diff --git a/src/assets/data/baselineProfiles/canonical-ubuntu-16.04-lts-stig-baseline.json b/src/assets/data/baselineProfiles/canonical-ubuntu-16.04-lts-stig-baseline.json index f7ec29e7..55acf058 100644 --- a/src/assets/data/baselineProfiles/canonical-ubuntu-16.04-lts-stig-baseline.json +++ b/src/assets/data/baselineProfiles/canonical-ubuntu-16.04-lts-stig-baseline.json 
@@ -17,43 +17,26 @@ "inputs": [], "controls": [ { - "title": "Successful/unsuccessful modifications to the faillog file must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must accept Personal Identity Verification\n(PIV) credentials.", + "desc": "The use of PIV credentials facilitates standardization and reduces the\nrisk of unauthorized access.\n\n DoD has mandated the use of the CAC to support identity management and\npersonal authentication for systems covered under Homeland Security\nPresidential Directive (HSPD) 12, as well as making the CAC a primary component\nof layered protection for national security systems.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \"faillog\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w faillog /etc/audit/audit.rules\n\n-w /var/log/faillog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for 
any\nsuccessful/unsuccessful modifications to the \"faillog\" file occur.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "The use of PIV credentials facilitates standardization and reduces the\nrisk of unauthorized access.\n\n DoD has mandated the use of the CAC to support identity management and\npersonal authentication for systems covered under Homeland Security\nPresidential Directive (HSPD) 12, as well as making the CAC a primary component\nof layered protection for national security systems.", + "check": "Verify the Ubuntu operating system accepts Personal Identity\nVerification (PIV) credentials.\n\nCheck that the \"opensc-pcks11\" package is installed on the system with the\nfollowing command:\n\n# dpkg -l | grep opensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with support\nfor PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed, this is a finding.", + "fix": "Configure the Ubuntu operating system to accept Personal Identity\nVerification (PIV) credentials.\n\nInstall the \"opensc-pkcs11\" package using the following command:\n\n# sudo apt-get install opensc-pkcs11" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000473-GPOS-00218" - ], - "gid": "V-75773", - "rid": "SV-90453r3_rule", - "stig_id": "UBTU-16-020740", - "fix_id": "F-82401r2_fix", + "gtitle": "SRG-OS-000376-GPOS-00161", + "gid": "V-75905", + "rid": "SV-90585r1_rule", + "stig_id": "UBTU-16-030810", + "fix_id": "F-82535r1_fix", "cci": [ - "CCI-000130", - 
"CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-001953" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "IA-2 (12)", "Rev_4" ], "false_negatives": null, 
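Review bot: The check text for the new V-75905 control names the package as `opensc-pcks11` twice (in the `check` description and again inside the embedded `code` string) while the command on the same line and the InSpec `package('opensc-pkcs11')` resource use `opensc-pkcs11`; unless this text is deliberately mirroring the published STIG wording verbatim, both occurrences should read `opensc-pkcs11` so an auditor greps for a name that exists. Note also that everything here only establishes that the PKCS#11 provider package is present — nothing verifies that PAM is configured to consult a smart card, so a host passes this control without actually accepting a PIV credential. A short comment in the control body would keep it from being read as a stronger guarantee, e.g. `# NOTE: verifies package presence only; PAM/smart-card login configuration is not checked here`.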
@@ -67,54 +50,40 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75773' do\n title \"Successful/unsuccessful modifications to the faillog file must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000473-GPOS-00218]\n tag \"gid\": 'V-75773'\n tag \"rid\": 'SV-90453r3_rule'\n tag \"stig_id\": 'UBTU-16-020740'\n tag \"fix_id\": 'F-82401r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \\\"faillog\\\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w faillog /etc/audit/audit.rules\n\n-w /var/log/faillog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit 
system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \\\"faillog\\\" file occur.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75905' do\n title \"The Ubuntu operating system must accept Personal Identity Verification\n(PIV) credentials.\"\n desc \"The use of PIV credentials facilitates standardization and reduces the\nrisk of unauthorized access.\n\n DoD has mandated the use of the CAC to support identity management and\npersonal authentication for systems covered under Homeland Security\nPresidential Directive (HSPD) 12, as well as making the CAC a primary component\nof layered protection for national security systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000376-GPOS-00161'\n tag \"gid\": 'V-75905'\n tag \"rid\": 'SV-90585r1_rule'\n tag \"stig_id\": 'UBTU-16-030810'\n tag \"fix_id\": 'F-82535r1_fix'\n tag \"cci\": ['CCI-001953']\n tag \"nist\": ['IA-2 (12)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag 
\"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system accepts Personal Identity\nVerification (PIV) credentials.\n\nCheck that the \\\"opensc-pcks11\\\" package is installed on the system with the\nfollowing command:\n\n# dpkg -l | grep opensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with support\nfor PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to accept Personal Identity\nVerification (PIV) credentials.\n\nInstall the \\\"opensc-pkcs11\\\" package using the following command:\n\n# sudo apt-get install opensc-pkcs11\"\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75773.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75905.rb", "line": 3 }, - "id": "V-75773" + "id": "V-75905" }, { - "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/group.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Apparmor module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms and limit the ability of non-privileged users to grant other users\ndirect access to the contents of their home directories/folders.", + "desc": "The organization must identify authorized software programs and permit\nexecution of 
authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of white-listed software occurs prior to execution or at system\nstartup.\n\n Users' home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/group\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/group\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of white-listed software occurs prior to execution or at system\nstartup.\n\n Users' home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.", + "check": "Verify the Ubuntu operating system is configured to employ a\ndeny-all, permit-by-exception policy to allow the execution of authorized\nsoftware programs and access to user home directories.\n\nCheck that \"Apparmor\" is configured to employ application whitelisting and\nhome directory access control with the following command:\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf the defined profiles do not match the organization’s list of authorized\nsoftware, this is a finding.", + "fix": "Configure the Ubuntu operating system to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.\n\nInstall \"Apparmor\" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate \"Apparmor\" (if it is not already active) with the following\ncommand:\n\n# sudo systemctl enable apparmor.service\n\nStart \"Apparmor\" with the following 
command:\n\n# sudo systemctl start apparmor.service\n\nNote: Apparmor must have properly configured profiles for applications and home\ndirectories. All configurations will be based on the actual system setup and\norganization and normally are on a per role basis. See the \"Apparmor\"\ndocumentation for more information on configuring profiles." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", + "gtitle": "SRG-OS-000368-GPOS-00154", "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000370-GPOS-00155" ], - "gid": "V-75663", - "rid": "SV-90343r3_rule", - "stig_id": "UBTU-16-020310", - "fix_id": "F-82291r2_fix", + "gid": "V-75537", + "rid": "SV-90217r2_rule", + "stig_id": "UBTU-16-010610", + "fix_id": "F-82165r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002132", - "CCI-002884" + "CCI-001764", + "CCI-001774" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "AC-2 (4)", - "MA-4 (1)\n(a)", + "CM-7 (2)", + "CM-7 (5) (b)", "Rev_4" ], "false_negatives": null, 
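Review bot: The embedded InSpec code for V-75537 is only `describe 'Manual test' do skip ... end`, so the control can never fail even when AppArmor is absent or stopped, although its own fix text requires `apparmor.service` to be enabled and started. A precondition ahead of the skip, such as `describe service('apparmor') do it { should be_enabled }; it { should be_running } end` together with `describe package('apparmor') do it { should be_installed } end`, would turn those obvious cases into findings while leaving the profile-versus-authorized-list comparison manual. The fix text's `sudo apt-get install libpam-apparmor` installs the PAM hook rather than the service itself; if the wording is meant to mirror the STIG leave it, otherwise `apparmor` is the package that provides `apparmor.service`. A caveat is also worth adding to the control: `apparmor_status` listing profiles in enforce mode only shows that profiled programs are confined — a binary with no profile still runs unconfined — so that output alone does not demonstrate a deny-all, permit-by-exception policy.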
@@ -128,50 +97,75 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75663' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/group.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75663'\n tag \"rid\": 'SV-90343r3_rule'\n tag \"stig_id\": 'UBTU-16-020310'\n tag \"fix_id\": 'F-82291r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/group\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n\nIf the command does not 
return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/group\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75537' do\n title \"The Apparmor module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms and limit the ability of non-privileged users to grant other users\ndirect access to the contents of their home directories/folders.\"\n desc \"The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. 
Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of white-listed software occurs prior to execution or at system\nstartup.\n\n Users' home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000368-GPOS-00154'\n tag \"satisfies\": %w[SRG-OS-000368-GPOS-00154 SRG-OS-000370-GPOS-00155]\n tag \"gid\": 'V-75537'\n tag \"rid\": 'SV-90217r2_rule'\n tag \"stig_id\": 'UBTU-16-010610'\n tag \"fix_id\": 'F-82165r1_fix'\n tag \"cci\": %w[CCI-001764 CCI-001774]\n tag \"nist\": ['CM-7 (2)', 'CM-7 (5) (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is configured to employ a\ndeny-all, permit-by-exception policy to allow the execution of authorized\nsoftware programs and access to user home directories.\n\nCheck that \\\"Apparmor\\\" is configured to employ application whitelisting and\nhome directory access control with the following command:\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf the defined profiles do not match the organization’s list of authorized\nsoftware, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.\n\nInstall \\\"Apparmor\\\" (if it is not installed) with the following command:\n\n# sudo apt-get 
install libpam-apparmor\n\nEnable/Activate \\\"Apparmor\\\" (if it is not already active) with the following\ncommand:\n\n# sudo systemctl enable apparmor.service\n\nStart \\\"Apparmor\\\" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Apparmor must have properly configured profiles for applications and home\ndirectories. All configurations will be based on the actual system setup and\norganization and normally are on a per role basis. See the \\\"Apparmor\\\"\ndocumentation for more information on configuring profiles.\"\n\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75663.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75537.rb", "line": 3 }, - "id": "V-75663" + "id": "V-75537" }, { - "title": "The audit system must be configured to audit any usage of the kmod\ncommand.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "Advance package Tool (APT) must remove all software components after\nupdated versions have been installed.", + "desc": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \"kmod\", by running the\nfollowing command:\n\n# sudo grep \"/bin/kmod\" /etc/audit/audit.rules\n\n-w /bin/kmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe module management program \"kmod\" by adding the following line to\n\"/etc/audit/audit.rules\":\n\n-w /bin/kmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. 
Some information technology products may remove older versions of\nsoftware automatically from the information system.", + "check": "Verify Advance package Tool (APT) is configured to remove all\nsoftware components after updated versions have been installed.\n\nCheck that APT is configured to remove all software components after updating\nwith the following command:\n\n# grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nIf the \"Remove-Unused-Dependencies\" parameter is not set to \"true\", or is\nmissing, this is a finding.", + "fix": "Configure APT to remove all software components after updated\nversions have been installed.\n\nAdd or updated the following option to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "gtitle": "SRG-OS-000437-GPOS-00194", + "gid": "V-75529", + "rid": "SV-90209r1_rule", + "stig_id": "UBTU-16-010570", + "fix_id": "F-82157r1_fix", + "cci": [ + "CCI-002617" ], - "gid": "V-75715", - "rid": "SV-90395r2_rule", - "stig_id": "UBTU-16-020450", - "fix_id": "F-82343r2_fix", + "nist": [ + "SI-2 (6)", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null + }, + "code": "control 'V-75529' do\n title \"Advance package Tool (APT) must remove all software components after\nupdated versions have been installed.\"\n desc \"Previous versions of software components that are not removed from 
the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000437-GPOS-00194'\n tag \"gid\": 'V-75529'\n tag \"rid\": 'SV-90209r1_rule'\n tag \"stig_id\": 'UBTU-16-010570'\n tag \"fix_id\": 'F-82157r1_fix'\n tag \"cci\": ['CCI-002617']\n tag \"nist\": ['SI-2 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify Advance package Tool (APT) is configured to remove all\nsoftware components after updated versions have been installed.\n\nCheck that APT is configured to remove all software components after updating\nwith the following command:\n\n# grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nIf the \\\"Remove-Unused-Dependencies\\\" parameter is not set to \\\"true\\\", or is\nmissing, this is a finding.\"\n desc 'fix', \"Configure APT to remove all software components after updated\nversions have been installed.\n\nAdd or updated the following option to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\"\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/ }\n end\nend\n", + "source_location": { + "ref": "./Ubuntu 16.04 STIG/controls/V-75529.rb", + "line": 3 + }, + "id": "V-75529" + }, + { + "title": "Unattended 
or automatic login via the GUI must not be allowed.", + "desc": "Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.", + "descriptions": { + "default": "Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.", + "check": "Verify that unattended or automatic login via the GUI is\ndisabled.\n\nCheck that unattended or automatic login is disabled with the following command:\n\n# sudo grep -i automaticloginenable /etc/gdm3/custom.conf\n\nAutomaticLoginEnable=false\n\nIf the \"AutomaticLoginEnable\" parameter is not set to \"false\", or is\ncommented out, this is a finding.", + "fix": "Configure the GUI to not allow unattended or automatic login to\nthe system.\n\nAdd or edit the following line in the \"/etc/gdm3/custom.conf\" file directly\nbelow the \"[daemon]\" tag:\n\nAutomaticLoginEnable=false" + }, + "impact": 0, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-75495", + "rid": "SV-90175r2_rule", + "stig_id": "UBTU-16-010330", + "fix_id": "F-82123r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
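Review bot: The V-75529 regex `/^\s*([^\s]*::Remove-Unused-Dependencies)\s*\"true\"\s*;$/` accepts a commented-out directive, because `[^\s]*` consumes a leading `//` or `#` (the stock 50unattended-upgrades ships the directive commented out), so a host with `//Unattended-Upgrade::Remove-Unused-Dependencies "true";` passes even though the description says a commented line is a finding. Anchoring the key name fixes it — `it { should match /^\s*Unattended-Upgrade::Remove-Unused-Dependencies\s+"true"\s*;/ }` — ideally run against `file('/etc/apt/apt.conf.d/50unattended-upgrades').content` instead of a shell `grep -i`, which also removes the need for the weak `directory('/etc/apt/apt.conf.d')` check that passes on every Ubuntu host. Note that the option only acts when unattended-upgrades actually runs (`APT::Periodic::Unattended-Upgrade "1"` in 20auto-upgrades); an interactive `apt-get upgrade` does not autoremove, so the control verifies a configuration line rather than that stale components are removed. Separately, V-75495 is added with `"impact": 0`, which InSpec-aware viewers generally present as Not Applicable; if that is deliberate (no GDM on headless builds) the description should say so, otherwise it should carry the same 0.5 as its neighbours.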
@@ -185,34 +179,34 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75715' do\n title \"The audit system must be configured to audit any usage of the kmod\ncommand.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75715'\n tag \"rid\": 'SV-90395r2_rule'\n tag \"stig_id\": 'UBTU-16-020450'\n tag \"fix_id\": 'F-82343r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n 
CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \\\"kmod\\\", by running the\nfollowing command:\n\n# sudo grep \\\"/bin/kmod\\\" /etc/audit/audit.rules\n\n-w /bin/kmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe module management program \\\"kmod\\\" by adding the following line to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /bin/kmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n",
+ "code": "control 'V-75495' do\n title 'Unattended or automatic login via the GUI must not be allowed.'\n desc \"Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00229'\n tag \"gid\": 'V-75495'\n tag \"rid\": 'SV-90175r2_rule'\n tag \"stig_id\": 'UBTU-16-010330'\n tag \"fix_id\": 'F-82123r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that unattended or automatic login via the GUI is\ndisabled.\n\nCheck that unattended or automatic login is disabled with the following command:\n\n# sudo grep -i automaticloginenable /etc/gdm3/custom.conf\n\nAutomaticLoginEnable=false\n\nIf the \\\"AutomaticLoginEnable\\\" parameter is not set to \\\"false\\\", or is\ncommented out, this is a finding.\"\n desc 'fix', \"Configure the GUI to not allow unattended or automatic login to\nthe system.\n\nAdd or edit the following line in the 
\\\"/etc/gdm3/custom.conf\\\" file directly\nbelow the \\\"[daemon]\\\" tag:\n\nAutomaticLoginEnable=false\"\n\n gnome_installed = (package('ubuntu-gnome-desktop').installed? || package('ubuntu-desktop').installed?)\n\n if gnome_installed\n describe parse_config_file('/etc/gdm3/custom.conf') do\n its('AutomaticLoginEnable') { should cmp 'false' }\n end\n else\n impact 0\n describe 'Not Applicable as GNOME dekstop environment is installed' do\n subject { gnome_installed }\n it { should be false }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75715.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75495.rb",
 "line": 3
 },
- "id": "V-75715"
+ "id": "V-75495"
 },
 {
- "title": "The Ubuntu operating system must implement DoD-approved encryption to\nprotect the confidentiality of SSH connections.",
- "desc": "Without confidentiality protection mechanisms, unauthorized\nindividuals may gain access to sensitive information via a remote access\nsession.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Encryption provides a means to secure the remote connection to prevent\nunauthorized access to the data traversing the remote access connection (e.g.,\nRDP), thereby providing a degree of confidentiality. 
The encryption strength of\na mechanism is selected based on the security categorization of the information.",
+ "title": "All world-writable directories must be group-owned by root, sys, bin,\nor an application group.",
+ "desc": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.",
 "descriptions": {
- "default": "Without confidentiality protection mechanisms, unauthorized\nindividuals may gain access to sensitive information via a remote access\nsession.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Encryption provides a means to secure the remote connection to prevent\nunauthorized access to the data traversing the remote access connection (e.g.,\nRDP), thereby providing a degree of confidentiality. 
The encryption strength of\na mechanism is selected based on the security categorization of the information.",
- "check": "Verify the SSH daemon is configured to only implement\nDoD-approved encryption.\n\nCheck the SSH daemon's current configured ciphers by running the following\ncommand:\n\n# sudo grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'\n\nCiphers aes128-ctr aes192-ctr, aes256-ctr\n\nIf any ciphers other than \"aes128-ctr\", \"aes192-ctr\", or \"aes256-ctr\" are\nlisted, the \"Ciphers\" keyword is missing, or the retuned line is commented\nout, this is a finding.",
- "fix": "Configure the Ubuntu operating system to allow the SSH daemon to\nonly implement DoD-approved encryption.\n\nEdit the SSH daemon configuration \"/etc/ssh/sshd_config\" and remove any\nciphers not starting with \"aes\" and remove any ciphers ending with \"cbc\".\nIf necessary, append the \"Ciphers\" line to the \"/etc/ssh/sshd_config\"\ndocument.\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service"
+ "default": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.",
+ "check": "Verify all world-writable directories are group-owned by root,\nsys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -perm -2 -type d ! -group sys ! -group root ! 
-group bin -exec\nls -lLd {} \\;\ndrwxrwsrwt 2 root whoops 4096 Jun 6 07:44 /var/crash\ndrwxrwsrwt 2 root whoops 4096 Jul 19 2016 /var/metrics\n\nIf any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.",
+ "fix": "Change the group of the world-writable directories to root with\nthe following command:\n\n# chgrp root "
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000033-GPOS-00014",
- "gid": "V-75829",
- "rid": "SV-90509r2_rule",
- "stig_id": "UBTU-16-030230",
- "fix_id": "F-82459r2_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-75583",
+ "rid": "SV-90263r2_rule",
+ "stig_id": "UBTU-16-010840",
+ "fix_id": "F-82211r1_fix",
 "cci": [
- "CCI-000068"
+ "CCI-000366"
 ],
 "nist": [
- "AC-17 (2)",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null, 
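Review bot: The exported `"impact": 0` for V-75495 contradicts the `impact 0.7` declared at the top of the control's `code` string; the 0 appears to come from the `impact 0` that the control sets inside its `else` branch when neither `ubuntu-gnome-desktop` nor `ubuntu-desktop` is installed, which suggests this baseline was exported from a host without a desktop and now records the control as not-applicable for every consumer of the JSON. The baseline should carry the declared 0.7, so the export should be regenerated from the profile source rather than from a run on such a host. Separately, the describe label in that `else` branch is inverted and misspelled — the branch runs when GNOME is absent — so the intended text is `describe 'Not Applicable as GNOME desktop environment is not installed' do`. Both fixes belong in `./Ubuntu 16.04 STIG/controls/V-75495.rb`, from which this JSON appears to be generated.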
@@ -226,20 +220,20 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75829' do\n title \"The Ubuntu operating system must implement DoD-approved encryption to\nprotect the confidentiality of SSH connections.\"\n desc \"Without confidentiality protection mechanisms, unauthorized\nindividuals may gain access to sensitive information via a remote access\nsession.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Encryption provides a means to secure the remote connection to prevent\nunauthorized access to the data traversing the remote access connection (e.g.,\nRDP), thereby providing a degree of confidentiality. The encryption strength of\na mechanism is selected based on the security categorization of the information.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000033-GPOS-00014'\n tag \"gid\": 'V-75829'\n tag \"rid\": 'SV-90509r2_rule'\n tag \"stig_id\": 'UBTU-16-030230'\n tag \"fix_id\": 'F-82459r2_fix'\n tag \"cci\": ['CCI-000068']\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon is configured to only implement\nDoD-approved encryption.\n\nCheck the SSH daemon's current configured ciphers by running the following\ncommand:\n\n# sudo grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'\n\nCiphers aes128-ctr aes192-ctr, aes256-ctr\n\nIf any ciphers other than \\\"aes128-ctr\\\", \\\"aes192-ctr\\\", or \\\"aes256-ctr\\\" are\nlisted, the \\\"Ciphers\\\" keyword is missing, or the 
retuned line is commented\nout, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to\nonly implement DoD-approved encryption.\n\nEdit the SSH daemon configuration \\\"/etc/ssh/sshd_config\\\" and remove any\nciphers not starting with \\\"aes\\\" and remove any ciphers ending with \\\"cbc\\\".\nIf necessary, append the \\\"Ciphers\\\" line to the \\\"/etc/ssh/sshd_config\\\"\ndocument.\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w[aes128-ctr aes192-ctr aes256-ctr] }\n end\nend\n",
+ "code": "control 'V-75583' do\n title \"All world-writable directories must be group-owned by root, sys, bin,\nor an application group.\"\n desc \"If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75583'\n tag \"rid\": 'SV-90263r2_rule'\n tag \"stig_id\": 'UBTU-16-010840'\n tag \"fix_id\": 'F-82211r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag 
\"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all world-writable directories are group-owned by root,\nsys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -perm -2 -type d ! -group sys ! -group root ! -group bin -exec\nls -lLd {} \\\\;\ndrwxrwsrwt 2 root whoops 4096 Jun 6 07:44 /var/crash\ndrwxrwsrwt 2 root whoops 4096 Jul 19 2016 /var/metrics\n\nIf any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.\"\n desc 'fix', \"Change the group of the world-writable directories to root with\nthe following command:\n\n# chgrp root \"\n\n application_groups = input('application_groups')\n\n directories = command('find / -xdev -perm -2 -type d ! -group sys ! -group root ! -group bin -exec ls -lLd {} \\\\;').stdout.strip.split(\"\\n\").entries\n if directories.count > 0\n directories.each do |entry|\n describe directory(entry) do\n its('group') { should be_in %w[root sys bin] + application_groups }\n end\n end\n else\n describe 'No world-writable directories found on the system' do\n subject { directories }\n its('count') { should eq 0 }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75829.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75583.rb",
 "line": 3
 },
- "id": "V-75829"
+ "id": "V-75583"
 },
 {
- "title": "Successful/unsuccessful uses of the unix_update command must generate\nan audit record.",
+ "title": "Successful/unsuccessful uses of the chsh command must generate an\naudit record.",
 "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.",
 "descriptions": {
 "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.",
- "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"unix_update\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w \"unix_update\" /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-unix-update\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.",
- "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_update\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-unix-update\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
+ "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chsh /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.",
+ "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chsh\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
 "impact": 0.5,
 "refs": [],
@@ -253,10 +247,10 @@
 "SRG-OS-000462-GPOS-00206",
 "SRG-OS-000471-GPOS-00215"
 ],
- "gid": "V-75779",
- "rid": "SV-90459r3_rule",
- "stig_id": "UBTU-16-020770",
- "fix_id": "F-82409r2_fix",
+ "gid": "V-75759",
+ "rid": "SV-90439r3_rule",
+ "stig_id": "UBTU-16-020670",
+ "fix_id": "F-82387r2_fix",
 "cci": [
 "CCI-000130",
 "CCI-000135", 
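Review bot: In the new `code` string for V-75583, `directories.each do |entry| describe directory(entry)` hands each line of `ls -lLd` output (for example `drwxrwsrwt 2 root whoops 4096 Jun 6 07:44 /var/crash`) to `directory()` as though it were a path, so the `group` assertion is evaluated against a path that does not exist rather than against the world-writable directory itself. Dropping the `-exec ls -lLd {} \;` so that `find` prints bare paths is the one-line fix: `directories = command('find / -xdev -perm -2 -type d ! -group sys ! -group root ! -group bin').stdout.strip.split("\n")`. Note also that `-xdev` restricts the search to the root filesystem, which is narrower than the `find /` in the check text; if that is deliberate (skipping /proc, /sys and network mounts) a comment in the control saying so would help. The `fix` text ends in `# chgrp root ` with the directory operand missing, presumably an angle-bracketed placeholder lost on import; the same truncation affects V-75557's `# sudo chgrp ` in the hunk at @@ -283,34 +277,34 @@. These belong in `./Ubuntu 16.04 STIG/controls/V-75583.rb`, from which this JSON appears to be generated.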
@@ -283,34 +277,34 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75779' do\n title \"Successful/unsuccessful uses of the unix_update command must generate\nan audit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75779'\n tag \"rid\": 'SV-90459r3_rule'\n tag \"stig_id\": 'UBTU-16-020770'\n tag \"fix_id\": 'F-82409r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"unix_update\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w \\\"unix_update\\\" /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-unix-update\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', 
\"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"unix_update\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-unix-update\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n",
+ "code": "control 'V-75759' do\n title \"Successful/unsuccessful uses of the chsh command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75759'\n tag \"rid\": 'SV-90439r3_rule'\n tag \"stig_id\": 'UBTU-16-020670'\n tag \"fix_id\": 'F-82387r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chsh\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chsh /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chsh\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75779.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75759.rb",
 "line": 3
 },
- "id": "V-75779"
+ "id": "V-75759"
 },
 {
- "title": "The audit system must take appropriate action when the network cannot\nbe used to off-load audit records.",
- "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.",
+ "title": "All files and directories must have a valid group owner.",
+ "desc": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.",
 "descriptions": {
- "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.",
- "check": "Verify that the audit system takes appropriate action if the\nnetwork cannot be used to off-load audit records.\n\nCheck what action will take place if the network connection fails with the\nfollowing command:\n\n# sudo grep -iw \"network_failure\" /etc/audisp/audisp-remote.conf\n\nnetwork_failure_action = stop\n\nIf 
the value of the “network_failure_action” option is not \"syslog\",\n\"single\", or \"halt\", or the line is commented out, this is a finding.",
- "fix": "Configure the Ubuntu operating system to take appropriate action\nwhen the network cannot be used to off-load audit records.\n\nAdd, edit or uncomment the \"network_failure_action\" option in\n\"/etc/audisp/audisp-remote.conf\". Set it to \"syslog\", \"single\" or\n\"halt\" like the below example:\n\nnetwork_failure_action = single"
+ "default": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.",
+ "check": "Verify all files and directories on the Ubuntu operating system\nhave a valid group.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.",
+ "fix": "Either remove all files and directories from the Ubuntu operating\nsystem that do not have a valid group, or assign a valid group to all files and\ndirectories on the system with the \"chgrp\" command:\n\n# sudo chgrp "
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000479-GPOS-00224",
- "gid": "V-75859",
- "rid": "SV-90539r2_rule",
- "stig_id": "UBTU-16-030430",
- "fix_id": "F-82489r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-75557",
+ "rid": "SV-90237r1_rule",
+ "stig_id": "UBTU-16-010710",
+ "fix_id": "F-82185r1_fix",
 "cci": [
- "CCI-001851"
+ "CCI-002165"
 ],
 "nist": [
- "AU-4 (1)",
+ "AC-3 (4)",
 "Rev_4"
 ],
 "false_negatives": null, 
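Review bot: The new `code` for V-75759 passes as soon as some active rule names `/usr/bin/chsh` with an `x` permission and an action other than `never`, but the check text carried in the same record requires the rule to be scoped with `-F auid>=1000 -F auid!=4294967295`; a rule without those filters, or one keyed to a different range, satisfies this control while still differing from the documented requirement. If the intent is to match the check text, the `describe auditd.file(@audit_file)` block is where the auid fields would be asserted alongside `permissions` and `action`. The existence gate `auditd.lines.index { |line| line.include?(@audit_file) }` is a plain substring match, so a comment stating that it is only a guard for the more specific `auditd.file` assertions that follow would make the two-step structure clearer. These points apply to the source `./Ubuntu 16.04 STIG/controls/V-75759.rb`, from which this JSON appears to be generated.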
@@ -324,34 +318,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75859' do\n title \"The audit system must take appropriate action when the network cannot\nbe used to off-load audit records.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-75859'\n tag \"rid\": 'SV-90539r2_rule'\n tag \"stig_id\": 'UBTU-16-030430'\n tag \"fix_id\": 'F-82489r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the audit system takes appropriate action if the\nnetwork cannot be used to off-load audit records.\n\nCheck what action will take place if the network connection fails with the\nfollowing command:\n\n# sudo grep -iw \\\"network_failure\\\" /etc/audisp/audisp-remote.conf\n\nnetwork_failure_action = stop\n\nIf the value of the “network_failure_action” option is not \\\"syslog\\\",\n\\\"single\\\", or \\\"halt\\\", or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to take appropriate action\nwhen the network cannot be used to off-load audit records.\n\nAdd, edit or uncomment the \\\"network_failure_action\\\" option in\n\\\"/etc/audisp/audisp-remote.conf\\\". 
Set it to \\\"syslog\\\", \\\"single\\\" or\n\\\"halt\\\" like the below example:\n\nnetwork_failure_action = single\"\n\n config_file_exists = file('/etc/audisp/audisp-remote.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('network_failure_action.strip') { should match(/^(syslog|single|halt)$/) }\n end\n else\n describe '/etc/audisp/audisp-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75557' do\n title 'All files and directories must have a valid group owner.'\n desc \"Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75557'\n tag \"rid\": 'SV-90237r1_rule'\n tag \"stig_id\": 'UBTU-16-010710'\n tag \"fix_id\": 'F-82185r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all files and directories on the Ubuntu operating system\nhave a valid group.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.\"\n desc 'fix', \"Either remove all files and directories from the Ubuntu operating\nsystem that do not have a valid group, or assign a valid group to all files and\ndirectories on the system with the \\\"chgrp\\\" command:\n\n# sudo chgrp \"\n\n dir_list = command('find / -nogroup').stdout.strip.split(\"\\n\")\n if dir_list.count > 0\n 
dir_list.each do |entry|\n describe directory(entry) do\n its('group') { should_not be_empty }\n end\n end\n else\n describe 'The number of files and directories without a valid group' do\n subject { dir_list }\n its('count') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75859.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75557.rb", "line": 3 }, - "id": "V-75859" + "id": "V-75557" }, { - "title": "Unattended or automatic login via ssh must not be allowed.", - "desc": "Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.", + "title": "Successful/unsuccessful uses of the ftruncate command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.", - "check": "Verify that unattended or automatic login via ssh is disabled.\n\nCheck that unattended or automatic login via ssh is disabled with the following\ncommand:\n\n# egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf \"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set\nto \"no\", is missing completely, or they are commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to allow the SSH daemon to\nnot allow unattended or automatic login to the system.\n\nAdd or edit the following lines in the \"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nThe SSH daemon 
must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"ftruncate\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ftruncate\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00229", - "gid": "V-75833", - "rid": "SV-90513r2_rule", - "stig_id": "UBTU-16-030250", - "fix_id": "F-82463r2_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75747", + "rid": "SV-90427r3_rule", + "stig_id": "UBTU-16-020610", + "fix_id": "F-82375r2_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
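Review bot: In the V-75557 `code` string, every path returned by `find / -nogroup` is by definition one without a valid group, so the per-entry loop `describe directory(entry) do its('group') { should_not be_empty } end` can only fail, and `directory` is the wrong resource for the regular files `find` also returns; asserting the list is empty in both branches, e.g. `describe dir_list do its('count') { should cmp 0 } end` without the `if`, expresses the same requirement without a resource that can raise on a non-directory. `find /` without `-xdev` also descends into `/proc`, `/sys` and any network mounts, which can be slow; `find / -xdev -nogroup` or pruning pseudo-filesystems would be safer for the check. The `fix` text ends in `# sudo chgrp ` with no arguments, presumably because placeholders were lost when the STIG source was extracted; restoring them as `# sudo chgrp <group> <file>` (constructed placeholders) would make the remediation actionable.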
@@ -365,43 +375,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75833' do\n title 'Unattended or automatic login via ssh must not be allowed.'\n desc \"Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00229'\n tag \"gid\": 'V-75833'\n tag \"rid\": 'SV-90513r2_rule'\n tag \"stig_id\": 'UBTU-16-030250'\n tag \"fix_id\": 'F-82463r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that unattended or automatic login via ssh is disabled.\n\nCheck that unattended or automatic login via ssh is disabled with the following\ncommand:\n\n# egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf \\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set\nto \\\"no\\\", is missing completely, or they are commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to\nnot allow unattended or automatic login to the system.\n\nAdd or edit the following lines in the \\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n", + "code": "control 'V-75747' do\n title \"Successful/unsuccessful uses of the ftruncate command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75747'\n tag \"rid\": 'SV-90427r3_rule'\n tag \"stig_id\": 'UBTU-16-020610'\n tag \"fix_id\": 'F-82375r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"ftruncate\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F 
arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"ftruncate\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('ftruncate').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('ftruncate').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('ftruncate').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('ftruncate').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75833.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75747.rb", "line": 3 }, - "id": "V-75833" + "id": "V-75747" }, { - "title": "File system automounter must be 
disabled unless required.", - "desc": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", + "title": "Off-loading audit records to another system must be authenticated.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", "descriptions": { - "default": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", - "check": "Verify the Ubuntu operating system disables the ability to\nautomount devices.\n\nCheck to see if automounter service is active with the following command:\n\n# systemctl status autofs\n autofs.service - LSB: Automounts filesystems on demand\n Loaded: loaded (/etc/init.d/autofs; bad; vendor preset: enabled)\n Active: active (running) since Thu 2017-05-04 07:53:51 EDT; 6 days ago\n Docs: man:systemd-sysv-generator(8)\n CGroup: /system.slice/autofs.service\n +-24206 /usr/sbin/automount --pid-file /var/run/autofs.pid\n\nIf the \"autofs\" status is set to \"active\" and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", - "fix": "Configure the Ubuntu operating system to disable the ability to\nautomount devices.\n\nTurn off the automount service with the following command:\n\n# sudo systemctl stop autofs\n\nIf \"autofs\" is required for Network File System (NFS), it must be documented\nwith the Information System Security Officer (ISSO)." 
+ "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "check": "Verify the audit system authenticates off-loading audit records\nto a different system.\n\nCheck that the off-loading of audit records to a different system is\nauthenticated with the following command:\n\n# sudo grep enable /etc/audisp/audisp-remote.conf\n\nenable_krb5 = yes\n\nIf “enable_krb5” option is not set to \"yes\" or the line is commented out,\nthis is a finding.", + "fix": "Configure the audit system to authenticate off-loading audit\nrecords to a different system.\n\nUncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and\nset it to \"yes\". See the example below.\n\nenable_krb5 = yes" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000114-GPOS-00059", - "satisfies": [ - "SRG-OS-000114-GPOS-00059", - "SRG-OS-000378-GPOS-00163", - "SRG-OS-000480-GPOS-00227" - ], - "gid": "V-75533", - "rid": "SV-90213r2_rule", - "stig_id": "UBTU-16-010590", - "fix_id": "F-82161r2_fix", + "gtitle": "SRG-OS-000479-GPOS-00224", + "gid": "V-75633", + "rid": "SV-90313r1_rule", + "stig_id": "UBTU-16-020080", + "fix_id": "F-82261r1_fix", "cci": [ - "CCI-000366", - "CCI-000778", - "CCI-001958" + "CCI-001851" ], "nist": [ - "CM-6 b", - "IA-3", - "IA-3", + "AU-4 (1)", "Rev_4" ], "false_negatives": null, 
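Review bot: The V-75747 `code` string asserts `arch == 'b32'` ftruncate rules unconditionally (the two `describe auditd.syscall('ftruncate').where { arch == 'b32' }` blocks after the `if os.arch == 'x86_64'` guard), while the control's `check` and `fix` text only list `-F arch=b64` rules, so a host configured exactly as the fix describes fails this control. Either add matching `arch=b32` rules to the check/fix text or make the b32 blocks the `else` branch of the `os.arch` test. The two b64 blocks differ only in the `exit` value and could be one block with `its('exit.uniq') { should include('-EPERM', '-EACCES') }`. The code also does not verify the `auid>=1000`/`auid!=4294967295` filters that the rule text requires, so a rule set that deviates from the published one still passes; that is a coverage gap worth a comment at least.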
@@ -415,20 +416,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75533' do\n title 'File system automounter must be disabled unless required.'\n desc \"Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000114-GPOS-00059'\n tag \"satisfies\": %w[SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163\n SRG-OS-000480-GPOS-00227]\n tag \"gid\": 'V-75533'\n tag \"rid\": 'SV-90213r2_rule'\n tag \"stig_id\": 'UBTU-16-010590'\n tag \"fix_id\": 'F-82161r2_fix'\n tag \"cci\": %w[CCI-000366 CCI-000778 CCI-001958]\n tag \"nist\": ['CM-6 b', 'IA-3', 'IA-3', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system disables the ability to\nautomount devices.\n\nCheck to see if automounter service is active with the following command:\n\n# systemctl status autofs\n autofs.service - LSB: Automounts filesystems on demand\n Loaded: loaded (/etc/init.d/autofs; bad; vendor preset: enabled)\n Active: active (running) since Thu 2017-05-04 07:53:51 EDT; 6 days ago\n Docs: man:systemd-sysv-generator(8)\n CGroup: /system.slice/autofs.service\n +-24206 /usr/sbin/automount --pid-file /var/run/autofs.pid\n\nIf the \\\"autofs\\\" status is set to \\\"active\\\" and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to disable the ability to\nautomount devices.\n\nTurn off the automount service with the following command:\n\n# sudo systemctl stop autofs\n\nIf \\\"autofs\\\" is required for Network File System 
(NFS), it must be documented\nwith the Information System Security Officer (ISSO).\"\n\n describe service('autofs') do\n it { should_not be_enabled }\n end\nend\n", + "code": "control 'V-75633' do\n title 'Off-loading audit records to another system must be authenticated.'\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-75633'\n tag \"rid\": 'SV-90313r1_rule'\n tag \"stig_id\": 'UBTU-16-020080'\n tag \"fix_id\": 'F-82261r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit system authenticates off-loading audit records\nto a different system.\n\nCheck that the off-loading of audit records to a different system is\nauthenticated with the following command:\n\n# sudo grep enable /etc/audisp/audisp-remote.conf\n\nenable_krb5 = yes\n\nIf “enable_krb5” option is not set to \\\"yes\\\" or the line is commented out,\nthis is a finding.\"\n desc 'fix', \"Configure the audit system to authenticate off-loading audit\nrecords to a different system.\n\nUncomment the \\\"enable_krb5\\\" option in \\\"/etc/audisp/audisp-remote.conf\\\" and\nset it to \\\"yes\\\". 
See the example below.\n\nenable_krb5 = yes\"\n\n config_file_exists = file('/etc/audisp/audisp-remote.conf').exist?\n\n if config_file_exists\n describe auditd_conf('/etc/audisp/audisp-remote.conf') do\n its('enable_krb5') { should_not be_empty }\n its('enable_krb5') { should cmp 'yes' }\n end\n else\n describe '/etc/audisp/audisp-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75533.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75633.rb", "line": 3 }, - "id": "V-75533" + "id": "V-75633" }, { - "title": "Successful/unsuccessful uses of the open_by_handle_at command must\ngenerate an audit record.", + "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/passwd.", "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"open_by_handle_at\" command\noccur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo 
grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000\n-F auid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"open_by_handle_at\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000\n-F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/passwd\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/passwd\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/passwd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], 
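Review bot: In the new V-75661 descriptions, the `check` text expects the watch rule keyed `-k audit_rules_usergroup_modification` while the `fix` text tells the administrator to add `-w /etc/passwd -p wa -k identity`; the two keys should agree (the grep in the check does not filter on the key, so only the documentation is inconsistent, and the mismatch is presumably inherited from the STIG source text). In the V-75633 `code` string, `its('enable_krb5') { should_not be_empty }` is subsumed by the following `its('enable_krb5') { should cmp 'yes' }` and can be dropped.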
@@ -438,19 +439,22 @@ "SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", + "SRG-OS-000304-GPOS-00121", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", + "SRG-OS-000470-GPOS-00214", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75753", - "rid": "SV-90433r3_rule", - "stig_id": "UBTU-16-020640", - "fix_id": "F-82381r2_fix", + "gid": "V-75661", + "rid": "SV-90341r3_rule", + "stig_id": "UBTU-16-020300", + "fix_id": "F-82289r2_fix", "cci": [ "CCI-000130", "CCI-000135", "CCI-000169", "CCI-000172", + "CCI-002132", "CCI-002884" ], "nist": [ @@ -458,7 +462,8 @@ "AU-3 (1)", "AU-12 a", "AU-12 c", - "MA-4 (1) (a)", + "AC-2 (4)", + "MA-4 (1)\n(a)", "Rev_4" ], "false_negatives": null, 
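Review bot: The added NIST tag `"MA-4 (1)\n(a)"` in the `@@ -458,7 +462,8 @@` hunk carries an embedded newline, so it will not match the `MA-4 (1) (a)` value used by the other controls on this page (for example the V-75747 tags) and will break any tag-based filtering or reporting on NIST controls; it should be `"MA-4 (1) (a)"`. The newline comes from the wrapped double-quoted Ruby string `\"MA-4 (1)\n(a)\"` in the V-75661 `code` string in the `@@ -472,34 +477,34 @@` hunk, where the array element should read `'MA-4 (1) (a)'` on one line so the regenerated JSON stays consistent.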
@@ -472,34 +477,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75753' do\n title \"Successful/unsuccessful uses of the open_by_handle_at command must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75753'\n tag \"rid\": 'SV-90433r3_rule'\n tag \"stig_id\": 'UBTU-16-020640'\n tag \"fix_id\": 'F-82381r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"open_by_handle_at\\\" command\noccur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F 
exit=-EACCES -F auid>=1000\n-F auid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"open_by_handle_at\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000\n-F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('open_by_handle_at').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open_by_handle_at').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open_by_handle_at').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open_by_handle_at').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", + "code": "control 'V-75661' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/passwd.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of 
the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75661'\n tag \"rid\": 'SV-90341r3_rule'\n tag \"stig_id\": 'UBTU-16-020300'\n tag \"fix_id\": 'F-82289r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/passwd\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/passwd\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/passwd -p wa -k 
identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75753.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75661.rb", "line": 3 }, - "id": "V-75753" + "id": "V-75661" }, { - "title": "Unattended or automatic login via the GUI must not be allowed.", - "desc": "Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.", + "title": "User accounts with temporary passwords, must require an immediate\nchange to a permanent password after login.", + "desc": "Without providing this capability, an account may be created without a\npassword. Non-repudiation cannot be guaranteed once an account is created if a\nuser is not forced to change the temporary password upon initial logon.\n\n Temporary passwords are typically used to allow access when new accounts\nare created or passwords are changed. 
It is common practice for administrators\nto create temporary passwords for user accounts which allow the users to log\non, yet force them to change the password once they have successfully\nauthenticated.", "descriptions": { - "default": "Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.", - "check": "Verify that unattended or automatic login via the GUI is\ndisabled.\n\nCheck that unattended or automatic login is disabled with the following command:\n\n# sudo grep -i automaticloginenable /etc/gdm3/custom.conf\n\nAutomaticLoginEnable=false\n\nIf the \"AutomaticLoginEnable\" parameter is not set to \"false\", or is\ncommented out, this is a finding.", - "fix": "Configure the GUI to not allow unattended or automatic login to\nthe system.\n\nAdd or edit the following line in the \"/etc/gdm3/custom.conf\" file directly\nbelow the \"[daemon]\" tag:\n\nAutomaticLoginEnable=false" + "default": "Without providing this capability, an account may be created without a\npassword. Non-repudiation cannot be guaranteed once an account is created if a\nuser is not forced to change the temporary password upon initial logon.\n\n Temporary passwords are typically used to allow access when new accounts\nare created or passwords are changed. 
It is common practice for administrators\nto create temporary passwords for user accounts which allow the users to log\non, yet force them to change the password once they have successfully\nauthenticated.", + "check": "Verify a policy exists that ensures when a user account is\ncreated, it is created using a method that forces a user to change their\npassword upon their next login.\n\nIf a policy does not exist, this is a finding.", + "fix": "Create a policy that ensures when a user is created, it is\ncreated using a method that forces a user to change their password upon their\nnext login.\n\nBelow are two examples of how to create a user account that requires the user\nto change their password upon their next login.\n\n# chage -d 0 [UserName]\n\nor\n\n# passwd -e [UserName]" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00229", - "gid": "V-75495", - "rid": "SV-90175r2_rule", - "stig_id": "UBTU-16-010330", - "fix_id": "F-82123r2_fix", + "gtitle": "SRG-OS-000380-GPOS-00165", + "gid": "V-75551", + "rid": "SV-90231r1_rule", + "stig_id": "UBTU-16-010680", + "fix_id": "F-82179r1_fix", "cci": [ - "CCI-000366" + "CCI-002041" ], "nist": [ - "CM-6 b", + "IA-5 (1) (f)", "Rev_4" ], "false_negatives": null, 
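Review bot: In the V-75661 `code` string, `auditd.lines.index { |line| line.include?(@audit_file) }` is a substring match, so a rule for any path that merely starts with `/etc/passwd` (such as a `/etc/passwd-` backup) also sets `audit_lines_exist` and routes the control into the per-file branch, where the failure is then reported as an empty permissions set rather than as a missing rule. Matching on a whole token, e.g. `line.split.include?(@audit_file)`, keeps both failure messages accurate. The same pattern appears in the V-75759 code earlier in this diff, presumably from a shared template, so the change belongs in the upstream control files rather than in this generated JSON. The trailing `\n\n\n \"` at the end of this control's `desc` string also leaves blank lines in the rendered description and could be trimmed.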
@@ -513,34 +518,51 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75495' do\n title 'Unattended or automatic login via the GUI must not be allowed.'\n desc \"Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00229'\n tag \"gid\": 'V-75495'\n tag \"rid\": 'SV-90175r2_rule'\n tag \"stig_id\": 'UBTU-16-010330'\n tag \"fix_id\": 'F-82123r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that unattended or automatic login via the GUI is\ndisabled.\n\nCheck that unattended or automatic login is disabled with the following command:\n\n# sudo grep -i automaticloginenable /etc/gdm3/custom.conf\n\nAutomaticLoginEnable=false\n\nIf the \\\"AutomaticLoginEnable\\\" parameter is not set to \\\"false\\\", or is\ncommented out, this is a finding.\"\n desc 'fix', \"Configure the GUI to not allow unattended or automatic login to\nthe system.\n\nAdd or edit the following line in the \\\"/etc/gdm3/custom.conf\\\" file directly\nbelow the \\\"[daemon]\\\" tag:\n\nAutomaticLoginEnable=false\"\n\n gnome_installed = (package('ubuntu-gnome-desktop').installed? 
|| package('ubuntu-desktop').installed?)\n\n if gnome_installed\n describe parse_config_file('/etc/gdm3/custom.conf') do\n its('AutomaticLoginEnable') { should cmp 'false' }\n end\n else\n impact 0\n describe 'Not Applicable as GNOME dekstop environment is installed' do\n subject { gnome_installed }\n it { should be false }\n end\n end\nend\n", + "code": "control 'V-75551' do\n title \"User accounts with temporary passwords, must require an immediate\nchange to a permanent password after login.\"\n desc \"Without providing this capability, an account may be created without a\npassword. Non-repudiation cannot be guaranteed once an account is created if a\nuser is not forced to change the temporary password upon initial logon.\n\n Temporary passwords are typically used to allow access when new accounts\nare created or passwords are changed. It is common practice for administrators\nto create temporary passwords for user accounts which allow the users to log\non, yet force them to change the password once they have successfully\nauthenticated.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000380-GPOS-00165'\n tag \"gid\": 'V-75551'\n tag \"rid\": 'SV-90231r1_rule'\n tag \"stig_id\": 'UBTU-16-010680'\n tag \"fix_id\": 'F-82179r1_fix'\n tag \"cci\": ['CCI-002041']\n tag \"nist\": ['IA-5 (1) (f)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify a policy exists that ensures when a user account is\ncreated, it is created using a method that forces a user to change their\npassword upon their next login.\n\nIf a policy does not exist, this is a finding.\"\n desc 'fix', \"Create a policy that ensures when a user is created, it is\ncreated using a method that forces a user to 
change their password upon their\nnext login.\n\nBelow are two examples of how to create a user account that requires the user\nto change their password upon their next login.\n\n# chage -d 0 [UserName]\n\nor\n\n# passwd -e [UserName]\"\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary users to change their password upon next login'\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75495.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75551.rb", "line": 3 }, - "id": "V-75495" + "id": "V-75551" }, { - "title": "The file integrity tool must perform verification of the correct\noperation of security functions: upon system start-up and/or restart; upon\ncommand by a user with privileged access; and/or every 30 days.", - "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Notifications provided by information systems include, for example,\nelectronic alerts to system administrators, messages to local computer\nconsoles, and/or hardware indications, such as lights.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", + "title": "Successful/unsuccessful uses of the su command must generate an audit\nrecord.", + "desc": "Without establishing what type of events occurred, it would be\ndifficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource\nutilization or capacity thresholds; or identifying an improperly configured\nUbuntu operating system.", "descriptions": { - "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Notifications provided by information systems include, for example,\nelectronic alerts to system administrators, messages to local computer\nconsoles, and/or hardware indications, such as lights.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE)\nperforms a verification of the operation of security functions every 30 days.\n\nNote: A file integrity tool other than AIDE may be used, but the tool must be\nexecuted at least once per week.\n\nCheck that AIDE is being executed every 30 days or less with the following\ncommand:\n\n# ls -al /etc/cron.daily/aide\n\n-rwxr-xr-x 1 root root 26049 Oct 24 2014 /etc/cron.daily/aide\n\nIf the \"/etc/cron.daily/aide\" file does not exist or the cron job is not\nconfigured to run at least every 30 days, this is a finding.", - "fix": "The cron file for AIDE is fairly complex as it creates the\nreport. 
The easiest way to create the file is to update the AIDE package with\nthe following command:\n\n# sudo apt-get install aide" + "default": "Without establishing what type of events occurred, it would be\ndifficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource\nutilization or capacity thresholds; or identifying an improperly configured\nUbuntu operating system.", + "check": "Verify the Ubuntu operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw /bin/su /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to generate audit records\nwhen successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/audit.rules\":\n\n-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000446-GPOS-00200", - "gid": "V-75517", - "rid": "SV-90197r2_rule", - "stig_id": "UBTU-16-010510", - "fix_id": "F-82145r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000064-GPOS-0003", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75691", + "rid": "SV-90371r3_rule", + "stig_id": "UBTU-16-020360", + "fix_id": "F-82319r2_fix", "cci": [ - "CCI-002699" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "SI-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
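Review bot: The `satisfies` array added for V-75691 contains `SRG-OS-000064-GPOS-0003`, which has a four-digit GPOS suffix while every other entry in the list (and every other SRG ID in this file) has five, so any tooling that joins controls to SRG IDs will silently miss this mapping; confirm the value against the STIG and correct it, keeping in mind the same string is repeated inside the embedded control code further down for the same control. The V-75551 control body, `describe 'Manual verification required' do skip ... end`, is appropriate for a policy-only requirement, but note that a skipped control never produces a finding, so the `impact 0.5` only affects reporting weight and the reviewer should not expect this control to ever fail. The control definition for V-75691 that these tags belong to starts in this hunk and its code continues in the next one.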
@@ -554,29 +576,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75517' do\n title \"The file integrity tool must perform verification of the correct\noperation of security functions: upon system start-up and/or restart; upon\ncommand by a user with privileged access; and/or every 30 days.\"\n desc \"Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Notifications provided by information systems include, for example,\nelectronic alerts to system administrators, messages to local computer\nconsoles, and/or hardware indications, such as lights.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000446-GPOS-00200'\n tag \"gid\": 'V-75517'\n tag \"rid\": 'SV-90197r2_rule'\n tag \"stig_id\": 'UBTU-16-010510'\n tag \"fix_id\": 'F-82145r1_fix'\n tag \"cci\": ['CCI-002699']\n tag \"nist\": ['SI-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE)\nperforms a verification of the operation of 
security functions every 30 days.\n\nNote: A file integrity tool other than AIDE may be used, but the tool must be\nexecuted at least once per week.\n\nCheck that AIDE is being executed every 30 days or less with the following\ncommand:\n\n# ls -al /etc/cron.daily/aide\n\n-rwxr-xr-x 1 root root 26049 Oct 24 2014 /etc/cron.daily/aide\n\nIf the \\\"/etc/cron.daily/aide\\\" file does not exist or the cron job is not\nconfigured to run at least every 30 days, this is a finding.\"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the\nreport. The easiest way to create the file is to update the AIDE package with\nthe following command:\n\n# sudo apt-get install aide\"\n\n describe file('/etc/cron.daily/aide') do\n it { should exist }\n end\nend\n", + "code": "control 'V-75691' do\n title \"Successful/unsuccessful uses of the su command must generate an audit\nrecord.\"\n desc \"Without establishing what type of events occurred, it would be\ndifficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource\nutilization or capacity thresholds; or identifying an improperly configured\nUbuntu operating system.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-0003\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75691'\n tag \"rid\": 'SV-90371r3_rule'\n tag \"stig_id\": 'UBTU-16-020360'\n tag 
\"fix_id\": 'F-82319r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw /bin/su /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nwhen successful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the following rule in \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75517.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75691.rb", "line": 3 }, - "id": "V-75517" + "id": "V-75691" }, { - "title": "For Ubuntu operating systems using Domain Name Servers (DNS)\nresolution, at least two name servers must be configured.", - "desc": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", + "title": "The Ubuntu operating system must not send Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirects.", + "desc": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages contain information from the system's route table,\npossibly revealing portions of the network topology.", "descriptions": { - "default": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. 
A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", - "check": "Determine whether the Ubuntu operating system is using local or\nDomain Name Server (DNS) name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host’s line in the \"/etc/nsswitch.conf\"\nfile, the \"/etc/resolv.conf\" file must be empty.\n\nIf the \"/etc/resolv.conf\" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host’s line of the \"/etc/nsswitch.conf\"\nfile, verify the Ubuntu operating system is configured to use two or more name\nservers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# sudo grep nameserver /etc/resolv.conf\n\nnameserver 192.168.1.2\n\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to use two or more name\nservers for Domain Name Server (DNS) resolution.\n\nEdit the \"/etc/resolv.conf\" file to uncomment or add the two or more\n\"nameserver\" option lines with the IP address of local authoritative name\nservers. If local host resolution is being performed, the \"/etc/resolv.conf\"\nfile must be empty. An empty \"/etc/resolv.conf\" file can be created as\nfollows:\n\n# echo -n > /etc/resolv.conf" + "default": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. 
These messages contain information from the system's route table,\npossibly revealing portions of the network topology.", + "check": "Verify the Ubuntu operating system does not send Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages.\n\nCheck the value of the \"all send_redirects\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.send_redirects=0" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75871", - "rid": "SV-90551r2_rule", - "stig_id": "UBTU-16-030520", - "fix_id": "F-82501r2_fix", + "gid": "V-75885", + "rid": "SV-90565r2_rule", + "stig_id": "UBTU-16-030590", + "fix_id": "F-82515r2_fix", "cci": [ "CCI-000366" ], 
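Review bot: In the V-75691 control code, `audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?` is a plain substring test, and `/bin/su` is a substring of `/usr/bin/sudo` and `/usr/bin/sudoedit`, which are audited by sibling STIG rules; a host with only the sudo rule loaded takes the first branch and then fails on `its('permissions') { should_not cmp [] }` with a misleading message rather than the intended "audit line(s) for /bin/su exist" failure. Anchoring on the path field avoids this, e.g. `audit_lines_exist = auditd.lines.any? { |line| line.match?(%r{-F path=/bin/su(\s|$)}) }` (assuming `auditd.lines` carries the `auditctl -l` form shown in the fix text). The describe block also never asserts the `auid>=1000`/`auid!=4294967295` fields or the `privileged-priv_change` key that the check text requires, so a rule that audits only root's use of `su` passes; if those are meant to be enforced, compare against the full rule line rather than just `action`, `list` and `permissions`.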
@@ -595,48 +617,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75871' do\n title \"For Ubuntu operating systems using Domain Name Servers (DNS)\nresolution, at least two name servers must be configured.\"\n desc \"To provide availability for name resolution services, multiple\nredundant name servers are mandated. A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75871'\n tag \"rid\": 'SV-90551r2_rule'\n tag \"stig_id\": 'UBTU-16-030520'\n tag \"fix_id\": 'F-82501r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Determine whether the Ubuntu operating system is using local or\nDomain Name Server (DNS) name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host’s line in the \\\"/etc/nsswitch.conf\\\"\nfile, the \\\"/etc/resolv.conf\\\" file must be empty.\n\nIf the \\\"/etc/resolv.conf\\\" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host’s line of the \\\"/etc/nsswitch.conf\\\"\nfile, verify the Ubuntu operating system is configured to use two or more name\nservers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# sudo grep nameserver /etc/resolv.conf\n\nnameserver 192.168.1.2\n\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a\nfinding.\"\n desc 
'fix', \"Configure the Ubuntu operating system to use two or more name\nservers for Domain Name Server (DNS) resolution.\n\nEdit the \\\"/etc/resolv.conf\\\" file to uncomment or add the two or more\n\\\"nameserver\\\" option lines with the IP address of local authoritative name\nservers. If local host resolution is being performed, the \\\"/etc/resolv.conf\\\"\nfile must be empty. An empty \\\"/etc/resolv.conf\\\" file can be created as\nfollows:\n\n# echo -n > /etc/resolv.conf\"\n\n describe file('/etc/nsswitch.conf') do\n it { should exist }\n end\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }\n\n dns_entry_exists = parse_config_file('/etc/nsswitch.conf', options).params('hosts').match?(/dns/)\n if dns_entry_exists\n describe 'DNS entry exists in /etc/nsswitch.conf' do\n subject { dns_entry_exists }\n it { should be true }\n end\n else\n describe file('/etc/resolv.conf') do\n its('content') { should match %r{/^(?!(#.*)).+/m} }\n end\n end\nend\n", + "code": "control 'V-75885' do\n title \"The Ubuntu operating system must not send Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirects.\"\n desc \"Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. 
These messages contain information from the system's route table,\npossibly revealing portions of the network topology.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75885'\n tag \"rid\": 'SV-90565r2_rule'\n tag \"stig_id\": 'UBTU-16-030590'\n tag \"fix_id\": 'F-82515r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not send Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages.\n\nCheck the value of the \\\"all send_redirects\\\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects=0\n\nIf the returned line does not have a value of \\\"0\\\", or a line is not returned,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.all.send_redirects=0\"\n\n describe kernel_parameter('net.ipv4.conf.all.send_redirects') do\n its('value') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75871.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75885.rb", "line": 3 }, - "id": "V-75871" + "id": "V-75885" }, { - "title": "The Ubuntu operating system must display the Standard Mandatory 
DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a graphical user logon.", - "desc": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. 
Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", + "title": "Successful/unsuccessful uses of the openat command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", - "check": "Verify the Ubuntu operating system security patches and updates\nare installed and up to date. Updates are required to be applied with a\nfrequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Ubuntu. The URL for\nupdates is https://www.Ubuntu.com/usn/. 
It is important to note that updates\nprovided by Ubuntu may not be present on the system if the underlying packages\nare not installed.\n\nCheck that the available package security updates have been installed on the\nsystem with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the\ntimeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance\nVulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information\nAssurance Vulnerability Management (IAVM) process, this is a finding.", - "fix": "Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system.\n\nCreate a database that will contain the system wide graphical user logon\nsettings (if it does not already exist) with the following command:\n\n# sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the \"[org/gnome/login-screen]\" section of the\n\"/etc/dconf/db/local.d/01-banner-message\" file:\n\n[org/gnome/login-screen]\nbanner-message-enable=true" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"openat\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system 
rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"openat\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000023-GPOS-00006", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000228-GPOS-00088" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75393", - "rid": "SV-90073r2_rule", - "stig_id": "UBTU-16-010020", - "fix_id": "F-82021r1_fix", + "gid": "V-75751", + "rid": "SV-90431r3_rule", + "stig_id": "UBTU-16-020630", + "fix_id": "F-82379r2_fix", "cci": [ - "CCI-000048", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AC-8 a", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 2", - "AC-8\nc 3", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
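Review bot: The V-75885 control code checks only `kernel_parameter('net.ipv4.conf.all.send_redirects')`, but to my recollection the kernel's ip-sysctl documentation states that redirect sending on an interface is enabled if either `conf.all.send_redirects` or the per-interface `conf.<if>.send_redirects` is set, so `all=0` alone does not guarantee redirects are off; a second block, `describe kernel_parameter('net.ipv4.conf.default.send_redirects') do its('value') { should eq 0 } end`, would at least cover newly created interfaces, and this deserves confirmation against the kernel docs before the control is relied on. `kernel_parameter` also reads only the live value, so a host configured by `sysctl -w` without the `/etc/sysctl.conf` or `/etc/sysctl.d` entry the fix text calls for passes until the next reboot; if persistence matters, add a `describe file` or `parse_config_file` check on those paths. The openat check/fix text added earlier in this hunk lists only `arch=b64` rules; on a 64-bit kernel, 32-bit processes invoking `openat` are not captured without matching `arch=b32` rules, though the control code for V-75751 itself lies outside this hunk.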
@@ -650,34 +674,42 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75393' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a graphical user logon.\"\n desc \"Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring 
of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\\\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \\\"I've read and consent to terms in IS user agreem't.\\\"\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"satisfies\": %w[SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088]\n tag \"gid\": 'V-75393'\n tag \"rid\": 'SV-90073r2_rule'\n tag \"stig_id\": 'UBTU-16-010020'\n tag \"fix_id\": 'F-82021r1_fix'\n tag \"cci\": %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386\n CCI-001387 CCI-001388]\n tag \"nist\": ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', \"AC-8\nc 3\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system security patches and updates\nare installed and up to date. Updates are required to be applied with a\nfrequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Ubuntu. The URL for\nupdates is https://www.Ubuntu.com/usn/. 
It is important to note that updates\nprovided by Ubuntu may not be present on the system if the underlying packages\nare not installed.\n\nCheck that the available package security updates have been installed on the\nsystem with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the\ntimeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance\nVulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information\nAssurance Vulnerability Management (IAVM) process, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system.\n\nCreate a database that will contain the system wide graphical user logon\nsettings (if it does not already exist) with the following command:\n\n# sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the \\\"[org/gnome/login-screen]\\\" section of the\n\\\"/etc/dconf/db/local.d/01-banner-message\\\" file:\n\n[org/gnome/login-screen]\nbanner-message-enable=true\"\n\n describe command('/usr/lib/update-notifier/apt-check --human-readable') do\n its('exit_status') { should cmp 0 }\n its('stdout') { should match '^0 updates are security updates.$' }\n end\n\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match /(banner-message-enable).+=.+(true)/ }\n end\nend\n", + "code": "control 'V-75751' do\n title \"Successful/unsuccessful uses of the openat command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of 
the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75751'\n tag \"rid\": 'SV-90431r3_rule'\n tag \"stig_id\": 'UBTU-16-020630'\n tag \"fix_id\": 'F-82379r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"openat\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"openat\\\" command.\n\nAdd or update the following rules in the 
\\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('openat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('openat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('openat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('openat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75393.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75751.rb", "line": 3 }, - "id": "V-75393" + "id": "V-75751" }, { - "title": "The Ubuntu operating system must prevent Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirect messages from being\naccepted.", - "desc": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. 
An illicit ICMP redirect message could result in a\nman-in-the-middle attack.", + "title": "The Trivial File Transfer Protocol (TFTP) server package must not be\ninstalled if not required for operational support.", + "desc": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", "descriptions": { - "default": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.", - "check": "Verify the Ubuntu operating system will not accept IPv4\nInternet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the default \"accept_redirects\" variables with the\nfollowing command:\n\n# sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to prevent Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages from being acceptedr with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_redirects=0" + "default": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules 
established.", + "check": "Verify a Trivial File Transfer Protocol (TFTP) server has not\nbeen installed.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1\n\nIf TFTP is installed and the requirement for TFTP is not documented with the\nInformation System Security Officer (ISSO), this is a finding.", + "fix": "Remove the Trivial File Transfer Protocol (TFTP) package from the\nsystem with the following command:\n\n# sudo apt-get remove tftpd-hpa" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75879", - "rid": "SV-90559r3_rule", - "stig_id": "UBTU-16-030560", - "fix_id": "F-82509r2_fix", + "gid": "V-75897", + "rid": "SV-90577r2_rule", + "stig_id": "UBTU-16-030720", + "fix_id": "F-82527r1_fix", "cci": [ - "CCI-000366" + "CCI-000318", + "CCI-000368", + "CCI-001812", + "CCI-001813", + "CCI-001814" ], "nist": [ - "CM-6 b", + "CM-3 f", + "CM-6 c", + "CM-11 (2)", + "CM-5 (1)", + "CM-5 (1)", "Rev_4" ], "false_negatives": null, 
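Review bot: The V-75751 InSpec code asserts 32-bit openat rules unconditionally — the two `where { arch == 'b32' }` describes run on every architecture — while the check and fix strings in this hunk list only `arch=b64` rules, so a host configured exactly per the fix fails those two describes. Either add the 32-bit rules to the check/fix text, e.g. `-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access` plus the matching `-F exit=-EACCES` line, or gate the b32 describes the same way the b64 ones are gated on `os.arch`. It is also worth a comment in the control that the `exit=-EPERM` / `exit=-EACCES` filters only record calls that were denied, so despite the "Successful/unsuccessful" title these rules audit failed openat attempts only. The V-75897 (TFTP) control whose descriptions and tags begin at the end of this hunk has its code in the next hunk.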
@@ -691,34 +723,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75879' do\n title \"The Ubuntu operating system must prevent Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirect messages from being\naccepted.\"\n desc \"Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75879'\n tag \"rid\": 'SV-90559r3_rule'\n tag \"stig_id\": 'UBTU-16-030560'\n tag \"fix_id\": 'F-82509r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system will not accept IPv4\nInternet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the default \\\"accept_redirects\\\" variables with the\nfollowing command:\n\n# sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects=0\n\nIf the returned line does not have a value of \\\"0\\\", or a line is not returned,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages from being acceptedr with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in 
the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.default.accept_redirects=0\"\n\n describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do\n its('value') { should eq 0 }\n end\nend\n", + "code": "control 'V-75897' do\n title \"The Trivial File Transfer Protocol (TFTP) server package must not be\ninstalled if not required for operational support.\"\n desc \"If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75897'\n tag \"rid\": 'SV-90577r2_rule'\n tag \"stig_id\": 'UBTU-16-030720'\n tag \"fix_id\": 'F-82527r1_fix'\n tag \"cci\": %w[CCI-000318 CCI-000368 CCI-001812 CCI-001813\n CCI-001814]\n tag \"nist\": ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify a Trivial File Transfer Protocol (TFTP) server has not\nbeen installed.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1\n\nIf TFTP is installed and the requirement for TFTP is not documented with the\nInformation System Security Officer (ISSO), this is a finding.\"\n desc 'fix', \"Remove the Trivial File Transfer Protocol (TFTP) package from the\nsystem with the following command:\n\n# sudo apt-get remove tftpd-hpa\"\n\n describe package('tftpd-hpa') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 
16.04 STIG/controls/V-75879.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75897.rb", "line": 3 }, - "id": "V-75879" + "id": "V-75897" }, { - "title": "The Ubuntu operating system must allocate audit record storage\ncapacity to store at least one weeks worth of audit records, when audit records\nare not immediately sent to a central audit record storage facility.", - "desc": "In order to ensure Ubuntu operating systems have a sufficient storage\ncapacity in which to write the audit logs, Ubuntu operating systems need to be\nable to allocate audit record storage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of the Ubuntu operating system.", + "title": "The audit system must take appropriate action when the network cannot\nbe used to off-load audit records.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", "descriptions": { - "default": "In order to ensure Ubuntu operating systems have a sufficient storage\ncapacity in which to write the audit logs, Ubuntu operating systems need to be\nable to allocate audit record storage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of the Ubuntu operating system.", - "check": "Verify the Ubuntu operating system allocates audit record\nstorage capacity to store at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nDetermine which partition the audit records are being written to with the\nfollowing command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the\nexample being /var/log/audit/) with the following command:\n\n# df –h 
/var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit\nrecords (/var/log/audit is a separate partition), determine the amount of space\nbeing used by other files in the partition with the following command:\n\n#du –sh [audit_partition]\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit records is\nbased on the activity level of the system and the total storage capacity\navailable. In normal circumstances, 10.0 GB of storage space for audit records\nwill be sufficient.\n\nIf the audit record partition is not allocated for sufficient storage capacity,\nthis is a finding.", - "fix": "Allocate enough storage capacity for at least one week's worth of\naudit records when audit records are not immediately sent to a central audit\nrecord storage facility.\n\nIf audit records are stored on a partition made specifically for audit records,\nuse the \"X\" program to resize the partition with sufficient space to contain\none week's worth of audit records.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be\ncreated." 
+ "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "check": "Verify that the audit system takes appropriate action if the\nnetwork cannot be used to off-load audit records.\n\nCheck what action will take place if the network connection fails with the\nfollowing command:\n\n# sudo grep -iw \"network_failure\" /etc/audisp/audisp-remote.conf\n\nnetwork_failure_action = stop\n\nIf the value of the “network_failure_action” option is not \"syslog\",\n\"single\", or \"halt\", or the line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to take appropriate action\nwhen the network cannot be used to off-load audit records.\n\nAdd, edit or uncomment the \"network_failure_action\" option in\n\"/etc/audisp/audisp-remote.conf\". Set it to \"syslog\", \"single\" or\n\"halt\" like the below example:\n\nnetwork_failure_action = single" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-75621", - "rid": "SV-90301r2_rule", - "stig_id": "UBTU-16-020020", - "fix_id": "F-82249r1_fix", + "gtitle": "SRG-OS-000479-GPOS-00224", + "gid": "V-75859", + "rid": "SV-90539r2_rule", + "stig_id": "UBTU-16-030430", + "fix_id": "F-82489r1_fix", "cci": [ - "CCI-001849" + "CCI-001851" ], "nist": [ - "AU-4", + "AU-4 (1)", "Rev_4" ], "false_negatives": null, 
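Review bot: The V-75897 test `describe package('tftpd-hpa') do it { should_not be_installed }` fails unconditionally, while the check text in this hunk makes an installed TFTP server a finding only when the requirement is not documented with the ISSO; the control offers no way to record that exception. Consider wrapping the describe in `unless input('tftp_required', value: false)`, or stating in the control description that a documented ISSO exception has to be handled as a manual override. The package resource also covers only `tftpd-hpa`, mirroring the STIG's `dpkg -l | grep tftpd-hpa`; other TFTP server packages (e.g. atftpd, where available) would not be detected, so if that narrow scope is intentional a one-line comment saying so would help. The V-75859 (audisp network_failure_action) control whose descriptions begin at the end of this hunk has its code in the next hunk.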
@@ -732,20 +764,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75621' do\n title \"The Ubuntu operating system must allocate audit record storage\ncapacity to store at least one weeks worth of audit records, when audit records\nare not immediately sent to a central audit record storage facility.\"\n desc \"In order to ensure Ubuntu operating systems have a sufficient storage\ncapacity in which to write the audit logs, Ubuntu operating systems need to be\nable to allocate audit record storage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of the Ubuntu operating system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000341-GPOS-00132'\n tag \"gid\": 'V-75621'\n tag \"rid\": 'SV-90301r2_rule'\n tag \"stig_id\": 'UBTU-16-020020'\n tag \"fix_id\": 'F-82249r1_fix'\n tag \"cci\": ['CCI-001849']\n tag \"nist\": %w[AU-4 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system allocates audit record\nstorage capacity to store at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nDetermine which partition the audit records are being written to with the\nfollowing command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the\nexample being /var/log/audit/) with the following command:\n\n# df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit\nrecords (/var/log/audit is a separate 
partition), determine the amount of space\nbeing used by other files in the partition with the following command:\n\n#du –sh [audit_partition]\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit records is\nbased on the activity level of the system and the total storage capacity\navailable. In normal circumstances, 10.0 GB of storage space for audit records\nwill be sufficient.\n\nIf the audit record partition is not allocated for sufficient storage capacity,\nthis is a finding.\"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of\naudit records when audit records are not immediately sent to a central audit\nrecord storage facility.\n\nIf audit records are stored on a partition made specifically for audit records,\nuse the \\\"X\\\" program to resize the partition with sufficient space to contain\none week's worth of audit records.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be\ncreated.\"\n\n log_file_path = input('log_file_path')\n log_file_dir = input('log_file_dir')\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file_path).size\n standard_audit_log_size = input('standard_audit_log_size')\n\n describe ('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe ('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\nend\n", + "code": "control 'V-75859' do\n title \"The audit system must take appropriate action when the network cannot\nbe used to off-load audit records.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or 
alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-75859'\n tag \"rid\": 'SV-90539r2_rule'\n tag \"stig_id\": 'UBTU-16-030430'\n tag \"fix_id\": 'F-82489r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the audit system takes appropriate action if the\nnetwork cannot be used to off-load audit records.\n\nCheck what action will take place if the network connection fails with the\nfollowing command:\n\n# sudo grep -iw \\\"network_failure\\\" /etc/audisp/audisp-remote.conf\n\nnetwork_failure_action = stop\n\nIf the value of the “network_failure_action” option is not \\\"syslog\\\",\n\\\"single\\\", or \\\"halt\\\", or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to take appropriate action\nwhen the network cannot be used to off-load audit records.\n\nAdd, edit or uncomment the \\\"network_failure_action\\\" option in\n\\\"/etc/audisp/audisp-remote.conf\\\". 
Set it to \\\"syslog\\\", \\\"single\\\" or\n\\\"halt\\\" like the below example:\n\nnetwork_failure_action = single\"\n\n config_file_exists = file('/etc/audisp/audisp-remote.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('network_failure_action.strip') { should match(/^(syslog|single|halt)$/) }\n end\n else\n describe '/etc/audisp/audisp-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75621.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75859.rb", "line": 3 }, - "id": "V-75621" + "id": "V-75859" }, { - "title": "Audit records must contain information to establish what type of\nevents occurred, the source of events, where events occurred, and the outcome\nof events.", - "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack, recognizing resource\nutilization or capacity thresholds, or identifying an improperly configured\nUbuntu operating system.", + "title": "Successful/unsuccessful uses of the pam_timestamp_check command must\ngenerate an audit record.", + "desc": "At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", "descriptions": { - "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack, recognizing resource\nutilization or capacity thresholds, or identifying an improperly configured\nUbuntu operating system.", - "check": "Verify the audit service is configured to produce audit\nrecords.\n\nCheck that the audit service is installed properly with the following command:\n\n# dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\nCheck that the audit service is properly running and active on the system with\nthe following command:\n\n# systemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\", this is a finding.", - "fix": "Configure the audit service to produce audit records containing\nthe information needed to establish when (date and time) an event occurred.\n\nInstall the audit service (if the audit service is not already installed) with\nthe following command:\n\n# sudo apt-get install auditd\n\nEnable the audit service with the following command:\n\n# sudo systemctl enable auditd.service\n\nRestart the audit service with the following command:\n\n# sudo systemctl restart auditd.service" + "default": "At a minimum, the organization must audit the full-text 
recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"pam_timestamp_check\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam_timestamp_check\n\nIf the above command does not return the exact same output displayed in the\nexample, this is a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"pam_timestamp_check\" command. Add or\nupdate the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam_timestamp_check\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], 
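Review bot: In the V-75859 code, `its('network_failure_action.strip')` calls `.strip` on the parsed value, so when the option is absent or commented out — a state the check text explicitly calls a finding — `parse_config_file` most likely yields nil and the example errors with a NoMethodError rather than a readable expectation failure. Dropping the `.strip` and letting the pattern absorb whitespace, `its('network_failure_action') { should match(/^\s*(syslog|single|halt)\s*$/) }`, gives a clear failure in both cases. Separately, the control passes as soon as the option has an accepted value without confirming that the remote plugin is actually active (the `active` setting in `/etc/audisp/plugins.d/au-remote.conf`) or that a `remote_server` is configured; if that is deliberately out of scope, a one-line comment noting which control covers plugin activation would avoid a false sense of coverage. The V-75789 (pam_timestamp_check) control whose descriptions begin at the end of this hunk has its code in a later hunk.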
@@ -753,73 +785,28 @@ "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ "SRG-OS-000037-GPOS-00015", - "SRG-OS-000038-GPOS-00016", - "SRG-OS-000039-GPOS-00017", - "SRG-OS-000040-GPOS-00018", - "SRG-OS-000041-GPOS-00019", - "SRG-OS-000042-GPOS-00021", - "SRG-OS-000051-GPOS-00024", - "SRG-OS-000054-GPOS-00025", - "SRG-OS-000122-GPOS-00063", - "SRG-OS-000254-GPOS-00095", - "SRG-OS-000255-GPOS-00096", - "SRG-OS-000337-GPOS-00129", - "SRG-OS-000348-GPOS-00136", - "SRG-OS-000349-GPOS-00137", - "SRG-OS-000350-GPOS-00138", - "SRG-OS-000351-GPOS-00139", - "SRG-OS-000352-GPOS-00140", - "SRG-OS-000353-GPOS-00141", - "SRG-OS-000354-GPOS-00142", - "SRG-OS-000358-GPOS-00145", - "SRG-OS-000365-GPOS-00152", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", - "SRG-OS-000475-GPOS-00220" + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75617", - "rid": "SV-90297r1_rule", - "stig_id": "UBTU-16-020000", - "fix_id": "F-82245r1_fix", + "gid": "V-75789", + "rid": "SV-90469r3_rule", + "stig_id": "UBTU-16-020820", + "fix_id": "F-82419r2_fix", "cci": [ "CCI-000130", - "CCI-000131", - "CCI-000132", - "CCI-000133", - "CCI-000134", "CCI-000135", - "CCI-000154", - "CCI-000158", + "CCI-000169", "CCI-000172", - "CCI-001464", - "CCI-001487", - "CCI-001814", - "CCI-001875", - "CCI-001876", - "CCI-001877", - "CCI-001878", - "CCI-001880", - "CCI-001914", "CCI-002884" ], "nist": [ - "AU-3", - "AU-3", - "AU-3", - "AU-3", "AU-3", "AU-3 (1)", - "AU-6 (4)", - "AU-7 (1)", + "AU-12 a", "AU-12 c", - "AU-14 (1)", - "AU-3", - "CM-5 (1)", - "AU-7 a", - "AU-7 a", - "AU-7 a", - "AU-7 a", - "AU-7 a", - "AU-12 (3)", "MA-4 (1) (a)", "Rev_4" ], 
@@ -834,50 +821,34 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75617' do\n title \"Audit records must contain information to establish what type of\nevents occurred, the source of events, where events occurred, and the outcome\nof events.\"\n desc \"Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack, recognizing resource\nutilization or capacity thresholds, or identifying an improperly configured\nUbuntu operating system.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016\n SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018\n SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00021\n SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025\n SRG-OS-000122-GPOS-00063 SRG-OS-000254-GPOS-00095\n SRG-OS-000255-GPOS-00096 SRG-OS-000337-GPOS-00129\n SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137\n SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139\n SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141\n SRG-OS-000354-GPOS-00142 SRG-OS-000358-GPOS-00145\n SRG-OS-000365-GPOS-00152 SRG-OS-000392-GPOS-00172\n SRG-OS-000475-GPOS-00220]\n tag \"gid\": 'V-75617'\n tag \"rid\": 'SV-90297r1_rule'\n tag \"stig_id\": 'UBTU-16-020000'\n tag \"fix_id\": 'F-82245r1_fix'\n tag \"cci\": %w[CCI-000130 CCI-000131 CCI-000132 CCI-000133\n CCI-000134 CCI-000135 CCI-000154 CCI-000158 
CCI-000172\n CCI-001464 CCI-001487 CCI-001814 CCI-001875 CCI-001876\n CCI-001877 CCI-001878 CCI-001880 CCI-001914 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3', 'AU-3', 'AU-3', 'AU-3', 'AU-3 (1)', 'AU-6 (4)',\n 'AU-7 (1)', 'AU-12 c', 'AU-14 (1)', 'AU-3', 'CM-5 (1)', 'AU-7 a', 'AU-7 a',\n 'AU-7 a', 'AU-7 a', 'AU-7 a', 'AU-12 (3)', 'MA-4 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit service is configured to produce audit\nrecords.\n\nCheck that the audit service is installed properly with the following command:\n\n# dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\nCheck that the audit service is properly running and active on the system with\nthe following command:\n\n# systemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\", this is a finding.\"\n desc 'fix', \"Configure the audit service to produce audit records containing\nthe information needed to establish when (date and time) an event occurred.\n\nInstall the audit service (if the audit service is not already installed) with\nthe following command:\n\n# sudo apt-get install auditd\n\nEnable the audit service with the following command:\n\n# sudo systemctl enable auditd.service\n\nRestart the audit service with the following command:\n\n# sudo systemctl restart auditd.service\"\n\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n",
+ "code": "control 'V-75789' do\n title \"Successful/unsuccessful uses of the pam_timestamp_check command must\ngenerate an audit 
record.\"\n desc \"At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75789'\n tag \"rid\": 'SV-90469r3_rule'\n tag \"stig_id\": 'UBTU-16-020820'\n tag \"fix_id\": 'F-82419r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"pam_timestamp_check\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam_timestamp_check\n\nIf the above command does not return the exact same output displayed in the\nexample, this is a finding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"pam_timestamp_check\\\" command. 
Add or\nupdate the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam_timestamp_check\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75617.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75789.rb",
 "line": 3
 },
- "id": "V-75617"
+ "id": "V-75789"
 },
 {
- "title": "Successful/unsuccessful uses of the init_module command must generate\nan audit record.",
- "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).",
+ "title": "All passwords must contain at least one special character.",
+ "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity or strength is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor in determining how long it takes to crack\na password. The more complex the password, the greater the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Special characters are those characters that are not alphanumeric. Examples\ninclude: ~ ! @ # $ % ^ *.",
 "descriptions": {
- "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).",
- "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"init_module\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w \"init_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.",
- "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"init_module\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
+ "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity or strength is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor in determining how long it takes to crack\na password. The more complex the password, the greater the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Special characters are those characters that are not alphanumeric. Examples\ninclude: ~ ! @ # $ % ^ *.",
+ "check": "Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one special character be used.\n\nDetermine if the field \"ocredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n# grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf the \"ocredit\" parameter is not equal to \"-1\", or is commented out, this\nis a finding.",
+ "fix": "Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one special character be used.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto contain the \"ocredit\" parameter:\n\nocredit=-1"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000037-GPOS-00015",
- "satisfies": [
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215"
- ],
- "gid": "V-75791",
- "rid": "SV-90471r3_rule",
- "stig_id": "UBTU-16-020830",
- "fix_id": "F-82421r2_fix",
+ "gtitle": "SRG-OS-000266-GPOS-00101",
+ "gid": "V-75455",
+ "rid": "SV-90135r2_rule",
+ "stig_id": "UBTU-16-010130",
+ "fix_id": "F-82083r2_fix",
 "cci": [
- "CCI-000130",
- "CCI-000135",
- "CCI-000169",
- 
"CCI-000172", - "CCI-002884" + "CCI-001619" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
@@ -891,29 +862,29 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75791' do\n title \"Successful/unsuccessful uses of the init_module command must generate\nan audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75791'\n tag \"rid\": 'SV-90471r3_rule'\n tag \"stig_id\": 'UBTU-16-020830'\n tag \"fix_id\": 'F-82421r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"init_module\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w \\\"init_module\\\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nIf the command does not return a line, or the line is commented out, this is 
a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"init_module\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n",
+ "code": "control 'V-75455' do\n title 'All passwords must contain at least one special character.'\n desc \"Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity or strength is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor in determining how long it takes to crack\na password. The more complex the password, the greater the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Special characters are those characters that are not alphanumeric. Examples\ninclude: ~ ! 
@ # $ % ^ *.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000266-GPOS-00101'\n tag \"gid\": 'V-75455'\n tag \"rid\": 'SV-90135r2_rule'\n tag \"stig_id\": 'UBTU-16-010130'\n tag \"fix_id\": 'F-82083r2_fix'\n tag \"cci\": ['CCI-001619']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one special character be used.\n\nDetermine if the field \\\"ocredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n# grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf the \\\"ocredit\\\" parameter is not equal to \\\"-1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one special character be used.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file\nto contain the \\\"ocredit\\\" parameter:\n\nocredit=-1\"\n\n min_num_special_char = input('min_num_special_char')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp min_num_special_char }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75791.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75455.rb",
 "line": 3
 },
- "id": "V-75791"
+ "id": "V-75455"
 },
 {
- "title": "The x86 Ctrl-Alt-Delete key sequence must be disabled.",
- "desc": "A 
locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.",
+ "title": "Default permissions must be defined in such a way that all\nauthenticated users can only read and modify their own files.",
+ "desc": "Setting the most restrictive default permissions ensures that when new\naccounts are created they do not have unnecessary access.",
 "descriptions": {
- "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.",
- "check": "Verify the Ubuntu operating system is not configured to reboot\nthe system when Ctrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known as reboot.target)\nis not active with the following command:\n\n# systemctl status ctrl-alt-del.target\nreboot.target - Reboot\n Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled)\n Active: inactive (dead)\n Docs: man:systemd.special(7)\n\nIf the \"ctrl-alt-del.target\" is active, this is a finding.",
- "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for\nthe command line with the following command:\n\n# sudo systemctl mask ctrl-alt-del.target\n\nAnd reload the daemon to take effect\n\n# sudo systemctl daemon-reload\n\nIf GNOME is active on the system, create a database to contain the system-wide\nsetting (if it does not already exist) with the following command:\n\n# cat /etc/dconf/db/local.d/00-disable-CAD\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=’’"
+ "default": "Setting the most restrictive default permissions ensures that when new\naccounts are created they do not have unnecessary access.",
+ "check": "Verify the Ubuntu operating system defines default permissions\nfor all authenticated users in such a way that the user can only read and\nmodify their own files.\n\nCheck that the Ubuntu operating system defines default permissions for all\nauthenticated users with the following command:\n\n# grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\" variable is set to \"000\", this is a finding with the\nseverity raised to a CAT I.\n\nIf the value of \"UMASK\" is not set to \"077\", \"UMASK\" is commented out or\n\"UMASK\" is missing completely, this is a finding.",
+ "fix": 
"Configure the system to define the default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\nEdit the \"UMASK\" parameter in the \"/etc/login.defs\" file to match the\nexample below:\n\nUMASK 077" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75541", - "rid": "SV-90221r2_rule", - "stig_id": "UBTU-16-010630", - "fix_id": "F-82169r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00228", + "gid": "V-75543", + "rid": "SV-90223r2_rule", + "stig_id": "UBTU-16-010640", + "fix_id": "F-82171r1_fix", "cci": [ "CCI-000366" ], 
@@ -932,34 +903,34 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75541' do\n title 'The x86 Ctrl-Alt-Delete key sequence must be disabled.'\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75541'\n tag \"rid\": 'SV-90221r2_rule'\n tag \"stig_id\": 'UBTU-16-010630'\n tag \"fix_id\": 'F-82169r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot\nthe system when Ctrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known as reboot.target)\nis not active with the following command:\n\n# systemctl status ctrl-alt-del.target\nreboot.target - Reboot\n Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled)\n Active: inactive (dead)\n Docs: man:systemd.special(7)\n\nIf the \\\"ctrl-alt-del.target\\\" is active, this is a finding.\"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for\nthe command line with the following command:\n\n# sudo systemctl mask ctrl-alt-del.target\n\nAnd reload the daemon to take effect\n\n# sudo systemctl daemon-reload\n\nIf GNOME is active on the 
system, create a database to contain the system-wide\nsetting (if it does not already exist) with the following command:\n\n# cat /etc/dconf/db/local.d/00-disable-CAD\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=’’\"\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n",
+ "code": "control 'V-75543' do\n title \"Default permissions must be defined in such a way that all\nauthenticated users can only read and modify their own files.\"\n desc \"Setting the most restrictive default permissions ensures that when new\naccounts are created they do not have unnecessary access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00228'\n tag \"gid\": 'V-75543'\n tag \"rid\": 'SV-90223r2_rule'\n tag \"stig_id\": 'UBTU-16-010640'\n tag \"fix_id\": 'F-82171r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system defines default permissions\nfor all authenticated users in such a way that the user can only read and\nmodify their own files.\n\nCheck that the Ubuntu operating system defines default permissions for all\nauthenticated users with the following command:\n\n# grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\" variable is set to \\\"000\\\", this is a finding with the\nseverity raised to a CAT I.\n\nIf the value of \\\"UMASK\\\" is not set to \\\"077\\\", \\\"UMASK\\\" is commented out or\n\\\"UMASK\\\" is missing completely, this is a finding.\"\n desc 'fix', \"Configure the system to define the default 
permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\nEdit the \\\"UMASK\\\" parameter in the \\\"/etc/login.defs\\\" file to match the\nexample below:\n\nUMASK 077\"\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75541.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75543.rb",
 "line": 3
 },
- "id": "V-75541"
+ "id": "V-75543"
 },
 {
- "title": "All local interactive user home directories must be group-owned by the\nhome directory owners primary group.",
- "desc": "If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.",
+ "title": "The Ubuntu operating system must implement non-executable data to\nprotect its memory from unauthorized code execution.",
+ "desc": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. 
Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.",
 "descriptions": {
- "default": "If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.",
- "check": "Verify the assigned home directory of all local interactive\nusers is group-owned by that user’s primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system\nwith the following command:\n\nNote: This may miss local interactive users that have been assigned a\nprivileged UID. Evidence of interactive use may be obtained from a number of\nlog files containing system logon information. The returned directory\n\"/home/smithj\" is used as an example.\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\"nobody\"){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n# grep admin /etc/group\nadmin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by\nthat user’s primary GID, this is a finding.",
- "fix": "Change the group owner of a local interactive user’s home\ndirectory to the group found in \"/etc/passwd\". 
To change the group owner of a\nlocal interactive user’s home directory, use the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of\n\"/home/smithj\", and has a primary group of users.\n\n# chgrp users /home/smithj"
+ "default": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.",
+ "check": "Verify the NX (no-execution) bit flag is set on the system.\n\nCheck that the no-execution bit flag is set with the following commands:\n\n# dmesg | grep NX\n\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf \"dmesg\" does not show \"NX (Execute Disable) protection\" active, check\nthe cpuinfo settings with the following command:\n\n# less /proc/cpuinfo | grep -i flags\nflags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a finding.",
+ "fix": "The NX bit execute protection must be enabled in the system BIOS."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75567",
- "rid": "SV-90247r1_rule",
- "stig_id": "UBTU-16-010760",
- "fix_id": "F-82195r1_fix",
+ "gtitle": "SRG-OS-000433-GPOS-00192",
+ "gid": "V-75819",
+ "rid": "SV-90499r2_rule",
+ "stig_id": "UBTU-16-030130",
+ "fix_id": "F-82449r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-002824"
 ],
 "nist": [
- "CM-6 b",
+ "SI-16",
 "Rev_4"
 ],
 "false_negatives": null,
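Review bot: The V-75543 test in the new `code` string, `its('UMASK') { should eq '077' }`, cannot express the escalation written in the same control's `check` text, which says `UMASK 000` is a CAT I finding, while the record's `impact` stays at `0.5`; a failing run reports a `000` and a `022` system identically. A separate expectation inside the same `describe login_defs` block, `its('UMASK') { should_not eq '000' }`, would at least surface the severe case as its own failure line. Since this JSON is presumably exported from `V-75543.rb`, the control source is where to make that change.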
@@ -973,54 +944,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75567' do\n title \"All local interactive user home directories must be group-owned by the\nhome directory owners primary group.\"\n desc \"If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75567'\n tag \"rid\": 'SV-90247r1_rule'\n tag \"stig_id\": 'UBTU-16-010760'\n tag \"fix_id\": 'F-82195r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the assigned home directory of all local interactive\nusers is group-owned by that user’s primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system\nwith the following command:\n\nNote: This may miss local interactive users that have been assigned a\nprivileged UID. Evidence of interactive use may be obtained from a number of\nlog files containing system logon information. 
The returned directory\n\\\"/home/smithj\\\" is used as an example.\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n# grep admin /etc/group\nadmin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \\\"/etc/passwd\\\" is not group-owned by\nthat user’s primary GID, this is a finding.\"\n desc 'fix', \"Change the group owner of a local interactive user’s home\ndirectory to the group found in \\\"/etc/passwd\\\". To change the group owner of a\nlocal interactive user’s home directory, use the following command:\n\nNote: The example will be for the user \\\"smithj\\\", who has a home directory of\n\\\"/home/smithj\\\", and has a primary group of users.\n\n# chgrp users /home/smithj\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -maxdepth 0 -not -gid #{user_info.gid}\").stdout.split(\"\\n\")\n end\n describe \"Home directories that are not group-owned by the user's primary GID\" do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", + "code": "control 'V-75819' do\n title \"The Ubuntu operating system must implement non-executable data to\nprotect its memory from unauthorized code execution.\"\n desc \"Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. 
Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000433-GPOS-00192'\n tag \"gid\": 'V-75819'\n tag \"rid\": 'SV-90499r2_rule'\n tag \"stig_id\": 'UBTU-16-030130'\n tag \"fix_id\": 'F-82449r1_fix'\n tag \"cci\": ['CCI-002824']\n tag \"nist\": %w[SI-16 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system.\n\nCheck that the no-execution bit flag is set with the following commands:\n\n# dmesg | grep NX\n\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf \\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection\\\" active, check\nthe cpuinfo settings with the following command:\n\n# less /proc/cpuinfo | grep -i flags\nflags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a finding.\"\n desc 'fix', 'The NX bit execute protection must be enabled in the system BIOS.'\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match /.+(NX \\(Execute Disable\\) protection: active)/ }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75567.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75819.rb", "line": 3 }, - "id": "V-75567" + "id": "V-75819" }, { - "title": "The Ubuntu operating system must generate audit 
records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/passwd.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "Automatic mounting of Universal Serial Bus (USB) mass storage driver\nmust be disabled.", + "desc": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/passwd\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/passwd\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/passwd 
-p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.", + "check": "Verify that automatic mounting of the Universal Serial Bus\n(USB) mass storage driver has been disabled.\n\nCheck that the USB mass storage drive has not been loaded with the following\ncommand:\n\n#lsmod | grep usb-storage\n\nIf a \"usb-storage\" line is returned, this is a finding.\n\nCheck that automatic mounting of the USB mass storage driver has been disabled\nwith the following command:\n\n#sudo modprobe -vn usb-storage\n\ninstall /bin/true\n\nIf “install /bin/true” is not returned, this is a finding.", + "fix": "Disable the mounting of the Universal Serial Bus (USB) mass\nstorage driver by running the following command:\n\n# sudo echo “install usb-storage /bin/true” >> /etc/modprobe.d/DISASTIG.conf" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75661", - "rid": "SV-90341r3_rule", - "stig_id": "UBTU-16-020300", - "fix_id": "F-82289r2_fix", + "gtitle": "SRG-OS-000378-GPOS-00163", + "gid": "V-75531", + "rid": "SV-90211r2_rule", + "stig_id": "UBTU-16-010580", + "fix_id": "F-82159r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002132", - "CCI-002884" + "CCI-001958" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "AC-2 (4)", - "MA-4 (1)\n(a)", + "IA-3", "Rev_4" 
], "false_negatives": null, 
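Review bot: The `describe.one` fallback on `/proc/cpuinfo` accepts the host as compliant when the CPU merely advertises the `nx` feature, which is not the same as the kernel enforcing it; a kernel booted with `noexec=off` (or a 32-bit kernel without PAE) still lists `nx` in cpuinfo while DEP is off, so the control passes on a non-compliant host precisely when the `dmesg` branch yields nothing. That `dmesg` branch is the weak link: the ring buffer wraps on long-uptime systems and `kernel.dmesg_restrict=1` hands an unprivileged run an empty string, so the weaker fallback is reached routinely. Consider a negative guard such as `describe file('/proc/cmdline') do its('content') { should_not match /\bnoexec=off\b/ } end`, and reading the persisted boot log (`journalctl -k` or `/var/log/dmesg`) before dropping to cpuinfo. The `assignment_regex` parse of a multi-CPU `/proc/cpuinfo` sees a repeated `flags` key — presumably the last one wins, but confirm `parse_config_file` does not return an array or raise there.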
@@ -1034,50 +985,46 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75661' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/passwd.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75661'\n tag \"rid\": 'SV-90341r3_rule'\n tag \"stig_id\": 'UBTU-16-020300'\n tag \"fix_id\": 'F-82289r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/passwd\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n\nIf the command does 
not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/passwd\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/passwd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75531' do\n title \"Automatic mounting of Universal Serial Bus (USB) mass storage driver\nmust be disabled.\"\n desc \"Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000378-GPOS-00163'\n tag \"gid\": 'V-75531'\n tag \"rid\": 'SV-90211r2_rule'\n tag \"stig_id\": 'UBTU-16-010580'\n tag \"fix_id\": 'F-82159r2_fix'\n tag \"cci\": ['CCI-001958']\n tag \"nist\": %w[IA-3 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n 
tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that automatic mounting of the Universal Serial Bus\n(USB) mass storage driver has been disabled.\n\nCheck that the USB mass storage drive has not been loaded with the following\ncommand:\n\n#lsmod | grep usb-storage\n\nIf a \\\"usb-storage\\\" line is returned, this is a finding.\n\nCheck that automatic mounting of the USB mass storage driver has been disabled\nwith the following command:\n\n#sudo modprobe -vn usb-storage\n\ninstall /bin/true\n\nIf “install /bin/true” is not returned, this is a finding.\"\n desc 'fix', \"Disable the mounting of the Universal Serial Bus (USB) mass\nstorage driver by running the following command:\n\n# sudo echo “install usb-storage /bin/true” >> /etc/modprobe.d/DISASTIG.conf\"\n\n describe kernel_module('usb-storage') do\n it { should_not be_loaded }\n it { should be_disabled }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75661.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75531.rb", "line": 3 }, - "id": "V-75661" + "id": "V-75531" }, { - "title": "Successful/unsuccessful uses of the finit_module command must generate\nan audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "All networked systems must have and implement SSH to protect the\nconfidentiality and integrity of transmitted and received information, as well\nas information during preparation for transmission.", + "desc": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and 
either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, logical means (cryptography) do not\nhave to be employed, and vice versa.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"finit_module\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w \"finit_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"finit_module\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S 
finit_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, logical means (cryptography) do not\nhave to be employed, and vice versa.", + "check": "Verify the \"ssh\" meta-package is installed.\n\nCheck that the ssh package is installed with the following command:\n\n$ dpkg -l | grep openssh\n\nii openssh-client 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) client, for secure access to\nremote machines\nii openssh-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) server, for secure access\nfrom remote machines\nii openssh-sftp-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) sftp server module, for SFTP\naccess from remote machines\n\nIf the \"openssh\" server package is not installed, this is a finding.\n\nCheck that the \"sshd.service\" is loaded and active with the following command:\n\n# systemctl status sshd.service | egrep -i \"(active|loaded)\"\n\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Sun 2016-06-05 23:46:29 CDT; 1h 4min ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding.", + "fix": "Install the \"ssh\" meta-package on the system with the following\ncommand:\n\n# sudo apt install ssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following\ncommand:\n\n# sudo systemctl enable sshd.service" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", + "gtitle": "SRG-OS-000423-GPOS-00187", "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" ], - "gid": "V-75793", - "rid": "SV-90473r3_rule", - "stig_id": "UBTU-16-020840", - "fix_id": "F-82423r2_fix", + "gid": "V-75857", + "rid": "SV-90537r1_rule", + "stig_id": "UBTU-16-030420", + "fix_id": "F-82487r1_fix", "cci": [ - 
"CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-002418", + "CCI-002420", + "CCI-002421", + "CCI-002422" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "SC-8", + "SC-8 (2)", + "SC-8 (1)", + "SC-8 (2)", "Rev_4" ], "false_negatives": null, 
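Review bot: `kernel_module('usb-storage')` compares the literal hyphenated name, but the kernel reports this module as `usb_storage` in `lsmod` and modprobe treats `-` and `_` as interchangeable in `modprobe.d`, so `should_not be_loaded` likely can never fail (the `lsmod | grep usb-storage` in the check text has the same flaw) and `should be_disabled` will reject a perfectly valid `install usb_storage /bin/true` line — unless the InSpec resource normalizes the name, which is worth confirming. An `install ... /bin/true` stanza also only blocks loads that go through modprobe; a built-in driver or a direct `insmod` of the `.ko` is not covered, so a pass here should not be read as proof the driver cannot be used. Separately, the quoted fix `sudo echo “install usb-storage /bin/true” >> /etc/modprobe.d/DISASTIG.conf` is broken twice: `sudo` does not apply to the `>>` redirection (permission denied from a non-root shell), and the curly quotes are literal characters that land in the file and make the line unparseable by modprobe; the usable form is `echo 'install usb-storage /bin/true' | sudo tee -a /etc/modprobe.d/DISASTIG.conf`.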
@@ -1091,50 +1038,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75793' do\n title \"Successful/unsuccessful uses of the finit_module command must generate\nan audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75793'\n tag \"rid\": 'SV-90473r3_rule'\n tag \"stig_id\": 'UBTU-16-020840'\n tag \"fix_id\": 'F-82423r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"finit_module\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w \\\"finit_module\\\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nIf the command does not return a line, or the line is commented out, this is 
a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"finit_module\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('finit_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('finit_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75857' do\n title \"All networked systems must have and implement SSH to protect the\nconfidentiality and integrity of transmitted and received information, as well\nas information during preparation for transmission.\"\n desc \"Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, logical means (cryptography) do not\nhave to be employed, and vice versa.\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": %w[SRG-OS-000423-GPOS-00187 SRG-OS-000424-GPOS-00188\n SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190]\n tag \"gid\": 'V-75857'\n tag \"rid\": 'SV-90537r1_rule'\n tag \"stig_id\": 'UBTU-16-030420'\n tag \"fix_id\": 'F-82487r1_fix'\n tag \"cci\": %w[CCI-002418 CCI-002420 CCI-002421 CCI-002422]\n tag \"nist\": ['SC-8', 'SC-8 (2)', 'SC-8 (1)', 'SC-8 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the \\\"ssh\\\" meta-package is installed.\n\nCheck that the ssh package is installed with the following command:\n\n$ dpkg -l | grep openssh\n\nii openssh-client 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) client, for secure access to\nremote machines\nii openssh-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) server, for secure access\nfrom remote machines\nii openssh-sftp-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) sftp server module, for SFTP\naccess from remote machines\n\nIf the \\\"openssh\\\" server package is not installed, this is a finding.\n\nCheck that the \\\"sshd.service\\\" is loaded and active with the following command:\n\n# systemctl status sshd.service | egrep -i \\\"(active|loaded)\\\"\n\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Sun 2016-06-05 23:46:29 CDT; 1h 4min ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding.\"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following\ncommand:\n\n# sudo apt install ssh\n\nEnable the 
\\\"ssh\\\" service to start automatically on reboot with the following\ncommand:\n\n# sudo systemctl enable sshd.service\"\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75793.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75857.rb", "line": 3 }, - "id": "V-75793" + "id": "V-75857" }, { - "title": "Successful/unsuccessful uses of the truncate command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must be configured to prohibit or restrict\nthe use of functions, ports, protocols, and/or services, as defined in the\nPorts, Protocols, and Services Management (PPSM) Category Assignments List\n(CAL) and vulnerability assessments.", + "desc": "In order to prevent unauthorized connection of devices, unauthorized\ntransfer of information, or unauthorized tunneling (i.e., embedding of data\ntypes within data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. 
Some of the functions and services provided by default\nmay not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a\nsingle component (e.g., VPN and IPS); however, doing so increases risk over\nlimiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\nUbuntu operating system must support the organizational requirements, providing\nonly essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality of life issues.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"truncate\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"truncate\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit 
-F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "In order to prevent unauthorized connection of devices, unauthorized\ntransfer of information, or unauthorized tunneling (i.e., embedding of data\ntypes within data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services provided by default\nmay not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a\nsingle component (e.g., VPN and IPS); however, doing so increases risk over\nlimiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\nUbuntu operating system must support the organizational requirements, providing\nonly essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality of life issues.", + "check": "Verify the Uncomplicated Firewall is configured to employ a\ndeny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command:\n# sudo ufw status\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are \"allowed\" and are not documented\nwith the organization, this is a finding.", + "fix": "Add/Modify the Ubuntu operating system's firewall 
settings and/or\nrunning services to comply with the Ports, Protocols, and Services Management\n(PPSM) Category Assignments List (CAL)." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75745", - "rid": "SV-90425r3_rule", - "stig_id": "UBTU-16-020600", - "fix_id": "F-82373r2_fix", + "gtitle": "SRG-OS-000096-GPOS-00050", + "gid": "V-75809", + "rid": "SV-90489r2_rule", + "stig_id": "UBTU-16-030060", + "fix_id": "F-82439r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000382" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
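Review bot: `service('sshd')` and the fix text's `systemctl enable sshd.service` target a unit name Ubuntu 16.04 does not ship; the OpenSSH package installs `/lib/systemd/system/ssh.service`, and `sshd.service` exists only as an `Alias=` symlink created once `ssh.service` is enabled, so on a host where the package is installed but the service is not yet enabled the `enable` command fails and `be_enabled`/`be_running` are evaluated against an alias that may not resolve — the example path `/usr/lib/systemd/system/sshd.service` in the check text is RHEL's, not Ubuntu's. Using `service('ssh')` in the control (and `systemctl enable ssh.service` in the fix) removes the ambiguity. Note also that the test only proves an SSH daemon is installed and running; it does not show that management traffic actually uses it or that no cleartext listener exists, so it satisfies SC-8 only partially and the ufw control that follows is where unencrypted services would surface, were it automated.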
@@ -1148,53 +1079,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75745' do\n title \"Successful/unsuccessful uses of the truncate command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75745'\n tag \"rid\": 'SV-90425r3_rule'\n tag \"stig_id\": 'UBTU-16-020600'\n tag \"fix_id\": 'F-82373r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"truncate\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 
-F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"truncate\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('truncate').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('truncate').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('truncate').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('truncate').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", + "code": "control 'V-75809' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict\nthe use of functions, ports, protocols, and/or services, as defined in the\nPorts, Protocols, and Services Management (PPSM) Category Assignments List\n(CAL) and vulnerability assessments.\"\n desc \"In order to prevent unauthorized connection of devices, unauthorized\ntransfer 
of information, or unauthorized tunneling (i.e., embedding of data\ntypes within data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services provided by default\nmay not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a\nsingle component (e.g., VPN and IPS); however, doing so increases risk over\nlimiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\nUbuntu operating system must support the organizational requirements, providing\nonly essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality of life issues.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000096-GPOS-00050'\n tag \"gid\": 'V-75809'\n tag \"rid\": 'SV-90489r2_rule'\n tag \"stig_id\": 'UBTU-16-030060'\n tag \"fix_id\": 'F-82439r1_fix'\n tag \"cci\": ['CCI-000382']\n tag \"nist\": ['CM-7 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Uncomplicated Firewall is configured to employ a\ndeny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command:\n# sudo ufw status\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are \\\"allowed\\\" and 
are not documented\nwith the organization, this is a finding.\"\n desc 'fix', \"Add/Modify the Ubuntu operating system's firewall settings and/or\nrunning services to comply with the Ports, Protocols, and Services Management\n(PPSM) Category Assignments List (CAL).\"\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75745.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75809.rb", "line": 3 }, - "id": "V-75745" + "id": "V-75809" }, { - "title": "The audit system must be configured to audit any usage of the\nfremovexattr system call.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "The Ubuntu operating system must synchronize internal information\nsystem clocks to the authoritative time source when the time difference is\ngreater than one second.", + "desc": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network. Organizations should consider setting time periods\nfor different types of systems (e.g., financial, legal, or mission-critical\nsystems).\n\n Organizations should also consider endpoints that may not have regular\naccess to the authoritative time server (e.g., mobile, teleworking, and\ntactical endpoints). 
This requirement is related to the comparison done every\n24 hours in SRG-OS-000355 because a comparison must be done in order to\ndetermine the time difference.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"fremovexattr\" system call, by running the following\ncommand:\n\n# sudo grep -w fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented 
out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"fremovexattr\" system call by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network. Organizations should consider setting time periods\nfor different types of systems (e.g., financial, legal, or mission-critical\nsystems).\n\n Organizations should also consider endpoints that may not have regular\naccess to the authoritative time server (e.g., mobile, teleworking, and\ntactical endpoints). This requirement is related to the comparison done every\n24 hours in SRG-OS-000355 because a comparison must be done in order to\ndetermine the time difference.", + "check": "Verify that Network Time Protocol (NTP) is running in\ncontinuous mode.\n\nCheck that NTP is running in continuous mode with the following command:\n\n# grep ntpdate /etc/init.d/ntpd\n\n if ntpdate -u -s -b -p 4 -t 5 $NTPSERVER ; then\n\nIf the option \"-q\" is present, this is a finding.", + "fix": "The Network Time Protocol (NTP) will run in continuous mode by\ndefault. If the query only option (-q) has been added to the ntpdate command in\n/etc/init.d/ntpd it must be removed." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000474-GPOS-00219" - ], - "gid": "V-75727", - "rid": "SV-90407r3_rule", - "stig_id": "UBTU-16-020510", - "fix_id": "F-82355r2_fix", + "gtitle": "SRG-OS-000356-GPOS-00144", + "gid": "V-75815", + "rid": "SV-90495r2_rule", + "stig_id": "UBTU-16-030110", + "fix_id": "F-82445r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-002046" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "AU-8 (1) (b)", "Rev_4" ], "false_negatives": null, 
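Review bot: The new V-75809 control asserts only `Status: active` and never checks the deny-by-default policy its own check text ("deny-all, allow-by-exception") describes, and `command('ufw status').stdout.strip.lines.first` is nil when ufw is absent or the run is not privileged, so the following `.split(':')[1].strip` raises NoMethodError and the control errors instead of failing. Reading `ufw status verbose` once and matching both the status and the `Default:` line against the whole output removes the nil dereference and covers the deny-all requirement; the exact `Default:` wording should be confirmed against the target's ufw version. The skip message also misspells "performed" as `preformed`. The Ruby below is the plain control body (it sits inside the JSON-escaped `code` string in the hunk, where the control is complete).
```ruby
  ufw_output = command('ufw status verbose').stdout
  describe 'UFW status' do
    subject { ufw_output }
    it { should match(/^Status:\s*active/) }
    it { should match(/^Default:\s*deny \(incoming\)/) }
  end
  # … unchanged: manual skip for documenting allowed services, ports, applications …
```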
@@ -1208,34 +1120,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75727' do\n title \"The audit system must be configured to audit any usage of the\nfremovexattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75727'\n tag \"rid\": 'SV-90407r3_rule'\n tag \"stig_id\": 'UBTU-16-020510'\n tag 
\"fix_id\": 'F-82355r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"fremovexattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"fremovexattr\\\" system call by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fremovexattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fremovexattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75815' do\n title \"The Ubuntu operating system must synchronize internal information\nsystem clocks to the authoritative time source when the time difference is\ngreater than one second.\"\n desc \"Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network. Organizations should consider setting time periods\nfor different types of systems (e.g., financial, legal, or mission-critical\nsystems).\n\n Organizations should also consider endpoints that may not have regular\naccess to the authoritative time server (e.g., mobile, teleworking, and\ntactical endpoints). 
This requirement is related to the comparison done every\n24 hours in SRG-OS-000355 because a comparison must be done in order to\ndetermine the time difference.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000356-GPOS-00144'\n tag \"gid\": 'V-75815'\n tag \"rid\": 'SV-90495r2_rule'\n tag \"stig_id\": 'UBTU-16-030110'\n tag \"fix_id\": 'F-82445r2_fix'\n tag \"cci\": ['CCI-002046']\n tag \"nist\": ['AU-8 (1) (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Network Time Protocol (NTP) is running in\ncontinuous mode.\n\nCheck that NTP is running in continuous mode with the following command:\n\n# grep ntpdate /etc/init.d/ntpd\n\n if ntpdate -u -s -b -p 4 -t 5 $NTPSERVER ; then\n\nIf the option \\\"-q\\\" is present, this is a finding.\"\n desc 'fix', \"The Network Time Protocol (NTP) will run in continuous mode by\ndefault. 
If the query only option (-q) has been added to the ntpdate command in\n/etc/init.d/ntpd it must be removed.\"\n\n ntpd_exists = file('/etc/init.d/ntpd').exist?\n\n if ntpd_exists\n describe command('grep ntpdate /etc/init.d/ntpd').stdout.strip do\n it { should_not match /.+(-q).+/ }\n end\n else\n describe 'The file /etc/init.d/ntpd exists' do\n subject { ntpd_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75727.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75815.rb", "line": 3 }, - "id": "V-75727" + "id": "V-75815" }, { - "title": "The Ubuntu operating system must record time stamps for audit records\nthat can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time\n(GMT).", - "desc": "If time stamps are not consistently applied and there is no common\ntime reference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the Ubuntu operating system include date and time.\nTime is commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.", + "title": "A separate file system must be used for user home directories (such as\n/home or an equivalent).", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "If time stamps are not consistently applied and there is no common\ntime reference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the Ubuntu operating system include date and time.\nTime is commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.", - "check": "The time zone must be configured to use Coordinated Universal\nTime (UTC) or Greenwich Mean Time (GMT). 
To verify run the following command.\n\n# sudo timedatectl status | grep -i \"time zone\"\nTime zone: UTC (UTC, +0000)\n\nIf \"Time zone\" is not set to UTC or GMT, this is a finding.", - "fix": "To configure the system time zone to use Coordinated Universal\nTime (UTC) or Greenwich Mean Time (GMT), run the following command replacing\n[ZONE] with UTC or GMT.\n\n# sudo timedatectl set-timezone [ZONE]" + "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "check": "Verify that a separate file system/partition has been created\nfor non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users, users with a\nUser Identifier (UID) greater than 1000, on the system with the following\ncommand:\n\n# awk -F: '($3>=1000)&&($1!=\"nobody\"){print $1,$3,$6}' /etc/passwd\n\nadamsj 1001 /home/adamsj\njacksonm 1002 /home/jacksonm\nsmithj 1003 /home/smithj\n\nThe output of the command will give the directory/partition that contains the\nhome directories for the non-privileged users on the system (in this example,\n\"/home\") and users’ shell. All accounts with a valid shell (such as\n/bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged\ninteractive users with the following command:\n\nNote: The partition of \"/home\" is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the\nnon-privileged interactive users' home directories does not exist, this is a\nfinding.", + "fix": "Migrate the \"/home\" directory onto a separate file\nsystem/partition." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000359-GPOS-00146", - "gid": "V-75817", - "rid": "SV-90497r2_rule", - "stig_id": "UBTU-16-030120", - "fix_id": "F-82447r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75587", + "rid": "SV-90267r2_rule", + "stig_id": "UBTU-16-010910", + "fix_id": "F-82215r1_fix", "cci": [ - "CCI-001890" + "CCI-000366" ], "nist": [ - "AU-8 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
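Review bot: The regex `/.+(-q).+/` in the new V-75815 control is both too broad and too narrow: it flags `-q` anywhere in any line `grep ntpdate` returns (a commented-out line, or text such as `-query`), and it misses a `-q` that ends the line because it requires trailing characters. Matching the file content directly and anchoring the option, e.g. `describe file('/etc/init.d/ntpd').content do` with `it { should_not match(/^[^#\n]*\bntpdate\b.*\s-q(\s|$)/) }`, checks only uncommented ntpdate invocations for a standalone `-q` and drops the shell round-trip through `grep`. Separately, on stock Ubuntu the ntp package's init script is named `/etc/init.d/ntp` rather than `ntpd`, so the `else` branch would fail on every host using the distribution package even when ntpdate is configured correctly; confirm the path against the target before relying on this branch.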
@@ -1249,34 +1161,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75817' do\n title \"The Ubuntu operating system must record time stamps for audit records\nthat can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time\n(GMT).\"\n desc \"If time stamps are not consistently applied and there is no common\ntime reference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the Ubuntu operating system include date and time.\nTime is commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000359-GPOS-00146'\n tag \"gid\": 'V-75817'\n tag \"rid\": 'SV-90497r2_rule'\n tag \"stig_id\": 'UBTU-16-030120'\n tag \"fix_id\": 'F-82447r1_fix'\n tag \"cci\": ['CCI-001890']\n tag \"nist\": ['AU-8 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"The time zone must be configured to use Coordinated Universal\nTime (UTC) or Greenwich Mean Time (GMT). 
To verify run the following command.\n\n# sudo timedatectl status | grep -i \\\"time zone\\\"\nTime zone: UTC (UTC, +0000)\n\nIf \\\"Time zone\\\" is not set to UTC or GMT, this is a finding.\"\n desc 'fix', \"To configure the system time zone to use Coordinated Universal\nTime (UTC) or Greenwich Mean Time (GMT), run the following command replacing\n[ZONE] with UTC or GMT.\n\n# sudo timedatectl set-timezone [ZONE]\"\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n", + "code": "control 'V-75587' do\n title \"A separate file system must be used for user home directories (such as\n/home or an equivalent).\"\n desc \"The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75587'\n tag \"rid\": 'SV-90267r2_rule'\n tag \"stig_id\": 'UBTU-16-010910'\n tag \"fix_id\": 'F-82215r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that a separate file system/partition has been created\nfor non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users, users with a\nUser Identifier (UID) greater than 1000, on the system with the following\ncommand:\n\n# awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $1,$3,$6}' /etc/passwd\n\nadamsj 1001 /home/adamsj\njacksonm 1002 /home/jacksonm\nsmithj 1003 /home/smithj\n\nThe output of the command will give the directory/partition that contains the\nhome 
directories for the non-privileged users on the system (in this example,\n\\\"/home\\\") and users’ shell. All accounts with a valid shell (such as\n/bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged\ninteractive users with the following command:\n\nNote: The partition of \\\"/home\\\" is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the\nnon-privileged interactive users' home directories does not exist, this is a\nfinding.\"\n desc 'fix', \"Migrate the \\\"/home\\\" directory onto a separate file\nsystem/partition.\"\n\n non_interactive_shells = input('non_interactive_shells')\n exempt_home_users = input('exempt_home_users')\n ignore_shells = non_interactive_shells.join('|')\n\n users.where { !shell.match(ignore_shells) && (uid >= 1000) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n home_mount = command(%(df #{user_info.home} --output=target | tail -1)).stdout.strip\n describe user_info.username do\n context 'with mountpoint' do\n context home_mount do\n it { should_not be_empty }\n it { should_not match(%r{^/$}) }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75817.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75587.rb", "line": 3 }, - "id": "V-75817" + "id": "V-75587" }, { - "title": "The Ubuntu operating system must not be performing packet forwarding\nunless the system is a router.", - "desc": "Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. 
If this software is used when\nnot required, system network information may be unnecessarily transmitted\nacross the network.", + "title": "The Ubuntu operating system must enforce password complexity by\nrequiring that at least one lower-case character be used.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", "descriptions": { - "default": "Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. If this software is used when\nnot required, system network information may be unnecessarily transmitted\nacross the network.", - "check": "Verify the Ubuntu operating system is not performing packet\nforwarding, unless the system is a router.\n\nCheck to see if IP forwarding is enabled using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward=0\n\nIf IP forwarding value is \"1\" and is not documented with the Information\nSystem Security Officer (ISSO) as an operational requirement , this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to not allow packet\nforwarding, unless the system is a router with the following command:\n\n# sudo sysctl -w net.ipv4.ip_forward=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.ip_forward=0" + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "check": "Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n# grep -i \"lcredit\" /etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is not equal to \"-1\", or is commented out, this\nis a finding.", + "fix": "Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one lower-case character be used.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto contain the \"lcredit\" parameter:\n\nlcredit=-1" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75887", - "rid": "SV-90567r2_rule", - "stig_id": "UBTU-16-030600", - "fix_id": "F-82517r2_fix", + "gtitle": "SRG-OS-000070-GPOS-00038", + "gid": "V-75451", + "rid": "SV-90131r2_rule", + "stig_id": "UBTU-16-010110", + "fix_id": "F-82079r1_fix", "cci": [ - "CCI-000366" + "CCI-000193" ], "nist": [ - "CM-6 b", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
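Review bot: `user_info.home` is interpolated unquoted into `df #{user_info.home} --output=target | tail -1` in the new V-75587 control, so a home path containing whitespace or shell metacharacters (anything in the /etc/passwd home field) breaks the command or is interpreted by the shell; escape it, e.g. `home_mount = command(%(df --output=target #{Shellwords.escape(user_info.home.to_s)} | tail -1)).stdout.strip` (needs `shellwords`, which InSpec runs normally have loaded — confirm). The `non_interactive_shells.join('|')` string is also used as an unescaped regex, and an empty input yields `''`, which `String#match` matches against every shell, so no user is selected and the control passes vacuously; `ignore_shells = Regexp.union(non_interactive_shells)` escapes the entries and matches nothing when the list is empty. The check text says UID "greater than 1000" while both the awk example and the `uid >= 1000` filter include 1000; the prose should read "1000 or greater".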
@@ -1290,50 +1202,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75887' do\n title \"The Ubuntu operating system must not be performing packet forwarding\nunless the system is a router.\"\n desc \"Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. If this software is used when\nnot required, system network information may be unnecessarily transmitted\nacross the network.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75887'\n tag \"rid\": 'SV-90567r2_rule'\n tag \"stig_id\": 'UBTU-16-030600'\n tag \"fix_id\": 'F-82517r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is not performing packet\nforwarding, unless the system is a router.\n\nCheck to see if IP forwarding is enabled using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward=0\n\nIf IP forwarding value is \\\"1\\\" and is not documented with the Information\nSystem Security Officer (ISSO) as an operational requirement , this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not allow packet\nforwarding, unless the system is a router with the following command:\n\n# sudo sysctl -w net.ipv4.ip_forward=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.ip_forward=0\"\n\n describe kernel_parameter('net.ipv4.ip_forward') do\n its('value') { should eq 0 }\n end\nend\n", + "code": "control 'V-75451' do\n 
title \"The Ubuntu operating system must enforce password complexity by\nrequiring that at least one lower-case character be used.\"\n desc \"Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000070-GPOS-00038'\n tag \"gid\": 'V-75451'\n tag \"rid\": 'SV-90131r2_rule'\n tag \"stig_id\": 'UBTU-16-010110'\n tag \"fix_id\": 'F-82079r1_fix'\n tag \"cci\": ['CCI-000193']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n# grep -i \\\"lcredit\\\" /etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is not equal to \\\"-1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one lower-case character be used.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file\nto contain the \\\"lcredit\\\" parameter:\n\nlcredit=-1\"\n\n min_num_lowercase_char = 
input('min_num_lowercase_char')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp min_num_lowercase_char }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75887.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75451.rb", "line": 3 }, - "id": "V-75887" + "id": "V-75451" }, { - "title": "Successful/unsuccessful uses of the chmod command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The audit system must take appropriate action when the audit storage\nvolume is full.", + "desc": "It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. 
Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chmod\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chmod\" command by adding the 
following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. 
Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.", + "check": "Verify the Ubuntu operating system takes the appropriate action\nwhen the audit storage volume is full.\n\nCheck that the Ubuntu operating system takes the appropriate action when the\naudit storage volume is full with the following command:\n\n# sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the \"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\",\nor \"HALT\", or the line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to shut down by default\nupon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (depending on configuration\n\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75737", - "rid": "SV-90417r3_rule", - "stig_id": "UBTU-16-020560", - "fix_id": "F-82365r2_fix", + "gtitle": "SRG-OS-000047-GPOS-00023", + "gid": "V-75629", + "rid": "SV-90309r2_rule", + "stig_id": "UBTU-16-020060", + "fix_id": "F-82257r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000140" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "AU-5 b", "Rev_4" ], "false_negatives": null, 
@@ -1347,29 +1243,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75737' do\n title \"Successful/unsuccessful uses of the chmod command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75737'\n tag \"rid\": 'SV-90417r3_rule'\n tag \"stig_id\": 'UBTU-16-020560'\n tag \"fix_id\": 'F-82365r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chmod\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure 
the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chmod\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75629' do\n title \"The audit system must take appropriate action when the audit storage\nvolume is full.\"\n desc \"It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. 
Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000047-GPOS-00023'\n tag \"gid\": 'V-75629'\n tag \"rid\": 'SV-90309r2_rule'\n tag \"stig_id\": 'UBTU-16-020060'\n tag \"fix_id\": 'F-82257r2_fix'\n tag \"cci\": ['CCI-000140']\n tag \"nist\": ['AU-5 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action\nwhen the audit storage volume is full.\n\nCheck that the Ubuntu operating system takes the appropriate action when the\naudit storage volume is full with the following command:\n\n# sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the \\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\",\nor \\\"HALT\\\", or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default\nupon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (depending on configuration\n\\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\" or \\\"SINGLE\\\" depending on\nconfiguration) in \\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\"\n\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75737.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75629.rb", "line": 3 }, - "id": "V-75737" + "id": "V-75629" }, { - "title": "The Ubuntu operating 
system must not allow interfaces to perform\nInternet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP)\nredirects by default.", - "desc": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages contain information from the system's route table,\npossibly revealing portions of the network topology.", + "title": "The Ubuntu operating system must prevent the use of dictionary words\nfor passwords.", + "desc": "If the Ubuntu operating system allows the user to select passwords\nbased on dictionary words, this increases the chances of password compromise by\nincreasing the opportunity for successful guesses and brute-force attacks.", "descriptions": { - "default": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages contain information from the system's route table,\npossibly revealing portions of the network topology.", - "check": "Verify the Ubuntu operating system does not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects by default.\n\nCheck the value of the \"default send_redirects\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects by default with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under 
\"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.send_redirects=0" + "default": "If the Ubuntu operating system allows the user to select passwords\nbased on dictionary words, this increases the chances of password compromise by\nincreasing the opportunity for successful guesses and brute-force attacks.", + "check": "Verify the Ubuntu operating system prevents the use of\ndictionary words for passwords.\n\nCheck that the Ubuntu operating system uses the cracklib library to prevent the\nuse of dictionary words with the following command:\n\n# grep dictcheck /etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to \"1\", or is commented out, this\nis a finding.", + "fix": "Configure the Ubuntu operating system to prevent the use of\ndictionary words for passwords.\n\nEdit the file \"/etc/security/pwquality.conf\" by adding a line such as:\n\ndictcheck=1" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75883", - "rid": "SV-90563r2_rule", - "stig_id": "UBTU-16-030580", - "fix_id": "F-82513r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00225", + "gid": "V-75481", + "rid": "SV-90161r3_rule", + "stig_id": "UBTU-16-010260", + "fix_id": "F-82109r2_fix", "cci": [ "CCI-000366" ], 
@@ -1388,34 +1284,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75883' do\n title \"The Ubuntu operating system must not allow interfaces to perform\nInternet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP)\nredirects by default.\"\n desc \"Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages contain information from the system's route table,\npossibly revealing portions of the network topology.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75883'\n tag \"rid\": 'SV-90563r2_rule'\n tag \"stig_id\": 'UBTU-16-030580'\n tag \"fix_id\": 'F-82513r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects by default.\n\nCheck the value of the \\\"default send_redirects\\\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \\\"0\\\", or a line is not returned,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects by default with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline 
in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.default.send_redirects=0\"\n\n describe kernel_parameter('net.ipv4.conf.default.send_redirects') do\n its('value') { should eq 0 }\n end\nend\n", + "code": "control 'V-75481' do\n title \"The Ubuntu operating system must prevent the use of dictionary words\nfor passwords.\"\n desc \"If the Ubuntu operating system allows the user to select passwords\nbased on dictionary words, this increases the chances of password compromise by\nincreasing the opportunity for successful guesses and brute-force attacks.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00225'\n tag \"gid\": 'V-75481'\n tag \"rid\": 'SV-90161r3_rule'\n tag \"stig_id\": 'UBTU-16-010260'\n tag \"fix_id\": 'F-82109r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system prevents the use of\ndictionary words for passwords.\n\nCheck that the Ubuntu operating system uses the cracklib library to prevent the\nuse of dictionary words with the following command:\n\n# grep dictcheck /etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to \\\"1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of\ndictionary words for passwords.\n\nEdit the file \\\"/etc/security/pwquality.conf\\\" by adding a line such as:\n\ndictcheck=1\"\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should 
cmp '1' }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75883.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75481.rb", "line": 3 }, - "id": "V-75883" + "id": "V-75481" }, { - "title": "The System Administrator (SA) and Information System Security Officer\n(ISSO) (at a minimum) must be alerted of an audit processing failure event.", - "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "title": "The Ubuntu operating system must notify the System Administrator (SA)\nand Information System Security Officer (ISSO) (at a minimum) via email when\nallocated audit record storage volume reaches 75% of the repository maximum\naudit record storage capacity.", + "desc": "If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.", "descriptions": { - "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", - "check": "Verify that the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) are notified in the event of an\naudit processing failure.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum)\nin the event of an audit processing failure with the following command:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\naction_mail_acct = root\n\nIf the value of the \"action_mail_acct\" keyword is not set to \"root\" and/or\nother accounts for security personnel, the \"action_mail_acct\" keyword is\nmissing, or the retuned line is commented out, this is a finding.", - "fix": "Configure \"auditd\" service to notify the System Administrator\n(SA) and Information System Security Officer (ISSO) in the event of an audit\nprocessing failure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure that\nadministrators are notified via email for those situations:\n\naction_mail_acct = root" + "default": "If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.", + "check": "Verify the Ubuntu operating system notifies the System\nAdministrator (SA) and Information System Security Officer (ISSO) (at a\nminimum) via email when allocated audit record storage volume reaches 75% of\nthe repository maximum 
audit record storage capacity.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum)\nvia email when allocated audit record storage volume reaches 75% of the\nrepository maximum audit record storage capacity with the following commands:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\nspace_left_action email\n\nIf the space_left_action is set to \"email\" check the value of the\n\"action_mail_acct\" parameter with the following command:\n\n#sudo grep action_mail_acct parameter /etc/audit/auditd.conf\n\naction_mail_acct parameter root@localhost\n\nIf the space_left_action or the action_mail_accnt parameters are set to blanks,\nthis is a finding.\n\nIf the space_left_action is set to \"syslog\", the system logs the event, this\nis not a finding.\n\nIf the space_left_action is set to \"exe c\", the system executes a designated\nscript. If this script informs the SA of the event, this is not a finding.\n\nThe action_mail_acct parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the e-mail address of the system\nadministrator(s) and/or ISSO, this is a finding.\n\nNote: If the email address of the system administrator is on a remote system a\nmail package must be available.", + "fix": "Configure the operating system to immediately notify the SA and\nISSO (at a minimum) via email when allocated audit record storage volume\nreaches 75% of the repository maximum audit record storage capacity.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to\n\"exec\", \"email\", or \"syslog\". If the \"space_left_action\" parameter is\nset to \"email\" set the \"action_mail_acct\" parameter to an e-mail address\nfor the System Administrator (SA) and Information System Security Officer\n(ISSO)." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000046-GPOS-00022", - "gid": "V-75625", - "rid": "SV-90305r2_rule", - "stig_id": "UBTU-16-020040", - "fix_id": "F-82253r1_fix", + "gtitle": "SRG-OS-000343-GPOS-00134", + "gid": "V-75623", + "rid": "SV-90303r2_rule", + "stig_id": "UBTU-16-020030", + "fix_id": "F-82251r2_fix", "cci": [ - "CCI-000139" + "CCI-001855" ], "nist": [ - "AU-5 a", + "AU-5 (1)", "Rev_4" ], "false_negatives": null, 
@@ -1429,51 +1325,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75625' do\n title \"The System Administrator (SA) and Information System Security Officer\n(ISSO) (at a minimum) must be alerted of an audit processing failure event.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000046-GPOS-00022'\n tag \"gid\": 'V-75625'\n tag \"rid\": 'SV-90305r2_rule'\n tag \"stig_id\": 'UBTU-16-020040'\n tag \"fix_id\": 'F-82253r1_fix'\n tag \"cci\": ['CCI-000139']\n tag \"nist\": ['AU-5 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) are notified in the event of an\naudit processing failure.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum)\nin the event of an audit processing failure with the following command:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\naction_mail_acct = root\n\nIf the 
value of the \\\"action_mail_acct\\\" keyword is not set to \\\"root\\\" and/or\nother accounts for security personnel, the \\\"action_mail_acct\\\" keyword is\nmissing, or the retuned line is commented out, this is a finding.\"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the System Administrator\n(SA) and Information System Security Officer (ISSO) in the event of an audit\nprocessing failure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure that\nadministrators are notified via email for those situations:\n\naction_mail_acct = root\"\n\n security_accounts = input('security_accounts').join('|')\n space_left_action = auditd_conf.space_left_action\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts.include?(space_left_action) }\n it { should be true }\n end\nend\n", + "code": "control 'V-75623' do\n title \"The Ubuntu operating system must notify the System Administrator (SA)\nand Information System Security Officer (ISSO) (at a minimum) via email when\nallocated audit record storage volume reaches 75% of the repository maximum\naudit record storage capacity.\"\n desc \"If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000343-GPOS-00134'\n tag \"gid\": 'V-75623'\n tag \"rid\": 'SV-90303r2_rule'\n tag \"stig_id\": 'UBTU-16-020030'\n tag \"fix_id\": 'F-82251r2_fix'\n tag \"cci\": ['CCI-001855']\n tag \"nist\": ['AU-5 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 
'check', \"Verify the Ubuntu operating system notifies the System\nAdministrator (SA) and Information System Security Officer (ISSO) (at a\nminimum) via email when allocated audit record storage volume reaches 75% of\nthe repository maximum audit record storage capacity.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum)\nvia email when allocated audit record storage volume reaches 75% of the\nrepository maximum audit record storage capacity with the following commands:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\nspace_left_action email\n\nIf the space_left_action is set to \\\"email\\\" check the value of the\n\\\"action_mail_acct\\\" parameter with the following command:\n\n#sudo grep action_mail_acct parameter /etc/audit/auditd.conf\n\naction_mail_acct parameter root@localhost\n\nIf the space_left_action or the action_mail_accnt parameters are set to blanks,\nthis is a finding.\n\nIf the space_left_action is set to \\\"syslog\\\", the system logs the event, this\nis not a finding.\n\nIf the space_left_action is set to \\\"exe c\\\", the system executes a designated\nscript. If this script informs the SA of the event, this is not a finding.\n\nThe action_mail_acct parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the e-mail address of the system\nadministrator(s) and/or ISSO, this is a finding.\n\nNote: If the email address of the system administrator is on a remote system a\nmail package must be available.\"\n desc 'fix', \"Configure the operating system to immediately notify the SA and\nISSO (at a minimum) via email when allocated audit record storage volume\nreaches 75% of the repository maximum audit record storage capacity.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to\n\\\"exec\\\", \\\"email\\\", or \\\"syslog\\\". 
If the \\\"space_left_action\\\" parameter is\nset to \\\"email\\\" set the \\\"action_mail_acct\\\" parameter to an e-mail address\nfor the System Administrator (SA) and Information System Security Officer\n(ISSO).\"\n\n space_left_action = auditd_conf.space_left_action\n if space_left_action.casecmp?('email')\n action_mail_acct = input('action_mail_acct')\n describe auditd_conf do\n its('action_mail_acct') { should cmp action_mail_acct }\n end\n elsif space_left_action.casecmp?('syslog') || space_left_action.casecmp?('exec')\n describe.one do\n describe auditd_conf do\n its('space_left_action') { should cmp 'syslog' }\n end\n describe auditd_conf do\n its('space_left_action') { should cmp 'exec' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75625.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75623.rb", "line": 3 }, - "id": "V-75625" + "id": "V-75623" }, { - "title": "Successful/unsuccessful modifications to the lastlog file must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "Emergency administrator accounts must never be automatically removed\nor disabled.", + "desc": "Emergency accounts are privileged accounts that are established in\nresponse to crisis situations where the need for rapid account activation is\nrequired. Therefore, emergency account activation may bypass normal account\nauthorization processes. 
If these accounts are automatically disabled, system\nmaintenance during emergencies may not be possible, thus adversely affecting\nsystem availability.\n\n Emergency accounts are different from infrequently used accounts (i.e.,\nlocal logon accounts used by the organization's system administrators when\nnetwork or normal logon/access is not available). Infrequently used accounts\nare not subject to automatic termination dates. Emergency accounts are accounts\ncreated in response to crisis situations, usually for use by maintenance\npersonnel. The automatic expiration or disabling time period may be extended as\nneeded until the crisis is resolved; however, it must not be extended\nindefinitely. A permanent account should be established for privileged users\nwho need long-term maintenance accounts.\n\n To address access requirements, many Ubuntu operating systems can be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \"lastlog\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful 
modifications to the \"lastlog\" file occur.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Emergency accounts are privileged accounts that are established in\nresponse to crisis situations where the need for rapid account activation is\nrequired. Therefore, emergency account activation may bypass normal account\nauthorization processes. If these accounts are automatically disabled, system\nmaintenance during emergencies may not be possible, thus adversely affecting\nsystem availability.\n\n Emergency accounts are different from infrequently used accounts (i.e.,\nlocal logon accounts used by the organization's system administrators when\nnetwork or normal logon/access is not available). Infrequently used accounts\nare not subject to automatic termination dates. Emergency accounts are accounts\ncreated in response to crisis situations, usually for use by maintenance\npersonnel. The automatic expiration or disabling time period may be extended as\nneeded until the crisis is resolved; however, it must not be extended\nindefinitely. 
A permanent account should be established for privileged users\nwho need long-term maintenance accounts.\n\n To address access requirements, many Ubuntu operating systems can be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system is configured such that the\nemergency administrator account is never automatically removed or disabled.\n\nCheck to see if the root account password or account expires with the following\ncommand:\n\n# sudo chage -l root\n\nPassword expires :never\n\nIf \"Password expires\" or \"Account expires\" is set to anything other than\n\"never\", this is a finding.", + "fix": "Replace \"[Emergency_Administrator]\" in the following command\nwith the correct emergency administrator account. Run the following command as\nan administrator:\n\n# sudo chage -I -1 -M 99999 [Emergency_Administrator]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000473-GPOS-00218" - ], - "gid": "V-75775", - "rid": "SV-90455r3_rule", - "stig_id": "UBTU-16-020750", - "fix_id": "F-82403r2_fix", + "gtitle": "SRG-OS-000123-GPOS-00064", + "gid": "V-75469", + "rid": "SV-90149r1_rule", + "stig_id": "UBTU-16-010200", + "fix_id": "F-82097r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-001682" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "AC-2 (2)", "Rev_4" ], "false_negatives": null, 
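Review bot: The new V-75623 code emits no test at all when `space_left_action` is anything other than email/syslog/exec — other valid auditd values such as `ignore` or `suspend`, or a blank value, which the check text explicitly calls a finding — so a misconfigured host reports the control as having nothing to test instead of failing; if the key is absent from auditd.conf, `auditd_conf.space_left_action` is nil and `nil.casecmp?` raises instead. Add an `else` branch that fails explicitly, e.g. a `describe auditd_conf` block asserting `its('space_left_action') { should be_in %w[email syslog exec] }`, and read the value as `auditd_conf.space_left_action.to_s` so a missing key lands in that branch rather than raising. The `describe.one` inside the `elsif` is redundant, since that branch has already established the value is syslog or exec. This baseline JSON appears to be generated from `./Ubuntu 16.04 STIG/controls/V-75623.rb`, so the fix presumably belongs there and should be regenerated into this file.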
@@ -1487,34 +1366,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75775' do\n title \"Successful/unsuccessful modifications to the lastlog file must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000473-GPOS-00218]\n tag \"gid\": 'V-75775'\n tag \"rid\": 'SV-90455r3_rule'\n tag \"stig_id\": 'UBTU-16-020750'\n tag \"fix_id\": 'F-82403r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \\\"lastlog\\\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit 
system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \\\"lastlog\\\" file occur.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75469' do\n title \"Emergency administrator accounts must never be automatically removed\nor disabled.\"\n desc \"Emergency accounts are privileged accounts that are established in\nresponse to crisis situations where the need for rapid account activation is\nrequired. Therefore, emergency account activation may bypass normal account\nauthorization processes. If these accounts are automatically disabled, system\nmaintenance during emergencies may not be possible, thus adversely affecting\nsystem availability.\n\n Emergency accounts are different from infrequently used accounts (i.e.,\nlocal logon accounts used by the organization's system administrators when\nnetwork or normal logon/access is not available). Infrequently used accounts\nare not subject to automatic termination dates. Emergency accounts are accounts\ncreated in response to crisis situations, usually for use by maintenance\npersonnel. 
The automatic expiration or disabling time period may be extended as\nneeded until the crisis is resolved; however, it must not be extended\nindefinitely. A permanent account should be established for privileged users\nwho need long-term maintenance accounts.\n\n To address access requirements, many Ubuntu operating systems can be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000123-GPOS-00064'\n tag \"gid\": 'V-75469'\n tag \"rid\": 'SV-90149r1_rule'\n tag \"stig_id\": 'UBTU-16-010200'\n tag \"fix_id\": 'F-82097r1_fix'\n tag \"cci\": ['CCI-001682']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is configured such that the\nemergency administrator account is never automatically removed or disabled.\n\nCheck to see if the root account password or account expires with the following\ncommand:\n\n# sudo chage -l root\n\nPassword expires :never\n\nIf \\\"Password expires\\\" or \\\"Account expires\\\" is set to anything other than\n\\\"never\\\", this is a finding.\"\n desc 'fix', \"Replace \\\"[Emergency_Administrator]\\\" in the following command\nwith the correct emergency administrator account. 
Run the following command as\nan administrator:\n\n# sudo chage -I -1 -M 99999 [Emergency_Administrator]\"\n\n emergency_accounts = input('emergency_accounts')\n\n if emergency_accounts.empty?\n describe 'Emergency accounts' do\n subject { emergency_accounts }\n it { should be_empty }\n end\n describe shadow.where(user: 'root') do\n its('expiry_dates') { should eq [nil] }\n end\n else\n emergency_accounts.each do |acct|\n describe command(\"sudo chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75775.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75469.rb", "line": 3 }, - "id": "V-75775" + "id": "V-75469" }, { - "title": "System commands must be owned by root.", - "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "title": "A sticky bit must be set on all public directories to prevent\nunauthorized and unintended information transferred via shared system\nresources.", + "desc": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", - "check": "Verify the system commands contained in the following\ndirectories are owned by \"root\".\n\nCheck that the system command files contained in the following directories are\nowned by \"root\" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin !\n-user root | xargs ls -la\n\nIf any system commands are returned, this is a finding.", - "fix": "Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \"[FILE]\" with any system command file\nnot owned by \"root\".\n\n# sudo chown root [FILE]" + "default": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. 
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.",
+ "check": "Verify that all world writable directories have the sticky bit\nset.\n\nCheck to see that all world writable directories have the sticky bit set by\nrunning the following command:\n\n# sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world writable and do not have the\nsticky bit set, this is a finding.",
+ "fix": "Configure all world writable directories have the sticky bit set\nto prevent unauthorized and unintended information transferred via shared\nsystem resources.\n\nSet the sticky bit on all world writable directories using the command, replace\n\"[World-Writable Directory]\" with any directory path missing the sticky bit:\n\n# sudo chmod 1777 [World-Writable Directory]"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000259-GPOS-00100",
- "gid": "V-75613",
- "rid": "SV-90293r2_rule",
- "stig_id": "UBTU-16-011040",
- "fix_id": "F-82241r2_fix",
+ "gtitle": "SRG-OS-000138-GPOS-00069",
+ "gid": "V-75811",
+ "rid": "SV-90491r4_rule",
+ "stig_id": "UBTU-16-030070",
+ "fix_id": "F-82441r2_fix",
 "cci": [
- "CCI-001499"
+ "CCI-001090"
 ],
 "nist": [
- "CM-5 (6)",
+ "SC-4",
 "Rev_4"
 ],
 "false_negatives": null,
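Review bot: In the new V-75469 code the per-account assertion is inverted: the check text makes any value other than `never` a finding, but `its('stdout.strip') { should_not match /:\s*never/ }` passes exactly when the emergency account does expire and fails on a compliant one. It should read `its('stdout.strip') { should match /:\s*never/ }`. That branch also inspects only `Account expires`, while the check text requires `Password expires` to be `never` as well; the `shadow.where(user: acct)` form already used for root (`its('expiry_dates') { should eq [nil] }`) would cover the account expiry without interpolating the account name from the input into a shell command. The source control `./Ubuntu 16.04 STIG/controls/V-75469.rb` presumably needs the same change before this file is regenerated.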
@@ -1528,50 +1407,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75613' do\n title 'System commands must be owned by root.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75613'\n tag \"rid\": 'SV-90293r2_rule'\n tag \"stig_id\": 'UBTU-16-011040'\n tag \"fix_id\": 'F-82241r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system commands contained in the following\ndirectories are owned by \\\"root\\\".\n\nCheck that the system command files contained in the following directories are\nowned by \\\"root\\\" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin !\n-user root | xargs ls -la\n\nIf any system commands are returned, this is a finding.\"\n desc 'fix', \"Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \\\"[FILE]\\\" with any system 
command file\nnot owned by \\\"root\\\".\n\n# sudo chown root [FILE]\"\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75811' do\n title \"A sticky bit must be set on all public directories to prevent\nunauthorized and unintended information transferred via shared system\nresources.\"\n desc \"Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. 
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-75811'\n tag \"rid\": 'SV-90491r4_rule'\n tag \"stig_id\": 'UBTU-16-030070'\n tag \"fix_id\": 'F-82441r2_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": %w[SC-4 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all world writable directories have the sticky bit\nset.\n\nCheck to see that all world writable directories have the sticky bit set by\nrunning the following command:\n\n# sudo find / -type d \\\\( -perm -0002 -a ! -perm -1000 \\\\) -print 2>/dev/null\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world writable and do not have the\nsticky bit set, this is a finding.\"\n desc 'fix', \"Configure all world writable directories have the sticky bit set\nto prevent unauthorized and unintended information transferred via shared\nsystem resources.\n\nSet the sticky bit on all world writable directories using the command, replace\n\\\"[World-Writable Directory]\\\" with any directory path missing the sticky bit:\n\n# sudo chmod 1777 [World-Writable Directory]\"\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! 
-perm -1000 \\) -print 2>/dev/null').stdout.lines\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75613.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75811.rb", "line": 3 }, - "id": "V-75613" + "id": "V-75811" }, { - "title": "Successful/unsuccessful uses of the open command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "All local interactive user home directories defined in the /etc/passwd\nfile must exist.", + "desc": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the / directory as the current working\ndirectory upon logon. 
This could create a Denial of Service because the user\nwould not be able to access their logon configuration files, and it may give\nthem visibility to system files they normally would not be able to access.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"open\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"open\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the / directory as the current working\ndirectory upon logon. This could create a Denial of Service because the user\nwould not be able to access their logon configuration files, and it may give\nthem visibility to system files they normally would not be able to access.", + "check": "Verify the assigned home directory of all local interactive\nusers on the Ubuntu operating system exists.\n\nCheck the home directory assignment for all local interactive non-privileged\nusers with the following command:\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\"nobody\"){print $6}' /etc/passwd)\n\ndrwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\nNote: This may miss interactive users that have been assigned a privileged User\nID (UID). Evidence of interactive use may be obtained from a number of log\nfiles containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\n\nuser 'smithj': directory '/home/smithj' does not exist\n\nIf any home directories referenced in \"/etc/passwd\" are returned as not\ndefined, this is a finding.", + "fix": "Create home directories to all local interactive users that\ncurrently do not have a home directory assigned. 
Use the following commands to\ncreate the user home directory assigned in \"/etc/ passwd\":\n\nNote: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\", a User ID (UID) of \"smithj\", and a Group Identifier (GID)\nof \"users assigned\" in \"/etc/passwd\".\n\n# mkdir /home/smithj\n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000037-GPOS-00015",
- "satisfies": [
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215"
- ],
- "gid": "V-75743",
- "rid": "SV-90423r3_rule",
- "stig_id": "UBTU-16-020590",
- "fix_id": "F-82371r2_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-75563",
+ "rid": "SV-90243r1_rule",
+ "stig_id": "UBTU-16-010740",
+ "fix_id": "F-82191r1_fix",
 "cci": [
- "CCI-000130",
- "CCI-000135",
- "CCI-000169",
- "CCI-000172",
- "CCI-002884"
+ "CCI-000366"
 ],
 "nist": [
- "AU-3",
- "AU-3 (1)",
- "AU-12 a",
- "AU-12 c",
- "MA-4 (1) (a)",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
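Review bot: The new V-75811 code adds `-xdev` to its `find`, so the scan stops at the root filesystem boundary while the check text it quotes walks all of `/`; world-writable directories on separately mounted `/tmp`, `/var/tmp` or `/home` are never examined and the control passes with an empty list. Drop `-xdev`, pruning pseudo-filesystems such as `/proc` and `/sys` if traversal time is the concern, or run the find once per local mount point. Because stderr is discarded and `exit_status` is never inspected, a `find` that fails partway also ends in the "all compliant" branch; asserting `its('exit_status') { should eq 0 }` on the command would separate "nothing found" from "nothing scanned", though that may need the prune to avoid noise from transient entries. As with the other hunks, `./Ubuntu 16.04 STIG/controls/V-75811.rb` is presumably where the change belongs.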
@@ -1585,53 +1448,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75743' do\n title \"Successful/unsuccessful uses of the open command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75743'\n tag \"rid\": 'SV-90423r3_rule'\n tag \"stig_id\": 'UBTU-16-020590'\n tag \"fix_id\": 'F-82371r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"open\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k 
perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"open\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", + "code": "control 'V-75563' do\n title \"All local interactive user home directories defined in the /etc/passwd\nfile must exist.\"\n desc \"If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the / directory as the current working\ndirectory upon logon. 
This could create a Denial of Service because the user\nwould not be able to access their logon configuration files, and it may give\nthem visibility to system files they normally would not be able to access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75563'\n tag \"rid\": 'SV-90243r1_rule'\n tag \"stig_id\": 'UBTU-16-010740'\n tag \"fix_id\": 'F-82191r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the assigned home directory of all local interactive\nusers on the Ubuntu operating system exists.\n\nCheck the home directory assignment for all local interactive non-privileged\nusers with the following command:\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $6}' /etc/passwd)\n\ndrwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\nNote: This may miss interactive users that have been assigned a privileged User\nID (UID). Evidence of interactive use may be obtained from a number of log\nfiles containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\n\nuser 'smithj': directory '/home/smithj' does not exist\n\nIf any home directories referenced in \\\"/etc/passwd\\\" are returned as not\ndefined, this is a finding.\"\n desc 'fix', \"Create home directories to all local interactive users that\ncurrently do not have a home directory assigned. 
Use the following commands to\ncreate the user home directory assigned in \\\"/etc/ passwd\\\":\n\nNote: The example will be for the user smithj, who has a home directory of\n\\\"/home/smithj\\\", a User ID (UID) of \\\"smithj\\\", and a Group Identifier (GID)\nof \\\"users assigned\\\" in \\\"/etc/passwd\\\".\n\n# mkdir /home/smithj\n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n describe directory(user_info.home) do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75743.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75563.rb", "line": 3 }, - "id": "V-75743" + "id": "V-75563" }, { - "title": "The audit system must be configured to audit any usage of the\nlremovexattr system call.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"lremovexattr\" system call, by running the following\ncommand:\n\n# sudo grep -w lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"lremovexattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "title": "Kernel core dumps must be disabled unless needed.", + "desc": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.", + "descriptions": { + "default": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.", + "check": "Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the \"kdump\" service with the following command:\n\n# systemctl status kdump.service\nLoaded: not-found (Reason: No such file or directory)\nActive: inactive (dead)\n\nIf the \"kdump\" service is active, ask the System Administrator if the use of\nthe service is required and documented with the Information System Security\nOfficer (ISSO).\n\nIf the service is active and is not documented, this is a finding.", + "fix": "If kernel core dumps are not required, disable the \"kdump\"\nservice with the following command:\n\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the Information\nSystem Security Officer (ISSO)." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000474-GPOS-00219" - ], - "gid": "V-75725", - "rid": "SV-90405r2_rule", - "stig_id": "UBTU-16-020500", - "fix_id": "F-82353r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75585", + "rid": "SV-90265r1_rule", + "stig_id": "UBTU-16-010900", + "fix_id": "F-82213r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
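Review bot: In the new `V-75563` code, `non_interactive_shells.join('|')` is used as an unescaped, unanchored regex, so an empty `non_interactive_shells` input turns `shell.match('')` true for every account and the control finishes with no `describe` at all — a vacuous pass rather than a finding. Exact comparison avoids both the empty-pattern and the substring-match problem: drop the `ignore_shells` line and filter with `users.where { !non_interactive_shells.include?(shell) && (uid >= 1000 || uid == 0) }`. The `uid == 0` clause also goes beyond the STIG check text, which only enumerates UIDs >= 1000; a short comment such as `# root is included deliberately: the STIG note admits the UID>=1000 sweep can miss privileged interactive users` would record that as intentional. If an entry's `user_info.home` can be empty or nil, `directory(...)` presumably raises instead of reporting a failed test — worth confirming against the users resource.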
@@ -1645,43 +1489,53 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75725' do\n title \"The audit system must be configured to audit any usage of the\nlremovexattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75725'\n tag \"rid\": 'SV-90405r2_rule'\n tag \"stig_id\": 'UBTU-16-020500'\n tag 
\"fix_id\": 'F-82353r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"lremovexattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"lremovexattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('lremovexattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('lremovexattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75585' do\n title 'Kernel core dumps must be disabled unless needed.'\n desc \"Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75585'\n tag \"rid\": 'SV-90265r1_rule'\n tag \"stig_id\": 'UBTU-16-010900'\n tag \"fix_id\": 'F-82213r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the \\\"kdump\\\" service with the following command:\n\n# systemctl status kdump.service\nLoaded: not-found (Reason: No such file or directory)\nActive: inactive (dead)\n\nIf the \\\"kdump\\\" service is active, ask the System Administrator if the use of\nthe service is required and documented with the Information System Security\nOfficer (ISSO).\n\nIf the service is active and is not documented, this is a finding.\"\n desc 'fix', \"If kernel core dumps are not required, disable 
the \\\"kdump\\\"\nservice with the following command:\n\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the Information\nSystem Security Officer (ISSO).\"\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75725.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75585.rb", "line": 3 }, - "id": "V-75725" + "id": "V-75585" }, { - "title": "The Ubuntu operating system must implement certificate status checking\nfor multifactor authentication.", - "desc": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", + "title": "The audit system must be configured to audit any usage of the\nlsetxattr system call.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access 
include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", - "check": "Verify the Ubuntu operating system implements certificate\nstatus checking for multifactor authentication.\n\nCheck that certificate status checking for multifactor authentication is\nimplemented with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ocsp_on\", has a value of \"none\", or the\nline is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to certificate status\nchecking for multifactor authentication.\n\nModify all of the cert_policy lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to\ninclude \"ocsp_on\"." 
+ "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"lsetxattr\" system call, by running the following\ncommand:\n\n# sudo grep -w lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"lsetxattr\" system call, by adding the following lines 
to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000375-GPOS-00160", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000375-GPOS-00160", - "SRG-OS-000375-GPOS-00161", - "SRG-OS-000375-GPOS-00162" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000474-GPOS-00219" ], - "gid": "V-75907", - "rid": "SV-90587r2_rule", - "stig_id": "UBTU-16-030820", - "fix_id": "F-82537r2_fix", + "gid": "V-75719", + "rid": "SV-90399r2_rule", + "stig_id": "UBTU-16-020470", + "fix_id": "F-82347r2_fix", "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
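Review bot: The not-required branch of the new `V-75585` code asserts `it { should_not be_installed }`, which is stricter than the check text it sits under: the STIG's own fix, `systemctl disable kdump.service`, leaves the package installed, so a host remediated exactly as documented still fails this control. Dropping that line and keeping `it { should_not be_enabled }` and `it { should_not be_running }` matches "if the service is active and is not documented, this is a finding". The required branch has the mirror problem — `be_running` demands more than a documented need, and `be_installed` alone is the faithful test there. Note too that the check's sample output shows `Loaded: not-found` for `kdump.service`; if the unit actually present on this platform carries a different name (presumably `kdump-tools.service` on Ubuntu), `service('kdump')` never sees it and the disabled branch passes vacuously — worth confirming before relying on it.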
@@ -1695,34 +1549,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75907' do\n title \"The Ubuntu operating system must implement certificate status checking\nfor multifactor authentication.\"\n desc \"Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000375-GPOS-00160'\n tag \"satisfies\": %w[SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161\n SRG-OS-000375-GPOS-00162]\n tag \"gid\": 'V-75907'\n tag \"rid\": 'SV-90587r2_rule'\n tag \"stig_id\": 'UBTU-16-030820'\n tag \"fix_id\": 'F-82537r2_fix'\n tag \"cci\": %w[CCI-001948 CCI-001953 CCI-001954]\n tag \"nist\": ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system implements certificate\nstatus checking for multifactor authentication.\n\nCheck that certificate status checking for multifactor authentication is\nimplemented with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ocsp_on\\\", has a value of \\\"none\\\", or the\nline is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to certificate status\nchecking for multifactor authentication.\n\nModify all of the cert_policy lines in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to\ninclude \\\"ocsp_on\\\".\"\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75719' 
do\n title \"The audit system must be configured to audit any usage of the\nlsetxattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75719'\n tag \"rid\": 'SV-90399r2_rule'\n tag \"stig_id\": 'UBTU-16-020470'\n tag \"fix_id\": 'F-82347r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n 
tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"lsetxattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"lsetxattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('lsetxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('lsetxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75907.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75719.rb", "line": 3 }, - "id": "V-75907" + "id": "V-75719" }, { - "title": "All local interactive users must have a home directory assigned in the\n/etc/passwd file.", - "desc": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "title": "Successful/unsuccessful uses of the init_module command must generate\nan audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", - "check": "Verify local interactive users on the Ubuntu operating system\nhave a home directory assigned.\n\nCheck for missing local interactive user home directories with the following\ncommand:\n\n# sudo pwck -r\nuser 'lp': directory '/var/spool/lpd' does not exist\nuser 'news': directory '/var/spool/news' does not exist\nuser 'uucp': directory '/var/spool/uucp' does not exist\nuser 'www-data': directory '/var/www' does not 
exist\n\nAsk the System Administrator (SA) if any users found without home directories\nare local interactive users. If the SA is unable to provide a response, check\nfor users with a User Identifier (UID) of 1000 or greater with the following\ncommand:\n\n# sudo cut -d: -f 1,3 /etc/passwd | egrep \":[1-4][0-9]{2}$|:[0-9]{1,2}$\"\n\nIf any interactive users do not have a home directory assigned, this is a\nfinding.", - "fix": "Assign home directories to all local interactive users on the\nUbuntu operating system that currently do not have a home directory assigned." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"init_module\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w \"init_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"init_module\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75559", - "rid": "SV-90239r1_rule", - "stig_id": "UBTU-16-010720", - "fix_id": "F-82187r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75791", + "rid": "SV-90471r3_rule", + "stig_id": "UBTU-16-020830", + "fix_id": "F-82421r2_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
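Review bot: The `code` for V-75719 unconditionally requires lsetxattr rules with `arch == 'b32'` (the trailing `describe auditd.syscall('lsetxattr').where { arch == 'b32' }` block), while the control's own check and fix text only show `-F arch=b64` rules, so a host remediated exactly as the fix text says still fails this control. Both describes assert only `action` and `list` and never the `auid>=1000`/`auid!=4294967295` and `auid=0` filters or the `-k perm_mod` key the check text treats as required, so a bare `-a always,exit -F arch=b64 -S lsetxattr` rule passes. Either gate or drop the b32 block to match the STIG text, and tighten the b64 block with something like `its('key.uniq') { should eq ['perm_mod'] }` plus an expectation on the auid fields. The same pattern appears in the V-75791 (init_module) code in the next hunk, where the b32 describe is likewise absent from the fix text and the `module_chng` key is never checked.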
@@ -1736,34 +1606,40 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75559' do\n title \"All local interactive users must have a home directory assigned in the\n/etc/passwd file.\"\n desc \"If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75559'\n tag \"rid\": 'SV-90239r1_rule'\n tag \"stig_id\": 'UBTU-16-010720'\n tag \"fix_id\": 'F-82187r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify local interactive users on the Ubuntu operating system\nhave a home directory assigned.\n\nCheck for missing local interactive user home directories with the following\ncommand:\n\n# sudo pwck -r\nuser 'lp': directory '/var/spool/lpd' does not exist\nuser 'news': directory '/var/spool/news' does not exist\nuser 'uucp': directory '/var/spool/uucp' does not exist\nuser 'www-data': directory '/var/www' does not exist\n\nAsk the System Administrator (SA) if any users found without home directories\nare local interactive users. 
If the SA is unable to provide a response, check\nfor users with a User Identifier (UID) of 1000 or greater with the following\ncommand:\n\n# sudo cut -d: -f 1,3 /etc/passwd | egrep \\\":[1-4][0-9]{2}$|:[0-9]{1,2}$\\\"\n\nIf any interactive users do not have a home directory assigned, this is a\nfinding.\"\n desc 'fix', \"Assign home directories to all local interactive users on the\nUbuntu operating system that currently do not have a home directory assigned.\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n describe directory(user_info.home) do\n it { should exist }\n end\n end\nend\n", + "code": "control 'V-75791' do\n title \"Successful/unsuccessful uses of the init_module command must generate\nan audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75791'\n tag \"rid\": 'SV-90471r3_rule'\n tag \"stig_id\": 'UBTU-16-020830'\n tag \"fix_id\": 'F-82421r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag 
\"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"init_module\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w \\\"init_module\\\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"init_module\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75559.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75791.rb", "line": 3 }, - "id": "V-75559" + "id": "V-75791" }, { - "title": "The audit system must take appropriate action when the audit storage\nvolume is full.", - "desc": "It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. 
Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.", + "title": "The Ubuntu operating system must employ FIPS 140-2 approved\ncryptographic hashing algorithms for all created passwords.", + "desc": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", "descriptions": { - "default": "It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. 
Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.", - "check": "Verify the Ubuntu operating system takes the appropriate action\nwhen the audit storage volume is full.\n\nCheck that the Ubuntu operating system takes the appropriate action when the\naudit storage volume is full with the following command:\n\n# sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the \"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\",\nor \"HALT\", or the line is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to shut down by default\nupon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (depending on configuration\n\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT" + "default": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. 
If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", + "check": "Verify the shadow password suite configuration is set to create\npasswords using a strong cryptographic hash with the following command:\n\nCheck that a minimum number of hash rounds is configured by running the\nfollowing command:\n\n# grep rounds /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000\n\nIf \"rounds\" has a value below \"5000\", or is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to encrypt all stored\npasswords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/pam.d/common-password\" file and\nset \"rounds\" to a value no lower than \"5000\":\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000047-GPOS-00023", - "gid": "V-75629", - "rid": "SV-90309r2_rule", - "stig_id": "UBTU-16-020060", - "fix_id": "F-82257r2_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "satisfies": [ + "SRG-OS-000073-GPOS-00041", + "SRG-OS-000120-GPOS-00061" + ], + "gid": "V-75463", + "rid": "SV-90143r2_rule", + "stig_id": "UBTU-16-010170", + "fix_id": "F-82091r2_fix", "cci": [ - "CCI-000140" + "CCI-000196", + "CCI-000803" ], "nist": [ - "AU-5 b", + "IA-5 (1) (c)", + "IA-7", "Rev_4" ], "false_negatives": null, 
@@ -1777,29 +1653,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75629' do\n title \"The audit system must take appropriate action when the audit storage\nvolume is full.\"\n desc \"It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. 
Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000047-GPOS-00023'\n tag \"gid\": 'V-75629'\n tag \"rid\": 'SV-90309r2_rule'\n tag \"stig_id\": 'UBTU-16-020060'\n tag \"fix_id\": 'F-82257r2_fix'\n tag \"cci\": ['CCI-000140']\n tag \"nist\": ['AU-5 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action\nwhen the audit storage volume is full.\n\nCheck that the Ubuntu operating system takes the appropriate action when the\naudit storage volume is full with the following command:\n\n# sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the \\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\",\nor \\\"HALT\\\", or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default\nupon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (depending on configuration\n\\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\" or \\\"SINGLE\\\" depending on\nconfiguration) in \\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\"\n\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\nend\n", + "code": "control 'V-75463' do\n title \"The Ubuntu operating system must employ FIPS 140-2 approved\ncryptographic hashing algorithms for all created passwords.\"\n desc \"The system must use a strong hashing 
algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"satisfies\": %w[SRG-OS-000073-GPOS-00041 SRG-OS-000120-GPOS-00061]\n tag \"gid\": 'V-75463'\n tag \"rid\": 'SV-90143r2_rule'\n tag \"stig_id\": 'UBTU-16-010170'\n tag \"fix_id\": 'F-82091r2_fix'\n tag \"cci\": %w[CCI-000196 CCI-000803]\n tag \"nist\": ['IA-5 (1) (c)', 'IA-7', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the shadow password suite configuration is set to create\npasswords using a strong cryptographic hash with the following command:\n\nCheck that a minimum number of hash rounds is configured by running the\nfollowing command:\n\n# grep rounds /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000\n\nIf \\\"rounds\\\" has a value below \\\"5000\\\", or is commented out, this is a\nfinding.\n\"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored\npasswords with a strong cryptographic hash.\n\nEdit/modify the following line in the \\\"/etc/pam.d/common-password\\\" file and\nset \\\"rounds\\\" to a value no lower than \\\"5000\\\":\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000\"\n\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command('grep rounds /etc/pam.d/common-password') do\n 
its('exit_status') { should eq 0 }\n its('stdout') { should match /^\\s*password\\s+\\[\\s*success=1\\s+default=ignore\\s*\\].*\\s+rounds=([5-9]\\d\\d\\d|[1-9]\\d\\d\\d\\d+)($|\\s+.*$)/ }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75629.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75463.rb", "line": 3 }, - "id": "V-75629" + "id": "V-75463" }, { - "title": "The system must display the date and time of the last successful\naccount logon upon an SSH logon.", - "desc": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", + "title": "The Ubuntu operating system must not be performing packet forwarding\nunless the system is a router.", + "desc": "Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. If this software is used when\nnot required, system network information may be unnecessarily transmitted\nacross the network.", "descriptions": { - "default": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", - "check": "Verify SSH provides users with feedback on when account\naccesses last occurred.\n\nCheck that \"PrintLastLog\" keyword in the sshd daemon configuration file is\nused and set to \"yes\" with the following command:\n\n# grep PrintLastLog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented\nout, this is a finding.", - "fix": "Add or edit the following lines in the \"/etc/ssh/sshd_config\"\nfile:\n\nPrintLastLog yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. If this software is used when\nnot required, system network information may be unnecessarily transmitted\nacross the network.", + "check": "Verify the Ubuntu operating system is not performing packet\nforwarding, unless the system is a router.\n\nCheck to see if IP forwarding is enabled using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward=0\n\nIf IP forwarding value is \"1\" and is not documented with the Information\nSystem Security Officer (ISSO) as an operational requirement , this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to not allow packet\nforwarding, unless the system is a router with the following command:\n\n# sudo sysctl -w net.ipv4.ip_forward=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.ip_forward=0" }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75835", - "rid": "SV-90515r2_rule", - "stig_id": "UBTU-16-030260", - "fix_id": "F-82465r2_fix", + "gid": "V-75887", + "rid": "SV-90567r2_rule", + "stig_id": "UBTU-16-030600", + "fix_id": "F-82517r2_fix", "cci": [ "CCI-000366" ], 
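Review bot: The `its('stdout')` regex in the V-75463 code enforces only `rounds=` of at least 5000 and never checks the hashing algorithm, even though the control title requires a FIPS 140-2 approved hash and the expected line in the check text carries `sha512`; a constructed line such as `password [success=1 default=ignore] pam_unix.so obscure md5 rounds=5000` satisfies the matcher as written. Add a second expectation alongside it, e.g. `its('stdout') { should match /^\s*password\s+\[\s*success=1\s+default=ignore\s*\].*\spam_unix\.so\s.*\ssha512(\s|$)/ }`, so the algorithm is asserted together with the round count. Reading `file('/etc/pam.d/common-password').content` instead of shelling out to `grep rounds` would also avoid a dependency on the target's PATH and keep the control consistent with the `file(...)` existence check just above it.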
@@ -1818,34 +1694,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75835' do\n title \"The system must display the date and time of the last successful\naccount logon upon an SSH logon.\"\n desc \"Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75835'\n tag \"rid\": 'SV-90515r2_rule'\n tag \"stig_id\": 'UBTU-16-030260'\n tag \"fix_id\": 'F-82465r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify SSH provides users with feedback on when account\naccesses last occurred.\n\nCheck that \\\"PrintLastLog\\\" keyword in the sshd daemon configuration file is\nused and set to \\\"yes\\\" with the following command:\n\n# grep PrintLastLog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the \\\"PrintLastLog\\\" keyword is set to \\\"no\\\", is missing, or is commented\nout, this is a finding.\"\n desc 'fix', \"Add or edit the following lines in the \\\"/etc/ssh/sshd_config\\\"\nfile:\n\nPrintLastLog yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\nend\n", + "code": "control 'V-75887' do\n title \"The Ubuntu operating system must not be performing packet forwarding\nunless the system is a router.\"\n desc \"Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. If this software is used when\nnot required, system network information may be unnecessarily transmitted\nacross the network.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75887'\n tag \"rid\": 'SV-90567r2_rule'\n tag \"stig_id\": 'UBTU-16-030600'\n tag \"fix_id\": 'F-82517r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is not performing packet\nforwarding, unless the system is a router.\n\nCheck to see if IP forwarding is enabled using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward=0\n\nIf IP forwarding value is \\\"1\\\" and is not documented with the Information\nSystem Security Officer (ISSO) as an operational requirement , this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not allow packet\nforwarding, unless the system is a router with the following command:\n\n# sudo sysctl -w net.ipv4.ip_forward=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.ip_forward=0\"\n\n describe 
kernel_parameter('net.ipv4.ip_forward') do\n its('value') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75835.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75887.rb", "line": 3 }, - "id": "V-75835" + "id": "V-75887" }, { - "title": "The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a ssh logon and the user must acknowledge the usage conditions and take\nexplicit actions to log on for further access.", - "desc": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", + "title": "The Ubuntu operating system must enforce password complexity by\nrequiring that at least one upper-case character be used.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", "descriptions": { - "default": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", - "check": "Verify the Ubuntu operating system displays the Standard\nMandatory DoD Notice and Consent Banner before granting access to the Ubuntu\noperating system via a ssh logon.\n\nCheck that the Ubuntu operating system displays the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the Ubuntu operating system\nvia a ssh logon with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nBanner=/etc/issue.net\n\nThe command will return the banner option along with the name of the file that\ncontains the ssh banner. If the line is commented out this is a finding.\n\nCheck the specified banner file to check that it matches the Standard Mandatory\nDoD Notice and Consent Banner exactly:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent\nBanner exactly, this is a finding.", - "fix": "Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system\nvia SSH logon.\n\nEdit the SSH daemon configuration \"/etc/ssh/sshd_config\" file. Uncomment the\nbanner keyword and configure it to point to the file that contains the correct\nbanner. An example of this configure is below:\n\nBanner=/etc/issue.net\n\nEither create the file containing the banner, or replace the text in the file\nwith the Standard Mandatory DoD Notice and Consent Banner. 
The DoD required\ntext is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "check": "Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n# grep -i \"ucredit\" /etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is not equal to \"-1\", or is commented out, this\nis a finding.", + "fix": "Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one upper-case character be used.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto contain the \"ucredit\" parameter:\n\nucredit=-1" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000023-GPOS-00006", - "gid": "V-75825", - "rid": "SV-90505r3_rule", - "stig_id": "UBTU-16-030210", - "fix_id": "F-82455r2_fix", + "gtitle": "SRG-OS-000069-GPOS-00037", + "gid": "V-75449", + "rid": "SV-90129r2_rule", + "stig_id": "UBTU-16-010100", + "fix_id": "F-82077r1_fix", "cci": [ - "CCI-000048" + "CCI-000192" ], "nist": [ - "AC-8 a", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
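Review bot: The V-75887 test on the new side (`describe kernel_parameter('net.ipv4.ip_forward') ... its('value') { should eq 0 }`) inspects only the running kernel value, so a host remediated with `sysctl -w` alone passes today and silently resumes forwarding after the next reboot, even though the control's own fix text tells the operator to persist the value in /etc/sysctl.conf or /etc/sysctl.d; the control should also confirm that an uncommented `net.ipv4.ip_forward` assignment in those files resolves to 0. The STIG's exception (a router documented with the ISSO is not a finding) is also not modeled: unlike V-75449 in this same hunk, which reads a profile input, V-75887 takes no input, so a legitimately documented router always fails, and a guard such as `only_if('System is a documented router') { !input('is_router') }` would let the profile express that exception. The enclosing controls array continues outside the hunk.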
@@ -1859,20 +1735,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75825' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a ssh logon and the user must acknowledge the usage conditions and take\nexplicit actions to log on for further access.\"\n desc \"Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \\\"I've read and consent to terms in IS user agreem't.\\\"\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"gid\": 'V-75825'\n tag \"rid\": 'SV-90505r3_rule'\n tag \"stig_id\": 'UBTU-16-030210'\n tag \"fix_id\": 'F-82455r2_fix'\n tag \"cci\": ['CCI-000048']\n tag \"nist\": ['AC-8 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system displays the Standard\nMandatory DoD Notice and Consent Banner before granting access to the Ubuntu\noperating system via a ssh logon.\n\nCheck that the Ubuntu operating system displays the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the Ubuntu operating system\nvia a ssh logon with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nBanner=/etc/issue.net\n\nThe command will return the banner option along with the name of the file that\ncontains the ssh banner. If the line is commented out this is a finding.\n\nCheck the specified banner file to check that it matches the Standard Mandatory\nDoD Notice and Consent Banner exactly:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent\nBanner exactly, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system\nvia SSH logon.\n\nEdit the SSH daemon configuration \\\"/etc/ssh/sshd_config\\\" file. Uncomment the\nbanner keyword and configure it to point to the file that contains the correct\nbanner. An example of this configure is below:\n\nBanner=/etc/issue.net\n\nEither create the file containing the banner, or replace the text in the file\nwith the Standard Mandatory DoD Notice and Consent Banner. 
The DoD required\ntext is:\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? 
&& banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\nend\n", + "code": "control 'V-75449' do\n title \"The Ubuntu operating system must enforce password complexity by\nrequiring that at least one upper-case character be used.\"\n desc \"Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000069-GPOS-00037'\n tag \"gid\": 'V-75449'\n tag \"rid\": 'SV-90129r2_rule'\n tag \"stig_id\": 'UBTU-16-010100'\n tag \"fix_id\": 'F-82077r1_fix'\n tag \"cci\": ['CCI-000192']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n# grep -i \\\"ucredit\\\" /etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is not equal to \\\"-1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one upper-case character be used.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file\nto contain the \\\"ucredit\\\" parameter:\n\nucredit=-1\"\n\n min_num_uppercase_char = input('min_num_uppercase_char')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp min_num_uppercase_char }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75825.rb", + "ref": "./Ubuntu 16.04 
STIG/controls/V-75449.rb", "line": 3 }, - "id": "V-75825" + "id": "V-75449" }, { - "title": "Successful/unsuccessful uses of the newgrp command must generate an\naudit record.", + "title": "Successful/unsuccessful uses of the fchownat command must generate an\naudit record.", "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w newgrp /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"newgrp\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"fchownat\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"fchownat\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], @@ -1886,10 +1762,10 @@ "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75761", - "rid": "SV-90441r4_rule", - "stig_id": "UBTU-16-020680", - "fix_id": "F-82389r2_fix", + "gid": "V-75733", + "rid": "SV-90413r3_rule", + "stig_id": "UBTU-16-020540", + "fix_id": "F-82361r2_fix", "cci": [ "CCI-000130", "CCI-000135", 
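Review bot: The V-75449 test (`its('ucredit') { should cmp min_num_uppercase_char }`) compares against the profile input `min_num_uppercase_char` rather than the `-1` its check text demands, and no default for that input is visible in this hunk; if the input resolves to a non-negative value, pam_pwquality treats `ucredit` as a credit instead of a requirement and the control passes on a non-compliant host. Pinning the comparison as `its('ucredit') { should cmp <= -1 }` would accept stricter settings such as -2 while rejecting anything weaker, or the input could be validated before use. A caveat worth a comment on the control: `/etc/security/pwquality.conf` is only enforced when `pam_pwquality.so` is in the password PAM stack, which this control does not verify — presumably covered by a sibling control, confirm. The fchownat control's InSpec code is not within this hunk.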
@@ -1916,50 +1792,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75761' do\n title \"Successful/unsuccessful uses of the newgrp command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75761'\n tag \"rid\": 'SV-90441r4_rule'\n tag \"stig_id\": 'UBTU-16-020680'\n tag \"fix_id\": 'F-82389r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"newgrp\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w newgrp /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\n\n\n\"\n 
desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"newgrp\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75733' do\n title \"Successful/unsuccessful uses of the fchownat command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75733'\n tag \"rid\": 'SV-90413r3_rule'\n tag \"stig_id\": 'UBTU-16-020540'\n tag \"fix_id\": 'F-82361r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n 
CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"fchownat\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"fchownat\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fchownat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fchownat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75761.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75733.rb", "line": 3 }, - "id": "V-75761" + "id": "V-75733" }, { - "title": "Successful/unsuccessful uses of the gpasswd command must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "title": "All local interactive user initialization files executable search\npaths must contain only paths that resolve to the system default or the users\nhome directory.", + "desc": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory executables in these\ndirectories may be executed instead of system commands. This variable is\nformatted as a colon-separated list of directories. If there is an empty entry,\nsuch as a leading or trailing colon or two consecutive colons, this is\ninterpreted as the current working directory. 
If deviations from the default\nsystem search path for the local interactive user are required, they must be\ndocumented with the Information System Security Officer (ISSO).", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"gpasswd\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w gpasswd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"gpasswd\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory executables in these\ndirectories may be executed instead of system commands. This variable is\nformatted as a colon-separated list of directories. 
If there is an empty entry,\nsuch as a leading or trailing colon or two consecutive colons, this is\ninterpreted as the current working directory. If deviations from the default\nsystem search path for the local interactive user are required, they must be\ndocumented with the Information System Security Officer (ISSO).", + "check": "Verify that all local interactive user initialization files'\nexecutable search path statements do not contain statements that will reference\na working directory other than the users’ home directory or the system default.\n\nCheck the executable search path statement for all local interactive user\ninitialization files in the users' home directory with the following commands:\n\nNote: The example will be for the smithj user, which has a home directory of\n\"/home/smithj\".\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path\nstatements that include directories outside of their home directory, and the\nadditional path statements are not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement, this is a finding.", + "fix": "Edit the local interactive user initialization files to change\nany PATH variable statements for executables that reference directories other\nthan their home directory or the system default. If a local interactive user\nrequires path variables to reference a directory owned by the application, it\nmust be documented with the Information System Security Officer (ISSO)." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75781", - "rid": "SV-90461r3_rule", - "stig_id": "UBTU-16-020780", - "fix_id": "F-82411r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75571", + "rid": "SV-90251r1_rule", + "stig_id": "UBTU-16-010780", + "fix_id": "F-82199r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
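Review bot: The new V-75733 `code` requires a `b32` fchownat rule unconditionally (the second `describe auditd.syscall('fchownat').where { arch == 'b32' }` sits outside the `os.arch == 'x86_64'` guard), while the check and fix text in the same control prescribe only the `-F arch=b64` rule, so a host configured exactly as the fix text describes still fails this control. Either drop the b32 expectation or document that it is intentionally stricter than the STIG text, e.g. `# NOTE: a b32 rule is required in addition to the STIG's b64 rule so 32-bit syscall entry is audited as well`. The describe blocks also assert only `action` and `list`, not the `auid>=1000`/`auid!=4294967295` filters and `perm_chng` key the rule text requires, so a rule missing those filters passes; if the resource exposes the rule fields, `its('fields.flatten') { should include 'auid>=1000' }` would close that gap.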
@@ -1973,34 +1833,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75781' do\n title \"Successful/unsuccessful uses of the gpasswd command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75781'\n tag \"rid\": 'SV-90461r3_rule'\n tag \"stig_id\": 'UBTU-16-020780'\n tag \"fix_id\": 'F-82411r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"gpasswd\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w gpasswd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system 
to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"gpasswd\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75571' do\n title \"All local interactive user initialization files executable search\npaths must contain only paths that resolve to the system default or the users\nhome directory.\"\n desc \"The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory executables in these\ndirectories may be executed instead of system commands. This variable is\nformatted as a colon-separated list of directories. If there is an empty entry,\nsuch as a leading or trailing colon or two consecutive colons, this is\ninterpreted as the current working directory. 
If deviations from the default\nsystem search path for the local interactive user are required, they must be\ndocumented with the Information System Security Officer (ISSO).\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75571'\n tag \"rid\": 'SV-90251r1_rule'\n tag \"stig_id\": 'UBTU-16-010780'\n tag \"fix_id\": 'F-82199r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all local interactive user initialization files'\nexecutable search path statements do not contain statements that will reference\na working directory other than the users’ home directory or the system default.\n\nCheck the executable search path statement for all local interactive user\ninitialization files in the users' home directory with the following commands:\n\nNote: The example will be for the smithj user, which has a home directory of\n\\\"/home/smithj\\\".\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path\nstatements that include directories outside of their home directory, and the\nadditional path statements are not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement, this is a finding.\"\n desc 'fix', \"Edit the local interactive user initialization files to change\nany PATH variable statements for executables that reference directories other\nthan their home directory or the system default. 
If a local interactive user\nrequires path variables to reference a directory owned by the application, it\nmust be documented with the Information System Security Officer (ISSO).\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n grep_results = command(\"grep -i path --exclude=\\\".bash_history\\\" #{user_info.home}/.*\").stdout.split('\\\\n')\n grep_results.each do |result|\n result.slice! 'PATH='\n result += ' ' if result[-1] == ':'\n result.slice! '$PATH:'\n result.slice! \"$PATH\\\"\\n\"\n result.gsub! '$HOME', user_info.home.to_s\n result.gsub! '~', user_info.home.to_s\n line_arr = result.split(':')\n line_arr.delete_at(0)\n line_arr.each do |line|\n line.slice! '\"'\n next unless !line.start_with?('export') && !line.start_with?('#')\n\n if line.strip.empty?\n curr_work_dir = command('pwd').stdout.gsub(\"\\n\", '')\n line = curr_work_dir if curr_work_dir.start_with?(user_info.home.to_s)\n end\n findings.add(line) unless line.start_with?(user_info.home)\n end\n end\n end\n describe 'Initialization files that include executable search paths that include directories outside their home directories' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75781.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75571.rb", "line": 3 }, - "id": "V-75781" + "id": "V-75571" }, { - "title": "The Ubuntu operating system must enforce password complexity by\nrequiring that at least one numeric character be used.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "title": "The rsh-server package must not be installed.", + "desc": "It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", - "check": "Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n# grep -i \"dcredit\" /etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is not equal to \"-1\", or is commented out, this\nis a finding.", - "fix": "Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one numeric character be used.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto contain the \"dcredit\" parameter:\n\ndcredit=-1" + "default": "It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. 
Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", + "check": "Verify that the rsh-server package is not installed on the\nUbuntu operating system.\n\nCheck to see if the rsh-server package is installed with the following command:\n\n# sudo apt list rsh-server\n\nIf the rsh-server package is installed, this is a finding.", + "fix": "Configure the Ubuntu operating system to disable non-essential\ncapabilities by removing the rsh-server package from the system with the\nfollowing command:\n\n# sudo apt-get remove rsh-server" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000071-GPOS-00039", - "gid": "V-75453", - "rid": "SV-90133r2_rule", - "stig_id": "UBTU-16-010120", - "fix_id": "F-82081r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-75801", + "rid": "SV-90481r2_rule", + "stig_id": "UBTU-16-030020", + "fix_id": "F-82431r1_fix", "cci": [ - "CCI-000194" + "CCI-000381" ], "nist": [ - "IA-5 (1) (a)", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
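Review bot: In the new V-75571 `code`, `.stdout.split('\\n')` uses a single-quoted Ruby string, which is the two characters `\` and `n` rather than a newline, so the grep output is never split per line and every later `slice!`/`split(':')` runs over the whole multi-line output, which is why the filename-prefix handling via `line_arr.delete_at(0)` only works for the first line; it should be `.split("\n")`. The same command interpolates `#{user_info.home}` unquoted into a shell string, so a home directory from `/etc/passwd` containing whitespace or shell metacharacters would break or alter the grep; `Shellwords.escape(user_info.home.to_s)` (with `require 'shellwords'`) or at least quoting is warranted. The empty-entry branch also substitutes the scanner's own `pwd`, not the user's working directory, which deserves a comment such as `# an empty PATH entry means CWD; the scanner's cwd is only a proxy for the user's`.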
@@ -2014,34 +1874,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75453' do\n title \"The Ubuntu operating system must enforce password complexity by\nrequiring that at least one numeric character be used.\"\n desc \"Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000071-GPOS-00039'\n tag \"gid\": 'V-75453'\n tag \"rid\": 'SV-90133r2_rule'\n tag \"stig_id\": 'UBTU-16-010120'\n tag \"fix_id\": 'F-82081r1_fix'\n tag \"cci\": ['CCI-000194']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n# grep -i \\\"dcredit\\\" /etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is not equal to \\\"-1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one numeric character be used.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file\nto 
contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1\"\n\n min_num_numeric_char = input('min_num_numeric_char')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp min_num_numeric_char }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75801' do\n title 'The rsh-server package must not be installed.'\n desc \"It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-75801'\n tag \"rid\": 'SV-90481r2_rule'\n tag \"stig_id\": 'UBTU-16-030020'\n tag \"fix_id\": 'F-82431r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag 
\"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the rsh-server package is not installed on the\nUbuntu operating system.\n\nCheck to see if the rsh-server package is installed with the following command:\n\n# sudo apt list rsh-server\n\nIf the rsh-server package is installed, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential\ncapabilities by removing the rsh-server package from the system with the\nfollowing command:\n\n# sudo apt-get remove rsh-server\"\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75453.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75801.rb", "line": 3 }, - "id": "V-75453" + "id": "V-75801" }, { - "title": "The Ubuntu operating system must not send Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirects.", - "desc": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages contain information from the system's route table,\npossibly revealing portions of the network topology.", + "title": "The system must use a DoD-approved virus scan program.", + "desc": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to perform scans\ndynamically on accessed files. 
If this capability is not available, the system\nmust be configured to scan, at a minimum, all altered files on the system on a\ndaily basis.\n\n If the system processes inbound SMTP mail, the virus scanner must be\nconfigured to scan all received mail.", "descriptions": { - "default": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages contain information from the system's route table,\npossibly revealing portions of the network topology.", - "check": "Verify the Ubuntu operating system does not send Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages.\n\nCheck the value of the \"all send_redirects\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.send_redirects=0" + "default": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to perform scans\ndynamically on accessed files. 
If this capability is not available, the system\nmust be configured to scan, at a minimum, all altered files on the system on a\ndaily basis.\n\n If the system processes inbound SMTP mail, the virus scanner must be\nconfigured to scan all received mail.", + "check": "Verify the system is using a DoD-approved virus scan program.\n\n\nCheck for the presence of \"McAfee VirusScan Enterprise for Linux\" with the\nfollowing command:\n\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux\n\n> Loaded: loaded\n/opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.;\nenabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\n\nIf the \"nails\" service is not active, check for the presence of \"clamav\" on\nthe system with the following command:\n\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\n\nIf neither of these applications are loaded and active, ask the System\nAdministrator if there is an antivirus package installed and active on the\nsystem.\n\n\nIf no antivirus scan program is active on the system, this is a finding.", + "fix": "Install an approved DoD antivirus solution on the system." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75885", - "rid": "SV-90565r2_rule", - "stig_id": "UBTU-16-030590", - "fix_id": "F-82515r2_fix", + "gid": "V-78005", + "rid": "SV-92701r1_rule", + "stig_id": "UBTU-16-030900", + "fix_id": "F-84715r1_fix", "cci": [ - "CCI-000366" + "CCI-001668" ], "nist": [ - "CM-6 b", + "SI-3 a", "Rev_4" ], "false_negatives": null, 
@@ -2055,34 +1915,51 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75885' do\n title \"The Ubuntu operating system must not send Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirects.\"\n desc \"Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages contain information from the system's route table,\npossibly revealing portions of the network topology.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75885'\n tag \"rid\": 'SV-90565r2_rule'\n tag \"stig_id\": 'UBTU-16-030590'\n tag \"fix_id\": 'F-82515r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not send Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages.\n\nCheck the value of the \\\"all send_redirects\\\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects=0\n\nIf the returned line does not have a value of \\\"0\\\", or a line is not returned,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under 
\\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.all.send_redirects=0\"\n\n describe kernel_parameter('net.ipv4.conf.all.send_redirects') do\n its('value') { should eq 0 }\n end\nend\n", + "code": "control 'V-78005' do\n title 'The system must use a DoD-approved virus scan program.'\n desc \"Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to perform scans\ndynamically on accessed files. If this capability is not available, the system\nmust be configured to scan, at a minimum, all altered files on the system on a\ndaily basis.\n\n If the system processes inbound SMTP mail, the virus scanner must be\nconfigured to scan all received mail.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-78005'\n tag \"rid\": 'SV-92701r1_rule'\n tag \"stig_id\": 'UBTU-16-030900'\n tag \"fix_id\": 'F-84715r1_fix'\n tag \"cci\": ['CCI-001668']\n tag \"nist\": ['SI-3 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system is using a DoD-approved virus scan program.\n\n\nCheck for the presence of \\\"McAfee VirusScan Enterprise for Linux\\\" with the\nfollowing command:\n\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux\n\n> Loaded: loaded\n/opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.;\nenabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\n\nIf the \\\"nails\\\" service is not active, check for the presence of \\\"clamav\\\" on\nthe system with the following command:\n\n\n# systemctl status 
clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\n\nIf neither of these applications are loaded and active, ask the System\nAdministrator if there is an antivirus package installed and active on the\nsystem.\n\n\nIf no antivirus scan program is active on the system, this is a finding.\"\n desc 'fix', 'Install an approved DoD antivirus solution on the system.'\n\n other_antivirus_loaded_active = input('other_antivirus_loaded_active')\n org_name = input('org_name')\n describe.one do\n describe service('nails') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n describe service('clamav-daemon.service') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n describe ('System Administrator and/or ' + org_name + ' approved antivirus program loaded, other than McAfee VirusScan Enterprise for Linux or Clam AntiVirus is loaded and activities') do\n subject { other_antivirus_loaded_active }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75885.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-78005.rb", "line": 3 }, - "id": "V-75885" + "id": "V-78005" }, { - "title": "An application firewall must be installed.", - "desc": "Uncomplicated Firewall provides a easy and effective way to\nblock/limit remote access to the system, via ports, services and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an 
external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Ubuntu operating system functionality (e.g., RDP) must be capable of taking\nenforcement action if the audit reveals unauthorized activity. Automated\ncontrol of remote access sessions allows organizations to ensure ongoing\ncompliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g.,\nservers, workstations, notebook computers, smartphones, and tablets).", + "title": "Successful/unsuccessful modifications to the tallylog file must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Uncomplicated Firewall provides a easy and effective way to\nblock/limit remote access to the system, via ports, services and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Ubuntu operating system functionality (e.g., RDP) must be capable of taking\nenforcement action if the audit reveals unauthorized activity. 
Automated\ncontrol of remote access sessions allows organizations to ensure ongoing\ncompliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g.,\nservers, workstations, notebook computers, smartphones, and tablets).", - "check": "Verify that the Uncomplicated Firewall is installed.\n\nCheck that the Uncomplicated Firewall is installed with the following command:\n\n# sudo apt list ufw\n\nii ufw 0.35-0Ubuntu2 [installed]\n\nIf the \"ufw\" package is not installed, ask the System Administrator if\nanother application firewall is installed. If no application firewall is\ninstalled this is a finding.", - "fix": "Install Uncomplicated Firewall with the following command:\n\n# sudo apt-get install ufw" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \"tallylog\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w tallylog /etc/audit/audit.rules\n\n-w /var/log/tallylog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"tallylog\" file occur.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000297-GPOS-00115", - "gid": "V-75803", - "rid": "SV-90483r2_rule", - "stig_id": "UBTU-16-030030", - "fix_id": "F-82433r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000473-GPOS-00218" + ], + "gid": "V-75771", + "rid": "SV-90451r3_rule", + "stig_id": "UBTU-16-020730", + "fix_id": "F-82399r2_fix", "cci": [ - "CCI-002314" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AC-17 (1)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
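Review bot: The ClamAV alternative in the new `code` string for V-78005 asserts `service('clamav-daemon.service')` is running, while the control's own `check` text inspects `clamav-daemon.socket`; on a socket-activated install, which is what the check output shows as enabled, the `.service` unit can legitimately be inactive until the first scan request, so the automated test may raise a finding on a host that passes the manual check. Aligning the two, for example `describe service('clamav-daemon.socket') do` in place of or alongside the `.service` block, would avoid that false finding. The third branch of `describe.one` passes purely on the `other_antivirus_loaded_active` input, so a run with that input set to true never inspects the host; its default and intended use are not visible here and deserve a comment in the control, e.g. `# manual attestation: set true only after the SA has confirmed an approved AV is installed and running`. The describe label `'... is loaded and activities'` reads like a typo for 'is active'. The enclosing JSON object for V-78005 begins in the previous hunk.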
@@ -2096,43 +1973,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75803' do\n title 'An application firewall must be installed.'\n desc \"Uncomplicated Firewall provides a easy and effective way to\nblock/limit remote access to the system, via ports, services and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Ubuntu operating system functionality (e.g., RDP) must be capable of taking\nenforcement action if the audit reveals unauthorized activity. Automated\ncontrol of remote access sessions allows organizations to ensure ongoing\ncompliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g.,\nservers, workstations, notebook computers, smartphones, and tablets).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000297-GPOS-00115'\n tag \"gid\": 'V-75803'\n tag \"rid\": 'SV-90483r2_rule'\n tag \"stig_id\": 'UBTU-16-030030'\n tag \"fix_id\": 'F-82433r1_fix'\n tag \"cci\": ['CCI-002314']\n tag \"nist\": ['AC-17 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Uncomplicated Firewall is installed.\n\nCheck that the Uncomplicated Firewall is installed with the following command:\n\n# sudo apt 
list ufw\n\nii ufw 0.35-0Ubuntu2 [installed]\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator if\nanother application firewall is installed. If no application firewall is\ninstalled this is a finding.\"\n desc 'fix', \"Install Uncomplicated Firewall with the following command:\n\n# sudo apt-get install ufw\"\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n", + "code": "control 'V-75771' do\n title \"Successful/unsuccessful modifications to the tallylog file must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000473-GPOS-00218]\n tag \"gid\": 'V-75771'\n tag \"rid\": 'SV-90451r3_rule'\n tag \"stig_id\": 'UBTU-16-020730'\n tag \"fix_id\": 'F-82399r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \\\"tallylog\\\" file occur.\n\nCheck that the following 
calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w tallylog /etc/audit/audit.rules\n\n-w /var/log/tallylog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \\\"tallylog\\\" file occur.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75803.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75771.rb", "line": 3 }, - "id": "V-75803" + "id": "V-75771" }, { - "title": "Duplicate User IDs (UIDs) must not exist for interactive users.", - "desc": "To assure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf 
of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", + "title": "The file integrity tool must be configured to verify Access Control\nLists (ACLs).", + "desc": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.", "descriptions": { - "default": "To assure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. 
Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", - "check": "Verify that the Ubuntu operating system contains no duplicate\nUser IDs (UIDs) for interactive users.\n\nCheck that the Ubuntu operating system contains no duplicate UIDs for\ninteractive users with the following command:\n\n# awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf output is produced, and the accounts listed are interactive user accounts,\nthis is a finding.", - "fix": "Edit the file \"/etc/passwd\" and provide each interactive user\naccount that has a duplicate User ID (UID) with a unique UID." + "default": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.", + "check": "Verify the file integrity tool is configured to verify Access\nControl Lists (ACLs).\n\nUse the following command to determine if the file is in a location other than\n\"/etc/aide/aide.conf\":\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to\nthe rule list being applied to the files and directories selection lists with\nthe following command:\n\n# egrep \"[+]?acl\" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+acl\n\nIf the \"acl\" rule is not being used on all selection lines in the\n\"/etc/aide.conf\" file, is commented out, or ACLs are not being checked by\nanother file integrity tool, this is a finding.", + "fix": "Configure the file integrity tool to check file and directory\nACLs.\n\nIf AIDE is installed, ensure the \"acl\" rule is present on all file and\ndirectory selection lists." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000104-GPOS-00051", - "satisfies": [ - "SRG-OS-000104-GPOS-00051", - "SRG-OS-000121-GPOS-00062", - "SRG-OS-000134-GPOS-00068" - ], - "gid": "V-75547", - "rid": "SV-90227r2_rule", - "stig_id": "UBTU-16-010660", - "fix_id": "F-82175r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75519", + "rid": "SV-90199r3_rule", + "stig_id": "UBTU-16-010520", + "fix_id": "F-82147r1_fix", "cci": [ - "CCI-000764", - "CCI-000804", - "CCI-001084" + "CCI-000366" ], "nist": [ - "IA-2", - "IA-8", - "SC-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
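Review bot: The test for V-75771 in the new `code` string evaluates the loaded ruleset through the `auditd` resource (`auditd.lines`, `auditd.file`), while the control's `check` text greps the persistent `/etc/audit/audit.rules`; a watch added at runtime with auditctl but never written to the rules file passes this test yet would not survive an auditd restart, and a rule present in the file but not yet loaded fails it. If the profile intends to verify persisted configuration, pair the `auditd.file` assertions with a content match on `file('/etc/audit/audit.rules')` for `-w /var/log/tallylog -p wa`, or state in a comment that only the live ruleset is assessed. The presence probe `line.include?(@audit_file)` is a substring match, so a watch on any longer path containing `/var/log/tallylog` also satisfies it; `auditd.lines.any? { |line| line.split.include?(@audit_file) }` is tighter and reads more directly than the `!...index {...}.nil?` form. `@audit_file` and `@perms` are instance variables where plain locals would do. The enclosing JSON object for V-75771 begins in the previous hunk.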
@@ -2146,43 +2014,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75547' do\n title 'Duplicate User IDs (UIDs) must not exist for interactive users.'\n desc \"To assure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000104-GPOS-00051'\n tag \"satisfies\": %w[SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062\n SRG-OS-000134-GPOS-00068]\n tag \"gid\": 'V-75547'\n tag \"rid\": 'SV-90227r2_rule'\n tag \"stig_id\": 'UBTU-16-010660'\n tag \"fix_id\": 'F-82175r1_fix'\n tag \"cci\": %w[CCI-000764 CCI-000804 CCI-001084]\n tag \"nist\": %w[IA-2 IA-8 SC-3 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system contains no duplicate\nUser IDs (UIDs) for interactive 
users.\n\nCheck that the Ubuntu operating system contains no duplicate UIDs for\ninteractive users with the following command:\n\n# awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf output is produced, and the accounts listed are interactive user accounts,\nthis is a finding.\"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user\naccount that has a duplicate User ID (UID) with a unique UID.\"\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", + "code": "control 'V-75519' do\n title \"The file integrity tool must be configured to verify Access Control\nLists (ACLs).\"\n desc \"ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75519'\n tag \"rid\": 'SV-90199r3_rule'\n tag \"stig_id\": 'UBTU-16-010520'\n tag \"fix_id\": 'F-82147r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the file integrity tool is configured to verify Access\nControl Lists (ACLs).\n\nUse the following command to determine if the file is in a location other than\n\\\"/etc/aide/aide.conf\\\":\n\n# find / -name aide.conf\n\nCheck the \\\"aide.conf\\\" file to determine if the \\\"acl\\\" rule has been added to\nthe rule list being applied to the files and 
directories selection lists with\nthe following command:\n\n# egrep \\\"[+]?acl\\\" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+acl\n\nIf the \\\"acl\\\" rule is not being used on all selection lines in the\n\\\"/etc/aide.conf\\\" file, is commented out, or ACLs are not being checked by\nanother file integrity tool, this is a finding.\"\n desc 'fix', \"Configure the file integrity tool to check file and directory\nACLs.\n\nIf AIDE is installed, ensure the \\\"acl\\\" rule is present on all file and\ndirectory selection lists.\"\n\n describe aide_conf.all_have_rule('acl') do\n it { should eq true }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75547.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75519.rb", "line": 3 }, - "id": "V-75547" + "id": "V-75519" }, { - "title": "Audit log directory must be owned by root to prevent unauthorized read\naccess.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "title": "The Ubuntu operating system must be configured to use TCP syncookies.", + "desc": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n Managing excess capacity ensures that sufficient capacity is available to\ncounter flooding attacks. Employing increased capacity and service redundancy\nmay reduce the susceptibility to some DoS attacks. 
Managing excess capacity may\ninclude, for example, establishing selected usage priorities, quotas, or\npartitioning.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", - "check": "Verify the audit log directory is owned by \"root\" to prevent\nunauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex:\n\"/var/log/audit/\"). Run the following command with the correct audit log\ndirectory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not owned by \"root\", this is a finding.", - "fix": "Configure the audit log to be protected from unauthorized read\naccess, by setting the correct owner as \"root\" with the following command:\n\n# sudo chown root [audit_log_directory]\n\nReplace \"[audit_log_directory]\" with the correct audit log directory path, by\ndefault this location is usually \"/var/log/audit\"." + "default": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n Managing excess capacity ensures that sufficient capacity is available to\ncounter flooding attacks. Employing increased capacity and service redundancy\nmay reduce the susceptibility to some DoS attacks. 
Managing excess capacity may\ninclude, for example, establishing selected usage priorities, quotas, or\npartitioning.", + "check": "Verify the Ubuntu operating system is configured to use TCP\nsyncookies.\n\nCheck the value of TCP syncookies with the following command:\n\n# sysctl net.ipv4.tcp_syncookies\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.", + "fix": "Configure the Ubuntu operating system to use TCP syncookies, by\nrunning the following command:\n\n# sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.tcp_syncookies = 1" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-75643", - "rid": "SV-90323r2_rule", - "stig_id": "UBTU-16-020130", - "fix_id": "F-82271r2_fix", + "gtitle": "SRG-OS-000142-GPOS-00071", + "gid": "V-75869", + "rid": "SV-90549r2_rule", + "stig_id": "UBTU-16-030510", + "fix_id": "F-82499r2_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-001095" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "SC-5 (2)", "Rev_4" ], "false_negatives": null, 
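Review bot: The new `code` string for V-75519 calls `aide_conf` with no path, while the control's `check` text locates the configuration with `find / -name aide.conf` and reads `/etc/aide/aide.conf`; if the resource falls back to a different default location that the Ubuntu package does not ship, the selection-line set would be empty and `all_have_rule('acl')` could pass vacuously, turning a missing ACL rule into a false pass. Passing the location explicitly, `describe aide_conf('/etc/aide/aide.conf') do`, or reading it from an input, and asserting beforehand that the file exists and yields at least one selection line would close that gap. Whether `aide_conf` follows include directives into any auxiliary configuration directory, where Debian-based installs commonly keep most selection lines, is not visible here and should be confirmed, since rules kept there would otherwise go unexamined. The enclosing JSON object for V-75519 begins in the previous hunk.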
@@ -2196,50 +2055,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75643' do\n title \"Audit log directory must be owned by root to prevent unauthorized read\naccess.\"\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029]\n tag \"gid\": 'V-75643'\n tag \"rid\": 'SV-90323r2_rule'\n tag \"stig_id\": 'UBTU-16-020130'\n tag \"fix_id\": 'F-82271r2_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit log directory is owned by \\\"root\\\" to prevent\nunauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex:\n\\\"/var/log/audit/\\\"). 
Run the following command with the correct audit log\ndirectory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit log to be protected from unauthorized read\naccess, by setting the correct owner as \\\"root\\\" with the following command:\n\n# sudo chown root [audit_log_directory]\n\nReplace \\\"[audit_log_directory]\\\" with the correct audit log directory path, by\ndefault this location is usually \\\"/var/log/audit\\\".\"\n\n log_file_dir = input('log_file_dir')\n\n describe directory(log_file_dir) do\n its('owner') { should cmp 'root' }\n end\nend\n", + "code": "control 'V-75869' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies.'\n desc \"DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n Managing excess capacity ensures that sufficient capacity is available to\ncounter flooding attacks. Employing increased capacity and service redundancy\nmay reduce the susceptibility to some DoS attacks. 
Managing excess capacity may\ninclude, for example, establishing selected usage priorities, quotas, or\npartitioning.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000142-GPOS-00071'\n tag \"gid\": 'V-75869'\n tag \"rid\": 'SV-90549r2_rule'\n tag \"stig_id\": 'UBTU-16-030510'\n tag \"fix_id\": 'F-82499r2_fix'\n tag \"cci\": ['CCI-001095']\n tag \"nist\": ['SC-5 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP\nsyncookies.\n\nCheck the value of TCP syncookies with the following command:\n\n# sysctl net.ipv4.tcp_syncookies\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies, by\nrunning the following command:\n\n# sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.tcp_syncookies = 1\"\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75643.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75869.rb", "line": 3 }, - "id": "V-75643" + "id": "V-75869" }, { - "title": "Successful/unsuccessful uses of the chage command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can 
be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a ssh logon and the user must acknowledge the usage conditions and take\nexplicit actions to log on for further access.", + "desc": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"chage\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-chage\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"chage\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-chage\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. 
Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", + "check": "Verify the Ubuntu operating system displays the Standard\nMandatory DoD Notice and Consent Banner before granting access to the Ubuntu\noperating system via a ssh logon.\n\nCheck that the Ubuntu operating system displays the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the Ubuntu operating system\nvia a ssh logon with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nBanner=/etc/issue.net\n\nThe command will return the banner option along with the name of the file that\ncontains the ssh banner. If the line is commented out this is a finding.\n\nCheck the specified banner file to check that it matches the Standard Mandatory\nDoD Notice and Consent Banner exactly:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent\nBanner exactly, this is a finding.", + "fix": "Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system\nvia SSH logon.\n\nEdit the SSH daemon configuration \"/etc/ssh/sshd_config\" file. Uncomment the\nbanner keyword and configure it to point to the file that contains the correct\nbanner. An example of this configure is below:\n\nBanner=/etc/issue.net\n\nEither create the file containing the banner, or replace the text in the file\nwith the Standard Mandatory DoD Notice and Consent Banner. 
The DoD required\ntext is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75783", - "rid": "SV-90463r3_rule", - "stig_id": "UBTU-16-020790", - "fix_id": "F-82413r2_fix", + "gtitle": "SRG-OS-000023-GPOS-00006", + "gid": "V-75825", + "rid": "SV-90505r3_rule", + "stig_id": "UBTU-16-030210", + "fix_id": "F-82455r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000048" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "AC-8 a", "Rev_4" ], "false_negatives": null, 
@@ -2253,34 +2096,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75783' do\n title \"Successful/unsuccessful uses of the chage command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75783'\n tag \"rid\": 'SV-90463r3_rule'\n tag \"stig_id\": 'UBTU-16-020790'\n tag \"fix_id\": 'F-82413r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"chage\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-chage\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit 
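Review bot: The V-75869 InSpec body on the new side (`describe kernel_parameter('net.ipv4.tcp_syncookies') do its('value') { should cmp 1 }`) asserts only the live kernel value, so a host where an operator ran the fix's `sysctl -w` without persisting it passes today and silently reverts at the next reboot, while the opposite case (persisted but not yet applied) fails. This mirrors the STIG check text, which also reads only `sysctl`, but a practitioner would want the persisted setting covered too, e.g. an additional `describe.one` over `/etc/sysctl.conf` and the files under `/etc/sysctl.d` asserting a `net.ipv4.tcp_syncookies = 1` line. Since this JSON is an export of `./Ubuntu 16.04 STIG/controls/V-75869.rb` (per `source_location`), the change presumably belongs in that control and should be regenerated into this asset rather than edited here.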
system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"chage\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-chage\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75825' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a ssh logon and the user must acknowledge the usage conditions and take\nexplicit actions to log on for further access.\"\n desc \"Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. 
Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \\\"I've read and consent to terms in IS user agreem't.\\\"\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"gid\": 'V-75825'\n tag \"rid\": 'SV-90505r3_rule'\n tag \"stig_id\": 'UBTU-16-030210'\n tag \"fix_id\": 'F-82455r2_fix'\n tag \"cci\": ['CCI-000048']\n tag \"nist\": ['AC-8 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system displays the Standard\nMandatory DoD Notice and Consent Banner before granting access to the Ubuntu\noperating system via a ssh logon.\n\nCheck that the Ubuntu operating system displays the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the Ubuntu operating system\nvia a ssh logon with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nBanner=/etc/issue.net\n\nThe command will return the banner option along with the name of the file that\ncontains the ssh banner. If the line is commented out this is a finding.\n\nCheck the specified banner file to check that it matches the Standard Mandatory\nDoD Notice and Consent Banner exactly:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent\nBanner exactly, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system\nvia SSH logon.\n\nEdit the SSH daemon configuration \\\"/etc/ssh/sshd_config\\\" file. Uncomment the\nbanner keyword and configure it to point to the file that contains the correct\nbanner. An example of this configure is below:\n\nBanner=/etc/issue.net\n\nEither create the file containing the banner, or replace the text in the file\nwith the Standard Mandatory DoD Notice and Consent Banner. 
The DoD required\ntext is:\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? 
&& banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75783.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75825.rb", "line": 3 }, - "id": "V-75783" + "id": "V-75825" }, { - "title": "The SSH daemon must use privilege separation.", - "desc": "SSH daemon privilege separation causes the SSH process to drop root\nprivileges when not needed, which would decrease the impact of software\nvulnerabilities in the unprivileged section.", + "title": "The Ubuntu operating system must allow only the Information System\nSecurity Manager (ISSM) (or individuals or roles appointed by the ISSM) to\nselect which auditable events are to be audited.", + "desc": "Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. 
Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", "descriptions": { - "default": "SSH daemon privilege separation causes the SSH process to drop root\nprivileges when not needed, which would decrease the impact of software\nvulnerabilities in the unprivileged section.", - "check": "Check that the SSH daemon performs privilege separation with\nthe following command:\n\n# grep UsePrivilegeSeparation /etc/ssh/sshd_config\n\nUsePrivilegeSeparation yes\n\nIf the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the\nreturned line is commented out, this is a finding.", - "fix": "Configure SSH to use privilege separation. Uncomment the\n\"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" and set the\nvalue to \"yes\":\n\nUsePrivilegeSeparation yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. 
Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", + "check": "Verify that the /etc/audit/audit.rule and\n/etc/audit/auditd.conf file have a mode of 0640 or less permissive by using the\nfollowing command:\n\n# sudo ls -la /etc/audit/audit.rules\n\n-rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n-rw-r----- 1 root root 621 Sep 22 2014 auditd.conf\n\nIf the \"/etc/audit/audit.rule\" or \"/etc/audit/auditd.conf\" file have a mode\nmore permissive than \"0640\", this is a finding.", + "fix": "Configure the /etc/audit/audit.rule and /etc/audit/auditd.conf\nfile to have a mode of 0640 with the following command:\n\n# sudo chmod 0640 /etc/audit/audit.rule\n# sudo chmod 0640 /etc/audit/audit.conf" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75849", - "rid": "SV-90529r2_rule", - "stig_id": "UBTU-16-030340", - "fix_id": "F-82479r2_fix", + "gtitle": "SRG-OS-000063-GPOS-00032", + "gid": "V-75647", + "rid": "SV-90327r1_rule", + "stig_id": "UBTU-16-020150", + "fix_id": "F-82275r1_fix", "cci": [ - "CCI-000366" + "CCI-000171" ], "nist": [ - "CM-6 b", + "AU-12 b", "Rev_4" ], "false_negatives": null, 
@@ -2294,20 +2137,70 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75849' do\n title 'The SSH daemon must use privilege separation.'\n desc \"SSH daemon privilege separation causes the SSH process to drop root\nprivileges when not needed, which would decrease the impact of software\nvulnerabilities in the unprivileged section.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75849'\n tag \"rid\": 'SV-90529r2_rule'\n tag \"stig_id\": 'UBTU-16-030340'\n tag \"fix_id\": 'F-82479r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Check that the SSH daemon performs privilege separation with\nthe following command:\n\n# grep UsePrivilegeSeparation /etc/ssh/sshd_config\n\nUsePrivilegeSeparation yes\n\nIf the \\\"UsePrivilegeSeparation\\\" keyword is set to \\\"no\\\", is missing, or the\nreturned line is commented out, this is a finding.\"\n desc 'fix', \"Configure SSH to use privilege separation. Uncomment the\n\\\"UsePrivilegeSeparation\\\" keyword in \\\"/etc/ssh/sshd_config\\\" and set the\nvalue to \\\"yes\\\":\n\nUsePrivilegeSeparation yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('UsePrivilegeSeparation') { should cmp 'yes' }\n end\nend\n", + "code": "control 'V-75647' do\n title \"The Ubuntu operating system must allow only the Information System\nSecurity Manager (ISSM) (or individuals or roles appointed by the ISSM) to\nselect which auditable events are to be audited.\"\n desc \"Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000063-GPOS-00032'\n tag \"gid\": 'V-75647'\n tag \"rid\": 'SV-90327r1_rule'\n tag \"stig_id\": 'UBTU-16-020150'\n tag \"fix_id\": 'F-82275r1_fix'\n tag \"cci\": ['CCI-000171']\n tag \"nist\": ['AU-12 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the /etc/audit/audit.rule and\n/etc/audit/auditd.conf file have a mode of 0640 or less permissive by using the\nfollowing command:\n\n# sudo ls -la /etc/audit/audit.rules\n\n-rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n-rw-r----- 1 root root 621 Sep 22 2014 auditd.conf\n\nIf the \\\"/etc/audit/audit.rule\\\" or \\\"/etc/audit/auditd.conf\\\" file have a mode\nmore permissive than \\\"0640\\\", this is a finding.\"\n desc 'fix', \"Configure the /etc/audit/audit.rule and /etc/audit/auditd.conf\nfile 
to have a mode of 0640 with the following command:\n\n# sudo chmod 0640 /etc/audit/audit.rule\n# sudo chmod 0640 /etc/audit/audit.conf\"\n\n describe file('/etc/audit/audit.rules') do\n it { should_not be_more_permissive_than('0640') }\n end\n describe file('/etc/audit/auditd.conf') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75849.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75647.rb", "line": 3 }, - "id": "V-75849" + "id": "V-75647" }, { - "title": "Successful/unsuccessful uses of the usermod command must generate an\naudit record.", + "title": "Audit log directory must be group-owned by root to prevent\nunauthorized read access.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "descriptions": { + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "check": "Verify the audit log directory is group-owned by \"root\" to\nprevent unauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex:\n\"/var/log/audit/\"). 
Run the following command with the correct audit log\ndirectory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not group-owned by \"root\", this is a finding.", + "fix": "Configure the audit log to be protected from unauthorized read\naccess, by setting the correct group-owner as \"root\" with the following\ncommand:\n\n# sudo chgrp root [audit_log_directory]\n\nReplace \"[audit_log_directory]\" with the correct audit log directory path, by\ndefault this location is usually \"/var/log/audit\"." + }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-75645", + "rid": "SV-90325r2_rule", + "stig_id": "UBTU-16-020140", + "fix_id": "F-82273r2_fix", + "cci": [ + "CCI-000162", + "CCI-000163", + "CCI-000164" + ], + "nist": [ + "AU-9", + "AU-9", + "AU-9", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null + }, + "code": "control 'V-75645' do\n title \"Audit log directory must be group-owned by root to prevent\nunauthorized read access.\"\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029]\n tag \"gid\": 'V-75645'\n tag \"rid\": 'SV-90325r2_rule'\n tag \"stig_id\": 'UBTU-16-020140'\n tag 
\"fix_id\": 'F-82273r2_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit log directory is group-owned by \\\"root\\\" to\nprevent unauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex:\n\\\"/var/log/audit/\\\"). Run the following command with the correct audit log\ndirectory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not group-owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit log to be protected from unauthorized read\naccess, by setting the correct group-owner as \\\"root\\\" with the following\ncommand:\n\n# sudo chgrp root [audit_log_directory]\n\nReplace \\\"[audit_log_directory]\\\" with the correct audit log directory path, by\ndefault this location is usually \\\"/var/log/audit\\\".\"\n\n log_file_dir = input('log_file_dir')\n\n describe directory(log_file_dir) do\n its('group') { should cmp 'root' }\n end\nend\n", + "source_location": { + "ref": "./Ubuntu 16.04 STIG/controls/V-75645.rb", + "line": 3 + }, + "id": "V-75645" + }, + { + "title": "Successful/unsuccessful uses of the finit_module command must generate\nan audit record.", "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an 
incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"usermod\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w usermod /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-usermod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"usermod\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-usermod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"finit_module\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w \"finit_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"finit_module\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], @@ -2321,10 +2214,10 @@ "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75785", - "rid": "SV-90465r3_rule", - "stig_id": "UBTU-16-020800", - "fix_id": "F-82415r2_fix", + "gid": "V-75793", + "rid": "SV-90473r3_rule", + "stig_id": "UBTU-16-020840", + "fix_id": "F-82423r2_fix", "cci": [ "CCI-000130", "CCI-000135", 
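Review bot: The V-75647 fix text tells the operator to `chmod 0640 /etc/audit/audit.rule` and `/etc/audit/audit.conf`, neither of which exists, while the InSpec checks in the same control test `/etc/audit/audit.rules` and `/etc/audit/auditd.conf`; an operator who follows the fix literally gets "No such file" and the control keeps failing. If this text is meant to stay verbatim with the published benchmark, add a note in the control flagging the discrepancy; otherwise correct the paths to `# sudo chmod 0640 /etc/audit/audit.rules` and `# sudo chmod 0640 /etc/audit/auditd.conf`. Separately, V-75645 reads the audit directory from `input('log_file_dir')` whereas V-75639 in this same change derives it from `auditd_conf.log_file`; deriving it the same way, `log_file_dir = File.dirname(auditd_conf.log_file)`, follows the configured location and removes a dependency on an input that, as far as this diff shows, is not declared with a default. A mode-only check also does not establish who the 0640 group is; a group other than root still gets read access, which is why the owner/group controls elsewhere in this profile matter alongside this one.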
@@ -2351,43 +2244,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75785' do\n title \"Successful/unsuccessful uses of the usermod command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75785'\n tag \"rid\": 'SV-90465r3_rule'\n tag \"stig_id\": 'UBTU-16-020800'\n tag \"fix_id\": 'F-82415r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"usermod\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w usermod /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-usermod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure 
the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"usermod\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-usermod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75793' do\n title \"Successful/unsuccessful uses of the finit_module command must generate\nan audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75793'\n tag \"rid\": 'SV-90473r3_rule'\n tag \"stig_id\": 'UBTU-16-020840'\n tag \"fix_id\": 'F-82423r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n 
CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"finit_module\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w \\\"finit_module\\\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"finit_module\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k\nmodule_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('finit_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('finit_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75785.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75793.rb", "line": 3 }, - "id": "V-75785" + "id": "V-75793" }, { - "title": "All users must be able to directly initiate a session lock for all\nconnection types.", - "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, Ubuntu operating systems need to provide users\nwith the ability to manually invoke a session lock so users may secure their\nsession should the need arise for them to temporarily vacate the immediate\nphysical vicinity.", + "title": "Audit logs must be owned by root to prevent unauthorized read access.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, Ubuntu operating systems need to provide users\nwith the ability to manually invoke a session lock so users may secure their\nsession should the need arise for them to temporarily vacate the immediate\nphysical vicinity.", - "check": "Verify the Ubuntu operating system has the 'vlock' package\ninstalled, by running the following command:\n\n# dpkg -l | grep vlock\n\nvlock_2.2.2-7\n\nIf \"vlock\" is not installed, this is a finding.", - "fix": "Install the \"vlock\" (if it is not already installed) package by\nrunning the following command:\n\n# sudo apt-get install vlock" + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "check": "Verify the audit logs are owned by \"root\". First determine\nwhere the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is owned\nby \"root\" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\nrw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not owned by \"root\", this is a finding.", + "fix": "Configure the audit log to be protected from unauthorized read\naccess, by setting the correct owner as \"root\" with the following command:\n\n# sudo chown root [audit_log_file]\n\nReplace \"[audit_log_file]\" to the correct audit log path, by default this\nlocation is \"/var/log/audit/audit.log\"." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000028-GPOS-00009", + "gtitle": "SRG-OS-000057-GPOS-00027", "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000030-GPOS-00011", - "SRG-OS-000031-GPOS-00012" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" ], - "gid": "V-75439", - "rid": "SV-90119r2_rule", - "stig_id": "UBTU-16-010050", - "fix_id": "F-82067r1_fix", + "gid": "V-75639", + "rid": "SV-90319r2_rule", + "stig_id": "UBTU-16-020110", + "fix_id": "F-82267r2_fix", "cci": [ - "CCI-000056", - "CCI-000058", - "CCI-000060" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "AC-11 b", - "AC-11 a", - "AC-11 (1)", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ], "false_negatives": null, 
@@ -2401,53 +2294,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75439' do\n title \"All users must be able to directly initiate a session lock for all\nconnection types.\"\n desc \"A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, Ubuntu operating systems need to provide users\nwith the ability to manually invoke a session lock so users may secure their\nsession should the need arise for them to temporarily vacate the immediate\nphysical vicinity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000028-GPOS-00009'\n tag \"satisfies\": %w[SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011\n SRG-OS-000031-GPOS-00012]\n tag \"gid\": 'V-75439'\n tag \"rid\": 'SV-90119r2_rule'\n tag \"stig_id\": 'UBTU-16-010050'\n tag \"fix_id\": 'F-82067r1_fix'\n tag \"cci\": %w[CCI-000056 CCI-000058 CCI-000060]\n tag \"nist\": ['AC-11 b', 'AC-11 a', 'AC-11 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system has the 'vlock' package\ninstalled, by running the following command:\n\n# dpkg -l | grep vlock\n\nvlock_2.2.2-7\n\nIf \\\"vlock\\\" is not installed, this is a finding.\"\n desc 'fix', \"Install the \\\"vlock\\\" (if it is not already installed) package by\nrunning the following command:\n\n# sudo apt-get install vlock\"\n\n describe package('vlock') do\n it { 
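Review bot: The V-75793 fix text supplies only an `arch=b64` rule for `finit_module`, but the InSpec code requires a matching `arch=b32` rule unconditionally (the `where { arch == 'b32' }` describe sits outside the `os.arch == 'x86_64'` guard), so a host configured exactly as the fix instructs still fails the control. Either add the second rule to the check and fix text, `-a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng`, or guard the b32 describe the same way the b64 one is guarded. Note also that both rules filter on `auid>=1000` and `auid!=4294967295`, so module loads from a root login session (auid 0) or from a process with an unset loginuid are not recorded; that is worth a one-line comment, since kernel module loading is the event this control exists to capture. In V-75639 the sample output `rw------- 2 root root` is missing the leading file-type character that `ls -la` prints (`-rw-------`).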
should be_installed }\n end\nend\n", + "code": "control 'V-75639' do\n title 'Audit logs must be owned by root to prevent unauthorized read access.'\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029]\n tag \"gid\": 'V-75639'\n tag \"rid\": 'SV-90319r2_rule'\n tag \"stig_id\": 'UBTU-16-020110'\n tag \"fix_id\": 'F-82267r2_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit logs are owned by \\\"root\\\". 
First determine\nwhere the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is owned\nby \\\"root\\\" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\nrw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit log to be protected from unauthorized read\naccess, by setting the correct owner as \\\"root\\\" with the following command:\n\n# sudo chown root [audit_log_file]\n\nReplace \\\"[audit_log_file]\\\" to the correct audit log path, by default this\nlocation is \\\"/var/log/audit/audit.log\\\".\"\n\n log_file_path = auditd_conf.log_file\n\n describe file(log_file_path) do\n its('owner') { should cmp 'root' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75439.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75639.rb", "line": 3 }, - "id": "V-75439" + "id": "V-75639" }, { - "title": "The audit system must be configured to audit any usage of the\nlsetxattr system call.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "Library files must be owned by root.", + "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"lsetxattr\" system call, by running the following\ncommand:\n\n# sudo grep -w lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is 
commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"lsetxattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "check": "Verify the system-wide shared library files are owned by\n\"root\".\n\nCheck that the system-wide shared library files are owned by \"root\" with the\nfollowing command:\n\n# sudo find /lib /usr/lib /lib64 ! 
-user root | xargs ls -la\n\nIf any system wide shared library file is returned, this is a finding.", + "fix": "Configure the system-wide shared library files (/lib, /usr/lib,\n/lib64) to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any library file not owned\nby \"root\".\n\n# sudo chown root [FILE]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000474-GPOS-00219" - ], - "gid": "V-75719", - "rid": "SV-90399r2_rule", - "stig_id": "UBTU-16-020470", - "fix_id": "F-82347r2_fix", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-75607", + "rid": "SV-90287r2_rule", + "stig_id": "UBTU-16-011010", + "fix_id": "F-82235r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-001499" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
@@ -2461,50 +2335,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75719' do\n title \"The audit system must be configured to audit any usage of the\nlsetxattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75719'\n tag \"rid\": 'SV-90399r2_rule'\n tag \"stig_id\": 'UBTU-16-020470'\n tag 
\"fix_id\": 'F-82347r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"lsetxattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"lsetxattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('lsetxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('lsetxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75607' do\n title 'Library files must be owned by root.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75607'\n tag \"rid\": 'SV-90287r2_rule'\n tag \"stig_id\": 'UBTU-16-011010'\n tag \"fix_id\": 'F-82235r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system-wide shared library files are owned by\n\\\"root\\\".\n\nCheck that the system-wide shared library files are owned by \\\"root\\\" with the\nfollowing command:\n\n# sudo find /lib /usr/lib /lib64 ! -user root | xargs ls -la\n\nIf any system wide shared library file is returned, this is a finding.\"\n desc 'fix', \"Configure the system-wide shared library files (/lib, /usr/lib,\n/lib64) to be protected from unauthorized access.\n\nRun the following command, replacing \\\"[FILE]\\\" with any library file not owned\nby \\\"root\\\".\n\n# sudo chown root [FILE]\"\n\n if os.arch == 'x86_64'\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root').stdout.strip.split(\"\\n\").entries\n else\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! 
\\-user root').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75719.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75607.rb", "line": 3 }, - "id": "V-75719" + "id": "V-75607" }, { - "title": "Successful/unsuccessful uses of the openat command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The file integrity tool must perform verification of the correct\noperation of security functions: upon system start-up and/or restart; upon\ncommand by a user with privileged access; and/or every 30 days.", + "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Notifications provided by information systems include, for example,\nelectronic alerts to system administrators, messages to local computer\nconsoles, and/or hardware indications, such as lights.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"openat\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"openat\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F 
arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Notifications provided by information systems include, for example,\nelectronic alerts to system administrators, messages to local computer\nconsoles, and/or hardware indications, such as lights.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE)\nperforms a verification of the operation of security functions every 30 days.\n\nNote: A file integrity tool other than AIDE may be used, but the tool must be\nexecuted at least once per week.\n\nCheck that AIDE is being executed every 30 days or less with the following\ncommand:\n\n# ls -al /etc/cron.daily/aide\n\n-rwxr-xr-x 1 root root 26049 Oct 24 2014 /etc/cron.daily/aide\n\nIf the \"/etc/cron.daily/aide\" file does not exist or the cron job is not\nconfigured to run at least every 30 days, this is a finding.", + "fix": "The cron file for AIDE is fairly complex as it creates the\nreport. 
The easiest way to create the file is to update the AIDE package with\nthe following command:\n\n# sudo apt-get install aide" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75751", - "rid": "SV-90431r3_rule", - "stig_id": "UBTU-16-020630", - "fix_id": "F-82379r2_fix", + "gtitle": "SRG-OS-000446-GPOS-00200", + "gid": "V-75517", + "rid": "SV-90197r2_rule", + "stig_id": "UBTU-16-010510", + "fix_id": "F-82145r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-002699" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "SI-6 b", "Rev_4" ], "false_negatives": null, 
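Review bot: The `find` in the new V-75607 code is written as `find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root`; inside Ruby single quotes the `\-` is kept literally, so the backslash reaches the shell and is only stripped there, which makes the command work by accident rather than by design and is easy to "fix" into a failure later. Plain `! -user root` is equivalent and clearer; the same applies to the non-x86_64 branch. Note also that without a `-type` qualifier the control reports non-root directories and symlinks under those paths too, which is stricter than the STIG check text ("library file") — that is a reasonable choice, but worth a one-line comment such as `# intentionally includes directories/symlinks: any non-root owner under a library path is a finding` so the deviation is documented.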
@@ -2518,34 +2376,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75751' do\n title \"Successful/unsuccessful uses of the openat command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75751'\n tag \"rid\": 'SV-90431r3_rule'\n tag \"stig_id\": 'UBTU-16-020630'\n tag \"fix_id\": 'F-82379r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"openat\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k 
perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"openat\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('openat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('openat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('openat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('openat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", + "code": "control 'V-75517' do\n title \"The file integrity tool must perform verification of the correct\noperation of security functions: upon system start-up and/or restart; upon\ncommand by a user with privileged access; and/or every 30 days.\"\n desc \"Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. 
Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Notifications provided by information systems include, for example,\nelectronic alerts to system administrators, messages to local computer\nconsoles, and/or hardware indications, such as lights.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000446-GPOS-00200'\n tag \"gid\": 'V-75517'\n tag \"rid\": 'SV-90197r2_rule'\n tag \"stig_id\": 'UBTU-16-010510'\n tag \"fix_id\": 'F-82145r1_fix'\n tag \"cci\": ['CCI-002699']\n tag \"nist\": ['SI-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE)\nperforms a verification of the operation of security functions every 30 days.\n\nNote: A file integrity tool other than AIDE may be used, but the tool must be\nexecuted at least once per week.\n\nCheck that AIDE is being executed every 30 days or less with the following\ncommand:\n\n# ls -al /etc/cron.daily/aide\n\n-rwxr-xr-x 1 root root 26049 Oct 24 2014 /etc/cron.daily/aide\n\nIf the \\\"/etc/cron.daily/aide\\\" file does not exist or the cron job is not\nconfigured to run at least every 30 days, 
this is a finding.\"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the\nreport. The easiest way to create the file is to update the AIDE package with\nthe following command:\n\n# sudo apt-get install aide\"\n\n describe file('/etc/cron.daily/aide') do\n it { should exist }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75751.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75517.rb", "line": 3 }, - "id": "V-75751" + "id": "V-75517" }, { - "title": "Local initialization files must not execute world-writable programs.", - "desc": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", + "title": "Wireless network adapters must be disabled.", + "desc": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the Ubuntu operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with an Ubuntu operating system.\nWireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing\nDevices and Near Field Communications [NFC]) present a unique challenge by\ncreating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the\nAO. Even though some wireless peripherals, such as mice and pointing devices,\ndo not ordinarily carry information that need to be protected, modification of\ncommunications with these wireless peripherals may be used to compromise the\nUbuntu operating system. 
Communication paths outside the physical protection of\na controlled boundary are exposed to the possibility of interception and\nmodification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", "descriptions": { - "default": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", - "check": "Verify that local initialization files do not execute\nworld-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# sudo find / -perm -002 -type f -exec ls -ld {} \\; | more\n\nFor all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\nNote: The example will be for a system that is configured to create users’ home\ndirectories in the \"/home\" directory.\n\n# grep /home/*/.*\n\nIf any local initialization files are found to reference world-writable files,\nthis is a finding.", - "fix": "Set the mode on files being executed by the local initialization\nfiles with the following command:\n\n# chmod 0755 " + "default": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the Ubuntu 
operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with an Ubuntu operating system.\nWireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing\nDevices and Near Field Communications [NFC]) present a unique challenge by\ncreating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the\nAO. Even though some wireless peripherals, such as mice and pointing devices,\ndo not ordinarily carry information that need to be protected, modification of\ncommunications with these wireless peripherals may be used to compromise the\nUbuntu operating system. Communication paths outside the physical protection of\na controlled boundary are exposed to the possibility of interception and\nmodification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. 
If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", + "check": "Verify that there are no wireless interfaces configured on the\nsystem.\n\nCheck that the system does not have active wireless interfaces with the\nfollowing command:\n\nNote: This requirement is Not Applicable for systems that do not have physical\nwireless network radios.\n\n# ifconfig -a | more\n\neth0 Link encap:Ethernet HWaddr ff:ff:ff:ff:ff:ff\ninet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n...\n\neth1 IEEE 802.11b ESSID:\"tacnet\"\nMode:Managed Frequency:2.412 GHz Access Point: 00:40:E7:22:45:CD\n...\n\nlo Link encap:Local Loopback\ninet addr:127.0.0.1 Mask:255.0.0.0\ninet6 addr: ::1/128 Scope:Host\n...\n\nIf a wireless interface is configured and has not been documented and approved\nby the Information System Security Officer (ISSO), this is a finding.", + "fix": "Configure the system to disable all wireless network interfaces\nwith the following command:\n\n# sudo ifdown [ADAPTER_NAME]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75573", - "rid": "SV-90253r1_rule", - "stig_id": "UBTU-16-010790", - "fix_id": "F-82201r1_fix", + "gtitle": "SRG-OS-000299-GPOS-00117", + "satisfies": [ + "SRG-OS-000299-GPOS-00117", + "SRG-OS-000300-GPOS-00118", + "SRG-OS-000481-GPOS-000481" + ], + "gid": "V-75867", + "rid": "SV-90547r1_rule", + "stig_id": "UBTU-16-030500", + "fix_id": "F-82497r1_fix", "cci": [ - "CCI-000366" + "CCI-001443", + "CCI-001444", + "CCI-002418" ], "nist": [ - "CM-6 b", + "AC-18 (1)", + "AC-18 (1)", + "SC-8", "Rev_4" ], "false_negatives": null, 
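Review bot: The new V-75517 code only asserts `file('/etc/cron.daily/aide')` `should exist`, which does not establish that the AIDE job actually runs: a non-executable or non-root-owned script in cron.daily is skipped or tamperable, and the STIG check text itself shows `-rwxr-xr-x 1 root root` as the expected state. Add `it { should be_executable }` and `its('owner') { should eq 'root' }` to the describe block so the control pins what the manual check looks at. The control still cannot verify the schedule (the "every 30 days" vs. "once per week" wording comes from the STIG text and is left as is); a short comment noting that placement in cron.daily is the proxy for the schedule would make that limitation explicit.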
@@ -2559,34 +2426,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75573' do\n title 'Local initialization files must not execute world-writable programs.'\n desc \"If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75573'\n tag \"rid\": 'SV-90253r1_rule'\n tag \"stig_id\": 'UBTU-16-010790'\n tag \"fix_id\": 'F-82201r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that local initialization files do not execute\nworld-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# sudo find / -perm -002 -type f -exec ls -ld {} \\\\; | more\n\nFor all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\nNote: The example will be for a system that is configured to create users’ home\ndirectories in the \\\"/home\\\" directory.\n\n# grep /home/*/.*\n\nIf any local initialization files are found to reference world-writable files,\nthis is a finding.\"\n desc 'fix', \"Set the mode on files being executed by the local initialization\nfiles with the following command:\n\n# chmod 0755 \"\n\n disable_slow_controls = input('disable_slow_controls')\n non_interactive_shells = input('non_interactive_shells')\n if 
disable_slow_controls\n describe 'This control consistently takes a long to run and has been disabled using the DISABLE_SLOW_CONTROLS attribute.' do\n skip \"This control consistently takes a long to run and has been disabled\n using the DISABLE_SLOW_CONTROLS attribute. You must enable this control for a\n full accredidation for production.\"\n end\n else\n ignore_shells = non_interactive_shells.join('|')\n\n dotfiles = Set[]\n u = users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries\n u.each do |user|\n dotfiles += command(\"find #{user.home} -xdev -maxdepth 2 -name '.*' ! -name \\\".bash_history\\\" -type f\").stdout.split(\"\\n\")\n end\n ww_files = Set[]\n ww_files = command('find / -perm -002 -type f -exec ls {} \\;').stdout.lines\n findings = Set[]\n dotfiles.each do |dotfile|\n dotfile = dotfile.strip\n ww_files.each do |ww_file|\n ww_file = ww_file.strip\n count = command(\"grep -c \\\"#{ww_file}\\\" \\\"#{dotfile}\\\"\").stdout.strip.to_i\n findings << dotfile if count > 0\n end\n end\n describe 'Local initialization files that are found to reference world-writable files' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'V-75867' do\n title 'Wireless network adapters must be disabled.'\n desc \"Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the Ubuntu operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with an Ubuntu operating system.\nWireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing\nDevices and Near Field Communications [NFC]) present a unique challenge by\ncreating an open, unsecured port on a computer. 
Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the\nAO. Even though some wireless peripherals, such as mice and pointing devices,\ndo not ordinarily carry information that need to be protected, modification of\ncommunications with these wireless peripherals may be used to compromise the\nUbuntu operating system. Communication paths outside the physical protection of\na controlled boundary are exposed to the possibility of interception and\nmodification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000299-GPOS-00117'\n tag \"satisfies\": %w[SRG-OS-000299-GPOS-00117 SRG-OS-000300-GPOS-00118\n SRG-OS-000481-GPOS-000481]\n tag \"gid\": 'V-75867'\n tag \"rid\": 'SV-90547r1_rule'\n tag \"stig_id\": 'UBTU-16-030500'\n tag \"fix_id\": 'F-82497r1_fix'\n tag \"cci\": %w[CCI-001443 CCI-001444 CCI-002418]\n tag \"nist\": ['AC-18 (1)', 'AC-18 (1)', 'SC-8', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that there are no wireless interfaces configured on the\nsystem.\n\nCheck that the system does not have active wireless interfaces with the\nfollowing command:\n\nNote: This requirement is Not Applicable for systems that do not 
have physical\nwireless network radios.\n\n# ifconfig -a | more\n\neth0 Link encap:Ethernet HWaddr ff:ff:ff:ff:ff:ff\ninet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n...\n\neth1 IEEE 802.11b ESSID:\\\"tacnet\\\"\nMode:Managed Frequency:2.412 GHz Access Point: 00:40:E7:22:45:CD\n...\n\nlo Link encap:Local Loopback\ninet addr:127.0.0.1 Mask:255.0.0.0\ninet6 addr: ::1/128 Scope:Host\n...\n\nIf a wireless interface is configured and has not been documented and approved\nby the Information System Security Officer (ISSO), this is a finding.\"\n desc 'fix', \"Configure the system to disable all wireless network interfaces\nwith the following command:\n\n# sudo ifdown [ADAPTER_NAME]\"\n\n allowed_network_interfaces = input('allowed_network_interfaces')\n ifconfig_output = command('ifconfig -s | cut -d \" \" -f 1').stdout.split(\"\\n\")\n system_network_interfaces = ifconfig_output.drop(1)\n\n other_network_interfaces = system_network_interfaces - allowed_network_interfaces\n\n if other_network_interfaces.count > 0\n other_network_interfaces.each do |net_int|\n describe ('Interface: ' + net_int + ' not permitted') do\n subject { net_int }\n it { should be_empty }\n end\n end\n else\n describe 'Number of wireless network interfaces found' do\n subject { other_network_interfaces }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75573.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75867.rb", "line": 3 }, - "id": "V-75573" + "id": "V-75867" }, { - "title": "All passwords must contain at least one special character.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity or strength is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor in determining how long it takes to crack\na password. 
The more complex the password, the greater the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Special characters are those characters that are not alphanumeric. Examples\ninclude: ~ ! @ # $ % ^ *.", + "title": "The x86 Ctrl-Alt-Delete key sequence must be disabled.", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity or strength is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor in determining how long it takes to crack\na password. The more complex the password, the greater the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Special characters are those characters that are not alphanumeric. Examples\ninclude: ~ ! 
@ # $ % ^ *.", - "check": "Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one special character be used.\n\nDetermine if the field \"ocredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n# grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf the \"ocredit\" parameter is not equal to \"-1\", or is commented out, this\nis a finding.", - "fix": "Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one special character be used.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto contain the \"ocredit\" parameter:\n\nocredit=-1" + "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "check": "Verify the Ubuntu operating system is not configured to reboot\nthe system when Ctrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known as reboot.target)\nis not active with the following command:\n\n# systemctl status ctrl-alt-del.target\nreboot.target - Reboot\n Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled)\n Active: inactive (dead)\n Docs: man:systemd.special(7)\n\nIf the \"ctrl-alt-del.target\" is active, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for\nthe command line with the following command:\n\n# sudo systemctl mask ctrl-alt-del.target\n\nAnd reload the daemon to take effect\n\n# sudo systemctl daemon-reload\n\nIf GNOME is active on the system, create a database to contain the system-wide\nsetting (if it does not already exist) with the following command:\n\n# cat /etc/dconf/db/local.d/00-disable-CAD\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=’’" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000266-GPOS-00101", - "gid": "V-75455", - "rid": "SV-90135r2_rule", - "stig_id": "UBTU-16-010130", - "fix_id": "F-82083r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75541", + "rid": "SV-90221r2_rule", + "stig_id": "UBTU-16-010630", + "fix_id": "F-82169r2_fix", "cci": [ - "CCI-001619" + "CCI-000366" ], "nist": [ - "IA-5 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -2600,50 +2467,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75455' do\n title 'All passwords must contain at least one special character.'\n desc \"Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity or strength is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor in determining how long it takes to crack\na password. The more complex the password, the greater the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Special characters are those characters that are not alphanumeric. Examples\ninclude: ~ ! @ # $ % ^ *.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000266-GPOS-00101'\n tag \"gid\": 'V-75455'\n tag \"rid\": 'SV-90135r2_rule'\n tag \"stig_id\": 'UBTU-16-010130'\n tag \"fix_id\": 'F-82083r2_fix'\n tag \"cci\": ['CCI-001619']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one special character be used.\n\nDetermine if the field \\\"ocredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n# grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf the \\\"ocredit\\\" parameter is not equal to \\\"-1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one special character be used.\n\nAdd or update the following line in the 
\\\"/etc/security/pwquality.conf\\\" file\nto contain the \\\"ocredit\\\" parameter:\n\nocredit=-1\"\n\n min_num_special_char = input('min_num_special_char')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp min_num_special_char }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75541' do\n title 'The x86 Ctrl-Alt-Delete key sequence must be disabled.'\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75541'\n tag \"rid\": 'SV-90221r2_rule'\n tag \"stig_id\": 'UBTU-16-010630'\n tag \"fix_id\": 'F-82169r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot\nthe system when Ctrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known as reboot.target)\nis not active with the following command:\n\n# systemctl status ctrl-alt-del.target\nreboot.target - Reboot\n Loaded: loaded 
(/usr/lib/systemd/system/reboot.target; disabled)\n Active: inactive (dead)\n Docs: man:systemd.special(7)\n\nIf the \\\"ctrl-alt-del.target\\\" is active, this is a finding.\"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for\nthe command line with the following command:\n\n# sudo systemctl mask ctrl-alt-del.target\n\nAnd reload the daemon to take effect\n\n# sudo systemctl daemon-reload\n\nIf GNOME is active on the system, create a database to contain the system-wide\nsetting (if it does not already exist) with the following command:\n\n# cat /etc/dconf/db/local.d/00-disable-CAD\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=’’\"\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75455.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75541.rb", "line": 3 }, - "id": "V-75455" + "id": "V-75541" }, { - "title": "The audit system must be configured to audit any usage of the setxattr\nsystem call.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "The Ubuntu operating system must ignore Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirect messages.", + "desc": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"setxattr\" system call, by running the following command:\n\n# sudo grep -w setxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"setxattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.", + "check": "Verify the Ubuntu operating system ignores Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the \"accept_redirects\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects=0\n\nIf both of the returned lines do not have a value of \"0\", or a line is not\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to ignore Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages\nwith the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_redirects=0" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75717", - "rid": "SV-90397r2_rule", - "stig_id": "UBTU-16-020460", - "fix_id": "F-82345r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75881", + "rid": "SV-90561r2_rule", + "stig_id": "UBTU-16-030570", + "fix_id": "F-82511r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - 
"AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
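Review bot: The new V-75541 code in this hunk asserts only `should_not be_running` and `should_not be_enabled` on `service('ctrl-alt-del.target')`, which does not verify the masking that the fix text prescribes. On an unmitigated system the target is normally inactive and reported as disabled — the check text's own sample output (`Loaded: loaded (...; disabled)`, `Active: inactive (dead)`) shows exactly that state — so this describe block likely passes while Ctrl-Alt-Del still reboots the host. A stronger assertion is the unit's enablement state, e.g. `describe command('systemctl is-enabled ctrl-alt-del.target') do` / `its('stdout.strip') { should cmp 'masked' }` / `end`. Separately, the GNOME portion of the fix text ends in `logout=’’` with typographic quotes (U+2019) rather than ASCII `''`, which dconf is unlikely to read as an empty string. Since this JSON is generated output, both corrections belong in the control source `./Ubuntu 16.04 STIG/controls/V-75541.rb`; the enclosing control object begins before this hunk.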
@@ -2657,34 +2508,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75717' do\n title \"The audit system must be configured to audit any usage of the setxattr\nsystem call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75717'\n tag \"rid\": 'SV-90397r2_rule'\n tag \"stig_id\": 'UBTU-16-020460'\n tag \"fix_id\": 'F-82345r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 
CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"setxattr\\\" system call, by running the following command:\n\n# sudo grep -w setxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"setxattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75881' do\n title \"The Ubuntu operating system must ignore Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirect messages.\"\n desc \"Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75881'\n tag \"rid\": 'SV-90561r2_rule'\n tag \"stig_id\": 'UBTU-16-030570'\n tag \"fix_id\": 'F-82511r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system ignores Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the \\\"accept_redirects\\\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects=0\n\nIf both of the returned lines do not have a value of \\\"0\\\", or a line is not\nreturned, this is a finding.\"\n desc 
'fix', \"Configure the Ubuntu operating system to ignore Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages\nwith the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.all.accept_redirects=0\"\n\n describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do\n its('value') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75717.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75881.rb", "line": 3 }, - "id": "V-75717" + "id": "V-75881" }, { - "title": "The Ubuntu operating system must be configured to prohibit or restrict\nthe use of functions, ports, protocols, and/or services, as defined in the\nPorts, Protocols, and Services Management (PPSM) Category Assignments List\n(CAL) and vulnerability assessments.", - "desc": "In order to prevent unauthorized connection of devices, unauthorized\ntransfer of information, or unauthorized tunneling (i.e., embedding of data\ntypes within data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. 
Some of the functions and services provided by default\nmay not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a\nsingle component (e.g., VPN and IPS); however, doing so increases risk over\nlimiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\nUbuntu operating system must support the organizational requirements, providing\nonly essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality of life issues.", + "title": "The Ubuntu operating system must compare internal information system\nclocks at least every 24 hours with a server which is synchronized to an\nauthoritative time source, such as the United States Naval Observatory (USNO)\ntime servers, or a time server designated for the appropriate DoD network\n(NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).", + "desc": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. 
Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).", "descriptions": { - "default": "In order to prevent unauthorized connection of devices, unauthorized\ntransfer of information, or unauthorized tunneling (i.e., embedding of data\ntypes within data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services provided by default\nmay not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a\nsingle component (e.g., VPN and IPS); however, doing so increases risk over\nlimiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\nUbuntu operating system must support the organizational requirements, providing\nonly essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality of life issues.", - "check": "Verify the Uncomplicated Firewall is configured to employ a\ndeny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command:\n# sudo ufw status\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are \"allowed\" and are not documented\nwith the organization, this 
is a finding.", - "fix": "Add/Modify the Ubuntu operating system's firewall settings and/or\nrunning services to comply with the Ports, Protocols, and Services Management\n(PPSM) Category Assignments List (CAL)." + "default": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).", + "check": "The system clock must be configured to compare the system clock\nat least every 24 hours to the authoritative time source.\n\nNote: If the system is not networked this item is Not Applicable.\n\nCheck the value of \"maxpoll\" in the \"/etc/ntp.conf\" file with the following\ncommand:\n\n# sudo grep -i maxpoll /etc/ntp.conf\nmaxpoll = 17\n\nIf \"maxpoll\" is not set to \"17\" or does not exist, this is a finding.\n\nVerify that the \"ntp.conf\" file is configured to an authoritative DoD time\nsource by running the following command:\n\n# grep -i server /etc/ntp.conf\nserver 0.us.pool.ntp.org iburst\n\nIf the parameter \"server\" is not set, is not set to an authoritative DoD time\nsource, or is commented out, this is a finding.", + "fix": "Note: If the system is not networked this item is Not Applicable.\n\nTo configure the system clock to compare the system clock at least every 24\nhours to the authoritative time source, edit the \"/etc/ntp.conf\" file. 
Add or\ncorrect the following lines, by replacing \"[source]\" in the following line\nwith an authoritative DoD time source.\n\nmaxpoll = 17\nserver [source] iburst\n\nIf the \"NTP\" service was running and the value of \"maxpoll\" or \"server\"\nwas updated then the service must be restarted using the following command:\n\n# sudo systemctl restart ntp.service\n\nIf the \"NTP\" service was not running then it must be started." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096-GPOS-00050", - "gid": "V-75809", - "rid": "SV-90489r2_rule", - "stig_id": "UBTU-16-030060", - "fix_id": "F-82439r1_fix", + "gtitle": "SRG-OS-000355-GPOS-00143", + "gid": "V-75813", + "rid": "SV-90493r2_rule", + "stig_id": "UBTU-16-030100", + "fix_id": "F-82443r2_fix", "cci": [ - "CCI-000382" + "CCI-001891" ], "nist": [ - "CM-7 b", + "AU-8 (1) (a)", "Rev_4" ], "false_negatives": null, 
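Review bot: The new V-75881 code checks only `kernel_parameter('net.ipv4.conf.all.accept_redirects')`, although the check text says `If both of the returned lines do not have a value of "0"` while showing a single command, so the second value it expects is never named or tested. For IPv4 on a host with forwarding disabled, the kernel honors a redirect when either the `all` flag or the per-interface flag is set, and new interfaces take their flag from `net.ipv4.conf.default.accept_redirects`, so `all=0` alone does not make the host ignore redirects. Adding `describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do` / `its('value') { should eq 0 }` / `end` to the control, and listing both sysctls in the check and fix text, closes that gap. As the JSON is generated, the change belongs in `./Ubuntu 16.04 STIG/controls/V-75881.rb`; the enclosing control object starts before this hunk.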
@@ -2698,34 +2549,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75809' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict\nthe use of functions, ports, protocols, and/or services, as defined in the\nPorts, Protocols, and Services Management (PPSM) Category Assignments List\n(CAL) and vulnerability assessments.\"\n desc \"In order to prevent unauthorized connection of devices, unauthorized\ntransfer of information, or unauthorized tunneling (i.e., embedding of data\ntypes within data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services provided by default\nmay not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a\nsingle component (e.g., VPN and IPS); however, doing so increases risk over\nlimiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\nUbuntu operating system must support the organizational requirements, providing\nonly essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality of life issues.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000096-GPOS-00050'\n tag \"gid\": 'V-75809'\n tag \"rid\": 'SV-90489r2_rule'\n tag \"stig_id\": 'UBTU-16-030060'\n tag \"fix_id\": 'F-82439r1_fix'\n tag \"cci\": ['CCI-000382']\n tag \"nist\": ['CM-7 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag 
\"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Uncomplicated Firewall is configured to employ a\ndeny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command:\n# sudo ufw status\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are \\\"allowed\\\" and are not documented\nwith the organization, this is a finding.\"\n desc 'fix', \"Add/Modify the Ubuntu operating system's firewall settings and/or\nrunning services to comply with the Ports, Protocols, and Services Management\n(PPSM) Category Assignments List (CAL).\"\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", + "code": "control 'V-75813' do\n title \"The Ubuntu operating system must compare internal information system\nclocks at least every 24 hours with a server which is synchronized to an\nauthoritative time source, such as the United States Naval Observatory (USNO)\ntime servers, or a time server designated for the appropriate DoD network\n(NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).\"\n desc \"Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. 
Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000355-GPOS-00143'\n tag \"gid\": 'V-75813'\n tag \"rid\": 'SV-90493r2_rule'\n tag \"stig_id\": 'UBTU-16-030100'\n tag \"fix_id\": 'F-82443r2_fix'\n tag \"cci\": ['CCI-001891']\n tag \"nist\": ['AU-8 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"The system clock must be configured to compare the system clock\nat least every 24 hours to the authoritative time source.\n\nNote: If the system is not networked this item is Not Applicable.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/ntp.conf\\\" file with the following\ncommand:\n\n# sudo grep -i maxpoll /etc/ntp.conf\nmaxpoll = 17\n\nIf \\\"maxpoll\\\" is not set to \\\"17\\\" or does not exist, this is a finding.\n\nVerify that the \\\"ntp.conf\\\" file is configured to an authoritative DoD time\nsource by running the following command:\n\n# grep -i server /etc/ntp.conf\nserver 0.us.pool.ntp.org iburst\n\nIf the parameter \\\"server\\\" is not set, is not set to an authoritative DoD time\nsource, or is commented out, this is a finding.\"\n desc 'fix', \"Note: If the system is not networked this item is Not Applicable.\n\nTo configure the system clock to compare the system clock at least every 24\nhours to the authoritative time source, edit 
the \\\"/etc/ntp.conf\\\" file. Add or\ncorrect the following lines, by replacing \\\"[source]\\\" in the following line\nwith an authoritative DoD time source.\n\nmaxpoll = 17\nserver [source] iburst\n\nIf the \\\"NTP\\\" service was running and the value of \\\"maxpoll\\\" or \\\"server\\\"\nwas updated then the service must be restarted using the following command:\n\n# sudo systemctl restart ntp.service\n\nIf the \\\"NTP\\\" service was not running then it must be started.\"\n\n is_system_networked = input('is_system_networked')\n if is_system_networked\n ntp_conf_exists = file('/etc/ntp.conf').exist?\n if ntp_conf_exists\n describe ntp_conf do\n it { should exist }\n its('maxpoll') { should cmp 17 }\n its('server') { should_not be_empty }\n its('server') { should_not eq nil }\n end\n else\n describe '/etc/ntp.conf exists' do\n subject { ntp_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75809.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75813.rb", "line": 3 }, - "id": "V-75809" + "id": "V-75813" }, { - "title": "System commands must have mode 0755 or less permissive.", - "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "title": "There must be no shosts.equiv files on the Ubuntu operating system.", + "desc": "The shosts.equiv files are used to configure host-based authentication\nfor the system via SSH. Host-based authentication is not sufficient for\npreventing unauthorized access to the system, as it does not require\ninteractive identification and authentication of a connection request, or for\nthe use of two-factor authentication.", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", - "check": "Verify the system commands contained in the following\ndirectories have mode \"0755\" or less permissive.\n\nCheck that the system command files contained in the following directories have\nmode \"0755\" or less permissive with the following command:\n\n# find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 | xargs ls -la\n\nIf any system commands are found to be group-writable or world-writable, this\nis a finding.", - "fix": "Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \"[FILE]\" with any system command with a\nmode more permissive than \"0755\".\n\n# sudo chmod 0755 [FILE]" + "default": "The shosts.equiv files are used to configure host-based authentication\nfor the system via SSH. Host-based authentication is not sufficient for\npreventing unauthorized access to the system, as it does not require\ninteractive identification and authentication of a connection request, or for\nthe use of two-factor authentication.", + "check": "Verify there are no \"shosts.equiv\" files on the Ubuntu\noperating system.\n\nCheck for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf a \"shosts.equiv\" file is found, this is a finding.", + "fix": "Remove any found \"shosts.equiv\" files from the Ubuntu operating\nsystem.\n\n# rm /etc/ssh/shosts.equiv" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-75611", - "rid": "SV-90291r2_rule", - "stig_id": "UBTU-16-011030", - "fix_id": "F-82239r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75501", + "rid": "SV-90181r2_rule", + "stig_id": "UBTU-16-010360", + "fix_id": "F-82129r1_fix", "cci": [ - "CCI-001499" + "CCI-000366" ], "nist": 
[ - "CM-5 (6)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
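Review bot: The V-75813 control code on the new side of this hunk only asserts `its('server') { should_not be_empty }`, so any `server` line passes, including the `0.us.pool.ntp.org` example the check text itself shows, even though the STIG text makes a non-authoritative (non-DoD) source a finding; that half of the check is silently dropped rather than surfaced as manual. The least surprising fix is to add a `describe 'ntp.conf server must be an authoritative DoD time source' do skip 'verify the configured server against the approved time-source list manually' end` block alongside the automated checks, or to compare the value against an `input('authoritative_time_servers')` list if one is defined for the profile. A second, hedged point: as far as I recall ntpd takes `maxpoll` as an option on the `server` line (`server [source] iburst maxpoll 17`), not as a standalone `maxpoll = 17` line, and the `ntp_conf` resource keys on the first token of each line, so a correctly written config would fail `its('maxpoll') { should cmp 17 }` while only the STIG's literal (and, I believe, non-functional) form passes; worth confirming against the resource's parser before relying on it. Since this JSON is an export of the profile, the change belongs in `./Ubuntu 16.04 STIG/controls/V-75813.rb` with the JSON regenerated.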
@@ -2739,34 +2590,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75611' do\n title 'System commands must have mode 0755 or less permissive.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75611'\n tag \"rid\": 'SV-90291r2_rule'\n tag \"stig_id\": 'UBTU-16-011030'\n tag \"fix_id\": 'F-82239r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system commands contained in the following\ndirectories have mode \\\"0755\\\" or less permissive.\n\nCheck that the system command files contained in the following directories have\nmode \\\"0755\\\" or less permissive with the following command:\n\n# find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 | xargs ls -la\n\nIf any system commands are found to be group-writable or world-writable, this\nis a finding.\"\n desc 'fix', \"Configure the system commands to be protected from 
unauthorized\naccess.\n\nRun the following command, replacing \\\"[FILE]\\\" with any system command with a\nmode more permissive than \\\"0755\\\".\n\n# sudo chmod 0755 [FILE]\"\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75501' do\n title 'There must be no shosts.equiv files on the Ubuntu operating system.'\n desc \"The shosts.equiv files are used to configure host-based authentication\nfor the system via SSH. 
Host-based authentication is not sufficient for\npreventing unauthorized access to the system, as it does not require\ninteractive identification and authentication of a connection request, or for\nthe use of two-factor authentication.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75501'\n tag \"rid\": 'SV-90181r2_rule'\n tag \"stig_id\": 'UBTU-16-010360'\n tag \"fix_id\": 'F-82129r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify there are no \\\"shosts.equiv\\\" files on the Ubuntu\noperating system.\n\nCheck for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf a \\\"shosts.equiv\\\" file is found, this is a finding.\"\n desc 'fix', \"Remove any found \\\"shosts.equiv\\\" files from the Ubuntu operating\nsystem.\n\n# rm /etc/ssh/shosts.equiv\"\n\n describe command('find / -name shosts.equiv') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75611.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75501.rb", "line": 3 }, - "id": "V-75611" + "id": "V-75501" }, { - "title": "All files and directories must have a valid owner.", - "desc": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", + "title": "The SSH daemon must use privilege separation.", + "desc": "SSH daemon privilege separation causes the SSH process to drop root\nprivileges when not needed, which would decrease the impact of software\nvulnerabilities in the 
unprivileged section.", "descriptions": { - "default": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", - "check": "Verify all files and directories on the Ubuntu operating system\nhave a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.", - "fix": "Either remove all files and directories from the system that do\nnot have a valid user, or assign a valid user to all unowned files and\ndirectories on the Ubuntu operating system with the \"chown\" command:\n\n# sudo chown " + "default": "SSH daemon privilege separation causes the SSH process to drop root\nprivileges when not needed, which would decrease the impact of software\nvulnerabilities in the unprivileged section.", + "check": "Check that the SSH daemon performs privilege separation with\nthe following command:\n\n# grep UsePrivilegeSeparation /etc/ssh/sshd_config\n\nUsePrivilegeSeparation yes\n\nIf the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the\nreturned line is commented out, this is a finding.", + "fix": "Configure SSH to use privilege separation. Uncomment the\n\"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" and set the\nvalue to \"yes\":\n\nUsePrivilegeSeparation yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75555", - "rid": "SV-90235r1_rule", - "stig_id": "UBTU-16-010700", - "fix_id": "F-82183r1_fix", + "gid": "V-75849", + "rid": "SV-90529r2_rule", + "stig_id": "UBTU-16-030340", + "fix_id": "F-82479r2_fix", "cci": [ - "CCI-002165" + "CCI-000366" ], "nist": [ - "AC-3 (4)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
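Review bot: In the V-75501 control code on the new side of this hunk, `its('exit_status') { should eq 0 }` on `find / -name shosts.equiv` makes the control fail for reasons unrelated to shosts.equiv: find exits 1 whenever any directory could not be read or an entry vanished during the walk, which routinely happens under `/proc` and on any run that is not fully privileged, while a system with no such file would then be reported as a finding. Prune the pseudo-filesystems and key the verdict on the output rather than the exit code, e.g. `describe command('find / -path /proc -prune -o -name shosts.equiv -print') do` / `its('stdout.strip') { should be_empty }` / `end`, optionally keeping a looser `its('exit_status') { should be_in [0, 1] }` if you still want to catch a find that could not run at all. The fix text in the same hunk removes only `/etc/ssh/shosts.equiv` while the check is filesystem-wide; consider wording it as removing every path the find returns. The source of truth is `./Ubuntu 16.04 STIG/controls/V-75501.rb`; this JSON is an export and should be regenerated from it.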
@@ -2780,20 +2631,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75555' do\n title 'All files and directories must have a valid owner.'\n desc \"Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \\\"UID\\\" as the UID of the un-owned\nfiles.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75555'\n tag \"rid\": 'SV-90235r1_rule'\n tag \"stig_id\": 'UBTU-16-010700'\n tag \"fix_id\": 'F-82183r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all files and directories on the Ubuntu operating system\nhave a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.\"\n desc 'fix', \"Either remove all files and directories from the system that do\nnot have a valid user, or assign a valid user to all unowned files and\ndirectories on the Ubuntu operating system with the \\\"chown\\\" command:\n\n# sudo chown \"\n\n dir_list = command('find / -nouser').stdout.strip.split(\"\\n\")\n if dir_list.count > 0\n dir_list.each do |entry|\n describe directory(entry) do\n its('owner') { should_not be_empty }\n end\n end\n else\n describe 'The number of files and directories without a valid owner' do\n subject { dir_list }\n its('count') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-75849' do\n title 'The SSH daemon must use privilege separation.'\n desc \"SSH daemon privilege separation causes the SSH process to drop root\nprivileges when not needed, which 
would decrease the impact of software\nvulnerabilities in the unprivileged section.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75849'\n tag \"rid\": 'SV-90529r2_rule'\n tag \"stig_id\": 'UBTU-16-030340'\n tag \"fix_id\": 'F-82479r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Check that the SSH daemon performs privilege separation with\nthe following command:\n\n# grep UsePrivilegeSeparation /etc/ssh/sshd_config\n\nUsePrivilegeSeparation yes\n\nIf the \\\"UsePrivilegeSeparation\\\" keyword is set to \\\"no\\\", is missing, or the\nreturned line is commented out, this is a finding.\"\n desc 'fix', \"Configure SSH to use privilege separation. Uncomment the\n\\\"UsePrivilegeSeparation\\\" keyword in \\\"/etc/ssh/sshd_config\\\" and set the\nvalue to \\\"yes\\\":\n\nUsePrivilegeSeparation yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('UsePrivilegeSeparation') { should cmp 'yes' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75555.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75849.rb", "line": 3 }, - "id": "V-75555" + "id": "V-75849" }, { - "title": "Successful/unsuccessful uses of the fchownat command must generate an\naudit record.", + "title": "Successful/unsuccessful modifications to the lastlog file must\ngenerate an audit record.", "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"fchownat\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of 
the \"fchownat\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \"lastlog\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"lastlog\" file occur.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], @@ -2805,12 +2656,13 @@ "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000473-GPOS-00218" ], - "gid": "V-75733", - "rid": "SV-90413r3_rule", - "stig_id": "UBTU-16-020540", - "fix_id": "F-82361r2_fix", + "gid": "V-75775", + "rid": "SV-90455r3_rule", + "stig_id": "UBTU-16-020750", + "fix_id": "F-82403r2_fix", "cci": [ "CCI-000130", "CCI-000135", 
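Review bot: In the V-75849 control code on the new side of this hunk, `its('UsePrivilegeSeparation') { should cmp 'yes' }` rejects `UsePrivilegeSeparation sandbox`, which the OpenSSH release shipped with 16.04 accepts and which is the stricter form (the unprivileged child is additionally sandboxed); the STIG's own finding criteria are the value `no`, a missing keyword, or a commented-out line, so `sandbox` should pass rather than fail. A single-line change covers both accepted values: `its('UsePrivilegeSeparation') { should match(/^(yes|sandbox)$/i) }`. I have not verified whether the `sshd_config` resource returns the first or the last occurrence when the keyword is repeated (sshd honours the first), so if duplicate keywords are a concern that is worth a separate check. As with the neighbouring controls, the change belongs in `./Ubuntu 16.04 STIG/controls/V-75849.rb` with this exported JSON regenerated.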
@@ -2837,34 +2689,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75733' do\n title \"Successful/unsuccessful uses of the fchownat command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75733'\n tag \"rid\": 'SV-90413r3_rule'\n tag \"stig_id\": 'UBTU-16-020540'\n tag \"fix_id\": 'F-82361r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"fchownat\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', 
\"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"fchownat\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fchownat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fchownat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75775' do\n title \"Successful/unsuccessful modifications to the lastlog file must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000473-GPOS-00218]\n tag \"gid\": 'V-75775'\n tag \"rid\": 'SV-90455r3_rule'\n tag \"stig_id\": 'UBTU-16-020750'\n tag \"fix_id\": 'F-82403r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag 
\"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \\\"lastlog\\\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \\\"lastlog\\\" file occur.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75733.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75775.rb", "line": 3 }, - "id": "V-75733" + "id": "V-75775" }, { - "title": "Library files must be group-owned by root.", - "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "title": "Ubuntu operating systems booted with United Extensible Firmware\nInterface (UEFI) implemented must require authentication upon booting into\nsingle-user mode and maintenance.", + "desc": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. 
These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", - "check": "Verify the system-wide shared library files contained in the\nfollowing directories are group-owned by \"root\".\n\nCheck that the system-wide shared library files are group-owned by \"root\"\nwith the following command:\n\n# sudo find /lib /usr/lib /lib64 ! -group root | xargs ls -la\n\nIf any system wide shared library file is returned, this is a finding.", - "fix": "Configure the library files to be protected from unauthorized\naccess.\n\nRun the following command, replacing \"[FILE]\" with any library file not\ngroup-owned by root.\n\n# sudo chgrp root [FILE]" + "default": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. 
Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.", + "check": "Verify that an encrypted root password is set. 
This is only\napplicable on Ubuntu operating systems that use UEFI.\n\nRun the following command to verify the encrypted password is set:\n\n# grep –i password /boot/efi/EFI/grub.cfg\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString\n\nIf the root password entry does not begin with “password_pbkdf2”, this is a\nfinding.", + "fix": "Configure the system to require a password for authentication\nupon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \"/etc/grub.d/10_linux\" file with\nthe following command to add a boot password for the root entry:\n\n# cat << EOF > set superusers=\"root\" password_pbkdf2 root\ngrub.pbkdf2.sha512.VeryLongString > EOF\n\nGenerate an updated \"grub.conf\" file with the new password using the\nfollowing commands:\n\n# grub-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/efi/EFI/grub.cfg" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-75609", - "rid": "SV-90289r2_rule", - "stig_id": "UBTU-16-011020", - "fix_id": "F-82237r2_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-75507", + "rid": "SV-90187r2_rule", + "stig_id": "UBTU-16-010390", + "fix_id": "F-82135r2_fix", "cci": [ - "CCI-001499" + "CCI-000213" ], "nist": [ - "CM-5 (6)", + "AC-3", "Rev_4" ], "false_negatives": null, 
@@ -2878,50 +2730,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75609' do\n title 'Library files must be group-owned by root.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75609'\n tag \"rid\": 'SV-90289r2_rule'\n tag \"stig_id\": 'UBTU-16-011020'\n tag \"fix_id\": 'F-82237r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system-wide shared library files contained in the\nfollowing directories are group-owned by \\\"root\\\".\n\nCheck that the system-wide shared library files are group-owned by \\\"root\\\"\nwith the following command:\n\n# sudo find /lib /usr/lib /lib64 ! 
-group root | xargs ls -la\n\nIf any system wide shared library file is returned, this is a finding.\"\n desc 'fix', \"Configure the library files to be protected from unauthorized\naccess.\n\nRun the following command, replacing \\\"[FILE]\\\" with any library file not\ngroup-owned by root.\n\n# sudo chgrp root [FILE]\"\n\n if os.arch == 'x86_64'\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root').stdout.strip.split(\"\\n\").entries\n else\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75507' do\n title \"Ubuntu operating systems booted with United Extensible Firmware\nInterface (UEFI) implemented must require authentication upon booting into\nsingle-user mode and maintenance.\"\n desc \"To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. 
Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-75507'\n tag \"rid\": 'SV-90187r2_rule'\n tag \"stig_id\": 'UBTU-16-010390'\n tag \"fix_id\": 'F-82135r2_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": %w[AC-3 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an encrypted root password is set. 
This is only\napplicable on Ubuntu operating systems that use UEFI.\n\nRun the following command to verify the encrypted password is set:\n\n# grep –i password /boot/efi/EFI/grub.cfg\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString\n\nIf the root password entry does not begin with “password_pbkdf2”, this is a\nfinding.\"\n desc 'fix', \"Configure the system to require a password for authentication\nupon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \\\"/etc/grub.d/10_linux\\\" file with\nthe following command to add a boot password for the root entry:\n\n# cat << EOF > set superusers=\\\"root\\\" password_pbkdf2 root\ngrub.pbkdf2.sha512.VeryLongString > EOF\n\nGenerate an updated \\\"grub.conf\\\" file with the new password using the\nfollowing commands:\n\n# grub-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/efi/EFI/grub.cfg\"\n\n describe file('/boot/efi/EFI/grub.cfg') do\n its('content') { should match '^password_pbkdf2' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75609.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75507.rb", "line": 3 }, - "id": "V-75609" + "id": "V-75507" }, { - "title": "Successful/unsuccessful uses of the pam_timestamp_check command must\ngenerate an audit record.", - "desc": "At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "title": "The Ubuntu operating system must notify the System Administrator (SA)\nand Information System Security Officer (ISSO) (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity.", + "desc": "If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.", "descriptions": { - "default": "At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"pam_timestamp_check\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam_timestamp_check\n\nIf the above command does not return the exact same output displayed in the\nexample, this is a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"pam_timestamp_check\" command. Add or\nupdate the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam_timestamp_check\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.", + "check": "Verify the Ubuntu operating system notifies the System\nAdministrator (SA) and Information System Security Officer (ISSO) (at a\nminimum) when allocated audit record storage volume reaches 75% of the\nrepository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are\nbeing written to with the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the\nexample being \"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n1.0G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created\nfor audit records (in this example \"/var/log/audit\" is a separate partition),\ndetermine the amount of space other files in the partition are currently\noccupying with the following command:\n\n# du -sh \n1.0G /var\n\nDetermine what the threshold is for the system to take action when 75% of the\nrepository maximum audit record storage capacity is reached:\n\n# grep -i space_left /etc/audit/auditd.conf\nspace_left = 250\n\nIf the value of the \"space_left\" keyword is not set to 25% of the total\npartition size, this is a finding.", + "fix": "Configure the operating system to immediately notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75% of\nthe repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are\nbeing written to:\n\n# grep log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the\nexample being 
\"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n\nSet the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to\n25% of the partition size." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75789", - "rid": "SV-90469r3_rule", - "stig_id": "UBTU-16-020820", - "fix_id": "F-82419r2_fix", + "gtitle": "SRG-OS-000343-GPOS-00134", + "gid": "V-80961", + "rid": "SV-95673r1_rule", + "stig_id": "UBTU-16-020021", + "fix_id": "F-87821r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-001855" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "AU-5 (1)", "Rev_4" ], "false_negatives": null, 
@@ -2935,34 +2771,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75789' do\n title \"Successful/unsuccessful uses of the pam_timestamp_check command must\ngenerate an audit record.\"\n desc \"At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75789'\n tag \"rid\": 'SV-90469r3_rule'\n tag \"stig_id\": 'UBTU-16-020820'\n tag \"fix_id\": 'F-82419r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"pam_timestamp_check\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam_timestamp_check\n\nIf the above command does not return the exact same output displayed in the\nexample, this is a finding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for 
any\nsuccessful/unsuccessful uses of the \\\"pam_timestamp_check\\\" command. Add or\nupdate the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam_timestamp_check\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-80961' do\n title \"The Ubuntu operating system must notify the System Administrator (SA)\nand Information System Security Officer (ISSO) (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity.\"\n desc \"If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000343-GPOS-00134'\n tag \"gid\": 'V-80961'\n tag \"rid\": 'SV-95673r1_rule'\n tag \"stig_id\": 'UBTU-16-020021'\n tag \"fix_id\": 'F-87821r1_fix'\n tag \"cci\": ['CCI-001855']\n tag \"nist\": ['AU-5 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag 
\"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system notifies the System\nAdministrator (SA) and Information System Security Officer (ISSO) (at a\nminimum) when allocated audit record storage volume reaches 75% of the\nrepository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are\nbeing written to with the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the\nexample being \\\"/var/log/audit/\\\"):\n\n# df -h /var/log/audit/\n1.0G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created\nfor audit records (in this example \\\"/var/log/audit\\\" is a separate partition),\ndetermine the amount of space other files in the partition are currently\noccupying with the following command:\n\n# du -sh \n1.0G /var\n\nDetermine what the threshold is for the system to take action when 75% of the\nrepository maximum audit record storage capacity is reached:\n\n# grep -i space_left /etc/audit/auditd.conf\nspace_left = 250\n\nIf the value of the \\\"space_left\\\" keyword is not set to 25% of the total\npartition size, this is a finding.\"\n desc 'fix', \"Configure the operating system to immediately notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75% of\nthe repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are\nbeing written to:\n\n# grep log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the\nexample being \\\"/var/log/audit/\\\"):\n\n# df -h /var/log/audit/\n\nSet the value of the \\\"space_left\\\" keyword in \\\"/etc/audit/auditd.conf\\\" to\n25% of the partition size.\"\n\n 
space_left_percent = input('space_left_percent')\n audit_log_path = input('log_file_dir')\n\n describe filesystem(audit_log_path) do\n its('percent_free') { should be >= space_left_percent }\n end\n\n partition_threshold_mb = (filesystem(audit_log_path).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75789.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-80961.rb", "line": 3 }, - "id": "V-75789" + "id": "V-80961" }, { - "title": "The Ubuntu operating system must require the change of at least 8\ncharacters when passwords are changed.", - "desc": "If the Ubuntu operating system allows the user to consecutively reuse\nextensive portions of passwords, this increases the chances of password\ncompromise by increasing the window of opportunity for attempts at guessing and\nbrute-force attacks.\n\n The number of changed characters refers to the number of changes required\nwith respect to the total number of positions in the current password. In other\nwords, characters may be the same within the two passwords; however, the\npositions of the like characters must be different.\n\n If the password length is an odd number then number of changed characters\nmust be rounded up. For example, a password length of 15 characters must\nrequire the change of at least 8 characters.", + "title": "The root account must be the only account having unrestricted access\nto the system.", + "desc": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire Ubuntu operating system. 
Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", "descriptions": { - "default": "If the Ubuntu operating system allows the user to consecutively reuse\nextensive portions of passwords, this increases the chances of password\ncompromise by increasing the window of opportunity for attempts at guessing and\nbrute-force attacks.\n\n The number of changed characters refers to the number of changes required\nwith respect to the total number of positions in the current password. In other\nwords, characters may be the same within the two passwords; however, the\npositions of the like characters must be different.\n\n If the password length is an odd number then number of changed characters\nmust be rounded up. For example, a password length of 15 characters must\nrequire the change of at least 8 characters.", - "check": "Verify the Ubuntu operating system requires the change of at\nleast \"8\" characters when passwords are changed.\n\nDetermine if the field \"difok\" is set in the \"/etc/security/pwquality.conf\"\nfile with the following command:\n\n# grep -i \"difok\" /etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\", or is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to require the change of at\nleast \"8\" characters when passwords are changed.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto include the \"difok=8\" parameter:\n\ndifok=8" + "default": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire Ubuntu operating system. 
Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", + "check": "Check the Ubuntu operating system for duplicate User ID (UID)\n\"0\" assignments with the following command:\n\n# awk -F: '$3 == 0 {print $1}' /etc/passwd\n\nroot\n\nIf any accounts other than root have a UID of \"0\", this is a finding.", + "fix": "Change the User ID (UID) of any account on the system, other than\nroot, that has a UID of \"0\".\n\nIf the account is associated with system commands or applications, the UID\nshould be changed to one greater than \"0\" but less than \"1000\". Otherwise,\nassign a UID of greater than \"1000\" that has not already been assigned." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000072-GPOS-00040", - "gid": "V-75457", - "rid": "SV-90137r2_rule", - "stig_id": "UBTU-16-010140", - "fix_id": "F-82085r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75549", + "rid": "SV-90229r1_rule", + "stig_id": "UBTU-16-010670", + "fix_id": "F-82177r1_fix", "cci": [ - "CCI-000195" + "CCI-000366" ], "nist": [ - "IA-5 (1) (b)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
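Review bot: The first `describe filesystem(audit_log_path)` block in the new V-80961 control asserts the partition's current `percent_free` is at or above `space_left_percent`, which turns a configuration check into a runtime-capacity check: a host with `space_left` correctly set to 25% of the partition still produces a finding once the audit partition is more than 75% full, something the STIG check text never asks for. Unless that assertion is deliberate, drop it and keep only the comparison of `auditd_conf.space_left` against `partition_threshold_mb`. The partition under test is also taken from `input('log_file_dir')` rather than from the `log_file` entry in auditd.conf that the check text reads, so a stale input silently tests the wrong filesystem; `audit_log_path = File.dirname(auditd_conf.log_file)` would tie it to the actual configuration (assuming the `auditd_conf` resource exposes `log_file` the same way it exposes `space_left` here). The second describe uses the bare operator form `it { should >= partition_threshold_mb }` while the first uses `should be >=`; `it { should be >= partition_threshold_mb }` keeps the two consistent. The V-80961 control object begins in the preceding hunk and the V-75549 object that starts here continues into the next.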
@@ -2976,50 +2812,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75457' do\n title \"The Ubuntu operating system must require the change of at least 8\ncharacters when passwords are changed.\"\n desc \"If the Ubuntu operating system allows the user to consecutively reuse\nextensive portions of passwords, this increases the chances of password\ncompromise by increasing the window of opportunity for attempts at guessing and\nbrute-force attacks.\n\n The number of changed characters refers to the number of changes required\nwith respect to the total number of positions in the current password. In other\nwords, characters may be the same within the two passwords; however, the\npositions of the like characters must be different.\n\n If the password length is an odd number then number of changed characters\nmust be rounded up. For example, a password length of 15 characters must\nrequire the change of at least 8 characters.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000072-GPOS-00040'\n tag \"gid\": 'V-75457'\n tag \"rid\": 'SV-90137r2_rule'\n tag \"stig_id\": 'UBTU-16-010140'\n tag \"fix_id\": 'F-82085r2_fix'\n tag \"cci\": ['CCI-000195']\n tag \"nist\": ['IA-5 (1) (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system requires the change of at\nleast \\\"8\\\" characters when passwords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the \\\"/etc/security/pwquality.conf\\\"\nfile with the following command:\n\n# grep -i \\\"difok\\\" /etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\", or is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the 
Ubuntu operating system to require the change of at\nleast \\\"8\\\" characters when passwords are changed.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file\nto include the \\\"difok=8\\\" parameter:\n\ndifok=8\"\n\n min_num_characters_to_change = input('min_num_characters_to_change')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp min_num_characters_to_change }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75549' do\n title \"The root account must be the only account having unrestricted access\nto the system.\"\n desc \"If an account other than root also has a User Identifier (UID) of\n\\\"0\\\", it has root authority, giving that account unrestricted access to the\nentire Ubuntu operating system. Multiple accounts with a UID of \\\"0\\\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75549'\n tag \"rid\": 'SV-90229r1_rule'\n tag \"stig_id\": 'UBTU-16-010670'\n tag \"fix_id\": 'F-82177r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Check the Ubuntu operating system for duplicate User ID (UID)\n\\\"0\\\" assignments with the following command:\n\n# awk -F: '$3 == 0 {print $1}' /etc/passwd\n\nroot\n\nIf any accounts other than root have a UID of \\\"0\\\", this is a finding.\"\n desc 'fix', \"Change 
the User ID (UID) of any account on the system, other than\nroot, that has a UID of \\\"0\\\".\n\nIf the account is associated with system commands or applications, the UID\nshould be changed to one greater than \\\"0\\\" but less than \\\"1000\\\". Otherwise,\nassign a UID of greater than \\\"1000\\\" that has not already been assigned.\"\n\n describe passwd.uids(0) do\n its('users') { should cmp 'root' }\n its('count') { should eq 1 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75457.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75549.rb", "line": 3 }, - "id": "V-75457" + "id": "V-75549" }, { - "title": "Successful/unsuccessful uses of the chfn command must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "title": "System commands must have mode 0755 or less permissive.", + "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"chfn\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep chfn /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"passwd\" command. Add or update the\nfollowing rule in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. 
Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "check": "Verify the system commands contained in the following\ndirectories have mode \"0755\" or less permissive.\n\nCheck that the system command files contained in the following directories have\nmode \"0755\" or less permissive with the following command:\n\n# find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 | xargs ls -la\n\nIf any system commands are found to be group-writable or world-writable, this\nis a finding.", + "fix": "Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \"[FILE]\" with any system command with a\nmode more permissive than \"0755\".\n\n# sudo chmod 0755 [FILE]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75693", - "rid": "SV-90373r3_rule", - "stig_id": "UBTU-16-020370", - "fix_id": "F-82321r2_fix", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-75611", + "rid": "SV-90291r2_rule", + "stig_id": "UBTU-16-011030", + "fix_id": "F-82239r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-001499" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
@@ -3033,34 +2853,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75693' do\n title \"Successful/unsuccessful uses of the chfn command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75693'\n tag \"rid\": 'SV-90373r3_rule'\n tag \"stig_id\": 'UBTU-16-020370'\n tag \"fix_id\": 'F-82321r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"chfn\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep chfn /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to 
generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"passwd\\\" command. Add or update the\nfollowing rule in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75611' do\n title 'System commands must have mode 0755 or less permissive.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75611'\n tag \"rid\": 'SV-90291r2_rule'\n tag \"stig_id\": 'UBTU-16-011030'\n tag \"fix_id\": 'F-82239r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system commands contained in the following\ndirectories have mode \\\"0755\\\" or less permissive.\n\nCheck that the system command files contained in the following directories have\nmode \\\"0755\\\" or less permissive with the following command:\n\n# find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 | xargs ls -la\n\nIf any system commands are found to be group-writable or world-writable, this\nis a finding.\"\n desc 'fix', \"Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \\\"[FILE]\\\" with any system command with a\nmode more permissive than \\\"0755\\\".\n\n# sudo chmod 0755 [FILE]\"\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not 
be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75693.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75611.rb", "line": 3 }, - "id": "V-75693" + "id": "V-75611" }, { - "title": "The file integrity tool must be configured to verify Access Control\nLists (ACLs).", - "desc": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.", + "title": "The audit system must be configured to audit any usage of the modprobe\ncommand.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.", - "check": "Verify the file integrity tool is configured to verify Access\nControl Lists (ACLs).\n\nUse the following command to determine if the file is in a location other than\n\"/etc/aide/aide.conf\":\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to\nthe rule list being applied to the files and directories selection lists with\nthe following command:\n\n# egrep \"[+]?acl\" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+acl\n\nIf the \"acl\" rule is not being used on all selection lines in the\n\"/etc/aide.conf\" file, is commented out, or ACLs are not being checked by\nanother file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory\nACLs.\n\nIf AIDE is installed, ensure the \"acl\" rule is present on all file and\ndirectory selection lists." 
+ "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \"modprobe\", by running the\nfollowing command:\n\n# sudo grep \"/sbin/modprobe\" /etc/audit/audit.rules\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe module management program \"modprobe\", by adding the following line to\n\"/etc/audit/audit.rules\":\n\n-w /sbin/modprobe -p x -k modules\n\nThe audit daemon must be restarted for the 
changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75519", - "rid": "SV-90199r3_rule", - "stig_id": "UBTU-16-010520", - "fix_id": "F-82147r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75713", + "rid": "SV-90393r2_rule", + "stig_id": "UBTU-16-020440", + "fix_id": "F-82341r2_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
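Review bot: The fallback `describe` label in the new V-75611 code reads "that are less permissive than 0755", but `valid_system_commands` holds exactly the paths `find ... -perm /022` returned, i.e. the group- or world-writable ones, so the label states the opposite of what is being counted and the passing report will read wrong to an assessor; change it to `describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are more permissive than 0755' do`. Because every hit from `-perm /022` already carries a g+w or o+w bit, the per-file `should_not be_more_permissive_than('0755')` can only fail for those entries, which is fine as a way of reporting each offender but deserves a comment such as `# every -perm /022 hit is by construction more permissive than 0755; this loop just reports each offender by path`. The `find -L` also means the mode examined is the symlink target's, which matches the check text and is worth saying in the same comment.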
@@ -3074,40 +2910,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75519' do\n title \"The file integrity tool must be configured to verify Access Control\nLists (ACLs).\"\n desc \"ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75519'\n tag \"rid\": 'SV-90199r3_rule'\n tag \"stig_id\": 'UBTU-16-010520'\n tag \"fix_id\": 'F-82147r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the file integrity tool is configured to verify Access\nControl Lists (ACLs).\n\nUse the following command to determine if the file is in a location other than\n\\\"/etc/aide/aide.conf\\\":\n\n# find / -name aide.conf\n\nCheck the \\\"aide.conf\\\" file to determine if the \\\"acl\\\" rule has been added to\nthe rule list being applied to the files and directories selection lists with\nthe following command:\n\n# egrep \\\"[+]?acl\\\" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+acl\n\nIf the \\\"acl\\\" rule is not being used on all selection lines in the\n\\\"/etc/aide.conf\\\" file, is commented out, or ACLs are not being checked by\nanother file integrity tool, this is a finding.\"\n desc 'fix', \"Configure the file integrity tool to check file and directory\nACLs.\n\nIf AIDE is installed, ensure the \\\"acl\\\" rule is present on all file and\ndirectory selection lists.\"\n\n describe aide_conf.all_have_rule('acl') do\n it { should eq true }\n end\nend\n", + "code": "control 'V-75713' do\n title \"The audit system must be configured to audit any 
usage of the modprobe\ncommand.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75713'\n tag \"rid\": 'SV-90393r2_rule'\n tag \"stig_id\": 'UBTU-16-020440'\n tag \"fix_id\": 'F-82341r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n 
tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \\\"modprobe\\\", by running the\nfollowing command:\n\n# sudo grep \\\"/sbin/modprobe\\\" /etc/audit/audit.rules\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe module management program \\\"modprobe\\\", by adding the following line to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /sbin/modprobe -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75519.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75713.rb", "line": 3 }, - "id": "V-75519" + "id": "V-75713" }, { - "title": "The Ubuntu operating system must automatically lock an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts.", - "desc": "By limiting the number of failed logon 
attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-forcing, is reduced. Limits are imposed by locking the account.", + "title": "The system must display the date and time of the last successful\naccount logon upon an SSH logon.", + "desc": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-forcing, is reduced. Limits are imposed by locking the account.", - "check": "Verify the Ubuntu operating system automatically locks an\naccount until the account lock is released by an administrator when three\nunsuccessful logon attempts are made.\n\nCheck that the Ubuntu operating system automatically locks an account after\nthree unsuccessful attempts with the following command:\n\n# grep pam_tally /etc/pam.d/common-auth\n\nauth required pam_tally2.so onerr=fail deny=3\n\nIf \"onerr=fail deny=3\" is not used in \"/etc/pam.d/common-auth\" or is called\nwith \"unlock_time\", this is a finding.", - "fix": "Configure the Ubuntu operating system to automatically lock an\naccount until the locked account is released by an administrator when three\nunsuccessful logon attempts are made by appending the following line to the\n\"/etc/pam.d/common-auth file\":\n\n\"auth required pam_tally2.so onerr=fail deny=3\"" + "default": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", + "check": "Verify SSH provides users with feedback on when account\naccesses last occurred.\n\nCheck that \"PrintLastLog\" keyword in the sshd daemon configuration file is\nused and set to \"yes\" with the following command:\n\n# grep PrintLastLog /etc/ssh/sshd_config\nPrintLastLog 
yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented\nout, this is a finding.", + "fix": "Add or edit the following lines in the \"/etc/ssh/sshd_config\"\nfile:\n\nPrintLastLog yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000021-GPOS-00005", - "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" - ], - "gid": "V-75487", - "rid": "SV-90167r2_rule", - "stig_id": "UBTU-16-010290", - "fix_id": "F-82115r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75835", + "rid": "SV-90515r2_rule", + "stig_id": "UBTU-16-030260", + "fix_id": "F-82465r2_fix", "cci": [ - "CCI-000044", - "CCI-002238" + "CCI-000366" ], "nist": [ - "AC-7 a", - "AC-7 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
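Review bot: `line.include?(@audit_file)` in the new V-75713 code is a substring test, so a rule watching any path that merely contains `/sbin/modprobe` (for example `/usr/sbin/modprobe`) satisfies `audit_lines_exist`, after which `auditd.file('/sbin/modprobe').permissions` is empty and the control fails on `should_not cmp []` with a message that never says the watched path is wrong; an exact-token match avoids that: `audit_lines_exist = auditd.lines.any? { |line| line.split.include?(@audit_file) }`. The check text tells the assessor to grep `/etc/audit/audit.rules`, whereas `auditd.lines` appears to reflect the rules currently loaded in the kernel, so a one-line comment stating that the control verifies the live ruleset rather than the file would stop a reviewer from treating a mismatch between the two as a bug in the control.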
@@ -3121,29 +2951,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75487' do\n title \"The Ubuntu operating system must automatically lock an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts.\"\n desc \"By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-forcing, is reduced. Limits are imposed by locking the account.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000021-GPOS-00005'\n tag \"satisfies\": %w[SRG-OS-000021-GPOS-00005 SRG-OS-000329-GPOS-00128]\n tag \"gid\": 'V-75487'\n tag \"rid\": 'SV-90167r2_rule'\n tag \"stig_id\": 'UBTU-16-010290'\n tag \"fix_id\": 'F-82115r2_fix'\n tag \"cci\": %w[CCI-000044 CCI-002238]\n tag \"nist\": ['AC-7 a', 'AC-7 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system automatically locks an\naccount until the account lock is released by an administrator when three\nunsuccessful logon attempts are made.\n\nCheck that the Ubuntu operating system automatically locks an account after\nthree unsuccessful attempts with the following command:\n\n# grep pam_tally /etc/pam.d/common-auth\n\nauth required pam_tally2.so onerr=fail deny=3\n\nIf \\\"onerr=fail deny=3\\\" is not used in \\\"/etc/pam.d/common-auth\\\" or is called\nwith \\\"unlock_time\\\", this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to automatically lock an\naccount until the locked account is released by an administrator when three\nunsuccessful logon attempts are made by appending the following line to the\n\\\"/etc/pam.d/common-auth 
file\\\":\n\n\\\"auth required pam_tally2.so onerr=fail deny=3\\\"\"\n\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\nend\n", + "code": "control 'V-75835' do\n title \"The system must display the date and time of the last successful\naccount logon upon an SSH logon.\"\n desc \"Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75835'\n tag \"rid\": 'SV-90515r2_rule'\n tag \"stig_id\": 'UBTU-16-030260'\n tag \"fix_id\": 'F-82465r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify SSH provides users with feedback on when account\naccesses last occurred.\n\nCheck that \\\"PrintLastLog\\\" keyword in the sshd daemon configuration file is\nused and set to \\\"yes\\\" with the following command:\n\n# grep PrintLastLog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the \\\"PrintLastLog\\\" keyword is set to \\\"no\\\", is missing, or is commented\nout, this is a finding.\"\n desc 'fix', \"Add or edit the following lines in the \\\"/etc/ssh/sshd_config\\\"\nfile:\n\nPrintLastLog yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75487.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75835.rb", "line": 3 }, - "id": "V-75487" + "id": "V-75835" }, { - "title": "The Ubuntu operating system must display the date and time of the last\nsuccessful account logon upon logon.", - "desc": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", + "title": "There must be no .shosts files on the Ubuntu operating system.", + "desc": "The .shosts files are used to configure host-based authentication for\nindividual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", "descriptions": { - "default": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", - "check": "Verify users are provided with feedback on when account\naccesses last occurred.\n\nCheck that \"pam_lastlog\" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is missing from \"/etc/pam.d/login\" file, or the \"silent\"\noption is present, this is a finding.", - "fix": "Configure the Ubuntu operating system to provide users with\nfeedback on when account accesses last occurred by setting the required\nconfiguration options in \"/etc/pam.d/postlogin-ac\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession required pam_lastlog.so showfailed" + "default": "The .shosts files are used to configure 
host-based authentication for\nindividual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", + "check": "Verify there are no \".shosts\" files on the Ubuntu operating\nsystem.\n\nCheck the system for the existence of these files with the following command:\n\n# sudo find / -name '*.shosts'\n\nIf any \".shosts\" files are found, this is a finding.", + "fix": "Remove any found \".shosts\" files from the Ubuntu operating\nsystem.\n\n# rm /[path]/[to]/[file]/.shosts" }, - "impact": 0.3, + "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75497", - "rid": "SV-90177r1_rule", - "stig_id": "UBTU-16-010340", - "fix_id": "F-82125r1_fix", + "gid": "V-75499", + "rid": "SV-90179r1_rule", + "stig_id": "UBTU-16-010350", + "fix_id": "F-82127r1_fix", "cci": [ "CCI-000366" ], 
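Review bot: The new V-75835 code relies on `its('PrintLastLog') { should cmp 'yes' }` also covering the "keyword is missing" case the check text calls a finding, which holds only if the `sshd_config` resource yields `nil` for an absent keyword and `cmp 'yes'` rejects it; that intent is not visible in the code and should be stated, e.g. `# an absent PrintLastLog yields nil, which cmp 'yes' rejects, so "missing" is a finding as the check text requires`. If the resource instead fell back to sshd's built-in default of yes, a missing keyword would silently pass, so the comment doubles as the thing to confirm against the resource's behaviour.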
@@ -3162,20 +2992,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75497' do\n title \"The Ubuntu operating system must display the date and time of the last\nsuccessful account logon upon logon.\"\n desc \"Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75497'\n tag \"rid\": 'SV-90177r1_rule'\n tag \"stig_id\": 'UBTU-16-010340'\n tag \"fix_id\": 'F-82125r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify users are provided with feedback on when account\naccesses last occurred.\n\nCheck that \\\"pam_lastlog\\\" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is missing from \\\"/etc/pam.d/login\\\" file, or the \\\"silent\\\"\noption is present, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with\nfeedback on when account accesses last occurred by setting the required\nconfiguration options in \\\"/etc/pam.d/postlogin-ac\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession required pam_lastlog.so showfailed\"\n\n describe file('/etc/pam.d/login') do\n it { should exist }\n end\n\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match 
/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\nend\n", + "code": "control 'V-75499' do\n title 'There must be no .shosts files on the Ubuntu operating system.'\n desc \"The .shosts files are used to configure host-based authentication for\nindividual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75499'\n tag \"rid\": 'SV-90179r1_rule'\n tag \"stig_id\": 'UBTU-16-010350'\n tag \"fix_id\": 'F-82127r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify there are no \\\".shosts\\\" files on the Ubuntu operating\nsystem.\n\nCheck the system for the existence of these files with the following command:\n\n# sudo find / -name '*.shosts'\n\nIf any \\\".shosts\\\" files are found, this is a finding.\"\n desc 'fix', \"Remove any found \\\".shosts\\\" files from the Ubuntu operating\nsystem.\n\n# rm /[path]/[to]/[file]/.shosts\"\n\n describe command(\"find / -name '*.shosts'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75497.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75499.rb", "line": 3 }, - "id": "V-75497" + "id": "V-75499" }, { - "title": "The audit system must be configured to audit any usage of the insmod\ncommand.", - "desc": "Without the capability to generate audit 
records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/group.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, 
correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \"insmod\", by running the\nfollowing command:\n\n# sudo grep \"/sbin/insmod\" /etc/audit/audit.rules\n\n-w /sbin/insmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe module management program \"insmod\", by adding the following line to\n\"/etc/audit/audit.rules\":\n\n-w /sbin/insmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/group\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/group\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], 
@@ -3185,21 +3015,22 @@
 "SRG-OS-000037-GPOS-00015",
 "SRG-OS-000042-GPOS-00020",
 "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000304-GPOS-00121",
 "SRG-OS-000392-GPOS-00172",
 "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215",
- "SRG-OS-000471-GPOS-00216",
- "SRG-OS-000477-GPOS-00222"
+ "SRG-OS-000470-GPOS-00214",
+ "SRG-OS-000471-GPOS-00215"
 ],
- "gid": "V-75709",
- "rid": "SV-90389r2_rule",
- "stig_id": "UBTU-16-020420",
- "fix_id": "F-82337r2_fix",
+ "gid": "V-75663",
+ "rid": "SV-90343r3_rule",
+ "stig_id": "UBTU-16-020310",
+ "fix_id": "F-82291r2_fix",
 "cci": [
 "CCI-000130",
 "CCI-000135",
 "CCI-000169",
 "CCI-000172",
+ "CCI-002132",
 "CCI-002884"
 ],
 "nist": [
@@ -3207,48 +3038,8 @@ "AU-3 (1)", "AU-12 a", "AU-12 c", - "MA-4 (1) (a)", - "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null - }, - "code": "control 'V-75709' do\n title \"The audit system must be configured to audit any usage of the insmod\ncommand.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 
SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222]\n tag \"gid\": 'V-75709'\n tag \"rid\": 'SV-90389r2_rule'\n tag \"stig_id\": 'UBTU-16-020420'\n tag \"fix_id\": 'F-82337r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \\\"insmod\\\", by running the\nfollowing command:\n\n# sudo grep \\\"/sbin/insmod\\\" /etc/audit/audit.rules\n\n-w /sbin/insmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe module management program \\\"insmod\\\", by adding the following line to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /sbin/insmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/insmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", - "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75709.rb", - "line": 3 - }, - "id": "V-75709" - }, - { - "title": "The SSH public host key files must have mode 0644 or less permissive.", - "desc": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", - "descriptions": { - "default": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", - "check": "Verify the SSH public host key files have mode \"0644\" or less\npermissive.\n\nNote: SSH public key files may be found in other directories on the system\ndepending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# ls -l /etc/ssh/*.pub\n\n-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any key.pub file has a mode more permissive than \"0644\", this is a\nfinding.", - "fix": "Note: SSH public key files may be found in other directories on\nthe system depending on the installation.\n\nChange the mode of public host key files under \"/etc/ssh\" to \"0644\" with\nthe following command:\n\n# sudo chmod 0644 /etc/ssh/*key.pub\n\nThe SSH daemon must be restarted for the changes 
to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75843", - "rid": "SV-90523r2_rule", - "stig_id": "UBTU-16-030310", - "fix_id": "F-82473r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", + "AC-2 (4)", + "MA-4 (1)\n(a)", "Rev_4" ], "false_negatives": null, 
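Review bot: The new `nist` tag for V-75663 carries a literal newline inside the control identifier — `"MA-4 (1)\n(a)"` — whereas the faillog control V-75773 later in this diff writes the same identifier as `"MA-4 (1) (a)"`, so anything that filters or groups findings by NIST control will not match this entry. The JSON is an export of the InSpec source, so the correction belongs in `./Ubuntu 16.04 STIG/controls/V-75663.rb`, where the tag should be written on one line as `tag "nist": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', 'MA-4 (1) (a)', 'Rev_4']` and the regenerated JSON would then read `"MA-4 (1) (a)",`. The V-75663 object this hunk edits continues past the hunk's end.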
@@ -3262,40 +3053,51 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75843' do\n title 'The SSH public host key files must have mode 0644 or less permissive.'\n desc \"If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75843'\n tag \"rid\": 'SV-90523r2_rule'\n tag \"stig_id\": 'UBTU-16-030310'\n tag \"fix_id\": 'F-82473r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH public host key files have mode \\\"0644\\\" or less\npermissive.\n\nNote: SSH public key files may be found in other directories on the system\ndepending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# ls -l /etc/ssh/*.pub\n\n-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any key.pub file has a mode more permissive than \\\"0644\\\", this is a\nfinding.\"\n desc 'fix', \"Note: SSH public key files may be found in other directories on\nthe system depending on the installation.\n\nChange the mode of public host key files under \\\"/etc/ssh\\\" to \\\"0644\\\" with\nthe following command:\n\n# sudo chmod 0644 /etc/ssh/*key.pub\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n pub_files = command(\"find /etc/ssh -xdev -name '*.pub' -perm /133\").stdout.split(\"\\n\")\n if !pub_files.nil? && !pub_files.empty?\n pub_files.each do |pubfile|\n describe file(pubfile) do\n it { should_not be_executable.by('user') }\n it { should_not be_executable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_executable.by('others') }\n it { should_not be_writable.by('others') }\n end\n end\n else\n describe 'No files have a more permissive mode.' do\n subject { pub_files.nil? || pub_files.empty? }\n it { should eq true }\n end\n end\nend\n", + "code": "control 'V-75663' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/group.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75663'\n tag \"rid\": 'SV-90343r3_rule'\n tag \"stig_id\": 'UBTU-16-020310'\n tag \"fix_id\": 'F-82291r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": 
nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/group\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/group\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75843.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75663.rb", "line": 3 }, - "id": "V-75843" + "id": "V-75663" }, { - "title": "The Ubuntu operating system, for PKI-based authentication, must\nvalidate certificates by constructing a certification path (which includes\nstatus information) to an accepted trust anchor.", - "desc": "Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. 
Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.", + "title": "Successful/unsuccessful modifications to the faillog file must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. 
Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.", - "check": "Verify the Ubuntu operating system, for PKI-based\nauthentication, had valid certificates by constructing a certification path\n(which includes status information) to an accepted trust anchor.\n\nCheck which pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and then ensure \"ca\" is enabled in\n\"cert_policy\" with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\", has a value of \"none\", or the line\nis commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system, for PKI-based\nauthentication, to validate certificates by constructing a certification path\n(which includes status information) to an accepted trust anchor.\n\nDetermine which pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in\n\"cert_policy\".\n\nAdd or update the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \"faillog\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in 
\"/etc/audit/audit.rules\":\n\n# sudo grep -w faillog /etc/audit/audit.rules\n\n-w /var/log/faillog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"faillog\" file occur.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000066-GPOS-00034", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000066-GPOS-00034", - "SRG-OS-000384-GPOS-00167" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000473-GPOS-00218" ], - "gid": "V-75909", - "rid": "SV-90589r2_rule", - "stig_id": "UBTU-16-030830", - "fix_id": "F-82539r2_fix", + "gid": "V-75773", + "rid": "SV-90453r3_rule", + "stig_id": "UBTU-16-020740", + "fix_id": "F-82401r2_fix", "cci": [ - "CCI-000185", - "CCI-001991" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "IA-5 (2) (a)", - "IA-5 (2) (d)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
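Review bot: The check and fix text for V-75663 disagree on the audit key: the check expects `-w /etc/group -p wa -k audit_rules_usergroup_modification` while the fix tells the administrator to add `-w /etc/group -p wa -k identity`. The InSpec code in the same `code` string only asserts that the matching rule's permissions include `w` and `a` and never looks at the key, so the automated result is unaffected, but an assessor applying the fix by hand ends up with a rule that does not look like the one the check says to expect. Use one key in both strings — for example change the fix line to `-w /etc/group -p wa -k audit_rules_usergroup_modification` — so the documented expectation and the installed rule agree. The V-75773 object that starts in this hunk continues into the next one.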
@@ -3309,34 +3111,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75909' do\n title \"The Ubuntu operating system, for PKI-based authentication, must\nvalidate certificates by constructing a certification path (which includes\nstatus information) to an accepted trust anchor.\"\n desc \"Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. 
Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"satisfies\": %w[SRG-OS-000066-GPOS-00034 SRG-OS-000384-GPOS-00167]\n tag \"gid\": 'V-75909'\n tag \"rid\": 'SV-90589r2_rule'\n tag \"stig_id\": 'UBTU-16-030830'\n tag \"fix_id\": 'F-82539r2_fix'\n tag \"cci\": %w[CCI-000185 CCI-001991]\n tag \"nist\": ['IA-5 (2) (a)', 'IA-5 (2) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based\nauthentication, had valid certificates by constructing a certification path\n(which includes status information) to an accepted trust anchor.\n\nCheck which pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and then ensure \\\"ca\\\" is enabled in\n\\\"cert_policy\\\" with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\", has a value of \\\"none\\\", or the line\nis commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based\nauthentication, to validate certificates by constructing a certification path\n(which includes status information) to an accepted trust anchor.\n\nDetermine which pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in\n\\\"cert_policy\\\".\n\nAdd or update the 
\\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\"\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75773' do\n title \"Successful/unsuccessful modifications to the faillog file must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000473-GPOS-00218]\n tag \"gid\": 'V-75773'\n tag \"rid\": 'SV-90453r3_rule'\n tag \"stig_id\": 'UBTU-16-020740'\n tag \"fix_id\": 'F-82401r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen 
successful/unsuccessful modifications to the \\\"faillog\\\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w faillog /etc/audit/audit.rules\n\n-w /var/log/faillog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \\\"faillog\\\" file occur.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75909.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75773.rb", "line": 3 }, - "id": "V-75909" + "id": "V-75773" }, { - "title": "The Ubuntu operating system must compare internal information system\nclocks at least every 24 hours with a server which is synchronized to an\nauthoritative time source, such as the United States Naval Observatory (USNO)\ntime servers, or a time server designated for the appropriate DoD network\n(NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).", 
- "desc": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).", + "title": "The system must update the DoD-approved virus scan program every seven\ndays or more frequently.", + "desc": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to check for software and\nvirus definition updates with a frequency no longer than seven days. If a\nmanual process is required to update the virus scan software or definitions, it\nmust be documented with the Information System Security Officer (ISSO).", "descriptions": { - "default": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. 
Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).", - "check": "The system clock must be configured to compare the system clock\nat least every 24 hours to the authoritative time source.\n\nNote: If the system is not networked this item is Not Applicable.\n\nCheck the value of \"maxpoll\" in the \"/etc/ntp.conf\" file with the following\ncommand:\n\n# sudo grep -i maxpoll /etc/ntp.conf\nmaxpoll = 17\n\nIf \"maxpoll\" is not set to \"17\" or does not exist, this is a finding.\n\nVerify that the \"ntp.conf\" file is configured to an authoritative DoD time\nsource by running the following command:\n\n# grep -i server /etc/ntp.conf\nserver 0.us.pool.ntp.org iburst\n\nIf the parameter \"server\" is not set, is not set to an authoritative DoD time\nsource, or is commented out, this is a finding.", - "fix": "Note: If the system is not networked this item is Not Applicable.\n\nTo configure the system clock to compare the system clock at least every 24\nhours to the authoritative time source, edit the \"/etc/ntp.conf\" file. Add or\ncorrect the following lines, by replacing \"[source]\" in the following line\nwith an authoritative DoD time source.\n\nmaxpoll = 17\nserver [source] iburst\n\nIf the \"NTP\" service was running and the value of \"maxpoll\" or \"server\"\nwas updated then the service must be restarted using the following command:\n\n# sudo systemctl restart ntp.service\n\nIf the \"NTP\" service was not running then it must be started." 
+ "default": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to check for software and\nvirus definition updates with a frequency no longer than seven days. If a\nmanual process is required to update the virus scan software or definitions, it\nmust be documented with the Information System Security Officer (ISSO).", + "check": "Verify the system is using a DoD-approved virus scan program\nand the virus definition file is less than seven days old.\n\nCheck for the presence of \"McAfee VirusScan Enterprise for Linux\" with the\nfollowing command:\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux\n\n> Loaded: loaded\n/opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.;\nenabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\nIf the \"nails\" service is not active, check for the presence of \"clamav\" on\nthe system with the following command:\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\nIf \"McAfee VirusScan Enterprise for Linux\" is active on the system, check the\ndates of the virus definition files with the following command:\n\n# ls -al /opt/NAI/LinuxShield/engine/dat/*.dat\n\n-rwxr-xr-x 1 root root 243217 Mar 5 2017 avvclean.dat\n-rwxr-xr-x 1 root root 16995 Mar 5 2017 avvnames.dat\n-rwxr-xr-x 1 root root 4713245 Mar 5 2017 avvscan.dat\n\nIf the virus definition files have dates older than seven days from the current\ndate, this is a finding.\n\nIf \"clamav\" is active on the system, check the dates of the virus database\nwith the following commands:\n\n# grep -I databasedirectory 
/etc/clamav.conf\n\nDatabaseDirectory /var/lib/clamav\n\n# ls -al /var/lib/clamav/*.cvd\n\n-rwxr-xr-x 1 root root 149156 Mar 5 2011 daily.cvd\n\nIf the database file has a date older than seven days from the current date,\nthis is a finding.", + "fix": "Update the approved DoD virus scan software and virus definition\nfiles." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000355-GPOS-00143", - "gid": "V-75813", - "rid": "SV-90493r2_rule", - "stig_id": "UBTU-16-030100", - "fix_id": "F-82443r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-78007", + "rid": "SV-92703r1_rule", + "stig_id": "UBTU-16-030910", + "fix_id": "F-84717r1_fix", "cci": [ - "CCI-001891" + "CCI-001668" ], "nist": [ - "AU-8 (1) (a)", + "SI-3 a", "Rev_4" ], "false_negatives": null, 
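Review bot: The clamav branch of the V-78007 check runs `grep -I databasedirectory /etc/clamav.conf`; `-I` makes grep skip binary files and does not ignore case, so the lowercase pattern will not match the `DatabaseDirectory` line the expected output shows and the command returns nothing for a correctly configured host. It should read `# grep -i databasedirectory /etc/clamav.conf`, and on Ubuntu the daemon configuration is normally `/etc/clamav/clamd.conf` rather than `/etc/clamav.conf` — worth confirming before the text is regenerated. Since this JSON is exported from the InSpec source, the correction belongs in the control file; the V-78007 object continues into the next hunk, where its `code` string lives.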
@@ -3350,34 +3152,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75813' do\n title \"The Ubuntu operating system must compare internal information system\nclocks at least every 24 hours with a server which is synchronized to an\nauthoritative time source, such as the United States Naval Observatory (USNO)\ntime servers, or a time server designated for the appropriate DoD network\n(NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).\"\n desc \"Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000355-GPOS-00143'\n tag \"gid\": 'V-75813'\n tag \"rid\": 'SV-90493r2_rule'\n tag \"stig_id\": 'UBTU-16-030100'\n tag \"fix_id\": 'F-82443r2_fix'\n tag \"cci\": ['CCI-001891']\n tag \"nist\": ['AU-8 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"The system clock must be configured to compare the system clock\nat least every 24 hours to the authoritative time source.\n\nNote: If the system is not networked this item is Not Applicable.\n\nCheck the value of \\\"maxpoll\\\" 
in the \\\"/etc/ntp.conf\\\" file with the following\ncommand:\n\n# sudo grep -i maxpoll /etc/ntp.conf\nmaxpoll = 17\n\nIf \\\"maxpoll\\\" is not set to \\\"17\\\" or does not exist, this is a finding.\n\nVerify that the \\\"ntp.conf\\\" file is configured to an authoritative DoD time\nsource by running the following command:\n\n# grep -i server /etc/ntp.conf\nserver 0.us.pool.ntp.org iburst\n\nIf the parameter \\\"server\\\" is not set, is not set to an authoritative DoD time\nsource, or is commented out, this is a finding.\"\n desc 'fix', \"Note: If the system is not networked this item is Not Applicable.\n\nTo configure the system clock to compare the system clock at least every 24\nhours to the authoritative time source, edit the \\\"/etc/ntp.conf\\\" file. Add or\ncorrect the following lines, by replacing \\\"[source]\\\" in the following line\nwith an authoritative DoD time source.\n\nmaxpoll = 17\nserver [source] iburst\n\nIf the \\\"NTP\\\" service was running and the value of \\\"maxpoll\\\" or \\\"server\\\"\nwas updated then the service must be restarted using the following command:\n\n# sudo systemctl restart ntp.service\n\nIf the \\\"NTP\\\" service was not running then it must be started.\"\n\n is_system_networked = input('is_system_networked')\n if is_system_networked\n ntp_conf_exists = file('/etc/ntp.conf').exist?\n if ntp_conf_exists\n describe ntp_conf do\n it { should exist }\n its('maxpoll') { should cmp 17 }\n its('server') { should_not be_empty }\n its('server') { should_not eq nil }\n end\n else\n describe '/etc/ntp.conf exists' do\n subject { ntp_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n", + "code": "control 'V-78007' do\n title \"The system must update the DoD-approved virus scan program every seven\ndays or more frequently.\"\n desc \"Virus scanning software can be used to protect a system 
from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to check for software and\nvirus definition updates with a frequency no longer than seven days. If a\nmanual process is required to update the virus scan software or definitions, it\nmust be documented with the Information System Security Officer (ISSO).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-78007'\n tag \"rid\": 'SV-92703r1_rule'\n tag \"stig_id\": 'UBTU-16-030910'\n tag \"fix_id\": 'F-84717r1_fix'\n tag \"cci\": ['CCI-001668']\n tag \"nist\": ['SI-3 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system is using a DoD-approved virus scan program\nand the virus definition file is less than seven days old.\n\nCheck for the presence of \\\"McAfee VirusScan Enterprise for Linux\\\" with the\nfollowing command:\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux\n\n> Loaded: loaded\n/opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.;\nenabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\nIf the \\\"nails\\\" service is not active, check for the presence of \\\"clamav\\\" on\nthe system with the following command:\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\nIf \\\"McAfee VirusScan Enterprise for Linux\\\" is active on the system, check 
the\ndates of the virus definition files with the following command:\n\n# ls -al /opt/NAI/LinuxShield/engine/dat/*.dat\n\n-rwxr-xr-x 1 root root 243217 Mar 5 2017 avvclean.dat\n-rwxr-xr-x 1 root root 16995 Mar 5 2017 avvnames.dat\n-rwxr-xr-x 1 root root 4713245 Mar 5 2017 avvscan.dat\n\nIf the virus definition files have dates older than seven days from the current\ndate, this is a finding.\n\nIf \\\"clamav\\\" is active on the system, check the dates of the virus database\nwith the following commands:\n\n# grep -I databasedirectory /etc/clamav.conf\n\nDatabaseDirectory /var/lib/clamav\n\n# ls -al /var/lib/clamav/*.cvd\n\n-rwxr-xr-x 1 root root 149156 Mar 5 2011 daily.cvd\n\nIf the database file has a date older than seven days from the current date,\nthis is a finding.\n\"\n desc 'fix', \"Update the approved DoD virus scan software and virus definition\nfiles.\"\n\n org_name = input('org_name')\n is_antivirus_active = false\n seven_days = 604_800 # (7 days * 24 hours * 60 minutes * 60 seconds)\n\n def_files = command('find /opt/NAI/LinuxShield/engine/dat -type f -name *.dat').stdout.split(\"\\n\")\n if service('nails').installed? && service('nails').enabled? && service('nails').running?\n if !def_files.nil? && !def_files.empty?\n def_files.each do |deffile|\n describe file(deffile) do\n its('mtime') { should >= Time.now.to_i - seven_days }\n end\n end\n else\n describe 'No McAfee VirusScan Enterprise for Linux definition files have been found' do\n subject { def_files.nil? || def_files.empty? }\n it { should eq false }\n end\n end\n is_antivirus_active = true\n end\n\n def_files = command('find /var/lib/clamav -type f -name *.cvd').stdout.split(\"\\n\")\n if service('clamav-daemon.service').installed? && service('clamav-daemon.service').enabled? && service('clamav-daemon.service').running?\n if !def_files.nil? 
&& !def_files.empty?\n def_files.each do |deffile|\n describe file(deffile) do\n its('mtime') { should >= Time.now.to_i - seven_days }\n end\n end\n else\n describe 'No ClamAV definition files have been found' do\n subject { def_files.nil? || def_files.empty? }\n it { should eq false }\n end\n end\n is_antivirus_active = true\n end\n\n unless is_antivirus_active\n describe ('No ' + org_name + '-approved virus scan program is found to be active on the system') do\n subject { is_antivirus_active }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75813.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-78007.rb", "line": 3 }, - "id": "V-75813" + "id": "V-78007" }, { - "title": "All local interactive user home directories defined in the /etc/passwd\nfile must exist.", - "desc": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the / directory as the current working\ndirectory upon logon. This could create a Denial of Service because the user\nwould not be able to access their logon configuration files, and it may give\nthem visibility to system files they normally would not be able to access.", + "title": "The Ubuntu operating system must use cryptographic mechanisms to\nprotect the integrity of audit tools.", + "desc": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed in order\nto provide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. An example is a checksum hash of the file or files.", "descriptions": { - "default": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the / directory as the current working\ndirectory upon logon. This could create a Denial of Service because the user\nwould not be able to access their logon configuration files, and it may give\nthem visibility to system files they normally would not be able to access.", - "check": "Verify the assigned home directory of all local interactive\nusers on the Ubuntu operating system exists.\n\nCheck the home directory assignment for all local interactive non-privileged\nusers with the following command:\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\"nobody\"){print $6}' /etc/passwd)\n\ndrwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\nNote: This may miss interactive users that have been assigned a privileged User\nID (UID). Evidence of interactive use may be obtained from a number of log\nfiles containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\n\nuser 'smithj': directory '/home/smithj' does not exist\n\nIf any home directories referenced in \"/etc/passwd\" are returned as not\ndefined, this is a finding.", - "fix": "Create home directories to all local interactive users that\ncurrently do not have a home directory assigned. 
Use the following commands to\ncreate the user home directory assigned in \"/etc/ passwd\":\n\nNote: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\", a User ID (UID) of \"smithj\", and a Group Identifier (GID)\nof \"users assigned\" in \"/etc/passwd\".\n\n# mkdir /home/smithj\n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj" + "default": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed in order\nto provide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. 
An example is a checksum hash of the file or files.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) to\nproperly configured to use cryptographic mechanisms to protect the integrity of\naudit tools.\n\nCheck the selection lines that aide is configured to add/check with the\nfollowing command:\n\n# egrep '(\\/usr\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512\n\nIf any of the seven audit tools does not have an appropriate selection line,\nthis is a finding.", + "fix": "Add or update the following selection lines to\n\"/etc/aide/aide.conf\", in order to protect the integrity of the audit tools.\n\n# Audit Tools\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75563", - "rid": "SV-90243r1_rule", - "stig_id": "UBTU-16-010740", - "fix_id": "F-82191r1_fix", + "gtitle": "SRG-OS-000278-GPOS-00108", + "gid": "V-75525", + "rid": "SV-90205r2_rule", + "stig_id": "UBTU-16-010550", + "fix_id": "F-82153r1_fix", "cci": [ - "CCI-000366" + "CCI-001496" ], "nist": [ - "CM-6 b", + "AU-9 (3)", "Rev_4" ], "false_negatives": null, 
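Review bot: The `find` globs in the new V-78007 code, `-name *.dat` and `-name *.cvd`, are unquoted, so the shell expands them against the working directory before `find` runs; if a matching file happens to be there, `find` receives extra path arguments and fails, and the empty result is then reported as "no definition files found". Quote the patterns: `command("find /opt/NAI/LinuxShield/engine/dat -type f -name '*.dat'")` and `command("find /var/lib/clamav -type f -name '*.cvd'")`. Separately, the check text in this same hunk inspects `clamav-daemon.socket`, while the code requires `clamav-daemon.service` to be running; on a socket-activated install the daemon can be inactive until first use, so the control may report no active scanner where a manual check would pass, which is worth confirming against the intended targets. The `def_files.nil?` tests are dead, since `String#split` always returns an array. As this JSON appears to be exported from the `.rb` source named in `source_location`, the change belongs in `./Ubuntu 16.04 STIG/controls/V-78007.rb` with the JSON regenerated.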
@@ -3391,20 +3193,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75563' do\n title \"All local interactive user home directories defined in the /etc/passwd\nfile must exist.\"\n desc \"If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the / directory as the current working\ndirectory upon logon. This could create a Denial of Service because the user\nwould not be able to access their logon configuration files, and it may give\nthem visibility to system files they normally would not be able to access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75563'\n tag \"rid\": 'SV-90243r1_rule'\n tag \"stig_id\": 'UBTU-16-010740'\n tag \"fix_id\": 'F-82191r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the assigned home directory of all local interactive\nusers on the Ubuntu operating system exists.\n\nCheck the home directory assignment for all local interactive non-privileged\nusers with the following command:\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $6}' /etc/passwd)\n\ndrwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\nNote: This may miss interactive users that have been assigned a privileged User\nID (UID). 
Evidence of interactive use may be obtained from a number of log\nfiles containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\n\nuser 'smithj': directory '/home/smithj' does not exist\n\nIf any home directories referenced in \\\"/etc/passwd\\\" are returned as not\ndefined, this is a finding.\"\n desc 'fix', \"Create home directories to all local interactive users that\ncurrently do not have a home directory assigned. Use the following commands to\ncreate the user home directory assigned in \\\"/etc/ passwd\\\":\n\nNote: The example will be for the user smithj, who has a home directory of\n\\\"/home/smithj\\\", a User ID (UID) of \\\"smithj\\\", and a Group Identifier (GID)\nof \\\"users assigned\\\" in \\\"/etc/passwd\\\".\n\n# mkdir /home/smithj\n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n describe directory(user_info.home) do\n it { should exist }\n end\n end\nend\n", + "code": "control 'V-75525' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to\nprotect the integrity of audit tools.\"\n desc \"Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed in order\nto provide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. An example is a checksum hash of the file or files.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000278-GPOS-00108'\n tag \"gid\": 'V-75525'\n tag \"rid\": 'SV-90205r2_rule'\n tag \"stig_id\": 'UBTU-16-010550'\n tag \"fix_id\": 'F-82153r1_fix'\n tag \"cci\": ['CCI-001496']\n tag \"nist\": ['AU-9 (3)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) to\nproperly configured to use cryptographic mechanisms to protect the integrity of\naudit tools.\n\nCheck the selection lines that aide is configured to add/check with the\nfollowing command:\n\n# egrep '(\\\\/usr\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512\n\nIf any of the seven audit tools does not have an appropriate selection line,\nthis is a finding.\"\n desc 'fix', \"Add or update the following selection lines to\n\\\"/etc/aide/aide.conf\\\", in order to protect the 
integrity of the audit tools.\n\n# Audit Tools\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512\"\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/usr/sbin/auditctl' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/auditd' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/ausearch' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/aureport' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/autrace' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/audispd' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/augenrules' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75563.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75525.rb", "line": 3 }, - "id": "V-75563" + "id": "V-75525" }, { - 
"title": "Successful/unsuccessful modifications to the tallylog file must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "Audit records must contain information to establish what type of\nevents occurred, the source of events, where events occurred, and the outcome\nof events.", + "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack, recognizing resource\nutilization or capacity thresholds, or identifying an improperly configured\nUbuntu operating system.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \"tallylog\" file 
occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w tallylog /etc/audit/audit.rules\n\n-w /var/log/tallylog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"tallylog\" file occur.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack, recognizing resource\nutilization or capacity thresholds, or identifying an improperly configured\nUbuntu operating system.", + "check": "Verify the audit service is configured to produce audit\nrecords.\n\nCheck that the audit service is installed properly with the following command:\n\n# dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\nCheck that the audit service is properly running and active on the system with\nthe following command:\n\n# systemctl is-active auditd.service\nactive\n\nIf the command 
above returns \"inactive\", this is a finding.", + "fix": "Configure the audit service to produce audit records containing\nthe information needed to establish when (date and time) an event occurred.\n\nInstall the audit service (if the audit service is not already installed) with\nthe following command:\n\n# sudo apt-get install auditd\n\nEnable the audit service with the following command:\n\n# sudo systemctl enable auditd.service\n\nRestart the audit service with the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], 
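Review bot: Each of the seven `its('rules')` expectations in the new V-75525 code writes `'xattr' 'sha512'` without a comma, which Ruby parses as adjacent string-literal concatenation, so the expected array ends in the single element `'xattrsha512'`. No aide.conf selection line carries such a rule, so as written the control cannot pass on a correctly configured host (assuming `rules` is compared as a whole array, as the `include [...]` form suggests). The seven blocks differ only in the tool path, so the fix is best made once by iterating over the tool list with a single corrected rule array, as below. Since the JSON carries `source_location` pointing at `./Ubuntu 16.04 STIG/controls/V-75525.rb`, the correction belongs in that source with the export regenerated.
```ruby
  # … unchanged: title, desc, impact, tags, desc 'check', desc 'fix' …
  aide_conf_exists = aide_conf.exist?

  if aide_conf_exists
    # The seven audit tools named in the STIG check; every one must carry the full rule set.
    audit_tools = %w[auditctl auditd ausearch aureport autrace audispd augenrules]
    expected_rules = %w[p i n u g s b acl xattr sha512]

    audit_tools.each do |tool|
      tool_path = "/usr/sbin/#{tool}"
      describe aide_conf.where { selection_line == tool_path } do
        its('rules') { should include expected_rules }
      end
    end
  else
    # … unchanged: 'aide.conf file exists' describe block …
  end
```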
@@ -3412,29 +3214,73 @@
 "gtitle": "SRG-OS-000037-GPOS-00015",
 "satisfies": [
 "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000038-GPOS-00016",
+ "SRG-OS-000039-GPOS-00017",
+ "SRG-OS-000040-GPOS-00018",
+ "SRG-OS-000041-GPOS-00019",
+ "SRG-OS-000042-GPOS-00021",
+ "SRG-OS-000051-GPOS-00024",
+ "SRG-OS-000054-GPOS-00025",
+ "SRG-OS-000122-GPOS-00063",
+ "SRG-OS-000254-GPOS-00095",
+ "SRG-OS-000255-GPOS-00096",
+ "SRG-OS-000337-GPOS-00129",
+ "SRG-OS-000348-GPOS-00136",
+ "SRG-OS-000349-GPOS-00137",
+ "SRG-OS-000350-GPOS-00138",
+ "SRG-OS-000351-GPOS-00139",
+ "SRG-OS-000352-GPOS-00140",
+ "SRG-OS-000353-GPOS-00141",
+ "SRG-OS-000354-GPOS-00142",
+ "SRG-OS-000358-GPOS-00145",
+ "SRG-OS-000365-GPOS-00152",
 "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215",
- "SRG-OS-000473-GPOS-00218"
+ "SRG-OS-000475-GPOS-00220"
 ],
- "gid": "V-75771",
- "rid": "SV-90451r3_rule",
- "stig_id": "UBTU-16-020730",
- "fix_id": "F-82399r2_fix",
+ "gid": "V-75617",
+ "rid": "SV-90297r1_rule",
+ "stig_id": "UBTU-16-020000",
+ "fix_id": "F-82245r1_fix",
 "cci": [
 "CCI-000130",
+ "CCI-000131",
+ "CCI-000132",
+ "CCI-000133",
+ "CCI-000134",
 "CCI-000135",
- "CCI-000169",
+ "CCI-000154",
+ "CCI-000158",
 "CCI-000172",
+ "CCI-001464",
+ "CCI-001487",
+ "CCI-001814",
+ "CCI-001875",
+ "CCI-001876",
+ "CCI-001877",
+ "CCI-001878",
+ "CCI-001880",
+ "CCI-001914",
 "CCI-002884"
 ],
 "nist": [
+ "AU-3",
+ "AU-3",
+ "AU-3",
+ "AU-3",
 "AU-3",
 "AU-3 (1)",
- "AU-12 a",
+ "AU-6 (4)",
+ "AU-7 (1)",
 "AU-12 c",
+ "AU-14 (1)",
+ "AU-3",
+ "CM-5 (1)",
+ "AU-7 a",
+ "AU-7 a",
+ "AU-7 a",
+ "AU-7 a",
+ "AU-7 a",
+ "AU-12 (3)",
 "MA-4 (1) (a)",
 "Rev_4"
 ],
@@ -3449,34 +3295,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75771' do\n title \"Successful/unsuccessful modifications to the tallylog file must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000473-GPOS-00218]\n tag \"gid\": 'V-75771'\n tag \"rid\": 'SV-90451r3_rule'\n tag \"stig_id\": 'UBTU-16-020730'\n tag \"fix_id\": 'F-82399r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful modifications to the \\\"tallylog\\\" file occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w tallylog /etc/audit/audit.rules\n\n-w /var/log/tallylog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the 
audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \\\"tallylog\\\" file occur.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75617' do\n title \"Audit records must contain information to establish what type of\nevents occurred, the source of events, where events occurred, and the outcome\nof events.\"\n desc \"Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack, recognizing resource\nutilization or capacity thresholds, or identifying an improperly configured\nUbuntu operating 
system.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016\n SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018\n SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00021\n SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025\n SRG-OS-000122-GPOS-00063 SRG-OS-000254-GPOS-00095\n SRG-OS-000255-GPOS-00096 SRG-OS-000337-GPOS-00129\n SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137\n SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139\n SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141\n SRG-OS-000354-GPOS-00142 SRG-OS-000358-GPOS-00145\n SRG-OS-000365-GPOS-00152 SRG-OS-000392-GPOS-00172\n SRG-OS-000475-GPOS-00220]\n tag \"gid\": 'V-75617'\n tag \"rid\": 'SV-90297r1_rule'\n tag \"stig_id\": 'UBTU-16-020000'\n tag \"fix_id\": 'F-82245r1_fix'\n tag \"cci\": %w[CCI-000130 CCI-000131 CCI-000132 CCI-000133\n CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000172\n CCI-001464 CCI-001487 CCI-001814 CCI-001875 CCI-001876\n CCI-001877 CCI-001878 CCI-001880 CCI-001914 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3', 'AU-3', 'AU-3', 'AU-3', 'AU-3 (1)', 'AU-6 (4)',\n 'AU-7 (1)', 'AU-12 c', 'AU-14 (1)', 'AU-3', 'CM-5 (1)', 'AU-7 a', 'AU-7 a',\n 'AU-7 a', 'AU-7 a', 'AU-7 a', 'AU-12 (3)', 'MA-4 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit service is configured to produce audit\nrecords.\n\nCheck that the audit service is installed properly with the following command:\n\n# dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\nCheck that the audit service is properly running and active on the system with\nthe following command:\n\n# systemctl 
is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\", this is a finding.\"\n desc 'fix', \"Configure the audit service to produce audit records containing\nthe information needed to establish when (date and time) an event occurred.\n\nInstall the audit service (if the audit service is not already installed) with\nthe following command:\n\n# sudo apt-get install auditd\n\nEnable the audit service with the following command:\n\n# sudo systemctl enable auditd.service\n\nRestart the audit service with the following command:\n\n# sudo systemctl restart auditd.service\"\n\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75771.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75617.rb", "line": 3 }, - "id": "V-75771" + "id": "V-75617" }, { - "title": "The Ubuntu operating system must enforce password complexity by\nrequiring that at least one lower-case character be used.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "title": "The Ubuntu operating system must prevent Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirect messages from being\naccepted.", + "desc": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. 
These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", - "check": "Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n# grep -i \"lcredit\" /etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is not equal to \"-1\", or is commented out, this\nis a finding.", - "fix": "Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one lower-case character be used.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto contain the \"lcredit\" parameter:\n\nlcredit=-1" + "default": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. 
An illicit ICMP redirect message could result in a\nman-in-the-middle attack.", + "check": "Verify the Ubuntu operating system will not accept IPv4\nInternet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the default \"accept_redirects\" variables with the\nfollowing command:\n\n# sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to prevent Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages from being acceptedr with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_redirects=0" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000070-GPOS-00038", - "gid": "V-75451", - "rid": "SV-90131r2_rule", - "stig_id": "UBTU-16-010110", - "fix_id": "F-82079r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75879", + "rid": "SV-90559r3_rule", + "stig_id": "UBTU-16-030560", + "fix_id": "F-82509r2_fix", "cci": [ - "CCI-000193" + "CCI-000366" ], "nist": [ - "IA-5 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
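Review bot: The added `descriptions.fix` text for V-75879 carries a typo, `messages from being acceptedr with the following command`, and the same string is repeated inside the `code` value on the new side of the next hunk. This JSON looks like a generated export of the InSpec profile (each control carries a `source_location.ref`, here `./Ubuntu 16.04 STIG/controls/V-75879.rb`), so the wording should be corrected in that control file and the baseline regenerated rather than patched here. The corrected sentence would read `messages from being accepted with the following command`.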
@@ -3490,34 +3336,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75451' do\n title \"The Ubuntu operating system must enforce password complexity by\nrequiring that at least one lower-case character be used.\"\n desc \"Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000070-GPOS-00038'\n tag \"gid\": 'V-75451'\n tag \"rid\": 'SV-90131r2_rule'\n tag \"stig_id\": 'UBTU-16-010110'\n tag \"fix_id\": 'F-82079r1_fix'\n tag \"cci\": ['CCI-000193']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n# grep -i \\\"lcredit\\\" /etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is not equal to \\\"-1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one lower-case character be used.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" 
file\nto contain the \\\"lcredit\\\" parameter:\n\nlcredit=-1\"\n\n min_num_lowercase_char = input('min_num_lowercase_char')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp min_num_lowercase_char }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75879' do\n title \"The Ubuntu operating system must prevent Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirect messages from being\naccepted.\"\n desc \"Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75879'\n tag \"rid\": 'SV-90559r3_rule'\n tag \"stig_id\": 'UBTU-16-030560'\n tag \"fix_id\": 'F-82509r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system will not accept IPv4\nInternet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the default \\\"accept_redirects\\\" variables with the\nfollowing command:\n\n# sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects=0\n\nIf the returned line does not have a value of \\\"0\\\", or a line is not returned,\nthis is 
a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages from being acceptedr with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.default.accept_redirects=0\"\n\n describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do\n its('value') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75451.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75879.rb", "line": 3 }, - "id": "V-75451" + "id": "V-75879" }, { - "title": "The audit records must be off-loaded onto a different system or\nstorage media from the system being audited.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "title": "Successful/unsuccessful uses of the chacl command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", - "check": "Verify the audit system off-loads audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that the 
records are being off-loaded to a remote server with the\nfollowing command:\n\n# sudo grep -i remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 10.0.1.2\n\nIf \"remote_server\" is not configured, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to off-load audit records to a\ndifferent system or storage media from the system being audited.\n\nSet the \"remote_server\" option in \"/etc/audisp/audisp-remote.conf\" with the\nIP address of the log server. See the example below.\n\nremote_server = 10.0.1.2\n\nIn order for the changes to take effect, the audit daemon must be restarted.\nThe audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chacl\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chacl /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chacl\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon 
must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000342-GPOS-00133", - "gid": "V-80965", - "rid": "SV-95677r1_rule", - "stig_id": "UBTU-16-020220", - "fix_id": "F-87825r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75769", + "rid": "SV-90449r3_rule", + "stig_id": "UBTU-16-020720", + "fix_id": "F-82397r2_fix", "cci": [ - "CCI-001851" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AU-4 (1)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
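Review bot: The V-75879 control code on the new side of this hunk asserts only `kernel_parameter('net.ipv4.conf.default.accept_redirects')`, which mirrors the STIG check text but covers only interfaces created after the setting is applied. If the profile is meant to confirm that redirects are actually rejected on the running host, a second block `describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do` / `its('value') { should eq 0 }` / `end` would cover already-configured interfaces; I am inferring the `all`/`default` split from the kernel's usual sysctl layout, so confirm it matches the intended scope before changing the control. As with the rest of this file, the change belongs in the referenced `.rb` control and a regenerated export, not in this JSON directly.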
@@ -3531,34 +3393,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-80965' do\n title \"The audit records must be off-loaded onto a different system or\nstorage media from the system being audited.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000342-GPOS-00133'\n tag \"gid\": 'V-80965'\n tag \"rid\": 'SV-95677r1_rule'\n tag \"stig_id\": 'UBTU-16-020220'\n tag \"fix_id\": 'F-87825r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit system off-loads audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that the records are being off-loaded to a remote server with the\nfollowing command:\n\n# sudo grep -i remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 10.0.1.2\n\nIf \\\"remote_server\\\" is not configured, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to off-load audit records to a\ndifferent system or storage media from the system being audited.\n\nSet the \\\"remote_server\\\" option in \\\"/etc/audisp/audisp-remote.conf\\\" with the\nIP address of the log server. 
See the example below.\n\nremote_server = 10.0.1.2\n\nIn order for the changes to take effect, the audit daemon must be restarted.\nThe audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service\"\n\n config_file_exists = file('/etc/audisp/audisp-remote.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('remote_server') { should match /./ }\n end\n else\n describe '/etc/audisp/audisp-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75769' do\n title \"Successful/unsuccessful uses of the chacl command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75769'\n tag \"rid\": 'SV-90449r3_rule'\n tag \"stig_id\": 'UBTU-16-020720'\n tag \"fix_id\": 'F-82397r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating 
system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chacl\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chacl /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chacl\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-80965.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75769.rb", "line": 3 }, - "id": "V-80965" + "id": "V-75769" }, { - "title": "There must be no shosts.equiv files on the Ubuntu operating system.", - "desc": "The shosts.equiv files are used to configure host-based authentication\nfor the system via SSH. 
Host-based authentication is not sufficient for\npreventing unauthorized access to the system, as it does not require\ninteractive identification and authentication of a connection request, or for\nthe use of two-factor authentication.", + "title": "Passwords for new users must have a 24 hours/1 day minimum password\nlifetime restriction.", + "desc": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, then the password could be repeatedly changed in a short period of\ntime to defeat the organization's policy regarding password reuse.", "descriptions": { - "default": "The shosts.equiv files are used to configure host-based authentication\nfor the system via SSH. Host-based authentication is not sufficient for\npreventing unauthorized access to the system, as it does not require\ninteractive identification and authentication of a connection request, or for\nthe use of two-factor authentication.", - "check": "Verify there are no \"shosts.equiv\" files on the Ubuntu\noperating system.\n\nCheck for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf a \"shosts.equiv\" file is found, this is a finding.", - "fix": "Remove any found \"shosts.equiv\" files from the Ubuntu operating\nsystem.\n\n# rm /etc/ssh/shosts.equiv" + "default": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, then the password could be repeatedly changed in a short period of\ntime to defeat the organization's policy regarding password reuse.", + "check": "Verify that the Ubuntu operating system enforces a 24 hours/1\nday minimum password lifetime for new user accounts by running the following\ncommand:\n\n# grep -i pass_min_days /etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than or equal to \"1\", or\ncommented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a 24 hours/1 day\nminimum password lifetime.\n\nAdd, or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75501", - "rid": "SV-90181r2_rule", - "stig_id": "UBTU-16-010360", - "fix_id": "F-82129r1_fix", + "gtitle": "SRG-OS-000075-GPOS-00043", + "gid": "V-75471", + "rid": "SV-90151r2_rule", + "stig_id": "UBTU-16-010210", + "fix_id": "F-82099r2_fix", "cci": [ - "CCI-000366" + "CCI-000198" ], "nist": [ - "CM-6 b", + "IA-5 (1) (d)", "Rev_4" ], "false_negatives": null, 
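Review bot: The new V-75471 `descriptions.check` text ends with `If the "PASS_MIN_DAYS" parameter value is less than or equal to "1", or commented out, this is a finding.`, which contradicts the expected output `PASS_MIN_DAYS 1` shown two lines earlier and the control's own pass condition; the sentence should read `If the "PASS_MIN_DAYS" parameter value is less than "1", or commented out, this is a finding.` The control code on the new side of the following hunk compares as strings, `its('PASS_MIN_DAYS') { should >= '1' }`, so a zero-padded or multi-digit value is compared lexically rather than numerically; `its('PASS_MIN_DAYS') { should cmp >= 1 }` makes the comparison numeric. Both the text and the matcher should be corrected in the source control file the `source_location.ref` points to and the baseline re-exported.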
@@ -3572,34 +3434,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75501' do\n title 'There must be no shosts.equiv files on the Ubuntu operating system.'\n desc \"The shosts.equiv files are used to configure host-based authentication\nfor the system via SSH. Host-based authentication is not sufficient for\npreventing unauthorized access to the system, as it does not require\ninteractive identification and authentication of a connection request, or for\nthe use of two-factor authentication.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75501'\n tag \"rid\": 'SV-90181r2_rule'\n tag \"stig_id\": 'UBTU-16-010360'\n tag \"fix_id\": 'F-82129r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify there are no \\\"shosts.equiv\\\" files on the Ubuntu\noperating system.\n\nCheck for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf a \\\"shosts.equiv\\\" file is found, this is a finding.\"\n desc 'fix', \"Remove any found \\\"shosts.equiv\\\" files from the Ubuntu operating\nsystem.\n\n# rm /etc/ssh/shosts.equiv\"\n\n describe command('find / -name shosts.equiv') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control 'V-75471' do\n title \"Passwords for new users must have a 24 hours/1 day minimum password\nlifetime restriction.\"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, then the password could be repeatedly changed in a short period of\ntime to defeat the organization's policy regarding password reuse.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000075-GPOS-00043'\n tag \"gid\": 'V-75471'\n tag \"rid\": 'SV-90151r2_rule'\n tag \"stig_id\": 'UBTU-16-010210'\n tag \"fix_id\": 'F-82099r2_fix'\n tag \"cci\": ['CCI-000198']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system enforces a 24 hours/1\nday minimum password lifetime for new user accounts by running the following\ncommand:\n\n# grep -i pass_min_days /etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than or equal to \\\"1\\\", or\ncommented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day\nminimum password lifetime.\n\nAdd, or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1\"\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75501.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75471.rb", "line": 3 }, - "id": "V-75501" + "id": "V-75471" }, { - "title": "Ubuntu operating systems booted with United Extensible Firmware\nInterface (UEFI) implemented must require authentication upon booting into\nsingle-user mode and maintenance.", - "desc": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web 
portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.", + "title": "The Ubuntu operating system must not permit direct logons to the root\naccount using remote access via SSH.", + "desc": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", "descriptions": { - "default": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. 
Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.", - "check": "Verify that an encrypted root password is set. This is only\napplicable on Ubuntu operating systems that use UEFI.\n\nRun the following command to verify the encrypted password is set:\n\n# grep –i password /boot/efi/EFI/grub.cfg\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString\n\nIf the root password entry does not begin with “password_pbkdf2”, this is a\nfinding.", - "fix": "Configure the system to require a password for authentication\nupon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \"/etc/grub.d/10_linux\" file with\nthe following command to add a boot password for the root entry:\n\n# cat << EOF > set superusers=\"root\" password_pbkdf2 root\ngrub.pbkdf2.sha512.VeryLongString > EOF\n\nGenerate an updated \"grub.conf\" file with the new password using the\nfollowing commands:\n\n# grub-mkconfig --output=/tmp/grub2.cfg\n# mv 
/tmp/grub2.cfg /boot/efi/EFI/grub.cfg" + "default": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", + "check": "Verify remote access using SSH prevents users from logging on\ndirectly as \"root\".\n\nCheck that SSH prevents users from logging on directly as \"root\" with the\nfollowing command:\n\n# grep PermitRootLogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is\ncommented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to stop users from logging\non remotely as the \"root\" user via SSH.\n\nEdit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the\nline for the \"PermitRootLogin\" keyword and set its value to \"no\":\n\nPermitRootLogin no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-75507", - "rid": "SV-90187r2_rule", - "stig_id": "UBTU-16-010390", - "fix_id": "F-82135r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75827", + "rid": "SV-90507r2_rule", + "stig_id": "UBTU-16-030220", + "fix_id": "F-82457r2_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
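Review bot: The V-75471 test in the new `code` string compares PASS_MIN_DAYS as a string, `its('PASS_MIN_DAYS') { should >= '1' }`, which is a lexicographic comparison and raises if the key is absent (nil) instead of reporting a finding; the check text in the same hunk treats a commented-out or missing parameter as a finding. InSpec's numeric matcher handles both cases, so the line should read `its('PASS_MIN_DAYS') { should cmp >= 1 }`. Since this file looks like an `inspec json` export, the change belongs in the control file named by `source_location` (`./Ubuntu 16.04 STIG/controls/V-75471.rb`) and then re-exported, rather than being edited here.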
@@ -3613,34 +3475,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75507' do\n title \"Ubuntu operating systems booted with United Extensible Firmware\nInterface (UEFI) implemented must require authentication upon booting into\nsingle-user mode and maintenance.\"\n desc \"To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. 
These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-75507'\n tag \"rid\": 'SV-90187r2_rule'\n tag \"stig_id\": 'UBTU-16-010390'\n tag \"fix_id\": 'F-82135r2_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": %w[AC-3 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an encrypted root password is set. This is only\napplicable on Ubuntu operating systems that use UEFI.\n\nRun the following command to verify the encrypted password is set:\n\n# grep –i password /boot/efi/EFI/grub.cfg\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString\n\nIf the root password entry does not begin with “password_pbkdf2”, this is a\nfinding.\"\n desc 'fix', \"Configure the system to require a password for authentication\nupon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \\\"/etc/grub.d/10_linux\\\" file with\nthe following command to add a boot password for the root entry:\n\n# cat << EOF > set superusers=\\\"root\\\" password_pbkdf2 root\ngrub.pbkdf2.sha512.VeryLongString > EOF\n\nGenerate an updated \\\"grub.conf\\\" file with the new password using the\nfollowing commands:\n\n# grub-mkconfig --output=/tmp/grub2.cfg\n# mv 
/tmp/grub2.cfg /boot/efi/EFI/grub.cfg\"\n\n describe file('/boot/efi/EFI/grub.cfg') do\n its('content') { should match '^password_pbkdf2' }\n end\nend\n", + "code": "control 'V-75827' do\n title \"The Ubuntu operating system must not permit direct logons to the root\naccount using remote access via SSH.\"\n desc \"Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75827'\n tag \"rid\": 'SV-90507r2_rule'\n tag \"stig_id\": 'UBTU-16-030220'\n tag \"fix_id\": 'F-82457r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify remote access using SSH prevents users from logging on\ndirectly as \\\"root\\\".\n\nCheck that SSH prevents users from logging on directly as \\\"root\\\" with the\nfollowing command:\n\n# grep PermitRootLogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the \\\"PermitRootLogin\\\" keyword is set to \\\"yes\\\", is missing, or is\ncommented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to stop users from logging\non remotely as the \\\"root\\\" user via SSH.\n\nEdit the appropriate \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the\nline for the \\\"PermitRootLogin\\\" keyword and set its value to \\\"no\\\":\n\nPermitRootLogin no\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('PermitRootLogin') { should cmp 'no' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75507.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75827.rb", "line": 3 }, - "id": "V-75507" + "id": "V-75827" }, { - "title": "Advance package Tool (APT) must remove all software components after\nupdated versions have been installed.", - "desc": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.", + "title": "Audit log directory must be owned by root to prevent unauthorized read\naccess.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", "descriptions": { - "default": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. 
Some information technology products may remove older versions of\nsoftware automatically from the information system.", - "check": "Verify Advance package Tool (APT) is configured to remove all\nsoftware components after updated versions have been installed.\n\nCheck that APT is configured to remove all software components after updating\nwith the following command:\n\n# grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nIf the \"Remove-Unused-Dependencies\" parameter is not set to \"true\", or is\nmissing, this is a finding.", - "fix": "Configure APT to remove all software components after updated\nversions have been installed.\n\nAdd or updated the following option to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";" + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "check": "Verify the audit log directory is owned by \"root\" to prevent\nunauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex:\n\"/var/log/audit/\"). 
Run the following command with the correct audit log\ndirectory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not owned by \"root\", this is a finding.", + "fix": "Configure the audit log to be protected from unauthorized read\naccess, by setting the correct owner as \"root\" with the following command:\n\n# sudo chown root [audit_log_directory]\n\nReplace \"[audit_log_directory]\" with the correct audit log directory path, by\ndefault this location is usually \"/var/log/audit\"." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000437-GPOS-00194", - "gid": "V-75529", - "rid": "SV-90209r1_rule", - "stig_id": "UBTU-16-010570", - "fix_id": "F-82157r1_fix", + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-75643", + "rid": "SV-90323r2_rule", + "stig_id": "UBTU-16-020130", + "fix_id": "F-82271r2_fix", "cci": [ - "CCI-002617" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "SI-2 (6)", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ], "false_negatives": null, 
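Review bot: The `nist` tag added for V-75643 lists `"AU-9"` three times (one entry per CCI) before `"Rev_4"`, which is redundant and will show up as duplicate references in any viewer that renders these tags; the same duplication is carried in the control's `code` string in the next hunk as `tag "nist": %w[AU-9 AU-9 AU-9 Rev_4]`. Collapsing it to `"nist": ["AU-9", "Rev_4"]` keeps the CCI-to-control mapping intact while removing the repeats. If the mapping is produced by the profile generator, the fix belongs upstream in the control source rather than in this exported file.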
@@ -3654,43 +3525,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75529' do\n title \"Advance package Tool (APT) must remove all software components after\nupdated versions have been installed.\"\n desc \"Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000437-GPOS-00194'\n tag \"gid\": 'V-75529'\n tag \"rid\": 'SV-90209r1_rule'\n tag \"stig_id\": 'UBTU-16-010570'\n tag \"fix_id\": 'F-82157r1_fix'\n tag \"cci\": ['CCI-002617']\n tag \"nist\": ['SI-2 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify Advance package Tool (APT) is configured to remove all\nsoftware components after updated versions have been installed.\n\nCheck that APT is configured to remove all software components after updating\nwith the following command:\n\n# grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nIf the \\\"Remove-Unused-Dependencies\\\" parameter is not set to \\\"true\\\", or is\nmissing, this is a finding.\"\n desc 'fix', \"Configure APT to remove all software components after updated\nversions have been installed.\n\nAdd or updated the following option to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\"\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused 
/etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/ }\n end\nend\n", + "code": "control 'V-75643' do\n title \"Audit log directory must be owned by root to prevent unauthorized read\naccess.\"\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029]\n tag \"gid\": 'V-75643'\n tag \"rid\": 'SV-90323r2_rule'\n tag \"stig_id\": 'UBTU-16-020130'\n tag \"fix_id\": 'F-82271r2_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit log directory is owned by \\\"root\\\" to prevent\nunauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex:\n\\\"/var/log/audit/\\\"). 
Run the following command with the correct audit log\ndirectory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit log to be protected from unauthorized read\naccess, by setting the correct owner as \\\"root\\\" with the following command:\n\n# sudo chown root [audit_log_directory]\n\nReplace \\\"[audit_log_directory]\\\" with the correct audit log directory path, by\ndefault this location is usually \\\"/var/log/audit\\\".\"\n\n log_file_dir = input('log_file_dir')\n\n describe directory(log_file_dir) do\n its('owner') { should cmp 'root' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75529.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75643.rb", "line": 3 }, - "id": "V-75529" + "id": "V-75643" }, { - "title": "The Ubuntu operating system must have the packages required for\nmultifactor authentication to be installed.", - "desc": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", + "title": "Successful/unsuccessful uses of the chage command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", - "check": "Verify the Ubuntu operating system has the packages required\nfor multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor\nauthentication with the following commands:\n\n# dpkg -l | grep libpam-pkcs11\n\nii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11\nsmart cards\n\nIf the \"libpam-pkcs11\" package is not installed, this is a finding.", - "fix": "Configure the Ubuntu operating system to implement multifactor\nauthentication by installing the required packages.\nInstall the \"libpam-pkcs11\" package on the system with the following command:\n\n# sudo apt install libpam-pkcs11" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"chage\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-chage\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": 
"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"chage\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-chage\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000375-GPOS-00160", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000375-GPOS-00160", - "SRG-OS-000375-GPOS-00161", - "SRG-OS-000375-GPOS-00162" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75903", - "rid": "SV-90583r1_rule", - "stig_id": "UBTU-16-030800", - "fix_id": "F-82533r1_fix", + "gid": "V-75783", + "rid": "SV-90463r3_rule", + "stig_id": "UBTU-16-020790", + "fix_id": "F-82413r2_fix", "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
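Review bot: The V-75643 test in this hunk takes the audit log directory from `input('log_file_dir')`, while the check text it implements derives the directory from `log_file` in `/etc/audit/auditd.conf`; if the target's auditd.conf points elsewhere, the test inspects a directory the daemon does not write to, and if the profile declares no `log_file_dir` input (the inputs list is outside this hunk) `input()` raises and the control errors instead of reporting. Deriving the default from the running configuration keeps the override while matching the check text: `log_file_dir = input('log_file_dir', value: File.dirname(auditd_conf.log_file))`. The `desc` string for the same control also ends with three blank lines before the closing quote, which the export carries into the JSON; the control source named by `source_location` is where both should be corrected. The V-75783 control that begins at the end of this hunk continues past it, so its test block is not visible here.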
@@ -3704,43 +3582,48 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75903' do\n title \"The Ubuntu operating system must have the packages required for\nmultifactor authentication to be installed.\"\n desc \"Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000375-GPOS-00160'\n tag \"satisfies\": %w[SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161\n SRG-OS-000375-GPOS-00162]\n tag \"gid\": 'V-75903'\n tag \"rid\": 'SV-90583r1_rule'\n tag \"stig_id\": 'UBTU-16-030800'\n tag \"fix_id\": 'F-82533r1_fix'\n tag \"cci\": %w[CCI-001948 CCI-001953 CCI-001954]\n tag \"nist\": ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system has the packages required\nfor multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor\nauthentication with the following commands:\n\n# dpkg -l | grep libpam-pkcs11\n\nii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11\nsmart cards\n\nIf the \\\"libpam-pkcs11\\\" package is not installed, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor\nauthentication by installing the required packages.\nInstall the \\\"libpam-pkcs11\\\" package on the system with the following command:\n\n# sudo apt install libpam-pkcs11\"\n\n describe package('libpam-pkcs-11') do\n it { should be_installed }\n end\nend\n", + "code": "control 'V-75783' do\n title \"Successful/unsuccessful uses of the chage command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to 
an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75783'\n tag \"rid\": 'SV-90463r3_rule'\n tag \"stig_id\": 'UBTU-16-020790'\n tag \"fix_id\": 'F-82413r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"chage\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-chage\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"chage\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-chage\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75903.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75783.rb", "line": 3 }, - "id": "V-75903" + "id": "V-75783" }, { - "title": "All persistent disk partitions must implement cryptographic mechanisms\nto prevent unauthorized disclosure or modification of all information that\nrequires at rest protection.", - "desc": "Ubuntu operating systems handling data requiring \"data at rest\"\nprotections must employ cryptographic mechanisms to prevent unauthorized\ndisclosure and modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. 
Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).", + "title": "The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a graphical user logon.", + "desc": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", "descriptions": { - "default": "Ubuntu operating systems handling data requiring \"data at rest\"\nprotections must employ cryptographic mechanisms to prevent unauthorized\ndisclosure and modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. 
Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).", - "check": "Verify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at rest protection by\nusing disk encryption.\n\nIf there is a documented and approved reason for not having data-at-rest\nencryption, this requirement is Not Applicable.\n\nDetermine the partition layout for the system with the following command:\n\n# fdisk –l\n\nVerify that the system partitions are all encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk partition present must have an entry in the file. If any\npartitions other than pseudo file systems (such as /proc or /sys) are not\nlisted, this is a finding.", - "fix": "Configure the Ubuntu operating system to prevent unauthorized\nmodification of all information at rest by using disk encryption.\n\nEncrypting a partition in an already-installed system is more difficult,\nbecause you need to resize and change existing partitions. To encrypt an entire\npartition, dedicate a partition for encryption in the partition layout." + "default": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", + "check": "Verify the Ubuntu operating system security patches and updates\nare installed and up to date. Updates are required to be applied with a\nfrequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Ubuntu. The URL for\nupdates is https://www.Ubuntu.com/usn/. 
It is important to note that updates\nprovided by Ubuntu may not be present on the system if the underlying packages\nare not installed.\n\nCheck that the available package security updates have been installed on the\nsystem with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the\ntimeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance\nVulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information\nAssurance Vulnerability Management (IAVM) process, this is a finding.", + "fix": "Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system.\n\nCreate a database that will contain the system wide graphical user logon\nsettings (if it does not already exist) with the following command:\n\n# sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the \"[org/gnome/login-screen]\" section of the\n\"/etc/dconf/db/local.d/01-banner-message\" file:\n\n[org/gnome/login-screen]\nbanner-message-enable=true" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000185-GPOS-00079", + "gtitle": "SRG-OS-000023-GPOS-00006", "satisfies": [ - "SRG-OS-000185-GPOS-00079", - "SRG-OS-000404-GPOS-00183", - "SRG-OS-000405-GPOS-00184" + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" ], - "gid": "V-75509", - "rid": "SV-90189r1_rule", - "stig_id": "UBTU-16-010400", - "fix_id": "F-82137r1_fix", + "gid": "V-75393", + "rid": "SV-90073r2_rule", + "stig_id": "UBTU-16-010020", + "fix_id": "F-82021r1_fix", "cci": [ - "CCI-001199", - "CCI-002475", - "CCI-002476" + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + 
"CCI-001387", + "CCI-001388" ], "nist": [ - "SC-28", - "SC-28 (1)", - "SC-28 (1)", + "AC-8 a", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c 2", + "AC-8\nc 3", "Rev_4" ], "false_negatives": null, 
@@ -3754,46 +3637,40 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75509' do\n title \"All persistent disk partitions must implement cryptographic mechanisms\nto prevent unauthorized disclosure or modification of all information that\nrequires at rest protection.\"\n desc \"Ubuntu operating systems handling data requiring \\\"data at rest\\\"\nprotections must employ cryptographic mechanisms to prevent unauthorized\ndisclosure and modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000185-GPOS-00079'\n tag \"satisfies\": %w[SRG-OS-000185-GPOS-00079 SRG-OS-000404-GPOS-00183\n SRG-OS-000405-GPOS-00184]\n tag \"gid\": 'V-75509'\n tag \"rid\": 'SV-90189r1_rule'\n tag \"stig_id\": 'UBTU-16-010400'\n tag \"fix_id\": 'F-82137r1_fix'\n tag \"cci\": %w[CCI-001199 CCI-002475 CCI-002476]\n tag \"nist\": ['SC-28', 'SC-28 (1)', 'SC-28 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at rest protection by\nusing disk encryption.\n\nIf there is a documented and approved reason for not having data-at-rest\nencryption, this requirement is Not Applicable.\n\nDetermine the partition layout 
for the system with the following command:\n\n# fdisk –l\n\nVerify that the system partitions are all encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk partition present must have an entry in the file. If any\npartitions other than pseudo file systems (such as /proc or /sys) are not\nlisted, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent unauthorized\nmodification of all information at rest by using disk encryption.\n\nEncrypting a partition in an already-installed system is more difficult,\nbecause you need to resize and change existing partitions. To encrypt an entire\npartition, dedicate a partition for encryption in the partition layout.\"\n\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\nend\n", + "code": "control 'V-75393' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a graphical user logon.\"\n desc \"Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \\\"I've read and consent to terms in IS user agreem't.\\\"\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"satisfies\": %w[SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088]\n tag \"gid\": 'V-75393'\n tag \"rid\": 'SV-90073r2_rule'\n tag \"stig_id\": 'UBTU-16-010020'\n tag \"fix_id\": 'F-82021r1_fix'\n tag \"cci\": %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386\n CCI-001387 CCI-001388]\n tag \"nist\": ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', \"AC-8\nc 3\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system security patches and updates\nare installed and up to date. Updates are required to be applied with a\nfrequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Ubuntu. The URL for\nupdates is https://www.Ubuntu.com/usn/. 
It is important to note that updates\nprovided by Ubuntu may not be present on the system if the underlying packages\nare not installed.\n\nCheck that the available package security updates have been installed on the\nsystem with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the\ntimeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance\nVulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information\nAssurance Vulnerability Management (IAVM) process, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system.\n\nCreate a database that will contain the system wide graphical user logon\nsettings (if it does not already exist) with the following command:\n\n# sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the \\\"[org/gnome/login-screen]\\\" section of the\n\\\"/etc/dconf/db/local.d/01-banner-message\\\" file:\n\n[org/gnome/login-screen]\nbanner-message-enable=true\"\n\n describe command('/usr/lib/update-notifier/apt-check --human-readable') do\n its('exit_status') { should cmp 0 }\n its('stdout') { should match '^0 updates are security updates.$' }\n end\n\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match /(banner-message-enable).+=.+(true)/ }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75509.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75393.rb", "line": 3 }, - "id": "V-75509" + "id": "V-75393" }, { - "title": "All networked systems must have 
and implement SSH to protect the\nconfidentiality and integrity of transmitted and received information, as well\nas information during preparation for transmission.", - "desc": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, logical means (cryptography) do not\nhave to be employed, and vice versa.", + "title": "The Ubuntu operating system must employ a FIPS 140-2 approved\ncryptographic hashing algorithms for all stored passwords.", + "desc": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. 
If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", "descriptions": { - "default": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, logical means (cryptography) do not\nhave to be employed, and vice versa.", - "check": "Verify the \"ssh\" meta-package is installed.\n\nCheck that the ssh package is installed with the following command:\n\n$ dpkg -l | grep openssh\n\nii openssh-client 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) client, for secure access to\nremote machines\nii openssh-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) server, for secure access\nfrom remote machines\nii openssh-sftp-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) sftp server module, for SFTP\naccess from remote machines\n\nIf the \"openssh\" server package is not installed, this is a finding.\n\nCheck that the \"sshd.service\" is loaded and active with the following command:\n\n# systemctl status sshd.service | egrep -i \"(active|loaded)\"\n\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Sun 2016-06-05 23:46:29 CDT; 1h 4min ago\n\nIf \"sshd.service\" is not active or 
loaded, this is a finding.", - "fix": "Install the \"ssh\" meta-package on the system with the following\ncommand:\n\n# sudo apt install ssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following\ncommand:\n\n# sudo systemctl enable sshd.service" + "default": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", + "check": "Verify the shadow password suite configuration is set to\nencrypt interactive user passwords using a strong cryptographic hash with the\nfollowing command:\n\nConfirm that the interactive user account passwords are using a strong password\nhash with the following command:\n\n# sudo cut -d: -f2 /etc/shadow\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\nPassword hashes \"!\" or \"*\" indicate inactive accounts not available for\nlogon and are not evaluated. If any interactive user password hash does not\nbegin with \"$6\", this is a finding.", + "fix": "Configure the Ubuntu operating system to encrypt all stored\npasswords with a strong cryptographic hash.\n\nLock all interactive user accounts not using SHA-512 hashing until the\npasswords can be regenerated." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000423-GPOS-00187", + "gtitle": "SRG-OS-000073-GPOS-00041", "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188", - "SRG-OS-000425-GPOS-00189", - "SRG-OS-000426-GPOS-00190" + "SRG-OS-000073-GPOS-00041", + "SRG-OS-000120-GPOS-00061" ], - "gid": "V-75857", - "rid": "SV-90537r1_rule", - "stig_id": "UBTU-16-030420", - "fix_id": "F-82487r1_fix", + "gid": "V-75461", + "rid": "SV-90141r1_rule", + "stig_id": "UBTU-16-010160", + "fix_id": "F-82089r1_fix", "cci": [ - "CCI-002418", - "CCI-002420", - "CCI-002421", - "CCI-002422" + "CCI-000196", + "CCI-000803" ], "nist": [ - "SC-8", - "SC-8 (2)", - "SC-8 (1)", - "SC-8 (2)", + "IA-5 (1) (c)", + "IA-7", "Rev_4" ], "false_negatives": null, 
@@ -3807,34 +3684,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75857' do\n title \"All networked systems must have and implement SSH to protect the\nconfidentiality and integrity of transmitted and received information, as well\nas information during preparation for transmission.\"\n desc \"Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, logical means (cryptography) do not\nhave to be employed, and vice versa.\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": %w[SRG-OS-000423-GPOS-00187 SRG-OS-000424-GPOS-00188\n SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190]\n tag \"gid\": 'V-75857'\n tag \"rid\": 'SV-90537r1_rule'\n tag \"stig_id\": 'UBTU-16-030420'\n tag \"fix_id\": 'F-82487r1_fix'\n tag \"cci\": %w[CCI-002418 CCI-002420 CCI-002421 CCI-002422]\n tag \"nist\": ['SC-8', 'SC-8 (2)', 'SC-8 (1)', 'SC-8 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the \\\"ssh\\\" meta-package is installed.\n\nCheck that the ssh package is installed with the following command:\n\n$ dpkg -l | grep openssh\n\nii openssh-client 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) client, for secure access to\nremote machines\nii openssh-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) server, for secure access\nfrom remote machines\nii openssh-sftp-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) sftp server module, for SFTP\naccess from remote machines\n\nIf the \\\"openssh\\\" server package is not installed, this is a finding.\n\nCheck that the \\\"sshd.service\\\" is loaded and active with the following command:\n\n# systemctl status sshd.service | egrep -i \\\"(active|loaded)\\\"\n\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Sun 2016-06-05 23:46:29 CDT; 1h 4min ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding.\"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following\ncommand:\n\n# sudo apt install ssh\n\nEnable the 
\\\"ssh\\\" service to start automatically on reboot with the following\ncommand:\n\n# sudo systemctl enable sshd.service\"\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n", + "code": "control 'V-75461' do\n title \"The Ubuntu operating system must employ a FIPS 140-2 approved\ncryptographic hashing algorithms for all stored passwords.\"\n desc \"The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"satisfies\": %w[SRG-OS-000073-GPOS-00041 SRG-OS-000120-GPOS-00061]\n tag \"gid\": 'V-75461'\n tag \"rid\": 'SV-90141r1_rule'\n tag \"stig_id\": 'UBTU-16-010160'\n tag \"fix_id\": 'F-82089r1_fix'\n tag \"cci\": %w[CCI-000196 CCI-000803]\n tag \"nist\": ['IA-5 (1) (c)', 'IA-7', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the shadow password suite configuration is set to\nencrypt interactive user passwords using a strong cryptographic hash with the\nfollowing command:\n\nConfirm that the interactive user account passwords are using a strong password\nhash with the following command:\n\n# sudo cut -d: -f2 
/etc/shadow\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\nPassword hashes \\\"!\\\" or \\\"*\\\" indicate inactive accounts not available for\nlogon and are not evaluated. If any interactive user password hash does not\nbegin with \\\"$6\\\", this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored\npasswords with a strong cryptographic hash.\n\nLock all interactive user accounts not using SHA-512 hashing until the\npasswords can be regenerated.\"\n\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n counter = 0\n\n users.where { !shell.match(ignore_shells) }.entries.each do |user_info|\n shadow.where(user: user_info.username).passwords.each do |user_pwd|\n pwd_should_be_evaluated = !(user_pwd.casecmp?('!') || user_pwd.casecmp?('*'))\n next unless pwd_should_be_evaluated\n\n describe (user_info.username + ' - user\\'s password hash') do\n subject { user_pwd }\n it { should start_with '$6' }\n end\n counter += 1\n end\n end\n if counter == 0\n describe 'Number of interactive users on the system' do\n subject { counter }\n it { should be 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75857.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75461.rb", "line": 3 }, - "id": "V-75857" + "id": "V-75461" }, { - "title": "All public directories must be owned by root to prevent unauthorized\nand unintended information transferred via shared system resources.", - "desc": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after 
those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", + "title": "Pluggable Authentication Module (PAM) must prohibit the use of cached\nauthentications after one day.", + "desc": "If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.", "descriptions": { - "default": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. 
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", - "check": "Verify that all public directories are owned by root to prevent\nunauthorized and unintended information transferred via shared system resources.\n\nCheck to see that all public directories have the public sticky bit set by\nrunning the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are not owned by root, this is a finding.", - "fix": "Configure all public directories to be owned by root to prevent\nunauthorized and unintended information transferred via shared system resources.\n\nSet the owner of all public directories as root using the command, replace\n\"[Public Directory]\" with any directory path not owned by root:\n\n# sudo chown root [Public Directory]" + "default": "If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.", + "check": "Verify that Pluggable Authentication Module (PAM) prohibits the\nuse of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is\nNot Applicable.\n\nCheck that PAM prohibits the use of cached authentications after one day with\nthe following command:\n\n# sudo grep -i \"timestamp_timeout\" /etc/pam.d/*\n\ntimestamp_timeout=86400\n\nIf \"timestamp_timeout\" is not set to a value of \"86400\" or less, or is\ncommented out, this is a finding.", + "fix": "Configure Pluggable Authentication Module (PAM) to prohibit the\nuse of cached authentications after one day.\n\nAdd or change the following line in \"/etc/pam.d/common-auth\" or\n\"/etc/pam.d/common-session\" just below the line \"[pam]\".\n\ntimestamp_timeout = 86400" }, 
"impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-75511", - "rid": "SV-90191r1_rule", - "stig_id": "UBTU-16-010410", - "fix_id": "F-82139r1_fix", + "gtitle": "SRG-OS-000383-GPOS-00166", + "gid": "V-75553", + "rid": "SV-90233r2_rule", + "stig_id": "UBTU-16-010690", + "fix_id": "F-82181r2_fix", "cci": [ - "CCI-001090" + "CCI-002007" ], "nist": [ - "SC-4", + "IA-5 (13)", "Rev_4" ], "false_negatives": null, 
@@ -3848,50 +3725,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75511' do\n title \"All public directories must be owned by root to prevent unauthorized\nand unintended information transferred via shared system resources.\"\n desc \"Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. 
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-75511'\n tag \"rid\": 'SV-90191r1_rule'\n tag \"stig_id\": 'UBTU-16-010410'\n tag \"fix_id\": 'F-82139r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": %w[SC-4 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all public directories are owned by root to prevent\nunauthorized and unintended information transferred via shared system resources.\n\nCheck to see that all public directories have the public sticky bit set by\nrunning the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\\\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are not owned by root, this is a finding.\"\n desc 'fix', \"Configure all public directories to be owned by root to prevent\nunauthorized and unintended information transferred via shared system resources.\n\nSet the owner of all public directories as root using the command, replace\n\\\"[Public Directory]\\\" with any directory path not owned by root:\n\n# sudo chown root [Public Directory]\"\n\n dir_list = command('sudo find / -xdev -type d -perm -0002 -exec ls -dL {} \\\\;').stdout.strip.split(\"\\n\")\n if dir_list.count > 0\n dir_list.each do |entry|\n describe directory(entry) do\n its('owner') { should eq 'root' }\n end\n end\n else\n describe 'The number of public directories not owned by root' do\n subject { dir_list }\n its('count') { 
should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-75553' do\n title \"Pluggable Authentication Module (PAM) must prohibit the use of cached\nauthentications after one day.\"\n desc \"If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000383-GPOS-00166'\n tag \"gid\": 'V-75553'\n tag \"rid\": 'SV-90233r2_rule'\n tag \"stig_id\": 'UBTU-16-010690'\n tag \"fix_id\": 'F-82181r2_fix'\n tag \"cci\": ['CCI-002007']\n tag \"nist\": ['IA-5 (13)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Pluggable Authentication Module (PAM) prohibits the\nuse of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is\nNot Applicable.\n\nCheck that PAM prohibits the use of cached authentications after one day with\nthe following command:\n\n# sudo grep -i \\\"timestamp_timeout\\\" /etc/pam.d/*\n\ntimestamp_timeout=86400\n\nIf \\\"timestamp_timeout\\\" is not set to a value of \\\"86400\\\" or less, or is\ncommented out, this is a finding.\"\n desc 'fix', \"Configure Pluggable Authentication Module (PAM) to prohibit the\nuse of cached authentications after one day.\n\nAdd or change the following line in \\\"/etc/pam.d/common-auth\\\" or\n\\\"/etc/pam.d/common-session\\\" just below the line \\\"[pam]\\\".\n\ntimestamp_timeout = 86400\"\n\n describe.one do\n describe parse_config_file('/etc/pam.d/common-auth') do\n its('timestamp_timeout') { should be <= '86400' }\n end\n\n describe parse_config_file('/etc/pam.d/common-session') do\n its('timestamp_timeout') { should be <= '86400' }\n end\n 
end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75511.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75553.rb", "line": 3 }, - "id": "V-75511" + "id": "V-75553" }, { - "title": "Successful/unsuccessful uses of the sudo command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "A file integrity tool must be installed to verify correct operation of\nall security functions in the Ubuntu operating system.", + "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"sudo\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w sudo /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"sudo\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. 
Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is\ninstalled and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n\n# sudo apt list aide\n\naide/xenial,now 0.16~a2.git20130520-3 amd64 [installed]\n\nIf AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a\nfinding.", + "fix": "Install the AIDE package by running the following command:\n\n# sudo apt-get install aide" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75755", - "rid": "SV-90435r3_rule", - "stig_id": "UBTU-16-020650", - "fix_id": "F-82383r2_fix", + "gtitle": "SRG-OS-000445-GPOS-00199", + "gid": "V-75515", + "rid": "SV-90195r3_rule", + "stig_id": "UBTU-16-010500", + "fix_id": "F-82143r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-002696" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "SI-6 a", "Rev_4" ], 
"false_negatives": null, 
@@ -3905,34 +3766,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75755' do\n title \"Successful/unsuccessful uses of the sudo command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75755'\n tag \"rid\": 'SV-90435r3_rule'\n tag \"stig_id\": 'UBTU-16-020650'\n tag \"fix_id\": 'F-82383r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"sudo\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w sudo /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to 
generate an audit event for any\nsuccessful/unsuccessful use of the \\\"sudo\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75515' do\n title \"A file integrity tool must be installed to verify correct operation of\nall security functions in the Ubuntu operating system.\"\n desc \"Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000445-GPOS-00199'\n tag \"gid\": 'V-75515'\n tag \"rid\": 'SV-90195r3_rule'\n tag \"stig_id\": 'UBTU-16-010500'\n tag \"fix_id\": 'F-82143r1_fix'\n tag \"cci\": ['CCI-002696']\n tag \"nist\": ['SI-6 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is\ninstalled and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n\n# sudo apt list aide\n\naide/xenial,now 0.16~a2.git20130520-3 amd64 [installed]\n\nIf AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a\nfinding.\"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n# sudo apt-get install aide\"\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75755.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75515.rb", "line": 3 }, - "id": "V-75755" + "id": "V-75515" }, { - "title": "The SSH daemon must not allow authentication using known hosts\nauthentication.", - "desc": "Configuring this setting for the 
SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "title": "The /var/log/syslog file must have mode 0640 or less permissive.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", - "check": "Verify the SSH daemon does not allow authentication using known\nhosts authentication.\n\nTo determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run\nthe following command:\n\n# grep IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no\noutput is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using known\nhosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and\nset the value to \"yes\":\n\nIgnoreUserKnownHosts yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the \"/var/log/syslog\" file has mode \"0640\" or\nless permissive.\n\nCheck that \"/var/log/syslog\" has mode \"0640\" or less permissive with the\nfollowing command:\n\n# stat -c \"%a %n\" /var/log/syslog\n\n640 /var/log/syslog\n\nIf a value of \"640\" or less permissive is not returned, this is a finding.", + "fix": "Change the permissions of the file \"/var/log/syslog\" to\n\"0640\" by running the following command:\n\n# sudo chmod 0640 /var/log" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75841", - "rid": "SV-90521r2_rule", - "stig_id": "UBTU-16-030300", - "fix_id": "F-82471r2_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-75603", + "rid": "SV-90283r3_rule", + "stig_id": "UBTU-16-010990", + "fix_id": "F-82231r3_fix", "cci": [ - "CCI-000366" + "CCI-001314" ], "nist": [ - "CM-6 b", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
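Review bot: The V-75603 fix text ends with `# sudo chmod 0640 /var/log`, which changes the mode of the `/var/log` directory rather than the `/var/log/syslog` file the control is about; run as written it strips search permission from the log directory for group and others, making every log file unreachable to non-root processes, while leaving syslog's own mode untouched. It should read `# sudo chmod 0640 /var/log/syslog`. The same string is embedded in the control's `desc 'fix'` in the following hunk, which is cut off here, so both copies (and the `.rb` source they mirror) need the correction. Separately, the AIDE control's code in this hunk is only `package('aide') ... be_installed`, while its check text accepts an alternative integrity tool approved by the SA; consider an input naming the alternative package, or a comment stating that this profile accepts AIDE only, so those systems are not silently flagged.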
@@ -3946,34 +3807,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75841' do\n title \"The SSH daemon must not allow authentication using known hosts\nauthentication.\"\n desc \"Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75841'\n tag \"rid\": 'SV-90521r2_rule'\n tag \"stig_id\": 'UBTU-16-030300'\n tag \"fix_id\": 'F-82471r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon does not allow authentication using known\nhosts authentication.\n\nTo determine how the SSH daemon's \\\"IgnoreUserKnownHosts\\\" option is set, run\nthe following command:\n\n# grep IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \\\"no\\\", the returned line is commented out, or no\noutput is returned, this is a finding.\"\n desc 'fix', \"Configure the SSH daemon to not allow authentication using known\nhosts authentication.\n\nAdd the following line in \\\"/etc/ssh/sshd_config\\\", or uncomment the line and\nset the value to \\\"yes\\\":\n\nIgnoreUserKnownHosts yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\n\"\n\n describe sshd_config do\n its('IgnoreUserKnownHosts') { should cmp 'yes' }\n end\nend\n", + "code": "control 'V-75603' do\n title 'The /var/log/syslog file must have mode 0640 or less permissive.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75603'\n tag \"rid\": 'SV-90283r3_rule'\n tag \"stig_id\": 'UBTU-16-010990'\n tag \"fix_id\": 'F-82231r3_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the \\\"/var/log/syslog\\\" file has mode \\\"0640\\\" or\nless permissive.\n\nCheck that \\\"/var/log/syslog\\\" has mode \\\"0640\\\" or less permissive with the\nfollowing command:\n\n# stat -c \\\"%a %n\\\" /var/log/syslog\n\n640 /var/log/syslog\n\nIf a value of \\\"640\\\" or less permissive is not returned, this is a finding.\"\n desc 'fix', \"Change the permissions of the file 
\\\"/var/log/syslog\\\" to\n\\\"0640\\\" by running the following command:\n\n# sudo chmod 0640 /var/log\"\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75841.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75603.rb", "line": 3 }, - "id": "V-75841" + "id": "V-75603" }, { - "title": "Ubuntu vendor packaged system security patches and updates must be\ninstalled and up to date.", - "desc": "Timely patching is critical for maintaining the operational\navailability, confidentiality, and integrity of information technology (IT)\nsystems. However, failure to keep Ubuntu operating system and application\nsoftware patched is a common mistake made by IT professionals. New patches are\nreleased daily, and it is often difficult for even experienced System\nAdministrators to keep abreast of all the new patches. When new weaknesses in\nan Ubuntu operating system exist, patches are usually made available by the\nvendor to resolve the problems. If the most recent security patches and updates\nare not installed, unauthorized users may take advantage of weaknesses in the\nunpatched software. The lack of prompt attention to patching could result in a\nsystem compromise.", + "title": "Successful/unsuccessful uses of the open command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Timely patching is critical for maintaining the operational\navailability, confidentiality, and integrity of information technology (IT)\nsystems. 
However, failure to keep Ubuntu operating system and application\nsoftware patched is a common mistake made by IT professionals. New patches are\nreleased daily, and it is often difficult for even experienced System\nAdministrators to keep abreast of all the new patches. When new weaknesses in\nan Ubuntu operating system exist, patches are usually made available by the\nvendor to resolve the problems. If the most recent security patches and updates\nare not installed, unauthorized users may take advantage of weaknesses in the\nunpatched software. The lack of prompt attention to patching could result in a\nsystem compromise.", - "check": "Verify the Ubuntu operating system security patches and updates\nare installed and up to date. Updates are required to be applied with a\nfrequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Ubuntu. The URL for\nupdates is https://www.Ubuntu.com/usn/. It is important to note that updates\nprovided by Ubuntu may not be present on the system if the underlying packages\nare not installed.\n\nCheck that the available package security updates have been installed on the\nsystem with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the\ntimeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance\nVulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information\nAssurance Vulnerability Management (IAVM) process, this is a finding.", - "fix": "Install the Ubuntu operating system patches or updated packages\navailable from Canonical within 30 days or sooner as local policy dictates." 
+ "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"open\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"open\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75391", - "rid": "SV-90071r4_rule", - "stig_id": "UBTU-16-010010", - "fix_id": "F-82019r4_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75743", + "rid": "SV-90423r3_rule", + "stig_id": "UBTU-16-020590", + "fix_id": "F-82371r2_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
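Review bot: In the V-75603 `code` string the documented fix is `# sudo chmod 0640 /var/log`, which targets the directory rather than the file: run as written it strips the execute bit from `/var/log` (breaking traversal for any non-root service that writes there) while leaving `/var/log/syslog` untouched, and the same text appears in that control's `descriptions.fix` string in the earlier hunk. It should read `# sudo chmod 0640 /var/log/syslog`, matching the `describe file('/var/log/syslog')` test a few lines later. In the V-75743 block the check and fix text only give `-F arch=b64` rules, yet the InSpec body also asserts `b32` `open` rules unconditionally, so a host configured exactly as the fix text says fails the control; either add the `-F arch=b32` rules to the check/fix text or guard the b32 describes the way the b64 ones are guarded by `os.arch`. These `code` strings mirror the upstream Ubuntu 16.04 STIG profile, so the correction belongs there before this JSON is regenerated.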
@@ -3987,42 +3864,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75391' do\n title \"Ubuntu vendor packaged system security patches and updates must be\ninstalled and up to date.\"\n desc \"Timely patching is critical for maintaining the operational\navailability, confidentiality, and integrity of information technology (IT)\nsystems. However, failure to keep Ubuntu operating system and application\nsoftware patched is a common mistake made by IT professionals. New patches are\nreleased daily, and it is often difficult for even experienced System\nAdministrators to keep abreast of all the new patches. When new weaknesses in\nan Ubuntu operating system exist, patches are usually made available by the\nvendor to resolve the problems. If the most recent security patches and updates\nare not installed, unauthorized users may take advantage of weaknesses in the\nunpatched software. The lack of prompt attention to patching could result in a\nsystem compromise.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75391'\n tag \"rid\": 'SV-90071r4_rule'\n tag \"stig_id\": 'UBTU-16-010010'\n tag \"fix_id\": 'F-82019r4_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system security patches and updates\nare installed and up to date. Updates are required to be applied with a\nfrequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Ubuntu. The URL for\nupdates is https://www.Ubuntu.com/usn/. 
It is important to note that updates\nprovided by Ubuntu may not be present on the system if the underlying packages\nare not installed.\n\nCheck that the available package security updates have been installed on the\nsystem with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the\ntimeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance\nVulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information\nAssurance Vulnerability Management (IAVM) process, this is a finding.\"\n desc 'fix', \"Install the Ubuntu operating system patches or updated packages\navailable from Canonical within 30 days or sooner as local policy dictates.\"\n\n describe command('/usr/lib/update-notifier/apt-check --human-readable') do\n its('exit_status') { should cmp 0 }\n its('stdout') { should match '^0 updates are security updates.$' }\n end\nend\n", + "code": "control 'V-75743' do\n title \"Successful/unsuccessful uses of the open command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75743'\n tag \"rid\": 'SV-90423r3_rule'\n tag \"stig_id\": 
'UBTU-16-020590'\n tag \"fix_id\": 'F-82371r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"open\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"open\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75391.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75743.rb", "line": 3 }, - "id": "V-75391" + "id": "V-75743" }, { - "title": "Pam_Apparmor must be configured to allow system administrators to pass\ninformation to any other Ubuntu operating system administrator or user, change\nsecurity attributes, and to confine all non-privileged users from executing\nfunctions to include disabling, circumventing, or altering implemented security\nsafeguards/countermeasures.", - "desc": "Discretionary Access Control (DAC) is based on the notion that\nindividual users are \"owners\" of objects and therefore have discretion over\nwho should be authorized to access the object and in which mode (e.g., read or\nwrite). Ownership is usually acquired as a consequence of creating the object\nor via specified ownership assignment. DAC allows the owner to determine who\nwill have access to objects they control. 
An example of DAC includes\nuser-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are\nnot constrained with regard to what actions they can take with information for\nwhich they have already been granted access. Thus, subjects that have been\ngranted access to information are not prevented from passing (i.e., the\nsubjects have the discretion to pass) the information to other subjects or\nobjects. A subject that is constrained in its operation by Mandatory Access\nControl policies is still able to operate under the less rigorous constraints\nof this requirement. Thus, while Mandatory Access Control imposes constraints\npreventing a subject from passing information to another subject operating at a\ndifferent sensitivity level, this requirement permits the subject to pass the\ninformation to any subject at the same sensitivity level. The policy is bounded\nby the information system boundary. Once the information is passed outside the\ncontrol of the information system, additional means may be required to ensure\nthe constraints remain in effect. While the older, more traditional definitions\nof discretionary access control require identity-based access control, that\nlimitation is not required for this use of discretionary access control.", + "title": "All files and directories must have a valid owner.", + "desc": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", "descriptions": { - "default": "Discretionary Access Control (DAC) is based on the notion that\nindividual users are \"owners\" of objects and therefore have discretion over\nwho should be authorized to access the object and in which mode (e.g., read or\nwrite). Ownership is usually acquired as a consequence of creating the object\nor via specified ownership assignment. DAC allows the owner to determine who\nwill have access to objects they control. 
An example of DAC includes\nuser-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are\nnot constrained with regard to what actions they can take with information for\nwhich they have already been granted access. Thus, subjects that have been\ngranted access to information are not prevented from passing (i.e., the\nsubjects have the discretion to pass) the information to other subjects or\nobjects. A subject that is constrained in its operation by Mandatory Access\nControl policies is still able to operate under the less rigorous constraints\nof this requirement. Thus, while Mandatory Access Control imposes constraints\npreventing a subject from passing information to another subject operating at a\ndifferent sensitivity level, this requirement permits the subject to pass the\ninformation to any subject at the same sensitivity level. The policy is bounded\nby the information system boundary. Once the information is passed outside the\ncontrol of the information system, additional means may be required to ensure\nthe constraints remain in effect. 
While the older, more traditional definitions\nof discretionary access control require identity-based access control, that\nlimitation is not required for this use of discretionary access control.", - "check": "Verify the Ubuntu operating system is configured to allow\nsystem administrators to pass information to any other Ubuntu operating system\nadministrator or user.\n\nCheck that \"Pam_Apparmor\" is installed on the system with the following\ncommand:\n\n# sudo apt list libpam-apparmor\n\nlibpam-apparmor/xenial-updates,now 2.10.95-0ubuntu2.7 amd64 [installed]\n\nIf the \"Pam_Apparmor\" package is not installed, this is a finding.\n\nCheck that Pam_Apparmor has properly configured profiles\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf all loaded profiles are not in \"enforce\" mode, or there are any profiles\nin \"complain\" mode, this is a finding.", - "fix": "Configure the Ubuntu operating system to allow system\nadministrators to pass information to any other Ubuntu operating system\nadministrator or user.\n\nInstall \"Pam_Apparmor\" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate \"Apparmor\" (if it is not already active) with the following\ncommand:\n\n# sudo systemctl enable apparmor.service\n\nStart \"Apparmor\" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Pam_Apparmor must have properly configured profiles. All configurations\nwill be based on the actual system setup and organization. See the\n\"Pam_Apparmor\" documentation for more information on configuring profiles." 
+ "default": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", + "check": "Verify all files and directories on the Ubuntu operating system\nhave a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.", + "fix": "Either remove all files and directories from the system that do\nnot have a valid user, or assign a valid user to all unowned files and\ndirectories on the Ubuntu operating system with the \"chown\" command:\n\n# sudo chown " }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000312-GPOS-00122", - "satisfies": [ - "SRG-OS-000312-GPOS-00122", - "SRG-OS-000312-GPOS-00123", - "SRG-OS-000312-GPOS-00124", - "SRG-OS-000324-GPOS-00125" - ], - "gid": "V-75535", - "rid": "SV-90215r2_rule", - "stig_id": "UBTU-16-010600", - "fix_id": "F-82163r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75555", + "rid": "SV-90235r1_rule", + "stig_id": "UBTU-16-010700", + "fix_id": "F-82183r1_fix", "cci": [ - "CCI-002165", - "CCI-002235" + "CCI-002165" ], "nist": [ "AC-3 (4)", - "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
@@ -4036,34 +3905,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75535' do\n title \"Pam_Apparmor must be configured to allow system administrators to pass\ninformation to any other Ubuntu operating system administrator or user, change\nsecurity attributes, and to confine all non-privileged users from executing\nfunctions to include disabling, circumventing, or altering implemented security\nsafeguards/countermeasures.\"\n desc \"Discretionary Access Control (DAC) is based on the notion that\nindividual users are \\\"owners\\\" of objects and therefore have discretion over\nwho should be authorized to access the object and in which mode (e.g., read or\nwrite). Ownership is usually acquired as a consequence of creating the object\nor via specified ownership assignment. DAC allows the owner to determine who\nwill have access to objects they control. An example of DAC includes\nuser-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are\nnot constrained with regard to what actions they can take with information for\nwhich they have already been granted access. Thus, subjects that have been\ngranted access to information are not prevented from passing (i.e., the\nsubjects have the discretion to pass) the information to other subjects or\nobjects. A subject that is constrained in its operation by Mandatory Access\nControl policies is still able to operate under the less rigorous constraints\nof this requirement. Thus, while Mandatory Access Control imposes constraints\npreventing a subject from passing information to another subject operating at a\ndifferent sensitivity level, this requirement permits the subject to pass the\ninformation to any subject at the same sensitivity level. The policy is bounded\nby the information system boundary. 
Once the information is passed outside the\ncontrol of the information system, additional means may be required to ensure\nthe constraints remain in effect. While the older, more traditional definitions\nof discretionary access control require identity-based access control, that\nlimitation is not required for this use of discretionary access control.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000312-GPOS-00122'\n tag \"satisfies\": %w[SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123\n SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125]\n tag \"gid\": 'V-75535'\n tag \"rid\": 'SV-90215r2_rule'\n tag \"stig_id\": 'UBTU-16-010600'\n tag \"fix_id\": 'F-82163r1_fix'\n tag \"cci\": %w[CCI-002165 CCI-002235]\n tag \"nist\": ['AC-3 (4)', 'AC-6 (10)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is configured to allow\nsystem administrators to pass information to any other Ubuntu operating system\nadministrator or user.\n\nCheck that \\\"Pam_Apparmor\\\" is installed on the system with the following\ncommand:\n\n# sudo apt list libpam-apparmor\n\nlibpam-apparmor/xenial-updates,now 2.10.95-0ubuntu2.7 amd64 [installed]\n\nIf the \\\"Pam_Apparmor\\\" package is not installed, this is a finding.\n\nCheck that Pam_Apparmor has properly configured profiles\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf all loaded profiles are not in \\\"enforce\\\" mode, or there are any profiles\nin \\\"complain\\\" mode, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating 
system to allow system\nadministrators to pass information to any other Ubuntu operating system\nadministrator or user.\n\nInstall \\\"Pam_Apparmor\\\" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate \\\"Apparmor\\\" (if it is not already active) with the following\ncommand:\n\n# sudo systemctl enable apparmor.service\n\nStart \\\"Apparmor\\\" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Pam_Apparmor must have properly configured profiles. All configurations\nwill be based on the actual system setup and organization. See the\n\\\"Pam_Apparmor\\\" documentation for more information on configuring profiles.\"\n\n describe package('libpam-apparmor') do\n it { should be_installed }\n end\n\n num_loaded_profiles = inspec.command('apparmor_status | grep \"profiles are loaded.\" | cut -f 1 -d \" \"').stdout\n num_enforced_profiles = inspec.command('apparmor_status | grep \"profiles are in enforce mode.\" | cut -f 1 -d \" \"').stdout\n\n describe 'AppArmor Profiles' do\n it 'loaded and enforced' do\n expect(num_loaded_profiles).to eq(num_enforced_profiles)\n end\n end\nend\n", + "code": "control 'V-75555' do\n title 'All files and directories must have a valid owner.'\n desc \"Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \\\"UID\\\" as the UID of the un-owned\nfiles.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75555'\n tag \"rid\": 'SV-90235r1_rule'\n tag \"stig_id\": 'UBTU-16-010700'\n tag \"fix_id\": 'F-82183r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n 
tag \"ia_controls\": nil\n desc 'check', \"Verify all files and directories on the Ubuntu operating system\nhave a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.\"\n desc 'fix', \"Either remove all files and directories from the system that do\nnot have a valid user, or assign a valid user to all unowned files and\ndirectories on the Ubuntu operating system with the \\\"chown\\\" command:\n\n# sudo chown \"\n\n dir_list = command('find / -nouser').stdout.strip.split(\"\\n\")\n if dir_list.count > 0\n dir_list.each do |entry|\n describe directory(entry) do\n its('owner') { should_not be_empty }\n end\n end\n else\n describe 'The number of files and directories without a valid owner' do\n subject { dir_list }\n its('count') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75535.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75555.rb", "line": 3 }, - "id": "V-75535" + "id": "V-75555" }, { - "title": "The root account must be the only account having unrestricted access\nto the system.", - "desc": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire Ubuntu operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", + "title": "Ubuntu operating systems booted with a BIOS must require\nauthentication upon booting into single-user and maintenance modes.", + "desc": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. 
Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.", "descriptions": { - "default": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire Ubuntu operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", - "check": "Check the Ubuntu operating system for duplicate User ID (UID)\n\"0\" assignments with the following command:\n\n# awk -F: '$3 == 0 {print $1}' /etc/passwd\n\nroot\n\nIf any accounts other than root have a UID of \"0\", this is a finding.", - "fix": "Change the User ID (UID) of any account on the system, other than\nroot, that has a UID of \"0\".\n\nIf the account is associated with system commands or applications, the UID\nshould be changed to one greater than \"0\" but less than \"1000\". Otherwise,\nassign a UID of greater than \"1000\" that has not already been assigned." 
+ "default": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.", + "check": "Verify that an encrypted root password is set. 
This is only\napplicable on systems that use a basic Input/Output System BIOS.\n\nRun the following command to verify the encrypted password is set:\n\n# grep –i password /boot/grub/grub.cfg\n\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password entry does not begin with “password_pbkdf2”, this is a\nfinding.", + "fix": "Configure the system to require a password for authentication\nupon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \"/etc/grub.d/10_linux\" file with\nthe following command to add a boot password for the root entry:\n\n# cat << EOF > set superusers=\"root\" password_pbkdf2 root\ngrub.pbkdf2.sha512.VeryLongString > EOF\n\nGenerate an updated \"grub.conf\" file with the new password by using the\nfollowing commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/grub2/grub.cfg" }, "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75549", - "rid": "SV-90229r1_rule", - "stig_id": "UBTU-16-010670", - "fix_id": "F-82177r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-75505", + "rid": "SV-90185r2_rule", + "stig_id": "UBTU-16-010380", + "fix_id": "F-82133r1_fix", "cci": [ - "CCI-000366" + "CCI-000213" ], "nist": [ - "CM-6 b", + "AC-3", "Rev_4" ], "false_negatives": null, 
@@ -4077,50 +3946,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75549' do\n title \"The root account must be the only account having unrestricted access\nto the system.\"\n desc \"If an account other than root also has a User Identifier (UID) of\n\\\"0\\\", it has root authority, giving that account unrestricted access to the\nentire Ubuntu operating system. Multiple accounts with a UID of \\\"0\\\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75549'\n tag \"rid\": 'SV-90229r1_rule'\n tag \"stig_id\": 'UBTU-16-010670'\n tag \"fix_id\": 'F-82177r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Check the Ubuntu operating system for duplicate User ID (UID)\n\\\"0\\\" assignments with the following command:\n\n# awk -F: '$3 == 0 {print $1}' /etc/passwd\n\nroot\n\nIf any accounts other than root have a UID of \\\"0\\\", this is a finding.\"\n desc 'fix', \"Change the User ID (UID) of any account on the system, other than\nroot, that has a UID of \\\"0\\\".\n\nIf the account is associated with system commands or applications, the UID\nshould be changed to one greater than \\\"0\\\" but less than \\\"1000\\\". 
Otherwise,\nassign a UID of greater than \\\"1000\\\" that has not already been assigned.\"\n\n describe passwd.uids(0) do\n its('users') { should cmp 'root' }\n its('count') { should eq 1 }\n end\nend\n", + "code": "control 'V-75505' do\n title \"Ubuntu operating systems booted with a BIOS must require\nauthentication upon booting into single-user and maintenance modes.\"\n desc \"To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. 
These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-75505'\n tag \"rid\": 'SV-90185r2_rule'\n tag \"stig_id\": 'UBTU-16-010380'\n tag \"fix_id\": 'F-82133r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": %w[AC-3 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an encrypted root password is set. This is only\napplicable on systems that use a basic Input/Output System BIOS.\n\nRun the following command to verify the encrypted password is set:\n\n# grep –i password /boot/grub/grub.cfg\n\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password entry does not begin with “password_pbkdf2”, this is a\nfinding.\"\n desc 'fix', \"Configure the system to require a password for authentication\nupon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \\\"/etc/grub.d/10_linux\\\" file with\nthe following command to add a boot password for the root entry:\n\n# cat << EOF > set superusers=\\\"root\\\" password_pbkdf2 root\ngrub.pbkdf2.sha512.VeryLongString > EOF\n\nGenerate an updated \\\"grub.conf\\\" file with the new password by using the\nfollowing commands:\n\n# grub2-mkconfig 
--output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/grub2/grub.cfg\"\n\n describe file('/boot/grub/grub.cfg') do\n its('content') { should match '^password_pbkdf2' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75549.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75505.rb", "line": 3 }, - "id": "V-75549" + "id": "V-75505" }, { - "title": "The audit system must be configured to audit any usage of the modprobe\ncommand.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "Audit log directories must have a mode of 0750 or less permissive to\nprevent unauthorized read access.", + "desc": "Unauthorized disclosure of audit records can 
reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \"modprobe\", by running the\nfollowing command:\n\n# sudo grep \"/sbin/modprobe\" /etc/audit/audit.rules\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is 
a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe module management program \"modprobe\", by adding the following line to\n\"/etc/audit/audit.rules\":\n\n-w /sbin/modprobe -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "check": "Verify the audit log directories have a mode of \"0750\" or\nless permissive by first determining where the audit logs are stored with the\nfollowing command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log, determine the directory where the audit\nlogs are stored (ex: \"/var/log/audit\"). Run the following command to\ndetermine the permissions for the audit log folder:\n\n# sudo stat -c \"%a %n\" /var/log/audit\n750 /var/log/audit\n\nIf the audit log directory has a mode more permissive than \"0750\", this is a\nfinding.", + "fix": "Configure the audit log directory to be protected from\nunauthorized read access by setting the correct permissive mode with the\nfollowing command:\n\n# sudo chmod 0750 [audit_log_directory]\n\nReplace \"[audit_log_directory]\" to the correct audit log directory path, by\ndefault this location is \"/var/log/audit\"." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000037-GPOS-00015",
+ "gtitle": "SRG-OS-000057-GPOS-00027",
 "satisfies": [
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215"
+ "SRG-OS-000057-GPOS-00027",
+ "SRG-OS-000058-GPOS-00028",
+ "SRG-OS-000059-GPOS-00029"
 ],
- "gid": "V-75713",
- "rid": "SV-90393r2_rule",
- "stig_id": "UBTU-16-020440",
- "fix_id": "F-82341r2_fix",
+ "gid": "V-75637",
+ "rid": "SV-90317r2_rule",
+ "stig_id": "UBTU-16-020100",
+ "fix_id": "F-82265r1_fix",
 "cci": [
- "CCI-000130",
- "CCI-000135",
- "CCI-000169",
- "CCI-000172",
- "CCI-002884"
+ "CCI-000162",
+ "CCI-000163",
+ "CCI-000164"
 ],
 "nist": [
- "AU-3",
- "AU-3 (1)",
- "AU-12 a",
- "AU-12 c",
- "MA-4 (1) (a)",
+ "AU-9",
+ "AU-9",
+ "AU-9",
 "Rev_4"
 ],
 "false_negatives": null,
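Review bot: The new V-75505 code asserts only `its('content') { should match '^password_pbkdf2' }` against `/boot/grub/grub.cfg`, so a `password_pbkdf2` line for any user satisfies it even though the check text requires the root superuser entry specifically; a Regexp that pins the user, `its('content') { should match(/^password_pbkdf2\s+root\s+grub\.pbkdf2\./) }`, tests what the STIG actually asks for, and since the check text says the control is only applicable to BIOS-booted systems, a guard such as `only_if('Only applicable to BIOS-booted systems') { !directory('/sys/firmware/efi').exist? }` would stop it reporting on UEFI hosts. The `fix` text regenerates `/boot/grub2/grub.cfg` while the check and the `describe` read `/boot/grub/grub.cfg`; that mismatch is inherited from the STIG wording, but a one-line comment above the `describe` stating that the control evaluates `/boot/grub/grub.cfg` would save the next reader from wondering which path is authoritative. The control object this hunk belongs to begins in the previous hunk, and the following control's `tags` object continues past the end of this one.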
@@ -4134,34 +3996,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75713' do\n title \"The audit system must be configured to audit any usage of the modprobe\ncommand.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75713'\n tag \"rid\": 'SV-90393r2_rule'\n tag \"stig_id\": 'UBTU-16-020440'\n tag \"fix_id\": 'F-82341r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n 
CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \\\"modprobe\\\", by running the\nfollowing command:\n\n# sudo grep \\\"/sbin/modprobe\\\" /etc/audit/audit.rules\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe module management program \\\"modprobe\\\", by adding the following line to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /sbin/modprobe -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75637' do\n title \"Audit log directories must have a mode of 0750 or less permissive to\nprevent unauthorized read access.\"\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029]\n tag \"gid\": 'V-75637'\n tag \"rid\": 'SV-90317r2_rule'\n tag \"stig_id\": 'UBTU-16-020100'\n tag \"fix_id\": 'F-82265r1_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit log directories have a mode of \\\"0750\\\" or\nless permissive by first determining where the audit logs are stored with 
the\nfollowing command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log, determine the directory where the audit\nlogs are stored (ex: \\\"/var/log/audit\\\"). Run the following command to\ndetermine the permissions for the audit log folder:\n\n# sudo stat -c \\\"%a %n\\\" /var/log/audit\n750 /var/log/audit\n\nIf the audit log directory has a mode more permissive than \\\"0750\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the audit log directory to be protected from\nunauthorized read access by setting the correct permissive mode with the\nfollowing command:\n\n# sudo chmod 0750 [audit_log_directory]\n\nReplace \\\"[audit_log_directory]\\\" to the correct audit log directory path, by\ndefault this location is \\\"/var/log/audit\\\".\"\n\n log_file_path = input('log_file_path')\n log_dir = input('log_file_dir')\n\n log_file_and_dir_exist = !log_file_path.nil? && !log_dir.nil?\n if log_file_and_dir_exist\n describe directory(log_dir) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe ('Audit log file:' + log_file_path + ' and/or audit directory:' + log_dir + ' exist') do\n subject { log_file_and_dir_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75713.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75637.rb", "line": 3 }, - "id": "V-75713" + "id": "V-75637" }, { - "title": "An application firewall must protect against or limit the effects of\nDenial of Service (DoS) attacks by ensuring the Ubuntu operating system is\nimplementing rate-limiting measures on impacted network interfaces.", - "desc": "DoS is a condition when a resource is not available for legitimate\nusers. 
When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of the Ubuntu operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on\nsystem availability. For each system, known and potential DoS attacks must be\nidentified and solutions for each type implemented. A variety of technologies\nexist to limit or, in some cases, eliminate the effects of DoS attacks (e.g.,\nlimiting processes or establishing memory partitions). Employing increased\ncapacity and bandwidth, combined with service redundancy, may reduce the\nsusceptibility to some DoS attacks.", + "title": "Successful/unsuccessful uses of the fchmodat command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of the Ubuntu operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on\nsystem availability. For each system, known and potential DoS attacks must be\nidentified and solutions for each type implemented. A variety of technologies\nexist to limit or, in some cases, eliminate the effects of DoS attacks (e.g.,\nlimiting processes or establishing memory partitions). 
Employing increased\ncapacity and bandwidth, combined with service redundancy, may reduce the\nsusceptibility to some DoS attacks.", - "check": "Verify an application firewall is configured to rate limit any\nconnection to the system.\n\nCheck that the Uncomplicated Firewall is configured to rate limit any\nconnection to the system with the following command:\n\n# sudo ufw show raw\n\nChain ufw-user-input (1 references)\npkts bytes target prot opt in out source destination\n0 0 ufw-user-limit all -- eth0 * 0.0.0.0/0 0.0.0.0/0\nctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side:\nsource mask: 255.255.255.255\n\n0 0 ufw-user-limit-accept all -- eth0 * 0.0.0.0/0 0.0.0.0/0\n\n\nIf any service is not rate limited by the Uncomplicated Firewall, this is a\nfinding.", - "fix": "Configure the application firewall to protect against or limit\nthe effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating\nsystem is implementing rate-limiting measures on impacted network interfaces.\n\nRun the following command replacing \"[service]\" with the service that needs\nto be rate limited.\n\n# sudo ufw limit [service]\n\nOr rate-limiting can be done on an interface. 
An example of adding a rate-limit\non the eth0 interface:\n\n# sudo ufw limit in on eth0" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"fchmodat\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"fchmodat\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000420-GPOS-00186",
- "gid": "V-75855",
- "rid": "SV-90535r1_rule",
- "stig_id": "UBTU-16-030410",
- "fix_id": "F-82485r1_fix",
+ "gtitle": "SRG-OS-000037-GPOS-00015",
+ "satisfies": [
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-75741",
+ "rid": "SV-90421r3_rule",
+ "stig_id": "UBTU-16-020580",
+ "fix_id": "F-82369r2_fix",
 "cci": [
- "CCI-002385"
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
 ],
 "nist": [
- "SC-5",
+ "AU-3",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
 "Rev_4"
 ],
 "false_negatives": null,
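Review bot: The fallback `describe` in the new V-75637 code builds its description with `'Audit log file:' + log_file_path + ' and/or audit directory:' + log_dir + ' exist'`, but that branch is reached only when at least one of those two values is nil, so the concatenation raises `TypeError` (no implicit conversion of nil into String) and the control errors out instead of reporting the missing input as a failed test; interpolation, `describe "Audit log file: #{log_file_path} and/or audit directory: #{log_dir} exist" do`, reports cleanly. `log_file_path` is otherwise unused, while the STIG check derives the directory from `log_file` in `/etc/audit/auditd.conf`; falling back to `File.dirname(log_file_path)` when `log_file_dir` is unset, or reading the path through the `auditd_conf` resource, would make the control depend less on two separately supplied inputs that can drift apart. Whether an undefined input is returned as plain `nil` by `input()` in the InSpec version this profile targets is not visible here and is worth confirming, since that nil test is the only thing guarding the `directory(log_dir)` call. The control objects on both sides of this hunk begin and end outside it.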
@@ -4175,34 +4053,53 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75855' do\n title \"An application firewall must protect against or limit the effects of\nDenial of Service (DoS) attacks by ensuring the Ubuntu operating system is\nimplementing rate-limiting measures on impacted network interfaces.\"\n desc \"DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of the Ubuntu operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on\nsystem availability. For each system, known and potential DoS attacks must be\nidentified and solutions for each type implemented. A variety of technologies\nexist to limit or, in some cases, eliminate the effects of DoS attacks (e.g.,\nlimiting processes or establishing memory partitions). Employing increased\ncapacity and bandwidth, combined with service redundancy, may reduce the\nsusceptibility to some DoS attacks.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000420-GPOS-00186'\n tag \"gid\": 'V-75855'\n tag \"rid\": 'SV-90535r1_rule'\n tag \"stig_id\": 'UBTU-16-030410'\n tag \"fix_id\": 'F-82485r1_fix'\n tag \"cci\": ['CCI-002385']\n tag \"nist\": %w[SC-5 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify an application firewall is configured to rate limit any\nconnection to the system.\n\nCheck that the Uncomplicated Firewall is configured to rate limit any\nconnection to the system with the following command:\n\n# sudo ufw show raw\n\nChain ufw-user-input (1 references)\npkts bytes target prot 
opt in out source destination\n0 0 ufw-user-limit all -- eth0 * 0.0.0.0/0 0.0.0.0/0\nctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side:\nsource mask: 255.255.255.255\n\n0 0 ufw-user-limit-accept all -- eth0 * 0.0.0.0/0 0.0.0.0/0\n\n\nIf any service is not rate limited by the Uncomplicated Firewall, this is a\nfinding.\"\n desc 'fix', \"Configure the application firewall to protect against or limit\nthe effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating\nsystem is implementing rate-limiting measures on impacted network interfaces.\n\nRun the following command replacing \\\"[service]\\\" with the service that needs\nto be rate limited.\n\n# sudo ufw limit [service]\n\nOr rate-limiting can be done on an interface. An example of adding a rate-limit\non the eth0 interface:\n\n# sudo ufw limit in on eth0\"\n\n ufw_status_output = command('ufw status').stdout.strip\n is_ufw_active = !ufw_status_output.lines.first.include?('inactive')\n\n if is_ufw_active\n describe ufw_status_output do\n it { should match /(LIMIT)/ }\n end\n else\n describe 'UFW status is active' do\n subject { is_ufw_active }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75741' do\n title \"Successful/unsuccessful uses of the fchmodat command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75741'\n tag \"rid\": 
'SV-90421r3_rule'\n tag \"stig_id\": 'UBTU-16-020580'\n tag \"fix_id\": 'F-82369r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"fchmodat\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"fchmodat\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fchmodat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fchmodat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75855.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75741.rb", "line": 3 }, - "id": "V-75855" + "id": "V-75741" }, { - "title": "Advance package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating\nsystem components without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.", - "desc": "Changes to any software components can have significant effects on the\noverall security of the Ubuntu operating system. This requirement ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor.\n\n Accordingly, patches, service packs, device drivers, or Ubuntu operating\nsystem components must be signed with a certificate recognized and approved by\nthe organization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. Setting the\n\"Verify-Peer\" Boolean will determine whether or not the server's host\ncertificate should be verified against trusted certificates. This ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The Ubuntu\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "title": "The audit system must be configured to audit any usage of the\nremovexattr system call.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "Changes to any software components can have significant effects on the\noverall security of the Ubuntu operating system. 
This requirement ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor.\n\n Accordingly, patches, service packs, device drivers, or Ubuntu operating\nsystem components must be signed with a certificate recognized and approved by\nthe organization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. Setting the\n\"Verify-Peer\" Boolean will determine whether or not the server's host\ncertificate should be verified against trusted certificates. This ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The Ubuntu\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", - "check": "Verify that Advance package Tool (APT) is configured to prevent\nthe installation of patches, service packs, device drivers, or Ubuntu operating\nsystem components without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or set to\n\"false\" with the following command:\n\n# grep -i allowunauth /etc/apt/apt.conf.d/*\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" set\nto \"true\", this is a finding.", - "fix": "Configure Advance package Tool (APT) to prevent the installation\nof patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\n\nRemove/Update any APT configuration file that contain the 
variable\n\"AllowUnauthenticated\" to \"false\", or remove \"AllowUnauthenticated\"\nentirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated \"false\";" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"removexattr\" system call, by running the following\ncommand:\n\n# sudo grep -w removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\n\nIf the 
command does not return a line, or the line is commented out, this is a\nfinding.",
+ "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"removexattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000366-GPOS-00153",
- "gid": "V-75527",
- "rid": "SV-90207r2_rule",
- "stig_id": "UBTU-16-010560",
- "fix_id": "F-82155r1_fix",
+ "gtitle": "SRG-OS-000037-GPOS-00015",
+ "satisfies": [
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000458-GPOS-00203",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000463-GPOS-00207",
+ "SRG-OS-000471-GPOS-00215",
+ "SRG-OS-000474-GPOS-00219"
+ ],
+ "gid": "V-75723",
+ "rid": "SV-90403r2_rule",
+ "stig_id": "UBTU-16-020490",
+ "fix_id": "F-82351r2_fix",
 "cci": [
- "CCI-001749"
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
 ],
 "nist": [
- "CM-5 (3)",
+ "AU-3",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
 "Rev_4"
 ],
 "false_negatives": null,
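Review bot: The InSpec check embedded in the new `code` value for V-75741 only asserts `its('action.uniq') { should eq ['always'] }` and `its('list.uniq') { should eq ['exit'] }` per architecture, so it never verifies the `-F auid>=1000 -F auid!=4294967295` filters or the `perm_chng` key that the control's own `check` and `fix` text require; any `always,exit` rule naming `fchmodat` satisfies the automated test even when it is scoped differently from the documented rule. Adding a key assertion in each `describe` block, e.g. `its('key.uniq') { should eq ['perm_chng'] }`, and a field assertion for the auid filters would align the automated result with the manual procedure. The same gap applies to the V-75723 `removexattr` check in the next hunk, where the documented rule set additionally includes a separate `-F auid=0` rule that the test does not distinguish. The `code` string here is a serialized copy of a control file, so the fix belongs in the referenced `V-75741.rb` source rather than in this JSON.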
@@ -4216,29 +4113,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75527' do\n title \"Advance package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating\nsystem components without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\"\n desc \"Changes to any software components can have significant effects on the\noverall security of the Ubuntu operating system. This requirement ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor.\n\n Accordingly, patches, service packs, device drivers, or Ubuntu operating\nsystem components must be signed with a certificate recognized and approved by\nthe organization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. Setting the\n\\\"Verify-Peer\\\" Boolean will determine whether or not the server's host\ncertificate should be verified against trusted certificates. This ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The Ubuntu\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000366-GPOS-00153'\n tag \"gid\": 'V-75527'\n tag \"rid\": 'SV-90207r2_rule'\n tag \"stig_id\": 'UBTU-16-010560'\n tag \"fix_id\": 'F-82155r1_fix'\n tag \"cci\": ['CCI-001749']\n tag \"nist\": ['CM-5 (3)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Advance package Tool (APT) is configured to prevent\nthe installation of patches, service packs, device drivers, or Ubuntu operating\nsystem components without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or set to\n\\\"false\\\" with the following command:\n\n# grep -i allowunauth /etc/apt/apt.conf.d/*\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" set\nto \\\"true\\\", this is a finding.\"\n desc 'fix', \"Configure Advance package Tool (APT) to prevent the installation\nof patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\n\nRemove/Update any APT configuration file that contain the variable\n\\\"AllowUnauthenticated\\\" to \\\"false\\\", or remove \\\"AllowUnauthenticated\\\"\nentirely from each file. 
Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated \\\"false\\\";\"\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match /.*false.*/ }\n end\n end\n end\nend\n", + "code": "control 'V-75723' do\n title \"The audit system must be configured to audit any usage of the\nremovexattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75723'\n tag \"rid\": 'SV-90403r2_rule'\n tag \"stig_id\": 'UBTU-16-020490'\n tag \"fix_id\": 'F-82351r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the 
\\\"removexattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"removexattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('removexattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('removexattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75527.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75723.rb", "line": 3 }, - "id": "V-75527" + "id": "V-75723" }, { - "title": "There must be no .shosts files on the Ubuntu operating system.", - "desc": "The .shosts files are used to configure host-based authentication for\nindividual users or the system via SSH. 
Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", + "title": "The Ubuntu operating system must not respond to Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a\nbroadcast address.", + "desc": "Responding to broadcast Internet Control Message Protocol (ICMP)\nechoes facilitates network mapping and provides a vector for amplification\nattacks.", "descriptions": { - "default": "The .shosts files are used to configure host-based authentication for\nindividual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", - "check": "Verify there are no \".shosts\" files on the Ubuntu operating\nsystem.\n\nCheck the system for the existence of these files with the following command:\n\n# sudo find / -name '*.shosts'\n\nIf any \".shosts\" files are found, this is a finding.", - "fix": "Remove any found \".shosts\" files from the Ubuntu operating\nsystem.\n\n# rm /[path]/[to]/[file]/.shosts" + "default": "Responding to broadcast Internet Control Message Protocol (ICMP)\nechoes facilitates network mapping and provides a vector for amplification\nattacks.", + "check": "Verify the Ubuntu operating system does not respond to IPv4\nInternet Control Message Protocol (ICMP) echoes sent to a broadcast address.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the\nfollowing command:\n\n# sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or\nthe retuned line is commented out, this is a finding.", + "fix": 
"Configure the Ubuntu operating system to not respond to Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent\nto a broadcast address with the following command:\n\n# sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf \"1\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1"
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75499",
- "rid": "SV-90179r1_rule",
- "stig_id": "UBTU-16-010350",
- "fix_id": "F-82127r1_fix",
+ "gid": "V-75877",
+ "rid": "SV-90557r2_rule",
+ "stig_id": "UBTU-16-030550",
+ "fix_id": "F-82507r2_fix",
 "cci": [
 "CCI-000366"
 ],
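Review bot: The new `check` text for V-75877 contains a typo in its finding criterion, `the retuned line is commented out`, which should read `the returned line is commented out`. This string is the manual assessment procedure shown to reviewers, so it is worth correcting in the generating control source; the same wording is repeated inside the serialized `code` value for this control in the next hunk. The V-75877 record starts in this hunk and its `impact`, `tags` and `code` continue in the following one.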
@@ -4257,43 +4154,40 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75499' do\n title 'There must be no .shosts files on the Ubuntu operating system.'\n desc \"The .shosts files are used to configure host-based authentication for\nindividual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75499'\n tag \"rid\": 'SV-90179r1_rule'\n tag \"stig_id\": 'UBTU-16-010350'\n tag \"fix_id\": 'F-82127r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify there are no \\\".shosts\\\" files on the Ubuntu operating\nsystem.\n\nCheck the system for the existence of these files with the following command:\n\n# sudo find / -name '*.shosts'\n\nIf any \\\".shosts\\\" files are found, this is a finding.\"\n desc 'fix', \"Remove any found \\\".shosts\\\" files from the Ubuntu operating\nsystem.\n\n# rm /[path]/[to]/[file]/.shosts\"\n\n describe command(\"find / -name '*.shosts'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control 'V-75877' do\n title \"The Ubuntu operating system must not respond to Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a\nbroadcast address.\"\n desc \"Responding to broadcast Internet Control Message Protocol (ICMP)\nechoes facilitates network mapping and provides a vector for 
amplification\nattacks.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75877'\n tag \"rid\": 'SV-90557r2_rule'\n tag \"stig_id\": 'UBTU-16-030550'\n tag \"fix_id\": 'F-82507r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not respond to IPv4\nInternet Control Message Protocol (ICMP) echoes sent to a broadcast address.\n\nCheck the value of the \\\"icmp_echo_ignore_broadcasts\\\" variable with the\nfollowing command:\n\n# sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf the returned line does not have a value of \\\"1\\\", a line is not returned, or\nthe retuned line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not respond to Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent\nto a broadcast address with the following command:\n\n# sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf \\\"1\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1\"\n\n describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do\n its('value') { should eq 1 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75499.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75877.rb", "line": 3 }, - "id": "V-75499" + "id": "V-75877" }, { - "title": "Audit logs must be owned by root to prevent unauthorized read access.", - "desc": "Unauthorized disclosure 
of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "title": "The Ubuntu operating system must enforce SSHv2 for network access to\nall accounts.", + "desc": "A replay attack may enable an unauthorized user to gain access to the\nUbuntu operating system. Authentication sessions between the authenticator and\nthe Ubuntu operating system validating the user credentials must not be\nvulnerable to a replay attack.\n\n An authentication process resists replay attacks if it is impractical to\nachieve a successful authentication by recording and replaying a previous\nauthentication message.\n\n A privileged account is any information system account with authorizations\nof a privileged user.\n\n Techniques used to address this include protocols using nonces (e.g.,\nnumbers generated for a specific one-time use) or challenges (e.g., TLS,\nWS_Security). Additional techniques include time-synchronous or\nchallenge-response one-time authenticators.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", - "check": "Verify the audit logs are owned by \"root\". 
First determine\nwhere the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is owned\nby \"root\" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\nrw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not owned by \"root\", this is a finding.", - "fix": "Configure the audit log to be protected from unauthorized read\naccess, by setting the correct owner as \"root\" with the following command:\n\n# sudo chown root [audit_log_file]\n\nReplace \"[audit_log_file]\" to the correct audit log path, by default this\nlocation is \"/var/log/audit/audit.log\"." + "default": "A replay attack may enable an unauthorized user to gain access to the\nUbuntu operating system. Authentication sessions between the authenticator and\nthe Ubuntu operating system validating the user credentials must not be\nvulnerable to a replay attack.\n\n An authentication process resists replay attacks if it is impractical to\nachieve a successful authentication by recording and replaying a previous\nauthentication message.\n\n A privileged account is any information system account with authorizations\nof a privileged user.\n\n Techniques used to address this include protocols using nonces (e.g.,\nnumbers generated for a specific one-time use) or challenges (e.g., TLS,\nWS_Security). 
Additional techniques include time-synchronous or\nchallenge-response one-time authenticators.",
+ "check": "Verify that the Ubuntu operating system enforces SSH protocol 2\nfor network access.\n\nCheck the protocol versions that SSH allows with the following command:\n\n#grep -i protocol /etc/ssh/sshd_config\n\nProtocol 2\n\nIf the returned line allows for use of protocol \"1\", is commented out, or the\nline is missing, this is a finding.",
+ "fix": "Configure the Ubuntu operating system to enforce SSHv2 for\nnetwork access to all accounts.\n\nAdd or update the following line in the \"/etc/ssh/sshd_config\" file:\n\nProtocol 2\n\nRestart the ssh service.\n\n# systemctl restart sshd.service"
 },
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000057-GPOS-00027",
+ "gtitle": "SRG-OS-000112-GPOS-00057",
 "satisfies": [
- "SRG-OS-000057-GPOS-00027",
- "SRG-OS-000058-GPOS-00028",
- "SRG-OS-000059-GPOS-00029"
+ "SRG-OS-000112-GPOS-00057",
+ "SRG-OS-000113-GPOS-00058"
 ],
- "gid": "V-75639",
- "rid": "SV-90319r2_rule",
- "stig_id": "UBTU-16-020110",
- "fix_id": "F-82267r2_fix",
+ "gid": "V-75823",
+ "rid": "SV-90503r1_rule",
+ "stig_id": "UBTU-16-030200",
+ "fix_id": "F-82453r1_fix",
 "cci": [
- "CCI-000162",
- "CCI-000163",
- "CCI-000164"
+ "CCI-001941",
+ "CCI-001942"
 ],
 "nist": [
- "AU-9",
- "AU-9",
- "AU-9",
+ "IA-2 (8)",
+ "IA-2 (9)",
 "Rev_4"
 ],
 "false_negatives": null,
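Review bot: The V-75877 InSpec test in the new `code` value, `describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do its('value') { should eq 1 } end`, reads only the live kernel value, while the control's `fix` text also requires the setting to be persisted in `/etc/sysctl.conf` or `/etc/sysctl.d`; a host configured with `sysctl -w` alone passes the profile and silently reverts at the next boot. A second `describe` over the persisted configuration, checking that the `net.ipv4.icmp_echo_ignore_broadcasts=1` line is present and uncommented in one of those files, would make the automated result match the documented remediation. Separately, the new V-75823 `check` string writes the command as `#grep -i protocol /etc/ssh/sshd_config` without the space after `#` that every other check string in this file uses, which reads as a comment rather than a prompt. The V-75823 `code` value begins in the next hunk, beyond this one.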
@@ -4307,83 +4201,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75639' do\n title 'Audit logs must be owned by root to prevent unauthorized read access.'\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029]\n tag \"gid\": 'V-75639'\n tag \"rid\": 'SV-90319r2_rule'\n tag \"stig_id\": 'UBTU-16-020110'\n tag \"fix_id\": 'F-82267r2_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit logs are owned by \\\"root\\\". 
First determine\nwhere the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is owned\nby \\\"root\\\" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\nrw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit log to be protected from unauthorized read\naccess, by setting the correct owner as \\\"root\\\" with the following command:\n\n# sudo chown root [audit_log_file]\n\nReplace \\\"[audit_log_file]\\\" to the correct audit log path, by default this\nlocation is \\\"/var/log/audit/audit.log\\\".\"\n\n log_file_path = auditd_conf.log_file\n\n describe file(log_file_path) do\n its('owner') { should cmp 'root' }\n end\nend\n", + "code": "control 'V-75823' do\n title \"The Ubuntu operating system must enforce SSHv2 for network access to\nall accounts.\"\n desc \"A replay attack may enable an unauthorized user to gain access to the\nUbuntu operating system. Authentication sessions between the authenticator and\nthe Ubuntu operating system validating the user credentials must not be\nvulnerable to a replay attack.\n\n An authentication process resists replay attacks if it is impractical to\nachieve a successful authentication by recording and replaying a previous\nauthentication message.\n\n A privileged account is any information system account with authorizations\nof a privileged user.\n\n Techniques used to address this include protocols using nonces (e.g.,\nnumbers generated for a specific one-time use) or challenges (e.g., TLS,\nWS_Security). 
Additional techniques include time-synchronous or\nchallenge-response one-time authenticators.\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": %w[SRG-OS-000112-GPOS-00057 SRG-OS-000113-GPOS-00058]\n tag \"gid\": 'V-75823'\n tag \"rid\": 'SV-90503r1_rule'\n tag \"stig_id\": 'UBTU-16-030200'\n tag \"fix_id\": 'F-82453r1_fix'\n tag \"cci\": %w[CCI-001941 CCI-001942]\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system enforces SSH protocol 2\nfor network access.\n\nCheck the protocol versions that SSH allows with the following command:\n\n#grep -i protocol /etc/ssh/sshd_config\n\nProtocol 2\n\nIf the returned line allows for use of protocol \\\"1\\\", is commented out, or the\nline is missing, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce SSHv2 for\nnetwork access to all accounts.\n\nAdd or update the following line in the \\\"/etc/ssh/sshd_config\\\" file:\n\nProtocol 2\n\nRestart the ssh service.\n\n# systemctl restart sshd.service\"\n\n describe sshd_config do\n its('Protocol') { should cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75639.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75823.rb", "line": 3 }, - "id": "V-75639" + "id": "V-75823" }, { - "title": "An application firewall must employ a deny-all, allow-by-exception\npolicy for allowing connections to other systems.", - "desc": "Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. 
It also permits outbound\nconnections that may facilitate exfiltration of DoD data.", + "title": "Successful/unsuccessful uses of the chmod command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. It also permits outbound\nconnections that may facilitate exfiltration of DoD data.", - "check": "Verify the Uncomplicated Firewall is configured to employ a\ndeny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command:\n# sudo ufw status\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are \"allowed\" and are not documented\nwith the organization, this is a finding.", - "fix": "Configure the Uncomplicated Firewall to employ a deny-all,\nallow-by-exception policy for allowing connections to other systems.\n\nRemove any service that is not needed or documented by the organization with\nthe following command (replace [NUMBER] with the rule number):\n\n# sudo ufw delete [NUMBER]\n\nAnother option would be to set the Uncomplicated Firewall back to default with\nthe following commands:\n\n# sudo ufw default deny incoming\n# sudo ufw default allow outgoing\n\nNote: UFW’s defaults are to deny all incoming connections and allow all\noutgoing connections." 
+ "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chmod\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chmod\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000297-GPOS-00115", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000297-GPOS-00115", - "SRG-OS-000480-GPOS-00231" - ], - "gid": "V-75807", - "rid": "SV-90487r2_rule", - "stig_id": "UBTU-16-030050", - "fix_id": "F-82437r1_fix", - "cci": [ - "CCI-000366", - "CCI-002080", - "CCI-002314" - ], - "nist": [ - "CM-6 b", - "CA-3 (5)", - "AC-17 (1)", - "Rev_4" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null - }, - "code": "control 'V-75807' do\n title \"An application firewall must employ a deny-all, allow-by-exception\npolicy for allowing connections to other systems.\"\n desc \"Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. 
It also permits outbound\nconnections that may facilitate exfiltration of DoD data.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000297-GPOS-00115'\n tag \"satisfies\": %w[SRG-OS-000297-GPOS-00115 SRG-OS-000480-GPOS-00231]\n tag \"gid\": 'V-75807'\n tag \"rid\": 'SV-90487r2_rule'\n tag \"stig_id\": 'UBTU-16-030050'\n tag \"fix_id\": 'F-82437r1_fix'\n tag \"cci\": %w[CCI-000366 CCI-002080 CCI-002314]\n tag \"nist\": ['CM-6 b', 'CA-3 (5)', 'AC-17 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Uncomplicated Firewall is configured to employ a\ndeny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command:\n# sudo ufw status\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are \\\"allowed\\\" and are not documented\nwith the organization, this is a finding.\"\n desc 'fix', \"Configure the Uncomplicated Firewall to employ a deny-all,\nallow-by-exception policy for allowing connections to other systems.\n\nRemove any service that is not needed or documented by the organization with\nthe following command (replace [NUMBER] with the rule number):\n\n# sudo ufw delete [NUMBER]\n\nAnother option would be to set the Uncomplicated Firewall back to default with\nthe following commands:\n\n# sudo ufw default deny incoming\n# sudo ufw default allow outgoing\n\nNote: UFW’s defaults are to deny all incoming connections and allow all\noutgoing connections.\"\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { 
value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", - "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75807.rb", - "line": 3 - }, - "id": "V-75807" - }, - { - "title": "A file integrity tool must be installed to verify correct operation of\nall security functions in the Ubuntu operating system.", - "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", - "descriptions": { - "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is\ninstalled and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n\n# sudo apt list aide\n\naide/xenial,now 0.16~a2.git20130520-3 amd64 [installed]\n\nIf AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a\nfinding.", - "fix": "Install the AIDE package by running the following command:\n\n# sudo apt-get install aide" - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000445-GPOS-00199", - "gid": "V-75515", - "rid": "SV-90195r3_rule", - "stig_id": "UBTU-16-010500", - "fix_id": "F-82143r1_fix", + "gid": "V-75737", + "rid": "SV-90417r3_rule", + "stig_id": "UBTU-16-020560", + "fix_id": "F-82365r2_fix", "cci": [ - "CCI-002696" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "SI-6 a", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
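Review bot: The `describe sshd_config do its('Protocol') { should cmp 2 } end` block at the end of V-75823 treats a missing `Protocol` line as a finding, which matches the STIG text for Ubuntu 16.04 (OpenSSH 7.2 still honours the directive) but becomes a permanent false positive on OpenSSH 7.4 and later, where protocol 1 and the directive itself were removed and a missing line is the secure state. I would pin that assumption in the control so it is not carried into later baselines unchanged: `# OpenSSH 7.2 (xenial) still honours Protocol; 7.4+ dropped v1 and the directive, so a missing line is correct there`. This JSON is the compiled profile, so the comment belongs in `./Ubuntu 16.04 STIG/controls/V-75823.rb`. The V-75737 control that starts in the second half of this hunk continues into the next one.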
@@ -4397,34 +4258,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75515' do\n title \"A file integrity tool must be installed to verify correct operation of\nall security functions in the Ubuntu operating system.\"\n desc \"Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to Ubuntu operating systems performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000445-GPOS-00199'\n tag \"gid\": 'V-75515'\n tag \"rid\": 'SV-90195r3_rule'\n tag \"stig_id\": 'UBTU-16-010500'\n tag \"fix_id\": 'F-82143r1_fix'\n tag \"cci\": ['CCI-002696']\n tag \"nist\": ['SI-6 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is\ninstalled and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n\n# sudo apt list aide\n\naide/xenial,now 0.16~a2.git20130520-3 amd64 [installed]\n\nIf AIDE is not installed, ask the System Administrator how file integrity\nchecks are 
performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a\nfinding.\"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n# sudo apt-get install aide\"\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n", + "code": "control 'V-75737' do\n title \"Successful/unsuccessful uses of the chmod command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75737'\n tag \"rid\": 'SV-90417r3_rule'\n tag \"stig_id\": 'UBTU-16-020560'\n tag \"fix_id\": 'F-82365r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chmod\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chmod 
/etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chmod\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75515.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75737.rb", "line": 3 }, - "id": "V-75515" + "id": "V-75737" }, { - "title": "Library files must be owned by root.", - "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "title": "All local initialization files must have mode 0740 or less permissive.", + "desc": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", - "check": "Verify the system-wide shared library files are owned by\n\"root\".\n\nCheck that the system-wide shared library files are owned by \"root\" with the\nfollowing command:\n\n# sudo find /lib /usr/lib /lib64 ! -user root | xargs ls -la\n\nIf any system wide shared library file is returned, this is a finding.", - "fix": "Configure the system-wide shared library files (/lib, /usr/lib,\n/lib64) to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any library file not owned\nby \"root\".\n\n# sudo chown root [FILE]" + "default": "Local initialization files are used to configure the user's shell\nenvironment upon logon. 
Malicious modification of these files could compromise\naccounts upon logon.", + "check": "Verify that all local initialization files have a mode of\n\"0740\" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n# ls -al /home/smithj/.* | more\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than \"0740\",\nthis is a finding.", + "fix": "Set the mode of the local initialization files to \"0740\" with\nthe following command:\n\nNote: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n# chmod 0740 /home/smithj/." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-75607", - "rid": "SV-90287r2_rule", - "stig_id": "UBTU-16-011010", - "fix_id": "F-82235r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75569", + "rid": "SV-90249r1_rule", + "stig_id": "UBTU-16-010770", + "fix_id": "F-82197r1_fix", "cci": [ - "CCI-001499" + "CCI-000366" ], "nist": [ - "CM-5 (6)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
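Review bot: The V-75737 test asserts a `b32` chmod rule unconditionally (`describe auditd.syscall('chmod').where { arch == 'b32' }`) while the check and fix text in the same control only ever mention the `arch=b64` rule, so a host remediated exactly as the fix describes still fails this control. The two need to agree: either the fix gains a second line, `-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_chng` (worth adding, since 32-bit callers on an x86_64 kernel use the i386 syscall table and a b64-only rule never sees them), or the b32 describe should be dropped to match the published STIG. Separately, neither describe checks the `auid>=1000` / `auid!=4294967295` filters or the key, so a rule narrowed to, say, `-F auid=0` passes; if the auditd resource exposes the rule fields (I believe `its('fields_nokey.flatten') { should include 'auid>=1000' }` works) that would close the gap. The change belongs in `./Ubuntu 16.04 STIG/controls/V-75737.rb`, from which this JSON is generated.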
@@ -4438,29 +4299,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75607' do\n title 'Library files must be owned by root.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75607'\n tag \"rid\": 'SV-90287r2_rule'\n tag \"stig_id\": 'UBTU-16-011010'\n tag \"fix_id\": 'F-82235r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system-wide shared library files are owned by\n\\\"root\\\".\n\nCheck that the system-wide shared library files are owned by \\\"root\\\" with the\nfollowing command:\n\n# sudo find /lib /usr/lib /lib64 ! 
-user root | xargs ls -la\n\nIf any system wide shared library file is returned, this is a finding.\"\n desc 'fix', \"Configure the system-wide shared library files (/lib, /usr/lib,\n/lib64) to be protected from unauthorized access.\n\nRun the following command, replacing \\\"[FILE]\\\" with any library file not owned\nby \\\"root\\\".\n\n# sudo chown root [FILE]\"\n\n if os.arch == 'x86_64'\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root').stdout.strip.split(\"\\n\").entries\n else\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75569' do\n title 'All local initialization files must have mode 0740 or less permissive.'\n desc \"Local initialization files are used to configure the user's shell\nenvironment upon logon. 
Malicious modification of these files could compromise\naccounts upon logon.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75569'\n tag \"rid\": 'SV-90249r1_rule'\n tag \"stig_id\": 'UBTU-16-010770'\n tag \"fix_id\": 'F-82197r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all local initialization files have a mode of\n\\\"0740\\\" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of\n\\\"/home/smithj\\\".\n\n# ls -al /home/smithj/.* | more\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than \\\"0740\\\",\nthis is a finding.\"\n desc 'fix', \"Set the mode of the local initialization files to \\\"0740\\\" with\nthe following command:\n\nNote: The example will be for the smithj user, who has a home directory of\n\\\"/home/smithj\\\".\n\n# chmod 0740 /home/smithj/.\"\n\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n dot_files = command(\"find #{user_info.home} -xdev -maxdepth 1 -name '.*' -type f\").stdout.split(\"\\n\")\n dot_files.each do |dot_file|\n next unless file(dot_file).more_permissive_than?('0740')\n\n findings << dot_file\n end\n end\n describe 'All local initialization files have 
a mode of 0740 or less permissive' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75607.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75569.rb", "line": 3 }, - "id": "V-75607" + "id": "V-75569" }, { - "title": "Successful/unsuccessful uses of the chcon command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The audit system must be configured to audit any usage of the kmod\ncommand.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chcon /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use 
of the \"chcon\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \"kmod\", by running the\nfollowing command:\n\n# sudo grep \"/bin/kmod\" /etc/audit/audit.rules\n\n-w /bin/kmod -p x -k 
modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe module management program \"kmod\" by adding the following line to\n\"/etc/audit/audit.rules\":\n\n-w /bin/kmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000037-GPOS-00015", - "gid": "V-80969", - "rid": "SV-95681r1_rule", - "stig_id": "UBTU-16-020690", - "fix_id": "F-87829r1_fix", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75715", + "rid": "SV-90395r2_rule", + "stig_id": "UBTU-16-020450", + "fix_id": "F-82343r2_fix", "cci": [ "CCI-000130", "CCI-000135", 
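Review bot: In V-75569, `command("find #{user_info.home} -xdev -maxdepth 1 -name '.*' -type f")` interpolates each home directory from `/etc/passwd` into a shell command unquoted, so a home containing spaces or shell metacharacters makes `find` search the wrong path or fail, and because `findings` only grows on a match that user silently passes. Escaping the path fixes it: `require 'shellwords'` at the top of the control and `dot_files = command("find #{Shellwords.escape(user_info.home)} -xdev -maxdepth 1 -name '.*' -type f").stdout.split("\n")`. Also, `non_interactive_shells.join('|')` is used as a regex, so an empty `non_interactive_shells` input yields `''`, which `shell.match` accepts for every account and the control passes having examined no users; a guard such as `ignore_shells = non_interactive_shells.empty? ? /\A\z/ : Regexp.union(non_interactive_shells)` avoids that (I cannot see the profile's input default from here). The V-75715 control whose text begins in the second half of this hunk has its code in the next hunk, and the fix belongs in `./Ubuntu 16.04 STIG/controls/V-75569.rb`.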
@@ -4487,34 +4356,34 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-80969' do\n title \"Successful/unsuccessful uses of the chcon command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"gid\": 'V-80969'\n tag \"rid\": 'SV-95681r1_rule'\n tag \"stig_id\": 'UBTU-16-020690'\n tag \"fix_id\": 'F-87829r1_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chcon\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chcon /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chcon\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n",
+ "code": "control 'V-75715' do\n title \"The audit system must be configured to audit any usage of the kmod\ncommand.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75715'\n tag \"rid\": 'SV-90395r2_rule'\n tag \"stig_id\": 'UBTU-16-020450'\n tag \"fix_id\": 'F-82343r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \\\"kmod\\\", by running the\nfollowing command:\n\n# sudo grep \\\"/bin/kmod\\\" /etc/audit/audit.rules\n\n-w /bin/kmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe module management program \\\"kmod\\\" by adding the following line to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /bin/kmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-80969.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75715.rb",
 "line": 3
 },
- "id": "V-80969"
+ "id": "V-75715"
 },
 {
- "title": "The Ubuntu operating system must notify the System Administrator (SA)\nand Information System Security Officer (ISSO) (at a minimum) via email when\nallocated audit record storage volume reaches 75% of the repository maximum\naudit record storage capacity.",
- "desc": "If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.",
+ "title": "Ubuntu operating system sessions must be automatically logged out\nafter 15 minutes of inactivity.",
+ "desc": "An Ubuntu operating system needs to be able to identify when a user's\nsessions has idled for longer than 15 minutes. The Ubuntu operating system must\nlogout a users' session after 15 minutes to prevent anyone from gaining access\nto the machine while the user is away.",
 "descriptions": {
- "default": "If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.",
- "check": "Verify the Ubuntu operating system notifies the System\nAdministrator (SA) and Information System Security Officer (ISSO) (at a\nminimum) via email when allocated audit record storage volume reaches 75% of\nthe repository maximum audit record storage capacity.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum)\nvia email when allocated audit record storage volume reaches 75% of the\nrepository maximum audit record storage capacity with the following commands:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\nspace_left_action email\n\nIf the space_left_action is set to \"email\" check the value of the\n\"action_mail_acct\" parameter with the following command:\n\n#sudo grep action_mail_acct parameter /etc/audit/auditd.conf\n\naction_mail_acct parameter root@localhost\n\nIf the space_left_action or the action_mail_accnt parameters are set to blanks,\nthis is a finding.\n\nIf the space_left_action is set to \"syslog\", the system logs the event, this\nis not a finding.\n\nIf the space_left_action is set to \"exe c\", the system executes a designated\nscript. If this script informs the SA of the event, this is not a finding.\n\nThe action_mail_acct parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the e-mail address of the system\nadministrator(s) and/or ISSO, this is a finding.\n\nNote: If the email address of the system administrator is on a remote system a\nmail package must be available.",
- "fix": "Configure the operating system to immediately notify the SA and\nISSO (at a minimum) via email when allocated audit record storage volume\nreaches 75% of the repository maximum audit record storage capacity.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to\n\"exec\", \"email\", or \"syslog\". If the \"space_left_action\" parameter is\nset to \"email\" set the \"action_mail_acct\" parameter to an e-mail address\nfor the System Administrator (SA) and Information System Security Officer\n(ISSO)."
+ "default": "An Ubuntu operating system needs to be able to identify when a user's\nsessions has idled for longer than 15 minutes. The Ubuntu operating system must\nlogout a users' session after 15 minutes to prevent anyone from gaining access\nto the machine while the user is away.",
+ "check": "Verify the Ubuntu operating system initiates a session logout\nafter a \"15\" minutes of inactivity.\n\nCheck that the proper auto logout script exists with the following command:\n\n# cat /etc/profile.d/autologout.sh\nTMOUT=900\nreadonly TMOUT\nexport TMOUT\n\nIf the file \"/etc/profile.d/autologout.sh\" does not exist, the timeout values\nare commented out, the output from the function call are not the same, this is\na finding.",
+ "fix": "Configure the Ubuntu operating system to initiate a session\nlogout after a \"15\" minutes of inactivity.\n\nCreate a file to contain the system-wide session auto logout script (if it does\nnot already exist) with the following command:\n\n# sudo touch /etc/profile.d/autologout.sh\n\nAdd the following lines to the \"/etc/profile.d/autologout.sh\" script:\n\nTMOUT=900\nreadonly TMOUT\nexport TMOUT"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000343-GPOS-00134",
- "gid": "V-75623",
- "rid": "SV-90303r2_rule",
- "stig_id": "UBTU-16-020030",
- "fix_id": "F-82251r2_fix",
+ "gtitle": "SRG-OS-000029-GPOS-00010",
+ "gid": "V-75441",
+ "rid": "SV-90121r2_rule",
+ "stig_id": "UBTU-16-010060",
+ "fix_id": "F-82069r2_fix",
 "cci": [
- "CCI-001855"
+ "CCI-000057"
 ],
 "nist": [
- "AU-5 (1)",
+ "AC-11 a",
 "Rev_4"
 ],
 "false_negatives": null,
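Review bot: The new V-75715 `code` tests the loaded audit rule set rather than the file the STIG check greps: `auditd.lines` and `auditd.file(@audit_file)` come from InSpec's `auditd` resource, which as far as I know reports the live rules (`auditctl -l`), while the check text inspects `/etc/audit/audit.rules`. A rule present in the file but not yet loaded (daemon not restarted) fails here while passing the manual check, and the reverse is also possible. I would record that in the control, e.g. `# NOTE: the auditd resource reports the loaded rule set, not /etc/audit/audit.rules; restart auditd after editing the file` above `@audit_file = '/bin/kmod'`, or pair it with a `file('/etc/audit/audit.rules')` content match. The removed V-80969 control used the same template, so this is pre-existing rather than introduced by this commit.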
@@ -4528,29 +4397,29 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75623' do\n title \"The Ubuntu operating system must notify the System Administrator (SA)\nand Information System Security Officer (ISSO) (at a minimum) via email when\nallocated audit record storage volume reaches 75% of the repository maximum\naudit record storage capacity.\"\n desc \"If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000343-GPOS-00134'\n tag \"gid\": 'V-75623'\n tag \"rid\": 'SV-90303r2_rule'\n tag \"stig_id\": 'UBTU-16-020030'\n tag \"fix_id\": 'F-82251r2_fix'\n tag \"cci\": ['CCI-001855']\n tag \"nist\": ['AU-5 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system notifies the System\nAdministrator (SA) and Information System Security Officer (ISSO) (at a\nminimum) via email when allocated audit record storage volume reaches 75% of\nthe repository maximum audit record storage capacity.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum)\nvia email when allocated audit record storage volume reaches 75% of the\nrepository maximum audit record storage capacity with the following commands:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\nspace_left_action email\n\nIf the space_left_action is set to \\\"email\\\" check the value of the\n\\\"action_mail_acct\\\" parameter with the following command:\n\n#sudo grep action_mail_acct parameter /etc/audit/auditd.conf\n\naction_mail_acct parameter root@localhost\n\nIf the space_left_action or the action_mail_accnt parameters are set to blanks,\nthis is a finding.\n\nIf the space_left_action is set to \\\"syslog\\\", the system logs the event, this\nis not a finding.\n\nIf the space_left_action is set to \\\"exe c\\\", the system executes a designated\nscript. If this script informs the SA of the event, this is not a finding.\n\nThe action_mail_acct parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the e-mail address of the system\nadministrator(s) and/or ISSO, this is a finding.\n\nNote: If the email address of the system administrator is on a remote system a\nmail package must be available.\"\n desc 'fix', \"Configure the operating system to immediately notify the SA and\nISSO (at a minimum) via email when allocated audit record storage volume\nreaches 75% of the repository maximum audit record storage capacity.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to\n\\\"exec\\\", \\\"email\\\", or \\\"syslog\\\". If the \\\"space_left_action\\\" parameter is\nset to \\\"email\\\" set the \\\"action_mail_acct\\\" parameter to an e-mail address\nfor the System Administrator (SA) and Information System Security Officer\n(ISSO).\"\n\n space_left_action = auditd_conf.space_left_action\n if space_left_action.casecmp?('email')\n action_mail_acct = input('action_mail_acct')\n describe auditd_conf do\n its('action_mail_acct') { should cmp action_mail_acct }\n end\n elsif space_left_action.casecmp?('syslog') || space_left_action.casecmp?('exec')\n describe.one do\n describe auditd_conf do\n its('space_left_action') { should cmp 'syslog' }\n end\n describe auditd_conf do\n its('space_left_action') { should cmp 'exec' }\n end\n end\n end\nend\n",
+ "code": "control 'V-75441' do\n title \"Ubuntu operating system sessions must be automatically logged out\nafter 15 minutes of inactivity.\"\n desc \"An Ubuntu operating system needs to be able to identify when a user's\nsessions has idled for longer than 15 minutes. The Ubuntu operating system must\nlogout a users' session after 15 minutes to prevent anyone from gaining access\nto the machine while the user is away.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000029-GPOS-00010'\n tag \"gid\": 'V-75441'\n tag \"rid\": 'SV-90121r2_rule'\n tag \"stig_id\": 'UBTU-16-010060'\n tag \"fix_id\": 'F-82069r2_fix'\n tag \"cci\": ['CCI-000057']\n tag \"nist\": ['AC-11 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system initiates a session logout\nafter a \\\"15\\\" minutes of inactivity.\n\nCheck that the proper auto logout script exists with the following command:\n\n# cat /etc/profile.d/autologout.sh\nTMOUT=900\nreadonly TMOUT\nexport TMOUT\n\nIf the file \\\"/etc/profile.d/autologout.sh\\\" does not exist, the timeout values\nare commented out, the output from the function call are not the same, this is\na finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to initiate a session\nlogout after a \\\"15\\\" minutes of inactivity.\n\nCreate a file to contain the system-wide session auto logout script (if it does\nnot already exist) with the following command:\n\n# sudo touch /etc/profile.d/autologout.sh\n\nAdd the following lines to the \\\"/etc/profile.d/autologout.sh\\\" script:\n\nTMOUT=900\nreadonly TMOUT\nexport TMOUT\"\n\n describe file('/etc/profile.d/autologout.sh') do\n it { should exist }\n its('content') { should match /^\\s*TMOUT=900\\s*$/ }\n its('content') { should match /^\\s*readonly\\s+TMOUT\\s*$/ }\n its('content') { should match /^\\s*export\\s+TMOUT\\s*$/ }\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75623.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75441.rb",
 "line": 3
 },
- "id": "V-75623"
+ "id": "V-75441"
 },
 {
- "title": "The Ubuntu operating system must use a separate file system for /var.",
- "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.",
+ "title": "The Ubuntu operating system must not forward Internet Protocol version\n4 (IPv4) source-routed packets by default.",
+ "desc": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.",
 "descriptions": {
- "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.",
- "check": "Verify that a separate file system/partition has been created\nfor \"/var\".\n\nCheck that a file system/partition has been created for \"/var\" with the\nfollowing command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for \"/var\" is not in use, this is a finding.",
- "fix": "Migrate the \"/var\" path onto a separate file system."
+ "default": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.",
+ "check": "Verify the Ubuntu operating system does not accept Internet\nProtocol version 4 (IPv4) source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route=0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or\nthe returned line is commented out, this is a finding.",
+ "fix": "Configure the Ubuntu operating system to not forward Internet\nProtocol version 4 (IPv4) source-routed packets by default with the following\ncommand:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_source_route=0"
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75589",
- "rid": "SV-90269r1_rule",
- "stig_id": "UBTU-16-010920",
- "fix_id": "F-82217r1_fix",
+ "gid": "V-75875",
+ "rid": "SV-90555r3_rule",
+ "stig_id": "UBTU-16-030540",
+ "fix_id": "F-82505r3_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -4569,20 +4438,20 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75589' do\n title 'The Ubuntu operating system must use a separate file system for /var.'\n desc \"The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75589'\n tag \"rid\": 'SV-90269r1_rule'\n tag \"stig_id\": 'UBTU-16-010920'\n tag \"fix_id\": 'F-82217r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that a separate file system/partition has been created\nfor \\\"/var\\\".\n\nCheck that a file system/partition has been created for \\\"/var\\\" with the\nfollowing command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for \\\"/var\\\" is not in use, this is a finding.\"\n desc 'fix', 'Migrate the \"/var\" path onto a separate file system.'\n\n describe mount('/var') do\n it { should be_mounted }\n end\nend\n",
+ "code": "control 'V-75875' do\n title \"The Ubuntu operating system must not forward Internet Protocol version\n4 (IPv4) source-routed packets by default.\"\n desc \"Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75875'\n tag \"rid\": 'SV-90555r3_rule'\n tag \"stig_id\": 'UBTU-16-030540'\n tag \"fix_id\": 'F-82505r3_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not accept Internet\nProtocol version 4 (IPv4) source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route=0\n\nIf the returned line does not have a value of \\\"0\\\", a line is not returned, or\nthe returned line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not forward Internet\nProtocol version 4 (IPv4) source-routed packets by default with the following\ncommand:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.default.accept_source_route=0\"\n\n describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do\n its('value') { should eq 0 }\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75589.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75875.rb",
 "line": 3
 },
- "id": "V-75589"
+ "id": "V-75875"
 },
 {
- "title": "The audit system must be configured to audit any usage of the rmmod\ncommand.",
- "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.",
+ "title": "Successful/unsuccessful uses of the passwd command must generate an\naudit record.",
+ "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.",
 "descriptions": {
- "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.",
- "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \"rmmod\", by running the\nfollowing command:\n\n# sudo grep \"/sbin/rmmod\" /etc/audit/audit.rules\n\n-w /sbin/rmmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.",
- "fix": "Configure the Ubuntu operating system to audit the execution of\nthe module management program \"rmmod\", by adding the following line to\n\"/etc/audit/audit.rules\":\n\n-w /sbin/rmmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
+ "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.",
+ "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"passwd\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w passwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.",
+ "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"passwd\" command. Add or update the\nfollowing rule in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
 "impact": 0.5,
 "refs": [],
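Review bot: The new V-75875 `code` only checks the running value through `kernel_parameter('net.ipv4.conf.default.accept_source_route')`, so a host set to 0 with `sysctl -w` but with no entry in `/etc/sysctl.conf` or `/etc/sysctl.d` passes and reverts on reboot, even though the fix text itself calls for the persistent setting. That follows the STIG check text literally, so at minimum I would record it: `# checks the live kernel value only; persistence in /etc/sysctl.conf or /etc/sysctl.d is not verified` above the `describe kernel_parameter(...)` line. If persistence is wanted, a second `describe` over the sysctl configuration files could be added, noting that it goes beyond the STIG check.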
@@ -4594,14 +4463,12 @@
 "SRG-OS-000062-GPOS-00031",
 "SRG-OS-000392-GPOS-00172",
 "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215",
- "SRG-OS-000471-GPOS-00216",
- "SRG-OS-000477-GPOS-00222"
+ "SRG-OS-000471-GPOS-00215"
 ],
- "gid": "V-75711",
- "rid": "SV-90391r2_rule",
- "stig_id": "UBTU-16-020430",
- "fix_id": "F-82339r2_fix",
+ "gid": "V-75777",
+ "rid": "SV-90457r3_rule",
+ "stig_id": "UBTU-16-020760",
+ "fix_id": "F-82407r4_fix",
 "cci": [
 "CCI-000130",
 "CCI-000135",
@@ -4628,41 +4495,48 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75711' do\n title \"The audit system must be configured to audit any usage of the rmmod\ncommand.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222]\n tag \"gid\": 'V-75711'\n tag \"rid\": 'SV-90391r2_rule'\n tag \"stig_id\": 'UBTU-16-020430'\n tag \"fix_id\": 'F-82339r2_fix'\n tag \"cci\": 
%w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \\\"rmmod\\\", by running the\nfollowing command:\n\n# sudo grep \\\"/sbin/rmmod\\\" /etc/audit/audit.rules\n\n-w /sbin/rmmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe module management program \\\"rmmod\\\", by adding the following line to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /sbin/rmmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/rmmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75777' do\n title \"Successful/unsuccessful uses of the passwd command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75777'\n tag \"rid\": 'SV-90457r3_rule'\n tag \"stig_id\": 'UBTU-16-020760'\n tag \"fix_id\": 'F-82407r4_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"passwd\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w passwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"passwd\\\" command. Add or update the\nfollowing rule in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75711.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75777.rb", "line": 3 }, - "id": "V-75711" + "id": "V-75777" }, { - "title": "Successful/unsuccessful uses of the umount command must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "title": "The audit system must be configured to audit any usage of the setxattr\nsystem call.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"umount\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep umount /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"umount\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"setxattr\" system call, by running the following command:\n\n# sudo grep -w setxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"setxattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000042-GPOS-00020", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ + "SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75697", - "rid": "SV-90377r3_rule", - "stig_id": "UBTU-16-020390", - "fix_id": "F-82325r2_fix", + "gid": "V-75717", + "rid": "SV-90397r2_rule", + "stig_id": "UBTU-16-020460", + "fix_id": "F-82345r2_fix", "cci": [ + "CCI-000130", "CCI-000135", + "CCI-000169", "CCI-000172", "CCI-002884" ], "nist": [ + "AU-3", "AU-3 (1)", + "AU-12 a", "AU-12 c", "MA-4 (1) (a)", "Rev_4" 
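Review bot: The `describe auditd.file(@audit_file)` block in the `code` value of the V-75777 passwd control asserts only that the rule's permissions are non-empty and include 'x' and that its action does not include 'never'; it never verifies that the rule is `always,exit`, nor that the `auid>=1000 -F auid!=4294967295` filters and `-k privileged-passwd` key from the control's own check text are present, so a rule with a different list or with the filters dropped would still pass. The umount control visible on the old side of this file additionally asserts `its('action.uniq') { should eq ['always'] }` and `its('list.uniq') { should eq ['exit'] }`; adding those two lines inside the same describe block would at least bring the passwd control to that baseline. Since this JSON is an export (the `source_location` entry points at `./Ubuntu 16.04 STIG/controls/V-75777.rb`), the change belongs in that Ruby control and the baseline should then be regenerated rather than edited here.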
@@ -4678,34 +4552,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75697' do\n title \"Successful/unsuccessful uses of the umount command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000042-GPOS-00020'\n tag \"satisfies\": %w[SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172\n SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75697'\n tag \"rid\": 'SV-90377r3_rule'\n tag \"stig_id\": 'UBTU-16-020390'\n tag \"fix_id\": 'F-82325r2_fix'\n tag \"cci\": %w[CCI-000135 CCI-000172 CCI-002884]\n tag \"nist\": ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"umount\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep umount /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"umount\\\" command.\n\nAdd or update the following rules in 
the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75717' do\n title \"The audit system must be configured to audit any usage of the setxattr\nsystem call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75717'\n tag \"rid\": 'SV-90397r2_rule'\n tag \"stig_id\": 'UBTU-16-020460'\n tag \"fix_id\": 'F-82345r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"setxattr\\\" system call, by running the following command:\n\n# sudo grep -w 
setxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"setxattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75697.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75717.rb", "line": 3 }, - "id": "V-75697" + "id": "V-75717" }, { - "title": "The Ubuntu operating system must synchronize internal information\nsystem clocks to the authoritative time source when the time difference is\ngreater than one second.", - "desc": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network. 
Organizations should consider setting time periods\nfor different types of systems (e.g., financial, legal, or mission-critical\nsystems).\n\n Organizations should also consider endpoints that may not have regular\naccess to the authoritative time server (e.g., mobile, teleworking, and\ntactical endpoints). This requirement is related to the comparison done every\n24 hours in SRG-OS-000355 because a comparison must be done in order to\ndetermine the time difference.", + "title": "Successful/unsuccessful uses of the fchown command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network. Organizations should consider setting time periods\nfor different types of systems (e.g., financial, legal, or mission-critical\nsystems).\n\n Organizations should also consider endpoints that may not have regular\naccess to the authoritative time server (e.g., mobile, teleworking, and\ntactical endpoints). 
This requirement is related to the comparison done every\n24 hours in SRG-OS-000355 because a comparison must be done in order to\ndetermine the time difference.", - "check": "Verify that Network Time Protocol (NTP) is running in\ncontinuous mode.\n\nCheck that NTP is running in continuous mode with the following command:\n\n# grep ntpdate /etc/init.d/ntpd\n\n if ntpdate -u -s -b -p 4 -t 5 $NTPSERVER ; then\n\nIf the option \"-q\" is present, this is a finding.", - "fix": "The Network Time Protocol (NTP) will run in continuous mode by\ndefault. If the query only option (-q) has been added to the ntpdate command in\n/etc/init.d/ntpd it must be removed." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"fchown\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"fchown\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000356-GPOS-00144", - "gid": "V-75815", - "rid": "SV-90495r2_rule", - "stig_id": "UBTU-16-030110", - "fix_id": "F-82445r2_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75731", + "rid": "SV-90411r3_rule", + "stig_id": "UBTU-16-020530", + "fix_id": "F-82359r2_fix", "cci": [ - "CCI-002046" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AU-8 (1) (b)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
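Review bot: In the `code` value of the V-75717 setxattr control, the `describe auditd.syscall('setxattr').where { arch == 'b32' }` block runs unconditionally, while the control's check and fix text document only `arch=b64` rules; on an x86_64 host configured exactly as the fix prescribes, that filter would presumably match no rows, so `its('action.uniq') { should eq ['always'] }` compares `[]` with `['always']` and the control fails against a compliant system. The existing `if os.arch == 'x86_64'` guard on the b64 block shows the architecture dependency was anticipated; moving the b32 describe into an `else` branch of that same `if` would make the test match the documented rule. Neither describe checks that both the `auid>=1000 -F auid!=4294967295` and `auid=0` rules listed in the check text are present, nor the `perm_mod` key, so a single partial rule satisfies the control. The fchown control V-75731 in the next hunk has the same unconditional b32 describe. This JSON is an export; the fix belongs in `./Ubuntu 16.04 STIG/controls/V-75717.rb` and `V-75731.rb`, followed by regeneration.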
@@ -4719,43 +4609,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75815' do\n title \"The Ubuntu operating system must synchronize internal information\nsystem clocks to the authoritative time source when the time difference is\ngreater than one second.\"\n desc \"Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network. Organizations should consider setting time periods\nfor different types of systems (e.g., financial, legal, or mission-critical\nsystems).\n\n Organizations should also consider endpoints that may not have regular\naccess to the authoritative time server (e.g., mobile, teleworking, and\ntactical endpoints). 
This requirement is related to the comparison done every\n24 hours in SRG-OS-000355 because a comparison must be done in order to\ndetermine the time difference.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000356-GPOS-00144'\n tag \"gid\": 'V-75815'\n tag \"rid\": 'SV-90495r2_rule'\n tag \"stig_id\": 'UBTU-16-030110'\n tag \"fix_id\": 'F-82445r2_fix'\n tag \"cci\": ['CCI-002046']\n tag \"nist\": ['AU-8 (1) (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Network Time Protocol (NTP) is running in\ncontinuous mode.\n\nCheck that NTP is running in continuous mode with the following command:\n\n# grep ntpdate /etc/init.d/ntpd\n\n if ntpdate -u -s -b -p 4 -t 5 $NTPSERVER ; then\n\nIf the option \\\"-q\\\" is present, this is a finding.\"\n desc 'fix', \"The Network Time Protocol (NTP) will run in continuous mode by\ndefault. 
If the query only option (-q) has been added to the ntpdate command in\n/etc/init.d/ntpd it must be removed.\"\n\n ntpd_exists = file('/etc/init.d/ntpd').exist?\n\n if ntpd_exists\n describe command('grep ntpdate /etc/init.d/ntpd').stdout.strip do\n it { should_not match /.+(-q).+/ }\n end\n else\n describe 'The file /etc/init.d/ntpd exists' do\n subject { ntpd_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75731' do\n title \"Successful/unsuccessful uses of the fchown command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75731'\n tag \"rid\": 'SV-90411r3_rule'\n tag \"stig_id\": 'UBTU-16-020530'\n tag \"fix_id\": 'F-82359r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"fchown\\\" command occur.\n\nCheck that the following calls are being audited by 
performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"fchown\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fchown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fchown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75815.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75731.rb", "line": 3 }, - "id": "V-75815" + "id": "V-75731" }, { - "title": "Audit log directories must have a mode of 0750 or less permissive to\nprevent unauthorized read access.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "title": "Library files must have mode 0755 or less permissive.", + "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the 
appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", - "check": "Verify the audit log directories have a mode of \"0750\" or\nless permissive by first determining where the audit logs are stored with the\nfollowing command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log, determine the directory where the audit\nlogs are stored (ex: \"/var/log/audit\"). Run the following command to\ndetermine the permissions for the audit log folder:\n\n# sudo stat -c \"%a %n\" /var/log/audit\n750 /var/log/audit\n\nIf the audit log directory has a mode more permissive than \"0750\", this is a\nfinding.", - "fix": "Configure the audit log directory to be protected from\nunauthorized read access by setting the correct permissive mode with the\nfollowing command:\n\n# sudo chmod 0750 [audit_log_directory]\n\nReplace \"[audit_log_directory]\" to the correct audit log directory path, by\ndefault this location is \"/var/log/audit\"." 
+ "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "check": "Verify the system-wide shared library files contained in the\nfollowing directories have mode \"0755\" or less permissive.\n\nCheck that the system-wide shared library files contained in the following\ndirectories have mode \"0755\" or less permissive with the following command:\n\nNote: Replace \"[directory]\" with one of the following paths:\n/lib\n/lib64\n/usr/lib\n\n# find /lib /lib64 /usr/lib -perm /022 -type f | xargs ls -la\n/usr/lib64/pkcs11-spy.so\n\nIf any system-wide shared library file is found to be group-writable or\nworld-writable, this is a finding.", + "fix": "Configure the library files to be protected from unauthorized\naccess. 
Run the following command, replacing \"[file]\" with any library file\nwith a mode more permissive than 0755.\n\n# sudo chmod 0755 [file]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-75637", - "rid": "SV-90317r2_rule", - "stig_id": "UBTU-16-020100", - "fix_id": "F-82265r1_fix", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-75605", + "rid": "SV-90285r2_rule", + "stig_id": "UBTU-16-011000", + "fix_id": "F-82233r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-001499" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
@@ -4769,29 +4650,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75637' do\n title \"Audit log directories must have a mode of 0750 or less permissive to\nprevent unauthorized read access.\"\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029]\n tag \"gid\": 'V-75637'\n tag \"rid\": 'SV-90317r2_rule'\n tag \"stig_id\": 'UBTU-16-020100'\n tag \"fix_id\": 'F-82265r1_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit log directories have a mode of \\\"0750\\\" or\nless permissive by first determining where the audit logs are stored with the\nfollowing command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log, determine the directory where the audit\nlogs are stored (ex: \\\"/var/log/audit\\\"). 
Run the following command to\ndetermine the permissions for the audit log folder:\n\n# sudo stat -c \\\"%a %n\\\" /var/log/audit\n750 /var/log/audit\n\nIf the audit log directory has a mode more permissive than \\\"0750\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the audit log directory to be protected from\nunauthorized read access by setting the correct permissive mode with the\nfollowing command:\n\n# sudo chmod 0750 [audit_log_directory]\n\nReplace \\\"[audit_log_directory]\\\" to the correct audit log directory path, by\ndefault this location is \\\"/var/log/audit\\\".\"\n\n log_file_path = input('log_file_path')\n log_dir = input('log_file_dir')\n\n log_file_and_dir_exist = !log_file_path.nil? && !log_dir.nil?\n if log_file_and_dir_exist\n describe directory(log_dir) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe ('Audit log file:' + log_file_path + ' and/or audit directory:' + log_dir + ' exist') do\n subject { log_file_and_dir_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75605' do\n title 'Library files must have mode 0755 or less permissive.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75605'\n tag \"rid\": 'SV-90285r2_rule'\n tag \"stig_id\": 'UBTU-16-011000'\n tag \"fix_id\": 'F-82233r1_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system-wide shared library files contained in the\nfollowing directories have mode \\\"0755\\\" or less permissive.\n\nCheck that the system-wide shared library files contained in the following\ndirectories have mode \\\"0755\\\" or less permissive with the following command:\n\nNote: Replace \\\"[directory]\\\" with one of the following paths:\n/lib\n/lib64\n/usr/lib\n\n# find /lib /lib64 /usr/lib -perm /022 -type f | xargs ls -la\n/usr/lib64/pkcs11-spy.so\n\nIf any system-wide shared library file is found to be group-writable or\nworld-writable, this is a finding.\"\n desc 'fix', \"Configure the library files to be protected from unauthorized\naccess. 
Run the following command, replacing \\\"[file]\\\" with any library file\nwith a mode more permissive than 0755.\n\n# sudo chmod 0755 [file]\"\n\n if os.arch == 'x86_64'\n library_files = command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75637.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75605.rb", "line": 3 }, - "id": "V-75637" + "id": "V-75605" }, { - "title": "The Ubuntu operating system must use a separate file system for the\nsystem audit data path.", - "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "title": "Unattended or automatic login via ssh must not be allowed.", + "desc": "Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", - "check": "Verify that a separate file system/partition has been created\nfor the system audit data path.\n\nCheck that a file system/partition has been created for the system audit data\npath with the following command:\n\nNote: /var/log/audit is used as the example as it is a common location.\n\n#grep /var/log/audit /etc/fstab\nUUID=3645951a /var/log/audit ext4 defaults 1 2\n\nIf a separate 
entry for \"/var/log/audit\" does not exist, ask the System\nAdministrator if the system audit logs are being written to a different file\nsystem/partition on the system, then grep for that file system/partition.\n\nIf a separate file system/partition does not exist for the system audit data\npath, this is a finding.",
- "fix": "Migrate the system audit data path onto a separate file system."
+ "default": "Failure to restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.",
+ "check": "Verify that unattended or automatic login via ssh is disabled.\n\nCheck that unattended or automatic login via ssh is disabled with the following\ncommand:\n\n# egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf \"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set\nto \"no\", is missing completely, or they are commented out, this is a finding.",
+ "fix": "Configure the Ubuntu operating system to allow the SSH daemon to\nnot allow unattended or automatic login to the system.\n\nAdd or edit the following lines in the \"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service"
 },
- "impact": 0.3,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75591",
- "rid": "SV-90271r1_rule",
- "stig_id": "UBTU-16-010930",
- "fix_id": "F-82219r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00229",
+ "gid": "V-75833",
+ "rid": "SV-90513r2_rule",
+ "stig_id": "UBTU-16-030250",
+ "fix_id": "F-82463r2_fix",
 "cci": [
 "CCI-000366"
 ],
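Review bot: In the new `code` for V-75605 the x86_64 branch lists `lib64` without a leading slash, so `/lib64` is never searched (the relative path resolves against the working directory and find's complaint goes to stderr, which the control does not read); `/usr/lib64`, the path the STIG check text uses as its own example, is in neither branch. The line should read `library_files = command('find /lib /lib32 /lib64 /usr/lib /usr/lib32 /usr/lib64 -perm /022 -type f').stdout.strip.split("\n").entries`, and the non-x86_64 branch could gain `/usr/lib64` the same way. The fallback describe's label says "less permissive than 0755" while `-perm /022` selects files that are more permissive than that; `'Number of system-wide shared library files found that are more permissive than 0755'` states what is actually counted.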
@@ -4810,40 +4691,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75591' do\n title \"The Ubuntu operating system must use a separate file system for the\nsystem audit data path.\"\n desc \"The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75591'\n tag \"rid\": 'SV-90271r1_rule'\n tag \"stig_id\": 'UBTU-16-010930'\n tag \"fix_id\": 'F-82219r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that a separate file system/partition has been created\nfor the system audit data path.\n\nCheck that a file system/partition has been created for the system audit data\npath with the following command:\n\nNote: /var/log/audit is used as the example as it is a common location.\n\n#grep /var/log/audit /etc/fstab\nUUID=3645951a /var/log/audit ext4 defaults 1 2\n\nIf a separate entry for \\\"/var/log/audit\\\" does not exist, ask the System\nAdministrator if the system audit logs are being written to a different file\nsystem/partition on the system, then grep for that file system/partition.\n\nIf a separate file system/partition does not exist for the system audit data\npath, this is a finding.\"\n desc 'fix', 'Migrate the system audit data path onto a separate file system.'\n\n audit_log_path = input('audit_log_path')\n\n describe mount(audit_log_path) do\n it { should be_mounted }\n end\nend\n", + "code": "control 'V-75833' do\n title 'Unattended or automatic login via ssh must not be allowed.'\n desc \"Failure to 
restrict system access to authenticated users negatively\nimpacts Ubuntu operating system security.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00229'\n tag \"gid\": 'V-75833'\n tag \"rid\": 'SV-90513r2_rule'\n tag \"stig_id\": 'UBTU-16-030250'\n tag \"fix_id\": 'F-82463r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that unattended or automatic login via ssh is disabled.\n\nCheck that unattended or automatic login via ssh is disabled with the following\ncommand:\n\n# egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf \\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set\nto \\\"no\\\", is missing completely, or they are commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to\nnot allow unattended or automatic login to the system.\n\nAdd or edit the following lines in the \\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75591.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75833.rb", "line": 3 }, - "id": "V-75591" + "id": "V-75833" }, { - "title": "The Ubuntu operating system must employ FIPS 140-2 approved\ncryptographic hashing algorithms for all created passwords.", - "desc": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", + "title": "The Ubuntu operating system must record time stamps for audit records\nthat can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time\n(GMT).", + "desc": "If time stamps are not consistently applied and there is no common\ntime reference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the Ubuntu operating system include date and time.\nTime is commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.", "descriptions": { - "default": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. 
If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", - "check": "Verify the shadow password suite configuration is set to create\npasswords using a strong cryptographic hash with the following command:\n\nCheck that a minimum number of hash rounds is configured by running the\nfollowing command:\n\n# grep rounds /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000\n\nIf \"rounds\" has a value below \"5000\", or is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to encrypt all stored\npasswords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/pam.d/common-password\" file and\nset \"rounds\" to a value no lower than \"5000\":\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000" + "default": "If time stamps are not consistently applied and there is no common\ntime reference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the Ubuntu operating system include date and time.\nTime is commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.", + "check": "The time zone must be configured to use Coordinated Universal\nTime (UTC) or Greenwich Mean Time (GMT). 
To verify run the following command.\n\n# sudo timedatectl status | grep -i \"time zone\"\nTime zone: UTC (UTC, +0000)\n\nIf \"Time zone\" is not set to UTC or GMT, this is a finding.",
+ "fix": "To configure the system time zone to use Coordinated Universal\nTime (UTC) or Greenwich Mean Time (GMT), run the following command replacing\n[ZONE] with UTC or GMT.\n\n# sudo timedatectl set-timezone [ZONE]"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000073-GPOS-00041",
- "satisfies": [
- "SRG-OS-000073-GPOS-00041",
- "SRG-OS-000120-GPOS-00061"
- ],
- "gid": "V-75463",
- "rid": "SV-90143r2_rule",
- "stig_id": "UBTU-16-010170",
- "fix_id": "F-82091r2_fix",
+ "gtitle": "SRG-OS-000359-GPOS-00146",
+ "gid": "V-75817",
+ "rid": "SV-90497r2_rule",
+ "stig_id": "UBTU-16-030120",
+ "fix_id": "F-82447r1_fix",
 "cci": [
- "CCI-000196",
- "CCI-000803"
+ "CCI-001890"
 ],
 "nist": [
- "IA-5 (1) (c)",
- "IA-7",
+ "AU-8 b",
 "Rev_4"
 ],
 "false_negatives": null,
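Review bot: The V-75833 `code` checks `PermitEmptyPasswords` and `PermitUserEnvironment` through the `sshd_config` resource, which as far as I can tell reads `/etc/ssh/sshd_config` as a flat key/value file; a `Match` block that sets either keyword for a subset of users would, I believe, surface as a second value for the same key rather than as a scoped override, so the outcome of `should cmp 'no'` in that situation is not obvious from the hunk. A comment on the describe such as `# sshd_config is parsed flat; Match-block overrides are not modelled here` would record that limit, or the control could additionally assert the effective values reported by `sshd -T`. When a keyword is absent the cmp fails with "expected nil", which correctly makes a missing directive a finding as the STIG check text requires, but the report cannot tell a missing directive from a commented-out one.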
@@ -4857,34 +4732,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75463' do\n title \"The Ubuntu operating system must employ FIPS 140-2 approved\ncryptographic hashing algorithms for all created passwords.\"\n desc \"The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"satisfies\": %w[SRG-OS-000073-GPOS-00041 SRG-OS-000120-GPOS-00061]\n tag \"gid\": 'V-75463'\n tag \"rid\": 'SV-90143r2_rule'\n tag \"stig_id\": 'UBTU-16-010170'\n tag \"fix_id\": 'F-82091r2_fix'\n tag \"cci\": %w[CCI-000196 CCI-000803]\n tag \"nist\": ['IA-5 (1) (c)', 'IA-7', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the shadow password suite configuration is set to create\npasswords using a strong cryptographic hash with the following command:\n\nCheck that a minimum number of hash rounds is configured by running the\nfollowing command:\n\n# grep rounds /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000\n\nIf \\\"rounds\\\" has a value below \\\"5000\\\", or is commented out, this is a\nfinding.\n\"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored\npasswords with a strong cryptographic hash.\n\nEdit/modify the following line in the \\\"/etc/pam.d/common-password\\\" file and\nset 
\\\"rounds\\\" to a value no lower than \\\"5000\\\":\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000\"\n\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command('grep rounds /etc/pam.d/common-password') do\n its('exit_status') { should eq 0 }\n its('stdout') { should match /^\\s*password\\s+\\[\\s*success=1\\s+default=ignore\\s*\\].*\\s+rounds=([5-9]\\d\\d\\d|[1-9]\\d\\d\\d\\d+)($|\\s+.*$)/ }\n end\nend\n", + "code": "control 'V-75817' do\n title \"The Ubuntu operating system must record time stamps for audit records\nthat can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time\n(GMT).\"\n desc \"If time stamps are not consistently applied and there is no common\ntime reference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the Ubuntu operating system include date and time.\nTime is commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000359-GPOS-00146'\n tag \"gid\": 'V-75817'\n tag \"rid\": 'SV-90497r2_rule'\n tag \"stig_id\": 'UBTU-16-030120'\n tag \"fix_id\": 'F-82447r1_fix'\n tag \"cci\": ['CCI-001890']\n tag \"nist\": ['AU-8 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"The time zone must be configured to use Coordinated Universal\nTime (UTC) or Greenwich Mean Time (GMT). 
To verify run the following command.\n\n# sudo timedatectl status | grep -i \\\"time zone\\\"\nTime zone: UTC (UTC, +0000)\n\nIf \\\"Time zone\\\" is not set to UTC or GMT, this is a finding.\"\n desc 'fix', \"To configure the system time zone to use Coordinated Universal\nTime (UTC) or Greenwich Mean Time (GMT), run the following command replacing\n[ZONE] with UTC or GMT.\n\n# sudo timedatectl set-timezone [ZONE]\"\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75463.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75817.rb", "line": 3 }, - "id": "V-75463" + "id": "V-75817" }, { - "title": "All world-writable directories must be group-owned by root, sys, bin,\nor an application group.", - "desc": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "title": "Ubuntu vendor packaged system security patches and updates must be\ninstalled and up to date.", + "desc": "Timely patching is critical for maintaining the operational\navailability, confidentiality, and integrity of information technology (IT)\nsystems. However, failure to keep Ubuntu operating system and application\nsoftware patched is a common mistake made by IT professionals. New patches are\nreleased daily, and it is often difficult for even experienced System\nAdministrators to keep abreast of all the new patches. 
When new weaknesses in\nan Ubuntu operating system exist, patches are usually made available by the\nvendor to resolve the problems. If the most recent security patches and updates\nare not installed, unauthorized users may take advantage of weaknesses in the\nunpatched software. The lack of prompt attention to patching could result in a\nsystem compromise.", "descriptions": { - "default": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", - "check": "Verify that all world-writable directories are group-owned by\nroot to prevent unauthorized and unintended information transferred via shared\nsystem resources.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.", - "fix": "Change the group of the world-writable directories to root, sys,\nbin, or an application group with the following command, replacing\n\"[world-writable Directory]\":\n\n# sudo chgrp root [world-writable Directory]" + "default": "Timely patching is critical for maintaining the operational\navailability, confidentiality, and integrity of information technology (IT)\nsystems. However, failure to keep Ubuntu operating system and application\nsoftware patched is a common mistake made by IT professionals. 
New patches are\nreleased daily, and it is often difficult for even experienced System\nAdministrators to keep abreast of all the new patches. When new weaknesses in\nan Ubuntu operating system exist, patches are usually made available by the\nvendor to resolve the problems. If the most recent security patches and updates\nare not installed, unauthorized users may take advantage of weaknesses in the\nunpatched software. The lack of prompt attention to patching could result in a\nsystem compromise.", + "check": "Verify the Ubuntu operating system security patches and updates\nare installed and up to date. Updates are required to be applied with a\nfrequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Ubuntu. The URL for\nupdates is https://www.Ubuntu.com/usn/. It is important to note that updates\nprovided by Ubuntu may not be present on the system if the underlying packages\nare not installed.\n\nCheck that the available package security updates have been installed on the\nsystem with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the\ntimeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance\nVulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information\nAssurance Vulnerability Management (IAVM) process, this is a finding.", + "fix": "Install the Ubuntu operating system patches or updated packages\navailable from Canonical within 30 days or sooner as local policy dictates." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000138-GPOS-00069",
- "gid": "V-75513",
- "rid": "SV-90193r3_rule",
- "stig_id": "UBTU-16-010420",
- "fix_id": "F-82141r2_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-75391",
+ "rid": "SV-90071r4_rule",
+ "stig_id": "UBTU-16-010010",
+ "fix_id": "F-82019r4_fix",
 "cci": [
- "CCI-001090"
+ "CCI-000366"
 ],
 "nist": [
- "SC-4",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
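Review bot: The V-75817 `code` only passes when the `timedatectl` output contains `UTC`, but the control's own check and fix text accept GMT as well (`[ZONE] with UTC or GMT`), so a host configured for GMT is reported as a false finding. Matching both accepted zones, e.g. `it { should match(/Time zone:\s*(Etc\/)?(UTC|GMT)\b/) }`, keeps the test aligned with the text. Describing the bare `time_zone` string also leaves the report line as just the grep output, and if `timedatectl` is missing the empty string fails with no explanation; wrapping the command in `describe command(...)` with `its('exit_status') { should eq 0 }` alongside the stdout match would make both cases readable.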
@@ -4898,34 +4773,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75513' do\n title \"All world-writable directories must be group-owned by root, sys, bin,\nor an application group.\"\n desc \"If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-75513'\n tag \"rid\": 'SV-90193r3_rule'\n tag \"stig_id\": 'UBTU-16-010420'\n tag \"fix_id\": 'F-82141r2_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": %w[SC-4 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all world-writable directories are group-owned by\nroot to prevent unauthorized and unintended information transferred via shared\nsystem resources.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\\\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.\"\n desc 'fix', \"Change the group of the world-writable directories to root, sys,\nbin, or an application group with the following command, replacing\n\\\"[world-writable 
Directory]\\\":\n\n# sudo chgrp root [world-writable Directory]\"\n\n application_groups = input('application_groups')\n\n directories = command('find / -xdev -type d -perm -0002 -exec ls -Ld {} \\\\;').stdout.strip.split(\"\\n\").entries\n if directories.count > 0\n directories.each do |entry|\n describe directory(entry) do\n its('group') { should be_in %w[root sys bin] + application_groups }\n end\n end\n else\n describe 'No world-writable directories found' do\n skip 'No world-writable directories found on the system'\n end\n end\nend\n", + "code": "control 'V-75391' do\n title \"Ubuntu vendor packaged system security patches and updates must be\ninstalled and up to date.\"\n desc \"Timely patching is critical for maintaining the operational\navailability, confidentiality, and integrity of information technology (IT)\nsystems. However, failure to keep Ubuntu operating system and application\nsoftware patched is a common mistake made by IT professionals. New patches are\nreleased daily, and it is often difficult for even experienced System\nAdministrators to keep abreast of all the new patches. When new weaknesses in\nan Ubuntu operating system exist, patches are usually made available by the\nvendor to resolve the problems. If the most recent security patches and updates\nare not installed, unauthorized users may take advantage of weaknesses in the\nunpatched software. 
The lack of prompt attention to patching could result in a\nsystem compromise.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75391'\n tag \"rid\": 'SV-90071r4_rule'\n tag \"stig_id\": 'UBTU-16-010010'\n tag \"fix_id\": 'F-82019r4_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system security patches and updates\nare installed and up to date. Updates are required to be applied with a\nfrequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Ubuntu. The URL for\nupdates is https://www.Ubuntu.com/usn/. 
It is important to note that updates\nprovided by Ubuntu may not be present on the system if the underlying packages\nare not installed.\n\nCheck that the available package security updates have been installed on the\nsystem with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the\ntimeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance\nVulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information\nAssurance Vulnerability Management (IAVM) process, this is a finding.\"\n desc 'fix', \"Install the Ubuntu operating system patches or updated packages\navailable from Canonical within 30 days or sooner as local policy dictates.\"\n\n describe command('/usr/lib/update-notifier/apt-check --human-readable') do\n its('exit_status') { should cmp 0 }\n its('stdout') { should match '^0 updates are security updates.$' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75513.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75391.rb", "line": 3 }, - "id": "V-75513" + "id": "V-75391" }, { - "title": "Network interfaces must not be in promiscuous mode.", - "desc": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow then to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", + "title": "The Ubuntu operating system must allocate audit record storage\ncapacity to store at least one weeks worth of audit records, when audit records\nare not immediately sent to a central audit record storage facility.", + "desc": "In order to ensure Ubuntu operating systems have a sufficient storage\ncapacity in which to write the audit logs, Ubuntu operating systems need to be\nable to allocate audit record storage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of the Ubuntu operating system.", "descriptions": { - "default": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow then to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", - "check": "Verify network interfaces are not in promiscuous mode unless\napproved by the Information System Security Officer (ISSO) and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use\nhas not been approved by the ISSO and documented, this is a finding.", - "fix": "Configure network interfaces to turn off promiscuous mode unless\napproved by the Information System Security Officer (ISSO) and documented.\n\nSet the promiscuous mode of an interface to \"off\" with the following command:\n\n# sudo ip link set dev promisc off" + "default": "In order to ensure Ubuntu operating systems have a sufficient storage\ncapacity in which to write the audit logs, Ubuntu operating systems need to be\nable to allocate audit record storage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of the Ubuntu operating system.", + "check": "Verify the Ubuntu operating system allocates audit record\nstorage capacity to store at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nDetermine which partition the audit records are being written to with the\nfollowing command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the\nexample being /var/log/audit/) with the following command:\n\n# df –h /var/log/audit/\n/dev/sda2 24G 10.4G 
13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit\nrecords (/var/log/audit is a separate partition), determine the amount of space\nbeing used by other files in the partition with the following command:\n\n#du –sh [audit_partition]\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit records is\nbased on the activity level of the system and the total storage capacity\navailable. In normal circumstances, 10.0 GB of storage space for audit records\nwill be sufficient.\n\nIf the audit record partition is not allocated for sufficient storage capacity,\nthis is a finding.", + "fix": "Allocate enough storage capacity for at least one week's worth of\naudit records when audit records are not immediately sent to a central audit\nrecord storage facility.\n\nIf audit records are stored on a partition made specifically for audit records,\nuse the \"X\" program to resize the partition with sufficient space to contain\none week's worth of audit records.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be\ncreated." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75889", - "rid": "SV-90569r2_rule", - "stig_id": "UBTU-16-030610", - "fix_id": "F-82519r2_fix", + "gtitle": "SRG-OS-000341-GPOS-00132", + "gid": "V-75621", + "rid": "SV-90301r2_rule", + "stig_id": "UBTU-16-020020", + "fix_id": "F-82249r1_fix", "cci": [ - "CCI-000366" + "CCI-001849" ], "nist": [ - "CM-6 b", + "AU-4", "Rev_4" ], "false_negatives": null, 
@@ -4939,12 +4814,12 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75889' do\n title 'Network interfaces must not be in promiscuous mode.'\n desc \"Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. If unauthorized individuals can access\nthese applications, it may allow then to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75889'\n tag \"rid\": 'SV-90569r2_rule'\n tag \"stig_id\": 'UBTU-16-030610'\n tag \"fix_id\": 'F-82519r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify network interfaces are not in promiscuous mode unless\napproved by the Information System Security Officer (ISSO) and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use\nhas not been approved by the ISSO and documented, this is a finding.\"\n desc 'fix', \"Configure network interfaces to turn off promiscuous mode unless\napproved by the Information System Security Officer (ISSO) and documented.\n\nSet the promiscuous mode of an interface to \\\"off\\\" with the following command:\n\n# sudo ip link set dev promisc off\"\n\n describe command('ip link | grep -i promisc').stdout.strip do\n it { 
should be_empty }\n end\nend\n", + "code": "control 'V-75621' do\n title \"The Ubuntu operating system must allocate audit record storage\ncapacity to store at least one weeks worth of audit records, when audit records\nare not immediately sent to a central audit record storage facility.\"\n desc \"In order to ensure Ubuntu operating systems have a sufficient storage\ncapacity in which to write the audit logs, Ubuntu operating systems need to be\nable to allocate audit record storage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of the Ubuntu operating system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000341-GPOS-00132'\n tag \"gid\": 'V-75621'\n tag \"rid\": 'SV-90301r2_rule'\n tag \"stig_id\": 'UBTU-16-020020'\n tag \"fix_id\": 'F-82249r1_fix'\n tag \"cci\": ['CCI-001849']\n tag \"nist\": %w[AU-4 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system allocates audit record\nstorage capacity to store at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nDetermine which partition the audit records are being written to with the\nfollowing command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the\nexample being /var/log/audit/) with the following command:\n\n# df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit\nrecords (/var/log/audit is a separate partition), determine the amount of 
space\nbeing used by other files in the partition with the following command:\n\n#du –sh [audit_partition]\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit records is\nbased on the activity level of the system and the total storage capacity\navailable. In normal circumstances, 10.0 GB of storage space for audit records\nwill be sufficient.\n\nIf the audit record partition is not allocated for sufficient storage capacity,\nthis is a finding.\"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of\naudit records when audit records are not immediately sent to a central audit\nrecord storage facility.\n\nIf audit records are stored on a partition made specifically for audit records,\nuse the \\\"X\\\" program to resize the partition with sufficient space to contain\none week's worth of audit records.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be\ncreated.\"\n\n log_file_path = input('log_file_path')\n log_file_dir = input('log_file_dir')\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file_path).size\n standard_audit_log_size = input('standard_audit_log_size')\n\n describe ('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe ('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75889.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75621.rb", "line": 3 }, - "id": "V-75889" + "id": "V-75621" }, { "title": "The /var/log directory must be owned by root.", 
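Review bot: The two comparisons at the end of the V-75621 control mix units: `filesystem(log_file_dir).free_kb` is reported in kilobytes while `file(log_file_path).size` is in bytes, yet both are compared against the same `standard_audit_log_size` input, so one of the two assertions is off by a factor of 1024 whichever unit the input is documented in. Normalise before comparing, e.g. `available_storage = filesystem(log_file_dir).free_kb * 1024` with the input documented as bytes (or divide the file size by 1024 and document kilobytes). The first assertion, `it { should be <= standard_audit_log_size }` on the current log size, also fails precisely when the log has legitimately grown to the allocated capacity, which is the opposite of what the STIG check text asks (is enough capacity allocated, not how full it currently is); checking free space plus current log size against the standard would match the intent better. A short comment above the `input(...)` lines stating the expected unit of `standard_audit_log_size` would prevent the next reader from re-introducing the mismatch.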
@@ -4988,28 +4863,44 @@ "id": "V-75595" }, { - "title": "All files and directories must have a valid group owner.", - "desc": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.", + "title": "Successful/unsuccessful uses of the lchown command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.", - "check": "Verify all files and directories on the Ubuntu operating system\nhave a valid group.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.", - "fix": "Either remove all files and directories from the Ubuntu operating\nsystem that do not have a valid group, or assign a valid group to all files and\ndirectories on the system with the \"chgrp\" command:\n\n# sudo chgrp " + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful 
attempts to use the \"lchown\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"lchown\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75557", - "rid": "SV-90237r1_rule", - "stig_id": "UBTU-16-010710", - "fix_id": "F-82185r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75735", + "rid": "SV-90415r3_rule", + "stig_id": "UBTU-16-020550", + "fix_id": "F-82363r2_fix", "cci": [ - "CCI-002165" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AC-3 (4)", - "Rev_4" - ], + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", + "Rev_4" + ], "false_negatives": null, "false_positives": null, "documentable": false, 
@@ -5021,29 +4912,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75557' do\n title 'All files and directories must have a valid group owner.'\n desc \"Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75557'\n tag \"rid\": 'SV-90237r1_rule'\n tag \"stig_id\": 'UBTU-16-010710'\n tag \"fix_id\": 'F-82185r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all files and directories on the Ubuntu operating system\nhave a valid group.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.\"\n desc 'fix', \"Either remove all files and directories from the Ubuntu operating\nsystem that do not have a valid group, or assign a valid group to all files and\ndirectories on the system with the \\\"chgrp\\\" command:\n\n# sudo chgrp \"\n\n dir_list = command('find / -nogroup').stdout.strip.split(\"\\n\")\n if dir_list.count > 0\n dir_list.each do |entry|\n describe directory(entry) do\n its('group') { should_not be_empty }\n end\n end\n else\n describe 'The number of files and directories without a valid group' do\n subject { dir_list }\n its('count') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-75735' do\n title \"Successful/unsuccessful uses of the lchown command must generate an\naudit record.\"\n desc \"Without generating audit records that are 
specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75735'\n tag \"rid\": 'SV-90415r3_rule'\n tag \"stig_id\": 'UBTU-16-020550'\n tag \"fix_id\": 'F-82363r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"lchown\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"lchown\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F 
auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('lchown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('lchown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75557.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75735.rb", "line": 3 }, - "id": "V-75557" + "id": "V-75735" }, { - "title": "File systems that are being imported via Network File System (NFS)\nmust be mounted to prevent files with the setuid and setguid bit set from being\nexecuted.", - "desc": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "title": "The Ubuntu operating system must display the date and time of the last\nsuccessful account logon upon logon.", + "desc": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", - "check": "Verify file systems that are being Network File System (NFS)\nimported are mounted with the \"nosuid\" option.\n\nFind the file system(s) that contain the directories being exported with the\nfollowing command:\n\n# grep nfs /etc/fstab | grep nosuid\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs\nrw,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the\n\"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file\nsystems that are being imported via Network File System (NFS)." + "default": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", + "check": "Verify users are provided with feedback on when account\naccesses last occurred.\n\nCheck that \"pam_lastlog\" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is missing from \"/etc/pam.d/login\" file, or the \"silent\"\noption is present, this is a finding.", + "fix": "Configure the Ubuntu operating system to provide users with\nfeedback on when account accesses last occurred by setting the required\nconfiguration options in \"/etc/pam.d/postlogin-ac\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession required pam_lastlog.so showfailed" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75579", - "rid": "SV-90259r3_rule", - "stig_id": "UBTU-16-010820", - "fix_id": "F-82207r2_fix", + "gid": "V-75497", + "rid": "SV-90177r1_rule", + "stig_id": "UBTU-16-010340", + "fix_id": "F-82125r1_fix", "cci": [ "CCI-000366" ], 
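Review bot: The second block, `describe auditd.syscall('lchown').where { arch == 'b32' }`, runs unconditionally, so an x86_64 host configured exactly as this control's own fix text specifies (only the `-F arch=b64` rule) fails the control; either guard it symmetrically with the b64 block or state in a comment that both architectures are deliberately required. The assertions also verify only `action.uniq` and `list.uniq`, so a rule missing the `auid>=1000` / `auid!=4294967295` filters from the check text still passes; if the filters are meant to be enforced, the auditd resource's `fields` property (verify its exact shape against the installed InSpec) could be asserted on as well. The `\n\n\n ` trailing blank lines inside the `desc` string are a style nit carried into the rendered description.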
@@ -5062,55 +4953,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75579' do\n title \"File systems that are being imported via Network File System (NFS)\nmust be mounted to prevent files with the setuid and setguid bit set from being\nexecuted.\"\n desc \"The \\\"nosuid\\\" mount option causes the system to not execute\n\\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75579'\n tag \"rid\": 'SV-90259r3_rule'\n tag \"stig_id\": 'UBTU-16-010820'\n tag \"fix_id\": 'F-82207r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify file systems that are being Network File System (NFS)\nimported are mounted with the \\\"nosuid\\\" option.\n\nFind the file system(s) that contain the directories being exported with the\nfollowing command:\n\n# grep nfs /etc/fstab | grep nosuid\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs\nrw,nosuid 0 0\n\nIf a file system found in \\\"/etc/fstab\\\" refers to NFS and it does not have the\n\\\"nosuid\\\" option set, this is a finding.\"\n desc 'fix', \"Configure the \\\"/etc/fstab\\\" to use the \\\"nosuid\\\" option on file\nsystems that are being imported via Network File System (NFS).\"\n\n device_rules = etc_fstab.where { file_system_type == 'nfs' }.entries\n if device_rules.count > 0\n 
device_rules.each do |device_rule|\n describe device_rule do\n its ('mount_options') { should include 'nosuid' }\n end\n end\n else\n describe 'No NFS mounts found on the system' do\n subject { device_rules }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75497' do\n title \"The Ubuntu operating system must display the date and time of the last\nsuccessful account logon upon logon.\"\n desc \"Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75497'\n tag \"rid\": 'SV-90177r1_rule'\n tag \"stig_id\": 'UBTU-16-010340'\n tag \"fix_id\": 'F-82125r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify users are provided with feedback on when account\naccesses last occurred.\n\nCheck that \\\"pam_lastlog\\\" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is missing from \\\"/etc/pam.d/login\\\" file, or the \\\"silent\\\"\noption is present, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with\nfeedback on when account accesses last occurred by setting the required\nconfiguration options in \\\"/etc/pam.d/postlogin-ac\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession required pam_lastlog.so showfailed\"\n\n describe file('/etc/pam.d/login') do\n it { should exist }\n end\n\n describe command('grep pam_lastlog /etc/pam.d/login') do\n 
its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75579.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75497.rb", "line": 3 }, - "id": "V-75579" + "id": "V-75497" }, { - "title": "The Ubuntu operating system must implement smart card logins for\nmultifactor authentication for access to accounts.", - "desc": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", + "title": "All local interactive user home directories must be group-owned by the\nhome directory owners primary group.", + "desc": "If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.", "descriptions": { - "default": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", - "check": "Verify the Ubuntu operating system uses multifactor\nauthentication for local access to accounts.\n\nCheck that the \"pam_pkcs11.so\" option is configured in the\n\"/etc/pam.d/common-auth\" file with the following command:\n\n# grep pam_pkcs11.so /etc/pam.d/common-auth\nauth [success=2 default=ignore] pam_pkcs11.so\n\nIf \"pam_pkcs11.so\" is not set in \"/etc/pam.d/common-auth\", this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to use multifactor\nauthentication for local access to accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so" + "default": "If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.", + "check": "Verify the assigned home directory of all local interactive\nusers is group-owned by that user’s primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system\nwith the following command:\n\nNote: This may miss local interactive users that have been assigned a\nprivileged UID. Evidence of interactive use may be obtained from a number of\nlog files containing system logon information. 
The returned directory\n\"/home/smithj\" is used as an example.\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\"nobody\"){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n# grep admin /etc/group\nadmin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by\nthat user’s primary GID, this is a finding.", + "fix": "Change the group owner of a local interactive user’s home\ndirectory to the group found in \"/etc/passwd\". To change the group owner of a\nlocal interactive user’s home directory, use the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of\n\"/home/smithj\", and has a primary group of users.\n\n# chgrp users /home/smithj" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000105-GPOS-00052", - "satisfies": [ - "SRG-OS-000105-GPOS-00052", - "SRG-OS-000106-GPOS-00053", - "SRG-OS-000107-GPOS-00054", - "SRG-OS-000108-GPOS-00055", - "SRG-OS-000375-GPOS-00162", - "SRG-OS-000376-GPOS-00161", - "SRG-OS-000377-GPOS-00162" - ], - "gid": "V-75911", - "rid": "SV-90591r1_rule", - "stig_id": "UBTU-16-030840", - "fix_id": "F-82541r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75567", + "rid": "SV-90247r1_rule", + "stig_id": "UBTU-16-010760", + "fix_id": "F-82195r1_fix", "cci": [ - "CCI-000765", - "CCI-000766", - "CCI-000767", - "CCI-000768", - "CCI-001948", - "CCI-001953", - "CCI-001954" + "CCI-000366" ], "nist": [ - "IA-2 (1)", - "IA-2 (2)", - "IA-2 (3)", - "IA-2 (4)", - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
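Review bot: The fix text inside the V-75497 control code tells the administrator to set the configuration options in `/etc/pam.d/postlogin-ac` and then to add the line to `/etc/pam.d/login`, while both `describe` blocks inspect only `/etc/pam.d/login`; the `postlogin-ac` reference (presumably inherited from the source STIG text, where it is a Red Hat pam layout) should be dropped or reworded so the documented fix matches what the control actually tests. In the positive match `/^\s*session\s+required\s+pam_lastlog.so/` the dot is unescaped; `pam_lastlog\.so` is what is meant, and the same applies to the negative `silent` match on the following line.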
@@ -5124,34 +4994,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75911' do\n title \"The Ubuntu operating system must implement smart card logins for\nmultifactor authentication for access to accounts.\"\n desc \"Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000105-GPOS-00052'\n tag \"satisfies\": %w[SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053\n SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055\n SRG-OS-000375-GPOS-00162 SRG-OS-000376-GPOS-00161\n SRG-OS-000377-GPOS-00162]\n tag \"gid\": 'V-75911'\n tag \"rid\": 'SV-90591r1_rule'\n tag \"stig_id\": 'UBTU-16-030840'\n tag \"fix_id\": 'F-82541r1_fix'\n tag \"cci\": %w[CCI-000765 CCI-000766 CCI-000767 CCI-000768\n CCI-001948 CCI-001953 CCI-001954]\n tag \"nist\": ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)', 'IA-2 (11)',\n 'IA-2 (12)', 'IA-2 (12)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system uses multifactor\nauthentication for local access to accounts.\n\nCheck that the \\\"pam_pkcs11.so\\\" option is configured in the\n\\\"/etc/pam.d/common-auth\\\" file with the following command:\n\n# grep pam_pkcs11.so /etc/pam.d/common-auth\nauth [success=2 default=ignore] pam_pkcs11.so\n\nIf \\\"pam_pkcs11.so\\\" is not set in \\\"/etc/pam.d/common-auth\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor\nauthentication for local access to accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\"\n\n describe command('grep pam_pkcs11.so /etc/pam.d/common-auth') do\n its('stdout') { should_not be_empty }\n end\nend\n", + "code": "control 'V-75567' do\n title \"All local interactive user home 
directories must be group-owned by the\nhome directory owners primary group.\"\n desc \"If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75567'\n tag \"rid\": 'SV-90247r1_rule'\n tag \"stig_id\": 'UBTU-16-010760'\n tag \"fix_id\": 'F-82195r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the assigned home directory of all local interactive\nusers is group-owned by that user’s primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system\nwith the following command:\n\nNote: This may miss local interactive users that have been assigned a\nprivileged UID. Evidence of interactive use may be obtained from a number of\nlog files containing system logon information. The returned directory\n\\\"/home/smithj\\\" is used as an example.\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n# grep admin /etc/group\nadmin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \\\"/etc/passwd\\\" is not group-owned by\nthat user’s primary GID, this is a finding.\"\n desc 'fix', \"Change the group owner of a local interactive user’s home\ndirectory to the group found in \\\"/etc/passwd\\\". 
To change the group owner of a\nlocal interactive user’s home directory, use the following command:\n\nNote: The example will be for the user \\\"smithj\\\", who has a home directory of\n\\\"/home/smithj\\\", and has a primary group of users.\n\n# chgrp users /home/smithj\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -maxdepth 0 -not -gid #{user_info.gid}\").stdout.split(\"\\n\")\n end\n describe \"Home directories that are not group-owned by the user's primary GID\" do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75911.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75567.rb", "line": 3 }, - "id": "V-75911" + "id": "V-75567" }, { - "title": "System commands must be group-owned by root.", - "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "title": "Remote X connections for interactive users must be encrypted.", + "desc": "Open X displays allow an attacker to capture keystrokes and execute\ncommands remotely.", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", - "check": "Verify the system commands contained in the following\ndirectories are group-owned by \"root\".\n\nCheck that the system command files contained in the following directories are\ngroup-owned by \"root\" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin !\n-group root | xargs ls -la\n\nIf the command returns any files that are not group-owned by \"root\", and if\nthey are not SGID and owned by a privileged group, this is a finding.", - "fix": "Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \"[FILE]\" with any system command file\nnot group-owned by \"root\".\n\n# sudo chgrp root [FILE]" + "default": "Open X displays allow an attacker to capture keystrokes and execute\ncommands remotely.", + "check": "Verify remote X connections for interactive users are encrypted.\n\nCheck 
that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config\nX11Forwarding yes\n\nIf the \"X11Forwarding\" keyword is set to \"no\", is missing, or is commented\nout, this is a finding.", + "fix": "Configure SSH to encrypt connections for interactive users.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11Forwarding\" keyword and set its value to \"yes\":\n\nX11Forwarding yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-75615", - "rid": "SV-90295r2_rule", - "stig_id": "UBTU-16-011050", - "fix_id": "F-82243r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75853", + "rid": "SV-90533r2_rule", + "stig_id": "UBTU-16-030400", + "fix_id": "F-82483r2_fix", "cci": [ - "CCI-001499" + "CCI-000366" ], "nist": [ - "CM-5 (6)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
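Review bot: In the V-75567 control body, `command("find #{user_info.home} -maxdepth 0 -not -gid #{user_info.gid}")` interpolates the home path taken from /etc/passwd into a shell line unquoted, so a home field containing whitespace or shell metacharacters breaks the command or executes as something else, and a home directory that does not exist produces empty stdout and is silently counted as compliant. Dropping the shell avoids both: `findings << user_info.home if file(user_info.home).gid != user_info.gid` (a missing directory then shows up as a finding; guard it with `next unless file(user_info.home).exist?` if that is meant to be a separate control). `ignore_shells = non_interactive_shells.join('|')` is likewise used as a regex without escaping, so an input entry with regex metacharacters matches more than intended; `Regexp.union(non_interactive_shells)` is the safe form. The check text's `ls -ld $(awk ...)` has the same unquoted-path weakness, though that wording is inherited from the STIG.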
@@ -5165,34 +5035,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75615' do\n title 'System commands must be group-owned by root.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75615'\n tag \"rid\": 'SV-90295r2_rule'\n tag \"stig_id\": 'UBTU-16-011050'\n tag \"fix_id\": 'F-82243r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system commands contained in the following\ndirectories are group-owned by \\\"root\\\".\n\nCheck that the system command files contained in the following directories are\ngroup-owned by \\\"root\\\" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin !\n-group root | xargs ls -la\n\nIf the command returns any files that are not group-owned by \\\"root\\\", and if\nthey are not SGID and owned by a privileged group, this is a finding.\"\n desc 'fix', \"Configure the system 
commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \\\"[FILE]\\\" with any system command file\nnot group-owned by \\\"root\\\".\n\n# sudo chgrp root [FILE]\"\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75853' do\n title 'Remote X connections for interactive users must be encrypted.'\n desc \"Open X displays allow an attacker to capture keystrokes and execute\ncommands remotely.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75853'\n tag \"rid\": 'SV-90533r2_rule'\n tag \"stig_id\": 'UBTU-16-030400'\n tag \"fix_id\": 'F-82483r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify remote X connections for interactive users are encrypted.\n\nCheck that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config\nX11Forwarding yes\n\nIf the 
\\\"X11Forwarding\\\" keyword is set to \\\"no\\\", is missing, or is commented\nout, this is a finding.\"\n desc 'fix', \"Configure SSH to encrypt connections for interactive users.\n\nEdit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the\n\\\"X11Forwarding\\\" keyword and set its value to \\\"yes\\\":\n\nX11Forwarding yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('x11forwarding') { should cmp 'yes' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75615.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75853.rb", "line": 3 }, - "id": "V-75615" + "id": "V-75853" }, { - "title": "The Ubuntu operating system must ignore Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirect messages.", - "desc": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.", + "title": "An application firewall must protect against or limit the effects of\nDenial of Service (DoS) attacks by ensuring the Ubuntu operating system is\nimplementing rate-limiting measures on impacted network interfaces.", + "desc": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of the Ubuntu operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on\nsystem availability. For each system, known and potential DoS attacks must be\nidentified and solutions for each type implemented. 
A variety of technologies\nexist to limit or, in some cases, eliminate the effects of DoS attacks (e.g.,\nlimiting processes or establishing memory partitions). Employing increased\ncapacity and bandwidth, combined with service redundancy, may reduce the\nsusceptibility to some DoS attacks.", "descriptions": { - "default": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.", - "check": "Verify the Ubuntu operating system ignores Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the \"accept_redirects\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects=0\n\nIf both of the returned lines do not have a value of \"0\", or a line is not\nreturned, this is a finding.", - "fix": "Configure the Ubuntu operating system to ignore Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages\nwith the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_redirects=0" + "default": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of the Ubuntu operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on\nsystem availability. 
For each system, known and potential DoS attacks must be\nidentified and solutions for each type implemented. A variety of technologies\nexist to limit or, in some cases, eliminate the effects of DoS attacks (e.g.,\nlimiting processes or establishing memory partitions). Employing increased\ncapacity and bandwidth, combined with service redundancy, may reduce the\nsusceptibility to some DoS attacks.", + "check": "Verify an application firewall is configured to rate limit any\nconnection to the system.\n\nCheck that the Uncomplicated Firewall is configured to rate limit any\nconnection to the system with the following command:\n\n# sudo ufw show raw\n\nChain ufw-user-input (1 references)\npkts bytes target prot opt in out source destination\n0 0 ufw-user-limit all -- eth0 * 0.0.0.0/0 0.0.0.0/0\nctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side:\nsource mask: 255.255.255.255\n\n0 0 ufw-user-limit-accept all -- eth0 * 0.0.0.0/0 0.0.0.0/0\n\n\nIf any service is not rate limited by the Uncomplicated Firewall, this is a\nfinding.", + "fix": "Configure the application firewall to protect against or limit\nthe effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating\nsystem is implementing rate-limiting measures on impacted network interfaces.\n\nRun the following command replacing \"[service]\" with the service that needs\nto be rate limited.\n\n# sudo ufw limit [service]\n\nOr rate-limiting can be done on an interface. 
An example of adding a rate-limit\non the eth0 interface:\n\n# sudo ufw limit in on eth0" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75881", - "rid": "SV-90561r2_rule", - "stig_id": "UBTU-16-030570", - "fix_id": "F-82511r2_fix", + "gtitle": "SRG-OS-000420-GPOS-00186", + "gid": "V-75855", + "rid": "SV-90535r1_rule", + "stig_id": "UBTU-16-030410", + "fix_id": "F-82485r1_fix", "cci": [ - "CCI-000366" + "CCI-002385" ], "nist": [ - "CM-6 b", + "SC-5", "Rev_4" ], "false_negatives": null, 
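Review bot: The V-75853 test `its('x11forwarding') { should cmp 'yes' }` demands a global `X11Forwarding yes` on every host, including headless servers where the option only enables an sshd feature with no consumer; the STIG's stated rationale is that X traffic, where it exists, must go over SSH rather than an open display, not that every server turn forwarding on. Consider gating the control, e.g. `only_if('no X11 client tooling installed; rate as not applicable') { package('xauth').installed? }`, or at least a comment above the `describe` stating that the requirement is not applicable without X, so a hardened server is not told to widen sshd's surface. Note too that the `sshd_config` resource reads only the top-level file, so a `Match` block that sets `X11Forwarding no` for some users would still pass this test while the STIG's `grep -i x11forwarding` check would surface both lines; where possible, review the effective configuration from `sshd -T`.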
@@ -5206,40 +5076,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75881' do\n title \"The Ubuntu operating system must ignore Internet Protocol version 4\n(IPv4) Internet Control Message Protocol (ICMP) redirect messages.\"\n desc \"Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages modify the host's route table and are\nunauthenticated. An illicit ICMP redirect message could result in a\nman-in-the-middle attack.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75881'\n tag \"rid\": 'SV-90561r2_rule'\n tag \"stig_id\": 'UBTU-16-030570'\n tag \"fix_id\": 'F-82511r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system ignores Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the \\\"accept_redirects\\\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects=0\n\nIf both of the returned lines do not have a value of \\\"0\\\", or a line is not\nreturned, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to ignore Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages\nwith the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under 
\\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.all.accept_redirects=0\"\n\n describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do\n its('value') { should eq 0 }\n end\nend\n", + "code": "control 'V-75855' do\n title \"An application firewall must protect against or limit the effects of\nDenial of Service (DoS) attacks by ensuring the Ubuntu operating system is\nimplementing rate-limiting measures on impacted network interfaces.\"\n desc \"DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of the Ubuntu operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on\nsystem availability. For each system, known and potential DoS attacks must be\nidentified and solutions for each type implemented. A variety of technologies\nexist to limit or, in some cases, eliminate the effects of DoS attacks (e.g.,\nlimiting processes or establishing memory partitions). 
Employing increased\ncapacity and bandwidth, combined with service redundancy, may reduce the\nsusceptibility to some DoS attacks.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000420-GPOS-00186'\n tag \"gid\": 'V-75855'\n tag \"rid\": 'SV-90535r1_rule'\n tag \"stig_id\": 'UBTU-16-030410'\n tag \"fix_id\": 'F-82485r1_fix'\n tag \"cci\": ['CCI-002385']\n tag \"nist\": %w[SC-5 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify an application firewall is configured to rate limit any\nconnection to the system.\n\nCheck that the Uncomplicated Firewall is configured to rate limit any\nconnection to the system with the following command:\n\n# sudo ufw show raw\n\nChain ufw-user-input (1 references)\npkts bytes target prot opt in out source destination\n0 0 ufw-user-limit all -- eth0 * 0.0.0.0/0 0.0.0.0/0\nctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side:\nsource mask: 255.255.255.255\n\n0 0 ufw-user-limit-accept all -- eth0 * 0.0.0.0/0 0.0.0.0/0\n\n\nIf any service is not rate limited by the Uncomplicated Firewall, this is a\nfinding.\"\n desc 'fix', \"Configure the application firewall to protect against or limit\nthe effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating\nsystem is implementing rate-limiting measures on impacted network interfaces.\n\nRun the following command replacing \\\"[service]\\\" with the service that needs\nto be rate limited.\n\n# sudo ufw limit [service]\n\nOr rate-limiting can be done on an interface. 
An example of adding a rate-limit\non the eth0 interface:\n\n# sudo ufw limit in on eth0\"\n\n ufw_status_output = command('ufw status').stdout.strip\n is_ufw_active = !ufw_status_output.lines.first.include?('inactive')\n\n if is_ufw_active\n describe ufw_status_output do\n it { should match /(LIMIT)/ }\n end\n else\n describe 'UFW status is active' do\n subject { is_ufw_active }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75881.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75855.rb", "line": 3 }, - "id": "V-75881" + "id": "V-75855" }, { - "title": "The telnet package must not be installed.", - "desc": "It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. 
Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software, not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", + "title": "The Ubuntu operating system must prevent direct login into the root\naccount.", + "desc": "To assure individual accountability and prevent unauthorized access,\norganizational users must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\nExamples of the group authenticator is the UNIX OS \"root\" user account, the\nWindows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\n For example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials\nand, when needed, 'switch' to the administrator role. 
This method provides for\nunique individual authentication prior to using a group authenticator.\n\n Users (and any processes acting on behalf of users) need to be uniquely\nidentified and authenticated for all accesses other than those accesses\nexplicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the Ubuntu operating system\nwithout identification or authentication.\n\n Requiring individuals to be authenticated with an individual authenticator\nprior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be\ntaken with group account knowledge.", "descriptions": { - "default": "It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. 
Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software, not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", - "check": "Verify that the telnet package is not installed on the Ubuntu\noperating system.\n\nCheck that the telnet daemon is not installed on the Ubuntu operating system by\nrunning the following command:\n\n# sudo apt list telnetd\n\nIf the package is installed, this is a finding.", - "fix": "Remove the telnet package from the Ubuntu operating system by\nrunning the following command:\n\n# sudo apt-get remove telnetd" + "default": "To assure individual accountability and prevent unauthorized access,\norganizational users must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\nExamples of the group authenticator is the UNIX OS \"root\" user account, the\nWindows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\n For example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials\nand, when needed, 'switch' to the administrator role. 
This method provides for\nunique individual authentication prior to using a group authenticator.\n\n Users (and any processes acting on behalf of users) need to be uniquely\nidentified and authenticated for all accesses other than those accesses\nexplicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the Ubuntu operating system\nwithout identification or authentication.\n\n Requiring individuals to be authenticated with an individual authenticator\nprior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be\ntaken with group account knowledge.", + "check": "Verify the Ubuntu operating system prevents direct logins to\nthe root account.\n\nCheck that the Ubuntu operating system prevents direct logins to the root\naccount with the following command:\n\n# grep root /etc/shadow\n\nroot L 11/11/2017 0 99999 7 -1\n\nIf any output is returned and the second field is not an \"L\", this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to prevent direct logins to\nthe root account.\n\nRun the following command to lock the root account:\n\n# passwd -l root" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000074-GPOS-00042", - "satisfies": [ - "SRG-OS-000074-GPOS-00042", - "SRG-OS-000095-GPOS-00049" - ], - "gid": "V-75797", - "rid": "SV-90477r2_rule", - "stig_id": "UBTU-16-030000", - "fix_id": "F-82427r1_fix", + "gtitle": "SRG-OS-000109-GPOS-00056", + "gid": "V-75445", + "rid": "SV-90125r3_rule", + "stig_id": "UBTU-16-010080", + "fix_id": "F-82073r3_fix", "cci": [ - "CCI-000197", - "CCI-000381" + "CCI-000770" ], "nist": [ - "IA-5 (1) (c)", - "CM-7 a", + "IA-2 (5)", "Rev_4" ], "false_negatives": null, 
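Review bot: In the V-75855 body, `ufw_status_output.lines.first.include?('inactive')` raises NoMethodError on nil whenever `ufw status` prints nothing to stdout (ufw not installed, or a non-root run whose error goes to stderr), so the control errors out instead of failing; `is_ufw_active = ufw_status_output.lines.first.to_s.include?('Status: active')` fails closed in both cases. `should match /(LIMIT)/` is also far weaker than the check text: one limited rule anywhere in the output passes, while the STIG calls any service not rate-limited a finding, so either add a comment stating this is a presence check rather than per-service coverage, or compare the ALLOW rules against the LIMIT rules. Separately, the V-75445 check text pairs `grep root /etc/shadow` with the sample output `root L 11/11/2017 0 99999 7 -1`, which is the `passwd -S root` format rather than a shadow entry, and `grep root` would also match any account name containing "root"; that wording is STIG-inherited, so the correction belongs in the check description.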
@@ -5253,34 +5117,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75797' do\n title 'The telnet package must not be installed.'\n desc \"It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software, not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000074-GPOS-00042'\n tag \"satisfies\": %w[SRG-OS-000074-GPOS-00042 SRG-OS-000095-GPOS-00049]\n tag \"gid\": 'V-75797'\n tag \"rid\": 'SV-90477r2_rule'\n tag \"stig_id\": 'UBTU-16-030000'\n tag \"fix_id\": 'F-82427r1_fix'\n tag \"cci\": %w[CCI-000197 CCI-000381]\n tag \"nist\": ['IA-5 (1) (c)', 'CM-7 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu\noperating system.\n\nCheck that the telnet daemon is not installed on the Ubuntu operating system by\nrunning the following command:\n\n# sudo apt list telnetd\n\nIf the package is installed, this is a finding.\"\n 
desc 'fix', \"Remove the telnet package from the Ubuntu operating system by\nrunning the following command:\n\n# sudo apt-get remove telnetd\"\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-75445' do\n title \"The Ubuntu operating system must prevent direct login into the root\naccount.\"\n desc \"To assure individual accountability and prevent unauthorized access,\norganizational users must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\nExamples of the group authenticator is the UNIX OS \\\"root\\\" user account, the\nWindows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\n For example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials\nand, when needed, 'switch' to the administrator role. 
This method provides for\nunique individual authentication prior to using a group authenticator.\n\n Users (and any processes acting on behalf of users) need to be uniquely\nidentified and authenticated for all accesses other than those accesses\nexplicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the Ubuntu operating system\nwithout identification or authentication.\n\n Requiring individuals to be authenticated with an individual authenticator\nprior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be\ntaken with group account knowledge.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000109-GPOS-00056'\n tag \"gid\": 'V-75445'\n tag \"rid\": 'SV-90125r3_rule'\n tag \"stig_id\": 'UBTU-16-010080'\n tag \"fix_id\": 'F-82073r3_fix'\n tag \"cci\": ['CCI-000770']\n tag \"nist\": ['IA-2 (5)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to\nthe root account.\n\nCheck that the Ubuntu operating system prevents direct logins to the root\naccount with the following command:\n\n# grep root /etc/shadow\n\nroot L 11/11/2017 0 99999 7 -1\n\nIf any output is returned and the second field is not an \\\"L\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to\nthe root account.\n\nRun the following command to lock the root account:\n\n# passwd -l root\"\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords') { should include '!*' }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 
16.04 STIG/controls/V-75797.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75445.rb", "line": 3 }, - "id": "V-75797" + "id": "V-75445" }, { - "title": "The SSH private host key files must have mode 0600 or less permissive.", - "desc": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", + "title": "The audit log files in the Ubuntu operating system must have mode 0640\nor less permissive.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", - "check": "Verify the SSH private host key files have mode \"0600\" or\nless permissive.\n\nCheck the mode of the private host key files under \"/etc/ssh\" file with the\nfollowing command:\n\n# ls -alL /etc/ssh/ssh_host*key\n\n-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0600\", this is\na finding.", - "fix": "Configure the mode of SSH private host key files under\n\"/etc/ssh\" to \"0600\" with the following command:\n\n#sudo chmod 0600 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the audit log files have a mode of \"0640\" or less\npermissive.\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \"[log_path]\" in the\nfollowing command:\n\n# sudo ls -lad [log_file] | cut -d' ' -f1\nls -lad /var/log/audit/audit.log | cut -d' ' -f1\n-rw-r-----\n\nIf the audit log file does not have a mode of \"0640\" or less permissive, this\nis a finding.", + "fix": "Configure the octal permission value of the audit log to \"0640\"\nor less permissive.\n\nUse the following command to find where the audit log files are stored on the\nsystem:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \"[log_path]\" in the\nfollowing command:\n\n# sudo chmod 0640 [log_path]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75845", - "rid": "SV-90525r2_rule", - "stig_id": "UBTU-16-030320", - "fix_id": "F-82475r2_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + 
"gid": "V-80963", + "rid": "SV-95675r1_rule", + "stig_id": "UBTU-16-020170", + "fix_id": "F-87823r1_fix", "cci": [ - "CCI-000366" + "CCI-001314" ], "nist": [ - "CM-6 b", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
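Review bot: The root-lock test at the end of the new V-75445 code, `its('passwords') { should include '!*' }`, only passes when root's shadow password field is exactly `!*`; `passwd -l root` (the documented fix) prefixes `!` to whatever is already there, so a root account that held a hash before being locked ends up as `!$6$…` and is reported as a finding even though direct login is prevented, and a bare `*` or `!` is likewise rejected. Matching on the leading lock character, `its('passwords.first') { should match(/^[!*]/) }`, follows the `L` (locked) status the check text looks for, and `passwords.first` fails rather than passing vacuously if no root row comes back. The surrounding `describe.one do … end` wraps a single `describe` and so adds nothing; it can be dropped. Locking the password does not by itself affect key-based SSH login as root (sshd's `PermitRootLogin`), so this check should not be read as covering that path.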
@@ -5294,34 +5158,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75845' do\n title 'The SSH private host key files must have mode 0600 or less permissive.'\n desc \"If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75845'\n tag \"rid\": 'SV-90525r2_rule'\n tag \"stig_id\": 'UBTU-16-030320'\n tag \"fix_id\": 'F-82475r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH private host key files have mode \\\"0600\\\" or\nless permissive.\n\nCheck the mode of the private host key files under \\\"/etc/ssh\\\" file with the\nfollowing command:\n\n# ls -alL /etc/ssh/ssh_host*key\n\n-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \\\"0600\\\", this is\na finding.\"\n desc 'fix', \"Configure the mode of SSH private host key files under\n\\\"/etc/ssh\\\" to \\\"0600\\\" with the following command:\n\n#sudo chmod 0600 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n key_files = command(\"find /etc/ssh -xdev -name '*ssh_host*key' -perm /177\").stdout.split(\"\\n\")\n if !key_files.nil? 
&& !key_files.empty?\n key_files.each do |keyfile|\n describe file(keyfile) do\n it { should_not be_executable.by('user') }\n it { should_not be_readable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_executable.by('group') }\n it { should_not be_readable.by('others') }\n it { should_not be_writable.by('others') }\n it { should_not be_executable.by('others') }\n end\n end\n else\n describe 'No files have a more permissive mode.' do\n subject { key_files.nil? || key_files.empty? }\n it { should eq true }\n end\n end\nend\n", + "code": "control 'V-80963' do\n title \"The audit log files in the Ubuntu operating system must have mode 0640\nor less permissive.\"\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-80963'\n tag \"rid\": 'SV-95675r1_rule'\n tag \"stig_id\": 'UBTU-16-020170'\n tag \"fix_id\": 'F-87823r1_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the audit log files have a mode of \\\"0640\\\" or less\npermissive.\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \\\"[log_path]\\\" in the\nfollowing command:\n\n# sudo ls -lad [log_file] | cut -d' ' -f1\nls -lad /var/log/audit/audit.log | cut -d' ' -f1\n-rw-r-----\n\nIf the audit log file does not have a mode of \\\"0640\\\" or less permissive, this\nis a finding.\"\n desc 'fix', \"Configure the octal permission value of the audit log to \\\"0640\\\"\nor less permissive.\n\nUse the following command to find where the audit log files are stored on the\nsystem:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \\\"[log_path]\\\" in the\nfollowing command:\n\n# sudo chmod 0640 [log_path]\"\n\n log_file_path = auditd_conf.log_file\n if log_file_path.nil?\n describe \"auditd.conf's log_file specification\" do\n subject { log_file_path }\n it { should_not be_nil }\n end\n else\n describe file(log_file_path) do\n it { should exist }\n it { 
should_not be_more_permissive_than('0640') }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75845.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-80963.rb", "line": 3 }, - "id": "V-75845" + "id": "V-80963" }, { - "title": "The system must update the DoD-approved virus scan program every seven\ndays or more frequently.", - "desc": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to check for software and\nvirus definition updates with a frequency no longer than seven days. If a\nmanual process is required to update the virus scan software or definitions, it\nmust be documented with the Information System Security Officer (ISSO).", + "title": "The Information System Security Officer (ISSO) and System\nAdministrator (SA) (at a minimum) must have mail aliases to be notified of an\naudit processing failure.", + "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", "descriptions": { - "default": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to check for software and\nvirus definition updates with a frequency no longer than seven days. If a\nmanual process is required to update the virus scan software or definitions, it\nmust be documented with the Information System Security Officer (ISSO).", - "check": "Verify the system is using a DoD-approved virus scan program\nand the virus definition file is less than seven days old.\n\nCheck for the presence of \"McAfee VirusScan Enterprise for Linux\" with the\nfollowing command:\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux\n\n> Loaded: loaded\n/opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.;\nenabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\nIf the \"nails\" service is not active, check for the presence of \"clamav\" on\nthe system with the following command:\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min 
ago\n\nIf \"McAfee VirusScan Enterprise for Linux\" is active on the system, check the\ndates of the virus definition files with the following command:\n\n# ls -al /opt/NAI/LinuxShield/engine/dat/*.dat\n\n-rwxr-xr-x 1 root root 243217 Mar 5 2017 avvclean.dat\n-rwxr-xr-x 1 root root 16995 Mar 5 2017 avvnames.dat\n-rwxr-xr-x 1 root root 4713245 Mar 5 2017 avvscan.dat\n\nIf the virus definition files have dates older than seven days from the current\ndate, this is a finding.\n\nIf \"clamav\" is active on the system, check the dates of the virus database\nwith the following commands:\n\n# grep -I databasedirectory /etc/clamav.conf\n\nDatabaseDirectory /var/lib/clamav\n\n# ls -al /var/lib/clamav/*.cvd\n\n-rwxr-xr-x 1 root root 149156 Mar 5 2011 daily.cvd\n\nIf the database file has a date older than seven days from the current date,\nthis is a finding.", - "fix": "Update the approved DoD virus scan software and virus definition\nfiles." + "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "check": "Verify that the administrators are notified in the event of an\naudit processing failure.\n\nNote: If postfix is not installed, this is Not Applicable.\n\nCheck that the \"/etc/aliases\" file has a defined value for \"root\".\n\n# sudo grep \"postmaster: *root$\" /etc/aliases\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to notify administrators in\nthe event of an audit processing failure.\n\nAdd/update the following line in \"/etc/aliases\":\n\npostmaster: root" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-78007", - "rid": "SV-92703r1_rule", - "stig_id": "UBTU-16-030910", - "fix_id": "F-84717r1_fix", + "gtitle": "SRG-OS-000046-GPOS-00022", + "gid": "V-75893", + "rid": "SV-90573r2_rule", + "stig_id": "UBTU-16-030700", + "fix_id": "F-82523r1_fix", "cci": [ - "CCI-001668" + "CCI-000139" ], "nist": [ - "SI-3 a", + "AU-5 a", "Rev_4" ], "false_negatives": null, 
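Review bot: The new V-80963 code checks the mode of only the active file named by `auditd_conf.log_file`, while the control title speaks of "audit log files" in the plural; auditd's default rotation writes `audit.log.1`, `audit.log.2`, … into the same directory and those keep whatever mode they had, so if rotated logs are meant to be in scope they are silently skipped. Enumerating the files that share the log's base name with a `command('find …')` call, as other controls in this profile already do, and applying `be_more_permissive_than('0640')` to each closes that gap; the rewritten `else` branch of the embedded InSpec control is below. The check and fix text also switch between `[log_path]` and `[log_file]` as the placeholder name within the same sentence, which is worth aligning. The enclosing `control 'V-80963' do … end` is entirely inside the hunk.
```ruby
  log_file_path = auditd_conf.log_file
  if log_file_path.nil?
    # … unchanged: nil guard describe …
  else
    # auditd rotates into the same directory by default (audit.log.1, …);
    # check every file that shares the configured log's base name
    log_dir = File.dirname(log_file_path)
    log_base = File.basename(log_file_path)
    audit_logs = command("find #{log_dir} -maxdepth 1 -type f -name '#{log_base}*'").stdout.split("\n")
    describe file(log_file_path) do
      it { should exist }
    end
    audit_logs.each do |audit_log|
      describe file(audit_log) do
        it { should_not be_more_permissive_than('0640') }
      end
    end
  end
```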
@@ -5335,34 +5199,38 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-78007' do\n title \"The system must update the DoD-approved virus scan program every seven\ndays or more frequently.\"\n desc \"Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to check for software and\nvirus definition updates with a frequency no longer than seven days. If a\nmanual process is required to update the virus scan software or definitions, it\nmust be documented with the Information System Security Officer (ISSO).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-78007'\n tag \"rid\": 'SV-92703r1_rule'\n tag \"stig_id\": 'UBTU-16-030910'\n tag \"fix_id\": 'F-84717r1_fix'\n tag \"cci\": ['CCI-001668']\n tag \"nist\": ['SI-3 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system is using a DoD-approved virus scan program\nand the virus definition file is less than seven days old.\n\nCheck for the presence of \\\"McAfee VirusScan Enterprise for Linux\\\" with the\nfollowing command:\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux\n\n> Loaded: loaded\n/opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.;\nenabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\nIf the \\\"nails\\\" service is not active, check for the presence of \\\"clamav\\\" on\nthe system with the following command:\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - 
Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\nIf \\\"McAfee VirusScan Enterprise for Linux\\\" is active on the system, check the\ndates of the virus definition files with the following command:\n\n# ls -al /opt/NAI/LinuxShield/engine/dat/*.dat\n\n-rwxr-xr-x 1 root root 243217 Mar 5 2017 avvclean.dat\n-rwxr-xr-x 1 root root 16995 Mar 5 2017 avvnames.dat\n-rwxr-xr-x 1 root root 4713245 Mar 5 2017 avvscan.dat\n\nIf the virus definition files have dates older than seven days from the current\ndate, this is a finding.\n\nIf \\\"clamav\\\" is active on the system, check the dates of the virus database\nwith the following commands:\n\n# grep -I databasedirectory /etc/clamav.conf\n\nDatabaseDirectory /var/lib/clamav\n\n# ls -al /var/lib/clamav/*.cvd\n\n-rwxr-xr-x 1 root root 149156 Mar 5 2011 daily.cvd\n\nIf the database file has a date older than seven days from the current date,\nthis is a finding.\n\"\n desc 'fix', \"Update the approved DoD virus scan software and virus definition\nfiles.\"\n\n org_name = input('org_name')\n is_antivirus_active = false\n seven_days = 604_800 # (7 days * 24 hours * 60 minutes * 60 seconds)\n\n def_files = command('find /opt/NAI/LinuxShield/engine/dat -type f -name *.dat').stdout.split(\"\\n\")\n if service('nails').installed? && service('nails').enabled? && service('nails').running?\n if !def_files.nil? && !def_files.empty?\n def_files.each do |deffile|\n describe file(deffile) do\n its('mtime') { should >= Time.now.to_i - seven_days }\n end\n end\n else\n describe 'No McAfee VirusScan Enterprise for Linux definition files have been found' do\n subject { def_files.nil? || def_files.empty? }\n it { should eq false }\n end\n end\n is_antivirus_active = true\n end\n\n def_files = command('find /var/lib/clamav -type f -name *.cvd').stdout.split(\"\\n\")\n if service('clamav-daemon.service').installed? 
&& service('clamav-daemon.service').enabled? && service('clamav-daemon.service').running?\n if !def_files.nil? && !def_files.empty?\n def_files.each do |deffile|\n describe file(deffile) do\n its('mtime') { should >= Time.now.to_i - seven_days }\n end\n end\n else\n describe 'No ClamAV definition files have been found' do\n subject { def_files.nil? || def_files.empty? }\n it { should eq false }\n end\n end\n is_antivirus_active = true\n end\n\n unless is_antivirus_active\n describe ('No ' + org_name + '-approved virus scan program is found to be active on the system') do\n subject { is_antivirus_active }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75893' do\n title \"The Information System Security Officer (ISSO) and System\nAdministrator (SA) (at a minimum) must have mail aliases to be notified of an\naudit processing failure.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000046-GPOS-00022'\n tag \"gid\": 'V-75893'\n tag \"rid\": 'SV-90573r2_rule'\n tag \"stig_id\": 'UBTU-16-030700'\n tag \"fix_id\": 'F-82523r1_fix'\n tag \"cci\": ['CCI-000139']\n tag \"nist\": ['AU-5 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag 
\"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the administrators are notified in the event of an\naudit processing failure.\n\nNote: If postfix is not installed, this is Not Applicable.\n\nCheck that the \\\"/etc/aliases\\\" file has a defined value for \\\"root\\\".\n\n# sudo grep \\\"postmaster: *root$\\\" /etc/aliases\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to notify administrators in\nthe event of an audit processing failure.\n\nAdd/update the following line in \\\"/etc/aliases\\\":\n\npostmaster: root\"\n\n is_postfix_installed = package('postfix').installed?\n\n if is_postfix_installed\n describe command('grep \"postmaster: *root$\" /etc/aliases') do\n its('stdout') { should_not be_empty }\n end\n else\n impact 0\n describe 'Control Not Applicable as postfix is not installed' do\n subject { is_postfix_installed }\n it { should be false }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-78007.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75893.rb", "line": 3 }, - "id": "V-78007" + "id": "V-75893" }, { - "title": "The /var/log directory must have mode 0770 or less permissive.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The Ubuntu operating system must require users to re-authenticate for\nprivilege escalation and changing roles.", + "desc": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When Ubuntu operating systems provide the capability to escalate a\nfunctional capability or change security roles, it is critical the user\nre-authenticate.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the \"/var/log\" directory has a mode of \"0770\"\nor less.\n\nCheck the mode of the \"/var/log\" directory with the following command:\n\n# stat -c \"%a %n\" /var/log\n\n770\n\nIf a value of \"0770\" or less permissive is not returned, this is a finding.", - "fix": "Change the permissions of the directory \"/var/log\" to \"0770\"\nby running the following command:\n\n# sudo chmod 0770 /var/log" + "default": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When Ubuntu operating systems provide the capability to escalate a\nfunctional capability or change security roles, it is critical the user\nre-authenticate.", + "check": "Verify that \"/etc/sudoers\" has no occurrences of \"NOPASSWD\"\nor \"!authenticate\".\n\nCheck that the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or\n\"!authenticate\" by running the following command:\n\n# sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/*\n\n%wheel ALL=(ALL) NOPASSWD: ALL\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding.", + "fix": "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found\nin \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-75597", - "rid": "SV-90277r3_rule", - "stig_id": "UBTU-16-010960", - "fix_id": "F-82225r2_fix", + "gtitle": "SRG-OS-000373-GPOS-00156", + "satisfies": [ + "SRG-OS-000373-GPOS-00156", + "SRG-OS-000373-GPOS-00157" + ], + "gid": "V-75489", + "rid": "SV-90169r2_rule", + "stig_id": "UBTU-16-010300", + "fix_id": "F-82117r2_fix", "cci": [ - "CCI-001314" + "CCI-002038" ], "nist": [ - "SI-11 b", + "IA-11", "Rev_4" ], "false_negatives": null, 
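Review bot: The exported metadata records `"impact": 0` for V-75893 while the control's code declares `impact 0.5` and only lowers it to 0 at runtime when postfix is absent, so this baseline will present the control as zero-impact to every consumer regardless of the target it is later evaluated against; the stored value should be 0.5 to match the code, as it does for V-75489 in the same hunk. Separately, the check `grep "postmaster: *root$" /etc/aliases` also matches a commented-out line such as `#postmaster: root`, even though the check text counts a commented-out line as a finding; anchoring it, `describe command('grep -E "^[[:space:]]*postmaster:[[:space:]]*root[[:space:]]*$" /etc/aliases') do`, closes that gap. The fix text edits `/etc/aliases` but does not mention running `newaliases`, without which postfix does not pick up the change.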
@@ -5376,34 +5244,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75597' do\n title 'The /var/log directory must have mode 0770 or less permissive.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75597'\n tag \"rid\": 'SV-90277r3_rule'\n tag \"stig_id\": 'UBTU-16-010960'\n tag \"fix_id\": 'F-82225r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the \\\"/var/log\\\" directory has a mode of \\\"0770\\\"\nor less.\n\nCheck the mode of the \\\"/var/log\\\" directory with the following command:\n\n# stat -c \\\"%a %n\\\" /var/log\n\n770\n\nIf a value of \\\"0770\\\" or less permissive is not returned, this is a finding.\"\n desc 'fix', \"Change the permissions of the directory \\\"/var/log\\\" to \\\"0770\\\"\nby running the following command:\n\n# sudo chmod 0770 /var/log\"\n\n describe directory('/var/log') do\n it { should_not 
be_more_permissive_than('0770') }\n end\nend\n", + "code": "control 'V-75489' do\n title \"The Ubuntu operating system must require users to re-authenticate for\nprivilege escalation and changing roles.\"\n desc \"Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When Ubuntu operating systems provide the capability to escalate a\nfunctional capability or change security roles, it is critical the user\nre-authenticate.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00156'\n tag \"satisfies\": %w[SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157]\n tag \"gid\": 'V-75489'\n tag \"rid\": 'SV-90169r2_rule'\n tag \"stig_id\": 'UBTU-16-010300'\n tag \"fix_id\": 'F-82117r2_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": %w[IA-11 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that \\\"/etc/sudoers\\\" has no occurrences of \\\"NOPASSWD\\\"\nor \\\"!authenticate\\\".\n\nCheck that the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or\n\\\"!authenticate\\\" by running the following command:\n\n# sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/*\n\n%wheel ALL=(ALL) NOPASSWD: ALL\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding.\"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found\nin \\\"/etc/sudoers\\\" file or files in the \\\"/etc/sudoers.d\\\" directory.\"\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 
STIG/controls/V-75597.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75489.rb", "line": 3 }, - "id": "V-75597" + "id": "V-75489" }, { - "title": "File systems that contain user home directories must be mounted to\nprevent files with the setuid and setguid bit set from being executed.", - "desc": "The \"nosuid\" mount option causes the system to not execute setuid\nand setgid files with owner privileges. This option must be used for mounting\nany file system not containing approved setuid and setguid files. Executing\nfiles from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "title": "Passwords must be prohibited from reuse for a minimum of five\ngenerations.", + "desc": "Password complexity, or strength, is a measure of the effectiveness of\na password in resisting attempts at guessing and brute-force attacks. If the\ninformation system or application allows the user to consecutively reuse their\npassword when that password has exceeded its defined lifetime, the end result\nis a password that is not changed as per policy requirements.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system to not execute setuid\nand setgid files with owner privileges. This option must be used for mounting\nany file system not containing approved setuid and setguid files. 
Executing\nfiles from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", - "check": "Verify file systems that contain user home directories are\nmounted with the \"nosuid\" option.\n\nNote: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is not a\nfinding as the \"nosuid\" option cannot be used on the \"/\" system.\n\nFind the file system(s) that contain the user home directories with the\nfollowing command:\n\n# awk -F: '($3>=1000)&&($1!=\"nobody\"){print $1,$3,$6}' /etc/passwd\n\nsmithj:1001: /home/smithj\nrobinst:1002: /home/robinst\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid 0 2\n\nIf a file system found in \"/etc/fstab\" refers to the user home directory file\nsystem and it does not have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file\nsystems that contain user home directories for interactive users." + "default": "Password complexity, or strength, is a measure of the effectiveness of\na password in resisting attempts at guessing and brute-force attacks. 
If the\ninformation system or application allows the user to consecutively reuse their\npassword when that password has exceeded its defined lifetime, the end result\nis a password that is not changed as per policy requirements.", + "check": "Verify that the Ubuntu operating system prevents passwords from\nbeing reused for a minimum of five generations by running the following command:\n\n# grep -i remember /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\nrounds=5000\n\nIf the \"remember\" parameter value is not greater than or equal to \"5\", is\ncommented out, or is not set at all this is a finding.", + "fix": "Configure the Ubuntu operating system prevents passwords from\nbeing reused for a minimum of five generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\nrounds=5000" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75575", - "rid": "SV-90255r2_rule", - "stig_id": "UBTU-16-010800", - "fix_id": "F-82203r1_fix", + "gtitle": "SRG-OS-000077-GPOS-00045", + "gid": "V-75475", + "rid": "SV-90155r2_rule", + "stig_id": "UBTU-16-010230", + "fix_id": "F-82103r2_fix", "cci": [ - "CCI-000366" + "CCI-000200" ], "nist": [ - "CM-6 b", + "IA-5 (1) (e)", "Rev_4" ], "false_negatives": null, 
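Review bot: The V-75489 test in the `code` field asserts only `its('stdout.strip') { should be_empty }`, so an `egrep` that cannot read `/etc/sudoers` (root-owned, mode 0440 on Ubuntu) or `/etc/sudoers.d/` prints nothing to stdout and the control passes — a silent false negative whenever the profile is run without root. Asserting the exit status as well separates "no match" from "error", since grep returns 1 for no matches and 2 on failure: add `its('exit_status') { should eq 1 }` next to the stdout expectation. The pattern also fires on commented-out lines (`# ... NOPASSWD ...`), which is a false positive rather than a miss but could be filtered with `grep -vE '^\s*#'` before the match; the STIG check text itself does not exclude comments, so note the deviation if you add it.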
@@ -5417,53 +5285,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75575' do\n title \"File systems that contain user home directories must be mounted to\nprevent files with the setuid and setguid bit set from being executed.\"\n desc \"The \\\"nosuid\\\" mount option causes the system to not execute setuid\nand setgid files with owner privileges. This option must be used for mounting\nany file system not containing approved setuid and setguid files. Executing\nfiles from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75575'\n tag \"rid\": 'SV-90255r2_rule'\n tag \"stig_id\": 'UBTU-16-010800'\n tag \"fix_id\": 'F-82203r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify file systems that contain user home directories are\nmounted with the \\\"nosuid\\\" option.\n\nNote: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \\\"/\\\"), this is not a\nfinding as the \\\"nosuid\\\" option cannot be used on the \\\"/\\\" system.\n\nFind the file system(s) that contain the user home directories with the\nfollowing command:\n\n# awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $1,$3,$6}' /etc/passwd\n\nsmithj:1001: /home/smithj\nrobinst:1002: /home/robinst\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid 0 2\n\nIf a file 
system found in \\\"/etc/fstab\\\" refers to the user home directory file\nsystem and it does not have the \\\"nosuid\\\" option set, this is a finding.\"\n desc 'fix', \"Configure the \\\"/etc/fstab\\\" to use the \\\"nosuid\\\" option on file\nsystems that contain user home directories for interactive users.\"\n\n known_system_mount_points = input('known_system_mount_points')\n fstab_mount_points = etc_fstab.entries.map(&:mount_point)\n other_mount_points = fstab_mount_points - known_system_mount_points\n\n if other_mount_points.count > 0\n other_mount_points.each do |mount_point|\n describe mount(mount_point) do\n its('options') { should include 'nosuid' }\n end\n end\n else\n describe 'Separate file system has not been detected for the user home directories' do\n subject { other_mount_points }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75475' do\n title \"Passwords must be prohibited from reuse for a minimum of five\ngenerations.\"\n desc \"Password complexity, or strength, is a measure of the effectiveness of\na password in resisting attempts at guessing and brute-force attacks. 
If the\ninformation system or application allows the user to consecutively reuse their\npassword when that password has exceeded its defined lifetime, the end result\nis a password that is not changed as per policy requirements.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000077-GPOS-00045'\n tag \"gid\": 'V-75475'\n tag \"rid\": 'SV-90155r2_rule'\n tag \"stig_id\": 'UBTU-16-010230'\n tag \"fix_id\": 'F-82103r2_fix'\n tag \"cci\": ['CCI-000200']\n tag \"nist\": ['IA-5 (1) (e)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system prevents passwords from\nbeing reused for a minimum of five generations by running the following command:\n\n# grep -i remember /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\nrounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater than or equal to \\\"5\\\", is\ncommented out, or is not set at all this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system prevents passwords from\nbeing reused for a minimum of five generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\nrounds=5000\"\n\n min_num_password_generations = input('min_num_password_generations')\n\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp min_num_password_generations }\n end\nend\n", 
"source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75575.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75475.rb", "line": 3 }, - "id": "V-75575" + "id": "V-75475" }, { - "title": "The audit system must be configured to audit any usage of the\nremovexattr system call.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "If the Trivial File Transfer Protocol (TFTP) server is required, the\nTFTP daemon must be configured to operate in secure mode.", + "desc": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", "descriptions": { - "default": "Without the capability to generate audit 
records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"removexattr\" system call, by running the following\ncommand:\n\n# sudo grep -w removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"removexattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S removexattr -F 
auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", + "check": "Verify the Trivial File Transfer Protocol (TFTP) daemon is\nconfigured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1\nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n# grep TFTP_OPTIONS /etc/default/tftpd-hpa\nTFTP_OPTIONS=\"--secure\"\n\nIf \"--secure\" is not listed in the TFTP_OPTIONS, this is a finding.", + "fix": "Configure the Trivial File Transfer Protocol (TFTP) daemon to\noperate in the secure mode by adding the \"--secure\" option to TFTP_OPTIONS in\n/etc/default/tftpd-hpa and restart the tftpd daemon." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000474-GPOS-00219" - ], - "gid": "V-75723", - "rid": "SV-90403r2_rule", - "stig_id": "UBTU-16-020490", - "fix_id": "F-82351r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75899", + "rid": "SV-90579r1_rule", + "stig_id": "UBTU-16-030730", + "fix_id": "F-82529r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
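Review bot: The V-75475 test in the `code` field uses `its('stdout.strip') { should cmp min_num_password_generations }`, an equality check, while the check text accepts any `remember` value "greater than or equal to 5", so a host configured with `remember=10` is reported as a finding; `should cmp >= min_num_password_generations` matches the stated requirement. The `grep -i remember ... | sed` pipeline also accepts a commented-out line — `# password ... pam_unix.so ... remember=5` still yields `5` after the sed — which passes the control with no reuse protection in effect; restricting the grep to active `password` lines, e.g. `grep -iE '^\s*password.*remember=' /etc/pam.d/common-password`, closes that gap. Separately, the new V-75899 entry records `"impact": 0` while its own `code` declares `impact 0.5` and only lowers it at runtime when `tftpd-hpa` is absent, so the baseline appears to have captured the Not-Applicable impact of the host it was generated on rather than the control's severity; consumers of this profile will show TFTP as severity-less.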
@@ -5477,34 +5326,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75723' do\n title \"The audit system must be configured to audit any usage of the\nremovexattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75723'\n tag \"rid\": 'SV-90403r2_rule'\n tag \"stig_id\": 'UBTU-16-020490'\n tag 
\"fix_id\": 'F-82351r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"removexattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"removexattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('removexattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('removexattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75899' do\n title \"If the Trivial File Transfer Protocol (TFTP) server is required, the\nTFTP daemon must be configured to operate in secure mode.\"\n desc \"Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75899'\n tag \"rid\": 'SV-90579r1_rule'\n tag \"stig_id\": 'UBTU-16-030730'\n tag \"fix_id\": 'F-82529r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Trivial File Transfer Protocol (TFTP) daemon is\nconfigured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1\nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n# grep TFTP_OPTIONS /etc/default/tftpd-hpa\nTFTP_OPTIONS=\\\"--secure\\\"\n\nIf \\\"--secure\\\" is not listed in the TFTP_OPTIONS, this is a finding.\"\n desc 'fix', \"Configure the Trivial File Transfer Protocol (TFTP) 
daemon to\noperate in the secure mode by adding the \\\"--secure\\\" option to TFTP_OPTIONS in\n/etc/default/tftpd-hpa and restart the tftpd daemon.\"\n\n is_installed = package('tftpd-hpa').installed?\n if is_installed\n tftp_options = command('grep TFTP_OPTIONS /etc/default/tftpd-hpa').stdout.strip\n describe tftp_options do\n it { should match /(--secure)/ }\n end\n else\n impact 0\n describe 'No TFTP server is installed' do\n skip 'This control is Not Applicable as a TFTP server has not been installed on this server.'\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75723.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75899.rb", "line": 3 }, - "id": "V-75723" + "id": "V-75899" }, { - "title": "All local interactive user accounts, upon creation, must be assigned a\nhome directory.", - "desc": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "title": "The SSH daemon must be configured to only use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.", + "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.", "descriptions": { - "default": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", - "check": "Verify all local interactive users on the Ubuntu operating\nsystem are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local\ninteractive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is\nmissing, or the line is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to assign home directories\nto all new local interactive users by setting the \"CREATE_HOME\" parameter in\n\"/etc/login.defs\" to \"yes\" as follows.\n\nCREATE_HOME yes" + "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.", + "check": "Verify the SSH daemon is configured to only use Message\nAuthentication Codes (MACs) that employ FIPS 140-2 approved ciphers.\n\nCheck that the SSH daemon is configured to only use MACs that employ FIPS 140-2\napproved ciphers with the following command:\n\n# sudo grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than \"hmac-sha2-256\" or \"hmac-sha2-512\" are listed, or\nthe retuned line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow the SSH daemon to\nonly use Message Authentication Codes (MACs) that employ FIPS 140-2 approved\nciphers.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"MACs\" keyword and set its value to \"hmac-sha2-256\" and/or\n\"hmac-sha2-512\":\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75561", - "rid": "SV-90241r1_rule", - "stig_id": "UBTU-16-010730", - "fix_id": "F-82189r1_fix", + "gtitle": "SRG-OS-000250-GPOS-00093", + "satisfies": [ + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174" + ], + "gid": "V-75831", + "rid": "SV-90511r2_rule", + "stig_id": "UBTU-16-030240", + "fix_id": "F-82461r2_fix", "cci": [ - "CCI-000366" + "CCI-001453", + "CCI-002890", + "CCI-003123" ], "nist": [ - "CM-6 b", + "AC-17 (2)", + "MA-4 (6)", + "MA-4 (6)", "Rev_4" ], "false_negatives": null, 
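Review bot: The V-75899 test in the `code` field runs `grep TFTP_OPTIONS /etc/default/tftpd-hpa` and passes if any output matches `/(--secure)/`, so a commented-out `#TFTP_OPTIONS="--secure"` satisfies the control while the running daemon has no `--secure` — a false negative on exactly the configuration the control exists to catch. Anchoring the grep to an uncommented assignment, `command("grep -E '^\\s*TFTP_OPTIONS=' /etc/default/tftpd-hpa")`, restricts the match to lines the init script would actually source. If the file can carry more than one uncommented assignment the last one wins when sourced, so matching on the final line of that output (or reading the key with `parse_config_file`) would be more faithful still; that is presumably rare, but worth a comment in the control.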
@@ -5518,34 +5376,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75561' do\n title \"All local interactive user accounts, upon creation, must be assigned a\nhome directory.\"\n desc \"If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75561'\n tag \"rid\": 'SV-90241r1_rule'\n tag \"stig_id\": 'UBTU-16-010730'\n tag \"fix_id\": 'F-82189r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all local interactive users on the Ubuntu operating\nsystem are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local\ninteractive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for \\\"CREATE_HOME\\\" parameter is not set to \\\"yes\\\", the line is\nmissing, or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to assign home directories\nto all new local interactive users by setting the \\\"CREATE_HOME\\\" parameter in\n\\\"/etc/login.defs\\\" to \\\"yes\\\" as follows.\n\nCREATE_HOME yes\"\n\n describe login_defs do\n its('CREATE_HOME') { should match /yes/ }\n end\nend\n", + "code": "control 'V-75831' do\n title \"The SSH daemon must be configured to only use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.\"\n desc \"Without cryptographic integrity protections, information can be\naltered by 
unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000250-GPOS-00093'\n tag \"satisfies\": %w[SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173\n SRG-OS-000394-GPOS-00174]\n tag \"gid\": 'V-75831'\n tag \"rid\": 'SV-90511r2_rule'\n tag \"stig_id\": 'UBTU-16-030240'\n tag \"fix_id\": 'F-82461r2_fix'\n tag \"cci\": %w[CCI-001453 CCI-002890 CCI-003123]\n tag \"nist\": ['AC-17 (2)', 'MA-4 (6)', 'MA-4 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon is configured to only use Message\nAuthentication Codes (MACs) that employ FIPS 140-2 approved ciphers.\n\nCheck that the SSH daemon is configured to only use MACs that employ FIPS 140-2\napproved ciphers with the following command:\n\n# sudo grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than \\\"hmac-sha2-256\\\" or \\\"hmac-sha2-512\\\" are listed, or\nthe retuned line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to\nonly use Message Authentication Codes (MACs) that employ 
FIPS 140-2 approved\nciphers.\n\nEdit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the\n\\\"MACs\\\" keyword and set its value to \\\"hmac-sha2-256\\\" and/or\n\\\"hmac-sha2-512\\\":\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w[hmac-sha2-256 hmac-sha2-512] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75561.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75831.rb", "line": 3 }, - "id": "V-75561" + "id": "V-75831" }, { - "title": "The Ubuntu operating system must not permit direct logons to the root\naccount using remote access via SSH.", - "desc": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", + "title": "The /var/log/syslog file must be owned by syslog.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", - "check": "Verify remote access using SSH prevents users from logging on\ndirectly as \"root\".\n\nCheck that SSH prevents users from logging on directly as \"root\" with the\nfollowing command:\n\n# grep PermitRootLogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is\ncommented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to stop users from logging\non remotely as the \"root\" user via SSH.\n\nEdit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the\nline for the \"PermitRootLogin\" keyword and set its value to \"no\":\n\nPermitRootLogin no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the /var/log/syslog file is owned by syslog.\n\nCheck that the /var/log/syslog file is owned by syslog with the following\ncommand:\n\n# ls -la /var/log/syslog | cut -d' ' -f3\n\nsyslog\n\nIf \"syslog\" is not returned as a result, this is a finding.", + "fix": "Change the owner of the file /var/log/syslog to syslog by running\nthe following command:\n\n# sudo chown syslog /var/log/syslog" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75827", - "rid": "SV-90507r2_rule", - "stig_id": "UBTU-16-030220", - "fix_id": "F-82457r2_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-75601", + "rid": "SV-90281r2_rule", + "stig_id": "UBTU-16-010980", + "fix_id": "F-82229r1_fix", "cci": [ - "CCI-000366" + "CCI-001314" ], "nist": [ - "CM-6 b", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
@@ -5559,38 +5417,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75827' do\n title \"The Ubuntu operating system must not permit direct logons to the root\naccount using remote access via SSH.\"\n desc \"Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75827'\n tag \"rid\": 'SV-90507r2_rule'\n tag \"stig_id\": 'UBTU-16-030220'\n tag \"fix_id\": 'F-82457r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify remote access using SSH prevents users from logging on\ndirectly as \\\"root\\\".\n\nCheck that SSH prevents users from logging on directly as \\\"root\\\" with the\nfollowing command:\n\n# grep PermitRootLogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the \\\"PermitRootLogin\\\" keyword is set to \\\"yes\\\", is missing, or is\ncommented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to stop users from logging\non remotely as the \\\"root\\\" user via SSH.\n\nEdit the appropriate \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the\nline for the \\\"PermitRootLogin\\\" keyword and set its value to \\\"no\\\":\n\nPermitRootLogin no\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('PermitRootLogin') { should cmp 'no' }\n end\nend\n", + "code": "control 'V-75601' do\n title 'The /var/log/syslog file must be owned by syslog.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75601'\n tag \"rid\": 'SV-90281r2_rule'\n tag \"stig_id\": 'UBTU-16-010980'\n tag \"fix_id\": 'F-82229r1_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the /var/log/syslog file is owned by syslog.\n\nCheck that the /var/log/syslog file is owned by syslog with the following\ncommand:\n\n# ls -la /var/log/syslog | cut -d' ' -f3\n\nsyslog\n\nIf \\\"syslog\\\" is not returned as a result, this is a finding.\"\n desc 'fix', \"Change the owner of the file /var/log/syslog to syslog by running\nthe following command:\n\n# sudo chown syslog /var/log/syslog\"\n\n describe 
file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75827.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75601.rb", "line": 3 }, - "id": "V-75827" + "id": "V-75601" }, { - "title": "The Ubuntu operating system for all network connections associated\nwith SSH traffic must immediately terminate at the end of the session or after\n10 minutes of inactivity.", - "desc": "Automatic session termination addresses the termination of\nuser-initiated logical sessions in contrast to the termination of network\nconnections that are associated with communications sessions (i.e., network\ndisconnect). A logical session (for local, network, and remote access) is\ninitiated whenever a user (or process acting on behalf of a user) accesses an\norganizational information system. Such user sessions can be terminated (and\nthus terminate user access) without terminating network sessions.\n\n Session termination terminates all processes associated with a user's\nlogical session except those processes that are specifically created by the\nuser (i.e., session owner) to continue after the session is terminated.\n\n Conditions or trigger events requiring automatic session termination can\ninclude, for example, organization-defined periods of user inactivity, targeted\nresponses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\n This capability is typically reserved for specific Ubuntu operating system\nfunctionality where the system owner, data owner, or organization requires\nadditional assurance.", + "title": "An X Windows display manager must not be installed unless approved.", + "desc": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system. 
X\nWindows has a long history of security vulnerabilities and will not be used\nunless approved and documented.", "descriptions": { - "default": "Automatic session termination addresses the termination of\nuser-initiated logical sessions in contrast to the termination of network\nconnections that are associated with communications sessions (i.e., network\ndisconnect). A logical session (for local, network, and remote access) is\ninitiated whenever a user (or process acting on behalf of a user) accesses an\norganizational information system. Such user sessions can be terminated (and\nthus terminate user access) without terminating network sessions.\n\n Session termination terminates all processes associated with a user's\nlogical session except those processes that are specifically created by the\nuser (i.e., session owner) to continue after the session is terminated.\n\n Conditions or trigger events requiring automatic session termination can\ninclude, for example, organization-defined periods of user inactivity, targeted\nresponses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\n This capability is typically reserved for specific Ubuntu operating system\nfunctionality where the system owner, data owner, or organization requires\nadditional assurance.", - "check": "Verify that all network connections associated with SSH traffic\nare automatically terminated at the end of the session or after \"10\" minutes\nof inactivity.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or\nless by performing the following command:\n\n# sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nClientAliveCountMax 1\n\nIf \"ClientAliveInterval\" or \"ClientAliveCountMax\" does not exist,\n\"ClientAliveInterval\" is not set to a value of \"600\" or less and\n\"ClientAliveCountMax\" is not set to a value of \"1\" or greater in\n\"/etc/ssh/sshd_config\", or either line is commented out, this is 
a finding.", - "fix": "Configure the Ubuntu operating system to automatically terminate\nall network connections associated with SSH traffic at the end of a session or\nafter a \"10\" minute period of inactivity.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file\nreplacing \"[Interval]\" with a value of \"600\" or less and \"[CountMax] with\na value of \"1\" or greater:\n\nClientAliveInterval 600\n\nClientAliveCountMax 1\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n# sudo systemctl restart sshd.service" + "default": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system. X\nWindows has a long history of security vulnerabilities and will not be used\nunless approved and documented.", + "check": "Verify that if X Windows is installed it is authorized.\n\nCheck for the X11 package with the following command:\n\n# dpkg -l | grep lightdm\n\nAsk the System Administrator if use of the X Windows system is an operational\nrequirement.\n\nIf the use of X Windows on the system is not documented with the Information\nSystem Security Officer (ISSO), this is a finding.", + "fix": "Document the requirement for an X Windows server with the\nInformation System Security Officer (ISSO) or remove the related packages with\nthe following commands:\n\n# sudo apt-get purge lightdm" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000163-GPOS-00072", - "gid": "V-75837", - "rid": "SV-90517r2_rule", - "stig_id": "UBTU-16-030270", - "fix_id": "F-82467r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75901", + "rid": "SV-90581r1_rule", + "stig_id": "UBTU-16-030740", + "fix_id": "F-82531r1_fix", "cci": [ - "CCI-000879", - "CCI-001133", - "CCI-002361" + "CCI-000366" ], "nist": [ - "MA-4 e", - "SC-10", - "AC-12", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -5604,34 +5458,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75837' do\n title \"The Ubuntu operating system for all network connections associated\nwith SSH traffic must immediately terminate at the end of the session or after\n10 minutes of inactivity.\"\n desc \"Automatic session termination addresses the termination of\nuser-initiated logical sessions in contrast to the termination of network\nconnections that are associated with communications sessions (i.e., network\ndisconnect). A logical session (for local, network, and remote access) is\ninitiated whenever a user (or process acting on behalf of a user) accesses an\norganizational information system. Such user sessions can be terminated (and\nthus terminate user access) without terminating network sessions.\n\n Session termination terminates all processes associated with a user's\nlogical session except those processes that are specifically created by the\nuser (i.e., session owner) to continue after the session is terminated.\n\n Conditions or trigger events requiring automatic session termination can\ninclude, for example, organization-defined periods of user inactivity, targeted\nresponses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\n This capability is typically reserved for specific Ubuntu operating system\nfunctionality where the system owner, data owner, or organization requires\nadditional assurance.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000163-GPOS-00072'\n tag \"gid\": 'V-75837'\n tag \"rid\": 'SV-90517r2_rule'\n tag \"stig_id\": 'UBTU-16-030270'\n tag \"fix_id\": 'F-82467r2_fix'\n tag \"cci\": %w[CCI-000879 CCI-001133 CCI-002361]\n tag \"nist\": ['MA-4 e', 'SC-10', 'AC-12', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag 
\"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all network connections associated with SSH traffic\nare automatically terminated at the end of the session or after \\\"10\\\" minutes\nof inactivity.\n\nCheck that the \\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or\nless by performing the following command:\n\n# sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nClientAliveCountMax 1\n\nIf \\\"ClientAliveInterval\\\" or \\\"ClientAliveCountMax\\\" does not exist,\n\\\"ClientAliveInterval\\\" is not set to a value of \\\"600\\\" or less and\n\\\"ClientAliveCountMax\\\" is not set to a value of \\\"1\\\" or greater in\n\\\"/etc/ssh/sshd_config\\\", or either line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate\nall network connections associated with SSH traffic at the end of a session or\nafter a \\\"10\\\" minute period of inactivity.\n\nModify or append the following lines in the \\\"/etc/ssh/sshd_config\\\" file\nreplacing \\\"[Interval]\\\" with a value of \\\"600\\\" or less and \\\"[CountMax] with\na value of \\\"1\\\" or greater:\n\nClientAliveInterval 600\n\nClientAliveCountMax 1\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n# sudo systemctl restart sshd.service\"\n\n client_alive_interval = input('client_alive_interval')\n client_alive_count_max = input('client_alive_count_max')\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp <= client_alive_interval }\n its('ClientAliveCountMax') { should cmp >= client_alive_count_max }\n end\nend\n", + "code": "control 'V-75901' do\n title 'An X Windows display manager must not be installed unless approved.'\n desc \"Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system. 
X\nWindows has a long history of security vulnerabilities and will not be used\nunless approved and documented.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75901'\n tag \"rid\": 'SV-90581r1_rule'\n tag \"stig_id\": 'UBTU-16-030740'\n tag \"fix_id\": 'F-82531r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that if X Windows is installed it is authorized.\n\nCheck for the X11 package with the following command:\n\n# dpkg -l | grep lightdm\n\nAsk the System Administrator if use of the X Windows system is an operational\nrequirement.\n\nIf the use of X Windows on the system is not documented with the Information\nSystem Security Officer (ISSO), this is a finding.\"\n desc 'fix', \"Document the requirement for an X Windows server with the\nInformation System Security Officer (ISSO) or remove the related packages with\nthe following commands:\n\n# sudo apt-get purge lightdm\"\n\n describe package('lightdm') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75837.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75901.rb", "line": 3 }, - "id": "V-75837" + "id": "V-75901" }, { - "title": "A separate file system must be used for user home directories (such as\n/home or an equivalent).", - "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "title": "All remote access methods must be monitored.", + "desc": "Remote access services, such as those providing remote access to\nnetwork devices and information systems, 
which lack automated monitoring\ncapabilities, increase risk and make remote user access management difficult at\nbest.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Automated monitoring of remote access sessions allows organizations to\ndetect cyber attacks and also ensure ongoing compliance with remote access\npolicies by auditing connection activities of remote access capabilities, such\nas Remote Desktop Protocol (RDP), on a variety of information system components\n(e.g., servers, workstations, notebook computers, smartphones, and tablets).", "descriptions": { - "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", - "check": "Verify that a separate file system/partition has been created\nfor non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users, users with a\nUser Identifier (UID) greater than 1000, on the system with the following\ncommand:\n\n# awk -F: '($3>=1000)&&($1!=\"nobody\"){print $1,$3,$6}' /etc/passwd\n\nadamsj 1001 /home/adamsj\njacksonm 1002 /home/jacksonm\nsmithj 1003 /home/smithj\n\nThe output of the command will give the directory/partition that contains the\nhome directories for the non-privileged users on the system (in this example,\n\"/home\") and users’ shell. 
All accounts with a valid shell (such as\n/bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged\ninteractive users with the following command:\n\nNote: The partition of \"/home\" is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the\nnon-privileged interactive users' home directories does not exist, this is a\nfinding.", - "fix": "Migrate the \"/home\" directory onto a separate file\nsystem/partition." + "default": "Remote access services, such as those providing remote access to\nnetwork devices and information systems, which lack automated monitoring\ncapabilities, increase risk and make remote user access management difficult at\nbest.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Automated monitoring of remote access sessions allows organizations to\ndetect cyber attacks and also ensure ongoing compliance with remote access\npolicies by auditing connection activities of remote access capabilities, such\nas Remote Desktop Protocol (RDP), on a variety of information system components\n(e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "check": "Verify that the Ubuntu operating system monitors all remote\naccess methods.\n\nCheck that remote access methods are being logged by running the following\ncommand:\n\n# grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.d/50-default.conf\n\nauth,authpriv.* /var/log/auth.log\ndaemon.notice /var/log/messages\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to monitor all remote\naccess methods by adding the following lines to the\n\"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.* /var/log/secure\ndaemon.notice /var/log/messages\n\nThe \"rsyslog\" service must be restarted for the changes to take effect. To\nrestart the \"rsyslog\" service, run the following command:\n\n# sudo systemctl restart rsyslog.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75587", - "rid": "SV-90267r2_rule", - "stig_id": "UBTU-16-010910", - "fix_id": "F-82215r1_fix", + "gtitle": "SRG-OS-000032-GPOS-00013", + "gid": "V-75863", + "rid": "SV-90543r2_rule", + "stig_id": "UBTU-16-030450", + "fix_id": "F-82493r2_fix", "cci": [ - "CCI-000366" + "CCI-000067" ], "nist": [ - "CM-6 b", + "AC-17 (1)", "Rev_4" ], "false_negatives": null, 
@@ -5645,50 +5499,40 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75587' do\n title \"A separate file system must be used for user home directories (such as\n/home or an equivalent).\"\n desc \"The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75587'\n tag \"rid\": 'SV-90267r2_rule'\n tag \"stig_id\": 'UBTU-16-010910'\n tag \"fix_id\": 'F-82215r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that a separate file system/partition has been created\nfor non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users, users with a\nUser Identifier (UID) greater than 1000, on the system with the following\ncommand:\n\n# awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $1,$3,$6}' /etc/passwd\n\nadamsj 1001 /home/adamsj\njacksonm 1002 /home/jacksonm\nsmithj 1003 /home/smithj\n\nThe output of the command will give the directory/partition that contains the\nhome directories for the non-privileged users on the system (in this example,\n\\\"/home\\\") and users’ shell. 
All accounts with a valid shell (such as\n/bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged\ninteractive users with the following command:\n\nNote: The partition of \\\"/home\\\" is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the\nnon-privileged interactive users' home directories does not exist, this is a\nfinding.\"\n desc 'fix', \"Migrate the \\\"/home\\\" directory onto a separate file\nsystem/partition.\"\n\n non_interactive_shells = input('non_interactive_shells')\n exempt_home_users = input('exempt_home_users')\n ignore_shells = non_interactive_shells.join('|')\n\n users.where { !shell.match(ignore_shells) && (uid >= 1000) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n home_mount = command(%(df #{user_info.home} --output=target | tail -1)).stdout.strip\n describe user_info.username do\n context 'with mountpoint' do\n context home_mount do\n it { should_not be_empty }\n it { should_not match(%r{^/$}) }\n end\n end\n end\n end\nend\n", + "code": "control 'V-75863' do\n title 'All remote access methods must be monitored.'\n desc \"Remote access services, such as those providing remote access to\nnetwork devices and information systems, which lack automated monitoring\ncapabilities, increase risk and make remote user access management difficult at\nbest.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Automated monitoring of remote access sessions allows organizations to\ndetect cyber attacks and also ensure ongoing compliance with remote access\npolicies by auditing connection activities of remote access capabilities, such\nas Remote Desktop Protocol (RDP), on a variety of information system components\n(e.g., servers, workstations, notebook computers, smartphones, and tablets).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000032-GPOS-00013'\n tag \"gid\": 'V-75863'\n tag \"rid\": 'SV-90543r2_rule'\n tag \"stig_id\": 'UBTU-16-030450'\n tag \"fix_id\": 'F-82493r2_fix'\n tag \"cci\": ['CCI-000067']\n tag \"nist\": ['AC-17 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote\naccess methods.\n\nCheck that remote access methods are being logged by running the following\ncommand:\n\n# grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.d/50-default.conf\n\nauth,authpriv.* /var/log/auth.log\ndaemon.notice /var/log/messages\n\nIf \\\"auth.*\\\", \\\"authpriv.*\\\" or \\\"daemon.*\\\" are not configured to be logged,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote\naccess methods by adding the following lines to the\n\\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.* /var/log/secure\ndaemon.notice /var/log/messages\n\nThe \\\"rsyslog\\\" service must be restarted for the changes to take effect. 
To\nrestart the \\\"rsyslog\\\" service, run the following command:\n\n# sudo systemctl restart rsyslog.service\"\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/\n }\n config_file = '/etc/rsyslog.d/50-default.conf'\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75587.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75863.rb", "line": 3 }, - "id": "V-75587" + "id": "V-75863" }, { - "title": "Successful/unsuccessful uses of the fchmod command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must automatically lock an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-forcing, is reduced. 
Limits are imposed by locking the account.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"fchmod\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"fchmod\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-forcing, is reduced. 
Limits are imposed by locking the account.", + "check": "Verify the Ubuntu operating system automatically locks an\naccount until the account lock is released by an administrator when three\nunsuccessful logon attempts are made.\n\nCheck that the Ubuntu operating system automatically locks an account after\nthree unsuccessful attempts with the following command:\n\n# grep pam_tally /etc/pam.d/common-auth\n\nauth required pam_tally2.so onerr=fail deny=3\n\nIf \"onerr=fail deny=3\" is not used in \"/etc/pam.d/common-auth\" or is called\nwith \"unlock_time\", this is a finding.", + "fix": "Configure the Ubuntu operating system to automatically lock an\naccount until the locked account is released by an administrator when three\nunsuccessful logon attempts are made by appending the following line to the\n\"/etc/pam.d/common-auth file\":\n\n\"auth required pam_tally2.so onerr=fail deny=3\"" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", + "gtitle": "SRG-OS-000021-GPOS-00005", "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" ], - "gid": "V-75739", - "rid": "SV-90419r3_rule", - "stig_id": "UBTU-16-020570", - "fix_id": "F-82367r2_fix", + "gid": "V-75487", + "rid": "SV-90167r2_rule", + "stig_id": "UBTU-16-010290", + "fix_id": "F-82115r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000044", + "CCI-002238" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "AC-7 a", + "AC-7 b", "Rev_4" ], "false_negatives": null, 
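Review bot: The new V-75863 code reads the config key `auth,authpriv.*` while its own `desc 'fix'` text tells the operator to add `auth.*,authpriv.* /var/log/secure`, so a host remediated exactly as documented can still fail the check (or pass only because an unrelated pre-existing line happens to carry the other key); the key the check reads and the line the fix prescribes should agree. The `assignment_regex` also requires a literal tab between selector and action (`\s*\t\s*`), so a space-separated `auth,authpriv.* /var/log/auth.log` parses to nil and is reported as a finding although it logs exactly what the rule asks for; `assignment_regex: /^\s*(\S+)\s+(.*?)\s*$/` would accept either separator. Minor: `parse_config_file(config_file, options)` is evaluated twice; parse once and read both params from the result. This control is embedded from `./Ubuntu 16.04 STIG/controls/V-75863.rb`, so the correction belongs in that source file rather than in this export.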
@@ -5702,75 +5546,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75739' do\n title \"Successful/unsuccessful uses of the fchmod command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75739'\n tag \"rid\": 'SV-90419r3_rule'\n tag \"stig_id\": 'UBTU-16-020570'\n tag \"fix_id\": 'F-82367r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"fchmod\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', 
\"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"fchmod\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fchmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fchmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75487' do\n title \"The Ubuntu operating system must automatically lock an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts.\"\n desc \"By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-forcing, is reduced. 
Limits are imposed by locking the account.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000021-GPOS-00005'\n tag \"satisfies\": %w[SRG-OS-000021-GPOS-00005 SRG-OS-000329-GPOS-00128]\n tag \"gid\": 'V-75487'\n tag \"rid\": 'SV-90167r2_rule'\n tag \"stig_id\": 'UBTU-16-010290'\n tag \"fix_id\": 'F-82115r2_fix'\n tag \"cci\": %w[CCI-000044 CCI-002238]\n tag \"nist\": ['AC-7 a', 'AC-7 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system automatically locks an\naccount until the account lock is released by an administrator when three\nunsuccessful logon attempts are made.\n\nCheck that the Ubuntu operating system automatically locks an account after\nthree unsuccessful attempts with the following command:\n\n# grep pam_tally /etc/pam.d/common-auth\n\nauth required pam_tally2.so onerr=fail deny=3\n\nIf \\\"onerr=fail deny=3\\\" is not used in \\\"/etc/pam.d/common-auth\\\" or is called\nwith \\\"unlock_time\\\", this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to automatically lock an\naccount until the locked account is released by an administrator when three\nunsuccessful logon attempts are made by appending the following line to the\n\\\"/etc/pam.d/common-auth file\\\":\n\n\\\"auth required pam_tally2.so onerr=fail deny=3\\\"\"\n\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match 
/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75739.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75487.rb", "line": 3 }, - "id": "V-75739" + "id": "V-75487" }, { - "title": "The auditd service must be running in the Ubuntu operating system.", - "desc": "Configuring the Ubuntu operating system to implement organization-wide\nsecurity implementation guides and security checklists ensures compliance with\nfederal standards and establishes a common security baseline across DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", + "title": "Successful/unsuccessful uses of the ssh-agent command must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", "descriptions": { - "default": "Configuring the Ubuntu operating system to implement organization-wide\nsecurity implementation guides and security checklists ensures compliance with\nfederal standards and establishes a common security baseline across DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", - "check": "Verify the audit service is active.\n\nCheck that the audit service is active with the following command:\n\n# service auditd status\nActive: active (running)\n\nIf the service is not active this is a finding.", - "fix": "Start the auditd service, and enable the auditd service with the\nfollowing commands:\n\nStart the audit service.\n# systemctl start auditd.service\n\nEnable auditd in the targets of the system.\n# systemctl enable auditd.service" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"ssh-agent\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep ssh-agent /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-agent\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-80959", - "rid": "SV-95671r1_rule", - "stig_id": "UBTU-16-020010", - "fix_id": "F-87819r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", - "Rev_4" + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null - }, - "code": "control 'V-80959' do\n title 'The auditd service must be running in the Ubuntu operating system.'\n desc \"Configuring the Ubuntu operating system to implement organization-wide\nsecurity implementation guides and security checklists ensures compliance with\nfederal standards and establishes a common security baseline across DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-80959'\n tag \"rid\": 'SV-95671r1_rule'\n tag \"stig_id\": 'UBTU-16-020010'\n tag \"fix_id\": 'F-87819r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit service is active.\n\nCheck that the audit service is active with the following command:\n\n# service auditd status\nActive: active (running)\n\nIf the service is not active this is a finding.\"\n desc 'fix', \"Start the auditd service, and enable the auditd service with the\nfollowing commands:\n\nStart the audit service.\n# systemctl start auditd.service\n\nEnable auditd in the targets of the system.\n# systemctl enable auditd.service\"\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", - "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-80959.rb", - "line": 3 - }, - "id": "V-80959" - }, - { - "title": "The pam_unix.so module must use a FIPS 140-2 approved cryptographic\nhashing algorithm for system authentication.", - "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n Ubuntu operating systems utilizing encryption are required to use\nFIPS-compliant mechanisms for authenticating to cryptographic modules.\n\n 
FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral purpose computing system.", - "descriptions": { - "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n Ubuntu operating systems utilizing encryption are required to use\nFIPS-compliant mechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral purpose computing system.", - "check": "Verify that pam_unix.so auth is configured to use sha512.\n\nCheck that pam_unix.so auth is configured to use sha512 with the following\ncommand:\n\n# grep password /etc/pam.d/common-password | grep pam_unix\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\n\nIf \"sha512\" is not an option of the output, or is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to use a FIPS 140-2\napproved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the file \"/etc/pam.d/common-password\" file\nto include the sha512 option for pam_unix.so:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\nshadow remember=5" - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000120-GPOS-00061", - "gid": "V-75465", - "rid": "SV-90145r2_rule", - "stig_id": "UBTU-16-010180", - "fix_id": "F-82093r2_fix", + "gid": "V-75699", + "rid": "SV-90379r3_rule", + "stig_id": "UBTU-16-020400", + "fix_id": "F-82327r2_fix", "cci": [ - "CCI-000803" + "CCI-000130", + "CCI-000135", + 
"CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "IA-7", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
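Review bot: The `should_not match` guard in the new V-75487 code only rejects `unlock_time` when it appears after `deny=3`, so a line such as `auth required pam_tally2.so unlock_time=900 onerr=fail deny=3` satisfies both expectations even though the check text says any use of `unlock_time` on this line is a finding. Test for the option anywhere on the matched line instead, e.g. `its('stdout.strip') { should_not match /^\s*auth\s+required\s+pam_tally2\.so.*unlock_time/ }`, and escape the `.` in `pam_tally2.so` in the positive match as well. The `exit_status` expectation is redundant with the stdout match and ties the control to a shell `grep` where a file read would do; that is a style point only. The same pattern is embedded from `./Ubuntu 16.04 STIG/controls/V-75487.rb`, where the change should be made.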
@@ -5784,20 +5603,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75465' do\n title \"The pam_unix.so module must use a FIPS 140-2 approved cryptographic\nhashing algorithm for system authentication.\"\n desc \"Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n Ubuntu operating systems utilizing encryption are required to use\nFIPS-compliant mechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral purpose computing system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000120-GPOS-00061'\n tag \"gid\": 'V-75465'\n tag \"rid\": 'SV-90145r2_rule'\n tag \"stig_id\": 'UBTU-16-010180'\n tag \"fix_id\": 'F-82093r2_fix'\n tag \"cci\": ['CCI-000803']\n tag \"nist\": %w[IA-7 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that pam_unix.so auth is configured to use sha512.\n\nCheck that pam_unix.so auth is configured to use sha512 with the following\ncommand:\n\n# grep password /etc/pam.d/common-password | grep pam_unix\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\n\nIf \\\"sha512\\\" is not an option of the output, or is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to use a FIPS 140-2\napproved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the file 
\\\"/etc/pam.d/common-password\\\" file\nto include the sha512 option for pam_unix.so:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\nshadow remember=5\"\n\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command('grep rounds /etc/pam.d/common-password') do\n its('exit_status') { should eq 0 }\n its('stdout') { should match /^\\s*password\\s+\\[\\s*success=1\\s+default=ignore\\s*\\].*\\s+sha512($|\\s+.*$)/ }\n end\nend\n", + "code": "control 'V-75699' do\n title \"Successful/unsuccessful uses of the ssh-agent command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75699'\n tag \"rid\": 'SV-90379r3_rule'\n tag \"stig_id\": 'UBTU-16-020400'\n tag \"fix_id\": 'F-82327r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"ssh-agent\\\" command 
occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep ssh-agent /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75465.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75699.rb", "line": 3 }, - "id": "V-75465" + "id": "V-75699" }, { - "title": "Successful/unsuccessful uses of the passwd command must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the 
organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "title": "Successful/unsuccessful uses of the chown command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"passwd\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w passwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"passwd\" command. Add or update the\nfollowing rule in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chown\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chown\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], @@ -5811,10 +5630,10 @@ "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75777", - "rid": "SV-90457r3_rule", - "stig_id": "UBTU-16-020760", - "fix_id": "F-82407r4_fix", + "gid": "V-75729", + "rid": "SV-90409r3_rule", + "stig_id": "UBTU-16-020520", + "fix_id": "F-82357r3_fix", "cci": [ "CCI-000130", "CCI-000135", 
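Review bot: The new V-75699 code verifies that a rule for `/usr/bin/ssh-agent` carries execute permission and an `always,exit` action, but never checks the `-F auid>=1000 -F auid!=4294967295` filters that its own check text requires, so a rule lacking those filters still passes; if the auditd resource exposes the parsed `-F` fields, an expectation such as `its('fields.flatten') { should include 'auid>=1000' }` would close the gap — confirm the attribute name against the resource before relying on it. The existence test `auditd.lines.index { |line| line.include?(@audit_file) }` is a substring match, so any rule whose path merely contains `/usr/bin/ssh-agent` counts as present. As a point of style, `@audit_file` and `@perms` are instance variables inside a control block where plain locals suffice, and `'Audit line(s) for ' + @audit_file + ' exist'` reads better as an interpolated string. The control is embedded from `./Ubuntu 16.04 STIG/controls/V-75699.rb`; the V-75729 code in the last hunk is cut off at the end of the chunk and was not reviewed.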
@@ -5841,34 +5660,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75777' do\n title \"Successful/unsuccessful uses of the passwd command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75777'\n tag \"rid\": 'SV-90457r3_rule'\n tag \"stig_id\": 'UBTU-16-020760'\n tag \"fix_id\": 'F-82407r4_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"passwd\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w passwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to 
generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"passwd\\\" command. Add or update the\nfollowing rule in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75729' do\n title \"Successful/unsuccessful uses of the chown command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75729'\n tag \"rid\": 'SV-90409r3_rule'\n tag \"stig_id\": 'UBTU-16-020520'\n tag \"fix_id\": 'F-82357r3_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 
(1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chown\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chown\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75777.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75729.rb", "line": 3 }, - "id": "V-75777" + "id": "V-75729" }, { - "title": "The Information System Security Officer (ISSO) and System\nAdministrator (SA) (at a minimum) must have mail aliases to be notified of an\naudit processing failure.", - "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "title": "File systems that are being imported via Network File System (NFS)\nmust be mounted to prevent binary files from being executed.", + "desc": "The \"noexec\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. 
Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", "descriptions": { - "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", - "check": "Verify that the administrators are notified in the event of an\naudit processing failure.\n\nNote: If postfix is not installed, this is Not Applicable.\n\nCheck that the \"/etc/aliases\" file has a defined value for \"root\".\n\n# sudo grep \"postmaster: *root$\" /etc/aliases\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to notify administrators in\nthe event of an audit processing failure.\n\nAdd/update the following line in \"/etc/aliases\":\n\npostmaster: root" + "default": "The \"noexec\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. 
Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "check": "Verify file systems that are being Network File System (NFS)\nimported are mounted with the \"noexec\" option.\n\nFind the file system(s) that contain the directories being exported with the\nfollowing command:\n\n# grep nfs /etc/fstab | grep noexec\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs\nrw,noexec 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the\n\"noexec\" option set, and use of NFS exported binaries is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on file\nsystems that are being imported via Network File System (NFS)." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000046-GPOS-00022", - "gid": "V-75893", - "rid": "SV-90573r2_rule", - "stig_id": "UBTU-16-030700", - "fix_id": "F-82523r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75581", + "rid": "SV-90261r2_rule", + "stig_id": "UBTU-16-010830", + "fix_id": "F-82209r2_fix", "cci": [ - "CCI-000139" + "CCI-000366" ], "nist": [ - "AU-5 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
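Review bot: The V-75729 code asserts a `b32` chown rule unconditionally (`describe auditd.syscall('chown').where { arch == 'b32' }`) while only the `b64` describe is guarded by `os.arch == 'x86_64'`, yet the control's own fix text adds a single `-F arch=b64` rule; a host remediated exactly as documented will still fail the b32 expectation. Either the fix/check text should also list `-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng`, or the b32 describe should be made conditional the same way the b64 one is. Note also that neither describe asserts the `auid>=1000`/`auid!=4294967295` fields or the `perm_chng` key the STIG check text requires, so the automated test is looser than the manual check; if that is intentional, a comment saying so in the control would help. This file looks like a regenerated `inspec json` export, so the change belongs in the profile source (`./Ubuntu 16.04 STIG/controls/V-75729.rb`) rather than here.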
@@ -5882,34 +5701,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75893' do\n title \"The Information System Security Officer (ISSO) and System\nAdministrator (SA) (at a minimum) must have mail aliases to be notified of an\naudit processing failure.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000046-GPOS-00022'\n tag \"gid\": 'V-75893'\n tag \"rid\": 'SV-90573r2_rule'\n tag \"stig_id\": 'UBTU-16-030700'\n tag \"fix_id\": 'F-82523r1_fix'\n tag \"cci\": ['CCI-000139']\n tag \"nist\": ['AU-5 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the administrators are notified in the event of an\naudit processing failure.\n\nNote: If postfix is not installed, this is Not Applicable.\n\nCheck that the \\\"/etc/aliases\\\" file has a defined value for \\\"root\\\".\n\n# sudo grep \\\"postmaster: *root$\\\" /etc/aliases\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 
'fix', \"Configure the Ubuntu operating system to notify administrators in\nthe event of an audit processing failure.\n\nAdd/update the following line in \\\"/etc/aliases\\\":\n\npostmaster: root\"\n\n is_postfix_installed = package('postfix').installed?\n\n if is_postfix_installed\n describe command('grep \"postmaster: *root$\" /etc/aliases') do\n its('stdout') { should_not be_empty }\n end\n else\n impact 0\n describe 'Control Not Applicable as postfix is not installed' do\n subject { is_postfix_installed }\n it { should be false }\n end\n end\nend\n", + "code": "control 'V-75581' do\n title \"File systems that are being imported via Network File System (NFS)\nmust be mounted to prevent binary files from being executed.\"\n desc \"The \\\"noexec\\\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75581'\n tag \"rid\": 'SV-90261r2_rule'\n tag \"stig_id\": 'UBTU-16-010830'\n tag \"fix_id\": 'F-82209r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify file systems that are being Network File System (NFS)\nimported are mounted with the \\\"noexec\\\" option.\n\nFind the file system(s) that contain the directories being exported with the\nfollowing command:\n\n# grep nfs /etc/fstab | grep noexec\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs\nrw,noexec 
0 0\n\nIf a file system found in \\\"/etc/fstab\\\" refers to NFS and it does not have the\n\\\"noexec\\\" option set, and use of NFS exported binaries is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.\"\n desc 'fix', \"Configure the \\\"/etc/fstab\\\" to use the \\\"noexec\\\" option on file\nsystems that are being imported via Network File System (NFS).\"\n\n device_rules = etc_fstab.where { file_system_type == 'nfs' }.entries\n if device_rules.count > 0\n device_rules.each do |device_rule|\n describe device_rule do\n its ('mount_options') { should include 'noexec' }\n end\n end\n else\n describe 'No NFS mounts found on the system' do\n subject { device_rules }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75893.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75581.rb", "line": 3 }, - "id": "V-75893" + "id": "V-75581" }, { - "title": "Automatic mounting of Universal Serial Bus (USB) mass storage driver\nmust be disabled.", - "desc": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.", + "title": "Audit tools must be group-owned by root.", + "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", "descriptions": { - "default": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.", - "check": "Verify that automatic mounting of the Universal Serial Bus\n(USB) mass storage driver has been disabled.\n\nCheck that the USB mass storage drive has not been loaded with the following\ncommand:\n\n#lsmod | grep usb-storage\n\nIf a \"usb-storage\" line is returned, this is a finding.\n\nCheck that automatic mounting of the USB mass storage driver has been disabled\nwith the following command:\n\n#sudo modprobe -vn usb-storage\n\ninstall /bin/true\n\nIf “install /bin/true” is not returned, this is a finding.", - "fix": "Disable the mounting of the Universal Serial Bus (USB) mass\nstorage driver by running the following command:\n\n# sudo echo “install usb-storage /bin/true” >> /etc/modprobe.d/DISASTIG.conf" + "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "check": "Verify the audit tools are group-owned by \"root\" to prevent\nany unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following commands:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not group-owned by \"root\", this is a finding.", + "fix": "Configure the audit tools to be group-owned by \"root\", by\nrunning the following command:\n\n# sudo chgrp root [audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by \"root\"." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000378-GPOS-00163", - "gid": "V-75531", - "rid": "SV-90211r2_rule", - "stig_id": "UBTU-16-010580", - "fix_id": "F-82159r2_fix", + "gtitle": "SRG-OS-000256-GPOS-00097", + "satisfies": [ + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098", + "SRG-OS-000258-GPOS-00099" + ], + "gid": "V-75657", + "rid": "SV-90337r2_rule", + "stig_id": "UBTU-16-020200", + "fix_id": "F-82285r2_fix", "cci": [ - "CCI-001958" + "CCI-001493", + "CCI-001494", + "CCI-001495" ], "nist": [ - "IA-3", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ], "false_negatives": null, 
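Review bot: The V-75581 test selects fstab entries with `file_system_type == 'nfs'` only, so NFSv4 mounts declared as `nfs4` in `/etc/fstab` are never examined and a missing `noexec` on them is silently reported as "No NFS mounts found"; `device_rules = etc_fstab.where { %w[nfs nfs4].include?(file_system_type) }.entries` would close that gap. Separately, the manual check command quoted in the control (`grep nfs /etc/fstab | grep noexec`) lists only the compliant entries, so an assessor following it literally cannot see the non-compliant ones; `grep nfs /etc/fstab | grep -v noexec` is what actually surfaces findings, though as DISA text it can only be annotated, not rewritten, in the control. Runtime-mounted NFS shares (autofs, `mount` without an fstab entry) are also outside what `etc_fstab` sees; a comment noting that limitation in the control would help, since the file appears to be a regenerated export of the InSpec profile.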
@@ -5923,34 +5751,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75531' do\n title \"Automatic mounting of Universal Serial Bus (USB) mass storage driver\nmust be disabled.\"\n desc \"Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000378-GPOS-00163'\n tag \"gid\": 'V-75531'\n tag \"rid\": 'SV-90211r2_rule'\n tag \"stig_id\": 'UBTU-16-010580'\n tag \"fix_id\": 'F-82159r2_fix'\n tag \"cci\": ['CCI-001958']\n tag \"nist\": %w[IA-3 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that automatic mounting of the Universal Serial Bus\n(USB) mass storage driver has been disabled.\n\nCheck that the USB mass storage drive has not been loaded with the following\ncommand:\n\n#lsmod | grep usb-storage\n\nIf a \\\"usb-storage\\\" line is returned, this is a finding.\n\nCheck that automatic mounting of the USB mass storage driver has been disabled\nwith the following command:\n\n#sudo modprobe -vn usb-storage\n\ninstall /bin/true\n\nIf “install /bin/true” is not returned, this is a finding.\"\n desc 'fix', \"Disable the mounting of the Universal Serial Bus (USB) mass\nstorage driver by running the following command:\n\n# sudo echo “install usb-storage /bin/true” >> /etc/modprobe.d/DISASTIG.conf\"\n\n describe kernel_module('usb-storage') do\n it { should_not be_loaded }\n it { should be_disabled }\n end\nend\n", + "code": "control 'V-75657' do\n title 'Audit tools must be group-owned by root.'\n desc \"Protecting audit 
information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000256-GPOS-00097'\n tag \"satisfies\": %w[SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098\n SRG-OS-000258-GPOS-00099]\n tag \"gid\": 'V-75657'\n tag \"rid\": 'SV-90337r2_rule'\n tag \"stig_id\": 'UBTU-16-020200'\n tag \"fix_id\": 'F-82285r2_fix'\n tag \"cci\": %w[CCI-001493 CCI-001494 CCI-001495]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit tools are group-owned by \\\"root\\\" to prevent\nany unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following commands:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not group-owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit tools to be group-owned by \\\"root\\\", 
by\nrunning the following command:\n\n# sudo chgrp root [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by \\\"root\\\".\"\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75531.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75657.rb", "line": 3 }, - "id": "V-75531" + "id": "V-75657" }, { - "title": "The Ubuntu operating system must not forward Internet Protocol version\n4 (IPv4) source-routed packets by default.", - "desc": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", + "title": "The audit log files must be owned by root.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. 
This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", - "check": "Verify the Ubuntu operating system does not accept Internet\nProtocol version 4 (IPv4) source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route=0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or\nthe returned line is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to not forward Internet\nProtocol version 4 (IPv4) source-routed packets by default with the following\ncommand:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_source_route=0" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the audit log files are owned by \"root\".\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \"[log_path]\" in the\nfollowing command:\n\n# sudo ls -la [log_path] | cut -d' ' -f3\nroot\n\nIf the audit logs are not group-owned by \"root\", this is a finding.", + "fix": "Change the owner of the audit log file by running the following\ncommand:\n\nUse the following command to get the audit log path:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \"[log_path]\" in the\nfollowing command:\n\n# sudo chown root [log_path]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75875", - "rid": "SV-90555r3_rule", - "stig_id": "UBTU-16-030540", - "fix_id": "F-82505r3_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-75649", + "rid": "SV-90329r2_rule", + "stig_id": "UBTU-16-020160", + "fix_id": "F-82277r2_fix", "cci": [ - "CCI-000366" + "CCI-001314" ], "nist": [ - "CM-6 b", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
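Review bot: The V-75649 check text is internally inconsistent: the command extracts the owner column (`ls -la [log_path] | cut -d' ' -f3`) and the fix runs `chown root [log_path]`, but the finding sentence reads "If the audit logs are not group-owned by root, this is a finding", which belongs to the sibling group-ownership control; a note in the control clarifying that this rule is about the owner (the group case is a separate control) would stop assessors from applying the wrong criterion. The InSpec code for this control falls in the next hunk, outside this view, so whether it tests `owner` or `group` cannot be confirmed here. In the V-75657 code above, `audit_tools = input('audit_tools')` will raise rather than fail if the profile does not declare a default for that input; if the seven paths listed in the check text are the intended default, declaring them in the profile's inputs (or in the control with a `value:`) would make the control self-contained.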
@@ -5964,75 +5792,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75875' do\n title \"The Ubuntu operating system must not forward Internet Protocol version\n4 (IPv4) source-routed packets by default.\"\n desc \"Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75875'\n tag \"rid\": 'SV-90555r3_rule'\n tag \"stig_id\": 'UBTU-16-030540'\n tag \"fix_id\": 'F-82505r3_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not accept Internet\nProtocol version 4 (IPv4) source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route=0\n\nIf the returned line does not have a value of \\\"0\\\", a line is not returned, or\nthe returned line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not forward Internet\nProtocol version 4 (IPv4) source-routed packets by default with the following\ncommand:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" 
or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.default.accept_source_route=0\"\n\n describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do\n its('value') { should eq 0 }\n end\nend\n", + "code": "control 'V-75649' do\n title 'The audit log files must be owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75649'\n tag \"rid\": 'SV-90329r2_rule'\n tag \"stig_id\": 'UBTU-16-020160'\n tag \"fix_id\": 'F-82277r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\".\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \\\"[log_path]\\\" in the\nfollowing command:\n\n# sudo ls -la [log_path] | cut -d' ' -f3\nroot\n\nIf the audit 
logs are not group-owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Change the owner of the audit log file by running the following\ncommand:\n\nUse the following command to get the audit log path:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \\\"[log_path]\\\" in the\nfollowing command:\n\n# sudo chown root [log_path]\"\n\n log_file_path = auditd_conf.log_file\n\n describe file(log_file_path) do\n its('owner') { should cmp 'root' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75875.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75649.rb", "line": 3 }, - "id": "V-75875" + "id": "V-75649" }, { - "title": "A File Transfer Protocol (FTP) server package must not be installed\nunless needed.", - "desc": "The FTP service provides an unencrypted remote access that does not\nprovide for the confidentiality and integrity of user passwords or the remote\nsession. If a privileged user were to log on using this service, the privileged\nuser password could be compromised. SSH or other encrypted file transfer\nmethods must be used in place of this service.", + "title": "Successful/unsuccessful uses of the usermod command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "The FTP service provides an unencrypted remote access that does not\nprovide for the confidentiality and integrity of user passwords or the remote\nsession. If a privileged user were to log on using this service, the privileged\nuser password could be compromised. 
SSH or other encrypted file transfer\nmethods must be used in place of this service.", - "check": "Verify a File Transfer Protocol (FTP) server has not been\ninstalled on the system.\n\nCheck to see if a FTP server has been installed with the following commands:\n\n# dpkg -l | grep vsftpd\nii vsftpd 3.0.3-3Ubuntu2\n\nIf \"vsftpd\" is installed and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Document the \"vsftpd\" package with the Information System\nSecurity Officer (ISSO) as an operational requirement or remove it from the\nsystem with the following command:\n\n# sudo apt-get remove vsftpd" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"usermod\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w usermod /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-usermod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"usermod\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-usermod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75895", - "rid": "SV-90575r1_rule", - "stig_id": "UBTU-16-030710", - "fix_id": "F-82525r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", - "Rev_4" + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null - }, - "code": "control 'V-75895' do\n title \"A File Transfer Protocol (FTP) server package must not be installed\nunless needed.\"\n desc \"The FTP service provides an unencrypted remote access that does not\nprovide for the confidentiality and integrity of user passwords or the remote\nsession. If a privileged user were to log on using this service, the privileged\nuser password could be compromised. 
SSH or other encrypted file transfer\nmethods must be used in place of this service.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75895'\n tag \"rid\": 'SV-90575r1_rule'\n tag \"stig_id\": 'UBTU-16-030710'\n tag \"fix_id\": 'F-82525r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify a File Transfer Protocol (FTP) server has not been\ninstalled on the system.\n\nCheck to see if a FTP server has been installed with the following commands:\n\n# dpkg -l | grep vsftpd\nii vsftpd 3.0.3-3Ubuntu2\n\nIf \\\"vsftpd\\\" is installed and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement, this is a finding.\"\n desc 'fix', \"Document the \\\"vsftpd\\\" package with the Information System\nSecurity Officer (ISSO) as an operational requirement or remove it from the\nsystem with the following command:\n\n# sudo apt-get remove vsftpd\"\n\n describe package('vsftpd') do\n it { should_not be_installed }\n end\nend\n", - "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75895.rb", - "line": 3 - }, - "id": "V-75895" - }, - { - "title": "The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.", - "desc": "Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address 
concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.", - "descriptions": { - "default": "Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.", - "check": "Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \"10\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not set to \"10\" or less,\nor is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10" - }, - "impact": 0.3, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000027-GPOS-00008", - "gid": "V-75443", - "rid": "SV-90123r2_rule", - "stig_id": "UBTU-16-010070", - "fix_id": "F-82071r1_fix", + "gid": "V-75785", + "rid": "SV-90465r3_rule", + "stig_id": "UBTU-16-020800", + "fix_id": "F-82415r2_fix", "cci": [ - "CCI-000054" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AC-10", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
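Review bot: The new V-75649 `code` string is internally inconsistent: its `desc 'check'` pipes `ls -la [log_path] | cut -d' ' -f3`, which prints the file owner, and the title plus the `its('owner') { should cmp 'root' }` assertion test ownership, yet the finding sentence reads "If the audit logs are not group-owned by \"root\"". The sentence should be `If the audit logs are not owned by \"root\", this is a finding.` (group ownership is a separate requirement); the same wording appears in the `descriptions.check` of the preceding hunk, and is presumably inherited from the STIG text, but it is what an assessor will read. Two smaller gaps in the same control: the title says "audit log files" but `file(auditd_conf.log_file)` inspects only the active log, so rotated files in the log directory are not covered; and if `log_file` is missing from auditd.conf the path is nil, which likely deserves an explicit skip or a default of the documented `/var/log/audit/audit.log`. The V-75785 control that starts at the end of this hunk continues into the next one.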
@@ -6046,40 +5849,53 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75443' do\n title \"The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.\"\n desc \"Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000027-GPOS-00008'\n tag \"gid\": 'V-75443'\n tag \"rid\": 'SV-90123r2_rule'\n tag \"stig_id\": 'UBTU-16-010070'\n tag \"fix_id\": 'F-82071r1_fix'\n tag \"cci\": ['CCI-000054']\n tag \"nist\": %w[AC-10 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \\\"10\\\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not set to \\\"10\\\" or less,\nor is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to 
the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10\"\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", + "code": "control 'V-75785' do\n title \"Successful/unsuccessful uses of the usermod command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75785'\n tag \"rid\": 'SV-90465r3_rule'\n tag \"stig_id\": 'UBTU-16-020800'\n tag \"fix_id\": 'F-82415r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"usermod\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w usermod /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-usermod\n\nIf 
the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"usermod\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-usermod\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75443.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75785.rb", "line": 3 }, - "id": "V-75443" + "id": "V-75785" }, { - "title": "The Apparmor module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms and limit the ability of non-privileged users to grant other users\ndirect access to the contents of their home directories/folders.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of white-listed software occurs prior to execution or at system\nstartup.\n\n Users' home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.", + "title": "The audit system must be configured to audit any usage of the\nlremovexattr system call.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of white-listed software occurs prior to execution or at system\nstartup.\n\n Users' home directories/folders may contain information of a sensitive\nnature. 
Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.", - "check": "Verify the Ubuntu operating system is configured to employ a\ndeny-all, permit-by-exception policy to allow the execution of authorized\nsoftware programs and access to user home directories.\n\nCheck that \"Apparmor\" is configured to employ application whitelisting and\nhome directory access control with the following command:\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf the defined profiles do not match the organization’s list of authorized\nsoftware, this is a finding.", - "fix": "Configure the Ubuntu operating system to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.\n\nInstall \"Apparmor\" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate \"Apparmor\" (if it is not already active) with the following\ncommand:\n\n# sudo systemctl enable apparmor.service\n\nStart \"Apparmor\" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Apparmor must have properly configured profiles for applications and home\ndirectories. All configurations will be based on the actual system setup and\norganization and normally are on a per role basis. See the \"Apparmor\"\ndocumentation for more information on configuring profiles." + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"lremovexattr\" system call, by running the following\ncommand:\n\n# sudo grep -w lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"lremovexattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000368-GPOS-00154", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000368-GPOS-00154", - "SRG-OS-000370-GPOS-00155" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000474-GPOS-00219" ], - "gid": "V-75537", - "rid": "SV-90217r2_rule", - "stig_id": "UBTU-16-010610", - "fix_id": "F-82165r1_fix", + "gid": "V-75725", + "rid": "SV-90405r2_rule", + "stig_id": "UBTU-16-020500", + "fix_id": "F-82353r2_fix", "cci": [ - "CCI-001764", - "CCI-001774" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-7 (2)", - "CM-7 (5) (b)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
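Review bot: The InSpec body in the V-75785 `code` string verifies less than its own `check` text requires: it passes for any loaded rule whose path contains `/usr/sbin/usermod` with an `x` permission and a non-`never` action, but never checks the `auid>=1000` / `auid!=4294967295` filters or the `-k privileged-usermod` key, so a rule that audits only root or omits the key is reported compliant. If the `auditd` resource's field data is available in this profile, an assertion such as `its('fields.flatten') { should include 'auid>=1000' }` inside the existing `describe auditd.file(@audit_file)` block would close that gap. The `auditd.lines.index { |line| line.include?(@audit_file) }` pre-check is a substring match and will also accept a longer path that merely contains the string, so the resulting "Audit line(s) exist" result is only a rough presence test. The V-75725 lremovexattr control in the following hunk has the same shape (syscall, action and list are asserted, the auid filters and key are not), and that hunk runs past the end of this view.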
@@ -6093,34 +5909,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75537' do\n title \"The Apparmor module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms and limit the ability of non-privileged users to grant other users\ndirect access to the contents of their home directories/folders.\"\n desc \"The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of white-listed software occurs prior to execution or at system\nstartup.\n\n Users' home directories/folders may contain information of a sensitive\nnature. 
Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000368-GPOS-00154'\n tag \"satisfies\": %w[SRG-OS-000368-GPOS-00154 SRG-OS-000370-GPOS-00155]\n tag \"gid\": 'V-75537'\n tag \"rid\": 'SV-90217r2_rule'\n tag \"stig_id\": 'UBTU-16-010610'\n tag \"fix_id\": 'F-82165r1_fix'\n tag \"cci\": %w[CCI-001764 CCI-001774]\n tag \"nist\": ['CM-7 (2)', 'CM-7 (5) (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is configured to employ a\ndeny-all, permit-by-exception policy to allow the execution of authorized\nsoftware programs and access to user home directories.\n\nCheck that \\\"Apparmor\\\" is configured to employ application whitelisting and\nhome directory access control with the following command:\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf the defined profiles do not match the organization’s list of authorized\nsoftware, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.\n\nInstall \\\"Apparmor\\\" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate \\\"Apparmor\\\" (if it is not already active) with the following\ncommand:\n\n# sudo systemctl enable apparmor.service\n\nStart \\\"Apparmor\\\" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Apparmor 
must have properly configured profiles for applications and home\ndirectories. All configurations will be based on the actual system setup and\norganization and normally are on a per role basis. See the \\\"Apparmor\\\"\ndocumentation for more information on configuring profiles.\"\n\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\nend\n", + "code": "control 'V-75725' do\n title \"The audit system must be configured to audit any usage of the\nlremovexattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 
SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75725'\n tag \"rid\": 'SV-90405r2_rule'\n tag \"stig_id\": 'UBTU-16-020500'\n tag \"fix_id\": 'F-82353r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"lremovexattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"lremovexattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('lremovexattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('lremovexattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75537.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75725.rb", "line": 3 }, - "id": "V-75537" + "id": "V-75725" }, { - "title": "File systems that are being imported via Network File System (NFS)\nmust be mounted to prevent binary files from being executed.", - "desc": "The \"noexec\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "title": "Successful/unsuccessful uses of the sudo command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "The \"noexec\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. 
Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", - "check": "Verify file systems that are being Network File System (NFS)\nimported are mounted with the \"noexec\" option.\n\nFind the file system(s) that contain the directories being exported with the\nfollowing command:\n\n# grep nfs /etc/fstab | grep noexec\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs\nrw,noexec 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the\n\"noexec\" option set, and use of NFS exported binaries is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on file\nsystems that are being imported via Network File System (NFS)." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"sudo\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w sudo /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"sudo\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F 
path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75581", - "rid": "SV-90261r2_rule", - "stig_id": "UBTU-16-010830", - "fix_id": "F-82209r2_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75755", + "rid": "SV-90435r3_rule", + "stig_id": "UBTU-16-020650", + "fix_id": "F-82383r2_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
@@ -6134,34 +5966,52 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75581' do\n title \"File systems that are being imported via Network File System (NFS)\nmust be mounted to prevent binary files from being executed.\"\n desc \"The \\\"noexec\\\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75581'\n tag \"rid\": 'SV-90261r2_rule'\n tag \"stig_id\": 'UBTU-16-010830'\n tag \"fix_id\": 'F-82209r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify file systems that are being Network File System (NFS)\nimported are mounted with the \\\"noexec\\\" option.\n\nFind the file system(s) that contain the directories being exported with the\nfollowing command:\n\n# grep nfs /etc/fstab | grep noexec\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs\nrw,noexec 0 0\n\nIf a file system found in \\\"/etc/fstab\\\" refers to NFS and it does not have the\n\\\"noexec\\\" option set, and use of NFS exported binaries is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.\"\n desc 'fix', \"Configure the \\\"/etc/fstab\\\" to use the \\\"noexec\\\" option on file\nsystems that are being imported via Network File System (NFS).\"\n\n device_rules = etc_fstab.where { file_system_type == 
'nfs' }.entries\n if device_rules.count > 0\n device_rules.each do |device_rule|\n describe device_rule do\n its ('mount_options') { should include 'noexec' }\n end\n end\n else\n describe 'No NFS mounts found on the system' do\n subject { device_rules }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75755' do\n title \"Successful/unsuccessful uses of the sudo command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75755'\n tag \"rid\": 'SV-90435r3_rule'\n tag \"stig_id\": 'UBTU-16-020650'\n tag \"fix_id\": 'F-82383r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"sudo\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w sudo /etc/audit/audit.rules\n\n-a 
always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"sudo\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75581.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75755.rb", "line": 3 }, - "id": "V-75581" + "id": "V-75755" }, { - "title": "All remote access methods must be monitored.", - "desc": "Remote access services, such as those providing remote access to\nnetwork devices and information systems, which lack automated monitoring\ncapabilities, increase risk and make remote user access management difficult at\nbest.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Automated monitoring of remote access sessions allows organizations to\ndetect cyber attacks and also ensure ongoing compliance with remote access\npolicies by auditing connection activities of remote access capabilities, such\nas Remote Desktop Protocol (RDP), on a variety of information system components\n(e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "title": "The audit system must be configured to audit any usage of the rmmod\ncommand.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "Remote access services, such as 
those providing remote access to\nnetwork devices and information systems, which lack automated monitoring\ncapabilities, increase risk and make remote user access management difficult at\nbest.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Automated monitoring of remote access sessions allows organizations to\ndetect cyber attacks and also ensure ongoing compliance with remote access\npolicies by auditing connection activities of remote access capabilities, such\nas Remote Desktop Protocol (RDP), on a variety of information system components\n(e.g., servers, workstations, notebook computers, smartphones, and tablets).", - "check": "Verify that the Ubuntu operating system monitors all remote\naccess methods.\n\nCheck that remote access methods are being logged by running the following\ncommand:\n\n# grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.d/50-default.conf\n\nauth,authpriv.* /var/log/auth.log\ndaemon.notice /var/log/messages\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to monitor all remote\naccess methods by adding the following lines to the\n\"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.* /var/log/secure\ndaemon.notice /var/log/messages\n\nThe \"rsyslog\" service must be restarted for the changes to take effect. 
To\nrestart the \"rsyslog\" service, run the following command:\n\n# sudo systemctl restart rsyslog.service" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \"rmmod\", by running the\nfollowing command:\n\n# sudo grep \"/sbin/rmmod\" /etc/audit/audit.rules\n\n-w /sbin/rmmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe module management program \"rmmod\", by adding the following line 
to\n\"/etc/audit/audit.rules\":\n\n-w /sbin/rmmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000032-GPOS-00013", - "gid": "V-75863", - "rid": "SV-90543r2_rule", - "stig_id": "UBTU-16-030450", - "fix_id": "F-82493r2_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000471-GPOS-00216", + "SRG-OS-000477-GPOS-00222" + ], + "gid": "V-75711", + "rid": "SV-90391r2_rule", + "stig_id": "UBTU-16-020430", + "fix_id": "F-82339r2_fix", "cci": [ - "CCI-000067" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AC-17 (1)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
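Review bot: The V-75755 test accepts any loaded rule for `/usr/bin/sudo` whose action is not `never`, with no constraint on the list, while the rule its own `fix` text prescribes is `-a always,exit -F path=/usr/bin/sudo -F perm=x`; the sibling ssh-keysign control (V-75707, visible on the old side of a later hunk) uses the same `@audit_file` template but additionally pins `its('action.uniq') { should eq ['always'] }` and `its('list.uniq') { should eq ['exit'] }`. Adding those two lines to the `describe auditd.file(@audit_file)` block would keep the `-F path=` controls consistent and reject a rule with some other action/list that the current `should_not include 'never'` lets through. The `auid>=1000` / `auid!=4294967295` fields in the prescribed rule are also not checked; if the `auditd` resource exposes rule fields, an assertion on them would close that gap too. The second control in this hunk (V-75711) is metadata only here; its code lines continue in the next hunk.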
@@ -6175,12 +6025,12 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75863' do\n title 'All remote access methods must be monitored.'\n desc \"Remote access services, such as those providing remote access to\nnetwork devices and information systems, which lack automated monitoring\ncapabilities, increase risk and make remote user access management difficult at\nbest.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Automated monitoring of remote access sessions allows organizations to\ndetect cyber attacks and also ensure ongoing compliance with remote access\npolicies by auditing connection activities of remote access capabilities, such\nas Remote Desktop Protocol (RDP), on a variety of information system components\n(e.g., servers, workstations, notebook computers, smartphones, and tablets).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000032-GPOS-00013'\n tag \"gid\": 'V-75863'\n tag \"rid\": 'SV-90543r2_rule'\n tag \"stig_id\": 'UBTU-16-030450'\n tag \"fix_id\": 'F-82493r2_fix'\n tag \"cci\": ['CCI-000067']\n tag \"nist\": ['AC-17 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote\naccess methods.\n\nCheck that remote access methods are being logged by running the following\ncommand:\n\n# grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.d/50-default.conf\n\nauth,authpriv.* /var/log/auth.log\ndaemon.notice /var/log/messages\n\nIf \\\"auth.*\\\", 
\\\"authpriv.*\\\" or \\\"daemon.*\\\" are not configured to be logged,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote\naccess methods by adding the following lines to the\n\\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.* /var/log/secure\ndaemon.notice /var/log/messages\n\nThe \\\"rsyslog\\\" service must be restarted for the changes to take effect. To\nrestart the \\\"rsyslog\\\" service, run the following command:\n\n# sudo systemctl restart rsyslog.service\"\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/\n }\n config_file = '/etc/rsyslog.d/50-default.conf'\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n", + "code": "control 'V-75711' do\n title \"The audit system must be configured to audit any usage of the rmmod\ncommand.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222]\n tag \"gid\": 'V-75711'\n tag \"rid\": 'SV-90391r2_rule'\n tag \"stig_id\": 'UBTU-16-020430'\n tag \"fix_id\": 'F-82339r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program 
\\\"rmmod\\\", by running the\nfollowing command:\n\n# sudo grep \\\"/sbin/rmmod\\\" /etc/audit/audit.rules\n\n-w /sbin/rmmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe module management program \\\"rmmod\\\", by adding the following line to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /sbin/rmmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/rmmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75863.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75711.rb", "line": 3 }, - "id": "V-75863" + "id": "V-75711" }, { "title": "The passwd command must be configured to prevent the use of dictionary\nwords as passwords.", 
@@ -6224,12 +6074,12 @@ "id": "V-75483" }, { - "title": "Successful/unsuccessful uses of the ssh-keysign command must generate\nan audit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "title": "Successful/unsuccessful uses of the crontab command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-keysign\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"crontab\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w crontab /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-crontab\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"crontab\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-crontab\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], @@ -6243,10 +6093,10 @@ "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75707", - "rid": "SV-90387r3_rule", - "stig_id": "UBTU-16-020410", - "fix_id": "F-82335r2_fix", + "gid": "V-75787", + "rid": "SV-90467r3_rule", + "stig_id": "UBTU-16-020810", + "fix_id": "F-82417r2_fix", "cci": [ "CCI-000130", "CCI-000135", 
@@ -6273,34 +6123,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75707' do\n title \"Successful/unsuccessful uses of the ssh-keysign command must generate\nan audit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75707'\n tag \"rid\": 'SV-90387r3_rule'\n tag \"stig_id\": 'UBTU-16-020410'\n tag \"fix_id\": 'F-82335r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"ssh-keysign\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is 
a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75787' do\n title \"Successful/unsuccessful uses of the crontab command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75787'\n tag \"rid\": 
'SV-90467r3_rule'\n tag \"stig_id\": 'UBTU-16-020810'\n tag \"fix_id\": 'F-82417r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"crontab\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w crontab /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-crontab\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"crontab\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-crontab\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75707.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75787.rb", "line": 3 }, - "id": "V-75707" + "id": "V-75787" }, { - "title": "The Ubuntu operating system must not have accounts configured with\nblank or null passwords.", - "desc": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", + "title": "Temporary user accounts must be provisioned with an expiration time of\n72 hours or less.", + "desc": "If temporary user accounts remain active when no longer needed or for\nan excessive period, these accounts may be used to gain unauthorized access. 
To\nmitigate this risk, automated termination of all temporary accounts must be set\nupon account creation.\n\n Temporary accounts are established as part of normal account activation\nprocedures when there is a need for short-term accounts without the demand for\nimmediacy in account activation.\n\n If temporary accounts are used, the Ubuntu operating system must be\nconfigured to automatically terminate these types of accounts after a\nDoD-defined time period of 72 hours.\n\n To address access requirements, many Ubuntu operating systems may be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.", "descriptions": { - "default": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", - "check": "To verify that null passwords cannot be used, run the following\ncommand:\n\n# grep pam_unix.so /etc/pam.d/* | grep nullok\nIf this produces any output, it may be possible to log on with accounts with\nempty passwords.\n\nIf null passwords can be used, this is a finding.", - "fix": "If an account is configured for password authentication but does\nnot have an assigned password, it may be possible to log on to the account\nwithout authenticating.\n\nRemove any instances of the \"nullok\" option in files under \"/etc/pam.d/\" to\nprevent logons with empty passwords." + "default": "If temporary user accounts remain active when no longer needed or for\nan excessive period, these accounts may be used to gain unauthorized access. 
To\nmitigate this risk, automated termination of all temporary accounts must be set\nupon account creation.\n\n Temporary accounts are established as part of normal account activation\nprocedures when there is a need for short-term accounts without the demand for\nimmediacy in account activation.\n\n If temporary accounts are used, the Ubuntu operating system must be\nconfigured to automatically terminate these types of accounts after a\nDoD-defined time period of 72 hours.\n\n To address access requirements, many Ubuntu operating systems may be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify that temporary accounts have been provisioned with an\nexpiration date for 72 hours.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information.\n\n# sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within 72 hours.\nIf any temporary accounts have no expiration date set or do not expire within\n72 hours, this is a finding.", + "fix": "If a temporary account must be created configure the system to\nterminate the account after a 72 hour time period with the following command to\nset an expiration date on it. Substitute \"system_account_name\" with the\naccount to be created.\n\n# sudo chage -E `date -d \"+3 days\" +%Y-%m-%d` system_account_name" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75479", - "rid": "SV-90159r1_rule", - "stig_id": "UBTU-16-010250", - "fix_id": "F-82107r1_fix", + "gtitle": "SRG-OS-000002-GPOS-00002", + "gid": "V-75491", + "rid": "SV-90171r1_rule", + "stig_id": "UBTU-16-010310", + "fix_id": "F-82119r1_fix", "cci": [ - "CCI-000366" + "CCI-000016" ], "nist": [ - "CM-6 b", + "AC-2 (2)", "Rev_4" ], "false_negatives": null, 
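Review bot: The `describe auditd.file(@audit_file)` block in the new V-75787 `code` string asserts only that `permissions` is non-empty and that `action` does not include `never`; nothing pins the rule's list to `exit`, so a loaded rule for `/usr/bin/crontab` on another list would satisfy the control even though the documented rule is `-a always,exit`. The sibling path-watch controls in this file (the removed V-75707 text shows the same template) also carry `its('action.uniq') { should eq ['always'] }` and `its('list.uniq') { should eq ['exit'] }`; adding those two lines inside the describe block makes the crontab control consistent with them. The `auid>=1000` / `auid!=4294967295` filters from the check text are not verified either, which is acceptable because a rule without them is stricter, but a one-line comment saying so, e.g. `# auid filters are not asserted: a rule without them audits more, not less`, would spare the next reader the question.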
@@ -6314,43 +6164,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75479' do\n title \"The Ubuntu operating system must not have accounts configured with\nblank or null passwords.\"\n desc \"If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75479'\n tag \"rid\": 'SV-90159r1_rule'\n tag \"stig_id\": 'UBTU-16-010250'\n tag \"fix_id\": 'F-82107r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"To verify that null passwords cannot be used, run the following\ncommand:\n\n# grep pam_unix.so /etc/pam.d/* | grep nullok\nIf this produces any output, it may be possible to log on with accounts with\nempty passwords.\n\nIf null passwords can be used, this is a finding.\"\n desc 'fix', \"If an account is configured for password authentication but does\nnot have an assigned password, it may be possible to log on to the account\nwithout authenticating.\n\nRemove any instances of the \\\"nullok\\\" option in files under \\\"/etc/pam.d/\\\" to\nprevent logons with empty passwords.\"\n\n describe command('grep pam_unix.so /etc/pam.d/* | grep nullok') do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control 'V-75491' do\n title \"Temporary user accounts must be provisioned with an expiration time of\n72 hours or less.\"\n desc \"If temporary user accounts remain active when no longer needed or for\nan excessive period, these accounts may be used to gain 
unauthorized access. To\nmitigate this risk, automated termination of all temporary accounts must be set\nupon account creation.\n\n Temporary accounts are established as part of normal account activation\nprocedures when there is a need for short-term accounts without the demand for\nimmediacy in account activation.\n\n If temporary accounts are used, the Ubuntu operating system must be\nconfigured to automatically terminate these types of accounts after a\nDoD-defined time period of 72 hours.\n\n To address access requirements, many Ubuntu operating systems may be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000002-GPOS-00002'\n tag \"gid\": 'V-75491'\n tag \"rid\": 'SV-90171r1_rule'\n tag \"stig_id\": 'UBTU-16-010310'\n tag \"fix_id\": 'F-82119r1_fix'\n tag \"cci\": ['CCI-000016']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that temporary accounts have been provisioned with an\nexpiration date for 72 hours.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information.\n\n# sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within 72 hours.\nIf any temporary accounts have no expiration date set or do not expire within\n72 hours, this is a finding.\"\n desc 'fix', \"If a temporary account must be created configure the system to\nterminate the account after a 72 hour time period with the following command to\nset an expiration date on it. 
Substitute \\\"system_account_name\\\" with the\naccount to be created.\n\n# sudo chage -E `date -d \\\"+3 days\\\" +%Y-%m-%d` system_account_name\"\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75479.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75491.rb", "line": 3 }, - "id": "V-75479" + "id": "V-75491" }, { - "title": "Wireless network adapters must be disabled.", - "desc": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the Ubuntu operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with an Ubuntu operating system.\nWireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing\nDevices and Near Field Communications [NFC]) present a unique challenge by\ncreating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the\nAO. Even though some wireless peripherals, such as mice and pointing devices,\ndo not ordinarily carry information that need to be protected, modification of\ncommunications with these wireless peripherals may be used to compromise the\nUbuntu operating system. 
Communication paths outside the physical protection of\na controlled boundary are exposed to the possibility of interception and\nmodification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", + "title": "Successful/unsuccessful uses of the open_by_handle_at command must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the Ubuntu operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with an Ubuntu operating system.\nWireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing\nDevices and Near Field Communications [NFC]) present a unique challenge by\ncreating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the\nAO. 
Even though some wireless peripherals, such as mice and pointing devices,\ndo not ordinarily carry information that need to be protected, modification of\ncommunications with these wireless peripherals may be used to compromise the\nUbuntu operating system. Communication paths outside the physical protection of\na controlled boundary are exposed to the possibility of interception and\nmodification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", - "check": "Verify that there are no wireless interfaces configured on the\nsystem.\n\nCheck that the system does not have active wireless interfaces with the\nfollowing command:\n\nNote: This requirement is Not Applicable for systems that do not have physical\nwireless network radios.\n\n# ifconfig -a | more\n\neth0 Link encap:Ethernet HWaddr ff:ff:ff:ff:ff:ff\ninet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n...\n\neth1 IEEE 802.11b ESSID:\"tacnet\"\nMode:Managed Frequency:2.412 GHz Access Point: 00:40:E7:22:45:CD\n...\n\nlo Link encap:Local Loopback\ninet addr:127.0.0.1 Mask:255.0.0.0\ninet6 addr: ::1/128 Scope:Host\n...\n\nIf a wireless interface is configured and has not been documented and approved\nby the Information System Security Officer (ISSO), this is a finding.", - "fix": "Configure the system to disable all wireless network interfaces\nwith the following command:\n\n# sudo ifdown [ADAPTER_NAME]" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to 
establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"open_by_handle_at\" command\noccur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000\n-F auid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"open_by_handle_at\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000\n-F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000299-GPOS-00117", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000299-GPOS-00117", - "SRG-OS-000300-GPOS-00118", - "SRG-OS-000481-GPOS-000481" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75867", - "rid": "SV-90547r1_rule", - "stig_id": "UBTU-16-030500", - "fix_id": "F-82497r1_fix", + "gid": "V-75753", + "rid": "SV-90433r3_rule", + "stig_id": "UBTU-16-020640", + "fix_id": "F-82381r2_fix", "cci": [ - "CCI-001443", - "CCI-001444", - "CCI-002418" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AC-18 (1)", - "AC-18 (1)", - "SC-8", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
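Review bot: The V-75491 check in the new `code` string only rejects `Account expires : never`; it never verifies the 72-hour bound that the title, check and fix text require, and when an account named in the `temporary_accounts` input does not exist (or `chage -l` fails for lack of privilege) the grep yields an empty stdout, which `should_not match` accepts, so a misspelled entry passes silently. Capture the `chage` output first and assert it is non-empty before matching, and parse the printed date against today to enforce the 72-hour limit (the printed format depends on the locale, so that comparison should be hedged in a comment rather than assumed). The account name is interpolated into a shell command unescaped; it comes from a profile input rather than from the host, so escaping it is cheap hygiene rather than a vulnerability fix. The empty-input branch always passes and deserves a comment such as `# no temporary accounts declared -> nothing to check, control passes`.
```ruby
    temporary_accounts.each do |acct|
      expiry_line = command("chage -l #{acct} | grep 'Account expires'").stdout.strip
      describe "Expiration for temporary account #{acct}" do
        subject { expiry_line }
        it { should_not be_empty }          # missing account or failed chage is a finding, not a pass
        it { should_not match /:\s*never/ }
        # TODO(review): parse the date after ':' and assert it is no more than 3 days from today (72 h bound)
      end
    end
```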
@@ -6364,34 +6221,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75867' do\n title 'Wireless network adapters must be disabled.'\n desc \"Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the Ubuntu operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with an Ubuntu operating system.\nWireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing\nDevices and Near Field Communications [NFC]) present a unique challenge by\ncreating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the\nAO. Even though some wireless peripherals, such as mice and pointing devices,\ndo not ordinarily carry information that need to be protected, modification of\ncommunications with these wireless peripherals may be used to compromise the\nUbuntu operating system. Communication paths outside the physical protection of\na controlled boundary are exposed to the possibility of interception and\nmodification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. 
If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000299-GPOS-00117'\n tag \"satisfies\": %w[SRG-OS-000299-GPOS-00117 SRG-OS-000300-GPOS-00118\n SRG-OS-000481-GPOS-000481]\n tag \"gid\": 'V-75867'\n tag \"rid\": 'SV-90547r1_rule'\n tag \"stig_id\": 'UBTU-16-030500'\n tag \"fix_id\": 'F-82497r1_fix'\n tag \"cci\": %w[CCI-001443 CCI-001444 CCI-002418]\n tag \"nist\": ['AC-18 (1)', 'AC-18 (1)', 'SC-8', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that there are no wireless interfaces configured on the\nsystem.\n\nCheck that the system does not have active wireless interfaces with the\nfollowing command:\n\nNote: This requirement is Not Applicable for systems that do not have physical\nwireless network radios.\n\n# ifconfig -a | more\n\neth0 Link encap:Ethernet HWaddr ff:ff:ff:ff:ff:ff\ninet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n...\n\neth1 IEEE 802.11b ESSID:\\\"tacnet\\\"\nMode:Managed Frequency:2.412 GHz Access Point: 00:40:E7:22:45:CD\n...\n\nlo Link encap:Local Loopback\ninet addr:127.0.0.1 Mask:255.0.0.0\ninet6 addr: ::1/128 Scope:Host\n...\n\nIf a wireless interface is configured and has not been documented and approved\nby the Information System Security Officer (ISSO), this is a finding.\"\n desc 'fix', \"Configure the system to disable all wireless network interfaces\nwith the following command:\n\n# sudo ifdown [ADAPTER_NAME]\"\n\n allowed_network_interfaces = input('allowed_network_interfaces')\n ifconfig_output = command('ifconfig -s | cut -d \" \" -f 1').stdout.split(\"\\n\")\n system_network_interfaces = 
ifconfig_output.drop(1)\n\n other_network_interfaces = system_network_interfaces - allowed_network_interfaces\n\n if other_network_interfaces.count > 0\n other_network_interfaces.each do |net_int|\n describe ('Interface: ' + net_int + ' not permitted') do\n subject { net_int }\n it { should be_empty }\n end\n end\n else\n describe 'Number of wireless network interfaces found' do\n subject { other_network_interfaces }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75753' do\n title \"Successful/unsuccessful uses of the open_by_handle_at command must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75753'\n tag \"rid\": 'SV-90433r3_rule'\n tag \"stig_id\": 'UBTU-16-020640'\n tag \"fix_id\": 'F-82381r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the 
\\\"open_by_handle_at\\\" command\noccur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000\n-F auid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"open_by_handle_at\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000\n-F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('open_by_handle_at').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open_by_handle_at').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open_by_handle_at').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open_by_handle_at').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75867.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75753.rb", "line": 3 }, - "id": "V-75867" + "id": "V-75753" }, { - "title": "The Ubuntu operating system must prevent the use of dictionary words\nfor passwords.", - "desc": "If the Ubuntu operating system allows the user to select passwords\nbased on dictionary words, this increases the chances of password compromise by\nincreasing the opportunity for successful guesses and brute-force attacks.", + "title": "Successful/unsuccessful uses of the mount command must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", "descriptions": { - "default": "If the Ubuntu operating system allows the user to select passwords\nbased on dictionary words, this increases the chances of password compromise by\nincreasing the opportunity for successful guesses and brute-force attacks.", - "check": "Verify the Ubuntu operating system prevents the use of\ndictionary words for passwords.\n\nCheck that the Ubuntu operating system uses the cracklib library to prevent the\nuse of dictionary words with the following command:\n\n# grep dictcheck /etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to \"1\", or is commented out, this\nis a finding.", - "fix": "Configure the Ubuntu operating system to prevent the use of\ndictionary words for passwords.\n\nEdit the file \"/etc/security/pwquality.conf\" by adding a line such as:\n\ndictcheck=1" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"mount\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w mount /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00225", - "gid": "V-75481", - "rid": "SV-90161r3_rule", - "stig_id": "UBTU-16-010260", - "fix_id": "F-82109r2_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75695", + "rid": "SV-90375r3_rule", + "stig_id": "UBTU-16-020380", + "fix_id": "F-82323r2_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
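Review bot: The V-75753 `code` string requires `arch=b32` rules for `open_by_handle_at` unconditionally, while the `check` and `fix` text in the same hunk list only the two `arch=b64` rules; a host configured exactly as the fix instructs would therefore be reported as a finding by the b32 describes. Either run the b32 blocks only when the b64 branch does not apply, or keep both and update the check/fix text to list the b32 rules, with a comment stating the intent, e.g. `# both 32- and 64-bit syscall tables are audited so a 32-bit binary cannot bypass the rule`. The `os.arch == 'x86_64'` guard also skips the b64 checks on other 64-bit architectures (aarch64 audit rules appear to use `arch=b64` as well), which looks unintended. The two describe blocks per arch differ only in their `exit.uniq` expectation, so each pair collapses into one `describe auditd.syscall('open_by_handle_at').where { arch == 'b64' }` block containing both `its('exit.uniq') { should include ... }` lines.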
@@ -6405,40 +6278,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75481' do\n title \"The Ubuntu operating system must prevent the use of dictionary words\nfor passwords.\"\n desc \"If the Ubuntu operating system allows the user to select passwords\nbased on dictionary words, this increases the chances of password compromise by\nincreasing the opportunity for successful guesses and brute-force attacks.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00225'\n tag \"gid\": 'V-75481'\n tag \"rid\": 'SV-90161r3_rule'\n tag \"stig_id\": 'UBTU-16-010260'\n tag \"fix_id\": 'F-82109r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system prevents the use of\ndictionary words for passwords.\n\nCheck that the Ubuntu operating system uses the cracklib library to prevent the\nuse of dictionary words with the following command:\n\n# grep dictcheck /etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to \\\"1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of\ndictionary words for passwords.\n\nEdit the file \\\"/etc/security/pwquality.conf\\\" by adding a line such as:\n\ndictcheck=1\"\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75695' do\n 
title \"Successful/unsuccessful uses of the mount command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75695'\n tag \"rid\": 'SV-90375r3_rule'\n tag \"stig_id\": 'UBTU-16-020380'\n tag \"fix_id\": 'F-82323r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"mount\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w mount /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"mount\\\" command.\n\nAdd or update the 
following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75481.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75695.rb", "line": 3 }, - "id": "V-75481" + "id": "V-75695" }, { - "title": "The Ubuntu operating system must enforce SSHv2 for network access to\nall accounts.", - "desc": "A replay attack may enable an unauthorized user to gain access to the\nUbuntu operating system. Authentication sessions between the authenticator and\nthe Ubuntu operating system validating the user credentials must not be\nvulnerable to a replay attack.\n\n An authentication process resists replay attacks if it is impractical to\nachieve a successful authentication by recording and replaying a previous\nauthentication message.\n\n A privileged account is any information system account with authorizations\nof a privileged user.\n\n Techniques used to address this include protocols using nonces (e.g.,\nnumbers generated for a specific one-time use) or challenges (e.g., TLS,\nWS_Security). 
Additional techniques include time-synchronous or\nchallenge-response one-time authenticators.", + "title": "The Ubuntu operating system must implement address space layout\nrandomization to protect its memory from unauthorized code execution.", + "desc": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", "descriptions": { - "default": "A replay attack may enable an unauthorized user to gain access to the\nUbuntu operating system. Authentication sessions between the authenticator and\nthe Ubuntu operating system validating the user credentials must not be\nvulnerable to a replay attack.\n\n An authentication process resists replay attacks if it is impractical to\nachieve a successful authentication by recording and replaying a previous\nauthentication message.\n\n A privileged account is any information system account with authorizations\nof a privileged user.\n\n Techniques used to address this include protocols using nonces (e.g.,\nnumbers generated for a specific one-time use) or challenges (e.g., TLS,\nWS_Security). 
Additional techniques include time-synchronous or\nchallenge-response one-time authenticators.", - "check": "Verify that the Ubuntu operating system enforces SSH protocol 2\nfor network access.\n\nCheck the protocol versions that SSH allows with the following command:\n\n#grep -i protocol /etc/ssh/sshd_config\n\nProtocol 2\n\nIf the returned line allows for use of protocol \"1\", is commented out, or the\nline is missing, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce SSHv2 for\nnetwork access to all accounts.\n\nAdd or update the following line in the \"/etc/ssh/sshd_config\" file:\n\nProtocol 2\n\nRestart the ssh service.\n\n# systemctl restart sshd.service" + "default": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", + "check": "Verify the Ubuntu operating system implements address space\nlayout randomization (ASLR).\n\nCheck that ASLR is configured on the system with the following command:\n\n# sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned; we must verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n# kernel.randomize_va_space\" /etc/sysctl.conf /etc/sysctl.d/*\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", this is a finding.", + "fix": "Configure the operating system implement virtual address space\nrandomization.\n\nSet the system to the required kernel parameter by adding the following line to\n\"/etc/sysctl.conf\" (or modify the line to have the 
required value):\n\nkernel.randomize_va_space=2"
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000112-GPOS-00057",
- "satisfies": [
- "SRG-OS-000112-GPOS-00057",
- "SRG-OS-000113-GPOS-00058"
- ],
- "gid": "V-75823",
- "rid": "SV-90503r1_rule",
- "stig_id": "UBTU-16-030200",
- "fix_id": "F-82453r1_fix",
+ "gtitle": "SRG-OS-000433-GPOS-00193",
+ "gid": "V-75821",
+ "rid": "SV-90501r2_rule",
+ "stig_id": "UBTU-16-030140",
+ "fix_id": "F-82451r2_fix",
 "cci": [
- "CCI-001941",
- "CCI-001942"
+ "CCI-002824"
 ],
 "nist": [
- "IA-2 (8)",
- "IA-2 (9)",
+ "SI-16",
 "Rev_4"
 ],
 "false_negatives": null,
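Review bot: The `audit_lines_exist` guard in the new `V-75695` code (`auditd.lines.index { |line| line.include?(@audit_file) }`) is a substring test, so a rule for any path that merely contains `/bin/mount` — `/bin/mountpoint`, for instance — satisfies it, and the control then falls through to the `auditd.file(@audit_file)` assertions instead of the clearer 'Audit line(s) ... exist' failure; if `auditd.lines` is `auditctl -l` output, matching the whole field, e.g. `line =~ /path=#{Regexp.escape(@audit_file)}(\s|$)/`, would make the guard exact. The describe block also checks only `permissions`, `action` and `list`, so a rule that lacks the `auid>=1000`/`auid!=4294967295` filters or the `privileged-mount` key required by the fix text still passes; that gap should either be closed or recorded with a comment such as `# auid filters and the -k key from the fix text are not verified here`. Minor: the `desc` string in the code ends in `\n\n\n ` while the JSON `desc`/`default` fields (in the preceding hunk) do not, so the two copies of the rationale differ.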
@@ -6452,34 +6319,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75823' do\n title \"The Ubuntu operating system must enforce SSHv2 for network access to\nall accounts.\"\n desc \"A replay attack may enable an unauthorized user to gain access to the\nUbuntu operating system. Authentication sessions between the authenticator and\nthe Ubuntu operating system validating the user credentials must not be\nvulnerable to a replay attack.\n\n An authentication process resists replay attacks if it is impractical to\nachieve a successful authentication by recording and replaying a previous\nauthentication message.\n\n A privileged account is any information system account with authorizations\nof a privileged user.\n\n Techniques used to address this include protocols using nonces (e.g.,\nnumbers generated for a specific one-time use) or challenges (e.g., TLS,\nWS_Security). Additional techniques include time-synchronous or\nchallenge-response one-time authenticators.\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": %w[SRG-OS-000112-GPOS-00057 SRG-OS-000113-GPOS-00058]\n tag \"gid\": 'V-75823'\n tag \"rid\": 'SV-90503r1_rule'\n tag \"stig_id\": 'UBTU-16-030200'\n tag \"fix_id\": 'F-82453r1_fix'\n tag \"cci\": %w[CCI-001941 CCI-001942]\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system enforces SSH protocol 2\nfor network access.\n\nCheck the protocol versions that SSH allows with the following command:\n\n#grep -i protocol /etc/ssh/sshd_config\n\nProtocol 2\n\nIf the returned line allows for use of protocol \\\"1\\\", is commented out, or 
the\nline is missing, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce SSHv2 for\nnetwork access to all accounts.\n\nAdd or update the following line in the \\\"/etc/ssh/sshd_config\\\" file:\n\nProtocol 2\n\nRestart the ssh service.\n\n# systemctl restart sshd.service\"\n\n describe sshd_config do\n its('Protocol') { should cmp 2 }\n end\nend\n", + "code": "control 'V-75821' do\n title \"The Ubuntu operating system must implement address space layout\nrandomization to protect its memory from unauthorized code execution.\"\n desc \"Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000433-GPOS-00193'\n tag \"gid\": 'V-75821'\n tag \"rid\": 'SV-90501r2_rule'\n tag \"stig_id\": 'UBTU-16-030140'\n tag \"fix_id\": 'F-82451r2_fix'\n tag \"cci\": ['CCI-002824']\n tag \"nist\": %w[SI-16 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system implements address space\nlayout randomization (ASLR).\n\nCheck that ASLR is configured on the system with the following command:\n\n# sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned; we must verify the kernel parameter\n\\\"randomize_va_space\\\" is set to 
\\\"2\\\" with the following command:\n\n# kernel.randomize_va_space\\\" /etc/sysctl.conf /etc/sysctl.d/*\n\nkernel.randomize_va_space = 2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to \\\"2\\\", this is a finding.\"\n desc 'fix', \"Configure the operating system implement virtual address space\nrandomization.\n\nSet the system to the required kernel parameter by adding the following line to\n\\\"/etc/sysctl.conf\\\" (or modify the line to have the required value):\n\nkernel.randomize_va_space=2\"\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75823.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75821.rb", "line": 3 }, - "id": "V-75823" + "id": "V-75821" }, { - "title": "The Ubuntu operating system must not respond to Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a\nbroadcast address.", - "desc": "Responding to broadcast Internet Control Message Protocol (ICMP)\nechoes facilitates network mapping and provides a vector for amplification\nattacks.", + "title": "Duplicate User IDs (UIDs) must not exist for interactive users.", + "desc": "To assure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group 
authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", "descriptions": { - "default": "Responding to broadcast Internet Control Message Protocol (ICMP)\nechoes facilitates network mapping and provides a vector for amplification\nattacks.", - "check": "Verify the Ubuntu operating system does not respond to IPv4\nInternet Control Message Protocol (ICMP) echoes sent to a broadcast address.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the\nfollowing command:\n\n# sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or\nthe retuned line is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to not respond to Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent\nto a broadcast address with the following command:\n\n# sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf \"1\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1" + "default": "To assure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on 
the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.",
+ "check": "Verify that the Ubuntu operating system contains no duplicate\nUser IDs (UIDs) for interactive users.\n\nCheck that the Ubuntu operating system contains no duplicate UIDs for\ninteractive users with the following command:\n\n# awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf output is produced, and the accounts listed are interactive user accounts,\nthis is a finding.",
+ "fix": "Edit the file \"/etc/passwd\" and provide each interactive user\naccount that has a duplicate User ID (UID) with a unique UID."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75877",
- "rid": "SV-90557r2_rule",
- "stig_id": "UBTU-16-030550",
- "fix_id": "F-82507r2_fix",
+ "gtitle": "SRG-OS-000104-GPOS-00051",
+ "satisfies": [
+ "SRG-OS-000104-GPOS-00051",
+ "SRG-OS-000121-GPOS-00062",
+ "SRG-OS-000134-GPOS-00068"
+ ],
+ "gid": "V-75547",
+ "rid": "SV-90227r2_rule",
+ "stig_id": "UBTU-16-010660",
+ "fix_id": "F-82175r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000764",
+ "CCI-000804",
+ "CCI-001084"
 ],
 "nist": [
- "CM-6 b",
+ "IA-2",
+ "IA-8",
+ "SC-3",
 "Rev_4"
 ],
 "false_negatives": null,
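Review bot: The new `V-75821` test only inspects the live value through `kernel_parameter('kernel.randomize_va_space')`, whereas the control's check text also requires the setting to be present in `/etc/sysctl.conf` or `/etc/sysctl.d/*`; a host whose running value is 2 but whose persistent configuration says otherwise, or omits it so the default returns after reboot, passes. Either add a second describe against the persistent files or state the limitation with a comment such as `# Only the runtime sysctl value is enforced; persistence in /etc/sysctl.conf or /etc/sysctl.d is not checked`. The check text carried into both the JSON `check` field and the `desc 'check'` string contains a mangled command, `# kernel.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/*`, which appears to have lost its `grep` prefix and opening quote, and the fix text reads `Configure the operating system implement` (missing `to`); if these are reproduced verbatim from the upstream STIG, a short comment saying so would stop readers from treating them as typos introduced here.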
@@ -6493,50 +6369,46 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75877' do\n title \"The Ubuntu operating system must not respond to Internet Protocol\nversion 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a\nbroadcast address.\"\n desc \"Responding to broadcast Internet Control Message Protocol (ICMP)\nechoes facilitates network mapping and provides a vector for amplification\nattacks.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75877'\n tag \"rid\": 'SV-90557r2_rule'\n tag \"stig_id\": 'UBTU-16-030550'\n tag \"fix_id\": 'F-82507r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not respond to IPv4\nInternet Control Message Protocol (ICMP) echoes sent to a broadcast address.\n\nCheck the value of the \\\"icmp_echo_ignore_broadcasts\\\" variable with the\nfollowing command:\n\n# sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf the returned line does not have a value of \\\"1\\\", a line is not returned, or\nthe retuned line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not respond to Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent\nto a broadcast address with the following command:\n\n# sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf \\\"1\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1\"\n\n 
describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do\n its('value') { should eq 1 }\n end\nend\n", + "code": "control 'V-75547' do\n title 'Duplicate User IDs (UIDs) must not exist for interactive users.'\n desc \"To assure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. 
Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000104-GPOS-00051'\n tag \"satisfies\": %w[SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062\n SRG-OS-000134-GPOS-00068]\n tag \"gid\": 'V-75547'\n tag \"rid\": 'SV-90227r2_rule'\n tag \"stig_id\": 'UBTU-16-010660'\n tag \"fix_id\": 'F-82175r1_fix'\n tag \"cci\": %w[CCI-000764 CCI-000804 CCI-001084]\n tag \"nist\": %w[IA-2 IA-8 SC-3 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system contains no duplicate\nUser IDs (UIDs) for interactive users.\n\nCheck that the Ubuntu operating system contains no duplicate UIDs for\ninteractive users with the following command:\n\n# awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf output is produced, and the accounts listed are interactive user accounts,\nthis is a finding.\"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user\naccount that has a duplicate User ID (UID) with a unique UID.\"\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75877.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75547.rb", "line": 3 }, - "id": "V-75877" + "id": "V-75547" }, { - "title": "Successful/unsuccessful uses 
of the creat command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "Audit logs must be group-owned by root to prevent unauthorized read\naccess.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"creat\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw creat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of 
the \"creat\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "check": "Verify the audit logs are group-owned by \"root\". First\ndetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is\ngroup-owned by \"root\" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\nrw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not group-owned by \"root\", this is a finding.", + "fix": "Configure the audit log to be protected from unauthorized read\naccess, by setting the correct group-owner as \"root\" with the following\ncommand:\n\n# sudo chgrp root [audit_log_file]\n\nReplace \"[audit_log_file]\" to the correct audit log path, by default this\nlocation is \"/var/log/audit/audit.log\"." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000037-GPOS-00015",
+ "gtitle": "SRG-OS-000057-GPOS-00027",
 "satisfies": [
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215"
+ "SRG-OS-000057-GPOS-00027",
+ "SRG-OS-000058-GPOS-00028",
+ "SRG-OS-000059-GPOS-00029",
+ "SRG-OS-000206-GPOS-00084"
 ],
- "gid": "V-75749",
- "rid": "SV-90429r3_rule",
- "stig_id": "UBTU-16-020620",
- "fix_id": "F-82377r2_fix",
+ "gid": "V-75641",
+ "rid": "SV-90321r2_rule",
+ "stig_id": "UBTU-16-020120",
+ "fix_id": "F-82269r2_fix",
 "cci": [
- "CCI-000130",
- "CCI-000135",
- "CCI-000169",
- "CCI-000172",
- "CCI-002884"
+ "CCI-000162",
+ "CCI-000163",
+ "CCI-000164",
+ "CCI-001314"
 ],
 "nist": [
- "AU-3",
- "AU-3 (1)",
- "AU-12 a",
- "AU-12 c",
- "MA-4 (1) (a)",
+ "AU-9",
+ "AU-9",
+ "AU-9",
+ "SI-11 b",
 "Rev_4"
 ],
 "false_negatives": null,
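Review bot: The `V-75547` test reports every duplicate UID in `/etc/passwd`, while the STIG check text it implements makes the condition a finding only when the listed accounts are interactive users, so duplicates among system accounts will be reported as failures the STIG does not require (a duplicated UID 0 is still worth failing on, so filtering by UID range alone would be the wrong narrowing). Either restrict the awk output to accounts whose login shell is interactive, or record the broader scope with a comment such as `# Deliberately stricter than the STIG text: any duplicate UID, interactive or not, is reported`. The `findings = Set[]` plus `each`/`<<` loop is just `findings = Set.new(user_list)`. Separately, the new `nist` array for the V-75641 control at the end of this hunk lists `"AU-9"` three times; the per-CCI mapping should be de-duplicated, and the matching `tag "nist"` in that control's code (which begins in the next hunk, outside this one) likely needs the same fix.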
@@ -6550,50 +6422,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75749' do\n title \"Successful/unsuccessful uses of the creat command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75749'\n tag \"rid\": 'SV-90429r3_rule'\n tag \"stig_id\": 'UBTU-16-020620'\n tag \"fix_id\": 'F-82377r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"creat\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw creat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k 
perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"creat\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('creat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('creat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('creat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('creat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", + "code": "control 'V-75641' do\n title \"Audit logs must be group-owned by root to prevent unauthorized read\naccess.\"\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n 
\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084]\n tag \"gid\": 'V-75641'\n tag \"rid\": 'SV-90321r2_rule'\n tag \"stig_id\": 'UBTU-16-020120'\n tag \"fix_id\": 'F-82269r2_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164 CCI-001314]\n tag \"nist\": ['AU-9', 'AU-9', 'AU-9', 'SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit logs are group-owned by \\\"root\\\". First\ndetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is\ngroup-owned by \\\"root\\\" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\nrw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not group-owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit log to be protected from unauthorized read\naccess, by setting the correct group-owner as \\\"root\\\" with the following\ncommand:\n\n# sudo chgrp root [audit_log_file]\n\nReplace \\\"[audit_log_file]\\\" to the correct audit log path, by default this\nlocation is \\\"/var/log/audit/audit.log\\\".\"\n\n log_file_path = auditd_conf.log_file\n\n describe file(log_file_path) do\n its('group') { should cmp 'root' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75749.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75641.rb", "line": 3 }, - "id": "V-75749" + "id": "V-75641" }, { - "title": "Successful/unsuccessful 
uses of the ssh-agent command must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "title": "File systems that contain user home directories must be mounted to\nprevent files with the setuid and setguid bit set from being executed.", + "desc": "The \"nosuid\" mount option causes the system to not execute setuid\nand setgid files with owner privileges. This option must be used for mounting\nany file system not containing approved setuid and setguid files. Executing\nfiles from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"ssh-agent\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep ssh-agent /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-agent\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "The \"nosuid\" mount option causes the system to not execute setuid\nand setgid files with owner privileges. This option must be used for mounting\nany file system not containing approved setuid and setguid files. 
Executing\nfiles from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "check": "Verify file systems that contain user home directories are\nmounted with the \"nosuid\" option.\n\nNote: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is not a\nfinding as the \"nosuid\" option cannot be used on the \"/\" system.\n\nFind the file system(s) that contain the user home directories with the\nfollowing command:\n\n# awk -F: '($3>=1000)&&($1!=\"nobody\"){print $1,$3,$6}' /etc/passwd\n\nsmithj:1001: /home/smithj\nrobinst:1002: /home/robinst\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid 0 2\n\nIf a file system found in \"/etc/fstab\" refers to the user home directory file\nsystem and it does not have the \"nosuid\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file\nsystems that contain user home directories for interactive users." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75699", - "rid": "SV-90379r3_rule", - "stig_id": "UBTU-16-020400", - "fix_id": "F-82327r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75575", + "rid": "SV-90255r2_rule", + "stig_id": "UBTU-16-010800", + "fix_id": "F-82203r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
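Review bot: The new V-75641 test hands the single value of `auditd_conf.log_file` straight to `file(...)`, so a system whose auditd.conf omits `log_file` most likely errors on a nil path rather than producing a finding. The fix text on the same hunk names the default location, so the control source (`./Ubuntu 16.04 STIG/controls/V-75641.rb`, this JSON being generated from it) could read `log_file_path = auditd_conf.log_file || '/var/log/audit/audit.log'`. Rotated copies that auditd leaves beside the active log hold the same records but are never examined here; if the requirement is meant to cover them, the check would need to iterate over the log directory instead of one file. The `nist` array on the new side lists `AU-9` three times, which looks like a one-entry-per-CCI mapping rather than a mistake, but it is worth confirming the consumer tolerates duplicates.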
@@ -6607,34 +6463,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75699' do\n title \"Successful/unsuccessful uses of the ssh-agent command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75699'\n tag \"rid\": 'SV-90379r3_rule'\n tag \"stig_id\": 'UBTU-16-020400'\n tag \"fix_id\": 'F-82327r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"ssh-agent\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep ssh-agent /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n 
desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75575' do\n title \"File systems that contain user home directories must be mounted to\nprevent files with the setuid and setguid bit set from being executed.\"\n desc \"The \\\"nosuid\\\" mount option causes the system to not execute setuid\nand setgid files with owner privileges. This option must be used for mounting\nany file system not containing approved setuid and setguid files. 
Executing\nfiles from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75575'\n tag \"rid\": 'SV-90255r2_rule'\n tag \"stig_id\": 'UBTU-16-010800'\n tag \"fix_id\": 'F-82203r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify file systems that contain user home directories are\nmounted with the \\\"nosuid\\\" option.\n\nNote: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \\\"/\\\"), this is not a\nfinding as the \\\"nosuid\\\" option cannot be used on the \\\"/\\\" system.\n\nFind the file system(s) that contain the user home directories with the\nfollowing command:\n\n# awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $1,$3,$6}' /etc/passwd\n\nsmithj:1001: /home/smithj\nrobinst:1002: /home/robinst\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid 0 2\n\nIf a file system found in \\\"/etc/fstab\\\" refers to the user home directory file\nsystem and it does not have the \\\"nosuid\\\" option set, this is a finding.\"\n desc 'fix', \"Configure the \\\"/etc/fstab\\\" to use the \\\"nosuid\\\" option on file\nsystems that contain user home directories for interactive users.\"\n\n known_system_mount_points = input('known_system_mount_points')\n fstab_mount_points = etc_fstab.entries.map(&:mount_point)\n other_mount_points = fstab_mount_points - 
known_system_mount_points\n\n if other_mount_points.count > 0\n other_mount_points.each do |mount_point|\n describe mount(mount_point) do\n its('options') { should include 'nosuid' }\n end\n end\n else\n describe 'Separate file system has not been detected for the user home directories' do\n subject { other_mount_points }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75699.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75575.rb", "line": 3 }, - "id": "V-75699" + "id": "V-75575" }, { - "title": "The file integrity tool must be configured to verify extended\nattributes.", - "desc": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.", + "title": "All persistent disk partitions must implement cryptographic mechanisms\nto prevent unauthorized disclosure or modification of all information that\nrequires at rest protection.", + "desc": "Ubuntu operating systems handling data requiring \"data at rest\"\nprotections must employ cryptographic mechanisms to prevent unauthorized\ndisclosure and modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. 
Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).", "descriptions": { - "default": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.", - "check": "Verify the file integrity tool is configured to verify extended\nattributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed\nwith the following command:\n\n# dpkg -l |grep aide\n\nii aide 0.16~a2.git20130520-3\nii aide-common 0.16~a2.git20130520-3\n\nIf AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a\nfinding.\n\nNote: AIDE is highly configurable at install time. These commands assume the\n\"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added\nto the rule list being applied to the files and directories selection lists\nwith the following command:\n\n# egrep \"[+]?xattrs\" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+xattrs\n\nIf the \"xattrs\" rule is not being used on all selection lines in the\n\"/etc/aide.conf\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory\nextended attributes.\n\nIf AIDE is installed, ensure the \"xattrs\" rule is present on all file and\ndirectory selection lists." 
+ "default": "Ubuntu operating systems handling data requiring \"data at rest\"\nprotections must employ cryptographic mechanisms to prevent unauthorized\ndisclosure and modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).", + "check": "Verify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at rest protection by\nusing disk encryption.\n\nIf there is a documented and approved reason for not having data-at-rest\nencryption, this requirement is Not Applicable.\n\nDetermine the partition layout for the system with the following command:\n\n# fdisk –l\n\nVerify that the system partitions are all encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk partition present must have an entry in the file. If any\npartitions other than pseudo file systems (such as /proc or /sys) are not\nlisted, this is a finding.", + "fix": "Configure the Ubuntu operating system to prevent unauthorized\nmodification of all information at rest by using disk encryption.\n\nEncrypting a partition in an already-installed system is more difficult,\nbecause you need to resize and change existing partitions. To encrypt an entire\npartition, dedicate a partition for encryption in the partition layout." 
}, - "impact": 0.3, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75521", - "rid": "SV-90201r1_rule", - "stig_id": "UBTU-16-010530", - "fix_id": "F-82149r1_fix", + "gtitle": "SRG-OS-000185-GPOS-00079", + "satisfies": [ + "SRG-OS-000185-GPOS-00079", + "SRG-OS-000404-GPOS-00183", + "SRG-OS-000405-GPOS-00184" + ], + "gid": "V-75509", + "rid": "SV-90189r1_rule", + "stig_id": "UBTU-16-010400", + "fix_id": "F-82137r1_fix", "cci": [ - "CCI-000366" + "CCI-001199", + "CCI-002475", + "CCI-002476" ], "nist": [ - "CM-6 b", + "SC-28", + "SC-28 (1)", + "SC-28 (1)", "Rev_4" ], "false_negatives": null, 
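Review bot: The new V-75575 test checks every fstab mount point that is not in the `known_system_mount_points` input, not the file systems that hold interactive users' home directories as the check text describes, so an unrelated extra mount (say, one legitimately carrying setuid binaries) is reported as a finding while a home file system listed in the input would be silently skipped. It also reads the live `mount(mount_point)` options, whereas the check text examines `/etc/fstab`, so a system mounted with `nosuid` by hand but lacking the option in fstab passes. A rewrite in the control source (`./Ubuntu 16.04 STIG/controls/V-75575.rb`, this JSON being generated) could derive the home directories from `passwd` the way the check text does and keep the existing N/A branch for the single-file-system case; the sketch below assumes `etc_fstab` rows expose `mount_options` as an array per entry, which should be confirmed against the InSpec version in use.
```ruby
  # … unchanged: control header, tags, desc 'check' and desc 'fix' …

  # Scope the check to the file systems that actually contain interactive
  # users' home directories, as the check text describes.
  home_dirs = passwd.where { uid.to_i >= 1000 && user != 'nobody' }.homes
  home_mount_points = etc_fstab.entries.map(&:mount_point).select do |mp|
    mp != '/' && home_dirs.any? { |home| home == mp || home.start_with?("#{mp}/") }
  end.uniq

  if home_mount_points.empty?
    describe 'Separate file system has not been detected for the user home directories' do
      subject { home_mount_points }
      its('count') { should eq 0 }
    end
  else
    home_mount_points.each do |mp|
      describe etc_fstab.where { mount_point == mp } do
        its('mount_options.flatten') { should include 'nosuid' }
      end
    end
  end
```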
@@ -6648,54 +6513,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75521' do\n title \"The file integrity tool must be configured to verify extended\nattributes.\"\n desc \"Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75521'\n tag \"rid\": 'SV-90201r1_rule'\n tag \"stig_id\": 'UBTU-16-010530'\n tag \"fix_id\": 'F-82149r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the file integrity tool is configured to verify extended\nattributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed\nwith the following command:\n\n# dpkg -l |grep aide\n\nii aide 0.16~a2.git20130520-3\nii aide-common 0.16~a2.git20130520-3\n\nIf AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a\nfinding.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the\n\\\"aide.conf\\\" file is under the \\\"/etc\\\" directory.\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \\\"aide.conf\\\" file to determine if the \\\"xattrs\\\" rule has been added\nto the rule list being applied to the files and directories selection lists\nwith the following command:\n\n# egrep \\\"[+]?xattrs\\\" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+xattrs\n\nIf the \\\"xattrs\\\" rule is not being used on all selection lines in the\n\\\"/etc/aide.conf\\\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.\"\n desc 'fix', \"Configure the file integrity tool to check file and directory\nextended attributes.\n\nIf AIDE is installed, ensure the \\\"xattrs\\\" rule is present on all file and\ndirectory selection lists.\"\n\n describe aide_conf.all_have_rule('xattr') do\n it { should eq true }\n end\nend\n", + "code": "control 'V-75509' do\n title \"All persistent disk partitions must implement cryptographic mechanisms\nto prevent unauthorized disclosure or modification of all information that\nrequires at rest protection.\"\n desc \"Ubuntu operating systems handling data requiring \\\"data at rest\\\"\nprotections must employ cryptographic mechanisms to prevent unauthorized\ndisclosure and modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. 
Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000185-GPOS-00079'\n tag \"satisfies\": %w[SRG-OS-000185-GPOS-00079 SRG-OS-000404-GPOS-00183\n SRG-OS-000405-GPOS-00184]\n tag \"gid\": 'V-75509'\n tag \"rid\": 'SV-90189r1_rule'\n tag \"stig_id\": 'UBTU-16-010400'\n tag \"fix_id\": 'F-82137r1_fix'\n tag \"cci\": %w[CCI-001199 CCI-002475 CCI-002476]\n tag \"nist\": ['SC-28', 'SC-28 (1)', 'SC-28 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at rest protection by\nusing disk encryption.\n\nIf there is a documented and approved reason for not having data-at-rest\nencryption, this requirement is Not Applicable.\n\nDetermine the partition layout for the system with the following command:\n\n# fdisk –l\n\nVerify that the system partitions are all encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk partition present must have an entry in the file. If any\npartitions other than pseudo file systems (such as /proc or /sys) are not\nlisted, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent unauthorized\nmodification of all information at rest by using disk encryption.\n\nEncrypting a partition in an already-installed system is more difficult,\nbecause you need to resize and change existing partitions. 
To encrypt an entire\npartition, dedicate a partition for encryption in the partition layout.\"\n\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75521.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75509.rb", "line": 3 }, - "id": "V-75521" + "id": "V-75509" }, { - "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/shadow.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "Advance package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating\nsystem components without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.", + "desc": "Changes to any software components can have significant effects on the\noverall security of the Ubuntu operating system. This requirement ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor.\n\n Accordingly, patches, service packs, device drivers, or Ubuntu operating\nsystem components must be signed with a certificate recognized and approved by\nthe organization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. Setting the\n\"Verify-Peer\" Boolean will determine whether or not the server's host\ncertificate should be verified against trusted certificates. 
This ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The Ubuntu\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/shadow\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/shadow\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Changes to any software components can have significant effects on the\noverall security of the Ubuntu operating system. 
This requirement ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor.\n\n Accordingly, patches, service packs, device drivers, or Ubuntu operating\nsystem components must be signed with a certificate recognized and approved by\nthe organization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. Setting the\n\"Verify-Peer\" Boolean will determine whether or not the server's host\ncertificate should be verified against trusted certificates. This ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The Ubuntu\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "check": "Verify that Advance package Tool (APT) is configured to prevent\nthe installation of patches, service packs, device drivers, or Ubuntu operating\nsystem components without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or set to\n\"false\" with the following command:\n\n# grep -i allowunauth /etc/apt/apt.conf.d/*\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" set\nto \"true\", this is a finding.", + "fix": "Configure Advance package Tool (APT) to prevent the installation\nof patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\n\nRemove/Update any APT configuration file that contain the 
variable\n\"AllowUnauthenticated\" to \"false\", or remove \"AllowUnauthenticated\"\nentirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated \"false\";" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75667", - "rid": "SV-90347r3_rule", - "stig_id": "UBTU-16-020330", - "fix_id": "F-82295r2_fix", + "gtitle": "SRG-OS-000366-GPOS-00153", + "gid": "V-75527", + "rid": "SV-90207r2_rule", + "stig_id": "UBTU-16-010560", + "fix_id": "F-82155r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002132", - "CCI-002884" + "CCI-001749" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "AC-2 (4)", - "MA-4 (1)\n(a)", + "CM-5 (3)", "Rev_4" ], "false_negatives": null, 
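Review bot: The V-75509 test is a bare `skip 'This control must be reviewed manually'`, so the reported result gives the assessor no hint of what to compare even though the check text spells it out; the control source (`./Ubuntu 16.04 STIG/controls/V-75509.rb`, this JSON being generated) could instead use `skip 'V-75509 must be reviewed manually: confirm every persistent partition in the partition table has an entry in /etc/crypttab, or that a documented approval exists for running without data-at-rest encryption'`. The command shown in the new `check` description and in `desc 'check'` reads `# fdisk –l` with an en dash rather than an ASCII hyphen, which is unlikely to be accepted as an option if pasted into a shell; it is carried over from the STIG wording but is easy to correct to `fdisk -l` in the control file.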
@@ -6709,34 +6554,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75667' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/shadow.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75667'\n tag \"rid\": 'SV-90347r3_rule'\n tag \"stig_id\": 'UBTU-16-020330'\n tag \"fix_id\": 'F-82295r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/shadow\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does 
not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/shadow\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75527' do\n title \"Advance package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating\nsystem components without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\"\n desc \"Changes to any software components can have significant effects on the\noverall security of the Ubuntu operating system. 
This requirement ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor.\n\n Accordingly, patches, service packs, device drivers, or Ubuntu operating\nsystem components must be signed with a certificate recognized and approved by\nthe organization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. Setting the\n\\\"Verify-Peer\\\" Boolean will determine whether or not the server's host\ncertificate should be verified against trusted certificates. This ensures the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The Ubuntu\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000366-GPOS-00153'\n tag \"gid\": 'V-75527'\n tag \"rid\": 'SV-90207r2_rule'\n tag \"stig_id\": 'UBTU-16-010560'\n tag \"fix_id\": 'F-82155r1_fix'\n tag \"cci\": ['CCI-001749']\n tag \"nist\": ['CM-5 (3)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Advance package Tool (APT) is configured to prevent\nthe installation of patches, service packs, device drivers, or Ubuntu operating\nsystem components without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or set to\n\\\"false\\\" with the following 
command:\n\n# grep -i allowunauth /etc/apt/apt.conf.d/*\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" set\nto \\\"true\\\", this is a finding.\"\n desc 'fix', \"Configure Advance package Tool (APT) to prevent the installation\nof patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a\ncertificate that is recognized and approved by the organization.\n\nRemove/Update any APT configuration file that contain the variable\n\\\"AllowUnauthenticated\\\" to \\\"false\\\", or remove \\\"AllowUnauthenticated\\\"\nentirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated \\\"false\\\";\"\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? 
}\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match /.*false.*/ }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75667.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75527.rb", "line": 3 }, - "id": "V-75667" + "id": "V-75527" }, { - "title": "Default permissions must be defined in such a way that all\nauthenticated users can only read and modify their own files.", - "desc": "Setting the most restrictive default permissions ensures that when new\naccounts are created they do not have unnecessary access.", + "title": "Audit tools must have a mode of 0755 or less permissive.", + "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.", "descriptions": { - "default": "Setting the most restrictive default permissions ensures that when new\naccounts are created they do not have unnecessary access.", - "check": "Verify the Ubuntu operating system defines default permissions\nfor all authenticated users in such a way that the user can only read and\nmodify their own files.\n\nCheck that the Ubuntu operating system defines default permissions for all\nauthenticated users with the following command:\n\n# grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\" variable is set to \"000\", this is a finding with the\nseverity raised to a CAT I.\n\nIf the value of \"UMASK\" is not set to \"077\", \"UMASK\" is commented out or\n\"UMASK\" is missing completely, this is a finding.", - "fix": "Configure the system to define the default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\nEdit the \"UMASK\" parameter in the \"/etc/login.defs\" file to match the\nexample below:\n\nUMASK 077" + "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.", + "check": "Verify the audit tools are protected from unauthorized access,\ndeletion, or modification by checking the permissive mode.\n\nCheck the octal permission of each audit tool by running the following command:\n\n#stat -c \"%a %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n755 /sbin/augenrules\n\nIf any of the audit tools has a mode more permissive than \"0755\", this is a\nfinding.", + "fix": "Configure the audit tools to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n# sudo chmod 0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the correct\npermissive mode." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00228", - "gid": "V-75543", - "rid": "SV-90223r2_rule", - "stig_id": "UBTU-16-010640", - "fix_id": "F-82171r1_fix", + "gtitle": "SRG-OS-000256-GPOS-00097", + "satisfies": [ + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098", + "SRG-OS-000258-GPOS-00099" + ], + "gid": "V-75653", + "rid": "SV-90333r2_rule", + "stig_id": "UBTU-16-020180", + "fix_id": "F-82281r1_fix", "cci": [ - "CCI-000366" + "CCI-001493", + "CCI-001494", + "CCI-001495" ], "nist": [ - "CM-6 b", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ], "false_negatives": null, 
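Review bot: The expectation in the new V-75527 code is inverted: `it { should_not match /.*false.*/ }` fails for every grep hit containing "false", yet `APT::Get::AllowUnauthenticated "false";` is exactly the setting the check text calls compliant, so a correctly hardened host is reported as a finding while a line setting "true" passes. Each non-comment hit should instead be asserted positively, e.g. `it { should match(/AllowUnauthenticated\s+"false"\s*;/i) }`, and because `grep -i allowunauth` also returns commented-out lines (`//` or `#`), those should be dropped from `apt_allowunauth` before the loop. The describe label also misspells the option as `AllowUnauthenctication`. Separately, the new V-75653 tags list `"AU-9"` three times, and the same duplication appears as `%w[AU-9 AU-9 AU-9 Rev_4]` in the next hunk; a single `AU-9` entry is enough. The control object these lines belong to begins before the hunk.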
@@ -6750,34 +6604,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75543' do\n title \"Default permissions must be defined in such a way that all\nauthenticated users can only read and modify their own files.\"\n desc \"Setting the most restrictive default permissions ensures that when new\naccounts are created they do not have unnecessary access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00228'\n tag \"gid\": 'V-75543'\n tag \"rid\": 'SV-90223r2_rule'\n tag \"stig_id\": 'UBTU-16-010640'\n tag \"fix_id\": 'F-82171r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system defines default permissions\nfor all authenticated users in such a way that the user can only read and\nmodify their own files.\n\nCheck that the Ubuntu operating system defines default permissions for all\nauthenticated users with the following command:\n\n# grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\" variable is set to \\\"000\\\", this is a finding with the\nseverity raised to a CAT I.\n\nIf the value of \\\"UMASK\\\" is not set to \\\"077\\\", \\\"UMASK\\\" is commented out or\n\\\"UMASK\\\" is missing completely, this is a finding.\"\n desc 'fix', \"Configure the system to define the default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\nEdit the \\\"UMASK\\\" parameter in the \\\"/etc/login.defs\\\" file to match the\nexample below:\n\nUMASK 077\"\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n", + "code": "control 'V-75653' do\n title 'Audit tools 
must have a mode of 0755 or less permissive.'\n desc \"Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000256-GPOS-00097'\n tag \"satisfies\": %w[SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098\n SRG-OS-000258-GPOS-00099]\n tag \"gid\": 'V-75653'\n tag \"rid\": 'SV-90333r2_rule'\n tag \"stig_id\": 'UBTU-16-020180'\n tag \"fix_id\": 'F-82281r1_fix'\n tag \"cci\": %w[CCI-001493 CCI-001494 CCI-001495]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit tools are protected from unauthorized access,\ndeletion, or modification by checking the permissive mode.\n\nCheck the octal permission of each audit tool by running the following command:\n\n#stat -c \\\"%a %n\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n755 /sbin/augenrules\n\nIf any of the audit tools has a mode more permissive than \\\"0755\\\", this is a\nfinding.\"\n desc 
'fix', \"Configure the audit tools to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n# sudo chmod 0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the correct\npermissive mode.\"\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75543.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75653.rb", "line": 3 }, - "id": "V-75543" + "id": "V-75653" }, { - "title": "An application firewall must be enabled on the system.", - "desc": "Firewalls protect computers from network attacks by blocking or\nlimiting access to open network ports. Application firewalls limit which\napplications are allowed to communicate over the network.", + "title": "Successful/unsuccessful uses of the sudoedit command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Firewalls protect computers from network attacks by blocking or\nlimiting access to open network ports. Application firewalls limit which\napplications are allowed to communicate over the network.", - "check": "Verify the Uncomplicated Firewall is enabled on the system by\nrunning the following command:\n\n# sudo systemctl is-enabled ufw\n\nenabled\n\nIf the above command returns the status as \"disabled\", this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator if\nanother application firewall is installed. 
If no application firewall is\ninstalled this is a finding.", - "fix": "Enable the Uncomplicated Firewall by using the following commands:\n\n# sudo systemctl start ufw\n\n# sudo systemctl enable ufw" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"sudoedit\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w sudoedit /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"sudoedit\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00232",
- "gid": "V-75805",
- "rid": "SV-90485r2_rule",
- "stig_id": "UBTU-16-030040",
- "fix_id": "F-82435r2_fix",
+ "gtitle": "SRG-OS-000037-GPOS-00015",
+ "satisfies": [
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-75757",
+ "rid": "SV-90437r3_rule",
+ "stig_id": "UBTU-16-020660",
+ "fix_id": "F-82385r2_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
 ],
 "nist": [
- "CM-6 b",
+ "AU-3",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
 "Rev_4"
 ],
 "false_negatives": null,
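Review bot: `audit_tools = input('audit_tools')` in the new V-75653 code has no default and no `required` flag, so when the profile is run without that input the `audit_tools.each` call errors out (the input resolves to a no-value sentinel, as far as I can tell) instead of producing a clear finding. Giving it the list from the check text as a default keeps the control self-contained: `audit_tools = input('audit_tools', value: %w[/sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules])`. The `describe file(tool)` block should also assert `it { should exist }` before the mode check, since a missing binary is not evidence that its mode is acceptable. The control object these lines belong to begins before the hunk.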
@@ -6791,34 +6661,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75805' do\n title 'An application firewall must be enabled on the system.'\n desc \"Firewalls protect computers from network attacks by blocking or\nlimiting access to open network ports. Application firewalls limit which\napplications are allowed to communicate over the network.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00232'\n tag \"gid\": 'V-75805'\n tag \"rid\": 'SV-90485r2_rule'\n tag \"stig_id\": 'UBTU-16-030040'\n tag \"fix_id\": 'F-82435r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by\nrunning the following command:\n\n# sudo systemctl is-enabled ufw\n\nenabled\n\nIf the above command returns the status as \\\"disabled\\\", this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator if\nanother application firewall is installed. 
If no application firewall is\ninstalled this is a finding.\"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following commands:\n\n# sudo systemctl start ufw\n\n# sudo systemctl enable ufw\n\"\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'V-75757' do\n title \"Successful/unsuccessful uses of the sudoedit command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75757'\n tag \"rid\": 'SV-90437r3_rule'\n tag \"stig_id\": 'UBTU-16-020660'\n tag \"fix_id\": 'F-82385r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"sudoedit\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in 
\\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w sudoedit /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75805.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75757.rb", "line": 3 }, - "id": "V-75805" + "id": "V-75757" }, { - "title": "The Ubuntu operating system must enforce password complexity by\nrequiring that at least one upper-case character be used.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "title": "An application firewall must be installed.", + "desc": "Uncomplicated Firewall provides a easy and effective way to\nblock/limit remote access to the system, via ports, services and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Ubuntu operating system functionality (e.g., RDP) must be capable of taking\nenforcement action if the audit reveals unauthorized activity. Automated\ncontrol of remote access sessions allows organizations to ensure ongoing\ncompliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g.,\nservers, workstations, notebook computers, smartphones, and tablets).", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", - "check": "Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n# grep -i \"ucredit\" /etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is not equal to \"-1\", or is commented out, this\nis a finding.", - "fix": "Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one upper-case character be used.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto contain the \"ucredit\" parameter:\n\nucredit=-1" + "default": "Uncomplicated Firewall provides a easy and effective way to\nblock/limit remote access to the system, via ports, services and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Ubuntu operating system functionality (e.g., RDP) must be capable of taking\nenforcement action if the audit reveals unauthorized activity. 
Automated\ncontrol of remote access sessions allows organizations to ensure ongoing\ncompliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g.,\nservers, workstations, notebook computers, smartphones, and tablets).",
+ "check": "Verify that the Uncomplicated Firewall is installed.\n\nCheck that the Uncomplicated Firewall is installed with the following command:\n\n# sudo apt list ufw\n\nii ufw 0.35-0Ubuntu2 [installed]\n\nIf the \"ufw\" package is not installed, ask the System Administrator if\nanother application firewall is installed. If no application firewall is\ninstalled this is a finding.",
+ "fix": "Install Uncomplicated Firewall with the following command:\n\n# sudo apt-get install ufw"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000069-GPOS-00037",
- "gid": "V-75449",
- "rid": "SV-90129r2_rule",
- "stig_id": "UBTU-16-010100",
- "fix_id": "F-82077r1_fix",
+ "gtitle": "SRG-OS-000297-GPOS-00115",
+ "gid": "V-75803",
+ "rid": "SV-90483r2_rule",
+ "stig_id": "UBTU-16-030030",
+ "fix_id": "F-82433r1_fix",
 "cci": [
- "CCI-000192"
+ "CCI-002314"
 ],
 "nist": [
- "IA-5 (1) (a)",
+ "AC-17 (1)",
 "Rev_4"
 ],
 "false_negatives": null,
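Review bot: The new V-75757 code verifies less than its own check text: it asserts only that a rule for `/usr/bin/sudoedit` is not `never` and carries permission `x`, so a rule missing the `-F auid>=1000 -F auid!=4294967295` filters (or any `-k` key) still passes. The `auditd` resource exposes each rule's fields, so the describe block can add `its('fields.flatten') { should include 'auid>=1000' }` and `its('fields.flatten') { should include 'auid!=4294967295' }` (auditctl may print the latter as `auid!=-1`, so accept either form if the target normalises it). `auditd.lines.index { |line| line.include?(@audit_file) }` is a substring match that would also accept a rule for a longer path; checking `auditd.file(@audit_file)` for a non-empty result is the stricter and simpler test. Finally, `@audit_file` and `@perms` are instance variables inside a control block, where plain locals suffice and avoid sharing state with other controls using the same names. The control object these lines belong to begins before the hunk.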
@@ -6832,50 +6702,75 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75449' do\n title \"The Ubuntu operating system must enforce password complexity by\nrequiring that at least one upper-case character be used.\"\n desc \"Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000069-GPOS-00037'\n tag \"gid\": 'V-75449'\n tag \"rid\": 'SV-90129r2_rule'\n tag \"stig_id\": 'UBTU-16-010100'\n tag \"fix_id\": 'F-82077r1_fix'\n tag \"cci\": ['CCI-000192']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n# grep -i \\\"ucredit\\\" /etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is not equal to \\\"-1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one upper-case character be used.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" 
file\nto contain the \\\"ucredit\\\" parameter:\n\nucredit=-1\"\n\n min_num_uppercase_char = input('min_num_uppercase_char')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp min_num_uppercase_char }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75803' do\n title 'An application firewall must be installed.'\n desc \"Uncomplicated Firewall provides a easy and effective way to\nblock/limit remote access to the system, via ports, services and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Ubuntu operating system functionality (e.g., RDP) must be capable of taking\nenforcement action if the audit reveals unauthorized activity. 
Automated\ncontrol of remote access sessions allows organizations to ensure ongoing\ncompliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g.,\nservers, workstations, notebook computers, smartphones, and tablets).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000297-GPOS-00115'\n tag \"gid\": 'V-75803'\n tag \"rid\": 'SV-90483r2_rule'\n tag \"stig_id\": 'UBTU-16-030030'\n tag \"fix_id\": 'F-82433r1_fix'\n tag \"cci\": ['CCI-002314']\n tag \"nist\": ['AC-17 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Uncomplicated Firewall is installed.\n\nCheck that the Uncomplicated Firewall is installed with the following command:\n\n# sudo apt list ufw\n\nii ufw 0.35-0Ubuntu2 [installed]\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator if\nanother application firewall is installed. 
If no application firewall is\ninstalled this is a finding.\"\n desc 'fix', \"Install Uncomplicated Firewall with the following command:\n\n# sudo apt-get install ufw\"\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75449.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75803.rb", "line": 3 }, - "id": "V-75449" + "id": "V-75803" }, { - "title": "Successful/unsuccessful uses of the fchmodat command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must enforce password complexity by\nrequiring that at least one numeric character be used.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"fchmodat\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"fchmodat\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" - }, + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "check": "Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n# grep -i \"dcredit\" /etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is not equal to \"-1\", or is commented out, this\nis a finding.", + "fix": "Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one numeric character be used.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto contain the \"dcredit\" parameter:\n\ndcredit=-1" + }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "gtitle": "SRG-OS-000071-GPOS-00039", + "gid": "V-75453", + "rid": "SV-90133r2_rule", + "stig_id": "UBTU-16-010120", + "fix_id": "F-82081r1_fix", + "cci": [ + "CCI-000194" ], - "gid": "V-75741", - "rid": "SV-90421r3_rule", - "stig_id": "UBTU-16-020580", - "fix_id": "F-82369r2_fix", + "nist": [ + "IA-5 (1) (a)", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null + }, + "code": "control 'V-75453' do\n title \"The Ubuntu operating system must enforce password complexity by\nrequiring that at least one numeric character be used.\"\n desc \"Use of a complex password helps to increase the time and resources\nrequired to compromise the 
password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000071-GPOS-00039'\n tag \"gid\": 'V-75453'\n tag \"rid\": 'SV-90133r2_rule'\n tag \"stig_id\": 'UBTU-16-010120'\n tag \"fix_id\": 'F-82081r1_fix'\n tag \"cci\": ['CCI-000194']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity\nby requiring that at least one numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n# grep -i \\\"dcredit\\\" /etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is not equal to \\\"-1\\\", or is commented out, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password\ncomplexity by requiring that at least one numeric character be used.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file\nto contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1\"\n\n min_num_numeric_char = input('min_num_numeric_char')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp min_num_numeric_char }\n end\n 
else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./Ubuntu 16.04 STIG/controls/V-75453.rb", + "line": 3 + }, + "id": "V-75453" + }, + { + "title": "Cron logging must be implemented.", + "desc": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", + "descriptions": { + "default": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", + "check": "Verify that \"rsyslog\" is configured to log cron events.\n\nCheck the configuration of \"/etc/rsyslog.d/50-default.conf\" for the cron\nfacility with the following commands:\n\nNote: If another logging package is used, substitute the utility configuration\nfile for \"/etc/rsyslog.d/50-default.conf\".\n\n# grep cron /etc/rsyslog.d/50-default.conf\n\ncron.* /var/log/cron.log\n\nIf the commands do not return a response, check for cron logging all facilities\nby inspecting the \"/etc/rsyslog.d/50-default.con\" file:\n\n# more /etc/rsyslog.conf\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities,\nthis is a finding.", + "fix": "Configure \"rsyslog\" to log all cron messages by adding or\nupdating the following line to \"/etc/rsyslog.d/50-default.conf\":\n\ncron.* /var/log/cron.log\n\nNote: The line must be added before the following entry if it exists in\n\"/etc/rsyslog.d/50-default.conf\":\n\n*.* ~ # discards everything" + }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75865", + "rid": "SV-90545r2_rule", + "stig_id": "UBTU-16-030460", + "fix_id": "F-82495r2_fix", "cci": [ - "CCI-000130", - 
"CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -6889,29 +6784,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75741' do\n title \"Successful/unsuccessful uses of the fchmodat command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75741'\n tag \"rid\": 'SV-90421r3_rule'\n tag \"stig_id\": 'UBTU-16-020580'\n tag \"fix_id\": 'F-82369r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"fchmodat\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', 
\"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"fchmodat\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fchmodat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fchmodat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75865' do\n title 'Cron logging must be implemented.'\n desc \"Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75865'\n tag \"rid\": 'SV-90545r2_rule'\n tag \"stig_id\": 'UBTU-16-030460'\n tag \"fix_id\": 'F-82495r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that \\\"rsyslog\\\" is configured to log cron events.\n\nCheck the configuration of \\\"/etc/rsyslog.d/50-default.conf\\\" for the cron\nfacility with the following commands:\n\nNote: If another logging package is used, substitute the utility configuration\nfile for 
\\\"/etc/rsyslog.d/50-default.conf\\\".\n\n# grep cron /etc/rsyslog.d/50-default.conf\n\ncron.* /var/log/cron.log\n\nIf the commands do not return a response, check for cron logging all facilities\nby inspecting the \\\"/etc/rsyslog.d/50-default.con\\\" file:\n\n# more /etc/rsyslog.conf\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf \\\"rsyslog\\\" is not logging messages for the cron facility or all facilities,\nthis is a finding.\"\n desc 'fix', \"Configure \\\"rsyslog\\\" to log all cron messages by adding or\nupdating the following line to \\\"/etc/rsyslog.d/50-default.conf\\\":\n\ncron.* /var/log/cron.log\n\nNote: The line must be added before the following entry if it exists in\n\\\"/etc/rsyslog.d/50-default.conf\\\":\n\n*.* ~ # discards everything\"\n\n describe.one do\n default_conf_output = command('grep ''^cron.*'' /etc/rsyslog.d/50-default.conf')\n describe default_conf_output do\n its('stdout') { should_not be_empty }\n end\n\n messages_output = command('grep ''^*.*'' /etc/rsyslog.conf')\n describe messages_output do\n its('stdout') { should_not be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75741.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75865.rb", "line": 3 }, - "id": "V-75741" + "id": "V-75865" }, { - "title": "The audit system must take appropriate action when audit storage is\nfull.", + "title": "The audit records must be off-loaded onto a different system or\nstorage media from the system being audited.", "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", "descriptions": { "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", - "check": "Verify the action that the 
audit system takes when the storage\nvolume becomes full.\n\nCheck the action that the audit system takes when the storage volume becomes\nfull with the following command:\n\n# sudo grep disk_full /etc/audisp/audisp-remote.conf\n\ndisk_full_action = single\n\nIf the value of the \"disk_full_action\" option is not \"syslog\", \"single\",\nor \"halt\", or the line is commented out, this is a finding.", - "fix": "Configure the audit system to take an appropriate action when the\naudit storage is full.\n\nAdd, edit or uncomment the \"disk_full_action\" option in\n\"/etc/audisp/audisp-remote.conf\". Set it to \"syslog\", \"single\" or\n\"halt\" like the below example:\n\ndisk_full_action = single" + "check": "Verify the audit system off-loads audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that the records are being off-loaded to a remote server with the\nfollowing command:\n\n# sudo grep -i remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 10.0.1.2\n\nIf \"remote_server\" is not configured, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to off-load audit records to a\ndifferent system or storage media from the system being audited.\n\nSet the \"remote_server\" option in \"/etc/audisp/audisp-remote.conf\" with the\nIP address of the log server. See the example below.\n\nremote_server = 10.0.1.2\n\nIn order for the changes to take effect, the audit daemon must be restarted.\nThe audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000479-GPOS-00224", - "gid": "V-75631", - "rid": "SV-90311r1_rule", - "stig_id": "UBTU-16-020070", - "fix_id": "F-82259r1_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "gid": "V-80965", + "rid": "SV-95677r1_rule", + "stig_id": "UBTU-16-020220", + "fix_id": "F-87825r1_fix", "cci": [ "CCI-001851" ], 
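Review bot: The V-75865 test body (L922) builds its grep commands from adjacent Ruby string literals, `command('grep ''^cron.*'' /etc/rsyslog.d/50-default.conf')`, which concatenates to `grep ^cron.* /etc/rsyslog.d/50-default.conf` with the pattern reaching the shell unquoted (it only works because the glob happens not to match). The fallback `grep ''^*.*'' /etc/rsyslog.conf` is looser still: `^*.*` matches any line beginning with `*`, including the `*.* ~ # discards everything` rule the fix text itself warns about, so the `describe.one` can pass on a host that logs no cron events at all. I would quote the patterns and anchor them to a file target, e.g. `default_conf_output = command(%q(grep -E '^cron\.\*[[:space:]]' /etc/rsyslog.d/50-default.conf))` and `messages_output = command(%q(grep -E '^\*\.\*[[:space:]]+-?/' /etc/rsyslog.conf))`. The check text's `/etc/rsyslog.d/50-default.con` spelling is inherited from the STIG, so I would leave it as-is.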
@@ -6930,34 +6825,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75631' do\n title \"The audit system must take appropriate action when audit storage is\nfull.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-75631'\n tag \"rid\": 'SV-90311r1_rule'\n tag \"stig_id\": 'UBTU-16-020070'\n tag \"fix_id\": 'F-82259r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the action that the audit system takes when the storage\nvolume becomes full.\n\nCheck the action that the audit system takes when the storage volume becomes\nfull with the following command:\n\n# sudo grep disk_full /etc/audisp/audisp-remote.conf\n\ndisk_full_action = single\n\nIf the value of the \\\"disk_full_action\\\" option is not \\\"syslog\\\", \\\"single\\\",\nor \\\"halt\\\", or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the audit system to take an appropriate action when the\naudit storage is full.\n\nAdd, edit or uncomment the \\\"disk_full_action\\\" option in\n\\\"/etc/audisp/audisp-remote.conf\\\". 
Set it to \\\"syslog\\\", \\\"single\\\" or\n\\\"halt\\\" like the below example:\n\ndisk_full_action = single\"\n\n config_file_exists = file('/etc/audisp/audisp-remote.conf').exist?\n\n if config_file_exists\n describe auditd_conf('/etc/audisp/audisp-remote.conf') do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\n else\n describe '/etc/audisp/audisp-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-80965' do\n title \"The audit records must be off-loaded onto a different system or\nstorage media from the system being audited.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000342-GPOS-00133'\n tag \"gid\": 'V-80965'\n tag \"rid\": 'SV-95677r1_rule'\n tag \"stig_id\": 'UBTU-16-020220'\n tag \"fix_id\": 'F-87825r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit system off-loads audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that the records are being off-loaded to a remote server with the\nfollowing command:\n\n# sudo grep -i remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 10.0.1.2\n\nIf \\\"remote_server\\\" is not configured, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to off-load audit records to a\ndifferent system or storage 
media from the system being audited.\n\nSet the \\\"remote_server\\\" option in \\\"/etc/audisp/audisp-remote.conf\\\" with the\nIP address of the log server. See the example below.\n\nremote_server = 10.0.1.2\n\nIn order for the changes to take effect, the audit daemon must be restarted.\nThe audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service\"\n\n config_file_exists = file('/etc/audisp/audisp-remote.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('remote_server') { should match /./ }\n end\n else\n describe '/etc/audisp/audisp-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75631.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-80965.rb", "line": 3 }, - "id": "V-75631" + "id": "V-80965" }, { - "title": "Passwords must be prohibited from reuse for a minimum of five\ngenerations.", - "desc": "Password complexity, or strength, is a measure of the effectiveness of\na password in resisting attempts at guessing and brute-force attacks. If the\ninformation system or application allows the user to consecutively reuse their\npassword when that password has exceeded its defined lifetime, the end result\nis a password that is not changed as per policy requirements.", + "title": "The file integrity tool must be configured to verify extended\nattributes.", + "desc": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.", "descriptions": { - "default": "Password complexity, or strength, is a measure of the effectiveness of\na password in resisting attempts at guessing and brute-force attacks. 
If the\ninformation system or application allows the user to consecutively reuse their\npassword when that password has exceeded its defined lifetime, the end result\nis a password that is not changed as per policy requirements.", - "check": "Verify that the Ubuntu operating system prevents passwords from\nbeing reused for a minimum of five generations by running the following command:\n\n# grep -i remember /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\nrounds=5000\n\nIf the \"remember\" parameter value is not greater than or equal to \"5\", is\ncommented out, or is not set at all this is a finding.", - "fix": "Configure the Ubuntu operating system prevents passwords from\nbeing reused for a minimum of five generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\nrounds=5000" + "default": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.", + "check": "Verify the file integrity tool is configured to verify extended\nattributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed\nwith the following command:\n\n# dpkg -l |grep aide\n\nii aide 0.16~a2.git20130520-3\nii aide-common 0.16~a2.git20130520-3\n\nIf AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a\nfinding.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the\n\"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added\nto the rule list being applied to the files and directories selection lists\nwith the following command:\n\n# egrep \"[+]?xattrs\" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+xattrs\n\nIf the \"xattrs\" rule is not being used on all selection lines in the\n\"/etc/aide.conf\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.", + "fix": "Configure the file integrity tool to check file and directory\nextended attributes.\n\nIf AIDE is installed, ensure the \"xattrs\" rule is present on all file and\ndirectory selection lists." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000077-GPOS-00045", - "gid": "V-75475", - "rid": "SV-90155r2_rule", - "stig_id": "UBTU-16-010230", - "fix_id": "F-82103r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75521", + "rid": "SV-90201r1_rule", + "stig_id": "UBTU-16-010530", + "fix_id": "F-82149r1_fix", "cci": [ - "CCI-000200" + "CCI-000366" ], "nist": [ - "IA-5 (1) (e)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
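Review bot: The V-80965 test (L925-926) only asserts `its('remote_server') { should match /./ }`, i.e. that the value is non-empty, while the control title requires records be off-loaded to a different system; a loopback or self address such as `127.0.0.1` would satisfy the test without satisfying the control. Keeping the non-empty check, I would add `its('remote_server') { should_not match(/\A(127\.|localhost\z|::1\z)/) }` so the obvious local-host misconfiguration is caught. Presumably the au-remote audisp plugin must also be enabled for `remote_server` to have any effect; neither the check text nor the test covers that, so it is worth confirming whether a sibling control handles it or a comment should note the gap.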
@@ -6971,12 +6866,12 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75475' do\n title \"Passwords must be prohibited from reuse for a minimum of five\ngenerations.\"\n desc \"Password complexity, or strength, is a measure of the effectiveness of\na password in resisting attempts at guessing and brute-force attacks. If the\ninformation system or application allows the user to consecutively reuse their\npassword when that password has exceeded its defined lifetime, the end result\nis a password that is not changed as per policy requirements.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000077-GPOS-00045'\n tag \"gid\": 'V-75475'\n tag \"rid\": 'SV-90155r2_rule'\n tag \"stig_id\": 'UBTU-16-010230'\n tag \"fix_id\": 'F-82103r2_fix'\n tag \"cci\": ['CCI-000200']\n tag \"nist\": ['IA-5 (1) (e)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system prevents passwords from\nbeing reused for a minimum of five generations by running the following command:\n\n# grep -i remember /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\nrounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater than or equal to \\\"5\\\", is\ncommented out, or is not set at all this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system prevents passwords from\nbeing reused for a minimum of five generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\nrounds=5000\"\n\n min_num_password_generations = 
input('min_num_password_generations')\n\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp min_num_password_generations }\n end\nend\n", + "code": "control 'V-75521' do\n title \"The file integrity tool must be configured to verify extended\nattributes.\"\n desc \"Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75521'\n tag \"rid\": 'SV-90201r1_rule'\n tag \"stig_id\": 'UBTU-16-010530'\n tag \"fix_id\": 'F-82149r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the file integrity tool is configured to verify extended\nattributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed\nwith the following command:\n\n# dpkg -l |grep aide\n\nii aide 0.16~a2.git20130520-3\nii aide-common 0.16~a2.git20130520-3\n\nIf AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a\nfinding.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the\n\\\"aide.conf\\\" file is under the \\\"/etc\\\" directory.\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \\\"aide.conf\\\" file to determine if the \\\"xattrs\\\" rule has been added\nto the rule list being applied to the files and directories selection lists\nwith the following command:\n\n# egrep \\\"[+]?xattrs\\\" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+xattrs\n\nIf the \\\"xattrs\\\" rule is not being used on all selection lines in the\n\\\"/etc/aide.conf\\\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.\"\n desc 'fix', \"Configure the file integrity tool to check file and directory\nextended attributes.\n\nIf AIDE is installed, ensure the \\\"xattrs\\\" rule is present on all file and\ndirectory selection lists.\"\n\n describe aide_conf.all_have_rule('xattr') do\n it { should eq true }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75475.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75521.rb", "line": 3 }, - "id": "V-75475" + "id": "V-75521" }, { "title": "The file integrity tool must notify the system administrator when\nchanges to the baseline configuration or anomalies in the operation of any\nsecurity functions are discovered.", 
@@ -7026,12 +6921,53 @@ "id": "V-75523" }, { - "title": "The audit system must be configured to audit any usage of the\nfsetxattr system call.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "The SSH daemon must not allow authentication using known hosts\nauthentication.", + "desc": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those 
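Review bot: The new InSpec body for V-75521 calls `aide_conf.all_have_rule('xattr')`, but the rule the check text and the fix require is named `xattrs` (`egrep "[+]?xattrs"`, `VarFile = OwnerMode+n+l+X+xattrs`), so unless the `aide_conf` resource normalizes rule names the control compares against a token that never appears on a selection line and fails on a correctly hardened host. Use `describe aide_conf.all_have_rule('xattrs') do`. The check text also tells the assessor to locate the config with `find / -name aide.conf`, whereas the resource presumably reads one default path; a one-line comment such as `# aide_conf reads the default aide.conf location; a relocated config is reported as a finding, not assessed` would make that gap visible to whoever triages results.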
responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"fsetxattr\" system call, by running the following\ncommand:\n\n# sudo grep -w fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"fsetxattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be 
restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "check": "Verify the SSH daemon does not allow authentication using known\nhosts authentication.\n\nTo determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run\nthe following command:\n\n# grep IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no\noutput is returned, this is a finding.", + "fix": "Configure the SSH daemon to not allow authentication using known\nhosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and\nset the value to \"yes\":\n\nIgnoreUserKnownHosts yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75841", + "rid": "SV-90521r2_rule", + "stig_id": "UBTU-16-030300", + "fix_id": "F-82471r2_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null + }, + "code": "control 'V-75841' do\n title \"The SSH daemon must not allow authentication using known hosts\nauthentication.\"\n desc \"Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75841'\n tag \"rid\": 'SV-90521r2_rule'\n tag \"stig_id\": 'UBTU-16-030300'\n tag \"fix_id\": 'F-82471r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon does not allow authentication using known\nhosts authentication.\n\nTo determine how the SSH daemon's \\\"IgnoreUserKnownHosts\\\" option is set, run\nthe following command:\n\n# grep IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \\\"no\\\", the returned line is commented out, or no\noutput is returned, this is a finding.\"\n desc 'fix', \"Configure the SSH daemon to not 
allow authentication using known\nhosts authentication.\n\nAdd the following line in \\\"/etc/ssh/sshd_config\\\", or uncomment the line and\nset the value to \\\"yes\\\":\n\nIgnoreUserKnownHosts yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\n\"\n\n describe sshd_config do\n its('IgnoreUserKnownHosts') { should cmp 'yes' }\n end\nend\n", + "source_location": { + "ref": "./Ubuntu 16.04 STIG/controls/V-75841.rb", + "line": 3 + }, + "id": "V-75841" + }, + { + "title": "Successful/unsuccessful uses of the fchmod command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"fchmod\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + 
"fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"fchmod\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], @@ -7042,16 +6978,13 @@ "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", - "SRG-OS-000458-GPOS-00203", "SRG-OS-000462-GPOS-00206", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000474-GPOS-00219" + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75721", - "rid": "SV-90401r2_rule", - "stig_id": "UBTU-16-020480", - "fix_id": "F-82349r2_fix", + "gid": "V-75739", + "rid": "SV-90419r3_rule", + "stig_id": "UBTU-16-020570", + "fix_id": "F-82367r2_fix", "cci": [ "CCI-000130", "CCI-000135", 
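Review bot: The test for V-75841 pins only `IgnoreUserKnownHosts`, which per sshd_config(5) affects host-based authentication alone, so the description's claim that it ensures remote SSH logon "will require a password" only holds when `HostbasedAuthentication` is also `no` — a setting this control never examines. If a sibling control covers `HostbasedAuthentication`, the desc should say so, e.g. append `Host-based authentication itself is governed by the HostbasedAuthentication option; this control only closes the user known_hosts path into it.`; otherwise consider adding `its('HostbasedAuthentication') { should cmp 'no' }` next to the existing expectation. The absent-option case is handled consistently: `its('IgnoreUserKnownHosts')` yields nil when the directive is missing, which fails `cmp 'yes'` and matches the "no output is returned" finding in the check text.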
@@ -7078,34 +7011,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75721' do\n title \"The audit system must be configured to audit any usage of the\nfsetxattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75721'\n tag \"rid\": 'SV-90401r2_rule'\n tag \"stig_id\": 'UBTU-16-020480'\n tag 
\"fix_id\": 'F-82349r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"fsetxattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"fsetxattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fsetxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fsetxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75739' do\n title \"Successful/unsuccessful uses of the fchmod command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75739'\n tag \"rid\": 'SV-90419r3_rule'\n tag \"stig_id\": 'UBTU-16-020570'\n tag \"fix_id\": 'F-82367r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"fchmod\\\" command occur.\n\nCheck that 
the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"fchmod\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fchmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fchmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75721.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75739.rb", "line": 3 }, - "id": "V-75721" + "id": "V-75739" }, { - "title": "The audit log files in the Ubuntu operating system must have mode 0640\nor less permissive.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. 
Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The SSH private host key files must have mode 0600 or less permissive.", + "desc": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the audit log files have a mode of \"0640\" or less\npermissive.\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \"[log_path]\" in the\nfollowing command:\n\n# sudo ls -lad [log_file] | cut -d' ' -f1\nls -lad /var/log/audit/audit.log | cut -d' ' -f1\n-rw-r-----\n\nIf the audit log file does not have a mode of \"0640\" or less permissive, this\nis a finding.", - "fix": "Configure the octal permission value of the audit log to \"0640\"\nor less permissive.\n\nUse the following command to find where the audit log files are stored on the\nsystem:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \"[log_path]\" in the\nfollowing command:\n\n# sudo chmod 0640 [log_path]" + "default": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", + "check": "Verify the SSH private host key files have mode \"0600\" or\nless permissive.\n\nCheck the mode of the private host key files under \"/etc/ssh\" file with the\nfollowing command:\n\n# ls -alL /etc/ssh/ssh_host*key\n\n-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0600\", this is\na finding.", + "fix": "Configure the mode of SSH private host key files under\n\"/etc/ssh\" to \"0600\" with the following command:\n\n#sudo chmod 0600 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-80963", - "rid": "SV-95675r1_rule", - "stig_id": "UBTU-16-020170", - "fix_id": "F-87823r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75845", + "rid": "SV-90525r2_rule", + "stig_id": "UBTU-16-030320", + "fix_id": "F-82475r2_fix", "cci": [ - "CCI-001314" + "CCI-000366" ], "nist": [ - "SI-11 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -7119,34 +7052,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-80963' do\n title \"The audit log files in the Ubuntu operating system must have mode 0640\nor less permissive.\"\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-80963'\n tag \"rid\": 'SV-95675r1_rule'\n tag \"stig_id\": 'UBTU-16-020170'\n tag \"fix_id\": 'F-87823r1_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the audit log files have a mode of \\\"0640\\\" or less\npermissive.\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \\\"[log_path]\\\" in the\nfollowing command:\n\n# sudo ls -lad [log_file] | cut -d' ' -f1\nls -lad /var/log/audit/audit.log | cut -d' ' -f1\n-rw-r-----\n\nIf the audit log file does not have 
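Review bot: The V-75739 body unconditionally requires an `arch=b32` fchmod rule in its second describe, while the check and fix text only ever mention the `arch=b64` rule, so a host remediated exactly as the fix says yields an empty set, `action.uniq` evaluates to `[]`, and the control fails. Either extend the fix text with a matching `-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_chng` line or make the b32 expectation conditional; the same shape appears in the removed fsetxattr control, so this looks inherited rather than introduced here. The test also asserts only `action` and `list`, not the `auid` filters or the `perm_chng` key, so a rule scoped to a single uid would pass — worth a `# NOTE: auid filters and key are not verified` comment if that is deliberate.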
a mode of \\\"0640\\\" or less permissive, this\nis a finding.\"\n desc 'fix', \"Configure the octal permission value of the audit log to \\\"0640\\\"\nor less permissive.\n\nUse the following command to find where the audit log files are stored on the\nsystem:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \\\"[log_path]\\\" in the\nfollowing command:\n\n# sudo chmod 0640 [log_path]\"\n\n log_file_path = auditd_conf.log_file\n if log_file_path.nil?\n describe \"auditd.conf's log_file specification\" do\n subject { log_file_path }\n it { should_not be_nil }\n end\n else\n describe file(log_file_path) do\n it { should exist }\n it { should_not be_more_permissive_than('0640') }\n end\n end\nend\n", + "code": "control 'V-75845' do\n title 'The SSH private host key files must have mode 0600 or less permissive.'\n desc \"If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75845'\n tag \"rid\": 'SV-90525r2_rule'\n tag \"stig_id\": 'UBTU-16-030320'\n tag \"fix_id\": 'F-82475r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH private host key files have mode \\\"0600\\\" or\nless permissive.\n\nCheck the mode of the private host key files under \\\"/etc/ssh\\\" file with the\nfollowing command:\n\n# ls -alL /etc/ssh/ssh_host*key\n\n-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root wheel 887 Nov 28 06:43 
ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \\\"0600\\\", this is\na finding.\"\n desc 'fix', \"Configure the mode of SSH private host key files under\n\\\"/etc/ssh\\\" to \\\"0600\\\" with the following command:\n\n#sudo chmod 0600 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n key_files = command(\"find /etc/ssh -xdev -name '*ssh_host*key' -perm /177\").stdout.split(\"\\n\")\n if !key_files.nil? && !key_files.empty?\n key_files.each do |keyfile|\n describe file(keyfile) do\n it { should_not be_executable.by('user') }\n it { should_not be_readable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_executable.by('group') }\n it { should_not be_readable.by('others') }\n it { should_not be_writable.by('others') }\n it { should_not be_executable.by('others') }\n end\n end\n else\n describe 'No files have a more permissive mode.' do\n subject { key_files.nil? || key_files.empty? }\n it { should eq true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-80963.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75845.rb", "line": 3 }, - "id": "V-80963" + "id": "V-75845" }, { - "title": "The Ubuntu operating system must allow only the Information System\nSecurity Manager (ISSM) (or individuals or roles appointed by the ISSM) to\nselect which auditable events are to be audited.", - "desc": "Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. 
Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", + "title": "The /var/log directory must be group-owned by syslog.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. 
Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", - "check": "Verify that the /etc/audit/audit.rule and\n/etc/audit/auditd.conf file have a mode of 0640 or less permissive by using the\nfollowing command:\n\n# sudo ls -la /etc/audit/audit.rules\n\n-rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n-rw-r----- 1 root root 621 Sep 22 2014 auditd.conf\n\nIf the \"/etc/audit/audit.rule\" or \"/etc/audit/auditd.conf\" file have a mode\nmore permissive than \"0640\", this is a finding.", - "fix": "Configure the /etc/audit/audit.rule and /etc/audit/auditd.conf\nfile to have a mode of 0640 with the following command:\n\n# sudo chmod 0640 /etc/audit/audit.rule\n# sudo chmod 0640 /etc/audit/audit.conf" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the \"/var/log\" directory is group-owned by syslog.\n\nCheck that the \"/var/log\" directory is group owned by syslog with the\nfollowing command:\n\n# ls -lad /var/log | cut -d' ' -f4\n\nsyslog\n\nIf \"syslog\" is not returned as a result, this is a finding.", + "fix": "Change the group of the directory \"/var/log\" to \"syslog\" by\nrunning the following command:\n\n# sudo chgrp syslog /var/log" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000063-GPOS-00032", - "gid": "V-75647", - "rid": "SV-90327r1_rule", - "stig_id": "UBTU-16-020150", - "fix_id": "F-82275r1_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-75593", + "rid": "SV-90273r2_rule", + "stig_id": "UBTU-16-010940", + "fix_id": "F-82221r2_fix", "cci": [ - "CCI-000171" + "CCI-001314" ], "nist": [ - "AU-12 b", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
@@ -7160,50 +7093,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75647' do\n title \"The Ubuntu operating system must allow only the Information System\nSecurity Manager (ISSM) (or individuals or roles appointed by the ISSM) to\nselect which auditable events are to be audited.\"\n desc \"Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000063-GPOS-00032'\n tag \"gid\": 'V-75647'\n tag \"rid\": 'SV-90327r1_rule'\n tag \"stig_id\": 'UBTU-16-020150'\n tag \"fix_id\": 'F-82275r1_fix'\n tag \"cci\": ['CCI-000171']\n tag \"nist\": ['AU-12 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the /etc/audit/audit.rule and\n/etc/audit/auditd.conf file have a mode of 0640 or less permissive by using the\nfollowing command:\n\n# sudo ls -la /etc/audit/audit.rules\n\n-rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n-rw-r----- 1 root root 621 Sep 22 2014 auditd.conf\n\nIf the \\\"/etc/audit/audit.rule\\\" or \\\"/etc/audit/auditd.conf\\\" file have a mode\nmore permissive than \\\"0640\\\", this is a finding.\"\n desc 'fix', \"Configure the /etc/audit/audit.rule and /etc/audit/auditd.conf\nfile to have a mode of 0640 with the following command:\n\n# sudo chmod 0640 /etc/audit/audit.rule\n# sudo chmod 0640 
/etc/audit/audit.conf\"\n\n describe file('/etc/audit/audit.rules') do\n it { should_not be_more_permissive_than('0640') }\n end\n describe file('/etc/audit/auditd.conf') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", + "code": "control 'V-75593' do\n title 'The /var/log directory must be group-owned by syslog.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75593'\n tag \"rid\": 'SV-90273r2_rule'\n tag \"stig_id\": 'UBTU-16-010940'\n tag \"fix_id\": 'F-82221r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the \\\"/var/log\\\" directory is group-owned by syslog.\n\nCheck that the \\\"/var/log\\\" directory is group owned by syslog with the\nfollowing command:\n\n# ls -lad /var/log | cut -d' ' -f4\n\nsyslog\n\nIf \\\"syslog\\\" is not returned as a result, this is a finding.\"\n desc 'fix', \"Change the group of the directory \\\"/var/log\\\" to \\\"syslog\\\" 
by\nrunning the following command:\n\n# sudo chgrp syslog /var/log \"\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75647.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75593.rb", "line": 3 }, - "id": "V-75647" + "id": "V-75593" }, { - "title": "Successful/unsuccessful uses of the fchown command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "Network interfaces must not be in promiscuous mode.", + "desc": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow then to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"fchown\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"fchown\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow then to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", + "check": "Verify network interfaces are not in promiscuous mode unless\napproved by the Information System Security Officer (ISSO) and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use\nhas not been approved by the ISSO and documented, this is a finding.", + "fix": "Configure network interfaces to turn off promiscuous mode unless\napproved by the Information System Security Officer (ISSO) and documented.\n\nSet the promiscuous mode of an interface to \"off\" with the following command:\n\n# sudo ip link set dev promisc off" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75731", - "rid": "SV-90411r3_rule", - "stig_id": "UBTU-16-020530", - "fix_id": "F-82359r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75889", + "rid": "SV-90569r2_rule", + "stig_id": "UBTU-16-030610", + "fix_id": "F-82519r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
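Review bot: The V-75889 fix text in `descriptions.fix` on this line gives `# sudo ip link set dev promisc off`, which lacks the interface argument — the runnable form is `# sudo ip link set dev IFACE promisc off` with the interface name substituted — so the command as written errors out instead of disabling anything; the identical string is repeated in the `code` field's `desc 'fix'` in the next hunk. This looks carried over verbatim from the STIG text, so it may be out of scope for this commit, but the profile's fix guidance should at least be executable. Separately, the V-75593 `desc 'fix'` string ends with `/var/log \"` — a trailing space that the corresponding `descriptions.fix` value does not have; the two copies of the same text should agree byte for byte.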
@@ -7217,34 +7134,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75731' do\n title \"Successful/unsuccessful uses of the fchown command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75731'\n tag \"rid\": 'SV-90411r3_rule'\n tag \"stig_id\": 'UBTU-16-020530'\n tag \"fix_id\": 'F-82359r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"fchown\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', 
\"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"fchown\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fchown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fchown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75889' do\n title 'Network interfaces must not be in promiscuous mode.'\n desc \"Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow then to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75889'\n tag \"rid\": 'SV-90569r2_rule'\n tag \"stig_id\": 'UBTU-16-030610'\n tag \"fix_id\": 'F-82519r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify network interfaces are not in promiscuous mode unless\napproved by the Information System Security Officer (ISSO) and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use\nhas not been approved by the ISSO and documented, this is a finding.\"\n desc 'fix', \"Configure network interfaces to turn off promiscuous mode unless\napproved by the Information System Security Officer (ISSO) and documented.\n\nSet the promiscuous mode of an interface to \\\"off\\\" with the following command:\n\n# sudo ip link set dev promisc off\"\n\n describe command('ip link | grep -i promisc').stdout.strip do\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75731.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75889.rb", "line": 3 }, - "id": "V-75731" + "id": "V-75889" }, { - "title": "The audit event multiplexor must be configured to off-load 
audit logs\nonto a different system or storage media from the system being audited.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "title": "All local interactive user accounts, upon creation, must be assigned a\nhome directory.", + "desc": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", - "check": "Verify the audit event multiplexor is configured to off-load\naudit records to a different system or storage media from the system being\naudited.\n\nCheck that the records are being off-loaded to a remote server with the\nfollowing command:\n\n# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf \"active\" is not set to \"yes\", or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit event multiplexor to off-load audit records\nto a different system or storage media from the system being audited.\n\nSet the \"active\" option in \"/etc/audisp/plugins.d/au-remote.conf\" to\n\"yes\":\n\nactive = yes\n\nIn order for the changes to take effect, the audit daemon must be restarted.\nThe audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service" + "default": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "check": "Verify all local interactive users on the Ubuntu operating\nsystem are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories 
for local\ninteractive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is\nmissing, or the line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to assign home directories\nto all new local interactive users by setting the \"CREATE_HOME\" parameter in\n\"/etc/login.defs\" to \"yes\" as follows.\n\nCREATE_HOME yes" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000479-GPOS-00224", - "gid": "V-75659", - "rid": "SV-90339r2_rule", - "stig_id": "UBTU-16-020210", - "fix_id": "F-82287r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75561", + "rid": "SV-90241r1_rule", + "stig_id": "UBTU-16-010730", + "fix_id": "F-82189r1_fix", "cci": [ - "CCI-001851" + "CCI-000366" ], "nist": [ - "AU-4 (1)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
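Review bot: The V-75889 test in the `code` field (`describe command('ip link | grep -i promisc').stdout.strip do it { should be_empty } end`) fails on any interface carrying the PROMISC flag, while the control's own check and fix text treat interfaces whose promiscuous mode the ISSO has approved and documented as compliant, so the profile has no way to express that exception. V-75625 later in this same diff already takes site-specific data through `input('security_accounts')`, and the same pattern fits here: declare an input holding the approved interface names (empty by default), collect the names of the interfaces whose `ip link` line carries `PROMISC`, and assert that the difference between the two lists is empty, which keeps the current behaviour when nothing is approved. Relying only on `stdout` and ignoring grep's exit status is fine in this case, since a non-match correctly yields empty output.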
@@ -7258,34 +7175,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75659' do\n title \"The audit event multiplexor must be configured to off-load audit logs\nonto a different system or storage media from the system being audited.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-75659'\n tag \"rid\": 'SV-90339r2_rule'\n tag \"stig_id\": 'UBTU-16-020210'\n tag \"fix_id\": 'F-82287r2_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit event multiplexor is configured to off-load\naudit records to a different system or storage media from the system being\naudited.\n\nCheck that the records are being off-loaded to a remote server with the\nfollowing command:\n\n# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf \\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit event multiplexor to off-load audit records\nto a different system or storage media from the system being audited.\n\nSet the \\\"active\\\" option in \\\"/etc/audisp/plugins.d/au-remote.conf\\\" to\n\\\"yes\\\":\n\nactive = yes\n\nIn order for the changes to take effect, the audit daemon must be restarted.\nThe audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service\"\n\n config_file_exists = 
file('/etc/audisp/plugins.d/au-remote.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/audisp/plugins.d/au-remote.conf') do\n its('active') { should cmp 'yes' }\n end\n else\n describe '/etc/audisp/plugins.d/au-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75561' do\n title \"All local interactive user accounts, upon creation, must be assigned a\nhome directory.\"\n desc \"If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75561'\n tag \"rid\": 'SV-90241r1_rule'\n tag \"stig_id\": 'UBTU-16-010730'\n tag \"fix_id\": 'F-82189r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all local interactive users on the Ubuntu operating\nsystem are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local\ninteractive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for \\\"CREATE_HOME\\\" parameter is not set to \\\"yes\\\", the line is\nmissing, or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to assign home directories\nto all new local interactive users by setting the \\\"CREATE_HOME\\\" parameter in\n\\\"/etc/login.defs\\\" to \\\"yes\\\" as follows.\n\nCREATE_HOME yes\"\n\n describe login_defs do\n its('CREATE_HOME') { should match /yes/ }\n end\nend\n", 
"source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75659.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75561.rb", "line": 3 }, - "id": "V-75659" + "id": "V-75561" }, { - "title": "Pluggable Authentication Module (PAM) must prohibit the use of cached\nauthentications after one day.", - "desc": "If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.", + "title": "The System Administrator (SA) and Information System Security Officer\n(ISSO) (at a minimum) must be alerted of an audit processing failure event.", + "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", "descriptions": { - "default": "If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.", - "check": "Verify that Pluggable Authentication Module (PAM) prohibits the\nuse of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is\nNot Applicable.\n\nCheck that PAM prohibits the use of cached authentications after one day with\nthe following command:\n\n# sudo grep -i \"timestamp_timeout\" /etc/pam.d/*\n\ntimestamp_timeout=86400\n\nIf \"timestamp_timeout\" is not set to a value of \"86400\" or less, or is\ncommented out, this is a 
finding.", - "fix": "Configure Pluggable Authentication Module (PAM) to prohibit the\nuse of cached authentications after one day.\n\nAdd or change the following line in \"/etc/pam.d/common-auth\" or\n\"/etc/pam.d/common-session\" just below the line \"[pam]\".\n\ntimestamp_timeout = 86400" + "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "check": "Verify that the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) are notified in the event of an\naudit processing failure.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum)\nin the event of an audit processing failure with the following command:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\naction_mail_acct = root\n\nIf the value of the \"action_mail_acct\" keyword is not set to \"root\" and/or\nother accounts for security personnel, the \"action_mail_acct\" keyword is\nmissing, or the retuned line is commented out, this is a finding.", + "fix": "Configure \"auditd\" service to notify the System Administrator\n(SA) and Information System Security Officer (ISSO) in the event of an audit\nprocessing failure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure that\nadministrators are notified via email for those situations:\n\naction_mail_acct = 
root" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000383-GPOS-00166", - "gid": "V-75553", - "rid": "SV-90233r2_rule", - "stig_id": "UBTU-16-010690", - "fix_id": "F-82181r2_fix", + "gtitle": "SRG-OS-000046-GPOS-00022", + "gid": "V-75625", + "rid": "SV-90305r2_rule", + "stig_id": "UBTU-16-020040", + "fix_id": "F-82253r1_fix", "cci": [ - "CCI-002007" + "CCI-000139" ], "nist": [ - "IA-5 (13)", + "AU-5 a", "Rev_4" ], "false_negatives": null, 
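Review bot: The V-75561 test `its('CREATE_HOME') { should match /yes/ }` is an unanchored, case-sensitive substring match, whereas the check text requires the value to be `yes`; `its('CREATE_HOME') { should cmp 'yes' }` states the expected value directly and follows the `cmp` style the neighbouring controls in this diff already use (`its('group') { should cmp 'syslog' }`). A missing `CREATE_HOME` key still fails under either matcher, which is the outcome the "line is missing" wording of the check calls for. Also, the V-75625 check text on this line runs `#sudo grep space_left_action /etc/audit/auditd.conf` but shows `action_mail_acct = root` as the expected output; the keyword in that grep should be `action_mail_acct`, and the same text is repeated in the `code` field's `desc 'check'` in the next hunk.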
@@ -7299,43 +7216,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75553' do\n title \"Pluggable Authentication Module (PAM) must prohibit the use of cached\nauthentications after one day.\"\n desc \"If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000383-GPOS-00166'\n tag \"gid\": 'V-75553'\n tag \"rid\": 'SV-90233r2_rule'\n tag \"stig_id\": 'UBTU-16-010690'\n tag \"fix_id\": 'F-82181r2_fix'\n tag \"cci\": ['CCI-002007']\n tag \"nist\": ['IA-5 (13)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Pluggable Authentication Module (PAM) prohibits the\nuse of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is\nNot Applicable.\n\nCheck that PAM prohibits the use of cached authentications after one day with\nthe following command:\n\n# sudo grep -i \\\"timestamp_timeout\\\" /etc/pam.d/*\n\ntimestamp_timeout=86400\n\nIf \\\"timestamp_timeout\\\" is not set to a value of \\\"86400\\\" or less, or is\ncommented out, this is a finding.\"\n desc 'fix', \"Configure Pluggable Authentication Module (PAM) to prohibit the\nuse of cached authentications after one day.\n\nAdd or change the following line in \\\"/etc/pam.d/common-auth\\\" or\n\\\"/etc/pam.d/common-session\\\" just below the line \\\"[pam]\\\".\n\ntimestamp_timeout = 86400\"\n\n describe.one do\n describe parse_config_file('/etc/pam.d/common-auth') do\n its('timestamp_timeout') { should be <= '86400' }\n end\n\n describe parse_config_file('/etc/pam.d/common-session') do\n its('timestamp_timeout') { 
should be <= '86400' }\n end\n end\nend\n", + "code": "control 'V-75625' do\n title \"The System Administrator (SA) and Information System Security Officer\n(ISSO) (at a minimum) must be alerted of an audit processing failure event.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000046-GPOS-00022'\n tag \"gid\": 'V-75625'\n tag \"rid\": 'SV-90305r2_rule'\n tag \"stig_id\": 'UBTU-16-020040'\n tag \"fix_id\": 'F-82253r1_fix'\n tag \"cci\": ['CCI-000139']\n tag \"nist\": ['AU-5 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) are notified in the event of an\naudit processing failure.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum)\nin the event of an audit processing failure with the following command:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\naction_mail_acct = root\n\nIf the value of the 
\\\"action_mail_acct\\\" keyword is not set to \\\"root\\\" and/or\nother accounts for security personnel, the \\\"action_mail_acct\\\" keyword is\nmissing, or the retuned line is commented out, this is a finding.\"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the System Administrator\n(SA) and Information System Security Officer (ISSO) in the event of an audit\nprocessing failure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure that\nadministrators are notified via email for those situations:\n\naction_mail_acct = root\"\n\n security_accounts = input('security_accounts').join('|')\n space_left_action = auditd_conf.space_left_action\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts.include?(space_left_action) }\n it { should be true }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75553.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75625.rb", "line": 3 }, - "id": "V-75553" + "id": "V-75625" }, { - "title": "Audit log directory must be group-owned by root to prevent\nunauthorized read access.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "title": "The Ubuntu operating system must implement certificate status checking\nfor multifactor authentication.", + "desc": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, 
for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", - "check": "Verify the audit log directory is group-owned by \"root\" to\nprevent unauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex:\n\"/var/log/audit/\"). 
Run the following command with the correct audit log\ndirectory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not group-owned by \"root\", this is a finding.", - "fix": "Configure the audit log to be protected from unauthorized read\naccess, by setting the correct group-owner as \"root\" with the following\ncommand:\n\n# sudo chgrp root [audit_log_directory]\n\nReplace \"[audit_log_directory]\" with the correct audit log directory path, by\ndefault this location is usually \"/var/log/audit\"." + "default": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", + "check": "Verify the Ubuntu operating system implements certificate\nstatus checking for multifactor authentication.\n\nCheck that certificate status checking for multifactor authentication is\nimplemented with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ocsp_on\", has a value of \"none\", or the\nline is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to certificate status\nchecking for multifactor authentication.\n\nModify all of the cert_policy lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to\ninclude \"ocsp_on\"." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000057-GPOS-00027", + "gtitle": "SRG-OS-000375-GPOS-00160", "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" + "SRG-OS-000375-GPOS-00160", + "SRG-OS-000375-GPOS-00161", + "SRG-OS-000375-GPOS-00162" ], - "gid": "V-75645", - "rid": "SV-90325r2_rule", - "stig_id": "UBTU-16-020140", - "fix_id": "F-82273r2_fix", + "gid": "V-75907", + "rid": "SV-90587r2_rule", + "stig_id": "UBTU-16-030820", + "fix_id": "F-82537r2_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-001948", + "CCI-001953", + "CCI-001954" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "IA-2 (11)", + "IA-2 (12)", + "IA-2 (12)", "Rev_4" ], "false_negatives": null, 
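Review bot: The V-75625 test in the `code` field reads `auditd_conf.space_left_action` and checks whether the `|`-joined `security_accounts` string contains it, but the control — and its own expected output `action_mail_acct = root` — is about `action_mail_acct`; `space_left_action` holds an action keyword such as `email` or `syslog`, so a compliant system fails and, because `include?` on the joined string is a substring search, a one-character value could pass by coincidence. Change the two assignments to `security_accounts = input('security_accounts')` and `action_mail_acct = auditd_conf.action_mail_acct`, and make the subject `security_accounts.include?(action_mail_acct)` so the comparison is list membership rather than a substring match; this assumes `security_accounts` is declared as a list, which the existing `.join('|')` suggests. The `desc 'check'` string in this hunk repeats the `grep space_left_action` wording already noted on the previous hunk.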
@@ -7349,34 +7266,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75645' do\n title \"Audit log directory must be group-owned by root to prevent\nunauthorized read access.\"\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029]\n tag \"gid\": 'V-75645'\n tag \"rid\": 'SV-90325r2_rule'\n tag \"stig_id\": 'UBTU-16-020140'\n tag \"fix_id\": 'F-82273r2_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit log directory is group-owned by \\\"root\\\" to\nprevent unauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex:\n\\\"/var/log/audit/\\\"). 
Run the following command with the correct audit log\ndirectory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not group-owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit log to be protected from unauthorized read\naccess, by setting the correct group-owner as \\\"root\\\" with the following\ncommand:\n\n# sudo chgrp root [audit_log_directory]\n\nReplace \\\"[audit_log_directory]\\\" with the correct audit log directory path, by\ndefault this location is usually \\\"/var/log/audit\\\".\"\n\n log_file_dir = input('log_file_dir')\n\n describe directory(log_file_dir) do\n its('group') { should cmp 'root' }\n end\nend\n", + "code": "control 'V-75907' do\n title \"The Ubuntu operating system must implement certificate status checking\nfor multifactor authentication.\"\n desc \"Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000375-GPOS-00160'\n tag \"satisfies\": %w[SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161\n SRG-OS-000375-GPOS-00162]\n tag \"gid\": 'V-75907'\n tag \"rid\": 'SV-90587r2_rule'\n tag \"stig_id\": 'UBTU-16-030820'\n tag \"fix_id\": 'F-82537r2_fix'\n tag \"cci\": %w[CCI-001948 CCI-001953 CCI-001954]\n tag \"nist\": ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system implements certificate\nstatus checking for multifactor authentication.\n\nCheck that certificate status checking for multifactor authentication is\nimplemented with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ocsp_on\\\", has a value of \\\"none\\\", or the\nline is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to certificate status\nchecking for multifactor authentication.\n\nModify all of the cert_policy lines in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to\ninclude \\\"ocsp_on\\\".\"\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n\n if config_file_exists\n describe 
parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75645.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75907.rb", "line": 3 }, - "id": "V-75645" + "id": "V-75907" }, { - "title": "All local interactive user initialization files executable search\npaths must contain only paths that resolve to the system default or the users\nhome directory.", - "desc": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory executables in these\ndirectories may be executed instead of system commands. This variable is\nformatted as a colon-separated list of directories. If there is an empty entry,\nsuch as a leading or trailing colon or two consecutive colons, this is\ninterpreted as the current working directory. If deviations from the default\nsystem search path for the local interactive user are required, they must be\ndocumented with the Information System Security Officer (ISSO).", + "title": "Successful/unsuccessful uses of the truncate command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. 
If\nthis path includes the current working directory executables in these\ndirectories may be executed instead of system commands. This variable is\nformatted as a colon-separated list of directories. If there is an empty entry,\nsuch as a leading or trailing colon or two consecutive colons, this is\ninterpreted as the current working directory. If deviations from the default\nsystem search path for the local interactive user are required, they must be\ndocumented with the Information System Security Officer (ISSO).", - "check": "Verify that all local interactive user initialization files'\nexecutable search path statements do not contain statements that will reference\na working directory other than the users’ home directory or the system default.\n\nCheck the executable search path statement for all local interactive user\ninitialization files in the users' home directory with the following commands:\n\nNote: The example will be for the smithj user, which has a home directory of\n\"/home/smithj\".\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path\nstatements that include directories outside of their home directory, and the\nadditional path statements are not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Edit the local interactive user initialization files to change\nany PATH variable statements for executables that reference directories other\nthan their home directory or the system default. If a local interactive user\nrequires path variables to reference a directory owned by the application, it\nmust be documented with the Information System Security Officer (ISSO)." 
+ "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"truncate\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"truncate\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75571", - "rid": "SV-90251r1_rule", - "stig_id": "UBTU-16-010780", - "fix_id": "F-82199r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75745", + "rid": "SV-90425r3_rule", + "stig_id": "UBTU-16-020600", + "fix_id": "F-82373r2_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
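Review bot: The new `its('cert_policy') { should include 'ocsp_on' }` assertion in the V-75907 code evaluates a single value, while the fix text in the same hunk requires every `cert_policy` line in `/etc/pam_pkcs11/pam_pkcs11.conf` to carry `ocsp_on`; with `parse_config_file`'s default options a repeated key keeps only one of its values (the last one, as far as I recall), so a file whose other `cert_policy` lines still say `none` can pass. Parsing with `parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf', multiple_values: true)` and asserting `its('cert_policy') { should all(include('ocsp_on')) }` covers every line, which is what the check text in this hunk describes. Since this JSON appears to be generated from `./Ubuntu 16.04 STIG/controls/V-75907.rb` (the `source_location` ref in the hunk), the correction belongs in that source file and should then be re-exported here rather than edited in the JSON directly.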
@@ -7390,34 +7323,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75571' do\n title \"All local interactive user initialization files executable search\npaths must contain only paths that resolve to the system default or the users\nhome directory.\"\n desc \"The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory executables in these\ndirectories may be executed instead of system commands. This variable is\nformatted as a colon-separated list of directories. If there is an empty entry,\nsuch as a leading or trailing colon or two consecutive colons, this is\ninterpreted as the current working directory. If deviations from the default\nsystem search path for the local interactive user are required, they must be\ndocumented with the Information System Security Officer (ISSO).\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75571'\n tag \"rid\": 'SV-90251r1_rule'\n tag \"stig_id\": 'UBTU-16-010780'\n tag \"fix_id\": 'F-82199r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all local interactive user initialization files'\nexecutable search path statements do not contain statements that will reference\na working directory other than the users’ home directory or the system default.\n\nCheck the executable search path statement for all local interactive user\ninitialization files in the users' home directory with the following commands:\n\nNote: The example will be for the smithj user, which has a home 
directory of\n\\\"/home/smithj\\\".\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path\nstatements that include directories outside of their home directory, and the\nadditional path statements are not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement, this is a finding.\"\n desc 'fix', \"Edit the local interactive user initialization files to change\nany PATH variable statements for executables that reference directories other\nthan their home directory or the system default. If a local interactive user\nrequires path variables to reference a directory owned by the application, it\nmust be documented with the Information System Security Officer (ISSO).\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n grep_results = command(\"grep -i path --exclude=\\\".bash_history\\\" #{user_info.home}/.*\").stdout.split('\\\\n')\n grep_results.each do |result|\n result.slice! 'PATH='\n result += ' ' if result[-1] == ':'\n result.slice! '$PATH:'\n result.slice! \"$PATH\\\"\\n\"\n result.gsub! '$HOME', user_info.home.to_s\n result.gsub! '~', user_info.home.to_s\n line_arr = result.split(':')\n line_arr.delete_at(0)\n line_arr.each do |line|\n line.slice! 
'\"'\n next unless !line.start_with?('export') && !line.start_with?('#')\n\n if line.strip.empty?\n curr_work_dir = command('pwd').stdout.gsub(\"\\n\", '')\n line = curr_work_dir if curr_work_dir.start_with?(user_info.home.to_s)\n end\n findings.add(line) unless line.start_with?(user_info.home)\n end\n end\n end\n describe 'Initialization files that include executable search paths that include directories outside their home directories' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", + "code": "control 'V-75745' do\n title \"Successful/unsuccessful uses of the truncate command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75745'\n tag \"rid\": 'SV-90425r3_rule'\n tag \"stig_id\": 'UBTU-16-020600'\n tag \"fix_id\": 'F-82373r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to 
use the \\\"truncate\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"truncate\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('truncate').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('truncate').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('truncate').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('truncate').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75571.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75745.rb", "line": 3 }, - "id": "V-75571" + "id": "V-75745" }, { - "title": "Kernel core dumps must be disabled unless needed.", - "desc": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.", + "title": "All users must be able to directly initiate a session lock for all\nconnection types.", + "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, Ubuntu operating systems need to provide users\nwith the ability to manually invoke a session lock so users may secure their\nsession should the need arise for them to temporarily vacate the immediate\nphysical vicinity.", "descriptions": { - "default": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.", - "check": "Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the \"kdump\" service with the following command:\n\n# systemctl status kdump.service\nLoaded: not-found (Reason: No such file or directory)\nActive: inactive (dead)\n\nIf the \"kdump\" service is active, ask the System Administrator if the use of\nthe service is required and documented with the Information System Security\nOfficer (ISSO).\n\nIf the service is active and is not documented, this is a finding.", - "fix": "If kernel core dumps are not required, disable the \"kdump\"\nservice with the following command:\n\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the Information\nSystem Security Officer (ISSO)." + "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, Ubuntu operating systems need to provide users\nwith the ability to manually invoke a session lock so users may secure their\nsession should the need arise for them to temporarily vacate the immediate\nphysical vicinity.", + "check": "Verify the Ubuntu operating system has the 'vlock' package\ninstalled, by running the following command:\n\n# dpkg -l | grep vlock\n\nvlock_2.2.2-7\n\nIf \"vlock\" is not installed, this is a finding.", + "fix": "Install the \"vlock\" (if it is not already installed) package by\nrunning the following command:\n\n# sudo apt-get install vlock" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75585", - "rid": "SV-90265r1_rule", - "stig_id": "UBTU-16-010900", - "fix_id": "F-82213r1_fix", + "gtitle": "SRG-OS-000028-GPOS-00009", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000030-GPOS-00011", + "SRG-OS-000031-GPOS-00012" + ], + "gid": "V-75439", + "rid": "SV-90119r2_rule", + "stig_id": "UBTU-16-010050", + "fix_id": "F-82067r1_fix", "cci": [ - "CCI-000366" + "CCI-000056", + "CCI-000058", + "CCI-000060" ], "nist": [ - "CM-6 b", + "AC-11 b", + "AC-11 a", + "AC-11 (1)", "Rev_4" ], "false_negatives": null, 
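Review bot: The four `describe auditd.syscall('truncate')` blocks in the V-75745 code are pairwise identical apart from the expected `exit` value; because `exit.uniq` already aggregates every matching rule, the `-EPERM` and `-EACCES` expectations can live in one block per architecture, e.g. `describe auditd.syscall('truncate').where { arch == 'b64' } do` followed by `its('exit.uniq') { should include '-EPERM' }` and `its('exit.uniq') { should include '-EACCES' }`. None of the blocks asserts the `auid>=1000 -F auid!=4294967295` filters or the `-k perm_access` key that the check text in this hunk requires, so a rule missing the auid filters or the key still passes; whether the `auditd` resource exposes these in a form worth asserting on (its `fields` and `key` accessors) should be confirmed before adding that. The b32 expectations run unconditionally while the b64 ones are gated on `os.arch == 'x86_64'`, which reads as intended for a 64-bit host with 32-bit compat syscalls but deserves a one-line comment such as `# b32 rules are required on every arch; b64 rules only exist on x86_64` so the asymmetry is not mistaken for an oversight. As with the sibling control, the source of truth appears to be `./Ubuntu 16.04 STIG/controls/V-75745.rb`, so the change should be made there and re-exported.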
@@ -7431,34 +7373,53 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75585' do\n title 'Kernel core dumps must be disabled unless needed.'\n desc \"Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75585'\n tag \"rid\": 'SV-90265r1_rule'\n tag \"stig_id\": 'UBTU-16-010900'\n tag \"fix_id\": 'F-82213r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the \\\"kdump\\\" service with the following command:\n\n# systemctl status kdump.service\nLoaded: not-found (Reason: No such file or directory)\nActive: inactive (dead)\n\nIf the \\\"kdump\\\" service is active, ask the System Administrator if the use of\nthe service is required and documented with the Information System Security\nOfficer (ISSO).\n\nIf the service is active and is not documented, this is a finding.\"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\"\nservice with the following command:\n\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the Information\nSystem Security Officer (ISSO).\"\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n 
else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n", + "code": "control 'V-75439' do\n title \"All users must be able to directly initiate a session lock for all\nconnection types.\"\n desc \"A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, Ubuntu operating systems need to provide users\nwith the ability to manually invoke a session lock so users may secure their\nsession should the need arise for them to temporarily vacate the immediate\nphysical vicinity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000028-GPOS-00009'\n tag \"satisfies\": %w[SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011\n SRG-OS-000031-GPOS-00012]\n tag \"gid\": 'V-75439'\n tag \"rid\": 'SV-90119r2_rule'\n tag \"stig_id\": 'UBTU-16-010050'\n tag \"fix_id\": 'F-82067r1_fix'\n tag \"cci\": %w[CCI-000056 CCI-000058 CCI-000060]\n tag \"nist\": ['AC-11 b', 'AC-11 a', 'AC-11 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system has the 'vlock' package\ninstalled, by running the following command:\n\n# dpkg -l | grep vlock\n\nvlock_2.2.2-7\n\nIf \\\"vlock\\\" is not installed, this is a finding.\"\n desc 'fix', \"Install the \\\"vlock\\\" (if it is not already installed) package by\nrunning the following 
command:\n\n# sudo apt-get install vlock\"\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75585.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75439.rb", "line": 3 }, - "id": "V-75585" + "id": "V-75439" }, { - "title": "Passwords must have a minimum of 15-characters.", - "desc": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nexponentially increase the time and/or resources required to compromise the\npassword.", + "title": "The audit system must be configured to audit any usage of the\nfsetxattr system call.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. 
Use of more characters in a password helps to\nexponentially increase the time and/or resources required to compromise the\npassword.", - "check": "Verify that the Ubuntu operating system enforces a minimum\n\"15\" character password length, by running the following command:\n\n# grep -i minlen /etc/security/pwquality.conf\n minlen=15\n\nIf \"minlen\" parameter value is not \"15\" or higher, or is commented out,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to enforce a minimum\n15-character password length.\n\nAdd, or modify the \"minlen\" parameter value to the following line in\n\"/etc/security/pwquality.conf\" file:\n\nminlen=15" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"fsetxattr\" system call, by running the following\ncommand:\n\n# sudo grep -w fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"fsetxattr\" system call, by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000078-GPOS-00046", - "gid": "V-75477", - "rid": "SV-90157r2_rule", - "stig_id": "UBTU-16-010240", - "fix_id": "F-82105r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000474-GPOS-00219" + ], + "gid": "V-75721", + "rid": "SV-90401r2_rule", + "stig_id": "UBTU-16-020480", + "fix_id": "F-82349r2_fix", "cci": [ - "CCI-000205" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "IA-5 (1) (a)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
@@ -7472,34 +7433,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75477' do\n title 'Passwords must have a minimum of 15-characters.'\n desc \"The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nexponentially increase the time and/or resources required to compromise the\npassword.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000078-GPOS-00046'\n tag \"gid\": 'V-75477'\n tag \"rid\": 'SV-90157r2_rule'\n tag \"stig_id\": 'UBTU-16-010240'\n tag \"fix_id\": 'F-82105r1_fix'\n tag \"cci\": ['CCI-000205']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system enforces a minimum\n\\\"15\\\" character password length, by running the following command:\n\n# grep -i minlen /etc/security/pwquality.conf\n minlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or higher, or is commented out,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum\n15-character password length.\n\nAdd, or modify the \\\"minlen\\\" parameter value to the following line in\n\\\"/etc/security/pwquality.conf\\\" file:\n\nminlen=15\"\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe 
parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75721' do\n title \"The audit system must be configured to audit any usage of the\nfsetxattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n 
SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75721'\n tag \"rid\": 'SV-90401r2_rule'\n tag \"stig_id\": 'UBTU-16-020480'\n tag \"fix_id\": 'F-82349r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"fsetxattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"fsetxattr\\\" system call, by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fsetxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fsetxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75477.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75721.rb", "line": 3 }, - "id": "V-75477" + "id": "V-75721" }, { - "title": "The system must use a DoD-approved virus scan program.", - "desc": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to perform scans\ndynamically on accessed files. If this capability is not available, the system\nmust be configured to scan, at a minimum, all altered files on the system on a\ndaily basis.\n\n If the system processes inbound SMTP mail, the virus scanner must be\nconfigured to scan all received mail.", + "title": "A File Transfer Protocol (FTP) server package must not be installed\nunless needed.", + "desc": "The FTP service provides an unencrypted remote access that does not\nprovide for the confidentiality and integrity of user passwords or the remote\nsession. If a privileged user were to log on using this service, the privileged\nuser password could be compromised. SSH or other encrypted file transfer\nmethods must be used in place of this service.", "descriptions": { - "default": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to perform scans\ndynamically on accessed files. 
If this capability is not available, the system\nmust be configured to scan, at a minimum, all altered files on the system on a\ndaily basis.\n\n If the system processes inbound SMTP mail, the virus scanner must be\nconfigured to scan all received mail.", - "check": "Verify the system is using a DoD-approved virus scan program.\n\n\nCheck for the presence of \"McAfee VirusScan Enterprise for Linux\" with the\nfollowing command:\n\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux\n\n> Loaded: loaded\n/opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.;\nenabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\n\nIf the \"nails\" service is not active, check for the presence of \"clamav\" on\nthe system with the following command:\n\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\n\nIf neither of these applications are loaded and active, ask the System\nAdministrator if there is an antivirus package installed and active on the\nsystem.\n\n\nIf no antivirus scan program is active on the system, this is a finding.", - "fix": "Install an approved DoD antivirus solution on the system." + "default": "The FTP service provides an unencrypted remote access that does not\nprovide for the confidentiality and integrity of user passwords or the remote\nsession. If a privileged user were to log on using this service, the privileged\nuser password could be compromised. 
SSH or other encrypted file transfer\nmethods must be used in place of this service.", + "check": "Verify a File Transfer Protocol (FTP) server has not been\ninstalled on the system.\n\nCheck to see if a FTP server has been installed with the following commands:\n\n# dpkg -l | grep vsftpd\nii vsftpd 3.0.3-3Ubuntu2\n\nIf \"vsftpd\" is installed and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement, this is a finding.", + "fix": "Document the \"vsftpd\" package with the Information System\nSecurity Officer (ISSO) as an operational requirement or remove it from the\nsystem with the following command:\n\n# sudo apt-get remove vsftpd" }, "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-78005", - "rid": "SV-92701r1_rule", - "stig_id": "UBTU-16-030900", - "fix_id": "F-84715r1_fix", + "gid": "V-75895", + "rid": "SV-90575r1_rule", + "stig_id": "UBTU-16-030710", + "fix_id": "F-82525r1_fix", "cci": [ - "CCI-001668" + "CCI-000366" ], "nist": [ - "SI-3 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
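Review bot: In the new V-75721 `code` string the final `describe auditd.syscall('fsetxattr').where { arch == 'b32' }` block runs unconditionally, while the `check`/`fix` text in the same hunk only lists `arch=b64` rules, so a host configured exactly as the fix says would have no b32 rule, `action.uniq` would be `[]`, and the control would fail on x86_64. Either gate that describe the same way the b64 one is gated on `os.arch`, or add the matching `-a always,exit -F arch=b32 -S fsetxattr ...` lines to the fix text so the documented remediation and the test agree. Separately, neither describe asserts the `auid>=1000`/`auid!=4294967295` and `auid=0` filters or the `-k perm_mod` key that the check text requires, so as far as I can tell a bare `-a always,exit -F arch=b64 -S fsetxattr` rule passes; consider also asserting the matched rules' `key` (e.g. `its('key.uniq') { should eq ['perm_mod'] }`) and `fields_nokey` so the test is at least as strict as the manual check.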
@@ -7513,34 +7474,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-78005' do\n title 'The system must use a DoD-approved virus scan program.'\n desc \"Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to perform scans\ndynamically on accessed files. If this capability is not available, the system\nmust be configured to scan, at a minimum, all altered files on the system on a\ndaily basis.\n\n If the system processes inbound SMTP mail, the virus scanner must be\nconfigured to scan all received mail.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-78005'\n tag \"rid\": 'SV-92701r1_rule'\n tag \"stig_id\": 'UBTU-16-030900'\n tag \"fix_id\": 'F-84715r1_fix'\n tag \"cci\": ['CCI-001668']\n tag \"nist\": ['SI-3 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system is using a DoD-approved virus scan program.\n\n\nCheck for the presence of \\\"McAfee VirusScan Enterprise for Linux\\\" with the\nfollowing command:\n\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux\n\n> Loaded: loaded\n/opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.;\nenabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\n\nIf the \\\"nails\\\" service is not active, check for the presence of \\\"clamav\\\" on\nthe system with the following command:\n\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace 
daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\n\nIf neither of these applications are loaded and active, ask the System\nAdministrator if there is an antivirus package installed and active on the\nsystem.\n\n\nIf no antivirus scan program is active on the system, this is a finding.\"\n desc 'fix', 'Install an approved DoD antivirus solution on the system.'\n\n other_antivirus_loaded_active = input('other_antivirus_loaded_active')\n org_name = input('org_name')\n describe.one do\n describe service('nails') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n describe service('clamav-daemon.service') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n describe ('System Administrator and/or ' + org_name + ' approved antivirus program loaded, other than McAfee VirusScan Enterprise for Linux or Clam AntiVirus is loaded and activities') do\n subject { other_antivirus_loaded_active }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75895' do\n title \"A File Transfer Protocol (FTP) server package must not be installed\nunless needed.\"\n desc \"The FTP service provides an unencrypted remote access that does not\nprovide for the confidentiality and integrity of user passwords or the remote\nsession. If a privileged user were to log on using this service, the privileged\nuser password could be compromised. 
SSH or other encrypted file transfer\nmethods must be used in place of this service.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75895'\n tag \"rid\": 'SV-90575r1_rule'\n tag \"stig_id\": 'UBTU-16-030710'\n tag \"fix_id\": 'F-82525r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify a File Transfer Protocol (FTP) server has not been\ninstalled on the system.\n\nCheck to see if a FTP server has been installed with the following commands:\n\n# dpkg -l | grep vsftpd\nii vsftpd 3.0.3-3Ubuntu2\n\nIf \\\"vsftpd\\\" is installed and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement, this is a finding.\"\n desc 'fix', \"Document the \\\"vsftpd\\\" package with the Information System\nSecurity Officer (ISSO) as an operational requirement or remove it from the\nsystem with the following command:\n\n# sudo apt-get remove vsftpd\"\n\n describe package('vsftpd') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-78005.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75895.rb", "line": 3 }, - "id": "V-78005" + "id": "V-75895" }, { - "title": "An X Windows display manager must not be installed unless approved.", - "desc": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system. 
X\nWindows has a long history of security vulnerabilities and will not be used\nunless approved and documented.", + "title": "The audit system must take appropriate action when audit storage is\nfull.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", "descriptions": { - "default": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system. X\nWindows has a long history of security vulnerabilities and will not be used\nunless approved and documented.", - "check": "Verify that if X Windows is installed it is authorized.\n\nCheck for the X11 package with the following command:\n\n# dpkg -l | grep lightdm\n\nAsk the System Administrator if use of the X Windows system is an operational\nrequirement.\n\nIf the use of X Windows on the system is not documented with the Information\nSystem Security Officer (ISSO), this is a finding.", - "fix": "Document the requirement for an X Windows server with the\nInformation System Security Officer (ISSO) or remove the related packages with\nthe following commands:\n\n# sudo apt-get purge lightdm" + "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "check": "Verify the action that the audit system takes when the storage\nvolume becomes full.\n\nCheck the action that the audit system takes when the storage volume becomes\nfull with the following command:\n\n# sudo grep disk_full /etc/audisp/audisp-remote.conf\n\ndisk_full_action = single\n\nIf the value of the \"disk_full_action\" option is not \"syslog\", \"single\",\nor \"halt\", or the line is commented out, this is a finding.", + "fix": "Configure the audit system to take an 
appropriate action when the\naudit storage is full.\n\nAdd, edit or uncomment the \"disk_full_action\" option in\n\"/etc/audisp/audisp-remote.conf\". Set it to \"syslog\", \"single\" or\n\"halt\" like the below example:\n\ndisk_full_action = single" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75901", - "rid": "SV-90581r1_rule", - "stig_id": "UBTU-16-030740", - "fix_id": "F-82531r1_fix", + "gtitle": "SRG-OS-000479-GPOS-00224", + "gid": "V-75631", + "rid": "SV-90311r1_rule", + "stig_id": "UBTU-16-020070", + "fix_id": "F-82259r1_fix", "cci": [ - "CCI-000366" + "CCI-001851" ], "nist": [ - "CM-6 b", + "AU-4 (1)", "Rev_4" ], "false_negatives": null, 
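Review bot: The new V-75895 `code` string reduces the control to `describe package('vsftpd') do it { should_not be_installed } end`, but the `check` text in this hunk makes vsftpd a finding only when it is "not documented with the ISSO as an operational requirement", so a legitimately documented FTP server will always fail this control. The removed antivirus control modelled its equivalent exception with `input(...)`; a similar guard here, e.g. `if input('vsftpd_required') then describe 'vsftpd documented with ISSO' ... else describe package('vsftpd') ... end`, would let the profile express the documented-exception path instead of forcing a false finding. This may be a deliberate project convention (the removed lightdm control hard-failed the same way), so treat it as a question for the profile owners rather than a certain bug.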
@@ -7554,38 +7515,55 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75901' do\n title 'An X Windows display manager must not be installed unless approved.'\n desc \"Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system. X\nWindows has a long history of security vulnerabilities and will not be used\nunless approved and documented.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75901'\n tag \"rid\": 'SV-90581r1_rule'\n tag \"stig_id\": 'UBTU-16-030740'\n tag \"fix_id\": 'F-82531r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that if X Windows is installed it is authorized.\n\nCheck for the X11 package with the following command:\n\n# dpkg -l | grep lightdm\n\nAsk the System Administrator if use of the X Windows system is an operational\nrequirement.\n\nIf the use of X Windows on the system is not documented with the Information\nSystem Security Officer (ISSO), this is a finding.\"\n desc 'fix', \"Document the requirement for an X Windows server with the\nInformation System Security Officer (ISSO) or remove the related packages with\nthe following commands:\n\n# sudo apt-get purge lightdm\"\n\n describe package('lightdm') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-75631' do\n title \"The audit system must take appropriate action when audit storage is\nfull.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with 
limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-75631'\n tag \"rid\": 'SV-90311r1_rule'\n tag \"stig_id\": 'UBTU-16-020070'\n tag \"fix_id\": 'F-82259r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the action that the audit system takes when the storage\nvolume becomes full.\n\nCheck the action that the audit system takes when the storage volume becomes\nfull with the following command:\n\n# sudo grep disk_full /etc/audisp/audisp-remote.conf\n\ndisk_full_action = single\n\nIf the value of the \\\"disk_full_action\\\" option is not \\\"syslog\\\", \\\"single\\\",\nor \\\"halt\\\", or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the audit system to take an appropriate action when the\naudit storage is full.\n\nAdd, edit or uncomment the \\\"disk_full_action\\\" option in\n\\\"/etc/audisp/audisp-remote.conf\\\". 
Set it to \\\"syslog\\\", \\\"single\\\" or\n\\\"halt\\\" like the below example:\n\ndisk_full_action = single\"\n\n config_file_exists = file('/etc/audisp/audisp-remote.conf').exist?\n\n if config_file_exists\n describe auditd_conf('/etc/audisp/audisp-remote.conf') do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\n else\n describe '/etc/audisp/audisp-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75901.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75631.rb", "line": 3 }, - "id": "V-75901" + "id": "V-75631" }, { - "title": "The Ubuntu operating system must implement NSA-approved cryptography\nto protect classified information in accordance with applicable federal laws,\nExecutive Orders, directives, policies, regulations, and standards.", - "desc": "Use of weak or untested encryption algorithms undermines the purposes\nof utilizing encryption to protect data. The Ubuntu operating system must\nimplement cryptographic modules adhering to the higher standards approved by\nthe federal government since this provides assurance they have been tested and\nvalidated.", + "title": "The Ubuntu operating system must implement smart card logins for\nmultifactor authentication for access to accounts.", + "desc": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. 
Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", "descriptions": { - "default": "Use of weak or untested encryption algorithms undermines the purposes\nof utilizing encryption to protect data. The Ubuntu operating system must\nimplement cryptographic modules adhering to the higher standards approved by\nthe federal government since this provides assurance they have been tested and\nvalidated.", - "check": "Verify the system is configured to run in FIPS mode.\n\nCheck that the system is configured to run in FIPS mode with the following\ncommand:\n\n# grep -i 1 /proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding.", - "fix": "Configure the system to run in FIPS mode. Add \"fips=1\" to the\nkernel parameter during the Ubuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a number of\nmodifications to the Ubuntu operating system. Refer to the Ubuntu Server 16.04\nFIPS 140-2 security policy document for instructions." 
+ "default": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", + "check": "Verify the Ubuntu operating system uses multifactor\nauthentication for local access to accounts.\n\nCheck that the \"pam_pkcs11.so\" option is configured in the\n\"/etc/pam.d/common-auth\" file with the following command:\n\n# grep pam_pkcs11.so /etc/pam.d/common-auth\nauth [success=2 default=ignore] pam_pkcs11.so\n\nIf \"pam_pkcs11.so\" is not set in \"/etc/pam.d/common-auth\", this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to use multifactor\nauthentication for local access to accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000396-GPOS-00176", + "gtitle": "SRG-OS-000105-GPOS-00052", "satisfies": [ - "SRG-OS-000396-GPOS-00176", - "SRG-OS-000478-GPOS-00223" + "SRG-OS-000105-GPOS-00052", + "SRG-OS-000106-GPOS-00053", + "SRG-OS-000107-GPOS-00054", + "SRG-OS-000108-GPOS-00055", + "SRG-OS-000375-GPOS-00162", + "SRG-OS-000376-GPOS-00161", + "SRG-OS-000377-GPOS-00162" ], - "gid": "V-75503", - "rid": "SV-90183r1_rule", - "stig_id": "UBTU-16-010370", - "fix_id": "F-82131r1_fix", + "gid": "V-75911", + "rid": "SV-90591r1_rule", + "stig_id": "UBTU-16-030840", + "fix_id": "F-82541r1_fix", "cci": [ - "CCI-002450" + "CCI-000765", + "CCI-000766", + "CCI-000767", + "CCI-000768", + "CCI-001948", + "CCI-001953", + "CCI-001954" ], "nist": [ - "SC-13", + "IA-2 (1)", + "IA-2 (2)", + "IA-2 (3)", + "IA-2 (4)", + "IA-2 (11)", + "IA-2 (12)", + "IA-2 (12)", "Rev_4" ], "false_negatives": null, 
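Review bot: In the new V-75631 `code` string the value test `its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }` is an unanchored regex, so any value that merely contains one of those words is accepted rather than exactly one of the three values the check text allows; anchoring it as `should cmp /\A(?:syslog|single|halt)\z/i` pins it to the documented set. In the V-75911 `tags.nist` array added further down in this hunk, `"IA-2 (12)"` appears twice; the duplicate should be dropped so the tag list matches the CCI list one-to-one. The V-75911 `code` string itself begins in the next hunk, outside this unit.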
@@ -7599,34 +7577,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75503' do\n title \"The Ubuntu operating system must implement NSA-approved cryptography\nto protect classified information in accordance with applicable federal laws,\nExecutive Orders, directives, policies, regulations, and standards.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes\nof utilizing encryption to protect data. The Ubuntu operating system must\nimplement cryptographic modules adhering to the higher standards approved by\nthe federal government since this provides assurance they have been tested and\nvalidated.\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000396-GPOS-00176'\n tag \"satisfies\": %w[SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223]\n tag \"gid\": 'V-75503'\n tag \"rid\": 'SV-90183r1_rule'\n tag \"stig_id\": 'UBTU-16-010370'\n tag \"fix_id\": 'F-82131r1_fix'\n tag \"cci\": ['CCI-002450']\n tag \"nist\": %w[SC-13 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system is configured to run in FIPS mode.\n\nCheck that the system is configured to run in FIPS mode with the following\ncommand:\n\n# grep -i 1 /proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding.\"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the\nkernel parameter during the Ubuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a number of\nmodifications to the Ubuntu operating system. 
Refer to the Ubuntu Server 16.04\nFIPS 140-2 security policy document for instructions.\"\n\n config_file = '/proc/sys/crypto/fips_enabled'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n it { should cmp '1' }\n end\n else\n describe ('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75911' do\n title \"The Ubuntu operating system must implement smart card logins for\nmultifactor authentication for access to accounts.\"\n desc \"Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000105-GPOS-00052'\n tag \"satisfies\": %w[SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053\n SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055\n SRG-OS-000375-GPOS-00162 SRG-OS-000376-GPOS-00161\n SRG-OS-000377-GPOS-00162]\n tag \"gid\": 'V-75911'\n tag \"rid\": 'SV-90591r1_rule'\n tag \"stig_id\": 'UBTU-16-030840'\n tag \"fix_id\": 'F-82541r1_fix'\n tag \"cci\": %w[CCI-000765 CCI-000766 CCI-000767 CCI-000768\n CCI-001948 CCI-001953 CCI-001954]\n tag \"nist\": ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)', 'IA-2 (11)',\n 'IA-2 (12)', 'IA-2 (12)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system uses multifactor\nauthentication for local access to accounts.\n\nCheck that the \\\"pam_pkcs11.so\\\" option is configured in the\n\\\"/etc/pam.d/common-auth\\\" file with the following command:\n\n# grep pam_pkcs11.so /etc/pam.d/common-auth\nauth [success=2 default=ignore] pam_pkcs11.so\n\nIf \\\"pam_pkcs11.so\\\" is not set in \\\"/etc/pam.d/common-auth\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor\nauthentication for local access to accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\"\n\n describe command('grep pam_pkcs11.so /etc/pam.d/common-auth') do\n its('stdout') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75503.rb", + 
"ref": "./Ubuntu 16.04 STIG/controls/V-75911.rb", "line": 3 }, - "id": "V-75503" + "id": "V-75911" }, { - "title": "The rsh-server package must not be installed.", - "desc": "It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", + "title": "The Ubuntu operating system must use a separate file system for the\nsystem audit data path.", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. 
Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", - "check": "Verify that the rsh-server package is not installed on the\nUbuntu operating system.\n\nCheck to see if the rsh-server package is installed with the following command:\n\n# sudo apt list rsh-server\n\nIf the rsh-server package is installed, this is a finding.", - "fix": "Configure the Ubuntu operating system to disable non-essential\ncapabilities by removing the rsh-server package from the system with the\nfollowing command:\n\n# sudo apt-get remove rsh-server" + "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "check": "Verify that a separate file system/partition has been created\nfor the system audit data path.\n\nCheck that a file system/partition has been created for the system audit data\npath with the following command:\n\nNote: /var/log/audit is used as the example as it is a common location.\n\n#grep /var/log/audit /etc/fstab\nUUID=3645951a /var/log/audit ext4 defaults 1 2\n\nIf a separate entry for \"/var/log/audit\" does not exist, ask the System\nAdministrator if the system audit logs are being written to a different file\nsystem/partition on the system, then grep for that file system/partition.\n\nIf a separate file system/partition does not exist for the system audit data\npath, this is a finding.", + "fix": "Migrate the system audit data path onto a separate file system." 
 },
- "impact": 0.7,
+ "impact": 0.3,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000095-GPOS-00049",
- "gid": "V-75801",
- "rid": "SV-90481r2_rule",
- "stig_id": "UBTU-16-030020",
- "fix_id": "F-82431r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-75591",
+ "rid": "SV-90271r1_rule",
+ "stig_id": "UBTU-16-010930",
+ "fix_id": "F-82219r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-000366"
 ],
 "nist": [
- "CM-7 a",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
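Review bot: The V-75911 test in this hunk's `code` string, `describe command('grep pam_pkcs11.so /etc/pam.d/common-auth') … its('stdout') { should_not be_empty }`, is satisfied by a commented-out `#auth … pam_pkcs11.so` line, so the automated check is weaker than the check text beside it, which treats a missing active entry as a finding. Matching the file content with an anchored pattern, `describe file('/etc/pam.d/common-auth') do` / `its('content') { should match(/^\s*auth\s+.*pam_pkcs11\.so/) }` / `end`, rejects commented lines the way the removed pam_faildelay control's `stdout.strip` regex did. The same control's `nist` tag lists `'IA-2 (12)'` twice, which looks like a copy error in the generated metadata.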
@@ -7640,29 +7618,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75801' do\n title 'The rsh-server package must not be installed.'\n desc \"It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-75801'\n tag \"rid\": 'SV-90481r2_rule'\n tag \"stig_id\": 'UBTU-16-030020'\n tag \"fix_id\": 'F-82431r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the rsh-server package is not installed on the\nUbuntu operating system.\n\nCheck to see if the rsh-server package is installed with the following command:\n\n# sudo apt list rsh-server\n\nIf the rsh-server package is installed, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to disable 
non-essential\ncapabilities by removing the rsh-server package from the system with the\nfollowing command:\n\n# sudo apt-get remove rsh-server\"\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-75591' do\n title \"The Ubuntu operating system must use a separate file system for the\nsystem audit data path.\"\n desc \"The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75591'\n tag \"rid\": 'SV-90271r1_rule'\n tag \"stig_id\": 'UBTU-16-010930'\n tag \"fix_id\": 'F-82219r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that a separate file system/partition has been created\nfor the system audit data path.\n\nCheck that a file system/partition has been created for the system audit data\npath with the following command:\n\nNote: /var/log/audit is used as the example as it is a common location.\n\n#grep /var/log/audit /etc/fstab\nUUID=3645951a /var/log/audit ext4 defaults 1 2\n\nIf a separate entry for \\\"/var/log/audit\\\" does not exist, ask the System\nAdministrator if the system audit logs are being written to a different file\nsystem/partition on the system, then grep for that file system/partition.\n\nIf a separate file system/partition does not exist for the system audit data\npath, this is a finding.\"\n desc 'fix', 'Migrate the system audit data path onto a separate file system.'\n\n audit_log_path = input('audit_log_path')\n\n describe mount(audit_log_path) do\n it { 
should be_mounted }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75801.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75591.rb", "line": 3 }, - "id": "V-75801" + "id": "V-75591" }, { - "title": "The Ubuntu operating system must enforce a delay of at least 4 seconds\nbetween logon prompts following a failed logon attempt.", - "desc": "Limiting the number of logon attempts over a certain time interval\nreduces the chances that an unauthorized user may gain access to an account.", + "title": "The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system\nmust be disabled if GNOME is installed.", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", "descriptions": { - "default": "Limiting the number of logon attempts over a certain time interval\nreduces the chances that an unauthorized user may gain access to an account.", - "check": "Verify the Ubuntu operating system enforces a delay of at least\n4 seconds between logon prompts following a failed logon attempt.\n\nCheck that the Ubuntu operating system enforces a delay of at least 4 seconds\nbetween logon prompts with the following command:\n\n# grep pam_faildelay /etc/pam.d/common-auth*\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is not present, or is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce a delay of at\nleast 4 seconds between logon prompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set the parameter\n\"pam_faildelay\" to a value of 4000000 or 
greater:\n\nauth required pam_faildelay.so delay=4000000"
+ "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.",
+ "check": "Verify the Ubuntu operating system is not configured to reboot\nthe system when Ctrl-Alt-Delete is pressed when using GNOME.\n\nCheck that the \"logout\" target is not bound to an action with the following\ncommand:\n\n# grep logout /etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is commented out, or is missing,\nthis is a finding.",
+ "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence when\nusing GNOME by creating or editing the /etc/dconf/db/local.d/00-disable-CAD\nfile.\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=’’\n\nThen update the dconf settings:\n\n# dconf update"
 },
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00226",
- "gid": "V-75493",
- "rid": "SV-90173r1_rule",
- "stig_id": "UBTU-16-010320",
- "fix_id": "F-82121r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-80957",
+ "rid": "SV-95669r1_rule",
+ "stig_id": "UBTU-16-010631",
+ "fix_id": "F-87833r1_fix",
 "cci": [
 "CCI-000366"
 ],
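Review bot: The V-75591 test in this hunk's `code` string reads `audit_log_path = input('audit_log_path')` and then `describe mount(audit_log_path)`, so on a run where nobody supplies that input InSpec raises a missing-input error and the control ends in an error rather than a pass/fail result; the check text itself derives the location from the audit configuration, and the removed V-75649 control already used `auditd_conf.log_file` for that. A default keeps the control self-contained, e.g. `audit_log_path = input('audit_log_path', value: File.dirname(auditd_conf.log_file))`, assuming the profile does not declare the input elsewhere. `be_mounted` is also satisfied by any mount-table entry for that path, including a bind mount of the root file system, which is presumably why the check text falls back to asking the administrator; a comment stating that limitation, `# be_mounted only confirms a mount entry exists for the path, not that it is a distinct file system`, would help the next reader.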
@@ -7681,34 +7659,40 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75493' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds\nbetween logon prompts following a failed logon attempt.\"\n desc \"Limiting the number of logon attempts over a certain time interval\nreduces the chances that an unauthorized user may gain access to an account.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00226'\n tag \"gid\": 'V-75493'\n tag \"rid\": 'SV-90173r1_rule'\n tag \"stig_id\": 'UBTU-16-010320'\n tag \"fix_id\": 'F-82121r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least\n4 seconds between logon prompts following a failed logon attempt.\n\nCheck that the Ubuntu operating system enforces a delay of at least 4 seconds\nbetween logon prompts with the following command:\n\n# grep pam_faildelay /etc/pam.d/common-auth*\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is not present, or is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at\nleast 4 seconds between logon prompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set the parameter\n\\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required pam_faildelay.so delay=4000000\"\n\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match 
/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp > 4_000_000 }\n end\n end\nend\n", + "code": "control 'V-80957' do\n title \"The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system\nmust be disabled if GNOME is installed.\"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-80957'\n tag \"rid\": 'SV-95669r1_rule'\n tag \"stig_id\": 'UBTU-16-010631'\n tag \"fix_id\": 'F-87833r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot\nthe system when Ctrl-Alt-Delete is pressed when using GNOME.\n\nCheck that the \\\"logout\\\" target is not bound to an action with the following\ncommand:\n\n# grep logout /etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is commented out, or is missing,\nthis is a finding.\"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when\nusing GNOME 
by creating or editing the /etc/dconf/db/local.d/00-disable-CAD\nfile.\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=’’\n\nThen update the dconf settings:\n\n# dconf update\"\n\n gnome_installed = (package('ubuntu-gnome-desktop').installed? || package('ubuntu-desktop').installed?)\n\n if gnome_installed\n logout_enabled = command('gsettings get org.gnome.settings-daemon.plugins.media-keys logout')\n describe logout_enabled do\n its('stdout') { should cmp '' }\n end\n else\n impact 0\n describe 'Control Not Applicable as GNOME dekstop environment is not installed' do\n subject { gnome_installed }\n it { should be false }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75493.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-80957.rb", "line": 3 }, - "id": "V-75493" + "id": "V-80957" }, { - "title": "The audit log files must be owned by root.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The audit system must be configured to audit the execution of\nprivileged functions and prevent all software from executing at higher\nprivilege levels than users executing the software.", + "desc": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify the audit log files are owned by \"root\".\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \"[log_path]\" in the\nfollowing command:\n\n# sudo ls -la [log_path] | cut -d' ' -f3\nroot\n\nIf the audit logs are not group-owned by \"root\", this is a finding.", - "fix": "Change the owner of the audit log file by running the following\ncommand:\n\nUse the following command to get the audit log path:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \"[log_path]\" in the\nfollowing command:\n\n# sudo chown root [log_path]" + "default": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. 
Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.",
+ "check": "Verify the Ubuntu operating system audits the execution of\nprivilege functions.\n\nVerify if the Ubuntu operating system is configured to audit the execution of\nthe \"execve\" system call, by running the following command:\n\n# sudo grep execve /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nIf the command does not return both lines, or the line is commented out, this\nis a finding.",
+ "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"execve\" system call.\n\nAdd or update the following file system rules to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000206-GPOS-00084",
- "gid": "V-75649",
- "rid": "SV-90329r2_rule",
- "stig_id": "UBTU-16-020160",
- "fix_id": "F-82277r2_fix",
+ "gtitle": "SRG-OS-000326-GPOS-00126",
+ "satisfies": [
+ "SRG-OS-000326-GPOS-00126",
+ "SRG-OS-000327-GPOS-00127"
+ ],
+ "gid": "V-75689",
+ "rid": "SV-90369r2_rule",
+ "stig_id": "UBTU-16-020350",
+ "fix_id": "F-82317r2_fix",
 "cci": [
- "CCI-001314"
+ "CCI-002233",
+ "CCI-002234"
 ],
 "nist": [
- "SI-11 b",
+ "AC-6 (8)",
+ "AC-6 (9)",
 "Rev_4"
 ],
 "false_negatives": null,
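Review bot: The V-80957 test in this hunk's `code` string asserts `its('stdout') { should cmp '' }` on `gsettings get org.gnome.settings-daemon.plugins.media-keys logout`, but gsettings prints an empty string value as `''` (two quote characters), so the assertion most likely fails on a correctly configured host; comparing against what the tool prints, `its('stdout.strip') { should cmp "''" }`, or reading the `/etc/dconf/db/local.d/*` files the check text names, would test what the STIG describes, and running gsettings as the scanning user rather than the desktop user is a further source of divergence worth a comment. The fix text in the same `code` string, and the `fix` description in the previous hunk, use typographic quotes in `logout=’’`, which pasted into `/etc/dconf/db/local.d/00-disable-CAD` is not the ASCII `logout=''` the check greps for. The serialized `"impact": 0` for this control in the previous hunk differs from the code's `impact 0.7`, which suggests the JSON was exported from a host where the `else` branch lowered the impact, so the baseline carries a machine-specific severity. The not-applicable message also spells `dekstop`.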
@@ -7722,84 +7706,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75649' do\n title 'The audit log files must be owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75649'\n tag \"rid\": 'SV-90329r2_rule'\n tag \"stig_id\": 'UBTU-16-020160'\n tag \"fix_id\": 'F-82277r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\".\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \\\"[log_path]\\\" in the\nfollowing command:\n\n# sudo ls -la [log_path] | cut -d' ' -f3\nroot\n\nIf the audit logs are not group-owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Change the owner of the audit log file by running the 
following\ncommand:\n\nUse the following command to get the audit log path:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace \\\"[log_path]\\\" in the\nfollowing command:\n\n# sudo chown root [log_path]\"\n\n log_file_path = auditd_conf.log_file\n\n describe file(log_file_path) do\n its('owner') { should cmp 'root' }\n end\nend\n", + "code": "control 'V-75689' do\n title \"The audit system must be configured to audit the execution of\nprivileged functions and prevent all software from executing at higher\nprivilege levels than users executing the software.\"\n desc \"Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000326-GPOS-00126'\n tag \"satisfies\": %w[SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127]\n tag \"gid\": 'V-75689'\n tag \"rid\": 'SV-90369r2_rule'\n tag \"stig_id\": 'UBTU-16-020350'\n tag \"fix_id\": 'F-82317r2_fix'\n tag \"cci\": %w[CCI-002233 CCI-002234]\n tag \"nist\": ['AC-6 (8)', 'AC-6 (9)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system audits the execution of\nprivilege functions.\n\nVerify if the Ubuntu operating system is configured to audit the execution of\nthe \\\"execve\\\" system call, by 
running the following command:\n\n# sudo grep execve /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nIf the command does not return both lines, or the line is commented out, this\nis a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"execve\\\" system call.\n\nAdd or update the following file system rules to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75649.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75689.rb", "line": 3 }, - "id": "V-75649" + "id": "V-75689" }, { - "title": "Audit tools must be owned by root.", - "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "title": "Successful/unsuccessful uses of the ssh-keysign command must generate\nan audit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.", - "check": "Verify the audit tools are owned by \"root\" to prevent any\nunauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following command:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not owned by \"root\", this is a finding.", - "fix": "Configure the audit tools to be owned by \"root\", by running the\nfollowing command:\n\n# sudo chown root [audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by \"root\"." + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-keysign\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nThe audit daemon 
must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000256-GPOS-00097", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000256-GPOS-00097", - "SRG-OS-000257-GPOS-00098", - "SRG-OS-000258-GPOS-00099" - ], - "gid": "V-75655", - "rid": "SV-90335r2_rule", - "stig_id": "UBTU-16-020190", - "fix_id": "F-82283r2_fix", - "cci": [ - "CCI-001493", - "CCI-001494", - "CCI-001495" - ], - "nist": [ - "AU-9", - "AU-9", - "AU-9", - "Rev_4" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null - }, - "code": "control 'V-75655' do\n title 'Audit tools must be owned by root.'\n desc \"Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000256-GPOS-00097'\n tag \"satisfies\": %w[SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098\n SRG-OS-000258-GPOS-00099]\n tag \"gid\": 'V-75655'\n tag \"rid\": 'SV-90335r2_rule'\n tag \"stig_id\": 'UBTU-16-020190'\n tag \"fix_id\": 'F-82283r2_fix'\n tag \"cci\": %w[CCI-001493 CCI-001494 CCI-001495]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit tools are owned by \\\"root\\\" to prevent any\nunauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following command:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit tools to be owned by \\\"root\\\", by running the\nfollowing command:\n\n# sudo chown root [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by \\\"root\\\".\"\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\nend\n", - "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75655.rb", - "line": 3 - }, - "id": "V-75655" - }, - { - "title": "The Ubuntu operating system must implement address space layout\nrandomization to protect its memory from unauthorized code execution.", - "desc": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory 
locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", - "descriptions": { - "default": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", - "check": "Verify the Ubuntu operating system implements address space\nlayout randomization (ASLR).\n\nCheck that ASLR is configured on the system with the following command:\n\n# sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned; we must verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n# kernel.randomize_va_space\" /etc/sysctl.conf /etc/sysctl.d/*\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", this is a finding.", - "fix": "Configure the operating system implement virtual address space\nrandomization.\n\nSet the system to the required kernel parameter by adding the following line to\n\"/etc/sysctl.conf\" (or modify the line to have the required value):\n\nkernel.randomize_va_space=2" - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000433-GPOS-00193", - "gid": "V-75821", - "rid": "SV-90501r2_rule", - "stig_id": "UBTU-16-030140", - "fix_id": "F-82451r2_fix", + "gid": "V-75707", + "rid": "SV-90387r3_rule", + "stig_id": 
"UBTU-16-020410", + "fix_id": "F-82335r2_fix", "cci": [ - "CCI-002824" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "SI-16", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
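Review bot: The new `code` string for V-75689 runs the `auditd.syscall('execve').where { arch == 'b32' }` describe block unconditionally, while the b64 block is guarded by `if os.arch == 'x86_64'` and the control's own check and fix text list only `-F arch=b64` rules; on a 64-bit host configured exactly as the fix text says, the b32 filter appears to match no rules, so `its('action.uniq') { should eq ['always'] }` would report a finding against a compliant system. Neither describe verifies the `-C uid!=euid` / `-C gid!=egid` comparisons or the `key=execpriv` that the check text requires, so a bare `-S execve` rule passes (a superset, hence no audit gap, but the test does not implement the documented check). Since this JSON is an export of the profile, the fix belongs in `./Ubuntu 16.04 STIG/controls/V-75689.rb` (the `source_location` on the new side) followed by regenerating this baseline: either gate the b32 block the same way as the b64 one, or add a comment to the control explaining why b32 rules are required beyond what the STIG text lists.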
@@ -7813,51 +7763,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75821' do\n title \"The Ubuntu operating system must implement address space layout\nrandomization to protect its memory from unauthorized code execution.\"\n desc \"Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000433-GPOS-00193'\n tag \"gid\": 'V-75821'\n tag \"rid\": 'SV-90501r2_rule'\n tag \"stig_id\": 'UBTU-16-030140'\n tag \"fix_id\": 'F-82451r2_fix'\n tag \"cci\": ['CCI-002824']\n tag \"nist\": %w[SI-16 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system implements address space\nlayout randomization (ASLR).\n\nCheck that ASLR is configured on the system with the following command:\n\n# sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned; we must verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n# kernel.randomize_va_space\\\" /etc/sysctl.conf /etc/sysctl.d/*\n\nkernel.randomize_va_space = 2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to \\\"2\\\", this is a finding.\"\n desc 'fix', \"Configure the operating system implement virtual address 
space\nrandomization.\n\nSet the system to the required kernel parameter by adding the following line to\n\\\"/etc/sysctl.conf\\\" (or modify the line to have the required value):\n\nkernel.randomize_va_space=2\"\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n", + "code": "control 'V-75707' do\n title \"Successful/unsuccessful uses of the ssh-keysign command must generate\nan audit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75707'\n tag \"rid\": 'SV-90387r3_rule'\n tag \"stig_id\": 'UBTU-16-020410'\n tag \"fix_id\": 'F-82335r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"ssh-keysign\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in 
\\\"/etc/audit/audit.rules\\\":\n\n# sudo grep ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75821.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75707.rb", "line": 3 }, - "id": "V-75821" + "id": "V-75707" }, { - "title": "Successful/unsuccessful uses of the su command must generate an audit\nrecord.", - "desc": "Without establishing what type of events occurred, it would be\ndifficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\n Audit record content that may be necessary to satisfy this 
requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource\nutilization or capacity thresholds; or identifying an improperly configured\nUbuntu operating system.", + "title": "All local interactive user home directories must have mode 0750 or\nless permissive.", + "desc": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", "descriptions": { - "default": "Without establishing what type of events occurred, it would be\ndifficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource\nutilization or capacity thresholds; or identifying an improperly configured\nUbuntu operating system.", - "check": "Verify the Ubuntu operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw /bin/su /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\nIf the command does not return a line, or the line is commented out, 
this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to generate audit records\nwhen successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/audit.rules\":\n\n-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", + "check": "Verify the assigned home directory of all local interactive\nusers has a mode of \"0750\" or less permissive.\n\nCheck the home directory assignment for all non-privileged users with the\nfollowing command:\n\nNote: This may miss interactive users that have been assigned a privileged User\nIdentifier (UID). Evidence of interactive use may be obtained from a number of\nlog files containing system logon information.\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\"nobody\"){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nIf home directories referenced in \"/etc/passwd\" do not have a mode of\n\"0750\" or less permissive, this is a finding.", + "fix": "Change the mode of interactive user’s home directories to\n\"0750\". 
To change the mode of a local interactive user’s home directory, use\nthe following command:\n\nNote: The example will be for the user \"smithj\".\n\n# chmod 0750 /home/smithj" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000064-GPOS-0003", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75691", - "rid": "SV-90371r3_rule", - "stig_id": "UBTU-16-020360", - "fix_id": "F-82319r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75565", + "rid": "SV-90245r1_rule", + "stig_id": "UBTU-16-010750", + "fix_id": "F-82193r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -7871,34 +7804,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75691' do\n title \"Successful/unsuccessful uses of the su command must generate an audit\nrecord.\"\n desc \"Without establishing what type of events occurred, it would be\ndifficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource\nutilization or capacity thresholds; or identifying an improperly configured\nUbuntu operating system.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-0003\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75691'\n tag \"rid\": 'SV-90371r3_rule'\n tag \"stig_id\": 'UBTU-16-020360'\n tag \"fix_id\": 'F-82319r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nCheck for the following system call being 
audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw /bin/su /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nwhen successful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the following rule in \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75565' do\n title \"All local interactive user home directories must have mode 0750 or\nless permissive.\"\n desc \"Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75565'\n tag \"rid\": 'SV-90245r1_rule'\n tag \"stig_id\": 'UBTU-16-010750'\n tag \"fix_id\": 'F-82193r1_fix'\n tag \"cci\": ['CCI-000366']\n tag 
\"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the assigned home directory of all local interactive\nusers has a mode of \\\"0750\\\" or less permissive.\n\nCheck the home directory assignment for all non-privileged users with the\nfollowing command:\n\nNote: This may miss interactive users that have been assigned a privileged User\nIdentifier (UID). Evidence of interactive use may be obtained from a number of\nlog files containing system logon information.\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nIf home directories referenced in \\\"/etc/passwd\\\" do not have a mode of\n\\\"0750\\\" or less permissive, this is a finding.\"\n desc 'fix', \"Change the mode of interactive user’s home directories to\n\\\"0750\\\". 
To change the mode of a local interactive user’s home directory, use\nthe following command:\n\nNote: The example will be for the user \\\"smithj\\\".\n\n# chmod 0750 /home/smithj\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -maxdepth 0 -perm /027\").stdout.split(\"\\n\")\n end\n describe 'Home directories with excessive permissions' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75691.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75565.rb", "line": 3 }, - "id": "V-75691" + "id": "V-75565" }, { - "title": "A sticky bit must be set on all public directories to prevent\nunauthorized and unintended information transferred via shared system\nresources.", - "desc": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. 
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", + "title": "The Ubuntu operating system must be configured to prevent unrestricted\nmail relaying.", + "desc": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", "descriptions": { - "default": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", - "check": "Verify that all world writable directories have the sticky bit\nset.\n\nCheck to see that all world writable directories have the sticky bit set by\nrunning the following command:\n\n# sudo find / -type d \\( -perm -0002 -a ! 
-perm -1000 \\) -print 2>/dev/null\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world writable and do not have the\nsticky bit set, this is a finding.", - "fix": "Configure all world writable directories have the sticky bit set\nto prevent unauthorized and unintended information transferred via shared\nsystem resources.\n\nSet the sticky bit on all world writable directories using the command, replace\n\"[World-Writable Directory]\" with any directory path missing the sticky bit:\n\n# sudo chmod 1777 [World-Writable Directory]" + "default": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", + "check": "Determine if \"postfix\" is installed with the following\ncommands:\n\nNote: If postfix is not installed, this is Not Applicable.\n\n# dpkg -l | grep postfix\nii postfix 3.1.0-3\n\nVerify the Ubuntu operating system is configured to prevent unrestricted mail\nrelaying.\n\nIf postfix is installed, determine if it is configured to reject connections\nfrom unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\n\nsmtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject\n\nIf the \"smtpd_relay_restrictions\" parameter contains any entries other than\n\"permit_mynetworks\", \"permit_sasl_authenticated\" and \"reject\", is\nmissing, or is commented out, this is a finding.", + "fix": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\"\nfile to restrict client connections to the local network with the following\ncommand:\n\n# sudo postconf -e 'smtpd_relay_restrictions = permit_mynetworks,\npermit_sasl_authenticated, reject'" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-75811", - "rid": "SV-90491r4_rule", - "stig_id": "UBTU-16-030070", - "fix_id": "F-82441r2_fix", + 
"gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75891", + "rid": "SV-90571r2_rule", + "stig_id": "UBTU-16-030620", + "fix_id": "F-82521r2_fix", "cci": [ - "CCI-001090" + "CCI-000366" ], "nist": [ - "SC-4", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -7912,20 +7845,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75811' do\n title \"A sticky bit must be set on all public directories to prevent\nunauthorized and unintended information transferred via shared system\nresources.\"\n desc \"Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. 
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-75811'\n tag \"rid\": 'SV-90491r4_rule'\n tag \"stig_id\": 'UBTU-16-030070'\n tag \"fix_id\": 'F-82441r2_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": %w[SC-4 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all world writable directories have the sticky bit\nset.\n\nCheck to see that all world writable directories have the sticky bit set by\nrunning the following command:\n\n# sudo find / -type d \\\\( -perm -0002 -a ! -perm -1000 \\\\) -print 2>/dev/null\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world writable and do not have the\nsticky bit set, this is a finding.\"\n desc 'fix', \"Configure all world writable directories have the sticky bit set\nto prevent unauthorized and unintended information transferred via shared\nsystem resources.\n\nSet the sticky bit on all world writable directories using the command, replace\n\\\"[World-Writable Directory]\\\" with any directory path missing the sticky bit:\n\n# sudo chmod 1777 [World-Writable Directory]\"\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! 
-perm -1000 \\) -print 2>/dev/null').stdout.lines\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75891' do\n title \"The Ubuntu operating system must be configured to prevent unrestricted\nmail relaying.\"\n desc \"If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75891'\n tag \"rid\": 'SV-90571r2_rule'\n tag \"stig_id\": 'UBTU-16-030620'\n tag \"fix_id\": 'F-82521r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Determine if \\\"postfix\\\" is installed with the following\ncommands:\n\nNote: If postfix is not installed, this is Not Applicable.\n\n# dpkg -l | grep postfix\nii postfix 3.1.0-3\n\nVerify the Ubuntu operating system is configured to prevent unrestricted mail\nrelaying.\n\nIf postfix is installed, determine if it is configured to reject connections\nfrom unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\n\nsmtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject\n\nIf the \\\"smtpd_relay_restrictions\\\" parameter contains any entries other than\n\\\"permit_mynetworks\\\", \\\"permit_sasl_authenticated\\\" and \\\"reject\\\", is\nmissing, or is commented out, this is a 
finding.\"\n desc 'fix', \"If \\\"postfix\\\" is installed, modify the \\\"/etc/postfix/main.cf\\\"\nfile to restrict client connections to the local network with the following\ncommand:\n\n# sudo postconf -e 'smtpd_relay_restrictions = permit_mynetworks,\npermit_sasl_authenticated, reject'\"\n\n is_postfix_installed = package('postfix').installed?\n\n if is_postfix_installed\n postconf_output = command('postconf -n smtpd_client_restrictions').stdout.strip\n smtpd_relay_restrictions = postconf_output.split(' = ')[1].split(', ')\n describe smtpd_relay_restrictions do\n it { should be_in %w[permit_mynetworks permit_sasl_authenticated reject] }\n end\n else\n impact 0\n describe 'Control Not Applicable as postfix is not installed' do\n subject { is_postfix_installed }\n it { should be false }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75811.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75891.rb", "line": 3 }, - "id": "V-75811" + "id": "V-75891" }, { - "title": "Successful/unsuccessful uses of the lchown command must generate an\naudit record.", + "title": "Successful/unsuccessful uses of the newgrp command must generate an\naudit record.", "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the 
Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"lchown\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"lchown\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w newgrp /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"newgrp\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], 
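Review bot: The Ruby embedded in the new `code` field for V-75891 reads the wrong Postfix parameter and crashes on the case it most needs to evaluate: `command('postconf -n smtpd_client_restrictions')` queries `smtpd_client_restrictions` rather than `smtpd_relay_restrictions`, and because `postconf -n` prints only explicitly-set values, a host whose relay policy was never set in `main.cf` produces empty output, so `postconf_output.split(' = ')[1]` is nil and the following `.split(', ')` raises NoMethodError instead of reporting a finding. Since this control exists to catch hosts that silently inherit a permissive relay policy, that is exactly the configuration that must fail cleanly, not abort the control. Querying the correct parameter without `-n` and tolerating arbitrary spacing fixes both: `relay = command('postconf -h smtpd_relay_restrictions').stdout.strip.split(/,\s*/)` followed by `describe relay do`, with `it { should_not be_empty }` added ahead of the existing `be_in` expectation so an unset or missing value is a finding. The `-n smtpd_client_restrictions` wording looks inherited from the DISA check text, so a short comment noting the deliberate deviation would save the next maintainer from "correcting" it back.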
@@ -7939,10 +7872,10 @@ "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75735", - "rid": "SV-90415r3_rule", - "stig_id": "UBTU-16-020550", - "fix_id": "F-82363r2_fix", + "gid": "V-75761", + "rid": "SV-90441r4_rule", + "stig_id": "UBTU-16-020680", + "fix_id": "F-82389r2_fix", "cci": [ "CCI-000130", "CCI-000135", 
@@ -7969,34 +7902,42 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75735' do\n title \"Successful/unsuccessful uses of the lchown command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75735'\n tag \"rid\": 'SV-90415r3_rule'\n tag \"stig_id\": 'UBTU-16-020550'\n tag \"fix_id\": 'F-82363r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"lchown\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', 
\"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"lchown\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('lchown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('lchown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75761' do\n title \"Successful/unsuccessful uses of the newgrp command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75761'\n tag \"rid\": 'SV-90441r4_rule'\n tag \"stig_id\": 'UBTU-16-020680'\n tag \"fix_id\": 'F-82389r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag 
\"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"newgrp\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w newgrp /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\n\n\n\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"newgrp\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75735.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75761.rb", "line": 3 }, - "id": "V-75735" + "id": "V-75761" }, { - "title": "The Ubuntu operating system must notify the System Administrator (SA)\nand Information System Security Officer (ISSO) (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity.", - "desc": "If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.", + "title": "An application firewall must employ a deny-all, allow-by-exception\npolicy for allowing connections to other systems.", + "desc": "Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. 
It also permits outbound\nconnections that may facilitate exfiltration of DoD data.", "descriptions": { - "default": "If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.", - "check": "Verify the Ubuntu operating system notifies the System\nAdministrator (SA) and Information System Security Officer (ISSO) (at a\nminimum) when allocated audit record storage volume reaches 75% of the\nrepository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are\nbeing written to with the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the\nexample being \"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n1.0G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created\nfor audit records (in this example \"/var/log/audit\" is a separate partition),\ndetermine the amount of space other files in the partition are currently\noccupying with the following command:\n\n# du -sh \n1.0G /var\n\nDetermine what the threshold is for the system to take action when 75% of the\nrepository maximum audit record storage capacity is reached:\n\n# grep -i space_left /etc/audit/auditd.conf\nspace_left = 250\n\nIf the value of the \"space_left\" keyword is not set to 25% of the total\npartition size, this is a finding.", - "fix": "Configure the operating system to immediately notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75% of\nthe repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are\nbeing written to:\n\n# grep log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the\nexample being 
\"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n\nSet the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to\n25% of the partition size." + "default": "Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. It also permits outbound\nconnections that may facilitate exfiltration of DoD data.", + "check": "Verify the Uncomplicated Firewall is configured to employ a\ndeny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command:\n# sudo ufw status\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are \"allowed\" and are not documented\nwith the organization, this is a finding.", + "fix": "Configure the Uncomplicated Firewall to employ a deny-all,\nallow-by-exception policy for allowing connections to other systems.\n\nRemove any service that is not needed or documented by the organization with\nthe following command (replace [NUMBER] with the rule number):\n\n# sudo ufw delete [NUMBER]\n\nAnother option would be to set the Uncomplicated Firewall back to default with\nthe following commands:\n\n# sudo ufw default deny incoming\n# sudo ufw default allow outgoing\n\nNote: UFW’s defaults are to deny all incoming connections and allow all\noutgoing connections." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000343-GPOS-00134", - "gid": "V-80961", - "rid": "SV-95673r1_rule", - "stig_id": "UBTU-16-020021", - "fix_id": "F-87821r1_fix", + "gtitle": "SRG-OS-000297-GPOS-00115", + "satisfies": [ + "SRG-OS-000297-GPOS-00115", + "SRG-OS-000480-GPOS-00231" + ], + "gid": "V-75807", + "rid": "SV-90487r2_rule", + "stig_id": "UBTU-16-030050", + "fix_id": "F-82437r1_fix", "cci": [ - "CCI-001855" + "CCI-000366", + "CCI-002080", + "CCI-002314" ], "nist": [ - "AU-5 (1)", + "CM-6 b", + "CA-3 (5)", + "AC-17 (1)", "Rev_4" ], "false_negatives": null, 
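Review bot: The new V-75761 code only establishes that some rule mentioning `/usr/bin/newgrp` has an `x` permission and no `never` action; it never checks the rule's list or its `auid` filters, so a rule such as `-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid=0` passes while logging nothing for the unprivileged users the STIG rule targets. Inside the `describe auditd.file(@audit_file)` block I would add `its('list') { should include 'exit' }` and, if the auditd resource exposes rule fields as it appears to, `its('fields.flatten') { should include 'auid>=1000' }` (the `auid!=4294967295` filter may be rendered as `auid!=-1` or `auid!=unset` by newer auditctl, so match that one with a regex rather than a literal). The `auditd.lines.index { |line| line.include?(@audit_file) }` pre-check is a substring match and is redundant once `auditd.file(@audit_file)` is queried; `@audit_file` and `@perms` can be plain locals, since nothing outside the control reads them.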
@@ -8010,40 +7951,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-80961' do\n title \"The Ubuntu operating system must notify the System Administrator (SA)\nand Information System Security Officer (ISSO) (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity.\"\n desc \"If security personnel are not notified immediately when storage volume\nreaches 75% utilization, they are unable to plan for audit record storage\ncapacity expansion.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000343-GPOS-00134'\n tag \"gid\": 'V-80961'\n tag \"rid\": 'SV-95673r1_rule'\n tag \"stig_id\": 'UBTU-16-020021'\n tag \"fix_id\": 'F-87821r1_fix'\n tag \"cci\": ['CCI-001855']\n tag \"nist\": ['AU-5 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system notifies the System\nAdministrator (SA) and Information System Security Officer (ISSO) (at a\nminimum) when allocated audit record storage volume reaches 75% of the\nrepository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are\nbeing written to with the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the\nexample being \\\"/var/log/audit/\\\"):\n\n# df -h /var/log/audit/\n1.0G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created\nfor audit records (in this example \\\"/var/log/audit\\\" is a separate partition),\ndetermine the amount of space other files in the partition are 
currently\noccupying with the following command:\n\n# du -sh \n1.0G /var\n\nDetermine what the threshold is for the system to take action when 75% of the\nrepository maximum audit record storage capacity is reached:\n\n# grep -i space_left /etc/audit/auditd.conf\nspace_left = 250\n\nIf the value of the \\\"space_left\\\" keyword is not set to 25% of the total\npartition size, this is a finding.\"\n desc 'fix', \"Configure the operating system to immediately notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75% of\nthe repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are\nbeing written to:\n\n# grep log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the\nexample being \\\"/var/log/audit/\\\"):\n\n# df -h /var/log/audit/\n\nSet the value of the \\\"space_left\\\" keyword in \\\"/etc/audit/auditd.conf\\\" to\n25% of the partition size.\"\n\n space_left_percent = input('space_left_percent')\n audit_log_path = input('log_file_dir')\n\n describe filesystem(audit_log_path) do\n its('percent_free') { should be >= space_left_percent }\n end\n\n partition_threshold_mb = (filesystem(audit_log_path).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\nend\n", + "code": "control 'V-75807' do\n title \"An application firewall must employ a deny-all, allow-by-exception\npolicy for allowing connections to other systems.\"\n desc \"Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. 
It also permits outbound\nconnections that may facilitate exfiltration of DoD data.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000297-GPOS-00115'\n tag \"satisfies\": %w[SRG-OS-000297-GPOS-00115 SRG-OS-000480-GPOS-00231]\n tag \"gid\": 'V-75807'\n tag \"rid\": 'SV-90487r2_rule'\n tag \"stig_id\": 'UBTU-16-030050'\n tag \"fix_id\": 'F-82437r1_fix'\n tag \"cci\": %w[CCI-000366 CCI-002080 CCI-002314]\n tag \"nist\": ['CM-6 b', 'CA-3 (5)', 'AC-17 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Uncomplicated Firewall is configured to employ a\ndeny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command:\n# sudo ufw status\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are \\\"allowed\\\" and are not documented\nwith the organization, this is a finding.\"\n desc 'fix', \"Configure the Uncomplicated Firewall to employ a deny-all,\nallow-by-exception policy for allowing connections to other systems.\n\nRemove any service that is not needed or documented by the organization with\nthe following command (replace [NUMBER] with the rule number):\n\n# sudo ufw delete [NUMBER]\n\nAnother option would be to set the Uncomplicated Firewall back to default with\nthe following commands:\n\n# sudo ufw default deny incoming\n# sudo ufw default allow outgoing\n\nNote: UFW’s defaults are to deny all incoming connections and allow all\noutgoing connections.\"\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { 
value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-80961.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75807.rb", "line": 3 }, - "id": "V-80961" + "id": "V-75807" }, { - "title": "The audit system must be configured to audit the execution of\nprivileged functions and prevent all software from executing at higher\nprivilege levels than users executing the software.", - "desc": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", + "title": "The SSH daemon must perform strict mode checking of home directory\nconfiguration files.", + "desc": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", "descriptions": { - "default": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. 
Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", - "check": "Verify the Ubuntu operating system audits the execution of\nprivilege functions.\n\nVerify if the Ubuntu operating system is configured to audit the execution of\nthe \"execve\" system call, by running the following command:\n\n# sudo grep execve /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nIf the command does not return both lines, or the line is commented out, this\nis a finding.", - "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"execve\" system call.\n\nAdd or update the following file system rules to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", + "check": "Verify the SSH daemon performs strict mode checking of home\ndirectory configuration files.\n\nCheck that the SSH daemon performs strict mode checking of home directory\nconfiguration files with the following command:\n\n# grep StrictModes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is\ncommented out, this is a finding.", + "fix": "Configure SSH to perform strict mode checking of home directory\nconfiguration files. Uncomment the \"StrictModes\" keyword in\n\"/etc/ssh/sshd_config\" and set the value to \"yes\":\n\nStrictModes yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000326-GPOS-00126", - "satisfies": [ - "SRG-OS-000326-GPOS-00126", - "SRG-OS-000327-GPOS-00127" - ], - "gid": "V-75689", - "rid": "SV-90369r2_rule", - "stig_id": "UBTU-16-020350", - "fix_id": "F-82317r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75847", + "rid": "SV-90527r2_rule", + "stig_id": "UBTU-16-030330", + "fix_id": "F-82477r2_fix", "cci": [ - "CCI-002233", - "CCI-002234" + "CCI-000366" ], "nist": [ - "AC-6 (8)", - "AC-6 (9)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
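Review bot: The V-75807 code in this hunk asserts only that UFW reports `active`, while the control's substance (deny-all inbound by default) is left to a manual skip even though `ufw status verbose` prints it as a `Default: deny (incoming), allow (outgoing) ...` line; the parsing is also brittle, because `command('ufw status').stdout.strip.lines.first` is nil when ufw is absent or prints nothing (NoMethodError on `split`), and when the profile is not run as root the first line is the `ERROR: You need to be root` message, which yields a confusing cmp failure rather than a clear one. I would capture `ufw_out = command('ufw status verbose').stdout` once, use `subject { ufw_out[/^Status:\s*(\S+)/, 1] }` for the active check, and add a second describe whose subject is `ufw_out[/^Default:\s*(\w+) \(incoming\)/, 1]` with `it { should cmp 'deny' }`, leaving the documented-exceptions review as the only manual part. Checking the command's `exit_status` first, or gating on `package('ufw').installed?`, would turn the missing-ufw case into a finding instead of an exception.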
@@ -8057,54 +7992,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75689' do\n title \"The audit system must be configured to audit the execution of\nprivileged functions and prevent all software from executing at higher\nprivilege levels than users executing the software.\"\n desc \"Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000326-GPOS-00126'\n tag \"satisfies\": %w[SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127]\n tag \"gid\": 'V-75689'\n tag \"rid\": 'SV-90369r2_rule'\n tag \"stig_id\": 'UBTU-16-020350'\n tag \"fix_id\": 'F-82317r2_fix'\n tag \"cci\": %w[CCI-002233 CCI-002234]\n tag \"nist\": ['AC-6 (8)', 'AC-6 (9)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system audits the execution of\nprivilege functions.\n\nVerify if the Ubuntu operating system is configured to audit the execution of\nthe \\\"execve\\\" system call, by running the following command:\n\n# sudo grep execve /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nIf the command does not return both lines, or the line is commented out, this\nis a finding. 
\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"execve\\\" system call.\n\nAdd or update the following file system rules to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75847' do\n title \"The SSH daemon must perform strict mode checking of home directory\nconfiguration files.\"\n desc \"If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75847'\n tag \"rid\": 'SV-90527r2_rule'\n tag \"stig_id\": 'UBTU-16-030330'\n tag \"fix_id\": 'F-82477r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon performs strict mode checking of home\ndirectory configuration files.\n\nCheck that the SSH daemon performs strict mode checking of home directory\nconfiguration files with the following command:\n\n# grep StrictModes 
/etc/ssh/sshd_config\n\nStrictModes yes\n\nIf \\\"StrictModes\\\" is set to \\\"no\\\", is missing, or the returned line is\ncommented out, this is a finding.\"\n desc 'fix', \"Configure SSH to perform strict mode checking of home directory\nconfiguration files. Uncomment the \\\"StrictModes\\\" keyword in\n\\\"/etc/ssh/sshd_config\\\" and set the value to \\\"yes\\\":\n\nStrictModes yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('StrictModes') { should cmp 'yes' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75689.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75847.rb", "line": 3 }, - "id": "V-75689" + "id": "V-75847" }, { - "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/gshadow.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must have the packages required for\nmultifactor authentication to be installed.", + "desc": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. 
Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/gshadow\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/gshadow\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be 
restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). 
This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.", + "check": "Verify the Ubuntu operating system has the packages required\nfor multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor\nauthentication with the following commands:\n\n# dpkg -l | grep libpam-pkcs11\n\nii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11\nsmart cards\n\nIf the \"libpam-pkcs11\" package is not installed, this is a finding.", + "fix": "Configure the Ubuntu operating system to implement multifactor\nauthentication by installing the required packages.\nInstall the \"libpam-pkcs11\" package on the system with the following command:\n\n# sudo apt install libpam-pkcs11" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", + "gtitle": "SRG-OS-000375-GPOS-00160", "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000375-GPOS-00160", + "SRG-OS-000375-GPOS-00161", + "SRG-OS-000375-GPOS-00162" ], - "gid": "V-75665", - "rid": "SV-90345r3_rule", - "stig_id": "UBTU-16-020320", - "fix_id": "F-82293r2_fix", + "gid": "V-75903", + "rid": "SV-90583r1_rule", + "stig_id": "UBTU-16-030800", + "fix_id": "F-82533r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002132", - "CCI-002884" + "CCI-001948", + "CCI-001953", + "CCI-001954" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "AC-2 (4)", - "MA-4 (1)\n(a)", + "IA-2 (11)", + "IA-2 (12)", + "IA-2 (12)", "Rev_4" ], "false_negatives": null, 
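Review bot: The new `nist` array for V-75903 lists `"IA-2 (12)"` twice (`"IA-2 (11)", "IA-2 (12)", "IA-2 (12)", "Rev_4"`), and the same duplicate recurs in the control's `tag "nist"` inside the `code` string of the next hunk (@@ -8118). This looks like a per-CCI mapping artifact (CCI-001953 and CCI-001954 presumably both resolve to IA-2 (12)), but the tag is consumed as a set of controls and should be deduplicated to `"IA-2 (11)", "IA-2 (12)", "Rev_4"`. Since `source_location.ref` points at `./Ubuntu 16.04 STIG/controls/V-75903.rb`, the correction belongs in that control and this baseline should be regenerated rather than hand-edited.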
@@ -8118,29 +8042,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75665' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/gshadow.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75665'\n tag \"rid\": 'SV-90345r3_rule'\n tag \"stig_id\": 'UBTU-16-020320'\n tag \"fix_id\": 'F-82293r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/gshadow\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n\nIf the command 
does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/gshadow\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75903' do\n title \"The Ubuntu operating system must have the packages required for\nmultifactor authentication to be installed.\"\n desc \"Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. 
Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).\n\n Requires further clarification from NIST.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000375-GPOS-00160'\n tag \"satisfies\": %w[SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161\n SRG-OS-000375-GPOS-00162]\n tag \"gid\": 'V-75903'\n tag \"rid\": 'SV-90583r1_rule'\n tag \"stig_id\": 'UBTU-16-030800'\n tag \"fix_id\": 'F-82533r1_fix'\n tag \"cci\": %w[CCI-001948 CCI-001953 CCI-001954]\n tag \"nist\": ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system has the packages required\nfor multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor\nauthentication with the following commands:\n\n# dpkg -l | grep libpam-pkcs11\n\nii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11\nsmart cards\n\nIf the \\\"libpam-pkcs11\\\" package is not installed, this is a finding.\"\n desc 'fix', \"Configure the 
Ubuntu operating system to implement multifactor\nauthentication by installing the required packages.\nInstall the \\\"libpam-pkcs11\\\" package on the system with the following command:\n\n# sudo apt install libpam-pkcs11\"\n\n describe package('libpam-pkcs-11') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75665.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75903.rb", "line": 3 }, - "id": "V-75665" + "id": "V-75903" }, { - "title": "All local initialization files must have mode 0740 or less permissive.", - "desc": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", + "title": "The SSH public host key files must have mode 0644 or less permissive.", + "desc": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", "descriptions": { - "default": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", - "check": "Verify that all local initialization files have a mode of\n\"0740\" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n# ls -al /home/smithj/.* | more\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than \"0740\",\nthis is a finding.", - "fix": "Set the mode of the local initialization files to \"0740\" with\nthe following command:\n\nNote: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n# chmod 0740 /home/smithj/." 
+ "default": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", + "check": "Verify the SSH public host key files have mode \"0644\" or less\npermissive.\n\nNote: SSH public key files may be found in other directories on the system\ndepending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# ls -l /etc/ssh/*.pub\n\n-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any key.pub file has a mode more permissive than \"0644\", this is a\nfinding.", + "fix": "Note: SSH public key files may be found in other directories on\nthe system depending on the installation.\n\nChange the mode of public host key files under \"/etc/ssh\" to \"0644\" with\nthe following command:\n\n# sudo chmod 0644 /etc/ssh/*key.pub\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75569", - "rid": "SV-90249r1_rule", - "stig_id": "UBTU-16-010770", - "fix_id": "F-82197r1_fix", + "gid": "V-75843", + "rid": "SV-90523r2_rule", + "stig_id": "UBTU-16-030310", + "fix_id": "F-82473r2_fix", "cci": [ "CCI-000366" ], 
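Review bot: The InSpec test in the new V-75903 `code` string checks `describe package('libpam-pkcs-11')`, while the control's own check and fix text (`dpkg -l | grep libpam-pkcs11`, `sudo apt install libpam-pkcs11`) name the package `libpam-pkcs11`; the hyphenated name does not match what the guidance installs, so the control would report a finding even on a system that followed the fix. Change it to `describe package('libpam-pkcs11') do`. As `source_location.ref` points at `./Ubuntu 16.04 STIG/controls/V-75903.rb`, the fix should land there and the baseline JSON be regenerated.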
@@ -8159,34 +8083,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75569' do\n title 'All local initialization files must have mode 0740 or less permissive.'\n desc \"Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75569'\n tag \"rid\": 'SV-90249r1_rule'\n tag \"stig_id\": 'UBTU-16-010770'\n tag \"fix_id\": 'F-82197r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all local initialization files have a mode of\n\\\"0740\\\" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of\n\\\"/home/smithj\\\".\n\n# ls -al /home/smithj/.* | more\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than \\\"0740\\\",\nthis is a finding.\"\n desc 'fix', \"Set the mode of the local initialization files to \\\"0740\\\" with\nthe following command:\n\nNote: The example will be for the smithj user, who has a home directory of\n\\\"/home/smithj\\\".\n\n# chmod 0740 /home/smithj/.\"\n\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do 
|user_info|\n dot_files = command(\"find #{user_info.home} -xdev -maxdepth 1 -name '.*' -type f\").stdout.split(\"\\n\")\n dot_files.each do |dot_file|\n next unless file(dot_file).more_permissive_than?('0740')\n\n findings << dot_file\n end\n end\n describe 'All local initialization files have a mode of 0740 or less permissive' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", + "code": "control 'V-75843' do\n title 'The SSH public host key files must have mode 0644 or less permissive.'\n desc \"If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75843'\n tag \"rid\": 'SV-90523r2_rule'\n tag \"stig_id\": 'UBTU-16-030310'\n tag \"fix_id\": 'F-82473r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH public host key files have mode \\\"0644\\\" or less\npermissive.\n\nNote: SSH public key files may be found in other directories on the system\ndepending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# ls -l /etc/ssh/*.pub\n\n-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any key.pub file has a mode more permissive than \\\"0644\\\", this is a\nfinding.\"\n desc 'fix', \"Note: SSH public key files may be found in other directories on\nthe system depending on the installation.\n\nChange the mode of public host key files under \\\"/etc/ssh\\\" to \\\"0644\\\" 
with\nthe following command:\n\n# sudo chmod 0644 /etc/ssh/*key.pub\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n pub_files = command(\"find /etc/ssh -xdev -name '*.pub' -perm /133\").stdout.split(\"\\n\")\n if !pub_files.nil? && !pub_files.empty?\n pub_files.each do |pubfile|\n describe file(pubfile) do\n it { should_not be_executable.by('user') }\n it { should_not be_executable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_executable.by('others') }\n it { should_not be_writable.by('others') }\n end\n end\n else\n describe 'No files have a more permissive mode.' do\n subject { pub_files.nil? || pub_files.empty? }\n it { should eq true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75569.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75843.rb", "line": 3 }, - "id": "V-75569" + "id": "V-75843" }, { - "title": "If the Trivial File Transfer Protocol (TFTP) server is required, the\nTFTP daemon must be configured to operate in secure mode.", - "desc": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", + "title": "The Ubuntu operating system must implement DoD-approved encryption to\nprotect the confidentiality of SSH connections.", + "desc": "Without confidentiality protection mechanisms, unauthorized\nindividuals may gain access to sensitive information via a remote access\nsession.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Encryption provides a means to secure the remote connection to prevent\nunauthorized access to the data traversing the remote access connection (e.g.,\nRDP), thereby providing a degree of confidentiality. The encryption strength of\na mechanism is selected based on the security categorization of the information.", "descriptions": { - "default": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", - "check": "Verify the Trivial File Transfer Protocol (TFTP) daemon is\nconfigured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1\nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n# grep TFTP_OPTIONS /etc/default/tftpd-hpa\nTFTP_OPTIONS=\"--secure\"\n\nIf \"--secure\" is not listed in the TFTP_OPTIONS, this is a finding.", - "fix": "Configure the Trivial File Transfer Protocol (TFTP) daemon to\noperate in the secure mode by adding the \"--secure\" option to TFTP_OPTIONS in\n/etc/default/tftpd-hpa and restart the tftpd daemon." + "default": "Without confidentiality protection mechanisms, unauthorized\nindividuals may gain access to sensitive information via a remote access\nsession.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Encryption provides a means to secure the remote connection to prevent\nunauthorized access to the data traversing the remote access connection (e.g.,\nRDP), thereby providing a degree of confidentiality. 
The encryption strength of\na mechanism is selected based on the security categorization of the information.", + "check": "Verify the SSH daemon is configured to only implement\nDoD-approved encryption.\n\nCheck the SSH daemon's current configured ciphers by running the following\ncommand:\n\n# sudo grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'\n\nCiphers aes128-ctr aes192-ctr, aes256-ctr\n\nIf any ciphers other than \"aes128-ctr\", \"aes192-ctr\", or \"aes256-ctr\" are\nlisted, the \"Ciphers\" keyword is missing, or the retuned line is commented\nout, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow the SSH daemon to\nonly implement DoD-approved encryption.\n\nEdit the SSH daemon configuration \"/etc/ssh/sshd_config\" and remove any\nciphers not starting with \"aes\" and remove any ciphers ending with \"cbc\".\nIf necessary, append the \"Ciphers\" line to the \"/etc/ssh/sshd_config\"\ndocument.\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75899", - "rid": "SV-90579r1_rule", - "stig_id": "UBTU-16-030730", - "fix_id": "F-82529r1_fix", + "gtitle": "SRG-OS-000033-GPOS-00014", + "gid": "V-75829", + "rid": "SV-90509r2_rule", + "stig_id": "UBTU-16-030230", + "fix_id": "F-82459r2_fix", "cci": [ - "CCI-000366" + "CCI-000068" ], "nist": [ - "CM-6 b", + "AC-17 (2)", "Rev_4" ], "false_negatives": null, 
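Review bot: The V-75843 test in the new `code` string fails open: `pub_files = command("find /etc/ssh -xdev -name '*.pub' -perm /133").stdout.split("\n")` can never be nil, so the `pub_files.nil?` guard in the else branch is dead, and if `find` cannot run or `/etc/ssh` is unreadable the empty stdout is reported as "No files have a more permissive mode." Capture the command and assert its exit status before trusting an empty result, e.g. `find_pub = command("find /etc/ssh -xdev -name '*.pub' -perm /133")` followed by `describe find_pub do its('exit_status') { should eq 0 } end` ahead of the per-file checks. Separately, the new V-75829 check text shows the example output as `Ciphers aes128-ctr aes192-ctr, aes256-ctr` (mixed space and comma separators) while its fix gives `Ciphers aes128-ctr,aes192-ctr,aes256-ctr`, and `retuned line` is a typo for `returned line`. These strings are generated from the control sources (`./Ubuntu 16.04 STIG/controls/V-75843.rb` and the corresponding V-75829 control), so they should be corrected there and the baseline regenerated.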
@@ -8200,50 +8124,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75899' do\n title \"If the Trivial File Transfer Protocol (TFTP) server is required, the\nTFTP daemon must be configured to operate in secure mode.\"\n desc \"Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75899'\n tag \"rid\": 'SV-90579r1_rule'\n tag \"stig_id\": 'UBTU-16-030730'\n tag \"fix_id\": 'F-82529r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Trivial File Transfer Protocol (TFTP) daemon is\nconfigured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1\nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n# grep TFTP_OPTIONS /etc/default/tftpd-hpa\nTFTP_OPTIONS=\\\"--secure\\\"\n\nIf \\\"--secure\\\" is not listed in the TFTP_OPTIONS, this is a finding.\"\n desc 'fix', \"Configure the Trivial File Transfer Protocol (TFTP) daemon to\noperate in the secure mode by adding the \\\"--secure\\\" option to TFTP_OPTIONS in\n/etc/default/tftpd-hpa and restart the tftpd daemon.\"\n\n is_installed = package('tftpd-hpa').installed?\n if is_installed\n tftp_options = command('grep TFTP_OPTIONS /etc/default/tftpd-hpa').stdout.strip\n describe tftp_options do\n it { should match /(--secure)/ }\n end\n else\n impact 0\n describe 'No 
TFTP server is installed' do\n skip 'This control is Not Applicable as a TFTP server has not been installed on this server.'\n end\n end\nend\n", + "code": "control 'V-75829' do\n title \"The Ubuntu operating system must implement DoD-approved encryption to\nprotect the confidentiality of SSH connections.\"\n desc \"Without confidentiality protection mechanisms, unauthorized\nindividuals may gain access to sensitive information via a remote access\nsession.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n Encryption provides a means to secure the remote connection to prevent\nunauthorized access to the data traversing the remote access connection (e.g.,\nRDP), thereby providing a degree of confidentiality. The encryption strength of\na mechanism is selected based on the security categorization of the information.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000033-GPOS-00014'\n tag \"gid\": 'V-75829'\n tag \"rid\": 'SV-90509r2_rule'\n tag \"stig_id\": 'UBTU-16-030230'\n tag \"fix_id\": 'F-82459r2_fix'\n tag \"cci\": ['CCI-000068']\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon is configured to only implement\nDoD-approved encryption.\n\nCheck the SSH daemon's current configured ciphers by running the following\ncommand:\n\n# sudo grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'\n\nCiphers aes128-ctr aes192-ctr, aes256-ctr\n\nIf any ciphers other than \\\"aes128-ctr\\\", \\\"aes192-ctr\\\", or 
\\\"aes256-ctr\\\" are\nlisted, the \\\"Ciphers\\\" keyword is missing, or the retuned line is commented\nout, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to\nonly implement DoD-approved encryption.\n\nEdit the SSH daemon configuration \\\"/etc/ssh/sshd_config\\\" and remove any\nciphers not starting with \\\"aes\\\" and remove any ciphers ending with \\\"cbc\\\".\nIf necessary, append the \\\"Ciphers\\\" line to the \\\"/etc/ssh/sshd_config\\\"\ndocument.\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w[aes128-ctr aes192-ctr aes256-ctr] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75899.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75829.rb", "line": 3 }, - "id": "V-75899" + "id": "V-75829" }, { - "title": "Successful/unsuccessful uses of the apparmor_parser command must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must not have accounts configured with\nblank or null passwords.", + "desc": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"apparmor_parser\" command\noccur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w apparmor_parser /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"apparmor_parser\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.", + "check": "To verify that null passwords cannot be used, run the following\ncommand:\n\n# grep pam_unix.so /etc/pam.d/* | grep nullok\nIf this produces any output, it may be possible to log on with accounts with\nempty passwords.\n\nIf null passwords can be used, this is a finding.", + "fix": "If an account is configured for password authentication but does\nnot have an assigned password, it may be possible to log on to the account\nwithout authenticating.\n\nRemove any instances of the \"nullok\" option in files under \"/etc/pam.d/\" to\nprevent logons with empty passwords." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75765", - "rid": "SV-90445r3_rule", - "stig_id": "UBTU-16-020700", - "fix_id": "F-82393r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75479", + "rid": "SV-90159r1_rule", + "stig_id": "UBTU-16-010250", + "fix_id": "F-82107r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
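Review bot: In the new V-75829 `"code"` string, a missing `Ciphers` keyword leaves `inspec.sshd_config.params['ciphers']` nil and the control then hands nil straight to `describe ... should be_in`; the check text treats an absent keyword as its own finding condition, but the report would presumably read "expected nil to be in [...]" rather than saying the keyword is missing (whether `be_in` fails cleanly or raises on nil depends on the InSpec version and is worth confirming). Guarding the nil case explicitly, using the `describe '...' do subject { } end` form this profile already uses in other controls, makes the result self-explaining; a local variable instead of `@ciphers_array` also avoids depending on an instance variable set in the control body. The control body is entirely inside this hunk.
```ruby
# … unchanged: title, desc, impact, tags, desc 'check' / desc 'fix' …

  ciphers = inspec.sshd_config.params['ciphers']

  if ciphers.nil?
    # An absent Ciphers keyword is a finding per the check text; report it by name
    describe 'Ciphers keyword in /etc/ssh/sshd_config' do
      subject { ciphers }
      it { should_not be_nil }
    end
  else
    describe ciphers.first.split(',') do
      it { should be_in %w[aes128-ctr aes192-ctr aes256-ctr] }
    end
  end
```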
@@ -8257,48 +8165,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75765' do\n title \"Successful/unsuccessful uses of the apparmor_parser command must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75765'\n tag \"rid\": 'SV-90445r3_rule'\n tag \"stig_id\": 'UBTU-16-020700'\n tag \"fix_id\": 'F-82393r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"apparmor_parser\\\" command\noccur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w apparmor_parser /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented 
out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75479' do\n title \"The Ubuntu operating system must not have accounts configured with\nblank or null passwords.\"\n desc \"If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75479'\n tag \"rid\": 'SV-90159r1_rule'\n tag \"stig_id\": 'UBTU-16-010250'\n tag \"fix_id\": 'F-82107r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"To verify that null passwords cannot be used, run the following\ncommand:\n\n# grep pam_unix.so /etc/pam.d/* | grep nullok\nIf this produces any output, it may be possible to log on with accounts with\nempty passwords.\n\nIf null passwords can be used, this is a finding.\"\n desc 'fix', \"If an account is configured for password authentication but does\nnot have an assigned password, it may be possible to log on to the account\nwithout authenticating.\n\nRemove any instances of the \\\"nullok\\\" option in files under \\\"/etc/pam.d/\\\" to\nprevent logons with empty passwords.\"\n\n describe command('grep pam_unix.so /etc/pam.d/* | grep nullok') do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75765.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75479.rb", "line": 3 }, - "id": "V-75765" + "id": "V-75479" }, { - "title": "The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a command line user logon.", - "desc": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive 
Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", + "title": "The /var/log/syslog file must be group-owned by adm.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", - "check": "Verify the Ubuntu operating system displays the Standard\nMandatory DoD Notice and Consent Banner before granting access to the Ubuntu\noperating system via a command line user logon.\n\nCheck that the Ubuntu operating system displays a banner at the command line\nlogin screen with the following command:\n\n# cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent\nBanner exactly, this is a finding.", - "fix": "Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system\nvia command line logon.\n\nEdit the \"/etc/issue\" file to replace the default text with the Standard\nMandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the \"/var/log/syslog\" file is group-owned by \"adm\".\n\nCheck that \"/var/log/syslog\" is group-owned by \"adm\" with the following\ncommand:\n\n# ls -la /var/log/syslog | cut -d' ' -f4\n\nadm\n\nIf \"adm\" is not returned as a result, this is a finding.", + "fix": "Change the group of the file \"/var/log/syslog\" to \"adm\" by\nrunning the following command:\n\n# sudo chgrp adm /var/log/syslog" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000228-GPOS-00088" - ], - "gid": "V-75435", - "rid": "SV-90115r2_rule", - "stig_id": "UBTU-16-010030", - "fix_id": "F-82063r2_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-75599", + "rid": "SV-90279r2_rule", + "stig_id": "UBTU-16-010970", + "fix_id": "F-82227r2_fix", "cci": [ - "CCI-000048", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-001314" ], "nist": [ - "AC-8 a", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 2", - "AC-8\nc 3", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
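Review bot: The `grep pam_unix.so /etc/pam.d/* | grep nullok` in the new V-75479 `"code"` string also matches commented-out lines, so a `#`-prefixed example or leftover line containing `nullok` fails the control even though PAM never evaluates it; the check text only says such output "may" indicate a problem, while `its('stdout.strip') { should be_empty }` turns every match into a finding. Filtering comments between the two greps, e.g. `grep -v '^[^:]*:[[:space:]]*#'` (the `[^:]*:` skips the filename prefix grep prepends when searching several files), keeps the automated result aligned with what PAM actually applies. `nullok_secure` still matches under that filter, which appears intended given the fix text asks for every `nullok` instance to be removed.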
@@ -8312,34 +8206,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75435' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a command line user logon.\"\n desc \"Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or 
monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\\\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \\\"I've read and consent to terms in IS user agreem't.\\\"\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"satisfies\": %w[SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088]\n tag \"gid\": 'V-75435'\n tag \"rid\": 'SV-90115r2_rule'\n tag \"stig_id\": 'UBTU-16-010030'\n tag \"fix_id\": 'F-82063r2_fix'\n tag \"cci\": %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386\n CCI-001387 CCI-001388]\n tag \"nist\": ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', \"AC-8\nc 3\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system displays the Standard\nMandatory DoD Notice and Consent Banner before granting access to the Ubuntu\noperating system via a command line user logon.\n\nCheck that the Ubuntu operating system displays a banner at the command line\nlogin screen with the following command:\n\n# cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent\nBanner exactly, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system\nvia command line logon.\n\nEdit the \\\"/etc/issue\\\" file to replace the default text with the Standard\nMandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\\\"\"\n\n banner_text = file('/etc/issue').content.gsub(/[\\r\\n\\s]/, '')\n\n describe 'Banner text' do\n subject { banner_text }\n it { should eq input('banner_text').gsub(/[\\r\\n\\s]/, '') }\n end\nend\n", + "code": "control 'V-75599' do\n title 'The /var/log/syslog file must be group-owned by adm.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. 
Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75599'\n tag \"rid\": 'SV-90279r2_rule'\n tag \"stig_id\": 'UBTU-16-010970'\n tag \"fix_id\": 'F-82227r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the \\\"/var/log/syslog\\\" file is group-owned by \\\"adm\\\".\n\nCheck that \\\"/var/log/syslog\\\" is group-owned by \\\"adm\\\" with the following\ncommand:\n\n# ls -la /var/log/syslog | cut -d' ' -f4\n\nadm\n\nIf \\\"adm\\\" is not returned as a result, this is a finding.\"\n desc 'fix', \"Change the group of the file \\\"/var/log/syslog\\\" to \\\"adm\\\" by\nrunning the following command:\n\n# sudo chgrp adm /var/log/syslog\"\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75435.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75599.rb", "line": 3 }, - "id": "V-75435" + "id": "V-75599" }, { - "title": "Ubuntu operating system sessions must be automatically logged out\nafter 15 minutes of inactivity.", - "desc": "An Ubuntu operating system needs to be able to identify when a user's\nsessions has idled 
for longer than 15 minutes. The Ubuntu operating system must\nlogout a users' session after 15 minutes to prevent anyone from gaining access\nto the machine while the user is away.", + "title": "Audit tools must be owned by root.", + "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", "descriptions": { - "default": "An Ubuntu operating system needs to be able to identify when a user's\nsessions has idled for longer than 15 minutes. 
The Ubuntu operating system must\nlogout a users' session after 15 minutes to prevent anyone from gaining access\nto the machine while the user is away.", - "check": "Verify the Ubuntu operating system initiates a session logout\nafter a \"15\" minutes of inactivity.\n\nCheck that the proper auto logout script exists with the following command:\n\n# cat /etc/profile.d/autologout.sh\nTMOUT=900\nreadonly TMOUT\nexport TMOUT\n\nIf the file \"/etc/profile.d/autologout.sh\" does not exist, the timeout values\nare commented out, the output from the function call are not the same, this is\na finding.", - "fix": "Configure the Ubuntu operating system to initiate a session\nlogout after a \"15\" minutes of inactivity.\n\nCreate a file to contain the system-wide session auto logout script (if it does\nnot already exist) with the following command:\n\n# sudo touch /etc/profile.d/autologout.sh\n\nAdd the following lines to the \"/etc/profile.d/autologout.sh\" script:\n\nTMOUT=900\nreadonly TMOUT\nexport TMOUT" + "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.",
+ "check": "Verify the audit tools are owned by \"root\" to prevent any\nunauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following command:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not owned by \"root\", this is a finding.",
+ "fix": "Configure the audit tools to be owned by \"root\", by running the\nfollowing command:\n\n# sudo chown root [audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by \"root\"."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000029-GPOS-00010",
- "gid": "V-75441",
- "rid": "SV-90121r2_rule",
- "stig_id": "UBTU-16-010060",
- "fix_id": "F-82069r2_fix",
+ "gtitle": "SRG-OS-000256-GPOS-00097",
+ "satisfies": [
+ "SRG-OS-000256-GPOS-00097",
+ "SRG-OS-000257-GPOS-00098",
+ "SRG-OS-000258-GPOS-00099"
+ ],
+ "gid": "V-75655",
+ "rid": "SV-90335r2_rule",
+ "stig_id": "UBTU-16-020190",
+ "fix_id": "F-82283r2_fix",
 "cci": [
- "CCI-000057"
+ "CCI-001493",
+ "CCI-001494",
+ "CCI-001495"
 ],
 "nist": [
- "AC-11 a",
+ "AU-9",
+ "AU-9",
+ "AU-9",
 "Rev_4"
 ],
 "false_negatives": null,
@@ -8353,116 +8256,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75441' do\n title \"Ubuntu operating system sessions must be automatically logged out\nafter 15 minutes of inactivity.\"\n desc \"An Ubuntu operating system needs to be able to identify when a user's\nsessions has idled for longer than 15 minutes. The Ubuntu operating system must\nlogout a users' session after 15 minutes to prevent anyone from gaining access\nto the machine while the user is away.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000029-GPOS-00010'\n tag \"gid\": 'V-75441'\n tag \"rid\": 'SV-90121r2_rule'\n tag \"stig_id\": 'UBTU-16-010060'\n tag \"fix_id\": 'F-82069r2_fix'\n tag \"cci\": ['CCI-000057']\n tag \"nist\": ['AC-11 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system initiates a session logout\nafter a \\\"15\\\" minutes of inactivity.\n\nCheck that the proper auto logout script exists with the following command:\n\n# cat /etc/profile.d/autologout.sh\nTMOUT=900\nreadonly TMOUT\nexport TMOUT\n\nIf the file \\\"/etc/profile.d/autologout.sh\\\" does not exist, the timeout values\nare commented out, the output from the function call are not the same, this is\na finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to initiate a session\nlogout after a \\\"15\\\" minutes of inactivity.\n\nCreate a file to contain the system-wide session auto logout script (if it does\nnot already exist) with the following command:\n\n# sudo touch /etc/profile.d/autologout.sh\n\nAdd the following lines to the \\\"/etc/profile.d/autologout.sh\\\" script:\n\nTMOUT=900\nreadonly TMOUT\nexport TMOUT\"\n\n describe 
file('/etc/profile.d/autologout.sh') do\n it { should exist }\n its('content') { should match /^\\s*TMOUT=900\\s*$/ }\n its('content') { should match /^\\s*readonly\\s+TMOUT\\s*$/ }\n its('content') { should match /^\\s*export\\s+TMOUT\\s*$/ }\n end\nend\n", + "code": "control 'V-75655' do\n title 'Audit tools must be owned by root.'\n desc \"Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000256-GPOS-00097'\n tag \"satisfies\": %w[SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098\n SRG-OS-000258-GPOS-00099]\n tag \"gid\": 'V-75655'\n tag \"rid\": 'SV-90335r2_rule'\n tag \"stig_id\": 'UBTU-16-020190'\n tag \"fix_id\": 'F-82283r2_fix'\n tag \"cci\": %w[CCI-001493 CCI-001494 CCI-001495]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit tools are owned by \\\"root\\\" to prevent any\nunauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following command:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit tools to be owned by \\\"root\\\", by running the\nfollowing command:\n\n# sudo chown root [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by \\\"root\\\".\"\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75441.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75655.rb", "line": 3 }, - "id": "V-75441" + "id": "V-75655" }, { - "title": "Remote X connections for interactive users must be encrypted.", - "desc": "Open X displays allow an attacker to capture keystrokes and execute\ncommands remotely.", + "title": "All world-writable 
directories must be group-owned by root, sys, bin,\nor an application group.", + "desc": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", "descriptions": { - "default": "Open X displays allow an attacker to capture keystrokes and execute\ncommands remotely.", - "check": "Verify remote X connections for interactive users are encrypted.\n\nCheck that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config\nX11Forwarding yes\n\nIf the \"X11Forwarding\" keyword is set to \"no\", is missing, or is commented\nout, this is a finding.", - "fix": "Configure SSH to encrypt connections for interactive users.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11Forwarding\" keyword and set its value to \"yes\":\n\nX11Forwarding yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "check": "Verify that all world-writable directories are group-owned by\nroot to prevent unauthorized and unintended information transferred via shared\nsystem resources.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.", + "fix": "Change the group of the world-writable directories to root, sys,\nbin, or an application group with the following command, replacing\n\"[world-writable Directory]\":\n\n# sudo chgrp root [world-writable Directory]" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75853", - "rid": "SV-90533r2_rule", - "stig_id": "UBTU-16-030400", - "fix_id": "F-82483r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", - "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null - }, - "code": "control 'V-75853' do\n title 'Remote X connections for 
interactive users must be encrypted.'\n desc \"Open X displays allow an attacker to capture keystrokes and execute\ncommands remotely.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75853'\n tag \"rid\": 'SV-90533r2_rule'\n tag \"stig_id\": 'UBTU-16-030400'\n tag \"fix_id\": 'F-82483r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify remote X connections for interactive users are encrypted.\n\nCheck that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config\nX11Forwarding yes\n\nIf the \\\"X11Forwarding\\\" keyword is set to \\\"no\\\", is missing, or is commented\nout, this is a finding.\"\n desc 'fix', \"Configure SSH to encrypt connections for interactive users.\n\nEdit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the\n\\\"X11Forwarding\\\" keyword and set its value to \\\"yes\\\":\n\nX11Forwarding yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('x11forwarding') { should cmp 'yes' }\n end\nend\n", - "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75853.rb", - "line": 3 - }, - "id": "V-75853" - }, - { - "title": "The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system\nmust be disabled if GNOME is installed.", - "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. 
If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", - "descriptions": { - "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", - "check": "Verify the Ubuntu operating system is not configured to reboot\nthe system when Ctrl-Alt-Delete is pressed when using GNOME.\n\nCheck that the \"logout\" target is not bound to an action with the following\ncommand:\n\n# grep logout /etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is commented out, or is missing,\nthis is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence when\nusing GNOME by creating or editing the /etc/dconf/db/local.d/00-disable-CAD\nfile.\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=’’\n\nThen update the dconf settings:\n\n# dconf update" - }, - "impact": 0, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-80957", - "rid": "SV-95669r1_rule", - "stig_id": "UBTU-16-010631", - "fix_id": "F-87833r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", - "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - 
"potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null - }, - "code": "control 'V-80957' do\n title \"The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system\nmust be disabled if GNOME is installed.\"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-80957'\n tag \"rid\": 'SV-95669r1_rule'\n tag \"stig_id\": 'UBTU-16-010631'\n tag \"fix_id\": 'F-87833r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot\nthe system when Ctrl-Alt-Delete is pressed when using GNOME.\n\nCheck that the \\\"logout\\\" target is not bound to an action with the following\ncommand:\n\n# grep logout /etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is commented out, or is missing,\nthis is a finding.\"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when\nusing GNOME by creating or editing the /etc/dconf/db/local.d/00-disable-CAD\nfile.\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for 
GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=’’\n\nThen update the dconf settings:\n\n# dconf update\"\n\n gnome_installed = (package('ubuntu-gnome-desktop').installed? || package('ubuntu-desktop').installed?)\n\n if gnome_installed\n logout_enabled = command('gsettings get org.gnome.settings-daemon.plugins.media-keys logout')\n describe logout_enabled do\n its('stdout') { should cmp '' }\n end\n else\n impact 0\n describe 'Control Not Applicable as GNOME dekstop environment is not installed' do\n subject { gnome_installed }\n it { should be false }\n end\n end\nend\n", - "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-80957.rb", - "line": 3 - }, - "id": "V-80957" - }, - { - "title": "The Ubuntu operating system must be configured to use TCP syncookies.", - "desc": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n Managing excess capacity ensures that sufficient capacity is available to\ncounter flooding attacks. Employing increased capacity and service redundancy\nmay reduce the susceptibility to some DoS attacks. Managing excess capacity may\ninclude, for example, establishing selected usage priorities, quotas, or\npartitioning.", - "descriptions": { - "default": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n Managing excess capacity ensures that sufficient capacity is available to\ncounter flooding attacks. Employing increased capacity and service redundancy\nmay reduce the susceptibility to some DoS attacks. 
Managing excess capacity may\ninclude, for example, establishing selected usage priorities, quotas, or\npartitioning.",
- "check": "Verify the Ubuntu operating system is configured to use TCP\nsyncookies.\n\nCheck the value of TCP syncookies with the following command:\n\n# sysctl net.ipv4.tcp_syncookies\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.",
- "fix": "Configure the Ubuntu operating system to use TCP syncookies, by\nrunning the following command:\n\n# sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.tcp_syncookies = 1"
- },
- "impact": 0.5,
- "refs": [],
- "tags": {
- "gtitle": "SRG-OS-000142-GPOS-00071",
- "gid": "V-75869",
- "rid": "SV-90549r2_rule",
- "stig_id": "UBTU-16-030510",
- "fix_id": "F-82499r2_fix",
+ "gtitle": "SRG-OS-000138-GPOS-00069",
+ "gid": "V-75513",
+ "rid": "SV-90193r3_rule",
+ "stig_id": "UBTU-16-010420",
+ "fix_id": "F-82141r2_fix",
 "cci": [
- "CCI-001095"
+ "CCI-001090"
 ],
 "nist": [
- "SC-5 (2)",
+ "SC-4",
 "Rev_4"
 ],
 "false_negatives": null,
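Review bot: `audit_tools.each` in the V-75655 code emits no `describe` block at all when the `audit_tools` input is empty or undefined, so the control produces no result instead of a finding, while the check text in the same hunk enumerates seven concrete binaries under /sbin that a missing input would silently leave unexamined. A guard before the loop makes the dependency explicit, e.g. `describe 'audit_tools input' do; subject { audit_tools }; it { should_not be_empty }; end`, or the profile could fall back to that list when the input is absent. Separately, `tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]` and the matching `nist` array repeat AU-9 three times; one entry is presumably enough unless a downstream consumer expects one NIST reference per CCI. The hunk also begins the V-75513 control, whose `code` is in the following hunk.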
@@ -8476,42 +8297,40 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75869' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies.'\n desc \"DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n Managing excess capacity ensures that sufficient capacity is available to\ncounter flooding attacks. Employing increased capacity and service redundancy\nmay reduce the susceptibility to some DoS attacks. Managing excess capacity may\ninclude, for example, establishing selected usage priorities, quotas, or\npartitioning.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000142-GPOS-00071'\n tag \"gid\": 'V-75869'\n tag \"rid\": 'SV-90549r2_rule'\n tag \"stig_id\": 'UBTU-16-030510'\n tag \"fix_id\": 'F-82499r2_fix'\n tag \"cci\": ['CCI-001095']\n tag \"nist\": ['SC-5 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP\nsyncookies.\n\nCheck the value of TCP syncookies with the following command:\n\n# sysctl net.ipv4.tcp_syncookies\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies, by\nrunning the following command:\n\n# sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.tcp_syncookies = 1\"\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') 
{ should cmp 1 }\n end\nend\n", + "code": "control 'V-75513' do\n title \"All world-writable directories must be group-owned by root, sys, bin,\nor an application group.\"\n desc \"If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-75513'\n tag \"rid\": 'SV-90193r3_rule'\n tag \"stig_id\": 'UBTU-16-010420'\n tag \"fix_id\": 'F-82141r2_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": %w[SC-4 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all world-writable directories are group-owned by\nroot to prevent unauthorized and unintended information transferred via shared\nsystem resources.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\\\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.\"\n desc 'fix', \"Change the group of the world-writable directories to root, sys,\nbin, or an application group with the following command, replacing\n\\\"[world-writable Directory]\\\":\n\n# sudo chgrp root 
[world-writable Directory]\"\n\n application_groups = input('application_groups')\n\n directories = command('find / -xdev -type d -perm -0002 -exec ls -Ld {} \\\\;').stdout.strip.split(\"\\n\").entries\n if directories.count > 0\n directories.each do |entry|\n describe directory(entry) do\n its('group') { should be_in %w[root sys bin] + application_groups }\n end\n end\n else\n describe 'No world-writable directories found' do\n skip 'No world-writable directories found on the system'\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75869.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75513.rb", "line": 3 }, - "id": "V-75869" + "id": "V-75513" }, { - "title": "The Trivial File Transfer Protocol (TFTP) server package must not be\ninstalled if not required for operational support.", - "desc": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", + "title": "The telnet package must not be installed.", + "desc": "It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. 
Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software, not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", "descriptions": { - "default": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", - "check": "Verify a Trivial File Transfer Protocol (TFTP) server has not\nbeen installed.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1\n\nIf TFTP is installed and the requirement for TFTP is not documented with the\nInformation System Security Officer (ISSO), this is a finding.", - "fix": "Remove the Trivial File Transfer Protocol (TFTP) package from the\nsystem with the following command:\n\n# sudo apt-get remove tftpd-hpa" + "default": "It is detrimental for Ubuntu operating systems to provide, or install\nby default, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. 
Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software, not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.",
+ "check": "Verify that the telnet package is not installed on the Ubuntu\noperating system.\n\nCheck that the telnet daemon is not installed on the Ubuntu operating system by\nrunning the following command:\n\n# sudo apt list telnetd\n\nIf the package is installed, this is a finding.",
+ "fix": "Remove the telnet package from the Ubuntu operating system by\nrunning the following command:\n\n# sudo apt-get remove telnetd"
 },
 "impact": 0.7,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75897",
- "rid": "SV-90577r2_rule",
- "stig_id": "UBTU-16-030720",
- "fix_id": "F-82527r1_fix",
+ "gtitle": "SRG-OS-000074-GPOS-00042",
+ "satisfies": [
+ "SRG-OS-000074-GPOS-00042",
+ "SRG-OS-000095-GPOS-00049"
+ ],
+ "gid": "V-75797",
+ "rid": "SV-90477r2_rule",
+ "stig_id": "UBTU-16-030000",
+ "fix_id": "F-82427r1_fix",
 "cci": [
- "CCI-000318",
- "CCI-000368",
- "CCI-001812",
- "CCI-001813",
- "CCI-001814"
+ "CCI-000197",
+ "CCI-000381"
 ],
 "nist": [
- "CM-3 f",
- "CM-6 c",
- "CM-11 (2)",
- "CM-5 (1)",
- "CM-5 (1)",
+ "IA-5 (1) (c)",
+ "CM-7 a",
 "Rev_4"
 ],
 "false_negatives": null,
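Review bot: The `find / -xdev ...` in the V-75513 code stops at filesystem boundaries, so world-writable directories on separately mounted filesystems (a separate /tmp, /var or /home partition is common on hardened hosts) are never examined, while the check text in the same hunk runs `find /` without `-xdev`. Pruning pseudo-filesystems instead keeps the check text's coverage, e.g. `find / -type d -perm -0002 ! -fstype proc ! -fstype sysfs -exec ls -Ld {} \\;`. The `directories.count > 0` branch also turns a `find` that fails outright (no output on stdout, e.g. when not run with sufficient privilege) into the "No world-writable directories found" skip; checking the command's `exit_status` before the loop would separate a clean empty result from a failed scan. The hunk additionally begins the V-75797 control, whose `code` is in the following hunk.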
@@ -8525,34 +8344,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75897' do\n title \"The Trivial File Transfer Protocol (TFTP) server package must not be\ninstalled if not required for operational support.\"\n desc \"If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75897'\n tag \"rid\": 'SV-90577r2_rule'\n tag \"stig_id\": 'UBTU-16-030720'\n tag \"fix_id\": 'F-82527r1_fix'\n tag \"cci\": %w[CCI-000318 CCI-000368 CCI-001812 CCI-001813\n CCI-001814]\n tag \"nist\": ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify a Trivial File Transfer Protocol (TFTP) server has not\nbeen installed.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1\n\nIf TFTP is installed and the requirement for TFTP is not documented with the\nInformation System Security Officer (ISSO), this is a finding.\"\n desc 'fix', \"Remove the Trivial File Transfer Protocol (TFTP) package from the\nsystem with the following command:\n\n# sudo apt-get remove tftpd-hpa\"\n\n describe package('tftpd-hpa') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-75797' do\n title 'The telnet package must not be installed.'\n desc \"It is detrimental for Ubuntu operating systems to provide, or install\nby default, 
functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Ubuntu operating systems are capable of providing a wide variety of\nfunctions and services. Some of the functions and services, provided by\ndefault, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software, not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000074-GPOS-00042'\n tag \"satisfies\": %w[SRG-OS-000074-GPOS-00042 SRG-OS-000095-GPOS-00049]\n tag \"gid\": 'V-75797'\n tag \"rid\": 'SV-90477r2_rule'\n tag \"stig_id\": 'UBTU-16-030000'\n tag \"fix_id\": 'F-82427r1_fix'\n tag \"cci\": %w[CCI-000197 CCI-000381]\n tag \"nist\": ['IA-5 (1) (c)', 'CM-7 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu\noperating system.\n\nCheck that the telnet daemon is not installed on the Ubuntu operating system by\nrunning the following command:\n\n# sudo apt list telnetd\n\nIf the package is installed, this is a finding.\"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by\nrunning the following command:\n\n# sudo apt-get remove telnetd\"\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n", "source_location": { 
- "ref": "./Ubuntu 16.04 STIG/controls/V-75897.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75797.rb", "line": 3 }, - "id": "V-75897" + "id": "V-75797" }, { - "title": "The Network Information Service (NIS) package must not be installed.", - "desc": "Removing the Network Information Service (NIS) package decreases the\nrisk of the accidental (or intentional) activation of NIS or NIS+ services.", + "title": "The SSH daemon must not allow compression or must only allow\ncompression after successful authentication.", + "desc": "If compression is allowed in an SSH connection prior to\nauthentication, vulnerabilities in the compression software could result in\ncompromise of the system from an unauthenticated connection, potentially with\nroot privileges.", "descriptions": { - "default": "Removing the Network Information Service (NIS) package decreases the\nrisk of the accidental (or intentional) activation of NIS or NIS+ services.", - "check": "Verify that the Network Information Service (NIS) package is\nnot installed on the Ubuntu operating system.\n\nCheck to see if the NIS package is installed with the following command:\n\n# sudo apt list nis\n\nIf the NIS package is installed, this is a finding.", - "fix": "Configure the Ubuntu operating system to disable non-essential\ncapabilities by removing the Network Information Service (NIS) package from the\nsystem with the following command:\n\n# sudo apt-get remove nis" + "default": "If compression is allowed in an SSH connection prior to\nauthentication, vulnerabilities in the compression software could result in\ncompromise of the system from an unauthenticated connection, potentially with\nroot privileges.", + "check": "Verify the SSH daemon performs compression after a user\nsuccessfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully\nauthenticates with the following command:\n\n# grep Compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the \"Compression\" keyword 
is set to \"yes\", is missing, or the returned\nline is commented out, this is a finding.", + "fix": "Configure SSH to use compression. Uncomment the \"Compression\"\nkeyword in \"/etc/ssh/sshd_config\" on the system and set the value to\n\"delayed\" or \"no\":\n\nCompression no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-75799", - "rid": "SV-90479r2_rule", - "stig_id": "UBTU-16-030010", - "fix_id": "F-82429r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75851", + "rid": "SV-90531r2_rule", + "stig_id": "UBTU-16-030350", + "fix_id": "F-82481r3_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -8566,12 +8385,12 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75799' do\n title 'The Network Information Service (NIS) package must not be installed.'\n desc \"Removing the Network Information Service (NIS) package decreases the\nrisk of the accidental (or intentional) activation of NIS or NIS+ services.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-75799'\n tag \"rid\": 'SV-90479r2_rule'\n tag \"stig_id\": 'UBTU-16-030010'\n tag \"fix_id\": 'F-82429r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Network Information Service (NIS) package is\nnot installed on the Ubuntu operating system.\n\nCheck to see if the NIS package is installed with the following command:\n\n# sudo apt list nis\n\nIf the NIS package is installed, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential\ncapabilities by removing the Network Information Service (NIS) package from the\nsystem with the following command:\n\n# sudo apt-get remove nis\"\n\n describe package('nis') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-75851' do\n title \"The SSH daemon must not allow compression or must only allow\ncompression after successful authentication.\"\n desc \"If compression is allowed in an SSH connection prior to\nauthentication, vulnerabilities in the compression software could result in\ncompromise of the system from an unauthenticated connection, potentially with\nroot privileges.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75851'\n tag \"rid\": 
'SV-90531r2_rule'\n tag \"stig_id\": 'UBTU-16-030350'\n tag \"fix_id\": 'F-82481r3_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon performs compression after a user\nsuccessfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully\nauthenticates with the following command:\n\n# grep Compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the \\\"Compression\\\" keyword is set to \\\"yes\\\", is missing, or the returned\nline is commented out, this is a finding.\"\n desc 'fix', \"Configure SSH to use compression. Uncomment the \\\"Compression\\\"\nkeyword in \\\"/etc/ssh/sshd_config\\\" on the system and set the value to\n\\\"delayed\\\" or \\\"no\\\":\n\nCompression no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe.one do\n describe sshd_config do\n its('Compression') { should cmp 'delayed' }\n end\n describe sshd_config do\n its('Compression') { should cmp 'no' }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75799.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75851.rb", "line": 3 }, - "id": "V-75799" + "id": "V-75851" }, { "title": "Audit logs must have a mode of 0600 or less permissive to prevent\nunauthorized read access.", 
@@ -8624,26 +8443,26 @@ "id": "V-75635" }, { - "title": "The /var/log/syslog file must be group-owned by adm.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "Passwords for new users must have a 60-day maximum password lifetime\nrestriction.", + "desc": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If the Ubuntu operating\nsystem does not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the Ubuntu operating system passwords could\nbe compromised.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify the \"/var/log/syslog\" file is group-owned by \"adm\".\n\nCheck that \"/var/log/syslog\" is group-owned by \"adm\" with the following\ncommand:\n\n# ls -la /var/log/syslog | cut -d' ' -f4\n\nadm\n\nIf \"adm\" is not returned as a result, this is a finding.", - "fix": "Change the group of the file \"/var/log/syslog\" to \"adm\" by\nrunning the following command:\n\n# sudo chgrp adm /var/log/syslog" + "default": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If the Ubuntu operating\nsystem does not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the Ubuntu operating system passwords could\nbe compromised.", + "check": "Verify that the Ubuntu operating system enforces a 60-day\nmaximum password lifetime for new user accounts by running the following\ncommand:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\", or commented out,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a 60-day maximum\npassword lifetime.\n\nAdd, or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-75599", - "rid": "SV-90279r2_rule", - "stig_id": "UBTU-16-010970", - "fix_id": "F-82227r2_fix", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": "V-75473", + "rid": "SV-90153r2_rule", + "stig_id": "UBTU-16-010220", + "fix_id": "F-82101r2_fix", "cci": [ - "CCI-001314" + "CCI-000199" ], "nist": [ - "SI-11 b", + "IA-5 (1) (d)", "Rev_4" ], "false_negatives": null, 
@@ -8657,34 +8476,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75599' do\n title 'The /var/log/syslog file must be group-owned by adm.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75599'\n tag \"rid\": 'SV-90279r2_rule'\n tag \"stig_id\": 'UBTU-16-010970'\n tag \"fix_id\": 'F-82227r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the \\\"/var/log/syslog\\\" file is group-owned by \\\"adm\\\".\n\nCheck that \\\"/var/log/syslog\\\" is group-owned by \\\"adm\\\" with the following\ncommand:\n\n# ls -la /var/log/syslog | cut -d' ' -f4\n\nadm\n\nIf \\\"adm\\\" is not returned as a result, this is a finding.\"\n desc 'fix', \"Change the group of the file \\\"/var/log/syslog\\\" to \\\"adm\\\" by\nrunning the following command:\n\n# sudo chgrp adm /var/log/syslog\"\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n", + 
"code": "control 'V-75473' do\n title \"Passwords for new users must have a 60-day maximum password lifetime\nrestriction.\"\n desc \"Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If the Ubuntu operating\nsystem does not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the Ubuntu operating system passwords could\nbe compromised.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000076-GPOS-00044'\n tag \"gid\": 'V-75473'\n tag \"rid\": 'SV-90153r2_rule'\n tag \"stig_id\": 'UBTU-16-010220'\n tag \"fix_id\": 'F-82101r2_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system enforces a 60-day\nmaximum password lifetime for new user accounts by running the following\ncommand:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\", or commented out,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum\npassword lifetime.\n\nAdd, or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60\"\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75599.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75473.rb", "line": 3 }, - "id": "V-75599" + "id": "V-75473" }, { - "title": "The SSH daemon must not allow compression or must only allow\ncompression after successful authentication.", - "desc": "If compression is allowed in an SSH 
connection prior to\nauthentication, vulnerabilities in the compression software could result in\ncompromise of the system from an unauthenticated connection, potentially with\nroot privileges.", + "title": "File system automounter must be disabled unless required.", + "desc": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", "descriptions": { - "default": "If compression is allowed in an SSH connection prior to\nauthentication, vulnerabilities in the compression software could result in\ncompromise of the system from an unauthenticated connection, potentially with\nroot privileges.", - "check": "Verify the SSH daemon performs compression after a user\nsuccessfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully\nauthenticates with the following command:\n\n# grep Compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned\nline is commented out, this is a finding.", - "fix": "Configure SSH to use compression. Uncomment the \"Compression\"\nkeyword in \"/etc/ssh/sshd_config\" on the system and set the value to\n\"delayed\" or \"no\":\n\nCompression no\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", + "check": "Verify the Ubuntu operating system disables the ability to\nautomount devices.\n\nCheck to see if automounter service is active with the following command:\n\n# systemctl status autofs\n autofs.service - LSB: Automounts filesystems on demand\n Loaded: loaded (/etc/init.d/autofs; bad; vendor preset: enabled)\n Active: active (running) since Thu 2017-05-04 07:53:51 EDT; 6 days ago\n Docs: man:systemd-sysv-generator(8)\n CGroup: /system.slice/autofs.service\n +-24206 /usr/sbin/automount --pid-file /var/run/autofs.pid\n\nIf the \"autofs\" status is set to \"active\" and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", + "fix": "Configure the Ubuntu operating system to disable the ability to\nautomount devices.\n\nTurn off the automount service with the following command:\n\n# sudo systemctl stop autofs\n\nIf \"autofs\" is required for Network File System (NFS), it must be documented\nwith the Information System Security Officer (ISSO)." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75851", - "rid": "SV-90531r2_rule", - "stig_id": "UBTU-16-030350", - "fix_id": "F-82481r3_fix", + "gtitle": "SRG-OS-000114-GPOS-00059", + "satisfies": [ + "SRG-OS-000114-GPOS-00059", + "SRG-OS-000378-GPOS-00163", + "SRG-OS-000480-GPOS-00227" + ], + "gid": "V-75533", + "rid": "SV-90213r2_rule", + "stig_id": "UBTU-16-010590", + "fix_id": "F-82161r2_fix", "cci": [ - "CCI-000366" + "CCI-000366", + "CCI-000778", + "CCI-001958" ], "nist": [ "CM-6 b", + "IA-3", + "IA-3", "Rev_4" ], "false_negatives": null, 
@@ -8698,34 +8526,42 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75851' do\n title \"The SSH daemon must not allow compression or must only allow\ncompression after successful authentication.\"\n desc \"If compression is allowed in an SSH connection prior to\nauthentication, vulnerabilities in the compression software could result in\ncompromise of the system from an unauthenticated connection, potentially with\nroot privileges.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75851'\n tag \"rid\": 'SV-90531r2_rule'\n tag \"stig_id\": 'UBTU-16-030350'\n tag \"fix_id\": 'F-82481r3_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon performs compression after a user\nsuccessfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully\nauthenticates with the following command:\n\n# grep Compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the \\\"Compression\\\" keyword is set to \\\"yes\\\", is missing, or the returned\nline is commented out, this is a finding.\"\n desc 'fix', \"Configure SSH to use compression. Uncomment the \\\"Compression\\\"\nkeyword in \\\"/etc/ssh/sshd_config\\\" on the system and set the value to\n\\\"delayed\\\" or \\\"no\\\":\n\nCompression no\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe.one do\n describe sshd_config do\n its('Compression') { should cmp 'delayed' }\n end\n describe sshd_config do\n its('Compression') { should cmp 'no' }\n end\n end\nend\n", + "code": "control 'V-75533' do\n title 'File system automounter must be disabled unless required.'\n desc \"Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000114-GPOS-00059'\n tag \"satisfies\": %w[SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163\n SRG-OS-000480-GPOS-00227]\n tag \"gid\": 'V-75533'\n tag \"rid\": 'SV-90213r2_rule'\n tag \"stig_id\": 'UBTU-16-010590'\n tag \"fix_id\": 'F-82161r2_fix'\n tag \"cci\": %w[CCI-000366 CCI-000778 CCI-001958]\n tag \"nist\": ['CM-6 b', 'IA-3', 'IA-3', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system disables the ability to\nautomount devices.\n\nCheck to see if automounter service is active with the following command:\n\n# systemctl status autofs\n autofs.service - LSB: Automounts filesystems on demand\n Loaded: loaded (/etc/init.d/autofs; bad; vendor preset: enabled)\n Active: active (running) since Thu 2017-05-04 07:53:51 EDT; 6 days ago\n Docs: man:systemd-sysv-generator(8)\n CGroup: /system.slice/autofs.service\n +-24206 /usr/sbin/automount --pid-file /var/run/autofs.pid\n\nIf the \\\"autofs\\\" status is set to \\\"active\\\" and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.\"\n desc 'fix', \"Configure the Ubuntu 
operating system to disable the ability to\nautomount devices.\n\nTurn off the automount service with the following command:\n\n# sudo systemctl stop autofs\n\nIf \\\"autofs\\\" is required for Network File System (NFS), it must be documented\nwith the Information System Security Officer (ISSO).\"\n\n describe service('autofs') do\n it { should_not be_enabled }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75851.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75533.rb", "line": 3 }, - "id": "V-75851" + "id": "V-75533" }, { - "title": "All world-writable directories must be group-owned by root, sys, bin,\nor an application group.", - "desc": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "title": "Successful/unsuccessful uses of the chcon command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or 
those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", - "check": "Verify all world-writable directories are group-owned by root,\nsys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -perm -2 -type d ! -group sys ! -group root ! -group bin -exec\nls -lLd {} \\;\ndrwxrwsrwt 2 root whoops 4096 Jun 6 07:44 /var/crash\ndrwxrwsrwt 2 root whoops 4096 Jul 19 2016 /var/metrics\n\nIf any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.", - "fix": "Change the group of the world-writable directories to root with\nthe following command:\n\n# chgrp root " + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chcon /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chcon\" command.\n\nAdd or update the following rules in the 
\"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75583", - "rid": "SV-90263r2_rule", - "stig_id": "UBTU-16-010840", - "fix_id": "F-82211r1_fix", - "cci": [ - "CCI-000366" - ], + "gtitle": "SRG-OS-000037-GPOS-00015", + "gid": "V-80969", + "rid": "SV-95681r1_rule", + "stig_id": "UBTU-16-020690", + "fix_id": "F-87829r1_fix", + "cci": [ + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" + ], "nist": [ - "CM-6 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
@@ -8739,12 +8575,53 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75583' do\n title \"All world-writable directories must be group-owned by root, sys, bin,\nor an application group.\"\n desc \"If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75583'\n tag \"rid\": 'SV-90263r2_rule'\n tag \"stig_id\": 'UBTU-16-010840'\n tag \"fix_id\": 'F-82211r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all world-writable directories are group-owned by root,\nsys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -perm -2 -type d ! -group sys ! -group root ! 
-group bin -exec\nls -lLd {} \\\\;\ndrwxrwsrwt 2 root whoops 4096 Jun 6 07:44 /var/crash\ndrwxrwsrwt 2 root whoops 4096 Jul 19 2016 /var/metrics\n\nIf any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.\"\n desc 'fix', \"Change the group of the world-writable directories to root with\nthe following command:\n\n# chgrp root \"\n\n application_groups = input('application_groups')\n\n directories = command('find / -xdev -perm -2 -type d ! -group sys ! -group root ! -group bin -exec ls -lLd {} \\\\;').stdout.strip.split(\"\\n\").entries\n if directories.count > 0\n directories.each do |entry|\n describe directory(entry) do\n its('group') { should be_in %w[root sys bin] + application_groups }\n end\n end\n else\n describe 'No world-writable directories found on the system' do\n subject { directories }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-80969' do\n title \"Successful/unsuccessful uses of the chcon command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"gid\": 'V-80969'\n tag \"rid\": 'SV-95681r1_rule'\n tag \"stig_id\": 'UBTU-16-020690'\n tag \"fix_id\": 'F-87829r1_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": 
nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chcon\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chcon /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chcon\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75583.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-80969.rb", "line": 3 }, - "id": "V-75583" + "id": "V-80969" + }, + { + "title": "The Ubuntu operating system must be a vendor supported release.", + "desc": "An Ubuntu operating system release is considered \"supported\" if the\nvendor continues to provide security patches for the product. With an\nunsupported release, it will not be possible to resolve security issues\ndiscovered in the system software.", + "descriptions": { + "default": "An Ubuntu operating system release is considered \"supported\" if the\nvendor continues to provide security patches for the product. With an\nunsupported release, it will not be possible to resolve security issues\ndiscovered in the system software.", + "check": "Verify the version of the Ubuntu operating system is vendor\nsupported.\n\nCheck the version of the Ubuntu operating system with the following command:\n\n# cat /etc/lsb-release\n\nDISTRIB_RELEASE=16.04\nDISTRIB_CODENAME=xenial\nDISTRIB_DESCRIPTION=\"Ubuntu 16.04.1 LTS\"\n\nCurrent End of Life for Ubuntu 16.04 LTS is April 2021.\n\nIf the release is not supported by the vendor, this is a finding.", + "fix": "Upgrade to a supported version of the Ubuntu operating system." 
+ },
+ "impact": 0.7,
+ "refs": [],
+ "tags": {
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-75389",
+ "rid": "SV-90069r1_rule",
+ "stig_id": "UBTU-16-010000",
+ "fix_id": "F-82017r1_fix",
+ "cci": [
+ "CCI-001230"
+ ],
+ "nist": [
+ "SI-2 d",
+ "Rev_4"
+ ],
+ "false_negatives": null,
+ "false_positives": null,
+ "documentable": false,
+ "mitigations": null,
+ "severity_override_guidance": false,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_controls": null,
+ "responsibility": null,
+ "ia_controls": null
+ },
+ "code": "control 'V-75389' do\n title 'The Ubuntu operating system must be a vendor supported release.'\n desc \"An Ubuntu operating system release is considered \\\"supported\\\" if the\nvendor continues to provide security patches for the product. With an\nunsupported release, it will not be possible to resolve security issues\ndiscovered in the system software.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75389'\n tag \"rid\": 'SV-90069r1_rule'\n tag \"stig_id\": 'UBTU-16-010000'\n tag \"fix_id\": 'F-82017r1_fix'\n tag \"cci\": ['CCI-001230']\n tag \"nist\": ['SI-2 d', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the version of the Ubuntu operating system is vendor\nsupported.\n\nCheck the version of the Ubuntu operating system with the following command:\n\n# cat /etc/lsb-release\n\nDISTRIB_RELEASE=16.04\nDISTRIB_CODENAME=xenial\nDISTRIB_DESCRIPTION=\\\"Ubuntu 16.04.1 LTS\\\"\n\nCurrent End of Life for Ubuntu 16.04 LTS is April 2021.\n\nIf the release is not supported by the vendor, this is a finding.\"\n desc 'fix', 'Upgrade to a supported version of the Ubuntu operating system.'\n\n 
platform_name = input('platform_name')\n platform_release = input('platform_release')\n supported_until = input('supported_until')\n describe platform.name do\n it { should cmp platform_name }\n end\n\n describe platform.release do\n it { should cmp platform_release }\n end\n\n describe \"The current system is still within its End of Life of #{supported_until}\" do\n subject { Date.today <= Date.parse(supported_until) }\n it { should be true }\n end\nend\n", + "source_location": { + "ref": "./Ubuntu 16.04 STIG/controls/V-75389.rb", + "line": 3 + }, + "id": "V-75389" }, { "title": "Successful/unsuccessful uses of the delete_module command must\ngenerate an audit record.", 
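Review bot: The V-80969 check in this hunk's `code` string asserts only that an auditd rule for `/usr/bin/chcon` exists with an `x` permission and an action other than `never`; the `auid>=1000`/`auid!=4294967295` filters and the `-k perm_chng` key that the control's own check text requires are never asserted, so a rule weaker than the one the STIG text mandates still passes. The same pattern is reused for V-75779 and V-75687 in the two following hunks. Until the check is tightened, a comment such as `# NOTE: only path, perm and action are verified; the auid filters and -k key from the STIG rule text are not asserted` would make the gap visible to whoever relies on this baseline. In V-75389, `Date.parse(supported_until)` raises on a malformed `supported_until` input, which surfaces as a control error rather than a failed test; rescuing `ArgumentError` inside the `subject` block and returning `false` would report it as a finding instead.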
@@ -8804,26 +8681,42 @@ "id": "V-75795" }, { - "title": "The Ubuntu operating system must be configured to prevent unrestricted\nmail relaying.", - "desc": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", + "title": "Successful/unsuccessful uses of the unix_update command must generate\nan audit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", "descriptions": { - "default": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", - "check": "Determine if \"postfix\" is installed with the following\ncommands:\n\nNote: If postfix is not installed, this is Not Applicable.\n\n# dpkg -l | grep postfix\nii postfix 3.1.0-3\n\nVerify the Ubuntu operating system is configured to prevent unrestricted mail\nrelaying.\n\nIf postfix is installed, determine if it is configured to reject connections\nfrom unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\n\nsmtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject\n\nIf the \"smtpd_relay_restrictions\" parameter contains any entries other than\n\"permit_mynetworks\", \"permit_sasl_authenticated\" and \"reject\", is\nmissing, or is commented out, this is a finding.", - "fix": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\"\nfile to restrict client connections to the local network with the following\ncommand:\n\n# sudo postconf -e 'smtpd_relay_restrictions = 
permit_mynetworks,\npermit_sasl_authenticated, reject'" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"unix_update\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w \"unix_update\" /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-unix-update\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_update\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-unix-update\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75891",
- "rid": "SV-90571r2_rule",
- "stig_id": "UBTU-16-030620",
- "fix_id": "F-82521r2_fix",
+ "gtitle": "SRG-OS-000037-GPOS-00015",
+ "satisfies": [
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-75779",
+ "rid": "SV-90459r3_rule",
+ "stig_id": "UBTU-16-020770",
+ "fix_id": "F-82409r2_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
 ],
 "nist": [
- "CM-6 b",
+ "AU-3",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
 "Rev_4"
 ],
 "false_negatives": null, 
@@ -8837,34 +8730,54 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75891' do\n title \"The Ubuntu operating system must be configured to prevent unrestricted\nmail relaying.\"\n desc \"If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75891'\n tag \"rid\": 'SV-90571r2_rule'\n tag \"stig_id\": 'UBTU-16-030620'\n tag \"fix_id\": 'F-82521r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Determine if \\\"postfix\\\" is installed with the following\ncommands:\n\nNote: If postfix is not installed, this is Not Applicable.\n\n# dpkg -l | grep postfix\nii postfix 3.1.0-3\n\nVerify the Ubuntu operating system is configured to prevent unrestricted mail\nrelaying.\n\nIf postfix is installed, determine if it is configured to reject connections\nfrom unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\n\nsmtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject\n\nIf the \\\"smtpd_relay_restrictions\\\" parameter contains any entries other than\n\\\"permit_mynetworks\\\", \\\"permit_sasl_authenticated\\\" and \\\"reject\\\", is\nmissing, or is commented out, this is a finding.\"\n desc 'fix', \"If \\\"postfix\\\" is installed, modify the \\\"/etc/postfix/main.cf\\\"\nfile to restrict client connections to the local network with the following\ncommand:\n\n# sudo postconf -e 'smtpd_relay_restrictions = 
permit_mynetworks,\npermit_sasl_authenticated, reject'\"\n\n is_postfix_installed = package('postfix').installed?\n\n if is_postfix_installed\n postconf_output = command('postconf -n smtpd_client_restrictions').stdout.strip\n smtpd_relay_restrictions = postconf_output.split(' = ')[1].split(', ')\n describe smtpd_relay_restrictions do\n it { should be_in %w[permit_mynetworks permit_sasl_authenticated reject] }\n end\n else\n impact 0\n describe 'Control Not Applicable as postfix is not installed' do\n subject { is_postfix_installed }\n it { should be false }\n end\n end\nend\n", + "code": "control 'V-75779' do\n title \"Successful/unsuccessful uses of the unix_update command must generate\nan audit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75779'\n tag \"rid\": 'SV-90459r3_rule'\n tag \"stig_id\": 'UBTU-16-020770'\n tag \"fix_id\": 'F-82409r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for 
any\nsuccessful/unsuccessful use of the \\\"unix_update\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w \\\"unix_update\\\" /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-unix-update\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"unix_update\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-unix-update\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75891.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75779.rb", "line": 3 }, - "id": "V-75891" + "id": "V-75779" }, { - "title": "The Ubuntu operating system must enable a user session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.", - "desc": "A session lock is a temporary action taken when a user stops 
work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock shall remain in place until the user\nre-authenticates. No other activity aside from re-authentication shall unlock\nthe system.", + "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/security/opasswd.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock shall remain in place until the user\nre-authenticates. 
No other activity aside from re-authentication shall unlock\nthe system.", - "check": "Verify the operating system allows a user to lock the current\ngraphical user interface (GUI) session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this\nrequirement is Not Applicable.\n\nCheck to see if the Ubuntu operating system allows the user to lock the current\nGUI session with the following command:\n\n# gsettings get org.gnome.desktop.lock-enabled\n\ntrue\n\nIf \"lock-enabled\" is not set to \"true\", this is a finding.", - "fix": "Configure the Ubuntu operating system so that it allows a user to\nlock the current GUI session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this\nrequirement is Not Applicable.\n\nSet the \"lock-enabled\" setting in GNOME to allow GUI session locks with the\nfollowing command:\n\nNote: The command must be performed from a terminal window inside the graphical\nuser interface (GUI).\n\n# sudo gsettings set org.gnome.desktop.lock-enabled true" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/security/opasswd\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to generate audit records\nfor all 
account creations, modifications, disabling, and termination events\nthat affect \"/etc/security/opasswd\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/security/opasswd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000028-GPOS-00009",
- "gid": "V-75437",
- "rid": "SV-90117r3_rule",
- "stig_id": "UBTU-16-010040",
- "fix_id": "F-82065r2_fix",
+ "gtitle": "SRG-OS-000037-GPOS-00015",
+ "satisfies": [
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000304-GPOS-00121",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000470-GPOS-00214",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-75687",
+ "rid": "SV-90367r3_rule",
+ "stig_id": "UBTU-16-020340",
+ "fix_id": "F-82315r2_fix",
 "cci": [
- "CCI-000056"
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002132",
+ "CCI-002884"
 ],
 "nist": [
- "AC-11 b",
+ "AU-3",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "AC-2 (4)",
+ "MA-4 (1)\n(a)",
 "Rev_4"
 ],
 "false_negatives": null, 
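Review bot: The `nist` tag added for V-75687 carries `"MA-4 (1)\n(a)"` with an embedded newline, whereas every other control in this diff uses `"MA-4 (1) (a)"`; the same wrapped value is inside the control's `code` string in the next hunk (`\"MA-4 (1)\n(a)\"`), so it looks like a line wrap in the source control file named in `source_location` that leaked into the identifier. Any consumer that matches NIST control names by exact string will miss this control. It should read `"MA-4 (1) (a)",` and be corrected in the generating control file rather than in this export. Separately, the check text names the audit key `audit_rules_usergroup_modification` while the fix text names `identity`; the embedded check does not assert the key, but an assessor following the text literally would flag a system configured exactly as the fix instructs.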
@@ -8878,34 +8791,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75437' do\n title \"The Ubuntu operating system must enable a user session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.\"\n desc \"A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock shall remain in place until the user\nre-authenticates. No other activity aside from re-authentication shall unlock\nthe system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000028-GPOS-00009'\n tag \"gid\": 'V-75437'\n tag \"rid\": 'SV-90117r3_rule'\n tag \"stig_id\": 'UBTU-16-010040'\n tag \"fix_id\": 'F-82065r2_fix'\n tag \"cci\": ['CCI-000056']\n tag \"nist\": ['AC-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the operating system allows a user to lock the current\ngraphical user interface (GUI) session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this\nrequirement is Not Applicable.\n\nCheck to see if the Ubuntu operating system allows the user to lock the current\nGUI session with the following command:\n\n# gsettings get org.gnome.desktop.lock-enabled\n\ntrue\n\nIf \\\"lock-enabled\\\" is not set to \\\"true\\\", this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system so that it allows a user to\nlock the 
current GUI session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this\nrequirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting in GNOME to allow GUI session locks with the\nfollowing command:\n\nNote: The command must be performed from a terminal window inside the graphical\nuser interface (GUI).\n\n# sudo gsettings set org.gnome.desktop.lock-enabled true\"\n\n gnome_installed = (package('ubuntu-gnome-desktop').installed? || package('ubuntu-desktop').installed?)\n\n if gnome_installed\n lock_enabled = command('gsettings get org.gnome.desktop.screensaver lock-enabled')\n describe lock_enabled do\n its('stdout') { should cmp 'true' }\n end\n else\n impact 0\n describe 'Not Applicable as GNOME dekstop environment is installed' do\n subject { gnome_installed }\n it { should be false }\n end\n end\nend\n", + "code": "control 'V-75687' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/security/opasswd.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75687'\n tag \"rid\": 'SV-90367r3_rule'\n tag \"stig_id\": 'UBTU-16-020340'\n tag \"fix_id\": 'F-82315r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 
'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/security/opasswd\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/security/opasswd\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/security/opasswd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75437.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75687.rb", "line": 3 }, - "id": "V-75437" + "id": "V-75687" }, { - "title": "Cron logging must be implemented.", - "desc": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", + "title": "Successful/unsuccessful uses of the umount command must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", "descriptions": { - "default": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. 
It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", - "check": "Verify that \"rsyslog\" is configured to log cron events.\n\nCheck the configuration of \"/etc/rsyslog.d/50-default.conf\" for the cron\nfacility with the following commands:\n\nNote: If another logging package is used, substitute the utility configuration\nfile for \"/etc/rsyslog.d/50-default.conf\".\n\n# grep cron /etc/rsyslog.d/50-default.conf\n\ncron.* /var/log/cron.log\n\nIf the commands do not return a response, check for cron logging all facilities\nby inspecting the \"/etc/rsyslog.d/50-default.con\" file:\n\n# more /etc/rsyslog.conf\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities,\nthis is a finding.", - "fix": "Configure \"rsyslog\" to log all cron messages by adding or\nupdating the following line to \"/etc/rsyslog.d/50-default.conf\":\n\ncron.* /var/log/cron.log\n\nNote: The line must be added before the following entry if it exists in\n\"/etc/rsyslog.d/50-default.conf\":\n\n*.* ~ # discards everything" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.",
+ "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"umount\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep umount /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.",
+ "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"umount\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75865",
- "rid": "SV-90545r2_rule",
- "stig_id": "UBTU-16-030460",
- "fix_id": "F-82495r2_fix",
+ "gtitle": "SRG-OS-000042-GPOS-00020",
+ "satisfies": [
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-75697",
+ "rid": "SV-90377r3_rule",
+ "stig_id": "UBTU-16-020390",
+ "fix_id": "F-82325r2_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000135",
+ "CCI-000172",
+ "CCI-002884"
 ],
 "nist": [
- "CM-6 b",
+ "AU-3 (1)",
+ "AU-12 c",
+ "MA-4 (1) (a)",
 "Rev_4"
 ],
 "false_negatives": null, 
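Review bot: The V-75687 check body in this hunk's `code` string keeps `@audit_file` and `@perms` in instance variables although nothing outside the control reads them, and the sibling controls V-80969 and V-75779 in the earlier hunks reassign the same `@audit_file` name. That appears harmless here only because `auditd.file(@audit_file)` and the `describe` label are evaluated when the control block runs, but plain locals (`audit_file = '/etc/security/opasswd'`) would make the independence explicit rather than rely on evaluation order. The concatenated label `describe ('Audit line(s) for ' + @audit_file + ' exist')` would then read more naturally as `describe "Audit line(s) for #{audit_file} exist"`. If InSpec does share one evaluation context across controls, as the repeated assignments suggest, that is worth confirming before anything lazier is hung off these variables.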
@@ -8919,34 +8841,52 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75865' do\n title 'Cron logging must be implemented.'\n desc \"Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75865'\n tag \"rid\": 'SV-90545r2_rule'\n tag \"stig_id\": 'UBTU-16-030460'\n tag \"fix_id\": 'F-82495r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that \\\"rsyslog\\\" is configured to log cron events.\n\nCheck the configuration of \\\"/etc/rsyslog.d/50-default.conf\\\" for the cron\nfacility with the following commands:\n\nNote: If another logging package is used, substitute the utility configuration\nfile for \\\"/etc/rsyslog.d/50-default.conf\\\".\n\n# grep cron /etc/rsyslog.d/50-default.conf\n\ncron.* /var/log/cron.log\n\nIf the commands do not return a response, check for cron logging all facilities\nby inspecting the \\\"/etc/rsyslog.d/50-default.con\\\" file:\n\n# more /etc/rsyslog.conf\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf \\\"rsyslog\\\" is not logging messages for the cron facility or all facilities,\nthis is a finding.\"\n desc 'fix', \"Configure \\\"rsyslog\\\" to log all cron messages by adding or\nupdating the following line to \\\"/etc/rsyslog.d/50-default.conf\\\":\n\ncron.* /var/log/cron.log\n\nNote: The line must be added before the following entry if it exists in\n\\\"/etc/rsyslog.d/50-default.conf\\\":\n\n*.* ~ # discards 
everything\"\n\n describe.one do\n default_conf_output = command('grep ''^cron.*'' /etc/rsyslog.d/50-default.conf')\n describe default_conf_output do\n its('stdout') { should_not be_empty }\n end\n\n messages_output = command('grep ''^*.*'' /etc/rsyslog.conf')\n describe messages_output do\n its('stdout') { should_not be_empty }\n end\n end\nend\n", + "code": "control 'V-75697' do\n title \"Successful/unsuccessful uses of the umount command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000042-GPOS-00020'\n tag \"satisfies\": %w[SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172\n SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75697'\n tag \"rid\": 'SV-90377r3_rule'\n tag \"stig_id\": 'UBTU-16-020390'\n tag \"fix_id\": 'F-82325r2_fix'\n tag \"cci\": %w[CCI-000135 CCI-000172 CCI-002884]\n tag \"nist\": ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"umount\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep umount /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k 
privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"umount\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75865.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75697.rb", "line": 3 }, - "id": "V-75865" + "id": "V-75697" }, { - "title": "Ubuntu operating systems booted with a BIOS must require\nauthentication upon booting into single-user and maintenance modes.", - "desc": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. 
Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.", + "title": "The audit system must be configured to audit any usage of the insmod\ncommand.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. 
Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.", - "check": "Verify that an encrypted root password is set. This is only\napplicable on systems that use a basic Input/Output System BIOS.\n\nRun the following command to verify the encrypted password is set:\n\n# grep –i password /boot/grub/grub.cfg\n\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password entry does not begin with “password_pbkdf2”, this is a\nfinding.", - "fix": "Configure the system to require a password for authentication\nupon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \"/etc/grub.d/10_linux\" file with\nthe following command to add a boot password for the root entry:\n\n# cat << EOF > set superusers=\"root\" password_pbkdf2 root\ngrub.pbkdf2.sha512.VeryLongString > EOF\n\nGenerate an updated \"grub.conf\" file with the new password by using the\nfollowing commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/grub2/grub.cfg" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \"insmod\", by running the\nfollowing command:\n\n# sudo grep \"/sbin/insmod\" /etc/audit/audit.rules\n\n-w /sbin/insmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe module management program \"insmod\", by adding the following line to\n\"/etc/audit/audit.rules\":\n\n-w /sbin/insmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000080-GPOS-00048",
- "gid": "V-75505",
- "rid": "SV-90185r2_rule",
- "stig_id": "UBTU-16-010380",
- "fix_id": "F-82133r1_fix",
+ "gtitle": "SRG-OS-000037-GPOS-00015",
+ "satisfies": [
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215",
+ "SRG-OS-000471-GPOS-00216",
+ "SRG-OS-000477-GPOS-00222"
+ ],
+ "gid": "V-75709",
+ "rid": "SV-90389r2_rule",
+ "stig_id": "UBTU-16-020420",
+ "fix_id": "F-82337r2_fix",
 "cci": [
- "CCI-000213"
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
 ],
 "nist": [
- "AC-3",
+ "AU-3",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
 "Rev_4"
 ],
 "false_negatives": null,
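Review bot: The InSpec test embedded in the new `code` field for V-75697 mixes instance variables (`@audit_file`, `@perms`) with a plain local (`audit_lines_exist`) and states the existence check as a double negation, `!auditd.lines.index { |line| line.include?(@audit_file) }.nil?`; a local plus `any?` says the same thing directly: `audit_file = '/bin/umount'` and `audit_lines_exist = auditd.lines.any? { |line| line.include?(audit_file) }`. The identical pattern is repeated in the V-75709 control in the next hunk and in the V-75665 control in the hunk after it, so one style should be picked for all three. Separately, the `check` text tells the assessor to grep `/etc/audit/audit.rules`, whereas the `auditd` resource, as far as I recall, evaluates the rule set currently loaded in the kernel, so the manual and automated checks can disagree when the file has been edited but auditd has not been restarted; a sentence in the control description stating that the automated test validates loaded rules would make that explicit.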
@@ -8960,20 +8900,20 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75505' do\n title \"Ubuntu operating systems booted with a BIOS must require\nauthentication upon booting into single-user and maintenance modes.\"\n desc \"To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., web servers and web portals) must be properly configured to\nincorporate access control methods that do not rely solely on the possession of\na certificate for access. Successful authentication must not automatically give\nan entity access to an asset or security boundary. Authorization procedures and\ncontrols must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of\ndetermining whether an entity, once authenticated, is permitted to access a\nspecific asset. Information systems use access control policies and enforcement\nmechanisms to implement this requirement.\n\n Access control policies include: identity-based policies, role-based\npolicies, and attribute-based policies. Access enforcement mechanisms include:\naccess control lists, access control matrices, and cryptography. 
These policies\nand mechanisms must be employed by the application to control access between\nusers (or processes acting on behalf of users) and objects (e.g., devices,\nfiles, records, processes, programs, and domains) in the information system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-75505'\n tag \"rid\": 'SV-90185r2_rule'\n tag \"stig_id\": 'UBTU-16-010380'\n tag \"fix_id\": 'F-82133r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": %w[AC-3 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an encrypted root password is set. This is only\napplicable on systems that use a basic Input/Output System BIOS.\n\nRun the following command to verify the encrypted password is set:\n\n# grep –i password /boot/grub/grub.cfg\n\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password entry does not begin with “password_pbkdf2”, this is a\nfinding.\"\n desc 'fix', \"Configure the system to require a password for authentication\nupon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \\\"/etc/grub.d/10_linux\\\" file with\nthe following command to add a boot password for the root entry:\n\n# cat << EOF > set superusers=\\\"root\\\" password_pbkdf2 root\ngrub.pbkdf2.sha512.VeryLongString > EOF\n\nGenerate an updated \\\"grub.conf\\\" file with the new password by using the\nfollowing commands:\n\n# grub2-mkconfig 
--output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/grub2/grub.cfg\"\n\n describe file('/boot/grub/grub.cfg') do\n its('content') { should match '^password_pbkdf2' }\n end\nend\n", + "code": "control 'V-75709' do\n title \"The audit system must be configured to audit any usage of the insmod\ncommand.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215\n SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222]\n tag \"gid\": 'V-75709'\n tag 
\"rid\": 'SV-90389r2_rule'\n tag \"stig_id\": 'UBTU-16-020420'\n tag \"fix_id\": 'F-82337r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the module management program \\\"insmod\\\", by running the\nfollowing command:\n\n# sudo grep \\\"/sbin/insmod\\\" /etc/audit/audit.rules\n\n-w /sbin/insmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe module management program \\\"insmod\\\", by adding the following line to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /sbin/insmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/insmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75505.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75709.rb", "line": 3 }, - "id": "V-75505" + "id": "V-75709" }, { - "title": "Successful/unsuccessful uses of the chsh command must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/gshadow.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chsh /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chsh\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/gshadow\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/gshadow\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], 
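Review bot: In the new V-75665 descriptions at the end of this hunk, the `check` text expects the rule to carry `-k audit_rules_usergroup_modification` while the `fix` text instructs adding `-w /etc/gshadow -p wa -k identity`, so an administrator who applies the fix and then runs the documented grep sees a key that does not match the expected output. The key is not asserted by the InSpec code, so this is a documentation inconsistency rather than a test failure, but the two strings should agree (the `code` field for this control in the following hunk repeats both). Also, the V-75709 insmod test in this hunk asserts only `its('action') { should_not include 'never' }`, whereas the V-75697 umount test in the previous hunk additionally asserts `its('action.uniq') { should eq ['always'] }` and `its('list.uniq') { should eq ['exit'] }`; aligning the per-command audit controls on one assertion set would keep them uniform and equally strict.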
@@ -8983,19 +8923,22 @@
 "SRG-OS-000037-GPOS-00015",
 "SRG-OS-000042-GPOS-00020",
 "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000304-GPOS-00121",
 "SRG-OS-000392-GPOS-00172",
 "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000470-GPOS-00214",
 "SRG-OS-000471-GPOS-00215"
 ],
- "gid": "V-75759",
- "rid": "SV-90439r3_rule",
- "stig_id": "UBTU-16-020670",
- "fix_id": "F-82387r2_fix",
+ "gid": "V-75665",
+ "rid": "SV-90345r3_rule",
+ "stig_id": "UBTU-16-020320",
+ "fix_id": "F-82293r2_fix",
 "cci": [
 "CCI-000130",
 "CCI-000135",
 "CCI-000169",
 "CCI-000172",
+ "CCI-002132",
 "CCI-002884"
 ],
 "nist": [
@@ -9003,7 +8946,8 @@
 "AU-3 (1)",
 "AU-12 a",
 "AU-12 c",
- "MA-4 (1) (a)",
+ "AC-2 (4)",
+ "MA-4 (1)\n(a)",
 "Rev_4"
 ],
 "false_negatives": null,
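Review bot: The added NIST tag `"MA-4 (1)\n(a)"` in the second hunk embeds a line break inside a control identifier, whereas the same control is written `"MA-4 (1) (a)"` elsewhere in this file (for example in the V-75697 and V-75709 tags above), so any consumer that groups or filters results by NIST control string will treat it as a separate control and the gshadow finding will not roll up under MA-4 (1) (a). It should read `"MA-4 (1) (a)",`. The same escaped string appears in this control's `code` field in the next hunk (`\"MA-4 (1)\n(a)\"`) and should be corrected there as well so the tag list and the embedded InSpec source stay in sync.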
@@ -9017,34 +8961,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75759' do\n title \"Successful/unsuccessful uses of the chsh command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75759'\n tag \"rid\": 'SV-90439r3_rule'\n tag \"stig_id\": 'UBTU-16-020670'\n tag \"fix_id\": 'F-82387r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chsh\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chsh /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the 
audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chsh\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75665' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/gshadow.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75665'\n tag \"rid\": 'SV-90345r3_rule'\n tag \"stig_id\": 'UBTU-16-020320'\n tag 
\"fix_id\": 'F-82293r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/gshadow\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/gshadow\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75759.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75665.rb", "line": 3 }, - "id": "V-75759" + "id": "V-75665" }, { - "title": "The /var/log directory must be group-owned by syslog.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
+ "title": "The pam_unix.so module must use a FIPS 140-2 approved cryptographic\nhashing algorithm for system authentication.",
+ "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n Ubuntu operating systems utilizing encryption are required to use\nFIPS-compliant mechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral purpose computing system.",
 "descriptions": {
- "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
- "check": "Verify the \"/var/log\" directory is group-owned by syslog.\n\nCheck that the \"/var/log\" directory is group owned by syslog with the\nfollowing command:\n\n# ls -lad /var/log | cut -d' ' -f4\n\nsyslog\n\nIf \"syslog\" is not returned as a result, this is a finding.",
- "fix": "Change the group of the directory \"/var/log\" to \"syslog\" by\nrunning the following command:\n\n# sudo chgrp syslog /var/log"
+ "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n Ubuntu operating systems utilizing encryption are required to use\nFIPS-compliant mechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral purpose computing system.",
+ "check": "Verify that pam_unix.so auth is configured to use sha512.\n\nCheck that pam_unix.so auth is configured to use sha512 with the following\ncommand:\n\n# grep password /etc/pam.d/common-password | grep pam_unix\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\n\nIf \"sha512\" is not an option of the output, or is commented out, this is a\nfinding.",
+ "fix": "Configure the Ubuntu operating system to use a FIPS 140-2\napproved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the file \"/etc/pam.d/common-password\" file\nto include the sha512 option for pam_unix.so:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\nshadow remember=5"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000206-GPOS-00084",
- "gid": "V-75593",
- "rid": "SV-90273r2_rule",
- "stig_id": "UBTU-16-010940",
- "fix_id": "F-82221r2_fix",
+ "gtitle": "SRG-OS-000120-GPOS-00061",
+ "gid": "V-75465",
+ "rid": "SV-90145r2_rule",
+ "stig_id": "UBTU-16-010180",
+ "fix_id": "F-82093r2_fix",
 "cci": [
- "CCI-001314"
+ "CCI-000803"
 ],
 "nist": [
- "SI-11 b",
+ "IA-7",
 "Rev_4"
 ],
 "false_negatives": null, 
@@ -9058,34 +9002,34 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75593' do\n title 'The /var/log directory must be group-owned by syslog.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75593'\n tag \"rid\": 'SV-90273r2_rule'\n tag \"stig_id\": 'UBTU-16-010940'\n tag \"fix_id\": 'F-82221r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the \\\"/var/log\\\" directory is group-owned by syslog.\n\nCheck that the \\\"/var/log\\\" directory is group owned by syslog with the\nfollowing command:\n\n# ls -lad /var/log | cut -d' ' -f4\n\nsyslog\n\nIf \\\"syslog\\\" is not returned as a result, this is a finding.\"\n desc 'fix', \"Change the group of the directory \\\"/var/log\\\" to \\\"syslog\\\" by\nrunning the following command:\n\n# sudo chgrp syslog /var/log \"\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n",
+ "code": 
"control 'V-75465' do\n title \"The pam_unix.so module must use a FIPS 140-2 approved cryptographic\nhashing algorithm for system authentication.\"\n desc \"Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n Ubuntu operating systems utilizing encryption are required to use\nFIPS-compliant mechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral purpose computing system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000120-GPOS-00061'\n tag \"gid\": 'V-75465'\n tag \"rid\": 'SV-90145r2_rule'\n tag \"stig_id\": 'UBTU-16-010180'\n tag \"fix_id\": 'F-82093r2_fix'\n tag \"cci\": ['CCI-000803']\n tag \"nist\": %w[IA-7 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that pam_unix.so auth is configured to use sha512.\n\nCheck that pam_unix.so auth is configured to use sha512 with the following\ncommand:\n\n# grep password /etc/pam.d/common-password | grep pam_unix\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\n\nIf \\\"sha512\\\" is not an option of the output, or is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to use a FIPS 140-2\napproved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the file \\\"/etc/pam.d/common-password\\\" file\nto include the sha512 option for 
pam_unix.so:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\nshadow remember=5\"\n\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command('grep rounds /etc/pam.d/common-password') do\n its('exit_status') { should eq 0 }\n its('stdout') { should match /^\\s*password\\s+\\[\\s*success=1\\s+default=ignore\\s*\\].*\\s+sha512($|\\s+.*$)/ }\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75593.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75465.rb",
 "line": 3
 },
- "id": "V-75593"
+ "id": "V-75465"
 },
 {
- "title": "The Ubuntu operating system must use cryptographic mechanisms to\nprotect the integrity of audit tools.",
- "desc": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed in order\nto provide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. 
An example is a checksum hash of the file or files.",
+ "title": "The audit event multiplexor must be configured to off-load audit logs\nonto a different system or storage media from the system being audited.",
+ "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.",
 "descriptions": {
- "default": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed in order\nto provide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. 
An example is a checksum hash of the file or files.",
- "check": "Verify that Advanced Intrusion Detection Environment (AIDE) to\nproperly configured to use cryptographic mechanisms to protect the integrity of\naudit tools.\n\nCheck the selection lines that aide is configured to add/check with the\nfollowing command:\n\n# egrep '(\\/usr\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512\n\nIf any of the seven audit tools does not have an appropriate selection line,\nthis is a finding.",
- "fix": "Add or update the following selection lines to\n\"/etc/aide/aide.conf\", in order to protect the integrity of the audit tools.\n\n# Audit Tools\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512"
+ "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.",
+ "check": "Verify the audit event multiplexor is configured to off-load\naudit records to a different system or storage media from the system being\naudited.\n\nCheck that the records are being off-loaded to a remote server with the\nfollowing command:\n\n# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf \"active\" is not set to \"yes\", or the line is commented out, this is a\nfinding.",
+ "fix": 
"Configure the audit event multiplexor to off-load audit records\nto a different system or storage media from the system being audited.\n\nSet the \"active\" option in \"/etc/audisp/plugins.d/au-remote.conf\" to\n\"yes\":\n\nactive = yes\n\nIn order for the changes to take effect, the audit daemon must be restarted.\nThe audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000278-GPOS-00108", - "gid": "V-75525", - "rid": "SV-90205r2_rule", - "stig_id": "UBTU-16-010550", - "fix_id": "F-82153r1_fix", + "gtitle": "SRG-OS-000479-GPOS-00224", + "gid": "V-75659", + "rid": "SV-90339r2_rule", + "stig_id": "UBTU-16-020210", + "fix_id": "F-82287r2_fix", "cci": [ - "CCI-001496" + "CCI-001851" ], "nist": [ - "AU-9 (3)", + "AU-4 (1)", "Rev_4" ], "false_negatives": null, 
@@ -9099,40 +9043,34 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75525' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to\nprotect the integrity of audit tools.\"\n desc \"Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed in order\nto provide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. 
An example is a checksum hash of the file or files.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000278-GPOS-00108'\n tag \"gid\": 'V-75525'\n tag \"rid\": 'SV-90205r2_rule'\n tag \"stig_id\": 'UBTU-16-010550'\n tag \"fix_id\": 'F-82153r1_fix'\n tag \"cci\": ['CCI-001496']\n tag \"nist\": ['AU-9 (3)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) to\nproperly configured to use cryptographic mechanisms to protect the integrity of\naudit tools.\n\nCheck the selection lines that aide is configured to add/check with the\nfollowing command:\n\n# egrep '(\\\\/usr\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512\n\nIf any of the seven audit tools does not have an appropriate selection line,\nthis is a finding.\"\n desc 'fix', \"Add or update the following selection lines to\n\\\"/etc/aide/aide.conf\\\", in order to protect the integrity of the audit tools.\n\n# Audit Tools\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512\"\n\n aide_conf_exists = aide_conf.exist?\n\n if 
aide_conf_exists\n describe aide_conf.where { selection_line == '/usr/sbin/auditctl' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/auditd' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/ausearch' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/aureport' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/autrace' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/audispd' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n\n describe aide_conf.where { selection_line == '/usr/sbin/augenrules' } do\n its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattr' 'sha512'] }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\nend\n",
+ "code": "control 'V-75659' do\n title \"The audit event multiplexor must be configured to off-load audit logs\nonto a different system or storage media from the system being audited.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-75659'\n tag \"rid\": 'SV-90339r2_rule'\n tag \"stig_id\": 'UBTU-16-020210'\n tag \"fix_id\": 'F-82287r2_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": 
['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit event multiplexor is configured to off-load\naudit records to a different system or storage media from the system being\naudited.\n\nCheck that the records are being off-loaded to a remote server with the\nfollowing command:\n\n# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf \\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit event multiplexor to off-load audit records\nto a different system or storage media from the system being audited.\n\nSet the \\\"active\\\" option in \\\"/etc/audisp/plugins.d/au-remote.conf\\\" to\n\\\"yes\\\":\n\nactive = yes\n\nIn order for the changes to take effect, the audit daemon must be restarted.\nThe audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service\"\n\n config_file_exists = file('/etc/audisp/plugins.d/au-remote.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/audisp/plugins.d/au-remote.conf') do\n its('active') { should cmp 'yes' }\n end\n else\n describe '/etc/audisp/plugins.d/au-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75525.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75659.rb",
 "line": 3
 },
- "id": "V-75525"
+ "id": "V-75659"
 },
 {
- "title": "The Ubuntu operating system must employ a FIPS 140-2 approved\ncryptographic hashing algorithms for all stored passwords.",
- "desc": "The system must use a strong hashing algorithm to store the password.\nThe 
system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.",
+ "title": "System commands must be group-owned by root.",
+ "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.",
 "descriptions": {
- "default": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. 
If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.",
- "check": "Verify the shadow password suite configuration is set to\nencrypt interactive user passwords using a strong cryptographic hash with the\nfollowing command:\n\nConfirm that the interactive user account passwords are using a strong password\nhash with the following command:\n\n# sudo cut -d: -f2 /etc/shadow\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\nPassword hashes \"!\" or \"*\" indicate inactive accounts not available for\nlogon and are not evaluated. If any interactive user password hash does not\nbegin with \"$6\", this is a finding.",
- "fix": "Configure the Ubuntu operating system to encrypt all stored\npasswords with a strong cryptographic hash.\n\nLock all interactive user accounts not using SHA-512 hashing until the\npasswords can be regenerated."
+ "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.",
+ "check": "Verify the system commands contained in the following\ndirectories are group-owned by \"root\".\n\nCheck that the system command files contained in the following directories are\ngroup-owned by \"root\" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin !\n-group root | xargs ls -la\n\nIf the command returns any files that are not group-owned by \"root\", and if\nthey are not SGID and owned by a privileged group, this is a finding.",
+ "fix": "Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \"[FILE]\" with any system command file\nnot group-owned by \"root\".\n\n# sudo chgrp root [FILE]"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000073-GPOS-00041",
- "satisfies": [
- "SRG-OS-000073-GPOS-00041",
- "SRG-OS-000120-GPOS-00061"
- ],
- "gid": "V-75461",
- "rid": "SV-90141r1_rule",
- "stig_id": "UBTU-16-010160",
- "fix_id": "F-82089r1_fix",
+ "gtitle": "SRG-OS-000259-GPOS-00100",
+ "gid": "V-75615",
+ "rid": "SV-90295r2_rule",
+ "stig_id": "UBTU-16-011050",
+ "fix_id": "F-82243r2_fix",
 "cci": [
- "CCI-000196",
- "CCI-000803"
+ "CCI-001499"
 ],
 "nist": [
- "IA-5 (1) (c)",
- "IA-7",
+ "CM-5 (6)",
 "Rev_4"
 ],
 "false_negatives": null, 
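Review bot: The new V-75659 control in this hunk's `"code"` string passes as soon as `active` is `yes` in `/etc/audisp/plugins.d/au-remote.conf`, which mirrors the STIG check text but does not establish that audit records actually leave the host: the plugin is enabled, yet nothing verifies that the remote transport has a destination (`remote_server` in `/etc/audisp/audisp-remote.conf`), so a system with the plugin switched on and no target configured is reported compliant. If the profile intends to stay on the STIG text, a comment in the control such as `# Mirrors the STIG check: confirms the au-remote plugin is enabled, not that a remote destination is configured` would make that scope explicit; otherwise a second `describe parse_config_file('/etc/audisp/audisp-remote.conf')` with `its('remote_server') { should match(/\S/) }` inside the existing `if config_file_exists` branch would close the gap. Either change belongs in `./Ubuntu 16.04 STIG/controls/V-75659.rb`, from which this `"code"` string is exported.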
@@ -9146,50 +9084,40 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-75461' do\n title \"The Ubuntu operating system must employ a FIPS 140-2 approved\ncryptographic hashing algorithms for all stored passwords.\"\n desc \"The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"satisfies\": %w[SRG-OS-000073-GPOS-00041 SRG-OS-000120-GPOS-00061]\n tag \"gid\": 'V-75461'\n tag \"rid\": 'SV-90141r1_rule'\n tag \"stig_id\": 'UBTU-16-010160'\n tag \"fix_id\": 'F-82089r1_fix'\n tag \"cci\": %w[CCI-000196 CCI-000803]\n tag \"nist\": ['IA-5 (1) (c)', 'IA-7', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the shadow password suite configuration is set to\nencrypt interactive user passwords using a strong cryptographic hash with the\nfollowing command:\n\nConfirm that the interactive user account passwords are using a strong password\nhash with the following command:\n\n# sudo cut -d: -f2 /etc/shadow\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\nPassword hashes \\\"!\\\" or \\\"*\\\" indicate inactive accounts not available for\nlogon and are not evaluated. 
If any interactive user password hash does not\nbegin with \\\"$6\\\", this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored\npasswords with a strong cryptographic hash.\n\nLock all interactive user accounts not using SHA-512 hashing until the\npasswords can be regenerated.\"\n\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n counter = 0\n\n users.where { !shell.match(ignore_shells) }.entries.each do |user_info|\n shadow.where(user: user_info.username).passwords.each do |user_pwd|\n pwd_should_be_evaluated = !(user_pwd.casecmp?('!') || user_pwd.casecmp?('*'))\n next unless pwd_should_be_evaluated\n\n describe (user_info.username + ' - user\\'s password hash') do\n subject { user_pwd }\n it { should start_with '$6' }\n end\n counter += 1\n end\n end\n if counter == 0\n describe 'Number of interactive users on the system' do\n subject { counter }\n it { should be 0 }\n end\n end\nend\n",
+ "code": "control 'V-75615' do\n title 'System commands must be group-owned by root.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75615'\n tag \"rid\": 'SV-90295r2_rule'\n tag \"stig_id\": 'UBTU-16-011050'\n tag \"fix_id\": 'F-82243r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system commands contained in the following\ndirectories are group-owned by \\\"root\\\".\n\nCheck that the system command files contained in the following directories are\ngroup-owned by \\\"root\\\" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin !\n-group root | xargs ls -la\n\nIf the command returns any files that are not group-owned by \\\"root\\\", and if\nthey are not SGID and owned by a privileged group, this is a finding.\"\n desc 'fix', \"Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \\\"[FILE]\\\" with any system command file\nnot group-owned by \\\"root\\\".\n\n# sudo chgrp root [FILE]\"\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-group root').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Ubuntu 16.04 STIG/controls/V-75461.rb",
+ "ref": "./Ubuntu 16.04 STIG/controls/V-75615.rb",
 "line": 3
 },
- "id": "V-75461"
+ "id": "V-75615"
 },
 {
- "title": "Successful/unsuccessful uses of the ftruncate command must generate an\naudit record.",
- "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).",
+ "title": "The Ubuntu operating system, for PKI-based authentication, must\nvalidate certificates by constructing a certification path (which includes\nstatus information) to an accepted trust anchor.",
+ "desc": "Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. 
It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"ftruncate\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a 
line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ftruncate\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. 
Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.", + "check": "Verify the Ubuntu operating system, for PKI-based\nauthentication, had valid certificates by constructing a certification path\n(which includes status information) to an accepted trust anchor.\n\nCheck which pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and then ensure \"ca\" is enabled in\n\"cert_policy\" with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\", has a value of \"none\", or the line\nis commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system, for PKI-based\nauthentication, to validate certificates by constructing a certification path\n(which includes status information) to an accepted trust anchor.\n\nDetermine which pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in\n\"cert_policy\".\n\nAdd or update the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", + "gtitle": "SRG-OS-000066-GPOS-00034", "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000066-GPOS-00034", + "SRG-OS-000384-GPOS-00167" ], - "gid": "V-75747", - "rid": "SV-90427r3_rule", - "stig_id": "UBTU-16-020610", - "fix_id": "F-82375r2_fix", + "gid": "V-75909", + "rid": "SV-90589r2_rule", + "stig_id": "UBTU-16-030830", + "fix_id": "F-82539r2_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - 
"CCI-002884" + "CCI-000185", + "CCI-001991" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "IA-5 (2) (a)", + "IA-5 (2) (d)", "Rev_4" ], "false_negatives": null, 
@@ -9203,34 +9131,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75747' do\n title \"Successful/unsuccessful uses of the ftruncate command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75747'\n tag \"rid\": 'SV-90427r3_rule'\n tag \"stig_id\": 'UBTU-16-020610'\n tag \"fix_id\": 'F-82375r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"ftruncate\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 
-F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"ftruncate\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('ftruncate').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('ftruncate').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('ftruncate').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('ftruncate').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", + "code": "control 'V-75909' do\n title \"The Ubuntu operating system, for PKI-based authentication, must\nvalidate certificates by constructing a certification path (which includes\nstatus information) to an accepted trust anchor.\"\n desc \"Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already 
explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"satisfies\": %w[SRG-OS-000066-GPOS-00034 SRG-OS-000384-GPOS-00167]\n tag \"gid\": 'V-75909'\n tag \"rid\": 'SV-90589r2_rule'\n tag \"stig_id\": 'UBTU-16-030830'\n tag \"fix_id\": 'F-82539r2_fix'\n tag \"cci\": %w[CCI-000185 CCI-001991]\n tag \"nist\": ['IA-5 (2) (a)', 'IA-5 (2) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based\nauthentication, had valid certificates by constructing a certification path\n(which includes status information) to an accepted trust 
anchor.\n\nCheck which pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and then ensure \\\"ca\\\" is enabled in\n\\\"cert_policy\\\" with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\", has a value of \\\"none\\\", or the line\nis commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based\nauthentication, to validate certificates by constructing a certification path\n(which includes status information) to an accepted trust anchor.\n\nDetermine which pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in\n\\\"cert_policy\\\".\n\nAdd or update the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\"\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75747.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75909.rb", "line": 3 }, - "id": "V-75747" + "id": "V-75909" }, { - "title": "Passwords for new users must have a 60-day maximum password lifetime\nrestriction.", - "desc": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If the Ubuntu operating\nsystem does not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the Ubuntu operating system passwords could\nbe compromised.", + "title": "Passwords must have a minimum of 15-characters.", + "desc": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nexponentially increase the time and/or resources required to compromise the\npassword.", "descriptions": { - "default": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If the Ubuntu operating\nsystem does not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the Ubuntu operating system passwords could\nbe compromised.", - "check": "Verify that the Ubuntu operating system enforces a 60-day\nmaximum password lifetime for new user accounts by running the following\ncommand:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\", or commented out,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to enforce a 60-day maximum\npassword lifetime.\n\nAdd, or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60" + "default": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. 
Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nexponentially increase the time and/or resources required to compromise the\npassword.", + "check": "Verify that the Ubuntu operating system enforces a minimum\n\"15\" character password length, by running the following command:\n\n# grep -i minlen /etc/security/pwquality.conf\n minlen=15\n\nIf \"minlen\" parameter value is not \"15\" or higher, or is commented out,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a minimum\n15-character password length.\n\nAdd, or modify the \"minlen\" parameter value to the following line in\n\"/etc/security/pwquality.conf\" file:\n\nminlen=15" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-75473", - "rid": "SV-90153r2_rule", - "stig_id": "UBTU-16-010220", - "fix_id": "F-82101r2_fix", + "gtitle": "SRG-OS-000078-GPOS-00046", + "gid": "V-75477", + "rid": "SV-90157r2_rule", + "stig_id": "UBTU-16-010240", + "fix_id": "F-82105r1_fix", "cci": [ - "CCI-000199" + "CCI-000205" ], "nist": [ - "IA-5 (1) (d)", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
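Review bot: The new V-75909 check asserts `its('cert_policy') { should include 'ca' }` against a flat `parse_config_file` of `/etc/pam_pkcs11/pam_pkcs11.conf`, but that file nests one `cert_policy` per `pkcs11_module` block, so a flat key/value parse keeps only one of them and the assertion is not tied to the module named by `use_pkcs11_module` — the check text in the same hunk explicitly says to determine the module first, while the code only asserts `use_pkcs11_module` is not nil. `include 'ca'` is also a substring test on the raw value (`ca,signature,ocsp_on;`); matching the token is safer: `its('cert_policy') { should match(/(^|,)\s*ca\s*(,|;|$)/) }`. I'd go further and extract the `cert_policy` line from the `pkcs11_module <name> { ... }` block whose name equals the `use_pkcs11_module` value before asserting on it, and add a comment such as `# pam_pkcs11.conf carries one cert_policy per pkcs11_module block; assert on the block selected by use_pkcs11_module`. Per `source_location`, this code is exported from `./Ubuntu 16.04 STIG/controls/V-75909.rb`, so the change belongs there with this JSON regenerated.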
@@ -9244,34 +9172,53 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75473' do\n title \"Passwords for new users must have a 60-day maximum password lifetime\nrestriction.\"\n desc \"Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If the Ubuntu operating\nsystem does not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the Ubuntu operating system passwords could\nbe compromised.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000076-GPOS-00044'\n tag \"gid\": 'V-75473'\n tag \"rid\": 'SV-90153r2_rule'\n tag \"stig_id\": 'UBTU-16-010220'\n tag \"fix_id\": 'F-82101r2_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system enforces a 60-day\nmaximum password lifetime for new user accounts by running the following\ncommand:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\", or commented out,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum\npassword lifetime.\n\nAdd, or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60\"\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n", + "code": "control 'V-75477' do\n title 'Passwords must have a minimum of 15-characters.'\n desc \"The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a 
measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nexponentially increase the time and/or resources required to compromise the\npassword.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000078-GPOS-00046'\n tag \"gid\": 'V-75477'\n tag \"rid\": 'SV-90157r2_rule'\n tag \"stig_id\": 'UBTU-16-010240'\n tag \"fix_id\": 'F-82105r1_fix'\n tag \"cci\": ['CCI-000205']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system enforces a minimum\n\\\"15\\\" character password length, by running the following command:\n\n# grep -i minlen /etc/security/pwquality.conf\n minlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or higher, or is commented out,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum\n15-character password length.\n\nAdd, or modify the \\\"minlen\\\" parameter value to the following line in\n\\\"/etc/security/pwquality.conf\\\" file:\n\nminlen=15\"\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75473.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75477.rb", "line": 3 }, - "id": "V-75473" + 
"id": "V-75477" }, { - "title": "The /var/log/syslog file must have mode 0640 or less permissive.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The audit system must be configured to audit any usage of the\nfremovexattr system call.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the \"/var/log/syslog\" file has mode \"0640\" or\nless permissive.\n\nCheck that \"/var/log/syslog\" has mode \"0640\" or less permissive with the\nfollowing command:\n\n# stat -c \"%a %n\" /var/log/syslog\n\n640 /var/log/syslog\n\nIf a value of \"640\" or less permissive is not returned, this is a finding.", - "fix": "Change the permissions of the file \"/var/log/syslog\" to\n\"0640\" by running the following command:\n\n# sudo chmod 0640 /var/log" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if the Ubuntu operating system is configured to audit\nthe execution of the \"fremovexattr\" system call, by running the following\ncommand:\n\n# sudo grep -w fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to audit the execution of\nthe \"fremovexattr\" system call by adding the following lines to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-75603", - "rid": "SV-90283r3_rule", - "stig_id": "UBTU-16-010990", - "fix_id": "F-82231r3_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000474-GPOS-00219" + ], + "gid": "V-75727", + "rid": "SV-90407r3_rule", + "stig_id": "UBTU-16-020510", + "fix_id": "F-82355r2_fix", "cci": [ - "CCI-001314" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "SI-11 b", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
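Review bot: The new V-75477 code decides the control solely from `minlen` in `/etc/security/pwquality.conf`, yet pam_pwquality also accepts `minlen=` as a module argument on the `pam_pwquality.so` line in `/etc/pam.d/common-password`, and a module-line value overrides the file — so a host can pass this control while enforcing a shorter minimum. This mirrors the STIG check text, so if the narrower scope is intentional it should at least be stated in the control, e.g. `# only pwquality.conf is inspected; a minlen= argument on the pam_pwquality.so line in /etc/pam.d/common-password overrides this file and is not checked here`; otherwise add a second `describe` that fails when such an override is present. Minor: `should cmp >= '15'` compares against a string; `cmp` coerces, but `15` reads more clearly. Per `source_location` the code comes from `./Ubuntu 16.04 STIG/controls/V-75477.rb`, so any change belongs there.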
@@ -9285,22 +9232,63 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75603' do\n title 'The /var/log/syslog file must have mode 0640 or less permissive.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75603'\n tag \"rid\": 'SV-90283r3_rule'\n tag \"stig_id\": 'UBTU-16-010990'\n tag \"fix_id\": 'F-82231r3_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the \\\"/var/log/syslog\\\" file has mode \\\"0640\\\" or\nless permissive.\n\nCheck that \\\"/var/log/syslog\\\" has mode \\\"0640\\\" or less permissive with the\nfollowing command:\n\n# stat -c \\\"%a %n\\\" /var/log/syslog\n\n640 /var/log/syslog\n\nIf a value of \\\"640\\\" or less permissive is not returned, this is a finding.\"\n desc 'fix', \"Change the permissions of the file \\\"/var/log/syslog\\\" to\n\\\"0640\\\" by running the following command:\n\n# sudo chmod 0640 /var/log\"\n\n describe 
file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", + "code": "control 'V-75727' do\n title \"The audit system must be configured to audit any usage of the\nfremovexattr system call.\"\n desc \"Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which the Ubuntu operating system\nwill provide an audit record generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000458-GPOS-00203 SRG-OS-000462-GPOS-00206\n SRG-OS-000463-GPOS-00207 SRG-OS-000471-GPOS-00215\n SRG-OS-000474-GPOS-00219]\n tag \"gid\": 'V-75727'\n tag \"rid\": 'SV-90407r3_rule'\n tag \"stig_id\": 
'UBTU-16-020510'\n tag \"fix_id\": 'F-82355r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit\nthe execution of the \\\"fremovexattr\\\" system call, by running the following\ncommand:\n\n# sudo grep -w fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of\nthe \\\"fremovexattr\\\" system call by adding the following lines to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('fremovexattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('fremovexattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75603.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75727.rb", "line": 3 }, - "id": "V-75603" + "id": "V-75727" }, { - "title": "Successful/unsuccessful uses of the mount command must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "title": "Library files must be group-owned by root.", + "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"mount\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w mount /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. 
Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "check": "Verify the system-wide shared library files contained in the\nfollowing directories are group-owned by \"root\".\n\nCheck that the system-wide shared library files are group-owned by \"root\"\nwith the following command:\n\n# sudo find /lib /usr/lib /lib64 ! -group root | xargs ls -la\n\nIf any system wide shared library file is returned, this is a finding.", + "fix": "Configure the library files to be protected from unauthorized\naccess.\n\nRun the following command, replacing \"[FILE]\" with any library file not\ngroup-owned by root.\n\n# sudo chgrp root [FILE]" }, - "impact": 0.3, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-75609", + "rid": "SV-90289r2_rule", + "stig_id": "UBTU-16-011020", + "fix_id": "F-82237r2_fix", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null + }, + "code": "control 'V-75609' do\n title 'Library files must be group-owned by root.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. 
Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75609'\n tag \"rid\": 'SV-90289r2_rule'\n tag \"stig_id\": 'UBTU-16-011020'\n tag \"fix_id\": 'F-82237r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system-wide shared library files contained in the\nfollowing directories are group-owned by \\\"root\\\".\n\nCheck that the system-wide shared library files are group-owned by \\\"root\\\"\nwith the following command:\n\n# sudo find /lib /usr/lib /lib64 ! -group root | xargs ls -la\n\nIf any system wide shared library file is returned, this is a finding.\"\n desc 'fix', \"Configure the library files to be protected from unauthorized\naccess.\n\nRun the following command, replacing \\\"[FILE]\\\" with any library file not\ngroup-owned by root.\n\n# sudo chgrp root [FILE]\"\n\n if os.arch == 'x86_64'\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root').stdout.strip.split(\"\\n\").entries\n else\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! 
\\-group root').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./Ubuntu 16.04 STIG/controls/V-75609.rb", + "line": 3 + }, + "id": "V-75609" + }, + { + "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/shadow.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/shadow\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to generate 
audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/shadow\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
+ },
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-000037-GPOS-00015",
@@ -9308,19 +9296,22 @@
 "SRG-OS-000037-GPOS-00015",
 "SRG-OS-000042-GPOS-00020",
 "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000304-GPOS-00121",
 "SRG-OS-000392-GPOS-00172",
 "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000470-GPOS-00214",
 "SRG-OS-000471-GPOS-00215"
 ],
- "gid": "V-75695",
- "rid": "SV-90375r3_rule",
- "stig_id": "UBTU-16-020380",
- "fix_id": "F-82323r2_fix",
+ "gid": "V-75667",
+ "rid": "SV-90347r3_rule",
+ "stig_id": "UBTU-16-020330",
+ "fix_id": "F-82295r2_fix",
 "cci": [
 "CCI-000130",
 "CCI-000135",
 "CCI-000169",
 "CCI-000172",
+ "CCI-002132",
 "CCI-002884"
 ],
 "nist": [
@@ -9328,7 +9319,8 @@
 "AU-3 (1)",
 "AU-12 a",
 "AU-12 c",
- "MA-4 (1) (a)",
+ "AC-2 (4)",
+ "MA-4 (1)\n(a)",
 "Rev_4"
 ],
 "false_negatives": null,
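Review bot: The V-75727 code in this hunk requires `fremovexattr` rules for `arch=b32` unconditionally (the second `describe` sits outside the `if os.arch == 'x86_64'` guard) while the `check` and `fix` text only ever list `-F arch=b64` rules, so a host remediated exactly as documented still fails the control; either the fix text should include the `arch=b32` lines or that `describe` should be gated like the b64 one. The same code verifies only `action.uniq` and `list.uniq`, not the `auid>=1000`/`auid!=4294967295` and `auid=0` filters the check text calls for, so a rule without those filters passes. In the V-75609 code, the `find` exit status is never examined and an empty `stdout` is treated as compliant, so a `find` that fails outright passes the control vacuously; since the command lists `/usr/lib32` and `/lib32`, which may not exist on every host, consider filtering the directory list to existing paths or failing the control when `stderr` is non-empty instead of assuming an empty result means no findings. The directory list in that command (`/lib /usr/lib /usr/lib32 /lib32 /lib64`) also differs from the check text's `/lib /usr/lib /lib64`, which should be reconciled in one direction or the other.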
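Review bot: The added `nist` value `"MA-4 (1)\n(a)"` has a literal `\n` inside the control identifier, so it will not match the `MA-4 (1) (a)` spelling used by the other controls in this file (for example the V-75727 tags earlier in this diff) and any NIST 800-53 lookup keyed on the identifier will miss this control; it should read `"MA-4 (1) (a)"`. The same broken identifier is embedded in the `code` string of the next hunk (`\"MA-4 (1)\n(a)\"`), so the fix presumably belongs in `./Ubuntu 16.04 STIG/controls/V-75667.rb` (the `source_location` this JSON cites) with the baseline regenerated afterwards rather than hand-edited.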
@@ -9342,34 +9334,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75695' do\n title \"Successful/unsuccessful uses of the mount command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75695'\n tag \"rid\": 'SV-90375r3_rule'\n tag \"stig_id\": 'UBTU-16-020380'\n tag \"fix_id\": 'F-82323r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"mount\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w mount /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an 
audit event for any\nsuccessful/unsuccessful use of the \\\"mount\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295\n-k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75667' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/shadow.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75667'\n tag \"rid\": 
'SV-90347r3_rule'\n tag \"stig_id\": 'UBTU-16-020330'\n tag \"fix_id\": 'F-82295r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/shadow\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/shadow\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75695.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75667.rb", "line": 3 }, - "id": "V-75695" + "id": "V-75667" }, { - "title": "The SSH daemon must perform strict mode checking of home directory\nconfiguration files.", - "desc": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", + "title": "The /var/log directory must have mode 0770 or less permissive.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", - "check": "Verify the SSH daemon performs strict mode checking of home\ndirectory configuration files.\n\nCheck that the SSH daemon performs strict mode checking of home directory\nconfiguration files with the following command:\n\n# grep StrictModes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is\ncommented out, this is a finding.", - "fix": "Configure SSH to perform strict mode checking of home directory\nconfiguration files. Uncomment the \"StrictModes\" keyword in\n\"/etc/ssh/sshd_config\" and set the value to \"yes\":\n\nStrictModes yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
+ "check": "Verify that the \"/var/log\" directory has a mode of \"0770\"\nor less.\n\nCheck the mode of the \"/var/log\" directory with the following command:\n\n# stat -c \"%a %n\" /var/log\n\n770\n\nIf a value of \"0770\" or less permissive is not returned, this is a finding.",
+ "fix": "Change the permissions of the directory \"/var/log\" to \"0770\"\nby running the following command:\n\n# sudo chmod 0770 /var/log"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75847",
- "rid": "SV-90527r2_rule",
- "stig_id": "UBTU-16-030330",
- "fix_id": "F-82477r2_fix",
+ "gtitle": "SRG-OS-000206-GPOS-00084",
+ "gid": "V-75597",
+ "rid": "SV-90277r3_rule",
+ "stig_id": "UBTU-16-010960",
+ "fix_id": "F-82225r2_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001314"
 ],
 "nist": [
- "CM-6 b",
+ "SI-11 b",
 "Rev_4"
 ],
 "false_negatives": null,
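Review bot: `@audit_file` and `@perms` in the V-75667 code are instance variables assigned at control scope while `audit_lines_exist` is a plain local; InSpec appears to evaluate every control of a profile against one shared context object, so instance variables set by one control stay visible to the others and a control that reads before assigning would silently inherit another's value, which is why the two should become locals (`audit_file = '/etc/shadow'`, `perms = auditd.file(audit_file).permissions`). The replacement also drops the `its('action.uniq') { should eq ['always'] }` and `its('list.uniq') { should eq ['exit'] }` expectations that the removed V-75695 code carried (so those attributes are presumably available for this rule type too), leaving only `should_not include 'never'`, which accepts a rule whose action or list differ from what `-w /etc/shadow -p wa` produces. Note too that `line.include?(@audit_file)` is a substring test, so a rule for a longer path beginning with `/etc/shadow` satisfies the existence check and the failure then surfaces through `should_not cmp []` rather than the more descriptive `Audit line(s) for /etc/shadow exist` describe written for that case.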
@@ -9383,34 +9375,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75847' do\n title \"The SSH daemon must perform strict mode checking of home directory\nconfiguration files.\"\n desc \"If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75847'\n tag \"rid\": 'SV-90527r2_rule'\n tag \"stig_id\": 'UBTU-16-030330'\n tag \"fix_id\": 'F-82477r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon performs strict mode checking of home\ndirectory configuration files.\n\nCheck that the SSH daemon performs strict mode checking of home directory\nconfiguration files with the following command:\n\n# grep StrictModes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf \\\"StrictModes\\\" is set to \\\"no\\\", is missing, or the returned line is\ncommented out, this is a finding.\"\n desc 'fix', \"Configure SSH to perform strict mode checking of home directory\nconfiguration files. Uncomment the \\\"StrictModes\\\" keyword in\n\\\"/etc/ssh/sshd_config\\\" and set the value to \\\"yes\\\":\n\nStrictModes yes\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n describe sshd_config do\n its('StrictModes') { should cmp 'yes' }\n end\nend\n", + "code": "control 'V-75597' do\n title 'The /var/log directory must have mode 0770 or less permissive.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75597'\n tag \"rid\": 'SV-90277r3_rule'\n tag \"stig_id\": 'UBTU-16-010960'\n tag \"fix_id\": 'F-82225r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the \\\"/var/log\\\" directory has a mode of \\\"0770\\\"\nor less.\n\nCheck the mode of the \\\"/var/log\\\" directory with the following command:\n\n# stat -c \\\"%a %n\\\" /var/log\n\n770\n\nIf a value of \\\"0770\\\" or less permissive is not returned, this is a finding.\"\n desc 'fix', \"Change the permissions of the directory \\\"/var/log\\\" to \\\"0770\\\"\nby running the following command:\n\n# 
sudo chmod 0770 /var/log\"\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0770') }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75847.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75597.rb", "line": 3 }, - "id": "V-75847" + "id": "V-75597" }, { - "title": "Off-loading audit records to another system must be authenticated.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "title": "File systems that are being imported via Network File System (NFS)\nmust be mounted to prevent files with the setuid and setguid bit set from being\nexecuted.", + "desc": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", - "check": "Verify the audit system authenticates off-loading audit records\nto a different system.\n\nCheck that the off-loading of audit records to a different system is\nauthenticated with the following command:\n\n# sudo grep enable /etc/audisp/audisp-remote.conf\n\nenable_krb5 = yes\n\nIf “enable_krb5” option is not set to \"yes\" or the line is commented out,\nthis is a finding.", - "fix": "Configure the audit system to authenticate off-loading audit\nrecords to a different system.\n\nUncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and\nset it to \"yes\". 
See the example below.\n\nenable_krb5 = yes"
+ "default": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.",
+ "check": "Verify file systems that are being Network File System (NFS)\nimported are mounted with the \"nosuid\" option.\n\nFind the file system(s) that contain the directories being exported with the\nfollowing command:\n\n# grep nfs /etc/fstab | grep nosuid\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs\nrw,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the\n\"nosuid\" option set, this is a finding.",
+ "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file\nsystems that are being imported via Network File System (NFS)."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000479-GPOS-00224",
- "gid": "V-75633",
- "rid": "SV-90313r1_rule",
- "stig_id": "UBTU-16-020080",
- "fix_id": "F-82261r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-75579",
+ "rid": "SV-90259r3_rule",
+ "stig_id": "UBTU-16-010820",
+ "fix_id": "F-82207r2_fix",
 "cci": [
- "CCI-001851"
+ "CCI-000366"
 ],
 "nist": [
- "AU-4 (1)",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
@@ -9424,34 +9416,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75633' do\n title 'Off-loading audit records to another system must be authenticated.'\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-75633'\n tag \"rid\": 'SV-90313r1_rule'\n tag \"stig_id\": 'UBTU-16-020080'\n tag \"fix_id\": 'F-82261r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit system authenticates off-loading audit records\nto a different system.\n\nCheck that the off-loading of audit records to a different system is\nauthenticated with the following command:\n\n# sudo grep enable /etc/audisp/audisp-remote.conf\n\nenable_krb5 = yes\n\nIf “enable_krb5” option is not set to \\\"yes\\\" or the line is commented out,\nthis is a finding.\"\n desc 'fix', \"Configure the audit system to authenticate off-loading audit\nrecords to a different system.\n\nUncomment the \\\"enable_krb5\\\" option in \\\"/etc/audisp/audisp-remote.conf\\\" and\nset it to \\\"yes\\\". 
See the example below.\n\nenable_krb5 = yes\"\n\n config_file_exists = file('/etc/audisp/audisp-remote.conf').exist?\n\n if config_file_exists\n describe auditd_conf('/etc/audisp/audisp-remote.conf') do\n its('enable_krb5') { should_not be_empty }\n its('enable_krb5') { should cmp 'yes' }\n end\n else\n describe '/etc/audisp/audisp-remote.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75579' do\n title \"File systems that are being imported via Network File System (NFS)\nmust be mounted to prevent files with the setuid and setguid bit set from being\nexecuted.\"\n desc \"The \\\"nosuid\\\" mount option causes the system to not execute\n\\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75579'\n tag \"rid\": 'SV-90259r3_rule'\n tag \"stig_id\": 'UBTU-16-010820'\n tag \"fix_id\": 'F-82207r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify file systems that are being Network File System (NFS)\nimported are mounted with the \\\"nosuid\\\" option.\n\nFind the file system(s) that contain the directories being exported with the\nfollowing command:\n\n# grep nfs /etc/fstab | grep nosuid\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs\nrw,nosuid 0 0\n\nIf a file system found in 
\\\"/etc/fstab\\\" refers to NFS and it does not have the\n\\\"nosuid\\\" option set, this is a finding.\"\n desc 'fix', \"Configure the \\\"/etc/fstab\\\" to use the \\\"nosuid\\\" option on file\nsystems that are being imported via Network File System (NFS).\"\n\n device_rules = etc_fstab.where { file_system_type == 'nfs' }.entries\n if device_rules.count > 0\n device_rules.each do |device_rule|\n describe device_rule do\n its ('mount_options') { should include 'nosuid' }\n end\n end\n else\n describe 'No NFS mounts found on the system' do\n subject { device_rules }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75633.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75579.rb", "line": 3 }, - "id": "V-75633" + "id": "V-75579" }, { - "title": "The Ubuntu operating system must prevent direct login into the root\naccount.", - "desc": "To assure individual accountability and prevent unauthorized access,\norganizational users must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\nExamples of the group authenticator is the UNIX OS \"root\" user account, the\nWindows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\n For example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials\nand, when needed, 'switch' to the administrator role. 
This method provides for\nunique individual authentication prior to using a group authenticator.\n\n Users (and any processes acting on behalf of users) need to be uniquely\nidentified and authenticated for all accesses other than those accesses\nexplicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the Ubuntu operating system\nwithout identification or authentication.\n\n Requiring individuals to be authenticated with an individual authenticator\nprior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be\ntaken with group account knowledge.", + "title": "The Ubuntu operating system must not allow interfaces to perform\nInternet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP)\nredirects by default.", + "desc": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. These messages contain information from the system's route table,\npossibly revealing portions of the network topology.", "descriptions": { - "default": "To assure individual accountability and prevent unauthorized access,\norganizational users must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\nExamples of the group authenticator is the UNIX OS \"root\" user account, the\nWindows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\n For example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials\nand, when needed, 'switch' to the administrator role. 
This method provides for\nunique individual authentication prior to using a group authenticator.\n\n Users (and any processes acting on behalf of users) need to be uniquely\nidentified and authenticated for all accesses other than those accesses\nexplicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the Ubuntu operating system\nwithout identification or authentication.\n\n Requiring individuals to be authenticated with an individual authenticator\nprior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be\ntaken with group account knowledge.", - "check": "Verify the Ubuntu operating system prevents direct logins to\nthe root account.\n\nCheck that the Ubuntu operating system prevents direct logins to the root\naccount with the following command:\n\n# grep root /etc/shadow\n\nroot L 11/11/2017 0 99999 7 -1\n\nIf any output is returned and the second field is not an \"L\", this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to prevent direct logins to\nthe root account.\n\nRun the following command to lock the root account:\n\n# passwd -l root" + "default": "Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. 
These messages contain information from the system's route table,\npossibly revealing portions of the network topology.", + "check": "Verify the Ubuntu operating system does not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects by default.\n\nCheck the value of the \"default send_redirects\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects by default with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.send_redirects=0" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000109-GPOS-00056", - "gid": "V-75445", - "rid": "SV-90125r3_rule", - "stig_id": "UBTU-16-010080", - "fix_id": "F-82073r3_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75883", + "rid": "SV-90563r2_rule", + "stig_id": "UBTU-16-030580", + "fix_id": "F-82513r2_fix", "cci": [ - "CCI-000770" + "CCI-000366" ], "nist": [ - "IA-2 (5)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
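Review bot: In the new `code` string for V-75579, `etc_fstab.where { file_system_type == 'nfs' }` selects only entries whose type is exactly `nfs`, so an NFSv4 mount declared with type `nfs4` is never examined and a missing `nosuid` on it passes silently, while the STIG check text's `grep nfs /etc/fstab` would have matched it. Consider `device_rules = etc_fstab.where { %w[nfs nfs4].include?(file_system_type) }.entries`. Since this JSON is an export (see the `source_location.ref` in the same hunk), the change belongs in `./Ubuntu 16.04 STIG/controls/V-75579.rb` with the baseline regenerated afterwards.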
@@ -9465,46 +9457,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75445' do\n title \"The Ubuntu operating system must prevent direct login into the root\naccount.\"\n desc \"To assure individual accountability and prevent unauthorized access,\norganizational users must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\nExamples of the group authenticator is the UNIX OS \\\"root\\\" user account, the\nWindows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\n For example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials\nand, when needed, 'switch' to the administrator role. This method provides for\nunique individual authentication prior to using a group authenticator.\n\n Users (and any processes acting on behalf of users) need to be uniquely\nidentified and authenticated for all accesses other than those accesses\nexplicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the Ubuntu operating system\nwithout identification or authentication.\n\n Requiring individuals to be authenticated with an individual authenticator\nprior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be\ntaken with group account knowledge.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000109-GPOS-00056'\n tag \"gid\": 'V-75445'\n tag \"rid\": 'SV-90125r3_rule'\n tag \"stig_id\": 'UBTU-16-010080'\n tag \"fix_id\": 'F-82073r3_fix'\n tag \"cci\": ['CCI-000770']\n tag \"nist\": ['IA-2 (5)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag 
\"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to\nthe root account.\n\nCheck that the Ubuntu operating system prevents direct logins to the root\naccount with the following command:\n\n# grep root /etc/shadow\n\nroot L 11/11/2017 0 99999 7 -1\n\nIf any output is returned and the second field is not an \\\"L\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to\nthe root account.\n\nRun the following command to lock the root account:\n\n# passwd -l root\"\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords') { should include '!*' }\n end\n end\nend\n", + "code": "control 'V-75883' do\n title \"The Ubuntu operating system must not allow interfaces to perform\nInternet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP)\nredirects by default.\"\n desc \"Internet Control Message Protocol (ICMP) redirect messages are used by\nrouters to inform hosts that a more direct route exists for a particular\ndestination. 
These messages contain information from the system's route table,\npossibly revealing portions of the network topology.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75883'\n tag \"rid\": 'SV-90563r2_rule'\n tag \"stig_id\": 'UBTU-16-030580'\n tag \"fix_id\": 'F-82513r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects by default.\n\nCheck the value of the \\\"default send_redirects\\\" variables with the following\ncommand:\n\n# sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \\\"0\\\", or a line is not returned,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not allow interfaces to\nperform Internet Protocol version 4 (IPv4) Internet Control Message Protocol\n(ICMP) redirects by default with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.default.send_redirects=0\"\n\n describe kernel_parameter('net.ipv4.conf.default.send_redirects') do\n its('value') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75445.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75883.rb", "line": 3 }, - "id": "V-75445" + "id": "V-75883" }, { - "title": "Audit logs 
must be group-owned by root to prevent unauthorized read\naccess.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", + "title": "The Ubuntu operating system must require the change of at least 8\ncharacters when passwords are changed.", + "desc": "If the Ubuntu operating system allows the user to consecutively reuse\nextensive portions of passwords, this increases the chances of password\ncompromise by increasing the window of opportunity for attempts at guessing and\nbrute-force attacks.\n\n The number of changed characters refers to the number of changes required\nwith respect to the total number of positions in the current password. In other\nwords, characters may be the same within the two passwords; however, the\npositions of the like characters must be different.\n\n If the password length is an odd number then number of changed characters\nmust be rounded up. For example, a password length of 15 characters must\nrequire the change of at least 8 characters.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.", - "check": "Verify the audit logs are group-owned by \"root\". 
First\ndetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is\ngroup-owned by \"root\" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\nrw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not group-owned by \"root\", this is a finding.", - "fix": "Configure the audit log to be protected from unauthorized read\naccess, by setting the correct group-owner as \"root\" with the following\ncommand:\n\n# sudo chgrp root [audit_log_file]\n\nReplace \"[audit_log_file]\" to the correct audit log path, by default this\nlocation is \"/var/log/audit/audit.log\"." + "default": "If the Ubuntu operating system allows the user to consecutively reuse\nextensive portions of passwords, this increases the chances of password\ncompromise by increasing the window of opportunity for attempts at guessing and\nbrute-force attacks.\n\n The number of changed characters refers to the number of changes required\nwith respect to the total number of positions in the current password. In other\nwords, characters may be the same within the two passwords; however, the\npositions of the like characters must be different.\n\n If the password length is an odd number then number of changed characters\nmust be rounded up. 
For example, a password length of 15 characters must\nrequire the change of at least 8 characters.", + "check": "Verify the Ubuntu operating system requires the change of at\nleast \"8\" characters when passwords are changed.\n\nDetermine if the field \"difok\" is set in the \"/etc/security/pwquality.conf\"\nfile with the following command:\n\n# grep -i \"difok\" /etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\", or is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to require the change of at\nleast \"8\" characters when passwords are changed.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file\nto include the \"difok=8\" parameter:\n\ndifok=8" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029", - "SRG-OS-000206-GPOS-00084" - ], - "gid": "V-75641", - "rid": "SV-90321r2_rule", - "stig_id": "UBTU-16-020120", - "fix_id": "F-82269r2_fix", + "gtitle": "SRG-OS-000072-GPOS-00040", + "gid": "V-75457", + "rid": "SV-90137r2_rule", + "stig_id": "UBTU-16-010140", + "fix_id": "F-82085r2_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164", - "CCI-001314" + "CCI-000195" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", - "SI-11 b", + "IA-5 (1) (b)", "Rev_4" ], "false_negatives": null, 
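Review bot: The assertion at the end of V-75883's `code` string, `describe kernel_parameter('net.ipv4.conf.default.send_redirects')`, reads only the running kernel value, whereas the fix text also requires the line in `/etc/sysctl.conf` or a file under `/etc/sysctl.d`; a value applied with `sysctl -w` alone passes this control and reverts at the next boot. If verifying persistence is out of scope for the control, a comment above the describe block such as `# checks the running kernel value only; persistence in /etc/sysctl.conf or /etc/sysctl.d is not verified` would make the gap explicit to whoever reads the result. As this file is a generated export, the comment belongs in `./Ubuntu 16.04 STIG/controls/V-75883.rb`.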
@@ -9518,34 +9498,40 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75641' do\n title \"Audit logs must be group-owned by root to prevent unauthorized read\naccess.\"\n desc \"Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit Ubuntu operating system\nactivity.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": %w[SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028\n SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084]\n tag \"gid\": 'V-75641'\n tag \"rid\": 'SV-90321r2_rule'\n tag \"stig_id\": 'UBTU-16-020120'\n tag \"fix_id\": 'F-82269r2_fix'\n tag \"cci\": %w[CCI-000162 CCI-000163 CCI-000164 CCI-001314]\n tag \"nist\": ['AU-9', 'AU-9', 'AU-9', 'SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit logs are group-owned by \\\"root\\\". 
First\ndetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is\ngroup-owned by \\\"root\\\" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\nrw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not group-owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit log to be protected from unauthorized read\naccess, by setting the correct group-owner as \\\"root\\\" with the following\ncommand:\n\n# sudo chgrp root [audit_log_file]\n\nReplace \\\"[audit_log_file]\\\" to the correct audit log path, by default this\nlocation is \\\"/var/log/audit/audit.log\\\".\"\n\n log_file_path = auditd_conf.log_file\n\n describe file(log_file_path) do\n its('group') { should cmp 'root' }\n end\nend\n", + "code": "control 'V-75457' do\n title \"The Ubuntu operating system must require the change of at least 8\ncharacters when passwords are changed.\"\n desc \"If the Ubuntu operating system allows the user to consecutively reuse\nextensive portions of passwords, this increases the chances of password\ncompromise by increasing the window of opportunity for attempts at guessing and\nbrute-force attacks.\n\n The number of changed characters refers to the number of changes required\nwith respect to the total number of positions in the current password. In other\nwords, characters may be the same within the two passwords; however, the\npositions of the like characters must be different.\n\n If the password length is an odd number then number of changed characters\nmust be rounded up. 
For example, a password length of 15 characters must\nrequire the change of at least 8 characters.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000072-GPOS-00040'\n tag \"gid\": 'V-75457'\n tag \"rid\": 'SV-90137r2_rule'\n tag \"stig_id\": 'UBTU-16-010140'\n tag \"fix_id\": 'F-82085r2_fix'\n tag \"cci\": ['CCI-000195']\n tag \"nist\": ['IA-5 (1) (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system requires the change of at\nleast \\\"8\\\" characters when passwords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the \\\"/etc/security/pwquality.conf\\\"\nfile with the following command:\n\n# grep -i \\\"difok\\\" /etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\", or is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at\nleast \\\"8\\\" characters when passwords are changed.\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file\nto include the \\\"difok=8\\\" parameter:\n\ndifok=8\"\n\n min_num_characters_to_change = input('min_num_characters_to_change')\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp min_num_characters_to_change }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75641.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75457.rb", "line": 3 }, - "id": "V-75641" + "id": "V-75457" }, { - 
"title": "All local interactive user home directories must have mode 0750 or\nless permissive.", - "desc": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", + "title": "The Ubuntu operating system must encrypt all stored passwords with a\nFIPS 140-2 approved cryptographic hashing algorithm.", + "desc": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.", "descriptions": { - "default": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", - "check": "Verify the assigned home directory of all local interactive\nusers has a mode of \"0750\" or less permissive.\n\nCheck the home directory assignment for all non-privileged users with the\nfollowing command:\n\nNote: This may miss interactive users that have been assigned a privileged User\nIdentifier (UID). Evidence of interactive use may be obtained from a number of\nlog files containing system logon information.\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\"nobody\"){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nIf home directories referenced in \"/etc/passwd\" do not have a mode of\n\"0750\" or less permissive, this is a finding.", - "fix": "Change the mode of interactive user’s home directories to\n\"0750\". 
To change the mode of a local interactive user’s home directory, use\nthe following command:\n\nNote: The example will be for the user \"smithj\".\n\n# chmod 0750 /home/smithj" + "default": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.", + "check": "Verify that the shadow password suite configuration is set to\nencrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is being used to hash passwords with the\nfollowing command:\n\n# cat /etc/login.defs | grep -i crypt\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or greater, this is a finding.", + "fix": "Configure the Ubuntu operating system to encrypt all stored\npasswords.\n\nEdit/Modify the following line in the \"/etc/login.defs\" file and set\n\"[ENCRYPT_METHOD]\" to SHA512.\n\nENCRYPT_METHOD SHA512" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75565", - "rid": "SV-90245r1_rule", - "stig_id": "UBTU-16-010750", - "fix_id": "F-82193r1_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "satisfies": [ + "SRG-OS-000073-GPOS-00041", + "SRG-OS-000120-GPOS-00061" + ], + "gid": "V-75459", + "rid": "SV-90139r1_rule", + "stig_id": "UBTU-16-010150", + "fix_id": "F-82087r1_fix", "cci": [ - "CCI-000366" + "CCI-000196", + "CCI-000803" ], "nist": [ - "CM-6 b", + "IA-5 (1) (c)", + "IA-7", "Rev_4" ], "false_negatives": null, 
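Review bot: In V-75457's `code` string, `its('difok') { should cmp min_num_characters_to_change }` tests for equality, but the STIG check text in the same hunk marks a finding only when `difok` is less than 8, so a stricter configuration such as `difok=10` is reported as a failure. Use `its('difok') { should cmp >= min_num_characters_to_change }` so that compliant, stricter values pass while commented-out or lower values still fail. The fix belongs in `./Ubuntu 16.04 STIG/controls/V-75457.rb`, since this JSON is regenerated from it.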
@@ -9559,37 +9545,78 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75565' do\n title \"All local interactive user home directories must have mode 0750 or\nless permissive.\"\n desc \"Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75565'\n tag \"rid\": 'SV-90245r1_rule'\n tag \"stig_id\": 'UBTU-16-010750'\n tag \"fix_id\": 'F-82193r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the assigned home directory of all local interactive\nusers has a mode of \\\"0750\\\" or less permissive.\n\nCheck the home directory assignment for all non-privileged users with the\nfollowing command:\n\nNote: This may miss interactive users that have been assigned a privileged User\nIdentifier (UID). Evidence of interactive use may be obtained from a number of\nlog files containing system logon information.\n\n# ls -ld $(awk -F: '($3>=1000)&&($1!=\\\"nobody\\\"){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nIf home directories referenced in \\\"/etc/passwd\\\" do not have a mode of\n\\\"0750\\\" or less permissive, this is a finding.\"\n desc 'fix', \"Change the mode of interactive user’s home directories to\n\\\"0750\\\". 
To change the mode of a local interactive user’s home directory, use\nthe following command:\n\nNote: The example will be for the user \\\"smithj\\\".\n\n# chmod 0750 /home/smithj\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -maxdepth 0 -perm /027\").stdout.split(\"\\n\")\n end\n describe 'Home directories with excessive permissions' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", + "code": "control 'V-75459' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a\nFIPS 140-2 approved cryptographic hashing algorithm.\"\n desc \"Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. 
If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"satisfies\": %w[SRG-OS-000073-GPOS-00041 SRG-OS-000120-GPOS-00061]\n tag \"gid\": 'V-75459'\n tag \"rid\": 'SV-90139r1_rule'\n tag \"stig_id\": 'UBTU-16-010150'\n tag \"fix_id\": 'F-82087r1_fix'\n tag \"cci\": %w[CCI-000196 CCI-000803]\n tag \"nist\": ['IA-5 (1) (c)', 'IA-7', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the shadow password suite configuration is set to\nencrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is being used to hash passwords with the\nfollowing command:\n\n# cat /etc/login.defs | grep -i crypt\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or greater, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored\npasswords.\n\nEdit/Modify the following line in the \\\"/etc/login.defs\\\" file and set\n\\\"[ENCRYPT_METHOD]\\\" to SHA512.\n\nENCRYPT_METHOD SHA512\"\n\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75565.rb", + "ref": "./Ubuntu 16.04 
STIG/controls/V-75459.rb", "line": 3 }, - "id": "V-75565" + "id": "V-75459" }, { - "title": "Successful/unsuccessful uses of the chacl command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The auditd service must be running in the Ubuntu operating system.", + "desc": "Configuring the Ubuntu operating system to implement organization-wide\nsecurity implementation guides and security checklists ensures compliance with\nfederal standards and establishes a common security baseline across DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chacl\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w chacl /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chacl\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Configuring the Ubuntu operating system to implement organization-wide\nsecurity implementation guides and security checklists ensures compliance with\nfederal standards and establishes a common security baseline across DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", + "check": "Verify the audit service is active.\n\nCheck that the audit service is active with the following command:\n\n# service auditd status\nActive: active (running)\n\nIf the service is not active this is a finding.", + "fix": "Start the auditd service, and enable the auditd service with the\nfollowing commands:\n\nStart the audit service.\n# systemctl start auditd.service\n\nEnable auditd in the targets of the system.\n# systemctl enable auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75769", - "rid": "SV-90449r3_rule", - "stig_id": "UBTU-16-020720", - "fix_id": "F-82397r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-80959", + "rid": "SV-95671r1_rule", + "stig_id": "UBTU-16-020010", + 
"fix_id": "F-87819r1_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null + }, + "code": "control 'V-80959' do\n title 'The auditd service must be running in the Ubuntu operating system.'\n desc \"Configuring the Ubuntu operating system to implement organization-wide\nsecurity implementation guides and security checklists ensures compliance with\nfederal standards and establishes a common security baseline across DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-80959'\n tag \"rid\": 'SV-95671r1_rule'\n tag \"stig_id\": 'UBTU-16-020010'\n tag \"fix_id\": 'F-87819r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit service is active.\n\nCheck that the audit service is active with the following command:\n\n# service auditd status\nActive: active (running)\n\nIf the service is not active this is a finding.\"\n desc 'fix', \"Start the auditd service, and enable the auditd service with the\nfollowing commands:\n\nStart the audit service.\n# systemctl start auditd.service\n\nEnable auditd in the targets of the system.\n# systemctl enable auditd.service\"\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "source_location": { + "ref": "./Ubuntu 16.04 STIG/controls/V-80959.rb", + "line": 3 + }, + "id": "V-80959" + }, + { + "title": "Successful/unsuccessful uses of the creat command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "descriptions": { 
+ "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"creat\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -iw creat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"creat\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75749", + "rid": "SV-90429r3_rule", + "stig_id": "UBTU-16-020620", + "fix_id": "F-82377r2_fix", "cci": [ "CCI-000130", "CCI-000135", 
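Review bot: V-75459's test asserts `ENCRYPT_METHOD` equals `'SHA512'` exactly, which is stricter than the check text's "SHA512 or greater" and, more to the point, only covers the shadow-suite tools that read `/etc/login.defs`; on Ubuntu, password changes made through `passwd`/PAM are hashed by `pam_unix` according to `/etc/pam.d/common-password`, so a host whose pam_unix line has lost its `sha512` option would presumably still pass this control (confirm against the target's PAM stack). A complementary assertion such as `describe file('/etc/pam.d/common-password') do its('content') { should match(/pam_unix\.so.*\bsha512\b/) } end` would close that gap, and a spot check that hashes in `/etc/shadow` carry the `$6$` prefix would verify the stored result rather than the configuration. Separately, V-80959's check text uses `service auditd status` while its fix uses `systemctl`; the InSpec `service('auditd')` resource is fine, but the prose should stick to one service manager so an assessor following it by hand gets the same answer the test does.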
@@ -9616,34 +9643,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75769' do\n title \"Successful/unsuccessful uses of the chacl command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75769'\n tag \"rid\": 'SV-90449r3_rule'\n tag \"stig_id\": 'UBTU-16-020720'\n tag \"fix_id\": 'F-82397r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chacl\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chacl /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', 
\"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chacl\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75749' do\n title \"Successful/unsuccessful uses of the creat command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75749'\n tag \"rid\": 'SV-90429r3_rule'\n tag \"stig_id\": 'UBTU-16-020620'\n tag \"fix_id\": 'F-82377r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag 
\"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"creat\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -iw creat /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"creat\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('creat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('creat').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('creat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('creat').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75769.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75749.rb", "line": 3 }, - "id": "V-75769" + "id": "V-75749" }, { - "title": "Passwords for new users must have a 24 hours/1 day minimum password\nlifetime restriction.", - "desc": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, then the password could be repeatedly changed in a short period of\ntime to defeat the organization's policy regarding password reuse.", + "title": "The Ubuntu operating system must not forward Internet Protocol version\n4 (IPv4) source-routed packets.", + "desc": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. 
This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", "descriptions": { - "default": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, then the password could be repeatedly changed in a short period of\ntime to defeat the organization's policy regarding password reuse.", - "check": "Verify that the Ubuntu operating system enforces a 24 hours/1\nday minimum password lifetime for new user accounts by running the following\ncommand:\n\n# grep -i pass_min_days /etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than or equal to \"1\", or\ncommented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to enforce a 24 hours/1 day\nminimum password lifetime.\n\nAdd, or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1" + "default": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. 
This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", + "check": "Verify the Ubuntu operating system does not accept IPv4\nsource-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route=0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or\nthe returned line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to not forward Internet\nProtocol version 4 (IPv4) source-routed packets with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_source_route=0" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000075-GPOS-00043", - "gid": "V-75471", - "rid": "SV-90151r2_rule", - "stig_id": "UBTU-16-010210", - "fix_id": "F-82099r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75873", + "rid": "SV-90553r3_rule", + "stig_id": "UBTU-16-030530", + "fix_id": "F-82503r3_fix", "cci": [ - "CCI-000198" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
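Review bot: V-75749's InSpec code asserts `arch == 'b32'` creat rules on every host (those two describe blocks sit outside the `if os.arch == 'x86_64'` guard), yet the control's check and fix text in the same code string list only `arch=b64` rules, so a host remediated exactly as documented fails the automated test. Auditing the b32 ABI is the right call on x86_64, since 32-bit syscalls do not match b64 rules, so the documentation should catch up to the code rather than the reverse: add `-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access` and its `-EACCES` twin to the check and fix text. Note also that these rules only capture failed calls (`exit=-EPERM`/`-EACCES`) even though the title promises successful and unsuccessful uses; that is inherited STIG wording, but a one-line comment in the control saying so would stop readers expecting successful creat() calls to be logged. For V-75873, `kernel_parameter(...)` inspects the live value only, so a bare `sysctl -w` satisfies the test until the next reboot; if persistence matters, a second check that `net.ipv4.conf.all.accept_source_route=0` is also present in `/etc/sysctl.conf` or `/etc/sysctl.d/` would catch that.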
@@ -9657,34 +9684,38 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75471' do\n title \"Passwords for new users must have a 24 hours/1 day minimum password\nlifetime restriction.\"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, then the password could be repeatedly changed in a short period of\ntime to defeat the organization's policy regarding password reuse.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000075-GPOS-00043'\n tag \"gid\": 'V-75471'\n tag \"rid\": 'SV-90151r2_rule'\n tag \"stig_id\": 'UBTU-16-010210'\n tag \"fix_id\": 'F-82099r2_fix'\n tag \"cci\": ['CCI-000198']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system enforces a 24 hours/1\nday minimum password lifetime for new user accounts by running the following\ncommand:\n\n# grep -i pass_min_days /etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than or equal to \\\"1\\\", or\ncommented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day\nminimum password lifetime.\n\nAdd, or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1\"\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n", + "code": "control 'V-75873' do\n title \"The Ubuntu operating system must not forward Internet Protocol version\n4 (IPv4) source-routed packets.\"\n desc \"Source-routed packets allow the source of the 
packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75873'\n tag \"rid\": 'SV-90553r3_rule'\n tag \"stig_id\": 'UBTU-16-030530'\n tag \"fix_id\": 'F-82503r3_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not accept IPv4\nsource-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route=0\n\nIf the returned line does not have a value of \\\"0\\\", a line is not returned, or\nthe returned line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not forward Internet\nProtocol version 4 (IPv4) source-routed packets with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under \\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.all.accept_source_route=0\"\n\n describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do\n its('value') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75471.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75873.rb", 
"line": 3 }, - "id": "V-75471" + "id": "V-75873" }, { - "title": "The System Administrator (SA) and Information System Security Officer\n(ISSO) (at a minimum) must be alerted when the audit storage volume is full.", - "desc": "It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.", + "title": "The Ubuntu operating system for all network connections associated\nwith SSH traffic must immediately terminate at the end of the session or after\n10 minutes of inactivity.", + "desc": "Automatic session termination addresses the termination of\nuser-initiated logical sessions in contrast to the termination of network\nconnections that are associated with communications sessions (i.e., network\ndisconnect). 
A logical session (for local, network, and remote access) is\ninitiated whenever a user (or process acting on behalf of a user) accesses an\norganizational information system. Such user sessions can be terminated (and\nthus terminate user access) without terminating network sessions.\n\n Session termination terminates all processes associated with a user's\nlogical session except those processes that are specifically created by the\nuser (i.e., session owner) to continue after the session is terminated.\n\n Conditions or trigger events requiring automatic session termination can\ninclude, for example, organization-defined periods of user inactivity, targeted\nresponses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\n This capability is typically reserved for specific Ubuntu operating system\nfunctionality where the system owner, data owner, or organization requires\nadditional assurance.", "descriptions": { - "default": "It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. 
Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.", - "check": "Verify that the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) are notified when the audit\nstorage volume is full.\n\nCheck which action the Ubuntu operating system takes when the audit storage\nvolume is full with the following command:\n\n# sudo grep max_log_file_action /etc/audit/auditd.conf\n\nmax_log_file_action=syslog\n\nIf the value of the \"max_log_file_action\" option is set to \"ignore\",\n\"rotate\", or \"suspend\", or the line is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to notify the System\nAdministrator (SA) and Information System Security Officer (ISSO) when the\naudit storage volume is full by configuring the \"max_log_file_action\"\nparameter in the \"/etc/audit/auditd.conf\" file with the a value of \"syslog\"\nor \"keep_logs\":\n\nmax_log_file_action=syslog" + "default": "Automatic session termination addresses the termination of\nuser-initiated logical sessions in contrast to the termination of network\nconnections that are associated with 
communications sessions (i.e., network\ndisconnect). A logical session (for local, network, and remote access) is\ninitiated whenever a user (or process acting on behalf of a user) accesses an\norganizational information system. Such user sessions can be terminated (and\nthus terminate user access) without terminating network sessions.\n\n Session termination terminates all processes associated with a user's\nlogical session except those processes that are specifically created by the\nuser (i.e., session owner) to continue after the session is terminated.\n\n Conditions or trigger events requiring automatic session termination can\ninclude, for example, organization-defined periods of user inactivity, targeted\nresponses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\n This capability is typically reserved for specific Ubuntu operating system\nfunctionality where the system owner, data owner, or organization requires\nadditional assurance.", + "check": "Verify that all network connections associated with SSH traffic\nare automatically terminated at the end of the session or after \"10\" minutes\nof inactivity.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or\nless by performing the following command:\n\n# sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nClientAliveCountMax 1\n\nIf \"ClientAliveInterval\" or \"ClientAliveCountMax\" does not exist,\n\"ClientAliveInterval\" is not set to a value of \"600\" or less and\n\"ClientAliveCountMax\" is not set to a value of \"1\" or greater in\n\"/etc/ssh/sshd_config\", or either line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to automatically terminate\nall network connections associated with SSH traffic at the end of a session or\nafter a \"10\" minute period of inactivity.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file\nreplacing \"[Interval]\" 
with a value of \"600\" or less and \"[CountMax] with\na value of \"1\" or greater:\n\nClientAliveInterval 600\n\nClientAliveCountMax 1\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n# sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000047-GPOS-00023", - "gid": "V-75627", - "rid": "SV-90307r1_rule", - "stig_id": "UBTU-16-020050", - "fix_id": "F-82255r1_fix", + "gtitle": "SRG-OS-000163-GPOS-00072", + "gid": "V-75837", + "rid": "SV-90517r2_rule", + "stig_id": "UBTU-16-030270", + "fix_id": "F-82467r2_fix", "cci": [ - "CCI-000140" + "CCI-000879", + "CCI-001133", + "CCI-002361" ], "nist": [ - "AU-5 b", + "MA-4 e", + "SC-10", + "AC-12", "Rev_4" ], "false_negatives": null, 
@@ -9698,43 +9729,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75627' do\n title \"The System Administrator (SA) and Information System Security Officer\n(ISSO) (at a minimum) must be alerted when the audit storage volume is full.\"\n desc \"It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. 
Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000047-GPOS-00023'\n tag \"gid\": 'V-75627'\n tag \"rid\": 'SV-90307r1_rule'\n tag \"stig_id\": 'UBTU-16-020050'\n tag \"fix_id\": 'F-82255r1_fix'\n tag \"cci\": ['CCI-000140']\n tag \"nist\": ['AU-5 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) are notified when the audit\nstorage volume is full.\n\nCheck which action the Ubuntu operating system takes when the audit storage\nvolume is full with the following command:\n\n# sudo grep max_log_file_action /etc/audit/auditd.conf\n\nmax_log_file_action=syslog\n\nIf the value of the \\\"max_log_file_action\\\" option is set to \\\"ignore\\\",\n\\\"rotate\\\", or \\\"suspend\\\", or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to notify the System\nAdministrator (SA) and Information System Security Officer (ISSO) when the\naudit storage volume is full by configuring the \\\"max_log_file_action\\\"\nparameter in the \\\"/etc/audit/auditd.conf\\\" file with the a value of \\\"syslog\\\"\nor \\\"keep_logs\\\":\n\nmax_log_file_action=syslog\"\n\n describe auditd_conf do\n its('max_log_file_action') { should_not be_empty }\n its('max_log_file_action') { should_not cmp /(?:ignore|rotate|suspend)/i }\n its('max_log_file_action') { should cmp /(?:syslog|keep_logs)/i }\n end\nend\n", + "code": "control 'V-75837' do\n title \"The Ubuntu operating system for all network 
connections associated\nwith SSH traffic must immediately terminate at the end of the session or after\n10 minutes of inactivity.\"\n desc \"Automatic session termination addresses the termination of\nuser-initiated logical sessions in contrast to the termination of network\nconnections that are associated with communications sessions (i.e., network\ndisconnect). A logical session (for local, network, and remote access) is\ninitiated whenever a user (or process acting on behalf of a user) accesses an\norganizational information system. Such user sessions can be terminated (and\nthus terminate user access) without terminating network sessions.\n\n Session termination terminates all processes associated with a user's\nlogical session except those processes that are specifically created by the\nuser (i.e., session owner) to continue after the session is terminated.\n\n Conditions or trigger events requiring automatic session termination can\ninclude, for example, organization-defined periods of user inactivity, targeted\nresponses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\n This capability is typically reserved for specific Ubuntu operating system\nfunctionality where the system owner, data owner, or organization requires\nadditional assurance.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000163-GPOS-00072'\n tag \"gid\": 'V-75837'\n tag \"rid\": 'SV-90517r2_rule'\n tag \"stig_id\": 'UBTU-16-030270'\n tag \"fix_id\": 'F-82467r2_fix'\n tag \"cci\": %w[CCI-000879 CCI-001133 CCI-002361]\n tag \"nist\": ['MA-4 e', 'SC-10', 'AC-12', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all network connections associated with 
SSH traffic\nare automatically terminated at the end of the session or after \\\"10\\\" minutes\nof inactivity.\n\nCheck that the \\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or\nless by performing the following command:\n\n# sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nClientAliveCountMax 1\n\nIf \\\"ClientAliveInterval\\\" or \\\"ClientAliveCountMax\\\" does not exist,\n\\\"ClientAliveInterval\\\" is not set to a value of \\\"600\\\" or less and\n\\\"ClientAliveCountMax\\\" is not set to a value of \\\"1\\\" or greater in\n\\\"/etc/ssh/sshd_config\\\", or either line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate\nall network connections associated with SSH traffic at the end of a session or\nafter a \\\"10\\\" minute period of inactivity.\n\nModify or append the following lines in the \\\"/etc/ssh/sshd_config\\\" file\nreplacing \\\"[Interval]\\\" with a value of \\\"600\\\" or less and \\\"[CountMax] with\na value of \\\"1\\\" or greater:\n\nClientAliveInterval 600\n\nClientAliveCountMax 1\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n# sudo systemctl restart sshd.service\"\n\n client_alive_interval = input('client_alive_interval')\n client_alive_count_max = input('client_alive_count_max')\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp <= client_alive_interval }\n its('ClientAliveCountMax') { should cmp >= client_alive_count_max }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75627.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75837.rb", "line": 3 }, - "id": "V-75627" + "id": "V-75837" }, { - "title": "Audit tools must have a mode of 0755 or less permissive.", - "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "title": "Successful/unsuccessful uses of the apparmor_parser command must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.", - "check": "Verify the audit tools are protected from unauthorized access,\ndeletion, or modification by checking the permissive mode.\n\nCheck the octal permission of each audit tool by running the following command:\n\n#stat -c \"%a %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n755 /sbin/augenrules\n\nIf any of the audit tools has a mode more permissive than \"0755\", this is a\nfinding.", - "fix": "Configure the audit tools to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n# sudo chmod 0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the correct\npermissive mode." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"apparmor_parser\" command\noccur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w apparmor_parser /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"apparmor_parser\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F 
path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000256-GPOS-00097", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000256-GPOS-00097", - "SRG-OS-000257-GPOS-00098", - "SRG-OS-000258-GPOS-00099" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75653", - "rid": "SV-90333r2_rule", - "stig_id": "UBTU-16-020180", - "fix_id": "F-82281r1_fix", + "gid": "V-75765", + "rid": "SV-90445r3_rule", + "stig_id": "UBTU-16-020700", + "fix_id": "F-82393r2_fix", "cci": [ - "CCI-001493", - "CCI-001494", - "CCI-001495" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
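Review bot: The `describe sshd_config` block in the new V-75837 `code` string accepts `ClientAliveInterval 0`, because `should cmp <= client_alive_interval` holds for zero, yet in OpenSSH a zero interval disables client-alive probing entirely, so a host with no idle timeout at all passes a control whose `check` text demands termination after at most 10 minutes. Add a lower bound next to the existing assertion, `its('ClientAliveInterval') { should cmp > 0 }`, so the test matches the intent of the `check` text in this hunk. The effective idle timeout is `ClientAliveInterval * ClientAliveCountMax`, and the `>=` test on the count leaves that product unbounded; this mirrors the STIG wording but deserves a one-line comment in the control so readers do not assume the code enforces a 10-minute cap. The two `input()` calls carry no default, so if `client_alive_interval` and `client_alive_count_max` are not declared with values in the profile, the control presumably errors rather than fails; that cannot be confirmed from the hunk. The V-75765 object whose `descriptions` and `tags` close this hunk continues in the next hunk.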
@@ -9748,34 +9786,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75653' do\n title 'Audit tools must have a mode of 0755 or less permissive.'\n desc \"Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000256-GPOS-00097'\n tag \"satisfies\": %w[SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098\n SRG-OS-000258-GPOS-00099]\n tag \"gid\": 'V-75653'\n tag \"rid\": 'SV-90333r2_rule'\n tag \"stig_id\": 'UBTU-16-020180'\n tag \"fix_id\": 'F-82281r1_fix'\n tag \"cci\": %w[CCI-001493 CCI-001494 CCI-001495]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit tools are protected from unauthorized access,\ndeletion, or modification by checking the permissive mode.\n\nCheck the octal permission of each audit tool by running the following command:\n\n#stat -c \\\"%a %n\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n755 
/sbin/augenrules\n\nIf any of the audit tools has a mode more permissive than \\\"0755\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the audit tools to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n# sudo chmod 0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the correct\npermissive mode.\"\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\nend\n", + "code": "control 'V-75765' do\n title \"Successful/unsuccessful uses of the apparmor_parser command must\ngenerate an audit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75765'\n tag \"rid\": 'SV-90445r3_rule'\n tag \"stig_id\": 'UBTU-16-020700'\n tag \"fix_id\": 'F-82393r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system 
generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"apparmor_parser\\\" command\noccur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w apparmor_parser /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75653.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75765.rb", "line": 3 }, - "id": "V-75653" + "id": "V-75765" }, { - "title": "User accounts with temporary passwords, must require an immediate\nchange to a permanent password after login.", - "desc": "Without providing this capability, an account may be created without a\npassword. 
Non-repudiation cannot be guaranteed once an account is created if a\nuser is not forced to change the temporary password upon initial logon.\n\n Temporary passwords are typically used to allow access when new accounts\nare created or passwords are changed. It is common practice for administrators\nto create temporary passwords for user accounts which allow the users to log\non, yet force them to change the password once they have successfully\nauthenticated.", + "title": "File systems that are used with removable media must be mounted to\nprevent files with the setuid and setguid bit set from being executed.", + "desc": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Without providing this capability, an account may be created without a\npassword. Non-repudiation cannot be guaranteed once an account is created if a\nuser is not forced to change the temporary password upon initial logon.\n\n Temporary passwords are typically used to allow access when new accounts\nare created or passwords are changed. 
It is common practice for administrators\nto create temporary passwords for user accounts which allow the users to log\non, yet force them to change the password once they have successfully\nauthenticated.", - "check": "Verify a policy exists that ensures when a user account is\ncreated, it is created using a method that forces a user to change their\npassword upon their next login.\n\nIf a policy does not exist, this is a finding.", - "fix": "Create a policy that ensures when a user is created, it is\ncreated using a method that forces a user to change their password upon their\nnext login.\n\nBelow are two examples of how to create a user account that requires the user\nto change their password upon their next login.\n\n# chage -d 0 [UserName]\n\nor\n\n# passwd -e [UserName]" + "default": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "check": "Verify file systems that are used for removable media are\nmounted with the \"nosuid\" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to removable media and it does\nnot have the \"nosuid\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file\nsystems that are associated with removable media." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000380-GPOS-00165", - "gid": "V-75551", - "rid": "SV-90231r1_rule", - "stig_id": "UBTU-16-010680", - "fix_id": "F-82179r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75577", + "rid": "SV-90257r3_rule", + "stig_id": "UBTU-16-010810", + "fix_id": "F-82205r1_fix", "cci": [ - "CCI-002041" + "CCI-000366" ], "nist": [ - "IA-5 (1) (f)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
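Review bot: The new V-75765 `code` string passes any `-a always,exit` rule on `/sbin/apparmor_parser` whose permission field contains `x`, but it never asserts the `auid>=1000`, `auid!=4294967295` or `-k perm_chng` parts that the `check` text in this hunk requires, so a rule scoped to a different uid range or lacking the key is reported compliant. Adding `its('key') { should include 'perm_chng' }` inside the existing `describe auditd.file(@audit_file)` block would cover the key; the `auid` filters should be asserted on the rule's fields in the same block, if the auditd resource exposes them for `-F path=` rules — confirm against the resource version the profile pins. `audit_lines_exist` is computed with a substring `include?` over `auditd.lines`, which would also match any longer path that merely begins with `/sbin/apparmor_parser`; an exact comparison against the rule's `file` property is tighter. `@audit_file` and `@perms` are instance variables where plain locals suffice inside a control block; the surrounding InSpec controls in this file use locals. The JSON object for this control starts before the hunk.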
@@ -9789,34 +9827,48 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75551' do\n title \"User accounts with temporary passwords, must require an immediate\nchange to a permanent password after login.\"\n desc \"Without providing this capability, an account may be created without a\npassword. Non-repudiation cannot be guaranteed once an account is created if a\nuser is not forced to change the temporary password upon initial logon.\n\n Temporary passwords are typically used to allow access when new accounts\nare created or passwords are changed. It is common practice for administrators\nto create temporary passwords for user accounts which allow the users to log\non, yet force them to change the password once they have successfully\nauthenticated.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000380-GPOS-00165'\n tag \"gid\": 'V-75551'\n tag \"rid\": 'SV-90231r1_rule'\n tag \"stig_id\": 'UBTU-16-010680'\n tag \"fix_id\": 'F-82179r1_fix'\n tag \"cci\": ['CCI-002041']\n tag \"nist\": ['IA-5 (1) (f)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify a policy exists that ensures when a user account is\ncreated, it is created using a method that forces a user to change their\npassword upon their next login.\n\nIf a policy does not exist, this is a finding.\"\n desc 'fix', \"Create a policy that ensures when a user is created, it is\ncreated using a method that forces a user to change their password upon their\nnext login.\n\nBelow are two examples of how to create a user account that requires the user\nto change their password upon their next login.\n\n# chage -d 0 [UserName]\n\nor\n\n# passwd -e [UserName]\"\n\n describe 'Manual verification 
required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary users to change their password upon next login'\n end\nend\n", + "code": "control 'V-75577' do\n title \"File systems that are used with removable media must be mounted to\nprevent files with the setuid and setguid bit set from being executed.\"\n desc \"The \\\"nosuid\\\" mount option causes the system to not execute\n\\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75577'\n tag \"rid\": 'SV-90257r3_rule'\n tag \"stig_id\": 'UBTU-16-010810'\n tag \"fix_id\": 'F-82205r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify file systems that are used for removable media are\nmounted with the \\\"nosuid\\\" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid 0 0\n\nIf a file system found in \\\"/etc/fstab\\\" refers to removable media and it does\nnot have the \\\"nosuid\\\" option set, this is a finding.\"\n desc 'fix', \"Configure the \\\"/etc/fstab\\\" to use the \\\"nosuid\\\" option on file\nsystems that are associated with removable media.\"\n\n removable_media_mount_points = 
input('removable_media_mount_points')\n\n if removable_media_mount_points.count > 0\n removable_media_mount_points.each do |mount_point|\n describe mount(mount_point) do\n its('options') { should include 'nosuid' }\n end\n end\n else\n describe 'Removable media mount points' do\n subject { removable_media_mount_points }\n its('count') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75551.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75577.rb", "line": 3 }, - "id": "V-75551" + "id": "V-75577" }, { - "title": "Temporary user accounts must be provisioned with an expiration time of\n72 hours or less.", - "desc": "If temporary user accounts remain active when no longer needed or for\nan excessive period, these accounts may be used to gain unauthorized access. To\nmitigate this risk, automated termination of all temporary accounts must be set\nupon account creation.\n\n Temporary accounts are established as part of normal account activation\nprocedures when there is a need for short-term accounts without the demand for\nimmediacy in account activation.\n\n If temporary accounts are used, the Ubuntu operating system must be\nconfigured to automatically terminate these types of accounts after a\nDoD-defined time period of 72 hours.\n\n To address access requirements, many Ubuntu operating systems may be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.", + "title": "The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a command line user logon.", + "desc": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n 
System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", "descriptions": { - "default": "If temporary user accounts remain active when no longer needed or for\nan excessive period, these accounts may be used to gain unauthorized access. To\nmitigate this risk, automated termination of all temporary accounts must be set\nupon account creation.\n\n Temporary accounts are established as part of normal account activation\nprocedures when there is a need for short-term accounts without the demand for\nimmediacy in account activation.\n\n If temporary accounts are used, the Ubuntu operating system must be\nconfigured to automatically terminate these types of accounts after a\nDoD-defined time period of 72 hours.\n\n To address access requirements, many Ubuntu operating systems may be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.", - "check": "Verify that temporary accounts have been provisioned with an\nexpiration date for 72 hours.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information.\n\n# sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within 72 hours.\nIf any temporary accounts have no expiration date set or do not expire within\n72 hours, this is a finding.", - "fix": "If a temporary account must be created configure the system to\nterminate the account after a 72 hour time period with the following command to\nset an expiration date on it. 
Substitute \"system_account_name\" with the\naccount to be created.\n\n# sudo chage -E `date -d \"+3 days\" +%Y-%m-%d` system_account_name" + "default": "Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or 
clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \"I've read and consent to terms in IS user agreem't.\"", + "check": "Verify the Ubuntu operating system displays the Standard\nMandatory DoD Notice and Consent Banner before granting access to the Ubuntu\noperating system via a command line user logon.\n\nCheck that the Ubuntu operating system displays a banner at the command line\nlogin screen with the following command:\n\n# cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n“You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. 
Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent\nBanner exactly, this is a finding.", + "fix": "Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system\nvia command line logon.\n\nEdit the \"/etc/issue\" file to replace the default text with the Standard\nMandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000002-GPOS-00002", - "gid": "V-75491", - "rid": "SV-90171r1_rule", - "stig_id": "UBTU-16-010310", - "fix_id": "F-82119r1_fix", + "gtitle": "SRG-OS-000023-GPOS-00006", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" + ], + "gid": "V-75435", + "rid": "SV-90115r2_rule", + "stig_id": "UBTU-16-010030", + "fix_id": "F-82063r2_fix", "cci": [ - "CCI-000016" + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" ], "nist": [ - "AC-2 (2)", + "AC-8 a", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c 2", + "AC-8\nc 3", "Rev_4" ], "false_negatives": null, 
@@ -9830,43 +9882,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75491' do\n title \"Temporary user accounts must be provisioned with an expiration time of\n72 hours or less.\"\n desc \"If temporary user accounts remain active when no longer needed or for\nan excessive period, these accounts may be used to gain unauthorized access. To\nmitigate this risk, automated termination of all temporary accounts must be set\nupon account creation.\n\n Temporary accounts are established as part of normal account activation\nprocedures when there is a need for short-term accounts without the demand for\nimmediacy in account activation.\n\n If temporary accounts are used, the Ubuntu operating system must be\nconfigured to automatically terminate these types of accounts after a\nDoD-defined time period of 72 hours.\n\n To address access requirements, many Ubuntu operating systems may be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000002-GPOS-00002'\n tag \"gid\": 'V-75491'\n tag \"rid\": 'SV-90171r1_rule'\n tag \"stig_id\": 'UBTU-16-010310'\n tag \"fix_id\": 'F-82119r1_fix'\n tag \"cci\": ['CCI-000016']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that temporary accounts have been provisioned with an\nexpiration date for 72 hours.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information.\n\n# sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within 72 hours.\nIf any temporary accounts have no 
expiration date set or do not expire within\n72 hours, this is a finding.\"\n desc 'fix', \"If a temporary account must be created configure the system to\nterminate the account after a 72 hour time period with the following command to\nset an expiration date on it. Substitute \\\"system_account_name\\\" with the\naccount to be created.\n\n# sudo chage -E `date -d \\\"+3 days\\\" +%Y-%m-%d` system_account_name\"\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n", + "code": "control 'V-75435' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD\nNotice and Consent Banner before granting local or remote access to the system\nvia a command line user logon.\"\n desc \"Display of a standardized and approved use notification before\ngranting access to the Ubuntu operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for Ubuntu operating systems that can accommodate\nbanners of 1300 characters:\n\n \\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\n Use the following verbiage for Ubuntu operating systems that have severe\nlimitations on the number of characters that can be displayed in the banner:\n\n \\\"I've read and consent to terms in IS user agreem't.\\\"\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"satisfies\": %w[SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088]\n tag \"gid\": 'V-75435'\n tag \"rid\": 'SV-90115r2_rule'\n tag \"stig_id\": 'UBTU-16-010030'\n tag \"fix_id\": 'F-82063r2_fix'\n tag \"cci\": %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386\n CCI-001387 CCI-001388]\n tag \"nist\": ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', \"AC-8\nc 3\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system displays the Standard\nMandatory DoD Notice and Consent Banner before granting access to the Ubuntu\noperating system via a command line user logon.\n\nCheck that the Ubuntu operating system displays a banner at the command line\nlogin screen with the following command:\n\n# cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent\nBanner exactly, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to display the Standard\nMandatory DoD Notice and Consent Banner before granting access to the system\nvia command line logon.\n\nEdit the \\\"/etc/issue\\\" file to replace the default text with the Standard\nMandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent\nto the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\\\"\"\n\n banner_text = file('/etc/issue').content.gsub(/[\\r\\n\\s]/, '')\n\n describe 'Banner text' do\n subject { banner_text }\n it { should eq input('banner_text').gsub(/[\\r\\n\\s]/, '') }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75491.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75435.rb", "line": 3 }, - "id": "V-75491" + "id": "V-75435" }, { - "title": "Audit tools must be group-owned by root.", - "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "title": "Successful/unsuccessful uses of the setfacl command must generate an\naudit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.", - "check": "Verify the audit tools are group-owned by \"root\" to prevent\nany unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following commands:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not group-owned by \"root\", this is a finding.", - "fix": "Configure the audit tools to be group-owned by \"root\", by\nrunning the following command:\n\n# sudo chgrp root [audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by \"root\"." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"setfacl\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w setfacl /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"setfacl\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be 
restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000256-GPOS-00097", + "gtitle": "SRG-OS-000037-GPOS-00015", "satisfies": [ - "SRG-OS-000256-GPOS-00097", - "SRG-OS-000257-GPOS-00098", - "SRG-OS-000258-GPOS-00099" + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-75657", - "rid": "SV-90337r2_rule", - "stig_id": "UBTU-16-020200", - "fix_id": "F-82285r2_fix", + "gid": "V-75767", + "rid": "SV-90447r3_rule", + "stig_id": "UBTU-16-020710", + "fix_id": "F-82395r2_fix", "cci": [ - "CCI-001493", - "CCI-001494", - "CCI-001495" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
@@ -9880,34 +9939,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75657' do\n title 'Audit tools must be group-owned by root.'\n desc \"Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Ubuntu operating systems providing tools to interface with audit\ninformation will leverage user permissions and roles identifying the user\naccessing the tools and the corresponding rights the user enjoys in order to\nmake access decisions regarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000256-GPOS-00097'\n tag \"satisfies\": %w[SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098\n SRG-OS-000258-GPOS-00099]\n tag \"gid\": 'V-75657'\n tag \"rid\": 'SV-90337r2_rule'\n tag \"stig_id\": 'UBTU-16-020200'\n tag \"fix_id\": 'F-82285r2_fix'\n tag \"cci\": %w[CCI-001493 CCI-001494 CCI-001495]\n tag \"nist\": %w[AU-9 AU-9 AU-9 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the audit tools are group-owned by \\\"root\\\" to prevent\nany unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following commands:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 
/sbin/augenrules\n\nIf any of the audit tools are not group-owned by \\\"root\\\", this is a finding.\"\n desc 'fix', \"Configure the audit tools to be group-owned by \\\"root\\\", by\nrunning the following command:\n\n# sudo chgrp root [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by \\\"root\\\".\"\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\nend\n", + "code": "control 'V-75767' do\n title \"Successful/unsuccessful uses of the setfacl command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75767'\n tag \"rid\": 'SV-90447r3_rule'\n tag \"stig_id\": 'UBTU-16-020710'\n tag \"fix_id\": 'F-82395r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"setfacl\\\" 
command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w setfacl /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"setfacl\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75657.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75767.rb", "line": 3 }, - "id": "V-75657" + "id": "V-75767" }, { - "title": "The Ubuntu operating system must not have unnecessary accounts.", - "desc": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. 
Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", + "title": "The Ubuntu operating system must enable a user session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.", + "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock shall remain in place until the user\nre-authenticates. No other activity aside from re-authentication shall unlock\nthe system.", "descriptions": { - "default": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. 
Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", - "check": "Verify all accounts on the system are assigned to an active\nsystem, application, or user account.\n\nObtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\n...\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\n\nAccounts such as \"games\" and \"gopher\" are not authorized accounts as they\ndo not support authorized system functions.\n\nIf the accounts on the system do not match the provided documentation, or\naccounts that do not support an authorized system function are present, this is\na finding.", - "fix": "Configure the system so all accounts on the system are assigned\nto an active system, application, or user account.\n\nRemove accounts that do not support approved system activities or that allow\nfor a normal user to perform administrative-level actions.\n\nDocument all authorized accounts on the system." + "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock shall remain in place until the user\nre-authenticates. 
No other activity aside from re-authentication shall unlock\nthe system.", + "check": "Verify the operating system allows a user to lock the current\ngraphical user interface (GUI) session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this\nrequirement is Not Applicable.\n\nCheck to see if the Ubuntu operating system allows the user to lock the current\nGUI session with the following command:\n\n# gsettings get org.gnome.desktop.lock-enabled\n\ntrue\n\nIf \"lock-enabled\" is not set to \"true\", this is a finding.", + "fix": "Configure the Ubuntu operating system so that it allows a user to\nlock the current GUI session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this\nrequirement is Not Applicable.\n\nSet the \"lock-enabled\" setting in GNOME to allow GUI session locks with the\nfollowing command:\n\nNote: The command must be performed from a terminal window inside the graphical\nuser interface (GUI).\n\n# sudo gsettings set org.gnome.desktop.lock-enabled true" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75545", - "rid": "SV-90225r2_rule", - "stig_id": "UBTU-16-010650", - "fix_id": "F-82173r1_fix", + "gtitle": "SRG-OS-000028-GPOS-00009", + "gid": "V-75437", + "rid": "SV-90117r3_rule", + "stig_id": "UBTU-16-010040", + "fix_id": "F-82065r2_fix", "cci": [ - "CCI-000366" + "CCI-000056" ], "nist": [ - "CM-6 b", + "AC-11 b", "Rev_4" ], "false_negatives": null, 
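Review bot: The new V-75767 control body only checks that an auditd rule for `/usr/bin/setfacl` carries an `x` permission and is not `never`, so a rule lacking the `-F auid>=1000 -F auid!=4294967295` filters or the `-k perm_chng` key that its own check text mandates would still pass. If `auditd.file(...)` exposes the rule's fields and key, add an expectation on them; otherwise state in a comment that the key and auid filters are deliberately not enforced. The `audit_lines_exist` test `line.include?(@audit_file)` is also a substring match, so any rule whose path merely contains that string counts as a hit. Separately, the exported `"impact": 0` for V-75437 at the end of this hunk does not match the `impact 0.5` declared in that control's code (next hunk); the 0 looks like the runtime override from an export run on a host without GNOME, which makes the baseline's severity depend on the generating machine.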
@@ -9921,34 +9980,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75545' do\n title 'The Ubuntu operating system must not have unnecessary accounts.'\n desc \"Accounts providing no operational purpose provide additional\nopportunities for system compromise. Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75545'\n tag \"rid\": 'SV-90225r2_rule'\n tag \"stig_id\": 'UBTU-16-010650'\n tag \"fix_id\": 'F-82173r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all accounts on the system are assigned to an active\nsystem, application, or user account.\n\nObtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\n...\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\n\nAccounts such as \\\"games\\\" and \\\"gopher\\\" are not authorized accounts as they\ndo not support authorized system functions.\n\nIf the accounts on the system do not match the provided documentation, or\naccounts that do not support an authorized system function are present, this is\na finding.\"\n desc 'fix', \"Configure the system so all accounts on the system are assigned\nto an active system, application, or user account.\n\nRemove accounts that do not support approved system activities or that allow\nfor a normal user to perform administrative-level 
actions.\n\nDocument all authorized accounts on the system.\"\n\n known_system_accounts = input('known_system_accounts')\n disallowed_accounts = input('disallowed_accounts')\n user_accounts = input('user_accounts')\n allowed_accounts = (known_system_accounts + user_accounts).uniq\n\n describe 'The active system users' do\n subject { passwd }\n its('users') { should be_in allowed_accounts }\n its('users') { should_not be_in disallowed_accounts }\n end\nend\n", + "code": "control 'V-75437' do\n title \"The Ubuntu operating system must enable a user session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.\"\n desc \"A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock shall remain in place until the user\nre-authenticates. 
No other activity aside from re-authentication shall unlock\nthe system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000028-GPOS-00009'\n tag \"gid\": 'V-75437'\n tag \"rid\": 'SV-90117r3_rule'\n tag \"stig_id\": 'UBTU-16-010040'\n tag \"fix_id\": 'F-82065r2_fix'\n tag \"cci\": ['CCI-000056']\n tag \"nist\": ['AC-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the operating system allows a user to lock the current\ngraphical user interface (GUI) session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this\nrequirement is Not Applicable.\n\nCheck to see if the Ubuntu operating system allows the user to lock the current\nGUI session with the following command:\n\n# gsettings get org.gnome.desktop.lock-enabled\n\ntrue\n\nIf \\\"lock-enabled\\\" is not set to \\\"true\\\", this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system so that it allows a user to\nlock the current GUI session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this\nrequirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting in GNOME to allow GUI session locks with the\nfollowing command:\n\nNote: The command must be performed from a terminal window inside the graphical\nuser interface (GUI).\n\n# sudo gsettings set org.gnome.desktop.lock-enabled true\"\n\n gnome_installed = (package('ubuntu-gnome-desktop').installed? 
|| package('ubuntu-desktop').installed?)\n\n if gnome_installed\n lock_enabled = command('gsettings get org.gnome.desktop.screensaver lock-enabled')\n describe lock_enabled do\n its('stdout') { should cmp 'true' }\n end\n else\n impact 0\n describe 'Not Applicable as GNOME dekstop environment is installed' do\n subject { gnome_installed }\n it { should be false }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75545.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75437.rb", "line": 3 }, - "id": "V-75545" + "id": "V-75437" }, { - "title": "The Ubuntu operating system must implement non-executable data to\nprotect its memory from unauthorized code execution.", - "desc": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", + "title": "All public directories must be owned by root to prevent unauthorized\nand unintended information transferred via shared system resources.", + "desc": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. 
The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", "descriptions": { - "default": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", - "check": "Verify the NX (no-execution) bit flag is set on the system.\n\nCheck that the no-execution bit flag is set with the following commands:\n\n# dmesg | grep NX\n\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf \"dmesg\" does not show \"NX (Execute Disable) protection\" active, check\nthe cpuinfo settings with the following command:\n\n# less /proc/cpuinfo | grep -i flags\nflags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a finding.", - "fix": "The NX bit execute protection must be enabled in the system BIOS." 
+ "default": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", + "check": "Verify that all public directories are owned by root to prevent\nunauthorized and unintended information transferred via shared system resources.\n\nCheck to see that all public directories have the public sticky bit set by\nrunning the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are not owned by root, this is a finding.", + "fix": "Configure all public directories to be owned by root to prevent\nunauthorized and unintended information transferred via shared system resources.\n\nSet the owner of all public directories as root using the command, replace\n\"[Public Directory]\" with any directory path not owned by root:\n\n# sudo chown root [Public Directory]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000433-GPOS-00192", - "gid": "V-75819", - "rid": 
"SV-90499r2_rule", - "stig_id": "UBTU-16-030130", - "fix_id": "F-82449r1_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-75511", + "rid": "SV-90191r1_rule", + "stig_id": "UBTU-16-010410", + "fix_id": "F-82139r1_fix", "cci": [ - "CCI-002824" + "CCI-001090" ], "nist": [ - "SI-16", + "SC-4", "Rev_4" ], "false_negatives": null, 
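Review bot: The else branch of the new V-75437 code describes the skip as `'Not Applicable as GNOME dekstop environment is installed'`, but that branch runs precisely when `gnome_installed` is false, so the report text states the opposite of the condition it asserts (and misspells desktop); use `describe 'Not Applicable: GNOME desktop environment is not installed' do`. The `gsettings get org.gnome.desktop.screensaver lock-enabled` query also reads the dconf database of whichever user InSpec runs the command as (presumably root), which is probably not the interactive user's session setting the STIG check is about — a comment noting that limitation would help the next maintainer. The code queries the `org.gnome.desktop.screensaver` schema while the check text quotes `org.gnome.desktop.lock-enabled`; the code's form appears to be the working one, so the discrepancy with the quoted check text deserves a comment.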
@@ -9962,29 +10021,29 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75819' do\n title \"The Ubuntu operating system must implement non-executable data to\nprotect its memory from unauthorized code execution.\"\n desc \"Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can either be hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000433-GPOS-00192'\n tag \"gid\": 'V-75819'\n tag \"rid\": 'SV-90499r2_rule'\n tag \"stig_id\": 'UBTU-16-030130'\n tag \"fix_id\": 'F-82449r1_fix'\n tag \"cci\": ['CCI-002824']\n tag \"nist\": %w[SI-16 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system.\n\nCheck that the no-execution bit flag is set with the following commands:\n\n# dmesg | grep NX\n\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf \\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection\\\" active, check\nthe cpuinfo settings with the following command:\n\n# less /proc/cpuinfo | grep -i flags\nflags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a finding.\"\n desc 'fix', 'The NX bit execute protection must be enabled in the system BIOS.'\n\n options = {\n assignment_regex: 
/^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match /.+(NX \\(Execute Disable\\) protection: active)/ }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\nend\n", + "code": "control 'V-75511' do\n title \"All public directories must be owned by root to prevent unauthorized\nand unintended information transferred via shared system resources.\"\n desc \"Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. 
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-75511'\n tag \"rid\": 'SV-90191r1_rule'\n tag \"stig_id\": 'UBTU-16-010410'\n tag \"fix_id\": 'F-82139r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": %w[SC-4 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that all public directories are owned by root to prevent\nunauthorized and unintended information transferred via shared system resources.\n\nCheck to see that all public directories have the public sticky bit set by\nrunning the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\\\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are not owned by root, this is a finding.\"\n desc 'fix', \"Configure all public directories to be owned by root to prevent\nunauthorized and unintended information transferred via shared system resources.\n\nSet the owner of all public directories as root using the command, replace\n\\\"[Public Directory]\\\" with any directory path not owned by root:\n\n# sudo chown root [Public Directory]\"\n\n dir_list = command('sudo find / -xdev -type d -perm -0002 -exec ls -dL {} \\\\;').stdout.strip.split(\"\\n\")\n if dir_list.count > 0\n dir_list.each do |entry|\n describe directory(entry) do\n its('owner') { should eq 'root' }\n end\n end\n else\n describe 'The number of public directories not owned by root' do\n subject { dir_list }\n its('count') { 
should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75819.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75511.rb", "line": 3 }, - "id": "V-75819" + "id": "V-75511" }, { - "title": "File systems that are used with removable media must be mounted to\nprevent files with the setuid and setguid bit set from being executed.", - "desc": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "title": "The Ubuntu operating system must use a separate file system for /var.", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", - "check": "Verify file systems that are used for removable media are\nmounted with the \"nosuid\" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to removable media and it does\nnot have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file\nsystems that are associated with removable media." 
+ "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "check": "Verify that a separate file system/partition has been created\nfor \"/var\".\n\nCheck that a file system/partition has been created for \"/var\" with the\nfollowing command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for \"/var\" is not in use, this is a finding.", + "fix": "Migrate the \"/var\" path onto a separate file system." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-75577", - "rid": "SV-90257r3_rule", - "stig_id": "UBTU-16-010810", - "fix_id": "F-82205r1_fix", + "gid": "V-75589", + "rid": "SV-90269r1_rule", + "stig_id": "UBTU-16-010920", + "fix_id": "F-82217r1_fix", "cci": [ "CCI-000366" ], 
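Review bot: The new V-75511 code limits its search with `find / -xdev`, so world-writable directories on any other mounted file system are never inspected, yet the same profile's V-75589 (this hunk's JSON, code in the next) requires `/var` to be a separate file system — on a compliant host `/var/tmp` would be skipped. Either drop `-xdev` and prune pseudo file systems explicitly, or add a comment stating that only the root file system is in scope. The else-branch description `'The number of public directories not owned by root'` is also misleading: `dir_list` holds every world-writable directory found, not those with a non-root owner, so `describe 'World-writable directories found' do` would state what is actually asserted. The command also relies on passwordless `sudo` for the InSpec user, which is worth documenting in the control.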
@@ -10003,38 +10062,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75577' do\n title \"File systems that are used with removable media must be mounted to\nprevent files with the setuid and setguid bit set from being executed.\"\n desc \"The \\\"nosuid\\\" mount option causes the system to not execute\n\\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75577'\n tag \"rid\": 'SV-90257r3_rule'\n tag \"stig_id\": 'UBTU-16-010810'\n tag \"fix_id\": 'F-82205r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify file systems that are used for removable media are\nmounted with the \\\"nosuid\\\" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid 0 0\n\nIf a file system found in \\\"/etc/fstab\\\" refers to removable media and it does\nnot have the \\\"nosuid\\\" option set, this is a finding.\"\n desc 'fix', \"Configure the \\\"/etc/fstab\\\" to use the \\\"nosuid\\\" option on file\nsystems that are associated with removable media.\"\n\n removable_media_mount_points = input('removable_media_mount_points')\n\n if removable_media_mount_points.count > 0\n removable_media_mount_points.each do 
|mount_point|\n describe mount(mount_point) do\n its('options') { should include 'nosuid' }\n end\n end\n else\n describe 'Removable media mount points' do\n subject { removable_media_mount_points }\n its('count') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-75589' do\n title 'The Ubuntu operating system must use a separate file system for /var.'\n desc \"The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75589'\n tag \"rid\": 'SV-90269r1_rule'\n tag \"stig_id\": 'UBTU-16-010920'\n tag \"fix_id\": 'F-82217r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that a separate file system/partition has been created\nfor \\\"/var\\\".\n\nCheck that a file system/partition has been created for \\\"/var\\\" with the\nfollowing command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for \\\"/var\\\" is not in use, this is a finding.\"\n desc 'fix', 'Migrate the \"/var\" path onto a separate file system.'\n\n describe mount('/var') do\n it { should be_mounted }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75577.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75589.rb", "line": 3 }, - "id": "V-75577" + "id": "V-75589" }, { - "title": "The Ubuntu operating system must require users to re-authenticate for\nprivilege escalation and changing roles.", - "desc": "Without re-authentication, users may access resources or perform tasks\nfor which they do not 
have authorization.\n\n When Ubuntu operating systems provide the capability to escalate a\nfunctional capability or change security roles, it is critical the user\nre-authenticate.", + "title": "An application firewall must be enabled on the system.", + "desc": "Firewalls protect computers from network attacks by blocking or\nlimiting access to open network ports. Application firewalls limit which\napplications are allowed to communicate over the network.", "descriptions": { - "default": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When Ubuntu operating systems provide the capability to escalate a\nfunctional capability or change security roles, it is critical the user\nre-authenticate.", - "check": "Verify that \"/etc/sudoers\" has no occurrences of \"NOPASSWD\"\nor \"!authenticate\".\n\nCheck that the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or\n\"!authenticate\" by running the following command:\n\n# sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/*\n\n%wheel ALL=(ALL) NOPASSWD: ALL\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding.", - "fix": "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found\nin \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory." + "default": "Firewalls protect computers from network attacks by blocking or\nlimiting access to open network ports. Application firewalls limit which\napplications are allowed to communicate over the network.", + "check": "Verify the Uncomplicated Firewall is enabled on the system by\nrunning the following command:\n\n# sudo systemctl is-enabled ufw\n\nenabled\n\nIf the above command returns the status as \"disabled\", this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator if\nanother application firewall is installed. 
If no application firewall is\ninstalled this is a finding.", + "fix": "Enable the Uncomplicated Firewall by using the following commands:\n\n# sudo systemctl start ufw\n\n# sudo systemctl enable ufw" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000373-GPOS-00156", - "satisfies": [ - "SRG-OS-000373-GPOS-00156", - "SRG-OS-000373-GPOS-00157" - ], - "gid": "V-75489", - "rid": "SV-90169r2_rule", - "stig_id": "UBTU-16-010300", - "fix_id": "F-82117r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00232", + "gid": "V-75805", + "rid": "SV-90485r2_rule", + "stig_id": "UBTU-16-030040", + "fix_id": "F-82435r2_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
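Review bot: The V-75589 `code` in this hunk decides compliance from the live mount table (`describe mount('/var') do` … `it { should be_mounted }`) while the control's own check and fix text define it by an `/etc/fstab` entry, so a `/var` that was mounted by hand but has no fstab entry passes the control and then silently regresses at the next boot. Consider also asserting the persistent entry, e.g. `describe etc_fstab.where { mount_point == '/var' } do` / `its('entries') { should_not be_empty }` / `end`. This JSON looks generated from the profile, so the change belongs in the referenced `./Ubuntu 16.04 STIG/controls/V-75589.rb` as well.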
@@ -10048,50 +10103,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75489' do\n title \"The Ubuntu operating system must require users to re-authenticate for\nprivilege escalation and changing roles.\"\n desc \"Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When Ubuntu operating systems provide the capability to escalate a\nfunctional capability or change security roles, it is critical the user\nre-authenticate.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00156'\n tag \"satisfies\": %w[SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157]\n tag \"gid\": 'V-75489'\n tag \"rid\": 'SV-90169r2_rule'\n tag \"stig_id\": 'UBTU-16-010300'\n tag \"fix_id\": 'F-82117r2_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": %w[IA-11 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that \\\"/etc/sudoers\\\" has no occurrences of \\\"NOPASSWD\\\"\nor \\\"!authenticate\\\".\n\nCheck that the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or\n\\\"!authenticate\\\" by running the following command:\n\n# sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/*\n\n%wheel ALL=(ALL) NOPASSWD: ALL\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding.\"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found\nin \\\"/etc/sudoers\\\" file or files in the \\\"/etc/sudoers.d\\\" directory.\"\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control 
'V-75805' do\n title 'An application firewall must be enabled on the system.'\n desc \"Firewalls protect computers from network attacks by blocking or\nlimiting access to open network ports. Application firewalls limit which\napplications are allowed to communicate over the network.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00232'\n tag \"gid\": 'V-75805'\n tag \"rid\": 'SV-90485r2_rule'\n tag \"stig_id\": 'UBTU-16-030040'\n tag \"fix_id\": 'F-82435r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by\nrunning the following command:\n\n# sudo systemctl is-enabled ufw\n\nenabled\n\nIf the above command returns the status as \\\"disabled\\\", this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator if\nanother application firewall is installed. 
If no application firewall is\ninstalled this is a finding.\"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following commands:\n\n# sudo systemctl start ufw\n\n# sudo systemctl enable ufw\n\"\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75489.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75805.rb", "line": 3 }, - "id": "V-75489" + "id": "V-75805" }, { - "title": "Successful/unsuccessful uses of the chown command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must enforce a delay of at least 4 seconds\nbetween logon prompts following a failed logon attempt.", + "desc": "Limiting the number of logon attempts over a certain time interval\nreduces the chances that an unauthorized user may gain access to an account.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"chown\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in 
\"/etc/audit/audit.rules\":\n\n# sudo grep -w chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chown\" command by adding the following\nline to \"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Limiting the number of logon attempts over a certain time interval\nreduces the chances that an unauthorized user may gain access to an account.", + "check": "Verify the Ubuntu operating system enforces a delay of at least\n4 seconds between logon prompts following a failed logon attempt.\n\nCheck that the Ubuntu operating system enforces a delay of at least 4 seconds\nbetween logon prompts with the following command:\n\n# grep pam_faildelay /etc/pam.d/common-auth*\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is not present, or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a delay of at\nleast 4 seconds between logon prompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set the parameter\n\"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required pam_faildelay.so delay=4000000" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75729", - "rid": "SV-90409r3_rule", - "stig_id": "UBTU-16-020520", - "fix_id": 
"F-82357r3_fix", + "gtitle": "SRG-OS-000480-GPOS-00226", + "gid": "V-75493", + "rid": "SV-90173r1_rule", + "stig_id": "UBTU-16-010320", + "fix_id": "F-82121r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
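Review bot: The V-75805 `code` in this hunk fails outright when ufw is absent (`it { should be_installed }`), but the control's check text says that if the Uncomplicated Firewall is not installed the assessor should ask whether another application firewall is present, so a host with a different firewall is reported as a finding instead of being flagged for manual review; a comment stating that this profile deliberately treats ufw as the only accepted firewall would make that intent explicit. Separately, an enabled and running `ufw.service` does not show the firewall is actually filtering, since ufw only loads its rules once it has been switched on (`ufw enable`, i.e. `ENABLED=yes` in `/etc/ufw/ufw.conf`); consider adding `describe command('ufw status') do` / `its('stdout') { should match(/^Status: active/) }` / `end`. As this JSON appears generated from the profile, the fix belongs in the referenced `./Ubuntu 16.04 STIG/controls/V-75805.rb` too.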
@@ -10105,50 +10144,38 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75729' do\n title \"Successful/unsuccessful uses of the chown command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75729'\n tag \"rid\": 'SV-90409r3_rule'\n tag \"stig_id\": 'UBTU-16-020520'\n tag \"fix_id\": 'F-82357r3_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"chown\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', 
\"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"chown\\\" command by adding the following\nline to \\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'V-75493' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds\nbetween logon prompts following a failed logon attempt.\"\n desc \"Limiting the number of logon attempts over a certain time interval\nreduces the chances that an unauthorized user may gain access to an account.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00226'\n tag \"gid\": 'V-75493'\n tag \"rid\": 'SV-90173r1_rule'\n tag \"stig_id\": 'UBTU-16-010320'\n tag \"fix_id\": 'F-82121r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least\n4 seconds between logon prompts following a failed logon attempt.\n\nCheck that the Ubuntu operating system enforces a delay of at least 4 seconds\nbetween logon prompts with the following command:\n\n# grep 
pam_faildelay /etc/pam.d/common-auth*\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is not present, or is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at\nleast 4 seconds between logon prompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set the parameter\n\\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required pam_faildelay.so delay=4000000\"\n\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp > 4_000_000 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75729.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75493.rb", "line": 3 }, - "id": "V-75729" + "id": "V-75493" }, { - "title": "Successful/unsuccessful uses of the sudoedit command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must implement NSA-approved cryptography\nto protect classified information in accordance with applicable federal laws,\nExecutive Orders, directives, policies, regulations, and standards.", + "desc": "Use of weak or untested encryption algorithms undermines the purposes\nof 
utilizing encryption to protect data. The Ubuntu operating system must\nimplement cryptographic modules adhering to the higher standards approved by\nthe federal government since this provides assurance they have been tested and\nvalidated.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"sudoedit\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w sudoedit /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"sudoedit\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Use of weak or untested encryption algorithms undermines the purposes\nof utilizing encryption to protect data. 
The Ubuntu operating system must\nimplement cryptographic modules adhering to the higher standards approved by\nthe federal government since this provides assurance they have been tested and\nvalidated.", + "check": "Verify the system is configured to run in FIPS mode.\n\nCheck that the system is configured to run in FIPS mode with the following\ncommand:\n\n# grep -i 1 /proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding.", + "fix": "Configure the system to run in FIPS mode. Add \"fips=1\" to the\nkernel parameter during the Ubuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a number of\nmodifications to the Ubuntu operating system. Refer to the Ubuntu Server 16.04\nFIPS 140-2 security policy document for instructions." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", + "gtitle": "SRG-OS-000396-GPOS-00176", "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000396-GPOS-00176", + "SRG-OS-000478-GPOS-00223" ], - "gid": "V-75757", - "rid": "SV-90437r3_rule", - "stig_id": "UBTU-16-020660", - "fix_id": "F-82385r2_fix", + "gid": "V-75503", + "rid": "SV-90183r1_rule", + "stig_id": "UBTU-16-010370", + "fix_id": "F-82131r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-002450" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "SC-13", "Rev_4" ], "false_negatives": null, 
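Review bot: The V-75493 `code` in this hunk rejects the exact value the STIG prescribes: the fix text says `delay=4000000` "or greater" and the preceding regex accepts `[4-9][\d]{6,}`, yet the per-entry assertion is `it { should cmp > 4_000_000 }`, so a host configured precisely as instructed is reported as a finding. Change it to `it { should cmp >= 4_000_000 }`. Note also that the check text greps `/etc/pam.d/common-auth*` while the code reads only `/etc/pam.d/common-auth`; if that narrowing is intentional, a one-line comment saying so would save the next reader a question. The file appears generated from the profile, so the fix belongs in the referenced `./Ubuntu 16.04 STIG/controls/V-75493.rb` as well.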
@@ -10162,34 +10189,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75757' do\n title \"Successful/unsuccessful uses of the sudoedit command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75757'\n tag \"rid\": 'SV-90437r3_rule'\n tag \"stig_id\": 'UBTU-16-020660'\n tag \"fix_id\": 'F-82385r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"sudoedit\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w sudoedit /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n 
desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75503' do\n title \"The Ubuntu operating system must implement NSA-approved cryptography\nto protect classified information in accordance with applicable federal laws,\nExecutive Orders, directives, policies, regulations, and standards.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes\nof utilizing encryption to protect data. 
The Ubuntu operating system must\nimplement cryptographic modules adhering to the higher standards approved by\nthe federal government since this provides assurance they have been tested and\nvalidated.\n\n\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000396-GPOS-00176'\n tag \"satisfies\": %w[SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223]\n tag \"gid\": 'V-75503'\n tag \"rid\": 'SV-90183r1_rule'\n tag \"stig_id\": 'UBTU-16-010370'\n tag \"fix_id\": 'F-82131r1_fix'\n tag \"cci\": ['CCI-002450']\n tag \"nist\": %w[SC-13 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system is configured to run in FIPS mode.\n\nCheck that the system is configured to run in FIPS mode with the following\ncommand:\n\n# grep -i 1 /proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding.\"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the\nkernel parameter during the Ubuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a number of\nmodifications to the Ubuntu operating system. 
Refer to the Ubuntu Server 16.04\nFIPS 140-2 security policy document for instructions.\"\n\n config_file = '/proc/sys/crypto/fips_enabled'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n it { should cmp '1' }\n end\n else\n describe ('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75757.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75503.rb", "line": 3 }, - "id": "V-75757" + "id": "V-75503" }, { - "title": "The /var/log/syslog file must be owned by syslog.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.", + "desc": "Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. 
The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the /var/log/syslog file is owned by syslog.\n\nCheck that the /var/log/syslog file is owned by syslog with the following\ncommand:\n\n# ls -la /var/log/syslog | cut -d' ' -f3\n\nsyslog\n\nIf \"syslog\" is not returned as a result, this is a finding.", - "fix": "Change the owner of the file /var/log/syslog to syslog by running\nthe following command:\n\n# sudo chown syslog /var/log/syslog" + "default": "Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. 
The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.", + "check": "Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \"10\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not set to \"10\" or less,\nor is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-75601", - "rid": "SV-90281r2_rule", - "stig_id": "UBTU-16-010980", - "fix_id": "F-82229r1_fix", + "gtitle": "SRG-OS-000027-GPOS-00008", + "gid": "V-75443", + "rid": "SV-90123r2_rule", + "stig_id": "UBTU-16-010070", + "fix_id": "F-82071r1_fix", "cci": [ - "CCI-001314" + "CCI-000054" ], "nist": [ - "SI-11 b", + "AC-10", "Rev_4" ], "false_negatives": null, 
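Review bot: The V-75503 `code` in this hunk applies `it { should cmp '1' }` to a `parse_config_file` resource, but `/proc/sys/crypto/fips_enabled` holds a bare `1` with no `key = value` assignment, so the parsed resource has nothing to compare and the expectation is evaluated against the resource object rather than the file's content; as far as I can tell this cannot pass even on a FIPS-enabled host. Replace the describe with `describe file(config_file) do` / `its('content.strip') { should cmp '1' }` / `end`. The kernel flag alone shows FIPS mode was requested, not that validated module packages are installed, so a comment stating that the flag is the profile's chosen evidence would help. This JSON appears generated from the profile, so the fix belongs in the referenced `./Ubuntu 16.04 STIG/controls/V-75503.rb` too.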
@@ -10203,34 +10230,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75601' do\n title 'The /var/log/syslog file must be owned by syslog.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the Ubuntu operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must not\nbe revealed through error messages to unauthorized personnel or their\ndesignated representatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000206-GPOS-00084'\n tag \"gid\": 'V-75601'\n tag \"rid\": 'SV-90281r2_rule'\n tag \"stig_id\": 'UBTU-16-010980'\n tag \"fix_id\": 'F-82229r1_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the /var/log/syslog file is owned by syslog.\n\nCheck that the /var/log/syslog file is owned by syslog with the following\ncommand:\n\n# ls -la /var/log/syslog | cut -d' ' -f3\n\nsyslog\n\nIf \\\"syslog\\\" is not returned as a result, this is a finding.\"\n desc 'fix', \"Change the owner of the file /var/log/syslog to syslog by running\nthe following command:\n\n# sudo chown syslog /var/log/syslog\"\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n", + "code": "control 'V-75443' do\n 
title \"The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.\"\n desc \"Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000027-GPOS-00008'\n tag \"gid\": 'V-75443'\n tag \"rid\": 'SV-90123r2_rule'\n tag \"stig_id\": 'UBTU-16-010070'\n tag \"fix_id\": 'F-82071r1_fix'\n tag \"cci\": ['CCI-000054']\n tag \"nist\": %w[AC-10 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \\\"10\\\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not set to \\\"10\\\" or less,\nor is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10\"\n\n describe limits_conf do\n 
its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75601.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75443.rb", "line": 3 }, - "id": "V-75601" + "id": "V-75443" }, { - "title": "Library files must have mode 0755 or less permissive.", - "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "title": "Successful/unsuccessful uses of the chfn command must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", "descriptions": { - "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. 
Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", - "check": "Verify the system-wide shared library files contained in the\nfollowing directories have mode \"0755\" or less permissive.\n\nCheck that the system-wide shared library files contained in the following\ndirectories have mode \"0755\" or less permissive with the following command:\n\nNote: Replace \"[directory]\" with one of the following paths:\n/lib\n/lib64\n/usr/lib\n\n# find /lib /lib64 /usr/lib -perm /022 -type f | xargs ls -la\n/usr/lib64/pkcs11-spy.so\n\nIf any system-wide shared library file is found to be group-writable or\nworld-writable, this is a finding.", - "fix": "Configure the library files to be protected from unauthorized\naccess. Run the following command, replacing \"[file]\" with any library file\nwith a mode more permissive than 0755.\n\n# sudo chmod 0755 [file]" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"chfn\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep chfn /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"passwd\" command. Add or update the\nfollowing rule in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-75605", - "rid": "SV-90285r2_rule", - "stig_id": "UBTU-16-011000", - "fix_id": "F-82233r1_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-75693", + "rid": "SV-90373r3_rule", + "stig_id": "UBTU-16-020370", + "fix_id": "F-82321r2_fix", "cci": [ - "CCI-001499" + "CCI-000130", + "CCI-000135", + "CCI-000169", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-5 (6)", + "AU-3", + "AU-3 (1)", + "AU-12 a", + "AU-12 c", + "MA-4 (1) (a)", "Rev_4" ], "false_negatives": null, 
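Review bot: The V-75443 assertion `its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }` requires the `* hard maxlogins` value to equal the input exactly, while the check text beside it treats any value of 10 or less as compliant, so a host hardened to a lower limit is reported as a finding. Consider selecting the `hard maxlogins` entries for `*` from the resource and asserting each value is an integer no greater than `input('maxlogins')`, instead of an exact-string `include`. As far as I can tell the `limits_conf` resource reads only `/etc/security/limits.conf`, so a conflicting drop-in under `/etc/security/limits.d/` is not seen; a comment noting that scope, or a second describe over that directory, would make the control's coverage explicit. The next control's text (V-75693, chfn) says in its fix to audit the `passwd` command with key `privileged-passwd` while its check expects `privileged-gpasswd`; the code in the following hunk ignores the key, so this is a documentation inconsistency that looks carried over from the upstream text, but it should be noted in the control rather than silently kept.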
@@ -10244,34 +10287,50 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75605' do\n title 'Library files must have mode 0755 or less permissive.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75605'\n tag \"rid\": 'SV-90285r2_rule'\n tag \"stig_id\": 'UBTU-16-011000'\n tag \"fix_id\": 'F-82233r1_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system-wide shared library files contained in the\nfollowing directories have mode \\\"0755\\\" or less permissive.\n\nCheck that the system-wide shared library files contained in the following\ndirectories have mode \\\"0755\\\" or less permissive with the following command:\n\nNote: Replace \\\"[directory]\\\" with one of the following paths:\n/lib\n/lib64\n/usr/lib\n\n# find /lib /lib64 /usr/lib -perm /022 -type f | xargs ls -la\n/usr/lib64/pkcs11-spy.so\n\nIf any system-wide shared library file is found to be 
group-writable or\nworld-writable, this is a finding.\"\n desc 'fix', \"Configure the library files to be protected from unauthorized\naccess. Run the following command, replacing \\\"[file]\\\" with any library file\nwith a mode more permissive than 0755.\n\n# sudo chmod 0755 [file]\"\n\n if os.arch == 'x86_64'\n library_files = command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n library_files = command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-75693' do\n title \"Successful/unsuccessful uses of the chfn command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75693'\n tag \"rid\": 'SV-90373r3_rule'\n tag \"stig_id\": 'UBTU-16-020370'\n tag \"fix_id\": 'F-82321r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"chfn\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep chfn /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"passwd\\\" command. Add or update the\nfollowing rule in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. 
To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75605.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75693.rb", "line": 3 }, - "id": "V-75605" + "id": "V-75693" }, { - "title": "The Ubuntu operating system must be a vendor supported release.", - "desc": "An Ubuntu operating system release is considered \"supported\" if the\nvendor continues to provide security patches for the product. With an\nunsupported release, it will not be possible to resolve security issues\ndiscovered in the system software.", + "title": "Successful/unsuccessful uses of the gpasswd command must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", "descriptions": { - "default": "An Ubuntu operating system release is considered \"supported\" if the\nvendor continues to provide security patches for the product. 
With an\nunsupported release, it will not be possible to resolve security issues\ndiscovered in the system software.", - "check": "Verify the version of the Ubuntu operating system is vendor\nsupported.\n\nCheck the version of the Ubuntu operating system with the following command:\n\n# cat /etc/lsb-release\n\nDISTRIB_RELEASE=16.04\nDISTRIB_CODENAME=xenial\nDISTRIB_DESCRIPTION=\"Ubuntu 16.04.1 LTS\"\n\nCurrent End of Life for Ubuntu 16.04 LTS is April 2021.\n\nIf the release is not supported by the vendor, this is a finding.", - "fix": "Upgrade to a supported version of the Ubuntu operating system." + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"gpasswd\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w gpasswd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"gpasswd\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nThe audit daemon must be restarted for the changes to take effect. 
 To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service"
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75389",
- "rid": "SV-90069r1_rule",
- "stig_id": "UBTU-16-010000",
- "fix_id": "F-82017r1_fix",
+ "gtitle": "SRG-OS-000037-GPOS-00015",
+ "satisfies": [
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-75781",
+ "rid": "SV-90461r3_rule",
+ "stig_id": "UBTU-16-020780",
+ "fix_id": "F-82411r2_fix",
 "cci": [
- "CCI-001230"
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
 ],
 "nist": [
- "SI-2 d",
+ "AU-3",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
 "Rev_4"
 ],
 "false_negatives": null,
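Review bot: The V-75693 code stores its state in instance variables (`@audit_file = '/usr/bin/chfn'`, `@perms = ...`) inside the control block, which live on the shared profile context rather than the control, and the V-75781 control in the next hunk reassigns the same `@audit_file`; plain locals (`audit_file = '/usr/bin/chfn'`, `perms = auditd.file(audit_file).permissions`) keep each control self-contained and avoid order-dependent surprises if controls are ever filtered or reordered. The `desc` string for this control ends in `\n\n\n \"`, leaving three blank lines and a stray space in the rendered description; trimming it to a single trailing newline would match the other controls in this file. The presence check `auditd.lines.index { |line| line.include?(@audit_file) }` is a substring match on the loaded rule set, which is fine for `/usr/bin/chfn` but is worth a one-line comment so a later path such as a prefix of another binary is not matched by accident.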
@@ -10285,34 +10344,42 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75389' do\n title 'The Ubuntu operating system must be a vendor supported release.'\n desc \"An Ubuntu operating system release is considered \\\"supported\\\" if the\nvendor continues to provide security patches for the product. With an\nunsupported release, it will not be possible to resolve security issues\ndiscovered in the system software.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75389'\n tag \"rid\": 'SV-90069r1_rule'\n tag \"stig_id\": 'UBTU-16-010000'\n tag \"fix_id\": 'F-82017r1_fix'\n tag \"cci\": ['CCI-001230']\n tag \"nist\": ['SI-2 d', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the version of the Ubuntu operating system is vendor\nsupported.\n\nCheck the version of the Ubuntu operating system with the following command:\n\n# cat /etc/lsb-release\n\nDISTRIB_RELEASE=16.04\nDISTRIB_CODENAME=xenial\nDISTRIB_DESCRIPTION=\\\"Ubuntu 16.04.1 LTS\\\"\n\nCurrent End of Life for Ubuntu 16.04 LTS is April 2021.\n\nIf the release is not supported by the vendor, this is a finding.\"\n desc 'fix', 'Upgrade to a supported version of the Ubuntu operating system.'\n\n platform_name = input('platform_name')\n platform_release = input('platform_release')\n supported_until = input('supported_until')\n describe platform.name do\n it { should cmp platform_name }\n end\n\n describe platform.release do\n it { should cmp platform_release }\n end\n\n describe \"The current system is still within its End of Life of #{supported_until}\" do\n subject { Date.today <= Date.parse(supported_until) }\n it { should be true }\n end\nend\n", + "code": 
"control 'V-75781' do\n title \"Successful/unsuccessful uses of the gpasswd command must generate an\naudit record.\"\n desc \"Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75781'\n tag \"rid\": 'SV-90461r3_rule'\n tag \"stig_id\": 'UBTU-16-020780'\n tag \"fix_id\": 'F-82411r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"gpasswd\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w gpasswd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the 
\\\"gpasswd\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-gpasswd\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75389.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75781.rb", "line": 3 }, - "id": "V-75389" + "id": "V-75781" }, { - "title": "The Ubuntu operating system must not forward Internet Protocol version\n4 (IPv4) source-routed packets.", - "desc": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. 
This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", + "title": "Pam_Apparmor must be configured to allow system administrators to pass\ninformation to any other Ubuntu operating system administrator or user, change\nsecurity attributes, and to confine all non-privileged users from executing\nfunctions to include disabling, circumventing, or altering implemented security\nsafeguards/countermeasures.", + "desc": "Discretionary Access Control (DAC) is based on the notion that\nindividual users are \"owners\" of objects and therefore have discretion over\nwho should be authorized to access the object and in which mode (e.g., read or\nwrite). Ownership is usually acquired as a consequence of creating the object\nor via specified ownership assignment. DAC allows the owner to determine who\nwill have access to objects they control. An example of DAC includes\nuser-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are\nnot constrained with regard to what actions they can take with information for\nwhich they have already been granted access. Thus, subjects that have been\ngranted access to information are not prevented from passing (i.e., the\nsubjects have the discretion to pass) the information to other subjects or\nobjects. A subject that is constrained in its operation by Mandatory Access\nControl policies is still able to operate under the less rigorous constraints\nof this requirement. Thus, while Mandatory Access Control imposes constraints\npreventing a subject from passing information to another subject operating at a\ndifferent sensitivity level, this requirement permits the subject to pass the\ninformation to any subject at the same sensitivity level. The policy is bounded\nby the information system boundary. 
Once the information is passed outside the\ncontrol of the information system, additional means may be required to ensure\nthe constraints remain in effect. While the older, more traditional definitions\nof discretionary access control require identity-based access control, that\nlimitation is not required for this use of discretionary access control.", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", - "check": "Verify the Ubuntu operating system does not accept IPv4\nsource-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route=0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or\nthe returned line is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to not forward Internet\nProtocol version 4 (IPv4) source-routed packets with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following\nline in \"/etc/sysctl.conf\" or in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_source_route=0" + "default": "Discretionary Access Control (DAC) is based on the notion that\nindividual users are \"owners\" of objects and therefore have discretion over\nwho should be authorized to access the object and in which mode (e.g., read or\nwrite). Ownership is usually acquired as a consequence of creating the object\nor via specified ownership assignment. 
DAC allows the owner to determine who\nwill have access to objects they control. An example of DAC includes\nuser-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are\nnot constrained with regard to what actions they can take with information for\nwhich they have already been granted access. Thus, subjects that have been\ngranted access to information are not prevented from passing (i.e., the\nsubjects have the discretion to pass) the information to other subjects or\nobjects. A subject that is constrained in its operation by Mandatory Access\nControl policies is still able to operate under the less rigorous constraints\nof this requirement. Thus, while Mandatory Access Control imposes constraints\npreventing a subject from passing information to another subject operating at a\ndifferent sensitivity level, this requirement permits the subject to pass the\ninformation to any subject at the same sensitivity level. The policy is bounded\nby the information system boundary. Once the information is passed outside the\ncontrol of the information system, additional means may be required to ensure\nthe constraints remain in effect. 
While the older, more traditional definitions\nof discretionary access control require identity-based access control, that\nlimitation is not required for this use of discretionary access control.", + "check": "Verify the Ubuntu operating system is configured to allow\nsystem administrators to pass information to any other Ubuntu operating system\nadministrator or user.\n\nCheck that \"Pam_Apparmor\" is installed on the system with the following\ncommand:\n\n# sudo apt list libpam-apparmor\n\nlibpam-apparmor/xenial-updates,now 2.10.95-0ubuntu2.7 amd64 [installed]\n\nIf the \"Pam_Apparmor\" package is not installed, this is a finding.\n\nCheck that Pam_Apparmor has properly configured profiles\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf all loaded profiles are not in \"enforce\" mode, or there are any profiles\nin \"complain\" mode, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow system\nadministrators to pass information to any other Ubuntu operating system\nadministrator or user.\n\nInstall \"Pam_Apparmor\" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate \"Apparmor\" (if it is not already active) with the following\ncommand:\n\n# sudo systemctl enable apparmor.service\n\nStart \"Apparmor\" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Pam_Apparmor must have properly configured profiles. All configurations\nwill be based on the actual system setup and organization. See the\n\"Pam_Apparmor\" documentation for more information on configuring profiles." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-75873",
- "rid": "SV-90553r3_rule",
- "stig_id": "UBTU-16-030530",
- "fix_id": "F-82503r3_fix",
+ "gtitle": "SRG-OS-000312-GPOS-00122",
+ "satisfies": [
+ "SRG-OS-000312-GPOS-00122",
+ "SRG-OS-000312-GPOS-00123",
+ "SRG-OS-000312-GPOS-00124",
+ "SRG-OS-000324-GPOS-00125"
+ ],
+ "gid": "V-75535",
+ "rid": "SV-90215r2_rule",
+ "stig_id": "UBTU-16-010600",
+ "fix_id": "F-82163r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-002165",
+ "CCI-002235"
 ],
 "nist": [
- "CM-6 b",
+ "AC-3 (4)",
+ "AC-6 (10)",
 "Rev_4"
 ],
 "false_negatives": null,
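Review bot: The V-75781 (gpasswd) describe block asserts only `its('permissions') { should_not cmp [] }` and `its('action') { should_not include 'never' }`, whereas the sibling chfn control in the preceding hunk additionally pins `its('action.uniq') { should eq ['always'] }` and `its('list.uniq') { should eq ['exit'] }`; without those two lines a rule on a list other than `exit` would still pass this control. Adding the same two assertions here brings the two privileged-command controls into line and makes the `should_not include 'never'` check largely redundant. The V-75535 (Pam_Apparmor) control whose descriptions and tags begin in this hunk has its code in the hunk that follows, which runs past the end of the visible diff.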
@@ -10326,40 +10393,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75873' do\n title \"The Ubuntu operating system must not forward Internet Protocol version\n4 (IPv4) source-routed packets.\"\n desc \"Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75873'\n tag \"rid\": 'SV-90553r3_rule'\n tag \"stig_id\": 'UBTU-16-030530'\n tag \"fix_id\": 'F-82503r3_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system does not accept IPv4\nsource-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route=0\n\nIf the returned line does not have a value of \\\"0\\\", a line is not returned, or\nthe returned line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to not forward Internet\nProtocol version 4 (IPv4) source-routed packets with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf \\\"0\\\" is not the system's default value then add or update the following\nline in \\\"/etc/sysctl.conf\\\" or in the appropriate file under 
\\\"/etc/sysctl.d\\\":\n\nnet.ipv4.conf.all.accept_source_route=0\"\n\n describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do\n its('value') { should eq 0 }\n end\nend\n", + "code": "control 'V-75535' do\n title \"Pam_Apparmor must be configured to allow system administrators to pass\ninformation to any other Ubuntu operating system administrator or user, change\nsecurity attributes, and to confine all non-privileged users from executing\nfunctions to include disabling, circumventing, or altering implemented security\nsafeguards/countermeasures.\"\n desc \"Discretionary Access Control (DAC) is based on the notion that\nindividual users are \\\"owners\\\" of objects and therefore have discretion over\nwho should be authorized to access the object and in which mode (e.g., read or\nwrite). Ownership is usually acquired as a consequence of creating the object\nor via specified ownership assignment. DAC allows the owner to determine who\nwill have access to objects they control. An example of DAC includes\nuser-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are\nnot constrained with regard to what actions they can take with information for\nwhich they have already been granted access. Thus, subjects that have been\ngranted access to information are not prevented from passing (i.e., the\nsubjects have the discretion to pass) the information to other subjects or\nobjects. A subject that is constrained in its operation by Mandatory Access\nControl policies is still able to operate under the less rigorous constraints\nof this requirement. Thus, while Mandatory Access Control imposes constraints\npreventing a subject from passing information to another subject operating at a\ndifferent sensitivity level, this requirement permits the subject to pass the\ninformation to any subject at the same sensitivity level. The policy is bounded\nby the information system boundary. 
Once the information is passed outside the\ncontrol of the information system, additional means may be required to ensure\nthe constraints remain in effect. While the older, more traditional definitions\nof discretionary access control require identity-based access control, that\nlimitation is not required for this use of discretionary access control.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000312-GPOS-00122'\n tag \"satisfies\": %w[SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123\n SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125]\n tag \"gid\": 'V-75535'\n tag \"rid\": 'SV-90215r2_rule'\n tag \"stig_id\": 'UBTU-16-010600'\n tag \"fix_id\": 'F-82163r1_fix'\n tag \"cci\": %w[CCI-002165 CCI-002235]\n tag \"nist\": ['AC-3 (4)', 'AC-6 (10)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is configured to allow\nsystem administrators to pass information to any other Ubuntu operating system\nadministrator or user.\n\nCheck that \\\"Pam_Apparmor\\\" is installed on the system with the following\ncommand:\n\n# sudo apt list libpam-apparmor\n\nlibpam-apparmor/xenial-updates,now 2.10.95-0ubuntu2.7 amd64 [installed]\n\nIf the \\\"Pam_Apparmor\\\" package is not installed, this is a finding.\n\nCheck that Pam_Apparmor has properly configured profiles\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf all loaded profiles are not in \\\"enforce\\\" mode, or there are any profiles\nin \\\"complain\\\" mode, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating 
system to allow system\nadministrators to pass information to any other Ubuntu operating system\nadministrator or user.\n\nInstall \\\"Pam_Apparmor\\\" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate \\\"Apparmor\\\" (if it is not already active) with the following\ncommand:\n\n# sudo systemctl enable apparmor.service\n\nStart \\\"Apparmor\\\" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Pam_Apparmor must have properly configured profiles. All configurations\nwill be based on the actual system setup and organization. See the\n\\\"Pam_Apparmor\\\" documentation for more information on configuring profiles.\"\n\n describe package('libpam-apparmor') do\n it { should be_installed }\n end\n\n num_loaded_profiles = inspec.command('apparmor_status | grep \"profiles are loaded.\" | cut -f 1 -d \" \"').stdout\n num_enforced_profiles = inspec.command('apparmor_status | grep \"profiles are in enforce mode.\" | cut -f 1 -d \" \"').stdout\n\n describe 'AppArmor Profiles' do\n it 'loaded and enforced' do\n expect(num_loaded_profiles).to eq(num_enforced_profiles)\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75873.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75535.rb", "line": 3 }, - "id": "V-75873" + "id": "V-75535" }, { - "title": "The Ubuntu operating system must encrypt all stored passwords with a\nFIPS 140-2 approved cryptographic hashing algorithm.", - "desc": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. 
If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.", + "title": "Local initialization files must not execute world-writable programs.", + "desc": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", "descriptions": { - "default": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. 
If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.", - "check": "Verify that the shadow password suite configuration is set to\nencrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is being used to hash passwords with the\nfollowing command:\n\n# cat /etc/login.defs | grep -i crypt\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or greater, this is a finding.", - "fix": "Configure the Ubuntu operating system to encrypt all stored\npasswords.\n\nEdit/Modify the following line in the \"/etc/login.defs\" file and set\n\"[ENCRYPT_METHOD]\" to SHA512.\n\nENCRYPT_METHOD SHA512" + "default": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. 
If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", + "check": "Verify that local initialization files do not execute\nworld-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# sudo find / -perm -002 -type f -exec ls -ld {} \\; | more\n\nFor all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\nNote: The example will be for a system that is configured to create users’ home\ndirectories in the \"/home\" directory.\n\n# grep /home/*/.*\n\nIf any local initialization files are found to reference world-writable files,\nthis is a finding.", + "fix": "Set the mode on files being executed by the local initialization\nfiles with the following command:\n\n# chmod 0755 " }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000073-GPOS-00041", - "satisfies": [ - "SRG-OS-000073-GPOS-00041", - "SRG-OS-000120-GPOS-00061" - ], - "gid": "V-75459", - "rid": "SV-90139r1_rule", - "stig_id": "UBTU-16-010150", - "fix_id": "F-82087r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75573", + "rid": "SV-90253r1_rule", + "stig_id": "UBTU-16-010790", + "fix_id": "F-82201r1_fix", "cci": [ - "CCI-000196", - "CCI-000803" + "CCI-000366" ], "nist": [ - "IA-5 (1) (c)", - "IA-7", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
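Review bot: The V-75535 `code` string in this hunk can pass vacuously: `num_loaded_profiles` and `num_enforced_profiles` are the raw stdout of a `apparmor_status | grep | cut` pipeline, so if `apparmor_status` is missing, fails, or prints neither phrase, both values are `""` and `expect(num_loaded_profiles).to eq(num_enforced_profiles)` succeeds even though the check text says an un-enforced or absent profile set is a finding. Guard the comparison before the equality, e.g. `expect(num_loaded_profiles.strip).not_to be_empty` and compare `num_loaded_profiles.strip.to_i` with `num_enforced_profiles.strip.to_i` rather than the newline-terminated strings. The pipeline also depends on the exact wording of `apparmor_status` output, which deserves a comment such as `# relies on apparmor_status printing "N profiles are loaded." and "N profiles are in enforce mode."`. The V-75573 entry that starts at the end of this hunk continues into the next one.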
@@ -10373,50 +10434,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75459' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a\nFIPS 140-2 approved cryptographic hashing algorithm.\"\n desc \"Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"satisfies\": %w[SRG-OS-000073-GPOS-00041 SRG-OS-000120-GPOS-00061]\n tag \"gid\": 'V-75459'\n tag \"rid\": 'SV-90139r1_rule'\n tag \"stig_id\": 'UBTU-16-010150'\n tag \"fix_id\": 'F-82087r1_fix'\n tag \"cci\": %w[CCI-000196 CCI-000803]\n tag \"nist\": ['IA-5 (1) (c)', 'IA-7', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the shadow password suite configuration is set to\nencrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is being used to hash passwords with the\nfollowing command:\n\n# cat /etc/login.defs | grep -i crypt\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or greater, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all 
stored\npasswords.\n\nEdit/Modify the following line in the \\\"/etc/login.defs\\\" file and set\n\\\"[ENCRYPT_METHOD]\\\" to SHA512.\n\nENCRYPT_METHOD SHA512\"\n\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\nend\n", + "code": "control 'V-75573' do\n title 'Local initialization files must not execute world-writable programs.'\n desc \"If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75573'\n tag \"rid\": 'SV-90253r1_rule'\n tag \"stig_id\": 'UBTU-16-010790'\n tag \"fix_id\": 'F-82201r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that local initialization files do not execute\nworld-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# sudo find / -perm -002 -type f -exec ls -ld {} \\\\; | more\n\nFor all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\nNote: The example will be for a system that is configured to create users’ home\ndirectories in the \\\"/home\\\" directory.\n\n# grep /home/*/.*\n\nIf any local initialization files are found to reference world-writable files,\nthis is a finding.\"\n desc 'fix', \"Set the mode on files being executed by the local initialization\nfiles 
with the following command:\n\n# chmod 0755 \"\n\n disable_slow_controls = input('disable_slow_controls')\n non_interactive_shells = input('non_interactive_shells')\n if disable_slow_controls\n describe 'This control consistently takes a long to run and has been disabled using the DISABLE_SLOW_CONTROLS attribute.' do\n skip \"This control consistently takes a long to run and has been disabled\n using the DISABLE_SLOW_CONTROLS attribute. You must enable this control for a\n full accredidation for production.\"\n end\n else\n ignore_shells = non_interactive_shells.join('|')\n\n dotfiles = Set[]\n u = users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries\n u.each do |user|\n dotfiles += command(\"find #{user.home} -xdev -maxdepth 2 -name '.*' ! -name \\\".bash_history\\\" -type f\").stdout.split(\"\\n\")\n end\n ww_files = Set[]\n ww_files = command('find / -perm -002 -type f -exec ls {} \\;').stdout.lines\n findings = Set[]\n dotfiles.each do |dotfile|\n dotfile = dotfile.strip\n ww_files.each do |ww_file|\n ww_file = ww_file.strip\n count = command(\"grep -c \\\"#{ww_file}\\\" \\\"#{dotfile}\\\"\").stdout.strip.to_i\n findings << dotfile if count > 0\n end\n end\n describe 'Local initialization files that are found to reference world-writable files' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75459.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75573.rb", "line": 3 }, - "id": "V-75459" + "id": "V-75573" }, { - "title": "Successful/unsuccessful uses of the crontab command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system 
(e.g., module or policy filter).", + "title": "The System Administrator (SA) and Information System Security Officer\n(ISSO) (at a minimum) must be alerted when the audit storage volume is full.", + "desc": "It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. 
Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \"crontab\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w crontab /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-crontab\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"crontab\" command. Add or update the\nfollowing rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-crontab\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. 
Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.", + "check": "Verify that the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) are notified when the audit\nstorage volume is full.\n\nCheck which action the Ubuntu operating system takes when the audit storage\nvolume is full with the following command:\n\n# sudo grep max_log_file_action /etc/audit/auditd.conf\n\nmax_log_file_action=syslog\n\nIf the value of the \"max_log_file_action\" option is set to \"ignore\",\n\"rotate\", or \"suspend\", or the line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to notify the System\nAdministrator (SA) and Information System Security Officer (ISSO) when the\naudit storage volume is full by configuring the \"max_log_file_action\"\nparameter in the \"/etc/audit/auditd.conf\" file with the a value of \"syslog\"\nor \"keep_logs\":\n\nmax_log_file_action=syslog" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - 
"SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75787", - "rid": "SV-90467r3_rule", - "stig_id": "UBTU-16-020810", - "fix_id": "F-82417r2_fix", + "gtitle": "SRG-OS-000047-GPOS-00023", + "gid": "V-75627", + "rid": "SV-90307r1_rule", + "stig_id": "UBTU-16-020050", + "fix_id": "F-82255r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000140" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "AU-5 b", "Rev_4" ], "false_negatives": null, 
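Review bot: In the V-75573 `code` string the paths returned by `find` are interpolated unescaped into shell commands — `command("find #{user.home} ...")` and especially `command("grep -c \"#{ww_file}\" \"#{dotfile}\"")` — so a world-writable file whose name contains a double quote or other shell metacharacters would alter the command the scanner's shell runs, and `grep -c` additionally treats the path as a regular expression, so names containing `.` or `[` can match or fail unexpectedly. Escape both operands and match literally: add `require 'shellwords'` at the top of the control and use `count = command("grep -cF -- #{Shellwords.escape(ww_file)} #{Shellwords.escape(dotfile)}").stdout.strip.to_i`, with the same `Shellwords.escape` applied to `user.home`. Two smaller points in the same block: `ww_files = Set[]` is immediately overwritten by the `command(...).stdout.lines` assignment and can be dropped, and the `fix` text ends in a bare `# chmod 0755 ` with no operand, which mirrors the STIG text but would read better with a comment noting that the file path is implied. The V-75627 entry that begins at the end of this hunk continues into the next one.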
@@ -10430,50 +10475,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75787' do\n title \"Successful/unsuccessful uses of the crontab command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75787'\n tag \"rid\": 'SV-90467r3_rule'\n tag \"stig_id\": 'UBTU-16-020810'\n tag \"fix_id\": 'F-82417r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that an audit event is generated for any\nsuccessful/unsuccessful use of the \\\"crontab\\\" command.\n\nCheck for the following system call being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w crontab /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-crontab\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure 
the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \\\"crontab\\\" command. Add or update the\nfollowing rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k privileged-crontab\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75627' do\n title \"The System Administrator (SA) and Information System Security Officer\n(ISSO) (at a minimum) must be alerted when the audit storage volume is full.\"\n desc \"It is critical that when the Ubuntu operating system is at risk of\nfailing to process audit logs as required, it takes action to mitigate the\nfailure. Audit processing failures include: software/hardware errors; failures\nin the audit capturing mechanisms; and audit storage capacity being reached or\nexceeded. 
Responses to audit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nthe Ubuntu operating system must continue generating audit records if possible\n(automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, the Ubuntu\noperating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of\nthe connection to the centralized collection server, action should be taken to\nsynchronize the local audit data with the collection server.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000047-GPOS-00023'\n tag \"gid\": 'V-75627'\n tag \"rid\": 'SV-90307r1_rule'\n tag \"stig_id\": 'UBTU-16-020050'\n tag \"fix_id\": 'F-82255r1_fix'\n tag \"cci\": ['CCI-000140']\n tag \"nist\": ['AU-5 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) are notified when the audit\nstorage volume is full.\n\nCheck which action the Ubuntu operating system takes when the audit storage\nvolume is full with the following command:\n\n# sudo grep max_log_file_action /etc/audit/auditd.conf\n\nmax_log_file_action=syslog\n\nIf the value of the \\\"max_log_file_action\\\" option is set to \\\"ignore\\\",\n\\\"rotate\\\", or 
\\\"suspend\\\", or the line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to notify the System\nAdministrator (SA) and Information System Security Officer (ISSO) when the\naudit storage volume is full by configuring the \\\"max_log_file_action\\\"\nparameter in the \\\"/etc/audit/auditd.conf\\\" file with the a value of \\\"syslog\\\"\nor \\\"keep_logs\\\":\n\nmax_log_file_action=syslog\"\n\n describe auditd_conf do\n its('max_log_file_action') { should_not be_empty }\n its('max_log_file_action') { should_not cmp /(?:ignore|rotate|suspend)/i }\n its('max_log_file_action') { should cmp /(?:syslog|keep_logs)/i }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75787.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75627.rb", "line": 3 }, - "id": "V-75787" + "id": "V-75627" }, { - "title": "Successful/unsuccessful uses of the setfacl command must generate an\naudit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "The Ubuntu operating system must not have unnecessary accounts.", + "desc": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. 
Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \"setfacl\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n# sudo grep -w setfacl /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"setfacl\" command.\n\nAdd or update the following rules in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. 
Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", + "check": "Verify all accounts on the system are assigned to an active\nsystem, application, or user account.\n\nObtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\n...\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\n\nAccounts such as \"games\" and \"gopher\" are not authorized accounts as they\ndo not support authorized system functions.\n\nIf the accounts on the system do not match the provided documentation, or\naccounts that do not support an authorized system function are present, this is\na finding.", + "fix": "Configure the system so all accounts on the system are assigned\nto an active system, application, or user account.\n\nRemove accounts that do not support approved system activities or that allow\nfor a normal user to perform administrative-level actions.\n\nDocument all authorized accounts on the system." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75767", - "rid": "SV-90447r3_rule", - "stig_id": "UBTU-16-020710", - "fix_id": "F-82395r2_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75545", + "rid": "SV-90225r2_rule", + "stig_id": "UBTU-16-010650", + "fix_id": "F-82173r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
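Review bot: The V-75627 `code` asserts only `max_log_file_action`, which in auditd.conf governs what happens when a single log file reaches `max_log_file`, not when the audit volume itself runs out of space; the "audit storage volume is full" condition named in the title is handled by `space_left_action`, `admin_space_left_action` and `disk_full_action`, none of which this control examines. That follows the STIG check text literally, so rather than widen the assertion I would document the gap with a comment above the `describe auditd_conf` block, e.g. `# Per the STIG check text this asserts max_log_file_action only; the disk-exhaustion keys (space_left_action, admin_space_left_action, disk_full_action) are not covered here.` The regexes are also unanchored (`cmp /(?:syslog|keep_logs)/i`), so a value that merely contains one of those words would pass; `cmp /\A(?:syslog|keep_logs)\z/i` appears to pin it, assuming `cmp` matches the regex the way it does for the existing `should_not` lines. The V-75545 entry that begins at the end of this hunk continues into the next one.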
@@ -10487,54 +10516,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75767' do\n title \"Successful/unsuccessful uses of the setfacl command must generate an\naudit record.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172\n SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75767'\n tag \"rid\": 'SV-90447r3_rule'\n tag \"stig_id\": 'UBTU-16-020710'\n tag \"fix_id\": 'F-82395r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)',\n 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates an audit record\nwhen successful/unsuccessful attempts to use the \\\"setfacl\\\" command occur.\n\nCheck that the following calls are being audited by performing the following\ncommand to check the file system rules in \\\"/etc/audit/audit.rules\\\":\n\n# sudo grep -w setfacl /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n 
desc 'fix', \"Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \\\"setfacl\\\" command.\n\nAdd or update the following rules in the \\\"/etc/audit/audit.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75545' do\n title 'The Ubuntu operating system must not have unnecessary accounts.'\n desc \"Accounts providing no operational purpose provide additional\nopportunities for system compromise. 
Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75545'\n tag \"rid\": 'SV-90225r2_rule'\n tag \"stig_id\": 'UBTU-16-010650'\n tag \"fix_id\": 'F-82173r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify all accounts on the system are assigned to an active\nsystem, application, or user account.\n\nObtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\n...\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\n\nAccounts such as \\\"games\\\" and \\\"gopher\\\" are not authorized accounts as they\ndo not support authorized system functions.\n\nIf the accounts on the system do not match the provided documentation, or\naccounts that do not support an authorized system function are present, this is\na finding.\"\n desc 'fix', \"Configure the system so all accounts on the system are assigned\nto an active system, application, or user account.\n\nRemove accounts that do not support approved system activities or that allow\nfor a normal user to perform administrative-level actions.\n\nDocument all authorized accounts on the system.\"\n\n known_system_accounts = input('known_system_accounts')\n disallowed_accounts = input('disallowed_accounts')\n user_accounts = input('user_accounts')\n allowed_accounts = (known_system_accounts + user_accounts).uniq\n\n 
describe 'The active system users' do\n subject { passwd }\n its('users') { should be_in allowed_accounts }\n its('users') { should_not be_in disallowed_accounts }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75767.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75545.rb", "line": 3 }, - "id": "V-75767" + "id": "V-75545" }, { - "title": "The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/security/opasswd.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "Account identifiers (individuals, groups, roles, and devices) must\ndisabled after 35 days of inactivity.", + "desc": "Inactive identifiers pose a risk to systems and applications because\nattackers may exploit an inactive identifier and potentially obtain undetected\naccess to the system. 
Owners of inactive accounts will not notice if\nunauthorized access to their user account has been obtained.\n\n Ubuntu operating systems need to track periods of inactivity and disable\napplication identifiers after 35 days of inactivity.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \"/etc/security/opasswd\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n# sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.", - "fix": "Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \"/etc/security/opasswd\".\n\nAdd or update the following file system rule to \"/etc/audit/audit.rules\":\n\n-w /etc/security/opasswd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service" + "default": "Inactive identifiers pose a risk to systems and applications because\nattackers may exploit an inactive identifier and potentially obtain undetected\naccess to the system. 
Owners of inactive accounts will not notice if\nunauthorized access to their user account has been obtained.\n\n Ubuntu operating systems need to track periods of inactivity and disable\napplication identifiers after 35 days of inactivity.", + "check": "Verify the account identifiers (individuals, groups, roles, and\ndevices) are disabled after \"35\" days of inactivity with the following\ncommand:\n\nCheck the account inactivity value by performing the following command:\n\n# sudo grep -i inactive /etc/default/useradd\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value \"0<[VALUE]<=35\", or is commented out,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to disable account\nidentifiers after 35 days of inactivity after the password expiration.\n\nRun the following command to change the configuration for useradd:\n\n# sudo useradd -D -f 35\n\nDoD recommendation is 35 days, but a lower value is acceptable. The value\n\"-1\" will disable this feature, and \"0\" will disable the account\nimmediately after the password expires." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-75687", - "rid": "SV-90367r3_rule", - "stig_id": "UBTU-16-020340", - "fix_id": "F-82315r2_fix", + "gtitle": "SRG-OS-000118-GPOS-00060", + "gid": "V-75485", + "rid": "SV-90165r3_rule", + "stig_id": "UBTU-16-010280", + "fix_id": "F-82113r1_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000169", - "CCI-000172", - "CCI-002132", - "CCI-002884" + "CCI-000795" ], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "AC-2 (4)", - "MA-4 (1)\n(a)", + "IA-4 e", "Rev_4" ], "false_negatives": null, 
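Review bot: In the new V-75545 `code` string, `allowed_accounts = (known_system_accounts + user_accounts).uniq` is built from three `input()` calls that carry no default, so if any of them is undeclared in a run the value is nil and the control aborts with a `NoMethodError` rather than reporting a finding (I cannot see from this hunk whether the profile declares them). Giving each input an explicit, fail-closed default — e.g. `user_accounts = input('user_accounts', value: [])` and likewise `known_system_accounts` — keeps the control evaluable and makes an unconfigured run fail `be_in` visibly instead of crashing. The STIG check text in the same hunk names "games" and "gopher" as unauthorized examples, so a default for `disallowed_accounts` could seed those names with a short comment pointing at that text; please confirm against the profile's input definitions.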
@@ -10548,43 +10557,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75687' do\n title \"The Ubuntu operating system must generate audit records for all\naccount creations, modifications, disabling, and termination events that affect\n/etc/security/opasswd.\"\n desc \"Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000037-GPOS-00015'\n tag \"satisfies\": %w[SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020\n SRG-OS-000062-GPOS-00031 SRG-OS-000304-GPOS-00121\n SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206\n SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215]\n tag \"gid\": 'V-75687'\n tag \"rid\": 'SV-90367r3_rule'\n tag \"stig_id\": 'UBTU-16-020340'\n tag \"fix_id\": 'F-82315r2_fix'\n tag \"cci\": %w[CCI-000130 CCI-000135 CCI-000169 CCI-000172\n CCI-002132 CCI-002884]\n tag \"nist\": ['AU-3', 'AU-3 (1)', 'AU-12 a', 'AU-12 c', 'AC-2 (4)', \"MA-4 (1)\n(a)\", 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system generates audit records for\nall account creations, modifications, disabling, and termination events that\naffect \\\"/etc/security/opasswd\\\".\n\nCheck the auditing rules in \\\"/etc/audit/audit.rules\\\" with the following\ncommand:\n\n# sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n-w /etc/security/opasswd -p wa -k 
audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records\nfor all account creations, modifications, disabling, and termination events\nthat affect \\\"/etc/security/opasswd\\\".\n\nAdd or update the following file system rule to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/security/opasswd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart\nthe audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service\"\n\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe ('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75485' do\n title \"Account identifiers (individuals, groups, roles, and devices) must\ndisabled after 35 days of inactivity.\"\n desc \"Inactive identifiers pose a risk to systems and applications because\nattackers may exploit an inactive identifier and potentially obtain undetected\naccess to the system. 
Owners of inactive accounts will not notice if\nunauthorized access to their user account has been obtained.\n\n Ubuntu operating systems need to track periods of inactivity and disable\napplication identifiers after 35 days of inactivity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000118-GPOS-00060'\n tag \"gid\": 'V-75485'\n tag \"rid\": 'SV-90165r3_rule'\n tag \"stig_id\": 'UBTU-16-010280'\n tag \"fix_id\": 'F-82113r1_fix'\n tag \"cci\": ['CCI-000795']\n tag \"nist\": ['IA-4 e', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and\ndevices) are disabled after \\\"35\\\" days of inactivity with the following\ncommand:\n\nCheck the account inactivity value by performing the following command:\n\n# sudo grep -i inactive /etc/default/useradd\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value \\\"0<[VALUE]<=35\\\", or is commented out,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to disable account\nidentifiers after 35 days of inactivity after the password expiration.\n\nRun the following command to change the configuration for useradd:\n\n# sudo useradd -D -f 35\n\nDoD recommendation is 35 days, but a lower value is acceptable. 
The value\n\\\"-1\\\" will disable this feature, and \\\"0\\\" will disable the account\nimmediately after the password expires.\"\n\n max_account_inactive_days = input('max_account_inactive_days')\n config_file = '/etc/default/useradd'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= max_account_inactive_days }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75687.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75485.rb", "line": 3 }, - "id": "V-75687" + "id": "V-75485" }, { - "title": "The SSH daemon must be configured to only use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.", - "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.", + "title": "The Network Information Service (NIS) package must not be installed.", + "desc": "Removing the Network Information Service (NIS) package decreases the\nrisk of the accidental (or intentional) activation of NIS or NIS+ services.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.", - "check": "Verify the SSH daemon is configured to only use Message\nAuthentication Codes (MACs) that employ FIPS 140-2 approved ciphers.\n\nCheck that the SSH daemon is configured to only use MACs that employ FIPS 140-2\napproved ciphers with the following command:\n\n# sudo grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than \"hmac-sha2-256\" or \"hmac-sha2-512\" are listed, or\nthe retuned line is commented out, this is a finding.", - "fix": "Configure the Ubuntu operating system to allow the SSH daemon to\nonly use Message Authentication Codes (MACs) that employ FIPS 140-2 
approved\nciphers.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"MACs\" keyword and set its value to \"hmac-sha2-256\" and/or\n\"hmac-sha2-512\":\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service" + "default": "Removing the Network Information Service (NIS) package decreases the\nrisk of the accidental (or intentional) activation of NIS or NIS+ services.", + "check": "Verify that the Network Information Service (NIS) package is\nnot installed on the Ubuntu operating system.\n\nCheck to see if the NIS package is installed with the following command:\n\n# sudo apt list nis\n\nIf the NIS package is installed, this is a finding.", + "fix": "Configure the Ubuntu operating system to disable non-essential\ncapabilities by removing the Network Information Service (NIS) package from the\nsystem with the following command:\n\n# sudo apt-get remove nis" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000250-GPOS-00093", - "satisfies": [ - "SRG-OS-000250-GPOS-00093", - "SRG-OS-000393-GPOS-00173", - "SRG-OS-000394-GPOS-00174" - ], - "gid": "V-75831", - "rid": "SV-90511r2_rule", - "stig_id": "UBTU-16-030240", - "fix_id": "F-82461r2_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-75799", + "rid": "SV-90479r2_rule", + "stig_id": "UBTU-16-030010", + "fix_id": "F-82429r1_fix", "cci": [ - "CCI-001453", - "CCI-002890", - "CCI-003123" + "CCI-000381" ], "nist": [ - "AC-17 (2)", - "MA-4 (6)", - "MA-4 (6)", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
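Review bot: In the V-75485 `code` string, `its('INACTIVE') { should cmp <= max_account_inactive_days }` takes its ceiling from an unbounded input, so a run with that input set above 35 passes a value the STIG check text in the same hunk (`0<[VALUE]<=35`) treats as a finding. Capping the comparison, `its('INACTIVE') { should cmp <= [max_account_inactive_days, 35].min }`, or at least a comment on the input stating the 35-day ceiling, would keep the control aligned with the text. The lower bound `should cmp > '0'` compares against a string while the upper bound uses an integer; `cmp > 0` is the consistent form. Since `/etc/default/useradd` governs only accounts created after the setting is applied, a one-line comment noting that existing accounts' inactivity is outside this control's scope would help the next maintainer, if that scope is intentional.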
@@ -10598,34 +10598,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75831' do\n title \"The SSH daemon must be configured to only use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.\"\n desc \"Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000250-GPOS-00093'\n tag \"satisfies\": %w[SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173\n SRG-OS-000394-GPOS-00174]\n tag \"gid\": 'V-75831'\n tag \"rid\": 'SV-90511r2_rule'\n tag \"stig_id\": 'UBTU-16-030240'\n tag \"fix_id\": 'F-82461r2_fix'\n tag \"cci\": %w[CCI-001453 CCI-002890 CCI-003123]\n tag \"nist\": ['AC-17 (2)', 'MA-4 (6)', 'MA-4 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the SSH daemon is configured to only use Message\nAuthentication Codes (MACs) that employ FIPS 140-2 approved ciphers.\n\nCheck that the SSH daemon is configured to only use MACs that employ FIPS 140-2\napproved ciphers with the following command:\n\n# sudo grep -i 
macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than \\\"hmac-sha2-256\\\" or \\\"hmac-sha2-512\\\" are listed, or\nthe retuned line is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to\nonly use Message Authentication Codes (MACs) that employ FIPS 140-2 approved\nciphers.\n\nEdit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the\n\\\"MACs\\\" keyword and set its value to \\\"hmac-sha2-256\\\" and/or\n\\\"hmac-sha2-512\\\":\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the\nSSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\"\n\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w[hmac-sha2-256 hmac-sha2-512] }\n end\nend\n", + "code": "control 'V-75799' do\n title 'The Network Information Service (NIS) package must not be installed.'\n desc \"Removing the Network Information Service (NIS) package decreases the\nrisk of the accidental (or intentional) activation of NIS or NIS+ services.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-75799'\n tag \"rid\": 'SV-90479r2_rule'\n tag \"stig_id\": 'UBTU-16-030010'\n tag \"fix_id\": 'F-82429r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Network Information Service (NIS) package is\nnot installed on the Ubuntu operating system.\n\nCheck to see if the NIS package is installed with 
the following command:\n\n# sudo apt list nis\n\nIf the NIS package is installed, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential\ncapabilities by removing the Network Information Service (NIS) package from the\nsystem with the following command:\n\n# sudo apt-get remove nis\"\n\n describe package('nis') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75831.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75799.rb", "line": 3 }, - "id": "V-75831" + "id": "V-75799" }, { - "title": "The Ubuntu operating system must accept Personal Identity Verification\n(PIV) credentials.", - "desc": "The use of PIV credentials facilitates standardization and reduces the\nrisk of unauthorized access.\n\n DoD has mandated the use of the CAC to support identity management and\npersonal authentication for systems covered under Homeland Security\nPresidential Directive (HSPD) 12, as well as making the CAC a primary component\nof layered protection for national security systems.", + "title": "For Ubuntu operating systems using Domain Name Servers (DNS)\nresolution, at least two name servers must be configured.", + "desc": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. 
A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", "descriptions": { - "default": "The use of PIV credentials facilitates standardization and reduces the\nrisk of unauthorized access.\n\n DoD has mandated the use of the CAC to support identity management and\npersonal authentication for systems covered under Homeland Security\nPresidential Directive (HSPD) 12, as well as making the CAC a primary component\nof layered protection for national security systems.", - "check": "Verify the Ubuntu operating system accepts Personal Identity\nVerification (PIV) credentials.\n\nCheck that the \"opensc-pcks11\" package is installed on the system with the\nfollowing command:\n\n# dpkg -l | grep opensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with support\nfor PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed, this is a finding.", - "fix": "Configure the Ubuntu operating system to accept Personal Identity\nVerification (PIV) credentials.\n\nInstall the \"opensc-pkcs11\" package using the following command:\n\n# sudo apt-get install opensc-pkcs11" + "default": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. 
A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", + "check": "Determine whether the Ubuntu operating system is using local or\nDomain Name Server (DNS) name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host’s line in the \"/etc/nsswitch.conf\"\nfile, the \"/etc/resolv.conf\" file must be empty.\n\nIf the \"/etc/resolv.conf\" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host’s line of the \"/etc/nsswitch.conf\"\nfile, verify the Ubuntu operating system is configured to use two or more name\nservers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# sudo grep nameserver /etc/resolv.conf\n\nnameserver 192.168.1.2\n\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to use two or more name\nservers for Domain Name Server (DNS) resolution.\n\nEdit the \"/etc/resolv.conf\" file to uncomment or add the two or more\n\"nameserver\" option lines with the IP address of local authoritative name\nservers. If local host resolution is being performed, the \"/etc/resolv.conf\"\nfile must be empty. An empty \"/etc/resolv.conf\" file can be created as\nfollows:\n\n# echo -n > /etc/resolv.conf" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000376-GPOS-00161", - "gid": "V-75905", - "rid": "SV-90585r1_rule", - "stig_id": "UBTU-16-030810", - "fix_id": "F-82535r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75871", + "rid": "SV-90551r2_rule", + "stig_id": "UBTU-16-030520", + "fix_id": "F-82501r2_fix", "cci": [ - "CCI-001953" + "CCI-000366" ], "nist": [ - "IA-2 (12)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -10639,34 +10639,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75905' do\n title \"The Ubuntu operating system must accept Personal Identity Verification\n(PIV) credentials.\"\n desc \"The use of PIV credentials facilitates standardization and reduces the\nrisk of unauthorized access.\n\n DoD has mandated the use of the CAC to support identity management and\npersonal authentication for systems covered under Homeland Security\nPresidential Directive (HSPD) 12, as well as making the CAC a primary component\nof layered protection for national security systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000376-GPOS-00161'\n tag \"gid\": 'V-75905'\n tag \"rid\": 'SV-90585r1_rule'\n tag \"stig_id\": 'UBTU-16-030810'\n tag \"fix_id\": 'F-82535r1_fix'\n tag \"cci\": ['CCI-001953']\n tag \"nist\": ['IA-2 (12)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system accepts Personal Identity\nVerification (PIV) credentials.\n\nCheck that the \\\"opensc-pcks11\\\" package is installed on the system with the\nfollowing command:\n\n# dpkg -l | grep opensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with support\nfor PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to accept Personal Identity\nVerification (PIV) credentials.\n\nInstall the \\\"opensc-pkcs11\\\" package using the following command:\n\n# sudo apt-get install opensc-pkcs11\"\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n", + "code": "control 'V-75871' do\n title \"For Ubuntu operating 
systems using Domain Name Servers (DNS)\nresolution, at least two name servers must be configured.\"\n desc \"To provide availability for name resolution services, multiple\nredundant name servers are mandated. A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75871'\n tag \"rid\": 'SV-90551r2_rule'\n tag \"stig_id\": 'UBTU-16-030520'\n tag \"fix_id\": 'F-82501r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Determine whether the Ubuntu operating system is using local or\nDomain Name Server (DNS) name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host’s line in the \\\"/etc/nsswitch.conf\\\"\nfile, the \\\"/etc/resolv.conf\\\" file must be empty.\n\nIf the \\\"/etc/resolv.conf\\\" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host’s line of the \\\"/etc/nsswitch.conf\\\"\nfile, verify the Ubuntu operating system is configured to use two or more name\nservers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# sudo grep nameserver /etc/resolv.conf\n\nnameserver 192.168.1.2\n\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a\nfinding.\"\n desc 'fix', \"Configure the Ubuntu operating system to use two or more name\nservers for Domain Name Server (DNS) resolution.\n\nEdit the 
\\\"/etc/resolv.conf\\\" file to uncomment or add the two or more\n\\\"nameserver\\\" option lines with the IP address of local authoritative name\nservers. If local host resolution is being performed, the \\\"/etc/resolv.conf\\\"\nfile must be empty. An empty \\\"/etc/resolv.conf\\\" file can be created as\nfollows:\n\n# echo -n > /etc/resolv.conf\"\n\n describe file('/etc/nsswitch.conf') do\n it { should exist }\n end\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }\n\n dns_entry_exists = parse_config_file('/etc/nsswitch.conf', options).params('hosts').match?(/dns/)\n if dns_entry_exists\n describe 'DNS entry exists in /etc/nsswitch.conf' do\n subject { dns_entry_exists }\n it { should be true }\n end\n else\n describe file('/etc/resolv.conf') do\n its('content') { should match %r{/^(?!(#.*)).+/m} }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75905.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75871.rb", "line": 3 }, - "id": "V-75905" + "id": "V-75871" }, { - "title": "Account identifiers (individuals, groups, roles, and devices) must\ndisabled after 35 days of inactivity.", - "desc": "Inactive identifiers pose a risk to systems and applications because\nattackers may exploit an inactive identifier and potentially obtain undetected\naccess to the system. 
Owners of inactive accounts will not notice if\nunauthorized access to their user account has been obtained.\n\n Ubuntu operating systems need to track periods of inactivity and disable\napplication identifiers after 35 days of inactivity.", + "title": "System commands must be owned by root.", + "desc": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", "descriptions": { - "default": "Inactive identifiers pose a risk to systems and applications because\nattackers may exploit an inactive identifier and potentially obtain undetected\naccess to the system. 
Owners of inactive accounts will not notice if\nunauthorized access to their user account has been obtained.\n\n Ubuntu operating systems need to track periods of inactivity and disable\napplication identifiers after 35 days of inactivity.", - "check": "Verify the account identifiers (individuals, groups, roles, and\ndevices) are disabled after \"35\" days of inactivity with the following\ncommand:\n\nCheck the account inactivity value by performing the following command:\n\n# sudo grep -i inactive /etc/default/useradd\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value \"0<[VALUE]<=35\", or is commented out,\nthis is a finding.", - "fix": "Configure the Ubuntu operating system to disable account\nidentifiers after 35 days of inactivity after the password expiration.\n\nRun the following command to change the configuration for useradd:\n\n# sudo useradd -D -f 35\n\nDoD recommendation is 35 days, but a lower value is acceptable. The value\n\"-1\" will disable this feature, and \"0\" will disable the account\nimmediately after the password expires." + "default": "If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.", + "check": "Verify the system commands contained in the following\ndirectories are owned by \"root\".\n\nCheck that the system command files contained in the following directories are\nowned by \"root\" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin !\n-user root | xargs ls -la\n\nIf any system commands are returned, this is a finding.", + "fix": "Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \"[FILE]\" with any system command file\nnot owned by \"root\".\n\n# sudo chown root [FILE]" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000118-GPOS-00060", - "gid": "V-75485", - "rid": "SV-90165r3_rule", - "stig_id": "UBTU-16-010280", - "fix_id": "F-82113r1_fix", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-75613", + "rid": "SV-90293r2_rule", + "stig_id": "UBTU-16-011040", + "fix_id": "F-82241r2_fix", "cci": [ - "CCI-000795" + "CCI-001499" ], "nist": [ - "IA-4 e", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
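Review bot: In the new `code` string for V-75871, the `if dns_entry_exists` branch only asserts `dns_entry_exists` is true, which is a tautology: nothing verifies that `/etc/resolv.conf` carries two or more uncommented `nameserver` lines, so the control passes on a host with a single resolver. The `else` branch is inverted as well — the check text requires an empty resolv.conf, yet `its('content') { should match %r{/^(?!(#.*)).+/m} }` passes when content is present, and the `/` delimiters inside `%r{}` are literal characters, so the pattern is unlikely to match anything at all. In the dns branch replace the self-check with `describe file('/etc/resolv.conf').content.lines.grep(/^\s*nameserver\s+\S/).count do it { should be >= 2 } end`, and in the else branch use `its('content') { should_not match(/^\s*[^#\s]/) }`; note also that `params('hosts')` presumably returns nil when the line is absent, so `.match?` would raise rather than report a finding. Since this JSON is a generated export, the fix belongs in the source control file the record points at (`./Ubuntu 16.04 STIG/controls/V-75871.rb`) with the baseline regenerated afterwards.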
@@ -10680,34 +10680,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75485' do\n title \"Account identifiers (individuals, groups, roles, and devices) must\ndisabled after 35 days of inactivity.\"\n desc \"Inactive identifiers pose a risk to systems and applications because\nattackers may exploit an inactive identifier and potentially obtain undetected\naccess to the system. Owners of inactive accounts will not notice if\nunauthorized access to their user account has been obtained.\n\n Ubuntu operating systems need to track periods of inactivity and disable\napplication identifiers after 35 days of inactivity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000118-GPOS-00060'\n tag \"gid\": 'V-75485'\n tag \"rid\": 'SV-90165r3_rule'\n tag \"stig_id\": 'UBTU-16-010280'\n tag \"fix_id\": 'F-82113r1_fix'\n tag \"cci\": ['CCI-000795']\n tag \"nist\": ['IA-4 e', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and\ndevices) are disabled after \\\"35\\\" days of inactivity with the following\ncommand:\n\nCheck the account inactivity value by performing the following command:\n\n# sudo grep -i inactive /etc/default/useradd\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value \\\"0<[VALUE]<=35\\\", or is commented out,\nthis is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to disable account\nidentifiers after 35 days of inactivity after the password expiration.\n\nRun the following command to change the configuration for useradd:\n\n# sudo useradd -D -f 35\n\nDoD recommendation is 35 days, but a lower value is acceptable. 
The value\n\\\"-1\\\" will disable this feature, and \\\"0\\\" will disable the account\nimmediately after the password expires.\"\n\n max_account_inactive_days = input('max_account_inactive_days')\n config_file = '/etc/default/useradd'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= max_account_inactive_days }\n end\n else\n describe (config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'V-75613' do\n title 'System commands must be owned by root.'\n desc \"If the Ubuntu operating system were to allow any user to make changes\nto software libraries, then those changes might be implemented without\nundergoing the appropriate testing and approvals that are part of a robust\nchange management process.\n\n This requirement applies to Ubuntu operating systems with software\nlibraries that are accessible and configurable, as in the case of interpreted\nlanguages. Software libraries also include privileged programs which execute\nwith escalated privileges. 
Only qualified and authorized individuals shall be\nallowed to obtain access to information system components for purposes of\ninitiating changes, including upgrades and modifications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000259-GPOS-00100'\n tag \"gid\": 'V-75613'\n tag \"rid\": 'SV-90293r2_rule'\n tag \"stig_id\": 'UBTU-16-011040'\n tag \"fix_id\": 'F-82241r2_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the system commands contained in the following\ndirectories are owned by \\\"root\\\".\n\nCheck that the system command files contained in the following directories are\nowned by \\\"root\\\" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin !\n-user root | xargs ls -la\n\nIf any system commands are returned, this is a finding.\"\n desc 'fix', \"Configure the system commands to be protected from unauthorized\naccess.\n\nRun the following command, replacing \\\"[FILE]\\\" with any system command file\nnot owned by \\\"root\\\".\n\n# sudo chown root [FILE]\"\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-user root').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75485.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75613.rb", "line": 3 }, - "id": "V-75485" + "id": "V-75613" }, { - "title": "Emergency administrator accounts must never be automatically removed\nor disabled.", - "desc": "Emergency accounts are privileged accounts that are established in\nresponse to crisis situations where the need for rapid account activation is\nrequired. Therefore, emergency account activation may bypass normal account\nauthorization processes. If these accounts are automatically disabled, system\nmaintenance during emergencies may not be possible, thus adversely affecting\nsystem availability.\n\n Emergency accounts are different from infrequently used accounts (i.e.,\nlocal logon accounts used by the organization's system administrators when\nnetwork or normal logon/access is not available). Infrequently used accounts\nare not subject to automatic termination dates. Emergency accounts are accounts\ncreated in response to crisis situations, usually for use by maintenance\npersonnel. The automatic expiration or disabling time period may be extended as\nneeded until the crisis is resolved; however, it must not be extended\nindefinitely. 
A permanent account should be established for privileged users\nwho need long-term maintenance accounts.\n\n To address access requirements, many Ubuntu operating systems can be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.", + "title": "All local interactive users must have a home directory assigned in the\n/etc/passwd file.", + "desc": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", "descriptions": { - "default": "Emergency accounts are privileged accounts that are established in\nresponse to crisis situations where the need for rapid account activation is\nrequired. Therefore, emergency account activation may bypass normal account\nauthorization processes. If these accounts are automatically disabled, system\nmaintenance during emergencies may not be possible, thus adversely affecting\nsystem availability.\n\n Emergency accounts are different from infrequently used accounts (i.e.,\nlocal logon accounts used by the organization's system administrators when\nnetwork or normal logon/access is not available). Infrequently used accounts\nare not subject to automatic termination dates. Emergency accounts are accounts\ncreated in response to crisis situations, usually for use by maintenance\npersonnel. The automatic expiration or disabling time period may be extended as\nneeded until the crisis is resolved; however, it must not be extended\nindefinitely. 
A permanent account should be established for privileged users\nwho need long-term maintenance accounts.\n\n To address access requirements, many Ubuntu operating systems can be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.", - "check": "Verify the Ubuntu operating system is configured such that the\nemergency administrator account is never automatically removed or disabled.\n\nCheck to see if the root account password or account expires with the following\ncommand:\n\n# sudo chage -l root\n\nPassword expires :never\n\nIf \"Password expires\" or \"Account expires\" is set to anything other than\n\"never\", this is a finding.", - "fix": "Replace \"[Emergency_Administrator]\" in the following command\nwith the correct emergency administrator account. Run the following command as\nan administrator:\n\n# sudo chage -I -1 -M 99999 [Emergency_Administrator]" + "default": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "check": "Verify local interactive users on the Ubuntu operating system\nhave a home directory assigned.\n\nCheck for missing local interactive user home directories with the following\ncommand:\n\n# sudo pwck -r\nuser 'lp': directory '/var/spool/lpd' does not exist\nuser 'news': directory '/var/spool/news' does not exist\nuser 'uucp': directory '/var/spool/uucp' does not exist\nuser 'www-data': directory '/var/www' does not exist\n\nAsk the System Administrator (SA) if any users found without home directories\nare local interactive users. 
If the SA is unable to provide a response, check\nfor users with a User Identifier (UID) of 1000 or greater with the following\ncommand:\n\n# sudo cut -d: -f 1,3 /etc/passwd | egrep \":[1-4][0-9]{2}$|:[0-9]{1,2}$\"\n\nIf any interactive users do not have a home directory assigned, this is a\nfinding.", + "fix": "Assign home directories to all local interactive users on the\nUbuntu operating system that currently do not have a home directory assigned." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000123-GPOS-00064", - "gid": "V-75469", - "rid": "SV-90149r1_rule", - "stig_id": "UBTU-16-010200", - "fix_id": "F-82097r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-75559", + "rid": "SV-90239r1_rule", + "stig_id": "UBTU-16-010720", + "fix_id": "F-82187r1_fix", "cci": [ - "CCI-001682" + "CCI-000366" ], "nist": [ - "AC-2 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
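Review bot: The new `code` for V-75613 fails open: only `.stdout` of `command('find … ! -user root')` is consulted, so if `find` errors out or is unavailable the list is empty and the control reports zero non-root commands as a pass. Capture the result and assert it succeeded before trusting its output, e.g. `find_result = command('find … ! -user root')` followed by `describe find_result do its('exit_status') { should eq 0 } end`, then build `system_commands` from `find_result.stdout` (find exits non-zero when a listed directory is missing, which should surface as a failure rather than a silent pass). Splitting on `"\n"` also mis-parses any path containing a newline; `find … -print0` with `split("\0")` is the robust form. The `file(sys_cmd).exist?` filter silently drops entries `find` already returned (a dangling non-root symlink, for instance), which narrows the check instead of strengthening it. This is a generated export, so the change belongs in `./Ubuntu 16.04 STIG/controls/V-75613.rb`, then regenerate the baseline.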
@@ -10721,735 +10721,735 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75469' do\n title \"Emergency administrator accounts must never be automatically removed\nor disabled.\"\n desc \"Emergency accounts are privileged accounts that are established in\nresponse to crisis situations where the need for rapid account activation is\nrequired. Therefore, emergency account activation may bypass normal account\nauthorization processes. If these accounts are automatically disabled, system\nmaintenance during emergencies may not be possible, thus adversely affecting\nsystem availability.\n\n Emergency accounts are different from infrequently used accounts (i.e.,\nlocal logon accounts used by the organization's system administrators when\nnetwork or normal logon/access is not available). Infrequently used accounts\nare not subject to automatic termination dates. Emergency accounts are accounts\ncreated in response to crisis situations, usually for use by maintenance\npersonnel. The automatic expiration or disabling time period may be extended as\nneeded until the crisis is resolved; however, it must not be extended\nindefinitely. 
A permanent account should be established for privileged users\nwho need long-term maintenance accounts.\n\n To address access requirements, many Ubuntu operating systems can be\nintegrated with enterprise-level authentication/access mechanisms that meet or\nexceed access control policy requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000123-GPOS-00064'\n tag \"gid\": 'V-75469'\n tag \"rid\": 'SV-90149r1_rule'\n tag \"stig_id\": 'UBTU-16-010200'\n tag \"fix_id\": 'F-82097r1_fix'\n tag \"cci\": ['CCI-001682']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify the Ubuntu operating system is configured such that the\nemergency administrator account is never automatically removed or disabled.\n\nCheck to see if the root account password or account expires with the following\ncommand:\n\n# sudo chage -l root\n\nPassword expires :never\n\nIf \\\"Password expires\\\" or \\\"Account expires\\\" is set to anything other than\n\\\"never\\\", this is a finding.\"\n desc 'fix', \"Replace \\\"[Emergency_Administrator]\\\" in the following command\nwith the correct emergency administrator account. 
Run the following command as\nan administrator:\n\n# sudo chage -I -1 -M 99999 [Emergency_Administrator]\"\n\n emergency_accounts = input('emergency_accounts')\n\n if emergency_accounts.empty?\n describe 'Emergency accounts' do\n subject { emergency_accounts }\n it { should be_empty }\n end\n describe shadow.where(user: 'root') do\n its('expiry_dates') { should eq [nil] }\n end\n else\n emergency_accounts.each do |acct|\n describe command(\"sudo chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n", + "code": "control 'V-75559' do\n title \"All local interactive users must have a home directory assigned in the\n/etc/passwd file.\"\n desc \"If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-75559'\n tag \"rid\": 'SV-90239r1_rule'\n tag \"stig_id\": 'UBTU-16-010720'\n tag \"fix_id\": 'F-82187r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify local interactive users on the Ubuntu operating system\nhave a home directory assigned.\n\nCheck for missing local interactive user home directories with the following\ncommand:\n\n# sudo pwck -r\nuser 'lp': directory '/var/spool/lpd' does not exist\nuser 'news': directory '/var/spool/news' does not exist\nuser 'uucp': directory '/var/spool/uucp' does not exist\nuser 'www-data': directory '/var/www' does not exist\n\nAsk the System Administrator (SA) if any users found without home directories\nare local interactive users. 
If the SA is unable to provide a response, check\nfor users with a User Identifier (UID) of 1000 or greater with the following\ncommand:\n\n# sudo cut -d: -f 1,3 /etc/passwd | egrep \\\":[1-4][0-9]{2}$|:[0-9]{1,2}$\\\"\n\nIf any interactive users do not have a home directory assigned, this is a\nfinding.\"\n desc 'fix', \"Assign home directories to all local interactive users on the\nUbuntu operating system that currently do not have a home directory assigned.\"\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n ignore_shells = non_interactive_shells.join('|')\n\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid == 0) }.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n describe directory(user_info.home) do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./Ubuntu 16.04 STIG/controls/V-75469.rb", + "ref": "./Ubuntu 16.04 STIG/controls/V-75559.rb", "line": 3 }, - "id": "V-75469" + "id": "V-75559" } ], "groups": [ { "title": null, "controls": [ - "V-75773" + "V-75905" ], - "id": "controls/V-75773.rb" + "id": "controls/V-75905.rb" }, { "title": null, "controls": [ - "V-75663" + "V-75537" ], - "id": "controls/V-75663.rb" + "id": "controls/V-75537.rb" }, { "title": null, "controls": [ - "V-75715" + "V-75529" ], - "id": "controls/V-75715.rb" + "id": "controls/V-75529.rb" }, { "title": null, "controls": [ - "V-75829" + "V-75495" ], - "id": "controls/V-75829.rb" + "id": "controls/V-75495.rb" }, { "title": null, "controls": [ - "V-75779" + "V-75583" ], - "id": "controls/V-75779.rb" + "id": "controls/V-75583.rb" }, { "title": null, "controls": [ - "V-75859" + "V-75759" ], - "id": "controls/V-75859.rb" + "id": "controls/V-75759.rb" }, { "title": null, "controls": [ - "V-75833" + "V-75557" ], - "id": "controls/V-75833.rb" + "id": "controls/V-75557.rb" }, { "title": null, "controls": [ - "V-75533" + "V-75747" ], - "id": 
"controls/V-75533.rb" + "id": "controls/V-75747.rb" }, { "title": null, "controls": [ - "V-75753" + "V-75633" ], - "id": "controls/V-75753.rb" + "id": "controls/V-75633.rb" }, { "title": null, "controls": [ - "V-75495" + "V-75661" ], - "id": "controls/V-75495.rb" + "id": "controls/V-75661.rb" }, { "title": null, "controls": [ - "V-75517" + "V-75551" ], - "id": "controls/V-75517.rb" + "id": "controls/V-75551.rb" }, { "title": null, "controls": [ - "V-75871" + "V-75691" ], - "id": "controls/V-75871.rb" + "id": "controls/V-75691.rb" }, { "title": null, "controls": [ - "V-75393" + "V-75885" ], - "id": "controls/V-75393.rb" + "id": "controls/V-75885.rb" }, { "title": null, "controls": [ - "V-75879" + "V-75751" ], - "id": "controls/V-75879.rb" + "id": "controls/V-75751.rb" }, { "title": null, "controls": [ - "V-75621" + "V-75897" ], - "id": "controls/V-75621.rb" + "id": "controls/V-75897.rb" }, { "title": null, "controls": [ - "V-75617" + "V-75859" ], - "id": "controls/V-75617.rb" + "id": "controls/V-75859.rb" }, { "title": null, "controls": [ - "V-75791" + "V-75789" ], - "id": "controls/V-75791.rb" + "id": "controls/V-75789.rb" }, { "title": null, "controls": [ - "V-75541" + "V-75455" ], - "id": "controls/V-75541.rb" + "id": "controls/V-75455.rb" }, { "title": null, "controls": [ - "V-75567" + "V-75543" ], - "id": "controls/V-75567.rb" + "id": "controls/V-75543.rb" }, { "title": null, "controls": [ - "V-75661" + "V-75819" ], - "id": "controls/V-75661.rb" + "id": "controls/V-75819.rb" }, { "title": null, "controls": [ - "V-75793" + "V-75531" ], - "id": "controls/V-75793.rb" + "id": "controls/V-75531.rb" }, { "title": null, "controls": [ - "V-75745" + "V-75857" ], - "id": "controls/V-75745.rb" + "id": "controls/V-75857.rb" }, { "title": null, "controls": [ - "V-75727" + "V-75809" ], - "id": "controls/V-75727.rb" + "id": "controls/V-75809.rb" }, { "title": null, "controls": [ - "V-75817" + "V-75815" ], - "id": "controls/V-75817.rb" + "id": "controls/V-75815.rb" }, { 
"title": null, "controls": [ - "V-75887" + "V-75587" ], - "id": "controls/V-75887.rb" + "id": "controls/V-75587.rb" }, { "title": null, "controls": [ - "V-75737" + "V-75451" ], - "id": "controls/V-75737.rb" + "id": "controls/V-75451.rb" }, { "title": null, "controls": [ - "V-75883" + "V-75629" ], - "id": "controls/V-75883.rb" + "id": "controls/V-75629.rb" }, { "title": null, "controls": [ - "V-75625" + "V-75481" ], - "id": "controls/V-75625.rb" + "id": "controls/V-75481.rb" }, { "title": null, "controls": [ - "V-75775" + "V-75623" ], - "id": "controls/V-75775.rb" + "id": "controls/V-75623.rb" }, { "title": null, "controls": [ - "V-75613" + "V-75469" ], - "id": "controls/V-75613.rb" + "id": "controls/V-75469.rb" }, { "title": null, "controls": [ - "V-75743" + "V-75811" ], - "id": "controls/V-75743.rb" + "id": "controls/V-75811.rb" }, { "title": null, "controls": [ - "V-75725" + "V-75563" ], - "id": "controls/V-75725.rb" + "id": "controls/V-75563.rb" }, { "title": null, "controls": [ - "V-75907" + "V-75585" ], - "id": "controls/V-75907.rb" + "id": "controls/V-75585.rb" }, { "title": null, "controls": [ - "V-75559" + "V-75719" ], - "id": "controls/V-75559.rb" + "id": "controls/V-75719.rb" }, { "title": null, "controls": [ - "V-75629" + "V-75791" ], - "id": "controls/V-75629.rb" + "id": "controls/V-75791.rb" }, { "title": null, "controls": [ - "V-75835" + "V-75463" ], - "id": "controls/V-75835.rb" + "id": "controls/V-75463.rb" }, { "title": null, "controls": [ - "V-75825" + "V-75887" ], - "id": "controls/V-75825.rb" + "id": "controls/V-75887.rb" }, { "title": null, "controls": [ - "V-75761" + "V-75449" ], - "id": "controls/V-75761.rb" + "id": "controls/V-75449.rb" }, { "title": null, "controls": [ - "V-75781" + "V-75733" ], - "id": "controls/V-75781.rb" + "id": "controls/V-75733.rb" }, { "title": null, "controls": [ - "V-75453" + "V-75571" ], - "id": "controls/V-75453.rb" + "id": "controls/V-75571.rb" }, { "title": null, "controls": [ - "V-75885" + "V-75801" ], - "id": 
"controls/V-75885.rb" + "id": "controls/V-75801.rb" }, { "title": null, "controls": [ - "V-75803" + "V-78005" ], - "id": "controls/V-75803.rb" + "id": "controls/V-78005.rb" }, { "title": null, "controls": [ - "V-75547" + "V-75771" ], - "id": "controls/V-75547.rb" + "id": "controls/V-75771.rb" }, { "title": null, "controls": [ - "V-75643" + "V-75519" ], - "id": "controls/V-75643.rb" + "id": "controls/V-75519.rb" }, { "title": null, "controls": [ - "V-75783" + "V-75869" ], - "id": "controls/V-75783.rb" + "id": "controls/V-75869.rb" }, { "title": null, "controls": [ - "V-75849" + "V-75825" ], - "id": "controls/V-75849.rb" + "id": "controls/V-75825.rb" }, { "title": null, "controls": [ - "V-75785" + "V-75647" ], - "id": "controls/V-75785.rb" + "id": "controls/V-75647.rb" }, { "title": null, "controls": [ - "V-75439" + "V-75645" ], - "id": "controls/V-75439.rb" + "id": "controls/V-75645.rb" }, { "title": null, "controls": [ - "V-75719" + "V-75793" ], - "id": "controls/V-75719.rb" + "id": "controls/V-75793.rb" }, { "title": null, "controls": [ - "V-75751" + "V-75639" ], - "id": "controls/V-75751.rb" + "id": "controls/V-75639.rb" }, { "title": null, "controls": [ - "V-75573" + "V-75607" ], - "id": "controls/V-75573.rb" + "id": "controls/V-75607.rb" }, { "title": null, "controls": [ - "V-75455" + "V-75517" ], - "id": "controls/V-75455.rb" + "id": "controls/V-75517.rb" }, { "title": null, "controls": [ - "V-75717" + "V-75867" ], - "id": "controls/V-75717.rb" + "id": "controls/V-75867.rb" }, { "title": null, "controls": [ - "V-75809" + "V-75541" ], - "id": "controls/V-75809.rb" + "id": "controls/V-75541.rb" }, { "title": null, "controls": [ - "V-75611" + "V-75881" ], - "id": "controls/V-75611.rb" + "id": "controls/V-75881.rb" }, { "title": null, "controls": [ - "V-75555" + "V-75813" ], - "id": "controls/V-75555.rb" + "id": "controls/V-75813.rb" }, { "title": null, "controls": [ - "V-75733" + "V-75501" ], - "id": "controls/V-75733.rb" + "id": "controls/V-75501.rb" }, { 
"title": null, "controls": [ - "V-75609" + "V-75849" ], - "id": "controls/V-75609.rb" + "id": "controls/V-75849.rb" }, { "title": null, "controls": [ - "V-75789" + "V-75775" ], - "id": "controls/V-75789.rb" + "id": "controls/V-75775.rb" }, { "title": null, "controls": [ - "V-75457" + "V-75507" ], - "id": "controls/V-75457.rb" + "id": "controls/V-75507.rb" }, { "title": null, "controls": [ - "V-75693" + "V-80961" ], - "id": "controls/V-75693.rb" + "id": "controls/V-80961.rb" }, { "title": null, "controls": [ - "V-75519" + "V-75549" ], - "id": "controls/V-75519.rb" + "id": "controls/V-75549.rb" }, { "title": null, "controls": [ - "V-75487" + "V-75611" ], - "id": "controls/V-75487.rb" + "id": "controls/V-75611.rb" }, { "title": null, "controls": [ - "V-75497" + "V-75713" ], - "id": "controls/V-75497.rb" + "id": "controls/V-75713.rb" }, { "title": null, "controls": [ - "V-75709" + "V-75835" ], - "id": "controls/V-75709.rb" + "id": "controls/V-75835.rb" }, { "title": null, "controls": [ - "V-75843" + "V-75499" ], - "id": "controls/V-75843.rb" + "id": "controls/V-75499.rb" }, { "title": null, "controls": [ - "V-75909" + "V-75663" ], - "id": "controls/V-75909.rb" + "id": "controls/V-75663.rb" }, { "title": null, "controls": [ - "V-75813" + "V-75773" ], - "id": "controls/V-75813.rb" + "id": "controls/V-75773.rb" }, { "title": null, "controls": [ - "V-75563" + "V-78007" ], - "id": "controls/V-75563.rb" + "id": "controls/V-78007.rb" }, { "title": null, "controls": [ - "V-75771" + "V-75525" ], - "id": "controls/V-75771.rb" + "id": "controls/V-75525.rb" }, { "title": null, "controls": [ - "V-75451" + "V-75617" ], - "id": "controls/V-75451.rb" + "id": "controls/V-75617.rb" }, { "title": null, "controls": [ - "V-80965" + "V-75879" ], - "id": "controls/V-80965.rb" + "id": "controls/V-75879.rb" }, { "title": null, "controls": [ - "V-75501" + "V-75769" ], - "id": "controls/V-75501.rb" + "id": "controls/V-75769.rb" }, { "title": null, "controls": [ - "V-75507" + "V-75471" ], - "id": 
"controls/V-75507.rb" + "id": "controls/V-75471.rb" }, { "title": null, "controls": [ - "V-75529" + "V-75827" ], - "id": "controls/V-75529.rb" + "id": "controls/V-75827.rb" }, { "title": null, "controls": [ - "V-75903" + "V-75643" ], - "id": "controls/V-75903.rb" + "id": "controls/V-75643.rb" }, { "title": null, "controls": [ - "V-75509" + "V-75783" ], - "id": "controls/V-75509.rb" + "id": "controls/V-75783.rb" }, { "title": null, "controls": [ - "V-75857" + "V-75393" ], - "id": "controls/V-75857.rb" + "id": "controls/V-75393.rb" }, { "title": null, "controls": [ - "V-75511" + "V-75461" ], - "id": "controls/V-75511.rb" + "id": "controls/V-75461.rb" }, { "title": null, "controls": [ - "V-75755" + "V-75553" ], - "id": "controls/V-75755.rb" + "id": "controls/V-75553.rb" }, { "title": null, "controls": [ - "V-75841" + "V-75515" ], - "id": "controls/V-75841.rb" + "id": "controls/V-75515.rb" }, { "title": null, "controls": [ - "V-75391" + "V-75603" ], - "id": "controls/V-75391.rb" + "id": "controls/V-75603.rb" }, { "title": null, "controls": [ - "V-75535" + "V-75743" ], - "id": "controls/V-75535.rb" + "id": "controls/V-75743.rb" }, { "title": null, "controls": [ - "V-75549" + "V-75555" ], - "id": "controls/V-75549.rb" + "id": "controls/V-75555.rb" }, { "title": null, "controls": [ - "V-75713" + "V-75505" ], - "id": "controls/V-75713.rb" + "id": "controls/V-75505.rb" }, { "title": null, "controls": [ - "V-75855" + "V-75637" ], - "id": "controls/V-75855.rb" + "id": "controls/V-75637.rb" }, { "title": null, "controls": [ - "V-75527" + "V-75741" ], - "id": "controls/V-75527.rb" + "id": "controls/V-75741.rb" }, { "title": null, "controls": [ - "V-75499" + "V-75723" ], - "id": "controls/V-75499.rb" + "id": "controls/V-75723.rb" }, { "title": null, "controls": [ - "V-75639" + "V-75877" ], - "id": "controls/V-75639.rb" + "id": "controls/V-75877.rb" }, { "title": null, "controls": [ - "V-75807" + "V-75823" ], - "id": "controls/V-75807.rb" + "id": "controls/V-75823.rb" }, { 
"title": null, "controls": [ - "V-75515" + "V-75737" ], - "id": "controls/V-75515.rb" + "id": "controls/V-75737.rb" }, { "title": null, "controls": [ - "V-75607" + "V-75569" ], - "id": "controls/V-75607.rb" + "id": "controls/V-75569.rb" }, { "title": null, "controls": [ - "V-80969" + "V-75715" ], - "id": "controls/V-80969.rb" + "id": "controls/V-75715.rb" }, { "title": null, "controls": [ - "V-75623" + "V-75441" ], - "id": "controls/V-75623.rb" + "id": "controls/V-75441.rb" }, { "title": null, "controls": [ - "V-75589" + "V-75875" ], - "id": "controls/V-75589.rb" + "id": "controls/V-75875.rb" }, { "title": null, "controls": [ - "V-75711" + "V-75777" ], - "id": "controls/V-75711.rb" + "id": "controls/V-75777.rb" }, { "title": null, "controls": [ - "V-75697" + "V-75717" ], - "id": "controls/V-75697.rb" + "id": "controls/V-75717.rb" }, { "title": null, "controls": [ - "V-75815" + "V-75731" ], - "id": "controls/V-75815.rb" + "id": "controls/V-75731.rb" }, { "title": null, "controls": [ - "V-75637" + "V-75605" ], - "id": "controls/V-75637.rb" + "id": "controls/V-75605.rb" }, { "title": null, "controls": [ - "V-75591" + "V-75833" ], - "id": "controls/V-75591.rb" + "id": "controls/V-75833.rb" }, { "title": null, "controls": [ - "V-75463" + "V-75817" ], - "id": "controls/V-75463.rb" + "id": "controls/V-75817.rb" }, { "title": null, "controls": [ - "V-75513" + "V-75391" ], - "id": "controls/V-75513.rb" + "id": "controls/V-75391.rb" }, { "title": null, "controls": [ - "V-75889" + "V-75621" ], - "id": "controls/V-75889.rb" + "id": "controls/V-75621.rb" }, { "title": null, 
@@ -11461,884 +11461,884 @@ { "title": null, "controls": [ - "V-75557" + "V-75735" ], - "id": "controls/V-75557.rb" + "id": "controls/V-75735.rb" }, { "title": null, "controls": [ - "V-75579" + "V-75497" ], - "id": "controls/V-75579.rb" + "id": "controls/V-75497.rb" }, { "title": null, "controls": [ - "V-75911" + "V-75567" ], - "id": "controls/V-75911.rb" + "id": "controls/V-75567.rb" }, { "title": null, "controls": [ - "V-75615" + "V-75853" ], - "id": "controls/V-75615.rb" + "id": "controls/V-75853.rb" }, { "title": null, "controls": [ - "V-75881" + "V-75855" ], - "id": "controls/V-75881.rb" + "id": "controls/V-75855.rb" }, { "title": null, "controls": [ - "V-75797" + "V-75445" ], - "id": "controls/V-75797.rb" + "id": "controls/V-75445.rb" }, { "title": null, "controls": [ - "V-75845" + "V-80963" ], - "id": "controls/V-75845.rb" + "id": "controls/V-80963.rb" }, { "title": null, "controls": [ - "V-78007" + "V-75893" ], - "id": "controls/V-78007.rb" + "id": "controls/V-75893.rb" }, { "title": null, "controls": [ - "V-75597" + "V-75489" ], - "id": "controls/V-75597.rb" + "id": "controls/V-75489.rb" }, { "title": null, "controls": [ - "V-75575" + "V-75475" ], - "id": "controls/V-75575.rb" + "id": "controls/V-75475.rb" }, { "title": null, "controls": [ - "V-75723" + "V-75899" ], - "id": "controls/V-75723.rb" + "id": "controls/V-75899.rb" }, { "title": null, "controls": [ - "V-75561" + "V-75831" ], - "id": "controls/V-75561.rb" + "id": "controls/V-75831.rb" }, { "title": null, "controls": [ - "V-75827" + "V-75601" ], - "id": "controls/V-75827.rb" + "id": "controls/V-75601.rb" }, { "title": null, "controls": [ - "V-75837" + "V-75901" ], - "id": "controls/V-75837.rb" + "id": "controls/V-75901.rb" }, { "title": null, "controls": [ - "V-75587" + "V-75863" ], - "id": "controls/V-75587.rb" + "id": "controls/V-75863.rb" }, { "title": null, "controls": [ - "V-75739" + "V-75487" ], - "id": "controls/V-75739.rb" + "id": "controls/V-75487.rb" }, { "title": null, "controls": [ - 
"V-80959" + "V-75699" ], - "id": "controls/V-80959.rb" + "id": "controls/V-75699.rb" }, { "title": null, "controls": [ - "V-75465" + "V-75729" ], - "id": "controls/V-75465.rb" + "id": "controls/V-75729.rb" }, { "title": null, "controls": [ - "V-75777" + "V-75581" ], - "id": "controls/V-75777.rb" + "id": "controls/V-75581.rb" }, { "title": null, "controls": [ - "V-75893" + "V-75657" ], - "id": "controls/V-75893.rb" + "id": "controls/V-75657.rb" }, { "title": null, "controls": [ - "V-75531" + "V-75649" ], - "id": "controls/V-75531.rb" + "id": "controls/V-75649.rb" }, { "title": null, "controls": [ - "V-75875" + "V-75785" ], - "id": "controls/V-75875.rb" + "id": "controls/V-75785.rb" }, { "title": null, "controls": [ - "V-75895" + "V-75725" ], - "id": "controls/V-75895.rb" + "id": "controls/V-75725.rb" }, { "title": null, "controls": [ - "V-75443" + "V-75755" ], - "id": "controls/V-75443.rb" + "id": "controls/V-75755.rb" }, { "title": null, "controls": [ - "V-75537" + "V-75711" ], - "id": "controls/V-75537.rb" + "id": "controls/V-75711.rb" }, { "title": null, "controls": [ - "V-75581" + "V-75483" ], - "id": "controls/V-75581.rb" + "id": "controls/V-75483.rb" }, { "title": null, "controls": [ - "V-75863" + "V-75787" ], - "id": "controls/V-75863.rb" + "id": "controls/V-75787.rb" }, { "title": null, "controls": [ - "V-75483" + "V-75491" ], - "id": "controls/V-75483.rb" + "id": "controls/V-75491.rb" }, { "title": null, "controls": [ - "V-75707" + "V-75753" ], - "id": "controls/V-75707.rb" + "id": "controls/V-75753.rb" }, { "title": null, "controls": [ - "V-75479" + "V-75695" ], - "id": "controls/V-75479.rb" + "id": "controls/V-75695.rb" }, { "title": null, "controls": [ - "V-75867" + "V-75821" ], - "id": "controls/V-75867.rb" + "id": "controls/V-75821.rb" }, { "title": null, "controls": [ - "V-75481" + "V-75547" ], - "id": "controls/V-75481.rb" + "id": "controls/V-75547.rb" }, { "title": null, "controls": [ - "V-75823" + "V-75641" ], - "id": "controls/V-75823.rb" + "id": 
"controls/V-75641.rb" }, { "title": null, "controls": [ - "V-75877" + "V-75575" ], - "id": "controls/V-75877.rb" + "id": "controls/V-75575.rb" }, { "title": null, "controls": [ - "V-75749" + "V-75509" ], - "id": "controls/V-75749.rb" + "id": "controls/V-75509.rb" }, { "title": null, "controls": [ - "V-75699" + "V-75527" ], - "id": "controls/V-75699.rb" + "id": "controls/V-75527.rb" }, { "title": null, "controls": [ - "V-75521" + "V-75653" ], - "id": "controls/V-75521.rb" + "id": "controls/V-75653.rb" }, { "title": null, "controls": [ - "V-75667" + "V-75757" ], - "id": "controls/V-75667.rb" + "id": "controls/V-75757.rb" }, { "title": null, "controls": [ - "V-75543" + "V-75803" ], - "id": "controls/V-75543.rb" + "id": "controls/V-75803.rb" }, { "title": null, "controls": [ - "V-75805" + "V-75453" ], - "id": "controls/V-75805.rb" + "id": "controls/V-75453.rb" }, { "title": null, "controls": [ - "V-75449" + "V-75865" ], - "id": "controls/V-75449.rb" + "id": "controls/V-75865.rb" }, { "title": null, "controls": [ - "V-75741" + "V-80965" ], - "id": "controls/V-75741.rb" + "id": "controls/V-80965.rb" }, { "title": null, "controls": [ - "V-75631" + "V-75521" ], - "id": "controls/V-75631.rb" + "id": "controls/V-75521.rb" }, { "title": null, "controls": [ - "V-75475" + "V-75523" ], - "id": "controls/V-75475.rb" + "id": "controls/V-75523.rb" }, { "title": null, "controls": [ - "V-75523" + "V-75841" ], - "id": "controls/V-75523.rb" + "id": "controls/V-75841.rb" }, { "title": null, "controls": [ - "V-75721" + "V-75739" ], - "id": "controls/V-75721.rb" + "id": "controls/V-75739.rb" }, { "title": null, "controls": [ - "V-80963" + "V-75845" ], - "id": "controls/V-80963.rb" + "id": "controls/V-75845.rb" }, { "title": null, "controls": [ - "V-75647" + "V-75593" ], - "id": "controls/V-75647.rb" + "id": "controls/V-75593.rb" }, { "title": null, "controls": [ - "V-75731" + "V-75889" ], - "id": "controls/V-75731.rb" + "id": "controls/V-75889.rb" }, { "title": null, "controls": [ - 
"V-75659" + "V-75561" ], - "id": "controls/V-75659.rb" + "id": "controls/V-75561.rb" }, { "title": null, "controls": [ - "V-75553" + "V-75625" ], - "id": "controls/V-75553.rb" + "id": "controls/V-75625.rb" }, { "title": null, "controls": [ - "V-75645" + "V-75907" ], - "id": "controls/V-75645.rb" + "id": "controls/V-75907.rb" }, { "title": null, "controls": [ - "V-75571" + "V-75745" ], - "id": "controls/V-75571.rb" + "id": "controls/V-75745.rb" }, { "title": null, "controls": [ - "V-75585" + "V-75439" ], - "id": "controls/V-75585.rb" + "id": "controls/V-75439.rb" }, { "title": null, "controls": [ - "V-75477" + "V-75721" ], - "id": "controls/V-75477.rb" + "id": "controls/V-75721.rb" }, { "title": null, "controls": [ - "V-78005" + "V-75895" ], - "id": "controls/V-78005.rb" + "id": "controls/V-75895.rb" }, { "title": null, "controls": [ - "V-75901" + "V-75631" ], - "id": "controls/V-75901.rb" + "id": "controls/V-75631.rb" }, { "title": null, "controls": [ - "V-75503" + "V-75911" ], - "id": "controls/V-75503.rb" + "id": "controls/V-75911.rb" }, { "title": null, "controls": [ - "V-75801" + "V-75591" ], - "id": "controls/V-75801.rb" + "id": "controls/V-75591.rb" }, { "title": null, "controls": [ - "V-75493" + "V-80957" ], - "id": "controls/V-75493.rb" + "id": "controls/V-80957.rb" }, { "title": null, "controls": [ - "V-75649" + "V-75689" ], - "id": "controls/V-75649.rb" + "id": "controls/V-75689.rb" }, { "title": null, "controls": [ - "V-75655" + "V-75707" ], - "id": "controls/V-75655.rb" + "id": "controls/V-75707.rb" }, { "title": null, "controls": [ - "V-75821" + "V-75565" ], - "id": "controls/V-75821.rb" + "id": "controls/V-75565.rb" }, { "title": null, "controls": [ - "V-75691" + "V-75891" ], - "id": "controls/V-75691.rb" + "id": "controls/V-75891.rb" }, { "title": null, "controls": [ - "V-75811" + "V-75761" ], - "id": "controls/V-75811.rb" + "id": "controls/V-75761.rb" }, { "title": null, "controls": [ - "V-75735" + "V-75807" ], - "id": "controls/V-75735.rb" + "id": 
"controls/V-75807.rb" }, { "title": null, "controls": [ - "V-80961" + "V-75847" ], - "id": "controls/V-80961.rb" + "id": "controls/V-75847.rb" }, { "title": null, "controls": [ - "V-75689" + "V-75903" ], - "id": "controls/V-75689.rb" + "id": "controls/V-75903.rb" }, { "title": null, "controls": [ - "V-75665" + "V-75843" ], - "id": "controls/V-75665.rb" + "id": "controls/V-75843.rb" }, { "title": null, "controls": [ - "V-75569" + "V-75829" ], - "id": "controls/V-75569.rb" + "id": "controls/V-75829.rb" }, { "title": null, "controls": [ - "V-75899" + "V-75479" ], - "id": "controls/V-75899.rb" + "id": "controls/V-75479.rb" }, { "title": null, "controls": [ - "V-75765" + "V-75599" ], - "id": "controls/V-75765.rb" + "id": "controls/V-75599.rb" }, { "title": null, "controls": [ - "V-75435" + "V-75655" ], - "id": "controls/V-75435.rb" + "id": "controls/V-75655.rb" }, { "title": null, "controls": [ - "V-75441" + "V-75513" ], - "id": "controls/V-75441.rb" + "id": "controls/V-75513.rb" }, { "title": null, "controls": [ - "V-75853" + "V-75797" ], - "id": "controls/V-75853.rb" + "id": "controls/V-75797.rb" }, { "title": null, "controls": [ - "V-80957" + "V-75851" ], - "id": "controls/V-80957.rb" + "id": "controls/V-75851.rb" }, { "title": null, "controls": [ - "V-75869" + "V-75635" ], - "id": "controls/V-75869.rb" + "id": "controls/V-75635.rb" }, { "title": null, "controls": [ - "V-75897" + "V-75473" ], - "id": "controls/V-75897.rb" + "id": "controls/V-75473.rb" }, { "title": null, "controls": [ - "V-75799" + "V-75533" ], - "id": "controls/V-75799.rb" + "id": "controls/V-75533.rb" }, { "title": null, "controls": [ - "V-75635" + "V-80969" ], - "id": "controls/V-75635.rb" + "id": "controls/V-80969.rb" }, { "title": null, "controls": [ - "V-75599" + "V-75389" ], - "id": "controls/V-75599.rb" + "id": "controls/V-75389.rb" }, { "title": null, "controls": [ - "V-75851" + "V-75795" ], - "id": "controls/V-75851.rb" + "id": "controls/V-75795.rb" }, { "title": null, "controls": [ - 
"V-75583" + "V-75779" ], - "id": "controls/V-75583.rb" + "id": "controls/V-75779.rb" }, { "title": null, "controls": [ - "V-75795" + "V-75687" ], - "id": "controls/V-75795.rb" + "id": "controls/V-75687.rb" }, { "title": null, "controls": [ - "V-75891" + "V-75697" ], - "id": "controls/V-75891.rb" + "id": "controls/V-75697.rb" }, { "title": null, "controls": [ - "V-75437" + "V-75709" ], - "id": "controls/V-75437.rb" + "id": "controls/V-75709.rb" }, { "title": null, "controls": [ - "V-75865" + "V-75665" ], - "id": "controls/V-75865.rb" + "id": "controls/V-75665.rb" }, { "title": null, "controls": [ - "V-75505" + "V-75465" ], - "id": "controls/V-75505.rb" + "id": "controls/V-75465.rb" }, { "title": null, "controls": [ - "V-75759" + "V-75659" ], - "id": "controls/V-75759.rb" + "id": "controls/V-75659.rb" }, { "title": null, "controls": [ - "V-75593" + "V-75615" ], - "id": "controls/V-75593.rb" + "id": "controls/V-75615.rb" }, { "title": null, "controls": [ - "V-75525" + "V-75909" ], - "id": "controls/V-75525.rb" + "id": "controls/V-75909.rb" }, { "title": null, "controls": [ - "V-75461" + "V-75477" ], - "id": "controls/V-75461.rb" + "id": "controls/V-75477.rb" }, { "title": null, "controls": [ - "V-75747" + "V-75727" ], - "id": "controls/V-75747.rb" + "id": "controls/V-75727.rb" }, { "title": null, "controls": [ - "V-75473" + "V-75609" ], - "id": "controls/V-75473.rb" + "id": "controls/V-75609.rb" }, { "title": null, "controls": [ - "V-75603" + "V-75667" ], - "id": "controls/V-75603.rb" + "id": "controls/V-75667.rb" }, { "title": null, "controls": [ - "V-75695" + "V-75597" ], - "id": "controls/V-75695.rb" + "id": "controls/V-75597.rb" }, { "title": null, "controls": [ - "V-75847" + "V-75579" ], - "id": "controls/V-75847.rb" + "id": "controls/V-75579.rb" }, { "title": null, "controls": [ - "V-75633" + "V-75883" ], - "id": "controls/V-75633.rb" + "id": "controls/V-75883.rb" }, { "title": null, "controls": [ - "V-75445" + "V-75457" ], - "id": "controls/V-75445.rb" + "id": 
"controls/V-75457.rb" }, { "title": null, "controls": [ - "V-75641" + "V-75459" ], - "id": "controls/V-75641.rb" + "id": "controls/V-75459.rb" }, { "title": null, "controls": [ - "V-75565" + "V-80959" ], - "id": "controls/V-75565.rb" + "id": "controls/V-80959.rb" }, { "title": null, "controls": [ - "V-75769" + "V-75749" ], - "id": "controls/V-75769.rb" + "id": "controls/V-75749.rb" }, { "title": null, "controls": [ - "V-75471" + "V-75873" ], - "id": "controls/V-75471.rb" + "id": "controls/V-75873.rb" }, { "title": null, "controls": [ - "V-75627" + "V-75837" ], - "id": "controls/V-75627.rb" + "id": "controls/V-75837.rb" }, { "title": null, "controls": [ - "V-75653" + "V-75765" ], - "id": "controls/V-75653.rb" + "id": "controls/V-75765.rb" }, { "title": null, "controls": [ - "V-75551" + "V-75577" ], - "id": "controls/V-75551.rb" + "id": "controls/V-75577.rb" }, { "title": null, "controls": [ - "V-75491" + "V-75435" ], - "id": "controls/V-75491.rb" + "id": "controls/V-75435.rb" }, { "title": null, "controls": [ - "V-75657" + "V-75767" ], - "id": "controls/V-75657.rb" + "id": "controls/V-75767.rb" }, { "title": null, "controls": [ - "V-75545" + "V-75437" ], - "id": "controls/V-75545.rb" + "id": "controls/V-75437.rb" }, { "title": null, "controls": [ - "V-75819" + "V-75511" ], - "id": "controls/V-75819.rb" + "id": "controls/V-75511.rb" }, { "title": null, "controls": [ - "V-75577" + "V-75589" ], - "id": "controls/V-75577.rb" + "id": "controls/V-75589.rb" }, { "title": null, "controls": [ - "V-75489" + "V-75805" ], - "id": "controls/V-75489.rb" + "id": "controls/V-75805.rb" }, { "title": null, "controls": [ - "V-75729" + "V-75493" ], - "id": "controls/V-75729.rb" + "id": "controls/V-75493.rb" }, { "title": null, "controls": [ - "V-75757" + "V-75503" ], - "id": "controls/V-75757.rb" + "id": "controls/V-75503.rb" }, { "title": null, "controls": [ - "V-75601" + "V-75443" ], - "id": "controls/V-75601.rb" + "id": "controls/V-75443.rb" }, { "title": null, "controls": [ - 
"V-75605" + "V-75693" ], - "id": "controls/V-75605.rb" + "id": "controls/V-75693.rb" }, { "title": null, "controls": [ - "V-75389" + "V-75781" ], - "id": "controls/V-75389.rb" + "id": "controls/V-75781.rb" }, { "title": null, "controls": [ - "V-75873" + "V-75535" ], - "id": "controls/V-75873.rb" + "id": "controls/V-75535.rb" }, { "title": null, "controls": [ - "V-75459" + "V-75573" ], - "id": "controls/V-75459.rb" + "id": "controls/V-75573.rb" }, { "title": null, "controls": [ - "V-75787" + "V-75627" ], - "id": "controls/V-75787.rb" + "id": "controls/V-75627.rb" }, { "title": null, "controls": [ - "V-75767" + "V-75545" ], - "id": "controls/V-75767.rb" + "id": "controls/V-75545.rb" }, { "title": null, "controls": [ - "V-75687" + "V-75485" ], - "id": "controls/V-75687.rb" + "id": "controls/V-75485.rb" }, { "title": null, "controls": [ - "V-75831" + "V-75799" ], - "id": "controls/V-75831.rb" + "id": "controls/V-75799.rb" }, { "title": null, "controls": [ - "V-75905" + "V-75871" ], - "id": "controls/V-75905.rb" + "id": "controls/V-75871.rb" }, { "title": null, "controls": [ - "V-75485" + "V-75613" ], - "id": "controls/V-75485.rb" + "id": "controls/V-75613.rb" }, { "title": null, "controls": [ - "V-75469" + "V-75559" ], - "id": "controls/V-75469.rb" + "id": "controls/V-75559.rb" } ], "sha256": "ec8e3e2a216b9a6aaf9f6fcc205b9d2679329618816acb0795f5cd2210ce7b7a", diff --git a/src/assets/data/baselineProfiles/microsoft-windows-10-stig-baseline.json b/src/assets/data/baselineProfiles/microsoft-windows-10-stig-baseline.json index 3ab1ad53..545904d6 100644 --- a/src/assets/data/baselineProfiles/microsoft-windows-10-stig-baseline.json +++ b/src/assets/data/baselineProfiles/microsoft-windows-10-stig-baseline.json 
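Review bot: The churn in this hunk looks like a pure re-ordering of the `groups` entries rather than a content change — each removed V-id appears to come back as an added id elsewhere in the hunk, and the `sha256` context line at the end is unchanged — which points to nondeterministic ordering in whatever exports this baseline. That makes an 884-line diff that cannot be reviewed for real changes, and any consumer that diffs or caches these files sees a false update. If the export step is under this repository's control, sorting `groups` and `controls` by `id` before writing the file would keep future diffs limited to actual profile changes; if the order comes from the upstream tool, a comment in the generating script noting that the order is not stable would at least warn the next maintainer.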
@@ -12,27 +12,27 @@ "supports": [], "controls": [ { - "title": "Audit policy using subcategories must be enabled.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior. This setting\n allows administrators to enable more precise auditing capabilities.", + "title": "Windows 10 systems must have Unified Extensible Firmware Interface\n (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.", + "desc": "UEFI provides additional security features in comparison to legacy\n BIOS firmware, including Secure Boot. UEFI is required to support additional\n security features in Windows 10, including Virtualization Based Security and\n Credential Guard. Systems with UEFI that are operating in Legacy BIOS mode will\n not support these security features.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior. 
This setting\n allows administrators to enable more precise auditing capabilities.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Audit:\n Force audit policy subcategory settings (Windows Vista or later) to override\n audit policy category settings\" to \"Enabled\"." + "default": "UEFI provides additional security features in comparison to legacy\n BIOS firmware, including Secure Boot. UEFI is required to support additional\n security features in Windows 10, including Virtualization Based Security and\n Credential Guard. Systems with UEFI that are operating in Legacy BIOS mode will\n not support these security features.", + "check": "For virtual desktop implementations (VDIs) where the virtual\n desktop instance is deleted or refreshed upon logoff, this is NA.\n\n Verify the system firmware is configured to run in UEFI mode, not Legacy BIOS.\n\n Run \"System Information\".\n\n Under \"System Summary\", if \"BIOS Mode\" does not display \"UEFI\", this is\n finding.", + "fix": "Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000030", - "gid": "V-63635", - "rid": "SV-78125r1_rule", - "stig_id": "WN10-SO-000030", - "fix_id": "F-69563r1_fix", + "gtitle": "WN10-00-000015", + "gid": "V-77083", + "rid": "SV-91779r3_rule", + "stig_id": "WN10-00-000015", + "fix_id": "F-83781r1_fix", "cci": [ - "CCI-000169" + "CCI-000366" ], "nist": [ - "AU-12 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -46,35 +46,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63635' do\n title 'Audit policy using subcategories must be enabled.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior. This setting\n allows administrators to enable more precise auditing capabilities.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000030'\n tag gid: 'V-63635'\n tag rid: 'SV-78125r1_rule'\n tag stig_id: 'WN10-SO-000030'\n tag fix_id: 'F-69563r1_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Audit:\n Force audit policy subcategory settings (Windows Vista or later) to override\n audit policy category settings\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'SCENoApplyLegacyAuditPolicy' 
}\n its('SCENoApplyLegacyAuditPolicy') { should cmp 1 }\n end\nend\n", + "code": "control 'V-77083' do\n title \"Windows 10 systems must have Unified Extensible Firmware Interface\n (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.\"\n desc \"UEFI provides additional security features in comparison to legacy\n BIOS firmware, including Secure Boot. UEFI is required to support additional\n security features in Windows 10, including Virtualization Based Security and\n Credential Guard. Systems with UEFI that are operating in Legacy BIOS mode will\n not support these security features.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000015'\n tag gid: 'V-77083'\n tag rid: 'SV-91779r3_rule'\n tag stig_id: 'WN10-00-000015'\n tag fix_id: 'F-83781r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"For virtual desktop implementations (VDIs) where the virtual\n desktop instance is deleted or refreshed upon logoff, this is NA.\n\n Verify the system firmware is configured to run in UEFI mode, not Legacy BIOS.\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", if \\\"BIOS Mode\\\" does not display \\\"UEFI\\\", this is\n finding.\"\n desc \"fix\", 'Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode.'\n\n if sys_info.manufacturer != 'VMware, Inc.'\n describe 'Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode' do\n skip 'Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode'\n end\n else\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-77083.' 
do\n skip 'This is a VDI System; This System is NA for Control V-77083.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63635.rb", + "ref": "./Windows 10 STIG/controls/V-77083.rb", "line": 3 }, - "id": "V-63635" + "id": "V-77083" }, { - "title": "Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.", - "desc": "Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. By default Windows uses ECC curves\n with shorter key lengths first. Requiring ECC curves with longer key lengths\n to be prioritized first helps ensure more secure algorithms are used.", + "title": "The period of time before the bad logon counter is reset must be\n configured to 15 minutes.", + "desc": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that must pass after failed logon attempts before the counter is reset to 0.\n The smaller this value is, the less effective the account lockout feature will\n be in protecting the local system.", "descriptions": { - "default": "Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. By default Windows uses ECC curves\n with shorter key lengths first. 
Requiring ECC curves with longer key lengths\n to be prioritized first helps ensure more secure algorithms are used.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002\\\n\n Value Name: EccCurves\n\n Value Type: REG_MULTI_SZ\n Value: NistP384 NistP256", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> SSL Configuration Settings >> \"ECC\n Curve Order\" to \"Enabled\" with \"ECC Curve Order:\" including the following\n in the order listed:\n\n NistP384\n NistP256" + "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that must pass after failed logon attempts before the counter is reset to 0.\n The smaller this value is, the less effective the account lockout feature will\n be in protecting the local system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Reset account lockout counter after\" value is less than 15\n minutes, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n \"Reset account lockout counter after\" to 15 minutes." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000052", - "gid": "V-74413", - "rid": "SV-89087r2_rule", - "stig_id": "WN10-CC-000052", - "fix_id": "F-80955r1_fix", + "gtitle": "WN10-AC-000015", + "gid": "V-63413", + "rid": "SV-77903r1_rule", + "stig_id": "WN10-AC-000015", + "fix_id": "F-69341r1_fix", "cci": [ - "CCI-000803" + "CCI-000044", + "CCI-002238" ], "nist": [ - "IA-7", + "AC-7 a", + "AC-7 b", "Rev_4" ], "false_negatives": null, 
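Review bot: The new `code` string for V-77083 never evaluates the requirement: when `sys_info.manufacturer` is not `'VMware, Inc.'` the control only runs a `skip`, and on VMware hosts it sets `impact 0.0` and skips as NA, so every system ends in skip/NA and a Legacy-BIOS machine can never fail. The `check` text quoted in the same hunk limits NA to VDIs whose instance is deleted or refreshed on logoff, which a vendor string does not establish, so persistent VMware VMs would be exempted without justification; driving that branch from a profile input rather than the manufacturer name would match the STIG scope. The non-VDI branch can carry a real assertion, e.g. `describe powershell('$env:firmware_type') do its('stdout.strip') { should cmp 'UEFI' } end`, which reads the firmware type Windows exposes to PowerShell. Because this JSON is an export, the fix belongs in `./Windows 10 STIG/controls/V-77083.rb` (the path in the hunk's `source_location`) with the baseline regenerated afterwards.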
@@ -88,35 +90,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74413' do\n title 'Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.'\n desc \"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. By default Windows uses ECC curves\n with shorter key lengths first. Requiring ECC curves with longer key lengths\n to be prioritized first helps ensure more secure algorithms are used.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000052'\n tag gid: 'V-74413'\n tag rid: 'SV-89087r2_rule'\n tag stig_id: 'WN10-CC-000052'\n tag fix_id: 'F-80955r1_fix'\n tag cci: ['CCI-000803']\n tag nist: %w[IA-7 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography\\\\Configuration\\\\SSL\\\\00010002\\\\\n\n Value Name: EccCurves\n\n Value Type: REG_MULTI_SZ\n Value: NistP384 NistP256\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> SSL Configuration Settings >> \\\"ECC\n Curve Order\\\" to \\\"Enabled\\\" with \\\"ECC Curve Order:\\\" including the following\n in the order listed:\n\n NistP384\n NistP256\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002') do\n it { should have_property 'EccCurves' }\n end\n \n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002') do\n its('EccCurves') { 
should include 'NistP384' }\n its('EccCurves') { should include 'NistP256' }\n end\nend\n", + "code": "control 'V-63413' do\n title \"The period of time before the bad logon counter is reset must be\n configured to #{input('pass_lock_time')} minutes.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that must pass after failed logon attempts before the counter is reset to 0.\n The smaller this value is, the less effective the account lockout feature will\n be in protecting the local system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000015'\n tag gid: 'V-63413'\n tag rid: 'SV-77903r1_rule'\n tag stig_id: 'WN10-AC-000015'\n tag fix_id: 'F-69341r1_fix'\n tag cci: %w[CCI-000044 CCI-002238]\n tag nist: ['AC-7 a', 'AC-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Reset account lockout counter after\\\" value is less than #{input('pass_lock_time')}\n minutes, this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n \\\"Reset account lockout counter after\\\" to #{input('pass_lock_time')} minutes.\"\n\n describe security_policy do\n its('ResetLockoutCount') { should be >= input('pass_lock_time') }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74413.rb", + "ref": "./Windows 10 
STIG/controls/V-63413.rb",
"line": 3
},
- "id": "V-74413"
+ "id": "V-63413"
},
{
- "title": "User Account Control must only elevate UIAccess applications that are\n installed in secure locations.",
- "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\System32 folders, to run with elevated privileges.",
+ "title": "The system must notify the user when a Bluetooth device attempts to connect.",
+ "desc": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised",
"descriptions": {
- "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\System32 folders, to run with elevated privileges.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 1",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Only elevate UIAccess applications that are installed in\n secure locations\" to \"Enabled\"."
+ "default": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. 
If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised",
+ "check": "This is NA if the system does not have Bluetooth.\n\n Search for \"Bluetooth\".\n View Bluetooth Settings.\n Select \"More Bluetooth Options\"\n If \"Alert me when a new Bluetooth device wants to connect\" is not checked,\n this is a finding.",
+ "fix": "Configure Bluetooth to notify users if devices attempt to connect.\n View Bluetooth Settings.\n Ensure \"Alert me when a new Bluetooth device wants to connect\" is checked."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium",
- "gtitle": "WN10-SO-000265",
- "gid": "V-63827",
- "rid": "SV-78317r1_rule",
- "stig_id": "WN10-SO-000265",
- "fix_id": "F-69755r1_fix",
+ "gtitle": "WN10-00-000230",
+ "gid": "V-72769",
+ "rid": "SV-87407r1_rule",
+ "stig_id": "WN10-00-000230",
+ "fix_id": "F-79179r1_fix",
"cci": [
- "CCI-001084"
+ "CCI-000366"
],
"nist": [
- "SC-3",
+ "CM-6 b",
"Rev_4"
],
"false_negatives": null,
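Review bot: The V-63413 code tests `its('ResetLockoutCount') { should be >= input('pass_lock_time') }` while the exported `descriptions.check` and `descriptions.fix` text in this hunk hard-code 15 minutes, so the rendered guidance and the effective threshold can drift: an operator who sets `pass_lock_time` below 15 gets a passing control on a system the quoted STIG text calls a finding. No declaration or default for `pass_lock_time` is visible in the hunk, so whether a floor exists elsewhere cannot be told from here. I would either pin the STIG minimum in the test, `its('ResetLockoutCount') { should be >= [input('pass_lock_time'), 15].max }`, or at least state the contract next to it, `# STIG check text requires >= 15 minutes; pass_lock_time may raise but must not lower this floor`. The control object that holds this `code` value starts before the hunk.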
@@ -130,35 +132,41 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63827' do\n title \"User Account Control must only elevate UIAccess applications that are\n installed in secure locations.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\\\System32 folders, to run with elevated privileges.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000265'\n tag gid: 'V-63827'\n tag rid: 'SV-78317r1_rule'\n tag stig_id: 'WN10-SO-000265'\n tag fix_id: 'F-69755r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Only elevate UIAccess applications that are installed in\n secure locations\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'EnableSecureUIAPaths' }\n its('EnableSecureUIAPaths') { should cmp 1 }\n end\nend\n", + "code": "control 'V-72769' do\n title 'The 
system must notify the user when a Bluetooth device attempts to connect.'\n desc \"If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000230'\n tag gid: 'V-72769'\n tag rid: 'SV-87407r1_rule'\n tag stig_id: 'WN10-00-000230'\n tag fix_id: 'F-79179r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA if the system does not have Bluetooth.\n\n Search for \\\"Bluetooth\\\".\n View Bluetooth Settings.\n Select \\\"More Bluetooth Options\\\"\n If \\\"Alert me when a new Bluetooth device wants to connect\\\" is not checked,\n this is a finding.\"\n desc \"fix\", \"Configure Bluetooth to notify users if devices attempt to connect.\n View Bluetooth Settings.\n Ensure \\\"Alert me when a new Bluetooth device wants to connect\\\" is checked.\"\n\n if sys_info.manufacturer != 'VMware, Inc.'\n describe 'Configure Bluetooth to notify users if devices attempt to connect.\n View Bluetooth Settings. Ensure \"Alert me when a new Bluetooth device \n wants to connect\" is checked' do\n skip 'This is NA if the system does not have Bluetooth'\n end\n else\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-72769.' 
do\n skip 'This is a VDI System; This System is NA for Control V-72769.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63827.rb", + "ref": "./Windows 10 STIG/controls/V-72769.rb", "line": 3 }, - "id": "V-63827" + "id": "V-72769" }, { - "title": "Permissions for system files and directories must conform to minimum\n requirements.", - "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.", + "title": "The built-in Microsoft password complexity filter must be enabled.", + "desc": "The use of complex passwords increases their strength against guessing\n and brute-force attacks. This setting configures the system to verify that\n newly created passwords conform to the Windows password complexity policy.", "descriptions": { - "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.", - "check": "The default file system permissions are adequate when the\n Security Option \"Network access: Let Everyone permissions apply to anonymous\n users\" is set to \"Disabled\" (WN10-SO-000160).\n\n If the default file system permissions are maintained and the referenced option\n is set to \"Disabled\", this is not a finding.\n\n Verify the default permissions for the sample directories below. Non-privileged\n groups such as Users or Authenticated Users must not have greater than Read &\n execute permissions except where noted as defaults. 
(Individual accounts must\n not be used to assign permissions.)\n\n Viewing in File Explorer:\n Select the \"Security\" tab, and the \"Advanced\" button.\n\n C:\\\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Administrators - Full control - This folder, subfolders and files\n SYSTEM - Full control - This folder, subfolders and files\n Users - Read & execute - This folder, subfolders and files\n Authenticated Users - Modify - Subfolders and files only\n Authenticated Users - Create folders / append data - This folder only\n\n \\Program Files\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders\n and files\n\n \\Windows\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders\n and files\n\n Alternately use icacls.\n\n Run \"CMD\" as administrator.\n Enter \"icacls\" followed 
by the directory.\n\n icacls c:\\\n icacls \"c:\\program files\"\n icacls c:\\windows\n\n The following results will be displayed as each is entered:\n\n c:\\\n BUILTIN\\Administrators:(OI)(CI)(F)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\Users:(OI)(CI)(RX)\n NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(M)\n NT AUTHORITY\\Authenticated Users:(AD)\n Mandatory Label\\High Mandatory Level:(OI)(NP)(IO)(NW)\n Successfully processed 1 files; Failed processing 0 files\n\n c:\\program files\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\n\n c:\\windows\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files", - "fix": "Maintain the default file system permissions and configure the\n Security Option: \"Network access: Let everyone permissions apply 
to anonymous\n users\" to \"Disabled\" (WN10-SO-000160)."
+ "default": "The use of complex passwords increases their strength against guessing\n and brute-force attacks. This setting configures the system to verify that\n newly created passwords conform to the Windows password complexity policy.",
+ "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \"Password must meet complexity requirements\" is not set to\n \"Enabled\", this is a finding.\n\n If the site is using a password filter that requires this setting be set to\n \"Disabled\" for the filter to be used, this would not be considered a finding.",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Password must meet complexity requirements\" to \"Enabled\"."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium",
- "gtitle": "WN10-00-000095",
- "gid": "V-63373",
- "rid": "SV-77863r2_rule",
- "stig_id": "WN10-00-000095",
- "fix_id": "F-69295r1_fix",
+ "gtitle": "WN10-AC-000040",
+ "gid": "V-63427",
+ "rid": "SV-77917r1_rule",
+ "stig_id": "WN10-AC-000040",
+ "fix_id": "F-69355r1_fix",
"cci": [
- "CCI-002165"
+ "CCI-000192",
+ "CCI-000193",
+ "CCI-000194",
+ "CCI-001619"
],
"nist": [
- "AC-3 (4)",
+ "IA-5 (1) (a)",
+ "IA-5 (1) (a)",
+ "IA-5 (1) (a)",
+ "IA-5 (1) (a)",
"Rev_4"
],
"false_negatives": null,
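Review bot: The V-72769 code never evaluates the Bluetooth setting: the non-VMware branch wraps a bare `describe` around `skip 'This is NA if the system does not have Bluetooth'`, so every physical host is reported as skipped whether or not Bluetooth is present or the alert is enabled, and the skip text asserts an NA condition the code did not check. If this is meant as a manual review, the skip reason should say so, e.g. `skip 'Manual review: confirm "Alert me when a new Bluetooth device wants to connect" is checked'`, so the result is not read as an automated NA determination. The `sys_info.manufacturer != 'VMware, Inc.'` test as the VDI proxy covers a single hypervisor vendor; I would note that limitation in a comment on the branch rather than widen it here. The describe title string also carries a literal line break with trailing whitespace after `device `, which will show up verbatim in reports.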
@@ -172,35 +180,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63373' do\n title \"Permissions for system files and directories must conform to minimum\n requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000095'\n tag gid: 'V-63373'\n tag rid: 'SV-77863r2_rule'\n tag stig_id: 'WN10-00-000095'\n tag fix_id: 'F-69295r1_fix'\n tag cci: ['CCI-002165']\n tag nist: ['AC-3 (4)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"The default file system permissions are adequate when the\n Security Option \\\"Network access: Let Everyone permissions apply to anonymous\n users\\\" is set to \\\"Disabled\\\" (WN10-SO-000160).\n\n If the default file system permissions are maintained and the referenced option\n is set to \\\"Disabled\\\", this is not a finding.\n\n Verify the default permissions for the sample directories below. Non-privileged\n groups such as Users or Authenticated Users must not have greater than Read &\n execute permissions except where noted as defaults. 
(Individual accounts must\n not be used to assign permissions.)\n\n Viewing in File Explorer:\n Select the \\\"Security\\\" tab, and the \\\"Advanced\\\" button.\n\n C:\\\\\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Administrators - Full control - This folder, subfolders and files\n SYSTEM - Full control - This folder, subfolders and files\n Users - Read & execute - This folder, subfolders and files\n Authenticated Users - Modify - Subfolders and files only\n Authenticated Users - Create folders / append data - This folder only\n\n \\\\Program Files\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders\n and files\n\n \\\\Windows\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders\n and files\n\n Alternately use icacls.\n\n Run \\\"CMD\\\" as 
administrator.\n Enter \\\"icacls\\\" followed by the directory.\n\n icacls c:\\\\\n icacls \\\"c:\\\\program files\\\"\n icacls c:\\\\windows\n\n The following results will be displayed as each is entered:\n\n c:\\\\\n BUILTIN\\\\Administrators:(OI)(CI)(F)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\\\Users:(OI)(CI)(RX)\n NT AUTHORITY\\\\Authenticated Users:(OI)(CI)(IO)(M)\n NT AUTHORITY\\\\Authenticated Users:(AD)\n Mandatory Label\\\\High Mandatory Level:(OI)(NP)(IO)(NW)\n Successfully processed 1 files; Failed processing 0 files\n\n c:\\\\program files\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\n\n c:\\\\windows\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\"\n\n desc 'fix', 
\"Maintain the default file system permissions and configure the\n Security Option: \\\"Network access: Let everyone permissions apply to anonymous\n users\\\" to \\\"Disabled\\\" (WN10-SO-000160).\"\n\n\n c_windows_permission = JSON.parse(input('c_windows_folder_permissions').to_json)\n c_permission = JSON.parse(input('c_folder_permissions').to_json)\n c_program_files_permissions = JSON.parse(input('c_program_files_folder_permissions').to_json)\n\n query_c_windows = json({ command: 'icacls \"c:\\\\windows\" | ConvertTo-Json' }).params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"c:\\\\windows \", '') }\n query_c = json( command: \"icacls 'C:\\\\' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"C:\\\\ \", '') }\n query_c_program_files = json({ command: 'icacls \"c:\\\\Program Files\" | ConvertTo-Json' }).params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"c:\\\\Program Files \", '') }\n\n describe 'The ACL on C:\\Windows are set to the right permissions' do\n subject { query_c_windows }\n it { should be_in c_windows_permission }\n end\n describe 'The ACL on C:\\ are set to the right permissions' do\n subject { query_c }\n it { should be_in c_permission }\n end\n describe 'The ACL on C:\\Program Files are set to the right permissions' do\n subject { query_c_program_files }\n it { should be_in c_program_files_permissions }\n end\nend\n", + "code": "control 'V-63427' do\n title 'The built-in Microsoft password complexity filter must be enabled.'\n desc \"The use of complex passwords increases their strength against guessing\n and brute-force attacks. 
This setting configures the system to verify that\n newly created passwords conform to the Windows password complexity policy.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000040'\n tag gid: 'V-63427'\n tag rid: 'SV-77917r1_rule'\n tag stig_id: 'WN10-AC-000040'\n tag fix_id: 'F-69355r1_fix'\n tag cci: %w[CCI-000192 CCI-000193 CCI-000194 CCI-001619]\n tag nist: ['IA-5 (1) (a)', 'IA-5 (1) (a)', 'IA-5 (1) (a)', 'IA-5 (1) (a)',\n 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \\\"Password must meet complexity requirements\\\" is not set to\n \\\"Enabled\\\", this is a finding.\n\n If the site is using a password filter that requires this setting be set to\n \\\"Disabled\\\" for the filter to be used, this would not be considered a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Password must meet complexity requirements\\\" to \\\"Enabled\\\".\"\n\n describe security_policy do\n its('PasswordComplexity') { should eq input('enable_pass_complexity') }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63373.rb", + "ref": "./Windows 10 STIG/controls/V-63427.rb", "line": 3 }, - "id": "V-63373" + "id": "V-63427" }, { - "title": "The Windows PowerShell 2.0 feature must be disabled on the system.", - "desc": "Windows PowerShell 5.0 added advanced logging features which can\n provide additional detail 
when malware has been run on a system. Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.", + "title": "The system must be configured to audit Detailed Tracking - Process\n Creation successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process creation records events related to the creation of a process and\n the source.", "descriptions": { - "default": "Windows PowerShell 5.0 added advanced logging features which can\n provide additional detail when malware has been run on a system. 
Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.", - "check": "Run \"Windows PowerShell\" with elevated privileges (run as\n administrator).\n\n Enter the following:\n Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2*\n\n If either of the following have a \"State\" of \"Enabled\", this is a finding.\n\n FeatureName : MicrosoftWindowsPowerShellV2\n State : Enabled\n FeatureName : MicrosoftWindowsPowerShellV2Root\n State : Enabled\n\n Alternately:\n Search for \"Features\".\n\n Select \"Turn Windows features on or off\".\n\n If \"Windows PowerShell 2.0\" (whether the subcategory of \"Windows PowerShell\n 2.0 Engine\" is selected or not) is selected, this is a finding.", - "fix": "Disable \"Windows PowerShell 2.0\" on the system.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter the following:\n Disable-WindowsOptionalFeature -Online -FeatureName\n MicrosoftWindowsPowerShellV2Root\n\n This command should disable both \"MicrosoftWindowsPowerShellV2Root\" and\n \"MicrosoftWindowsPowerShellV2\" which correspond to \"Windows PowerShell 2.0\"\n and \"Windows PowerShell 2.0 Engine\" respectively in \"Turn Windows features\n on or off\".\n\n Alternately:\n Search for \"Features\".\n Select \"Turn Windows features on or off\".\n De-select \"Windows PowerShell 2.0\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process creation records events related to the creation of a process and\n the source.",
+ "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Detailed Tracking >> Process Creation - Success",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Detailed Tracking >> \"Audit Process Creation\" with\n \"Success\" selected."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium",
- "gtitle": "WN10-00-000155",
- "gid": "V-70637",
- "rid": "SV-85259r2_rule",
- "stig_id": "WN10-00-000155",
- "fix_id": "F-76869r1_fix",
+ "gtitle": "WN10-AU-000050",
+ "gid": "V-63453",
+ "rid": "SV-77943r1_rule",
+ "stig_id": "WN10-AU-000050",
+ "fix_id": "F-69381r1_fix",
"cci": [
- "CCI-000381"
+ "CCI-000172"
],
"nist": [
- "CM-7 a",
+ "AU-12 c",
"Rev_4"
],
"false_negatives": null,
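Review bot: The V-63427 test `its('PasswordComplexity') { should eq input('enable_pass_complexity') }` makes the required value operator-controlled, so setting the input to 0 turns a complexity-disabled system into a clean pass with no record of the site password filter that the `descriptions.check` text names as the only acceptable reason for "Disabled". I would keep the comparison but document the contract where the input is consumed, `# expected 1; only 0 when a site password filter requires it, and that filter must be documented`, or better, when the input is not 1 emit a `describe` with a `skip` carrying the justification rather than a silent pass. Separately, the new `nist` array lists `"IA-5 (1) (a)"` four times; if the generator maps one NIST entry per CCI this is expected, otherwise the duplicates should collapse to a single entry. The control object this `code` value belongs to starts before the hunk.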
@@ -214,79 +222,80 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-70637' do\n title 'The Windows PowerShell 2.0 feature must be disabled on the system.'\n desc \"Windows PowerShell 5.0 added advanced logging features which can\n provide additional detail when malware has been run on a system. Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000155'\n tag gid: 'V-70637'\n tag rid: 'SV-85259r2_rule'\n tag stig_id: 'WN10-00-000155'\n tag fix_id: 'F-76869r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Run \\\"Windows PowerShell\\\" with elevated privileges (run as\n administrator).\n\n Enter the following:\n Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2*\n\n If either of the following have a \\\"State\\\" of \\\"Enabled\\\", this is a finding.\n\n FeatureName : MicrosoftWindowsPowerShellV2\n State : Enabled\n FeatureName : MicrosoftWindowsPowerShellV2Root\n State : Enabled\n\n Alternately:\n Search for \\\"Features\\\".\n\n Select \\\"Turn Windows features on or off\\\".\n\n If \\\"Windows PowerShell 2.0\\\" (whether the subcategory of \\\"Windows PowerShell\n 2.0 Engine\\\" is selected or not) is selected, this is a finding.\"\n desc \"fix\", \"Disable \\\"Windows PowerShell 2.0\\\" on the system.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter the following:\n Disable-WindowsOptionalFeature -Online -FeatureName\n MicrosoftWindowsPowerShellV2Root\n\n This command should disable both 
\\\"MicrosoftWindowsPowerShellV2Root\\\" and\n \\\"MicrosoftWindowsPowerShellV2\\\" which correspond to \\\"Windows PowerShell 2.0\\\"\n and \\\"Windows PowerShell 2.0 Engine\\\" respectively in \\\"Turn Windows features\n on or off\\\".\n\n Alternately:\n Search for \\\"Features\\\".\n Select \\\"Turn Windows features on or off\\\".\n De-select \\\"Windows PowerShell 2.0\\\".\"\n\n powershellv2 = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq MicrosoftWindowsPowerShellV2 | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params\n powershellv2root = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq MicrosoftWindowsPowerShellV2Root | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params \n\n describe 'Feature Name MicrosoftWindowsPowerShellV2 should not be Enabled' do\n subject { powershellv2 }\n its(['State']) { should_not eq \"Enabled\" }\n end\n describe 'Feature Name MicrosoftWindowsPowerShellV2Root should not be Enabled' do\n subject { powershellv2root }\n its(['State']) { should_not eq \"Enabled\" }\n end\nend", + "code": "control 'V-63453' do\n title \"The system must be configured to audit Detailed Tracking - Process\n Creation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process creation records events related to the creation of a process and\n the source.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000050'\n tag gid: 'V-63453'\n tag rid: 'SV-77943r1_rule'\n tag stig_id: 'WN10-AU-000050'\n tag fix_id: 'F-69381r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Detailed Tracking >> Process Creation - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Detailed Tracking >> \\\"Audit Process Creation\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Process Creation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Process Creation') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-70637.rb", + "ref": "./Windows 10 STIG/controls/V-63453.rb", "line": 3 }, - "id": "V-70637" + "id": "V-63453" }, { - "title": "Passwords must, at a minimum, be 14 characters.", - "desc": "Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.", + "title": "Passwords for the built-in local Administrator account must be changed\nat least every 60 days.", + "desc": "The longer a password is in use, the greater the opportunity for\nsomeone to gain unauthorized knowledge of the password. The built-in local\nAdministrator account is not generally used and its password not may be changed\nas frequently as necessary. Changing the password for the built-in local\nAdministrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such Microsoft's Local\nAdministrator Password Solution (LAPS), on domain-joined systems can configure\nthis to occur more frequently. 
LAPS will change the password every \"30\" days\nby default.", "descriptions": { - "default": "Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \"Minimum password length,\" is less than 14\n characters, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Minimum password length\" to 14 characters." + "default": "The longer a password is in use, the greater the opportunity for\nsomeone to gain unauthorized knowledge of the password. The built-in local\nAdministrator account is not generally used and its password not may be changed\nas frequently as necessary. Changing the password for the built-in local\nAdministrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such Microsoft's Local\nAdministrator Password Solution (LAPS), on domain-joined systems can configure\nthis to occur more frequently. 
LAPS will change the password every \"30\" days\nby default.", + "rationale": "", + "check": "Review the password last set date for the built-in Administrator account.\n\n On the local domain joined workstation:\n\n Open \"PowerShell\".\n\n Enter \"Get-LocalUser –Name * | Select-Object *”\n\n If the \"PasswordLastSet\" date is greater than \"60\" days old for the\nBuilt-in account for administering the computer/domain, this is a finding", + "fix": "Change the built-in Administrator account password at least every \"60\"\ndays.\n\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined\nmember servers to meet this requirement." }, "impact": 0.5, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-AC-000035", - "gid": "V-63423", - "rid": "SV-77913r1_rule", - "stig_id": "WN10-AC-000035", - "fix_id": "F-69351r1_fix", + "severity": null, + "gtitle": "WN10-SO-000280", + "gid": "V-99555", + "rid": "SV-108659r1_rule", + "stig_id": "WN10-SO-000280", + "fix_id": "F-105239r1_fix", "cci": [ - "CCI-000205" + "CCI-000199" ], "nist": [ - "IA-5 (1) (a)", + "IA-5 (1) (d)", "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null + ] }, - "code": "control 'V-63423' do\n title 'Passwords must, at a minimum, be 14 characters.'\n desc \"Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000035'\n tag gid: 'V-63423'\n tag rid: 'SV-77913r1_rule'\n tag stig_id: 'WN10-AC-000035'\n tag fix_id: 'F-69351r1_fix'\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) 
(a)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \\\"Minimum password length,\\\" is less than #{input('min_pass_len')}\n characters, this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Minimum password length\\\" to #{input('min_pass_len')} characters.\"\n\n describe security_policy do\n its('MinimumPasswordLength') { should be >= input('min_pass_len') }\n end\nend\n", + "code": "control \"V-99555\" do\n title \"Passwords for the built-in local Administrator account must be changed\nat least every 60 days.\"\n desc \"The longer a password is in use, the greater the opportunity for\nsomeone to gain unauthorized knowledge of the password. The built-in local\nAdministrator account is not generally used and its password not may be changed\nas frequently as necessary. Changing the password for the built-in local\nAdministrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such Microsoft's Local\nAdministrator Password Solution (LAPS), on domain-joined systems can configure\nthis to occur more frequently. 
LAPS will change the password every \\\"30\\\" days\nby default.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-SO-000280\"\n tag gid: \"V-99555\"\n tag rid: \"SV-108659r1_rule\"\n tag stig_id: \"WN10-SO-000280\"\n tag fix_id: \"F-105239r1_fix\"\n tag cci: [\"CCI-000199\"]\n tag nist: [\"IA-5 (1) (d)\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"\n Review the password last set date for the built-in Administrator account.\n\n On the local domain joined workstation:\n\n Open \\\"PowerShell\\\".\n\n Enter \\\"Get-LocalUser –Name * | Select-Object *”\n\n If the \\\"PasswordLastSet\\\" date is greater than \\\"60\\\" days old for the\nBuilt-in account for administering the computer/domain, this is a finding\"\n desc \"fix\", \"Change the built-in Administrator account password at least every \\\"60\\\"\ndays.\n\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined\nmember servers to meet this requirement.\"\n \n administrator = input('local_administrator')\n local_password_set_date = json({ command: \"Get-LocalUser -name #{administrator} | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-60)} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\"})\n local_date = local_password_set_date[\"DateTime\"]\n if (local_date == nil)\n describe 'Local Administrator Account is within 365 days since password change' do\n skip 'Local Administrator Account is within 365 days since password change'\n end\n else\n describe 'Password Last Set' do\n it 'Local Administrator Account Password Last Set Date is' do\n failure_message = \"Password Date should not be more that 365 Days: #{local_date}\"\n expect(local_date).to be_empty, failure_message\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63423.rb", + "ref": "./Windows 10 STIG/controls/V-99555.rb", "line": 3 }, - "id": "V-63423" + "id": "V-99555" }, { - "title": "The system must be configured to require a strong session key.", - 
"desc": "A computer connecting to a domain controller will establish a secure\n channel. Requiring strong session keys enforces 128-bit encryption between\n systems.", + "title": "The system must be configured to audit Account Management - User\n Account Management successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", "descriptions": { - "default": "A computer connecting to a domain controller will establish a secure\n channel. Requiring strong session keys enforces 128-bit encryption between\n systems.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 1\n\n Warning: This setting may prevent a system from being joined to a domain if not\n configured consistently between systems.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Require strong (Windows 2000 or Later) session key\" to \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Account Management >> User Account Management - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \"Audit User Account Management\" with\n \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000060", - "gid": "V-63665", - "rid": "SV-78155r1_rule", - "stig_id": "WN10-SO-000060", - "fix_id": "F-69593r1_fix", + "gtitle": "WN10-AU-000040", + "gid": "V-63449", + "rid": "SV-77939r1_rule", + "stig_id": "WN10-AU-000040", + "fix_id": "F-69377r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130", + "CCI-002234" ], "nist": [ - "SC-8", - "SC-8 (1)", + "AC-2 (4)", + "AU-12 c", + "AC-2 (4)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2\n(4)", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
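Review bot: The embedded control code for V-99555 (the `code` value added after `"rationale": ""`) filters with `AddDays(-60)` but its skip and failure messages say `within 365 days` and `should not be more that 365 Days`, so a result is reported against the wrong threshold; change them to `skip 'Local Administrator Account is within 60 days since password change'` and `failure_message = "Password Date should not be more than 60 days: #{local_date}"`. In the same control the check text reads `Get-LocalUser –Name *` with an en dash, which PowerShell will not parse as the `-Name` parameter if someone copies it. The control also carries `tag severity: nil` (`"severity": null` in `tags`) next to `impact 0.5`, and drops the `false_negatives` … `ia_controls` keys that the neighbouring controls keep, so a consumer expecting the uniform tag shape sees a null severity and a different key set here; the same applies to V-99549 in the next hunk. This file looks generated from the referenced `./Windows 10 STIG/controls/V-99555.rb`, so the fix belongs there followed by a regeneration of the JSON. The V-63449 object that closes this hunk continues into the next one.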
@@ -300,77 +309,68 @@ "responsibility": null, "ia_controls": null }, - "code": "control \"V-63665\" do\n title \"The system must be configured to require a strong session key.\"\n desc \"A computer connecting to a domain controller will establish a secure\n channel. Requiring strong session keys enforces 128-bit encryption between\n systems.\"\n impact 0.5\n tag severity: \"medium\"\n tag gtitle: \"WN10-SO-000060\"\n tag gid: \"V-63665\"\n tag rid: \"SV-78155r1_rule\"\n tag stig_id: \"WN10-SO-000060\"\n tag fix_id: \"F-69593r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 1\n\n Warning: This setting may prevent a system from being joined to a domain if not\n configured consistently between systems.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Require strong (Windows 2000 or Later) session key\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'RequireStrongKey' }\n its('RequireStrongKey') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63449' do\n title \"The system must be configured to audit Account Management - User\n Account Management successes.\"\n desc \"Maintaining an 
audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000040'\n tag gid: 'V-63449'\n tag rid: 'SV-77939r1_rule'\n tag stig_id: 'WN10-AU-000040'\n tag fix_id: 'F-69377r1_fix'\n tag cci: %w[CCI-000018 CCI-000172 CCI-001403 CCI-001404\n CCI-001405 CCI-002130 CCI-002234]\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', \"AC-2\n(4)\", 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Management >> User Account Management - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \\\"Audit User Account Management\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63665.rb", - "line": 2 + "ref": "./Windows 10 STIG/controls/V-63449.rb", + "line": 3 }, - "id": "V-63665" + "id": "V-63449" }, { - "title": "Local drives must be prevented from sharing with Remote Desktop\n Session Hosts.", - "desc": "Preventing users from sharing the local drives on their client\n computers to Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.", + "title": "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change\nFailures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).", "descriptions": { - "default": "Preventing users from sharing the local drives on their client\n computers to Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fDisableCdm\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Device and Resource Redirection >> \"Do not\n allow drive redirection\" to \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).", + "rationale": "", + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> MPSSVC Rule-Level Policy Change - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy\nChange\" with \"Failure\" selected." 
}, "impact": 0.5, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000275", - "gid": "V-63731", - "rid": "SV-78221r1_rule", - "stig_id": "WN10-CC-000275", - "fix_id": "F-69659r1_fix", + "severity": null, + "gtitle": "WN10-AU-000580", + "gid": "V-99549", + "rid": "SV-108653r1_rule", + "stig_id": "WN10-AU-000580", + "fix_id": "F-105233r1_fix", "cci": [ - "CCI-001090" + "CCI-000130" ], "nist": [ - "SC-4", + "AU-3", "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null + ] }, - "code": "control 'V-63731' do\n title \"Local drives must be prevented from sharing with Remote Desktop\n Session Hosts.\"\n desc \"Preventing users from sharing the local drives on their client\n computers to Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000275'\n tag gid: 'V-63731'\n tag rid: 'SV-78221r1_rule'\n tag stig_id: 'WN10-CC-000275'\n tag fix_id: 'F-69659r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fDisableCdm\n\n Value Type: REG_DWORD\n Value: 1\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components 
>> Remote Desktop Services >>\n Remote Desktop Session Host >> Device and Resource Redirection >> \\\"Do not\n allow drive redirection\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'fDisableCdm' }\n its('fDisableCdm') { should cmp 1 }\n end\nend\n", + "code": "control \"V-99549\" do\n title \"Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change\nFailures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000580\"\n tag gid: \"V-99549\"\n tag rid: \"SV-108653r1_rule\"\n tag stig_id: \"WN10-AU-000580\"\n tag fix_id: \"F-105233r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Policy Change >> MPSSVC Rule-Level Policy Change - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy\nChange\\\" with \\\"Failure\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('MPSSVC Rule-Level Policy Change') { should eq 'Failure' }\n end\n describe audit_policy do\n its('MPSSVC Rule-Level Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63731.rb", + "ref": "./Windows 10 STIG/controls/V-99549.rb", "line": 3 }, - "id": "V-63731" + "id": "V-99549" }, { - "title": "Bluetooth must be turned off unless approved by the organization.", - "desc": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.", + "title": "Standard local user accounts must not exist on a system in a domain.", + "desc": "To minimize potential points of attack, local user accounts, other\n than built-in accounts and local administrator accounts, must not exist on a\n workstation in a domain. Users must log onto workstations in a domain with\n their domain accounts.", "descriptions": { - "default": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.", - "check": "This is NA if the system does not have Bluetooth.\n\n Verify the Bluetooth radio is turned off unless approved by the organization.\n If it is not, this is a finding.\n\n Approval must be documented with the ISSO.", - "fix": "Turn off Bluetooth radios not organizationally approved. 
Establish\n an organizational policy for the use of Bluetooth." + "default": "To minimize potential points of attack, local user accounts, other\n than built-in accounts and local administrator accounts, must not exist on a\n workstation in a domain. Users must log onto workstations in a domain with\n their domain accounts.", + "check": "Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n\n If local users other than the accounts listed below exist on a workstation in a\n domain, this is a finding.\n\n Built-in Administrator account (Disabled)\n Built-in Guest account (Disabled)\n Built-in DefaultAccount (Disabled)\n Built-in defaultuser0 (Disabled)\n Built-in WDAGUtilityAccount (Disabled)\n Local administrator account(s)\n\n All of the built-in accounts may not exist on a system, depending on the\n Windows 10 version.", + "fix": "Limit local user accounts on domain-joined systems. Remove any\n unauthorized local accounts." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-00-000210", - "gid": "V-72765", - "rid": "SV-87403r1_rule", - "stig_id": "WN10-00-000210", - "fix_id": "F-79175r1_fix", + "severity": "low", + "gtitle": "WN10-00-000085", + "gid": "V-63367", + "rid": "SV-77857r2_rule", + "stig_id": "WN10-00-000085", + "fix_id": "F-69287r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
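Review bot: The `nist` tag in the embedded code for V-63449 (`tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', "AC-2\n(4)", 'AC-6 (9)', 'Rev_4']`) contains one entry `"AC-2\n(4)"` with a literal newline, and the same value surfaces in the JSON `nist` array at the end of the previous hunk; any consumer that groups controls by string identifier will not match it with the other `AC-2 (4)` entries. Replace it with a plain `'AC-2 (4)'` and regenerate; the repetition itself appears to be one entry per listed CCI, so I would keep the count. In V-99549 the fix text opens the policy name with a curly quote `“Audit MPSSVC Rule-Level Policy` and closes it with an escaped straight `\"`, so the quotes do not pair in either the `descriptions.fix` value or the embedded `desc "fix"`; use `\"Audit MPSSVC Rule-Level Policy\nChange\"` in both. The V-63367 object that closes this hunk continues into the next one.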
@@ -384,35 +384,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control \"V-72765\" do\n title \"Bluetooth must be turned off unless approved by the organization.\"\n desc \"If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.\"\n impact 0.5\n tag severity: \"medium\"\n tag gtitle: \"WN10-00-000210\"\n tag gid: \"V-72765\"\n tag rid: \"SV-87403r1_rule\"\n tag stig_id: \"WN10-00-000210\"\n tag fix_id: \"F-79175r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA if the system does not have Bluetooth.\n\n Verify the Bluetooth radio is turned off unless approved by the organization.\n If it is not, this is a finding.\n\n Approval must be documented with the ISSO.\"\n desc \"fix\", \"Turn off Bluetooth radios not organizationally approved. Establish\n an organizational policy for the use of Bluetooth.\"\n\nif(sys_info).manufacturer != \"VMware, Inc.\"\n describe \"Turn off Bluetooth radios when not in use. 
Establish an organizational policy for the use of Bluetooth to include training of personnel\" do\n skip 'This is NA if the system does not have Bluetooth'\n end\nelse\n impact 0.0\n describe \"This is a VDI System this control is NA.\" do\n skip 'This is a VDI System this control is NA.'\n end\n end\nend\n", + "code": "control 'V-63367' do\n title 'Standard local user accounts must not exist on a system in a domain.'\n desc \"To minimize potential points of attack, local user accounts, other\n than built-in accounts and local administrator accounts, must not exist on a\n workstation in a domain. Users must log onto workstations in a domain with\n their domain accounts.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-00-000085'\n tag gid: 'V-63367'\n tag rid: 'SV-77857r2_rule'\n tag stig_id: 'WN10-00-000085'\n tag fix_id: 'F-69287r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n\n If local users other than the accounts listed below exist on a workstation in a\n domain, this is a finding.\n\n Built-in Administrator account (Disabled)\n Built-in Guest account (Disabled)\n Built-in DefaultAccount (Disabled)\n Built-in defaultuser0 (Disabled)\n Built-in WDAGUtilityAccount (Disabled)\n Local administrator account(s)\n\n All of the built-in accounts may not exist on a system, depending on the\n Windows 10 version.\"\n\n desc 'fix', \"Limit local user accounts on domain-joined systems. 
Remove any\n unauthorized local accounts.\"\n\n admin_script = <<-EOH\n $convert_json = Get-LocalUser -Name \"*Administrator*\" | ConvertTo-Json\n $convert_out_json = ConvertFrom-Json -InputObject $convert_json\n $select_object_admin = $convert_out_json.Enabled\n write-output $select_object_admin\n EOH\n\n guest_script = <<-EOH\n $convert_json = Get-LocalUser -Name \"Guest\" | ConvertTo-Json\n $convert_out_json = ConvertFrom-Json -InputObject $convert_json\n $select_object_guest = $convert_out_json.Enabled\n write-output $select_object_guest\n EOH\n\n default_account_script = <<-EOH\n $convert_json = Get-LocalUser -Name \"*DefaultAccount*\" | ConvertTo-Json\n $convert_out_json = ConvertFrom-Json -InputObject $convert_json\n $select_object_default_account = $convert_out_json.Enabled\n write-output $select_object_default_account\n EOH\n\n wdagutacc_script = <<-EOH\n $convert_json = Get-LocalUser -Name \"*WDAGUtilityAccount*\" | ConvertTo-Json\n $convert_out_json = ConvertFrom-Json -InputObject $convert_json\n $select_object_wdagutacc = $convert_out_json.Enabled\n write-output $select_object_wdagutacc\n EOH\n\n describe 'Administrator built-in account needs to be disabled as part of security' do\n subject { powershell(admin_script).strip }\n it { should_not eq 'True' }\n end\n describe 'Guest built-in account needs to be disabled as part of security' do\n subject { powershell(guest_script).strip }\n it { should_not eq 'True' }\n end\n describe 'Default Account built-in account needs to be disabled as part of security' do\n subject { powershell(default_account_script).strip }\n it { should_not eq 'True' }\n end\n describe 'WDAGUtilityAccount built-in account needs to be disabled as part of security' do\n subject { powershell(wdagutacc_script).strip }\n it { should_not eq 'True' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-72765.rb", - "line": 2 + "ref": "./Windows 10 STIG/controls/V-63367.rb", + "line": 3 }, - "id": "V-72765" + "id": 
"V-63367" }, { - "title": "Alternate operating systems must not be permitted on the same system.", - "desc": "Allowing other operating systems to run on a secure system may allow\n security to be circumvented.", + "title": "The system must be configured to audit System - Security System\n Extension successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.", "descriptions": { - "default": "Allowing other operating systems to run on a secure system may allow\n security to be circumvented.", - "check": "Verify the system does not include other operating system\n installations.\n\n Run \"Advanced System Settings\".\n Select the \"Advanced\" tab.\n Click the \"Settings\" button in the \"Startup and Recovery\" section.\n\n If the drop-down list box \"Default operating system:\" shows any operating\n system other than Windows 10, this is a finding.", - "fix": "Ensure Windows 10 is the only operating system on a device. Remove\n alternate operating systems." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> Security System Extension - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit Security System Extension\" with\n \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000055", - "gid": "V-63355", - "rid": "SV-77845r1_rule", - "stig_id": "WN10-00-000055", - "fix_id": "F-69275r1_fix", + "gtitle": "WN10-AU-000150", + "gid": "V-63513", + "rid": "SV-78003r1_rule", + "stig_id": "WN10-AU-000150", + "fix_id": "F-69443r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
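Review bot: The V-63367 `code` only asserts that four built-in accounts are disabled and never enumerates local users, so the STIG condition it claims to check — no local accounts other than the listed built-ins and local administrator accounts on a domain-joined workstation — is not evaluated, and an unauthorized enabled local user passes. The wildcard in `Get-LocalUser -Name "*Administrator*"` also matches any account whose name contains that string; with two matches `ConvertTo-Json` emits an array and `write-output` prints one line per element, so `should_not eq 'True'` passes even when one of them is enabled, and an absent account (empty output) passes the same way. I would keep the disabled-state checks but add an enumeration of enabled local users minus the allowed names, roughly as in the Ruby below (this is the control's `code` string); the authorized local admin names would need a new profile input, and systems that are not domain-joined should be skipped as NA since the STIG text is scoped to workstations in a domain.
```ruby
  # … unchanged: title/desc/tags, built-in account disabled-state checks …

  # STIG check text: no enabled local users other than the built-ins and authorized
  # local administrator accounts may exist on a domain-joined workstation.
  local_users_script = <<-EOH
    Get-LocalUser | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name | ConvertTo-Json
  EOH
  allowed_local_accounts = %w[Administrator Guest DefaultAccount defaultuser0 WDAGUtilityAccount] +
                           Array(input('local_administrator_accounts')) # new input: authorized local admins
  raw_users = powershell(local_users_script).stdout.strip
  enabled_local_users = raw_users.empty? ? [] : Array(json(content: raw_users).params)

  describe 'Enabled local user accounts other than built-ins and authorized local administrators' do
    subject { enabled_local_users - allowed_local_accounts }
    it { should be_empty }
  end
```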
@@ -426,63 +428,72 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63355' do\n title 'Alternate operating systems must not be permitted on the same system.'\n desc \"Allowing other operating systems to run on a secure system may allow\n security to be circumvented.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000055'\n tag gid: 'V-63355'\n tag rid: 'SV-77845r1_rule'\n tag stig_id: 'WN10-00-000055'\n tag fix_id: 'F-69275r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the system does not include other operating system\n installations.\n\n Run \\\"Advanced System Settings\\\".\n Select the \\\"Advanced\\\" tab.\n Click the \\\"Settings\\\" button in the \\\"Startup and Recovery\\\" section.\n\n If the drop-down list box \\\"Default operating system:\\\" shows any operating\n system other than Windows 10, this is a finding.\"\n\n desc \"fix\", \"Ensure Windows 10 is the only operating system on a device. Remove\n alternate operating systems.\"\n\n describe command(\"bcdedit | Findstr description | Findstr /v /c:'Windows Boot Manager'\") do\n its('stdout') { should eq \"description Windows 10\\r\\n\" }\n end\nend\n", + "code": "control 'V-63513' do\n title \"The system must be configured to audit System - Security System\n Extension successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000150'\n tag gid: 'V-63513'\n tag rid: 'SV-78003r1_rule'\n tag stig_id: 'WN10-AU-000150'\n tag fix_id: 'F-69443r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> Security System Extension - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit Security System Extension\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Security System Extension') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security System Extension') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63355.rb", + "ref": "./Windows 10 STIG/controls/V-63513.rb", "line": 3 }, - "id": "V-63355" + "id": "V-63513" }, { - "title": "Windows 10 Kernel (Direct Memory Access) DMA Protection must be\nenabled.", - "desc": "Kernel DMA Protection to protect PCs against drive-by Direct Memory\nAccess (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3\nports. Drive-by DMA attacks can lead to disclosure of sensitive information\nresiding on a PC, or even injection of malware that allows attackers to bypass\nthe lock screen or control PCs remotely.", + "title": "The Change the system time user right must only be assigned to\n Administrators and Local Service.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Change the system time\" user right can change the\n system time, which can impact authentication, as well as affect time stamps on\n event log entries.", "descriptions": { - "default": "Kernel DMA Protection to protect PCs against drive-by Direct Memory\nAccess (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3\nports. 
Drive-by DMA attacks can lead to disclosure of sensitive information\nresiding on a PC, or even injection of malware that allows attackers to bypass\nthe lock screen or control PCs remotely.", - "rationale": "", - "check": "This is NA prior to v1803 of Windows 10.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\Software\\Policies\\Microsoft\\Windows\\Kernel DMA\nProtection\n\n Value Name: DeviceEnumerationPolicy\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Kernel DMA Protection >> \"Enumeration\npolicy for external devices incompatible with Kernel DMA Protection\" to\n\"Enabled\" with \"Enumeration Policy\" set to \"Block All\"." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Change the system time\" user right can change the\n system time, which can impact authentication, as well as affect time stamps on\n event log entries.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Change the\n system time\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Change the system time\" to only include the following groups or accounts:\n\n Administrators\n LOCAL SERVICE" }, "impact": 0.5, "refs": [], "tags": { - "severity": null, - "gtitle": "WN10-EP-000310", - "gid": "V-99557", - "rid": "SV-108661r1_rule", - "stig_id": 
"WN10-EP-000310", - "fix_id": "F-105241r4_fix", + "severity": "medium", + "gtitle": "WN10-UR-000035", + "gid": "V-63855", + "rid": "SV-78345r1_rule", + "stig_id": "WN10-UR-000035", + "fix_id": "F-69783r1_fix", "cci": [ - "CCI-001090" + "CCI-002235" ], "nist": [ - "SC-4", + "AC-6 (10)", "Rev_4" - ] + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null }, - "code": "control \"V-99557\" do\n title \"Windows 10 Kernel (Direct Memory Access) DMA Protection must be\nenabled.\"\n desc \"Kernel DMA Protection to protect PCs against drive-by Direct Memory\nAccess (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3\nports. Drive-by DMA attacks can lead to disclosure of sensitive information\nresiding on a PC, or even injection of malware that allows attackers to bypass\nthe lock screen or control PCs remotely.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-EP-000310\"\n tag gid: \"V-99557\"\n tag rid: \"SV-108661r1_rule\"\n tag stig_id: \"WN10-EP-000310\"\n tag fix_id: \"F-105241r4_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"This is NA prior to v1803 of Windows 10.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Kernel DMA\nProtection\n\n Value Name: DeviceEnumerationPolicy\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Kernel DMA Protection >> \\\"Enumeration\npolicy for external devices incompatible with Kernel DMA Protection\\\" to\n\\\"Enabled\\\" with \\\"Enumeration Policy\\\" set to 
\\\"Block All\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1803'\n impact 0.0\n describe 'This setting requires v1507 does not include this setting; it is NA for version.' do\n skip 'This setting requires v1507 does not include this setting; it is NA for version.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Kernel DMA Protection') do\n it { should have_property 'DeviceEnumerationPolicy' }\n its('DeviceEnumerationPolicy') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-63855' do\n title \"The Change the system time user right must only be assigned to\n Administrators and Local Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Change the system time\\\" user right can change the\n system time, which can impact authentication, as well as affect time stamps on\n event log entries.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000035'\n tag gid: 'V-63855'\n tag rid: 'SV-78345r1_rule'\n tag stig_id: 'WN10-UR-000035'\n tag fix_id: 'F-69783r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Change the\n system time\\\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\"\n\n desc 
\"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Change the system time\\\" to only include the following groups or accounts:\n\n Administrators\n LOCAL SERVICE\"\n\n describe security_policy do\n its('SeSystemtimePrivilege') { should be_in ['S-1-5-32-544', 'S-1-5-19'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99557.rb", + "ref": "./Windows 10 STIG/controls/V-63855.rb", "line": 3 }, - "id": "V-99557" + "id": "V-63855" }, { - "title": "Hardened UNC Paths must be defined to require mutual authentication\n and integrity for at least the \\\\*\\SYSVOL and \\\\*\\NETLOGON shares.", - "desc": "Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in Hardened UNC paths before allowing access\n them. This aids in preventing tampering with or spoofing of connections to\n these paths.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for firefox.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in Hardened UNC paths before allowing access\n them. 
This aids in preventing tampering with or spoofing of connections to\n these paths.", - "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths\\\n\n Value Name: \\\\*\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Provider >> \"Hardened UNC\n Paths\" to \"Enabled\" with at least the following configured in \"Hardened UNC\n Paths:\" (click the \"Show\" button to display).\n\n Value Name: \\\\*\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1" + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name firefox.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Override DEP: False\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for firefox.exe:\n\n DEP:\n Override DEP: False\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000050", - "gid": "V-63577", - "rid": "SV-78067r1_rule", - "stig_id": "WN10-CC-000050", - "fix_id": "F-69507r1_fix", + "gtitle": "WN10-EP-000110", + "gid": "V-77205", + "rid": "SV-91901r3_rule", + "stig_id": "WN10-EP-000110", + "fix_id": "F-86915r1_fix", "cci": [ "CCI-000366" ], 
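Review bot: In the V-63513 `code` the two-branch `describe.one` exists only to accept either 'Success' or 'Success and Failure' for the same `audit_policy` key; the neighbouring V-63855 control already uses `be_in`, so the same intent reads as one assertion: `describe audit_policy do` / `its('Security System Extension') { should be_in ['Success', 'Success and Failure'] }` / `end`. The same control mixes `desc "check"` / `desc "fix"` with the single-quoted strings used for every tag in the block; one quoting style per control would match V-63855 and V-77205. For V-63855, if `security_policy` yields nil when the right is assigned to nobody (not verifiable from here), `be_in` would fail a blank assignment that the STIG text treats as compliant — worth confirming against the resource before relying on it.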
@@ -501,68 +512,87 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63577' do\n title \"Hardened UNC Paths must be defined to require mutual authentication\n and integrity for at least the \\\\\\\\*\\\\SYSVOL and \\\\\\\\*\\\\NETLOGON shares.\"\n desc \"Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in Hardened UNC paths before allowing access\n them. This aids in preventing tampering with or spoofing of connections to\n these paths.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000050'\n tag gid: 'V-63577'\n tag rid: 'SV-78067r1_rule'\n tag stig_id: 'WN10-CC-000050'\n tag fix_id: 'F-69507r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\NetworkProvider\\\\HardenedPaths\\\\\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Provider >> \\\"Hardened UNC\n Paths\\\" to \\\"Enabled\\\" with at least the following configured in \\\"Hardened UNC\n Paths:\\\" (click the \\\"Show\\\" button to display).\n\n Value 
Name: \\\\\\\\*\\\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n keyvalue_netlogon = '\\\\\\\\*\\\\NETLOGON'\n keyvalue_sysvol = '\\\\\\\\*\\\\SYSVOL'\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n elsif\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths') do\n it { should have_property keyvalue_sysvol.gsub('\\\\', '\\\\\\\\\\\\\\\\') }\n its (keyvalue_sysvol.gsub('\\\\', '\\\\\\\\\\\\\\\\')) { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1'}\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths') do\n it { should have_property keyvalue_netlogon.gsub('\\\\', '\\\\\\\\\\\\\\\\') }\n its (keyvalue_netlogon.gsub('\\\\', '\\\\\\\\\\\\\\\\')) { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1'}\n end\n end\nend\n", + "code": "control 'V-77205' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for firefox.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000110'\n tag gid: 'V-77205'\n tag rid: 'SV-91901r3_rule'\n tag stig_id: 'WN10-EP-000110'\n tag fix_id: 'F-86915r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name firefox.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Override DEP: False\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for firefox.exe:\n\n DEP:\n Override DEP: False\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name firefox.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be enabled on Firefox' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n\n aslr = json( command: 'Get-ProcessMitigation -Name firefox.exe | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Firefox' do\n subject { aslr }\n its(['BottomUp']) { should_not eq '2' }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63577.rb", + "ref": "./Windows 10 STIG/controls/V-77205.rb", "line": 3 }, - "id": "V-63577" + "id": "V-77205" }, { - "title": "Windows 10 must be configured to audit Detailed File Share Failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Detailed File Share allows you to audit attempts to access files and\nfolders on a shared folder.\n The Detailed File Share setting logs an event every time a file or folder\nis accessed, whereas the File Share setting only records one event for any\nconnection established between a client and file share. 
Detailed File Share\naudit events include detailed information about the permissions or other\ncriteria used to grant or deny access.", + "title": "The Lock pages in memory user right must not be assigned to any groups\n or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Lock pages in memory\" user right allows physical memory to be\n assigned to processes, which could cause performance issues or a DoS.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Detailed File Share allows you to audit attempts to access files and\nfolders on a shared folder.\n The Detailed File Share setting logs an event every time a file or folder\nis accessed, whereas the File Share setting only records one event for any\nconnection established between a client and file share. Detailed File Share\naudit events include detailed information about the permissions or other\ncriteria used to grant or deny access.", - "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Object Access >> Detailed File Share - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> “Detailed File Share\" with\n\"Failure\" selected." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Lock pages in memory\" user right allows physical memory to be\n assigned to processes, which could cause performance issues or a DoS.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Lock pages in memory\" user right,\n this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Lock pages in memory\" to be defined but containing no entries (blank)." 
}, "impact": 0.5, "refs": [], "tags": { - "severity": null, - "gtitle": "WN10-AU-000570", - "gid": "V-99545", - "rid": "SV-108649r1_rule", - "stig_id": "WN10-AU-000570", - "fix_id": "F-105229r1_fix", + "severity": "medium", + "gtitle": "WN10-UR-000125", + "gid": "V-63925", + "rid": "SV-78415r1_rule", + "stig_id": "WN10-UR-000125", + "fix_id": "F-69853r1_fix", "cci": [ - "CCI-000130" + "CCI-002235" ], "nist": [ - "AU-3", + "AC-6 (10)", "Rev_4" - ] + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null }, - "code": "control \"V-99545\" do\n title \"Windows 10 must be configured to audit Detailed File Share Failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Detailed File Share allows you to audit attempts to access files and\nfolders on a shared folder.\n The Detailed File Share setting logs an event every time a file or folder\nis accessed, whereas the File Share setting only records one event for any\nconnection established between a client and file share. 
Detailed File Share\naudit events include detailed information about the permissions or other\ncriteria used to grant or deny access.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000570\"\n tag gid: \"V-99545\"\n tag rid: \"SV-108649r1_rule\"\n tag stig_id: \"WN10-AU-000570\"\n tag fix_id: \"F-105229r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Object Access >> Detailed File Share - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> “Detailed File Share\\\" with\n\\\"Failure\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('Detailed File Share') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Detailed File Share') { should eq 'Success and Failure' }\n end\n end\nend", + "code": "control 'V-63925' do\n title \"The Lock pages in memory user right must not be assigned to any groups\n or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Lock pages in memory\\\" user right allows physical memory to be\n assigned to processes, which could cause performance issues or a DoS.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 
'WN10-UR-000125'\n tag gid: 'V-63925'\n tag rid: 'SV-78415r1_rule'\n tag stig_id: 'WN10-UR-000125'\n tag fix_id: 'F-69853r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Lock pages in memory\\\" user right,\n this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Lock pages in memory\\\" to be defined but containing no entries (blank).\"\n\n describe security_policy do\n its('SeLockMemoryPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99545.rb", + "ref": "./Windows 10 STIG/controls/V-63925.rb", "line": 3 }, - "id": "V-99545" + "id": "V-63925" }, { - "title": "Caching of logon credentials must be limited.", - "desc": "The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. 
Even though the\n credential cache is well-protected, if a system is attacked, an unauthorized\n individual may isolate the password to a domain user account using a\n password-cracking program and gain access to the domain.", + "title": "The Windows dialog box title for the legal banner must be configured.", + "desc": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.", "descriptions": { - "default": "The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. Even though the\n credential cache is well-protected, if a system is attacked, an unauthorized\n individual may isolate the password to a domain user account using a\n password-cracking program and gain access to the domain.", - "check": "This is the default configuration for this setting (10 logons to\n cache).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 10 (or less)\n\n This setting only applies to domain-joined systems, however, it is configured\n by default on all systems.", - "fix": "This is the default configuration for this setting (10 logons to\n cache).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> \"Interactive logon:\n Number of previous logons to cache (in case domain controller is not\n available)\" to \"10\" logons or less.\n\n This setting only applies to domain-joined systems, however, it is configured\n by default on all systems." 
+ "default": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title above\n\n \"DoD Notice and Consent Banner\", \"US Department of Defense Warning\n Statement\" or a site-defined equivalent, this is a finding.\n\n If a site-defined title is used, it can in no case contravene or modify the\n language of the banner text required in WN10-SO-000075.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Interactive logon: Message title for users attempting to log on\" to \"DoD\n Notice and Consent Banner\", \"US Department of Defense Warning Statement\", or\n a site-defined equivalent.\n\n If a site-defined title is used, it can in no case contravene or modify the\n language of the banner text required in WN10-SO-000075." }, "impact": 0.3, "refs": [], "tags": { "severity": "low", - "gtitle": "WN10-SO-000085", - "gid": "V-63687", - "rid": "SV-78177r1_rule", - "stig_id": "WN10-SO-000085", - "fix_id": "F-69615r1_fix", + "gtitle": "WN10-SO-000080", + "gid": "V-63681", + "rid": "SV-78171r1_rule", + "stig_id": "WN10-SO-000080", + "fix_id": "F-69609r1_fix", "cci": [ - "CCI-000366" + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" ], "nist": [ - "CM-6 b", + "AC-8 a", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c3", "Rev_4" ], "false_negatives": null, 
@@ -576,37 +606,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63687' do\n title 'Caching of logon credentials must be limited.'\n desc \"The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. Even though the\n credential cache is well-protected, if a system is attacked, an unauthorized\n individual may isolate the password to a domain user account using a\n password-cracking program and gain access to the domain.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000085'\n tag gid: 'V-63687'\n tag rid: 'SV-78177r1_rule'\n tag stig_id: 'WN10-SO-000085'\n tag fix_id: 'F-69615r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"This is the default configuration for this setting (10 logons to\n cache).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 10 (or less)\n\n This setting only applies to domain-joined systems, however, it is configured\n by default on all systems.\"\n \n desc \"fix\", \"This is the default configuration for this setting (10 logons to\n cache).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> \\\"Interactive logon:\n Number of 
previous logons to cache (in case domain controller is not\n available)\\\" to \\\"10\\\" logons or less.\n\n This setting only applies to domain-joined systems, however, it is configured\n by default on all systems.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon') do\n it { should have_property 'CachedLogonsCount' }\n its('CachedLogonsCount') { should cmp <= 10 }\n end\nend\n", + "code": "control 'V-63681' do\n title 'The Windows dialog box title for the legal banner must be configured.'\n desc \"Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000080'\n tag gid: 'V-63681'\n tag rid: 'SV-78171r1_rule'\n tag stig_id: 'WN10-SO-000080'\n tag fix_id: 'F-69609r1_fix'\n tag cci: %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388]\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c3', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title above\n\n \\\"DoD Notice and Consent Banner\\\", \\\"US Department of Defense Warning\n Statement\\\" or a site-defined equivalent, this is a finding.\n\n If a site-defined title is used, it can in no case contravene or modify the\n language of the banner text required in WN10-SO-000075.\"\n\n desc 
\"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Interactive logon: Message title for users attempting to log on\\\" to \\\"DoD\n Notice and Consent Banner\\\", \\\"US Department of Defense Warning Statement\\\", or\n a site-defined equivalent.\n\n If a site-defined title is used, it can in no case contravene or modify the\n language of the banner text required in WN10-SO-000075.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'LegalNoticeCaption' }\n end\n\n key = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System').LegalNoticeCaption.to_s\n\n legal_notice_caption = input('LegalNoticeCaption')\n\n describe 'The required legal notice caption' do\n subject { key.scan(/[\\w().;,!]/).join }\n it { should cmp legal_notice_caption.scan(/[\\w().;,!]/).join }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63687.rb", + "ref": "./Windows 10 STIG/controls/V-63681.rb", "line": 3 }, - "id": "V-63687" + "id": "V-63681" }, { - "title": "The system must be configured to audit Logon/Logoff - Logoff\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. 
If it is to a network share, it is recorded on\n the system accessed.", + "title": "Remote calls to the Security Account Manager (SAM) must be restricted\n to Administrators.", + "desc": "The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting remote rpc connections to the SAM to Administrators helps protect\n those credentials.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. If it is to a network share, it is recorded on\n the system accessed.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logoff - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Logoff\" with \"Success\" selected." 
+ "default": "The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting remote rpc connections to the SAM to Administrators helps protect\n those credentials.", + "check": "Windows 10 v1507 LTSB version does not include this setting, it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)", + "fix": "Navigate to the policy Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options >> \"Network access:\n Restrict clients allowed to make remote calls to SAM\".\n\n Select \"Edit Security\" to configure the \"Security descriptor:\".\n\n Add \"Administrators\" in \"Group or user names:\" if it is not already listed\n (this is the default).\n\n Select \"Administrators\" in \"Group or user names:\".\n\n Select \"Allow\" for \"Remote Access\" in \"Permissions for \"Administrators\".\n\n Click \"OK\".\n\n The \"Security descriptor:\" must be populated with \"O:BAG:BAD:(A;;RC;;;BA)\n for the policy to be enforced." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000065", - "gid": "V-63459", - "rid": "SV-77951r1_rule", - "stig_id": "WN10-AU-000065", - "fix_id": "F-69387r1_fix", + "gtitle": "WN10-SO-000167", + "gid": "V-71769", + "rid": "SV-86393r3_rule", + "stig_id": "WN10-SO-000167", + "fix_id": "F-78121r3_fix", "cci": [ - "CCI-000067", - "CCI-000172" + "CCI-002235" ], "nist": [ - "AC-17 (1)", - "AU-12 c", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
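Review bot: The V-63681 control code added in this hunk carries a NIST mapping that repeats `AC-8 c 2` three times and writes the last entry as `AC-8 c3`, without the separator used by `AC-8 c 1` and `AC-8 c 2`, so anything that groups findings by NIST control id will double-count this control and split `c3` from `c 3`; the intended list reads `tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3', 'Rev_4']` (if the repeats mirror a one-entry-per-CCI mapping for CCI-001385..001387, dedupe at export time rather than by hand). Because this JSON embeds the control source verbatim with a `source_location` pointing at `./Windows 10 STIG/controls/V-63681.rb`, the correction belongs in that file followed by a regenerated baseline, not in this artifact. Separately, the caption check reduces both strings to the characters `[\w().;,!]` and compares them with `cmp`, which as far as I recall is case-insensitive for strings, so a title that differs from `input('LegalNoticeCaption')` only in case, whitespace, hyphens or apostrophes passes; if that tolerance is deliberate to absorb GPO formatting, a one-line comment such as `# Compare ignoring case/whitespace: GPO may reflow the caption` would stop the next maintainer from tightening it by accident. The V-71769 control object whose title and descriptions change at the end of this hunk continues into the next hunk, so its code is not reviewed here.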
@@ -620,87 +648,68 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63459' do\n title \"The system must be configured to audit Logon/Logoff - Logoff\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. If it is to a network share, it is recorded on\n the system accessed.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000065'\n tag gid: 'V-63459'\n tag rid: 'SV-77951r1_rule'\n tag stig_id: 'WN10-AU-000065'\n tag fix_id: 'F-69387r1_fix'\n tag cci: %w[CCI-000067 CCI-000172]\n tag nist: ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logoff - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Logoff\\\" with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Logoff') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logoff') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-71769' do\n title \"Remote calls to the Security Account Manager (SAM) must be restricted\n to Administrators.\"\n desc \"The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting remote rpc connections to the SAM to Administrators helps protect\n those credentials.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000167'\n tag gid: 'V-71769'\n tag rid: 'SV-86393r3_rule'\n tag stig_id: 'WN10-SO-000167'\n tag fix_id: 'F-78121r3_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Windows 10 v1507 LTSB version does not include this setting, it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)\"\n \n desc \"fix\", \"Navigate to the policy Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options >> \\\"Network access:\n Restrict 
clients allowed to make remote calls to SAM\\\".\n\n Select \\\"Edit Security\\\" to configure the \\\"Security descriptor:\\\".\n\n Add \\\"Administrators\\\" in \\\"Group or user names:\\\" if it is not already listed\n (this is the default).\n\n Select \\\"Administrators\\\" in \\\"Group or user names:\\\".\n\n Select \\\"Allow\\\" for \\\"Remote Access\\\" in \\\"Permissions for \\\"Administrators\\\".\n\n Click \\\"OK\\\".\n\n The \\\"Security descriptor:\\\" must be populated with \\\"O:BAG:BAD:(A;;RC;;;BA)\n for the policy to be enforced.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId != '1507'\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'RestrictRemoteSAM' }\n its('RestrictRemoteSAM') { should cmp 'O:BAG:BAD:(A;;RC;;;BA)' }\n end\n else\n impact 0.0\n describe 'Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems.' do\n skip 'Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63459.rb", + "ref": "./Windows 10 STIG/controls/V-71769.rb", "line": 3 }, - "id": "V-63459" + "id": "V-71769" }, { - "title": "The Windows dialog box title for the legal banner must be configured.", - "desc": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.", + "title": "Windows 10 must be configured to audit Other Policy Change Events\nFailures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.", "descriptions": { - "default": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title above\n\n \"DoD Notice and Consent Banner\", \"US Department of Defense Warning\n Statement\" or a site-defined equivalent, this is a finding.\n\n If a site-defined title is used, it can in no case contravene or modify the\n language of the banner text required in WN10-SO-000075.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Interactive logon: Message title for users attempting to log on\" to \"DoD\n Notice and Consent Banner\", \"US Department of Defense Warning Statement\", or\n a site-defined equivalent.\n\n If a site-defined title is used, it can in no case contravene or modify the\n language of the banner text required in WN10-SO-000075." 
+ "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.", + "rationale": "", + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> Other Policy Change Events - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change>> \"Audit Other Policy Change Events\"\nwith \"Failure\" selected." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-SO-000080", - "gid": "V-63681", - "rid": "SV-78171r1_rule", - "stig_id": "WN10-SO-000080", - "fix_id": "F-69609r1_fix", + "severity": null, + "gtitle": "WN10-AU-000555", + "gid": "V-99553", + "rid": "SV-108657r1_rule", + "stig_id": "WN10-AU-000555", + "fix_id": "F-105237r1_fix", "cci": [ - "CCI-000048", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-000130" ], "nist": [ - "AC-8 a", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c3", + "AU-3", "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null + ] }, - "code": "control 'V-63681' do\n title 'The Windows dialog box title for the legal banner must be configured.'\n desc \"Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000080'\n tag gid: 'V-63681'\n tag rid: 'SV-78171r1_rule'\n tag stig_id: 'WN10-SO-000080'\n tag fix_id: 'F-69609r1_fix'\n tag cci: %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388]\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c3', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n 
\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title above\n\n \\\"DoD Notice and Consent Banner\\\", \\\"US Department of Defense Warning\n Statement\\\" or a site-defined equivalent, this is a finding.\n\n If a site-defined title is used, it can in no case contravene or modify the\n language of the banner text required in WN10-SO-000075.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Interactive logon: Message title for users attempting to log on\\\" to \\\"DoD\n Notice and Consent Banner\\\", \\\"US Department of Defense Warning Statement\\\", or\n a site-defined equivalent.\n\n If a site-defined title is used, it can in no case contravene or modify the\n language of the banner text required in WN10-SO-000075.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'LegalNoticeCaption' }\n end\n\n key = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System').LegalNoticeCaption.to_s\n\n legal_notice_caption = input('LegalNoticeCaption')\n\n describe 'The required legal notice caption' do\n subject { key.scan(/[\\w().;,!]/).join }\n it { should cmp legal_notice_caption.scan(/[\\w().;,!]/).join }\n end\nend\n", + "code": "control \"V-99553\" do\n title \"Windows 10 must be configured to audit Other Policy Change Events\nFailures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000555\"\n tag gid: \"V-99553\"\n tag rid: \"SV-108657r1_rule\"\n tag stig_id: \"WN10-AU-000555\"\n tag fix_id: \"F-105237r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Policy Change >> Other Policy Change Events - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change>> \\\"Audit Other Policy Change Events\\\"\nwith \\\"Failure\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('Other Policy Change Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other Policy Change Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63681.rb", + "ref": "./Windows 10 STIG/controls/V-99553.rb", "line": 3 }, - "id": "V-63681" + "id": "V-99553" }, { - "title": "The Perform volume maintenance tasks user right must only be assigned\n to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Perform volume maintenance tasks\" user right can\n manage volume and disk configurations. They could potentially delete volumes,\n resulting in, data loss or a DoS.", + "title": "The system must be configured to audit Object Access - Removable\n Storage failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Perform volume maintenance tasks\" user right can\n manage volume and disk configurations. They could potentially delete volumes,\n resulting in, data loss or a DoS.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Perform\n volume maintenance tasks\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Perform volume maintenance tasks\" to only include the following groups or\n accounts:\n\n Administrators" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Object Access >> Removable Storage - Failure\n\n Some virtual machines may generate excessive audit events for access to the\n virtual hard disk itself when this setting is enabled. This may be set to Not\n Configured in such cases and would not be a finding. This must be documented\n with the ISSO to include mitigations such as monitoring or restricting any\n actual removable storage connected to the VM.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit Removable Storage\" with \"Failure\"\n selected." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-UR-000145",
- "gid": "V-63933",
- "rid": "SV-78423r1_rule",
- "stig_id": "WN10-UR-000145",
- "fix_id": "F-69861r1_fix",
+ "gtitle": "WN10-AU-000085",
+ "gid": "V-63471",
+ "rid": "SV-77961r2_rule",
+ "stig_id": "WN10-AU-000085",
+ "fix_id": "F-69401r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-000172"
 ],
 "nist": [
- "AC-6 (10)",
+ "AU-12 c",
 "Rev_4"
 ],
 "false_negatives": null,
@@ -714,12 +723,12 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63933' do\n title \"The Perform volume maintenance tasks user right must only be assigned\n to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Perform volume maintenance tasks\\\" user right can\n manage volume and disk configurations. They could potentially delete volumes,\n resulting in, data loss or a DoS.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000145'\n tag gid: 'V-63933'\n tag rid: 'SV-78423r1_rule'\n tag stig_id: 'WN10-UR-000145'\n tag fix_id: 'F-69861r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Perform\n volume maintenance tasks\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Perform volume maintenance tasks\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeManageVolumePrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63471' do\n title \"The system must be configured to audit Object Access - Removable\n Storage failures.\"\n 
desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000085'\n tag gid: 'V-63471'\n tag rid: 'SV-77961r2_rule'\n tag stig_id: 'WN10-AU-000085'\n tag fix_id: 'F-69401r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Object Access >> Removable Storage - Failure\n\n Some virtual machines may generate excessive audit events for access to the\n virtual hard disk itself when this setting is enabled. This may be set to Not\n Configured in such cases and would not be a finding. 
This must be documented\n with the ISSO to include mitigations such as monitoring or restricting any\n actual removable storage connected to the VM.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 10 STIG/controls/V-63933.rb",
+ "ref": "./Windows 10 STIG/controls/V-63471.rb",
 "line": 3
 },
- "id": "V-63933"
+ "id": "V-63471"
 },
 {
 "title": "The system must be configured to meet the minimum session security\n requirement for NTLM SSP based clients.",
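Review bot: The new V-63471 code cannot express the exception its own check text grants: the text says a VM that generates excessive events for its virtual hard disk "may be set to Not Configured in such cases and would not be a finding" once documented with the ISSO, yet the `describe.one` block over `audit_policy` accepts only 'Failure' or 'Success and Failure', so such a host is always reported as a finding and the operator has no input to set. V-77233's code later in this diff already uses an input-gated `impact 0.0` plus `skip` for a comparable waiver, so the pattern is available in-profile. Until the control gets such an input, I would add above `describe.one do` the comment `# NOTE: the STIG allows 'Not Configured' on VMs when documented with the ISSO; this control has no input for that exception and will report a finding on such hosts`.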
@@ -764,22 +773,22 @@ "id": "V-63805" }, { - "title": "The Modify firmware environment values user right must only be\n assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Modify firmware environment values\" user right can\n change hardware configuration environment variables. This could result in\n hardware failures or a DoS.", + "title": "The Create symbolic links user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create symbolic links\" user right can create pointers\n to other objects, which could potentially expose the system to attack.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Modify firmware environment values\" user right can\n change hardware configuration environment variables. 
This could result in\n hardware failures or a DoS.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Modify\n firmware environment values\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Modify firmware environment values\" to only include the following groups or\n accounts:\n\n Administrators" + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create symbolic links\" user right can create pointers\n to other objects, which could potentially expose the system to attack.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Create\n symbolic links\" user right, this is a finding:\n\n Administrators\n\n If the workstation has an approved use of Hyper-V, such as being used as a\n dedicated admin workstation using Hyper-V to separate administration and\n standard user functions, \"NT VIRTUAL MACHINES\\VIRTUAL MACHINE\" may be\n assigned this user right and is not a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create symbolic links\" to only include the following groups or accounts:\n\n Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - 
"gtitle": "WN10-UR-000140",
- "gid": "V-63931",
- "rid": "SV-78421r1_rule",
- "stig_id": "WN10-UR-000140",
- "fix_id": "F-69859r1_fix",
+ "gtitle": "WN10-UR-000060",
+ "gid": "V-63865",
+ "rid": "SV-78355r2_rule",
+ "stig_id": "WN10-UR-000060",
+ "fix_id": "F-69793r1_fix",
 "cci": [
 "CCI-002235"
 ],
@@ -798,35 +807,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63931' do\n title \"The Modify firmware environment values user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Modify firmware environment values\\\" user right can\n change hardware configuration environment variables. This could result in\n hardware failures or a DoS.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000140'\n tag gid: 'V-63931'\n tag rid: 'SV-78421r1_rule'\n tag stig_id: 'WN10-UR-000140'\n tag fix_id: 'F-69859r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Modify\n firmware environment values\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Modify firmware environment values\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeSystemEnvironmentPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63865' do\n title \"The Create symbolic links user right must only be assigned to the\n Administrators 
group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Create symbolic links\\\" user right can create pointers\n to other objects, which could potentially expose the system to attack.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000060'\n tag gid: 'V-63865'\n tag rid: 'SV-78355r2_rule'\n tag stig_id: 'WN10-UR-000060'\n tag fix_id: 'F-69793r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Create\n symbolic links\\\" user right, this is a finding:\n\n Administrators\n\n If the workstation has an approved use of Hyper-V, such as being used as a\n dedicated admin workstation using Hyper-V to separate administration and\n standard user functions, \\\"NT VIRTUAL MACHINES\\\\VIRTUAL MACHINE\\\" may be\n assigned this user right and is not a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create symbolic links\\\" to only include the following groups or accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeCreateSymbolicLinkPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63931.rb", + "ref": "./Windows 10 
STIG/controls/V-63865.rb",
 "line": 3
 },
- "id": "V-63931"
+ "id": "V-63865"
 },
 {
- "title": "The Impersonate a client after authentication user right must only be\n assigned to Administrators, Service, Local Service, and Network Service.",
- "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Impersonate a client after authentication\" user right allows a\n program to impersonate another user or account to run on their behalf. An\n attacker could potentially use this to elevate privileges.",
+ "title": "Exploit Protection mitigations in Windows 10 must be configured for MSPUB.EXE.",
+ "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Impersonate a client after authentication\" user right allows a\n program to impersonate another user or account to run on their behalf. 
An\n attacker could potentially use this to elevate privileges.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the\n \"Impersonate a client after authentication\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Impersonate a client after authentication\" to only include the following\n groups or accounts:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE" + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name MSPUB.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for MSPUB.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000110", - "gid": "V-63889", - "rid": "SV-78379r1_rule", - "stig_id": "WN10-UR-000110", - "fix_id": "F-69817r1_fix", + "gtitle": "WN10-EP-000190", + "gid": "V-77233", + "rid": "SV-91929r3_rule", + "stig_id": "WN10-EP-000190", + "fix_id": "F-84361r4_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
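Review bot: `its('SeCreateSymbolicLinkPrivilege') { should eq ['S-1-5-32-544'] }` in the new V-63865 code is stricter than the check text it carries, which says `NT VIRTUAL MACHINES\VIRTUAL MACHINE` may hold this right when the workstation has an approved Hyper-V use; a host in that approved state is reported as a finding with no way to waive it, and the same check text is what the previous hunk puts into this control's `descriptions.check`. I would build the allowed SID list from an input and compare with the `be_in` matcher that V-63889's code in this file already uses for SeAuditPrivilege, as below; the well-known SID for that group is S-1-5-83-0 (confirm on the target), and the input name is only an example that needs a matching entry in the profile's inputs.
```ruby
  # … unchanged: title, desc, impact, tags, desc "check" / "fix" …
  allowed_sids = ['S-1-5-32-544'] # Administrators
  # The check text permits NT VIRTUAL MACHINES\VIRTUAL MACHINE only with an approved Hyper-V use;
  # 'hyperv_approved' is an example input name — add it to the profile's inputs.
  allowed_sids << 'S-1-5-83-0' if input('hyperv_approved') == 'true'
  describe security_policy do
    its('SeCreateSymbolicLinkPrivilege') { should be_in allowed_sids }
  end
```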
@@ -840,35 +849,39 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63889' do\n title \"The Impersonate a client after authentication user right must only be\n assigned to Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Impersonate a client after authentication\\\" user right allows a\n program to impersonate another user or account to run on their behalf. An\n attacker could potentially use this to elevate privileges.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000110'\n tag gid: 'V-63889'\n tag rid: 'SV-78379r1_rule'\n tag stig_id: 'WN10-UR-000110'\n tag fix_id: 'F-69817r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the\n \\\"Impersonate a client after authentication\\\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Impersonate a client after authentication\\\" to only include the following\n groups or accounts:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE\"\n\n describe security_policy do\n its('SeAuditPrivilege') { should 
be_in ['S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'] }\n end\nend\n", + "code": "control 'V-77233' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for MSPUB.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000190'\n tag gid: 'V-77233'\n tag rid: 'SV-91929r3_rule'\n tag stig_id: 'WN10-EP-000190'\n tag fix_id: 'F-84361r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name MSPUB.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for MSPUB.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n \n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name MSPUB.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Publisher' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name MSPUB.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Publisher' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name MSPUB.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Publisher' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63889.rb", + "ref": "./Windows 10 STIG/controls/V-77233.rb", "line": 3 }, - "id": "V-63889" + "id": "V-77233" }, { - "title": "Bluetooth must be turned off when not in use.", - "desc": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. 
If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.", + "title": "Windows 10 permissions for the Security event log must prevent access\n by non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.", "descriptions": { - "default": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.", - "check": "This is NA if the system does not have Bluetooth.\n\n Verify the organization has a policy to turn off Bluetooth when not in use and\n personnel are trained. If it does not, this is a finding.", - "fix": "Turn off Bluetooth radios when not in use. Establish an\n organizational policy for the use of Bluetooth to include training of\n personnel." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.", + "check": "Verify the permissions on the Security event log (Security.evtx).\n Standard user accounts or groups must not have access. 
The default permissions\n listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES\" has\n Special Permissions, this would not be a finding.", + "fix": "Ensure the permissions on the Security event log (Security.evtx)\n are configured to prevent standard user accounts or groups from having access.\n The default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000220", - "gid": "V-72767", - "rid": "SV-87405r1_rule", - "stig_id": "WN10-00-000220", - "fix_id": "F-79177r1_fix", + "gtitle": "WN10-AU-000520", + "gid": "V-63537", + "rid": "SV-78027r2_rule", + "stig_id": "WN10-AU-000520", + "fix_id": "F-69467r1_fix", "cci": [ - "CCI-000381" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "CM-7 a", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ], "false_negatives": null, 
@@ -882,96 +895,114 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-72767' do\n title 'Bluetooth must be turned off when not in use.'\n desc \"If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000220'\n tag gid: 'V-72767'\n tag rid: 'SV-87405r1_rule'\n tag stig_id: 'WN10-00-000220'\n tag fix_id: 'F-79177r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA if the system does not have Bluetooth.\n\n Verify the organization has a policy to turn off Bluetooth when not in use and\n personnel are trained. If it does not, this is a finding.\"\n desc \"fix\", \"Turn off Bluetooth radios when not in use. Establish an\n organizational policy for the use of Bluetooth to include training of\n personnel.\"\n\n if sys_info.manufacturer != 'VMware, Inc.'\n describe 'Turn off Bluetooth radios when not in use. Establish an organizational policy for the use of Bluetooth to include training of personnel' do\n skip 'This is NA if the system does not have Bluetooth'\n end\n else\n impact 0.0\n describe 'This is a VDI System; This Control is NA.' 
do\n skip 'This is a VDI System; This Control is NA'\n end\n end\nend\n", + "code": "control 'V-63537' do\n title \"Windows 10 permissions for the Security event log must prevent access\n by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000520'\n tag gid: 'V-63537'\n tag rid: 'SV-78027r2_rule'\n tag stig_id: 'WN10-AU-000520'\n tag fix_id: 'F-69467r1_fix'\n tag cci: %w[CCI-000162 CCI-000163 CCI-000164]\n tag nist: %w[AU-9 AU-9 AU-9 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the permissions on the Security event log (Security.evtx).\n Standard user accounts or groups must not have access. 
The default permissions\n listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \\\"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\\\" has\n Special Permissions, this would not be a finding.\"\n\n desc \"fix\", \"Ensure the permissions on the Security event log (Security.evtx)\n are configured to prevent standard user accounts or groups from having access.\n The default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n systemroot = system_root.strip\n\n describe file(\"#{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Security.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-72767.rb", + "ref": "./Windows 10 STIG/controls/V-63537.rb", "line": 3 }, - "id": "V-72767" + "id": "V-63537" }, { - "title": "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change\nSuccesses.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot 
service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).", + "title": "Exploit Protection mitigations in Windows 10 must be configured for\n POWERPNT.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).", - "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> MPSSVC Rule-Level Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy\nChange\" with \"Success\" selected." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name POWERPNT.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for POWERPNT.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
}, "impact": 0.5, "refs": [], "tags": { - "severity": null, - "gtitle": "WN10-AU-000575", - "gid": "V-99547", - "rid": "SV-108651r1_rule", - "stig_id": "WN10-AU-000575", - "fix_id": "F-105231r1_fix", + "severity": "medium", + "gtitle": "WN10-EP-000240", + "gid": "V-77247", + "rid": "SV-91943r3_rule", + "stig_id": "WN10-EP-000240", + "fix_id": "F-84503r5_fix", "cci": [ - "CCI-000130" + "CCI-000366" ], "nist": [ - "AU-3", + "CM-6 b", "Rev_4" - ] + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null }, - "code": "control \"V-99547\" do\n title \"Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change\nSuccesses.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000575\"\n tag gid: \"V-99547\"\n tag rid: \"SV-108651r1_rule\"\n tag stig_id: \"WN10-AU-000575\"\n tag fix_id: \"F-105231r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Policy Change >> MPSSVC Rule-Level Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy\nChange\\\" with \\\"Success\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('MPSSVC Rule-Level Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('MPSSVC Rule-Level Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-77247' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n POWERPNT.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000240'\n tag gid: 'V-77247'\n tag rid: 'SV-91943r3_rule'\n tag stig_id: 'WN10-EP-000240'\n tag fix_id: 'F-84503r5_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name POWERPNT.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do 
not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for POWERPNT.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name POWERPNT.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office PowerPoint' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name POWERPNT.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office PowerPoint' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name POWERPNT.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office PowerPoint' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end \n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99547.rb", + "ref": "./Windows 10 STIG/controls/V-77247.rb", "line": 3 }, - "id": "V-99547" + "id": "V-77247" }, { - "title": "Windows Ink Workspace configured but disallow 
access above the lock. ", - "desc": "Securing Windows Ink which contains application and features oriented\ntowards pen computing.", + "title": "Accounts must be configured to require password expiration.", + "desc": "Passwords that do not expire increase exposure with a greater\n probability of being discovered or cracked.", "descriptions": { - "default": "Securing Windows Ink which contains application and features oriented\ntowards pen computing.", - "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\Software\\Policies\\Microsoft\\WindowsInkWorkspace\n\n Value Name: AllowWindowsInkWorkspace\n Value Type: REG_DWORD\n Value data: 1", - "fix": "Disable the convenience PIN sign-in.\n\n If this needs to be corrected configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> Windows Ink\nWorkspace >> Set \" Allow Windows Ink Workspace\" to \"Enabled” Set Options\n‘On, but disallow access above lock”." + "default": "Passwords that do not expire increase exposure with a greater\n probability of being discovered or cracked.", + "check": "Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n Double click each active account.\n\n If \"Password never expires\" is selected for any account, this is a finding.", + "fix": "Configure all passwords to expire.\n Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n Double click each active account.\n Ensure \"Password never expires\" is not checked on all active accounts." 
}, "impact": 0.5, "refs": [], "tags": { - "severity": null, - "gtitle": "WN10-CC-000385", - "gid": "V-99561", - "rid": "SV-108665r1_rule", - "stig_id": "WN10-CC-000385", - "fix_id": "F-105245r1_fix", + "severity": "medium", + "gtitle": "WN10-00-000090", + "gid": "V-63371", + "rid": "SV-77861r1_rule", + "stig_id": "WN10-00-000090", + "fix_id": "F-69291r1_fix", "cci": [ - "CCI-000381" + "CCI-000199" ], "nist": [ - "CM-7 a", + "IA-5 (1) (d)", "Rev_4" - ] + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null }, - "code": "control \"V-99561\" do\n title \"Windows Ink Workspace configured but disallow access above the lock. \"\n desc \"Securing Windows Ink which contains application and features oriented\ntowards pen computing. \"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-CC-000385\"\n tag gid: \"V-99561\"\n tag rid: \"SV-108665r1_rule\"\n tag stig_id: \"WN10-CC-000385\"\n tag fix_id: \"F-105245r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\Software\\\\Policies\\\\Microsoft\\\\WindowsInkWorkspace\n\n Value Name: AllowWindowsInkWorkspace\n Value Type: REG_DWORD\n Value data: 1\"\n desc \"fix\", \"Disable the convenience PIN sign-in.\n\n If this needs to be corrected configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> Windows Ink\nWorkspace >> Set \\\" Allow Windows Ink Workspace\\\" to \\\"Enabled” Set Options\n‘On, but disallow access above lock”.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsInkWorkspace') 
do\n it { should have_property 'AllowWindowsInkWorkspace' }\n its('AllowWindowsInkWorkspace') { should cmp 1 }\n end\n end\n", + "code": "control 'V-63371' do\n title 'Accounts must be configured to require password expiration.'\n desc \"Passwords that do not expire increase exposure with a greater\n probability of being discovered or cracked.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000090'\n tag gid: 'V-63371'\n tag rid: 'SV-77861r1_rule'\n tag stig_id: 'WN10-00-000090'\n tag fix_id: 'F-69291r1_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n Double click each active account.\n\n If \\\"Password never expires\\\" is selected for any account, this is a finding.\"\n\n desc \"fix\", \"Configure all passwords to expire.\n Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n Double click each active account.\n Ensure \\\"Password never expires\\\" is not checked on all active accounts.\"\n\n describe command(\"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordExpires=False\n and LocalAccount=True and Disabled=False' | FT Name | Findstr /V 'Name --'\") do\n its('stdout') { should eq '' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99561.rb", + "ref": "./Windows 10 STIG/controls/V-63371.rb", "line": 3 }, - "id": "V-99561" + "id": "V-63371" }, { - "title": "Zone information must be preserved when saving attachments.", - "desc": "Preserving zone of origin (internet, intranet, local, restricted)\n information on file attachments allows Windows to determine 
risk.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for chrome.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Preserving zone of origin (internet, intranet, local, restricted)\n information on file attachments allows Windows to determine risk.", - "check": "The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"2\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)", - "fix": "The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If this needs to be corrected, configure the policy value for User\n Configuration >> Administrative Templates >> Windows Components >> Attachment\n Manager >> \"Do not preserve zone information in file attachments\" to \"Not\n Configured\" or \"Disabled\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name chrome.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for chrome.exe:\n\n DEP:\n OverrideDEP: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UC-000020", - "gid": "V-63841", - "rid": "SV-78331r2_rule", - "stig_id": "WN10-UC-000020", - "fix_id": "F-78717r1_fix", + "gtitle": "WN10-EP-000090", + "gid": "V-77195", + "rid": "SV-91891r3_rule", + "stig_id": "WN10-EP-000090", + "fix_id": "F-84333r4_fix", "cci": [ "CCI-000366" ], 
@@ -990,37 +1021,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63841' do\n title 'Zone information must be preserved when saving attachments.'\n desc \"Preserving zone of origin (internet, intranet, local, restricted)\n information on file attachments allows Windows to determine risk.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UC-000020'\n tag gid: 'V-63841'\n tag rid: 'SV-78331r2_rule'\n tag stig_id: 'WN10-UC-000020'\n tag fix_id: 'F-78717r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"2\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If this needs to be corrected, configure the policy value for User\n Configuration >> Administrative Templates >> Windows Components >> Attachment\n Manager >> \\\"Do not preserve zone information in file attachments\\\" to \\\"Not\n Configured\\\" or \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments') do\n it { should 
have_property 'SaveZoneInformation' }\n its('SaveZoneInformation') { should_not be 1 }\n end\n describe registry_key('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments') do\n it { should_not have_property 'SaveZoneInformation' }\n end\n end\nend\n", + "code": "control 'V-77195' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for chrome.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000090'\n tag gid: 'V-77195'\n tag rid: 'SV-91891r3_rule'\n tag stig_id: 'WN10-EP-000090'\n tag fix_id: 'F-84333r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name chrome.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for chrome.exe:\n\n DEP:\n OverrideDEP: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name chrome.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Chrome' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63841.rb", + "ref": "./Windows 10 STIG/controls/V-77195.rb", "line": 3 }, - "id": "V-63841" + "id": "V-77195" }, { - "title": "The system must be configured to audit Privilege Use - Sensitive\n Privilege Use failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \"Act as part of the operating system\" or \"Debug\n programs\".", + "title": "Indexing of encrypted files must be turned off.", + "desc": "Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \"Act as part of the operating system\" or \"Debug\n programs\".", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Privilege Use >> Sensitive Privilege Use - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\" with\n \"Failure\" selected." + "default": "Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Search >> \"Allow indexing of\n encrypted files\" to \"Disabled\"." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-AU-000110",
- "gid": "V-63483",
- "rid": "SV-77973r1_rule",
- "stig_id": "WN10-AU-000110",
- "fix_id": "F-69413r1_fix",
+ "gtitle": "WN10-CC-000305",
+ "gid": "V-63751",
+ "rid": "SV-78241r1_rule",
+ "stig_id": "WN10-CC-000305",
+ "fix_id": "F-69679r1_fix",
 "cci": [
- "CCI-000172",
- "CCI-002234"
+ "CCI-000381"
 ],
 "nist": [
- "AU-12 c",
- "AC-6 (9)",
+ "CM-7 a",
 "Rev_4"
 ],
 "false_negatives": null, 
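Review bot: The DEP assertion in the new V-77195 code at the end of this hunk cannot fail as written: `its(['OverrideDEP']) { should_not eq 'true' }` compares against the string 'true', but `ConvertTo-Json` emits the PowerShell boolean as a JSON `true`/`false`, so the parsed value is presumably a Ruby boolean and the expectation passes even when the override is enabled. Use the type-tolerant matcher the profile already uses for registry values, `its(['OverrideDEP']) { should cmp false }`, so a boolean `true` from the command is reported as a failure. The guard `if input('sensitive_system') == 'true' || nil` also carries a no-op `|| nil`; drop it, or spell out whatever nil handling was intended. The V-77267 control in the last hunk of this chunk repeats the same `should_not eq 'true'` pattern for DEP and for each Payload override.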
@@ -1034,39 +1063,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63483' do\n title \"The system must be configured to audit Privilege Use - Sensitive\n Privilege Use failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug\n programs\\\".\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000110'\n tag gid: 'V-63483'\n tag rid: 'SV-77973r1_rule'\n tag stig_id: 'WN10-AU-000110'\n tag fix_id: 'F-69413r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Privilege Use >> Sensitive Privilege Use - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\" with\n \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63751' do\n title 'Indexing of encrypted files must be turned off.'\n desc \"Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000305'\n tag gid: 'V-63751'\n tag rid: 'SV-78241r1_rule'\n tag stig_id: 'WN10-CC-000305'\n tag fix_id: 'F-69679r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Windows Search\\\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Search >> \\\"Allow indexing of\n encrypted files\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows 
Search') do\n it { should have_property 'AllowIndexingEncryptedStoresOrItems' }\n its('AllowIndexingEncryptedStoresOrItems') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63483.rb", + "ref": "./Windows 10 STIG/controls/V-63751.rb", "line": 3 }, - "id": "V-63483" + "id": "V-63751" }, { - "title": "Windows 10 systems must use a BitLocker PIN with a minimum length of 6\n digits for pre-boot authentication.", - "desc": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.\n Increasing the pin length requires a greater number of guesses for an attacker.", + "title": "Passwords must not be saved in the Remote Desktop Client.", + "desc": "Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.", "descriptions": { - "default": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. 
Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.\n Increasing the pin length requires a greater number of guesses for an attacker.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Value Name: MinimumPIN\n Type: REG_DWORD\n Value: 0x00000006 (6) or greater",
- "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> BitLocker Drive Encryption >>\n Operating System Drives \"Configure minimum PIN length for startup\" to\n \"Enabled\" with \"Minimum characters:\" set to 6 or greater."
+ "default": "Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: DisablePasswordSaving\n\n Value Type: REG_DWORD\n Value: 1",
+ "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Connection Client >> \"Do not allow passwords to be saved\" to\n \"Enabled\"."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-00-000032",
- "gid": "V-94861",
- "rid": "SV-104691r1_rule",
- "stig_id": "WN10-00-000032",
- "fix_id": "F-100985r1_fix",
+ "gtitle": "WN10-CC-000270",
+ "gid": "V-63729",
+ "rid": "SV-78219r1_rule",
+ "stig_id": "WN10-CC-000270",
+ "fix_id": "F-69657r1_fix",
 "cci": [
- "CCI-001199",
- "CCI-002475",
- "CCI-002476"
+ "CCI-002038"
 ],
 "nist": [
- "SC-28",
- "SC-28 (1)",
- "SC-28 (1)",
+ "IA-11",
 "Rev_4"
 ],
 "false_negatives": null, 
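Review bot: The new V-63751 code in this hunk writes its check and fix text as `desc "check", "..."` / `desc "fix", "..."`, while the V-77195 control regenerated in the previous hunk uses `desc 'check', "..."`; the V-63729 control in the next hunk follows the double-quoted form again. Since these controls are regenerated together, settle on one quoting style for the `desc` keys so the embedded Ruby reads as one codebase. The registry assertion itself (`have_property` followed by `should cmp 0`) matches the check text, so no behavioural change is needed here.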
@@ -1080,35 +1105,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-94861' do\n title \"Windows 10 systems must use a BitLocker PIN with a minimum length of #{input('bitlocker_pin_len')}\n digits for pre-boot authentication.\"\n desc \"If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.\n Increasing the pin length requires a greater number of guesses for an attacker.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000032'\n tag gid: 'V-94861'\n tag rid: 'SV-104691r1_rule'\n tag stig_id: 'WN10-00-000032'\n tag fix_id: 'F-100985r1_fix'\n tag cci: %w[CCI-001199 CCI-002475 CCI-002476]\n tag nist: ['SC-28', 'SC-28 (1)', 'SC-28 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Value Name: MinimumPIN\n Type: REG_DWORD\n Value: 0x0000000#{input('bitlocker_pin_len')} (#{input('bitlocker_pin_len')}) or greater\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> BitLocker Drive Encryption >>\n Operating System Drives \\\"Configure minimum PIN length for startup\\\" to\n \\\"Enabled\\\" with \\\"Minimum characters:\\\" set to #{input('bitlocker_pin_len')} or greater.\"\n\n if sys_info.manufacturer == 
\"VMware, Inc.\"\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-94861.' do\n skip 'This is a VDI System; This System is NA for Control V-94861'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Bitlocker') do\n it { should have_property 'MinimumPIN' }\n its('MinimumPIN') { should be >= input('bitlocker_pin_len') }\n end\n end\nend\n", + "code": "control 'V-63729' do\n title 'Passwords must not be saved in the Remote Desktop Client.'\n desc \"Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000270'\n tag gid: 'V-63729'\n tag rid: 'SV-78219r1_rule'\n tag stig_id: 'WN10-CC-000270'\n tag fix_id: 'F-69657r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: DisablePasswordSaving\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Connection Client >> \\\"Do not allow passwords to be saved\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') 
do\n it { should have_property 'DisablePasswordSaving' }\n its('DisablePasswordSaving') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-94861.rb", + "ref": "./Windows 10 STIG/controls/V-63729.rb", "line": 3 }, - "id": "V-94861" + "id": "V-63729" }, { - "title": "The system must be configured to audit Detailed Tracking - PNP\n Activity successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for\n wmplayer.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Detailed Tracking >> Plug and Play Events - Success", - "fix": "Computer Configuration >> Windows Settings >> Advanced Audit Policy\n Configuration >> System Audit Policies >> Detailed Tracking >> \"Audit PNP\n Activity\" with \"Success\" selected." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name wmplayer.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for wmplayer.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location 
defined under\n \"Options:\". It is recommended the file be in a read-only network location."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-AU-000045",
- "gid": "V-63451",
- "rid": "SV-77941r1_rule",
- "stig_id": "WN10-AU-000045",
- "fix_id": "F-69379r1_fix",
+ "gtitle": "WN10-EP-000290",
+ "gid": "V-77267",
+ "rid": "SV-91963r3_rule",
+ "stig_id": "WN10-EP-000290",
+ "fix_id": "F-84513r4_fix",
 "cci": [
- "CCI-000172"
+ "CCI-000366"
 ],
 "nist": [
- "AU-12 c",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null, 
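Review bot: The new V-77267 entry's `title` in this hunk carries an embedded line break and leading space (`"...must be configured for\n wmplayer.exe."`), inherited from the wrapped Ruby `title` string in the following hunk, whereas the chrome.exe control earlier in this diff keeps its title on one line. Titles are typically rendered as single-line headings, so write `title 'Exploit Protection mitigations in Windows 10 must be configured for wmplayer.exe.'` on one line in the source control and regenerate the JSON. The V-63729 check in this hunk (`have_property 'DisablePasswordSaving'` then `should cmp 1`) matches its check text.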
@@ -1122,89 +1147,70 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63451' do\n title \"The system must be configured to audit Detailed Tracking - PNP\n Activity successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000045'\n tag gid: 'V-63451'\n tag rid: 'SV-77941r1_rule'\n tag stig_id: 'WN10-AU-000045'\n tag fix_id: 'F-69379r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Detailed Tracking >> Plug and Play Events - Success\"\n\n desc \"fix\", \"Computer Configuration >> Windows Settings >> Advanced Audit Policy\n Configuration >> System Audit Policies >> Detailed Tracking >> \\\"Audit PNP\n Activity\\\" with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-77267' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n wmplayer.exe.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000290'\n tag gid: 'V-77267'\n tag rid: 'SV-91963r3_rule'\n tag stig_id: 'WN10-EP-000290'\n tag fix_id: 'F-84513r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name wmplayer.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for wmplayer.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name wmplayer.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Windows Media Player' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name wmplayer.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Windows Media Player' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63451.rb", + "ref": "./Windows 10 STIG/controls/V-77267.rb", "line": 3 }, - "id": "V-63451" + "id": "V-77267" }, { - "title": "The system must be configured to audit Account Management - Security\n Group Management successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting or\n changing of security groups, including changes in group members.", + "title": "Windows Ink Workspace configured but disallow access above the lock. ", + "desc": "Securing Windows Ink which contains application and features oriented\ntowards pen computing.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting or\n changing of security groups, including changes in group members.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Management >> Security Group Management - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \"Audit Security Group Management\"\n with \"Success\" selected." + "default": "Securing Windows Ink which contains application and features oriented\ntowards pen computing.", + "rationale": "", + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\Software\\Policies\\Microsoft\\WindowsInkWorkspace\n\n Value Name: AllowWindowsInkWorkspace\n Value Type: REG_DWORD\n Value data: 1", + "fix": "Disable the convenience PIN sign-in.\n\n If this needs to be corrected configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> Windows Ink\nWorkspace >> Set \" Allow Windows Ink Workspace\" to \"Enabled” Set Options\n‘On, but disallow access above lock”." 
}, "impact": 0.5, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-AU-000030", - "gid": "V-63445", - "rid": "SV-77935r1_rule", - "stig_id": "WN10-AU-000030", - "fix_id": "F-69373r1_fix", + "severity": null, + "gtitle": "WN10-CC-000385", + "gid": "V-99561", + "rid": "SV-108665r1_rule", + "stig_id": "WN10-CC-000385", + "fix_id": "F-105245r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130", - "CCI-002234" + "CCI-000381" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)", - "AC-2 (4)", - "AC-2\n(4)", - "AC-6 (9)", + "CM-7 a", "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null + ] }, - "code": "control 'V-63445' do\n title \"The system must be configured to audit Account Management - Security\n Group Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting or\n changing of security groups, including changes in group members.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000030'\n tag gid: 'V-63445'\n tag rid: 'SV-77935r1_rule'\n tag stig_id: 'WN10-AU-000030'\n tag fix_id: 'F-69373r1_fix'\n tag cci: %w[CCI-000018 CCI-000172 CCI-001403 CCI-001404\n CCI-001405 CCI-002130 CCI-002234]\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', \"AC-2\n(4)\", 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Management >> Security Group Management - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \\\"Audit Security Group Management\\\"\n with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Security Group Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security Group Management') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-99561\" do\n title \"Windows Ink Workspace configured but disallow access above the lock. \"\n desc \"Securing Windows Ink which contains application and features oriented\ntowards pen computing. \"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-CC-000385\"\n tag gid: \"V-99561\"\n tag rid: \"SV-108665r1_rule\"\n tag stig_id: \"WN10-CC-000385\"\n tag fix_id: \"F-105245r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\Software\\\\Policies\\\\Microsoft\\\\WindowsInkWorkspace\n\n Value Name: AllowWindowsInkWorkspace\n Value Type: REG_DWORD\n Value data: 1\"\n desc \"fix\", \"Disable the convenience PIN sign-in.\n\n If this needs to be corrected configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> Windows Ink\nWorkspace >> Set \\\" Allow Windows Ink Workspace\\\" to \\\"Enabled” Set Options\n‘On, but disallow access above lock”.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsInkWorkspace') do\n it { should have_property 'AllowWindowsInkWorkspace' }\n its('AllowWindowsInkWorkspace') { 
should cmp 1 }\n end\n end\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63445.rb", + "ref": "./Windows 10 STIG/controls/V-99561.rb", "line": 3 }, - "id": "V-63445" + "id": "V-99561" }, { - "title": "Printing over HTTP must be prevented.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents the client computer from printing over HTTP, which allows the computer\n to print to printers on the intranet as well as the Internet.", + "title": "The DoD Interoperability Root CA cross-certificates must be installed\n in the Untrusted Certificates Store on unclassified systems.", + "desc": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. 
This setting\n prevents the client computer from printing over HTTP, which allows the computer\n to print to printers on the intranet as well as the Internet.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableHTTPPrinting\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Internet Communication Management >>\nInternet Communication settings >> \"Turn off printing over HTTP\" to\n\"Enabled\"." + "default": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", + "check": "Verify the DoD Interoperability cross-certificates are installed\n on unclassified systems as Untrusted Certificates.\n\n Run \"PowerShell\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where {$_.Issuer -Like\n \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | FL Subject,\n Issuer, Thumbprint, NotAfter\n\n If the following certificate \"Subject\", \"Issuer\", and \"Thumbprint\",\n information is not displayed, this is finding.\n\n If an expired certificate (\"NotAfter\" date) is not listed in the results,\n this is not a finding.\n\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341\n NotAfter: 1/22/2022\n\n Alternately use the Certificates MMC snap-in:\n\n Run \"MMC\".\n\n Select \"File\", \"Add/Remove Snap-in\".\n\n Select \"Certificates\", click \"Add\".\n\n Select \"Computer account\", click \"Next\".\n\n Select \"Local computer: (the computer this console is running on)\", click\n \"Finish\".\n\n Click \"OK\".\n\n Expand \"Certificates\" and navigate to \"Untrusted Certificates >>\n Certificates\".\n\n For each certificate with \"DoD Root CA…\" under \"Issued To\" and \"DoD\n Interoperability Root CA…\" under \"Issued By\":\n\n Right-click on the certificate and select \"Open\".\n\n Select the \"Details\" Tab.\n\n Scroll to the bottom and select \"Thumbprint\".\n\n If the certificates below are not listed or the value for the \"Thumbprint\"\n field is not as noted, this is a finding.\n\n If an expired certificate (\"Valid to\" date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341\n Valid to: Saturday, January 22, 2022", + "fix": "Install the DoD Interoperability Root CA cross-certificates on\n unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 -\n 22BBE981F0694D246CC1472ED2B021DC8540A22F\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n AC06108CA348CC03B53795C64BF84403C1DBD341\n\n The certificates can be installed using the InstallRoot tool. The tool and user\n guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000110", - "gid": "V-63623", - "rid": "SV-78113r1_rule", - "stig_id": "WN10-CC-000110", - "fix_id": "F-69553r1_fix", + "gtitle": "WN10-PK-000015", + "gid": "V-63587", + "rid": "SV-78077r5_rule", + "stig_id": "WN10-PK-000015", + "fix_id": "F-98441r3_fix", "cci": [ - "CCI-000381" + "CCI-000185", + "CCI-002470" ], "nist": [ - "CM-7 a", + "IA-5 (2) (a)", + "SC-23 (5)", "Rev_4" ], "false_negatives": null, 
@@ -1218,37 +1224,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63623' do\n title 'Printing over HTTP must be prevented.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents the client computer from printing over HTTP, which allows the computer\n to print to printers on the intranet as well as the Internet.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000110'\n tag gid: 'V-63623'\n tag rid: 'SV-78113r1_rule'\n tag stig_id: 'WN10-CC-000110'\n tag fix_id: 'F-69553r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableHTTPPrinting\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Internet Communication Management >>\nInternet Communication settings >> \\\"Turn off printing over HTTP\\\" to\n\\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers') do\n it { should have_property 'DisableHTTPPrinting' }\n its('DisableHTTPPrinting') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63587' do\n title \"The DoD Interoperability Root CA 
cross-certificates must be installed\n in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-PK-000015'\n tag gid: 'V-63587'\n tag rid: 'SV-78077r5_rule'\n tag stig_id: 'WN10-PK-000015'\n tag fix_id: 'F-98441r3_fix'\n tag cci: %w[CCI-000185 CCI-002470]\n tag nist: ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the DoD Interoperability cross-certificates are installed\n on unclassified systems as Untrusted Certificates.\n\n Run \\\"PowerShell\\\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where {$_.Issuer -Like\n \\\"*DoD Interoperability*\\\" -and $_.Subject -Like \\\"*DoD*\\\"} | FL Subject,\n Issuer, Thumbprint, NotAfter\n\n If the following certificate \\\"Subject\\\", \\\"Issuer\\\", and \\\"Thumbprint\\\",\n information is not displayed, this is finding.\n\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results,\n this is not a finding.\n\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341\n NotAfter: 1/22/2022\n\n Alternately use the Certificates MMC snap-in:\n\n Run \\\"MMC\\\".\n\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n\n Select \\\"Certificates\\\", click \\\"Add\\\".\n\n Select \\\"Computer account\\\", click \\\"Next\\\".\n\n Select \\\"Local computer: (the computer this console is running on)\\\", click\n \\\"Finish\\\".\n\n Click \\\"OK\\\".\n\n Expand \\\"Certificates\\\" and navigate to \\\"Untrusted Certificates >>\n Certificates\\\".\n\n For each certificate with \\\"DoD Root CA…\\\" under \\\"Issued To\\\" and \\\"DoD\n Interoperability Root CA…\\\" under \\\"Issued By\\\":\n\n Right-click on the certificate and select \\\"Open\\\".\n\n Select the \\\"Details\\\" Tab.\n\n Scroll to the bottom and select \\\"Thumbprint\\\".\n\n If the certificates below are not listed or the value for the \\\"Thumbprint\\\"\n field is not as noted, this is a finding.\n\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341\n Valid to: Saturday, January 22, 2022\"\n\n desc 'fix', \"Install the DoD Interoperability Root CA cross-certificates on\n unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 -\n 22BBE981F0694D246CC1472ED2B021DC8540A22F\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n AC06108CA348CC03B53795C64BF84403C1DBD341\n\n The certificates can be installed using the InstallRoot tool. 
The tool and user\n guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n # NOTE: DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F does not exist on Install Root 5.5\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_certificates = JSON.parse(input('dod_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The DoD Interoperability Root CA cross-certificates are installed' do\n subject { query.params }\n it { should be_in dod_certificates }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63623.rb", + "ref": "./Windows 10 STIG/controls/V-63587.rb", "line": 3 }, - "id": "V-63623" + "id": "V-63587" }, { - "title": "The system must be configured to audit System - System Integrity\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", + "title": "Data Execution Prevention (DEP) must be configured to at least OptOut.", + "desc": "Attackers are constantly looking for vulnerabilities in systems and\n applications. 
Data Execution Prevention (DEP) prevents harmful code from\n running in protected memory locations reserved for Windows and other programs.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> System Integrity - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit System Integrity\" with \"Success\"\n selected." + "default": "Attackers are constantly looking for vulnerabilities in systems and\n applications. Data Execution Prevention (DEP) prevents harmful code from\n running in protected memory locations reserved for Windows and other programs.", + "check": "Verify the DEP configuration.\n Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as\n administrator).\n Enter \"BCDEdit /enum {current}\". 
(If using PowerShell \"{current}\" must be\n enclosed in quotes.)\n If the value for \"nx\" is not \"OptOut\", this is a finding.\n (The more restrictive configuration of \"AlwaysOn\" would not be a finding.)", + "fix": "Configure DEP to at least OptOut.\n\n Note: Suspend BitLocker before making changes to the DEP configuration.\n\n Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as\n administrator).\n Enter \"BCDEDIT /set {current} nx OptOut\". (If using PowerShell \"{current}\"\n must be enclosed in quotes.)\n \"AlwaysOn\", a more restrictive selection, is also valid but does not allow\n applications that do not function properly to be opted out of DEP.\n\n Opted out exceptions can be configured in the \"System Properties\".\n\n Open \"System\" in Control Panel.\n Select \"Advanced system settings\".\n Click \"Settings\" in the \"Performance\" section.\n Select the \"Data Execution Prevention\" tab.\n Applications that are opted out are configured in the window below the\n selection \"Turn on DEP for all programs and services except those I select:\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-AU-000160", - "gid": "V-63517", - "rid": "SV-78007r1_rule", - "stig_id": "WN10-AU-000160", - "fix_id": "F-69447r1_fix", + "severity": "high", + "gtitle": "WN10-00-000145", + "gid": "V-68845", + "rid": "SV-83439r2_rule", + "stig_id": "WN10-00-000145", + "fix_id": "F-75017r2_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002824" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "SI-16", "Rev_4" ], "false_negatives": null, 
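Review bot: The `it { should be_in dod_certificates }` assertion in the new V-63587 control only verifies that whatever the query returned is listed in the `dod_certificates` input; it never verifies that the required, unexpired cross-certificate (DoD Root CA 3 issued by DoD Interoperability Root CA 2, thumbprint AC06108CA348CC03B53795C64BF84403C1DBD341) is actually present, so a machine with nothing in the `disallowed` store passes the control. The check text exempts only an expired certificate, so the control should assert presence per expected thumbprint and skip only entries whose `NotAfter` has passed; assuming the input entries carry the same Subject/Issuer/Thumbprint/NotAfter keys the query selects, the block below replaces the `describe`. Note that `query.params` is a Hash rather than an Array when PowerShell returns a single object, which the rewrite handles explicitly; `Date` is Ruby stdlib but may need `require 'date'` in this profile.
```ruby
    # … unchanged: sensitive_system skip branch, dod_certificates and query …
    results = query.params
    results = [results] if results.is_a?(Hash)
    installed_thumbprints = results.map { |c| c['Thumbprint'] }
    dod_certificates.each do |cert|
      # Check text: an expired cross-certificate may legitimately be absent.
      next if Date.parse(cert['NotAfter']) < Date.today
      describe "DoD Interoperability cross-certificate #{cert['Thumbprint']} is installed" do
        subject { installed_thumbprints }
        it { should include cert['Thumbprint'] }
      end
    end
```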
@@ -1262,35 +1266,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63517' do\n title \"The system must be configured to audit System - System Integrity\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000160'\n tag gid: 'V-63517'\n tag rid: 'SV-78007r1_rule'\n tag stig_id: 'WN10-AU-000160'\n tag fix_id: 'F-69447r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> System Integrity - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Success' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-68845' do\n title 'Data Execution Prevention (DEP) must be configured to at least OptOut.'\n desc \"Attackers are constantly looking for vulnerabilities in systems and\n applications. Data Execution Prevention (DEP) prevents harmful code from\n running in protected memory locations reserved for Windows and other programs.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000145'\n tag gid: 'V-68845'\n tag rid: 'SV-83439r2_rule'\n tag stig_id: 'WN10-00-000145'\n tag fix_id: 'F-75017r2_fix'\n tag cci: ['CCI-002824']\n tag nist: %w[SI-16 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the DEP configuration.\n Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as\n administrator).\n Enter \\\"BCDEdit /enum {current}\\\". 
(If using PowerShell \\\"{current}\\\" must be\n enclosed in quotes.)\n If the value for \\\"nx\\\" is not \\\"OptOut\\\", this is a finding.\n (The more restrictive configuration of \\\"AlwaysOn\\\" would not be a finding.)\"\n desc \"fix\", \"Configure DEP to at least OptOut.\n\n Note: Suspend BitLocker before making changes to the DEP configuration.\n\n Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as\n administrator).\n Enter \\\"BCDEDIT /set {current} nx OptOut\\\". (If using PowerShell \\\"{current}\\\"\n must be enclosed in quotes.)\n \\\"AlwaysOn\\\", a more restrictive selection, is also valid but does not allow\n applications that do not function properly to be opted out of DEP.\n\n Opted out exceptions can be configured in the \\\"System Properties\\\".\n\n Open \\\"System\\\" in Control Panel.\n Select \\\"Advanced system settings\\\".\n Click \\\"Settings\\\" in the \\\"Performance\\\" section.\n Select the \\\"Data Execution Prevention\\\" tab.\n Applications that are opted out are configured in the window below the\n selection \\\"Turn on DEP for all programs and services except those I select:\\\".\"\n\n bcdedit = json(command: 'bcdedit /enum \"{current}\" | FindStr \"nx\" | ConvertTo-Json').params\n describe 'Verify the DEP configuration' do\n subject { bcdedit }\n it { should eq 'nx OptOut' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63517.rb", + "ref": "./Windows 10 STIG/controls/V-68845.rb", "line": 3 }, - "id": "V-63517" + "id": "V-68845" }, { - "title": "The default permissions of global system objects must be increased.", - "desc": "Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default DACL that specifies who can access the objects with what\n permissions. 
If this policy is enabled, the default DACL is stronger, allowing\n non-admin users to read shared objects, but not modify shared objects that they\n did not create.", + "title": "Internet Information System (IIS) or its subcomponents must not be\n installed on a workstation.", + "desc": "Installation of Internet Information System (IIS) may allow\n unauthorized internet services to be hosted. Websites must only be hosted on\n servers that have been designed for that purpose and can be adequately secured.", "descriptions": { - "default": "Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default DACL that specifies who can access the objects with what\n permissions. If this policy is enabled, the default DACL is stronger, allowing\n non-admin users to read shared objects, but not modify shared objects that they\n did not create.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"System\n objects: Strengthen default permissions of internal system objects (e.g.\n Symbolic links)\" to \"Enabled\"." + "default": "Installation of Internet Information System (IIS) may allow\n unauthorized internet services to be hosted. Websites must only be hosted on\n servers that have been designed for that purpose and can be adequately secured.", + "check": "IIS is not installed by default. 
Verify it has not been\n installed on the system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows features on or off\".\n\n If the entries for \"Internet Information Services\" or \"Internet Information\n Services Hostable Web Core\" are selected, this is a finding.\n\n If an application requires IIS or a subset to be installed to function, this\n needs be documented with the ISSO. In addition, any applicable requirements\n from the IIS STIG must be addressed.", + "fix": "Uninstall \"Internet Information Services\" or \"Internet\n Information Services Hostable Web Core\" from the system." }, - "impact": 0.3, + "impact": 0.7, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-SO-000240", - "gid": "V-63815", - "rid": "SV-78305r1_rule", - "stig_id": "WN10-SO-000240", - "fix_id": "F-69743r1_fix", + "severity": "high", + "gtitle": "WN10-00-000100", + "gid": "V-63377", + "rid": "SV-77867r1_rule", + "stig_id": "WN10-00-000100", + "fix_id": "F-69297r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
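Review bot: The new V-68845 control's `it { should eq 'nx OptOut' }` is both stricter and more brittle than the check text it implements: the text says `AlwaysOn` is not a finding, yet that value fails here, and `bcdedit /enum` pads its value column with several spaces, so the line `FindStr "nx"` returns will presumably read `nx<spaces>OptOut` and never equal `'nx OptOut'` byte-for-byte, likely reporting compliant systems as findings. A whitespace-tolerant match that accepts both permitted values, `it { should match(/\Anx\s+(OptOut|AlwaysOn)\z/) }`, follows the check text. If `FindStr` ever matches more than one line, `ConvertTo-Json` emits an array and `subject` should be the `nx` element rather than the whole result; the control's `end` is inside the hunk, so nothing else needs to change.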
@@ -1304,30 +1308,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63815' do\n title 'The default permissions of global system objects must be increased.'\n desc \"Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default DACL that specifies who can access the objects with what\n permissions. If this policy is enabled, the default DACL is stronger, allowing\n non-admin users to read shared objects, but not modify shared objects that they\n did not create.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000240'\n tag gid: 'V-63815'\n tag rid: 'SV-78305r1_rule'\n tag stig_id: 'WN10-SO-000240'\n tag fix_id: 'F-69743r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"System\n objects: Strengthen default permissions of internal system objects (e.g.\n Symbolic links)\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager') do\n it { should have_property 'ProtectionMode' }\n its('ProtectionMode') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63377' do\n title \"Internet Information System (IIS) or 
its subcomponents must not be\n installed on a workstation.\"\n desc \"Installation of Internet Information System (IIS) may allow\n unauthorized internet services to be hosted. Websites must only be hosted on\n servers that have been designed for that purpose and can be adequately secured.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000100'\n tag gid: 'V-63377'\n tag rid: 'SV-77867r1_rule'\n tag stig_id: 'WN10-00-000100'\n tag fix_id: 'F-69297r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"IIS is not installed by default. Verify it has not been\n installed on the system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows features on or off\\\".\n\n If the entries for \\\"Internet Information Services\\\" or \\\"Internet Information\n Services Hostable Web Core\\\" are selected, this is a finding.\n\n If an application requires IIS or a subset to be installed to function, this\n needs be documented with the ISSO. In addition, any applicable requirements\n from the IIS STIG must be addressed.\"\n\n desc \"fix\", \"Uninstall \\\"Internet Information Services\\\" or \\\"Internet\n Information Services Hostable Web Core\\\" from the system.\"\n\n describe windows_feature('Internet Information Services') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63815.rb", + "ref": "./Windows 10 STIG/controls/V-63377.rb", "line": 3 }, - "id": "V-63815" + "id": "V-63377" }, { - "title": "Systems must at least attempt device authentication using\n certificates.", - "desc": "Using certificates to authenticate devices to the domain provides\n increased security over passwords. 
By default systems will attempt to\n authenticate using certificates and fall back to passwords if the domain\n controller does not support certificates for devices. This may also be\n configured to always use certificates for device authentication.", + "title": "Domain-joined systems must use Windows 10 Enterprise Edition 64-bit\n version.", + "desc": "Features such as Credential Guard use virtualization based security to\n protect information that could be used in credential theft attacks if\n compromised. There are a number of system requirements that must be met in\n order for Credential Guard to be configured and enabled properly.\n Virtualization based security and Credential Guard are only available with\n Windows 10 Enterprise 64-bit version.", "descriptions": { - "default": "Using certificates to authenticate devices to the domain provides\n increased security over passwords. By default systems will attempt to\n authenticate using certificates and fall back to passwords if the domain\n controller does not support certificates for devices. 
This may also be\n configured to always use certificates for device authentication.", - "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n The default behavior for \"Support device authentication using certificate\" is\n \"Automatic\".\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\\n\n Value Name: DevicePKInitEnabled\n Value Type: REG_DWORD\n Value: 1 (or if the Value Name does not exist)", - "fix": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n The default behavior for \"Support device authentication using certificate\" is\n \"Automatic\".\n\n If this needs to be corrected, configured the policy value for Computer\n Configuration >> Administrative Templates >> System >> Kerberos >> \"Support\n device authentication using certificate\" to \"Not Configured or \"Enabled\"\n with either option selected in \"Device authentication behavior using\n certificate:\"." + "default": "Features such as Credential Guard use virtualization based security to\n protect information that could be used in credential theft attacks if\n compromised. 
There are a number of system requirements that must be met in\n order for Credential Guard to be configured and enabled properly.\n Virtualization based security and Credential Guard are only available with\n Windows 10 Enterprise 64-bit version.", + "check": "Verify domain-joined systems are using Windows 10 Enterprise\n Edition 64-bit version.\n\n For standalone systems, this is NA.\n\n Open \"Settings\".\n\n Select \"System\", then \"About\".\n\n If \"Edition\" is not \"Windows 10 Enterprise\", this is a finding.\n\n If \"System type\" is not \"64-bit operating system…\", this is a finding.", + "fix": "Use Windows 10 Enterprise 64-bit version for domain-joined systems." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000115", - "gid": "V-63627", - "rid": "SV-78117r1_rule", - "stig_id": "WN10-CC-000115", - "fix_id": "F-69557r1_fix", + "gtitle": "WN10-00-000005", + "gid": "V-63319", + "rid": "SV-77809r3_rule", + "stig_id": "WN10-00-000005", + "fix_id": "F-69237r2_fix", "cci": [ "CCI-000366" ], 
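Review bot: The new V-63377 code tests only `windows_feature('Internet Information Services')`, while the control's own check text in this hunk also makes a selected "Internet Information Services Hostable Web Core" entry a finding, so a workstation with only the Hostable Web Core installed passes the control. A second `describe windows_feature(...) do it { should_not be_installed } end` block for the Hostable Web Core feature would close that gap. The string passed here looks like the Programs and Features display name rather than a DISM or PowerShell feature name; whether the resource resolves it should be confirmed for both features, since a name that resolves to no feature may read as "not installed" and pass silently. The `source_location` field points at `./Windows 10 STIG/controls/V-63377.rb`, so this JSON appears to be regenerated from that file and the change belongs there.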
@@ -1346,35 +1350,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63627' do\n title \"Systems must at least attempt device authentication using\n certificates.\"\n desc \"Using certificates to authenticate devices to the domain provides\n increased security over passwords. By default systems will attempt to\n authenticate using certificates and fall back to passwords if the domain\n controller does not support certificates for devices. This may also be\n configured to always use certificates for device authentication.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000115'\n tag gid: 'V-63627'\n tag rid: 'SV-78117r1_rule'\n tag stig_id: 'WN10-CC-000115'\n tag fix_id: 'F-69557r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n The default behavior for \\\"Support device authentication using certificate\\\" is\n \\\"Automatic\\\".\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\\\n\n Value Name: DevicePKInitEnabled\n Value Type: REG_DWORD\n Value: 1 (or if the Value Name does not exist)\"\n\n desc \"fix\", \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n The default behavior for \\\"Support device authentication using 
certificate\\\" is\n \\\"Automatic\\\".\n\n If this needs to be corrected, configured the policy value for Computer\n Configuration >> Administrative Templates >> System >> Kerberos >> \\\"Support\n device authentication using certificate\\\" to \\\"Not Configured or \\\"Enabled\\\"\n with either option selected in \\\"Device authentication behavior using\n certificate:\\\".\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters') do\n it { should have_property 'DevicePKInitEnabled' }\n its('DevicePKInitEnabled') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63319' do\n title \"Domain-joined systems must use Windows 10 Enterprise Edition 64-bit\n version.\"\n desc \"Features such as Credential Guard use virtualization based security to\n protect information that could be used in credential theft attacks if\n compromised. 
There are a number of system requirements that must be met in\n order for Credential Guard to be configured and enabled properly.\n Virtualization based security and Credential Guard are only available with\n Windows 10 Enterprise 64-bit version.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000005'\n tag gid: 'V-63319'\n tag rid: 'SV-77809r3_rule'\n tag stig_id: 'WN10-00-000005'\n tag fix_id: 'F-69237r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify domain-joined systems are using Windows 10 Enterprise\n Edition 64-bit version.\n\n For standalone systems, this is NA.\n\n Open \\\"Settings\\\".\n\n Select \\\"System\\\", then \\\"About\\\".\n\n If \\\"Edition\\\" is not \\\"Windows 10 Enterprise\\\", this is a finding.\n\n If \\\"System type\\\" is not \\\"64-bit operating system…\\\", this is a finding.\"\n\n desc \"fix\", 'Use Windows 10 Enterprise 64-bit version for domain-joined systems.'\n\n describe os.arch do\n it { should eq 'x86_64' }\n end\n\n describe os.name do\n it { should eq 'windows_10_enterprise' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63627.rb", + "ref": "./Windows 10 STIG/controls/V-63319.rb", "line": 3 }, - "id": "V-63627" + "id": "V-63319" }, { - "title": "The default autorun behavior must be configured to prevent autorun\n commands.", - "desc": "Allowing autorun commands to execute may introduce malicious code to a\n system. Configuring this setting prevents autorun commands from executing.", + "title": "Attachments must be prevented from being downloaded from RSS feeds.", + "desc": "Attachments from RSS feeds may not be secure. 
This setting will\n prevent attachments from being downloaded from RSS feeds.", "descriptions": { - "default": "Allowing autorun commands to execute may introduce malicious code to a\n system. Configuring this setting prevents autorun commands from executing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: NoAutorun\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Set\n the default behavior for AutoRun\" to \"Enabled:Do not execute any autorun\n commands\"." + "default": "Attachments from RSS feeds may not be secure. This setting will\n prevent attachments from being downloaded from RSS feeds.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: DisableEnclosureDownload\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> RSS Feeds >> \"Prevent\n downloading of enclosures\" to \"Enabled\"." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-CC-000185", - "gid": "V-63671", - "rid": "SV-78161r1_rule", - "stig_id": "WN10-CC-000185", - "fix_id": "F-69599r1_fix", + "severity": "medium", + "gtitle": "WN10-CC-000295", + "gid": "V-63743", + "rid": "SV-78233r1_rule", + "stig_id": "WN10-CC-000295", + "fix_id": "F-69671r1_fix", "cci": [ - "CCI-001764" + "CCI-000366" ], "nist": [ - "CM-7 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
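Review bot: The new V-63319 code asserts `os.arch` and `os.name` unconditionally, while the control's check text in this hunk says standalone systems are NA, so a non-domain-joined workstation gets a false finding. The V-63627 control elsewhere in this file already handles this case with a `wmic computersystem get domain` query that sets `impact 0.0` and skips when the result is `WORKGROUP`; the same guard around the two describe blocks would make the code match the text. The `source_location` field points at `./Windows 10 STIG/controls/V-63319.rb`, so the edit belongs in that source file rather than in this generated JSON.
```ruby
  # … unchanged: title, desc, impact, tag and desc "check"/"fix" lines …

  is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip

  if is_domain == 'WORKGROUP'
    impact 0.0
    describe 'The system is not a member of a domain, control is NA' do
      skip 'The system is not a member of a domain, control is NA'
    end
  else
    describe os.arch do
      it { should eq 'x86_64' }
    end

    describe os.name do
      it { should eq 'windows_10_enterprise' }
    end
  end
```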
@@ -1388,35 +1392,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63671' do\n title \"The default autorun behavior must be configured to prevent autorun\n commands.\"\n desc \"Allowing autorun commands to execute may introduce malicious code to a\n system. Configuring this setting prevents autorun commands from executing.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000185'\n tag gid: 'V-63671'\n tag rid: 'SV-78161r1_rule'\n tag stig_id: 'WN10-CC-000185'\n tag fix_id: 'F-69599r1_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: NoAutorun\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Set\n the default behavior for AutoRun\\\" to \\\"Enabled:Do not execute any autorun\n commands\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should have_property 'NoAutorun' }\n its('NoAutorun') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63743' do\n title 'Attachments must be prevented from being downloaded from RSS feeds.'\n desc \"Attachments from RSS feeds may not be secure. 
This setting will\n prevent attachments from being downloaded from RSS feeds.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000295'\n tag gid: 'V-63743'\n tag rid: 'SV-78233r1_rule'\n tag stig_id: 'WN10-CC-000295'\n tag fix_id: 'F-69671r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: DisableEnclosureDownload\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> RSS Feeds >> \\\"Prevent\n downloading of enclosures\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should have_property 'DisableEnclosureDownload' }\n its('DisableEnclosureDownload') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63671.rb", + "ref": "./Windows 10 STIG/controls/V-63743.rb", "line": 3 }, - "id": "V-63671" + "id": "V-63743" }, { - "title": "Windows 10 account lockout duration must be configured to 15 minutes\n or greater.", - "desc": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. 
This parameter specifies the amount of time\n that an account will remain locked after the specified number of failed logon\n attempts.", + "title": "Systems must at least attempt device authentication using\n certificates.", + "desc": "Using certificates to authenticate devices to the domain provides\n increased security over passwords. By default systems will attempt to\n authenticate using certificates and fall back to passwords if the domain\n controller does not support certificates for devices. This may also be\n configured to always use certificates for device authentication.", "descriptions": { - "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the amount of time\n that an account will remain locked after the specified number of failed logon\n attempts.", - "check": "Verify the effective setting in Local Group Policy Editor.\nRun \"gpedit.msc\".\n\nNavigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n>> Security Settings >> Account Policies >> Account Lockout Policy.\n\nIf the \"Account lockout duration\" is less than 15 minutes (excluding\n\"0\"), this is a finding.\n\nConfiguring this to \"0\", requiring an administrator to unlock the account, is\nmore restrictive and is not a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n\"Account lockout duration\" to 15 minutes or greater.\n\nA value of \"0\" is also acceptable, requiring an administrator to unlock the\naccount." + "default": "Using certificates to authenticate devices to the domain provides\n increased security over passwords. By default systems will attempt to\n authenticate using certificates and fall back to passwords if the domain\n controller does not support certificates for devices. 
This may also be\n configured to always use certificates for device authentication.", + "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n The default behavior for \"Support device authentication using certificate\" is\n \"Automatic\".\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\\n\n Value Name: DevicePKInitEnabled\n Value Type: REG_DWORD\n Value: 1 (or if the Value Name does not exist)", + "fix": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n The default behavior for \"Support device authentication using certificate\" is\n \"Automatic\".\n\n If this needs to be corrected, configured the policy value for Computer\n Configuration >> Administrative Templates >> System >> Kerberos >> \"Support\n device authentication using certificate\" to \"Not Configured or \"Enabled\"\n with either option selected in \"Device authentication behavior using\n certificate:\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AC-000005", - "gid": "V-63405", - "rid": "SV-77895r2_rule", - "stig_id": "WN10-AC-000005", - "fix_id": "F-81277r1_fix", + "gtitle": "WN10-CC-000115", + "gid": "V-63627", + "rid": "SV-78117r1_rule", + "stig_id": "WN10-CC-000115", + "fix_id": "F-69557r1_fix", "cci": [ - "CCI-002238" + "CCI-000366" ], "nist": [ - "AC-7 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -1430,39 +1434,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63405' do\n title \"Windows 10 account lockout duration must be configured to #{input('pass_lock_time')} minutes\n or greater.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the amount of time\n that an account will remain locked after the specified number of failed logon\n attempts.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000005'\n tag gid: 'V-63405'\n tag rid: 'SV-77895r2_rule'\n tag stig_id: 'WN10-AC-000005'\n tag fix_id: 'F-81277r1_fix'\n tag cci: ['CCI-002238']\n tag nist: ['AC-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\nRun \\\"gpedit.msc\\\".\n\nNavigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n>> Security Settings >> Account Policies >> Account Lockout Policy.\n\nIf the \\\"Account lockout duration\\\" is less than #{input('pass_lock_time')} minutes (excluding\n\\\"0\\\"), this is a finding.\n\nConfiguring this to \\\"0\\\", requiring an administrator to unlock the account, is\nmore restrictive and is not a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n\\\"Account lockout duration\\\" to #{input('pass_lock_time')} minutes or greater.\n\nA value of \\\"0\\\" is also acceptable, requiring an administrator to unlock the\naccount.\"\n\n # issues has been raised to fix the IF statement for describe.one to allow for inputs\n pass_lock_time = input('pass_lock_time')\n\n describe.one 
do\n describe security_policy do\n its('LockoutDuration') { should cmp >= pass_lock_time }\n end\n describe security_policy do\n its('LockoutDuration') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-63627' do\n title \"Systems must at least attempt device authentication using\n certificates.\"\n desc \"Using certificates to authenticate devices to the domain provides\n increased security over passwords. By default systems will attempt to\n authenticate using certificates and fall back to passwords if the domain\n controller does not support certificates for devices. This may also be\n configured to always use certificates for device authentication.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000115'\n tag gid: 'V-63627'\n tag rid: 'SV-78117r1_rule'\n tag stig_id: 'WN10-CC-000115'\n tag fix_id: 'F-69557r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n The default behavior for \\\"Support device authentication using certificate\\\" is\n \\\"Automatic\\\".\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\\\n\n Value Name: DevicePKInitEnabled\n Value Type: REG_DWORD\n Value: 1 (or if the Value Name does not exist)\"\n\n desc \"fix\", \"This requirement is applicable to 
domain-joined systems, for\n standalone systems this is NA.\n\n The default behavior for \\\"Support device authentication using certificate\\\" is\n \\\"Automatic\\\".\n\n If this needs to be corrected, configured the policy value for Computer\n Configuration >> Administrative Templates >> System >> Kerberos >> \\\"Support\n device authentication using certificate\\\" to \\\"Not Configured or \\\"Enabled\\\"\n with either option selected in \\\"Device authentication behavior using\n certificate:\\\".\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters') do\n it { should have_property 'DevicePKInitEnabled' }\n its('DevicePKInitEnabled') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63405.rb", + "ref": "./Windows 10 STIG/controls/V-63627.rb", "line": 3 }, - "id": "V-63405" + "id": "V-63627" }, { - "title": "Windows 10 permissions for the Security event log must prevent access\n by non-privileged accounts.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.", + "title": "Basic authentication for RSS feeds over HTTP must not be used.", + "desc": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.", - "check": "Verify the permissions on the Security event log (Security.evtx).\n Standard user accounts or groups must not have access. The default permissions\n listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES\" has\n Special Permissions, this would not be a finding.", - "fix": "Ensure the permissions on the Security event log (Security.evtx)\n are configured to prevent standard user accounts or groups from having access.\n The default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." 
+ "default": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", + "check": "The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)", + "fix": "The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >>\n \"Turn on Basic feed authentication over HTTP\" to \"Not Configured\" or\n \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000520", - "gid": "V-63537", - "rid": "SV-78027r2_rule", - "stig_id": "WN10-AU-000520", - "fix_id": "F-69467r1_fix", + "gtitle": "WN10-CC-000300", + "gid": "V-63747", + "rid": "SV-78237r1_rule", + "stig_id": "WN10-CC-000300", + "fix_id": "F-69675r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-000381" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
@@ -1476,35 +1476,68 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63537' do\n title \"Windows 10 permissions for the Security event log must prevent access\n by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000520'\n tag gid: 'V-63537'\n tag rid: 'SV-78027r2_rule'\n tag stig_id: 'WN10-AU-000520'\n tag fix_id: 'F-69467r1_fix'\n tag cci: %w[CCI-000162 CCI-000163 CCI-000164]\n tag nist: %w[AU-9 AU-9 AU-9 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the permissions on the Security event log (Security.evtx).\n Standard user accounts or groups must not have access. 
The default permissions\n listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \\\"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\\\" has\n Special Permissions, this would not be a finding.\"\n\n desc \"fix\", \"Ensure the permissions on the Security event log (Security.evtx)\n are configured to prevent standard user accounts or groups from having access.\n The default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n systemroot = system_root.strip\n\n describe file(\"#{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Security.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", + "code": "control 'V-63747' do\n title 'Basic authentication for RSS feeds over HTTP must not be used.'\n desc \"Basic authentication uses plain text passwords that could be used to\n compromise a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000300'\n tag gid: 'V-63747'\n tag rid: 'SV-78237r1_rule'\n tag stig_id: 'WN10-CC-000300'\n tag fix_id: 'F-69675r1_fix'\n tag 
cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)\"\n \n desc \"fix\", \"The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >>\n \\\"Turn on Basic feed authentication over HTTP\\\" to \\\"Not Configured\\\" or\n \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should have_property 'AllowBasicAuthInClear' }\n its('AllowBasicAuthInClear') { should_not be 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should_not have_property 'AllowBasicAuthInClear' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63537.rb", + "ref": "./Windows 10 STIG/controls/V-63747.rb", "line": 3 }, - "id": "V-63537" + "id": "V-63747" }, { - "title": "The system must be configured to audit Detailed 
Tracking - Process\n Creation successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process creation records events related to the creation of a process and\n the source.", + "title": "The convenience PIN for Windows 10 must be disabled. ", + "desc": "This policy controls whether a domain user can sign in using a\nconvenience PIN to prevent enabling (Password Stuffer).", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process creation records events related to the creation of a process and\n the source.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Detailed Tracking >> Process Creation - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Detailed Tracking >> \"Audit Process Creation\" with\n \"Success\" selected." + "default": "This policy controls whether a domain user can sign in using a\nconvenience PIN to prevent enabling (Password Stuffer).", + "rationale": "", + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\Software\\Policies\\Microsoft\\Windows\\System\n\n Value Name: AllowDomainPINLogon\n Value Type: REG_DWORD\n Value data: 0", + "fix": "Disable the convenience PIN sign-in.\n\n If this needs to be corrected configure the policy value for Computer\nConfiguration >> Administrative Templates >> System >> Logon >> Set \"Turn on\nconvenience PIN sign-in\" to \"Disabled”." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": null, + "gtitle": "WN10-CC-000370", + "gid": "V-99559", + "rid": "SV-108663r1_rule", + "stig_id": "WN10-CC-000370", + "fix_id": "F-105243r1_fix", + "cci": [ + "CCI-000381" + ], + "nist": [ + "CM-7 a", + "Rev_4" + ] + }, + "code": "control \"V-99559\" do\n title \"The convenience PIN for Windows 10 must be disabled. 
\"\n desc \"This policy controls whether a domain user can sign in using a\nconvenience PIN to prevent enabling (Password Stuffer).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-CC-000370\"\n tag gid: \"V-99559\"\n tag rid: \"SV-108663r1_rule\"\n tag stig_id: \"WN10-CC-000370\"\n tag fix_id: \"F-105243r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\n\n Value Name: AllowDomainPINLogon\n Value Type: REG_DWORD\n Value data: 0 \"\n desc \"fix\", \"Disable the convenience PIN sign-in.\n\n If this needs to be corrected configure the policy value for Computer\nConfiguration >> Administrative Templates >> System >> Logon >> Set \\\"Turn on\nconvenience PIN sign-in\\\" to \\\"Disabled”.\"\n \n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'AllowDomainPINLogon' }\n its('AllowDomainPINLogon') { should cmp 0 }\n end\nend\n", + "source_location": { + "ref": "./Windows 10 STIG/controls/V-99559.rb", + "line": 3 + }, + "id": "V-99559" + }, + { + "title": "Zone information must be preserved when saving attachments.", + "desc": "Preserving zone of origin (internet, intranet, local, restricted)\n information on file attachments allows Windows to determine risk.", + "descriptions": { + "default": "Preserving zone of origin (internet, intranet, local, restricted)\n information on file attachments allows Windows to determine risk.", + "check": "The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"2\", this is not a finding.\n\n If it exists and is 
configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)", + "fix": "The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If this needs to be corrected, configure the policy value for User\n Configuration >> Administrative Templates >> Windows Components >> Attachment\n Manager >> \"Do not preserve zone information in file attachments\" to \"Not\n Configured\" or \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000050", - "gid": "V-63453", - "rid": "SV-77943r1_rule", - "stig_id": "WN10-AU-000050", - "fix_id": "F-69381r1_fix", + "gtitle": "WN10-UC-000020", + "gid": "V-63841", + "rid": "SV-78331r2_rule", + "stig_id": "WN10-UC-000020", + "fix_id": "F-78717r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
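Review bot: The new V-99559 entry sets `"impact": 0.5` / `impact 0.5` but `"severity": null` / `tag severity: nil`, whereas every other 0.5-impact control in this file carries `severity: 'medium'`; any consumer that derives CAT level from `tags.severity` will treat this control as unrated. Its `tags` object also omits the `false_negatives`, `false_positives`, `documentable`, `mitigations`, `severity_override_guidance`, `potential_impacts`, `third_party_tools`, `mitigation_controls`, `responsibility` and `ia_controls` keys that the neighbouring controls carry as explicit `null`/`false`, so the element shape is no longer uniform across the `controls` array. If the upstream STIG rates this control as CAT II, set `"severity": "medium"` and `tag severity: 'medium'`, and add the missing tag keys as `null` so the entry matches its siblings. The fix text also ends with a mismatched typographic quote, `\"Disabled”.`, which should be a plain `\"` in the source control file.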
@@ -1518,35 +1551,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63453' do\n title \"The system must be configured to audit Detailed Tracking - Process\n Creation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process creation records events related to the creation of a process and\n the source.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000050'\n tag gid: 'V-63453'\n tag rid: 'SV-77943r1_rule'\n tag stig_id: 'WN10-AU-000050'\n tag fix_id: 'F-69381r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Detailed Tracking >> Process Creation - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Detailed Tracking >> \\\"Audit Process Creation\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Process Creation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Process Creation') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63841' do\n title 'Zone information must be preserved when saving attachments.'\n desc \"Preserving zone of origin (internet, intranet, local, restricted)\n information on file attachments allows Windows to determine risk.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UC-000020'\n tag gid: 'V-63841'\n tag rid: 'SV-78331r2_rule'\n tag stig_id: 'WN10-UC-000020'\n tag fix_id: 'F-78717r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"2\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)\"\n 
desc \"fix\", \"The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If this needs to be corrected, configure the policy value for User\n Configuration >> Administrative Templates >> Windows Components >> Attachment\n Manager >> \\\"Do not preserve zone information in file attachments\\\" to \\\"Not\n Configured\\\" or \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments') do\n it { should have_property 'SaveZoneInformation' }\n its('SaveZoneInformation') { should_not be 1 }\n end\n describe registry_key('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments') do\n it { should_not have_property 'SaveZoneInformation' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63453.rb", + "ref": "./Windows 10 STIG/controls/V-63841.rb", "line": 3 }, - "id": "V-63453" + "id": "V-63841" }, { - "title": "Data Execution Prevention (DEP) must be configured to at least OptOut.", - "desc": "Attackers are constantly looking for vulnerabilities in systems and\n applications. Data Execution Prevention (DEP) prevents harmful code from\n running in protected memory locations reserved for Windows and other programs.", + "title": "The network selection user interface (UI) must not be displayed on the\n logon screen.", + "desc": "Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing into Windows.", "descriptions": { - "default": "Attackers are constantly looking for vulnerabilities in systems and\n applications. 
Data Execution Prevention (DEP) prevents harmful code from\n running in protected memory locations reserved for Windows and other programs.", - "check": "Verify the DEP configuration.\n Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as\n administrator).\n Enter \"BCDEdit /enum {current}\". (If using PowerShell \"{current}\" must be\n enclosed in quotes.)\n If the value for \"nx\" is not \"OptOut\", this is a finding.\n (The more restrictive configuration of \"AlwaysOn\" would not be a finding.)", - "fix": "Configure DEP to at least OptOut.\n\n Note: Suspend BitLocker before making changes to the DEP configuration.\n\n Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as\n administrator).\n Enter \"BCDEDIT /set {current} nx OptOut\". (If using PowerShell \"{current}\"\n must be enclosed in quotes.)\n \"AlwaysOn\", a more restrictive selection, is also valid but does not allow\n applications that do not function properly to be opted out of DEP.\n\n Opted out exceptions can be configured in the \"System Properties\".\n\n Open \"System\" in Control Panel.\n Select \"Advanced system settings\".\n Click \"Settings\" in the \"Performance\" section.\n Select the \"Data Execution Prevention\" tab.\n Applications that are opted out are configured in the window below the\n selection \"Turn on DEP for all programs and services except those I select:\"." 
+ "default": "Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing into Windows.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> \"Do not display network\n selection UI\" to \"Enabled\"." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-00-000145", - "gid": "V-68845", - "rid": "SV-83439r2_rule", - "stig_id": "WN10-00-000145", - "fix_id": "F-75017r2_fix", + "severity": "medium", + "gtitle": "WN10-CC-000120", + "gid": "V-63629", + "rid": "SV-78119r1_rule", + "stig_id": "WN10-CC-000120", + "fix_id": "F-69559r1_fix", "cci": [ - "CCI-002824" + "CCI-000381" ], "nist": [ - "SI-16", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
@@ -1560,30 +1593,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-68845' do\n title 'Data Execution Prevention (DEP) must be configured to at least OptOut.'\n desc \"Attackers are constantly looking for vulnerabilities in systems and\n applications. Data Execution Prevention (DEP) prevents harmful code from\n running in protected memory locations reserved for Windows and other programs.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000145'\n tag gid: 'V-68845'\n tag rid: 'SV-83439r2_rule'\n tag stig_id: 'WN10-00-000145'\n tag fix_id: 'F-75017r2_fix'\n tag cci: ['CCI-002824']\n tag nist: %w[SI-16 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the DEP configuration.\n Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as\n administrator).\n Enter \\\"BCDEdit /enum {current}\\\". (If using PowerShell \\\"{current}\\\" must be\n enclosed in quotes.)\n If the value for \\\"nx\\\" is not \\\"OptOut\\\", this is a finding.\n (The more restrictive configuration of \\\"AlwaysOn\\\" would not be a finding.)\"\n desc \"fix\", \"Configure DEP to at least OptOut.\n\n Note: Suspend BitLocker before making changes to the DEP configuration.\n\n Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as\n administrator).\n Enter \\\"BCDEDIT /set {current} nx OptOut\\\". 
(If using PowerShell \\\"{current}\\\"\n must be enclosed in quotes.)\n \\\"AlwaysOn\\\", a more restrictive selection, is also valid but does not allow\n applications that do not function properly to be opted out of DEP.\n\n Opted out exceptions can be configured in the \\\"System Properties\\\".\n\n Open \\\"System\\\" in Control Panel.\n Select \\\"Advanced system settings\\\".\n Click \\\"Settings\\\" in the \\\"Performance\\\" section.\n Select the \\\"Data Execution Prevention\\\" tab.\n Applications that are opted out are configured in the window below the\n selection \\\"Turn on DEP for all programs and services except those I select:\\\".\"\n\n bcdedit = json(command: 'bcdedit /enum \"{current}\" | FindStr \"nx\" | ConvertTo-Json').params\n describe 'Verify the DEP configuration' do\n subject { bcdedit }\n it { should eq 'nx OptOut' }\n end\nend\n", + "code": "control 'V-63629' do\n title \"The network selection user interface (UI) must not be displayed on the\n logon screen.\"\n desc \"Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing into Windows.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000120'\n tag gid: 'V-63629'\n tag rid: 'SV-78119r1_rule'\n tag stig_id: 'WN10-CC-000120'\n tag fix_id: 'F-69559r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 
1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> \\\"Do not display network\n selection UI\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'DontDisplayNetworkSelectionUI' }\n its('DontDisplayNetworkSelectionUI') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-68845.rb", + "ref": "./Windows 10 STIG/controls/V-63629.rb", "line": 3 }, - "id": "V-68845" + "id": "V-63629" }, { - "title": "PKU2U authentication using online identities must be prevented.", - "desc": "PKU2U is a peer-to-peer authentication protocol. This setting\n prevents online identities from authenticating to domain-joined systems.\n Authentication will be centrally managed with Windows user accounts.", + "title": "A host-based firewall must be installed and enabled on the system.", + "desc": "A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.", "descriptions": { - "default": "PKU2U is a peer-to-peer authentication protocol. This setting\n prevents online identities from authenticating to domain-joined systems.\n Authentication will be centrally managed with Windows user accounts.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\pku2u\\\n\n Value Name: AllowOnlineID\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Allow PKU2U authentication requests to this computer to use\n online identities\" to \"Disabled\"." 
+ "default": "A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.", + "check": "Determine if a host-based firewall is installed and enabled on\n the system. If a host-based firewall is not installed and enabled on the\n system, this is a finding.\n\n The configuration requirements will be determined by the applicable firewall\n STIG.", + "fix": "Install and enable a host-based firewall on the system." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000185", - "gid": "V-63767", - "rid": "SV-78257r1_rule", - "stig_id": "WN10-SO-000185", - "fix_id": "F-69695r1_fix", + "gtitle": "WN10-00-000135", + "gid": "V-63399", + "rid": "SV-77889r1_rule", + "stig_id": "WN10-00-000135", + "fix_id": "F-69327r1_fix", "cci": [ "CCI-000366" ], 
@@ -1602,12 +1635,12 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63767' do\n title 'PKU2U authentication using online identities must be prevented.'\n desc \"PKU2U is a peer-to-peer authentication protocol. This setting\n prevents online identities from authenticating to domain-joined systems.\n Authentication will be centrally managed with Windows user accounts.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000185'\n tag gid: 'V-63767'\n tag rid: 'SV-78257r1_rule'\n tag stig_id: 'WN10-SO-000185'\n tag fix_id: 'F-69695r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\pku2u\\\\\n\n Value Name: AllowOnlineID\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Allow PKU2U authentication requests to this computer to use\n online identities\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\pku2u') do\n it { should have_property 'AllowOnlineID' }\n its('AllowOnlineID') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63399' do\n title 'A host-based firewall must be installed and enabled on the system.'\n desc \"A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.\"\n impact 0.5\n tag severity: 
'medium'\n tag gtitle: 'WN10-00-000135'\n tag gid: 'V-63399'\n tag rid: 'SV-77889r1_rule'\n tag stig_id: 'WN10-00-000135'\n tag fix_id: 'F-69327r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Determine if a host-based firewall is installed and enabled on\n the system. If a host-based firewall is not installed and enabled on the\n system, this is a finding.\n\n The configuration requirements will be determined by the applicable firewall\n STIG.\"\n\n desc \"fix\", 'Install and enable a host-based firewall on the system.'\n \n query_domain = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Domain' } | Select Enabled | ConvertTo-Json\" })\n query_private = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Private' } | Select Enabled | ConvertTo-Json\" })\n query_public = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Public' } | Select Enabled | ConvertTo-Json\" })\n \n describe.one do\n describe 'Windows Firewall should be Enabled' do\n subject { query_public.params[\"Enabled\"] }\n it 'The Public host-based firewall' do\n failure_message = \"is not Enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n describe 'Windows Firewall should be Enabled' do\n subject { query_private.params[\"Enabled\"] }\n it 'The Private host-based firewall' do\n failure_message = \"is not enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n describe 'Windows Firewall should be Enabled' do\n subject { 
query_domain.params[\"Enabled\"] }\n it 'The Domain host-based firewall' do\n failure_message = \"is not Enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63767.rb", + "ref": "./Windows 10 STIG/controls/V-63399.rb", "line": 3 }, - "id": "V-63767" + "id": "V-63399" }, { "title": "Windows 10 Exploit Protection system-level mitigation, Validate heap integrity, must be on.", 
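Review bot: The V-63399 test wraps the Domain, Private and Public profile checks in `describe.one`, so the control passes as long as any single profile reports `Enabled` = 1; a host whose Public (or Domain) profile has been turned off while another profile remains on is reported compliant, although the control requires the host-based firewall to be enabled on the system. Removing the `describe.one do` / matching `end` pair so the three `describe` blocks are evaluated unconditionally makes every profile have to be enabled, which is the conservative reading; if only the active profile is intended, that choice should be stated in a comment. Note also that the test only inspects the built-in Windows Firewall while the STIG check text accepts any host-based firewall, so a system running a third-party firewall with Windows Firewall disabled would be a false finding; a `# NOTE: only the Windows Defender Firewall profiles are checked; third-party firewalls are not detected` above the `query_*` lines would make that explicit. Minor: the failure messages differ in capitalisation (`"is not Enabled"` vs `"is not enabled"`).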
@@ -1652,29 +1685,27 @@ "id": "V-77103" }, { - "title": "The system must be configured to audit Logon/Logoff - Logon failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", + "title": "Windows 10 systems must be maintained at a supported servicing level.", + "desc": "Windows 10 is maintained by Microsoft at servicing levels for specific\n periods of time to support Windows as a Service. Systems at unsupported\n servicing levels or releases will not receive security updates for new\n vulnerabilities which leaves them subject to exploitation.\n\n New versions with feature updates are planned to be released on a\n semi-annual basis with an estimated support timeframe of 18 to 30 months\n depending on the release. Support for previously released versions has been\n extended for Enterprise editions.\n\n A separate servicing branch intended for special purpose systems is the\n Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive\n security updates for 10 years but excludes feature updates.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logon - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Failure\" selected." + "default": "Windows 10 is maintained by Microsoft at servicing levels for specific\n periods of time to support Windows as a Service. Systems at unsupported\n servicing levels or releases will not receive security updates for new\n vulnerabilities which leaves them subject to exploitation.\n\n New versions with feature updates are planned to be released on a\n semi-annual basis with an estimated support timeframe of 18 to 30 months\n depending on the release. 
Support for previously released versions has been\n extended for Enterprise editions.\n\n A separate servicing branch intended for special purpose systems is the\n Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive\n security updates for 10 years but excludes feature updates.", + "check": "Run \"winver.exe\".\n\n If the \"About Windows\" dialog box does not display:\n\n \"Microsoft Windows Version 1703 (OS Build 15063.0)\"\n\n or greater, this is a finding.\n\n Note: Microsoft has extended support for previous versions providing critical\n and important updates for Windows 10 Enterprise.\n\n Microsoft scheduled end of support dates for current Semi-Annual Channel\n versions:\n v1703 - 8 October 2019\n v1709 - 14 April 2020\n v1803 - 10 November 2020\n v1809 - 13 April 2021\n v1903 - 8 December 2020\n\n No preview versions will be used in a production environment.\n\n Special purpose systems using the Long-Term Servicing Branch\\Channel (LTSC\\B)\n may be at following versions which are not a finding:\n\n v1507 (Build 10240)\n v1607 (Build 14393)\n v1809 (Build 17763)", + "fix": "Update systems on the Semi-Annual Channel to \"Microsoft Windows\n Version 1703 (OS Build 15063.0)\" or greater.\n\n It is recommended systems be upgraded to the most recently released version.\n\n Special purpose systems using the Long-Term Servicing Branch\\Channel (LTSC\\B)\n may be at the following versions:\n\n v1507 (Build 10240)\n v1607 (Build 14393)\n v1809 (Build 17763)" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-AU-000070", - "gid": "V-63463", - "rid": "SV-77953r1_rule", - "stig_id": "WN10-AU-000070", - "fix_id": "F-69391r1_fix", + "severity": "high", + "gtitle": "WN10-00-000040", + "gid": "V-63349", + "rid": "SV-77839r9_rule", + "stig_id": "WN10-00-000040", + "fix_id": "F-98031r2_fix", "cci": [ - "CCI-000067", - "CCI-000172" + "CCI-000366" ], "nist": [ - "AC-17 (1)", - "AU-12 c", + "CM-6 b", 
"Rev_4" ], "false_negatives": null, 
@@ -1688,35 +1719,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63463' do\n title 'The system must be configured to audit Logon/Logoff - Logon failures.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000070'\n tag gid: 'V-63463'\n tag rid: 'SV-77953r1_rule'\n tag stig_id: 'WN10-AU-000070'\n tag fix_id: 'F-69391r1_fix'\n tag cci: %w[CCI-000067 CCI-000172]\n tag nist: ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logon - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Logon\\\" with \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63349' do\n title 'Windows 10 systems must be maintained at a supported servicing level.'\n desc \"Windows 10 is maintained by Microsoft at servicing levels for specific\n periods of time to support Windows as a Service. Systems at unsupported\n servicing levels or releases will not receive security updates for new\n vulnerabilities which leaves them subject to exploitation.\n\n New versions with feature updates are planned to be released on a\n semi-annual basis with an estimated support timeframe of 18 to 30 months\n depending on the release. 
Support for previously released versions has been\n extended for Enterprise editions.\n\n A separate servicing branch intended for special purpose systems is the\n Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive\n security updates for 10 years but excludes feature updates.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000040'\n tag gid: 'V-63349'\n tag rid: 'SV-77839r9_rule'\n tag stig_id: 'WN10-00-000040'\n tag fix_id: 'F-98031r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"winver.exe\\\".\n\n If the \\\"About Windows\\\" dialog box does not display:\n\n \\\"Microsoft Windows Version 1703 (OS Build 15063.0)\\\"\n\n or greater, this is a finding.\n\n Note: Microsoft has extended support for previous versions providing critical\n and important updates for Windows 10 Enterprise.\n\n Microsoft scheduled end of support dates for current Semi-Annual Channel\n versions:\n v1703 - 8 October 2019\n v1709 - 14 April 2020\n v1803 - 10 November 2020\n v1809 - 13 April 2021\n v1903 - 8 December 2020\n\n No preview versions will be used in a production environment.\n\n Special purpose systems using the Long-Term Servicing Branch\\\\Channel (LTSC\\\\B)\n may be at following versions which are not a finding:\n\n v1507 (Build 10240)\n v1607 (Build 14393)\n v1809 (Build 17763)\"\n\n desc \"fix\", \"Update systems on the Semi-Annual Channel to \\\"Microsoft Windows\n Version 1703 (OS Build 15063.0)\\\" or greater.\n\n It is recommended systems be upgraded to the most recently released version.\n\n Special purpose systems using the Long-Term Servicing Branch\\\\Channel (LTSC\\\\B)\n may be at the following 
versions:\n\n v1507 (Build 10240)\n v1607 (Build 14393)\n v1809 (Build 17763)\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion') do\n it { should have_property 'CurrentVersion' }\n its('CurrentVersion') { should be >= '6.3' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion') do\n it { should have_property 'CurrentBuildNumber' }\n its('ReleaseId') { should be >= '1703' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63463.rb", + "ref": "./Windows 10 STIG/controls/V-63349.rb", "line": 3 }, - "id": "V-63463" + "id": "V-63349" }, { - "title": "Internet connection sharing must be disabled.", - "desc": "Internet connection sharing makes it possible for an existing internet\n connection, such as through wireless, to be shared and used by other systems\n essentially creating a mobile hotspot. This exposes the system sharing the\n connection to others with potentially malicious purpose.", + "title": "The Enable computer and user accounts to be trusted for delegation\n user right must not be assigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\n right allows the \"Trusted for Delegation\" setting to be changed. This could\n potentially allow unauthorized users to impersonate other users.", "descriptions": { - "default": "Internet connection sharing makes it possible for an existing internet\n connection, such as through wireless, to be shared and used by other systems\n essentially creating a mobile hotspot. 
This exposes the system sharing the\n connection to others with potentially malicious purpose.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections\\\n\n Value Name: NC_ShowSharedAccessUI\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Connections >> \"Prohibit use of\n Internet Connection Sharing on your DNS domain network\" to \"Enabled\"." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\n right allows the \"Trusted for Delegation\" setting to be changed. This could\n potentially allow unauthorized users to impersonate other users.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Enable computer and user accounts\n to be trusted for delegation\" user right, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Enable computer and user accounts to be trusted for delegation\" to be\n defined but containing no entries (blank)." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-CC-000044",
- "gid": "V-71765",
- "rid": "SV-86389r1_rule",
- "stig_id": "WN10-CC-000044",
- "fix_id": "F-78117r2_fix",
+ "gtitle": "WN10-UR-000095",
+ "gid": "V-63881",
+ "rid": "SV-78371r1_rule",
+ "stig_id": "WN10-UR-000095",
+ "fix_id": "F-69809r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-002235"
 ],
 "nist": [
- "CM-7 a",
+ "AC-6 (10)",
 "Rev_4"
 ],
 "false_negatives": null,
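Review bot: The second `describe registry_key(...)` block in the new `code` for V-63349 guards with `it { should have_property 'CurrentBuildNumber' }` but then reads `ReleaseId`, so the presence check protects the wrong value and a host without `ReleaseId` fails on a nil-versus-string comparison instead of a clear missing-property finding; change the guard to `it { should have_property 'ReleaseId' }`, or compare `CurrentBuildNumber` against `'15063'` to match the `OS Build 15063.0` floor stated in the check text. The same check text exempts LTSC\B builds 10240, 14393 and 17763, yet `its('ReleaseId') { should be >= '1703' }` fails LTSB 2015/2016 systems (ReleaseId 1507 and 1607), so the code and the check text disagree; an LTSC branch keyed on `ProductName`, like the one the new V-63713 control in this diff uses, would close that gap. Be aware that the comparison is lexicographic on strings and only behaves numerically while both sides are four digits, and that `ReleaseId` stopped advancing at `2009` for releases after 20H2 (the `DisplayVersion` value is the newer indicator), so this floor check should be revisited if the profile is meant to track current releases. The first `describe` block's `CurrentVersion >= '6.3'` assertion is constant on every Windows 10 release and adds no signal; a comment such as `# CurrentVersion is fixed at 6.3 on Windows 10; ReleaseId carries the servicing level` would at least record why it is kept.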
@@ -1730,35 +1761,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-71765' do\n title 'Internet connection sharing must be disabled.'\n desc \"Internet connection sharing makes it possible for an existing internet\n connection, such as through wireless, to be shared and used by other systems\n essentially creating a mobile hotspot. This exposes the system sharing the\n connection to others with potentially malicious purpose.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000044'\n tag gid: 'V-71765'\n tag rid: 'SV-86389r1_rule'\n tag stig_id: 'WN10-CC-000044'\n tag fix_id: 'F-78117r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Network Connections\\\\\n\n Value Name: NC_ShowSharedAccessUI\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Connections >> \\\"Prohibit use of\n Internet Connection Sharing on your DNS domain network\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections') do\n it { should have_property 'NC_ShowSharedAccessUI' }\n its('NC_ShowSharedAccessUI') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63881' do\n title \"The Enable computer and user accounts to be trusted for delegation\n user right must not be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user 
rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Enable computer and user accounts to be trusted for delegation\\\" user\n right allows the \\\"Trusted for Delegation\\\" setting to be changed. This could\n potentially allow unauthorized users to impersonate other users.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000095'\n tag gid: 'V-63881'\n tag rid: 'SV-78371r1_rule'\n tag stig_id: 'WN10-UR-000095'\n tag fix_id: 'F-69809r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Enable computer and user accounts\n to be trusted for delegation\\\" user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Enable computer and user accounts to be trusted for delegation\\\" to be\n defined but containing no entries (blank).\"\n\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-71765.rb", + "ref": "./Windows 10 STIG/controls/V-63881.rb", "line": 3 }, - "id": "V-71765" + "id": "V-63881" }, { - "title": "The Lock pages in memory user right must not be assigned to any groups\n or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, 
and other high level capabilities.\n\n The \"Lock pages in memory\" user right allows physical memory to be\n assigned to processes, which could cause performance issues or a DoS.", + "title": "The Windows Defender SmartScreen filter for Microsoft Edge must be\n enabled.", + "desc": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Lock pages in memory\" user right allows physical memory to be\n assigned to processes, which could cause performance issues or a DoS.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Lock pages in memory\" user right,\n this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Lock pages in memory\" to be defined but containing no entries (blank)." 
+ "default": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites.", + "check": "This is applicable to unclassified systems, for other systems\n this is NA.\n\n Windows 10 LTSC\\B versions do not include Microsoft Edge, this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter\\\n\n Value Name: EnabledV9\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \"Configure\n Windows Defender SmartScreen\" to \"Enabled\".\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Microsoft Edge." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000125", - "gid": "V-63925", - "rid": "SV-78415r1_rule", - "stig_id": "WN10-UR-000125", - "fix_id": "F-69853r1_fix", + "gtitle": "WN10-CC-000250", + "gid": "V-63713", + "rid": "SV-78203r6_rule", + "stig_id": "WN10-CC-000250", + "fix_id": "F-98467r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -1772,35 +1803,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63925' do\n title \"The Lock pages in memory user right must not be assigned to any groups\n or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Lock pages in memory\\\" user right allows physical memory to be\n assigned to processes, which could cause performance issues or a DoS.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000125'\n tag gid: 'V-63925'\n tag rid: 'SV-78415r1_rule'\n tag stig_id: 'WN10-UR-000125'\n tag fix_id: 'F-69853r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Lock pages in memory\\\" user right,\n this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Lock pages in memory\\\" to be defined but containing no entries (blank).\"\n\n describe security_policy do\n its('SeLockMemoryPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-63713' do\n title \"The Windows Defender SmartScreen filter for Microsoft Edge must be\n enabled.\"\n desc \"The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites.\"\n impact 0.5\n tag severity: 
'medium'\n tag gtitle: 'WN10-CC-000250'\n tag gid: 'V-63713'\n tag rid: 'SV-78203r6_rule'\n tag stig_id: 'WN10-CC-000250'\n tag fix_id: 'F-98467r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems, for other systems\n this is NA.\n\n Windows 10 LTSC\\\\B versions do not include Microsoft Edge, this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\PhishingFilter\\\\\n\n Value Name: EnabledV9\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \\\"Configure\n Windows Defender SmartScreen\\\" to \\\"Enabled\\\".\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Microsoft Edge.\"\n\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ProductName == 'Windows 10 Enterprise 2016 LTSB' || registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ProductName == 'Windows 10 Enterprise 2016 LTSC'\n impact 0.0\n describe 'This System is running either Windows 10 LTSB or Windows 10 LTSC, The Control is NA' do\n skip 'This System is running either Windows 10 LTSB or Windows 10 LTSC, The Control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter') do\n it { should have_property 'EnabledV9' }\n its('EnabledV9') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63925.rb", + "ref": "./Windows 10 STIG/controls/V-63713.rb", "line": 3 }, - "id": "V-63925" + "id": "V-63713" }, { - "title": "The Create global objects user right must only be assigned to\n Administrators, Service, Local Service, and Network Service.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create global objects\" user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.", + "title": "Alternate operating systems must not be permitted on the same system.", + "desc": "Allowing other operating systems to run on a secure system may allow\n security to be circumvented.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create global objects\" user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n 
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Create\n global objects\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create global objects\" to only include the following groups or accounts:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE" + "default": "Allowing other operating systems to run on a secure system may allow\n security to be circumvented.", + "check": "Verify the system does not include other operating system\n installations.\n\n Run \"Advanced System Settings\".\n Select the \"Advanced\" tab.\n Click the \"Settings\" button in the \"Startup and Recovery\" section.\n\n If the drop-down list box \"Default operating system:\" shows any operating\n system other than Windows 10, this is a finding.", + "fix": "Ensure Windows 10 is the only operating system on a device. Remove\n alternate operating systems." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000050", - "gid": "V-63861", - "rid": "SV-78351r1_rule", - "stig_id": "WN10-UR-000050", - "fix_id": "F-69789r1_fix", + "gtitle": "WN10-00-000055", + "gid": "V-63355", + "rid": "SV-77845r1_rule", + "stig_id": "WN10-00-000055", + "fix_id": "F-69275r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
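Review bot: The LTSC exemption in the new `code` for V-63713 matches only the two literal `ProductName` strings `Windows 10 Enterprise 2016 LTSB` and `Windows 10 Enterprise 2016 LTSC`, while the check text says LTSC\B versions in general do not include Microsoft Edge; other LTSB/LTSC editions (the 2015 and 2019 releases carry different `ProductName` strings, as far as I know) fall through to the `PhishingFilter` registry check and are reported as findings. Evaluating the key once and matching the family rather than a fixed string, `product_name = registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName.to_s` followed by `elsif product_name.match?(/LTS[BC]/)`, covers those editions and removes the duplicated `registry_key(...)` call in the `elsif` condition. The `input('sensitive_system') == 'true'` test compares against the string `'true'`; the input's declaration is outside this hunk, and if it is typed as a boolean the sensitive-system branch can never be taken, so either confirm the declared type or compare with `input('sensitive_system').to_s == 'true'`. The NA branches also set `impact 0.0` before the `describe`/`skip`, which is the right shape, but the skip message and the describe title repeat the same sentence verbatim — a single local string would keep them from drifting apart.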
@@ -1814,35 +1845,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63861' do\n title \"The Create global objects user right must only be assigned to\n Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Create global objects\\\" user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000050'\n tag gid: 'V-63861'\n tag rid: 'SV-78351r1_rule'\n tag stig_id: 'WN10-UR-000050'\n tag fix_id: 'F-69789r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Create\n global objects\\\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create global objects\\\" to only include the following groups or accounts:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE\"\n\n describe security_policy do\n its('SeCreateGlobalPrivilege') { should be_in ['S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'] }\n end\nend\n", + "code": "control 
'V-63355' do\n title 'Alternate operating systems must not be permitted on the same system.'\n desc \"Allowing other operating systems to run on a secure system may allow\n security to be circumvented.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000055'\n tag gid: 'V-63355'\n tag rid: 'SV-77845r1_rule'\n tag stig_id: 'WN10-00-000055'\n tag fix_id: 'F-69275r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the system does not include other operating system\n installations.\n\n Run \\\"Advanced System Settings\\\".\n Select the \\\"Advanced\\\" tab.\n Click the \\\"Settings\\\" button in the \\\"Startup and Recovery\\\" section.\n\n If the drop-down list box \\\"Default operating system:\\\" shows any operating\n system other than Windows 10, this is a finding.\"\n\n desc \"fix\", \"Ensure Windows 10 is the only operating system on a device. Remove\n alternate operating systems.\"\n\n describe command(\"bcdedit | Findstr description | Findstr /v /c:'Windows Boot Manager'\") do\n its('stdout') { should eq \"description Windows 10\\r\\n\" }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63861.rb", + "ref": "./Windows 10 STIG/controls/V-63355.rb", "line": 3 }, - "id": "V-63861" + "id": "V-63355" }, { - "title": "The password manager function in the Edge browser must be disabled.", - "desc": "Passwords save locally for re-use when browsing may be subject to\n compromise. Disabling the Edge password manager will prevent this for the\n browser.", + "title": "The Application event log size must be configured to 32768 KB or\n greater.", + "desc": "Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", "descriptions": { - "default": "Passwords save locally for re-use when browsing may be subject to\n compromise. Disabling the Edge password manager will prevent this for the\n browser.", - "check": "Windows 10 LTSC\\B versions do not include Microsoft Edge, this\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main\\\n\n Value Name: FormSuggest Passwords\n\n Type: REG_SZ\n Value: no", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \"Configure\n Password Manager\" to \"Disabled\"." + "default": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "check": "If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", + "fix": "If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> Event Log Service >> Application >>\n \"Specify the maximum log file size (KB)\" to \"Enabled\" with a \"Maximum Log\n Size (KB)\" of \"32768\" or greater." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000245", - "gid": "V-63709", - "rid": "SV-78199r4_rule", - "stig_id": "WN10-CC-000245", - "fix_id": "F-83245r1_fix", + "gtitle": "WN10-AU-000500", + "gid": "V-63519", + "rid": "SV-78009r1_rule", + "stig_id": "WN10-AU-000500", + "fix_id": "F-69449r1_fix", "cci": [ - "CCI-000366" + "CCI-001849" ], "nist": [ - "CM-6 b", + "AU-4", "Rev_4" ], "false_negatives": null, 
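Review bot: The V-63355 check embedded in the `code` string on L1650 asserts the byte-exact stdout `"description Windows 10\r\n"` from `bcdedit | Findstr description | Findstr /v /c:'Windows Boot Manager'`, so a boot entry whose description was renamed or localized, or output with different whitespace, reports a finding even when Windows 10 is the only operating system. A pattern assertion such as `its('stdout') { should match(/\Adescription\s+Windows 10\r?\n\z/) }` still requires exactly one non-boot-manager entry and that it be Windows 10, without depending on exact bytes. bcdedit also requires elevation; when run unelevated the empty stdout presumably surfaces as a finding rather than an error, which deserves a comment in the control. The JSON object for this control begins before the hunk and the `controls` array continues past it.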
@@ -1856,37 +1887,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63709' do\n title 'The password manager function in the Edge browser must be disabled.'\n desc \"Passwords save locally for re-use when browsing may be subject to\n compromise. Disabling the Edge password manager will prevent this for the\n browser.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000245'\n tag gid: 'V-63709'\n tag rid: 'SV-78199r4_rule'\n tag stig_id: 'WN10-CC-000245'\n tag fix_id: 'F-83245r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Windows 10 LTSC\\\\B versions do not include Microsoft Edge, this\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\Main\\\\\n\n Value Name: FormSuggest Passwords\n\n Type: REG_SZ\n Value: no\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \\\"Configure\n Password Manager\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main') do\n it { should have_property 'FormSuggest Passwords' }\n its('FormSuggest Passwords') { should cmp 'no' }\n end\nend\n", + "code": "control 'V-63519' do\n title \"The Application event log size must be configured to 32768 KB or\n greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000500'\n tag gid: 'V-63519'\n tag rid: 'SV-78009r1_rule'\n tag stig_id: 'WN10-AU-000500'\n tag fix_id: 'F-69449r1_fix'\n tag cci: ['CCI-001849']\n tag nist: %w[AU-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Application\\\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n\n desc \"fix\", \"If the system is configured to send audit records directly to an\n audit server, this is NA. 
This must be documented with the ISSO.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> Event Log Service >> Application >>\n \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum Log\n Size (KB)\\\" of \\\"32768\\\" or greater.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 32_768 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63709.rb", + "ref": "./Windows 10 STIG/controls/V-63519.rb", "line": 3 }, - "id": "V-63709" + "id": "V-63519" }, { - "title": "The system must be configured to audit Logon/Logoff - Logon successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", + "title": "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.", + "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. 
File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older network\n attached devices may only support SMBv1.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logon - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Success\" selected." 
+ "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older network\n attached devices may only support SMBv1.", + "check": "Different methods are available to disable SMBv1 on Windows 10,\n if V-70639 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a\n finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Configure SMBv1 client\n driver\" to \"Enabled\" with \"Disable driver (recommended)\" selected for\n \"Configure MrxSmb10 driver\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively.\n\n The system must be restarted for the changes to take effect." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000075", - "gid": "V-63467", - "rid": "SV-77957r1_rule", - "stig_id": "WN10-AU-000075", - "fix_id": "F-69395r1_fix", + "gtitle": "WN10-00-000170", + "gid": "V-74725", + "rid": "SV-89399r1_rule", + "stig_id": "WN10-00-000170", + "fix_id": "F-81339r3_fix", "cci": [ - "CCI-000067", - "CCI-000172" + "CCI-000381" ], "nist": [ - "AC-17 (1)", - "AU-12 c", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
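Review bot: The new V-74725 entry records `"impact": 0` on L1658 while its tags keep `"severity": "medium"` and the control's own `impact 0.5` declaration (in the `code` string of the next hunk, L1661) disagrees; the 0 presumably comes from an export run in which one of the control's runtime `impact 0.0` branches fired, so the committed baseline now advertises this control as not applicable to every consumer. The export should carry the declared value, `"impact": 0.5,`, with the runtime override left to the code. Separately, the V-63519 check text on L1654 says the control is NA when records go directly to an audit server, but the `describe registry_key(...)` block on L1655 has no input or condition expressing that exemption, so such systems will always report a finding. Both control objects extend beyond this hunk's boundaries.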
@@ -1900,35 +1929,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63467' do\n title 'The system must be configured to audit Logon/Logoff - Logon successes.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000075'\n tag gid: 'V-63467'\n tag rid: 'SV-77957r1_rule'\n tag stig_id: 'WN10-AU-000075'\n tag fix_id: 'F-69395r1_fix'\n tag cci: %w[CCI-000067 CCI-000172]\n tag nist: ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logon - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Logon\\\" with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-74725' do\n title 'The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.'\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. 
Some older network\n attached devices may only support SMBv1.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000170'\n tag gid: 'V-74725'\n tag rid: 'SV-89399r1_rule'\n tag stig_id: 'WN10-00-000170'\n tag fix_id: 'F-81339r3_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows 10,\n if V-70639 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a\n finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10\\\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Configure SMBv1 client\n driver\\\" to \\\"Enabled\\\" with \\\"Disable driver (recommended)\\\" selected for\n \\\"Configure MrxSmb10 driver\\\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\n\n The system must be restarted for the changes to take effect. 
\"\n\n smb1protocol = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params\n state = smb1protocol['State']\n\n if state == \"Disabled\"\n impact 0.0\n describe 'V-70639 is configured, this control is NA' do\n skip 'V-70639 is configured, this control is NA'\n end\n elsif windows_feature('FS-SMB1').installed?\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10') do\n it { should have_property 'Start' }\n its('Start') { should cmp 4 }\n end\n else\n impact 0.0\n describe 'SMBv1 is not installed on this system, therefore this control is not applicable' do\n skip 'SMBv1 is not installed on this system, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63467.rb", + "ref": "./Windows 10 STIG/controls/V-74725.rb", "line": 3 }, - "id": "V-63467" + "id": "V-74725" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for firefox.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The password history must be configured to 24 passwords remembered.", + "desc": "A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change a\n password to a unique password on a regularly scheduled basis. This enables\n users to effectively negate the purpose of mandating periodic password changes.\n The default value is 24 for Windows domain systems. 
DoD has decided this is\n the appropriate value for all Windows systems.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name firefox.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Override DEP: False\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for firefox.exe:\n\n DEP:\n Override DEP: False\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
+ "default": "A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change a\n password to a unique password on a regularly scheduled basis. This enables\n users to effectively negate the purpose of mandating periodic password changes.\n The default value is 24 for Windows domain systems. DoD has decided this is\n the appropriate value for all Windows systems.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \"Enforce password history\" is less than 24 passwords\n remembered, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Enforce password history\" to 24 passwords remembered." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000110", - "gid": "V-77205", - "rid": "SV-91901r3_rule", - "stig_id": "WN10-EP-000110", - "fix_id": "F-86915r1_fix", + "gtitle": "WN10-AC-000020", + "gid": "V-63415", + "rid": "SV-77905r2_rule", + "stig_id": "WN10-AC-000020", + "fix_id": "F-69343r1_fix", "cci": [ - "CCI-000366" + "CCI-000200" ], "nist": [ - "CM-6 b", + "IA-5 (1) (e)", "Rev_4" ], "false_negatives": null, 
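Review bot: In the V-74725 code on L1662, the registry check is reached only when `windows_feature('FS-SMB1').installed?` is true, even though the branch before it already holds the optional-feature state from `Get-WindowsOptionalFeature ... SMB1Protocol`; `FS-SMB1` is the server-role feature name, so on a Windows 10 client with SMB1 enabled this branch is likely never taken and the control falls through to the "not installed" skip with `impact 0.0`, a silent pass. Deciding on the value already fetched, `elsif state == 'Enabled'`, uses the client feature name the control itself queries. The `smb1protocol['State']` lookup also has no guard for an empty or failed PowerShell result, in which case `.params` may not be a Hash and the control errors instead of reporting; a nil check with a descriptive skip would make that failure visible. The V-63415 object that starts at the end of this hunk continues into the next one.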
@@ -1942,30 +1971,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77205' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for firefox.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000110'\n tag gid: 'V-77205'\n tag rid: 'SV-91901r3_rule'\n tag stig_id: 'WN10-EP-000110'\n tag fix_id: 'F-86915r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name firefox.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Override DEP: False\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for firefox.exe:\n\n DEP:\n Override DEP: False\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name firefox.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be enabled on Firefox' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n\n aslr = json( command: 'Get-ProcessMitigation -Name firefox.exe | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Firefox' do\n subject { aslr }\n its(['BottomUp']) { should_not eq '2' }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n end\nend", + "code": "control 'V-63415' do\n title 'The password history must be configured to 24 passwords remembered.'\n desc \"A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change a\n password to a unique password on a regularly scheduled basis. This enables\n users to effectively negate the purpose of mandating periodic password changes.\n The default value is 24 for Windows domain systems. 
DoD has decided this is\n the appropriate value for all Windows systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000020'\n tag gid: 'V-63415'\n tag rid: 'SV-77905r2_rule'\n tag stig_id: 'WN10-AC-000020'\n tag fix_id: 'F-69343r1_fix'\n tag cci: ['CCI-000200']\n tag nist: ['IA-5 (1) (e)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \\\"Enforce password history\\\" is less than #{input('pass_hist_size')} passwords\n remembered, this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Enforce password history\\\" to #{input('pass_hist_size')} passwords remembered.\"\n\n describe security_policy do\n its('PasswordHistorySize') { should be >= input('pass_hist_size') }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77205.rb", + "ref": "./Windows 10 STIG/controls/V-63415.rb", "line": 3 }, - "id": "V-77205" + "id": "V-63415" }, { - "title": "Software certificate installation files must be removed from Windows 10.", - "desc": "Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.", + "title": "Group Policy objects must be reprocessed even if they have not\n changed.", + "desc": "Enabling this setting and then selecting the \"Process even if the\n Group Policy objects have 
not changed\" option ensures that the policies will\n be reprocessed even if none have been changed. This way, any unauthorized\n changes are forced to match the domain-based group policy settings again.", "descriptions": { - "default": "Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.", - "check": "Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement for\n .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight\n certificate files. Some applications create files with extensions of .p12 that\n are not certificate installation files. Removal of non-certificate installation\n files from systems is not required. These must be documented with the ISSO.", - "fix": "Remove any certificate installation files (*.p12 and *.pfx) found\n on a system.\n\n Note: This does not apply to server-based applications that have a requirement\n for .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight\n certificate files." + "default": "Enabling this setting and then selecting the \"Process even if the\n Group Policy objects have not changed\" option ensures that the policies will\n be reprocessed even if none have been changed. 
This way, any unauthorized\n changes are forced to match the domain-based group policy settings again.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Group\n Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\n\n Value Name: NoGPOListChanges\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Group Policy >> \"Configure registry\n policy processing\" to \"Enabled\" and select the option \"Process even if the\n Group Policy objects have not changed\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000130", - "gid": "V-63393", - "rid": "SV-77883r2_rule", - "stig_id": "WN10-00-000130", - "fix_id": "F-100989r1_fix", + "gtitle": "WN10-CC-000090", + "gid": "V-63609", + "rid": "SV-78099r1_rule", + "stig_id": "WN10-CC-000090", + "fix_id": "F-69539r1_fix", "cci": [ "CCI-000366" ], 
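Review bot: The V-63415 comparison on L1668, `its('PasswordHistorySize') { should be >= input('pass_hist_size') }`, does not normalise the input's type, so a value supplied as a string from an input file or the command line would make the Integer comparison raise rather than produce a result; `should be >= input('pass_hist_size').to_i` avoids that, or the input should be declared with `type: Numeric` where it is defined. The exported `descriptions` on L1664 also show the literal "24" where the code interpolates `#{input('pass_hist_size')}`, so a tailored value below 24 passes the check while the baseline text still claims 24; the input's definition (outside this hunk) should document 24 as the floor the STIG requires. The V-63609 object at the end of this hunk continues past it.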
@@ -1984,35 +2013,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63393' do\n title 'Software certificate installation files must be removed from Windows 10.'\n desc \"Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000130'\n tag gid: 'V-63393'\n tag rid: 'SV-77883r2_rule'\n tag stig_id: 'WN10-00-000130'\n tag fix_id: 'F-100989r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement for\n .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight\n certificate files. Some applications create files with extensions of .p12 that\n are not certificate installation files. Removal of non-certificate installation\n files from systems is not required. 
These must be documented with the ISSO.\"\n\n desc \"fix\", \"Remove any certificate installation files (*.p12 and *.pfx) found\n on a system.\n\n Note: This does not apply to server-based applications that have a requirement\n for .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight\n certificate files.\"\n\n describe command('where /R c: *.p12 *.pfx') do\n its('stdout') { should eq '' }\n end\nend\n", + "code": "control 'V-63609' do\n title \"Group Policy objects must be reprocessed even if they have not\n changed.\"\n desc \"Enabling this setting and then selecting the \\\"Process even if the\n Group Policy objects have not changed\\\" option ensures that the policies will\n be reprocessed even if none have been changed. This way, any unauthorized\n changes are forced to match the domain-based group policy settings again.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000090'\n tag gid: 'V-63609'\n tag rid: 'SV-78099r1_rule'\n tag stig_id: 'WN10-CC-000090'\n tag fix_id: 'F-69539r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Group\n Policy\\\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\n\n Value Name: NoGPOListChanges\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Group Policy >> \\\"Configure registry\n policy processing\\\" to \\\"Enabled\\\" and select the option \\\"Process even if the\n Group Policy 
objects have not changed\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}') do\n it { should have_property 'NoGPOListChanges' }\n its('NoGPOListChanges') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63393.rb", + "ref": "./Windows 10 STIG/controls/V-63609.rb", "line": 3 }, - "id": "V-63393" + "id": "V-63609" }, { - "title": "Turning off File Explorer heap termination on corruption must be\n disabled.", - "desc": "Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for\n wordpad.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. 
Disabling this feature will prevent this.", - "check": "The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", - "fix": "The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \"Turn off heap termination on corruption\" to \"Not Configured\"\n or \"Disabled\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name wordpad.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for wordpad.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location 
defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-CC-000220", - "gid": "V-63691", - "rid": "SV-78181r3_rule", - "stig_id": "WN10-CC-000220", - "fix_id": "F-78109r3_fix", + "severity": "medium", + "gtitle": "WN10-EP-000300", + "gid": "V-77269", + "rid": "SV-91965r3_rule", + "stig_id": "WN10-EP-000300", + "fix_id": "F-84515r4_fix", "cci": [ - "CCI-002385" + "CCI-000366" ], "nist": [ - "SC-5", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -2026,35 +2055,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63691' do\n title \"Turning off File Explorer heap termination on corruption must be\n disabled.\"\n desc \"Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000220'\n tag gid: 'V-63691'\n tag rid: 'SV-78181r3_rule'\n tag stig_id: 'WN10-CC-000220'\n tag fix_id: 'F-78109r3_fix'\n tag cci: ['CCI-002385']\n tag nist: %w[SC-5 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \\\"Turn off heap termination on corruption\\\" to \\\"Not Configured\\\"\n or \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should_not have_property 
'NoHeapTerminationOnCorruption' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoHeapTerminationOnCorruption' }\n its('NoHeapTerminationOnCorruption') { should_not be 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoHeapTerminationOnCorruption' }\n its('NoHeapTerminationOnCorruption') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-77269' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n wordpad.exe.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000300'\n tag gid: 'V-77269'\n tag rid: 'SV-91965r3_rule'\n tag stig_id: 'WN10-EP-000300'\n tag fix_id: 'F-84515r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name wordpad.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n 
OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for wordpad.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId <= '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name wordpad.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on WordPad' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name wordpad.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on WordPad' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63691.rb", + "ref": "./Windows 10 STIG/controls/V-77269.rb", "line": 3 }, - "id": "V-63691" + "id": "V-77269" }, { - "title": "Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.", - "desc": "Accounts or groups given rights on a system may show up as unresolved\n SIDs for various reasons including deletion of the accounts or groups. If the\n account or group objects are reanimated, there is a potential they may still\n have rights no longer intended. 
Valid domain accounts or groups may also show\n up as unresolved SIDs if a connection to the domain cannot be established for\n some reason.", + "title": "Local administrator accounts must have their privileged token filtered\n to prevent elevated privileges from being used over the network on domain\n systems.", + "desc": "A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for\n built-in administrator accounts will prevent the elevated privileges of these\n accounts from being used over the network.", "descriptions": { - "default": "Accounts or groups given rights on a system may show up as unresolved\n SIDs for various reasons including deletion of the accounts or groups. If the\n account or group objects are reanimated, there is a potential they may still\n have rights no longer intended. Valid domain accounts or groups may also show\n up as unresolved SIDs if a connection to the domain cannot be established for\n some reason.", - "check": "Review the effective User Rights setting in Local Group Policy\n Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether they\n are valid, such as due to being temporarily disconnected from the domain.\n (Unresolved SIDs have the format of \"*S-1-…\".)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\n groups, this is a finding.", - "fix": "Remove any unresolved SIDs found in User Rights assignments and\n determined to not be for currently valid accounts or groups by removing the\n accounts or groups from the appropriate group policy." 
+ "default": "A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for\n built-in administrator accounts will prevent the elevated privileges of these\n accounts from being used over the network.", + "check": "If the system is not a member of a domain, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Apply UAC restrictions to\n local accounts on network logons\" to \"Enabled\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must\n be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000190", - "gid": "V-76505", - "rid": "SV-91201r1_rule", - "stig_id": "WN10-00-000190", - "fix_id": "F-83185r1_fix", + "gtitle": "WN10-CC-000037", + "gid": "V-63597", + "rid": "SV-78087r2_rule", + "stig_id": "WN10-CC-000037", + "fix_id": "F-78099r3_fix", "cci": [ - "CCI-000366" + "CCI-001084" ], "nist": [ - "CM-6 b", + "SC-3", "Rev_4" ], "false_negatives": null, 
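Review bot: The mitigation assertions in the new `code` for V-77269 — `its(['OverrideDEP']) { should_not eq 'true' }` and the six Payload ones — compare against the string `'true'`, but `ConvertTo-Json` emits booleans as JSON `true`/`false` and the selected property is nested under the `DEP`/`Payload` key, so the parsed value is most likely a Ruby boolean or `nil` and `should_not eq 'true'` passes whatever the host's state; the control cannot produce a finding. The assertions should address the nested boolean, e.g. `its(['DEP', 'OverrideDEP']) { should eq false }` and `its(['Payload', 'OverrideEnableExportAddressFilter']) { should eq false }`, as sketched below. Separately, the version gate `ReleaseId <= '1709'` marks 1709 itself as not applicable although the check text says the control applies from v1709 (and it is a lexicographic string comparison), and the `|| nil` on the `sensitive_system` condition is a no-op; `< '1709'` and a plain `== 'true'` read as intended. Since this file appears to be an InSpec JSON export, the change belongs in `./Windows 10 STIG/controls/V-77269.rb` and should be re-exported from there.
```ruby
elsif registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId < '1709'
  # … unchanged: not-applicable skip for pre-1709 hosts …
else
  dep = json(command: 'Get-ProcessMitigation -Name wordpad.exe | Select DEP | ConvertTo-Json').params
  describe 'OverRide DEP is required to be false on WordPad' do
    subject { dep }
    its(['DEP', 'OverrideDEP']) { should eq false }
  end
  payload = json(command: 'Get-ProcessMitigation -Name wordpad.exe | Select Payload | ConvertTo-Json').params
  describe 'Payload override mitigations are required to be false on WordPad' do
    subject { payload }
    %w[OverrideEnableExportAddressFilter OverrideEnableExportAddressFilterPlus
       OverrideEnableImportAddressFilter OverrideEnableRopStackPivot
       OverrideEnableRopCallerCheck OverrideEnableRopSimExec].each do |name|
      its(['Payload', name]) { should eq false }
    end
  end
end
```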
@@ -2068,47 +2097,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-76505' do\n title 'Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.'\n desc \"Accounts or groups given rights on a system may show up as unresolved\n SIDs for various reasons including deletion of the accounts or groups. If the\n account or group objects are reanimated, there is a potential they may still\n have rights no longer intended. Valid domain accounts or groups may also show\n up as unresolved SIDs if a connection to the domain cannot be established for\n some reason.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000190'\n tag gid: 'V-76505'\n tag rid: 'SV-91201r1_rule'\n tag stig_id: 'WN10-00-000190'\n tag fix_id: 'F-83185r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Review the effective User Rights setting in Local Group Policy\n Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether they\n are valid, such as due to being temporarily disconnected from the domain.\n (Unresolved SIDs have the format of \\\"*S-1-…\\\".)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\n groups, this is a finding.\"\n desc \"fix\", \"Remove any unresolved SIDs found in User Rights assignments and\n determined to not be for currently valid accounts or groups by removing the\n accounts or groups from the appropriate group policy.\"\n\n describe 'A manual review is required to ensure 
orphaned security identifiers (SIDs) are removed from user rights on Windows 2012 / 2012 R2' do\n skip 'A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights on Windows 2012 / 2012 R2'\n end\nend\n", + "code": "control 'V-63597' do\n title \"Local administrator accounts must have their privileged token filtered\n to prevent elevated privileges from being used over the network on domain\n systems.\"\n\n desc \"A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for\n built-in administrator accounts will prevent the elevated privileges of these\n accounts from being used over the network.\"\n\n impact 0.5\n\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000037'\n tag gid: 'V-63597'\n tag rid: 'SV-78087r2_rule'\n tag stig_id: 'WN10-CC-000037'\n tag fix_id: 'F-78099r3_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the system is not a member of a domain, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Apply UAC restrictions to\n local accounts on network logons\\\" to \\\"Enabled\\\".\n\n This policy setting requires the installation of the SecGuide 
custom templates\n included with the STIG package. \\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must\n be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'LocalAccountTokenFilterPolicy' }\n its('LocalAccountTokenFilterPolicy') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-76505.rb", + "ref": "./Windows 10 STIG/controls/V-63597.rb", "line": 3 }, - "id": "V-76505" + "id": "V-63597" }, { - "title": "The system must be configured to audit Account Management - User\n Account Management failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", + "title": "Permissions for system files and directories must conform to minimum\n requirements.", + "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Management >> User Account Management - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \"Audit User Account Management\" with\n \"Failure\" selected." + "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.", + "check": "The default file system permissions are adequate when the\n Security Option \"Network access: Let Everyone permissions apply to anonymous\n users\" is set to \"Disabled\" (WN10-SO-000160).\n\n If the default file system permissions are maintained and the referenced option\n is set to \"Disabled\", this is not a finding.\n\n Verify the default permissions for the sample directories below. Non-privileged\n groups such as Users or Authenticated Users must not have greater than Read &\n execute permissions except where noted as defaults. 
(Individual accounts must\n not be used to assign permissions.)\n\n Viewing in File Explorer:\n Select the \"Security\" tab, and the \"Advanced\" button.\n\n C:\\\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Administrators - Full control - This folder, subfolders and files\n SYSTEM - Full control - This folder, subfolders and files\n Users - Read & execute - This folder, subfolders and files\n Authenticated Users - Modify - Subfolders and files only\n Authenticated Users - Create folders / append data - This folder only\n\n \\Program Files\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders\n and files\n\n \\Windows\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders\n and files\n\n Alternately use icacls.\n\n Run \"CMD\" as administrator.\n Enter \"icacls\" followed 
by the directory.\n\n icacls c:\\\n icacls \"c:\\program files\"\n icacls c:\\windows\n\n The following results will be displayed as each is entered:\n\n c:\\\n BUILTIN\\Administrators:(OI)(CI)(F)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\Users:(OI)(CI)(RX)\n NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(M)\n NT AUTHORITY\\Authenticated Users:(AD)\n Mandatory Label\\High Mandatory Level:(OI)(NP)(IO)(NW)\n Successfully processed 1 files; Failed processing 0 files\n\n c:\\program files\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\n\n c:\\windows\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files", + "fix": "Maintain the default file system permissions and configure the\n Security Option: \"Network access: Let everyone permissions apply 
to anonymous\n users\" to \"Disabled\" (WN10-SO-000160)." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000035", - "gid": "V-63447", - "rid": "SV-77937r1_rule", - "stig_id": "WN10-AU-000035", - "fix_id": "F-69375r1_fix", + "gtitle": "WN10-00-000095", + "gid": "V-63373", + "rid": "SV-77863r2_rule", + "stig_id": "WN10-00-000095", + "fix_id": "F-69295r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130", - "CCI-002234" + "CCI-002165" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)", - "AC-2 (4)", - "AC-2\n(4)", - "AC-6 (9)", + "AC-3 (4)", "Rev_4" ], "false_negatives": null, 
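Review bot: The domain-membership gate in the new `code` for V-63597, `if is_domain == 'WORKGROUP'`, only recognises the default workgroup name, so a standalone host in a renamed workgroup is treated as domain-joined and flagged for a registry value the check text declares NA, while a domain literally named WORKGROUP (unlikely, but possible) would silently skip the control. Querying the membership flag rather than the name is more robust, e.g. `is_domain = command('wmic computersystem get PartOfDomain | FINDSTR /V PartOfDomain').stdout.strip` followed by `if is_domain.casecmp?('FALSE')`. Note also that `wmic` is deprecated in current Windows releases, so a PowerShell `Get-CimInstance Win32_ComputerSystem` query would age better. As this file appears to be an InSpec JSON export, the fix belongs in `./Windows 10 STIG/controls/V-63597.rb` and should be re-exported from there.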
@@ -2122,30 +2139,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63447' do\n title \"The system must be configured to audit Account Management - User\n Account Management failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000035'\n tag gid: 'V-63447'\n tag rid: 'SV-77937r1_rule'\n tag stig_id: 'WN10-AU-000035'\n tag fix_id: 'F-69375r1_fix'\n tag cci: %w[CCI-000018 CCI-000172 CCI-001403 CCI-001404\n CCI-001405 CCI-002130 CCI-002234]\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', \"AC-2\n(4)\", 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Management >> User Account Management - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \\\"Audit User Account Management\\\" with\n \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Failure' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63373' do\n title \"Permissions for system files and directories must conform to minimum\n requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000095'\n tag gid: 'V-63373'\n tag rid: 'SV-77863r2_rule'\n tag stig_id: 'WN10-00-000095'\n tag fix_id: 'F-69295r1_fix'\n tag cci: ['CCI-002165']\n tag nist: ['AC-3 (4)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"The default file system permissions are adequate when the\n Security Option \\\"Network access: Let Everyone permissions apply to anonymous\n users\\\" is set to \\\"Disabled\\\" (WN10-SO-000160).\n\n If the default file system permissions are maintained and the referenced option\n is set to \\\"Disabled\\\", this is not a finding.\n\n Verify the default permissions for the sample directories below. 
Non-privileged\n groups such as Users or Authenticated Users must not have greater than Read &\n execute permissions except where noted as defaults. (Individual accounts must\n not be used to assign permissions.)\n\n Viewing in File Explorer:\n Select the \\\"Security\\\" tab, and the \\\"Advanced\\\" button.\n\n C:\\\\\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Administrators - Full control - This folder, subfolders and files\n SYSTEM - Full control - This folder, subfolders and files\n Users - Read & execute - This folder, subfolders and files\n Authenticated Users - Modify - Subfolders and files only\n Authenticated Users - Create folders / append data - This folder only\n\n \\\\Program Files\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders\n and files\n\n \\\\Windows\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and 
files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders\n and files\n\n Alternately use icacls.\n\n Run \\\"CMD\\\" as administrator.\n Enter \\\"icacls\\\" followed by the directory.\n\n icacls c:\\\\\n icacls \\\"c:\\\\program files\\\"\n icacls c:\\\\windows\n\n The following results will be displayed as each is entered:\n\n c:\\\\\n BUILTIN\\\\Administrators:(OI)(CI)(F)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\\\Users:(OI)(CI)(RX)\n NT AUTHORITY\\\\Authenticated Users:(OI)(CI)(IO)(M)\n NT AUTHORITY\\\\Authenticated Users:(AD)\n Mandatory Label\\\\High Mandatory Level:(OI)(NP)(IO)(NW)\n Successfully processed 1 files; Failed processing 0 files\n\n c:\\\\program files\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\n\n c:\\\\windows\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE 
AUTHORITY\\\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\"\n\n desc 'fix', \"Maintain the default file system permissions and configure the\n Security Option: \\\"Network access: Let everyone permissions apply to anonymous\n users\\\" to \\\"Disabled\\\" (WN10-SO-000160).\"\n\n\n c_windows_permission = JSON.parse(input('c_windows_folder_permissions').to_json)\n c_permission = JSON.parse(input('c_folder_permissions').to_json)\n c_program_files_permissions = JSON.parse(input('c_program_files_folder_permissions').to_json)\n\n query_c_windows = json({ command: 'icacls \"c:\\\\windows\" | ConvertTo-Json' }).params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"c:\\\\windows \", '') }\n query_c = json( command: \"icacls 'C:\\\\' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"C:\\\\ \", '') }\n query_c_program_files = json({ command: 'icacls \"c:\\\\Program Files\" | ConvertTo-Json' }).params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"c:\\\\Program Files \", '') }\n\n describe 'The ACL on C:\\Windows are set to the right permissions' do\n subject { query_c_windows }\n it { should be_in c_windows_permission }\n end\n describe 'The ACL on C:\\ are set to the right permissions' do\n subject { query_c }\n it { should be_in c_permission }\n end\n describe 'The ACL on C:\\Program Files are set to the right permissions' do\n subject { query_c_program_files }\n it { should be_in c_program_files_permissions }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63447.rb", + "ref": "./Windows 10 STIG/controls/V-63373.rb", "line": 3 }, - "id": "V-63447" + "id": "V-63373" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for OIS.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Windows 10 must be configured to enable Remote host allows delegation\n of non-exportable credentials.", + "desc": "An exportable version of credentials is provided to remote hosts when\n using credential delegation which exposes them to theft on the remote host.\n Restricted Admin mode or Remote Credential Guard allow delegation of\n non-exportable credentials providing additional protection of the credentials.\n Enabling this configures the host to support Restricted Admin mode or Remote\n Credential Guard.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name OIS.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for OIS.EXE:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
+ "default": "An exportable version of credentials is provided to remote hosts when\n using credential delegation which exposes them to theft on the remote host.\n Restricted Admin mode or Remote Credential Guard allow delegation of\n non-exportable credentials providing additional protection of the credentials.\n Enabling this configures the host to support Restricted Admin mode or Remote\n Credential Guard.", + "check": "This is NA for Windows 10 LTSC\\B versions 1507 and 1607.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation\\\n\n Value Name: AllowProtectedCreds\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Credentials Delegation >> \"Remote host\n allows delegation of non-exportable credentials\" to \"Enabled\"." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000200", - "gid": "V-77239", - "rid": "SV-91935r3_rule", - "stig_id": "WN10-EP-000200", - "fix_id": "F-84315r4_fix", + "gtitle": "WN10-CC-000068", + "gid": "V-74699", + "rid": "SV-89373r2_rule", + "stig_id": "WN10-CC-000068", + "fix_id": "F-81317r1_fix", "cci": [ "CCI-000366" ], 
@@ -2164,35 +2181,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77239' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for OIS.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000200'\n tag gid: 'V-77239'\n tag rid: 'SV-91935r3_rule'\n tag stig_id: 'WN10-EP-000200'\n tag fix_id: 'F-84315r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name OIS.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for OIS.EXE:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name OIS.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Picture Manager' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name OIS.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Picture Manager' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", + "code": "control 'V-74699' do\n title \"Windows 10 must be configured to enable Remote host allows delegation\n of non-exportable credentials.\"\n desc \"An exportable version of credentials is provided to remote hosts when\n using credential delegation which exposes them to theft on the remote host.\n Restricted Admin mode or Remote Credential Guard allow delegation of\n non-exportable credentials providing additional protection of the credentials.\n Enabling this configures the host to support Restricted Admin mode or Remote\n Credential Guard.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000068'\n tag gid: 'V-74699'\n tag rid: 'SV-89373r2_rule'\n tag stig_id: 'WN10-CC-000068'\n tag fix_id: 'F-81317r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag 
false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA for Windows 10 LTSC\\\\B versions 1507 and 1607.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CredentialsDelegation\\\\\n\n Value Name: AllowProtectedCreds\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Credentials Delegation >> \\\"Remote host\n allows delegation of non-exportable credentials\\\" to \\\"Enabled\\\".\"\n\n releaseID = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId.to_i\n\n if ( releaseID == 1607 || releaseID <= 1507 )\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1507 and 1607.' 
do\n skip 'This STIG does not apply to Prior Versions before 1507 and 1607.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation') do\n it { should have_property 'AllowProtectedCreds' }\n its('AllowProtectedCreds') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77239.rb", + "ref": "./Windows 10 STIG/controls/V-74699.rb", "line": 3 }, - "id": "V-77239" + "id": "V-74699" }, { - "title": "Local administrator accounts must have their privileged token filtered\n to prevent elevated privileges from being used over the network on domain\n systems.", - "desc": "A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for\n built-in administrator accounts will prevent the elevated privileges of these\n accounts from being used over the network.", + "title": "The Create a token object user right must not be assigned to any\n groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Create a token object\" user right allows a process to create an\n access token. 
This could be used to provide elevated rights and compromise a\n system.", "descriptions": { - "default": "A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for\n built-in administrator accounts will prevent the elevated privileges of these\n accounts from being used over the network.", - "check": "If the system is not a member of a domain, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Apply UAC restrictions to\n local accounts on network logons\" to \"Enabled\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must\n be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Create a token object\" user right allows a process to create an\n access token. 
This could be used to provide elevated rights and compromise a\n system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Create a token object\" user right,\n this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create a token object\" to be defined but containing no entries (blank)." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000037", - "gid": "V-63597", - "rid": "SV-78087r2_rule", - "stig_id": "WN10-CC-000037", - "fix_id": "F-78099r3_fix", + "severity": "high", + "gtitle": "WN10-UR-000045", + "gid": "V-63859", + "rid": "SV-78349r1_rule", + "stig_id": "WN10-UR-000045", + "fix_id": "F-69787r2_fix", "cci": [ - "CCI-001084" + "CCI-002235" ], "nist": [ - "SC-3", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
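Review bot: The baseline entry for V-74699 records `"impact": 0` (in the preceding hunk) while the control's `code` in this hunk declares `impact 0.5` with `tag severity: 'medium'`; the zero looks like it was captured from a run on a host that took the `releaseID` branch, which sets `impact 0.0` at runtime, rather than from the profile's static metadata. Consumers of this baseline will then treat the control as not applicable on every system. Regenerating the entry from the profile definition without executing the controls, or hand-correcting it to `"impact": 0.5`, would keep it consistent with the sibling entries in this file. Separately, the gate `if ( releaseID == 1607 || releaseID <= 1507 )` exempts every 1607 build (and, because `nil.to_i` is `0`, any host with no `ReleaseId` value), whereas the check text limits the NA case to the LTSC/LTSB editions of 1507 and 1607; if that distinction matters here, also inspecting the `EditionID` value under the same `CurrentVersion` key, which reads `EnterpriseS` on LTSB/LTSC, would narrow it.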
@@ -2206,35 +2223,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63597' do\n title \"Local administrator accounts must have their privileged token filtered\n to prevent elevated privileges from being used over the network on domain\n systems.\"\n\n desc \"A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for\n built-in administrator accounts will prevent the elevated privileges of these\n accounts from being used over the network.\"\n\n impact 0.5\n\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000037'\n tag gid: 'V-63597'\n tag rid: 'SV-78087r2_rule'\n tag stig_id: 'WN10-CC-000037'\n tag fix_id: 'F-78099r3_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the system is not a member of a domain, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Apply UAC restrictions to\n local accounts on network logons\\\" to \\\"Enabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must\n be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'LocalAccountTokenFilterPolicy' }\n its('LocalAccountTokenFilterPolicy') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-63859' do\n title \"The Create a token object user right must not be assigned to any\n groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Create a token object\\\" user right allows a process to create an\n access token. 
This could be used to provide elevated rights and compromise a\n system.\"\n\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-UR-000045'\n tag gid: 'V-63859'\n tag rid: 'SV-78349r1_rule'\n tag stig_id: 'WN10-UR-000045'\n tag fix_id: 'F-69787r2_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Create a token object\\\" user right,\n this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create a token object\\\" to be defined but containing no entries (blank).\"\n\n describe security_policy do\n its('SeCreateTokenPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63597.rb", + "ref": "./Windows 10 STIG/controls/V-63859.rb", "line": 3 }, - "id": "V-63597" + "id": "V-63859" }, { - "title": "Users must be prompted for a password on resume from sleep (on\n battery).", - "desc": "Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep (on\n battery).", + "title": "The Windows SMB server must be configured to always perform SMB packet\n signing.", + "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. 
Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.", "descriptions": { - "default": "Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep (on\n battery).", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: DCSettingIndex\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n \"Require a password when a computer wakes (on battery)\" to \"Enabled\"." + "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Microsoft network server: Digitally sign communications (always)\" to\n \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000145", - "gid": "V-63645", - "rid": "SV-78135r1_rule", - "stig_id": "WN10-CC-000145", - "fix_id": "F-69575r1_fix", + "gtitle": "WN10-SO-000120", + "gid": "V-63719", + "rid": "SV-78209r1_rule", + "stig_id": "WN10-SO-000120", + "fix_id": "F-69647r1_fix", "cci": [ - "CCI-002038" + "CCI-002418", + "CCI-002421" ], "nist": [ - "IA-11", + "SC-8", + "SC-8 (1)", "Rev_4" ], "false_negatives": null, 
@@ -2248,30 +2267,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63645' do\n title \"Users must be prompted for a password on resume from sleep (on\n battery).\"\n desc \"Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep (on\n battery).\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000145'\n tag gid: 'V-63645'\n tag rid: 'SV-78135r1_rule'\n tag stig_id: 'WN10-CC-000145'\n tag fix_id: 'F-69575r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: DCSettingIndex\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n \\\"Require a password when a computer wakes (on battery)\\\" to \\\"Enabled\\\".\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63645.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63645.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'DCSettingIndex' }\n its('DCSettingIndex') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63719' do\n title \"The Windows SMB server must be configured to always perform SMB packet\n signing.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000120'\n tag gid: 'V-63719'\n tag rid: 'SV-78209r1_rule'\n tag stig_id: 'WN10-SO-000120'\n tag fix_id: 'F-69647r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Microsoft network server: Digitally sign communications (always)\\\" to\n \\\"Enabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63645.rb", + "ref": "./Windows 10 STIG/controls/V-63719.rb", "line": 3 }, - "id": "V-63645" + "id": "V-63719" }, { - "title": "Inbound exceptions to the firewall on Windows 10 domain workstations\n must only allow authorized remote management hosts.", - "desc": "Allowing inbound access to domain workstations from other systems may\n allow lateral movement across systems if credentials are compromised. Limiting\n inbound connections only from authorized remote management systems will help\n limit this exposure.", + "title": "File Explorer shell protocol must run in protected mode.", + "desc": "The shell protocol will limit the set of folders applications can\n open when run in protected mode. Restricting files an application can open, to\n a limited set of folders, increases the security of Windows.", "descriptions": { - "default": "Allowing inbound access to domain workstations from other systems may\n allow lateral movement across systems if credentials are compromised. Limiting\n inbound connections only from authorized remote management systems will help\n limit this exposure.", - "check": "Verify firewall exceptions to inbound connections on domain\n workstations include only authorized remote management hosts.\n\n If allowed inbound exceptions are not limited to authorized remote management\n hosts, this is a finding.\n\n Review inbound firewall exceptions.\n Computer Configuration >> Windows Settings >> Security Settings >> Windows\n Defender Firewall with Advanced Security >> Windows Defender Firewall with\n Advanced Security >> Inbound Rules (this link will be in the right pane)\n\n For any inbound rules that allow connections view the Scope for Remote IP\n address. 
This may be defined as an IP address, subnet, or range. The rule must\n apply to all firewall profiles.\n\n If a third-party firewall is used, ensure comparable settings are in place.", - "fix": "Configure firewall exceptions to inbound connections on domain\n workstations to include only authorized remote management hosts.\n\n Configure only inbound connection exceptions for authorized remote management\n hosts.\n Computer Configuration >> Windows Settings >> Security Settings >> Windows\n Defender Firewall with Advanced Security >> Windows Defender Firewall with\n Advanced Security >> Inbound Rules (this link will be in the right pane)\n\n For any inbound rules that allow connections, configure the Scope for Remote IP\n address to those of authorized remote management hosts. This may be defined as\n an IP address, subnet or range. Apply the rule to all firewall profiles.\n\n If a third-party firewall is used, configure inbound exceptions to only include\n authorized remote management hosts." + "default": "The shell protocol will limit the set of folders applications can\n open when run in protected mode. 
Restricting files an application can open, to\n a limited set of folders, increases the security of Windows.", + "check": "The default behavior is for shell protected mode to be turned on\n for file explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)", + "fix": "The default behavior is for shell protected mode to be turned on\n for file explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \"Turn off shell protocol protected mode\" to \"Not Configured\" or\n \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000140", - "gid": "V-63403", - "rid": "SV-77893r2_rule", - "stig_id": "WN10-00-000140", - "fix_id": "F-100991r1_fix", + "gtitle": "WN10-CC-000225", + "gid": "V-63695", + "rid": "SV-78185r1_rule", + "stig_id": "WN10-CC-000225", + "fix_id": "F-69623r1_fix", "cci": [ "CCI-000366" ], 
@@ -2290,35 +2309,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63403' do\n title \"Inbound exceptions to the firewall on Windows 10 domain workstations\n must only allow authorized remote management hosts.\"\n desc \"Allowing inbound access to domain workstations from other systems may\n allow lateral movement across systems if credentials are compromised. Limiting\n inbound connections only from authorized remote management systems will help\n limit this exposure.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000140'\n tag gid: 'V-63403'\n tag rid: 'SV-77893r2_rule'\n tag stig_id: 'WN10-00-000140'\n tag fix_id: 'F-100991r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify firewall exceptions to inbound connections on domain\n workstations include only authorized remote management hosts.\n\n If allowed inbound exceptions are not limited to authorized remote management\n hosts, this is a finding.\n\n Review inbound firewall exceptions.\n Computer Configuration >> Windows Settings >> Security Settings >> Windows\n Defender Firewall with Advanced Security >> Windows Defender Firewall with\n Advanced Security >> Inbound Rules (this link will be in the right pane)\n\n For any inbound rules that allow connections view the Scope for Remote IP\n address. This may be defined as an IP address, subnet, or range. 
The rule must\n apply to all firewall profiles.\n\n If a third-party firewall is used, ensure comparable settings are in place.\"\n\n desc \"fix\", \"Configure firewall exceptions to inbound connections on domain\n workstations to include only authorized remote management hosts.\n\n Configure only inbound connection exceptions for authorized remote management\n hosts.\n Computer Configuration >> Windows Settings >> Security Settings >> Windows\n Defender Firewall with Advanced Security >> Windows Defender Firewall with\n Advanced Security >> Inbound Rules (this link will be in the right pane)\n\n For any inbound rules that allow connections, configure the Scope for Remote IP\n address to those of authorized remote management hosts. This may be defined as\n an IP address, subnet or range. Apply the rule to all firewall profiles.\n\n If a third-party firewall is used, configure inbound exceptions to only include\n authorized remote management hosts.\"\n\n describe 'A manual review of any inbound firewall rules that allow connections to unauthorized connections. Also check for third-party firewalls' do\n skip 'A manual review of any inbound firewall rules that allow connections'\n end\nend\n", + "code": "control 'V-63695' do\n title 'File Explorer shell protocol must run in protected mode.'\n desc \"The shell protocol will limit the set of folders applications can\n open when run in protected mode. 
Restricting files an application can open, to\n a limited set of folders, increases the security of Windows.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000225'\n tag gid: 'V-63695'\n tag rid: 'SV-78185r1_rule'\n tag stig_id: 'WN10-CC-000225'\n tag fix_id: 'F-69623r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior is for shell protected mode to be turned on\n for file explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)\"\n\n desc \"fix\", \"The default behavior is for shell protected mode to be turned on\n for file explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \\\"Turn off shell protocol protected mode\\\" to \\\"Not Configured\\\" or\n \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should have_property 'PreXPSP2ShellProtocolBehavior' }\n its('PreXPSP2ShellProtocolBehavior') { should_not be 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { 
should_not have_property 'PreXPSP2ShellProtocolBehavior' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63403.rb", + "ref": "./Windows 10 STIG/controls/V-63695.rb", "line": 3 }, - "id": "V-63403" + "id": "V-63695" }, { - "title": "Autoplay must be disabled for all drives.", - "desc": "Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, autoplay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. If you enable this\n policy, you can also disable autoplay on all drives.", + "title": "The Force shutdown from a remote system user right must only be\n assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Force shutdown from a remote system\" user right can\n remotely shut down a system which could result in a DoS.", "descriptions": { - "default": "Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, autoplay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. 
If you enable this\n policy, you can also disable autoplay on all drives.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\\n\n Value Name: NoDriveTypeAutoRun\n\n Value Type: REG_DWORD\n Value: 0x000000ff (255)\n\n Note: If the value for NoDriveTypeAutorun is entered manually, it must be\n entered as \"ff\" when Hexadecimal is selected, or \"255\" with Decimal\n selected. Using the policy value specified in the Fix section will enter it\n correctly.", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Turn\n off AutoPlay\" to \"Enabled:All Drives\"." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Force shutdown from a remote system\" user right can\n remotely shut down a system which could result in a DoS.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Force\n shutdown from a remote system\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Force shutdown from a remote system\" to only include the following groups or\n accounts:\n\n Administrators" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-CC-000190", - "gid": "V-63673", - "rid": "SV-78163r1_rule", - "stig_id": "WN10-CC-000190", - "fix_id": 
"F-69603r1_fix", + "severity": "medium", + "gtitle": "WN10-UR-000100", + "gid": "V-63883", + "rid": "SV-78373r1_rule", + "stig_id": "WN10-UR-000100", + "fix_id": "F-69811r1_fix", "cci": [ - "CCI-001764" + "CCI-002235" ], "nist": [ - "CM-7 (2)", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
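Review bot: The new V-63695 code string in this hunk tests `its('PreXPSP2ShellProtocolBehavior') { should_not be 1 }`, but the check text it embeds says the value is compliant only when it is "0" (or absent), and `be` is an identity matcher, so a mis-typed REG_SZ "1" or any other non-zero DWORD would pass. The first branch of `describe.one` should pin the documented value instead: `its('PreXPSP2ShellProtocolBehavior') { should cmp 0 }`; the second branch (property absent) already matches the text. A short comment above `describe.one do`, e.g. `# STIG: absent or 0 is compliant; 1 is a finding`, would make the two-branch structure self-explaining. This is only the embedded `"code"` string; the control's `.rb` it mirrors is outside the diff.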
@@ -2332,35 +2351,39 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63673' do\n title 'Autoplay must be disabled for all drives.'\n desc \"Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, autoplay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. If you enable this\n policy, you can also disable autoplay on all drives.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000190'\n tag gid: 'V-63673'\n tag rid: 'SV-78163r1_rule'\n tag stig_id: 'WN10-CC-000190'\n tag fix_id: 'F-69603r1_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\policies\\\\Explorer\\\\\n\n Value Name: NoDriveTypeAutoRun\n\n Value Type: REG_DWORD\n Value: 0x000000ff (255)\n\n Note: If the value for NoDriveTypeAutorun is entered manually, it must be\n entered as \\\"ff\\\" when Hexadecimal is selected, or \\\"255\\\" with Decimal\n selected. 
Using the policy value specified in the Fix section will enter it\n correctly.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Turn\n off AutoPlay\\\" to \\\"Enabled:All Drives\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer') do\n it { should have_property 'NoDriveTypeAutoRun' }\n its('NoDriveTypeAutoRun') { should cmp 255 }\n end\nend\n", + "code": "control 'V-63883' do\n title \"The Force shutdown from a remote system user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Force shutdown from a remote system\\\" user right can\n remotely shut down a system which could result in a DoS.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000100'\n tag gid: 'V-63883'\n tag rid: 'SV-78373r1_rule'\n tag stig_id: 'WN10-UR-000100'\n tag fix_id: 'F-69811r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Force\n shutdown from a remote system\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings 
>> Local Policies >> User Rights Assignment >>\n \\\"Force shutdown from a remote system\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeRemoteShutdownPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63673.rb", + "ref": "./Windows 10 STIG/controls/V-63883.rb", "line": 3 }, - "id": "V-63673" + "id": "V-63883" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for plugin-container.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Windows 10 information systems must use BitLocker to encrypt all disks\n to protect the confidentiality and integrity of all information at rest.", + "desc": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality\n is protected even when the operating system is not running.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name plugin-container.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for\n plugin-container.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
+ "default": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality\n is protected even when the operating system is not running.", + "check": "Verify all Windows 10 information systems (including SIPRNET)\n employ BitLocker for full disk encryption.\n\n If full disk encryption using BitLocker is not implemented, this is a finding.\n\n Verify BitLocker is turned on for the operating system drive and any fixed data\n drives.\n\n Open \"BitLocker Drive Encryption\" from the Control Panel.\n\n If the operating system drive or any fixed data drives have \"Turn on\n BitLocker\", this is a finding.\n\n NOTE: An alternate encryption application may be used in lieu of BitLocker\n providing it is configured for full disk encryption and satisfies the pre-boot\n authentication requirements (WN10-00-000031 and WN10-00-000032).", + "fix": "Enable full disk encryption on all information systems (including\n SIPRNET) using BitLocker.\n\n BitLocker, included in Windows, can be enabled in the Control Panel under\n \"BitLocker Drive Encryption\" as well as other management tools.\n\n NOTE: An alternate encryption application may be used in lieu of BitLocker\n providing it is configured for full disk encryption and satisfies the pre-boot\n authentication requirements (WN10-00-000031 and WN10-00-000032)." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000230", - "gid": "V-77245", - "rid": "SV-91941r3_rule", - "stig_id": "WN10-EP-000230", - "fix_id": "F-84365r4_fix", + "gtitle": "WN10-00-000030", + "gid": "V-63337", + "rid": "SV-77827r4_rule", + "stig_id": "WN10-00-000030", + "fix_id": "F-100987r1_fix", "cci": [ - "CCI-000366" + "CCI-001199", + "CCI-002475", + "CCI-002476" ], "nist": [ - "CM-6 b", + "SC-28", + "SC-28 (1)", + "SC-28 (1)", "Rev_4" ], "false_negatives": null, 
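Review bot: The new V-63883 code string asserts `its('SeRemoteShutdownPrivilege') { should eq ['S-1-5-32-544'] }`, which is stricter than the check text it carries: the STIG says a finding exists only if accounts other than Administrators hold the right, so an empty assignment would be compliant yet fail this test. If that stricter reading is intended, say so in a comment (`# requires Administrators to hold the right, not merely nobody else`); otherwise a subset-style check such as `should be_in ['S-1-5-32-544']` follows the text more closely. Separately, the new V-63337 entry lists `"SC-28 (1)"` twice in `"nist"` (and in the embedded `tag nist:`); if that array is meant to parallel the three `"cci"` entries one-to-one the duplicate is expected, but if it is read as a set it should be deduplicated. The V-63337 `"code"` string itself continues into the next hunk.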
@@ -2374,35 +2397,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77245' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for plugin-container.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000230'\n tag gid: 'V-77245'\n tag rid: 'SV-91941r3_rule'\n tag stig_id: 'WN10-EP-000230'\n tag fix_id: 'F-84365r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name plugin-container.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for\n plugin-container.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name plugin-container.exe | Select DEP | ConvertTo-Json').params\n describe 'DEP is required to be Enabled on Plugin-Container' do\n subject { dep }\n its(['Enable']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name plugin-container.exe | Select Payload | ConvertTo-Json').params\n describe 'Payload Enable Export Address Filter, Payload Enable Export Address Filter Plus, EnableImportAddressFilter, EnableRopStackPivot, EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Plugin-Container' do\n subject { payload }\n its(['EnableExportAddressFilter']) { should_not eq '2' }\n its(['EnableExportAddressFilterPlus']) { should_not eq '2' }\n its(['EnableImportAddressFilter']) { should_not eq '2' }\n its(['EnableRopStackPivot']) { should_not eq '2' }\n its(['EnableRopCallerCheck']) { should_not eq '2' }\n its(['EnableRopSimExec']) { should_not eq '2' }\n end \n end\nend\n", + "code": "control 'V-63337' do\n title \"Windows 10 information systems must use BitLocker to encrypt all disks\n to protect the confidentiality and integrity of all information at rest.\"\n desc \"If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. 
Encrypting the data ensures that confidentiality\n is protected even when the operating system is not running.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000030'\n tag gid: 'V-63337'\n tag rid: 'SV-77827r4_rule'\n tag stig_id: 'WN10-00-000030'\n tag fix_id: 'F-100987r1_fix'\n tag cci: %w[CCI-001199 CCI-002475 CCI-002476]\n tag nist: ['SC-28', 'SC-28 (1)', 'SC-28 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Verify all Windows 10 information systems (including SIPRNET)\n employ BitLocker for full disk encryption.\n\n If full disk encryption using BitLocker is not implemented, this is a finding.\n\n Verify BitLocker is turned on for the operating system drive and any fixed data\n drives.\n\n Open \\\"BitLocker Drive Encryption\\\" from the Control Panel.\n\n If the operating system drive or any fixed data drives have \\\"Turn on\n BitLocker\\\", this is a finding.\n\n NOTE: An alternate encryption application may be used in lieu of BitLocker\n providing it is configured for full disk encryption and satisfies the pre-boot\n authentication requirements (WN10-00-000031 and WN10-00-000032).\"\n\n desc 'fix', \"Enable full disk encryption on all information systems (including\n SIPRNET) using BitLocker.\n\n BitLocker, included in Windows, can be enabled in the Control Panel under\n \\\"BitLocker Drive Encryption\\\" as well as other management tools.\n\n NOTE: An alternate encryption application may be used in lieu of BitLocker\n providing it is configured for full disk encryption and satisfies the pre-boot\n authentication requirements (WN10-00-000031 and WN10-00-000032).\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for 
Control V-63337.' do\n skip 'This is a VDI System; This System is NA for Control V-63337.'\n end\n else\n # Code needs to be worked on for Parsing the Output of the Command\n bitlocker_status = JSON.parse(input('bitlocker_status').to_json)\n query = json({ command: 'Get-BitlockerVolume | Select ProtectionStatus | ConvertTo-Json' })\n describe 'Verify all Windows 10 information systems (including SIPRNET) employ BitLocker for full disk encryption.' do\n subject { query.params }\n its(['ProtectionStatus']) { should be 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77245.rb", + "ref": "./Windows 10 STIG/controls/V-63337.rb", "line": 3 }, - "id": "V-77245" + "id": "V-63337" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for\n PPTVIEW.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Local volumes must be formatted using NTFS.", + "desc": "The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using the NTFS file system.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name PPTVIEW.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for PPTVIEW.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using the NTFS file system.", + "check": "Run \"Computer Management\".\n Navigate to Storage >> Disk Management.\n\n If the \"File System\" column does not indicate \"NTFS\" for each volume\n assigned a drive letter, this is a finding.\n\n This does not apply to system partitions such the Recovery and EFI System\n Partition.", + "fix": "Format all local volumes to use NTFS." 
},
- "impact": 0.5,
+ "impact": 0,
"refs": [],
"tags": {
- "severity": "medium",
- "gtitle": "WN10-EP-000250",
- "gid": "V-77249",
- "rid": "SV-91945r3_rule",
- "stig_id": "WN10-EP-000250",
- "fix_id": "F-84505r4_fix",
+ "severity": "high",
+ "gtitle": "WN10-00-000050",
+ "gid": "V-63353",
+ "rid": "SV-77843r2_rule",
+ "stig_id": "WN10-00-000050",
+ "fix_id": "F-69273r1_fix",
"cci": [
- "CCI-000366"
+ "CCI-000213"
],
"nist": [
- "CM-6 b",
+ "AC-3",
"Rev_4"
],
"false_negatives": null,
@@ -2416,35 +2439,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77249' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n PPTVIEW.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000250'\n tag gid: 'V-77249'\n tag rid: 'SV-91945r3_rule'\n tag stig_id: 'WN10-EP-000250'\n tag fix_id: 'F-84505r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name PPTVIEW.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for PPTVIEW.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name PPTVIEW.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office PowerPoint Viewer' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name PPTVIEW.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office PowerPoint Viewer' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name PPTVIEW.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office PowerPoint Viewer' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end \n end\nend", + "code": "control \"V-63353\" do\n title \"Local volumes must be formatted using NTFS.\"\n desc \"The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. 
To support\n this, volumes must be formatted using the NTFS file system.\"\n impact 0.7\n tag severity: \"high\"\n tag gtitle: \"WN10-00-000050\"\n tag gid: \"V-63353\"\n tag rid: \"SV-77843r2_rule\"\n tag stig_id: \"WN10-00-000050\"\n tag fix_id: \"F-69273r1_fix\"\n tag cci: [\"CCI-000213\"]\n tag nist: [\"AC-3\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"Computer Management\\\".\n Navigate to Storage >> Disk Management.\n\n If the \\\"File System\\\" column does not indicate \\\"NTFS\\\" for each volume\n assigned a drive letter, this is a finding.\n\n This does not apply to system partitions such the Recovery and EFI System\n Partition.\"\n\n desc \"fix\", \"Format all local volumes to use NTFS.\"\n\nget_volumes = command(\"wmic logicaldisk get FileSystem | findstr /r /v '^$' |Findstr /v 'FileSystem'\").stdout.strip.split(\"\\r\\n\")\n\n if get_volumes.empty?\n impact 0.0\n describe 'There are no local volumes' do\n skip 'This control is not applicable'\n end\n else\n get_volumes.each do |volume|\n volumes = volume.strip\n describe.one do\n describe 'The format local volumes' do\n subject { volumes }\n it { should eq 'NTFS' }\n end\n describe 'The format local volumes' do\n subject { volumes }\n it { should eq 'ReFS' }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77249.rb", - "line": 3 + "ref": "./Windows 10 STIG/controls/V-63353.rb", + "line": 2 }, - "id": "V-77249" + "id": "V-63353" }, { - "title": "The system must be configured to audit Account Logon - Credential\n Validation failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze 
compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.", + "title": "The Windows Defender SmartScreen for Explorer must be enabled.", + "desc": "Windows Defender SmartScreen helps protect systems from programs\n downloaded from the internet that may be malicious. Enabling Windows Defender\n SmartScreen will warn or prevent users from running potentially malicious\n programs.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Logon >> Credential Validation - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> \"Audit Credential Validation\" with\n \"Failure\" selected." + "default": "Windows Defender SmartScreen helps protect systems from programs\n downloaded from the internet that may be malicious. Enabling Windows Defender\n SmartScreen will warn or prevent users from running potentially malicious\n programs.", + "check": "This is applicable to unclassified systems, for other systems\n this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n And\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: ShellSmartScreenLevel\n\n Value Type: REG_SZ\n Value: Block\n\n v1607 LTSB:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n v1507 LTSB:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> File Explorer >> \"Configure\n Windows Defender SmartScreen\" to \"Enabled\" with \"Warn and prevent bypass\"\n selected.\n\n Windows 10 includes duplicate policies for this setting. 
It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Explorer.\n\n v1607 LTSB:\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> File Explorer >> \"Configure Windows\n SmartScreen\" to \"Enabled\". (Selection options are not available.)\n\n v1507 LTSB:\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> File Explorer >> \"Configure Windows\n SmartScreen\" to \"Enabled\" with \"Require approval from an administrator\n before running downloaded unknown software\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000005", - "gid": "V-63431", - "rid": "SV-77921r1_rule", - "stig_id": "WN10-AU-000005", - "fix_id": "F-69359r1_fix", + "gtitle": "WN10-CC-000210", + "gid": "V-63685", + "rid": "SV-78175r6_rule", + "stig_id": "WN10-CC-000210", + "fix_id": "F-98461r1_fix", "cci": [ - "CCI-000172" + "CCI-000381" ], "nist": [ - "AU-12 c", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
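Review bot: The new V-63353 code string accepts `ReFS` as a passing value in its `describe.one` block, although the control's title, check and fix text require NTFS for every volume assigned a drive letter, and nothing records why the check is wider than the text. A comment above the block, e.g. `# ReFS is accepted in addition to NTFS — deviation from the STIG check text; confirm the rationale is approved`, would keep reviewers of findings from mistaking this for an oversight. The `wmic logicaldisk get FileSystem` enumeration appears to list every logical disk, so removable or network drives with a letter may surface as findings even though the check text excludes only system partitions — worth confirming on a host with such media. The `"impact": 0` recorded for this control in the preceding hunk also disagrees with `impact 0.7` / `tag severity: "high"` in the code string; presumably the exporter captured the `impact 0.0` branch, which should be verified. The unindented `get_volumes = ...` assignment breaks the two-space indentation the rest of the control body uses.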
@@ -2458,43 +2481,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63431' do\n title \"The system must be configured to audit Account Logon - Credential\n Validation failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000005'\n tag gid: 'V-63431'\n tag rid: 'SV-77921r1_rule'\n tag stig_id: 'WN10-AU-000005'\n tag fix_id: 'F-69359r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Logon >> Credential Validation - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with\n \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63685' do\n title 'The Windows Defender SmartScreen for Explorer must be enabled.'\n desc \"Windows Defender SmartScreen helps protect systems from programs\n downloaded from the internet that may be malicious. Enabling Windows Defender\n SmartScreen will warn or prevent users from running potentially malicious\n programs.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000210'\n tag gid: 'V-63685'\n tag rid: 'SV-78175r6_rule'\n tag stig_id: 'WN10-CC-000210'\n tag fix_id: 'F-98461r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems, for other systems\n this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n And\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: 
\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: ShellSmartScreenLevel\n\n Value Type: REG_SZ\n Value: Block\n\n v1607 LTSB:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n v1507 LTSB:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> File Explorer >> \\\"Configure\n Windows Defender SmartScreen\\\" to \\\"Enabled\\\" with \\\"Warn and prevent bypass\\\"\n selected.\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Explorer.\n\n v1607 LTSB:\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> File Explorer >> \\\"Configure Windows\n SmartScreen\\\" to \\\"Enabled\\\". (Selection options are not available.)\n\n v1507 LTSB:\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> File Explorer >> \\\"Configure Windows\n SmartScreen\\\" to \\\"Enabled\\\" with \\\"Require approval from an administrator\n before running downloaded unknown software\\\" selected.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'ShellSmartScreenLevel' }\n its('ShellSmartScreenLevel') { should cmp 'Block' }\n end\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'EnableSmartScreen' }\n its('EnableSmartScreen') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'EnableSmartScreen' }\n its('EnableSmartScreen') { should cmp 2 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63431.rb", + "ref": "./Windows 10 STIG/controls/V-63685.rb", "line": 3 }, - "id": "V-63431" + "id": "V-63685" }, { - "title": "Windows 10 systems must use a BitLocker PIN for pre-boot\n authentication.", - "desc": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.", + "title": "Inbound exceptions to the firewall on Windows 10 domain workstations\n must only allow authorized remote management hosts.", + "desc": "Allowing inbound access to domain workstations from other systems may\n allow lateral movement across systems if credentials are compromised. Limiting\n inbound connections only from authorized remote management systems will help\n limit this exposure.", "descriptions": { - "default": "If data at rest is unencrypted, it is vulnerable to disclosure. 
Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\FVE\\\n\n Value Name: UseAdvancedStartup\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n If one of the following registry values does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\FVE\\\n\n Value Name: UseTPMPIN\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: UseTPMKeyPIN\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n\n BitLocker network unlock may be used in conjunction with a BitLocker PIN. See\n the article below regarding information about network unlock.", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> BitLocker Drive Encryption >>\n Operating System Drives \"Require additional authentication at startup\" to\n \"Enabled\" with \"Configure TPM Startup PIN:\" set to \"Require startup PIN\n with TPM\" or with \"Configure TPM startup key and PIN:\" set to \"Require\n startup key and PIN with TPM\"." + "default": "Allowing inbound access to domain workstations from other systems may\n allow lateral movement across systems if credentials are compromised. 
Limiting\n inbound connections only from authorized remote management systems will help\n limit this exposure.", + "check": "Verify firewall exceptions to inbound connections on domain\n workstations include only authorized remote management hosts.\n\n If allowed inbound exceptions are not limited to authorized remote management\n hosts, this is a finding.\n\n Review inbound firewall exceptions.\n Computer Configuration >> Windows Settings >> Security Settings >> Windows\n Defender Firewall with Advanced Security >> Windows Defender Firewall with\n Advanced Security >> Inbound Rules (this link will be in the right pane)\n\n For any inbound rules that allow connections view the Scope for Remote IP\n address. This may be defined as an IP address, subnet, or range. The rule must\n apply to all firewall profiles.\n\n If a third-party firewall is used, ensure comparable settings are in place.", + "fix": "Configure firewall exceptions to inbound connections on domain\n workstations to include only authorized remote management hosts.\n\n Configure only inbound connection exceptions for authorized remote management\n hosts.\n Computer Configuration >> Windows Settings >> Security Settings >> Windows\n Defender Firewall with Advanced Security >> Windows Defender Firewall with\n Advanced Security >> Inbound Rules (this link will be in the right pane)\n\n For any inbound rules that allow connections, configure the Scope for Remote IP\n address to those of authorized remote management hosts. This may be defined as\n an IP address, subnet or range. Apply the rule to all firewall profiles.\n\n If a third-party firewall is used, configure inbound exceptions to only include\n authorized remote management hosts." 
},
"impact": 0.5,
- "refs": [
- {
- "ref": "https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock"
- }
- ],
+ "refs": [],
"tags": {
"severity": "medium",
- "gtitle": "WN10-00-000031",
- "gid": "V-94859",
- "rid": "SV-104689r1_rule",
- "stig_id": "WN10-00-000031",
- "fix_id": "F-100983r2_fix",
+ "gtitle": "WN10-00-000140",
+ "gid": "V-63403",
+ "rid": "SV-77893r2_rule",
+ "stig_id": "WN10-00-000140",
+ "fix_id": "F-100991r1_fix",
"cci": [
- "CCI-001199",
- "CCI-002475",
- "CCI-002476"
+ "CCI-000366"
],
"nist": [
- "SC-28",
- "SC-28 (1)",
- "SC-28 (1)",
+ "CM-6 b",
"Rev_4"
],
"false_negatives": null,
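Review bot: The new V-63685 code string requires `ShellSmartScreenLevel` = `Block` on every build, but the control's own check text lists that value only for current builds — the v1607 and v1507 LTSB sections require `EnableSmartScreen` alone (1 and 2 respectively) — so LTSB hosts would be reported as findings the STIG does not call for, while the `describe.one` that accepts `EnableSmartScreen` 1 or 2 on any build is looser than the `1` the text requires for current and v1607 builds. Branching on the `ReleaseId` of `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion`, as the removed V-77249 code did, would let each branch test exactly the values listed for that build. If the flattening is deliberate, a comment above the `describe.one`, e.g. `# Version-specific values collapsed: ShellSmartScreenLevel is checked on all builds and EnableSmartScreen 1 or 2 is accepted on all builds`, should record it. The V-63403 control whose descriptions close this hunk has its code string in the next hunk.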
@@ -2508,35 +2523,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-94859' do\n title \"Windows 10 systems must use a BitLocker PIN for pre-boot\n authentication.\"\n desc \"If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000031'\n tag gid: 'V-94859'\n tag rid: 'SV-104689r1_rule'\n tag stig_id: 'WN10-00-000031'\n tag fix_id: 'F-100983r2_fix'\n tag cci: %w[CCI-001199 CCI-002475 CCI-002476]\n tag nist: ['SC-28', 'SC-28 (1)', 'SC-28 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE\\\\\n\n Value Name: UseAdvancedStartup\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n If one of the following registry values does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE\\\\\n\n Value Name: UseTPMPIN\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: UseTPMKeyPIN\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n\n BitLocker network unlock may be used in conjunction with a BitLocker PIN. 
See\n the article below regarding information about network unlock.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> BitLocker Drive Encryption >>\n Operating System Drives \\\"Require additional authentication at startup\\\" to\n \\\"Enabled\\\" with \\\"Configure TPM Startup PIN:\\\" set to \\\"Require startup PIN\n with TPM\\\" or with \\\"Configure TPM startup key and PIN:\\\" set to \\\"Require\n startup key and PIN with TPM\\\".\"\n\n ref 'https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock'\n\n if sys_info.manufacturer == \"VMware, Inc.\"\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-94859' do\n skip 'This is a VDI System; This System is NA for Control V-94859'\n end\n else\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE') do\n it { should have_property 'UseAdvancedStartup' }\n its('UseAdvancedStartup') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE') do\n it { should have_property 'UseTPMPIN' }\n its('UseTPMPIN') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE') do\n it { should have_property 'UseTPMKeyPIN' }\n its('UseTPMKeyPIN') { should cmp 1 }\n end\n end\n end\nend\n", + "code": "control 'V-63403' do\n title \"Inbound exceptions to the firewall on Windows 10 domain workstations\n must only allow authorized remote management hosts.\"\n desc \"Allowing inbound access to domain workstations from other systems may\n allow lateral movement across systems if credentials are compromised. 
Limiting\n inbound connections only from authorized remote management systems will help\n limit this exposure.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000140'\n tag gid: 'V-63403'\n tag rid: 'SV-77893r2_rule'\n tag stig_id: 'WN10-00-000140'\n tag fix_id: 'F-100991r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify firewall exceptions to inbound connections on domain\n workstations include only authorized remote management hosts.\n\n If allowed inbound exceptions are not limited to authorized remote management\n hosts, this is a finding.\n\n Review inbound firewall exceptions.\n Computer Configuration >> Windows Settings >> Security Settings >> Windows\n Defender Firewall with Advanced Security >> Windows Defender Firewall with\n Advanced Security >> Inbound Rules (this link will be in the right pane)\n\n For any inbound rules that allow connections view the Scope for Remote IP\n address. This may be defined as an IP address, subnet, or range. 
The rule must\n apply to all firewall profiles.\n\n If a third-party firewall is used, ensure comparable settings are in place.\"\n\n desc \"fix\", \"Configure firewall exceptions to inbound connections on domain\n workstations to include only authorized remote management hosts.\n\n Configure only inbound connection exceptions for authorized remote management\n hosts.\n Computer Configuration >> Windows Settings >> Security Settings >> Windows\n Defender Firewall with Advanced Security >> Windows Defender Firewall with\n Advanced Security >> Inbound Rules (this link will be in the right pane)\n\n For any inbound rules that allow connections, configure the Scope for Remote IP\n address to those of authorized remote management hosts. This may be defined as\n an IP address, subnet or range. Apply the rule to all firewall profiles.\n\n If a third-party firewall is used, configure inbound exceptions to only include\n authorized remote management hosts.\"\n\n describe 'A manual review of any inbound firewall rules that allow connections to unauthorized connections. Also check for third-party firewalls' do\n skip 'A manual review of any inbound firewall rules that allow connections'\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-94859.rb", + "ref": "./Windows 10 STIG/controls/V-63403.rb", "line": 3 }, - "id": "V-94859" + "id": "V-63403" }, { - "title": "Windows 10 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.", - "desc": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at\n the system level. Bottom-Up ASLR (address space layout randomization)\n randomizes locations for virtual memory allocations, including those for system\n structures. 
If this is turned off, Windows 10 may be subject to various\n exploits.", + "title": "The maximum password age must be configured to 60 days or less.", + "desc": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing\n of passwords hinders the ability of unauthorized system users to crack\n passwords and gain access to a system.", "descriptions": { - "default": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at\n the system level. Bottom-Up ASLR (address space layout randomization)\n randomizes locations for virtual memory allocations, including those for system\n structures. If this is turned off, Windows 10 may be subject to various\n exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which\n meets this requirement. The PowerShell query results for this show as\n \"NOTSET\".\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -System\".\n\n If the status of \"ASLR: BottomUp\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Randomize\n memory allocations (Bottom-Up ASLR)\" is turned on. 
The default configuration\n in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n\n Select \"App & browser control\".\n\n Select \"Exploit protection settings\".\n\n Under \"System settings\", configure \"Randomize memory allocations (Bottom-Up\n ASLR)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn Bottom-Up ASLR on (other system\n level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing\n of passwords hinders the ability of unauthorized system users to crack\n passwords and gain access to a system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \"Maximum password age\" is greater than 60 days, this\n is a finding. 
If the value is set to \"0\" (never expires), this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Maximum Password Age\" to 60 days or less (excluding \"0\" which is\n unacceptable)." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000030", - "gid": "V-77095", - "rid": "SV-91791r4_rule", - "stig_id": "WN10-EP-000030", - "fix_id": "F-86719r3_fix", + "gtitle": "WN10-AC-000025", + "gid": "V-63419", + "rid": "SV-77909r1_rule", + "stig_id": "WN10-AC-000025", + "fix_id": "F-69347r1_fix", "cci": [ - "CCI-002824" + "CCI-000199" ], "nist": [ - "SI-16", + "IA-5 (1) (d)", "Rev_4" ], "false_negatives": null, 
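Review bot: The new V-63403 control body ends in an unconditional `skip`, so this control can only ever report "skipped" and never a finding, even though the check text gives a concrete pass/fail criterion (every inbound allow rule must scope Remote IP to authorized remote management hosts, across all profiles). The describe title `'A manual review of any inbound firewall rules that allow connections to unauthorized connections. Also check for third-party firewalls'` also reads as garbled and does not tell the reviewer what to decide; something like `describe 'V-63403: inbound firewall exceptions must be limited to authorized remote management hosts (manual review)' do` with `skip 'Manual review required: for each enabled inbound Allow rule (and any third-party firewall), verify the Remote IP scope lists only authorized remote management hosts on all profiles'` states the criterion in the report. If a partial automation is wanted, the Remote IP scope of enabled inbound Allow rules could be collected (e.g. via Get-NetFirewallRule / Get-NetFirewallAddressFilter) and compared against an input listing authorized hosts, keeping the skip only for the third-party-firewall case; that design is inferred, not shown in the hunk.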
@@ -2550,35 +2565,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77095' do\n title 'Windows 10 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.'\n desc \"Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \\\"Randomize memory allocations (Bottom-Up ASLR)\\\", are enabled by default at\n the system level. Bottom-Up ASLR (address space layout randomization)\n randomizes locations for virtual memory allocations, including those for system\n structures. If this is turned off, Windows 10 may be subject to various\n exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000030'\n tag gid: 'V-77095'\n tag rid: 'SV-91791r4_rule'\n tag stig_id: 'WN10-EP-000030'\n tag fix_id: 'F-86719r3_fix'\n tag cci: ['CCI-002824']\n tag nist: %w[SI-16 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which\n meets this requirement. The PowerShell query results for this show as\n \\\"NOTSET\\\".\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -System\\\".\n\n If the status of \\\"ASLR: BottomUp\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n desc 'fix', \"Ensure Exploit Protection system-level mitigation, \\\"Randomize\n memory allocations (Bottom-Up ASLR)\\\" is turned on. 
The default configuration\n in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n\n Select \\\"App & browser control\\\".\n\n Select \\\"Exploit protection settings\\\".\n\n Under \\\"System settings\\\", configure \\\"Randomize memory allocations (Bottom-Up\n ASLR)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn Bottom-Up ASLR on (other system\n level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n aslr = json( command: 'Get-ProcessMitigation -System | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp is required to be enabled on System' do\n subject { aslr }\n its(['BottomUp']) { should_not eq '2' }\n end\n end\nend\n", + "code": "control 'V-63419' do\n title 'The maximum password age must be configured to 60 days or less.'\n desc \"The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing\n of passwords hinders the ability of unauthorized system users to crack\n passwords and gain access to a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000025'\n tag gid: 'V-63419'\n tag rid: 'SV-77909r1_rule'\n tag stig_id: 'WN10-AC-000025'\n tag fix_id: 'F-69347r1_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \\\"Maximum password age\\\" is greater than #{input('max_pass_age')} days, this\n is a finding. 
If the value is set to \\\"0\\\" (never expires), this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Maximum Password Age\\\" to #{input('max_pass_age')} days or less (excluding \\\"0\\\" which is\n unacceptable).\"\n\n describe security_policy do\n its('MaximumPasswordAge') { should be <= input('max_pass_age') }\n end\n describe \"The password policy is set to expire after #{input('max_pass_age')}\" do\n subject { security_policy }\n its('MaximumPasswordAge') { should be_positive }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77095.rb", + "ref": "./Windows 10 STIG/controls/V-63419.rb", "line": 3 }, - "id": "V-77095" + "id": "V-63419" }, { - "title": "The Enable computer and user accounts to be trusted for delegation\n user right must not be assigned to any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\n right allows the \"Trusted for Delegation\" setting to be changed. This could\n potentially allow unauthorized users to impersonate other users.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for\n VPREVIEW.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\n right allows the \"Trusted for Delegation\" setting to be changed. 
This could\n potentially allow unauthorized users to impersonate other users.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Enable computer and user accounts\n to be trusted for delegation\" user right, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Enable computer and user accounts to be trusted for delegation\" to be\n defined but containing no entries (blank)." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name VPREVIEW.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for VPREVIEW.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000095", - "gid": "V-63881", - "rid": "SV-78371r1_rule", - "stig_id": "WN10-UR-000095", - "fix_id": "F-69809r1_fix", + "gtitle": "WN10-EP-000270", + "gid": "V-77259", + "rid": "SV-91955r3_rule", + "stig_id": "WN10-EP-000270", + "fix_id": "F-84509r4_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
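Review bot: `its('MaximumPasswordAge') { should be <= input('max_pass_age') }` in the new V-63419 code compares an integer policy value against the raw input; if `max_pass_age` is supplied as a string (for example from a CLI `--input` or an input file without a declared numeric type), Ruby raises "comparison of Integer with String failed" and the control errors rather than passing or failing. Coercing once, `max_age = input('max_pass_age').to_i`, and asserting `should be <= max_age` makes the comparison type-safe, and the same value can feed the interpolated check/fix text. The second describe's description also drops its unit and intent; `describe "Maximum password age must be set (0 = never expires is a finding)"` would make the report self-explanatory. The input's declared type and default live in the profile metadata outside this hunk, so the string case is inferred.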
@@ -2592,35 +2607,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63881' do\n title \"The Enable computer and user accounts to be trusted for delegation\n user right must not be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Enable computer and user accounts to be trusted for delegation\\\" user\n right allows the \\\"Trusted for Delegation\\\" setting to be changed. This could\n potentially allow unauthorized users to impersonate other users.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000095'\n tag gid: 'V-63881'\n tag rid: 'SV-78371r1_rule'\n tag stig_id: 'WN10-UR-000095'\n tag fix_id: 'F-69809r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Enable computer and user accounts\n to be trusted for delegation\\\" user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Enable computer and user accounts to be trusted for delegation\\\" to be\n defined but containing no entries (blank).\"\n\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-77259' do\n title \"Exploit Protection mitigations in 
Windows 10 must be configured for\n VPREVIEW.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000270'\n tag gid: 'V-77259'\n tag rid: 'SV-91955r3_rule'\n tag stig_id: 'WN10-EP-000270'\n tag fix_id: 'F-84509r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name VPREVIEW.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for VPREVIEW.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name VPREVIEW.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Visio Previewer' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name VPREVIEW.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Visio Previewer' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name VPREVIEW.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Visio Previewer' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63881.rb", + "ref": "./Windows 10 STIG/controls/V-77259.rb", "line": 3 }, - "id": "V-63881" + "id": "V-77259" }, { - "title": "Windows 10 must be configured to audit Object Access - Other Object\n Access Events successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect 
attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.", + "title": "PKU2U authentication using online identities must be prevented.", + "desc": "PKU2U is a peer-to-peer authentication protocol. This setting\n prevents online identities from authenticating to domain-joined systems.\n Authentication will be centrally managed with Windows user accounts.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\"Run as\n Administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> Other Object Access Events - Success\n\n If the system does not audit the above, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> 
Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit Other Object Access Events\" with\n \"Success\" selected." + "default": "PKU2U is a peer-to-peer authentication protocol. This setting\n prevents online identities from authenticating to domain-joined systems.\n Authentication will be centrally managed with Windows user accounts.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\pku2u\\\n\n Value Name: AllowOnlineID\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Allow PKU2U authentication requests to this computer to use\n online identities\" to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000083", - "gid": "V-74411", - "rid": "SV-89085r1_rule", - "stig_id": "WN10-AU-000083", - "fix_id": "F-80953r2_fix", + "gtitle": "WN10-SO-000185", + "gid": "V-63767", + "rid": "SV-78257r1_rule", + "stig_id": "WN10-SO-000185", + "fix_id": "F-69695r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
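Review bot: The assertions in the new V-77259 code compare parsed JSON values against string literals (`should_not eq 'true'`, `should_not eq '2'`), but `ConvertTo-Json` serializes PowerShell booleans and enum values as JSON `true`/`false` and numbers by default, which InSpec's `json` resource parses into Ruby `true` and `2`; a Ruby `true` is never `eq 'true'`, so as written these expectations pass whatever the mitigation state is. The type-tolerant matcher fixes this: `its(['OverrideDEP']) { should_not cmp 'true' }` and `its(['ForceRelocateImages']) { should_not cmp 2 }` (or asserting `should eq false` / `should_not eq 2` directly). In the same body `if input('sensitive_system') == 'true' || nil` carries a `|| nil` that changes nothing and can be dropped. The serialization behaviour is inferred from the cmdlet's defaults, not from anything visible in the hunk.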
@@ -2634,37 +2649,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74411' do\n title \"Windows 10 must be configured to audit Object Access - Other Object\n Access Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000083'\n tag gid: 'V-74411'\n tag rid: 'SV-89085r1_rule'\n tag stig_id: 'WN10-AU-000083'\n tag fix_id: 'F-80953r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\\\"Run as\n Administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> Other Object Access Events - Success\n\n If the system does not audit the above, this is a finding.\"\n desc \"fix\", 
\"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63767' do\n title 'PKU2U authentication using online identities must be prevented.'\n desc \"PKU2U is a peer-to-peer authentication protocol. This setting\n prevents online identities from authenticating to domain-joined systems.\n Authentication will be centrally managed with Windows user accounts.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000185'\n tag gid: 'V-63767'\n tag rid: 'SV-78257r1_rule'\n tag stig_id: 'WN10-SO-000185'\n tag fix_id: 'F-69695r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\pku2u\\\\\n\n Value Name: AllowOnlineID\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Allow PKU2U authentication requests to this computer to use\n online identities\\\" to \\\"Disabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\pku2u') do\n it { should have_property 'AllowOnlineID' }\n its('AllowOnlineID') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74411.rb", + "ref": "./Windows 10 STIG/controls/V-63767.rb", "line": 3 }, - "id": "V-74411" + "id": "V-63767" }, { - "title": "The system must be configured to audit System - Security State Change\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.", + "title": "Outgoing secure channel traffic must be signed when possible.", + "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. If this policy is enabled, outgoing secure channel traffic will be\n signed.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> Security State Change - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit Security State Change\" with \"Success\"\n selected." + "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. 
If this policy is enabled, outgoing secure channel traffic will be\n signed.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Digitally sign secure channel data (when possible)\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000140", - "gid": "V-63507", - "rid": "SV-77997r1_rule", - "stig_id": "WN10-AU-000140", - "fix_id": "F-69437r1_fix", + "gtitle": "WN10-SO-000045", + "gid": "V-63647", + "rid": "SV-78137r1_rule", + "stig_id": "WN10-SO-000045", + "fix_id": "F-69577r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "SC-8", + "SC-8 (1)", "Rev_4" ], "false_negatives": null, 
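Review bot: The V-63767 test asserts `its('AllowOnlineID') { should cmp 0 }`, but InSpec's `cmp` is type-lenient and would also accept a REG_SZ value of "0", whereas the STIG check text in this same hunk requires `Value Type: REG_DWORD`. Whether LSA honors a string-typed value is not established here, so if the type is meant to be enforced use `its('AllowOnlineID') { should eq 0 }` (or an explicit `be_a(Integer)` check) so a mistyped value is reported as a finding rather than passed. This JSON appears to be generated from `./Windows 10 STIG/controls/V-63767.rb` per `source_location`, so the change belongs in that control source with the JSON regenerated rather than hand-edited here.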
@@ -2678,35 +2693,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control \"V-63507\" do\n title \"The system must be configured to audit System - Security State Change\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.\"\n impact 0.5\n tag severity: \"medium\"\n tag gtitle: \"WN10-AU-000140\"\n tag gid: \"V-63507\"\n tag rid: \"SV-77997r1_rule\"\n tag stig_id: \"WN10-AU-000140\"\n tag fix_id: \"F-69437r1_fix\"\n tag cci: [\"CCI-000172\", \"CCI-002234\"]\n tag nist: [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> Security State Change - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit Security State Change\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Security State Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security State Change') { should eq 'Success and Failure' }\n end\n end \nend\n", + "code": "control 'V-63647' do\n title 'Outgoing secure channel traffic must be signed when possible.'\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. If this policy is enabled, outgoing secure channel traffic will be\n signed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000045'\n tag gid: 'V-63647'\n tag rid: 'SV-78137r1_rule'\n tag stig_id: 'WN10-SO-000045'\n tag fix_id: 'F-69577r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n 
member: Digitally sign secure channel data (when possible)\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'SignSecureChannel' }\n its('SignSecureChannel') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63507.rb", - "line": 2 + "ref": "./Windows 10 STIG/controls/V-63647.rb", + "line": 3 }, - "id": "V-63507" + "id": "V-63647" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for\n OUTLOOK.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The minimum password age must be configured to at least 1 day.", + "desc": "Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. This\n enables users to effectively negate the purpose of mandating periodic password\n changes.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name OUTLOOK.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for OUTLOOK.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. This\n enables users to effectively negate the purpose of mandating periodic password\n changes.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \"Minimum password age\" is less than 1 day, this is a\n finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Minimum Password Age\" to at least 1 day." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000220", - "gid": "V-77243", - "rid": "SV-91939r3_rule", - "stig_id": "WN10-EP-000220", - "fix_id": "F-84363r4_fix", + "gtitle": "WN10-AC-000030", + "gid": "V-63421", + "rid": "SV-77911r1_rule", + "stig_id": "WN10-AC-000030", + "fix_id": "F-69349r1_fix", "cci": [ - "CCI-000366" + "CCI-000198" ], "nist": [ - "CM-6 b", + "IA-5 (1) (d)", "Rev_4" ], "false_negatives": null, 
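Review bot: The check and fix text for V-63421 at the end of this hunk hard-code `less than 1 day` / `at least 1 day`, while the control's embedded Ruby in the following hunk interpolates `input('min_pass_age')` into the same sentences; if that input is overridden, these generated descriptions no longer describe what the test enforces. Since this JSON appears to be generated from the profile (see `source_location`), either regenerate it so the descriptions carry the same interpolated value, or pin the input default to the STIG's 1 day and say so. Separately, the V-63647 test only asserts `SignSecureChannel` is 1; "when possible" signing is negotiated with the peer, so this control alone does not establish secure-channel integrity — that depends on the companion "always sign or encrypt" setting, which is not in view here.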
@@ -2720,35 +2735,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77243' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n OUTLOOK.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000220'\n tag gid: 'V-77243'\n tag rid: 'SV-91939r3_rule'\n tag stig_id: 'WN10-EP-000220'\n tag fix_id: 'F-84363r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name OUTLOOK.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for OUTLOOK.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name OUTLOOK.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Outlook' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name OUTLOOK.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Outlook' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name OUTLOOK.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Outlook' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end \n end\nend", + "code": "control 'V-63421' do\n title 'The minimum password age must be configured to at least 1 day.'\n desc \"Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. 
This\n enables users to effectively negate the purpose of mandating periodic password\n changes.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000030'\n tag gid: 'V-63421'\n tag rid: 'SV-77911r1_rule'\n tag stig_id: 'WN10-AC-000030'\n tag fix_id: 'F-69349r1_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \\\"Minimum password age\\\" is less than #{input('min_pass_age')} day, this is a\n finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Minimum Password Age\\\" to at least #{input('min_pass_age')} day.\"\n\n describe security_policy do\n its('MinimumPasswordAge') { should be >= input('min_pass_age') }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77243.rb", + "ref": "./Windows 10 STIG/controls/V-63421.rb", "line": 3 }, - "id": "V-77243" + "id": "V-63421" }, { - "title": "Automatically signing in the last interactive user after a\n system-initiated restart must be disabled.", - "desc": "Windows can be configured to automatically sign the user back in after\n a Windows Update restart. 
Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.", + "title": "Windows 10 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.", + "desc": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at\n the system level. Bottom-Up ASLR (address space layout randomization)\n randomizes locations for virtual memory allocations, including those for system\n structures. If this is turned off, Windows 10 may be subject to various\n exploits.", "descriptions": { - "default": "Windows can be configured to automatically sign the user back in after\n a Windows Update restart. Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Logon Options >>\n \"Sign-in last interactive user automatically after a system-initiated\n restart\" to \"Disabled\"." + "default": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. 
Several mitigations, including\n \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at\n the system level. Bottom-Up ASLR (address space layout randomization)\n randomizes locations for virtual memory allocations, including those for system\n structures. If this is turned off, Windows 10 may be subject to various\n exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which\n meets this requirement. The PowerShell query results for this show as\n \"NOTSET\".\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -System\".\n\n If the status of \"ASLR: BottomUp\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", + "fix": "Ensure Exploit Protection system-level mitigation, \"Randomize\n memory allocations (Bottom-Up ASLR)\" is turned on. The default configuration\n in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n\n Select \"App & browser control\".\n\n Select \"Exploit protection settings\".\n\n Under \"System settings\", configure \"Randomize memory allocations (Bottom-Up\n ASLR)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. 
Adding the\n following to the XML file will explicitly turn Bottom-Up ASLR on (other system\n level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000325", - "gid": "V-63333", - "rid": "SV-77823r1_rule", - "stig_id": "WN10-CC-000325", - "fix_id": "F-69251r1_fix", + "gtitle": "WN10-EP-000030", + "gid": "V-77095", + "rid": "SV-91791r4_rule", + "stig_id": "WN10-EP-000030", + "fix_id": "F-86719r3_fix", "cci": [ - "CCI-000366" + "CCI-002824" ], "nist": [ - "CM-6 b", + "SI-16", "Rev_4" ], "false_negatives": null, 
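Review bot: V-63421's test, `its('MinimumPasswordAge') { should be >= input('min_pass_age') }`, has no floor: an inputs override of 0 would make the check pass on a system that allows same-day password cycling, which is exactly what the STIG forbids, and an unset input resolving to nil would error rather than fail. The input's declaration and default are not visible here; consider enforcing the STIG minimum regardless, e.g. `its('MinimumPasswordAge') { should be >= [input('min_pass_age').to_i, 1].max }`, or at least validating the input before use. Also, in V-77095's `fix` text at the end of this hunk the XML snippet after `can be combined under` has been reduced to blank lines — the element names were evidently stripped when markup was sanitized — so the remediation instructions are incomplete and should be restored from the STIG source.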
@@ -2762,35 +2777,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63333' do\n title \"Automatically signing in the last interactive user after a\n system-initiated restart must be disabled.\"\n desc \"Windows can be configured to automatically sign the user back in after\n a Windows Update restart. Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000325'\n tag gid: 'V-63333'\n tag rid: 'SV-77823r1_rule'\n tag stig_id: 'WN10-CC-000325'\n tag fix_id: 'F-69251r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Logon Options >>\n \\\"Sign-in last interactive user automatically after a system-initiated\n restart\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'DisableAutomaticRestartSignOn' }\n its('DisableAutomaticRestartSignOn') { should cmp 1 }\n end\nend\n", + "code": "control 'V-77095' do\n title 'Windows 10 Exploit Protection 
system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.'\n desc \"Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \\\"Randomize memory allocations (Bottom-Up ASLR)\\\", are enabled by default at\n the system level. Bottom-Up ASLR (address space layout randomization)\n randomizes locations for virtual memory allocations, including those for system\n structures. If this is turned off, Windows 10 may be subject to various\n exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000030'\n tag gid: 'V-77095'\n tag rid: 'SV-91791r4_rule'\n tag stig_id: 'WN10-EP-000030'\n tag fix_id: 'F-86719r3_fix'\n tag cci: ['CCI-002824']\n tag nist: %w[SI-16 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which\n meets this requirement. The PowerShell query results for this show as\n \\\"NOTSET\\\".\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -System\\\".\n\n If the status of \\\"ASLR: BottomUp\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n desc 'fix', \"Ensure Exploit Protection system-level mitigation, \\\"Randomize\n memory allocations (Bottom-Up ASLR)\\\" is turned on. 
The default configuration\n in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n\n Select \\\"App & browser control\\\".\n\n Select \\\"Exploit protection settings\\\".\n\n Under \\\"System settings\\\", configure \\\"Randomize memory allocations (Bottom-Up\n ASLR)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn Bottom-Up ASLR on (other system\n level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n aslr = json( command: 'Get-ProcessMitigation -System | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp is required to be enabled on System' do\n subject { aslr }\n its(['BottomUp']) { should_not eq '2' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63333.rb", + "ref": "./Windows 10 STIG/controls/V-77095.rb", "line": 3 }, - "id": "V-63333" + "id": "V-77095" }, { - "title": "Windows 10 must be configured to audit Object Access - File Share failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for FLTLDR.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\"Run as\n Administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> File Share - Failure\n\n If the system does not audit the above, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit File Share\" with \"Failure\"\n selected." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name FLTLDR.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Override DEP: False\n\n ImageLoad:\n ImageLoad OverrideBlockRemoteImagesLoads: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for FLTLDR.EXE:\n\n DEP:\n Override DEP: False\n\n ImageLoad:\n ImageLoad OverrideBlockRemoteImagesLoads: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000081", - "gid": "V-75027", - "rid": "SV-89701r1_rule", - "stig_id": "WN10-AU-000081", - "fix_id": "F-81643r1_fix", + "gtitle": "WN10-EP-000120", + "gid": "V-77209", + "rid": "SV-91905r3_rule", + "stig_id": "WN10-EP-000120", + "fix_id": "F-84341r4_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
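Review bot: The `aslr` assertion in the new V-77095 `code` string looks like it can pass on a system where Bottom-Up ASLR is OFF: `Select Aslr | ConvertTo-Json` appears to nest the fields under an `Aslr` key, so `its(['BottomUp'])` would read a missing key, and `should_not eq '2'` compares against a string while ConvertTo-Json serializes enum members as numbers, so neither side ever matches. A path into the nested object with a type-lenient matcher, e.g. `its(['Aslr', 'BottomUp']) { should_not cmp 2 }` (confirm against real Get-ProcessMitigation output that OFF is what serializes as 2), would actually exercise the setting. Separately, `if input('sensitive_system') == 'true' || nil` is equivalent to `== 'true'`; the `|| nil` adds nothing and reads like an unfinished edit. Both the nested-key problem and the `|| nil` pattern recur in the V-77209 code in the next hunk.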
@@ -2804,35 +2819,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-75027' do\n title 'Windows 10 must be configured to audit Object Access - File Share failures.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000081'\n tag gid: 'V-75027'\n tag rid: 'SV-89701r1_rule'\n tag stig_id: 'WN10-AU-000081'\n tag fix_id: 'F-81643r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\\\"Run as\n Administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> File Share - Failure\n\n If the system does not audit the above, this is a finding.\"\n desc \"fix\", \"Configure the policy value for 
Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit File Share\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('File Share') { should eq 'Failure' }\n end\n describe audit_policy do\n its('File Share') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-77209' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for FLTLDR.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000120'\n tag gid: 'V-77209'\n tag rid: 'SV-91905r3_rule'\n tag stig_id: 'WN10-EP-000120'\n tag fix_id: 'F-84341r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name FLTLDR.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Override DEP: False\n\n ImageLoad:\n ImageLoad OverrideBlockRemoteImagesLoads: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n 
OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for FLTLDR.EXE:\n\n DEP:\n Override DEP: False\n\n ImageLoad:\n ImageLoad OverrideBlockRemoteImagesLoads: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name FLTLDR.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be enabled on FLTLDR' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n imageload = json( command: 'Get-ProcessMitigation -Name FLTLDR.EXE | Select ImageLoad | ConvertTo-Json').params\n describe 'OverRide ImageLoad Block Remote Image Loads is required to be false on FLTLDR' do\n subject { imageload }\n its(['OverrideBlockRemoteImageLoads']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name FLTLDR.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Adobe Reader' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n child_process = json( command: 'Get-ProcessMitigation -Name FLTLDR.EXE | Select ChildProcess | ConvertTo-Json').params\n describe 'OverRide Child Process is required to be false on FLTLDR' do\n subject { child_process }\n its(['OverrideChildProcess']) { should_not eq 'true' }\n end\n 
end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-75027.rb", + "ref": "./Windows 10 STIG/controls/V-77209.rb", "line": 3 }, - "id": "V-75027" + "id": "V-77209" }, { - "title": "The Remote Desktop Session Host must require secure RPC\n communications.", - "desc": "Allowing unsecure RPC communication exposes the system to man in the\n middle attacks and data disclosure attacks. A man in the middle attack occurs\n when an intruder captures packets between a client and server and modifies them\n before allowing the packets to be exchanged. Usually the attacker will modify\n the information in the packets in an attempt to cause either the client or\n server to reveal sensitive information.", + "title": "Audit policy using subcategories must be enabled.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior. This setting\n allows administrators to enable more precise auditing capabilities.", "descriptions": { - "default": "Allowing unsecure RPC communication exposes the system to man in the\n middle attacks and data disclosure attacks. A man in the middle attack occurs\n when an intruder captures packets between a client and server and modifies them\n before allowing the packets to be exchanged. 
Usually the attacker will modify\n the information in the packets in an attempt to cause either the client or\n server to reveal sensitive information.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fEncryptRPCTraffic\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security \"Require secure RPC communication\" to\n \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior. This setting\n allows administrators to enable more precise auditing capabilities.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Audit:\n Force audit policy subcategory settings (Windows Vista or later) to override\n audit policy category settings\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000285", - "gid": "V-63737", - "rid": "SV-78227r1_rule", - "stig_id": "WN10-CC-000285", - "fix_id": "F-69665r1_fix", + "gtitle": "WN10-SO-000030", + "gid": "V-63635", + "rid": "SV-78125r1_rule", + "stig_id": "WN10-SO-000030", + "fix_id": "F-69563r1_fix", "cci": [ - "CCI-001453" + "CCI-000169" ], "nist": [ - "AC-17 (2)", + "AU-12 a", "Rev_4" ], "false_negatives": null, 
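Review bot: The payload `describe` block in the new V-77209 code is labelled "... are required to be false on Adobe Reader" although this control is for FLTLDR.EXE, a copy-paste leftover that will be misleading in reports; the label should end `... are required to be false on FLTLDR`. The check text requires the listed mitigations to have a status of "ON", but the code only asserts that the `Override*` flags are not `'true'`, so an application whose mitigation is simply not enabled would presumably still pass; asserting the mitigation's enable state as well would match the check text. The text names `OverrideBlockRemoteImagesLoads` while the code reads `OverrideBlockRemoteImageLoads`; one of the two is misspelled and should be confirmed against actual cmdlet output. The embedded code also ends without a trailing newline (`end\nend`), unlike the other controls in this file.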
@@ -2846,35 +2861,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63737' do\n title \"The Remote Desktop Session Host must require secure RPC\n communications.\"\n desc \"Allowing unsecure RPC communication exposes the system to man in the\n middle attacks and data disclosure attacks. A man in the middle attack occurs\n when an intruder captures packets between a client and server and modifies them\n before allowing the packets to be exchanged. Usually the attacker will modify\n the information in the packets in an attempt to cause either the client or\n server to reveal sensitive information.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000285'\n tag gid: 'V-63737'\n tag rid: 'SV-78227r1_rule'\n tag stig_id: 'WN10-CC-000285'\n tag fix_id: 'F-69665r1_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fEncryptRPCTraffic\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security \\\"Require secure RPC communication\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'fEncryptRPCTraffic' }\n its('fEncryptRPCTraffic') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63635' 
do\n title 'Audit policy using subcategories must be enabled.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior. This setting\n allows administrators to enable more precise auditing capabilities.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000030'\n tag gid: 'V-63635'\n tag rid: 'SV-78125r1_rule'\n tag stig_id: 'WN10-SO-000030'\n tag fix_id: 'F-69563r1_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Audit:\n Force audit policy subcategory settings (Windows Vista or later) to override\n audit policy category settings\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'SCENoApplyLegacyAuditPolicy' }\n its('SCENoApplyLegacyAuditPolicy') { should cmp 1 }\n end\nend\n", "source_location": { - 
"ref": "./Windows 10 STIG/controls/V-63737.rb", + "ref": "./Windows 10 STIG/controls/V-63635.rb", "line": 3 }, - "id": "V-63737" + "id": "V-63635" }, { - "title": "Web publishing and online ordering wizards must be prevented from\n downloading a list of providers.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents Windows from downloading a list of providers for the Web publishing\n and online ordering wizards.", + "title": "Users must not be allowed to ignore Windows Defender SmartScreen\n filter warnings for unverified files in Microsoft Edge.", + "desc": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still download potentially malicious files.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. 
This setting\n prevents Windows from downloading a list of providers for the Web publishing\n and online ordering wizards.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: NoWebServices\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> \"Turn off Internet download for Web\n publishing and online ordering wizards\" to \"Enabled\"." + "default": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still download potentially malicious files.", + "check": "This is applicable to unclassified systems, for other systems\nthis is NA.\n\nWindows 10 LTSC\\B versions do not include Microsoft Edge, this is NA for those\nsystems.\n\nIf the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\nRegistry Hive: HKEY_LOCAL_MACHINE\nRegistry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter\\\n\nValue Name: PreventOverrideAppRepUnknown\n\nType: REG_DWORD\nValue: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Microsoft Edge >> \"Prevent\nbypassing Windows Defender SmartScreen prompts for files\" to \"Enabled\".\n\nWindows 10 includes duplicate policies for this setting. It can also be\nconfigured under Computer Configuration >> Administrative Templates >> Windows\nComponents >> Windows Defender SmartScreen >> Microsoft Edge." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000105", - "gid": "V-63621", - "rid": "SV-78111r1_rule", - "stig_id": "WN10-CC-000105", - "fix_id": "F-69549r1_fix", + "gtitle": "WN10-CC-000235", + "gid": "V-63701", + "rid": "SV-78191r6_rule", + "stig_id": "WN10-CC-000235", + "fix_id": "F-98465r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
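Review bot: The new V-63635 code uses double-quoted `desc \"check\"` / `desc \"fix\"` keys, whereas the V-77095 and V-77209 code added earlier in this same commit uses `desc 'check'` / `desc 'fix'`; since these strings are generated from the control sources, the inconsistency points to differing style in the underlying `.rb` files. Normalizing to `desc 'check', ...` and `desc 'fix', ...` would keep the embedded controls uniform. The registry assertion itself (`have_property` plus `cmp 1`) is fine as written.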
@@ -2888,35 +2903,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63621' do\n title \"Web publishing and online ordering wizards must be prevented from\n downloading a list of providers.\"\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents Windows from downloading a list of providers for the Web publishing\n and online ordering wizards.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000105'\n tag gid: 'V-63621'\n tag rid: 'SV-78111r1_rule'\n tag stig_id: 'WN10-CC-000105'\n tag fix_id: 'F-69549r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: NoWebServices\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> \\\"Turn off Internet download for Web\n publishing and online ordering wizards\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should have_property 'NoWebServices' }\n its('NoWebServices') { should cmp 1 }\n 
end\nend\n", + "code": "control 'V-63701' do\n title \"Users must not be allowed to ignore Windows Defender SmartScreen\n filter warnings for unverified files in Microsoft Edge.\"\n desc \"The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still download potentially malicious files.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000235'\n tag gid: 'V-63701'\n tag rid: 'SV-78191r6_rule'\n tag stig_id: 'WN10-CC-000235'\n tag fix_id: 'F-98465r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems, for other systems\nthis is NA.\n\nWindows 10 LTSC\\\\B versions do not include Microsoft Edge, this is NA for those\nsystems.\n\nIf the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\nRegistry Hive: HKEY_LOCAL_MACHINE\nRegistry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\PhishingFilter\\\\\n\nValue Name: PreventOverrideAppRepUnknown\n\nType: REG_DWORD\nValue: 0x00000001 (1)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Microsoft Edge >> \\\"Prevent\nbypassing Windows Defender SmartScreen prompts for files\\\" to \\\"Enabled\\\".\n\nWindows 10 includes duplicate policies for this setting. 
It can also be\nconfigured under Computer Configuration >> Administrative Templates >> Windows\nComponents >> Windows Defender SmartScreen >> Microsoft Edge.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter') do\n it { should have_property 'PreventOverrideAppRepUnknown' }\n its('PreventOverrideAppRepUnknown') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63621.rb", + "ref": "./Windows 10 STIG/controls/V-63701.rb", "line": 3 }, - "id": "V-63621" + "id": "V-63701" }, { - "title": "Reversible password encryption must be disabled.", - "desc": "Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords. For this reason, this policy\n must never be enabled.", + "title": "The system must be configured to require a strong session key.", + "desc": "A computer connecting to a domain controller will establish a secure\n channel. Requiring strong session keys enforces 128-bit encryption between\n systems.", "descriptions": { - "default": "Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords. 
For this reason, this policy\n must never be enabled.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \"Store password using reversible encryption\" is not set to\n \"Disabled\", this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >> \"Store\n passwords using reversible encryption\" to \"Disabled\"." + "default": "A computer connecting to a domain controller will establish a secure\n channel. Requiring strong session keys enforces 128-bit encryption between\n systems.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 1\n\n Warning: This setting may prevent a system from being joined to a domain if not\n configured consistently between systems.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Require strong (Windows 2000 or Later) session key\" to \"Enabled\"." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-AC-000045", - "gid": "V-63429", - "rid": "SV-77919r1_rule", - "stig_id": "WN10-AC-000045", - "fix_id": "F-69357r1_fix", + "severity": "medium", + "gtitle": "WN10-SO-000060", + "gid": "V-63665", + "rid": "SV-78155r1_rule", + "stig_id": "WN10-SO-000060", + "fix_id": "F-69593r1_fix", "cci": [ - "CCI-000196" + "CCI-002418", + "CCI-002421" ], "nist": [ - "IA-5 (1) (c)", + "SC-8", + "SC-8 (1)", "Rev_4" ], "false_negatives": null, 
@@ -2930,35 +2947,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63429' do\n title 'Reversible password encryption must be disabled.'\n desc \"Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords. For this reason, this policy\n must never be enabled.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-AC-000045'\n tag gid: 'V-63429'\n tag rid: 'SV-77919r1_rule'\n tag stig_id: 'WN10-AC-000045'\n tag fix_id: 'F-69357r1_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \\\"Store password using reversible encryption\\\" is not set to\n \\\"Disabled\\\", this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Store\n passwords using reversible encryption\\\" to \\\"Disabled\\\".\"\n\n describe security_policy do\n its('ClearTextPassword') { should eq 0 }\n end\nend\n", + "code": "control \"V-63665\" do\n title \"The system must be configured to require a strong session key.\"\n desc \"A computer connecting to a domain controller will establish a secure\n channel. 
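Review bot: The check text for V-63701 in this hunk declares the control NA on Windows 10 LTSC/LTSB builds because they ship without Microsoft Edge, but the InSpec body only branches on `input('sensitive_system')`; on an LTSC image the `registry_key(...PhishingFilter)` describe block still runs and reports a finding where the STIG says NA. An edition guard in front of the registry check would close that gap — the same `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` key that sibling controls read for `ReleaseId` also carries `EditionID`, which on LTSB/LTSC builds is, as far as I know, an `EnterpriseS`-style value; confirm that against a reference image before relying on it. The `== 'true'` string comparison on the input also deserves a one-line comment in the control, since a boolean `true` supplied from an inputs file would silently fall through to the registry check. Per `source_location` this `code` string is exported from `./Windows 10 STIG/controls/V-63701.rb`, so the change belongs in the .rb with the JSON regenerated.
```ruby
  if input('sensitive_system') == 'true'
    # … unchanged: NA skip for sensitive systems …
  elsif registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID.to_s.include?('EnterpriseS')
    impact 0.0
    describe 'Windows 10 LTSC/LTSB does not include Microsoft Edge; this control is NA.' do
      skip 'Windows 10 LTSC/LTSB does not include Microsoft Edge; this control is NA.'
    end
  else
    # … unchanged: PreventOverrideAppRepUnknown registry check …
  end
```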
Requiring strong session keys enforces 128-bit encryption between\n systems.\"\n impact 0.5\n tag severity: \"medium\"\n tag gtitle: \"WN10-SO-000060\"\n tag gid: \"V-63665\"\n tag rid: \"SV-78155r1_rule\"\n tag stig_id: \"WN10-SO-000060\"\n tag fix_id: \"F-69593r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 1\n\n Warning: This setting may prevent a system from being joined to a domain if not\n configured consistently between systems.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Require strong (Windows 2000 or Later) session key\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'RequireStrongKey' }\n its('RequireStrongKey') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63429.rb", - "line": 3 + "ref": "./Windows 10 STIG/controls/V-63665.rb", + "line": 2 }, - "id": "V-63429" + "id": "V-63665" }, { - "title": "The Telnet Client must not be installed on the system.", - "desc": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", + "title": "Microsoft consumer experiences must 
be turned off.", + "desc": "Microsoft consumer experiences provides suggestions and notifications\n to users, which may include the installation of Windows Store apps.\n Organizations may control the execution of applications through other means\n such as whitelisting. Turning off Microsoft consumer experiences will help\n prevent the unwanted installation of suggested applications.", "descriptions": { - "default": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", - "check": "The \"Telnet Client\" is not installed by default. Verify it has\n not been installed.\n\n Navigate to the Windows\\System32 directory.\n\n If the \"telnet\" application exists, this is a finding.", - "fix": "Uninstall \"Telnet Client\" from the system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows Features on or off\".\n\n De-select \"Telnet Client\"." + "default": "Microsoft consumer experiences provides suggestions and notifications\n to users, which may include the installation of Windows Store apps.\n Organizations may control the execution of applications through other means\n such as whitelisting. Turning off Microsoft consumer experiences will help\n prevent the unwanted installation of suggested applications.", + "check": "Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent\\\n\n Value Name: DisableWindowsConsumerFeatures\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Cloud Content >> \"Turn off\n Microsoft consumer experiences\" to \"Enabled\"." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-00-000115", - "gid": "V-63385", - "rid": "SV-77875r1_rule", - "stig_id": "WN10-00-000115", - "fix_id": "F-69307r1_fix", + "severity": "low", + "gtitle": "WN10-CC-000197", + "gid": "V-71771", + "rid": "SV-86395r2_rule", + "stig_id": "WN10-CC-000197", + "fix_id": "F-78123r1_fix", "cci": [ - "CCI-000382" + "CCI-000381" ], "nist": [ - "CM-7 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
@@ -2972,35 +2989,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63385' do\n title 'The Telnet Client must not be installed on the system.'\n desc \"Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000115'\n tag gid: 'V-63385'\n tag rid: 'SV-77875r1_rule'\n tag stig_id: 'WN10-00-000115'\n tag fix_id: 'F-69307r1_fix'\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The \\\"Telnet Client\\\" is not installed by default. Verify it has\n not been installed.\n\n Navigate to the Windows\\\\System32 directory.\n\n If the \\\"telnet\\\" application exists, this is a finding.\"\n\n desc \"fix\", \"Uninstall \\\"Telnet Client\\\" from the system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows Features on or off\\\".\n\n De-select \\\"Telnet Client\\\".\"\n\n describe windows_feature('Telnet Client') do\n it { should_not be_installed }\n end\nend\n", + "code": "control \"V-71771\" do\n title \"Microsoft consumer experiences must be turned off.\"\n desc \"Microsoft consumer experiences provides suggestions and notifications\n to users, which may include the installation of Windows Store apps.\n Organizations may control the execution of applications through other means\n such as whitelisting. 
Turning off Microsoft consumer experiences will help\n prevent the unwanted installation of suggested applications.\"\n impact 0.3\n tag severity: \"low\"\n tag gtitle: \"WN10-CC-000197\"\n tag gid: \"V-71771\"\n tag rid: \"SV-86395r2_rule\"\n tag stig_id: \"WN10-CC-000197\"\n tag fix_id: \"F-78123r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CloudContent\\\\\n\n Value Name: DisableWindowsConsumerFeatures\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Cloud Content >> \\\"Turn off\n Microsoft consumer experiences\\\" to \\\"Enabled\\\".\"\n\nif (registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId != \"1507\" )\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent') do\n it { should have_property 'DisableWindowsConsumerFeatures' }\n its('DisableWindowsConsumerFeatures') { should cmp 1 } \n end\nelse \n impact 0.0\n describe \"Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems.\" do\n skip 'Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems.'\n end \n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63385.rb", - "line": 3 + "ref": "./Windows 
10 STIG/controls/V-71771.rb", + "line": 2 }, - "id": "V-63385" + "id": "V-71771" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for lync.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The Deny log on through Remote Desktop Services user right on Windows\n 10 workstations must at a minimum be configured to prevent access from highly\n privileged domain accounts and local accounts on domain systems and\n unauthenticated access on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n If Remote Desktop Services is not used by the organization, the Everyone\n group must be assigned this right to prevent all access.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name lync.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for lync.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n If Remote Desktop Services is not used by the organization, the Everyone\n group must be assigned this right to prevent all access.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny log on\n through Remote Desktop Services\" right, this is a finding:\n\n If Remote Desktop Services is not used by the organization, the \"Everyone\"\n group can replace all of the groups listed below.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. 
(See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \"Local account\" is a built-in security group used to assign user rights\n and permissions to all local accounts.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Deny log on through Remote Desktop Services\" to include the following.\n\n If Remote Desktop Services is not used by the organization, assign the Everyone\n group this right to prevent all access.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \"Local account\" is a built-in security group used to assign user rights\n and permissions to all local accounts." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000170", - "gid": "V-77227", - "rid": "SV-91923r3_rule", - "stig_id": "WN10-EP-000170", - "fix_id": "F-84357r4_fix", + "gtitle": "WN10-UR-000090", + "gid": "V-63879", + "rid": "SV-78369r4_rule", + "stig_id": "WN10-UR-000090", + "fix_id": "F-88445r1_fix", "cci": [ - "CCI-000366" + "CCI-000213", + "CCI-002314" ], "nist": [ - "CM-6 b", + "AC-3", + "AC-17 (1)", "Rev_4" ], "false_negatives": null, 
@@ -3014,35 +3033,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77227' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for lync.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000170'\n tag gid: 'V-77227'\n tag rid: 'SV-91923r3_rule'\n tag stig_id: 'WN10-EP-000170'\n tag fix_id: 'F-84357r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name lync.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
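Review bot: The version guard `registry_key(...).ReleaseId != "1507"` in the V-71771 body cannot reach its NA branch on the build it is meant to exclude: `ReleaseId` was, as far as I know, introduced in 1511 and is absent on a 1507 LTSB image, so whatever the resource returns for a missing value it is not the string `"1507"`, the guard passes, and the `CloudContent` check runs and reports a finding on exactly the systems the check text calls NA. Either compare a value present on every build (e.g. `CurrentBuildNumber`, which is 10240 for 1507 — verify on a reference image) or at least treat a missing `ReleaseId` as the NA case: `release_id = registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId` followed by `if release_id.nil? || release_id == '1507'` for the skip branch and `else` for the registry check. The `if`/`else`/`end` block is also indented at column 0 inside the control and carries trailing whitespace after `should cmp 1 }` and `else`, which rubocop on `./Windows 10 STIG/controls/V-71771.rb` (the file this `code` string is exported from per `source_location`) would flag; fix there and regenerate this JSON.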
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for lync.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name lync.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Lync' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name lync.exe| Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Lync' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name lync.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Lync' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", + "code": "control 'V-63879' do\n title \"The Deny log on through Remote Desktop Services user right on Windows\n 10 workstations must at a minimum be configured to prevent access from highly\n privileged domain accounts and local accounts on domain systems and\n unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \\\"Deny log on through Remote Desktop Services\\\" right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n 
If Remote Desktop Services is not used by the organization, the Everyone\n group must be assigned this right to prevent all access.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000090'\n tag gid: 'V-63879'\n tag rid: 'SV-78369r4_rule'\n tag stig_id: 'WN10-UR-000090'\n tag fix_id: 'F-88445r1_fix'\n tag cci: %w[CCI-000213 CCI-002314]\n tag nist: ['AC-3', 'AC-17 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny log on\n through Remote Desktop Services\\\" right, this is a finding:\n\n If Remote Desktop Services is not used by the organization, the \\\"Everyone\\\"\n group can replace all of the groups listed below.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise 
Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \\\"Local account\\\" is a built-in security group used to assign user rights\n and permissions to all local accounts.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Deny log on through Remote Desktop Services\\\" to include the following.\n\n If Remote Desktop Services is not used by the organization, assign the Everyone\n group this right to prevent all access.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \\\"Local account\\\" is a built-in security group used to assign user rights\n and permissions to all local accounts.\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n\n describe security_policy do\n\n its('SeDenyNetworkLogonRight') { should include 
\"#{enterprise_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77227.rb", + "ref": "./Windows 10 STIG/controls/V-63879.rb", "line": 3 }, - "id": "V-77227" + "id": "V-63879" }, { - "title": "The system must be configured to prevent Internet Control Message\n Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)\n generated routes.", - "desc": "Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. When disabled, this forces ICMP to be routed via shortest path\n first.", + "title": "The system must be configured to audit System - System Integrity\n failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", "descriptions": { - "default": "Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. 
When disabled, this forces ICMP to be routed via shortest path\n first.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (EnableICMPRedirect) Allow\n ICMP redirects to override OSPF generated routes\" to \"Disabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \"MSS-Legacy.admx\" and \"\n MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> System Integrity - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit System Integrity\" with \"Failure\"\n selected." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-CC-000030", - "gid": "V-63563", - "rid": "SV-78053r1_rule", - "stig_id": "WN10-CC-000030", - "fix_id": "F-69493r1_fix", + "severity": "medium", + "gtitle": "WN10-AU-000155", + "gid": "V-63515", + "rid": "SV-78005r1_rule", + "stig_id": "WN10-AU-000155", + "fix_id": "F-69445r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
@@ -3056,35 +3077,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63563' do\n title \"The system must be configured to prevent Internet Control Message\n Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)\n generated routes.\"\n desc \"Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. When disabled, this forces ICMP to be routed via shortest path\n first.\"\n\n impact 0.3\n\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000030'\n tag gid: 'V-63563'\n tag rid: 'SV-78053r1_rule'\n tag stig_id: 'WN10-CC-000030'\n tag fix_id: 'F-69493r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (EnableICMPRedirect) Allow\n ICMP redirects to override OSPF generated routes\\\" to \\\"Disabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and \\\"\n MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters') do\n it { should have_property 'EnableICMPRedirect' }\n its('EnableICMPRedirect') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63515' do\n title \"The system must be configured to audit System - System Integrity\n failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000155'\n tag gid: 'V-63515'\n tag rid: 'SV-78005r1_rule'\n tag stig_id: 'WN10-AU-000155'\n tag fix_id: 'F-69445r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command 
Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> System Integrity - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Failure' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63563.rb", + "ref": "./Windows 10 STIG/controls/V-63515.rb", "line": 3 }, - "id": "V-63563" + "id": "V-63515" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for OneDrive.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Simple TCP/IP Services must not be installed on the system.", + "desc": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name OneDrive.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n OverrideRelocateImages: False\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for OneDrive.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n OverrideRelocateImages: False\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", + "check": "\"Simple TCP/IP Services\" is not installed by default. Verify\n it has not been installed.\n\n Run \"Services.msc\".\n\n If \"Simple TCP/IP Services\" is listed, this is a finding.", + "fix": "Uninstall \"Simple TCPIP Services (i.e. echo, daytime etc)\" from\n the system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows Features on or off\".\n De-select \"Simple TCPIP Services (i.e. echo, daytime etc)\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000210", - "gid": "V-77235", - "rid": "SV-91931r3_rule", - "stig_id": "WN10-EP-000210", - "fix_id": "F-84321r5_fix", + "gtitle": "WN10-00-000110", + "gid": "V-63383", + "rid": "SV-77873r1_rule", + "stig_id": "WN10-00-000110", + "fix_id": "F-69305r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
@@ -3098,37 +3119,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77235' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for OneDrive.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000210'\n tag gid: 'V-77235'\n tag rid: 'SV-91931r3_rule'\n tag stig_id: 'WN10-EP-000210'\n tag fix_id: 'F-84321r5_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name OneDrive.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n OverrideRelocateImages: False\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for OneDrive.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n OverrideRelocateImages: False\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name OneDrive.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Onedrive' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name OneDrive.exe | Select Aslr | ConvertTo-Json').params\n describe 'Alsr OverRide Force Relocate Images are required to be enabled on Microsoft Onedrive' do\n subject { aslr }\n its(['OverrideForceRelocateImages']) { should_not eq 'true' }\n end\n imageload = json( command: 'Get-ProcessMitigation -Name OneDrive.exe | Select ImageLoad | ConvertTo-Json').params\n describe 'Override ImageLoad Block Remote Image Loads is required to be false on Microsoft Onedrive' do\n subject { imageload }\n its(['OverrideBlockRemoteImages']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name OneDrive.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Onedrive' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", + "code": "control 'V-63383' do\n title 'Simple TCP/IP Services must not be installed on the system.'\n desc \"Some protocols and services do not support required security features,\n such as encrypting 
passwords or traffic.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000110'\n tag gid: 'V-63383'\n tag rid: 'SV-77873r1_rule'\n tag stig_id: 'WN10-00-000110'\n tag fix_id: 'F-69305r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"\\\"Simple TCP/IP Services\\\" is not installed by default. Verify\n it has not been installed.\n\n Run \\\"Services.msc\\\".\n\n If \\\"Simple TCP/IP Services\\\" is listed, this is a finding.\"\n\n desc \"fix\", \"Uninstall \\\"Simple TCPIP Services (i.e. echo, daytime etc)\\\" from\n the system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows Features on or off\\\".\n De-select \\\"Simple TCPIP Services (i.e. echo, daytime etc)\\\".\"\n\n describe windows_feature('Simple TCP/IP Services') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77235.rb", + "ref": "./Windows 10 STIG/controls/V-63383.rb", "line": 3 }, - "id": "V-77235" + "id": "V-63383" }, { - "title": "The system must be configured to audit Privilege Use - Sensitive\n Privilege Use successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \"Act as part of the operating system\" or \"Debug\n programs\"", + "title": "Windows 10 must be configured to disable Windows Game Recording and Broadcasting.", + "desc": "Windows Game Recording and Broadcasting is intended for use with\n games, however it could potentially record screen shots of other applications\n and expose sensitive data. Disabling the feature will prevent this from\n occurring.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \"Act as part of the operating system\" or \"Debug\n programs\"", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Privilege Use >> Sensitive Privilege Use - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\" with\n \"Success\" selected." + "default": "Windows Game Recording and Broadcasting is intended for use with\n games, however it could potentially record screen shots of other applications\n and expose sensitive data. Disabling the feature will prevent this from\n occurring.", + "check": "This is NA for Windows 10 LTSC\\B versions 1507 and 1607.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\GameDVR\\\n\n Value Name: AllowGameDVR\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Game Recording and\n Broadcasting >> \"Enables or disables Windows Game Recording and Broadcasting\"\n to \"Disabled\"." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000115", - "gid": "V-63487", - "rid": "SV-77977r1_rule", - "stig_id": "WN10-AU-000115", - "fix_id": "F-69417r1_fix", + "gtitle": "WN10-CC-000252", + "gid": "V-74417", + "rid": "SV-89091r2_rule", + "stig_id": "WN10-CC-000252", + "fix_id": "F-80959r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000381" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
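Review bot: The new V-63383 code passes the Services.msc display name to `windows_feature('Simple TCP/IP Services')`, but InSpec's windows_feature resolves names as DISM/PowerShell feature identifiers (DISM lists this feature as `SimpleTCP`), so the lookup presumably fails and `should_not be_installed` passes vacuously even on a host that has the service installed. Consider `describe windows_feature('SimpleTCP', method: :dism) do` and confirm on a host with the feature enabled that the control actually reports a failure. Separately, the V-74417 entry in this hunk exports `"impact": 0` next to `"severity": "medium"`, while its embedded code in the next hunk declares `impact 0.5`; this looks like the export captured the runtime `impact 0.0` from the release-gate branch, and consumers of this baseline would treat the control as Not Applicable everywhere.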
@@ -3142,30 +3161,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63487' do\n title \"The system must be configured to audit Privilege Use - Sensitive\n Privilege Use successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug\n programs\\\"\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000115'\n tag gid: 'V-63487'\n tag rid: 'SV-77977r1_rule'\n tag stig_id: 'WN10-AU-000115'\n tag fix_id: 'F-69417r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Privilege Use >> Sensitive Privilege Use - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-74417' do\n title 'Windows 10 must be configured to disable Windows Game Recording and Broadcasting.'\n desc \"Windows Game Recording and Broadcasting is intended for use with\n games, however it could potentially record screen shots of other applications\n and expose sensitive data. Disabling the feature will prevent this from\n occurring.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000252'\n tag gid: 'V-74417'\n tag rid: 'SV-89091r2_rule'\n tag stig_id: 'WN10-CC-000252'\n tag fix_id: 'F-80959r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA for Windows 10 LTSC\\\\B versions 1507 and 1607.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\GameDVR\\\\\n\n Value Name: AllowGameDVR\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> 
Windows Components >> Windows Game Recording and\n Broadcasting >> \\\"Enables or disables Windows Game Recording and Broadcasting\\\"\n to \\\"Disabled\\\".\"\n\n releaseID = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId.to_i\n\n if ( releaseID == 1607 || releaseID <= 1507 )\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1507 and 1607.' do\n skip 'This STIG does not apply to Prior Versions before 1507 and 1607.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\GameDVR') do\n it { should have_property 'AllowGameDVR' }\n its('AllowGameDVR') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63487.rb", + "ref": "./Windows 10 STIG/controls/V-74417.rb", "line": 3 }, - "id": "V-63487" + "id": "V-74417" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for\n VISIO.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The system must be configured to the required LDAP client signing\n level.", + "desc": "This setting controls the signing requirements for LDAP clients. This\n setting must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name VISIO.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for VISIO.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "This setting controls the signing requirements for LDAP clients. This\n setting must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LDAP\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: LDAP client signing requirements\" to \"Negotiate signing\"\n at a minimum." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000260", - "gid": "V-77255", - "rid": "SV-91951r3_rule", - "stig_id": "WN10-EP-000260", - "fix_id": "F-84507r4_fix", + "gtitle": "WN10-SO-000210", + "gid": "V-63803", + "rid": "SV-78293r1_rule", + "stig_id": "WN10-SO-000210", + "fix_id": "F-69731r1_fix", "cci": [ "CCI-000366" ], 
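Review bot: The release gate in the new V-74417 code, `if ( releaseID == 1607 || releaseID <= 1507 )`, skips the control for every 1507/1607 build, whereas the check text scopes the exemption to LTSC/LTSB editions only, so a non-LTSB 1607 host is silently marked Not Applicable instead of being evaluated. Narrowing the gate with the edition, e.g. `edition = registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID` and requiring `edition == 'EnterpriseS'` alongside the release check, would match the STIG wording; confirm the EditionID value on the LTSB images in use. The skip message `'This STIG does not apply to Prior Versions before 1507 and 1607.'` also misstates the condition and could read `'This control is Not Applicable to Windows 10 LTSB/LTSC 1507 and 1607.'`.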
@@ -3184,35 +3203,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77255' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n VISIO.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000260'\n tag gid: 'V-77255'\n tag rid: 'SV-91951r3_rule'\n tag stig_id: 'WN10-EP-000260'\n tag fix_id: 'F-84507r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name VISIO.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for VISIO.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name VISIO.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Visio' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name VISIO.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Visio' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name VISIO.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Visio' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end \n end\nend", + "code": "control 'V-63803' do\n title \"The system must be configured to the required LDAP client signing\n level.\"\n desc \"This setting controls the signing requirements for LDAP clients. 
This\n setting must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000210'\n tag gid: 'V-63803'\n tag rid: 'SV-78293r1_rule'\n tag stig_id: 'WN10-SO-000210'\n tag fix_id: 'F-69731r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP\\\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: LDAP client signing requirements\\\" to \\\"Negotiate signing\\\"\n at a minimum.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LDAP') do\n it { should have_property 'LDAPClientIntegrity' }\n its('LDAPClientIntegrity') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77255.rb", + "ref": "./Windows 10 STIG/controls/V-63803.rb", "line": 3 }, - "id": "V-77255" + "id": "V-63803" }, { - "title": "Administrator accounts must not be enumerated during elevation.", - "desc": "Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. 
This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.", + "title": "Anonymous SID/Name translation must not be allowed.", + "desc": "Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.", "descriptions": { - "default": "Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\\n\n Value Name: EnumerateAdministrators\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Credential User Interface >>\n \"Enumerate administrator accounts on elevation\" to \"Disabled\"." + "default": "Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Network access: Allow anonymous SID/Name translation\" is\n not set to \"Disabled\", this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Allow anonymous SID/Name translation\" to \"Disabled\"." 
},
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "severity": "medium",
- "gtitle": "WN10-CC-000200",
- "gid": "V-63679",
- "rid": "SV-78169r1_rule",
- "stig_id": "WN10-CC-000200",
- "fix_id": "F-69607r1_fix",
+ "severity": "high",
+ "gtitle": "WN10-SO-000140",
+ "gid": "V-63739",
+ "rid": "SV-78229r1_rule",
+ "stig_id": "WN10-SO-000140",
+ "fix_id": "F-69667r1_fix",
 "cci": [
- "CCI-001084"
+ "CCI-000366"
 ],
 "nist": [
- "SC-3",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
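Review bot: The new V-63803 test inside the `code` string pins `its('LDAPClientIntegrity') { should cmp 1 }`, while the control's own `desc "fix"` text in the same string requires "Negotiate signing" only "at a minimum"; a host hardened to the stricter Require signing level (value 2) would therefore be reported as a finding by this profile. If the intent is to honour the "at a minimum" wording, `its('LDAPClientIntegrity') { should be >= 1 }` matches it; if exact equality is deliberate, the fix text should drop "at a minimum" so the description and the test agree. The `check` description added above states "Value: 1" exactly, so whichever way this is resolved, the three places should say the same thing.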
@@ -3226,37 +3245,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63679' do\n title 'Administrator accounts must not be enumerated during elevation.'\n desc \"Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000200'\n tag gid: 'V-63679'\n tag rid: 'SV-78169r1_rule'\n tag stig_id: 'WN10-CC-000200'\n tag fix_id: 'F-69607r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI\\\\\n\n Value Name: EnumerateAdministrators\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Credential User Interface >>\n \\\"Enumerate administrator accounts on elevation\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI') do\n it { should have_property 'EnumerateAdministrators' }\n its('EnumerateAdministrators') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63739' do\n title 'Anonymous SID/Name translation must not be allowed.'\n desc \"Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. 
Only authorized users must be able to\n perform such translations.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000140'\n tag gid: 'V-63739'\n tag rid: 'SV-78229r1_rule'\n tag stig_id: 'WN10-SO-000140'\n tag fix_id: 'F-69667r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Network access: Allow anonymous SID/Name translation\\\" is\n not set to \\\"Disabled\\\", this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Allow anonymous SID/Name translation\\\" to \\\"Disabled\\\".\"\n\n describe security_policy do\n its('LSAAnonymousNameLookup') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63679.rb", + "ref": "./Windows 10 STIG/controls/V-63739.rb", "line": 3 }, - "id": "V-63679" + "id": "V-63739" }, { - "title": "The Deny log on through Remote Desktop Services user right on Windows\n 10 workstations must at a minimum be configured to prevent access from highly\n privileged domain accounts and local accounts on domain systems and\n unauthenticated access on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" right defines the\n accounts that are prevented from 
logging on using Remote Desktop Services.\n\n If Remote Desktop Services is not used by the organization, the Everyone\n group must be assigned this right to prevent all access.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "Anonymous enumeration of SAM accounts must not be allowed.", + "desc": "Anonymous enumeration of SAM accounts allows anonymous log on users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n If Remote Desktop Services is not used by the organization, the Everyone\n group must be assigned this right to prevent all access.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run 
\"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny log on\n through Remote Desktop Services\" right, this is a finding:\n\n If Remote Desktop Services is not used by the organization, the \"Everyone\"\n group can replace all of the groups listed below.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \"Local account\" is a built-in security group used to assign user rights\n and permissions to all local accounts.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Deny log on through Remote Desktop Services\" to include the following.\n\n If Remote Desktop Services is not used by the organization, assign the Everyone\n group this right to prevent all access.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \"Local account\" is a built-in security group used to assign user rights\n and permissions to all local accounts." 
+ "default": "Anonymous enumeration of SAM accounts allows anonymous log on users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 1",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Do not allow anonymous enumeration of SAM accounts\" to\n \"Enabled\"."
 },
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "severity": "medium",
- "gtitle": "WN10-UR-000090",
- "gid": "V-63879",
- "rid": "SV-78369r4_rule",
- "stig_id": "WN10-UR-000090",
- "fix_id": "F-88445r1_fix",
+ "severity": "high",
+ "gtitle": "WN10-SO-000145",
+ "gid": "V-63745",
+ "rid": "SV-78235r1_rule",
+ "stig_id": "WN10-SO-000145",
+ "fix_id": "F-69673r1_fix",
 "cci": [
- "CCI-000213",
- "CCI-002314"
+ "CCI-000366"
 ],
 "nist": [
- "AC-3",
- "AC-17 (1)",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
@@ -3270,30 +3287,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63879' do\n title \"The Deny log on through Remote Desktop Services user right on Windows\n 10 workstations must at a minimum be configured to prevent access from highly\n privileged domain accounts and local accounts on domain systems and\n unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \\\"Deny log on through Remote Desktop Services\\\" right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n If Remote Desktop Services is not used by the organization, the Everyone\n group must be assigned this right to prevent all access.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000090'\n tag gid: 'V-63879'\n tag rid: 'SV-78369r4_rule'\n tag stig_id: 'WN10-UR-000090'\n tag fix_id: 'F-88445r1_fix'\n tag cci: %w[CCI-000213 CCI-002314]\n tag nist: ['AC-3', 'AC-17 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer 
Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny log on\n through Remote Desktop Services\\\" right, this is a finding:\n\n If Remote Desktop Services is not used by the organization, the \\\"Everyone\\\"\n group can replace all of the groups listed below.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \\\"Local account\\\" is a built-in security group used to assign user rights\n and permissions to all local accounts.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Deny log on through Remote Desktop Services\\\" to include the following.\n\n If Remote Desktop Services is not used by the organization, assign the Everyone\n group this right to prevent all access.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. 
(See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \\\"Local account\\\" is a built-in security group used to assign user rights\n and permissions to all local accounts.\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n\n describe security_policy do\n\n its('SeDenyNetworkLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n end\nend\n", + "code": "control 'V-63745' do\n title 'Anonymous enumeration of SAM accounts must not be allowed.'\n desc \"Anonymous enumeration of SAM accounts allows anonymous log on users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000145'\n tag gid: 'V-63745'\n tag rid: 'SV-78235r1_rule'\n tag stig_id: 'WN10-SO-000145'\n tag fix_id: 'F-69673r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag 
mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Do not allow anonymous enumeration of SAM accounts\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'RestrictAnonymousSAM' }\n its('RestrictAnonymousSAM') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63879.rb", + "ref": "./Windows 10 STIG/controls/V-63745.rb", "line": 3 }, - "id": "V-63879" + "id": "V-63745" }, { - "title": "Run as different user must be removed from context menus.", - "desc": "The \"Run as different user\" selection from context menus allows the\n use of credentials other than the currently logged on user. Using privileged\n credentials in a standard user session can expose those credentials to theft.\n Removing this option from context menus helps prevent this from occurring.", + "title": "Bluetooth must be turned off when not in use.", + "desc": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.", "descriptions": { - "default": "The \"Run as different user\" selection from context menus allows the\n use of credentials other than the currently logged on user. 
Using privileged\n credentials in a standard user session can expose those credentials to theft.\n Removing this option from context menus helps prevent this from occurring.", - "check": "If the following registry values do not exist or are not\n configured as specified, this is a finding.\n The policy configures the same Value Name, Type and Value under four different\n registry paths.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Paths:\n \\SOFTWARE\\Classes\\batfile\\shell unasuser\\\n \\SOFTWARE\\Classes\\cmdfile\\shell unasuser\\\n \\SOFTWARE\\Classes\\exefile\\shell unasuser\\\n \\SOFTWARE\\Classes\\mscfile\\shell unasuser\\\n\n Value Name: SuppressionPolicy\n\n Type: REG_DWORD\n Value: 0x00001000 (4096)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Remove \"Run as Different\n User\" from context menus\" to \"Enabled\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must\n be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.", + "check": "This is NA if the system does not have Bluetooth.\n\n Verify the organization has a policy to turn off Bluetooth when not in use and\n personnel are trained. If it does not, this is a finding.", + "fix": "Turn off Bluetooth radios when not in use. Establish an\n organizational policy for the use of Bluetooth to include training of\n personnel." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-CC-000039",
- "gid": "V-72329",
- "rid": "SV-86953r1_rule",
- "stig_id": "WN10-CC-000039",
- "fix_id": "F-78683r2_fix",
+ "gtitle": "WN10-00-000220",
+ "gid": "V-72767",
+ "rid": "SV-87405r1_rule",
+ "stig_id": "WN10-00-000220",
+ "fix_id": "F-79177r1_fix",
 "cci": [
 "CCI-000381"
 ],
@@ -3312,35 +3329,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-72329' do\n title 'Run as different user must be removed from context menus.'\n desc \"The \\\"Run as different user\\\" selection from context menus allows the\n use of credentials other than the currently logged on user. Using privileged\n credentials in a standard user session can expose those credentials to theft.\n Removing this option from context menus helps prevent this from occurring.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000039'\n tag gid: 'V-72329'\n tag rid: 'SV-86953r1_rule'\n tag stig_id: 'WN10-CC-000039'\n tag fix_id: 'F-78683r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry values do not exist or are not\n configured as specified, this is a finding.\n The policy configures the same Value Name, Type and Value under four different\n registry paths.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Paths:\n \\\\SOFTWARE\\\\Classes\\\\batfile\\\\shell\\\n unasuser\\\\\n \\\\SOFTWARE\\\\Classes\\\\cmdfile\\\\shell\\\n unasuser\\\\\n \\\\SOFTWARE\\\\Classes\\\\exefile\\\\shell\\\n unasuser\\\\\n \\\\SOFTWARE\\\\Classes\\\\mscfile\\\\shell\\\n unasuser\\\\\n\n Value Name: SuppressionPolicy\n\n Type: REG_DWORD\n Value: 0x00001000 (4096)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Remove \\\"Run as Different\n User\\\" from context menus\\\" to \\\"Enabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must\n be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\batfile\\shell\\runasuser') do\n it { should have_property 'SuppressionPolicy' }\n its('SuppressionPolicy') { should cmp 4096 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\cmdfile\\shell\\runasuser') do\n it { should have_property 'SuppressionPolicy' }\n its('SuppressionPolicy') { should cmp 4096 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser') do\n it { should have_property 'SuppressionPolicy' }\n its('SuppressionPolicy') { should cmp 4096 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\mscfile\\shell\\runasuser') do\n it { should have_property 'SuppressionPolicy' }\n its('SuppressionPolicy') { should cmp 4096 }\n end\n end\nend\n", + "code": "control 'V-72767' do\n title 'Bluetooth must be turned off when not in use.'\n desc \"If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. 
If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000220'\n tag gid: 'V-72767'\n tag rid: 'SV-87405r1_rule'\n tag stig_id: 'WN10-00-000220'\n tag fix_id: 'F-79177r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA if the system does not have Bluetooth.\n\n Verify the organization has a policy to turn off Bluetooth when not in use and\n personnel are trained. If it does not, this is a finding.\"\n desc \"fix\", \"Turn off Bluetooth radios when not in use. Establish an\n organizational policy for the use of Bluetooth to include training of\n personnel.\"\n\n if sys_info.manufacturer != 'VMware, Inc.'\n describe 'Turn off Bluetooth radios when not in use. Establish an organizational policy for the use of Bluetooth to include training of personnel' do\n skip 'This is NA if the system does not have Bluetooth'\n end\n else\n impact 0.0\n describe 'This is a VDI System; This Control is NA.' do\n skip 'This is a VDI System; This Control is NA'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-72329.rb", + "ref": "./Windows 10 STIG/controls/V-72767.rb", "line": 3 }, - "id": "V-72329" + "id": "V-72767" }, { - "title": "The built-in guest account must be disabled.", - "desc": "A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This account is a known account that exists on all\n Windows systems and cannot be deleted. 
This account is initialized during the\n installation of the operating system with no password assigned.", + "title": "Run as different user must be removed from context menus.", + "desc": "The \"Run as different user\" selection from context menus allows the\n use of credentials other than the currently logged on user. Using privileged\n credentials in a standard user session can expose those credentials to theft.\n Removing this option from context menus helps prevent this from occurring.", "descriptions": { - "default": "A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This account is a known account that exists on all\n Windows systems and cannot be deleted. This account is initialized during the\n installation of the operating system with no password assigned.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Guest account status\" is not set to \"Disabled\",\n this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Guest account status\" to \"Disabled\"." + "default": "The \"Run as different user\" selection from context menus allows the\n use of credentials other than the currently logged on user. 
Using privileged\n credentials in a standard user session can expose those credentials to theft.\n Removing this option from context menus helps prevent this from occurring.", + "check": "If the following registry values do not exist or are not\n configured as specified, this is a finding.\n The policy configures the same Value Name, Type and Value under four different\n registry paths.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Paths:\n \\SOFTWARE\\Classes\\batfile\\shell unasuser\\\n \\SOFTWARE\\Classes\\cmdfile\\shell unasuser\\\n \\SOFTWARE\\Classes\\exefile\\shell unasuser\\\n \\SOFTWARE\\Classes\\mscfile\\shell unasuser\\\n\n Value Name: SuppressionPolicy\n\n Type: REG_DWORD\n Value: 0x00001000 (4096)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Remove \"Run as Different\n User\" from context menus\" to \"Enabled\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must\n be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000010", - "gid": "V-63611", - "rid": "SV-78101r1_rule", - "stig_id": "WN10-SO-000010", - "fix_id": "F-69541r1_fix", + "gtitle": "WN10-CC-000039", + "gid": "V-72329", + "rid": "SV-86953r1_rule", + "stig_id": "WN10-CC-000039", + "fix_id": "F-78683r2_fix", "cci": [ - "CCI-000804" + "CCI-000381" ], "nist": [ - "IA-8", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
@@ -3354,35 +3371,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63611' do\n title 'The built-in guest account must be disabled.'\n desc \"A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This account is a known account that exists on all\n Windows systems and cannot be deleted. This account is initialized during the\n installation of the operating system with no password assigned.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000010'\n tag gid: 'V-63611'\n tag rid: 'SV-78101r1_rule'\n tag stig_id: 'WN10-SO-000010'\n tag fix_id: 'F-69541r1_fix'\n tag cci: ['CCI-000804']\n tag nist: %w[IA-8 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Guest account status\\\" is not set to \\\"Disabled\\\",\n this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Guest account status\\\" to \\\"Disabled\\\".\"\n\n describe security_policy do\n its('EnableGuestAccount') { should cmp 0 }\n end\nend\n", + "code": "control 'V-72329' do\n title 'Run as different user must be removed from context menus.'\n desc \"The \\\"Run as different user\\\" selection from context menus allows the\n use of credentials other than the currently logged on user. 
Using privileged\n credentials in a standard user session can expose those credentials to theft.\n Removing this option from context menus helps prevent this from occurring.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000039'\n tag gid: 'V-72329'\n tag rid: 'SV-86953r1_rule'\n tag stig_id: 'WN10-CC-000039'\n tag fix_id: 'F-78683r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry values do not exist or are not\n configured as specified, this is a finding.\n The policy configures the same Value Name, Type and Value under four different\n registry paths.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Paths:\n \\\\SOFTWARE\\\\Classes\\\\batfile\\\\shell\\\n unasuser\\\\\n \\\\SOFTWARE\\\\Classes\\\\cmdfile\\\\shell\\\n unasuser\\\\\n \\\\SOFTWARE\\\\Classes\\\\exefile\\\\shell\\\n unasuser\\\\\n \\\\SOFTWARE\\\\Classes\\\\mscfile\\\\shell\\\n unasuser\\\\\n\n Value Name: SuppressionPolicy\n\n Type: REG_DWORD\n Value: 0x00001000 (4096)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Remove \\\"Run as Different\n User\\\" from context menus\\\" to \\\"Enabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must\n be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\batfile\\shell\\runasuser') do\n it { should have_property 'SuppressionPolicy' }\n its('SuppressionPolicy') { should cmp 4096 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\cmdfile\\shell\\runasuser') do\n it { should have_property 'SuppressionPolicy' }\n its('SuppressionPolicy') { should cmp 4096 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser') do\n it { should have_property 'SuppressionPolicy' }\n its('SuppressionPolicy') { should cmp 4096 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\mscfile\\shell\\runasuser') do\n it { should have_property 'SuppressionPolicy' }\n its('SuppressionPolicy') { should cmp 4096 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63611.rb", + "ref": "./Windows 10 STIG/controls/V-72329.rb", "line": 3 }, - "id": "V-63611" + "id": "V-72329" }, { - "title": "The system must be configured to the required LDAP client signing\n level.", - "desc": "This setting controls the signing requirements for LDAP clients. This\n setting must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.", + "title": "The system must be configured to audit Logon/Logoff - Logon successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", "descriptions": { - "default": "This setting controls the signing requirements for LDAP clients. This\n setting must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LDAP\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: LDAP client signing requirements\" to \"Negotiate signing\"\n at a minimum." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. 
If it is to a network share, it is recorded on the system\n accessed.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logon - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000210", - "gid": "V-63803", - "rid": "SV-78293r1_rule", - "stig_id": "WN10-SO-000210", - "fix_id": "F-69731r1_fix", + "gtitle": "WN10-AU-000075", + "gid": "V-63467", + "rid": "SV-77957r1_rule", + "stig_id": "WN10-AU-000075", + "fix_id": "F-69395r1_fix", "cci": [ - "CCI-000366" + "CCI-000067", + "CCI-000172" ], "nist": [ - "CM-6 b", + "AC-17 (1)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
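Review bot: The `describe.one do ... end` wrapper around the four `registry_key` checks in the V-72329 code makes the control pass when any one of the batfile/cmdfile/exefile/mscfile keys carries `SuppressionPolicy` 4096, yet the check text requires all four paths to be configured, so a host with only one key set is reported compliant. Dropping the `describe.one do` and its matching `end` so the four `describe` blocks run as plain sibling tests makes every path mandatory. Separately, the `desc "check"` string renders the paths as `\SOFTWARE\Classes\batfile\shell unasuser\` — the `r` of `\runasuser` appears to have been lost to escape handling in the double-quoted Ruby string — while the `registry_key` calls correctly use `\shell\runasuser`; writing `shell\\runasuser` in the desc string restores the documented path.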
@@ -3396,35 +3415,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63803' do\n title \"The system must be configured to the required LDAP client signing\n level.\"\n desc \"This setting controls the signing requirements for LDAP clients. This\n setting must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000210'\n tag gid: 'V-63803'\n tag rid: 'SV-78293r1_rule'\n tag stig_id: 'WN10-SO-000210'\n tag fix_id: 'F-69731r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP\\\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: LDAP client signing requirements\\\" to \\\"Negotiate signing\\\"\n at a minimum.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LDAP') do\n it { should have_property 'LDAPClientIntegrity' }\n its('LDAPClientIntegrity') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63467' do\n title 'The system must be configured to audit Logon/Logoff - Logon successes.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well 
as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000075'\n tag gid: 'V-63467'\n tag rid: 'SV-77957r1_rule'\n tag stig_id: 'WN10-AU-000075'\n tag fix_id: 'F-69395r1_fix'\n tag cci: %w[CCI-000067 CCI-000172]\n tag nist: ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logon - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Logon\\\" with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63803.rb", + "ref": "./Windows 10 STIG/controls/V-63467.rb", "line": 3 }, - "id": "V-63803" + "id": "V-63467" }, { - "title": "Windows 10 must be configured to audit Object Access - Other Object\n Access Events failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.", + "title": "Downloading print driver packages over HTTP must be prevented.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. 
This setting\n prevents the computer from downloading print driver packages over HTTP.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\"Run as\n Administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> Other Object Access Events - Failure\n\n If the system does not audit the above, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit Other Object Access Events\" with\n \"Failure\" selected." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. 
This setting\n prevents the computer from downloading print driver packages over HTTP.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableWebPnPDownload\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> \"Turn off downloading of print drivers over\n HTTP\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000084", - "gid": "V-74409", - "rid": "SV-89083r1_rule", - "stig_id": "WN10-AU-000084", - "fix_id": "F-80951r4_fix", + "gtitle": "WN10-CC-000100", + "gid": "V-63615", + "rid": "SV-78105r1_rule", + "stig_id": "WN10-CC-000100", + "fix_id": "F-69545r1_fix", "cci": [ - "CCI-000172" + "CCI-000381" ], "nist": [ - "AU-12 c", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
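Review bot: The V-63467 test reads `audit_policy` `Logon` without documenting that its result is only meaningful when the subcategory-override option (WN10-SO-000030) named in the check text is enabled, so a reader of the code alone cannot tell why a `Success` value might still be ineffective on a host. Two comment lines above the `describe.one` would close that gap: `# Subcategory values only take effect when WN10-SO-000030 (force subcategory override) is enabled; that prerequisite is not checked here.` and `# 'Success' or 'Success and Failure' both satisfy "Success selected".` The V-63615 record that follows in this hunk carries only its descriptions and tags; its test code lies outside this hunk.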
@@ -3438,35 +3457,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74409' do\n title \"Windows 10 must be configured to audit Object Access - Other Object\n Access Events failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000084'\n tag gid: 'V-74409'\n tag rid: 'SV-89083r1_rule'\n tag stig_id: 'WN10-AU-000084'\n tag fix_id: 'F-80951r4_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\\\"Run as\n Administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> Other Object Access Events - Failure\n\n If the system does not audit the above, this is a finding.\"\n desc \"fix\", 
\"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\" with\n \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63615' do\n title 'Downloading print driver packages over HTTP must be prevented.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents the computer from downloading print driver packages over HTTP.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000100'\n tag gid: 'V-63615'\n tag rid: 'SV-78105r1_rule'\n tag stig_id: 'WN10-CC-000100'\n tag fix_id: 'F-69545r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableWebPnPDownload\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet 
Communication settings >> \\\"Turn off downloading of print drivers over\n HTTP\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers') do\n it { should have_property 'DisableWebPnPDownload' }\n its('DisableWebPnPDownload') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74409.rb", + "ref": "./Windows 10 STIG/controls/V-63615.rb", "line": 3 }, - "id": "V-74409" + "id": "V-63615" }, { - "title": "The Windows Remote Management (WinRM) service must not use Basic\n authentication.", - "desc": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", + "title": "The system must be configured to audit Privilege Use - Sensitive\n Privilege Use successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \"Act as part of the operating system\" or \"Debug\n programs\"", "descriptions": { - "default": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowBasic\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \"Allow Basic authentication\" to \"Disabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \"Act as part of the operating system\" or \"Debug\n programs\"", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Privilege Use >> Sensitive Privilege Use - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\" with\n \"Success\" selected." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-CC-000345", - "gid": "V-63347", - "rid": "SV-77837r1_rule", - "stig_id": "WN10-CC-000345", - "fix_id": "F-69265r1_fix", + "severity": "medium", + "gtitle": "WN10-AU-000115", + "gid": "V-63487", + "rid": "SV-77977r1_rule", + "stig_id": "WN10-AU-000115", + "fix_id": "F-69417r1_fix", "cci": [ - "CCI-000877" + "CCI-000172", + "CCI-002234" ], "nist": [ - "MA-4 c", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
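Review bot: The new side of this hunk swaps the whole V-74409 record for V-63615's rather than editing either, and the neighbouring hunks do the same for other controls, which suggests the `controls` array was re-serialised in a different order: every record shifts position and any genuine change to a control is buried under the reorder. If the generator can sort `controls` by `id` before writing the file, a diff would show only the controls that actually changed. I have not confirmed from this view that the removed records reappear elsewhere in the file, so this is an inference from the hunk pattern. The V-63615 `registry_key` test itself matches its check text (`DisableWebPnPDownload` = 1 under `Windows NT\Printers`).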
@@ -3480,35 +3501,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63347' do\n title \"The Windows Remote Management (WinRM) service must not use Basic\n authentication.\"\n desc \"Basic authentication uses plain text passwords that could be used to\n compromise a system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000345'\n tag gid: 'V-63347'\n tag rid: 'SV-77837r1_rule'\n tag stig_id: 'WN10-CC-000345'\n tag fix_id: 'F-69265r1_fix'\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowBasic\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \\\"Allow Basic authentication\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63487' do\n title \"The system must be configured to audit Privilege Use - Sensitive\n Privilege Use successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug\n programs\\\"\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000115'\n tag gid: 'V-63487'\n tag rid: 'SV-77977r1_rule'\n tag stig_id: 'WN10-AU-000115'\n tag fix_id: 'F-69417r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Privilege Use >> Sensitive Privilege Use - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63347.rb", + "ref": "./Windows 10 STIG/controls/V-63487.rb", "line": 3 }, - "id": "V-63347" + "id": "V-63487" }, { - "title": "Anonymous enumeration of shares must be restricted.", - "desc": "Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.", + "title": "The default autorun behavior must be configured to prevent autorun\n commands.", + "desc": "Allowing autorun commands to execute may introduce malicious code to a\n system. 
Configuring this setting prevents autorun commands from executing.", "descriptions": { - "default": "Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Do not allow anonymous enumeration of SAM accounts and\n shares\" to \"Enabled\"." + "default": "Allowing autorun commands to execute may introduce malicious code to a\n system. Configuring this setting prevents autorun commands from executing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: NoAutorun\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Set\n the default behavior for AutoRun\" to \"Enabled:Do not execute any autorun\n commands\"." }, "impact": 0.7, "refs": [], "tags": { "severity": "high", - "gtitle": "WN10-SO-000150", - "gid": "V-63749", - "rid": "SV-78239r1_rule", - "stig_id": "WN10-SO-000150", - "fix_id": "F-69677r1_fix", + "gtitle": "WN10-CC-000185", + "gid": "V-63671", + "rid": "SV-78161r1_rule", + "stig_id": "WN10-CC-000185", + "fix_id": "F-69599r1_fix", "cci": [ - "CCI-001090" + "CCI-001764" ], "nist": [ - "SC-4", + "CM-7 (2)", "Rev_4" ], "false_negatives": null, 
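Review bot: The V-63487 test accepts `Sensitive Privilege Use` as `Success` or `Success and Failure` through `describe.one`, which is correct for "Success selected", but nothing in the code records that intent or the dependence on the subcategory-override option (WN10-SO-000030) stated in the check text. A comment above the `describe.one`, `# Either value satisfies "Success selected"; subcategory settings are only honoured when WN10-SO-000030 is enabled, which is not checked here.`, would make that explicit. The V-63671 record later in this hunk holds only descriptions and tags; its test code lies outside this hunk.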
@@ -3522,30 +3543,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63749' do\n title 'Anonymous enumeration of shares must be restricted.'\n desc \"Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000150'\n tag gid: 'V-63749'\n tag rid: 'SV-78239r1_rule'\n tag stig_id: 'WN10-SO-000150'\n tag fix_id: 'F-69677r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Do not allow anonymous enumeration of SAM accounts and\n shares\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'RestrictAnonymous' }\n its('RestrictAnonymous') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63671' do\n title \"The default autorun behavior must be configured to prevent autorun\n commands.\"\n desc \"Allowing autorun commands to execute may introduce malicious code to a\n system. 
Configuring this setting prevents autorun commands from executing.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000185'\n tag gid: 'V-63671'\n tag rid: 'SV-78161r1_rule'\n tag stig_id: 'WN10-CC-000185'\n tag fix_id: 'F-69599r1_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: NoAutorun\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Set\n the default behavior for AutoRun\\\" to \\\"Enabled:Do not execute any autorun\n commands\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should have_property 'NoAutorun' }\n its('NoAutorun') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63749.rb", + "ref": "./Windows 10 STIG/controls/V-63671.rb", "line": 3 }, - "id": "V-63749" + "id": "V-63671" }, { - "title": "The maximum age for machine account passwords must be configured to 30\n days or less.", - "desc": "Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. 
This setting must be set to no more than 30 days, ensuring the\n machine changes its password monthly.", + "title": "Virtualization Based Security must be enabled on Windows 10 with the\n platform security level configured to Secure Boot or Secure Boot with DMA\n Protection.", + "desc": "Virtualization Based Security (VBS) provides the platform for the\n additional security features, Credential Guard and Virtualization based\n protection of code integrity. Secure Boot is the minimum security level with\n DMA protection providing additional memory protection. DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).", "descriptions": { - "default": "Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. This setting must be set to no more than 30 days, ensuring the\n machine changes its password monthly.", - "check": "This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, excluding 0)", - "fix": "This is the default configuration for this setting (30 days).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> \"Domain member:\n Maximum machine account password age\" to \"30\" or less (excluding 0 which is\n unacceptable)." + "default": "Virtualization Based Security (VBS) provides the platform for the\n additional security features, Credential Guard and Virtualization based\n protection of code integrity. Secure Boot is the minimum security level with\n DMA protection providing additional memory protection. 
DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).", + "check": "Confirm Virtualization Based Security is enabled and running with\n Secure Boot or Secure Boot and DMA Protection.\n\n For those devices that support virtualization based security (VBS) features,\n including Credential Guard or protection of code integrity, this must be\n enabled. If the system meets the hardware and firmware dependencies for\n enabling VBS but it is not enabled, this is a CAT III finding.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Run \"PowerShell\" with elevated privileges (run as administrator).\n\n Enter the following:\n\n \"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\"\n\n If \"RequiredSecurityProperties\" does not include a value of \"2\" indicating\n \"Secure Boot\" (e.g., \"{1, 2}\"), this is a finding.\n\n If \"Secure Boot and DMA Protection\" is configured, \"3\" will also be\n displayed in the results (e.g., \"{1, 2, 3}\").\n\n If \"VirtualizationBasedSecurityStatus\" is not a value of \"2\" indicating\n \"Running\", this is a finding.\n\n Alternately:\n\n Run \"System Information\".\n\n Under \"System Summary\", verify the following:\n\n If \"Device Guard Virtualization based security\" does not display \"Running\",\n this is finding.\n\n If \"Device Guard Required Security Properties\" does not display \"Base\n Virtualization Support, Secure Boot\", this is finding.\n\n If \"Secure Boot and DMA Protection\" is configured, \"DMA Protection\" will\n also be displayed (e.g., \"Base Virtualization Support, Secure Boot, DMA\n 
Protection\").\n\n The policy settings referenced in the Fix section will configure the following\n registry values. However due to hardware requirements, the registry values\n alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 1\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection)\n\n A Microsoft article on Credential Guard system requirement can be found at the\n following link:\n\n https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements\n\n NOTE: The severity level for the requirement will be upgraded to CAT II\n starting January 2020.", + "fix": "Virtualization based security, including Credential Guard,\n currently cannot be implemented in virtual desktop implementations (VDI) due to\n specific supporting requirements including a TPM, UEFI with Secure Boot, and\n the capability to run the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Device Guard >> \"Turn On Virtualization Based\n Security\" to \"Enabled\" with \"Secure Boot\" or \"Secure Boot and DMA\n Protection\" selected for \"Select Platform Security Level:\".\n\n A Microsoft article on Credential Guard system requirement can be found at the\n following link." 
},
 "impact": 0.3,
- "refs": [],
+ "refs": [
+ {
+ "ref": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements"
+ }
+ ],
 "tags": {
 "severity": "low",
- "gtitle": "WN10-SO-000055",
- "gid": "V-63661",
- "rid": "SV-78151r1_rule",
- "stig_id": "WN10-SO-000055",
- "fix_id": "F-69589r1_fix",
+ "gtitle": "WN10-CC-000070",
+ "gid": "V-63595",
+ "rid": "SV-78085r6_rule",
+ "stig_id": "WN10-CC-000070",
+ "fix_id": "F-74851r3_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -3564,35 +3589,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63661' do\n title \"The maximum age for machine account passwords must be configured to 30\n days or less.\"\n desc \"Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. This setting must be set to no more than 30 days, ensuring the\n machine changes its password monthly.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000055'\n tag gid: 'V-63661'\n tag rid: 'SV-78151r1_rule'\n tag stig_id: 'WN10-SO-000055'\n tag fix_id: 'F-69589r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, excluding 0)\"\n\n desc \"fix\", \"This is the default configuration for this setting (30 days).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> \\\"Domain member:\n Maximum machine account password age\\\" to \\\"30\\\" or less (excluding 0 which is\n unacceptable).\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'MaximumPasswordAge' }\n its('MaximumPasswordAge') { should be <= 30 }\n end\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n its('MaximumPasswordAge') { should be_positive }\n end\nend\n", + "code": "control 'V-63595' do\n title \"Virtualization Based Security must be enabled on Windows 10 with the\n platform security level configured to Secure Boot or Secure Boot with DMA\n Protection.\"\n desc \"Virtualization Based Security (VBS) provides the platform for the\n additional security features, Credential Guard and Virtualization based\n protection of code integrity. Secure Boot is the minimum security level with\n DMA protection providing additional memory protection. DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000070'\n tag gid: 'V-63595'\n tag rid: 'SV-78085r6_rule'\n tag stig_id: 'WN10-CC-000070'\n tag fix_id: 'F-74851r3_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Confirm Virtualization Based Security is enabled and running with\n Secure Boot or Secure Boot and DMA Protection.\n\n For those devices that support virtualization based security (VBS) features,\n including Credential Guard or protection of code integrity, this must be\n enabled. 
If the system meets the hardware and firmware dependencies for\n enabling VBS but it is not enabled, this is a CAT III finding.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Run \\\"PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter the following:\n\n \\\"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\"\n\n If \\\"RequiredSecurityProperties\\\" does not include a value of \\\"2\\\" indicating\n \\\"Secure Boot\\\" (e.g., \\\"{1, 2}\\\"), this is a finding.\n\n If \\\"Secure Boot and DMA Protection\\\" is configured, \\\"3\\\" will also be\n displayed in the results (e.g., \\\"{1, 2, 3}\\\").\n\n If \\\"VirtualizationBasedSecurityStatus\\\" is not a value of \\\"2\\\" indicating\n \\\"Running\\\", this is a finding.\n\n Alternately:\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", verify the following:\n\n If \\\"Device Guard Virtualization based security\\\" does not display \\\"Running\\\",\n this is finding.\n\n If \\\"Device Guard Required Security Properties\\\" does not display \\\"Base\n Virtualization Support, Secure Boot\\\", this is finding.\n\n If \\\"Secure Boot and DMA Protection\\\" is configured, \\\"DMA Protection\\\" will\n also be displayed (e.g., \\\"Base Virtualization Support, Secure Boot, DMA\n Protection\\\").\n\n The policy settings referenced in the Fix section will configure the following\n registry values. 
However due to hardware requirements, the registry values\n alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 1\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection)\n\n A Microsoft article on Credential Guard system requirement can be found at the\n following link:\n\n https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements\n\n NOTE: The severity level for the requirement will be upgraded to CAT II\n starting January 2020.\"\n\n desc \"fix\", \"Virtualization based security, including Credential Guard,\n currently cannot be implemented in virtual desktop implementations (VDI) due to\n specific supporting requirements including a TPM, UEFI with Secure Boot, and\n the capability to run the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Device Guard >> \\\"Turn On Virtualization Based\n Security\\\" to \\\"Enabled\\\" with \\\"Secure Boot\\\" or \\\"Secure Boot and DMA\n Protection\\\" selected for \\\"Select Platform Security Level:\\\".\n\n A Microsoft article on Credential Guard system requirement can be found at the\n following link.\"\n\n ref 'https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements'\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63595.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63595.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'EnableVirtualizationBasedSecurity' }\n its('EnableVirtualizationBasedSecurity') { should cmp 1 }\n end\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 3 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63661.rb", + "ref": "./Windows 10 STIG/controls/V-63595.rb", "line": 3 }, - "id": "V-63661" + "id": "V-63595" }, { - "title": "The system must be configured to use FIPS-compliant algorithms for\n encryption, hashing, and signing.", - "desc": "This setting ensures that the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. Government and must be the\n algorithms used for all OS encryption functions.", + "title": "Turning off File Explorer heap termination on corruption must be\n disabled.", + "desc": "Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.", "descriptions": { - "default": "This setting ensures that the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. 
Government and must be the\n algorithms used for all OS encryption functions.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy\\\n\n Value Name: Enabled\n\n Value Type: REG_DWORD\n Value: 1\n\n Warning: Clients with this setting enabled will not be able to communicate via\n digitally encrypted or signed protocols with servers that do not support these\n algorithms. Both the browser and web server must be configured to use TLS\n otherwise the browser will not be able to connect to a secure site.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"System\n cryptography: Use FIPS compliant algorithms for encryption, hashing, and\n signing\" to \"Enabled\"." + "default": "Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. 
Disabling this feature will prevent this.", + "check": "The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \"Turn off heap termination on corruption\" to \"Not Configured\"\n or \"Disabled\"." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-SO-000230", - "gid": "V-63811", - "rid": "SV-78301r1_rule", - "stig_id": "WN10-SO-000230", - "fix_id": "F-69739r1_fix", + "severity": "low", + "gtitle": "WN10-CC-000220", + "gid": "V-63691", + "rid": "SV-78181r3_rule", + "stig_id": "WN10-CC-000220", + "fix_id": "F-78109r3_fix", "cci": [ - "CCI-002450" + "CCI-002385" ], "nist": [ - "SC-13", + "SC-5", "Rev_4" ], "false_negatives": null, 
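Review bot: The NA branch in the new V-63595 code, `if sys_info.manufacturer == 'VMware, Inc.'`, treats every VMware guest as a non-persistent VDI and skips the control at impact 0.0, which is broader than the check text's own condition (NA only where the virtual desktop instance is deleted or refreshed at logoff); persistent VMware VMs are silently left unassessed while VDIs on other hypervisors are still evaluated. The describe blocks also verify only the `EnableVirtualizationBasedSecurity` and `RequirePlatformSecurityFeatures` policy values, although the check text states that the registry values alone do not ensure proper function and requires a `VirtualizationBasedSecurityStatus` of 2 (Running) from `Win32_DeviceGuard`. Gating the NA path on an explicit profile input (the baseline already uses `input(...)` elsewhere) and adding a `powershell` resource check of the running state would make the control match its check text. Since this JSON appears to be generated from `./Windows 10 STIG/controls/V-63595.rb`, the change presumably belongs there with the baseline regenerated; the input name below is a placeholder that would need to be declared with the profile's inputs.
```ruby
  # … unchanged: title, desc, impact, tags, desc "check", desc "fix", ref …

  # NA only for non-persistent VDI, as the check text states; a hypervisor
  # vendor string does not establish that. <VDI_INPUT_NAME> is a placeholder
  # for a profile input declared alongside the existing inputs.
  if input('<VDI_INPUT_NAME>') == 'true'
    impact 0.0
    describe 'This is a VDI System; This System is NA for Control V-63595.' do
      skip 'This is a VDI System; This System is NA for Control V-63595.'
    end
  else
    # … unchanged: EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry checks …

    # Policy values alone do not prove VBS is active; confirm the running
    # state the check text calls for (VirtualizationBasedSecurityStatus 2 = Running).
    describe powershell('(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).VirtualizationBasedSecurityStatus') do
      its('stdout.strip') { should cmp 2 }
    end
  end
```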
@@ -3606,35 +3631,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63811' do\n title \"The system must be configured to use FIPS-compliant algorithms for\n encryption, hashing, and signing.\"\n desc \"This setting ensures that the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. Government and must be the\n algorithms used for all OS encryption functions.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000230'\n tag gid: 'V-63811'\n tag rid: 'SV-78301r1_rule'\n tag stig_id: 'WN10-SO-000230'\n tag fix_id: 'F-69739r1_fix'\n tag cci: ['CCI-002450']\n tag nist: %w[SC-13 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\FIPSAlgorithmPolicy\\\\\n\n Value Name: Enabled\n\n Value Type: REG_DWORD\n Value: 1\n\n Warning: Clients with this setting enabled will not be able to communicate via\n digitally encrypted or signed protocols with servers that do not support these\n algorithms. 
Both the browser and web server must be configured to use TLS\n otherwise the browser will not be able to connect to a secure site.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"System\n cryptography: Use FIPS compliant algorithms for encryption, hashing, and\n signing\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy') do\n it { should have_property 'Enabled' }\n its('Enabled') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63691' do\n title \"Turning off File Explorer heap termination on corruption must be\n disabled.\"\n desc \"Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000220'\n tag gid: 'V-63691'\n tag rid: 'SV-78181r3_rule'\n tag stig_id: 'WN10-CC-000220'\n tag fix_id: 'F-78109r3_fix'\n tag cci: ['CCI-002385']\n tag nist: %w[SC-5 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does 
not exist)\"\n desc \"fix\", \"The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \\\"Turn off heap termination on corruption\\\" to \\\"Not Configured\\\"\n or \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should_not have_property 'NoHeapTerminationOnCorruption' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoHeapTerminationOnCorruption' }\n its('NoHeapTerminationOnCorruption') { should_not be 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoHeapTerminationOnCorruption' }\n its('NoHeapTerminationOnCorruption') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63811.rb", + "ref": "./Windows 10 STIG/controls/V-63691.rb", "line": 3 }, - "id": "V-63811" + "id": "V-63691" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for INFOPATH.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Solicited Remote Assistance must not be allowed.", + "desc": "Remote assistance allows another user to view or take control of the\n local session of a user. Solicited assistance is help that is specifically\n requested by the local user. 
This may allow unauthorized parties access to the\n resources on the computer.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name INFOPATH.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for INFOPATH.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Remote assistance allows another user to view or take control of the\n local session of a user. Solicited assistance is help that is specifically\n requested by the local user. This may allow unauthorized parties access to the\n resources on the computer.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fAllowToGetHelp\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Assistance >> \"Configure\n Solicited Remote Assistance\" to \"Disabled\"." 
},
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "severity": "medium",
- "gtitle": "WN10-EP-000150",
- "gid": "V-77221",
- "rid": "SV-91917r3_rule",
- "stig_id": "WN10-EP-000150",
- "fix_id": "F-84349r4_fix",
+ "severity": "high",
+ "gtitle": "WN10-CC-000155",
+ "gid": "V-63651",
+ "rid": "SV-78141r1_rule",
+ "stig_id": "WN10-CC-000155",
+ "fix_id": "F-69581r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001090"
 ],
 "nist": [
- "CM-6 b",
+ "SC-4",
 "Rev_4"
 ],
 "false_negatives": null,
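Review bot: In the new V-63691 code, the middle `describe.one` alternative uses `its('NoHeapTerminationOnCorruption') { should_not be 1 }`, which is an identity comparison against the Integer 1 and therefore accepts any other representation or value (a REG_SZ `"1"`, or a DWORD such as 2), whereas the check text allows only 0 or an absent value; the sibling blocks in the same hunk use `cmp`. Use `its('NoHeapTerminationOnCorruption') { should_not cmp 1 }` for consistency, or drop that block entirely since the third alternative (`should cmp 0`) already encodes the allowed value. If this baseline is generated from `./Windows 10 STIG/controls/V-63691.rb`, the fix belongs in that source control and the JSON should be regenerated.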
@@ -3648,35 +3673,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77221' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for INFOPATH.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000150'\n tag gid: 'V-77221'\n tag rid: 'SV-91917r3_rule'\n tag stig_id: 'WN10-EP-000150'\n tag fix_id: 'F-84349r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name INFOPATH.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for INFOPATH.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name INFOPATH.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft InfoPath' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name INFOPATH.EXE| Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft InfoPath' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name INFOPATH.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft InfoPath' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-63651' do\n title 'Solicited Remote Assistance must not be allowed.'\n desc \"Remote assistance allows another user to view or take control of the\n local session of a user. Solicited assistance is help that is specifically\n requested by the local user. 
This may allow unauthorized parties access to the\n resources on the computer.\"\n\n impact 0.7\n\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000155'\n tag gid: 'V-63651'\n tag rid: 'SV-78141r1_rule'\n tag stig_id: 'WN10-CC-000155'\n tag fix_id: 'F-69581r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fAllowToGetHelp\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Assistance >> \\\"Configure\n Solicited Remote Assistance\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'fAllowToGetHelp' }\n its('fAllowToGetHelp') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77221.rb", + "ref": "./Windows 10 STIG/controls/V-63651.rb", "line": 3 }, - "id": "V-77221" + "id": "V-63651" }, { - "title": "The System event log size must be configured to 32768 KB or greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "title": "The Act as part of the operating system user right must not be\n assigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Act as part of the operating system\" user right can\n assume the identity of any user and gain access to resources that user is\n authorized to access. Any accounts with this right can take complete control\n of a system.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", - "check": "If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", - "fix": "If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> Event Log Service >> System >> \"Specify the\n maximum log file size (KB)\" to \"Enabled\" with a \"Maximum Log Size (KB)\" of\n \"32768\" or greater." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Act as part of the operating system\" user right can\n assume the identity of any user and gain access to resources that user is\n authorized to access. 
Any accounts with this right can take complete control\n of a system.",
+ "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts (to include administrators), are granted the \"Act as\n part of the operating system\" user right, this is a finding.",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Act as part of the operating system\" to be defined but containing no entries\n (blank)."
 },
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "severity": "medium",
- "gtitle": "WN10-AU-000510",
- "gid": "V-63527",
- "rid": "SV-78017r1_rule",
- "stig_id": "WN10-AU-000510",
- "fix_id": "F-69457r1_fix",
+ "severity": "high",
+ "gtitle": "WN10-UR-000015",
+ "gid": "V-63847",
+ "rid": "SV-78337r1_rule",
+ "stig_id": "WN10-UR-000015",
+ "fix_id": "F-69775r1_fix",
 "cci": [
- "CCI-001849"
+ "CCI-002235"
 ],
 "nist": [
- "AU-4",
+ "AC-6 (10)",
 "Rev_4"
 ],
 "false_negatives": null,
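Review bot: Each of the three complete hunks here replaces one control's entry wholesale (V-77221 → V-63651 in this hunk, V-63527 → V-63847 and V-63365 → V-63861 in the next two), and nothing in the hunks shows whether the removed ids reappear elsewhere in the new file; the +25-line offset in the `@@` headers is consistent with a regenerated export in a different control order, but that is an inference. Before merging, confirm the removed ids are still present on the new side (for example `grep -c '"id": "V-77221"'` against both versions should give the same count) so a reorder is not masking a dropped control. If this file is produced by `inspec json`, emitting controls in a stable order (sorted by `id`) would keep future regenerations from rewriting whole entries and would make a genuinely removed control visible as a plain deletion. The replacement control's own test (`have_property 'fAllowToGetHelp'` followed by `cmp 0`) matches its check text.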
@@ -3690,35 +3715,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63527' do\n title 'The System event log size must be configured to 32768 KB or greater.'\n desc \"Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000510'\n tag gid: 'V-63527'\n tag rid: 'SV-78017r1_rule'\n tag stig_id: 'WN10-AU-000510'\n tag fix_id: 'F-69457r1_fix'\n tag cci: ['CCI-001849']\n tag nist: %w[AU-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\System\\\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n\n desc \"fix\", \"If the system is configured to send audit records directly to an\n audit server, this is NA. 
This must be documented with the ISSO.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> Event Log Service >> System >> \\\"Specify the\n maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum Log Size (KB)\\\" of\n \\\"32768\\\" or greater.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 32_768 }\n end\nend\n", + "code": "control 'V-63847' do\n title \"The Act as part of the operating system user right must not be\n assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Act as part of the operating system\\\" user right can\n assume the identity of any user and gain access to resources that user is\n authorized to access. Any accounts with this right can take complete control\n of a system.\"\n\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-UR-000015'\n tag gid: 'V-63847'\n tag rid: 'SV-78337r1_rule'\n tag stig_id: 'WN10-UR-000015'\n tag fix_id: 'F-69775r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts (to include administrators), are granted the \\\"Act as\n part of the operating system\\\" user right, this is a finding.\"\n desc \"fix\", 
\"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Act as part of the operating system\\\" to be defined but containing no entries\n (blank).\"\n\n describe security_policy do\n its('SeTcbPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63527.rb", + "ref": "./Windows 10 STIG/controls/V-63847.rb", "line": 3 }, - "id": "V-63527" + "id": "V-63847" }, { - "title": "Only authorized user accounts must be allowed to create or run virtual\n machines on Windows 10 systems.", - "desc": "Allowing other operating systems to run on a secure system may allow\n users to circumvent security. For Hyper-V, preventing unauthorized users from\n being assigned to the Hyper-V Administrators group will prevent them from\n accessing or creating virtual machines on the system. The Hyper-V Hypervisor is\n used by Virtualization Based Security features such as Credential Guard on\n Windows 10; however, it is not the full Hyper-V installation.", + "title": "The Create global objects user right must only be assigned to\n Administrators, Service, Local Service, and Network Service.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create global objects\" user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.", "descriptions": { - "default": "Allowing other operating systems to run on a secure system may allow\n users to circumvent security. For Hyper-V, preventing unauthorized users from\n being assigned to the Hyper-V Administrators group will prevent them from\n accessing or creating virtual machines on the system. 
The Hyper-V Hypervisor is\n used by Virtualization Based Security features such as Credential Guard on\n Windows 10; however, it is not the full Hyper-V installation.", - "check": "If a hosted hypervisor (Hyper-V, VMware Workstation, etc.) is\n installed on the system, verify only authorized user accounts are allowed to\n run virtual machines.\n\n For Hyper-V, Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Double click on \"Hyper-V Administrators\".\n\n If any unauthorized groups or user accounts are listed in \"Members:\", this is\n a finding.\n\n For hosted hypervisors other than Hyper-V, verify only authorized user accounts\n have access to run the virtual machines. Restrictions may be enforced by access\n to the physical system, software restriction policies, or access restrictions\n built in to the application.\n\n If any unauthorized groups or user accounts have access to create or run\n virtual machines, this is a finding.\n\n All users authorized to create or run virtual machines must be documented with\n the ISSM/ISSO. Accounts nested within group accounts must be documented as\n individual accounts and not the group accounts.", - "fix": "For Hyper-V, remove any unauthorized groups or user accounts from\n the \"Hyper-V Administrators\" group.\n\n For hosted hypervisors other than Hyper-V, restrict access to create or run\n virtual machines to authorized user accounts only." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create global objects\" user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.",
+ "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Create\n global objects\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create global objects\" to only include the following groups or accounts:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE"
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-00-000080",
- "gid": "V-63365",
- "rid": "SV-77855r3_rule",
- "stig_id": "WN10-00-000080",
- "fix_id": "F-100933r1_fix",
+ "gtitle": "WN10-UR-000050",
+ "gid": "V-63861",
+ "rid": "SV-78351r1_rule",
+ "stig_id": "WN10-UR-000050",
+ "fix_id": "F-69789r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-002235"
 ],
 "nist": [
- "CM-7 a",
+ "AC-6 (10)",
 "Rev_4"
 ],
 "false_negatives": null,
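Review bot: The new `"title"` value `"The Act as part of the operating system user right must not be\n assigned to any groups or accounts."` carries a line break and the source file's indentation into the JSON, and the same happens for V-63861's title in the next hunk, while V-63651 above has a clean single-line title; a consumer that renders titles verbatim will show the break. The cause is the multi-line double-quoted `title` string in `./Windows 10 STIG/controls/V-63847.rb`, so the fix belongs there (a single-line `title '...'`) followed by regeneration, not in this JSON. Separately, `its('SeTcbPrivilege') { should eq [] }` presumably fails when the privilege line is absent from the exported policy (the resource would then return nil rather than an empty array), which is the intended outcome for a STIG that requires the right to be defined but blank, but a comment in the source such as `# must be defined and empty; an undefined right (nil) is also a finding` would make that explicit.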
@@ -3732,30 +3757,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63365' do\n title \"Only authorized user accounts must be allowed to create or run virtual\n machines on Windows 10 systems.\"\n desc \"Allowing other operating systems to run on a secure system may allow\n users to circumvent security. For Hyper-V, preventing unauthorized users from\n being assigned to the Hyper-V Administrators group will prevent them from\n accessing or creating virtual machines on the system. The Hyper-V Hypervisor is\n used by Virtualization Based Security features such as Credential Guard on\n Windows 10; however, it is not the full Hyper-V installation.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000080'\n tag gid: 'V-63365'\n tag rid: 'SV-77855r3_rule'\n tag stig_id: 'WN10-00-000080'\n tag fix_id: 'F-100933r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If a hosted hypervisor (Hyper-V, VMware Workstation, etc.) is\n installed on the system, verify only authorized user accounts are allowed to\n run virtual machines.\n\n For Hyper-V, Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Double click on \\\"Hyper-V Administrators\\\".\n\n If any unauthorized groups or user accounts are listed in \\\"Members:\\\", this is\n a finding.\n\n For hosted hypervisors other than Hyper-V, verify only authorized user accounts\n have access to run the virtual machines. 
Restrictions may be enforced by access\n to the physical system, software restriction policies, or access restrictions\n built in to the application.\n\n If any unauthorized groups or user accounts have access to create or run\n virtual machines, this is a finding.\n\n All users authorized to create or run virtual machines must be documented with\n the ISSM/ISSO. Accounts nested within group accounts must be documented as\n individual accounts and not the group accounts.\"\n\n desc \"fix\", \"For Hyper-V, remove any unauthorized groups or user accounts from\n the \\\"Hyper-V Administrators\\\" group.\n\n For hosted hypervisors other than Hyper-V, restrict access to create or run\n virtual machines to authorized user accounts only.\"\n\n hyper_v_administrator_group = command(\"net localgroup Hyper-V Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n\n hyper_v_administrator_group.each do |user|\n describe user.to_s do\n it { should be_in input('hyper_v_admin') }\n end\n end\n if hyper_v_administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n end\nend\n", + "code": "control 'V-63861' do\n title \"The Create global objects user right must only be assigned to\n Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Create global objects\\\" user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000050'\n tag gid: 'V-63861'\n tag rid: 'SV-78351r1_rule'\n tag stig_id: 'WN10-UR-000050'\n tag fix_id: 'F-69789r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n 
tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Create\n global objects\\\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create global objects\\\" to only include the following groups or accounts:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE\"\n\n describe security_policy do\n its('SeCreateGlobalPrivilege') { should be_in ['S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63365.rb", + "ref": "./Windows 10 STIG/controls/V-63861.rb", "line": 3 }, - "id": "V-63365" + "id": "V-63861" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "If Enhanced diagnostic data is enabled it must be limited to the\n minimum required to support Windows Analytics.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \"Enhanced\" level for telemetry includes\n additional information beyond \"Security\" and \"Basic\" on how Windows and\n apps are used and advanced reliability data. Windows Analytics can use a\n \"limited enhanced\" level to provide information such as health data for\n devices.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name AcroRd32.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for AcroRd32.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \"Enhanced\" level for telemetry includes\n additional information beyond \"Security\" and \"Basic\" on how Windows and\n apps are used and advanced reliability data. Windows Analytics can use a\n \"limited enhanced\" level to provide information such as health data for\n devices.", + "check": "This setting requires v1709 or later of Windows 10; it is NA for\n prior versions.\n\n If \"Enhanced\" level is enabled for telemetry, this must be configured. If\n \"Security\" or \"Basic\" are configured, this is NA. 
(See V-63683).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\\n\n Value Name: LimitEnhancedDiagnosticDataWindowsAnalytics\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
+ "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds >> \"Limit Enhanced diagnostic data to the minimum required by Windows\n Analytics\" to \"Enabled\" with \"Enable Windows Analytics collection\"\n selected in \"Options:\"."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-EP-000080",
- "gid": "V-77191",
- "rid": "SV-91887r3_rule",
- "stig_id": "WN10-EP-000080",
- "fix_id": "F-84329r4_fix",
+ "gtitle": "WN10-CC-000204",
+ "gid": "V-82145",
+ "rid": "SV-96859r1_rule",
+ "stig_id": "WN10-CC-000204",
+ "fix_id": "F-88997r2_fix",
 "cci": [
 "CCI-000366"
 ],
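Review bot: The SID list in the new V-63861 code, `its('SeCreateGlobalPrivilege') { should be_in ['S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'] }`, is the only place the allowed principals appear and nothing ties the four SIDs back to the names the check text lists; a comment in `./Windows 10 STIG/controls/V-63861.rb` such as `# S-1-5-32-544 Administrators, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE, S-1-5-6 SERVICE` would let a reviewer verify the mapping without looking the SIDs up. Note that `be_in` passes vacuously when the right is assigned to nobody, which is consistent with the check wording ("any groups or accounts other than the following"), so no code change is needed there. As a style nit, the embedded code has a whitespace-only line (`\n \n`) between the check and fix descriptions that a trailing-whitespace lint on the source would catch.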
@@ -3774,35 +3799,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77191' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000080'\n tag gid: 'V-77191'\n tag rid: 'SV-91887r3_rule'\n tag stig_id: 'WN10-EP-000080'\n tag fix_id: 'F-84329r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name AcroRd32.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for AcroRd32.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name AcroRd32.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Adobe Reader' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n\n aslr = json( command: 'Get-ProcessMitigation -Name AcroRd32.exe | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Adobe Reader' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n\n payload = json( command: 'Get-ProcessMitigation -Name AcroRd32.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Adobe Reader' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-82145' do\n title \"If Enhanced diagnostic data is enabled it must be limited to the\n minimum required to support Windows Analytics.\"\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. 
The \\\"Enhanced\\\" level for telemetry includes\n additional information beyond \\\"Security\\\" and \\\"Basic\\\" on how Windows and\n apps are used and advanced reliability data. Windows Analytics can use a\n \\\"limited enhanced\\\" level to provide information such as health data for\n devices.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000204'\n tag gid: 'V-82145'\n tag rid: 'SV-96859r1_rule'\n tag stig_id: 'WN10-CC-000204'\n tag fix_id: 'F-88997r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This setting requires v1709 or later of Windows 10; it is NA for\n prior versions.\n\n If \\\"Enhanced\\\" level is enabled for telemetry, this must be configured. If\n \\\"Security\\\" or \\\"Basic\\\" are configured, this is NA. 
(See V-63683).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection\\\\\n\n Value Name: LimitEnhancedDiagnosticDataWindowsAnalytics\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds >> \\\"Limit Enhanced diagnostic data to the minimum required by Windows\n Analytics\\\" to \\\"Enabled\\\" with \\\"Enable Windows Analytics collection\\\"\n selected in \\\"Options:\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1709'\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'LimitEnhancedDiagnosticDataWindowsAnalytics' }\n its('LimitEnhancedDiagnosticDataWindowsAnalytics') { should cmp 1 }\n end\n else\n impact 0.0\n describe 'This setting is applicable starting with v1709 or later of Windows 10; it is NA for prior versions' do\n skip 'This setting is applicable starting with v1709 or later of Windows 10; it is NA for prior versions.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77191.rb", + "ref": "./Windows 10 STIG/controls/V-82145.rb", "line": 3 }, - "id": "V-77191" + "id": "V-82145" }, { - "title": "The system must be configured to audit Policy Change - Audit Policy\n Change successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", + "title": "OneDrive must only allow synchronizing of accounts for DoD\n organization instances.", + "desc": "OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances if enabled. Configuring this setting\n will restrict synchronizing of OneDrive accounts to DoD organization instances.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Policy Change >> Audit Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \"Audit Audit Policy Change\" with\n \"Success\" selected." + "default": "OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances if enabled. Configuring this setting\n will restrict synchronizing of OneDrive accounts to DoD organization instances.", + "check": "If the organization is using a DoD instance of OneDrive, verify\n synchronizing is only allowed to the organization's DoD instance.\n\n If the organization does not have an instance of OneDrive, verify this is\n configured with the noted dummy entry to prevent synchronizing with other\n instances.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\OneDrive\\AllowTenantList\\\n\n Value Name: Organization's Tenant GUID\n\n Value Type: REG_SZ\n Value: Organization's Tenant GUID\n\n If the organization does not have an instance of OneDrive the Value Name and\n Value must be 1111-2222-3333-4444, if not this is a finding.", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> OneDrive >> \"Allow syncing OneDrive accounts for\n only specific organizations\", with the Tenant GUID of the organization's DoD\n instance in the format 1111-2222-3333-4444.\n\n If the organization does not have an instance of OneDrive, configure the Tenant\n GUID with \"1111-2222-3333-4444\".\n\n Group policy files for OneDrive are located on a system with OneDrive in\n \"%localappdata%\\Microsoft\\OneDrive\\BuildNumber\\adm\\\".\n\n Copy the OneDrive.admx and .adml files to the 
\\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-AU-000100",
- "gid": "V-63479",
- "rid": "SV-77969r2_rule",
- "stig_id": "WN10-AU-000100",
- "fix_id": "F-69409r2_fix",
+ "gtitle": "WN10-CC-000360",
+ "gid": "V-88203",
+ "rid": "SV-98853r2_rule",
+ "stig_id": "WN10-CC-000360",
+ "fix_id": "F-94945r4_fix",
 "cci": [
- "CCI-000172"
+ "CCI-000366"
 ],
 "nist": [
- "AU-12 c",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
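Review bot: The new V-82145 code requires LimitEnhancedDiagnosticDataWindowsAnalytics to be 1 on every v1709-or-later host, but its own check text makes the control NA when the telemetry level is "Security" or "Basic" (see V-63683), so hosts configured at those levels are reported as failing instead of skipped. Gating the describe on the AllowTelemetry value under the same DataCollection policy key (2 = Enhanced), and keeping the control applicable when that value is not set by policy, would bring the code in line with the check text; a sketch follows. Separately, `ReleaseId >= '1709'` is a string comparison and, if the property is absent, presumably raises rather than falling into the NA branch; `ReleaseId.to_s >= '1709'` keeps it a skip.

```ruby
# … unchanged: control header, title, desc, tags, desc 'check' / 'fix' …
if registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId.to_s >= '1709'
  data_collection = registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection')
  telemetry_level = data_collection.AllowTelemetry
  # An unset policy does not establish a Security/Basic level, so the control stays applicable.
  if telemetry_level.nil? || telemetry_level.to_i >= 2
    describe data_collection do
      it { should have_property 'LimitEnhancedDiagnosticDataWindowsAnalytics' }
      its('LimitEnhancedDiagnosticDataWindowsAnalytics') { should cmp 1 }
    end
  else
    impact 0.0
    describe 'Telemetry level is Security or Basic; this control is NA (see V-63683).' do
      skip 'Telemetry level is Security or Basic; this control is NA (see V-63683).'
    end
  end
else
  # … unchanged: pre-1709 NA skip …
end
```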
@@ -3816,35 +3841,39 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63479' do\n title \"The system must be configured to audit Policy Change - Audit Policy\n Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000100'\n tag gid: 'V-63479'\n tag rid: 'SV-77969r2_rule'\n tag stig_id: 'WN10-AU-000100'\n tag fix_id: 'F-69409r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Policy Change >> Audit Policy Change - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \\\"Audit Audit Policy Change\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-88203' do\n title \"OneDrive must only allow synchronizing of accounts for DoD\n organization instances.\"\n desc \"OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances if enabled. Configuring this setting\n will restrict synchronizing of OneDrive accounts to DoD organization instances.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000360'\n tag gid: 'V-88203'\n tag rid: 'SV-98853r2_rule'\n tag stig_id: 'WN10-CC-000360'\n tag fix_id: 'F-94945r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the organization is using a DoD instance of OneDrive, verify\n synchronizing is only allowed to the organization's DoD instance.\n\n If the organization does not have an instance of OneDrive, verify this is\n configured with the noted dummy entry to prevent synchronizing with other\n instances.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: 
\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\OneDrive\\\\AllowTenantList\\\\\n\n Value Name: Organization's Tenant GUID\n\n Value Type: REG_SZ\n Value: Organization's Tenant GUID\n\n If the organization does not have an instance of OneDrive the Value Name and\n Value must be 1111-2222-3333-4444, if not this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> OneDrive >> \\\"Allow syncing OneDrive accounts for\n only specific organizations\\\", with the Tenant GUID of the organization's DoD\n instance in the format 1111-2222-3333-4444.\n\n If the organization does not have an instance of OneDrive, configure the Tenant\n GUID with \\\"1111-2222-3333-4444\\\".\n\n Group policy files for OneDrive are located on a system with OneDrive in\n \\\"%localappdata%\\\\Microsoft\\\\OneDrive\\\\BuildNumber\\\\adm\\\\\\\".\n\n Copy the OneDrive.admx and .adml files to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n \n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive\\AllowTenantList') do\n it { should have_property input('onedrive_tenant_guid') }\n its(input('onedrive_tenant_guid')) { should cmp input('onedrive_tenant_guid') }\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63479.rb", + "ref": "./Windows 10 STIG/controls/V-88203.rb", "line": 3 }, - "id": "V-63479" + "id": "V-88203" }, { - "title": "The Application Compatibility Program Inventory must be prevented from\n collecting data and sending the information to Microsoft.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. 
This setting\n will prevent the Program Inventory from collecting data about a system and\n sending the information to Microsoft.", + "title": "The operating system must employ a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs.", + "desc": "Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n will prevent the Program Inventory from collecting data about a system and\n sending the information to Microsoft.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\\\n\n Value Name: DisableInventory\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Application Compatibility >>\n \"Turn off Inventory Collector\" to \"Enabled\"." + "default": "Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. 
Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.", + "check": "This is applicable to unclassified systems; for other systems\n this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to\n allow the execution of authorized software programs. This must include packaged\n apps such as the universals apps installed by default on systems.\n\n If an application whitelisting program is not in use on the system, this is a\n finding.\n\n Configuration of whitelisting applications will vary by the program.\n\n AppLocker is a whitelisting application built into Windows 10 Enterprise. A\n deny-by-default implementation is initiated by enabling any AppLocker rules\n within a category, only allowing what is specified by defined rules.\n\n If AppLocker is used, perform the following to view the configuration of\n AppLocker:\n Run \"PowerShell\".\n\n Execute the following command, substituting [c:\\temp\\file.xml] with a\n location and file name appropriate for the system:\n Get-AppLockerPolicy -Effective -XML > c:\\temp\\file.xml\n\n This will produce an xml file with the effective settings that can be viewed in\n a browser or opened in a program such as Excel for review.\n\n Implementation guidance for AppLocker is available in the NSA paper\n \"Application Whitelisting using Microsoft AppLocker\" at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "fix": "Configure an application whitelisting program to employ a deny-all,\n permit-by-exception policy to allow the execution of authorized software\n programs.\n\n Configuration of 
whitelisting applications will vary by the program. AppLocker\n is a whitelisting application built into Windows 10 Enterprise.\n\n If AppLocker is used, it is configured through group policy in Computer\n Configuration >> Windows Settings >> Security Settings >> Application Control\n Policies >> AppLocker.\n\n Implementation guidance for AppLocker is available in the NSA paper\n \"Application Whitelisting using Microsoft AppLocker\" at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
 },
- "impact": 0.3,
- "refs": [],
+ "impact": 0.5,
+ "refs": [
+ {
+ "ref": "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
+ }
+ ],
 "tags": {
- "severity": "low",
- "gtitle": "WN10-CC-000175",
- "gid": "V-63663",
- "rid": "SV-78153r1_rule",
- "stig_id": "WN10-CC-000175",
- "fix_id": "F-69591r1_fix",
+ "severity": "medium",
+ "gtitle": "WN10-00-000035",
+ "gid": "V-63345",
+ "rid": "SV-77835r3_rule",
+ "stig_id": "WN10-00-000035",
+ "fix_id": "F-69267r3_fix",
 "cci": [
- "CCI-000381"
+ "CCI-001774"
 ],
 "nist": [
- "CM-7 a",
+ "CM-7 (5) (b)",
 "Rev_4"
 ],
 "false_negatives": null,
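Review bot: The new V-88203 code only asserts that the value named by `input('onedrive_tenant_guid')` exists under AllowTenantList, so any additional tenant entries in that key still pass even though the check text requires synchronizing to be allowed only to the organization's instance; if the registry_key resource exposes the key's full value list, asserting it holds exactly that one entry would close the gap, otherwise a comment in the control should say that extra tenants are not detected. Nothing in the code gives the input a default, so a run without `onedrive_tenant_guid` defined presumably errors in the describe rather than producing the dummy-entry finding the check text describes; declaring the input with the `1111-2222-3333-4444` default from the fix text would cover that case. Style: the code string carries a whitespace-only line before the `describe` and, unlike the neighbouring controls, no trailing newline after the final `end`. The `refs` entry added for V-63345 later in the hunk points at an iad.gov URL that may no longer resolve and is worth confirming.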
@@ -3858,35 +3887,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63663' do\n title \"The Application Compatibility Program Inventory must be prevented from\n collecting data and sending the information to Microsoft.\"\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n will prevent the Program Inventory from collecting data about a system and\n sending the information to Microsoft.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000175'\n tag gid: 'V-63663'\n tag rid: 'SV-78153r1_rule'\n tag stig_id: 'WN10-CC-000175'\n tag fix_id: 'F-69591r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat\\\\\n\n Value Name: DisableInventory\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Application Compatibility >>\n \\\"Turn off Inventory Collector\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat') do\n it { should have_property 'DisableInventory' }\n its('DisableInventory') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63345' do\n title \"The operating system 
must employ a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs.\"\n desc \"Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000035'\n tag gid: 'V-63345'\n tag rid: 'SV-77835r3_rule'\n tag stig_id: 'WN10-00-000035'\n tag fix_id: 'F-69267r3_fix'\n tag cci: ['CCI-001774']\n tag nist: ['CM-7 (5) (b)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems; for other systems\n this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to\n allow the execution of authorized software programs. This must include packaged\n apps such as the universals apps installed by default on systems.\n\n If an application whitelisting program is not in use on the system, this is a\n finding.\n\n Configuration of whitelisting applications will vary by the program.\n\n AppLocker is a whitelisting application built into Windows 10 Enterprise. 
A\n deny-by-default implementation is initiated by enabling any AppLocker rules\n within a category, only allowing what is specified by defined rules.\n\n If AppLocker is used, perform the following to view the configuration of\n AppLocker:\n Run \\\"PowerShell\\\".\n\n Execute the following command, substituting [c:\\\\temp\\\\file.xml] with a\n location and file name appropriate for the system:\n Get-AppLockerPolicy -Effective -XML > c:\\\\temp\\\\file.xml\n\n This will produce an xml file with the effective settings that can be viewed in\n a browser or opened in a program such as Excel for review.\n\n Implementation guidance for AppLocker is available in the NSA paper\n \\\"Application Whitelisting using Microsoft AppLocker\\\" at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n\n desc 'fix', \"Configure an application whitelisting program to employ a deny-all,\n permit-by-exception policy to allow the execution of authorized software\n programs.\n\n Configuration of whitelisting applications will vary by the program. AppLocker\n is a whitelisting application built into Windows 10 Enterprise.\n\n If AppLocker is used, it is configured through group policy in Computer\n Configuration >> Windows Settings >> Security Settings >> Application Control\n Policies >> AppLocker.\n\n Implementation guidance for AppLocker is available in the NSA paper\n \\\"Application Whitelisting using Microsoft AppLocker\\\" at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n\n ref 'https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm'\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe 'A manual review is required to ensure the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs' do\n skip 'A manual review is required to ensure the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63663.rb", + "ref": "./Windows 10 STIG/controls/V-63345.rb", "line": 3 }, - "id": "V-63663" + "id": "V-63345" }, { - "title": "The Force shutdown from a remote system user right must only be\n assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Force shutdown from a remote system\" user right can\n remotely shut down a system which could result in a DoS.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for plugin-container.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Force shutdown from a remote system\" user right can\n remotely shut down a system which could result in a DoS.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Force\n shutdown from a remote system\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Force shutdown from a remote system\" to only include the following groups or\n accounts:\n\n Administrators" + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name plugin-container.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for\n plugin-container.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-UR-000100",
- "gid": "V-63883",
- "rid": "SV-78373r1_rule",
- "stig_id": "WN10-UR-000100",
- "fix_id": "F-69811r1_fix",
+ "gtitle": "WN10-EP-000230",
+ "gid": "V-77245",
+ "rid": "SV-91941r3_rule",
+ "stig_id": "WN10-EP-000230",
+ "fix_id": "F-84365r4_fix",
 "cci": [
- "CCI-002235"
+ "CCI-000366"
 ],
 "nist": [
- "AC-6 (10)",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
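Review bot: `if input('sensitive_system') == 'true'` in the new V-63345 code recognises only the string 'true', so a profile that declares the input as a boolean silently lands in the manual-review branch instead of marking the control NA; `if [true, 'true'].include?(input('sensitive_system'))` accepts both forms. Both branches end in a skip, which is appropriate for a manual control, but the skip message could tell the reviewer what to confirm, e.g. `skip 'Manual review: confirm an application whitelisting program such as AppLocker enforces deny-all, permit-by-exception (see check text).'`. The V-77245 metadata at the end of the hunk is consistent; its code entry starts past the hunk boundary.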
@@ -3900,35 +3929,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63883' do\n title \"The Force shutdown from a remote system user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Force shutdown from a remote system\\\" user right can\n remotely shut down a system which could result in a DoS.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000100'\n tag gid: 'V-63883'\n tag rid: 'SV-78373r1_rule'\n tag stig_id: 'WN10-UR-000100'\n tag fix_id: 'F-69811r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Force\n shutdown from a remote system\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Force shutdown from a remote system\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeRemoteShutdownPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-77245' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for plugin-container.exe.'\n desc \"Exploit protection in Windows 
10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000230'\n tag gid: 'V-77245'\n tag rid: 'SV-91941r3_rule'\n tag stig_id: 'WN10-EP-000230'\n tag fix_id: 'F-84365r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name plugin-container.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for\n plugin-container.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name plugin-container.exe | Select DEP | ConvertTo-Json').params\n describe 'DEP is required to be Enabled on Plugin-Container' do\n subject { dep }\n its(['Enable']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name plugin-container.exe | Select Payload | ConvertTo-Json').params\n describe 'Payload Enable Export Address Filter, Payload Enable Export Address Filter Plus, EnableImportAddressFilter, EnableRopStackPivot, EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Plugin-Container' do\n subject { payload }\n its(['EnableExportAddressFilter']) { should_not eq '2' }\n its(['EnableExportAddressFilterPlus']) { should_not eq '2' }\n its(['EnableImportAddressFilter']) { should_not eq '2' }\n its(['EnableRopStackPivot']) { should_not eq '2' }\n its(['EnableRopCallerCheck']) { should_not eq '2' }\n its(['EnableRopSimExec']) { should_not eq '2' }\n end \n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63883.rb", + "ref": "./Windows 10 STIG/controls/V-77245.rb", "line": 3 }, - "id": "V-63883" + "id": "V-77245" }, { - "title": "The system must notify the user when a Bluetooth device attempts to connect.", - "desc": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised", + "title": "Windows 10 must be configured to audit Object Access - File Share successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.", "descriptions": { - "default": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised", - "check": "This is NA if the system does not have Bluetooth.\n\n Search for \"Bluetooth\".\n View Bluetooth Settings.\n Select \"More Bluetooth Options\"\n If \"Alert me when a new Bluetooth device wants to connect\" is not checked,\n this is a finding.", - "fix": "Configure Bluetooth to notify users if devices attempt to connect.\n View Bluetooth Settings.\n Ensure \"Alert me when a new Bluetooth device wants to connect\" is checked." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\"Run as\n Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> File Share - Success\n\n If the system does not audit the above, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit File Share\" with \"Success\"\n selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000230", - "gid": "V-72769", - "rid": "SV-87407r1_rule", - "stig_id": "WN10-00-000230", - "fix_id": "F-79179r1_fix", + "gtitle": "WN10-AU-000082", + "gid": "V-74721", + "rid": "SV-89395r1_rule", + "stig_id": "WN10-AU-000082", + "fix_id": "F-81335r3_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
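Review bot: The eight mitigation assertions in the new `code` string for V-77245 use strict `eq` against the string `'2'` (`its(['Enable']) { should_not eq '2' }`), but if `ConvertTo-Json` emits the mitigation enum as a number (its default for enum properties) the parsed value is the Integer 2 and `should_not eq '2'` passes regardless of the actual setting; each of the DEP and six Payload matchers should read `its(['Enable']) { should_not cmp 2 }`, or better assert the ON value the STIG check text demands. The guard `if input('sensitive_system') == 'true' || nil` carries a no-op `|| nil` that reads as a leftover — drop it or spell out the intended nil handling. The describe label `... are required to be false on Plugin-Container` contradicts the check text, which requires these mitigations `ON`; suggest `... are required to be ON on Plugin-Container`. `ReleaseId < '1709'` is a lexical string comparison that would raise if the value were absent, which deserves either a guard or a comment stating the assumption that ReleaseId is always a four-digit string.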
@@ -3942,37 +3971,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-72769' do\n title 'The system must notify the user when a Bluetooth device attempts to connect.'\n desc \"If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000230'\n tag gid: 'V-72769'\n tag rid: 'SV-87407r1_rule'\n tag stig_id: 'WN10-00-000230'\n tag fix_id: 'F-79179r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA if the system does not have Bluetooth.\n\n Search for \\\"Bluetooth\\\".\n View Bluetooth Settings.\n Select \\\"More Bluetooth Options\\\"\n If \\\"Alert me when a new Bluetooth device wants to connect\\\" is not checked,\n this is a finding.\"\n desc \"fix\", \"Configure Bluetooth to notify users if devices attempt to connect.\n View Bluetooth Settings.\n Ensure \\\"Alert me when a new Bluetooth device wants to connect\\\" is checked.\"\n\n if sys_info.manufacturer != 'VMware, Inc.'\n describe 'Configure Bluetooth to notify users if devices attempt to connect.\n View Bluetooth Settings. Ensure \"Alert me when a new Bluetooth device \n wants to connect\" is checked' do\n skip 'This is NA if the system does not have Bluetooth'\n end\n else\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-72769.' 
do\n skip 'This is a VDI System; This System is NA for Control V-72769.'\n end\n end\nend\n", + "code": "control 'V-74721' do\n title 'Windows 10 must be configured to audit Object Access - File Share successes.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000082'\n tag gid: 'V-74721'\n tag rid: 'SV-89395r1_rule'\n tag stig_id: 'WN10-AU-000082'\n tag fix_id: 'F-81335r3_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\\\"Run as\n Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> File Share - Success\n\n If the system does not audit the above, this is a finding.\"\n desc \"fix\", \"Configure the 
policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit File Share\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('File Share') { should eq 'Success' }\n end\n describe audit_policy do\n its('File Share') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-72769.rb", + "ref": "./Windows 10 STIG/controls/V-74721.rb", "line": 3 }, - "id": "V-72769" + "id": "V-74721" }, { - "title": "The system must be configured to audit Policy Change - Authentication\n Policy Change successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy including Kerberos policy and Trust changes.", + "title": "Internet connection sharing must be disabled.", + "desc": "Internet connection sharing makes it possible for an existing internet\n connection, such as through wireless, to be shared and used by other systems\n essentially creating a mobile hotspot. This exposes the system sharing the\n connection to others with potentially malicious purpose.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy including Kerberos policy and Trust changes.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Policy Change >> Authentication Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \"Audit Authentication Policy Change\" with\n \"Success\" selected." + "default": "Internet connection sharing makes it possible for an existing internet\n connection, such as through wireless, to be shared and used by other systems\n essentially creating a mobile hotspot. 
This exposes the system sharing the\n connection to others with potentially malicious purpose.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections\\\n\n Value Name: NC_ShowSharedAccessUI\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Connections >> \"Prohibit use of\n Internet Connection Sharing on your DNS domain network\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000105", - "gid": "V-63481", - "rid": "SV-77971r1_rule", - "stig_id": "WN10-AU-000105", - "fix_id": "F-69411r1_fix", + "gtitle": "WN10-CC-000044", + "gid": "V-71765", + "rid": "SV-86389r1_rule", + "stig_id": "WN10-CC-000044", + "fix_id": "F-78117r2_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000381" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
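Review bot: The `describe.one` in the new `code` for V-74721 wraps two `audit_policy` blocks that differ only in the expected string; a single matcher states the accepted set more directly: `describe audit_policy do` / `its('File Share') { should be_in ['Success', 'Success and Failure'] }` / `end`. The check text also makes this control dependent on WN10-SO-000030 being `Enabled` for subcategory auditing to take effect, which the code does not mention; a one-line comment such as `# subcategory settings only apply when WN10-SO-000030 is Enabled` would make that dependency visible to whoever reads a failing result.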
@@ -3986,35 +4013,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63481' do\n title \"The system must be configured to audit Policy Change - Authentication\n Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy including Kerberos policy and Trust changes.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000105'\n tag gid: 'V-63481'\n tag rid: 'SV-77971r1_rule'\n tag stig_id: 'WN10-AU-000105'\n tag fix_id: 'F-69411r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Policy Change >> Authentication Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \\\"Audit Authentication Policy Change\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-71765' do\n title 'Internet connection sharing must be disabled.'\n desc \"Internet connection sharing makes it possible for an existing internet\n connection, such as through wireless, to be shared and used by other systems\n essentially creating a mobile hotspot. This exposes the system sharing the\n connection to others with potentially malicious purpose.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000044'\n tag gid: 'V-71765'\n tag rid: 'SV-86389r1_rule'\n tag stig_id: 'WN10-CC-000044'\n tag fix_id: 'F-78117r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Network Connections\\\\\n\n Value Name: NC_ShowSharedAccessUI\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network 
>> Network Connections >> \\\"Prohibit use of\n Internet Connection Sharing on your DNS domain network\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections') do\n it { should have_property 'NC_ShowSharedAccessUI' }\n its('NC_ShowSharedAccessUI') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63481.rb", + "ref": "./Windows 10 STIG/controls/V-71765.rb", "line": 3 }, - "id": "V-63481" + "id": "V-71765" }, { - "title": "OneDrive must only allow synchronizing of accounts for DoD\n organization instances.", - "desc": "OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances if enabled. Configuring this setting\n will restrict synchronizing of OneDrive accounts to DoD organization instances.", + "title": "The Windows Remote Management (WinRM) client must not use Digest\n authentication.", + "desc": "Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks.", "descriptions": { - "default": "OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances if enabled. 
Configuring this setting\n will restrict synchronizing of OneDrive accounts to DoD organization instances.", - "check": "If the organization is using a DoD instance of OneDrive, verify\n synchronizing is only allowed to the organization's DoD instance.\n\n If the organization does not have an instance of OneDrive, verify this is\n configured with the noted dummy entry to prevent synchronizing with other\n instances.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\OneDrive\\AllowTenantList\\\n\n Value Name: Organization's Tenant GUID\n\n Value Type: REG_SZ\n Value: Organization's Tenant GUID\n\n If the organization does not have an instance of OneDrive the Value Name and\n Value must be 1111-2222-3333-4444, if not this is a finding.", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> OneDrive >> \"Allow syncing OneDrive accounts for\n only specific organizations\", with the Tenant GUID of the organization's DoD\n instance in the format 1111-2222-3333-4444.\n\n If the organization does not have an instance of OneDrive, configure the Tenant\n GUID with \"1111-2222-3333-4444\".\n\n Group policy files for OneDrive are located on a system with OneDrive in\n \"%localappdata%\\Microsoft\\OneDrive\\BuildNumber\\adm\\\".\n\n Copy the OneDrive.admx and .adml files to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." 
+ "default": "Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowDigest\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \"Disallow Digest authentication\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", "gtitle": "WN10-CC-000360", - "gid": "V-88203", - "rid": "SV-98853r2_rule", + "gid": "V-63341", + "rid": "SV-77831r2_rule", "stig_id": "WN10-CC-000360", - "fix_id": "F-94945r4_fix", + "fix_id": "F-69263r1_fix", "cci": [ - "CCI-000366" + "CCI-000877" ], "nist": [ - "CM-6 b", + "MA-4 c", "Rev_4" ], "false_negatives": null, 
@@ -4028,35 +4055,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-88203' do\n title \"OneDrive must only allow synchronizing of accounts for DoD\n organization instances.\"\n desc \"OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances if enabled. Configuring this setting\n will restrict synchronizing of OneDrive accounts to DoD organization instances.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000360'\n tag gid: 'V-88203'\n tag rid: 'SV-98853r2_rule'\n tag stig_id: 'WN10-CC-000360'\n tag fix_id: 'F-94945r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the organization is using a DoD instance of OneDrive, verify\n synchronizing is only allowed to the organization's DoD instance.\n\n If the organization does not have an instance of OneDrive, verify this is\n configured with the noted dummy entry to prevent synchronizing with other\n instances.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\OneDrive\\\\AllowTenantList\\\\\n\n Value Name: Organization's Tenant GUID\n\n Value Type: REG_SZ\n Value: Organization's Tenant GUID\n\n If the organization does not have an instance of OneDrive the Value Name and\n Value must be 1111-2222-3333-4444, if not this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> OneDrive >> \\\"Allow syncing OneDrive accounts for\n only specific organizations\\\", with the Tenant GUID of the 
organization's DoD\n instance in the format 1111-2222-3333-4444.\n\n If the organization does not have an instance of OneDrive, configure the Tenant\n GUID with \\\"1111-2222-3333-4444\\\".\n\n Group policy files for OneDrive are located on a system with OneDrive in\n \\\"%localappdata%\\\\Microsoft\\\\OneDrive\\\\BuildNumber\\\\adm\\\\\\\".\n\n Copy the OneDrive.admx and .adml files to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n \n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive\\AllowTenantList') do\n it { should have_property input('onedrive_tenant_guid') }\n its(input('onedrive_tenant_guid')) { should cmp input('onedrive_tenant_guid') }\n end\nend", + "code": "control 'V-63341' do\n title \"The Windows Remote Management (WinRM) client must not use Digest\n authentication.\"\n desc \"Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000360'\n tag gid: 'V-63341'\n tag rid: 'SV-77831r2_rule'\n tag stig_id: 'WN10-CC-000360'\n tag fix_id: 'F-69263r1_fix'\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowDigest\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote 
Management\n (WinRM) >> WinRM Client >> \\\"Disallow Digest authentication\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client') do\n it { should have_property 'AllowDigest' }\n its('AllowDigest') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-88203.rb", + "ref": "./Windows 10 STIG/controls/V-63341.rb", "line": 3 }, - "id": "V-88203" + "id": "V-63341" }, { - "title": "User Account Control must run all administrators in Admin Approval\n Mode, enabling UAC.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.", + "title": "Windows 10 must be configured to audit Object Access - Other Object\n Access Events successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Run all administrators in Admin Approval Mode\" to\n \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\"Run as\n Administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> Other Object Access Events - Success\n\n If the system does not audit the above, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit Other Object Access Events\" with\n \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000270", - "gid": "V-63829", - "rid": "SV-78319r1_rule", - "stig_id": "WN10-SO-000270", - "fix_id": "F-69757r1_fix", + "gtitle": "WN10-AU-000083", + "gid": "V-74411", + "rid": "SV-89085r1_rule", + "stig_id": "WN10-AU-000083", + "fix_id": "F-80953r2_fix", "cci": [ - "CCI-002038" + "CCI-000172" ], "nist": [ - "IA-11", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
@@ -4070,68 +4097,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63829' do\n title \"User Account Control must run all administrators in Admin Approval\n Mode, enabling UAC.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000270'\n tag gid: 'V-63829'\n tag rid: 'SV-78319r1_rule'\n tag stig_id: 'WN10-SO-000270'\n tag fix_id: 'F-69757r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Run all administrators in Admin Approval Mode\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'EnableLUAs' }\n its('EnableLUA') { should cmp 1 }\n end\nend\n", - "source_location": { - "ref": "./Windows 10 STIG/controls/V-63829.rb", - "line": 3 - }, - "id": "V-63829" - }, - { - "title": "Windows 10 should be configured to prevent users from receiving\nsuggestions for third-party or additional applications. 
", - "desc": "Windows spotlight features may suggest apps and content from\nthird-party software publishers in addition to Microsoft apps and content.", - "descriptions": { - "default": "Windows spotlight features may suggest apps and content from\nthird-party software publishers in addition to Microsoft apps and content.", - "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent\\\n\n Value Name: DisableThirdPartySuggestions\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for User Configuration >>\nAdministrative Templates >> Windows Components >> Cloud Content >> \"Do not\nsuggest third-party content in Windows spotlight\" to \"Enabled" - }, - "impact": 0.3, - "refs": [], - "tags": { - "severity": null, - "gtitle": "WN10-CC-000390", - "gid": "V-99563", - "rid": "SV-108667r1_rule", - "stig_id": "WN10-CC-000390", - "fix_id": "F-105247r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a", - "Rev_4" - ] - }, - "code": "control \"V-99563\" do\n title \"Windows 10 should be configured to prevent users from receiving\nsuggestions for third-party or additional applications. \"\n desc \"Windows spotlight features may suggest apps and content from\nthird-party software publishers in addition to Microsoft apps and content. 
\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"WN10-CC-000390\"\n tag gid: \"V-99563\"\n tag rid: \"SV-108667r1_rule\"\n tag stig_id: \"WN10-CC-000390\"\n tag fix_id: \"F-105247r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CloudContent\\\\\n\n Value Name: DisableThirdPartySuggestions\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for User Configuration >>\nAdministrative Templates >> Windows Components >> Cloud Content >> \\\"Do not\nsuggest third-party content in Windows spotlight\\\" to \\\"Enabled\"\n \n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CloudContent') do\n it { should have_property 'DisableThirdPartySuggestions' }\n its('DisableThirdPartySuggestions') { should cmp 1 }\n end\nend\n", + "code": "control 'V-74411' do\n title \"Windows 10 must be configured to audit Object Access - Other Object\n Access Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000083'\n tag gid: 'V-74411'\n tag rid: 'SV-89085r1_rule'\n tag stig_id: 'WN10-AU-000083'\n tag fix_id: 'F-80953r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\\\"Run as\n Administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> Other Object Access Events - Success\n\n If the system does not audit the above, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Object 
Access Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99563.rb", + "ref": "./Windows 10 STIG/controls/V-74411.rb", "line": 3 }, - "id": "V-99563" + "id": "V-74411" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for\n VPREVIEW.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The Windows Remote Management (WinRM) service must not use Basic\n authentication.", + "desc": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name VPREVIEW.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" 
are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for VPREVIEW.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowBasic\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \"Allow Basic authentication\" to \"Disabled\"." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-EP-000270", - "gid": "V-77259", - "rid": "SV-91955r3_rule", - "stig_id": "WN10-EP-000270", - "fix_id": "F-84509r4_fix", + "severity": "high", + "gtitle": "WN10-CC-000345", + "gid": "V-63347", + "rid": "SV-77837r1_rule", + "stig_id": "WN10-CC-000345", + "fix_id": "F-69265r1_fix", "cci": [ - "CCI-000366" + "CCI-000877" ], "nist": [ - "CM-6 b", + "MA-4 c", "Rev_4" ], "false_negatives": null, 
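Review bot: Every control added on the new side carries its title, desc, check/fix text and tags twice — once as structured JSON fields and again verbatim inside the Ruby `code` string (for V-74411 the `desc "check"` / `tag nist` lines repeat `descriptions.check` and `tags.nist`), so nothing in this file prevents the two copies from drifting, and a consumer that reads only the structured fields would not see a divergence in the test actually executed. The same applies to the V-63347, V-63935 and V-63451 entries in the following hunks. If this file is a regenerated profile export, the assurance belongs in the generation step: a validation that each entry's `descriptions.check`, `descriptions.fix` and `tags.*` equal the corresponding `desc`/`tag` values parsed out of `code`, failing the build on mismatch. If it is hand-maintained, a short note in the repository README that `code` is the authoritative copy would at least tell readers which side to trust.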
@@ -4145,35 +4139,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77259' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n VPREVIEW.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000270'\n tag gid: 'V-77259'\n tag rid: 'SV-91955r3_rule'\n tag stig_id: 'WN10-EP-000270'\n tag fix_id: 'F-84509r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name VPREVIEW.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for VPREVIEW.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name VPREVIEW.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Visio Previewer' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name VPREVIEW.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Visio Previewer' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name VPREVIEW.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Visio Previewer' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-63347' do\n title \"The Windows Remote Management (WinRM) service must not use Basic\n authentication.\"\n desc \"Basic authentication uses plain text passwords that could be used to\n compromise a system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000345'\n tag gid: 'V-63347'\n tag rid: 'SV-77837r1_rule'\n tag stig_id: 'WN10-CC-000345'\n tag fix_id: 'F-69265r1_fix'\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c', 'Rev_4']\n tag false_negatives: 
nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowBasic\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \\\"Allow Basic authentication\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77259.rb", + "ref": "./Windows 10 STIG/controls/V-63347.rb", "line": 3 }, - "id": "V-77259" + "id": "V-63347" }, { - "title": "Kerberos encryption types must be configured to prevent the use of DES\n and RC4 encryption suites.", - "desc": "Certain encryption types are no longer considered secure. This\n setting configures a minimum encryption type for Kerberos, preventing the use\n of the DES and RC4 encryption suites.", + "title": "The Profile single process user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Profile single process\" user right can monitor\n non-system processes performance. 
An attacker could potentially use this to\n identify processes to attack.", "descriptions": { - "default": "Certain encryption types are no longer considered secure. This\n setting configures a minimum encryption type for Kerberos, preventing the use\n of the DES and RC4 encryption suites.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Configure encryption types allowed for Kerberos\" to\n \"Enabled\" with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types" + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Profile single process\" user right can monitor\n non-system processes performance. 
An attacker could potentially use this to\n identify processes to attack.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Profile\n single process\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Profile single process\" to only include the following groups or accounts:\n\n Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000190", - "gid": "V-63795", - "rid": "SV-78285r1_rule", - "stig_id": "WN10-SO-000190", - "fix_id": "F-69723r2_fix", + "gtitle": "WN10-UR-000150", + "gid": "V-63935", + "rid": "SV-78425r1_rule", + "stig_id": "WN10-UR-000150", + "fix_id": "F-69863r1_fix", "cci": [ - "CCI-000803" + "CCI-002235" ], "nist": [ - "IA-7", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
@@ -4187,35 +4181,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63795' do\n title \"Kerberos encryption types must be configured to prevent the use of DES\n and RC4 encryption suites.\"\n desc \"Certain encryption types are no longer considered secure. This\n setting configures a minimum encryption type for Kerberos, preventing the use\n of the DES and RC4 encryption suites.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000190'\n tag gid: 'V-63795'\n tag rid: 'SV-78285r1_rule'\n tag stig_id: 'WN10-SO-000190'\n tag fix_id: 'F-69723r2_fix'\n tag cci: ['CCI-000803']\n tag nist: %w[IA-7 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Configure encryption types allowed for Kerberos\\\" to\n \\\"Enabled\\\" with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters') do\n it { should have_property 'SupportedEncryptionTypes' }\n its('SupportedEncryptionTypes') { should cmp 2_147_483_640 }\n end\nend\n", + "code": "control 'V-63935' do\n title \"The Profile single 
process user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Profile single process\\\" user right can monitor\n non-system processes performance. An attacker could potentially use this to\n identify processes to attack.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000150'\n tag gid: 'V-63935'\n tag rid: 'SV-78425r1_rule'\n tag stig_id: 'WN10-UR-000150'\n tag fix_id: 'F-69863r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Profile\n single process\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Profile single process\\\" to only include the following groups or accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeProfileSingleProcessPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63795.rb", + "ref": "./Windows 10 STIG/controls/V-63935.rb", "line": 3 }, - "id": "V-63795" + "id": "V-63935" }, { - "title": "File Explorer shell protocol must run in protected mode.", - "desc": "The shell protocol will limit the set 
of folders applications can\n open when run in protected mode. Restricting files an application can open, to\n a limited set of folders, increases the security of Windows.", + "title": "The system must be configured to audit Detailed Tracking - PNP\n Activity successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.", "descriptions": { - "default": "The shell protocol will limit the set of folders applications can\n open when run in protected mode. Restricting files an application can open, to\n a limited set of folders, increases the security of Windows.", - "check": "The default behavior is for shell protected mode to be turned on\n for file explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)", - "fix": "The default behavior is for shell protected mode to be turned on\n for file explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \"Turn off shell protocol protected mode\" to \"Not Configured\" or\n 
\"Disabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Detailed Tracking >> Plug and Play Events - Success", + "fix": "Computer Configuration >> Windows Settings >> Advanced Audit Policy\n Configuration >> System Audit Policies >> Detailed Tracking >> \"Audit PNP\n Activity\" with \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000225", - "gid": "V-63695", - "rid": "SV-78185r1_rule", - "stig_id": "WN10-CC-000225", - "fix_id": "F-69623r1_fix", + "gtitle": "WN10-AU-000045", + "gid": "V-63451", + "rid": "SV-77941r1_rule", + "stig_id": "WN10-AU-000045", + "fix_id": "F-69379r1_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
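Review bot: The V-63935 `code` string asserts `its('SeProfileSingleProcessPrivilege') { should eq ['S-1-5-32-544'] }`, which also fails when the right is assigned to nobody, whereas the check text in `descriptions.check` only makes it a finding when "any groups or accounts other than" Administrators hold the right. If the intent is to mirror the STIG wording, a subset-style assertion such as `its('SeProfileSingleProcessPrivilege') { should be_in ['S-1-5-32-544'] }` (InSpec's `be_in` accepts an array subject, to be confirmed against the InSpec version the profile targets) would match it; if the stricter "exactly Administrators" reading is deliberate, a comment line inside `code` stating that would stop the next reader from "fixing" it. The control's Ruby text ends inside this hunk, but the JSON object continues past it.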
@@ -4229,30 +4223,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63695' do\n title 'File Explorer shell protocol must run in protected mode.'\n desc \"The shell protocol will limit the set of folders applications can\n open when run in protected mode. Restricting files an application can open, to\n a limited set of folders, increases the security of Windows.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000225'\n tag gid: 'V-63695'\n tag rid: 'SV-78185r1_rule'\n tag stig_id: 'WN10-CC-000225'\n tag fix_id: 'F-69623r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior is for shell protected mode to be turned on\n for file explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)\"\n\n desc \"fix\", \"The default behavior is for shell protected mode to be turned on\n for file explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \\\"Turn off shell protocol protected mode\\\" to \\\"Not Configured\\\" or\n \\\"Disabled\\\".\"\n\n describe.one do\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should have_property 'PreXPSP2ShellProtocolBehavior' }\n its('PreXPSP2ShellProtocolBehavior') { should_not be 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should_not have_property 'PreXPSP2ShellProtocolBehavior' }\n end\n end\nend\n", + "code": "control 'V-63451' do\n title \"The system must be configured to audit Detailed Tracking - PNP\n Activity successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000045'\n tag gid: 'V-63451'\n tag rid: 'SV-77941r1_rule'\n tag stig_id: 'WN10-AU-000045'\n tag fix_id: 'F-69379r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n 
Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Detailed Tracking >> Plug and Play Events - Success\"\n\n desc \"fix\", \"Computer Configuration >> Windows Settings >> Advanced Audit Policy\n Configuration >> System Audit Policies >> Detailed Tracking >> \\\"Audit PNP\n Activity\\\" with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63695.rb", + "ref": "./Windows 10 STIG/controls/V-63451.rb", "line": 3 }, - "id": "V-63695" + "id": "V-63451" }, { - "title": "Internet Information System (IIS) or its subcomponents must not be\n installed on a workstation.", - "desc": "Installation of Internet Information System (IIS) may allow\n unauthorized internet services to be hosted. Websites must only be hosted on\n servers that have been designed for that purpose and can be adequately secured.", + "title": "Toast notifications to the lock screen must be turned off.", + "desc": "Toast notifications that are displayed on the lock screen could\n display sensitive information to unauthorized personnel. 
Turning off this\n feature will limit access to the information to a logged on user.", "descriptions": { - "default": "Installation of Internet Information System (IIS) may allow\n unauthorized internet services to be hosted. Websites must only be hosted on\n servers that have been designed for that purpose and can be adequately secured.", - "check": "IIS is not installed by default. Verify it has not been\n installed on the system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows features on or off\".\n\n If the entries for \"Internet Information Services\" or \"Internet Information\n Services Hostable Web Core\" are selected, this is a finding.\n\n If an application requires IIS or a subset to be installed to function, this\n needs be documented with the ISSO. In addition, any applicable requirements\n from the IIS STIG must be addressed.", - "fix": "Uninstall \"Internet Information Services\" or \"Internet\n Information Services Hostable Web Core\" from the system." + "default": "Toast notifications that are displayed on the lock screen could\n display sensitive information to unauthorized personnel. Turning off this\n feature will limit access to the information to a logged on user.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\\n\n Value Name: NoToastApplicationNotificationOnLockScreen\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for User Configuration >> Administrative\n Templates >> Start Menu and Taskbar >> Notifications >> \"Turn off toast\n notifications on the lock screen\" to \"Enabled\"." 
},
- "impact": 0.7,
+ "impact": 0.3,
"refs": [],
"tags": {
- "severity": "high",
- "gtitle": "WN10-00-000100",
- "gid": "V-63377",
- "rid": "SV-77867r1_rule",
- "stig_id": "WN10-00-000100",
- "fix_id": "F-69297r1_fix",
+ "severity": "low",
+ "gtitle": "WN10-UC-000015",
+ "gid": "V-63839",
+ "rid": "SV-78329r1_rule",
+ "stig_id": "WN10-UC-000015",
+ "fix_id": "F-69767r1_fix",
"cci": [
"CCI-000381"
],
@@ -4271,35 +4265,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63377' do\n title \"Internet Information System (IIS) or its subcomponents must not be\n installed on a workstation.\"\n desc \"Installation of Internet Information System (IIS) may allow\n unauthorized internet services to be hosted. Websites must only be hosted on\n servers that have been designed for that purpose and can be adequately secured.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000100'\n tag gid: 'V-63377'\n tag rid: 'SV-77867r1_rule'\n tag stig_id: 'WN10-00-000100'\n tag fix_id: 'F-69297r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"IIS is not installed by default. Verify it has not been\n installed on the system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows features on or off\\\".\n\n If the entries for \\\"Internet Information Services\\\" or \\\"Internet Information\n Services Hostable Web Core\\\" are selected, this is a finding.\n\n If an application requires IIS or a subset to be installed to function, this\n needs be documented with the ISSO. 
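Review bot: The two `command(...)` fallbacks in the V-63451 `describe.one` look unreachable as written: `Findstr /c:'Plug and Play Events'` hands the single quotes to findstr literally under cmd, so the search string includes the apostrophes, and the regex `/Plug and Play Events Success/` expects a single space where `AuditPol /get` pads the subcategory column with several. Because they sit inside `describe.one` next to the `audit_policy` checks they cannot cause a false pass, but they silently add no coverage, and the fourth alternative is redundant anyway since "Success" is a substring of "Success and Failure". Either drop them or make them usable, e.g. `command('AuditPol /get /category:* | Findstr /c:"Plug and Play Events"')` with `its('stdout') { should match /Plug and Play Events\s+Success/ }`. The check text also states that the subcategory-override option (WN10-SO-000030) must be enabled for this setting to take effect; a one-line comment in the control saying that dependency is deliberately not re-verified here would save the next reader from wondering.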
In addition, any applicable requirements\n from the IIS STIG must be addressed.\"\n\n desc \"fix\", \"Uninstall \\\"Internet Information Services\\\" or \\\"Internet\n Information Services Hostable Web Core\\\" from the system.\"\n\n describe windows_feature('Internet Information Services') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-63839' do\n title 'Toast notifications to the lock screen must be turned off.'\n desc \"Toast notifications that are displayed on the lock screen could\n display sensitive information to unauthorized personnel. Turning off this\n feature will limit access to the information to a logged on user.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-UC-000015'\n tag gid: 'V-63839'\n tag rid: 'SV-78329r1_rule'\n tag stig_id: 'WN10-UC-000015'\n tag fix_id: 'F-69767r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\\n\n Value Name: NoToastApplicationNotificationOnLockScreen\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for User Configuration >> Administrative\n Templates >> Start Menu and Taskbar >> Notifications >> \\\"Turn off toast\n notifications on the lock screen\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications') do\n it { should have_property 'NoToastApplicationNotificationOnLockScreen' }\n 
its('NoToastApplicationNotificationOnLockScreen') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63377.rb", + "ref": "./Windows 10 STIG/controls/V-63839.rb", "line": 3 }, - "id": "V-63377" + "id": "V-63839" }, { - "title": "Windows Update must not obtain updates from other PCs on the Internet.", - "desc": "Windows 10 allows Windows Update to obtain updates from additional\n sources instead of Microsoft. In addition to Microsoft, updates can be obtained\n from and sent to PCs on the local network as well as on the Internet. This is\n part of the Windows Update trusted process, however to minimize outside\n exposure, obtaining updates from or sending to systems on the Internet must be\n prevented.", + "title": "User Account Control must automatically deny elevation requests for \n standard users.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n Denying elevation requests from standard user accounts requires tasks that need\n elevation to be initiated by accounts with administrative privileges. This\n ensures correct accounts are used on the system for privileged tasks to help\n mitigate credential theft.", "descriptions": { - "default": "Windows 10 allows Windows Update to obtain updates from additional\n sources instead of Microsoft. In addition to Microsoft, updates can be obtained\n from and sent to PCs on the local network as well as on the Internet. 
This is\n part of the Windows Update trusted process, however to minimize outside\n exposure, obtaining updates from or sending to systems on the Internet must be\n prevented.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - No peering (HTTP Only)\n 0x00000001 (1) - Peers on same NAT only (LAN)\n 0x00000002 (2) - Local Network / Private group peering (Group)\n 0x00000063 (99) - Simple download mode, no peering (Simple)\n 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass)\n\n A value of 0x00000003 (3), Internet, is a finding.\n\n v1507 LTSB:\n Domain joined systems:\n Verify the registry value above.\n If the value is not 0x00000000 (0) or 0x00000001 (1), this is a finding.\n\n Standalone systems (configured in Settings):\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - Off\n 0x00000001 (1) - LAN", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Delivery Optimization >>\n \"Download Mode\" to \"Enabled\" with any option except \"Internet\" selected.\n\n Acceptable selections include:\n Bypass (100)\n Group (2)\n HTTP only (0)\n LAN (1)\n Simple (99)\n\n v1507 (LTSB) does not include this group policy setting locally. For domain\n joined systems, configure through domain group policy as \"HTTP only (0)\" or\n \"Lan (1)\". 
Standalone systems configure using Settings >> Update & Security\n >> Windows Update >> Advanced Options >> \"Choose how updates are delivered\"\n with either \"Off\" or \"PCs on my local network\" selected." - }, - "impact": 0.3, + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n Denying elevation requests from standard user accounts requires tasks that need\n elevation to be initiated by accounts with administrative privileges. This\n ensures correct accounts are used on the system for privileged tasks to help\n mitigate credential theft.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Behavior of the elevation prompt for standard users\" to\n \"Automatically deny elevation requests\"." + }, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-CC-000206", - "gid": "V-65681", - "rid": "SV-80171r3_rule", - "stig_id": "WN10-CC-000206", - "fix_id": "F-83251r4_fix", + "severity": "medium", + "gtitle": "WN10-SO-000255", + "gid": "V-63821", + "rid": "SV-78311r1_rule", + "stig_id": "WN10-SO-000255", + "fix_id": "F-69749r1_fix", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b", + "IA-11", "Rev_4" ], "false_negatives": null, 
@@ -4313,41 +4307,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-65681' do\n title 'Windows Update must not obtain updates from other PCs on the Internet.'\n desc \"Windows 10 allows Windows Update to obtain updates from additional\n sources instead of Microsoft. In addition to Microsoft, updates can be obtained\n from and sent to PCs on the local network as well as on the Internet. This is\n part of the Windows Update trusted process, however to minimize outside\n exposure, obtaining updates from or sending to systems on the Internet must be\n prevented.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000206'\n tag gid: 'V-65681'\n tag rid: 'SV-80171r3_rule'\n tag stig_id: 'WN10-CC-000206'\n tag fix_id: 'F-83251r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeliveryOptimization\\\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - No peering (HTTP Only)\n 0x00000001 (1) - Peers on same NAT only (LAN)\n 0x00000002 (2) - Local Network / Private group peering (Group)\n 0x00000063 (99) - Simple download mode, no peering (Simple)\n 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass)\n\n A value of 0x00000003 (3), Internet, is a finding.\n\n v1507 LTSB:\n Domain joined systems:\n Verify the registry value above.\n If the value is not 0x00000000 (0) or 0x00000001 (1), this is a finding.\n\n Standalone systems (configured in Settings):\n If the following 
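Review bot: The V-63839 test reads `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications`, but the check text in the same control specifies `HKEY_CURRENT_USER` and the fix is a User Configuration policy, so the InSpec code and the STIG procedure disagree on the hive. As written, a host where the policy is correctly applied per user will report a finding because the HKLM key is absent, and a value planted under HKLM would pass even though the lock-screen toast policy is not in effect for any user. The minimal correction is `describe registry_key('HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications') do`, with a comment noting that HKCU under InSpec resolves to the account running the scan, so user-scoped controls like this one may need to be evaluated against the loaded `HKEY_USERS` hives instead.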
registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\DeliveryOptimization\\\\Config\\\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - Off\n 0x00000001 (1) - LAN\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Delivery Optimization >>\n \\\"Download Mode\\\" to \\\"Enabled\\\" with any option except \\\"Internet\\\" selected.\n\n Acceptable selections include:\n Bypass (100)\n Group (2)\n HTTP only (0)\n LAN (1)\n Simple (99)\n\n v1507 (LTSB) does not include this group policy setting locally. For domain\n joined systems, configure through domain group policy as \\\"HTTP only (0)\\\" or\n \\\"Lan (1)\\\". Standalone systems configure using Settings >> Update & Security\n >> Windows Update >> Advanced Options >> \\\"Choose how updates are delivered\\\"\n with either \\\"Off\\\" or \\\"PCs on my local network\\\" selected.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId == '1507'\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 1 }\n end\n end\n else\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 0 }\n end\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 2 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 99 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 100 }\n end\n end\n end\nend\n", + "code": "control \"V-63821\" do\n title \"User Account Control must automatically deny elevation requests for \n standard users.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n Denying elevation requests from standard user accounts requires tasks that need\n elevation to be initiated by accounts with administrative privileges. 
This\n ensures correct accounts are used on the system for privileged tasks to help\n mitigate credential theft.\"\n impact 0.5\n tag severity: \"medium\"\n tag gtitle: \"WN10-SO-000255\"\n tag gid: \"V-63821\"\n tag rid: \"SV-78311r1_rule\"\n tag stig_id: \"WN10-SO-000255\"\n tag fix_id: \"F-69749r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Behavior of the elevation prompt for standard users\\\" to\n \\\"Automatically deny elevation requests\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'ConsentPromptBehaviorUser' }\n its('ConsentPromptBehaviorUser') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-65681.rb", - "line": 3 + "ref": "./Windows 10 STIG/controls/V-63821.rb", + "line": 2 }, - "id": "V-65681" + "id": "V-63821" }, { - "title": "The built-in Microsoft password complexity filter must be enabled.", - "desc": "The use of complex passwords increases their strength against guessing\n and brute-force attacks. 
This setting configures the system to verify that\n newly created passwords conform to the Windows password complexity policy.", + "title": "Simple Network Management Protocol (SNMP) must not be installed on the\n system.", + "desc": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", "descriptions": { - "default": "The use of complex passwords increases their strength against guessing\n and brute-force attacks. This setting configures the system to verify that\n newly created passwords conform to the Windows password complexity policy.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \"Password must meet complexity requirements\" is not set to\n \"Enabled\", this is a finding.\n\n If the site is using a password filter that requires this setting be set to\n \"Disabled\" for the filter to be used, this would not be considered a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Password must meet complexity requirements\" to \"Enabled\"." + "default": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", + "check": "\"SNMP\" is not installed by default. Verify it has not been\n installed.\n\n Navigate to the Windows\\System32 directory.\n\n If the \"SNMP\" application exists, this is a finding.", + "fix": "Uninstall \"Simple Network Management Protocol (SNMP)\" from the\n system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows Features on or off\".\n De-select \"Simple Network Management Protocol (SNMP)\"." 
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium",
- "gtitle": "WN10-AC-000040",
- "gid": "V-63427",
- "rid": "SV-77917r1_rule",
- "stig_id": "WN10-AC-000040",
- "fix_id": "F-69355r1_fix",
+ "gtitle": "WN10-00-000105",
+ "gid": "V-63381",
+ "rid": "SV-77871r1_rule",
+ "stig_id": "WN10-00-000105",
+ "fix_id": "F-69301r1_fix",
"cci": [
- "CCI-000192",
- "CCI-000193",
- "CCI-000194",
- "CCI-001619"
+ "CCI-000382"
],
"nist": [
- "IA-5 (1) (a)",
- "IA-5 (1) (a)",
- "IA-5 (1) (a)",
- "IA-5 (1) (a)",
+ "CM-7 b",
"Rev_4"
],
"false_negatives": null,
@@ -4361,35 +4349,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63427' do\n title 'The built-in Microsoft password complexity filter must be enabled.'\n desc \"The use of complex passwords increases their strength against guessing\n and brute-force attacks. This setting configures the system to verify that\n newly created passwords conform to the Windows password complexity policy.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000040'\n tag gid: 'V-63427'\n tag rid: 'SV-77917r1_rule'\n tag stig_id: 'WN10-AC-000040'\n tag fix_id: 'F-69355r1_fix'\n tag cci: %w[CCI-000192 CCI-000193 CCI-000194 CCI-001619]\n tag nist: ['IA-5 (1) (a)', 'IA-5 (1) (a)', 'IA-5 (1) (a)', 'IA-5 (1) (a)',\n 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \\\"Password must meet complexity requirements\\\" is not set to\n \\\"Enabled\\\", this is a finding.\n\n If the site is using a password filter that requires this setting be set to\n \\\"Disabled\\\" for the filter to be used, this would not be considered a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Password must meet complexity requirements\\\" to \\\"Enabled\\\".\"\n\n describe security_policy do\n its('PasswordComplexity') { should eq input('enable_pass_complexity') }\n end\nend\n", + "code": "control 'V-63381' do\n title \"Simple Network Management 
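Review bot: The V-63821 control is written in a different style from its siblings in this change: it uses double-quoted `control "V-63821"`, `tag severity: "medium"` and so on where the neighbouring controls use single quotes, and its `title` carries a trailing space before the line break (`"...elevation requests for \n standard users."`), which is also visible in the exported JSON `title` field. Its `source_location.line` is 2 rather than the 3 used everywhere else, presumably because that control file lacks the usual leading line. None of this changes what is checked — `ConsentPromptBehaviorUser` compared to 0 is the correct value for "Automatically deny elevation requests" — but normalizing to `control 'V-63821' do` and trimming the title would keep the generated JSON consistent and diff-friendly.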
Protocol (SNMP) must not be installed on the\n system.\"\n desc \"Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000105'\n tag gid: 'V-63381'\n tag rid: 'SV-77871r1_rule'\n tag stig_id: 'WN10-00-000105'\n tag fix_id: 'F-69301r1_fix'\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"\\\"SNMP\\\" is not installed by default. Verify it has not been\n installed.\n\n Navigate to the Windows\\\\System32 directory.\n\n If the \\\"SNMP\\\" application exists, this is a finding.\"\n\n desc \"fix\", \"Uninstall \\\"Simple Network Management Protocol (SNMP)\\\" from the\n system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows Features on or off\\\".\n De-select \\\"Simple Network Management Protocol (SNMP)\\\".\"\n\n describe windows_feature('SNMP') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63427.rb", + "ref": "./Windows 10 STIG/controls/V-63381.rb", "line": 3 }, - "id": "V-63427" + "id": "V-63381" }, { - "title": "The built-in administrator account must be disabled.", - "desc": "The built-in administrator account is a well-known account subject to\n attack. It also provides no accountability to individual administrators on a\n system. It must be disabled to prevent its use.", + "title": "Administrator accounts must not be enumerated during elevation.", + "desc": "Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. 
This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.", "descriptions": { - "default": "The built-in administrator account is a well-known account subject to\n attack. It also provides no accountability to individual administrators on a\n system. It must be disabled to prevent its use.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Administrator account status\" is not set to\n \"Disabled\", this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Administrator account status\" to \"Disabled\"." + "default": "Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\\n\n Value Name: EnumerateAdministrators\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Credential User Interface >>\n \"Enumerate administrator accounts on elevation\" to \"Disabled\"." 
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium",
- "gtitle": "WN10-SO-000005",
- "gid": "V-63601",
- "rid": "SV-78091r1_rule",
- "stig_id": "WN10-SO-000005",
- "fix_id": "F-69531r1_fix",
+ "gtitle": "WN10-CC-000200",
+ "gid": "V-63679",
+ "rid": "SV-78169r1_rule",
+ "stig_id": "WN10-CC-000200",
+ "fix_id": "F-69607r1_fix",
"cci": [
- "CCI-000764"
+ "CCI-001084"
],
"nist": [
- "IA-2",
+ "SC-3",
"Rev_4"
],
"false_negatives": null,
@@ -4403,30 +4391,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63601' do\n title 'The built-in administrator account must be disabled.'\n desc \"The built-in administrator account is a well-known account subject to\n attack. It also provides no accountability to individual administrators on a\n system. It must be disabled to prevent its use.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000005'\n tag gid: 'V-63601'\n tag rid: 'SV-78091r1_rule'\n tag stig_id: 'WN10-SO-000005'\n tag fix_id: 'F-69531r1_fix'\n tag cci: ['CCI-000764']\n tag nist: %w[IA-2 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Administrator account status\\\" is not set to\n \\\"Disabled\\\", this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Administrator account status\\\" to \\\"Disabled\\\".\"\n\n describe security_policy do\n its('EnableAdminAccount') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63679' do\n title 'Administrator accounts must not be enumerated during elevation.'\n desc \"Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. 
This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000200'\n tag gid: 'V-63679'\n tag rid: 'SV-78169r1_rule'\n tag stig_id: 'WN10-CC-000200'\n tag fix_id: 'F-69607r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI\\\\\n\n Value Name: EnumerateAdministrators\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Credential User Interface >>\n \\\"Enumerate administrator accounts on elevation\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI') do\n it { should have_property 'EnumerateAdministrators' }\n its('EnumerateAdministrators') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63601.rb", + "ref": "./Windows 10 STIG/controls/V-63679.rb", "line": 3 }, - "id": "V-63601" + "id": "V-63679" }, { - "title": "The Back up files and directories user right must only be assigned to\n the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Back up files and directories\" user right can\n circumvent file and directory permissions and could 
allow access to sensitive\n data.", + "title": "The Create a pagefile user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create a pagefile\" user right can change the size of a\n pagefile, which could affect system performance.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Back up files and directories\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Back up\n files and directories\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Back up files and directories\" to only include the following groups or\n accounts:\n\n Administrators" + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create a pagefile\" user right can change the size of a\n pagefile, which could affect system performance.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Create a\n pagefile\" user right, this is a finding:\n\n 
Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create a pagefile\" to only include the following groups or accounts:\n\n Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000030", - "gid": "V-63853", - "rid": "SV-78343r1_rule", - "stig_id": "WN10-UR-000030", - "fix_id": "F-69781r1_fix", + "gtitle": "WN10-UR-000040", + "gid": "V-63857", + "rid": "SV-78347r1_rule", + "stig_id": "WN10-UR-000040", + "fix_id": "F-69785r1_fix", "cci": [ "CCI-002235" ], 
@@ -4445,35 +4433,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63853' do\n title \"The Back up files and directories user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Back up files and directories\\\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000030'\n tag gid: 'V-63853'\n tag rid: 'SV-78343r1_rule'\n tag stig_id: 'WN10-UR-000030'\n tag fix_id: 'F-69781r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Back up\n files and directories\\\" user right, this is a finding:\n\n Administrators\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Back up files and directories\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeBackupPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63857' do\n title \"The Create a pagefile user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user 
rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Create a pagefile\\\" user right can change the size of a\n pagefile, which could affect system performance.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000040'\n tag gid: 'V-63857'\n tag rid: 'SV-78347r1_rule'\n tag stig_id: 'WN10-UR-000040'\n tag fix_id: 'F-69785r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Create a\n pagefile\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create a pagefile\\\" to only include the following groups or accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeCreatePagefilePrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63853.rb", + "ref": "./Windows 10 STIG/controls/V-63857.rb", "line": 3 }, - "id": "V-63853" + "id": "V-63857" }, { - "title": "Remote Desktop Services must always prompt a client for passwords upon\n connection.", - "desc": "This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. 
Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.", + "title": "Outgoing secure channel traffic must be encrypted or signed.", + "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.", "descriptions": { - "default": "This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fPromptForPassword\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> \"Always prompt for password upon\n connection\" to \"Enabled\"." + "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. 
If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Digitally encrypt or sign secure channel data (always)\" to\n \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000280", - "gid": "V-63733", - "rid": "SV-78223r1_rule", - "stig_id": "WN10-CC-000280", - "fix_id": "F-69661r1_fix", + "gtitle": "WN10-SO-000035", + "gid": "V-63639", + "rid": "SV-78129r1_rule", + "stig_id": "WN10-SO-000035", + "fix_id": "F-69567r1_fix", "cci": [ - "CCI-002038" + "CCI-002418", + "CCI-002421" ], "nist": [ - "IA-11", + "SC-8", + "SC-8 (1)", "Rev_4" ], "false_negatives": null, 
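Review bot: `its('SeCreatePagefilePrivilege') { should eq ['S-1-5-32-544'] }` in the new V-63857 code is stricter than the check text it carries: the text makes a finding only when an account other than Administrators holds the right, but `eq` against a one-element array also fails when the right is assigned to nobody, and it is order-sensitive should the resource ever return more than one SID. If the intent is to follow the STIG wording, `its('SeCreatePagefilePrivilege') { should be_in ['S-1-5-32-544'] }` states "no SID outside this list" directly; if the stricter reading is deliberate, a one-line comment above the `describe security_policy` block saying so would stop the next reader from loosening it. The removed V-63853 code used the same `eq` pattern, so this is inherited rather than introduced here, and since this JSON looks like an export the change belongs in `./Windows 10 STIG/controls/V-63857.rb` with the hunk regenerated.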
@@ -4487,35 +4477,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63733' do\n title \"Remote Desktop Services must always prompt a client for passwords upon\n connection.\"\n desc \"This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000280'\n tag gid: 'V-63733'\n tag rid: 'SV-78223r1_rule'\n tag stig_id: 'WN10-CC-000280'\n tag fix_id: 'F-69661r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fPromptForPassword\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> \\\"Always prompt for password upon\n connection\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'fPromptForPassword' }\n its('fPromptForPassword') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63639' do\n title 'Outgoing secure channel traffic must be encrypted or signed.'\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n 
information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000035'\n tag gid: 'V-63639'\n tag rid: 'SV-78129r1_rule'\n tag stig_id: 'WN10-SO-000035'\n tag fix_id: 'F-69567r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Digitally encrypt or sign secure channel data (always)\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'RequireSignOrSeal' }\n its('RequireSignOrSeal') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63733.rb", + "ref": "./Windows 10 STIG/controls/V-63639.rb", "line": 3 }, - "id": "V-63733" + "id": "V-63639" }, { - "title": "Passwords must not be saved in the Remote Desktop Client.", - "desc": "Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. 
The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for iexplore.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: DisablePasswordSaving\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Connection Client >> \"Do not allow passwords to be saved\" to\n \"Enabled\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name iexplore.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for iexplore.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000270", - "gid": "V-63729", - "rid": "SV-78219r1_rule", - "stig_id": "WN10-CC-000270", - "fix_id": "F-69657r1_fix", + "gtitle": "WN10-EP-000140", + "gid": "V-77217", + "rid": "SV-91913r3_rule", + "stig_id": "WN10-EP-000140", + "fix_id": "F-84347r4_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -4529,30 +4519,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63729' do\n title 'Passwords must not be saved in the Remote Desktop Client.'\n desc \"Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000270'\n tag gid: 'V-63729'\n tag rid: 'SV-78219r1_rule'\n tag stig_id: 'WN10-CC-000270'\n tag fix_id: 'F-69657r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: DisablePasswordSaving\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Connection Client >> \\\"Do not allow passwords to be saved\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'DisablePasswordSaving' }\n its('DisablePasswordSaving') { should cmp 1 }\n end\nend\n", + "code": "control 'V-77217' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for iexplore.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against 
potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000140'\n tag gid: 'V-77217'\n tag rid: 'SV-91913r3_rule'\n tag stig_id: 'WN10-EP-000140'\n tag fix_id: 'F-84347r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name iexplore.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for iexplore.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name iexplore.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Internet Explorer' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name iexplore.exe| Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Internet Explorer' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name iexplore.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Internet Explorer' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63729.rb", + "ref": "./Windows 10 STIG/controls/V-77217.rb", "line": 3 }, - "id": "V-63729" + "id": "V-77217" }, { - "title": "Windows 10 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.", - "desc": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. 
Several mitigations, including\n \"Validate exception chains (SEHOP)\", are enabled by default at the system\n level. SEHOP (structured exception handling overwrite protection) ensures the\n integrity of an exception chain during exception dispatch. If this is turned\n off, Windows 10 may be subject to various exploits.", + "title": "The default permissions of global system objects must be increased.", + "desc": "Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default DACL that specifies who can access the objects with what\n permissions. If this policy is enabled, the default DACL is stronger, allowing\n non-admin users to read shared objects, but not modify shared objects that they\n did not create.", "descriptions": { - "default": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Validate exception chains (SEHOP)\", are enabled by default at the system\n level. SEHOP (structured exception handling overwrite protection) ensures the\n integrity of an exception chain during exception dispatch. If this is turned\n off, Windows 10 may be subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which\n meets this requirement. The PowerShell query results for this show as\n \"NOTSET\".\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -System\".\n\n If the status of \"SEHOP: Enable\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Validate\n exception chains (SEHOP)\", is turned on. 
The default configuration in Exploit\n Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n\n Select \"App & browser control\".\n\n Select \"Exploit protection settings\".\n\n Under \"System settings\", configure \"Validate exception chains (SEHOP)\" to\n \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn SEHOP on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default DACL that specifies who can access the objects with what\n permissions. 
If this policy is enabled, the default DACL is stronger, allowing\n non-admin users to read shared objects, but not modify shared objects that they\n did not create.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"System\n objects: Strengthen default permissions of internal system objects (e.g.\n Symbolic links)\" to \"Enabled\"." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-EP-000050", - "gid": "V-77101", - "rid": "SV-91797r3_rule", - "stig_id": "WN10-EP-000050", - "fix_id": "F-86723r2_fix", + "severity": "low", + "gtitle": "WN10-SO-000240", + "gid": "V-63815", + "rid": "SV-78305r1_rule", + "stig_id": "WN10-SO-000240", + "fix_id": "F-69743r1_fix", "cci": [ "CCI-000366" ], 
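Review bot: Every mitigation check in the new V-77217 code is a negative assertion (`should_not eq 'true'`, `should_not eq '2'`) on values parsed from `ConvertTo-Json`, so each passes vacuously when the key is absent or when the value is a JSON boolean or integer rather than the string it is compared to; if `Select DEP | ConvertTo-Json` nests the fields under a `DEP` key, as it appears to, none of these asserts ever examines a mitigation. Positive `cmp` assertions such as `its(['OverrideDEP']) { should cmp false }`, or descending into the nested object first, would turn a missing or mis-shaped result into a failure instead of a pass. The `ForceRelocateImages` check against `'2'` (presumably the serialized OFF value) also accepts NOTSET, whereas the check text requires ON, and the describe label names "BottomUp" although nothing asserts it; if accepting the default is deliberate, say so in a comment. The guard `if input('sensitive_system') == 'true' || nil` carries a dead `|| nil` operand and reduces to `if input('sensitive_system') == 'true'`. The same assertion shape appears in the V-77101 code in the next hunk, which runs past the end of this view, and since the JSON looks like an export the fix belongs in `./Windows 10 STIG/controls/V-77217.rb` with the hunk regenerated.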
@@ -4571,35 +4561,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77101' do\n title 'Windows 10 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.'\n desc \"Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \\\"Validate exception chains (SEHOP)\\\", are enabled by default at the system\n level. SEHOP (structured exception handling overwrite protection) ensures the\n integrity of an exception chain during exception dispatch. If this is turned\n off, Windows 10 may be subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000050'\n tag gid: 'V-77101'\n tag rid: 'SV-91797r3_rule'\n tag stig_id: 'WN10-EP-000050'\n tag fix_id: 'F-86723r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which\n meets this requirement. The PowerShell query results for this show as\n \\\"NOTSET\\\".\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -System\\\".\n\n If the status of \\\"SEHOP: Enable\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n\n desc 'fix', \"Ensure Exploit Protection system-level mitigation, \\\"Validate\n exception chains (SEHOP)\\\", is turned on. 
The default configuration in Exploit\n Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n\n Select \\\"App & browser control\\\".\n\n Select \\\"Exploit protection settings\\\".\n\n Under \\\"System settings\\\", configure \\\"Validate exception chains (SEHOP)\\\" to\n \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn SEHOP on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n sehop = json( command: 'Get-ProcessMitigation -System | Select SEHOP | ConvertTo-Json').params\n describe 'SEHOP is required to be enabled on System' do\n subject { sehop }\n its(['Enable']) { should_not eq '2' }\n end\n end\nend", + "code": "control 'V-63815' do\n title 'The default permissions of global system objects must be increased.'\n desc \"Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default DACL that specifies who can access the objects with what\n permissions. If this policy is enabled, the default DACL is stronger, allowing\n non-admin users to read shared objects, but not modify shared objects that they\n did not create.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000240'\n tag gid: 'V-63815'\n tag rid: 'SV-78305r1_rule'\n tag stig_id: 'WN10-SO-000240'\n tag fix_id: 'F-69743r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"System\n objects: Strengthen default permissions of internal system objects (e.g.\n Symbolic links)\\\" to \\\"Enabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager') do\n it { should have_property 'ProtectionMode' }\n its('ProtectionMode') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77101.rb", + "ref": "./Windows 10 STIG/controls/V-63815.rb", "line": 3 }, - "id": "V-77101" + "id": "V-63815" }, { - "title": "Unauthenticated RPC clients must be restricted from connecting to the\n RPC server.", - "desc": "Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.", + "title": "The computer account password must not be prevented from being reset.", + "desc": "Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more\n vulnerable to malicious access. Frequent password changes can be a significant\n safeguard for your system. A new password for the computer account will be\n generated every 30 days.", "descriptions": { - "default": "Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc\\\n\n Value Name: RestrictRemoteClients\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Procedure Call >> \"Restrict\n Unauthenticated RPC clients\" to \"Enabled\" and \"Authenticated\"." + "default": "Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more\n vulnerable to malicious access. Frequent password changes can be a significant\n safeguard for your system. 
A new password for the computer account will be\n generated every 30 days.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Disable machine account password changes\" to \"Disabled\"." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000165", - "gid": "V-63657", - "rid": "SV-78147r1_rule", - "stig_id": "WN10-CC-000165", - "fix_id": "F-69585r1_fix", + "severity": "low", + "gtitle": "WN10-SO-000050", + "gid": "V-63653", + "rid": "SV-78143r1_rule", + "stig_id": "WN10-SO-000050", + "fix_id": "F-69885r1_fix", "cci": [ - "CCI-001967" + "CCI-000366" ], "nist": [ - "IA-3 (1)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
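Review bot: This hunk does not edit V-63815 so much as substitute it for V-77101 wholesale (title, descriptions, tags, code and source_location all change together), and the neighbouring hunks do the same with other unrelated pairs, which reads as the controls array having been re-serialised in a different order rather than any control being changed. If that is what happened, a stable ordering before writing the file (for example sorting the array by `id`) would keep future diffs reviewable, since the new-side code of V-63815 appears unchanged from what it is elsewhere in the profile and I can only infer that from the hunk. The V-63815 check itself (`have_property 'ProtectionMode'` and `should cmp 1`) matches its `desc "check"` text.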
@@ -4613,35 +4603,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63657' do\n title \"Unauthenticated RPC clients must be restricted from connecting to the\n RPC server.\"\n desc \"Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000165'\n tag gid: 'V-63657'\n tag rid: 'SV-78147r1_rule'\n tag stig_id: 'WN10-CC-000165'\n tag fix_id: 'F-69585r1_fix'\n tag cci: ['CCI-001967']\n tag nist: ['IA-3 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\\n\n Value Name: RestrictRemoteClients\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Procedure Call >> \\\"Restrict\n Unauthenticated RPC clients\\\" to \\\"Enabled\\\" and \\\"Authenticated\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc') do\n it { should have_property 'RestrictRemoteClients' }\n its('RestrictRemoteClients') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63653' do\n title 'The computer account password must not be prevented from being reset.'\n desc \"Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more\n vulnerable to malicious access. 
Frequent password changes can be a significant\n safeguard for your system. A new password for the computer account will be\n generated every 30 days.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000050'\n tag gid: 'V-63653'\n tag rid: 'SV-78143r1_rule'\n tag stig_id: 'WN10-SO-000050'\n tag fix_id: 'F-69885r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Disable machine account password changes\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'DisablePasswordChange' }\n its('DisablePasswordChange') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63657.rb", + "ref": "./Windows 10 STIG/controls/V-63653.rb", "line": 3 }, - "id": "V-63657" + "id": "V-63653" }, { - "title": "The system must be configured to prevent anonymous users from having\n the same rights as the Everyone group.", - "desc": "Access by anonymous users must be restricted. If this setting is\n enabled, then anonymous users have the same rights and permissions as the\n built-in Everyone group. 
Anonymous users must not have these permissions or\n rights.", + "title": "Windows 10 must be configured to audit Object Access - File Share failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.", "descriptions": { - "default": "Access by anonymous users must be restricted. If this setting is\n enabled, then anonymous users have the same rights and permissions as the\n built-in Everyone group. Anonymous users must not have these permissions or\n rights.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Let Everyone permissions apply to anonymous users\" to\n \"Disabled\"." - }, + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\"Run as\n Administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> File Share - Failure\n\n If the system does not audit the above, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit File Share\" with \"Failure\"\n selected." + }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000160", - "gid": "V-63755", - "rid": "SV-78245r1_rule", - "stig_id": "WN10-SO-000160", - "fix_id": "F-69683r1_fix", + "gtitle": "WN10-AU-000081", + "gid": "V-75027", + "rid": "SV-89701r1_rule", + "stig_id": "WN10-AU-000081", + "fix_id": "F-81643r1_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
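Review bot: The V-63653 control's description says a new machine-account password is generated every 30 days, but the `describe registry_key(...Netlogon\Parameters)` block only asserts `DisablePasswordChange` is 0; the rotation interval is not verified here and nothing in the code indicates that it is. To avoid a reader assuming this control covers the interval, add a comment above the `describe` such as `# Only the disable flag is asserted; the 30-day rotation interval in the description is not checked by this control.`. The surrounding hunk also replaces the old V-63755 descriptions with V-75027's, whose code lands in the next hunk.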
@@ -4655,35 +4645,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63755' do\n title \"The system must be configured to prevent anonymous users from having\n the same rights as the Everyone group.\"\n desc \"Access by anonymous users must be restricted. If this setting is\n enabled, then anonymous users have the same rights and permissions as the\n built-in Everyone group. Anonymous users must not have these permissions or\n rights.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000160'\n tag gid: 'V-63755'\n tag rid: 'SV-78245r1_rule'\n tag stig_id: 'WN10-SO-000160'\n tag fix_id: 'F-69683r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Let Everyone permissions apply to anonymous users\\\" to\n \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'EveryoneIncludesAnonymous' }\n its('EveryoneIncludesAnonymous') { should cmp 0 }\n end\nend\n", + "code": "control 'V-75027' do\n title 'Windows 10 must be configured to audit Object Access - File Share failures.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, 
troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000081'\n tag gid: 'V-75027'\n tag rid: 'SV-89701r1_rule'\n tag stig_id: 'WN10-AU-000081'\n tag fix_id: 'F-81643r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\\\"Run as\n Administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> File Share - Failure\n\n If the system does not audit the above, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit File Share\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('File Share') { should eq 
'Failure' }\n end\n describe audit_policy do\n its('File Share') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63755.rb", + "ref": "./Windows 10 STIG/controls/V-75027.rb", "line": 3 }, - "id": "V-63755" + "id": "V-75027" }, { - "title": "The Security event log size must be configured to 1024000 KB or\n greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "title": "IPv6 source routing must be configured to highest protection.", + "desc": "Configuring the system to disable IPv6 source routing protects against\n spoofing.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", - "check": "If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x000fa000 (1024000) (or greater)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> Security\n >> \"Specify the maximum log file size (KB)\" to \"Enabled\" with a \"Maximum\n Log Size (KB)\" of \"1024000\" or greater.\n\n If the system is configured to send audit records directly to an audit server,\n documented with the ISSO." 
+ "default": "Configuring the system to disable IPv6 source routing protects against\n spoofing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\\n\n Value Name: DisableIpSourceRouting\n\n Value Type: REG_DWORD\n Value: 2", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (DisableIPSourceRouting\n IPv6) IP source routing protection level (protects against packet spoofing)\"\n to \"Highest protection, source routing is completely disabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \"MSS-Legacy.admx\" and \"\n MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000505", - "gid": "V-63523", - "rid": "SV-78013r2_rule", - "stig_id": "WN10-AU-000505", - "fix_id": "F-86735r1_fix", + "gtitle": "WN10-CC-000020", + "gid": "V-63555", + "rid": "SV-78045r1_rule", + "stig_id": "WN10-CC-000020", + "fix_id": "F-69485r1_fix", "cci": [ - "CCI-001849" + "CCI-000366" ], "nist": [ - "AU-4", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
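Review bot: V-75027's `desc "check"` states the subcategory setting is only effective when WN10-SO-000030 (force subcategory override) is Enabled, but the `describe.one` on `audit_policy` reads the File Share subcategory alone, so a host with legacy category policy still in control can pass this check while not actually auditing share failures. That prerequisite is a separate control, so I would not re-check it here, but a comment on the `describe.one` would make the dependency explicit, e.g. `# Effective only when WN10-SO-000030 (subcategory override) is enabled; that is verified by its own control.`. As a minor style point, the two-branch `describe.one` (`eq 'Failure'` / `eq 'Success and Failure'`) could be a single `its('File Share') { should match(/Failure/) }`, which accepts exactly the same two values.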
@@ -4697,35 +4687,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63523' do\n title \"The Security event log size must be configured to 1024000 KB or\n greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000505'\n tag gid: 'V-63523'\n tag rid: 'SV-78013r2_rule'\n tag stig_id: 'WN10-AU-000505'\n tag fix_id: 'F-86735r1_fix'\n tag cci: ['CCI-001849']\n tag nist: %w[AU-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"If the system is configured to send audit records directly to an\n audit server, this is NA. 
This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Security\\\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x000fa000 (1024000) (or greater)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> Security\n >> \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum\n Log Size (KB)\\\" of \\\"1024000\\\" or greater.\n\n If the system is configured to send audit records directly to an audit server,\n documented with the ISSO.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 1_024_000 }\n end\nend\n", + "code": "control 'V-63555' do\n title 'IPv6 source routing must be configured to highest protection.'\n desc \"Configuring the system to disable IPv6 source routing protects against\n spoofing.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000020'\n tag gid: 'V-63555'\n tag rid: 'SV-78045r1_rule'\n tag stig_id: 'WN10-CC-000020'\n tag fix_id: 'F-69485r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters\\\\\n\n Value Name: 
DisableIpSourceRouting\n\n Value Type: REG_DWORD\n Value: 2\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (DisableIPSourceRouting\n IPv6) IP source routing protection level (protects against packet spoofing)\\\"\n to \\\"Highest protection, source routing is completely disabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \\\"MSS-Legacy.admx\\\" and \\\"\n MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63523.rb", + "ref": "./Windows 10 STIG/controls/V-63555.rb", "line": 3 }, - "id": "V-63523" + "id": "V-63555" }, { - "title": "Unused accounts must be disabled or removed from the system after\n 35 days of inactivity.", - "desc": "Outdated or unused accounts provide penetration points that may go\n undetected. Inactive accounts must be deleted if no longer necessary or, if\n still required, disable until needed.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for\n PPTVIEW.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Outdated or unused accounts provide penetration points that may go\n undetected. 
Inactive accounts must be deleted if no longer necessary or, if\n still required, disable until needed.", - "check": "Run \"PowerShell\".\n Copy the lines below to the PowerShell window and enter.\n\n \"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\"\n\n This will return a list of local accounts with the account name, last logon,\n and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n\n Review the list to determine the finding validity for each account reported.\n\n Exclude the following accounts:\n Built-in administrator account (Disabled, SID ending in 500)\n Built-in guest account (Disabled, SID ending in 501)\n Built-in DefaultAccount (Disabled, SID ending in 503)\n Local administrator account\n\n If any enabled accounts have not been logged on to within the past 35 days,\n this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be\n documented with the ISSO.", - "fix": "Regularly review local accounts and verify their necessity.\n Disable or delete any active accounts that have not been used in\n the last 35 days." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name PPTVIEW.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for PPTVIEW.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-00-000065", - "gid": "V-63359", - "rid": "SV-77849r1_rule", - "stig_id": "WN10-00-000065", - "fix_id": "F-69279r1_fix", + "severity": "medium", + "gtitle": "WN10-EP-000250", + "gid": "V-77249", + "rid": "SV-91945r3_rule", + "stig_id": "WN10-EP-000250", + "fix_id": "F-84505r4_fix", "cci": [ - "CCI-000795" + "CCI-000366" ], "nist": [ - "IA-4 e", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
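Review bot: In V-63555 the InSpec code looks up the value as `DisableIPSourceRouting` under `HKEY_LOCAL_MACHINE\System\...`, while the control's own `desc "check"` text names it `DisableIpSourceRouting` under `\SYSTEM\...`. The Windows registry is case-insensitive and I believe InSpec's `registry_key` resource normalises property names as well, so the check most likely works, but the two spellings in one control will confuse whoever next reconciles the code against the STIG text. Either spell the value name identically in the check text and the `describe` block, or add a one-line note above the `describe` such as `# Value name case differs from the STIG text; registry names are case-insensitive.`. The new V-77249 (PPTVIEW.EXE) descriptions at the end of this hunk have their code in the following hunk, which is cut off here.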
@@ -4739,35 +4729,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63359' do\n title \"Unused accounts must be disabled or removed from the system after\n #{input('max_inactive_days')} days of inactivity.\"\n desc \"Outdated or unused accounts provide penetration points that may go\n undetected. Inactive accounts must be deleted if no longer necessary or, if\n still required, disable until needed.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-00-000065'\n tag gid: 'V-63359'\n tag rid: 'SV-77849r1_rule'\n tag stig_id: 'WN10-00-000065'\n tag fix_id: 'F-69279r1_fix'\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"PowerShell\\\".\n Copy the lines below to the PowerShell window and enter.\n\n \\\"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\\\"\n\n This will return a list of local accounts with the account name, last logon,\n and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n\n Review the list to determine the finding validity for each account reported.\n\n Exclude the following accounts:\n Built-in administrator account (Disabled, SID ending in 500)\n Built-in guest account (Disabled, SID ending in 501)\n Built-in DefaultAccount (Disabled, SID ending in 503)\n Local administrator account\n\n If any enabled accounts have not been logged on to within the past 35 days,\n 
this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be\n documented with the ISSO.\"\n\n desc \"fix\", \"Regularly review local accounts and verify their necessity.\n Disable or delete any active accounts that have not been used in\n the last #{input('max_inactive_days')} days.\"\n\n # userList = users.where { uid !~ /S\\-1\\-5\\-21\\-\\d+\\-\\d+\\-\\d+\\-50[0-3]/ }\n # PR submitted to return the last logon property via users.\n # https://github.com/inspec/inspec/issues/4723\n\n users = command(\"Get-CimInstance -Class Win32_Useraccount -Filter 'LocalAccount=True and Disabled=False' | FT Name | Findstr /V 'Name --'\").stdout.strip.split(' ')\n\n get_sids = []\n get_names = []\n names = []\n inactive_accounts = []\n\n unless users.empty?\n users.each do |user|\n get_sids = command(\"wmic useraccount where \\\"Name='#{user}'\\\" get name',' sid| Findstr /v SID\").stdout.strip\n get_last = get_sids[get_sids.length - 3, 3]\n\n loc_space = get_sids.index(' ')\n names = get_sids[0, loc_space]\n if get_last != '500' && get_last != '501' && get_last != '503'\n get_names.push(names)\n end\n end\n end\n\n unless get_names.empty?\n get_names.each do |user|\n get_last_logon = command(\"Net User #{user} | Findstr /i 'Last Logon' | Findstr /v 'Password script hours'\").stdout.strip\n last_logon = get_last_logon[29..33]\n if last_logon != 'Never'\n month = get_last_logon[28..29]\n day = get_last_logon[31..32]\n year = get_last_logon[34..37]\n\n if get_last_logon[32] == '/'\n month = get_last_logon[28..29]\n day = get_last_logon[31]\n year = get_last_logon[33..37]\n end\n date = day + '/' + month + '/' + year\n\n date_last_logged_on = DateTime.now.mjd - DateTime.parse(date).mjd\n if date_last_logged_on > input('max_inactive_days')\n inactive_accounts.push(user)\n end\n\n unless inactive_accounts.empty?\n describe \"#{user}'s last logon\" do\n describe date_last_logged_on do\n it { should be <= input('max_inactive_days') }\n end\n end\n 
end\n end\n\n next if inactive_accounts.empty?\n\n next unless last_logon == 'Never'\n\n date_last_logged_on = 'Never'\n describe \"#{user}'s last logon\" do\n describe date_last_logged_on do\n it { should_not == 'Never' }\n end\n end\n end\n end\n\n if inactive_accounts.empty?\n impact 0.0\n describe 'The system does not have any inactive accounts, control is NA' do\n skip 'The system does not have any inactive accounts, controls is NA'\n end\n end\nend\n", + "code": "control 'V-77249' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n PPTVIEW.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000250'\n tag gid: 'V-77249'\n tag rid: 'SV-91945r3_rule'\n tag stig_id: 'WN10-EP-000250'\n tag fix_id: 'F-84505r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name PPTVIEW.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n 
OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for PPTVIEW.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name PPTVIEW.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office PowerPoint Viewer' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name PPTVIEW.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office PowerPoint Viewer' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name PPTVIEW.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office PowerPoint Viewer' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end \n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63359.rb", + "ref": "./Windows 10 STIG/controls/V-77249.rb", "line": 3 }, - "id": "V-63359" + "id": "V-77249" }, { - "title": "Insecure logons to an SMB server must be disabled.", - "desc": "Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.", + "title": "The Windows PowerShell 2.0 feature must be disabled on the 
system.", + "desc": "Windows PowerShell 5.0 added advanced logging features which can\n provide additional detail when malware has been run on a system. Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.", "descriptions": { - "default": "Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.", - "check": "Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Lanman Workstation >> \"Enable insecure\n guest logons\" to \"Disabled\"." + "default": "Windows PowerShell 5.0 added advanced logging features which can\n provide additional detail when malware has been run on a system. 
Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.", + "check": "Run \"Windows PowerShell\" with elevated privileges (run as\n administrator).\n\n Enter the following:\n Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2*\n\n If either of the following have a \"State\" of \"Enabled\", this is a finding.\n\n FeatureName : MicrosoftWindowsPowerShellV2\n State : Enabled\n FeatureName : MicrosoftWindowsPowerShellV2Root\n State : Enabled\n\n Alternately:\n Search for \"Features\".\n\n Select \"Turn Windows features on or off\".\n\n If \"Windows PowerShell 2.0\" (whether the subcategory of \"Windows PowerShell\n 2.0 Engine\" is selected or not) is selected, this is a finding.", + "fix": "Disable \"Windows PowerShell 2.0\" on the system.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter the following:\n Disable-WindowsOptionalFeature -Online -FeatureName\n MicrosoftWindowsPowerShellV2Root\n\n This command should disable both \"MicrosoftWindowsPowerShellV2Root\" and\n \"MicrosoftWindowsPowerShellV2\" which correspond to \"Windows PowerShell 2.0\"\n and \"Windows PowerShell 2.0 Engine\" respectively in \"Turn Windows features\n on or off\".\n\n Alternately:\n Search for \"Features\".\n Select \"Turn Windows features on or off\".\n De-select \"Windows PowerShell 2.0\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000040", - "gid": "V-63569", - "rid": "SV-78059r2_rule", - "stig_id": "WN10-CC-000040", - "fix_id": "F-69499r2_fix", + "gtitle": "WN10-00-000155", + "gid": "V-70637", + "rid": "SV-85259r2_rule", + "stig_id": "WN10-00-000155", + "fix_id": "F-76869r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
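Review bot: In the new V-77249 `code` string the NA guard `if input('sensitive_system') == 'true' || nil` carries a no-op — `|| nil` is always falsy, so the line reduces to `if input('sensitive_system') == 'true'` and should be written that way (or compare the input as a boolean). The more serious problem is that the mitigation assertions compare against string literals (`should_not eq 'true'`, `should_not eq '2'`) while `ConvertTo-Json` emits JSON booleans and numbers; if the `json` resource hands back Ruby `true`/`false` and integers, `eq 'true'` can never match and every one of these tests passes regardless of the actual Exploit Protection state. Use a type-tolerant matcher and pin the required value instead of excluding one, e.g. `its(['OverrideDEP']) { should cmp false }`, and confirm which enum value `ForceRelocateImages` reports for ON before hard-coding `'2'`. Note also that `ReleaseId < '1709'` is a lexicographic string comparison; it happens to order four-digit release IDs correctly but is fragile and deserves a comment. The V-77249 control object itself begins in the preceding hunk.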
@@ -4781,35 +4771,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63569' do\n title 'Insecure logons to an SMB server must be disabled.'\n desc \"Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000040'\n tag gid: 'V-63569'\n tag rid: 'SV-78059r2_rule'\n tag stig_id: 'WN10-CC-000040'\n tag fix_id: 'F-69499r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\LanmanWorkstation\\\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Lanman Workstation >> \\\"Enable insecure\n guest logons\\\" to \\\"Disabled\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId == '1507'\n impact 0.0\n describe 'This setting requires v1507 does not include this setting; it is NA for version.' 
do\n skip 'This setting requires v1507 does not include this setting; it is NA for version.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation') do\n it { should have_property 'AllowInsecureGuestAuth' }\n its('AllowInsecureGuestAuth') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-70637' do\n title 'The Windows PowerShell 2.0 feature must be disabled on the system.'\n desc \"Windows PowerShell 5.0 added advanced logging features which can\n provide additional detail when malware has been run on a system. Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000155'\n tag gid: 'V-70637'\n tag rid: 'SV-85259r2_rule'\n tag stig_id: 'WN10-00-000155'\n tag fix_id: 'F-76869r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Run \\\"Windows PowerShell\\\" with elevated privileges (run as\n administrator).\n\n Enter the following:\n Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2*\n\n If either of the following have a \\\"State\\\" of \\\"Enabled\\\", this is a finding.\n\n FeatureName : MicrosoftWindowsPowerShellV2\n State : Enabled\n FeatureName : MicrosoftWindowsPowerShellV2Root\n State : Enabled\n\n Alternately:\n Search for \\\"Features\\\".\n\n Select \\\"Turn Windows features on or off\\\".\n\n If \\\"Windows PowerShell 2.0\\\" (whether the subcategory of \\\"Windows PowerShell\n 2.0 Engine\\\" is selected or not) is selected, this is a finding.\"\n desc \"fix\", \"Disable \\\"Windows PowerShell 
2.0\\\" on the system.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter the following:\n Disable-WindowsOptionalFeature -Online -FeatureName\n MicrosoftWindowsPowerShellV2Root\n\n This command should disable both \\\"MicrosoftWindowsPowerShellV2Root\\\" and\n \\\"MicrosoftWindowsPowerShellV2\\\" which correspond to \\\"Windows PowerShell 2.0\\\"\n and \\\"Windows PowerShell 2.0 Engine\\\" respectively in \\\"Turn Windows features\n on or off\\\".\n\n Alternately:\n Search for \\\"Features\\\".\n Select \\\"Turn Windows features on or off\\\".\n De-select \\\"Windows PowerShell 2.0\\\".\"\n\n powershellv2 = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq MicrosoftWindowsPowerShellV2 | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params\n powershellv2root = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq MicrosoftWindowsPowerShellV2Root | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params \n\n describe 'Feature Name MicrosoftWindowsPowerShellV2 should not be Enabled' do\n subject { powershellv2 }\n its(['State']) { should_not eq \"Enabled\" }\n end\n describe 'Feature Name MicrosoftWindowsPowerShellV2Root should not be Enabled' do\n subject { powershellv2root }\n its(['State']) { should_not eq \"Enabled\" }\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63569.rb", + "ref": "./Windows 10 STIG/controls/V-70637.rb", "line": 3 }, - "id": "V-63569" + "id": "V-70637" }, { - "title": "Users must be prevented from changing installation options.", - "desc": "Installation options for applications are typically controlled by\n administrators. 
This setting prevents users from changing installation options\n that may bypass security features.", + "title": "The system must be configured to audit Account Logon - Credential\n Validation successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.", "descriptions": { - "default": "Installation options for applications are typically controlled by\n administrators. This setting prevents users from changing installation options\n that may bypass security features.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: EnableUserControl\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> \"Allow\n user control over installs\" to \"Disabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Account Logon >> Credential Validation - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> \"Audit Credential Validation\" with\n \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000310", - "gid": "V-63321", - "rid": "SV-77811r1_rule", - "stig_id": "WN10-CC-000310", - "fix_id": "F-69239r1_fix", + "gtitle": "WN10-AU-000010", + "gid": "V-63435", + "rid": "SV-77925r1_rule", + "stig_id": "WN10-AU-000010", + "fix_id": "F-69363r1_fix", "cci": [ - "CCI-001812" + "CCI-000172" ], "nist": [ - "CM-11 (2)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
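Review bot: In the new V-70637 `code` string an empty query result silently passes: each `json(command: ...)` lookup is followed only by `its(['State']) { should_not eq "Enabled" }`, so if `Get-WindowsOptionalFeature` returns nothing — it requires elevation, as the check text itself states, or the `Where FeatureName -eq ...` filter matches no feature — there is no `State` key, `nil` is not equal to `"Enabled"`, and the control reports compliant without having observed the feature. Add a presence assertion to each describe, e.g. `its(['FeatureName']) { should eq 'MicrosoftWindowsPowerShellV2' }` and the `MicrosoftWindowsPowerShellV2Root` counterpart, so a missing or failed query fails rather than passes. The `ConvertTo-Csv | ConvertFrom-Csv` round-trip is presumably what turns `State` into a plain string so the `"Enabled"` comparison works; that is non-obvious and worth a one-line comment such as `# CSV round-trip stringifies the State enum so it can be compared to "Enabled"`.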
@@ -4823,35 +4813,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63321' do\n title 'Users must be prevented from changing installation options.'\n desc \"Installation options for applications are typically controlled by\n administrators. This setting prevents users from changing installation options\n that may bypass security features.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000310'\n tag gid: 'V-63321'\n tag rid: 'SV-77811r1_rule'\n tag stig_id: 'WN10-CC-000310'\n tag fix_id: 'F-69239r1_fix'\n tag cci: ['CCI-001812']\n tag nist: ['CM-11 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: EnableUserControl\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> \\\"Allow\n user control over installs\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'EnableUserControl' }\n its('EnableUserControl') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63435' do\n title \"The system must be configured to audit Account Logon - Credential\n Validation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000010'\n tag gid: 'V-63435'\n tag rid: 'SV-77925r1_rule'\n tag stig_id: 'WN10-AU-000010'\n tag fix_id: 'F-69363r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Logon >> Credential Validation - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63321.rb", + "ref": "./Windows 10 STIG/controls/V-63435.rb", "line": 3 }, - "id": "V-63321" + "id": "V-63435" }, { - "title": "The Access this computer from the network user right must only be\n assigned to the Administrators and Remote Desktop Users groups.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Access this computer from the network\" user right may\n access resources on the system, and must be limited to those that require it.", + "title": "Windows 10 must be configured to prevent certificate error overrides\n in Microsoft Edge.", + "desc": "Web security certificates provide an indication whether a site is\n legitimate. 
This policy setting prevents the user from ignoring Secure Sockets\n Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt\n browsing.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Access this computer from the network\" user right may\n access resources on the system, and must be limited to those that require it.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Access\n this computer from the network\" user right, this is a finding:\n\n Administrators\n Remote Desktop Users\n\n If a domain application account such as for a management tool requires this\n user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account, managed at the domain level, must meet requirements\n for application account passwords, such as length and frequency of changes as\n defined in the Windows server STIGs.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Access this computer from the network\" to only include the following groups\n or accounts:\n\n Administrators\n Remote Desktop Users" + "default": "Web security certificates provide an indication whether a site is\n legitimate. 
This policy setting prevents the user from ignoring Secure Sockets\n Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt\n browsing.", + "check": "This setting is applicable starting with v1809 of Windows 10; it\n is NA for prior versions.\n\n Windows 10 LTSC\\B versions do not include Microsoft Edge; this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet\n Settings\\\n\n Value Name: PreventCertErrorOverrides\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \"Prevent\n certificate error overrides\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000010", - "gid": "V-63845", - "rid": "SV-78335r3_rule", - "stig_id": "WN10-UR-000010", - "fix_id": "F-81289r1_fix", + "gtitle": "WN10-CC-000238", + "gid": "V-82139", + "rid": "SV-96853r1_rule", + "stig_id": "WN10-CC-000238", + "fix_id": "F-88993r1_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
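Review bot: Style point on the new V-63435 `code` string: the `describe.one` wrapping two `audit_policy` describes that differ only in the expected string is more compactly expressed as a single membership assertion, `describe audit_policy do` / `its('Credential Validation') { should be_in ['Success', 'Success and Failure'] }` / `end`, which also produces one failure message instead of two. Separately, the check text says WN10-SO-000030 (subcategory override) must be Enabled for this subcategory setting to be effective, but nothing in the code records that dependency; a comment such as `# Effective only when WN10-SO-000030 (subcategory override) is Enabled; that is asserted by its own control` would make the relationship visible to whoever triages a passing result on a host where the override is off. The V-63435 control object begins in the previous hunk, and the V-82139 object whose descriptions start here continues into the next.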
@@ -4865,35 +4855,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63845' do\n title \"The Access this computer from the network user right must only be\n assigned to the Administrators and Remote Desktop Users groups.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Access this computer from the network\\\" user right may\n access resources on the system, and must be limited to those that require it.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000010'\n tag gid: 'V-63845'\n tag rid: 'SV-78335r3_rule'\n tag stig_id: 'WN10-UR-000010'\n tag fix_id: 'F-81289r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Access\n this computer from the network\\\" user right, this is a finding:\n\n Administrators\n Remote Desktop Users\n\n If a domain application account such as for a management tool requires this\n user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account, managed at the domain level, must meet requirements\n for application account passwords, such as length and frequency of changes as\n defined in the Windows server STIGs.\"\n\n desc \"fix\", \"Configure the policy 
value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Access this computer from the network\\\" to only include the following groups\n or accounts:\n\n Administrators\n Remote Desktop Users\"\n\n describe security_policy do\n its('SeNetworkLogonRight') { should be_in ['S-1-5-32-544', 'S-1-5-32-555'] }\n end\nend\n", + "code": "control 'V-82139' do\n title \"Windows 10 must be configured to prevent certificate error overrides\n in Microsoft Edge.\"\n desc \"Web security certificates provide an indication whether a site is\n legitimate. This policy setting prevents the user from ignoring Secure Sockets\n Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt\n browsing.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000238'\n tag gid: 'V-82139'\n tag rid: 'SV-96853r1_rule'\n tag stig_id: 'WN10-CC-000238'\n tag fix_id: 'F-88993r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This setting is applicable starting with v1809 of Windows 10; it\n is NA for prior versions.\n\n Windows 10 LTSC\\\\B versions do not include Microsoft Edge; this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\Internet\n Settings\\\\\n\n Value Name: PreventCertErrorOverrides\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \\\"Prevent\n 
certificate error overrides\\\" to \\\"Enabled\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1809'\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings') do\n it { should have_property 'PreventCertErrorOverrides' }\n its('PreventCertErrorOverrides') { should cmp 1 }\n end\n else\n impact 0.0\n describe 'This setting is applicable starting with v1809 of Windows 10; it is NA for prior versions' do\n skip 'This setting is applicable starting with v1809 of Windows 10; it is NA for prior versions.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63845.rb", + "ref": "./Windows 10 STIG/controls/V-82139.rb", "line": 3 }, - "id": "V-63845" + "id": "V-82139" }, { - "title": "The system must be configured to ignore NetBIOS name release requests\n except from WINS servers.", - "desc": "Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the servers\n WINS resolution capability.", + "title": "The Modify firmware environment values user right must only be\n assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Modify firmware environment values\" user right can\n change hardware configuration environment variables. This could result in\n hardware failures or a DoS.", "descriptions": { - "default": "Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. 
The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the servers\n WINS resolution capability.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (NoNameReleaseOnDemand)\n Allow the computer to ignore NetBIOS name release requests except from WINS\n servers\" to \"Enabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \"MSS-Legacy.admx\" and \"\n MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Modify firmware environment values\" user right can\n change hardware configuration environment variables. 
This could result in\n hardware failures or a DoS.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Modify\n firmware environment values\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Modify firmware environment values\" to only include the following groups or\n accounts:\n\n Administrators" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-CC-000035", - "gid": "V-63567", - "rid": "SV-78057r1_rule", - "stig_id": "WN10-CC-000035", - "fix_id": "F-69497r1_fix", + "severity": "medium", + "gtitle": "WN10-UR-000140", + "gid": "V-63931", + "rid": "SV-78421r1_rule", + "stig_id": "WN10-UR-000140", + "fix_id": "F-69859r1_fix", "cci": [ - "CCI-002385" + "CCI-002235" ], "nist": [ - "SC-5", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
@@ -4907,35 +4897,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63567' do\n title \"The system must be configured to ignore NetBIOS name release requests\n except from WINS servers.\"\n desc \"Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the servers\n WINS resolution capability.\"\n\n impact 0.3\n\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000035'\n tag gid: 'V-63567'\n tag rid: 'SV-78057r1_rule'\n tag stig_id: 'WN10-CC-000035'\n tag fix_id: 'F-69497r1_fix'\n tag cci: ['CCI-002385']\n tag nist: %w[SC-5 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters\\\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (NoNameReleaseOnDemand)\n Allow the computer to ignore NetBIOS name release requests except from WINS\n servers\\\" to \\\"Enabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and \\\"\n MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netbt\\Parameters') do\n it { should have_property 'NoNameReleaseOnDemand' }\n its('NoNameReleaseOnDemand') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63931' do\n title \"The Modify firmware environment values user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Modify firmware environment values\\\" user right can\n change hardware configuration environment variables. This could result in\n hardware failures or a DoS.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000140'\n tag gid: 'V-63931'\n tag rid: 'SV-78421r1_rule'\n tag stig_id: 'WN10-UR-000140'\n tag fix_id: 'F-69859r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Modify\n firmware environment values\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Modify firmware 
environment values\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeSystemEnvironmentPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63567.rb", + "ref": "./Windows 10 STIG/controls/V-63931.rb", "line": 3 }, - "id": "V-63567" + "id": "V-63931" }, { - "title": "Camera access from the lock screen must be disabled.", - "desc": "Enabling camera access from the lock screen could allow for\n unauthorized use. Requiring logon will ensure the device is only used by\n authorized personnel.", + "title": "The Remote Desktop Session Host must require secure RPC\n communications.", + "desc": "Allowing unsecure RPC communication exposes the system to man in the\n middle attacks and data disclosure attacks. A man in the middle attack occurs\n when an intruder captures packets between a client and server and modifies them\n before allowing the packets to be exchanged. Usually the attacker will modify\n the information in the packets in an attempt to cause either the client or\n server to reveal sensitive information.", "descriptions": { - "default": "Enabling camera access from the lock screen could allow for\n unauthorized use. Requiring logon will ensure the device is only used by\n authorized personnel.", - "check": "If the device does not have a camera, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization\\\n\n Value Name: NoLockScreenCamera\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "If the device does not have a camera, this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Control Panel >> Personalization >> \"Prevent enabling lock screen\n camera\" to \"Enabled\"." 
+ "default": "Allowing unsecure RPC communication exposes the system to man in the\n middle attacks and data disclosure attacks. A man in the middle attack occurs\n when an intruder captures packets between a client and server and modifies them\n before allowing the packets to be exchanged. Usually the attacker will modify\n the information in the packets in an attempt to cause either the client or\n server to reveal sensitive information.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fEncryptRPCTraffic\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security \"Require secure RPC communication\" to\n \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000005", - "gid": "V-63545", - "rid": "SV-78035r1_rule", - "stig_id": "WN10-CC-000005", - "fix_id": "F-69475r1_fix", + "gtitle": "WN10-CC-000285", + "gid": "V-63737", + "rid": "SV-78227r1_rule", + "stig_id": "WN10-CC-000285", + "fix_id": "F-69665r1_fix", "cci": [ - "CCI-000381" + "CCI-001453" ], "nist": [ - "CM-7 a", + "AC-17 (2)", "Rev_4" ], "false_negatives": null, 
@@ -4949,43 +4939,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63545' do\n title 'Camera access from the lock screen must be disabled.'\n desc \"Enabling camera access from the lock screen could allow for\n unauthorized use. Requiring logon will ensure the device is only used by\n authorized personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000005'\n tag gid: 'V-63545'\n tag rid: 'SV-78035r1_rule'\n tag stig_id: 'WN10-CC-000005'\n tag fix_id: 'F-69475r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"If the device does not have a camera, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization\\\\\n\n Value Name: NoLockScreenCamera\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc 'fix', \"If the device does not have a camera, this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Control Panel >> Personalization >> \\\"Prevent enabling lock screen\n camera\\\" to \\\"Enabled\\\".\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63545.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63545.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization') do\n it { should have_property 'NoLockScreenCamera' }\n its('NoLockScreenCamera') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63737' do\n title \"The Remote Desktop Session Host must require secure RPC\n communications.\"\n desc \"Allowing unsecure RPC communication exposes the system to man in the\n middle attacks and data disclosure attacks. A man in the middle attack occurs\n when an intruder captures packets between a client and server and modifies them\n before allowing the packets to be exchanged. Usually the attacker will modify\n the information in the packets in an attempt to cause either the client or\n server to reveal sensitive information.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000285'\n tag gid: 'V-63737'\n tag rid: 'SV-78227r1_rule'\n tag stig_id: 'WN10-CC-000285'\n tag fix_id: 'F-69665r1_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fEncryptRPCTraffic\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security \\\"Require secure RPC communication\\\" to\n \\\"Enabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'fEncryptRPCTraffic' }\n its('fEncryptRPCTraffic') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63545.rb", + "ref": "./Windows 10 STIG/controls/V-63737.rb", "line": 3 }, - "id": "V-63545" + "id": "V-63737" }, { - "title": "The Manage auditing and security log user right must only be assigned\n to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Manage auditing and security log\" user right can\n manage the security log and change auditing configurations. This could be used\n to clear evidence of tampering.", + "title": "The password manager function in the Edge browser must be disabled.", + "desc": "Passwords save locally for re-use when browsing may be subject to\n compromise. Disabling the Edge password manager will prevent this for the\n browser.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Manage auditing and security log\" user right can\n manage the security log and change auditing configurations. 
This could be used\n to clear evidence of tampering.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Manage\n auditing and security log\" user right, this is a finding:\n\n Administrators\n\n If the organization has an \"Auditors\" group the assignment of this group to\n the user right would not be a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Manage auditing and security log\" to only include the following groups or\n accounts:\n\n Administrators" + "default": "Passwords save locally for re-use when browsing may be subject to\n compromise. Disabling the Edge password manager will prevent this for the\n browser.", + "check": "Windows 10 LTSC\\B versions do not include Microsoft Edge, this\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main\\\n\n Value Name: FormSuggest Passwords\n\n Type: REG_SZ\n Value: no", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \"Configure\n Password Manager\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000130", - "gid": "V-63927", - "rid": "SV-78417r1_rule", - "stig_id": "WN10-UR-000130", - "fix_id": "F-69855r1_fix", + "gtitle": "WN10-CC-000245", + "gid": "V-63709", + "rid": "SV-78199r4_rule", + "stig_id": "WN10-CC-000245", + "fix_id": "F-83245r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164", - "CCI-000171", - "CCI-001914" + "CCI-000366" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", - "AU-12 b", - "AU-12 (3)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -4999,35 +4981,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63927' do\n title \"The Manage auditing and security log user right must only be assigned\n to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Manage auditing and security log\\\" user right can\n manage the security log and change auditing configurations. This could be used\n to clear evidence of tampering.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000130'\n tag gid: 'V-63927'\n tag rid: 'SV-78417r1_rule'\n tag stig_id: 'WN10-UR-000130'\n tag fix_id: 'F-69855r1_fix'\n tag cci: %w[CCI-000162 CCI-000163 CCI-000164 CCI-000171 CCI-001914]\n tag nist: ['AU-9', 'AU-9', 'AU-9', 'AU-12 b', 'AU-12 (3)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Manage\n auditing and security log\\\" user right, this is a finding:\n\n Administrators\n\n If the organization has an \\\"Auditors\\\" group the assignment of this group to\n the user right would not be a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Manage auditing and security log\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n 
its('SeSecurityPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63709' do\n title 'The password manager function in the Edge browser must be disabled.'\n desc \"Passwords save locally for re-use when browsing may be subject to\n compromise. Disabling the Edge password manager will prevent this for the\n browser.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000245'\n tag gid: 'V-63709'\n tag rid: 'SV-78199r4_rule'\n tag stig_id: 'WN10-CC-000245'\n tag fix_id: 'F-83245r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Windows 10 LTSC\\\\B versions do not include Microsoft Edge, this\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\Main\\\\\n\n Value Name: FormSuggest Passwords\n\n Type: REG_SZ\n Value: no\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \\\"Configure\n Password Manager\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main') do\n it { should have_property 'FormSuggest Passwords' }\n its('FormSuggest Passwords') { should cmp 'no' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63927.rb", + "ref": "./Windows 10 STIG/controls/V-63709.rb", "line": 3 }, - "id": "V-63927" + "id": "V-63709" }, { - "title": "Autoplay must be turned off for non-volume devices.", - "desc": "Allowing autoplay to execute may 
introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start.\n This setting will disable autoplay for non-volume devices (such as Media\n Transfer Protocol (MTP) devices).", + "title": "The Deny access to this computer from the network user right on\n workstations must be configured to prevent access from highly privileged domain\n accounts and local accounts on domain systems and unauthenticated access on all\n systems.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" right defines the\n accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", "descriptions": { - "default": "Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start.\n This setting will disable autoplay for non-volume devices (such as Media\n Transfer Protocol (MTP) devices).", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoAutoplayfornonVolume\n\n Value Type: 
REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >>\n \"Disallow Autoplay for non-volume devices\" to \"Enabled\"." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" right defines the\n accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny access to\n this computer from the network\" right, this is a finding:\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. 
(See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \"Local account\" is a built-in security group used to assign user rights\n and permissions to all local accounts.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Deny access to this computer from the network\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \"Local account\" is a built-in security group used to assign user rights\n and permissions to all local accounts." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-CC-000180", - "gid": "V-63667", - "rid": "SV-78157r1_rule", - "stig_id": "WN10-CC-000180", - "fix_id": "F-69595r1_fix", + "severity": "medium", + "gtitle": "WN10-UR-000070", + "gid": "V-63871", + "rid": "SV-78361r3_rule", + "stig_id": "WN10-UR-000070", + "fix_id": "F-88441r1_fix", "cci": [ - "CCI-001764" + "CCI-000213" ], "nist": [ - "CM-7 (2)", + "AC-3", "Rev_4" ], "false_negatives": null, 
@@ -5041,35 +5023,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control \"V-63667\" do\n title \"Autoplay must be turned off for non-volume devices.\"\n desc \"Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start.\n This setting will disable autoplay for non-volume devices (such as Media\n Transfer Protocol (MTP) devices).\"\n impact 0.7\n tag severity: \"high\"\n tag gtitle: \"WN10-CC-000180\"\n tag gid: \"V-63667\"\n tag rid: \"SV-78157r1_rule\"\n tag stig_id: \"WN10-CC-000180\"\n tag fix_id: \"F-69595r1_fix\"\n tag cci: [\"CCI-001764\"]\n tag nist: [\"CM-7 (2)\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoAutoplayfornonVolume\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >>\n \\\"Disallow Autoplay for non-volume devices\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoAutoplayfornonVolume' }\n its('NoAutoplayfornonVolume') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63871' do\n title \"The Deny access to this computer from the network user right on\n workstations must be configured to prevent access from highly 
privileged domain\n accounts and local accounts on domain systems and unauthenticated access on all\n systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \\\"Deny access to this computer from the network\\\" right defines the\n accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000070'\n tag gid: 'V-63871'\n tag rid: 'SV-78361r3_rule'\n tag stig_id: 'WN10-UR-000070'\n tag fix_id: 'F-88441r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny access to\n this computer from the network\\\" right, this is a finding:\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) 
dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \\\"Local account\\\" is a built-in security group used to assign user rights\n and permissions to all local accounts.\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Deny access to this computer from the network\\\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \\\"Local account\\\" is a built-in security group used to assign user rights\n and permissions to all local accounts.\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include 'S-1-5-32-546' }\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should be_in [\"#{enterprise_admin_sid}\", 
\"#{domain_admin_sid}\", 'S-1-5-32-546'] }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63667.rb", - "line": 2 + "ref": "./Windows 10 STIG/controls/V-63871.rb", + "line": 3 }, - "id": "V-63667" + "id": "V-63871" }, { - "title": "Users must be notified if a web-based program attempts to install\n software.", - "desc": "Web-based programs may attempt to install malicious software on a\n system. Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.", + "title": "Bluetooth must be turned off unless approved by the organization.", + "desc": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.", "descriptions": { - "default": "Web-based programs may attempt to install malicious software on a\n system. Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.", - "check": "The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)", - "fix": "The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If this needs to be corrected, configure the policy value for 
Computer\n Configuration >> Administrative Templates >> Windows Components >> Windows\n Installer >> \"Prevent Internet Explorer security prompt for Windows Installer\n scripts\" to \"Not Configured\" or \"Disabled\"." + "default": "If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.", + "check": "This is NA if the system does not have Bluetooth.\n\n Verify the Bluetooth radio is turned off unless approved by the organization.\n If it is not, this is a finding.\n\n Approval must be documented with the ISSO.", + "fix": "Turn off Bluetooth radios not organizationally approved. Establish\n an organizational policy for the use of Bluetooth." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000320", - "gid": "V-63329", - "rid": "SV-77819r1_rule", - "stig_id": "WN10-CC-000320", - "fix_id": "F-69245r1_fix", + "gtitle": "WN10-00-000210", + "gid": "V-72765", + "rid": "SV-87403r1_rule", + "stig_id": "WN10-00-000210", + "fix_id": "F-79175r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
@@ -5083,34 +5065,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63329' do\n title \"Users must be notified if a web-based program attempts to install\n software.\"\n desc \"Web-based programs may attempt to install malicious software on a\n system. Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000320'\n tag gid: 'V-63329'\n tag rid: 'SV-77819r1_rule'\n tag stig_id: 'WN10-CC-000320'\n tag fix_id: 'F-69245r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)\"\n\n desc \"fix\", \"The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> Windows\n Installer >> \\\"Prevent Internet 
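Review bot: In the domain branch at the end of the new `code` string for V-63871, `its('SeDenyNetworkLogonRight') { should be_in [...] }` only asserts that every SID currently assigned is one of the three listed (as I read InSpec's `be_in`, an array actual is a subset check, so an empty or Guests-only assignment passes), while the check text requires Enterprise Admins, Domain Admins, Local account and Guests to all be present on domain systems. The "Local account" well-known group (S-1-5-113) named in the check text is never looked for at all. Use one `should include` per required SID, as the WORKGROUP branch already does for Guests. The PowerShell heredocs fed to `command(...)` also assume the target's InSpec shell is PowerShell, which is worth a comment next to `domain_query`.
```ruby
    # … unchanged: WORKGROUP branch and Domain/Enterprise Admins SID lookup …
    describe security_policy do
      its('SeDenyNetworkLogonRight') { should include enterprise_admin_sid }
      its('SeDenyNetworkLogonRight') { should include domain_admin_sid }
      its('SeDenyNetworkLogonRight') { should include 'S-1-5-113' }    # Local account
      its('SeDenyNetworkLogonRight') { should include 'S-1-5-32-546' } # Guests
    end
```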
Explorer security prompt for Windows Installer\n scripts\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should_not have_property 'SafeForScripting' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n its('SafeForScripting') { should_not cmp 1 }\n end\n end\nend\n", + "code": "control \"V-72765\" do\n title \"Bluetooth must be turned off unless approved by the organization.\"\n desc \"If not configured properly, Bluetooth may allow rogue devices to\n communicate with a system. If a rogue device is paired with a system, there is\n potential for sensitive information to be compromised.\"\n impact 0.5\n tag severity: \"medium\"\n tag gtitle: \"WN10-00-000210\"\n tag gid: \"V-72765\"\n tag rid: \"SV-87403r1_rule\"\n tag stig_id: \"WN10-00-000210\"\n tag fix_id: \"F-79175r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA if the system does not have Bluetooth.\n\n Verify the Bluetooth radio is turned off unless approved by the organization.\n If it is not, this is a finding.\n\n Approval must be documented with the ISSO.\"\n desc \"fix\", \"Turn off Bluetooth radios not organizationally approved. Establish\n an organizational policy for the use of Bluetooth.\"\n\nif(sys_info).manufacturer != \"VMware, Inc.\"\n describe \"Turn off Bluetooth radios when not in use. 
Establish an organizational policy for the use of Bluetooth to include training of personnel\" do\n skip 'This is NA if the system does not have Bluetooth'\n end\nelse\n impact 0.0\n describe \"This is a VDI System this control is NA.\" do\n skip 'This is a VDI System this control is NA.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63329.rb", - "line": 3 + "ref": "./Windows 10 STIG/controls/V-72765.rb", + "line": 2 }, - "id": "V-63329" + "id": "V-72765" }, { - "title": "Virtualization Based Security must be enabled on Windows 10 with the\n platform security level configured to Secure Boot or Secure Boot with DMA\n Protection.", - "desc": "Virtualization Based Security (VBS) provides the platform for the\n additional security features, Credential Guard and Virtualization based\n protection of code integrity. Secure Boot is the minimum security level with\n DMA protection providing additional memory protection. DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).", + "title": "The maximum age for machine account passwords must be configured to 30\n days or less.", + "desc": "Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. This setting must be set to no more than 30 days, ensuring the\n machine changes its password monthly.", "descriptions": { - "default": "Virtualization Based Security (VBS) provides the platform for the\n additional security features, Credential Guard and Virtualization based\n protection of code integrity. Secure Boot is the minimum security level with\n DMA protection providing additional memory protection. 
DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).", - "check": "Confirm Virtualization Based Security is enabled and running with\n Secure Boot or Secure Boot and DMA Protection.\n\n For those devices that support virtualization based security (VBS) features,\n including Credential Guard or protection of code integrity, this must be\n enabled. If the system meets the hardware and firmware dependencies for\n enabling VBS but it is not enabled, this is a CAT III finding.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Run \"PowerShell\" with elevated privileges (run as administrator).\n\n Enter the following:\n\n \"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\"\n\n If \"RequiredSecurityProperties\" does not include a value of \"2\" indicating\n \"Secure Boot\" (e.g., \"{1, 2}\"), this is a finding.\n\n If \"Secure Boot and DMA Protection\" is configured, \"3\" will also be\n displayed in the results (e.g., \"{1, 2, 3}\").\n\n If \"VirtualizationBasedSecurityStatus\" is not a value of \"2\" indicating\n \"Running\", this is a finding.\n\n Alternately:\n\n Run \"System Information\".\n\n Under \"System Summary\", verify the following:\n\n If \"Device Guard Virtualization based security\" does not display \"Running\",\n this is finding.\n\n If \"Device Guard Required Security Properties\" does not display \"Base\n Virtualization Support, Secure Boot\", this is finding.\n\n If \"Secure Boot and DMA Protection\" is configured, \"DMA Protection\" will\n also be displayed (e.g., \"Base Virtualization Support, Secure Boot, DMA\n 
Protection\").\n\n The policy settings referenced in the Fix section will configure the following\n registry values. However due to hardware requirements, the registry values\n alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 1\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection)\n\n A Microsoft article on Credential Guard system requirement can be found at the\n following link:\n\n https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements\n\n NOTE: The severity level for the requirement will be upgraded to CAT II\n starting January 2020.", - "fix": "Virtualization based security, including Credential Guard,\n currently cannot be implemented in virtual desktop implementations (VDI) due to\n specific supporting requirements including a TPM, UEFI with Secure Boot, and\n the capability to run the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Device Guard >> \"Turn On Virtualization Based\n Security\" to \"Enabled\" with \"Secure Boot\" or \"Secure Boot and DMA\n Protection\" selected for \"Select Platform Security Level:\".\n\n A Microsoft article on Credential Guard system requirement can be found at the\n following link." + "default": "Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. 
This setting must be set to no more than 30 days, ensuring the\n machine changes its password monthly.", + "check": "This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, excluding 0)", + "fix": "This is the default configuration for this setting (30 days).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> \"Domain member:\n Maximum machine account password age\" to \"30\" or less (excluding 0 which is\n unacceptable)." }, "impact": 0.3, - "refs": [ - { - "ref": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements" - } - ], + "refs": [], "tags": { "severity": "low", - "gtitle": "WN10-CC-000070", - "gid": "V-63595", - "rid": "SV-78085r6_rule", - "stig_id": "WN10-CC-000070", - "fix_id": "F-74851r3_fix", + "gtitle": "WN10-SO-000055", + "gid": "V-63661", + "rid": "SV-78151r1_rule", + "stig_id": "WN10-SO-000055", + "fix_id": "F-69589r1_fix", "cci": [ "CCI-000366" ], 
@@ -5129,35 +5107,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63595' do\n title \"Virtualization Based Security must be enabled on Windows 10 with the\n platform security level configured to Secure Boot or Secure Boot with DMA\n Protection.\"\n desc \"Virtualization Based Security (VBS) provides the platform for the\n additional security features, Credential Guard and Virtualization based\n protection of code integrity. Secure Boot is the minimum security level with\n DMA protection providing additional memory protection. DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000070'\n tag gid: 'V-63595'\n tag rid: 'SV-78085r6_rule'\n tag stig_id: 'WN10-CC-000070'\n tag fix_id: 'F-74851r3_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Confirm Virtualization Based Security is enabled and running with\n Secure Boot or Secure Boot and DMA Protection.\n\n For those devices that support virtualization based security (VBS) features,\n including Credential Guard or protection of code integrity, this must be\n enabled. 
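Review bot: Both branches of the `if(sys_info).manufacturer != "VMware, Inc."` block in the new V-72765 `code` string only `skip`, so the control never evaluates anything, and on physical hardware the reported reason is 'This is NA if the system does not have Bluetooth' even though the code never determines whether Bluetooth is present. The skip text should state what is actually true — that this is a manual check — e.g. `skip 'Manual review: verify the Bluetooth radio is off or its use is documented with the ISSO'`. The condition also reads oddly as a method call on `(sys_info)` and the block is not indented like the rest of the control; `if sys_info.manufacturer != 'VMware, Inc.'` with two-space indentation would match the surrounding code.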
If the system meets the hardware and firmware dependencies for\n enabling VBS but it is not enabled, this is a CAT III finding.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Run \\\"PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter the following:\n\n \\\"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\"\n\n If \\\"RequiredSecurityProperties\\\" does not include a value of \\\"2\\\" indicating\n \\\"Secure Boot\\\" (e.g., \\\"{1, 2}\\\"), this is a finding.\n\n If \\\"Secure Boot and DMA Protection\\\" is configured, \\\"3\\\" will also be\n displayed in the results (e.g., \\\"{1, 2, 3}\\\").\n\n If \\\"VirtualizationBasedSecurityStatus\\\" is not a value of \\\"2\\\" indicating\n \\\"Running\\\", this is a finding.\n\n Alternately:\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", verify the following:\n\n If \\\"Device Guard Virtualization based security\\\" does not display \\\"Running\\\",\n this is finding.\n\n If \\\"Device Guard Required Security Properties\\\" does not display \\\"Base\n Virtualization Support, Secure Boot\\\", this is finding.\n\n If \\\"Secure Boot and DMA Protection\\\" is configured, \\\"DMA Protection\\\" will\n also be displayed (e.g., \\\"Base Virtualization Support, Secure Boot, DMA\n Protection\\\").\n\n The policy settings referenced in the Fix section will configure the following\n registry values. 
However due to hardware requirements, the registry values\n alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 1\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection)\n\n A Microsoft article on Credential Guard system requirement can be found at the\n following link:\n\n https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements\n\n NOTE: The severity level for the requirement will be upgraded to CAT II\n starting January 2020.\"\n\n desc \"fix\", \"Virtualization based security, including Credential Guard,\n currently cannot be implemented in virtual desktop implementations (VDI) due to\n specific supporting requirements including a TPM, UEFI with Secure Boot, and\n the capability to run the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Device Guard >> \\\"Turn On Virtualization Based\n Security\\\" to \\\"Enabled\\\" with \\\"Secure Boot\\\" or \\\"Secure Boot and DMA\n Protection\\\" selected for \\\"Select Platform Security Level:\\\".\n\n A Microsoft article on Credential Guard system requirement can be found at the\n following link.\"\n\n ref 'https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements'\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63595.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63595.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'EnableVirtualizationBasedSecurity' }\n its('EnableVirtualizationBasedSecurity') { should cmp 1 }\n end\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 3 }\n end\n end\n end\nend\n", + "code": "control 'V-63661' do\n title \"The maximum age for machine account passwords must be configured to 30\n days or less.\"\n desc \"Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. 
This setting must be set to no more than 30 days, ensuring the\n machine changes its password monthly.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000055'\n tag gid: 'V-63661'\n tag rid: 'SV-78151r1_rule'\n tag stig_id: 'WN10-SO-000055'\n tag fix_id: 'F-69589r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, excluding 0)\"\n\n desc \"fix\", \"This is the default configuration for this setting (30 days).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> \\\"Domain member:\n Maximum machine account password age\\\" to \\\"30\\\" or less (excluding 0 which is\n unacceptable).\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'MaximumPasswordAge' }\n its('MaximumPasswordAge') { should be <= 30 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n its('MaximumPasswordAge') { should be_positive }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63595.rb", + "ref": "./Windows 10 STIG/controls/V-63661.rb", "line": 3 }, - "id": "V-63595" + "id": "V-63661" }, { - "title": "Exploit Protection 
mitigations in Windows 10 must be configured for\n WINWORD.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Reversible password encryption must be disabled.", + "desc": "Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords. For this reason, this policy\n must never be enabled.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name WINWORD.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for WINWORD.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords. For this reason, this policy\n must never be enabled.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \"Store password using reversible encryption\" is not set to\n \"Disabled\", this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >> \"Store\n passwords using reversible encryption\" to \"Disabled\"." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-EP-000280", - "gid": "V-77263", - "rid": "SV-91959r3_rule", - "stig_id": "WN10-EP-000280", - "fix_id": "F-84511r4_fix", + "severity": "high", + "gtitle": "WN10-AC-000045", + "gid": "V-63429", + "rid": "SV-77919r1_rule", + "stig_id": "WN10-AC-000045", + "fix_id": "F-69357r1_fix", "cci": [ - "CCI-000366" + "CCI-000196" ], "nist": [ - "CM-6 b", + "IA-5 (1) (c)", "Rev_4" ], "false_negatives": null, 
@@ -5171,30 +5149,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77263' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n WINWORD.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000280'\n tag gid: 'V-77263'\n tag rid: 'SV-91959r3_rule'\n tag stig_id: 'WN10-EP-000280'\n tag fix_id: 'F-84511r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name WINWORD.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for WINWORD.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Word' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Word' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Word' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", + "code": "control 'V-63429' do\n title 'Reversible password encryption must be disabled.'\n desc \"Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords. 
For this reason, this policy\n must never be enabled.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-AC-000045'\n tag gid: 'V-63429'\n tag rid: 'SV-77919r1_rule'\n tag stig_id: 'WN10-AC-000045'\n tag fix_id: 'F-69357r1_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \\\"Store password using reversible encryption\\\" is not set to\n \\\"Disabled\\\", this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Store\n passwords using reversible encryption\\\" to \\\"Disabled\\\".\"\n\n describe security_policy do\n its('ClearTextPassword') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77263.rb", + "ref": "./Windows 10 STIG/controls/V-63429.rb", "line": 3 }, - "id": "V-77263" + "id": "V-63429" }, { - "title": "Early Launch Antimalware, Boot-Start Driver Initialization Policy must\n prevent boot drivers identified as bad.", - "desc": "Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. 
At a minimum, drivers determined to be bad must not be\n allowed.", + "title": "Hardened UNC Paths must be defined to require mutual authentication\n and integrity for at least the \\\\*\\SYSVOL and \\\\*\\NETLOGON shares.", + "desc": "Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in Hardened UNC paths before allowing access\n them. This aids in preventing tampering with or spoofing of connections to\n these paths.", "descriptions": { - "default": "Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. At a minimum, drivers determined to be bad must not be\n allowed.", - "check": "The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy is to enforce \"Good, unknown and bad but\n critical\" (preventing \"bad\").\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"7\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 1, 3, or 8 (or if the Value Name does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes \"Bad\" and would be a finding)", - "fix": "The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy is to enforce \"Good, unknown and bad but\n critical\" (preventing \"bad\").\n\n If this needs to be corrected or a more secure setting is desired, configure\n the policy value for Computer Configuration >> Administrative Templates >>\n System >> Early Launch Antimalware >> \"Boot-Start Driver Initialization\n 
Policy\" to \"Not Configured\" or \"Enabled\" with any option other than\n \"All\" selected." + "default": "Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in Hardened UNC paths before allowing access\n them. This aids in preventing tampering with or spoofing of connections to\n these paths.", + "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths\\\n\n Value Name: \\\\*\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Provider >> \"Hardened UNC\n Paths\" to \"Enabled\" with at least the following configured in \"Hardened UNC\n Paths:\" (click the \"Show\" button to display).\n\n Value Name: \\\\*\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000085", - "gid": "V-63607", - "rid": "SV-78097r1_rule", - "stig_id": "WN10-CC-000085", - "fix_id": "F-69537r1_fix", + "gtitle": "WN10-CC-000050", + "gid": "V-63577", + "rid": "SV-78067r1_rule", + "stig_id": "WN10-CC-000050", + "fix_id": "F-69507r1_fix", "cci": [ "CCI-000366" ], 
@@ -5213,35 +5191,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63607' do\n title \"Early Launch Antimalware, Boot-Start Driver Initialization Policy must\n prevent boot drivers identified as bad.\"\n desc \"Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. At a minimum, drivers determined to be bad must not be\n allowed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000085'\n tag gid: 'V-63607'\n tag rid: 'SV-78097r1_rule'\n tag stig_id: 'WN10-CC-000085'\n tag fix_id: 'F-69537r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy is to enforce \\\"Good, unknown and bad but\n critical\\\" (preventing \\\"bad\\\").\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"7\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch\\\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 1, 3, or 8 (or if the Value Name does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes \\\"Bad\\\" and would be a finding)\"\n\n desc \"fix\", \"The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy is to enforce 
\\\"Good, unknown and bad but\n critical\\\" (preventing \\\"bad\\\").\n\n If this needs to be corrected or a more secure setting is desired, configure\n the policy value for Computer Configuration >> Administrative Templates >>\n System >> Early Launch Antimalware >> \\\"Boot-Start Driver Initialization\n Policy\\\" to \\\"Not Configured\\\" or \\\"Enabled\\\" with any option other than\n \\\"All\\\" selected.\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch') do\n it { should_not have_property 'DriverLoadPolicy' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch') do\n its('DriverLoadPolicy') { should_not be 7 }\n end\n end\nend\n", + "code": "control 'V-63577' do\n title \"Hardened UNC Paths must be defined to require mutual authentication\n and integrity for at least the \\\\\\\\*\\\\SYSVOL and \\\\\\\\*\\\\NETLOGON shares.\"\n desc \"Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in Hardened UNC paths before allowing access\n them. 
This aids in preventing tampering with or spoofing of connections to\n these paths.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000050'\n tag gid: 'V-63577'\n tag rid: 'SV-78067r1_rule'\n tag stig_id: 'WN10-CC-000050'\n tag fix_id: 'F-69507r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\NetworkProvider\\\\HardenedPaths\\\\\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Provider >> \\\"Hardened UNC\n Paths\\\" to \\\"Enabled\\\" with at least the following configured in \\\"Hardened UNC\n Paths:\\\" (click the \\\"Show\\\" button to display).\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n keyvalue_netlogon = '\\\\\\\\*\\\\NETLOGON'\n keyvalue_sysvol = '\\\\\\\\*\\\\SYSVOL'\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is 
not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n elsif\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths') do\n it { should have_property keyvalue_sysvol.gsub('\\\\', '\\\\\\\\\\\\\\\\') }\n its (keyvalue_sysvol.gsub('\\\\', '\\\\\\\\\\\\\\\\')) { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1'}\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths') do\n it { should have_property keyvalue_netlogon.gsub('\\\\', '\\\\\\\\\\\\\\\\') }\n its (keyvalue_netlogon.gsub('\\\\', '\\\\\\\\\\\\\\\\')) { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1'}\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63607.rb", + "ref": "./Windows 10 STIG/controls/V-63577.rb", "line": 3 }, - "id": "V-63607" + "id": "V-63577" }, { - "title": "Non system-created file shares on a system must limit access to groups\n that require it.", - "desc": "Shares which provide network access, should not typically exist on a\n workstation except for system-created administrative shares, and could\n potentially expose sensitive information. If a share is necessary, share\n permissions, as well as NTFS permissions, must be reconfigured to give the\n minimum access to those accounts that require it.", + "title": "Automatically signing in the last interactive user after a\n system-initiated restart must be disabled.", + "desc": "Windows can be configured to automatically sign the user back in after\n a Windows Update restart. 
Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.", "descriptions": { - "default": "Shares which provide network access, should not typically exist on a\n workstation except for system-created administrative shares, and could\n potentially expose sensitive information. If a share is necessary, share\n permissions, as well as NTFS permissions, must be reconfigured to give the\n minimum access to those accounts that require it.", - "check": "Non system-created shares should not typically exist on\n workstations.\n\n If only system-created shares exist on the system this is NA.\n\n Run \"Computer Management\".\n Navigate to System Tools >> Shared Folders >> Shares.\n\n If the only shares listed are \"ADMIN$\", \"C$\" and \"IPC$\", this is NA.\n (Selecting Properties for system-created shares will display a message that it\n has been shared for administrative purposes.)\n\n Right click any non-system-created shares.\n Select \"Properties\".\n Select the \"Share Permissions\" tab.\n\n Verify the necessity of any shares found.\n If the file shares have not been reconfigured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\n\n Select the \"Security\" tab.\n\n If the NTFS permissions have not been reconfigured to restrict permissions to\n the specific groups or accounts that require access, this is a finding.", - "fix": "If a non system-created share is required on a system, configure\n the share and NTFS permissions to limit access to the specific groups or\n accounts that require it.\n\n Remove any unnecessary non-system created shares." + "default": "Windows can be configured to automatically sign the user back in after\n a Windows Update restart. 
Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Logon Options >>\n \"Sign-in last interactive user automatically after a system-initiated\n restart\" to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000060", - "gid": "V-63357", - "rid": "SV-77847r1_rule", - "stig_id": "WN10-00-000060", - "fix_id": "F-69277r1_fix", + "gtitle": "WN10-CC-000325", + "gid": "V-63333", + "rid": "SV-77823r1_rule", + "stig_id": "WN10-CC-000325", + "fix_id": "F-69251r1_fix", "cci": [ - "CCI-001090" + "CCI-000366" ], "nist": [ - "SC-4", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
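Review bot: The new `code` string for V-63577 uses `elsif` with no condition after the `WORKGROUP` skip branch (`end\n elsif\n describe registry_key(...)`), which reads as a typo for `else`. Ruby appears to take the first `describe registry_key(...) do ... end` block as the `elsif` condition, so the SYSVOL block is evaluated as a truthiness expression and only the NETLOGON block is the branch body; even if InSpec still registers both groups because `describe` has side effects when called, the structure is wrong and fragile. The one-line fix is `else` in place of the bare `elsif`; the same line also has `its (keyvalue_sysvol.gsub(...))` with a space before the parenthesis, which Ruby warns about. Since this JSON embeds the control source verbatim, the change belongs in `./Windows 10 STIG/controls/V-63577.rb` with the baseline regenerated afterwards.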
@@ -5255,35 +5233,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63357' do\n title \"Non system-created file shares on a system must limit access to groups\n that require it.\"\n desc \"Shares which provide network access, should not typically exist on a\n workstation except for system-created administrative shares, and could\n potentially expose sensitive information. If a share is necessary, share\n permissions, as well as NTFS permissions, must be reconfigured to give the\n minimum access to those accounts that require it.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000060'\n tag gid: 'V-63357'\n tag rid: 'SV-77847r1_rule'\n tag stig_id: 'WN10-00-000060'\n tag fix_id: 'F-69277r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Non system-created shares should not typically exist on\n workstations.\n\n If only system-created shares exist on the system this is NA.\n\n Run \\\"Computer Management\\\".\n Navigate to System Tools >> Shared Folders >> Shares.\n\n If the only shares listed are \\\"ADMIN$\\\", \\\"C$\\\" and \\\"IPC$\\\", this is NA.\n (Selecting Properties for system-created shares will display a message that it\n has been shared for administrative purposes.)\n\n Right click any non-system-created shares.\n Select \\\"Properties\\\".\n Select the \\\"Share Permissions\\\" tab.\n\n Verify the necessity of any shares found.\n If the file shares have not been reconfigured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\n\n Select the \\\"Security\\\" tab.\n\n If the NTFS permissions have not been reconfigured to restrict permissions to\n the specific 
groups or accounts that require access, this is a finding.\"\n\n desc \"fix\", \"If a non system-created share is required on a system, configure\n the share and NTFS permissions to limit access to the specific groups or\n accounts that require it.\n\n Remove any unnecessary non-system created shares.\"\n\n share_names = []\n share_paths = []\n get = command('Get-WMIObject -Query \"SELECT * FROM Win32_Share\" | Findstr /V \"Name --\"').stdout.strip.split(\"\\n\")\n\n get.each do |share|\n loc_space = share.index(' ')\n\n names = share[0..loc_space - 1]\n\n share_names.push(names)\n path = share[9..50]\n share_paths.push(path)\n end\n\n share_names_string = share_names.join(',')\n\n if share_names_string != 'ADMIN$,C$,IPC$'\n\n [share_paths, share_names].each do |path1, _name1|\n describe command(\"Get-Acl -Path '#{path1}' | Format-List | Findstr /i /C:'Everyone Allow'\") do\n its('stdout') { should eq '' }\n end\n end\n end\n\n if share_names_string == 'ADMIN$,C$,IPC$'\n impact 0.0\n describe 'The default files shares exist' do\n skip 'This control is NA'\n end\n end\nend\n", + "code": "control 'V-63333' do\n title \"Automatically signing in the last interactive user after a\n system-initiated restart must be disabled.\"\n desc \"Windows can be configured to automatically sign the user back in after\n a Windows Update restart. 
Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000325'\n tag gid: 'V-63333'\n tag rid: 'SV-77823r1_rule'\n tag stig_id: 'WN10-CC-000325'\n tag fix_id: 'F-69251r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Logon Options >>\n \\\"Sign-in last interactive user automatically after a system-initiated\n restart\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'DisableAutomaticRestartSignOn' }\n its('DisableAutomaticRestartSignOn') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63357.rb", + "ref": "./Windows 10 STIG/controls/V-63333.rb", "line": 3 }, - "id": "V-63357" + "id": "V-63333" }, { - "title": "Windows 10 must be configured to audit Object Access - File Share successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service 
disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.", + "title": "Windows 10 domain-joined systems must have a Trusted Platform Module\n (TPM) enabled and ready for use.", + "desc": "Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised.\n There are a number of system requirements that must be met in order for\n Credential Guard to be configured and enabled properly. Without a TPM enabled\n and ready for use, Credential Guard keys are stored in a less secure method\n using software.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\"Run as\n Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> File Share - Success\n\n If the system does not audit the above, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit File Share\" with \"Success\"\n selected." + "default": "Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised.\n There are a number of system requirements that must be met in order for\n Credential Guard to be configured and enabled properly. 
Without a TPM enabled\n and ready for use, Credential Guard keys are stored in a less secure method\n using software.", + "check": "Verify domain-joined systems have a TPM enabled and ready for use.\n\n For standalone systems, this is NA.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Verify the system has a TPM and is ready for use.\n Run \"tpm.msc\".\n Review the sections in the center pane.\n \"Status\" must indicate it has been configured with a message such as \"The\n TPM is ready for use\" or \"The TPM is on and ownership has been taken\".\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.\n\n NOTE: The severity level for the requirement will be upgraded to CAT II\n starting January 2020.", + "fix": "For standalone systems, this is NA.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Ensure domain-joined systems must have a Trusted Platform Module (TPM) that is\n configured for use. (Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n Run \"tpm.msc\" for configuration options in Windows." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-AU-000082", - "gid": "V-74721", - "rid": "SV-89395r1_rule", - "stig_id": "WN10-AU-000082", - "fix_id": "F-81335r3_fix", + "severity": "low", + "gtitle": "WN10-00-000010", + "gid": "V-63323", + "rid": "SV-77813r5_rule", + "stig_id": "WN10-00-000010", + "fix_id": "F-71517r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -5297,35 +5275,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74721' do\n title 'Windows 10 must be configured to audit Object Access - File Share successes.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing file shares records events related to connection to shares on a\n system including system shares such as C$.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000082'\n tag gid: 'V-74721'\n tag rid: 'SV-89395r1_rule'\n tag stig_id: 'WN10-AU-000082'\n tag fix_id: 'F-81335r3_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\\\"Run as\n Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> File Share - Success\n\n If the system does not audit the above, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer 
Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit File Share\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('File Share') { should eq 'Success' }\n end\n describe audit_policy do\n its('File Share') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63323' do\n title \"Windows 10 domain-joined systems must have a Trusted Platform Module\n (TPM) enabled and ready for use.\"\n desc \"Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised.\n There are a number of system requirements that must be met in order for\n Credential Guard to be configured and enabled properly. Without a TPM enabled\n and ready for use, Credential Guard keys are stored in a less secure method\n using software.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-00-000010'\n tag gid: 'V-63323'\n tag rid: 'SV-77813r5_rule'\n tag stig_id: 'WN10-00-000010'\n tag fix_id: 'F-71517r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify domain-joined systems have a TPM enabled and ready for use.\n\n For standalone systems, this is NA.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n 
Verify the system has a TPM and is ready for use.\n Run \\\"tpm.msc\\\".\n Review the sections in the center pane.\n \\\"Status\\\" must indicate it has been configured with a message such as \\\"The\n TPM is ready for use\\\" or \\\"The TPM is on and ownership has been taken\\\".\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.\n\n NOTE: The severity level for the requirement will be upgraded to CAT II\n starting January 2020.\"\n\n desc \"fix\", \"For standalone systems, this is NA.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Ensure domain-joined systems must have a Trusted Platform Module (TPM) that is\n configured for use. (Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n Run \\\"tpm.msc\\\" for configuration options in Windows.\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if sys_info.manufacturer == \"VMware, Inc.\"\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63323.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63323.'\n end\n elsif is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therefore this control is Not Applicable' do\n skip 'This system is not joined to a domain, therefore this control is Not Applicable'\n end\n else\n tpm_ready = command('Get-Tpm | select -expand TpmReady').stdout.strip\n tpm_present = command('Get-Tpm | select -expand TpmPresent').stdout.strip\n describe 'Trusted Platform Module (TPM) TpmReady' do\n subject { tpm_ready }\n it { should eq 'True' }\n end\n describe 'Trusted Platform Module (TPM) TpmPresent' do\n subject { tpm_present }\n it { should eq 'True' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74721.rb", + "ref": "./Windows 10 STIG/controls/V-63323.rb", "line": 3 }, - "id": "V-74721" + "id": "V-63323" }, { - "title": "WDigest Authentication must be disabled.", - "desc": "When the WDigest Authentication protocol is enabled, plain text\n passwords are stored in the Local Security Authority Subsystem Service (LSASS)\n exposing them to theft. WDigest is disabled by default in Windows 10. This\n setting ensures this is enforced.", + "title": "The system must be configured to audit Privilege Use - Sensitive\n Privilege Use failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \"Act as part of the operating system\" or \"Debug\n programs\".", "descriptions": { - "default": "When the WDigest Authentication protocol is enabled, plain text\n passwords are stored in the Local Security Authority Subsystem Service (LSASS)\n exposing them to theft. WDigest is disabled by default in Windows 10. This\n setting ensures this is enforced.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\\\n\n Value Name: UseLogonCredential\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"WDigest Authentication\n (disabling may require KB2871997)\" to \"Disabled\".\n\n The patch referenced in the policy title is not required for Windows 10.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must\n be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." - }, + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \"Act as part of the operating system\" or \"Debug\n programs\".", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Privilege Use >> Sensitive Privilege Use - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\" with\n \"Failure\" selected." + }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000038", - "gid": "V-71763", - "rid": "SV-86387r1_rule", - "stig_id": "WN10-CC-000038", - "fix_id": "F-78115r4_fix", + "gtitle": "WN10-AU-000110", + "gid": "V-63483", + "rid": "SV-77973r1_rule", + "stig_id": "WN10-AU-000110", + "fix_id": "F-69413r1_fix", "cci": [ - "CCI-000381" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-7 a", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
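Review bot: The VDI short-circuit in the new V-63323 code, `if sys_info.manufacturer == "VMware, Inc."`, marks every VMware guest Not Applicable with `impact 0.0`, while the check text it carries limits NA to VDIs whose instance is deleted or refreshed on logoff; a persistent, domain-joined VMware workstation therefore skips the TPM requirement silently. Gating the NA decision on an explicit profile input instead (the same pattern the V-77221 control later in this diff uses with `input('sensitive_system')`) keeps the judgement with the assessor rather than a hypervisor vendor string. The domain test `is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip` depends on wmic, which as I understand it is deprecated on current Windows 10 builds, so on a host without it the value is an empty string and the control falls through to the TPM checks without ever confirming domain membership; `Get-Tpm` is also run twice where one call would do. At minimum a comment above the manufacturer test, `# NOTE: treats every VMware guest as a VDI; confirm against the STIG's NA condition`, would make the assumption visible.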
@@ -5339,35 +5319,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-71763' do\n title 'WDigest Authentication must be disabled.'\n desc \"When the WDigest Authentication protocol is enabled, plain text\n passwords are stored in the Local Security Authority Subsystem Service (LSASS)\n exposing them to theft. WDigest is disabled by default in Windows 10. This\n setting ensures this is enforced.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000038'\n tag gid: 'V-71763'\n tag rid: 'SV-86387r1_rule'\n tag stig_id: 'WN10-CC-000038'\n tag fix_id: 'F-78115r4_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\Wdigest\\\\\n\n Value Name: UseLogonCredential\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"WDigest Authentication\n (disabling may require KB2871997)\\\" to \\\"Disabled\\\".\n\n The patch referenced in the policy title is not required for Windows 10.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must\n be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest') do\n it { should have_property 'UseLogonCredential' }\n its('UseLogonCredential') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63483' do\n title \"The system must be configured to audit Privilege Use - Sensitive\n Privilege Use failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug\n programs\\\".\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000110'\n tag gid: 'V-63483'\n tag rid: 'SV-77973r1_rule'\n tag stig_id: 'WN10-AU-000110'\n tag fix_id: 'F-69413r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the 
AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Privilege Use >> Sensitive Privilege Use - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\" with\n \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-71763.rb", + "ref": "./Windows 10 STIG/controls/V-63483.rb", "line": 3 }, - "id": "V-71763" + "id": "V-63483" }, { - "title": "Only accounts responsible for the administration of a system must have\n Administrator rights on the system.", - "desc": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems only using accounts with the\n minimum level of authority necessary.\n\n For domain-joined workstations, the Domain Admins group must be replaced by\n a domain workstation administrator group (see V-36434 in the Active Directory\n Domain STIG). 
Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Standard user accounts must not be members of the local administrators\n group.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for INFOPATH.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems only using accounts with the\n minimum level of authority necessary.\n\n For domain-joined workstations, the Domain Admins group must be replaced by\n a domain workstation administrator group (see V-36434 in the Active Directory\n Domain STIG). 
Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Standard user accounts must not be members of the local administrators\n group.", - "check": "Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Review the members of the Administrators group.\n Only the appropriate administrator groups or accounts responsible for\n administration of the system may be members of the group.\n\n For domain-joined workstations, the Domain Admins group must be replaced by a\n domain workstation administrator group.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this is a\n finding.\n\n The built-in Administrator account or other required administrative accounts\n would not be a finding.", - "fix": "Configure the system to include only administrator groups or\n accounts that are responsible for the system in the local Administrators group.\n\n For domain-joined workstations, the Domain Admins group must be replaced by a\n domain workstation administrator group.\n\n Remove any standard user accounts." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name INFOPATH.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for INFOPATH.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-00-000070", - "gid": "V-63361", - "rid": "SV-77851r2_rule", - "stig_id": "WN10-00-000070", - "fix_id": "F-88437r1_fix", + "severity": "medium", + "gtitle": "WN10-EP-000150", + "gid": "V-77221", + "rid": "SV-91917r3_rule", + "stig_id": "WN10-EP-000150", + "fix_id": "F-84349r4_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -5381,35 +5361,39 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63361' do\n title \"Only accounts responsible for the administration of a system must have\n Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems only using accounts with the\n minimum level of authority necessary.\n\n For domain-joined workstations, the Domain Admins group must be replaced by\n a domain workstation administrator group (see V-36434 in the Active Directory\n Domain STIG). Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Standard user accounts must not be members of the local administrators\n group.\"\n\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000070'\n tag gid: 'V-63361'\n tag rid: 'SV-77851r2_rule'\n tag stig_id: 'WN10-00-000070'\n tag fix_id: 'F-88437r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Review the members of the Administrators group.\n Only the appropriate administrator groups or accounts responsible for\n administration of the system may be members of the group.\n\n For domain-joined workstations, the Domain Admins group must be replaced by a\n domain workstation administrator group.\n\n Standard user accounts must not be 
members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this is a\n finding.\n\n The built-in Administrator account or other required administrative accounts\n would not be a finding.\"\n\n desc \"fix\", \"Configure the system to include only administrator groups or\n accounts that are responsible for the system in the local Administrators group.\n\n For domain-joined workstations, the Domain Admins group must be replaced by a\n domain workstation administrator group.\n\n Remove any standard user accounts.\"\n\n administrator_group = command(\"net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in input('administrators') }\n end\n end\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n end\nend\n", + "code": "control 'V-77221' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for INFOPATH.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000150'\n tag gid: 'V-77221'\n tag rid: 'SV-91917r3_rule'\n tag stig_id: 'WN10-EP-000150'\n tag fix_id: 'F-84349r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name INFOPATH.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for INFOPATH.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name INFOPATH.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft InfoPath' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name INFOPATH.EXE| Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft InfoPath' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name INFOPATH.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft InfoPath' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63361.rb", + "ref": "./Windows 10 STIG/controls/V-77221.rb", "line": 3 }, - "id": "V-63361" + "id": "V-77221" }, { - "title": "Local volumes must be formatted using NTFS.", - "desc": "The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. 
To support\n this, volumes must be formatted using the NTFS file system.", + "title": "Windows 10 permissions for the System event log must prevent access by\n non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.", "descriptions": { - "default": "The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using the NTFS file system.", - "check": "Run \"Computer Management\".\n Navigate to Storage >> Disk Management.\n\n If the \"File System\" column does not indicate \"NTFS\" for each volume\n assigned a drive letter, this is a finding.\n\n This does not apply to system partitions such the Recovery and EFI System\n Partition.", - "fix": "Format all local volumes to use NTFS." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.", + "check": "Verify the permissions on the System event log (System.evtx).\n Standard user accounts or groups must not have access. 
The default permissions\n listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES\" has\n Special Permissions, this would not be a finding.", + "fix": "Ensure the permissions on the System event log (System.evtx) are\n configured to prevent standard user accounts or groups from having access. The\n default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-00-000050", - "gid": "V-63353", - "rid": "SV-77843r2_rule", - "stig_id": "WN10-00-000050", - "fix_id": "F-69273r1_fix", + "severity": "medium", + "gtitle": "WN10-AU-000525", + "gid": "V-63541", + "rid": "SV-78031r2_rule", + "stig_id": "WN10-AU-000525", + "fix_id": "F-69471r1_fix", "cci": [ - "CCI-000213" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "AC-3", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ], "false_negatives": null, 
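Review bot: The mitigation assertions in the new V-77221 code, `its(['OverrideDEP']) { should_not eq 'true' }` and the six Payload lines written the same way, compare against the string `'true'`, but `json(command: ... | ConvertTo-Json).params` surfaces a JSON boolean as a Ruby `true`/`false`, so if these are boolean properties (as the check text's `OverrideDEP: False` suggests) the negation can never fail and the control passes on a misconfigured host. The same applies to `its(['ForceRelocateImages']) { should_not eq '2' }`, which compares an enum that ConvertTo-Json presumably emits as a number against the string `'2'`, and which in any case only rejects one value instead of asserting the STIG's required "ON". Using `cmp`, as the registry check elsewhere in this file does (`should cmp 0`), e.g. `its(['OverrideDEP']) { should cmp false }`, makes the comparison type-tolerant; ForceRelocateImages needs a positive assertion once the expected enum value is confirmed. Separately, `if input('sensitive_system') == 'true' || nil` is equivalent to `if input('sensitive_system') == 'true'` — the `|| nil` is a no-op that reads like an intended default and should be dropped.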
@@ -5423,35 +5407,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control \"V-63353\" do\n title \"Local volumes must be formatted using NTFS.\"\n desc \"The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using the NTFS file system.\"\n impact 0.7\n tag severity: \"high\"\n tag gtitle: \"WN10-00-000050\"\n tag gid: \"V-63353\"\n tag rid: \"SV-77843r2_rule\"\n tag stig_id: \"WN10-00-000050\"\n tag fix_id: \"F-69273r1_fix\"\n tag cci: [\"CCI-000213\"]\n tag nist: [\"AC-3\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"Computer Management\\\".\n Navigate to Storage >> Disk Management.\n\n If the \\\"File System\\\" column does not indicate \\\"NTFS\\\" for each volume\n assigned a drive letter, this is a finding.\n\n This does not apply to system partitions such the Recovery and EFI System\n Partition.\"\n\n desc \"fix\", \"Format all local volumes to use NTFS.\"\n\nget_volumes = command(\"wmic logicaldisk get FileSystem | findstr /r /v '^$' |Findstr /v 'FileSystem'\").stdout.strip.split(\"\\r\\n\")\n\n if get_volumes.empty?\n impact 0.0\n describe 'There are no local volumes' do\n skip 'This control is not applicable'\n end\n else\n get_volumes.each do |volume|\n volumes = volume.strip\n describe.one do\n describe 'The format local volumes' do\n subject { volumes }\n it { should eq 'NTFS' }\n end\n describe 'The format local volumes' do\n subject { volumes }\n it { should eq 'ReFS' }\n end\n end\n end\n end\nend\n", + "code": "control 'V-63541' do\n title \"Windows 10 permissions for the System event log must prevent access by\n non-privileged 
accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000525'\n tag gid: 'V-63541'\n tag rid: 'SV-78031r2_rule'\n tag stig_id: 'WN10-AU-000525'\n tag fix_id: 'F-69471r1_fix'\n tag cci: %w[CCI-000162 CCI-000163 CCI-000164]\n tag nist: %w[AU-9 AU-9 AU-9 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the permissions on the System event log (System.evtx).\n Standard user accounts or groups must not have access. The default permissions\n listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \\\"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\\\" has\n Special Permissions, this would not be a finding.\"\n\n desc \"fix\", \"Ensure the permissions on the System event log (System.evtx) are\n configured to prevent standard user accounts or groups from having access. 
The\n default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n systemroot = system_root.strip\n\n describe file(\"#{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\System.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63353.rb", - "line": 2 + "ref": "./Windows 10 STIG/controls/V-63541.rb", + "line": 3 }, - "id": "V-63353" + "id": "V-63541" }, { - "title": "The number of allowed bad logon attempts must be configured to\n 3 or less.", - "desc": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack, while allowing for honest errors made during a\n normal user logon.", + "title": "The system must be configured to audit Account Logon - Credential\n Validation failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.", "descriptions": { - "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack, while allowing for honest errors made during a\n normal user logon.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Account lockout threshold\" is \"0\" or more than 3 attempts,\n this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n \"Account lockout threshold\" to 3 or less invalid logon attempts\n (excluding \"0\" which is unacceptable)." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Account Logon >> Credential Validation - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> \"Audit Credential Validation\" with\n \"Failure\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AC-000010", - "gid": "V-63409", - "rid": "SV-77899r1_rule", - "stig_id": "WN10-AC-000010", - "fix_id": "F-69337r1_fix", + "gtitle": "WN10-AU-000005", + "gid": "V-63431", + "rid": "SV-77921r1_rule", + "stig_id": "WN10-AU-000005", + "fix_id": "F-69359r1_fix", "cci": [ - "CCI-000044" + "CCI-000172" ], "nist": [ - "AC-7 a", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
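Review bot: The new V-63541 InSpec code (the `"code"` string in this hunk) only asserts that Eventlog, SYSTEM and Administrators are allowed full-control on System.evtx; it never asserts that a standard-user principal is denied, which is the requirement the check text states ("Standard user accounts or groups must not have access"), so an ACL that also grants Users full-control still passes. A negative assertion in the same `describe file(...)` block would close that gap, e.g. `it { should_not be_allowed('full-control', by_user: 'BUILTIN\\Users') }`, with further standard-user groups added as the site's ACL baseline requires. The `system_root = get_system_root[11..get_system_root.length]` fixed-offset slice of a `Findstr SystemRoot` match is also brittle (any variable whose name contains SystemRoot matches, and the offset assumes one exact column layout); `os_env('SystemRoot').content` gives the same value without the parsing. The hunk also contains the start of V-63431, whose body continues in the next hunk.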
@@ -5465,35 +5449,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63409' do\n title \"The number of allowed bad logon attempts must be configured to\n #{input('max_pass_lockout')} or less.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack, while allowing for honest errors made during a\n normal user logon.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000010'\n tag gid: 'V-63409'\n tag rid: 'SV-77899r1_rule'\n tag stig_id: 'WN10-AC-000010'\n tag fix_id: 'F-69337r1_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Account lockout threshold\\\" is \\\"0\\\" or more than #{input('max_pass_lockout')} attempts,\n this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n \\\"Account lockout threshold\\\" to #{input('max_pass_lockout')} or less invalid logon attempts\n (excluding \\\"0\\\" which is unacceptable).\"\n\n describe security_policy do\n its('LockoutBadCount') { should be <= input('max_pass_lockout') }\n end\n describe security_policy do\n 
its('LockoutBadCount') { should be_positive }\n end\nend\n", + "code": "control 'V-63431' do\n title \"The system must be configured to audit Account Logon - Credential\n Validation failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000005'\n tag gid: 'V-63431'\n tag rid: 'SV-77921r1_rule'\n tag stig_id: 'WN10-AU-000005'\n tag fix_id: 'F-69359r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Logon >> Credential Validation - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with\n \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63409.rb", + "ref": "./Windows 10 STIG/controls/V-63431.rb", "line": 3 }, - "id": "V-63409" + "id": "V-63431" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for\n wordpad.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "User Account Control must run all administrators in Admin Approval\n Mode, enabling UAC.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name wordpad.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for wordpad.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location 
defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Run all administrators in Admin Approval Mode\" to\n \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000300", - "gid": "V-77269", - "rid": "SV-91965r3_rule", - "stig_id": "WN10-EP-000300", - "fix_id": "F-84515r4_fix", + "gtitle": "WN10-SO-000270", + "gid": "V-63829", + "rid": "SV-78319r1_rule", + "stig_id": "WN10-SO-000270", + "fix_id": "F-69757r1_fix", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b", + "IA-11", "Rev_4" ], "false_negatives": null, 
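Review bot: The V-63431 `"code"` string does not record that its `audit_policy` result is only meaningful when subcategory auditing overrides category settings, although the `"check"` text in this hunk states that dependency on WN10-SO-000030 explicitly. A reader of the control alone will not know why a system that reports `Failure` for Credential Validation can still be effectively unaudited. A one-line comment before the `describe.one` block would carry that into the code, e.g. `# Subcategory settings are only effective when WN10-SO-000030 (force subcategory override) is Enabled; see that control.`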
@@ -5507,35 +5491,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77269' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n wordpad.exe.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000300'\n tag gid: 'V-77269'\n tag rid: 'SV-91965r3_rule'\n tag stig_id: 'WN10-EP-000300'\n tag fix_id: 'F-84515r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name wordpad.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for wordpad.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId <= '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name wordpad.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on WordPad' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name wordpad.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on WordPad' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-63829' do\n title \"User Account Control must run all administrators in Admin Approval\n Mode, enabling UAC.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000270'\n tag gid: 'V-63829'\n tag rid: 'SV-78319r1_rule'\n tag stig_id: 'WN10-SO-000270'\n tag fix_id: 'F-69757r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 
\"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Run all administrators in Admin Approval Mode\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'EnableLUAs' }\n its('EnableLUA') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77269.rb", + "ref": "./Windows 10 STIG/controls/V-63829.rb", "line": 3 }, - "id": "V-77269" + "id": "V-63829" }, { - "title": "User Account Control must automatically deny elevation requests for \n standard users.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n Denying elevation requests from standard user accounts requires tasks that need\n elevation to be initiated by accounts with administrative privileges. This\n ensures correct accounts are used on the system for privileged tasks to help\n mitigate credential theft.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for lync.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n Denying elevation requests from standard user accounts requires tasks that need\n elevation to be initiated by accounts with administrative privileges. This\n ensures correct accounts are used on the system for privileged tasks to help\n mitigate credential theft.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Behavior of the elevation prompt for standard users\" to\n \"Automatically deny elevation requests\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name lync.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for lync.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000255", - "gid": "V-63821", - "rid": "SV-78311r1_rule", - "stig_id": "WN10-SO-000255", - "fix_id": "F-69749r1_fix", + "gtitle": "WN10-EP-000170", + "gid": "V-77227", + "rid": "SV-91923r3_rule", + "stig_id": "WN10-EP-000170", + "fix_id": "F-84357r4_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
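Review bot: The V-63829 `"code"` string in this hunk tests `it { should have_property 'EnableLUAs' }`, but the value named everywhere else in the same control (the `"check"` text, `Value Name: EnableLUA`, and the following `its('EnableLUA') { should cmp 1 }`) is `EnableLUA`; the trailing `s` looks like a typo, so the `have_property` assertion will fail on a correctly configured system and the control can never pass. The line should read `it { should have_property 'EnableLUA' }`. The same line is presumably mirrored in `./Windows 10 STIG/controls/V-63829.rb` and needs the same fix there.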
@@ -5549,30 +5533,34 @@ "responsibility": null, "ia_controls": null }, - "code": "control \"V-63821\" do\n title \"User Account Control must automatically deny elevation requests for \n standard users.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n Denying elevation requests from standard user accounts requires tasks that need\n elevation to be initiated by accounts with administrative privileges. This\n ensures correct accounts are used on the system for privileged tasks to help\n mitigate credential theft.\"\n impact 0.5\n tag severity: \"medium\"\n tag gtitle: \"WN10-SO-000255\"\n tag gid: \"V-63821\"\n tag rid: \"SV-78311r1_rule\"\n tag stig_id: \"WN10-SO-000255\"\n tag fix_id: \"F-69749r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Behavior of the elevation prompt for standard users\\\" to\n \\\"Automatically deny elevation requests\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'ConsentPromptBehaviorUser' }\n 
its('ConsentPromptBehaviorUser') { should cmp 0 }\n end\nend\n", + "code": "control 'V-77227' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for lync.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000170'\n tag gid: 'V-77227'\n tag rid: 'SV-91923r3_rule'\n tag stig_id: 'WN10-EP-000170'\n tag fix_id: 'F-84357r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name lync.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for lync.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name lync.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Lync' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name lync.exe| Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Lync' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name lync.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Lync' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63821.rb", - "line": 2 + "ref": "./Windows 10 STIG/controls/V-77227.rb", + "line": 3 }, - "id": "V-63821" + "id": "V-77227" }, { - "title": "A host-based firewall must be installed and enabled on the system.", - "desc": "A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.", + "title": "Credential Guard must be running on Windows 10 domain-joined systems.", + "desc": "Credential Guard uses virtualization based security to protect\n 
information that could be used in credential theft attacks if compromised. This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.", "descriptions": { - "default": "A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.", - "check": "Determine if a host-based firewall is installed and enabled on\n the system. If a host-based firewall is not installed and enabled on the\n system, this is a finding.\n\n The configuration requirements will be determined by the applicable firewall\n STIG.", - "fix": "Install and enable a host-based firewall on the system." + "default": "Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised. This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.", + "check": "Confirm Credential Guard is running on domain-joined systems.\n\n For standalone systems, this is NA.\n\n For those devices that support Credential Guard, this feature must be enabled.\n For devices that do not support it, there is currently an enterprise risk\n acceptance in effect, thus this check is currently categorized as a CAT III.\n Organizations need to take the appropriate action to acquire and implement\n compatible hardware with Credential Guard enabled.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the 
virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Run \"PowerShell\" with elevated privileges (run as administrator).\n Enter the following:\n \"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\"\n\n If \"SecurityServicesRunning\" does not include a value of \"1\" (e.g., \"{1,\n 2}\"), this is a finding.\n\n Alternately:\n\n Run \"System Information\".\n Under \"System Summary\", verify the following:\n If \"Device Guard Security Services Running\" does not list \"Credential\n Guard\", this is finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. However, due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock)\n\n NOTE: The severity level for the requirement will be upgraded to CAT I\n starting January 2020.", + "fix": "Virtualization based security, including Credential Guard,\n currently cannot be implemented in virtual desktop implementations (VDI) due to\n specific supporting requirements including a TPM, UEFI with Secure Boot, and\n the capability to run the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n For VDIs with persistent desktops, this may be downgraded to a CAT II only\n where administrators have specific tokens for the VDI. 
Administrator accounts\n on virtual desktops must only be used on systems in the VDI; they may not have\n administrative privileges on any other systems such as servers and physical\n workstations.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Device Guard >> \"Turn On Virtualization Based\n Security\" to \"Enabled\" with \"Enabled with UEFI lock\" selected for\n \"Credential Guard Configuration:\".\n\n v1507 LTSB does not include selection options; select \"Enable Credential\n Guard\".\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:" }, - "impact": 0.5, - "refs": [], + "impact": 0.3, + "refs": [ + { + "ref": "https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard" + } + ], "tags": { - "severity": "medium", - "gtitle": "WN10-00-000135", - "gid": "V-63399", - "rid": "SV-77889r1_rule", - "stig_id": "WN10-00-000135", - "fix_id": "F-69327r1_fix", + "severity": "low", + "gtitle": "WN10-CC-000075", + "gid": "V-63599", + "rid": "SV-78089r8_rule", + "stig_id": "WN10-CC-000075", + "fix_id": "F-88433r2_fix", "cci": [ "CCI-000366" ], 
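Review bot: The mitigation assertions in the new V-77227 code compare JSON-parsed values against the strings `'true'` and `'2'` (e.g. `its(['OverrideDEP']) { should_not eq 'true' }`, `its(['ForceRelocateImages']) { should_not eq '2' }`); if `ConvertTo-Json` emits booleans and integers, as it normally does, these expectations can never fail and the control passes whatever the real mitigation state is. `Select DEP | ConvertTo-Json` also appears to nest the fields under a `DEP` key, in which case `params['OverrideDEP']` is nil at the top level and `should_not eq 'true'` passes vacuously — confirm the output shape on a test host, then assert on the typed value at its real path, e.g. `its(['DEP', 'OverrideDEP']) { should cmp false }` (likewise `['Aslr', 'ForceRelocateImages']` and the `['Payload', ...]` keys), and make the change in the source `./Windows 10 STIG/controls/V-77227.rb` rather than in this exported JSON. `input('sensitive_system') == 'true' || nil` is equivalent to the bare comparison, so the `|| nil` should be dropped; the same pattern appears in the V-77209 control in the last hunk. `registry_key(...).ReleaseId < '1709'` is a lexical string comparison that raises if the value is absent; probably acceptable for four-digit ReleaseId values, but worth a one-line comment.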
@@ -5591,35 +5579,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63399' do\n title 'A host-based firewall must be installed and enabled on the system.'\n desc \"A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000135'\n tag gid: 'V-63399'\n tag rid: 'SV-77889r1_rule'\n tag stig_id: 'WN10-00-000135'\n tag fix_id: 'F-69327r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Determine if a host-based firewall is installed and enabled on\n the system. If a host-based firewall is not installed and enabled on the\n system, this is a finding.\n\n The configuration requirements will be determined by the applicable firewall\n STIG.\"\n\n desc \"fix\", 'Install and enable a host-based firewall on the system.'\n \n query_domain = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Domain' } | Select Enabled | ConvertTo-Json\" })\n query_private = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Private' } | Select Enabled | ConvertTo-Json\" })\n query_public = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Public' } | Select Enabled | ConvertTo-Json\" })\n \n describe.one do\n describe 'Windows Firewall should be Enabled' do\n subject { query_public.params[\"Enabled\"] }\n it 'The Public host-based firewall' do\n failure_message = \"is not Enabled\"\n expect(subject).to eql(1), 
failure_message\n end\n end\n describe 'Windows Firewall should be Enabled' do\n subject { query_private.params[\"Enabled\"] }\n it 'The Private host-based firewall' do\n failure_message = \"is not enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n describe 'Windows Firewall should be Enabled' do\n subject { query_domain.params[\"Enabled\"] }\n it 'The Domain host-based firewall' do\n failure_message = \"is not Enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n end\nend\n", + "code": "control 'V-63599' do\n title 'Credential Guard must be running on Windows 10 domain-joined systems.'\n desc \"Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised. This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000075'\n tag gid: 'V-63599'\n tag rid: 'SV-78089r8_rule'\n tag stig_id: 'WN10-CC-000075'\n tag fix_id: 'F-88433r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Confirm Credential Guard is running on domain-joined systems.\n\n For standalone systems, this is NA.\n\n For those devices that support Credential Guard, this feature must be enabled.\n For devices that do not support it, there is currently an enterprise risk\n acceptance in effect, thus this check is currently categorized as a CAT III.\n Organizations need to take the appropriate action to acquire and implement\n compatible hardware with Credential 
Guard enabled.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Run \\\"PowerShell\\\" with elevated privileges (run as administrator).\n Enter the following:\n \\\"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\"\n\n If \\\"SecurityServicesRunning\\\" does not include a value of \\\"1\\\" (e.g., \\\"{1,\n 2}\\\"), this is a finding.\n\n Alternately:\n\n Run \\\"System Information\\\".\n Under \\\"System Summary\\\", verify the following:\n If \\\"Device Guard Security Services Running\\\" does not list \\\"Credential\n Guard\\\", this is finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. 
However, due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock)\n\n NOTE: The severity level for the requirement will be upgraded to CAT I\n starting January 2020.\"\n desc \"fix\", \"Virtualization based security, including Credential Guard,\n currently cannot be implemented in virtual desktop implementations (VDI) due to\n specific supporting requirements including a TPM, UEFI with Secure Boot, and\n the capability to run the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n For VDIs with persistent desktops, this may be downgraded to a CAT II only\n where administrators have specific tokens for the VDI. Administrator accounts\n on virtual desktops must only be used on systems in the VDI; they may not have\n administrative privileges on any other systems such as servers and physical\n workstations.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Device Guard >> \\\"Turn On Virtualization Based\n Security\\\" to \\\"Enabled\\\" with \\\"Enabled with UEFI lock\\\" selected for\n \\\"Credential Guard Configuration:\\\".\n\n v1507 LTSB does not include selection options; select \\\"Enable Credential\n Guard\\\".\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\"\n\n ref 'https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard'\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63599.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63599.'\n end\n elsif is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'LsaCfgFlags' }\n its('LsaCfgFlags') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63399.rb", + "ref": "./Windows 10 STIG/controls/V-63599.rb", "line": 3 }, - "id": "V-63399" + "id": "V-63599" }, { - "title": "The Create permanent shared objects user right must not be assigned to\n any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create permanent shared objects\" user right could\n expose sensitive data by creating shared objects.", + "title": "The system must be configured to audit Logon/Logoff - Account Lockout failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create permanent shared objects\" user right could\n expose sensitive data by creating shared objects.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Create permanent shared objects\"\n user right, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create permanent shared objects\" to be defined but containing no entries\n (blank)." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Account Lockout - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Account Lockout\" with \"Failure\"\n selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000055", - "gid": "V-63863", - "rid": "SV-78353r1_rule", - "stig_id": "WN10-UR-000055", - "fix_id": "F-69791r1_fix", + "gtitle": "WN10-AU-000054", + "gid": "V-71759", + "rid": "SV-86383r2_rule", + "stig_id": "WN10-AU-000054", + "fix_id": "F-78111r2_fix", "cci": [ - "CCI-002235" + "CCI-000172" ], "nist": [ - "AC-6 (10)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
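Review bot: The new V-63599 code verifies only the `LsaCfgFlags` policy value, while the check text it carries states that "the registry value alone does not ensure proper function" and asks for `SecurityServicesRunning` from `Win32_DeviceGuard` to include 1; as written, a host with the policy set but Credential Guard not actually running (unsupported hardware, no UEFI) passes. I would keep the registry check and add a `json(command:)` query of the CIM class in the `else` branch, as below (the embedded `code` string; the change belongs in `./Windows 10 STIG/controls/V-63599.rb` and this JSON re-exported). The NA gates are heuristics: `sys_info.manufacturer == 'VMware, Inc.'` treats every VMware guest as a VDI and misses VDI on other hypervisors, and `is_domain == 'WORKGROUP'` assumes the default workgroup name; a comment stating those assumptions, or an input for the VDI case, would make them reviewable. `wmic` is deprecated on newer Windows builds, so the domain lookup may need a `Get-CimInstance Win32_ComputerSystem` equivalent eventually.
```ruby
  # … unchanged: title, desc, tags, ref, is_domain lookup, VDI and workgroup NA gates …
  else
    describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard') do
      it { should have_property 'LsaCfgFlags' }
      its('LsaCfgFlags') { should cmp 1 }
    end
    # Policy alone is not sufficient (see check text): confirm Credential Guard (1) is in the running services list.
    device_guard = json(command: 'Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select SecurityServicesRunning | ConvertTo-Json').params
    describe 'Credential Guard should be reported as running by Win32_DeviceGuard' do
      subject { Array(device_guard['SecurityServicesRunning']) }
      it { should include 1 }
    end
  end
```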
@@ -5633,35 +5621,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63863' do\n title \"The Create permanent shared objects user right must not be assigned to\n any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Create permanent shared objects\\\" user right could\n expose sensitive data by creating shared objects.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000055'\n tag gid: 'V-63863'\n tag rid: 'SV-78353r1_rule'\n tag stig_id: 'WN10-UR-000055'\n tag fix_id: 'F-69791r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Create permanent shared objects\\\"\n user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create permanent shared objects\\\" to be defined but containing no entries\n (blank).\"\n\n describe security_policy do\n its('SeCreatePermanentPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-71759' do\n title 'The system must be configured to audit Logon/Logoff - Account Lockout failures.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze 
compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000054'\n tag gid: 'V-71759'\n tag rid: 'SV-86383r2_rule'\n tag stig_id: 'WN10-AU-000054'\n tag fix_id: 'F-78111r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Account Lockout - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Account Lockout\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Account Lockout') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Account Lockout') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63863.rb", + "ref": "./Windows 10 STIG/controls/V-71759.rb", "line": 3 }, - "id": "V-63863" + "id": "V-71759" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for FLTLDR.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The Access this computer from the network user right must only be\n assigned to the Administrators and Remote Desktop Users groups.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Access this computer from the network\" user right may\n access resources on the system, and must be limited to those that require it.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name FLTLDR.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Override DEP: False\n\n ImageLoad:\n ImageLoad OverrideBlockRemoteImagesLoads: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for FLTLDR.EXE:\n\n DEP:\n Override DEP: False\n\n ImageLoad:\n ImageLoad OverrideBlockRemoteImagesLoads: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Access this computer from the network\" user right may\n access resources on the system, and must be limited to those that require it.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Access\n this computer from the network\" user right, this is a finding:\n\n Administrators\n Remote Desktop Users\n\n If a domain application account such as for a management tool requires this\n user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account, managed at the domain level, must meet requirements\n for application account passwords, such as length and frequency of changes as\n defined in the Windows server STIGs.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Access this computer from the network\" to only include the following groups\n or accounts:\n\n Administrators\n Remote Desktop Users" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000120", - "gid": "V-77209", - "rid": "SV-91905r3_rule", - "stig_id": "WN10-EP-000120", - "fix_id": "F-84341r4_fix", + "gtitle": "WN10-UR-000010", + "gid": "V-63845", + "rid": "SV-78335r3_rule", + "stig_id": "WN10-UR-000010", + "fix_id": "F-81289r1_fix", "cci": [ - "CCI-000366" + "CCI-000213" ], "nist": [ - "CM-6 b", + "AC-3", "Rev_4" ], "false_negatives": null, 
@@ -5675,35 +5663,47 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77209' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for FLTLDR.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000120'\n tag gid: 'V-77209'\n tag rid: 'SV-91905r3_rule'\n tag stig_id: 'WN10-EP-000120'\n tag fix_id: 'F-84341r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name FLTLDR.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Override DEP: False\n\n ImageLoad:\n ImageLoad OverrideBlockRemoteImagesLoads: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for FLTLDR.EXE:\n\n DEP:\n Override DEP: False\n\n ImageLoad:\n ImageLoad OverrideBlockRemoteImagesLoads: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name FLTLDR.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be enabled on FLTLDR' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n imageload = json( command: 'Get-ProcessMitigation -Name FLTLDR.EXE | Select ImageLoad | ConvertTo-Json').params\n describe 'OverRide ImageLoad Block Remote Image Loads is required to be false on FLTLDR' do\n subject { imageload }\n its(['OverrideBlockRemoteImageLoads']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name FLTLDR.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Adobe Reader' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n child_process = json( command: 'Get-ProcessMitigation -Name FLTLDR.EXE | Select ChildProcess | ConvertTo-Json').params\n describe 'OverRide Child Process is required to be false on FLTLDR' do\n subject { child_process }\n its(['OverrideChildProcess']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-63845' do\n title \"The Access this computer from the network user right must only be\n assigned to the Administrators and Remote Desktop Users groups.\"\n desc \"Inappropriate granting of user rights can provide system,\n 
administrative, and other high level capabilities.\n\n Accounts with the \\\"Access this computer from the network\\\" user right may\n access resources on the system, and must be limited to those that require it.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000010'\n tag gid: 'V-63845'\n tag rid: 'SV-78335r3_rule'\n tag stig_id: 'WN10-UR-000010'\n tag fix_id: 'F-81289r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Access\n this computer from the network\\\" user right, this is a finding:\n\n Administrators\n Remote Desktop Users\n\n If a domain application account such as for a management tool requires this\n user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account, managed at the domain level, must meet requirements\n for application account passwords, such as length and frequency of changes as\n defined in the Windows server STIGs.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Access this computer from the network\\\" to only include the following groups\n or accounts:\n\n Administrators\n Remote Desktop Users\"\n\n describe security_policy do\n 
its('SeNetworkLogonRight') { should be_in ['S-1-5-32-544', 'S-1-5-32-555'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77209.rb", + "ref": "./Windows 10 STIG/controls/V-63845.rb", "line": 3 }, - "id": "V-77209" + "id": "V-63845" }, { - "title": "The Windows Defender SmartScreen for Explorer must be enabled.", - "desc": "Windows Defender SmartScreen helps protect systems from programs\n downloaded from the internet that may be malicious. Enabling Windows Defender\n SmartScreen will warn or prevent users from running potentially malicious\n programs.", + "title": "The system must be configured to audit Account Management - User\n Account Management failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", "descriptions": { - "default": "Windows Defender SmartScreen helps protect systems from programs\n downloaded from the internet that may be malicious. 
Enabling Windows Defender\n SmartScreen will warn or prevent users from running potentially malicious\n programs.", - "check": "This is applicable to unclassified systems, for other systems\n this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n And\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: ShellSmartScreenLevel\n\n Value Type: REG_SZ\n Value: Block\n\n v1607 LTSB:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n v1507 LTSB:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> File Explorer >> \"Configure\n Windows Defender SmartScreen\" to \"Enabled\" with \"Warn and prevent bypass\"\n selected.\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Explorer.\n\n v1607 LTSB:\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> File Explorer >> \"Configure Windows\n SmartScreen\" to \"Enabled\". 
(Selection options are not available.)\n\n v1507 LTSB:\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> File Explorer >> \"Configure Windows\n SmartScreen\" to \"Enabled\" with \"Require approval from an administrator\n before running downloaded unknown software\" selected." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Account Management >> User Account Management - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \"Audit User Account Management\" with\n \"Failure\" selected." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000210", - "gid": "V-63685", - "rid": "SV-78175r6_rule", - "stig_id": "WN10-CC-000210", - "fix_id": "F-98461r1_fix", + "gtitle": "WN10-AU-000035", + "gid": "V-63447", + "rid": "SV-77937r1_rule", + "stig_id": "WN10-AU-000035", + "fix_id": "F-69375r1_fix", "cci": [ - "CCI-000381" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130", + "CCI-002234" ], "nist": [ - "CM-7 a", + "AC-2 (4)", + "AU-12 c", + "AC-2 (4)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2\n(4)", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
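Review bot: The new `nist` tag for V-63447 contains the entry `"AC-2\n(4)"` with an embedded newline next to four plain `"AC-2 (4)"` entries, and the same string appears in the `tag nist:` line of the embedded control code in the next hunk (L2184); any consumer that groups or filters controls by NIST identifier will treat the newline variant as a different control, so it should read `"AC-2 (4)"` in both places. The repetition itself looks like a positional mapping to the seven `cci` entries (four of which map to AC-2 (4)), so I would keep the count and only fix the wrapped entry rather than dedupe. Separately, V-63845's `its('SeNetworkLogonRight') { should be_in ['S-1-5-32-544', 'S-1-5-32-555'] }` hard-codes the two allowed SIDs while its check text permits a documented domain application account; a documented exception will show as a failure unless the allowed list is extended via an input, which would be worth a comment in the control if that is intended.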
@@ -5717,30 +5717,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63685' do\n title 'The Windows Defender SmartScreen for Explorer must be enabled.'\n desc \"Windows Defender SmartScreen helps protect systems from programs\n downloaded from the internet that may be malicious. Enabling Windows Defender\n SmartScreen will warn or prevent users from running potentially malicious\n programs.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000210'\n tag gid: 'V-63685'\n tag rid: 'SV-78175r6_rule'\n tag stig_id: 'WN10-CC-000210'\n tag fix_id: 'F-98461r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems, for other systems\n this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n And\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: ShellSmartScreenLevel\n\n Value Type: REG_SZ\n Value: Block\n\n v1607 LTSB:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n v1507 LTSB:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n\n desc 
'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> File Explorer >> \\\"Configure\n Windows Defender SmartScreen\\\" to \\\"Enabled\\\" with \\\"Warn and prevent bypass\\\"\n selected.\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Explorer.\n\n v1607 LTSB:\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> File Explorer >> \\\"Configure Windows\n SmartScreen\\\" to \\\"Enabled\\\". (Selection options are not available.)\n\n v1507 LTSB:\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> File Explorer >> \\\"Configure Windows\n SmartScreen\\\" to \\\"Enabled\\\" with \\\"Require approval from an administrator\n before running downloaded unknown software\\\" selected.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'ShellSmartScreenLevel' }\n its('ShellSmartScreenLevel') { should cmp 'Block' }\n end\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'EnableSmartScreen' }\n its('EnableSmartScreen') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'EnableSmartScreen' }\n its('EnableSmartScreen') { should cmp 2 }\n end\n end\n end\nend\n", + "code": "control 'V-63447' do\n title \"The system must be configured to audit Account Management - User\n Account Management failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000035'\n tag gid: 'V-63447'\n tag rid: 'SV-77937r1_rule'\n tag stig_id: 'WN10-AU-000035'\n tag fix_id: 'F-69375r1_fix'\n tag cci: %w[CCI-000018 CCI-000172 CCI-001403 CCI-001404\n CCI-001405 CCI-002130 CCI-002234]\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', \"AC-2\n(4)\", 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Management >> User Account Management - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \\\"Audit User Account Management\\\" with\n \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Failure' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63685.rb", + "ref": "./Windows 10 STIG/controls/V-63447.rb", "line": 3 }, - "id": "V-63685" + "id": "V-63447" }, { - "title": "The Windows Defender SmartScreen filter for Microsoft Edge must be\n enabled.", - "desc": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites.", + "title": "The system must be configured to meet the minimum session security\n requirement for NTLM SSP based servers.", + "desc": "Microsoft has implemented a variety of security support providers for\n use with RPC sessions. 
All of the options must be enabled to ensure the\n maximum security level.", "descriptions": { - "default": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites.", - "check": "This is applicable to unclassified systems, for other systems\n this is NA.\n\n Windows 10 LTSC\\B versions do not include Microsoft Edge, this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter\\\n\n Value Name: EnabledV9\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \"Configure\n Windows Defender SmartScreen\" to \"Enabled\".\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Microsoft Edge." + "default": "Microsoft has implemented a variety of security support providers for\n use with RPC sessions. All of the options must be enabled to ensure the\n maximum security level.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Minimum session security for NTLM SSP based (including\n secure RPC) servers\" to \"Require NTLMv2 session security\" and \"Require\n 128-bit encryption\" (all options selected)." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000250", - "gid": "V-63713", - "rid": "SV-78203r6_rule", - "stig_id": "WN10-CC-000250", - "fix_id": "F-98467r1_fix", + "gtitle": "WN10-SO-000220", + "gid": "V-63807", + "rid": "SV-78297r1_rule", + "stig_id": "WN10-SO-000220", + "fix_id": "F-69735r1_fix", "cci": [ "CCI-000366" ], 
@@ -5759,35 +5759,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63713' do\n title \"The Windows Defender SmartScreen filter for Microsoft Edge must be\n enabled.\"\n desc \"The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000250'\n tag gid: 'V-63713'\n tag rid: 'SV-78203r6_rule'\n tag stig_id: 'WN10-CC-000250'\n tag fix_id: 'F-98467r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems, for other systems\n this is NA.\n\n Windows 10 LTSC\\\\B versions do not include Microsoft Edge, this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\PhishingFilter\\\\\n\n Value Name: EnabledV9\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \\\"Configure\n Windows Defender SmartScreen\\\" to \\\"Enabled\\\".\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Microsoft Edge.\"\n\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ProductName == 'Windows 10 Enterprise 2016 LTSB' || registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ProductName == 'Windows 10 Enterprise 2016 LTSC'\n impact 0.0\n describe 'This System is running either Windows 10 LTSB or Windows 10 LTSC, The Control is NA' do\n skip 'This System is running either Windows 10 LTSB or Windows 10 LTSC, The Control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter') do\n it { should have_property 'EnabledV9' }\n its('EnabledV9') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63807' do\n title \"The system must be configured to meet the minimum session security\n requirement for NTLM SSP based servers.\"\n desc \"Microsoft has implemented a variety of security support providers for\n use with RPC sessions. 
All of the options must be enabled to ensure the\n maximum security level.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000220'\n tag gid: 'V-63807'\n tag rid: 'SV-78297r1_rule'\n tag stig_id: 'WN10-SO-000220'\n tag fix_id: 'F-69735r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Minimum session security for NTLM SSP based (including\n secure RPC) servers\\\" to \\\"Require NTLMv2 session security\\\" and \\\"Require\n 128-bit encryption\\\" (all options selected).\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0') do\n it { should have_property 'NTLMMinServerSec' }\n its('NTLMMinServerSec') { should cmp 537_395_200 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63713.rb", + "ref": "./Windows 10 STIG/controls/V-63807.rb", "line": 3 }, - "id": "V-63713" + "id": "V-63807" }, { - "title": "The External Root CA certificates must be installed in the Trusted\n Root Store on unclassified systems.", - "desc": "To ensure secure websites protected with External Certificate\n Authority (ECA) server certificates are properly validated, the system must\n trust the ECA Root CAs. 
The ECA root certificates will ensure the trust chain\n is established for server certificates issued from the External CAs. This\n requirement only applies to unclassified systems.", + "title": "The Deny log on as a batch job user right on domain-joined\n workstations must be configured to prevent access from highly privileged domain\n accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Deny log on as a batch job\" right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.", "descriptions": { - "default": "To ensure secure websites protected with External Certificate\n Authority (ECA) server certificates are properly validated, the system must\n trust the ECA Root CAs. The ECA root certificates will ensure the trust chain\n is established for server certificates issued from the External CAs. This\n requirement only applies to unclassified systems.", - "check": "Verify the ECA Root CA certificates are installed on unclassified\n systems as Trusted Root Certification Authorities.\n\n Run \"PowerShell\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine oot | Where Subject -Like \"*ECA*\" | FL Subject, Thumbprint, NotAfter\n\n If the following certificate \"Subject\" and \"Thumbprint\" information is not\n displayed, this is finding.\n\n If an expired certificate (\"NotAfter\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US\n Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4\n NotAfter: 3/30/2028\n\n Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. 
Government, C=US\n Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582\n NotAfter: 12/30/2029\n\n Alternately use the Certificates MMC snap-in:\n\n Run \"MMC\".\n\n Select \"File\", \"Add/Remove Snap-in\".\n\n Select \"Certificates\", click \"Add\".\n\n Select \"Computer account\", click \"Next\".\n\n Select \"Local computer: (the computer this console is running on)\", click\n \"Finish\".\n\n Click \"OK\".\n\n Expand \"Certificates\" and navigate to \"Trusted Root Certification\n Authorities >> Certificates\".\n\n For each of the ECA Root CA certificates noted below:\n\n Right-click on the certificate and select \"Open\".\n\n Select the \"Details\" Tab.\n\n Scroll to the bottom and select \"Thumbprint\".\n\n If the ECA Root CA certificates below are not listed or the value for the\n \"Thumbprint\" field is not as noted, this is a finding.\n\n If an expired certificate (\"Valid to\" date) is not listed in the results,\n this is not a finding.\n\n ECA Root CA 2\n Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4\n Valid to: Thursday, March 30, 2028\n\n ECA Root CA 4\n Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582\n Valid to: Sunday, December 30, 2029", - "fix": "Install the ECA Root CA certificates on unclassified systems.\n ECA Root CA 2\n ECA Root CA 4\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Deny log on as a batch job\" right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.", + "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny log on as a\n batch job\" right, this is a finding:\n\n Domain Systems Only:\n Enterprise Admin Group\n Domain Admin Group", + "fix": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log on\n as a batch job\" to include the following.\n\n Domain Systems Only:\n Enterprise Admin Group\n Domain Admin Group" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-PK-000010", - "gid": "V-63583", - "rid": "SV-78073r3_rule", - "stig_id": "WN10-PK-000010", - "fix_id": "F-76981r2_fix", + "gtitle": "WN10-UR-000075", + "gid": "V-63873", + "rid": "SV-78363r1_rule", + "stig_id": "WN10-UR-000075", + "fix_id": "F-69801r1_fix", "cci": [ - "CCI-000185" + "CCI-000213" ], "nist": [ - "IA-5 (2) (a)", + "AC-3", "Rev_4" ], "false_negatives": null, 
@@ -5801,35 +5801,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63583' do\n title \"The External Root CA certificates must be installed in the Trusted\n Root Store on unclassified systems.\"\n desc \"To ensure secure websites protected with External Certificate\n Authority (ECA) server certificates are properly validated, the system must\n trust the ECA Root CAs. The ECA root certificates will ensure the trust chain\n is established for server certificates issued from the External CAs. This\n requirement only applies to unclassified systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-PK-000010'\n tag gid: 'V-63583'\n tag rid: 'SV-78073r3_rule'\n tag stig_id: 'WN10-PK-000010'\n tag fix_id: 'F-76981r2_fix'\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (a)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the ECA Root CA certificates are installed on unclassified\n systems as Trusted Root Certification Authorities.\n\n Run \\\"PowerShell\\\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\n oot | Where Subject -Like \\\"*ECA*\\\" | FL Subject, Thumbprint, NotAfter\n\n If the following certificate \\\"Subject\\\" and \\\"Thumbprint\\\" information is not\n displayed, this is finding.\n\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US\n Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4\n NotAfter: 3/30/2028\n\n Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. 
Government, C=US\n Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582\n NotAfter: 12/30/2029\n\n Alternately use the Certificates MMC snap-in:\n\n Run \\\"MMC\\\".\n\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n\n Select \\\"Certificates\\\", click \\\"Add\\\".\n\n Select \\\"Computer account\\\", click \\\"Next\\\".\n\n Select \\\"Local computer: (the computer this console is running on)\\\", click\n \\\"Finish\\\".\n\n Click \\\"OK\\\".\n\n Expand \\\"Certificates\\\" and navigate to \\\"Trusted Root Certification\n Authorities >> Certificates\\\".\n\n For each of the ECA Root CA certificates noted below:\n\n Right-click on the certificate and select \\\"Open\\\".\n\n Select the \\\"Details\\\" Tab.\n\n Scroll to the bottom and select \\\"Thumbprint\\\".\n\n If the ECA Root CA certificates below are not listed or the value for the\n \\\"Thumbprint\\\" field is not as noted, this is a finding.\n\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results,\n this is not a finding.\n\n ECA Root CA 2\n Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4\n Valid to: Thursday, March 30, 2028\n\n ECA Root CA 4\n Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582\n Valid to: Sunday, December 30, 2029\"\n\n desc 'fix', \"Install the ECA Root CA certificates on unclassified systems.\n ECA Root CA 2\n ECA Root CA 4\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_eca_certificates = JSON.parse(input('dod_eca_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\root | Where {$_.Subject -Like \"*ECA Root*\"} | Select Subject, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The ECA Root CA certificates cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_eca_certificates }\n end\n end\nend\n", + "code": "control 'V-63873' do\n title \"The Deny log on as a batch job user right on domain-joined\n workstations must be configured to prevent access from highly privileged domain\n accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Deny log on as a batch job\\\" right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000075'\n tag gid: 'V-63873'\n tag rid: 'SV-78363r1_rule'\n tag stig_id: 'WN10-UR-000075'\n tag fix_id: 'F-69801r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Verify the effective setting in Local Group Policy 
Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny log on as a\n batch job\\\" right, this is a finding:\n\n Domain Systems Only:\n Enterprise Admin Group\n Domain Admin Group\"\n desc 'fix', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log on\n as a batch job\\\" to include the following.\n\n Domain Systems Only:\n Enterprise Admin Group\n Domain Admin Group\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This requirement is applicable to domain-joined systems, for standalone systems this is NA' do\n skip 'This requirement is applicable to domain-joined systems, for standalone systems this is NA'\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n\n describe security_policy do\n its('SeDenyBatchLogonRight') { should be_in [\"#{domain_admin_sid}\", \"#{enterprise_admin_sid}\"] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63583.rb", + "ref": "./Windows 10 STIG/controls/V-63873.rb", "line": 3 }, - "id": "V-63583" + 
"id": "V-63873" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for MSPUB.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The system must be configured to audit Policy Change - Audit Policy\n Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name MSPUB.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for MSPUB.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Policy Change >> Audit Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \"Audit Audit Policy Change\" with\n \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000190", - "gid": "V-77233", - "rid": "SV-91929r3_rule", - "stig_id": "WN10-EP-000190", - "fix_id": "F-84361r4_fix", + "gtitle": "WN10-AU-000100", + "gid": "V-63479", + "rid": "SV-77969r2_rule", + "stig_id": "WN10-AU-000100", + "fix_id": "F-69409r2_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
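Review bot: The final `security_policy` assertion in the new V-63873 code tests the wrong direction: `its('SeDenyBatchLogonRight') { should be_in [domain_admin_sid, enterprise_admin_sid] }` passes when every SID currently holding the right is one of the two groups, so a right assigned only to Domain Admins, or assigned to nobody at all, is reported compliant even though the check text requires both groups to be present. Replace it with two inclusion checks, `its('SeDenyBatchLogonRight') { should include domain_admin_sid }` and `its('SeDenyBatchLogonRight') { should include enterprise_admin_sid }`, so a missing group is a finding. The NA gate also relies on `wmic computersystem get domain`, which is deprecated and may be absent on newer Windows builds; an empty stdout is not `'WORKGROUP'`, so a standalone machine would fall through to the `NTAccount('Domain Admins')` translation and error rather than being skipped — a more robust gate is `(Get-CimInstance Win32_ComputerSystem).PartOfDomain`. Since the `Enterprise Admins` group lives in the forest root, the unqualified `NTAccount('Enterprise Admins')` lookup may also fail on members of child domains; worth confirming in a multi-domain forest.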
@@ -5843,35 +5843,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77233' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for MSPUB.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000190'\n tag gid: 'V-77233'\n tag rid: 'SV-91929r3_rule'\n tag stig_id: 'WN10-EP-000190'\n tag fix_id: 'F-84361r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name MSPUB.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for MSPUB.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n \n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name MSPUB.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Publisher' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name MSPUB.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Publisher' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name MSPUB.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Publisher' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", + "code": "control 'V-63479' do\n title \"The system must be configured to audit Policy Change - Audit Policy\n Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000100'\n tag gid: 'V-63479'\n tag rid: 'SV-77969r2_rule'\n tag stig_id: 'WN10-AU-000100'\n tag fix_id: 'F-69409r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Policy Change >> Audit Policy Change - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \\\"Audit Audit Policy Change\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77233.rb", + "ref": "./Windows 10 STIG/controls/V-63479.rb", "line": 3 }, - "id": "V-77233" + "id": "V-63479" }, { - "title": "The system must be configured to audit System - IPSec Driver failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPSec Driver records events related to the IPSec Driver such as dropped\n packets.", + "title": "Local accounts with blank passwords must be restricted to prevent\n access from the network.", + "desc": "An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should\n prevent accounts with blank passwords from existing on a system. 
However, if a\n local account with a blank password did exist, enabling this setting will\n prevent network access, limiting the account to local console logon only.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPSec Driver records events related to the IPSec Driver such as dropped\n packets.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> IPSec Driver - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit IPSec Driver\" with \"Failure\" selected." + "default": "An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should\n prevent accounts with blank passwords from existing on a system. 
However, if a\n local account with a blank password did exist, enabling this setting will\n prevent network access, limiting the account to local console logon only.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Limit local account use of blank passwords to console logon only\"\n to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000120", - "gid": "V-63491", - "rid": "SV-77981r1_rule", - "stig_id": "WN10-AU-000120", - "fix_id": "F-69421r1_fix", + "gtitle": "WN10-SO-000015", + "gid": "V-63617", + "rid": "SV-78107r1_rule", + "stig_id": "WN10-SO-000015", + "fix_id": "F-69547r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -5885,35 +5885,68 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63491' do\n title 'The system must be configured to audit System - IPSec Driver failures.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPSec Driver records events related to the IPSec Driver such as dropped\n packets.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000120'\n tag gid: 'V-63491'\n tag rid: 'SV-77981r1_rule'\n tag stig_id: 'WN10-AU-000120'\n tag fix_id: 'F-69421r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> IPSec Driver - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit IPSec Driver\\\" with \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Failure' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-63617' do\n title \"Local accounts with blank passwords must be restricted to prevent\n access from the network.\"\n desc \"An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should\n prevent accounts with blank passwords from existing on a system. 
However, if a\n local account with a blank password did exist, enabling this setting will\n prevent network access, limiting the account to local console logon only.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000015'\n tag gid: 'V-63617'\n tag rid: 'SV-78107r1_rule'\n tag stig_id: 'WN10-SO-000015'\n tag fix_id: 'F-69547r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Limit local account use of blank passwords to console logon only\\\"\n to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'LimitBlankPasswordUse' }\n its('LimitBlankPasswordUse') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63491.rb", + "ref": "./Windows 10 STIG/controls/V-63617.rb", "line": 3 }, - "id": "V-63491" + "id": "V-63617" }, { - "title": "Connections to non-domain networks when connected to a domain\n authenticated network must be blocked.", - "desc": "Multiple network connections can provide additional attack vectors to\n a system and should be limited. 
When connected to a domain, communication must\n go through the domain connection.", + "title": "Windows 10 must be configured to audit Detailed File Share Failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Detailed File Share allows you to audit attempts to access files and\nfolders on a shared folder.\n The Detailed File Share setting logs an event every time a file or folder\nis accessed, whereas the File Share setting only records one event for any\nconnection established between a client and file share. Detailed File Share\naudit events include detailed information about the permissions or other\ncriteria used to grant or deny access.", "descriptions": { - "default": "Multiple network connections can provide additional attack vectors to\n a system and should be limited. When connected to a domain, communication must\n go through the domain connection.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy\\\n\n Value Name: fBlockNonDomain\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Windows Connection Manager >> \"Prohibit\n connection to non-domain networks when connected to domain authenticated\n network\" to \"Enabled\"." 
+ "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Detailed File Share allows you to audit attempts to access files and\nfolders on a shared folder.\n The Detailed File Share setting logs an event every time a file or folder\nis accessed, whereas the File Share setting only records one event for any\nconnection established between a client and file share. Detailed File Share\naudit events include detailed information about the permissions or other\ncriteria used to grant or deny access.", + "rationale": "", + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Object Access >> Detailed File Share - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> “Detailed File Share\" with\n\"Failure\" selected." 
+ },
+ "impact": 0.5,
+ "refs": [],
+ "tags": {
+ "severity": null,
+ "gtitle": "WN10-AU-000570",
+ "gid": "V-99545",
+ "rid": "SV-108649r1_rule",
+ "stig_id": "WN10-AU-000570",
+ "fix_id": "F-105229r1_fix",
+ "cci": [
+ "CCI-000130"
+ ],
+ "nist": [
+ "AU-3",
+ "Rev_4"
+ ]
+ },
+ "code": "control \"V-99545\" do\n title \"Windows 10 must be configured to audit Detailed File Share Failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Detailed File Share allows you to audit attempts to access files and\nfolders on a shared folder.\n The Detailed File Share setting logs an event every time a file or folder\nis accessed, whereas the File Share setting only records one event for any\nconnection established between a client and file share. 
Detailed File Share\naudit events include detailed information about the permissions or other\ncriteria used to grant or deny access.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000570\"\n tag gid: \"V-99545\"\n tag rid: \"SV-108649r1_rule\"\n tag stig_id: \"WN10-AU-000570\"\n tag fix_id: \"F-105229r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Object Access >> Detailed File Share - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> “Detailed File Share\\\" with\n\\\"Failure\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('Detailed File Share') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Detailed File Share') { should eq 'Success and Failure' }\n end\n end\nend", + "source_location": { + "ref": "./Windows 10 STIG/controls/V-99545.rb", + "line": 3 + }, + "id": "V-99545" + }, + { + "title": "Non system-created file shares on a system must limit access to groups\n that require it.", + "desc": "Shares which provide network access, should not typically exist on a\n workstation except for system-created administrative shares, and could\n potentially expose sensitive information. 
If a share is necessary, share\n permissions, as well as NTFS permissions, must be reconfigured to give the\n minimum access to those accounts that require it.", + "descriptions": { + "default": "Shares which provide network access, should not typically exist on a\n workstation except for system-created administrative shares, and could\n potentially expose sensitive information. If a share is necessary, share\n permissions, as well as NTFS permissions, must be reconfigured to give the\n minimum access to those accounts that require it.", + "check": "Non system-created shares should not typically exist on\n workstations.\n\n If only system-created shares exist on the system this is NA.\n\n Run \"Computer Management\".\n Navigate to System Tools >> Shared Folders >> Shares.\n\n If the only shares listed are \"ADMIN$\", \"C$\" and \"IPC$\", this is NA.\n (Selecting Properties for system-created shares will display a message that it\n has been shared for administrative purposes.)\n\n Right click any non-system-created shares.\n Select \"Properties\".\n Select the \"Share Permissions\" tab.\n\n Verify the necessity of any shares found.\n If the file shares have not been reconfigured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\n\n Select the \"Security\" tab.\n\n If the NTFS permissions have not been reconfigured to restrict permissions to\n the specific groups or accounts that require access, this is a finding.", + "fix": "If a non system-created share is required on a system, configure\n the share and NTFS permissions to limit access to the specific groups or\n accounts that require it.\n\n Remove any unnecessary non-system created shares." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-CC-000060",
- "gid": "V-63585",
- "rid": "SV-78075r1_rule",
- "stig_id": "WN10-CC-000060",
- "fix_id": "F-69515r1_fix",
+ "gtitle": "WN10-00-000060",
+ "gid": "V-63357",
+ "rid": "SV-77847r1_rule",
+ "stig_id": "WN10-00-000060",
+ "fix_id": "F-69277r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001090"
 ],
 "nist": [
- "CM-6 b",
+ "SC-4",
 "Rev_4"
 ],
 "false_negatives": null, 
@@ -5927,37 +5960,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63585' do\n title \"Connections to non-domain networks when connected to a domain\n authenticated network must be blocked.\"\n desc \"Multiple network connections can provide additional attack vectors to\n a system and should be limited. When connected to a domain, communication must\n go through the domain connection.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000060'\n tag gid: 'V-63585'\n tag rid: 'SV-78075r1_rule'\n tag stig_id: 'WN10-CC-000060'\n tag fix_id: 'F-69515r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WcmSvc\\\\GroupPolicy\\\\\n\n Value Name: fBlockNonDomain\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Windows Connection Manager >> \\\"Prohibit\n connection to non-domain networks when connected to domain authenticated\n network\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy') do\n it { should have_property 'fBlockNonDomain' }\n its('fBlockNonDomain') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63357' do\n title \"Non system-created file shares on a system must limit access to groups\n that require it.\"\n desc \"Shares which provide network access, should not typically exist on a\n workstation except for 
system-created administrative shares, and could\n potentially expose sensitive information. If a share is necessary, share\n permissions, as well as NTFS permissions, must be reconfigured to give the\n minimum access to those accounts that require it.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000060'\n tag gid: 'V-63357'\n tag rid: 'SV-77847r1_rule'\n tag stig_id: 'WN10-00-000060'\n tag fix_id: 'F-69277r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Non system-created shares should not typically exist on\n workstations.\n\n If only system-created shares exist on the system this is NA.\n\n Run \\\"Computer Management\\\".\n Navigate to System Tools >> Shared Folders >> Shares.\n\n If the only shares listed are \\\"ADMIN$\\\", \\\"C$\\\" and \\\"IPC$\\\", this is NA.\n (Selecting Properties for system-created shares will display a message that it\n has been shared for administrative purposes.)\n\n Right click any non-system-created shares.\n Select \\\"Properties\\\".\n Select the \\\"Share Permissions\\\" tab.\n\n Verify the necessity of any shares found.\n If the file shares have not been reconfigured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\n\n Select the \\\"Security\\\" tab.\n\n If the NTFS permissions have not been reconfigured to restrict permissions to\n the specific groups or accounts that require access, this is a finding.\"\n\n desc \"fix\", \"If a non system-created share is required on a system, configure\n the share and NTFS permissions to limit access to the specific groups or\n accounts that require it.\n\n Remove any unnecessary non-system created shares.\"\n\n 
share_names = []\n share_paths = []\n get = command('Get-WMIObject -Query \"SELECT * FROM Win32_Share\" | Findstr /V \"Name --\"').stdout.strip.split(\"\\n\")\n\n get.each do |share|\n loc_space = share.index(' ')\n\n names = share[0..loc_space - 1]\n\n share_names.push(names)\n path = share[9..50]\n share_paths.push(path)\n end\n\n share_names_string = share_names.join(',')\n\n if share_names_string != 'ADMIN$,C$,IPC$'\n\n [share_paths, share_names].each do |path1, _name1|\n describe command(\"Get-Acl -Path '#{path1}' | Format-List | Findstr /i /C:'Everyone Allow'\") do\n its('stdout') { should eq '' }\n end\n end\n end\n\n if share_names_string == 'ADMIN$,C$,IPC$'\n impact 0.0\n describe 'The default files shares exist' do\n skip 'This control is NA'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63585.rb", + "ref": "./Windows 10 STIG/controls/V-63357.rb", "line": 3 }, - "id": "V-63585" + "id": "V-63357" }, { - "title": "The DoD Interoperability Root CA cross-certificates must be installed\n in the Untrusted Certificates Store on unclassified systems.", - "desc": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", - "descriptions": { - "default": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. 
This\n requirement only applies to unclassified systems.", - "check": "Verify the DoD Interoperability cross-certificates are installed\n on unclassified systems as Untrusted Certificates.\n\n Run \"PowerShell\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where {$_.Issuer -Like\n \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | FL Subject,\n Issuer, Thumbprint, NotAfter\n\n If the following certificate \"Subject\", \"Issuer\", and \"Thumbprint\",\n information is not displayed, this is finding.\n\n If an expired certificate (\"NotAfter\" date) is not listed in the results,\n this is not a finding.\n\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government,\n C=US\n Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341\n NotAfter: 1/22/2022\n\n Alternately use the Certificates MMC snap-in:\n\n Run \"MMC\".\n\n Select \"File\", \"Add/Remove Snap-in\".\n\n Select \"Certificates\", click \"Add\".\n\n Select \"Computer account\", click \"Next\".\n\n Select \"Local computer: (the computer this console is running on)\", click\n \"Finish\".\n\n Click \"OK\".\n\n Expand \"Certificates\" and navigate to \"Untrusted Certificates >>\n Certificates\".\n\n For each certificate with \"DoD Root CA…\" under \"Issued To\" and \"DoD\n Interoperability Root CA…\" under \"Issued By\":\n\n Right-click on the certificate and select \"Open\".\n\n Select the \"Details\" Tab.\n\n Scroll to the bottom and select \"Thumbprint\".\n\n If the certificates below are not listed or the value for the \"Thumbprint\"\n field is not as noted, this is a finding.\n\n If an expired certificate (\"Valid to\" date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341\n Valid to: Saturday, January 22, 2022", - "fix": "Install the DoD Interoperability Root CA cross-certificates on\n unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 -\n 22BBE981F0694D246CC1472ED2B021DC8540A22F\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n AC06108CA348CC03B53795C64BF84403C1DBD341\n\n The certificates can be installed using the InstallRoot tool. The tool and user\n guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
+ "title": "User Account Control must, at minimum, prompt administrators for\n consent on the secure desktop.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged on administrators\n to complete a task that requires raised privileges.", + "descriptions": { + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged on administrators\n to complete a task that requires raised privileges.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 2 (Prompt for consent on the secure desktop)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Behavior of the elevation prompt for administrators in Admin\n Approval Mode\" to \"Prompt for consent on the secure desktop\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-PK-000015", - "gid": "V-63587", - "rid": "SV-78077r5_rule", - "stig_id": "WN10-PK-000015", - "fix_id": "F-98441r3_fix", + "gtitle": "WN10-SO-000250", + "gid": "V-63819", + "rid": "SV-78309r1_rule", + "stig_id": "WN10-SO-000250", + "fix_id": "F-69747r1_fix", "cci": [ - "CCI-000185", - "CCI-002470" + "CCI-001084" ], "nist": [ - "IA-5 (2) (a)", - "SC-23 (5)", + "SC-3", "Rev_4" ], "false_negatives": null, 
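Review bot: In the new `code` for V-63357, `[share_paths, share_names].each do |path1, _name1|` iterates over the two arrays themselves, so `path1` is bound to the whole `share_paths` array on the first pass (and to `share_names` on the second) rather than to each share path, and the interpolated `Get-Acl -Path '#{path1}'` command never receives a single path; the pairing the author appears to intend is `share_paths.zip(share_names).each do |path1, _name1|`. The path is also taken by the fixed column slice `path = share[9..50]`, which presumably assumes one particular Findstr column layout and yields a wrong path for share names longer than that column, and `share[0..loc_space - 1]` raises when a line contains no space (`loc_space` is nil). The NA decision `share_names_string != 'ADMIN$,C$,IPC$'` further depends on WMI returning exactly those three shares in that order, so an additional system share or a different order silently runs the ACL check instead of marking the control NA. Since this JSON looks like an exported profile, the fix belongs in `./Windows 10 STIG/controls/V-63357.rb` followed by a re-export.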
@@ -5971,35 +6002,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63587' do\n title \"The DoD Interoperability Root CA cross-certificates must be installed\n in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-PK-000015'\n tag gid: 'V-63587'\n tag rid: 'SV-78077r5_rule'\n tag stig_id: 'WN10-PK-000015'\n tag fix_id: 'F-98441r3_fix'\n tag cci: %w[CCI-000185 CCI-002470]\n tag nist: ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the DoD Interoperability cross-certificates are installed\n on unclassified systems as Untrusted Certificates.\n\n Run \\\"PowerShell\\\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where {$_.Issuer -Like\n \\\"*DoD Interoperability*\\\" -and $_.Subject -Like \\\"*DoD*\\\"} | FL Subject,\n Issuer, Thumbprint, NotAfter\n\n If the following certificate \\\"Subject\\\", \\\"Issuer\\\", and \\\"Thumbprint\\\",\n information is not displayed, this is finding.\n\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results,\n this is not a finding.\n\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. 
Government,\n C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341\n NotAfter: 1/22/2022\n\n Alternately use the Certificates MMC snap-in:\n\n Run \\\"MMC\\\".\n\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n\n Select \\\"Certificates\\\", click \\\"Add\\\".\n\n Select \\\"Computer account\\\", click \\\"Next\\\".\n\n Select \\\"Local computer: (the computer this console is running on)\\\", click\n \\\"Finish\\\".\n\n Click \\\"OK\\\".\n\n Expand \\\"Certificates\\\" and navigate to \\\"Untrusted Certificates >>\n Certificates\\\".\n\n For each certificate with \\\"DoD Root CA…\\\" under \\\"Issued To\\\" and \\\"DoD\n Interoperability Root CA…\\\" under \\\"Issued By\\\":\n\n Right-click on the certificate and select \\\"Open\\\".\n\n Select the \\\"Details\\\" Tab.\n\n Scroll to the bottom and select \\\"Thumbprint\\\".\n\n If the certificates below are not listed or the value for the \\\"Thumbprint\\\"\n field is not as noted, this is a finding.\n\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341\n Valid to: Saturday, January 22, 2022\"\n\n desc 'fix', \"Install the DoD Interoperability Root CA cross-certificates on\n unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 -\n 22BBE981F0694D246CC1472ED2B021DC8540A22F\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n AC06108CA348CC03B53795C64BF84403C1DBD341\n\n The 
certificates can be installed using the InstallRoot tool. The tool and user\n guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n # NOTE: DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F does not exist on Install Root 5.5\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_certificates = JSON.parse(input('dod_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The DoD Interoperability Root CA cross-certificates are installed' do\n subject { query.params }\n it { should be_in dod_certificates }\n end\n end\nend\n", + "code": "control 'V-63819' do\n title \"User Account Control must, at minimum, prompt administrators for\n consent on the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged on administrators\n to complete a task that requires raised privileges.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000250'\n tag gid: 'V-63819'\n tag rid: 'SV-78309r1_rule'\n tag stig_id: 'WN10-SO-000250'\n tag fix_id: 'F-69747r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: 
nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 2 (Prompt for consent on the secure desktop)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Behavior of the elevation prompt for administrators in Admin\n Approval Mode\\\" to \\\"Prompt for consent on the secure desktop\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'ConsentPromptBehaviorAdmin' }\n its('ConsentPromptBehaviorAdmin') { should cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63587.rb", + "ref": "./Windows 10 STIG/controls/V-63819.rb", "line": 3 }, - "id": "V-63587" + "id": "V-63819" }, { - "title": "Toast notifications to the lock screen must be turned off.", - "desc": "Toast notifications that are displayed on the lock screen could\n display sensitive information to unauthorized personnel. Turning off this\n feature will limit access to the information to a logged on user.", + "title": "The system must be configured to audit Policy Change - Authentication\n Policy Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy including Kerberos policy and Trust changes.", "descriptions": { - "default": "Toast notifications that are displayed on the lock screen could\n display sensitive information to unauthorized personnel. Turning off this\n feature will limit access to the information to a logged on user.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\\n\n Value Name: NoToastApplicationNotificationOnLockScreen\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for User Configuration >> Administrative\n Templates >> Start Menu and Taskbar >> Notifications >> \"Turn off toast\n notifications on the lock screen\" to \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy including Kerberos policy and Trust changes.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Policy Change >> Authentication Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \"Audit Authentication Policy Change\" with\n \"Success\" selected." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-UC-000015", - "gid": "V-63839", - "rid": "SV-78329r1_rule", - "stig_id": "WN10-UC-000015", - "fix_id": "F-69767r1_fix", + "severity": "medium", + "gtitle": "WN10-AU-000105", + "gid": "V-63481", + "rid": "SV-77971r1_rule", + "stig_id": "WN10-AU-000105", + "fix_id": "F-69411r1_fix", "cci": [ - "CCI-000381" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-7 a", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
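Review bot: The new V-63819 test pins `its('ConsentPromptBehaviorAdmin') { should cmp 2 }`, which matches the STIG check text (Value: 2) but not the control title's "at minimum": the stricter setting 1 (prompt for credentials on the secure desktop) would be reported as a finding. If the intent is to follow the title, `its('ConsentPromptBehaviorAdmin') { should be_in [1, 2] }` accepts both secure-desktop behaviours, using the `be_in` matcher already used elsewhere in this file; if the intent is to follow the check text literally, a one-line comment above the describe block stating that exactly 2 is required would stop the next maintainer from widening it. Either way the change belongs in `./Windows 10 STIG/controls/V-63819.rb` rather than in this exported JSON.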
@@ -6013,35 +6046,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63839' do\n title 'Toast notifications to the lock screen must be turned off.'\n desc \"Toast notifications that are displayed on the lock screen could\n display sensitive information to unauthorized personnel. Turning off this\n feature will limit access to the information to a logged on user.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-UC-000015'\n tag gid: 'V-63839'\n tag rid: 'SV-78329r1_rule'\n tag stig_id: 'WN10-UC-000015'\n tag fix_id: 'F-69767r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\\n\n Value Name: NoToastApplicationNotificationOnLockScreen\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for User Configuration >> Administrative\n Templates >> Start Menu and Taskbar >> Notifications >> \\\"Turn off toast\n notifications on the lock screen\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications') do\n it { should have_property 'NoToastApplicationNotificationOnLockScreen' }\n its('NoToastApplicationNotificationOnLockScreen') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63481' do\n title \"The system must be configured to audit Policy Change - Authentication\n Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help 
identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy including Kerberos policy and Trust changes.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000105'\n tag gid: 'V-63481'\n tag rid: 'SV-77971r1_rule'\n tag stig_id: 'WN10-AU-000105'\n tag fix_id: 'F-69411r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Policy Change >> Authentication Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \\\"Audit Authentication Policy Change\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63839.rb", + "ref": "./Windows 10 STIG/controls/V-63481.rb", "line": 3 }, - "id": "V-63839" + "id": "V-63481" }, { - "title": "The maximum password age must be configured to 60 days or less.", - "desc": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing\n of passwords hinders the ability of unauthorized system users to crack\n passwords and gain access to a system.", + "title": "The External Root CA certificates must be installed in the Trusted\n Root Store on unclassified systems.", + "desc": "To ensure secure websites protected with External Certificate\n Authority (ECA) server certificates are properly validated, the system must\n trust the ECA Root CAs. The ECA root certificates will ensure the trust chain\n is established for server certificates issued from the External CAs. This\n requirement only applies to unclassified systems.", "descriptions": { - "default": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. 
Scheduled changing\n of passwords hinders the ability of unauthorized system users to crack\n passwords and gain access to a system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \"Maximum password age\" is greater than 60 days, this\n is a finding. If the value is set to \"0\" (never expires), this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Maximum Password Age\" to 60 days or less (excluding \"0\" which is\n unacceptable)." + "default": "To ensure secure websites protected with External Certificate\n Authority (ECA) server certificates are properly validated, the system must\n trust the ECA Root CAs. The ECA root certificates will ensure the trust chain\n is established for server certificates issued from the External CAs. This\n requirement only applies to unclassified systems.", + "check": "Verify the ECA Root CA certificates are installed on unclassified\n systems as Trusted Root Certification Authorities.\n\n Run \"PowerShell\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine oot | Where Subject -Like \"*ECA*\" | FL Subject, Thumbprint, NotAfter\n\n If the following certificate \"Subject\" and \"Thumbprint\" information is not\n displayed, this is finding.\n\n If an expired certificate (\"NotAfter\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US\n Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4\n NotAfter: 3/30/2028\n\n Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. 
Government, C=US\n Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582\n NotAfter: 12/30/2029\n\n Alternately use the Certificates MMC snap-in:\n\n Run \"MMC\".\n\n Select \"File\", \"Add/Remove Snap-in\".\n\n Select \"Certificates\", click \"Add\".\n\n Select \"Computer account\", click \"Next\".\n\n Select \"Local computer: (the computer this console is running on)\", click\n \"Finish\".\n\n Click \"OK\".\n\n Expand \"Certificates\" and navigate to \"Trusted Root Certification\n Authorities >> Certificates\".\n\n For each of the ECA Root CA certificates noted below:\n\n Right-click on the certificate and select \"Open\".\n\n Select the \"Details\" Tab.\n\n Scroll to the bottom and select \"Thumbprint\".\n\n If the ECA Root CA certificates below are not listed or the value for the\n \"Thumbprint\" field is not as noted, this is a finding.\n\n If an expired certificate (\"Valid to\" date) is not listed in the results,\n this is not a finding.\n\n ECA Root CA 2\n Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4\n Valid to: Thursday, March 30, 2028\n\n ECA Root CA 4\n Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582\n Valid to: Sunday, December 30, 2029", + "fix": "Install the ECA Root CA certificates on unclassified systems.\n ECA Root CA 2\n ECA Root CA 4\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AC-000025", - "gid": "V-63419", - "rid": "SV-77909r1_rule", - "stig_id": "WN10-AC-000025", - "fix_id": "F-69347r1_fix", + "gtitle": "WN10-PK-000010", + "gid": "V-63583", + "rid": "SV-78073r3_rule", + "stig_id": "WN10-PK-000010", + "fix_id": "F-76981r2_fix", "cci": [ - "CCI-000199" + "CCI-000185" ], "nist": [ - "IA-5 (1) (d)", + "IA-5 (2) (a)", "Rev_4" ], "false_negatives": null, 
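Review bot: The new V-63481 test spells the two accepted audit settings as two `describe audit_policy` blocks inside `describe.one`, which reports both expectations and hides the intent (either value passes); the same shape appears in V-99545 earlier in this diff. A single `its('Authentication Policy Change') { should be_in ['Success', 'Success and Failure'] }` states the requirement in one line with the `be_in` matcher already used elsewhere in this file. The check text also states that WN10-SO-000030 (subcategory override) must be enabled for subcategory settings to be effective, and that prerequisite is not verified here; a one-line comment above the describe naming that dependency would make the limitation explicit. As this file looks like an exported profile, the change belongs in `./Windows 10 STIG/controls/V-63481.rb`.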
@@ -6055,35 +6088,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63419' do\n title 'The maximum password age must be configured to 60 days or less.'\n desc \"The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing\n of passwords hinders the ability of unauthorized system users to crack\n passwords and gain access to a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000025'\n tag gid: 'V-63419'\n tag rid: 'SV-77909r1_rule'\n tag stig_id: 'WN10-AC-000025'\n tag fix_id: 'F-69347r1_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \\\"Maximum password age\\\" is greater than #{input('max_pass_age')} days, this\n is a finding. 
If the value is set to \\\"0\\\" (never expires), this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Maximum Password Age\\\" to #{input('max_pass_age')} days or less (excluding \\\"0\\\" which is\n unacceptable).\"\n\n describe security_policy do\n its('MaximumPasswordAge') { should be <= input('max_pass_age') }\n end\n describe \"The password policy is set to expire after #{input('max_pass_age')}\" do\n subject { security_policy }\n its('MaximumPasswordAge') { should be_positive }\n end\nend\n", + "code": "control 'V-63583' do\n title \"The External Root CA certificates must be installed in the Trusted\n Root Store on unclassified systems.\"\n desc \"To ensure secure websites protected with External Certificate\n Authority (ECA) server certificates are properly validated, the system must\n trust the ECA Root CAs. The ECA root certificates will ensure the trust chain\n is established for server certificates issued from the External CAs. 
This\n requirement only applies to unclassified systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-PK-000010'\n tag gid: 'V-63583'\n tag rid: 'SV-78073r3_rule'\n tag stig_id: 'WN10-PK-000010'\n tag fix_id: 'F-76981r2_fix'\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (a)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the ECA Root CA certificates are installed on unclassified\n systems as Trusted Root Certification Authorities.\n\n Run \\\"PowerShell\\\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\n oot | Where Subject -Like \\\"*ECA*\\\" | FL Subject, Thumbprint, NotAfter\n\n If the following certificate \\\"Subject\\\" and \\\"Thumbprint\\\" information is not\n displayed, this is finding.\n\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US\n Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4\n NotAfter: 3/30/2028\n\n Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. 
Government, C=US\n Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582\n NotAfter: 12/30/2029\n\n Alternately use the Certificates MMC snap-in:\n\n Run \\\"MMC\\\".\n\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n\n Select \\\"Certificates\\\", click \\\"Add\\\".\n\n Select \\\"Computer account\\\", click \\\"Next\\\".\n\n Select \\\"Local computer: (the computer this console is running on)\\\", click\n \\\"Finish\\\".\n\n Click \\\"OK\\\".\n\n Expand \\\"Certificates\\\" and navigate to \\\"Trusted Root Certification\n Authorities >> Certificates\\\".\n\n For each of the ECA Root CA certificates noted below:\n\n Right-click on the certificate and select \\\"Open\\\".\n\n Select the \\\"Details\\\" Tab.\n\n Scroll to the bottom and select \\\"Thumbprint\\\".\n\n If the ECA Root CA certificates below are not listed or the value for the\n \\\"Thumbprint\\\" field is not as noted, this is a finding.\n\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results,\n this is not a finding.\n\n ECA Root CA 2\n Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4\n Valid to: Thursday, March 30, 2028\n\n ECA Root CA 4\n Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582\n Valid to: Sunday, December 30, 2029\"\n\n desc 'fix', \"Install the ECA Root CA certificates on unclassified systems.\n ECA Root CA 2\n ECA Root CA 4\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_eca_certificates = JSON.parse(input('dod_eca_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\root | Where {$_.Subject -Like \"*ECA Root*\"} | Select Subject, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The ECA Root CA certificates cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_eca_certificates }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63419.rb", + "ref": "./Windows 10 STIG/controls/V-63583.rb", "line": 3 }, - "id": "V-63419" + "id": "V-63583" }, { - "title": "The Debug programs user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Debug Programs\" user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.", + "title": "The Smart Card removal option must be configured to Force Logoff or\n Lock Workstation.", + "desc": "Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Debug Programs\" user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. 
This right is given to Administrators in\n the default configuration.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Debug\n Programs\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Debug programs\" to only include the following groups or accounts:\n\n Administrators" + "default": "Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: SCRemoveOption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n This can be left not configured or set to \"No action\" on workstations with\n the following conditions. This must be documented with the ISSO.\n -The setting cannot be configured due to mission needs, or because it\n interferes with applications.\n -Policy must be in place that users manually lock workstations when leaving\n them unattended.\n -The screen saver is properly configured to lock as required.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Interactive logon: Smart card removal behavior\" to \"Lock Workstation\" or\n \"Force Logoff\"." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-UR-000065", - "gid": "V-63869", - "rid": "SV-78359r1_rule", - "stig_id": "WN10-UR-000065", - "fix_id": "F-69797r1_fix", + "severity": "medium", + "gtitle": "WN10-SO-000095", + "gid": "V-63697", + "rid": "SV-78187r1_rule", + "stig_id": "WN10-SO-000095", + "fix_id": "F-69625r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
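Review bot: The ECA trust-anchor test at the end of the V-63583 `code` string passes when only a subset of the required root CAs is installed: `it { should be_in dod_eca_certificates }` checks that every certificate the PowerShell query returned is in the expected list, not that every expected certificate was returned, so a machine with only ECA Root CA 2 (or, if `query.params` comes back empty, none at all) is reported compliant. Invert the comparison on thumbprints, which is the value the STIG actually pins: `installed = [query.params].flatten.compact.map { |c| c['Thumbprint'] }`, `expected = dod_eca_certificates.map { |c| c['Thumbprint'] }`, then `describe('ECA Root CA thumbprints') { subject { installed }; it { should include(*expected) } }` (assuming the `dod_eca_certificates` input entries carry a `Thumbprint` key like the query output does). Matching the whole record also makes the result depend on the `{0:dddd, MMMM dd, yyyy}` rendering of `NotAfter`, which follows the host's culture, so non-en-US systems would fail on the date string rather than on the trust anchor. Separately, the check text renders the command as `Cert:Localmachine\ oot` because `\r` inside the Ruby double-quoted string became a carriage return; the source should read `Cert:Localmachine\\root` so an assessor can copy it. This JSON is generated from `./Windows 10 STIG/controls/V-63583.rb`, so the fix belongs there and the baseline should then be regenerated.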
@@ -6097,37 +6130,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63869' do\n title \"The Debug programs user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Debug Programs\\\" user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.\"\n\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-UR-000065'\n tag gid: 'V-63869'\n tag rid: 'SV-78359r1_rule'\n tag stig_id: 'WN10-UR-000065'\n tag fix_id: 'F-69797r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Debug\n Programs\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Debug programs\\\" to only include the following groups or accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeDebugPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63697' do\n title \"The Smart Card removal option must be configured to Force Logoff or\n Lock 
Workstation.\"\n desc \"Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000095'\n tag gid: 'V-63697'\n tag rid: 'SV-78187r1_rule'\n tag stig_id: 'WN10-SO-000095'\n tag fix_id: 'F-69625r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: SCRemoveOption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n This can be left not configured or set to \\\"No action\\\" on workstations with\n the following conditions. 
This must be documented with the ISSO.\n -The setting cannot be configured due to mission needs, or because it\n interferes with applications.\n -Policy must be in place that users manually lock workstations when leaving\n them unattended.\n -The screen saver is properly configured to lock as required.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Interactive logon: Smart card removal behavior\\\" to \\\"Lock Workstation\\\" or\n \\\"Force Logoff\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon') do\n it { should have_property 'SCRemoveOption' }\n its('SCRemoveOption') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon') do\n it { should have_property 'SCRemoveOption' }\n its('SCRemoveOption') { should cmp 2 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63869.rb", + "ref": "./Windows 10 STIG/controls/V-63697.rb", "line": 3 }, - "id": "V-63869" + "id": "V-63697" }, { - "title": "The Windows SMB client must be configured to always perform SMB packet\n signing.", - "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.", + "title": "The system must be configured to audit System - Other System Events\n failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Microsoft network client: Digitally sign communications (always)\" to\n \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> Other System Events - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit Other System Events\" with \"Failure\"\n selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000100", - "gid": "V-63703", - "rid": "SV-78193r1_rule", - "stig_id": "WN10-SO-000100", - "fix_id": "F-69629r1_fix", + "gtitle": "WN10-AU-000135", + "gid": "V-63503", + "rid": "SV-77993r2_rule", + "stig_id": "WN10-AU-000135", + "fix_id": "F-69433r2_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000172" ], "nist": [ - "SC-8", - "SC-8 (1)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
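Review bot: The V-63697 test accepts any registry data that `cmp`s to 1 or 2, while the check text in the same hunk specifies `Value Type: REG_SZ`; a REG_DWORD written by a careless baseline would pass the test even though Winlogon may not honour it (I have not confirmed that behaviour). The two near-identical `describe registry_key` blocks under `describe.one` can also collapse into one assertion, `its('SCRemoveOption') { should be_in %w[1 2] }`, which matches the string values exactly and reads as the STIG states it, assuming `registry_key` returns REG_SZ data as Ruby strings. The check text further allows "not configured" or "No action" when documented with the ISSO, but the control exposes no input for that exception, so such systems will always be reported as failed; either add an input or note in a comment that the documented exception must be handled by a manual override. This JSON is generated from `./Windows 10 STIG/controls/V-63697.rb`, so the change belongs in the profile source.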
@@ -6141,30 +6172,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63703' do\n title \"The Windows SMB client must be configured to always perform SMB packet\n signing.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000100'\n tag gid: 'V-63703'\n tag rid: 'SV-78193r1_rule'\n tag stig_id: 'WN10-SO-000100'\n tag fix_id: 'F-69629r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Microsoft network client: Digitally sign communications (always)\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63503' do\n title \"The system must be configured to audit System - Other System Events\n 
failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000135'\n tag gid: 'V-63503'\n tag rid: 'SV-77993r2_rule'\n tag stig_id: 'WN10-AU-000135'\n tag fix_id: 'F-69433r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> Other System Events - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit Other System Events\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63703.rb", + "ref": "./Windows 10 STIG/controls/V-63503.rb", "line": 3 }, - "id": "V-63703" + "id": "V-63503" }, { - "title": "Local accounts with blank passwords must be restricted to prevent\n access from the network.", - "desc": "An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should\n prevent accounts with blank passwords from existing on a system. However, if a\n local account with a blank password did exist, enabling this setting will\n prevent network access, limiting the account to local console logon only.", + "title": "The system must be configured to prevent anonymous users from having\n the same rights as the Everyone group.", + "desc": "Access by anonymous users must be restricted. If this setting is\n enabled, then anonymous users have the same rights and permissions as the\n built-in Everyone group. Anonymous users must not have these permissions or\n rights.", "descriptions": { - "default": "An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should\n prevent accounts with blank passwords from existing on a system. 
However, if a\n local account with a blank password did exist, enabling this setting will\n prevent network access, limiting the account to local console logon only.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Limit local account use of blank passwords to console logon only\"\n to \"Enabled\"." + "default": "Access by anonymous users must be restricted. If this setting is\n enabled, then anonymous users have the same rights and permissions as the\n built-in Everyone group. Anonymous users must not have these permissions or\n rights.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Let Everyone permissions apply to anonymous users\" to\n \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000015", - "gid": "V-63617", - "rid": "SV-78107r1_rule", - "stig_id": "WN10-SO-000015", - "fix_id": "F-69547r1_fix", + "gtitle": "WN10-SO-000160", + "gid": "V-63755", + "rid": "SV-78245r1_rule", + "stig_id": "WN10-SO-000160", + "fix_id": "F-69683r1_fix", "cci": [ "CCI-000366" ], 
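Review bot: The V-63503 test reads the `Other System Events` subcategory from `audit_policy` but does not account for the prerequisite its own check text states: subcategory settings only take effect when WN10-SO-000030 (force subcategory settings to override category settings) is enabled, so a host with the subcategory set and that option disabled appears compliant here while possibly not auditing. At minimum record the dependency next to the assertion, e.g. `# effective only when WN10-SO-000030 is enabled; read both results together`, so someone reading a passing run knows to pair the two controls. As a point of style, the `describe.one` wrapping two `audit_policy` describes is equivalent to a single `its('Other System Events') { should be_in ['Failure', 'Success and Failure'] }`. The fix belongs in `./Windows 10 STIG/controls/V-63503.rb`, from which this JSON is generated.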
@@ -6183,35 +6214,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63617' do\n title \"Local accounts with blank passwords must be restricted to prevent\n access from the network.\"\n desc \"An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should\n prevent accounts with blank passwords from existing on a system. However, if a\n local account with a blank password did exist, enabling this setting will\n prevent network access, limiting the account to local console logon only.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000015'\n tag gid: 'V-63617'\n tag rid: 'SV-78107r1_rule'\n tag stig_id: 'WN10-SO-000015'\n tag fix_id: 'F-69547r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Limit local account use of blank passwords to console logon only\\\"\n to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'LimitBlankPasswordUse' }\n its('LimitBlankPasswordUse') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63755' do\n title \"The system must be configured to prevent anonymous users 
from having\n the same rights as the Everyone group.\"\n desc \"Access by anonymous users must be restricted. If this setting is\n enabled, then anonymous users have the same rights and permissions as the\n built-in Everyone group. Anonymous users must not have these permissions or\n rights.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000160'\n tag gid: 'V-63755'\n tag rid: 'SV-78245r1_rule'\n tag stig_id: 'WN10-SO-000160'\n tag fix_id: 'F-69683r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Let Everyone permissions apply to anonymous users\\\" to\n \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'EveryoneIncludesAnonymous' }\n its('EveryoneIncludesAnonymous') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63617.rb", + "ref": "./Windows 10 STIG/controls/V-63755.rb", "line": 3 }, - "id": "V-63617" + "id": "V-63755" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for MSACCESS.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at 
the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The system must be configured to audit System - IPSec Driver failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPSec Driver records events related to the IPSec Driver such as dropped\n packets.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name MSACCESS.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for MSACCESS.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPSec Driver records events related to the IPSec Driver such as dropped\n packets.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> IPSec Driver - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit IPSec Driver\" with \"Failure\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000180", - "gid": "V-77231", - "rid": "SV-91927r3_rule", - "stig_id": "WN10-EP-000180", - "fix_id": "F-84359r4_fix", + "gtitle": "WN10-AU-000120", + "gid": "V-63491", + "rid": "SV-77981r1_rule", + "stig_id": "WN10-AU-000120", + "fix_id": "F-69421r1_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
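Review bot: This hunk, like the others in the file, replaces one unrelated control with another (`V-63617` becomes `V-63755`, neither changed in substance), which suggests the generator writes `controls` in whatever order the profile was loaded, so every regeneration produces a whole-file diff in which a genuine change to a check or test is hard to spot. Sorting the array by `id` before serialising (or diffing with controls keyed by id) would keep future baseline updates reviewable; I have not seen the generator, so this is inferred from the hunk shape. The V-63755 content itself reads correctly: the test requires the `EveryoneIncludesAnonymous` property to exist and `cmp 0`, which matches the check text's "does not exist or is not configured" rule.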
@@ -6225,35 +6256,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77231' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for MSACCESS.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000180'\n tag gid: 'V-77231'\n tag rid: 'SV-91927r3_rule'\n tag stig_id: 'WN10-EP-000180'\n tag fix_id: 'F-84359r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name MSACCESS.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for MSACCESS.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name MSACCESS.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Access' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name MSACCESS.EXE| Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Access' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name MSACCESS.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Access' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", + "code": "control 'V-63491' do\n title 'The system must be configured to audit System - IPSec Driver failures.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPSec Driver records events related to the IPSec Driver such as dropped\n packets.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000120'\n tag gid: 'V-63491'\n tag rid: 'SV-77981r1_rule'\n tag stig_id: 'WN10-AU-000120'\n tag fix_id: 'F-69421r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> IPSec Driver - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit IPSec Driver\\\" with \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Failure' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77231.rb", + "ref": "./Windows 10 STIG/controls/V-63491.rb", "line": 3 }, - "id": "V-77231" + "id": "V-63491" }, { - "title": "The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.", - "desc": "SMBv1 is not installed on this system, therefore this control is not applicable", + "title": "The Windows Remote Management (WinRM) client must not allow\n unencrypted traffic.", + "desc": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.", "descriptions": { - "default": "SMBv1 is not installed on this system, therefore this control is not applicable", - "check": "Different methods are available to disable SMBv1 on Windows 10,\n if V-70639 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Configure SMBv1 Server\" to\n \"Disabled\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively.\n\n The system must be restarted for the change to take effect." + "default": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowUnencryptedTraffic\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \"Allow unencrypted traffic\" to \"Disabled\"." 
},
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-00-000165",
- "gid": "V-74723",
- "rid": "SV-89397r1_rule",
- "stig_id": "WN10-00-000165",
- "fix_id": "F-81337r2_fix",
+ "gtitle": "WN10-CC-000335",
+ "gid": "V-63339",
+ "rid": "SV-77829r1_rule",
+ "stig_id": "WN10-CC-000335",
+ "fix_id": "F-69259r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-002890",
+ "CCI-003123"
 ],
 "nist": [
- "CM-7 a",
+ "MA-4 (6)",
+ "MA-4 (6)",
 "Rev_4"
 ],
 "false_negatives": null,
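Review bot: The two `command(...)` fallbacks in the new V-63491 code string match `/IPsec Driver Failure/` and `/IPsec Driver Success and Failure/` with a single space, but AuditPol's column-aligned listing normally pads the subcategory name with a run of spaces before the setting, so those branches are unlikely ever to match and the `describe.one` effectively rests on the `audit_policy` resource alone; `should match /IPsec Driver\s+Failure/` and `should match /IPsec Driver\s+Success and Failure/` would make the fallback real. Separately, the replacement tags for V-63339 carry `"nist": ["MA-4 (6)", "MA-4 (6)", "Rev_4"]` (and the Ruby `tag nist:` in the next hunk repeats it), mirroring the CCI list one-to-one; the same pattern puts `"AU-9"` three times in V-63533's tags in the hunk headed `@@ -6267,35 +6300,39 @@`. If consumers dedupe this it is harmless, but a single `"MA-4 (6)"` entry reads cleaner and says what the mapping means.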
@@ -6267,35 +6300,39 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74723' do\n title 'The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.'\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older network\n attached devices may only support SMBv1.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000165'\n tag gid: 'V-74723'\n tag rid: 'SV-89397r1_rule'\n tag stig_id: 'WN10-00-000165'\n tag fix_id: 'F-81337r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows 10,\n if V-70639 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Configure SMBv1 Server\\\" to\n \\\"Disabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG 
package. \\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\n\n The system must be restarted for the change to take effect.\"\n\n smb1protocol = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params\n state = smb1protocol['State']\n\n if state == \"Disabled\"\n impact 0.0\n describe 'V-70639 is configured, this control is NA' do\n skip 'V-70639 is configured, this control is NA'\n end\n elsif windows_feature('FS-SMB1').installed?\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters') do\n it { should have_property 'SMB1' }\n its('SMB1') { should cmp 0 }\n end\n else\n impact 0.0\n desc 'SMBv1 is not installed on this system, therefore this control is not applicable'\n describe 'SMBv1 is not installed on this system, therefore this control is not applicable' do\n skip 'SMBv1 is not installed on this system, therefore this control is not applicable'\n end\n end\nend", + "code": "control 'V-63339' do\n title \"The Windows Remote Management (WinRM) client must not allow\n unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000335'\n tag gid: 'V-63339'\n tag rid: 'SV-77829r1_rule'\n tag stig_id: 'WN10-CC-000335'\n tag fix_id: 'F-69259r1_fix'\n tag cci: %w[CCI-002890 CCI-003123]\n tag nist: ['MA-4 (6)', 'MA-4 (6)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \\\"Allow unencrypted traffic\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74723.rb", + "ref": "./Windows 10 STIG/controls/V-63339.rb", "line": 3 }, - "id": "V-74723" + "id": "V-63339" }, { - "title": "Users must not be allowed to ignore Windows Defender SmartScreen\n filter warnings for unverified files in Microsoft Edge.", - "desc": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still 
download potentially malicious files.", - "descriptions": { - "default": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still download potentially malicious files.", - "check": "This is applicable to unclassified systems, for other systems\nthis is NA.\n\nWindows 10 LTSC\\B versions do not include Microsoft Edge, this is NA for those\nsystems.\n\nIf the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\nRegistry Hive: HKEY_LOCAL_MACHINE\nRegistry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter\\\n\nValue Name: PreventOverrideAppRepUnknown\n\nType: REG_DWORD\nValue: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Microsoft Edge >> \"Prevent\nbypassing Windows Defender SmartScreen prompts for files\" to \"Enabled\".\n\nWindows 10 includes duplicate policies for this setting. It can also be\nconfigured under Computer Configuration >> Administrative Templates >> Windows\nComponents >> Windows Defender SmartScreen >> Microsoft Edge." + "title": "Windows 10 permissions for the Application event log must prevent\n access by non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n Application event log may be susceptible to tampering if proper permissions\n are not applied.", + "descriptions": { + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Application event log may be susceptible to tampering if proper permissions\n are not applied.", + "check": "Verify the permissions on the Application event log\n (Application.evtx). Standard user accounts or groups must not have access. The\n default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES\" has\n Special Permissions, this would not be a finding.", + "fix": "Ensure the permissions on the Application event log\n (Application.evtx) are configured to prevent standard user accounts or groups\n from having access. The default permissions listed below satisfy this\n requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-CC-000235",
- "gid": "V-63701",
- "rid": "SV-78191r6_rule",
- "stig_id": "WN10-CC-000235",
- "fix_id": "F-98465r1_fix",
+ "gtitle": "WN10-AU-000515",
+ "gid": "V-63533",
+ "rid": "SV-78023r2_rule",
+ "stig_id": "WN10-AU-000515",
+ "fix_id": "F-69463r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000162",
+ "CCI-000163",
+ "CCI-000164"
 ],
 "nist": [
- "CM-6 b",
+ "AU-9",
+ "AU-9",
+ "AU-9",
 "Rev_4"
 ],
 "false_negatives": null,
@@ -6309,30 +6346,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63701' do\n title \"Users must not be allowed to ignore Windows Defender SmartScreen\n filter warnings for unverified files in Microsoft Edge.\"\n desc \"The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still download potentially malicious files.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000235'\n tag gid: 'V-63701'\n tag rid: 'SV-78191r6_rule'\n tag stig_id: 'WN10-CC-000235'\n tag fix_id: 'F-98465r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems, for other systems\nthis is NA.\n\nWindows 10 LTSC\\\\B versions do not include Microsoft Edge, this is NA for those\nsystems.\n\nIf the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\nRegistry Hive: HKEY_LOCAL_MACHINE\nRegistry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\PhishingFilter\\\\\n\nValue Name: PreventOverrideAppRepUnknown\n\nType: REG_DWORD\nValue: 0x00000001 (1)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Microsoft Edge >> \\\"Prevent\nbypassing Windows Defender SmartScreen prompts for files\\\" to \\\"Enabled\\\".\n\nWindows 10 includes duplicate policies for this setting. 
It can also be\nconfigured under Computer Configuration >> Administrative Templates >> Windows\nComponents >> Windows Defender SmartScreen >> Microsoft Edge.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter') do\n it { should have_property 'PreventOverrideAppRepUnknown' }\n its('PreventOverrideAppRepUnknown') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63533' do\n title \"Windows 10 permissions for the Application event log must prevent\n access by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Application event log may be susceptible to tampering if proper permissions\n are not applied.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000515'\n tag gid: 'V-63533'\n tag rid: 'SV-78023r2_rule'\n tag stig_id: 'WN10-AU-000515'\n tag fix_id: 'F-69463r1_fix'\n tag cci: %w[CCI-000162 CCI-000163 CCI-000164]\n tag nist: %w[AU-9 AU-9 AU-9 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the permissions on the Application event log\n (Application.evtx). Standard user accounts or groups must not have access. 
The\n default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \\\"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\\\" has\n Special Permissions, this would not be a finding.\"\n\n desc \"fix\", \"Ensure the permissions on the Application event log\n (Application.evtx) are configured to prevent standard user accounts or groups\n from having access. The default permissions listed below satisfy this\n requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n systemroot = system_root.strip\n\n describe file(\"#{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Application.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63701.rb", + "ref": "./Windows 10 STIG/controls/V-63533.rb", "line": 3 }, - "id": "V-63701" + "id": "V-63533" }, { - "title": "The Load and unload device drivers user right must only be assigned to\n the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and 
other high level capabilities.\n\n The \"Load and unload device drivers\" user right allows device drivers to\n dynamically be loaded on a system by a user. This could potentially be used to\n install malicious code by an attacker.", + "title": "The Restore files and directories user right must only be assigned to\n the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Restore files and directories\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to over-write more current data.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Load and unload device drivers\" user right allows device drivers to\n dynamically be loaded on a system by a user. This could potentially be used to\n install malicious code by an attacker.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Load and\n unload device drivers\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Load and unload device drivers\" to only include the following groups or\n accounts:\n\n Administrators" + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Restore files and directories\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. 
It could also be used to over-write more current data.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Restore\n files and directories\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Restore files and directories\" to only include the following groups or\n accounts:\n\n Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000120", - "gid": "V-63917", - "rid": "SV-78407r1_rule", - "stig_id": "WN10-UR-000120", - "fix_id": "F-69845r1_fix", + "gtitle": "WN10-UR-000160", + "gid": "V-63939", + "rid": "SV-78429r1_rule", + "stig_id": "WN10-UR-000160", + "fix_id": "F-69867r1_fix", "cci": [ "CCI-002235" ], 
@@ -6351,35 +6388,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63917' do\n title \"The Load and unload device drivers user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Load and unload device drivers\\\" user right allows device drivers to\n dynamically be loaded on a system by a user. This could potentially be used to\n install malicious code by an attacker.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000120'\n tag gid: 'V-63917'\n tag rid: 'SV-78407r1_rule'\n tag stig_id: 'WN10-UR-000120'\n tag fix_id: 'F-69845r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Load and\n unload device drivers\\\" user right, this is a finding:\n\n Administrators\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Load and unload device drivers\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeLoadDriverPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63939' do\n title \"The Restore files and directories user right must only be assigned to\n the 
Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Restore files and directories\\\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to over-write more current data.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000160'\n tag gid: 'V-63939'\n tag rid: 'SV-78429r1_rule'\n tag stig_id: 'WN10-UR-000160'\n tag fix_id: 'F-69867r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Restore\n files and directories\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Restore files and directories\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeRestorePrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63917.rb", + "ref": "./Windows 10 STIG/controls/V-63939.rb", "line": 3 }, - "id": "V-63917" + "id": "V-63939" }, { - "title": "Explorer Data Execution Prevention must be enabled.", - "desc": "Data Execution Prevention (DEP) provides additional 
protection by\n performing checks on memory to help prevent malicious code from running. This\n setting will prevent Data Execution Prevention from being turned off for File\n Explorer.", + "title": "The system must be configured to audit Logon/Logoff - Special Logon\n successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons which have administrative privileges\n and can be used to elevate processes.", "descriptions": { - "default": "Data Execution Prevention (DEP) provides additional protection by\n performing checks on memory to help prevent malicious code from running. 
This\n setting will prevent Data Execution Prevention from being turned off for File\n Explorer.", - "check": "The default behavior is for data execution prevention to be\n turned on for file explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)", - "fix": "The default behavior is for data execution prevention to be turned\n on for file explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \"Turn off Data Execution Prevention for Explorer\" to \"Not\n Configured\" or \"Disabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons which have administrative privileges\n and can be used to elevate processes.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Special Logon - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Special Logon\" with \"Success\"\n selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000215", - "gid": "V-63689", - "rid": "SV-78179r1_rule", - "stig_id": "WN10-CC-000215", - "fix_id": "F-69617r1_fix", + "gtitle": "WN10-AU-000080", + "gid": "V-63469", + "rid": "SV-77959r1_rule", + "stig_id": "WN10-AU-000080", + "fix_id": "F-69399r1_fix", "cci": [ - "CCI-002824" + "CCI-000172" ], "nist": [ - "SI-16", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
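Review bot: The V-63939 InSpec assertion `its('SeRestorePrivilege') { should eq ['S-1-5-32-544'] }` fails when the right is assigned to nobody, although the check text only treats accounts *other than* Administrators as a finding. If the intent is to mirror the STIG wording, asserting that every assigned SID is within the allowed set, e.g. `its('SeRestorePrivilege') { should be_in ['S-1-5-32-544'] }`, would be closer — assuming the InSpec version this profile targets accepts an array subject for `be_in`, which should be verified. If the stricter equality is deliberate, a one-line comment in the control stating that an empty assignment is intentionally flagged would save the next reader the question. The enclosing JSON object for V-63939 begins before this hunk.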
@@ -6393,12 +6430,12 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63689' do\n title 'Explorer Data Execution Prevention must be enabled.'\n desc \"Data Execution Prevention (DEP) provides additional protection by\n performing checks on memory to help prevent malicious code from running. This\n setting will prevent Data Execution Prevention from being turned off for File\n Explorer.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000215'\n tag gid: 'V-63689'\n tag rid: 'SV-78179r1_rule'\n tag stig_id: 'WN10-CC-000215'\n tag fix_id: 'F-69617r1_fix'\n tag cci: ['CCI-002824']\n tag nist: %w[SI-16 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"The default behavior is for data execution prevention to be\n turned on for file explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for data execution prevention to be turned\n on for file explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \\\"Turn off Data Execution Prevention for Explorer\\\" to \\\"Not\n Configured\\\" or \\\"Disabled\\\".\"\n\n describe.one do\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoDataExecutionPrevention' }\n its('NoDataExecutionPrevention') { should_not be 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should_not have_property 'NoDataExecutionPrevention' }\n end\n end\nend\n", + "code": "control 'V-63469' do\n title \"The system must be configured to audit Logon/Logoff - Special Logon\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons which have administrative privileges\n and can be used to elevate processes.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000080'\n tag gid: 'V-63469'\n tag rid: 'SV-77959r1_rule'\n tag stig_id: 'WN10-AU-000080'\n tag fix_id: 'F-69399r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with 
elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Special Logon - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Special Logon\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Special Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Special Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63689.rb", + "ref": "./Windows 10 STIG/controls/V-63469.rb", "line": 3 }, - "id": "V-63689" + "id": "V-63469" }, { "title": "Windows 10 must employ automated mechanisms to determine the state of\n system components with regard to flaw remediation using the following\n frequency: continuously, where HBSS is used; 30 days, for any additional\n internal network scans not covered by HBSS; and annually, for external scans by\n Computer Network Defense Service Provider (CNDSP).", 
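Review bot: The V-63469 test wraps two separate `describe audit_policy` blocks in `describe.one` to accept either `Success` or `Success and Failure`; a single `its('Special Logon') { should be_in ['Success', 'Success and Failure'] }` expresses the same acceptance in one describe and yields one result line instead of two. Separately, the check text makes this subcategory effective only when WN10-SO-000030 is enabled, which this control does not verify; a short comment above the describe, such as `# only meaningful when WN10-SO-000030 (subcategory override) is enabled`, would help a reader interpret a pass here. The check/fix strings are verbatim STIG text, so this belongs in the Ruby code rather than the descriptions.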
@@ -6443,22 +6480,22 @@ "id": "V-63343" }, { - "title": "Enhanced anti-spoofing for facial recognition must be enabled on\n Window 10.", - "desc": "Enhanced anti-spoofing provides additional protections when using\n facial recognition with devices that support it.", + "title": "Windows 10 must be configured to require a minimum pin length of six\n characters or greater.", + "desc": "Windows allows the use of PINs as well as biometrics for\n authentication without sending a password to a network or website where it\n could be compromised. Longer minimum PIN lengths increase the available\n combinations an attacker would have to attempt. Shorter minimum length\n significantly reduces the strength.", "descriptions": { - "default": "Enhanced anti-spoofing provides additional protections when using\n facial recognition with devices that support it.", - "check": "Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Biometrics\\FacialFeatures\\\n\n Value Name: EnhancedAntiSpoofing\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Biometrics >> Facial Features\n >> \"Configure enhanced anti-spoofing\" to \"Enabled\".\n\n v1607:\n The policy name is \"Use enhanced anti-spoofing when available\"." + "default": "Windows allows the use of PINs as well as biometrics for\n authentication without sending a password to a network or website where it\n could be compromised. Longer minimum PIN lengths increase the available\n combinations an attacker would have to attempt. 
Shorter minimum length\n significantly reduces the strength.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\PassportForWork\\PINComplexity\\\n\n Value Name: MinimumPINLength\n\n Type: REG_DWORD\n Value: 6 (or greater)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> PIN Complexity >> \"Minimum PIN length\"\n to \"6\" or greater.\n\n v1607 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Windows Hello for Business >> Pin Complexity.\n\n v1507 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Microsoft Passport for Work >> Pin Complexity." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000195", - "gid": "V-63677", - "rid": "SV-78167r3_rule", - "stig_id": "WN10-CC-000195", - "fix_id": "F-88435r1_fix", + "gtitle": "WN10-CC-000260", + "gid": "V-63721", + "rid": "SV-78211r6_rule", + "stig_id": "WN10-CC-000260", + "fix_id": "F-98469r2_fix", "cci": [ "CCI-000366" ], 
@@ -6477,37 +6514,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63677' do\n title \"Enhanced anti-spoofing for facial recognition must be enabled on\n Window 10.\"\n desc \"Enhanced anti-spoofing provides additional protections when using\n facial recognition with devices that support it.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000195'\n tag gid: 'V-63677'\n tag rid: 'SV-78167r3_rule'\n tag stig_id: 'WN10-CC-000195'\n tag fix_id: 'F-88435r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Biometrics\\\\FacialFeatures\\\\\n\n Value Name: EnhancedAntiSpoofing\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Biometrics >> Facial Features\n >> \\\"Configure enhanced anti-spoofing\\\" to \\\"Enabled\\\".\n\n v1607:\n The policy name is \\\"Use enhanced anti-spoofing when available\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId == '1507'\n impact 0.0\n describe 'Windows 10 v1507 LTSB version does not include this setting.' 
do\n skip 'Windows 10 v1507 LTSB version does not include this setting.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Biometrics\\FacialFeatures') do\n it { should have_property 'EnhancedAntiSpoofing' }\n its('EnhancedAntiSpoofing') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63721' do\n title \"Windows 10 must be configured to require a minimum pin length of six\n characters or greater.\"\n desc \"Windows allows the use of PINs as well as biometrics for\n authentication without sending a password to a network or website where it\n could be compromised. Longer minimum PIN lengths increase the available\n combinations an attacker would have to attempt. Shorter minimum length\n significantly reduces the strength.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000260'\n tag gid: 'V-63721'\n tag rid: 'SV-78211r6_rule'\n tag stig_id: 'WN10-CC-000260'\n tag fix_id: 'F-98469r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\PassportForWork\\\\PINComplexity\\\\\n\n Value Name: MinimumPINLength\n\n Type: REG_DWORD\n Value: 6 (or greater)\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> PIN Complexity >> \\\"Minimum PIN length\\\"\n to \\\"6\\\" or greater.\n\n v1607 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Windows Hello for Business >> Pin Complexity.\n\n 
v1507 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Microsoft Passport for Work >> Pin Complexity.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PassportForWork\\PINComplexity') do\n it { should have_property 'MinimumPINLength' }\n its('MinimumPINLength') { should be >= 6 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63677.rb", + "ref": "./Windows 10 STIG/controls/V-63721.rb", "line": 3 }, - "id": "V-63677" + "id": "V-63721" }, { - "title": "The DoD Root CA certificates must be installed in the Trusted Root\n Store.", - "desc": "To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.", + "title": "The Create permanent shared objects user right must not be assigned to\n any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create permanent shared objects\" user right could\n expose sensitive data by creating shared objects.", "descriptions": { - "default": "To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.", - "check": "Verify the DoD Root CA certificates are installed as Trusted Root\n Certification Authorities.\n\n The certificates and thumbprints referenced below apply to unclassified\n systems; see PKE documentation for other networks.\n\n Run \"PowerShell\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine oot | Where Subject -Like \"*DoD*\" | FL 
Subject, Thumbprint, NotAfter\n\n If the following certificate \"Subject\" and \"Thumbprint\" information is not\n displayed, this is finding.\n\n If an expired certificate (\"NotAfter\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately use the Certificates MMC snap-in:\n\n Run \"MMC\".\n\n Select \"File\", \"Add/Remove Snap-in\".\n\n Select \"Certificates\", click \"Add\".\n\n Select \"Computer account\", click \"Next\".\n\n Select \"Local computer: (the computer this console is running on)\", click\n \"Finish\".\n\n Click \"OK\".\n\n Expand \"Certificates\" and navigate to \"Trusted Root Certification\n Authorities >> Certificates\".\n\n For each of the DoD Root CA certificates noted below:\n\n Right-click on the certificate and select \"Open\".\n\n Select the \"Details\" Tab.\n\n Scroll to the bottom and select \"Thumbprint\".\n\n If the DoD Root CA certificates below are not listed or the value for the\n \"Thumbprint\" field is not as noted, this is a finding.\n\n If an expired certificate (\"Valid to\" date) is not listed in the results,\n this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: 
B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041", - "fix": "Install the DoD Root CA certificates.\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create permanent shared objects\" user right could\n expose sensitive data by creating shared objects.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Create permanent shared objects\"\n user right, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create permanent shared objects\" to be defined but containing no entries\n (blank)." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-PK-000005", - "gid": "V-63579", - "rid": "SV-78069r4_rule", - "stig_id": "WN10-PK-000005", - "fix_id": "F-87307r1_fix", + "gtitle": "WN10-UR-000055", + "gid": "V-63863", + "rid": "SV-78353r1_rule", + "stig_id": "WN10-UR-000055", + "fix_id": "F-69791r1_fix", "cci": [ - "CCI-000185", - "CCI-002470" + "CCI-002235" ], "nist": [ - "IA-5 (2) (a)", - "SC-23 (5)", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
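Review bot: In V-63721 the assertion `its('MinimumPINLength') { should be >= 6 }` relies on the registry resource returning the REG_DWORD as an Integer; if the value were ever returned as a String, Ruby's `>=` would raise rather than produce a clean failure. Other controls in this file use InSpec's type-tolerant matcher (`should cmp 1`), so `its('MinimumPINLength') { should cmp >= 6 }` would be both consistent and more robust. The preceding `have_property` line correctly turns a missing value into a finding, matching the check text; a one-line comment saying so would make that intent explicit.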
@@ -6521,35 +6556,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63579' do\n title \"The DoD Root CA certificates must be installed in the Trusted Root\n Store.\"\n desc \"To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-PK-000005'\n tag gid: 'V-63579'\n tag rid: 'SV-78069r4_rule'\n tag stig_id: 'WN10-PK-000005'\n tag fix_id: 'F-87307r1_fix'\n tag cci: %w[CCI-000185 CCI-002470]\n tag nist: ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the DoD Root CA certificates are installed as Trusted Root\n Certification Authorities.\n\n The certificates and thumbprints referenced below apply to unclassified\n systems; see PKE documentation for other networks.\n\n Run \\\"PowerShell\\\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\n oot | Where Subject -Like \\\"*DoD*\\\" | FL Subject, Thumbprint, NotAfter\n\n If the following certificate \\\"Subject\\\" and \\\"Thumbprint\\\" information is not\n displayed, this is finding.\n\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately use the Certificates MMC snap-in:\n\n Run \\\"MMC\\\".\n\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n\n Select \\\"Certificates\\\", click \\\"Add\\\".\n\n Select \\\"Computer account\\\", click \\\"Next\\\".\n\n Select \\\"Local computer: (the computer this console is running on)\\\", click\n \\\"Finish\\\".\n\n Click \\\"OK\\\".\n\n Expand \\\"Certificates\\\" and navigate to \\\"Trusted Root Certification\n Authorities >> Certificates\\\".\n\n For each of the DoD Root CA certificates noted below:\n\n Right-click on the certificate and select \\\"Open\\\".\n\n Select the \\\"Details\\\" Tab.\n\n Scroll to the bottom and select \\\"Thumbprint\\\".\n\n If the DoD Root CA certificates below are not listed or the value for the\n \\\"Thumbprint\\\" field is not as noted, this is a finding.\n\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results,\n this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041\"\n\n desc 'fix', \"Install the DoD Root CA certificates.\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n if 
input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_trusted_certificates = JSON.parse(input('dod_trusted_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\root | Where {$_.Subject -Like \"*DoD Root*\"} | Select Subject, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The DoD Interoperability Root CA cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_trusted_certificates }\n end\n end\nend\n", + "code": "control 'V-63863' do\n title \"The Create permanent shared objects user right must not be assigned to\n any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Create permanent shared objects\\\" user right could\n expose sensitive data by creating shared objects.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000055'\n tag gid: 'V-63863'\n tag rid: 'SV-78353r1_rule'\n tag stig_id: 'WN10-UR-000055'\n tag fix_id: 'F-69791r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Create permanent shared objects\\\"\n user right, this is a 
finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create permanent shared objects\\\" to be defined but containing no entries\n (blank).\"\n\n describe security_policy do\n its('SeCreatePermanentPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63579.rb", + "ref": "./Windows 10 STIG/controls/V-63863.rb", "line": 3 }, - "id": "V-63579" + "id": "V-63863" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for EXCEL.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Anonymous enumeration of shares must be restricted.", + "desc": "Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name EXCEL.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for EXCEL.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Do not allow anonymous enumeration of SAM accounts and\n shares\" to \"Enabled\"." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-EP-000100", - "gid": "V-77201", - "rid": "SV-91897r3_rule", - "stig_id": "WN10-EP-000100", - "fix_id": "F-84337r4_fix", + "severity": "high", + "gtitle": "WN10-SO-000150", + "gid": "V-63749", + "rid": "SV-78239r1_rule", + "stig_id": "WN10-SO-000150", + "fix_id": "F-69677r1_fix", "cci": [ - "CCI-000366" + "CCI-001090" ], "nist": [ - "CM-6 b", + "SC-4", "Rev_4" ], "false_negatives": null, 
@@ -6563,35 +6598,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77201' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for EXCEL.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000100'\n tag gid: 'V-77201'\n tag rid: 'SV-91897r3_rule'\n tag stig_id: 'WN10-EP-000100'\n tag fix_id: 'F-84337r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name EXCEL.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for EXCEL.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name EXCEL.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Excel' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name EXCEL.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr Force Relocate Images are required to be enabled on Microsoft Office Excel' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name EXCEL.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false onAdobe Reader' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-63749' do\n title 'Anonymous enumeration of shares must be restricted.'\n desc \"Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000150'\n tag gid: 'V-63749'\n tag rid: 'SV-78239r1_rule'\n tag stig_id: 'WN10-SO-000150'\n tag fix_id: 'F-69677r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag 
false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Do not allow anonymous enumeration of SAM accounts and\n shares\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'RestrictAnonymous' }\n its('RestrictAnonymous') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77201.rb", + "ref": "./Windows 10 STIG/controls/V-63749.rb", "line": 3 }, - "id": "V-77201" + "id": "V-63749" }, { - "title": "Windows 10 systems must have Unified Extensible Firmware Interface\n (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.", - "desc": "UEFI provides additional security features in comparison to legacy\n BIOS firmware, including Secure Boot. UEFI is required to support additional\n security features in Windows 10, including Virtualization Based Security and\n Credential Guard. 
Systems with UEFI that are operating in Legacy BIOS mode will\n not support these security features.", + "title": "PowerShell script block logging must be enabled on Windows 10.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.", "descriptions": { - "default": "UEFI provides additional security features in comparison to legacy\n BIOS firmware, including Secure Boot. UEFI is required to support additional\n security features in Windows 10, including Virtualization Based Security and\n Credential Guard. Systems with UEFI that are operating in Legacy BIOS mode will\n not support these security features.", - "check": "For virtual desktop implementations (VDIs) where the virtual\n desktop instance is deleted or refreshed upon logoff, this is NA.\n\n Verify the system firmware is configured to run in UEFI mode, not Legacy BIOS.\n\n Run \"System Information\".\n\n Under \"System Summary\", if \"BIOS Mode\" does not display \"UEFI\", this is\n finding.", - "fix": "Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows PowerShell >> \"Turn\n on PowerShell Script Block Logging\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000015", - "gid": "V-77083", - "rid": "SV-91779r3_rule", - "stig_id": "WN10-00-000015", - "fix_id": "F-83781r1_fix", + "gtitle": "WN10-CC-000326", + "gid": "V-68819", + "rid": "SV-83411r2_rule", + "stig_id": "WN10-CC-000326", + "fix_id": "F-74989r1_fix", "cci": [ - "CCI-000366" + "CCI-000135" ], "nist": [ - "CM-6 b", + "AU-3 (1)", "Rev_4" ], "false_negatives": null, 
@@ -6605,35 +6640,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77083' do\n title \"Windows 10 systems must have Unified Extensible Firmware Interface\n (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.\"\n desc \"UEFI provides additional security features in comparison to legacy\n BIOS firmware, including Secure Boot. UEFI is required to support additional\n security features in Windows 10, including Virtualization Based Security and\n Credential Guard. Systems with UEFI that are operating in Legacy BIOS mode will\n not support these security features.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000015'\n tag gid: 'V-77083'\n tag rid: 'SV-91779r3_rule'\n tag stig_id: 'WN10-00-000015'\n tag fix_id: 'F-83781r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"For virtual desktop implementations (VDIs) where the virtual\n desktop instance is deleted or refreshed upon logoff, this is NA.\n\n Verify the system firmware is configured to run in UEFI mode, not Legacy BIOS.\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", if \\\"BIOS Mode\\\" does not display \\\"UEFI\\\", this is\n finding.\"\n desc \"fix\", 'Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode.'\n\n if sys_info.manufacturer != 'VMware, Inc.'\n describe 'Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode' do\n skip 'Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode'\n end\n else\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-77083.' 
do\n skip 'This is a VDI System; This System is NA for Control V-77083.'\n end\n end\nend\n", + "code": "control 'V-68819' do\n title 'PowerShell script block logging must be enabled on Windows 10.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000326'\n tag gid: 'V-68819'\n tag rid: 'SV-83411r2_rule'\n tag stig_id: 'WN10-CC-000326'\n tag fix_id: 'F-74989r1_fix'\n tag cci: ['CCI-000135']\n tag nist: ['AU-3 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows PowerShell >> \\\"Turn\n on PowerShell Script Block Logging\\\" to \\\"Enabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging') do\n it { should have_property 'EnableScriptBlockLogging' }\n its('EnableScriptBlockLogging') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77083.rb", + "ref": "./Windows 10 STIG/controls/V-68819.rb", "line": 3 }, - "id": "V-77083" + "id": "V-68819" }, { - "title": "The Deny access to this computer from the network user right on\n workstations must be configured to prevent access from highly privileged domain\n accounts and local accounts on domain systems and unauthenticated access on all\n systems.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" right defines the\n accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "NTLM must be prevented from falling back to a Null session.", + "desc": "NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" right defines the\n accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n 
Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny access to\n this computer from the network\" right, this is a finding:\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \"Local account\" is a built-in security group used to assign user rights\n and permissions to all local accounts.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Deny access to this computer from the network\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. 
(See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \"Local account\" is a built-in security group used to assign user rights\n and permissions to all local accounts." + "default": "NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0\\\n\n Value Name: allownullsessionfallback\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Allow LocalSystem NULL session fallback\" to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000070", - "gid": "V-63871", - "rid": "SV-78361r3_rule", - "stig_id": "WN10-UR-000070", - "fix_id": "F-88441r1_fix", + "gtitle": "WN10-SO-000180", + "gid": "V-63765", + "rid": "SV-78255r1_rule", + "stig_id": "WN10-SO-000180", + "fix_id": "F-69693r1_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -6647,35 +6682,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63871' do\n title \"The Deny access to this computer from the network user right on\n workstations must be configured to prevent access from highly privileged domain\n accounts and local accounts on domain systems and unauthenticated access on all\n systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \\\"Deny access to this computer from the network\\\" right defines the\n accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000070'\n tag gid: 'V-63871'\n tag rid: 'SV-78361r3_rule'\n tag stig_id: 'WN10-UR-000070'\n tag fix_id: 'F-88441r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny access to\n this 
computer from the network\\\" right, this is a finding:\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \\\"Local account\\\" is a built-in security group used to assign user rights\n and permissions to all local accounts.\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Deny access to this computer from the network\\\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins group\n Domain Admins group\n Local account (see Note below)\n\n All Systems:\n Guests group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. 
(See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n Note: \\\"Local account\\\" is a built-in security group used to assign user rights\n and permissions to all local accounts.\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include 'S-1-5-32-546' }\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should be_in [\"#{enterprise_admin_sid}\", \"#{domain_admin_sid}\", 'S-1-5-32-546'] }\n end\n end\nend", + "code": "control 'V-63765' do\n title 'NTLM must be prevented from falling back to a Null session.'\n desc \"NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000180'\n tag gid: 'V-63765'\n tag rid: 'SV-78255r1_rule'\n tag stig_id: 'WN10-SO-000180'\n tag fix_id: 'F-69693r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured 
as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\MSV1_0\\\\\n\n Value Name: allownullsessionfallback\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Allow LocalSystem NULL session fallback\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0') do\n it { should have_property 'allownullsessionfallback' }\n its('allownullsessionfallback') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63871.rb", + "ref": "./Windows 10 STIG/controls/V-63765.rb", "line": 3 }, - "id": "V-63871" + "id": "V-63765" }, { - "title": "The system must be configured to meet the minimum session security\n requirement for NTLM SSP based servers.", - "desc": "Microsoft has implemented a variety of security support providers for\n use with RPC sessions. All of the options must be enabled to ensure the\n maximum security level.", + "title": "The built-in guest account must be disabled.", + "desc": "A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This account is a known account that exists on all\n Windows systems and cannot be deleted. This account is initialized during the\n installation of the operating system with no password assigned.", "descriptions": { - "default": "Microsoft has implemented a variety of security support providers for\n use with RPC sessions. 
All of the options must be enabled to ensure the\n maximum security level.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Minimum session security for NTLM SSP based (including\n secure RPC) servers\" to \"Require NTLMv2 session security\" and \"Require\n 128-bit encryption\" (all options selected)." + "default": "A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This account is a known account that exists on all\n Windows systems and cannot be deleted. This account is initialized during the\n installation of the operating system with no password assigned.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Guest account status\" is not set to \"Disabled\",\n this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Guest account status\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000220", - "gid": "V-63807", - "rid": "SV-78297r1_rule", - "stig_id": "WN10-SO-000220", - "fix_id": "F-69735r1_fix", + "gtitle": "WN10-SO-000010", + "gid": "V-63611", + "rid": "SV-78101r1_rule", + "stig_id": "WN10-SO-000010", + "fix_id": "F-69541r1_fix", "cci": [ - "CCI-000366" + "CCI-000804" ], "nist": [ - "CM-6 b", + "IA-8", "Rev_4" ], "false_negatives": null, 
@@ -6689,35 +6724,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63807' do\n title \"The system must be configured to meet the minimum session security\n requirement for NTLM SSP based servers.\"\n desc \"Microsoft has implemented a variety of security support providers for\n use with RPC sessions. All of the options must be enabled to ensure the\n maximum security level.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000220'\n tag gid: 'V-63807'\n tag rid: 'SV-78297r1_rule'\n tag stig_id: 'WN10-SO-000220'\n tag fix_id: 'F-69735r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Minimum session security for NTLM SSP based (including\n secure RPC) servers\\\" to \\\"Require NTLMv2 session security\\\" and \\\"Require\n 128-bit encryption\\\" (all options selected).\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0') do\n it { should have_property 'NTLMMinServerSec' }\n its('NTLMMinServerSec') { should cmp 537_395_200 }\n end\nend\n", + "code": "control 'V-63611' do\n title 'The built-in guest account must be disabled.'\n desc \"A system faces an increased vulnerability threat if the 
built-in guest\n account is not disabled. This account is a known account that exists on all\n Windows systems and cannot be deleted. This account is initialized during the\n installation of the operating system with no password assigned.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000010'\n tag gid: 'V-63611'\n tag rid: 'SV-78101r1_rule'\n tag stig_id: 'WN10-SO-000010'\n tag fix_id: 'F-69541r1_fix'\n tag cci: ['CCI-000804']\n tag nist: %w[IA-8 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Guest account status\\\" is not set to \\\"Disabled\\\",\n this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Guest account status\\\" to \\\"Disabled\\\".\"\n\n describe security_policy do\n its('EnableGuestAccount') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63807.rb", + "ref": "./Windows 10 STIG/controls/V-63611.rb", "line": 3 }, - "id": "V-63807" + "id": "V-63611" }, { - "title": "The setting to allow Microsoft accounts to be optional for modern\n style apps must be enabled.", - "desc": "Control of credentials and the system must be maintained within the\n enterprise. 
Enabling this setting allows enterprise credentials to be used\n with modern style apps that support this, instead of Microsoft accounts.", + "title": "The machine inactivity limit must be set to 15 minutes, locking the\n system with the screensaver.", + "desc": "Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", "descriptions": { - "default": "Control of credentials and the system must be maintained within the\n enterprise. Enabling this setting allows enterprise credentials to be used\n with modern style apps that support this, instead of Microsoft accounts.", - "check": "Windows 10 LTSC\\B versions do not support the Microsoft Store\n and modern apps; this is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: MSAOptional\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Runtime >> \"Allow\n Microsoft accounts to be optional\" to \"Enabled\"." + "default": "Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. 
This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less, excluding \"0\" which is effectively\n disabled)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Interactive logon: Machine inactivity limit\" to \"900\" seconds\" or less,\n excluding \"0\" which is effectively disabled." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-CC-000170", - "gid": "V-63659", - "rid": "SV-78149r2_rule", - "stig_id": "WN10-CC-000170", - "fix_id": "F-69587r1_fix", + "severity": "medium", + "gtitle": "WN10-SO-000070", + "gid": "V-63669", + "rid": "SV-78159r2_rule", + "stig_id": "WN10-SO-000070", + "fix_id": "F-88429r1_fix", "cci": [ - "CCI-000366" + "CCI-000057" ], "nist": [ - "CM-6 b", + "AC-11 a", "Rev_4" ], "false_negatives": null, 
@@ -6731,35 +6766,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63659' do\n title \"The setting to allow Microsoft accounts to be optional for modern\n style apps must be enabled.\"\n desc \"Control of credentials and the system must be maintained within the\n enterprise. Enabling this setting allows enterprise credentials to be used\n with modern style apps that support this, instead of Microsoft accounts.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000170'\n tag gid: 'V-63659'\n tag rid: 'SV-78149r2_rule'\n tag stig_id: 'WN10-CC-000170'\n tag fix_id: 'F-69587r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Windows 10 LTSC\\\\B versions do not support the Microsoft Store\n and modern apps; this is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: MSAOptional\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Runtime >> \\\"Allow\n Microsoft accounts to be optional\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'MSAOptional' }\n its('MSAOptional') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63669' do\n title \"The machine inactivity limit must be set to 15 minutes, locking the\n system with the screensaver.\"\n desc 
\"Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000070'\n tag gid: 'V-63669'\n tag rid: 'SV-78159r2_rule'\n tag stig_id: 'WN10-SO-000070'\n tag fix_id: 'F-88429r1_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less, excluding \\\"0\\\" which is effectively\n disabled)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Interactive logon: Machine inactivity limit\\\" to \\\"900\\\" seconds\\\" or less,\n excluding \\\"0\\\" which is effectively disabled.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'InactivityTimeoutSecs' }\n its('InactivityTimeoutSecs') { should be <= 900 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n its('InactivityTimeoutSecs') { should be_positive }\n end\nend\n", "source_location": { - "ref": "./Windows 
10 STIG/controls/V-63659.rb", + "ref": "./Windows 10 STIG/controls/V-63669.rb", "line": 3 }, - "id": "V-63659" + "id": "V-63669" }, { - "title": "User Account Control must virtualize file and registry write failures\n to per-user locations.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.", + "title": "Connections to non-domain networks when connected to a domain\n authenticated network must be blocked.", + "desc": "Multiple network connections can provide additional attack vectors to\n a system and should be limited. When connected to a domain, communication must\n go through the domain connection.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Virtualize file and registry write failures to per-user\n locations\" to \"Enabled\"." + "default": "Multiple network connections can provide additional attack vectors to\n a system and should be limited. 
When connected to a domain, communication must\n go through the domain connection.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy\\\n\n Value Name: fBlockNonDomain\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Windows Connection Manager >> \"Prohibit\n connection to non-domain networks when connected to domain authenticated\n network\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000275", - "gid": "V-63831", - "rid": "SV-78321r1_rule", - "stig_id": "WN10-SO-000275", - "fix_id": "F-69759r1_fix", + "gtitle": "WN10-CC-000060", + "gid": "V-63585", + "rid": "SV-78075r1_rule", + "stig_id": "WN10-CC-000060", + "fix_id": "F-69515r1_fix", "cci": [ - "CCI-001084" + "CCI-000366" ], "nist": [ - "SC-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
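Review bot: The V-63669 `code` string opens two `describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')` blocks for the same key, one holding `should be <= 900` and the other `should be_positive`; both expectations belong in the first block, which already carries the `it { should have_property 'InactivityTimeoutSecs' }` guard, so the second block only re-reads the same resource to add one assertion. Without that guard, a missing value would likely surface in the second block as a failed comparison against nil rather than the clearer property-missing failure the first block reports. This file appears to be an exported copy of the profile, so the change belongs in `./Windows 10 STIG/controls/V-63669.rb`, with the baseline regenerated afterwards.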
@@ -6773,47 +6808,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63831' do\n title \"User Account Control must virtualize file and registry write failures\n to per-user locations.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000275'\n tag gid: 'V-63831'\n tag rid: 'SV-78321r1_rule'\n tag stig_id: 'WN10-SO-000275'\n tag fix_id: 'F-69759r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Virtualize file and registry write failures to per-user\n locations\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'EnableVirtualization' }\n its('EnableVirtualization') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63585' do\n title \"Connections to non-domain networks when connected to a domain\n 
authenticated network must be blocked.\"\n desc \"Multiple network connections can provide additional attack vectors to\n a system and should be limited. When connected to a domain, communication must\n go through the domain connection.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000060'\n tag gid: 'V-63585'\n tag rid: 'SV-78075r1_rule'\n tag stig_id: 'WN10-CC-000060'\n tag fix_id: 'F-69515r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WcmSvc\\\\GroupPolicy\\\\\n\n Value Name: fBlockNonDomain\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Windows Connection Manager >> \\\"Prohibit\n connection to non-domain networks when connected to domain authenticated\n network\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy') do\n it { should have_property 'fBlockNonDomain' }\n its('fBlockNonDomain') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63831.rb", + "ref": "./Windows 10 STIG/controls/V-63585.rb", "line": 3 }, - "id": "V-63831" + "id": "V-63585" }, { - "title": "The system must be configured to audit Account Management - User\n Account Management successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service 
disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", + "title": "The Deny log on locally user right on workstations must be configured\n to prevent access from highly privileged domain accounts on domain systems and\n unauthenticated access on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny log on locally\" right defines accounts that are prevented from\n logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Account Management >> User Account Management - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \"Audit User Account Management\" with\n \"Success\" selected." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny log on locally\" right defines accounts that are prevented from\n logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny log on\n locally\" right, this is a finding.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n All Systems:\n Guests Group", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Deny log on locally\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. 
(See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n All Systems:\n Guests Group" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000040", - "gid": "V-63449", - "rid": "SV-77939r1_rule", - "stig_id": "WN10-AU-000040", - "fix_id": "F-69377r1_fix", + "gtitle": "WN10-UR-000085", + "gid": "V-63877", + "rid": "SV-78367r2_rule", + "stig_id": "WN10-UR-000085", + "fix_id": "F-88443r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130", - "CCI-002234" + "CCI-000213" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)", - "AC-2 (4)", - "AC-2\n(4)", - "AC-6 (9)", + "AC-3", "Rev_4" ], "false_negatives": null, 
@@ -6827,35 +6850,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63449' do\n title \"The system must be configured to audit Account Management - User\n Account Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000040'\n tag gid: 'V-63449'\n tag rid: 'SV-77939r1_rule'\n tag stig_id: 'WN10-AU-000040'\n tag fix_id: 'F-69377r1_fix'\n tag cci: %w[CCI-000018 CCI-000172 CCI-001403 CCI-001404\n CCI-001405 CCI-002130 CCI-002234]\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', \"AC-2\n(4)\", 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Management >> User Account Management - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \\\"Audit User Account Management\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63877' do\n title \"The Deny log on locally user right on workstations must be configured\n to prevent access from highly privileged domain accounts on domain systems and\n unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \\\"Deny log on locally\\\" right defines accounts that are prevented from\n logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000085'\n tag gid: 'V-63877'\n tag rid: 'SV-78367r2_rule'\n tag stig_id: 'WN10-UR-000085'\n tag fix_id: 'F-88443r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Verify the 
effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny log on\n locally\\\" right, this is a finding.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n All Systems:\n Guests Group\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Deny log on locally\\\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. 
(See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n All Systems:\n Guests Group\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should be_in [\"#{domain_admin_sid}\", \"#{enterprise_admin_sid}\"] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63449.rb", + "ref": "./Windows 10 STIG/controls/V-63877.rb", "line": 3 }, - "id": "V-63449" + "id": "V-63877" }, { - "title": "Windows 10 must be configured to enable Remote host allows delegation\n of non-exportable credentials.", - "desc": "An exportable version of credentials is provided to remote hosts when\n using credential delegation which exposes them to theft on the remote host.\n Restricted Admin mode or Remote Credential Guard allow delegation of\n non-exportable credentials providing additional protection of the credentials.\n Enabling this configures the host to support Restricted Admin mode or Remote\n Credential Guard.", + "title": "The built-in administrator account must be disabled.", + "desc": "The built-in administrator account is a well-known account subject to\n attack. It also provides no accountability to individual administrators on a\n system. 
It must be disabled to prevent its use.", "descriptions": { - "default": "An exportable version of credentials is provided to remote hosts when\n using credential delegation which exposes them to theft on the remote host.\n Restricted Admin mode or Remote Credential Guard allow delegation of\n non-exportable credentials providing additional protection of the credentials.\n Enabling this configures the host to support Restricted Admin mode or Remote\n Credential Guard.", - "check": "This is NA for Windows 10 LTSC\\B versions 1507 and 1607.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation\\\n\n Value Name: AllowProtectedCreds\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Credentials Delegation >> \"Remote host\n allows delegation of non-exportable credentials\" to \"Enabled\"." + "default": "The built-in administrator account is a well-known account subject to\n attack. It also provides no accountability to individual administrators on a\n system. It must be disabled to prevent its use.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Administrator account status\" is not set to\n \"Disabled\", this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Administrator account status\" to \"Disabled\"." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000068", - "gid": "V-74699", - "rid": "SV-89373r2_rule", - "stig_id": "WN10-CC-000068", - "fix_id": "F-81317r1_fix", + "gtitle": "WN10-SO-000005", + "gid": "V-63601", + "rid": "SV-78091r1_rule", + "stig_id": "WN10-SO-000005", + "fix_id": "F-69531r1_fix", "cci": [ - "CCI-000366" + "CCI-000764" ], "nist": [ - "CM-6 b", + "IA-2", "Rev_4" ], "false_negatives": null, 
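Review bot: The domain branch of the V-63877 `code` string, `its('SeDenyInteractiveLogonRight') { should be_in ["#{domain_admin_sid}", "#{enterprise_admin_sid}"] }`, can pass when the right is assigned to nobody and never requires the Guests group that the control's check text demands on all systems, so a domain-joined host that still permits interactive logon by Domain Admins or Guests can be reported compliant. As far as I recall, InSpec's `be_in` only asserts that each element of the actual array is a member of the expected list; it does not assert that every expected SID is present. Asserting inclusion of each required principal matches the requirement: `its('SeDenyInteractiveLogonRight') { should include domain_admin_sid }`, `its('SeDenyInteractiveLogonRight') { should include enterprise_admin_sid }`, `its('SeDenyInteractiveLogonRight') { should include 'S-1-5-32-546' }`. Since this JSON appears to be an export of the profile, the fix belongs in `./Windows 10 STIG/controls/V-63877.rb`, after which the baseline is regenerated.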
@@ -6869,39 +6892,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74699' do\n title \"Windows 10 must be configured to enable Remote host allows delegation\n of non-exportable credentials.\"\n desc \"An exportable version of credentials is provided to remote hosts when\n using credential delegation which exposes them to theft on the remote host.\n Restricted Admin mode or Remote Credential Guard allow delegation of\n non-exportable credentials providing additional protection of the credentials.\n Enabling this configures the host to support Restricted Admin mode or Remote\n Credential Guard.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000068'\n tag gid: 'V-74699'\n tag rid: 'SV-89373r2_rule'\n tag stig_id: 'WN10-CC-000068'\n tag fix_id: 'F-81317r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA for Windows 10 LTSC\\\\B versions 1507 and 1607.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CredentialsDelegation\\\\\n\n Value Name: AllowProtectedCreds\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Credentials Delegation >> \\\"Remote host\n allows delegation of non-exportable credentials\\\" to \\\"Enabled\\\".\"\n\n releaseID = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId.to_i\n\n if ( releaseID == 1607 || releaseID <= 1507 )\n impact 0.0\n describe 'This STIG does not apply 
to Prior Versions before 1507 and 1607.' do\n skip 'This STIG does not apply to Prior Versions before 1507 and 1607.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation') do\n it { should have_property 'AllowProtectedCreds' }\n its('AllowProtectedCreds') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63601' do\n title 'The built-in administrator account must be disabled.'\n desc \"The built-in administrator account is a well-known account subject to\n attack. It also provides no accountability to individual administrators on a\n system. It must be disabled to prevent its use.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000005'\n tag gid: 'V-63601'\n tag rid: 'SV-78091r1_rule'\n tag stig_id: 'WN10-SO-000005'\n tag fix_id: 'F-69531r1_fix'\n tag cci: ['CCI-000764']\n tag nist: %w[IA-2 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Administrator account status\\\" is not set to\n \\\"Disabled\\\", this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Administrator account status\\\" to \\\"Disabled\\\".\"\n\n describe security_policy do\n its('EnableAdminAccount') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74699.rb", + "ref": "./Windows 10 STIG/controls/V-63601.rb", 
"line": 3 }, - "id": "V-74699" + "id": "V-63601" }, { - "title": "Windows 10 permissions for the System event log must prevent access by\n non-privileged accounts.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.", + "title": "Remote Desktop Services must be configured with the client connection\n encryption set to the required level.", + "desc": "Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting \"High Level\" will ensure encryption of\n Remote Desktop Services sessions in both directions.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.", - "check": "Verify the permissions on the System event log (System.evtx).\n Standard user accounts or groups must not have access. 
The default permissions\n listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES\" has\n Special Permissions, this would not be a finding.", - "fix": "Ensure the permissions on the System event log (System.evtx) are\n configured to prevent standard user accounts or groups from having access. The\n default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." + "default": "Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting \"High Level\" will ensure encryption of\n Remote Desktop Services sessions in both directions.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: MinEncryptionLevel\n\n Value Type: REG_DWORD\n Value: 3", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> \"Set client connection encryption\n level\" to \"Enabled\" and \"High Level\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000525", - "gid": "V-63541", - "rid": "SV-78031r2_rule", - "stig_id": "WN10-AU-000525", - "fix_id": "F-69471r1_fix", + "gtitle": "WN10-CC-000290", + "gid": "V-63741", + "rid": "SV-78231r1_rule", + "stig_id": "WN10-CC-000290", + "fix_id": "F-69669r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-000068", + "CCI-002890" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "AC-17 (2)", + "MA-4 (6)", "Rev_4" ], "false_negatives": null, 
@@ -6915,30 +6936,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63541' do\n title \"Windows 10 permissions for the System event log must prevent access by\n non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000525'\n tag gid: 'V-63541'\n tag rid: 'SV-78031r2_rule'\n tag stig_id: 'WN10-AU-000525'\n tag fix_id: 'F-69471r1_fix'\n tag cci: %w[CCI-000162 CCI-000163 CCI-000164]\n tag nist: %w[AU-9 AU-9 AU-9 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the permissions on the System event log (System.evtx).\n Standard user accounts or groups must not have access. 
The default permissions\n listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \\\"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\\\" has\n Special Permissions, this would not be a finding.\"\n\n desc \"fix\", \"Ensure the permissions on the System event log (System.evtx) are\n configured to prevent standard user accounts or groups from having access. The\n default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n systemroot = system_root.strip\n\n describe file(\"#{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\System.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", + "code": "control 'V-63741' do\n title \"Remote Desktop Services must be configured with the client connection\n encryption set to the required level.\"\n desc \"Remote connections must be encrypted to prevent interception of data\n or sensitive information. 
Selecting \\\"High Level\\\" will ensure encryption of\n Remote Desktop Services sessions in both directions.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000290'\n tag gid: 'V-63741'\n tag rid: 'SV-78231r1_rule'\n tag stig_id: 'WN10-CC-000290'\n tag fix_id: 'F-69669r1_fix'\n tag cci: %w[CCI-000068 CCI-002890]\n tag nist: ['AC-17 (2)', 'MA-4 (6)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: MinEncryptionLevel\n\n Value Type: REG_DWORD\n Value: 3\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> \\\"Set client connection encryption\n level\\\" to \\\"Enabled\\\" and \\\"High Level\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'MinEncryptionLevel' }\n its('MinEncryptionLevel') { should cmp 3 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63541.rb", + "ref": "./Windows 10 STIG/controls/V-63741.rb", "line": 3 }, - "id": "V-63541" + "id": "V-63741" }, { - "title": "The use of a hardware security device with Windows Hello for Business\n must be enabled.", - "desc": "The use of a Trusted Platform Module (TPM) to store keys for Windows\n Hello for Business provides additional security. 
Keys stored in the TPM may\n only be used on that system while keys stored using software are more\n susceptible to compromise and could be used on other systems.", + "title": "Caching of logon credentials must be limited.", + "desc": "The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. Even though the\n credential cache is well-protected, if a system is attacked, an unauthorized\n individual may isolate the password to a domain user account using a\n password-cracking program and gain access to the domain.", "descriptions": { - "default": "The use of a Trusted Platform Module (TPM) to store keys for Windows\n Hello for Business provides additional security. Keys stored in the TPM may\n only be used on that system while keys stored using software are more\n susceptible to compromise and could be used on other systems.", - "check": "Virtual desktop implementations currently may not support the use\n of TPMs. For virtual desktop implementations where the virtual desktop instance\n is deleted or refreshed upon logoff, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\PassportForWork\\\n\n Value Name: RequireSecurityDevice\n\n Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Hello for Business >>\n \"Use a hardware security device\" to \"Enabled\".\n\n v1507 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Microsoft Passport for Work." 
+ "default": "The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. Even though the\n credential cache is well-protected, if a system is attacked, an unauthorized\n individual may isolate the password to a domain user account using a\n password-cracking program and gain access to the domain.", + "check": "This is the default configuration for this setting (10 logons to\n cache).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 10 (or less)\n\n This setting only applies to domain-joined systems, however, it is configured\n by default on all systems.", + "fix": "This is the default configuration for this setting (10 logons to\n cache).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> \"Interactive logon:\n Number of previous logons to cache (in case domain controller is not\n available)\" to \"10\" logons or less.\n\n This setting only applies to domain-joined systems, however, it is configured\n by default on all systems." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000255", - "gid": "V-63717", - "rid": "SV-78207r5_rule", - "stig_id": "WN10-CC-000255", - "fix_id": "F-83247r2_fix", + "severity": "low", + "gtitle": "WN10-SO-000085", + "gid": "V-63687", + "rid": "SV-78177r1_rule", + "stig_id": "WN10-SO-000085", + "fix_id": "F-69615r1_fix", "cci": [ "CCI-000366" ], 
@@ -6957,37 +6978,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63717' do\n title \"The use of a hardware security device with Windows Hello for Business\n must be enabled.\"\n desc \"The use of a Trusted Platform Module (TPM) to store keys for Windows\n Hello for Business provides additional security. Keys stored in the TPM may\n only be used on that system while keys stored using software are more\n susceptible to compromise and could be used on other systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000255'\n tag gid: 'V-63717'\n tag rid: 'SV-78207r5_rule'\n tag stig_id: 'WN10-CC-000255'\n tag fix_id: 'F-83247r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Virtual desktop implementations currently may not support the use\n of TPMs. 
For virtual desktop implementations where the virtual desktop instance\n is deleted or refreshed upon logoff, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\PassportForWork\\\\\n\n Value Name: RequireSecurityDevice\n\n Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Hello for Business >>\n \\\"Use a hardware security device\\\" to \\\"Enabled\\\".\n\n v1507 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Microsoft Passport for Work.\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63717.' do\n skip 'This is a VDI System; This System is NA for Control V-63717.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PassportForWork') do\n it { should have_property 'RequireSecurityDevice' }\n its('RequireSecurityDevice') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63687' do\n title 'Caching of logon credentials must be limited.'\n desc \"The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. 
Even though the\n credential cache is well-protected, if a system is attacked, an unauthorized\n individual may isolate the password to a domain user account using a\n password-cracking program and gain access to the domain.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000085'\n tag gid: 'V-63687'\n tag rid: 'SV-78177r1_rule'\n tag stig_id: 'WN10-SO-000085'\n tag fix_id: 'F-69615r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"This is the default configuration for this setting (10 logons to\n cache).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 10 (or less)\n\n This setting only applies to domain-joined systems, however, it is configured\n by default on all systems.\"\n \n desc \"fix\", \"This is the default configuration for this setting (10 logons to\n cache).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> \\\"Interactive logon:\n Number of previous logons to cache (in case domain controller is not\n available)\\\" to \\\"10\\\" logons or less.\n\n This setting only applies to domain-joined systems, however, it is configured\n by default on all systems.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon') do\n it { should have_property 'CachedLogonsCount' }\n its('CachedLogonsCount') { should cmp <= 10 }\n end\nend\n", 
"source_location": { - "ref": "./Windows 10 STIG/controls/V-63717.rb", + "ref": "./Windows 10 STIG/controls/V-63687.rb", "line": 3 }, - "id": "V-63717" + "id": "V-63687" }, { - "title": "The system must be configured to audit System - Security System\n Extension successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.", + "title": "Users must be prevented from changing installation options.", + "desc": "Installation options for applications are typically controlled by\n administrators. This setting prevents users from changing installation options\n that may bypass security features.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> Security System Extension - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit Security System Extension\" with\n \"Success\" selected." + "default": "Installation options for applications are typically controlled by\n administrators. This setting prevents users from changing installation options\n that may bypass security features.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: EnableUserControl\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> \"Allow\n user control over installs\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000150", - "gid": "V-63513", - "rid": "SV-78003r1_rule", - "stig_id": "WN10-AU-000150", - "fix_id": "F-69443r1_fix", + "gtitle": "WN10-CC-000310", + "gid": "V-63321", + "rid": "SV-77811r1_rule", + "stig_id": "WN10-CC-000310", + "fix_id": "F-69239r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-001812" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-11 (2)", "Rev_4" ], "false_negatives": null, 
@@ -7001,35 +7020,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63513' do\n title \"The system must be configured to audit System - Security System\n Extension successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000150'\n tag gid: 'V-63513'\n tag rid: 'SV-78003r1_rule'\n tag stig_id: 'WN10-AU-000150'\n tag fix_id: 'F-69443r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> Security System Extension - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit Security System Extension\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Security System Extension') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security System Extension') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63321' do\n title 'Users must be prevented from changing installation options.'\n desc \"Installation options for applications are typically controlled by\n administrators. This setting prevents users from changing installation options\n that may bypass security features.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000310'\n tag gid: 'V-63321'\n tag rid: 'SV-77811r1_rule'\n tag stig_id: 'WN10-CC-000310'\n tag fix_id: 'F-69239r1_fix'\n tag cci: ['CCI-001812']\n tag nist: ['CM-11 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: EnableUserControl\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> \\\"Allow\n user control over installs\\\" to \\\"Disabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'EnableUserControl' }\n its('EnableUserControl') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63513.rb", + "ref": "./Windows 10 STIG/controls/V-63321.rb", "line": 3 }, - "id": "V-63513" + "id": "V-63321" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for\n POWERPNT.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The Manage auditing and security log user right must only be assigned\n to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Manage auditing and security log\" user right can\n manage the security log and change auditing configurations. This could be used\n to clear evidence of tampering.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name POWERPNT.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for POWERPNT.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Manage auditing and security log\" user right can\n manage the security log and change auditing configurations. 
This could be used\n to clear evidence of tampering.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Manage\n auditing and security log\" user right, this is a finding:\n\n Administrators\n\n If the organization has an \"Auditors\" group the assignment of this group to\n the user right would not be a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Manage auditing and security log\" to only include the following groups or\n accounts:\n\n Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000240", - "gid": "V-77247", - "rid": "SV-91943r3_rule", - "stig_id": "WN10-EP-000240", - "fix_id": "F-84503r5_fix", + "gtitle": "WN10-UR-000130", + "gid": "V-63927", + "rid": "SV-78417r1_rule", + "stig_id": "WN10-UR-000130", + "fix_id": "F-69855r1_fix", "cci": [ - "CCI-000366" + "CCI-000162", + "CCI-000163", + "CCI-000164", + "CCI-000171", + "CCI-001914" ], "nist": [ - "CM-6 b", + "AU-9", + "AU-9", + "AU-9", + "AU-12 b", + "AU-12 (3)", "Rev_4" ], "false_negatives": null, 
@@ -7043,35 +7070,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77247' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n POWERPNT.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000240'\n tag gid: 'V-77247'\n tag rid: 'SV-91943r3_rule'\n tag stig_id: 'WN10-EP-000240'\n tag fix_id: 'F-84503r5_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name POWERPNT.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for POWERPNT.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name POWERPNT.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office PowerPoint' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name POWERPNT.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office PowerPoint' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name POWERPNT.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office PowerPoint' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end \n end\nend\n", + "code": "control 'V-63927' do\n title \"The Manage auditing and security log user right must only be assigned\n to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Manage auditing and security log\\\" user right can\n manage the security log and change auditing configurations. 
This could be used\n to clear evidence of tampering.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000130'\n tag gid: 'V-63927'\n tag rid: 'SV-78417r1_rule'\n tag stig_id: 'WN10-UR-000130'\n tag fix_id: 'F-69855r1_fix'\n tag cci: %w[CCI-000162 CCI-000163 CCI-000164 CCI-000171 CCI-001914]\n tag nist: ['AU-9', 'AU-9', 'AU-9', 'AU-12 b', 'AU-12 (3)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Manage\n auditing and security log\\\" user right, this is a finding:\n\n Administrators\n\n If the organization has an \\\"Auditors\\\" group the assignment of this group to\n the user right would not be a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Manage auditing and security log\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeSecurityPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77247.rb", + "ref": "./Windows 10 STIG/controls/V-63927.rb", "line": 3 }, - "id": "V-77247" + "id": "V-63927" }, { - "title": "NTLM must be prevented from falling back to a Null session.", - "desc": "NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.", + "title": "Windows 10 must be 
configured to prevent Windows apps from being\n activated by voice while the system is locked.", + "desc": "Allowing Windows apps to be activated by voice from the lock screen\n could allow for unauthorized use. Requiring logon will ensure the apps are only\n used by authorized personnel.", "descriptions": { - "default": "NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0\\\n\n Value Name: allownullsessionfallback\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Allow LocalSystem NULL session fallback\" to \"Disabled\"." + "default": "Allowing Windows apps to be activated by voice from the lock screen\n could allow for unauthorized use. Requiring logon will ensure the apps are only\n used by authorized personnel.", + "check": "This setting requires v1903 or later of Windows 10; it is NA for\n prior versions. 
The setting is NA when the “Allow voice activation” policy is\n configured to disallow applications to be activated with voice for all users.\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy\\\n\n Value Name: LetAppsActivateWithVoiceAboveLock\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\n\n If the following registry value exists and is configured as specified,\n requirement is NA.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy\\\n\n Value Name: LetAppsActivateWithVoice\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Privacy >> \"Let Windows\n apps activate with voice while the system is locked\" to \"Enabled\" with\n “Default for all Apps:” set to “Force Deny”.\n\n The requirement is NA if the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Privacy >> \"Let Windows\n apps activate with voice\" is configured to \"Enabled\" with “Default for all\n Apps:” set to “Force Deny”." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000180", - "gid": "V-63765", - "rid": "SV-78255r1_rule", - "stig_id": "WN10-SO-000180", - "fix_id": "F-69693r1_fix", + "gtitle": "WN10-CC-000365", + "gid": "V-94719", + "rid": "SV-104549r1_rule", + "stig_id": "WN10-CC-000365", + "fix_id": "F-100837r3_fix", "cci": [ - "CCI-000366" + "CCI-000056" ], "nist": [ - "CM-6 b", + "AC-11 b", "Rev_4" ], "false_negatives": null, 
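Review bot: The new V-63927 code asserts `its('SeSecurityPrivilege') { should eq ['S-1-5-32-544'] }`, which requires the right to be held by exactly the Administrators SID, while the control's own check text says an organization-defined "Auditors" group holding the same right is not a finding; a compliant host with such a group would be reported as failing. A profile input in the style of the `input('sensitive_system')` reads already used in this file would let the exception be expressed: `allowed = ['S-1-5-32-544'] + input('auditors_group_sids', value: [])` followed by `its('SeSecurityPrivilege') { should be_in allowed }` (InSpec's `be_in` accepts an array on the actual side, as far as I recall — worth confirming). The input would also need declaring in the profile's inputs list, which is empty in this file. Since `source_location` points at `./Windows 10 STIG/controls/V-63927.rb`, the change presumably belongs in that source file rather than only in this generated `code` string.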
@@ -7085,35 +7112,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63765' do\n title 'NTLM must be prevented from falling back to a Null session.'\n desc \"NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000180'\n tag gid: 'V-63765'\n tag rid: 'SV-78255r1_rule'\n tag stig_id: 'WN10-SO-000180'\n tag fix_id: 'F-69693r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\MSV1_0\\\\\n\n Value Name: allownullsessionfallback\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Allow LocalSystem NULL session fallback\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0') do\n it { should have_property 'allownullsessionfallback' }\n its('allownullsessionfallback') { should cmp 0 }\n end\nend\n", + "code": "control 'V-94719' do\n title \"Windows 10 must be configured to prevent Windows apps from being\n activated by voice while the system is locked.\"\n desc \"Allowing Windows apps to be activated by voice from the lock screen\n could allow for unauthorized use. 
Requiring logon will ensure the apps are only\n used by authorized personnel.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000365'\n tag gid: 'V-94719'\n tag rid: 'SV-104549r1_rule'\n tag stig_id: 'WN10-CC-000365'\n tag fix_id: 'F-100837r3_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This setting requires v1903 or later of Windows 10; it is NA for\n prior versions. The setting is NA when the “Allow voice activation” policy is\n configured to disallow applications to be activated with voice for all users.\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppPrivacy\\\\\n\n Value Name: LetAppsActivateWithVoiceAboveLock\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\n\n If the following registry value exists and is configured as specified,\n requirement is NA.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppPrivacy\\\\\n\n Value Name: LetAppsActivateWithVoice\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Privacy >> \\\"Let Windows\n apps activate with voice while the system is locked\\\" to \\\"Enabled\\\" with\n “Default for all Apps:” set to “Force Deny”.\n\n The requirement is NA if the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Privacy >> \\\"Let Windows\n apps activate with voice\\\" is configured to \\\"Enabled\\\" with “Default 
for all\n Apps:” set to “Force Deny”.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1903'\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy') do\n it { should have_property 'LetAppsActivateWithVoiceAboveLock' }\n its('LetAppsActivateWithVoiceAboveLock') { should cmp 2 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy') do\n it { should have_property 'LetAppsActivateWithVoice' }\n its('LetAppsActivateWithVoice') { should cmp 2 }\n end\n end\n else\n impact 0.0\n describe 'This setting requires v1903 or later of Windows 10; it is NA for prior versions.' do\n skip 'This setting requires v1903 or later of Windows 10; it is NA for prior versions.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63765.rb", + "ref": "./Windows 10 STIG/controls/V-94719.rb", "line": 3 }, - "id": "V-63765" + "id": "V-94719" }, { - "title": "Windows 10 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.", - "desc": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Control flow guard (CFG)\", are enabled by default at the system level. CFG\n ensures flow integrity for indirect calls. If this is turned off, Windows 10\n may be subject to various exploits.", + "title": "Explorer Data Execution Prevention must be enabled.", + "desc": "Data Execution Prevention (DEP) provides additional protection by\n performing checks on memory to help prevent malicious code from running. This\n setting will prevent Data Execution Prevention from being turned off for File\n Explorer.", "descriptions": { - "default": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. 
Several mitigations, including\n \"Control flow guard (CFG)\", are enabled by default at the system level. CFG\n ensures flow integrity for indirect calls. If this is turned off, Windows 10\n may be subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which\n meets this requirement. The PowerShell query results for this show as\n \"NOTSET\".\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -System\".\n\n If the status of \"CFG: Enable\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Control flow\n guard (CFG)\", is turned on. The default configuration in Exploit Protection is\n \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n\n Select \"App & browser control\".\n\n Select \"Exploit protection settings\".\n\n Under \"System settings\", configure \"Control flow guard (CFG)\" to \"On by\n default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn CFG on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". 
It is recommended the file be in a read-only network location." + "default": "Data Execution Prevention (DEP) provides additional protection by\n performing checks on memory to help prevent malicious code from running. This\n setting will prevent Data Execution Prevention from being turned off for File\n Explorer.", + "check": "The default behavior is for data execution prevention to be\n turned on for file explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)", + "fix": "The default behavior is for data execution prevention to be turned\n on for file explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> \"Turn off Data Execution Prevention for Explorer\" to \"Not\n Configured\" or \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000040", - "gid": "V-77097", - "rid": "SV-91793r3_rule", - "stig_id": "WN10-EP-000040", - "fix_id": "F-86721r2_fix", + "gtitle": "WN10-CC-000215", + "gid": "V-63689", + "rid": "SV-78179r1_rule", + "stig_id": "WN10-CC-000215", + "fix_id": "F-69617r1_fix", "cci": [ - "CCI-000366" + "CCI-002824" ], "nist": [ - "CM-6 b", + "SI-16", "Rev_4" ], "false_negatives": null, 
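Review bot: The version gate in the new V-94719 code, `registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId >= '1903'`, compares strings lexicographically; that happens to hold for the four-digit ReleaseId values Windows 10 has shipped, but if the value were ever absent the comparison would raise a NoMethodError on nil instead of skipping the control. Reading it once and comparing numerically is safer: `release_id = registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId.to_s` and then `if release_id.to_i >= 1903`, which degrades to the skip branch when the value is missing. The same raw string comparison appears in the `< '1709'` gates of the controls being removed in this diff, so a shared helper in the profile would avoid repeating it. The `describe.one` that treats `LetAppsActivateWithVoice == 2` as a pass matches the check text's "requirement is NA" case, though it differs from the `impact 0.0` plus `skip` convention this file uses for the version-based NA; a one-line comment above the `describe.one` stating that the second branch is the documented NA condition would make that intentional.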
@@ -7127,63 +7154,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77097' do\n title 'Windows 10 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.'\n desc \"Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \\\"Control flow guard (CFG)\\\", are enabled by default at the system level. CFG\n ensures flow integrity for indirect calls. If this is turned off, Windows 10\n may be subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000040'\n tag gid: 'V-77097'\n tag rid: 'SV-91793r3_rule'\n tag stig_id: 'WN10-EP-000040'\n tag fix_id: 'F-86721r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which\n meets this requirement. The PowerShell query results for this show as\n \\\"NOTSET\\\".\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -System\\\".\n\n If the status of \\\"CFG: Enable\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n desc 'fix', \"Ensure Exploit Protection system-level mitigation, \\\"Control flow\n guard (CFG)\\\", is turned on. 
The default configuration in Exploit Protection is\n \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n\n Select \\\"App & browser control\\\".\n\n Select \\\"Exploit protection settings\\\".\n\n Under \\\"System settings\\\", configure \\\"Control flow guard (CFG)\\\" to \\\"On by\n default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn CFG on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n cfg = json( command: 'Get-ProcessMitigation -System | Select CFG | ConvertTo-Json').params\n describe 'ControlFlowGuard is required to be enabled on System' do\n subject { cfg }\n its(['Enable']) { should_not eq '2' }\n end\n end\nend\n", + "code": "control 'V-63689' do\n title 'Explorer Data Execution Prevention must be enabled.'\n desc \"Data Execution Prevention (DEP) provides additional protection by\n performing checks on memory to help prevent malicious code from running. This\n setting will prevent Data Execution Prevention from being turned off for File\n Explorer.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000215'\n tag gid: 'V-63689'\n tag rid: 'SV-78179r1_rule'\n tag stig_id: 'WN10-CC-000215'\n tag fix_id: 'F-69617r1_fix'\n tag cci: ['CCI-002824']\n tag nist: %w[SI-16 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"The default behavior is for data execution prevention to be\n turned on for file explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for data execution prevention to be turned\n on for file explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative 
Templates >> Windows Components >> File\n Explorer >> \\\"Turn off Data Execution Prevention for Explorer\\\" to \\\"Not\n Configured\\\" or \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoDataExecutionPrevention' }\n its('NoDataExecutionPrevention') { should_not be 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should_not have_property 'NoDataExecutionPrevention' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77097.rb", + "ref": "./Windows 10 STIG/controls/V-63689.rb", "line": 3 }, - "id": "V-77097" + "id": "V-63689" }, { - "title": "Passwords for the built-in local Administrator account must be changed\nat least every 60 days.", - "desc": "The longer a password is in use, the greater the opportunity for\nsomeone to gain unauthorized knowledge of the password. The built-in local\nAdministrator account is not generally used and its password not may be changed\nas frequently as necessary. Changing the password for the built-in local\nAdministrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such Microsoft's Local\nAdministrator Password Solution (LAPS), on domain-joined systems can configure\nthis to occur more frequently. LAPS will change the password every \"30\" days\nby default.", + "title": "The use of a hardware security device with Windows Hello for Business\n must be enabled.", + "desc": "The use of a Trusted Platform Module (TPM) to store keys for Windows\n Hello for Business provides additional security. 
Keys stored in the TPM may\n only be used on that system while keys stored using software are more\n susceptible to compromise and could be used on other systems.", "descriptions": { - "default": "The longer a password is in use, the greater the opportunity for\nsomeone to gain unauthorized knowledge of the password. The built-in local\nAdministrator account is not generally used and its password not may be changed\nas frequently as necessary. Changing the password for the built-in local\nAdministrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such Microsoft's Local\nAdministrator Password Solution (LAPS), on domain-joined systems can configure\nthis to occur more frequently. LAPS will change the password every \"30\" days\nby default.", - "rationale": "", - "check": "Review the password last set date for the built-in Administrator account.\n\n On the local domain joined workstation:\n\n Open \"PowerShell\".\n\n Enter \"Get-LocalUser –Name * | Select-Object *”\n\n If the \"PasswordLastSet\" date is greater than \"60\" days old for the\nBuilt-in account for administering the computer/domain, this is a finding", - "fix": "Change the built-in Administrator account password at least every \"60\"\ndays.\n\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined\nmember servers to meet this requirement." + "default": "The use of a Trusted Platform Module (TPM) to store keys for Windows\n Hello for Business provides additional security. Keys stored in the TPM may\n only be used on that system while keys stored using software are more\n susceptible to compromise and could be used on other systems.", + "check": "Virtual desktop implementations currently may not support the use\n of TPMs. 
For virtual desktop implementations where the virtual desktop instance\n is deleted or refreshed upon logoff, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\PassportForWork\\\n\n Value Name: RequireSecurityDevice\n\n Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Hello for Business >>\n \"Use a hardware security device\" to \"Enabled\".\n\n v1507 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Microsoft Passport for Work." }, "impact": 0.5, "refs": [], "tags": { - "severity": null, - "gtitle": "WN10-SO-000280", - "gid": "V-99555", - "rid": "SV-108659r1_rule", - "stig_id": "WN10-SO-000280", - "fix_id": "F-105239r1_fix", - "cci": [ - "CCI-000199" - ], - "nist": [ - "IA-5 (1) (d)", - "Rev_4" - ] - }, - "code": "control \"V-99555\" do\n title \"Passwords for the built-in local Administrator account must be changed\nat least every 60 days.\"\n desc \"The longer a password is in use, the greater the opportunity for\nsomeone to gain unauthorized knowledge of the password. The built-in local\nAdministrator account is not generally used and its password not may be changed\nas frequently as necessary. Changing the password for the built-in local\nAdministrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such Microsoft's Local\nAdministrator Password Solution (LAPS), on domain-joined systems can configure\nthis to occur more frequently. 
LAPS will change the password every \\\"30\\\" days\nby default.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-SO-000280\"\n tag gid: \"V-99555\"\n tag rid: \"SV-108659r1_rule\"\n tag stig_id: \"WN10-SO-000280\"\n tag fix_id: \"F-105239r1_fix\"\n tag cci: [\"CCI-000199\"]\n tag nist: [\"IA-5 (1) (d)\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"\n Review the password last set date for the built-in Administrator account.\n\n On the local domain joined workstation:\n\n Open \\\"PowerShell\\\".\n\n Enter \\\"Get-LocalUser –Name * | Select-Object *”\n\n If the \\\"PasswordLastSet\\\" date is greater than \\\"60\\\" days old for the\nBuilt-in account for administering the computer/domain, this is a finding\"\n desc \"fix\", \"Change the built-in Administrator account password at least every \\\"60\\\"\ndays.\n\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined\nmember servers to meet this requirement.\"\n \n administrator = input('local_administrator')\n local_password_set_date = json({ command: \"Get-LocalUser -name #{administrator} | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-60)} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\"})\n local_date = local_password_set_date[\"DateTime\"]\n if (local_date == nil)\n describe 'Local Administrator Account is within 365 days since password change' do\n skip 'Local Administrator Account is within 365 days since password change'\n end\n else\n describe 'Password Last Set' do\n it 'Local Administrator Account Password Last Set Date is' do\n failure_message = \"Password Date should not be more that 365 Days: #{local_date}\"\n expect(local_date).to be_empty, failure_message\n end\n end\n end\nend\n", - "source_location": { - "ref": "./Windows 10 STIG/controls/V-99555.rb", - "line": 3 - }, - "id": "V-99555" - }, - { - "title": "The Windows 10 system must use an anti-virus program.", - "desc": "Malicious software can establish a base on individual desktops 
and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.", - "descriptions": { - "default": "Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.", - "check": "Verify an anti-virus solution is installed on the system. The\n anti-virus solution may be bundled with an approved host-based security\n solution.\n\n If there is no anti-virus solution installed on the system, this is a finding.", - "fix": "Install an anti-virus solution on the system." - }, - "impact": 0.7, - "refs": [], - "tags": { - "severity": "high", - "gtitle": "WN10-00-000045", - "gid": "V-63351", - "rid": "SV-77841r4_rule", - "stig_id": "WN10-00-000045", - "fix_id": "F-83183r1_fix", + "severity": "medium", + "gtitle": "WN10-CC-000255", + "gid": "V-63717", + "rid": "SV-78207r5_rule", + "stig_id": "WN10-CC-000255", + "fix_id": "F-83247r2_fix", "cci": [ "CCI-000366" ], 
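Review bot: In the new V-63689 code, `its('NoDataExecutionPrevention') { should_not be 1 }` uses RSpec's identity matcher `be`, which does not coerce types the way the `cmp` matcher used elsewhere in this diff does (`should cmp 0` in V-63765, `should cmp 2` in V-94719), and it also accepts any value other than 1 even though the check text names 0 as the compliant value when the property exists. Mirroring the check text with `its('NoDataExecutionPrevention') { should cmp 0 }` keeps the matcher style consistent across the profile and avoids passing on an unexpected value. The second `describe.one` branch, `it { should_not have_property 'NoDataExecutionPrevention' }`, correctly covers the "value name does not exist" case from the check text. The V-63717 descriptions added at the end of this hunk state a VDI not-applicable condition, but its `code` lies outside this hunk, so whether the skip is implemented cannot be judged here.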
@@ -7202,35 +7196,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63351' do\n title 'The Windows 10 system must use an anti-virus program.'\n desc \"Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000045'\n tag gid: 'V-63351'\n tag rid: 'SV-77841r4_rule'\n tag stig_id: 'WN10-00-000045'\n tag fix_id: 'F-83183r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify an anti-virus solution is installed on the system. The\n anti-virus solution may be bundled with an approved host-based security\n solution.\n\n If there is no anti-virus solution installed on the system, this is a finding.\"\n\n desc 'fix', 'Install an anti-virus solution on the system.'\n\n anti_virus_product_name = <<-EOH\n #script came from: https://www.404techsupport.com/2015/04/27/powershell-script-detect-antivirus-product-and-status/\n\n $computername=$env:computername\n $AntiVirusProduct = Get-WmiObject -Namespace root\\\\SecurityCenter2 -Class AntiVirusProduct -ComputerName $computername\n\n #Switch to determine the status of antivirus definitions and real-time protection.\n #Write-Output $AntiVirusProduct.productState\n switch ($AntiVirusProduct.productState) {\n \"262144\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"262160\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"266240\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"266256\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n 
\"393216\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"393232\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"393488\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"397312\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"397328\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397584\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397568\" {$defstatus = \"Up to date\"; $rtstatus = \"Enabled\"}\n \"393472\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n default {$defstatus = \"Unknown\" ;$rtstatus = \"Unknown\"}\n }\n\n Write-Output $AntiVirusProduct.displayName\n EOH\n\n anti_virus_def_status = <<-EOH\n #script came from: https://www.404techsupport.com/2015/04/27/powershell-script-detect-antivirus-product-and-status/\n\n $computername=$env:computername\n $AntiVirusProduct = Get-WmiObject -Namespace root\\\\SecurityCenter2 -Class AntiVirusProduct -ComputerName $computername\n\n #Switch to determine the status of antivirus definitions and real-time protection.\n #Write-Output $AntiVirusProduct.productState\n switch ($AntiVirusProduct.productState) {\n \"262144\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"262160\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"266240\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"266256\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"393216\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"393232\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"393488\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"397312\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"397328\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397584\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397568\" {$defstatus = \"Up to date\"; $rtstatus = \"Enabled\"}\n \"393472\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n default 
{$defstatus = \"Unknown\" ;$rtstatus = \"Unknown\"}\n }\n\n Write-Output $defstatus\n EOH\n\n anti_virus_status = <<-EOH\n #script came from: https://www.404techsupport.com/2015/04/27/powershell-script-detect-antivirus-product-and-status/\n\n $computername=$env:computername\n $AntiVirusProduct = Get-WmiObject -Namespace root\\\\SecurityCenter2 -Class AntiVirusProduct -ComputerName $computername\n\n #Switch to determine the status of antivirus definitions and real-time protection.\n #Write-Output $AntiVirusProduct.productState\n switch ($AntiVirusProduct.productState) {\n \"262144\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"262160\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"266240\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"266256\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"393216\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"393232\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"393488\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"397312\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"397328\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397584\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397568\" {$defstatus = \"Up to date\"; $rtstatus = \"Enabled\"}\n \"393472\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n default {$defstatus = \"Unknown\" ;$rtstatus = \"Unknown\"}\n }\n\n Write-Output $rtstatus\n EOH\n\n check_product = powershell(anti_virus_product_name).stdout.strip.split(\"\\n\").map(&:strip)\n\n describe \"The installed anti-virus: #{check_product} is on the Approved Sofware List\" do\n subject { check_product }\n it { should be_in input('av_approved_software') }\n end\n describe 'The anti-virus software is enabled on the system' do\n subject { powershell(anti_virus_status).strip }\n it { should cmp 'Enabled' }\n end\n describe 'The anti-virus signature definitions are up to date' 
do\n subject { powershell(anti_virus_def_status).strip }\n it { should cmp 'Up to date' }\n end\nend\n", + "code": "control 'V-63717' do\n title \"The use of a hardware security device with Windows Hello for Business\n must be enabled.\"\n desc \"The use of a Trusted Platform Module (TPM) to store keys for Windows\n Hello for Business provides additional security. Keys stored in the TPM may\n only be used on that system while keys stored using software are more\n susceptible to compromise and could be used on other systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000255'\n tag gid: 'V-63717'\n tag rid: 'SV-78207r5_rule'\n tag stig_id: 'WN10-CC-000255'\n tag fix_id: 'F-83247r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Virtual desktop implementations currently may not support the use\n of TPMs. 
For virtual desktop implementations where the virtual desktop instance\n is deleted or refreshed upon logoff, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\PassportForWork\\\\\n\n Value Name: RequireSecurityDevice\n\n Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Hello for Business >>\n \\\"Use a hardware security device\\\" to \\\"Enabled\\\".\n\n v1507 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Microsoft Passport for Work.\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63717.' do\n skip 'This is a VDI System; This System is NA for Control V-63717.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PassportForWork') do\n it { should have_property 'RequireSecurityDevice' }\n its('RequireSecurityDevice') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63351.rb", + "ref": "./Windows 10 STIG/controls/V-63717.rb", "line": 3 }, - "id": "V-63351" + "id": "V-63717" }, { - "title": "Attachments must be prevented from being downloaded from RSS feeds.", - "desc": "Attachments from RSS feeds may not be secure. This setting will\n prevent attachments from being downloaded from RSS feeds.", + "title": "The user must be prompted for a password on resume from sleep (plugged\n in).", + "desc": "Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep\n (plugged in).", "descriptions": { - "default": "Attachments from RSS feeds may not be secure. 
This setting will\n prevent attachments from being downloaded from RSS feeds.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: DisableEnclosureDownload\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> RSS Feeds >> \"Prevent\n downloading of enclosures\" to \"Enabled\"." + "default": "Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep\n (plugged in).", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: ACSettingIndex\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n \"Require a password when a computer wakes (plugged in)\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000295", - "gid": "V-63743", - "rid": "SV-78233r1_rule", - "stig_id": "WN10-CC-000295", - "fix_id": "F-69671r1_fix", + "gtitle": "WN10-CC-000150", + "gid": "V-63649", + "rid": "SV-78139r1_rule", + "stig_id": "WN10-CC-000150", + "fix_id": "F-69579r1_fix", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b", + "IA-11", "Rev_4" ], "false_negatives": null, 
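Review bot: In the new V-63717 code, `if sys_info.manufacturer == 'VMware, Inc.'` treats every VMware-hosted machine as a non-persistent virtual desktop and sets `impact 0.0`, but the control's own check text limits the NA to virtual desktop instances that are deleted or refreshed on logoff; a persistent VMware workstation with no `RequireSecurityDevice` policy would be scored as not applicable instead of as a finding, and a VDI on another hypervisor would get no exemption at all. Hardware manufacturer is a weak proxy for deployment model, so the branch is better driven by an explicit profile input the assessor sets, e.g. `if input('non_persistent_vdi')` (input name illustrative), keeping the manufacturer at most as a hint in the skip message. The same heuristic appears in the new V-63649 code in the next hunk. The enclosing JSON control object begins before this hunk and the following object's tags continue after it.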
@@ -7244,35 +7238,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63743' do\n title 'Attachments must be prevented from being downloaded from RSS feeds.'\n desc \"Attachments from RSS feeds may not be secure. This setting will\n prevent attachments from being downloaded from RSS feeds.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000295'\n tag gid: 'V-63743'\n tag rid: 'SV-78233r1_rule'\n tag stig_id: 'WN10-CC-000295'\n tag fix_id: 'F-69671r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: DisableEnclosureDownload\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> RSS Feeds >> \\\"Prevent\n downloading of enclosures\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should have_property 'DisableEnclosureDownload' }\n its('DisableEnclosureDownload') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63649' do\n title \"The user must be prompted for a password on resume from sleep (plugged\n in).\"\n desc \"Authentication must always be required when accessing a system. 
This\n setting ensures the user is prompted for a password on resume from sleep\n (plugged in).\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000150'\n tag gid: 'V-63649'\n tag rid: 'SV-78139r1_rule'\n tag stig_id: 'WN10-CC-000150'\n tag fix_id: 'F-69579r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: ACSettingIndex\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n \\\"Require a password when a computer wakes (plugged in)\\\" to \\\"Enabled\\\".\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63649.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63649.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'ACSettingIndex' }\n its('ACSettingIndex') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63743.rb", + "ref": "./Windows 10 STIG/controls/V-63649.rb", "line": 3 }, - "id": "V-63743" + "id": "V-63649" }, { - "title": "The system must be configured to audit Logon/Logoff - Group Membership\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.", + "title": "The Windows SMB client must be configured to always perform SMB packet\n signing.", + "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Group Membership - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> \"Audit Group Membership\" with \"Success\" selected." + "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Microsoft network client: Digitally sign communications (always)\" to\n \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000060", - "gid": "V-63457", - "rid": "SV-77947r2_rule", - "stig_id": "WN10-AU-000060", - "fix_id": "F-69385r2_fix", + "gtitle": "WN10-SO-000100", + "gid": "V-63703", + "rid": "SV-78193r1_rule", + "stig_id": "WN10-SO-000100", + "fix_id": "F-69629r1_fix", "cci": [ - "CCI-000172" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AU-12 c", + "SC-8", + "SC-8 (1)", "Rev_4" ], "false_negatives": null, 
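Review bot: The new V-63649 code grants a VDI exemption (`impact 0.0` plus a skip when `sys_info.manufacturer == 'VMware, Inc.'`) that the control's own check text does not provide — unlike V-63717, the check for `ACSettingIndex` under the Power\PowerSettings key has no "this is NA" clause for virtual desktops, so a VMware guest missing the policy is reported as not applicable rather than as a finding. Unless the profile documents an approved deviation, the conditional should be removed so the `registry_key` describe runs unconditionally, or at minimum the skip text should state that the exemption is a profile decision rather than STIG guidance. The enclosing JSON control object begins before this hunk and the following object's tags continue after it.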
@@ -7286,37 +7282,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63457' do\n title \"The system must be configured to audit Logon/Logoff - Group Membership\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000060'\n tag gid: 'V-63457'\n tag rid: 'SV-77947r2_rule'\n tag stig_id: 'WN10-AU-000060'\n tag fix_id: 'F-69385r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Group Membership - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> \\\"Audit Group Membership\\\" with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Group Membership') { should eq 'Success' }\n end\n describe audit_policy do\n its('Group Membership') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63703' do\n title \"The Windows SMB client must be configured to always perform SMB packet\n signing.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000100'\n tag gid: 'V-63703'\n tag rid: 'SV-78193r1_rule'\n tag stig_id: 'WN10-SO-000100'\n tag fix_id: 'F-69629r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> 
Local Policies >> Security Options >>\n \\\"Microsoft network client: Digitally sign communications (always)\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63457.rb", + "ref": "./Windows 10 STIG/controls/V-63703.rb", "line": 3 }, - "id": "V-63457" + "id": "V-63703" }, { - "title": "The Windows SMB server must be configured to always perform SMB packet\n signing.", - "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.", + "title": "Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.", + "desc": "Accounts or groups given rights on a system may show up as unresolved\n SIDs for various reasons including deletion of the accounts or groups. If the\n account or group objects are reanimated, there is a potential they may still\n have rights no longer intended. Valid domain accounts or groups may also show\n up as unresolved SIDs if a connection to the domain cannot be established for\n some reason.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Microsoft network server: Digitally sign communications (always)\" to\n \"Enabled\"." + "default": "Accounts or groups given rights on a system may show up as unresolved\n SIDs for various reasons including deletion of the accounts or groups. If the\n account or group objects are reanimated, there is a potential they may still\n have rights no longer intended. Valid domain accounts or groups may also show\n up as unresolved SIDs if a connection to the domain cannot be established for\n some reason.", + "check": "Review the effective User Rights setting in Local Group Policy\n Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether they\n are valid, such as due to being temporarily disconnected from the domain.\n (Unresolved SIDs have the format of \"*S-1-…\".)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\n groups, this is a finding.", + "fix": "Remove any unresolved SIDs found in User Rights assignments and\n determined to not be for currently valid accounts or groups by removing the\n accounts or groups from the appropriate group policy." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000120", - "gid": "V-63719", - "rid": "SV-78209r1_rule", - "stig_id": "WN10-SO-000120", - "fix_id": "F-69647r1_fix", + "gtitle": "WN10-00-000190", + "gid": "V-76505", + "rid": "SV-91201r1_rule", + "stig_id": "WN10-00-000190", + "fix_id": "F-83185r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000366" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -7330,35 +7324,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63719' do\n title \"The Windows SMB server must be configured to always perform SMB packet\n signing.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000120'\n tag gid: 'V-63719'\n tag rid: 'SV-78209r1_rule'\n tag stig_id: 'WN10-SO-000120'\n tag fix_id: 'F-69647r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Microsoft network server: Digitally sign communications (always)\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp 1 }\n end\nend\n", + "code": "control 'V-76505' do\n title 'Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.'\n desc 
\"Accounts or groups given rights on a system may show up as unresolved\n SIDs for various reasons including deletion of the accounts or groups. If the\n account or group objects are reanimated, there is a potential they may still\n have rights no longer intended. Valid domain accounts or groups may also show\n up as unresolved SIDs if a connection to the domain cannot be established for\n some reason.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000190'\n tag gid: 'V-76505'\n tag rid: 'SV-91201r1_rule'\n tag stig_id: 'WN10-00-000190'\n tag fix_id: 'F-83185r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Review the effective User Rights setting in Local Group Policy\n Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether they\n are valid, such as due to being temporarily disconnected from the domain.\n (Unresolved SIDs have the format of \\\"*S-1-…\\\".)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\n groups, this is a finding.\"\n desc \"fix\", \"Remove any unresolved SIDs found in User Rights assignments and\n determined to not be for currently valid accounts or groups by removing the\n accounts or groups from the appropriate group policy.\"\n\n describe 'A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights on Windows 2012 / 2012 R2' do\n skip 'A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights 
on Windows 2012 / 2012 R2'\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63719.rb", + "ref": "./Windows 10 STIG/controls/V-76505.rb", "line": 3 }, - "id": "V-63719" + "id": "V-76505" }, { - "title": "The system must be configured to audit Object Access - Removable\n Storage successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.", + "title": "The Secondary Logon service must be disabled on Windows 10.", + "desc": "The Secondary Logon service provides a means for entering alternate\n credentials, typically used to run commands with elevated privileges. Using\n privileged credentials in a standard user session can expose those credentials\n to theft.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Object Access >> Removable Storage - Success\n\n Some virtual machines may generate excessive audit events for access to the\n virtual hard disk itself when this setting is enabled. This may be set to Not\n Configured in such cases and would not be a finding. This must be documented\n with the ISSO to include mitigations such as monitoring or restricting any\n actual removable storage connected to the VM.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit Removable Storage\" with \"Success\"\n selected." - }, + "default": "The Secondary Logon service provides a means for entering alternate\n credentials, typically used to run commands with elevated privileges. 
Using\n privileged credentials in a standard user session can expose those credentials\n to theft.", + "check": "Run \"Services.msc\".\n\n Locate the \"Secondary Logon\" service.\n\n If the \"Startup Type\" is not \"Disabled\" or the \"Status\" is \"Running\",\n this is a finding.", + "fix": "Configure the \"Secondary Logon\" service \"Startup Type\" to \"Disabled\"." + }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000090", - "gid": "V-63473", - "rid": "SV-77963r2_rule", - "stig_id": "WN10-AU-000090", - "fix_id": "F-69403r1_fix", + "gtitle": "WN10-00-000175", + "gid": "V-74719", + "rid": "SV-89393r2_rule", + "stig_id": "WN10-00-000175", + "fix_id": "F-81333r1_fix", "cci": [ - "CCI-000172" + "CCI-000381" ], "nist": [ - "AU-12 c", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
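Review bot: The new V-76505 code's describe and skip strings end with `removed from user rights on Windows 2012 / 2012 R2`, but this is the Windows 10 STIG profile (the control title on the same line reads "on Windows 10"), so the reported message is wrong on every run and looks copied from a server profile. Change both strings to `describe 'A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights on Windows 10' do` and `skip 'A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights on Windows 10'`. The enclosing JSON control object begins before this hunk and the following object's tags continue after it.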
@@ -7372,37 +7366,35 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-63473' do\n title \"The system must be configured to audit Object Access - Removable\n Storage successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000090'\n tag gid: 'V-63473'\n tag rid: 'SV-77963r2_rule'\n tag stig_id: 'WN10-AU-000090'\n tag fix_id: 'F-69403r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Object Access >> Removable Storage - Success\n\n Some virtual machines may generate excessive audit events for access to the\n virtual hard disk itself when this setting is enabled. This may be set to Not\n Configured in such cases and would not be a finding. This must be documented\n with the ISSO to include mitigations such as monitoring or restricting any\n actual removable storage connected to the VM.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Success' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n end\nend\n",
+ "code": "control 'V-74719' do\n title 'The Secondary Logon service must be disabled on Windows 10.'\n desc \"The Secondary Logon service provides a means for entering alternate\n credentials, typically used to run commands with elevated privileges. Using\n privileged credentials in a standard user session can expose those credentials\n to theft.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000175'\n tag gid: 'V-74719'\n tag rid: 'SV-89393r2_rule'\n tag stig_id: 'WN10-00-000175'\n tag fix_id: 'F-81333r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Run \\\"Services.msc\\\".\n\n Locate the \\\"Secondary Logon\\\" service.\n\n If the \\\"Startup Type\\\" is not \\\"Disabled\\\" or the \\\"Status\\\" is \\\"Running\\\",\n this is a finding.\"\n desc \"fix\", 'Configure the \"Secondary Logon\" service \"Startup Type\" to \"Disabled\".'\n\n describe.one do\n describe service('Secondary Logon') do\n it { should_not be_enabled }\n end\n describe service('Secondary Logon') do\n it { should_not be_running }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 10 STIG/controls/V-63473.rb",
+ "ref": "./Windows 10 STIG/controls/V-74719.rb",
 "line": 3
 },
- "id": "V-63473"
+ "id": "V-74719"
 },
 {
- "title": "Outgoing secure channel traffic must be encrypted when possible.",
- "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted.",
+ "title": "The system must be configured to use FIPS-compliant algorithms for\n encryption, hashing, and signing.",
+ "desc": "This setting ensures that the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. Government and must be the\n algorithms used for all OS encryption functions.",
 "descriptions": {
- "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SealSecureChannel\n\n Value Type: REG_DWORD\n Value: 1",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Digitally encrypt secure channel data (when possible)\" to \"Enabled\"."
+ "default": "This setting ensures that the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. Government and must be the\n algorithms used for all OS encryption functions.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy\\\n\n Value Name: Enabled\n\n Value Type: REG_DWORD\n Value: 1\n\n Warning: Clients with this setting enabled will not be able to communicate via\n digitally encrypted or signed protocols with servers that do not support these\n algorithms. Both the browser and web server must be configured to use TLS\n otherwise the browser will not be able to connect to a secure site.",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"System\n cryptography: Use FIPS compliant algorithms for encryption, hashing, and\n signing\" to \"Enabled\"."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-SO-000040",
- "gid": "V-63643",
- "rid": "SV-78133r1_rule",
- "stig_id": "WN10-SO-000040",
- "fix_id": "F-69573r1_fix",
+ "gtitle": "WN10-SO-000230",
+ "gid": "V-63811",
+ "rid": "SV-78301r1_rule",
+ "stig_id": "WN10-SO-000230",
+ "fix_id": "F-69739r1_fix",
 "cci": [
- "CCI-002418",
- "CCI-002421"
+ "CCI-002450"
 ],
 "nist": [
- "SC-8",
- "SC-8 (1)",
+ "SC-13",
 "Rev_4"
 ],
 "false_negatives": null,
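Review bot: The V-74719 test in the new `code` string wraps `should_not be_enabled` and `should_not be_running` in `describe.one`, so the control passes when only one of them holds, while its own check text makes either a non-Disabled startup type or a Running status a finding. Both expectations need to hold, so the two `describe service('Secondary Logon')` blocks should sit at the top level (drop the `describe.one do … end` wrapper) or be merged into one `describe` with both `it` lines. Whether `be_enabled` maps exactly onto the "Startup Type is Disabled" wording depends on InSpec's Windows service resource, which is not visible here, so that mapping is worth confirming against the resource's documented start-mode semantics.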
@@ -7416,35 +7408,35 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-63643' do\n title 'Outgoing secure channel traffic must be encrypted when possible.'\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted.\"\n\n impact 0.5\n\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000040'\n tag gid: 'V-63643'\n tag rid: 'SV-78133r1_rule'\n tag stig_id: 'WN10-SO-000040'\n tag fix_id: 'F-69573r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SealSecureChannel\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Digitally encrypt secure channel data (when possible)\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'SealSecureChannel' }\n its('SealSecureChannel') { should cmp 1 }\n end\nend\n",
+ "code": "control 'V-63811' do\n title \"The system must be configured to use FIPS-compliant algorithms for\n encryption, hashing, and signing.\"\n desc \"This setting ensures that the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. Government and must be the\n algorithms used for all OS encryption functions.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000230'\n tag gid: 'V-63811'\n tag rid: 'SV-78301r1_rule'\n tag stig_id: 'WN10-SO-000230'\n tag fix_id: 'F-69739r1_fix'\n tag cci: ['CCI-002450']\n tag nist: %w[SC-13 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\FIPSAlgorithmPolicy\\\\\n\n Value Name: Enabled\n\n Value Type: REG_DWORD\n Value: 1\n\n Warning: Clients with this setting enabled will not be able to communicate via\n digitally encrypted or signed protocols with servers that do not support these\n algorithms. Both the browser and web server must be configured to use TLS\n otherwise the browser will not be able to connect to a secure site.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"System\n cryptography: Use FIPS compliant algorithms for encryption, hashing, and\n signing\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy') do\n it { should have_property 'Enabled' }\n its('Enabled') { should cmp 1 }\n end\nend\n",
 "source_location": {
- "ref": "./Windows 10 STIG/controls/V-63643.rb",
+ "ref": "./Windows 10 STIG/controls/V-63811.rb",
 "line": 3
 },
- "id": "V-63643"
+ "id": "V-63811"
 },
 {
- "title": "Exploit Protection mitigations in Windows 10 must be configured for\n wmplayer.exe.",
- "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.",
+ "title": "The Allow log on locally user right must only be assigned to the Administrators and Users groups.",
+ "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on locally\" user right can log on\n interactively to a system.",
 "descriptions": {
- "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.",
- "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name wmplayer.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.",
- "fix": "Ensure the following mitigations are turned \"ON\" for wmplayer.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location."
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on locally\" user right can log on\n interactively to a system.",
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Allow log\n on locally\" user right, this is a finding:\n\n Administrators\n Users",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Allow log on locally\" to only include the following groups or accounts:\n\n Administrators\n Users"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-EP-000290",
- "gid": "V-77267",
- "rid": "SV-91963r3_rule",
- "stig_id": "WN10-EP-000290",
- "fix_id": "F-84513r4_fix",
+ "gtitle": "WN10-UR-000025",
+ "gid": "V-63851",
+ "rid": "SV-78341r2_rule",
+ "stig_id": "WN10-UR-000025",
+ "fix_id": "F-88439r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000213"
 ],
 "nist": [
- "CM-6 b",
+ "AC-3",
 "Rev_4"
 ],
 "false_negatives": null,
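Review bot: The hunks in this region look like a reshuffle of existing controls rather than a content change — V-63643 is removed here (and its title/tags in the preceding hunk) and reappears unchanged in the later hunks starting at new-side lines 7492 and 7536 — which makes any real change in the commit very hard to review; this hunk and the ones before and after it share the issue. If the baseline is generated from profile output, emitting `controls` in a deterministic order (for example sorted by `id`) would make regeneration produce a minimal diff. Separately, every entry in these hunks carries `"ref": "./Windows 10 STIG/controls/…"` and `WN10-*` tags while the file path names the Ubuntu 16.04 STIG baseline; if one file is meant to aggregate several profiles, a per-control field naming the originating profile would make that explicit, otherwise these entries appear to belong in a different baseline file.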
@@ -7458,35 +7450,35 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-77267' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n wmplayer.exe.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000290'\n tag gid: 'V-77267'\n tag rid: 'SV-91963r3_rule'\n tag stig_id: 'WN10-EP-000290'\n tag fix_id: 'F-84513r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name wmplayer.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for wmplayer.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name wmplayer.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Windows Media Player' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name wmplayer.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Windows Media Player' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend",
+ "code": "control 'V-63851' do\n title 'The Allow log on locally user right must only be assigned to the Administrators and Users groups.'\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the \\\"Allow log on locally\\\" user right can log on\n interactively to a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000025'\n tag gid: 'V-63851'\n tag rid: 'SV-78341r2_rule'\n tag stig_id: 'WN10-UR-000025'\n tag fix_id: 'F-88439r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Allow log\n on locally\\\" user right, this is a finding:\n\n Administrators\n Users\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Allow log on locally\\\" to only include the following groups or accounts:\n\n Administrators\n Users\"\n\n describe security_policy do\n its('SeInteractiveLogonRight') { should be_in ['S-1-5-32-544', 'S-1-5-32-545'] }\n end\nend\n",
 "source_location": {
- "ref": "./Windows 10 STIG/controls/V-77267.rb",
+ "ref": "./Windows 10 STIG/controls/V-63851.rb",
 "line": 3
 },
- "id": "V-77267"
+ "id": "V-63851"
 },
 {
- "title": "User Account Control approval mode for the built-in Administrator must\n be enabled.",
- "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.",
+ "title": "Secure Boot must be enabled on Windows 10 systems.",
+ "desc": "Secure Boot is a standard that ensures systems boot only to a trusted\n operating system. Secure Boot is required to support additional security\n features in Windows 10, including Virtualization Based Security and Credential\n Guard. If Secure Boot is turned off, these security features will not function.",
 "descriptions": {
- "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 1",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Admin Approval Mode for the Built-in Administrator account\"\n to \"Enabled\"."
+ "default": "Secure Boot is a standard that ensures systems boot only to a trusted\n operating system. Secure Boot is required to support additional security\n features in Windows 10, including Virtualization Based Security and Credential\n Guard. If Secure Boot is turned off, these security features will not function.",
+ "check": "Some older systems may not have UEFI firmware. This is currently\n a CAT III; it will be raised in severity at a future date when broad support of\n Windows 10 hardware and firmware requirements are expected to be met. Devices\n that have UEFI firmware must have Secure Boot enabled.\n\n For virtual desktop implementations (VDIs) where the virtual desktop instance\n is deleted or refreshed upon logoff, this is NA.\n\n Run \"System Information\".\n\n Under \"System Summary\", if \"Secure Boot State\" does not display \"On\",\n this is finding.",
+ "fix": "Enable Secure Boot in the system firmware."
 },
- "impact": 0.5,
+ "impact": 0.3,
 "refs": [],
 "tags": {
- "severity": "medium",
- "gtitle": "WN10-SO-000245",
- "gid": "V-63817",
- "rid": "SV-78307r1_rule",
- "stig_id": "WN10-SO-000245",
- "fix_id": "F-69745r1_fix",
+ "severity": "low",
+ "gtitle": "WN10-00-000020",
+ "gid": "V-77085",
+ "rid": "SV-91781r2_rule",
+ "stig_id": "WN10-00-000020",
+ "fix_id": "F-83783r1_fix",
 "cci": [
- "CCI-002038"
+ "CCI-000366"
 ],
 "nist": [
- "IA-11",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
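Review bot: The V-63851 test in the new `code` string compares `SeInteractiveLogonRight` against two bare SIDs with no indication of what they stand for, which makes the allow-list hard to audit against the STIG text. A comment in the control body such as `# S-1-5-32-544 = BUILTIN\Administrators, S-1-5-32-545 = BUILTIN\Users (well-known SIDs)` would tie the values to the check text. The `be_in` expectation on an array subject relies on InSpec's matcher treating every element as having to be in the list, which is how the resource documentation describes it but is not visible here; it also passes when the right is granted to nobody, which the STIG wording does not forbid, so that is consistent rather than a defect.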
@@ -7500,35 +7492,37 @@
 "responsibility": null,
 "ia_controls": null
 },
- "code": "control 'V-63817' do\n title \"User Account Control approval mode for the built-in Administrator must\n be enabled.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000245'\n tag gid: 'V-63817'\n tag rid: 'SV-78307r1_rule'\n tag stig_id: 'WN10-SO-000245'\n tag fix_id: 'F-69745r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Admin Approval Mode for the Built-in Administrator account\\\"\n to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'FilterAdministratorToken' }\n its('FilterAdministratorToken') { should cmp 1 }\n end\nend\n",
+ "code": "control 'V-77085' do\n title 'Secure Boot must be enabled on Windows 10 systems.'\n desc \"Secure Boot is a standard that ensures systems boot only to a trusted\n operating system. Secure Boot is required to support additional security\n features in Windows 10, including Virtualization Based Security and Credential\n Guard. If Secure Boot is turned off, these security features will not function.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-00-000020'\n tag gid: 'V-77085'\n tag rid: 'SV-91781r2_rule'\n tag stig_id: 'WN10-00-000020'\n tag fix_id: 'F-83783r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Some older systems may not have UEFI firmware. This is currently\n a CAT III; it will be raised in severity at a future date when broad support of\n Windows 10 hardware and firmware requirements are expected to be met. Devices\n that have UEFI firmware must have Secure Boot enabled.\n\n For virtual desktop implementations (VDIs) where the virtual desktop instance\n is deleted or refreshed upon logoff, this is NA.\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", if \\\"Secure Boot State\\\" does not display \\\"On\\\",\n this is finding.\"\n desc 'fix', 'Enable Secure Boot in the system firmware.'\n\n\n uefi_boot = json( command: 'Confirm-SecureBootUEFI | ConvertTo-Json').params\n if sys_info.manufacturer != 'VMware, Inc.' || nil\n describe 'Confirm-Secure Boot UEFI is required to be enabled on System' do\n subject { uefi_boot }\n it { should_not eq 'False' }\n end\n else\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-77085.' do\n skip 'This is a VDI System; This System is NA for Control V-77085.'\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 10 STIG/controls/V-63817.rb",
+ "ref": "./Windows 10 STIG/controls/V-77085.rb",
 "line": 3
 },
- "id": "V-63817"
+ "id": "V-77085"
 },
 {
- "title": "The display of slide shows on the lock screen must be disabled.",
- "desc": "Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. Turning off this feature will\n limit access to the information to a logged on user.",
+ "title": "Outgoing secure channel traffic must be encrypted when possible.",
+ "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted.",
 "descriptions": {
- "default": "Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. Turning off this feature will\n limit access to the information to a logged on user.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 1",
- "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> \"Prevent\n enabling lock screen slide show\" to \"Enabled\"."
+ "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SealSecureChannel\n\n Value Type: REG_DWORD\n Value: 1",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Digitally encrypt secure channel data (when possible)\" to \"Enabled\"."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-CC-000010",
- "gid": "V-63549",
- "rid": "SV-78039r1_rule",
- "stig_id": "WN10-CC-000010",
- "fix_id": "F-69479r1_fix",
+ "gtitle": "WN10-SO-000040",
+ "gid": "V-63643",
+ "rid": "SV-78133r1_rule",
+ "stig_id": "WN10-SO-000040",
+ "fix_id": "F-69573r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-002418",
+ "CCI-002421"
 ],
 "nist": [
- "CM-7 a",
+ "SC-8",
+ "SC-8 (1)",
 "Rev_4"
 ],
 "false_negatives": null,
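Review bot: The V-77085 test in the new `code` string cannot fail on a system with Secure Boot off: `uefi_boot` is the parsed output of `Confirm-SecureBootUEFI | ConvertTo-Json`, which yields a JSON boolean (or nothing at all if the cmdlet errors on non-UEFI firmware), so `it { should_not eq 'False' }` compares against a string the subject never equals and passes in every case. The expectation should require the positive result, e.g. `it { should cmp true }` (or `should eq true` if the `json` resource returns a bare boolean here), so that a `false` or missing result is reported as a finding; the `|| nil` appended to the `sys_info.manufacturer` comparison is a no-op and should be dropped. Treating every host whose manufacturer string is 'VMware, Inc.' as a refreshed VDI instance is a heuristic the check text does not support — it exempts all VMware guests — so an explicit profile input for the VDI case would be more faithful to the STIG wording.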
@@ -7542,35 +7536,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63549' do\n title 'The display of slide shows on the lock screen must be disabled.'\n desc \"Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. Turning off this feature will\n limit access to the information to a logged on user.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000010'\n tag gid: 'V-63549'\n tag rid: 'SV-78039r1_rule'\n tag stig_id: 'WN10-CC-000010'\n tag fix_id: 'F-69479r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization\\\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 1\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> \\\"Prevent\n enabling lock screen slide show\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization') do\n it { should have_property 'NoLockScreenSlideshow' }\n its('NoLockScreenSlideshow') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63643' do\n title 'Outgoing secure channel traffic must be encrypted when possible.'\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. 
If this policy is enabled, outgoing secure channel traffic will be\n encrypted.\"\n\n impact 0.5\n\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000040'\n tag gid: 'V-63643'\n tag rid: 'SV-78133r1_rule'\n tag stig_id: 'WN10-SO-000040'\n tag fix_id: 'F-69573r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SealSecureChannel\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Digitally encrypt secure channel data (when possible)\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'SealSecureChannel' }\n its('SealSecureChannel') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63549.rb", + "ref": "./Windows 10 STIG/controls/V-63643.rb", "line": 3 }, - "id": "V-63549" + "id": "V-63643" }, { - "title": "The system must be configured to audit System - Other System Events\n failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", + "title": "The Windows Remote Management (WinRM) client must not use Basic\n authentication.", + "desc": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> Other System Events - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit Other System Events\" with \"Failure\"\n selected." + "default": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowBasic\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \"Allow Basic authentication\" to \"Disabled\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-AU-000135", - "gid": "V-63503", - "rid": "SV-77993r2_rule", - "stig_id": "WN10-AU-000135", - "fix_id": "F-69433r2_fix", + "severity": "high", + "gtitle": "WN10-CC-000330", + "gid": "V-63335", + "rid": "SV-77825r1_rule", + "stig_id": "WN10-CC-000330", + "fix_id": "F-69255r1_fix", "cci": [ - "CCI-000172" + "CCI-000877" ], "nist": [ - "AU-12 c", + "MA-4 c", "Rev_4" ], "false_negatives": null, 
@@ -7584,30 +7578,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63503' do\n title \"The system must be configured to audit System - Other System Events\n failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000135'\n tag gid: 'V-63503'\n tag rid: 'SV-77993r2_rule'\n tag stig_id: 'WN10-AU-000135'\n tag fix_id: 'F-69433r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> Other System Events - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit Other System Events\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63335' do\n title \"The Windows Remote Management (WinRM) client must not use Basic\n authentication.\"\n desc \"Basic authentication uses plain text passwords that could be used to\n compromise a system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000330'\n tag gid: 'V-63335'\n tag rid: 'SV-77825r1_rule'\n tag stig_id: 'WN10-CC-000330'\n tag fix_id: 'F-69255r1_fix'\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowBasic\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \\\"Allow Basic authentication\\\" to \\\"Disabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63503.rb", + "ref": "./Windows 10 STIG/controls/V-63335.rb", "line": 3 }, - "id": "V-63503" + "id": "V-63335" }, { - "title": "Wi-Fi Sense must be disabled.", - "desc": "Wi-Fi Sense automatically connects the system to known hotspots and\n networks that contacts have shared. It also allows the sharing of the system's\n known networks to contacts. Automatically connecting to hotspots and shared\n networks can expose a system to unsecured or potentially malicious systems.", + "title": "The built-in guest account must be renamed.", + "desc": "The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.", "descriptions": { - "default": "Wi-Fi Sense automatically connects the system to known hotspots and\n networks that contacts have shared. It also allows the sharing of the system's\n known networks to contacts. 
Automatically connecting to hotspots and shared\n networks can expose a system to unsecured or potentially malicious systems.", - "check": "This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer\n available.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config\\\n\n Value Name: AutoConnectAllowedOEM\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> WLAN Service >> WLAN Settings>> \"Allow\n Windows to automatically connect to suggested open hotspots, to networks shared\n by contacts, and to hotspots offering paid services\" to \"Disabled\".\n\n v1507 LTSB does not include this group policy setting. It may be configured\n through other means such as using group policy from a later version of Windows\n 10 or a registry update." + "default": "The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Rename guest account\" is set to \"Guest\", this\n is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Rename guest account\" to a name other than \"Guest\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000065", - "gid": "V-63591", - "rid": "SV-78081r2_rule", - "stig_id": "WN10-CC-000065", - "fix_id": "F-88431r2_fix", + "gtitle": "WN10-SO-000025", + "gid": "V-63625", + "rid": "SV-78115r1_rule", + "stig_id": "WN10-SO-000025", + "fix_id": "F-69555r1_fix", "cci": [ "CCI-000366" ], 
@@ -7626,35 +7620,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63591' do\n title 'Wi-Fi Sense must be disabled.'\n desc \"Wi-Fi Sense automatically connects the system to known hotspots and\n networks that contacts have shared. It also allows the sharing of the system's\n known networks to contacts. Automatically connecting to hotspots and shared\n networks can expose a system to unsecured or potentially malicious systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000065'\n tag gid: 'V-63591'\n tag rid: 'SV-78081r2_rule'\n tag stig_id: 'WN10-CC-000065'\n tag fix_id: 'F-88431r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer\n available.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\WcmSvc\\\\wifinetworkmanager\\\\config\\\\\n\n Value Name: AutoConnectAllowedOEM\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> WLAN Service >> WLAN Settings>> \\\"Allow\n Windows to automatically connect to suggested open hotspots, to networks shared\n by contacts, and to hotspots offering paid services\\\" to \\\"Disabled\\\".\n\n v1507 LTSB does not include this group policy setting. 
It may be configured\n through other means such as using group policy from a later version of Windows\n 10 or a registry update.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1803'\n impact 0.0\n describe 'This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer available.' do\n skip 'This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer available.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config') do\n it { should have_property 'AutoConnectAllowedOEM' }\n its('AutoConnectAllowedOEM') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-63625' do\n title 'The built-in guest account must be renamed.'\n desc \"The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000025'\n tag gid: 'V-63625'\n tag rid: 'SV-78115r1_rule'\n tag stig_id: 'WN10-SO-000025'\n tag fix_id: 'F-69555r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Rename guest account\\\" is set to \\\"Guest\\\", this\n is a finding.\"\n\n desc \"fix\", \"Configure the policy 
value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Rename guest account\\\" to a name other than \\\"Guest\\\".\"\n\n describe user('Guest') do\n it { should_not exist }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63591.rb", + "ref": "./Windows 10 STIG/controls/V-63625.rb", "line": 3 }, - "id": "V-63591" + "id": "V-63625" }, { - "title": "The Create a token object user right must not be assigned to any\n groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Create a token object\" user right allows a process to create an\n access token. This could be used to provide elevated rights and compromise a\n system.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for OneDrive.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Create a token object\" user right allows a process to create an\n access token. 
This could be used to provide elevated rights and compromise a\n system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Create a token object\" user right,\n this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create a token object\" to be defined but containing no entries (blank)." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name OneDrive.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n OverrideRelocateImages: False\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for OneDrive.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n OverrideRelocateImages: False\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-UR-000045", - "gid": "V-63859", - "rid": "SV-78349r1_rule", - "stig_id": "WN10-UR-000045", - "fix_id": "F-69787r2_fix", + "severity": "medium", + "gtitle": "WN10-EP-000210", + "gid": "V-77235", + "rid": "SV-91931r3_rule", + "stig_id": "WN10-EP-000210", + "fix_id": "F-84321r5_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -7668,77 +7662,68 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63859' do\n title \"The Create a token object user right must not be assigned to any\n groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Create a token object\\\" user right allows a process to create an\n access token. This could be used to provide elevated rights and compromise a\n system.\"\n\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-UR-000045'\n tag gid: 'V-63859'\n tag rid: 'SV-78349r1_rule'\n tag stig_id: 'WN10-UR-000045'\n tag fix_id: 'F-69787r2_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Create a token object\\\" user right,\n this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create a token object\\\" to be defined but containing no entries (blank).\"\n\n describe security_policy do\n its('SeCreateTokenPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-77235' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for OneDrive.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and 
application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000210'\n tag gid: 'V-77235'\n tag rid: 'SV-91931r3_rule'\n tag stig_id: 'WN10-EP-000210'\n tag fix_id: 'F-84321r5_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name OneDrive.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n OverrideRelocateImages: False\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for OneDrive.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n OverrideRelocateImages: False\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name OneDrive.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Onedrive' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name OneDrive.exe | Select Aslr | ConvertTo-Json').params\n describe 'Alsr OverRide Force Relocate Images are required to be enabled on Microsoft Onedrive' do\n subject { aslr }\n its(['OverrideForceRelocateImages']) { should_not eq 'true' }\n end\n imageload = json( command: 'Get-ProcessMitigation -Name OneDrive.exe | Select ImageLoad | ConvertTo-Json').params\n describe 'Override ImageLoad Block Remote Image Loads is required to be false on Microsoft Onedrive' do\n subject { imageload }\n its(['OverrideBlockRemoteImages']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name OneDrive.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Onedrive' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63859.rb", + "ref": "./Windows 10 STIG/controls/V-77235.rb", "line": 3 }, - "id": "V-63859" + "id": "V-77235" }, { - "title": "The TFTP Client must 
not be installed on the system.", - "desc": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", + "title": "Windows 10 must be configured to audit Other Policy Change Events\nSuccesses.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.", "descriptions": { - "default": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", - "check": "The \"TFTP Client\" is not installed by default. Verify it has\n not been installed.\n\n Navigate to the Windows\\System32 directory.\n\n If the \"TFTP\" application exists, this is a finding.", - "fix": "Uninstall \"TFTP Client\" from the system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows Features on or off\".\n\n De-select \"TFTP Client\"." - }, - "impact": 0.5, - "refs": [], + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.", + "rationale": "", + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> Other Policy Change Events - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change>> \"Audit Other Policy Change Events\"\nwith \"Success\" selected." 
+ }, + "impact": 0.5, + "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-00-000120", - "gid": "V-63389", - "rid": "SV-77879r1_rule", - "stig_id": "WN10-00-000120", - "fix_id": "F-69313r1_fix", + "severity": null, + "gtitle": "WN10-AU-000550", + "gid": "V-99551", + "rid": "SV-108655r1_rule", + "stig_id": "WN10-AU-000550", + "fix_id": "F-105235r1_fix", "cci": [ - "CCI-000382" + "CCI-000130" ], "nist": [ - "CM-7 b", + "AU-3", "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null + ] }, - "code": "control 'V-63389' do\n title 'The TFTP Client must not be installed on the system.'\n desc \"Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000120'\n tag gid: 'V-63389'\n tag rid: 'SV-77879r1_rule'\n tag stig_id: 'WN10-00-000120'\n tag fix_id: 'F-69313r1_fix'\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The \\\"TFTP Client\\\" is not installed by default. 
Verify it has\n not been installed.\n\n Navigate to the Windows\\\\System32 directory.\n\n If the \\\"TFTP\\\" application exists, this is a finding.\"\n\n desc \"fix\", \"Uninstall \\\"TFTP Client\\\" from the system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows Features on or off\\\".\n\n De-select \\\"TFTP Client\\\".\"\n\n describe windows_feature('TFTP Client') do\n it { should_not be_installed }\n end\nend\n", + "code": "control \"V-99551\" do\n title \"Windows 10 must be configured to audit Other Policy Change Events\nSuccesses.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000550\"\n tag gid: \"V-99551\"\n tag rid: \"SV-108655r1_rule\"\n tag stig_id: \"WN10-AU-000550\"\n tag fix_id: \"F-105235r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a 
Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> Other Policy Change Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change>> \\\"Audit Other Policy Change Events\\\"\nwith \\\"Success\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('Other Policy Change Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Policy Change Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63389.rb", + "ref": "./Windows 10 STIG/controls/V-99551.rb", "line": 3 }, - "id": "V-63389" + "id": "V-99551" }, { - "title": "Simple Network Management Protocol (SNMP) must not be installed on the\n system.", - "desc": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", + "title": "The system must be configured to prevent the storage of the LAN\n Manager hash of passwords.", + "desc": "The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. This\n setting controls whether or not a LAN Manager hash of the password is stored in\n the SAM the next time the password is changed.", "descriptions": { - "default": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", - "check": "\"SNMP\" is not installed by default. 
Verify it has not been\n installed.\n\n Navigate to the Windows\\System32 directory.\n\n If the \"SNMP\" application exists, this is a finding.", - "fix": "Uninstall \"Simple Network Management Protocol (SNMP)\" from the\n system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows Features on or off\".\n De-select \"Simple Network Management Protocol (SNMP)\"." + "default": "The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. This\n setting controls whether or not a LAN Manager hash of the password is stored in\n the SAM the next time the password is changed.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Do not store LAN Manager hash value on next password\n change\" to \"Enabled\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-00-000105", - "gid": "V-63381", - "rid": "SV-77871r1_rule", - "stig_id": "WN10-00-000105", - "fix_id": "F-69301r1_fix", + "severity": "high", + "gtitle": "WN10-SO-000195", + "gid": "V-63797", + "rid": "SV-78287r1_rule", + "stig_id": "WN10-SO-000195", + "fix_id": "F-69725r1_fix", "cci": [ - "CCI-000382" + "CCI-000196" ], "nist": [ - "CM-7 b", + "IA-5 (1) (c)", "Rev_4" ], "false_negatives": null, 
@@ -7752,35 +7737,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63381' do\n title \"Simple Network Management Protocol (SNMP) must not be installed on the\n system.\"\n desc \"Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000105'\n tag gid: 'V-63381'\n tag rid: 'SV-77871r1_rule'\n tag stig_id: 'WN10-00-000105'\n tag fix_id: 'F-69301r1_fix'\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"\\\"SNMP\\\" is not installed by default. Verify it has not been\n installed.\n\n Navigate to the Windows\\\\System32 directory.\n\n If the \\\"SNMP\\\" application exists, this is a finding.\"\n\n desc \"fix\", \"Uninstall \\\"Simple Network Management Protocol (SNMP)\\\" from the\n system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows Features on or off\\\".\n De-select \\\"Simple Network Management Protocol (SNMP)\\\".\"\n\n describe windows_feature('SNMP') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-63797' do\n title \"The system must be configured to prevent the storage of the LAN\n Manager hash of passwords.\"\n desc \"The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. 
This\n setting controls whether or not a LAN Manager hash of the password is stored in\n the SAM the next time the password is changed.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000195'\n tag gid: 'V-63797'\n tag rid: 'SV-78287r1_rule'\n tag stig_id: 'WN10-SO-000195'\n tag fix_id: 'F-69725r1_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Do not store LAN Manager hash value on next password\n change\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'NoLMHash' }\n its('NoLMHash') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63381.rb", + "ref": "./Windows 10 STIG/controls/V-63797.rb", "line": 3 }, - "id": "V-63381" + "id": "V-63797" }, { - "title": "Downloading print driver packages over HTTP must be prevented.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. 
This setting\n prevents the computer from downloading print driver packages over HTTP.", + "title": "User Account Control must be configured to detect application\n installations and prompt for elevation.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents the computer from downloading print driver packages over HTTP.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableWebPnPDownload\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> \"Turn off downloading of print drivers over\n HTTP\" to \"Enabled\"." 
+ "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Detect application installations and prompt for elevation\" to\n \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000100", - "gid": "V-63615", - "rid": "SV-78105r1_rule", - "stig_id": "WN10-CC-000100", - "fix_id": "F-69545r1_fix", + "gtitle": "WN10-SO-000260", + "gid": "V-63825", + "rid": "SV-78315r1_rule", + "stig_id": "WN10-SO-000260", + "fix_id": "F-69753r1_fix", "cci": [ - "CCI-000381" + "CCI-001084" ], "nist": [ - "CM-7 a", + "SC-3", "Rev_4" ], "false_negatives": null, 
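Review bot: The NoLMHash assertion on the new `code` side of this hunk (`its('NoLMHash') { should cmp 1 }`) only proves that future password changes will not store an LM hash; as the control's own desc says, the value applies "the next time the password is changed", so LM hashes written before the policy was enabled stay in the SAM until every local password is rotated, and a pass here does not mean the host holds no LM hashes. That caveat belongs in the control next to the describe block, e.g. `# NoLMHash=1 only stops new LM hashes being written; hashes stored before it was set persist until the password changes`, and since the `code` field is a copy of `./Windows 10 STIG/controls/V-63797.rb` the comment should be added there and the JSON regenerated rather than edited by hand. If the profile carries assessor guidance, a sentence in the fix text telling operators to force a password change after enabling the policy would make the finding actionable. The V-63797 control object begins before this hunk and the V-63825 object it opens continues past it.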
@@ -7794,35 +7779,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63615' do\n title 'Downloading print driver packages over HTTP must be prevented.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents the computer from downloading print driver packages over HTTP.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000100'\n tag gid: 'V-63615'\n tag rid: 'SV-78105r1_rule'\n tag stig_id: 'WN10-CC-000100'\n tag fix_id: 'F-69545r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableWebPnPDownload\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> \\\"Turn off downloading of print drivers over\n HTTP\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers') do\n it { should have_property 'DisableWebPnPDownload' }\n its('DisableWebPnPDownload') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63825' do\n title \"User Account Control must be configured to detect 
application\n installations and prompt for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000260'\n tag gid: 'V-63825'\n tag rid: 'SV-78315r1_rule'\n tag stig_id: 'WN10-SO-000260'\n tag fix_id: 'F-69753r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Detect application installations and prompt for elevation\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'EnableInstallerDetection' }\n its('EnableInstallerDetection') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63615.rb", + "ref": "./Windows 10 STIG/controls/V-63825.rb", "line": 3 }, - "id": "V-63615" + "id": "V-63825" }, { - "title": "PowerShell script block logging must be enabled on Windows 10.", - "desc": "Maintaining an audit trail of system 
activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for EXCEL.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. 
This can provide\n additional detail when malware has run on a system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows PowerShell >> \"Turn\n on PowerShell Script Block Logging\" to \"Enabled\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name EXCEL.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for EXCEL.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000326", - "gid": "V-68819", - "rid": "SV-83411r2_rule", - "stig_id": "WN10-CC-000326", - "fix_id": "F-74989r1_fix", + "gtitle": "WN10-EP-000100", + "gid": "V-77201", + "rid": "SV-91897r3_rule", + "stig_id": "WN10-EP-000100", + "fix_id": "F-84337r4_fix", "cci": [ - "CCI-000135" + "CCI-000366" ], "nist": [ - "AU-3 (1)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
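Review bot: The `EnableInstallerDetection` check in the new `code` (`its('EnableInstallerDetection') { should cmp 1 }`) is, as far as I know, only meaningful while UAC itself is on; with UAC disabled the installer-detection value is ignored, so this control passing does not by itself show that installation requests prompt for elevation. A comment beside the describe block would make that dependency explicit, e.g. `# Only effective while UAC is enabled; the UAC-on requirement is enforced by a separate control`, and because the `code` field mirrors `./Windows 10 STIG/controls/V-63825.rb` the comment should go into that source file rather than only into the generated JSON. Separately, `tag nist: %w[SC-3 Rev_4]` departs from the `tag nist: ['...', 'Rev_4']` array-literal form every sibling control in this diff uses; `tag nist: ['SC-3', 'Rev_4']` keeps the embedded controls uniform. The V-63825 object starts before this hunk and the V-77201 object it opens continues past it.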
@@ -7836,35 +7821,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-68819' do\n title 'PowerShell script block logging must be enabled on Windows 10.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000326'\n tag gid: 'V-68819'\n tag rid: 'SV-83411r2_rule'\n tag stig_id: 'WN10-CC-000326'\n tag fix_id: 'F-74989r1_fix'\n tag cci: ['CCI-000135']\n tag nist: ['AU-3 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows PowerShell >> \\\"Turn\n on PowerShell Script Block Logging\\\" to \\\"Enabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging') do\n it { should have_property 'EnableScriptBlockLogging' }\n its('EnableScriptBlockLogging') { should cmp 1 }\n end\nend\n", + "code": "control 'V-77201' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for EXCEL.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000100'\n tag gid: 'V-77201'\n tag rid: 'SV-91897r3_rule'\n tag stig_id: 'WN10-EP-000100'\n tag fix_id: 'F-84337r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name EXCEL.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of 
mitigations; only those with a\n required status of \\\"ON\\\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for EXCEL.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name EXCEL.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Excel' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name EXCEL.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr Force Relocate Images are required to be enabled on Microsoft Office Excel' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name EXCEL.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false onAdobe Reader' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-68819.rb", + "ref": "./Windows 10 STIG/controls/V-77201.rb", "line": 3 }, - "id": "V-68819" + "id": "V-77201" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for iexplore.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be\n maintained.", + "desc": "The registry is integral to the function, security, and stability of\n the Windows system. Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name iexplore.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for iexplore.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "The registry is integral to the function, security, and stability of\n the Windows system. 
Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.", + "check": "Verify the default registry permissions for the keys note below\n of the HKEY_LOCAL_MACHINE hive.\n\n If any non-privileged groups such as Everyone, Users or Authenticated Users\n have greater than Read permission, this is a finding.\n\n Run \"Regedit\".\n Right click on the registry areas noted below.\n Select \"Permissions...\" and the \"Advanced\" button.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other subkeys under the noted keys may also be sampled. 
There may be some\n instances where non-privileged groups have greater than Read permission.\n\n Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in\n later versions of Windows 10 to the following SID, this is currently not a\n finding.\n\n S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\n\n If the defaults have not been changed, these are not a finding.", + "fix": "Maintain the default permissions for the HKEY_LOCAL_MACHINE\n registry hive.\n\n The default permissions of the higher level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry\n keys in later versions of Windows 10 to the following SID.\n\n S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000140", - "gid": "V-77217", - "rid": "SV-91913r3_rule", - "stig_id": 
"WN10-EP-000140", - "fix_id": "F-84347r4_fix", + "gtitle": "WN10-RG-000005", + "gid": "V-63593", + "rid": "SV-78083r2_rule", + "stig_id": "WN10-RG-000005", + "fix_id": "F-98471r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
@@ -7878,35 +7863,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77217' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for iexplore.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000140'\n tag gid: 'V-77217'\n tag rid: 'SV-91913r3_rule'\n tag stig_id: 'WN10-EP-000140'\n tag fix_id: 'F-84347r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name iexplore.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for iexplore.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name iexplore.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Internet Explorer' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name iexplore.exe| Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Internet Explorer' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name iexplore.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Internet Explorer' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-63593' do\n title \"Default permissions for the HKEY_LOCAL_MACHINE registry hive must be\n maintained.\"\n desc \"The registry is integral to the function, security, and stability of\n the Windows system. 
Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-RG-000005'\n tag gid: 'V-63593'\n tag rid: 'SV-78083r2_rule'\n tag stig_id: 'WN10-RG-000005'\n tag fix_id: 'F-98471r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the default registry permissions for the keys note below\n of the HKEY_LOCAL_MACHINE hive.\n\n If any non-privileged groups such as Everyone, Users or Authenticated Users\n have greater than Read permission, this is a finding.\n\n Run \\\"Regedit\\\".\n Right click on the registry areas noted below.\n Select \\\"Permissions...\\\" and the \\\"Advanced\\\" button.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This 
key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other subkeys under the noted keys may also be sampled. There may be some\n instances where non-privileged groups have greater than Read permission.\n\n Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in\n later versions of Windows 10 to the following SID, this is currently not a\n finding.\n\n S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\n\n If the defaults have not been changed, these are not a finding.\"\n\n desc 'fix', \"Maintain the default permissions for the HKEY_LOCAL_MACHINE\n registry hive.\n\n The default permissions of the higher level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry\n keys in later versions of Windows 10 to the following SID.\n\n 
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\"\n\n # Adding Read permission for Security for Administrators to allow for read of key permissions\n\n hklm_software = powershell(\"(Get-Acl -Path HKLM:Software).AccessToString\").stdout.lines.collect(&:strip)\n describe \"Registry Key Software permissions are set correctly on folder structure\" do\n subject { hklm_software.eql? input('reg_software_perms')}\n it { should eq true }\n end\n\n hklm_security = powershell(\"(Get-Acl -Path HKLM:Security).AccessToString\").stdout.lines.collect(&:strip)\n describe \"Registry Key Security are set correctly on folder structure\" do\n subject { hklm_security.eql? input('reg_security_perms')}\n it { should eq true }\n end\n\n hklm_system = powershell(\"(Get-Acl -Path HKLM:System).AccessToString\").stdout.lines.collect(&:strip)\n describe \"Registry Key Security are set correctly on folder structure\" do\n subject { hklm_system.eql? input('reg_system_perms')}\n it { should eq true }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77217.rb", + "ref": "./Windows 10 STIG/controls/V-63593.rb", "line": 3 }, - "id": "V-77217" + "id": "V-63593" }, { - "title": "The system must be configured to audit Logon/Logoff - Special Logon\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons which have administrative privileges\n and can be used to elevate processes.", + "title": "Local users on domain-joined computers must not be enumerated.", + "desc": "The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons which have administrative privileges\n and can be used to elevate processes.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Special Logon - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Special Logon\" with \"Success\"\n selected." + "default": "The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.", + "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnumerateLocalUsers\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Logon >> \"Enumerate local users on domain-joined\n computers\" to \"Disabled\"." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000080", - "gid": "V-63469", - "rid": "SV-77959r1_rule", - "stig_id": "WN10-AU-000080", - "fix_id": "F-69399r1_fix", + "gtitle": "WN10-CC-000130", + "gid": "V-63633", + "rid": "SV-78123r1_rule", + "stig_id": "WN10-CC-000130", + "fix_id": "F-69565r1_fix", "cci": [ - "CCI-000172" + "CCI-000381" ], "nist": [ - "AU-12 c", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
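Review bot: The three describe blocks in the new V-63593 code compare the whole ACL listing for exact array equality with a profile input (`subject { hklm_software.eql? input('reg_software_perms')}` / `it { should eq true }`), so a failure reports only "expected true, got false" with no indication of which principal or right differs, and the verdict depends entirely on what the input holds rather than on the STIG's actual criterion (no non-privileged principal above Read, with the S-1-15-3-1024-… SID explicitly tolerated by the check text). At minimum make the ACL itself the subject so the report shows the difference: `subject { hklm_software }` and `it { should eq input('reg_software_perms') }`, and the same for the Security and System blocks. The third describe title reads `Registry Key Security are set correctly on folder structure` but it tests HKLM:System — a copy-paste slip that produces two identically named tests in the output; rename it to `Registry Key System permissions are set correctly on folder structure`. The comment `# Adding Read permission for Security for Administrators to allow for read of key permissions` describes no action present in the control, so either drop it or state what it refers to. The line order of `.AccessToString` output is presumably not guaranteed, so an order-sensitive `eql?` could flag a correct ACL — worth confirming before relying on it.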
@@ -7920,77 +7905,68 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63469' do\n title \"The system must be configured to audit Logon/Logoff - Special Logon\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons which have administrative privileges\n and can be used to elevate processes.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000080'\n tag gid: 'V-63469'\n tag rid: 'SV-77959r1_rule'\n tag stig_id: 'WN10-AU-000080'\n tag fix_id: 'F-69399r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Special Logon - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Special Logon\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Special Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Special Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63633' do\n title 'Local users on domain-joined computers must not be enumerated.'\n desc \"The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000130'\n tag gid: 'V-63633'\n tag rid: 'SV-78123r1_rule'\n tag stig_id: 'WN10-CC-000130'\n tag fix_id: 'F-69565r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnumerateLocalUsers\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> 
Administrative\n Templates >> System >> Logon >> \\\"Enumerate local users on domain-joined\n computers\\\" to \\\"Disabled\\\".\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain != 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'EnumerateLocalUsers' }\n its('EnumerateLocalUsers') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63469.rb", + "ref": "./Windows 10 STIG/controls/V-63633.rb", "line": 3 }, - "id": "V-63469" + "id": "V-63633" }, { - "title": "Remote calls to the Security Account Manager (SAM) must be restricted\n to Administrators.", - "desc": "The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting remote rpc connections to the SAM to Administrators helps protect\n those credentials.", + "title": "Windows 10 Kernel (Direct Memory Access) DMA Protection must be\nenabled.", + "desc": "Kernel DMA Protection to protect PCs against drive-by Direct Memory\nAccess (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3\nports. 
Drive-by DMA attacks can lead to disclosure of sensitive information\nresiding on a PC, or even injection of malware that allows attackers to bypass\nthe lock screen or control PCs remotely.", "descriptions": { - "default": "The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting remote rpc connections to the SAM to Administrators helps protect\n those credentials.", - "check": "Windows 10 v1507 LTSB version does not include this setting, it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)", - "fix": "Navigate to the policy Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options >> \"Network access:\n Restrict clients allowed to make remote calls to SAM\".\n\n Select \"Edit Security\" to configure the \"Security descriptor:\".\n\n Add \"Administrators\" in \"Group or user names:\" if it is not already listed\n (this is the default).\n\n Select \"Administrators\" in \"Group or user names:\".\n\n Select \"Allow\" for \"Remote Access\" in \"Permissions for \"Administrators\".\n\n Click \"OK\".\n\n The \"Security descriptor:\" must be populated with \"O:BAG:BAD:(A;;RC;;;BA)\n for the policy to be enforced." + "default": "Kernel DMA Protection to protect PCs against drive-by Direct Memory\nAccess (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3\nports. 
Drive-by DMA attacks can lead to disclosure of sensitive information\nresiding on a PC, or even injection of malware that allows attackers to bypass\nthe lock screen or control PCs remotely.", + "rationale": "", + "check": "This is NA prior to v1803 of Windows 10.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\Software\\Policies\\Microsoft\\Windows\\Kernel DMA\nProtection\n\n Value Name: DeviceEnumerationPolicy\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Kernel DMA Protection >> \"Enumeration\npolicy for external devices incompatible with Kernel DMA Protection\" to\n\"Enabled\" with \"Enumeration Policy\" set to \"Block All\"." }, "impact": 0.5, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-SO-000167", - "gid": "V-71769", - "rid": "SV-86393r3_rule", - "stig_id": "WN10-SO-000167", - "fix_id": "F-78121r3_fix", + "severity": null, + "gtitle": "WN10-EP-000310", + "gid": "V-99557", + "rid": "SV-108661r1_rule", + "stig_id": "WN10-EP-000310", + "fix_id": "F-105241r4_fix", "cci": [ - "CCI-002235" + "CCI-001090" ], "nist": [ - "AC-6 (10)", + "SC-4", "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null + ] }, - "code": "control 'V-71769' do\n title \"Remote calls to the Security Account Manager (SAM) must be restricted\n to Administrators.\"\n desc \"The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting remote rpc connections to the SAM to Administrators helps protect\n those credentials.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000167'\n tag gid: 'V-71769'\n tag 
rid: 'SV-86393r3_rule'\n tag stig_id: 'WN10-SO-000167'\n tag fix_id: 'F-78121r3_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Windows 10 v1507 LTSB version does not include this setting, it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)\"\n \n desc \"fix\", \"Navigate to the policy Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options >> \\\"Network access:\n Restrict clients allowed to make remote calls to SAM\\\".\n\n Select \\\"Edit Security\\\" to configure the \\\"Security descriptor:\\\".\n\n Add \\\"Administrators\\\" in \\\"Group or user names:\\\" if it is not already listed\n (this is the default).\n\n Select \\\"Administrators\\\" in \\\"Group or user names:\\\".\n\n Select \\\"Allow\\\" for \\\"Remote Access\\\" in \\\"Permissions for \\\"Administrators\\\".\n\n Click \\\"OK\\\".\n\n The \\\"Security descriptor:\\\" must be populated with \\\"O:BAG:BAD:(A;;RC;;;BA)\n for the policy to be enforced.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId != '1507'\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'RestrictRemoteSAM' }\n its('RestrictRemoteSAM') { should cmp 'O:BAG:BAD:(A;;RC;;;BA)' }\n end\n else\n impact 0.0\n describe 'Windows 10 v1507 LTSB version does not include this setting, 
it is NA for those systems.' do\n skip 'Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems.'\n end\n end\nend\n", + "code": "control \"V-99557\" do\n title \"Windows 10 Kernel (Direct Memory Access) DMA Protection must be\nenabled.\"\n desc \"Kernel DMA Protection to protect PCs against drive-by Direct Memory\nAccess (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3\nports. Drive-by DMA attacks can lead to disclosure of sensitive information\nresiding on a PC, or even injection of malware that allows attackers to bypass\nthe lock screen or control PCs remotely.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-EP-000310\"\n tag gid: \"V-99557\"\n tag rid: \"SV-108661r1_rule\"\n tag stig_id: \"WN10-EP-000310\"\n tag fix_id: \"F-105241r4_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"This is NA prior to v1803 of Windows 10.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Kernel DMA\nProtection\n\n Value Name: DeviceEnumerationPolicy\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Kernel DMA Protection >> \\\"Enumeration\npolicy for external devices incompatible with Kernel DMA Protection\\\" to\n\\\"Enabled\\\" with \\\"Enumeration Policy\\\" set to \\\"Block All\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1803'\n impact 0.0\n describe 'This setting requires v1507 does not include this setting; it is NA for version.' 
do\n skip 'This setting requires v1507 does not include this setting; it is NA for version.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Kernel DMA Protection') do\n it { should have_property 'DeviceEnumerationPolicy' }\n its('DeviceEnumerationPolicy') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-71769.rb", + "ref": "./Windows 10 STIG/controls/V-99557.rb", "line": 3 }, - "id": "V-71769" + "id": "V-99557" }, { - "title": "Standard local user accounts must not exist on a system in a domain.", - "desc": "To minimize potential points of attack, local user accounts, other\n than built-in accounts and local administrator accounts, must not exist on a\n workstation in a domain. Users must log onto workstations in a domain with\n their domain accounts.", + "title": "The Application Compatibility Program Inventory must be prevented from\n collecting data and sending the information to Microsoft.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n will prevent the Program Inventory from collecting data about a system and\n sending the information to Microsoft.", "descriptions": { - "default": "To minimize potential points of attack, local user accounts, other\n than built-in accounts and local administrator accounts, must not exist on a\n workstation in a domain. 
Users must log onto workstations in a domain with\n their domain accounts.", - "check": "Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n\n If local users other than the accounts listed below exist on a workstation in a\n domain, this is a finding.\n\n Built-in Administrator account (Disabled)\n Built-in Guest account (Disabled)\n Built-in DefaultAccount (Disabled)\n Built-in defaultuser0 (Disabled)\n Built-in WDAGUtilityAccount (Disabled)\n Local administrator account(s)\n\n All of the built-in accounts may not exist on a system, depending on the\n Windows 10 version.", - "fix": "Limit local user accounts on domain-joined systems. Remove any\n unauthorized local accounts." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n will prevent the Program Inventory from collecting data about a system and\n sending the information to Microsoft.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\\\n\n Value Name: DisableInventory\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Application Compatibility >>\n \"Turn off Inventory Collector\" to \"Enabled\"." 
}, "impact": 0.3, "refs": [], "tags": { "severity": "low", - "gtitle": "WN10-00-000085", - "gid": "V-63367", - "rid": "SV-77857r2_rule", - "stig_id": "WN10-00-000085", - "fix_id": "F-69287r1_fix", + "gtitle": "WN10-CC-000175", + "gid": "V-63663", + "rid": "SV-78153r1_rule", + "stig_id": "WN10-CC-000175", + "fix_id": "F-69591r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
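Review bot: The applicability gate in the new V-63633 code is inverted: `if is_domain != 'WORKGROUP'` marks the control NA precisely when the machine is domain-joined and runs the EnumerateLocalUsers registry check only on standalone systems, the opposite of its own check text ("applicable to domain-joined systems, for standalone systems this is NA"); the condition should be `if is_domain == 'WORKGROUP'`. The same inversion appears in the V-99557 code later in this hunk, where `ReleaseId >= '1803'` skips the control and the Kernel DMA Protection registry check runs only on releases before 1803, while the check text says it is NA prior to v1803; that gate should read `if registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId < '1803'`, and its skip message (`This setting requires v1507 does not include this setting; it is NA for version.`) should say the setting is NA prior to v1803. Both errors fail silently in the unsafe direction — on the systems the requirement targets the control reports NA with impact 0.0, so a weakened configuration never surfaces as a finding — and this is presumably also why the exported top-level `"impact": 0` for V-63633 in the preceding hunk disagrees with the `impact 0.5` inside its own code. Separately, V-99557's exported `tags` object omits the `false_negatives` through `ia_controls` keys that every sibling control carries and sets `severity` to null despite `impact 0.5`, so consumers expecting a uniform tag schema will see a different shape for this one control.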
@@ -8004,35 +7980,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63367' do\n title 'Standard local user accounts must not exist on a system in a domain.'\n desc \"To minimize potential points of attack, local user accounts, other\n than built-in accounts and local administrator accounts, must not exist on a\n workstation in a domain. Users must log onto workstations in a domain with\n their domain accounts.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-00-000085'\n tag gid: 'V-63367'\n tag rid: 'SV-77857r2_rule'\n tag stig_id: 'WN10-00-000085'\n tag fix_id: 'F-69287r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n\n If local users other than the accounts listed below exist on a workstation in a\n domain, this is a finding.\n\n Built-in Administrator account (Disabled)\n Built-in Guest account (Disabled)\n Built-in DefaultAccount (Disabled)\n Built-in defaultuser0 (Disabled)\n Built-in WDAGUtilityAccount (Disabled)\n Local administrator account(s)\n\n All of the built-in accounts may not exist on a system, depending on the\n Windows 10 version.\"\n\n desc 'fix', \"Limit local user accounts on domain-joined systems. 
Remove any\n unauthorized local accounts.\"\n\n admin_script = <<-EOH\n $convert_json = Get-LocalUser -Name \"*Administrator*\" | ConvertTo-Json\n $convert_out_json = ConvertFrom-Json -InputObject $convert_json\n $select_object_admin = $convert_out_json.Enabled\n write-output $select_object_admin\n EOH\n\n guest_script = <<-EOH\n $convert_json = Get-LocalUser -Name \"Guest\" | ConvertTo-Json\n $convert_out_json = ConvertFrom-Json -InputObject $convert_json\n $select_object_guest = $convert_out_json.Enabled\n write-output $select_object_guest\n EOH\n\n default_account_script = <<-EOH\n $convert_json = Get-LocalUser -Name \"*DefaultAccount*\" | ConvertTo-Json\n $convert_out_json = ConvertFrom-Json -InputObject $convert_json\n $select_object_default_account = $convert_out_json.Enabled\n write-output $select_object_default_account\n EOH\n\n wdagutacc_script = <<-EOH\n $convert_json = Get-LocalUser -Name \"*WDAGUtilityAccount*\" | ConvertTo-Json\n $convert_out_json = ConvertFrom-Json -InputObject $convert_json\n $select_object_wdagutacc = $convert_out_json.Enabled\n write-output $select_object_wdagutacc\n EOH\n\n describe 'Administrator built-in account needs to be disabled as part of security' do\n subject { powershell(admin_script).strip }\n it { should_not eq 'True' }\n end\n describe 'Guest built-in account needs to be disabled as part of security' do\n subject { powershell(guest_script).strip }\n it { should_not eq 'True' }\n end\n describe 'Default Account built-in account needs to be disabled as part of security' do\n subject { powershell(default_account_script).strip }\n it { should_not eq 'True' }\n end\n describe 'WDAGUtilityAccount built-in account needs to be disabled as part of security' do\n subject { powershell(wdagutacc_script).strip }\n it { should_not eq 'True' }\n end\nend\n", + "code": "control 'V-63663' do\n title \"The Application Compatibility Program Inventory must be prevented from\n collecting data and sending the information to Microsoft.\"\n 
desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n will prevent the Program Inventory from collecting data about a system and\n sending the information to Microsoft.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000175'\n tag gid: 'V-63663'\n tag rid: 'SV-78153r1_rule'\n tag stig_id: 'WN10-CC-000175'\n tag fix_id: 'F-69591r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat\\\\\n\n Value Name: DisableInventory\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Application Compatibility >>\n \\\"Turn off Inventory Collector\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat') do\n it { should have_property 'DisableInventory' }\n its('DisableInventory') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63367.rb", + "ref": "./Windows 10 STIG/controls/V-63663.rb", "line": 3 }, - "id": "V-63367" + "id": "V-63663" }, { - "title": "Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.", - "desc": "Attackers are constantly looking for 
vulnerabilities in systems and\n applications. Structured Exception Handling Overwrite Protection (SEHOP) blocks\n exploits that use the Structured Exception Handling overwrite technique, a\n common buffer overflow attack.", + "title": "The Take ownership of files or other objects user right must only be\n assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities. Accounts with the \"Take ownership\n of files or other objects\" user right can take ownership of objects and make changes.", "descriptions": { - "default": "Attackers are constantly looking for vulnerabilities in systems and\n applications. Structured Exception Handling Overwrite Protection (SEHOP) blocks\n exploits that use the Structured Exception Handling overwrite technique, a\n common buffer overflow attack.", - "check": "This is applicable to Windows 10 prior to v1709.\n\n Verify SEHOP is turned on.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\\\n\n Value Name: DisableExceptionChainValidation\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Enable Structured Exception\n Handling Overwrite Protection (SEHOP)\" to \"Enabled\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities. 
Accounts with the \"Take ownership\n of files or other objects\" user right can take ownership of objects and make changes.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Take\n ownership of files or other objects\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Take ownership of files or other objects\" to only include the following\n groups or accounts: Administrators" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-00-000150", - "gid": "V-68849", - "rid": "SV-83445r4_rule", - "stig_id": "WN10-00-000150", - "fix_id": "F-87295r1_fix", + "severity": "medium", + "gtitle": "WN10-UR-000165", + "gid": "V-63941", + "rid": "SV-78431r1_rule", + "stig_id": "WN10-UR-000165", + "fix_id": "F-69869r1_fix", "cci": [ - "CCI-002824" + "CCI-002235" ], "nist": [ - "SI-16", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
@@ -8046,63 +8022,72 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-68849' do\n title 'Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.'\n desc \"Attackers are constantly looking for vulnerabilities in systems and\n applications. Structured Exception Handling Overwrite Protection (SEHOP) blocks\n exploits that use the Structured Exception Handling overwrite technique, a\n common buffer overflow attack.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000150'\n tag gid: 'V-68849'\n tag rid: 'SV-83445r4_rule'\n tag stig_id: 'WN10-00-000150'\n tag fix_id: 'F-87295r1_fix'\n tag cci: ['CCI-002824']\n tag nist: %w[SI-16 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is applicable to Windows 10 prior to v1709.\n\n Verify SEHOP is turned on.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\kernel\\\\\n\n Value Name: DisableExceptionChainValidation\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Enable Structured Exception\n Handling Overwrite Protection (SEHOP)\\\" to \\\"Enabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This is applicable to Windows 10 prior to v1709.' do\n skip 'This is applicable to Windows 10 prior to v1709.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel') do\n it { should have_property 'DisableExceptionChainValidation' }\n its('DisableExceptionChainValidation') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-63941' do\n title \"The Take ownership of files or other objects user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities. Accounts with the \\\"Take ownership\n of files or other objects\\\" user right can take ownership of objects and make changes.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000165'\n tag gid: 'V-63941'\n tag rid: 'SV-78431r1_rule'\n tag stig_id: 'WN10-UR-000165'\n tag fix_id: 'F-69869r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Take\n ownership of files or other objects\\\" 
user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Take ownership of files or other objects\\\" to only include the following\n groups or accounts: Administrators\"\n\n describe security_policy do\n its('SeTakeOwnershipPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-68849.rb", + "ref": "./Windows 10 STIG/controls/V-63941.rb", "line": 3 }, - "id": "V-68849" + "id": "V-63941" }, { - "title": "Windows 10 must be configured to audit Other Policy Change Events\nFailures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.", + "title": "The Back up files and directories user right must only be assigned to\n the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Back up files and directories\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can 
help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.", - "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> Other Policy Change Events - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change>> \"Audit Other Policy Change Events\"\nwith \"Failure\" selected." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Back up files and directories\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Back up\n files and directories\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Back up files and directories\" to only include the following groups or\n accounts:\n\n Administrators" }, "impact": 0.5, "refs": [], "tags": { - "severity": null, - "gtitle": "WN10-AU-000555", - "gid": "V-99553", - "rid": "SV-108657r1_rule", - "stig_id": "WN10-AU-000555", - "fix_id": "F-105237r1_fix", + "severity": "medium", + "gtitle": "WN10-UR-000030", + "gid": "V-63853", + "rid": "SV-78343r1_rule", + "stig_id": "WN10-UR-000030", + "fix_id": "F-69781r1_fix", "cci": [ - "CCI-000130" + "CCI-002235" ], "nist": [ - "AU-3", + "AC-6 (10)", "Rev_4" - ] + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null }, - "code": "control \"V-99553\" do\n title \"Windows 10 must be configured to audit Other Policy Change Events\nFailures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well 
as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000555\"\n tag gid: \"V-99553\"\n tag rid: \"SV-108657r1_rule\"\n tag stig_id: \"WN10-AU-000555\"\n tag fix_id: \"F-105237r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Policy Change >> Other Policy Change Events - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change>> \\\"Audit Other Policy Change Events\\\"\nwith \\\"Failure\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('Other Policy Change Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other Policy Change Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63853' do\n title \"The Back up files and directories user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Back up files and directories\\\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000030'\n tag gid: 'V-63853'\n tag rid: 'SV-78343r1_rule'\n tag stig_id: 'WN10-UR-000030'\n tag fix_id: 'F-69781r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Back up\n files and directories\\\" user right, this is a finding:\n\n 
Administrators\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Back up files and directories\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeBackupPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99553.rb", + "ref": "./Windows 10 STIG/controls/V-63853.rb", "line": 3 }, - "id": "V-99553" + "id": "V-63853" }, { - "title": "Windows 10 must be configured to prevent certificate error overrides\n in Microsoft Edge.", - "desc": "Web security certificates provide an indication whether a site is\n legitimate. This policy setting prevents the user from ignoring Secure Sockets\n Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt\n browsing.", + "title": "Software certificate installation files must be removed from Windows 10.", + "desc": "Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.", "descriptions": { - "default": "Web security certificates provide an indication whether a site is\n legitimate. 
This policy setting prevents the user from ignoring Secure Sockets\n Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt\n browsing.", - "check": "This setting is applicable starting with v1809 of Windows 10; it\n is NA for prior versions.\n\n Windows 10 LTSC\\B versions do not include Microsoft Edge; this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet\n Settings\\\n\n Value Name: PreventCertErrorOverrides\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \"Prevent\n certificate error overrides\" to \"Enabled\"." + "default": "Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.", + "check": "Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement for\n .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight\n certificate files. Some applications create files with extensions of .p12 that\n are not certificate installation files. Removal of non-certificate installation\n files from systems is not required. These must be documented with the ISSO.", + "fix": "Remove any certificate installation files (*.p12 and *.pfx) found\n on a system.\n\n Note: This does not apply to server-based applications that have a requirement\n for .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight\n certificate files." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000238", - "gid": "V-82139", - "rid": "SV-96853r1_rule", - "stig_id": "WN10-CC-000238", - "fix_id": "F-88993r1_fix", + "gtitle": "WN10-00-000130", + "gid": "V-63393", + "rid": "SV-77883r2_rule", + "stig_id": "WN10-00-000130", + "fix_id": "F-100989r1_fix", "cci": [ "CCI-000366" ], 
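Review bot: In the new V-63941 and V-63853 code, `its('SeTakeOwnershipPrivilege') { should eq ['S-1-5-32-544'] }` (and the same shape for `SeBackupPrivilege`) is stricter than the STIG check text it sits next to: the text only flags grantees other than Administrators, but an empty assignment also fails this exact-equality test. That is a reasonable hardening choice, but it should be stated so a reviewer reconciling a failure against the check text is not surprised; a one-line comment above each `describe security_policy do` would do, e.g. `# Exact match on the Administrators SID: any extra grantee or an empty assignment fails (stricter than the STIG check text).` The V-63393 object that begins at the end of this hunk continues into the next hunk.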
@@ -8121,35 +8106,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-82139' do\n title \"Windows 10 must be configured to prevent certificate error overrides\n in Microsoft Edge.\"\n desc \"Web security certificates provide an indication whether a site is\n legitimate. This policy setting prevents the user from ignoring Secure Sockets\n Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt\n browsing.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000238'\n tag gid: 'V-82139'\n tag rid: 'SV-96853r1_rule'\n tag stig_id: 'WN10-CC-000238'\n tag fix_id: 'F-88993r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This setting is applicable starting with v1809 of Windows 10; it\n is NA for prior versions.\n\n Windows 10 LTSC\\\\B versions do not include Microsoft Edge; this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\Internet\n Settings\\\\\n\n Value Name: PreventCertErrorOverrides\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \\\"Prevent\n certificate error overrides\\\" to \\\"Enabled\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1809'\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings') do\n it { should have_property 
'PreventCertErrorOverrides' }\n its('PreventCertErrorOverrides') { should cmp 1 }\n end\n else\n impact 0.0\n describe 'This setting is applicable starting with v1809 of Windows 10; it is NA for prior versions' do\n skip 'This setting is applicable starting with v1809 of Windows 10; it is NA for prior versions.'\n end\n end\nend\n", + "code": "control 'V-63393' do\n title 'Software certificate installation files must be removed from Windows 10.'\n desc \"Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000130'\n tag gid: 'V-63393'\n tag rid: 'SV-77883r2_rule'\n tag stig_id: 'WN10-00-000130'\n tag fix_id: 'F-100989r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement for\n .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight\n certificate files. Some applications create files with extensions of .p12 that\n are not certificate installation files. Removal of non-certificate installation\n files from systems is not required. 
These must be documented with the ISSO.\"\n\n desc \"fix\", \"Remove any certificate installation files (*.p12 and *.pfx) found\n on a system.\n\n Note: This does not apply to server-based applications that have a requirement\n for .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight\n certificate files.\"\n\n describe command('where /R c: *.p12 *.pfx') do\n its('stdout') { should eq '' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-82139.rb", + "ref": "./Windows 10 STIG/controls/V-63393.rb", "line": 3 }, - "id": "V-82139" + "id": "V-63393" }, { - "title": "The Allow log on locally user right must only be assigned to the Administrators and Users groups.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on locally\" user right can log on\n interactively to a system.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for\n VISIO.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on locally\" user right can log on\n interactively to a system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Allow log\n on locally\" user right, this is a finding:\n\n Administrators\n Users", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Allow log on locally\" to only include the following groups or accounts:\n\n Administrators\n Users" + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name VISIO.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for VISIO.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000025", - "gid": "V-63851", - "rid": "SV-78341r2_rule", - "stig_id": "WN10-UR-000025", - "fix_id": "F-88439r1_fix", + "gtitle": "WN10-EP-000260", + "gid": "V-77255", + "rid": "SV-91951r3_rule", + "stig_id": "WN10-EP-000260", + "fix_id": "F-84507r4_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -8163,35 +8148,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63851' do\n title 'The Allow log on locally user right must only be assigned to the Administrators and Users groups.'\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the \\\"Allow log on locally\\\" user right can log on\n interactively to a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000025'\n tag gid: 'V-63851'\n tag rid: 'SV-78341r2_rule'\n tag stig_id: 'WN10-UR-000025'\n tag fix_id: 'F-88439r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Allow log\n on locally\\\" user right, this is a finding:\n\n Administrators\n Users\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Allow log on locally\\\" to only include the following groups or accounts:\n\n Administrators\n Users\"\n\n describe security_policy do\n its('SeInteractiveLogonRight') { should be_in ['S-1-5-32-544', 'S-1-5-32-545'] }\n end\nend\n", + "code": "control 'V-77255' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n VISIO.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations 
against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000260'\n tag gid: 'V-77255'\n tag rid: 'SV-91951r3_rule'\n tag stig_id: 'WN10-EP-000260'\n tag fix_id: 'F-84507r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name VISIO.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for VISIO.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name VISIO.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Visio' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name VISIO.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Visio' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name VISIO.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Visio' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end \n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63851.rb", + "ref": "./Windows 10 STIG/controls/V-77255.rb", "line": 3 }, - "id": "V-63851" + "id": "V-77255" }, { - "title": "The system must be configured to audit Object Access - Removable\n Storage failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.", + "title": "The system must be configured to prevent IP source routing.", + "desc": "Configuring the system to disable IP source routing protects against\n spoofing.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Object Access >> Removable Storage - Failure\n\n Some virtual machines may generate excessive audit events for access to the\n virtual hard disk itself when this setting is enabled. 
This may be set to Not\n Configured in such cases and would not be a finding. This must be documented\n with the ISSO to include mitigations such as monitoring or restricting any\n actual removable storage connected to the VM.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit Removable Storage\" with \"Failure\"\n selected." + "default": "Configuring the system to disable IP source routing protects against\n spoofing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 2", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (DisableIPSourceRouting) IP\n source routing protection level (protects against packet spoofing)\" to\n \"Highest protection, source routing is completely disabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \"MSS-Legacy.admx\" and \"\n MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000085", - "gid": "V-63471", - "rid": "SV-77961r2_rule", - "stig_id": "WN10-AU-000085", - "fix_id": "F-69401r1_fix", + "gtitle": "WN10-CC-000025", + "gid": "V-63559", + "rid": "SV-78049r1_rule", + "stig_id": "WN10-CC-000025", + "fix_id": "F-69489r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
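Review bot: The eight `should_not eq '…'` assertions in the new V-77255 `code` string cannot fail: ConvertTo-Json emits `OverrideDEP` and the Payload override fields as JSON booleans and `ForceRelocateImages` as an integer, so a Ruby `true` or `2` never equals the string `'true'` or `'2'`, and a missing key (nil) passes as well, making an absent or misconfigured mitigation read as compliant. As far as I can tell `Select DEP` also nests the fields under a `DEP` key, so `its(['OverrideDEP'])` on `params` reads nil rather than the setting. Read through the nested key with a positive, type-coercing expectation, e.g. `its(%w[DEP OverrideDEP]) { should cmp false }`, and do the same for the six Payload fields; the ASLR assertion likewise needs a positive expected value instead of `should_not eq '2'`. Separately, `|| nil` in `if input('sensitive_system') == 'true' || nil` is a no-op and should be dropped.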
@@ -8205,35 +8190,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63471' do\n title \"The system must be configured to audit Object Access - Removable\n Storage failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000085'\n tag gid: 'V-63471'\n tag rid: 'SV-77961r2_rule'\n tag stig_id: 'WN10-AU-000085'\n tag fix_id: 'F-69401r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Object Access >> Removable Storage - Failure\n\n Some virtual machines may generate excessive audit events for access to the\n virtual hard disk itself when this setting is enabled. This may be set to Not\n Configured in such cases and would not be a finding. This must be documented\n with the ISSO to include mitigations such as monitoring or restricting any\n actual removable storage connected to the VM.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63559' do\n title 'The system must be configured to prevent IP source routing.'\n desc \"Configuring the system to disable IP source routing protects against\n spoofing.\"\n\n impact 0.5\n\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000025'\n tag gid: 'V-63559'\n tag rid: 'SV-78049r1_rule'\n tag stig_id: 'WN10-CC-000025'\n tag fix_id: 'F-69489r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: 
REG_DWORD\n Value: 2\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (DisableIPSourceRouting) IP\n source routing protection level (protects against packet spoofing)\\\" to\n \\\"Highest protection, source routing is completely disabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \\\"MSS-Legacy.admx\\\" and \\\"\n MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63471.rb", + "ref": "./Windows 10 STIG/controls/V-63559.rb", "line": 3 }, - "id": "V-63471" + "id": "V-63559" }, { - "title": "The system must be configured to audit Policy Change - Authorization\n Policy Change successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.", + "title": "Unauthenticated RPC clients must be restricted from connecting to the\n RPC server.", + "desc": "Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n -Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n -Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \"Audit Authorization Policy Change\" with\n \"Success\" selected." + "default": "Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc\\\n\n Value Name: RestrictRemoteClients\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Procedure Call >> \"Restrict\n Unauthenticated RPC clients\" to \"Enabled\" and \"Authenticated\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000107", - "gid": "V-71761", - "rid": "SV-86385r1_rule", - "stig_id": "WN10-AU-000107", - "fix_id": "F-78113r1_fix", + "gtitle": "WN10-CC-000165", + "gid": "V-63657", + "rid": "SV-78147r1_rule", + "stig_id": "WN10-CC-000165", + "fix_id": "F-69585r1_fix", "cci": [ - "CCI-000172" + "CCI-001967" ], "nist": [ - "AU-12 c", + "IA-3 (1)", "Rev_4" ], "false_negatives": null, 
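Review bot: The `describe registry_key(...)` in the new V-63559 `code` string inspects `Services\Tcpip6\Parameters`, but the control's own check text (both `descriptions.check` earlier in this hunk and `desc "check"` in the string) specifies `\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, so the test reports the state of a different key than the one the control assesses. Change the resource path to `registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters')`. If the IPv6 key is also meant to be enforced it belongs under its own control rather than substituted here.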
@@ -8247,35 +8232,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-71761' do\n title \"The system must be configured to audit Policy Change - Authorization\n Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000107'\n tag gid: 'V-71761'\n tag rid: 'SV-86385r1_rule'\n tag stig_id: 'WN10-AU-000107'\n tag fix_id: 'F-78113r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n -Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n -Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \\\"Audit Authorization Policy Change\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Authorization Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authorization Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63657' do\n title \"Unauthenticated RPC clients must be restricted from connecting to the\n RPC server.\"\n desc \"Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000165'\n tag gid: 'V-63657'\n tag rid: 'SV-78147r1_rule'\n tag stig_id: 'WN10-CC-000165'\n tag fix_id: 'F-69585r1_fix'\n tag cci: ['CCI-001967']\n tag nist: ['IA-3 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\\n\n Value Name: RestrictRemoteClients\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Procedure Call >> \\\"Restrict\n Unauthenticated RPC clients\\\" to \\\"Enabled\\\" and \\\"Authenticated\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc') do\n it { should have_property 'RestrictRemoteClients' }\n its('RestrictRemoteClients') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-71761.rb", + "ref": "./Windows 10 STIG/controls/V-63657.rb", "line": 3 }, - "id": "V-71761" + "id": "V-63657" }, { - "title": "Solicited Remote Assistance must not be allowed.", - "desc": "Remote assistance allows another user to view or take control of the\n local session of a user. Solicited assistance is help that is specifically\n requested by the local user. This may allow unauthorized parties access to the\n resources on the computer.", + "title": "The Debug programs user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Debug Programs\" user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.", "descriptions": { - "default": "Remote assistance allows another user to view or take control of the\n local session of a user. Solicited assistance is help that is specifically\n requested by the local user. This may allow unauthorized parties access to the\n resources on the computer.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fAllowToGetHelp\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Assistance >> \"Configure\n Solicited Remote Assistance\" to \"Disabled\"." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Debug Programs\" user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Debug\n Programs\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Debug programs\" to only include the following groups or accounts:\n\n Administrators" }, "impact": 0.7, "refs": [], "tags": { "severity": "high", - "gtitle": "WN10-CC-000155", - "gid": "V-63651", - "rid": "SV-78141r1_rule", - "stig_id": "WN10-CC-000155", - "fix_id": "F-69581r1_fix", + "gtitle": "WN10-UR-000065", + "gid": "V-63869", + "rid": "SV-78359r1_rule", + "stig_id": "WN10-UR-000065", + "fix_id": "F-69797r1_fix", "cci": [ - "CCI-001090" + "CCI-002235" ], "nist": [ - "SC-4", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
@@ -8289,35 +8274,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63651' do\n title 'Solicited Remote Assistance must not be allowed.'\n desc \"Remote assistance allows another user to view or take control of the\n local session of a user. Solicited assistance is help that is specifically\n requested by the local user. This may allow unauthorized parties access to the\n resources on the computer.\"\n\n impact 0.7\n\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000155'\n tag gid: 'V-63651'\n tag rid: 'SV-78141r1_rule'\n tag stig_id: 'WN10-CC-000155'\n tag fix_id: 'F-69581r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fAllowToGetHelp\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Assistance >> \\\"Configure\n Solicited Remote Assistance\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'fAllowToGetHelp' }\n its('fAllowToGetHelp') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63869' do\n title \"The Debug programs user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Debug Programs\\\" user 
right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.\"\n\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-UR-000065'\n tag gid: 'V-63869'\n tag rid: 'SV-78359r1_rule'\n tag stig_id: 'WN10-UR-000065'\n tag fix_id: 'F-69797r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Debug\n Programs\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Debug programs\\\" to only include the following groups or accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeDebugPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63651.rb", + "ref": "./Windows 10 STIG/controls/V-63869.rb", "line": 3 }, - "id": "V-63651" + "id": "V-63869" }, { - "title": "Only accounts responsible for the backup operations must be members of\n the Backup Operators group.", - "desc": "Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. 
Backup and restore rights permit\n users to circumvent the file access restrictions present on NTFS disk drives\n for backup and restore purposes. Members of the Backup Operators group must\n have separate logon accounts for performing backup duties.", + "title": "The Impersonate a client after authentication user right must only be\n assigned to Administrators, Service, Local Service, and Network Service.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Impersonate a client after authentication\" user right allows a\n program to impersonate another user or account to run on their behalf. An\n attacker could potentially use this to elevate privileges.", "descriptions": { - "default": "Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit\n users to circumvent the file access restrictions present on NTFS disk drives\n for backup and restore purposes. Members of the Backup Operators group must\n have separate logon accounts for performing backup duties.", - "check": "Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Review the members of the Backup Operators group.\n\n If the group contains no accounts, this is not a finding.\n\n If the group contains any accounts, the accounts must be specifically for\n backup functions.\n\n If the group contains any standard user accounts used for performing normal\n user tasks, this is a finding.", - "fix": "Create separate accounts for backup operations for users with this\n privilege." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Impersonate a client after authentication\" user right allows a\n program to impersonate another user or account to run on their behalf. 
An\n attacker could potentially use this to elevate privileges.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the\n \"Impersonate a client after authentication\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Impersonate a client after authentication\" to only include the following\n groups or accounts:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000075", - "gid": "V-63363", - "rid": "SV-77853r1_rule", - "stig_id": "WN10-00-000075", - "fix_id": "F-69283r1_fix", + "gtitle": "WN10-UR-000110", + "gid": "V-63889", + "rid": "SV-78379r1_rule", + "stig_id": "WN10-UR-000110", + "fix_id": "F-69817r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
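Review bot: `its('SeDebugPrivilege') { should eq ['S-1-5-32-544'] }` in the new V-63869 `code` string fails when the right is assigned to nobody, although the check text only flags accounts other than Administrators, so an empty assignment is compliant (and stricter). `eq` also compares the whole array, so it is order- and duplicate-sensitive. The V-63851 control removed in an earlier hunk used `should be_in [...]` for the same kind of check, which, if I read the matcher right, accepts any subset including the empty case; `its('SeDebugPrivilege') { should be_in ['S-1-5-32-544'] }` would match the check text here too.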
@@ -8331,35 +8316,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63363' do\n title \"Only accounts responsible for the backup operations must be members of\n the Backup Operators group.\"\n desc \"Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit\n users to circumvent the file access restrictions present on NTFS disk drives\n for backup and restore purposes. Members of the Backup Operators group must\n have separate logon accounts for performing backup duties.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000075'\n tag gid: 'V-63363'\n tag rid: 'SV-77853r1_rule'\n tag stig_id: 'WN10-00-000075'\n tag fix_id: 'F-69283r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Review the members of the Backup Operators group.\n\n If the group contains no accounts, this is not a finding.\n\n If the group contains any accounts, the accounts must be specifically for\n backup functions.\n\n If the group contains any standard user accounts used for performing normal\n user tasks, this is a finding.\"\n\n desc \"fix\", \"Create separate accounts for backup operations for users with this\n privilege.\"\n\n backup_operators = input('backup_operators')\n backup_operators_group = command(\"net localgroup Backup Operators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n\n backup_operators_group.each do |user|\n describe user.to_s do\n it { should be_in backup_operators }\n end\n end\n if 
backup_operators_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n end\nend\n", + "code": "control 'V-63889' do\n title \"The Impersonate a client after authentication user right must only be\n assigned to Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Impersonate a client after authentication\\\" user right allows a\n program to impersonate another user or account to run on their behalf. An\n attacker could potentially use this to elevate privileges.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000110'\n tag gid: 'V-63889'\n tag rid: 'SV-78379r1_rule'\n tag stig_id: 'WN10-UR-000110'\n tag fix_id: 'F-69817r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the\n \\\"Impersonate a client after authentication\\\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\n NETWORK SERVICE\n SERVICE\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Impersonate a client after authentication\\\" to only include the following\n groups or accounts:\n\n Administrators\n LOCAL 
SERVICE\n NETWORK SERVICE\n SERVICE\"\n\n describe security_policy do\n its('SeAuditPrivilege') { should be_in ['S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63363.rb", + "ref": "./Windows 10 STIG/controls/V-63889.rb", "line": 3 }, - "id": "V-63363" + "id": "V-63889" }, { - "title": "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be\n maintained.", - "desc": "The registry is integral to the function, security, and stability of\n the Windows system. Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.", + "title": "The Windows Installer Always install with elevated privileges must be\n disabled.", + "desc": "Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.", "descriptions": { - "default": "The registry is integral to the function, security, and stability of\n the Windows system. 
Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.", - "check": "Verify the default registry permissions for the keys note below\n of the HKEY_LOCAL_MACHINE hive.\n\n If any non-privileged groups such as Everyone, Users or Authenticated Users\n have greater than Read permission, this is a finding.\n\n Run \"Regedit\".\n Right click on the registry areas noted below.\n Select \"Permissions...\" and the \"Advanced\" button.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other subkeys under the noted keys may also be sampled. 
There may be some\n instances where non-privileged groups have greater than Read permission.\n\n Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in\n later versions of Windows 10 to the following SID, this is currently not a\n finding.\n\n S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\n\n If the defaults have not been changed, these are not a finding.", - "fix": "Maintain the default permissions for the HKEY_LOCAL_MACHINE\n registry hive.\n\n The default permissions of the higher level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry\n keys in later versions of Windows 10 to the following SID.\n\n S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681" + "default": "Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can 
allow malicious persons and applications to gain full control of a system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: AlwaysInstallElevated\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> \"Always\n install with elevated privileges\" to \"Disabled\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-RG-000005", - "gid": "V-63593", - "rid": "SV-78083r2_rule", - "stig_id": "WN10-RG-000005", - "fix_id": "F-98471r1_fix", + "severity": "high", + "gtitle": "WN10-CC-000315", + "gid": "V-63325", + "rid": "SV-77815r1_rule", + "stig_id": "WN10-CC-000315", + "fix_id": "F-69243r1_fix", "cci": [ - "CCI-002235" + "CCI-001812" ], "nist": [ - "AC-6 (10)", + "CM-11 (2)", "Rev_4" ], "false_negatives": null, 
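Review bot: The new V-63889 control asserts the wrong user right: its `describe security_policy` block (on the line beginning `SERVICE\n NETWORK SERVICE\n SERVICE\"\n\n describe security_policy`) reads `its('SeAuditPrivilege')`, which is "Generate security audits", while the control's check and fix text cover "Impersonate a client after authentication", whose policy constant is `SeImpersonatePrivilege`. As written the control reports on an unrelated privilege and can pass a machine that grants impersonation to extra accounts. Change the assertion to `its('SeImpersonatePrivilege') { should be_in ['S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'] }`; the SID list already matches the four principals the check names (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE), and a short comment mapping each SID to its account name would let the allow-list be audited without a lookup. The enclosing JSON control object for V-63889 begins in the preceding hunk.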
@@ -8373,35 +8358,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63593' do\n title \"Default permissions for the HKEY_LOCAL_MACHINE registry hive must be\n maintained.\"\n desc \"The registry is integral to the function, security, and stability of\n the Windows system. Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-RG-000005'\n tag gid: 'V-63593'\n tag rid: 'SV-78083r2_rule'\n tag stig_id: 'WN10-RG-000005'\n tag fix_id: 'F-98471r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the default registry permissions for the keys note below\n of the HKEY_LOCAL_MACHINE hive.\n\n If any non-privileged groups such as Everyone, Users or Authenticated Users\n have greater than Read permission, this is a finding.\n\n Run \\\"Regedit\\\".\n Right click on the registry areas noted below.\n Select \\\"Permissions...\\\" and the \\\"Advanced\\\" button.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n 
HKEY_LOCAL_MACHINE\\\\SYSTEM\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other subkeys under the noted keys may also be sampled. There may be some\n instances where non-privileged groups have greater than Read permission.\n\n Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in\n later versions of Windows 10 to the following SID, this is currently not a\n finding.\n\n S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\n\n If the defaults have not been changed, these are not a finding.\"\n\n desc 'fix', \"Maintain the default permissions for the HKEY_LOCAL_MACHINE\n registry hive.\n\n The default permissions of the higher level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key 
and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry\n keys in later versions of Windows 10 to the following SID.\n\n S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\"\n\n # Adding Read permission for Security for Administrators to allow for read of key permissions\n\n hklm_software = powershell(\"(Get-Acl -Path HKLM:Software).AccessToString\").stdout.lines.collect(&:strip)\n describe \"Registry Key Software permissions are set correctly on folder structure\" do\n subject { hklm_software.eql? input('reg_software_perms')}\n it { should eq true }\n end\n\n hklm_security = powershell(\"(Get-Acl -Path HKLM:Security).AccessToString\").stdout.lines.collect(&:strip)\n describe \"Registry Key Security are set correctly on folder structure\" do\n subject { hklm_security.eql? input('reg_security_perms')}\n it { should eq true }\n end\n\n hklm_system = powershell(\"(Get-Acl -Path HKLM:System).AccessToString\").stdout.lines.collect(&:strip)\n describe \"Registry Key Security are set correctly on folder structure\" do\n subject { hklm_system.eql? 
input('reg_system_perms')}\n it { should eq true }\n end\nend\n", + "code": "control 'V-63325' do\n title \"The Windows Installer Always install with elevated privileges must be\n disabled.\"\n desc \"Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000315'\n tag gid: 'V-63325'\n tag rid: 'SV-77815r1_rule'\n tag stig_id: 'WN10-CC-000315'\n tag fix_id: 'F-69243r1_fix'\n tag cci: ['CCI-001812']\n tag nist: ['CM-11 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: AlwaysInstallElevated\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> \\\"Always\n install with elevated privileges\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'AlwaysInstallElevated' }\n its('AlwaysInstallElevated') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63593.rb", + "ref": "./Windows 10 STIG/controls/V-63325.rb", "line": 3 }, - "id": "V-63593" + "id": "V-63325" }, { - "title": "The Smart Card removal option must be configured to Force Logoff or\n Lock Workstation.", - 
"desc": "Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.", + "title": "Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.", + "desc": "Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. By default Windows uses ECC curves\n with shorter key lengths first. Requiring ECC curves with longer key lengths\n to be prioritized first helps ensure more secure algorithms are used.", "descriptions": { - "default": "Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: SCRemoveOption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n This can be left not configured or set to \"No action\" on workstations with\n the following conditions. This must be documented with the ISSO.\n -The setting cannot be configured due to mission needs, or because it\n interferes with applications.\n -Policy must be in place that users manually lock workstations when leaving\n them unattended.\n -The screen saver is properly configured to lock as required.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Interactive logon: Smart card removal behavior\" to \"Lock Workstation\" or\n \"Force Logoff\"." + "default": "Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. 
By default Windows uses ECC curves\n with shorter key lengths first. Requiring ECC curves with longer key lengths\n to be prioritized first helps ensure more secure algorithms are used.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002\\\n\n Value Name: EccCurves\n\n Value Type: REG_MULTI_SZ\n Value: NistP384 NistP256", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> SSL Configuration Settings >> \"ECC\n Curve Order\" to \"Enabled\" with \"ECC Curve Order:\" including the following\n in the order listed:\n\n NistP384\n NistP256" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000095", - "gid": "V-63697", - "rid": "SV-78187r1_rule", - "stig_id": "WN10-SO-000095", - "fix_id": "F-69625r1_fix", + "gtitle": "WN10-CC-000052", + "gid": "V-74413", + "rid": "SV-89087r2_rule", + "stig_id": "WN10-CC-000052", + "fix_id": "F-80955r1_fix", "cci": [ - "CCI-000366" + "CCI-000803" ], "nist": [ - "CM-6 b", + "IA-7", "Rev_4" ], "false_negatives": null, 
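Review bot: The V-63325 code asserts only the HKLM `AlwaysInstallElevated` value, and nothing in the control says why the per-user (HKCU) policy of the same name is not examined, so a reader is likely to assume it was overlooked. Per Microsoft's description of the policy the elevated install only takes effect when the setting is enabled in both the Computer Configuration and User Configuration hives, so an HKLM value of 0 is sufficient to disable it; I would state that above the `describe registry_key(...)` line, e.g. `# Elevation needs AlwaysInstallElevated=1 in both HKLM and HKCU; HKLM=0 alone disables it (STIG only checks HKLM).` The presence check (`should have_property`) is correct, since the STIG treats a missing value as a finding.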
@@ -8415,37 +8400,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63697' do\n title \"The Smart Card removal option must be configured to Force Logoff or\n Lock Workstation.\"\n desc \"Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000095'\n tag gid: 'V-63697'\n tag rid: 'SV-78187r1_rule'\n tag stig_id: 'WN10-SO-000095'\n tag fix_id: 'F-69625r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: SCRemoveOption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n This can be left not configured or set to \\\"No action\\\" on workstations with\n the following conditions. 
This must be documented with the ISSO.\n -The setting cannot be configured due to mission needs, or because it\n interferes with applications.\n -Policy must be in place that users manually lock workstations when leaving\n them unattended.\n -The screen saver is properly configured to lock as required.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Interactive logon: Smart card removal behavior\\\" to \\\"Lock Workstation\\\" or\n \\\"Force Logoff\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon') do\n it { should have_property 'SCRemoveOption' }\n its('SCRemoveOption') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon') do\n it { should have_property 'SCRemoveOption' }\n its('SCRemoveOption') { should cmp 2 }\n end\n end\nend\n", + "code": "control 'V-74413' do\n title 'Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.'\n desc \"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. By default Windows uses ECC curves\n with shorter key lengths first. 
Requiring ECC curves with longer key lengths\n to be prioritized first helps ensure more secure algorithms are used.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000052'\n tag gid: 'V-74413'\n tag rid: 'SV-89087r2_rule'\n tag stig_id: 'WN10-CC-000052'\n tag fix_id: 'F-80955r1_fix'\n tag cci: ['CCI-000803']\n tag nist: %w[IA-7 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography\\\\Configuration\\\\SSL\\\\00010002\\\\\n\n Value Name: EccCurves\n\n Value Type: REG_MULTI_SZ\n Value: NistP384 NistP256\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> SSL Configuration Settings >> \\\"ECC\n Curve Order\\\" to \\\"Enabled\\\" with \\\"ECC Curve Order:\\\" including the following\n in the order listed:\n\n NistP384\n NistP256\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002') do\n it { should have_property 'EccCurves' }\n end\n \n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002') do\n its('EccCurves') { should include 'NistP384' }\n its('EccCurves') { should include 'NistP256' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63697.rb", + "ref": "./Windows 10 STIG/controls/V-74413.rb", "line": 3 }, - "id": "V-63697" + "id": "V-74413" }, { - "title": "The Windows Remote Management (WinRM) service must not allow\n unencrypted traffic.", - "desc": "Unencrypted 
remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", + "title": "Local drives must be prevented from sharing with Remote Desktop\n Session Hosts.", + "desc": "Preventing users from sharing the local drives on their client\n computers to Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.", "descriptions": { - "default": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", - "check": "If the following registry value does not exist or is not\nconfigured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n Value Name: AllowUnencryptedTraffic\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \"Allow unencrypted traffic\" to \"Disabled\"." + "default": "Preventing users from sharing the local drives on their client\n computers to Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fDisableCdm\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Device and Resource Redirection >> \"Do not\n allow drive redirection\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000350", - "gid": "V-63369", - "rid": "SV-77859r1_rule", - "stig_id": "WN10-CC-000350", - "fix_id": "F-69289r1_fix", + "gtitle": "WN10-CC-000275", + "gid": "V-63731", + "rid": "SV-78221r1_rule", + "stig_id": "WN10-CC-000275", + "fix_id": "F-69659r1_fix", "cci": [ - "CCI-002890", - "CCI-003123" + "CCI-001090" ], "nist": [ - "MA-4 (6)", - "MA-4 (6)", + "SC-4", "Rev_4" ], "false_negatives": null, 
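Review bot: The V-74413 test does not verify curve order, which is the whole point of the control: `its('EccCurves') { should include 'NistP384' }` and `{ should include 'NistP256' }` both pass for the default `NistP256 NistP384` ordering that the check text calls a finding. If the value must match the STIG exactly, replace the two `include` lines with `its('EccCurves') { should cmp ['NistP384', 'NistP256'] }`; if additional curves after the two are acceptable (the fix text says "including ... in the order listed"), compare the indices instead, e.g. `curves = registry_key(...).EccCurves` and `describe curves.index('NistP384') do it { should be < curves.index('NistP256') } end`, hedging on how the REG_MULTI_SZ is surfaced by the resource. The two separate `describe registry_key(...)` blocks on the same key can also be merged into one.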
@@ -8459,35 +8442,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63369' do\n title \"The Windows Remote Management (WinRM) service must not allow\n unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000350'\n tag gid: 'V-63369'\n tag rid: 'SV-77859r1_rule'\n tag stig_id: 'WN10-CC-000350'\n tag fix_id: 'F-69289r1_fix'\n tag cci: %w[CCI-002890 CCI-003123]\n tag nist: ['MA-4 (6)', 'MA-4 (6)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\nconfigured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n Value Name: AllowUnencryptedTraffic\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \\\"Allow unencrypted traffic\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63731' do\n title \"Local drives must be prevented from sharing with Remote Desktop\n Session Hosts.\"\n desc \"Preventing users from sharing the local drives on their client\n computers to Remote Session Hosts that they access helps reduce possible\n exposure 
of sensitive data.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000275'\n tag gid: 'V-63731'\n tag rid: 'SV-78221r1_rule'\n tag stig_id: 'WN10-CC-000275'\n tag fix_id: 'F-69659r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fDisableCdm\n\n Value Type: REG_DWORD\n Value: 1\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Device and Resource Redirection >> \\\"Do not\n allow drive redirection\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'fDisableCdm' }\n its('fDisableCdm') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63369.rb", + "ref": "./Windows 10 STIG/controls/V-63731.rb", "line": 3 }, - "id": "V-63369" + "id": "V-63731" }, { - "title": "Indexing of encrypted files must be turned off.", - "desc": "Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.", + "title": "Kerberos encryption types must be configured to prevent the use of DES\n and RC4 encryption suites.", + "desc": "Certain encryption types are no longer considered secure. 
This\n setting configures a minimum encryption type for Kerberos, preventing the use\n of the DES and RC4 encryption suites.", "descriptions": { - "default": "Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Search >> \"Allow indexing of\n encrypted files\" to \"Disabled\"." + "default": "Certain encryption types are no longer considered secure. This\n setting configures a minimum encryption type for Kerberos, preventing the use\n of the DES and RC4 encryption suites.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Configure encryption types allowed for Kerberos\" to\n \"Enabled\" with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000305", - "gid": "V-63751", - "rid": "SV-78241r1_rule", - "stig_id": "WN10-CC-000305", - "fix_id": "F-69679r1_fix", + "gtitle": "WN10-SO-000190", + "gid": "V-63795", + "rid": "SV-78285r1_rule", + "stig_id": "WN10-SO-000190", + 
"fix_id": "F-69723r2_fix", "cci": [ - "CCI-000381" + "CCI-000803" ], "nist": [ - "CM-7 a", + "IA-7", "Rev_4" ], "false_negatives": null, 
@@ -8501,68 +8484,79 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63751' do\n title 'Indexing of encrypted files must be turned off.'\n desc \"Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000305'\n tag gid: 'V-63751'\n tag rid: 'SV-78241r1_rule'\n tag stig_id: 'WN10-CC-000305'\n tag fix_id: 'F-69679r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Windows Search\\\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Search >> \\\"Allow indexing of\n encrypted files\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search') do\n it { should have_property 'AllowIndexingEncryptedStoresOrItems' }\n its('AllowIndexingEncryptedStoresOrItems') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63795' do\n title \"Kerberos encryption types must be configured to prevent the use of DES\n and RC4 encryption suites.\"\n desc \"Certain encryption types are no longer considered secure. 
This\n setting configures a minimum encryption type for Kerberos, preventing the use\n of the DES and RC4 encryption suites.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000190'\n tag gid: 'V-63795'\n tag rid: 'SV-78285r1_rule'\n tag stig_id: 'WN10-SO-000190'\n tag fix_id: 'F-69723r2_fix'\n tag cci: ['CCI-000803']\n tag nist: %w[IA-7 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Configure encryption types allowed for Kerberos\\\" to\n \\\"Enabled\\\" with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters') do\n it { should have_property 'SupportedEncryptionTypes' }\n its('SupportedEncryptionTypes') { should cmp 2_147_483_640 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63751.rb", + "ref": "./Windows 10 STIG/controls/V-63795.rb", "line": 3 }, - "id": "V-63751" + "id": "V-63795" }, { - "title": "Windows 10 must be configured to audit other Logon/Logoff Events\nFailures.", - "desc": "Maintaining an audit trail of system activity logs can help 
identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. Logon events are essential to\nunderstanding user activity and detecting potential attacks.", + "title": "The Windows Remote Management (WinRM) service must not allow\n unencrypted traffic.", + "desc": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. 
Logon events are essential to\nunderstanding user activity and detecting potential attacks.", - "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Logon/Logoff >> Other Logon/Logoff Events - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Other Logon/Logoff Events\"\nwith \"Failure\" selected." + "default": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", + "check": "If the following registry value does not exist or is not\nconfigured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n Value Name: AllowUnencryptedTraffic\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \"Allow unencrypted traffic\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { - "severity": null, - "gtitle": "WN10-AU-000565", - "gid": "V-99541", - "rid": "SV-108645r1_rule", - "stig_id": "WN10-AU-000565", - "fix_id": "F-105225r1_fix", + "severity": "medium", + "gtitle": "WN10-CC-000350", + "gid": "V-63369", + "rid": "SV-77859r1_rule", + "stig_id": "WN10-CC-000350", + "fix_id": "F-69289r1_fix", "cci": [ - "CCI-000130" + "CCI-002890", + "CCI-003123" ], "nist": [ - "AU-3", + "MA-4 (6)", + "MA-4 (6)", "Rev_4" - ] + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null }, - "code": "control \"V-99541\" do\n title \"Windows 10 must be configured to audit other Logon/Logoff Events\nFailures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. 
Logon events are essential to\nunderstanding user activity and detecting potential attacks.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000565\"\n tag gid: \"V-99541\"\n tag rid: \"SV-108645r1_rule\"\n tag stig_id: \"WN10-AU-000565\"\n tag fix_id: \"F-105225r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Logon/Logoff >> Other Logon/Logoff Events - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Other Logon/Logoff Events\\\"\nwith \\\"Failure\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('Other Logon/Logoff Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other Logon/Logoff Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63369' do\n title \"The Windows Remote Management (WinRM) service must not allow\n unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000350'\n tag gid: 'V-63369'\n tag rid: 'SV-77859r1_rule'\n tag stig_id: 'WN10-CC-000350'\n tag fix_id: 'F-69289r1_fix'\n tag cci: %w[CCI-002890 CCI-003123]\n tag nist: ['MA-4 (6)', 'MA-4 (6)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\nconfigured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n Value Name: AllowUnencryptedTraffic\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \\\"Allow unencrypted traffic\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99541.rb", + "ref": "./Windows 10 STIG/controls/V-63369.rb", "line": 3 }, - "id": "V-99541" + "id": "V-63369" }, { - "title": "The Create a pagefile user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create a pagefile\" user right can change the size of a\n pagefile, which could affect system performance.", + "title": "Wi-Fi Sense must be disabled.", + 
"desc": "Wi-Fi Sense automatically connects the system to known hotspots and\n networks that contacts have shared. It also allows the sharing of the system's\n known networks to contacts. Automatically connecting to hotspots and shared\n networks can expose a system to unsecured or potentially malicious systems.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create a pagefile\" user right can change the size of a\n pagefile, which could affect system performance.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Create a\n pagefile\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create a pagefile\" to only include the following groups or accounts:\n\n Administrators" + "default": "Wi-Fi Sense automatically connects the system to known hotspots and\n networks that contacts have shared. It also allows the sharing of the system's\n known networks to contacts. 
Automatically connecting to hotspots and shared\n networks can expose a system to unsecured or potentially malicious systems.", + "check": "This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer\n available.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config\\\n\n Value Name: AutoConnectAllowedOEM\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> WLAN Service >> WLAN Settings>> \"Allow\n Windows to automatically connect to suggested open hotspots, to networks shared\n by contacts, and to hotspots offering paid services\" to \"Disabled\".\n\n v1507 LTSB does not include this group policy setting. It may be configured\n through other means such as using group policy from a later version of Windows\n 10 or a registry update." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000040", - "gid": "V-63857", - "rid": "SV-78347r1_rule", - "stig_id": "WN10-UR-000040", - "fix_id": "F-69785r1_fix", + "gtitle": "WN10-CC-000065", + "gid": "V-63591", + "rid": "SV-78081r2_rule", + "stig_id": "WN10-CC-000065", + "fix_id": "F-88431r2_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
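Review bot: The `nist` mapping for the new V-63369 record lists `MA-4 (6)` twice, both in the JSON array `"nist": ["MA-4 (6)", "MA-4 (6)", "Rev_4"]` and in the embedded InSpec line `tag nist: ['MA-4 (6)', 'MA-4 (6)', 'Rev_4']`; this looks like an artifact of both CCIs (CCI-002890 and CCI-003123) resolving to the same control, and any consumer that counts or groups findings by NIST control will double-count this one. Deduplicating to `"nist": ["MA-4 (6)", "Rev_4"]` and `tag nist: ['MA-4 (6)', 'Rev_4']` keeps the mapping accurate. As a point of style, the same record uses `desc "check"` / `desc "fix"` while V-63795 earlier in the hunk uses the single-quoted `desc 'check'` / `desc 'fix'` form; normalizing the generated code to one quoting convention avoids churn if the source profile is linted.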
@@ -8576,35 +8570,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63857' do\n title \"The Create a pagefile user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Create a pagefile\\\" user right can change the size of a\n pagefile, which could affect system performance.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000040'\n tag gid: 'V-63857'\n tag rid: 'SV-78347r1_rule'\n tag stig_id: 'WN10-UR-000040'\n tag fix_id: 'F-69785r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Create a\n pagefile\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create a pagefile\\\" to only include the following groups or accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeCreatePagefilePrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63591' do\n title 'Wi-Fi Sense must be disabled.'\n desc \"Wi-Fi Sense automatically connects the system to known hotspots and\n networks that contacts have shared. 
It also allows the sharing of the system's\n known networks to contacts. Automatically connecting to hotspots and shared\n networks can expose a system to unsecured or potentially malicious systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000065'\n tag gid: 'V-63591'\n tag rid: 'SV-78081r2_rule'\n tag stig_id: 'WN10-CC-000065'\n tag fix_id: 'F-88431r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer\n available.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\WcmSvc\\\\wifinetworkmanager\\\\config\\\\\n\n Value Name: AutoConnectAllowedOEM\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> WLAN Service >> WLAN Settings>> \\\"Allow\n Windows to automatically connect to suggested open hotspots, to networks shared\n by contacts, and to hotspots offering paid services\\\" to \\\"Disabled\\\".\n\n v1507 LTSB does not include this group policy setting. It may be configured\n through other means such as using group policy from a later version of Windows\n 10 or a registry update.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1803'\n impact 0.0\n describe 'This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer available.' 
do\n skip 'This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer available.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config') do\n it { should have_property 'AutoConnectAllowedOEM' }\n its('AutoConnectAllowedOEM') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63857.rb", + "ref": "./Windows 10 STIG/controls/V-63591.rb", "line": 3 }, - "id": "V-63857" + "id": "V-63591" }, { - "title": "The Restore files and directories user right must only be assigned to\n the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Restore files and directories\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to over-write more current data.", + "title": "Command line data must be included in process creation events.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \"Include command line data for process creation events\" will\n record the command line information with the process creation events in the\n log. 
This can provide additional detail when malware has run on a system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Restore files and directories\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to over-write more current data.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Restore\n files and directories\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Restore files and directories\" to only include the following groups or\n accounts:\n\n Administrators" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \"Include command line data for process creation events\" will\n record the command line information with the process creation events in the\n log. 
This can provide additional detail when malware has run on a system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Audit Process Creation >> \"Include\n command line in process creation events\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000160", - "gid": "V-63939", - "rid": "SV-78429r1_rule", - "stig_id": "WN10-UR-000160", - "fix_id": "F-69867r1_fix", + "gtitle": "WN10-CC-000066", + "gid": "V-68817", + "rid": "SV-83409r1_rule", + "stig_id": "WN10-CC-000066", + "fix_id": "F-74987r1_fix", "cci": [ - "CCI-002235" + "CCI-000135" ], "nist": [ - "AC-6 (10)", + "AU-3 (1)", "Rev_4" ], "false_negatives": null, 
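Review bot: The version gate in V-63591's code, `registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId >= '1803'`, is a string comparison with no guard; it gives the right answer for the ReleaseId values Windows 10 has shipped (including the value frozen at '2009' from 20H2 onward, when DisplayVersion took over), but if the property is absent the comparison runs against nil (which is what InSpec appears to return for a missing value) and the control errors instead of failing or skipping. Reading the value once and guarding it, e.g. `release_id = registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId` followed by `if release_id && release_id.to_i >= 1803`, makes the numeric intent explicit and keeps the N/A branch from masking a broken lookup. The `impact 0.0` in the skip branch is fine, since it is what marks the control not applicable on those builds.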
@@ -8618,35 +8612,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63939' do\n title \"The Restore files and directories user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Restore files and directories\\\" user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to over-write more current data.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000160'\n tag gid: 'V-63939'\n tag rid: 'SV-78429r1_rule'\n tag stig_id: 'WN10-UR-000160'\n tag fix_id: 'F-69867r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Restore\n files and directories\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Restore files and directories\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeRestorePrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-68817' do\n title 'Command line data must be included in process creation events.'\n desc 
\"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \\\"Include command line data for process creation events\\\" will\n record the command line information with the process creation events in the\n log. This can provide additional detail when malware has run on a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000066'\n tag gid: 'V-68817'\n tag rid: 'SV-83409r1_rule'\n tag stig_id: 'WN10-CC-000066'\n tag fix_id: 'F-74987r1_fix'\n tag cci: ['CCI-000135']\n tag nist: ['AU-3 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Audit\\\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Audit Process Creation >> \\\"Include\n command line in process creation events\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit') do\n it { should have_property 'ProcessCreationIncludeCmdLine_Enabled' }\n 
its('ProcessCreationIncludeCmdLine_Enabled') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63939.rb", + "ref": "./Windows 10 STIG/controls/V-68817.rb", "line": 3 }, - "id": "V-63939" + "id": "V-68817" }, { - "title": "Windows Telemetry must not be configured to Full.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \"Security\" option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender and telemetry client settings. \"Basic\" sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services. \"Enhanced\" includes additional information on how Windows and apps\n are used and advanced reliability data. Windows Analytics can use a \"limited\n enhanced\" level to provide information such as health data for devices. This\n requires the configuration of an additional setting available with v1709 and\n later of Windows 10.", + "title": "Unused accounts must be disabled or removed from the system after\n 35 days of inactivity.", + "desc": "Outdated or unused accounts provide penetration points that may go\n undetected. Inactive accounts must be deleted if no longer necessary or, if\n still required, disable until needed.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \"Security\" option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender and telemetry client settings. 
\"Basic\" sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services. \"Enhanced\" includes additional information on how Windows and apps\n are used and advanced reliability data. Windows Analytics can use a \"limited\n enhanced\" level to provide information such as health data for devices. This\n requires the configuration of an additional setting available with v1709 and\n later of Windows 10.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security)\n 0x00000001 (1) (Basic)\n\n If an organization is using v1709 or later of Windows 10 this may be configured\n to \"Enhanced\" to support Windows Analytics. V-82145 must also be configured\n to limit the Enhanced diagnostic data to the minimum required by Windows\n Analytics. This registry value will then be 0x00000002 (2).", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds >> \"Allow Telemetry\" to \"Enabled\" with \"0 - Security [Enterprise\n Only]\" or \"1 - Basic\" selected in \"Options:\".\n\n If an organization is using v1709 or later of Windows 10 this may be configured\n to \"2 - Enhanced\" to support Windows Analytics. V-82145 must also be\n configured to limit the Enhanced diagnostic data to the minimum required by\n Windows Analytics." + "default": "Outdated or unused accounts provide penetration points that may go\n undetected. 
Inactive accounts must be deleted if no longer necessary or, if\n still required, disable until needed.", + "check": "Run \"PowerShell\".\n Copy the lines below to the PowerShell window and enter.\n\n \"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\"\n\n This will return a list of local accounts with the account name, last logon,\n and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n\n Review the list to determine the finding validity for each account reported.\n\n Exclude the following accounts:\n Built-in administrator account (Disabled, SID ending in 500)\n Built-in guest account (Disabled, SID ending in 501)\n Built-in DefaultAccount (Disabled, SID ending in 503)\n Local administrator account\n\n If any enabled accounts have not been logged on to within the past 35 days,\n this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be\n documented with the ISSO.", + "fix": "Regularly review local accounts and verify their necessity.\n Disable or delete any active accounts that have not been used in\n the last 35 days." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000205", - "gid": "V-63683", - "rid": "SV-78173r3_rule", - "stig_id": "WN10-CC-000205", - "fix_id": "F-89003r2_fix", + "severity": "low", + "gtitle": "WN10-00-000065", + "gid": "V-63359", + "rid": "SV-77849r1_rule", + "stig_id": "WN10-00-000065", + "fix_id": "F-69279r1_fix", "cci": [ - "CCI-000366" + "CCI-000795" ], "nist": [ - "CM-6 b", + "IA-4 e", "Rev_4" ], "false_negatives": null, 
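Review bot: The new V-63359 record is added with `"impact": 0` while its `"severity"` is `"low"`; an impact of 0.0 is what this file otherwise uses for not-applicable controls (see the `impact 0.0` skip branch in V-63591), and InSpec's impact scale maps 0.0 to "none", so the inactive-accounts check would be reported as N/A rather than as a low finding. Unless the 0 is deliberate, `"impact": 0.3` is the value that corresponds to a low severity in the same way the medium controls in this hunk carry 0.5, and the `impact` line inside the control's `code` string should agree with it. The V-63359 record continues past the end of this hunk, so its `code` field is not visible here to confirm what it sets.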
@@ -8660,35 +8654,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63683' do\n title 'Windows Telemetry must not be configured to Full.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \\\"Security\\\" option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender and telemetry client settings. \\\"Basic\\\" sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services. \\\"Enhanced\\\" includes additional information on how Windows and apps\n are used and advanced reliability data. Windows Analytics can use a \\\"limited\n enhanced\\\" level to provide information such as health data for devices. This\n requires the configuration of an additional setting available with v1709 and\n later of Windows 10. 
\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000205'\n tag gid: 'V-63683'\n tag rid: 'SV-78173r3_rule'\n tag stig_id: 'WN10-CC-000205'\n tag fix_id: 'F-89003r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection\\\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security)\n 0x00000001 (1) (Basic)\n\n If an organization is using v1709 or later of Windows 10 this may be configured\n to \\\"Enhanced\\\" to support Windows Analytics. V-82145 must also be configured\n to limit the Enhanced diagnostic data to the minimum required by Windows\n Analytics. This registry value will then be 0x00000002 (2).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds >> \\\"Allow Telemetry\\\" to \\\"Enabled\\\" with \\\"0 - Security [Enterprise\n Only]\\\" or \\\"1 - Basic\\\" selected in \\\"Options:\\\".\n\n If an organization is using v1709 or later of Windows 10 this may be configured\n to \\\"2 - Enhanced\\\" to support Windows Analytics. 
V-82145 must also be\n configured to limit the Enhanced diagnostic data to the minimum required by\n Windows Analytics.\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 2 }\n end\n end\nend\n", + "code": "control 'V-63359' do\n title \"Unused accounts must be disabled or removed from the system after\n #{input('max_inactive_days')} days of inactivity.\"\n desc \"Outdated or unused accounts provide penetration points that may go\n undetected. 
Inactive accounts must be deleted if no longer necessary or, if\n still required, disable until needed.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-00-000065'\n tag gid: 'V-63359'\n tag rid: 'SV-77849r1_rule'\n tag stig_id: 'WN10-00-000065'\n tag fix_id: 'F-69279r1_fix'\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"PowerShell\\\".\n Copy the lines below to the PowerShell window and enter.\n\n \\\"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\\\"\n\n This will return a list of local accounts with the account name, last logon,\n and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n\n Review the list to determine the finding validity for each account reported.\n\n Exclude the following accounts:\n Built-in administrator account (Disabled, SID ending in 500)\n Built-in guest account (Disabled, SID ending in 501)\n Built-in DefaultAccount (Disabled, SID ending in 503)\n Local administrator account\n\n If any enabled accounts have not been logged on to within the past 35 days,\n this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be\n documented with the ISSO.\"\n\n desc \"fix\", \"Regularly review local accounts and verify their necessity.\n Disable or delete any active accounts that have not been used in\n the last #{input('max_inactive_days')} 
days.\"\n\n # userList = users.where { uid !~ /S\\-1\\-5\\-21\\-\\d+\\-\\d+\\-\\d+\\-50[0-3]/ }\n # PR submitted to return the last logon property via users.\n # https://github.com/inspec/inspec/issues/4723\n\n users = command(\"Get-CimInstance -Class Win32_Useraccount -Filter 'LocalAccount=True and Disabled=False' | FT Name | Findstr /V 'Name --'\").stdout.strip.split(' ')\n\n get_sids = []\n get_names = []\n names = []\n inactive_accounts = []\n\n unless users.empty?\n users.each do |user|\n get_sids = command(\"wmic useraccount where \\\"Name='#{user}'\\\" get name',' sid| Findstr /v SID\").stdout.strip\n get_last = get_sids[get_sids.length - 3, 3]\n\n loc_space = get_sids.index(' ')\n names = get_sids[0, loc_space]\n if get_last != '500' && get_last != '501' && get_last != '503'\n get_names.push(names)\n end\n end\n end\n\n unless get_names.empty?\n get_names.each do |user|\n get_last_logon = command(\"Net User #{user} | Findstr /i 'Last Logon' | Findstr /v 'Password script hours'\").stdout.strip\n last_logon = get_last_logon[29..33]\n if last_logon != 'Never'\n month = get_last_logon[28..29]\n day = get_last_logon[31..32]\n year = get_last_logon[34..37]\n\n if get_last_logon[32] == '/'\n month = get_last_logon[28..29]\n day = get_last_logon[31]\n year = get_last_logon[33..37]\n end\n date = day + '/' + month + '/' + year\n\n date_last_logged_on = DateTime.now.mjd - DateTime.parse(date).mjd\n if date_last_logged_on > input('max_inactive_days')\n inactive_accounts.push(user)\n end\n\n unless inactive_accounts.empty?\n describe \"#{user}'s last logon\" do\n describe date_last_logged_on do\n it { should be <= input('max_inactive_days') }\n end\n end\n end\n end\n\n next if inactive_accounts.empty?\n\n next unless last_logon == 'Never'\n\n date_last_logged_on = 'Never'\n describe \"#{user}'s last logon\" do\n describe date_last_logged_on do\n it { should_not == 'Never' }\n end\n end\n end\n end\n\n if inactive_accounts.empty?\n impact 0.0\n describe 'The system 
does not have any inactive accounts, control is NA' do\n skip 'The system does not have any inactive accounts, controls is NA'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63683.rb", + "ref": "./Windows 10 STIG/controls/V-63359.rb", "line": 3 }, - "id": "V-63683" + "id": "V-63359" }, { - "title": "The Windows Remote Management (WinRM) service must not store RunAs\n credentials.", - "desc": "Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management\n will prevent them from being used with plug-ins.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for OIS.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management\n will prevent them from being used with plug-ins.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n Value Name: DisableRunAs\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \"Disallow WinRM from storing RunAs credentials\"\n to \"Enabled\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name OIS.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for OIS.EXE:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined 
under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000355", - "gid": "V-63375", - "rid": "SV-77865r1_rule", - "stig_id": "WN10-CC-000355", - "fix_id": "F-69293r1_fix", + "gtitle": "WN10-EP-000200", + "gid": "V-77239", + "rid": "SV-91935r3_rule", + "stig_id": "WN10-EP-000200", + "fix_id": "F-84315r4_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
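Review bot: In the new V-63359 code, an enabled account whose last logon is 'Never' is only reported when `inactive_accounts` is already non-empty, because `next if inactive_accounts.empty?` runs before `next unless last_logon == 'Never'`; on a host with no other stale accounts such an account produces no test at all and the control falls through to the `impact 0.0` "NA" skip. Moving the `next if inactive_accounts.empty?` guard after the 'Never' describe, or dropping it and pushing never-logged-on users into `inactive_accounts`, would let those accounts fail the check as the STIG check text requires. The built-in account exclusion `get_last = get_sids[get_sids.length - 3, 3]` keys on the last three characters of the SID, so any account whose RID merely ends in 500, 501 or 503 (RID 1500, for example) is silently excluded; comparing the RID after the final '-' against the three well-known values would be exact. The `Net User` output is also sliced at fixed offsets (`last_logon = get_last_logon[29..33]`, `month = get_last_logon[28..29]`), which presumably only holds for the default en-US date format — a comment such as `# NOTE: column offsets assume the en-US short date format of 'net user'` would make that assumption visible.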
@@ -8702,30 +8696,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63375' do\n title \"The Windows Remote Management (WinRM) service must not store RunAs\n credentials.\"\n desc \"Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management\n will prevent them from being used with plug-ins.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000355'\n tag gid: 'V-63375'\n tag rid: 'SV-77865r1_rule'\n tag stig_id: 'WN10-CC-000355'\n tag fix_id: 'F-69293r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n Value Name: DisableRunAs\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \\\"Disallow WinRM from storing RunAs credentials\\\"\n to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service') do\n it { should have_property 'DisableRunAs' }\n its('DisableRunAs') { should cmp 1 }\n end\nend\n", + "code": "control 'V-77239' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for OIS.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000200'\n tag gid: 'V-77239'\n tag rid: 'SV-91935r3_rule'\n tag stig_id: 'WN10-EP-000200'\n tag fix_id: 'F-84315r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name OIS.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for OIS.EXE:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name OIS.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Picture Manager' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name OIS.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Picture Manager' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63375.rb", + "ref": "./Windows 10 STIG/controls/V-77239.rb", "line": 3 }, - "id": "V-63375" + "id": "V-77239" }, { - "title": "IPv6 source routing must be configured to highest protection.", - "desc": "Configuring the system to disable IPv6 source routing protects against\n spoofing.", + "title": "Early Launch Antimalware, Boot-Start Driver Initialization Policy must\n prevent boot drivers identified as bad.", + "desc": "Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. 
At a minimum, drivers determined to be bad must not be\n allowed.", "descriptions": { - "default": "Configuring the system to disable IPv6 source routing protects against\n spoofing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\\n\n Value Name: DisableIpSourceRouting\n\n Value Type: REG_DWORD\n Value: 2", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (DisableIPSourceRouting\n IPv6) IP source routing protection level (protects against packet spoofing)\"\n to \"Highest protection, source routing is completely disabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \"MSS-Legacy.admx\" and \"\n MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. 
At a minimum, drivers determined to be bad must not be\n allowed.", + "check": "The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy is to enforce \"Good, unknown and bad but\n critical\" (preventing \"bad\").\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"7\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 1, 3, or 8 (or if the Value Name does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes \"Bad\" and would be a finding)", + "fix": "The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy is to enforce \"Good, unknown and bad but\n critical\" (preventing \"bad\").\n\n If this needs to be corrected or a more secure setting is desired, configure\n the policy value for Computer Configuration >> Administrative Templates >>\n System >> Early Launch Antimalware >> \"Boot-Start Driver Initialization\n Policy\" to \"Not Configured\" or \"Enabled\" with any option other than\n \"All\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000020", - "gid": "V-63555", - "rid": "SV-78045r1_rule", - "stig_id": "WN10-CC-000020", - "fix_id": "F-69485r1_fix", + "gtitle": "WN10-CC-000085", + "gid": "V-63607", + "rid": "SV-78097r1_rule", + "stig_id": "WN10-CC-000085", + "fix_id": "F-69537r1_fix", "cci": [ "CCI-000366" ], 
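Review bot: The mitigation assertions in the new V-77239 code (`its(['OverrideDEP']) { should_not eq 'true' }` and the six Payload checks) compare against the string `'true'`, but as far as I can tell `ConvertTo-Json` serializes these [bool] properties as JSON booleans, so `json(...).params` yields Ruby `true`/`false` and `should_not eq 'true'` passes whatever the actual value is; `its(['OverrideDEP']) { should cmp false }` (InSpec's type-tolerant matcher) would make the check meaningful. The guard `if input('sensitive_system') == 'true' || nil` reduces to `== 'true'` since `|| nil` contributes nothing; either drop the `|| nil` or, if the intent was to treat an unset input as sensitive, express that explicitly. `ReleaseId < '1709'` is a string comparison, which holds for four-digit release IDs but deserves a comment saying so, e.g. `# ReleaseId is a 4-digit string, so lexical comparison is safe here`.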
@@ -8744,35 +8738,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63555' do\n title 'IPv6 source routing must be configured to highest protection.'\n desc \"Configuring the system to disable IPv6 source routing protects against\n spoofing.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000020'\n tag gid: 'V-63555'\n tag rid: 'SV-78045r1_rule'\n tag stig_id: 'WN10-CC-000020'\n tag fix_id: 'F-69485r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters\\\\\n\n Value Name: DisableIpSourceRouting\n\n Value Type: REG_DWORD\n Value: 2\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (DisableIPSourceRouting\n IPv6) IP source routing protection level (protects against packet spoofing)\\\"\n to \\\"Highest protection, source routing is completely disabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and \\\"\n MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2 }\n end\nend\n", + "code": "control 'V-63607' do\n title \"Early Launch Antimalware, Boot-Start Driver Initialization Policy must\n prevent boot drivers identified as bad.\"\n desc \"Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. At a minimum, drivers determined to be bad must not be\n allowed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000085'\n tag gid: 'V-63607'\n tag rid: 'SV-78097r1_rule'\n tag stig_id: 'WN10-CC-000085'\n tag fix_id: 'F-69537r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy is to enforce \\\"Good, unknown and bad but\n critical\\\" (preventing \\\"bad\\\").\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"7\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch\\\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 1, 3, or 8 (or if the Value Name 
does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes \\\"Bad\\\" and would be a finding)\"\n\n desc \"fix\", \"The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy is to enforce \\\"Good, unknown and bad but\n critical\\\" (preventing \\\"bad\\\").\n\n If this needs to be corrected or a more secure setting is desired, configure\n the policy value for Computer Configuration >> Administrative Templates >>\n System >> Early Launch Antimalware >> \\\"Boot-Start Driver Initialization\n Policy\\\" to \\\"Not Configured\\\" or \\\"Enabled\\\" with any option other than\n \\\"All\\\" selected.\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch') do\n it { should_not have_property 'DriverLoadPolicy' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch') do\n its('DriverLoadPolicy') { should_not be 7 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63555.rb", + "ref": "./Windows 10 STIG/controls/V-63607.rb", "line": 3 }, - "id": "V-63555" + "id": "V-63607" }, { - "title": "The Profile single process user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Profile single process\" user right can monitor\n non-system processes performance. An attacker could potentially use this to\n identify processes to attack.", + "title": "Only accounts responsible for the backup operations must be members of\n the Backup Operators group.", + "desc": "Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. 
Backup and restore rights permit\n users to circumvent the file access restrictions present on NTFS disk drives\n for backup and restore purposes. Members of the Backup Operators group must\n have separate logon accounts for performing backup duties.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Profile single process\" user right can monitor\n non-system processes performance. An attacker could potentially use this to\n identify processes to attack.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Profile\n single process\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Profile single process\" to only include the following groups or accounts:\n\n Administrators" + "default": "Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit\n users to circumvent the file access restrictions present on NTFS disk drives\n for backup and restore purposes. 
Members of the Backup Operators group must\n have separate logon accounts for performing backup duties.", + "check": "Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Review the members of the Backup Operators group.\n\n If the group contains no accounts, this is not a finding.\n\n If the group contains any accounts, the accounts must be specifically for\n backup functions.\n\n If the group contains any standard user accounts used for performing normal\n user tasks, this is a finding.", + "fix": "Create separate accounts for backup operations for users with this\n privilege." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000150", - "gid": "V-63935", - "rid": "SV-78425r1_rule", - "stig_id": "WN10-UR-000150", - "fix_id": "F-69863r1_fix", + "gtitle": "WN10-00-000075", + "gid": "V-63363", + "rid": "SV-77853r1_rule", + "stig_id": "WN10-00-000075", + "fix_id": "F-69283r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
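Review bot: The exported `"impact": 0` for V-63363 (the `+ "impact": 0,` line near the end of this hunk) sits next to `"severity": "medium"`, while the control's Ruby source later in the diff declares `impact 0.5`; the 0 looks like the runtime `impact 0.0` override captured when the baseline was exported from an evaluated run on a host where the control was NA, so consumers of this JSON would see a medium-severity control carrying no weight. The same mismatch appears for V-63359 in the first hunk of this chunk. Generating the baseline from the profile source rather than from an evaluated run, or documenting in the exporter that `impact` reflects runtime state, would keep severity and impact consistent. In the new V-63607 code, `its('DriverLoadPolicy') { should_not be 7 }` relies on RSpec's identity matcher; `its('DriverLoadPolicy') { should_not cmp 7 }` is the conventional InSpec form and tolerates the value coming back as a string.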
@@ -8786,30 +8780,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63935' do\n title \"The Profile single process user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Profile single process\\\" user right can monitor\n non-system processes performance. An attacker could potentially use this to\n identify processes to attack.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000150'\n tag gid: 'V-63935'\n tag rid: 'SV-78425r1_rule'\n tag stig_id: 'WN10-UR-000150'\n tag fix_id: 'F-69863r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Profile\n single process\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Profile single process\\\" to only include the following groups or accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeProfileSingleProcessPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63363' do\n title \"Only accounts responsible for the backup operations must be members of\n the Backup Operators group.\"\n desc \"Backup 
Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit\n users to circumvent the file access restrictions present on NTFS disk drives\n for backup and restore purposes. Members of the Backup Operators group must\n have separate logon accounts for performing backup duties.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000075'\n tag gid: 'V-63363'\n tag rid: 'SV-77853r1_rule'\n tag stig_id: 'WN10-00-000075'\n tag fix_id: 'F-69283r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Review the members of the Backup Operators group.\n\n If the group contains no accounts, this is not a finding.\n\n If the group contains any accounts, the accounts must be specifically for\n backup functions.\n\n If the group contains any standard user accounts used for performing normal\n user tasks, this is a finding.\"\n\n desc \"fix\", \"Create separate accounts for backup operations for users with this\n privilege.\"\n\n backup_operators = input('backup_operators')\n backup_operators_group = command(\"net localgroup Backup Operators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n\n backup_operators_group.each do |user|\n describe user.to_s do\n it { should be_in backup_operators }\n end\n end\n if backup_operators_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 
STIG/controls/V-63935.rb", + "ref": "./Windows 10 STIG/controls/V-63363.rb", "line": 3 }, - "id": "V-63935" + "id": "V-63363" }, { - "title": "If Enhanced diagnostic data is enabled it must be limited to the\n minimum required to support Windows Analytics.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \"Enhanced\" level for telemetry includes\n additional information beyond \"Security\" and \"Basic\" on how Windows and\n apps are used and advanced reliability data. Windows Analytics can use a\n \"limited enhanced\" level to provide information such as health data for\n devices.", + "title": "Windows 10 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.", + "desc": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Data Execution Prevention (DEP)\", are enabled by default at the system\n level. DEP prevents code from being run from data-only memory pages. If this is\n turned off, Windows 10 may be subject to various exploits.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \"Enhanced\" level for telemetry includes\n additional information beyond \"Security\" and \"Basic\" on how Windows and\n apps are used and advanced reliability data. 
Windows Analytics can use a\n \"limited enhanced\" level to provide information such as health data for\n devices.", - "check": "This setting requires v1709 or later of Windows 10; it is NA for\n prior versions.\n\n If \"Enhanced\" level is enabled for telemetry, this must be configured. If\n \"Security\" or \"Basic\" are configured, this is NA. (See V-63683).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\\n\n Value Name: LimitEnhancedDiagnosticDataWindowsAnalytics\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds >> \"Limit Enhanced diagnostic data to the minimum required by Windows\n Analytics\" to \"Enabled\" with \"Enable Windows Analytics collection\"\n selected in \"Options:\"." + "default": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Data Execution Prevention (DEP)\", are enabled by default at the system\n level. DEP prevents code from being run from data-only memory pages. If this is\n turned off, Windows 10 may be subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which\n meets this requirement. 
The PowerShell query results for this show as\n \"NOTSET\".\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -System\".\n\n If the status of \"DEP: Enable\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", + "fix": "Ensure Exploit Protection system-level mitigation, \"Data Execution\n Prevention (DEP)\", is turned on. The default configuration in Exploit\n Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n\n Select \"App & browser control\".\n\n Select \"Exploit protection settings\".\n\n Under \"System settings\", configure \"Data Execution Prevention (DEP)\" to\n \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn DEP on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000204", - "gid": "V-82145", - "rid": "SV-96859r1_rule", - "stig_id": "WN10-CC-000204", - "fix_id": "F-88997r2_fix", + "gtitle": "WN10-EP-000020", + "gid": "V-77091", + "rid": "SV-91787r3_rule", + "stig_id": "WN10-EP-000020", + "fix_id": "F-86717r3_fix", "cci": [ "CCI-000366" ], 
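Review bot: In the new V-63363 code, an empty stdout from the `net localgroup` command is taken to mean "the group has no members" and the control is marked not applicable, so any failure of the enumeration makes the control pass silently rather than fail: the group name is passed unquoted as `net localgroup Backup Operators`, which net.exe is unlikely to accept, and `Findstr /V 'Alias Name Comment Members - command'` treats each space-separated word as its own pattern, so a member whose name contains `-` (or `Name`) is dropped from the list and never checked. Quote the name and gate the empty-group branch on the command status, e.g. `bo_cmd = command("net localgroup \"Backup Operators\" | Format-List | Findstr /V /C:Alias /C:Name /C:Comment /C:Members /C:- /C:command")` and `describe bo_cmd do its('exit_status') { should eq 0 } end` before splitting `bo_cmd.stdout`. The skip message `'There are no users with administrative privileges'` describes a different control and should say that the Backup Operators group is empty. The JSON metadata in the preceding hunk now carries `"impact": 0` while this embedded code still says `impact 0.5` with `tag severity: 'medium'`, so the two copies of the control disagree.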
@@ -8828,35 +8822,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-82145' do\n title \"If Enhanced diagnostic data is enabled it must be limited to the\n minimum required to support Windows Analytics.\"\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \\\"Enhanced\\\" level for telemetry includes\n additional information beyond \\\"Security\\\" and \\\"Basic\\\" on how Windows and\n apps are used and advanced reliability data. Windows Analytics can use a\n \\\"limited enhanced\\\" level to provide information such as health data for\n devices.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000204'\n tag gid: 'V-82145'\n tag rid: 'SV-96859r1_rule'\n tag stig_id: 'WN10-CC-000204'\n tag fix_id: 'F-88997r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This setting requires v1709 or later of Windows 10; it is NA for\n prior versions.\n\n If \\\"Enhanced\\\" level is enabled for telemetry, this must be configured. If\n \\\"Security\\\" or \\\"Basic\\\" are configured, this is NA. 
(See V-63683).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection\\\\\n\n Value Name: LimitEnhancedDiagnosticDataWindowsAnalytics\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds >> \\\"Limit Enhanced diagnostic data to the minimum required by Windows\n Analytics\\\" to \\\"Enabled\\\" with \\\"Enable Windows Analytics collection\\\"\n selected in \\\"Options:\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1709'\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'LimitEnhancedDiagnosticDataWindowsAnalytics' }\n its('LimitEnhancedDiagnosticDataWindowsAnalytics') { should cmp 1 }\n end\n else\n impact 0.0\n describe 'This setting is applicable starting with v1709 or later of Windows 10; it is NA for prior versions' do\n skip 'This setting is applicable starting with v1709 or later of Windows 10; it is NA for prior versions.'\n end\n end\nend\n", + "code": "control 'V-77091' do\n title 'Windows 10 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.'\n desc \"Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \\\"Data Execution Prevention (DEP)\\\", are enabled by default at the system\n level. DEP prevents code from being run from data-only memory pages. 
If this is\n turned off, Windows 10 may be subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000020'\n tag gid: 'V-77091'\n tag rid: 'SV-91787r3_rule'\n tag stig_id: 'WN10-EP-000020'\n tag fix_id: 'F-86717r3_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which\n meets this requirement. The PowerShell query results for this show as\n \\\"NOTSET\\\".\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -System\\\".\n\n If the status of \\\"DEP: Enable\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n\n desc 'fix', \"Ensure Exploit Protection system-level mitigation, \\\"Data Execution\n Prevention (DEP)\\\", is turned on. The default configuration in Exploit\n Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n\n Select \\\"App & browser control\\\".\n\n Select \\\"Exploit protection settings\\\".\n\n Under \\\"System settings\\\", configure \\\"Data Execution Prevention (DEP)\\\" to\n \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. 
Adding the\n following to the XML file will explicitly turn DEP on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep_enable = json( command: 'Get-ProcessMitigation -System | Select DEP | ConvertTo-Json').params\n describe 'DEP is required to be enabled on System' do\n subject { dep_enable }\n its(['Enable']) { should_not eq '2' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-82145.rb", + "ref": "./Windows 10 STIG/controls/V-77091.rb", "line": 3 }, - "id": "V-82145" + "id": "V-77091" }, { - "title": "Unencrypted passwords must not be sent to third-party SMB Servers.", - "desc": "Some non-Microsoft SMB servers only support unencrypted (plain text)\n password authentication. Sending plain text passwords across the network, when\n authenticating to an SMB server, reduces the overall security of the\n environment. 
Check with the vendor of the SMB server to see if there is a way\n to support encrypted password authentication.", + "title": "The Deny log on as a service user right on Windows 10 domain-joined\n workstations must be configured to prevent access from highly privileged domain\n accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Deny log on as a service\" right defines accounts that are denied log\n on as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.", "descriptions": { - "default": "Some non-Microsoft SMB servers only support unencrypted (plain text)\n password authentication. Sending plain text passwords across the network, when\n authenticating to an SMB server, reduces the overall security of the\n environment. Check with the vendor of the SMB server to see if there is a way\n to support encrypted password authentication.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Microsoft network client: Send unencrypted password to third-party SMB\n servers\" to \"Disabled\"." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Deny log on as a service\" right defines accounts that are denied log\n on as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.",
+ "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny log on as a\n service\" right , this is a finding:\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group",
+ "fix": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log on\n as a service\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-SO-000110",
- "gid": "V-63711",
- "rid": "SV-78201r1_rule",
- "stig_id": "WN10-SO-000110",
- "fix_id": "F-69639r1_fix",
+ "gtitle": "WN10-UR-000080",
+ "gid": "V-63875",
+ "rid": "SV-78365r2_rule",
+ "stig_id": "WN10-UR-000080",
+ "fix_id": "F-100993r1_fix",
 "cci": [
- "CCI-000197"
+ "CCI-000213"
 ],
 "nist": [
- "IA-5 (1) (c)",
+ "AC-3",
 "Rev_4"
 ],
 "false_negatives": null, 
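Review bot: The DEP assertion in the new V-77091 code, `its(['Enable']) { should_not eq '2' }`, compares against the string `'2'`, but `ConvertTo-Json` emits the enum value as a number, so a numeric 2 never equals `'2'` and the test passes even when DEP is reported OFF. `Get-ProcessMitigation -System | Select DEP | ConvertTo-Json` also appears to nest the value under a `DEP` key, so `params['Enable']` at the top level is likely nil; InSpec's type-lenient matcher on the nested path, `its(['DEP', 'Enable']) { should_not cmp '2' }`, would check the intended value. The guard `if input('sensitive_system') == 'true' || nil` is equivalent to `== 'true'` because `nil` is falsy, so the `|| nil` looks like a leftover and should be dropped.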
@@ -8870,72 +8864,83 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63711' do\n title 'Unencrypted passwords must not be sent to third-party SMB Servers.'\n desc \"Some non-Microsoft SMB servers only support unencrypted (plain text)\n password authentication. Sending plain text passwords across the network, when\n authenticating to an SMB server, reduces the overall security of the\n environment. Check with the vendor of the SMB server to see if there is a way\n to support encrypted password authentication.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000110'\n tag gid: 'V-63711'\n tag rid: 'SV-78201r1_rule'\n tag stig_id: 'WN10-SO-000110'\n tag fix_id: 'F-69639r1_fix'\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Microsoft network client: Send unencrypted password to third-party SMB\n servers\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters') do\n it { should have_property 'EnablePlainTextPassword' }\n its('EnablePlainTextPassword') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63875' do\n title \"The Deny log on as a service user right 
on Windows 10 domain-joined\n workstations must be configured to prevent access from highly privileged domain\n accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Deny log on as a service\\\" right defines accounts that are denied log\n on as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000080'\n tag gid: 'V-63875'\n tag rid: 'SV-78365r2_rule'\n tag stig_id: 'WN10-UR-000080'\n tag fix_id: 'F-100993r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny log on as a\n service\\\" right , this is a finding:\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\"\n desc 'fix', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies 
>> User Rights Assignment >> \\\"Deny log on\n as a service\\\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This requirement is applicable to domain-joined systems, for standalone systems this is NA' do\n skip 'This requirement is applicable to domain-joined systems, for standalone systems this is NA'\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n\n describe security_policy do\n its('SeDenyServiceLogonRight') { should be_in [\"#{domain_admin_sid}\", \"#{enterprise_admin_sid}\"] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63711.rb", + "ref": "./Windows 10 STIG/controls/V-63875.rb", "line": 3 }, - "id": "V-63711" + "id": "V-63875" }, { - "title": "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change\nFailures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).", + "title": "The system must be configured to audit System - Other System Events\n successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).", - "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> MPSSVC Rule-Level Policy Change - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy\nChange\" with \"Failure\" selected." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> Other System Events - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit Other System Events\" with \"Success\"\n selected." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
- "severity": null,
- "gtitle": "WN10-AU-000580",
- "gid": "V-99549",
- "rid": "SV-108653r1_rule",
- "stig_id": "WN10-AU-000580",
- "fix_id": "F-105233r1_fix",
+ "severity": "medium",
+ "gtitle": "WN10-AU-000130",
+ "gid": "V-63499",
+ "rid": "SV-77989r2_rule",
+ "stig_id": "WN10-AU-000130",
+ "fix_id": "F-69429r2_fix",
 "cci": [
- "CCI-000130"
+ "CCI-000172"
 ],
 "nist": [
- "AU-3",
+ "AU-12 c",
 "Rev_4"
- ]
+ ],
+ "false_negatives": null,
+ "false_positives": null,
+ "documentable": false,
+ "mitigations": null,
+ "severity_override_guidance": false,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_controls": null,
+ "responsibility": null,
+ "ia_controls": null
 },
- "code": "control \"V-99549\" do\n title \"Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change\nFailures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000580\"\n tag gid: \"V-99549\"\n tag rid: \"SV-108653r1_rule\"\n tag stig_id: \"WN10-AU-000580\"\n tag fix_id: \"F-105233r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Policy Change >> MPSSVC Rule-Level Policy Change - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy\nChange\\\" with \\\"Failure\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('MPSSVC Rule-Level Policy Change') { should eq 'Failure' }\n end\n describe audit_policy do\n its('MPSSVC Rule-Level Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63499' do\n title \"The system must be configured to audit System - Other System Events\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000130'\n tag gid: 'V-63499'\n tag rid: 'SV-77989r2_rule'\n tag stig_id: 'WN10-AU-000130'\n tag fix_id: 'F-69429r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) 
to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> Other System Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit Other System Events\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99549.rb", + "ref": "./Windows 10 STIG/controls/V-63499.rb", "line": 3 }, - "id": "V-99549" + "id": "V-63499" }, { - "title": "The operating system must employ a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs.", - "desc": "Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. 
The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.", + "title": "The US DoD CCEB Interoperability Root CA cross-certificates must be\n installed in the Untrusted Certificates Store on unclassified systems.", + "desc": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", "descriptions": { - "default": "Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.", - "check": "This is applicable to unclassified systems; for other systems\n this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to\n allow the execution of authorized software programs. This must include packaged\n apps such as the universals apps installed by default on systems.\n\n If an application whitelisting program is not in use on the system, this is a\n finding.\n\n Configuration of whitelisting applications will vary by the program.\n\n AppLocker is a whitelisting application built into Windows 10 Enterprise. 
A\n deny-by-default implementation is initiated by enabling any AppLocker rules\n within a category, only allowing what is specified by defined rules.\n\n If AppLocker is used, perform the following to view the configuration of\n AppLocker:\n Run \"PowerShell\".\n\n Execute the following command, substituting [c:\\temp\\file.xml] with a\n location and file name appropriate for the system:\n Get-AppLockerPolicy -Effective -XML > c:\\temp\\file.xml\n\n This will produce an xml file with the effective settings that can be viewed in\n a browser or opened in a program such as Excel for review.\n\n Implementation guidance for AppLocker is available in the NSA paper\n \"Application Whitelisting using Microsoft AppLocker\" at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "fix": "Configure an application whitelisting program to employ a deny-all,\n permit-by-exception policy to allow the execution of authorized software\n programs.\n\n Configuration of whitelisting applications will vary by the program. AppLocker\n is a whitelisting application built into Windows 10 Enterprise.\n\n If AppLocker is used, it is configured through group policy in Computer\n Configuration >> Windows Settings >> Security Settings >> Application Control\n Policies >> AppLocker.\n\n Implementation guidance for AppLocker is available in the NSA paper\n \"Application Whitelisting using Microsoft AppLocker\" at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" + "default": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. 
This\n requirement only applies to unclassified systems.", + "check": "Verify the US DoD CCEB Interoperability Root CA cross-certificate\n is installed on unclassified systems as an Untrusted Certificate.\n\n Run \"PowerShell\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where Issuer -Like \"*CCEB\n Interoperability*\" | FL Subject, Issuer, Thumbprint, NotAfter\n\n If the following certificate \"Subject\", \"Issuer\", and \"Thumbprint\",\n information is not displayed, this is finding.\n\n If an expired certificate (\"NotAfter\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately use the Certificates MMC snap-in:\n\n Run \"MMC\".\n\n Select \"File\", \"Add/Remove Snap-in\".\n\n Select \"Certificates\", click \"Add\".\n\n Select \"Computer account\", click \"Next\".\n\n Select \"Local computer: (the computer this console is running on)\", click\n \"Finish\".\n\n Click \"OK\".\n\n Expand \"Certificates\" and navigate to \"Untrusted Certificates >>\n Certificates\".\n\n For each certificate with \"US DoD CCEB Interoperability Root CA …\" under\n \"Issued By\":\n\n Right-click on the certificate and select \"Open\".\n\n Select the \"Details\" tab.\n\n Scroll to the bottom and select \"Thumbprint\".\n\n If the certificate below is not listed or the value for the \"Thumbprint\"\n field is not as noted, this is a finding.\n\n If an expired certificate (\"Valid to\" date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019", + "fix": "Install the US DoD CCEB 
Interoperability Root CA cross-certificate\n on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 -\n 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n The certificates can be installed using the InstallRoot tool. The tool and user\n guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." }, "impact": 0.5, "refs": [ { - "ref": "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" + "ref": "http://iase.disa.mil/pki-pke/Pages/tools.aspx" } ], "tags": { "severity": "medium", - "gtitle": "WN10-00-000035", - "gid": "V-63345", - "rid": "SV-77835r3_rule", - "stig_id": "WN10-00-000035", - "fix_id": "F-69267r3_fix", + "gtitle": "WN10-PK-000020", + "gid": "V-63589", + "rid": "SV-78079r4_rule", + "stig_id": "WN10-PK-000020", + "fix_id": "F-98443r3_fix", "cci": [ - "CCI-001774" + "CCI-000185", + "CCI-002470" ], "nist": [ - "CM-7 (5) (b)", + "IA-5 (2) (a)", + "SC-23 (5)", "Rev_4" ], "false_negatives": null, 
@@ -8949,35 +8954,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63345' do\n title \"The operating system must employ a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs.\"\n desc \"Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000035'\n tag gid: 'V-63345'\n tag rid: 'SV-77835r3_rule'\n tag stig_id: 'WN10-00-000035'\n tag fix_id: 'F-69267r3_fix'\n tag cci: ['CCI-001774']\n tag nist: ['CM-7 (5) (b)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems; for other systems\n this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to\n allow the execution of authorized software programs. This must include packaged\n apps such as the universals apps installed by default on systems.\n\n If an application whitelisting program is not in use on the system, this is a\n finding.\n\n Configuration of whitelisting applications will vary by the program.\n\n AppLocker is a whitelisting application built into Windows 10 Enterprise. 
A\n deny-by-default implementation is initiated by enabling any AppLocker rules\n within a category, only allowing what is specified by defined rules.\n\n If AppLocker is used, perform the following to view the configuration of\n AppLocker:\n Run \\\"PowerShell\\\".\n\n Execute the following command, substituting [c:\\\\temp\\\\file.xml] with a\n location and file name appropriate for the system:\n Get-AppLockerPolicy -Effective -XML > c:\\\\temp\\\\file.xml\n\n This will produce an xml file with the effective settings that can be viewed in\n a browser or opened in a program such as Excel for review.\n\n Implementation guidance for AppLocker is available in the NSA paper\n \\\"Application Whitelisting using Microsoft AppLocker\\\" at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n\n desc 'fix', \"Configure an application whitelisting program to employ a deny-all,\n permit-by-exception policy to allow the execution of authorized software\n programs.\n\n Configuration of whitelisting applications will vary by the program. AppLocker\n is a whitelisting application built into Windows 10 Enterprise.\n\n If AppLocker is used, it is configured through group policy in Computer\n Configuration >> Windows Settings >> Security Settings >> Application Control\n Policies >> AppLocker.\n\n Implementation guidance for AppLocker is available in the NSA paper\n \\\"Application Whitelisting using Microsoft AppLocker\\\" at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n\n ref 'https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm'\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe 'A manual review is required to ensure the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs' do\n skip 'A manual review is required to ensure the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs'\n end\n end\nend\n", + "code": "control 'V-63589' do\n title \"The US DoD CCEB Interoperability Root CA cross-certificates must be\n installed in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-PK-000020'\n tag gid: 'V-63589'\n tag rid: 'SV-78079r4_rule'\n tag stig_id: 'WN10-PK-000020'\n tag fix_id: 'F-98443r3_fix'\n tag cci: %w[CCI-000185 CCI-002470]\n tag nist: ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the US DoD CCEB Interoperability Root CA cross-certificate\n is installed on unclassified systems as an Untrusted Certificate.\n\n Run \\\"PowerShell\\\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where Issuer -Like \\\"*CCEB\n Interoperability*\\\" | FL Subject, Issuer, Thumbprint, NotAfter\n\n If the following certificate \\\"Subject\\\", 
\\\"Issuer\\\", and \\\"Thumbprint\\\",\n information is not displayed, this is finding.\n\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately use the Certificates MMC snap-in:\n\n Run \\\"MMC\\\".\n\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n\n Select \\\"Certificates\\\", click \\\"Add\\\".\n\n Select \\\"Computer account\\\", click \\\"Next\\\".\n\n Select \\\"Local computer: (the computer this console is running on)\\\", click\n \\\"Finish\\\".\n\n Click \\\"OK\\\".\n\n Expand \\\"Certificates\\\" and navigate to \\\"Untrusted Certificates >>\n Certificates\\\".\n\n For each certificate with \\\"US DoD CCEB Interoperability Root CA …\\\" under\n \\\"Issued By\\\":\n\n Right-click on the certificate and select \\\"Open\\\".\n\n Select the \\\"Details\\\" tab.\n\n Scroll to the bottom and select \\\"Thumbprint\\\".\n\n If the certificate below is not listed or the value for the \\\"Thumbprint\\\"\n field is not as noted, this is a finding.\n\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019\"\n\n desc 'fix', \"Install the US DoD CCEB Interoperability Root CA cross-certificate\n on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 -\n 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n The certificates can be installed using the InstallRoot tool. 
The tool and user\n guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n ref 'http://iase.disa.mil/pki-pke/Pages/tools.aspx'\n\n dod_cceb_certificates = JSON.parse(input('dod_cceb_certificates').to_json)\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*DoD CCEB Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The DoD CCEB Interoperability CA cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_cceb_certificates }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63345.rb", + "ref": "./Windows 10 STIG/controls/V-63589.rb", "line": 3 }, - "id": "V-63345" + "id": "V-63589" }, { - "title": "Windows 10 must be configured to disable Windows Game Recording and Broadcasting.", - "desc": "Windows Game Recording and Broadcasting is intended for use with\n games, however it could potentially record screen shots of other applications\n and expose sensitive data. Disabling the feature will prevent this from\n occurring.", + "title": "The Windows 10 system must use an anti-virus program.", + "desc": "Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.", "descriptions": { - "default": "Windows Game Recording and Broadcasting is intended for use with\n games, however it could potentially record screen shots of other applications\n and expose sensitive data. 
Disabling the feature will prevent this from\n occurring.", - "check": "This is NA for Windows 10 LTSC\\B versions 1507 and 1607.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\GameDVR\\\n\n Value Name: AllowGameDVR\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Game Recording and\n Broadcasting >> \"Enables or disables Windows Game Recording and Broadcasting\"\n to \"Disabled\"." + "default": "Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.", + "check": "Verify an anti-virus solution is installed on the system. The\n anti-virus solution may be bundled with an approved host-based security\n solution.\n\n If there is no anti-virus solution installed on the system, this is a finding.", + "fix": "Install an anti-virus solution on the system." }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000252", - "gid": "V-74417", - "rid": "SV-89091r2_rule", - "stig_id": "WN10-CC-000252", - "fix_id": "F-80959r1_fix", + "severity": "high", + "gtitle": "WN10-00-000045", + "gid": "V-63351", + "rid": "SV-77841r4_rule", + "stig_id": "WN10-00-000045", + "fix_id": "F-83183r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
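Review bot: The new V-63589 check never implements the exception quoted in its own check text — `If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding` — so on a host where the 2019-09-27 cross-certificate has been removed after expiry the `json(...)` query gets no output and the describe fails (or errors while parsing), raising a finding the STIG says not to raise. The assertion direction is also inverted relative to the check text: `it { should be_in dod_cceb_certificates }` only proves that whatever is installed appears in the expected list, not that the required thumbprint is present, and because `ConvertTo-Json` emits a bare object for one match and an array for several, `query.params` changes shape with cardinality. Suggest normalizing and asserting presence, e.g. `subject { [query.params].flatten(1) }` plus `it { should_not be_empty }`, and skipping when every expected entry is past its `NotAfter`. The `"{0:dddd, MMMM dd, yyyy}" -f [datetime]$_.NotAfter` formatting is culture-dependent (localized day and month names), so matching the `dod_cceb_certificates` input strings presumably only holds on en-US hosts. The V-63589 object's earlier fields and the V-63351 object's remaining fields lie outside this hunk.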
@@ -8991,35 +8996,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74417' do\n title 'Windows 10 must be configured to disable Windows Game Recording and Broadcasting.'\n desc \"Windows Game Recording and Broadcasting is intended for use with\n games, however it could potentially record screen shots of other applications\n and expose sensitive data. Disabling the feature will prevent this from\n occurring.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000252'\n tag gid: 'V-74417'\n tag rid: 'SV-89091r2_rule'\n tag stig_id: 'WN10-CC-000252'\n tag fix_id: 'F-80959r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is NA for Windows 10 LTSC\\\\B versions 1507 and 1607.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\GameDVR\\\\\n\n Value Name: AllowGameDVR\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Game Recording and\n Broadcasting >> \\\"Enables or disables Windows Game Recording and Broadcasting\\\"\n to \\\"Disabled\\\".\"\n\n releaseID = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId.to_i\n\n if ( releaseID == 1607 || releaseID <= 1507 )\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1507 and 1607.' 
do\n skip 'This STIG does not apply to Prior Versions before 1507 and 1607.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\GameDVR') do\n it { should have_property 'AllowGameDVR' }\n its('AllowGameDVR') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-63351' do\n title 'The Windows 10 system must use an anti-virus program.'\n desc \"Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000045'\n tag gid: 'V-63351'\n tag rid: 'SV-77841r4_rule'\n tag stig_id: 'WN10-00-000045'\n tag fix_id: 'F-83183r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify an anti-virus solution is installed on the system. 
The\n anti-virus solution may be bundled with an approved host-based security\n solution.\n\n If there is no anti-virus solution installed on the system, this is a finding.\"\n\n desc 'fix', 'Install an anti-virus solution on the system.'\n\n anti_virus_product_name = <<-EOH\n #script came from: https://www.404techsupport.com/2015/04/27/powershell-script-detect-antivirus-product-and-status/\n\n $computername=$env:computername\n $AntiVirusProduct = Get-WmiObject -Namespace root\\\\SecurityCenter2 -Class AntiVirusProduct -ComputerName $computername\n\n #Switch to determine the status of antivirus definitions and real-time protection.\n #Write-Output $AntiVirusProduct.productState\n switch ($AntiVirusProduct.productState) {\n \"262144\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"262160\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"266240\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"266256\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"393216\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"393232\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"393488\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"397312\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"397328\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397584\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397568\" {$defstatus = \"Up to date\"; $rtstatus = \"Enabled\"}\n \"393472\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n default {$defstatus = \"Unknown\" ;$rtstatus = \"Unknown\"}\n }\n\n Write-Output $AntiVirusProduct.displayName\n EOH\n\n anti_virus_def_status = <<-EOH\n #script came from: https://www.404techsupport.com/2015/04/27/powershell-script-detect-antivirus-product-and-status/\n\n $computername=$env:computername\n $AntiVirusProduct = Get-WmiObject -Namespace root\\\\SecurityCenter2 -Class AntiVirusProduct -ComputerName $computername\n\n 
#Switch to determine the status of antivirus definitions and real-time protection.\n #Write-Output $AntiVirusProduct.productState\n switch ($AntiVirusProduct.productState) {\n \"262144\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"262160\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"266240\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"266256\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"393216\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"393232\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"393488\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"397312\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"397328\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397584\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397568\" {$defstatus = \"Up to date\"; $rtstatus = \"Enabled\"}\n \"393472\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n default {$defstatus = \"Unknown\" ;$rtstatus = \"Unknown\"}\n }\n\n Write-Output $defstatus\n EOH\n\n anti_virus_status = <<-EOH\n #script came from: https://www.404techsupport.com/2015/04/27/powershell-script-detect-antivirus-product-and-status/\n\n $computername=$env:computername\n $AntiVirusProduct = Get-WmiObject -Namespace root\\\\SecurityCenter2 -Class AntiVirusProduct -ComputerName $computername\n\n #Switch to determine the status of antivirus definitions and real-time protection.\n #Write-Output $AntiVirusProduct.productState\n switch ($AntiVirusProduct.productState) {\n \"262144\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"262160\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"266240\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"266256\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"393216\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n \"393232\" {$defstatus = \"Out of date\" ;$rtstatus = 
\"Disabled\"}\n \"393488\" {$defstatus = \"Out of date\" ;$rtstatus = \"Disabled\"}\n \"397312\" {$defstatus = \"Up to date\" ;$rtstatus = \"Enabled\"}\n \"397328\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397584\" {$defstatus = \"Out of date\" ;$rtstatus = \"Enabled\"}\n \"397568\" {$defstatus = \"Up to date\"; $rtstatus = \"Enabled\"}\n \"393472\" {$defstatus = \"Up to date\" ;$rtstatus = \"Disabled\"}\n default {$defstatus = \"Unknown\" ;$rtstatus = \"Unknown\"}\n }\n\n Write-Output $rtstatus\n EOH\n\n check_product = powershell(anti_virus_product_name).stdout.strip.split(\"\\n\").map(&:strip)\n\n describe \"The installed anti-virus: #{check_product} is on the Approved Sofware List\" do\n subject { check_product }\n it { should be_in input('av_approved_software') }\n end\n describe 'The anti-virus software is enabled on the system' do\n subject { powershell(anti_virus_status).strip }\n it { should cmp 'Enabled' }\n end\n describe 'The anti-virus signature definitions are up to date' do\n subject { powershell(anti_virus_def_status).strip }\n it { should cmp 'Up to date' }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74417.rb", + "ref": "./Windows 10 STIG/controls/V-63351.rb", "line": 3 }, - "id": "V-74417" + "id": "V-63351" }, { - "title": "Users must not be allowed to ignore Windows Defender SmartScreen\n filter warnings for malicious websites in Microsoft Edge.", - "desc": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still access malicious websites.", + "title": "Passwords must, at a minimum, be 14 characters.", + "desc": "Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the 
system and compromising the\n device, information, or the local network.", "descriptions": { - "default": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still access malicious websites.", - "check": "This is applicable to unclassified systems, for other systems\n this is NA.\n\n Windows 10 LTSC\\B versions do not include Microsoft Edge, this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter\\\n\n Value Name: PreventOverride\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \"Prevent\n bypassing Windows Defender SmartScreen prompts for sites\" to \"Enabled\".\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Microsoft Edge." 
+ "default": "Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \"Minimum password length,\" is less than 14\n characters, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Minimum password length\" to 14 characters." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000230", - "gid": "V-63699", - "rid": "SV-78189r6_rule", - "stig_id": "WN10-CC-000230", - "fix_id": "F-98463r1_fix", + "gtitle": "WN10-AC-000035", + "gid": "V-63423", + "rid": "SV-77913r1_rule", + "stig_id": "WN10-AC-000035", + "fix_id": "F-69351r1_fix", "cci": [ - "CCI-000366" + "CCI-000205" ], "nist": [ - "CM-6 b", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
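Review bot: Two of the three new describes in V-63351 call `.strip` on the `powershell(...)` resource itself (`subject { powershell(anti_virus_status).strip }` and `subject { powershell(anti_virus_def_status).strip }`) while the first correctly goes through `.stdout.strip`; unless the resource forwards unknown methods to stdout, those two raise NoMethodError and the enabled/up-to-date checks error out instead of evaluating, so they should read `powershell(anti_virus_status).stdout.strip` and `powershell(anti_virus_def_status).stdout.strip`. With no registered product `check_product` becomes `[]`, and if `be_in` treats an empty array as trivially contained the "Approved Software List" test passes on exactly the machine this high-severity control exists to flag — an explicit `it { should_not be_empty }` before the `be_in` would close that. The `switch ($AntiVirusProduct.productState)` also iterates when several products are registered (e.g. Defender alongside a third-party engine), leaving `$defstatus`/`$rtstatus` reflecting only the last one. Style: the same ~30-line PowerShell script is pasted three times with only the final `Write-Output` differing; one script emitting `displayName`, `$defstatus` and `$rtstatus` as JSON would remove the drift risk. The V-63423 object begun at the end of this hunk continues in the next.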
@@ -9033,37 +9038,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63699' do\n title \"Users must not be allowed to ignore Windows Defender SmartScreen\n filter warnings for malicious websites in Microsoft Edge.\"\n desc \"The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still access malicious websites.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000230'\n tag gid: 'V-63699'\n tag rid: 'SV-78189r6_rule'\n tag stig_id: 'WN10-CC-000230'\n tag fix_id: 'F-98463r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems, for other systems\n this is NA.\n\n Windows 10 LTSC\\\\B versions do not include Microsoft Edge, this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\PhishingFilter\\\\\n\n Value Name: PreventOverride\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \\\"Prevent\n bypassing Windows Defender SmartScreen prompts for sites\\\" to \\\"Enabled\\\".\n\n Windows 10 includes duplicate policies for this setting. 
It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Microsoft Edge.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter') do\n it { should have_property 'PreventOverride' }\n its('PreventOverride') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63423' do\n title 'Passwords must, at a minimum, be 14 characters.'\n desc \"Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000035'\n tag gid: 'V-63423'\n tag rid: 'SV-77913r1_rule'\n tag stig_id: 'WN10-AC-000035'\n tag fix_id: 'F-69351r1_fix'\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \\\"Minimum password length,\\\" is less than #{input('min_pass_len')}\n characters, this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies 
>> Password Policy >>\n \\\"Minimum password length\\\" to #{input('min_pass_len')} characters.\"\n\n describe security_policy do\n its('MinimumPasswordLength') { should be >= input('min_pass_len') }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63699.rb", + "ref": "./Windows 10 STIG/controls/V-63423.rb", "line": 3 }, - "id": "V-63699" + "id": "V-63423" }, { - "title": "Remote Desktop Services must be configured with the client connection\n encryption set to the required level.", - "desc": "Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting \"High Level\" will ensure encryption of\n Remote Desktop Services sessions in both directions.", + "title": "Anonymous access to Named Pipes and Shares must be restricted.", + "desc": "Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in \"Network access: Named Pipes that can be accessed\n anonymously\" and \"Network access: Shares that can be accessed anonymously\",\n both of which must be blank under other requirements.", "descriptions": { - "default": "Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting \"High Level\" will ensure encryption of\n Remote Desktop Services sessions in both directions.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: MinEncryptionLevel\n\n Value Type: REG_DWORD\n Value: 3", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> \"Set client connection encryption\n level\" to \"Enabled\" and \"High Level\"." 
+ "default": "Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in \"Network access: Named Pipes that can be accessed\n anonymously\" and \"Network access: Shares that can be accessed anonymously\",\n both of which must be blank under other requirements.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Restrict anonymous access to Named Pipes and Shares\" to\n \"Enabled\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000290", - "gid": "V-63741", - "rid": "SV-78231r1_rule", - "stig_id": "WN10-CC-000290", - "fix_id": "F-69669r1_fix", + "severity": "high", + "gtitle": "WN10-SO-000165", + "gid": "V-63759", + "rid": "SV-78249r1_rule", + "stig_id": "WN10-SO-000165", + "fix_id": "F-69687r1_fix", "cci": [ - "CCI-000068", - "CCI-002890" + "CCI-001090" ], "nist": [ - "AC-17 (2)", - "MA-4 (6)", + "SC-4", "Rev_4" ], "false_negatives": null, 
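Review bot: The new V-63423 test `its('MinimumPasswordLength') { should be >= input('min_pass_len') }` lets a profile input relax the STIG requirement: a run with `min_pass_len` set below 14 passes while WN10-AC-000035 is violated, and the rendered `descriptions.check` in the preceding hunk still states 14 characters, so the JSON and the Ruby disagree. Because `#{input('min_pass_len')}` in `desc "check"` is evaluated when the control loads, an undeclared or string-valued input (for example from a CLI `--input`) is also likely to produce a nil or `ArgumentError` comparison rather than a clean failure — how the profile declares this input is not visible here, so treat that as something to confirm. Floor and coerce it: `min_len = [input('min_pass_len').to_i, 14].max # STIG minimum; an input may raise it but never lower it` followed by `its('MinimumPasswordLength') { should be >= min_len }`. This `code` string mirrors `./Windows 10 STIG/controls/V-63423.rb`, so the edit belongs there with the baseline regenerated afterwards.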
@@ -9077,35 +9080,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63741' do\n title \"Remote Desktop Services must be configured with the client connection\n encryption set to the required level.\"\n desc \"Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting \\\"High Level\\\" will ensure encryption of\n Remote Desktop Services sessions in both directions.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000290'\n tag gid: 'V-63741'\n tag rid: 'SV-78231r1_rule'\n tag stig_id: 'WN10-CC-000290'\n tag fix_id: 'F-69669r1_fix'\n tag cci: %w[CCI-000068 CCI-002890]\n tag nist: ['AC-17 (2)', 'MA-4 (6)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: MinEncryptionLevel\n\n Value Type: REG_DWORD\n Value: 3\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> \\\"Set client connection encryption\n level\\\" to \\\"Enabled\\\" and \\\"High Level\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'MinEncryptionLevel' }\n its('MinEncryptionLevel') { should cmp 3 }\n end\nend\n", + "code": "control 'V-63759' do\n title 'Anonymous access to Named Pipes and Shares must be restricted.'\n desc \"Allowing anonymous access to named pipes or shares 
provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in \\\"Network access: Named Pipes that can be accessed\n anonymously\\\" and \\\"Network access: Shares that can be accessed anonymously\\\",\n both of which must be blank under other requirements.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000165'\n tag gid: 'V-63759'\n tag rid: 'SV-78249r1_rule'\n tag stig_id: 'WN10-SO-000165'\n tag fix_id: 'F-69687r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Restrict anonymous access to Named Pipes and Shares\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters') do\n it { should have_property 'RestrictNullSessAccess' }\n its('RestrictNullSessAccess') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63741.rb", + "ref": "./Windows 10 STIG/controls/V-63759.rb", "line": 3 }, - "id": "V-63741" + "id": "V-63759" }, { - "title": "The built-in administrator account must be renamed.", - "desc": "The built-in administrator account is a well-known account subject to\n attack. 
Renaming this account to an unidentified name improves the protection\n of this account and the system.", + "title": "The display of slide shows on the lock screen must be disabled.", + "desc": "Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. Turning off this feature will\n limit access to the information to a logged on user.", "descriptions": { - "default": "The built-in administrator account is a well-known account subject to\n attack. Renaming this account to an unidentified name improves the protection\n of this account and the system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Rename administrator account\" is set to\n \"Administrator\", this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Rename administrator account\" to a name other than\n \"Administrator\"." + "default": "Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. Turning off this feature will\n limit access to the information to a logged on user.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> \"Prevent\n enabling lock screen slide show\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000020", - "gid": "V-63619", - "rid": "SV-78109r1_rule", - "stig_id": "WN10-SO-000020", - "fix_id": "F-69551r1_fix", + "gtitle": "WN10-CC-000010", + "gid": "V-63549", + "rid": "SV-78039r1_rule", + "stig_id": "WN10-CC-000010", + "fix_id": "F-69479r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
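Review bot: The new V-63759 control mixes array literal styles for its tags, `tag cci: ['CCI-001090']` next to `tag nist: %w[SC-4 Rev_4]`, while the other controls added in this diff (V-63423, V-63549) write both tags as bracketed arrays. One form per file reads better and `%w` cannot express elements containing spaces such as `'CM-7 a'`, so `tag nist: ['SC-4', 'Rev_4']` is the safer convention to standardise on. The change belongs in `./Windows 10 STIG/controls/V-63759.rb`, which this `code` string mirrors.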
@@ -9119,35 +9122,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63619' do\n title 'The built-in administrator account must be renamed.'\n desc \"The built-in administrator account is a well-known account subject to\n attack. Renaming this account to an unidentified name improves the protection\n of this account and the system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000020'\n tag gid: 'V-63619'\n tag rid: 'SV-78109r1_rule'\n tag stig_id: 'WN10-SO-000020'\n tag fix_id: 'F-69551r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Rename administrator account\\\" is set to\n \\\"Administrator\\\", this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Rename administrator account\\\" to a name other than\n \\\"Administrator\\\".\"\n\n describe user('Administrator') do\n it { should_not exist }\n end\nend\n", + "code": "control 'V-63549' do\n title 'The display of slide shows on the lock screen must be disabled.'\n desc \"Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. 
Turning off this feature will\n limit access to the information to a logged on user.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000010'\n tag gid: 'V-63549'\n tag rid: 'SV-78039r1_rule'\n tag stig_id: 'WN10-CC-000010'\n tag fix_id: 'F-69479r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization\\\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 1\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> \\\"Prevent\n enabling lock screen slide show\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization') do\n it { should have_property 'NoLockScreenSlideshow' }\n its('NoLockScreenSlideshow') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63619.rb", + "ref": "./Windows 10 STIG/controls/V-63549.rb", "line": 3 }, - "id": "V-63619" + "id": "V-63549" }, { - "title": "The Create symbolic links user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create symbolic links\" user right can create pointers\n to other objects, which could potentially expose the system to attack.", + "title": "The Windows Remote Management (WinRM) service must not 
store RunAs\n credentials.", + "desc": "Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management\n will prevent them from being used with plug-ins.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Create symbolic links\" user right can create pointers\n to other objects, which could potentially expose the system to attack.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Create\n symbolic links\" user right, this is a finding:\n\n Administrators\n\n If the workstation has an approved use of Hyper-V, such as being used as a\n dedicated admin workstation using Hyper-V to separate administration and\n standard user functions, \"NT VIRTUAL MACHINES\\VIRTUAL MACHINE\" may be\n assigned this user right and is not a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Create symbolic links\" to only include the following groups or accounts:\n\n Administrators" + "default": "Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management\n will prevent them from being used with plug-ins.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n Value Name: DisableRunAs\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the 
policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \"Disallow WinRM from storing RunAs credentials\"\n to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000060", - "gid": "V-63865", - "rid": "SV-78355r2_rule", - "stig_id": "WN10-UR-000060", - "fix_id": "F-69793r1_fix", + "gtitle": "WN10-CC-000355", + "gid": "V-63375", + "rid": "SV-77865r1_rule", + "stig_id": "WN10-CC-000355", + "fix_id": "F-69293r1_fix", "cci": [ - "CCI-002235" + "CCI-002038" ], "nist": [ - "AC-6 (10)", + "IA-11", "Rev_4" ], "false_negatives": null, 
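Review bot: The new V-63549 `code` string contains a whitespace-only line between the check and fix descriptions (`\"Value: 1\"\n \n desc \"fix\"`), a trailing-space line that a Ruby linter will flag in the underlying `V-63549.rb`. Separately, the V-63375 `check` text added below drops the blank lines between `this is a finding:` and `Registry Hive:` that every other registry check in this diff keeps, so the rendered finding reads as one run-on paragraph. Restore the `\n\n` separators to match V-63549's check and strip the stray space in the control source before regenerating the baseline.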
@@ -9161,30 +9164,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63865' do\n title \"The Create symbolic links user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Create symbolic links\\\" user right can create pointers\n to other objects, which could potentially expose the system to attack.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000060'\n tag gid: 'V-63865'\n tag rid: 'SV-78355r2_rule'\n tag stig_id: 'WN10-UR-000060'\n tag fix_id: 'F-69793r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Create\n symbolic links\\\" user right, this is a finding:\n\n Administrators\n\n If the workstation has an approved use of Hyper-V, such as being used as a\n dedicated admin workstation using Hyper-V to separate administration and\n standard user functions, \\\"NT VIRTUAL MACHINES\\\\VIRTUAL MACHINE\\\" may be\n assigned this user right and is not a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Create symbolic links\\\" to only include the following groups or accounts:\n\n Administrators\"\n\n describe security_policy 
do\n its('SeCreateSymbolicLinkPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63375' do\n title \"The Windows Remote Management (WinRM) service must not store RunAs\n credentials.\"\n desc \"Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management\n will prevent them from being used with plug-ins.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000355'\n tag gid: 'V-63375'\n tag rid: 'SV-77865r1_rule'\n tag stig_id: 'WN10-CC-000355'\n tag fix_id: 'F-69293r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n Value Name: DisableRunAs\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> \\\"Disallow WinRM from storing RunAs credentials\\\"\n to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service') do\n it { should have_property 'DisableRunAs' }\n its('DisableRunAs') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63865.rb", + "ref": "./Windows 10 STIG/controls/V-63375.rb", "line": 3 }, - "id": "V-63865" + "id": "V-63375" }, { - "title": "Anonymous SID/Name translation must not be allowed.", - "desc": "Allowing anonymous 
SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.", + "title": "The LanMan authentication level must be set to send NTLMv2 response\n only, and to refuse LM and NTLM.", + "desc": "The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n stand-alone computers that are running later versions.", "descriptions": { - "default": "Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Network access: Allow anonymous SID/Name translation\" is\n not set to \"Disabled\", this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Allow anonymous SID/Name translation\" to \"Disabled\"." + "default": "The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. 
It is also used to authenticate logons to\n stand-alone computers that are running later versions.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 5", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: LAN Manager authentication level\" to \"Send NTLMv2\n response only. Refuse LM & NTLM\"." }, "impact": 0.7, "refs": [], "tags": { "severity": "high", - "gtitle": "WN10-SO-000140", - "gid": "V-63739", - "rid": "SV-78229r1_rule", - "stig_id": "WN10-SO-000140", - "fix_id": "F-69667r1_fix", + "gtitle": "WN10-SO-000205", + "gid": "V-63801", + "rid": "SV-78291r1_rule", + "stig_id": "WN10-SO-000205", + "fix_id": "F-69729r1_fix", "cci": [ "CCI-000366" ], 
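Review bot: The V-63375 test fails when the `WinRM\Service` policy key or its `DisableRunAs` value is absent, which is the intended STIG reading ("does not exist ... this is a finding") but is not obvious from the Ruby alone, since an absent policy value normally means Not Configured rather than a hardened setting. A why-comment above the `describe registry_key(...)` would make the intent explicit: `# Absent key/value = policy Not Configured = finding per WN10-CC-000355; never default to pass.` The same reading applies to the V-63801 check whose description starts in this hunk: its `Value: 5` requirement is only tied to "Send NTLMv2 response only. Refuse LM & NTLM" in the fix text, so a reader of the code sees a bare magic number. Make the edits in `./Windows 10 STIG/controls/V-63375.rb` and `V-63801.rb`, which these `code` fields mirror.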
@@ -9203,37 +9206,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63739' do\n title 'Anonymous SID/Name translation must not be allowed.'\n desc \"Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000140'\n tag gid: 'V-63739'\n tag rid: 'SV-78229r1_rule'\n tag stig_id: 'WN10-SO-000140'\n tag fix_id: 'F-69667r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Network access: Allow anonymous SID/Name translation\\\" is\n not set to \\\"Disabled\\\", this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Allow anonymous SID/Name translation\\\" to \\\"Disabled\\\".\"\n\n describe security_policy do\n its('LSAAnonymousNameLookup') { should eq 0 }\n end\nend\n", + "code": "control 'V-63801' do\n title \"The LanMan authentication level must be set to send NTLMv2 response\n only, and to refuse LM and NTLM.\"\n desc \"The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. 
NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n stand-alone computers that are running later versions.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000205'\n tag gid: 'V-63801'\n tag rid: 'SV-78291r1_rule'\n tag stig_id: 'WN10-SO-000205'\n tag fix_id: 'F-69729r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 5\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: LAN Manager authentication level\\\" to \\\"Send NTLMv2\n response only. 
Refuse LM & NTLM\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'LmCompatibilityLevel' }\n its('LmCompatibilityLevel') { should cmp 5 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63739.rb", + "ref": "./Windows 10 STIG/controls/V-63801.rb", "line": 3 }, - "id": "V-63739" + "id": "V-63801" }, { - "title": "Outgoing secure channel traffic must be signed when possible.", - "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. If this policy is enabled, outgoing secure channel traffic will be\n signed.", + "title": "The TFTP Client must not be installed on the system.", + "desc": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", "descriptions": { - "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. If this policy is enabled, outgoing secure channel traffic will be\n signed.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Digitally sign secure channel data (when possible)\" to \"Enabled\"." + "default": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", + "check": "The \"TFTP Client\" is not installed by default. 
Verify it has\n not been installed.\n\n Navigate to the Windows\\System32 directory.\n\n If the \"TFTP\" application exists, this is a finding.", + "fix": "Uninstall \"TFTP Client\" from the system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows Features on or off\".\n\n De-select \"TFTP Client\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000045", - "gid": "V-63647", - "rid": "SV-78137r1_rule", - "stig_id": "WN10-SO-000045", - "fix_id": "F-69577r1_fix", + "gtitle": "WN10-00-000120", + "gid": "V-63389", + "rid": "SV-77879r1_rule", + "stig_id": "WN10-00-000120", + "fix_id": "F-69313r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000382" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
@@ -9247,35 +9248,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63647' do\n title 'Outgoing secure channel traffic must be signed when possible.'\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. If this policy is enabled, outgoing secure channel traffic will be\n signed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000045'\n tag gid: 'V-63647'\n tag rid: 'SV-78137r1_rule'\n tag stig_id: 'WN10-SO-000045'\n tag fix_id: 'F-69577r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Digitally sign secure channel data (when possible)\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'SignSecureChannel' }\n its('SignSecureChannel') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63389' do\n title 'The TFTP Client must not be installed on the system.'\n desc \"Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.\"\n impact 
0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000120'\n tag gid: 'V-63389'\n tag rid: 'SV-77879r1_rule'\n tag stig_id: 'WN10-00-000120'\n tag fix_id: 'F-69313r1_fix'\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The \\\"TFTP Client\\\" is not installed by default. Verify it has\n not been installed.\n\n Navigate to the Windows\\\\System32 directory.\n\n If the \\\"TFTP\\\" application exists, this is a finding.\"\n\n desc \"fix\", \"Uninstall \\\"TFTP Client\\\" from the system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows Features on or off\\\".\n\n De-select \\\"TFTP Client\\\".\"\n\n describe windows_feature('TFTP Client') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63647.rb", + "ref": "./Windows 10 STIG/controls/V-63389.rb", "line": 3 }, - "id": "V-63647" + "id": "V-63389" }, { - "title": "The password history must be configured to 24 passwords remembered.", - "desc": "A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change a\n password to a unique password on a regularly scheduled basis. This enables\n users to effectively negate the purpose of mandating periodic password changes.\n The default value is 24 for Windows domain systems. 
DoD has decided this is\n the appropriate value for all Windows systems.", + "title": "The Perform volume maintenance tasks user right must only be assigned\n to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Perform volume maintenance tasks\" user right can\n manage volume and disk configurations. They could potentially delete volumes,\n resulting in, data loss or a DoS.", "descriptions": { - "default": "A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change a\n password to a unique password on a regularly scheduled basis. This enables\n users to effectively negate the purpose of mandating periodic password changes.\n The default value is 24 for Windows domain systems. DoD has decided this is\n the appropriate value for all Windows systems.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \"Enforce password history\" is less than 24 passwords\n remembered, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Enforce password history\" to 24 passwords remembered." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Perform volume maintenance tasks\" user right can\n manage volume and disk configurations. 
They could potentially delete volumes,\n resulting in, data loss or a DoS.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Perform\n volume maintenance tasks\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Perform volume maintenance tasks\" to only include the following groups or\n accounts:\n\n Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AC-000020", - "gid": "V-63415", - "rid": "SV-77905r2_rule", - "stig_id": "WN10-AC-000020", - "fix_id": "F-69343r1_fix", + "gtitle": "WN10-UR-000145", + "gid": "V-63933", + "rid": "SV-78423r1_rule", + "stig_id": "WN10-UR-000145", + "fix_id": "F-69861r1_fix", "cci": [ - "CCI-000200" + "CCI-002235" ], "nist": [ - "IA-5 (1) (e)", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
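Review bot: The new V-63389 test only asserts `windows_feature('TFTP Client')` is not installed, while the check text placed next to it says a finding is a TFTP binary present in Windows\System32, so a TFTP.exe dropped on disk outside the optional-feature mechanism passes the automated check. Adding `describe file('C:\Windows\System32\TFTP.EXE') do it { should_not exist } end` beside the feature check would make the code match the written procedure. It is also worth confirming that the name passed to windows_feature resolves under the resource's default DISM lookup, where the feature is registered as "TFTP" rather than the display name "TFTP Client"; if it does not resolve, the resource can report "not installed" regardless of state.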
@@ -9289,35 +9290,39 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63415' do\n title 'The password history must be configured to 24 passwords remembered.'\n desc \"A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change a\n password to a unique password on a regularly scheduled basis. This enables\n users to effectively negate the purpose of mandating periodic password changes.\n The default value is 24 for Windows domain systems. DoD has decided this is\n the appropriate value for all Windows systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000020'\n tag gid: 'V-63415'\n tag rid: 'SV-77905r2_rule'\n tag stig_id: 'WN10-AC-000020'\n tag fix_id: 'F-69343r1_fix'\n tag cci: ['CCI-000200']\n tag nist: ['IA-5 (1) (e)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for \\\"Enforce password history\\\" is less than #{input('pass_hist_size')} passwords\n remembered, this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Enforce password history\\\" to #{input('pass_hist_size')} passwords remembered.\"\n\n describe security_policy do\n its('PasswordHistorySize') { should be >= input('pass_hist_size') }\n end\nend\n", + "code": "control 'V-63933' do\n title \"The Perform volume maintenance tasks user right 
must only be assigned\n to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Perform volume maintenance tasks\\\" user right can\n manage volume and disk configurations. They could potentially delete volumes,\n resulting in, data loss or a DoS.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000145'\n tag gid: 'V-63933'\n tag rid: 'SV-78423r1_rule'\n tag stig_id: 'WN10-UR-000145'\n tag fix_id: 'F-69861r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Perform\n volume maintenance tasks\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Perform volume maintenance tasks\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeManageVolumePrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63415.rb", + "ref": "./Windows 10 STIG/controls/V-63933.rb", "line": 3 }, - "id": "V-63415" + "id": "V-63933" }, { - "title": "The Access Credential Manager as a trusted caller user right must not\n be assigned to any groups or 
accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Access Credential Manager as a trusted caller\" user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.", + "title": "Windows 10 systems must use a BitLocker PIN with a minimum length of 6\n digits for pre-boot authentication.", + "desc": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.\n Increasing the pin length requires a greater number of guesses for an attacker.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Access Credential Manager as a trusted caller\" user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Access Credential Manager as a\n trusted caller\" user right, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Access Credential Manager as a trusted caller\" to be defined but containing\n no entries (blank)." + "default": "If data at rest is unencrypted, it is vulnerable to disclosure. 
Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.\n Increasing the pin length requires a greater number of guesses for an attacker.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Value Name: MinimumPIN\n Type: REG_DWORD\n Value: 0x00000006 (6) or greater", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> BitLocker Drive Encryption >>\n Operating System Drives \"Configure minimum PIN length for startup\" to\n \"Enabled\" with \"Minimum characters:\" set to 6 or greater." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000005", - "gid": "V-63843", - "rid": "SV-78333r1_rule", - "stig_id": "WN10-UR-000005", - "fix_id": "F-69771r1_fix", + "gtitle": "WN10-00-000032", + "gid": "V-94861", + "rid": "SV-104691r1_rule", + "stig_id": "WN10-00-000032", + "fix_id": "F-100985r1_fix", "cci": [ - "CCI-002235" + "CCI-001199", + "CCI-002475", + "CCI-002476" ], "nist": [ - "AC-6 (10)", + "SC-28", + "SC-28 (1)", + "SC-28 (1)", "Rev_4" ], "false_negatives": null, 
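Review bot: The V-63933 assertion `its('SeManageVolumePrivilege') { should eq ['S-1-5-32-544'] }` reports a failure when the right is assigned to nobody, which the STIG check text treats as compliant (only principals other than Administrators are a finding), and it would also fail if the SID order ever differed. A containment check such as `its('SeManageVolumePrivilege') { should be_in ['S-1-5-32-544'] }` expresses "no one but Administrators" without that false positive, assuming the profile's InSpec version accepts an array subject for be_in (the removed V-63875 code in this same file relies on that). Separately, the V-94861 nist tag list carries `SC-28 (1)` twice; one entry is redundant.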
@@ -9331,35 +9336,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63843' do\n title \"The Access Credential Manager as a trusted caller user right must not\n be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Access Credential Manager as a trusted caller\\\" user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000005'\n tag gid: 'V-63843'\n tag rid: 'SV-78333r1_rule'\n tag stig_id: 'WN10-UR-000005'\n tag fix_id: 'F-69771r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Access Credential Manager as a\n trusted caller\\\" user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Access Credential Manager as a trusted caller\\\" to be defined but containing\n no entries (blank).\"\n\n describe security_policy do\n its('SeTrustedCredManAccessPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-94861' do\n title \"Windows 10 systems must use a BitLocker PIN with a minimum length of #{input('bitlocker_pin_len')}\n digits for pre-boot authentication.\"\n 
desc \"If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.\n Increasing the pin length requires a greater number of guesses for an attacker.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000032'\n tag gid: 'V-94861'\n tag rid: 'SV-104691r1_rule'\n tag stig_id: 'WN10-00-000032'\n tag fix_id: 'F-100985r1_fix'\n tag cci: %w[CCI-001199 CCI-002475 CCI-002476]\n tag nist: ['SC-28', 'SC-28 (1)', 'SC-28 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Value Name: MinimumPIN\n Type: REG_DWORD\n Value: 0x0000000#{input('bitlocker_pin_len')} (#{input('bitlocker_pin_len')}) or greater\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> BitLocker Drive Encryption >>\n Operating System Drives \\\"Configure minimum PIN length for startup\\\" to\n \\\"Enabled\\\" with \\\"Minimum characters:\\\" set to #{input('bitlocker_pin_len')} or greater.\"\n\n if sys_info.manufacturer == \"VMware, Inc.\"\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-94861.' 
do\n skip 'This is a VDI System; This System is NA for Control V-94861'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Bitlocker') do\n it { should have_property 'MinimumPIN' }\n its('MinimumPIN') { should be >= input('bitlocker_pin_len') }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63843.rb", + "ref": "./Windows 10 STIG/controls/V-94861.rb", "line": 3 }, - "id": "V-63843" + "id": "V-94861" }, { - "title": "The Act as part of the operating system user right must not be\n assigned to any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Act as part of the operating system\" user right can\n assume the identity of any user and gain access to resources that user is\n authorized to access. Any accounts with this right can take complete control\n of a system.", + "title": "Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.", + "desc": "Attackers are constantly looking for vulnerabilities in systems and\n applications. Structured Exception Handling Overwrite Protection (SEHOP) blocks\n exploits that use the Structured Exception Handling overwrite technique, a\n common buffer overflow attack.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Act as part of the operating system\" user right can\n assume the identity of any user and gain access to resources that user is\n authorized to access. 
Any accounts with this right can take complete control\n of a system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts (to include administrators), are granted the \"Act as\n part of the operating system\" user right, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Act as part of the operating system\" to be defined but containing no entries\n (blank)." + "default": "Attackers are constantly looking for vulnerabilities in systems and\n applications. Structured Exception Handling Overwrite Protection (SEHOP) blocks\n exploits that use the Structured Exception Handling overwrite technique, a\n common buffer overflow attack.", + "check": "This is applicable to Windows 10 prior to v1709.\n\n Verify SEHOP is turned on.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\\\n\n Value Name: DisableExceptionChainValidation\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Enable Structured Exception\n Handling Overwrite Protection (SEHOP)\" to \"Enabled\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." 
}, "impact": 0.7, "refs": [], "tags": { "severity": "high", - "gtitle": "WN10-UR-000015", - "gid": "V-63847", - "rid": "SV-78337r1_rule", - "stig_id": "WN10-UR-000015", - "fix_id": "F-69775r1_fix", + "gtitle": "WN10-00-000150", + "gid": "V-68849", + "rid": "SV-83445r4_rule", + "stig_id": "WN10-00-000150", + "fix_id": "F-87295r1_fix", "cci": [ - "CCI-002235" + "CCI-002824" ], "nist": [ - "AC-6 (10)", + "SI-16", "Rev_4" ], "false_negatives": null, 
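Review bot: The V-94861 code reads MinimumPIN from `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Bitlocker`, but the check text it accompanies names no registry path, and the policy "Configure minimum PIN length for startup" is written under `HKLM\SOFTWARE\Policies\Microsoft\FVE` on the systems I am aware of; please verify the path against a machine with the policy applied, since a wrong key makes a compliant system fail and gives no signal about a non-compliant one. The `sys_info.manufacturer == "VMware, Inc."` branch marks every VMware guest as N/A, not only VDI images, which is broader than the skip message claims. Minor: the interpolated check text `0x0000000#{input('bitlocker_pin_len')}` renders an incorrect hex value once the input reaches 10 or more.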
@@ -9373,35 +9378,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63847' do\n title \"The Act as part of the operating system user right must not be\n assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Act as part of the operating system\\\" user right can\n assume the identity of any user and gain access to resources that user is\n authorized to access. Any accounts with this right can take complete control\n of a system.\"\n\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-UR-000015'\n tag gid: 'V-63847'\n tag rid: 'SV-78337r1_rule'\n tag stig_id: 'WN10-UR-000015'\n tag fix_id: 'F-69775r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts (to include administrators), are granted the \\\"Act as\n part of the operating system\\\" user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Act as part of the operating system\\\" to be defined but containing no entries\n (blank).\"\n\n describe security_policy do\n its('SeTcbPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-68849' do\n title 'Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.'\n desc 
\"Attackers are constantly looking for vulnerabilities in systems and\n applications. Structured Exception Handling Overwrite Protection (SEHOP) blocks\n exploits that use the Structured Exception Handling overwrite technique, a\n common buffer overflow attack.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000150'\n tag gid: 'V-68849'\n tag rid: 'SV-83445r4_rule'\n tag stig_id: 'WN10-00-000150'\n tag fix_id: 'F-87295r1_fix'\n tag cci: ['CCI-002824']\n tag nist: %w[SI-16 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This is applicable to Windows 10 prior to v1709.\n\n Verify SEHOP is turned on.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\kernel\\\\\n\n Value Name: DisableExceptionChainValidation\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Enable Structured Exception\n Handling Overwrite Protection (SEHOP)\\\" to \\\"Enabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This is applicable to Windows 10 prior to v1709.' 
do\n skip 'This is applicable to Windows 10 prior to v1709.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel') do\n it { should have_property 'DisableExceptionChainValidation' }\n its('DisableExceptionChainValidation') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63847.rb", + "ref": "./Windows 10 STIG/controls/V-68849.rb", "line": 3 }, - "id": "V-63847" + "id": "V-68849" }, { - "title": "The Deny log on as a service user right on Windows 10 domain-joined\n workstations must be configured to prevent access from highly privileged domain\n accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Deny log on as a service\" right defines accounts that are denied log\n on as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for\n OUTLOOK.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Deny log on as a service\" right defines accounts that are denied log\n on as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.", - "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny log on as a\n service\" right , this is a finding:\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group", - "fix": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log on\n as a service\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group" + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name OUTLOOK.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for OUTLOOK.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000080", - "gid": "V-63875", - "rid": "SV-78365r2_rule", - "stig_id": "WN10-UR-000080", - "fix_id": "F-100993r1_fix", + "gtitle": "WN10-EP-000220", + "gid": "V-77243", + "rid": "SV-91939r3_rule", + "stig_id": "WN10-EP-000220", + "fix_id": "F-84363r4_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
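Review bot: The V-68849 applicability test is inverted: the branch `if registry_key(...).ReleaseId < '1709'` skips the control on exactly the pre-1709 builds the check text says it applies to, and runs the DisableExceptionChainValidation test on 1709 and later, where the STIG marks it not applicable. The condition should read `if registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId >= '1709'` with the skip message changed to something like `'This control is NA for Windows 10 v1709 and later.'`, leaving the registry assertions in the else branch. Note the comparison is a string compare on ReleaseId, which only orders correctly while that value stays a four-digit numeric string.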
@@ -9415,35 +9420,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63875' do\n title \"The Deny log on as a service user right on Windows 10 domain-joined\n workstations must be configured to prevent access from highly privileged domain\n accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Deny log on as a service\\\" right defines accounts that are denied log\n on as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000080'\n tag gid: 'V-63875'\n tag rid: 'SV-78365r2_rule'\n tag stig_id: 'WN10-UR-000080'\n tag fix_id: 'F-100993r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny log on as a\n service\\\" right , this is a finding:\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\"\n desc 'fix', \"This requirement is applicable to domain-joined systems, 
for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log on\n as a service\\\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This requirement is applicable to domain-joined systems, for standalone systems this is NA' do\n skip 'This requirement is applicable to domain-joined systems, for standalone systems this is NA'\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n\n describe security_policy do\n its('SeDenyServiceLogonRight') { should be_in [\"#{domain_admin_sid}\", \"#{enterprise_admin_sid}\"] }\n end\n end\nend\n", + "code": "control 'V-77243' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n OUTLOOK.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000220'\n tag gid: 'V-77243'\n tag rid: 'SV-91939r3_rule'\n tag stig_id: 'WN10-EP-000220'\n tag fix_id: 'F-84363r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name OUTLOOK.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for OUTLOOK.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name OUTLOOK.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Outlook' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name OUTLOOK.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Outlook' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name OUTLOOK.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Outlook' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end \n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63875.rb", + "ref": "./Windows 10 STIG/controls/V-77243.rb", "line": 3 }, - "id": "V-63875" + "id": "V-77243" }, { - "title": "The Windows Remote Management (WinRM) client must not use Basic\n authentication.", - "desc": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", + "title": "Windows 10 account lockout duration must be configured to 15 minutes\n or greater.", + "desc": "The account lockout feature, 
when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the amount of time\n that an account will remain locked after the specified number of failed logon\n attempts.", "descriptions": { - "default": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowBasic\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \"Allow Basic authentication\" to \"Disabled\"." + "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the amount of time\n that an account will remain locked after the specified number of failed logon\n attempts.", + "check": "Verify the effective setting in Local Group Policy Editor.\nRun \"gpedit.msc\".\n\nNavigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n>> Security Settings >> Account Policies >> Account Lockout Policy.\n\nIf the \"Account lockout duration\" is less than 15 minutes (excluding\n\"0\"), this is a finding.\n\nConfiguring this to \"0\", requiring an administrator to unlock the account, is\nmore restrictive and is not a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n\"Account lockout duration\" to 15 minutes or greater.\n\nA value of \"0\" is also acceptable, requiring an administrator to unlock the\naccount." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-CC-000330", - "gid": "V-63335", - "rid": "SV-77825r1_rule", - "stig_id": "WN10-CC-000330", - "fix_id": "F-69255r1_fix", + "severity": "medium", + "gtitle": "WN10-AC-000005", + "gid": "V-63405", + "rid": "SV-77895r2_rule", + "stig_id": "WN10-AC-000005", + "fix_id": "F-81277r1_fix", "cci": [ - "CCI-000877" + "CCI-002238" ], "nist": [ - "MA-4 c", + "AC-7 b", "Rev_4" ], "false_negatives": null, 
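Review bot: The DEP/ASLR/Payload assertions in the new V-77243 code string look like they can never fail. Each `json(...)` is built from `Select DEP | ConvertTo-Json` (likewise `Aslr`, `Payload`), which nests the properties under a `DEP`/`Aslr`/`Payload` key, so `its(['OverrideDEP'])` reads a top-level key that is not there and compares nil against the string `'true'`; even with the right path, ConvertTo-Json emits the booleans and the mitigation enum as JSON `false`/numbers, never the strings `'true'`/`'2'`, so `should_not eq` always passes. Use the nested path and a type-insensitive comparison, e.g. `its(['DEP', 'OverrideDEP']) { should cmp false }` and `its(['Aslr', 'ForceRelocateImages']) { should cmp 1 }` (the check text requires ON; `should_not eq '2'` would also accept NOTSET — confirm the enum mapping on a target). The applicability guard `if input('sensitive_system') == 'true' || nil` is equivalent to plain `== 'true'` because `|| nil` adds nothing; presumably a `.nil?` test on the input was intended.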
@@ -9457,30 +9462,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63335' do\n title \"The Windows Remote Management (WinRM) client must not use Basic\n authentication.\"\n desc \"Basic authentication uses plain text passwords that could be used to\n compromise a system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000330'\n tag gid: 'V-63335'\n tag rid: 'SV-77825r1_rule'\n tag stig_id: 'WN10-CC-000330'\n tag fix_id: 'F-69255r1_fix'\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowBasic\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \\\"Allow Basic authentication\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63405' do\n title \"Windows 10 account lockout duration must be configured to #{input('pass_lock_time')} minutes\n or greater.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. 
This parameter specifies the amount of time\n that an account will remain locked after the specified number of failed logon\n attempts.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000005'\n tag gid: 'V-63405'\n tag rid: 'SV-77895r2_rule'\n tag stig_id: 'WN10-AC-000005'\n tag fix_id: 'F-81277r1_fix'\n tag cci: ['CCI-002238']\n tag nist: ['AC-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\nRun \\\"gpedit.msc\\\".\n\nNavigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n>> Security Settings >> Account Policies >> Account Lockout Policy.\n\nIf the \\\"Account lockout duration\\\" is less than #{input('pass_lock_time')} minutes (excluding\n\\\"0\\\"), this is a finding.\n\nConfiguring this to \\\"0\\\", requiring an administrator to unlock the account, is\nmore restrictive and is not a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n\\\"Account lockout duration\\\" to #{input('pass_lock_time')} minutes or greater.\n\nA value of \\\"0\\\" is also acceptable, requiring an administrator to unlock the\naccount.\"\n\n # issues has been raised to fix the IF statement for describe.one to allow for inputs\n pass_lock_time = input('pass_lock_time')\n\n describe.one do\n describe security_policy do\n its('LockoutDuration') { should cmp >= pass_lock_time }\n end\n describe security_policy do\n its('LockoutDuration') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63335.rb", + "ref": "./Windows 10 STIG/controls/V-63405.rb", "line": 3 }, - "id": 
"V-63335" + "id": "V-63405" }, { - "title": "The computer account password must not be prevented from being reset.", - "desc": "Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more\n vulnerable to malicious access. Frequent password changes can be a significant\n safeguard for your system. A new password for the computer account will be\n generated every 30 days.", + "title": "Simultaneous connections to the Internet or a Windows domain must be\n limited.", + "desc": "Multiple network connections can provide additional attack vectors to\n a system and must be limited. The \"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\" setting prevents systems from\n automatically establishing multiple connections. When both wired and wireless\n connections are available, for example, the less preferred connection\n (typically wireless) will be disconnected.", "descriptions": { - "default": "Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more\n vulnerable to malicious access. Frequent password changes can be a significant\n safeguard for your system. A new password for the computer account will be\n generated every 30 days.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Disable machine account password changes\" to \"Disabled\"." + "default": "Multiple network connections can provide additional attack vectors to\n a system and must be limited. 
The \"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\" setting prevents systems from\n automatically establishing multiple connections. When both wired and wireless\n connections are available, for example, the less preferred connection\n (typically wireless) will be disconnected.", + "check": "The default behavior for \"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\" is \"Enabled\".\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy\\\n\n Value Name: fMinimizeConnections\n\n Value Type: REG_DWORD\n Value: 1 (or if the Value Name does not exist)", + "fix": "The default behavior for \"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\" is \"Enabled\".\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Network >> Windows Connection\n Manager >> \"Minimize the number of simultaneous connections to the Internet or\n a Windows Domain\" to \"Enabled\"." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-SO-000050", - "gid": "V-63653", - "rid": "SV-78143r1_rule", - "stig_id": "WN10-SO-000050", - "fix_id": "F-69885r1_fix", + "severity": "medium", + "gtitle": "WN10-CC-000055", + "gid": "V-63581", + "rid": "SV-78071r2_rule", + "stig_id": "WN10-CC-000055", + "fix_id": "F-69511r1_fix", "cci": [ "CCI-000366" ], 
@@ -9499,35 +9504,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63653' do\n title 'The computer account password must not be prevented from being reset.'\n desc \"Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more\n vulnerable to malicious access. Frequent password changes can be a significant\n safeguard for your system. A new password for the computer account will be\n generated every 30 days.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-SO-000050'\n tag gid: 'V-63653'\n tag rid: 'SV-78143r1_rule'\n tag stig_id: 'WN10-SO-000050'\n tag fix_id: 'F-69885r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Disable machine account password changes\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'DisablePasswordChange' }\n its('DisablePasswordChange') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63581' do\n title \"Simultaneous connections to the Internet or a Windows domain must be\n limited.\"\n desc \"Multiple network connections 
can provide additional attack vectors to\n a system and must be limited. The \\\"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\\\" setting prevents systems from\n automatically establishing multiple connections. When both wired and wireless\n connections are available, for example, the less preferred connection\n (typically wireless) will be disconnected.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000055'\n tag gid: 'V-63581'\n tag rid: 'SV-78071r2_rule'\n tag stig_id: 'WN10-CC-000055'\n tag fix_id: 'F-69511r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior for \\\"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\\\" is \\\"Enabled\\\".\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WcmSvc\\\\GroupPolicy\\\\\n\n Value Name: fMinimizeConnections\n\n Value Type: REG_DWORD\n Value: 1 (or if the Value Name does not exist)\"\n\n desc \"fix\", \"The default behavior for \\\"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\\\" is \\\"Enabled\\\".\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Network >> Windows Connection\n Manager >> \\\"Minimize the number of simultaneous connections to the Internet or\n a Windows Domain\\\" to 
\\\"Enabled\\\".\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy') do\n it { should_not have_property 'fMinimizeConnections' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy') do\n its('fMinimizeConnections') { should cmp 1 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63653.rb", + "ref": "./Windows 10 STIG/controls/V-63581.rb", "line": 3 }, - "id": "V-63653" + "id": "V-63581" }, { - "title": "The Application event log size must be configured to 32768 KB or\n greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "title": "Camera access from the lock screen must be disabled.", + "desc": "Enabling camera access from the lock screen could allow for\n unauthorized use. Requiring logon will ensure the device is only used by\n authorized personnel.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", - "check": "If the system is configured to send audit records directly to an\n audit server, this is NA. 
This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", - "fix": "If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> Event Log Service >> Application >>\n \"Specify the maximum log file size (KB)\" to \"Enabled\" with a \"Maximum Log\n Size (KB)\" of \"32768\" or greater." + "default": "Enabling camera access from the lock screen could allow for\n unauthorized use. Requiring logon will ensure the device is only used by\n authorized personnel.", + "check": "If the device does not have a camera, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization\\\n\n Value Name: NoLockScreenCamera\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "If the device does not have a camera, this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Control Panel >> Personalization >> \"Prevent enabling lock screen\n camera\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000500", - "gid": "V-63519", - "rid": "SV-78009r1_rule", - "stig_id": "WN10-AU-000500", - "fix_id": "F-69449r1_fix", + "gtitle": "WN10-CC-000005", + "gid": "V-63545", + "rid": "SV-78035r1_rule", + "stig_id": "WN10-CC-000005", + "fix_id": "F-69475r1_fix", "cci": [ - "CCI-001849" + "CCI-000381" ], "nist": [ - "AU-4", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
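Review bot: The new V-63581 code marks the control NA on WORKGROUP machines, but the STIG check and fix text embedded above it contain no domain-membership exclusion; the setting limits simultaneous Internet connections as well as domain connections, so a standalone laptop with wired and wireless adapters is still in scope. Dropping the `is_domain` branch and always running the `describe.one` block matches the check text; if the skip is intentional, the check description should say so. Detecting membership via `wmic computersystem get domain` is also fragile: `wmic` is deprecated and being removed from newer Windows builds, and on a host without it the empty output would make `is_domain` neither `WORKGROUP` nor a domain name, so the branch would silently take the else path.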
@@ -9541,35 +9546,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63519' do\n title \"The Application event log size must be configured to 32768 KB or\n greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000500'\n tag gid: 'V-63519'\n tag rid: 'SV-78009r1_rule'\n tag stig_id: 'WN10-AU-000500'\n tag fix_id: 'F-69449r1_fix'\n tag cci: ['CCI-001849']\n tag nist: %w[AU-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Application\\\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n\n desc \"fix\", \"If the system is configured to send audit records directly to an\n audit server, this is NA. 
This must be documented with the ISSO.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> Event Log Service >> Application >>\n \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum Log\n Size (KB)\\\" of \\\"32768\\\" or greater.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 32_768 }\n end\nend\n", + "code": "control 'V-63545' do\n title 'Camera access from the lock screen must be disabled.'\n desc \"Enabling camera access from the lock screen could allow for\n unauthorized use. Requiring logon will ensure the device is only used by\n authorized personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000005'\n tag gid: 'V-63545'\n tag rid: 'SV-78035r1_rule'\n tag stig_id: 'WN10-CC-000005'\n tag fix_id: 'F-69475r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"If the device does not have a camera, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization\\\\\n\n Value Name: NoLockScreenCamera\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc 'fix', \"If the device does not have a camera, this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Control Panel >> Personalization >> \\\"Prevent enabling lock screen\n camera\\\" to \\\"Enabled\\\".\"\n\n if sys_info.manufacturer == 
'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63545.' do\n skip 'This is a VDI System; This System is NA for Control V-63545.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization') do\n it { should have_property 'NoLockScreenCamera' }\n its('NoLockScreenCamera') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63519.rb", + "ref": "./Windows 10 STIG/controls/V-63545.rb", "line": 3 }, - "id": "V-63519" + "id": "V-63545" }, { - "title": "The Deny log on as a batch job user right on domain-joined\n workstations must be configured to prevent access from highly privileged domain\n accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Deny log on as a batch job\" right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.", + "title": "Only authorized user accounts must be allowed to create or run virtual\n machines on Windows 10 systems.", + "desc": "Allowing other operating systems to run on a secure system may allow\n users to circumvent security. For Hyper-V, preventing unauthorized users from\n being assigned to the Hyper-V Administrators group will prevent them from\n accessing or creating virtual machines on the system. 
The Hyper-V Hypervisor is\n used by Virtualization Based Security features such as Credential Guard on\n Windows 10; however, it is not the full Hyper-V installation.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Deny log on as a batch job\" right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.", - "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny log on as a\n batch job\" right, this is a finding:\n\n Domain Systems Only:\n Enterprise Admin Group\n Domain Admin Group", - "fix": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log on\n as a batch job\" to include the following.\n\n Domain Systems Only:\n Enterprise Admin Group\n Domain Admin Group" + "default": "Allowing other operating systems to run on a secure system may allow\n users to circumvent security. For Hyper-V, preventing unauthorized users from\n being assigned to the Hyper-V Administrators group will prevent them from\n accessing or creating virtual machines on the system. 
The Hyper-V Hypervisor is\n used by Virtualization Based Security features such as Credential Guard on\n Windows 10; however, it is not the full Hyper-V installation.", + "check": "If a hosted hypervisor (Hyper-V, VMware Workstation, etc.) is\n installed on the system, verify only authorized user accounts are allowed to\n run virtual machines.\n\n For Hyper-V, Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Double click on \"Hyper-V Administrators\".\n\n If any unauthorized groups or user accounts are listed in \"Members:\", this is\n a finding.\n\n For hosted hypervisors other than Hyper-V, verify only authorized user accounts\n have access to run the virtual machines. Restrictions may be enforced by access\n to the physical system, software restriction policies, or access restrictions\n built in to the application.\n\n If any unauthorized groups or user accounts have access to create or run\n virtual machines, this is a finding.\n\n All users authorized to create or run virtual machines must be documented with\n the ISSM/ISSO. Accounts nested within group accounts must be documented as\n individual accounts and not the group accounts.", + "fix": "For Hyper-V, remove any unauthorized groups or user accounts from\n the \"Hyper-V Administrators\" group.\n\n For hosted hypervisors other than Hyper-V, restrict access to create or run\n virtual machines to authorized user accounts only." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000075", - "gid": "V-63873", - "rid": "SV-78363r1_rule", - "stig_id": "WN10-UR-000075", - "fix_id": "F-69801r1_fix", + "gtitle": "WN10-00-000080", + "gid": "V-63365", + "rid": "SV-77855r3_rule", + "stig_id": "WN10-00-000080", + "fix_id": "F-100933r1_fix", "cci": [ - "CCI-000213" + "CCI-000381" ], "nist": [ - "AC-3", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
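Review bot: The V-63545 code treats `sys_info.manufacturer == 'VMware, Inc.'` as proof that no camera exists, which is a vendor-string heuristic rather than the STIG's condition ("If the device does not have a camera, this is NA"): a VMware guest can still expose a passthrough or virtual webcam, and VDI guests on Hyper-V, VirtualBox or other hypervisors get no exemption at all. Prefer checking for an actual camera device, something like `if command('Get-PnpDevice -Class Camera,Image -PresentOnly -ErrorAction SilentlyContinue').stdout.strip.empty?`, or an explicit profile input, and fall through to the registry check otherwise. Skipping on manufacturer alone leaves the `NoLockScreenCamera` policy unverified on exactly the systems where the auditor cannot see the hardware.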
@@ -9583,35 +9588,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63873' do\n title \"The Deny log on as a batch job user right on domain-joined\n workstations must be configured to prevent access from highly privileged domain\n accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Deny log on as a batch job\\\" right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks which could lead to the\n compromise of an entire domain.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000075'\n tag gid: 'V-63873'\n tag rid: 'SV-78363r1_rule'\n tag stig_id: 'WN10-UR-000075'\n tag fix_id: 'F-69801r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny log on as a\n batch job\\\" right, this is a finding:\n\n Domain Systems Only:\n Enterprise Admin Group\n Domain Admin Group\"\n desc 'fix', \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n 
Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log on\n as a batch job\\\" to include the following.\n\n Domain Systems Only:\n Enterprise Admin Group\n Domain Admin Group\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This requirement is applicable to domain-joined systems, for standalone systems this is NA' do\n skip 'This requirement is applicable to domain-joined systems, for standalone systems this is NA'\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n\n describe security_policy do\n its('SeDenyBatchLogonRight') { should be_in [\"#{domain_admin_sid}\", \"#{enterprise_admin_sid}\"] }\n end\n end\nend\n", + "code": "control 'V-63365' do\n title \"Only authorized user accounts must be allowed to create or run virtual\n machines on Windows 10 systems.\"\n desc \"Allowing other operating systems to run on a secure system may allow\n users to circumvent security. For Hyper-V, preventing unauthorized users from\n being assigned to the Hyper-V Administrators group will prevent them from\n accessing or creating virtual machines on the system. 
The Hyper-V Hypervisor is\n used by Virtualization Based Security features such as Credential Guard on\n Windows 10; however, it is not the full Hyper-V installation.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000080'\n tag gid: 'V-63365'\n tag rid: 'SV-77855r3_rule'\n tag stig_id: 'WN10-00-000080'\n tag fix_id: 'F-100933r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If a hosted hypervisor (Hyper-V, VMware Workstation, etc.) is\n installed on the system, verify only authorized user accounts are allowed to\n run virtual machines.\n\n For Hyper-V, Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Double click on \\\"Hyper-V Administrators\\\".\n\n If any unauthorized groups or user accounts are listed in \\\"Members:\\\", this is\n a finding.\n\n For hosted hypervisors other than Hyper-V, verify only authorized user accounts\n have access to run the virtual machines. Restrictions may be enforced by access\n to the physical system, software restriction policies, or access restrictions\n built in to the application.\n\n If any unauthorized groups or user accounts have access to create or run\n virtual machines, this is a finding.\n\n All users authorized to create or run virtual machines must be documented with\n the ISSM/ISSO. 
Accounts nested within group accounts must be documented as\n individual accounts and not the group accounts.\"\n\n desc \"fix\", \"For Hyper-V, remove any unauthorized groups or user accounts from\n the \\\"Hyper-V Administrators\\\" group.\n\n For hosted hypervisors other than Hyper-V, restrict access to create or run\n virtual machines to authorized user accounts only.\"\n\n hyper_v_administrator_group = command(\"net localgroup Hyper-V Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n\n hyper_v_administrator_group.each do |user|\n describe user.to_s do\n it { should be_in input('hyper_v_admin') }\n end\n end\n if hyper_v_administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63873.rb", + "ref": "./Windows 10 STIG/controls/V-63365.rb", "line": 3 }, - "id": "V-63873" + "id": "V-63365" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Windows 10 must be configured to audit Object Access - Other Object\n Access Events failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name Acrobat.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for Acrobat.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\"Run as\n Administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> Other Object Access Events - Failure\n\n If the system does not audit the above, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit Other Object Access Events\" with\n \"Failure\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000070", - "gid": "V-77189", - "rid": "SV-91885r3_rule", - "stig_id": "WN10-EP-000070", - "fix_id": "F-84325r4_fix", + "gtitle": "WN10-AU-000084", + "gid": "V-74409", + "rid": "SV-89083r1_rule", + "stig_id": "WN10-AU-000084", + "fix_id": "F-80951r4_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
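Review bot: The exported `"impact": 0` for V-63365 contradicts the `impact 0.5` declared in its own `code` string, which suggests the export captured the runtime `impact 0.0` override from the empty-group branch rather than the control's declared severity; the metadata should be regenerated from the source control (`./Windows 10 STIG/controls/V-63365.rb`) rather than patched in this JSON. Inside that code, `net localgroup Hyper-V Administrators` passes the group name as two arguments because it is unquoted, so the command is likely to fail and return empty stdout, and the `hyper_v_administrator_group.empty?` branch then downgrades the control to impact 0.0 with a skip that reads as a pass; quote it as `net localgroup "Hyper-V Administrators"` and add `describe cmd do its('exit_status') { should eq 0 } end` before trusting an empty list. The `Findstr /V 'Alias Name Comment Members - command'` filter treats each space-separated word as its own pattern, so any member whose name contains `-` or one of those words is silently dropped from the comparison. An empty membership for a group that does exist is a compliant result, not a not-applicable one, so the skip text "There are no users with administrative privileges" is misleading and should be an explicit pass.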
@@ -9625,35 +9630,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77189' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000070'\n tag gid: 'V-77189'\n tag rid: 'SV-91885r3_rule'\n tag stig_id: 'WN10-EP-000070'\n tag fix_id: 'F-84325r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name Acrobat.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for Acrobat.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name Acrobat.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Acrobat' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name Acrobat.exe | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Acrobat' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name Acrobat.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Acrobat' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-74409' do\n title \"Windows 10 must be configured to audit Object Access - Other Object\n Access Events failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\n of task scheduler jobs and COM+ objects.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000084'\n tag gid: 'V-74409'\n tag rid: 'SV-89083r1_rule'\n tag stig_id: 'WN10-AU-000084'\n tag fix_id: 'F-80951r4_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open PowerShell or a Command Prompt with elevated privileges (\\\"Run as\n Administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following:\n\n Object Access >> Other Object Access Events - Failure\n\n If the system does not audit the above, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\" with\n \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other Object 
Access Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77189.rb", + "ref": "./Windows 10 STIG/controls/V-74409.rb", "line": 3 }, - "id": "V-77189" + "id": "V-74409" }, { - "title": "The network selection user interface (UI) must not be displayed on the\n logon screen.", - "desc": "Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing into Windows.", + "title": "Windows 10 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.", + "desc": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Control flow guard (CFG)\", are enabled by default at the system level. CFG\n ensures flow integrity for indirect calls. If this is turned off, Windows 10\n may be subject to various exploits.", "descriptions": { - "default": "Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing into Windows.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> \"Do not display network\n selection UI\" to \"Enabled\"." + "default": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Control flow guard (CFG)\", are enabled by default at the system level. CFG\n ensures flow integrity for indirect calls. 
If this is turned off, Windows 10\n may be subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which\n meets this requirement. The PowerShell query results for this show as\n \"NOTSET\".\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -System\".\n\n If the status of \"CFG: Enable\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", + "fix": "Ensure Exploit Protection system-level mitigation, \"Control flow\n guard (CFG)\", is turned on. The default configuration in Exploit Protection is\n \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n\n Select \"App & browser control\".\n\n Select \"Exploit protection settings\".\n\n Under \"System settings\", configure \"Control flow guard (CFG)\" to \"On by\n default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn CFG on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000120", - "gid": "V-63629", - "rid": "SV-78119r1_rule", - "stig_id": "WN10-CC-000120", - "fix_id": "F-69559r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a", + "gtitle": "WN10-EP-000040", + "gid": "V-77097", + "rid": "SV-91793r3_rule", + "stig_id": "WN10-EP-000040", + "fix_id": "F-86721r2_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b", "Rev_4" ], "false_negatives": null, 
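Review bot: The check text for V-74409 states that subcategory settings are only effective when the force-override option (WN10-SO-000030) is enabled, but the `code` string only inspects `audit_policy` for "Other Object Access Events", so the control can report a pass on a system where that prerequisite is disabled; if the `audit_policy` resource reports the configured rather than the effective value, this is a false pass. Either add a describe that asserts the WN10-SO-000030 setting alongside the `describe.one` block, or document in a comment that the dependency is deliberately left to that other control, e.g. `# Effective only when WN10-SO-000030 (subcategory override) is enabled; not re-checked here.` The fix belongs in `./Windows 10 STIG/controls/V-74409.rb`, since this JSON is an export of it.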
@@ -9667,30 +9672,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63629' do\n title \"The network selection user interface (UI) must not be displayed on the\n logon screen.\"\n desc \"Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing into Windows.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000120'\n tag gid: 'V-63629'\n tag rid: 'SV-78119r1_rule'\n tag stig_id: 'WN10-CC-000120'\n tag fix_id: 'F-69559r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> \\\"Do not display network\n selection UI\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'DontDisplayNetworkSelectionUI' }\n its('DontDisplayNetworkSelectionUI') { should cmp 1 }\n end\nend\n", + "code": "control 'V-77097' do\n title 'Windows 10 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.'\n desc \"Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. 
Several mitigations, including\n \\\"Control flow guard (CFG)\\\", are enabled by default at the system level. CFG\n ensures flow integrity for indirect calls. If this is turned off, Windows 10\n may be subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000040'\n tag gid: 'V-77097'\n tag rid: 'SV-91793r3_rule'\n tag stig_id: 'WN10-EP-000040'\n tag fix_id: 'F-86721r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which\n meets this requirement. The PowerShell query results for this show as\n \\\"NOTSET\\\".\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -System\\\".\n\n If the status of \\\"CFG: Enable\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n desc 'fix', \"Ensure Exploit Protection system-level mitigation, \\\"Control flow\n guard (CFG)\\\", is turned on. 
The default configuration in Exploit Protection is\n \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n\n Select \\\"App & browser control\\\".\n\n Select \\\"Exploit protection settings\\\".\n\n Under \\\"System settings\\\", configure \\\"Control flow guard (CFG)\\\" to \\\"On by\n default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn CFG on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n cfg = json( command: 'Get-ProcessMitigation -System | Select CFG | ConvertTo-Json').params\n describe 'ControlFlowGuard is required to be enabled on System' do\n subject { cfg }\n its(['Enable']) { should_not eq '2' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63629.rb", + "ref": "./Windows 10 STIG/controls/V-77097.rb", "line": 3 }, - "id": "V-63629" + "id": "V-77097" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for chrome.exe.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.exe.", "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name chrome.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for chrome.exe:\n\n DEP:\n OverrideDEP: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name AcroRd32.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for AcroRd32.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000090", - "gid": "V-77195", - "rid": "SV-91891r3_rule", - "stig_id": "WN10-EP-000090", - "fix_id": "F-84333r4_fix", + "gtitle": "WN10-EP-000080", + "gid": "V-77191", + "rid": "SV-91887r3_rule", + "stig_id": "WN10-EP-000080", + "fix_id": "F-84329r4_fix", "cci": [ "CCI-000366" ], 
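Review bot: The CFG assertion in V-77097's `code` string, `its(['Enable']) { should_not eq '2' }`, compares against the string `'2'`, but `ConvertTo-Json` emits the mitigation enum as a number, so the comparison can never fail and an OFF system passes; additionally, because the pipeline runs `Select CFG`, the value is presumably nested under a `CFG` key and `['Enable']` at the top level would be nil, which also never equals `'2'`. Rewrite the assertion as `its(['CFG', 'Enable']) { should_not cmp 2 }` (or compare the `-System` output without the `Select` wrapper) so that a value of OFF actually fails. The guard `input('sensitive_system') == 'true' || nil` is a no-op `|| nil` that only obscures the condition; drop it. The `ReleaseId < '1709'` test is a lexicographic string comparison, which works for four-digit release IDs but should be noted in a comment as such. These corrections belong in `./Windows 10 STIG/controls/V-77097.rb`, from which this JSON entry is exported.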
@@ -9709,35 +9714,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77195' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for chrome.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000090'\n tag gid: 'V-77195'\n tag rid: 'SV-91891r3_rule'\n tag stig_id: 'WN10-EP-000090'\n tag fix_id: 'F-84333r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name chrome.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for chrome.exe:\n\n DEP:\n OverrideDEP: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name chrome.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Chrome' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-77191' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000080'\n tag gid: 'V-77191'\n tag rid: 'SV-91887r3_rule'\n tag stig_id: 'WN10-EP-000080'\n tag fix_id: 'F-84329r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name AcroRd32.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for AcroRd32.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name AcroRd32.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Adobe Reader' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n\n aslr = json( command: 'Get-ProcessMitigation -Name AcroRd32.exe | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Adobe Reader' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n\n payload = json( command: 'Get-ProcessMitigation -Name AcroRd32.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Adobe Reader' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77195.rb", + "ref": "./Windows 10 STIG/controls/V-77191.rb", "line": 3 }, - "id": "V-77195" + "id": "V-77191" }, { - "title": "User Account Control must be configured to detect application\n installations and prompt for elevation.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by 
prompting for credentials.", + "title": "The system must be configured to audit Policy Change - Authorization\n Policy Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Detect application installations and prompt for elevation\" to\n \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n -Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n -Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \"Audit Authorization Policy Change\" with\n \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000260", - "gid": "V-63825", - "rid": "SV-78315r1_rule", - "stig_id": "WN10-SO-000260", - "fix_id": "F-69753r1_fix", + "gtitle": "WN10-AU-000107", + "gid": "V-71761", + "rid": "SV-86385r1_rule", + "stig_id": "WN10-AU-000107", + "fix_id": "F-78113r1_fix", "cci": [ - "CCI-001084" + "CCI-000172" ], "nist": [ - "SC-3", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
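Review bot: The assertions in the new V-77191 `code` string are negated string comparisons (`should_not eq 'true'`, `should_not eq '2'`), but `ConvertTo-Json` emits JSON booleans and numbers, so the `json` resource hands back Ruby `true`/`false` and integers and a comparison against the strings `'true'`/`'2'` can never fail; the same negated form also passes when the key is absent, which is what `Select DEP | ConvertTo-Json` most likely yields at the root (the values sit under a `DEP`/`Aslr`/`Payload` member), so the control appears to pass unconditionally. A positive match on the nested path, e.g. `its(['DEP', 'OverrideDEP']) { should eq false }` and `its(['Aslr', 'ForceRelocateImages']) { should eq 1 }` (1 being ON in the mitigation enum — confirm against the module's actual output), would make the check fail when a mitigation is missing, NOTSET or OFF, which `should_not eq '2'` currently does not. The ASLR `describe` text also claims "BottomUp" is verified although nothing in that block checks it, and spells the option "Alsr". Since the entry's `source_location` points at `./Windows 10 STIG/controls/V-77191.rb`, this JSON is presumably an exported artifact and the correction belongs in that Ruby source before re-export.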
@@ -9751,72 +9756,63 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63825' do\n title \"User Account Control must be configured to detect application\n installations and prompt for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000260'\n tag gid: 'V-63825'\n tag rid: 'SV-78315r1_rule'\n tag stig_id: 'WN10-SO-000260'\n tag fix_id: 'F-69753r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Detect application installations and prompt for elevation\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'EnableInstallerDetection' }\n its('EnableInstallerDetection') { should cmp 1 }\n end\nend\n", + "code": "control 'V-71761' do\n title \"The system must be configured to audit Policy Change - Authorization\n Policy Change successes.\"\n 
desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000107'\n tag gid: 'V-71761'\n tag rid: 'SV-86385r1_rule'\n tag stig_id: 'WN10-AU-000107'\n tag fix_id: 'F-78113r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n -Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n -Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> \\\"Audit Authorization Policy Change\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Authorization Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authorization Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63825.rb", + "ref": "./Windows 10 STIG/controls/V-71761.rb", "line": 3 }, - "id": "V-63825" + "id": "V-71761" }, { - "title": "The system must be configured to prevent IP source routing.", - "desc": "Configuring the system to disable IP source routing protects against\n spoofing.", + "title": "Windows 10 must be configured to audit other Logon/Logoff Events\nSuccesses.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. 
Logon events are essential to\nunderstanding user activity and detecting potential attacks.", "descriptions": { - "default": "Configuring the system to disable IP source routing protects against\n spoofing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 2", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (DisableIPSourceRouting) IP\n source routing protection level (protects against packet spoofing)\" to\n \"Highest protection, source routing is completely disabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \"MSS-Legacy.admx\" and \"\n MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. 
Logon events are essential to\nunderstanding user activity and detecting potential attacks.", + "rationale": "", + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Logon/Logoff >> Other Logon/Logoff Events - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Other Logon/Logoff Events\"\nwith \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000025", - "gid": "V-63559", - "rid": "SV-78049r1_rule", - "stig_id": "WN10-CC-000025", - "fix_id": "F-69489r1_fix", + "severity": null, + "gtitle": "WN10-AU-000560", + "gid": "V-99543", + "rid": "SV-108647r1_rule", + "stig_id": "WN10-AU-000560", + "fix_id": "F-105227r1_fix", "cci": [ - "CCI-000366" + "CCI-000130" ], "nist": [ - "CM-6 b", + "AU-3", "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null + ] }, - "code": "control 'V-63559' do\n title 'The system must be configured to prevent IP source routing.'\n desc \"Configuring the system to disable IP source routing protects against\n spoofing.\"\n\n impact 0.5\n\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000025'\n tag gid: 
'V-63559'\n tag rid: 'SV-78049r1_rule'\n tag stig_id: 'WN10-CC-000025'\n tag fix_id: 'F-69489r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 2\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (DisableIPSourceRouting) IP\n source routing protection level (protects against packet spoofing)\\\" to\n \\\"Highest protection, source routing is completely disabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \\\"MSS-Legacy.admx\\\" and \\\"\n MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2 }\n end\nend\n", + "code": "control \"V-99543\" do\n title \"Windows 10 must be configured to audit other Logon/Logoff Events\nSuccesses.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. Logon events are essential to\nunderstanding user activity and detecting potential attacks.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000560\"\n tag gid: \"V-99543\"\n tag rid: \"SV-108647r1_rule\"\n tag stig_id: \"WN10-AU-000560\"\n tag fix_id: \"F-105227r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Logon/Logoff >> Other Logon/Logoff Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Other Logon/Logoff Events\\\"\nwith \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other Logon/Logoff Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Logon/Logoff Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63559.rb", + "ref": "./Windows 10 STIG/controls/V-99543.rb", "line": 3 }, - "id": "V-63559" + "id": "V-99543" }, { - "title": "Group Policy objects must be reprocessed even if they have not\n changed.", - "desc": "Enabling this setting and then selecting the \"Process even if the\n Group Policy objects have not changed\" option ensures that the policies will\n be reprocessed even if none have been changed. This way, any unauthorized\n changes are forced to match the domain-based group policy settings again.", + "title": "Windows Update must not obtain updates from other PCs on the Internet.", + "desc": "Windows 10 allows Windows Update to obtain updates from additional\n sources instead of Microsoft. In addition to Microsoft, updates can be obtained\n from and sent to PCs on the local network as well as on the Internet. This is\n part of the Windows Update trusted process, however to minimize outside\n exposure, obtaining updates from or sending to systems on the Internet must be\n prevented.", "descriptions": { - "default": "Enabling this setting and then selecting the \"Process even if the\n Group Policy objects have not changed\" option ensures that the policies will\n be reprocessed even if none have been changed. 
This way, any unauthorized\n changes are forced to match the domain-based group policy settings again.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Group\n Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\n\n Value Name: NoGPOListChanges\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Group Policy >> \"Configure registry\n policy processing\" to \"Enabled\" and select the option \"Process even if the\n Group Policy objects have not changed\"." + "default": "Windows 10 allows Windows Update to obtain updates from additional\n sources instead of Microsoft. In addition to Microsoft, updates can be obtained\n from and sent to PCs on the local network as well as on the Internet. This is\n part of the Windows Update trusted process, however to minimize outside\n exposure, obtaining updates from or sending to systems on the Internet must be\n prevented.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - No peering (HTTP Only)\n 0x00000001 (1) - Peers on same NAT only (LAN)\n 0x00000002 (2) - Local Network / Private group peering (Group)\n 0x00000063 (99) - Simple download mode, no peering (Simple)\n 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass)\n\n A value of 0x00000003 (3), Internet, is a finding.\n\n v1507 LTSB:\n Domain joined systems:\n Verify the registry value above.\n If the value is not 0x00000000 (0) or 0x00000001 (1), this is a finding.\n\n Standalone systems (configured in Settings):\n If the following registry 
value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - Off\n 0x00000001 (1) - LAN", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Delivery Optimization >>\n \"Download Mode\" to \"Enabled\" with any option except \"Internet\" selected.\n\n Acceptable selections include:\n Bypass (100)\n Group (2)\n HTTP only (0)\n LAN (1)\n Simple (99)\n\n v1507 (LTSB) does not include this group policy setting locally. For domain\n joined systems, configure through domain group policy as \"HTTP only (0)\" or\n \"Lan (1)\". Standalone systems configure using Settings >> Update & Security\n >> Windows Update >> Advanced Options >> \"Choose how updates are delivered\"\n with either \"Off\" or \"PCs on my local network\" selected." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000090", - "gid": "V-63609", - "rid": "SV-78099r1_rule", - "stig_id": "WN10-CC-000090", - "fix_id": "F-69539r1_fix", + "severity": "low", + "gtitle": "WN10-CC-000206", + "gid": "V-65681", + "rid": "SV-80171r3_rule", + "stig_id": "WN10-CC-000206", + "fix_id": "F-83251r4_fix", "cci": [ "CCI-000366" ], 
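Review bot: The new V-99543 entry breaks the shape its neighbours in this hunk keep: its `tags` object carries `"severity": null` beside `"impact": 0.5`, its `descriptions` adds an empty `"rationale": ""`, and it drops the ten keys from `false_negatives` through `ia_controls` that V-71761 and V-65681 still carry, so a consumer reading `tags.severity` or `tags.documentable` uniformly gets null/undefined for this one control. If the 0.5 impact is intended, the control should declare `tag severity: 'medium'` and the same tag set as the adjacent controls so the exported JSON stays homogeneous; otherwise whatever reads this file must tolerate the absent keys. The `source_location` ref `./Windows 10 STIG/controls/V-99543.rb` suggests the JSON is exported from the Ruby profile, so the fix belongs there rather than in this file.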
@@ -9835,35 +9831,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63609' do\n title \"Group Policy objects must be reprocessed even if they have not\n changed.\"\n desc \"Enabling this setting and then selecting the \\\"Process even if the\n Group Policy objects have not changed\\\" option ensures that the policies will\n be reprocessed even if none have been changed. This way, any unauthorized\n changes are forced to match the domain-based group policy settings again.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000090'\n tag gid: 'V-63609'\n tag rid: 'SV-78099r1_rule'\n tag stig_id: 'WN10-CC-000090'\n tag fix_id: 'F-69539r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Group\n Policy\\\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\n\n Value Name: NoGPOListChanges\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Group Policy >> \\\"Configure registry\n policy processing\\\" to \\\"Enabled\\\" and select the option \\\"Process even if the\n Group Policy objects have not changed\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}') do\n it { should have_property 'NoGPOListChanges' }\n its('NoGPOListChanges') { should cmp 0 }\n end\nend\n", + "code": "control 'V-65681' do\n title 'Windows Update must not obtain 
updates from other PCs on the Internet.'\n desc \"Windows 10 allows Windows Update to obtain updates from additional\n sources instead of Microsoft. In addition to Microsoft, updates can be obtained\n from and sent to PCs on the local network as well as on the Internet. This is\n part of the Windows Update trusted process, however to minimize outside\n exposure, obtaining updates from or sending to systems on the Internet must be\n prevented.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000206'\n tag gid: 'V-65681'\n tag rid: 'SV-80171r3_rule'\n tag stig_id: 'WN10-CC-000206'\n tag fix_id: 'F-83251r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeliveryOptimization\\\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - No peering (HTTP Only)\n 0x00000001 (1) - Peers on same NAT only (LAN)\n 0x00000002 (2) - Local Network / Private group peering (Group)\n 0x00000063 (99) - Simple download mode, no peering (Simple)\n 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass)\n\n A value of 0x00000003 (3), Internet, is a finding.\n\n v1507 LTSB:\n Domain joined systems:\n Verify the registry value above.\n If the value is not 0x00000000 (0) or 0x00000001 (1), this is a finding.\n\n Standalone systems (configured in Settings):\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n 
\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\DeliveryOptimization\\\\Config\\\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - Off\n 0x00000001 (1) - LAN\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Delivery Optimization >>\n \\\"Download Mode\\\" to \\\"Enabled\\\" with any option except \\\"Internet\\\" selected.\n\n Acceptable selections include:\n Bypass (100)\n Group (2)\n HTTP only (0)\n LAN (1)\n Simple (99)\n\n v1507 (LTSB) does not include this group policy setting locally. For domain\n joined systems, configure through domain group policy as \\\"HTTP only (0)\\\" or\n \\\"Lan (1)\\\". Standalone systems configure using Settings >> Update & Security\n >> Windows Update >> Advanced Options >> \\\"Choose how updates are delivered\\\"\n with either \\\"Off\\\" or \\\"PCs on my local network\\\" selected.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId == '1507'\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 1 }\n end\n end\n else\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 1 }\n end\n 
describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 2 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 99 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Config') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 100 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63609.rb", + "ref": "./Windows 10 STIG/controls/V-65681.rb", "line": 3 }, - "id": "V-63609" + "id": "V-65681" }, { - "title": "The Windows Remote Management (WinRM) client must not use Digest\n authentication.", - "desc": "Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks.", + "title": "Remote Desktop Services must always prompt a client for passwords upon\n connection.", + "desc": "This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. 
Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.", "descriptions": { - "default": "Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowDigest\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \"Disallow Digest authentication\" to \"Enabled\"." + "default": "This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fPromptForPassword\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> \"Always prompt for password upon\n connection\" to \"Enabled\"." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-CC-000360",
- "gid": "V-63341",
- "rid": "SV-77831r2_rule",
- "stig_id": "WN10-CC-000360",
- "fix_id": "F-69263r1_fix",
+ "gtitle": "WN10-CC-000280",
+ "gid": "V-63733",
+ "rid": "SV-78223r1_rule",
+ "stig_id": "WN10-CC-000280",
+ "fix_id": "F-69661r1_fix",
 "cci": [
- "CCI-000877"
+ "CCI-002038"
 ],
 "nist": [
- "MA-4 c",
+ "IA-11",
 "Rev_4"
 ],
 "false_negatives": null,
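Review bot: The `else` branch of the V-65681 code (the non-1507 case) reads `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config`, but the check text in this same hunk names `\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization` for that case and reserves the `...\Config` key for standalone v1507 systems, so a GPO-configured host can be reported as a finding and the v1507 domain-joined case is never tested at all. Point the general branch at `registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization')` and collapse the five single-value describes into `its('DODownloadMode') { should be_in [0, 1, 2, 99, 100] }` (likewise `[0, 1]` for 1507), which also makes the accepted set readable at a glance. If I recall correctly `ReleaseId` only appeared with 1511, so the `== '1507'` comparison may never be true on the build it targets; `CurrentBuildNumber` would be the safer discriminator, worth confirming before relying on that branch. This file looks like an export of `./Windows 10 STIG/controls/V-65681.rb` (see `source_location`), so the change belongs in that source control followed by a regeneration.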
@@ -9877,12 +9873,12 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63341' do\n title \"The Windows Remote Management (WinRM) client must not use Digest\n authentication.\"\n desc \"Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000360'\n tag gid: 'V-63341'\n tag rid: 'SV-77831r2_rule'\n tag stig_id: 'WN10-CC-000360'\n tag fix_id: 'F-69263r1_fix'\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowDigest\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \\\"Disallow Digest authentication\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client') do\n it { should have_property 'AllowDigest' }\n its('AllowDigest') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63733' do\n title \"Remote Desktop Services must always prompt a client for passwords upon\n connection.\"\n desc \"This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. 
Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000280'\n tag gid: 'V-63733'\n tag rid: 'SV-78223r1_rule'\n tag stig_id: 'WN10-CC-000280'\n tag fix_id: 'F-69661r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fPromptForPassword\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> \\\"Always prompt for password upon\n connection\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property 'fPromptForPassword' }\n its('fPromptForPassword') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63341.rb", + "ref": "./Windows 10 STIG/controls/V-63733.rb", "line": 3 }, - "id": "V-63341" + "id": "V-63733" }, { "title": "Administrative accounts must not be used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as\n email.", 
@@ -9927,27 +9923,27 @@ "id": "V-78129" }, { - "title": "The system must be configured to audit System - Other System Events\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", + "title": "Users must be notified if a web-based program attempts to install\n software.", + "desc": "Web-based programs may attempt to install malicious software on a\n system. Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> Other System Events - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit Other System Events\" with \"Success\"\n selected." + "default": "Web-based programs may attempt to install malicious software on a\n system. 
Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.", + "check": "The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)", + "fix": "The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> Windows\n Installer >> \"Prevent Internet Explorer security prompt for Windows Installer\n scripts\" to \"Not Configured\" or \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000130", - "gid": "V-63499", - "rid": "SV-77989r2_rule", - "stig_id": "WN10-AU-000130", - "fix_id": "F-69429r2_fix", + "gtitle": "WN10-CC-000320", + "gid": "V-63329", + "rid": "SV-77819r1_rule", + "stig_id": "WN10-CC-000320", + "fix_id": "F-69245r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -9961,35 +9957,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63499' do\n title \"The system must be configured to audit System - Other System Events\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000130'\n tag gid: 'V-63499'\n tag rid: 'SV-77989r2_rule'\n tag stig_id: 'WN10-AU-000130'\n tag fix_id: 'F-69429r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> Other System Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit Other System Events\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63329' do\n title \"Users must be notified if a web-based program attempts to install\n software.\"\n desc \"Web-based programs may attempt to install malicious software on a\n system. Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000320'\n tag gid: 'V-63329'\n tag rid: 'SV-77819r1_rule'\n tag stig_id: 'WN10-CC-000320'\n tag fix_id: 'F-69245r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: 
\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)\"\n\n desc \"fix\", \"The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> Windows\n Installer >> \\\"Prevent Internet Explorer security prompt for Windows Installer\n scripts\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should_not have_property 'SafeForScripting' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n its('SafeForScripting') { should_not cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63499.rb", + "ref": "./Windows 10 STIG/controls/V-63329.rb", "line": 3 }, - "id": "V-63499" + "id": "V-63329" }, { - "title": "The Change the system time user right must only be assigned to\n Administrators and Local Service.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Change the system time\" user right can change the\n system time, which can impact authentication, as well as affect time stamps on\n event log entries.", + "title": "The use of personal accounts for OneDrive synchronization must be\n disabled.", + "desc": "OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances. 
Enabling this setting will prevent\n the use of personal OneDrive accounts for synchronization.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Change the system time\" user right can change the\n system time, which can impact authentication, as well as affect time stamps on\n event log entries.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Change the\n system time\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Change the system time\" to only include the following groups or accounts:\n\n Administrators\n LOCAL SERVICE" + "default": "OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances. 
Enabling this setting will prevent\n the use of personal OneDrive accounts for synchronization.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\Software\\Policies\\Microsoft\\OneDrive\\\n\n Value Name: DisablePersonalSync\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for User Configuration >> Administrative\n Templates >> OneDrive >> \"Prevent users from synchronizing personal OneDrive\n accounts\" to \"Enabled\".\n\n Group policy files for OneDrive are located on a system with OneDrive in\n \"%localappdata%\\Microsoft\\OneDrive\\BuildNumber\\adm\\\".\n\n Copy the OneDrive.admx and .adml files to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000035", - "gid": "V-63855", - "rid": "SV-78345r1_rule", - "stig_id": "WN10-UR-000035", - "fix_id": "F-69783r1_fix", + "gtitle": "WN10-UC-000005", + "gid": "V-82137", + "rid": "SV-96851r1_rule", + "stig_id": "WN10-UC-000005", + "fix_id": "F-88989r2_fix", "cci": [ - "CCI-002235" + "CCI-000381" ], "nist": [ - "AC-6 (10)", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
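Review bot: The second `describe.one` alternative in the V-63329 code asserts `its('SafeForScripting') { should_not cmp 1 }`, which passes for any value other than 1, while the check text in this hunk says only `0` (or an absent value name) is not a finding. A DWORD such as 2 would therefore be reported compliant even though the STIG text does not allow it; `its('SafeForScripting') { should cmp 0 }` matches the check verbatim and, together with the `should_not have_property` alternative, still accepts the absent case. This JSON appears to be an export of `./Windows 10 STIG/controls/V-63329.rb`, so the fix should land there and the profile be regenerated.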
@@ -10003,30 +9999,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63855' do\n title \"The Change the system time user right must only be assigned to\n Administrators and Local Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Change the system time\\\" user right can change the\n system time, which can impact authentication, as well as affect time stamps on\n event log entries.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000035'\n tag gid: 'V-63855'\n tag rid: 'SV-78345r1_rule'\n tag stig_id: 'WN10-UR-000035'\n tag fix_id: 'F-69783r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Change the\n system time\\\" user right, this is a finding:\n\n Administrators\n LOCAL SERVICE\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Change the system time\\\" to only include the following groups or accounts:\n\n Administrators\n LOCAL SERVICE\"\n\n describe security_policy do\n its('SeSystemtimePrivilege') { should be_in ['S-1-5-32-544', 'S-1-5-19'] }\n end\nend\n", + "code": "control 'V-82137' do\n title \"The use of personal accounts for OneDrive synchronization must be\n 
disabled.\"\n desc \"OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances. Enabling this setting will prevent\n the use of personal OneDrive accounts for synchronization.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UC-000005'\n tag gid: 'V-82137'\n tag rid: 'SV-96851r1_rule'\n tag stig_id: 'WN10-UC-000005'\n tag fix_id: 'F-88989r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\Software\\\\Policies\\\\Microsoft\\\\OneDrive\\\\\n\n Value Name: DisablePersonalSync\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for User Configuration >> Administrative\n Templates >> OneDrive >> \\\"Prevent users from synchronizing personal OneDrive\n accounts\\\" to \\\"Enabled\\\".\n\n Group policy files for OneDrive are located on a system with OneDrive in\n \\\"%localappdata%\\\\Microsoft\\\\OneDrive\\\\BuildNumber\\\\adm\\\\\\\".\n\n Copy the OneDrive.admx and .adml files to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\OneDrive') do\n it { should have_property 'DisablePersonalSync' }\n its('DisablePersonalSync') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63855.rb", + "ref": "./Windows 10 STIG/controls/V-82137.rb", "line": 3 }, - "id": "V-63855" + "id": "V-82137" }, { - "title": "The Secondary 
Logon service must be disabled on Windows 10.", - "desc": "The Secondary Logon service provides a means for entering alternate\n credentials, typically used to run commands with elevated privileges. Using\n privileged credentials in a standard user session can expose those credentials\n to theft.", + "title": "Printing over HTTP must be prevented.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents the client computer from printing over HTTP, which allows the computer\n to print to printers on the intranet as well as the Internet.", "descriptions": { - "default": "The Secondary Logon service provides a means for entering alternate\n credentials, typically used to run commands with elevated privileges. Using\n privileged credentials in a standard user session can expose those credentials\n to theft.", - "check": "Run \"Services.msc\".\n\n Locate the \"Secondary Logon\" service.\n\n If the \"Startup Type\" is not \"Disabled\" or the \"Status\" is \"Running\",\n this is a finding.", - "fix": "Configure the \"Secondary Logon\" service \"Startup Type\" to \"Disabled\"." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. 
This setting\n prevents the client computer from printing over HTTP, which allows the computer\n to print to printers on the intranet as well as the Internet.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableHTTPPrinting\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Internet Communication Management >>\nInternet Communication settings >> \"Turn off printing over HTTP\" to\n\"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000175", - "gid": "V-74719", - "rid": "SV-89393r2_rule", - "stig_id": "WN10-00-000175", - "fix_id": "F-81333r1_fix", + "gtitle": "WN10-CC-000110", + "gid": "V-63623", + "rid": "SV-78113r1_rule", + "stig_id": "WN10-CC-000110", + "fix_id": "F-69553r1_fix", "cci": [ "CCI-000381" ], 
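Review bot: The V-82137 code evaluates `registry_key('HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive')`, and during an InSpec run HKCU typically resolves to the hive of the account executing the scan (the WinRM or SYSTEM context), not the hives of the interactive users the User Configuration policy targets, so a pass or fail here may say little about end-user OneDrive settings; this follows the STIG check text but is worth stating in the control. Add a comment above the describe such as `# HKCU is the scanning account's hive; run as an affected user or enumerate HKEY_USERS\<SID>\Software\Policies\Microsoft\OneDrive to assess other profiles`. If this file is an export of `./Windows 10 STIG/controls/V-82137.rb`, the note belongs in that source control rather than in this generated JSON.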
@@ -10045,35 +10041,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74719' do\n title 'The Secondary Logon service must be disabled on Windows 10.'\n desc \"The Secondary Logon service provides a means for entering alternate\n credentials, typically used to run commands with elevated privileges. Using\n privileged credentials in a standard user session can expose those credentials\n to theft.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000175'\n tag gid: 'V-74719'\n tag rid: 'SV-89393r2_rule'\n tag stig_id: 'WN10-00-000175'\n tag fix_id: 'F-81333r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Run \\\"Services.msc\\\".\n\n Locate the \\\"Secondary Logon\\\" service.\n\n If the \\\"Startup Type\\\" is not \\\"Disabled\\\" or the \\\"Status\\\" is \\\"Running\\\",\n this is a finding.\"\n desc \"fix\", 'Configure the \"Secondary Logon\" service \"Startup Type\" to \"Disabled\".'\n\n describe.one do\n describe service('Secondary Logon') do\n it { should_not be_enabled }\n end\n describe service('Secondary Logon') do\n it { should_not be_running }\n end\n end\nend\n", + "code": "control 'V-63623' do\n title 'Printing over HTTP must be prevented.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. 
This setting\n prevents the client computer from printing over HTTP, which allows the computer\n to print to printers on the intranet as well as the Internet.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000110'\n tag gid: 'V-63623'\n tag rid: 'SV-78113r1_rule'\n tag stig_id: 'WN10-CC-000110'\n tag fix_id: 'F-69553r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableHTTPPrinting\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Internet Communication Management >>\nInternet Communication settings >> \\\"Turn off printing over HTTP\\\" to\n\\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers') do\n it { should have_property 'DisableHTTPPrinting' }\n its('DisableHTTPPrinting') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74719.rb", + "ref": "./Windows 10 STIG/controls/V-63623.rb", "line": 3 }, - "id": "V-74719" + "id": "V-63623" }, { - "title": "The system must be configured to prevent the storage of the LAN\n Manager hash of passwords.", - "desc": "The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. 
This\n setting controls whether or not a LAN Manager hash of the password is stored in\n the SAM the next time the password is changed.", + "title": "User Account Control must virtualize file and registry write failures\n to per-user locations.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.", "descriptions": { - "default": "The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. This\n setting controls whether or not a LAN Manager hash of the password is stored in\n the SAM the next time the password is changed.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: Do not store LAN Manager hash value on next password\n change\" to \"Enabled\"." 
+ "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Virtualize file and registry write failures to per-user\n locations\" to \"Enabled\"." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-SO-000195", - "gid": "V-63797", - "rid": "SV-78287r1_rule", - "stig_id": "WN10-SO-000195", - "fix_id": "F-69725r1_fix", + "severity": "medium", + "gtitle": "WN10-SO-000275", + "gid": "V-63831", + "rid": "SV-78321r1_rule", + "stig_id": "WN10-SO-000275", + "fix_id": "F-69759r1_fix", "cci": [ - "CCI-000196" + "CCI-001084" ], "nist": [ - "IA-5 (1) (c)", + "SC-3", "Rev_4" ], "false_negatives": null, 
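Review bot: The `controls` array appears to have been re-ordered rather than edited: this entry is rewritten wholesale from V-74719 to V-63623 with an identical field layout, and the following hunks do the same for V-63797 → V-63831, V-94719 → V-63677 and V-63941 → V-63457. If this JSON is generated from the InSpec profile, as the `source_location.ref` values suggest, the exporter should sort `controls` by `id` before writing so that a regeneration yields a minimal diff and genuine changes to `check`/`fix` text or the embedded `code` remain visible. As it stands, the reviewable content of each hunk (registry path, value name and expected value inside the new `code` string) has to be re-verified from scratch against the STIG because nothing ties it to a prior version of the same control.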
@@ -10087,35 +10083,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63797' do\n title \"The system must be configured to prevent the storage of the LAN\n Manager hash of passwords.\"\n desc \"The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. This\n setting controls whether or not a LAN Manager hash of the password is stored in\n the SAM the next time the password is changed.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000195'\n tag gid: 'V-63797'\n tag rid: 'SV-78287r1_rule'\n tag stig_id: 'WN10-SO-000195'\n tag fix_id: 'F-69725r1_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: Do not store LAN Manager hash value on next password\n change\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'NoLMHash' }\n its('NoLMHash') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63831' do\n title \"User Account Control must virtualize file and registry write failures\n to per-user locations.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation 
of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000275'\n tag gid: 'V-63831'\n tag rid: 'SV-78321r1_rule'\n tag stig_id: 'WN10-SO-000275'\n tag fix_id: 'F-69759r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Virtualize file and registry write failures to per-user\n locations\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'EnableVirtualization' }\n its('EnableVirtualization') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63797.rb", + "ref": "./Windows 10 STIG/controls/V-63831.rb", "line": 3 }, - "id": "V-63797" + "id": "V-63831" }, { - "title": "Windows 10 must be configured to prevent Windows apps from being\n activated by voice while the system is locked.", - "desc": "Allowing Windows apps to be activated by voice from the lock screen\n could allow for unauthorized 
use. Requiring logon will ensure the apps are only\n used by authorized personnel.", + "title": "Enhanced anti-spoofing for facial recognition must be enabled on\n Window 10.", + "desc": "Enhanced anti-spoofing provides additional protections when using\n facial recognition with devices that support it.", "descriptions": { - "default": "Allowing Windows apps to be activated by voice from the lock screen\n could allow for unauthorized use. Requiring logon will ensure the apps are only\n used by authorized personnel.", - "check": "This setting requires v1903 or later of Windows 10; it is NA for\n prior versions. The setting is NA when the “Allow voice activation” policy is\n configured to disallow applications to be activated with voice for all users.\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy\\\n\n Value Name: LetAppsActivateWithVoiceAboveLock\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\n\n If the following registry value exists and is configured as specified,\n requirement is NA.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy\\\n\n Value Name: LetAppsActivateWithVoice\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Privacy >> \"Let Windows\n apps activate with voice while the system is locked\" to \"Enabled\" with\n “Default for all Apps:” set to “Force Deny”.\n\n The requirement is NA if the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Privacy >> \"Let Windows\n apps activate with voice\" is configured to \"Enabled\" with “Default for all\n Apps:” set to “Force Deny”." 
+ "default": "Enhanced anti-spoofing provides additional protections when using\n facial recognition with devices that support it.", + "check": "Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Biometrics\\FacialFeatures\\\n\n Value Name: EnhancedAntiSpoofing\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Biometrics >> Facial Features\n >> \"Configure enhanced anti-spoofing\" to \"Enabled\".\n\n v1607:\n The policy name is \"Use enhanced anti-spoofing when available\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000365", - "gid": "V-94719", - "rid": "SV-104549r1_rule", - "stig_id": "WN10-CC-000365", - "fix_id": "F-100837r3_fix", + "gtitle": "WN10-CC-000195", + "gid": "V-63677", + "rid": "SV-78167r3_rule", + "stig_id": "WN10-CC-000195", + "fix_id": "F-88435r1_fix", "cci": [ - "CCI-000056" + "CCI-000366" ], "nist": [ - "AC-11 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
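Review bot: The embedded `code` for V-63831 (the added line beginning `"code": "control 'V-63831' do`) writes its NIST tag as `tag nist: %w[SC-3 Rev_4]`, whereas every other control in these hunks uses the array-literal form `tag nist: ['SC-3', 'Rev_4']`. Both evaluate to the same array, so this is style only, but the inconsistency originates in `./Windows 10 STIG/controls/V-63831.rb` per `source_location` and is the kind of drift that produces noisy diffs on every re-export. The fix belongs in that source file, followed by regenerating this JSON rather than hand-editing the string.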
@@ -10129,35 +10125,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-94719' do\n title \"Windows 10 must be configured to prevent Windows apps from being\n activated by voice while the system is locked.\"\n desc \"Allowing Windows apps to be activated by voice from the lock screen\n could allow for unauthorized use. Requiring logon will ensure the apps are only\n used by authorized personnel.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000365'\n tag gid: 'V-94719'\n tag rid: 'SV-104549r1_rule'\n tag stig_id: 'WN10-CC-000365'\n tag fix_id: 'F-100837r3_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"This setting requires v1903 or later of Windows 10; it is NA for\n prior versions. 
The setting is NA when the “Allow voice activation” policy is\n configured to disallow applications to be activated with voice for all users.\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppPrivacy\\\\\n\n Value Name: LetAppsActivateWithVoiceAboveLock\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\n\n If the following registry value exists and is configured as specified,\n requirement is NA.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppPrivacy\\\\\n\n Value Name: LetAppsActivateWithVoice\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Privacy >> \\\"Let Windows\n apps activate with voice while the system is locked\\\" to \\\"Enabled\\\" with\n “Default for all Apps:” set to “Force Deny”.\n\n The requirement is NA if the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Privacy >> \\\"Let Windows\n apps activate with voice\\\" is configured to \\\"Enabled\\\" with “Default for all\n Apps:” set to “Force Deny”.\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId >= '1903'\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy') do\n it { should have_property 'LetAppsActivateWithVoiceAboveLock' }\n its('LetAppsActivateWithVoiceAboveLock') { should cmp 2 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy') do\n it { should have_property 'LetAppsActivateWithVoice' }\n its('LetAppsActivateWithVoice') { should cmp 2 }\n end\n end\n else\n impact 0.0\n describe 'This setting requires v1903 or later of Windows 10; 
it is NA for prior versions.' do\n skip 'This setting requires v1903 or later of Windows 10; it is NA for prior versions.'\n end\n end\nend\n", + "code": "control 'V-63677' do\n title \"Enhanced anti-spoofing for facial recognition must be enabled on\n Window 10.\"\n desc \"Enhanced anti-spoofing provides additional protections when using\n facial recognition with devices that support it.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000195'\n tag gid: 'V-63677'\n tag rid: 'SV-78167r3_rule'\n tag stig_id: 'WN10-CC-000195'\n tag fix_id: 'F-88435r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Biometrics\\\\FacialFeatures\\\\\n\n Value Name: EnhancedAntiSpoofing\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Biometrics >> Facial Features\n >> \\\"Configure enhanced anti-spoofing\\\" to \\\"Enabled\\\".\n\n v1607:\n The policy name is \\\"Use enhanced anti-spoofing when available\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId == '1507'\n impact 0.0\n describe 'Windows 10 v1507 LTSB version does not include this setting.' 
do\n skip 'Windows 10 v1507 LTSB version does not include this setting.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Biometrics\\FacialFeatures') do\n it { should have_property 'EnhancedAntiSpoofing' }\n its('EnhancedAntiSpoofing') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-94719.rb", + "ref": "./Windows 10 STIG/controls/V-63677.rb", "line": 3 }, - "id": "V-94719" + "id": "V-63677" }, { - "title": "The Take ownership of files or other objects user right must only be\n assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities. Accounts with the \"Take ownership\n of files or other objects\" user right can take ownership of objects and make changes.", + "title": "The system must be configured to audit Logon/Logoff - Group Membership\n successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities. 
Accounts with the \"Take ownership\n of files or other objects\" user right can take ownership of objects and make changes.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Take\n ownership of files or other objects\" user right, this is a finding:\n\n Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Take ownership of files or other objects\" to only include the following\n groups or accounts: Administrators" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Group Membership - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> \"Audit Group Membership\" with \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000165", - "gid": "V-63941", - "rid": "SV-78431r1_rule", - "stig_id": "WN10-UR-000165", - "fix_id": "F-69869r1_fix", + "gtitle": "WN10-AU-000060", + "gid": "V-63457", + "rid": "SV-77947r2_rule", + "stig_id": "WN10-AU-000060", + "fix_id": "F-69385r2_fix", "cci": [ - "CCI-002235" + "CCI-000172" ], "nist": [ - "AC-6 (10)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
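Review bot: The NA branch in V-63677's `code` (first added line of this hunk) keys only on `ReleaseId == '1507'`, while the `check` text and the skip message scope the exemption to the v1507 LTSB edition; a non-LTSB 1507 host would be marked `impact 0.0` and skipped rather than assessed. If that is acceptable because 1507 LTSB is the only 1507 edition expected in scope, the assumption is worth recording in the control source next to the `if`, e.g. `# ReleaseId alone cannot distinguish LTSB from non-LTSB 1507; all 1507 treated as NA per the STIG check text`. The `ReleaseId` read itself is unguarded, but an absent property should make the comparison false and fall through to the registry check, which is the safe direction.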
@@ -10171,30 +10167,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63941' do\n title \"The Take ownership of files or other objects user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities. Accounts with the \\\"Take ownership\n of files or other objects\\\" user right can take ownership of objects and make changes.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000165'\n tag gid: 'V-63941'\n tag rid: 'SV-78431r1_rule'\n tag stig_id: 'WN10-UR-000165'\n tag fix_id: 'F-69869r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Take\n ownership of files or other objects\\\" user right, this is a finding:\n\n Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Take ownership of files or other objects\\\" to only include the following\n groups or accounts: Administrators\"\n\n describe security_policy do\n its('SeTakeOwnershipPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control 'V-63457' do\n title \"The system must be configured to audit Logon/Logoff - Group Membership\n successes.\"\n desc \"Maintaining an audit trail of system 
activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000060'\n tag gid: 'V-63457'\n tag rid: 'SV-77947r2_rule'\n tag stig_id: 'WN10-AU-000060'\n tag fix_id: 'F-69385r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Group Membership - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> \\\"Audit Group Membership\\\" with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Group Membership') { should eq 'Success' }\n end\n describe audit_policy do\n its('Group Membership') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63941.rb", + "ref": "./Windows 10 STIG/controls/V-63457.rb", "line": 3 }, - "id": "V-63941" + "id": "V-63457" }, { - "title": "Simultaneous connections to the Internet or a Windows domain must be\n limited.", - "desc": "Multiple network connections can provide additional attack vectors to\n a system and must be limited. The \"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\" setting prevents systems from\n automatically establishing multiple connections. When both wired and wireless\n connections are available, for example, the less preferred connection\n (typically wireless) will be disconnected.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Multiple network connections can provide additional attack vectors to\n a system and must be limited. The \"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\" setting prevents systems from\n automatically establishing multiple connections. 
When both wired and wireless\n connections are available, for example, the less preferred connection\n (typically wireless) will be disconnected.", - "check": "The default behavior for \"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\" is \"Enabled\".\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy\\\n\n Value Name: fMinimizeConnections\n\n Value Type: REG_DWORD\n Value: 1 (or if the Value Name does not exist)", - "fix": "The default behavior for \"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\" is \"Enabled\".\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Network >> Windows Connection\n Manager >> \"Minimize the number of simultaneous connections to the Internet or\n a Windows Domain\" to \"Enabled\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name Acrobat.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for Acrobat.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000055", - "gid": "V-63581", - "rid": "SV-78071r2_rule", - "stig_id": "WN10-CC-000055", - "fix_id": "F-69511r1_fix", + "gtitle": "WN10-EP-000070", + "gid": "V-77189", + "rid": "SV-91885r3_rule", + "stig_id": "WN10-EP-000070", + "fix_id": "F-84325r4_fix", "cci": [ "CCI-000366" ], 
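Review bot: V-63457's `code` (added at the start of this hunk) checks only `audit_policy` 'Group Membership', yet its own `check` text states that subcategory settings are effective only when the override required by WN10-SO-000030 is enabled, so the control passes on a host where the subcategory is configured but not enforced. That dependency is presumably satisfied by the separate WN10-SO-000030 control, but it is implicit here and is lost when a subset of the profile is run. A comment in the control source above the `describe.one`, such as `# Effective only when WN10-SO-000030 (subcategory override) is enforced; that control is checked separately`, would make the cross-control dependency explicit.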
@@ -10213,35 +10209,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63581' do\n title \"Simultaneous connections to the Internet or a Windows domain must be\n limited.\"\n desc \"Multiple network connections can provide additional attack vectors to\n a system and must be limited. The \\\"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\\\" setting prevents systems from\n automatically establishing multiple connections. When both wired and wireless\n connections are available, for example, the less preferred connection\n (typically wireless) will be disconnected.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000055'\n tag gid: 'V-63581'\n tag rid: 'SV-78071r2_rule'\n tag stig_id: 'WN10-CC-000055'\n tag fix_id: 'F-69511r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior for \\\"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\\\" is \\\"Enabled\\\".\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WcmSvc\\\\GroupPolicy\\\\\n\n Value Name: fMinimizeConnections\n\n Value Type: REG_DWORD\n Value: 1 (or if the Value Name does not exist)\"\n\n desc \"fix\", \"The default behavior for \\\"Minimize the number of simultaneous\n connections to the Internet or a Windows Domain\\\" is \\\"Enabled\\\".\n\n If this needs to be corrected, 
configure the policy value for Computer\n Configuration >> Administrative Templates >> Network >> Windows Connection\n Manager >> \\\"Minimize the number of simultaneous connections to the Internet or\n a Windows Domain\\\" to \\\"Enabled\\\".\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy') do\n it { should_not have_property 'fMinimizeConnections' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy') do\n its('fMinimizeConnections') { should cmp 1 }\n end\n end\n end\nend\n", + "code": "control 'V-77189' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000070'\n tag gid: 'V-77189'\n tag rid: 'SV-91885r3_rule'\n tag stig_id: 'WN10-EP-000070'\n tag fix_id: 'F-84325r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name Acrobat.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for Acrobat.exe:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name Acrobat.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Acrobat' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name Acrobat.exe | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Acrobat' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name Acrobat.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Acrobat' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63581.rb", + "ref": "./Windows 10 STIG/controls/V-77189.rb", "line": 3 }, - "id": "V-63581" + "id": "V-77189" }, { - "title": "The Deny log on locally user right on workstations must be configured\n to prevent access from highly privileged domain accounts on domain systems and\n unauthenticated access on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny log on locally\" right defines accounts that are 
prevented from\n logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "Insecure logons to an SMB server must be disabled.", + "desc": "Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \"Deny log on locally\" right defines accounts that are prevented from\n logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \"Deny log on\n locally\" right, this is a finding.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. 
(See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n All Systems:\n Guests Group", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Deny log on locally\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n All Systems:\n Guests Group" + "default": "Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.", + "check": "Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Lanman Workstation >> \"Enable insecure\n guest logons\" to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UR-000085", - "gid": "V-63877", - "rid": "SV-78367r2_rule", - "stig_id": "WN10-UR-000085", - "fix_id": "F-88443r1_fix", + "gtitle": "WN10-CC-000040", + "gid": "V-63569", + "rid": "SV-78059r2_rule", + "stig_id": "WN10-CC-000040", + "fix_id": "F-69499r2_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
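Review bot: The mitigation assertions in the new V-77189 code (`its(['OverrideDEP']) { should_not eq 'true' }` and the six Payload checks) are negations that also pass when the key is absent or the value is anything other than the string 'true', so a Get-ProcessMitigation call that returns nothing, or one whose ConvertTo-Json output carries a JSON boolean, is reported as compliant; asserting the expected value positively, e.g. `its(['OverrideDEP']) { should cmp false }`, makes a missing or malformed result fail. The same applies to `its(['ForceRelocateImages']) { should_not eq '2' }`, which the check text requires to be ON, and that describe title mentions BottomUp although no BottomUp assertion exists. In `if input('sensitive_system') == 'true' || nil` the `|| nil` is a no-op and should be dropped. I cannot confirm from the hunk which value type the JSON output carries for these fields, so the exact positive matcher should be verified against a live run.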
@@ -10255,30 +10251,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63877' do\n title \"The Deny log on locally user right on workstations must be configured\n to prevent access from highly privileged domain accounts on domain systems and\n unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The \\\"Deny log on locally\\\" right defines accounts that are prevented from\n logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000085'\n tag gid: 'V-63877'\n tag rid: 'SV-78367r2_rule'\n tag stig_id: 'WN10-UR-000085'\n tag fix_id: 'F-88443r1_fix'\n tag cci: ['CCI-000213']\n tag nist: %w[AC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following groups or accounts are not defined for the \\\"Deny log on\n locally\\\" right, this is a finding.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and 
Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n All Systems:\n Guests Group\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Deny log on locally\\\" to include the following.\n\n Domain Systems Only:\n Enterprise Admins Group\n Domain Admins Group\n\n Privileged Access Workstations (PAWs) dedicated to the management of Active\n Directory are exempt from denying the Enterprise Admins and Domain Admins\n groups. (See the Windows Privileged Access Workstation STIG for PAW\n requirements.)\n\n All Systems:\n Guests Group\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should be_in [\"#{domain_admin_sid}\", \"#{enterprise_admin_sid}\"] }\n end\n end\nend\n", + "code": "control 'V-63569' do\n title 'Insecure logons to an SMB server must be disabled.'\n desc \"Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000040'\n tag gid: 
'V-63569'\n tag rid: 'SV-78059r2_rule'\n tag stig_id: 'WN10-CC-000040'\n tag fix_id: 'F-69499r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\LanmanWorkstation\\\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Lanman Workstation >> \\\"Enable insecure\n guest logons\\\" to \\\"Disabled\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId == '1507'\n impact 0.0\n describe 'This setting requires v1507 does not include this setting; it is NA for version.' 
do\n skip 'This setting requires v1507 does not include this setting; it is NA for version.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation') do\n it { should have_property 'AllowInsecureGuestAuth' }\n its('AllowInsecureGuestAuth') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63877.rb", + "ref": "./Windows 10 STIG/controls/V-63569.rb", "line": 3 }, - "id": "V-63877" + "id": "V-63569" }, { - "title": "Windows 10 systems must be maintained at a supported servicing level.", - "desc": "Windows 10 is maintained by Microsoft at servicing levels for specific\n periods of time to support Windows as a Service. Systems at unsupported\n servicing levels or releases will not receive security updates for new\n vulnerabilities which leaves them subject to exploitation.\n\n New versions with feature updates are planned to be released on a\n semi-annual basis with an estimated support timeframe of 18 to 30 months\n depending on the release. Support for previously released versions has been\n extended for Enterprise editions.\n\n A separate servicing branch intended for special purpose systems is the\n Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive\n security updates for 10 years but excludes feature updates.", + "title": "The setting to allow Microsoft accounts to be optional for modern\n style apps must be enabled.", + "desc": "Control of credentials and the system must be maintained within the\n enterprise. Enabling this setting allows enterprise credentials to be used\n with modern style apps that support this, instead of Microsoft accounts.", "descriptions": { - "default": "Windows 10 is maintained by Microsoft at servicing levels for specific\n periods of time to support Windows as a Service. 
Systems at unsupported\n servicing levels or releases will not receive security updates for new\n vulnerabilities which leaves them subject to exploitation.\n\n New versions with feature updates are planned to be released on a\n semi-annual basis with an estimated support timeframe of 18 to 30 months\n depending on the release. Support for previously released versions has been\n extended for Enterprise editions.\n\n A separate servicing branch intended for special purpose systems is the\n Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive\n security updates for 10 years but excludes feature updates.", - "check": "Run \"winver.exe\".\n\n If the \"About Windows\" dialog box does not display:\n\n \"Microsoft Windows Version 1703 (OS Build 15063.0)\"\n\n or greater, this is a finding.\n\n Note: Microsoft has extended support for previous versions providing critical\n and important updates for Windows 10 Enterprise.\n\n Microsoft scheduled end of support dates for current Semi-Annual Channel\n versions:\n v1703 - 8 October 2019\n v1709 - 14 April 2020\n v1803 - 10 November 2020\n v1809 - 13 April 2021\n v1903 - 8 December 2020\n\n No preview versions will be used in a production environment.\n\n Special purpose systems using the Long-Term Servicing Branch\\Channel (LTSC\\B)\n may be at following versions which are not a finding:\n\n v1507 (Build 10240)\n v1607 (Build 14393)\n v1809 (Build 17763)", - "fix": "Update systems on the Semi-Annual Channel to \"Microsoft Windows\n Version 1703 (OS Build 15063.0)\" or greater.\n\n It is recommended systems be upgraded to the most recently released version.\n\n Special purpose systems using the Long-Term Servicing Branch\\Channel (LTSC\\B)\n may be at the following versions:\n\n v1507 (Build 10240)\n v1607 (Build 14393)\n v1809 (Build 17763)" + "default": "Control of credentials and the system must be maintained within the\n enterprise. 
Enabling this setting allows enterprise credentials to be used\n with modern style apps that support this, instead of Microsoft accounts.", + "check": "Windows 10 LTSC\\B versions do not support the Microsoft Store\n and modern apps; this is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: MSAOptional\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Runtime >> \"Allow\n Microsoft accounts to be optional\" to \"Enabled\"." }, - "impact": 0.7, + "impact": 0.3, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-00-000040", - "gid": "V-63349", - "rid": "SV-77839r9_rule", - "stig_id": "WN10-00-000040", - "fix_id": "F-98031r2_fix", + "severity": "low", + "gtitle": "WN10-CC-000170", + "gid": "V-63659", + "rid": "SV-78149r2_rule", + "stig_id": "WN10-CC-000170", + "fix_id": "F-69587r1_fix", "cci": [ "CCI-000366" ], 
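Review bot: The NA skip message in the new V-63569 code, `'This setting requires v1507 does not include this setting; it is NA for version.'`, is garbled and is what shows up in the report; `'Windows 10 v1507 LTSB does not include this setting; this control is NA.'` states the caveat from the check text. The NA branch keys on `ReleaseId == '1507'` alone, while the check text limits NA to the v1507 LTSB edition, so any non-LTSB v1507 build would also be skipped; if that distinction matters, the edition could be checked alongside ReleaseId, which I cannot confirm from the hunk. The registry assertion itself (`have_property` followed by `cmp 0`) is a positive check and reads correctly.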
@@ -10297,70 +10293,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63349' do\n title 'Windows 10 systems must be maintained at a supported servicing level.'\n desc \"Windows 10 is maintained by Microsoft at servicing levels for specific\n periods of time to support Windows as a Service. Systems at unsupported\n servicing levels or releases will not receive security updates for new\n vulnerabilities which leaves them subject to exploitation.\n\n New versions with feature updates are planned to be released on a\n semi-annual basis with an estimated support timeframe of 18 to 30 months\n depending on the release. Support for previously released versions has been\n extended for Enterprise editions.\n\n A separate servicing branch intended for special purpose systems is the\n Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive\n security updates for 10 years but excludes feature updates.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000040'\n tag gid: 'V-63349'\n tag rid: 'SV-77839r9_rule'\n tag stig_id: 'WN10-00-000040'\n tag fix_id: 'F-98031r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"winver.exe\\\".\n\n If the \\\"About Windows\\\" dialog box does not display:\n\n \\\"Microsoft Windows Version 1703 (OS Build 15063.0)\\\"\n\n or greater, this is a finding.\n\n Note: Microsoft has extended support for previous versions providing critical\n and important updates for Windows 10 Enterprise.\n\n Microsoft scheduled end of support dates for current Semi-Annual Channel\n versions:\n v1703 - 8 October 2019\n v1709 - 14 April 2020\n v1803 - 10 November 2020\n v1809 - 13 April 2021\n 
v1903 - 8 December 2020\n\n No preview versions will be used in a production environment.\n\n Special purpose systems using the Long-Term Servicing Branch\\\\Channel (LTSC\\\\B)\n may be at following versions which are not a finding:\n\n v1507 (Build 10240)\n v1607 (Build 14393)\n v1809 (Build 17763)\"\n\n desc \"fix\", \"Update systems on the Semi-Annual Channel to \\\"Microsoft Windows\n Version 1703 (OS Build 15063.0)\\\" or greater.\n\n It is recommended systems be upgraded to the most recently released version.\n\n Special purpose systems using the Long-Term Servicing Branch\\\\Channel (LTSC\\\\B)\n may be at the following versions:\n\n v1507 (Build 10240)\n v1607 (Build 14393)\n v1809 (Build 17763)\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion') do\n it { should have_property 'CurrentVersion' }\n its('CurrentVersion') { should be >= '6.3' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion') do\n it { should have_property 'CurrentBuildNumber' }\n its('ReleaseId') { should be >= '1703' }\n end\nend\n", - "source_location": { - "ref": "./Windows 10 STIG/controls/V-63349.rb", - "line": 3 - }, - "id": "V-63349" - }, - { - "title": "Windows 10 must be configured to audit other Logon/Logoff Events\nSuccesses.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. 
Logon events are essential to\nunderstanding user activity and detecting potential attacks.", - "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. Logon events are essential to\nunderstanding user activity and detecting potential attacks.", - "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Logon/Logoff >> Other Logon/Logoff Events - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Other Logon/Logoff Events\"\nwith \"Success\" selected." 
- }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": null, - "gtitle": "WN10-AU-000560", - "gid": "V-99543", - "rid": "SV-108647r1_rule", - "stig_id": "WN10-AU-000560", - "fix_id": "F-105227r1_fix", - "cci": [ - "CCI-000130" - ], - "nist": [ - "AU-3", - "Rev_4" - ] - }, - "code": "control \"V-99543\" do\n title \"Windows 10 must be configured to audit other Logon/Logoff Events\nSuccesses.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. Logon events are essential to\nunderstanding user activity and detecting potential attacks.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000560\"\n tag gid: \"V-99543\"\n tag rid: \"SV-108647r1_rule\"\n tag stig_id: \"WN10-AU-000560\"\n tag fix_id: \"F-105227r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Logon/Logoff >> Other Logon/Logoff Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Other Logon/Logoff Events\\\"\nwith \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Other Logon/Logoff Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Logon/Logoff Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63659' do\n title \"The setting to allow Microsoft accounts to be optional for modern\n style apps must be enabled.\"\n desc \"Control of credentials and the system must be maintained within the\n enterprise. Enabling this setting allows enterprise credentials to be used\n with modern style apps that support this, instead of Microsoft accounts.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000170'\n tag gid: 'V-63659'\n tag rid: 'SV-78149r2_rule'\n tag stig_id: 'WN10-CC-000170'\n tag fix_id: 'F-69587r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Windows 10 LTSC\\\\B versions do not support the Microsoft Store\n and modern apps; this is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: MSAOptional\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc \"fix\", 
\"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> App Runtime >> \\\"Allow\n Microsoft accounts to be optional\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'MSAOptional' }\n its('MSAOptional') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99543.rb", + "ref": "./Windows 10 STIG/controls/V-63659.rb", "line": 3 }, - "id": "V-99543" + "id": "V-63659" }, { - "title": "Outgoing secure channel traffic must be encrypted or signed.", - "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.", + "title": "The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.", + "desc": "SMBv1 is not installed on this system, therefore this control is not applicable", "descriptions": { - "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Digitally encrypt or sign secure channel data (always)\" to\n \"Enabled\"." 
+ "default": "SMBv1 is not installed on this system, therefore this control is not applicable", + "check": "Different methods are available to disable SMBv1 on Windows 10,\n if V-70639 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Configure SMBv1 Server\" to\n \"Disabled\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively.\n\n The system must be restarted for the change to take effect." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000035", - "gid": "V-63639", - "rid": "SV-78129r1_rule", - "stig_id": "WN10-SO-000035", - "fix_id": "F-69567r1_fix", + "gtitle": "WN10-00-000165", + "gid": "V-74723", + "rid": "SV-89397r1_rule", + "stig_id": "WN10-00-000165", + "fix_id": "F-81337r2_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000381" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
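Review bot: In the new V-74723 entry (last control of the hunk) `desc` and `descriptions.default` now read `SMBv1 is not installed on this system, therefore this control is not applicable` and `impact` is `0`, which is a run-time result for one host rather than the control's rationale, while `severity` stays `medium` and the new `code` string that follows in the next hunk still begins with the SMBv1 protocol description; the baseline metadata and the embedded code should agree, so the rationale text and the profile-level impact belong here and the control's own NA logic should set `impact 0.0` at run time. Separately, the new V-63659 code earlier in this hunk has no NA branch for the LTSC/LTSB editions its own check text calls NA, unlike V-63569 in the previous hunk which skips on `ReleaseId`, so on those systems a missing `MSAOptional` value is reported as a finding rather than NA.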
@@ -10374,37 +10335,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63639' do\n title 'Outgoing secure channel traffic must be encrypted or signed.'\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000035'\n tag gid: 'V-63639'\n tag rid: 'SV-78129r1_rule'\n tag stig_id: 'WN10-SO-000035'\n tag fix_id: 'F-69567r1_fix'\n tag cci: %w[CCI-002418 CCI-002421]\n tag nist: ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Digitally encrypt or sign secure channel data (always)\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters') do\n it { should have_property 'RequireSignOrSeal' }\n its('RequireSignOrSeal') { should cmp 1 }\n end\nend\n", + "code": "control 'V-74723' do\n title 'The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.'\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known 
to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older network\n attached devices may only support SMBv1.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000165'\n tag gid: 'V-74723'\n tag rid: 'SV-89397r1_rule'\n tag stig_id: 'WN10-00-000165'\n tag fix_id: 'F-81337r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows 10,\n if V-70639 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Configure SMBv1 Server\\\" to\n \\\"Disabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\n\n The system must be restarted for the change to take effect.\"\n\n smb1protocol = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params\n state = smb1protocol['State']\n\n if state == \"Disabled\"\n impact 0.0\n describe 'V-70639 is configured, this control is NA' do\n skip 'V-70639 is configured, this control is NA'\n end\n elsif windows_feature('FS-SMB1').installed?\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters') do\n it { should have_property 'SMB1' }\n its('SMB1') { should cmp 0 }\n end\n else\n impact 0.0\n desc 'SMBv1 is not installed on this system, therefore this control is not applicable'\n describe 'SMBv1 is not installed on this system, therefore this control is not applicable' do\n skip 'SMBv1 is not installed on this system, therefore this control is not applicable'\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63639.rb", + "ref": "./Windows 10 STIG/controls/V-74723.rb", "line": 3 }, - "id": "V-63639" + "id": "V-74723" }, { - "title": "The system must be configured to audit System - System Integrity\n failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", + "title": "Autoplay must be turned off for non-volume devices.", + "desc": "Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start.\n This setting will disable autoplay for non-volume devices (such as Media\n Transfer Protocol (MTP) devices).", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> System Integrity - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit System Integrity\" with \"Failure\"\n selected." + "default": "Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start.\n This setting will disable autoplay for non-volume devices (such as Media\n Transfer Protocol (MTP) devices).", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoAutoplayfornonVolume\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >>\n \"Disallow Autoplay for non-volume devices\" to \"Enabled\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-AU-000155", - "gid": "V-63515", - "rid": "SV-78005r1_rule", - "stig_id": "WN10-AU-000155", - "fix_id": "F-69445r1_fix", + "severity": "high", + "gtitle": "WN10-CC-000180", + "gid": "V-63667", + "rid": "SV-78157r1_rule", + "stig_id": "WN10-CC-000180", + "fix_id": "F-69595r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-001764" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-7 (2)", "Rev_4" ], "false_negatives": null, 
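Review bot: In the V-74723 code, the `elsif windows_feature('FS-SMB1').installed?` branch uses the Windows Server feature name; on Windows 10 the optional feature is `SMB1Protocol`, so that lookup is unlikely to resolve and a host whose `State` is `Enabled` appears to fall through to the else branch and be reported NA instead of having `LanmanServer\Parameters\SMB1` checked — a false negative on exactly the hosts this control exists for. Routing on the value already computed, `elsif state == \"Enabled\"`, would send those hosts to the registry describe. The same else branch calls `desc 'SMBv1 is not installed on this system, ...'` at evaluation time, which is consistent with the exported record's description and impact reflecting one host's state rather than the control definition, so consumers of this baseline would see a host-specific NA. `smb1protocol['State']` is also read with no guard for `json(...).params` being nil when the PowerShell pipeline returns nothing; these are inferred from the resource's documented behaviour and worth confirming on a host with SMB1Protocol enabled. The enclosing JSON object continues outside the hunk.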
@@ -10418,35 +10377,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63515' do\n title \"The system must be configured to audit System - System Integrity\n failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000155'\n tag gid: 'V-63515'\n tag rid: 'SV-78005r1_rule'\n tag stig_id: 'WN10-AU-000155'\n tag fix_id: 'F-69445r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> System Integrity - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Failure' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-63667\" do\n title \"Autoplay must be turned off for non-volume devices.\"\n desc \"Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start.\n This setting will disable autoplay for non-volume devices (such as Media\n Transfer Protocol (MTP) devices).\"\n impact 0.7\n tag severity: \"high\"\n tag gtitle: \"WN10-CC-000180\"\n tag gid: \"V-63667\"\n tag rid: \"SV-78157r1_rule\"\n tag stig_id: \"WN10-CC-000180\"\n tag fix_id: \"F-69595r1_fix\"\n tag cci: [\"CCI-001764\"]\n tag nist: [\"CM-7 (2)\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoAutoplayfornonVolume\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> 
Windows Components >> AutoPlay Policies >>\n \\\"Disallow Autoplay for non-volume devices\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoAutoplayfornonVolume' }\n its('NoAutoplayfornonVolume') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63515.rb", - "line": 3 + "ref": "./Windows 10 STIG/controls/V-63667.rb", + "line": 2 }, - "id": "V-63515" + "id": "V-63667" }, { - "title": "The user must be prompted for a password on resume from sleep (plugged\n in).", - "desc": "Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep\n (plugged in).", + "title": "The Telnet Client must not be installed on the system.", + "desc": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", "descriptions": { - "default": "Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep\n (plugged in).", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: ACSettingIndex\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n \"Require a password when a computer wakes (plugged in)\" to \"Enabled\"." + "default": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", + "check": "The \"Telnet Client\" is not installed by default. 
Verify it has\n not been installed.\n\n Navigate to the Windows\\System32 directory.\n\n If the \"telnet\" application exists, this is a finding.", + "fix": "Uninstall \"Telnet Client\" from the system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows Features on or off\".\n\n De-select \"Telnet Client\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000150", - "gid": "V-63649", - "rid": "SV-78139r1_rule", - "stig_id": "WN10-CC-000150", - "fix_id": "F-69579r1_fix", + "gtitle": "WN10-00-000115", + "gid": "V-63385", + "rid": "SV-77875r1_rule", + "stig_id": "WN10-00-000115", + "fix_id": "F-69307r1_fix", "cci": [ - "CCI-002038" + "CCI-000382" ], "nist": [ - "IA-11", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
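Review bot: The V-63667 code is written with double-quoted identifiers (`control "V-63667"`, `tag severity: "high"`, `tag nist: ["CM-7 (2)", "Rev_4"]`) while every neighbouring control in this file uses single quotes and `%w[]`/`['...']` forms, and its `source_location.line` is 2 rather than 3, which suggests it was regenerated from a differently formatted source file. The logic itself matches the check text (`NoAutoplayfornonVolume` should `cmp 1`), so this is a consistency point only; normalising the quoting to `control 'V-63667'` and `tag severity: 'high'` would keep the embedded controls uniform. The enclosing JSON object continues outside the hunk.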
@@ -10460,30 +10419,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63649' do\n title \"The user must be prompted for a password on resume from sleep (plugged\n in).\"\n desc \"Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep\n (plugged in).\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000150'\n tag gid: 'V-63649'\n tag rid: 'SV-78139r1_rule'\n tag stig_id: 'WN10-CC-000150'\n tag fix_id: 'F-69579r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: ACSettingIndex\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n \\\"Require a password when a computer wakes (plugged in)\\\" to \\\"Enabled\\\".\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63649.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63649.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'ACSettingIndex' }\n its('ACSettingIndex') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-63385' do\n title 'The Telnet Client must not be installed on the system.'\n desc \"Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000115'\n tag gid: 'V-63385'\n tag rid: 'SV-77875r1_rule'\n tag stig_id: 'WN10-00-000115'\n tag fix_id: 'F-69307r1_fix'\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The \\\"Telnet Client\\\" is not installed by default. 
Verify it has\n not been installed.\n\n Navigate to the Windows\\\\System32 directory.\n\n If the \\\"telnet\\\" application exists, this is a finding.\"\n\n desc \"fix\", \"Uninstall \\\"Telnet Client\\\" from the system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows Features on or off\\\".\n\n De-select \\\"Telnet Client\\\".\"\n\n describe windows_feature('Telnet Client') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63649.rb", + "ref": "./Windows 10 STIG/controls/V-63385.rb", "line": 3 }, - "id": "V-63649" + "id": "V-63385" }, { - "title": "Domain-joined systems must use Windows 10 Enterprise Edition 64-bit\n version.", - "desc": "Features such as Credential Guard use virtualization based security to\n protect information that could be used in credential theft attacks if\n compromised. There are a number of system requirements that must be met in\n order for Credential Guard to be configured and enabled properly.\n Virtualization based security and Credential Guard are only available with\n Windows 10 Enterprise 64-bit version.", + "title": "Users must not be allowed to ignore Windows Defender SmartScreen\n filter warnings for malicious websites in Microsoft Edge.", + "desc": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still access malicious websites.", "descriptions": { - "default": "Features such as Credential Guard use virtualization based security to\n protect information that could be used in credential theft attacks if\n compromised. 
There are a number of system requirements that must be met in\n order for Credential Guard to be configured and enabled properly.\n Virtualization based security and Credential Guard are only available with\n Windows 10 Enterprise 64-bit version.", - "check": "Verify domain-joined systems are using Windows 10 Enterprise\n Edition 64-bit version.\n\n For standalone systems, this is NA.\n\n Open \"Settings\".\n\n Select \"System\", then \"About\".\n\n If \"Edition\" is not \"Windows 10 Enterprise\", this is a finding.\n\n If \"System type\" is not \"64-bit operating system…\", this is a finding.", - "fix": "Use Windows 10 Enterprise 64-bit version for domain-joined systems." + "default": "The Windows Defender SmartScreen filter in Microsoft Edge provides\n warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still access malicious websites.", + "check": "This is applicable to unclassified systems, for other systems\n this is NA.\n\n Windows 10 LTSC\\B versions do not include Microsoft Edge, this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter\\\n\n Value Name: PreventOverride\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \"Prevent\n bypassing Windows Defender SmartScreen prompts for sites\" to \"Enabled\".\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Microsoft Edge." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000005", - "gid": "V-63319", - "rid": "SV-77809r3_rule", - "stig_id": "WN10-00-000005", - "fix_id": "F-69237r2_fix", + "gtitle": "WN10-CC-000230", + "gid": "V-63699", + "rid": "SV-78189r6_rule", + "stig_id": "WN10-CC-000230", + "fix_id": "F-98463r1_fix", "cci": [ "CCI-000366" ], 
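Review bot: The V-63385 test `windows_feature('Telnet Client')` passes the display name, but InSpec's windows_feature resource resolves names through DISM or `Get-WindowsFeature`, where the Windows 10 optional-feature name is `TelnetClient` (and `Get-WindowsFeature` is not available on client editions), so the lookup plausibly fails and `should_not be_installed` passes on every host, including one with telnet present. The check text carried in this hunk looks for the binary in System32, so `describe file('C:\\Windows\\System32\\telnet.exe') do it { should_not exist } end` (or `windows_feature('TelnetClient', :dism)`) would match the stated check and actually fail when the client is installed. This is inferred from the resource's documented behaviour rather than visible here, so confirm on a host with the feature enabled. The enclosing JSON object continues outside the hunk.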
@@ -10502,30 +10461,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63319' do\n title \"Domain-joined systems must use Windows 10 Enterprise Edition 64-bit\n version.\"\n desc \"Features such as Credential Guard use virtualization based security to\n protect information that could be used in credential theft attacks if\n compromised. There are a number of system requirements that must be met in\n order for Credential Guard to be configured and enabled properly.\n Virtualization based security and Credential Guard are only available with\n Windows 10 Enterprise 64-bit version.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000005'\n tag gid: 'V-63319'\n tag rid: 'SV-77809r3_rule'\n tag stig_id: 'WN10-00-000005'\n tag fix_id: 'F-69237r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify domain-joined systems are using Windows 10 Enterprise\n Edition 64-bit version.\n\n For standalone systems, this is NA.\n\n Open \\\"Settings\\\".\n\n Select \\\"System\\\", then \\\"About\\\".\n\n If \\\"Edition\\\" is not \\\"Windows 10 Enterprise\\\", this is a finding.\n\n If \\\"System type\\\" is not \\\"64-bit operating system…\\\", this is a finding.\"\n\n desc \"fix\", 'Use Windows 10 Enterprise 64-bit version for domain-joined systems.'\n\n describe os.arch do\n it { should eq 'x86_64' }\n end\n\n describe os.name do\n it { should eq 'windows_10_enterprise' }\n end\nend\n", + "code": "control 'V-63699' do\n title \"Users must not be allowed to ignore Windows Defender SmartScreen\n filter warnings for malicious websites in Microsoft Edge.\"\n desc \"The Windows Defender SmartScreen filter in Microsoft Edge provides\n 
warning messages and blocks potentially malicious websites and file downloads.\n If users are allowed to ignore warnings from the Windows Defender SmartScreen\n filter they could still access malicious websites.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000230'\n tag gid: 'V-63699'\n tag rid: 'SV-78189r6_rule'\n tag stig_id: 'WN10-CC-000230'\n tag fix_id: 'F-98463r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"This is applicable to unclassified systems, for other systems\n this is NA.\n\n Windows 10 LTSC\\\\B versions do not include Microsoft Edge, this is NA for those\n systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\MicrosoftEdge\\\\PhishingFilter\\\\\n\n Value Name: PreventOverride\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Microsoft Edge >> \\\"Prevent\n bypassing Windows Defender SmartScreen prompts for sites\\\" to \\\"Enabled\\\".\n\n Windows 10 includes duplicate policies for this setting. It can also be\n configured under Computer Configuration >> Administrative Templates >> Windows\n Components >> Windows Defender SmartScreen >> Microsoft Edge.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter') do\n it { should have_property 'PreventOverride' }\n its('PreventOverride') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63319.rb", + "ref": "./Windows 10 STIG/controls/V-63699.rb", "line": 3 }, - "id": "V-63319" + "id": "V-63699" }, { - "title": "The Server Message Block (SMB) v1 protocol must be disabled on the system.", - "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older Network\n Attached Storage (NAS) devices may only support SMBv1.", + "title": "WDigest Authentication must be disabled.", + "desc": "When the WDigest Authentication protocol is enabled, plain text\n passwords are stored in the Local Security Authority Subsystem Service (LSASS)\n exposing them to theft. WDigest is disabled by default in Windows 10. This\n setting ensures this is enforced.", "descriptions": { - "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. 
Some older Network\n Attached Storage (NAS) devices may only support SMBv1.", - "check": "Different methods are available to disable SMBv1 on Windows 10.\n This is the preferred method, however if V-74723 and V-74725 are configured,\n this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter the following:\n Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol\n\n If \"State : Enabled\" is returned, this is a finding.\n\n Alternately:\n Search for \"Features\".\n\n Select \"Turn Windows features on or off\".\n\n If \"SMB 1.0/CIFS File Sharing Support\" is selected, this is a finding.", - "fix": "Disable the SMBv1 protocol.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter the following:\n Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol\n\n Alternately:\n Search for \"Features\".\n\n Select \"Turn Windows features on or off\".\n\n De-select \"SMB 1.0/CIFS File Sharing Support\"." + "default": "When the WDigest Authentication protocol is enabled, plain text\n passwords are stored in the Local Security Authority Subsystem Service (LSASS)\n exposing them to theft. WDigest is disabled by default in Windows 10. This\n setting ensures this is enforced.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\\\n\n Value Name: UseLogonCredential\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"WDigest Authentication\n (disabling may require KB2871997)\" to \"Disabled\".\n\n The patch referenced in the policy title is not required for Windows 10.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
\"SecGuide.admx\" and \"SecGuide.adml\" must\n be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000160", - "gid": "V-70639", - "rid": "SV-85261r2_rule", - "stig_id": "WN10-00-000160", - "fix_id": "F-76871r2_fix", + "gtitle": "WN10-CC-000038", + "gid": "V-71763", + "rid": "SV-86387r1_rule", + "stig_id": "WN10-CC-000038", + "fix_id": "F-78115r4_fix", "cci": [ "CCI-000381" ], 
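Review bot: The V-63699 code models only the "sensitive system" NA condition, while the check text it carries also says the control is NA on Windows 10 LTSC/LTSB builds that ship without Microsoft Edge, so on those builds the `PreventOverride` registry describe would report a finding the STIG itself says does not apply; gating the describe on the edition (for example via `os.name` or the presence of the Edge package) would align the code with the check text. The NA gate compares `input('sensitive_system') == 'true'` as a string; if the profile declares that input as a boolean the comparison is never true and classified hosts get assessed — worth confirming against the input definition, which is outside this hunk. The enclosing JSON object continues outside the hunk.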
@@ -10544,35 +10503,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-70639' do\n title 'The Server Message Block (SMB) v1 protocol must be disabled on the system.'\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older Network\n Attached Storage (NAS) devices may only support SMBv1.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000160'\n tag gid: 'V-70639'\n tag rid: 'SV-85261r2_rule'\n tag stig_id: 'WN10-00-000160'\n tag fix_id: 'F-76871r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows 10.\n This is the preferred method, however if V-74723 and V-74725 are configured,\n this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter the following:\n Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol\n\n If \\\"State : Enabled\\\" is returned, this is a finding.\n\n Alternately:\n Search for \\\"Features\\\".\n\n Select \\\"Turn Windows features on or off\\\".\n\n If \\\"SMB 1.0/CIFS File Sharing Support\\\" is selected, this is a finding.\"\n desc \"fix\", \"Disable the SMBv1 protocol.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges 
(run as administrator).\n\n Enter the following:\n Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol\n\n Alternately:\n Search for \\\"Features\\\".\n\n Select \\\"Turn Windows features on or off\\\".\n\n De-select \\\"SMB 1.0/CIFS File Sharing Support\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10').has_property_value?('Start', :dword, 4) \n impact 0.0\n desc 'This control is not applicable, as controls V-74725 is configured'\n else\n smb1protocol = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params\n describe 'Feature Name SMB1Protocol should not be Enabled' do\n subject { smb1protocol }\n its(['State']) { should_not eq \"Enabled\" }\n end\n end\nend\n", + "code": "control 'V-71763' do\n title 'WDigest Authentication must be disabled.'\n desc \"When the WDigest Authentication protocol is enabled, plain text\n passwords are stored in the Local Security Authority Subsystem Service (LSASS)\n exposing them to theft. WDigest is disabled by default in Windows 10. 
This\n setting ensures this is enforced.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000038'\n tag gid: 'V-71763'\n tag rid: 'SV-86387r1_rule'\n tag stig_id: 'WN10-CC-000038'\n tag fix_id: 'F-78115r4_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\Wdigest\\\\\n\n Value Name: UseLogonCredential\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"WDigest Authentication\n (disabling may require KB2871997)\\\" to \\\"Disabled\\\".\n\n The patch referenced in the policy title is not required for Windows 10.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must\n be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest') do\n it { should have_property 'UseLogonCredential' }\n its('UseLogonCredential') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-70639.rb", + "ref": "./Windows 10 STIG/controls/V-71763.rb", "line": 3 }, - "id": "V-70639" + "id": "V-71763" }, { - "title": "Windows 10 domain-joined systems must have a Trusted Platform Module\n (TPM) enabled and ready for use.", - "desc": "Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised.\n There are a number of system requirements that must be met in order for\n Credential Guard to be configured and enabled properly. Without a TPM enabled\n and ready for use, Credential Guard keys are stored in a less secure method\n using software.", + "title": "The System event log size must be configured to 32768 KB or greater.", + "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", "descriptions": { - "default": "Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised.\n There are a number of system requirements that must be met in order for\n Credential Guard to be configured and enabled properly. 
Without a TPM enabled\n and ready for use, Credential Guard keys are stored in a less secure method\n using software.", - "check": "Verify domain-joined systems have a TPM enabled and ready for use.\n\n For standalone systems, this is NA.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Verify the system has a TPM and is ready for use.\n Run \"tpm.msc\".\n Review the sections in the center pane.\n \"Status\" must indicate it has been configured with a message such as \"The\n TPM is ready for use\" or \"The TPM is on and ownership has been taken\".\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.\n\n NOTE: The severity level for the requirement will be upgraded to CAT II\n starting January 2020.", - "fix": "For standalone systems, this is NA.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Ensure domain-joined systems must have a Trusted Platform Module (TPM) that is\n configured for use. (Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n Run \"tpm.msc\" for configuration options in Windows." + "default": "Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "check": "If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", + "fix": "If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> Event Log Service >> System >> \"Specify the\n maximum log file size (KB)\" to \"Enabled\" with a \"Maximum Log Size (KB)\" of\n \"32768\" or greater." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-00-000010", - "gid": "V-63323", - "rid": "SV-77813r5_rule", - "stig_id": "WN10-00-000010", - "fix_id": "F-71517r1_fix", + "severity": "medium", + "gtitle": "WN10-AU-000510", + "gid": "V-63527", + "rid": "SV-78017r1_rule", + "stig_id": "WN10-AU-000510", + "fix_id": "F-69457r1_fix", "cci": [ - "CCI-000366" + "CCI-001849" ], "nist": [ - "CM-6 b", + "AU-4", "Rev_4" ], "false_negatives": null, 
@@ -10586,30 +10545,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63323' do\n title \"Windows 10 domain-joined systems must have a Trusted Platform Module\n (TPM) enabled and ready for use.\"\n desc \"Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised.\n There are a number of system requirements that must be met in order for\n Credential Guard to be configured and enabled properly. Without a TPM enabled\n and ready for use, Credential Guard keys are stored in a less secure method\n using software.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-00-000010'\n tag gid: 'V-63323'\n tag rid: 'SV-77813r5_rule'\n tag stig_id: 'WN10-00-000010'\n tag fix_id: 'F-71517r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify domain-joined systems have a TPM enabled and ready for use.\n\n For standalone systems, this is NA.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Verify the system has a TPM and is ready for use.\n Run \\\"tpm.msc\\\".\n Review the sections in the center pane.\n \\\"Status\\\" must indicate it has been configured with a message such as \\\"The\n TPM is ready for use\\\" or \\\"The TPM is on and ownership has been taken\\\".\n TPM Manufacturer Information - Specific Version 
= 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.\n\n NOTE: The severity level for the requirement will be upgraded to CAT II\n starting January 2020.\"\n\n desc \"fix\", \"For standalone systems, this is NA.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Ensure domain-joined systems must have a Trusted Platform Module (TPM) that is\n configured for use. (Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n Run \\\"tpm.msc\\\" for configuration options in Windows.\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if sys_info.manufacturer == \"VMware, Inc.\"\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63323.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63323.'\n end\n elsif is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therefore this control is Not Applicable' do\n skip 'This system is not joined to a domain, therefore this control is Not Applicable'\n end\n else\n tpm_ready = command('Get-Tpm | select -expand TpmReady').stdout.strip\n tpm_present = command('Get-Tpm | select -expand TpmPresent').stdout.strip\n describe 'Trusted Platform Module (TPM) TpmReady' do\n subject { tpm_ready }\n it { should eq 'True' }\n end\n describe 'Trusted Platform Module (TPM) TpmPresent' do\n subject { tpm_present }\n it { should eq 'True' }\n end\n end\nend\n", + "code": "control 'V-63527' do\n title 'The System event log size must be configured to 32768 KB or greater.'\n desc \"Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000510'\n tag gid: 'V-63527'\n tag rid: 'SV-78017r1_rule'\n tag stig_id: 'WN10-AU-000510'\n tag fix_id: 'F-69457r1_fix'\n tag cci: ['CCI-001849']\n tag nist: %w[AU-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the system is configured to send audit records directly to an\n audit server, this is NA. 
This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\System\\\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n\n desc \"fix\", \"If the system is configured to send audit records directly to an\n audit server, this is NA. This must be documented with the ISSO.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> Windows Components >> Event Log Service >> System >> \\\"Specify the\n maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum Log Size (KB)\\\" of\n \\\"32768\\\" or greater.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 32_768 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63323.rb", + "ref": "./Windows 10 STIG/controls/V-63527.rb", "line": 3 }, - "id": "V-63323" + "id": "V-63527" }, { - "title": "The LanMan authentication level must be set to send NTLMv2 response\n only, and to refuse LM and NTLM.", - "desc": "The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n stand-alone computers that are running later versions.", + "title": "Windows Telemetry must not be configured to Full.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \"Security\" option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender and telemetry client settings. \"Basic\" sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services. \"Enhanced\" includes additional information on how Windows and apps\n are used and advanced reliability data. Windows Analytics can use a \"limited\n enhanced\" level to provide information such as health data for devices. This\n requires the configuration of an additional setting available with v1709 and\n later of Windows 10.", "descriptions": { - "default": "The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n stand-alone computers that are running later versions.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 5", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network security: LAN Manager authentication level\" to \"Send NTLMv2\n response only. Refuse LM & NTLM\"." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \"Security\" option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender and telemetry client settings. \"Basic\" sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services. \"Enhanced\" includes additional information on how Windows and apps\n are used and advanced reliability data. Windows Analytics can use a \"limited\n enhanced\" level to provide information such as health data for devices. This\n requires the configuration of an additional setting available with v1709 and\n later of Windows 10.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security)\n 0x00000001 (1) (Basic)\n\n If an organization is using v1709 or later of Windows 10 this may be configured\n to \"Enhanced\" to support Windows Analytics. V-82145 must also be configured\n to limit the Enhanced diagnostic data to the minimum required by Windows\n Analytics. This registry value will then be 0x00000002 (2).", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds >> \"Allow Telemetry\" to \"Enabled\" with \"0 - Security [Enterprise\n Only]\" or \"1 - Basic\" selected in \"Options:\".\n\n If an organization is using v1709 or later of Windows 10 this may be configured\n to \"2 - Enhanced\" to support Windows Analytics. V-82145 must also be\n configured to limit the Enhanced diagnostic data to the minimum required by\n Windows Analytics." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-SO-000205", - "gid": "V-63801", - "rid": "SV-78291r1_rule", - "stig_id": "WN10-SO-000205", - "fix_id": "F-69729r1_fix", + "severity": "medium", + "gtitle": "WN10-CC-000205", + "gid": "V-63683", + "rid": "SV-78173r3_rule", + "stig_id": "WN10-CC-000205", + "fix_id": "F-89003r2_fix", "cci": [ "CCI-000366" ], 
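Review bot: The new V-63527 control code (the `"code"` string spanning this hunk and the previous one) has no path for the NA condition its own check and fix text introduce, "If the system is configured to send audit records directly to an audit server, this is NA"; the registry_key describe always runs, so a host that forwards to an audit server is reported as a finding. The profile elsewhere models NA as `impact 0.0` plus a skipped describe, so the same shape fits here, gated on a profile input whose name the project should choose (the one below is a placeholder). The check text also says the NA case "must be documented with the ISSO", which is worth repeating in the skip message so the report carries that obligation. The proposed change is to the embedded InSpec Ruby, shown unescaped rather than as the JSON-encoded string.
```ruby
# placeholder input name -- pick the profile's own convention
if input('audit_server_forwarding')
  impact 0.0
  describe 'Audit records are sent directly to an audit server (documented with the ISSO); V-63527 is NA' do
    skip 'Audit records are sent directly to an audit server (documented with the ISSO); V-63527 is NA'
  end
else
  describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System') do
    it { should have_property 'MaxSize' }
    its('MaxSize') { should be >= 32_768 }
  end
end
```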
@@ -10628,35 +10587,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63801' do\n title \"The LanMan authentication level must be set to send NTLMv2 response\n only, and to refuse LM and NTLM.\"\n desc \"The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n stand-alone computers that are running later versions.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000205'\n tag gid: 'V-63801'\n tag rid: 'SV-78291r1_rule'\n tag stig_id: 'WN10-SO-000205'\n tag fix_id: 'F-69729r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 5\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network security: LAN Manager authentication level\\\" to \\\"Send NTLMv2\n response only. 
Refuse LM & NTLM\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'LmCompatibilityLevel' }\n its('LmCompatibilityLevel') { should cmp 5 }\n end\nend\n", + "code": "control 'V-63683' do\n title 'Windows Telemetry must not be configured to Full.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The \\\"Security\\\" option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender and telemetry client settings. \\\"Basic\\\" sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services. \\\"Enhanced\\\" includes additional information on how Windows and apps\n are used and advanced reliability data. Windows Analytics can use a \\\"limited\n enhanced\\\" level to provide information such as health data for devices. This\n requires the configuration of an additional setting available with v1709 and\n later of Windows 10. 
\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000205'\n tag gid: 'V-63683'\n tag rid: 'SV-78173r3_rule'\n tag stig_id: 'WN10-CC-000205'\n tag fix_id: 'F-89003r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection\\\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security)\n 0x00000001 (1) (Basic)\n\n If an organization is using v1709 or later of Windows 10 this may be configured\n to \\\"Enhanced\\\" to support Windows Analytics. V-82145 must also be configured\n to limit the Enhanced diagnostic data to the minimum required by Windows\n Analytics. This registry value will then be 0x00000002 (2).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds >> \\\"Allow Telemetry\\\" to \\\"Enabled\\\" with \\\"0 - Security [Enterprise\n Only]\\\" or \\\"1 - Basic\\\" selected in \\\"Options:\\\".\n\n If an organization is using v1709 or later of Windows 10 this may be configured\n to \\\"2 - Enhanced\\\" to support Windows Analytics. 
V-82145 must also be\n configured to limit the Enhanced diagnostic data to the minimum required by\n Windows Analytics.\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 2 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63801.rb", + "ref": "./Windows 10 STIG/controls/V-63683.rb", "line": 3 }, - "id": "V-63801" + "id": "V-63683" }, { - "title": "Anonymous enumeration of SAM accounts must not be allowed.", - "desc": "Anonymous enumeration of SAM accounts allows anonymous log on users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.", + "title": "The Access Credential Manager as a trusted caller user right must not\n be assigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Access Credential Manager as a trusted caller\" user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.", "descriptions": { - "default": "Anonymous enumeration of SAM accounts allows anonymous log on users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: 
HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Do not allow anonymous enumeration of SAM accounts\" to\n \"Enabled\"." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \"Access Credential Manager as a trusted caller\" user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \"Access Credential Manager as a\n trusted caller\" user right, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Access Credential Manager as a trusted caller\" to be defined but containing\n no entries (blank)." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-SO-000145", - "gid": "V-63745", - "rid": "SV-78235r1_rule", - "stig_id": "WN10-SO-000145", - "fix_id": "F-69673r1_fix", + "severity": "medium", + "gtitle": "WN10-UR-000005", + "gid": "V-63843", + "rid": "SV-78333r1_rule", + "stig_id": "WN10-UR-000005", + "fix_id": "F-69771r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
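Review bot: The new V-63683 code in this hunk accepts `AllowTelemetry` = 2 unconditionally through the third `describe.one` alternative, while the check text in the same control only permits 2 when the organization runs Windows 10 v1709 or later and V-82145 is also configured to limit Enhanced diagnostic data; as written, a host sending full Enhanced telemetry without that limit passes. The acceptance of 2 should be gated on a profile input recording that condition (name below is a placeholder), and the three near-identical describe blocks over the same key collapse to one `be_in` assertion, which also makes the allowed set visible in the report. The change is to the embedded InSpec Ruby, shown unescaped rather than as the JSON-encoded string.
```ruby
# placeholder input name -- true only when v1709+ is in use and V-82145 is configured
allowed_levels = input('windows_analytics_limited_enhanced') ? [0, 1, 2] : [0, 1]

describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection') do
  it { should have_property 'AllowTelemetry' }
  its('AllowTelemetry') { should be_in allowed_levels }
end
```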
@@ -10670,30 +10629,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63745' do\n title 'Anonymous enumeration of SAM accounts must not be allowed.'\n desc \"Anonymous enumeration of SAM accounts allows anonymous log on users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000145'\n tag gid: 'V-63745'\n tag rid: 'SV-78235r1_rule'\n tag stig_id: 'WN10-SO-000145'\n tag fix_id: 'F-69673r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Do not allow anonymous enumeration of SAM accounts\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'RestrictAnonymousSAM' }\n its('RestrictAnonymousSAM') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63843' do\n title \"The Access Credential Manager as a trusted caller user right must not\n be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n Accounts with the \\\"Access Credential Manager as a 
trusted caller\\\" user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000005'\n tag gid: 'V-63843'\n tag rid: 'SV-78333r1_rule'\n tag stig_id: 'WN10-UR-000005'\n tag fix_id: 'F-69771r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts are granted the \\\"Access Credential Manager as a\n trusted caller\\\" user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Access Credential Manager as a trusted caller\\\" to be defined but containing\n no entries (blank).\"\n\n describe security_policy do\n its('SeTrustedCredManAccessPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63745.rb", + "ref": "./Windows 10 STIG/controls/V-63843.rb", "line": 3 }, - "id": "V-63745" + "id": "V-63843" }, { - "title": "The built-in guest account must be renamed.", - "desc": "The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. 
Renaming this account\n to an unidentified name improves the protection of this account and the system.", + "title": "The system must be configured to prevent Internet Control Message\n Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)\n generated routes.", + "desc": "Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. When disabled, this forces ICMP to be routed via shortest path\n first.", "descriptions": { - "default": "The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Rename guest account\" is set to \"Guest\", this\n is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Rename guest account\" to a name other than \"Guest\"." + "default": "Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. 
When disabled, this forces ICMP to be routed via shortest path\n first.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (EnableICMPRedirect) Allow\n ICMP redirects to override OSPF generated routes\" to \"Disabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \"MSS-Legacy.admx\" and \"\n MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-SO-000025", - "gid": "V-63625", - "rid": "SV-78115r1_rule", - "stig_id": "WN10-SO-000025", - "fix_id": "F-69555r1_fix", + "severity": "low", + "gtitle": "WN10-CC-000030", + "gid": "V-63563", + "rid": "SV-78053r1_rule", + "stig_id": "WN10-CC-000030", + "fix_id": "F-69493r1_fix", "cci": [ "CCI-000366" ], 
@@ -10712,35 +10671,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63625' do\n title 'The built-in guest account must be renamed.'\n desc \"The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000025'\n tag gid: 'V-63625'\n tag rid: 'SV-78115r1_rule'\n tag stig_id: 'WN10-SO-000025'\n tag fix_id: 'F-69555r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Rename guest account\\\" is set to \\\"Guest\\\", this\n is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Rename guest account\\\" to a name other than \\\"Guest\\\".\"\n\n describe user('Guest') do\n it { should_not exist }\n end\nend\n", + "code": "control 'V-63563' do\n title \"The system must be configured to prevent Internet Control Message\n Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)\n generated routes.\"\n desc \"Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. 
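Review bot: The hunk swaps the whole V-63745 control (RestrictAnonymousSAM) for V-63843 (SeTrustedCredManAccessPrivilege) rather than modifying either one, which suggests the exported `controls` array is written in a non-deterministic order; from this diff a reviewer cannot tell whether any control was dropped or whether its InSpec test changed between exports. Sorting the array by `id` before committing the export, e.g. `jq '.controls |= sort_by(.id)'`, would make a re-export produce a diff that shows only real changes to a baseline. The V-63843 test itself looks consistent with its check text: `its('SeTrustedCredManAccessPrivilege') { should eq [] }` enforces "defined but containing no entries". The enclosing control object begins before the first line of this hunk.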
When disabled, this forces ICMP to be routed via shortest path\n first.\"\n\n impact 0.3\n\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000030'\n tag gid: 'V-63563'\n tag rid: 'SV-78053r1_rule'\n tag stig_id: 'WN10-CC-000030'\n tag fix_id: 'F-69493r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (EnableICMPRedirect) Allow\n ICMP redirects to override OSPF generated routes\\\" to \\\"Disabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and \\\"\n MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters') do\n it { should have_property 'EnableICMPRedirect' }\n its('EnableICMPRedirect') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63625.rb", + "ref": "./Windows 10 STIG/controls/V-63563.rb", "line": 3 }, - "id": "V-63625" + "id": "V-63563" }, { - "title": "Microsoft consumer experiences must be turned off.", - "desc": "Microsoft consumer experiences provides suggestions and notifications\n to users, which may include the installation of Windows Store apps.\n Organizations may control the execution of applications through other means\n such as whitelisting. Turning off Microsoft consumer experiences will help\n prevent the unwanted installation of suggested applications.", + "title": "The system must be configured to audit System - Security State Change\n successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.", "descriptions": { - "default": "Microsoft consumer experiences provides suggestions and notifications\n to users, which may include the installation of Windows Store apps.\n Organizations may control the execution of applications through other means\n such as whitelisting. 
Turning off Microsoft consumer experiences will help\n prevent the unwanted installation of suggested applications.", - "check": "Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent\\\n\n Value Name: DisableWindowsConsumerFeatures\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Cloud Content >> \"Turn off\n Microsoft consumer experiences\" to \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> Security State Change - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit Security State Change\" with \"Success\"\n selected." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-CC-000197", - "gid": "V-71771", - "rid": "SV-86395r2_rule", - "stig_id": "WN10-CC-000197", - "fix_id": "F-78123r1_fix", + "severity": "medium", + "gtitle": "WN10-AU-000140", + "gid": "V-63507", + "rid": "SV-77997r1_rule", + "stig_id": "WN10-AU-000140", + "fix_id": "F-69437r1_fix", "cci": [ - "CCI-000381" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-7 a", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
@@ -10754,35 +10715,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control \"V-71771\" do\n title \"Microsoft consumer experiences must be turned off.\"\n desc \"Microsoft consumer experiences provides suggestions and notifications\n to users, which may include the installation of Windows Store apps.\n Organizations may control the execution of applications through other means\n such as whitelisting. Turning off Microsoft consumer experiences will help\n prevent the unwanted installation of suggested applications.\"\n impact 0.3\n tag severity: \"low\"\n tag gtitle: \"WN10-CC-000197\"\n tag gid: \"V-71771\"\n tag rid: \"SV-86395r2_rule\"\n tag stig_id: \"WN10-CC-000197\"\n tag fix_id: \"F-78123r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Windows 10 v1507 LTSB version does not include this setting; it\n is NA for those systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CloudContent\\\\\n\n Value Name: DisableWindowsConsumerFeatures\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Cloud Content >> \\\"Turn off\n Microsoft consumer experiences\\\" to \\\"Enabled\\\".\"\n\nif (registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId != \"1507\" )\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent') do\n it { should have_property 
'DisableWindowsConsumerFeatures' }\n its('DisableWindowsConsumerFeatures') { should cmp 1 } \n end\nelse \n impact 0.0\n describe \"Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems.\" do\n skip 'Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems.'\n end \n end\nend\n", + "code": "control \"V-63507\" do\n title \"The system must be configured to audit System - Security State Change\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.\"\n impact 0.5\n tag severity: \"medium\"\n tag gtitle: \"WN10-AU-000140\"\n tag gid: \"V-63507\"\n tag rid: \"SV-77997r1_rule\"\n tag stig_id: \"WN10-AU-000140\"\n tag fix_id: \"F-69437r1_fix\"\n tag cci: [\"CCI-000172\", \"CCI-002234\"]\n tag nist: [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command 
Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> Security State Change - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit Security State Change\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Security State Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security State Change') { should eq 'Success and Failure' }\n end\n end \nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-71771.rb", + "ref": "./Windows 10 STIG/controls/V-63507.rb", "line": 2 }, - "id": "V-71771" + "id": "V-63507" }, { - "title": "Anonymous access to Named Pipes and Shares must be restricted.", - "desc": "Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in \"Network access: Named Pipes that can be accessed\n anonymously\" and \"Network access: Shares that can be accessed anonymously\",\n both of which must be blank under other requirements.", + "title": "The system must be configured to audit System - System Integrity\n successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", "descriptions": { - "default": "Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in \"Network access: Named Pipes that can be accessed\n anonymously\" and \"Network access: Shares that can be accessed anonymously\",\n both of which must be blank under other requirements.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Network access: Restrict anonymous access to Named Pipes and Shares\" to\n \"Enabled\"." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n System >> System Integrity - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \"Audit System Integrity\" with \"Success\"\n selected." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-SO-000165", - "gid": "V-63759", - "rid": "SV-78249r1_rule", - "stig_id": "WN10-SO-000165", - "fix_id": "F-69687r1_fix", + "severity": "medium", + "gtitle": "WN10-AU-000160", + "gid": "V-63517", + "rid": "SV-78007r1_rule", + "stig_id": "WN10-AU-000160", + "fix_id": "F-69447r1_fix", "cci": [ - "CCI-001090" + "CCI-000172", + "CCI-002234" ], "nist": [ - "SC-4", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
@@ -10796,39 +10759,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63759' do\n title 'Anonymous access to Named Pipes and Shares must be restricted.'\n desc \"Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in \\\"Network access: Named Pipes that can be accessed\n anonymously\\\" and \\\"Network access: Shares that can be accessed anonymously\\\",\n both of which must be blank under other requirements.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-SO-000165'\n tag gid: 'V-63759'\n tag rid: 'SV-78249r1_rule'\n tag stig_id: 'WN10-SO-000165'\n tag fix_id: 'F-69687r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w[SC-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Network access: Restrict anonymous access to Named Pipes and Shares\\\" to\n \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters') do\n it { should have_property 'RestrictNullSessAccess' }\n its('RestrictNullSessAccess') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63517' do\n title \"The system must be configured to audit System - System Integrity\n 
successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000160'\n tag gid: 'V-63517'\n tag rid: 'SV-78007r1_rule'\n tag stig_id: 'WN10-AU-000160'\n tag fix_id: 'F-69447r1_fix'\n tag cci: %w[CCI-000172 CCI-002234]\n tag nist: ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n System >> System Integrity - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Success' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63759.rb", + "ref": "./Windows 10 STIG/controls/V-63517.rb", "line": 3 }, - "id": "V-63759" + "id": "V-63517" }, { - "title": "Windows 10 permissions for the Application event log must prevent\n access by non-privileged accounts.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Application event log may be susceptible to tampering if proper permissions\n are not applied.", + "title": "The Load and unload device drivers user right must only be assigned to\n the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Load and unload device drivers\" user right allows device drivers to\n dynamically be loaded on a system by a user. This could potentially be used to\n install malicious code by an attacker.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Application event log may be susceptible to tampering if proper permissions\n are not applied.", - "check": "Verify the permissions on the Application event log\n (Application.evtx). Standard user accounts or groups must not have access. The\n default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES\" has\n Special Permissions, this would not be a finding.", - "fix": "Ensure the permissions on the Application event log\n (Application.evtx) are configured to prevent standard user accounts or groups\n from having access. The default permissions listed below satisfy this\n requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\SYSTEM32\\WINEVT\\LOGS\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \"Load and unload device drivers\" user right allows device drivers to\n dynamically be loaded on a system by a user. 
This could potentially be used to\n install malicious code by an attacker.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \"Load and\n unload device drivers\" user right, this is a finding:\n\n Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \"Load and unload device drivers\" to only include the following groups or\n accounts:\n\n Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000515", - "gid": "V-63533", - "rid": "SV-78023r2_rule", - "stig_id": "WN10-AU-000515", - "fix_id": "F-69463r1_fix", + "gtitle": "WN10-UR-000120", + "gid": "V-63917", + "rid": "SV-78407r1_rule", + "stig_id": "WN10-UR-000120", + "fix_id": "F-69845r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-002235" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
@@ -10842,35 +10801,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63533' do\n title \"Windows 10 permissions for the Application event log must prevent\n access by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Application event log may be susceptible to tampering if proper permissions\n are not applied.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000515'\n tag gid: 'V-63533'\n tag rid: 'SV-78023r2_rule'\n tag stig_id: 'WN10-AU-000515'\n tag fix_id: 'F-69463r1_fix'\n tag cci: %w[CCI-000162 CCI-000163 CCI-000164]\n tag nist: %w[AU-9 AU-9 AU-9 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the permissions on the Application event log\n (Application.evtx). Standard user accounts or groups must not have access. 
The\n default permissions listed below satisfy this requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n They may have been moved to another folder.\n\n If the permissions for these files are not as restrictive as the ACLs listed,\n this is a finding.\n\n NOTE: If \\\"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\\\" has\n Special Permissions, this would not be a finding.\"\n\n desc \"fix\", \"Ensure the permissions on the Application event log\n (Application.evtx) are configured to prevent standard user accounts or groups\n from having access. The default permissions listed below satisfy this\n requirement.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\" directory.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n systemroot = system_root.strip\n\n describe file(\"#{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Application.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", + "code": "control 'V-63917' do\n title \"The Load and unload device drivers user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high level capabilities.\n\n The \\\"Load and unload device drivers\\\" user right allows device drivers to\n dynamically be loaded on a system 
by a user. This could potentially be used to\n install malicious code by an attacker.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UR-000120'\n tag gid: 'V-63917'\n tag rid: 'SV-78407r1_rule'\n tag stig_id: 'WN10-UR-000120'\n tag fix_id: 'F-69845r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any groups or accounts other than the following are granted the \\\"Load and\n unload device drivers\\\" user right, this is a finding:\n\n Administrators\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n \\\"Load and unload device drivers\\\" to only include the following groups or\n accounts:\n\n Administrators\"\n\n describe security_policy do\n its('SeLoadDriverPrivilege') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63533.rb", + "ref": "./Windows 10 STIG/controls/V-63917.rb", "line": 3 }, - "id": "V-63533" + "id": "V-63917" }, { - "title": "The use of personal accounts for OneDrive synchronization must be\n disabled.", - "desc": "OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances. 
Enabling this setting will prevent\n the use of personal OneDrive accounts for synchronization.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for MSACCESS.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances. Enabling this setting will prevent\n the use of personal OneDrive accounts for synchronization.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\Software\\Policies\\Microsoft\\OneDrive\\\n\n Value Name: DisablePersonalSync\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for User Configuration >> Administrative\n Templates >> OneDrive >> \"Prevent users from synchronizing personal OneDrive\n accounts\" to \"Enabled\".\n\n Group policy files for OneDrive are located on a system with OneDrive in\n \"%localappdata%\\Microsoft\\OneDrive\\BuildNumber\\adm\\\".\n\n Copy the OneDrive.admx and .adml files to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name MSACCESS.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for MSACCESS.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-UC-000005", - "gid": "V-82137", - "rid": "SV-96851r1_rule", - "stig_id": "WN10-UC-000005", - "fix_id": "F-88989r2_fix", + "gtitle": "WN10-EP-000180", + "gid": "V-77231", + "rid": "SV-91927r3_rule", + "stig_id": "WN10-EP-000180", + "fix_id": "F-84359r4_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
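Review bot: In the new V-63917 `code`, `its('SeLoadDriverPrivilege') { should eq ['S-1-5-32-544'] }` requires the right to be held by exactly one principal, but the check text only makes it a finding when a group or account other than Administrators holds it, so an empty assignment would fail the test without being a finding under the STIG wording. If that strictness is intended, it should be documented on the line, e.g. `# S-1-5-32-544 is the well-known BUILTIN\Administrators SID; exact match also rejects an empty assignment`. Otherwise an assertion that every returned SID lies in the allowed set (InSpec's `be_in` matcher, e.g. `should all be_in ['S-1-5-32-544']` — verify the matcher combination against the InSpec version in use) follows the check text more closely. The V-77231 entry whose `code` follows in the next hunk is reviewed there.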
@@ -10884,35 +10843,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-82137' do\n title \"The use of personal accounts for OneDrive synchronization must be\n disabled.\"\n desc \"OneDrive provides access to external services for data storage, which\n must be restricted to authorized instances. Enabling this setting will prevent\n the use of personal OneDrive accounts for synchronization.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-UC-000005'\n tag gid: 'V-82137'\n tag rid: 'SV-96851r1_rule'\n tag stig_id: 'WN10-UC-000005'\n tag fix_id: 'F-88989r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\Software\\\\Policies\\\\Microsoft\\\\OneDrive\\\\\n\n Value Name: DisablePersonalSync\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for User Configuration >> Administrative\n Templates >> OneDrive >> \\\"Prevent users from synchronizing personal OneDrive\n accounts\\\" to \\\"Enabled\\\".\n\n Group policy files for OneDrive are located on a system with OneDrive in\n \\\"%localappdata%\\\\Microsoft\\\\OneDrive\\\\BuildNumber\\\\adm\\\\\\\".\n\n Copy the OneDrive.admx and .adml files to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\OneDrive') do\n it { should have_property 'DisablePersonalSync' }\n its('DisablePersonalSync') { should cmp 1 }\n end\nend\n", + "code": "control 
'V-77231' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for MSACCESS.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000180'\n tag gid: 'V-77231'\n tag rid: 'SV-91927r3_rule'\n tag stig_id: 'WN10-EP-000180'\n tag fix_id: 'F-84359r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name MSACCESS.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False \n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for MSACCESS.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name MSACCESS.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Access' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name MSACCESS.EXE| Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Access' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name MSACCESS.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Access' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-82137.rb", + "ref": "./Windows 10 STIG/controls/V-77231.rb", "line": 3 }, - "id": "V-82137" + "id": "V-77231" }, { - "title": "Secure Boot must be enabled on Windows 10 systems.", - "desc": "Secure Boot is a standard that ensures systems boot only to a trusted\n operating system. Secure Boot is required to support additional security\n features in Windows 10, including Virtualization Based Security and Credential\n Guard. 
If Secure Boot is turned off, these security features will not function.", + "title": "The number of allowed bad logon attempts must be configured to\n 3 or less.", + "desc": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack, while allowing for honest errors made during a\n normal user logon.", "descriptions": { - "default": "Secure Boot is a standard that ensures systems boot only to a trusted\n operating system. Secure Boot is required to support additional security\n features in Windows 10, including Virtualization Based Security and Credential\n Guard. If Secure Boot is turned off, these security features will not function.", - "check": "Some older systems may not have UEFI firmware. This is currently\n a CAT III; it will be raised in severity at a future date when broad support of\n Windows 10 hardware and firmware requirements are expected to be met. Devices\n that have UEFI firmware must have Secure Boot enabled.\n\n For virtual desktop implementations (VDIs) where the virtual desktop instance\n is deleted or refreshed upon logoff, this is NA.\n\n Run \"System Information\".\n\n Under \"System Summary\", if \"Secure Boot State\" does not display \"On\",\n this is finding.", - "fix": "Enable Secure Boot in the system firmware." + "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. 
The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack, while allowing for honest errors made during a\n normal user logon.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Account lockout threshold\" is \"0\" or more than 3 attempts,\n this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n \"Account lockout threshold\" to 3 or less invalid logon attempts\n (excluding \"0\" which is unacceptable)." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-00-000020", - "gid": "V-77085", - "rid": "SV-91781r2_rule", - "stig_id": "WN10-00-000020", - "fix_id": "F-83783r1_fix", + "severity": "medium", + "gtitle": "WN10-AC-000010", + "gid": "V-63409", + "rid": "SV-77899r1_rule", + "stig_id": "WN10-AC-000010", + "fix_id": "F-69337r1_fix", "cci": [ - "CCI-000366" + "CCI-000044" ], "nist": [ - "CM-6 b", + "AC-7 a", "Rev_4" ], "false_negatives": null, 
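Review bot: In the new V-77231 `code`, the mitigation assertions compare against string literals (`should_not eq 'true'`, `should_not eq '2'`) although the values come from `ConvertTo-Json` through `json(...).params`; if PowerShell serialises OverrideDEP and the Payload fields as JSON booleans and ForceRelocateImages as an integer, a Ruby `true` or `2` never equals `'true'` or `'2'`, and these expectations pass whatever the system is configured to. Using InSpec's type-tolerant matcher, e.g. `its(['OverrideDEP']) { should_not cmp true }` and `its(['ForceRelocateImages']) { should cmp 1 }` (confirm the enum value that Get-ProcessMitigation emits for ON), would make the control fail when the mitigation is missing. Asserting that ForceRelocateImages is merely not `'2'` also accepts a NOTSET state, while the check text requires a status of "ON". The `|| nil` in `if input('sensitive_system') == 'true' || nil` is a no-op and can be dropped, and the describe text `Alsr BottomUp` should read `Aslr`.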
@@ -10926,35 +10885,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77085' do\n title 'Secure Boot must be enabled on Windows 10 systems.'\n desc \"Secure Boot is a standard that ensures systems boot only to a trusted\n operating system. Secure Boot is required to support additional security\n features in Windows 10, including Virtualization Based Security and Credential\n Guard. If Secure Boot is turned off, these security features will not function.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-00-000020'\n tag gid: 'V-77085'\n tag rid: 'SV-91781r2_rule'\n tag stig_id: 'WN10-00-000020'\n tag fix_id: 'F-83783r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Some older systems may not have UEFI firmware. This is currently\n a CAT III; it will be raised in severity at a future date when broad support of\n Windows 10 hardware and firmware requirements are expected to be met. Devices\n that have UEFI firmware must have Secure Boot enabled.\n\n For virtual desktop implementations (VDIs) where the virtual desktop instance\n is deleted or refreshed upon logoff, this is NA.\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", if \\\"Secure Boot State\\\" does not display \\\"On\\\",\n this is finding.\"\n desc 'fix', 'Enable Secure Boot in the system firmware.'\n\n\n uefi_boot = json( command: 'Confirm-SecureBootUEFI | ConvertTo-Json').params\n if sys_info.manufacturer != 'VMware, Inc.' 
|| nil\n describe 'Confirm-Secure Boot UEFI is required to be enabled on System' do\n subject { uefi_boot }\n it { should_not eq 'False' }\n end\n else\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-77085.' do\n skip 'This is a VDI System; This System is NA for Control V-77085.'\n end\n end\nend\n", + "code": "control 'V-63409' do\n title \"The number of allowed bad logon attempts must be configured to\n #{input('max_pass_lockout')} or less.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack, while allowing for honest errors made during a\n normal user logon.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000010'\n tag gid: 'V-63409'\n tag rid: 'SV-77899r1_rule'\n tag stig_id: 'WN10-AC-000010'\n tag fix_id: 'F-69337r1_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Account lockout threshold\\\" is \\\"0\\\" or more than #{input('max_pass_lockout')} attempts,\n this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n \\\"Account lockout 
threshold\\\" to #{input('max_pass_lockout')} or less invalid logon attempts\n (excluding \\\"0\\\" which is unacceptable).\"\n\n describe security_policy do\n its('LockoutBadCount') { should be <= input('max_pass_lockout') }\n end\n describe security_policy do\n its('LockoutBadCount') { should be_positive }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77085.rb", + "ref": "./Windows 10 STIG/controls/V-63409.rb", "line": 3 }, - "id": "V-77085" + "id": "V-63409" }, { - "title": "Basic authentication for RSS feeds over HTTP must not be used.", - "desc": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", + "title": "The system must be configured to ignore NetBIOS name release requests\n except from WINS servers.", + "desc": "Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the servers\n WINS resolution capability.", "descriptions": { - "default": "Basic authentication uses plain text passwords that could be used to\n compromise a system.", - "check": "The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)", - "fix": "The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If this needs to be 
corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >>\n \"Turn on Basic feed authentication over HTTP\" to \"Not Configured\" or\n \"Disabled\"." + "default": "Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the servers\n WINS resolution capability.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (NoNameReleaseOnDemand)\n Allow the computer to ignore NetBIOS name release requests except from WINS\n servers\" to \"Enabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. \"MSS-Legacy.admx\" and \"\n MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-CC-000300", - "gid": "V-63747", - "rid": "SV-78237r1_rule", - "stig_id": "WN10-CC-000300", - "fix_id": "F-69675r1_fix", + "severity": "low", + "gtitle": "WN10-CC-000035", + "gid": "V-63567", + "rid": "SV-78057r1_rule", + "stig_id": "WN10-CC-000035", + "fix_id": "F-69497r1_fix", "cci": [ - "CCI-000381" + "CCI-002385" ], "nist": [ - "CM-7 a", + "SC-5", "Rev_4" ], "false_negatives": null, 
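Review bot: In the new V-63409 `code`, `its('LockoutBadCount') { should be <= input('max_pass_lockout') }` compares the policy value with the raw input; if the input is supplied as a string, Ruby raises on Integer <= String and the control errors out instead of reporting a failure. Coercing once, `max_lockout = input('max_pass_lockout').to_i`, and using it in the title and the matcher avoids that, and the two `describe security_policy` blocks can then be merged into one carrying both `its('LockoutBadCount')` expectations. The interpolated Ruby title also diverges from the static JSON `title` ("3 or less") whenever the input is not 3; a comment such as `# title tracks input('max_pass_lockout'); the baseline JSON title assumes the STIG default of 3` would make the relationship explicit.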
@@ -10968,39 +10927,47 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63747' do\n title 'Basic authentication for RSS feeds over HTTP must not be used.'\n desc \"Basic authentication uses plain text passwords that could be used to\n compromise a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000300'\n tag gid: 'V-63747'\n tag rid: 'SV-78237r1_rule'\n tag stig_id: 'WN10-CC-000300'\n tag fix_id: 'F-69675r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0 (or if the Value Name does not exist)\"\n \n desc \"fix\", \"The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >>\n \\\"Turn on Basic feed authentication over HTTP\\\" to \\\"Not Configured\\\" or\n \\\"Disabled\\\".\"\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should have_property 'AllowBasicAuthInClear' }\n 
its('AllowBasicAuthInClear') { should_not be 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should_not have_property 'AllowBasicAuthInClear' }\n end\n end\nend\n", + "code": "control 'V-63567' do\n title \"The system must be configured to ignore NetBIOS name release requests\n except from WINS servers.\"\n desc \"Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the servers\n WINS resolution capability.\"\n\n impact 0.3\n\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000035'\n tag gid: 'V-63567'\n tag rid: 'SV-78057r1_rule'\n tag stig_id: 'WN10-CC-000035'\n tag fix_id: 'F-69497r1_fix'\n tag cci: ['CCI-002385']\n tag nist: %w[SC-5 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters\\\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (NoNameReleaseOnDemand)\n Allow the computer to ignore NetBIOS name release requests except from WINS\n servers\\\" to \\\"Enabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and \\\"\n MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netbt\\Parameters') do\n it { should have_property 'NoNameReleaseOnDemand' }\n its('NoNameReleaseOnDemand') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63747.rb", + "ref": "./Windows 10 STIG/controls/V-63567.rb", "line": 3 }, - "id": "V-63747" + "id": "V-63567" }, { - "title": "Windows 10 information systems must use BitLocker to encrypt all disks\n to protect the confidentiality and integrity of all information at rest.", - "desc": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality\n is protected even when the operating system is not running.", + "title": "The system must be configured to audit Account Management - Security\n Group Management successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting or\n changing of security groups, including changes in group members.", "descriptions": { - "default": "If data at rest is unencrypted, it is vulnerable to disclosure. 
Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality\n is protected even when the operating system is not running.", - "check": "Verify all Windows 10 information systems (including SIPRNET)\n employ BitLocker for full disk encryption.\n\n If full disk encryption using BitLocker is not implemented, this is a finding.\n\n Verify BitLocker is turned on for the operating system drive and any fixed data\n drives.\n\n Open \"BitLocker Drive Encryption\" from the Control Panel.\n\n If the operating system drive or any fixed data drives have \"Turn on\n BitLocker\", this is a finding.\n\n NOTE: An alternate encryption application may be used in lieu of BitLocker\n providing it is configured for full disk encryption and satisfies the pre-boot\n authentication requirements (WN10-00-000031 and WN10-00-000032).", - "fix": "Enable full disk encryption on all information systems (including\n SIPRNET) using BitLocker.\n\n BitLocker, included in Windows, can be enabled in the Control Panel under\n \"BitLocker Drive Encryption\" as well as other management tools.\n\n NOTE: An alternate encryption application may be used in lieu of BitLocker\n providing it is configured for full disk encryption and satisfies the pre-boot\n authentication requirements (WN10-00-000031 and WN10-00-000032)." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting or\n changing of security groups, including changes in group members.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Account Management >> Security Group Management - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \"Audit Security Group Management\"\n with \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000030", - "gid": "V-63337", - "rid": "SV-77827r4_rule", - "stig_id": "WN10-00-000030", - "fix_id": "F-100987r1_fix", + "gtitle": "WN10-AU-000030", + "gid": "V-63445", + "rid": "SV-77935r1_rule", + "stig_id": "WN10-AU-000030", + "fix_id": "F-69373r1_fix", "cci": [ - "CCI-001199", - "CCI-002475", - "CCI-002476" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130", + "CCI-002234" ], "nist": [ - "SC-28", - "SC-28 (1)", - "SC-28 (1)", + "AC-2 (4)", + "AU-12 c", + "AC-2 (4)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2\n(4)", + "AC-6 (9)", "Rev_4" ], "false_negatives": null, 
@@ -11014,35 +10981,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63337' do\n title \"Windows 10 information systems must use BitLocker to encrypt all disks\n to protect the confidentiality and integrity of all information at rest.\"\n desc \"If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality\n is protected even when the operating system is not running.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000030'\n tag gid: 'V-63337'\n tag rid: 'SV-77827r4_rule'\n tag stig_id: 'WN10-00-000030'\n tag fix_id: 'F-100987r1_fix'\n tag cci: %w[CCI-001199 CCI-002475 CCI-002476]\n tag nist: ['SC-28', 'SC-28 (1)', 'SC-28 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"Verify all Windows 10 information systems (including SIPRNET)\n employ BitLocker for full disk encryption.\n\n If full disk encryption using BitLocker is not implemented, this is a finding.\n\n Verify BitLocker is turned on for the operating system drive and any fixed data\n drives.\n\n Open \\\"BitLocker Drive Encryption\\\" from the Control Panel.\n\n If the operating system drive or any fixed data drives have \\\"Turn on\n BitLocker\\\", this is a finding.\n\n NOTE: An alternate encryption application may be used in lieu of BitLocker\n providing it is configured for full disk encryption and satisfies the pre-boot\n authentication requirements (WN10-00-000031 and WN10-00-000032).\"\n\n desc 'fix', \"Enable full disk encryption on all information systems 
(including\n SIPRNET) using BitLocker.\n\n BitLocker, included in Windows, can be enabled in the Control Panel under\n \\\"BitLocker Drive Encryption\\\" as well as other management tools.\n\n NOTE: An alternate encryption application may be used in lieu of BitLocker\n providing it is configured for full disk encryption and satisfies the pre-boot\n authentication requirements (WN10-00-000031 and WN10-00-000032).\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63337.' do\n skip 'This is a VDI System; This System is NA for Control V-63337.'\n end\n else\n # Code needs to be worked on for Parsing the Output of the Command\n bitlocker_status = JSON.parse(input('bitlocker_status').to_json)\n query = json({ command: 'Get-BitlockerVolume | Select ProtectionStatus | ConvertTo-Json' })\n describe 'Verify all Windows 10 information systems (including SIPRNET) employ BitLocker for full disk encryption.' do\n subject { query.params }\n its(['ProtectionStatus']) { should be 1 }\n end\n end\nend\n", + "code": "control 'V-63445' do\n title \"The system must be configured to audit Account Management - Security\n Group Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting or\n changing of security groups, including changes in group members.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000030'\n tag gid: 'V-63445'\n tag rid: 'SV-77935r1_rule'\n tag stig_id: 'WN10-AU-000030'\n tag fix_id: 'F-69373r1_fix'\n tag cci: %w[CCI-000018 CCI-000172 CCI-001403 CCI-001404\n CCI-001405 CCI-002130 CCI-002234]\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', \"AC-2\n(4)\", 'AC-6 (9)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Management >> Security Group Management - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> \\\"Audit Security Group Management\\\"\n with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Security Group Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security Group Management') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63337.rb", + "ref": "./Windows 10 STIG/controls/V-63445.rb", "line": 3 }, - "id": "V-63337" + "id": "V-63445" }, { - "title": "The Windows Installer Always install with elevated privileges must be\n disabled.", - "desc": "Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.", + "title": "User Account Control approval mode for the built-in Administrator must\n be enabled.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.", "descriptions": { - "default": "Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: 
\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: AlwaysInstallElevated\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> \"Always\n install with elevated privileges\" to \"Disabled\"." + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Admin Approval Mode for the Built-in Administrator account\"\n to \"Enabled\"." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "severity": "high", - "gtitle": "WN10-CC-000315", - "gid": "V-63325", - "rid": "SV-77815r1_rule", - "stig_id": "WN10-CC-000315", - "fix_id": "F-69243r1_fix", - "cci": [ - "CCI-001812" + "severity": "medium", + "gtitle": "WN10-SO-000245", + "gid": "V-63817", + "rid": "SV-78307r1_rule", + "stig_id": "WN10-SO-000245", + "fix_id": "F-69745r1_fix", + "cci": [ + "CCI-002038" ], "nist": [ - "CM-11 (2)", + "IA-11", "Rev_4" ], "false_negatives": null, 
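Review bot: The `tag nist:` list in the new V-63445 control code carries the value `"AC-2\n(4)"` with an embedded newline, which makes it a distinct string from the neighbouring `'AC-2 (4)'` entries and will silently fail any grouping or filtering of results by NIST control; the same broken value is present in the control's `nist` tags array above. Replace it with `'AC-2 (4)'` in both places so the control maps to the same identifier as its siblings. The list also repeats `AC-2 (4)` several times, which appears to mirror the one-CCI-per-entry upstream mapping rather than a typo, so that repetition can stay unless the profile is de-duplicated elsewhere. The `describe.one` over `audit_policy` accepting either `'Success'` or `'Success and Failure'` is the right shape for a success-only requirement.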
@@ -11056,37 +11023,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63325' do\n title \"The Windows Installer Always install with elevated privileges must be\n disabled.\"\n desc \"Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000315'\n tag gid: 'V-63325'\n tag rid: 'SV-77815r1_rule'\n tag stig_id: 'WN10-CC-000315'\n tag fix_id: 'F-69243r1_fix'\n tag cci: ['CCI-001812']\n tag nist: ['CM-11 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: AlwaysInstallElevated\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> \\\"Always\n install with elevated privileges\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'AlwaysInstallElevated' }\n its('AlwaysInstallElevated') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63817' do\n title \"User Account Control approval mode for the built-in Administrator must\n be enabled.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless 
authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000245'\n tag gid: 'V-63817'\n tag rid: 'SV-78307r1_rule'\n tag stig_id: 'WN10-SO-000245'\n tag fix_id: 'F-69745r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Admin Approval Mode for the Built-in Administrator account\\\"\n to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'FilterAdministratorToken' }\n its('FilterAdministratorToken') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63325.rb", + "ref": "./Windows 10 STIG/controls/V-63817.rb", "line": 3 }, - "id": "V-63325" + "id": "V-63817" }, { - "title": "The Windows Remote Management (WinRM) client must not allow\n unencrypted traffic.", - "desc": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for GROOVE.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowUnencryptedTraffic\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \"Allow unencrypted traffic\" to \"Disabled\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name GROOVE.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for GROOVE.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000335", - "gid": "V-63339", - "rid": "SV-77829r1_rule", - "stig_id": "WN10-CC-000335", - "fix_id": "F-69259r1_fix", + "gtitle": "WN10-EP-000130", + "gid": "V-77213", + "rid": "SV-91909r3_rule", + "stig_id": "WN10-EP-000130", + "fix_id": "F-84343r4_fix", "cci": [ - "CCI-002890", - "CCI-003123" + "CCI-000366" ], "nist": [ - "MA-4 (6)", - "MA-4 (6)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -11100,35 +11065,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63339' do\n title \"The Windows Remote Management (WinRM) client must not allow\n unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000335'\n tag gid: 'V-63339'\n tag rid: 'SV-77829r1_rule'\n tag stig_id: 'WN10-CC-000335'\n tag fix_id: 'F-69259r1_fix'\n tag cci: %w[CCI-002890 CCI-003123]\n tag nist: ['MA-4 (6)', 'MA-4 (6)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> \\\"Allow unencrypted traffic\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp 0 }\n end\nend\n", + "code": "control 'V-77213' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for GROOVE.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n 
level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000130'\n tag gid: 'V-77213'\n tag rid: 'SV-91909r3_rule'\n tag stig_id: 'WN10-EP-000130'\n tag fix_id: 'F-84343r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name GROOVE.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for GROOVE.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name GROOVE.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false Groove' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name GROOVE.exe | Select Aslr | ConvertTo-Json').params\n describe 'Force Relocate Images are required to be enabled on Groove' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n imageload = json( command: 'Get-ProcessMitigation -Name GROOVE.EXE | Select ImageLoad | ConvertTo-Json').params\n describe 'Override ImageLoad Block Remote Image Loads is required to be false on Groove' do\n subject { imageload }\n its(['OverrideBlockRemoteImages']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name GROOVE.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Adobe Reader' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n child_process = json( command: 'Get-ProcessMitigation -Name GROOVE.EXE | Select ChildProcess | ConvertTo-Json').params\n describe 'OverRide Child Process is required to be false on Groove' do\n subject { child_process }\n its(['OverrideChildProcess']) { should_not eq 'true' }\n end\n end\nend", 
"source_location": { - "ref": "./Windows 10 STIG/controls/V-63339.rb", + "ref": "./Windows 10 STIG/controls/V-77213.rb", "line": 3 }, - "id": "V-63339" + "id": "V-77213" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for java.exe, javaw.exe, and javaws.exe.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "Users must be prompted for a password on resume from sleep (on\n battery).", + "desc": "Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep (on\n battery).", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name [application name]\" with each of the\n following substituted for [application name]:\n java.exe, javaw.exe, and javaws.exe\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\" for each, this is a\n finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for java.exe,\n javaw.exe, and javaws.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "Authentication must always be required when accessing a system. This\n setting ensures the user is prompted for a password on resume from sleep (on\n battery).", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: DCSettingIndex\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n \"Require a password when a computer wakes (on battery)\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000160", - "gid": "V-77223", - "rid": "SV-91919r3_rule", - "stig_id": "WN10-EP-000160", - "fix_id": "F-84353r3_fix", + "gtitle": "WN10-CC-000145", + "gid": "V-63645", + "rid": "SV-78135r1_rule", + "stig_id": "WN10-CC-000145", + "fix_id": "F-69575r1_fix", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b", + "IA-11", "Rev_4" ], "false_negatives": null, 
@@ -11142,35 +11107,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77223' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for java.exe, javaw.exe, and javaws.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000160'\n tag gid: 'V-77223'\n tag rid: 'SV-91919r3_rule'\n tag stig_id: 'WN10-EP-000160'\n tag fix_id: 'F-84353r3_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name [application name]\\\" with each of the\n following substituted for [application name]:\n java.exe, javaw.exe, and javaws.exe\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\" for each, this is a\n finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of 
\\\"ON\\\" are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for java.exe,\n javaw.exe, and javaws.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name java.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Java' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name java.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Java' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", + "code": "control 'V-63645' do\n title \"Users must be prompted for a password on resume from sleep (on\n battery).\"\n desc \"Authentication must always be required when accessing a system. 
This\n setting ensures the user is prompted for a password on resume from sleep (on\n battery).\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000145'\n tag gid: 'V-63645'\n tag rid: 'SV-78135r1_rule'\n tag stig_id: 'WN10-CC-000145'\n tag fix_id: 'F-69575r1_fix'\n tag cci: ['CCI-002038']\n tag nist: %w[IA-11 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: DCSettingIndex\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n \\\"Require a password when a computer wakes (on battery)\\\" to \\\"Enabled\\\".\"\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63645.' 
do\n skip 'This is a VDI System; This System is NA for Control V-63645.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'DCSettingIndex' }\n its('DCSettingIndex') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77223.rb", + "ref": "./Windows 10 STIG/controls/V-63645.rb", "line": 3 }, - "id": "V-77223" + "id": "V-63645" }, { - "title": "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.", - "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older network\n attached devices may only support SMBv1.", + "title": "The system must be configured to audit Logon/Logoff - Logoff\n successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. 
If it is to a network share, it is recorded on\n the system accessed.", "descriptions": { - "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older network\n attached devices may only support SMBv1.", - "check": "Different methods are available to disable SMBv1 on Windows 10,\n if V-70639 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a\n finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \"Configure SMBv1 client\n driver\" to \"Enabled\" with \"Disable driver (recommended)\" selected for\n \"Configure MrxSmb10 driver\".\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively.\n\n The system must be restarted for the changes to take effect." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. If it is to a network share, it is recorded on\n the system accessed.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logoff - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Logoff\" with \"Success\" selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-00-000170", - "gid": "V-74725", - "rid": "SV-89399r1_rule", - "stig_id": "WN10-00-000170", - "fix_id": "F-81339r3_fix", + "gtitle": "WN10-AU-000065", + "gid": "V-63459", + "rid": "SV-77951r1_rule", + "stig_id": "WN10-AU-000065", + "fix_id": "F-69387r1_fix", "cci": [ - "CCI-000381" + "CCI-000067", + "CCI-000172" ], "nist": [ - "CM-7 a", + "AC-17 (1)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
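Review bot: The VDI exemption in the new V-63645 code (`if sys_info.manufacturer == 'VMware, Inc.'` followed by `impact 0.0` and a skip) has no counterpart in the control's own check text, which grants no not-applicable case for virtual desktops, so every VMware guest — VDI or not — is reported as NA for the wake-on-battery password requirement. Using the hypervisor vendor as a proxy for VDI also misses VDI on other hypervisors and non-VDI VMware hosts. If the exemption is intentional, gating it on an explicit profile input, as the profile already does with `input('sensitive_system')` for a comparable exemption, would make the deviation visible and auditable, and the control's `desc` should record it. The generated JSON mirrors `./Windows 10 STIG/controls/V-63645.rb`, so the change belongs in that source file.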
@@ -11184,35 +11151,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-74725' do\n title 'The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.'\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older network\n attached devices may only support SMBv1.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000170'\n tag gid: 'V-74725'\n tag rid: 'SV-89399r1_rule'\n tag stig_id: 'WN10-00-000170'\n tag fix_id: 'F-81339r3_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows 10,\n if V-70639 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a\n finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10\\\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> \\\"Configure SMBv1 client\n driver\\\" to \\\"Enabled\\\" with \\\"Disable driver (recommended)\\\" selected for\n \\\"Configure MrxSmb10 driver\\\".\n\n This policy setting requires the installation 
of the SecGuide custom templates\n included with the STIG package. \\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\n\n The system must be restarted for the changes to take effect. \"\n\n smb1protocol = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params\n state = smb1protocol['State']\n\n if state == \"Disabled\"\n impact 0.0\n describe 'V-70639 is configured, this control is NA' do\n skip 'V-70639 is configured, this control is NA'\n end\n elsif windows_feature('FS-SMB1').installed?\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10') do\n it { should have_property 'Start' }\n its('Start') { should cmp 4 }\n end\n else\n impact 0.0\n describe 'SMBv1 is not installed on this system, therefore this control is not applicable' do\n skip 'SMBv1 is not installed on this system, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-63459' do\n title \"The system must be configured to audit Logon/Logoff - Logoff\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. 
If it is to a network share, it is recorded on\n the system accessed.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000065'\n tag gid: 'V-63459'\n tag rid: 'SV-77951r1_rule'\n tag stig_id: 'WN10-AU-000065'\n tag fix_id: 'F-69387r1_fix'\n tag cci: %w[CCI-000067 CCI-000172]\n tag nist: ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logoff - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Logoff\\\" with \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Logoff') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logoff') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-74725.rb", + "ref": "./Windows 10 STIG/controls/V-63459.rb", "line": 3 }, - "id": "V-74725" + "id": "V-63459" }, { - "title": "The system must be configured to audit Account Logon - Credential\n Validation successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.", + "title": "The Security event log size must be configured to 1024000 KB or\n greater.", + "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Account Logon >> Credential Validation - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> \"Audit Credential Validation\" with\n \"Success\" selected." + "default": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "check": "If the system is configured to send audit records directly to an\n audit server, this is NA. 
This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x000fa000 (1024000) (or greater)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> Security\n >> \"Specify the maximum log file size (KB)\" to \"Enabled\" with a \"Maximum\n Log Size (KB)\" of \"1024000\" or greater.\n\n If the system is configured to send audit records directly to an audit server,\n documented with the ISSO." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000010", - "gid": "V-63435", - "rid": "SV-77925r1_rule", - "stig_id": "WN10-AU-000010", - "fix_id": "F-69363r1_fix", + "gtitle": "WN10-AU-000505", + "gid": "V-63523", + "rid": "SV-78013r2_rule", + "stig_id": "WN10-AU-000505", + "fix_id": "F-86735r1_fix", "cci": [ - "CCI-000172" + "CCI-001849" ], "nist": [ - "AU-12 c", + "AU-4", "Rev_4" ], "false_negatives": null, 
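Review bot: The `describe.one` block in the new V-63459 code evaluates `audit_policy` twice to accept either `'Success'` or `'Success and Failure'`; a single `describe audit_policy do` / `its('Logoff') { should be_in ['Success', 'Success and Failure'] }` / `end` states the accepted set once and reports the actual value on failure instead of two failed alternatives. The check text also names WN10-SO-000030 (subcategory override) as a prerequisite for the subcategory setting to be effective, which the code does not verify; presumably that is covered by a separate control in the profile, and a one-line comment above the describe saying so would help readers of the generated JSON. The source of record is `./Windows 10 STIG/controls/V-63459.rb`.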
@@ -11226,34 +11193,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63435' do\n title \"The system must be configured to audit Account Logon - Credential\n Validation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential validation records events related to validation tests on\n credentials for a user account logon.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000010'\n tag gid: 'V-63435'\n tag rid: 'SV-77925r1_rule'\n tag stig_id: 'WN10-AU-000010'\n tag fix_id: 'F-69363r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Account Logon >> Credential Validation - Success\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with\n \\\"Success\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63523' do\n title \"The Security event log size must be configured to 1024000 KB or\n greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000505'\n tag gid: 'V-63523'\n tag rid: 'SV-78013r2_rule'\n tag stig_id: 'WN10-AU-000505'\n tag fix_id: 'F-86735r1_fix'\n tag cci: ['CCI-001849']\n tag nist: %w[AU-4 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"If the system is configured to send audit records directly to an\n audit server, this is NA. 
This must be documented with the ISSO.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Security\\\\\n\n Value Name: MaxSize\n\n Value Type: REG_DWORD\n Value: 0x000fa000 (1024000) (or greater)\"\n\n desc 'fix', \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> Security\n >> \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum\n Log Size (KB)\\\" of \\\"1024000\\\" or greater.\n\n If the system is configured to send audit records directly to an audit server,\n documented with the ISSO.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 1_024_000 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63435.rb", + "ref": "./Windows 10 STIG/controls/V-63523.rb", "line": 3 }, - "id": "V-63435" + "id": "V-63523" }, { - "title": "Credential Guard must be running on Windows 10 domain-joined systems.", - "desc": "Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised. This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for java.exe, javaw.exe, and javaws.exe.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised. This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.", - "check": "Confirm Credential Guard is running on domain-joined systems.\n\n For standalone systems, this is NA.\n\n For those devices that support Credential Guard, this feature must be enabled.\n For devices that do not support it, there is currently an enterprise risk\n acceptance in effect, thus this check is currently categorized as a CAT III.\n Organizations need to take the appropriate action to acquire and implement\n compatible hardware with Credential Guard enabled.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Run \"PowerShell\" with elevated privileges (run as administrator).\n Enter the following:\n \"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\"\n\n If \"SecurityServicesRunning\" does not include a value of \"1\" (e.g., \"{1,\n 2}\"), this is a finding.\n\n Alternately:\n\n Run \"System Information\".\n Under \"System Summary\", verify the following:\n If \"Device Guard Security Services Running\" does not list \"Credential\n Guard\", this is finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. 
However, due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock)\n\n NOTE: The severity level for the requirement will be upgraded to CAT I\n starting January 2020.", - "fix": "Virtualization based security, including Credential Guard,\n currently cannot be implemented in virtual desktop implementations (VDI) due to\n specific supporting requirements including a TPM, UEFI with Secure Boot, and\n the capability to run the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n For VDIs with persistent desktops, this may be downgraded to a CAT II only\n where administrators have specific tokens for the VDI. Administrator accounts\n on virtual desktops must only be used on systems in the VDI; they may not have\n administrative privileges on any other systems such as servers and physical\n workstations.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Device Guard >> \"Turn On Virtualization Based\n Security\" to \"Enabled\" with \"Enabled with UEFI lock\" selected for\n \"Credential Guard Configuration:\".\n\n v1507 LTSB does not include selection options; select \"Enable Credential\n Guard\".\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:" + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name [application name]\" with each of the\n following substituted for [application name]:\n java.exe, javaw.exe, and javaws.exe\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\" for each, this is a\n finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for java.exe,\n javaw.exe, and javaws.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0.3, - "refs": [ - { - "ref": "https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard" - } - ], + "impact": 0.5, + "refs": [], "tags": { - "severity": "low", - "gtitle": "WN10-CC-000075", - "gid": "V-63599", - "rid": "SV-78089r8_rule", - "stig_id": "WN10-CC-000075", - "fix_id": "F-88433r2_fix", + "severity": "medium", + "gtitle": "WN10-EP-000160", + "gid": "V-77223", + "rid": "SV-91919r3_rule", + "stig_id": "WN10-EP-000160", + "fix_id": "F-84353r3_fix", "cci": [ "CCI-000366" ], 
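Review bot: The new V-63523 code asserts `its('MaxSize') { should be >= 1_024_000 }` unconditionally, while its own check text makes the control NA when the system sends audit records directly to an audit server (documented with the ISSO); that branch is not modeled, so forwarding systems are reported as failing rather than not applicable. Consider gating the registry describe on a profile input in the same way the profile already uses `input('sensitive_system')` elsewhere, e.g. `if input('<audit-forwarding-input>') == 'true'` (placeholder name) with `impact 0.0` and a skip message naming the ISSO documentation requirement, else the existing check. A short comment on the `1_024_000` line noting it is the STIG's `0x000fa000` in KB would also help readers comparing the code against the check text. The JSON mirrors `./Windows 10 STIG/controls/V-63523.rb`, where the change belongs.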
@@ -11272,35 +11235,37 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63599' do\n title 'Credential Guard must be running on Windows 10 domain-joined systems.'\n desc \"Credential Guard uses virtualization based security to protect\n information that could be used in credential theft attacks if compromised. This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.\"\n impact 0.3\n tag severity: 'low'\n tag gtitle: 'WN10-CC-000075'\n tag gid: 'V-63599'\n tag rid: 'SV-78089r8_rule'\n tag stig_id: 'WN10-CC-000075'\n tag fix_id: 'F-88433r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Confirm Credential Guard is running on domain-joined systems.\n\n For standalone systems, this is NA.\n\n For those devices that support Credential Guard, this feature must be enabled.\n For devices that do not support it, there is currently an enterprise risk\n acceptance in effect, thus this check is currently categorized as a CAT III.\n Organizations need to take the appropriate action to acquire and implement\n compatible hardware with Credential Guard enabled.\n\n Virtualization based security, including Credential Guard, currently cannot be\n implemented in virtual desktop implementations (VDI) due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n Run \\\"PowerShell\\\" with 
elevated privileges (run as administrator).\n Enter the following:\n \\\"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\"\n\n If \\\"SecurityServicesRunning\\\" does not include a value of \\\"1\\\" (e.g., \\\"{1,\n 2}\\\"), this is a finding.\n\n Alternately:\n\n Run \\\"System Information\\\".\n Under \\\"System Summary\\\", verify the following:\n If \\\"Device Guard Security Services Running\\\" does not list \\\"Credential\n Guard\\\", this is finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. However, due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock)\n\n NOTE: The severity level for the requirement will be upgraded to CAT I\n starting January 2020.\"\n desc \"fix\", \"Virtualization based security, including Credential Guard,\n currently cannot be implemented in virtual desktop implementations (VDI) due to\n specific supporting requirements including a TPM, UEFI with Secure Boot, and\n the capability to run the Hyper-V feature within the virtual desktop.\n\n For VDIs where the virtual desktop instance is deleted or refreshed upon\n logoff, this is NA.\n\n For VDIs with persistent desktops, this may be downgraded to a CAT II only\n where administrators have specific tokens for the VDI. 
Administrator accounts\n on virtual desktops must only be used on systems in the VDI; they may not have\n administrative privileges on any other systems such as servers and physical\n workstations.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Device Guard >> \\\"Turn On Virtualization Based\n Security\\\" to \\\"Enabled\\\" with \\\"Enabled with UEFI lock\\\" selected for\n \\\"Credential Guard Configuration:\\\".\n\n v1507 LTSB does not include selection options; select \\\"Enable Credential\n Guard\\\".\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\"\n\n ref 'https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard'\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-63599.' do\n skip 'This is a VDI System; This System is NA for Control V-63599.'\n end\n elsif is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'LsaCfgFlags' }\n its('LsaCfgFlags') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-77223' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for java.exe, javaw.exe, and javaws.exe.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000160'\n tag gid: 'V-77223'\n tag rid: 'SV-91919r3_rule'\n tag stig_id: 'WN10-EP-000160'\n tag fix_id: 'F-84353r3_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name [application name]\\\" with each of the\n following substituted for [application name]:\n java.exe, javaw.exe, and javaws.exe\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\" for each, this is a\n finding:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for java.exe,\n javaw.exe, and javaws.exe:\n\n DEP:\n OverrideDEP: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name java.exe | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Java' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name java.exe | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Java' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63599.rb", + "ref": "./Windows 10 STIG/controls/V-77223.rb", "line": 3 }, - "id": "V-63599" + "id": "V-77223" }, { - "title": "The machine inactivity limit must be set to 15 minutes, locking the\n system with the screensaver.", - "desc": "Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. 
This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", + "title": "The DoD Root CA certificates must be installed in the Trusted Root\n Store.", + "desc": "To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.", "descriptions": { - "default": "Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less, excluding \"0\" which is effectively\n disabled)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Interactive logon: Machine inactivity limit\" to \"900\" seconds\" or less,\n excluding \"0\" which is effectively disabled." 
+ "default": "To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.", + "check": "Verify the DoD Root CA certificates are installed as Trusted Root\n Certification Authorities.\n\n The certificates and thumbprints referenced below apply to unclassified\n systems; see PKE documentation for other networks.\n\n Run \"PowerShell\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine oot | Where Subject -Like \"*DoD*\" | FL Subject, Thumbprint, NotAfter\n\n If the following certificate \"Subject\" and \"Thumbprint\" information is not\n displayed, this is finding.\n\n If an expired certificate (\"NotAfter\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately use the Certificates MMC snap-in:\n\n Run \"MMC\".\n\n Select \"File\", \"Add/Remove Snap-in\".\n\n Select \"Certificates\", click \"Add\".\n\n Select \"Computer account\", click \"Next\".\n\n Select \"Local computer: (the computer this console is running on)\", click\n \"Finish\".\n\n Click \"OK\".\n\n Expand \"Certificates\" and navigate to \"Trusted Root Certification\n Authorities >> Certificates\".\n\n For each of the DoD Root CA certificates noted below:\n\n Right-click on the certificate and select \"Open\".\n\n Select the \"Details\" Tab.\n\n Scroll to the bottom and select \"Thumbprint\".\n\n If the DoD Root CA certificates below are not listed or the value for the\n \"Thumbprint\" field is not as noted, this is a finding.\n\n If an expired certificate (\"Valid to\" date) is not listed in the results,\n this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041", + "fix": "Install the DoD Root CA certificates.\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-SO-000070",
- "gid": "V-63669",
- "rid": "SV-78159r2_rule",
- "stig_id": "WN10-SO-000070",
- "fix_id": "F-88429r1_fix",
+ "gtitle": "WN10-PK-000005",
+ "gid": "V-63579",
+ "rid": "SV-78069r4_rule",
+ "stig_id": "WN10-PK-000005",
+ "fix_id": "F-87307r1_fix",
 "cci": [
- "CCI-000057"
+ "CCI-000185",
+ "CCI-002470"
 ],
 "nist": [
- "AC-11 a",
+ "IA-5 (2) (a)",
+ "SC-23 (5)",
 "Rev_4"
 ],
 "false_negatives": null,
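Review bot: The test body in V-77223's new `code` string queries `Get-ProcessMitigation -Name java.exe` only, while its title, check and fix text require the same mitigations on javaw.exe and javaws.exe, so a host missing the mitigations on those two binaries still passes; wrap the two `json(command: …)` lookups and their describe blocks in `%w[java.exe javaw.exe javaws.exe].each do |exe|` and pass `-Name #{exe}` in both commands. The assertions there, `its(['OverrideDEP']) { should_not eq 'true' }` and the six Payload ones, compare against the string `'true'`; if ConvertTo-Json emits these flags as JSON booleans (as it appears to), the parsed value is `true`/`false` — or `nil` if they sit under a nested `DEP`/`Payload` key — and the expectation can never fail, so `should eq false` (or `should_not cmp 'true'`) is needed for the check to enforce anything. The guard `input('sensitive_system') == 'true' || nil` carries a no-op `|| nil` that should be dropped. Separately, V-63579's new check text reads `Cert:Localmachine oot`: the backslash of `Cert:LocalMachine\root` was consumed as a `\r` escape in the source control, so both the description and the code string give an operator an unusable path.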
@@ -11314,117 +11279,140 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63669' do\n title \"The machine inactivity limit must be set to 15 minutes, locking the\n system with the screensaver.\"\n desc \"Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000070'\n tag gid: 'V-63669'\n tag rid: 'SV-78159r2_rule'\n tag stig_id: 'WN10-SO-000070'\n tag fix_id: 'F-88429r1_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less, excluding \\\"0\\\" which is effectively\n disabled)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Interactive logon: Machine inactivity limit\\\" to \\\"900\\\" seconds\\\" or less,\n excluding \\\"0\\\" which is effectively disabled.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'InactivityTimeoutSecs' }\n its('InactivityTimeoutSecs') { should be <= 900 }\n 
end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n its('InactivityTimeoutSecs') { should be_positive }\n end\nend\n", + "code": "control 'V-63579' do\n title \"The DoD Root CA certificates must be installed in the Trusted Root\n Store.\"\n desc \"To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-PK-000005'\n tag gid: 'V-63579'\n tag rid: 'SV-78069r4_rule'\n tag stig_id: 'WN10-PK-000005'\n tag fix_id: 'F-87307r1_fix'\n tag cci: %w[CCI-000185 CCI-002470]\n tag nist: ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the DoD Root CA certificates are installed as Trusted Root\n Certification Authorities.\n\n The certificates and thumbprints referenced below apply to unclassified\n systems; see PKE documentation for other networks.\n\n Run \\\"PowerShell\\\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\n oot | Where Subject -Like \\\"*DoD*\\\" | FL Subject, Thumbprint, NotAfter\n\n If the following certificate \\\"Subject\\\" and \\\"Thumbprint\\\" information is not\n displayed, this is finding.\n\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately use the Certificates MMC snap-in:\n\n Run \\\"MMC\\\".\n\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n\n Select \\\"Certificates\\\", click \\\"Add\\\".\n\n Select \\\"Computer account\\\", click \\\"Next\\\".\n\n Select \\\"Local computer: (the computer this console is running on)\\\", click\n \\\"Finish\\\".\n\n Click \\\"OK\\\".\n\n Expand \\\"Certificates\\\" and navigate to \\\"Trusted Root Certification\n Authorities >> Certificates\\\".\n\n For each of the DoD Root CA certificates noted below:\n\n Right-click on the certificate and select \\\"Open\\\".\n\n Select the \\\"Details\\\" Tab.\n\n Scroll to the bottom and select \\\"Thumbprint\\\".\n\n If the DoD Root CA certificates below are not listed or the value for the\n \\\"Thumbprint\\\" field is not as noted, this is a finding.\n\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results,\n this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041\"\n\n desc 'fix', \"Install the DoD Root CA certificates.\n DoD Root CA 2\n DoD Root CA 3\n 
DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_trusted_certificates = JSON.parse(input('dod_trusted_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\root | Where {$_.Subject -Like \"*DoD Root*\"} | Select Subject, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The DoD Interoperability Root CA cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_trusted_certificates }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63669.rb", + "ref": "./Windows 10 STIG/controls/V-63579.rb", "line": 3 }, - "id": "V-63669" + "id": "V-63579" }, { - "title": "The required legal notice must be configured to display before console\n logon.", - "desc": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.", + "title": "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change\nSuccesses.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).", "descriptions": { - "default": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value:\n You are accessing a U.S. Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or 
monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Interactive logon: Message text for users attempting to log on\" to the\n following.\n\n You are accessing a U.S. Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details." 
+ "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).", + "rationale": "", + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> MPSSVC Rule-Level Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy\nChange\" with \"Success\" selected." 
}, "impact": 0.5, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-SO-000075", - "gid": "V-63675", - "rid": "SV-78165r2_rule", - "stig_id": "WN10-SO-000075", - "fix_id": "F-69601r2_fix", + "severity": null, + "gtitle": "WN10-AU-000575", + "gid": "V-99547", + "rid": "SV-108651r1_rule", + "stig_id": "WN10-AU-000575", + "fix_id": "F-105231r1_fix", "cci": [ - "CCI-000048", - "CCI-000050", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-000130" ], "nist": [ - "AC-8 a", - "AC-8 b", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c\n2", - "AC-8 c 3", + "AU-3", "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null + ] }, - "code": "control 'V-63675' do\n title \"The required legal notice must be configured to display before console\n logon.\"\n desc \"Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000075'\n tag gid: 'V-63675'\n tag rid: 'SV-78165r2_rule'\n tag stig_id: 'WN10-SO-000075'\n tag fix_id: 'F-69601r2_fix'\n tag cci: %w[CCI-000048 CCI-000050 CCI-001384 CCI-001385\n CCI-001386 CCI-001387 CCI-001388]\n tag nist: ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', \"AC-8 c\n2\", 'AC-8 c 3', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry 
Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value:\n You are accessing a U.S. Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Interactive logon: Message text for users attempting to log on\\\" to the\n following.\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. 
See User\n Agreement for details.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'LegalNoticeText' }\n end\n\n key = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System').LegalNoticeText.to_s\n k = key.gsub(\"\\u0000\", '')\n legal_notice_text = input('LegalNoticeText')\n\n describe 'The required legal notice text' do\n subject { k.scan(/[\\w().;,!]/).join }\n it { should cmp legal_notice_text.scan(/[\\w().;,!]/).join }\n end\nend\n", + "code": "control \"V-99547\" do\n title \"Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change\nSuccesses.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit MPSSVC Rule-Level Policy Change determines whether the operating\nsystem generates audit events when changes are made to policy rules for the\nMicrosoft Protection Service (MPSSVC.exe).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000575\"\n tag gid: \"V-99547\"\n tag rid: \"SV-108651r1_rule\"\n tag stig_id: \"WN10-AU-000575\"\n tag fix_id: \"F-105231r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command 
Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> MPSSVC Rule-Level Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy\nChange\\\" with \\\"Success\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('MPSSVC Rule-Level Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('MPSSVC Rule-Level Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63675.rb", + "ref": "./Windows 10 STIG/controls/V-99547.rb", "line": 3 }, - "id": "V-63675" + "id": "V-99547" }, { - "title": "Windows 10 must be configured to audit Other Policy Change Events\nSuccesses.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.", + "title": "Windows 10 should be configured to prevent users from receiving\nsuggestions for third-party or additional applications. ", + "desc": "Windows spotlight features may suggest apps and content from\nthird-party software publishers in addition to Microsoft apps and content.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.", + "default": "Windows spotlight features may suggest apps and content from\nthird-party software publishers in addition to Microsoft apps and content.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Policy Change >> Other Policy Change Events - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change>> \"Audit Other Policy Change Events\"\nwith \"Success\" selected." 
+ "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent\\\n\n Value Name: DisableThirdPartySuggestions\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for User Configuration >>\nAdministrative Templates >> Windows Components >> Cloud Content >> \"Do not\nsuggest third-party content in Windows spotlight\" to \"Enabled" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "WN10-AU-000550", - "gid": "V-99551", - "rid": "SV-108655r1_rule", - "stig_id": "WN10-AU-000550", - "fix_id": "F-105235r1_fix", + "gtitle": "WN10-CC-000390", + "gid": "V-99563", + "rid": "SV-108667r1_rule", + "stig_id": "WN10-CC-000390", + "fix_id": "F-105247r1_fix", "cci": [ - "CCI-000130" + "CCI-000381" ], "nist": [ - "AU-3", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-99551\" do\n title \"Windows 10 must be configured to audit Other Policy Change Events\nSuccesses.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Policy Change Events contains events about EFS Data Recovery\nAgent policy changes, changes in Windows Filtering Platform filter, status on\nSecurity policy settings updates for local Group Policy settings, Central\nAccess Policy changes, and detailed troubleshooting events for Cryptographic\nNext Generation (CNG) operations.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000550\"\n tag gid: \"V-99551\"\n tag rid: \"SV-108655r1_rule\"\n tag stig_id: \"WN10-AU-000550\"\n tag fix_id: \"F-105235r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Policy Change >> Other Policy Change Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change>> \\\"Audit Other Policy Change Events\\\"\nwith \\\"Success\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('Other Policy Change Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Policy Change Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-99563\" do\n title \"Windows 10 should be configured to prevent users from receiving\nsuggestions for third-party or additional applications. \"\n desc \"Windows spotlight features may suggest apps and content from\nthird-party software publishers in addition to Microsoft apps and content. \"\n impact 0.3\n tag severity: nil\n tag gtitle: \"WN10-CC-000390\"\n tag gid: \"V-99563\"\n tag rid: \"SV-108667r1_rule\"\n tag stig_id: \"WN10-CC-000390\"\n tag fix_id: \"F-105247r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CloudContent\\\\\n\n Value Name: DisableThirdPartySuggestions\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for User Configuration >>\nAdministrative Templates >> Windows Components >> Cloud Content >> \\\"Do not\nsuggest third-party content in Windows spotlight\\\" to \\\"Enabled\"\n \n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CloudContent') do\n 
it { should have_property 'DisableThirdPartySuggestions' }\n its('DisableThirdPartySuggestions') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99551.rb", + "ref": "./Windows 10 STIG/controls/V-99563.rb", "line": 3 }, - "id": "V-99551" + "id": "V-99563" }, { - "title": "Windows 10 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.", - "desc": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Data Execution Prevention (DEP)\", are enabled by default at the system\n level. DEP prevents code from being run from data-only memory pages. If this is\n turned off, Windows 10 may be subject to various exploits.", + "title": "The system must be configured to audit Logon/Logoff - Logon failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", "descriptions": { - "default": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Data Execution Prevention (DEP)\", are enabled by default at the system\n level. DEP prevents code from being run from data-only memory pages. 
If this is\n turned off, Windows 10 may be subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which\n meets this requirement. The PowerShell query results for this show as\n \"NOTSET\".\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -System\".\n\n If the status of \"DEP: Enable\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Data Execution\n Prevention (DEP)\", is turned on. The default configuration in Exploit\n Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n\n Select \"App & browser control\".\n\n Select \"Exploit protection settings\".\n\n Under \"System settings\", configure \"Data Execution Prevention (DEP)\" to\n \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn DEP on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." 
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logon - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Failure\" selected." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000020", - "gid": "V-77091", - "rid": "SV-91787r3_rule", - "stig_id": "WN10-EP-000020", - "fix_id": "F-86717r3_fix", + "gtitle": "WN10-AU-000070", + "gid": "V-63463", + "rid": "SV-77953r1_rule", + "stig_id": "WN10-AU-000070", + "fix_id": "F-69391r1_fix", + "cci": [ + "CCI-000067", + "CCI-000172" + ], + "nist": [ + "AC-17 (1)", + "AU-12 c", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null + }, + "code": "control 'V-63463' do\n title 'The system must be configured to audit Logon/Logoff - Logon failures.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. 
If it is to a network share, it is recorded on the system\n accessed.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000070'\n tag gid: 'V-63463'\n tag rid: 'SV-77953r1_rule'\n tag stig_id: 'WN10-AU-000070'\n tag fix_id: 'F-69391r1_fix'\n tag cci: %w[CCI-000067 CCI-000172]\n tag nist: ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Logon - Failure\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Logon\\\" with \\\"Failure\\\" selected.\"\n\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", + "source_location": { + "ref": "./Windows 10 STIG/controls/V-63463.rb", + "line": 3 + }, + "id": "V-63463" + }, + { + "title": "Windows 10 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.", + "desc": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Validate exception chains (SEHOP)\", are enabled by default at the system\n level. SEHOP (structured exception handling overwrite protection) ensures the\n integrity of an exception chain during exception dispatch. If this is turned\n off, Windows 10 may be subject to various exploits.", + "descriptions": { + "default": "Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \"Validate exception chains (SEHOP)\", are enabled by default at the system\n level. SEHOP (structured exception handling overwrite protection) ensures the\n integrity of an exception chain during exception dispatch. If this is turned\n off, Windows 10 may be subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which\n meets this requirement. 
The PowerShell query results for this show as\n \"NOTSET\".\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -System\".\n\n If the status of \"SEHOP: Enable\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", + "fix": "Ensure Exploit Protection system-level mitigation, \"Validate\n exception chains (SEHOP)\", is turned on. The default configuration in Exploit\n Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n\n Select \"App & browser control\".\n\n Select \"Exploit protection settings\".\n\n Under \"System settings\", configure \"Validate exception chains (SEHOP)\" to\n \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn SEHOP on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium", + "gtitle": "WN10-EP-000050", + "gid": "V-77101", + "rid": "SV-91797r3_rule", + "stig_id": "WN10-EP-000050", + "fix_id": "F-86723r2_fix", "cci": [ "CCI-000366" ], 
@@ -11443,35 +11431,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77091' do\n title 'Windows 10 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.'\n desc \"Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \\\"Data Execution Prevention (DEP)\\\", are enabled by default at the system\n level. DEP prevents code from being run from data-only memory pages. If this is\n turned off, Windows 10 may be subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000020'\n tag gid: 'V-77091'\n tag rid: 'SV-91787r3_rule'\n tag stig_id: 'WN10-EP-000020'\n tag fix_id: 'F-86717r3_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n \n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which\n meets this requirement. The PowerShell query results for this show as\n \\\"NOTSET\\\".\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -System\\\".\n\n If the status of \\\"DEP: Enable\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n\n desc 'fix', \"Ensure Exploit Protection system-level mitigation, \\\"Data Execution\n Prevention (DEP)\\\", is turned on. 
The default configuration in Exploit\n Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n\n Select \\\"App & browser control\\\".\n\n Select \\\"Exploit protection settings\\\".\n\n Under \\\"System settings\\\", configure \\\"Data Execution Prevention (DEP)\\\" to\n \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn DEP on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep_enable = json( command: 'Get-ProcessMitigation -System | Select DEP | ConvertTo-Json').params\n describe 'DEP is required to be enabled on System' do\n subject { dep_enable }\n its(['Enable']) { should_not eq '2' }\n end\n end\nend", + "code": "control 'V-77101' do\n title 'Windows 10 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.'\n desc \"Exploit protection in Windows 10 enables mitigations against potential\n threats at the system and application level. Several mitigations, including\n \\\"Validate exception chains (SEHOP)\\\", are enabled by default at the system\n level. SEHOP (structured exception handling overwrite protection) ensures the\n integrity of an exception chain during exception dispatch. If this is turned\n off, Windows 10 may be subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000050'\n tag gid: 'V-77101'\n tag rid: 'SV-91797r3_rule'\n tag stig_id: 'WN10-EP-000050'\n tag fix_id: 'F-86723r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which\n meets this requirement. 
The PowerShell query results for this show as\n \\\"NOTSET\\\".\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -System\\\".\n\n If the status of \\\"SEHOP: Enable\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n\n desc 'fix', \"Ensure Exploit Protection system-level mitigation, \\\"Validate\n exception chains (SEHOP)\\\", is turned on. The default configuration in Exploit\n Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n\n Select \\\"App & browser control\\\".\n\n Select \\\"Exploit protection settings\\\".\n\n Under \\\"System settings\\\", configure \\\"Validate exception chains (SEHOP)\\\" to\n \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder\n for configuring application mitigations defined in the STIG. This can also be\n modified to explicitly enforce the system level requirements. Adding the\n following to the XML file will explicitly turn SEHOP on (other system level EP\n requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n sehop = json( command: 'Get-ProcessMitigation -System | Select SEHOP | ConvertTo-Json').params\n describe 'SEHOP is required to be enabled on System' do\n subject { sehop }\n its(['Enable']) { should_not eq '2' }\n end\n end\nend", "source_location": { - "ref": "./Windows 10 STIG/controls/V-77091.rb", + "ref": "./Windows 10 STIG/controls/V-77101.rb", "line": 3 }, - "id": "V-77091" + "id": "V-77101" }, { - "title": "The minimum password age must be configured to at least 1 day.", - "desc": "Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. This\n enables users to effectively negate the purpose of mandating periodic password\n changes.", + "title": "User Account Control must only elevate UIAccess applications that are\n installed in secure locations.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\System32 folders, to run with elevated privileges.", "descriptions": { - "default": "Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. 
This\n enables users to effectively negate the purpose of mandating periodic password\n changes.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \"Minimum password age\" is less than 1 day, this is a\n finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \"Minimum Password Age\" to at least 1 day." + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\System32 folders, to run with elevated privileges.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Only elevate UIAccess applications that are installed in\n secure locations\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AC-000030", - "gid": "V-63421", - "rid": "SV-77911r1_rule", - "stig_id": "WN10-AC-000030", - "fix_id": "F-69349r1_fix", + "gtitle": "WN10-SO-000265", + "gid": "V-63827", + "rid": "SV-78317r1_rule", + "stig_id": "WN10-SO-000265", + "fix_id": "F-69755r1_fix", "cci": [ - "CCI-000198" + "CCI-001084" ], "nist": [ - "IA-5 (1) (d)", + "SC-3", "Rev_4" ], "false_negatives": null, 
@@ -11485,37 +11473,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63421' do\n title 'The minimum password age must be configured to at least 1 day.'\n desc \"Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. This\n enables users to effectively negate the purpose of mandating periodic password\n changes.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000030'\n tag gid: 'V-63421'\n tag rid: 'SV-77911r1_rule'\n tag stig_id: 'WN10-AC-000030'\n tag fix_id: 'F-69349r1_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the \\\"Minimum password age\\\" is less than #{input('min_pass_age')} day, this is a\n finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n \\\"Minimum Password Age\\\" to at least #{input('min_pass_age')} day.\"\n\n describe security_policy do\n its('MinimumPasswordAge') { should be >= input('min_pass_age') }\n end\nend\n", + "code": "control 'V-63827' do\n title \"User Account Control must only elevate UIAccess applications that are\n installed in secure locations.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting 
configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\\\System32 folders, to run with elevated privileges.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000265'\n tag gid: 'V-63827'\n tag rid: 'SV-78317r1_rule'\n tag stig_id: 'WN10-SO-000265'\n tag fix_id: 'F-69755r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Only elevate UIAccess applications that are installed in\n secure locations\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'EnableSecureUIAPaths' }\n its('EnableSecureUIAPaths') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63421.rb", + "ref": "./Windows 10 STIG/controls/V-63827.rb", "line": 3 }, - "id": "V-63421" + "id": "V-63827" }, { - "title": "The period of time before the bad logon counter is reset must be\n configured to 15 minutes.", - "desc": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. 
This parameter specifies the period of time\n that must pass after failed logon attempts before the counter is reset to 0.\n The smaller this value is, the less effective the account lockout feature will\n be in protecting the local system.", + "title": "Web publishing and online ordering wizards must be prevented from\n downloading a list of providers.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents Windows from downloading a list of providers for the Web publishing\n and online ordering wizards.", "descriptions": { - "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that must pass after failed logon attempts before the counter is reset to 0.\n The smaller this value is, the less effective the account lockout feature will\n be in protecting the local system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Reset account lockout counter after\" value is less than 15\n minutes, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n \"Reset account lockout counter after\" to 15 minutes." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents Windows from downloading a list of providers for the Web publishing\n and online ordering wizards.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: NoWebServices\n\n Value Type: REG_DWORD\n Value: 1", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> \"Turn off Internet download for Web\n publishing and online ordering wizards\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AC-000015", - "gid": "V-63413", - "rid": "SV-77903r1_rule", - "stig_id": "WN10-AC-000015", - "fix_id": "F-69341r1_fix", + "gtitle": "WN10-CC-000105", + "gid": "V-63621", + "rid": "SV-78111r1_rule", + "stig_id": "WN10-CC-000105", + "fix_id": "F-69549r1_fix", "cci": [ - "CCI-000044", - "CCI-002238" + "CCI-000381" ], "nist": [ - "AC-7 a", - "AC-7 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
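Review bot: The `code` string for V-63827 writes its NIST tag as `tag nist: %w[SC-3 Rev_4]`, while the sibling controls added in this diff (V-63621, V-63711, V-77263, V-63673) use the array-literal form `tag nist: ['CM-7 a', 'Rev_4']`; `%w` cannot hold entries that contain spaces such as `IA-5 (1) (c)`, so the literal form is the one that generalizes across controls and keeps the generated `code` field uniform. The same control also drops the blank lines that separate the `tag` block from `desc "check"`/`desc "fix"` in V-63621. Since `source_location` points at `./Windows 10 STIG/controls/V-63827.rb`, the change belongs in that Ruby file with this JSON regenerated, e.g. `tag nist: ['SC-3', 'Rev_4']`.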
@@ -11529,35 +11515,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63413' do\n title \"The period of time before the bad logon counter is reset must be\n configured to #{input('pass_lock_time')} minutes.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that must pass after failed logon attempts before the counter is reset to 0.\n The smaller this value is, the less effective the account lockout feature will\n be in protecting the local system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AC-000015'\n tag gid: 'V-63413'\n tag rid: 'SV-77903r1_rule'\n tag stig_id: 'WN10-AC-000015'\n tag fix_id: 'F-69341r1_fix'\n tag cci: %w[CCI-000044 CCI-002238]\n tag nist: ['AC-7 a', 'AC-7 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Reset account lockout counter after\\\" value is less than #{input('pass_lock_time')}\n minutes, this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n \\\"Reset account lockout counter after\\\" to #{input('pass_lock_time')} minutes.\"\n\n describe security_policy do\n its('ResetLockoutCount') { should be >= input('pass_lock_time') }\n end\nend\n", + "code": "control 'V-63621' do\n title \"Web publishing and online ordering wizards must be prevented from\n 
downloading a list of providers.\"\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off\n this capability will prevent potentially sensitive information from being sent\n outside the enterprise and uncontrolled updates to the system. This setting\n prevents Windows from downloading a list of providers for the Web publishing\n and online ordering wizards.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000105'\n tag gid: 'V-63621'\n tag rid: 'SV-78111r1_rule'\n tag stig_id: 'WN10-CC-000105'\n tag fix_id: 'F-69549r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: NoWebServices\n\n Value Type: REG_DWORD\n Value: 1\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> \\\"Turn off Internet download for Web\n publishing and online ordering wizards\\\" to \\\"Enabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should have_property 'NoWebServices' }\n its('NoWebServices') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63413.rb", + "ref": "./Windows 10 STIG/controls/V-63621.rb", "line": 3 }, - "id": "V-63413" + "id": "V-63621" }, { - 
"title": "The system must be configured to audit Logon/Logoff - Account Lockout failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", + "title": "Unencrypted passwords must not be sent to third-party SMB Servers.", + "desc": "Some non-Microsoft SMB servers only support unencrypted (plain text)\n password authentication. Sending plain text passwords across the network, when\n authenticating to an SMB server, reduces the overall security of the\n environment. Check with the vendor of the SMB server to see if there is a way\n to support encrypted password authentication.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", - "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Account Lockout - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \"Audit Account Lockout\" with \"Failure\"\n selected." + "default": "Some non-Microsoft SMB servers only support unencrypted (plain text)\n password authentication. Sending plain text passwords across the network, when\n authenticating to an SMB server, reduces the overall security of the\n environment. 
Check with the vendor of the SMB server to see if there is a way\n to support encrypted password authentication.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Microsoft network client: Send unencrypted password to third-party SMB\n servers\" to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-AU-000054", - "gid": "V-71759", - "rid": "SV-86383r2_rule", - "stig_id": "WN10-AU-000054", - "fix_id": "F-78111r2_fix", + "gtitle": "WN10-SO-000110", + "gid": "V-63711", + "rid": "SV-78201r1_rule", + "stig_id": "WN10-SO-000110", + "fix_id": "F-69639r1_fix", "cci": [ - "CCI-000172" + "CCI-000197" ], "nist": [ - "AU-12 c", + "IA-5 (1) (c)", "Rev_4" ], "false_negatives": null, 
@@ -11571,35 +11557,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-71759' do\n title 'The system must be configured to audit Logon/Logoff - Account Lockout failures.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000054'\n tag gid: 'V-71759'\n tag rid: 'SV-86383r2_rule'\n tag stig_id: 'WN10-AU-000054'\n tag fix_id: 'F-78111r2_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding:\n\n Logon/Logoff >> Account Lockout - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> \\\"Audit Account Lockout\\\" with \\\"Failure\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Account Lockout') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Account Lockout') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-63711' do\n title 'Unencrypted passwords must not be sent to third-party SMB Servers.'\n desc \"Some non-Microsoft SMB servers only support unencrypted (plain text)\n password authentication. Sending plain text passwords across the network, when\n authenticating to an SMB server, reduces the overall security of the\n environment. Check with the vendor of the SMB server to see if there is a way\n to support encrypted password authentication.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000110'\n tag gid: 'V-63711'\n tag rid: 'SV-78201r1_rule'\n tag stig_id: 'WN10-SO-000110'\n tag fix_id: 'F-69639r1_fix'\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0\"\n desc \"fix\", \"Configure the policy value for Computer Configuration 
>> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Microsoft network client: Send unencrypted password to third-party SMB\n servers\\\" to \\\"Disabled\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters') do\n it { should have_property 'EnablePlainTextPassword' }\n its('EnablePlainTextPassword') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-71759.rb", + "ref": "./Windows 10 STIG/controls/V-63711.rb", "line": 3 }, - "id": "V-71759" + "id": "V-63711" }, { - "title": "Local users on domain-joined computers must not be enumerated.", - "desc": "The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.", + "title": "Exploit Protection mitigations in Windows 10 must be configured for\n WINWORD.EXE.", + "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", "descriptions": { - "default": "The username is one part of logon credentials that could be used to\n gain access to a system. 
Preventing the enumeration of users limits this\n information to authorized personnel.", - "check": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnumerateLocalUsers\n\n Value Type: REG_DWORD\n Value: 0", - "fix": "This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Logon >> \"Enumerate local users on domain-joined\n computers\" to \"Disabled\"." + "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name WINWORD.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", + "fix": "Ensure the following mitigations are turned \"ON\" for WINWORD.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000130", - "gid": "V-63633", - "rid": "SV-78123r1_rule", - "stig_id": "WN10-CC-000130", - "fix_id": "F-69565r1_fix", + "gtitle": "WN10-EP-000280", + "gid": "V-77263", + "rid": "SV-91959r3_rule", + "stig_id": "WN10-EP-000280", + "fix_id": "F-84511r4_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -11613,35 +11599,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63633' do\n title 'Local users on domain-joined computers must not be enumerated.'\n desc \"The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000130'\n tag gid: 'V-63633'\n tag rid: 'SV-78123r1_rule'\n tag stig_id: 'WN10-CC-000130'\n tag fix_id: 'F-69565r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnumerateLocalUsers\n\n Value Type: REG_DWORD\n Value: 0\"\n\n desc \"fix\", \"This requirement is applicable to domain-joined systems, for\n standalone systems this is NA.\n\n Configure the policy value for Computer Configuration >> Administrative\n Templates >> System >> Logon >> \\\"Enumerate local users on domain-joined\n computers\\\" to \\\"Disabled\\\".\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain != 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System') do\n it { 
should have_property 'EnumerateLocalUsers' }\n its('EnumerateLocalUsers') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-77263' do\n title \"Exploit Protection mitigations in Windows 10 must be configured for\n WINWORD.EXE.\"\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000280'\n tag gid: 'V-77263'\n tag rid: 'SV-91959r3_rule'\n tag stig_id: 'WN10-EP-000280'\n tag fix_id: 'F-84511r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name WINWORD.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for WINWORD.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false on Microsoft Office Word' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select Aslr | ConvertTo-Json').params\n describe 'Alsr BottomUp and Force Relocate Images are required to be enabled on Microsoft Office Word' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Microsoft Office Word' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63633.rb", + "ref": "./Windows 10 STIG/controls/V-77263.rb", "line": 3 }, - "id": "V-63633" + "id": "V-77263" }, { - "title": "Accounts must be configured to require password expiration.", - "desc": "Passwords that do not expire increase exposure with a greater\n probability of being discovered or cracked.", + "title": "Autoplay must be disabled for all drives.", + "desc": "Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay 
begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, autoplay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. If you enable this\n policy, you can also disable autoplay on all drives.", "descriptions": { - "default": "Passwords that do not expire increase exposure with a greater\n probability of being discovered or cracked.", - "check": "Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n Double click each active account.\n\n If \"Password never expires\" is selected for any account, this is a finding.", - "fix": "Configure all passwords to expire.\n Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n Double click each active account.\n Ensure \"Password never expires\" is not checked on all active accounts." + "default": "Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, autoplay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. If you enable this\n policy, you can also disable autoplay on all drives.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\\n\n Value Name: NoDriveTypeAutoRun\n\n Value Type: REG_DWORD\n Value: 0x000000ff (255)\n\n Note: If the value for NoDriveTypeAutorun is entered manually, it must be\n entered as \"ff\" when Hexadecimal is selected, or \"255\" with Decimal\n selected. 
Using the policy value specified in the Fix section will enter it\n correctly.", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Turn\n off AutoPlay\" to \"Enabled:All Drives\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-00-000090", - "gid": "V-63371", - "rid": "SV-77861r1_rule", - "stig_id": "WN10-00-000090", - "fix_id": "F-69291r1_fix", + "severity": "high", + "gtitle": "WN10-CC-000190", + "gid": "V-63673", + "rid": "SV-78163r1_rule", + "stig_id": "WN10-CC-000190", + "fix_id": "F-69603r1_fix", "cci": [ - "CCI-000199" + "CCI-001764" ], "nist": [ - "IA-5 (1) (d)", + "CM-7 (2)", "Rev_4" ], "false_negatives": null, 
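Review bot: The mitigation assertions in the new V-77263 `code` string appear unable to fail: `Get-ProcessMitigation ... | Select DEP | ConvertTo-Json` nests the fields under a `DEP` key, so `its(['OverrideDEP'])` reads nil at the top level, and even on the expanded object ConvertTo-Json emits JSON booleans and enum integers, which never `eq` the strings `'true'` and `'2'`; the ASLR check additionally only excludes OFF while the check text requires `ForceRelocateImages: ON`, so NOTSET would pass. `|| nil` in `if input('sensitive_system') == 'true' || nil` is a no-op and should be dropped, and `ReleaseId < '1709'` raises instead of skipping when the value is absent (`.ReleaseId.to_s < '1709'` would degrade to the intended skip). Because `source_location` points at `./Windows 10 STIG/controls/V-77263.rb`, the fix belongs in that Ruby file with this JSON regenerated; the rewritten `else` branch below uses `Select -ExpandProperty` so the keys resolve and `cmp`, which tolerates boolean/string and integer/string differences. The ON value of 1 is from the ProcessMitigation option enum as I recall it — confirm against real ConvertTo-Json output on a host before relying on it.
```ruby
  if input('sensitive_system') == 'true'
    # … unchanged: the two Not Applicable skips (sensitive systems, pre-1709) …
  else
    # -ExpandProperty lifts the mitigation fields to the top level so the keys below resolve
    dep = json(command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select -ExpandProperty DEP | ConvertTo-Json').params
    describe 'OverrideDEP must be false for WINWORD.EXE' do
      subject { dep }
      its(['OverrideDEP']) { should cmp 'false' }
    end
    aslr = json(command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select -ExpandProperty Aslr | ConvertTo-Json').params
    describe 'ForceRelocateImages must be ON for WINWORD.EXE' do
      subject { aslr }
      its(['ForceRelocateImages']) { should cmp 1 } # ON; NOTSET is also a finding per the check text
    end
    payload = json(command: 'Get-ProcessMitigation -Name WINWORD.EXE | Select -ExpandProperty Payload | ConvertTo-Json').params
    describe 'Payload Override* flags must be false for WINWORD.EXE' do
      subject { payload }
      %w[OverrideEnableExportAddressFilter OverrideEnableExportAddressFilterPlus OverrideEnableImportAddressFilter
         OverrideEnableRopStackPivot OverrideEnableRopCallerCheck OverrideEnableRopSimExec].each do |flag|
        its([flag]) { should cmp 'false' }
      end
    end
  end
```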
@@ -11655,35 +11641,43 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63371' do\n title 'Accounts must be configured to require password expiration.'\n desc \"Passwords that do not expire increase exposure with a greater\n probability of being discovered or cracked.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000090'\n tag gid: 'V-63371'\n tag rid: 'SV-77861r1_rule'\n tag stig_id: 'WN10-00-000090'\n tag fix_id: 'F-69291r1_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n Double click each active account.\n\n If \\\"Password never expires\\\" is selected for any account, this is a finding.\"\n\n desc \"fix\", \"Configure all passwords to expire.\n Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Users.\n Double click each active account.\n Ensure \\\"Password never expires\\\" is not checked on all active accounts.\"\n\n describe command(\"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordExpires=False\n and LocalAccount=True and Disabled=False' | FT Name | Findstr /V 'Name --'\") do\n its('stdout') { should eq '' }\n end\nend\n", + "code": "control 'V-63673' do\n title 'Autoplay must be disabled for all drives.'\n desc \"Allowing autoplay to execute may introduce malicious code to a system.\n Autoplay begins reading from a drive as soon as you insert media in the drive.\n As a result, the setup file of programs or music on audio media may start. 
By\n default, autoplay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. If you enable this\n policy, you can also disable autoplay on all drives.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-CC-000190'\n tag gid: 'V-63673'\n tag rid: 'SV-78163r1_rule'\n tag stig_id: 'WN10-CC-000190'\n tag fix_id: 'F-69603r1_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\policies\\\\Explorer\\\\\n\n Value Name: NoDriveTypeAutoRun\n\n Value Type: REG_DWORD\n Value: 0x000000ff (255)\n\n Note: If the value for NoDriveTypeAutorun is entered manually, it must be\n entered as \\\"ff\\\" when Hexadecimal is selected, or \\\"255\\\" with Decimal\n selected. 
Using the policy value specified in the Fix section will enter it\n correctly.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Turn\n off AutoPlay\\\" to \\\"Enabled:All Drives\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer') do\n it { should have_property 'NoDriveTypeAutoRun' }\n its('NoDriveTypeAutoRun') { should cmp 255 }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63371.rb", + "ref": "./Windows 10 STIG/controls/V-63673.rb", "line": 3 }, - "id": "V-63371" + "id": "V-63673" }, { - "title": "User Account Control must, at minimum, prompt administrators for\n consent on the secure desktop.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged on administrators\n to complete a task that requires raised privileges.", + "title": "Windows 10 systems must use a BitLocker PIN for pre-boot\n authentication.", + "desc": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. 
Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged on administrators\n to complete a task that requires raised privileges.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 2 (Prompt for consent on the secure desktop)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"User\n Account Control: Behavior of the elevation prompt for administrators in Admin\n Approval Mode\" to \"Prompt for consent on the secure desktop\"." + "default": "If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. 
Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\FVE\\\n\n Value Name: UseAdvancedStartup\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n If one of the following registry values does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\FVE\\\n\n Value Name: UseTPMPIN\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: UseTPMKeyPIN\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n\n BitLocker network unlock may be used in conjunction with a BitLocker PIN. See\n the article below regarding information about network unlock.", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> BitLocker Drive Encryption >>\n Operating System Drives \"Require additional authentication at startup\" to\n \"Enabled\" with \"Configure TPM Startup PIN:\" set to \"Require startup PIN\n with TPM\" or with \"Configure TPM startup key and PIN:\" set to \"Require\n startup key and PIN with TPM\"." }, "impact": 0.5, - "refs": [], + "refs": [ + { + "ref": "https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock" + } + ], "tags": { "severity": "medium", - "gtitle": "WN10-SO-000250", - "gid": "V-63819", - "rid": "SV-78309r1_rule", - "stig_id": "WN10-SO-000250", - "fix_id": "F-69747r1_fix", + "gtitle": "WN10-00-000031", + "gid": "V-94859", + "rid": "SV-104689r1_rule", + "stig_id": "WN10-00-000031", + "fix_id": "F-100983r2_fix", "cci": [ - "CCI-001084" + "CCI-001199", + "CCI-002475", + "CCI-002476" ], "nist": [ - "SC-3", + "SC-28", + "SC-28 (1)", + "SC-28 (1)", "Rev_4" ], "false_negatives": null, 
@@ -11697,30 +11691,30 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63819' do\n title \"User Account Control must, at minimum, prompt administrators for\n consent on the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged on administrators\n to complete a task that requires raised privileges.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000250'\n tag gid: 'V-63819'\n tag rid: 'SV-78309r1_rule'\n tag stig_id: 'WN10-SO-000250'\n tag fix_id: 'F-69747r1_fix'\n tag cci: ['CCI-001084']\n tag nist: %w[SC-3 Rev_4]\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 2 (Prompt for consent on the secure desktop)\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User\n Account Control: Behavior of the elevation prompt for administrators in Admin\n Approval Mode\\\" to \\\"Prompt for consent on the secure desktop\\\".\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'ConsentPromptBehaviorAdmin' }\n its('ConsentPromptBehaviorAdmin') { should cmp 2 }\n end\nend\n", + "code": "control 
'V-94859' do\n title \"Windows 10 systems must use a BitLocker PIN for pre-boot\n authentication.\"\n desc \"If data at rest is unencrypted, it is vulnerable to disclosure. Even\n if the operating system enforces permissions on data access, an adversary can\n remove non-volatile memory and read it directly, thereby circumventing\n operating system controls. Encrypting the data ensures that confidentiality is\n protected even when the operating system is not running. Pre-boot\n authentication prevents unauthorized users from accessing encrypted drives.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000031'\n tag gid: 'V-94859'\n tag rid: 'SV-104689r1_rule'\n tag stig_id: 'WN10-00-000031'\n tag fix_id: 'F-100983r2_fix'\n tag cci: %w[CCI-001199 CCI-002475 CCI-002476]\n tag nist: ['SC-28', 'SC-28 (1)', 'SC-28 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE\\\\\n\n Value Name: UseAdvancedStartup\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n If one of the following registry values does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE\\\\\n\n Value Name: UseTPMPIN\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: UseTPMKeyPIN\n Type: REG_DWORD\n Value: 0x00000001 (1)\n\n\n BitLocker network unlock may be used in conjunction with a BitLocker PIN. 
See\n the article below regarding information about network unlock.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> BitLocker Drive Encryption >>\n Operating System Drives \\\"Require additional authentication at startup\\\" to\n \\\"Enabled\\\" with \\\"Configure TPM Startup PIN:\\\" set to \\\"Require startup PIN\n with TPM\\\" or with \\\"Configure TPM startup key and PIN:\\\" set to \\\"Require\n startup key and PIN with TPM\\\".\"\n\n ref 'https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock'\n\n if sys_info.manufacturer == \"VMware, Inc.\"\n impact 0.0\n describe 'This is a VDI System; This System is NA for Control V-94859' do\n skip 'This is a VDI System; This System is NA for Control V-94859'\n end\n else\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE') do\n it { should have_property 'UseAdvancedStartup' }\n its('UseAdvancedStartup') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE') do\n it { should have_property 'UseTPMPIN' }\n its('UseTPMPIN') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE') do\n it { should have_property 'UseTPMKeyPIN' }\n its('UseTPMKeyPIN') { should cmp 1 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63819.rb", + "ref": "./Windows 10 STIG/controls/V-94859.rb", "line": 3 }, - "id": "V-63819" + "id": "V-94859" }, { - "title": "Exploit Protection mitigations in Windows 10 must be configured for GROOVE.EXE.", - "desc": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. 
Without these additional application protections, Windows 10 may be\n subject to various exploits.", + "title": "The built-in administrator account must be renamed.", + "desc": "The built-in administrator account is a well-known account subject to\n attack. Renaming this account to an unidentified name improves the protection\n of this account and the system.", "descriptions": { - "default": "Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.", - "check": "This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter \"Get-ProcessMitigation -Name GROOVE.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \"ON\" are listed here. 
If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.", - "fix": "Ensure the following mitigations are turned \"ON\" for GROOVE.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \"Use a common set of exploit protection settings\"\n configured to \"Enabled\" with file name and location defined under\n \"Options:\". It is recommended the file be in a read-only network location." + "default": "The built-in administrator account is a well-known account subject to\n attack. 
Renaming this account to an unidentified name improves the protection\n of this account and the system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Rename administrator account\" is set to\n \"Administrator\", this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Accounts: Rename administrator account\" to a name other than\n \"Administrator\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-EP-000130", - "gid": "V-77213", - "rid": "SV-91909r3_rule", - "stig_id": "WN10-EP-000130", - "fix_id": "F-84343r4_fix", + "gtitle": "WN10-SO-000020", + "gid": "V-63619", + "rid": "SV-78109r1_rule", + "stig_id": "WN10-SO-000020", + "fix_id": "F-69551r1_fix", "cci": [ "CCI-000366" ], 
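Review bot: The V-94859 test in the new `code` string wraps all three registry checks in one `describe.one`, so the control passes when any single value is 1, but the check text in the same control requires `UseAdvancedStartup` = 1 unconditionally and then one of `UseTPMPIN` / `UseTPMKeyPIN`; as written, a host with only `UseAdvancedStartup` set and no PIN requirement at all (or a PIN value set without advanced startup enabled) is reported compliant. `UseAdvancedStartup` should be its own `describe`, with `describe.one` reserved for the two PIN values. The `sys_info.manufacturer == "VMware, Inc."` branch also marks every VMware guest NA as a "VDI System", which conflates hypervisor vendor with VDI and silently skips a VMware-hosted non-VDI workstation; gating on a profile input, as the removed V-77213 code did with `input('sensitive_system')`, is more honest. This JSON is a serialized InSpec profile, so the change belongs in `Windows 10 STIG/controls/V-94859.rb` and should be regenerated here.

```ruby
  # … unchanged: title, desc, tags, desc "check" / desc "fix", ref, VMware/VDI skip branch …
  else
    describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE') do
      it { should have_property 'UseAdvancedStartup' }
      its('UseAdvancedStartup') { should cmp 1 }
    end
    describe.one do
      describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE') do
        it { should have_property 'UseTPMPIN' }
        its('UseTPMPIN') { should cmp 1 }
      end
      describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE') do
        it { should have_property 'UseTPMKeyPIN' }
        its('UseTPMKeyPIN') { should cmp 1 }
      end
    end
  end
```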
@@ -11739,68 +11733,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-77213' do\n title 'Exploit Protection mitigations in Windows 10 must be configured for GROOVE.EXE.'\n desc \"Exploit protection in Windows 10 provides a means of enabling\n additional mitigations against potential threats at the system and application\n level. Without these additional application protections, Windows 10 may be\n subject to various exploits.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-EP-000130'\n tag gid: 'V-77213'\n tag rid: 'SV-91909r3_rule'\n tag stig_id: 'WN10-EP-000130'\n tag fix_id: 'F-84343r4_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc 'check', \"This is NA prior to v1709 of Windows 10.\n\n This is applicable to unclassified systems, for other systems this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter \\\"Get-ProcessMitigation -Name GROOVE.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of\n all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n The PowerShell command produces a list of mitigations; only those with a\n required status of \\\"ON\\\" 
are listed here. If the PowerShell command does not\n produce results, ensure the letter case of the filename within the command\n syntax matches the letter case of the actual filename on the system.\"\n desc 'fix', \"Ensure the following mitigations are turned \\\"ON\\\" for GROOVE.EXE:\n\n DEP:\n OverrideDEP: False\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n OverrideBlockRemoteImages: False\n\n Payload:\n OverrideEnableExportAddressFilter: False\n OverrideEnableExportAddressFilterPlus: False\n OverrideEnableImportAddressFilter: False\n OverrideEnableRopStackPivot: False\n OverrideEnableRopCallerCheck: False\n OverrideEnableRopSimExec: False\n\n Child Process:\n OverrideChildProcess: False\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file\n included with the Windows 10 STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >>\n Administrative Settings >> Windows Components >> Windows Defender Exploit Guard\n >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\"\n configured to \\\"Enabled\\\" with file name and location defined under\n \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n\n if input('sensitive_system') == 'true' || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId < '1709'\n impact 0.0\n describe 'This STIG does not apply to Prior Versions before 1709.' 
do\n skip 'This STIG does not apply to Prior Versions before 1709.'\n end\n else\n dep = json( command: 'Get-ProcessMitigation -Name GROOVE.EXE | Select DEP | ConvertTo-Json').params\n describe 'OverRide DEP is required to be false Groove' do\n subject { dep }\n its(['OverrideDEP']) { should_not eq 'true' }\n end\n aslr = json( command: 'Get-ProcessMitigation -Name GROOVE.exe | Select Aslr | ConvertTo-Json').params\n describe 'Force Relocate Images are required to be enabled on Groove' do\n subject { aslr }\n its(['ForceRelocateImages']) { should_not eq '2' }\n end\n imageload = json( command: 'Get-ProcessMitigation -Name GROOVE.EXE | Select ImageLoad | ConvertTo-Json').params\n describe 'Override ImageLoad Block Remote Image Loads is required to be false on Groove' do\n subject { imageload }\n its(['OverrideBlockRemoteImages']) { should_not eq 'true' }\n end\n payload = json( command: 'Get-ProcessMitigation -Name GROOVE.EXE | Select Payload | ConvertTo-Json').params\n describe 'Override Payload Enable Export Address Filter, Override Payload Enable Export Address Filter Plus, Override EnableImportAddressFilter, Override EnableRopStackPivot, Override EnableRopCallerCheck, and Override EnableRopSimExec are required to be false on Adobe Reader' do\n subject { payload }\n its(['OverrideEnableExportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableExportAddressFilterPlus']) { should_not eq 'true' }\n its(['OverrideEnableImportAddressFilter']) { should_not eq 'true' }\n its(['OverrideEnableRopStackPivot']) { should_not eq 'true' }\n its(['OverrideEnableRopCallerCheck']) { should_not eq 'true' }\n its(['OverrideEnableRopSimExec']) { should_not eq 'true' }\n end\n child_process = json( command: 'Get-ProcessMitigation -Name GROOVE.EXE | Select ChildProcess | ConvertTo-Json').params\n describe 'OverRide Child Process is required to be false on Groove' do\n subject { child_process }\n its(['OverrideChildProcess']) { should_not eq 'true' }\n end\n end\nend", - 
"source_location": { - "ref": "./Windows 10 STIG/controls/V-77213.rb", - "line": 3 - }, - "id": "V-77213" - }, - { - "title": "The convenience PIN for Windows 10 must be disabled. ", - "desc": "This policy controls whether a domain user can sign in using a\nconvenience PIN to prevent enabling (Password Stuffer).", - "descriptions": { - "default": "This policy controls whether a domain user can sign in using a\nconvenience PIN to prevent enabling (Password Stuffer).", - "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\Software\\Policies\\Microsoft\\Windows\\System\n\n Value Name: AllowDomainPINLogon\n Value Type: REG_DWORD\n Value data: 0", - "fix": "Disable the convenience PIN sign-in.\n\n If this needs to be corrected configure the policy value for Computer\nConfiguration >> Administrative Templates >> System >> Logon >> Set \"Turn on\nconvenience PIN sign-in\" to \"Disabled”." - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": null, - "gtitle": "WN10-CC-000370", - "gid": "V-99559", - "rid": "SV-108663r1_rule", - "stig_id": "WN10-CC-000370", - "fix_id": "F-105243r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a", - "Rev_4" - ] - }, - "code": "control \"V-99559\" do\n title \"The convenience PIN for Windows 10 must be disabled. 
\"\n desc \"This policy controls whether a domain user can sign in using a\nconvenience PIN to prevent enabling (Password Stuffer).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-CC-000370\"\n tag gid: \"V-99559\"\n tag rid: \"SV-108663r1_rule\"\n tag stig_id: \"WN10-CC-000370\"\n tag fix_id: \"F-105243r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as\nspecified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\n\n Value Name: AllowDomainPINLogon\n Value Type: REG_DWORD\n Value data: 0 \"\n desc \"fix\", \"Disable the convenience PIN sign-in.\n\n If this needs to be corrected configure the policy value for Computer\nConfiguration >> Administrative Templates >> System >> Logon >> Set \\\"Turn on\nconvenience PIN sign-in\\\" to \\\"Disabled”.\"\n \n describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System') do\n it { should have_property 'AllowDomainPINLogon' }\n its('AllowDomainPINLogon') { should cmp 0 }\n end\nend\n", + "code": "control 'V-63619' do\n title 'The built-in administrator account must be renamed.'\n desc \"The built-in administrator account is a well-known account subject to\n attack. 
Renaming this account to an unidentified name improves the protection\n of this account and the system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000020'\n tag gid: 'V-63619'\n tag rid: 'SV-78109r1_rule'\n tag stig_id: 'WN10-SO-000020'\n tag fix_id: 'F-69551r1_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Rename administrator account\\\" is set to\n \\\"Administrator\\\", this is a finding.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Accounts: Rename administrator account\\\" to a name other than\n \\\"Administrator\\\".\"\n\n describe user('Administrator') do\n it { should_not exist }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-99559.rb", + "ref": "./Windows 10 STIG/controls/V-63619.rb", "line": 3 }, - "id": "V-99559" + "id": "V-63619" }, { - "title": "Windows 10 must be configured to require a minimum pin length of six\n characters or greater.", - "desc": "Windows allows the use of PINs as well as biometrics for\n authentication without sending a password to a network or website where it\n could be compromised. Longer minimum PIN lengths increase the available\n combinations an attacker would have to attempt. 
Shorter minimum length\n significantly reduces the strength.", + "title": "The Server Message Block (SMB) v1 protocol must be disabled on the system.", + "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older Network\n Attached Storage (NAS) devices may only support SMBv1.", "descriptions": { - "default": "Windows allows the use of PINs as well as biometrics for\n authentication without sending a password to a network or website where it\n could be compromised. Longer minimum PIN lengths increase the available\n combinations an attacker would have to attempt. Shorter minimum length\n significantly reduces the strength.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\PassportForWork\\PINComplexity\\\n\n Value Name: MinimumPINLength\n\n Type: REG_DWORD\n Value: 6 (or greater)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> PIN Complexity >> \"Minimum PIN length\"\n to \"6\" or greater.\n\n v1607 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Windows Hello for Business >> Pin Complexity.\n\n v1507 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Microsoft Passport for Work >> Pin Complexity." 
+ "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older Network\n Attached Storage (NAS) devices may only support SMBv1.", + "check": "Different methods are available to disable SMBv1 on Windows 10.\n This is the preferred method, however if V-74723 and V-74725 are configured,\n this is NA.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter the following:\n Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol\n\n If \"State : Enabled\" is returned, this is a finding.\n\n Alternately:\n Search for \"Features\".\n\n Select \"Turn Windows features on or off\".\n\n If \"SMB 1.0/CIFS File Sharing Support\" is selected, this is a finding.", + "fix": "Disable the SMBv1 protocol.\n\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n\n Enter the following:\n Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol\n\n Alternately:\n Search for \"Features\".\n\n Select \"Turn Windows features on or off\".\n\n De-select \"SMB 1.0/CIFS File Sharing Support\"." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "WN10-CC-000260", - "gid": "V-63721", - "rid": "SV-78211r6_rule", - "stig_id": "WN10-CC-000260", - "fix_id": "F-98469r2_fix", + "gtitle": "WN10-00-000160", + "gid": "V-70639", + "rid": "SV-85261r2_rule", + "stig_id": "WN10-00-000160", + "fix_id": "F-76871r2_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
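Review bot: The V-63619 test in the new `code` string, `describe user('Administrator') do it { should_not exist } end`, only proves that no local account is currently named Administrator, which is not what the control asks: the built-in administrator is identified by RID 500 in its SID, not by its name, so a site that renames it and then creates a decoy local account called "Administrator" (a common hardening practice) is reported as a finding, and the policy setting named in the check text is never consulted. Resolving the RID-500 account and asserting its name is not "Administrator" matches the intent of the check; the `command` resource runs PowerShell on Windows targets, as the removed V-63371 code already relied on. The V-70639 portion of this hunk is description and tag metadata only and its code continues in the next hunk. The fix belongs in `Windows 10 STIG/controls/V-63619.rb`, from which this JSON is generated.

```ruby
  # … unchanged: title, desc, tags, desc "check" / desc "fix" …
  builtin_admin = command('(Get-CimInstance -Class Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.SID -like "S-1-5-21-*-500" }).Name').stdout.strip
  describe 'Name of the built-in administrator account (RID 500)' do
    subject { builtin_admin }
    it { should_not be_empty }
    it { should_not eq 'Administrator' }
  end
```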
@@ -11814,41 +11775,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63721' do\n title \"Windows 10 must be configured to require a minimum pin length of six\n characters or greater.\"\n desc \"Windows allows the use of PINs as well as biometrics for\n authentication without sending a password to a network or website where it\n could be compromised. Longer minimum PIN lengths increase the available\n combinations an attacker would have to attempt. Shorter minimum length\n significantly reduces the strength.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000260'\n tag gid: 'V-63721'\n tag rid: 'SV-78211r6_rule'\n tag stig_id: 'WN10-CC-000260'\n tag fix_id: 'F-98469r2_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\PassportForWork\\\\PINComplexity\\\\\n\n Value Name: MinimumPINLength\n\n Type: REG_DWORD\n Value: 6 (or greater)\"\n \n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> PIN Complexity >> \\\"Minimum PIN length\\\"\n to \\\"6\\\" or greater.\n\n v1607 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Windows Hello for Business >> Pin Complexity.\n\n v1507 LTSB:\n The policy path is Computer Configuration >> Administrative Templates >>\n Windows Components >> Microsoft Passport for Work >> Pin Complexity.\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PassportForWork\\PINComplexity') do\n it { should have_property 'MinimumPINLength' }\n its('MinimumPINLength') { should be >= 6 }\n end\nend\n", + "code": "control 'V-70639' do\n title 'The Server Message Block (SMB) v1 protocol must be disabled on the system.'\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\n\n Disabling SMBv1 support may prevent access to file or print sharing\n resources with systems or devices that only support SMBv1. File shares and\n print services hosted on Windows Server 2003 are an example, however Windows\n Server 2003 is no longer a supported operating system. Some older Network\n Attached Storage (NAS) devices may only support SMBv1.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000160'\n tag gid: 'V-70639'\n tag rid: 'SV-85261r2_rule'\n tag stig_id: 'WN10-00-000160'\n tag fix_id: 'F-76871r2_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows 10.\n This is the preferred method, however if V-74723 and V-74725 are configured,\n this is NA.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter the following:\n Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol\n\n If \\\"State : Enabled\\\" is returned, this is a finding.\n\n Alternately:\n Search for \\\"Features\\\".\n\n Select \\\"Turn Windows features on or off\\\".\n\n If \\\"SMB 1.0/CIFS File Sharing Support\\\" is 
selected, this is a finding.\"\n desc \"fix\", \"Disable the SMBv1 protocol.\n\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter the following:\n Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol\n\n Alternately:\n Search for \\\"Features\\\".\n\n Select \\\"Turn Windows features on or off\\\".\n\n De-select \\\"SMB 1.0/CIFS File Sharing Support\\\".\"\n\n if registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10').has_property_value?('Start', :dword, 4) \n impact 0.0\n desc 'This control is not applicable, as controls V-74725 is configured'\n else\n smb1protocol = json( command: 'Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json').params\n describe 'Feature Name SMB1Protocol should not be Enabled' do\n subject { smb1protocol }\n its(['State']) { should_not eq \"Enabled\" }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63721.rb", + "ref": "./Windows 10 STIG/controls/V-70639.rb", "line": 3 }, - "id": "V-63721" + "id": "V-70639" }, { - "title": "The US DoD CCEB Interoperability Root CA cross-certificates must be\n installed in the Untrusted Certificates Store on unclassified systems.", - "desc": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", + "title": "The system must be configured to audit Object Access - Removable\n Storage successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.", "descriptions": { - "default": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", - "check": "Verify the US DoD CCEB Interoperability Root CA cross-certificate\n is installed on unclassified systems as an Untrusted Certificate.\n\n Run \"PowerShell\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where Issuer -Like \"*CCEB\n Interoperability*\" | FL Subject, Issuer, Thumbprint, NotAfter\n\n If the following certificate \"Subject\", \"Issuer\", and \"Thumbprint\",\n information is not displayed, this is finding.\n\n If an expired certificate (\"NotAfter\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately use the Certificates MMC snap-in:\n\n Run \"MMC\".\n\n Select \"File\", \"Add/Remove Snap-in\".\n\n Select \"Certificates\", click \"Add\".\n\n Select \"Computer account\", click \"Next\".\n\n Select \"Local computer: (the computer this console is running on)\", click\n \"Finish\".\n\n Click \"OK\".\n\n Expand \"Certificates\" and navigate to \"Untrusted Certificates >>\n Certificates\".\n\n For each certificate with \"US DoD CCEB Interoperability Root CA …\" under\n \"Issued By\":\n\n Right-click on the certificate and select \"Open\".\n\n Select the \"Details\" tab.\n\n Scroll to the bottom and select \"Thumbprint\".\n\n If the certificate below is not listed or the value for the \"Thumbprint\"\n field is not as noted, this is a finding.\n\n If an expired certificate (\"Valid to\" date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019", - "fix": "Install the US DoD CCEB Interoperability Root CA cross-certificate\n on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 -\n 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n The certificates can be installed using the InstallRoot tool. The tool and user\n guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.", + "check": "Security Option \"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\" must be\n set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Object Access >> Removable Storage - Success\n\n Some virtual machines may generate excessive audit events for access to the\n virtual hard disk itself when this setting is enabled. This may be set to Not\n Configured in such cases and would not be a finding. This must be documented\n with the ISSO to include mitigations such as monitoring or restricting any\n actual removable storage connected to the VM.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \"Audit Removable Storage\" with \"Success\"\n selected." 
 },
 "impact": 0.5,
- "refs": [
- {
- "ref": "http://iase.disa.mil/pki-pke/Pages/tools.aspx"
- }
- ],
+ "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-PK-000020",
- "gid": "V-63589",
- "rid": "SV-78079r4_rule",
- "stig_id": "WN10-PK-000020",
- "fix_id": "F-98443r3_fix",
+ "gtitle": "WN10-AU-000090",
+ "gid": "V-63473",
+ "rid": "SV-77963r2_rule",
+ "stig_id": "WN10-AU-000090",
+ "fix_id": "F-69403r1_fix",
 "cci": [
- "CCI-000185",
- "CCI-002470"
+ "CCI-000172"
 ],
 "nist": [
- "IA-5 (2) (a)",
- "SC-23 (5)",
+ "AU-12 c",
 "Rev_4"
 ],
 "false_negatives": null,
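Review bot: In the V-70639 `code` string, the not-applicable branch (the `mrxsmb10` `Start == 4` guard) sets `impact 0.0` and a `desc` but contains no `describe`/`skip`, so when SMBv1 has been disabled through the driver key InSpec records no result for this control at all, rather than the explicit N/A that the `describe ... skip` pattern used by the other controls in this file produces. Add inside that branch `describe 'SMBv1 disabled via mrxsmb10 Start = 4 (V-74725)' do` / `skip 'This control is not applicable because V-74725 is configured'` / `end`, and fix the grammar of the existing message (`as controls V-74725 is configured`). The check text says the control is N/A only when both V-74723 and V-74725 are configured, yet the guard inspects only the V-74725 value; the server-side V-74723 setting is not visible in this diff, so confirm its registry check and require both before relying on the N/A shortcut. The positive branch's `its(['State'])` also presumes `Get-WindowsOptionalFeature` returned a row; on an image that lacks the SMB1Protocol optional feature the command output is empty and the lookup may error instead of passing, which is worth a guard if such images are in scope.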
@@ -11862,35 +11817,35 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63589' do\n title \"The US DoD CCEB Interoperability Root CA cross-certificates must be\n installed in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-PK-000020'\n tag gid: 'V-63589'\n tag rid: 'SV-78079r4_rule'\n tag stig_id: 'WN10-PK-000020'\n tag fix_id: 'F-98443r3_fix'\n tag cci: %w[CCI-000185 CCI-002470]\n tag nist: ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc 'check', \"Verify the US DoD CCEB Interoperability Root CA cross-certificate\n is installed on unclassified systems as an Untrusted Certificate.\n\n Run \\\"PowerShell\\\" as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where Issuer -Like \\\"*CCEB\n Interoperability*\\\" | FL Subject, Issuer, Thumbprint, NotAfter\n\n If the following certificate \\\"Subject\\\", \\\"Issuer\\\", and \\\"Thumbprint\\\",\n information is not displayed, this is finding.\n\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately use the Certificates MMC snap-in:\n\n Run \\\"MMC\\\".\n\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n\n Select \\\"Certificates\\\", click \\\"Add\\\".\n\n Select \\\"Computer account\\\", click \\\"Next\\\".\n\n Select \\\"Local computer: (the computer this console is running on)\\\", click\n \\\"Finish\\\".\n\n Click \\\"OK\\\".\n\n Expand \\\"Certificates\\\" and navigate to \\\"Untrusted Certificates >>\n Certificates\\\".\n\n For each certificate with \\\"US DoD CCEB Interoperability Root CA …\\\" under\n \\\"Issued By\\\":\n\n Right-click on the certificate and select \\\"Open\\\".\n\n Select the \\\"Details\\\" tab.\n\n Scroll to the bottom and select \\\"Thumbprint\\\".\n\n If the certificate below is not listed or the value for the \\\"Thumbprint\\\"\n field is not as noted, this is a finding.\n\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019\"\n\n desc 'fix', \"Install the US DoD CCEB Interoperability Root CA cross-certificate\n on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 -\n 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n The certificates can be installed using the InstallRoot tool. The tool and user\n guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n ref 'http://iase.disa.mil/pki-pke/Pages/tools.aspx'\n\n dod_cceb_certificates = JSON.parse(input('dod_cceb_certificates').to_json)\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*DoD CCEB Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The DoD CCEB Interoperability CA cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_cceb_certificates }\n end\n end\nend\n", + "code": "control 'V-63473' do\n title \"The system must be configured to audit Object Access - Removable\n Storage successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Auditing object access for removable media records events related to access\n attempts on file system objects on removable storage devices.\"\n\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-AU-000090'\n tag gid: 'V-63473'\n tag rid: 'SV-77963r2_rule'\n tag stig_id: 'WN10-AU-000090'\n tag fix_id: 'F-69403r1_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings\n (Windows Vista or later) to override audit policy category settings\\\" must be\n 
set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to\n be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding:\n\n Object Access >> Removable Storage - Success\n\n Some virtual machines may generate excessive audit events for access to the\n virtual hard disk itself when this setting is enabled. This may be set to Not\n Configured in such cases and would not be a finding. This must be documented\n with the ISSO to include mitigations such as monitoring or restricting any\n actual removable storage connected to the VM.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with \\\"Success\\\"\n selected.\"\n\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Success' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63589.rb", + "ref": "./Windows 10 STIG/controls/V-63473.rb", "line": 3 }, - "id": "V-63589" + "id": "V-63473" }, { - "title": "Simple TCP/IP Services must not be installed on the system.", - "desc": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", + "title": "Only accounts responsible for the administration of a system must have\n Administrator rights on the system.", + "desc": "An account that does not have Administrator duties must not have\n Administrator rights. 
Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems only using accounts with the\n minimum level of authority necessary.\n\n For domain-joined workstations, the Domain Admins group must be replaced by\n a domain workstation administrator group (see V-36434 in the Active Directory\n Domain STIG). Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Standard user accounts must not be members of the local administrators\n group.", "descriptions": { - "default": "Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.", - "check": "\"Simple TCP/IP Services\" is not installed by default. Verify\n it has not been installed.\n\n Run \"Services.msc\".\n\n If \"Simple TCP/IP Services\" is listed, this is a finding.", - "fix": "Uninstall \"Simple TCPIP Services (i.e. echo, daytime etc)\" from\n the system.\n\n Run \"Programs and Features\".\n Select \"Turn Windows Features on or off\".\n De-select \"Simple TCPIP Services (i.e. echo, daytime etc)\"." + "default": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems only using accounts with the\n minimum level of authority necessary.\n\n For domain-joined workstations, the Domain Admins group must be replaced by\n a domain workstation administrator group (see V-36434 in the Active Directory\n Domain STIG). 
Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Standard user accounts must not be members of the local administrators\n group.", + "check": "Run \"Computer Management\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Review the members of the Administrators group.\n Only the appropriate administrator groups or accounts responsible for\n administration of the system may be members of the group.\n\n For domain-joined workstations, the Domain Admins group must be replaced by a\n domain workstation administrator group.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this is a\n finding.\n\n The built-in Administrator account or other required administrative accounts\n would not be a finding.", + "fix": "Configure the system to include only administrator groups or\n accounts that are responsible for the system in the local Administrators group.\n\n For domain-joined workstations, the Domain Admins group must be replaced by a\n domain workstation administrator group.\n\n Remove any standard user accounts." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "severity": "medium", - "gtitle": "WN10-00-000110", - "gid": "V-63383", - "rid": "SV-77873r1_rule", - "stig_id": "WN10-00-000110", - "fix_id": "F-69305r1_fix", + "severity": "high", + "gtitle": "WN10-00-000070", + "gid": "V-63361", + "rid": "SV-77851r2_rule", + "stig_id": "WN10-00-000070", + "fix_id": "F-88437r1_fix", "cci": [ - "CCI-000381" + "CCI-002235" ], "nist": [ - "CM-7 a", + "AC-6 (10)", "Rev_4" ], "false_negatives": null, 
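Review bot: The V-63361 entry at the end of this hunk records `"impact": 0` beside `"severity": "high"`, while every other control in this diff pairs `"impact": 0.5` with `"severity": "medium"`; tooling that consumes this baseline will score the local-Administrators membership control as not applicable. The control's own source (in the following hunk) declares `impact 0.7` and only lowers it to `impact 0.0` at load time when `net localgroup Administrators` returns nothing, so this value was presumably captured on a host where that command produced no output, such as a non-Windows machine running the JSON export — confirm against the generating environment. Change the line to `"impact": 0.7,` and regenerate the export on a Windows host, or move that load-time command inside the `describe` so the exported impact no longer depends on where the profile is loaded.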
@@ -11904,35 +11859,47 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-63383' do\n title 'Simple TCP/IP Services must not be installed on the system.'\n desc \"Some protocols and services do not support required security features,\n such as encrypting passwords or traffic.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-00-000110'\n tag gid: 'V-63383'\n tag rid: 'SV-77873r1_rule'\n tag stig_id: 'WN10-00-000110'\n tag fix_id: 'F-69305r1_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"\\\"Simple TCP/IP Services\\\" is not installed by default. Verify\n it has not been installed.\n\n Run \\\"Services.msc\\\".\n\n If \\\"Simple TCP/IP Services\\\" is listed, this is a finding.\"\n\n desc \"fix\", \"Uninstall \\\"Simple TCPIP Services (i.e. echo, daytime etc)\\\" from\n the system.\n\n Run \\\"Programs and Features\\\".\n Select \\\"Turn Windows Features on or off\\\".\n De-select \\\"Simple TCPIP Services (i.e. echo, daytime etc)\\\".\"\n\n describe windows_feature('Simple TCP/IP Services') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-63361' do\n title \"Only accounts responsible for the administration of a system must have\n Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\n Administrator rights. 
Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems only using accounts with the\n minimum level of authority necessary.\n\n For domain-joined workstations, the Domain Admins group must be replaced by\n a domain workstation administrator group (see V-36434 in the Active Directory\n Domain STIG). Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Standard user accounts must not be members of the local administrators\n group.\"\n\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'WN10-00-000070'\n tag gid: 'V-63361'\n tag rid: 'SV-77851r2_rule'\n tag stig_id: 'WN10-00-000070'\n tag fix_id: 'F-88437r1_fix'\n tag cci: ['CCI-002235']\n tag nist: ['AC-6 (10)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"Run \\\"Computer Management\\\".\n Navigate to System Tools >> Local Users and Groups >> Groups.\n Review the members of the Administrators group.\n Only the appropriate administrator groups or accounts responsible for\n administration of the system may be members of the group.\n\n For domain-joined workstations, the Domain Admins group must be replaced by a\n domain workstation administrator group.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this is a\n finding.\n\n The built-in Administrator account or other required administrative accounts\n would not be a finding.\"\n\n desc \"fix\", \"Configure the system to include only administrator groups 
or\n accounts that are responsible for the system in the local Administrators group.\n\n For domain-joined workstations, the Domain Admins group must be replaced by a\n domain workstation administrator group.\n\n Remove any standard user accounts.\"\n\n administrator_group = command(\"net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in input('administrators') }\n end\n end\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-63383.rb", + "ref": "./Windows 10 STIG/controls/V-63361.rb", "line": 3 }, - "id": "V-63383" + "id": "V-63361" }, { - "title": "Command line data must be included in process creation events.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \"Include command line data for process creation events\" will\n record the command line information with the process creation events in the\n log. 
This can provide additional detail when malware has run on a system.", + "title": "The required legal notice must be configured to display before console\n logon.", + "desc": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \"Include command line data for process creation events\" will\n record the command line information with the process creation events in the\n log. This can provide additional detail when malware has run on a system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 1", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Audit Process Creation >> \"Include\n command line in process creation events\" to \"Enabled\"." 
+ "default": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value:\n You are accessing a U.S. Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. 
See User\n Agreement for details.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \"Interactive logon: Message text for users attempting to log on\" to the\n following.\n\n You are accessing a U.S. Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "WN10-CC-000066",
- "gid": "V-68817",
- "rid": "SV-83409r1_rule",
- "stig_id": "WN10-CC-000066",
- "fix_id": "F-74987r1_fix",
+ "gtitle": "WN10-SO-000075",
+ "gid": "V-63675",
+ "rid": "SV-78165r2_rule",
+ "stig_id": "WN10-SO-000075",
+ "fix_id": "F-69601r2_fix",
 "cci": [
- "CCI-000135"
+ "CCI-000048",
+ "CCI-000050",
+ "CCI-001384",
+ "CCI-001385",
+ "CCI-001386",
+ "CCI-001387",
+ "CCI-001388"
 ],
 "nist": [
- "AU-3 (1)",
+ "AC-8 a",
+ "AC-8 b",
+ "AC-8 c 1",
+ "AC-8 c 2",
+ "AC-8 c 2",
+ "AC-8 c\n2",
+ "AC-8 c 3",
 "Rev_4"
 ],
 "false_negatives": null,
@@ -11946,133 +11913,166 @@ "responsibility": null, "ia_controls": null }, - "code": "control 'V-68817' do\n title 'Command line data must be included in process creation events.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \\\"Include command line data for process creation events\\\" will\n record the command line information with the process creation events in the\n log. This can provide additional detail when malware has run on a system.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-CC-000066'\n tag gid: 'V-68817'\n tag rid: 'SV-83409r1_rule'\n tag stig_id: 'WN10-CC-000066'\n tag fix_id: 'F-74987r1_fix'\n tag cci: ['CCI-000135']\n tag nist: ['AU-3 (1)', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Audit\\\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 1\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Audit Process Creation >> \\\"Include\n command line in process creation events\\\" to \\\"Enabled\\\".\"\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit') do\n it { should have_property 'ProcessCreationIncludeCmdLine_Enabled' }\n its('ProcessCreationIncludeCmdLine_Enabled') { should cmp 1 }\n end\nend\n", + "code": "control 'V-63675' do\n title \"The required legal notice must be configured to display before console\n logon.\"\n desc \"Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system\n resources.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'WN10-SO-000075'\n tag gid: 'V-63675'\n tag rid: 'SV-78165r2_rule'\n tag stig_id: 'WN10-SO-000075'\n tag fix_id: 'F-69601r2_fix'\n tag cci: %w[CCI-000048 CCI-000050 CCI-001384 CCI-001385\n CCI-001386 CCI-001387 CCI-001388]\n tag nist: ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', \"AC-8 c\n2\", 'AC-8 c 3', 'Rev_4']\n tag false_negatives: nil\n tag false_positives: nil\n tag documentable: false\n tag mitigations: nil\n tag severity_override_guidance: false\n tag potential_impacts: nil\n tag third_party_tools: nil\n tag mitigation_controls: nil\n tag responsibility: nil\n tag ia_controls: nil\n\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value:\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details.\"\n\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n \\\"Interactive logon: Message text for users attempting to log on\\\" to the\n following.\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. 
See User\n Agreement for details.\"\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'LegalNoticeText' }\n end\n\n key = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System').LegalNoticeText.to_s\n k = key.gsub(\"\\u0000\", '')\n legal_notice_text = input('LegalNoticeText')\n\n describe 'The required legal notice text' do\n subject { k.scan(/[\\w().;,!]/).join }\n it { should cmp legal_notice_text.scan(/[\\w().;,!]/).join }\n end\nend\n", "source_location": { - "ref": "./Windows 10 STIG/controls/V-68817.rb", + "ref": "./Windows 10 STIG/controls/V-63675.rb", "line": 3 }, - "id": "V-68817" + "id": "V-63675" + }, + { + "title": "Windows 10 must be configured to audit other Logon/Logoff Events\nFailures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. Logon events are essential to\nunderstanding user activity and detecting potential attacks.", + "descriptions": { + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. Logon events are essential to\nunderstanding user activity and detecting potential attacks.", + "rationale": "", + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n Enter \"AuditPol /get /category:*\".\n\n Compare the AuditPol settings with the following. If the system does not\naudit the following, this is a finding:\n\n Logon/Logoff >> Other Logon/Logoff Events - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Other Logon/Logoff Events\"\nwith \"Failure\" selected." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": null, + "gtitle": "WN10-AU-000565", + "gid": "V-99541", + "rid": "SV-108645r1_rule", + "stig_id": "WN10-AU-000565", + "fix_id": "F-105225r1_fix", + "cci": [ + "CCI-000130" + ], + "nist": [ + "AU-3", + "Rev_4" + ] + }, + "code": "control \"V-99541\" do\n title \"Windows 10 must be configured to audit other Logon/Logoff Events\nFailures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other Logon/Logoff Events determines whether Windows generates audit\nevents for other logon or logoff events. Logon events are essential to\nunderstanding user activity and detecting potential attacks.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"WN10-AU-000565\"\n tag gid: \"V-99541\"\n tag rid: \"SV-108645r1_rule\"\n tag stig_id: \"WN10-AU-000565\"\n tag fix_id: \"F-105225r1_fix\"\n tag cci: [\"CCI-000130\"]\n tag nist: [\"AU-3\", \"Rev_4\"]\n desc \"rationale\", \"\"\n desc \"check\", \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be\neffective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\n Enter \\\"AuditPol /get /category:*\\\".\n\n Compare the AuditPol settings with the following. 
If the system does not\naudit the following, this is a finding:\n\n Logon/Logoff >> Other Logon/Logoff Events - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Other Logon/Logoff Events\\\"\nwith \\\"Failure\\\" selected.\"\n \n describe.one do\n describe audit_policy do\n its('Other Logon/Logoff Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other Logon/Logoff Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "source_location": { + "ref": "./Windows 10 STIG/controls/V-99541.rb", + "line": 3 + }, + "id": "V-99541" } ], "groups": [ { "title": null, "controls": [ - "V-63635" + "V-77083" ], - "id": "controls/V-63635.rb" + "id": "controls/V-77083.rb" }, { "title": null, "controls": [ - "V-74413" + "V-63413" ], - "id": "controls/V-74413.rb" + "id": "controls/V-63413.rb" }, { "title": null, "controls": [ - "V-63827" + "V-72769" ], - "id": "controls/V-63827.rb" + "id": "controls/V-72769.rb" }, { "title": null, "controls": [ - "V-63373" + "V-63427" ], - "id": "controls/V-63373.rb" + "id": "controls/V-63427.rb" }, { "title": null, "controls": [ - "V-70637" + "V-63453" ], - "id": "controls/V-70637.rb" + "id": "controls/V-63453.rb" }, { "title": null, "controls": [ - "V-63423" + "V-99555" ], - "id": "controls/V-63423.rb" + "id": "controls/V-99555.rb" }, { "title": null, "controls": [ - "V-63665" + "V-63449" ], - "id": "controls/V-63665.rb" + "id": "controls/V-63449.rb" }, { "title": null, "controls": [ - "V-63731" + "V-99549" ], - "id": "controls/V-63731.rb" + "id": "controls/V-99549.rb" }, { "title": null, "controls": [ - "V-72765" + "V-63367" ], - "id": "controls/V-72765.rb" + "id": "controls/V-63367.rb" }, { "title": null, "controls": [ - "V-63355" + "V-63513" ], - "id": "controls/V-63355.rb" + "id": "controls/V-63513.rb" }, { "title": null, "controls": [ - 
"V-99557" + "V-63855" ], - "id": "controls/V-99557.rb" + "id": "controls/V-63855.rb" }, { "title": null, "controls": [ - "V-63577" + "V-77205" ], - "id": "controls/V-63577.rb" + "id": "controls/V-77205.rb" }, { "title": null, "controls": [ - "V-99545" + "V-63925" ], - "id": "controls/V-99545.rb" + "id": "controls/V-63925.rb" }, { "title": null, "controls": [ - "V-63687" + "V-63681" ], - "id": "controls/V-63687.rb" + "id": "controls/V-63681.rb" }, { "title": null, "controls": [ - "V-63459" + "V-71769" ], - "id": "controls/V-63459.rb" + "id": "controls/V-71769.rb" }, { "title": null, "controls": [ - "V-63681" + "V-99553" ], - "id": "controls/V-63681.rb" + "id": "controls/V-99553.rb" }, { "title": null, "controls": [ - "V-63933" + "V-63471" ], - "id": "controls/V-63933.rb" + "id": "controls/V-63471.rb" }, { "title": null, 
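Review bot: The new `tags.nist` array for V-63675 lists "AC-8 c 2" twice and then a third copy with an embedded newline, `"AC-8 c\n2"`, and the same triplicate is repeated in the embedded `code` string (`tag nist: [...]`); the entry should appear once, e.g. `tag nist: ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3', 'Rev_4']`, with the JSON array matching. The newly added V-99541 control carries `"severity": null` (and `tag severity: nil` in its code) while its `impact` is 0.5 and the sibling control V-63675 uses `"medium"`; tooling that groups or filters findings by severity will silently drop it, so a severity consistent with the impact value looks intended. Its `tags` object also omits the `false_negatives` … `ia_controls` keys that V-63675 includes, so the two controls in this hunk have different shapes. Separately, the legal-notice check in V-63675 compares only characters matching `[\w().;,!]`, which discards whitespace and hyphens (including the `--not` in the banner); this is presumably meant to tolerate line-wrapping differences, but a short comment on that line stating the intent would help the next reader. The surrounding `"controls"`/`"groups"` arrays begin and end outside this hunk.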
@@ -12084,1514 +12084,1514 @@ { "title": null, "controls": [ - "V-63931" + "V-63865" ], - "id": "controls/V-63931.rb" + "id": "controls/V-63865.rb" }, { "title": null, "controls": [ - "V-63889" + "V-77233" ], - "id": "controls/V-63889.rb" + "id": "controls/V-77233.rb" }, { "title": null, "controls": [ - "V-72767" + "V-63537" ], - "id": "controls/V-72767.rb" + "id": "controls/V-63537.rb" }, { "title": null, "controls": [ - "V-99547" + "V-77247" ], - "id": "controls/V-99547.rb" + "id": "controls/V-77247.rb" }, { "title": null, "controls": [ - "V-99561" + "V-63371" ], - "id": "controls/V-99561.rb" + "id": "controls/V-63371.rb" }, { "title": null, "controls": [ - "V-63841" + "V-77195" ], - "id": "controls/V-63841.rb" + "id": "controls/V-77195.rb" }, { "title": null, "controls": [ - "V-63483" + "V-63751" ], - "id": "controls/V-63483.rb" + "id": "controls/V-63751.rb" }, { "title": null, "controls": [ - "V-94861" + "V-63729" ], - "id": "controls/V-94861.rb" + "id": "controls/V-63729.rb" }, { "title": null, "controls": [ - "V-63451" + "V-77267" ], - "id": "controls/V-63451.rb" + "id": "controls/V-77267.rb" }, { "title": null, "controls": [ - "V-63445" + "V-99561" ], - "id": "controls/V-63445.rb" + "id": "controls/V-99561.rb" }, { "title": null, "controls": [ - "V-63623" + "V-63587" ], - "id": "controls/V-63623.rb" + "id": "controls/V-63587.rb" }, { "title": null, "controls": [ - "V-63517" + "V-68845" ], - "id": "controls/V-63517.rb" + "id": "controls/V-68845.rb" }, { "title": null, "controls": [ - "V-63815" + "V-63377" ], - "id": "controls/V-63815.rb" + "id": "controls/V-63377.rb" }, { "title": null, "controls": [ - "V-63627" + "V-63319" ], - "id": "controls/V-63627.rb" + "id": "controls/V-63319.rb" }, { "title": null, "controls": [ - "V-63671" + "V-63743" ], - "id": "controls/V-63671.rb" + "id": "controls/V-63743.rb" }, { "title": null, "controls": [ - "V-63405" + "V-63627" ], - "id": "controls/V-63405.rb" + "id": "controls/V-63627.rb" }, { "title": null, "controls": [ - 
"V-63537" + "V-63747" ], - "id": "controls/V-63537.rb" + "id": "controls/V-63747.rb" }, { "title": null, "controls": [ - "V-63453" + "V-99559" ], - "id": "controls/V-63453.rb" + "id": "controls/V-99559.rb" }, { "title": null, "controls": [ - "V-68845" + "V-63841" ], - "id": "controls/V-68845.rb" + "id": "controls/V-63841.rb" }, { "title": null, "controls": [ - "V-63767" + "V-63629" ], - "id": "controls/V-63767.rb" + "id": "controls/V-63629.rb" }, { "title": null, "controls": [ - "V-77103" + "V-63399" ], - "id": "controls/V-77103.rb" + "id": "controls/V-63399.rb" }, { "title": null, "controls": [ - "V-63463" + "V-77103" ], - "id": "controls/V-63463.rb" + "id": "controls/V-77103.rb" }, { "title": null, "controls": [ - "V-71765" + "V-63349" ], - "id": "controls/V-71765.rb" + "id": "controls/V-63349.rb" }, { "title": null, "controls": [ - "V-63925" + "V-63881" ], - "id": "controls/V-63925.rb" + "id": "controls/V-63881.rb" }, { "title": null, "controls": [ - "V-63861" + "V-63713" ], - "id": "controls/V-63861.rb" + "id": "controls/V-63713.rb" }, { "title": null, "controls": [ - "V-63709" + "V-63355" ], - "id": "controls/V-63709.rb" + "id": "controls/V-63355.rb" }, { "title": null, "controls": [ - "V-63467" + "V-63519" ], - "id": "controls/V-63467.rb" + "id": "controls/V-63519.rb" }, { "title": null, "controls": [ - "V-77205" + "V-74725" ], - "id": "controls/V-77205.rb" + "id": "controls/V-74725.rb" }, { "title": null, "controls": [ - "V-63393" + "V-63415" ], - "id": "controls/V-63393.rb" + "id": "controls/V-63415.rb" }, { "title": null, "controls": [ - "V-63691" + "V-63609" ], - "id": "controls/V-63691.rb" + "id": "controls/V-63609.rb" }, { "title": null, "controls": [ - "V-76505" + "V-77269" ], - "id": "controls/V-76505.rb" + "id": "controls/V-77269.rb" }, { "title": null, "controls": [ - "V-63447" + "V-63597" ], - "id": "controls/V-63447.rb" + "id": "controls/V-63597.rb" }, { "title": null, "controls": [ - "V-77239" + "V-63373" ], - "id": "controls/V-77239.rb" + "id": 
"controls/V-63373.rb" }, { "title": null, "controls": [ - "V-63597" + "V-74699" ], - "id": "controls/V-63597.rb" + "id": "controls/V-74699.rb" }, { "title": null, "controls": [ - "V-63645" + "V-63859" ], - "id": "controls/V-63645.rb" + "id": "controls/V-63859.rb" }, { "title": null, "controls": [ - "V-63403" + "V-63719" ], - "id": "controls/V-63403.rb" + "id": "controls/V-63719.rb" }, { "title": null, "controls": [ - "V-63673" + "V-63695" ], - "id": "controls/V-63673.rb" + "id": "controls/V-63695.rb" }, { "title": null, "controls": [ - "V-77245" + "V-63883" ], - "id": "controls/V-77245.rb" + "id": "controls/V-63883.rb" }, { "title": null, "controls": [ - "V-77249" + "V-63337" ], - "id": "controls/V-77249.rb" + "id": "controls/V-63337.rb" }, { "title": null, "controls": [ - "V-63431" + "V-63353" ], - "id": "controls/V-63431.rb" + "id": "controls/V-63353.rb" }, { "title": null, "controls": [ - "V-94859" + "V-63685" ], - "id": "controls/V-94859.rb" + "id": "controls/V-63685.rb" }, { "title": null, "controls": [ - "V-77095" + "V-63403" ], - "id": "controls/V-77095.rb" + "id": "controls/V-63403.rb" }, { "title": null, "controls": [ - "V-63881" + "V-63419" ], - "id": "controls/V-63881.rb" + "id": "controls/V-63419.rb" }, { "title": null, "controls": [ - "V-74411" + "V-77259" ], - "id": "controls/V-74411.rb" + "id": "controls/V-77259.rb" }, { "title": null, "controls": [ - "V-63507" + "V-63767" ], - "id": "controls/V-63507.rb" + "id": "controls/V-63767.rb" }, { "title": null, "controls": [ - "V-77243" + "V-63647" ], - "id": "controls/V-77243.rb" + "id": "controls/V-63647.rb" }, { "title": null, "controls": [ - "V-63333" + "V-63421" ], - "id": "controls/V-63333.rb" + "id": "controls/V-63421.rb" }, { "title": null, "controls": [ - "V-75027" + "V-77095" ], - "id": "controls/V-75027.rb" + "id": "controls/V-77095.rb" }, { "title": null, "controls": [ - "V-63737" + "V-77209" ], - "id": "controls/V-63737.rb" + "id": "controls/V-77209.rb" }, { "title": null, "controls": [ - 
"V-63621" + "V-63635" ], - "id": "controls/V-63621.rb" + "id": "controls/V-63635.rb" }, { "title": null, "controls": [ - "V-63429" + "V-63701" ], - "id": "controls/V-63429.rb" + "id": "controls/V-63701.rb" }, { "title": null, "controls": [ - "V-63385" + "V-63665" ], - "id": "controls/V-63385.rb" + "id": "controls/V-63665.rb" }, { "title": null, "controls": [ - "V-77227" + "V-71771" ], - "id": "controls/V-77227.rb" + "id": "controls/V-71771.rb" }, { "title": null, "controls": [ - "V-63563" + "V-63879" ], - "id": "controls/V-63563.rb" + "id": "controls/V-63879.rb" }, { "title": null, "controls": [ - "V-77235" + "V-63515" ], - "id": "controls/V-77235.rb" + "id": "controls/V-63515.rb" }, { "title": null, "controls": [ - "V-63487" + "V-63383" ], - "id": "controls/V-63487.rb" + "id": "controls/V-63383.rb" }, { "title": null, "controls": [ - "V-77255" + "V-74417" ], - "id": "controls/V-77255.rb" + "id": "controls/V-74417.rb" }, { "title": null, "controls": [ - "V-63679" + "V-63803" ], - "id": "controls/V-63679.rb" + "id": "controls/V-63803.rb" }, { "title": null, "controls": [ - "V-63879" + "V-63739" ], - "id": "controls/V-63879.rb" + "id": "controls/V-63739.rb" }, { "title": null, "controls": [ - "V-72329" + "V-63745" ], - "id": "controls/V-72329.rb" + "id": "controls/V-63745.rb" }, { "title": null, "controls": [ - "V-63611" + "V-72767" ], - "id": "controls/V-63611.rb" + "id": "controls/V-72767.rb" }, { "title": null, "controls": [ - "V-63803" + "V-72329" ], - "id": "controls/V-63803.rb" + "id": "controls/V-72329.rb" }, { "title": null, "controls": [ - "V-74409" + "V-63467" ], - "id": "controls/V-74409.rb" + "id": "controls/V-63467.rb" }, { "title": null, "controls": [ - "V-63347" + "V-63615" ], - "id": "controls/V-63347.rb" + "id": "controls/V-63615.rb" }, { "title": null, "controls": [ - "V-63749" + "V-63487" ], - "id": "controls/V-63749.rb" + "id": "controls/V-63487.rb" }, { "title": null, "controls": [ - "V-63661" + "V-63671" ], - "id": "controls/V-63661.rb" + "id": 
"controls/V-63671.rb" }, { "title": null, "controls": [ - "V-63811" + "V-63595" ], - "id": "controls/V-63811.rb" + "id": "controls/V-63595.rb" }, { "title": null, "controls": [ - "V-77221" + "V-63691" ], - "id": "controls/V-77221.rb" + "id": "controls/V-63691.rb" }, { "title": null, "controls": [ - "V-63527" + "V-63651" ], - "id": "controls/V-63527.rb" + "id": "controls/V-63651.rb" }, { "title": null, "controls": [ - "V-63365" + "V-63847" ], - "id": "controls/V-63365.rb" + "id": "controls/V-63847.rb" }, { "title": null, "controls": [ - "V-77191" + "V-63861" ], - "id": "controls/V-77191.rb" + "id": "controls/V-63861.rb" }, { "title": null, "controls": [ - "V-63479" + "V-82145" ], - "id": "controls/V-63479.rb" + "id": "controls/V-82145.rb" }, { "title": null, "controls": [ - "V-63663" + "V-88203" ], - "id": "controls/V-63663.rb" + "id": "controls/V-88203.rb" }, { "title": null, "controls": [ - "V-63883" + "V-63345" ], - "id": "controls/V-63883.rb" + "id": "controls/V-63345.rb" }, { "title": null, "controls": [ - "V-72769" + "V-77245" ], - "id": "controls/V-72769.rb" + "id": "controls/V-77245.rb" }, { "title": null, "controls": [ - "V-63481" + "V-74721" ], - "id": "controls/V-63481.rb" + "id": "controls/V-74721.rb" }, { "title": null, "controls": [ - "V-88203" + "V-71765" ], - "id": "controls/V-88203.rb" + "id": "controls/V-71765.rb" }, { "title": null, "controls": [ - "V-63829" + "V-63341" ], - "id": "controls/V-63829.rb" + "id": "controls/V-63341.rb" }, { "title": null, "controls": [ - "V-99563" + "V-74411" ], - "id": "controls/V-99563.rb" + "id": "controls/V-74411.rb" }, { "title": null, "controls": [ - "V-77259" + "V-63347" ], - "id": "controls/V-77259.rb" + "id": "controls/V-63347.rb" }, { "title": null, "controls": [ - "V-63795" + "V-63935" ], - "id": "controls/V-63795.rb" + "id": "controls/V-63935.rb" }, { "title": null, "controls": [ - "V-63695" + "V-63451" ], - "id": "controls/V-63695.rb" + "id": "controls/V-63451.rb" }, { "title": null, "controls": [ - 
"V-63377" + "V-63839" ], - "id": "controls/V-63377.rb" + "id": "controls/V-63839.rb" }, { "title": null, "controls": [ - "V-65681" + "V-63821" ], - "id": "controls/V-65681.rb" + "id": "controls/V-63821.rb" }, { "title": null, "controls": [ - "V-63427" + "V-63381" ], - "id": "controls/V-63427.rb" + "id": "controls/V-63381.rb" }, { "title": null, "controls": [ - "V-63601" + "V-63679" ], - "id": "controls/V-63601.rb" + "id": "controls/V-63679.rb" }, { "title": null, "controls": [ - "V-63853" + "V-63857" ], - "id": "controls/V-63853.rb" + "id": "controls/V-63857.rb" }, { "title": null, "controls": [ - "V-63733" + "V-63639" ], - "id": "controls/V-63733.rb" + "id": "controls/V-63639.rb" }, { "title": null, "controls": [ - "V-63729" + "V-77217" ], - "id": "controls/V-63729.rb" + "id": "controls/V-77217.rb" }, { "title": null, "controls": [ - "V-77101" + "V-63815" ], - "id": "controls/V-77101.rb" + "id": "controls/V-63815.rb" }, { "title": null, "controls": [ - "V-63657" + "V-63653" ], - "id": "controls/V-63657.rb" + "id": "controls/V-63653.rb" }, { "title": null, "controls": [ - "V-63755" + "V-75027" ], - "id": "controls/V-63755.rb" + "id": "controls/V-75027.rb" }, { "title": null, "controls": [ - "V-63523" + "V-63555" ], - "id": "controls/V-63523.rb" + "id": "controls/V-63555.rb" }, { "title": null, "controls": [ - "V-63359" + "V-77249" ], - "id": "controls/V-63359.rb" + "id": "controls/V-77249.rb" }, { "title": null, "controls": [ - "V-63569" + "V-70637" ], - "id": "controls/V-63569.rb" + "id": "controls/V-70637.rb" }, { "title": null, "controls": [ - "V-63321" + "V-63435" ], - "id": "controls/V-63321.rb" + "id": "controls/V-63435.rb" }, { "title": null, "controls": [ - "V-63845" + "V-82139" ], - "id": "controls/V-63845.rb" + "id": "controls/V-82139.rb" }, { "title": null, "controls": [ - "V-63567" + "V-63931" ], - "id": "controls/V-63567.rb" + "id": "controls/V-63931.rb" }, { "title": null, "controls": [ - "V-63545" + "V-63737" ], - "id": "controls/V-63545.rb" + "id": 
"controls/V-63737.rb" }, { "title": null, "controls": [ - "V-63927" + "V-63709" ], - "id": "controls/V-63927.rb" + "id": "controls/V-63709.rb" }, { "title": null, "controls": [ - "V-63667" + "V-63871" ], - "id": "controls/V-63667.rb" + "id": "controls/V-63871.rb" }, { "title": null, "controls": [ - "V-63329" + "V-72765" ], - "id": "controls/V-63329.rb" + "id": "controls/V-72765.rb" }, { "title": null, "controls": [ - "V-63595" + "V-63661" ], - "id": "controls/V-63595.rb" + "id": "controls/V-63661.rb" }, { "title": null, "controls": [ - "V-77263" + "V-63429" ], - "id": "controls/V-77263.rb" + "id": "controls/V-63429.rb" }, { "title": null, "controls": [ - "V-63607" + "V-63577" ], - "id": "controls/V-63607.rb" + "id": "controls/V-63577.rb" }, { "title": null, "controls": [ - "V-63357" + "V-63333" ], - "id": "controls/V-63357.rb" + "id": "controls/V-63333.rb" }, { "title": null, "controls": [ - "V-74721" + "V-63323" ], - "id": "controls/V-74721.rb" + "id": "controls/V-63323.rb" }, { "title": null, "controls": [ - "V-71763" + "V-63483" ], - "id": "controls/V-71763.rb" + "id": "controls/V-63483.rb" }, { "title": null, "controls": [ - "V-63361" + "V-77221" ], - "id": "controls/V-63361.rb" + "id": "controls/V-77221.rb" }, { "title": null, "controls": [ - "V-63353" + "V-63541" ], - "id": "controls/V-63353.rb" + "id": "controls/V-63541.rb" }, { "title": null, "controls": [ - "V-63409" + "V-63431" ], - "id": "controls/V-63409.rb" + "id": "controls/V-63431.rb" }, { "title": null, "controls": [ - "V-77269" + "V-63829" ], - "id": "controls/V-77269.rb" + "id": "controls/V-63829.rb" }, { "title": null, "controls": [ - "V-63821" + "V-77227" ], - "id": "controls/V-63821.rb" + "id": "controls/V-77227.rb" }, { "title": null, "controls": [ - "V-63399" + "V-63599" ], - "id": "controls/V-63399.rb" + "id": "controls/V-63599.rb" }, { "title": null, "controls": [ - "V-63863" + "V-71759" ], - "id": "controls/V-63863.rb" + "id": "controls/V-71759.rb" }, { "title": null, "controls": [ - 
"V-77209" + "V-63845" ], - "id": "controls/V-77209.rb" + "id": "controls/V-63845.rb" }, { "title": null, "controls": [ - "V-63685" + "V-63447" ], - "id": "controls/V-63685.rb" + "id": "controls/V-63447.rb" }, { "title": null, "controls": [ - "V-63713" + "V-63807" ], - "id": "controls/V-63713.rb" + "id": "controls/V-63807.rb" }, { "title": null, "controls": [ - "V-63583" + "V-63873" ], - "id": "controls/V-63583.rb" + "id": "controls/V-63873.rb" }, { "title": null, "controls": [ - "V-77233" + "V-63479" ], - "id": "controls/V-77233.rb" + "id": "controls/V-63479.rb" }, { "title": null, "controls": [ - "V-63491" + "V-63617" ], - "id": "controls/V-63491.rb" + "id": "controls/V-63617.rb" }, { "title": null, "controls": [ - "V-63585" + "V-99545" ], - "id": "controls/V-63585.rb" + "id": "controls/V-99545.rb" }, { "title": null, "controls": [ - "V-63587" + "V-63357" ], - "id": "controls/V-63587.rb" + "id": "controls/V-63357.rb" }, { "title": null, "controls": [ - "V-63839" + "V-63819" ], - "id": "controls/V-63839.rb" + "id": "controls/V-63819.rb" }, { "title": null, "controls": [ - "V-63419" + "V-63481" ], - "id": "controls/V-63419.rb" + "id": "controls/V-63481.rb" }, { "title": null, "controls": [ - "V-63869" + "V-63583" ], - "id": "controls/V-63869.rb" + "id": "controls/V-63583.rb" }, { "title": null, "controls": [ - "V-63703" + "V-63697" ], - "id": "controls/V-63703.rb" + "id": "controls/V-63697.rb" }, { "title": null, "controls": [ - "V-63617" + "V-63503" ], - "id": "controls/V-63617.rb" + "id": "controls/V-63503.rb" }, { "title": null, "controls": [ - "V-77231" + "V-63755" ], - "id": "controls/V-77231.rb" + "id": "controls/V-63755.rb" }, { "title": null, "controls": [ - "V-74723" + "V-63491" ], - "id": "controls/V-74723.rb" + "id": "controls/V-63491.rb" }, { "title": null, "controls": [ - "V-63701" + "V-63339" ], - "id": "controls/V-63701.rb" + "id": "controls/V-63339.rb" }, { "title": null, "controls": [ - "V-63917" + "V-63533" ], - "id": "controls/V-63917.rb" + "id": 
"controls/V-63533.rb" }, { "title": null, "controls": [ - "V-63689" + "V-63939" ], - "id": "controls/V-63689.rb" + "id": "controls/V-63939.rb" }, { "title": null, "controls": [ - "V-63343" + "V-63469" ], - "id": "controls/V-63343.rb" + "id": "controls/V-63469.rb" }, { "title": null, "controls": [ - "V-63677" + "V-63343" ], - "id": "controls/V-63677.rb" + "id": "controls/V-63343.rb" }, { "title": null, "controls": [ - "V-63579" + "V-63721" ], - "id": "controls/V-63579.rb" + "id": "controls/V-63721.rb" }, { "title": null, "controls": [ - "V-77201" + "V-63863" ], - "id": "controls/V-77201.rb" + "id": "controls/V-63863.rb" }, { "title": null, "controls": [ - "V-77083" + "V-63749" ], - "id": "controls/V-77083.rb" + "id": "controls/V-63749.rb" }, { "title": null, "controls": [ - "V-63871" + "V-68819" ], - "id": "controls/V-63871.rb" + "id": "controls/V-68819.rb" }, { "title": null, "controls": [ - "V-63807" + "V-63765" ], - "id": "controls/V-63807.rb" + "id": "controls/V-63765.rb" }, { "title": null, "controls": [ - "V-63659" + "V-63611" ], - "id": "controls/V-63659.rb" + "id": "controls/V-63611.rb" }, { "title": null, "controls": [ - "V-63831" + "V-63669" ], - "id": "controls/V-63831.rb" + "id": "controls/V-63669.rb" }, { "title": null, "controls": [ - "V-63449" + "V-63585" ], - "id": "controls/V-63449.rb" + "id": "controls/V-63585.rb" }, { "title": null, "controls": [ - "V-74699" + "V-63877" ], - "id": "controls/V-74699.rb" + "id": "controls/V-63877.rb" }, { "title": null, "controls": [ - "V-63541" + "V-63601" ], - "id": "controls/V-63541.rb" + "id": "controls/V-63601.rb" }, { "title": null, "controls": [ - "V-63717" + "V-63741" ], - "id": "controls/V-63717.rb" + "id": "controls/V-63741.rb" }, { "title": null, "controls": [ - "V-63513" + "V-63687" ], - "id": "controls/V-63513.rb" + "id": "controls/V-63687.rb" }, { "title": null, "controls": [ - "V-77247" + "V-63321" ], - "id": "controls/V-77247.rb" + "id": "controls/V-63321.rb" }, { "title": null, "controls": [ - 
"V-63765" + "V-63927" ], - "id": "controls/V-63765.rb" + "id": "controls/V-63927.rb" }, { "title": null, "controls": [ - "V-77097" + "V-94719" ], - "id": "controls/V-77097.rb" + "id": "controls/V-94719.rb" }, { "title": null, "controls": [ - "V-99555" + "V-63689" ], - "id": "controls/V-99555.rb" + "id": "controls/V-63689.rb" }, { "title": null, "controls": [ - "V-63351" + "V-63717" ], - "id": "controls/V-63351.rb" + "id": "controls/V-63717.rb" }, { "title": null, "controls": [ - "V-63743" + "V-63649" ], - "id": "controls/V-63743.rb" + "id": "controls/V-63649.rb" }, { "title": null, "controls": [ - "V-63457" + "V-63703" ], - "id": "controls/V-63457.rb" + "id": "controls/V-63703.rb" }, { "title": null, "controls": [ - "V-63719" + "V-76505" ], - "id": "controls/V-63719.rb" + "id": "controls/V-76505.rb" }, { "title": null, "controls": [ - "V-63473" + "V-74719" ], - "id": "controls/V-63473.rb" + "id": "controls/V-74719.rb" }, { "title": null, "controls": [ - "V-63643" + "V-63811" ], - "id": "controls/V-63643.rb" + "id": "controls/V-63811.rb" }, { "title": null, "controls": [ - "V-77267" + "V-63851" ], - "id": "controls/V-77267.rb" + "id": "controls/V-63851.rb" }, { "title": null, "controls": [ - "V-63817" + "V-77085" ], - "id": "controls/V-63817.rb" + "id": "controls/V-77085.rb" }, { "title": null, "controls": [ - "V-63549" + "V-63643" ], - "id": "controls/V-63549.rb" + "id": "controls/V-63643.rb" }, { "title": null, "controls": [ - "V-63503" + "V-63335" ], - "id": "controls/V-63503.rb" + "id": "controls/V-63335.rb" }, { "title": null, "controls": [ - "V-63591" + "V-63625" ], - "id": "controls/V-63591.rb" + "id": "controls/V-63625.rb" }, { "title": null, "controls": [ - "V-63859" + "V-77235" ], - "id": "controls/V-63859.rb" + "id": "controls/V-77235.rb" }, { "title": null, "controls": [ - "V-63389" + "V-99551" ], - "id": "controls/V-63389.rb" + "id": "controls/V-99551.rb" }, { "title": null, "controls": [ - "V-63381" + "V-63797" ], - "id": "controls/V-63381.rb" + "id": 
"controls/V-63797.rb" }, { "title": null, "controls": [ - "V-63615" + "V-63825" ], - "id": "controls/V-63615.rb" + "id": "controls/V-63825.rb" }, { "title": null, "controls": [ - "V-68819" + "V-77201" ], - "id": "controls/V-68819.rb" + "id": "controls/V-77201.rb" }, { "title": null, "controls": [ - "V-77217" + "V-63593" ], - "id": "controls/V-77217.rb" + "id": "controls/V-63593.rb" }, { "title": null, "controls": [ - "V-63469" + "V-63633" ], - "id": "controls/V-63469.rb" + "id": "controls/V-63633.rb" }, { "title": null, "controls": [ - "V-71769" + "V-99557" ], - "id": "controls/V-71769.rb" + "id": "controls/V-99557.rb" }, { "title": null, "controls": [ - "V-63367" + "V-63663" ], - "id": "controls/V-63367.rb" + "id": "controls/V-63663.rb" }, { "title": null, "controls": [ - "V-68849" + "V-63941" ], - "id": "controls/V-68849.rb" + "id": "controls/V-63941.rb" }, { "title": null, "controls": [ - "V-99553" + "V-63853" ], - "id": "controls/V-99553.rb" + "id": "controls/V-63853.rb" }, { "title": null, "controls": [ - "V-82139" + "V-63393" ], - "id": "controls/V-82139.rb" + "id": "controls/V-63393.rb" }, { "title": null, "controls": [ - "V-63851" + "V-77255" ], - "id": "controls/V-63851.rb" + "id": "controls/V-77255.rb" }, { "title": null, "controls": [ - "V-63471" + "V-63559" ], - "id": "controls/V-63471.rb" + "id": "controls/V-63559.rb" }, { "title": null, "controls": [ - "V-71761" + "V-63657" ], - "id": "controls/V-71761.rb" + "id": "controls/V-63657.rb" }, { "title": null, "controls": [ - "V-63651" + "V-63869" ], - "id": "controls/V-63651.rb" + "id": "controls/V-63869.rb" }, { "title": null, "controls": [ - "V-63363" + "V-63889" ], - "id": "controls/V-63363.rb" + "id": "controls/V-63889.rb" }, { "title": null, "controls": [ - "V-63593" + "V-63325" ], - "id": "controls/V-63593.rb" + "id": "controls/V-63325.rb" }, { "title": null, "controls": [ - "V-63697" + "V-74413" ], - "id": "controls/V-63697.rb" + "id": "controls/V-74413.rb" }, { "title": null, "controls": [ - 
"V-63369" + "V-63731" ], - "id": "controls/V-63369.rb" + "id": "controls/V-63731.rb" }, { "title": null, "controls": [ - "V-63751" + "V-63795" ], - "id": "controls/V-63751.rb" + "id": "controls/V-63795.rb" }, { "title": null, "controls": [ - "V-99541" + "V-63369" ], - "id": "controls/V-99541.rb" + "id": "controls/V-63369.rb" }, { "title": null, "controls": [ - "V-63857" + "V-63591" ], - "id": "controls/V-63857.rb" + "id": "controls/V-63591.rb" }, { "title": null, "controls": [ - "V-63939" + "V-68817" ], - "id": "controls/V-63939.rb" + "id": "controls/V-68817.rb" }, { "title": null, "controls": [ - "V-63683" + "V-63359" ], - "id": "controls/V-63683.rb" + "id": "controls/V-63359.rb" }, { "title": null, "controls": [ - "V-63375" + "V-77239" ], - "id": "controls/V-63375.rb" + "id": "controls/V-77239.rb" }, { "title": null, "controls": [ - "V-63555" + "V-63607" ], - "id": "controls/V-63555.rb" + "id": "controls/V-63607.rb" }, { "title": null, "controls": [ - "V-63935" + "V-63363" ], - "id": "controls/V-63935.rb" + "id": "controls/V-63363.rb" }, { "title": null, "controls": [ - "V-82145" + "V-77091" ], - "id": "controls/V-82145.rb" + "id": "controls/V-77091.rb" }, { "title": null, "controls": [ - "V-63711" + "V-63875" ], - "id": "controls/V-63711.rb" + "id": "controls/V-63875.rb" }, { "title": null, "controls": [ - "V-99549" + "V-63499" ], - "id": "controls/V-99549.rb" + "id": "controls/V-63499.rb" }, { "title": null, "controls": [ - "V-63345" + "V-63589" ], - "id": "controls/V-63345.rb" + "id": "controls/V-63589.rb" }, { "title": null, "controls": [ - "V-74417" + "V-63351" ], - "id": "controls/V-74417.rb" + "id": "controls/V-63351.rb" }, { "title": null, "controls": [ - "V-63699" + "V-63423" ], - "id": "controls/V-63699.rb" + "id": "controls/V-63423.rb" }, { "title": null, "controls": [ - "V-63741" + "V-63759" ], - "id": "controls/V-63741.rb" + "id": "controls/V-63759.rb" }, { "title": null, "controls": [ - "V-63619" + "V-63549" ], - "id": "controls/V-63619.rb" + "id": 
"controls/V-63549.rb" }, { "title": null, "controls": [ - "V-63865" + "V-63375" ], - "id": "controls/V-63865.rb" + "id": "controls/V-63375.rb" }, { "title": null, "controls": [ - "V-63739" + "V-63801" ], - "id": "controls/V-63739.rb" + "id": "controls/V-63801.rb" }, { "title": null, "controls": [ - "V-63647" + "V-63389" ], - "id": "controls/V-63647.rb" + "id": "controls/V-63389.rb" }, { "title": null, "controls": [ - "V-63415" + "V-63933" ], - "id": "controls/V-63415.rb" + "id": "controls/V-63933.rb" }, { "title": null, "controls": [ - "V-63843" + "V-94861" ], - "id": "controls/V-63843.rb" + "id": "controls/V-94861.rb" }, { "title": null, "controls": [ - "V-63847" + "V-68849" ], - "id": "controls/V-63847.rb" + "id": "controls/V-68849.rb" }, { "title": null, "controls": [ - "V-63875" + "V-77243" ], - "id": "controls/V-63875.rb" + "id": "controls/V-77243.rb" }, { "title": null, "controls": [ - "V-63335" + "V-63405" ], - "id": "controls/V-63335.rb" + "id": "controls/V-63405.rb" }, { "title": null, "controls": [ - "V-63653" + "V-63581" ], - "id": "controls/V-63653.rb" + "id": "controls/V-63581.rb" }, { "title": null, "controls": [ - "V-63519" + "V-63545" ], - "id": "controls/V-63519.rb" + "id": "controls/V-63545.rb" }, { "title": null, "controls": [ - "V-63873" + "V-63365" ], - "id": "controls/V-63873.rb" + "id": "controls/V-63365.rb" }, { "title": null, "controls": [ - "V-77189" + "V-74409" ], - "id": "controls/V-77189.rb" + "id": "controls/V-74409.rb" }, { "title": null, "controls": [ - "V-63629" + "V-77097" ], - "id": "controls/V-63629.rb" + "id": "controls/V-77097.rb" }, { "title": null, "controls": [ - "V-77195" + "V-77191" ], - "id": "controls/V-77195.rb" + "id": "controls/V-77191.rb" }, { "title": null, "controls": [ - "V-63825" + "V-71761" ], - "id": "controls/V-63825.rb" + "id": "controls/V-71761.rb" }, { "title": null, "controls": [ - "V-63559" + "V-99543" ], - "id": "controls/V-63559.rb" + "id": "controls/V-99543.rb" }, { "title": null, "controls": [ - 
"V-63609" + "V-65681" ], - "id": "controls/V-63609.rb" + "id": "controls/V-65681.rb" }, { "title": null, "controls": [ - "V-63341" + "V-63733" ], - "id": "controls/V-63341.rb" + "id": "controls/V-63733.rb" }, { "title": null, 
@@ -13603,338 +13603,338 @@ { "title": null, "controls": [ - "V-63499" + "V-63329" ], - "id": "controls/V-63499.rb" + "id": "controls/V-63329.rb" }, { "title": null, "controls": [ - "V-63855" + "V-82137" ], - "id": "controls/V-63855.rb" + "id": "controls/V-82137.rb" }, { "title": null, "controls": [ - "V-74719" + "V-63623" ], - "id": "controls/V-74719.rb" + "id": "controls/V-63623.rb" }, { "title": null, "controls": [ - "V-63797" + "V-63831" ], - "id": "controls/V-63797.rb" + "id": "controls/V-63831.rb" }, { "title": null, "controls": [ - "V-94719" + "V-63677" ], - "id": "controls/V-94719.rb" + "id": "controls/V-63677.rb" }, { "title": null, "controls": [ - "V-63941" + "V-63457" ], - "id": "controls/V-63941.rb" + "id": "controls/V-63457.rb" }, { "title": null, "controls": [ - "V-63581" + "V-77189" ], - "id": "controls/V-63581.rb" + "id": "controls/V-77189.rb" }, { "title": null, "controls": [ - "V-63877" + "V-63569" ], - "id": "controls/V-63877.rb" + "id": "controls/V-63569.rb" }, { "title": null, "controls": [ - "V-63349" + "V-63659" ], - "id": "controls/V-63349.rb" + "id": "controls/V-63659.rb" }, { "title": null, "controls": [ - "V-99543" + "V-74723" ], - "id": "controls/V-99543.rb" + "id": "controls/V-74723.rb" }, { "title": null, "controls": [ - "V-63639" + "V-63667" ], - "id": "controls/V-63639.rb" + "id": "controls/V-63667.rb" }, { "title": null, "controls": [ - "V-63515" + "V-63385" ], - "id": "controls/V-63515.rb" + "id": "controls/V-63385.rb" }, { "title": null, "controls": [ - "V-63649" + "V-63699" ], - "id": "controls/V-63649.rb" + "id": "controls/V-63699.rb" }, { "title": null, "controls": [ - "V-63319" + "V-71763" ], - "id": "controls/V-63319.rb" + "id": "controls/V-71763.rb" }, { "title": null, "controls": [ - "V-70639" + "V-63527" ], - "id": "controls/V-70639.rb" + "id": "controls/V-63527.rb" }, { "title": null, "controls": [ - "V-63323" + "V-63683" ], - "id": "controls/V-63323.rb" + "id": "controls/V-63683.rb" }, { "title": null, "controls": [ - 
"V-63801" + "V-63843" ], - "id": "controls/V-63801.rb" + "id": "controls/V-63843.rb" }, { "title": null, "controls": [ - "V-63745" + "V-63563" ], - "id": "controls/V-63745.rb" + "id": "controls/V-63563.rb" }, { "title": null, "controls": [ - "V-63625" + "V-63507" ], - "id": "controls/V-63625.rb" + "id": "controls/V-63507.rb" }, { "title": null, "controls": [ - "V-71771" + "V-63517" ], - "id": "controls/V-71771.rb" + "id": "controls/V-63517.rb" }, { "title": null, "controls": [ - "V-63759" + "V-63917" ], - "id": "controls/V-63759.rb" + "id": "controls/V-63917.rb" }, { "title": null, "controls": [ - "V-63533" + "V-77231" ], - "id": "controls/V-63533.rb" + "id": "controls/V-77231.rb" }, { "title": null, "controls": [ - "V-82137" + "V-63409" ], - "id": "controls/V-82137.rb" + "id": "controls/V-63409.rb" }, { "title": null, "controls": [ - "V-77085" + "V-63567" ], - "id": "controls/V-77085.rb" + "id": "controls/V-63567.rb" }, { "title": null, "controls": [ - "V-63747" + "V-63445" ], - "id": "controls/V-63747.rb" + "id": "controls/V-63445.rb" }, { "title": null, "controls": [ - "V-63337" + "V-63817" ], - "id": "controls/V-63337.rb" + "id": "controls/V-63817.rb" }, { "title": null, "controls": [ - "V-63325" + "V-77213" ], - "id": "controls/V-63325.rb" + "id": "controls/V-77213.rb" }, { "title": null, "controls": [ - "V-63339" + "V-63645" ], - "id": "controls/V-63339.rb" + "id": "controls/V-63645.rb" }, { "title": null, "controls": [ - "V-77223" + "V-63459" ], - "id": "controls/V-77223.rb" + "id": "controls/V-63459.rb" }, { "title": null, "controls": [ - "V-74725" + "V-63523" ], - "id": "controls/V-74725.rb" + "id": "controls/V-63523.rb" }, { "title": null, "controls": [ - "V-63435" + "V-77223" ], - "id": "controls/V-63435.rb" + "id": "controls/V-77223.rb" }, { "title": null, "controls": [ - "V-63599" + "V-63579" ], - "id": "controls/V-63599.rb" + "id": "controls/V-63579.rb" }, { "title": null, "controls": [ - "V-63669" + "V-99547" ], - "id": "controls/V-63669.rb" + "id": 
"controls/V-99547.rb" }, { "title": null, "controls": [ - "V-63675" + "V-99563" ], - "id": "controls/V-63675.rb" + "id": "controls/V-99563.rb" }, { "title": null, "controls": [ - "V-99551" + "V-63463" ], - "id": "controls/V-99551.rb" + "id": "controls/V-63463.rb" }, { "title": null, "controls": [ - "V-77091" + "V-77101" ], - "id": "controls/V-77091.rb" + "id": "controls/V-77101.rb" }, { "title": null, "controls": [ - "V-63421" + "V-63827" ], - "id": "controls/V-63421.rb" + "id": "controls/V-63827.rb" }, { "title": null, "controls": [ - "V-63413" + "V-63621" ], - "id": "controls/V-63413.rb" + "id": "controls/V-63621.rb" }, { "title": null, "controls": [ - "V-71759" + "V-63711" ], - "id": "controls/V-71759.rb" + "id": "controls/V-63711.rb" }, { "title": null, "controls": [ - "V-63633" + "V-77263" ], - "id": "controls/V-63633.rb" + "id": "controls/V-77263.rb" }, { "title": null, "controls": [ - "V-63371" + "V-63673" ], - "id": "controls/V-63371.rb" + "id": "controls/V-63673.rb" }, { "title": null, "controls": [ - "V-63819" + "V-94859" ], - "id": "controls/V-63819.rb" + "id": "controls/V-94859.rb" }, { "title": null, "controls": [ - "V-77213" + "V-63619" ], - "id": "controls/V-77213.rb" + "id": "controls/V-63619.rb" }, { "title": null, "controls": [ - "V-99559" + "V-70639" ], - "id": "controls/V-99559.rb" + "id": "controls/V-70639.rb" }, { "title": null, "controls": [ - "V-63721" + "V-63473" ], - "id": "controls/V-63721.rb" + "id": "controls/V-63473.rb" }, { "title": null, "controls": [ - "V-63589" + "V-63361" ], - "id": "controls/V-63589.rb" + "id": "controls/V-63361.rb" }, { "title": null, "controls": [ - "V-63383" + "V-63675" ], - "id": "controls/V-63383.rb" + "id": "controls/V-63675.rb" }, { "title": null, "controls": [ - "V-68817" + "V-99541" ], - "id": "controls/V-68817.rb" + "id": "controls/V-99541.rb" } ], "sha256": "b9c1de5d0b700821ec9222a27e978580412be8bdc10a6782f3fab87796800b87", 
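Review bot: Every id removed in this hunk reappears as an added line elsewhere in the `groups` array (e.g. `V-63583`, `V-63617`, `V-63491`, `V-63533` are each on a `-` line and later on a `+` line) while the trailing `"sha256"` context line is unchanged, so this 338-line hunk appears to be nondeterministic ordering of the export rather than a change to the control set. Churn of this size hides a real control addition or removal in the same file from review. Sort `groups` by `id` (and each `controls` array by gid) in the generation step before committing, so a regenerated baseline only diffs where content actually changed.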
diff --git a/src/assets/data/baselineProfiles/microsoft-windows-server-2016-stig-baseline.json b/src/assets/data/baselineProfiles/microsoft-windows-server-2016-stig-baseline.json index a78d5485..9613bd1e 100644 --- a/src/assets/data/baselineProfiles/microsoft-windows-server-2016-stig-baseline.json +++ b/src/assets/data/baselineProfiles/microsoft-windows-server-2016-stig-baseline.json 
@@ -12,21 +12,21 @@ "supports": [], "controls": [ { - "title": "Domain-joined systems must have a Trusted Platform Module (TPM)\n enabled and ready for use.", - "desc": "Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. A number of\n system requirements must be met in order for Credential Guard to be configured\n and enabled properly. Without a TPM enabled and ready for use, Credential Guard\n keys are stored in a less secure method using software.", + "title": "Domain controllers must be configured to allow reset of machine\n account passwords.", + "desc": "Enabling this setting on all domain controllers in a domain prevents\n domain members from changing their computer account passwords. If these\n passwords are weak or compromised, the inability to change them may leave these\n computers vulnerable.", "descriptions": { - "default": "Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. A number of\n system requirements must be met in order for Credential Guard to be configured\n and enabled properly. 
Without a TPM enabled and ready for use, Credential Guard\n keys are stored in a less secure method using software.", - "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Verify the system has a TPM and it is ready for use.\n\n Run tpm.msc.\n\n Review the sections in the center pane.\n\n Status must indicate it has been configured with a message such as The\n TPM is ready for use or The TPM is on and ownership has been taken.\n\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.", - "fix": "Ensure domain-joined systems have a TPM that is configured for\n use. (Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n\n Run tpm.msc for configuration options in Windows." + "default": "Enabling this setting on all domain controllers in a domain prevents\n domain members from changing their computer account passwords. If these\n passwords are weak or compromised, the inability to change them may leave these\n computers vulnerable.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RefusePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n controller: Refuse machine account password changes to Disabled." 
}, - "impact": 0.3, + "impact": 0, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73237", - "rid": "SV-87889r1_rule", - "stig_id": "WN16-00-000100", - "fix_id": "F-79681r1_fix", + "gid": "V-73631", + "rid": "SV-88295r1_rule", + "stig_id": "WN16-DC-000330", + "fix_id": "F-80081r1_fix", "cci": [ "CCI-000366" ], 
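Review bot: `"impact": 0` on the new side for V-73631 contradicts the control's own declared severity — its `code` field (visible at the start of the next hunk) sets `impact 0.5` and only lowers it to `impact 0.0` at runtime when `domainrole` is not 4 or 5. The baseline therefore appears to have been exported from an evaluation on a host that is not a domain controller, so a CAT II domain-controller control is recorded with zero severity in the reference dataset; any other role- or domain-gated control in this file is likely affected the same way (the removed V-73237 has the same `WORKGROUP` → `impact 0.0` pattern). Generate the baseline from the profile definition rather than from a run (e.g. `inspec json <profile>`), or the committed value should be `"impact": 0.5`.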
@@ -36,133 +36,125 @@ ], "documentable": false }, - "code": "control 'V-73237' do\n title \"Domain-joined systems must have a Trusted Platform Module (TPM)\n enabled and ready for use.\"\n desc \"Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. A number of\n system requirements must be met in order for Credential Guard to be configured\n and enabled properly. Without a TPM enabled and ready for use, Credential Guard\n keys are stored in a less secure method using software.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73237'\n tag \"rid\": 'SV-87889r1_rule'\n tag \"stig_id\": 'WN16-00-000100'\n tag \"fix_id\": 'F-79681r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Verify the system has a TPM and it is ready for use.\n\n Run tpm.msc.\n\n Review the sections in the center pane.\n\n Status must indicate it has been configured with a message such as The\n TPM is ready for use or The TPM is on and ownership has been taken.\n\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.\"\n desc \"fix\", \"Ensure domain-joined systems have a TPM that is configured for\n use. 
(Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n\n Run tpm.msc for configuration options in Windows.\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n desc 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems'\n end\n\n if is_domain != 'WORKGROUP'\n tpm_ready = command('Get-Tpm | select -expand TpmReady').stdout.strip\n tpm_present = command('Get-Tpm | select -expand TpmPresent').stdout.strip\n describe 'Trusted Platform Module (TPM) TpmReady' do\n subject { tpm_ready }\n it { should eq 'True' }\n end\n describe 'Trusted Platform Module (TPM) TpmPresent' do\n subject { tpm_present }\n it { should eq 'True' }\n end\n end\nend\n", + "code": "control 'V-73631' do\n title \"Domain controllers must be configured to allow reset of machine\n account passwords.\"\n desc \"Enabling this setting on all domain controllers in a domain prevents\n domain members from changing their computer account passwords. If these\n passwords are weak or compromised, the inability to change them may leave these\n computers vulnerable.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73631'\n tag \"rid\": 'SV-88295r1_rule'\n tag \"stig_id\": 'WN16-DC-000330'\n tag \"fix_id\": 'F-80081r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RefusePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n controller: Refuse machine account password changes to Disabled.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RefusePasswordChange' }\n its('RefusePasswordChange') { should cmp 0 }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73237.rb", + "ref": "./Windows 2016 STIG/controls/V-73631.rb", "line": 1 }, - "id": "V-73237" + "id": "V-73631" }, { - "title": "FTP servers must be configured to prevent access to the system drive.", - "desc": "The FTP service allows remote users to access shared files and\n directories that could provide access to system resources and compromise the\n system, especially if the user can gain access to the root directory of the\n boot drive.", + "title": "The Telnet Client must not be installed.", + "desc": "Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", "descriptions": { - "default": "The FTP service allows remote users to access shared files and\n directories that could provide access to system resources and compromise the\n system, especially if the user can gain access to the root directory of the\n boot drive.", - "check": "If FTP is not installed on the system, this is NA.\n\n Open Internet Information Services (IIS) Manager.\n\n Select Sites under the server name.\n\n For any sites with a Binding that lists FTP, right-click the site and select\n Explore.\n\n If the site is not defined to a specific folder for shared FTP resources, this\n is a finding.\n\n If the site includes any system areas such as root of the drive, Program Files,\n or Windows directories, this is a finding.", - "fix": "Configure the FTP sites to allow access only to specific FTP\n shared resources. Do not allow access to other areas of the system." + "default": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", + "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Telnet-Client.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", + "fix": "Uninstall the Telnet Client feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Telnet Client on the Features page.\n\n Click Next and Remove as prompted." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73305", - "rid": "SV-87957r1_rule", - "stig_id": "WN16-00-000440", - "fix_id": "F-79747r1_fix", + "gtitle": "SRG-OS-000096-GPOS-00050", + "gid": "V-73295", + "rid": "SV-87947r1_rule", + "stig_id": "WN16-00-000390", + "fix_id": "F-79737r1_fix", "cci": [ - "CCI-000366" + "CCI-000382" ], "nist": [ - "CM-6 b", + "CM-7", "Rev_4" ], "documentable": false }, - "code": "control 'V-73305' do\n title 'FTP servers must be configured to prevent access to the system drive.'\n desc \"The FTP service allows remote users to access shared files and\n directories that could provide access to system resources and compromise the\n system, especially if the user can gain access to the root directory of the\n boot drive.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73305'\n tag \"rid\": 'SV-87957r1_rule'\n tag \"stig_id\": 'WN16-00-000440'\n tag \"fix_id\": 'F-79747r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If FTP is not installed on the system, this is NA.\n\n Open Internet Information Services (IIS) Manager.\n\n Select Sites under the server name.\n\n For any sites with a Binding that lists FTP, right-click the site and select\n Explore.\n\n If the site is not defined to a specific folder for shared FTP resources, this\n is a finding.\n\n If the site includes any system areas such as root of the drive, Program Files,\n or Windows directories, this is a finding.\"\n desc \"fix\", \"Configure the FTP sites to allow access only to specific FTP\n shared resources. 
Do not allow access to other areas of the system.\"\n is_ftp_installed = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n if is_ftp_installed == 'False'\n describe 'FTP is not installed on this system, therefore this control is not applicable' do\n skip 'FTP is not installed on this system, therefore this control is not applicable'\n end\n else\n describe 'A manual review is required to ensure File Transfer Protocol (FTP) servers are configured to prevent\n anonymous logons' do\n skip 'A manual review is required to ensure File Transfer Protocol (FTP) servers are configured to prevent\n anonymous logons'\n end\n end\nend\n", + "code": "control 'V-73295' do\n title 'The Telnet Client must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000096-GPOS-00050'\n tag \"gid\": 'V-73295'\n tag \"rid\": 'SV-87947r1_rule'\n tag \"stig_id\": 'WN16-00-000390'\n tag \"fix_id\": 'F-79737r1_fix'\n tag \"cci\": ['CCI-000382']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Telnet-Client.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Telnet Client feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Telnet Client on the Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('Telnet-Client') do\n it { should_not be_installed }\n end\nend\n", "source_location": 
{ - "ref": "./Windows 2016 STIG/controls/V-73305.rb", + "ref": "./Windows 2016 STIG/controls/V-73295.rb", "line": 1 }, - "id": "V-73305" + "id": "V-73295" }, { - "title": "Windows Server 2016 must be configured to audit Policy Change -\n Authorization Policy Change successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.", + "title": "Administrator accounts must not be enumerated during elevation.", + "desc": "Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Authorization Policy Change with\n Success selected." + "default": "Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. 
This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\\n\n Value Name: EnumerateAdministrators\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Credential User Interface >>\n Enumerate administrator accounts on elevation to Disabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" - ], - "gid": "V-73467", - "rid": "SV-88119r1_rule", - "stig_id": "WN16-AU-000340", - "fix_id": "F-79909r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-73487", + "rid": "SV-88139r1_rule", + "stig_id": "WN16-CC-000280", + "fix_id": "F-79929r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-001084" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "SC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73467' do\n title \"Windows Server 2016 must be configured to audit Policy Change -\n Authorization Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73467'\n tag \"rid\": 'SV-88119r1_rule'\n tag \"stig_id\": 'WN16-AU-000340'\n tag \"fix_id\": 'F-79909r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Authorization Policy Change with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Authorization Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authorization Policy Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Authorization Policy Change'\") 
do\n its('stdout') { should match /Authorization Policy Change Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Authorization Policy Change'\") do\n its('stdout') { should match /Authorization Policy Change Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73487' do\n title 'Administrator accounts must not be enumerated during elevation.'\n desc \"Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73487'\n tag \"rid\": 'SV-88139r1_rule'\n tag \"stig_id\": 'WN16-CC-000280'\n tag \"fix_id\": 'F-79929r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI\\\\\n\n Value Name: EnumerateAdministrators\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Credential User Interface >>\n Enumerate administrator accounts on elevation to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI') do\n it { should have_property 'EnumerateAdministrators' }\n its('EnumerateAdministrators') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73467.rb", + "ref": "./Windows 2016 STIG/controls/V-73487.rb", "line": 1 }, - "id": "V-73467" + "id": "V-73487" }, { - "title": "The LAN Manager authentication level must be set to send NTLMv2\n 
response only and to refuse LM and NTLM.", - "desc": "The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n standalone computers that are running later versions.", + "title": "The Create symbolic links user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create symbolic links user right can create pointers\n to other objects, which could expose the system to attack.", "descriptions": { - "default": "The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n standalone computers that are running later versions.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 0x00000005 (5)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: LAN Manager authentication level to Send NTLMv2\n response only. Refuse LM & NTLM." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create symbolic links user right can create pointers\n to other objects, which could expose the system to attack.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create\n symbolic links user right, this is a finding.\n\n - Administrators\n\n Systems that have the Hyper-V role will also have Virtual Machines given\n this user right (this may be displayed as NT Virtual Machine\\Virtual\n Machines). This is not a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create symbolic links to include only the following accounts or groups:\n\n - Administrators\n\n Systems that have the Hyper-V role will also have Virtual Machines given\n this user right. If this needs to be added manually, enter it as NT Virtual\n Machine\\Virtual Machines." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73691", - "rid": "SV-88355r1_rule", - "stig_id": "WN16-SO-000380", - "fix_id": "F-80141r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73753", + "rid": "SV-88417r1_rule", + "stig_id": "WN16-UR-000120", + "fix_id": "F-80203r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73691' do\n title \"The LAN Manager authentication level must be set to send NTLMv2\n response only and to refuse LM and NTLM.\"\n desc \"The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n standalone computers that are running later versions.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73691'\n tag \"rid\": 'SV-88355r1_rule'\n tag \"stig_id\": 'WN16-SO-000380'\n tag \"fix_id\": 'F-80141r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 0x00000005 (5)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: LAN Manager authentication level to Send NTLMv2\n response only. 
Refuse LM & NTLM.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'LmCompatibilityLevel' }\n its('LmCompatibilityLevel') { should cmp 5 }\n end\nend\n", + "code": "control 'V-73753' do\n title \"The Create symbolic links user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create symbolic links user right can create pointers\n to other objects, which could expose the system to attack.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73753'\n tag \"rid\": 'SV-88417r1_rule'\n tag \"stig_id\": 'WN16-UR-000120'\n tag \"fix_id\": 'F-80203r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create\n symbolic links user right, this is a finding.\n\n - Administrators\n\n Systems that have the Hyper-V role will also have Virtual Machines given\n this user right (this may be displayed as NT Virtual Machine\\\\Virtual\n Machines). This is not a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create symbolic links to include only the following accounts or groups:\n\n - Administrators\n\n Systems that have the Hyper-V role will also have Virtual Machines given\n this user right. 
If this needs to be added manually, enter it as NT Virtual\n Machine\\\\Virtual Machines.\"\n describe.one do\n describe security_policy do\n its('SeCreateSymbolicLinkPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeCreateSymbolicLinkPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73691.rb", + "ref": "./Windows 2016 STIG/controls/V-73753.rb", "line": 1 }, - "id": "V-73691" + "id": "V-73753" }, { - "title": "The Modify firmware environment values user right must only be\n assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Modify firmware environment values user right can\n change hardware configuration environment variables. This could result in\n hardware failures or a denial of service.", + "title": "The Increase scheduling priority user right must only be assigned to\n the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Increase scheduling priority user right can change a\n scheduling priority, causing performance issues or a denial of service.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Modify firmware environment values user right can\n change hardware configuration environment variables. 
This could result in\n hardware failures or a denial of service.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Modify\n firmware environment values user right, this is a finding.\n\n - Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Modify firmware environment values to include only the following accounts\n or groups:\n\n - Administrators" + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Increase scheduling priority user right can change a\n scheduling priority, causing performance issues or a denial of service.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Increase\n scheduling priority user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Increase scheduling priority to include only 
the following accounts or\n groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73795", - "rid": "SV-88459r1_rule", - "stig_id": "WN16-UR-000270", - "fix_id": "F-80245r1_fix", + "gid": "V-73787", + "rid": "SV-88451r1_rule", + "stig_id": "WN16-UR-000230", + "fix_id": "F-80237r1_fix", "cci": [ "CCI-002235" ], 
@@ -172,61 +164,61 @@ ], "documentable": false }, - "code": "control 'V-73795' do\n title \"The Modify firmware environment values user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Modify firmware environment values user right can\n change hardware configuration environment variables. This could result in\n hardware failures or a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73795'\n tag \"rid\": 'SV-88459r1_rule'\n tag \"stig_id\": 'WN16-UR-000270'\n tag \"fix_id\": 'F-80245r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Modify\n firmware environment values user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Modify firmware environment values to include only the following accounts\n or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeSystemEnvironmentPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeSystemEnvironmentPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73787' do\n title \"The Increase scheduling priority user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the 
Increase scheduling priority user right can change a\n scheduling priority, causing performance issues or a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73787'\n tag \"rid\": 'SV-88451r1_rule'\n tag \"stig_id\": 'WN16-UR-000230'\n tag \"fix_id\": 'F-80237r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Increase\n scheduling priority user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Increase scheduling priority to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeIncreaseBasePriorityPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeIncreaseBasePriorityPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73795.rb", + "ref": "./Windows 2016 STIG/controls/V-73787.rb", "line": 1 }, - "id": "V-73795" + "id": "V-73787" }, { - "title": "FTP servers must be configured to prevent anonymous logons.", - "desc": "The FTP service allows 
remote users to access shared files and\n directories. Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\n that the userid and password will be captured on the network and give\n administrator access to an unauthorized user.", + "title": "Passwords for the built-in Administrator account must be changed at\n least every 60 days.", + "desc": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the password. The built-in\n Administrator account is not generally used and its password may not be changed\n as frequently as necessary. Changing the password for the built-in\n Administrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such as Microsoft's Local\n Administrator Password Solution (LAPS), on domain-joined systems can configure\n this to occur more frequently. LAPS will change the password every 30 days\n by default.", "descriptions": { - "default": "The FTP service allows remote users to access shared files and\n directories. 
Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\n that the userid and password will be captured on the network and give\n administrator access to an unauthorized user.", - "check": "If FTP is not installed on the system, this is NA.\n\n Open Internet Information Services (IIS) Manager.\n\n Select the server.\n\n Double-click FTP Authentication.\n\n If the Anonymous Authentication status is Enabled, this is a finding.", - "fix": "Configure the FTP service to prevent anonymous logons.\n\n Open Internet Information Services (IIS) Manager.\n\n Select the server.\n\n Double-click FTP Authentication.\n\n Select Anonymous Authentication.\n\n Select Disabled under Actions" + "default": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the password. The built-in\n Administrator account is not generally used and its password may not be changed\n as frequently as necessary. Changing the password for the built-in\n Administrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such as Microsoft's Local\n Administrator Password Solution (LAPS), on domain-joined systems can configure\n this to occur more frequently. 
LAPS will change the password every 30 days\n by default.", + "check": "Review the password last set date for the built-in\n Administrator account.\n \n Domain controllers:\n\n Open PowerShell.\n\n Enter Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like\n *-500 | Ft Name, SID, PasswordLastSet.\n\n If the PasswordLastSet date is greater than 60 days old, this is a\n finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Enter 'Net User [account name] | Find /i Password Last Set', where [account\n name] is the name of the built-in administrator account.\n\n (The name of the built-in Administrator account must be changed to something\n other than Administrator per STIG requirements.)\n\n If the PasswordLastSet date is greater than 60 days old, this is a\n finding.", + "fix": "Change the built-in Administrator account password at least every\n 60 days.\n\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined member\n servers to accomplish this." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73303", - "rid": "SV-87955r1_rule", - "stig_id": "WN16-00-000430", - "fix_id": "F-79745r1_fix", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": "V-73223", + "rid": "SV-87875r2_rule", + "stig_id": "WN16-00-000030", + "fix_id": "F-79667r2_fix", "cci": [ - "CCI-000366" + "CCI-000199" ], "nist": [ - "CM-6 b", + "IA-5 (1) (d)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73303' do\n title 'FTP servers must be configured to prevent anonymous logons.'\n desc \"The FTP service allows remote users to access shared files and\n directories. 
Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\n that the userid and password will be captured on the network and give\n administrator access to an unauthorized user.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73303'\n tag \"rid\": 'SV-87955r1_rule'\n tag \"stig_id\": 'WN16-00-000430'\n tag \"fix_id\": 'F-79745r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If FTP is not installed on the system, this is NA.\n\n Open Internet Information Services (IIS) Manager.\n\n Select the server.\n\n Double-click FTP Authentication.\n\n If the Anonymous Authentication status is Enabled, this is a finding.\"\n desc \"fix\", \"Configure the FTP service to prevent anonymous logons.\n\n Open Internet Information Services (IIS) Manager.\n\n Select the server.\n\n Double-click FTP Authentication.\n\n Select Anonymous Authentication.\n\n Select Disabled under Actions\"\n is_ftp_installed = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n if is_ftp_installed == 'False'\n impact 0.0\n describe 'FTP is not installed on this system, therefore this control is not applicable' do\n skip 'FTP is not installed on this system, therefore this control is not applicable'\n end\n else\n describe 'A manual review is required to ensure File Transfer Protocol (FTP) servers are configured to prevent\n anonymous logons' do\n skip 'A manual review is required to ensure File Transfer Protocol (FTP) servers are configured to prevent\n anonymous logons'\n end\n end\nend\n", + "code": "control 'V-73223' do\n title \"Passwords for the built-in Administrator account must be changed at\n least every 60 days.\"\n desc \"The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the password. 
The built-in\n Administrator account is not generally used and its password may not be changed\n as frequently as necessary. Changing the password for the built-in\n Administrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such as Microsoft's Local\n Administrator Password Solution (LAPS), on domain-joined systems can configure\n this to occur more frequently. LAPS will change the password every 30 days\n by default.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000076-GPOS-00044'\n tag \"gid\": 'V-73223'\n tag \"rid\": 'SV-87875r2_rule'\n tag \"stig_id\": 'WN16-00-000030'\n tag \"fix_id\": 'F-79667r2_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the password last set date for the built-in\n Administrator account.\n \n Domain controllers:\n\n Open PowerShell.\n\n Enter Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like\n *-500 | Ft Name, SID, PasswordLastSet.\n\n If the PasswordLastSet date is greater than 60 days old, this is a\n finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Enter 'Net User [account name] | Find /i Password Last Set', where [account\n name] is the name of the built-in administrator account.\n\n (The name of the built-in Administrator account must be changed to something\n other than Administrator per STIG requirements.)\n\n If the PasswordLastSet date is greater than 60 days old, this is a\n finding.\"\n desc \"fix\", \"Change the built-in Administrator account password at least every\n 60 days.\n\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined member\n servers to accomplish this.\"\n\n built_in_admin_account = input('built_in_admin_account')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n query = 'Get-ADUser -Filter * 
-Properties SID, PasswordLastSet | Where SID -Like *-500 | Select @{Name=\"Name\";Expression={$_.SamAccountName}}, SID, @{Name=\"PasswordLastSet\";Expression={New-TimeSpan -Start ($_.PasswordLastSet) -End (Get-Date) | Select Days, Hours}}| ConvertTo-JSON'\n else\n query = 'Get-LocalUser | Where SID -Like *-500 | Select Name, SID, @{Name=\"PasswordLastSet\";Expression={New-TimeSpan -Start ($_.PasswordLastSet) -End (Get-Date) | Select Days}} | ConvertTo-JSON'\n end\n\n admin_account = json({command: query})\n sid = admin_account['SID']['Value']\n pwd_last_set_days = admin_account['PasswordLastSet']['Days']\n account_name = admin_account['Name']\n\n if !admin_account.empty? && sid.to_s.end_with?('-500') && account_name.to_s.eql?(built_in_admin_account)\n describe \"Password age for built-in Adminstrator account\" do\n subject { pwd_last_set_days }\n it { should cmp <= 60 }\n end\n describe \"The built-in Administrator account name\" do\n subject { account_name }\n it { should_not cmp 'Administrator' }\n end\n else\n describe 'There are no administrative accounts on this system' do\n skip 'There are no administrative accounts on this system'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73303.rb", + "ref": "./Windows 2016 STIG/controls/V-73223.rb", "line": 1 }, - "id": "V-73303" + "id": "V-73223" }, { - "title": "Users must be notified if a web-based program attempts to install\n software.", - "desc": "Web-based programs may attempt to install malicious software on a\n system. 
Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.", + "title": "Systems must be maintained at a supported servicing level.", + "desc": "Systems at unsupported servicing levels will not receive security\n updates for new vulnerabilities, which leave them subject to exploitation.\n Systems must be maintained at a servicing level supported by the vendor with\n new security updates.", "descriptions": { - "default": "Web-based programs may attempt to install malicious software on a\n system. Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.", - "check": "The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", - "fix": "The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> Windows\n Installer >> Prevent Internet Explorer security prompt for Windows Installer\n scripts to Not Configured or Disabled." 
+ "default": "Systems at unsupported servicing levels will not receive security\n updates for new vulnerabilities, which leave them subject to exploitation.\n Systems must be maintained at a servicing level supported by the vendor with\n new security updates.", + "check": "Open Command Prompt.\n\n Enter winver.exe.\n\n If the About Windows dialog box does not display Microsoft Windows Server\n Version 1607 (Build 14393.xxx) or greater, this is a finding.\n\n Preview versions must not be used in a production environment.", + "fix": "Update the system to a Version 1607 (Build 14393.xxx) or greater." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73587", - "rid": "SV-88251r1_rule", - "stig_id": "WN16-CC-000470", - "fix_id": "F-80037r1_fix", + "gid": "V-73239", + "rid": "SV-87891r1_rule", + "stig_id": "WN16-00-000110", + "fix_id": "F-79683r1_fix", "cci": [ "CCI-000366" ], 
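Review bot: In the added `code` string for V-73223, `sid = admin_account['SID']['Value']`, `pwd_last_set_days = admin_account['PasswordLastSet']['Days']` and `account_name = admin_account['Name']` run before the `!admin_account.empty?` guard, so if the PowerShell query returns no object the `['Value']` lookup on a nil `SID` presumably raises and the skip branch that guard is meant to protect is never reached. Moving the three lookups inside the guarded `if` (after the `empty?` check) would let the control fall through to the documented skip instead of erroring. The skip text `There are no administrative accounts on this system` is also emitted when an RID-500 account exists but its name differs from the `built_in_admin_account` input, which reports an input mismatch as "no accounts"; a distinct message for that case would be clearer, and `Adminstrator` in the first describe title is misspelled. This file looks like an `inspec json` export (it carries `source_location` and the control source), so the fix belongs in `./Windows 2016 STIG/controls/V-73223.rb` with this asset regenerated from it.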
@@ -236,914 +228,977 @@ ], "documentable": false }, - "code": "control 'V-73587' do\n title \"Users must be notified if a web-based program attempts to install\n software.\"\n desc \"Web-based programs may attempt to install malicious software on a\n system. Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73587'\n tag \"rid\": 'SV-88251r1_rule'\n tag \"stig_id\": 'WN16-CC-000470'\n tag \"fix_id\": 'F-80037r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> Windows\n Installer >> Prevent Internet Explorer security prompt for Windows Installer\n scripts to Not Configured or Disabled.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer') do\n it { should_not have_property 'SafeForScripting' }\n 
end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer') do\n its('SafeForScripting') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-73239' do\n title 'Systems must be maintained at a supported servicing level.'\n desc \"Systems at unsupported servicing levels will not receive security\n updates for new vulnerabilities, which leave them subject to exploitation.\n Systems must be maintained at a servicing level supported by the vendor with\n new security updates.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73239'\n tag \"rid\": 'SV-87891r1_rule'\n tag \"stig_id\": 'WN16-00-000110'\n tag \"fix_id\": 'F-79683r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open Command Prompt.\n\n Enter winver.exe.\n\n If the About Windows dialog box does not display Microsoft Windows Server\n Version 1607 (Build 14393.xxx) or greater, this is a finding.\n\n Preview versions must not be used in a production environment.\"\n desc \"fix\", 'Update the system to a Version 1607 (Build 14393.xxx) or greater.'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion') do\n it { should have_property 'CurrentMajorVersionNumber' }\n its('CurrentMajorVersionNumber') { should be >= 10 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion') do\n it { should have_property 'CurrentBuildNumber' }\n its('CurrentBuildNumber') { should be >= '14393' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion') do\n it { should have_property 'ReleaseId' }\n its('ReleaseId') { should be >= '1607' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion') do\n it { should have_property 'CurrentBuild' }\n its('CurrentBuild') { should be 
>= '14393' }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73587.rb", + "ref": "./Windows 2016 STIG/controls/V-73239.rb", "line": 1 }, - "id": "V-73587" + "id": "V-73239" }, { - "title": "The Host Based Security System (HBSS) McAfee Agent must be installed.", - "desc": "The McAfee Agent is the client side distributed component of McAfee\n ePolicy Orchestrator (McAfee ePO), which provides a secure communication\n channel between the ePO server and managed point products.", + "title": "Windows Server 2016 must employ a deny-all, permit-by-exception policy\n to allow the execution of authorized software programs.", + "desc": "Using a whitelist provides a configuration management method to allow\n the execution of only authorized software. Using only authorized software\n decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.", "descriptions": { - "default": "The McAfee Agent is the client side distributed component of McAfee\n ePolicy Orchestrator (McAfee ePO), which provides a secure communication\n channel between the ePO server and managed point products.", - "check": "Run Services.msc.\n Verify the service is running, depending on the McAfee Agent version installed.\n\n McAfee Agent v5.x - McAfee Agent Service\n\n McAfee Agent v4.x - McAfee Framework Service\n\n If the service is not listed or does not have a Status of Started, this is\n a finding.", - "fix": "Deploy the McAfee Agent as detailed in accordance with the DoD\n HBSS STIG." + "default": "Using a whitelist provides a configuration management method to allow\n the execution of only authorized software. 
Using only authorized software\n decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.", + "check": "This is applicable to unclassified systems. For other systems,\n this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to\n allow the execution of authorized software programs.\n\n If an application whitelisting program is not in use on the system, this is a\n finding.\n\n Configuration of whitelisting applications will vary by the program.\n\n AppLocker is a whitelisting application built into Windows Server. A\n deny-by-default implementation is initiated by enabling any AppLocker rules\n within a category, only allowing what is specified by defined rules.\n\n If AppLocker is used, perform the following to view the configuration of\n AppLocker:\n\n Open PowerShell.\n\n If the AppLocker PowerShell module has not been imported previously, execute\n the following first:\n\n Import-Module AppLocker\n\n Execute the following command, substituting [c:\\temp\\file.xml] with a\n location and file name appropriate for the system:\n\n Get-AppLockerPolicy -Effective -XML > c:\\temp\\file.xml\n\n This will produce an xml file with the effective settings that can be viewed in\n a browser or opened in a program such as Excel for review.\n\n Implementation guidance for AppLocker is available in the NSA paper\n Application Whitelisting using Microsoft AppLocker at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "fix": "Configure an application whitelisting program to employ a\n deny-all, permit-by-exception policy to allow the execution of authorized\n software 
programs.\n\n Configuration of whitelisting applications will vary by the program. AppLocker\n is a whitelisting application built into Windows Server.\n\n If AppLocker is used, it is configured through group policy in Computer\n Configuration >> Windows Settings >> Security Settings >> Application Control\n Policies >> AppLocker.\n\n Implementation guidance for AppLocker is available in the NSA paper\n Application Whitelisting using Microsoft AppLocker at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73269", - "rid": "SV-87921r1_rule", - "stig_id": "WN16-00-000260", - "fix_id": "F-79713r1_fix", + "gtitle": "SRG-OS-000370-GPOS-00155", + "gid": "V-73235", + "rid": "SV-87887r2_rule", + "stig_id": "WN16-00-000090", + "fix_id": "F-79679r2_fix", "cci": [ - "CCI-000366" + "CCI-001774" ], "nist": [ - "CM-6 b", + "CM-7 (5) (b)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73269' do\n title 'The Host Based Security System (HBSS) McAfee Agent must be installed.'\n desc \"The McAfee Agent is the client side distributed component of McAfee\n ePolicy Orchestrator (McAfee ePO), which provides a secure communication\n channel between the ePO server and managed point products.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73269'\n tag \"rid\": 'SV-87921r1_rule'\n tag \"stig_id\": 'WN16-00-000260'\n tag \"fix_id\": 'F-79713r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Run Services.msc.\n Verify the service is running, depending on the McAfee Agent version installed.\n\n McAfee Agent v5.x - McAfee Agent Service\n\n McAfee Agent v4.x - McAfee Framework Service\n\n If the service is not listed or does not have a Status of Started, this is\n a finding.\"\n desc \"fix\", \"Deploy the 
McAfee Agent as detailed in accordance with the DoD\n HBSS STIG.\"\n describe.one do\n describe service('McAfee Agent Service') do\n it { should be_running }\n end\n describe service('McAfee Framework Service') do\n it { should be_running }\n end\n end\nend\n", + "code": "control 'V-73235' do\n title \"Windows Server 2016 must employ a deny-all, permit-by-exception policy\n to allow the execution of authorized software programs.\"\n desc \"Using a whitelist provides a configuration management method to allow\n the execution of only authorized software. Using only authorized software\n decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000370-GPOS-00155'\n tag \"gid\": 'V-73235'\n tag \"rid\": 'SV-87887r2_rule'\n tag \"stig_id\": 'WN16-00-000090'\n tag \"fix_id\": 'F-79679r2_fix'\n tag \"cci\": ['CCI-001774']\n tag \"nist\": ['CM-7 (5) (b)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This is applicable to unclassified systems. For other systems,\n this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to\n allow the execution of authorized software programs.\n\n If an application whitelisting program is not in use on the system, this is a\n finding.\n\n Configuration of whitelisting applications will vary by the program.\n\n AppLocker is a whitelisting application built into Windows Server. 
A\n deny-by-default implementation is initiated by enabling any AppLocker rules\n within a category, only allowing what is specified by defined rules.\n\n If AppLocker is used, perform the following to view the configuration of\n AppLocker:\n\n Open PowerShell.\n\n If the AppLocker PowerShell module has not been imported previously, execute\n the following first:\n\n Import-Module AppLocker\n\n Execute the following command, substituting [c:\\\\temp\\\\file.xml] with a\n location and file name appropriate for the system:\n\n Get-AppLockerPolicy -Effective -XML > c:\\\\temp\\\\file.xml\n\n This will produce an xml file with the effective settings that can be viewed in\n a browser or opened in a program such as Excel for review.\n\n Implementation guidance for AppLocker is available in the NSA paper\n Application Whitelisting using Microsoft AppLocker at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n desc \"fix\", \"Configure an application whitelisting program to employ a\n deny-all, permit-by-exception policy to allow the execution of authorized\n software programs.\n\n Configuration of whitelisting applications will vary by the program. 
AppLocker\n is a whitelisting application built into Windows Server.\n\n If AppLocker is used, it is configured through group policy in Computer\n Configuration >> Windows Settings >> Security Settings >> Application Control\n Policies >> AppLocker.\n\n Implementation guidance for AppLocker is available in the NSA paper\n Application Whitelisting using Microsoft AppLocker at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n describe \"A manual review is required to verify the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs\" do\n skip \"A manual review is required to verify the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs\"\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73269.rb", + "ref": "./Windows 2016 STIG/controls/V-73235.rb", "line": 1 }, - "id": "V-73269" + "id": "V-73235" }, { - "title": "The Application event log size must be configured to 32768 KB or\n greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "title": "The Windows dialog box title for the legal banner must be configured\n with the appropriate text.", + "desc": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", - "check": "If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >>\n Application >> Specify the maximum log file size (KB) to Enabled with a\n Maximum Log Size (KB) of 32768 or greater." + "default": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title options below\n\n DoD Notice and Consent Banner, US Department of Defense Warning\n Statement, or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or\n modify the language of the banner text required in WN16-SO-000150.\n\n Automated tools may only search for the titles defined above. 
If an\n organization-defined title is used, a manual review will be required.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Message title for users attempting to log on to DoD\n Notice and Consent Banner, US Department of Defense Warning Statement, or\n an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or\n modify the language of the message text required in WN16-SO-000150." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-73553", - "rid": "SV-88217r1_rule", - "stig_id": "WN16-CC-000300", - "fix_id": "F-80003r1_fix", - "cci": [ - "CCI-001849" - ], + "gtitle": "SRG-OS-000023-GPOS-00006", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" + ], + "gid": "V-73649", + "rid": "SV-88313r1_rule", + "stig_id": "WN16-SO-000160", + "fix_id": "F-80099r1_fix", + "cci": [ + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ], "nist": [ - "AU-4", + "AC-8 a", + "AC-8 b", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73553' do\n title \"The Application event log size must be configured to 32768 KB or\n greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000341-GPOS-00132'\n tag \"gid\": 'V-73553'\n tag \"rid\": 'SV-88217r1_rule'\n tag \"stig_id\": 'WN16-CC-000300'\n tag \"fix_id\": 'F-80003r1_fix'\n tag \"cci\": ['CCI-001849']\n tag \"nist\": ['AU-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Application\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >>\n Application >> Specify the maximum log file size (KB) to Enabled with a\n Maximum Log Size (KB) of 32768 or greater.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Application') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 32768 }\n end\nend\n", + "code": "control 'V-73649' do\n title \"The Windows dialog box title for the legal banner must be configured\n with the appropriate text.\"\n desc \"Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.\n \"\n impact 0.3 \n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"satisfies\": ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag \"gid\": 'V-73649'\n tag \"rid\": 'SV-88313r1_rule'\n tag \"stig_id\": 'WN16-SO-000160'\n tag \"fix_id\": 'F-80099r1_fix'\n tag \"cci\": ['CCI-000048', 'CCI-001384', 'CCI-001385', 'CCI-001386',\n 'CCI-001387', 
'CCI-001388']\n tag \"nist\": ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title options below\n\n DoD Notice and Consent Banner, US Department of Defense Warning\n Statement, or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or\n modify the language of the banner text required in WN16-SO-000150.\n\n Automated tools may only search for the titles defined above. If an\n organization-defined title is used, a manual review will be required.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Message title for users attempting to log on to DoD\n Notice and Consent Banner, US Department of Defense Warning Statement, or\n an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or\n modify the language of the message text required in WN16-SO-000150.\"\n legal_notice_caption = input('legal_notice_caption')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LegalNoticeCaption' }\n end \n\n key = registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System').LegalNoticeCaption.to_s\n \n describe 'The required legal notice caption' do\n subject { key.scan(/[\\w().;,!]/).join}\n it {should cmp legal_notice_caption.scan(/[\\w().;,!]/).join }\n end\n\nend\n", "source_location": { - "ref": "./Windows 2016 
STIG/controls/V-73553.rb", + "ref": "./Windows 2016 STIG/controls/V-73649.rb", "line": 1 }, - "id": "V-73553" + "id": "V-73649" }, { - "title": "The Deny log on as a batch job user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems and from unauthenticated access on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.", + "title": "Permissions for the Application event log must prevent access by\n non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n Application event log may be susceptible to tampering if proper permissions are\n not applied.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.", - "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n batch job user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a batch job to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n\n All Systems:\n - Guests group" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n Application event log may be susceptible to tampering if proper permissions are\n not applied.", + "check": "Navigate to the Application event log file.\n\n The default location is the %SystemRoot%\\System32\\winevt\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the Application.evtx file are not as restrictive as\n the default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", + "fix": "Configure the permissions on the Application event log file\n (Application.evtx) to prevent access by non-privileged accounts. The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\ System32\\winevt\\Logs\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73763", - "rid": "SV-88427r1_rule", - "stig_id": "WN16-MS-000380", - "fix_id": "F-80213r1_fix", + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-73405", + "rid": "SV-88057r1_rule", + "stig_id": "WN16-AU-000030", + "fix_id": "F-79847r1_fix", "cci": [ - "CCI-000213" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "AC-3", + "AU-9", "Rev_4" ], "documentable": false }, - "code": "control 'V-73763' do\n title \"The Deny log on as a batch job user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems and from unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73763'\n tag \"rid\": 'SV-88427r1_rule'\n tag \"stig_id\": 'WN16-MS-000380'\n tag \"fix_id\": 'F-80213r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n batch job user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a batch job to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n\n All Systems:\n - Guests group \"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n else\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include 'S-1-5-32-546' }\n end\n if domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: 
enterprise_admin_sid_query).params\n\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n end\n end\nend", + "code": "control 'V-73405' do\n title \"Permissions for the Application event log must prevent access by\n non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Application event log may be susceptible to tampering if proper permissions are\n not applied.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028',\n 'SRG-OS-000059-GPOS-00029']\n tag \"gid\": 'V-73405'\n tag \"rid\": 'SV-88057r1_rule'\n tag \"stig_id\": 'WN16-AU-000030'\n tag \"fix_id\": 'F-79847r1_fix'\n tag \"cci\": ['CCI-000162', 'CCI-000163', 'CCI-000164']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Navigate to the Application event log file.\n\n The default location is the %SystemRoot%\\\\System32\\\\winevt\\\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the Application.evtx file are not as restrictive as\n the default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc \"fix\", \"Configure the permissions on the Application event log file\n (Application.evtx) to prevent access by non-privileged accounts. 
The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\ System32\\\\winevt\\\\Logs\\\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n system_root = command('$env:SystemRoot').stdout.strip\n\n describe file(\"#{system_root}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Application.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73763.rb", + "ref": "./Windows 2016 STIG/controls/V-73405.rb", "line": 1 }, - "id": "V-73763" + "id": "V-73405" }, { - "title": "User Account Control must virtualize file and registry write failures\n to per-user locations.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC-compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.", + "title": "The Server Message Block (SMB) v1 protocol must be disabled on the SMB\n server.", + "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC-compliant applications to run in virtualized\n file and registry entries in 
per-user locations, allowing them to run.", - "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Virtualize file and registry write failures to per-user\n locations to Enabled." + "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.", + "check": "Different methods are available to disable SMBv1 on Windows\n 2016, if V-73299 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Configure SMBv1 Server to\n Disabled.\n\n The system must be restarted for the change to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. SecGuide.admx and SecGuide.adml must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-73721", - "rid": "SV-88385r1_rule", - "stig_id": "WN16-SO-000530", - "fix_id": "F-80171r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-78123", + "rid": "SV-92829r1_rule", + "stig_id": "WN16-00-000411", + "fix_id": "F-84845r2_fix", "cci": [ - "CCI-001084" + "CCI-000381" ], "nist": [ - "SC-3", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73721' do\n title \"User Account Control must virtualize file and registry write failures\n to per-user locations.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC-compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73721'\n tag \"rid\": 'SV-88385r1_rule'\n tag \"stig_id\": 'WN16-SO-000530'\n tag \"fix_id\": 'F-80171r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Virtualize file and registry write failures to per-user\n locations to Enabled.\"\n 
if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableVirtualization' }\n its('EnableVirtualization') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-78123' do\n title \"The Server Message Block (SMB) v1 protocol must be disabled on the SMB\n server.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-78123'\n tag \"rid\": 'SV-92829r1_rule'\n tag \"stig_id\": 'WN16-00-000411'\n tag \"fix_id\": 'F-84845r2_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows\n 2016, if V-73299 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS 
Security Guide >> Configure SMBv1 Server to\n Disabled.\n\n The system must be restarted for the change to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. SecGuide.admx and SecGuide.adml must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n if windows_feature('FS-SMB1').installed?\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'SMB1' }\n its('SMB1') { should cmp 0 }\n end\n else\n impact 0.0\n describe 'SMBv1 is not installed on this system, therefore this control is not applicable' do\n skip 'SMBv1 is not installed on this system, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73721.rb", + "ref": "./Windows 2016 STIG/controls/V-78123.rb", "line": 1 }, - "id": "V-73721" + "id": "V-78123" }, { - "title": "The Take ownership of files or other objects user right must only be\n assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Take ownership of files or other objects user right\n can take ownership of objects and make changes.", + "title": "Windows Server 2016 must be configured to audit System - Other System\n Events successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Take ownership of files or other objects user right\n can take ownership of objects and make changes.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Take\n ownership of files or other objects user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Take ownership of files or other objects to include only the following\n accounts or groups:\n\n - Administrators" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n System >> Audit Other System Events with Success selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73803", - "rid": "SV-88467r1_rule", - "stig_id": "WN16-UR-000310", - "fix_id": "F-80253r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-73477", + "rid": "SV-88129r2_rule", + "stig_id": "WN16-AU-000390", + "fix_id": "F-79919r1_fix", "cci": [ - "CCI-002235" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-6 (10)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73803' do\n title \"The Take ownership of files or other objects user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Take ownership of files or other objects user right\n can take ownership of objects and make changes.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73803'\n tag \"rid\": 'SV-88467r1_rule'\n tag \"stig_id\": 'WN16-UR-000310'\n tag \"fix_id\": 'F-80253r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Take\n ownership of files or other objects user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for 
application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Take ownership of files or other objects to include only the following\n accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeTakeOwnershipPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeTakeOwnershipPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73477' do\n title \"Windows Server 2016 must be configured to audit System - Other System\n Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73477'\n tag \"rid\": 'SV-88129r2_rule'\n tag \"stig_id\": 'WN16-AU-000390'\n tag \"fix_id\": 'F-79919r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the 
detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n System >> Audit Other System Events with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other System Events'\") do\n its('stdout') { should match /Other System Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other System Events'\") do\n its('stdout') { should match /Other System Events Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73803.rb", + "ref": "./Windows 2016 STIG/controls/V-73477.rb", "line": 1 }, - "id": "V-73803" + "id": "V-73477" }, { - "title": "The Server Message Block (SMB) v1 protocol must be disabled on the SMB\n server.", - "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.", + "title": "PKI certificates associated with user accounts must be issued by the\n DoD PKI or an approved External Certificate Authority (ECA).", + "desc": "A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. 
Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions.", "descriptions": { - "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.", - "check": "Different methods are available to disable SMBv1 on Windows\n 2016, if V-73299 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Configure SMBv1 Server to\n Disabled.\n\n The system must be restarted for the change to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. SecGuide.admx and SecGuide.adml must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review user account mappings to PKI certificates.\n\n Open Windows PowerShell.\n\n Enter Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n\n If the User Principal Name (UPN) is not in the format of an individual's\n identifier for the certificate type and for the appropriate domain suffix, this\n is a finding.\n\n For standard NIPRNet certificates the individual's identifier is in the format\n of an Electronic Data Interchange - Personnel Identifier (EDI-PI).\n\n Alt Tokens and other certificates may use a different UPN format than the\n EDI-PI which vary by organization. Verified these with the organization.\n\n NIPRNet Example:\n Name - User Principal Name\n User1 - 1234567890@mil\n\n See PKE documentation for other network domain suffixes.\n\n If the mappings are to certificates issued by a CA authorized by the\n Component's CIO, this is a CAT II finding.", + "fix": "Map user accounts to PKI certificates using the appropriate User\n Principal Name (UPN) for the network. See PKE documentation for details." 
}, "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-78123", - "rid": "SV-92829r1_rule", - "stig_id": "WN16-00-000411", - "fix_id": "F-84845r2_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "gid": "V-73615", + "rid": "SV-88279r2_rule", + "stig_id": "WN16-DC-000300", + "fix_id": "F-80065r1_fix", "cci": [ - "CCI-000381" + "CCI-000185" ], "nist": [ - "CM-7 a", + "IA-5 (2) (a)", "Rev_4" ], "documentable": false }, - "code": "control 'V-78123' do\n title \"The Server Message Block (SMB) v1 protocol must be disabled on the SMB\n server.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-78123'\n tag \"rid\": 'SV-92829r1_rule'\n tag \"stig_id\": 'WN16-00-000411'\n tag \"fix_id\": 'F-84845r2_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows\n 2016, if V-73299 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Configure SMBv1 Server to\n Disabled.\n\n The system must be restarted for the change to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
SecGuide.admx and SecGuide.adml must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n if windows_feature('FS-SMB1').installed?\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'SMB1' }\n its('SMB1') { should cmp 0 }\n end\n else\n impact 0.0\n describe 'SMBv1 is not installed on this system, therefore this control is not applicable' do\n skip 'SMBv1 is not installed on this system, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-73615' do\n title \"PKI certificates associated with user accounts must be issued by the\n DoD PKI or an approved External Certificate Authority (ECA).\"\n desc \"A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"gid\": 'V-73615'\n tag \"rid\": 'SV-88279r2_rule'\n tag \"stig_id\": 'WN16-DC-000300'\n tag \"fix_id\": 'F-80065r1_fix'\n tag \"cci\": ['CCI-000185']\n tag \"nist\": ['IA-5 (2) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review user account mappings to PKI certificates.\n\n Open Windows PowerShell.\n\n Enter Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n\n If the User Principal Name (UPN) is not in the format of an individual's\n identifier for the certificate type and for the appropriate domain suffix, this\n is a finding.\n\n For standard NIPRNet certificates the individual's identifier is in the format\n of an Electronic Data Interchange - Personnel Identifier (EDI-PI).\n\n Alt Tokens and other certificates may use a different UPN format than the\n EDI-PI which vary by organization. Verified these with the organization.\n\n NIPRNet Example:\n Name - User Principal Name\n User1 - 1234567890@mil\n\n See PKE documentation for other network domain suffixes.\n\n If the mappings are to certificates issued by a CA authorized by the\n Component's CIO, this is a CAT II finding.\"\n desc \"fix\", \"Map user accounts to PKI certificates using the appropriate User\n Principal Name (UPN) for the network. 
See PKE documentation for details.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.to_s.strip\n query = 'Get-ADUser -Filter \\'enabled -eq $true\\' | Select-Object -Property Name, UserPrincipalName | ConvertTo-Json'\n\n if domain_role == '4' || domain_role == '5'\n json({ command: query }).each do |user|\n describe json({ content: user.to_json }) do\n its('UserPrincipalName') { should match(/[\\w*]@mil/) }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-78123.rb", + "ref": "./Windows 2016 STIG/controls/V-73615.rb", "line": 1 }, - "id": "V-78123" + "id": "V-73615" }, { - "title": "Local drives must be prevented from sharing with Remote Desktop\n Session Hosts.", - "desc": "Preventing users from sharing the local drives on their client\n computers with Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.", + "title": "The Enable computer and user accounts to be trusted for delegation\n user right must only be assigned to the Administrators group on domain\n controllers.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. 
This could\n allow unauthorized users to impersonate other users.", "descriptions": { - "default": "Preventing users from sharing the local drives on their client\n computers with Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fDisableCdm\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Device and Resource Redirection >> \"Do not\n allow drive redirection to Enabled." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.", + "check": "This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Enable\n computer and user accounts to be trusted for delegation user right, this is a\n finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Enable computer and user accounts to be trusted for delegation to include\n only the following accounts or groups:\n\n - Administrators" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-73569", - "rid": "SV-88233r1_rule", - "stig_id": "WN16-CC-000380", - "fix_id": "F-80019r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73777", + "rid": "SV-88441r1_rule", + "stig_id": "WN16-DC-000420", + "fix_id": "F-80227r1_fix", "cci": [ - "CCI-001090" + "CCI-002235" ], "nist": [ - "SC-4", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73569' do\n title \"Local drives must be prevented from sharing with Remote Desktop\n Session Hosts.\"\n desc \"Preventing users from sharing the local drives on their client\n computers with Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73569'\n tag \"rid\": 'SV-88233r1_rule'\n tag \"stig_id\": 'WN16-CC-000380'\n tag \"fix_id\": 'F-80019r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: 
\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fDisableCdm\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Device and Resource Redirection >> \\\"Do not\n allow drive redirection to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fDisableCdm' }\n its('fDisableCdm') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73777' do\n title \"The Enable computer and user accounts to be trusted for delegation\n user right must only be assigned to the Administrators group on domain\n controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73777'\n tag \"rid\": 'SV-88441r1_rule'\n tag \"stig_id\": 'WN16-DC-000420'\n tag \"fix_id\": 'F-80227r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Enable\n computer and user accounts to be trusted for delegation user right, this is a\n finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Enable computer and user accounts to be trusted for delegation to include\n only the following accounts or groups:\n\n - Administrators\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73569.rb", + "ref": "./Windows 2016 STIG/controls/V-73777.rb", "line": 1 }, - "id": "V-73569" + "id": "V-73777" }, { - "title": "Systems requiring data at rest protections must employ cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.", - "desc": "This requirement addresses protection of user-generated data as well\n as operating system-specific configuration data. 
Organizations may choose to\n employ different mechanisms to achieve confidentiality and integrity\n protections, as appropriate, in accordance with the security category and/or\n classification of the information.\n\n Selection of a cryptographic mechanism is based on the need to protect the\n integrity of organizational information. The strength of the mechanism is\n commensurate with the security category and/or classification of the\n information. Organizations have the flexibility to either encrypt all\n information on storage devices (i.e., full disk encryption) or encrypt specific\n data structures (e.g., files, records, or fields).", + "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Account\n Lockout successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", "descriptions": { - "default": "This requirement addresses protection of user-generated data as well\n as operating system-specific configuration data. Organizations may choose to\n employ different mechanisms to achieve confidentiality and integrity\n protections, as appropriate, in accordance with the security category and/or\n classification of the information.\n\n Selection of a cryptographic mechanism is based on the need to protect the\n integrity of organizational information. The strength of the mechanism is\n commensurate with the security category and/or classification of the\n information. 
Organizations have the flexibility to either encrypt all\n information on storage devices (i.e., full disk encryption) or encrypt specific\n data structures (e.g., files, records, or fields).", - "check": "Verify systems that require additional protections due to\n factors such as inadequate physical protection or sensitivity of the data\n employ encryption to protect the confidentiality and integrity of all\n information at rest.\n\n If they do not, this is a finding.", - "fix": "Configure systems that require additional protections due to\n factors such as inadequate physical protection or sensitivity of the data to\n employ encryption to protect the confidentiality and integrity of all\n information at rest." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> 
System Audit Policies >>\n Logon/Logoff >> Audit Account Lockout with Success selected." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000185-GPOS-00079", + "gtitle": "SRG-OS-000240-GPOS-00090", "satisfies": [ - "SRG-OS-000185-GPOS-00079", - "SRG-OS-000404-GPOS-00183", - "SRG-OS-000405-GPOS-00184" + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000470-GPOS-00214" ], - "gid": "V-73273", - "rid": "SV-87925r1_rule", - "stig_id": "WN16-00-000280", - "fix_id": "F-79717r1_fix", + "gid": "V-73443", + "rid": "SV-88095r2_rule", + "stig_id": "WN16-AU-000220", + "fix_id": "F-79885r1_fix", "cci": [ - "CCI-001199", - "CCI-002475", - "CCI-002476" + "CCI-000172", + "CCI-001404" ], "nist": [ - "SC-28", - "SC-28 (1)", + "AU-12 c", + "AC-2 (4)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73273' do\n title \"Systems requiring data at rest protections must employ cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.\"\n desc \"This requirement addresses protection of user-generated data as well\n as operating system-specific configuration data. Organizations may choose to\n employ different mechanisms to achieve confidentiality and integrity\n protections, as appropriate, in accordance with the security category and/or\n classification of the information.\n\n Selection of a cryptographic mechanism is based on the need to protect the\n integrity of organizational information. The strength of the mechanism is\n commensurate with the security category and/or classification of the\n information. 
Organizations have the flexibility to either encrypt all\n information on storage devices (i.e., full disk encryption) or encrypt specific\n data structures (e.g., files, records, or fields).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000185-GPOS-00079'\n tag \"satisfies\": ['SRG-OS-000185-GPOS-00079', 'SRG-OS-000404-GPOS-00183',\n 'SRG-OS-000405-GPOS-00184']\n tag \"gid\": 'V-73273'\n tag \"rid\": 'SV-87925r1_rule'\n tag \"stig_id\": 'WN16-00-000280'\n tag \"fix_id\": 'F-79717r1_fix'\n tag \"cci\": ['CCI-001199', 'CCI-002475', 'CCI-002476']\n tag \"nist\": ['SC-28', 'SC-28 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify systems that require additional protections due to\n factors such as inadequate physical protection or sensitivity of the data\n employ encryption to protect the confidentiality and integrity of all\n information at rest.\n\n If they do not, this is a finding.\"\n desc \"fix\", \"Configure systems that require additional protections due to\n factors such as inadequate physical protection or sensitivity of the data to\n employ encryption to protect the confidentiality and integrity of all\n information at rest.\"\n describe \"A manual review is required to verify that systems requiring data at rest protections are employing cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.\" do\n skip \"A manual review is required to verify that systems requiring data at rest protections are employing cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.\"\n end\nend\n", + "code": "control 'V-73443' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Account\n Lockout successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000240-GPOS-00090'\n tag \"satisfies\": ['SRG-OS-000240-GPOS-00090', 'SRG-OS-000470-GPOS-00214']\n tag \"gid\": 'V-73443'\n tag \"rid\": 'SV-88095r2_rule'\n tag \"stig_id\": 'WN16-AU-000220'\n tag \"fix_id\": 'F-79885r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-001404']\n tag \"nist\": ['AU-12 c', 'AC-2 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Account Lockout with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Account Lockout') { should eq 'Success and Failure' }\n end\n describe audit_policy do\n its('Account Lockout') { should eq 'Success' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\") do\n its('stdout') { should match /Account Lockout Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\") do\n its('stdout') { 
should match /Account Lockout Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73273.rb", + "ref": "./Windows 2016 STIG/controls/V-73443.rb", "line": 1 }, - "id": "V-73273" + "id": "V-73443" }, { - "title": "Windows Server 2016 must be configured to audit System - IPsec Driver\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.", + "title": "Insecure logons to an SMB server must be disabled.", + "desc": "Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit IPsec Driver with Success selected." + "default": "Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Lanman Workstation >> Enable insecure\n guest logons to Disabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73473", - "rid": "SV-88125r1_rule", - "stig_id": "WN16-AU-000370", - "fix_id": "F-79915r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73507", + "rid": "SV-88159r1_rule", + "stig_id": "WN16-CC-000080", + "fix_id": "F-79949r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000366" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73473' do\n title \"Windows Server 2016 must be configured to audit System - IPsec Driver\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73473'\n tag \"rid\": 'SV-88125r1_rule'\n tag \"stig_id\": 'WN16-AU-000370'\n tag \"fix_id\": 'F-79915r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be 
effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit IPsec Driver with Success selected.\"\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73507' do\n title 'Insecure logons to an SMB server must be disabled.'\n desc \"Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73507'\n tag \"rid\": 'SV-88159r1_rule'\n tag \"stig_id\": 'WN16-CC-000080'\n tag \"fix_id\": 'F-79949r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\LanmanWorkstation\\\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the 
policy value for Computer Configuration >>\n Administrative Templates >> Network >> Lanman Workstation >> Enable insecure\n guest logons to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\LanmanWorkstation') do\n it { should have_property 'AllowInsecureGuestAuth' }\n its('AllowInsecureGuestAuth') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73473.rb", + "ref": "./Windows 2016 STIG/controls/V-73507.rb", "line": 1 }, - "id": "V-73473" + "id": "V-73507" }, { - "title": "Domain-created Active Directory Organizational Unit (OU) objects must\nhave proper access control permissions.", - "desc": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service to authorized users.", + "title": "The computer clock synchronization tolerance must be limited to 5\n minutes or less.", + "desc": "This setting determines the maximum time difference (in minutes) that\n Kerberos will tolerate between the time on a client's clock and the time on a\n server's clock while still considering the two clocks synchronous. 
In order to\n prevent replay attacks, Kerberos uses timestamps as part of its protocol\n definition. For timestamps to work properly, the clocks of the client and the\n server need to be in sync as much as possible.", "descriptions": { - "default": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service to authorized users.", - "check": "This applies to domain controllers. It is NA for other systems.\n\nReview the permissions on domain-defined OUs.\n\nOpen Active Directory Users and Computers (available from various menus or\nrun dsa.msc).\n\nEnsure Advanced Features is selected in the View menu.\n\nFor each OU that is defined (folder in folder icon) excluding the Domain\nControllers OU:\n\nRight-click the OU and select Properties.\n\nSelect the Security tab.\n\nIf the permissions on the OU are not at least as restrictive as those below,\nthis is a finding.\n\nThe permissions shown are at the summary level. 
More detailed permissions can\nbe viewed by selecting the Advanced button, the desired Permission entry,\nand the Edit or View button.\n\nExcept where noted otherwise, the special permissions may include a wide range\nof permissions and properties and are acceptable for this requirement.\n\nCREATOR OWNER - Special permissions\n\nSelf - Special permissions\n\nAuthenticated Users - Read, Special permissions\n\nThe Special permissions for Authenticated Users are Read type. If detailed\npermissions include any Create, Delete, Modify, or Write Permissions or\nProperties, this is a finding.\n\nSYSTEM - Full Control\n\nDomain Admins - Full Control\n\nEnterprise Admins - Full Control\n\nKey Admins - Special permissions\n\nEnterprise Key Admins - Special permissions\n\nAdministrators - Read, Write, Create all child objects, Generate resultant set\nof policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\nPre-Windows 2000 Compatible Access - Special permissions\n\nThe Special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes. 
If detailed permissions include any Create, Delete, Modify, or Write\nPermissions or Properties, this is a finding.\n\nENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\nIf an ISSO-approved distributed administration model (help desk or other user\nsupport staff) is implemented, permissions above Read may be allowed for groups\ndocumented by the ISSO.\n\nIf any OU with improper permissions includes identification or authentication\ndata (e.g., accounts, passwords, or password hash data) used by systems to\ndetermine access control, the severity is CAT I (e.g., OUs that include user\naccounts, including service/application accounts).\n\nIf an OU with improper permissions does not include identification and\nauthentication data used by systems to determine access control, the severity\nis CAT II (e.g., Workstation, Printer OUs).", - "fix": "Maintain the permissions on domain-defined OUs to be at least as\nrestrictive as the defaults below.\n\nDocument any additional permissions above Read with the ISSO if an approved\ndistributed administration model (help desk or other user support staff) is\nimplemented.\n\nCREATOR OWNER - Special permissions\n\nSelf - Special permissions\n\nAuthenticated Users - Read, Special permissions\n\nThe special permissions for Authenticated Users are Read type.\n\nSYSTEM - Full Control\n\nDomain Admins - Full Control\n\nEnterprise Admins - Full Control\n\nKey Admins - Special permissions\n\nEnterprise Key Admins - Special permissions\n\nAdministrators - Read, Write, Create all child objects, Generate resultant set\nof policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\nPre-Windows 2000 Compatible Access - Special permissions\n\nThe special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes.\n\nENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions:" + "default": "This setting determines the maximum time difference (in minutes) that\n Kerberos will tolerate between the time 
on a client's clock and the time on a\n server's clock while still considering the two clocks synchronous. In order to\n prevent replay attacks, Kerberos uses timestamps as part of its protocol\n definition. For timestamps to work properly, the clocks of the client and the\n server need to be in sync as much as possible.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Maximum tolerance for computer clock synchronization is greater than\n 5 minutes, this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Windows Settings >> Security Settings >> Account\n Policies >> Kerberos Policy >> Maximum tolerance for computer clock\n synchronization to a maximum of 5 minutes or less." 
}, "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73377", - "rid": "SV-88029r1_rule", - "stig_id": "WN16-DC-000110", - "fix_id": "F-79819r1_fix", + "gtitle": "SRG-OS-000112-GPOS-00057", + "satisfies": [ + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" + ], + "gid": "V-73367", + "rid": "SV-88019r1_rule", + "stig_id": "WN16-DC-000060", + "fix_id": "F-79809r1_fix", "cci": [ - "CCI-002235" + "CCI-001941", + "CCI-001942" ], "nist": [ - "AC-6 (10)", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73377' do\n title \"Domain-created Active Directory Organizational Unit (OU) objects must\nhave proper access control permissions.\"\n desc \"When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service to authorized users.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73377'\n tag \"rid\": 'SV-88029r1_rule'\n tag \"stig_id\": 'WN16-DC-000110'\n tag \"fix_id\": 'F-79819r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\nReview the permissions on domain-defined OUs.\n\nOpen Active Directory Users and Computers (available from various menus or\nrun dsa.msc).\n\nEnsure Advanced Features is selected in the View menu.\n\nFor each OU that is defined (folder in folder icon) excluding the Domain\nControllers OU:\n\nRight-click the OU and select Properties.\n\nSelect the Security tab.\n\nIf the permissions on the OU are not at least as restrictive as those below,\nthis is a finding.\n\nThe permissions shown are at the summary level. More detailed permissions can\nbe viewed by selecting the Advanced button, the desired Permission entry,\nand the Edit or View button.\n\nExcept where noted otherwise, the special permissions may include a wide range\nof permissions and properties and are acceptable for this requirement.\n\nCREATOR OWNER - Special permissions\n\nSelf - Special permissions\n\nAuthenticated Users - Read, Special permissions\n\nThe Special permissions for Authenticated Users are Read type. If detailed\npermissions include any Create, Delete, Modify, or Write Permissions or\nProperties, this is a finding.\n\nSYSTEM - Full Control\n\nDomain Admins - Full Control\n\nEnterprise Admins - Full Control\n\nKey Admins - Special permissions\n\nEnterprise Key Admins - Special permissions\n\nAdministrators - Read, Write, Create all child objects, Generate resultant set\nof policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\nPre-Windows 2000 Compatible Access - Special permissions\n\nThe Special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes. 
If detailed permissions include any Create, Delete, Modify, or Write\nPermissions or Properties, this is a finding.\n\nENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\nIf an ISSO-approved distributed administration model (help desk or other user\nsupport staff) is implemented, permissions above Read may be allowed for groups\ndocumented by the ISSO.\n\nIf any OU with improper permissions includes identification or authentication\ndata (e.g., accounts, passwords, or password hash data) used by systems to\ndetermine access control, the severity is CAT I (e.g., OUs that include user\naccounts, including service/application accounts).\n\nIf an OU with improper permissions does not include identification and\nauthentication data used by systems to determine access control, the severity\nis CAT II (e.g., Workstation, Printer OUs).\"\n desc \"fix\", \"Maintain the permissions on domain-defined OUs to be at least as\nrestrictive as the defaults below.\n\nDocument any additional permissions above Read with the ISSO if an approved\ndistributed administration model (help desk or other user support staff) is\nimplemented.\n\nCREATOR OWNER - Special permissions\n\nSelf - Special permissions\n\nAuthenticated Users - Read, Special permissions\n\nThe special permissions for Authenticated Users are Read type.\n\nSYSTEM - Full Control\n\nDomain Admins - Full Control\n\nEnterprise Admins - Full Control\n\nKey Admins - Special permissions\n\nEnterprise Key Admins - Special permissions\n\nAdministrators - Read, Write, Create all child objects, Generate resultant set\nof policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\nPre-Windows 2000 Compatible Access - Special permissions\n\nThe special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes.\n\nENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"':'\ndomain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role 
== '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n \n \n ous = json(command: \"Get-ADOrganizationalUnit -Filter * | Select Name, DistinguishedName | ConvertTo-JSON\").params\n if ous.is_a?(Hash)\n ous = [JSON.parse(ous.to_json)]\n end\n if ous.count == 1 && ous[0]['Name'] == 'Domain Controllers'\n impact 0.0\n desc 'This system does not have any other OUs other than Domain Controller OU, therefore this control is not applicable as it only applies to OUs that are not Domain Controllers'\n describe 'This system does not have any other OUs other than Domain Controller OU, therefore this control is not applicable as it only applies to OUs that are not Domain Controllers' do\n skip 'This system does not have any other OUs other than Domain Controller OU, therefore this control is not applicable as it only applies to OUs that are not Domain Controllers'\n end\n end\n\n ous.each do |ou|\n acl_rules = json(command: \"(Get-ACL -Path AD:'#{ou},#{distinguishedName}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\System\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n 
acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Key Admins\" }\n its(['ActiveDirectoryRights']) { should_not match 
(/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Key Admins\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\ENTERPRISE DOMAIN CONTROLLERS\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['ActiveDirectoryRights']) { should match (/(read)/i) }\n its(['ActiveDirectoryRights']) { should_not match (/(write)|(delete)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should match (/(read)/i) }\n its(['ActiveDirectoryRights']) { should_not match (/(write)|(delete)|(create)|(extendedright)/i) }\n end\n end\n end\n end\n\n \n else\n impact 0.0\n describe 'This system is not a domain controller, 
therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73367' do\n title \"The computer clock synchronization tolerance must be limited to 5\n minutes or less.\"\n desc \"This setting determines the maximum time difference (in minutes) that\n Kerberos will tolerate between the time on a client's clock and the time on a\n server's clock while still considering the two clocks synchronous. In order to\n prevent replay attacks, Kerberos uses timestamps as part of its protocol\n definition. For timestamps to work properly, the clocks of the client and the\n server need to be in sync as much as possible.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73367'\n tag \"rid\": 'SV-88019r1_rule'\n tag \"stig_id\": 'WN16-DC-000060'\n tag \"fix_id\": 'F-79809r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Maximum tolerance for computer clock synchronization is greater than\n 5 minutes, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Windows Settings >> Security Settings >> Account\n Policies >> Kerberos Policy >> Maximum tolerance for computer clock\n synchronization to a maximum of 5 minutes or less.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxClockSkew') { should be <= 5 }\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73377.rb", + "ref": "./Windows 2016 STIG/controls/V-73367.rb", "line": 1 }, - "id": "V-73377" + "id": "V-73367" }, { - "title": "Accounts must require passwords.", - "desc": "The lack of password protection enables anyone to gain access to the\n information system, which opens a backdoor opportunity for intruders to\n compromise the system as well as other resources. 
Accounts on a system must\n require passwords.", + "title": "The Restore files and directories user right must only be assigned to\n the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Restore files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to overwrite more current data.", "descriptions": { - "default": "The lack of password protection enables anyone to gain access to the\n information system, which opens a backdoor opportunity for intruders to\n compromise the system as well as other resources. Accounts on a system must\n require passwords.", - "check": "Review the password required status for enabled user accounts.\n\n Open PowerShell.\n\n Domain Controllers:\n\n Enter Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name,\n Passwordnotrequired, Enabled.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n\n If Passwordnotrequired is True or blank for any enabled user account,\n this is a finding.\n\n Member servers and standalone systems:\n\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter\n PasswordRequired=False and LocalAccount=True | FT Name, PasswordRequired,\n Disabled, LocalAccount'.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest).\n\n If any enabled user accounts are returned with a PasswordRequired status of\n False, this is a finding.", - "fix": "Configure all enabled accounts to require passwords.\n\n The password required flag can be set by entering the following on a command\n line: Net user [username] /passwordreq:yes, substituting [username] with\n the name of the user account." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Restore files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to overwrite more current data.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Restore\n files and directories user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Restore files and directories to include only the following accounts or\n groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000104-GPOS-00051", - "gid": "V-73261", - "rid": "SV-87913r2_rule", - "stig_id": "WN16-00-000220", - "fix_id": "F-79705r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73801", + "rid": "SV-88465r1_rule", + "stig_id": "WN16-UR-000300", + "fix_id": "F-80251r1_fix", "cci": [ - "CCI-000764" + "CCI-002235" ], "nist": [ - "IA-2", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73261' do\n title 'Accounts must require passwords.'\n desc \"The lack of password protection enables anyone to gain access to the\n information 
system, which opens a backdoor opportunity for intruders to\n compromise the system as well as other resources. Accounts on a system must\n require passwords.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000104-GPOS-00051'\n tag \"gid\": 'V-73261'\n tag \"rid\": 'SV-87913r2_rule'\n tag \"stig_id\": 'WN16-00-000220'\n tag \"fix_id\": 'F-79705r1_fix'\n tag \"cci\": ['CCI-000764']\n tag \"nist\": ['IA-2', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the password required status for enabled user accounts.\n\n Open PowerShell.\n\n Domain Controllers:\n\n Enter Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name,\n Passwordnotrequired, Enabled.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n\n If Passwordnotrequired is True or blank for any enabled user account,\n this is a finding.\n\n Member servers and standalone systems:\n\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter\n PasswordRequired=False and LocalAccount=True | FT Name, PasswordRequired,\n Disabled, LocalAccount'.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest).\n\n If any enabled user accounts are returned with a PasswordRequired status of\n False, this is a finding.\"\n desc \"fix\", \"Configure all enabled accounts to require passwords.\n\n The password required flag can be set by entering the following on a command\n line: Net user [username] /passwordreq:yes, substituting [username] with\n the name of the user account.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n users_with_no_password_required = command('Get-Aduser -Filter * -Properties Passwordnotrequired | Select Name, Passwordnotrequired, Enabled | Where Enabled -eq $True | Where Passwordnotrequired -eq $True | FT Name | Findstr /V \\'Name --\\'').stdout\n else\n users_with_no_password_required = command(\"Get-CimInstance -Class Win32_Useraccount -Filter 
'PasswordRequired=False and LocalAccount=True and Disabled=False' | FT Name | Findstr /V 'Name --'\").stdout\n end\n describe \"Windows 2016 accounts configured to not require passwords\" do\n subject {users_with_no_password_required}\n it { should be_empty }\n end\nend \n", + "code": "control 'V-73801' do\n title \"The Restore files and directories user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Restore files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to overwrite more current data.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73801'\n tag \"rid\": 'SV-88465r1_rule'\n tag \"stig_id\": 'WN16-UR-000300'\n tag \"fix_id\": 'F-80251r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Restore\n files and directories user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n 
Restore files and directories to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeRestorePrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeRestorePrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73261.rb", + "ref": "./Windows 2016 STIG/controls/V-73801.rb", "line": 1 }, - "id": "V-73261" + "id": "V-73801" }, { - "title": "Domain controllers must require LDAP access signing.", - "desc": "Unsigned network traffic is susceptible to man-in-the-middle attacks,\n where an intruder captures packets between the server and the client and\n modifies them before forwarding them to the client. In the case of an LDAP\n server, this means that an attacker could cause a client to make decisions\n based on false records from the LDAP directory. The risk of an attacker pulling\n this off can be decreased by implementing strong physical security measures to\n protect the network infrastructure. Furthermore, implementing Internet Protocol\n security (IPsec) authentication header mode (AH), which performs mutual\n authentication and packet integrity for Internet Protocol (IP) traffic, can\n make all types of man-in-the-middle attacks extremely difficult.", + "title": "Reversible password encryption must be disabled.", + "desc": "Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords, which are easily compromised.\n For this reason, this policy must never be enabled.", "descriptions": { - "default": "Unsigned network traffic is susceptible to man-in-the-middle attacks,\n where an intruder captures packets between the server and the client and\n modifies them before forwarding them to the client. In the case of an LDAP\n server, this means that an attacker could cause a client to make decisions\n based on false records from the LDAP directory. 
The risk of an attacker pulling\n this off can be decreased by implementing strong physical security measures to\n protect the network infrastructure. Furthermore, implementing Internet Protocol\n security (IPsec) authentication header mode (AH), which performs mutual\n authentication and packet integrity for Internet Protocol (IP) traffic, can\n make all types of man-in-the-middle attacks extremely difficult.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\\\n\n Value Name: LDAPServerIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n controller: LDAP server signing requirements to Require signing." + "default": "Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords, which are easily compromised.\n For this reason, this policy must never be enabled.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Store passwords using reversible encryption is not set to\n Disabled, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >> Store\n passwords using reversible encryption to Disabled." 
}, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-73629", - "rid": "SV-88293r1_rule", - "stig_id": "WN16-DC-000320", - "fix_id": "F-80079r1_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-73325", + "rid": "SV-87977r1_rule", + "stig_id": "WN16-AC-000090", + "fix_id": "F-79767r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000196" ], "nist": [ - "CM-6 b", + "IA-5 (1) (c)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73629' do\n title 'Domain controllers must require LDAP access signing.'\n desc \"Unsigned network traffic is susceptible to man-in-the-middle attacks,\n where an intruder captures packets between the server and the client and\n modifies them before forwarding them to the client. In the case of an LDAP\n server, this means that an attacker could cause a client to make decisions\n based on false records from the LDAP directory. The risk of an attacker pulling\n this off can be decreased by implementing strong physical security measures to\n protect the network infrastructure. Furthermore, implementing Internet Protocol\n security (IPsec) authentication header mode (AH), which performs mutual\n authentication and packet integrity for Internet Protocol (IP) traffic, can\n make all types of man-in-the-middle attacks extremely difficult.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73629'\n tag \"rid\": 'SV-88293r1_rule'\n tag \"stig_id\": 'WN16-DC-000320'\n tag \"fix_id\": 'F-80079r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\\n\n Value Name: LDAPServerIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n controller: LDAP server signing requirements to Require signing.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters') do\n it { should have_property 'LDAPServerIntegrity' }\n its('LDAPServerIntegrity') { should cmp 2 }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73325' do\n title 'Reversible password encryption must be disabled.'\n desc \"Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords, which are easily compromised.\n For this reason, this policy must never be enabled.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"gid\": 'V-73325'\n tag \"rid\": 'SV-87977r1_rule'\n tag \"stig_id\": 'WN16-AC-000090'\n tag \"fix_id\": 'F-79767r1_fix'\n tag \"cci\": ['CCI-000196']\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run 
gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Store passwords using reversible encryption is not set to\n Disabled, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >> Store\n passwords using reversible encryption to Disabled.\"\n describe security_policy do\n its('ClearTextPassword') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73629.rb", + "ref": "./Windows 2016 STIG/controls/V-73325.rb", "line": 1 }, - "id": "V-73629" + "id": "V-73325" }, { - "title": "System files must be monitored for unauthorized changes.", - "desc": "Monitoring system files for changes against a baseline on a regular\n basis may help detect the possible introduction of malicious code on a system.", + "title": "Anonymous SID/Name translation must not be allowed.", + "desc": "Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.", "descriptions": { - "default": "Monitoring system files for changes against a baseline on a regular\n basis may help detect the possible introduction of malicious code on a system.", - "check": "Determine whether the system is monitored for unauthorized\n changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a\n baseline on a weekly basis.\n\n If system files are not monitored for unauthorized changes, this is a finding.\n\n A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor\n (FIM) module will meet the requirement for file integrity checking. 
The Asset\n module within HBSS does not meet this requirement.", - "fix": "Monitor the system for unauthorized changes to system files\n (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly\n basis. This can be done with the use of various monitoring tools." + "default": "Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Network access: Allow anonymous SID/Name translation is\n not set to Disabled, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Allow anonymous SID/Name translation to Disabled." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000363-GPOS-00150", - "gid": "V-73265", - "rid": "SV-87917r1_rule", - "stig_id": "WN16-00-000240", - "fix_id": "F-79709r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73665", + "rid": "SV-88329r1_rule", + "stig_id": "WN16-SO-000250", + "fix_id": "F-80115r1_fix", "cci": [ - "CCI-001744" + "CCI-000366" ], "nist": [ - "CM-3 (5)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73265' do\n title 'System files must be monitored for unauthorized changes.'\n desc \"Monitoring system files for changes against a baseline on a regular\n basis may help detect the possible introduction of malicious code on a system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000363-GPOS-00150'\n tag \"gid\": 'V-73265'\n tag \"rid\": 'SV-87917r1_rule'\n tag \"stig_id\": 'WN16-00-000240'\n tag \"fix_id\": 'F-79709r1_fix'\n tag \"cci\": ['CCI-001744']\n tag \"nist\": ['CM-3 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine whether the system is monitored for unauthorized\n changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a\n baseline on a weekly basis.\n\n If system files are not monitored for unauthorized changes, this is a finding.\n\n A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor\n (FIM) module will meet the requirement for file integrity checking. The Asset\n module within HBSS does not meet this requirement.\"\n desc \"fix\", \"Monitor the system for unauthorized changes to system files\n (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly\n basis. 
This can be done with the use of various monitoring tools.\"\n describe 'A manual review is required to verify that system files are monitored for unauthorized changes' do\n skip 'A manual review is required to verify that system files are monitored for unauthorized changes'\n end\nend\n", + "code": "control 'V-73665' do\n title 'Anonymous SID/Name translation must not be allowed.'\n desc \"Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73665'\n tag \"rid\": 'SV-88329r1_rule'\n tag \"stig_id\": 'WN16-SO-000250'\n tag \"fix_id\": 'F-80115r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Network access: Allow anonymous SID/Name translation is\n not set to Disabled, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Allow anonymous SID/Name translation to Disabled.\"\n describe security_policy do\n its('LSAAnonymousNameLookup') { should eq 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73265.rb", + "ref": "./Windows 2016 STIG/controls/V-73665.rb", "line": 1 }, - "id": "V-73265" + "id": "V-73665" }, { - "title": "Windows Server 2016 must be configured to prevent the storage of the\n LAN Manager hash of passwords.", - "desc": "The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. 
This\n setting controls whether a LAN Manager hash of the password is stored in the\n SAM the next time the password is changed.", + "title": "Session security for NTLM SSP-based clients must be configured to\n require NTLMv2 session security and 128-bit encryption.", + "desc": "Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. All of the options must be\n enabled to ensure the maximum security level.", "descriptions": { - "default": "The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. This\n setting controls whether a LAN Manager hash of the password is stored in the\n SAM the next time the password is changed.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Do not store LAN Manager hash value on next password\n change to Enabled." + "default": "Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. 
All of the options must be\n enabled to ensure the maximum security level.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinClientSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Minimum session security for NTLM SSP based (including\n secure RPC) clients to Require NTLMv2 session security and Require\n 128-bit encryption (all options selected)." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000073-GPOS-00041", - "gid": "V-73687", - "rid": "SV-88351r1_rule", - "stig_id": "WN16-SO-000360", - "fix_id": "F-80137r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73695", + "rid": "SV-88359r1_rule", + "stig_id": "WN16-SO-000400", + "fix_id": "F-80145r1_fix", "cci": [ - "CCI-000196" + "CCI-000366" ], "nist": [ - "IA-5 (1) (c)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73687' do\n title \"Windows Server 2016 must be configured to prevent the storage of the\n LAN Manager hash of passwords.\"\n desc \"The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. 
This\n setting controls whether a LAN Manager hash of the password is stored in the\n SAM the next time the password is changed.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"gid\": 'V-73687'\n tag \"rid\": 'SV-88351r1_rule'\n tag \"stig_id\": 'WN16-SO-000360'\n tag \"fix_id\": 'F-80137r1_fix'\n tag \"cci\": ['CCI-000196']\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Do not store LAN Manager hash value on next password\n change to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'NoLMHash' }\n its('NoLMHash') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73695' do\n title \"Session security for NTLM SSP-based clients must be configured to\n require NTLMv2 session security and 128-bit encryption.\"\n desc \"Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. 
All of the options must be\n enabled to ensure the maximum security level.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73695'\n tag \"rid\": 'SV-88359r1_rule'\n tag \"stig_id\": 'WN16-SO-000400'\n tag \"fix_id\": 'F-80145r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinClientSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Minimum session security for NTLM SSP based (including\n secure RPC) clients to Require NTLMv2 session security and Require\n 128-bit encryption (all options selected).\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'NTLMMinClientSec' }\n its('NTLMMinClientSec') { should cmp 537395200 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73687.rb", + "ref": "./Windows 2016 STIG/controls/V-73695.rb", "line": 1 }, - "id": "V-73687" + "id": "V-73695" }, { - "title": "Users must be prevented from changing installation options.", - "desc": "Installation options for applications are typically controlled by\n administrators. This setting prevents users from changing installation options\n that may bypass security features.", + "title": "Group Policy objects must be reprocessed even if they have not\n changed.", + "desc": "Registry entries for group policy settings can potentially be changed\n from the required configuration. 
This could occur as part of troubleshooting or\n by a malicious process on a compromised system. Enabling this setting and then\n selecting the Process even if the Group Policy objects have not changed\n option ensures the policies will be reprocessed even if none have been changed.\n This way, any unauthorized changes are forced to match the domain-based group\n policy settings again.", "descriptions": { - "default": "Installation options for applications are typically controlled by\n administrators. This setting prevents users from changing installation options\n that may bypass security features.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: EnableUserControl\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> Allow\n user control over installs to Disabled." + "default": "Registry entries for group policy settings can potentially be changed\n from the required configuration. This could occur as part of troubleshooting or\n by a malicious process on a compromised system. 
Enabling this setting and then\n selecting the Process even if the Group Policy objects have not changed\n option ensures the policies will be reprocessed even if none have been changed.\n This way, any unauthorized changes are forced to match the domain-based group\n policy settings again.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Group\n Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\\n\n Value Name: NoGPOListChanges\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Group Policy >> Configure registry\n policy processing to Enabled with the option Process even if the Group\n Policy objects have not changed selected." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000362-GPOS-00149", - "gid": "V-73583", - "rid": "SV-88247r1_rule", - "stig_id": "WN16-CC-000450", - "fix_id": "F-80033r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73525", + "rid": "SV-88177r1_rule", + "stig_id": "WN16-CC-000150", + "fix_id": "F-79965r1_fix", "cci": [ - "CCI-001812" + "CCI-000366" ], "nist": [ - "CM-11 (2)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73583' do\n title 'Users must be prevented from changing installation options.'\n desc \"Installation options for applications are typically controlled by\n administrators. 
This setting prevents users from changing installation options\n that may bypass security features.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000362-GPOS-00149'\n tag \"gid\": 'V-73583'\n tag \"rid\": 'SV-88247r1_rule'\n tag \"stig_id\": 'WN16-CC-000450'\n tag \"fix_id\": 'F-80033r1_fix'\n tag \"cci\": ['CCI-001812']\n tag \"nist\": ['CM-11 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: EnableUserControl\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> Allow\n user control over installs to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer') do\n it { should have_property 'EnableUserControl' }\n its('EnableUserControl') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73525' do\n title \"Group Policy objects must be reprocessed even if they have not\n changed.\"\n desc \"Registry entries for group policy settings can potentially be changed\n from the required configuration. This could occur as part of troubleshooting or\n by a malicious process on a compromised system. 
Enabling this setting and then\n selecting the Process even if the Group Policy objects have not changed\n option ensures the policies will be reprocessed even if none have been changed.\n This way, any unauthorized changes are forced to match the domain-based group\n policy settings again.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73525'\n tag \"rid\": 'SV-88177r1_rule'\n tag \"stig_id\": 'WN16-CC-000150'\n tag \"fix_id\": 'F-79965r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Group\n Policy\\\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\\\\n\n Value Name: NoGPOListChanges\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Group Policy >> Configure registry\n policy processing to Enabled with the option Process even if the Group\n Policy objects have not changed selected.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Group Policy\\\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}') do\n it { should have_property 'NoGPOListChanges' }\n its('NoGPOListChanges') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73583.rb", + "ref": "./Windows 2016 STIG/controls/V-73525.rb", "line": 1 }, - "id": "V-73583" + "id": "V-73525" }, { - "title": "Windows Server 2016 must be configured to audit Object Access -\n Removable Storage failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.", + "title": "The Windows Remote Management (WinRM) service must not store RunAs\n credentials.", + "desc": "Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management will\n prevent them from being used with plug-ins.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Failure\n\n Virtual machines or systems that use network attached storage may 
generate\n excessive audit events for secondary virtual drives or the network attached\n storage when this setting is enabled. This may be set to Not Configured in such\n cases and would not be a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> Audit Removable Storage with Failure\n selected." + "default": "Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management will\n prevent them from being used with plug-ins.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: DisableRunAs\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Disallow WinRM from storing RunAs credentials\n to Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000474-GPOS-00219", - "gid": "V-73459", - "rid": "SV-88111r1_rule", - "stig_id": "WN16-AU-000300", - "fix_id": "F-79901r1_fix", + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-73603", + "rid": "SV-88267r1_rule", + "stig_id": "WN16-CC-000550", + "fix_id": "F-80053r1_fix", "cci": [ - "CCI-000172" + "CCI-002038" ], "nist": [ - "AU-12 c", + "IA-11", "Rev_4" ], "documentable": false }, - "code": "control 'V-73459' do\n title \"Windows Server 2016 must be configured to audit Object Access -\n Removable Storage failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000474-GPOS-00219'\n tag \"gid\": 'V-73459'\n tag \"rid\": 'SV-88111r1_rule'\n tag \"stig_id\": 'WN16-AU-000300'\n tag \"fix_id\": 'F-79901r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n 
Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Failure\n\n Virtual machines or systems that use network attached storage may generate\n excessive audit events for secondary virtual drives or the network attached\n storage when this setting is enabled. This may be set to Not Configured in such\n cases and would not be a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> Audit Removable Storage with Failure\n selected.\"\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Removable Storage'\") do\n its('stdout') { should match /Removable Storage Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Removable Storage'\") do\n its('stdout') { should match /Removable Storage Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73603' do\n title \"The Windows Remote Management (WinRM) service must not store RunAs\n credentials.\"\n desc \"Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management will\n prevent them from being used with plug-ins.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73603'\n tag \"rid\": 'SV-88267r1_rule'\n tag \"stig_id\": 'WN16-CC-000550'\n tag \"fix_id\": 'F-80053r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is 
not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: DisableRunAs\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Disallow WinRM from storing RunAs credentials\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'DisableRunAs' }\n its('DisableRunAs') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73459.rb", + "ref": "./Windows 2016 STIG/controls/V-73603.rb", "line": 1 }, - "id": "V-73459" + "id": "V-73603" }, { - "title": "The default permissions of global system objects must be strengthened.", - "desc": "Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default Discretionary Access Control List (DACL) that specifies who can\n access the objects with what permissions. When this policy is enabled, the\n default DACL is stronger, allowing non-administrative users to read shared\n objects but not to modify shared objects they did not create.", + "title": "Windows Server 2016 must be configured to audit Privilege Use -\n Sensitive Privilege Use successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.", "descriptions": { - "default": "Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default Discretionary Access Control List (DACL) that specifies who can\n access the objects with what permissions. When this policy is enabled, the\n default DACL is stronger, allowing non-administrative users to read shared\n objects but not to modify shared objects they did not create.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n objects: Strengthen default permissions of internal system objects (e.g.,\n Symbolic Links) to Enabled." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with\n Success selected." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73705", - "rid": "SV-88369r1_rule", - "stig_id": "WN16-SO-000450", - "fix_id": "F-80155r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000466-GPOS-00210" + ], + "gid": "V-73469", + "rid": "SV-88121r1_rule", + "stig_id": "WN16-AU-000350", + "fix_id": "F-79911r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73705' do\n title 'The default permissions of global system objects must be strengthened.'\n desc \"Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default Discretionary Access Control List (DACL) that specifies who can\n access the objects with what permissions. 
When this policy is enabled, the\n default DACL is stronger, allowing non-administrative users to read shared\n objects but not to modify shared objects they did not create.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73705'\n tag \"rid\": 'SV-88369r1_rule'\n tag \"stig_id\": 'WN16-SO-000450'\n tag \"fix_id\": 'F-80155r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n objects: Strengthen default permissions of internal system objects (e.g.,\n Symbolic Links) to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager') do\n it { should have_property 'ProtectionMode' }\n its('ProtectionMode') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73469' do\n title \"Windows Server 2016 must be configured to audit Privilege Use -\n Sensitive Privilege Use successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73469'\n tag \"rid\": 'SV-88121r1_rule'\n tag \"stig_id\": 'WN16-AU-000350'\n tag \"fix_id\": 'F-79911r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Sensitive 
Privilege Use'\") do\n its('stdout') { should match /Sensitive Privilege Use Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Sensitive Privilege Use'\") do\n its('stdout') { should match /Sensitive Privilege Use Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73705.rb", + "ref": "./Windows 2016 STIG/controls/V-73469.rb", "line": 1 }, - "id": "V-73705" + "id": "V-73469" }, { - "title": "The Lock pages in memory user right must not be assigned to any groups\n or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Lock pages in memory user right allows physical memory to be\n assigned to processes, which could cause performance issues or a denial of\n service.", + "title": "The setting Microsoft network server: Digitally sign communications\n (if client agrees) must be configured to Enabled.", + "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will\n negotiate SMB packet signing as requested by the client.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Lock pages in memory user right allows physical memory to be\n assigned to processes, which could cause performance issues or a denial of\n service.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Lock pages in memory user right,\n this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Lock pages in memory to be defined but containing no entries (blank)." + "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will\n negotiate SMB packet signing as requested by the client.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network server: Digitally sign communications (if client agrees)\n to Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73791", - "rid": "SV-88455r1_rule", - "stig_id": "WN16-UR-000250", - "fix_id": "F-80241r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-73663", + "rid": "SV-88327r1_rule", + "stig_id": "WN16-SO-000240", + "fix_id": "F-80113r1_fix", "cci": [ - "CCI-002235" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AC-6 (10)", + "SC-8", + "SC-8 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73791' do\n title \"The Lock pages in memory user right must not be assigned to any groups\n or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Lock pages in memory user right allows physical memory to be\n assigned to processes, which could cause performance issues or a denial of\n service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73791'\n tag \"rid\": 'SV-88455r1_rule'\n tag \"stig_id\": 'WN16-UR-000250'\n tag \"fix_id\": 'F-80241r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group 
Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Lock pages in memory user right,\n this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Lock pages in memory to be defined but containing no entries (blank).\"\n describe security_policy do\n its('SeLockMemoryPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-73663' do\n title \"The setting Microsoft network server: Digitally sign communications\n (if client agrees) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will\n negotiate SMB packet signing as requested by the client.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73663'\n tag \"rid\": 'SV-88327r1_rule'\n tag \"stig_id\": 'WN16-SO-000240'\n tag \"fix_id\": 'F-80113r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network server: Digitally sign communications (if client agrees)\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters') do\n it { should have_property 'EnableSecuritySignature' }\n its('EnableSecuritySignature') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73791.rb", + "ref": "./Windows 2016 STIG/controls/V-73663.rb", "line": 1 }, - "id": "V-73791" + "id": "V-73663" }, { - "title": "The display of slide shows on the lock screen must be disabled.", - "desc": "Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. 
Turning off this feature will\n limit access to the information to a logged-on user.", + "title": "The setting Microsoft network client: Digitally sign communications\n (if server agrees) must be configured to Enabled.", + "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. If this policy is enabled, the SMB client will request\n packet signing when communicating with an SMB server that is enabled or\n required to perform SMB packet signing.", "descriptions": { - "default": "Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. Turning off this feature will\n limit access to the information to a logged-on user.", - "check": "Verify the registry value below.\n\n If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Prevent\n enabling lock screen slide show to Enabled." + "default": "The server message block (SMB) protocol provides the basis for many\n network operations. 
If this policy is enabled, the SMB client will request\n packet signing when communicating with an SMB server that is enabled or\n required to perform SMB packet signing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network client: Digitally sign communications (if server agrees)\n to Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73493", - "rid": "SV-88145r1_rule", - "stig_id": "WN16-CC-000010", - "fix_id": "F-79935r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-73655", + "rid": "SV-88319r1_rule", + "stig_id": "WN16-SO-000200", + "fix_id": "F-80105r1_fix", "cci": [ - "CCI-000381" + "CCI-002418", + "CCI-002421" ], "nist": [ - "CM-7 a", + "SC-8", + "SC-8 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73493' do\n title 'The display of slide shows on the lock screen must be disabled.'\n desc \"Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. 
Turning off this feature will\n limit access to the information to a logged-on user.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73493'\n tag \"rid\": 'SV-88145r1_rule'\n tag \"stig_id\": 'WN16-CC-000010'\n tag \"fix_id\": 'F-79935r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the registry value below.\n\n If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization\\\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Prevent\n enabling lock screen slide show to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization') do\n it { should have_property 'NoLockScreenSlideshow' }\n its('NoLockScreenSlideshow') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73655' do\n title \"The setting Microsoft network client: Digitally sign communications\n (if server agrees) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. 
If this policy is enabled, the SMB client will request\n packet signing when communicating with an SMB server that is enabled or\n required to perform SMB packet signing.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73655'\n tag \"rid\": 'SV-88319r1_rule'\n tag \"stig_id\": 'WN16-SO-000200'\n tag \"fix_id\": 'F-80105r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network client: Digitally sign communications (if server agrees)\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'EnableSecuritySignature' }\n its('EnableSecuritySignature') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73493.rb", + "ref": "./Windows 2016 STIG/controls/V-73655.rb", "line": 1 }, - "id": "V-73493" + "id": "V-73655" }, { - "title": "Users must be required to enter a password to access private keys\n stored on the computer.", - "desc": "If the private key is discovered, an attacker can use the key to\n authenticate as an authorized user and gain access to the network\n infrastructure.\n\n The cornerstone of the PKI is the private key used to encrypt or digitally\n sign information.\n\n If the private key is stolen, this 
will lead to the compromise of the\n authentication and non-repudiation gained through PKI because the attacker can\n use the private key to digitally sign documents and pretend to be the\n authorized user.\n\n Both the holders of a digital certificate and the issuing authority must\n protect the computers, storage devices, or whatever they use to keep the\n private keys.", + "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Special\n Logon successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\n and can be used to elevate processes.", "descriptions": { - "default": "If the private key is discovered, an attacker can use the key to\n authenticate as an authorized user and gain access to the network\n infrastructure.\n\n The cornerstone of the PKI is the private key used to encrypt or digitally\n sign information.\n\n If the private key is stolen, this will lead to the compromise of the\n authentication and non-repudiation gained through PKI because the attacker can\n use the private key to digitally sign documents and pretend to be the\n authorized user.\n\n Both the holders of a digital certificate and the issuing authority must\n protect the computers, storage devices, or whatever they use to keep the\n private keys.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Cryptography\\\n\n Value Name: 
ForceKeyProtection\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n cryptography: Force strong key protection for user keys stored on the\n computer to User must enter a password each time they use a key." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\n and can be used to elevate processes.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Special Logon - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Special Logon with Success\n selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000067-GPOS-00035", - "gid": "V-73699", - "rid": "SV-88363r1_rule", - "stig_id": "WN16-SO-000420", - "fix_id": "F-80149r1_fix", + "gtitle": "SRG-OS-000470-GPOS-00214", + "satisfies": [ + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000472-GPOS-00217", + "SRG-OS-000473-GPOS-00218", + "SRG-OS-000475-GPOS-00220" + ], + "gid": "V-73455", + "rid": "SV-88107r1_rule", + "stig_id": "WN16-AU-000280", + "fix_id": "F-79897r1_fix", "cci": [ - "CCI-000186" + "CCI-000172" ], "nist": [ - "IA-5 (2) (b)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73699' do\n title \"Users must be required to enter a password to access private keys\n stored on the computer.\"\n desc \"If the private key is discovered, an attacker can use the key to\n authenticate as an authorized user and gain access to the network\n infrastructure.\n\n The cornerstone of the PKI is the private key used to encrypt or digitally\n sign information.\n\n If the private key is stolen, this will lead to the compromise of the\n authentication and non-repudiation gained through PKI because the attacker can\n use the private key to digitally sign documents and pretend to be the\n authorized user.\n\n Both the holders of a digital certificate and the issuing authority must\n protect the computers, storage devices, or whatever they use to keep the\n private keys.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000067-GPOS-00035'\n tag \"gid\": 'V-73699'\n tag \"rid\": 'SV-88363r1_rule'\n tag \"stig_id\": 'WN16-SO-000420'\n tag \"fix_id\": 'F-80149r1_fix'\n tag \"cci\": ['CCI-000186']\n tag \"nist\": ['IA-5 (2) (b)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography\\\\\n\n Value Name: ForceKeyProtection\n\n Type: REG_DWORD\n Value: 
0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n cryptography: Force strong key protection for user keys stored on the\n computer to User must enter a password each time they use a key.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography') do\n it { should have_property 'ForceKeyProtection' }\n its('ForceKeyProtection') { should cmp 2 }\n end\nend\n", + "code": "control 'V-73455' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Special\n Logon successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\n and can be used to elevate processes.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000470-GPOS-00214'\n tag \"satisfies\": ['SRG-OS-000470-GPOS-00214', 'SRG-OS-000472-GPOS-00217',\n 'SRG-OS-000473-GPOS-00218', 'SRG-OS-000475-GPOS-00220']\n tag \"gid\": 'V-73455'\n tag \"rid\": 'SV-88107r1_rule'\n tag \"stig_id\": 'WN16-AU-000280'\n tag \"fix_id\": 'F-79897r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy 
configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Special Logon - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Special Logon with Success\n selected.\"\n describe.one do\n describe audit_policy do\n its('Special Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Special Logon') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Special Logon'\") do\n its('stdout') { should match /Special Logon Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Special Logon'\") do\n its('stdout') { should match /Special Logon Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73699.rb", + "ref": "./Windows 2016 STIG/controls/V-73455.rb", "line": 1 }, - "id": "V-73699" + "id": "V-73455" }, { - "title": "The Smart Card removal option must be configured to Force Logoff or\n Lock Workstation.", - "desc": "Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.", + "title": "The directory service must be configured to terminate LDAP-based\n network connections to the directory server after 5 minutes of inactivity.", + "desc": "The failure to terminate inactive network connections increases the\n risk of a successful attack on the directory server. 
The longer an established\n session is in progress, the more time an attacker has to hijack the session,\n implement a means to passively intercept data, or compromise any protections on\n client access. For example, if an attacker gains control of a client computer,\n an existing (already authenticated) session with the directory server could\n allow access to the directory. The lack of confidentiality protection in\n LDAP-based sessions increases exposure to this vulnerability.", "descriptions": { - "default": "Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: scremoveoption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n If configuring this on servers causes issues, such as terminating users' remote\n sessions, and the organization has a policy in place that any other sessions on\n the servers, such as administrative console logons, are manually locked or\n logged off when unattended or not in use, this would be acceptable. This must\n be documented with the ISSO.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive logon: Smart card removal behavior to Lock Workstation or\n Force Logoff." + "default": "The failure to terminate inactive network connections increases the\n risk of a successful attack on the directory server. The longer an established\n session is in progress, the more time an attacker has to hijack the session,\n implement a means to passively intercept data, or compromise any protections on\n client access. 
For example, if an attacker gains control of a client computer,\n an existing (already authenticated) session with the directory server could\n allow access to the directory. The lack of confidentiality protection in\n LDAP-based sessions increases exposure to this vulnerability.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter ntdsutil.\n\n At the ntdsutil: prompt, enter LDAP policies.\n\n At the ldap policy: prompt, enter connections.\n\n At the server connections: prompt, enter connect to server [host-name]\n (where [host-name] is the computer name of the domain controller).\n\n At the server connections: prompt, enter q.\n\n At the ldap policy: prompt, enter show values.\n\n If the value for MaxConnIdleTime is greater than 300 (5 minutes) or is not\n specified, this is a finding.\n\n Enter q at the ldap policy: and ntdsutil: prompts to exit.\n\n Alternately, Dsquery can be used to display MaxConnIdleTime:\n\n Open Command Prompt (Admin).\n Enter the following command (on a single line).\n\n dsquery * cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,\n cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name] -attr\n LDAPAdminLimits\n\n The quotes are required and dc=[forest-name] is the fully qualified LDAP name\n of the domain being reviewed (e.g., dc=disaost,dc=mil).\n\n If the results do not specify a MaxConnIdleTime or it has a value greater\n than 300 (5 minutes), this is a finding.", + "fix": "Configure the directory service to terminate LDAP-based network\n connections to the directory server after 5 minutes of inactivity.\n\n Open an elevated Command prompt (run as administrator).\n\n Enter ntdsutil.\n\n At the ntdsutil: prompt, enter LDAP policies.\n\n At the ldap policy: prompt, enter connections.\n\n At the server connections: prompt, enter connect to server [host-name]\n (where [host-name] is the computer name of the domain 
controller).\n\n At the server connections: prompt, enter q.\n\n At the ldap policy: prompt, enter Set MaxConnIdleTime to 300.\n\n Enter Commit Changes to save.\n\n Enter Show values to verify changes.\n\n Enter q at the ldap policy: and ntdsutil: prompts to exit." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73807", - "rid": "SV-88473r1_rule", - "stig_id": "WN16-SO-000180", - "fix_id": "F-80265r1_fix", + "gtitle": "SRG-OS-000163-GPOS-00072", + "gid": "V-73387", + "rid": "SV-88039r1_rule", + "stig_id": "WN16-DC-000160", + "fix_id": "F-79829r1_fix", "cci": [ - "CCI-000366" + "CCI-001133" ], "nist": [ - "CM-6 b)", + "SC-10", "Rev_4" ], "documentable": false }, - "code": "control 'V-73807' do\n title \"The Smart Card removal option must be configured to Force Logoff or\n Lock Workstation.\"\n desc \"Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73807'\n tag \"rid\": 'SV-88473r1_rule'\n tag \"stig_id\": 'WN16-SO-000180'\n tag \"fix_id\": 'F-80265r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: scremoveoption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n If configuring this on servers causes issues, such as terminating users' remote\n sessions, and the organization has a policy in place that any other sessions on\n the servers, such as administrative console logons, are manually locked or\n logged off when unattended or not in use, this 
would be acceptable. This must\n be documented with the ISSO.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive logon: Smart card removal behavior to Lock Workstation or\n Force Logoff.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'scremoveoption' }\n its('scremoveoption') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'scremoveoption' }\n its('scremoveoption') { should cmp 2 }\n end\n end\nend\n", + "code": "control 'V-73387' do\n title \"The directory service must be configured to terminate LDAP-based\n network connections to the directory server after 5 minutes of inactivity.\"\n desc \"The failure to terminate inactive network connections increases the\n risk of a successful attack on the directory server. The longer an established\n session is in progress, the more time an attacker has to hijack the session,\n implement a means to passively intercept data, or compromise any protections on\n client access. For example, if an attacker gains control of a client computer,\n an existing (already authenticated) session with the directory server could\n allow access to the directory. The lack of confidentiality protection in\n LDAP-based sessions increases exposure to this vulnerability.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000163-GPOS-00072'\n tag \"gid\": 'V-73387'\n tag \"rid\": 'SV-88039r1_rule'\n tag \"stig_id\": 'WN16-DC-000160'\n tag \"fix_id\": 'F-79829r1_fix'\n tag \"cci\": ['CCI-001133']\n tag \"nist\": ['SC-10', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter ntdsutil.\n\n At the ntdsutil: prompt, enter LDAP policies.\n\n At the ldap policy: prompt, enter connections.\n\n At the server connections: prompt, enter connect to server [host-name]\n (where [host-name] is the computer name of the domain controller).\n\n At the server connections: prompt, enter q.\n\n At the ldap policy: prompt, enter show values.\n\n If the value for MaxConnIdleTime is greater than 300 (5 minutes) or is not\n specified, this is a finding.\n\n Enter q at the ldap policy: and ntdsutil: prompts to exit.\n\n Alternately, Dsquery can be used to display MaxConnIdleTime:\n\n Open Command Prompt (Admin).\n Enter the following command (on a single line).\n\n dsquery * cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,\n cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name] -attr\n LDAPAdminLimits\n\n The quotes are required and dc=[forest-name] is the fully qualified LDAP name\n of the domain being reviewed (e.g., dc=disaost,dc=mil).\n\n If the results do not specify a MaxConnIdleTime or it has a value greater\n than 300 (5 minutes), this is a finding.\"\n desc \"fix\", \"Configure the directory service to terminate LDAP-based network\n connections to the directory server after 5 minutes of inactivity.\n\n Open an elevated Command prompt (run as administrator).\n\n Enter ntdsutil.\n\n At the ntdsutil: prompt, enter LDAP policies.\n\n At the ldap policy: prompt, enter connections.\n\n At the server connections: prompt, enter connect to server [host-name]\n (where [host-name] is the computer name of the domain controller).\n\n At the server connections: prompt, enter q.\n\n At the ldap policy: prompt, enter Set MaxConnIdleTime to 300.\n\n Enter Commit Changes to save.\n\n Enter Show values to verify changes.\n\n Enter q at the ldap policy: and ntdsutil: prompts to exit.\"\n max_conn_idle_time = input('max_conn_idle_time')\n domain_role = 
command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n query = command(\"dsquery * \\\"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,\" + input('forrest') + \"\\\" -attr LDAPAdminLimits\").stdout\n ldap_admin_limits = parse_config(query.gsub(/;/, \"\\n\")).params\n describe \"MaxConnIdleTime is configured\" do\n subject { ldap_admin_limits }\n it { should include 'MaxConnIdleTime' }\n end\n describe \"The MaxConnIdleTime\" do\n subject { ldap_admin_limits['MaxConnIdleTime'] }\n it { should cmp <= 300 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73807.rb", + "ref": "./Windows 2016 STIG/controls/V-73387.rb", "line": 1 }, - "id": "V-73807" + "id": "V-73387" }, { - "title": "Servers must have a host-based intrusion detection or prevention\n system.", - "desc": "A properly configured Host-based Intrusion Detection System (HIDS) or\n Host-based Intrusion Prevention System (HIPS) provides another level of defense\n against unauthorized access to critical servers. With proper configuration and\n logging enabled, such a system can stop and/or alert for many attempts to gain\n unauthorized access to resources.", + "title": "The Active Directory AdminSDHolder object must be configured with\n proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the AdminSDHolder object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", "descriptions": { - "default": "A properly configured Host-based Intrusion Detection System (HIDS) or\n Host-based Intrusion Prevention System (HIPS) provides another level of defense\n against unauthorized access to critical servers. With proper configuration and\n logging enabled, such a system can stop and/or alert for many attempts to gain\n unauthorized access to resources.", - "check": "Determine whether there is a HIDS or HIPS on each server.\n\n If the HIPS component of HBSS is installed and active on the host and the\n alerts of blocked activity are being logged and monitored, this meets the\n requirement.\n\n A HIDS device is not required on a system that has the role as the Network\n Intrusion Device (NID). However, this exception needs to be documented with the\n ISSO.\n\n If a HIDS is not installed on the system, this is a finding.", - "fix": "Install a HIDS or HIPS on each server." + "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. 
The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the AdminSDHolder object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the AdminSDHolder object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the AdminSDHolder object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the AdminSDHolder object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects", + "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the AdminSDHolder object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for AdminSDHolder object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects"
 },
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-73245",
- "rid": "SV-87897r1_rule",
- "stig_id": "WN16-00-000140",
- "fix_id": "F-79689r1_fix",
+ "gtitle": "SRG-OS-000327-GPOS-00127",
+ "satisfies": [
+ "SRG-OS-000327-GPOS-00127",
+ "SRG-OS-000458-GPOS-00203",
+ "SRG-OS-000463-GPOS-00207",
+ "SRG-OS-000468-GPOS-00212"
+ ],
+ "gid": "V-73397",
+ "rid": "SV-88049r1_rule",
+ "stig_id": "WN16-DC-000210",
+ "fix_id": "F-79839r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000172",
+ "CCI-002234"
 ],
 "nist": [
- "CM-6 b",
+ "AU-12 c",
+ "AC-6 (9)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73245' do\n title \"Servers must have a host-based intrusion detection or prevention\n system.\"\n desc \"A properly configured Host-based Intrusion Detection System (HIDS) or\n Host-based Intrusion Prevention System (HIPS) provides another level of defense\n against unauthorized access to critical servers. 
With proper configuration and\n logging enabled, such a system can stop and/or alert for many attempts to gain\n unauthorized access to resources.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73245'\n tag \"rid\": 'SV-87897r1_rule'\n tag \"stig_id\": 'WN16-00-000140'\n tag \"fix_id\": 'F-79689r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine whether there is a HIDS or HIPS on each server.\n\n If the HIPS component of HBSS is installed and active on the host and the\n alerts of blocked activity are being logged and monitored, this meets the\n requirement.\n\n A HIDS device is not required on a system that has the role as the Network\n Intrusion Device (NID). However, this exception needs to be documented with the\n ISSO.\n\n If a HIDS is not installed on the system, this is a finding.\"\n desc \"fix\", 'Install a HIDS or HIPS on each server.'\n describe 'A manual review is required to determine whether this server has a host-based Intrusion Detection System installed' do\n skip 'A manual review is required to determine whether this server has a host-based Intrusion Detection System installed'\n end\nend\n", + "code": "control 'V-73397' do\n title \"The Active Directory AdminSDHolder object must be configured with\n proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the AdminSDHolder object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73397'\n tag \"rid\": 'SV-88049r1_rule'\n tag \"stig_id\": 'WN16-DC-000210'\n tag \"fix_id\": 'F-79839r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234'] \n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for the AdminSDHolder object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the AdminSDHolder object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the AdminSDHolder object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the AdminSDHolder object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for AdminSDHolder object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types 
listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=AdminSDHolder,CN=System,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n 
its(['ActiveDirectoryRights']) { should match /^(?=.*?\\bWriteProperty\\b)(?=.*?\\bWriteDacl\\b)(?=.*?\\bWriteOwner\\b).*$/ }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73245.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73397.rb",
 "line": 1
 },
- "id": "V-73245"
+ "id": "V-73397"
 },
 {
- "title": "Windows Server 2016 must employ automated mechanisms to determine the\n state of system components with regard to flaw remediation using the following\n frequency: continuously, where Host Based Security System (HBSS) is used; 30\n days, for any additional internal network scans not covered by HBSS; and\n annually, for external scans by Computer Network Defense Service Provider\n (CNDSP).",
- "desc": "Without the use of automated mechanisms to scan for security flaws on\n a continuous and/or periodic basis, the operating system or other system\n components may remain vulnerable to the exploits presented by 
undetected\n software flaws. The operating system may have an integrated solution\n incorporating continuous scanning using HBSS and periodic scanning using other\n tools.",
+ "title": "Users with Administrative privileges must have separate accounts for\n administrative duties and normal operational tasks.",
+ "desc": "Using a privileged account to perform routine functions makes the\n computer vulnerable to malicious software inadvertently introduced during a\n session that has been granted full privileges.",
 "descriptions": {
- "default": "Without the use of automated mechanisms to scan for security flaws on\n a continuous and/or periodic basis, the operating system or other system\n components may remain vulnerable to the exploits presented by undetected\n software flaws. The operating system may have an integrated solution\n incorporating continuous scanning using HBSS and periodic scanning using other\n tools.",
- "check": "Verify the operating system employs automated mechanisms to\n determine the state of system components with regard to flaw remediation using\n the following frequency: continuously, where HBSS is used; 30 days, for any\n additional internal network scans not covered by HBSS; and annually, for\n external scans by CNDSP.\n\n If it does not, this is a finding.",
- "fix": "Configure the operating system to employ automated mechanisms to\n determine the state of system components with regard to flaw remediation using\n the following frequency: continuously, where HBSS is used; 30 days, for any\n additional internal network scans not covered by HBSS; and annually, for\n external scans by CNDSP." 
+ "default": "Using a privileged account to perform routine functions makes the\n computer vulnerable to malicious software inadvertently introduced during a\n session that has been granted full privileges.",
+ "check": "Verify each user with administrative privileges has been\n assigned a unique administrative account separate from their standard user\n account.\n If users with administrative privileges do not have separate accounts for\n administrative functions and standard user functions, this is a finding.",
+ "fix": "Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties."
 },
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000191-GPOS-00080",
- "gid": "V-73281",
- "rid": "SV-87933r1_rule",
- "stig_id": "WN16-00-000320",
- "fix_id": "F-79725r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-73217",
+ "rid": "SV-87869r1_rule",
+ "stig_id": "WN16-00-000010",
+ "fix_id": "F-79663r1_fix",
 "cci": [
- "CCI-001233"
+ "CCI-000366"
 ],
 "nist": [
- "SI-2 (2)",
+ "CM-6 b",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73281' do\n title \"Windows Server 2016 must employ automated mechanisms to determine the\n state of system components with regard to flaw remediation using the following\n frequency: continuously, where Host Based Security System (HBSS) is used; 30\n days, for any additional internal network scans not covered by HBSS; and\n annually, for external scans by Computer Network Defense Service Provider\n (CNDSP).\"\n desc \"Without the use of automated mechanisms to scan for security flaws on\n a continuous and/or periodic basis, the operating system or other system\n components may remain vulnerable to the exploits presented by undetected\n software flaws. 
The operating system may have an integrated solution\n incorporating continuous scanning using HBSS and periodic scanning using other\n tools.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000191-GPOS-00080'\n tag \"gid\": 'V-73281'\n tag \"rid\": 'SV-87933r1_rule'\n tag \"stig_id\": 'WN16-00-000320'\n tag \"fix_id\": 'F-79725r1_fix'\n tag \"cci\": ['CCI-001233']\n tag \"nist\": ['SI-2 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the operating system employs automated mechanisms to\n determine the state of system components with regard to flaw remediation using\n the following frequency: continuously, where HBSS is used; 30 days, for any\n additional internal network scans not covered by HBSS; and annually, for\n external scans by CNDSP.\n\n If it does not, this is a finding.\"\n desc \"fix\", \"Configure the operating system to employ automated mechanisms to\n determine the state of system components with regard to flaw remediation using\n the following frequency: continuously, where HBSS is used; 30 days, for any\n additional internal network scans not covered by HBSS; and annually, for\n external scans by CNDSP.\"\n describe \"A manual review is required to verify the operating system employs automated mechanisms to determine the\n state of system components with regard to flaw remediation using the following\n frequency: continuously, where HBSS is used; 30 days, for any additional\n internal network scans not covered by HBSS; and annually, for external scans by\n Computer Network Defense Service Provider (CNDSP).\" do\n skip \"A manual review is required to verify the operating system employs automated mechanisms to determine the\n state of system components with regard to flaw remediation using the following\n frequency: continuously, where HBSS is used; 30 days, for any additional\n internal network scans not covered by HBSS; and annually, for external scans by\n Computer Network Defense Service Provider (CNDSP).\"\n end\nend\n", + 
"code": "control 'V-73217' do\n title \"Users with Administrative privileges must have separate accounts for\n administrative duties and normal operational tasks.\"\n desc \"Using a privileged account to perform routine functions makes the\n computer vulnerable to malicious software inadvertently introduced during a\n session that has been granted full privileges.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73217'\n tag \"rid\": 'SV-87869r1_rule'\n tag \"stig_id\": 'WN16-00-000010'\n tag \"fix_id\": 'F-79663r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify each user with administrative privileges has been\n assigned a unique administrative account separate from their standard user\n account.\n If users with administrative privileges do not have separate accounts for\n administrative functions and standard user functions, this is a finding.\"\n desc \"fix\", \"Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.\"\n\n describe \"A manual review is required to verify that each user with administrative privileges has a separate account for user duties and one for privileged duties.\" do\n skip \"A manual review is required to verify that each user with administrative privileges has a separate account for user duties and one for privileged duties.\"\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73281.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73217.rb",
 "line": 1
 },
- "id": "V-73281"
+ "id": "V-73217"
 },
 {
- "title": "User Account Control must only elevate UIAccess applications that are\n installed in secure locations.",
- "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n 
secure location on the file system, such as the Program Files or the\n Windows\\System32 folders, to run with elevated privileges.",
+ "title": "The Deny log on locally user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems and from unauthenticated access on all systems.",
+ "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.",
 "descriptions": {
- "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\System32 folders, to run with elevated privileges.",
- "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n 
Account Control: Only elevate UIAccess applications that are installed in\n secure locations to Enabled."
- },
- "impact": 0.5,
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.",
+ "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n locally user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this.\n\n All Systems:\n - Guests Group",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on locally to include the following:\n\n\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this.\n\n All Systems:\n - Guests group"
+ },
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": 
"SRG-OS-000134-GPOS-00068",
- "gid": "V-73717",
- "rid": "SV-88381r1_rule",
- "stig_id": "WN16-SO-000510",
- "fix_id": "F-80167r1_fix",
+ "gtitle": "SRG-OS-000080-GPOS-00048",
+ "gid": "V-73771",
+ "rid": "SV-88435r1_rule",
+ "stig_id": "WN16-MS-000400",
+ "fix_id": "F-80221r1_fix",
 "cci": [
- "CCI-001084"
+ "CCI-000213"
 ],
 "nist": [
- "SC-3",
+ "AC-3",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73717' do\n title \"User Account Control must only elevate UIAccess applications that are\n installed in secure locations.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\\\System32 folders, to run with elevated privileges.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73717'\n tag \"rid\": 'SV-88381r1_rule'\n tag \"stig_id\": 'WN16-SO-000510'\n tag \"fix_id\": 'F-80167r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Only elevate UIAccess applications that are installed in\n secure locations to 
Enabled.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableSecureUIAPaths' }\n its('EnableSecureUIAPaths') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-73771' do\n title \"The Deny log on locally user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems and from unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73771'\n tag \"rid\": 'SV-88435r1_rule'\n tag \"stig_id\": 'WN16-MS-000400'\n tag \"fix_id\": 'F-80221r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member 
servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n locally user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this.\n\n All Systems:\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on locally to include the following:\n\n\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this.\n\n All Systems:\n - Guests group \"\n\n is_AD_only_system = input('is_AD_only_system')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n elsif is_AD_only_system\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n 
end\n else\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include 'S-1-5-32-546' }\n end\n if domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: enterprise_admin_sid_query).params\n\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n end\n end\nend",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73717.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73771.rb",
 "line": 1
 },
- "id": "V-73717"
+ "id": "V-73771"
 },
 {
- "title": "Windows Server 2016 must be configured to audit Account Logon -\n Credential Validation failures.",
- "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.",
+ "title": "The Create permanent shared objects user right must not be assigned to\n any groups or accounts.",
+ "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create permanent shared objects user right could\n expose sensitive data by creating shared objects.",
 "descriptions": {
- "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.",
- "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt(run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Failure",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings 
>> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> Audit Credential Validation with\n Failure selected."
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create permanent shared objects user right could\n expose sensitive data by creating shared objects.",
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Create permanent shared objects\n user right, this is a finding.",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create permanent shared objects to be defined but containing no entries\n (blank)."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000470-GPOS-00214",
- "gid": "V-73415",
- "rid": "SV-88067r1_rule",
- "stig_id": "WN16-AU-000080",
- "fix_id": "F-79857r1_fix",
+ "gtitle": "SRG-OS-000324-GPOS-00125",
+ "gid": "V-73751",
+ "rid": "SV-88415r1_rule",
+ "stig_id": "WN16-UR-000110",
+ "fix_id": "F-80201r1_fix",
 "cci": [
- "CCI-000172"
+ "CCI-002235"
 ],
 "nist": [
- "AU-12 c",
+ "AC-6 (10)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73415' do\n title \"Windows Server 2016 must be configured to audit Account Logon -\n Credential Validation failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000470-GPOS-00214'\n tag \"gid\": 'V-73415'\n tag \"rid\": 'SV-88067r1_rule'\n tag \"stig_id\": 'WN16-AU-000080'\n tag \"fix_id\": 'F-79857r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt(run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> Audit Credential Validation with\n Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Credential Validation'\") do\n its('stdout') { should match /Credential Validation Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Credential Validation'\") do\n its('stdout') { should match 
/Credential Validation Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73751' do\n title \"The Create permanent shared objects user right must not be assigned to\n any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create permanent shared objects user right could\n expose sensitive data by creating shared objects.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73751'\n tag \"rid\": 'SV-88415r1_rule'\n tag \"stig_id\": 'WN16-UR-000110'\n tag \"fix_id\": 'F-80201r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Create permanent shared objects\n user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create permanent shared objects to be defined but containing no entries\n (blank).\"\n describe security_policy do\n its('SeCreatePermanentPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73415.rb", + "ref": "./Windows 2016 STIG/controls/V-73751.rb", "line": 1 }, - "id": "V-73415" + "id": "V-73751" }, { - "title": "The built-in guest account must be renamed.", - "desc": "The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. 
Renaming this account\n to an unidentified name improves the protection of this account and the system.", + "title": "The Kerberos service ticket maximum lifetime must be limited to 600\n minutes or less.", + "desc": "This setting determines the maximum amount of time (in minutes) that a\n granted session ticket can be used to access a particular service. Session\n tickets are used only to authenticate new connections with servers. Ongoing\n operations are not interrupted if the session ticket used to authenticate the\n connection expires during the connection.", "descriptions": { - "default": "The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Rename guest account is not set to a value other\n than Guest, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Rename guest account to a name other than Guest." + "default": "This setting determines the maximum amount of time (in minutes) that a\n granted session ticket can be used to access a particular service. Session\n tickets are used only to authenticate new connections with servers. Ongoing\n operations are not interrupted if the session ticket used to authenticate the\n connection expires during the connection.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the value for Maximum lifetime for service ticket is 0 or greater\n than 600 minutes, this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for service ticket\n to a maximum of 600 minutes, but not 0, which equates to Ticket\n doesn't expire." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73625", - "rid": "SV-88289r1_rule", - "stig_id": "WN16-SO-000040", - "fix_id": "F-80075r1_fix", + "gtitle": "SRG-OS-000112-GPOS-00057", + "satisfies": [ + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" + ], + "gid": "V-73361", + "rid": "SV-88013r1_rule", + "stig_id": "WN16-DC-000030", + "fix_id": "F-79803r1_fix", "cci": [ - "CCI-000366" + "CCI-001941", + "CCI-001942" ], "nist": [ - "CM-6 b", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73625' do\n title 'The built-in guest account must be renamed.'\n desc \"The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. 
Renaming this account\n to an unidentified name improves the protection of this account and the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73625'\n tag \"rid\": 'SV-88289r1_rule'\n tag \"stig_id\": 'WN16-SO-000040'\n tag \"fix_id\": 'F-80075r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Rename guest account is not set to a value other\n than Guest, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Rename guest account to a name other than Guest.\"\n describe user('Guest') do\n it { should_not exist }\n end\nend\n", + "code": "control 'V-73361' do\n title \"The Kerberos service ticket maximum lifetime must be limited to 600\n minutes or less.\"\n desc \"This setting determines the maximum amount of time (in minutes) that a\n granted session ticket can be used to access a particular service. Session\n tickets are used only to authenticate new connections with servers. Ongoing\n operations are not interrupted if the session ticket used to authenticate the\n connection expires during the connection.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73361'\n tag \"rid\": 'SV-88013r1_rule'\n tag \"stig_id\": 'WN16-DC-000030'\n tag \"fix_id\": 'F-79803r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the value for Maximum lifetime for service ticket is 0 or greater\n than 600 minutes, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for service ticket\n to a maximum of 600 minutes, but not 0, which equates to Ticket\n doesn't expire.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxServiceAge') { should be > 0 }\n end\n describe security_policy do\n its('MaxServiceAge') { should be <= 600 }\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73625.rb", + "ref": "./Windows 2016 STIG/controls/V-73361.rb", "line": 1 }, - "id": "V-73625" + "id": "V-73361" }, { - "title": "The password history must be configured to 24 passwords remembered.", - "desc": "A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change to a\n unique password on a regularly scheduled basis. 
This enables users to\n effectively negate the purpose of mandating periodic password changes. The\n default value is 24 for Windows domain systems. DoD has decided this is the\n appropriate value for all Windows systems.", + "title": "Anonymous access to Named Pipes and Shares must be restricted.", + "desc": "Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in Network access: Named Pipes that can be accessed\n anonymously and Network access: Shares that can be accessed anonymously,\n both of which must be blank under other requirements.", "descriptions": { - "default": "A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change to a\n unique password on a regularly scheduled basis. This enables users to\n effectively negate the purpose of mandating periodic password changes. The\n default value is 24 for Windows domain systems. DoD has decided this is the\n appropriate value for all Windows systems.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Enforce password history is less than 24 passwords\n remembered, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Enforce password history to 24 passwords remembered." + "default": "Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. 
This setting restricts access to\n those defined in Network access: Named Pipes that can be accessed\n anonymously and Network access: Shares that can be accessed anonymously,\n both of which must be blank under other requirements.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Restrict anonymous access to Named Pipes and Shares to\n Enabled." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000077-GPOS-00045", - "gid": "V-73315", - "rid": "SV-87967r1_rule", - "stig_id": "WN16-AC-000040", - "fix_id": "F-79757r1_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-73675", + "rid": "SV-88339r1_rule", + "stig_id": "WN16-SO-000300", + "fix_id": "F-80125r1_fix", "cci": [ - "CCI-000200" + "CCI-001090" ], "nist": [ - "AC-4 (12)", + "SC-4", "Rev_4" ], "documentable": false }, - "code": "control 'V-73315' do\n title 'The password history must be configured to 24 passwords remembered.'\n desc \"A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change to a\n unique password on a regularly scheduled basis. This enables users to\n effectively negate the purpose of mandating periodic password changes. The\n default value is 24 for Windows domain systems. 
DoD has decided this is the\n appropriate value for all Windows systems.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000077-GPOS-00045'\n tag \"gid\": 'V-73315'\n tag \"rid\": 'SV-87967r1_rule'\n tag \"stig_id\": 'WN16-AC-000040'\n tag \"fix_id\": 'F-79757r1_fix'\n tag \"cci\": ['CCI-000200']\n tag \"nist\": ['AC-4 (12)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Enforce password history is less than 24 passwords\n remembered, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Enforce password history to 24 passwords remembered.\"\n describe security_policy do\n its('PasswordHistorySize') { should cmp >= 24 }\n end\nend\n", + "code": "control 'V-73675' do\n title 'Anonymous access to Named Pipes and Shares must be restricted.'\n desc \"Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. 
This setting restricts access to\n those defined in Network access: Named Pipes that can be accessed\n anonymously and Network access: Shares that can be accessed anonymously,\n both of which must be blank under other requirements.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73675'\n tag \"rid\": 'SV-88339r1_rule'\n tag \"stig_id\": 'WN16-SO-000300'\n tag \"fix_id\": 'F-80125r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Restrict anonymous access to Named Pipes and Shares to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters') do\n it { should have_property 'restrictnullsessaccess' }\n its('restrictnullsessaccess') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73315.rb", + "ref": "./Windows 2016 STIG/controls/V-73675.rb", "line": 1 }, - "id": "V-73315" + "id": "V-73675" }, { - "title": "Local volumes must use a format that supports NTFS attributes.", - "desc": "The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. 
To support\n this, volumes must be formatted using a file system that supports NTFS\n attributes.", + "title": "The Deny log on as a service user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems. No other groups or accounts must be assigned this right.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.", "descriptions": { - "default": "The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using a file system that supports NTFS\n attributes.", - "check": "Open Computer Management.\n\n Select Disk Management under Storage.\n\n For each local volume, if the file system does not indicate NTFS, this is a\n finding.\n\n ReFS (resilient file system) is also acceptable and would not be a finding.\n\n This does not apply to system partitions such the Recovery and EFI System\n Partition.", - "fix": "Format volumes to use NTFS or ReFS." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.", + "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n service user right on domain-joined systems, this is a finding.\n\n - Enterprise Admins Group\n - Domain Admins Group\n\n If any accounts or groups are defined for the Deny log on as a service user\n right on non-domain-joined systems, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a service to include the following:\n\n Domain systems:\n - Enterprise Admins group \n - Domain Admins group" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73247", - "rid": "SV-87899r1_rule", - "stig_id": "WN16-00-000150", - "fix_id": "F-79691r1_fix", + "gid": "V-73767", + "rid": "SV-88431r1_rule", + "stig_id": "WN16-MS-000390", + "fix_id": "F-80217r1_fix", "cci": [ "CCI-000213" ], 
@@ -1153,67 +1208,61 @@ ], "documentable": false }, - "code": "control 'V-73247' do\n title 'Local volumes must use a format that supports NTFS attributes.'\n desc \"The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using a file system that supports NTFS\n attributes.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73247'\n tag \"rid\": 'SV-87899r1_rule'\n tag \"stig_id\": 'WN16-00-000150'\n tag \"fix_id\": 'F-79691r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open Computer Management.\n\n Select Disk Management under Storage.\n\n For each local volume, if the file system does not indicate NTFS, this is a\n finding.\n\n ReFS (resilient file system) is also acceptable and would not be a finding.\n\n This does not apply to system partitions such the Recovery and EFI System\n Partition.\"\n desc \"fix\", 'Format volumes to use NTFS or ReFS.'\n volumes = json(command: 'Get-WmiObject -Class Win32_LogicalDisk | Where { $_.DriveType -ne 5 } | Select Name, FileSystem, Description | ConvertTo-JSON').params\n\n if volumes.empty?\n impact 0.0\n describe 'There are no local volumes on this system, therefore this control is not applicable' do\n skip 'There are no local volumes on this system, therefore this control is not applicable'\n end\n else\n if volumes.is_a?(Hash)\n volumes = [JSON.parse(volumes.to_json)]\n end\n volumes.each do |volume|\n describe.one do\n describe \"The filesystem format for the local volume #{volume['Name']}\" do\n subject { volume['FileSystem'] }\n it { should cmp 'NTFS' }\n end\n describe \"The filesystem format for the local volume #{volume['Name']}\" do\n subject { volume['FileSystem'] }\n it { should cmp 'ReFS' }\n end\n end\n end\n end\nend\n", + "code": "control 'V-73767' do\n title \"The Deny log on as a service 
user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems. No other groups or accounts must be assigned this right.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73767'\n tag \"rid\": 'SV-88431r1_rule'\n tag \"stig_id\": 'WN16-MS-000390'\n tag \"fix_id\": 'F-80217r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n service user right on domain-joined systems, this is a finding.\n\n - Enterprise Admins Group\n - Domain Admins Group\n\n If any accounts or groups are defined for the Deny log on as a service user\n right on non-domain-joined systems, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a service to include the following:\n\n Domain systems:\n - Enterprise Admins group \n - Domain Admins group \"\n \n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n elsif domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: enterprise_admin_sid_query).params\n\n 
describe security_policy do\n its('SeDenyServiceLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyServiceLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n else\n describe security_policy do\n its('SeDenyServiceLogonRight') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73247.rb", + "ref": "./Windows 2016 STIG/controls/V-73767.rb", "line": 1 }, - "id": "V-73247" + "id": "V-73767" }, { - "title": "Kerberos user logon restrictions must be enforced.", - "desc": "This policy setting determines whether the Kerberos Key Distribution\n Center (KDC) validates every request for a session ticket against the user\n rights policy of the target computer. The policy is enabled by default, which\n is the most secure setting for validating that access to target resources is\n not circumvented.", + "title": "The Debug programs user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Debug programs user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.", "descriptions": { - "default": "This policy setting determines whether the Kerberos Key Distribution\n Center (KDC) validates every request for a session ticket against the user\n rights policy of the target computer. The policy is enabled by default, which\n is the most secure setting for validating that access to target resources is\n not circumvented.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Enforce user logon restrictions is not set to Enabled, this is a\n finding.", - "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Enforce user logon restrictions to\n Enabled." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Debug programs user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. 
This right is given to Administrators in\n the default configuration.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Debug\n programs user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for application accounts with this user right must be protected as\n highly privileged accounts.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Debug programs to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000112-GPOS-00057", - "satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" - ], - "gid": "V-73359", - "rid": "SV-88011r1_rule", - "stig_id": "WN16-DC-000020", - "fix_id": "F-79801r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73755", + "rid": "SV-88419r1_rule", + "stig_id": "WN16-UR-000130", + "fix_id": "F-80205r1_fix", "cci": [ - "CCI-001941", - "CCI-001942" + "CCI-002235" ], "nist": [ - "IA-2 (8)", - "IA-2 (9)", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73359' do\n title 'Kerberos user logon restrictions must be enforced.'\n desc \"This policy setting determines whether the Kerberos Key Distribution\n Center (KDC) validates every request for a 
session ticket against the user\n rights policy of the target computer. The policy is enabled by default, which\n is the most secure setting for validating that access to target resources is\n not circumvented.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73359'\n tag \"rid\": 'SV-88011r1_rule'\n tag \"stig_id\": 'WN16-DC-000020'\n tag \"fix_id\": 'F-79801r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Enforce user logon restrictions is not set to Enabled, this is a\n finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Enforce user logon restrictions to\n Enabled.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('TicketValidateClient') { should eq 1 }\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n 
end\nend\n", + "code": "control 'V-73755' do\n title \"The Debug programs user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Debug programs user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73755'\n tag \"rid\": 'SV-88419r1_rule'\n tag \"stig_id\": 'WN16-UR-000130'\n tag \"fix_id\": 'F-80205r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Debug\n programs user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for application accounts with this user right must be protected as\n highly privileged accounts.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Debug programs to include only the following accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n 
its('SeDebugPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeDebugPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73359.rb", + "ref": "./Windows 2016 STIG/controls/V-73755.rb", "line": 1 }, - "id": "V-73359" + "id": "V-73755" }, { - "title": "The Access this computer from the network user right must only be\n assigned to the Administrators and Authenticated Users groups on member\n servers.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network user right may\n access resources on the system, and this right must be limited to those\n requiring it.", + "title": "The Deny access to this computer from the network user right on domain\n controllers must be configured to prevent unauthenticated access.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network user right may\n access resources on the system, and this right must be limited to those\n requiring it.", - "check": "This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Access\n this computer from the network user right, this is a finding.\n\n - Administrators\n - Authenticated Users\n\n Systems dedicated to managing Active Directory (AD admin platforms, see V-36436\n in the Active Directory Domain STIG), must only allow Administrators, removing\n the Authenticated Users group.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access this computer from the network to include only the following\n accounts or groups:\n\n - Administrators\n - Authenticated Users\n\n Systems dedicated to managing Active Directory (AD admin platforms, see V-36436\n in the Active Directory Domain STIG), must only allow Administrators, removing\n the Authenticated Users group." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "check": "This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny access to\n this computer from the network user right, this is a finding.\n\n - Guests Group", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny access to this computer from the network to include the following:\n\n - Guests Group" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73733", - "rid": "SV-88397r1_rule", - "stig_id": "WN16-MS-000340", - "fix_id": "F-80183r1_fix", + "gid": "V-73757", + "rid": "SV-88421r1_rule", + "stig_id": "WN16-DC-000370", + "fix_id": "F-80207r1_fix", "cci": [ "CCI-000213" ], 
@@ -1223,170 +1272,163 @@ ], "documentable": false }, - "code": "control 'V-73733' do\n title \"The Access this computer from the network user right must only be\n assigned to the Administrators and Authenticated Users groups on member\n servers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network user right may\n access resources on the system, and this right must be limited to those\n requiring it.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73733'\n tag \"rid\": 'SV-88397r1_rule'\n tag \"stig_id\": 'WN16-MS-000340'\n tag \"fix_id\": 'F-80183r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Access\n this computer from the network user right, this is a finding.\n\n - Administrators\n - Authenticated Users\n\n Systems dedicated to managing Active Directory (AD admin platforms, see V-36436\n in the Active Directory Domain STIG), must only allow Administrators, removing\n the Authenticated Users group.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value 
for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access this computer from the network to include only the following\n accounts or groups:\n\n - Administrators\n - Authenticated Users\n\n Systems dedicated to managing Active Directory (AD admin platforms, see V-36436\n in the Active Directory Domain STIG), must only allow Administrators, removing\n the Authenticated Users group.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if !(domain_role == '4') && !(domain_role == '5')\n describe.one do\n describe security_policy do\n its('SeNetworkLogonRight') { should be_in ['S-1-5-11', 'S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeNetworkLogonRight') { should eq [] }\n end\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n end\nend\n", + "code": "control 'V-73757' do\n title \"The Deny access to this computer from the network user right on domain\n controllers must be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73757'\n tag \"rid\": 'SV-88421r1_rule'\n tag \"stig_id\": 'WN16-DC-000370'\n tag \"fix_id\": 'F-80207r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag 
\"documentable\": false\n desc \"check\", \"This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny access to\n this computer from the network user right, this is a finding.\n\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny access to this computer from the network to include the following:\n\n - Guests Group\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should eq ['S-1-5-32-546'] }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73733.rb", + "ref": "./Windows 2016 STIG/controls/V-73757.rb", "line": 1 }, - "id": "V-73733" + "id": "V-73757" }, { - "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Logon\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", + "title": "The required legal notice must be configured to display before console\n logon.", + "desc": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. 
If it is to a network share, it is recorded on the system\n accessed.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logon with Success selected." + "default": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value: See message text below\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Message text for users attempting to log on to the\n following:\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000032-GPOS-00013", + "gtitle": "SRG-OS-000023-GPOS-00006", "satisfies": [ - "SRG-OS-000032-GPOS-00013", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000472-GPOS-00217", - "SRG-OS-000473-GPOS-00218", - "SRG-OS-000475-GPOS-00220" + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000024-GPOS-00007", + "SRG-OS-000228-GPOS-00088" ], - "gid": "V-73451", - "rid": "SV-88103r1_rule", - "stig_id": "WN16-AU-000260", - "fix_id": "F-79893r1_fix", + "gid": "V-73647", + "rid": "SV-88311r2_rule", + "stig_id": "WN16-SO-000150", + "fix_id": "F-80097r2_fix", "cci": [ - "CCI-000067", - "CCI-000172" + "CCI-000048", + "CCI-000050", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" ], "nist": [ - "AC-17 (1)", - "AU-12 c", - "Rev_4" - ], + "AC-8 a", + "AC-8 b", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 3", + "Rev_4" + ], "documentable": false }, - "code": "control 'V-73451' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Logon\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. 
If it is to a network share, it is recorded on the system\n accessed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000032-GPOS-00013'\n tag \"satisfies\": ['SRG-OS-000032-GPOS-00013', 'SRG-OS-000470-GPOS-00214',\n 'SRG-OS-000472-GPOS-00217', 'SRG-OS-000473-GPOS-00218',\n 'SRG-OS-000475-GPOS-00220']\n tag \"gid\": 'V-73451'\n tag \"rid\": 'SV-88103r1_rule'\n tag \"stig_id\": 'WN16-AU-000260'\n tag \"fix_id\": 'F-79893r1_fix'\n tag \"cci\": ['CCI-000067', 'CCI-000172']\n tag \"nist\": ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logon with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /subcategory:Logon | Findstr /c:'Logon' | Findstr /v 'Logoff'\") do\n its('stdout') { should match /\\s+Logon Success/ }\n end\n describe command(\"AuditPol /get /subcategory:Logon | Findstr /c:'Logon' | Findstr /v 'Logoff'\") do\n its('stdout') { should match /\\s+Logon Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73647' do\n title \"The required legal notice must be configured to display 
before console\n logon.\"\n desc \"Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"satisfies\": ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007',\n 'SRG-OS-000228-GPOS-00088']\n tag \"gid\": 'V-73647'\n tag \"rid\": 'SV-88311r2_rule'\n tag \"stig_id\": 'WN16-SO-000150'\n tag \"fix_id\": 'F-80097r2_fix'\n tag \"cci\": ['CCI-000048', 'CCI-000050', 'CCI-001384', 'CCI-001385',\n 'CCI-001386', 'CCI-001387', 'CCI-001388']\n tag \"nist\": ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value: See message text below\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Message text for users attempting to log on to the\n following:\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. 
See User\n Agreement for details.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LegalNoticeText' }\n end\n\n key = registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System').LegalNoticeText.to_s\n\n k = key.gsub(\"\\u0000\", '')\n legal_notice_text = attribute('legal_notice_text')\n\n describe 'The required legal notice text' do\n subject { k.scan(/[\\w().;,!]/).join }\n it {should cmp legal_notice_text.scan(/[\\w().;,!]/).join }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73451.rb", - "line": 1 + "ref": "./Windows 2016 STIG/controls/V-73647.rb", + "line": 2 }, - "id": "V-73451" + "id": "V-73647" }, { - "title": "Event Viewer must be protected from unauthorized modification and\n deletion.", - "desc": "Protecting audit information also includes identifying and protecting\n the tools used to view and manipulate log data. Therefore, protecting audit\n tools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\n leverage user permissions and roles identifying the user accessing the tools\n and the corresponding rights the user enjoys in order to make access decisions\n regarding the modification or deletion of audit tools.", + "title": "The Allow log on through Remote Desktop Services user right must only\n be assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on through Remote Desktop Services user\n right can access a system through Remote Desktop.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting\n the tools used to view and manipulate log data. 
Therefore, protecting audit\n tools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\n leverage user permissions and roles identifying the user accessing the tools\n and the corresponding rights the user enjoys in order to make access decisions\n regarding the modification or deletion of audit tools.", - "check": "Navigate to %SystemRoot%\\System32.\n\n View the permissions on Eventvwr.exe.\n\n If any groups or accounts other than TrustedInstaller have Full control or\n Modify permissions, this is a finding.\n\n The default permissions below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\n APPLICATION PACKAGES - Read & Execute", - "fix": "Configure the permissions on the Eventvwr.exe file to prevent\n modification by any groups or accounts other than TrustedInstaller. The default\n permissions listed below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\n APPLICATION PACKAGES - Read & Execute\n\n The default location is the %SystemRoot%\\ System32 folder." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on through Remote Desktop Services user\n right can access a system through Remote Desktop.", + "check": "This applies to domain controllers, it is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Allow log\n on through Remote Desktop Services user right, this is a finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Allow log on through Remote Desktop Services to include only the following\n accounts or groups:\n\n - Administrators" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000257-GPOS-00098", - "satisfies": [ - "SRG-OS-000257-GPOS-00098", - "SRG-OS-000258-GPOS-00099" - ], - "gid": "V-73411", - "rid": "SV-88063r1_rule", - "stig_id": "WN16-AU-000060", - "fix_id": "F-79853r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73741", + "rid": "SV-88405r1_rule", + "stig_id": "WN16-DC-000360", + "fix_id": "F-80191r1_fix", "cci": [ - "CCI-001494", - "CCI-001495" + "CCI-000213" ], "nist": [ - "AU-9", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73411' do\n title \"Event Viewer must be protected from unauthorized modification and\n deletion.\"\n desc \"Protecting audit information also includes identifying and protecting\n the tools used to view and manipulate log data. 
Therefore, protecting audit\n tools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\n leverage user permissions and roles identifying the user accessing the tools\n and the corresponding rights the user enjoys in order to make access decisions\n regarding the modification or deletion of audit tools.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000257-GPOS-00098'\n tag \"satisfies\": ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000258-GPOS-00099']\n tag \"gid\": 'V-73411'\n tag \"rid\": 'SV-88063r1_rule'\n tag \"stig_id\": 'WN16-AU-000060'\n tag \"fix_id\": 'F-79853r1_fix'\n tag \"cci\": ['CCI-001494', 'CCI-001495']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Navigate to %SystemRoot%\\\\System32.\n\n View the permissions on Eventvwr.exe.\n\n If any groups or accounts other than TrustedInstaller have Full control or\n Modify permissions, this is a finding.\n\n The default permissions below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\n APPLICATION PACKAGES - Read & Execute\"\n desc \"fix\", \"Configure the permissions on the Eventvwr.exe file to prevent\n modification by any groups or accounts other than TrustedInstaller. 
The default\n permissions listed below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\n APPLICATION PACKAGES - Read & Execute\n\n The default location is the %SystemRoot%\\\\ System32 folder.\"\n\n system_root = command('$env:SystemRoot').stdout.strip\n\n describe.one do\n describe file(\"#{system_root}\\\\System32\\\\eventvwr.exe\") do\n it { should be_allowed('read', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('read', by_user: 'BUILTIN\\\\Administrators') }\n it { should be_allowed('read', by_user: 'BUILTIN\\\\Users') }\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\TrustedInstaller') }\n it { should be_allowed('read', by_user: 'APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES') }\n end\n\n describe file(\"#{system_root}\\\\System32\\\\eventvwr.exe\") do\n it { should be_allowed('read', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('read', by_user: 'BUILTIN\\\\Administrators') }\n it { should be_allowed('read', by_user: 'BUILTIN\\\\Users') }\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\TrustedInstaller') }\n it { should be_allowed('read', by_user: 'APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES') }\n it { should be_allowed('read', by_user: 'APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\\\\ALL APPLICATION PACKAGES') }\n end\n end\nend\n", + "code": "control 'V-73741' do\n title \"The Allow log on through Remote Desktop Services user right must only\n be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on through Remote Desktop Services user\n right can access a system through Remote Desktop.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73741'\n tag \"rid\": 'SV-88405r1_rule'\n tag 
\"stig_id\": 'WN16-DC-000360'\n tag \"fix_id\": 'F-80191r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers, it is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Allow log\n on through Remote Desktop Services user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Allow log on through Remote Desktop Services to include only the following\n accounts or groups:\n\n - Administrators\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeRemoteInteractiveLogonRight') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeRemoteInteractiveLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73411.rb", + "ref": "./Windows 2016 STIG/controls/V-73741.rb", "line": 1 }, - "id": "V-73411" + "id": "V-73741" }, { - "title": "The Active Directory Infrastructure object must be configured with\n proper audit settings.", - "desc": "When inappropriate audit settings are 
configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Infrastructure object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "title": "Kerberos encryption types must be configured to prevent the use of DES\n and RC4 encryption suites.", + "desc": "Certain encryption types are no longer considered secure. The DES and\n RC4 encryption suites must not be used for Kerberos encryption.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Infrastructure object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for Infrastructure object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the Infrastructure object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Infrastructure object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\n Change infrastructure master)\n\n Two instances with the following summary information will be listed.\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)", - "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the Infrastructure object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Infrastructure object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\n Change infrastructure master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)" + "default": "Certain encryption types are no longer considered secure. 
The DES and\n RC4 encryption suites must not be used for Kerberos encryption.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Configure encryption types allowed for Kerberos to\n Enabled with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73393", - "rid": "SV-88045r1_rule", - "stig_id": "WN16-DC-000190", - "fix_id": "F-79835r1_fix", + "gtitle": "SRG-OS-000120-GPOS-00061", + "gid": "V-73685", + "rid": "SV-88349r1_rule", + "stig_id": "WN16-SO-000350", + "fix_id": "F-80135r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000803" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "IA-7", "Rev_4" ], "documentable": false }, - "code": "control 'V-73393' do\n title \"The Active Directory Infrastructure object must be configured with\n proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Infrastructure object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73393'\n tag \"rid\": 'SV-88045r1_rule'\n tag \"stig_id\": 'WN16-DC-000190'\n tag \"fix_id\": 'F-79835r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for Infrastructure object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the Infrastructure object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Infrastructure object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\n Change infrastructure master)\n\n Two instances with the following summary information will be listed.\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the Infrastructure object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Infrastructure object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\n Change infrastructure master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=Infrastructure,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['IsInherited']) { should cmp \"False\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, ExtendedRight\" }\n its(['IsInherited']) { should cmp \"False\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n 
its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['IsInherited']) { should cmp \"True\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73685' do\n title \"Kerberos encryption types must be configured to prevent the use of DES\n and RC4 encryption suites.\"\n desc \"Certain encryption types are no longer considered secure. The DES and\n RC4 encryption suites must not be used for Kerberos encryption.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000120-GPOS-00061'\n tag \"gid\": 'V-73685'\n tag \"rid\": 'SV-88349r1_rule'\n tag \"stig_id\": 'WN16-SO-000350'\n tag \"fix_id\": 'F-80135r1_fix'\n tag \"cci\": ['CCI-000803']\n tag \"nist\": ['IA-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Configure encryption types allowed for Kerberos to\n Enabled with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters') do\n it { should have_property 'SupportedEncryptionTypes' }\n 
its('SupportedEncryptionTypes') { should cmp 2_147_483_640 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73393.rb", + "ref": "./Windows 2016 STIG/controls/V-73685.rb", "line": 1 }, - "id": "V-73393" + "id": "V-73685" }, { - "title": "Windows Server 2016 must be configured to force users to log off when\n their allowed logon hours expire.", - "desc": "Limiting logon hours can help protect data by allowing access only\n during specified times. This setting controls whether users are forced to log\n off when their allowed logon hours expire. If logon hours are set for users,\n this must be enforced.", + "title": "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be\n maintained.", + "desc": "The registry is integral to the function, security, and stability of\n the Windows system. Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.", "descriptions": { - "default": "Limiting logon hours can help protect data by allowing access only\n during specified times. This setting controls whether users are forced to log\n off when their allowed logon hours expire. If logon hours are set for users,\n this must be enforced.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Network security: Force logoff when logon hours expire is\n not set to Enabled, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Force logoff when logon hours expire to Enabled." + "default": "The registry is integral to the function, security, and stability of\n the Windows system. 
Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.", + "check": "Review the registry permissions for the keys of the\n HKEY_LOCAL_MACHINE hive noted below.\n\n If any non-privileged groups such as Everyone, Users, or Authenticated Users\n have greater than Read permission, this is a finding.\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Run Regedit.\n\n Right-click on the registry areas noted below.\n\n Select Permissions... and the Advanced button.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other examples under the noted keys may also be sampled. 
There may be some\n instances where non-privileged groups have greater than Read permission.\n\n If the defaults have not been changed, these are not a finding.", + "fix": "Maintain the default permissions for the HKEY_LOCAL_MACHINE\n registry hive.\n\n The default permissions of the higher-level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000163-GPOS-00072", - "gid": "V-73689", - "rid": "SV-88353r1_rule", - "stig_id": "WN16-SO-000370", - "fix_id": "F-80139r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73255", + "rid": "SV-87907r1_rule", + "stig_id": "WN16-00-000190", + "fix_id": "F-79699r1_fix", "cci": [ - "CCI-001133" + "CCI-002235" ], "nist": [ - "SC-10", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73689' do\n title \"Windows Server 2016 must be configured to force users to log off when\n their allowed logon hours expire.\"\n desc \"Limiting logon hours can help protect data by allowing access only\n during specified times. 
This setting controls whether users are forced to log\n off when their allowed logon hours expire. If logon hours are set for users,\n this must be enforced.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000163-GPOS-00072'\n tag \"gid\": 'V-73689'\n tag \"rid\": 'SV-88353r1_rule'\n tag \"stig_id\": 'WN16-SO-000370'\n tag \"fix_id\": 'F-80139r1_fix'\n tag \"cci\": ['CCI-001133']\n tag \"nist\": ['SC-10', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Network security: Force logoff when logon hours expire is\n not set to Enabled, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Force logoff when logon hours expire to Enabled.\"\n describe security_policy do\n its('ForceLogoffWhenHourExpire') { should eq 1 }\n end\nend\n", + "code": "control 'V-73255' do\n title \"Default permissions for the HKEY_LOCAL_MACHINE registry hive must be\n maintained.\"\n desc \"The registry is integral to the function, security, and stability of\n the Windows system. 
Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73255'\n tag \"rid\": 'SV-87907r1_rule'\n tag \"stig_id\": 'WN16-00-000190'\n tag \"fix_id\": 'F-79699r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the registry permissions for the keys of the\n HKEY_LOCAL_MACHINE hive noted below.\n\n If any non-privileged groups such as Everyone, Users, or Authenticated Users\n have greater than Read permission, this is a finding.\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Run Regedit.\n\n Right-click on the registry areas noted below.\n\n Select Permissions... and the Advanced button.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other examples under the noted keys may also be sampled. 
There may be some\n instances where non-privileged groups have greater than Read permission.\n\n If the defaults have not been changed, these are not a finding.\"\n desc \"fix\", \"Maintain the default permissions for the HKEY_LOCAL_MACHINE\n registry hive.\n\n The default permissions of the higher-level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\"\n\n paths = [\n \"HKLM:\\\\\\\\Security\",\n \"HKLM:\\\\\\\\Software\",\n \"HKLM:\\\\\\\\System\"\n ]\n\n paths.each do |path|\n if path == \"HKLM:\\\\\\\\Security\"\n acl_rules = json(command: \"[Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('Security', 'Default', 'ReadPermissions').GetAccessControl().access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n 
its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadPermissions, ChangePermissions\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n else\n acl_rules = json(command: \"(Get-ACL -Path '#{path}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n if path == \"HKLM:\\\\\\\\Software\"\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { 
acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadKey\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadKey\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n elsif path == \"HKLM:\\\\\\\\System\"\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe 
\"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadKey\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe 
\"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadKey\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"-2147483648\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n end\n end\n end\nend \n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73689.rb", + "ref": "./Windows 2016 STIG/controls/V-73255.rb", "line": 1 }, - "id": "V-73689" + "id": "V-73255" }, { - "title": "Windows Server 2016 must be configured to audit Policy Change - Audit\n Policy Change failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as 
well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", + "title": "Windows Server 2016 must be configured to audit Policy Change -\n Authorization Policy Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Audit Policy Change with\n Failure selected." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Authorization Policy Change with\n Success selected." }, "impact": 0.5, "refs": [], @@ -1394,14 +1436,14 @@ "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000466-GPOS-00210" ], - "gid": "V-73463", - "rid": "SV-88115r1_rule", - "stig_id": "WN16-AU-000320", - "fix_id": "F-79905r1_fix", + "gid": "V-73467", + "rid": "SV-88119r1_rule", + "stig_id": "WN16-AU-000340", + "fix_id": "F-79909r1_fix", "cci": [ "CCI-000172", "CCI-002234" 
@@ -1413,52 +1455,84 @@ ], "documentable": false }, - "code": "control 'V-73463' do\n title \"Windows Server 2016 must be configured to audit Policy Change - Audit\n Policy Change failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73463'\n tag \"rid\": 'SV-88115r1_rule'\n tag \"stig_id\": 'WN16-AU-000320'\n tag \"fix_id\": 'F-79905r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Audit Policy 
Change with\n Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Audit Policy Change'\") do\n its('stdout') { should match /Audit Policy Change Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Audit Policy Change'\") do\n its('stdout') { should match /Audit Policy Change Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73467' do\n title \"Windows Server 2016 must be configured to audit Policy Change -\n Authorization Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\n rights, such as Create a token object.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73467'\n tag \"rid\": 'SV-88119r1_rule'\n tag \"stig_id\": 'WN16-AU-000340'\n tag \"fix_id\": 'F-79909r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be 
effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Authorization Policy Change with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Authorization Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authorization Policy Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Authorization Policy Change'\") do\n its('stdout') { should match /Authorization Policy Change Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Authorization Policy Change'\") do\n its('stdout') { should match /Authorization Policy Change Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73463.rb", + "ref": "./Windows 2016 STIG/controls/V-73467.rb", "line": 1 }, - "id": "V-73463" + "id": "V-73467" }, { - "title": "Windows Server 2016 must automatically remove or disable temporary\n user accounts after 72 hours.", - "desc": "If temporary user accounts remain active when no longer needed or for\n an excessive period, these accounts may be used to gain unauthorized access. 
To\n mitigate this risk, automated termination of all temporary accounts must be set\n upon account creation.\n\n Temporary accounts are established as part of normal account activation\n procedures when there is a need for short-term accounts without the demand for\n immediacy in account activation.\n\n If temporary accounts are used, the operating system must be configured to\n automatically terminate these types of accounts after a DoD-defined time period\n of 72 hours.\n\n To address access requirements, many operating systems may be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.", + "title": "The Deny log on as a service user right must be configured to include\n no accounts or groups (blank) on domain controllers.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\n a denial of service.", "descriptions": { - "default": "If temporary user accounts remain active when no longer needed or for\n an excessive period, these accounts may be used to gain unauthorized access. 
To\n mitigate this risk, automated termination of all temporary accounts must be set\n upon account creation.\n\n Temporary accounts are established as part of normal account activation\n procedures when there is a need for short-term accounts without the demand for\n immediacy in account activation.\n\n If temporary accounts are used, the operating system must be configured to\n automatically terminate these types of accounts after a DoD-defined time period\n of 72 hours.\n\n To address access requirements, many operating systems may be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.", - "check": "Review temporary user accounts for expiration dates.\n\n Determine if temporary user accounts are used and identify any that exist. If\n none exist, this is NA.\n\n Domain Controllers:\n\n Open PowerShell.\n\n Enter Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate.\n\n If AccountExpirationDate has not been defined within 72 hours for any\n temporary user account, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Run Net user [username], where [username] is the name of the temporary user\n account.\n\n If Account expires has not been defined within 72 hours for any temporary\n user account, this is a finding.", - "fix": "Configure temporary user accounts to automatically expire within\n 72 hours.\n\n Domain accounts can be configured with an account expiration date, under\n Account properties.\n \n Local accounts can be configured to expire with the command Net user\n [username] /expires:[mm/dd/yyyy], where username is the name of the temporary\n user account.\n\n Delete any temporary user accounts that are no longer necessary." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\n a denial of service.", + "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are defined for the Deny log on as a service user\n right, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a service to include no entries (blank)." }, "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000002-GPOS-00002", - "gid": "V-73283", - "rid": "SV-87935r1_rule", - "stig_id": "WN16-00-000330", - "fix_id": "F-79727r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73765", + "rid": "SV-88429r1_rule", + "stig_id": "WN16-DC-000390", + "fix_id": "F-80215r1_fix", "cci": [ - "CCI-000016" + "CCI-000213" ], "nist": [ - "AC-2 (2)", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73283' do\n title \"Windows Server 2016 must automatically remove or disable temporary\n user accounts after 72 hours.\"\n desc \"If temporary user accounts remain active when no longer needed or for\n an excessive period, these accounts may be used to gain unauthorized access. 
To\n mitigate this risk, automated termination of all temporary accounts must be set\n upon account creation.\n\n Temporary accounts are established as part of normal account activation\n procedures when there is a need for short-term accounts without the demand for\n immediacy in account activation.\n\n If temporary accounts are used, the operating system must be configured to\n automatically terminate these types of accounts after a DoD-defined time period\n of 72 hours.\n\n To address access requirements, many operating systems may be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000002-GPOS-00002'\n tag \"gid\": 'V-73283'\n tag \"rid\": 'SV-87935r1_rule'\n tag \"stig_id\": 'WN16-00-000330'\n tag \"fix_id\": 'F-79727r1_fix'\n tag \"cci\": ['CCI-000016']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review temporary user accounts for expiration dates.\n\n Determine if temporary user accounts are used and identify any that exist. 
If\n none exist, this is NA.\n\n Domain Controllers:\n\n Open PowerShell.\n\n Enter Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate.\n\n If AccountExpirationDate has not been defined within 72 hours for any\n temporary user account, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Run Net user [username], where [username] is the name of the temporary user\n account.\n\n If Account expires has not been defined within 72 hours for any temporary\n user account, this is a finding.\"\n desc \"fix\", \"Configure temporary user accounts to automatically expire within\n 72 hours.\n\n Domain accounts can be configured with an account expiration date, under\n Account properties.\n \n Local accounts can be configured to expire with the command Net user\n [username] /expires:[mm/dd/yyyy], where username is the name of the temporary\n user account.\n\n Delete any temporary user accounts that are no longer necessary.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n temp_accounts_list = input('temporary_accounts')\n temp_accounts_data = []\n \n if temp_accounts_list == [nil]\n impact 0.0\n describe 'This control is not applicable as no temporary accounts were listed as an input' do\n skip 'This control is not applicable as no temporary accounts were listed as an input'\n end\n else\n if domain_role == '4' || domain_role == '5'\n temp_accounts_list.each do |temporary_account|\n temp_accounts_data << json({ command: \"Get-ADUser -Identity #{temporary_account} -Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\"}).params\n end\n if temp_accounts_data.empty?\n impact 0.0\n describe 'This control is not applicable as account information was not found 
for the listed temporary accounts' do\n skip 'This control is not applicable as account information was not found for the listed temporary accounts'\n end\n else\n temp_accounts_data.each do |temp_account|\n account_name = temp_account.fetch(\"SamAccountName\")\n if temp_account.fetch(\"WhenCreated\") == nil\n describe \"#{account_name} account's creation date\" do\n subject { temp_account.fetch(\"WhenCreated\") }\n it { should_not eq nil}\n end\n elsif temp_account.fetch(\"AccountExpirationDate\") == nil\n describe \"#{account_name} account's expiration date\" do\n subject { temp_account.fetch(\"AccountExpirationDate\") }\n it { should_not eq nil}\n end\n else\n creation_date = Date.parse(temp_account.fetch(\"WhenCreated\"))\n expiration_date = Date.parse(temp_account.fetch(\"AccountExpirationDate\"))\n date_difference = expiration_date.mjd - creation_date.mjd\n describe \"Account expiration set for #{account_name}\" do\n subject { date_difference }\n it { should cmp <= input('temporary_account_period')}\n end\n end\n end\n end\n\n else\n temp_accounts_list.each do |temporary_account|\n temp_accounts_data << json({ command: \"Get-LocalUser -Name #{temporary_account} | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\"}).params\n end\n if temp_accounts_data.empty?\n impact 0.0\n describe 'This control is not applicable as account information was not found for the listed temporary accounts' do\n skip 'This control is not applicable as account information was not found for the listed temporary accounts'\n end\n else\n temp_accounts_data.each do |temp_account|\n user_name = temp_account.fetch(\"Name\")\n if temp_account.fetch(\"PasswordLastSet\") == nil\n describe \"#{user_name} account's password last set date\" do\n subject { temp_account.fetch(\"PasswordLastSet\") }\n it { should_not eq nil}\n end\n elsif 
temp_account.fetch(\"AccountExpires\") == nil\n describe \"#{user_name} account's expiration date\" do\n subject { temp_account.fetch(\"AccountExpires\") }\n it { should_not eq nil}\n end\n else\n password_date = Date.parse(temp_account.fetch(\"PasswordLastSet\"))\n expiration_date = Date.parse(temp_account.fetch(\"AccountExpires\"))\n date_difference = expiration_date.mjd - password_date.mjd\n describe \"Account expiration set for #{user_name}\" do\n subject { date_difference }\n it { should cmp <= input('temporary_account_period')}\n end\n end\n end\n end\n end\n end\nend", + "code": "control 'V-73765' do\n title \"The Deny log on as a service user right must be configured to include\n no accounts or groups (blank) on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\n a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73765'\n tag \"rid\": 'SV-88429r1_rule'\n tag \"stig_id\": 'WN16-DC-000390'\n tag \"fix_id\": 'F-80215r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are defined for the Deny log on as a service user\n right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a service to include no entries (blank).\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyServiceLogonRight') { should eq [] }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73283.rb", + "ref": "./Windows 2016 STIG/controls/V-73765.rb", "line": 1 }, - "id": "V-73283" + "id": "V-73765" }, { - "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Account\n Lockout successes.", + "title": "The Create global objects user right must only be assigned to\n Administrators, Service, Local Service, and Network Service.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create global objects user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.", + "descriptions": { + "default": "Inappropriate granting of user rights 
can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create global objects user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create\n global objects user right, this is a finding.\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create global objects to include only the following accounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73749", + "rid": "SV-88413r1_rule", + "stig_id": "WN16-UR-000100", + "fix_id": "F-80199r1_fix", + "cci": [ + "CCI-002235" + ], + "nist": [ + "AC-6 (10)", + "Rev_4" + ], + "documentable": false + }, + "code": "control 'V-73749' do\n title \"The Create global objects user right must only be assigned to\n Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create global 
objects user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73749'\n tag \"rid\": 'SV-88413r1_rule'\n tag \"stig_id\": 'WN16-UR-000100'\n tag \"fix_id\": 'F-80199r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create\n global objects user right, this is a finding.\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create global objects to include only the following accounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\"\n describe.one do\n describe security_policy do\n its('SeCreateGlobalPrivilege') { should be_in ['S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'] }\n end\n describe security_policy do\n its('SeCreateGlobalPrivilege') { should eq [] }\n end\n end\nend\n", + "source_location": { + "ref": "./Windows 2016 STIG/controls/V-73749.rb", + "line": 1 + }, + "id": "V-73749" + }, + { + "title": "Windows Server 2016 must be configured to 
audit Logon/Logoff - Account\n Lockout failures.", "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", "descriptions": { "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Account Lockout with Success selected." 
+ "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following. If the system does not audit\n the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Account Lockout with Failure selected." }, "impact": 0.5, "refs": [], @@ -1468,10 +1542,10 @@ "SRG-OS-000240-GPOS-00090", "SRG-OS-000470-GPOS-00214" ], - "gid": "V-73443", - "rid": "SV-88095r2_rule", - "stig_id": "WN16-AU-000220", - "fix_id": "F-79885r1_fix", + "gid": "V-73445", + "rid": "SV-88097r2_rule", + "stig_id": "WN16-AU-000230", + "fix_id": "F-79887r1_fix", "cci": [ "CCI-000172", "CCI-001404" 
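Review bot: The new V-73765 entry records `"impact": 0,` while its embedded `code` string declares `impact 0.5` and only lowers it to `impact 0.0` at runtime when `domain_role` is neither '4' nor '5'; the committed baseline therefore carries the not-applicable severity of whatever non-domain-controller host produced it, so a domain controller whose `SeDenyServiceLogonRight` check fails would be compared against a baseline that treats the control as N/A. The removed V-73283 showed the same `impact 0.5`-in-code versus `"impact": 0`-in-JSON mismatch, which suggests this baseline is generated from an evaluation run rather than from the profile's declared metadata; I would correct this entry to `"impact": 0.5,` and keep runtime-derived impact values out of the baseline so severity comparisons reflect the STIG's rating. Separately, in the added V-73749 control the second `describe.one` branch, `its('SeCreateGlobalPrivilege') { should eq [] }`, looks redundant because an empty array already satisfies `be_in` in InSpec's array handling — worth confirming against the InSpec version in use before removing it. The three control `code` strings in this hunk are complete, but the enclosing `controls` array begins and ends outside it.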
@@ -1483,22 +1557,22 @@
 ],
 "documentable": false
 },
- "code": "control 'V-73443' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Account\n Lockout successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000240-GPOS-00090'\n tag \"satisfies\": ['SRG-OS-000240-GPOS-00090', 'SRG-OS-000470-GPOS-00214']\n tag \"gid\": 'V-73443'\n tag \"rid\": 'SV-88095r2_rule'\n tag \"stig_id\": 'WN16-AU-000220'\n tag \"fix_id\": 'F-79885r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-001404']\n tag \"nist\": ['AU-12 c', 'AC-2 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Account Lockout with Success selected.\"\n describe.one do\n describe audit_policy do\n
its('Account Lockout') { should eq 'Success and Failure' }\n end\n describe audit_policy do\n its('Account Lockout') { should eq 'Success' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\") do\n its('stdout') { should match /Account Lockout Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\") do\n its('stdout') { should match /Account Lockout Success and Failure/ }\n end\n end\nend\n",
+ "code": "control 'V-73445' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Account\n Lockout failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000240-GPOS-00090'\n tag \"satisfies\": ['SRG-OS-000240-GPOS-00090', 'SRG-OS-000470-GPOS-00214']\n tag \"gid\": 'V-73445'\n tag \"rid\": 'SV-88097r2_rule'\n tag \"stig_id\": 'WN16-AU-000230'\n tag \"fix_id\": 'F-79887r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-001404']\n tag \"nist\": ['AU-12 c', 'AC-2 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol
settings with the following. If the system does not audit\n the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Account Lockout with Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Account Lockout') { should eq 'Success and Failure' }\n end\n describe audit_policy do\n its('Account Lockout') { should eq 'Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\") do\n its('stdout') { should match /Account Lockout Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\") do\n its('stdout') { should match /Account Lockout Success and Failure/ }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73443.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73445.rb",
 "line": 1
 },
- "id": "V-73443"
+ "id": "V-73445"
 },
 {
- "title": "Windows Server 2016 must be configured to audit DS Access - Directory\n Service Access successes.",
- "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks.
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.",
+ "title": "Windows Server 2016 must be configured to audit System - Other System\n Events failures.",
+ "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.",
 "descriptions": {
- "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.",
- "check": "This applies to domain controllers.
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Success",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Access with Success\n selected."
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks.
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.",
+ "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Failure",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n System >> Audit Other System Events with Failure selected."
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-000327-GPOS-00127",
@@ -1508,10 +1582,10 @@
 "SRG-OS-000463-GPOS-00207",
 "SRG-OS-000468-GPOS-00212"
 ],
- "gid": "V-73435",
- "rid": "SV-88087r1_rule",
- "stig_id": "WN16-DC-000240",
- "fix_id": "F-79877r1_fix",
+ "gid": "V-73479",
+ "rid": "SV-88131r2_rule",
+ "stig_id": "WN16-AU-000400",
+ "fix_id": "F-79921r1_fix",
 "cci": [
 "CCI-000172",
 "CCI-002234"
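Review bot: The two `command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\")` fallbacks in the new V-73445 `code` string cannot pass, and V-73479's `code` in the hunk at `@@ -1523,52 +1597,52 @@` repeats the pattern with 'Other System Events'. AuditPol pads the Setting column with a run of spaces in its normal tabular output, so `/Account Lockout Failure/` with a single space does not match it, and cmd.exe does not treat single quotes as quoting, so `/c:'Account Lockout'` searches for the literal `'Account`; either way only the `audit_policy` branches of `describe.one` ever decide the result. If the fallbacks are meant to stay, `Findstr /c:\"Account Lockout\"` (escaped for the Ruby string) together with `/Account Lockout\s+Failure/` would make them live; otherwise dropping them saves two subprocess calls per run and removes a branch that silently never contributes.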
@@ -1523,52 +1597,52 @@
 ],
 "documentable": false
 },
- "code": "control 'V-73435' do\n title \"Windows Server 2016 must be configured to audit DS Access - Directory\n Service Access successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73435'\n tag \"rid\": 'SV-88087r1_rule'\n tag \"stig_id\": 'WN16-DC-000240'\n tag \"fix_id\": 'F-79877r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers.
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Access with Success\n selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success' }\n end\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Access'\") do\n its('stdout') { should match /Directory Service Access Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Access'\") do\n its('stdout') { should match /Directory Service Access Success and Failure/ }\n end\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n",
+ "code": "control 'V-73479' do\n title \"Windows Server 2016 must
be configured to audit System - Other System\n Events failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73479'\n tag \"rid\": 'SV-88131r2_rule'\n tag \"stig_id\": 'WN16-AU-000400'\n tag \"fix_id\": 'F-79921r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n System >> Audit Other System Events with Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Other System Events') { 
should eq 'Success and Failure' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other System Events'\") do\n its('stdout') { should match /Other System Events Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other System Events'\") do\n its('stdout') { should match /Other System Events Success and Failure/ }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73435.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73479.rb",
 "line": 1
 },
- "id": "V-73435"
+ "id": "V-73479"
 },
 {
- "title": "Turning off File Explorer heap termination on corruption must be\n disabled.",
- "desc": "Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.",
+ "title": "The Remote Desktop Session Host must require secure Remote Procedure\n Call (RPC) communications.",
+ "desc": "Allowing unsecure RPC communication exposes the system to\n man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\n attack occurs when an intruder captures packets between a client and server and\n modifies them before allowing the packets to be exchanged. Usually the attacker\n will modify the information in the packets in an attempt to cause either the\n client or server to reveal sensitive information.",
 "descriptions": {
- "default": "Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt.
Disabling this feature will prevent this.",
- "check": "The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)",
- "fix": "The default behavior is for File Explorer heap termination on\n corruption to be disabled.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off heap termination on corruption to Not Configured\n or Disabled."
+ "default": "Allowing unsecure RPC communication exposes the system to\n man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\n attack occurs when an intruder captures packets between a client and server and\n modifies them before allowing the packets to be exchanged. Usually the attacker\n will modify the information in the packets in an attempt to cause either the\n client or server to reveal sensitive information.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fEncryptRPCTraffic\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
+ "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Require secure RPC communication\n to Enabled."
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-73563",
- "rid": "SV-88227r1_rule",
- "stig_id": "WN16-CC-000350",
- "fix_id": "F-80013r1_fix",
+ "gtitle": "SRG-OS-000250-GPOS-00093",
+ "gid": "V-73573",
+ "rid": "SV-88237r1_rule",
+ "stig_id": "WN16-CC-000400",
+ "fix_id": "F-80023r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001453"
 ],
 "nist": [
- "CM-6 b",
+ "AC-17 (2)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73563' do\n title \"Turning off File Explorer heap termination on corruption must be\n disabled.\"\n desc \"Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73563'\n tag \"rid\": 'SV-88227r1_rule'\n tag \"stig_id\": 'WN16-CC-000350'\n tag \"fix_id\": 'F-80013r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for File Explorer heap termination on\n corruption to be disabled.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off heap termination on corruption to Not Configured\n or Disabled.\"\n describe
registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer') do\n it { should have_property 'NoHeapTerminationOnCorruption' }\n its('NoHeapTerminationOnCorruption') { should_not cmp 1 }\n end\nend\n",
+ "code": "control 'V-73573' do\n title \"The Remote Desktop Session Host must require secure Remote Procedure\n Call (RPC) communications.\"\n desc \"Allowing unsecure RPC communication exposes the system to\n man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\n attack occurs when an intruder captures packets between a client and server and\n modifies them before allowing the packets to be exchanged. Usually the attacker\n will modify the information in the packets in an attempt to cause either the\n client or server to reveal sensitive information.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000250-GPOS-00093'\n tag \"gid\": 'V-73573'\n tag \"rid\": 'SV-88237r1_rule'\n tag \"stig_id\": 'WN16-CC-000400'\n tag \"fix_id\": 'F-80023r1_fix'\n tag \"cci\": ['CCI-001453']\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fEncryptRPCTraffic\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Require secure RPC communication\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fEncryptRPCTraffic' }\n its('fEncryptRPCTraffic') { should cmp 1 }\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73563.rb",
+
"ref": "./Windows 2016 STIG/controls/V-73573.rb",
 "line": 1
 },
- "id": "V-73563"
+ "id": "V-73573"
 },
 {
- "title": "Windows Server 2016 must be configured to audit System - Security\n State Change successes.",
- "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.",
+ "title": "Windows Server 2016 must be configured to audit Policy Change - Audit\n Policy Change failures.",
+ "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.",
 "descriptions": {
- "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks.
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.",
- "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Security State Change - Success",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit Security State Change with Success\n selected."
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks.
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.",
+ "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Failure",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Audit Policy Change with\n Failure selected."
 },
 "impact": 0.5,
 "refs": [],
@@ -1580,10 +1654,10 @@
 "SRG-OS-000463-GPOS-00207",
 "SRG-OS-000468-GPOS-00212"
 ],
- "gid": "V-73481",
- "rid": "SV-88133r1_rule",
- "stig_id": "WN16-AU-000410",
- "fix_id": "F-79923r1_fix",
+ "gid": "V-73463",
+ "rid": "SV-88115r1_rule",
+ "stig_id": "WN16-AU-000320",
+ "fix_id": "F-79905r1_fix",
 "cci": [
 "CCI-000172",
 "CCI-002234"
@@ -1595,57 +1669,20 @@ ], "documentable": false }, - "code": "control 'V-73481' do\n title \"Windows Server 2016 must be configured to audit System - Security\n State Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73481'\n tag \"rid\": 'SV-88133r1_rule'\n tag \"stig_id\": 'WN16-AU-000410'\n tag \"fix_id\": 'F-79923r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Security State Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit 
Policies >> System >> Audit Security State Change with Success\n selected.\"\n describe.one do\n describe audit_policy do\n its('Security State Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security State Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security State Change'\") do\n its('stdout') { should match /Security State Change Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security State Change'\") do\n its('stdout') { should match /Security State Change Success and Failure/ }\n end\n end\nend\n", - "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73481.rb", - "line": 1 - }, - "id": "V-73481" - }, - { - "title": "The Windows Remote Management (WinRM) service must not allow\n unencrypted traffic.", - "desc": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", - "descriptions": { - "default": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Allow unencrypted traffic to Disabled." 
- }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000393-GPOS-00173", - "satisfies": [ - "SRG-OS-000393-GPOS-00173", - "SRG-OS-000394-GPOS-00174" - ], - "gid": "V-73601", - "rid": "SV-88265r1_rule", - "stig_id": "WN16-CC-000540", - "fix_id": "F-80051r1_fix", - "cci": [ - "CCI-002890", - "CCI-003123" - ], - "nist": [ - "MA-4 (6)", - "Rev_4" - ], - "documentable": false - }, - "code": "control 'V-73601' do\n title \"The Windows Remote Management (WinRM) service must not allow\n unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000393-GPOS-00173'\n tag \"satisfies\": ['SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174']\n tag \"gid\": 'V-73601'\n tag \"rid\": 'SV-88265r1_rule'\n tag \"stig_id\": 'WN16-CC-000540'\n tag \"fix_id\": 'F-80051r1_fix'\n tag \"cci\": ['CCI-002890', 'CCI-003123']\n tag \"nist\": ['MA-4 (6)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Allow unencrypted traffic to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73463' do\n title \"Windows Server 2016 must be configured to audit Policy Change - Audit\n Policy 
Change failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73463'\n tag \"rid\": 'SV-88115r1_rule'\n tag \"stig_id\": 'WN16-AU-000320'\n tag \"fix_id\": 'F-79905r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Audit Policy Change with\n Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Failure' }\n end\n describe audit_policy do\n 
its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Audit Policy Change'\") do\n its('stdout') { should match /Audit Policy Change Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Audit Policy Change'\") do\n its('stdout') { should match /Audit Policy Change Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73601.rb", + "ref": "./Windows 2016 STIG/controls/V-73463.rb", "line": 1 }, - "id": "V-73601" + "id": "V-73463" }, { - "title": "Windows Server 2016 must be configured to audit System - System\n Integrity failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", + "title": "Windows Server 2016 must be configured to audit System - IPsec Driver\n failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit System Integrity with Failure\n selected." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit IPsec Driver with Failure selected." }, "impact": 0.5, "refs": [], @@ -1653,14 +1690,14 @@ "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ "SRG-OS-000327-GPOS-00127", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000471-GPOS-00216", - "SRG-OS-000477-GPOS-00222" + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-73491", - "rid": "SV-88143r1_rule", - "stig_id": "WN16-AU-000450", - "fix_id": "F-79933r1_fix", + "gid": "V-73475", + "rid": "SV-88127r1_rule", + "stig_id": "WN16-AU-000380", + "fix_id": "F-79917r1_fix", "cci": [ "CCI-000172", "CCI-002234" 
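Review bot: The V-73601 object (WinRM "Allow unencrypted traffic", `AllowUnencryptedTraffic` must be 0) is deleted from this position and nothing in the hunk re-adds it; the same happens to V-73295 (Telnet Client must not be installed) in `@@ -1672,44 +1709,12 @@`. The shifting new-side offsets suggest controls are being reordered rather than dropped, but if either object is not re-added in a later hunk the baseline silently loses a STIG check and any result comparison made against this baseline will stop reporting that gap. Please confirm that `"id": "V-73601"` and `"id": "V-73295"` objects still exist in the new file, and that for each the `gid`/`rid`/`stig_id`/`fix_id` tags, `id`, `source_location.ref` and the `control '...'` line inside `code` all agree, as they do for the V-73463 object added here.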
@@ -1672,44 +1709,12 @@ ], "documentable": false }, - "code": "control 'V-73491' do\n title \"Windows Server 2016 must be configured to audit System - System\n Integrity failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000471-GPOS-00215',\n 'SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag \"gid\": 'V-73491'\n tag \"rid\": 'SV-88143r1_rule'\n tag \"stig_id\": 'WN16-AU-000450'\n tag \"fix_id\": 'F-79933r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit System Integrity 
with Failure\n selected.\"\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Failure' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'System Integrity'\") do\n its('stdout') { should match /System Integrity Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'System Integrity'\") do\n its('stdout') { should match /System Integrity Success and Failure/ }\n end\n end\nend\n", - "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73491.rb", - "line": 1 - }, - "id": "V-73491" - }, - { - "title": "The Telnet Client must not be installed.", - "desc": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", - "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", - "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Telnet-Client.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", - "fix": "Uninstall the Telnet Client feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Telnet Client on the Features page.\n\n Click Next and Remove as prompted." 
- }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000096-GPOS-00050", - "gid": "V-73295", - "rid": "SV-87947r1_rule", - "stig_id": "WN16-00-000390", - "fix_id": "F-79737r1_fix", - "cci": [ - "CCI-000382" - ], - "nist": [ - "CM-7", - "Rev_4" - ], - "documentable": false - }, - "code": "control 'V-73295' do\n title 'The Telnet Client must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000096-GPOS-00050'\n tag \"gid\": 'V-73295'\n tag \"rid\": 'SV-87947r1_rule'\n tag \"stig_id\": 'WN16-00-000390'\n tag \"fix_id\": 'F-79737r1_fix'\n tag \"cci\": ['CCI-000382']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Telnet-Client.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Telnet Client feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Telnet Client on the Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('Telnet-Client') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-73475' do\n title \"Windows Server 2016 must be configured to audit System - IPsec Driver\n failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73475'\n tag \"rid\": 'SV-88127r1_rule'\n tag \"stig_id\": 'WN16-AU-000380'\n tag \"fix_id\": 'F-79917r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit IPsec Driver with Failure selected.\"\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Failure' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Failure/ }\n end\n describe command(\"AuditPol /get /category:* | 
Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73295.rb", + "ref": "./Windows 2016 STIG/controls/V-73475.rb", "line": 1 }, - "id": "V-73295" + "id": "V-73475" }, { "title": "The setting Domain member: Digitally encrypt secure channel data (when\n possible) must be configured to enabled.", 
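Review bot: The fallback matchers in the new V-73475 `code` string compare AuditPol stdout against single-space regexes such as `/IPsec Driver Failure/`; AuditPol normally prints the subcategory and its setting as padded columns, so if that padding is more than one space these two `command(...)` branches of `describe.one` can never match and only the `audit_policy` resource branches decide the result. The V-73463 code added in `@@ -1595,57 +1669,20 @@` carries the same pattern. If the fallbacks are meant to be effective, `/IPsec Driver\s+Failure/` and `/IPsec Driver\s+Success and Failure/` would tolerate the column padding; since this JSON is an export, the change belongs in `./Windows 2016 STIG/controls/V-73475.rb` and the baseline should then be regenerated.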
@@ -1750,540 +1755,536 @@ "id": "V-73635" }, { - "title": "The screen saver must be password protected.", - "desc": "Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", + "title": "Administrative accounts must not be used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as\n email.", + "desc": "Using applications that access the Internet or have potential Internet\n sources using administrative privileges exposes a system to compromise. If a\n flaw in an application is exploited while running as a privileged user, the\n entire system could be compromised. Web browsers and email are common attack\n vectors for introducing malicious code and must not be run with an\n administrative account.\n\n Since administrative accounts may generally change or work around technical\n restrictions for running a web browser or other applications, it is essential\n that the policy require administrative accounts to not access the Internet or use\n applications such as email.\n\n The policy should define specific exceptions for local service\n administration. These exceptions may include HTTP(S)-based tools that are used\n for the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.", "descriptions": { - "default": "Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. 
Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Control\n Panel\\Desktop\\\n\n Value Name: ScreenSaverIsSecure\n\n Type: REG_SZ\n Value: 1", - "fix": "Configure the policy value for User Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Password\n protect the screen saver to Enabled." + "default": "Using applications that access the Internet or have potential Internet\n sources using administrative privileges exposes a system to compromise. If a\n flaw in an application is exploited while running as a privileged user, the\n entire system could be compromised. Web browsers and email are common attack\n vectors for introducing malicious code and must not be run with an\n administrative account.\n\n Since administrative accounts may generally change or work around technical\n restrictions for running a web browser or other applications, it is essential\n that the policy require administrative accounts to not access the Internet or use\n applications such as email.\n\n The policy should define specific exceptions for local service\n administration. 
These exceptions may include HTTP(S)-based tools that are used\n for the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.", + "check": "Determine whether organization policy, at a minimum, prohibits\n administrative accounts from using applications that access the Internet, such\n as web browsers, or with potential Internet sources, such as email, except as\n necessary for local service administration.\n\n If it does not, this is a finding.\n\n The organization may use technical means such as whitelisting to prevent the\n use of browsers and mail applications to enforce this requirement.", + "fix": "Establish a policy, at minimum, to prohibit administrative\n accounts from using applications that access the Internet, such as web\n browsers, or with potential Internet sources, such as email. Ensure the policy\n is enforced.\n\n The organization may use technical means such as whitelisting to prevent the\n use of browsers and mail applications to enforce this requirement." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000028-GPOS-00009", - "gid": "V-73725", - "rid": "SV-88389r1_rule", - "stig_id": "WN16-UC-000020", - "fix_id": "F-80175r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73225", + "rid": "SV-87877r1_rule", + "stig_id": "WN16-00-000040", + "fix_id": "F-79669r1_fix", "cci": [ - "CCI-000056" + "CCI-000366" ], "nist": [ - "AC-11 b", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73725' do\n title 'The screen saver must be password protected.'\n desc \"Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. 
Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000028-GPOS-00009'\n tag \"gid\": 'V-73725'\n tag \"rid\": 'SV-88389r1_rule'\n tag \"stig_id\": 'WN16-UC-000020'\n tag \"fix_id\": 'F-80175r1_fix'\n tag \"cci\": ['CCI-000056']\n tag \"nist\": ['AC-11 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control\n Panel\\\\Desktop\\\\\n\n Value Name: ScreenSaverIsSecure\n\n Type: REG_SZ\n Value: 1\"\n desc \"fix\", \"Configure the policy value for User Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Password\n protect the screen saver to Enabled.\"\n describe registry_key(\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Control\n Panel\\\\Desktop\") do\n it { should have_property 'ScreenSaverIsSecure' }\n its('ScreenSaverIsSecure') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73225' do\n title \"Administrative accounts must not be used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as\n email.\"\n desc \"Using applications that access the Internet or have potential Internet\n sources using administrative privileges exposes a system to compromise. If a\n flaw in an application is exploited while running as a privileged user, the\n entire system could be compromised. 
Web browsers and email are common attack\n vectors for introducing malicious code and must not be run with an\n administrative account.\n\n Since administrative accounts may generally change or work around technical\n restrictions for running a web browser or other applications, it is essential\n that the policy require administrative accounts to not access the Internet or use\n applications such as email.\n\n The policy should define specific exceptions for local service\n administration. These exceptions may include HTTP(S)-based tools that are used\n for the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73225'\n tag \"rid\": 'SV-87877r1_rule'\n tag \"stig_id\": 'WN16-00-000040'\n tag \"fix_id\": 'F-79669r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine whether organization policy, at a minimum, prohibits\n administrative accounts from using applications that access the Internet, such\n as web browsers, or with potential Internet sources, such as email, except as\n necessary for local service administration.\n\n If it does not, this is a finding.\n\n The organization may use technical means such as whitelisting to prevent the\n use of browsers and mail applications to enforce this requirement.\"\n desc \"fix\", \"Establish a policy, at minimum, to prohibit administrative\n accounts from using applications that access the Internet, such as web\n browsers, or with potential Internet sources, such as email. 
Ensure the policy\n is enforced.\n\n The organization may use technical means such as whitelisting to prevent the\n use of browsers and mail applications to enforce this requirement.\"\n describe \"A manual review is required to verify that administrative accounts are not being used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as email\" do\n skip \"A manual review is required to verify that administrative accounts are not being used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as email\"\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73725.rb", + "ref": "./Windows 2016 STIG/controls/V-73225.rb", "line": 1 }, - "id": "V-73725" + "id": "V-73225" }, { - "title": "Zone information must be preserved when saving attachments.", - "desc": "Attachments from outside sources may contain malicious code.\n Preserving zone of origin (Internet, intranet, local, restricted) information\n on file attachments allows Windows to determine risk.", + "title": "The Active Directory SYSVOL directory must have the proper access\n control permissions.", + "desc": "Improper access permissions for directory data files could allow\n unauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\n and logon scripts. 
Data in shared subdirectories are replicated to all domain\n controllers in a domain.", "descriptions": { - "default": "Attachments from outside sources may contain malicious code.\n Preserving zone of origin (Internet, intranet, local, restricted) information\n on file attachments allows Windows to determine risk.", - "check": "The default behavior is for Windows to mark file attachments\n with their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 2, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)", - "fix": "The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If this needs to be corrected, configure the policy value for User\n Configuration >> Administrative Templates >> Windows Components >> Attachment\n Manager >> Do not preserve zone information in file attachments to Not\n Configured or Disabled." + "default": "Improper access permissions for directory data files could allow\n unauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\n and logon scripts. Data in shared subdirectories are replicated to all domain\n controllers in a domain.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Open a command prompt.\n\n Run net share.\n\n Make note of the directory location of the SYSVOL share.\n\n By default, this will be \\Windows\\SYSVOL\\sysvol. 
For this requirement,\n permissions will be verified at the first SYSVOL directory level.\n\n If any standard user accounts or groups have greater than \"Read & execute\"\n permissions, this is a finding.\n\n The default permissions noted below meet this requirement.\n\n Open Command Prompt.\n\n Run \"icacls c:\\Windows\\SYSVOL\".\n\n The following results should be displayed:\n\n NT AUTHORITY\\Authenticated Users:(RX)\n NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\Server Operators:(RX)\n BUILTIN\\Server Operators:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\Administrators:(M,WDAC,WO)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(F)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M,WDAC,WO)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n\n (RX) - Read & execute\n\n Run icacls /help to view definitions of other permission codes.\n\n Alternately, open File Explorer.\n\n Navigate to \\Windows\\SYSVOL (or the directory noted previously if different).\n\n Right-click the directory and select properties.\n\n Select the Security tab and click Advanced.\n\n Default permissions:\n\n C:\\Windows\\SYSVOL\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions: all\n selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files", + "fix": "Maintain the permissions on the SYSVOL directory. Do not allow\n greater than Read & execute permissions for standard user accounts or\n groups. 
The defaults below meet this requirement.\n\n C:\\Windows\\SYSVOL\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions: all\n selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73727", - "rid": "SV-88391r1_rule", - "stig_id": "WN16-UC-000030", - "fix_id": "F-80177r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73371", + "rid": "SV-88023r1_rule", + "stig_id": "WN16-DC-000080", + "fix_id": "F-79813r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73727' do\n title 'Zone information must be preserved when saving attachments.'\n desc \"Attachments from outside sources may contain malicious code.\n Preserving zone of origin (Internet, intranet, local, restricted) information\n on file attachments allows Windows to determine risk.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73727'\n tag \"rid\": 'SV-88391r1_rule'\n tag \"stig_id\": 'WN16-UC-000030'\n tag \"fix_id\": 'F-80177r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for Windows to mark file attachments\n with their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 2, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n 
Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If this needs to be corrected, configure the policy value for User\n Configuration >> Administrative Templates >> Windows Components >> Attachment\n Manager >> Do not preserve zone information in file attachments to Not\n Configured or Disabled.\"\n describe.one do\n describe registry_key('HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments') do\n it { should_not have_property 'SaveZoneInformation' }\n end\n describe registry_key('HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments') do\n its('SaveZoneInformation') { should cmp 2 }\n end\n end\nend\n", + "code": "control 'V-73371' do\n title \"The Active Directory SYSVOL directory must have the proper access\n control permissions.\"\n desc \"Improper access permissions for directory data files could allow\n unauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\n and logon scripts. Data in shared subdirectories are replicated to all domain\n controllers in a domain.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73371'\n tag \"rid\": 'SV-88023r1_rule'\n tag \"stig_id\": 'WN16-DC-000080'\n tag \"fix_id\": 'F-79813r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Open a command prompt.\n\n Run net share.\n\n Make note of the directory location of the SYSVOL share.\n\n By default, this will be \\\\Windows\\\\SYSVOL\\\\sysvol. For this requirement,\n permissions will be verified at the first SYSVOL directory level.\n\n If any standard user accounts or groups have greater than \\\"Read & execute\\\"\n permissions, this is a finding.\n\n The default permissions noted below meet this requirement.\n\n Open Command Prompt.\n\n Run \\\"icacls c:\\\\Windows\\\\SYSVOL\\\".\n\n The following results should be displayed:\n\n NT AUTHORITY\\\\Authenticated Users:(RX)\n NT AUTHORITY\\\\Authenticated Users:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\\\Server Operators:(RX)\n BUILTIN\\\\Server Operators:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\\\Administrators:(M,WDAC,WO)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(F)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M,WDAC,WO)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n\n (RX) - Read & execute\n\n Run icacls /help to view definitions of other permission codes.\n\n Alternately, open File Explorer.\n\n Navigate to \\\\Windows\\\\SYSVOL (or the directory noted previously if different).\n\n Right-click the directory and select properties.\n\n Select the Security tab and click Advanced.\n\n Default permissions:\n\n C:\\\\Windows\\\\SYSVOL\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions: all\n selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files\"\n desc \"fix\", \"Maintain the permissions on the SYSVOL directory. 
Do not allow\n greater than Read & execute permissions for standard user accounts or\n groups. The defaults below meet this requirement.\n\n C:\\\\Windows\\\\SYSVOL\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions: all\n selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n path = json(command: \"Get-WmiObject -Query \\\"SELECT * FROM Win32_Share WHERE Name = 'SYSVOL'\\\" | Select -Property Path | ConvertTo-JSON\").params['Path']\n acl_rules = json(command: \"(Get-ACL -Path '#{path}') | Select -Property PSChildName -ExpandProperty Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-536084480\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should 
cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n 
acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-536084480\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Server Operators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp 
\"BUILTIN\\\\Server Operators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\n\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73727.rb", + "ref": "./Windows 2016 STIG/controls/V-73371.rb", "line": 1 }, - "id": "V-73727" + "id": "V-73371" }, { - "title": "The machine inactivity limit must be set to 15 minutes, locking the\n system with the screen saver.", - "desc": "Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", + "title": "PowerShell script block logging must be enabled.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.", "descriptions": { - "default": "Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. 
The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive logon: Machine inactivity limit to 900 seconds or less." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\\n Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows PowerShell >> Turn\n on PowerShell Script Block Logging to Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000029-GPOS-00010", - "gid": "V-73645", - "rid": "SV-88309r1_rule", - "stig_id": "WN16-SO-000140", - "fix_id": "F-80095r1_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "gid": "V-73591", + "rid": "SV-88255r1_rule", + "stig_id": "WN16-CC-000490", + "fix_id": "F-80041r1_fix", "cci": [ - "CCI-000057" + "CCI-000135" ], "nist": [ - "AC-11 a", + "AU-3 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73645' do\n title \"The machine inactivity limit must be set to 15 minutes, locking the\n system with the screen saver.\"\n desc \"Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000029-GPOS-00010'\n tag \"gid\": 'V-73645'\n tag \"rid\": 'SV-88309r1_rule'\n tag \"stig_id\": 'WN16-SO-000140'\n tag \"fix_id\": 'F-80095r1_fix'\n tag \"cci\": ['CCI-000057']\n tag \"nist\": ['AC-11 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive logon: Machine inactivity limit to 900 seconds or less.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'InactivityTimeoutSecs' }\n its('InactivityTimeoutSecs') { 
should be <= 900 }\n end\nend\n", + "code": "control 'V-73591' do\n title 'PowerShell script block logging must be enabled.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000042-GPOS-00020'\n tag \"gid\": 'V-73591'\n tag \"rid\": 'SV-88255r1_rule'\n tag \"stig_id\": 'WN16-CC-000490'\n tag \"fix_id\": 'F-80041r1_fix'\n tag \"cci\": ['CCI-000135']\n tag \"nist\": ['AU-3 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\\n Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows PowerShell >> Turn\n on PowerShell Script Block Logging to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging') do\n it { should have_property 'EnableScriptBlockLogging' }\n its('EnableScriptBlockLogging') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73645.rb", + "ref": "./Windows 
2016 STIG/controls/V-73591.rb", "line": 1 }, - "id": "V-73645" + "id": "V-73591" }, { - "title": "UIAccess applications must not be allowed to prompt for elevation\n without using the secure desktop.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting prevents User Interface Accessibility programs from disabling the\n secure desktop for elevation prompts.", - "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting prevents User Interface Accessibility programs from disabling the\n secure desktop for elevation prompts.", - "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableUIADesktopToggle\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Allow UIAccess applications to prompt for elevation without\n using the secure desktop to Disabled." + "title": "The password history must be configured to 24 passwords remembered.", + "desc": "A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change to a\n unique password on a regularly scheduled basis. This enables users to\n effectively negate the purpose of mandating periodic password changes. 
The\n default value is 24 for Windows domain systems. DoD has decided this is the\n appropriate value for all Windows systems.", + "descriptions": { + "default": "A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change to a\n unique password on a regularly scheduled basis. This enables users to\n effectively negate the purpose of mandating periodic password changes. The\n default value is 24 for Windows domain systems. DoD has decided this is the\n appropriate value for all Windows systems.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Enforce password history is less than 24 passwords\n remembered, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Enforce password history to 24 passwords remembered." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-73709", - "rid": "SV-88373r1_rule", - "stig_id": "WN16-SO-000470", - "fix_id": "F-80159r1_fix", + "gtitle": "SRG-OS-000077-GPOS-00045", + "gid": "V-73315", + "rid": "SV-87967r1_rule", + "stig_id": "WN16-AC-000040", + "fix_id": "F-79757r1_fix", "cci": [ - "CCI-001084" + "CCI-000200" ], "nist": [ - "SC-3", + "AC-4 (12)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73709' do\n title \"UIAccess applications must not be allowed to prompt for elevation\n without using the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting prevents User Interface Accessibility programs from disabling the\n secure desktop for elevation prompts.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73709'\n tag \"rid\": 'SV-88373r1_rule'\n tag \"stig_id\": 'WN16-SO-000470'\n tag \"fix_id\": 'F-80159r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableUIADesktopToggle\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Allow UIAccess applications to prompt for elevation without\n using the secure desktop to Disabled.\"\n if 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableUIADesktopToggle' }\n its('EnableUIADesktopToggle') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-73315' do\n title 'The password history must be configured to 24 passwords remembered.'\n desc \"A system is more vulnerable to unauthorized access when system users\n recycle the same password several times without being required to change to a\n unique password on a regularly scheduled basis. This enables users to\n effectively negate the purpose of mandating periodic password changes. The\n default value is 24 for Windows domain systems. 
DoD has decided this is the\n appropriate value for all Windows systems.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000077-GPOS-00045'\n tag \"gid\": 'V-73315'\n tag \"rid\": 'SV-87967r1_rule'\n tag \"stig_id\": 'WN16-AC-000040'\n tag \"fix_id\": 'F-79757r1_fix'\n tag \"cci\": ['CCI-000200']\n tag \"nist\": ['AC-4 (12)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Enforce password history is less than 24 passwords\n remembered, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Enforce password history to 24 passwords remembered.\"\n describe security_policy do\n its('PasswordHistorySize') { should cmp >= 24 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73709.rb", + "ref": "./Windows 2016 STIG/controls/V-73315.rb", "line": 1 }, - "id": "V-73709" + "id": "V-73315" }, { - "title": "The Windows Server 2016 system must use an anti-virus program.", - "desc": "Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.", + "title": "The Active Directory Domain Controllers Organizational Unit (OU)\n object must have the proper access control permissions.", + "desc": "When Active Directory objects do not have appropriate access control\n permissions, it may be possible for malicious users to create, read, update, or\n delete the objects and degrade or destroy the integrity of the data. 
When the\n directory service is used for identification, authentication, or authorization\n functions, a compromise of the database objects could lead to a compromise of\n all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain\n Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could\n allow an intruder or unauthorized personnel to make changes that could lead to\n the compromise of the domain.", "descriptions": { - "default": "Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.", - "check": "Verify an anti-virus solution is installed on the system. The\n anti-virus solution may be bundled with an approved host-based security\n solution.\n\n If there is no anti-virus solution installed on the system, this is a finding.", - "fix": "Install an anti-virus solution on the system." + "default": "When Active Directory objects do not have appropriate access control\n permissions, it may be possible for malicious users to create, read, update, or\n delete the objects and degrade or destroy the integrity of the data. When the\n directory service is used for identification, authentication, or authorization\n functions, a compromise of the database objects could lead to a compromise of\n all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain\n Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could\n allow an intruder or unauthorized personnel to make changes that could lead to\n the compromise of the domain.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the permissions on the Domain Controllers OU.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Select Advanced Features in the View menu if not previously selected.\n\n Select the Domain Controllers OU (folder in folder icon).\n\n Right-click and select Properties.\n\n Select the Security tab.\n\n If the permissions on the Domain Controllers OU do not restrict changes to\n System, Domain Admins, Enterprise Admins and Administrators, this is a finding.\n\n The default permissions listed below satisfy this requirement.\n\n Domains supporting Microsoft Exchange will have additional Exchange related\n permissions on the Domain Controllers OU. These may include some change\n related permissions and are not a finding.\n\n The permissions shown are at the summary level. More detailed permissions can\n be viewed by selecting the Advanced button, the desired Permission entry,\n and the View or Edit button.\n\n Except where noted otherwise, the special permissions may include a wide range\n of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n\n SELF - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n SYSTEM - Full Control\n\n Domain Admins - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Pre-Windows 2000 Compatible Access 
- Special permissions\n\n The Special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions", + "fix": "Limit the permissions on the Domain Controllers OU to restrict\n changes to System, Domain Admins, Enterprise Admins and Administrators.\n\n The default permissions listed below satisfy this requirement.\n\n Domains supporting Microsoft Exchange will have additional Exchange related\n permissions on the Domain Controllers OU. These may include some change\n related permissions.\n\n CREATOR OWNER - Special permissions\n\n SELF - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read types.\n\n SYSTEM - Full Control\n\n Domain Admins - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions" }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73241", - "rid": "SV-87893r2_rule", - "stig_id": "WN16-00-000120", - "fix_id": "F-84913r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73375", + "rid": "SV-88027r2_rule", + "stig_id": "WN16-DC-000100", + "fix_id": "F-84911r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 
(10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73241' do\n title 'The Windows Server 2016 system must use an anti-virus program.'\n desc \"Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73241'\n tag \"rid\": 'SV-87893r2_rule'\n tag \"stig_id\": 'WN16-00-000120'\n tag \"fix_id\": 'F-84913r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify an anti-virus solution is installed on the system. The\n anti-virus solution may be bundled with an approved host-based security\n solution.\n\n If there is no anti-virus solution installed on the system, this is a finding.\"\n desc \"fix\", 'Install an anti-virus solution on the system.'\n\n windefend = powershell('Get-Service -Name windefend | Select-Object -ExpandProperty Status').stdout.strip\n\n describe.one do\n describe registry_key('HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\CurrentVersion') do\n it { should exist }\n end\n describe registry_key('HKLM\\SOFTWARE\\McAfee/DesktopProtection\\szProductVer') do\n it { should exist }\n end\n describe registry_key('HKLM\\SOFTWARE\\McAfee\\Endpoint\\AV\\ProductVersion') do\n it { should exist }\n end\n describe \"Windows Defender\" do\n subject { windefend }\n it { should eq \"Running\" }\n end\n end\nend\n", + "code": "control 'V-73375' do\n title \"The Active Directory Domain Controllers Organizational Unit (OU)\n object must have the proper access control permissions.\"\n desc \"When Active Directory objects do not have appropriate access control\n permissions, it may be possible for malicious users to create, read, update, or\n delete the objects and degrade or destroy the integrity of the data. 
When the\n directory service is used for identification, authentication, or authorization\n functions, a compromise of the database objects could lead to a compromise of\n all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain\n Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could\n allow an intruder or unauthorized personnel to make changes that could lead to\n the compromise of the domain.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73375'\n tag \"rid\": 'SV-88027r2_rule'\n tag \"stig_id\": 'WN16-DC-000100'\n tag \"fix_id\": 'F-84911r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on the Domain Controllers OU.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Select Advanced Features in the View menu if not previously selected.\n\n Select the Domain Controllers OU (folder in folder icon).\n\n Right-click and select Properties.\n\n Select the Security tab.\n\n If the permissions on the Domain Controllers OU do not restrict changes to\n System, Domain Admins, Enterprise Admins and Administrators, this is a finding.\n\n The default permissions listed below satisfy this requirement.\n\n Domains supporting Microsoft Exchange will have additional Exchange related\n permissions on the Domain Controllers OU. These may include some change\n related permissions and are not a finding.\n\n The permissions shown are at the summary level. 
More detailed permissions can\n be viewed by selecting the Advanced button, the desired Permission entry,\n and the View or Edit button.\n\n Except where noted otherwise, the special permissions may include a wide range\n of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n\n SELF - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n SYSTEM - Full Control\n\n Domain Admins - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The Special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n desc \"fix\", \"Limit the permissions on the Domain Controllers OU to restrict\n changes to System, Domain Admins, Enterprise Admins and Administrators.\n\n The default permissions listed below satisfy this requirement.\n\n Domains supporting Microsoft Exchange will have additional Exchange related\n permissions on the Domain Controllers OU. 
These may include some change\n related permissions.\n\n CREATOR OWNER - Special permissions\n\n SELF - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read types.\n\n SYSTEM - Full Control\n\n Domain Admins - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Path AD:'OU=Domain Controllers,#{distinguishedName}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\System\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n 
its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Admins\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule 
property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Key Admins\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Key Admins\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\ENTERPRISE DOMAIN CONTROLLERS\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['ActiveDirectoryRights']) { should match (/(read)/i) }\n its(['ActiveDirectoryRights']) { should_not match (/(write)|(delete)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should match 
(/(read)/i) }\n its(['ActiveDirectoryRights']) { should_not match (/(write)|(delete)|(create)|(extendedright)/i) }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73241.rb", + "ref": "./Windows 2016 STIG/controls/V-73375.rb", "line": 1 }, - "id": "V-73241" + "id": "V-73375" }, { - "title": "Windows Server 2016 must be configured to require case insensitivity\n for non-Windows subsystems.", - "desc": "This setting controls the behavior of non-Windows subsystems when\n dealing with the case of arguments or commands. Case sensitivity could lead to\n the access of files or commands that must be restricted. To prevent this from\n happening, case insensitivity restrictions must be required.", + "title": "Windows 2016 account lockout duration must be configured to 15 minutes\n or greater.", + "desc": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that an account will remain locked after the specified number of failed logon\n attempts.", "descriptions": { - "default": "This setting controls the behavior of non-Windows subsystems when\n dealing with the case of arguments or commands. Case sensitivity could lead to\n the access of files or commands that must be restricted. 
To prevent this from\n happening, case insensitivity restrictions must be required.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\\n\n Value Name: ObCaseInsensitive\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n objects: Require case insensitivity for non-Windows subsystems to\n Enabled." + "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that an account will remain locked after the specified number of failed logon\n attempts.", + "check": "Verify the effective setting in Local Group Policy Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the Account lockout duration is less than 15 minutes (excluding\n 0), this is a finding.\n\n Configuring this to 0, requiring an administrator to unlock the account, is\n more restrictive and is not a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n Account lockout duration to 15 minutes or greater.\n\n A value of 0 is also acceptable, requiring an administrator to unlock the\n account." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73703", - "rid": "SV-88367r1_rule", - "stig_id": "WN16-SO-000440", - "fix_id": "F-80153r1_fix", + "gtitle": "SRG-OS-000329-GPOS-00128", + "gid": "V-73309", + "rid": "SV-87961r2_rule", + "stig_id": "WN16-AC-000010", + "fix_id": "F-80983r1_fix", "cci": [ - "CCI-000366" + "CCI-002238" ], "nist": [ - "CM-6 b", + "AC-7 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73703' do\n title \"Windows Server 2016 must be configured to require case insensitivity\n for non-Windows subsystems.\"\n desc \"This setting controls the behavior of non-Windows subsystems when\n dealing with the case of arguments or commands. Case sensitivity could lead to\n the access of files or commands that must be restricted. To prevent this from\n happening, case insensitivity restrictions must be required.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73703'\n tag \"rid\": 'SV-88367r1_rule'\n tag \"stig_id\": 'WN16-SO-000440'\n tag \"fix_id\": 'F-80153r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Kernel\\\\\n\n Value Name: ObCaseInsensitive\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n objects: Require case insensitivity for non-Windows subsystems to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Kernel') do\n it { should have_property 'ObCaseInsensitive' }\n its('ObCaseInsensitive') { should cmp 1 }\n end\nend\n", + "code": 
"control 'V-73309' do\n title \"Windows 2016 account lockout duration must be configured to 15 minutes\n or greater.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that an account will remain locked after the specified number of failed logon\n attempts.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000329-GPOS-00128'\n tag \"gid\": 'V-73309'\n tag \"rid\": 'SV-87961r2_rule'\n tag \"stig_id\": 'WN16-AC-000010'\n tag \"fix_id\": 'F-80983r1_fix'\n tag \"cci\": ['CCI-002238']\n tag \"nist\": ['AC-7 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the Account lockout duration is less than 15 minutes (excluding\n 0), this is a finding.\n\n Configuring this to 0, requiring an administrator to unlock the account, is\n more restrictive and is not a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n Account lockout duration to 15 minutes or greater.\n\n A value of 0 is also acceptable, requiring an administrator to unlock the\n account.\"\n describe.one do\n describe security_policy do\n its('LockoutDuration') { should be >= 15 }\n end\n describe security_policy do\n its('LockoutDuration') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73703.rb", + "ref": "./Windows 2016 STIG/controls/V-73309.rb", "line": 1 }, - "id": "V-73703" + "id": "V-73309" }, { - "title": "Reversible password encryption must be disabled.", - "desc": "Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords, which are 
easily compromised.\n For this reason, this policy must never be enabled.", + "title": "Windows Server 2016 must be configured to use FIPS-compliant\n algorithms for encryption, hashing, and signing.", + "desc": "This setting ensures the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. Government and must be the\n algorithms used for all OS encryption functions.", "descriptions": { - "default": "Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords, which are easily compromised.\n For this reason, this policy must never be enabled.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Store passwords using reversible encryption is not set to\n Disabled, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >> Store\n passwords using reversible encryption to Disabled." + "default": "This setting ensures the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. 
Government and must be the\n algorithms used for all OS encryption functions.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy\\\n\n Value Name: Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Clients with this setting enabled will not be able to communicate via digitally\n encrypted or signed protocols with servers that do not support these\n algorithms. Both the browser and web server must be configured to use TLS;\n otherwise. the browser will not be able to connect to a secure site.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n cryptography: Use FIPS compliant algorithms for encryption, hashing, and\n signing to Enabled." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000073-GPOS-00041", - "gid": "V-73325", - "rid": "SV-87977r1_rule", - "stig_id": "WN16-AC-000090", - "fix_id": "F-79767r1_fix", + "gtitle": "SRG-OS-000033-GPOS-00014", + "satisfies": [ + "SRG-OS-000033-GPOS-00014", + "SRG-OS-000478-GPOS-00223" + ], + "gid": "V-73701", + "rid": "SV-88365r1_rule", + "stig_id": "WN16-SO-000430", + "fix_id": "F-80151r1_fix", "cci": [ - "CCI-000196" + "CCI-000068", + "CCI-002450" ], "nist": [ - "IA-5 (1) (c)", + "AC-17 (2)", + "SC-13", "Rev_4" ], "documentable": false }, - "code": "control 'V-73325' do\n title 'Reversible password encryption must be disabled.'\n desc \"Storing passwords using reversible encryption is essentially the same\n as storing clear-text versions of the passwords, which are easily compromised.\n For this reason, this policy must never be enabled.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"gid\": 'V-73325'\n tag \"rid\": 'SV-87977r1_rule'\n tag \"stig_id\": 'WN16-AC-000090'\n tag 
\"fix_id\": 'F-79767r1_fix'\n tag \"cci\": ['CCI-000196']\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Store passwords using reversible encryption is not set to\n Disabled, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >> Store\n passwords using reversible encryption to Disabled.\"\n describe security_policy do\n its('ClearTextPassword') { should eq 0 }\n end\nend\n", + "code": "control 'V-73701' do\n title \"Windows Server 2016 must be configured to use FIPS-compliant\n algorithms for encryption, hashing, and signing.\"\n desc \"This setting ensures the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. 
Government and must be the\n algorithms used for all OS encryption functions.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000033-GPOS-00014'\n tag \"satisfies\": ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000478-GPOS-00223']\n tag \"gid\": 'V-73701'\n tag \"rid\": 'SV-88365r1_rule'\n tag \"stig_id\": 'WN16-SO-000430'\n tag \"fix_id\": 'F-80151r1_fix'\n tag \"cci\": ['CCI-000068', 'CCI-002450']\n tag \"nist\": ['AC-17 (2)', 'SC-13', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\FIPSAlgorithmPolicy\\\\\n\n Value Name: Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Clients with this setting enabled will not be able to communicate via digitally\n encrypted or signed protocols with servers that do not support these\n algorithms. Both the browser and web server must be configured to use TLS;\n otherwise. 
the browser will not be able to connect to a secure site.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n cryptography: Use FIPS compliant algorithms for encryption, hashing, and\n signing to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\FIPSAlgorithmPolicy') do\n it { should have_property 'Enabled' }\n its('Enabled') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73325.rb", + "ref": "./Windows 2016 STIG/controls/V-73701.rb", "line": 1 }, - "id": "V-73325" + "id": "V-73701" }, { - "title": "Windows Server 2016 must be configured to audit Object Access -\n Removable Storage successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.", + "title": "User Account Control approval mode for the built-in Administrator must\n be enabled.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Success\n\n Virtual 
machines or systems that use network attached storage may generate\n excessive audit events for secondary virtual drives or the network attached\n storage when this setting is enabled. This may be set to Not Configured in such\n cases and would not be a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> Audit Removable Storage with Success\n selected." + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.", + "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Admin Approval Mode for the Built-in Administrator account\n to Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000474-GPOS-00219", - "gid": "V-73457", - "rid": "SV-88109r1_rule", - "stig_id": "WN16-AU-000290", - "fix_id": "F-79899r1_fix", + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-73707", + "rid": "SV-88371r1_rule", + "stig_id": "WN16-SO-000460", + "fix_id": "F-80157r1_fix", "cci": [ - "CCI-000172" + "CCI-002038" ], "nist": [ - "AU-12 c", + "IA-11", "Rev_4" ], "documentable": false }, - "code": "control 'V-73457' do\n title \"Windows Server 2016 must be configured to audit Object Access -\n Removable Storage successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000474-GPOS-00219'\n tag \"gid\": 'V-73457'\n tag \"rid\": 'SV-88109r1_rule'\n tag \"stig_id\": 'WN16-AU-000290'\n tag \"fix_id\": 'F-79899r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n 
Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Success\n\n Virtual machines or systems that use network attached storage may generate\n excessive audit events for secondary virtual drives or the network attached\n storage when this setting is enabled. This may be set to Not Configured in such\n cases and would not be a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> Audit Removable Storage with Success\n selected.\"\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Success' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Removable Storage'\") do\n its('stdout') { should match /Removable Storage Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Removable Storage'\") do\n its('stdout') { should match /Removable Storage Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73707' do\n title \"User Account Control approval mode for the built-in Administrator must\n be enabled.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73707'\n tag \"rid\": 'SV-88371r1_rule'\n tag \"stig_id\": 'WN16-SO-000460'\n tag \"fix_id\": 'F-80157r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", 
\"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Admin Approval Mode for the Built-in Administrator account\n to Enabled.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'FilterAdministratorToken' }\n its('FilterAdministratorToken') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73457.rb", + "ref": "./Windows 2016 STIG/controls/V-73707.rb", "line": 1 }, - "id": "V-73457" + "id": "V-73707" }, { - "title": "Windows Server 2016 must be configured to audit Account Management -\n Security Group Management successes.", - "desc": "Maintaining an audit trail of system activity logs can help 
identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\n changing security groups, including changes in group members.", + "title": "The Active Directory Domain object must be configured with proper\n audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\n changing security groups, including changes in group members.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Security Group Management - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Security Group Management\n with Success selected." + "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain object. 
Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Domain object are not at least as inclusive as\n those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\n Modify owner)", + "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Domain object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\n Modify owner.)" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000004-GPOS-00004", + "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000476-GPOS-00221" + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-73423", - "rid": "SV-88075r1_rule", - "stig_id": "WN16-AU-000120", - "fix_id": "F-79865r1_fix", + "gid": "V-73391", + "rid": "SV-88043r1_rule", + "stig_id": "WN16-DC-000180", + "fix_id": "F-79833r1_fix", "cci": [ - "CCI-000018", "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-002234" ], "nist": [ - "AC-2 (4)", "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73423' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n Security Group Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and 
analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\n changing security groups, including changes in group members.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000004-GPOS-00004'\n tag \"satisfies\": ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',\n 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',\n 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag \"gid\": 'V-73423'\n tag \"rid\": 'SV-88075r1_rule'\n tag \"stig_id\": 'WN16-AU-000120'\n tag \"fix_id\": 'F-79865r1_fix'\n tag \"cci\": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',\n 'CCI-001405', 'CCI-002130']\n tag \"nist\": ['AC-2 (4)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Security Group Management - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Security Group Management\n with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Security Group Management') { should eq 
'Success' }\n end\n describe audit_policy do\n its('Security Group Management') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security Group Management'\") do\n its('stdout') { should match /Security Group Management Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security Group Management'\") do\n its('stdout') { should match /Security Group Management Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73391' do\n title \"The Active Directory Domain object must be configured with proper\n audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73391'\n tag \"rid\": 'SV-88043r1_rule'\n tag \"stig_id\": 'WN16-DC-000180'\n tag \"fix_id\": 'F-79833r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Domain object are not at least as inclusive as\n those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\n Modify owner)\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Domain object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\n Modify owner.)\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for 
principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"All\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Users\" }\n its(['ActiveDirectoryRights']) { should cmp \"ExtendedRight\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should cmp \"ExtendedRight\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, WriteDacl, WriteOwner\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n 
end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\n\n\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73423.rb", + "ref": "./Windows 2016 STIG/controls/V-73391.rb", "line": 1 }, - "id": "V-73423" + "id": "V-73391" }, { - "title": "Downloading print driver packages over HTTP must be prevented.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages\n over HTTP.", + "title": "The maximum password age must be configured to 60 days or less.", + "desc": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing of\n passwords hinders the ability of unauthorized system users to crack passwords\n and gain access to a system.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages\n over HTTP.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableWebPnPDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> Turn off downloading of print drivers over\n HTTP to Enabled." + "default": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing of\n passwords hinders the ability of unauthorized system users to crack passwords\n and gain access to a system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Maximum password age is greater than 60 days, this\n is a finding.\n\n If the value is set to 0 (never expires), this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Maximum password age to 60 days or less (excluding 0, which is\n unacceptable)." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73527", - "rid": "SV-88179r1_rule", - "stig_id": "WN16-CC-000160", - "fix_id": "F-79969r1_fix", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": "V-73317", + "rid": "SV-87969r1_rule", + "stig_id": "WN16-AC-000050", + "fix_id": "F-79759r1_fix", "cci": [ - "CCI-000381" + "CCI-000199" ], "nist": [ - "CM-7 a", + "IA-5 (1) (d)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73527' do\n title 'Downloading print driver packages over HTTP must be prevented.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages\n over HTTP.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73527'\n tag \"rid\": 'SV-88179r1_rule'\n tag \"stig_id\": 'WN16-CC-000160'\n tag \"fix_id\": 'F-79969r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableWebPnPDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> Turn off downloading of print drivers over\n HTTP to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers') do\n it { should have_property 'DisableWebPnPDownload' }\n 
its('DisableWebPnPDownload') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73317' do\n title 'The maximum password age must be configured to 60 days or less.'\n desc \"The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing of\n passwords hinders the ability of unauthorized system users to crack passwords\n and gain access to a system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000076-GPOS-00044'\n tag \"gid\": 'V-73317'\n tag \"rid\": 'SV-87969r1_rule'\n tag \"stig_id\": 'WN16-AC-000050'\n tag \"fix_id\": 'F-79759r1_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Maximum password age is greater than 60 days, this\n is a finding.\n\n If the value is set to 0 (never expires), this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Maximum password age to 60 days or less (excluding 0, which is\n unacceptable).\"\n describe security_policy do\n its('MaximumPasswordAge') { should be <= 60 }\n end\n describe security_policy do\n its('MaximumPasswordAge') { should be > 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73527.rb", + "ref": "./Windows 2016 STIG/controls/V-73317.rb", "line": 1 }, - "id": "V-73527" + "id": "V-73317" }, { - "title": "The network selection user interface (UI) must not be displayed on the\n logon screen.", - "desc": "Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing in to Windows.", + "title": 
"Permissions for the system drive root directory (usually C:\\) must\n conform to minimum requirements.", + "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", "descriptions": { - "default": "Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing in to Windows.", - "check": "Verify the registry value below. If it does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> Do not display network\n selection UI to Enabled." 
+ "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", + "check": "The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the system drive's root directory (usually C:\\).\n Non-privileged groups such as Users or Authenticated Users must not have\n greater than Read & execute permissions except where noted as defaults.\n (Individual accounts must not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n View the Properties of the system drive's root directory.\n\n Select the Security tab, and the Advanced button.\n\n Default permissions:\n C:\\\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\n\n Alternately, use icacls:\n\n Open Command Prompt (Admin).\n\n Enter icacls followed by the directory:\n\n icacls c:\\\n\n The following results should be displayed:\n\n c:\\\n NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\Administrators:(OI)(CI)(F)\n BUILTIN\\Users:(OI)(CI)(RX)\n BUILTIN\\Users:(CI)(AD)\n BUILTIN\\Users:(CI)(IO)(WD)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n Successfully processed 1 files; Failed 
processing 0 files", + "fix": "Maintain the default permissions for the system drive's root\n directory and configure the Security Option Network access: Let everyone\n permissions apply to anonymous users to Disabled (WN16-SO-000290).\n\n Default Permissions\n C:\\\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73531", - "rid": "SV-88185r1_rule", - "stig_id": "WN16-CC-000180", - "fix_id": "F-79973r1_fix", - "cci": [ - "CCI-000381" + "gtitle": "SRG-OS-000312-GPOS-00122", + "satisfies": [ + "SRG-OS-000312-GPOS-00122", + "SRG-OS-000312-GPOS-00123", + "SRG-OS-000312-GPOS-00124" + ], + "gid": "V-73249", + "rid": "SV-87901r1_rule", + "stig_id": "WN16-00-000160", + "fix_id": "F-79693r1_fix", + "cci": [ + "CCI-002165" ], "nist": [ - "CM-7 a", + "AC-3 (4)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73531' do\n title \"The network selection user interface (UI) must not be displayed on the\n logon screen.\"\n desc \"Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing in to Windows.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73531'\n tag \"rid\": 'SV-88185r1_rule'\n tag \"stig_id\": 'WN16-CC-000180'\n tag \"fix_id\": 'F-79973r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the registry value below. 
If it does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> Do not display network\n selection UI to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'DontDisplayNetworkSelectionUI' }\n its('DontDisplayNetworkSelectionUI') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73249' do\n title \"Permissions for the system drive root directory (usually C:\\\\) must\n conform to minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000312-GPOS-00122'\n tag \"satisfies\": ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123',\n 'SRG-OS-000312-GPOS-00124']\n tag \"gid\": 'V-73249'\n tag \"rid\": 'SV-87901r1_rule'\n tag \"stig_id\": 'WN16-00-000160'\n tag \"fix_id\": 'F-79693r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the system drive's root directory (usually C:\\\\).\n Non-privileged groups such as Users or Authenticated Users must not have\n greater than Read & execute 
permissions except where noted as defaults.\n (Individual accounts must not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n View the Properties of the system drive's root directory.\n\n Select the Security tab, and the Advanced button.\n\n Default permissions:\n C:\\\\\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\n\n Alternately, use icacls:\n\n Open Command Prompt (Admin).\n\n Enter icacls followed by the directory:\n\n icacls c:\\\\\n\n The following results should be displayed:\n\n c:\\\\\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\\\Administrators:(OI)(CI)(F)\n BUILTIN\\\\Users:(OI)(CI)(RX)\n BUILTIN\\\\Users:(CI)(AD)\n BUILTIN\\\\Users:(CI)(IO)(WD)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n Successfully processed 1 files; Failed processing 0 files\"\n desc \"fix\", \"Maintain the default permissions for the system drive's root\n directory and configure the Security Option Network access: Let everyone\n permissions apply to anonymous users to Disabled (WN16-SO-000290).\n\n Default Permissions\n C:\\\\\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - 
Subfolders and files only\"\n\n paths = [\n \"C:\\\\\"\n ]\n\n paths.each do |path|\n acl_rules = json(command: \"(Get-ACL -Path '#{path}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"AppendData\" }\n 
its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"CreateFiles\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n end\n\n \nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73531.rb", + "ref": "./Windows 2016 STIG/controls/V-73249.rb", "line": 1 }, - "id": "V-73531" + "id": "V-73249" }, { - "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Group\n Membership successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.", + "title": "Accounts must require passwords.", + "desc": "The lack of password protection enables anyone to gain access to the\n information system, which opens a backdoor opportunity for intruders to\n compromise the system as well as other resources. Accounts on a system must\n require passwords.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Group Membership - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n 
Logon/Logoff >> Audit Group Membership with Success selected." + "default": "The lack of password protection enables anyone to gain access to the\n information system, which opens a backdoor opportunity for intruders to\n compromise the system as well as other resources. Accounts on a system must\n require passwords.", + "check": "Review the password required status for enabled user accounts.\n\n Open PowerShell.\n\n Domain Controllers:\n\n Enter Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name,\n Passwordnotrequired, Enabled.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n\n If Passwordnotrequired is True or blank for any enabled user account,\n this is a finding.\n\n Member servers and standalone systems:\n\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter\n PasswordRequired=False and LocalAccount=True | FT Name, PasswordRequired,\n Disabled, LocalAccount'.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest).\n\n If any enabled user accounts are returned with a PasswordRequired status of\n False, this is a finding.", + "fix": "Configure all enabled accounts to require passwords.\n\n The password required flag can be set by entering the following on a command\n line: Net user [username] /passwordreq:yes, substituting [username] with\n the name of the user account." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000470-GPOS-00214", - "gid": "V-73447", - "rid": "SV-88099r2_rule", - "stig_id": "WN16-AU-000240", - "fix_id": "F-79889r1_fix", + "gtitle": "SRG-OS-000104-GPOS-00051", + "gid": "V-73261", + "rid": "SV-87913r2_rule", + "stig_id": "WN16-00-000220", + "fix_id": "F-79705r1_fix", "cci": [ - "CCI-000172" + "CCI-000764" ], "nist": [ - "AU-12 c", + "IA-2", "Rev_4" ], "documentable": false }, - "code": "control 'V-73447' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Group\n Membership successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000470-GPOS-00214'\n tag \"gid\": 'V-73447'\n tag \"rid\": 'SV-88099r2_rule'\n tag \"stig_id\": 'WN16-AU-000240'\n tag \"fix_id\": 'F-79889r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n 
Logon/Logoff >> Group Membership - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Group Membership with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Group Membership') { should eq 'Success' }\n end\n describe audit_policy do\n its('Group Membership') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Group Membership'\") do\n its('stdout') { should match /Group Membership Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Group Membership'\") do\n its('stdout') { should match /Group Membership Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73261' do\n title 'Accounts must require passwords.'\n desc \"The lack of password protection enables anyone to gain access to the\n information system, which opens a backdoor opportunity for intruders to\n compromise the system as well as other resources. 
Accounts on a system must\n require passwords.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000104-GPOS-00051'\n tag \"gid\": 'V-73261'\n tag \"rid\": 'SV-87913r2_rule'\n tag \"stig_id\": 'WN16-00-000220'\n tag \"fix_id\": 'F-79705r1_fix'\n tag \"cci\": ['CCI-000764']\n tag \"nist\": ['IA-2', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the password required status for enabled user accounts.\n\n Open PowerShell.\n\n Domain Controllers:\n\n Enter Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name,\n Passwordnotrequired, Enabled.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n\n If Passwordnotrequired is True or blank for any enabled user account,\n this is a finding.\n\n Member servers and standalone systems:\n\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter\n PasswordRequired=False and LocalAccount=True | FT Name, PasswordRequired,\n Disabled, LocalAccount'.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest).\n\n If any enabled user accounts are returned with a PasswordRequired status of\n False, this is a finding.\"\n desc \"fix\", \"Configure all enabled accounts to require passwords.\n\n The password required flag can be set by entering the following on a command\n line: Net user [username] /passwordreq:yes, substituting [username] with\n the name of the user account.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n users_with_no_password_required = command('Get-Aduser -Filter * -Properties Passwordnotrequired | Select Name, Passwordnotrequired, Enabled | Where Enabled -eq $True | Where Passwordnotrequired -eq $True | FT Name | Findstr /V \\'Name --\\'').stdout\n else\n users_with_no_password_required = command(\"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordRequired=False and LocalAccount=True and Disabled=False' | FT Name | Findstr /V 'Name --'\").stdout\n end\n 
describe \"Windows 2016 accounts configured to not require passwords\" do\n subject {users_with_no_password_required}\n it { should be_empty }\n end\nend \n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73447.rb", + "ref": "./Windows 2016 STIG/controls/V-73261.rb", "line": 1 }, - "id": "V-73447" + "id": "V-73261" }, { - "title": "The Windows dialog box title for the legal banner must be configured\n with the appropriate text.", - "desc": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.", + "title": "Kerberos user logon restrictions must be enforced.", + "desc": "This policy setting determines whether the Kerberos Key Distribution\n Center (KDC) validates every request for a session ticket against the user\n rights policy of the target computer. The policy is enabled by default, which\n is the most secure setting for validating that access to target resources is\n not circumvented.", "descriptions": { - "default": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title options below\n\n DoD Notice and Consent Banner, US Department of Defense Warning\n Statement, or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or\n modify the language of the banner text required in WN16-SO-000150.\n\n Automated tools may only search for the titles defined above. 
If an\n organization-defined title is used, a manual review will be required.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Message title for users attempting to log on to DoD\n Notice and Consent Banner, US Department of Defense Warning Statement, or\n an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or\n modify the language of the message text required in WN16-SO-000150." + "default": "This policy setting determines whether the Kerberos Key Distribution\n Center (KDC) validates every request for a session ticket against the user\n rights policy of the target computer. The policy is enabled by default, which\n is the most secure setting for validating that access to target resources is\n not circumvented.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Enforce user logon restrictions is not set to Enabled, this is a\n finding.", + "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Enforce user logon restrictions to\n Enabled." 
}, - "impact": 0.3, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000023-GPOS-00006", + "gtitle": "SRG-OS-000112-GPOS-00057", "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000228-GPOS-00088" + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" ], - "gid": "V-73649", - "rid": "SV-88313r1_rule", - "stig_id": "WN16-SO-000160", - "fix_id": "F-80099r1_fix", + "gid": "V-73359", + "rid": "SV-88011r1_rule", + "stig_id": "WN16-DC-000020", + "fix_id": "F-79801r1_fix", "cci": [ - "CCI-000048", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-001941", + "CCI-001942" ], "nist": [ - "AC-8 a", - "AC-8 b", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 3", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73649' do\n title \"The Windows dialog box title for the legal banner must be configured\n with the appropriate text.\"\n desc \"Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.\n \"\n impact 0.3 \n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"satisfies\": ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag \"gid\": 'V-73649'\n tag \"rid\": 'SV-88313r1_rule'\n tag \"stig_id\": 'WN16-SO-000160'\n tag \"fix_id\": 'F-80099r1_fix'\n tag \"cci\": ['CCI-000048', 'CCI-001384', 'CCI-001385', 'CCI-001386',\n 'CCI-001387', 'CCI-001388']\n tag \"nist\": ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title options below\n\n DoD Notice and Consent Banner, US Department of Defense Warning\n Statement, or an 
organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or\n modify the language of the banner text required in WN16-SO-000150.\n\n Automated tools may only search for the titles defined above. If an\n organization-defined title is used, a manual review will be required.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Message title for users attempting to log on to DoD\n Notice and Consent Banner, US Department of Defense Warning Statement, or\n an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or\n modify the language of the message text required in WN16-SO-000150.\"\n legal_notice_caption = input('legal_notice_caption')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LegalNoticeCaption' }\n end \n\n key = registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System').LegalNoticeCaption.to_s\n \n describe 'The required legal notice caption' do\n subject { key.scan(/[\\w().;,!]/).join}\n it {should cmp legal_notice_caption.scan(/[\\w().;,!]/).join }\n end\n\nend\n", + "code": "control 'V-73359' do\n title 'Kerberos user logon restrictions must be enforced.'\n desc \"This policy setting determines whether the Kerberos Key Distribution\n Center (KDC) validates every request for a session ticket against the user\n rights policy of the target computer. 
The policy is enabled by default, which\n is the most secure setting for validating that access to target resources is\n not circumvented.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73359'\n tag \"rid\": 'SV-88011r1_rule'\n tag \"stig_id\": 'WN16-DC-000020'\n tag \"fix_id\": 'F-79801r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Enforce user logon restrictions is not set to Enabled, this is a\n finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Enforce user logon restrictions to\n Enabled.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('TicketValidateClient') { should eq 1 }\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 
STIG/controls/V-73649.rb", + "ref": "./Windows 2016 STIG/controls/V-73359.rb", "line": 1 }, - "id": "V-73649" + "id": "V-73359" }, { - "title": "The Kerberos policy user ticket renewal maximum lifetime must be\n limited to seven days or less.", - "desc": "This setting determines the period of time (in days) during which a\n user's Ticket Granting Ticket (TGT) may be renewed. This security configuration\n limits the amount of time an attacker has to crack the TGT and gain access.", + "title": "Remote Desktop Services must be configured with the client connection\n encryption set to High Level.", + "desc": "Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting High Level will ensure encryption of\n Remote Desktop Services sessions in both directions.", "descriptions": { - "default": "This setting determines the period of time (in days) during which a\n user's Ticket Granting Ticket (TGT) may be renewed. This security configuration\n limits the amount of time an attacker has to crack the TGT and gain access.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Maximum lifetime for user ticket renewal is greater than 7 days,\n this is a finding.", - "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for user ticket\n renewal to a maximum of 7 days or less." 
+ "default": "Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting High Level will ensure encryption of\n Remote Desktop Services sessions in both directions.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: MinEncryptionLevel\n\n Type: REG_DWORD\n Value: 0x00000003 (3)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Set client connection encryption\n level to Enabled with High Level selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000112-GPOS-00057", - "satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" - ], - "gid": "V-73365", - "rid": "SV-88017r1_rule", - "stig_id": "WN16-DC-000050", - "fix_id": "F-79807r1_fix", + "gtitle": "SRG-OS-000250-GPOS-00093", + "gid": "V-73575", + "rid": "SV-88239r1_rule", + "stig_id": "WN16-CC-000410", + "fix_id": "F-80025r1_fix", "cci": [ - "CCI-001941", - "CCI-001942" + "CCI-001453" ], "nist": [ - "IA-2 (8)", - "IA-2 (9)", + "AC-17 (2)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73365' do\n title \"The Kerberos policy user ticket renewal maximum lifetime must be\n limited to seven days or less.\"\n desc \"This setting determines the period of time (in days) during which a\n user's Ticket Granting Ticket (TGT) may be renewed. 
This security configuration\n limits the amount of time an attacker has to crack the TGT and gain access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73365'\n tag \"rid\": 'SV-88017r1_rule'\n tag \"stig_id\": 'WN16-DC-000050'\n tag \"fix_id\": 'F-79807r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Maximum lifetime for user ticket renewal is greater than 7 days,\n this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for user ticket\n renewal to a maximum of 7 days or less.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxRenewAge') { should be <= 7 }\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73575' do\n title \"Remote Desktop 
Services must be configured with the client connection\n encryption set to High Level.\"\n desc \"Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting High Level will ensure encryption of\n Remote Desktop Services sessions in both directions.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000250-GPOS-00093'\n tag \"gid\": 'V-73575'\n tag \"rid\": 'SV-88239r1_rule'\n tag \"stig_id\": 'WN16-CC-000410'\n tag \"fix_id\": 'F-80025r1_fix'\n tag \"cci\": ['CCI-001453']\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: MinEncryptionLevel\n\n Type: REG_DWORD\n Value: 0x00000003 (3)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Set client connection encryption\n level to Enabled with High Level selected.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'MinEncryptionLevel' }\n its('MinEncryptionLevel') { should cmp 3 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73365.rb", + "ref": "./Windows 2016 STIG/controls/V-73575.rb", "line": 1 }, - "id": "V-73365" + "id": "V-73575" }, { - "title": "Domain controllers must have a PKI server certificate.", - "desc": "Domain controllers are part of the chain of trust for PKI\n authentications. Without the appropriate certificate, the authenticity of the\n domain controller cannot be verified. 
Domain controllers must have a server\n certificate to establish authenticity as part of PKI authentications in the\n domain.", + "title": "The Windows Remote Management (WinRM) service must not use Basic\n authentication.", + "desc": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.", "descriptions": { - "default": "Domain controllers are part of the chain of trust for PKI\n authentications. Without the appropriate certificate, the authenticity of the\n domain controller cannot be verified. Domain controllers must have a server\n certificate to establish authenticity as part of PKI authentications in the\n domain.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Run MMC.\n\n Select Add/Remove Snap-in from the File menu.\n\n Select Certificates in the left pane and click the Add > button.\n\n Select Computer Account and click Next.\n\n Select the appropriate option for Select the computer you want this snap-in\n to manage and click Finish.\n\n Click OK.\n\n Select and expand the Certificates (Local Computer) entry in the left pane.\n\n Select and expand the Personal entry in the left pane.\n\n Select the Certificates entry in the left pane.\n\n If no certificate for the domain controller exists in the right pane, this is a\n finding.", - "fix": "Obtain a server certificate for the domain controller." + "default": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. 
Disabling Basic authentication will reduce this potential.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Allow Basic authentication to Disabled." }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000066-GPOS-00034", - "gid": "V-73611", - "rid": "SV-88275r1_rule", - "stig_id": "WN16-DC-000280", - "fix_id": "F-80061r1_fix", + "gtitle": "SRG-OS-000125-GPOS-00065", + "gid": "V-73599", + "rid": "SV-88263r1_rule", + "stig_id": "WN16-CC-000530", + "fix_id": "F-80049r1_fix", "cci": [ - "CCI-000185" + "CCI-000877" ], "nist": [ - "IA-5 (2) (a)", + "MA-4 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73611' do\n title 'Domain controllers must have a PKI server certificate.'\n desc \"Domain controllers are part of the chain of trust for PKI\n authentications. Without the appropriate certificate, the authenticity of the\n domain controller cannot be verified. Domain controllers must have a server\n certificate to establish authenticity as part of PKI authentications in the\n domain.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"gid\": 'V-73611'\n tag \"rid\": 'SV-88275r1_rule'\n tag \"stig_id\": 'WN16-DC-000280'\n tag \"fix_id\": 'F-80061r1_fix'\n tag \"cci\": ['CCI-000185']\n tag \"nist\": ['IA-5 (2) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Run MMC.\n\n Select Add/Remove Snap-in from the File menu.\n\n Select Certificates in the left pane and click the Add > button.\n\n Select Computer Account and click Next.\n\n Select the appropriate option for Select the computer you want this snap-in\n to manage and click Finish.\n\n Click OK.\n\n Select and expand the Certificates (Local Computer) entry in the left pane.\n\n Select and expand the Personal entry in the left pane.\n\n Select the Certificates entry in the left pane.\n\n If no certificate for the domain controller exists in the right pane, this is a\n finding.\"\n desc \"fix\", 'Obtain a server certificate for the domain controller.'\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n certs = command(\"Get-ChildItem -Path Cert:\\\\LocalMachine\\\\My | ConvertTo-JSON\").stdout\n describe \"The domain controller's server certificate\" do\n subject { certs }\n it { should_not cmp '' }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73599' do\n title \"The Windows Remote Management (WinRM) service must not use Basic\n authentication.\"\n desc \"Basic authentication uses plain-text passwords that could be used to\n compromise a system. 
Disabling Basic authentication will reduce this potential.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000125-GPOS-00065'\n tag \"gid\": 'V-73599'\n tag \"rid\": 'SV-88263r1_rule'\n tag \"stig_id\": 'WN16-CC-000530'\n tag \"fix_id\": 'F-80049r1_fix'\n tag \"cci\": ['CCI-000877']\n tag \"nist\": ['MA-4 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Allow Basic authentication to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73611.rb", + "ref": "./Windows 2016 STIG/controls/V-73599.rb", "line": 1 }, - "id": "V-73611" + "id": "V-73599" }, { - "title": "Windows Server 2016 must be configured to audit Privilege Use -\n Sensitive Privilege Use successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.", + "title": "Windows Server 2016 must be configured to audit DS Access - Directory\n Service Changes failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with\n Success selected." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Changes with Failure\n selected." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-73469", - "rid": "SV-88121r1_rule", - "stig_id": "WN16-AU-000350", - "fix_id": "F-79911r1_fix", + "gid": "V-73441", + "rid": "SV-88093r1_rule", + "stig_id": "WN16-DC-000270", + "fix_id": "F-79883r1_fix", "cci": [ "CCI-000172", "CCI-002234" 
@@ -2295,280 +2296,268 @@ ], "documentable": false }, - "code": "control 'V-73469' do\n title \"Windows Server 2016 must be configured to audit Privilege Use -\n Sensitive Privilege Use successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73469'\n tag \"rid\": 'SV-88121r1_rule'\n tag \"stig_id\": 'WN16-AU-000350'\n tag \"fix_id\": 'F-79911r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit 
Policy Configuration >> System\n Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Sensitive Privilege Use'\") do\n its('stdout') { should match /Sensitive Privilege Use Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Sensitive Privilege Use'\") do\n its('stdout') { should match /Sensitive Privilege Use Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73441' do\n title \"Windows Server 2016 must be configured to audit DS Access - Directory\n Service Changes failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73441'\n tag \"rid\": 'SV-88093r1_rule'\n tag \"stig_id\": 'WN16-DC-000270'\n tag \"fix_id\": 'F-79883r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Changes with Failure\n selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Changes'\") do\n its('stdout') { should match /Directory Service Changes Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Changes'\") do\n its('stdout') { should match /Directory Service Changes Success and Failure/ }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 
STIG/controls/V-73469.rb", + "ref": "./Windows 2016 STIG/controls/V-73441.rb", "line": 1 }, - "id": "V-73469" + "id": "V-73441" }, { - "title": "The TFTP Client must not be installed.", - "desc": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", + "title": "Remote calls to the Security Account Manager (SAM) must be restricted\n to Administrators.", + "desc": "The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting Remote Procedure Call (RPC) connections to the SAM to\n Administrators helps protect those credentials.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", - "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq TFTP-Client.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", - "fix": "Uninstall the TFTP Client feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect TFTP Client on the Features page.\n\n Click Next and Remove as prompted." 
+ "default": "The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting Remote Procedure Call (RPC) connections to the SAM to\n Administrators helps protect those credentials.", + "check": "This applies to member servers and standalone systems; it is NA\n for domain controllers.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)", + "fix": "Navigate to the policy Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options >> Network access:\n Restrict clients allowed to make remote calls to SAM.\n Select Edit Security to configure the Security descriptor:.\n\n Add Administrators in Group or user names: if it is not already listed\n (this is the default).\n\n Select Administrators in Group or user names:.\n\n Select Allow for Remote Access in Permissions for Administrators.\n\n Click OK.\n\n The Security descriptor: must be populated with O:BAG:BAD:(A;;RC;;;BA)\n for the policy to be enforced." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73297", - "rid": "SV-87949r1_rule", - "stig_id": "WN16-00-000400", - "fix_id": "F-79739r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73677", + "rid": "SV-88341r2_rule", + "stig_id": "WN16-MS-000310", + "fix_id": "F-80127r1_fix", "cci": [ - "CCI-000381" + "CCI-002235" ], "nist": [ - "CM-7", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73297' do\n title 'The TFTP Client must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73297'\n tag \"rid\": 'SV-87949r1_rule'\n tag \"stig_id\": 'WN16-00-000400'\n tag \"fix_id\": 'F-79739r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq TFTP-Client.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the TFTP Client feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect TFTP Client on the Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('TFTP-Client') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-73677' do\n title \"Remote calls to the Security Account Manager (SAM) must be restricted\n to Administrators.\"\n desc \"The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting Remote Procedure Call (RPC) connections to the SAM to\n Administrators helps protect those credentials.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73677'\n tag \"rid\": 'SV-88341r2_rule'\n tag \"stig_id\": 'WN16-MS-000310'\n tag \"fix_id\": 'F-80127r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems; it is NA\n for domain controllers.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry 
Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)\"\n desc \"fix\", \"Navigate to the policy Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options >> Network access:\n Restrict clients allowed to make remote calls to SAM.\n Select Edit Security to configure the Security descriptor:.\n\n Add Administrators in Group or user names: if it is not already listed\n (this is the default).\n\n Select Administrators in Group or user names:.\n\n Select Allow for Remote Access in Permissions for Administrators.\n\n Click OK.\n\n The Security descriptor: must be populated with O:BAG:BAD:(A;;RC;;;BA)\n for the policy to be enforced.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if !(domain_role == '4') && !(domain_role == '5')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictRemoteSAM' }\n its('RestrictRemoteSAM') { should eq 'O:BAG:BAD:(A;;RC;;;BA)' }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n desc 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73297.rb", + "ref": "./Windows 2016 STIG/controls/V-73677.rb", "line": 1 }, - "id": "V-73297" + "id": "V-73677" }, { - "title": "Windows Server 2016 must be configured to at least negotiate signing\n for LDAP client signing.", - "desc": "This setting controls the signing requirements for LDAP clients. 
This\n must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.", + "title": "Unauthenticated Remote Procedure Call (RPC) clients must be restricted\n from connecting to the RPC server.", + "desc": "Unauthenticated RPC clients may allow anonymous access to sensitive\n information. Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.", "descriptions": { - "default": "This setting controls the signing requirements for LDAP clients. This\n must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LDAP\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: LDAP client signing requirements to Negotiate signing\n at a minimum." + "default": "Unauthenticated RPC clients may allow anonymous access to sensitive\n information. 
Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.", + "check": "This applies to member servers and standalone systems, It is NA\n for domain controllers.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc\\\n\n Value Name: RestrictRemoteClients\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Procedure Call >> Restrict\n Unauthenticated RPC clients to Enabled with Authenticated selected." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73693", - "rid": "SV-88357r1_rule", - "stig_id": "WN16-SO-000390", - "fix_id": "F-80143r1_fix", + "gtitle": "SRG-OS-000379-GPOS-00164", + "gid": "V-73541", + "rid": "SV-88203r1_rule", + "stig_id": "WN16-MS-000040", + "fix_id": "F-79983r1_fix", "cci": [ - "CCI-000366" + "CCI-001967" ], "nist": [ - "CM-6 b", + "IA-3 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73693' do\n title \"Windows Server 2016 must be configured to at least negotiate signing\n for LDAP client signing.\"\n desc \"This setting controls the signing requirements for LDAP clients. 
This\n must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73693'\n tag \"rid\": 'SV-88357r1_rule'\n tag \"stig_id\": 'WN16-SO-000390'\n tag \"fix_id\": 'F-80143r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP\\\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: LDAP client signing requirements to Negotiate signing\n at a minimum.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP') do\n it { should have_property 'LDAPClientIntegrity' }\n its('LDAPClientIntegrity') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73541' do\n title \"Unauthenticated Remote Procedure Call (RPC) clients must be restricted\n from connecting to the RPC server.\"\n desc \"Unauthenticated RPC clients may allow anonymous access to sensitive\n information. 
Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000379-GPOS-00164'\n tag \"gid\": 'V-73541'\n tag \"rid\": 'SV-88203r1_rule'\n tag \"stig_id\": 'WN16-MS-000040'\n tag \"fix_id\": 'F-79983r1_fix'\n tag \"cci\": ['CCI-001967']\n tag \"nist\": ['IA-3 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems, It is NA\n for domain controllers.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\\n\n Value Name: RestrictRemoteClients\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Procedure Call >> Restrict\n Unauthenticated RPC clients to Enabled with Authenticated selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if !(domain_role == '4') && !(domain_role == '5')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc') do\n it { should have_property 'RestrictRemoteClients' }\n its('RestrictRemoteClients') { should cmp 1 }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n desc 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73693.rb", + "ref": "./Windows 2016 STIG/controls/V-73541.rb", "line": 1 }, - "id": "V-73693" + "id": "V-73541" }, { - "title": "Passwords must not be saved in the Remote Desktop Client.", - "desc": "Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to 
establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.",
+ "title": "Windows Server 2016 must be configured to audit System - Security\n State Change successes.",
+ "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.",
 "descriptions": {
- "default": "Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\\n\n Value Name: DisablePasswordSaving\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
- "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Connection Client >> Do not allow passwords to be saved to\n Enabled."
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.",
+ "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Security State Change - Success",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit Security State Change with Success\n selected." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000373-GPOS-00157",
+ "gtitle": "SRG-OS-000327-GPOS-00127",
 "satisfies": [
- "SRG-OS-000373-GPOS-00157",
- "SRG-OS-000373-GPOS-00156"
+ "SRG-OS-000327-GPOS-00127",
+ "SRG-OS-000458-GPOS-00203",
+ "SRG-OS-000463-GPOS-00207",
+ "SRG-OS-000468-GPOS-00212"
 ],
- "gid": "V-73567",
- "rid": "SV-88231r1_rule",
- "stig_id": "WN16-CC-000370",
- "fix_id": "F-80017r1_fix",
+ "gid": "V-73481",
+ "rid": "SV-88133r1_rule",
+ "stig_id": "WN16-AU-000410",
+ "fix_id": "F-79923r1_fix",
 "cci": [
- "CCI-002038"
+ "CCI-000172",
+ "CCI-002234"
 ],
 "nist": [
- "IA-11",
+ "AU-12 c",
+ "AC-6 (9)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73567' do\n title 'Passwords must not be saved in the Remote Desktop Client.'\n desc \"Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73567'\n tag \"rid\": 'SV-88231r1_rule'\n tag \"stig_id\": 'WN16-CC-000370'\n tag \"fix_id\": 'F-80017r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: DisablePasswordSaving\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Connection Client >> Do not allow passwords to be saved to\n Enabled.\"\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'DisablePasswordSaving' }\n its('DisablePasswordSaving') { should cmp 1 }\n end\nend\n",
+ "code": "control 'V-73481' do\n title \"Windows Server 2016 must be configured to audit System - Security\n State Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\n state, such as startup and shutdown of the system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73481'\n tag \"rid\": 'SV-88133r1_rule'\n tag \"stig_id\": 'WN16-AU-000410'\n tag \"fix_id\": 'F-79923r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Security State Change - Success\"\n 
desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit Security State Change with Success\n selected.\"\n describe.one do\n describe audit_policy do\n its('Security State Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security State Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security State Change'\") do\n its('stdout') { should match /Security State Change Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security State Change'\") do\n its('stdout') { should match /Security State Change Success and Failure/ }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73567.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73481.rb",
 "line": 1
 },
- "id": "V-73567"
+ "id": "V-73481"
 },
 {
- "title": "The Deny log on as a batch job user right on domain controllers must\n be configured to prevent unauthenticated access.",
- "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.",
+ "title": "Windows Server 2016 must be configured to audit System - IPsec Driver\n successes.",
+ "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.",
- "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n batch job user right, this is a finding.\n\n - Guests Group",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a batch job to include the following:\n\n - Guests Group"
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.",
+ "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Success",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit IPsec Driver with Success selected." 
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000080-GPOS-00048",
- "gid": "V-73761",
- "rid": "SV-88425r1_rule",
- "stig_id": "WN16-DC-000380",
- "fix_id": "F-80211r1_fix",
- "cci": [
- "CCI-000213"
- ],
- "nist": [
- "AC-3",
- "Rev_4"
+ "gtitle": "SRG-OS-000327-GPOS-00127",
+ "satisfies": [
+ "SRG-OS-000327-GPOS-00127",
+ "SRG-OS-000458-GPOS-00203",
+ "SRG-OS-000463-GPOS-00207",
+ "SRG-OS-000468-GPOS-00212"
 ],
- "documentable": false
- },
- "code": "control 'V-73761' do\n title \"The Deny log on as a batch job user right on domain controllers must\n be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73761'\n tag \"rid\": 'SV-88425r1_rule'\n tag \"stig_id\": 'WN16-DC-000380'\n tag \"fix_id\": 'F-80211r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n batch job user right, this is a finding.\n\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a batch job to include the following:\n\n - Guests Group\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeDenyBatchLogonRight') { should eq ['S-1-5-32-546'] }\n end\n describe security_policy do\n its('SeDenyBatchLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n",
- "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73761.rb",
- "line": 1
- },
- "id": "V-73761"
- },
- {
- "title": "Domain Controller PKI certificates must be issued by the DoD PKI or an\n approved External Certificate Authority (ECA).",
- "desc": "A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions. The use of multiple CAs from separate PKI\n implementations results in interoperability issues. 
If servers and clients do\n not have a common set of root CA certificates, they are not able to\n authenticate each other.",
- "descriptions": {
- "default": "A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions. The use of multiple CAs from separate PKI\n implementations results in interoperability issues. If servers and clients do\n not have a common set of root CA certificates, they are not able to\n authenticate each other.",
- "check": "This applies to domain controllers. It is NA for other systems.\n\n Run MMC.\n\n Select Add/Remove Snap-in from the File menu.\n\n Select Certificates in the left pane and click the Add > button.\n\n Select Computer Account and click Next.\n\n Select the appropriate option for Select the computer you want this snap-in\n to manage and click Finish.\n\n Click OK.\n\n Select and expand the Certificates (Local Computer) entry in the left pane.\n\n Select and expand the Personal entry in the left pane.\n\n Select the Certificates entry in the left pane.\n\n In the right pane, examine the Issued By field for the certificate to\n determine the issuing CA.\n\n If the Issued By field of the PKI certificate being used by the domain\n controller does not indicate the issuing CA is part of the DoD PKI or an\n approved ECA, this is a finding.\n\n If the certificates in use are issued by a CA authorized by the Component's\n CIO, this is a CAT II finding.\n\n There are multiple sources from which lists of valid DoD CAs and approved ECAs\n can be obtained:\n\n The Global Directory Service (GDS) website provides an online source. 
The\n address for this site is https://crl.gds.disa.mil.\n\n DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot\n utility to manage DoD supported root certificates on Windows computers, which\n includes a list of authorized CAs. The utility package can be downloaded from\n the PKI and PKE Tools page on IASE:\n\n http://iase.disa.mil/pki-pke/function_pages/tools.html",
- "fix": "Obtain a server certificate for the domain controller issued by\n the DoD PKI or an approved ECA."
- },
- "impact": 0,
- "refs": [],
- "tags": {
- "gtitle": "SRG-OS-000066-GPOS-00034",
- "gid": "V-73613",
- "rid": "SV-88277r1_rule",
- "stig_id": "WN16-DC-000290",
- "fix_id": "F-80063r1_fix",
+ "gid": "V-73473",
+ "rid": "SV-88125r1_rule",
+ "stig_id": "WN16-AU-000370",
+ "fix_id": "F-79915r1_fix",
 "cci": [
- "CCI-000185"
+ "CCI-000172",
+ "CCI-002234"
 ],
 "nist": [
- "IA-5 (2) (a)",
+ "AU-12 c",
+ "AC-6 (9)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73613' do\n title \"Domain Controller PKI certificates must be issued by the DoD PKI or an\n approved External Certificate Authority (ECA).\"\n desc \"A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions. The use of multiple CAs from separate PKI\n implementations results in interoperability issues. If servers and clients do\n not have a common set of root CA certificates, they are not able to\n authenticate each other.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"gid\": 'V-73613'\n tag \"rid\": 'SV-88277r1_rule'\n tag \"stig_id\": 'WN16-DC-000290'\n tag \"fix_id\": 'F-80063r1_fix'\n tag \"cci\": ['CCI-000185']\n tag \"nist\": ['IA-5 (2) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Run MMC.\n\n Select Add/Remove Snap-in from the File menu.\n\n Select Certificates in the left pane and click the Add > button.\n\n Select Computer Account and click Next.\n\n Select the appropriate option for Select the computer you want this snap-in\n to manage and click Finish.\n\n Click OK.\n\n Select and expand the Certificates (Local Computer) entry in the left pane.\n\n Select and expand the Personal entry in the left pane.\n\n Select the Certificates entry in the left pane.\n\n In the right pane, examine the Issued By field for the certificate to\n determine the issuing CA.\n\n If the Issued By field of the PKI certificate being used by the domain\n controller does not indicate the issuing CA is part of the DoD PKI or an\n approved ECA, this is a finding.\n\n If the certificates in use are issued by a CA authorized by the Component's\n CIO, this is a CAT II finding.\n\n There are multiple sources from which lists of valid DoD CAs and approved ECAs\n can be obtained:\n\n The Global Directory Service (GDS) website provides an online source. The\n address for this site is https://crl.gds.disa.mil.\n\n DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot\n utility to manage DoD supported root certificates on Windows computers, which\n includes a list of authorized CAs. 
The utility package can be downloaded from\n the PKI and PKE Tools page on IASE:\n\n http://iase.disa.mil/pki-pke/function_pages/tools.html\"\n desc \"fix\", \"Obtain a server certificate for the domain controller issued by\n the DoD PKI or an approved ECA.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe command('Get-ChildItem -Path Cert:\\\\LocalMachine\\\\My | Format-List | Findstr Issuer') do\n its('stdout') { should include 'DoD' }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n",
+ "code": "control 'V-73473' do\n title \"Windows Server 2016 must be configured to audit System - IPsec Driver\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73473'\n tag \"rid\": 'SV-88125r1_rule'\n tag \"stig_id\": 'WN16-AU-000370'\n tag \"fix_id\": 'F-79915r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit IPsec Driver with Success selected.\"\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Success/ }\n end\n describe command(\"AuditPol /get /category:* | 
Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Success and Failure/ }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73613.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73473.rb",
 "line": 1
 },
- "id": "V-73613"
+ "id": "V-73473"
 },
 {
- "title": "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be\n maintained.",
- "desc": "The registry is integral to the function, security, and stability of\n the Windows system. Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.",
+ "title": "User Account Control must only elevate UIAccess applications that are\n installed in secure locations.",
+ "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\System32 folders, to run with elevated privileges.",
 "descriptions": {
- "default": "The registry is integral to the function, security, and stability of\n the Windows system. Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.",
- "check": "Review the registry permissions for the keys of the\n HKEY_LOCAL_MACHINE hive noted below.\n\n If any non-privileged groups such as Everyone, Users, or Authenticated Users\n have greater than Read permission, this is a finding.\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Run Regedit.\n\n Right-click on the registry areas noted below.\n\n Select Permissions... 
and the Advanced button.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other examples under the noted keys may also be sampled. 
There may be some\n instances where non-privileged groups have greater than Read permission.\n\n If the defaults have not been changed, these are not a finding.",
- "fix": "Maintain the default permissions for the HKEY_LOCAL_MACHINE\n registry hive.\n\n The default permissions of the higher-level keys are noted below.\n\n HKEY_LOCAL_MACHINE\SECURITY\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\SOFTWARE\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\SYSTEM\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys"
+ "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\System32 folders, to run with elevated privileges.",
+ "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: 
HKEY_LOCAL_MACHINE\n Registry Path:\n \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Only elevate UIAccess applications that are installed in\n secure locations to Enabled."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-73255",
- "rid": "SV-87907r1_rule",
- "stig_id": "WN16-00-000190",
- "fix_id": "F-79699r1_fix",
+ "gtitle": "SRG-OS-000134-GPOS-00068",
+ "gid": "V-73717",
+ "rid": "SV-88381r1_rule",
+ "stig_id": "WN16-SO-000510",
+ "fix_id": "F-80167r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-001084"
 ],
 "nist": [
- "AC-6 (10)",
+ "SC-3",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73255' do\n title \"Default permissions for the HKEY_LOCAL_MACHINE registry hive must be\n maintained.\"\n desc \"The registry is integral to the function, security, and stability of\n the Windows system. Changing the system's registry permissions allows the\n possibility of unauthorized and anonymous modification to the operating system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73255'\n tag \"rid\": 'SV-87907r1_rule'\n tag \"stig_id\": 'WN16-00-000190'\n tag \"fix_id\": 'F-79699r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the registry permissions for the keys of the\n HKEY_LOCAL_MACHINE hive noted below.\n\n If any non-privileged groups such as Everyone, Users, or Authenticated Users\n have greater than Read permission, this is a finding.\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Run Regedit.\n\n Right-click on the registry areas noted below.\n\n Select Permissions... 
and the Advanced button.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other examples under the noted keys may also be sampled. 
There may be some\n instances where non-privileged groups have greater than Read permission.\n\n If the defaults have not been changed, these are not a finding.\"\n desc \"fix\", \"Maintain the default permissions for the HKEY_LOCAL_MACHINE\n registry hive.\n\n The default permissions of the higher-level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n\n Type - Allow for all\n Inherited from - None for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\"\n\n paths = [\n \"HKLM:\\\\\\\\Security\",\n \"HKLM:\\\\\\\\Software\",\n \"HKLM:\\\\\\\\System\"\n ]\n\n paths.each do |path|\n if path == \"HKLM:\\\\\\\\Security\"\n acl_rules = json(command: \"[Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('Security', 'Default', 'ReadPermissions').GetAccessControl().access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n 
its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadPermissions, ChangePermissions\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n else\n acl_rules = json(command: \"(Get-ACL -Path '#{path}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n if path == \"HKLM:\\\\\\\\Software\"\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { 
acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadKey\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadKey\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n elsif path == \"HKLM:\\\\\\\\System\"\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe 
\"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadKey\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe 
\"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"ReadKey\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' key\\'s access rule property:\" do\n subject { acl_rule }\n its(['RegistryRights']) { should cmp \"-2147483648\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n end\n end\n end\nend \n", + "code": "control 'V-73717' do\n title \"User Account Control must only elevate UIAccess applications that are\n installed in secure locations.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures Windows to only allow applications installed in a\n secure location on the file system, such as the Program Files or the\n Windows\\\\System32 
folders, to run with elevated privileges.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73717'\n tag \"rid\": 'SV-88381r1_rule'\n tag \"stig_id\": 'WN16-SO-000510'\n tag \"fix_id\": 'F-80167r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Only elevate UIAccess applications that are installed in\n secure locations to Enabled.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableSecureUIAPaths' }\n its('EnableSecureUIAPaths') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": 
"./Windows 2016 STIG/controls/V-73255.rb", + "ref": "./Windows 2016 STIG/controls/V-73717.rb", "line": 1 }, - "id": "V-73255" + "id": "V-73717" }, { - "title": "PKI certificates associated with user accounts must be issued by the\n DoD PKI or an approved External Certificate Authority (ECA).", - "desc": "A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions.", + "title": "Windows Server 2016 must be configured to audit System - System\n Integrity failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", "descriptions": { - "default": "A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review user account mappings to PKI certificates.\n\n Open Windows PowerShell.\n\n Enter Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n\n If the User Principal Name (UPN) is not in the format of an individual's\n identifier for the certificate type and for the appropriate domain suffix, this\n is a finding.\n\n For standard NIPRNet certificates the individual's identifier is in the format\n of an Electronic Data Interchange - Personnel Identifier (EDI-PI).\n\n Alt Tokens and other certificates may use a different UPN format than the\n EDI-PI which vary by organization. Verified these with the organization.\n\n NIPRNet Example:\n Name - User Principal Name\n User1 - 1234567890@mil\n\n See PKE documentation for other network domain suffixes.\n\n If the mappings are to certificates issued by a CA authorized by the\n Component's CIO, this is a CAT II finding.", - "fix": "Map user accounts to PKI certificates using the appropriate User\n Principal Name (UPN) for the network. See PKE documentation for details." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit System Integrity with Failure\n selected." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000066-GPOS-00034", - "gid": "V-73615", - "rid": "SV-88279r2_rule", - "stig_id": "WN16-DC-000300", - "fix_id": "F-80065r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000471-GPOS-00216", + "SRG-OS-000477-GPOS-00222" + ], + "gid": "V-73491", + "rid": "SV-88143r1_rule", + "stig_id": "WN16-AU-000450", + "fix_id": "F-79933r1_fix", "cci": [ - "CCI-000185" + "CCI-000172", + "CCI-002234" ], "nist": [ - "IA-5 (2) (a)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73615' do\n title \"PKI certificates associated with user accounts must be issued by the\n DoD PKI or an approved External Certificate Authority (ECA).\"\n desc \"A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"gid\": 'V-73615'\n tag \"rid\": 'SV-88279r2_rule'\n tag \"stig_id\": 'WN16-DC-000300'\n tag \"fix_id\": 'F-80065r1_fix'\n tag \"cci\": ['CCI-000185']\n tag \"nist\": ['IA-5 (2) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review user account mappings to PKI certificates.\n\n Open Windows PowerShell.\n\n Enter Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled.\n\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n\n If the User Principal Name (UPN) is not in the format of an individual's\n identifier for the certificate type and for the appropriate domain suffix, this\n is a finding.\n\n For standard NIPRNet certificates the individual's identifier is in the format\n of an Electronic Data Interchange - Personnel Identifier (EDI-PI).\n\n Alt Tokens and other certificates may use a different UPN format than the\n EDI-PI which vary by organization. Verified these with the organization.\n\n NIPRNet Example:\n Name - User Principal Name\n User1 - 1234567890@mil\n\n See PKE documentation for other network domain suffixes.\n\n If the mappings are to certificates issued by a CA authorized by the\n Component's CIO, this is a CAT II finding.\"\n desc \"fix\", \"Map user accounts to PKI certificates using the appropriate User\n Principal Name (UPN) for the network. 
See PKE documentation for details.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.to_s.strip\n query = 'Get-ADUser -Filter \\'enabled -eq $true\\' | Select-Object -Property Name, UserPrincipalName | ConvertTo-Json'\n\n if domain_role == '4' || domain_role == '5'\n json({ command: query }).each do |user|\n describe json({ content: user.to_json }) do\n its('UserPrincipalName') { should match(/[\\w*]@mil/) }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73491' do\n title \"Windows Server 2016 must be configured to audit System - System\n Integrity failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000471-GPOS-00215',\n 'SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag \"gid\": 'V-73491'\n tag \"rid\": 'SV-88143r1_rule'\n tag \"stig_id\": 'WN16-AU-000450'\n tag \"fix_id\": 'F-79933r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit System Integrity with Failure\n selected.\"\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Failure' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'System Integrity'\") do\n its('stdout') { should match /System Integrity Failure/ }\n end\n describe 
command(\"AuditPol /get /category:* | Findstr /c:'System Integrity'\") do\n its('stdout') { should match /System Integrity Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73615.rb", + "ref": "./Windows 2016 STIG/controls/V-73491.rb", "line": 1 }, - "id": "V-73615" + "id": "V-73491" }, { - "title": "The Enable computer and user accounts to be trusted for delegation\n user right must not be assigned to any groups or accounts on member servers.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.", + "title": "Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data.", + "desc": "Directory data that is not appropriately encrypted is subject to\n compromise. Commercial-grade encryption does not provide adequate protection\n when the classification level of directory data in transit is higher than the\n level of the network.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.", - "check": "This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Enable computer and user accounts\n to be trusted for delegation user right, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Enable computer and user accounts to be trusted for delegation to be\n defined but containing no entries (blank)." + "default": "Directory data that is not appropriately encrypted is subject to\n compromise. Commercial-grade encryption does not provide adequate protection\n when the classification level of directory data in transit is higher than the\n level of the network.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the organization network diagram(s) or documentation to determine the\n level of classification for the network(s) over which replication data is\n transmitted.\n\n Determine the classification level of the Windows domain controller.\n\n If the classification level of the Windows domain controller is higher than the\n level of the networks, review the organization network diagram(s) and directory\n implementation documentation to determine if NSA-approved encryption is used to\n protect the replication network traffic.\n\n If the classification level of the Windows domain controller is higher than the\n level of the network traversed and NSA-approved encryption is not used, this is\n a finding.", + "fix": "Configure NSA-approved (Type 1) cryptography to protect the\n directory data in transit for directory service implementations at a classified\n confidentiality level that transfer replication data through a network cleared\n to a lower level than the data." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73779", - "rid": "SV-88443r1_rule", - "stig_id": "WN16-MS-000420", - "fix_id": "F-80229r1_fix", + "gtitle": "SRG-OS-000396-GPOS-00176", + "gid": "V-73383", + "rid": "SV-88035r1_rule", + "stig_id": "WN16-DC-000140", + "fix_id": "F-79825r1_fix", "cci": [ - "CCI-002235" + "CCI-002450" ], "nist": [ - "AC-6 (10)", + "SC-13", "Rev_4" ], "documentable": false }, - "code": "control 'V-73779' do\n title \"The Enable computer and user accounts to be trusted for delegation\n user right must not be assigned to any groups or accounts on member servers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. 
This could\n allow unauthorized users to impersonate other users.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73779'\n tag \"rid\": 'SV-88443r1_rule'\n tag \"stig_id\": 'WN16-MS-000420'\n tag \"fix_id\": 'F-80229r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Enable computer and user accounts\n to be trusted for delegation user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Enable computer and user accounts to be trusted for delegation to be\n defined but containing no entries (blank).\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if !(domain_role == '4') && !(domain_role == '5')\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq [] }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n end\nend\n", + "code": "control 'V-73383' do\n title \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when 
replication data traverses a network\n cleared to a lower level than the data.\"\n desc \"Directory data that is not appropriately encrypted is subject to\n compromise. Commercial-grade encryption does not provide adequate protection\n when the classification level of directory data in transit is higher than the\n level of the network.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000396-GPOS-00176'\n tag \"gid\": 'V-73383'\n tag \"rid\": 'SV-88035r1_rule'\n tag \"stig_id\": 'WN16-DC-000140'\n tag \"fix_id\": 'F-79825r1_fix'\n tag \"cci\": ['CCI-002450']\n tag \"nist\": ['SC-13', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Review the organization network diagram(s) or documentation to determine the\n level of classification for the network(s) over which replication data is\n transmitted.\n\n Determine the classification level of the Windows domain controller.\n\n If the classification level of the Windows domain controller is higher than the\n level of the networks, review the organization network diagram(s) and directory\n implementation documentation to determine if NSA-approved encryption is used to\n protect the replication network traffic.\n\n If the classification level of the Windows domain controller is higher than the\n level of the network traversed and NSA-approved encryption is not used, this is\n a finding.\"\n desc \"fix\", \"Configure NSA-approved (Type 1) cryptography to protect the\n directory data in transit for directory service implementations at a classified\n confidentiality level that transfer replication data through a network cleared\n to a lower level than the data.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations 
at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data.\" do\n skip \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data is a manual check\"\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73779.rb", + "ref": "./Windows 2016 STIG/controls/V-73383.rb", "line": 1 }, - "id": "V-73779" + "id": "V-73383" }, { - "title": "Windows Server 2016 must be configured to audit System - System\n Integrity successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", + "title": "Windows Server 2016 must be configured to audit Policy Change - Audit\n Policy Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit System Integrity with Success\n selected." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Audit Policy Change with\n Success selected." }, "impact": 0.5, "refs": [], @@ -2576,14 +2565,14 @@ "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ "SRG-OS-000327-GPOS-00127", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000471-GPOS-00216", - "SRG-OS-000477-GPOS-00222" + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-73489", - "rid": "SV-88141r1_rule", - "stig_id": "WN16-AU-000440", - "fix_id": "F-79931r1_fix", + "gid": "V-73461", + "rid": "SV-88113r1_rule", + "stig_id": "WN16-AU-000310", + "fix_id": "F-79903r1_fix", "cci": [ "CCI-000172", "CCI-002234" 
@@ -2595,890 +2584,849 @@ ], "documentable": false }, - "code": "control 'V-73489' do\n title \"Windows Server 2016 must be configured to audit System - System\n Integrity successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000471-GPOS-00215',\n 'SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag \"gid\": 'V-73489'\n tag \"rid\": 'SV-88141r1_rule'\n tag \"stig_id\": 'WN16-AU-000440'\n tag \"fix_id\": 'F-79931r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit System 
Integrity with Success\n selected.\"\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Success' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'System Integrity'\") do\n its('stdout') { should match /System Integrity Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'System Integrity'\") do\n its('stdout') { should match /System Integrity Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73461' do\n title \"Windows Server 2016 must be configured to audit Policy Change - Audit\n Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73461'\n tag \"rid\": 'SV-88113r1_rule'\n tag \"stig_id\": 'WN16-AU-000310'\n tag \"fix_id\": 'F-79903r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit 
Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Audit Policy Change with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Audit Policy Change'\") do\n its('stdout') { should match /Audit Policy Change Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Audit Policy Change'\") do\n its('stdout') { should match /Audit Policy Change Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73489.rb", + "ref": "./Windows 2016 STIG/controls/V-73461.rb", "line": 1 }, - "id": "V-73489" + "id": "V-73461" }, { - "title": "Directory data (outside the root DSE) of a non-public directory must\n be configured to prevent anonymous access.", - "desc": "To the extent that anonymous access to directory data (outside the\n root DSE) is permitted, read access control of the data is effectively\n disabled. 
If other means of controlling access (such as network restrictions)\n are compromised, there may be nothing else to protect the confidentiality of\n sensitive directory data.", + "title": "The Windows Installer Always install with elevated privileges option\n must be disabled.", + "desc": "Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.", "descriptions": { - "default": "To the extent that anonymous access to directory data (outside the\n root DSE) is permitted, read access control of the data is effectively\n disabled. If other means of controlling access (such as network restrictions)\n are compromised, there may be nothing else to protect the confidentiality of\n sensitive directory data.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Open Command Prompt (not elevated).\n\n Run ldp.exe.\n\n From the Connection menu, select Bind.\n\n Clear the User, Password, and Domain fields.\n\n Select Simple bind for the Bind type and click OK.\n\n Confirmation of anonymous access will be displayed at the end:\n\n res = ldap_simple_bind_s\n Authenticated as: 'NT AUTHORITY\\ANONYMOUS LOGON'\n\n From the Browse menu, select Search.\n\n In the Search dialog, enter the DN of the domain naming context (generally\n something like dc=disaost,dc=mil) in the Base DN field.\n\n Clear the Attributes field and select Run.\n\n Error messages should display related to Bind and user not authenticated.\n\n If attribute data is displayed, anonymous access is enabled to the domain\n naming context and this is a finding.\n\n The following network controls allow the finding severity to be downgraded to a\n CAT II since these measures lower the risk associated with anonymous access.\n\n Network hardware ports at the site are subject to 802.1x authentication or MAC\n address 
restrictions.\n\n Premise firewall or host restrictions prevent access to ports 389, 636, 3268,\n and 3269 from client hosts not explicitly identified by domain (.mil) or IP\n address.", - "fix": "Configure directory data (outside the root DSE) of a non-public\n directory to prevent anonymous access.\n\n For AD, there are multiple configuration items that could enable anonymous\n access.\n\n Changing the access permissions on the domain naming context object (from the\n secure defaults) could enable anonymous access. If the check procedures\n indicate this is the cause, the process that was used to change the permissions\n should be reversed. This could have been through the Windows Support Tools ADSI\n Edit console (adsiedit.msc).\n\n The dsHeuristics option is used. This is addressed in check V-8555 in the AD\n Forest STIG." + "default": "Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: AlwaysInstallElevated\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> Always\n install with elevated privileges to Disabled." 
}, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73385", - "rid": "SV-88037r1_rule", - "stig_id": "WN16-DC-000150", - "fix_id": "F-79827r1_fix", + "gtitle": "SRG-OS-000362-GPOS-00149", + "gid": "V-73585", + "rid": "SV-88249r1_rule", + "stig_id": "WN16-CC-000460", + "fix_id": "F-80035r1_fix", "cci": [ - "CCI-000366" + "CCI-001812" ], "nist": [ - "CM-6 b", + "CM-11 (2)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73385' do\n title \"Directory data (outside the root DSE) of a non-public directory must\n be configured to prevent anonymous access.\"\n desc \"To the extent that anonymous access to directory data (outside the\n root DSE) is permitted, read access control of the data is effectively\n disabled. If other means of controlling access (such as network restrictions)\n are compromised, there may be nothing else to protect the confidentiality of\n sensitive directory data.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73385'\n tag \"rid\": 'SV-88037r1_rule'\n tag \"stig_id\": 'WN16-DC-000150'\n tag \"fix_id\": 'F-79827r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Open Command Prompt (not elevated).\n\n Run ldp.exe.\n\n From the Connection menu, select Bind.\n\n Clear the User, Password, and Domain fields.\n\n Select Simple bind for the Bind type and click OK.\n\n Confirmation of anonymous access will be displayed at the end:\n\n res = ldap_simple_bind_s\n Authenticated as: 'NT AUTHORITY\\\\ANONYMOUS LOGON'\n\n From the Browse menu, select Search.\n\n In the Search dialog, enter the DN of the domain naming context (generally\n something like dc=disaost,dc=mil) in the Base DN field.\n\n Clear the Attributes field and select Run.\n\n Error messages should display related to Bind and user not authenticated.\n\n If attribute data is displayed, anonymous access is enabled to the domain\n naming context and this is a finding.\n\n The following network controls allow the finding severity to be downgraded to a\n CAT II since these measures lower the risk associated with anonymous access.\n\n Network hardware ports at the site are subject to 802.1x authentication or MAC\n address restrictions.\n\n Premise firewall or host restrictions prevent access to ports 389, 636, 3268,\n and 3269 from client hosts not explicitly identified by domain (.mil) or IP\n address.\"\n desc \"fix\", \"Configure directory data (outside the root DSE) of a non-public\n directory to prevent anonymous access.\n\n For AD, there are multiple configuration items that could enable anonymous\n access.\n\n Changing the access permissions on the domain naming context object (from the\n secure defaults) could enable anonymous access. If the check procedures\n indicate this is the cause, the process that was used to change the permissions\n should be reversed. This could have been through the Windows Support Tools ADSI\n Edit console (adsiedit.msc).\n\n The dsHeuristics option is used. 
This is addressed in check V-8555 in the AD\n Forest STIG.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 'Directory data (outside the root DSE) of a non-public directory must\n be configured to prevent anonymous access.' do\n skip 'Directory data (outside the root DSE) of a non-public directory must\n be configured to prevent anonymous access is a manual control'\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73585' do\n title \"The Windows Installer Always install with elevated privileges option\n must be disabled.\"\n desc \"Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000362-GPOS-00149'\n tag \"gid\": 'V-73585'\n tag \"rid\": 'SV-88249r1_rule'\n tag \"stig_id\": 'WN16-CC-000460'\n tag \"fix_id\": 'F-80035r1_fix'\n tag \"cci\": ['CCI-001812']\n tag \"nist\": ['CM-11 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: AlwaysInstallElevated\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> Always\n install 
with elevated privileges to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer') do\n it { should have_property 'AlwaysInstallElevated' }\n its('AlwaysInstallElevated') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73385.rb", + "ref": "./Windows 2016 STIG/controls/V-73585.rb", "line": 1 }, - "id": "V-73385" + "id": "V-73585" }, { - "title": "The Force shutdown from a remote system user right must only be\n assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Force shutdown from a remote system user right can\n remotely shut down a system, which could result in a denial of service.", + "title": "User Account Control must be configured to detect application\n installations and prompt for elevation.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Force shutdown from a remote system user right can\n remotely shut down a system, which could result in a denial of service.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Force\n shutdown from a remote system user right, this is a finding.\n\n - Administrators", - "fix": "Configure the policy value for Computer Configuration >> 
Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Force shutdown from a remote system to include only the following accounts\n or groups:\n\n - Administrators" + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.", + "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Detect application installations and prompt for elevation to\n Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73781", - "rid": "SV-88445r1_rule", - "stig_id": "WN16-UR-000200", - "fix_id": "F-80231r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-73715", + "rid": "SV-88379r1_rule", + "stig_id": "WN16-SO-000500", + "fix_id": "F-80165r1_fix", "cci": [ - "CCI-002235" + "CCI-001084" ], "nist": [ - "AC-6 (10)", + "SC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73781' do\n title \"The Force shutdown from a remote system user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Force shutdown from a remote system user right can\n remotely shut down a system, which could result in a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73781'\n tag \"rid\": 'SV-88445r1_rule'\n tag \"stig_id\": 'WN16-UR-000200'\n tag \"fix_id\": 'F-80231r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Force\n shutdown from a remote system user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Force shutdown from a remote system to include only the following accounts\n or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeRemoteShutdownPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n 
its('SeRemoteShutdownPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73715' do\n title \"User Account Control must be configured to detect application\n installations and prompt for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73715'\n tag \"rid\": 'SV-88379r1_rule'\n tag \"stig_id\": 'WN16-SO-000500'\n tag \"fix_id\": 'F-80165r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Detect application installations and prompt for elevation to\n Enabled.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableInstallerDetection' }\n its('EnableInstallerDetection') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73781.rb", + "ref": "./Windows 2016 STIG/controls/V-73715.rb", "line": 1 }, - "id": "V-73781" + "id": "V-73715" }, { - "title": "The directory service must be configured to terminate LDAP-based\n network connections to the directory server after 5 minutes of inactivity.", - "desc": "The failure to terminate inactive network connections increases the\n risk of a successful attack on the directory server. The longer an established\n session is in progress, the more time an attacker has to hijack the session,\n implement a means to passively intercept data, or compromise any protections on\n client access. For example, if an attacker gains control of a client computer,\n an existing (already authenticated) session with the directory server could\n allow access to the directory. The lack of confidentiality protection in\n LDAP-based sessions increases exposure to this vulnerability.", + "title": "Windows Server 2016 must be configured to audit Account Management -\n Other Account Management Events successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\n password hash or the Password Policy Checking API being called.", "descriptions": { - "default": "The failure to terminate inactive network connections increases the\n risk of a successful attack on the directory server. The longer an established\n session is in progress, the more time an attacker has to hijack the session,\n implement a means to passively intercept data, or compromise any protections on\n client access. For example, if an attacker gains control of a client computer,\n an existing (already authenticated) session with the directory server could\n allow access to the directory. The lack of confidentiality protection in\n LDAP-based sessions increases exposure to this vulnerability.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter ntdsutil.\n\n At the ntdsutil: prompt, enter LDAP policies.\n\n At the ldap policy: prompt, enter connections.\n\n At the server connections: prompt, enter connect to server [host-name]\n (where [host-name] is the computer name of the domain controller).\n\n At the server connections: prompt, enter q.\n\n At the ldap policy: prompt, enter show values.\n\n If the value for MaxConnIdleTime is greater than 300 (5 minutes) or is not\n specified, this is a finding.\n\n Enter q at the ldap policy: and ntdsutil: prompts to exit.\n\n Alternately, Dsquery can be used to display MaxConnIdleTime:\n\n Open Command Prompt (Admin).\n Enter the following command (on a single line).\n\n dsquery * cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,\n cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name] -attr\n LDAPAdminLimits\n\n The quotes are required and dc=[forest-name] is the fully qualified LDAP name\n of the domain being reviewed (e.g., dc=disaost,dc=mil).\n\n If the results do not specify a MaxConnIdleTime or it has a value greater\n than 300 (5 minutes), this is a finding.", - "fix": "Configure the directory service to terminate LDAP-based network\n connections to the directory server after 5 minutes of inactivity.\n\n Open an elevated Command prompt (run as administrator).\n\n Enter ntdsutil.\n\n At the ntdsutil: prompt, enter LDAP policies.\n\n At the ldap policy: prompt, enter connections.\n\n At the server connections: prompt, enter connect to server [host-name]\n (where [host-name] is the computer name of the domain controller).\n\n At the server connections: prompt, enter q.\n\n At the ldap policy: prompt, enter Set MaxConnIdleTime to 300.\n\n Enter Commit Changes to save.\n\n Enter Show values to verify changes.\n\n Enter q at the ldap policy: and ntdsutil: prompts to exit." 
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\n password hash or the Password Policy Checking API being called.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Other Account Management Events - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Other Account Management\n Events with Success selected." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000163-GPOS-00072", - "gid": "V-73387", - "rid": "SV-88039r1_rule", - "stig_id": "WN16-DC-000160", - "fix_id": "F-79829r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000466-GPOS-00210" + ], + "gid": "V-73419", + "rid": "SV-88071r1_rule", + "stig_id": "WN16-AU-000100", + "fix_id": "F-79861r1_fix", "cci": [ - "CCI-001133" + "CCI-000172", + "CCI-002234" ], "nist": [ - "SC-10", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73387' do\n title \"The directory service must be configured to terminate LDAP-based\n network connections to the directory server after 5 minutes of inactivity.\"\n desc \"The failure to terminate inactive network connections increases the\n risk of a successful attack on the directory server. The longer an established\n session is in progress, the more time an attacker has to hijack the session,\n implement a means to passively intercept data, or compromise any protections on\n client access. For example, if an attacker gains control of a client computer,\n an existing (already authenticated) session with the directory server could\n allow access to the directory. The lack of confidentiality protection in\n LDAP-based sessions increases exposure to this vulnerability.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000163-GPOS-00072'\n tag \"gid\": 'V-73387'\n tag \"rid\": 'SV-88039r1_rule'\n tag \"stig_id\": 'WN16-DC-000160'\n tag \"fix_id\": 'F-79829r1_fix'\n tag \"cci\": ['CCI-001133']\n tag \"nist\": ['SC-10', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter ntdsutil.\n\n At the ntdsutil: prompt, enter LDAP policies.\n\n At the ldap policy: prompt, enter connections.\n\n At the server connections: prompt, enter connect to server [host-name]\n (where [host-name] is the computer name of the domain controller).\n\n At the server connections: prompt, enter q.\n\n At the ldap policy: prompt, enter show values.\n\n If the value for MaxConnIdleTime is greater than 300 (5 minutes) or is not\n specified, this is a finding.\n\n Enter q at the ldap policy: and ntdsutil: prompts to exit.\n\n Alternately, Dsquery can be used to display MaxConnIdleTime:\n\n Open Command Prompt (Admin).\n Enter the following command (on a single line).\n\n dsquery * cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,\n cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name] -attr\n LDAPAdminLimits\n\n The quotes are required and dc=[forest-name] is the fully qualified LDAP name\n of the domain being reviewed (e.g., dc=disaost,dc=mil).\n\n If the results do not specify a MaxConnIdleTime or it has a value greater\n than 300 (5 minutes), this is a finding.\"\n desc \"fix\", \"Configure the directory service to terminate LDAP-based network\n connections to the directory server after 5 minutes of inactivity.\n\n Open an elevated Command prompt (run as administrator).\n\n Enter ntdsutil.\n\n At the ntdsutil: prompt, enter LDAP policies.\n\n At the ldap policy: prompt, enter connections.\n\n At the server connections: prompt, enter connect to server [host-name]\n (where [host-name] is the computer name of the domain controller).\n\n At the server connections: prompt, enter q.\n\n At the ldap policy: prompt, enter Set MaxConnIdleTime to 300.\n\n Enter Commit Changes to save.\n\n Enter Show values to verify changes.\n\n Enter q at the ldap policy: and ntdsutil: prompts to exit.\"\n max_conn_idle_time = input('max_conn_idle_time')\n domain_role = 
command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n query = command(\"dsquery * \\\"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,\" + input('forrest') + \"\\\" -attr LDAPAdminLimits\").stdout\n ldap_admin_limits = parse_config(query.gsub(/;/, \"\\n\")).params\n describe \"MaxConnIdleTime is configured\" do\n subject { ldap_admin_limits }\n it { should include 'MaxConnIdleTime' }\n end\n describe \"The MaxConnIdleTime\" do\n subject { ldap_admin_limits['MaxConnIdleTime'] }\n it { should cmp <= 300 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73419' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n Other Account Management Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\n password hash or the Password Policy Checking API being called.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73419'\n tag \"rid\": 'SV-88071r1_rule'\n tag \"stig_id\": 'WN16-AU-000100'\n tag \"fix_id\": 'F-79861r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Other Account Management Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Other Account Management\n Events with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Other Account Management Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Account Management Events') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get 
/category:* | Findstr /c:'Other Account Management Events'\") do\n its('stdout') { should match /Other Account Management Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other Account Management Events'\") do\n its('stdout') { should match /Other Account Management Events Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73387.rb", + "ref": "./Windows 2016 STIG/controls/V-73419.rb", "line": 1 }, - "id": "V-73387" + "id": "V-73419" }, { - "title": "The Windows Remote Management (WinRM) service must not use Basic\n authentication.", - "desc": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.", + "title": "Windows Server 2016 must be configured to audit Object Access -\n Removable Storage failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.", "descriptions": { - "default": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. 
Disabling Basic authentication will reduce this potential.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Allow Basic authentication to Disabled." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Failure\n\n Virtual machines or systems that use network attached storage may generate\n excessive audit events for secondary virtual drives or the network attached\n storage when this setting is enabled. 
This may be set to Not Configured in such\n cases and would not be a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> Audit Removable Storage with Failure\n selected." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000125-GPOS-00065", - "gid": "V-73599", - "rid": "SV-88263r1_rule", - "stig_id": "WN16-CC-000530", - "fix_id": "F-80049r1_fix", + "gtitle": "SRG-OS-000474-GPOS-00219", + "gid": "V-73459", + "rid": "SV-88111r1_rule", + "stig_id": "WN16-AU-000300", + "fix_id": "F-79901r1_fix", "cci": [ - "CCI-000877" + "CCI-000172" ], "nist": [ - "MA-4 c", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73599' do\n title \"The Windows Remote Management (WinRM) service must not use Basic\n authentication.\"\n desc \"Basic authentication uses plain-text passwords that could be used to\n compromise a system. 
Disabling Basic authentication will reduce this potential.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000125-GPOS-00065'\n tag \"gid\": 'V-73599'\n tag \"rid\": 'SV-88263r1_rule'\n tag \"stig_id\": 'WN16-CC-000530'\n tag \"fix_id\": 'F-80049r1_fix'\n tag \"cci\": ['CCI-000877']\n tag \"nist\": ['MA-4 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Allow Basic authentication to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73459' do\n title \"Windows Server 2016 must be configured to audit Object Access -\n Removable Storage failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000474-GPOS-00219'\n tag \"gid\": 'V-73459'\n tag \"rid\": 'SV-88111r1_rule'\n tag \"stig_id\": 'WN16-AU-000300'\n tag \"fix_id\": 'F-79901r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Failure\n\n Virtual machines or systems that use network attached storage may generate\n excessive audit events for secondary virtual drives or the network attached\n storage when this setting is enabled. 
This may be set to Not Configured in such\n cases and would not be a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> Audit Removable Storage with Failure\n selected.\"\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Removable Storage'\") do\n its('stdout') { should match /Removable Storage Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Removable Storage'\") do\n its('stdout') { should match /Removable Storage Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73599.rb", + "ref": "./Windows 2016 STIG/controls/V-73459.rb", "line": 1 }, - "id": "V-73599" + "id": "V-73459" }, { - "title": "Anonymous SID/Name translation must not be allowed.", - "desc": "Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.", + "title": "Windows Server 2016 must automatically remove or disable emergency\n accounts after the crisis is resolved or within 72 hours.", + "desc": "Emergency administrator accounts are privileged accounts established\n in response to crisis situations where the need for rapid account activation is\n required. Therefore, emergency account activation may bypass normal account\n authorization processes. 
If these accounts are automatically disabled, system\n maintenance during emergencies may not be possible, thus adversely affecting\n system availability.\n\n Emergency administrator accounts are different from infrequently used\n accounts (i.e., local logon accounts used by system administrators when network\n or normal logon/access is not available). Infrequently used accounts are not\n subject to automatic termination dates. Emergency accounts are accounts created\n in response to crisis situations, usually for use by maintenance personnel. The\n automatic expiration or disabling time period may be extended as needed until\n the crisis is resolved; however, it must not be extended indefinitely. A\n permanent account should be established for privileged users who need long-term\n maintenance accounts.\n\n To address access requirements, many operating systems can be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.", "descriptions": { - "default": "Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Network access: Allow anonymous SID/Name translation is\n not set to Disabled, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Allow anonymous SID/Name translation to Disabled." + "default": "Emergency administrator accounts are privileged accounts established\n in response to crisis situations where the need for rapid account activation is\n required. 
Therefore, emergency account activation may bypass normal account\n authorization processes. If these accounts are automatically disabled, system\n maintenance during emergencies may not be possible, thus adversely affecting\n system availability.\n\n Emergency administrator accounts are different from infrequently used\n accounts (i.e., local logon accounts used by system administrators when network\n or normal logon/access is not available). Infrequently used accounts are not\n subject to automatic termination dates. Emergency accounts are accounts created\n in response to crisis situations, usually for use by maintenance personnel. The\n automatic expiration or disabling time period may be extended as needed until\n the crisis is resolved; however, it must not be extended indefinitely. A\n permanent account should be established for privileged users who need long-term\n maintenance accounts.\n\n To address access requirements, many operating systems can be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.", + "check": "Determine if emergency administrator accounts are used and\n identify any that exist. 
If none exist, this is NA.\n\n If emergency administrator accounts cannot be configured with an expiration\n date due to an ongoing crisis, the accounts must be disabled or removed when\n the crisis is resolved.\n\n If emergency administrator accounts have not been configured with an expiration\n date or have not been disabled or removed following the resolution of a crisis,\n this is a finding.\n\n Domain Controllers:\n\n Open PowerShell.\n\n Enter Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate.\n\n If AccountExpirationDate has been defined and is not within 72 hours for an\n emergency administrator account, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Run Net user [username], where [username] is the name of the emergency\n account.\n\n If Account expires has been defined and is not within 72 hours for an\n emergency administrator account, this is a finding.", + "fix": "Remove emergency administrator accounts after a crisis has been\n resolved or configure the accounts to automatically expire within 72 hours.\n\n Domain accounts can be configured with an account expiration date, under\n Account properties.\n\n Local accounts can be configured to expire with the command Net user\n [username] /expires:[mm/dd/yyyy], where username is the name of the temporary\n user account." 
},
- "impact": 0.7,
+ "impact": 0,
"refs": [],
"tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-73665",
- "rid": "SV-88329r1_rule",
- "stig_id": "WN16-SO-000250",
- "fix_id": "F-80115r1_fix",
+ "gtitle": "SRG-OS-000123-GPOS-00064",
+ "gid": "V-73285",
+ "rid": "SV-87937r1_rule",
+ "stig_id": "WN16-00-000340",
+ "fix_id": "F-79729r1_fix",
"cci": [
- "CCI-000366"
+ "CCI-001682"
],
"nist": [
- "CM-6 b",
+ "AC-2 (2)",
"Rev_4"
],
"documentable": false
},
- "code": "control 'V-73665' do\n title 'Anonymous SID/Name translation must not be allowed.'\n desc \"Allowing anonymous SID/Name translation can provide sensitive\n information for accessing a system. Only authorized users must be able to\n perform such translations.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73665'\n tag \"rid\": 'SV-88329r1_rule'\n tag \"stig_id\": 'WN16-SO-000250'\n tag \"fix_id\": 'F-80115r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Network access: Allow anonymous SID/Name translation is\n not set to Disabled, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Allow anonymous SID/Name translation to Disabled.\"\n describe security_policy do\n its('LSAAnonymousNameLookup') { should eq 0 }\n end\nend\n",
+ "code": "control 'V-73285' do\n title \"Windows Server 2016 must automatically remove or disable emergency\n accounts after the crisis is resolved or within 72 hours.\"\n desc \"Emergency administrator accounts are privileged accounts established\n in response to crisis situations where the 
need for rapid account activation is\n required. Therefore, emergency account activation may bypass normal account\n authorization processes. If these accounts are automatically disabled, system\n maintenance during emergencies may not be possible, thus adversely affecting\n system availability.\n\n Emergency administrator accounts are different from infrequently used\n accounts (i.e., local logon accounts used by system administrators when network\n or normal logon/access is not available). Infrequently used accounts are not\n subject to automatic termination dates. Emergency accounts are accounts created\n in response to crisis situations, usually for use by maintenance personnel. The\n automatic expiration or disabling time period may be extended as needed until\n the crisis is resolved; however, it must not be extended indefinitely. A\n permanent account should be established for privileged users who need long-term\n maintenance accounts.\n\n To address access requirements, many operating systems can be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000123-GPOS-00064'\n tag \"gid\": 'V-73285'\n tag \"rid\": 'SV-87937r1_rule'\n tag \"stig_id\": 'WN16-00-000340'\n tag \"fix_id\": 'F-79729r1_fix'\n tag \"cci\": ['CCI-001682']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if emergency administrator accounts are used and\n identify any that exist. 
If none exist, this is NA.\n\n If emergency administrator accounts cannot be configured with an expiration\n date due to an ongoing crisis, the accounts must be disabled or removed when\n the crisis is resolved.\n\n If emergency administrator accounts have not been configured with an expiration\n date or have not been disabled or removed following the resolution of a crisis,\n this is a finding.\n\n Domain Controllers:\n\n Open PowerShell.\n\n Enter Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate.\n\n If AccountExpirationDate has been defined and is not within 72 hours for an\n emergency administrator account, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Run Net user [username], where [username] is the name of the emergency\n account.\n\n If Account expires has been defined and is not within 72 hours for an\n emergency administrator account, this is a finding.\"\n desc \"fix\", \"Remove emergency administrator accounts after a crisis has been\n resolved or configure the accounts to automatically expire within 72 hours.\n\n Domain accounts can be configured with an account expiration date, under\n Account properties.\n\n Local accounts can be configured to expire with the command Net user\n [username] /expires:[mm/dd/yyyy], where username is the name of the temporary\n user account.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n emergency_accounts_list = input('emergency_accounts')\n emergency_accounts_data = []\n \n if emergency_accounts_list == [nil]\n impact 0.0\n describe 'This control is not applicable as no emergency accounts were listed as an input' do\n skip 'This control is not applicable as no emergency accounts were listed as an input'\n end\n else\n if domain_role == '4' || domain_role == '5'\n emergency_accounts_list.each do |emergency_account|\n emergency_accounts_data << json({ command: \"Get-ADUser -Identity #{emergency_account} 
-Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\"}).params\n end\n if emergency_accounts_data.empty?\n impact 0.0\n describe 'This control is not applicable as account information was not found for the listed emergency accounts' do\n skip 'This control is not applicable as account information was not found for the listed emergency accounts'\n end\n else\n emergency_accounts_data.each do |emergency_account|\n account_name = emergency_account.fetch(\"SamAccountName\")\n if emergency_account.fetch(\"WhenCreated\") == nil\n describe \"#{account_name} account's creation date\" do\n subject { emergency_account.fetch(\"WhenCreated\") }\n it { should_not eq nil}\n end\n elsif emergency_account.fetch(\"AccountExpirationDate\") == nil\n describe \"#{account_name} account's expiration date\" do\n subject { emergency_account.fetch(\"AccountExpirationDate\") }\n it { should_not eq nil}\n end\n else\n creation_date = Date.parse(emergency_account.fetch(\"WhenCreated\"))\n expiration_date = Date.parse(emergency_account.fetch(\"AccountExpirationDate\"))\n date_difference = expiration_date.mjd - creation_date.mjd\n describe \"Account expiration set for #{account_name}\" do\n subject { date_difference }\n it { should cmp <= input('emergency_account_period')}\n end\n end\n end\n end\n\n else\n emergency_accounts_list.each do |emergency_account|\n emergency_accounts_data << json({ command: \"Get-LocalUser -Name #{emergency_account} | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\"}).params\n end\n if emergency_accounts_data.empty?\n impact 0.0\n describe 'This control is not applicable as account 
information was not found for the listed emergency accounts' do\n skip 'This control is not applicable as account information was not found for the listed emergency accounts'\n end\n else\n emergency_accounts_data.each do |emergency_account|\n user_name = emergency_account.fetch(\"Name\")\n if emergency_account.fetch(\"PasswordLastSet\") == nil\n describe \"#{user_name} account's password last set date\" do\n subject { emergency_account.fetch(\"PasswordLastSet\") }\n it { should_not eq nil}\n end\n elsif emergency_account.fetch(\"AccountExpires\") == nil\n describe \"#{user_name} account's expiration date\" do\n subject { emergency_account.fetch(\"AccountExpires\") }\n it { should_not eq nil}\n end\n else\n password_date = Date.parse(emergency_account.fetch(\"PasswordLastSet\"))\n expiration_date = Date.parse(emergency_account.fetch(\"AccountExpires\"))\n date_difference = expiration_date.mjd - password_date.mjd\n describe \"Account expiration set for #{user_name}\" do\n subject { date_difference }\n it { should cmp <= input('emergency_account_period')}\n end\n end\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73665.rb", + "ref": "./Windows 2016 STIG/controls/V-73285.rb", "line": 1 }, - "id": "V-73665" + "id": "V-73285" }, { - "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Logon\n failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. 
If it is to a network share, it is recorded on the system\n accessed.", + "title": "Passwords must not be saved in the Remote Desktop Client.", + "desc": "Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logon with Failure selected." 
+ "default": "Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: DisablePasswordSaving\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Connection Client >> Do not allow passwords to be saved to\n Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000032-GPOS-00013", + "gtitle": "SRG-OS-000373-GPOS-00157", "satisfies": [ - "SRG-OS-000032-GPOS-00013", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000472-GPOS-00217", - "SRG-OS-000473-GPOS-00218", - "SRG-OS-000475-GPOS-00220" + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" ], - "gid": "V-73453", - "rid": "SV-88105r1_rule", - "stig_id": "WN16-AU-000270", - "fix_id": "F-79895r1_fix", + "gid": "V-73567", + "rid": "SV-88231r1_rule", + "stig_id": "WN16-CC-000370", + "fix_id": "F-80017r1_fix", "cci": [ - "CCI-000067", - "CCI-000172" + "CCI-002038" ], "nist": [ - "AC-17 (1)", - "AU-12 c", + "IA-11", "Rev_4" ], "documentable": false }, - "code": "control 'V-73453' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Logon\n failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000032-GPOS-00013'\n tag \"satisfies\": ['SRG-OS-000032-GPOS-00013', 'SRG-OS-000470-GPOS-00214',\n 'SRG-OS-000472-GPOS-00217', 'SRG-OS-000473-GPOS-00218',\n 'SRG-OS-000475-GPOS-00220']\n tag \"gid\": 'V-73453'\n tag \"rid\": 'SV-88105r1_rule'\n tag \"stig_id\": 'WN16-AU-000270'\n tag \"fix_id\": 'F-79895r1_fix'\n tag \"cci\": ['CCI-000067', 'CCI-000172']\n tag \"nist\": ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logon with Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /subcategory:Logon | Findstr /c:'Logon' | Findstr /v 'Logoff'\") 
do\n its('stdout') { should match /\\s+Logon Failure/ }\n end\n describe command(\"AuditPol /get /subcategory:Logon | Findstr /c:'Logon' | Findstr /v 'Logoff'\") do\n its('stdout') { should match /\\s+Logon Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73567' do\n title 'Passwords must not be saved in the Remote Desktop Client.'\n desc \"Saving passwords in the Remote Desktop Client could allow an\n unauthorized user to establish a remote desktop session to another system. The\n system must be configured to prevent users from saving passwords in the Remote\n Desktop Client.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73567'\n tag \"rid\": 'SV-88231r1_rule'\n tag \"stig_id\": 'WN16-CC-000370'\n tag \"fix_id\": 'F-80017r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: DisablePasswordSaving\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Connection Client >> Do not allow passwords to be saved to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'DisablePasswordSaving' }\n its('DisablePasswordSaving') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73453.rb", + "ref": "./Windows 2016 STIG/controls/V-73567.rb", "line": 1 }, - "id": "V-73453" + "id": "V-73567" }, { - "title": "Outdated or unused 
accounts must be removed from the system or\n disabled.", - "desc": "Outdated or unused accounts provide penetration points that may go\n undetected. Inactive accounts must be deleted if no longer necessary or, if\n still required, disabled until needed.", + "title": "Windows Server 2016 must be configured to require a strong session\n key.", + "desc": "A computer connecting to a domain controller will establish a secure\n channel. The secure channel connection may be subject to compromise, such as\n hijacking or eavesdropping, if strong session keys are not used to establish\n the connection. Requiring strong session keys enforces 128-bit encryption\n between systems.", "descriptions": { - "default": "Outdated or unused accounts provide penetration points that may go\n undetected. Inactive accounts must be deleted if no longer necessary or, if\n still required, disabled until needed.", - "check": "Open Windows PowerShell.\n\n Domain Controllers:\n\n Enter Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00\n\n This will return accounts that have not been logged on to for 35 days, along\n with various attributes such as the Enabled status and LastLogonDate.\n\n Member servers and standalone systems:\n\n Copy or enter the lines below to the PowerShell window and enter. (Entering\n twice may be required. 
Do not include the quotes at the beginning and end of\n the query.)\n\n ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\n\n This will return a list of local accounts with the account name, last logon,\n and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n\n Review the list of accounts returned by the above queries to determine the\n finding validity for each account reported.\n\n Exclude the following accounts:\n\n - Built-in administrator account (Renamed, SID ending in 500)\n - Built-in guest account (Renamed, Disabled, SID ending in 501)\n - Application accounts\n\n If any enabled accounts have not been logged on to within the past 35 days,\n this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be\n documented with the ISSO.", - "fix": "Regularly review accounts to determine if they are still active.\n Remove or disable accounts that have not been used in the last 35 days." + "default": "A computer connecting to a domain controller will establish a secure\n channel. The secure channel connection may be subject to compromise, such as\n hijacking or eavesdropping, if strong session keys are not used to establish\n the connection. 
Requiring strong session keys enforces 128-bit encryption\n between systems.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n This setting may prevent a system from being joined to a domain if not\n configured consistently between systems.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Require strong (Windows 2000 or Later) session key to Enabled." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000104-GPOS-00051", + "gtitle": "SRG-OS-000423-GPOS-00187", "satisfies": [ - "SRG-OS-000104-GPOS-00051", - "SRG-OS-000118-GPOS-00060" + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" ], - "gid": "V-73259", - "rid": "SV-87911r2_rule", - "stig_id": "WN16-00-000210", - "fix_id": "F-79703r1_fix", + "gid": "V-73643", + "rid": "SV-88307r1_rule", + "stig_id": "WN16-SO-000130", + "fix_id": "F-80093r1_fix", "cci": [ - "CCI-000764", - "CCI-000795" + "CCI-002418", + "CCI-002421" ], "nist": [ - "IA-2", - "IA-5 e", + "SC-8", + "SC-8 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73259' do\n title \"Outdated or unused accounts must be removed from the system or\n disabled.\"\n desc \"Outdated or unused accounts provide penetration points that may go\n undetected. 
Inactive accounts must be deleted if no longer necessary or, if\n still required, disabled until needed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000104-GPOS-00051'\n tag \"satisfies\": ['SRG-OS-000104-GPOS-00051', 'SRG-OS-000118-GPOS-00060']\n tag \"gid\": 'V-73259'\n tag \"rid\": 'SV-87911r2_rule'\n tag \"stig_id\": 'WN16-00-000210'\n tag \"fix_id\": 'F-79703r1_fix'\n tag \"cci\": ['CCI-000764', 'CCI-000795']\n tag \"nist\": ['IA-2', 'IA-5 e', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open Windows PowerShell.\n\n Domain Controllers:\n\n Enter Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00\n\n This will return accounts that have not been logged on to for 35 days, along\n with various attributes such as the Enabled status and LastLogonDate.\n\n Member servers and standalone systems:\n\n Copy or enter the lines below to the PowerShell window and enter. (Entering\n twice may be required. Do not include the quotes at the beginning and end of\n the query.)\n\n ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\n\n This will return a list of local accounts with the account name, last logon,\n and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n\n Review the list of accounts returned by the above queries to determine the\n finding validity for each account reported.\n\n Exclude the following accounts:\n\n - Built-in administrator account (Renamed, SID ending in 500)\n - Built-in guest account (Renamed, Disabled, SID ending in 501)\n - Application accounts\n\n If any enabled accounts have not been logged on to within the past 35 days,\n this is a finding.\n\n Inactive accounts that have been 
reviewed and deemed to be required must be\n documented with the ISSO.\"\n desc \"fix\", \"Regularly review accounts to determine if they are still active.\n Remove or disable accounts that have not been used in the last 35 days.\"\n \n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n \n if domain_role == '4' || domain_role == '5'\n user_query = \"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00 | Where-Object { ($_.SID -notlike '*500') -and ($_.SID -notlike '*501') -and ($_.Enabled -eq $true) } | Select-Object @{Name=\\\"name\\\";Expression={$_.SamAccountName}}, @{Name=\\\"lastLogin\\\";Expression={$_.LastLogonDate}} | ConvertTo-Json\"\n else\n user_query = <<-FOO\n $users = @() \n ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n else {\n $today = Get-Date\n $diff = New-TimeSpan -Start \"$lastLogin\" -End $today\n $lastLogin = $diff.Days\n }\n\n $sid = Get-LocalUser -Name $user.Name.Value | foreach { $_.SID.Value }\n\n if (($enabled -eq 'True') -and ($sid -notlike '*500') -and ($sid -notlike '*501')) {\n $users += (@{ name = $user.Name.Value; lastLogin = $lastLogin; enabled = $enabled; sid= $sid})\n }\n }\n $users | ConvertTo-Json\n FOO\n end\n\n users = json(command: user_query).params\n \n if users.empty?\n impact 0.0\n describe 'The system does not have any inactive accounts, control is NA' do\n skip 'The system does not have any inactive accounts, controls is NA'\n end\n else\n if users.is_a?(Hash)\n users = [JSON.parse(users.to_json)] \n end\n users.each do |account|\n describe \"Last login for user: #{account['name']}\" do\n subject { account['lastLogin'] }\n it \"should not be nil\" do\n expect(subject).not_to(cmp nil)\n end\n 
subject { account['lastLogin'] }\n it \"should not be more than 35 days\" do\n expect(subject).to(be <= 35)\n end\n end\n end\n end\nend", + "code": "control 'V-73643' do\n title \"Windows Server 2016 must be configured to require a strong session\n key.\"\n desc \"A computer connecting to a domain controller will establish a secure\n channel. The secure channel connection may be subject to compromise, such as\n hijacking or eavesdropping, if strong session keys are not used to establish\n the connection. Requiring strong session keys enforces 128-bit encryption\n between systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73643'\n tag \"rid\": 'SV-88307r1_rule'\n tag \"stig_id\": 'WN16-SO-000130'\n tag \"fix_id\": 'F-80093r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n This setting may prevent a system from being joined to a domain if not\n configured consistently between systems.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Require strong (Windows 2000 or Later) session key to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RequireStrongKey' }\n its('RequireStrongKey') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73259.rb", + "ref": "./Windows 2016 
STIG/controls/V-73643.rb", "line": 1 }, - "id": "V-73259" + "id": "V-73643" }, { - "title": "The Deny log on as a service user right must be configured to include\n no accounts or groups (blank) on domain controllers.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\n a denial of service.", + "title": "Users must be prevented from changing installation options.", + "desc": "Installation options for applications are typically controlled by\n administrators. This setting prevents users from changing installation options\n that may bypass security features.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\n a denial of service.", - "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are defined for the Deny log on as a service user\n right, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a service to include no entries (blank)." + "default": "Installation options for applications are typically controlled by\n administrators. 
This setting prevents users from changing installation options\n that may bypass security features.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: EnableUserControl\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> Allow\n user control over installs to Disabled." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73765", - "rid": "SV-88429r1_rule", - "stig_id": "WN16-DC-000390", - "fix_id": "F-80215r1_fix", + "gtitle": "SRG-OS-000362-GPOS-00149", + "gid": "V-73583", + "rid": "SV-88247r1_rule", + "stig_id": "WN16-CC-000450", + "fix_id": "F-80033r1_fix", "cci": [ - "CCI-000213" + "CCI-001812" ], "nist": [ - "AC-3", + "CM-11 (2)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73765' do\n title \"The Deny log on as a service user right must be configured to include\n no accounts or groups (blank) on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\n a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73765'\n tag \"rid\": 'SV-88429r1_rule'\n tag \"stig_id\": 'WN16-DC-000390'\n tag \"fix_id\": 'F-80215r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are defined for the Deny log on as a service user\n right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a service to include no entries (blank).\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyServiceLogonRight') { should eq [] }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73583' do\n title 'Users must be prevented from changing installation options.'\n desc \"Installation options for applications are typically controlled by\n administrators. 
This setting prevents users from changing installation options\n that may bypass security features.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000362-GPOS-00149'\n tag \"gid\": 'V-73583'\n tag \"rid\": 'SV-88247r1_rule'\n tag \"stig_id\": 'WN16-CC-000450'\n tag \"fix_id\": 'F-80033r1_fix'\n tag \"cci\": ['CCI-001812']\n tag \"nist\": ['CM-11 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: EnableUserControl\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> Allow\n user control over installs to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer') do\n it { should have_property 'EnableUserControl' }\n its('EnableUserControl') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73765.rb", + "ref": "./Windows 2016 STIG/controls/V-73583.rb", "line": 1 }, - "id": "V-73765" + "id": "V-73583" }, { - "title": "Services using Local System that use Negotiate when reverting to NTLM\n authentication must use the computer identity instead of authenticating\n anonymously.", - "desc": "Services using Local System that use Negotiate when reverting to NTLM\n authentication may gain unauthorized access if allowed to authenticate\n anonymously versus using the computer identity.", + "title": "Non-system-created file shares on a system must limit access to groups\n that require it.", + "desc": "Shares on a system provide network access. 
To prevent exposing\n sensitive information, where shares are necessary, permissions must be\n reconfigured to give the minimum access to accounts that require it.", "descriptions": { - "default": "Services using Local System that use Negotiate when reverting to NTLM\n authentication may gain unauthorized access if allowed to authenticate\n anonymously versus using the computer identity.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\\n\n Value Name: UseMachineId\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow Local System to use computer identity for NTLM to\n Enabled." + "default": "Shares on a system provide network access. To prevent exposing\n sensitive information, where shares are necessary, permissions must be\n reconfigured to give the minimum access to accounts that require it.", + "check": "If only system-created shares such as ADMIN$, C$, and\n IPC$ exist on the system, this is NA. 
(System-created shares will display a\n message that it has been shared for administrative purposes when Properties\n is selected.)\n\n Run Computer Management.\n\n Navigate to System Tools >> Shared Folders >> Shares.\n\n Right-click any non-system-created shares.\n\n Select Properties.\n\n Select the Share Permissions tab.\n\n If the file shares have not been configured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\n\n Select the Security tab.\n\n If the permissions have not been configured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.", + "fix": "If a non-system-created share is required on a system, configure\n the share and NTFS permissions to limit access to the specific groups or\n accounts that require it.\n\n Remove any unnecessary non-system-created shares." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73679", - "rid": "SV-88343r1_rule", - "stig_id": "WN16-SO-000320", - "fix_id": "F-80129r1_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-73267", + "rid": "SV-87919r1_rule", + "stig_id": "WN16-00-000250", + "fix_id": "F-79711r1_fix", "cci": [ - "CCI-000366" + "CCI-001090" ], "nist": [ - "CM-6 b", + "SC-4", "Rev_4" ], "documentable": false }, - "code": "control 'V-73679' do\n title \"Services using Local System that use Negotiate when reverting to NTLM\n authentication must use the computer identity instead of authenticating\n anonymously.\"\n desc \"Services using Local System that use Negotiate when reverting to NTLM\n authentication may gain unauthorized access if allowed to authenticate\n anonymously versus using the computer identity.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73679'\n tag \"rid\": 'SV-88343r1_rule'\n tag \"stig_id\": 'WN16-SO-000320'\n tag \"fix_id\": 'F-80129r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag 
\"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\\n\n Value Name: UseMachineId\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow Local System to use computer identity for NTLM to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'UseMachineId' }\n its('UseMachineId') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73267' do\n title \"Non-system-created file shares on a system must limit access to groups\n that require it.\"\n desc \"Shares on a system provide network access. To prevent exposing\n sensitive information, where shares are necessary, permissions must be\n reconfigured to give the minimum access to accounts that require it.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73267'\n tag \"rid\": 'SV-87919r1_rule'\n tag \"stig_id\": 'WN16-00-000250'\n tag \"fix_id\": 'F-79711r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If only system-created shares such as ADMIN$, C$, and\n IPC$ exist on the system, this is NA. 
(System-created shares will display a\n message that it has been shared for administrative purposes when Properties\n is selected.)\n\n Run Computer Management.\n\n Navigate to System Tools >> Shared Folders >> Shares.\n\n Right-click any non-system-created shares.\n\n Select Properties.\n\n Select the Share Permissions tab.\n\n If the file shares have not been configured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\n\n Select the Security tab.\n\n If the permissions have not been configured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\"\n desc \"fix\", \"If a non-system-created share is required on a system, configure\n the share and NTFS permissions to limit access to the specific groups or\n accounts that require it.\n\n Remove any unnecessary non-system-created shares.\"\n\n get = command('Get-WMIObject -Query \"SELECT * FROM Win32_Share\" | Findstr /V \"Name --\"').stdout.strip.split(\"\\n\")\n share_names = []\n share_paths = []\n get.each do |share|\n loc_space = share.index(' ')\n\n names = share[0..loc_space-1]\n\n share_names.push(names)\n path = share[40..50]\n share_paths.push(path)\n end\n share_names_string = share_names.join(',')\n\n if share_names_string != 'ADMIN$,C$,IPC$'\n\n [share_paths, share_names].each do |path1, _name1|\n\n describe command(\"Get-Acl -Path '#{path1}' | Format-List | Findstr /i /C:'Everyone Allow'\") do\n its('stdout') { should eq '' }\n end\n end\n end\n\n if share_names_string == 'ADMIN$,C$,IPC$'\n impact 0.0\n desc 'Only the default files shares ADMIN$, C$ ,and IPC$ exist on this system, therefore this control is not applicable'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73679.rb", + "ref": "./Windows 2016 STIG/controls/V-73267.rb", "line": 1 }, - "id": "V-73679" + "id": "V-73267" }, { - "title": "Remote Desktop Services must always prompt a client for passwords upon\n 
connection.", - "desc": "This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.", + "title": "Session security for NTLM SSP-based servers must be configured to\n require NTLMv2 session security and 128-bit encryption.", + "desc": "Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. All of the options must be\n enabled to ensure the maximum security level.", "descriptions": { - "default": "This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fPromptForPassword\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Always prompt for password upon\n connection to Enabled." + "default": "Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. 
All of the options must be\n enabled to ensure the maximum security level.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Minimum session security for NTLM SSP based (including\n secure RPC) servers to Require NTLMv2 session security and Require\n 128-bit encryption (all options selected)." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-73571", - "rid": "SV-88235r1_rule", - "stig_id": "WN16-CC-000390", - "fix_id": "F-80021r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73697", + "rid": "SV-88361r1_rule", + "stig_id": "WN16-SO-000410", + "fix_id": "F-80147r1_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73571' do\n title \"Remote Desktop Services must always prompt a client for passwords upon\n connection.\"\n desc \"This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. 
Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73571'\n tag \"rid\": 'SV-88235r1_rule'\n tag \"stig_id\": 'WN16-CC-000390'\n tag \"fix_id\": 'F-80021r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fPromptForPassword\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Always prompt for password upon\n connection to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fPromptForPassword' }\n its('fPromptForPassword') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73697' do\n title \"Session security for NTLM SSP-based servers must be configured to\n require NTLMv2 session security and 128-bit encryption.\"\n desc \"Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. 
All of the options must be\n enabled to ensure the maximum security level.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73697'\n tag \"rid\": 'SV-88361r1_rule'\n tag \"stig_id\": 'WN16-SO-000410'\n tag \"fix_id\": 'F-80147r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Minimum session security for NTLM SSP based (including\n secure RPC) servers to Require NTLMv2 session security and Require\n 128-bit encryption (all options selected).\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'NTLMMinServerSec' }\n its('NTLMMinServerSec') { should cmp 537395200 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73571.rb", + "ref": "./Windows 2016 STIG/controls/V-73697.rb", "line": 1 }, - "id": "V-73571" + "id": "V-73697" }, { - "title": "The Server Message Block (SMB) v1 protocol must be uninstalled.", - "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks and is not FIPS compliant.", + "title": "Caching of logon credentials must be limited.", + "desc": "The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. 
This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. Even though the credential\n cache is well protected, if a system is attacked, an unauthorized individual\n may isolate the password to a domain user account using a password-cracking\n program and gain access to the domain.", "descriptions": { - "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks and is not FIPS compliant.", - "check": "Different methods are available to disable SMBv1 on Windows\n 2016. This is the preferred method, however if V-78123 and V-78125 are\n configured, this is NA.\n\n Open Windows PowerShell with elevated privileges (run as administrator).\n\n Enter Get-WindowsFeature -Name FS-SMB1.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", - "fix": "Uninstall the SMBv1 protocol.\n\n Open Windows PowerShell with elevated privileges (run as administrator).\n\n Enter Uninstall-WindowsFeature -Name FS-SMB1 -Restart.\n (Omit the Restart parameter if an immediate restart of the system cannot be\n done.)\n\n Alternately:\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect SMB 1.0/CIFS File Sharing Support on the Features page.\n\n Click Next and Remove as prompted." + "default": "The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. 
Even though the credential\n cache is well protected, if a system is attacked, an unauthorized individual\n may isolate the password to a domain user account using a password-cracking\n program and gain access to the domain.", + "check": "This applies to member servers. For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 4 (or less)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Number of previous logons to cache (in case Domain\n Controller is not available) to 4 logons or less." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73299", - "rid": "SV-87951r2_rule", - "stig_id": "WN16-00-000410", - "fix_id": "F-84915r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73651", + "rid": "SV-88315r1_rule", + "stig_id": "WN16-MS-000050", + "fix_id": "F-80271r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73299' do\n title 'The Server Message Block (SMB) v1 protocol must be uninstalled.'\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks and is not FIPS compliant.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73299'\n tag \"rid\": 'SV-87951r2_rule'\n tag \"stig_id\": 'WN16-00-000410'\n tag \"fix_id\": 'F-84915r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Different methods are available 
to disable SMBv1 on Windows\n 2016. This is the preferred method, however if V-78123 and V-78125 are\n configured, this is NA.\n\n Open Windows PowerShell with elevated privileges (run as administrator).\n\n Enter Get-WindowsFeature -Name FS-SMB1.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the SMBv1 protocol.\n\n Open Windows PowerShell with elevated privileges (run as administrator).\n\n Enter Uninstall-WindowsFeature -Name FS-SMB1 -Restart.\n (Omit the Restart parameter if an immediate restart of the system cannot be\n done.)\n\n Alternately:\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect SMB 1.0/CIFS File Sharing Support on the Features page.\n\n Click Next and Remove as prompted.\"\n if registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters').has_property_value?('SMB1', :dword, 0) && registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10').has_property_value?('Start', :dword, 4)\n impact 0.0\n desc 'This control is not applicable, as controls V-78123 and V-78125 are configured'\n else\n describe windows_feature('FS-SMB1') do\n it { should_not be_installed }\n end\n end\nend\n", + "code": "control 'V-73651' do\n title 'Caching of logon credentials must be limited.'\n desc \"The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. 
Even though the credential\n cache is well protected, if a system is attacked, an unauthorized individual\n may isolate the password to a domain user account using a password-cracking\n program and gain access to the domain.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73651'\n tag \"rid\": 'SV-88315r1_rule'\n tag \"stig_id\": 'WN16-MS-000050'\n tag \"fix_id\": 'F-80271r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers. For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 4 (or less)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Number of previous logons to cache (in case Domain\n Controller is not available) to 4 logons or less.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if !(domain_role == '4') && !(domain_role == '5')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'CachedLogonsCount' }\n its('CachedLogonsCount') { should cmp <= 4 }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n desc 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73299.rb", + "ref": "./Windows 2016 STIG/controls/V-73651.rb", "line": 1 }, - "id": "V-73299" + "id": "V-73651" }, { 
- "title": "Indexing of encrypted files must be turned off.", - "desc": "Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.", + "title": "The Profile single process user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Profile single process user right can monitor\n non-system processes performance. An attacker could use this to identify\n processes to attack.", "descriptions": { - "default": "Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Search >> Allow indexing of\n encrypted files to Disabled." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Profile single process user right can monitor\n non-system processes performance. 
An attacker could use this to identify\n processes to attack.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Profile\n single process user right, this is a finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Profile single process to include only the following accounts or groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73581", - "rid": "SV-88245r1_rule", - "stig_id": "WN16-CC-000440", - "fix_id": "F-80031r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73799", + "rid": "SV-88463r1_rule", + "stig_id": "WN16-UR-000290", + "fix_id": "F-80249r1_fix", "cci": [ - "CCI-000381" + "CCI-002235" ], "nist": [ - "CM-7 a", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73581' do\n title 'Indexing of encrypted files must be turned off.'\n desc \"Indexing of encrypted files may expose sensitive data. 
This setting\n prevents encrypted files from being indexed.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73581'\n tag \"rid\": 'SV-88245r1_rule'\n tag \"stig_id\": 'WN16-CC-000440'\n tag \"fix_id\": 'F-80031r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Windows Search\\\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Search >> Allow indexing of\n encrypted files to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Windows Search') do\n it { should have_property 'AllowIndexingEncryptedStoresOrItems' }\n its('AllowIndexingEncryptedStoresOrItems') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73799' do\n title \"The Profile single process user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Profile single process user right can monitor\n non-system processes performance. 
An attacker could use this to identify\n processes to attack.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73799'\n tag \"rid\": 'SV-88463r1_rule'\n tag \"stig_id\": 'WN16-UR-000290'\n tag \"fix_id\": 'F-80249r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Profile\n single process user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Profile single process to include only the following accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeProfileSingleProcessPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeProfileSingleProcessPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73581.rb", + "ref": "./Windows 2016 STIG/controls/V-73799.rb", "line": 1 }, - "id": "V-73581" + "id": "V-73799" }, { - "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Logoff\n successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. If it is to a network share, it is recorded on\n the system accessed.", + "title": "The Perform volume maintenance tasks user right must only be assigned\n to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Perform volume maintenance tasks user right can\n manage volume and disk configurations. This could be used to delete volumes,\n resulting in data loss or a denial of service.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. 
If it is to a network share, it is recorded on\n the system accessed.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logoff - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logoff with Success selected." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Perform volume maintenance tasks user right can\n manage volume and disk configurations. 
This could be used to delete volumes,\n resulting in data loss or a denial of service.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Perform\n volume maintenance tasks user right, this is a finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Perform volume maintenance tasks to include only the following accounts or\n groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000032-GPOS-00013", - "satisfies": [ - "SRG-OS-000032-GPOS-00013", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000472-GPOS-00217", - "SRG-OS-000473-GPOS-00218", - "SRG-OS-000475-GPOS-00220" - ], - "gid": "V-73449", - "rid": "SV-88101r1_rule", - "stig_id": "WN16-AU-000250", - "fix_id": "F-79891r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73797", + "rid": "SV-88461r1_rule", + "stig_id": "WN16-UR-000280", + "fix_id": "F-80247r1_fix", "cci": [ - "CCI-000067", - "CCI-000172" + "CCI-002235" ], "nist": [ - "AC-17 (1)", - "AU-12 c", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73449' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Logoff\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. If it is to a network share, it is recorded on\n the system accessed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000032-GPOS-00013'\n tag \"satisfies\": ['SRG-OS-000032-GPOS-00013', 'SRG-OS-000470-GPOS-00214',\n 'SRG-OS-000472-GPOS-00217', 'SRG-OS-000473-GPOS-00218',\n 'SRG-OS-000475-GPOS-00220']\n tag \"gid\": 'V-73449'\n tag \"rid\": 'SV-88101r1_rule'\n tag \"stig_id\": 'WN16-AU-000250'\n tag \"fix_id\": 'F-79891r1_fix'\n tag \"cci\": ['CCI-000067', 'CCI-000172']\n tag \"nist\": ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logoff - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logoff with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Logoff') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logoff') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Logoff'\") do\n its('stdout') { 
should match /Logoff Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Logoff'\") do\n its('stdout') { should match /Logoff Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73797' do\n title \"The Perform volume maintenance tasks user right must only be assigned\n to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Perform volume maintenance tasks user right can\n manage volume and disk configurations. This could be used to delete volumes,\n resulting in data loss or a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73797'\n tag \"rid\": 'SV-88461r1_rule'\n tag \"stig_id\": 'WN16-UR-000280'\n tag \"fix_id\": 'F-80247r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Perform\n volume maintenance tasks user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Perform volume maintenance tasks to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeManageVolumePrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeManageVolumePrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73449.rb", + "ref": "./Windows 2016 STIG/controls/V-73797.rb", "line": 1 }, - "id": 
"V-73449" + "id": "V-73797" }, { - "title": "The Deny log on through Remote Desktop Services user right on domain\n controllers must be configured to prevent unauthenticated access.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "Anonymous enumeration of shares must not be allowed.", + "desc": "Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n through Remote Desktop Services user right, this is a finding.\n\n - Guests Group", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on through Remote Desktop Services to include the following:\n\n - Guests Group" + "default": "Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow anonymous enumeration of SAM accounts and\n shares to Enabled." 
}, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000297-GPOS-00115", - "gid": "V-73773", - "rid": "SV-88437r1_rule", - "stig_id": "WN16-DC-000410", - "fix_id": "F-80223r1_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-73669", + "rid": "SV-88333r1_rule", + "stig_id": "WN16-SO-000270", + "fix_id": "F-80119r1_fix", "cci": [ - "CCI-002314" + "CCI-001090" ], "nist": [ - "AC-17 (1)", + "AU-10 (4) (b)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73773' do\n title \"The Deny log on through Remote Desktop Services user right on domain\n controllers must be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000297-GPOS-00115'\n tag \"gid\": 'V-73773'\n tag \"rid\": 'SV-88437r1_rule'\n tag \"stig_id\": 'WN16-DC-000410'\n tag \"fix_id\": 'F-80223r1_fix'\n tag \"cci\": ['CCI-002314']\n tag \"nist\": ['AC-17 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n through Remote Desktop Services user right, this is a finding.\n\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on through Remote Desktop Services to include the following:\n\n - Guests Group\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73669' do\n title 'Anonymous enumeration of shares must not be allowed.'\n desc \"Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73669'\n tag \"rid\": 'SV-88333r1_rule'\n tag \"stig_id\": 'WN16-SO-000270'\n tag \"fix_id\": 'F-80119r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['AU-10 (4) (b)', 'Rev_4']\n tag 
\"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow anonymous enumeration of SAM accounts and\n shares to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictAnonymous' }\n its('RestrictAnonymous') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73773.rb", + "ref": "./Windows 2016 STIG/controls/V-73669.rb", "line": 1 }, - "id": "V-73773" + "id": "V-73669" }, { - "title": "The Deny log on locally user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems and from unauthenticated access on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "The TFTP Client must not be installed.", + "desc": "Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n locally user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this.\n\n All Systems:\n - Guests Group", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on locally to include the following:\n\n\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this.\n\n All Systems:\n - Guests group" + "default": "Unnecessary services increase 
the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", + "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq TFTP-Client.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", + "fix": "Uninstall the TFTP Client feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect TFTP Client on the Features page.\n\n Click Next and Remove as prompted." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73771", - "rid": "SV-88435r1_rule", - "stig_id": "WN16-MS-000400", - "fix_id": "F-80221r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73297", + "rid": "SV-87949r1_rule", + "stig_id": "WN16-00-000400", + "fix_id": "F-79739r1_fix", "cci": [ - "CCI-000213" + "CCI-000381" ], "nist": [ - "AC-3", + "CM-7", "Rev_4" ], "documentable": false }, - "code": "control 'V-73771' do\n title \"The Deny log on locally user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems and from unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be 
assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73771'\n tag \"rid\": 'SV-88435r1_rule'\n tag \"stig_id\": 'WN16-MS-000400'\n tag \"fix_id\": 'F-80221r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n locally user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this.\n\n All Systems:\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on locally to include the following:\n\n\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this.\n\n All Systems:\n - Guests group \"\n\n is_AD_only_system = input('is_AD_only_system')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this 
control is not applicable as it only applies to member servers and standalone systems'\n end\n elsif is_AD_only_system\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n else\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include 'S-1-5-32-546' }\n end\n if domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: enterprise_admin_sid_query).params\n\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n end\n end\nend", + "code": "control 'V-73297' do\n title 'The TFTP Client must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73297'\n tag \"rid\": 'SV-87949r1_rule'\n tag \"stig_id\": 'WN16-00-000400'\n tag \"fix_id\": 'F-79739r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq TFTP-Client.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the TFTP Client feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect TFTP Client on the Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('TFTP-Client') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73771.rb", + "ref": "./Windows 2016 STIG/controls/V-73297.rb", "line": 1 }, - "id": "V-73771" + "id": "V-73297" }, { - "title": "The setting Domain member: Digitally encrypt or sign secure channel\n data (always) must be configured to Enabled.", - "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. 
If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.", + "title": "Windows Server 2016 must be configured to audit Account Management -\n User Account Management successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", "descriptions": { - "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Digitally encrypt or sign secure channel data (always) to\n Enabled." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit User Account Management with\n Success selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000423-GPOS-00187", + "gtitle": "SRG-OS-000004-GPOS-00004", "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" ], - "gid": "V-73633", - "rid": "SV-88297r1_rule", - "stig_id": "WN16-SO-000080", - "fix_id": "F-80083r1_fix", + "gid": "V-73427", + "rid": "SV-88079r1_rule", + "stig_id": "WN16-AU-000140", + "fix_id": "F-79869r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ - "SC-8", - "SC-8 (1)", + "AC-2 (4)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73633' do\n title \"The setting Domain member: Digitally encrypt or sign secure channel\n data (always) must be configured to Enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. 
If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73633'\n tag \"rid\": 'SV-88297r1_rule'\n tag \"stig_id\": 'WN16-SO-000080'\n tag \"fix_id\": 'F-80083r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Digitally encrypt or sign secure channel data (always) to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RequireSignOrSeal' }\n its('RequireSignOrSeal') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73427' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n User Account Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000004-GPOS-00004'\n tag \"satisfies\": ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',\n 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',\n 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag \"gid\": 'V-73427'\n tag \"rid\": 'SV-88079r1_rule'\n tag \"stig_id\": 'WN16-AU-000140'\n tag \"fix_id\": 'F-79869r1_fix'\n tag \"cci\": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',\n 'CCI-001405', 'CCI-002130']\n tag \"nist\": ['AC-2 (4)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit User Account Management with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 
'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'User Account Management'\") do\n its('stdout') { should match /User Account Management Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'User Account Management'\") do\n its('stdout') { should match /User Account Management Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73633.rb", + "ref": "./Windows 2016 STIG/controls/V-73427.rb", "line": 1 }, - "id": "V-73633" + "id": "V-73427" }, { - "title": "Non-administrative accounts or groups must only have print permissions\n on printer shares.", - "desc": "Windows shares are a means by which files, folders, printers, and\n other resources can be published for network users to access. Improper\n configuration can permit access to devices and data beyond a user's need.", + "title": "The Create a pagefile user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create a pagefile user right can change the size of a\n pagefile, which could affect system performance.", "descriptions": { - "default": "Windows shares are a means by which files, folders, printers, and\n other resources can be published for network users to access. Improper\n configuration can permit access to devices and data beyond a user's need.", - "check": "Open Devices and Printers.\n\n If there are no printers configured, this is NA. 
(Exclude Microsoft Print to\n PDF and Microsoft XPS Document Writer, which do not support sharing.)\n\n For each printer:\n\n Right-click on the printer.\n\n Select Printer Properties.\n\n Select the Sharing tab.\n\n If Share this printer is checked, select the Security tab.\n\n If any standard user accounts or groups have permissions other than Print,\n this is a finding.\n\n The default is for the Everyone group to be given Print permission.\n\n All APPLICATION PACKAGES and CREATOR OWNER are not standard user\n accounts.", - "fix": "Configure the permissions on shared printers to restrict standard\n users to only have Print permissions." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create a pagefile user right can change the size of a\n pagefile, which could affect system performance.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create a\n pagefile user right, this is a finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create a pagefile to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73257", - "rid": "SV-87909r1_rule", - "stig_id": "WN16-00-000200", - "fix_id": "F-79701r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73745", + "rid": "SV-88409r1_rule", + "stig_id": "WN16-UR-000080", + "fix_id": "F-80195r1_fix", "cci": [ - "CCI-000213" + "CCI-002235" ], "nist": [ - "AC-3", + "AC-6 (10)", "Rev_4" ], "documentable": 
false }, - "code": "control 'V-73257' do\n title \"Non-administrative accounts or groups must only have print permissions\n on printer shares.\"\n desc \"Windows shares are a means by which files, folders, printers, and\n other resources can be published for network users to access. Improper\n configuration can permit access to devices and data beyond a user's need.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73257'\n tag \"rid\": 'SV-87909r1_rule'\n tag \"stig_id\": 'WN16-00-000200'\n tag \"fix_id\": 'F-79701r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open Devices and Printers.\n\n If there are no printers configured, this is NA. (Exclude Microsoft Print to\n PDF and Microsoft XPS Document Writer, which do not support sharing.)\n\n For each printer:\n\n Right-click on the printer.\n\n Select Printer Properties.\n\n Select the Sharing tab.\n\n If Share this printer is checked, select the Security tab.\n\n If any standard user accounts or groups have permissions other than Print,\n this is a finding.\n\n The default is for the Everyone group to be given Print permission.\n\n All APPLICATION PACKAGES and CREATOR OWNER are not standard user\n accounts.\"\n desc \"fix\", \"Configure the permissions on shared printers to restrict standard\n users to only have Print permissions.\"\n describe \"Nonadministrative user accounts or groups must only have print\n permissions on printer shares.\" do\n skip 'This is a manual control'\n end\n get_printers = command(\"Get-Printer | Format-List | Findstr /v 'Name ---'\")\n if get_printers == ''\n impact 0.0\n describe 'There are no printers configured on this system, therefore this control is not applicable' do\n skip 'There are no printers configured on this system, therefore this control is not applicable'\n end\n else\n describe \"A manual review is required to verify that Nonadministrative user accounts or groups only 
have print\n permissions on printer shares\" do\n skip 'A manual review is required to verify that Nonadministrative user accounts or groups only have print\n permissions on printer shares'\n end\n end\nend\n", + "code": "control 'V-73745' do\n title \"The Create a pagefile user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create a pagefile user right can change the size of a\n pagefile, which could affect system performance.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73745'\n tag \"rid\": 'SV-88409r1_rule'\n tag \"stig_id\": 'WN16-UR-000080'\n tag \"fix_id\": 'F-80195r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create a\n pagefile user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create a pagefile to include only the following accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeCreatePagefilePrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeCreatePagefilePrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73257.rb", + "ref": "./Windows 2016 STIG/controls/V-73745.rb", "line": 1 }, - "id": "V-73257" + "id": "V-73745" }, { - "title": "Windows PowerShell 2.0 must not be installed.", - 
"desc": "Windows PowerShell 5.0 added advanced logging features that can\n provide additional detail when malware has been run on a system. Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.", + "title": "Members of the Backup Operators group must have separate accounts for\n backup duties and normal operational tasks.", + "desc": "Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit users\n to circumvent the file access restrictions present on NTFS disk drives for\n backup and restore purposes. Members of the Backup Operators group must have\n separate logon accounts for performing backup duties.", "descriptions": { - "default": "Windows PowerShell 5.0 added advanced logging features that can\n provide additional detail when malware has been run on a system. Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.", - "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq PowerShell-v2.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", - "fix": "Uninstall the Windows PowerShell 2.0 Engine.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Windows PowerShell 2.0 Engine under Windows PowerShell on the\n Features page.\n\n Click Next and Remove as prompted." + "default": "Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. 
Backup and restore rights permit users\n to circumvent the file access restrictions present on NTFS disk drives for\n backup and restore purposes. Members of the Backup Operators group must have\n separate logon accounts for performing backup duties.", + "check": "If no accounts are members of the Backup Operators group, this\n is NA.\n\n Verify users with accounts in the Backup Operators group have a separate user\n account for backup functions and for performing normal user tasks.\n\n If users with accounts in the Backup Operators group do not have separate\n accounts for backup functions and standard user functions, this is a finding.", + "fix": "Ensure each member of the Backup Operators group has separate\n accounts for backup functions and standard user functions." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73301", - "rid": "SV-87953r1_rule", - "stig_id": "WN16-00-000420", - "fix_id": "F-79743r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73227", + "rid": "SV-87879r1_rule", + "stig_id": "WN16-00-000050", + "fix_id": "F-79671r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73301' do\n title 'Windows PowerShell 2.0 must not be installed.'\n desc \"Windows PowerShell 5.0 added advanced logging features that can\n provide additional detail when malware has been run on a system. 
Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73301'\n tag \"rid\": 'SV-87953r1_rule'\n tag \"stig_id\": 'WN16-00-000420'\n tag \"fix_id\": 'F-79743r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq PowerShell-v2.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Windows PowerShell 2.0 Engine.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Windows PowerShell 2.0 Engine under Windows PowerShell on the\n Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('PowerShell-v2') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-73227' do\n title \"Members of the Backup Operators group must have separate accounts for\n backup duties and normal operational tasks.\"\n desc \"Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit users\n to circumvent the file access restrictions present on NTFS disk drives for\n backup and restore purposes. 
Members of the Backup Operators group must have\n separate logon accounts for performing backup duties.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73227'\n tag \"rid\": 'SV-87879r1_rule'\n tag \"stig_id\": 'WN16-00-000050'\n tag \"fix_id\": 'F-79671r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If no accounts are members of the Backup Operators group, this\n is NA.\n\n Verify users with accounts in the Backup Operators group have a separate user\n account for backup functions and for performing normal user tasks.\n\n If users with accounts in the Backup Operators group do not have separate\n accounts for backup functions and standard user functions, this is a finding.\"\n desc \"fix\", \"Ensure each member of the Backup Operators group has separate\n accounts for backup functions and standard user functions.\"\n\n backup_operators = attribute('backup_operators')\n backup_operators_group = command(\"net localgroup 'Backup Operators' | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n\n if !backup_operators_group.empty?\n backup_operators_group.each do |user|\n describe user do\n it { should be_in backup_operators }\n end\n end\n end\n if backup_operators_group.empty?\n impact 0.0\n describe 'There are no users in the Backup Operators Group, therefore this control is not applicable' do\n skip 'There are no users in the Backup Operators Group, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73301.rb", + "ref": "./Windows 2016 STIG/controls/V-73227.rb", "line": 1 }, - "id": "V-73301" + "id": "V-73227" }, { - "title": "Virtualization-based protection of code integrity must be enabled on\n domain-joined systems.", - "desc": "Virtualization-based protection of code integrity enforces kernel mode\n memory protections as well as protecting 
Code Integrity validation paths. This\n isolates the processes from the rest of the operating system and can only be\n accessed by privileged system software.", + "title": "Windows Server 2016 must be configured to prevent the storage of\n passwords and credentials.", + "desc": "This setting controls the storage of passwords and credentials for\n network authentication on the local system. Such credentials must not be stored\n on the local machine, as that may lead to account compromise.", "descriptions": { - "default": "Virtualization-based protection of code integrity enforces kernel mode\n memory protections as well as protecting Code Integrity validation paths. This\n isolates the processes from the rest of the operating system and can only be\n accessed by privileged system software.", - "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\n\n If SecurityServicesRunning does not include a value of 2 (e.g., {1,\n 2}), this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Security Services Running does not list Hypervisor\n enforced Code Integrity, this is a finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. 
However due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: HypervisorEnforcedCodeIntegrity\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled\n without lock)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Enabled with UEFI lock or Enabled\n without lock selected for Virtualization Based Protection for Code\n Integrity.\n\n Enabled with UEFI lock is preferred as more secure; however, it cannot be\n turned off remotely through a group policy change if there is an issue.\n Enabled without lock will allow this to be turned off remotely while\n testing for issues." + "default": "This setting controls the storage of passwords and credentials for\n network authentication on the local system. Such credentials must not be stored\n on the local machine, as that may lead to account compromise.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: DisableDomainCreds\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow storage of passwords and credentials for network\n authentication to Enabled." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73517", - "rid": "SV-88169r1_rule", - "stig_id": "WN16-CC-000130", - "fix_id": "F-79959r1_fix", + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-73671", + "rid": "SV-88335r1_rule", + "stig_id": "WN16-SO-000280", + "fix_id": "F-80121r1_fix", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b", + "IA-11", "Rev_4" ], "documentable": false }, - "code": "control 'V-73517' do\n title \"Virtualization-based protection of code integrity must be enabled on\n domain-joined systems.\"\n desc \"Virtualization-based protection of code integrity enforces kernel mode\n memory protections as well as protecting Code Integrity validation paths. This\n isolates the processes from the rest of the operating system and can only be\n accessed by privileged system software.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73517'\n tag \"rid\": 'SV-88169r1_rule'\n tag \"stig_id\": 'WN16-CC-000130'\n tag \"fix_id\": 'F-79959r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\n\n If SecurityServicesRunning does not include a value of 2 (e.g., {1,\n 2}), this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device 
Guard Security Services Running does not list Hypervisor\n enforced Code Integrity, this is a finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. However due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: HypervisorEnforcedCodeIntegrity\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled\n without lock)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Enabled with UEFI lock or Enabled\n without lock selected for Virtualization Based Protection for Code\n Integrity.\n\n Enabled with UEFI lock is preferred as more secure; however, it cannot be\n turned off remotely through a group policy change if there is an issue.\n Enabled without lock will allow this to be turned off remotely while\n testing for issues.\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'HypervisorEnforcedCodeIntegrity' }\n its('HypervisorEnforcedCodeIntegrity') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'HypervisorEnforcedCodeIntegrity' }\n its('HypervisorEnforcedCodeIntegrity') { should cmp 2 }\n end\n end\n only_if { is_domain != 'WORKGROUP' }\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems' do\n skip 'This system is not joined to a 
domain, therfore this control is not appliable as it does not apply to standalone systems'\n end\n end\nend\n", + "code": "control 'V-73671' do\n title \"Windows Server 2016 must be configured to prevent the storage of\n passwords and credentials.\"\n desc \"This setting controls the storage of passwords and credentials for\n network authentication on the local system. Such credentials must not be stored\n on the local machine, as that may lead to account compromise.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73671'\n tag \"rid\": 'SV-88335r1_rule'\n tag \"stig_id\": 'WN16-SO-000280'\n tag \"fix_id\": 'F-80121r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: DisableDomainCreds\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow storage of passwords and credentials for network\n authentication to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'DisableDomainCreds' }\n its('DisableDomainCreds') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73517.rb", + "ref": "./Windows 2016 STIG/controls/V-73671.rb", "line": 1 }, - "id": "V-73517" + "id": "V-73671" }, { - "title": "Hardened UNC paths must be defined to require mutual authentication\n and integrity for at least the \\\\*\\SYSVOL and \\\\*\\NETLOGON shares.", - "desc": "Additional security 
requirements are applied to Universal Naming\n Convention (UNC) paths specified in hardened UNC paths before allowing access\n to them. This aids in preventing tampering with or spoofing of connections to\n these paths.", + "title": "User Account Control must run all administrators in Admin Approval\n Mode, enabling UAC.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.", "descriptions": { - "default": "Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in hardened UNC paths before allowing access\n to them. This aids in preventing tampering with or spoofing of connections to\n these paths.", - "check": "This requirement is applicable to domain-joined systems. For\n standalone systems, this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths\\\n\n Value Name: \\\\*\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Provider >> Hardened UNC\n Paths to Enabled with at least the following configured in Hardened UNC\n Paths: (click the Show button to display)\n\n Value Name: \\\\*\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1" + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless 
authorized.\n This setting enables UAC.", + "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Run all administrators in Admin Approval Mode to\n Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73509", - "rid": "SV-88161r1_rule", - "stig_id": "WN16-CC-000090", - "fix_id": "F-79951r1_fix", + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-73719", + "rid": "SV-88383r1_rule", + "stig_id": "WN16-SO-000520", + "fix_id": "F-80169r1_fix", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b", + "IA-11", "Rev_4" ], "documentable": false }, - "code": "control 'V-73509' do\n title \"Hardened UNC paths must be defined to require mutual authentication\n and integrity for at least the \\\\\\\\*\\\\SYSVOL and \\\\\\\\*\\\\NETLOGON shares.\"\n desc \"Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in hardened UNC paths before allowing access\n to them. 
This aids in preventing tampering with or spoofing of connections to\n these paths.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73509'\n tag \"rid\": 'SV-88161r1_rule'\n tag \"stig_id\": 'WN16-CC-000090'\n tag \"fix_id\": 'F-79951r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This requirement is applicable to domain-joined systems. For\n standalone systems, this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\NetworkProvider\\\\HardenedPaths\\\\\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Provider >> Hardened UNC\n Paths to Enabled with at least the following configured in Hardened UNC\n Paths: (click the Show button to display)\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This control is not applicable because this is not a domain-joined system' do\n skip 'This control is not applicable because this is not a domain-joined system'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\NetworkProvider\\\\HardenedPaths') do\n it { should have_property '\\\\\\\\*\\\\NETLOGON' }\n 
its('\\\\\\\\*\\\\NETLOGON') { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1' }\n it { should have_property '\\\\\\\\*\\\\SYSVOL' }\n its('\\\\\\\\*\\\\SYSVOL') { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1' }\n end\n end\nend\n", + "code": "control 'V-73719' do\n title \"User Account Control must run all administrators in Admin Approval\n Mode, enabling UAC.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73719'\n tag \"rid\": 'SV-88383r1_rule'\n tag \"stig_id\": 'WN16-SO-000520'\n tag \"fix_id\": 'F-80169r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Run all administrators in Admin Approval Mode to\n Enabled.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableLUA' }\n its('EnableLUA') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73509.rb", + "ref": "./Windows 2016 STIG/controls/V-73719.rb", "line": 1 }, - "id": "V-73509" + "id": "V-73719" }, { - "title": "Session security for NTLM SSP-based servers must be configured to\n require NTLMv2 session security and 128-bit encryption.", - "desc": "Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. All of the options must be\n enabled to ensure the maximum security level.", + "title": "Only administrators responsible for the member server or standalone\n system must have Administrator rights on the system.", + "desc": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\n by a domain member server administrator group (see V-36433 in the Active\n Directory Domain STIG). 
Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Systems dedicated to the management of Active Directory (AD admin\n platforms, see V-36436 in the Active Directory Domain STIG) are exempt from\n this. AD admin platforms may use the Domain Admins group or a domain\n administrative group created specifically for AD admin platforms (see V-43711\n in the Active Directory Domain STIG).\n\n Standard user accounts must not be members of the built-in Administrators\n group.", "descriptions": { - "default": "Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. All of the options must be\n enabled to ensure the maximum security level.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Minimum session security for NTLM SSP based (including\n secure RPC) servers to Require NTLMv2 session security and Require\n 128-bit encryption (all options selected)." + "default": "An account that does not have Administrator duties must not have\n Administrator rights. 
Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\n by a domain member server administrator group (see V-36433 in the Active\n Directory Domain STIG). Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Systems dedicated to the management of Active Directory (AD admin\n platforms, see V-36436 in the Active Directory Domain STIG) are exempt from\n this. AD admin platforms may use the Domain Admins group or a domain\n administrative group created specifically for AD admin platforms (see V-43711\n in the Active Directory Domain STIG).\n\n Standard user accounts must not be members of the built-in Administrators\n group.", + "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Open Computer Management.\n\n Navigate to Groups under Local Users and Groups.\n\n Review the local Administrators group.\n\n Only administrator groups or accounts responsible for administration of the\n system may be members of the group.\n\n For domain-joined member servers, the Domain Admins group must be replaced by a\n domain member server administrator group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this. 
AD admin\n platforms may use the Domain Admins group or a domain administrative group\n created specifically for AD admin platforms (see V-43711 in the Active\n Directory Domain STIG).\n\n Standard user accounts must not be members of the local Administrator group.\n\n If accounts that do not have responsibility for administration of the system\n are members of the local Administrators group, this is a finding.\n\n If the built-in Administrator account or other required administrative accounts\n are found on the system, this is not a finding.", + "fix": "Configure the local \"Administrators\" group to include only\n administrator groups or accounts responsible for administration of the system.\n\n For domain-joined member servers, replace the Domain Admins group with a domain\n member server administrator group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this. AD admin\n platforms may use the Domain Admins group or a domain administrative group\n created specifically for AD admin platforms (see V-43711 in the Active\n Directory Domain STIG).\n\n Remove any standard user accounts." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73697", - "rid": "SV-88361r1_rule", - "stig_id": "WN16-SO-000410", - "fix_id": "F-80147r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73221", + "rid": "SV-87873r1_rule", + "stig_id": "WN16-MS-000010", + "fix_id": "F-80263r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73697' do\n title \"Session security for NTLM SSP-based servers must be configured to\n require NTLMv2 session security and 128-bit encryption.\"\n desc \"Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. 
All of the options must be\n enabled to ensure the maximum security level.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73697'\n tag \"rid\": 'SV-88361r1_rule'\n tag \"stig_id\": 'WN16-SO-000410'\n tag \"fix_id\": 'F-80147r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Minimum session security for NTLM SSP based (including\n secure RPC) servers to Require NTLMv2 session security and Require\n 128-bit encryption (all options selected).\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'NTLMMinServerSec' }\n its('NTLMMinServerSec') { should cmp 537395200 }\n end\nend\n", + "code": "control 'V-73221' do\n title \"Only administrators responsible for the member server or standalone\n system must have Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\n by a domain member server administrator group (see V-36433 in the Active\n Directory Domain STIG). 
Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Systems dedicated to the management of Active Directory (AD admin\n platforms, see V-36436 in the Active Directory Domain STIG) are exempt from\n this. AD admin platforms may use the Domain Admins group or a domain\n administrative group created specifically for AD admin platforms (see V-43711\n in the Active Directory Domain STIG).\n\n Standard user accounts must not be members of the built-in Administrators\n group.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73221'\n tag \"rid\": 'SV-87873r1_rule'\n tag \"stig_id\": 'WN16-MS-000010'\n tag \"fix_id\": 'F-80263r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Open Computer Management.\n\n Navigate to Groups under Local Users and Groups.\n\n Review the local Administrators group.\n\n Only administrator groups or accounts responsible for administration of the\n system may be members of the group.\n\n For domain-joined member servers, the Domain Admins group must be replaced by a\n domain member server administrator group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this. 
AD admin\n platforms may use the Domain Admins group or a domain administrative group\n created specifically for AD admin platforms (see V-43711 in the Active\n Directory Domain STIG).\n\n Standard user accounts must not be members of the local Administrator group.\n\n If accounts that do not have responsibility for administration of the system\n are members of the local Administrators group, this is a finding.\n\n If the built-in Administrator account or other required administrative accounts\n are found on the system, this is not a finding.\"\n desc \"fix\", \"Configure the local \\\"Administrators\\\" group to include only\n administrator groups or accounts responsible for administration of the system.\n\n For domain-joined member servers, replace the Domain Admins group with a domain\n member server administrator group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this. AD admin\n platforms may use the Domain Admins group or a domain administrative group\n created specifically for AD admin platforms (see V-43711 in the Active\n Directory Domain STIG).\n\n Remove any standard user accounts.\"\n administrators = attribute('administrators')\n is_AD_only_system = input('is_AD_only_system')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n administrator_group = command(\"Get-LocalGroupMember -Group \\\"Administrators\\\" | select -ExpandProperty Name | ForEach-Object {$_ -replace \\\"$env:COMPUTERNAME\\\\\\\\\\\" -replace \\\"\\\"}\").stdout.strip.split(\"\\r\\n\")\n\n\n if (domain_role == '2' || domain_role == '3') && !is_AD_only_system\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in administrators }\n end\n end\n end\n\n if domain_role != '2' && domain_role != '3'\n impact 0.0\n describe 'This control applies to member servers and standalone systems. 
A separate version applies to domain controllers.' do\n skip 'This control applies to member servers and standalone systems. A separate version applies to domain controllers.'\n end\n end\n if is_AD_only_system\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this control is not applicable' do\n skip 'This system is dedicated to the management of Active Directory, therefore this control is not applicable'\n end\n end\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges on this system, therefore this control is not applicable' do\n skip 'There are no users with administrative privileges on this system, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73697.rb", + "ref": "./Windows 2016 STIG/controls/V-73221.rb", "line": 1 }, - "id": "V-73697" + "id": "V-73221" }, { - "title": "The setting Microsoft network client: Digitally sign communications\n (if server agrees) must be configured to Enabled.", - "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. If this policy is enabled, the SMB client will request\n packet signing when communicating with an SMB server that is enabled or\n required to perform SMB packet signing.", + "title": "Active Directory Group Policy objects must be configured with proper\n audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes Group Policy objects. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many\n network operations. If this policy is enabled, the SMB client will request\n packet signing when communicating with an SMB server that is enabled or\n required to perform SMB packet signing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network client: Digitally sign communications (if server agrees)\n to Enabled." + "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes Group Policy objects. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for all Group Policy objects.\n\n Open Group Policy Management (available from various menus or run\n gpmc.msc).\n\n Navigate to Group Policy Objects in the domain being reviewed (Forest >>\n Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the Delegation tab in the right pane.\n\n Select the Advanced button.\n\n Select the Advanced button again and then the Auditing tab.\n\n If the audit settings for any Group Policy object are not at least as inclusive\n as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\n groupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\n Object. 
Where Special is listed in the summary screens for Access, detailed\n Permissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\n Properties: all Write type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance - Write\n gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects", + "fix": "Configure the audit settings for Group Policy objects to include\n the following.\n\n This can be done at the Policy level in Active Directory to apply to all group\n policies.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Select Advanced Features from the View Menu.\n\n Navigate to [Domain] >> System >> Policies in the left panel.\n\n Right click Policies, select Properties.\n\n Select the Security tab.\n\n Select the Advanced button.\n\n Select the Auditing tab.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\n groupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\n Object. 
Where Special is listed in the summary screens for Access, detailed\n Permissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\n Properties: all Write type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance - Write\n gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000423-GPOS-00187", + "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-73655", - "rid": "SV-88319r1_rule", - "stig_id": "WN16-SO-000200", - "fix_id": "F-80105r1_fix", + "gid": "V-73389", + "rid": "SV-88041r2_rule", + "stig_id": "WN16-DC-000170", + "fix_id": "F-86715r2_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000172", + "CCI-002234" ], "nist": [ - "SC-8", - "SC-8 (1)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73655' do\n title \"The setting Microsoft network client: Digitally sign communications\n (if server agrees) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. 
If this policy is enabled, the SMB client will request\n packet signing when communicating with an SMB server that is enabled or\n required to perform SMB packet signing.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73655'\n tag \"rid\": 'SV-88319r1_rule'\n tag \"stig_id\": 'WN16-SO-000200'\n tag \"fix_id\": 'F-80105r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network client: Digitally sign communications (if server agrees)\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'EnableSecuritySignature' }\n its('EnableSecuritySignature') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73389' do\n title \"Active Directory Group Policy objects must be configured with proper\n audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes Group Policy objects. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73389'\n tag \"rid\": 'SV-88041r2_rule'\n tag \"stig_id\": 'WN16-DC-000170'\n tag \"fix_id\": 'F-86715r2_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for all Group Policy objects.\n\n Open Group Policy Management (available from various menus or run\n gpmc.msc).\n\n Navigate to Group Policy Objects in the domain being reviewed (Forest >>\n Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the Delegation tab in the right pane.\n\n Select the Advanced button.\n\n Select the Advanced button again and then the Auditing tab.\n\n If the audit settings for any Group Policy object are not at least as inclusive\n as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\n groupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\n Object. Where Special is listed in the summary screens for Access, detailed\n Permissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\n Properties: all Write type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance - Write\n gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects\"\n desc \"fix\", \"Configure the audit settings for Group Policy objects to include\n the following.\n\n This can be done at the Policy level in Active Directory to apply to all group\n policies.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Select Advanced Features from the View Menu.\n\n Navigate to [Domain] >> System >> Policies in the left panel.\n\n Right click Policies, 
select Properties.\n\n Select the Security tab.\n\n Select the Advanced button.\n\n Select the Auditing tab.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\n groupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\n Object. Where Special is listed in the summary screens for Access, detailed\n Permissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\n Properties: all Write type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance - Write\n gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedNames = json(command: \"Get-ADObject -Filter { objectclass -eq 'groupPolicyContainer'} | foreach {$_.DistinguishedName} | ConvertTo-JSON\").params\n distinguishedNames.each do |distinguishedName|\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp /(GenericAll)/ }\n end\n end\n end\n\n describe.one do\n 
acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp /(WriteProperty)|(WriteDacl)/ }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"All\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp /(WriteProperty)/ }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend \n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73655.rb", + "ref": "./Windows 2016 STIG/controls/V-73389.rb", "line": 1 }, - "id": "V-73655" + "id": "V-73389" }, { - "title": "Simple TCP/IP Services must not be installed.", - "desc": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", + "title": "Command line data must be included in process creation events.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling Include command line data for process creation events will\n record the command line information with the process creation events in the\n log. This can provide additional detail when malware has run on a system.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", - "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Simple-TCPIP.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", - "fix": "Uninstall the Simple TCP/IP Services feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Simple TCP/IP Services on the Features page.\n\n Click Next and Remove as prompted." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling Include command line data for process creation events will\n record the command line information with the process creation events in the\n log. 
This can provide additional detail when malware has run on a system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Audit Process Creation >> Include\n command line in process creation events to Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73293", - "rid": "SV-87945r1_rule", - "stig_id": "WN16-00-000380", - "fix_id": "F-79735r1_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "gid": "V-73511", + "rid": "SV-88163r1_rule", + "stig_id": "WN16-CC-000100", + "fix_id": "F-79953r1_fix", "cci": [ - "CCI-000381" + "CCI-000135" ], "nist": [ - "CM-7", + "AU-3 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73293' do\n title 'Simple TCP/IP Services must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73293'\n tag \"rid\": 'SV-87945r1_rule'\n tag \"stig_id\": 'WN16-00-000380'\n tag \"fix_id\": 'F-79735r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Simple-TCPIP.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Simple TCP/IP Services feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Simple TCP/IP Services on the Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('Simple-TCPIP') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-73511' do\n title 'Command line data must be included in process creation events.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling Include command line data for process creation events will\n record the command line information with the process creation events in the\n log. 
This can provide additional detail when malware has run on a system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000042-GPOS-00020'\n tag \"gid\": 'V-73511'\n tag \"rid\": 'SV-88163r1_rule'\n tag \"stig_id\": 'WN16-CC-000100'\n tag \"fix_id\": 'F-79953r1_fix'\n tag \"cci\": ['CCI-000135']\n tag \"nist\": ['AU-3 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Audit\\\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Audit Process Creation >> Include\n command line in process creation events to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Audit') do\n it { should have_property 'ProcessCreationIncludeCmdLine_Enabled' }\n its('ProcessCreationIncludeCmdLine_Enabled') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73293.rb", + "ref": "./Windows 2016 STIG/controls/V-73511.rb", "line": 1 }, - "id": "V-73293" - }, - { - "title": "The required legal notice must be configured to display before console\n logon.", - "desc": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.", - "descriptions": { - "default": "Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n 
\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value: See message text below\n\n You are accessing a U.S. Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Message text for users attempting to log on to the\n following:\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details." 
- }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000024-GPOS-00007", - "SRG-OS-000228-GPOS-00088" - ], - "gid": "V-73647", - "rid": "SV-88311r2_rule", - "stig_id": "WN16-SO-000150", - "fix_id": "F-80097r2_fix", - "cci": [ - "CCI-000048", - "CCI-000050", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" - ], - "nist": [ - "AC-8 a", - "AC-8 b", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 3", - "Rev_4" - ], - "documentable": false - }, - "code": "control 'V-73647' do\n title \"The required legal notice must be configured to display before console\n logon.\"\n desc \"Failure to display the logon banner prior to a logon attempt will\n negate legal proceedings resulting from unauthorized access to system resources.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000023-GPOS-00006'\n tag \"satisfies\": ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007',\n 'SRG-OS-000228-GPOS-00088']\n tag \"gid\": 'V-73647'\n tag \"rid\": 'SV-88311r2_rule'\n tag \"stig_id\": 'WN16-SO-000150'\n tag \"fix_id\": 'F-80097r2_fix'\n tag \"cci\": ['CCI-000048', 'CCI-000050', 'CCI-001384', 'CCI-001385',\n 'CCI-001386', 'CCI-001387', 'CCI-001388']\n tag \"nist\": ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value: See message text below\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. See User\n Agreement for details.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Message text for users attempting to log on to the\n following:\n\n You are accessing a U.S. 
Government (USG) Information System (IS) that is\n provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent\n to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\n purposes including, but not limited to, penetration testing, COMSEC monitoring,\n network operations and defense, personnel misconduct (PM), law enforcement\n (LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject\n to routine monitoring, interception, and search, and may be disclosed or used\n for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls)\n to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE\n or CI investigative searching or monitoring of the content of privileged\n communications, or work product, related to personal representation or services\n by attorneys, psychotherapists, or clergy, and their assistants. Such\n communications and work product are private and confidential. 
See User\n Agreement for details.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LegalNoticeText' }\n end\n\n key = registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System').LegalNoticeText.to_s\n\n k = key.gsub(\"\\u0000\", '')\n legal_notice_text = attribute('legal_notice_text')\n\n describe 'The required legal notice text' do\n subject { k.scan(/[\\w().;,!]/).join }\n it {should cmp legal_notice_text.scan(/[\\w().;,!]/).join }\n end\nend\n", - "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73647.rb", - "line": 2 - }, - "id": "V-73647" + "id": "V-73511" }, { - "title": "The Profile single process user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Profile single process user right can monitor\n non-system processes performance. An attacker could use this to identify\n processes to attack.", + "title": "The Fax Server role must not be installed.", + "desc": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Profile single process user right can monitor\n non-system processes performance. 
An attacker could use this to identify\n processes to attack.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Profile\n single process user right, this is a finding.\n\n - Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Profile single process to include only the following accounts or groups:\n\n - Administrators" + "default": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", + "check": "Open PowerShell.\n Enter Get-WindowsFeature | Where Name -eq Fax.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", + "fix": "Uninstall the Fax Server role.\n\n Start Server Manager.\n\n Select the server with the role.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Fax Server on the Roles page.\n\n Click Next and Remove as prompted." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73799", - "rid": "SV-88463r1_rule", - "stig_id": "WN16-UR-000290", - "fix_id": "F-80249r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73287", + "rid": "SV-87939r1_rule", + "stig_id": "WN16-00-000350", + "fix_id": "F-79731r1_fix", "cci": [ - "CCI-002235" + "CCI-000381" ], "nist": [ - "AC-6 (10)", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73799' do\n title \"The Profile single process user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Profile single process user right can monitor\n non-system processes performance. An attacker could use this to identify\n processes to attack.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73799'\n tag \"rid\": 'SV-88463r1_rule'\n tag \"stig_id\": 'WN16-UR-000290'\n tag \"fix_id\": 'F-80249r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Profile\n single process user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Profile single process to include only the following accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeProfileSingleProcessPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n 
its('SeProfileSingleProcessPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73287' do\n title 'The Fax Server role must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73287'\n tag \"rid\": 'SV-87939r1_rule'\n tag \"stig_id\": 'WN16-00-000350'\n tag \"fix_id\": 'F-79731r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n Enter Get-WindowsFeature | Where Name -eq Fax.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Fax Server role.\n\n Start Server Manager.\n\n Select the server with the role.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Fax Server on the Roles page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('fax') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73799.rb", + "ref": "./Windows 2016 STIG/controls/V-73287.rb", "line": 1 }, - "id": "V-73799" + "id": "V-73287" }, { - "title": "Windows Server 2016 must be configured to audit DS Access - Directory\n Service Changes successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.", + "title": "Windows Server 2016 must be configured to audit Detailed Tracking -\n Process Creation successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\n the source.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Changes with Success\n selected." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\n the source.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Process Creation - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Detailed Tracking >> Audit Process Creation with\n Success selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-73439", - "rid": "SV-88091r1_rule", - "stig_id": "WN16-DC-000260", - "fix_id": "F-79881r1_fix", + "gid": "V-73433", + "rid": "SV-88085r1_rule", + "stig_id": "WN16-AU-000170", + "fix_id": "F-79875r1_fix", "cci": [ "CCI-000172", "CCI-002234" 
@@ -3490,1001 +3438,1082 @@ ], "documentable": false }, - "code": "control 'V-73439' do\n title \"Windows Server 2016 must be configured to audit DS Access - Directory\n Service Changes successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73439'\n tag \"rid\": 'SV-88091r1_rule'\n tag \"stig_id\": 'WN16-DC-000260'\n tag \"fix_id\": 'F-79881r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Changes with Success\n selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success' }\n end\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Changes'\") do\n its('stdout') { should match /Directory Service Changes Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Changes'\") do\n its('stdout') { should match /Directory Service Changes Success and Failure/ }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73433' do\n title \"Windows 
Server 2016 must be configured to audit Detailed Tracking -\n Process Creation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\n the source.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000471-GPOS-00215']\n tag \"gid\": 'V-73433'\n tag \"rid\": 'SV-88085r1_rule'\n tag \"stig_id\": 'WN16-AU-000170'\n tag \"fix_id\": 'F-79875r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Process Creation - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Detailed Tracking >> Audit Process Creation with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Process Creation') { should eq 'Success' }\n end\n 
describe audit_policy do\n its('Process Creation') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Process Creation'\") do\n its('stdout') { should match /Process Creation Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Process Creation'\") do\n its('stdout') { should match /Process Creation Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73439.rb", + "ref": "./Windows 2016 STIG/controls/V-73433.rb", "line": 1 }, - "id": "V-73439" + "id": "V-73433" }, { - "title": "Windows Server 2016 must be configured to audit Detailed Tracking -\n Plug and Play Events successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.", + "title": "NTLM must be prevented from falling back to a Null session.", + "desc": "NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Plug and Play Events - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Detailed Tracking >> Audit PNP Activity with Success selected." 
+ "default": "NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0\\\n\n Value Name: allownullsessionfallback\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow LocalSystem NULL session fallback to Disabled" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000474-GPOS-00219", - "gid": "V-73431", - "rid": "SV-88083r2_rule", - "stig_id": "WN16-AU-000160", - "fix_id": "F-79873r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73681", + "rid": "SV-88345r1_rule", + "stig_id": "WN16-SO-000330", + "fix_id": "F-80131r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73431' do\n title \"Windows Server 2016 must be configured to audit Detailed Tracking -\n Plug and Play Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000474-GPOS-00219'\n tag \"gid\": 'V-73431'\n tag \"rid\": 'SV-88083r2_rule'\n tag \"stig_id\": 'WN16-AU-000160'\n tag \"fix_id\": 'F-79873r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Plug and Play Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Detailed Tracking >> Audit PNP Activity with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success and Failure/ 
}\n end\n end\nend\n", + "code": "control 'V-73681' do\n title 'NTLM must be prevented from falling back to a Null session.'\n desc \"NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73681'\n tag \"rid\": 'SV-88345r1_rule'\n tag \"stig_id\": 'WN16-SO-000330'\n tag \"fix_id\": 'F-80131r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\MSV1_0\\\\\n\n Value Name: allownullsessionfallback\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow LocalSystem NULL session fallback to Disabled\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'allownullsessionfallback' }\n its('allownullsessionfallback') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73431.rb", + "ref": "./Windows 2016 STIG/controls/V-73681.rb", "line": 1 }, - "id": "V-73431" + "id": "V-73681" }, { - "title": "Windows 2016 account lockout duration must be configured to 15 minutes\n or greater.", - "desc": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. 
This parameter specifies the period of time\n that an account will remain locked after the specified number of failed logon\n attempts.", + "title": "The Windows Server 2016 system must use an anti-virus program.", + "desc": "Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.", "descriptions": { - "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that an account will remain locked after the specified number of failed logon\n attempts.", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the Account lockout duration is less than 15 minutes (excluding\n 0), this is a finding.\n\n Configuring this to 0, requiring an administrator to unlock the account, is\n more restrictive and is not a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n Account lockout duration to 15 minutes or greater.\n\n A value of 0 is also acceptable, requiring an administrator to unlock the\n account." + "default": "Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.", + "check": "Verify an anti-virus solution is installed on the system. The\n anti-virus solution may be bundled with an approved host-based security\n solution.\n\n If there is no anti-virus solution installed on the system, this is a finding.", + "fix": "Install an anti-virus solution on the system." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000329-GPOS-00128", - "gid": "V-73309", - "rid": "SV-87961r2_rule", - "stig_id": "WN16-AC-000010", - "fix_id": "F-80983r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73241", + "rid": "SV-87893r2_rule", + "stig_id": "WN16-00-000120", + "fix_id": "F-84913r1_fix", "cci": [ - "CCI-002238" + "CCI-000366" ], "nist": [ - "AC-7 b", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73309' do\n title \"Windows 2016 account lockout duration must be configured to 15 minutes\n or greater.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. This parameter specifies the period of time\n that an account will remain locked after the specified number of failed logon\n attempts.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000329-GPOS-00128'\n tag \"gid\": 'V-73309'\n tag \"rid\": 'SV-87961r2_rule'\n tag \"stig_id\": 'WN16-AC-000010'\n tag \"fix_id\": 'F-80983r1_fix'\n tag \"cci\": ['CCI-002238']\n tag \"nist\": ['AC-7 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the Account lockout duration is less than 15 minutes (excluding\n 0), this is a finding.\n\n Configuring this to 0, requiring an administrator to unlock the account, is\n more restrictive and is not a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n Account lockout duration to 15 minutes or greater.\n\n A value of 0 is also acceptable, requiring an administrator to unlock the\n account.\"\n describe.one do\n describe security_policy do\n its('LockoutDuration') { should be >= 15 }\n 
end\n describe security_policy do\n its('LockoutDuration') { should eq 0 }\n end\n end\nend\n", + "code": "control 'V-73241' do\n title 'The Windows Server 2016 system must use an anti-virus program.'\n desc \"Malicious software can establish a base on individual desktops and\n servers. Employing an automated mechanism to detect this type of software will\n aid in elimination of the software from the operating system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73241'\n tag \"rid\": 'SV-87893r2_rule'\n tag \"stig_id\": 'WN16-00-000120'\n tag \"fix_id\": 'F-84913r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify an anti-virus solution is installed on the system. The\n anti-virus solution may be bundled with an approved host-based security\n solution.\n\n If there is no anti-virus solution installed on the system, this is a finding.\"\n desc \"fix\", 'Install an anti-virus solution on the system.'\n\n windefend = powershell('Get-Service -Name windefend | Select-Object -ExpandProperty Status').stdout.strip\n\n describe.one do\n describe registry_key('HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\CurrentVersion') do\n it { should exist }\n end\n describe registry_key('HKLM\\SOFTWARE\\McAfee/DesktopProtection\\szProductVer') do\n it { should exist }\n end\n describe registry_key('HKLM\\SOFTWARE\\McAfee\\Endpoint\\AV\\ProductVersion') do\n it { should exist }\n end\n describe \"Windows Defender\" do\n subject { windefend }\n it { should eq \"Running\" }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73309.rb", + "ref": "./Windows 2016 STIG/controls/V-73241.rb", "line": 1 }, - "id": "V-73309" + "id": "V-73241" }, { - "title": "The maximum age for machine account passwords must be configured to 30\n days or less.", - "desc": "Computer account passwords are changed automatically on a regular\n basis. 
This setting controls the maximum password age that a machine account\n may have. This must be set to no more than 30 days, ensuring the machine\n changes its password monthly.", + "title": "User Account Control must, at a minimum, prompt administrators for\n consent on the secure desktop.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged-on administrators\n to complete a task that requires raised privileges.", "descriptions": { - "default": "Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. This must be set to no more than 30 days, ensuring the machine\n changes its password monthly.", - "check": "This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, but not 0)", - "fix": "This is the default configuration for this setting (30 days).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> Domain member:\n Maximum machine account password age to 30 or less (excluding 0,\n which is unacceptable)." 
+ "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged-on administrators\n to complete a task that requires raised privileges.", + "check": "UAC requirements are NA for Server Core installations (this is\n default installation option for Windows Server 2016 versus Server with Desktop\n Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (Prompt for consent on the secure desktop)\n 0x00000001 (1) (Prompt for credentials on the secure desktop)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Behavior of the elevation prompt for administrators in Admin\n Approval Mode to Prompt for consent on the secure desktop.\n\n The more secure option for this setting, Prompt for credentials on the secure\n desktop, would also be acceptable." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73641", - "rid": "SV-88305r1_rule", - "stig_id": "WN16-SO-000120", - "fix_id": "F-80091r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-73711", + "rid": "SV-88375r1_rule", + "stig_id": "WN16-SO-000480", + "fix_id": "F-80161r1_fix", "cci": [ - "CCI-000366" + "CCI-001084" ], "nist": [ - "CM-6 b", + "SC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73641' do\n title \"The maximum age for machine account passwords must be configured to 30\n days or less.\"\n desc \"Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. This must be set to no more than 30 days, ensuring the machine\n changes its password monthly.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73641'\n tag \"rid\": 'SV-88305r1_rule'\n tag \"stig_id\": 'WN16-SO-000120'\n tag \"fix_id\": 'F-80091r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, but not 0)\"\n desc \"fix\", \"This is the default configuration for this setting (30 days).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> Domain member:\n Maximum machine account password age to 30 or less (excluding 0,\n which is unacceptable).\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') 
do\n it { should have_property 'MaximumPasswordAge' }\n its('MaximumPasswordAge') { should be <= 30 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'MaximumPasswordAge' }\n its('MaximumPasswordAge') { should be > 0 }\n end\nend\n", + "code": "control 'V-73711' do\n title \"User Account Control must, at a minimum, prompt administrators for\n consent on the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged-on administrators\n to complete a task that requires raised privileges.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73711'\n tag \"rid\": 'SV-88375r1_rule'\n tag \"stig_id\": 'WN16-SO-000480'\n tag \"fix_id\": 'F-80161r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n default installation option for Windows Server 2016 versus Server with Desktop\n Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (Prompt for consent on the secure desktop)\n 0x00000001 (1) (Prompt for credentials on the secure desktop)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Behavior of the elevation prompt for administrators in Admin\n Approval Mode to Prompt for consent on the secure 
desktop.\n\n The more secure option for this setting, Prompt for credentials on the secure\n desktop, would also be acceptable.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorAdmin' }\n its('ConsentPromptBehaviorAdmin') { should cmp 2 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorAdmin' }\n its('ConsentPromptBehaviorAdmin') { should cmp 1 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73641.rb", + "ref": "./Windows 2016 STIG/controls/V-73711.rb", "line": 1 }, - "id": "V-73641" + "id": "V-73711" }, { - "title": "Windows Server 2016 must be configured to audit System - IPsec Driver\n failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.", + "title": "The setting Domain member: Digitally encrypt or sign secure channel\n data (always) must be configured to Enabled.", + "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced 
Audit Policy Configuration >> System\n Audit Policies >> System >> Audit IPsec Driver with Failure selected." + "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Digitally encrypt or sign secure channel data (always) to\n Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000423-GPOS-00187", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" ], - "gid": "V-73475", - "rid": "SV-88127r1_rule", - "stig_id": "WN16-AU-000380", - "fix_id": "F-79917r1_fix", + "gid": "V-73633", + "rid": "SV-88297r1_rule", + "stig_id": "WN16-SO-000080", + "fix_id": "F-80083r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "SC-8", + "SC-8 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73475' do\n title \"Windows Server 2016 must be configured to audit System - IPsec Driver\n failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\n packets.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73475'\n tag \"rid\": 'SV-88127r1_rule'\n tag \"stig_id\": 'WN16-AU-000380'\n tag \"fix_id\": 'F-79917r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit IPsec Driver with Failure selected.\"\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Failure' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Failure/ }\n end\n describe command(\"AuditPol /get /category:* | 
Findstr /c:'IPsec Driver'\") do\n its('stdout') { should match /IPsec Driver Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73633' do\n title \"The setting Domain member: Digitally encrypt or sign secure channel\n data (always) must be configured to Enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but not all information is\n encrypted. If this policy is enabled, outgoing secure channel traffic will be\n encrypted and signed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73633'\n tag \"rid\": 'SV-88297r1_rule'\n tag \"stig_id\": 'WN16-SO-000080'\n tag \"fix_id\": 'F-80083r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Digitally encrypt or sign secure channel data (always) to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RequireSignOrSeal' }\n its('RequireSignOrSeal') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73475.rb", + "ref": "./Windows 2016 STIG/controls/V-73633.rb", "line": 1 }, - "id": "V-73475" + "id": "V-73633" }, { - "title": "The Active Directory RID Manager$ object must be configured with\n proper 
audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the RID Manager$ object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "title": "Permissions for the Security event log must prevent access by\n non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the RID Manager$ object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the RID Manager$ object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the RID Manager$ object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the RID Manager$ object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\n master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)", - "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the RID Manager$ object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for RID Manager$ object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\n master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.", + "check": "Navigate to the Security event log file.\n\n The default location is the %SystemRoot%\\System32\\winevt\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the Security.evtx file are not as restrictive as the\n default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", + "fix": "Configure the permissions on the Security event log file\n (Security.evtx) to prevent access by non-privileged accounts. The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the %SystemRoot%\\ System32\\winevt\\Logs folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000057-GPOS-00027", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" ], - "gid": "V-73399", - "rid": "SV-88051r1_rule", - "stig_id": "WN16-DC-000220", - "fix_id": "F-79841r1_fix", + "gid": "V-73407", + "rid": "SV-88059r1_rule", + "stig_id": "WN16-AU-000040", + "fix_id": "F-79849r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "AU-9", "Rev_4" ], "documentable": false }, - "code": "control 'V-73399' do\n title \"The Active Directory RID Manager$ object must be configured with\n proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the RID Manager$ object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73399'\n tag \"rid\": 'SV-88051r1_rule'\n tag \"stig_id\": 'WN16-DC-000220'\n tag \"fix_id\": 'F-79841r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the RID Manager$ object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the RID Manager$ object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the RID Manager$ object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\n master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the RID Manager$ object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for RID Manager$ object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\n master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=RID Manager$,CN=System,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should match /^(?=.*?\\bWriteProperty\\b)(?=.*?\\ExtendedRight\\b).*$/ }\n 
its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73407' do\n title \"Permissions for the Security event log must prevent access by\n non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028',\n 'SRG-OS-000059-GPOS-00029']\n tag \"gid\": 'V-73407'\n tag \"rid\": 'SV-88059r1_rule'\n tag \"stig_id\": 'WN16-AU-000040'\n tag \"fix_id\": 'F-79849r1_fix'\n tag \"cci\": ['CCI-000162', 'CCI-000163', 'CCI-000164']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Navigate to the Security event log file.\n\n The default location is the %SystemRoot%\\\\System32\\\\winevt\\\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the Security.evtx file are not as restrictive as the\n default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc \"fix\", \"Configure the permissions on the Security event log file\n (Security.evtx) to prevent access by non-privileged accounts. 
The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the %SystemRoot%\\\\ System32\\\\winevt\\\\Logs folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n system_root = command('$env:SystemRoot').stdout.strip\n\n describe file(\"#{system_root}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Security.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73399.rb", + "ref": "./Windows 2016 STIG/controls/V-73407.rb", "line": 1 }, - "id": "V-73399" + "id": "V-73407" }, { - "title": "Windows Server 2016 must be configured to audit Account Management -\n Computer Account Management successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling computer accounts.", + "title": "The DoD Root CA certificates must be installed in the Trusted Root\n Store.", + "desc": "To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling computer accounts.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Computer Account Management - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Computer Account Management\n with Success selected." + "default": "To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.", + "check": "The certificates and thumbprints referenced below apply to\n unclassified systems; see PKE documentation for other networks.\n\n Open Windows PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine oot | Where Subject -Like *DoD* | FL Subject, Thumbprint, NotAfter\n\n If the following certificate Subject and Thumbprint information is not\n displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Trusted Root Certification\n Authorities >> Certificates.\n\n For each of the DoD Root CA certificates noted below:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the DoD Root CA certificates below are not listed or the value for the\n Thumbprint field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041", + "fix": "Install the DoD Root CA certificates:\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000004-GPOS-00004", + "gtitle": "SRG-OS-000066-GPOS-00034", "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000476-GPOS-00221" + "SRG-OS-000066-GPOS-00034", + "SRG-OS-000403-GPOS-00182" ], - "gid": "V-73417", - "rid": "SV-88069r1_rule", - "stig_id": "WN16-DC-000230", - "fix_id": "F-79859r1_fix", + "gid": "V-73605", + "rid": "SV-88269r3_rule", + "stig_id": "WN16-PK-000010", + "fix_id": "F-87311r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-000185", + "CCI-002470" ], "nist": [ - "AC-2 (4)", - "AU-12 c", + "IA-5 (2) (a)", + "SC-23 (5)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73417' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n Computer Account Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling computer accounts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000004-GPOS-00004'\n tag \"satisfies\": ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',\n 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',\n 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag \"gid\": 'V-73417'\n tag \"rid\": 'SV-88069r1_rule'\n tag \"stig_id\": 'WN16-DC-000230'\n tag \"fix_id\": 'F-79859r1_fix'\n tag \"cci\": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',\n 'CCI-001405', 'CCI-002130']\n tag \"nist\": ['AC-2 (4)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Computer Account Management - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Computer Account Management\n with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Computer Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Computer Account Management') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Computer Account Management'\") do\n its('stdout') { should match /Computer Account Management Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Computer Account Management'\") do\n its('stdout') { should match /Computer Account Management Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73605' do\n title \"The DoD Root CA certificates must be installed in the Trusted Root\n Store.\"\n desc \"To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"satisfies\": ['SRG-OS-000066-GPOS-00034', 
'SRG-OS-000403-GPOS-00182']\n tag \"gid\": 'V-73605'\n tag \"rid\": 'SV-88269r3_rule'\n tag \"stig_id\": 'WN16-PK-000010'\n tag \"fix_id\": 'F-87311r1_fix'\n tag \"cci\": ['CCI-000185', 'CCI-002470']\n tag \"nist\": ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The certificates and thumbprints referenced below apply to\n unclassified systems; see PKE documentation for other networks.\n\n Open Windows PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\n oot | Where Subject -Like *DoD* | FL Subject, Thumbprint, NotAfter\n\n If the following certificate Subject and Thumbprint information is not\n displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Trusted Root Certification\n Authorities >> Certificates.\n\n For each of the DoD Root CA certificates noted below:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the DoD Root CA certificates below are not listed or the value for the\n Thumbprint field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041\"\n desc \"fix\", \"Install the DoD Root CA certificates:\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\D73CA91102A2204A36459ED32213B467D7CE97FB') do\n it { should exist }\n end\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\B8269F25DBD937ECAFD4C35A9838571723F2D026') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\D73CA91102A2204A36459ED32213B467D7CE97FB') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\B8269F25DBD937ECAFD4C35A9838571723F2D026') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\D73CA91102A2204A36459ED32213B467D7CE97FB') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\B8269F25DBD937ECAFD4C35A9838571723F2D026') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\D73CA91102A2204A36459ED32213B467D7CE97FB') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\B8269F25DBD937ECAFD4C35A9838571723F2D026') do\n it { should exist 
}\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73417.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73605.rb",
 "line": 1
 },
- "id": "V-73417"
+ "id": "V-73605"
 },
 {
- "title": "The Deny log on as a service user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems. No other groups or accounts must be assigned this right.",
- "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.",
- "check": "This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n service user right on domain-joined systems, this is a finding.\n\n - Enterprise Admins Group\n - Domain Admins Group\n\n If any accounts or groups are defined for the Deny log on as a service user\n right on non-domain-joined systems, this is a finding.",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a service to include the following:\n\n Domain systems:\n - Enterprise Admins group \n - Domain Admins group"
+ "default": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption.",
+ "check": "If the server has the role of an FTP server, this is NA.\n\n Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Web-Ftp-Service.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\n\n If the system has the role of an FTP server, this must be documented with the\n ISSO.",
+ "fix": "Uninstall the FTP Server role.\n\n Start Server Manager.\n\n Select the server with the role.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect FTP Server under Web Server (IIS) on the Roles page.\n\n Click Next and Remove as prompted." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000080-GPOS-00048",
- "gid": "V-73767",
- "rid": "SV-88431r1_rule",
- "stig_id": "WN16-MS-000390",
- "fix_id": "F-80217r1_fix",
+ "gtitle": "SRG-OS-000096-GPOS-00050",
+ "gid": "V-73289",
+ "rid": "SV-87941r1_rule",
+ "stig_id": "WN16-00-000360",
+ "fix_id": "F-79733r1_fix",
 "cci": [
- "CCI-000213"
+ "CCI-000382"
 ],
 "nist": [
- "AC-3",
+ "CM-7",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73767' do\n title \"The Deny log on as a service user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems. No other groups or accounts must be assigned this right.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a service user right defines accounts that are\n denied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\n a DoS.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73767'\n tag \"rid\": 'SV-88431r1_rule'\n tag \"stig_id\": 'WN16-MS-000390'\n tag \"fix_id\": 'F-80217r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n service user right on domain-joined systems, this is a finding.\n\n - Enterprise Admins Group\n - Domain Admins Group\n\n If any accounts or groups are defined for the Deny log on as a service user\n right on non-domain-joined systems, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a service to include the following:\n\n Domain systems:\n - Enterprise Admins group \n - Domain Admins group \"\n \n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n elsif domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: enterprise_admin_sid_query).params\n\n 
describe security_policy do\n its('SeDenyServiceLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyServiceLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n else\n describe security_policy do\n its('SeDenyServiceLogonRight') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73289' do\n title 'The Microsoft FTP service must not be installed unless required.'\n desc \"Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000096-GPOS-00050'\n tag \"gid\": 'V-73289'\n tag \"rid\": 'SV-87941r1_rule'\n tag \"stig_id\": 'WN16-00-000360'\n tag \"fix_id\": 'F-79733r1_fix'\n tag \"cci\": ['CCI-000382']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the server has the role of an FTP server, this is NA.\n\n Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Web-Ftp-Service.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\n\n If the system has the role of an FTP server, this must be documented with the\n ISSO.\"\n desc \"fix\", \"Uninstall the FTP Server role.\n\n Start Server Manager.\n\n Select the server with the role.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect FTP Server under Web Server (IIS) on the Roles page.\n\n Click Next and Remove as prompted.\"\n has_ftp_server_role = attribute('has_ftp_server_role')\n\n describe windows_feature('Web-Ftp-Service') do\n it { should_not be_installed }\n end\n if has_ftp_server_role == 'True'\n impact 0.0\n desc 'This server has the role of an FTP server, therefore this control is not applicable'\n end\nend\n", 
"source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73767.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73289.rb",
 "line": 1
 },
- "id": "V-73767"
+ "id": "V-73289"
 },
 {
- "title": "Attachments must be prevented from being downloaded from RSS feeds.",
- "desc": "Attachments from RSS feeds may not be secure. This setting will\n prevent attachments from being downloaded from RSS feeds.",
+ "title": "UIAccess applications must not be allowed to prompt for elevation\n without using the secure desktop.",
+ "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting prevents User Interface Accessibility programs from disabling the\n secure desktop for elevation prompts.",
 "descriptions": {
- "default": "Attachments from RSS feeds may not be secure. This setting will\n prevent attachments from being downloaded from RSS feeds.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: DisableEnclosureDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
- "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> RSS Feeds >> Prevent\n downloading of enclosures to Enabled." 
+ "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting prevents User Interface Accessibility programs from disabling the\n secure desktop for elevation prompts.",
+ "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableUIADesktopToggle\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Allow UIAccess applications to prompt for elevation without\n using the secure desktop to Disabled."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-73577",
- "rid": "SV-88241r1_rule",
- "stig_id": "WN16-CC-000420",
- "fix_id": "F-80027r1_fix",
+ "gtitle": "SRG-OS-000134-GPOS-00068",
+ "gid": "V-73709",
+ "rid": "SV-88373r1_rule",
+ "stig_id": "WN16-SO-000470",
+ "fix_id": "F-80159r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001084"
 ],
 "nist": [
- "CM-6 b",
+ "SC-3",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73577' do\n title 'Attachments must be prevented from being downloaded from RSS feeds.'\n desc \"Attachments from RSS feeds may not be secure. 
This setting will\n prevent attachments from being downloaded from RSS feeds.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73577'\n tag \"rid\": 'SV-88241r1_rule'\n tag \"stig_id\": 'WN16-CC-000420'\n tag \"fix_id\": 'F-80027r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: DisableEnclosureDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> RSS Feeds >> Prevent\n downloading of enclosures to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds') do\n it { should have_property 'DisableEnclosureDownload' }\n its('DisableEnclosureDownload') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73709' do\n title \"UIAccess applications must not be allowed to prompt for elevation\n without using the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting prevents User Interface Accessibility programs from disabling the\n secure desktop for elevation prompts.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73709'\n tag \"rid\": 'SV-88373r1_rule'\n tag \"stig_id\": 'WN16-SO-000470'\n tag \"fix_id\": 'F-80159r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n 
Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableUIADesktopToggle\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Allow UIAccess applications to prompt for elevation without\n using the secure desktop to Disabled.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableUIADesktopToggle' }\n its('EnableUIADesktopToggle') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73577.rb", + "ref": "./Windows 2016 STIG/controls/V-73709.rb", "line": 1 }, - "id": "V-73577" + "id": "V-73709" }, { - "title": "Permissions on the Active Directory data files must only allow System\n and Administrators access.", - "desc": "Improper access permissions for directory data-related files could\n allow unauthorized users to read, modify, or delete directory data or audit\n trails.", + "title": "Outdated or unused accounts 
must be removed from the system or\n disabled.", + "desc": "Outdated or unused accounts provide penetration points that may go\n undetected. Inactive accounts must be deleted if no longer necessary or, if\n still required, disabled until needed.", "descriptions": { - "default": "Improper access permissions for directory data-related files could\n allow unauthorized users to read, modify, or delete directory data or audit\n trails.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Run Regedit.\n\n Navigate to\n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters.\n\n Note the directory locations in the values for:\n\n Database log files path\n DSA Database file\n\n By default, they will be \\Windows\\NTDS.\n\n If the locations are different, the following will need to be run for each.\n\n Open Command Prompt (Admin).\n\n Navigate to the NTDS directory (\\Windows\\NTDS by default).\n\n Run icacls *.*.\n\n If the permissions on each file are not as restrictive as the following, this\n is a finding.\n\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access", - "fix": "Maintain the permissions on NTDS database and log files as\n follows:\n\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access" + "default": "Outdated or unused accounts provide penetration points that may go\n undetected. 
Inactive accounts must be deleted if no longer necessary or, if\n still required, disabled until needed.", + "check": "Open Windows PowerShell.\n\n Domain Controllers:\n\n Enter Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00\n\n This will return accounts that have not been logged on to for 35 days, along\n with various attributes such as the Enabled status and LastLogonDate.\n\n Member servers and standalone systems:\n\n Copy or enter the lines below to the PowerShell window and enter. (Entering\n twice may be required. Do not include the quotes at the beginning and end of\n the query.)\n\n ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\n\n This will return a list of local accounts with the account name, last logon,\n and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n\n Review the list of accounts returned by the above queries to determine the\n finding validity for each account reported.\n\n Exclude the following accounts:\n\n - Built-in administrator account (Renamed, SID ending in 500)\n - Built-in guest account (Renamed, Disabled, SID ending in 501)\n - Application accounts\n\n If any enabled accounts have not been logged on to within the past 35 days,\n this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be\n documented with the ISSO.", + "fix": "Regularly review accounts to determine if they are still active.\n Remove or disable accounts that have not been used in the last 35 days." 
},
 "impact": 0,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-73369",
- "rid": "SV-88021r1_rule",
- "stig_id": "WN16-DC-000070",
- "fix_id": "F-79811r1_fix",
+ "gtitle": "SRG-OS-000104-GPOS-00051",
+ "satisfies": [
+ "SRG-OS-000104-GPOS-00051",
+ "SRG-OS-000118-GPOS-00060"
+ ],
+ "gid": "V-73259",
+ "rid": "SV-87911r2_rule",
+ "stig_id": "WN16-00-000210",
+ "fix_id": "F-79703r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-000764",
+ "CCI-000795"
 ],
 "nist": [
- "AC-6 (10)",
+ "IA-2",
+ "IA-5 e",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73369' do\n title \"Permissions on the Active Directory data files must only allow System\n and Administrators access.\"\n desc \"Improper access permissions for directory data-related files could\n allow unauthorized users to read, modify, or delete directory data or audit\n trails.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73369'\n tag \"rid\": 'SV-88021r1_rule'\n tag \"stig_id\": 'WN16-DC-000070'\n tag \"fix_id\": 'F-79811r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Run Regedit.\n\n Navigate to\n HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters.\n\n Note the directory locations in the values for:\n\n Database log files path\n DSA Database file\n\n By default, they will be \\\\Windows\\\\NTDS.\n\n If the locations are different, the following will need to be run for each.\n\n Open Command Prompt (Admin).\n\n Navigate to the NTDS directory (\\\\Windows\\\\NTDS by default).\n\n Run icacls *.*.\n\n If the permissions on each file are not as restrictive as the following, this\n is a finding.\n\n NT AUTHORITY\\\\SYSTEM:(I)(F)\n BUILTIN\\\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access\"\n desc \"fix\", \"Maintain the permissions on NTDS database and log files as\n follows:\n\n NT AUTHORITY\\\\SYSTEM:(I)(F)\n BUILTIN\\\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n default_path = \"\\\\Windows\\\\NTDS\"\n reg_params = registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters')\n dsa_db_file_path = reg_params['DSA Database file'].split(\":\")[1]\n db_log_files_path = reg_params['Database log files path'].split(\":\")[1]\n if !dsa_db_file_path.start_with?(default_path) || !db_log_files_path.start_with?(default_path)\n acl_rules = []\n if !dsa_db_file_path.start_with?(default_path)\n acl_rules = json(command: \"(Get-ACL -Path '#{reg_params['DSA Database file']}') | Select -Property PSChildName -ExpandProperty Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n end\n if !db_log_files_path.start_with?(default_path)\n acl_rules.push(*json(command: \"(Get-ACL -Path '#{reg_params['Database log files path']}\\\\\\*.\\*') | Select -Property PSChildName -ExpandProperty Access | 
ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params)\n end\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['PSChildName']} file\\'s access rule property\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n describe.one do\n describe \"The #{acl_rule['PSChildName']} file\\'s access rule property\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n end\n describe \"The #{acl_rule['PSChildName']} file\\'s access rule property\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n end\n end\n end\n else\n describe \"Database log files path\" do\n subject { db_log_files_path }\n it { should cmp default_path }\n end\n describe \"DSA Database file\" do\n subject { dsa_db_file_path }\n it { should start_with default_path}\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable.' do\n skip 'This system is not a domain controller, therefore this control is not applicable.'\n end\n end\nend\n", + "code": "control 'V-73259' do\n title \"Outdated or unused accounts must be removed from the system or\n disabled.\"\n desc \"Outdated or unused accounts provide penetration points that may go\n undetected. 
Inactive accounts must be deleted if no longer necessary or, if\n still required, disabled until needed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000104-GPOS-00051'\n tag \"satisfies\": ['SRG-OS-000104-GPOS-00051', 'SRG-OS-000118-GPOS-00060']\n tag \"gid\": 'V-73259'\n tag \"rid\": 'SV-87911r2_rule'\n tag \"stig_id\": 'WN16-00-000210'\n tag \"fix_id\": 'F-79703r1_fix'\n tag \"cci\": ['CCI-000764', 'CCI-000795']\n tag \"nist\": ['IA-2', 'IA-5 e', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open Windows PowerShell.\n\n Domain Controllers:\n\n Enter Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00\n\n This will return accounts that have not been logged on to for 35 days, along\n with various attributes such as the Enabled status and LastLogonDate.\n\n Member servers and standalone systems:\n\n Copy or enter the lines below to the PowerShell window and enter. (Entering\n twice may be required. Do not include the quotes at the beginning and end of\n the query.)\n\n ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\n\n This will return a list of local accounts with the account name, last logon,\n and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n\n Review the list of accounts returned by the above queries to determine the\n finding validity for each account reported.\n\n Exclude the following accounts:\n\n - Built-in administrator account (Renamed, SID ending in 500)\n - Built-in guest account (Renamed, Disabled, SID ending in 501)\n - Application accounts\n\n If any enabled accounts have not been logged on to within the past 35 days,\n this is a finding.\n\n Inactive accounts that have been 
reviewed and deemed to be required must be\n documented with the ISSO.\"\n desc \"fix\", \"Regularly review accounts to determine if they are still active.\n Remove or disable accounts that have not been used in the last 35 days.\"\n \n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n \n if domain_role == '4' || domain_role == '5'\n user_query = \"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00 | Where-Object { ($_.SID -notlike '*500') -and ($_.SID -notlike '*501') -and ($_.Enabled -eq $true) } | Select-Object @{Name=\\\"name\\\";Expression={$_.SamAccountName}}, @{Name=\\\"lastLogin\\\";Expression={$_.LastLogonDate}} | ConvertTo-Json\"\n else\n user_query = <<-FOO\n $users = @() \n ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {\n $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n else {\n $today = Get-Date\n $diff = New-TimeSpan -Start \"$lastLogin\" -End $today\n $lastLogin = $diff.Days\n }\n\n $sid = Get-LocalUser -Name $user.Name.Value | foreach { $_.SID.Value }\n\n if (($enabled -eq 'True') -and ($sid -notlike '*500') -and ($sid -notlike '*501')) {\n $users += (@{ name = $user.Name.Value; lastLogin = $lastLogin; enabled = $enabled; sid= $sid})\n }\n }\n $users | ConvertTo-Json\n FOO\n end\n\n users = json(command: user_query).params\n \n if users.empty?\n impact 0.0\n describe 'The system does not have any inactive accounts, control is NA' do\n skip 'The system does not have any inactive accounts, controls is NA'\n end\n else\n if users.is_a?(Hash)\n users = [JSON.parse(users.to_json)] \n end\n users.each do |account|\n describe \"Last login for user: #{account['name']}\" do\n subject { account['lastLogin'] }\n it \"should not be nil\" do\n expect(subject).not_to(cmp nil)\n end\n 
subject { account['lastLogin'] }\n it \"should not be more than 35 days\" do\n expect(subject).to(be <= 35)\n end\n end\n end\n end\nend",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73369.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73259.rb",
 "line": 1
 },
- "id": "V-73369"
+ "id": "V-73259"
 },
 {
- "title": "Users must be prompted to authenticate when the system wakes from\n sleep (on battery).",
- "desc": "A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (on battery).",
+ "title": "System files must be monitored for unauthorized changes.",
+ "desc": "Monitoring system files for changes against a baseline on a regular\n basis may help detect the possible introduction of malicious code on a system.",
 "descriptions": {
- "default": "A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (on battery).",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: DCSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
- "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n Require a password when a computer wakes (on battery) to Enabled." 
+ "default": "Monitoring system files for changes against a baseline on a regular\n basis may help detect the possible introduction of malicious code on a system.",
+ "check": "Determine whether the system is monitored for unauthorized\n changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a\n baseline on a weekly basis.\n\n If system files are not monitored for unauthorized changes, this is a finding.\n\n A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor\n (FIM) module will meet the requirement for file integrity checking. The Asset\n module within HBSS does not meet this requirement.",
+ "fix": "Monitor the system for unauthorized changes to system files\n (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly\n basis. This can be done with the use of various monitoring tools."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-73537",
- "rid": "SV-88197r1_rule",
- "stig_id": "WN16-CC-000210",
- "fix_id": "F-79979r1_fix",
+ "gtitle": "SRG-OS-000363-GPOS-00150",
+ "gid": "V-73265",
+ "rid": "SV-87917r1_rule",
+ "stig_id": "WN16-00-000240",
+ "fix_id": "F-79709r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001744"
 ],
 "nist": [
- "CM-6 b",
+ "CM-3 (5)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73537' do\n title \"Users must be prompted to authenticate when the system wakes from\n sleep (on battery).\"\n desc \"A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. 
This setting ensures users are prompted for a\n password when the system wakes from sleep (on battery).\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73537'\n tag \"rid\": 'SV-88197r1_rule'\n tag \"stig_id\": 'WN16-CC-000210'\n tag \"fix_id\": 'F-79979r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: DCSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n Require a password when a computer wakes (on battery) to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'DCSettingIndex' }\n its('DCSettingIndex') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73265' do\n title 'System files must be monitored for unauthorized changes.'\n desc \"Monitoring system files for changes against a baseline on a regular\n basis may help detect the possible introduction of malicious code on a system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000363-GPOS-00150'\n tag \"gid\": 'V-73265'\n tag \"rid\": 'SV-87917r1_rule'\n tag \"stig_id\": 'WN16-00-000240'\n tag \"fix_id\": 'F-79709r1_fix'\n tag \"cci\": ['CCI-001744']\n tag \"nist\": ['CM-3 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine whether the system is monitored for unauthorized\n changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a\n baseline on a weekly basis.\n\n If system files are not 
monitored for unauthorized changes, this is a finding.\n\n A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor\n (FIM) module will meet the requirement for file integrity checking. The Asset\n module within HBSS does not meet this requirement.\"\n desc \"fix\", \"Monitor the system for unauthorized changes to system files\n (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly\n basis. This can be done with the use of various monitoring tools.\"\n describe 'A manual review is required to verify that system files are monitored for unauthorized changes' do\n skip 'A manual review is required to verify that system files are monitored for unauthorized changes'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73537.rb", + "ref": "./Windows 2016 STIG/controls/V-73265.rb", "line": 1 }, - "id": "V-73537" + "id": "V-73265" }, { - "title": "The Security event log size must be configured to 196608 KB or\n greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "title": "Windows Telemetry must be configured to Security or Basic.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The Security option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender, and telemetry client settings. Basic sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", - "check": "If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00030000 (196608) (or greater)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> Security\n >> Specify the maximum log file size (KB) to Enabled with a Maximum\n Log Size (KB) of 196608 or greater." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The Security option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender, and telemetry client settings. Basic sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds>> Allow Telemetry to Enabled with 0 - Security [Enterprise\n Only] or 1 - Basic selected in Options." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-73555", - "rid": "SV-88219r1_rule", - "stig_id": "WN16-CC-000310", - "fix_id": "F-80005r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73551", + "rid": "SV-88215r1_rule", + "stig_id": "WN16-CC-000290", + "fix_id": "F-80001r1_fix", "cci": [ - "CCI-001849" + "CCI-000366" ], "nist": [ - "AU-4", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73555' do\n title \"The Security event log size must be configured to 196608 KB or\n greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000341-GPOS-00132'\n tag \"gid\": 'V-73555'\n tag \"rid\": 'SV-88219r1_rule'\n tag \"stig_id\": 'WN16-CC-000310'\n tag \"fix_id\": 'F-80005r1_fix'\n tag \"cci\": ['CCI-001849']\n tag \"nist\": ['AU-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Security\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00030000 (196608) (or greater)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> Security\n >> Specify the maximum log file size (KB) to Enabled with a Maximum\n Log Size (KB) of 196608 or greater.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Security') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 196608 }\n end\nend\n", + "code": "control 'V-73551' do\n title 
'Windows Telemetry must be configured to Security or Basic.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The Security option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender, and telemetry client settings. Basic sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73551'\n tag \"rid\": 'SV-88215r1_rule'\n tag \"stig_id\": 'WN16-CC-000290'\n tag \"fix_id\": 'F-80001r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection\\\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds>> Allow Telemetry to Enabled with 0 - Security [Enterprise\n Only] or 1 - Basic selected in Options.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": 
"./Windows 2016 STIG/controls/V-73555.rb", + "ref": "./Windows 2016 STIG/controls/V-73551.rb", "line": 1 }, - "id": "V-73555" + "id": "V-73551" }, { - "title": "AutoPlay must be disabled for all drives.", - "desc": "Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon media is inserted into the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, AutoPlay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. Enabling this policy\n disables AutoPlay on all drives.", + "title": "Users must be required to enter a password to access private keys\n stored on the computer.", + "desc": "If the private key is discovered, an attacker can use the key to\n authenticate as an authorized user and gain access to the network\n infrastructure.\n\n The cornerstone of the PKI is the private key used to encrypt or digitally\n sign information.\n\n If the private key is stolen, this will lead to the compromise of the\n authentication and non-repudiation gained through PKI because the attacker can\n use the private key to digitally sign documents and pretend to be the\n authorized user.\n\n Both the holders of a digital certificate and the issuing authority must\n protect the computers, storage devices, or whatever they use to keep the\n private keys.", "descriptions": { - "default": "Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon media is inserted into the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, AutoPlay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy\n disables AutoPlay on all drives.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\\n\n Value Name: NoDriveTypeAutoRun\n\n Type: REG_DWORD\n Value: 0x000000ff (255)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> Turn\n off AutoPlay to Enabled with All Drives selected." + "default": "If the private key is discovered, an attacker can use the key to\n authenticate as an authorized user and gain access to the network\n infrastructure.\n\n The cornerstone of the PKI is the private key used to encrypt or digitally\n sign information.\n\n If the private key is stolen, this will lead to the compromise of the\n authentication and non-repudiation gained through PKI because the attacker can\n use the private key to digitally sign documents and pretend to be the\n authorized user.\n\n Both the holders of a digital certificate and the issuing authority must\n protect the computers, storage devices, or whatever they use to keep the\n private keys.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Cryptography\\\n\n Value Name: ForceKeyProtection\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n cryptography: Force strong key protection for user keys stored on the\n computer to User must enter a password each time they use a key." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-73549", - "rid": "SV-88213r1_rule", - "stig_id": "WN16-CC-000270", - "fix_id": "F-79999r1_fix", + "gtitle": "SRG-OS-000067-GPOS-00035", + "gid": "V-73699", + "rid": "SV-88363r1_rule", + "stig_id": "WN16-SO-000420", + "fix_id": "F-80149r1_fix", "cci": [ - "CCI-001764" + "CCI-000186" ], "nist": [ - "CM-7 (2)", + "IA-5 (2) (b)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73549' do\n title 'AutoPlay must be disabled for all drives.'\n desc \"Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon media is inserted into the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, AutoPlay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. Enabling this policy\n disables AutoPlay on all drives.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000368-GPOS-00154'\n tag \"gid\": 'V-73549'\n tag \"rid\": 'SV-88213r1_rule'\n tag \"stig_id\": 'WN16-CC-000270'\n tag \"fix_id\": 'F-79999r1_fix'\n tag \"cci\": ['CCI-001764']\n tag \"nist\": ['CM-7 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\policies\\\\Explorer\\\\\n\n Value Name: NoDriveTypeAutoRun\n\n Type: REG_DWORD\n Value: 0x000000ff (255)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> Turn\n off AutoPlay to Enabled with All Drives selected.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n it { should have_property 
'NoDriveTypeAutoRun' }\n its('NoDriveTypeAutoRun') { should cmp 255 }\n end\nend\n", + "code": "control 'V-73699' do\n title \"Users must be required to enter a password to access private keys\n stored on the computer.\"\n desc \"If the private key is discovered, an attacker can use the key to\n authenticate as an authorized user and gain access to the network\n infrastructure.\n\n The cornerstone of the PKI is the private key used to encrypt or digitally\n sign information.\n\n If the private key is stolen, this will lead to the compromise of the\n authentication and non-repudiation gained through PKI because the attacker can\n use the private key to digitally sign documents and pretend to be the\n authorized user.\n\n Both the holders of a digital certificate and the issuing authority must\n protect the computers, storage devices, or whatever they use to keep the\n private keys.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000067-GPOS-00035'\n tag \"gid\": 'V-73699'\n tag \"rid\": 'SV-88363r1_rule'\n tag \"stig_id\": 'WN16-SO-000420'\n tag \"fix_id\": 'F-80149r1_fix'\n tag \"cci\": ['CCI-000186']\n tag \"nist\": ['IA-5 (2) (b)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography\\\\\n\n Value Name: ForceKeyProtection\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n cryptography: Force strong key protection for user keys stored on the\n computer to User must enter a password each time they use a key.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography') do\n it { should have_property 'ForceKeyProtection' }\n its('ForceKeyProtection') { should 
cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73549.rb", + "ref": "./Windows 2016 STIG/controls/V-73699.rb", "line": 1 }, - "id": "V-73549" + "id": "V-73699" }, { - "title": "Permissions for the Windows installation directory must conform to\n minimum requirements.", - "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", + "title": "The Force shutdown from a remote system user right must only be\n assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Force shutdown from a remote system user right can\n remotely shut down a system, which could result in a denial of service.", "descriptions": { - "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", - "check": "The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the Windows installation directory (usually\n C:\\Windows). Non-privileged groups such as Users or Authenticated Users must\n not have greater than Read & execute permissions. 
(Individual accounts must\n not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the Security tab and the Advanced button.\n\n Default permissions:\n Windows\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter icacls followed by the directory:\n\n icacls c:\\windows\n\n The following results should be displayed for each when entered:\n\n c:\\windows\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files", - "fix": "Maintain the default file ACLs and configure the Security Option\n Network access: Let everyone permissions apply to 
anonymous users to\n Disabled (WN16-SO-000290).\n\n Default permissions:\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files" + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Force shutdown from a remote system user right can\n remotely shut down a system, which could result in a denial of service.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Force\n shutdown from a remote system user right, this is a finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Force shutdown from a remote system to include only the following accounts\n or groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000312-GPOS-00122", - "satisfies": [ - "SRG-OS-000312-GPOS-00122", - "SRG-OS-000312-GPOS-00123", - "SRG-OS-000312-GPOS-00124" - ], - "gid": "V-73253", - "rid": "SV-87905r1_rule", - "stig_id": "WN16-00-000180", - "fix_id": "F-79697r1_fix", + "gtitle": 
"SRG-OS-000324-GPOS-00125", + "gid": "V-73781", + "rid": "SV-88445r1_rule", + "stig_id": "WN16-UR-000200", + "fix_id": "F-80231r1_fix", "cci": [ - "CCI-002165" + "CCI-002235" ], "nist": [ - "AC-3 (4)", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73253' do\n title \"Permissions for the Windows installation directory must conform to\n minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000312-GPOS-00122'\n tag \"satisfies\": ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123',\n 'SRG-OS-000312-GPOS-00124']\n tag \"gid\": 'V-73253'\n tag \"rid\": 'SV-87905r1_rule'\n tag \"stig_id\": 'WN16-00-000180'\n tag \"fix_id\": 'F-79697r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the Windows installation directory (usually\n C:\\\\Windows). Non-privileged groups such as Users or Authenticated Users must\n not have greater than Read & execute permissions. 
(Individual accounts must\n not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the Security tab and the Advanced button.\n\n Default permissions:\n Windows\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter icacls followed by the directory:\n\n icacls c:\\\\windows\n\n The following results should be displayed for each when entered:\n\n c:\\\\windows\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\"\n desc \"fix\", \"Maintain the default file ACLs and configure the Security Option\n Network access: Let 
everyone permissions apply to anonymous users to\n Disabled (WN16-SO-000290).\n\n Default permissions:\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\"\n\n paths = [\n \"C:\\\\Windows\"\n ]\n\n paths.each do |path|\n acl_rules = json(command: \"(Get-ACL -Path '#{path}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one 
do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"Modify, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n 
its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n 
its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n end\nend\n", + "code": "control 'V-73781' do\n title \"The Force shutdown from a remote system user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Force shutdown from a remote system user right can\n remotely shut down a system, which could result in a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73781'\n tag \"rid\": 'SV-88445r1_rule'\n tag \"stig_id\": 'WN16-UR-000200'\n tag \"fix_id\": 'F-80231r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": 
['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Force\n shutdown from a remote system user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Force shutdown from a remote system to include only the following accounts\n or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeRemoteShutdownPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeRemoteShutdownPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73253.rb", + "ref": "./Windows 2016 STIG/controls/V-73781.rb", "line": 1 }, - "id": "V-73253" + "id": "V-73781" }, { - "title": "The Windows Installer Always install with elevated privileges option\n must be disabled.", - "desc": "Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.", + "title": "Servers must have a host-based intrusion detection or prevention\n system.", + "desc": "A properly configured Host-based Intrusion Detection System (HIDS) or\n Host-based Intrusion Prevention System (HIPS) provides another level of defense\n against unauthorized access to critical servers. 
With proper configuration and\n logging enabled, such a system can stop and/or alert for many attempts to gain\n unauthorized access to resources.", "descriptions": { - "default": "Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: AlwaysInstallElevated\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> Always\n install with elevated privileges to Disabled." + "default": "A properly configured Host-based Intrusion Detection System (HIDS) or\n Host-based Intrusion Prevention System (HIPS) provides another level of defense\n against unauthorized access to critical servers. With proper configuration and\n logging enabled, such a system can stop and/or alert for many attempts to gain\n unauthorized access to resources.", + "check": "Determine whether there is a HIDS or HIPS on each server.\n\n If the HIPS component of HBSS is installed and active on the host and the\n alerts of blocked activity are being logged and monitored, this meets the\n requirement.\n\n A HIDS device is not required on a system that has the role as the Network\n Intrusion Device (NID). However, this exception needs to be documented with the\n ISSO.\n\n If a HIDS is not installed on the system, this is a finding.", + "fix": "Install a HIDS or HIPS on each server." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000362-GPOS-00149", - "gid": "V-73585", - "rid": "SV-88249r1_rule", - "stig_id": "WN16-CC-000460", - "fix_id": "F-80035r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73245", + "rid": "SV-87897r1_rule", + "stig_id": "WN16-00-000140", + "fix_id": "F-79689r1_fix", "cci": [ - "CCI-001812" + "CCI-000366" ], "nist": [ - "CM-11 (2)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73585' do\n title \"The Windows Installer Always install with elevated privileges option\n must be disabled.\"\n desc \"Standard user accounts must not be granted elevated privileges.\n Enabling Windows Installer to elevate privileges when installing applications\n can allow malicious persons and applications to gain full control of a system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000362-GPOS-00149'\n tag \"gid\": 'V-73585'\n tag \"rid\": 'SV-88249r1_rule'\n tag \"stig_id\": 'WN16-CC-000460'\n tag \"fix_id\": 'F-80035r1_fix'\n tag \"cci\": ['CCI-001812']\n tag \"nist\": ['CM-11 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: AlwaysInstallElevated\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Installer >> Always\n install with elevated privileges to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer') do\n it { should have_property 'AlwaysInstallElevated' }\n its('AlwaysInstallElevated') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73245' do\n title \"Servers must have a host-based intrusion detection or prevention\n 
system.\"\n desc \"A properly configured Host-based Intrusion Detection System (HIDS) or\n Host-based Intrusion Prevention System (HIPS) provides another level of defense\n against unauthorized access to critical servers. With proper configuration and\n logging enabled, such a system can stop and/or alert for many attempts to gain\n unauthorized access to resources.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73245'\n tag \"rid\": 'SV-87897r1_rule'\n tag \"stig_id\": 'WN16-00-000140'\n tag \"fix_id\": 'F-79689r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine whether there is a HIDS or HIPS on each server.\n\n If the HIPS component of HBSS is installed and active on the host and the\n alerts of blocked activity are being logged and monitored, this meets the\n requirement.\n\n A HIDS device is not required on a system that has the role as the Network\n Intrusion Device (NID). However, this exception needs to be documented with the\n ISSO.\n\n If a HIDS is not installed on the system, this is a finding.\"\n desc \"fix\", 'Install a HIDS or HIPS on each server.'\n describe 'A manual review is required to determine whether this server has a host-based Intrusion Detection System installed' do\n skip 'A manual review is required to determine whether this server has a host-based Intrusion Detection System installed'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73585.rb", + "ref": "./Windows 2016 STIG/controls/V-73245.rb", "line": 1 }, - "id": "V-73585" + "id": "V-73245" }, { - "title": "Administrator accounts must not be enumerated during elevation.", - "desc": "Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. 
This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.", + "title": "The Modify firmware environment values user right must only be\n assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Modify firmware environment values user right can\n change hardware configuration environment variables. This could result in\n hardware failures or a denial of service.", "descriptions": { - "default": "Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\\n\n Value Name: EnumerateAdministrators\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Credential User Interface >>\n Enumerate administrator accounts on elevation to Disabled." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Modify firmware environment values user right can\n change hardware configuration environment variables. 
This could result in\n hardware failures or a denial of service.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Modify\n firmware environment values user right, this is a finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Modify firmware environment values to include only the following accounts\n or groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-73487", - "rid": "SV-88139r1_rule", - "stig_id": "WN16-CC-000280", - "fix_id": "F-79929r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73795", + "rid": "SV-88459r1_rule", + "stig_id": "WN16-UR-000270", + "fix_id": "F-80245r1_fix", "cci": [ - "CCI-001084" + "CCI-002235" ], "nist": [ - "SC-3", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73487' do\n title 'Administrator accounts must not be enumerated during elevation.'\n desc \"Enumeration of administrator accounts when elevating can provide part\n of the logon information to an unauthorized user. 
This setting configures the\n system to always require users to type in a username and password to elevate a\n running application.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73487'\n tag \"rid\": 'SV-88139r1_rule'\n tag \"stig_id\": 'WN16-CC-000280'\n tag \"fix_id\": 'F-79929r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI\\\\\n\n Value Name: EnumerateAdministrators\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Credential User Interface >>\n Enumerate administrator accounts on elevation to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI') do\n it { should have_property 'EnumerateAdministrators' }\n its('EnumerateAdministrators') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73795' do\n title \"The Modify firmware environment values user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Modify firmware environment values user right can\n change hardware configuration environment variables. 
This could result in\n hardware failures or a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73795'\n tag \"rid\": 'SV-88459r1_rule'\n tag \"stig_id\": 'WN16-UR-000270'\n tag \"fix_id\": 'F-80245r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Modify\n firmware environment values user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Modify firmware environment values to include only the following accounts\n or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeSystemEnvironmentPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeSystemEnvironmentPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73487.rb", + "ref": "./Windows 2016 STIG/controls/V-73795.rb", "line": 1 }, - "id": "V-73487" + "id": "V-73795" }, { - "title": "The Windows Remote Management (WinRM) client must not allow\n unencrypted traffic.", - "desc": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.", + "title": "Windows Server 2016 must be configured to audit Object Access -\n Removable Storage successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.", "descriptions": { - "default": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Allow unencrypted traffic to Disabled." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Success\n\n Virtual machines or systems that use network attached storage may generate\n excessive audit events for secondary virtual drives or the network attached\n storage when this setting is enabled. This may be set to Not Configured in such\n cases and would not be a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> Audit Removable Storage with Success\n selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000393-GPOS-00173", - "satisfies": [ - "SRG-OS-000393-GPOS-00173", - "SRG-OS-000394-GPOS-00174" - ], - "gid": "V-73595", - "rid": "SV-88259r1_rule", - "stig_id": "WN16-CC-000510", - "fix_id": "F-80045r1_fix", + "gtitle": "SRG-OS-000474-GPOS-00219", + "gid": "V-73457", + "rid": "SV-88109r1_rule", + "stig_id": "WN16-AU-000290", + "fix_id": "F-79899r1_fix", "cci": [ - "CCI-002890", - "CCI-003123" + "CCI-000172" ], "nist": [ - "MA-4 (6)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73595' do\n title \"The Windows Remote Management (WinRM) client must not allow\n unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000393-GPOS-00173'\n tag \"satisfies\": ['SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174']\n tag \"gid\": 'V-73595'\n tag \"rid\": 'SV-88259r1_rule'\n tag \"stig_id\": 'WN16-CC-000510'\n tag \"fix_id\": 'F-80045r1_fix'\n tag \"cci\": ['CCI-002890', 'CCI-003123']\n tag \"nist\": ['MA-4 (6)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Allow unencrypted traffic to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { 
should cmp 0 }\n end\nend\n", + "code": "control 'V-73457' do\n title \"Windows Server 2016 must be configured to audit Object Access -\n Removable Storage successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\n access attempts on file system objects on removable storage devices.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000474-GPOS-00219'\n tag \"gid\": 'V-73457'\n tag \"rid\": 'SV-88109r1_rule'\n tag \"stig_id\": 'WN16-AU-000290'\n tag \"fix_id\": 'F-79899r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Success\n\n Virtual machines or systems that use network attached storage may generate\n excessive audit events for secondary virtual drives or the network attached\n storage when this setting is enabled. 
This may be set to Not Configured in such\n cases and would not be a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Object Access >> Audit Removable Storage with Success\n selected.\"\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Success' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Removable Storage'\") do\n its('stdout') { should match /Removable Storage Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Removable Storage'\") do\n its('stdout') { should match /Removable Storage Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73595.rb", + "ref": "./Windows 2016 STIG/controls/V-73457.rb", "line": 1 }, - "id": "V-73595" + "id": "V-73457" }, { - "title": "The Enable computer and user accounts to be trusted for delegation\n user right must only be assigned to the Administrators group on domain\n controllers.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.", + "title": "The setting Microsoft network client: Digitally sign communications\n (always) must be configured to Enabled.", + "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.", - "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Enable\n computer and user accounts to be trusted for delegation user right, this is a\n finding.\n\n - Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Enable computer and user accounts to be trusted for delegation to include\n only the following accounts or groups:\n\n - Administrators" + "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network client: Digitally sign communications (always) to\n Enabled." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73777", - "rid": "SV-88441r1_rule", - "stig_id": "WN16-DC-000420", - "fix_id": "F-80227r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-73653", + "rid": "SV-88317r1_rule", + "stig_id": "WN16-SO-000190", + "fix_id": "F-80103r1_fix", "cci": [ - "CCI-002235" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AC-6 (10)", + "SC-8", + "SC-8 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73777' do\n title \"The Enable computer and user accounts to be trusted for delegation\n user right must only be assigned to the Administrators group on domain\n controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. 
This could\n allow unauthorized users to impersonate other users.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73777'\n tag \"rid\": 'SV-88441r1_rule'\n tag \"stig_id\": 'WN16-DC-000420'\n tag \"fix_id\": 'F-80227r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Enable\n computer and user accounts to be trusted for delegation user right, this is a\n finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Enable computer and user accounts to be trusted for delegation to include\n only the following accounts or groups:\n\n - Administrators\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73653' do\n title \"The setting Microsoft network client: 
Digitally sign communications\n (always) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73653'\n tag \"rid\": 'SV-88317r1_rule'\n tag \"stig_id\": 'WN16-SO-000190'\n tag \"fix_id\": 'F-80103r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network client: Digitally sign communications (always) to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73777.rb", + "ref": "./Windows 2016 STIG/controls/V-73653.rb", "line": 1 }, - "id": "V-73777" + "id": "V-73653" }, { - "title": "The Active Directory AdminSDHolder object must be configured with\n proper audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be 
possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the AdminSDHolder object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "title": "Services using Local System that use Negotiate when reverting to NTLM\n authentication must use the computer identity instead of authenticating\n anonymously.", + "desc": "Services using Local System that use Negotiate when reverting to NTLM\n authentication may gain unauthorized access if allowed to authenticate\n anonymously versus using the computer identity.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the AdminSDHolder object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the AdminSDHolder object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the AdminSDHolder object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the AdminSDHolder object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects", - "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the AdminSDHolder object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for AdminSDHolder object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects" + "default": "Services using Local System that use Negotiate when reverting to NTLM\n authentication may gain unauthorized access if allowed to authenticate\n anonymously versus using the computer identity.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\\n\n Value Name: UseMachineId\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow Local System to use computer identity for NTLM to\n Enabled." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73397", - "rid": "SV-88049r1_rule", - "stig_id": "WN16-DC-000210", - "fix_id": "F-79839r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73679", + "rid": "SV-88343r1_rule", + "stig_id": "WN16-SO-000320", + "fix_id": "F-80129r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000366" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73397' do\n title \"The Active Directory AdminSDHolder object must be configured with\n proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the AdminSDHolder object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73397'\n tag \"rid\": 'SV-88049r1_rule'\n tag \"stig_id\": 'WN16-DC-000210'\n tag \"fix_id\": 'F-79839r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234'] \n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the AdminSDHolder object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the AdminSDHolder object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the AdminSDHolder object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the AdminSDHolder object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for AdminSDHolder object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=AdminSDHolder,CN=System,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should 
match /^(?=.*?\\bWriteProperty\\b)(?=.*?\\bWriteDacl\\b)(?=.*?\\bWriteOwner\\b).*$/ }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73679' do\n title \"Services using Local System that use Negotiate when reverting to NTLM\n authentication must use the computer identity instead of authenticating\n anonymously.\"\n desc \"Services using Local System that use Negotiate when reverting to NTLM\n authentication may gain unauthorized access if allowed to authenticate\n anonymously versus using the computer identity.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73679'\n tag \"rid\": 'SV-88343r1_rule'\n tag \"stig_id\": 'WN16-SO-000320'\n tag \"fix_id\": 'F-80129r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: 
HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\\n\n Value Name: UseMachineId\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow Local System to use computer identity for NTLM to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'UseMachineId' }\n its('UseMachineId') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73397.rb", + "ref": "./Windows 2016 STIG/controls/V-73679.rb", "line": 1 }, - "id": "V-73397" + "id": "V-73679" }, { - "title": "The roles and features required by the system must be documented.", - "desc": "Unnecessary roles and features increase the attack surface of a\n system. Limiting roles and features of a system to only those necessary reduces\n this potential. The standard installation option (previously called Server\n Core) further reduces this when selected at installation.", + "title": "Turning off File Explorer heap termination on corruption must be\n disabled.", + "desc": "Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.", "descriptions": { - "default": "Unnecessary roles and features increase the attack surface of a\n system. Limiting roles and features of a system to only those necessary reduces\n this potential. 
The standard installation option (previously called Server\n Core) further reduces this when selected at installation.", - "check": "Required roles and features will vary based on the function of\n the individual system.\n\n Roles and features specifically required to be disabled per the STIG are\n identified in separate requirements.\n\n If the organization has not documented the roles and features required for the\n system(s), this is a finding.\n\n The PowerShell command Get-WindowsFeature will list all roles and features\n with an Install State.", - "fix": "Document the roles and features required for the system to\n operate. Uninstall any that are not required." + "default": "Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.", + "check": "The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for File Explorer heap termination on\n corruption to be disabled.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off heap termination on corruption to Not Configured\n or Disabled." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73277", - "rid": "SV-87929r1_rule", - "stig_id": "WN16-00-000300", - "fix_id": "F-79721r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73563", + "rid": "SV-88227r1_rule", + "stig_id": "WN16-CC-000350", + "fix_id": "F-80013r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73277' do\n title 'The roles and features required by the system must be documented.'\n desc \"Unnecessary roles and features increase the attack surface of a\n system. Limiting roles and features of a system to only those necessary reduces\n this potential. The standard installation option (previously called Server\n Core) further reduces this when selected at installation.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73277'\n tag \"rid\": 'SV-87929r1_rule'\n tag \"stig_id\": 'WN16-00-000300'\n tag \"fix_id\": 'F-79721r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Required roles and features will vary based on the function of\n the individual system.\n\n Roles and features specifically required to be disabled per the STIG are\n identified in separate requirements.\n\n If the organization has not documented the roles and features required for the\n system(s), this is a finding.\n\n The PowerShell command Get-WindowsFeature will list all roles and features\n with an Install State.\"\n desc \"fix\", \"Document the roles and features required for the system to\n operate. 
Uninstall any that are not required.\"\n describe 'A manual review is required to verify that the roles and features required by the system are documented' do\n skip 'A manual review is required to verify that the roles and features required by the system are documented'\n end\nend\n", + "code": "control 'V-73563' do\n title \"Turning off File Explorer heap termination on corruption must be\n disabled.\"\n desc \"Legacy plug-in applications may continue to function when a File\n Explorer session has become corrupt. Disabling this feature will prevent this.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73563'\n tag \"rid\": 'SV-88227r1_rule'\n tag \"stig_id\": 'WN16-CC-000350'\n tag \"fix_id\": 'F-80013r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for File Explorer heap termination on\n corruption to be enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for File Explorer heap termination on\n corruption to be disabled.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off heap termination on corruption to Not Configured\n or Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer') do\n it { should have_property 'NoHeapTerminationOnCorruption' }\n its('NoHeapTerminationOnCorruption') { 
should_not cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73277.rb", + "ref": "./Windows 2016 STIG/controls/V-73563.rb", "line": 1 }, - "id": "V-73277" + "id": "V-73563" }, { - "title": "Windows Server 2016 must employ a deny-all, permit-by-exception policy\n to allow the execution of authorized software programs.", - "desc": "Using a whitelist provides a configuration management method to allow\n the execution of only authorized software. Using only authorized software\n decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.", + "title": "Windows Server 2016 must be configured to audit DS Access - Directory\n Service Access successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.", "descriptions": { - "default": "Using a whitelist provides a configuration management method to allow\n the execution of only authorized software. Using only authorized software\n decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. 
The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.", - "check": "This is applicable to unclassified systems. For other systems,\n this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to\n allow the execution of authorized software programs.\n\n If an application whitelisting program is not in use on the system, this is a\n finding.\n\n Configuration of whitelisting applications will vary by the program.\n\n AppLocker is a whitelisting application built into Windows Server. A\n deny-by-default implementation is initiated by enabling any AppLocker rules\n within a category, only allowing what is specified by defined rules.\n\n If AppLocker is used, perform the following to view the configuration of\n AppLocker:\n\n Open PowerShell.\n\n If the AppLocker PowerShell module has not been imported previously, execute\n the following first:\n\n Import-Module AppLocker\n\n Execute the following command, substituting [c:\\temp\\file.xml] with a\n location and file name appropriate for the system:\n\n Get-AppLockerPolicy -Effective -XML > c:\\temp\\file.xml\n\n This will produce an xml file with the effective settings that can be viewed in\n a browser or opened in a program such as Excel for review.\n\n Implementation guidance for AppLocker is available in the NSA paper\n Application Whitelisting using Microsoft AppLocker at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "fix": "Configure an application whitelisting program to employ a\n deny-all, permit-by-exception policy to allow the execution of authorized\n software programs.\n\n Configuration of whitelisting applications will vary by the program. 
AppLocker\n is a whitelisting application built into Windows Server.\n\n If AppLocker is used, it is configured through group policy in Computer\n Configuration >> Windows Settings >> Security Settings >> Application Control\n Policies >> AppLocker.\n\n Implementation guidance for AppLocker is available in the NSA paper\n Application Whitelisting using Microsoft AppLocker at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Access with Success\n selected." 
+ }, + "impact": 0, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-73435", + "rid": "SV-88087r1_rule", + "stig_id": "WN16-DC-000240", + "fix_id": "F-79877r1_fix", + "cci": [ + "CCI-000172", + "CCI-002234" + ], + "nist": [ + "AU-12 c", + "AC-6 (9)", + "Rev_4" + ], + "documentable": false + }, + "code": "control 'V-73435' do\n title \"Windows Server 2016 must be configured to audit DS Access - Directory\n Service Access successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73435'\n tag \"rid\": 'SV-88087r1_rule'\n tag \"stig_id\": 'WN16-DC-000240'\n tag \"fix_id\": 'F-79877r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Access with Success\n selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success' }\n end\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Access'\") do\n its('stdout') { should match /Directory Service Access Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Access'\") do\n its('stdout') { should match /Directory Service Access Success and Failure/ }\n end\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "source_location": { + "ref": "./Windows 2016 
STIG/controls/V-73435.rb", + "line": 1 + }, + "id": "V-73435" + }, + { + "title": "Windows Server 2016 must be configured to audit Detailed Tracking -\n Plug and Play Events successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.", + "descriptions": { + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Plug and Play Events - Success", + "fix": "Configure the policy value for Computer 
Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Detailed Tracking >> Audit PNP Activity with Success selected." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000370-GPOS-00155", - "gid": "V-73235", - "rid": "SV-87887r2_rule", - "stig_id": "WN16-00-000090", - "fix_id": "F-79679r2_fix", + "gtitle": "SRG-OS-000474-GPOS-00219", + "gid": "V-73431", + "rid": "SV-88083r2_rule", + "stig_id": "WN16-AU-000160", + "fix_id": "F-79873r1_fix", "cci": [ - "CCI-001774" + "CCI-000172" ], "nist": [ - "CM-7 (5) (b)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73235' do\n title \"Windows Server 2016 must employ a deny-all, permit-by-exception policy\n to allow the execution of authorized software programs.\"\n desc \"Using a whitelist provides a configuration management method to allow\n the execution of only authorized software. Using only authorized software\n decreases risk by limiting the number of potential vulnerabilities.\n\n The organization must identify authorized software programs and only permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information systems\n is commonly referred to as whitelisting.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000370-GPOS-00155'\n tag \"gid\": 'V-73235'\n tag \"rid\": 'SV-87887r2_rule'\n tag \"stig_id\": 'WN16-00-000090'\n tag \"fix_id\": 'F-79679r2_fix'\n tag \"cci\": ['CCI-001774']\n tag \"nist\": ['CM-7 (5) (b)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This is applicable to unclassified systems. 
For other systems,\n this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to\n allow the execution of authorized software programs.\n\n If an application whitelisting program is not in use on the system, this is a\n finding.\n\n Configuration of whitelisting applications will vary by the program.\n\n AppLocker is a whitelisting application built into Windows Server. A\n deny-by-default implementation is initiated by enabling any AppLocker rules\n within a category, only allowing what is specified by defined rules.\n\n If AppLocker is used, perform the following to view the configuration of\n AppLocker:\n\n Open PowerShell.\n\n If the AppLocker PowerShell module has not been imported previously, execute\n the following first:\n\n Import-Module AppLocker\n\n Execute the following command, substituting [c:\\\\temp\\\\file.xml] with a\n location and file name appropriate for the system:\n\n Get-AppLockerPolicy -Effective -XML > c:\\\\temp\\\\file.xml\n\n This will produce an xml file with the effective settings that can be viewed in\n a browser or opened in a program such as Excel for review.\n\n Implementation guidance for AppLocker is available in the NSA paper\n Application Whitelisting using Microsoft AppLocker at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n desc \"fix\", \"Configure an application whitelisting program to employ a\n deny-all, permit-by-exception policy to allow the execution of authorized\n software programs.\n\n Configuration of whitelisting applications will vary by the program. 
AppLocker\n is a whitelisting application built into Windows Server.\n\n If AppLocker is used, it is configured through group policy in Computer\n Configuration >> Windows Settings >> Security Settings >> Application Control\n Policies >> AppLocker.\n\n Implementation guidance for AppLocker is available in the NSA paper\n Application Whitelisting using Microsoft AppLocker at the following link:\n\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n describe \"A manual review is required to verify the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs\" do\n skip \"A manual review is required to verify the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs\"\n end\nend\n",
+ "code": "control 'V-73431' do\n title \"Windows Server 2016 must be configured to audit Detailed Tracking -\n Plug and Play Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\n of external devices.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000474-GPOS-00219'\n tag \"gid\": 'V-73431'\n tag \"rid\": 'SV-88083r2_rule'\n tag \"stig_id\": 'WN16-AU-000160'\n tag \"fix_id\": 'F-79873r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Plug and Play Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Detailed Tracking >> Audit PNP Activity with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success and Failure/ 
}\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73235.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73431.rb",
 "line": 1
 },
- "id": "V-73235"
+ "id": "V-73431"
 },
 {
- "title": "The Allow log on through Remote Desktop Services user right must only\n be assigned to the Administrators group.",
- "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on through Remote Desktop Services user\n right can access a system through Remote Desktop.",
+ "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Logoff\n successes.",
+ "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. 
If it is to a network share, it is recorded on\n the system accessed.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on through Remote Desktop Services user\n right can access a system through Remote Desktop.",
- "check": "This applies to domain controllers, it is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Allow log\n on through Remote Desktop Services user right, this is a finding.\n\n - Administrators",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Allow log on through Remote Desktop Services to include only the following\n accounts or groups:\n\n - Administrators"
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. 
If it is to a network share, it is recorded on\n the system accessed.",
+ "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logoff - Success",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logoff with Success selected."
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000080-GPOS-00048",
- "gid": "V-73741",
- "rid": "SV-88405r1_rule",
- "stig_id": "WN16-DC-000360",
- "fix_id": "F-80191r1_fix",
+ "gtitle": "SRG-OS-000032-GPOS-00013",
+ "satisfies": [
+ "SRG-OS-000032-GPOS-00013",
+ "SRG-OS-000470-GPOS-00214",
+ "SRG-OS-000472-GPOS-00217",
+ "SRG-OS-000473-GPOS-00218",
+ "SRG-OS-000475-GPOS-00220"
+ ],
+ "gid": "V-73449",
+ "rid": "SV-88101r1_rule",
+ "stig_id": "WN16-AU-000250",
+ "fix_id": "F-79891r1_fix",
 "cci": [
- "CCI-000213"
+ "CCI-000067",
+ "CCI-000172"
 ],
 "nist": [
- "AC-3",
+ "AC-17 (1)",
+ "AU-12 c",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73741' do\n title \"The Allow log on through Remote Desktop Services user right must only\n be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on through Remote Desktop Services user\n right can access a system through Remote Desktop.\n \"\n impact 0.5\n tag \"gtitle\": 
'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73741'\n tag \"rid\": 'SV-88405r1_rule'\n tag \"stig_id\": 'WN16-DC-000360'\n tag \"fix_id\": 'F-80191r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers, it is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Allow log\n on through Remote Desktop Services user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Allow log on through Remote Desktop Services to include only the following\n accounts or groups:\n\n - Administrators\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeRemoteInteractiveLogonRight') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeRemoteInteractiveLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n",
+ "code": "control 'V-73449' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Logoff\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot 
service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\n recorded on the local system. If it is to a network share, it is recorded on\n the system accessed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000032-GPOS-00013'\n tag \"satisfies\": ['SRG-OS-000032-GPOS-00013', 'SRG-OS-000470-GPOS-00214',\n 'SRG-OS-000472-GPOS-00217', 'SRG-OS-000473-GPOS-00218',\n 'SRG-OS-000475-GPOS-00220']\n tag \"gid\": 'V-73449'\n tag \"rid\": 'SV-88101r1_rule'\n tag \"stig_id\": 'WN16-AU-000250'\n tag \"fix_id\": 'F-79891r1_fix'\n tag \"cci\": ['CCI-000067', 'CCI-000172']\n tag \"nist\": ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logoff - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logoff with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Logoff') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logoff') { should eq 'Success and Failure' }\n 
end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Logoff'\") do\n its('stdout') { should match /Logoff Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Logoff'\") do\n its('stdout') { should match /Logoff Success and Failure/ }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73741.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73449.rb",
 "line": 1
 },
- "id": "V-73741"
+ "id": "V-73449"
 },
 {
- "title": "Remote Desktop Services must be configured with the client connection\n encryption set to High Level.",
- "desc": "Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting High Level will ensure encryption of\n Remote Desktop Services sessions in both directions.",
+ "title": "The Windows Remote Management (WinRM) client must not use Digest\n authentication.",
+ "desc": "Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks. Disallowing Digest authentication will\n reduce this potential.",
 "descriptions": {
- "default": "Remote connections must be encrypted to prevent interception of data\n or sensitive information. Selecting High Level will ensure encryption of\n Remote Desktop Services sessions in both directions.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: MinEncryptionLevel\n\n Type: REG_DWORD\n Value: 0x00000003 (3)",
- "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Set client connection encryption\n level to Enabled with High Level selected." 
+ "default": "Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks. Disallowing Digest authentication will\n reduce this potential.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowDigest\n\n Type: REG_DWORD\n Value: 0x00000000 (0)",
+ "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Disallow Digest authentication to Enabled."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000250-GPOS-00093",
- "gid": "V-73575",
- "rid": "SV-88239r1_rule",
- "stig_id": "WN16-CC-000410",
- "fix_id": "F-80025r1_fix",
+ "gtitle": "SRG-OS-000125-GPOS-00065",
+ "gid": "V-73597",
+ "rid": "SV-88261r1_rule",
+ "stig_id": "WN16-CC-000520",
+ "fix_id": "F-80047r1_fix",
 "cci": [
- "CCI-001453"
+ "CCI-000877"
 ],
 "nist": [
- "AC-17 (2)",
+ "MA-4 c",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73575' do\n title \"Remote Desktop Services must be configured with the client connection\n encryption set to High Level.\"\n desc \"Remote connections must be encrypted to prevent interception of data\n or sensitive information. 
Selecting High Level will ensure encryption of\n Remote Desktop Services sessions in both directions.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000250-GPOS-00093'\n tag \"gid\": 'V-73575'\n tag \"rid\": 'SV-88239r1_rule'\n tag \"stig_id\": 'WN16-CC-000410'\n tag \"fix_id\": 'F-80025r1_fix'\n tag \"cci\": ['CCI-001453']\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: MinEncryptionLevel\n\n Type: REG_DWORD\n Value: 0x00000003 (3)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Set client connection encryption\n level to Enabled with High Level selected.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'MinEncryptionLevel' }\n its('MinEncryptionLevel') { should cmp 3 }\n end\nend\n",
+ "code": "control 'V-73597' do\n title \"The Windows Remote Management (WinRM) client must not use Digest\n authentication.\"\n desc \"Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks. 
Disallowing Digest authentication will\n reduce this potential.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000125-GPOS-00065'\n tag \"gid\": 'V-73597'\n tag \"rid\": 'SV-88261r1_rule'\n tag \"stig_id\": 'WN16-CC-000520'\n tag \"fix_id\": 'F-80047r1_fix'\n tag \"cci\": ['CCI-000877']\n tag \"nist\": ['MA-4 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowDigest\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Disallow Digest authentication to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowDigest' }\n its('AllowDigest') { should cmp 0 }\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73575.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73597.rb",
 "line": 1
 },
- "id": "V-73575"
+ "id": "V-73597"
 },
 {
- "title": "The Create a token object user right must not be assigned to any\n groups or accounts.",
- "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Create a token object user right allows a process to create an\n access token. This could be used to provide elevated rights and compromise a\n system.",
+ "title": "The Windows Remote Management (WinRM) service must not allow\n unencrypted traffic.",
+ "desc": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Create a token object user right allows a process to create an\n access token. This could be used to provide elevated rights and compromise a\n system.",
- "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Create a token object user right,\n this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for application accounts with this user right must be protected as\n highly privileged accounts.",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create a token object to be defined but containing no entries (blank)."
+ "default": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)",
+ "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Allow unencrypted traffic to Disabled."
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-73747",
- "rid": "SV-88411r1_rule",
- "stig_id": "WN16-UR-000090",
- "fix_id": "F-80197r1_fix",
+ "gtitle": "SRG-OS-000393-GPOS-00173",
+ "satisfies": [
+ "SRG-OS-000393-GPOS-00173",
+ "SRG-OS-000394-GPOS-00174"
+ ],
+ "gid": "V-73601",
+ "rid": "SV-88265r1_rule",
+ "stig_id": "WN16-CC-000540",
+ "fix_id": "F-80051r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-002890",
+ "CCI-003123"
 ],
 "nist": [
- "AC-6 (10)",
+ "MA-4 (6)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73747' do\n title \"The Create a token object user right must not be assigned to any\n groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Create a token object user right allows a process to create an\n access token. 
This could be used to provide elevated rights and compromise a\n system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73747'\n tag \"rid\": 'SV-88411r1_rule'\n tag \"stig_id\": 'WN16-UR-000090'\n tag \"fix_id\": 'F-80197r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Create a token object user right,\n this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for application accounts with this user right must be protected as\n highly privileged accounts.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create a token object to be defined but containing no entries (blank).\"\n describe security_policy do\n its('SeCreateTokenPrivilege') { should eq [] }\n end\nend\n",
+ "code": "control 'V-73601' do\n title \"The Windows Remote Management (WinRM) service must not allow\n unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000393-GPOS-00173'\n tag \"satisfies\": ['SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174']\n tag \"gid\": 'V-73601'\n tag \"rid\": 'SV-88265r1_rule'\n tag \"stig_id\": 'WN16-CC-000540'\n tag \"fix_id\": 'F-80051r1_fix'\n tag \"cci\": ['CCI-002890', 'CCI-003123']\n tag \"nist\": ['MA-4 (6)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Allow unencrypted traffic to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp 0 }\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73747.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73601.rb",
 "line": 1
 },
- "id": "V-73747"
+ "id": "V-73601"
 },
 {
- "title": "The Manage auditing and security log user right must only be assigned\n to the Administrators group.",
- "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Manage auditing and security log user right can\n manage the security log and change auditing configurations. 
This could be used\n to clear evidence of tampering.",
+ "title": "Windows Server 2016 must be configured to audit System - Security\n System Extension successes.",
+ "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Manage auditing and security log user right can\n manage the security log and change auditing configurations. 
This could be used\n to clear evidence of tampering.",
- "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Manage\n auditing and security log user right, this is a finding.\n\n - Administrators\n\n If the organization has an Auditors group, the assignment of this group to the\n user right would not be a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Manage auditing and security log to include only the following accounts or\n groups:\n\n - Administrators"
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.",
+ "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Security System Extension - Success",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit Security System Extension with\n Success selected." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000057-GPOS-00027",
+ "gtitle": "SRG-OS-000327-GPOS-00127",
 "satisfies": [
- "SRG-OS-000057-GPOS-00027",
- "SRG-OS-000058-GPOS-00028",
- "SRG-OS-000059-GPOS-00029",
- "SRG-OS-000063-GPOS-00032",
- "SRG-OS-000337-GPOS-00129"
+ "SRG-OS-000327-GPOS-00127",
+ "SRG-OS-000458-GPOS-00203",
+ "SRG-OS-000463-GPOS-00207",
+ "SRG-OS-000468-GPOS-00212"
 ],
- "gid": "V-73793",
- "rid": "SV-88457r1_rule",
- "stig_id": "WN16-UR-000260",
- "fix_id": "F-80243r1_fix",
+ "gid": "V-73483",
+ "rid": "SV-88135r1_rule",
+ "stig_id": "WN16-AU-000420",
+ "fix_id": "F-79925r1_fix",
 "cci": [
- "CCI-000162",
- "CCI-000163",
- "CCI-000164",
- "CCI-000171",
- "CCI-001914"
+ "CCI-000172",
+ "CCI-002234"
 ],
 "nist": [
- "AU-9",
- "AU-9 (1)",
- "AU-12 b",
- "AU-12 (3)",
+ "AU-12 c",
+ "AC-6 (9)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73793' do\n title \"The Manage auditing and security log user right must only be assigned\n to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Manage auditing and security log user right can\n manage the security log and change auditing configurations. 
This could be used\n to clear evidence of tampering.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028',\n 'SRG-OS-000059-GPOS-00029', 'SRG-OS-000063-GPOS-00032',\n 'SRG-OS-000337-GPOS-00129']\n tag \"gid\": 'V-73793'\n tag \"rid\": 'SV-88457r1_rule'\n tag \"stig_id\": 'WN16-UR-000260'\n tag \"fix_id\": 'F-80243r1_fix'\n tag \"cci\": ['CCI-000162', 'CCI-000163', 'CCI-000164', 'CCI-000171',\n 'CCI-001914']\n tag \"nist\": ['AU-9', 'AU-9 (1)', 'AU-12 b', 'AU-12 (3)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Manage\n auditing and security log user right, this is a finding.\n\n - Administrators\n\n If the organization has an Auditors group, the assignment of this group to the\n user right would not be a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Manage auditing and security log to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeSecurityPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeSecurityPrivilege') { should eq [] }\n end\n end\nend\n", + 
"code": "control 'V-73483' do\n title \"Windows Server 2016 must be configured to audit System - Security\n System Extension successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73483'\n tag \"rid\": 'SV-88135r1_rule'\n tag \"stig_id\": 'WN16-AU-000420'\n tag \"fix_id\": 'F-79925r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Security System Extension - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit Security System Extension with\n 
Success selected.\"\n describe.one do\n describe audit_policy do\n its('Security System Extension') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security System Extension') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security System Extension'\") do\n its('stdout') { should match /Security System Extension Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security System Extension'\") do\n its('stdout') { should match /Security System Extension Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73793.rb", + "ref": "./Windows 2016 STIG/controls/V-73483.rb", "line": 1 }, - "id": "V-73793" + "id": "V-73483" }, { - "title": "Administrative accounts must not be used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as\n email.", - "desc": "Using applications that access the Internet or have potential Internet\n sources using administrative privileges exposes a system to compromise. If a\n flaw in an application is exploited while running as a privileged user, the\n entire system could be compromised. Web browsers and email are common attack\n vectors for introducing malicious code and must not be run with an\n administrative account.\n\n Since administrative accounts may generally change or work around technical\n restrictions for running a web browser or other applications, it is essential\n that the policy require administrative accounts to not access the Internet or use\n applications such as email.\n\n The policy should define specific exceptions for local service\n administration. 
These exceptions may include HTTP(S)-based tools that are used\n for the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.", + "title": "The screen saver must be password protected.", + "desc": "Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", "descriptions": { - "default": "Using applications that access the Internet or have potential Internet\n sources using administrative privileges exposes a system to compromise. If a\n flaw in an application is exploited while running as a privileged user, the\n entire system could be compromised. Web browsers and email are common attack\n vectors for introducing malicious code and must not be run with an\n administrative account.\n\n Since administrative accounts may generally change or work around technical\n restrictions for running a web browser or other applications, it is essential\n that the policy require administrative accounts to not access the Internet or use\n applications such as email.\n\n The policy should define specific exceptions for local service\n administration. 
These exceptions may include HTTP(S)-based tools that are used\n for the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.", - "check": "Determine whether organization policy, at a minimum, prohibits\n administrative accounts from using applications that access the Internet, such\n as web browsers, or with potential Internet sources, such as email, except as\n necessary for local service administration.\n\n If it does not, this is a finding.\n\n The organization may use technical means such as whitelisting to prevent the\n use of browsers and mail applications to enforce this requirement.", - "fix": "Establish a policy, at minimum, to prohibit administrative\n accounts from using applications that access the Internet, such as web\n browsers, or with potential Internet sources, such as email. Ensure the policy\n is enforced.\n\n The organization may use technical means such as whitelisting to prevent the\n use of browsers and mail applications to enforce this requirement." + "default": "Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Control\n Panel\\Desktop\\\n\n Value Name: ScreenSaverIsSecure\n\n Type: REG_SZ\n Value: 1", + "fix": "Configure the policy value for User Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Password\n protect the screen saver to Enabled." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73225", - "rid": "SV-87877r1_rule", - "stig_id": "WN16-00-000040", - "fix_id": "F-79669r1_fix", + "gtitle": "SRG-OS-000028-GPOS-00009", + "gid": "V-73725", + "rid": "SV-88389r1_rule", + "stig_id": "WN16-UC-000020", + "fix_id": "F-80175r1_fix", "cci": [ - "CCI-000366" + "CCI-000056" ], "nist": [ - "CM-6 b", + "AC-11 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73225' do\n title \"Administrative accounts must not be used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as\n email.\"\n desc \"Using applications that access the Internet or have potential Internet\n sources using administrative privileges exposes a system to compromise. If a\n flaw in an application is exploited while running as a privileged user, the\n entire system could be compromised. Web browsers and email are common attack\n vectors for introducing malicious code and must not be run with an\n administrative account.\n\n Since administrative accounts may generally change or work around technical\n restrictions for running a web browser or other applications, it is essential\n that the policy require administrative accounts to not access the Internet or use\n applications such as email.\n\n The policy should define specific exceptions for local service\n administration. 
These exceptions may include HTTP(S)-based tools that are used\n for the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73225'\n tag \"rid\": 'SV-87877r1_rule'\n tag \"stig_id\": 'WN16-00-000040'\n tag \"fix_id\": 'F-79669r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine whether organization policy, at a minimum, prohibits\n administrative accounts from using applications that access the Internet, such\n as web browsers, or with potential Internet sources, such as email, except as\n necessary for local service administration.\n\n If it does not, this is a finding.\n\n The organization may use technical means such as whitelisting to prevent the\n use of browsers and mail applications to enforce this requirement.\"\n desc \"fix\", \"Establish a policy, at minimum, to prohibit administrative\n accounts from using applications that access the Internet, such as web\n browsers, or with potential Internet sources, such as email. 
Ensure the policy\n is enforced.\n\n The organization may use technical means such as whitelisting to prevent the\n use of browsers and mail applications to enforce this requirement.\"\n describe \"A manual review is required to verify that administrative accounts are not being used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as email\" do\n skip \"A manual review is required to verify that administrative accounts are not being used with applications that access\n the Internet, such as web browsers, or with potential Internet sources, such as email\"\n end\nend\n", + "code": "control 'V-73725' do\n title 'The screen saver must be password protected.'\n desc \"Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000028-GPOS-00009'\n tag \"gid\": 'V-73725'\n tag \"rid\": 'SV-88389r1_rule'\n tag \"stig_id\": 'WN16-UC-000020'\n tag \"fix_id\": 'F-80175r1_fix'\n tag \"cci\": ['CCI-000056']\n tag \"nist\": ['AC-11 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control\n Panel\\\\Desktop\\\\\n\n Value Name: ScreenSaverIsSecure\n\n Type: REG_SZ\n Value: 1\"\n desc \"fix\", \"Configure the policy value for User Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Password\n protect the screen saver to Enabled.\"\n describe registry_key(\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Control\n Panel\\\\Desktop\") do\n it { should have_property 
'ScreenSaverIsSecure' }\n its('ScreenSaverIsSecure') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73225.rb", + "ref": "./Windows 2016 STIG/controls/V-73725.rb", "line": 1 }, - "id": "V-73225" + "id": "V-73725" }, { - "title": "Windows Server 2016 must be configured to audit Privilege Use -\n Sensitive Privilege Use failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.", + "title": "The Impersonate a client after authentication user right must only be\n assigned to Administrators, Service, Local Service, and Network Service.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Impersonate a client after authentication user right allows a\n program to impersonate another user or account to run on their behalf. An\n attacker could use this to elevate privileges.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with\n Failure selected." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Impersonate a client after authentication user right allows a\n program to impersonate another user or account to run on their behalf. 
An\n attacker could use this to elevate privileges.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n Impersonate a client after authentication user right, this is a finding.\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Impersonate a client after authentication to include only the following\n accounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73785", + "rid": "SV-88449r1_rule", + "stig_id": "WN16-UR-000220", + "fix_id": "F-80235r1_fix", + "cci": [ + "CCI-002235" ], - "gid": "V-73471", - "rid": "SV-88123r1_rule", - "stig_id": "WN16-AU-000360", - "fix_id": "F-79913r1_fix", + "nist": [ + "AC-6 (10)", + "Rev_4" + ], + "documentable": false + }, + "code": "control 'V-73785' do\n title \"The Impersonate a client after authentication user right must only be\n assigned to Administrators, Service, Local Service, and Network Service.\"\n desc 
\"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Impersonate a client after authentication user right allows a\n program to impersonate another user or account to run on their behalf. An\n attacker could use this to elevate privileges.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73785'\n tag \"rid\": 'SV-88449r1_rule'\n tag \"stig_id\": 'WN16-UR-000220'\n tag \"fix_id\": 'F-80235r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n Impersonate a client after authentication user right, this is a finding.\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Impersonate a client after authentication to include only the following\n accounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\"\n describe security_policy do\n its('SeImpersonatePrivilege') { should be_in ['S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'] }\n end\nend\n", + "source_location": { + "ref": "./Windows 2016 
STIG/controls/V-73785.rb", + "line": 1 + }, + "id": "V-73785" + }, + { + "title": "The Windows Remote Management (WinRM) client must not use Basic\n authentication.", + "desc": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.", + "descriptions": { + "default": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Allow Basic authentication to Disabled." + }, + "impact": 0.7, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000125-GPOS-00065", + "gid": "V-73593", + "rid": "SV-88257r1_rule", + "stig_id": "WN16-CC-000500", + "fix_id": "F-80043r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000877" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "MA-4 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73471' do\n title \"Windows Server 2016 must be configured to audit Privilege Use -\n Sensitive Privilege Use failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73471'\n tag \"rid\": 'SV-88123r1_rule'\n tag \"stig_id\": 'WN16-AU-000360'\n tag \"fix_id\": 'F-79913r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with\n Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Sensitive 
Privilege Use'\") do\n its('stdout') { should match /Sensitive Privilege Use Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Sensitive Privilege Use'\") do\n its('stdout') { should match /Sensitive Privilege Use Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73593' do\n title \"The Windows Remote Management (WinRM) client must not use Basic\n authentication.\"\n desc \"Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000125-GPOS-00065'\n tag \"gid\": 'V-73593'\n tag \"rid\": 'SV-88257r1_rule'\n tag \"stig_id\": 'WN16-CC-000500'\n tag \"fix_id\": 'F-80043r1_fix'\n tag \"cci\": ['CCI-000877']\n tag \"nist\": ['MA-4 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Allow Basic authentication to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73471.rb", + "ref": "./Windows 2016 STIG/controls/V-73593.rb", "line": 1 }, - "id": "V-73471" + "id": "V-73593" }, { - "title": "The Kerberos user ticket lifetime must be limited to 10 hours or less.", - "desc": "In Kerberos, there are two types of tickets: Ticket Granting Tickets\n (TGTs) and Service Tickets. 
Kerberos tickets have a limited lifetime so the\n time an attacker has to implement an attack is limited. This policy controls\n how long TGTs can be renewed. With Kerberos, the user's initial authentication\n to the domain controller results in a TGT, which is then used to request\n Service Tickets to resources. Upon startup, each computer gets a TGT before\n requesting a service ticket to the domain controller and any other computers it\n needs to access. For services that start up under a specified user account,\n users must always get a TGT first and then get Service Tickets to all computers\n and services accessed.", + "title": "Domain-joined systems must have a Trusted Platform Module (TPM)\n enabled and ready for use.", + "desc": "Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. A number of\n system requirements must be met in order for Credential Guard to be configured\n and enabled properly. Without a TPM enabled and ready for use, Credential Guard\n keys are stored in a less secure method using software.", "descriptions": { - "default": "In Kerberos, there are two types of tickets: Ticket Granting Tickets\n (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the\n time an attacker has to implement an attack is limited. This policy controls\n how long TGTs can be renewed. With Kerberos, the user's initial authentication\n to the domain controller results in a TGT, which is then used to request\n Service Tickets to resources. Upon startup, each computer gets a TGT before\n requesting a service ticket to the domain controller and any other computers it\n needs to access. For services that start up under a specified user account,\n users must always get a TGT first and then get Service Tickets to all computers\n and services accessed.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the value for Maximum lifetime for user ticket is 0 or greater than\n 10 hours, this is a finding.", - "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for user ticket to\n a maximum of 10 hours but not 0, which equates to Ticket doesn't\n expire." + "default": "Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. A number of\n system requirements must be met in order for Credential Guard to be configured\n and enabled properly. 
Without a TPM enabled and ready for use, Credential Guard\n keys are stored in a less secure method using software.", + "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Verify the system has a TPM and it is ready for use.\n\n Run tpm.msc.\n\n Review the sections in the center pane.\n\n Status must indicate it has been configured with a message such as The\n TPM is ready for use or The TPM is on and ownership has been taken.\n\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.", + "fix": "Ensure domain-joined systems have a TPM that is configured for\n use. (Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n\n Run tpm.msc for configuration options in Windows." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000112-GPOS-00057", - "satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73237", + "rid": "SV-87889r1_rule", + "stig_id": "WN16-00-000100", + "fix_id": "F-79681r1_fix", + "cci": [ + "CCI-000366" ], - "gid": "V-73363", - "rid": "SV-88015r1_rule", - "stig_id": "WN16-DC-000040", - "fix_id": "F-79805r1_fix", + "nist": [ + "CM-6 b", + "Rev_4" + ], + "documentable": false + }, + "code": "control 'V-73237' do\n title \"Domain-joined systems must have a Trusted Platform Module (TPM)\n enabled and ready for use.\"\n desc \"Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. 
A number of\n system requirements must be met in order for Credential Guard to be configured\n and enabled properly. Without a TPM enabled and ready for use, Credential Guard\n keys are stored in a less secure method using software.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73237'\n tag \"rid\": 'SV-87889r1_rule'\n tag \"stig_id\": 'WN16-00-000100'\n tag \"fix_id\": 'F-79681r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Verify the system has a TPM and it is ready for use.\n\n Run tpm.msc.\n\n Review the sections in the center pane.\n\n Status must indicate it has been configured with a message such as The\n TPM is ready for use or The TPM is on and ownership has been taken.\n\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.\"\n desc \"fix\", \"Ensure domain-joined systems have a TPM that is configured for\n use. 
(Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n\n Run tpm.msc for configuration options in Windows.\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n desc 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems'\n end\n\n if is_domain != 'WORKGROUP'\n tpm_ready = command('Get-Tpm | select -expand TpmReady').stdout.strip\n tpm_present = command('Get-Tpm | select -expand TpmPresent').stdout.strip\n describe 'Trusted Platform Module (TPM) TpmReady' do\n subject { tpm_ready }\n it { should eq 'True' }\n end\n describe 'Trusted Platform Module (TPM) TpmPresent' do\n subject { tpm_present }\n it { should eq 'True' }\n end\n end\nend\n", + "source_location": { + "ref": "./Windows 2016 STIG/controls/V-73237.rb", + "line": 1 + }, + "id": "V-73237" + }, + { + "title": "Data files owned by users must be on a different logical partition\n from the directory server data files.", + "desc": "When directory service data files, especially for directories used for\n identification, authentication, or authorization, reside on the same logical\n partition as user-owned files, the directory service data may be more\n vulnerable to unauthorized access or other availability compromises. 
Directory\n service and user-owned data files sharing a partition may be configured with\n less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when\n user-owned files on a common partition are expanded to an extent preventing the\n directory service from acquiring more space for directory or audit data.", + "descriptions": { + "default": "When directory service data files, especially for directories used for\n identification, authentication, or authorization, reside on the same logical\n partition as user-owned files, the directory service data may be more\n vulnerable to unauthorized access or other availability compromises. Directory\n service and user-owned data files sharing a partition may be configured with\n less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when\n user-owned files on a common partition are expanded to an extent preventing the\n directory service from acquiring more space for directory or audit data.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Run Regedit.\n\n Navigate to\n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters.\n\n Note the directory locations in the values for DSA Database file.\n\n Open Command Prompt.\n\n Enter net share.\n\n Note the logical drive(s) or file system partition for any organization-created\n data shares.\n\n Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending\n in $). User shares that are hidden (ending with $) should not be ignored.\n\n If user shares are located on the same logical partition as the directory\n server data files, this is a finding.", + "fix": "Move shares used to store files owned by users to a different\n logical partition than the directory server data files." 
+ }, + "impact": 0, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-73379", + "rid": "SV-88031r1_rule", + "stig_id": "WN16-DC-000120", + "fix_id": "F-79821r1_fix", "cci": [ - "CCI-001941", - "CCI-001942" + "CCI-001090" ], "nist": [ - "IA-2 (8)", - "IA-2 (9)", + "SC-4", "Rev_4" ], "documentable": false }, - "code": "control 'V-73363' do\n title 'The Kerberos user ticket lifetime must be limited to 10 hours or less.'\n desc \"In Kerberos, there are two types of tickets: Ticket Granting Tickets\n (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the\n time an attacker has to implement an attack is limited. This policy controls\n how long TGTs can be renewed. With Kerberos, the user's initial authentication\n to the domain controller results in a TGT, which is then used to request\n Service Tickets to resources. Upon startup, each computer gets a TGT before\n requesting a service ticket to the domain controller and any other computers it\n needs to access. For services that start up under a specified user account,\n users must always get a TGT first and then get Service Tickets to all computers\n and services accessed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73363'\n tag \"rid\": 'SV-88015r1_rule'\n tag \"stig_id\": 'WN16-DC-000040'\n tag \"fix_id\": 'F-79805r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the value for Maximum lifetime for user ticket is 0 or greater than\n 10 hours, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for user ticket to\n a maximum of 10 hours but not 0, which equates to Ticket doesn't\n expire.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('MaxTicketAge') { should be > 0 }\n end\n describe security_policy do\n its('MaxTicketAge') { should be <= 10 }\n end\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73379' do\n title \"Data files owned by users must be on a different logical partition\n from the directory server data files.\"\n desc \"When directory service data files, especially for directories used for\n identification, authentication, or authorization, reside on the same logical\n partition as user-owned files, the directory service data may be more\n vulnerable to unauthorized access or other availability compromises. 
Directory\n service and user-owned data files sharing a partition may be configured with\n less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when\n user-owned files on a common partition are expanded to an extent preventing the\n directory service from acquiring more space for directory or audit data.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73379'\n tag \"rid\": 'SV-88031r1_rule'\n tag \"stig_id\": 'WN16-DC-000120'\n tag \"fix_id\": 'F-79821r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Run Regedit.\n\n Navigate to\n HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters.\n\n Note the directory locations in the values for DSA Database file.\n\n Open Command Prompt.\n\n Enter net share.\n\n Note the logical drive(s) or file system partition for any organization-created\n data shares.\n\n Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending\n in $). 
User shares that are hidden (ending with $) should not be ignored.\n\n If user shares are located on the same logical partition as the directory\n server data files, this is a finding.\"\n desc \"fix\", \"Move shares used to store files owned by users to a different\n logical partition than the directory server data files.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n get_registry_value = command(\"Get-ItemProperty -Path 'HKLM:\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters' | Findstr /c:'DSA Database file'\").stdout.strip\n database_file = get_registry_value[51..80]\n share_names = []\n share_paths = []\n get = command('Get-WMIObject -Query \"SELECT * FROM Win32_Share\" | Findstr /V \"Name --\"').stdout.strip.split(\"\\n\")\n \n get.each do |share|\n loc_space = share.index(' ')\n \n names = share[0..loc_space-1]\n if names != 'C$' && names != 'ADMIN$' && names != 'SYSVOL'\n share_names.push(names)\n path = share[9..50]\n share_paths.push(path)\n end\n end\n share_paths.each do |paths|\n describe \"The share path #{paths}\" do\n subject { paths }\n it { should_not eq database_file }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73363.rb", + "ref": "./Windows 2016 STIG/controls/V-73379.rb", "line": 1 }, - "id": "V-73363" + "id": "V-73379" }, { - "title": "The computer account password must not be prevented from being reset.", - "desc": "Computer account passwords are changed automatically on a regular\n basis. 
Disabling automatic password changes can make the system more vulnerable\n to malicious access. Frequent password changes can be a significant safeguard\n for the system. A new password for the computer account will be generated every\n 30 days.", + "title": "Local drives must be prevented from sharing with Remote Desktop\n Session Hosts.", + "desc": "Preventing users from sharing the local drives on their client\n computers with Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.", "descriptions": { - "default": "Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more vulnerable\n to malicious access. Frequent password changes can be a significant safeguard\n for the system. A new password for the computer account will be generated every\n 30 days.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Disable machine account password changes to Disabled." 
+ "default": "Preventing users from sharing the local drives on their client\n computers with Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fDisableCdm\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Device and Resource Redirection >> \"Do not\n allow drive redirection to Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000379-GPOS-00164", - "gid": "V-73639", - "rid": "SV-88303r1_rule", - "stig_id": "WN16-SO-000110", - "fix_id": "F-80089r1_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-73569", + "rid": "SV-88233r1_rule", + "stig_id": "WN16-CC-000380", + "fix_id": "F-80019r1_fix", "cci": [ - "CCI-001967" + "CCI-001090" ], "nist": [ - "IA-3 (1)", + "SC-4", "Rev_4" ], "documentable": false }, - "code": "control 'V-73639' do\n title 'The computer account password must not be prevented from being reset.'\n desc \"Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more vulnerable\n to malicious access. Frequent password changes can be a significant safeguard\n for the system. 
A new password for the computer account will be generated every\n 30 days.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000379-GPOS-00164'\n tag \"gid\": 'V-73639'\n tag \"rid\": 'SV-88303r1_rule'\n tag \"stig_id\": 'WN16-SO-000110'\n tag \"fix_id\": 'F-80089r1_fix'\n tag \"cci\": ['CCI-001967']\n tag \"nist\": ['IA-3 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Disable machine account password changes to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'DisablePasswordChange' }\n its('DisablePasswordChange') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73569' do\n title \"Local drives must be prevented from sharing with Remote Desktop\n Session Hosts.\"\n desc \"Preventing users from sharing the local drives on their client\n computers with Remote Session Hosts that they access helps reduce possible\n exposure of sensitive data.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73569'\n tag \"rid\": 'SV-88233r1_rule'\n tag \"stig_id\": 'WN16-CC-000380'\n tag \"fix_id\": 'F-80019r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal 
Services\\\\\n\n Value Name: fDisableCdm\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Device and Resource Redirection >> \\\"Do not\n allow drive redirection to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fDisableCdm' }\n its('fDisableCdm') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73639.rb", + "ref": "./Windows 2016 STIG/controls/V-73569.rb", "line": 1 }, - "id": "V-73639" + "id": "V-73569" }, { - "title": "The Deny log on through Remote Desktop Services user right on member\n servers must be configured to prevent access from highly privileged domain\n accounts and all local accounts on domain systems and from unauthenticated\n access on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "The Deny log on through Remote Desktop Services user right on domain\n controllers must be configured to prevent unauthenticated access.", + "desc": "Inappropriate granting of user 
rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n through Remote Desktop Services user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n Note: Local account is referring to the Windows built-in security group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on through Remote Desktop Services to include the following:\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group \n\n Note: Local account is referring to the Windows built-in security group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "check": "This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n through Remote Desktop Services user right, this is a finding.\n\n - Guests Group", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on through Remote Desktop Services to include the following:\n\n - Guests Group" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "gtitle": "SRG-OS-000297-GPOS-00115", - "gid": "V-73775", - "rid": "SV-88439r1_rule", - "stig_id": "WN16-MS-000410", - "fix_id": "F-80225r1_fix", + "gid": "V-73773", + "rid": "SV-88437r1_rule", + "stig_id": "WN16-DC-000410", + "fix_id": "F-80223r1_fix", "cci": [ "CCI-002314" ], 
@@ -4494,314 +4523,351 @@ ], "documentable": false }, - "code": "control 'V-73775' do\n title \"The Deny log on through Remote Desktop Services user right on member\n servers must be configured to prevent access from highly privileged domain\n accounts and all local accounts on domain systems and from unauthenticated\n access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000297-GPOS-00115'\n tag \"gid\": 'V-73775'\n tag \"rid\": 'SV-88439r1_rule'\n tag \"stig_id\": 'WN16-MS-000410'\n tag \"fix_id\": 'F-80225r1_fix'\n tag \"cci\": ['CCI-002314']\n tag \"nist\": ['AC-17 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n through Remote Desktop Services user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n Note: Local account is referring to the Windows built-in security group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on through Remote Desktop Services to include the following:\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group \n\n Note: Local account is referring to the Windows built-in security group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\"\n\n is_AD_only_system = input('is_AD_only_system')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore 
this control is not applicable as it only applies to member servers and standalone systems'\n end\n elsif is_AD_only_system\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n else\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include 'S-1-5-32-546' }\n end\n if domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: enterprise_admin_sid_query).params\n\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n\n describe.one do\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"S-1-5-113\" }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"S-1-5-114\" }\n end\n end\n end\n end\nend", + "code": "control 'V-73773' do\n title \"The Deny log on through Remote Desktop Services user right on domain\n controllers must be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right 
defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000297-GPOS-00115'\n tag \"gid\": 'V-73773'\n tag \"rid\": 'SV-88437r1_rule'\n tag \"stig_id\": 'WN16-DC-000410'\n tag \"fix_id\": 'F-80223r1_fix'\n tag \"cci\": ['CCI-002314']\n tag \"nist\": ['AC-17 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n through Remote Desktop Services user right, this is a finding.\n\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on through Remote Desktop Services to include the following:\n\n - Guests Group\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": 
"./Windows 2016 STIG/controls/V-73775.rb", + "ref": "./Windows 2016 STIG/controls/V-73773.rb", "line": 1 }, - "id": "V-73775" + "id": "V-73773" }, { - "title": "Windows Server 2016 must be configured to audit Account Management -\n User Account Management failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", + "title": "Indexing of encrypted files must be turned off.", + "desc": "Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit User Account Management with\n Failure selected." + "default": "Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Search >> Allow indexing of\n encrypted files to Disabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000004-GPOS-00004", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73581", + "rid": "SV-88245r1_rule", + "stig_id": "WN16-CC-000440", + "fix_id": "F-80031r1_fix", + "cci": [ + "CCI-000381" + ], + "nist": [ + "CM-7 a", + "Rev_4" + ], + "documentable": false + }, + "code": "control 'V-73581' do\n title 'Indexing of encrypted files must be turned off.'\n desc \"Indexing of encrypted files may expose sensitive data. This setting\n prevents encrypted files from being indexed.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73581'\n tag \"rid\": 'SV-88245r1_rule'\n tag \"stig_id\": 'WN16-CC-000440'\n tag \"fix_id\": 'F-80031r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Windows Search\\\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Search >> Allow indexing of\n encrypted files to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Windows Search') do\n it { should have_property 'AllowIndexingEncryptedStoresOrItems' }\n its('AllowIndexingEncryptedStoresOrItems') { should cmp 0 }\n end\nend\n", + "source_location": { + "ref": "./Windows 2016 STIG/controls/V-73581.rb", + "line": 1 + }, + "id": "V-73581" + }, + { + "title": "Permissions for the System event log must prevent access by\n non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze 
compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.", + "descriptions": { + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.", + "check": "Navigate to the System event log file.\n\n The default location is the %SystemRoot%\\System32\\winevt\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the System.evtx file are not as restrictive as the\n default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", + "fix": "Configure the permissions on the System event log file\n (System.evtx) to prevent access by non-privileged accounts. The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the %SystemRoot%\\ System32\\winevt\\Logs folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as NT Service\\Eventlog." 
+ }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000057-GPOS-00027", "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000476-GPOS-00221" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" ], - "gid": "V-73429", - "rid": "SV-88081r1_rule", - "stig_id": "WN16-AU-000150", - "fix_id": "F-79871r1_fix", + "gid": "V-73409", + "rid": "SV-88061r1_rule", + "stig_id": "WN16-AU-000050", + "fix_id": "F-79851r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "AC-2 (4)", - "AU-12 c", + "AU-9", "Rev_4" ], "documentable": false }, - "code": "control 'V-73429' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n User Account Management failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000004-GPOS-00004'\n tag \"satisfies\": ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',\n 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',\n 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag \"gid\": 'V-73429'\n tag \"rid\": 'SV-88081r1_rule'\n tag \"stig_id\": 'WN16-AU-000150'\n tag \"fix_id\": 'F-79871r1_fix'\n tag \"cci\": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',\n 'CCI-001405', 'CCI-002130']\n tag \"nist\": ['AC-2 (4)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit User Account Management with\n Failure selected.\"\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Failure' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 
'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'User Account Management'\") do\n its('stdout') { should match /User Account Management Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'User Account Management'\") do\n its('stdout') { should match /User Account Management Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73409' do\n title \"Permissions for the System event log must prevent access by\n non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028',\n 'SRG-OS-000059-GPOS-00029']\n tag \"gid\": 'V-73409'\n tag \"rid\": 'SV-88061r1_rule'\n tag \"stig_id\": 'WN16-AU-000050'\n tag \"fix_id\": 'F-79851r1_fix'\n tag \"cci\": ['CCI-000162', 'CCI-000163', 'CCI-000164']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Navigate to the System event log file.\n\n The default location is the %SystemRoot%\\\\System32\\\\winevt\\\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the System.evtx file are not as restrictive as the\n default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc \"fix\", \"Configure the permissions on the System event log file\n (System.evtx) to prevent access by non-privileged accounts. 
The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the %SystemRoot%\\\\ System32\\\\winevt\\\\Logs folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as NT Service\\\\Eventlog.\"\n system_root = command('$env:SystemRoot').stdout.strip\n\n describe file(\"#{system_root}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\System.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73429.rb", + "ref": "./Windows 2016 STIG/controls/V-73409.rb", "line": 1 }, - "id": "V-73429" + "id": "V-73409" }, { - "title": "A screen saver must be enabled on the system.", - "desc": "Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", + "title": "Local users on domain-joined computers must not be enumerated.", + "desc": "The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.", "descriptions": { - "default": "Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. 
Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Control\n Panel\\Desktop\\\n\n Value Name: ScreenSaveActive\n\n Type: REG_SZ\n Value: 1\n\n Applications requiring continuous, real-time screen display (e.g., network\n management products) require the following and must be documented with the ISSO:\n\n - The logon session does not have administrator rights.\n - The display station (e.g., keyboard, monitor, etc.) is located in a\n controlled access area.", - "fix": "Configure the policy value for User Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Enable screen\n saver to Enabled." + "default": "The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.", + "check": "This applies to member servers. For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnumerateLocalUsers\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> Enumerate local users on\n domain-joined computers to Disabled." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000031-GPOS-00012", - "gid": "V-73723", - "rid": "SV-88387r1_rule", - "stig_id": "WN16-UC-000010", - "fix_id": "F-80173r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73533", + "rid": "SV-88187r1_rule", + "stig_id": "WN16-MS-000030", + "fix_id": "F-79975r1_fix", "cci": [ - "CCI-000060" + "CCI-000381" ], "nist": [ - "AC-11 (1)", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73723' do\n title 'A screen saver must be enabled on the system.'\n desc \"Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000031-GPOS-00012'\n tag \"gid\": 'V-73723'\n tag \"rid\": 'SV-88387r1_rule'\n tag \"stig_id\": 'WN16-UC-000010'\n tag \"fix_id\": 'F-80173r1_fix'\n tag \"cci\": ['CCI-000060']\n tag \"nist\": ['AC-11 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control\n Panel\\\\Desktop\\\\\n\n Value Name: ScreenSaveActive\n\n Type: REG_SZ\n Value: 1\n\n Applications requiring continuous, real-time screen display (e.g., network\n management products) require the following and must be documented with the ISSO:\n\n - The logon session does not have administrator rights.\n - The display station (e.g., keyboard, monitor, etc.) 
is located in a\n controlled access area.\"\n desc \"fix\", \"Configure the policy value for User Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Enable screen\n saver to Enabled.\"\n describe registry_key(\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Control\n Panel\\\\Desktop\") do\n it { should have_property 'ScreenSaveActive' }\n its('ScreenSaveActive') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73533' do\n title 'Local users on domain-joined computers must not be enumerated.'\n desc \"The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73533'\n tag \"rid\": 'SV-88187r1_rule'\n tag \"stig_id\": 'WN16-MS-000030'\n tag \"fix_id\": 'F-79975r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers. 
For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnumerateLocalUsers\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> Enumerate local users on\n domain-joined computers to Disabled.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '3'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'EnumerateLocalUsers' }\n its('EnumerateLocalUsers') { should cmp 0 }\n end\n else\n impact 0.0\n describe 'This control is not applicable as it only applies to member servers' do\n skip 'This control is not applicable as it only applies to member servers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73723.rb", + "ref": "./Windows 2016 STIG/controls/V-73533.rb", "line": 1 }, - "id": "V-73723" + "id": "V-73533" }, { - "title": "AutoPlay must be turned off for non-volume devices.", - "desc": "Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon as media is inserted into the\n drive. As a result, the setup file of programs or music on audio media may\n start. 
This setting will disable AutoPlay for non-volume devices, such as Media\n Transfer Protocol (MTP) devices.", + "title": "The built-in Windows password complexity policy must be enabled.", + "desc": "The use of complex passwords increases their strength against attack.\n The built-in Windows password complexity policy requires passwords to contain\n at least three of the four types of characters (numbers, upper- and lower-case\n letters, and special characters) and prevents the inclusion of user names or\n parts of user names.", "descriptions": { - "default": "Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon as media is inserted into the\n drive. As a result, the setup file of programs or music on audio media may\n start. This setting will disable AutoPlay for non-volume devices, such as Media\n Transfer Protocol (MTP) devices.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoAutoplayfornonVolume\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >>\n Disallow Autoplay for non-volume devices to Enabled." 
+ "default": "The use of complex passwords increases their strength against attack.\n The built-in Windows password complexity policy requires passwords to contain\n at least three of the four types of characters (numbers, upper- and lower-case\n letters, and special characters) and prevents the inclusion of user names or\n parts of user names.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Password must meet complexity requirements is not set to\n Enabled, this is a finding.\n\n Note: If an external password filter is in use that enforces all four character\n types and requires this setting to be set to Disabled, this would not be\n considered a finding. If this setting does not affect the use of an external\n password filter, it must be enabled for fallback purposes.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Password must meet complexity requirements to Enabled." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-73545", - "rid": "SV-88209r1_rule", - "stig_id": "WN16-CC-000250", - "fix_id": "F-79991r1_fix", + "gtitle": "SRG-OS-000069-GPOS-00037", + "satisfies": [ + "SRG-OS-000069-GPOS-00037", + "SRG-OS-000070-GPOS-00038", + "SRG-OS-000071-GPOS-00039", + "SRG-OS-000266-GPOS-00101" + ], + "gid": "V-73323", + "rid": "SV-87975r1_rule", + "stig_id": "WN16-AC-000080", + "fix_id": "F-79765r1_fix", "cci": [ - "CCI-001764" + "CCI-000192", + "CCI-000193", + "CCI-000194", + "CCI-001619" ], "nist": [ - "CM-7 (2)", + "IA-5 (1) (a)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73545' do\n title 'AutoPlay must be turned off for non-volume devices.'\n desc \"Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon as media is inserted into the\n drive. As a result, the setup file of programs or music on audio media may\n start. This setting will disable AutoPlay for non-volume devices, such as Media\n Transfer Protocol (MTP) devices.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000368-GPOS-00154'\n tag \"gid\": 'V-73545'\n tag \"rid\": 'SV-88209r1_rule'\n tag \"stig_id\": 'WN16-CC-000250'\n tag \"fix_id\": 'F-79991r1_fix'\n tag \"cci\": ['CCI-001764']\n tag \"nist\": ['CM-7 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoAutoplayfornonVolume\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >>\n Disallow Autoplay for non-volume devices to Enabled.\"\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer') do\n it { should have_property 'NoAutoplayfornonVolume' }\n its('NoAutoplayfornonVolume') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73323' do\n title 'The built-in Windows password complexity policy must be enabled.'\n desc \"The use of complex passwords increases their strength against attack.\n The built-in Windows password complexity policy requires passwords to contain\n at least three of the four types of characters (numbers, upper- and lower-case\n letters, and special characters) and prevents the inclusion of user names or\n parts of user names.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000069-GPOS-00037'\n tag \"satisfies\": ['SRG-OS-000069-GPOS-00037', 'SRG-OS-000070-GPOS-00038',\n 'SRG-OS-000071-GPOS-00039', 'SRG-OS-000266-GPOS-00101']\n tag \"gid\": 'V-73323'\n tag \"rid\": 'SV-87975r1_rule'\n tag \"stig_id\": 'WN16-AC-000080'\n tag \"fix_id\": 'F-79765r1_fix'\n tag \"cci\": ['CCI-000192', 'CCI-000193', 'CCI-000194', 'CCI-001619']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Password must meet complexity requirements is not set to\n Enabled, this is a finding.\n\n Note: If an external password filter is in use that enforces all four character\n types and requires this setting to be set to Disabled, this would not be\n considered a finding. 
If this setting does not affect the use of an external\n password filter, it must be enabled for fallback purposes.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Password must meet complexity requirements to Enabled.\"\n describe security_policy do\n its('PasswordComplexity') { should eq 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73545.rb", + "ref": "./Windows 2016 STIG/controls/V-73323.rb", "line": 1 }, - "id": "V-73545" + "id": "V-73323" }, { - "title": "Basic authentication for RSS feeds over HTTP must not be used.", - "desc": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.", + "title": "The Manage auditing and security log user right must only be assigned\n to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Manage auditing and security log user right can\n manage the security log and change auditing configurations. This could be used\n to clear evidence of tampering.", "descriptions": { - "default": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. 
Disabling Basic authentication will reduce this potential.", - "check": "The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", - "fix": "The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >>\n Turn on Basic feed authentication over HTTP to Not Configured or\n Disabled." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Manage auditing and security log user right can\n manage the security log and change auditing configurations. 
This could be used\n to clear evidence of tampering.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Manage\n auditing and security log user right, this is a finding.\n\n - Administrators\n\n If the organization has an Auditors group, the assignment of this group to the\n user right would not be a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Manage auditing and security log to include only the following accounts or\n groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73579", - "rid": "SV-88243r1_rule", - "stig_id": "WN16-CC-000430", - "fix_id": "F-80029r1_fix", + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029", + "SRG-OS-000063-GPOS-00032", + "SRG-OS-000337-GPOS-00129" + ], + "gid": "V-73793", + "rid": "SV-88457r1_rule", + "stig_id": "WN16-UR-000260", + "fix_id": "F-80243r1_fix", "cci": [ - "CCI-000381" + "CCI-000162", + "CCI-000163", + "CCI-000164", + "CCI-000171", + "CCI-001914" ], "nist": [ - "CM-7 a", + "AU-9", + "AU-9 (1)", + "AU-12 b", + "AU-12 (3)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73579' do\n title 'Basic 
authentication for RSS feeds over HTTP must not be used.'\n desc \"Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73579'\n tag \"rid\": 'SV-88243r1_rule'\n tag \"stig_id\": 'WN16-CC-000430'\n tag \"fix_id\": 'F-80029r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >>\n Turn on Basic feed authentication over HTTP to Not Configured or\n Disabled.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds') do\n it { should_not have_property 'AllowBasicAuthInClear' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds') do\n its('AllowBasicAuthInClear') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-73793' do\n title \"The Manage auditing and security log user right must only be assigned\n to the Administrators 
group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Manage auditing and security log user right can\n manage the security log and change auditing configurations. This could be used\n to clear evidence of tampering.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028',\n 'SRG-OS-000059-GPOS-00029', 'SRG-OS-000063-GPOS-00032',\n 'SRG-OS-000337-GPOS-00129']\n tag \"gid\": 'V-73793'\n tag \"rid\": 'SV-88457r1_rule'\n tag \"stig_id\": 'WN16-UR-000260'\n tag \"fix_id\": 'F-80243r1_fix'\n tag \"cci\": ['CCI-000162', 'CCI-000163', 'CCI-000164', 'CCI-000171',\n 'CCI-001914']\n tag \"nist\": ['AU-9', 'AU-9 (1)', 'AU-12 b', 'AU-12 (3)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Manage\n auditing and security log user right, this is a finding.\n\n - Administrators\n\n If the organization has an Auditors group, the assignment of this group to the\n user right would not be a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Manage auditing and security log to include only the 
following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeSecurityPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeSecurityPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73579.rb", + "ref": "./Windows 2016 STIG/controls/V-73793.rb", "line": 1 }, - "id": "V-73579" + "id": "V-73793" }, { - "title": "Audit records must be backed up to a different system or media than\n the system being audited.", - "desc": "Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.", + "title": "The LAN Manager authentication level must be set to send NTLMv2\n response only and to refuse LM and NTLM.", + "desc": "The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n standalone computers that are running later versions.", "descriptions": { - "default": "Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.", - "check": "Determine if a process to back up log data to a different\n system or media than the system being audited has been implemented.\n\n If it has not, this is a finding.", - "fix": "Establish and implement a process for backing up log data to\n another system or media other than the system being audited." 
+ "default": "The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. It is also used to authenticate logons to\n standalone computers that are running later versions.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 0x00000005 (5)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: LAN Manager authentication level to Send NTLMv2\n response only. Refuse LM & NTLM." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000342-GPOS-00133", - "gid": "V-73401", - "rid": "SV-88053r1_rule", - "stig_id": "WN16-AU-000010", - "fix_id": "F-79843r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73691", + "rid": "SV-88355r1_rule", + "stig_id": "WN16-SO-000380", + "fix_id": "F-80141r1_fix", "cci": [ - "CCI-001851" + "CCI-000366" ], "nist": [ - "AU-4 (1)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73401' do\n title \"Audit records must be backed up to a different system or media than\n the system being audited.\"\n desc \"Protection of log data includes assuring the log data is not\n accidentally lost or deleted. 
Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000342-GPOS-00133'\n tag \"gid\": 'V-73401'\n tag \"rid\": 'SV-88053r1_rule'\n tag \"stig_id\": 'WN16-AU-000010'\n tag \"fix_id\": 'F-79843r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if a process to back up log data to a different\n system or media than the system being audited has been implemented.\n\n If it has not, this is a finding.\"\n desc \"fix\", \"Establish and implement a process for backing up log data to\n another system or media other than the system being audited.\"\n describe 'A manual review is required to verify audit records are being backed up onto a different system or media than the system being audited' do\n skip 'A manual review is required to verify audit records are being backed up onto a different system or media than the system being audited'\n end\nend\n", + "code": "control 'V-73691' do\n title \"The LAN Manager authentication level must be set to send NTLMv2\n response only and to refuse LM and NTLM.\"\n desc \"The Kerberos v5 authentication protocol is the default for\n authentication of users who are logging on to domain accounts. NTLM, which is\n less secure, is retained in later Windows versions for compatibility with\n clients and servers that are running earlier versions of Windows or\n applications that still use it. 
It is also used to authenticate logons to\n standalone computers that are running later versions.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73691'\n tag \"rid\": 'SV-88355r1_rule'\n tag \"stig_id\": 'WN16-SO-000380'\n tag \"fix_id\": 'F-80141r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 0x00000005 (5)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: LAN Manager authentication level to Send NTLMv2\n response only. Refuse LM & NTLM.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'LmCompatibilityLevel' }\n its('LmCompatibilityLevel') { should cmp 5 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73401.rb", + "ref": "./Windows 2016 STIG/controls/V-73691.rb", "line": 1 }, - "id": "V-73401" + "id": "V-73691" }, { - "title": "Permissions for the Security event log must prevent access by\n non-privileged accounts.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.", + "title": "The Smart Card removal option must be configured to Force Logoff or\n Lock Workstation.", + "desc": "Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.", - "check": "Navigate to the Security event log file.\n\n The default location is the %SystemRoot%\\System32\\winevt\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the Security.evtx file are not as restrictive as the\n default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", - "fix": "Configure the permissions on the Security event log file\n (Security.evtx) to prevent access by non-privileged accounts. The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the %SystemRoot%\\ System32\\winevt\\Logs folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." + "default": "Unattended systems are susceptible to unauthorized use and must be\n locked. 
Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: scremoveoption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n If configuring this on servers causes issues, such as terminating users' remote\n sessions, and the organization has a policy in place that any other sessions on\n the servers, such as administrative console logons, are manually locked or\n logged off when unattended or not in use, this would be acceptable. This must\n be documented with the ISSO.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive logon: Smart card removal behavior to Lock Workstation or\n Force Logoff." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-73407", - "rid": "SV-88059r1_rule", - "stig_id": "WN16-AU-000040", - "fix_id": "F-79849r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73807", + "rid": "SV-88473r1_rule", + "stig_id": "WN16-SO-000180", + "fix_id": "F-80265r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-000366" ], "nist": [ - "AU-9", + "CM-6 b)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73407' do\n title \"Permissions for the Security event log must prevent access by\n non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Security event log may disclose sensitive information or be susceptible to\n tampering if proper permissions are not applied.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028',\n 'SRG-OS-000059-GPOS-00029']\n tag \"gid\": 'V-73407'\n tag \"rid\": 'SV-88059r1_rule'\n tag \"stig_id\": 'WN16-AU-000040'\n tag \"fix_id\": 'F-79849r1_fix'\n tag \"cci\": ['CCI-000162', 'CCI-000163', 'CCI-000164']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Navigate to the Security event log file.\n\n The default location is the %SystemRoot%\\\\System32\\\\winevt\\\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the Security.evtx file are not as restrictive as the\n default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc \"fix\", \"Configure the permissions on the Security event log file\n (Security.evtx) to prevent access by non-privileged accounts. 
The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the %SystemRoot%\\\\ System32\\\\winevt\\\\Logs folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n system_root = command('$env:SystemRoot').stdout.strip\n\n describe file(\"#{system_root}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Security.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", + "code": "control 'V-73807' do\n title \"The Smart Card removal option must be configured to Force Logoff or\n Lock Workstation.\"\n desc \"Unattended systems are susceptible to unauthorized use and must be\n locked. Configuring a system to lock when a smart card is removed will ensure\n the system is inaccessible when unattended.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73807'\n tag \"rid\": 'SV-88473r1_rule'\n tag \"stig_id\": 'WN16-SO-000180'\n tag \"fix_id\": 'F-80265r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: scremoveoption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n If configuring this on servers causes issues, such as terminating users' remote\n sessions, and the organization has a policy in place that any other sessions on\n the servers, such as administrative console logons, are manually locked or\n 
logged off when unattended or not in use, this would be acceptable. This must\n be documented with the ISSO.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive logon: Smart card removal behavior to Lock Workstation or\n Force Logoff.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'scremoveoption' }\n its('scremoveoption') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'scremoveoption' }\n its('scremoveoption') { should cmp 2 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73407.rb", + "ref": "./Windows 2016 STIG/controls/V-73807.rb", "line": 1 }, - "id": "V-73407" + "id": "V-73807" }, { - "title": "Explorer Data Execution Prevention must be enabled.", - "desc": "Data Execution Prevention provides additional protection by performing\n checks on memory to help prevent malicious code from running. This setting will\n prevent Data Execution Prevention from being turned off for File Explorer.", + "title": "The machine inactivity limit must be set to 15 minutes, locking the\n system with the screen saver.", + "desc": "Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", "descriptions": { - "default": "Data Execution Prevention provides additional protection by performing\n checks on memory to help prevent malicious code from running. 
This setting will\n prevent Data Execution Prevention from being turned off for File Explorer.", - "check": "The default behavior is for Data Execution Prevention to be\n turned on for File Explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", - "fix": "The default behavior is for data execution prevention to be\n turned on for File Explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off Data Execution Prevention for Explorer to Not\n Configured or Disabled." + "default": "Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive logon: Machine inactivity limit to 900 seconds or less." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000433-GPOS-00192", - "gid": "V-73561", - "rid": "SV-88225r1_rule", - "stig_id": "WN16-CC-000340", - "fix_id": "F-80011r1_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "gid": "V-73645", + "rid": "SV-88309r1_rule", + "stig_id": "WN16-SO-000140", + "fix_id": "F-80095r1_fix", "cci": [ - "CCI-002824" + "CCI-000057" ], "nist": [ - "SI-16", + "AC-11 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73561' do\n title 'Explorer Data Execution Prevention must be enabled.'\n desc \"Data Execution Prevention provides additional protection by performing\n checks on memory to help prevent malicious code from running. This setting will\n prevent Data Execution Prevention from being turned off for File Explorer.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000433-GPOS-00192'\n tag \"gid\": 'V-73561'\n tag \"rid\": 'SV-88225r1_rule'\n tag \"stig_id\": 'WN16-CC-000340'\n tag \"fix_id\": 'F-80011r1_fix'\n tag \"cci\": ['CCI-002824']\n tag \"nist\": ['SI-16', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for Data Execution Prevention to be\n turned on for File Explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for data execution prevention to be\n turned on for File Explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off Data Execution Prevention for Explorer to Not\n Configured or 
Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer') do\n it { should have_property 'NoDataExecutionPrevention' }\n its('NoDataExecutionPrevention') { should_not cmp 1}\n end\nend\n", + "code": "control 'V-73645' do\n title \"The machine inactivity limit must be set to 15 minutes, locking the\n system with the screen saver.\"\n desc \"Unattended systems are susceptible to unauthorized use and should be\n locked when unattended. The screen saver should be set at a maximum of 15\n minutes and be password protected. This protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000029-GPOS-00010'\n tag \"gid\": 'V-73645'\n tag \"rid\": 'SV-88309r1_rule'\n tag \"stig_id\": 'WN16-SO-000140'\n tag \"fix_id\": 'F-80095r1_fix'\n tag \"cci\": ['CCI-000057']\n tag \"nist\": ['AC-11 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive logon: Machine inactivity limit to 900 seconds or less.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'InactivityTimeoutSecs' }\n its('InactivityTimeoutSecs') { should be <= 900 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73561.rb", + "ref": "./Windows 2016 STIG/controls/V-73645.rb", "line": 1 }, - "id": "V-73561" + "id": 
"V-73645" }, { - "title": "Windows Server 2016 must be configured to audit Policy Change -\n Authentication Policy Change successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy, including Kerberos policy and Trust changes.", + "title": "Remote Desktop Services must always prompt a client for passwords upon\n connection.", + "desc": "This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy, including Kerberos policy and Trust changes.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authentication Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Authentication Policy Change with\n Success selected." + "default": "This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. 
Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fPromptForPassword\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Always prompt for password upon\n connection to Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000373-GPOS-00157", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" ], - "gid": "V-73465", - "rid": "SV-88117r1_rule", - "stig_id": "WN16-AU-000330", - "fix_id": "F-79907r1_fix", + "gid": "V-73571", + "rid": "SV-88235r1_rule", + "stig_id": "WN16-CC-000390", + "fix_id": "F-80021r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002038" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "IA-11", "Rev_4" ], "documentable": false }, - "code": "control 'V-73465' do\n title \"Windows Server 2016 must be configured to audit Policy Change -\n Authentication Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy, including Kerberos policy and Trust changes.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73465'\n tag \"rid\": 'SV-88117r1_rule'\n tag \"stig_id\": 'WN16-AU-000330'\n tag \"fix_id\": 'F-79907r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authentication Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Authentication Policy Change with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr 
/c:'Authentication Policy Change'\") do\n its('stdout') { should match /Authentication Policy Change Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Authentication Policy Change'\") do\n its('stdout') { should match /Authentication Policy Change Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73571' do\n title \"Remote Desktop Services must always prompt a client for passwords upon\n connection.\"\n desc \"This setting controls the ability of users to supply passwords\n automatically as part of their remote desktop connection. Disabling this\n setting would allow anyone to use the stored credentials in a connection item\n to connect to the terminal server.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73571'\n tag \"rid\": 'SV-88235r1_rule'\n tag \"stig_id\": 'WN16-CC-000390'\n tag \"fix_id\": 'F-80021r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fPromptForPassword\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Always prompt for password upon\n connection to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fPromptForPassword' }\n its('fPromptForPassword') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73465.rb", + "ref": "./Windows 
2016 STIG/controls/V-73571.rb", "line": 1 }, - "id": "V-73465" + "id": "V-73571" }, { - "title": "Automatically signing in the last interactive user after a\n system-initiated restart must be disabled.", - "desc": "Windows can be configured to automatically sign the user back in after\n a Windows Update restart. Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.", + "title": "Orphaned security identifiers (SIDs) must be removed from user rights\non Windows 2016.", + "desc": "Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.", "descriptions": { - "default": "Windows can be configured to automatically sign the user back in after\n a Windows Update restart. Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.", - "check": "Verify the registry value below. If it does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Logon Options >>\n Sign-in last interactive user automatically after a system-initiated\n restart to Disabled." 
+ "default": "Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.", + "check": "Review the effective User Rights setting in Local Group Policy\n Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether they\n are valid, such as due to being temporarily disconnected from the domain.\n (Unresolved SIDs have the format of *S-1-….)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\n groups, this is a finding.", + "fix": "Remove any unresolved SIDs found in User Rights assignments and\n determined to not be for currently valid accounts or groups by removing the\n accounts or groups from the appropriate group policy." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00229", - "gid": "V-73589", - "rid": "SV-88253r1_rule", - "stig_id": "WN16-CC-000480", - "fix_id": "F-80039r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-78127", + "rid": "SV-92833r1_rule", + "stig_id": "WN16-00-000460", + "fix_id": "F-84849r1_fix", "cci": [ "CCI-000366" ], 
@@ -4811,163 +4877,171 @@ ], "documentable": false }, - "code": "control 'V-73589' do\n title \"Automatically signing in the last interactive user after a\n system-initiated restart must be disabled.\"\n desc \"Windows can be configured to automatically sign the user back in after\n a Windows Update restart. Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00229'\n tag \"gid\": 'V-73589'\n tag \"rid\": 'SV-88253r1_rule'\n tag \"stig_id\": 'WN16-CC-000480'\n tag \"fix_id\": 'F-80039r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the registry value below. If it does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Logon Options >>\n Sign-in last interactive user automatically after a system-initiated\n restart to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'DisableAutomaticRestartSignOn' }\n its('DisableAutomaticRestartSignOn') { should cmp 1 }\n end\nend\n", + "code": "control 'V-78127' do\n title \"Orphaned security identifiers (SIDs) must be removed from user rights\non Windows 2016.\"\n desc \"Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. 
If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-78127'\n tag \"rid\": 'SV-92833r1_rule'\n tag \"stig_id\": 'WN16-00-000460'\n tag \"fix_id\": 'F-84849r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the effective User Rights setting in Local Group Policy\n Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether they\n are valid, such as due to being temporarily disconnected from the domain.\n (Unresolved SIDs have the format of *S-1-….)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\n groups, this is a finding.\"\n desc \"fix\", \"Remove any unresolved SIDs found in User Rights assignments and\n determined to not be for currently valid accounts or groups by removing the\n accounts or groups from the appropriate group policy.\"\n describe \"Orphaned security identifiers (SIDs) must be removed from user rights\n on Windows 2016\" do\n skip \"A manual review is required to verify orphaned security identifiers (SIDs) are removed from user rights\n on Windows 2016\"\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73589.rb", + "ref": "./Windows 2016 STIG/controls/V-78127.rb", "line": 1 }, - "id": "V-73589" + "id": "V-78127" }, { - "title": "The minimum password age must be configured to at least one day.", - "desc": "Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history 
database. This\n enables users to effectively negate the purpose of mandating periodic password\n changes.", + "title": "Manually managed application account passwords must be changed at\n least annually or when a system administrator with knowledge of the password\n leaves the organization.", + "desc": "Setting application account passwords to expire may cause applications\n to stop functioning. However, not changing them on a regular basis exposes them\n to attack. If managed service accounts are used, this alleviates the need to\n manually change application account passwords.", "descriptions": { - "default": "Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. This\n enables users to effectively negate the purpose of mandating periodic password\n changes.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Minimum password age is set to 0 days (Password\n can be changed immediately), this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Minimum password age to at least 1 day." + "default": "Setting application account passwords to expire may cause applications\n to stop functioning. However, not changing them on a regular basis exposes them\n to attack. If managed service accounts are used, this alleviates the need to\n manually change application account passwords.", + "check": "Determine if manually managed application/service accounts\n exist. 
If none exist, this is NA.\n\n If passwords for manually managed application/service accounts are not changed\n at least annually or when an administrator with knowledge of the password\n leaves the organization, this is a finding.\n\n Identify manually managed application/service accounts.\n\n To determine the date a password was last changed:\n\n Domain controllers:\n\n Open PowerShell.\n\n Enter Get-AdUser -Identity [application account name] -Properties\n PasswordLastSet | FT Name, PasswordLastSet, where [application account name]\n is the name of the manually managed application/service account.\n\n If the PasswordLastSet date is more than one year old, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Enter 'Net User [application account name] | Find /i Password Last Set',\n where [application account name] is the name of the manually managed\n application/service account.\n\n If the Password Last Set date is more than one year old, this is a finding.", + "fix": "Change passwords for manually managed application/service\n accounts at least annually or when an administrator with knowledge of the\n password leaves the organization.\n\n It is recommended that system-managed service accounts be used whenever\n possible." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000075-GPOS-00043", - "gid": "V-73319", - "rid": "SV-87971r1_rule", - "stig_id": "WN16-AC-000060", - "fix_id": "F-79761r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73231", + "rid": "SV-87883r2_rule", + "stig_id": "WN16-00-000070", + "fix_id": "F-79675r1_fix", "cci": [ - "CCI-000198" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73319' do\n title 'The minimum password age must be configured to at least one day.'\n desc \"Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. 
This\n enables users to effectively negate the purpose of mandating periodic password\n changes.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000075-GPOS-00043'\n tag \"gid\": 'V-73319'\n tag \"rid\": 'SV-87971r1_rule'\n tag \"stig_id\": 'WN16-AC-000060'\n tag \"fix_id\": 'F-79761r1_fix'\n tag \"cci\": ['CCI-000198']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Minimum password age is set to 0 days (Password\n can be changed immediately), this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Minimum password age to at least 1 day.\"\n describe security_policy do\n its('MinimumPasswordAge') { should be >= 1 }\n end\nend\n", + "code": "control 'V-73231' do\n title \"Manually managed application account passwords must be changed at\n least annually or when a system administrator with knowledge of the password\n leaves the organization.\"\n desc \"Setting application account passwords to expire may cause applications\n to stop functioning. However, not changing them on a regular basis exposes them\n to attack. If managed service accounts are used, this alleviates the need to\n manually change application account passwords.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73231'\n tag \"rid\": 'SV-87883r2_rule'\n tag \"stig_id\": 'WN16-00-000070'\n tag \"fix_id\": 'F-79675r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if manually managed application/service accounts\n exist. 
If none exist, this is NA.\n\n If passwords for manually managed application/service accounts are not changed\n at least annually or when an administrator with knowledge of the password\n leaves the organization, this is a finding.\n\n Identify manually managed application/service accounts.\n\n To determine the date a password was last changed:\n\n Domain controllers:\n\n Open PowerShell.\n\n Enter Get-AdUser -Identity [application account name] -Properties\n PasswordLastSet | FT Name, PasswordLastSet, where [application account name]\n is the name of the manually managed application/service account.\n\n If the PasswordLastSet date is more than one year old, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Enter 'Net User [application account name] | Find /i Password Last Set',\n where [application account name] is the name of the manually managed\n application/service account.\n\n If the Password Last Set date is more than one year old, this is a finding.\"\n desc \"fix\", \"Change passwords for manually managed application/service\n accounts at least annually or when an administrator with knowledge of the\n password leaves the organization.\n\n It is recommended that system-managed service accounts be used whenever\n possible.\"\n manually_managed_app_service_accounts = input('manually_managed_app_service_accounts')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if !manually_managed_app_service_accounts.empty?\n manually_managed_app_service_accounts.each do |account|\n if domain_role == '4' || domain_role == '5'\n query = \"Get-ADUser -Identity #{account} -Properties SID, PasswordLastSet | Where SID -Like *-500 | Select @{Name='Name';Expression={$_.SamAccountName}}, SID, @{Name='PasswordLastSet';Expression={New-TimeSpan -Start ($_.PasswordLastSet) -End (Get-Date) | Select Days, Hours}}| ConvertTo-JSON\"\n else\n query = \"Get-LocalUser #{account} | Where SID -Like 
*-500 | Select Name, SID, @{Name='PasswordLastSet';Expression={New-TimeSpan -Start ($_.PasswordLastSet) -End (Get-Date) | Select Days}} | ConvertTo-JSON\"\n end\n \n managed_account = json({command: query})\n pwd_last_set_days = managed_account['PasswordLastSet']['Days']\n account_name = managed_account['Name']\n \n describe \"Password age for managed account: #{account_name}\" do\n subject { pwd_last_set_days }\n it { should cmp <= 365 }\n end\n end\n else\n describe 'There are no manually managed application/service accounts on this system, therefore this control is not applicable' do\n skip 'There are no manually managed application/service accounts on this system, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73319.rb", + "ref": "./Windows 2016 STIG/controls/V-73231.rb", "line": 1 }, - "id": "V-73319" + "id": "V-73231" }, { - "title": "The Create symbolic links user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create symbolic links user right can create pointers\n to other objects, which could expose the system to attack.", + "title": "Hardened UNC paths must be defined to require mutual authentication\n and integrity for at least the \\\\*\\SYSVOL and \\\\*\\NETLOGON shares.", + "desc": "Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in hardened UNC paths before allowing access\n to them. 
This aids in preventing tampering with or spoofing of connections to\n these paths.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create symbolic links user right can create pointers\n to other objects, which could expose the system to attack.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create\n symbolic links user right, this is a finding.\n\n - Administrators\n\n Systems that have the Hyper-V role will also have Virtual Machines given\n this user right (this may be displayed as NT Virtual Machine\\Virtual\n Machines). This is not a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create symbolic links to include only the following accounts or groups:\n\n - Administrators\n\n Systems that have the Hyper-V role will also have Virtual Machines given\n this user right. If this needs to be added manually, enter it as NT Virtual\n Machine\\Virtual Machines." + "default": "Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in hardened UNC paths before allowing access\n to them. This aids in preventing tampering with or spoofing of connections to\n these paths.", + "check": "This requirement is applicable to domain-joined systems. 
For\n standalone systems, this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths\\\n\n Value Name: \\\\*\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Provider >> Hardened UNC\n Paths to Enabled with at least the following configured in Hardened UNC\n Paths: (click the Show button to display)\n\n Value Name: \\\\*\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73753", - "rid": "SV-88417r1_rule", - "stig_id": "WN16-UR-000120", - "fix_id": "F-80203r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73509", + "rid": "SV-88161r1_rule", + "stig_id": "WN16-CC-000090", + "fix_id": "F-79951r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73753' do\n title \"The Create symbolic links user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create symbolic links user right can create pointers\n to other objects, which could expose the system to attack.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73753'\n tag \"rid\": 'SV-88417r1_rule'\n tag \"stig_id\": 'WN16-UR-000120'\n tag 
\"fix_id\": 'F-80203r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create\n symbolic links user right, this is a finding.\n\n - Administrators\n\n Systems that have the Hyper-V role will also have Virtual Machines given\n this user right (this may be displayed as NT Virtual Machine\\\\Virtual\n Machines). This is not a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create symbolic links to include only the following accounts or groups:\n\n - Administrators\n\n Systems that have the Hyper-V role will also have Virtual Machines given\n this user right. If this needs to be added manually, enter it as NT Virtual\n Machine\\\\Virtual Machines.\"\n describe.one do\n describe security_policy do\n its('SeCreateSymbolicLinkPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeCreateSymbolicLinkPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73509' do\n title \"Hardened UNC paths must be defined to require mutual authentication\n and integrity for at least the \\\\\\\\*\\\\SYSVOL and \\\\\\\\*\\\\NETLOGON shares.\"\n desc \"Additional security requirements are applied to Universal Naming\n Convention (UNC) paths specified in hardened UNC paths before allowing access\n to them. 
This aids in preventing tampering with or spoofing of connections to\n these paths.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73509'\n tag \"rid\": 'SV-88161r1_rule'\n tag \"stig_id\": 'WN16-CC-000090'\n tag \"fix_id\": 'F-79951r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This requirement is applicable to domain-joined systems. For\n standalone systems, this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\NetworkProvider\\\\HardenedPaths\\\\\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Network Provider >> Hardened UNC\n Paths to Enabled with at least the following configured in Hardened UNC\n Paths: (click the Show button to display)\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\"\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This control is not applicable because this is not a domain-joined system' do\n skip 'This control is not applicable because this is not a domain-joined system'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\NetworkProvider\\\\HardenedPaths') do\n it { should have_property '\\\\\\\\*\\\\NETLOGON' }\n 
its('\\\\\\\\*\\\\NETLOGON') { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1' }\n it { should have_property '\\\\\\\\*\\\\SYSVOL' }\n its('\\\\\\\\*\\\\SYSVOL') { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73753.rb", + "ref": "./Windows 2016 STIG/controls/V-73509.rb", "line": 1 }, - "id": "V-73753" + "id": "V-73509" }, { - "title": "The DoD Root CA certificates must be installed in the Trusted Root\n Store.", - "desc": "To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.", + "title": "Windows Server 2016 must be configured to audit Account Management -\n Computer Account Management successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling computer accounts.", "descriptions": { - "default": "To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.", - "check": "The certificates and thumbprints referenced below apply to\n unclassified systems; see PKE documentation for other networks.\n\n Open Windows PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine oot | Where Subject -Like *DoD* | FL Subject, Thumbprint, NotAfter\n\n If the following certificate Subject and Thumbprint information is not\n displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Trusted Root Certification\n Authorities >> Certificates.\n\n For each of the DoD Root CA certificates noted below:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the DoD Root CA certificates below are not listed or the value for the\n Thumbprint field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041", - "fix": "Install the DoD Root CA certificates:\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling computer accounts.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Computer Account Management - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Computer Account Management\n with Success selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000066-GPOS-00034", + "gtitle": "SRG-OS-000004-GPOS-00004", "satisfies": [ - "SRG-OS-000066-GPOS-00034", - "SRG-OS-000403-GPOS-00182" + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" ], - "gid": "V-73605", - "rid": "SV-88269r3_rule", - "stig_id": "WN16-PK-000010", - "fix_id": "F-87311r1_fix", + "gid": "V-73417", + "rid": "SV-88069r1_rule", + "stig_id": "WN16-DC-000230", + "fix_id": "F-79859r1_fix", "cci": [ - "CCI-000185", - "CCI-002470" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ - "IA-5 (2) (a)", - "SC-23 (5)", + "AC-2 (4)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73605' do\n title \"The DoD Root CA certificates must be installed in the Trusted Root\n Store.\"\n desc \"To ensure secure DoD websites and DoD-signed code are properly\n validated, the system must trust the DoD Root Certificate Authorities (CAs).\n The DoD root certificates will ensure that the trust chain is established for\n server certificates issued from the DoD CAs.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"satisfies\": ['SRG-OS-000066-GPOS-00034', 'SRG-OS-000403-GPOS-00182']\n tag \"gid\": 'V-73605'\n tag \"rid\": 'SV-88269r3_rule'\n tag \"stig_id\": 'WN16-PK-000010'\n tag \"fix_id\": 'F-87311r1_fix'\n tag \"cci\": ['CCI-000185', 'CCI-002470']\n tag \"nist\": ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The certificates and thumbprints referenced below apply to\n unclassified systems; see PKE documentation for other networks.\n\n Open Windows PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\n oot | Where Subject -Like *DoD* | FL Subject, Thumbprint, NotAfter\n\n If the following 
certificate Subject and Thumbprint information is not\n displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Trusted Root Certification\n Authorities >> Certificates.\n\n For each of the DoD Root CA certificates noted below:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the DoD Root CA certificates below are not listed or the value for the\n Thumbprint field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: 
Friday, June 14, 2041\"\n desc \"fix\", \"Install the DoD Root CA certificates:\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\D73CA91102A2204A36459ED32213B467D7CE97FB') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\B8269F25DBD937ECAFD4C35A9838571723F2D026') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\D73CA91102A2204A36459ED32213B467D7CE97FB') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\B8269F25DBD937ECAFD4C35A9838571723F2D026') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\D73CA91102A2204A36459ED32213B467D7CE97FB') do\n it { should exist }\n end\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\B8269F25DBD937ECAFD4C35A9838571723F2D026') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\D73CA91102A2204A36459ED32213B467D7CE97FB') do\n it { should exist }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\B8269F25DBD937ECAFD4C35A9838571723F2D026') do\n it { should exist }\n end\n end\nend\n", + "code": "control 'V-73417' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n Computer Account Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling computer accounts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000004-GPOS-00004'\n tag \"satisfies\": ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',\n 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',\n 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag \"gid\": 'V-73417'\n tag \"rid\": 'SV-88069r1_rule'\n tag \"stig_id\": 'WN16-DC-000230'\n tag \"fix_id\": 'F-79859r1_fix'\n tag \"cci\": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',\n 'CCI-001405', 'CCI-002130']\n tag \"nist\": ['AC-2 (4)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Computer Account Management - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Computer Account Management\n with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Computer Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Computer Account Management') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Computer Account Management'\") do\n its('stdout') { should match /Computer Account Management Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Computer Account Management'\") do\n its('stdout') { should match /Computer Account Management Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73605.rb", + "ref": "./Windows 2016 STIG/controls/V-73417.rb", "line": 1 }, - "id": "V-73605" + "id": "V-73417" }, { - "title": "Windows Server 2016 must be configured to prevent anonymous users from\n having the same permissions as the Everyone group.", - "desc": "Access by anonymous users must be restricted. If this setting is\n enabled, anonymous users have the same rights and permissions as the built-in\n Everyone group. 
Anonymous users must not have these permissions or rights.", + "title": "The Act as part of the operating system user right must not be\n assigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Act as part of the operating system user right can\n assume the identity of any user and gain access to resources that the user is\n authorized to access. Any accounts with this right can take complete control of\n a system.", "descriptions": { - "default": "Access by anonymous users must be restricted. If this setting is\n enabled, anonymous users have the same rights and permissions as the built-in\n Everyone group. Anonymous users must not have these permissions or rights.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Let everyone permissions apply to anonymous users to\n Disabled." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Act as part of the operating system user right can\n assume the identity of any user and gain access to resources that the user is\n authorized to access. 
Any accounts with this right can take complete control of\n a system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups (to include administrators), are granted the Act as\n part of the operating system user right, this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for accounts with this user right must be protected as highly\n privileged accounts.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Act as part of the operating system to be defined but containing no entries\n (blank)." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73673", - "rid": "SV-88337r1_rule", - "stig_id": "WN16-SO-000290", - "fix_id": "F-80123r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73735", + "rid": "SV-88399r1_rule", + "stig_id": "WN16-UR-000030", + "fix_id": "F-80185r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73673' do\n title \"Windows Server 2016 must be configured to prevent anonymous users from\n having the same permissions as the Everyone group.\"\n desc \"Access by anonymous users must be restricted. If this setting is\n enabled, anonymous users have the same rights and permissions as the built-in\n Everyone group. 
Anonymous users must not have these permissions or rights.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73673'\n tag \"rid\": 'SV-88337r1_rule'\n tag \"stig_id\": 'WN16-SO-000290'\n tag \"fix_id\": 'F-80123r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Let everyone permissions apply to anonymous users to\n Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'EveryoneIncludesAnonymous' }\n its('EveryoneIncludesAnonymous') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73735' do\n title \"The Act as part of the operating system user right must not be\n assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Act as part of the operating system user right can\n assume the identity of any user and gain access to resources that the user is\n authorized to access. 
Any accounts with this right can take complete control of\n a system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73735'\n tag \"rid\": 'SV-88399r1_rule'\n tag \"stig_id\": 'WN16-UR-000030'\n tag \"fix_id\": 'F-80185r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups (to include administrators), are granted the Act as\n part of the operating system user right, this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for accounts with this user right must be protected as highly\n privileged accounts.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Act as part of the operating system to be defined but containing no entries\n (blank).\"\n describe security_policy do\n its('SeTcbPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73673.rb", + "ref": "./Windows 2016 STIG/controls/V-73735.rb", "line": 1 }, - "id": "V-73673" + "id": "V-73735" }, { - "title": "File Explorer shell protocol must run in protected mode.", - "desc": "The shell protocol will limit the set of folders that applications can\n open when run in protected mode. 
Restricting files an application can open to a\n limited set of folders increases the security of Windows.", + "title": "Early Launch Antimalware, Boot-Start Driver Initialization Policy must\n prevent boot drivers identified as bad.", + "desc": "Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. At a minimum, drivers determined to be bad must not be\n allowed.", "descriptions": { - "default": "The shell protocol will limit the set of folders that applications can\n open when run in protected mode. Restricting files an application can open to a\n limited set of folders increases the security of Windows.", - "check": "The default behavior is for shell protected mode to be turned\n on for File Explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", - "fix": "The default behavior is for shell protected mode to be turned on\n for File Explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off shell protocol protected mode to Not Configured or\n Disabled." + "default": "Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. 
At a minimum, drivers determined to be bad must not be\n allowed.", + "check": "The default behavior is for Early Launch Antimalware -\n Boot-Start Driver Initialization policy to enforce Good, unknown and bad but\n critical (preventing bad).\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0x00000007 (7), this is a\n finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name\n does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes bad and would be a finding)", + "fix": "The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy to enforce Good, unknown and bad but critical\n (preventing bad).\n\n If this needs to be corrected or a more secure setting is desired, configure\n the policy value for Computer Configuration >> Administrative Templates >>\n System >> Early Launch Antimalware >> Boot-Start Driver Initialization\n Policy to Not Configured or Enabled with any option other than\n All selected." }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73565", - "rid": "SV-88229r1_rule", - "stig_id": "WN16-CC-000360", - "fix_id": "F-80015r1_fix", + "gid": "V-73521", + "rid": "SV-88173r1_rule", + "stig_id": "WN16-CC-000140", + "fix_id": "F-79961r1_fix", "cci": [ "CCI-000366" ], 
@@ -4977,29 +5051,29 @@ ], "documentable": false }, - "code": "control 'V-73565' do\n title 'File Explorer shell protocol must run in protected mode.'\n desc \"The shell protocol will limit the set of folders that applications can\n open when run in protected mode. Restricting files an application can open to a\n limited set of folders increases the security of Windows.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73565'\n tag \"rid\": 'SV-88229r1_rule'\n tag \"stig_id\": 'WN16-CC-000360'\n tag \"fix_id\": 'F-80015r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for shell protected mode to be turned\n on for File Explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for shell protected mode to be turned on\n for File Explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off shell protocol protected mode to Not Configured or\n Disabled.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n it { should_not have_property 'PreXPSP2ShellProtocolBehavior' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n its('PreXPSP2ShellProtocolBehavior') { should 
cmp 0 }\n end\n end\nend\n", + "code": "control 'V-73521' do\n title \"Early Launch Antimalware, Boot-Start Driver Initialization Policy must\n prevent boot drivers identified as bad.\"\n desc \"Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. At a minimum, drivers determined to be bad must not be\n allowed.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73521'\n tag \"rid\": 'SV-88173r1_rule'\n tag \"stig_id\": 'WN16-CC-000140'\n tag \"fix_id\": 'F-79961r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for Early Launch Antimalware -\n Boot-Start Driver Initialization policy to enforce Good, unknown and bad but\n critical (preventing bad).\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0x00000007 (7), this is a\n finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch\\\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name\n does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes bad and would be a finding)\"\n desc \"fix\", \"The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy to enforce Good, unknown and bad but critical\n (preventing bad).\n\n If this needs to be corrected or a more secure setting is desired, configure\n the policy value for Computer Configuration >> Administrative Templates >>\n System >> Early Launch Antimalware >> Boot-Start Driver 
Initialization\n Policy to Not Configured or Enabled with any option other than\n All selected.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch') do\n it { should have_property 'DriverLoadPolicy' }\n its('DriverLoadPolicy') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch') do\n it { should have_property 'DriverLoadPolicy' }\n its('DriverLoadPolicy') { should cmp 3 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch') do\n it { should have_property 'DriverLoadPolicy' }\n its('DriverLoadPolicy') { should cmp 8 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch') do\n it { should_not have_property 'DriverLoadPolicy' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73565.rb", + "ref": "./Windows 2016 STIG/controls/V-73521.rb", "line": 1 }, - "id": "V-73565" + "id": "V-73521" }, { - "title": "The Create permanent shared objects user right must not be assigned to\n any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create permanent shared objects user right could\n expose sensitive data by creating shared objects.", + "title": "The Load and unload device drivers user right must only be assigned to\n the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Load and unload device drivers user right allows a user to load\n device drivers dynamically on a system. 
This could be used by an attacker to\n install malicious code.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create permanent shared objects user right could\n expose sensitive data by creating shared objects.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Create permanent shared objects\n user right, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create permanent shared objects to be defined but containing no entries\n (blank)." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Load and unload device drivers user right allows a user to load\n device drivers dynamically on a system. 
This could be used by an attacker to\n install malicious code.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Load and\n unload device drivers user right, this is a finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Load and unload device drivers to include only the following accounts or\n groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73751", - "rid": "SV-88415r1_rule", - "stig_id": "WN16-UR-000110", - "fix_id": "F-80201r1_fix", + "gid": "V-73789", + "rid": "SV-88453r1_rule", + "stig_id": "WN16-UR-000240", + "fix_id": "F-80239r1_fix", "cci": [ "CCI-002235" ], 
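Review bot: The four-branch `describe.one` on `DriverLoadPolicy` inside the new V-73521 `code` string fails closed on any registry value other than 1, 3 or 8 (or the value being absent), while the adjacent `check` text names only 7 as a finding, so an undocumented value fails the test without the STIG wording requiring it. Fail-closed is the safer reading for a boot-driver allow-list, but the intent should be recorded so the discrepancy is not later "fixed" by loosening the matcher; a one-line comment before the `describe.one`, such as `# Fail closed: only the documented values 1, 3, 8 (or no value) pass; 7 and any undocumented value are findings.`, would capture it. The check wording is duplicated verbatim in `descriptions.check` and again inside `code`, so any change to it has to be made in both places; the V-73789 control element that starts in this hunk continues past its end.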
@@ -5009,100 +5083,125 @@ ], "documentable": false }, - "code": "control 'V-73751' do\n title \"The Create permanent shared objects user right must not be assigned to\n any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create permanent shared objects user right could\n expose sensitive data by creating shared objects.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73751'\n tag \"rid\": 'SV-88415r1_rule'\n tag \"stig_id\": 'WN16-UR-000110'\n tag \"fix_id\": 'F-80201r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Create permanent shared objects\n user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create permanent shared objects to be defined but containing no entries\n (blank).\"\n describe security_policy do\n its('SeCreatePermanentPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-73789' do\n title \"The Load and unload device drivers user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Load and unload device drivers user right allows a user to load\n device drivers dynamically on a system. 
This could be used by an attacker to\n install malicious code.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73789'\n tag \"rid\": 'SV-88453r1_rule'\n tag \"stig_id\": 'WN16-UR-000240'\n tag \"fix_id\": 'F-80239r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Load and\n unload device drivers user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Load and unload device drivers to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeLoadDriverPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeLoadDriverPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73751.rb", + "ref": "./Windows 2016 STIG/controls/V-73789.rb", "line": 1 }, - "id": "V-73751" + "id": "V-73789" }, { - "title": "The Restore files and directories user right must only be assigned to\n the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Restore files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. 
It could also be used to overwrite more current data.", + "title": "Anonymous enumeration of Security Account Manager (SAM) accounts must\n not be allowed.", + "desc": "Anonymous enumeration of SAM accounts allows anonymous logon users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.", + "descriptions": { + "default": "Anonymous enumeration of SAM accounts allows anonymous logon users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow anonymous enumeration of SAM accounts to\n Enabled." 
+ }, + "impact": 0.7, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73667", + "rid": "SV-88331r1_rule", + "stig_id": "WN16-SO-000260", + "fix_id": "F-80117r1_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b", + "Rev_4" + ], + "documentable": false + }, + "code": "control 'V-73667' do\n title \"Anonymous enumeration of Security Account Manager (SAM) accounts must\n not be allowed.\"\n desc \"Anonymous enumeration of SAM accounts allows anonymous logon users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73667'\n tag \"rid\": 'SV-88331r1_rule'\n tag \"stig_id\": 'WN16-SO-000260'\n tag \"fix_id\": 'F-80117r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow anonymous enumeration of SAM accounts to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictAnonymousSAM' }\n its('RestrictAnonymousSAM') { should cmp 1 }\n end\nend\n", + "source_location": { + "ref": "./Windows 2016 STIG/controls/V-73667.rb", + "line": 1 + }, + "id": "V-73667" + }, + { + "title": "The Deny log on as a batch job user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems and from unauthenticated 
access on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Restore files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to overwrite more current data.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Restore\n files and directories user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Restore files and directories to include only the following 
accounts or\n groups:\n\n - Administrators" + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.", + "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n batch job user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a batch job to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n\n All Systems:\n - Guests group" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73801", - "rid": "SV-88465r1_rule", - "stig_id": "WN16-UR-000300", - "fix_id": "F-80251r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73763", + "rid": "SV-88427r1_rule", + "stig_id": "WN16-MS-000380", + "fix_id": "F-80213r1_fix", "cci": [ - "CCI-002235" + "CCI-000213" ], "nist": [ - "AC-6 (10)", + "AC-3", "Rev_4" ], 
"documentable": false }, - "code": "control 'V-73801' do\n title \"The Restore files and directories user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Restore files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data. It could also be used to overwrite more current data.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73801'\n tag \"rid\": 'SV-88465r1_rule'\n tag \"stig_id\": 'WN16-UR-000300'\n tag \"fix_id\": 'F-80251r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Restore\n files and directories user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Restore files and directories to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeRestorePrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n 
its('SeRestorePrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73763' do\n title \"The Deny log on as a batch job user right on member servers must be\n configured to prevent access from highly privileged domain accounts on domain\n systems and from unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73763'\n tag \"rid\": 'SV-88427r1_rule'\n tag \"stig_id\": 'WN16-MS-000380'\n tag \"fix_id\": 'F-80213r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n batch job user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a batch job to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n\n All Systems:\n - Guests group \"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n else\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include 'S-1-5-32-546' }\n end\n if domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: 
enterprise_admin_sid_query).params\n\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73801.rb", + "ref": "./Windows 2016 STIG/controls/V-73763.rb", "line": 1 }, - "id": "V-73801" + "id": "V-73763" }, { - "title": "Permissions for the Application event log must prevent access by\n non-privileged accounts.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Application event log may be susceptible to tampering if proper permissions are\n not applied.", + "title": "Basic authentication for RSS feeds over HTTP must not be used.", + "desc": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n Application event log may be susceptible to tampering if proper permissions are\n not applied.", - "check": "Navigate to the Application event log file.\n\n The default location is the %SystemRoot%\\System32\\winevt\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the Application.evtx file are not as restrictive as\n the default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", - "fix": "Configure the permissions on the Application event log file\n (Application.evtx) to prevent access by non-privileged accounts. The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\ System32\\winevt\\Logs\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \"NT Service\\Eventlog\"." + "default": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. 
Disabling Basic authentication will reduce this potential.", + "check": "The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >>\n Turn on Basic feed authentication over HTTP to Not Configured or\n Disabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-73405", - "rid": "SV-88057r1_rule", - "stig_id": "WN16-AU-000030", - "fix_id": "F-79847r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73579", + "rid": "SV-88243r1_rule", + "stig_id": "WN16-CC-000430", + "fix_id": "F-80029r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-000381" ], "nist": [ - "AU-9", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73405' do\n title \"Permissions for the Application event log must prevent access by\n non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n Application event log may be susceptible to tampering if proper permissions are\n not applied.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028',\n 'SRG-OS-000059-GPOS-00029']\n tag \"gid\": 'V-73405'\n tag \"rid\": 'SV-88057r1_rule'\n tag \"stig_id\": 'WN16-AU-000030'\n tag \"fix_id\": 'F-79847r1_fix'\n tag \"cci\": ['CCI-000162', 'CCI-000163', 'CCI-000164']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Navigate to the Application event log file.\n\n The default location is the %SystemRoot%\\\\System32\\\\winevt\\\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the Application.evtx file are not as restrictive as\n the default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc \"fix\", \"Configure the permissions on the Application event log file\n (Application.evtx) to prevent access by non-privileged accounts. 
The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\ System32\\\\winevt\\\\Logs\\\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n\n system_root = command('$env:SystemRoot').stdout.strip\n\n describe file(\"#{system_root}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Application.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", + "code": "control 'V-73579' do\n title 'Basic authentication for RSS feeds over HTTP must not be used.'\n desc \"Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73579'\n tag \"rid\": 'SV-88243r1_rule'\n tag \"stig_id\": 'WN16-CC-000430'\n tag \"fix_id\": 'F-80029r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for 
the Windows RSS platform to not use\n Basic authentication over HTTP connections.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >>\n Turn on Basic feed authentication over HTTP to Not Configured or\n Disabled.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds') do\n it { should_not have_property 'AllowBasicAuthInClear' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds') do\n its('AllowBasicAuthInClear') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73405.rb", + "ref": "./Windows 2016 STIG/controls/V-73579.rb", "line": 1 }, - "id": "V-73405" + "id": "V-73579" }, { - "title": "PKU2U authentication using online identities must be prevented.", - "desc": "PKU2U is a peer-to-peer authentication protocol. This setting prevents\n online identities from authenticating to domain-joined systems. Authentication\n will be centrally managed with Windows user accounts.", + "title": "Source routing must be configured to the highest protection level to\n prevent Internet Protocol (IP) source routing.", + "desc": "Configuring the system to disable IP source routing protects against\n spoofing.", "descriptions": { - "default": "PKU2U is a peer-to-peer authentication protocol. This setting prevents\n online identities from authenticating to domain-joined systems. 
Authentication\n will be centrally managed with Windows user accounts.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\pku2u\\\n\n Value Name: AllowOnlineID\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow PKU2U authentication requests to this computer to use\n online identities to Disabled." + "default": "Configuring the system to disable IP source routing protects against\n spoofing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting) IP\n source routing protection level (protects against packet spoofing) to\n Enabled with Highest protection, source routing is completely disabled\n selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73683", - "rid": "SV-88347r1_rule", - "stig_id": "WN16-SO-000340", - "fix_id": "F-80133r1_fix", + "gid": "V-73501", + "rid": "SV-88153r1_rule", + "stig_id": "WN16-CC-000050", + "fix_id": "F-79943r1_fix", "cci": [ "CCI-000366" ], 
@@ -5112,190 +5211,202 @@ ], "documentable": false }, - "code": "control 'V-73683' do\n title 'PKU2U authentication using online identities must be prevented.'\n desc \"PKU2U is a peer-to-peer authentication protocol. This setting prevents\n online identities from authenticating to domain-joined systems. Authentication\n will be centrally managed with Windows user accounts.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73683'\n tag \"rid\": 'SV-88347r1_rule'\n tag \"stig_id\": 'WN16-SO-000340'\n tag \"fix_id\": 'F-80133r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\pku2u\\\\\n\n Value Name: AllowOnlineID\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow PKU2U authentication requests to this computer to use\n online identities to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\pku2u') do\n it { should have_property 'AllowOnlineID' }\n its('AllowOnlineID') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73501' do\n title \"Source routing must be configured to the highest protection level to\n prevent Internet Protocol (IP) source routing.\"\n desc \"Configuring the system to disable IP source routing protects against\n spoofing.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73501'\n tag \"rid\": 'SV-88153r1_rule'\n tag \"stig_id\": 'WN16-CC-000050'\n tag \"fix_id\": 'F-79943r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc 
\"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting) IP\n source routing protection level (protects against packet spoofing) to\n Enabled with Highest protection, source routing is completely disabled\n selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73683.rb", + "ref": "./Windows 2016 STIG/controls/V-73501.rb", "line": 1 }, - "id": "V-73683" + "id": "V-73501" }, { - "title": "The Deny access to this computer from the network user right on domain\n controllers must be configured to prevent unauthenticated access.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "The number of allowed bad logon attempts must be configured to three\n or less.", + "desc": "The account lockout feature, when enabled, 
prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack while allowing for honest errors made during normal\n user logon.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny access to\n this computer from the network user right, this is a finding.\n\n - Guests Group", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny access to this computer from the network to include the following:\n\n - Guests Group" + "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. 
The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack while allowing for honest errors made during normal\n user logon.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the Account lockout threshold is 0 or more than 3 attempts, this\n is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n Account lockout threshold to 3 or fewer invalid logon attempts\n (excluding 0, which is unacceptable)." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73757", - "rid": "SV-88421r1_rule", - "stig_id": "WN16-DC-000370", - "fix_id": "F-80207r1_fix", + "gtitle": "SRG-OS-000021-GPOS-00005", + "gid": "V-73311", + "rid": "SV-87963r1_rule", + "stig_id": "WN16-AC-000020", + "fix_id": "F-79753r1_fix", "cci": [ - "CCI-000213" + "CCI-000044" ], "nist": [ - "AC-3", + "AC-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73757' do\n title \"The Deny access to this computer from the network user right on domain\n controllers must be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73757'\n tag \"rid\": 'SV-88421r1_rule'\n tag \"stig_id\": 'WN16-DC-000370'\n tag \"fix_id\": 'F-80207r1_fix'\n tag \"cci\": 
['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny access to\n this computer from the network user right, this is a finding.\n\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny access to this computer from the network to include the following:\n\n - Guests Group\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should eq ['S-1-5-32-546'] }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73311' do\n title \"The number of allowed bad logon attempts must be configured to three\n or less.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. 
The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack while allowing for honest errors made during normal\n user logon.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000021-GPOS-00005'\n tag \"gid\": 'V-73311'\n tag \"rid\": 'SV-87963r1_rule'\n tag \"stig_id\": 'WN16-AC-000020'\n tag \"fix_id\": 'F-79753r1_fix'\n tag \"cci\": ['CCI-000044']\n tag \"nist\": ['AC-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the Account lockout threshold is 0 or more than 3 attempts, this\n is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n Account lockout threshold to 3 or fewer invalid logon attempts\n (excluding 0, which is unacceptable).\"\n describe security_policy do\n its('LockoutBadCount') { should be <= 3 }\n end\n describe security_policy do\n its('LockoutBadCount') { should be > 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73757.rb", + "ref": "./Windows 2016 STIG/controls/V-73311.rb", "line": 1 }, - "id": "V-73757" + "id": "V-73311" }, { - "title": "Passwords must be configured to expire.", - "desc": "Passwords that do not expire or are reused increase the exposure of a\n password with greater probability of being discovered or cracked.", + "title": "Windows Server 2016 must be configured to audit Account Management -\n User Account Management failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", "descriptions": { - "default": "Passwords that do not expire or are reused increase the exposure of a\n password with greater probability of being discovered or cracked.", - "check": "Review the password never expires status for enabled user\n accounts.\n\n Open PowerShell.\n\n Domain Controllers:\n\n Enter Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name,\n PasswordNeverExpires, Enabled.\n\n Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest)\n and the krbtgt account.\n\n If any enabled user accounts are returned with a PasswordNeverExpires\n status of True, this is a finding.\n\n Member servers and standalone systems:\n\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter PasswordExpires=False\n and LocalAccount=True | FT Name, PasswordExpires, Disabled, LocalAccount'.\n\n Exclude application accounts and disabled accounts (e.g., DefaultAccount,\n Guest).\n\n If any enabled user accounts are returned with a PasswordExpires status of\n False, this is a finding.", - "fix": "Configure all enabled user account passwords to expire.\n\n Uncheck Password never expires for all enabled user accounts in Active\n Directory Users and Computers for domain accounts and Users in Computer\n Management for member servers and standalone systems. Document any exceptions\n with the ISSO." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit User Account Management with\n Failure selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-73263", - "rid": "SV-87915r2_rule", - "stig_id": "WN16-00-000230", - "fix_id": "F-79707r1_fix", + "gtitle": "SRG-OS-000004-GPOS-00004", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-73429", + "rid": "SV-88081r1_rule", + "stig_id": "WN16-AU-000150", + "fix_id": "F-79871r1_fix", "cci": [ - "CCI-000199" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ - "IA-5 (1) (d)", + "AC-2 (4)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73263' do\n title 'Passwords must be configured to expire.'\n desc \"Passwords that do not expire or are reused increase the exposure of a\n password with greater probability of being discovered or cracked.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000076-GPOS-00044'\n tag \"gid\": 'V-73263'\n tag \"rid\": 'SV-87915r2_rule'\n tag \"stig_id\": 'WN16-00-000230'\n tag \"fix_id\": 'F-79707r1_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the password never expires status for enabled user\n accounts.\n\n Open PowerShell.\n\n Domain Controllers:\n\n Enter Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name,\n PasswordNeverExpires, Enabled.\n\n Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest)\n and the krbtgt account.\n\n If any enabled user accounts are returned with a PasswordNeverExpires\n status of True, this is a finding.\n\n Member servers and standalone systems:\n\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter PasswordExpires=False\n and LocalAccount=True | FT Name, PasswordExpires, Disabled, LocalAccount'.\n\n Exclude application accounts and disabled accounts (e.g., 
DefaultAccount,\n Guest).\n\n If any enabled user accounts are returned with a PasswordExpires status of\n False, this is a finding.\"\n desc \"fix\", \"Configure all enabled user account passwords to expire.\n\n Uncheck Password never expires for all enabled user accounts in Active\n Directory Users and Computers for domain accounts and Users in Computer\n Management for member servers and standalone systems. Document any exceptions\n with the ISSO.\"\n users_with_passwords_set_to_not_expire = command(\"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordExpires=False\n and LocalAccount=True and Disabled=False' | FT Name | Findstr /V 'Name --'\").stdout.strip\n\n describe \"Users with password set to not expire\" do\n subject {users_with_passwords_set_to_not_expire}\n it { should be_empty }\n end\nend\n", + "code": "control 'V-73429' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n User Account Management failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000004-GPOS-00004'\n tag \"satisfies\": ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',\n 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',\n 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag \"gid\": 'V-73429'\n tag \"rid\": 'SV-88081r1_rule'\n tag \"stig_id\": 'WN16-AU-000150'\n tag \"fix_id\": 'F-79871r1_fix'\n tag \"cci\": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',\n 'CCI-001405', 'CCI-002130']\n tag \"nist\": ['AC-2 (4)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit User Account Management with\n Failure selected.\"\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Failure' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 
'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'User Account Management'\") do\n its('stdout') { should match /User Account Management Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'User Account Management'\") do\n its('stdout') { should match /User Account Management Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73263.rb", + "ref": "./Windows 2016 STIG/controls/V-73429.rb", "line": 1 }, - "id": "V-73263" + "id": "V-73429" }, { - "title": "The Windows Remote Management (WinRM) service must not store RunAs\n credentials.", - "desc": "Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management will\n prevent them from being used with plug-ins.", + "title": "Local volumes must use a format that supports NTFS attributes.", + "desc": "The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using a file system that supports NTFS\n attributes.", "descriptions": { - "default": "Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management will\n prevent them from being used with plug-ins.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: DisableRunAs\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Disallow WinRM from storing RunAs credentials\n to Enabled." 
+ "default": "The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using a file system that supports NTFS\n attributes.", + "check": "Open Computer Management.\n\n Select Disk Management under Storage.\n\n For each local volume, if the file system does not indicate NTFS, this is a\n finding.\n\n ReFS (resilient file system) is also acceptable and would not be a finding.\n\n This does not apply to system partitions such the Recovery and EFI System\n Partition.", + "fix": "Format volumes to use NTFS or ReFS." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-73603", - "rid": "SV-88267r1_rule", - "stig_id": "WN16-CC-000550", - "fix_id": "F-80053r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73247", + "rid": "SV-87899r1_rule", + "stig_id": "WN16-00-000150", + "fix_id": "F-79691r1_fix", "cci": [ - "CCI-002038" + "CCI-000213" ], "nist": [ - "IA-11", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73603' do\n title \"The Windows Remote Management (WinRM) service must not store RunAs\n credentials.\"\n desc \"Storage of administrative credentials could allow unauthorized access.\n Disallowing the storage of RunAs credentials for Windows Remote Management will\n prevent them from being used with plug-ins.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73603'\n tag \"rid\": 'SV-88267r1_rule'\n tag \"stig_id\": 'WN16-CC-000550'\n tag \"fix_id\": 'F-80053r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a 
finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: DisableRunAs\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Service >> Disallow WinRM from storing RunAs credentials\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'DisableRunAs' }\n its('DisableRunAs') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73247' do\n title 'Local volumes must use a format that supports NTFS attributes.'\n desc \"The ability to set access permissions and auditing is critical to\n maintaining the security and proper access controls of a system. To support\n this, volumes must be formatted using a file system that supports NTFS\n attributes.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73247'\n tag \"rid\": 'SV-87899r1_rule'\n tag \"stig_id\": 'WN16-00-000150'\n tag \"fix_id\": 'F-79691r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open Computer Management.\n\n Select Disk Management under Storage.\n\n For each local volume, if the file system does not indicate NTFS, this is a\n finding.\n\n ReFS (resilient file system) is also acceptable and would not be a finding.\n\n This does not apply to system partitions such the Recovery and EFI System\n Partition.\"\n desc \"fix\", 'Format volumes to use NTFS or ReFS.'\n volumes = json(command: 'Get-WmiObject -Class Win32_LogicalDisk | Where { $_.DriveType -ne 5 } | Select Name, FileSystem, Description | ConvertTo-JSON').params\n\n if volumes.empty?\n impact 0.0\n describe 'There are no local volumes on this system, therefore this control is not applicable' 
do\n skip 'There are no local volumes on this system, therefore this control is not applicable'\n end\n else\n if volumes.is_a?(Hash)\n volumes = [JSON.parse(volumes.to_json)]\n end\n volumes.each do |volume|\n describe.one do\n describe \"The filesystem format for the local volume #{volume['Name']}\" do\n subject { volume['FileSystem'] }\n it { should cmp 'NTFS' }\n end\n describe \"The filesystem format for the local volume #{volume['Name']}\" do\n subject { volume['FileSystem'] }\n it { should cmp 'ReFS' }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73603.rb", + "ref": "./Windows 2016 STIG/controls/V-73247.rb", "line": 1 }, - "id": "V-73603" + "id": "V-73247" }, { - "title": "Windows Server 2016 must be configured to use FIPS-compliant\n algorithms for encryption, hashing, and signing.", - "desc": "This setting ensures the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. Government and must be the\n algorithms used for all OS encryption functions.", + "title": "The Server Message Block (SMB) v1 protocol must be uninstalled.", + "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks and is not FIPS compliant.", "descriptions": { - "default": "This setting ensures the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. 
Government and must be the\n algorithms used for all OS encryption functions.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy\\\n\n Value Name: Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Clients with this setting enabled will not be able to communicate via digitally\n encrypted or signed protocols with servers that do not support these\n algorithms. Both the browser and web server must be configured to use TLS;\n otherwise. the browser will not be able to connect to a secure site.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n cryptography: Use FIPS compliant algorithms for encryption, hashing, and\n signing to Enabled." + "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks and is not FIPS compliant.", + "check": "Different methods are available to disable SMBv1 on Windows\n 2016. 
This is the preferred method, however if V-78123 and V-78125 are\n configured, this is NA.\n\n Open Windows PowerShell with elevated privileges (run as administrator).\n\n Enter Get-WindowsFeature -Name FS-SMB1.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", + "fix": "Uninstall the SMBv1 protocol.\n\n Open Windows PowerShell with elevated privileges (run as administrator).\n\n Enter Uninstall-WindowsFeature -Name FS-SMB1 -Restart.\n (Omit the Restart parameter if an immediate restart of the system cannot be\n done.)\n\n Alternately:\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect SMB 1.0/CIFS File Sharing Support on the Features page.\n\n Click Next and Remove as prompted." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000033-GPOS-00014", - "satisfies": [ - "SRG-OS-000033-GPOS-00014", - "SRG-OS-000478-GPOS-00223" - ], - "gid": "V-73701", - "rid": "SV-88365r1_rule", - "stig_id": "WN16-SO-000430", - "fix_id": "F-80151r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73299", + "rid": "SV-87951r2_rule", + "stig_id": "WN16-00-000410", + "fix_id": "F-84915r1_fix", "cci": [ - "CCI-000068", - "CCI-002450" + "CCI-000381" ], "nist": [ - "AC-17 (2)", - "SC-13", + "CM-7", "Rev_4" ], "documentable": false }, - "code": "control 'V-73701' do\n title \"Windows Server 2016 must be configured to use FIPS-compliant\n algorithms for encryption, hashing, and signing.\"\n desc \"This setting ensures the system uses algorithms that are\n FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms\n meet specific standards established by the U.S. 
Government and must be the\n algorithms used for all OS encryption functions.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000033-GPOS-00014'\n tag \"satisfies\": ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000478-GPOS-00223']\n tag \"gid\": 'V-73701'\n tag \"rid\": 'SV-88365r1_rule'\n tag \"stig_id\": 'WN16-SO-000430'\n tag \"fix_id\": 'F-80151r1_fix'\n tag \"cci\": ['CCI-000068', 'CCI-002450']\n tag \"nist\": ['AC-17 (2)', 'SC-13', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\FIPSAlgorithmPolicy\\\\\n\n Value Name: Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Clients with this setting enabled will not be able to communicate via digitally\n encrypted or signed protocols with servers that do not support these\n algorithms. Both the browser and web server must be configured to use TLS;\n otherwise. 
the browser will not be able to connect to a secure site.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n cryptography: Use FIPS compliant algorithms for encryption, hashing, and\n signing to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\FIPSAlgorithmPolicy') do\n it { should have_property 'Enabled' }\n its('Enabled') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73299' do\n title 'The Server Message Block (SMB) v1 protocol must be uninstalled.'\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks and is not FIPS compliant.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73299'\n tag \"rid\": 'SV-87951r2_rule'\n tag \"stig_id\": 'WN16-00-000410'\n tag \"fix_id\": 'F-84915r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows\n 2016. 
This is the preferred method, however if V-78123 and V-78125 are\n configured, this is NA.\n\n Open Windows PowerShell with elevated privileges (run as administrator).\n\n Enter Get-WindowsFeature -Name FS-SMB1.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the SMBv1 protocol.\n\n Open Windows PowerShell with elevated privileges (run as administrator).\n\n Enter Uninstall-WindowsFeature -Name FS-SMB1 -Restart.\n (Omit the Restart parameter if an immediate restart of the system cannot be\n done.)\n\n Alternately:\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect SMB 1.0/CIFS File Sharing Support on the Features page.\n\n Click Next and Remove as prompted.\"\n if registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters').has_property_value?('SMB1', :dword, 0) && registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10').has_property_value?('Start', :dword, 4)\n impact 0.0\n desc 'This control is not applicable, as controls V-78123 and V-78125 are configured'\n else\n describe windows_feature('FS-SMB1') do\n it { should_not be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73701.rb", + "ref": "./Windows 2016 STIG/controls/V-73299.rb", "line": 1 }, - "id": "V-73701" + "id": "V-73299" }, { - "title": "The Deny access to this computer from the network user right on member\n servers must be configured to prevent access from highly privileged domain\n accounts and local accounts on domain systems, and from unauthenticated access\n on all systems.", - "desc": "Inappropriate granting of user rights can provide 
system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "The Active Directory Domain Controllers Organizational Unit (OU)\n object must be configured with proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain Controller OU object. Because changes to these objects\n can significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny access to\n this computer from the network user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\n\n Note: These are built-in security groups. 
Local account is more restrictive\n but may cause issues on servers such as systems that provide failover\n clustering.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny access to this computer from the network to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group \n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\n\n Note: These are built-in security groups. Local account is more restrictive\n but may cause issues on servers such as systems that provide failover\n clustering." + "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain Controller OU object. Because changes to these objects\n can significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain Controller OU object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the Domain Controllers OU under the domain being reviewed in the\n left pane.\n\n Right-click the Domain Controllers OU object and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Domain Controllers OU object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object and all descendant objects\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects", + "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the Domain Controllers OU under the domain being reviewed in the\n left pane.\n\n Right-click the Domain Controllers OU object and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Domain Controllers OU object to include the\n following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73759", - "rid": "SV-88423r1_rule", - "stig_id": "WN16-MS-000370", - "fix_id": "F-80209r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-73395", + "rid": "SV-88047r1_rule", + "stig_id": "WN16-DC-000200", + "fix_id": "F-79837r1_fix", "cci": [ - "CCI-000213" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-3", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73759' do\n title \"The Deny access to this computer from the network user right on member\n servers must be configured to prevent access from highly privileged domain\n accounts and local accounts on domain systems, and from unauthenticated access\n on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise 
Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73759'\n tag \"rid\": 'SV-88423r1_rule'\n tag \"stig_id\": 'WN16-MS-000370'\n tag \"fix_id\": 'F-80209r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny access to\n this computer from the network user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\n\n Note: These are built-in security groups. 
Local account is more restrictive\n but may cause issues on servers such as systems that provide failover\n clustering.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny access to this computer from the network to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group \n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\n\n Note: These are built-in security groups. Local account is more restrictive\n but may cause issues on servers such as systems that provide failover\n clustering.\"\n\n is_AD_only_system = input('is_AD_only_system')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n elsif is_AD_only_system\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n else\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include 'S-1-5-32-546' }\n end\n if domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = 
$group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: enterprise_admin_sid_query).params\n\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n\n describe.one do\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"S-1-5-113\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"S-1-5-114\" }\n end\n end\n end\n end\nend", + "code": "control 'V-73395' do\n title \"The Active Directory Domain Controllers Organizational Unit (OU)\n object must be configured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain Controller OU object. 
Because changes to these objects\n can significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73395'\n tag \"rid\": 'SV-88047r1_rule'\n tag \"stig_id\": 'WN16-DC-000200'\n tag \"fix_id\": 'F-79837r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain Controller OU object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the Domain Controllers OU under the domain being reviewed in the\n left pane.\n\n Right-click the Domain Controllers OU object and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Domain Controllers OU object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object and all descendant objects\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the Domain Controllers OU under the domain being reviewed in the\n left pane.\n\n Right-click the Domain Controllers OU object and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Domain Controllers OU object to include the\n following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'OU=Domain Controllers,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n 
its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should match /(Create)|(Delete)|(Write)/ }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"All\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"All\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73759.rb", + "ref": "./Windows 2016 STIG/controls/V-73395.rb", "line": 1 }, - "id": "V-73759" + "id": "V-73395" }, { - "title": "Permissions 
for program file directories must conform to minimum\n requirements.", + "title": "Permissions for the Windows installation directory must conform to\n minimum requirements.", "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", "descriptions": { "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", - "check": "The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the program file directories (Program Files and\n Program Files [x86]). Non-privileged groups such as Users or Authenticated\n Users must not have greater than Read & execute permissions. 
(Individual\n accounts must not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the Security tab, and the Advanced button.\n\n Default permissions:\n Program Files and Program Files (x86)\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter icacls followed by the directory:\n\n 'icacls c:\\program files'\n 'icacls c:\\program files (x86)'\n\n The following results should be displayed for each when entered:\n\n c:\\program files (c:\\program files (x86))\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files", - "fix": "Maintain the 
default permissions for the program file directories\n and configure the Security Option Network access: Let everyone permissions\n apply to anonymous users to Disabled (WN16-SO-000290).\n\n Default permissions:\n Program Files and Program Files (x86)\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files" + "check": "The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the Windows installation directory (usually\n C:\\Windows). Non-privileged groups such as Users or Authenticated Users must\n not have greater than Read & execute permissions. 
(Individual accounts must\n not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the Security tab and the Advanced button.\n\n Default permissions:\n Windows\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter icacls followed by the directory:\n\n icacls c:\\windows\n\n The following results should be displayed for each when entered:\n\n c:\\windows\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files", + "fix": "Maintain the default file ACLs and configure the Security Option\n Network access: Let everyone permissions apply to 
anonymous users to\n Disabled (WN16-SO-000290).\n\n Default permissions:\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files" }, "impact": 0.5, "refs": [], @@ -5306,10 +5417,10 @@ "SRG-OS-000312-GPOS-00123", "SRG-OS-000312-GPOS-00124" ], - "gid": "V-73251", - "rid": "SV-87903r1_rule", - "stig_id": "WN16-00-000170", - "fix_id": "F-79695r1_fix", + "gid": "V-73253", + "rid": "SV-87905r1_rule", + "stig_id": "WN16-00-000180", + "fix_id": "F-79697r1_fix", "cci": [ "CCI-002165" ], 
@@ -5319,301 +5430,274 @@ ], "documentable": false }, - "code": "control 'V-73251' do\n title \"Permissions for program file directories must conform to minimum\n requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000312-GPOS-00122'\n tag \"satisfies\": ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123',\n 'SRG-OS-000312-GPOS-00124']\n tag \"gid\": 'V-73251'\n tag \"rid\": 'SV-87903r1_rule'\n tag \"stig_id\": 'WN16-00-000170'\n tag \"fix_id\": 'F-79695r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the program file directories (Program Files and\n Program Files [x86]). Non-privileged groups such as Users or Authenticated\n Users must not have greater than Read & execute permissions. 
(Individual\n accounts must not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the Security tab, and the Advanced button.\n\n Default permissions:\n Program Files and Program Files (x86)\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter icacls followed by the directory:\n\n 'icacls c:\\\\program files'\n 'icacls c:\\\\program files (x86)'\n\n The following results should be displayed for each when entered:\n\n c:\\\\program files (c:\\\\program files (x86))\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 
files\"\n desc \"fix\", \"Maintain the default permissions for the program file directories\n and configure the Security Option Network access: Let everyone permissions\n apply to anonymous users to Disabled (WN16-SO-000290).\n\n Default permissions:\n Program Files and Program Files (x86)\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\"\n\n paths = [\n \"C:\\\\Program Files\",\n \"C:\\\\Program Files (x86)\"\n ]\n paths.each do |path|\n acl_rules = json(command: \"(Get-ACL -Path '#{path}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" 
}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"Modify, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"Modify, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n 
its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, 
Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp 
\"InheritOnly\" }\n end\n end\n end\n end\n\nend\n", + "code": "control 'V-73253' do\n title \"Permissions for the Windows installation directory must conform to\n minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000312-GPOS-00122'\n tag \"satisfies\": ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123',\n 'SRG-OS-000312-GPOS-00124']\n tag \"gid\": 'V-73253'\n tag \"rid\": 'SV-87905r1_rule'\n tag \"stig_id\": 'WN16-00-000180'\n tag \"fix_id\": 'F-79697r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the Windows installation directory (usually\n C:\\\\Windows). Non-privileged groups such as Users or Authenticated Users must\n not have greater than Read & execute permissions. 
(Individual accounts must\n not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the Security tab and the Advanced button.\n\n Default permissions:\n Windows\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter icacls followed by the directory:\n\n icacls c:\\\\windows\n\n The following results should be displayed for each when entered:\n\n c:\\\\windows\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\"\n desc \"fix\", \"Maintain the default file ACLs and configure the Security Option\n Network access: Let 
everyone permissions apply to anonymous users to\n Disabled (WN16-SO-000290).\n\n Default permissions:\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\"\n\n paths = [\n \"C:\\\\Windows\"\n ]\n\n paths.each do |path|\n acl_rules = json(command: \"(Get-ACL -Path '#{path}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one 
do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"Modify, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n 
its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n 
its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73251.rb", + "ref": "./Windows 2016 STIG/controls/V-73253.rb", "line": 1 }, - "id": "V-73251" + "id": "V-73253" }, { - "title": "Windows Server 2016 must be configured to audit Policy Change - Audit\n Policy Change successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", + "title": "The Create a token object user right must not be assigned to any\n groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Create a token object user right allows a process to create an\n access token. This could be used to provide elevated rights and compromise a\n system.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy 
Configuration >> System\n Audit Policies >> Policy Change >> Audit Audit Policy Change with\n Success selected." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Create a token object user right allows a process to create an\n access token. This could be used to provide elevated rights and compromise a\n system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Create a token object user right,\n this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for application accounts with this user right must be protected as\n highly privileged accounts.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create a token object to be defined but containing no entries (blank)." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73461", - "rid": "SV-88113r1_rule", - "stig_id": "WN16-AU-000310", - "fix_id": "F-79903r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73747", + "rid": "SV-88411r1_rule", + "stig_id": "WN16-UR-000090", + "fix_id": "F-80197r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002235" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73461' do\n title \"Windows Server 2016 must be configured to audit Policy Change - Audit\n Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73461'\n tag \"rid\": 'SV-88113r1_rule'\n tag \"stig_id\": 'WN16-AU-000310'\n tag \"fix_id\": 'F-79903r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n 
subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Audit Policy Change with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Audit Policy Change'\") do\n its('stdout') { should match /Audit Policy Change Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Audit Policy Change'\") do\n its('stdout') { should match /Audit Policy Change Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73747' do\n title \"The Create a token object user right must not be assigned to any\n groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Create a token object user right allows a process to create an\n access token. 
This could be used to provide elevated rights and compromise a\n system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73747'\n tag \"rid\": 'SV-88411r1_rule'\n tag \"stig_id\": 'WN16-UR-000090'\n tag \"fix_id\": 'F-80197r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Create a token object user right,\n this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for application accounts with this user right must be protected as\n highly privileged accounts.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create a token object to be defined but containing no entries (blank).\"\n describe security_policy do\n its('SeCreateTokenPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73461.rb", + "ref": "./Windows 2016 STIG/controls/V-73747.rb", "line": 1 }, - "id": "V-73461" + "id": "V-73747" }, { - "title": "Audit policy using subcategories must be enabled.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\n capabilities.", + "title": "The Application event log size must be configured to 32768 KB or\n greater.", + "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\n capabilities.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Audit:\n Force audit policy subcategory settings (Windows Vista or later) to override\n audit policy category settings to Enabled." + "default": "Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "check": "If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >>\n Application >> Specify the maximum log file size (KB) to Enabled with a\n Maximum Log Size (KB) of 32768 or greater." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000062-GPOS-00031", - "gid": "V-73627", - "rid": "SV-88291r1_rule", - "stig_id": "WN16-SO-000050", - "fix_id": "F-80077r1_fix", + "gtitle": "SRG-OS-000341-GPOS-00132", + "gid": "V-73553", + "rid": "SV-88217r1_rule", + "stig_id": "WN16-CC-000300", + "fix_id": "F-80003r1_fix", "cci": [ - "CCI-000169" + "CCI-001849" ], "nist": [ - "AU-12 a", + "AU-4", "Rev_4" ], "documentable": false }, - "code": "control 'V-73627' do\n title 'Audit policy using subcategories must be enabled.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\n capabilities.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000062-GPOS-00031'\n tag \"gid\": 'V-73627'\n tag \"rid\": 'SV-88291r1_rule'\n tag \"stig_id\": 'WN16-SO-000050'\n tag \"fix_id\": 'F-80077r1_fix'\n tag \"cci\": ['CCI-000169']\n tag \"nist\": ['AU-12 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Audit:\n Force audit policy subcategory settings (Windows Vista or later) to override\n audit policy category settings to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'SCENoApplyLegacyAuditPolicy' }\n its('SCENoApplyLegacyAuditPolicy') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73553' do\n title \"The Application event log size must be configured to 32768 KB or\n greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000341-GPOS-00132'\n tag \"gid\": 'V-73553'\n tag \"rid\": 'SV-88217r1_rule'\n tag \"stig_id\": 'WN16-CC-000300'\n tag \"fix_id\": 'F-80003r1_fix'\n tag \"cci\": ['CCI-001849']\n tag \"nist\": ['AU-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Application\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >>\n Application >> Specify the maximum log file size (KB) to Enabled with a\n Maximum Log Size (KB) of 32768 or greater.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Application') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 32768 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73627.rb", + "ref": "./Windows 2016 STIG/controls/V-73553.rb", "line": 1 }, - "id": "V-73627" + "id": "V-73553" }, { - "title": "The setting Domain member: Digitally sign secure channel data (when\n possible) must be configured to Enabled.", - "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. 
If this policy is enabled, outgoing secure channel traffic will be\n signed.", + "title": "The Application Compatibility Program Inventory must be prevented from\n collecting data and sending the information to Microsoft.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about\n a system and sending the information to Microsoft.", "descriptions": { - "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. If this policy is enabled, outgoing secure channel traffic will be\n signed.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Digitally sign secure channel data (when possible) to Enabled." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about\n a system and sending the information to Microsoft.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\\\n\n Value Name: DisableInventory\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Application Compatibility >>\n Turn off Inventory Collector to Enabled." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-73637", - "rid": "SV-88301r1_rule", - "stig_id": "WN16-SO-000100", - "fix_id": "F-80087r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73543", + "rid": "SV-88207r1_rule", + "stig_id": "WN16-CC-000240", + "fix_id": "F-79985r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000381" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73637' do\n title \"The setting Domain member: Digitally sign secure channel data (when\n possible) must be configured to Enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. 
If this policy is enabled, outgoing secure channel traffic will be\n signed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73637'\n tag \"rid\": 'SV-88301r1_rule'\n tag \"stig_id\": 'WN16-SO-000100'\n tag \"fix_id\": 'F-80087r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Digitally sign secure channel data (when possible) to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'SignSecureChannel' }\n its('SignSecureChannel') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73543' do\n title \"The Application Compatibility Program Inventory must be prevented from\n collecting data and sending the information to Microsoft.\"\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about\n a system and sending the information to Microsoft.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73543'\n tag \"rid\": 'SV-88207r1_rule'\n tag \"stig_id\": 'WN16-CC-000240'\n tag \"fix_id\": 'F-79985r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat\\\\\n\n Value Name: DisableInventory\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Application Compatibility >>\n Turn off Inventory Collector to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat') do\n it { should have_property 'DisableInventory' }\n its('DisableInventory') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73637.rb", + "ref": "./Windows 2016 STIG/controls/V-73543.rb", "line": 1 }, - "id": "V-73637" + "id": "V-73543" }, { - "title": "The Access this computer from the network user right must only be\n assigned to the Administrators, Authenticated Users, and\n Enterprise Domain Controllers groups on domain controllers.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network right may\n access resources on the system, and this right must be limited to those\n requiring it.", + 
"title": "The Kerberos user ticket lifetime must be limited to 10 hours or less.", + "desc": "In Kerberos, there are two types of tickets: Ticket Granting Tickets\n (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the\n time an attacker has to implement an attack is limited. This policy controls\n how long TGTs can be renewed. With Kerberos, the user's initial authentication\n to the domain controller results in a TGT, which is then used to request\n Service Tickets to resources. Upon startup, each computer gets a TGT before\n requesting a service ticket to the domain controller and any other computers it\n needs to access. For services that start up under a specified user account,\n users must always get a TGT first and then get Service Tickets to all computers\n and services accessed.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network right may\n access resources on the system, and this right must be limited to those\n requiring it.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Access\n this computer from the network right, this is a finding.\n\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access this computer from the network to include only the following\n accounts or groups:\n\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers" + "default": "In Kerberos, there are two types of tickets: Ticket Granting Tickets\n (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the\n time an attacker has to implement an attack is limited. This policy controls\n how long TGTs can be renewed. With Kerberos, the user's initial authentication\n to the domain controller results in a TGT, which is then used to request\n Service Tickets to resources. Upon startup, each computer gets a TGT before\n requesting a service ticket to the domain controller and any other computers it\n needs to access. For services that start up under a specified user account,\n users must always get a TGT first and then get Service Tickets to all computers\n and services accessed.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the value for Maximum lifetime for user ticket is 0 or greater than\n 10 hours, this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for user ticket to\n a maximum of 10 hours but not 0, which equates to Ticket doesn't\n expire." }, "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73731", - "rid": "SV-88395r1_rule", - "stig_id": "WN16-DC-000340", - "fix_id": "F-80181r1_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3", - "Rev_4" + "gtitle": "SRG-OS-000112-GPOS-00057", + "satisfies": [ + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" ], - "documentable": false - }, - "code": "control 'V-73731' do\n title \"The Access this computer from the network user right must only be\n assigned to the Administrators, Authenticated Users, and\n Enterprise Domain Controllers groups on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network right may\n access resources on the system, and this right must be limited to those\n requiring it.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73731'\n tag \"rid\": 'SV-88395r1_rule'\n tag \"stig_id\": 'WN16-DC-000340'\n tag \"fix_id\": 'F-80181r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 
'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Access\n this computer from the network right, this is a finding.\n\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access this computer from the network to include only the following\n accounts or groups:\n\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeNetworkLogonRight') { should be_in ['S-1-5-11', 'S-1-5-32-544', 'S-1-5-9'] }\n end\n describe security_policy do\n its('SeNetworkLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to 
domain controllers'\n end\n end\nend\n", - "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73731.rb", - "line": 1 - }, - "id": "V-73731" - }, - { - "title": "User Account Control must be configured to detect application\n installations and prompt for elevation.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.", - "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.", - "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Detect application installations and prompt for elevation to\n Enabled." 
- }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-73715", - "rid": "SV-88379r1_rule", - "stig_id": "WN16-SO-000500", - "fix_id": "F-80165r1_fix", + "gid": "V-73363", + "rid": "SV-88015r1_rule", + "stig_id": "WN16-DC-000040", + "fix_id": "F-79805r1_fix", "cci": [ - "CCI-001084" + "CCI-001941", + "CCI-001942" ], "nist": [ - "SC-3", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73715' do\n title \"User Account Control must be configured to detect application\n installations and prompt for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting requires Windows to respond to application installation requests\n by prompting for credentials.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73715'\n tag \"rid\": 'SV-88379r1_rule'\n tag \"stig_id\": 'WN16-SO-000500'\n tag \"fix_id\": 'F-80165r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Detect application installations and prompt for elevation to\n Enabled.\"\n if 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableInstallerDetection' }\n its('EnableInstallerDetection') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-73363' do\n title 'The Kerberos user ticket lifetime must be limited to 10 hours or less.'\n desc \"In Kerberos, there are two types of tickets: Ticket Granting Tickets\n (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the\n time an attacker has to implement an attack is limited. This policy controls\n how long TGTs can be renewed. With Kerberos, the user's initial authentication\n to the domain controller results in a TGT, which is then used to request\n Service Tickets to resources. Upon startup, each computer gets a TGT before\n requesting a service ticket to the domain controller and any other computers it\n needs to access. 
For services that start up under a specified user account,\n users must always get a TGT first and then get Service Tickets to all computers\n and services accessed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73363'\n tag \"rid\": 'SV-88015r1_rule'\n tag \"stig_id\": 'WN16-DC-000040'\n tag \"fix_id\": 'F-79805r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the value for Maximum lifetime for user ticket is 0 or greater than\n 10 hours, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for user ticket to\n a maximum of 10 hours but not 0, which equates to Ticket doesn't\n expire.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('MaxTicketAge') { should be > 0 }\n end\n describe security_policy do\n its('MaxTicketAge') { should be <= 10 }\n end\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n 
skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73715.rb", + "ref": "./Windows 2016 STIG/controls/V-73363.rb", "line": 1 }, - "id": "V-73715" + "id": "V-73363" }, { - "title": "Manually managed application account passwords must be changed at\n least annually or when a system administrator with knowledge of the password\n leaves the organization.", - "desc": "Setting application account passwords to expire may cause applications\n to stop functioning. However, not changing them on a regular basis exposes them\n to attack. If managed service accounts are used, this alleviates the need to\n manually change application account passwords.", + "title": "Downloading print driver packages over HTTP must be prevented.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages\n over HTTP.", "descriptions": { - "default": "Setting application account passwords to expire may cause applications\n to stop functioning. However, not changing them on a regular basis exposes them\n to attack. If managed service accounts are used, this alleviates the need to\n manually change application account passwords.", - "check": "Determine if manually managed application/service accounts\n exist. 
If none exist, this is NA.\n\n If passwords for manually managed application/service accounts are not changed\n at least annually or when an administrator with knowledge of the password\n leaves the organization, this is a finding.\n\n Identify manually managed application/service accounts.\n\n To determine the date a password was last changed:\n\n Domain controllers:\n\n Open PowerShell.\n\n Enter Get-AdUser -Identity [application account name] -Properties\n PasswordLastSet | FT Name, PasswordLastSet, where [application account name]\n is the name of the manually managed application/service account.\n\n If the PasswordLastSet date is more than one year old, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Enter 'Net User [application account name] | Find /i Password Last Set',\n where [application account name] is the name of the manually managed\n application/service account.\n\n If the Password Last Set date is more than one year old, this is a finding.", - "fix": "Change passwords for manually managed application/service\n accounts at least annually or when an administrator with knowledge of the\n password leaves the organization.\n\n It is recommended that system-managed service accounts be used whenever\n possible." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages\n over HTTP.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableWebPnPDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> Turn off downloading of print drivers over\n HTTP to Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73231", - "rid": "SV-87883r2_rule", - "stig_id": "WN16-00-000070", - "fix_id": "F-79675r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73527", + "rid": "SV-88179r1_rule", + "stig_id": "WN16-CC-000160", + "fix_id": "F-79969r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73231' do\n title \"Manually managed application account passwords must be changed at\n least annually or when a system administrator with knowledge of the password\n leaves the organization.\"\n desc \"Setting application account passwords to expire may cause applications\n to stop functioning. However, not changing them on a regular basis exposes them\n to attack. 
If managed service accounts are used, this alleviates the need to\n manually change application account passwords.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73231'\n tag \"rid\": 'SV-87883r2_rule'\n tag \"stig_id\": 'WN16-00-000070'\n tag \"fix_id\": 'F-79675r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if manually managed application/service accounts\n exist. If none exist, this is NA.\n\n If passwords for manually managed application/service accounts are not changed\n at least annually or when an administrator with knowledge of the password\n leaves the organization, this is a finding.\n\n Identify manually managed application/service accounts.\n\n To determine the date a password was last changed:\n\n Domain controllers:\n\n Open PowerShell.\n\n Enter Get-AdUser -Identity [application account name] -Properties\n PasswordLastSet | FT Name, PasswordLastSet, where [application account name]\n is the name of the manually managed application/service account.\n\n If the PasswordLastSet date is more than one year old, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Enter 'Net User [application account name] | Find /i Password Last Set',\n where [application account name] is the name of the manually managed\n application/service account.\n\n If the Password Last Set date is more than one year old, this is a finding.\"\n desc \"fix\", \"Change passwords for manually managed application/service\n accounts at least annually or when an administrator with knowledge of the\n password leaves the organization.\n\n It is recommended that system-managed service accounts be used whenever\n possible.\"\n manually_managed_app_service_accounts = input('manually_managed_app_service_accounts')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if 
!manually_managed_app_service_accounts.empty?\n manually_managed_app_service_accounts.each do |account|\n if domain_role == '4' || domain_role == '5'\n query = \"Get-ADUser -Identity #{account} -Properties SID, PasswordLastSet | Where SID -Like *-500 | Select @{Name='Name';Expression={$_.SamAccountName}}, SID, @{Name='PasswordLastSet';Expression={New-TimeSpan -Start ($_.PasswordLastSet) -End (Get-Date) | Select Days, Hours}}| ConvertTo-JSON\"\n else\n query = \"Get-LocalUser #{account} | Where SID -Like *-500 | Select Name, SID, @{Name='PasswordLastSet';Expression={New-TimeSpan -Start ($_.PasswordLastSet) -End (Get-Date) | Select Days}} | ConvertTo-JSON\"\n end\n \n managed_account = json({command: query})\n pwd_last_set_days = managed_account['PasswordLastSet']['Days']\n account_name = managed_account['Name']\n \n describe \"Password age for managed account: #{account_name}\" do\n subject { pwd_last_set_days }\n it { should cmp <= 365 }\n end\n end\n else\n describe 'There are no manually managed application/service accounts on this system, therefore this control is not applicable' do\n skip 'There are no manually managed application/service accounts on this system, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-73527' do\n title 'Downloading print driver packages over HTTP must be prevented.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages\n over HTTP.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73527'\n tag \"rid\": 'SV-88179r1_rule'\n tag \"stig_id\": 'WN16-CC-000160'\n tag \"fix_id\": 'F-79969r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableWebPnPDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> Turn off downloading of print drivers over\n HTTP to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers') do\n it { should have_property 'DisableWebPnPDownload' }\n its('DisableWebPnPDownload') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73231.rb", + "ref": "./Windows 2016 STIG/controls/V-73527.rb", "line": 1 }, - "id": "V-73231" + "id": "V-73527" }, { - "title": "Remote calls to the Security Account Manager (SAM) must be restricted\n to Administrators.", - "desc": "The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting Remote Procedure Call (RPC) connections to the SAM to\n Administrators helps protect those credentials.", + "title": "Windows Server 2016 must be configured to audit System - System\n Integrity successes.", + "desc": "Maintaining an audit trail of system 
activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", "descriptions": { - "default": "The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting Remote Procedure Call (RPC) connections to the SAM to\n Administrators helps protect those credentials.", - "check": "This applies to member servers and standalone systems; it is NA\n for domain controllers.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)", - "fix": "Navigate to the policy Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options >> Network access:\n Restrict clients allowed to make remote calls to SAM.\n Select Edit Security to configure the Security descriptor:.\n\n Add Administrators in Group or user names: if it is not already listed\n (this is the default).\n\n Select Administrators in Group or user names:.\n\n Select Allow for Remote Access in Permissions for Administrators.\n\n Click OK.\n\n The Security descriptor: must be populated with O:BAG:BAD:(A;;RC;;;BA)\n for the policy to be enforced." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit System Integrity with Success\n selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73677", - "rid": "SV-88341r2_rule", - "stig_id": "WN16-MS-000310", - "fix_id": "F-80127r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000471-GPOS-00216", + "SRG-OS-000477-GPOS-00222" + ], + "gid": "V-73489", + "rid": "SV-88141r1_rule", + "stig_id": "WN16-AU-000440", + "fix_id": "F-79931r1_fix", "cci": [ - "CCI-002235" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-6 (10)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73677' do\n title \"Remote calls to the Security Account Manager (SAM) must be restricted\n to Administrators.\"\n desc \"The Windows Security Account Manager (SAM) stores users' passwords.\n Restricting Remote Procedure Call (RPC) connections to the SAM to\n Administrators helps protect those credentials.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73677'\n tag \"rid\": 'SV-88341r2_rule'\n tag \"stig_id\": 'WN16-MS-000310'\n tag \"fix_id\": 'F-80127r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems; it is NA\n for domain controllers.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)\"\n desc \"fix\", \"Navigate to the policy Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options >> Network access:\n Restrict clients allowed to make remote calls to SAM.\n Select Edit Security to configure the Security descriptor:.\n\n Add Administrators in Group or user names: if it is not 
already listed\n (this is the default).\n\n Select Administrators in Group or user names:.\n\n Select Allow for Remote Access in Permissions for Administrators.\n\n Click OK.\n\n The Security descriptor: must be populated with O:BAG:BAD:(A;;RC;;;BA)\n for the policy to be enforced.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if !(domain_role == '4') && !(domain_role == '5')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictRemoteSAM' }\n its('RestrictRemoteSAM') { should eq 'O:BAG:BAD:(A;;RC;;;BA)' }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n desc 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\nend\n", + "code": "control 'V-73489' do\n title \"Windows Server 2016 must be configured to audit System - System\n Integrity successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\n security subsystem.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000471-GPOS-00215',\n 'SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag \"gid\": 'V-73489'\n tag \"rid\": 'SV-88141r1_rule'\n tag \"stig_id\": 'WN16-AU-000440'\n tag \"fix_id\": 'F-79931r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit System Integrity with Success\n selected.\"\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Success' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'System Integrity'\") do\n its('stdout') { should match /System Integrity Success/ }\n end\n describe 
command(\"AuditPol /get /category:* | Findstr /c:'System Integrity'\") do\n its('stdout') { should match /System Integrity Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73677.rb", + "ref": "./Windows 2016 STIG/controls/V-73489.rb", "line": 1 }, - "id": "V-73677" + "id": "V-73489" }, { - "title": "Virtualization-based security must be enabled with the platform\n security level configured to Secure Boot or Secure Boot with DMA Protection.", - "desc": "Virtualization Based Security (VBS) provides the platform for the\n additional security features Credential Guard and virtualization-based\n protection of code integrity. Secure Boot is the minimum security level, with\n DMA protection providing additional memory protection. DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).", + "title": "Domain Controller PKI certificates must be issued by the DoD PKI or an\n approved External Certificate Authority (ECA).", + "desc": "A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions. The use of multiple CAs from separate PKI\n implementations results in interoperability issues. If servers and clients do\n not have a common set of root CA certificates, they are not able to\n authenticate each other.", "descriptions": { - "default": "Virtualization Based Security (VBS) provides the platform for the\n additional security features Credential Guard and virtualization-based\n protection of code integrity. Secure Boot is the minimum security level, with\n DMA protection providing additional memory protection. 
DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).", - "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements, including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\n\n If RequiredSecurityProperties does not include a value of 2 indicating\n Secure Boot (e.g., {1, 2}), this is a finding.\n\n If Secure Boot and DMA Protection is configured, 3 will also be\n displayed in the results (e.g., {1, 2, 3}).\n\n If VirtualizationBasedSecurityStatus is not a value of 2 indicating\n Running, this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Virtualization based security does not display Running,\n this is finding.\n\n If Device Guard Required Security Properties does not display Base\n Virtualization Support, Secure Boot, this is finding.\n\n If Secure Boot and DMA Protection is configured, DMA Protection will\n also be displayed (e.g., Base Virtualization Support, Secure Boot, DMA\n Protection).\n\n The policy settings referenced in the Fix section will configure the following\n registry values. 
However, due to hardware requirements, the registry values\n alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA\n Protection)\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Secure Boot or Secure Boot and DMA\n Protection selected.\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard" + "default": "A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions. The use of multiple CAs from separate PKI\n implementations results in interoperability issues. If servers and clients do\n not have a common set of root CA certificates, they are not able to\n authenticate each other.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Run MMC.\n\n Select Add/Remove Snap-in from the File menu.\n\n Select Certificates in the left pane and click the Add > button.\n\n Select Computer Account and click Next.\n\n Select the appropriate option for Select the computer you want this snap-in\n to manage and click Finish.\n\n Click OK.\n\n Select and expand the Certificates (Local Computer) entry in the left pane.\n\n Select and expand the Personal entry in the left pane.\n\n Select the Certificates entry in the left pane.\n\n In the right pane, examine the Issued By field for the certificate to\n determine the issuing CA.\n\n If the Issued By field of the PKI certificate being used by the domain\n controller does not indicate the issuing CA is part of the DoD PKI or an\n approved ECA, this is a finding.\n\n If the certificates in use are issued by a CA authorized by the Component's\n CIO, this is a CAT II finding.\n\n There are multiple sources from which lists of valid DoD CAs and approved ECAs\n can be obtained:\n\n The Global Directory Service (GDS) website provides an online source. The\n address for this site is https://crl.gds.disa.mil.\n\n DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot\n utility to manage DoD supported root certificates on Windows computers, which\n includes a list of authorized CAs. The utility package can be downloaded from\n the PKI and PKE Tools page on IASE:\n\n http://iase.disa.mil/pki-pke/function_pages/tools.html", + "fix": "Obtain a server certificate for the domain controller issued by\n the DoD PKI or an approved ECA." 
}, - "impact": 0.3, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73513", - "rid": "SV-88165r1_rule", - "stig_id": "WN16-CC-000110", - "fix_id": "F-79955r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "gid": "V-73613", + "rid": "SV-88277r1_rule", + "stig_id": "WN16-DC-000290", + "fix_id": "F-80063r1_fix", "cci": [ - "CCI-000366" + "CCI-000185" ], "nist": [ - "CM-6 b", + "IA-5 (2) (a)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73513' do\n title \"Virtualization-based security must be enabled with the platform\n security level configured to Secure Boot or Secure Boot with DMA Protection.\"\n desc \"Virtualization Based Security (VBS) provides the platform for the\n additional security features Credential Guard and virtualization-based\n protection of code integrity. Secure Boot is the minimum security level, with\n DMA protection providing additional memory protection. DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73513'\n tag \"rid\": 'SV-88165r1_rule'\n tag \"stig_id\": 'WN16-CC-000110'\n tag \"fix_id\": 'F-79955r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements, including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\n\n If RequiredSecurityProperties does not include a value of 2 indicating\n Secure Boot (e.g., {1, 2}), this is a finding.\n\n If 
Secure Boot and DMA Protection is configured, 3 will also be\n displayed in the results (e.g., {1, 2, 3}).\n\n If VirtualizationBasedSecurityStatus is not a value of 2 indicating\n Running, this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Virtualization based security does not display Running,\n this is finding.\n\n If Device Guard Required Security Properties does not display Base\n Virtualization Support, Secure Boot, this is finding.\n\n If Secure Boot and DMA Protection is configured, DMA Protection will\n also be displayed (e.g., Base Virtualization Support, Secure Boot, DMA\n Protection).\n\n The policy settings referenced in the Fix section will configure the following\n registry values. However, due to hardware requirements, the registry values\n alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA\n Protection)\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Secure Boot or Secure Boot and DMA\n Protection selected.\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n is_domain = command('wmic computersystem get domain | FINDSTR 
/V Domain').stdout.strip\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'EnableVirtualizationBasedSecurity' }\n its('EnableVirtualizationBasedSecurity') { should cmp 1 }\n end\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 3 }\n end\n end\n only_if { is_domain != 'WORKGROUP' }\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems' do\n skip 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems'\n end\n end\nend\n", + "code": "control 'V-73613' do\n title \"Domain Controller PKI certificates must be issued by the DoD PKI or an\n approved External Certificate Authority (ECA).\"\n desc \"A PKI implementation depends on the practices established by the\n Certificate Authority (CA) to ensure the implementation is secure. Without\n proper practices, the certificates issued by a CA have limited value in\n authentication functions. The use of multiple CAs from separate PKI\n implementations results in interoperability issues. 
If servers and clients do\n not have a common set of root CA certificates, they are not able to\n authenticate each other.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"gid\": 'V-73613'\n tag \"rid\": 'SV-88277r1_rule'\n tag \"stig_id\": 'WN16-DC-000290'\n tag \"fix_id\": 'F-80063r1_fix'\n tag \"cci\": ['CCI-000185']\n tag \"nist\": ['IA-5 (2) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Run MMC.\n\n Select Add/Remove Snap-in from the File menu.\n\n Select Certificates in the left pane and click the Add > button.\n\n Select Computer Account and click Next.\n\n Select the appropriate option for Select the computer you want this snap-in\n to manage and click Finish.\n\n Click OK.\n\n Select and expand the Certificates (Local Computer) entry in the left pane.\n\n Select and expand the Personal entry in the left pane.\n\n Select the Certificates entry in the left pane.\n\n In the right pane, examine the Issued By field for the certificate to\n determine the issuing CA.\n\n If the Issued By field of the PKI certificate being used by the domain\n controller does not indicate the issuing CA is part of the DoD PKI or an\n approved ECA, this is a finding.\n\n If the certificates in use are issued by a CA authorized by the Component's\n CIO, this is a CAT II finding.\n\n There are multiple sources from which lists of valid DoD CAs and approved ECAs\n can be obtained:\n\n The Global Directory Service (GDS) website provides an online source. The\n address for this site is https://crl.gds.disa.mil.\n\n DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot\n utility to manage DoD supported root certificates on Windows computers, which\n includes a list of authorized CAs. 
The utility package can be downloaded from\n the PKI and PKE Tools page on IASE:\n\n http://iase.disa.mil/pki-pke/function_pages/tools.html\"\n desc \"fix\", \"Obtain a server certificate for the domain controller issued by\n the DoD PKI or an approved ECA.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe command('Get-ChildItem -Path Cert:\\\\LocalMachine\\\\My | Format-List | Findstr Issuer') do\n its('stdout') { should include 'DoD' }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73513.rb", + "ref": "./Windows 2016 STIG/controls/V-73613.rb", "line": 1 }, - "id": "V-73513" + "id": "V-73613" }, { - "title": "Anonymous enumeration of Security Account Manager (SAM) accounts must\n not be allowed.", - "desc": "Anonymous enumeration of SAM accounts allows anonymous logon users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.", + "title": "Domain controllers must require LDAP access signing.", + "desc": "Unsigned network traffic is susceptible to man-in-the-middle attacks,\n where an intruder captures packets between the server and the client and\n modifies them before forwarding them to the client. In the case of an LDAP\n server, this means that an attacker could cause a client to make decisions\n based on false records from the LDAP directory. The risk of an attacker pulling\n this off can be decreased by implementing strong physical security measures to\n protect the network infrastructure. 
Furthermore, implementing Internet Protocol\n security (IPsec) authentication header mode (AH), which performs mutual\n authentication and packet integrity for Internet Protocol (IP) traffic, can\n make all types of man-in-the-middle attacks extremely difficult.", "descriptions": { - "default": "Anonymous enumeration of SAM accounts allows anonymous logon users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow anonymous enumeration of SAM accounts to\n Enabled." + "default": "Unsigned network traffic is susceptible to man-in-the-middle attacks,\n where an intruder captures packets between the server and the client and\n modifies them before forwarding them to the client. In the case of an LDAP\n server, this means that an attacker could cause a client to make decisions\n based on false records from the LDAP directory. The risk of an attacker pulling\n this off can be decreased by implementing strong physical security measures to\n protect the network infrastructure. Furthermore, implementing Internet Protocol\n security (IPsec) authentication header mode (AH), which performs mutual\n authentication and packet integrity for Internet Protocol (IP) traffic, can\n make all types of man-in-the-middle attacks extremely difficult.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\\\n\n Value Name: LDAPServerIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n controller: LDAP server signing requirements to Require signing." }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73667", - "rid": "SV-88331r1_rule", - "stig_id": "WN16-SO-000260", - "fix_id": "F-80117r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-73629", + "rid": "SV-88293r1_rule", + "stig_id": "WN16-DC-000320", + "fix_id": "F-80079r1_fix", "cci": [ - "CCI-000366" + "CCI-002418", + "CCI-002421" ], "nist": [ "CM-6 b", 
@@ -5621,269 +5705,269 @@ ], "documentable": false }, - "code": "control 'V-73667' do\n title \"Anonymous enumeration of Security Account Manager (SAM) accounts must\n not be allowed.\"\n desc \"Anonymous enumeration of SAM accounts allows anonymous logon users\n (null session connections) to list all accounts names, thus providing a list of\n potential points to attack the system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73667'\n tag \"rid\": 'SV-88331r1_rule'\n tag \"stig_id\": 'WN16-SO-000260'\n tag \"fix_id\": 'F-80117r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow anonymous enumeration of SAM accounts to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictAnonymousSAM' }\n its('RestrictAnonymousSAM') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73629' do\n title 'Domain controllers must require LDAP access signing.'\n desc \"Unsigned network traffic is susceptible to man-in-the-middle attacks,\n where an intruder captures packets between the server and the client and\n modifies them before forwarding them to the client. In the case of an LDAP\n server, this means that an attacker could cause a client to make decisions\n based on false records from the LDAP directory. 
The risk of an attacker pulling\n this off can be decreased by implementing strong physical security measures to\n protect the network infrastructure. Furthermore, implementing Internet Protocol\n security (IPsec) authentication header mode (AH), which performs mutual\n authentication and packet integrity for Internet Protocol (IP) traffic, can\n make all types of man-in-the-middle attacks extremely difficult.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73629'\n tag \"rid\": 'SV-88293r1_rule'\n tag \"stig_id\": 'WN16-DC-000320'\n tag \"fix_id\": 'F-80079r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\\n\n Value Name: LDAPServerIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n controller: LDAP server signing requirements to Require signing.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters') do\n it { should have_property 'LDAPServerIntegrity' }\n its('LDAPServerIntegrity') { should cmp 2 }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain 
controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73667.rb", + "ref": "./Windows 2016 STIG/controls/V-73629.rb", "line": 1 }, - "id": "V-73667" + "id": "V-73629" }, { - "title": "The maximum password age must be configured to 60 days or less.", - "desc": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing of\n passwords hinders the ability of unauthorized system users to crack passwords\n and gain access to a system.", + "title": "The Active Directory Infrastructure object must be configured with\n proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Infrastructure object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", "descriptions": { - "default": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. Scheduled changing of\n passwords hinders the ability of unauthorized system users to crack passwords\n and gain access to a system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Maximum password age is greater than 60 days, this\n is a finding.\n\n If the value is set to 0 (never expires), this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Maximum password age to 60 days or less (excluding 0, which is\n unacceptable)." + "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Infrastructure object. 
Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for Infrastructure object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the Infrastructure object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Infrastructure object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\n Change infrastructure master)\n\n Two instances with the following summary information will be listed.\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)", + "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the Infrastructure object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Infrastructure object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\n Change infrastructure master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-73317", - "rid": "SV-87969r1_rule", - "stig_id": "WN16-AC-000050", - "fix_id": "F-79759r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-73393", + "rid": "SV-88045r1_rule", + "stig_id": "WN16-DC-000190", + "fix_id": "F-79835r1_fix", "cci": [ - "CCI-000199" + "CCI-000172", + "CCI-002234" ], "nist": [ - "IA-5 (1) (d)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73317' do\n title 'The maximum password age must be configured to 60 days or less.'\n desc \"The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the passwords. 
Scheduled changing of\n passwords hinders the ability of unauthorized system users to crack passwords\n and gain access to a system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000076-GPOS-00044'\n tag \"gid\": 'V-73317'\n tag \"rid\": 'SV-87969r1_rule'\n tag \"stig_id\": 'WN16-AC-000050'\n tag \"fix_id\": 'F-79759r1_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Maximum password age is greater than 60 days, this\n is a finding.\n\n If the value is set to 0 (never expires), this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Maximum password age to 60 days or less (excluding 0, which is\n unacceptable).\"\n describe security_policy do\n its('MaximumPasswordAge') { should be <= 60 }\n end\n describe security_policy do\n its('MaximumPasswordAge') { should be > 0 }\n end\nend\n", + "code": "control 'V-73393' do\n title \"The Active Directory Infrastructure object must be configured with\n proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Infrastructure object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73393'\n tag \"rid\": 'SV-88045r1_rule'\n tag \"stig_id\": 'WN16-DC-000190'\n tag \"fix_id\": 'F-79835r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for Infrastructure object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the Infrastructure object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Infrastructure object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\n Change infrastructure master)\n\n Two instances with the following summary information will be listed.\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the Infrastructure object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Infrastructure object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\n Change infrastructure master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=Infrastructure,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['IsInherited']) { should cmp \"False\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, ExtendedRight\" }\n its(['IsInherited']) { should cmp \"False\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n 
its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['IsInherited']) { should cmp \"True\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73317.rb", + "ref": "./Windows 2016 STIG/controls/V-73393.rb", "line": 1 }, - "id": "V-73317" + "id": "V-73393" }, { - "title": "A host-based firewall must be installed and enabled on the system.", - "desc": "A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.", + "title": "Windows Server 2016 must be configured to audit Privilege Use -\n Sensitive Privilege Use failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.", "descriptions": { - "default": "A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.", - "check": "Determine if a host-based firewall is installed and enabled on\n the system.\n\n If a host-based firewall is not installed and enabled on the system, this is a\n finding.\n\n The configuration requirements will be determined by the applicable firewall\n STIG.", - "fix": "Install and enable a host-based firewall on the system." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with\n Failure selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00231", - "gid": "V-73279", - "rid": "SV-87931r1_rule", - "stig_id": "WN16-00-000310", - "fix_id": "F-79723r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000466-GPOS-00210" + ], + "gid": "V-73471", + "rid": "SV-88123r1_rule", + "stig_id": "WN16-AU-000360", + "fix_id": "F-79913r1_fix", "cci": [ - "CCI-000366", - "CCI-002080" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", - "CA-3 (5)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73279' do\n title 'A host-based firewall must be installed and enabled on the system.'\n desc \"A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00231'\n tag \"gid\": 'V-73279'\n tag \"rid\": 'SV-87931r1_rule'\n tag \"stig_id\": 'WN16-00-000310'\n tag \"fix_id\": 'F-79723r1_fix'\n tag \"cci\": ['CCI-000366', 'CCI-002080']\n tag \"nist\": ['CM-6 b', 'CA-3 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if a host-based firewall is installed and enabled on\n the system.\n\n If a host-based firewall is not installed and enabled on the system, this is a\n finding.\n\n The configuration requirements will be determined by the applicable firewall\n STIG.\"\n desc \"fix\", 'Install and enable a host-based firewall on the system.'\n describe 'A manual review is required to verify that a host-based firewall is installed and enabled on this system' do\n skip 'A manual review is required to verify that a host-based firewall is installed and enabled on this system'\n end\nend\n", + "code": "control 'V-73471' do\n title \"Windows Server 2016 must be configured to audit Privilege Use -\n Sensitive Privilege Use failures.\"\n desc \"Maintaining an audit trail 
of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\n privileges, such as Act as part of the operating system or Debug\n programs.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73471'\n tag \"rid\": 'SV-88123r1_rule'\n tag \"stig_id\": 'WN16-AU-000360'\n tag \"fix_id\": 'F-79913r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with\n Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Failure' }\n end\n 
describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Sensitive Privilege Use'\") do\n its('stdout') { should match /Sensitive Privilege Use Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Sensitive Privilege Use'\") do\n its('stdout') { should match /Sensitive Privilege Use Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73279.rb", + "ref": "./Windows 2016 STIG/controls/V-73471.rb", "line": 1 }, - "id": "V-73279" + "id": "V-73471" }, { - "title": "Systems must be maintained at a supported servicing level.", - "desc": "Systems at unsupported servicing levels will not receive security\n updates for new vulnerabilities, which leave them subject to exploitation.\n Systems must be maintained at a servicing level supported by the vendor with\n new security updates.", + "title": "The Server Message Block (SMB) v1 protocol must be disabled on the SMB\n client.", + "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.", "descriptions": { - "default": "Systems at unsupported servicing levels will not receive security\n updates for new vulnerabilities, which leave them subject to exploitation.\n Systems must be maintained at a servicing level supported by the vendor with\n new security updates.", - "check": "Open Command Prompt.\n\n Enter winver.exe.\n\n If the About Windows dialog box does not display Microsoft Windows Server\n Version 1607 (Build 14393.xxx) or greater, this is a finding.\n\n Preview versions must not be used in a production environment.", - "fix": "Update the system to a Version 1607 (Build 14393.xxx) or greater." 
+ "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.", + "check": "Different methods are available to disable SMBv1 on Windows\n 2016, if V-73299 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a\n finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Configure SMBv1 client\n driver to Enabled with Disable driver (recommended) selected for\n Configure MrxSmb10 driver.\n\n The system must be restarted for the changes to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. SecGuide.admx and SecGuide.adml must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." 
}, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73239", - "rid": "SV-87891r1_rule", - "stig_id": "WN16-00-000110", - "fix_id": "F-79683r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-78125", + "rid": "SV-92831r1_rule", + "stig_id": "WN16-00-000412", + "fix_id": "F-84847r2_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73239' do\n title 'Systems must be maintained at a supported servicing level.'\n desc \"Systems at unsupported servicing levels will not receive security\n updates for new vulnerabilities, which leave them subject to exploitation.\n Systems must be maintained at a servicing level supported by the vendor with\n new security updates.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73239'\n tag \"rid\": 'SV-87891r1_rule'\n tag \"stig_id\": 'WN16-00-000110'\n tag \"fix_id\": 'F-79683r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open Command Prompt.\n\n Enter winver.exe.\n\n If the About Windows dialog box does not display Microsoft Windows Server\n Version 1607 (Build 14393.xxx) or greater, this is a finding.\n\n Preview versions must not be used in a production environment.\"\n desc \"fix\", 'Update the system to a Version 1607 (Build 14393.xxx) or greater.'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion') do\n it { should have_property 'CurrentMajorVersionNumber' }\n its('CurrentMajorVersionNumber') { should be >= 10 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion') do\n it { should have_property 'CurrentBuildNumber' }\n its('CurrentBuildNumber') { should be >= '14393' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion') do\n it { should have_property 'ReleaseId' }\n its('ReleaseId') { should be >= '1607' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion') do\n it { should have_property 'CurrentBuild' }\n its('CurrentBuild') { should be >= '14393' }\n end\nend\n", + "code": "control 'V-78125' do\n title \"The Server Message Block (SMB) v1 protocol must be disabled on the SMB\n client.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-78125'\n tag \"rid\": 'SV-92831r1_rule'\n tag \"stig_id\": 'WN16-00-000412'\n tag \"fix_id\": 'F-84847r2_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows\n 2016, if V-73299 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a\n finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10\\\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Configure SMBv1 client\n driver to Enabled with Disable driver (recommended) selected for\n Configure MrxSmb10 driver.\n\n The system must be restarted for the changes to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
SecGuide.admx and SecGuide.adml must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n if windows_feature('FS-SMB1').installed?\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10') do\n it { should have_property 'Start' }\n its('Start') { should cmp 4 }\n end\n else\n impact 0.0\n describe 'SMBv1 is not installed on this system, therefore this control is not applicable' do\n skip 'SMBv1 is not installed on this system, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73239.rb", + "ref": "./Windows 2016 STIG/controls/V-78125.rb", "line": 1 }, - "id": "V-73239" + "id": "V-78125" }, { - "title": "Credential Guard must be running on domain-joined systems.", - "desc": "Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.", + "title": "The System event log size must be configured to 32768 KB or greater.", + "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", "descriptions": { - "default": "Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. 
This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.", - "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements, including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\n\n If SecurityServicesRunning does not include a value of 1 (e.g., {1,\n 2}), this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Security Services Running does not list Credential\n Guard, this is finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. 
However due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled\n without lock)\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Enabled with UEFI lock or Enabled\n without lock selected for Credential Guard Configuration.\n\n Enabled with UEFI lock is preferred as more secure; however, it cannot be\n turned off remotely through a group policy change if there is an issue.\n Enabled without lock will allow this to be turned off remotely while\n testing for issues.\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard" + "default": "Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "check": "If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> System\n >> Specify the maximum log file size (KB) to Enabled with a Maximum\n Log Size (KB) of 32768 or greater." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73515", - "rid": "SV-88167r1_rule", - "stig_id": "WN16-CC-000120", - "fix_id": "F-79957r1_fix", + "gtitle": "SRG-OS-000341-GPOS-00132", + "gid": "V-73557", + "rid": "SV-88221r1_rule", + "stig_id": "WN16-CC-000320", + "fix_id": "F-80007r1_fix", "cci": [ - "CCI-000366" + "CCI-001849" ], "nist": [ - "CM-6 b", + "AU-4", "Rev_4" ], "documentable": false }, - "code": "control 'V-73515' do\n title 'Credential Guard must be running on domain-joined systems.'\n desc \"Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. 
This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73515'\n tag \"rid\": 'SV-88167r1_rule'\n tag \"stig_id\": 'WN16-CC-000120'\n tag \"fix_id\": 'F-79957r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements, including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\n\n If SecurityServicesRunning does not include a value of 1 (e.g., {1,\n 2}), this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Security Services Running does not list Credential\n Guard, this is finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. 
However due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled\n without lock)\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Enabled with UEFI lock or Enabled\n without lock selected for Credential Guard Configuration.\n\n Enabled with UEFI lock is preferred as more secure; however, it cannot be\n turned off remotely through a group policy change if there is an issue.\n Enabled without lock will allow this to be turned off remotely while\n testing for issues.\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'LsaCfgFlags' }\n its('LsaCfgFlags') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'LsaCfgFlags' }\n its('LsaCfgFlags') { should cmp 2 }\n end\n end\n only_if { is_domain != 'WORKGROUP' }\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therfore this control is not appliable as 
it does not apply to standalone systems' do\n skip 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems'\n end\n end\nend\n", + "code": "control 'V-73557' do\n title 'The System event log size must be configured to 32768 KB or greater.'\n desc \"Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000341-GPOS-00132'\n tag \"gid\": 'V-73557'\n tag \"rid\": 'SV-88221r1_rule'\n tag \"stig_id\": 'WN16-CC-000320'\n tag \"fix_id\": 'F-80007r1_fix'\n tag \"cci\": ['CCI-001849']\n tag \"nist\": ['AU-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\System\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> System\n >> Specify the maximum log file size (KB) to Enabled with a Maximum\n Log Size (KB) of 32768 or greater.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\System') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 32768 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73515.rb", + "ref": "./Windows 2016 STIG/controls/V-73557.rb", "line": 1 }, - "id": "V-73515" + "id": "V-73557" }, { - "title": "The Remote Desktop Session Host must require secure Remote Procedure\n Call (RPC) communications.", - "desc": "Allowing 
unsecure RPC communication exposes the system to\n man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\n attack occurs when an intruder captures packets between a client and server and\n modifies them before allowing the packets to be exchanged. Usually the attacker\n will modify the information in the packets in an attempt to cause either the\n client or server to reveal sensitive information.", + "title": "Users must be notified if a web-based program attempts to install\n software.", + "desc": "Web-based programs may attempt to install malicious software on a\n system. Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.", "descriptions": { - "default": "Allowing unsecure RPC communication exposes the system to\n man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\n attack occurs when an intruder captures packets between a client and server and\n modifies them before allowing the packets to be exchanged. Usually the attacker\n will modify the information in the packets in an attempt to cause either the\n client or server to reveal sensitive information.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fEncryptRPCTraffic\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Require secure RPC communication\n to Enabled." + "default": "Web-based programs may attempt to install malicious software on a\n system. 
Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.", + "check": "The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> Windows\n Installer >> Prevent Internet Explorer security prompt for Windows Installer\n scripts to Not Configured or Disabled." }, "impact": 0.5, "refs": [], - "tags": { - "gtitle": "SRG-OS-000250-GPOS-00093", - "gid": "V-73573", - "rid": "SV-88237r1_rule", - "stig_id": "WN16-CC-000400", - "fix_id": "F-80023r1_fix", + "tags": { + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73587", + "rid": "SV-88251r1_rule", + "stig_id": "WN16-CC-000470", + "fix_id": "F-80037r1_fix", "cci": [ - "CCI-001453" + "CCI-000366" ], "nist": [ - "AC-17 (2)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73573' do\n title \"The Remote Desktop Session Host must require secure Remote Procedure\n Call (RPC) communications.\"\n desc \"Allowing unsecure RPC communication exposes the system to\n man-in-the-middle attacks and data disclosure attacks. 
A man-in-the-middle\n attack occurs when an intruder captures packets between a client and server and\n modifies them before allowing the packets to be exchanged. Usually the attacker\n will modify the information in the packets in an attempt to cause either the\n client or server to reveal sensitive information.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000250-GPOS-00093'\n tag \"gid\": 'V-73573'\n tag \"rid\": 'SV-88237r1_rule'\n tag \"stig_id\": 'WN16-CC-000400'\n tag \"fix_id\": 'F-80023r1_fix'\n tag \"cci\": ['CCI-001453']\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fEncryptRPCTraffic\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Remote Desktop Services >>\n Remote Desktop Session Host >> Security >> Require secure RPC communication\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fEncryptRPCTraffic' }\n its('fEncryptRPCTraffic') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73587' do\n title \"Users must be notified if a web-based program attempts to install\n software.\"\n desc \"Web-based programs may attempt to install malicious software on a\n system. 
Ensuring users are notified if a web-based program attempts to install\n software allows them to refuse the installation.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73587'\n tag \"rid\": 'SV-88251r1_rule'\n tag \"stig_id\": 'WN16-CC-000470'\n tag \"fix_id\": 'F-80037r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for Internet Explorer to warn users and\n select whether to allow or refuse installation when a web-based program\n attempts to install software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> Windows\n Installer >> Prevent Internet Explorer security prompt for Windows Installer\n scripts to Not Configured or Disabled.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer') do\n it { should_not have_property 'SafeForScripting' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer') do\n its('SafeForScripting') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73573.rb", + "ref": 
"./Windows 2016 STIG/controls/V-73587.rb", "line": 1 }, - "id": "V-73573" + "id": "V-73587" }, { - "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Special\n Logon successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\n and can be used to elevate processes.", + "title": "The Add workstations to domain user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Add workstations to domain right may add computers to\n a domain. This could result in unapproved or incorrectly configured systems\n being added to a domain.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\n and can be used to elevate processes.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Special Logon - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Special Logon with Success\n selected." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Add workstations to domain right may add computers to\n a domain. This could result in unapproved or incorrectly configured systems\n being added to a domain.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Add\n workstations to domain right, this is a finding.\n\n - Administrators", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Add workstations to domain to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000470-GPOS-00214", - "satisfies": [ - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000472-GPOS-00217", - "SRG-OS-000473-GPOS-00218", - "SRG-OS-000475-GPOS-00220" - ], - "gid": "V-73455", - "rid": "SV-88107r1_rule", - "stig_id": "WN16-AU-000280", - "fix_id": "F-79897r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73737", + "rid": "SV-88401r1_rule", + "stig_id": "WN16-DC-000350", + "fix_id": "F-80187r1_fix", "cci": [ - "CCI-000172" + "CCI-002235" ], "nist": [ - "AU-12 c", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73455' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Special\n Logon successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\n and can be used to elevate processes.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000470-GPOS-00214'\n tag \"satisfies\": ['SRG-OS-000470-GPOS-00214', 'SRG-OS-000472-GPOS-00217',\n 'SRG-OS-000473-GPOS-00218', 'SRG-OS-000475-GPOS-00220']\n tag \"gid\": 'V-73455'\n tag \"rid\": 'SV-88107r1_rule'\n tag \"stig_id\": 'WN16-AU-000280'\n tag \"fix_id\": 'F-79897r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Special Logon - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Special Logon with Success\n selected.\"\n describe.one do\n describe audit_policy do\n its('Special Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Special Logon') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Special Logon'\") do\n its('stdout') { should match /Special Logon Success/ }\n end\n describe command(\"AuditPol 
/get /category:* | Findstr /c:'Special Logon'\") do\n its('stdout') { should match /Special Logon Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73737' do\n title \"The Add workstations to domain user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Add workstations to domain right may add computers to\n a domain. This could result in unapproved or incorrectly configured systems\n being added to a domain.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73737'\n tag \"rid\": 'SV-88401r1_rule'\n tag \"stig_id\": 'WN16-DC-000350'\n tag \"fix_id\": 'F-80187r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Add\n workstations to domain right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Add workstations to domain to include only the following accounts or groups:\n\n - Administrators\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeMachineAccountPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeMachineAccountPrivilege') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') 
&& !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73455.rb", + "ref": "./Windows 2016 STIG/controls/V-73737.rb", "line": 1 }, - "id": "V-73455" + "id": "V-73737" }, { - "title": "Windows Server 2016 must be configured to audit System - Security\n System Extension successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.", + "title": "Windows Server 2016 must, at a minimum, off-load audit records of\n interconnected systems in real time and off-load standalone systems weekly.", + "desc": "Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Security System Extension - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit Security System Extension with\n Success selected." + "default": "Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.", + "check": "Verify the audit records, at a minimum, are off-loaded for\n interconnected systems in real time and off-loaded for standalone systems\n weekly.\n\n If they are not, this is a finding.", + "fix": "Configure the system to, at a minimum, off-load audit records of\n interconnected systems in real time and off-load standalone systems weekly." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73483", - "rid": "SV-88135r1_rule", - "stig_id": "WN16-AU-000420", - "fix_id": "F-79925r1_fix", + "gtitle": "SRG-OS-000479-GPOS-00224", + "gid": "V-73403", + "rid": "SV-88055r1_rule", + "stig_id": "WN16-AU-000020", + "fix_id": "F-79845r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-001851" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "AU-4 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73483' do\n title \"Windows Server 2016 must be configured to audit System - Security\n System Extension successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\n loaded by the security subsystem.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73483'\n tag \"rid\": 'SV-88135r1_rule'\n tag \"stig_id\": 'WN16-AU-000420'\n tag \"fix_id\": 'F-79925r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed 
auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Security System Extension - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> System >> Audit Security System Extension with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Security System Extension') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security System Extension') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security System Extension'\") do\n its('stdout') { should match /Security System Extension Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security System Extension'\") do\n its('stdout') { should match /Security System Extension Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73403' do\n title \"Windows Server 2016 must, at a minimum, off-load audit records of\n interconnected systems in real time and off-load standalone systems weekly.\"\n desc \"Protection of log data includes assuring the log data is not\n accidentally lost or deleted. 
Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-73403'\n tag \"rid\": 'SV-88055r1_rule'\n tag \"stig_id\": 'WN16-AU-000020'\n tag \"fix_id\": 'F-79845r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the audit records, at a minimum, are off-loaded for\n interconnected systems in real time and off-loaded for standalone systems\n weekly.\n\n If they are not, this is a finding.\"\n desc \"fix\", \"Configure the system to, at a minimum, off-load audit records of\n interconnected systems in real time and off-load standalone systems weekly.\"\n describe \"A manual review is required to verify the operating system is, at a minimum, off-loading audit records of\n interconnected systems in real time and off-loading standalone systems weekly\" do\n skip \"A manual review is required to verify the operating system is, at a minimum, off-loading audit records of\n interconnected systems in real time and off-loading standalone systems weekly\"\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73483.rb", + "ref": "./Windows 2016 STIG/controls/V-73403.rb", "line": 1 }, - "id": "V-73483" + "id": "V-73403" }, { - "title": "Internet Protocol version 6 (IPv6) source routing must be configured\n to the highest protection level to prevent IP source routing.", - "desc": "Configuring the system to disable IPv6 source routing protects against\n spoofing.", + "title": "Users must be prompted to authenticate when the system wakes from\n sleep (on battery).", + "desc": "A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. 
This setting ensures users are prompted for a\n password when the system wakes from sleep (on battery).", "descriptions": { - "default": "Configuring the system to disable IPv6 source routing protects against\n spoofing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting\n IPv6) IP source routing protection level (protects against packet spoofing)\n to Enabled with Highest protection, source routing is completely\n disabled selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (on battery).", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: DCSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n Require a password when a computer wakes (on battery) to Enabled." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73499", - "rid": "SV-88151r1_rule", - "stig_id": "WN16-CC-000040", - "fix_id": "F-79941r1_fix", + "gid": "V-73537", + "rid": "SV-88197r1_rule", + "stig_id": "WN16-CC-000210", + "fix_id": "F-79979r1_fix", "cci": [ "CCI-000366" ], 
@@ -5893,29 +5977,29 @@ ], "documentable": false }, - "code": "control 'V-73499' do\n title \"Internet Protocol version 6 (IPv6) source routing must be configured\n to the highest protection level to prevent IP source routing.\"\n desc \"Configuring the system to disable IPv6 source routing protects against\n spoofing.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73499'\n tag \"rid\": 'SV-88151r1_rule'\n tag \"stig_id\": 'WN16-CC-000040'\n tag \"fix_id\": 'F-79941r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting\n IPv6) IP source routing protection level (protects against packet spoofing)\n to Enabled with Highest protection, source routing is completely\n disabled selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2 }\n end\nend\n", + "code": "control 'V-73537' do\n title \"Users must be prompted to authenticate when the system wakes from\n sleep (on battery).\"\n desc \"A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (on battery).\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73537'\n tag \"rid\": 'SV-88197r1_rule'\n tag \"stig_id\": 'WN16-CC-000210'\n tag \"fix_id\": 'F-79979r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: DCSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n Require a password when a computer wakes (on battery) to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'DCSettingIndex' }\n its('DCSettingIndex') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 
2016 STIG/controls/V-73499.rb", + "ref": "./Windows 2016 STIG/controls/V-73537.rb", "line": 1 }, - "id": "V-73499" + "id": "V-73537" }, { - "title": "The Impersonate a client after authentication user right must only be\n assigned to Administrators, Service, Local Service, and Network Service.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Impersonate a client after authentication user right allows a\n program to impersonate another user or account to run on their behalf. An\n attacker could use this to elevate privileges.", + "title": "The Back up files and directories user right must only be assigned to\n the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Back up files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Impersonate a client after authentication user right allows a\n program to impersonate another user or account to run on their behalf. 
An\n attacker could use this to elevate privileges.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n Impersonate a client after authentication user right, this is a finding.\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Impersonate a client after authentication to include only the following\n accounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service" + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Back up files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Back up\n files and directories user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor 
documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Back up files and directories to include only the following accounts or\n groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73785", - "rid": "SV-88449r1_rule", - "stig_id": "WN16-UR-000220", - "fix_id": "F-80235r1_fix", + "gid": "V-73743", + "rid": "SV-88407r1_rule", + "stig_id": "WN16-UR-000070", + "fix_id": "F-80193r1_fix", "cci": [ "CCI-002235" ], 
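Review bot: The V-73743 check text added here (`If an application requires this user right, this would not be a finding` … `The requirement must be documented with the ISSO`) allows documented exceptions, but the control's test, which lands in the next hunk, only passes when `SeBackupPrivilege` equals `['S-1-5-32-544']` or `[]`, and nothing in this hunk reads an input, so an approved and documented backup service account is reported as a failure rather than as the documented exception the check describes. Consider driving the allowed list from an input and using the containment matcher the old V-73785 code already used, e.g. `its('SeBackupPrivilege') { should be_in ['S-1-5-32-544'] + input('approved_backup_sids') }` with the input defaulting to an empty array. The same description/test mismatch presumably applies to every other user-right control in this file that carries the "Vendor documentation must support" language, so it is worth fixing in the generating profile rather than in this JSON. Separately, this hunk replaces V-73499 with V-73537 in place instead of adding or removing entries, which suggests the generator emits controls in an unstable order; sorting controls by `id` before serialising would keep future diffs of this file reviewable.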
@@ -5925,283 +6009,270 @@ ], "documentable": false }, - "code": "control 'V-73785' do\n title \"The Impersonate a client after authentication user right must only be\n assigned to Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Impersonate a client after authentication user right allows a\n program to impersonate another user or account to run on their behalf. An\n attacker could use this to elevate privileges.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73785'\n tag \"rid\": 'SV-88449r1_rule'\n tag \"stig_id\": 'WN16-UR-000220'\n tag \"fix_id\": 'F-80235r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n Impersonate a client after authentication user right, this is a finding.\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Impersonate a client after authentication to include only the following\n accounts or groups:\n\n - Administrators\n - Service\n - 
Local Service\n - Network Service\"\n describe security_policy do\n its('SeImpersonatePrivilege') { should be_in ['S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'] }\n end\nend\n", + "code": "control 'V-73743' do\n title \"The Back up files and directories user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Back up files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73743'\n tag \"rid\": 'SV-88407r1_rule'\n tag \"stig_id\": 'WN16-UR-000070'\n tag \"fix_id\": 'F-80193r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Back up\n files and directories user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Back up files and directories to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy 
do\n its('SeBackupPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeBackupPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73785.rb", + "ref": "./Windows 2016 STIG/controls/V-73743.rb", "line": 1 }, - "id": "V-73785" + "id": "V-73743" }, { - "title": "Protection methods such as TLS, encrypted VPNs, or IPsec must be\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.", - "desc": "Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, for example, during aggregation,\n at protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n\n Ensuring the confidentiality of transmitted information requires the\n operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n\n Use of this requirement will be limited to situations where the data owner\n has a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process. When\n transmitting data, operating systems need to support transmission protection\n mechanisms such as TLS, encrypted VPNs, or IPsec.", + "title": "Explorer Data Execution Prevention must be enabled.", + "desc": "Data Execution Prevention provides additional protection by performing\n checks on memory to help prevent malicious code from running. 
This setting will\n prevent Data Execution Prevention from being turned off for File Explorer.", "descriptions": { - "default": "Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, for example, during aggregation,\n at protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n\n Ensuring the confidentiality of transmitted information requires the\n operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n\n Use of this requirement will be limited to situations where the data owner\n has a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process. When\n transmitting data, operating systems need to support transmission protection\n mechanisms such as TLS, encrypted VPNs, or IPsec.", - "check": "If the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process, verify protection methods such as TLS, encrypted VPNs, or\n IPsec have been implemented.\n\n If protection methods have not been implemented, this is a finding.", - "fix": "Configure protection methods such as TLS, encrypted VPNs, or\n IPsec when the data owner has a strict requirement for ensuring data integrity\n and confidentiality is maintained at every step of the data transfer and\n handling process." + "default": "Data Execution Prevention provides additional protection by performing\n checks on memory to help prevent malicious code from running. 
This setting will\n prevent Data Execution Prevention from being turned off for File Explorer.", + "check": "The default behavior is for Data Execution Prevention to be\n turned on for File Explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for data execution prevention to be\n turned on for File Explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off Data Execution Prevention for Explorer to Not\n Configured or Disabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000425-GPOS-00189", - "satisfies": [ - "SRG-OS-000425-GPOS-00189", - "SRG-OS-000426-GPOS-00190" - ], - "gid": "V-73275", - "rid": "SV-87927r1_rule", - "stig_id": "WN16-00-000290", - "fix_id": "F-79719r1_fix", + "gtitle": "SRG-OS-000433-GPOS-00192", + "gid": "V-73561", + "rid": "SV-88225r1_rule", + "stig_id": "WN16-CC-000340", + "fix_id": "F-80011r1_fix", "cci": [ - "CCI-002420", - "CCI-002422" + "CCI-002824" ], "nist": [ - "SC-8 (2)", + "SI-16", "Rev_4" ], "documentable": false }, - "code": "control 'V-73275' do\n title \"Protection methods such as TLS, encrypted VPNs, or IPsec must be\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.\"\n desc \"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, for example, during aggregation,\n at protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n\n Ensuring the confidentiality of transmitted information requires the\n operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n\n Use of this requirement will be limited to situations where the data owner\n has a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process. 
When\n transmitting data, operating systems need to support transmission protection\n mechanisms such as TLS, encrypted VPNs, or IPsec.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000425-GPOS-00189'\n tag \"satisfies\": ['SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag \"gid\": 'V-73275'\n tag \"rid\": 'SV-87927r1_rule'\n tag \"stig_id\": 'WN16-00-000290'\n tag \"fix_id\": 'F-79719r1_fix'\n tag \"cci\": ['CCI-002420', 'CCI-002422']\n tag \"nist\": ['SC-8 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process, verify protection methods such as TLS, encrypted VPNs, or\n IPsec have been implemented.\n\n If protection methods have not been implemented, this is a finding.\"\n desc \"fix\", \"Configure protection methods such as TLS, encrypted VPNs, or\n IPsec when the data owner has a strict requirement for ensuring data integrity\n and confidentiality is maintained at every step of the data transfer and\n handling process.\"\n describe \"A manual review is required to verify that protection methods such as TLS, encrypted VPNs, or IPSEC are\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.\" do\n skip \"A manual review is required to verify that protection methods such as TLS, encrypted VPNs, or IPSEC are\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.\"\n end\nend\n", + "code": "control 'V-73561' do\n title 'Explorer Data Execution Prevention must be enabled.'\n desc \"Data Execution Prevention provides additional protection by performing\n checks on memory to help prevent malicious code from running. 
This setting will\n prevent Data Execution Prevention from being turned off for File Explorer.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000433-GPOS-00192'\n tag \"gid\": 'V-73561'\n tag \"rid\": 'SV-88225r1_rule'\n tag \"stig_id\": 'WN16-CC-000340'\n tag \"fix_id\": 'F-80011r1_fix'\n tag \"cci\": ['CCI-002824']\n tag \"nist\": ['SI-16', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for Data Execution Prevention to be\n turned on for File Explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for data execution prevention to be\n turned on for File Explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off Data Execution Prevention for Explorer to Not\n Configured or Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer') do\n it { should have_property 'NoDataExecutionPrevention' }\n its('NoDataExecutionPrevention') { should_not cmp 1}\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73275.rb", + "ref": "./Windows 2016 STIG/controls/V-73561.rb", "line": 1 }, - "id": "V-73275" + "id": "V-73561" }, { - "title": "Early Launch Antimalware, Boot-Start Driver Initialization Policy must\n prevent boot drivers identified as bad.", - "desc": "Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. 
The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. At a minimum, drivers determined to be bad must not be\n allowed.", + "title": "Windows SmartScreen must be enabled.", + "desc": "Windows SmartScreen helps protect systems from programs downloaded\n from the internet that may be malicious. Enabling SmartScreen will warn users\n of potentially malicious programs.", "descriptions": { - "default": "Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. At a minimum, drivers determined to be bad must not be\n allowed.", - "check": "The default behavior is for Early Launch Antimalware -\n Boot-Start Driver Initialization policy to enforce Good, unknown and bad but\n critical (preventing bad).\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0x00000007 (7), this is a\n finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name\n does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes bad and would be a finding)", - "fix": "The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy to enforce Good, unknown and bad but critical\n (preventing bad).\n\n If this needs to be corrected or a more secure setting is desired, configure\n the policy value for Computer Configuration >> Administrative Templates >>\n System >> Early Launch Antimalware >> Boot-Start Driver Initialization\n 
Policy to Not Configured or Enabled with any option other than\n All selected." + "default": "Windows SmartScreen helps protect systems from programs downloaded\n from the internet that may be malicious. Enabling SmartScreen will warn users\n of potentially malicious programs.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> File Explorer >> Configure\n Windows SmartScreen to Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73521", - "rid": "SV-88173r1_rule", - "stig_id": "WN16-CC-000140", - "fix_id": "F-79961r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73559", + "rid": "SV-88223r1_rule", + "stig_id": "WN16-CC-000330", + "fix_id": "F-80009r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73521' do\n title \"Early Launch Antimalware, Boot-Start Driver Initialization Policy must\n prevent boot drivers identified as bad.\"\n desc \"Compromised boot drivers can introduce malware prior to protection\n mechanisms that load after initialization. The Early Launch Antimalware driver\n can limit allowed drivers based on classifications determined by the malware\n protection application. 
At a minimum, drivers determined to be bad must not be\n allowed.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73521'\n tag \"rid\": 'SV-88173r1_rule'\n tag \"stig_id\": 'WN16-CC-000140'\n tag \"fix_id\": 'F-79961r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for Early Launch Antimalware -\n Boot-Start Driver Initialization policy to enforce Good, unknown and bad but\n critical (preventing bad).\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0x00000007 (7), this is a\n finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch\\\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name\n does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes bad and would be a finding)\"\n desc \"fix\", \"The default behavior is for Early Launch Antimalware - Boot-Start\n Driver Initialization policy to enforce Good, unknown and bad but critical\n (preventing bad).\n\n If this needs to be corrected or a more secure setting is desired, configure\n the policy value for Computer Configuration >> Administrative Templates >>\n System >> Early Launch Antimalware >> Boot-Start Driver Initialization\n Policy to Not Configured or Enabled with any option other than\n All selected.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch') do\n it { should have_property 'DriverLoadPolicy' }\n its('DriverLoadPolicy') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch') do\n it { should 
have_property 'DriverLoadPolicy' }\n its('DriverLoadPolicy') { should cmp 3 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch') do\n it { should have_property 'DriverLoadPolicy' }\n its('DriverLoadPolicy') { should cmp 8 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch') do\n it { should_not have_property 'DriverLoadPolicy' }\n end\n end\nend\n", + "code": "control 'V-73559' do\n title 'Windows SmartScreen must be enabled.'\n desc \"Windows SmartScreen helps protect systems from programs downloaded\n from the internet that may be malicious. Enabling SmartScreen will warn users\n of potentially malicious programs.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73559'\n tag \"rid\": 'SV-88223r1_rule'\n tag \"stig_id\": 'WN16-CC-000330'\n tag \"fix_id\": 'F-80009r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> File Explorer >> Configure\n Windows SmartScreen to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'EnableSmartScreen' }\n its('EnableSmartScreen') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73521.rb", + "ref": "./Windows 2016 STIG/controls/V-73559.rb", "line": 1 }, - "id": "V-73521" + "id": "V-73559" }, { - "title": "The Increase scheduling priority user right must 
only be assigned to\n the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Increase scheduling priority user right can change a\n scheduling priority, causing performance issues or a denial of service.", + "title": "A host-based firewall must be installed and enabled on the system.", + "desc": "A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Increase scheduling priority user right can change a\n scheduling priority, causing performance issues or a denial of service.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Increase\n scheduling priority user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Increase scheduling priority to include only the following accounts or\n groups:\n\n - Administrators" + "default": "A firewall provides a line of defense against attack, allowing or\n blocking inbound and 
outbound connections based on a set of rules.", + "check": "Determine if a host-based firewall is installed and enabled on\n the system.\n\n If a host-based firewall is not installed and enabled on the system, this is a\n finding.\n\n The configuration requirements will be determined by the applicable firewall\n STIG.", + "fix": "Install and enable a host-based firewall on the system." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73787", - "rid": "SV-88451r1_rule", - "stig_id": "WN16-UR-000230", - "fix_id": "F-80237r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00231", + "gid": "V-73279", + "rid": "SV-87931r1_rule", + "stig_id": "WN16-00-000310", + "fix_id": "F-79723r1_fix", "cci": [ - "CCI-002235" + "CCI-000366", + "CCI-002080" ], "nist": [ - "AC-6 (10)", + "CM-6 b", + "CA-3 (5)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73787' do\n title \"The Increase scheduling priority user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Increase scheduling priority user right can change a\n scheduling priority, causing performance issues or a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73787'\n tag \"rid\": 'SV-88451r1_rule'\n tag \"stig_id\": 'WN16-UR-000230'\n tag \"fix_id\": 'F-80237r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Increase\n scheduling priority user right, this is a finding.\n\n - Administrators\n\n If an application 
requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Increase scheduling priority to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeIncreaseBasePriorityPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeIncreaseBasePriorityPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73279' do\n title 'A host-based firewall must be installed and enabled on the system.'\n desc \"A firewall provides a line of defense against attack, allowing or\n blocking inbound and outbound connections based on a set of rules.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00231'\n tag \"gid\": 'V-73279'\n tag \"rid\": 'SV-87931r1_rule'\n tag \"stig_id\": 'WN16-00-000310'\n tag \"fix_id\": 'F-79723r1_fix'\n tag \"cci\": ['CCI-000366', 'CCI-002080']\n tag \"nist\": ['CM-6 b', 'CA-3 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if a host-based firewall is installed and enabled on\n the system.\n\n If a host-based firewall is not installed and enabled on the system, this is a\n finding.\n\n The configuration requirements will be determined by the applicable firewall\n STIG.\"\n desc \"fix\", 'Install and enable a host-based firewall on the system.'\n describe 'A manual review is required to verify that a host-based firewall is installed and enabled on this system' do\n skip 'A manual review is required to verify that a host-based firewall is installed and 
enabled on this system'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73787.rb", + "ref": "./Windows 2016 STIG/controls/V-73279.rb", "line": 1 }, - "id": "V-73787" + "id": "V-73279" }, { - "title": "Caching of logon credentials must be limited.", - "desc": "The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. Even though the credential\n cache is well protected, if a system is attacked, an unauthorized individual\n may isolate the password to a domain user account using a password-cracking\n program and gain access to the domain.", + "title": "Windows Server 2016 must be configured to ignore NetBIOS name release\n requests except from WINS servers.", + "desc": "Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the\n server's WINS resolution capability.", "descriptions": { - "default": "The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. Even though the credential\n cache is well protected, if a system is attacked, an unauthorized individual\n may isolate the password to a domain user account using a password-cracking\n program and gain access to the domain.", - "check": "This applies to member servers. 
For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 4 (or less)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Number of previous logons to cache (in case Domain\n Controller is not available) to 4 logons or less." + "default": "Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the\n server's WINS resolution capability.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (NoNameReleaseOnDemand)\n Allow the computer to ignore NetBIOS name release requests except from WINS\n servers to Enabled.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73651", - "rid": "SV-88315r1_rule", - "stig_id": "WN16-MS-000050", - "fix_id": "F-80271r1_fix", + "gtitle": "SRG-OS-000420-GPOS-00186", + "gid": "V-73505", + "rid": "SV-88157r1_rule", + "stig_id": "WN16-CC-000070", + "fix_id": "F-79947r1_fix", "cci": [ - "CCI-000366" + "CCI-002385" ], "nist": [ - "CM-6 b", + "SC-5", "Rev_4" ], "documentable": false }, - "code": "control 'V-73651' do\n title 'Caching of logon credentials must be limited.'\n desc \"The default Windows configuration caches the last logon credentials\n for users who log on interactively to a system. This feature is provided for\n system availability reasons, such as the user's machine being disconnected from\n the network or domain controllers being unavailable. Even though the credential\n cache is well protected, if a system is attacked, an unauthorized individual\n may isolate the password to a domain user account using a password-cracking\n program and gain access to the domain.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73651'\n tag \"rid\": 'SV-88315r1_rule'\n tag \"stig_id\": 'WN16-MS-000050'\n tag \"fix_id\": 'F-80271r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers. 
For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 4 (or less)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Interactive Logon: Number of previous logons to cache (in case Domain\n Controller is not available) to 4 logons or less.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if !(domain_role == '4') && !(domain_role == '5')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'CachedLogonsCount' }\n its('CachedLogonsCount') { should cmp <= 4 }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n desc 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\nend\n", + "code": "control 'V-73505' do\n title \"Windows Server 2016 must be configured to ignore NetBIOS name release\n requests except from WINS servers.\"\n desc \"Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. 
The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the\n server's WINS resolution capability.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000420-GPOS-00186'\n tag \"gid\": 'V-73505'\n tag \"rid\": 'SV-88157r1_rule'\n tag \"stig_id\": 'WN16-CC-000070'\n tag \"fix_id\": 'F-79947r1_fix'\n tag \"cci\": ['CCI-002385']\n tag \"nist\": ['SC-5', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters\\\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (NoNameReleaseOnDemand)\n Allow the computer to ignore NetBIOS name release requests except from WINS\n servers to Enabled.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters') do\n it { should have_property 'NoNameReleaseOnDemand' }\n its('NoNameReleaseOnDemand') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73651.rb", + "ref": "./Windows 2016 STIG/controls/V-73505.rb", "line": 1 }, - "id": "V-73651" + "id": "V-73505" }, { - "title": "Unauthenticated Remote Procedure Call (RPC) clients must be restricted\n from connecting to the RPC server.", - "desc": "Unauthenticated RPC clients may allow anonymous access to sensitive\n information. 
Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.", + "title": "Attachments must be prevented from being downloaded from RSS feeds.", + "desc": "Attachments from RSS feeds may not be secure. This setting will\n prevent attachments from being downloaded from RSS feeds.", "descriptions": { - "default": "Unauthenticated RPC clients may allow anonymous access to sensitive\n information. Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.", - "check": "This applies to member servers and standalone systems, It is NA\n for domain controllers.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc\\\n\n Value Name: RestrictRemoteClients\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Procedure Call >> Restrict\n Unauthenticated RPC clients to Enabled with Authenticated selected." + "default": "Attachments from RSS feeds may not be secure. This setting will\n prevent attachments from being downloaded from RSS feeds.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: DisableEnclosureDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> RSS Feeds >> Prevent\n downloading of enclosures to Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000379-GPOS-00164", - "gid": "V-73541", - "rid": "SV-88203r1_rule", - "stig_id": "WN16-MS-000040", - "fix_id": "F-79983r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73577", + "rid": "SV-88241r1_rule", + "stig_id": "WN16-CC-000420", + "fix_id": "F-80027r1_fix", "cci": [ - "CCI-001967" + "CCI-000366" ], "nist": [ - "IA-3 (1)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73541' do\n title \"Unauthenticated Remote Procedure Call (RPC) clients must be restricted\n from connecting to the RPC server.\"\n desc \"Unauthenticated RPC clients may allow anonymous access to sensitive\n information. Configuring RPC to restrict unauthenticated RPC clients from\n connecting to the RPC server will prevent anonymous connections.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000379-GPOS-00164'\n tag \"gid\": 'V-73541'\n tag \"rid\": 'SV-88203r1_rule'\n tag \"stig_id\": 'WN16-MS-000040'\n tag \"fix_id\": 'F-79983r1_fix'\n tag \"cci\": ['CCI-001967']\n tag \"nist\": ['IA-3 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems, It is NA\n for domain controllers.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\\n\n Value Name: RestrictRemoteClients\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Remote Procedure Call >> Restrict\n Unauthenticated RPC clients to Enabled with Authenticated selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if !(domain_role == '4') && !(domain_role == '5')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows 
NT\\\\Rpc') do\n it { should have_property 'RestrictRemoteClients' }\n its('RestrictRemoteClients') { should cmp 1 }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n desc 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\nend\n", + "code": "control 'V-73577' do\n title 'Attachments must be prevented from being downloaded from RSS feeds.'\n desc \"Attachments from RSS feeds may not be secure. This setting will\n prevent attachments from being downloaded from RSS feeds.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73577'\n tag \"rid\": 'SV-88241r1_rule'\n tag \"stig_id\": 'WN16-CC-000420'\n tag \"fix_id\": 'F-80027r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: DisableEnclosureDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> RSS Feeds >> Prevent\n downloading of enclosures to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds') do\n it { should have_property 'DisableEnclosureDownload' }\n its('DisableEnclosureDownload') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73541.rb", + "ref": "./Windows 2016 STIG/controls/V-73577.rb", "line": 1 }, - "id": "V-73541" + "id": "V-73577" }, { - "title": "The DoD Interoperability Root CA cross-certificates must be installed\n in the Untrusted Certificates Store on unclassified systems.", - "desc": "To ensure users do 
not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", + "title": "Unencrypted passwords must not be sent to third-party Server Message\n Block (SMB) servers.", + "desc": "Some non-Microsoft SMB servers only support unencrypted (plain-text)\n password authentication. Sending plain-text passwords across the network when\n authenticating to an SMB server reduces the overall security of the\n environment. Check with the vendor of the SMB server to determine if there is a\n way to support encrypted password authentication.", "descriptions": { - "default": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", - "check": "This is applicable to unclassified systems. It is NA for others.\n\n Open PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where {$_.Issuer -Like\n *DoD Interoperability* -and $_.Subject -Like *DoD*} | FL Subject,\n Issuer, Thumbprint, NotAfter\n\n If the following certificate Subject, Issuer, and Thumbprint\n information is not displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. 
Government,\n C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n NotAfter: 9/23/2018\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n NotAfter: 2/17/2019\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Untrusted Certificates >>\n Certificates.\n\n For each certificate with DoD Root CA… under Issued To and DoD\n Interoperability Root CA… under Issued By:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the certificates below are not listed or the value for the Thumbprint\n field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n Valid to: Sunday, September 23, 2018\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n Valid to: Sunday, February 17, 2019", - "fix": "Install the DoD Interoperability Root CA cross-certificates on\n unclassified systems.\n\n 
Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 -\n 22BBE981F0694D246CC1472ED2B021DC8540A22F\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n\n Administrators should run the Federal Bridge Certification Authority (FBCA)\n Cross-Certificate Removal Tool once as an administrator and once as the current\n user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." + "default": "Some non-Microsoft SMB servers only support unencrypted (plain-text)\n password authentication. Sending plain-text passwords across the network when\n authenticating to an SMB server reduces the overall security of the\n environment. Check with the vendor of the SMB server to determine if there is a\n way to support encrypted password authentication.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft Network Client: Send unencrypted password to third-party SMB\n servers to Disabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000066-GPOS-00034", - "satisfies": [ - "SRG-OS-000066-GPOS-00034", - "SRG-OS-000403-GPOS-00182" - ], - "gid": "V-73607", - "rid": "SV-88271r2_rule", - "stig_id": "WN16-PK-000020", - "fix_id": "F-87313r2_fix", + "gtitle": "SRG-OS-000074-GPOS-00042", + "gid": "V-73657", + "rid": "SV-88321r1_rule", + "stig_id": "WN16-SO-000210", + "fix_id": "F-80107r1_fix", "cci": [ - "CCI-000185", - "CCI-002470" + "CCI-000197" ], "nist": [ - "IA-5 (2) (a)", - "SC-23 (5)", + "IA-5 (1) (c)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73607' do\n title \"The DoD Interoperability Root CA cross-certificates must be installed\n in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"satisfies\": ['SRG-OS-000066-GPOS-00034', 'SRG-OS-000403-GPOS-00182']\n tag \"gid\": 'V-73607'\n tag \"rid\": 'SV-88271r2_rule'\n tag \"stig_id\": 'WN16-PK-000020'\n tag \"fix_id\": 'F-87313r2_fix'\n tag \"cci\": ['CCI-000185', 'CCI-002470']\n tag \"nist\": ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This is applicable to unclassified systems. 
It is NA for others.\n\n Open PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where {$_.Issuer -Like\n *DoD Interoperability* -and $_.Subject -Like *DoD*} | FL Subject,\n Issuer, Thumbprint, NotAfter\n\n If the following certificate Subject, Issuer, and Thumbprint\n information is not displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n NotAfter: 9/23/2018\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government,\n C=US\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n NotAfter: 2/17/2019\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Untrusted Certificates >>\n Certificates.\n\n For each certificate with DoD Root CA… under Issued To and DoD\n Interoperability Root CA… under Issued By:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the certificates below are not listed or the value for the Thumbprint\n field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n Valid to: Sunday, September 23, 2018\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n Valid to: Sunday, February 17, 2019\"\n desc \"fix\", \"Install the DoD Interoperability Root CA cross-certificates on\n unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 -\n 22BBE981F0694D246CC1472ED2B021DC8540A22F\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n\n Administrators should run the Federal Bridge Certification Authority (FBCA)\n Cross-Certificate Removal Tool once as an administrator and 
once as the current\n user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n is_unclassified_system = input('is_unclassified_system')\n dod_certificates = JSON.parse(input('dod_certificates').to_json)\n if is_unclassified_system\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The DoD Interoperability Root CA cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_certificates }\n end\n else\n impact 0.0\n describe 'This is NOT an unclassified system, therefore this control is not applicable' do\n skip 'This is NOT an unclassified system, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-73657' do\n title \"Unencrypted passwords must not be sent to third-party Server Message\n Block (SMB) servers.\"\n desc \"Some non-Microsoft SMB servers only support unencrypted (plain-text)\n password authentication. Sending plain-text passwords across the network when\n authenticating to an SMB server reduces the overall security of the\n environment. 
Check with the vendor of the SMB server to determine if there is a\n way to support encrypted password authentication.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000074-GPOS-00042'\n tag \"gid\": 'V-73657'\n tag \"rid\": 'SV-88321r1_rule'\n tag \"stig_id\": 'WN16-SO-000210'\n tag \"fix_id\": 'F-80107r1_fix'\n tag \"cci\": ['CCI-000197']\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft Network Client: Send unencrypted password to third-party SMB\n servers to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'EnablePlainTextPassword' }\n its('EnablePlainTextPassword') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73607.rb", + "ref": "./Windows 2016 STIG/controls/V-73657.rb", "line": 1 }, - "id": "V-73607" + "id": "V-73657" }, { - "title": "User Account Control must run all administrators in Admin Approval\n Mode, enabling UAC.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.", + "title": "PKU2U authentication using online identities must be prevented.", + "desc": "PKU2U is a peer-to-peer authentication protocol. This setting prevents\n online identities from authenticating to domain-joined systems. 
Authentication\n will be centrally managed with Windows user accounts.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.", - "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Run all administrators in Admin Approval Mode to\n Enabled." + "default": "PKU2U is a peer-to-peer authentication protocol. This setting prevents\n online identities from authenticating to domain-joined systems. Authentication\n will be centrally managed with Windows user accounts.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\pku2u\\\n\n Value Name: AllowOnlineID\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow PKU2U authentication requests to this computer to use\n online identities to Disabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-73719", - "rid": "SV-88383r1_rule", - "stig_id": "WN16-SO-000520", - "fix_id": "F-80169r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73683", + "rid": "SV-88347r1_rule", + "stig_id": "WN16-SO-000340", + "fix_id": "F-80133r1_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73719' do\n title \"User Account Control must run all administrators in Admin Approval\n Mode, enabling UAC.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting enables UAC.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73719'\n tag \"rid\": 'SV-88383r1_rule'\n tag \"stig_id\": 'WN16-SO-000520'\n tag \"fix_id\": 'F-80169r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Run all administrators in Admin Approval Mode to\n Enabled.\"\n if 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableLUA' }\n its('EnableLUA') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-73683' do\n title 'PKU2U authentication using online identities must be prevented.'\n desc \"PKU2U is a peer-to-peer authentication protocol. This setting prevents\n online identities from authenticating to domain-joined systems. 
Authentication\n will be centrally managed with Windows user accounts.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73683'\n tag \"rid\": 'SV-88347r1_rule'\n tag \"stig_id\": 'WN16-SO-000340'\n tag \"fix_id\": 'F-80133r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\pku2u\\\\\n\n Value Name: AllowOnlineID\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow PKU2U authentication requests to this computer to use\n online identities to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\pku2u') do\n it { should have_property 'AllowOnlineID' }\n its('AllowOnlineID') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73719.rb", + "ref": "./Windows 2016 STIG/controls/V-73683.rb", "line": 1 }, - "id": "V-73719" + "id": "V-73683" }, { - "title": "Group Policy objects must be reprocessed even if they have not\n changed.", - "desc": "Registry entries for group policy settings can potentially be changed\n from the required configuration. This could occur as part of troubleshooting or\n by a malicious process on a compromised system. 
Enabling this setting and then\n selecting the Process even if the Group Policy objects have not changed\n option ensures the policies will be reprocessed even if none have been changed.\n This way, any unauthorized changes are forced to match the domain-based group\n policy settings again.", + "title": "Windows Server 2016 must be configured to prevent the storage of the\n LAN Manager hash of passwords.", + "desc": "The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. This\n setting controls whether a LAN Manager hash of the password is stored in the\n SAM the next time the password is changed.", "descriptions": { - "default": "Registry entries for group policy settings can potentially be changed\n from the required configuration. This could occur as part of troubleshooting or\n by a malicious process on a compromised system. Enabling this setting and then\n selecting the Process even if the Group Policy objects have not changed\n option ensures the policies will be reprocessed even if none have been changed.\n This way, any unauthorized changes are forced to match the domain-based group\n policy settings again.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Group\n Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\\n\n Value Name: NoGPOListChanges\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Group Policy >> Configure registry\n policy processing to Enabled with the option Process even if the Group\n Policy objects have not changed selected." + "default": "The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. 
This\n setting controls whether a LAN Manager hash of the password is stored in the\n SAM the next time the password is changed.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Do not store LAN Manager hash value on next password\n change to Enabled." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73525", - "rid": "SV-88177r1_rule", - "stig_id": "WN16-CC-000150", - "fix_id": "F-79965r1_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-73687", + "rid": "SV-88351r1_rule", + "stig_id": "WN16-SO-000360", + "fix_id": "F-80137r1_fix", "cci": [ - "CCI-000366" + "CCI-000196" ], "nist": [ - "CM-6 b", + "IA-5 (1) (c)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73525' do\n title \"Group Policy objects must be reprocessed even if they have not\n changed.\"\n desc \"Registry entries for group policy settings can potentially be changed\n from the required configuration. This could occur as part of troubleshooting or\n by a malicious process on a compromised system. 
Enabling this setting and then\n selecting the Process even if the Group Policy objects have not changed\n option ensures the policies will be reprocessed even if none have been changed.\n This way, any unauthorized changes are forced to match the domain-based group\n policy settings again.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73525'\n tag \"rid\": 'SV-88177r1_rule'\n tag \"stig_id\": 'WN16-CC-000150'\n tag \"fix_id\": 'F-79965r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Group\n Policy\\\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\\\\n\n Value Name: NoGPOListChanges\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Group Policy >> Configure registry\n policy processing to Enabled with the option Process even if the Group\n Policy objects have not changed selected.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Group Policy\\\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}') do\n it { should have_property 'NoGPOListChanges' }\n its('NoGPOListChanges') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73687' do\n title \"Windows Server 2016 must be configured to prevent the storage of the\n LAN Manager hash of passwords.\"\n desc \"The LAN Manager hash uses a weak encryption algorithm and there are\n several tools available that use this hash to retrieve account passwords. 
This\n setting controls whether a LAN Manager hash of the password is stored in the\n SAM the next time the password is changed.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000073-GPOS-00041'\n tag \"gid\": 'V-73687'\n tag \"rid\": 'SV-88351r1_rule'\n tag \"stig_id\": 'WN16-SO-000360'\n tag \"fix_id\": 'F-80137r1_fix'\n tag \"cci\": ['CCI-000196']\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Do not store LAN Manager hash value on next password\n change to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'NoLMHash' }\n its('NoLMHash') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73525.rb", + "ref": "./Windows 2016 STIG/controls/V-73687.rb", "line": 1 }, - "id": "V-73525" + "id": "V-73687" }, { "title": "The period of time before the bad logon counter is reset must be\n configured to 15 minutes or greater.", 
@@ -6242,21 +6313,21 @@
 "id": "V-73313"
 },
 {
- "title": "Windows Server 2016 must be configured to prevent Internet Control\n Message Protocol (ICMP) redirects from overriding Open Shortest Path First\n (OSPF)-generated routes.",
- "desc": "Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. When disabled, this forces ICMP to be routed via the shortest path\n first.",
+ "title": "Users must be prompted to authenticate when the system wakes from\n sleep (plugged in).",
+ "desc": "A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (plugged in).",
 "descriptions": {
- "default": "Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. When disabled, this forces ICMP to be routed via the shortest path\n first.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)",
- "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (EnableICMPRedirect) Allow\n ICMP redirects to override OSPF generated routes to Disabled.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively."
+ "default": "A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (plugged in).",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: ACSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
+ "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n Require a password when a computer wakes (plugged in) to Enabled."
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-73503",
- "rid": "SV-88155r1_rule",
- "stig_id": "WN16-CC-000060",
- "fix_id": "F-79945r1_fix",
+ "gid": "V-73539",
+ "rid": "SV-88201r1_rule",
+ "stig_id": "WN16-CC-000220",
+ "fix_id": "F-79981r1_fix",
 "cci": [
 "CCI-000366"
 ],
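Review bot: Whether control V-73503 (EnableICMPRedirect, WN16-CC-000060) is still present in the regenerated baseline cannot be determined from this hunk, which replaces it in place with V-73539 (ACSettingIndex, WN16-CC-000220) rather than appending the new control. The same in-place substitution appears in the preceding and following hunks, so the diff reads as a reordering of the controls array, but a dropped control would look identical. If this file is regenerated from a profile export, sorting the controls array by the `id` value before serialising would make future regenerations produce addition-only diffs that can be verified control by control. If V-73503 was removed deliberately, the commit description should say so, since the ICMP-redirect hardening is a security requirement of this baseline.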
@@ -6266,363 +6337,331 @@ ], "documentable": false }, - "code": "control 'V-73503' do\n title \"Windows Server 2016 must be configured to prevent Internet Control\n Message Protocol (ICMP) redirects from overriding Open Shortest Path First\n (OSPF)-generated routes.\"\n desc \"Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. When disabled, this forces ICMP to be routed via the shortest path\n first.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73503'\n tag \"rid\": 'SV-88155r1_rule'\n tag \"stig_id\": 'WN16-CC-000060'\n tag \"fix_id\": 'F-79945r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (EnableICMPRedirect) Allow\n ICMP redirects to override OSPF generated routes to Disabled.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters') do\n it { should have_property 'EnableICMPRedirect' }\n its('EnableICMPRedirect') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73539' do\n title \"Users must be prompted to authenticate when the system wakes from\n sleep (plugged in).\"\n desc \"A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (plugged in).\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73539'\n tag \"rid\": 'SV-88201r1_rule'\n tag \"stig_id\": 'WN16-CC-000220'\n tag \"fix_id\": 'F-79981r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: ACSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n Require a password when a computer wakes (plugged in) to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'ACSettingIndex' }\n its('ACSettingIndex') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 
STIG/controls/V-73503.rb", + "ref": "./Windows 2016 STIG/controls/V-73539.rb", "line": 1 }, - "id": "V-73503" + "id": "V-73539" }, { - "title": "The Application Compatibility Program Inventory must be prevented from\n collecting data and sending the information to Microsoft.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about\n a system and sending the information to Microsoft.", + "title": "Windows PowerShell 2.0 must not be installed.", + "desc": "Windows PowerShell 5.0 added advanced logging features that can\n provide additional detail when malware has been run on a system. Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about\n a system and sending the information to Microsoft.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\\\n\n Value Name: DisableInventory\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Application Compatibility >>\n Turn off Inventory Collector to Enabled." + "default": "Windows PowerShell 5.0 added advanced logging features that can\n provide additional detail when malware has been run on a system. Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.", + "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq PowerShell-v2.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", + "fix": "Uninstall the Windows PowerShell 2.0 Engine.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Windows PowerShell 2.0 Engine under Windows PowerShell on the\n Features page.\n\n Click Next and Remove as prompted." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73543", - "rid": "SV-88207r1_rule", - "stig_id": "WN16-CC-000240", - "fix_id": "F-79985r1_fix", + "gid": "V-73301", + "rid": "SV-87953r1_rule", + "stig_id": "WN16-00-000420", + "fix_id": "F-79743r1_fix", "cci": [ "CCI-000381" ], "nist": [ - "CM-7 a", - "Rev_4" - ], - "documentable": false - }, - "code": "control 'V-73543' do\n title \"The Application Compatibility Program Inventory must be prevented from\n collecting data and sending the information to Microsoft.\"\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about\n a system and sending the information to Microsoft.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73543'\n tag \"rid\": 'SV-88207r1_rule'\n tag \"stig_id\": 'WN16-CC-000240'\n tag \"fix_id\": 'F-79985r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat\\\\\n\n Value Name: DisableInventory\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Application Compatibility >>\n Turn off Inventory Collector to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat') do\n it { should have_property 'DisableInventory' }\n 
its('DisableInventory') { should cmp 1 }\n end\nend\n", - "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73543.rb", - "line": 1 - }, - "id": "V-73543" - }, - { - "title": "The Windows Remote Management (WinRM) client must not use Digest\n authentication.", - "desc": "Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks. Disallowing Digest authentication will\n reduce this potential.", - "descriptions": { - "default": "Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks. Disallowing Digest authentication will\n reduce this potential.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowDigest\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Disallow Digest authentication to Enabled." - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000125-GPOS-00065", - "gid": "V-73597", - "rid": "SV-88261r1_rule", - "stig_id": "WN16-CC-000520", - "fix_id": "F-80047r1_fix", - "cci": [ - "CCI-000877" - ], - "nist": [ - "MA-4 c", + "CM-7", "Rev_4" ], "documentable": false }, - "code": "control 'V-73597' do\n title \"The Windows Remote Management (WinRM) client must not use Digest\n authentication.\"\n desc \"Digest authentication is not as strong as other options and may be\n subject to man-in-the-middle attacks. 
Disallowing Digest authentication will\n reduce this potential.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000125-GPOS-00065'\n tag \"gid\": 'V-73597'\n tag \"rid\": 'SV-88261r1_rule'\n tag \"stig_id\": 'WN16-CC-000520'\n tag \"fix_id\": 'F-80047r1_fix'\n tag \"cci\": ['CCI-000877']\n tag \"nist\": ['MA-4 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowDigest\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Disallow Digest authentication to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowDigest' }\n its('AllowDigest') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73301' do\n title 'Windows PowerShell 2.0 must not be installed.'\n desc \"Windows PowerShell 5.0 added advanced logging features that can\n provide additional detail when malware has been run on a system. 
Disabling the\n Windows PowerShell 2.0 mitigates against a downgrade attack that evades the\n Windows PowerShell 5.0 script block logging feature.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73301'\n tag \"rid\": 'SV-87953r1_rule'\n tag \"stig_id\": 'WN16-00-000420'\n tag \"fix_id\": 'F-79743r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq PowerShell-v2.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Windows PowerShell 2.0 Engine.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Windows PowerShell 2.0 Engine under Windows PowerShell on the\n Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('PowerShell-v2') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73597.rb", + "ref": "./Windows 2016 STIG/controls/V-73301.rb", "line": 1 }, - "id": "V-73597" + "id": "V-73301" }, { - "title": "User Account Control approval mode for the built-in Administrator must\n be enabled.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.", + "title": "The maximum age for machine account passwords must be configured to 30\n days or less.", + "desc": "Computer account passwords are changed automatically on a regular\n basis. 
This setting controls the maximum password age that a machine account\n may have. This must be set to no more than 30 days, ensuring the machine\n changes its password monthly.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.", - "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Admin Approval Mode for the Built-in Administrator account\n to Enabled." - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-73707", - "rid": "SV-88371r1_rule", - "stig_id": "WN16-SO-000460", - "fix_id": "F-80157r1_fix", + "default": "Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. 
This must be set to no more than 30 days, ensuring the machine\n changes its password monthly.", + "check": "This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, but not 0)", + "fix": "This is the default configuration for this setting (30 days).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> Domain member:\n Maximum machine account password age to 30 or less (excluding 0,\n which is unacceptable)." + }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73641", + "rid": "SV-88305r1_rule", + "stig_id": "WN16-SO-000120", + "fix_id": "F-80091r1_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73707' do\n title \"User Account Control approval mode for the built-in Administrator must\n be enabled.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the built-in Administrator account so that it runs in\n Admin Approval Mode.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73707'\n tag \"rid\": 'SV-88371r1_rule'\n tag \"stig_id\": 'WN16-SO-000460'\n tag \"fix_id\": 'F-80157r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation 
option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Admin Approval Mode for the Built-in Administrator account\n to Enabled.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'FilterAdministratorToken' }\n its('FilterAdministratorToken') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-73641' do\n title \"The maximum age for machine account passwords must be configured to 30\n days or less.\"\n desc \"Computer account passwords are changed automatically on a regular\n basis. This setting controls the maximum password age that a machine account\n may have. 
This must be set to no more than 30 days, ensuring the machine\n changes its password monthly.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73641'\n tag \"rid\": 'SV-88305r1_rule'\n tag \"stig_id\": 'WN16-SO-000120'\n tag \"fix_id\": 'F-80091r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, but not 0)\"\n desc \"fix\", \"This is the default configuration for this setting (30 days).\n\n Configure the policy value for Computer Configuration >> Windows Settings >>\n Security Settings >> Local Policies >> Security Options >> Domain member:\n Maximum machine account password age to 30 or less (excluding 0,\n which is unacceptable).\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'MaximumPasswordAge' }\n its('MaximumPasswordAge') { should be <= 30 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'MaximumPasswordAge' }\n its('MaximumPasswordAge') { should be > 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73707.rb", + "ref": "./Windows 2016 STIG/controls/V-73641.rb", "line": 1 }, - "id": "V-73707" + "id": "V-73641" }, { - "title": "User Account Control must, at a minimum, prompt administrators for\n consent on the secure desktop.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including 
administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged-on administrators\n to complete a task that requires raised privileges.", + "title": "A screen saver must be enabled on the system.", + "desc": "Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged-on administrators\n to complete a task that requires raised privileges.", - "check": "UAC requirements are NA for Server Core installations (this is\n default installation option for Windows Server 2016 versus Server with Desktop\n Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (Prompt for consent on the secure desktop)\n 0x00000001 (1) (Prompt for credentials on the secure desktop)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Behavior of the elevation prompt for administrators in Admin\n Approval Mode to Prompt for consent on the secure desktop.\n\n The more secure option for this setting, Prompt for credentials on the secure\n desktop, would also be acceptable." 
+ "default": "Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Control\n Panel\\Desktop\\\n\n Value Name: ScreenSaveActive\n\n Type: REG_SZ\n Value: 1\n\n Applications requiring continuous, real-time screen display (e.g., network\n management products) require the following and must be documented with the ISSO:\n\n - The logon session does not have administrator rights.\n - The display station (e.g., keyboard, monitor, etc.) is located in a\n controlled access area.", + "fix": "Configure the policy value for User Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Enable screen\n saver to Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-73711", - "rid": "SV-88375r1_rule", - "stig_id": "WN16-SO-000480", - "fix_id": "F-80161r1_fix", + "gtitle": "SRG-OS-000031-GPOS-00012", + "gid": "V-73723", + "rid": "SV-88387r1_rule", + "stig_id": "WN16-UC-000010", + "fix_id": "F-80173r1_fix", "cci": [ - "CCI-001084" + "CCI-000060" ], "nist": [ - "SC-3", + "AC-11 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73711' do\n title \"User Account Control must, at a minimum, prompt administrators for\n consent on the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures the elevation requirements for logged-on administrators\n to complete a task that requires raised privileges.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73711'\n tag \"rid\": 'SV-88375r1_rule'\n tag \"stig_id\": 'WN16-SO-000480'\n tag \"fix_id\": 'F-80161r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n default installation option for Windows Server 2016 versus Server with Desktop\n Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (Prompt for consent on the secure desktop)\n 0x00000001 (1) (Prompt for credentials on the secure desktop)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: 
Behavior of the elevation prompt for administrators in Admin\n Approval Mode to Prompt for consent on the secure desktop.\n\n The more secure option for this setting, Prompt for credentials on the secure\n desktop, would also be acceptable.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorAdmin' }\n its('ConsentPromptBehaviorAdmin') { should cmp 2 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorAdmin' }\n its('ConsentPromptBehaviorAdmin') { should cmp 1 }\n end\n end\n end\nend\n", + "code": "control 'V-73723' do\n title 'A screen saver must be enabled on the system.'\n desc \"Unattended systems are susceptible to unauthorized use and must be\n locked when unattended. 
Enabling a password-protected screen saver to engage\n after a specified period of time helps protects critical and sensitive data\n from exposure to unauthorized personnel with physical access to the computer.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000031-GPOS-00012'\n tag \"gid\": 'V-73723'\n tag \"rid\": 'SV-88387r1_rule'\n tag \"stig_id\": 'WN16-UC-000010'\n tag \"fix_id\": 'F-80173r1_fix'\n tag \"cci\": ['CCI-000060']\n tag \"nist\": ['AC-11 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control\n Panel\\\\Desktop\\\\\n\n Value Name: ScreenSaveActive\n\n Type: REG_SZ\n Value: 1\n\n Applications requiring continuous, real-time screen display (e.g., network\n management products) require the following and must be documented with the ISSO:\n\n - The logon session does not have administrator rights.\n - The display station (e.g., keyboard, monitor, etc.) is located in a\n controlled access area.\"\n desc \"fix\", \"Configure the policy value for User Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Enable screen\n saver to Enabled.\"\n describe registry_key(\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Control\n Panel\\\\Desktop\") do\n it { should have_property 'ScreenSaveActive' }\n its('ScreenSaveActive') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73711.rb", + "ref": "./Windows 2016 STIG/controls/V-73723.rb", "line": 1 }, - "id": "V-73711" + "id": "V-73723" }, { - "title": "Non-system-created file shares on a system must limit access to groups\n that require it.", - "desc": "Shares on a system provide network access. 
To prevent exposing\n sensitive information, where shares are necessary, permissions must be\n reconfigured to give the minimum access to accounts that require it.", + "title": "Virtualization-based protection of code integrity must be enabled on\n domain-joined systems.", + "desc": "Virtualization-based protection of code integrity enforces kernel mode\n memory protections as well as protecting Code Integrity validation paths. This\n isolates the processes from the rest of the operating system and can only be\n accessed by privileged system software.", "descriptions": { - "default": "Shares on a system provide network access. To prevent exposing\n sensitive information, where shares are necessary, permissions must be\n reconfigured to give the minimum access to accounts that require it.", - "check": "If only system-created shares such as ADMIN$, C$, and\n IPC$ exist on the system, this is NA. (System-created shares will display a\n message that it has been shared for administrative purposes when Properties\n is selected.)\n\n Run Computer Management.\n\n Navigate to System Tools >> Shared Folders >> Shares.\n\n Right-click any non-system-created shares.\n\n Select Properties.\n\n Select the Share Permissions tab.\n\n If the file shares have not been configured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\n\n Select the Security tab.\n\n If the permissions have not been configured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.", - "fix": "If a non-system-created share is required on a system, configure\n the share and NTFS permissions to limit access to the specific groups or\n accounts that require it.\n\n Remove any unnecessary non-system-created shares." + "default": "Virtualization-based protection of code integrity enforces kernel mode\n memory protections as well as protecting Code Integrity validation paths. 
This\n isolates the processes from the rest of the operating system and can only be\n accessed by privileged system software.", + "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\n\n If SecurityServicesRunning does not include a value of 2 (e.g., {1,\n 2}), this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Security Services Running does not list Hypervisor\n enforced Code Integrity, this is a finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. However due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: HypervisorEnforcedCodeIntegrity\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled\n without lock)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Enabled with UEFI lock or Enabled\n without lock selected for Virtualization Based Protection for Code\n Integrity.\n\n Enabled with UEFI lock is preferred as more secure; however, it cannot be\n turned off remotely through a group policy change if there is an issue.\n Enabled without lock will allow this to be turned off remotely while\n testing for issues." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-73267", - "rid": "SV-87919r1_rule", - "stig_id": "WN16-00-000250", - "fix_id": "F-79711r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73517", + "rid": "SV-88169r1_rule", + "stig_id": "WN16-CC-000130", + "fix_id": "F-79959r1_fix", "cci": [ - "CCI-001090" + "CCI-000366" ], "nist": [ - "SC-4", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73267' do\n title \"Non-system-created file shares on a system must limit access to groups\n that require it.\"\n desc \"Shares on a system provide network access. To prevent exposing\n sensitive information, where shares are necessary, permissions must be\n reconfigured to give the minimum access to accounts that require it.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73267'\n tag \"rid\": 'SV-87919r1_rule'\n tag \"stig_id\": 'WN16-00-000250'\n tag \"fix_id\": 'F-79711r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If only system-created shares such as ADMIN$, C$, and\n IPC$ exist on the system, this is NA. 
(System-created shares will display a\n message that it has been shared for administrative purposes when Properties\n is selected.)\n\n Run Computer Management.\n\n Navigate to System Tools >> Shared Folders >> Shares.\n\n Right-click any non-system-created shares.\n\n Select Properties.\n\n Select the Share Permissions tab.\n\n If the file shares have not been configured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\n\n Select the Security tab.\n\n If the permissions have not been configured to restrict permissions to the\n specific groups or accounts that require access, this is a finding.\"\n desc \"fix\", \"If a non-system-created share is required on a system, configure\n the share and NTFS permissions to limit access to the specific groups or\n accounts that require it.\n\n Remove any unnecessary non-system-created shares.\"\n\n get = command('Get-WMIObject -Query \"SELECT * FROM Win32_Share\" | Findstr /V \"Name --\"').stdout.strip.split(\"\\n\")\n share_names = []\n share_paths = []\n get.each do |share|\n loc_space = share.index(' ')\n\n names = share[0..loc_space-1]\n\n share_names.push(names)\n path = share[40..50]\n share_paths.push(path)\n end\n share_names_string = share_names.join(',')\n\n if share_names_string != 'ADMIN$,C$,IPC$'\n\n [share_paths, share_names].each do |path1, _name1|\n\n describe command(\"Get-Acl -Path '#{path1}' | Format-List | Findstr /i /C:'Everyone Allow'\") do\n its('stdout') { should eq '' }\n end\n end\n end\n\n if share_names_string == 'ADMIN$,C$,IPC$'\n impact 0.0\n desc 'Only the default files shares ADMIN$, C$ ,and IPC$ exist on this system, therefore this control is not applicable'\n end\nend\n", + "code": "control 'V-73517' do\n title \"Virtualization-based protection of code integrity must be enabled on\n domain-joined systems.\"\n desc \"Virtualization-based protection of code integrity enforces kernel mode\n memory protections as well as protecting Code 
Integrity validation paths. This\n isolates the processes from the rest of the operating system and can only be\n accessed by privileged system software.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73517'\n tag \"rid\": 'SV-88169r1_rule'\n tag \"stig_id\": 'WN16-CC-000130'\n tag \"fix_id\": 'F-79959r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\n\n If SecurityServicesRunning does not include a value of 2 (e.g., {1,\n 2}), this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Security Services Running does not list Hypervisor\n enforced Code Integrity, this is a finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. 
However due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: HypervisorEnforcedCodeIntegrity\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled\n without lock)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Enabled with UEFI lock or Enabled\n without lock selected for Virtualization Based Protection for Code\n Integrity.\n\n Enabled with UEFI lock is preferred as more secure; however, it cannot be\n turned off remotely through a group policy change if there is an issue.\n Enabled without lock will allow this to be turned off remotely while\n testing for issues.\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'HypervisorEnforcedCodeIntegrity' }\n its('HypervisorEnforcedCodeIntegrity') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'HypervisorEnforcedCodeIntegrity' }\n its('HypervisorEnforcedCodeIntegrity') { should cmp 2 }\n end\n end\n only_if { is_domain != 'WORKGROUP' }\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems' do\n skip 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73267.rb", + "ref": "./Windows 
2016 STIG/controls/V-73517.rb", "line": 1 }, - "id": "V-73267" + "id": "V-73517" }, { - "title": "The US DoD CCEB Interoperability Root CA cross-certificates must be\n installed in the Untrusted Certificates Store on unclassified systems.", - "desc": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", + "title": "Software certificate installation files must be removed from Windows\n Server 2016.", + "desc": "Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.", "descriptions": { - "default": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", - "check": "This is applicable to unclassified systems. It is NA for others.\n\n Open PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where Issuer -Like *CCEB\n Interoperability* | FL Subject, Issuer, Thumbprint, NotAfter\n\n If the following certificate Subject, Issuer, and Thumbprint\n information is not displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n NotAfter: 3/9/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Untrusted Certificates >>\n Certificates.\n\n For each certificate with US DoD CCEB Interoperability Root CA … under\n Issued By:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the certificate below is not listed or the value for the Thumbprint\n field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: US DoD CCEB Interoperability Root CA 1\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n Valid to: Saturday, March 9, 2019\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019", - "fix": "Install the US DoD CCEB Interoperability Root CA\n cross-certificate on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 -\n DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 -\n 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n Administrators should run the Federal Bridge Certification 
Authority (FBCA)\n Cross-Certificate Removal Tool once as an administrator and once as the current\n user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." + "default": "Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.", + "check": "Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement for\n certificate files. Some applications create files with extensions of .p12 that\n are not certificate installation files. Removal of non-certificate installation\n files from systems is not required. These must be documented with the ISSO.", + "fix": "Remove any certificate installation files (*.p12 and *.pfx) found\n on a system.\n\n This does not apply to server-based applications that have a requirement for\n certificate files." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000066-GPOS-00034", - "satisfies": [ - "SRG-OS-000066-GPOS-00034", - "SRG-OS-000403-GPOS-00182" - ], - "gid": "V-73609", - "rid": "SV-88273r2_rule", - "stig_id": "WN16-PK-000030", - "fix_id": "F-87315r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73271", + "rid": "SV-87923r1_rule", + "stig_id": "WN16-00-000270", + "fix_id": "F-79715r1_fix", "cci": [ - "CCI-000185", - "CCI-002470" + "CCI-000366" ], "nist": [ - "IA-5 (2) (a)", - "SC-23 (5)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73609' do\n title \"The US DoD CCEB Interoperability Root CA cross-certificates must be\n installed in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"satisfies\": ['SRG-OS-000066-GPOS-00034', 'SRG-OS-000403-GPOS-00182']\n tag \"gid\": 'V-73609'\n tag \"rid\": 'SV-88273r2_rule'\n tag \"stig_id\": 'WN16-PK-000030'\n tag \"fix_id\": 'F-87315r1_fix'\n tag \"cci\": ['CCI-000185', 'CCI-002470']\n tag \"nist\": ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This is applicable to unclassified systems. 
It is NA for others.\n\n Open PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where Issuer -Like *CCEB\n Interoperability* | FL Subject, Issuer, Thumbprint, NotAfter\n\n If the following certificate Subject, Issuer, and Thumbprint\n information is not displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n NotAfter: 3/9/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Untrusted Certificates >>\n Certificates.\n\n For each certificate with US DoD CCEB Interoperability Root CA … under\n Issued By:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the certificate below is not listed or the value for the Thumbprint\n field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: US DoD CCEB Interoperability Root CA 1\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n Valid to: Saturday, March 9, 2019\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 
2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019\"\n desc \"fix\", \"Install the US DoD CCEB Interoperability Root CA\n cross-certificate on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 -\n DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 -\n 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n Administrators should run the Federal Bridge Certification Authority (FBCA)\n Cross-Certificate Removal Tool once as an administrator and once as the current\n user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n is_unclassified_system = input('is_unclassified_system')\n dod_cceb_certificates = JSON.parse(input('dod_cceb_certificates').to_json)\n if is_unclassified_system\n query = json({command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*CCEB Interoperability*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json'})\n describe 'The US DoD CCEB Interoperability Root CA cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_cceb_certificates }\n end\n else\n impact 0.0\n describe 'This is NOT an unclassified system, therefore this control is not applicable' do\n skip 'This is NOT an unclassified system, therefore this control is not applicable'\n end\n end\nend \n", + "code": "control 'V-73271' do\n title \"Software certificate installation files must be removed from Windows\n Server 2016.\"\n desc \"Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73271'\n tag \"rid\": 
'SV-87923r1_rule'\n tag \"stig_id\": 'WN16-00-000270'\n tag \"fix_id\": 'F-79715r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement for\n certificate files. Some applications create files with extensions of .p12 that\n are not certificate installation files. Removal of non-certificate installation\n files from systems is not required. These must be documented with the ISSO.\"\n desc \"fix\", \"Remove any certificate installation files (*.p12 and *.pfx) found\n on a system.\n\n This does not apply to server-based applications that have a requirement for\n certificate files.\"\n\n where_cmd = command('where /R c: *.p12 *.pfx').stdout\n describe \"Software certificate installation files found on this system\" do\n subject { where_cmd }\n it { should eq '' }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73609.rb", + "ref": "./Windows 2016 STIG/controls/V-73271.rb", "line": 1 }, - "id": "V-73609" + "id": "V-73271" }, { - "title": "The Server Message Block (SMB) v1 protocol must be disabled on the SMB\n client.", - "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.", + "title": "The Generate security audits user right must only be assigned to Local\n Service and Network Service.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Generate security audits user right specifies users and processes\n that can generate Security Log audit records, which must only be the system\n service accounts defined.", "descriptions": { - "default": "SMBv1 is a legacy 
protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.", - "check": "Different methods are available to disable SMBv1 on Windows\n 2016, if V-73299 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a\n finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Configure SMBv1 client\n driver to Enabled with Disable driver (recommended) selected for\n Configure MrxSmb10 driver.\n\n The system must be restarted for the changes to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. SecGuide.admx and SecGuide.adml must be\n copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Generate security audits user right specifies users and processes\n that can generate Security Log audit records, which must only be the system\n service accounts defined.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Generate\n security audits user right, this is a finding.\n\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Generate security audits to include only the following accounts or groups:\n\n - Local Service\n - Network Service" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-78125", - "rid": "SV-92831r1_rule", - "stig_id": "WN16-00-000412", - "fix_id": "F-84847r2_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73783", + "rid": "SV-88447r1_rule", + "stig_id": "WN16-UR-000210", + "fix_id": "F-80233r1_fix", "cci": [ - "CCI-000381" + "CCI-002235" ], "nist": [ - "CM-7 a", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-78125' do\n title \"The Server Message Block (SMB) v1 protocol must be disabled on the SMB\n client.\"\n desc \"SMBv1 is a legacy 
protocol that uses the MD5 algorithm as part of SMB.\n MD5 is known to be vulnerable to a number of attacks such as collision and\n preimage attacks as well as not being FIPS compliant.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-78125'\n tag \"rid\": 'SV-92831r1_rule'\n tag \"stig_id\": 'WN16-00-000412'\n tag \"fix_id\": 'F-84847r2_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows\n 2016, if V-73299 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a\n finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10\\\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Configure SMBv1 client\n driver to Enabled with Disable driver (recommended) selected for\n Configure MrxSmb10 driver.\n\n The system must be restarted for the changes to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
SecGuide.admx and SecGuide.adml must be\n copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n if windows_feature('FS-SMB1').installed?\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10') do\n it { should have_property 'Start' }\n its('Start') { should cmp 4 }\n end\n else\n impact 0.0\n describe 'SMBv1 is not installed on this system, therefore this control is not applicable' do\n skip 'SMBv1 is not installed on this system, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-73783' do\n title \"The Generate security audits user right must only be assigned to Local\n Service and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Generate security audits user right specifies users and processes\n that can generate Security Log audit records, which must only be the system\n service accounts defined.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73783'\n tag \"rid\": 'SV-88447r1_rule'\n tag \"stig_id\": 'WN16-UR-000210'\n tag \"fix_id\": 'F-80233r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Generate\n security audits user right, this is a finding.\n\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The 
application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Generate security audits to include only the following accounts or groups:\n\n - Local Service\n - Network Service\"\n describe.one do\n describe security_policy do\n its('SeAuditPrivilege') { should be_in ['S-1-5-19', 'S-1-5-20'] }\n end\n describe security_policy do\n its('SeAuditPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-78125.rb", + "ref": "./Windows 2016 STIG/controls/V-73783.rb", "line": 1 }, - "id": "V-78125" + "id": "V-73783" }, { - "title": "User Account Control must automatically deny standard user requests\n for elevation.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting controls the behavior of elevation when requested by a standard\n user account.", + "title": "The Deny access to this computer from the network user right on member\n servers must be configured to prevent access from highly privileged domain\n accounts and local accounts on domain systems, and from unauthenticated access\n on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local 
accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting controls the behavior of elevation when requested by a standard\n user account.", - "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Behavior of the elevation prompt for standard users to\n Automatically deny elevation requests." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny access to\n this computer from the network user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\n\n Note: These are built-in security groups. 
Local account is more restrictive\n but may cause issues on servers such as systems that provide failover\n clustering.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny access to this computer from the network to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group \n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\n\n Note: These are built-in security groups. Local account is more restrictive\n but may cause issues on servers such as systems that provide failover\n clustering." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-73713", - "rid": "SV-88377r1_rule", - "stig_id": "WN16-SO-000490", - "fix_id": "F-80163r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73759", + "rid": "SV-88423r1_rule", + "stig_id": "WN16-MS-000370", + "fix_id": "F-80209r1_fix", "cci": [ - "CCI-002038" + "CCI-000213" ], "nist": [ - "IA-11", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73713' do\n title \"User Account Control must automatically deny standard user requests\n for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting controls the behavior of elevation when requested by a standard\n user account.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73713'\n 
tag \"rid\": 'SV-88377r1_rule'\n tag \"stig_id\": 'WN16-SO-000490'\n tag \"fix_id\": 'F-80163r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Behavior of the elevation prompt for standard users to\n Automatically deny elevation requests.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorUser' }\n its('ConsentPromptBehaviorUser') { should cmp 0 }\n end\n end\nend\n", + "code": "control 'V-73759' do\n title \"The Deny access to this computer from the network user right on member\n servers must be 
configured to prevent access from highly privileged domain\n accounts and local accounts on domain systems, and from unauthenticated access\n on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny access to this computer from the network user right defines\n the accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73759'\n tag \"rid\": 'SV-88423r1_rule'\n tag \"stig_id\": 'WN16-MS-000370'\n tag \"fix_id\": 'F-80209r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny access to\n this computer from the network user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\n\n Note: These are built-in security groups. Local account is more restrictive\n but may cause issues on servers such as systems that provide failover\n clustering.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny access to this computer from the network to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group \n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\n\n Note: These are built-in security groups. 
Local account is more restrictive\n but may cause issues on servers such as systems that provide failover\n clustering.\"\n\n is_AD_only_system = input('is_AD_only_system')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n elsif is_AD_only_system\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n else\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include 'S-1-5-32-546' }\n end\n if domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: enterprise_admin_sid_query).params\n\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n\n describe.one do\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"S-1-5-113\" }\n end\n 
describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"S-1-5-114\" }\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73713.rb", + "ref": "./Windows 2016 STIG/controls/V-73759.rb", "line": 1 }, - "id": "V-73713" + "id": "V-73759" }, { - "title": "Shared user accounts must not be permitted on the system.", - "desc": "Shared accounts (accounts where two or more people log on with the\n same user identification) do not provide adequate identification and\n authentication. There is no way to provide for non repudiation or individual\n accountability for system access and resource usage.", + "title": "Windows Server 2016 must be configured to audit Account Management -\n Security Group Management successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\n changing security groups, including changes in group members.", "descriptions": { - "default": "Shared accounts (accounts where two or more people log on with the\n same user identification) do not provide adequate identification and\n authentication. There is no way to provide for non repudiation or individual\n accountability for system access and resource usage.", - "check": "Determine whether any shared accounts exist. If no shared\n accounts exist, this is NA.\n\n Shared accounts, such as required by an application, may be approved by the\n organization. This must be documented with the ISSO. 
Documentation must\n include the reason for the account, who has access to the account, and how the\n risk of using the shared account is mitigated to include monitoring account\n activity.\n\n If unapproved shared accounts exist, this is a finding.", - "fix": "Remove unapproved shared accounts from the system.\n\n Document required shared accounts with the ISSO. Documentation must include the\n reason for the account, who has access to the account, and how the risk of\n using the shared account is mitigated to include monitoring account activity." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\n changing security groups, including changes in group members.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Security Group Management - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Security Group Management\n 
with Success selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000104-GPOS-00051", - "gid": "V-73233", - "rid": "SV-87885r2_rule", - "stig_id": "WN16-00-000080", - "fix_id": "F-86117r1_fix", + "gtitle": "SRG-OS-000004-GPOS-00004", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-73423", + "rid": "SV-88075r1_rule", + "stig_id": "WN16-AU-000120", + "fix_id": "F-79865r1_fix", "cci": [ - "CCI-000764" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ - "IA-2", + "AC-2 (4)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73233' do\n title 'Shared user accounts must not be permitted on the system.'\n desc \"Shared accounts (accounts where two or more people log on with the\n same user identification) do not provide adequate identification and\n authentication. There is no way to provide for non repudiation or individual\n accountability for system access and resource usage.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000104-GPOS-00051'\n tag \"gid\": 'V-73233'\n tag \"rid\": 'SV-87885r2_rule'\n tag \"stig_id\": 'WN16-00-000080'\n tag \"fix_id\": 'F-86117r1_fix'\n tag \"cci\": ['CCI-000764']\n tag \"nist\": ['IA-2', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine whether any shared accounts exist. If no shared\n accounts exist, this is NA.\n\n Shared accounts, such as required by an application, may be approved by the\n organization. This must be documented with the ISSO. 
Documentation must\n include the reason for the account, who has access to the account, and how the\n risk of using the shared account is mitigated to include monitoring account\n activity.\n\n If unapproved shared accounts exist, this is a finding.\"\n desc \"fix\", \"Remove unapproved shared accounts from the system.\n\n Document required shared accounts with the ISSO. Documentation must include the\n reason for the account, who has access to the account, and how the risk of\n using the shared account is mitigated to include monitoring account activity.\"\n get_accounts = command(\"net user | Findstr /v 'command -- accounts'\").stdout.strip.split(' ')\n shared_accounts = attribute('shared_accounts')\n\n if shared_accounts.empty?\n impact 0.0\n describe 'This system does not have any shared accounts, therefore this control is not applicable' do\n skip 'This system does not have any shared accounts, therefore this control is not applicable'\n end\n else\n get_accounts.each do |user|\n describe user do\n it { should_not be_in shared_accounts }\n end\n end\n end\nend\n", + "code": "control 'V-73423' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n Security Group Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\n changing security groups, including changes in group members.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000004-GPOS-00004'\n tag \"satisfies\": ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',\n 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',\n 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag \"gid\": 'V-73423'\n tag \"rid\": 'SV-88075r1_rule'\n tag \"stig_id\": 'WN16-AU-000120'\n tag \"fix_id\": 'F-79865r1_fix'\n tag \"cci\": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',\n 'CCI-001405', 'CCI-002130']\n tag \"nist\": ['AC-2 (4)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Security Group Management - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Security Group Management\n with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Security Group Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security Group 
Management') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security Group Management'\") do\n its('stdout') { should match /Security Group Management Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Security Group Management'\") do\n its('stdout') { should match /Security Group Management Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73233.rb", + "ref": "./Windows 2016 STIG/controls/V-73423.rb", "line": 1 }, - "id": "V-73233" + "id": "V-73423" }, { - "title": "Manually managed application account passwords must be at least 15\n characters in length.", - "desc": "Application/service account passwords must be of sufficient length to\n prevent being easily cracked. Application/service accounts that are manually\n managed must have passwords at least 15 characters in length.", + "title": "Permissions on the Active Directory data files must only allow System\n and Administrators access.", + "desc": "Improper access permissions for directory data-related files could\n allow unauthorized users to read, modify, or delete directory data or audit\n trails.", "descriptions": { - "default": "Application/service account passwords must be of sufficient length to\n prevent being easily cracked. Application/service accounts that are manually\n managed must have passwords at least 15 characters in length.", - "check": "Determine if manually managed application/service accounts\n exist. If none exist, this is NA.\n\n Verify the organization has a policy to ensure passwords for manually managed\n application/service accounts are at least 15 characters in length.\n\n If such a policy does not exist or has not been implemented, this is a finding.", - "fix": "Establish a policy that requires application/service account\n passwords that are manually managed to be at least 15 characters in length.\n Ensure the policy is enforced." 
+ "default": "Improper access permissions for directory data-related files could\n allow unauthorized users to read, modify, or delete directory data or audit\n trails.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Run Regedit.\n\n Navigate to\n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters.\n\n Note the directory locations in the values for:\n\n Database log files path\n DSA Database file\n\n By default, they will be \\Windows\\NTDS.\n\n If the locations are different, the following will need to be run for each.\n\n Open Command Prompt (Admin).\n\n Navigate to the NTDS directory (\\Windows\\NTDS by default).\n\n Run icacls *.*.\n\n If the permissions on each file are not as restrictive as the following, this\n is a finding.\n\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access", + "fix": "Maintain the permissions on NTDS database and log files as\n follows:\n\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000078-GPOS-00046", - "gid": "V-73229", - "rid": "SV-87881r1_rule", - "stig_id": "WN16-00-000060", - "fix_id": "F-79673r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73369", + "rid": "SV-88021r1_rule", + "stig_id": "WN16-DC-000070", + "fix_id": "F-79811r1_fix", "cci": [ - "CCI-000205" + "CCI-002235" ], "nist": [ - "IA-5 (1) (a)", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73229' do\n title \"Manually managed application account passwords must be at least 15\n characters in length.\"\n desc \"Application/service account passwords must be of sufficient length to\n prevent being easily cracked. 
Application/service accounts that are manually\n managed must have passwords at least 15 characters in length.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000078-GPOS-00046'\n tag \"gid\": 'V-73229'\n tag \"rid\": 'SV-87881r1_rule'\n tag \"stig_id\": 'WN16-00-000060'\n tag \"fix_id\": 'F-79673r1_fix'\n tag \"cci\": ['CCI-000205']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if manually managed application/service accounts\n exist. If none exist, this is NA.\n\n Verify the organization has a policy to ensure passwords for manually managed\n application/service accounts are at least 15 characters in length.\n\n If such a policy does not exist or has not been implemented, this is a finding.\"\n desc \"fix\", \"Establish a policy that requires application/service account\n passwords that are manually managed to be at least 15 characters in length.\n Ensure the policy is enforced.\"\n describe security_policy do\n its('MinimumPasswordLength') { should be >= 15 }\n end\nend\n", + "code": "control 'V-73369' do\n title \"Permissions on the Active Directory data files must only allow System\n and Administrators access.\"\n desc \"Improper access permissions for directory data-related files could\n allow unauthorized users to read, modify, or delete directory data or audit\n trails.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73369'\n tag \"rid\": 'SV-88021r1_rule'\n tag \"stig_id\": 'WN16-DC-000070'\n tag \"fix_id\": 'F-79811r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Run Regedit.\n\n Navigate to\n HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters.\n\n Note the directory locations in the values for:\n\n Database log files path\n DSA Database file\n\n By default, they will be \\\\Windows\\\\NTDS.\n\n If the locations are different, the following will need to be run for each.\n\n Open Command Prompt (Admin).\n\n Navigate to the NTDS directory (\\\\Windows\\\\NTDS by default).\n\n Run icacls *.*.\n\n If the permissions on each file are not as restrictive as the following, this\n is a finding.\n\n NT AUTHORITY\\\\SYSTEM:(I)(F)\n BUILTIN\\\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access\"\n desc \"fix\", \"Maintain the permissions on NTDS database and log files as\n follows:\n\n NT AUTHORITY\\\\SYSTEM:(I)(F)\n BUILTIN\\\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n default_path = \"\\\\Windows\\\\NTDS\"\n reg_params = registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters')\n dsa_db_file_path = reg_params['DSA Database file'].split(\":\")[1]\n db_log_files_path = reg_params['Database log files path'].split(\":\")[1]\n if !dsa_db_file_path.start_with?(default_path) || !db_log_files_path.start_with?(default_path)\n acl_rules = []\n if !dsa_db_file_path.start_with?(default_path)\n acl_rules = json(command: \"(Get-ACL -Path '#{reg_params['DSA Database file']}') | Select -Property PSChildName -ExpandProperty Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n end\n if !db_log_files_path.start_with?(default_path)\n acl_rules.push(*json(command: \"(Get-ACL -Path '#{reg_params['Database log files path']}\\\\\\*.\\*') | Select -Property PSChildName -ExpandProperty Access | 
ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params)\n end\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['PSChildName']} file\\'s access rule property\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n describe.one do\n describe \"The #{acl_rule['PSChildName']} file\\'s access rule property\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n end\n describe \"The #{acl_rule['PSChildName']} file\\'s access rule property\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n end\n end\n end\n else\n describe \"Database log files path\" do\n subject { db_log_files_path }\n it { should cmp default_path }\n end\n describe \"DSA Database file\" do\n subject { dsa_db_file_path }\n it { should start_with default_path}\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable.' do\n skip 'This system is not a domain controller, therefore this control is not applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73229.rb", + "ref": "./Windows 2016 STIG/controls/V-73369.rb", "line": 1 }, - "id": "V-73229" + "id": "V-73369" }, { - "title": "The Load and unload device drivers user right must only be assigned to\n the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Load and unload device drivers user right allows a user to load\n device drivers dynamically on a system. 
This could be used by an attacker to\n install malicious code.",
+ "title": "Domain-created Active Directory Organizational Unit (OU) objects must\nhave proper access control permissions.",
+ "desc": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service to authorized users.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Load and unload device drivers user right allows a user to load\n device drivers dynamically on a system. 
This could be used by an attacker to\n install malicious code.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Load and\n unload device drivers user right, this is a finding.\n\n - Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Load and unload device drivers to include only the following accounts or\n groups:\n\n - Administrators" + "default": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service to authorized users.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\nReview the permissions on domain-defined OUs.\n\nOpen Active Directory Users and Computers (available from various menus or\nrun dsa.msc).\n\nEnsure Advanced Features is selected in the View menu.\n\nFor each OU that is defined (folder in folder icon) excluding the Domain\nControllers OU:\n\nRight-click the OU and select Properties.\n\nSelect the Security tab.\n\nIf the permissions on the OU are not at least as restrictive as those below,\nthis is a finding.\n\nThe permissions shown are at the summary level. More detailed permissions can\nbe viewed by selecting the Advanced button, the desired Permission entry,\nand the Edit or View button.\n\nExcept where noted otherwise, the special permissions may include a wide range\nof permissions and properties and are acceptable for this requirement.\n\nCREATOR OWNER - Special permissions\n\nSelf - Special permissions\n\nAuthenticated Users - Read, Special permissions\n\nThe Special permissions for Authenticated Users are Read type. If detailed\npermissions include any Create, Delete, Modify, or Write Permissions or\nProperties, this is a finding.\n\nSYSTEM - Full Control\n\nDomain Admins - Full Control\n\nEnterprise Admins - Full Control\n\nKey Admins - Special permissions\n\nEnterprise Key Admins - Special permissions\n\nAdministrators - Read, Write, Create all child objects, Generate resultant set\nof policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\nPre-Windows 2000 Compatible Access - Special permissions\n\nThe Special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes. 
If detailed permissions include any Create, Delete, Modify, or Write\nPermissions or Properties, this is a finding.\n\nENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\nIf an ISSO-approved distributed administration model (help desk or other user\nsupport staff) is implemented, permissions above Read may be allowed for groups\ndocumented by the ISSO.\n\nIf any OU with improper permissions includes identification or authentication\ndata (e.g., accounts, passwords, or password hash data) used by systems to\ndetermine access control, the severity is CAT I (e.g., OUs that include user\naccounts, including service/application accounts).\n\nIf an OU with improper permissions does not include identification and\nauthentication data used by systems to determine access control, the severity\nis CAT II (e.g., Workstation, Printer OUs).",
+ "fix": "Maintain the permissions on domain-defined OUs to be at least as\nrestrictive as the defaults below.\n\nDocument any additional permissions above Read with the ISSO if an approved\ndistributed administration model (help desk or other user support staff) is\nimplemented.\n\nCREATOR OWNER - Special permissions\n\nSelf - Special permissions\n\nAuthenticated Users - Read, Special permissions\n\nThe special permissions for Authenticated Users are Read type.\n\nSYSTEM - Full Control\n\nDomain Admins - Full Control\n\nEnterprise Admins - Full Control\n\nKey Admins - Special permissions\n\nEnterprise Key Admins - Special permissions\n\nAdministrators - Read, Write, Create all child objects, Generate resultant set\nof policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\nPre-Windows 2000 Compatible Access - Special permissions\n\nThe special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes.\n\nENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions:"
 },
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-73789",
- "rid": 
"SV-88453r1_rule",
- "stig_id": "WN16-UR-000240",
- "fix_id": "F-80239r1_fix",
+ "gid": "V-73377",
+ "rid": "SV-88029r1_rule",
+ "stig_id": "WN16-DC-000110",
+ "fix_id": "F-79819r1_fix",
 "cci": [
 "CCI-002235"
 ],
@@ -6632,787 +6671,777 @@ ], "documentable": false }, - "code": "control 'V-73789' do\n title \"The Load and unload device drivers user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Load and unload device drivers user right allows a user to load\n device drivers dynamically on a system. This could be used by an attacker to\n install malicious code.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73789'\n tag \"rid\": 'SV-88453r1_rule'\n tag \"stig_id\": 'WN16-UR-000240'\n tag \"fix_id\": 'F-80239r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Load and\n unload device drivers user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Load and unload device drivers to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeLoadDriverPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeLoadDriverPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73377' do\n title \"Domain-created Active Directory Organizational Unit (OU) objects must\nhave proper access control permissions.\"\n desc \"When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, 
or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service to authorized users.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73377'\n tag \"rid\": 'SV-88029r1_rule'\n tag \"stig_id\": 'WN16-DC-000110'\n tag \"fix_id\": 'F-79819r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\nReview the permissions on domain-defined OUs.\n\nOpen Active Directory Users and Computers (available from various menus or\nrun dsa.msc).\n\nEnsure Advanced Features is selected in the View menu.\n\nFor each OU that is defined (folder in folder icon) excluding the Domain\nControllers OU:\n\nRight-click the OU and select Properties.\n\nSelect the Security tab.\n\nIf the permissions on the OU are not at least as restrictive as those below,\nthis is a finding.\n\nThe permissions shown are at the summary level. 
More detailed permissions can\nbe viewed by selecting the Advanced button, the desired Permission entry,\nand the Edit or View button.\n\nExcept where noted otherwise, the special permissions may include a wide range\nof permissions and properties and are acceptable for this requirement.\n\nCREATOR OWNER - Special permissions\n\nSelf - Special permissions\n\nAuthenticated Users - Read, Special permissions\n\nThe Special permissions for Authenticated Users are Read type. If detailed\npermissions include any Create, Delete, Modify, or Write Permissions or\nProperties, this is a finding.\n\nSYSTEM - Full Control\n\nDomain Admins - Full Control\n\nEnterprise Admins - Full Control\n\nKey Admins - Special permissions\n\nEnterprise Key Admins - Special permissions\n\nAdministrators - Read, Write, Create all child objects, Generate resultant set\nof policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\nPre-Windows 2000 Compatible Access - Special permissions\n\nThe Special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes. 
If detailed permissions include any Create, Delete, Modify, or Write\nPermissions or Properties, this is a finding.\n\nENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\nIf an ISSO-approved distributed administration model (help desk or other user\nsupport staff) is implemented, permissions above Read may be allowed for groups\ndocumented by the ISSO.\n\nIf any OU with improper permissions includes identification or authentication\ndata (e.g., accounts, passwords, or password hash data) used by systems to\ndetermine access control, the severity is CAT I (e.g., OUs that include user\naccounts, including service/application accounts).\n\nIf an OU with improper permissions does not include identification and\nauthentication data used by systems to determine access control, the severity\nis CAT II (e.g., Workstation, Printer OUs).\"\n desc \"fix\", \"Maintain the permissions on domain-defined OUs to be at least as\nrestrictive as the defaults below.\n\nDocument any additional permissions above Read with the ISSO if an approved\ndistributed administration model (help desk or other user support staff) is\nimplemented.\n\nCREATOR OWNER - Special permissions\n\nSelf - Special permissions\n\nAuthenticated Users - Read, Special permissions\n\nThe special permissions for Authenticated Users are Read type.\n\nSYSTEM - Full Control\n\nDomain Admins - Full Control\n\nEnterprise Admins - Full Control\n\nKey Admins - Special permissions\n\nEnterprise Key Admins - Special permissions\n\nAdministrators - Read, Write, Create all child objects, Generate resultant set\nof policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\nPre-Windows 2000 Compatible Access - Special permissions\n\nThe special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes.\n\nENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"':'\ndomain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role 
== '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n \n \n ous = json(command: \"Get-ADOrganizationalUnit -Filter * | Select Name, DistinguishedName | ConvertTo-JSON\").params\n if ous.is_a?(Hash)\n ous = [JSON.parse(ous.to_json)]\n end\n if ous.count == 1 && ous[0]['Name'] == 'Domain Controllers'\n impact 0.0\n desc 'This system does not have any other OUs other than Domain Controller OU, therefore this control is not applicable as it only applies to OUs that are not Domain Controllers'\n describe 'This system does not have any other OUs other than Domain Controller OU, therefore this control is not applicable as it only applies to OUs that are not Domain Controllers' do\n skip 'This system does not have any other OUs other than Domain Controller OU, therefore this control is not applicable as it only applies to OUs that are not Domain Controllers'\n end\n end\n\n ous.each do |ou|\n acl_rules = json(command: \"(Get-ACL -Path AD:'#{ou},#{distinguishedName}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\System\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n 
acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Key Admins\" }\n its(['ActiveDirectoryRights']) { should_not match 
(/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Key Admins\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\ENTERPRISE DOMAIN CONTROLLERS\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['ActiveDirectoryRights']) { should match (/(read)/i) }\n its(['ActiveDirectoryRights']) { should_not match (/(write)|(delete)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should match (/(read)/i) }\n its(['ActiveDirectoryRights']) { should_not match (/(write)|(delete)|(create)|(extendedright)/i) }\n end\n end\n end\n end\n\n \n else\n impact 0.0\n describe 'This system is not a domain controller, 
therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73789.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73377.rb",
 "line": 1
 },
- "id": "V-73789"
+ "id": "V-73377"
 },
 {
- "title": "Only administrators responsible for the domain controller must have\n Administrator rights on the system.",
- "desc": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\n group.",
+ "title": "The Security event log size must be configured to 196608 KB or\n greater.",
+ "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.",
 "descriptions": {
- "default": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\n group.",
- "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Review the Administrators group. 
Only the appropriate administrator groups or\n accounts responsible for administration of the system may be members of the\n group.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this is a\n finding.\n\n If the built-in Administrator account or other required administrative accounts\n are found on the system, this is not a finding.",
- "fix": "Configure the Administrators group to include only administrator\n groups or accounts that are responsible for the system.\n Remove any standard user accounts."
+ "default": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.",
+ "check": "If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00030000 (196608) (or greater)",
+ "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> Security\n >> Specify the maximum log file size (KB) to Enabled with a Maximum\n Log Size (KB) of 196608 or greater."
},
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-73219",
- "rid": "SV-87871r1_rule",
- "stig_id": "WN16-DC-000010",
- "fix_id": "F-79665r1_fix",
+ "gtitle": "SRG-OS-000341-GPOS-00132",
+ "gid": "V-73555",
+ "rid": "SV-88219r1_rule",
+ "stig_id": "WN16-CC-000310",
+ "fix_id": "F-80005r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-001849"
 ],
 "nist": [
- "AC-6 (10)",
+ "AU-4",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73219' do\n title \"Only administrators responsible for the domain controller must have\n Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\n group.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73219'\n tag \"rid\": 'SV-87871r1_rule'\n tag \"stig_id\": 'WN16-DC-000010'\n tag \"fix_id\": 'F-79665r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. A separate version applies\n to other systems.\n\n Review the Administrators group. 
Only the appropriate administrator groups or\n accounts responsible for administration of the system may be members of the\n group.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this is a\n finding.\n\n If the built-in Administrator account or other required administrative accounts\n are found on the system, this is not a finding.\"\n desc \"fix\", \"Configure the Administrators group to include only administrator\n groups or accounts that are responsible for the system.\n Remove any standard user accounts.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n administrators_domain = input('administrators_domain')\n administrator_group = command(\"net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\n\")\n \n if domain_role == '4' || domain_role == '5'\n administrator_group.each do |user|\n a = user.strip\n describe a.to_s do\n it { should be_in administrators_domain }\n end\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges on this system, therefore this control is not applicable' do\n skip 'There are no users with administrative privileges on this system, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-73555' do\n title \"The Security event log size must be configured to 196608 KB or\n greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000341-GPOS-00132'\n tag \"gid\": 'V-73555'\n tag \"rid\": 'SV-88219r1_rule'\n tag \"stig_id\": 'WN16-CC-000310'\n tag \"fix_id\": 'F-80005r1_fix'\n tag \"cci\": ['CCI-001849']\n tag \"nist\": ['AU-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Security\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00030000 (196608) (or greater)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> Security\n >> Specify the maximum log file size (KB) to Enabled with a Maximum\n Log Size (KB) of 196608 or greater.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Security') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 196608 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73219.rb", + "ref": "./Windows 2016 STIG/controls/V-73555.rb", "line": 1 }, - "id": "V-73219" + "id": "V-73555" }, { - "title": "Windows Server 2016 must be configured to require a strong session\n key.", - "desc": "A computer connecting to a domain controller will establish a secure\n channel. The secure channel connection may be subject to compromise, such as\n hijacking or eavesdropping, if strong session keys are not used to establish\n the connection. 
Requiring strong session keys enforces 128-bit encryption\n between systems.",
+ "title": "Windows Server 2016 must be configured to prevent anonymous users from\n having the same permissions as the Everyone group.",
+ "desc": "Access by anonymous users must be restricted. If this setting is\n enabled, anonymous users have the same rights and permissions as the built-in\n Everyone group. Anonymous users must not have these permissions or rights.",
 "descriptions": {
- "default": "A computer connecting to a domain controller will establish a secure\n channel. The secure channel connection may be subject to compromise, such as\n hijacking or eavesdropping, if strong session keys are not used to establish\n the connection. Requiring strong session keys enforces 128-bit encryption\n between systems.",
- "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n This setting may prevent a system from being joined to a domain if not\n configured consistently between systems.",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Require strong (Windows 2000 or Later) session key to Enabled."
+ "default": "Access by anonymous users must be restricted. If this setting is\n enabled, anonymous users have the same rights and permissions as the built-in\n Everyone group. 
Anonymous users must not have these permissions or rights.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Let everyone permissions apply to anonymous users to\n Disabled."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000423-GPOS-00187",
- "satisfies": [
- "SRG-OS-000423-GPOS-00187",
- "SRG-OS-000424-GPOS-00188"
- ],
- "gid": "V-73643",
- "rid": "SV-88307r1_rule",
- "stig_id": "WN16-SO-000130",
- "fix_id": "F-80093r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-73673",
+ "rid": "SV-88337r1_rule",
+ "stig_id": "WN16-SO-000290",
+ "fix_id": "F-80123r1_fix",
 "cci": [
- "CCI-002418",
- "CCI-002421"
+ "CCI-000366"
 ],
 "nist": [
- "SC-8",
- "SC-8 (1)",
+ "CM-6 b",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73643' do\n title \"Windows Server 2016 must be configured to require a strong session\n key.\"\n desc \"A computer connecting to a domain controller will establish a secure\n channel. The secure channel connection may be subject to compromise, such as\n hijacking or eavesdropping, if strong session keys are not used to establish\n the connection. 
Requiring strong session keys enforces 128-bit encryption\n between systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73643'\n tag \"rid\": 'SV-88307r1_rule'\n tag \"stig_id\": 'WN16-SO-000130'\n tag \"fix_id\": 'F-80093r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n This setting may prevent a system from being joined to a domain if not\n configured consistently between systems.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Require strong (Windows 2000 or Later) session key to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RequireStrongKey' }\n its('RequireStrongKey') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73673' do\n title \"Windows Server 2016 must be configured to prevent anonymous users from\n having the same permissions as the Everyone group.\"\n desc \"Access by anonymous users must be restricted. If this setting is\n enabled, anonymous users have the same rights and permissions as the built-in\n Everyone group. 
Anonymous users must not have these permissions or rights.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73673'\n tag \"rid\": 'SV-88337r1_rule'\n tag \"stig_id\": 'WN16-SO-000290'\n tag \"fix_id\": 'F-80123r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Let everyone permissions apply to anonymous users to\n Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'EveryoneIncludesAnonymous' }\n its('EveryoneIncludesAnonymous') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73643.rb", + "ref": "./Windows 2016 STIG/controls/V-73673.rb", "line": 1 }, - "id": "V-73643" + "id": "V-73673" }, { - "title": "Only administrators responsible for the member server or standalone\n system must have Administrator rights on the system.", - "desc": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\n by a domain member server administrator group (see V-36433 in the Active\n Directory Domain STIG). 
Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Systems dedicated to the management of Active Directory (AD admin\n platforms, see V-36436 in the Active Directory Domain STIG) are exempt from\n this. AD admin platforms may use the Domain Admins group or a domain\n administrative group created specifically for AD admin platforms (see V-43711\n in the Active Directory Domain STIG).\n\n Standard user accounts must not be members of the built-in Administrators\n group.", + "title": "Windows Server 2016 must automatically remove or disable temporary\n user accounts after 72 hours.", + "desc": "If temporary user accounts remain active when no longer needed or for\n an excessive period, these accounts may be used to gain unauthorized access. To\n mitigate this risk, automated termination of all temporary accounts must be set\n upon account creation.\n\n Temporary accounts are established as part of normal account activation\n procedures when there is a need for short-term accounts without the demand for\n immediacy in account activation.\n\n If temporary accounts are used, the operating system must be configured to\n automatically terminate these types of accounts after a DoD-defined time period\n of 72 hours.\n\n To address access requirements, many operating systems may be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.", "descriptions": { - "default": "An account that does not have Administrator duties must not have\n Administrator rights. 
Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\n by a domain member server administrator group (see V-36433 in the Active\n Directory Domain STIG). Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Systems dedicated to the management of Active Directory (AD admin\n platforms, see V-36436 in the Active Directory Domain STIG) are exempt from\n this. AD admin platforms may use the Domain Admins group or a domain\n administrative group created specifically for AD admin platforms (see V-43711\n in the Active Directory Domain STIG).\n\n Standard user accounts must not be members of the built-in Administrators\n group.", - "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Open Computer Management.\n\n Navigate to Groups under Local Users and Groups.\n\n Review the local Administrators group.\n\n Only administrator groups or accounts responsible for administration of the\n system may be members of the group.\n\n For domain-joined member servers, the Domain Admins group must be replaced by a\n domain member server administrator group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this. 
AD admin\n platforms may use the Domain Admins group or a domain administrative group\n created specifically for AD admin platforms (see V-43711 in the Active\n Directory Domain STIG).\n\n Standard user accounts must not be members of the local Administrator group.\n\n If accounts that do not have responsibility for administration of the system\n are members of the local Administrators group, this is a finding.\n\n If the built-in Administrator account or other required administrative accounts\n are found on the system, this is not a finding.", - "fix": "Configure the local \"Administrators\" group to include only\n administrator groups or accounts responsible for administration of the system.\n\n For domain-joined member servers, replace the Domain Admins group with a domain\n member server administrator group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this. AD admin\n platforms may use the Domain Admins group or a domain administrative group\n created specifically for AD admin platforms (see V-43711 in the Active\n Directory Domain STIG).\n\n Remove any standard user accounts." + "default": "If temporary user accounts remain active when no longer needed or for\n an excessive period, these accounts may be used to gain unauthorized access. 
To\n mitigate this risk, automated termination of all temporary accounts must be set\n upon account creation.\n\n Temporary accounts are established as part of normal account activation\n procedures when there is a need for short-term accounts without the demand for\n immediacy in account activation.\n\n If temporary accounts are used, the operating system must be configured to\n automatically terminate these types of accounts after a DoD-defined time period\n of 72 hours.\n\n To address access requirements, many operating systems may be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.", + "check": "Review temporary user accounts for expiration dates.\n\n Determine if temporary user accounts are used and identify any that exist. If\n none exist, this is NA.\n\n Domain Controllers:\n\n Open PowerShell.\n\n Enter Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate.\n\n If AccountExpirationDate has not been defined within 72 hours for any\n temporary user account, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Run Net user [username], where [username] is the name of the temporary user\n account.\n\n If Account expires has not been defined within 72 hours for any temporary\n user account, this is a finding.", + "fix": "Configure temporary user accounts to automatically expire within\n 72 hours.\n\n Domain accounts can be configured with an account expiration date, under\n Account properties.\n \n Local accounts can be configured to expire with the command Net user\n [username] /expires:[mm/dd/yyyy], where username is the name of the temporary\n user account.\n\n Delete any temporary user accounts that are no longer necessary." 
}, "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73221", - "rid": "SV-87873r1_rule", - "stig_id": "WN16-MS-000010", - "fix_id": "F-80263r1_fix", + "gtitle": "SRG-OS-000002-GPOS-00002", + "gid": "V-73283", + "rid": "SV-87935r1_rule", + "stig_id": "WN16-00-000330", + "fix_id": "F-79727r1_fix", "cci": [ - "CCI-002235" + "CCI-000016" ], "nist": [ - "AC-6 (10)", + "AC-2 (2)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73221' do\n title \"Only administrators responsible for the member server or standalone\n system must have Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\n by a domain member server administrator group (see V-36433 in the Active\n Directory Domain STIG). Restricting highly privileged accounts from the local\n Administrators group helps mitigate the risk of privilege escalation resulting\n from credential theft attacks.\n\n Systems dedicated to the management of Active Directory (AD admin\n platforms, see V-36436 in the Active Directory Domain STIG) are exempt from\n this. 
AD admin platforms may use the Domain Admins group or a domain\n administrative group created specifically for AD admin platforms (see V-43711\n in the Active Directory Domain STIG).\n\n Standard user accounts must not be members of the built-in Administrators\n group.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73221'\n tag \"rid\": 'SV-87873r1_rule'\n tag \"stig_id\": 'WN16-MS-000010'\n tag \"fix_id\": 'F-80263r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Open Computer Management.\n\n Navigate to Groups under Local Users and Groups.\n\n Review the local Administrators group.\n\n Only administrator groups or accounts responsible for administration of the\n system may be members of the group.\n\n For domain-joined member servers, the Domain Admins group must be replaced by a\n domain member server administrator group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this. 
AD admin\n platforms may use the Domain Admins group or a domain administrative group\n created specifically for AD admin platforms (see V-43711 in the Active\n Directory Domain STIG).\n\n Standard user accounts must not be members of the local Administrator group.\n\n If accounts that do not have responsibility for administration of the system\n are members of the local Administrators group, this is a finding.\n\n If the built-in Administrator account or other required administrative accounts\n are found on the system, this is not a finding.\"\n desc \"fix\", \"Configure the local \\\"Administrators\\\" group to include only\n administrator groups or accounts responsible for administration of the system.\n\n For domain-joined member servers, replace the Domain Admins group with a domain\n member server administrator group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from this. AD admin\n platforms may use the Domain Admins group or a domain administrative group\n created specifically for AD admin platforms (see V-43711 in the Active\n Directory Domain STIG).\n\n Remove any standard user accounts.\"\n administrators = attribute('administrators')\n is_AD_only_system = input('is_AD_only_system')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n administrator_group = command(\"Get-LocalGroupMember -Group \\\"Administrators\\\" | select -ExpandProperty Name | ForEach-Object {$_ -replace \\\"$env:COMPUTERNAME\\\\\\\\\\\" -replace \\\"\\\"}\").stdout.strip.split(\"\\r\\n\")\n\n\n if (domain_role == '2' || domain_role == '3') && !is_AD_only_system\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in administrators }\n end\n end\n end\n\n if domain_role != '2' && domain_role != '3'\n impact 0.0\n describe 'This control applies to member servers and standalone systems. 
A separate version applies to domain controllers.' do\n skip 'This control applies to member servers and standalone systems. A separate version applies to domain controllers.'\n end\n end\n if is_AD_only_system\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this control is not applicable' do\n skip 'This system is dedicated to the management of Active Directory, therefore this control is not applicable'\n end\n end\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges on this system, therefore this control is not applicable' do\n skip 'There are no users with administrative privileges on this system, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-73283' do\n title \"Windows Server 2016 must automatically remove or disable temporary\n user accounts after 72 hours.\"\n desc \"If temporary user accounts remain active when no longer needed or for\n an excessive period, these accounts may be used to gain unauthorized access. 
To\n mitigate this risk, automated termination of all temporary accounts must be set\n upon account creation.\n\n Temporary accounts are established as part of normal account activation\n procedures when there is a need for short-term accounts without the demand for\n immediacy in account activation.\n\n If temporary accounts are used, the operating system must be configured to\n automatically terminate these types of accounts after a DoD-defined time period\n of 72 hours.\n\n To address access requirements, many operating systems may be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000002-GPOS-00002'\n tag \"gid\": 'V-73283'\n tag \"rid\": 'SV-87935r1_rule'\n tag \"stig_id\": 'WN16-00-000330'\n tag \"fix_id\": 'F-79727r1_fix'\n tag \"cci\": ['CCI-000016']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review temporary user accounts for expiration dates.\n\n Determine if temporary user accounts are used and identify any that exist. 
If\n none exist, this is NA.\n\n Domain Controllers:\n\n Open PowerShell.\n\n Enter Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate.\n\n If AccountExpirationDate has not been defined within 72 hours for any\n temporary user account, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Run Net user [username], where [username] is the name of the temporary user\n account.\n\n If Account expires has not been defined within 72 hours for any temporary\n user account, this is a finding.\"\n desc \"fix\", \"Configure temporary user accounts to automatically expire within\n 72 hours.\n\n Domain accounts can be configured with an account expiration date, under\n Account properties.\n \n Local accounts can be configured to expire with the command Net user\n [username] /expires:[mm/dd/yyyy], where username is the name of the temporary\n user account.\n\n Delete any temporary user accounts that are no longer necessary.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n temp_accounts_list = input('temporary_accounts')\n temp_accounts_data = []\n \n if temp_accounts_list == [nil]\n impact 0.0\n describe 'This control is not applicable as no temporary accounts were listed as an input' do\n skip 'This control is not applicable as no temporary accounts were listed as an input'\n end\n else\n if domain_role == '4' || domain_role == '5'\n temp_accounts_list.each do |temporary_account|\n temp_accounts_data << json({ command: \"Get-ADUser -Identity #{temporary_account} -Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\"}).params\n end\n if temp_accounts_data.empty?\n impact 0.0\n describe 'This control is not applicable as account information was not found 
for the listed temporary accounts' do\n skip 'This control is not applicable as account information was not found for the listed temporary accounts'\n end\n else\n temp_accounts_data.each do |temp_account|\n account_name = temp_account.fetch(\"SamAccountName\")\n if temp_account.fetch(\"WhenCreated\") == nil\n describe \"#{account_name} account's creation date\" do\n subject { temp_account.fetch(\"WhenCreated\") }\n it { should_not eq nil}\n end\n elsif temp_account.fetch(\"AccountExpirationDate\") == nil\n describe \"#{account_name} account's expiration date\" do\n subject { temp_account.fetch(\"AccountExpirationDate\") }\n it { should_not eq nil}\n end\n else\n creation_date = Date.parse(temp_account.fetch(\"WhenCreated\"))\n expiration_date = Date.parse(temp_account.fetch(\"AccountExpirationDate\"))\n date_difference = expiration_date.mjd - creation_date.mjd\n describe \"Account expiration set for #{account_name}\" do\n subject { date_difference }\n it { should cmp <= input('temporary_account_period')}\n end\n end\n end\n end\n\n else\n temp_accounts_list.each do |temporary_account|\n temp_accounts_data << json({ command: \"Get-LocalUser -Name #{temporary_account} | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\"}).params\n end\n if temp_accounts_data.empty?\n impact 0.0\n describe 'This control is not applicable as account information was not found for the listed temporary accounts' do\n skip 'This control is not applicable as account information was not found for the listed temporary accounts'\n end\n else\n temp_accounts_data.each do |temp_account|\n user_name = temp_account.fetch(\"Name\")\n if temp_account.fetch(\"PasswordLastSet\") == nil\n describe \"#{user_name} account's password last set date\" do\n subject { temp_account.fetch(\"PasswordLastSet\") }\n it { should_not eq nil}\n end\n elsif 
temp_account.fetch(\"AccountExpires\") == nil\n describe \"#{user_name} account's expiration date\" do\n subject { temp_account.fetch(\"AccountExpires\") }\n it { should_not eq nil}\n end\n else\n password_date = Date.parse(temp_account.fetch(\"PasswordLastSet\"))\n expiration_date = Date.parse(temp_account.fetch(\"AccountExpires\"))\n date_difference = expiration_date.mjd - password_date.mjd\n describe \"Account expiration set for #{user_name}\" do\n subject { date_difference }\n it { should cmp <= input('temporary_account_period')}\n end\n end\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73221.rb", + "ref": "./Windows 2016 STIG/controls/V-73283.rb", "line": 1 }, - "id": "V-73221" + "id": "V-73283" }, { - "title": "The System event log size must be configured to 32768 KB or greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", + "title": "Non-administrative accounts or groups must only have print permissions\n on printer shares.", + "desc": "Windows shares are a means by which files, folders, printers, and\n other resources can be published for network users to access. Improper\n configuration can permit access to devices and data beyond a user's need.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. 
This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.", - "check": "If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> System\n >> Specify the maximum log file size (KB) to Enabled with a Maximum\n Log Size (KB) of 32768 or greater." + "default": "Windows shares are a means by which files, folders, printers, and\n other resources can be published for network users to access. Improper\n configuration can permit access to devices and data beyond a user's need.", + "check": "Open Devices and Printers.\n\n If there are no printers configured, this is NA. (Exclude Microsoft Print to\n PDF and Microsoft XPS Document Writer, which do not support sharing.)\n\n For each printer:\n\n Right-click on the printer.\n\n Select Printer Properties.\n\n Select the Sharing tab.\n\n If Share this printer is checked, select the Security tab.\n\n If any standard user accounts or groups have permissions other than Print,\n this is a finding.\n\n The default is for the Everyone group to be given Print permission.\n\n All APPLICATION PACKAGES and CREATOR OWNER are not standard user\n accounts.", + "fix": "Configure the permissions on shared printers to restrict standard\n users to only have Print permissions." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-73557", - "rid": "SV-88221r1_rule", - "stig_id": "WN16-CC-000320", - "fix_id": "F-80007r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73257", + "rid": "SV-87909r1_rule", + "stig_id": "WN16-00-000200", + "fix_id": "F-79701r1_fix", "cci": [ - "CCI-001849" + "CCI-000213" ], "nist": [ - "AU-4", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73557' do\n title 'The System event log size must be configured to 32768 KB or greater.'\n desc \"Inadequate log size will cause the log to fill up quickly. This may\n prevent audit events from being recorded properly and require frequent\n attention by administrative personnel.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000341-GPOS-00132'\n tag \"gid\": 'V-73557'\n tag \"rid\": 'SV-88221r1_rule'\n tag \"stig_id\": 'WN16-CC-000320'\n tag \"fix_id\": 'F-80007r1_fix'\n tag \"cci\": ['CCI-001849']\n tag \"nist\": ['AU-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the system is configured to write events directly to an\n audit server, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\System\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Event Log Service >> System\n >> Specify the maximum log file size (KB) to Enabled with a Maximum\n Log Size (KB) of 32768 or greater.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\System') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should be >= 32768 }\n end\nend\n", + "code": "control 'V-73257' do\n title 
\"Non-administrative accounts or groups must only have print permissions\n on printer shares.\"\n desc \"Windows shares are a means by which files, folders, printers, and\n other resources can be published for network users to access. Improper\n configuration can permit access to devices and data beyond a user's need.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73257'\n tag \"rid\": 'SV-87909r1_rule'\n tag \"stig_id\": 'WN16-00-000200'\n tag \"fix_id\": 'F-79701r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open Devices and Printers.\n\n If there are no printers configured, this is NA. (Exclude Microsoft Print to\n PDF and Microsoft XPS Document Writer, which do not support sharing.)\n\n For each printer:\n\n Right-click on the printer.\n\n Select Printer Properties.\n\n Select the Sharing tab.\n\n If Share this printer is checked, select the Security tab.\n\n If any standard user accounts or groups have permissions other than Print,\n this is a finding.\n\n The default is for the Everyone group to be given Print permission.\n\n All APPLICATION PACKAGES and CREATOR OWNER are not standard user\n accounts.\"\n desc \"fix\", \"Configure the permissions on shared printers to restrict standard\n users to only have Print permissions.\"\n describe \"Nonadministrative user accounts or groups must only have print\n permissions on printer shares.\" do\n skip 'This is a manual control'\n end\n get_printers = command(\"Get-Printer | Format-List | Findstr /v 'Name ---'\")\n if get_printers == ''\n impact 0.0\n describe 'There are no printers configured on this system, therefore this control is not applicable' do\n skip 'There are no printers configured on this system, therefore this control is not applicable'\n end\n else\n describe \"A manual review is required to verify that Nonadministrative user accounts or groups only have print\n permissions on printer shares\" 
do\n skip 'A manual review is required to verify that Nonadministrative user accounts or groups only have print\n permissions on printer shares'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73557.rb", + "ref": "./Windows 2016 STIG/controls/V-73257.rb", "line": 1 }, - "id": "V-73557" + "id": "V-73257" }, { - "title": "The setting Microsoft network client: Digitally sign communications\n (always) must be configured to Enabled.", - "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.", + "title": "The Take ownership of files or other objects user right must only be\n assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Take ownership of files or other objects user right\n can take ownership of objects and make changes.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network client: Digitally sign communications (always) to\n Enabled." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Take ownership of files or other objects user right\n can take ownership of objects and make changes.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Take\n ownership of files or other objects user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Take ownership of files or other objects to include only the following\n accounts or groups:\n\n - 
Administrators" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-73653", - "rid": "SV-88317r1_rule", - "stig_id": "WN16-SO-000190", - "fix_id": "F-80103r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73803", + "rid": "SV-88467r1_rule", + "stig_id": "WN16-UR-000310", + "fix_id": "F-80253r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-002235" ], "nist": [ - "SC-8", - "SC-8 (1)", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73653' do\n title \"The setting Microsoft network client: Digitally sign communications\n (always) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB client will only\n communicate with an SMB server that performs SMB packet signing.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73653'\n tag \"rid\": 'SV-88317r1_rule'\n tag \"stig_id\": 'WN16-SO-000190'\n tag \"fix_id\": 'F-80103r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network client: Digitally sign communications (always) to\n 
Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73803' do\n title \"The Take ownership of files or other objects user right must only be\n assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Take ownership of files or other objects user right\n can take ownership of objects and make changes.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73803'\n tag \"rid\": 'SV-88467r1_rule'\n tag \"stig_id\": 'WN16-UR-000310'\n tag \"fix_id\": 'F-80253r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Take\n ownership of files or other objects user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Take ownership of files or other objects to include only the following\n accounts 
or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeTakeOwnershipPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeTakeOwnershipPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73653.rb", + "ref": "./Windows 2016 STIG/controls/V-73803.rb", "line": 1 }, - "id": "V-73653" + "id": "V-73803" }, { - "title": "The built-in guest account must be disabled.", - "desc": "A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This is a known account that exists on all Windows\n systems and cannot be deleted. This account is initialized during the\n installation of the operating system with no password assigned.", + "title": "Domain controllers must run on a machine dedicated to that function.", + "desc": "Executing application servers on the same host machine with a\n directory server may substantially weaken the security of the directory server.\n Web or database server applications usually require the addition of many\n programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing\n potential sources of compromise. Some applications (such as Microsoft Exchange)\n may require the use of network ports or services conflicting with the directory\n server. In this case, non-standard ports might be selected, and this could\n interfere with intrusion detection or prevention services.", "descriptions": { - "default": "A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This is a known account that exists on all Windows\n systems and cannot be deleted. 
This account is initialized during the\n installation of the operating system with no password assigned.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Guest account status is not set to Disabled,\n this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Guest account status to Disabled." + "default": "Executing application servers on the same host machine with a\n directory server may substantially weaken the security of the directory server.\n Web or database server applications usually require the addition of many\n programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing\n potential sources of compromise. Some applications (such as Microsoft Exchange)\n may require the use of network ports or services conflicting with the directory\n server. In this case, non-standard ports might be selected, and this could\n interfere with intrusion detection or prevention services.", + "check": "This applies to domain controllers, It is NA for other systems.\n\n Review the installed roles the domain controller is supporting.\n\n Start Server Manager.\n\n Select AD DS in the left pane and the server name under Servers to the\n right.\n\n Select Add (or Remove) Roles and Features from Tasks in the Roles and\n Features section. (Cancel before any changes are made.)\n\n Determine if any additional server roles are installed. 
A basic domain\n controller setup will include the following:\n\n - Active Directory Domain Services\n - DNS Server\n - File and Storage Services\n\n If any roles not requiring installation on a domain controller are installed,\n this is a finding.\n\n A Domain Name System (DNS) server integrated with the directory server (e.g.,\n AD-integrated DNS) is an acceptable application. However, the DNS server must\n comply with the DNS STIG security requirements.\n\n Run Programs and Features.\n\n Review installed applications.\n\n If any applications are installed that are not required for the domain\n controller, this is a finding.", + "fix": "Remove additional roles or applications such as web, database,\n and email from the domain controller." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000121-GPOS-000062", - "gid": "V-73809", - "rid": "SV-88475r1_rule", - "stig_id": "WN16-SO-000010", - "fix_id": "F-80267r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73381", + "rid": "SV-88033r1_rule", + "stig_id": "WN16-DC-000130", + "fix_id": "F-79823r1_fix", "cci": [ - "CCI-000804" + "CCI-000381" ], "nist": [ - "IA-8", + "CM-7", "Rev_4" ], "documentable": false }, - "code": "control 'V-73809' do\n title 'The built-in guest account must be disabled.'\n desc \"A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This is a known account that exists on all Windows\n systems and cannot be deleted. 
This account is initialized during the\n installation of the operating system with no password assigned.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000121-GPOS-000062'\n tag \"gid\": 'V-73809'\n tag \"rid\": 'SV-88475r1_rule'\n tag \"stig_id\": 'WN16-SO-000010'\n tag \"fix_id\": 'F-80267r1_fix'\n tag \"cci\": ['CCI-000804']\n tag \"nist\": ['IA-8', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Guest account status is not set to Disabled,\n this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Guest account status to Disabled.\"\n describe security_policy do\n its('EnableGuestAccount') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73381' do\n title 'Domain controllers must run on a machine dedicated to that function.'\n desc \"Executing application servers on the same host machine with a\n directory server may substantially weaken the security of the directory server.\n Web or database server applications usually require the addition of many\n programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing\n potential sources of compromise. Some applications (such as Microsoft Exchange)\n may require the use of network ports or services conflicting with the directory\n server. 
In this case, non-standard ports might be selected, and this could\n interfere with intrusion detection or prevention services.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73381'\n tag \"rid\": 'SV-88033r1_rule'\n tag \"stig_id\": 'WN16-DC-000130'\n tag \"fix_id\": 'F-79823r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers, It is NA for other systems.\n\n Review the installed roles the domain controller is supporting.\n\n Start Server Manager.\n\n Select AD DS in the left pane and the server name under Servers to the\n right.\n\n Select Add (or Remove) Roles and Features from Tasks in the Roles and\n Features section. (Cancel before any changes are made.)\n\n Determine if any additional server roles are installed. A basic domain\n controller setup will include the following:\n\n - Active Directory Domain Services\n - DNS Server\n - File and Storage Services\n\n If any roles not requiring installation on a domain controller are installed,\n this is a finding.\n\n A Domain Name System (DNS) server integrated with the directory server (e.g.,\n AD-integrated DNS) is an acceptable application. 
However, the DNS server must\n comply with the DNS STIG security requirements.\n\n Run Programs and Features.\n\n Review installed applications.\n\n If any applications are installed that are not required for the domain\n controller, this is a finding.\"\n desc \"fix\", \"Remove additional roles or applications such as web, database,\n and email from the domain controller.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n role_list = [\n \"Active Directory Domain Services\",\n \"DNS Server\",\n \"File and Storage Services\"\n ]\n roles = json(command: \"Get-WindowsFeature | Where {($_.installstate -eq 'installed') -and ($_.featuretype -eq 'role')} | foreach { $_.DisplayName } | ConvertTo-JSON\").params\n describe \"The list of roles installed on the server\" do\n subject { roles }\n it { should be_in role_list }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73809.rb", + "ref": "./Windows 2016 STIG/controls/V-73381.rb", "line": 1 }, - "id": "V-73809" + "id": "V-73381" }, { - "title": "Kerberos encryption types must be configured to prevent the use of DES\n and RC4 encryption suites.", - "desc": "Certain encryption types are no longer considered secure. 
The DES and\n RC4 encryption suites must not be used for Kerberos encryption.", + "title": "Active Directory user accounts, including administrators, must be\n configured to require the use of a Common Access Card (CAC), Personal Identity\n Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for\n user authentication.", + "desc": "Smart cards such as the CAC support a two-factor authentication\n technique. This provides a higher level of trust in the asserted identity than\n use of the username and password for authentication.", "descriptions": { - "default": "Certain encryption types are no longer considered secure. The DES and\n RC4 encryption suites must not be used for Kerberos encryption.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Configure encryption types allowed for Kerberos to\n Enabled with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types" + "default": "Smart cards such as the CAC support a two-factor authentication\n technique. This provides a higher level of trust in the asserted identity than\n use of the username and password for authentication.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Open PowerShell.\n\n Enter the following:\n\n Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq\n $False)} | FT Name\n (DistinguishedName may be substituted for Name for more detailed\n output.)\n\n If any user accounts, including administrators, are listed, this is a finding.\n\n Alternately:\n\n To view sample accounts in Active Directory Users and Computers (available\n from various menus or run dsa.msc):\n\n Select the Organizational Unit (OU) where the user accounts are located. (By\n default, this is the Users node; however, accounts may be under other\n organization-defined OUs.)\n\n Right-click the sample user account and select Properties.\n\n Select the Account tab.\n\n If any user accounts, including administrators, do not have Smart card is\n required for interactive logon checked in the Account Options area, this\n is a finding.", + "fix": "Configure all user accounts, including administrator accounts, in\n Active Directory to enable the option Smart card is required for interactive\n logon.\n\n Run Active Directory Users and Computers (available from various menus or\n run dsa.msc):\n\n Select the OU where the user accounts are located. (By default this is the\n Users node; however, accounts may be under other organization-defined OUs.)\n\n Right-click the user account and select Properties.\n\n Select the Account tab.\n\n Check Smart card is required for interactive logon in the Account\n Options area." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000120-GPOS-00061", - "gid": "V-73685", - "rid": "SV-88349r1_rule", - "stig_id": "WN16-SO-000350", - "fix_id": "F-80135r1_fix", + "gtitle": "SRG-OS-000105-GPOS-00052", + "satisfies": [ + "SRG-OS-000105-GPOS-00052", + "SRG-OS-000106-GPOS-00053", + "SRG-OS-000107-GPOS-00054", + "SRG-OS-000108-GPOS-00055", + "SRG-OS-000375-GPOS-00160" + ], + "gid": "V-73617", + "rid": "SV-88281r1_rule", + "stig_id": "WN16-DC-000310", + "fix_id": "F-80067r1_fix", "cci": [ - "CCI-000803" + "CCI-000765", + "CCI-000766", + "CCI-000767", + "CCI-000768", + "CCI-001948" ], "nist": [ - "IA-7", + "IA-2 (1)", + "IA-2 (2)", + "IA-2 (3)", + "IA-2 (4)", + "IA-2 (11)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73685' do\n title \"Kerberos encryption types must be configured to prevent the use of DES\n and RC4 encryption suites.\"\n desc \"Certain encryption types are no longer considered secure. The DES and\n RC4 encryption suites must not be used for Kerberos encryption.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000120-GPOS-00061'\n tag \"gid\": 'V-73685'\n tag \"rid\": 'SV-88349r1_rule'\n tag \"stig_id\": 'WN16-SO-000350'\n tag \"fix_id\": 'F-80135r1_fix'\n tag \"cci\": ['CCI-000803']\n tag \"nist\": ['IA-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Configure encryption types allowed for Kerberos to\n Enabled with only the following selected:\n\n 
AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters') do\n it { should have_property 'SupportedEncryptionTypes' }\n its('SupportedEncryptionTypes') { should cmp 2_147_483_640 }\n end\nend\n", + "code": "control 'V-73617' do\n title \"Active Directory user accounts, including administrators, must be\n configured to require the use of a Common Access Card (CAC), Personal Identity\n Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for\n user authentication.\"\n desc \"Smart cards such as the CAC support a two-factor authentication\n technique. This provides a higher level of trust in the asserted identity than\n use of the username and password for authentication.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000105-GPOS-00052'\n tag \"satisfies\": ['SRG-OS-000105-GPOS-00052', 'SRG-OS-000106-GPOS-00053',\n 'SRG-OS-000107-GPOS-00054', 'SRG-OS-000108-GPOS-00055',\n 'SRG-OS-000375-GPOS-00160']\n tag \"gid\": 'V-73617'\n tag \"rid\": 'SV-88281r1_rule'\n tag \"stig_id\": 'WN16-DC-000310'\n tag \"fix_id\": 'F-80067r1_fix'\n tag \"cci\": ['CCI-000765', 'CCI-000766', 'CCI-000767', 'CCI-000768',\n 'CCI-001948']\n tag \"nist\": ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)', 'IA-2 (11)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Open PowerShell.\n\n Enter the following:\n\n Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq\n $False)} | FT Name\n (DistinguishedName may be substituted for Name for more detailed\n output.)\n\n If any user accounts, including administrators, are listed, this is a finding.\n\n Alternately:\n\n To view sample accounts in Active Directory Users and Computers (available\n from various menus or run dsa.msc):\n\n Select the Organizational Unit (OU) where the user accounts are located. (By\n default, this is the Users node; however, accounts may be under other\n organization-defined OUs.)\n\n Right-click the sample user account and select Properties.\n\n Select the Account tab.\n\n If any user accounts, including administrators, do not have Smart card is\n required for interactive logon checked in the Account Options area, this\n is a finding.\"\n desc \"fix\", \"Configure all user accounts, including administrator accounts, in\n Active Directory to enable the option Smart card is required for interactive\n logon.\n\n Run Active Directory Users and Computers (available from various menus or\n run dsa.msc):\n\n Select the OU where the user accounts are located. 
(By default this is the\n Users node; however, accounts may be under other organization-defined OUs.)\n\n Right-click the user account and select Properties.\n\n Select the Account tab.\n\n Check Smart card is required for interactive logon in the Account\n Options area.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe command(\"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name | Findstr /v 'Name ---'\") do\n its('stdout') { should eq '' }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73685.rb", + "ref": "./Windows 2016 STIG/controls/V-73617.rb", "line": 1 }, - "id": "V-73685" + "id": "V-73617" }, { - "title": "The Active Directory Domain Controllers Organizational Unit (OU)\n object must have the proper access control permissions.", - "desc": "When Active Directory objects do not have appropriate access control\n permissions, it may be possible for malicious users to create, read, update, or\n delete the objects and degrade or destroy the integrity of the data. 
When the\n directory service is used for identification, authentication, or authorization\n functions, a compromise of the database objects could lead to a compromise of\n all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain\n Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could\n allow an intruder or unauthorized personnel to make changes that could lead to\n the compromise of the domain.", + "title": "The time service must synchronize with an appropriate DoD time source.", + "desc": "The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. If an NTP server is configured, it must synchronize\n with a secure, authorized time source.", "descriptions": { - "default": "When Active Directory objects do not have appropriate access control\n permissions, it may be possible for malicious users to create, read, update, or\n delete the objects and degrade or destroy the integrity of the data. When the\n directory service is used for identification, authentication, or authorization\n functions, a compromise of the database objects could lead to a compromise of\n all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain\n Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could\n allow an intruder or unauthorized personnel to make changes that could lead to\n the compromise of the domain.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the permissions on the Domain Controllers OU.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Select Advanced Features in the View menu if not previously selected.\n\n Select the Domain Controllers OU (folder in folder icon).\n\n Right-click and select Properties.\n\n Select the Security tab.\n\n If the permissions on the Domain Controllers OU do not restrict changes to\n System, Domain Admins, Enterprise Admins and Administrators, this is a finding.\n\n The default permissions listed below satisfy this requirement.\n\n Domains supporting Microsoft Exchange will have additional Exchange related\n permissions on the Domain Controllers OU. These may include some change\n related permissions and are not a finding.\n\n The permissions shown are at the summary level. More detailed permissions can\n be viewed by selecting the Advanced button, the desired Permission entry,\n and the View or Edit button.\n\n Except where noted otherwise, the special permissions may include a wide range\n of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n\n SELF - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n SYSTEM - Full Control\n\n Domain Admins - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Pre-Windows 2000 Compatible Access 
- Special permissions\n\n The Special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions", - "fix": "Limit the permissions on the Domain Controllers OU to restrict\n changes to System, Domain Admins, Enterprise Admins and Administrators.\n\n The default permissions listed below satisfy this requirement.\n\n Domains supporting Microsoft Exchange will have additional Exchange related\n permissions on the Domain Controllers OU. These may include some change\n related permissions.\n\n CREATOR OWNER - Special permissions\n\n SELF - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read types.\n\n SYSTEM - Full Control\n\n Domain Admins - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions" + "default": "The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. 
If an NTP server is configured, it must synchronize\n with a secure, authorized time source.", + "check": "Review the Windows time service configuration.\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter W32tm /query /configuration.\n\n Domain-joined systems (excluding the domain controller with the PDC emulator\n role):\n\n If the value for Type under NTP Client is not NT5DS, this is a\n finding.\n\n Other systems:\n\n If systems are configured with a Type of NTP, including standalone\n systems and the domain controller with the PDC Emulator role, and do not have a\n DoD time server defined for NTPServer, this is a finding.\n\n To determine the domain controller with the PDC Emulator role:\n\n Open PowerShell.\n\n Enter Get-ADDomain | FT PDCEmulator.", + "fix": "Configure the system to synchronize time with an appropriate DoD\n time source.\n\n Domain-joined systems use NT5DS to synchronize time from other systems in the\n domain by default.\n\n If the system needs to be configured to an NTP server, configure the system to\n point to an authorized time server by setting the policy value for Computer\n Configuration >> Administrative Templates >> System >> Windows Time Service >>\n Time Providers >> Configure Windows NTP Client to Enabled, and\n configure the NtpServer field to point to an appropriate DoD time server.\n\n The US Naval Observatory operates stratum 1 time servers, identified at\n http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a\n hierarchy of time servers down to the local level. Clients and lower-level\n servers will synchronize with an authorized time server in the hierarchy." 
}, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73375", - "rid": "SV-88027r2_rule", - "stig_id": "WN16-DC-000100", - "fix_id": "F-84911r1_fix", + "gtitle": "SRG-OS-000355-GPOS-00143", + "gid": "V-73307", + "rid": "SV-87959r1_rule", + "stig_id": "WN16-00-000450", + "fix_id": "F-79749r1_fix", "cci": [ - "CCI-002235" + "CCI-001891" ], "nist": [ - "AC-6 (10)", + "AU-8 (1) (a)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73375' do\n title \"The Active Directory Domain Controllers Organizational Unit (OU)\n object must have the proper access control permissions.\"\n desc \"When Active Directory objects do not have appropriate access control\n permissions, it may be possible for malicious users to create, read, update, or\n delete the objects and degrade or destroy the integrity of the data. When the\n directory service is used for identification, authentication, or authorization\n functions, a compromise of the database objects could lead to a compromise of\n all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain\n Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could\n allow an intruder or unauthorized personnel to make changes that could lead to\n the compromise of the domain.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73375'\n tag \"rid\": 'SV-88027r2_rule'\n tag \"stig_id\": 'WN16-DC-000100'\n tag \"fix_id\": 'F-84911r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the permissions on the Domain Controllers OU.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Select Advanced Features in the View menu if not previously selected.\n\n Select the Domain Controllers OU (folder in folder icon).\n\n Right-click and select Properties.\n\n Select the Security tab.\n\n If the permissions on the Domain Controllers OU do not restrict changes to\n System, Domain Admins, Enterprise Admins and Administrators, this is a finding.\n\n The default permissions listed below satisfy this requirement.\n\n Domains supporting Microsoft Exchange will have additional Exchange related\n permissions on the Domain Controllers OU. These may include some change\n related permissions and are not a finding.\n\n The permissions shown are at the summary level. More detailed permissions can\n be viewed by selecting the Advanced button, the desired Permission entry,\n and the View or Edit button.\n\n Except where noted otherwise, the special permissions may include a wide range\n of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n\n SELF - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n SYSTEM - Full Control\n\n Domain Admins - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Pre-Windows 2000 Compatible Access 
- Special permissions\n\n The Special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n desc \"fix\", \"Limit the permissions on the Domain Controllers OU to restrict\n changes to System, Domain Admins, Enterprise Admins and Administrators.\n\n The default permissions listed below satisfy this requirement.\n\n Domains supporting Microsoft Exchange will have additional Exchange related\n permissions on the Domain Controllers OU. These may include some change\n related permissions.\n\n CREATOR OWNER - Special permissions\n\n SELF - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read types.\n\n SYSTEM - Full Control\n\n Domain Admins - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant set\n of policy (logging), Generate resultant set of policy (planning), Special\n permissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Path AD:'OU=Domain 
Controllers,#{distinguishedName}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\System\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Admins\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['ActiveDirectoryRights']) { should_not 
match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Key Admins\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericread)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Key Admins\" }\n its(['ActiveDirectoryRights']) { should match (/(read)|(write)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\ENTERPRISE DOMAIN CONTROLLERS\" }\n its(['ActiveDirectoryRights']) { should_not match (/(genericwrite)|(genericall)|(genericexecute)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should 
cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['ActiveDirectoryRights']) { should match (/(read)/i) }\n its(['ActiveDirectoryRights']) { should_not match (/(write)|(delete)|(create)|(extendedright)/i) }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The #{acl_rule['IdentityReference']} principal\\'s access rule property\" do\n subject { acl_rule }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should match (/(read)/i) }\n its(['ActiveDirectoryRights']) { should_not match (/(write)|(delete)|(create)|(extendedright)/i) }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73307' do\n title 'The time service must synchronize with an appropriate DoD time source.'\n desc \"The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. 
If an NTP server is configured, it must synchronize\n with a secure, authorized time source.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000355-GPOS-00143'\n tag \"gid\": 'V-73307'\n tag \"rid\": 'SV-87959r1_rule'\n tag \"stig_id\": 'WN16-00-000450'\n tag \"fix_id\": 'F-79749r1_fix'\n tag \"cci\": ['CCI-001891']\n tag \"nist\": ['AU-8 (1) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the Windows time service configuration.\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter W32tm /query /configuration.\n\n Domain-joined systems (excluding the domain controller with the PDC emulator\n role):\n\n If the value for Type under NTP Client is not NT5DS, this is a\n finding.\n\n Other systems:\n\n If systems are configured with a Type of NTP, including standalone\n systems and the domain controller with the PDC Emulator role, and do not have a\n DoD time server defined for NTPServer, this is a finding.\n\n To determine the domain controller with the PDC Emulator role:\n\n Open PowerShell.\n\n Enter Get-ADDomain | FT PDCEmulator.\"\n desc \"fix\", \"Configure the system to synchronize time with an appropriate DoD\n time source.\n\n Domain-joined systems use NT5DS to synchronize time from other systems in the\n domain by default.\n\n If the system needs to be configured to an NTP server, configure the system to\n point to an authorized time server by setting the policy value for Computer\n Configuration >> Administrative Templates >> System >> Windows Time Service >>\n Time Providers >> Configure Windows NTP Client to Enabled, and\n configure the NtpServer field to point to an appropriate DoD time server.\n\n The US Naval Observatory operates stratum 1 time servers, identified at\n http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a\n hierarchy of time servers down to the local level. 
Clients and lower-level\n servers will synchronize with an authorized time server in the hierarchy.\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain != 'WORKGROUP'\n pdc_emulator = command('netdom query fsmo | findstr PDC').stdout.split[1]\n hostname = command('wmic computersystem get DNSHostName | findstr /V DNSHostName').stdout.strip\n if pdc_emulator != hostname + \".\" + is_domain\n describe command(' W32tm /query /configuration | Findstr Type') do\n its('stdout') { should eq \"Type: NT5DS (Local)\\r\\n\" }\n end\n else\n impact 0.0\n describe 'This system is a domain controller with the PDC Emulator role, therefore this control is not applicable.' do\n skip 'This system is a domain controller with the PDC Emulator role, therefore this control is not applicable.'\n end\n end\n else\n get_type = command('W32tm /query /configuration | Findstr Type').stdout.strip\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32time\\Parameters') do\n its('NTPServer') { should_not cmp 'time.windows.com,0x9' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73375.rb", + "ref": "./Windows 2016 STIG/controls/V-73307.rb", "line": 1 }, - "id": "V-73375" + "id": "V-73307" }, { - "title": "Passwords for the built-in Administrator account must be changed at\n least every 60 days.", - "desc": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the password. The built-in\n Administrator account is not generally used and its password may not be changed\n as frequently as necessary. Changing the password for the built-in\n Administrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such as Microsoft's Local\n Administrator Password Solution (LAPS), on domain-joined systems can configure\n this to occur more frequently. 
LAPS will change the password every 30 days\n by default.", + "title": "Local administrator accounts must have their privileged token filtered\n to prevent elevated privileges from being used over the network on domain\n systems.", + "desc": "A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for local\n administrator accounts will prevent the elevated privileges of these accounts\n from being used over the network.", "descriptions": { - "default": "The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the password. The built-in\n Administrator account is not generally used and its password may not be changed\n as frequently as necessary. Changing the password for the built-in\n Administrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such as Microsoft's Local\n Administrator Password Solution (LAPS), on domain-joined systems can configure\n this to occur more frequently. 
LAPS will change the password every 30 days\n by default.", - "check": "Review the password last set date for the built-in\n Administrator account.\n \n Domain controllers:\n\n Open PowerShell.\n\n Enter Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like\n *-500 | Ft Name, SID, PasswordLastSet.\n\n If the PasswordLastSet date is greater than 60 days old, this is a\n finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Enter 'Net User [account name] | Find /i Password Last Set', where [account\n name] is the name of the built-in administrator account.\n\n (The name of the built-in Administrator account must be changed to something\n other than Administrator per STIG requirements.)\n\n If the PasswordLastSet date is greater than 60 days old, this is a\n finding.", - "fix": "Change the built-in Administrator account password at least every\n 60 days.\n\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined member\n servers to accomplish this." + "default": "A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for local\n administrator accounts will prevent the elevated privileges of these accounts\n from being used over the network.", + "check": "This applies to member servers. For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\n\n This setting may cause issues with some network scanning tools if local\n administrative accounts are used remotely. Scans should use domain accounts\n where possible. 
If a local administrative account must be used, temporarily\n enabling the privileged token by configuring the registry value to 1 may be\n required.", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Apply UAC restrictions to\n local accounts on network logons to Enabled.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. SecGuide.admx and SecGuide.adml must\n be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-73223", - "rid": "SV-87875r2_rule", - "stig_id": "WN16-00-000030", - "fix_id": "F-79667r2_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-73495", + "rid": "SV-88147r1_rule", + "stig_id": "WN16-MS-000020", + "fix_id": "F-79937r1_fix", "cci": [ - "CCI-000199" + "CCI-001084" ], "nist": [ - "IA-5 (1) (d)", + "SC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73223' do\n title \"Passwords for the built-in Administrator account must be changed at\n least every 60 days.\"\n desc \"The longer a password is in use, the greater the opportunity for\n someone to gain unauthorized knowledge of the password. The built-in\n Administrator account is not generally used and its password may not be changed\n as frequently as necessary. Changing the password for the built-in\n Administrator account on a regular basis will limit its exposure.\n\n Organizations that use an automated tool, such as Microsoft's Local\n Administrator Password Solution (LAPS), on domain-joined systems can configure\n this to occur more frequently. 
LAPS will change the password every 30 days\n by default.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000076-GPOS-00044'\n tag \"gid\": 'V-73223'\n tag \"rid\": 'SV-87875r2_rule'\n tag \"stig_id\": 'WN16-00-000030'\n tag \"fix_id\": 'F-79667r2_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the password last set date for the built-in\n Administrator account.\n \n Domain controllers:\n\n Open PowerShell.\n\n Enter Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like\n *-500 | Ft Name, SID, PasswordLastSet.\n\n If the PasswordLastSet date is greater than 60 days old, this is a\n finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Enter 'Net User [account name] | Find /i Password Last Set', where [account\n name] is the name of the built-in administrator account.\n\n (The name of the built-in Administrator account must be changed to something\n other than Administrator per STIG requirements.)\n\n If the PasswordLastSet date is greater than 60 days old, this is a\n finding.\"\n desc \"fix\", \"Change the built-in Administrator account password at least every\n 60 days.\n\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined member\n servers to accomplish this.\"\n\n built_in_admin_account = input('built_in_admin_account')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n query = 'Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like *-500 | Select @{Name=\"Name\";Expression={$_.SamAccountName}}, SID, @{Name=\"PasswordLastSet\";Expression={New-TimeSpan -Start ($_.PasswordLastSet) -End (Get-Date) | Select Days, Hours}}| ConvertTo-JSON'\n else\n query = 'Get-LocalUser | Where SID -Like *-500 | Select Name, SID, @{Name=\"PasswordLastSet\";Expression={New-TimeSpan -Start ($_.PasswordLastSet) -End (Get-Date) 
| Select Days}} | ConvertTo-JSON'\n end\n\n admin_account = json({command: query})\n sid = admin_account['SID']['Value']\n pwd_last_set_days = admin_account['PasswordLastSet']['Days']\n account_name = admin_account['Name']\n\n if !admin_account.empty? && sid.to_s.end_with?('-500') && account_name.to_s.eql?(built_in_admin_account)\n describe \"Password age for built-in Adminstrator account\" do\n subject { pwd_last_set_days }\n it { should cmp <= 60 }\n end\n describe \"The built-in Administrator account name\" do\n subject { account_name }\n it { should_not cmp 'Administrator' }\n end\n else\n describe 'There are no administrative accounts on this system' do\n skip 'There are no administrative accounts on this system'\n end\n end\nend\n", + "code": "control 'V-73495' do\n title \"Local administrator accounts must have their privileged token filtered\n to prevent elevated privileges from being used over the network on domain\n systems.\"\n desc \"A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for local\n administrator accounts will prevent the elevated privileges of these accounts\n from being used over the network.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73495'\n tag \"rid\": 'SV-88147r1_rule'\n tag \"stig_id\": 'WN16-MS-000020'\n tag \"fix_id\": 'F-79937r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers. 
For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\n\n This setting may cause issues with some network scanning tools if local\n administrative accounts are used remotely. Scans should use domain accounts\n where possible. If a local administrative account must be used, temporarily\n enabling the privileged token by configuring the registry value to 1 may be\n required.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Apply UAC restrictions to\n local accounts on network logons to Enabled.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
SecGuide.admx and SecGuide.adml must\n be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if !(domain_role == '4') && !(domain_role == '5')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LocalAccountTokenFilterPolicy' }\n its('LocalAccountTokenFilterPolicy') { should cmp 0 }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n desc 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73223.rb", + "ref": "./Windows 2016 STIG/controls/V-73495.rb", "line": 1 }, - "id": "V-73223" + "id": "V-73495" }, { - "title": "Permissions for the system drive root directory (usually C:\\) must\n conform to minimum requirements.", - "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", + "title": "Windows Server 2016 must be configured to audit Policy Change -\n Authentication Policy Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy, including Kerberos policy and Trust changes.", "descriptions": { - "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", - "check": "The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the system drive's root directory (usually C:\\).\n Non-privileged groups such as Users or Authenticated Users must not have\n greater than Read & execute permissions except where noted as defaults.\n (Individual accounts must not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n View the Properties of the system drive's root directory.\n\n Select the Security tab, and the Advanced button.\n\n Default permissions:\n C:\\\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\n\n 
Alternately, use icacls:\n\n Open Command Prompt (Admin).\n\n Enter icacls followed by the directory:\n\n icacls c:\\\n\n The following results should be displayed:\n\n c:\\\n NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\Administrators:(OI)(CI)(F)\n BUILTIN\\Users:(OI)(CI)(RX)\n BUILTIN\\Users:(CI)(AD)\n BUILTIN\\Users:(CI)(IO)(WD)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n Successfully processed 1 files; Failed processing 0 files", - "fix": "Maintain the default permissions for the system drive's root\n directory and configure the Security Option Network access: Let everyone\n permissions apply to anonymous users to Disabled (WN16-SO-000290).\n\n Default Permissions\n C:\\\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy, including Kerberos policy and Trust changes.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authentication Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Authentication Policy Change with\n Success selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000312-GPOS-00122", + "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ - "SRG-OS-000312-GPOS-00122", - "SRG-OS-000312-GPOS-00123", - "SRG-OS-000312-GPOS-00124" + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000466-GPOS-00210" ], - "gid": "V-73249", - "rid": "SV-87901r1_rule", - "stig_id": "WN16-00-000160", - "fix_id": "F-79693r1_fix", + "gid": "V-73465", + "rid": "SV-88117r1_rule", + "stig_id": "WN16-AU-000330", + "fix_id": "F-79907r1_fix", "cci": [ - "CCI-002165" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-3 (4)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73249' do\n title \"Permissions for the system drive root directory (usually C:\\\\) must\n conform to minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000312-GPOS-00122'\n tag \"satisfies\": ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123',\n 'SRG-OS-000312-GPOS-00124']\n tag \"gid\": 'V-73249'\n tag \"rid\": 'SV-87901r1_rule'\n tag \"stig_id\": 'WN16-00-000160'\n tag \"fix_id\": 'F-79693r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the system drive's root directory (usually C:\\\\).\n Non-privileged groups such as Users or Authenticated Users must not have\n greater than Read & execute permissions 
except where noted as defaults.\n (Individual accounts must not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n View the Properties of the system drive's root directory.\n\n Select the Security tab, and the Advanced button.\n\n Default permissions:\n C:\\\\\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\n\n Alternately, use icacls:\n\n Open Command Prompt (Admin).\n\n Enter icacls followed by the directory:\n\n icacls c:\\\\\n\n The following results should be displayed:\n\n c:\\\\\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\\\Administrators:(OI)(CI)(F)\n BUILTIN\\\\Users:(OI)(CI)(RX)\n BUILTIN\\\\Users:(CI)(AD)\n BUILTIN\\\\Users:(CI)(IO)(WD)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n Successfully processed 1 files; Failed processing 0 files\"\n desc \"fix\", \"Maintain the default permissions for the system drive's root\n directory and configure the Security Option Network access: Let everyone\n permissions apply to anonymous users to Disabled (WN16-SO-000290).\n\n Default Permissions\n C:\\\\\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files 
only\"\n\n paths = [\n \"C:\\\\\"\n ]\n\n paths.each do |path|\n acl_rules = json(command: \"(Get-ACL -Path '#{path}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"AppendData\" }\n its(['AccessControlType']) { should cmp 
\"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"CreateFiles\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n end\n\n \nend\n", + "code": "control 'V-73465' do\n title \"Windows Server 2016 must be configured to audit Policy Change -\n Authentication Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Authentication Policy Change records events related to changes in\n authentication policy, including Kerberos policy and Trust changes.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73465'\n tag \"rid\": 'SV-88117r1_rule'\n tag \"stig_id\": 'WN16-AU-000330'\n tag \"fix_id\": 'F-79907r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authentication Policy Change - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Policy Change >> Audit Authentication Policy Change with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr 
/c:'Authentication Policy Change'\") do\n its('stdout') { should match /Authentication Policy Change Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Authentication Policy Change'\") do\n its('stdout') { should match /Authentication Policy Change Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73249.rb", + "ref": "./Windows 2016 STIG/controls/V-73465.rb", "line": 1 }, - "id": "V-73249" + "id": "V-73465" }, { - "title": "Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data.", - "desc": "Directory data that is not appropriately encrypted is subject to\n compromise. Commercial-grade encryption does not provide adequate protection\n when the classification level of directory data in transit is higher than the\n level of the network.", + "title": "Audit records must be backed up to a different system or media than\n the system being audited.", + "desc": "Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.", "descriptions": { - "default": "Directory data that is not appropriately encrypted is subject to\n compromise. Commercial-grade encryption does not provide adequate protection\n when the classification level of directory data in transit is higher than the\n level of the network.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the organization network diagram(s) or documentation to determine the\n level of classification for the network(s) over which replication data is\n transmitted.\n\n Determine the classification level of the Windows domain controller.\n\n If the classification level of the Windows domain controller is higher than the\n level of the networks, review the organization network diagram(s) and directory\n implementation documentation to determine if NSA-approved encryption is used to\n protect the replication network traffic.\n\n If the classification level of the Windows domain controller is higher than the\n level of the network traversed and NSA-approved encryption is not used, this is\n a finding.", - "fix": "Configure NSA-approved (Type 1) cryptography to protect the\n directory data in transit for directory service implementations at a classified\n confidentiality level that transfer replication data through a network cleared\n to a lower level than the data." + "default": "Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.", + "check": "Determine if a process to back up log data to a different\n system or media than the system being audited has been implemented.\n\n If it has not, this is a finding.", + "fix": "Establish and implement a process for backing up log data to\n another system or media other than the system being audited." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000396-GPOS-00176", - "gid": "V-73383", - "rid": "SV-88035r1_rule", - "stig_id": "WN16-DC-000140", - "fix_id": "F-79825r1_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "gid": "V-73401", + "rid": "SV-88053r1_rule", + "stig_id": "WN16-AU-000010", + "fix_id": "F-79843r1_fix", "cci": [ - "CCI-002450" + "CCI-001851" ], "nist": [ - "SC-13", + "AU-4 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73383' do\n title \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data.\"\n desc \"Directory data that is not appropriately encrypted is subject to\n compromise. Commercial-grade encryption does not provide adequate protection\n when the classification level of directory data in transit is higher than the\n level of the network.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000396-GPOS-00176'\n tag \"gid\": 'V-73383'\n tag \"rid\": 'SV-88035r1_rule'\n tag \"stig_id\": 'WN16-DC-000140'\n tag \"fix_id\": 'F-79825r1_fix'\n tag \"cci\": ['CCI-002450']\n tag \"nist\": ['SC-13', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the organization network diagram(s) or documentation to determine the\n level of classification for the network(s) over which replication data is\n transmitted.\n\n Determine the classification level of the Windows domain controller.\n\n If the classification level of the Windows domain controller is higher than the\n level of the networks, review the organization network diagram(s) and directory\n implementation documentation to determine if NSA-approved encryption is used to\n protect the replication network traffic.\n\n If the classification level of the Windows domain controller is higher than the\n level of the network traversed and NSA-approved encryption is not used, this is\n a finding.\"\n desc \"fix\", \"Configure NSA-approved (Type 1) cryptography to protect the\n directory data in transit for directory service implementations at a classified\n confidentiality level that transfer replication data through a network cleared\n to a lower level than the data.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data.\" do\n skip \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data is a manual check\"\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain 
controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73401' do\n title \"Audit records must be backed up to a different system or media than\n the system being audited.\"\n desc \"Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000342-GPOS-00133'\n tag \"gid\": 'V-73401'\n tag \"rid\": 'SV-88053r1_rule'\n tag \"stig_id\": 'WN16-AU-000010'\n tag \"fix_id\": 'F-79843r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if a process to back up log data to a different\n system or media than the system being audited has been implemented.\n\n If it has not, this is a finding.\"\n desc \"fix\", \"Establish and implement a process for backing up log data to\n another system or media other than the system being audited.\"\n describe 'A manual review is required to verify audit records are being backed up onto a different system or media than the system being audited' do\n skip 'A manual review is required to verify audit records are being backed up onto a different system or media than the system being audited'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73383.rb", + "ref": "./Windows 2016 STIG/controls/V-73401.rb", "line": 1 }, - "id": "V-73383" + "id": "V-73401" }, { - "title": "The Microsoft FTP service must not be installed unless required.", - "desc": "Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption.", + "title": "AutoPlay must be turned off for non-volume devices.", + "desc": "Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon as media is inserted into the\n drive. As a result, the setup file of programs or music on audio media may\n start. This setting will disable AutoPlay for non-volume devices, such as Media\n Transfer Protocol (MTP) devices.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption.", - "check": "If the server has the role of an FTP server, this is NA.\n\n Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Web-Ftp-Service.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\n\n If the system has the role of an FTP server, this must be documented with the\n ISSO.", - "fix": "Uninstall the FTP Server role.\n\n Start Server Manager.\n\n Select the server with the role.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect FTP Server under Web Server (IIS) on the Roles page.\n\n Click Next and Remove as prompted." + "default": "Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon as media is inserted into the\n drive. As a result, the setup file of programs or music on audio media may\n start. 
This setting will disable AutoPlay for non-volume devices, such as Media\n Transfer Protocol (MTP) devices.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoAutoplayfornonVolume\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >>\n Disallow Autoplay for non-volume devices to Enabled." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000096-GPOS-00050", - "gid": "V-73289", - "rid": "SV-87941r1_rule", - "stig_id": "WN16-00-000360", - "fix_id": "F-79733r1_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-73545", + "rid": "SV-88209r1_rule", + "stig_id": "WN16-CC-000250", + "fix_id": "F-79991r1_fix", "cci": [ - "CCI-000382" + "CCI-001764" ], "nist": [ - "CM-7", + "CM-7 (2)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73289' do\n title 'The Microsoft FTP service must not be installed unless required.'\n desc \"Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000096-GPOS-00050'\n tag \"gid\": 'V-73289'\n tag \"rid\": 'SV-87941r1_rule'\n tag \"stig_id\": 'WN16-00-000360'\n tag \"fix_id\": 'F-79733r1_fix'\n tag \"cci\": ['CCI-000382']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the server has the role of an FTP server, this is NA.\n\n Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Web-Ftp-Service.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\n\n If the system has the role of an FTP server, this must be documented with the\n ISSO.\"\n desc \"fix\", \"Uninstall the FTP Server role.\n\n Start Server Manager.\n\n Select the server with the role.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect FTP Server under Web Server (IIS) on the Roles page.\n\n Click Next and Remove as prompted.\"\n has_ftp_server_role = attribute('has_ftp_server_role')\n\n describe windows_feature('Web-Ftp-Service') do\n it { should_not be_installed }\n end\n if has_ftp_server_role == 'True'\n impact 0.0\n desc 'This server has the role of an FTP server, therefore this control is not applicable'\n end\nend\n", + "code": "control 'V-73545' do\n title 'AutoPlay must be turned off for non-volume devices.'\n desc \"Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon as media is inserted into the\n drive. As a result, the setup file of programs or music on audio media may\n start. 
This setting will disable AutoPlay for non-volume devices, such as Media\n Transfer Protocol (MTP) devices.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000368-GPOS-00154'\n tag \"gid\": 'V-73545'\n tag \"rid\": 'SV-88209r1_rule'\n tag \"stig_id\": 'WN16-CC-000250'\n tag \"fix_id\": 'F-79991r1_fix'\n tag \"cci\": ['CCI-001764']\n tag \"nist\": ['CM-7 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoAutoplayfornonVolume\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >>\n Disallow Autoplay for non-volume devices to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer') do\n it { should have_property 'NoAutoplayfornonVolume' }\n its('NoAutoplayfornonVolume') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73289.rb", + "ref": "./Windows 2016 STIG/controls/V-73545.rb", "line": 1 }, - "id": "V-73289" + "id": "V-73545" }, { - "title": "The Create a pagefile user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create a pagefile user right can change the size of a\n pagefile, which could affect system performance.", + "title": "The minimum password age must be configured to at least one day.", + "desc": "Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. 
This\n enables users to effectively negate the purpose of mandating periodic password\n changes.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create a pagefile user right can change the size of a\n pagefile, which could affect system performance.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create a\n pagefile user right, this is a finding.\n\n - Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create a pagefile to include only the following accounts or groups:\n\n - Administrators" + "default": "Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. This\n enables users to effectively negate the purpose of mandating periodic password\n changes.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Minimum password age is set to 0 days (Password\n can be changed immediately), this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Minimum password age to at least 1 day." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73745", - "rid": "SV-88409r1_rule", - "stig_id": "WN16-UR-000080", - "fix_id": "F-80195r1_fix", + "gtitle": "SRG-OS-000075-GPOS-00043", + "gid": "V-73319", + "rid": "SV-87971r1_rule", + "stig_id": "WN16-AC-000060", + "fix_id": "F-79761r1_fix", "cci": [ - "CCI-002235" + "CCI-000198" ], "nist": [ - "AC-6 (10)", + "IA-5 (1) (d)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73745' do\n title \"The Create a pagefile user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create a pagefile user right can change the size of a\n pagefile, which could affect system performance.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73745'\n tag \"rid\": 'SV-88409r1_rule'\n tag \"stig_id\": 'WN16-UR-000080'\n tag \"fix_id\": 'F-80195r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create a\n pagefile user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create a pagefile to include only the following accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeCreatePagefilePrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeCreatePagefilePrivilege') { should eq [] }\n end\n end\nend\n", + 
"code": "control 'V-73319' do\n title 'The minimum password age must be configured to at least one day.'\n desc \"Permitting passwords to be changed in immediate succession within the\n same day allows users to cycle passwords through their history database. This\n enables users to effectively negate the purpose of mandating periodic password\n changes.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000075-GPOS-00043'\n tag \"gid\": 'V-73319'\n tag \"rid\": 'SV-87971r1_rule'\n tag \"stig_id\": 'WN16-AC-000060'\n tag \"fix_id\": 'F-79761r1_fix'\n tag \"cci\": ['CCI-000198']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Minimum password age is set to 0 days (Password\n can be changed immediately), this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Minimum password age to at least 1 day.\"\n describe security_policy do\n its('MinimumPasswordAge') { should be >= 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73745.rb", + "ref": "./Windows 2016 STIG/controls/V-73319.rb", "line": 1 }, - "id": "V-73745" + "id": "V-73319" }, { - "title": "The time service must synchronize with an appropriate DoD time source.", - "desc": "The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. 
If an NTP server is configured, it must synchronize\n with a secure, authorized time source.", + "title": "The Access this computer from the network user right must only be\n assigned to the Administrators, Authenticated Users, and\n Enterprise Domain Controllers groups on domain controllers.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network right may\n access resources on the system, and this right must be limited to those\n requiring it.", "descriptions": { - "default": "The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. If an NTP server is configured, it must synchronize\n with a secure, authorized time source.", - "check": "Review the Windows time service configuration.\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter W32tm /query /configuration.\n\n Domain-joined systems (excluding the domain controller with the PDC emulator\n role):\n\n If the value for Type under NTP Client is not NT5DS, this is a\n finding.\n\n Other systems:\n\n If systems are configured with a Type of NTP, including standalone\n systems and the domain controller with the PDC Emulator role, and do not have a\n DoD time server defined for NTPServer, this is a finding.\n\n To determine the domain controller with the PDC Emulator role:\n\n Open PowerShell.\n\n Enter Get-ADDomain | FT PDCEmulator.", - "fix": "Configure the system to synchronize time with an appropriate DoD\n time source.\n\n Domain-joined systems use NT5DS to synchronize time from other systems in the\n domain by default.\n\n If the system needs to be configured to an NTP server, configure the 
system to\n point to an authorized time server by setting the policy value for Computer\n Configuration >> Administrative Templates >> System >> Windows Time Service >>\n Time Providers >> Configure Windows NTP Client to Enabled, and\n configure the NtpServer field to point to an appropriate DoD time server.\n\n The US Naval Observatory operates stratum 1 time servers, identified at\n http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a\n hierarchy of time servers down to the local level. Clients and lower-level\n servers will synchronize with an authorized time server in the hierarchy." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network right may\n access resources on the system, and this right must be limited to those\n requiring it.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Access\n this computer from the network right, this is a finding.\n\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access this computer 
from the network to include only the following\n accounts or groups:\n\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers" }, - "impact": 0.3, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000355-GPOS-00143", - "gid": "V-73307", - "rid": "SV-87959r1_rule", - "stig_id": "WN16-00-000450", - "fix_id": "F-79749r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73731", + "rid": "SV-88395r1_rule", + "stig_id": "WN16-DC-000340", + "fix_id": "F-80181r1_fix", "cci": [ - "CCI-001891" + "CCI-000213" ], "nist": [ - "AU-8 (1) (a)", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73307' do\n title 'The time service must synchronize with an appropriate DoD time source.'\n desc \"The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. 
If an NTP server is configured, it must synchronize\n with a secure, authorized time source.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000355-GPOS-00143'\n tag \"gid\": 'V-73307'\n tag \"rid\": 'SV-87959r1_rule'\n tag \"stig_id\": 'WN16-00-000450'\n tag \"fix_id\": 'F-79749r1_fix'\n tag \"cci\": ['CCI-001891']\n tag \"nist\": ['AU-8 (1) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the Windows time service configuration.\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter W32tm /query /configuration.\n\n Domain-joined systems (excluding the domain controller with the PDC emulator\n role):\n\n If the value for Type under NTP Client is not NT5DS, this is a\n finding.\n\n Other systems:\n\n If systems are configured with a Type of NTP, including standalone\n systems and the domain controller with the PDC Emulator role, and do not have a\n DoD time server defined for NTPServer, this is a finding.\n\n To determine the domain controller with the PDC Emulator role:\n\n Open PowerShell.\n\n Enter Get-ADDomain | FT PDCEmulator.\"\n desc \"fix\", \"Configure the system to synchronize time with an appropriate DoD\n time source.\n\n Domain-joined systems use NT5DS to synchronize time from other systems in the\n domain by default.\n\n If the system needs to be configured to an NTP server, configure the system to\n point to an authorized time server by setting the policy value for Computer\n Configuration >> Administrative Templates >> System >> Windows Time Service >>\n Time Providers >> Configure Windows NTP Client to Enabled, and\n configure the NtpServer field to point to an appropriate DoD time server.\n\n The US Naval Observatory operates stratum 1 time servers, identified at\n http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a\n hierarchy of time servers down to the local level. 
Clients and lower-level\n servers will synchronize with an authorized time server in the hierarchy.\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain != 'WORKGROUP'\n pdc_emulator = command('netdom query fsmo | findstr PDC').stdout.split[1]\n hostname = command('wmic computersystem get DNSHostName | findstr /V DNSHostName').stdout.strip\n if pdc_emulator != hostname + \".\" + is_domain\n describe command(' W32tm /query /configuration | Findstr Type') do\n its('stdout') { should eq \"Type: NT5DS (Local)\\r\\n\" }\n end\n else\n impact 0.0\n describe 'This system is a domain controller with the PDC Emulator role, therefore this control is not applicable.' do\n skip 'This system is a domain controller with the PDC Emulator role, therefore this control is not applicable.'\n end\n end\n else\n get_type = command('W32tm /query /configuration | Findstr Type').stdout.strip\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32time\\Parameters') do\n its('NTPServer') { should_not cmp 'time.windows.com,0x9' }\n end\n end\nend\n", + "code": "control 'V-73731' do\n title \"The Access this computer from the network user right must only be\n assigned to the Administrators, Authenticated Users, and\n Enterprise Domain Controllers groups on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network right may\n access resources on the system, and this right must be limited to those\n requiring it.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73731'\n tag \"rid\": 'SV-88395r1_rule'\n tag \"stig_id\": 'WN16-DC-000340'\n tag \"fix_id\": 'F-80181r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Access\n this computer from the network right, this is a finding.\n\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access this computer from the network to include only the following\n accounts or groups:\n\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeNetworkLogonRight') { should be_in ['S-1-5-11', 'S-1-5-32-544', 'S-1-5-9'] }\n end\n describe security_policy do\n its('SeNetworkLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 
STIG/controls/V-73307.rb", + "ref": "./Windows 2016 STIG/controls/V-73731.rb", "line": 1 }, - "id": "V-73307" + "id": "V-73731" }, { - "title": "Windows Server 2016 must be configured to audit Account Management -\n Other Account Management Events successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\n password hash or the Password Policy Checking API being called.", + "title": "The built-in guest account must be disabled.", + "desc": "A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This is a known account that exists on all Windows\n systems and cannot be deleted. This account is initialized during the\n installation of the operating system with no password assigned.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\n password hash or the Password Policy Checking API being called.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Other Account Management Events - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Other Account Management\n Events with Success selected." + "default": "A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This is a known account that exists on all Windows\n systems and cannot be deleted. 
This account is initialized during the\n installation of the operating system with no password assigned.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Guest account status is not set to Disabled,\n this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Guest account status to Disabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" - ], - "gid": "V-73419", - "rid": "SV-88071r1_rule", - "stig_id": "WN16-AU-000100", - "fix_id": "F-79861r1_fix", + "gtitle": "SRG-OS-000121-GPOS-000062", + "gid": "V-73809", + "rid": "SV-88475r1_rule", + "stig_id": "WN16-SO-000010", + "fix_id": "F-80267r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000804" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "IA-8", "Rev_4" ], "documentable": false }, - "code": "control 'V-73419' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n Other Account Management Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\n password hash or the Password Policy Checking API being called.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000064-GPOS-00033',\n 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210']\n tag \"gid\": 'V-73419'\n tag \"rid\": 'SV-88071r1_rule'\n tag \"stig_id\": 'WN16-AU-000100'\n tag \"fix_id\": 'F-79861r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Other Account Management Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit Other Account Management\n Events with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Other Account Management Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Account Management Events') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get 
/category:* | Findstr /c:'Other Account Management Events'\") do\n its('stdout') { should match /Other Account Management Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other Account Management Events'\") do\n its('stdout') { should match /Other Account Management Events Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73809' do\n title 'The built-in guest account must be disabled.'\n desc \"A system faces an increased vulnerability threat if the built-in guest\n account is not disabled. This is a known account that exists on all Windows\n systems and cannot be deleted. This account is initialized during the\n installation of the operating system with no password assigned.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000121-GPOS-000062'\n tag \"gid\": 'V-73809'\n tag \"rid\": 'SV-88475r1_rule'\n tag \"stig_id\": 'WN16-SO-000010'\n tag \"fix_id\": 'F-80267r1_fix'\n tag \"cci\": ['CCI-000804']\n tag \"nist\": ['IA-8', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Guest account status is not set to Disabled,\n this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Guest account status to Disabled.\"\n describe security_policy do\n its('EnableGuestAccount') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73419.rb", + "ref": "./Windows 2016 STIG/controls/V-73809.rb", "line": 1 }, - "id": "V-73419" + "id": "V-73809" }, { - "title": "The setting Microsoft network server: Digitally sign communications\n (if client agrees) must be configured to Enabled.", - "desc": "The server 
message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will\n negotiate SMB packet signing as requested by the client.", + "title": "The amount of idle time required before suspending a session must be\n configured to 15 minutes or less.", + "desc": "Open sessions can increase the avenues of attack on a system. This\n setting is used to control when a computer disconnects an inactive SMB session.\n If client activity resumes, the session is automatically reestablished. This\n protects critical and sensitive network data from exposure to unauthorized\n personnel with physical access to the computer.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will\n negotiate SMB packet signing as requested by the client.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network server: Digitally sign communications (if client agrees)\n to Enabled." + "default": "Open sessions can increase the avenues of attack on a system. This\n setting is used to control when a computer disconnects an inactive SMB session.\n If client activity resumes, the session is automatically reestablished. 
This\n protects critical and sensitive network data from exposure to unauthorized\n personnel with physical access to the computer.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: autodisconnect\n\n Value Type: REG_DWORD\n Value: 0x0000000f (15) (or less)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft Network Server: Amount of idle time required before suspending\n session to 15 minutes or less." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000423-GPOS-00187", + "gtitle": "SRG-OS-000163-GPOS-00072", "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" + "SRG-OS-000163-GPOS-00072", + "SRG-OS-000279-GPOS-00109" ], - "gid": "V-73663", - "rid": "SV-88327r1_rule", - "stig_id": "WN16-SO-000240", - "fix_id": "F-80113r1_fix", + "gid": "V-73659", + "rid": "SV-88323r1_rule", + "stig_id": "WN16-SO-000220", + "fix_id": "F-80109r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-001133", + "CCI-002361" ], "nist": [ - "SC-8", - "SC-8 (1)", + "SC-10", + "AC-12", "Rev_4" ], "documentable": false }, - "code": "control 'V-73663' do\n title \"The setting Microsoft network server: Digitally sign communications\n (if client agrees) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will\n negotiate SMB packet signing as requested by the client.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73663'\n tag \"rid\": 'SV-88327r1_rule'\n tag \"stig_id\": 'WN16-SO-000240'\n tag \"fix_id\": 'F-80113r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network server: Digitally sign communications (if client agrees)\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters') do\n it { should have_property 'EnableSecuritySignature' }\n its('EnableSecuritySignature') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73659' do\n title \"The amount of idle time required before suspending a session must be\n configured to 15 minutes or less.\"\n desc \"Open sessions can increase the avenues of attack on a system. This\n setting is used to control when a computer disconnects an inactive SMB session.\n If client activity resumes, the session is automatically reestablished. 
This\n protects critical and sensitive network data from exposure to unauthorized\n personnel with physical access to the computer.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000163-GPOS-00072'\n tag \"satisfies\": ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000279-GPOS-00109']\n tag \"gid\": 'V-73659'\n tag \"rid\": 'SV-88323r1_rule'\n tag \"stig_id\": 'WN16-SO-000220'\n tag \"fix_id\": 'F-80109r1_fix'\n tag \"cci\": ['CCI-001133', 'CCI-002361']\n tag \"nist\": ['SC-10', 'AC-12', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: autodisconnect\n\n Value Type: REG_DWORD\n Value: 0x0000000f (15) (or less)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft Network Server: Amount of idle time required before suspending\n session to 15 minutes or less.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'AutoDisconnect' }\n its('AutoDisconnect') { should be <= 15 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73663.rb", + "ref": "./Windows 2016 STIG/controls/V-73659.rb", "line": 1 }, - "id": "V-73663" + "id": "V-73659" }, { - "title": "The Windows Remote Management (WinRM) client must not use Basic\n authentication.", - "desc": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. 
Disabling Basic authentication will reduce this potential.", + "title": "The Host Based Security System (HBSS) McAfee Agent must be installed.", + "desc": "The McAfee Agent is the client side distributed component of McAfee\n ePolicy Orchestrator (McAfee ePO), which provides a secure communication\n channel between the ePO server and managed point products.", "descriptions": { - "default": "Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Allow Basic authentication to Disabled." + "default": "The McAfee Agent is the client side distributed component of McAfee\n ePolicy Orchestrator (McAfee ePO), which provides a secure communication\n channel between the ePO server and managed point products.", + "check": "Run Services.msc.\n Verify the service is running, depending on the McAfee Agent version installed.\n\n McAfee Agent v5.x - McAfee Agent Service\n\n McAfee Agent v4.x - McAfee Framework Service\n\n If the service is not listed or does not have a Status of Started, this is\n a finding.", + "fix": "Deploy the McAfee Agent as detailed in accordance with the DoD\n HBSS STIG." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000125-GPOS-00065", - "gid": "V-73593", - "rid": "SV-88257r1_rule", - "stig_id": "WN16-CC-000500", - "fix_id": "F-80043r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73269", + "rid": "SV-87921r1_rule", + "stig_id": "WN16-00-000260", + "fix_id": "F-79713r1_fix", "cci": [ - "CCI-000877" + "CCI-000366" ], "nist": [ - "MA-4 c", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73593' do\n title \"The Windows Remote Management (WinRM) client must not use Basic\n authentication.\"\n desc \"Basic authentication uses plain-text passwords that could be used to\n compromise a system. Disabling Basic authentication will reduce this potential.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000125-GPOS-00065'\n tag \"gid\": 'V-73593'\n tag \"rid\": 'SV-88257r1_rule'\n tag \"stig_id\": 'WN16-CC-000500'\n tag \"fix_id\": 'F-80043r1_fix'\n tag \"cci\": ['CCI-000877']\n tag \"nist\": ['MA-4 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Allow Basic authentication to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73269' do\n title 'The Host Based Security System (HBSS) McAfee Agent must be installed.'\n desc \"The McAfee Agent is the client side distributed component of McAfee\n ePolicy 
Orchestrator (McAfee ePO), which provides a secure communication\n channel between the ePO server and managed point products.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73269'\n tag \"rid\": 'SV-87921r1_rule'\n tag \"stig_id\": 'WN16-00-000260'\n tag \"fix_id\": 'F-79713r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Run Services.msc.\n Verify the service is running, depending on the McAfee Agent version installed.\n\n McAfee Agent v5.x - McAfee Agent Service\n\n McAfee Agent v4.x - McAfee Framework Service\n\n If the service is not listed or does not have a Status of Started, this is\n a finding.\"\n desc \"fix\", \"Deploy the McAfee Agent as detailed in accordance with the DoD\n HBSS STIG.\"\n describe.one do\n describe service('McAfee Agent Service') do\n it { should be_running }\n end\n describe service('McAfee Framework Service') do\n it { should be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73593.rb", + "ref": "./Windows 2016 STIG/controls/V-73269.rb", "line": 1 }, - "id": "V-73593" + "id": "V-73269" }, { - "title": "Windows Server 2016 must be configured to ignore NetBIOS name release\n requests except from WINS servers.", - "desc": "Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the\n server's WINS resolution capability.", + "title": "Windows Server 2016 must be configured to force users to log off when\n their allowed logon hours expire.", + "desc": "Limiting logon hours can help protect data by allowing access only\n during specified times. This setting controls whether users are forced to log\n off when their allowed logon hours expire. 
If logon hours are set for users,\n this must be enforced.", "descriptions": { - "default": "Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the\n server's WINS resolution capability.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \"MSS: (NoNameReleaseOnDemand)\n Allow the computer to ignore NetBIOS name release requests except from WINS\n servers to Enabled.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "Limiting logon hours can help protect data by allowing access only\n during specified times. This setting controls whether users are forced to log\n off when their allowed logon hours expire. 
If logon hours are set for users,\n this must be enforced.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Network security: Force logoff when logon hours expire is\n not set to Enabled, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Force logoff when logon hours expire to Enabled." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000420-GPOS-00186", - "gid": "V-73505", - "rid": "SV-88157r1_rule", - "stig_id": "WN16-CC-000070", - "fix_id": "F-79947r1_fix", + "gtitle": "SRG-OS-000163-GPOS-00072", + "gid": "V-73689", + "rid": "SV-88353r1_rule", + "stig_id": "WN16-SO-000370", + "fix_id": "F-80139r1_fix", "cci": [ - "CCI-002385" + "CCI-001133" ], "nist": [ - "SC-5", + "SC-10", "Rev_4" ], "documentable": false }, - "code": "control 'V-73505' do\n title \"Windows Server 2016 must be configured to ignore NetBIOS name release\n requests except from WINS servers.\"\n desc \"Configuring the system to ignore name release requests, except from\n WINS servers, prevents a denial of service (DoS) attack. 
The DoS consists of\n sending a NetBIOS name release request to the server for each entry in the\n server's cache, causing a response delay in the normal operation of the\n server's WINS resolution capability.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000420-GPOS-00186'\n tag \"gid\": 'V-73505'\n tag \"rid\": 'SV-88157r1_rule'\n tag \"stig_id\": 'WN16-CC-000070'\n tag \"fix_id\": 'F-79947r1_fix'\n tag \"cci\": ['CCI-002385']\n tag \"nist\": ['SC-5', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters\\\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> \\\"MSS: (NoNameReleaseOnDemand)\n Allow the computer to ignore NetBIOS name release requests except from WINS\n servers to Enabled.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters') do\n it { should have_property 'NoNameReleaseOnDemand' }\n its('NoNameReleaseOnDemand') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73689' do\n title \"Windows Server 2016 must be configured to force users to log off when\n their allowed logon hours expire.\"\n desc \"Limiting logon hours can help protect data by allowing access only\n during specified times. This setting controls whether users are forced to log\n off when their allowed logon hours expire. 
If logon hours are set for users,\n this must be enforced.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000163-GPOS-00072'\n tag \"gid\": 'V-73689'\n tag \"rid\": 'SV-88353r1_rule'\n tag \"stig_id\": 'WN16-SO-000370'\n tag \"fix_id\": 'F-80139r1_fix'\n tag \"cci\": ['CCI-001133']\n tag \"nist\": ['SC-10', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Network security: Force logoff when logon hours expire is\n not set to Enabled, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Force logoff when logon hours expire to Enabled.\"\n describe security_policy do\n its('ForceLogoffWhenHourExpire') { should eq 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73505.rb", + "ref": "./Windows 2016 STIG/controls/V-73689.rb", "line": 1 }, - "id": "V-73505" + "id": "V-73689" }, { - "title": "Anonymous enumeration of shares must not be allowed.", - "desc": "Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.", + "title": "Manually managed application account passwords must be at least 15\n characters in length.", + "desc": "Application/service account passwords must be of sufficient length to\n prevent being easily cracked. 
Application/service accounts that are manually\n managed must have passwords at least 15 characters in length.", "descriptions": { - "default": "Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow anonymous enumeration of SAM accounts and\n shares to Enabled." + "default": "Application/service account passwords must be of sufficient length to\n prevent being easily cracked. Application/service accounts that are manually\n managed must have passwords at least 15 characters in length.", + "check": "Determine if manually managed application/service accounts\n exist. If none exist, this is NA.\n\n Verify the organization has a policy to ensure passwords for manually managed\n application/service accounts are at least 15 characters in length.\n\n If such a policy does not exist or has not been implemented, this is a finding.", + "fix": "Establish a policy that requires application/service account\n passwords that are manually managed to be at least 15 characters in length.\n Ensure the policy is enforced." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-73669", - "rid": "SV-88333r1_rule", - "stig_id": "WN16-SO-000270", - "fix_id": "F-80119r1_fix", + "gtitle": "SRG-OS-000078-GPOS-00046", + "gid": "V-73229", + "rid": "SV-87881r1_rule", + "stig_id": "WN16-00-000060", + "fix_id": "F-79673r1_fix", "cci": [ - "CCI-001090" + "CCI-000205" ], "nist": [ - "AU-10 (4) (b)", + "IA-5 (1) (a)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73669' do\n title 'Anonymous enumeration of shares must not be allowed.'\n desc \"Allowing anonymous logon users (null session connections) to list all\n account names and enumerate all shared resources can provide a map of potential\n points to attack the system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73669'\n tag \"rid\": 'SV-88333r1_rule'\n tag \"stig_id\": 'WN16-SO-000270'\n tag \"fix_id\": 'F-80119r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['AU-10 (4) (b)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow anonymous enumeration of SAM accounts and\n shares to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictAnonymous' }\n its('RestrictAnonymous') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73229' do\n title \"Manually managed application account passwords must be at least 15\n characters in length.\"\n desc \"Application/service 
account passwords must be of sufficient length to\n prevent being easily cracked. Application/service accounts that are manually\n managed must have passwords at least 15 characters in length.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000078-GPOS-00046'\n tag \"gid\": 'V-73229'\n tag \"rid\": 'SV-87881r1_rule'\n tag \"stig_id\": 'WN16-00-000060'\n tag \"fix_id\": 'F-79673r1_fix'\n tag \"cci\": ['CCI-000205']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if manually managed application/service accounts\n exist. If none exist, this is NA.\n\n Verify the organization has a policy to ensure passwords for manually managed\n application/service accounts are at least 15 characters in length.\n\n If such a policy does not exist or has not been implemented, this is a finding.\"\n desc \"fix\", \"Establish a policy that requires application/service account\n passwords that are manually managed to be at least 15 characters in length.\n Ensure the policy is enforced.\"\n describe security_policy do\n its('MinimumPasswordLength') { should be >= 15 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73669.rb", + "ref": "./Windows 2016 STIG/controls/V-73229.rb", "line": 1 }, - "id": "V-73669" + "id": "V-73229" }, { - "title": "The built-in administrator account must be renamed.", - "desc": "The built-in administrator account is a well-known account subject to\n attack. Renaming this account to an unidentified name improves the protection\n of this account and the system.", + "title": "The computer account password must not be prevented from being reset.", + "desc": "Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more vulnerable\n to malicious access. Frequent password changes can be a significant safeguard\n for the system. 
A new password for the computer account will be generated every\n 30 days.", "descriptions": { - "default": "The built-in administrator account is a well-known account subject to\n attack. Renaming this account to an unidentified name improves the protection\n of this account and the system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Rename administrator account is not set to a\n value other than Administrator, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Rename administrator account to a name other than\n Administrator." + "default": "Computer account passwords are changed automatically on a regular\n basis. Disabling automatic password changes can make the system more vulnerable\n to malicious access. Frequent password changes can be a significant safeguard\n for the system. A new password for the computer account will be generated every\n 30 days.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Disable machine account password changes to Disabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73623", - "rid": "SV-88287r1_rule", - "stig_id": "WN16-SO-000030", - "fix_id": "F-80073r1_fix", + "gtitle": "SRG-OS-000379-GPOS-00164", + "gid": "V-73639", + "rid": "SV-88303r1_rule", + "stig_id": "WN16-SO-000110", + "fix_id": "F-80089r1_fix", "cci": [ - "CCI-000366" + "CCI-001967" ], "nist": [ - "CM-6 b", + "IA-3 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73623' do\n title 'The built-in administrator account must be renamed.'\n desc \"The built-in administrator account is a well-known account subject to\n attack. Renaming this account to an unidentified name improves the protection\n of this account and the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73623'\n tag \"rid\": 'SV-88287r1_rule'\n tag \"stig_id\": 'WN16-SO-000030'\n tag \"fix_id\": 'F-80073r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Rename administrator account is not set to a\n value other than Administrator, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Rename administrator account to a name other than\n Administrator.\"\n describe user('Administrator') do\n it { should_not exist }\n end\nend\n", + "code": "control 'V-73639' do\n title 'The computer account password must not be prevented from being reset.'\n desc \"Computer account passwords are changed automatically on a regular\n basis. 
Disabling automatic password changes can make the system more vulnerable\n to malicious access. Frequent password changes can be a significant safeguard\n for the system. A new password for the computer account will be generated every\n 30 days.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000379-GPOS-00164'\n tag \"gid\": 'V-73639'\n tag \"rid\": 'SV-88303r1_rule'\n tag \"stig_id\": 'WN16-SO-000110'\n tag \"fix_id\": 'F-80089r1_fix'\n tag \"cci\": ['CCI-001967']\n tag \"nist\": ['IA-3 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n member: Disable machine account password changes to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'DisablePasswordChange' }\n its('DisablePasswordChange') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73623.rb", + "ref": "./Windows 2016 STIG/controls/V-73639.rb", "line": 1 }, - "id": "V-73623" + "id": "V-73639" }, { - "title": "The Fax Server role must not be installed.", + "title": "The Peer Name Resolution Protocol must not be installed.", "desc": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", "descriptions": { "default": "Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", - "check": "Open PowerShell.\n Enter Get-WindowsFeature | Where Name -eq Fax.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", - "fix": "Uninstall the Fax Server role.\n\n Start Server Manager.\n\n Select the server with the role.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Fax Server on the Roles page.\n\n Click Next and Remove as prompted." + "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq PNRP.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", + "fix": "Uninstall the Peer Name Resolution Protocol feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Peer Name Resolution Protoco on the Features page.\n\n Click Next and Remove as prompted." }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73287", - "rid": "SV-87939r1_rule", - "stig_id": "WN16-00-000350", - "fix_id": "F-79731r1_fix", + "gid": "V-73291", + "rid": "SV-87943r1_rule", + "stig_id": "WN16-00-000370", + "fix_id": "F-80269r1_fix", "cci": [ "CCI-000381" ], "nist": [ - "CM-7 a", + "CM-7", "Rev_4" ], "documentable": false }, - "code": "control 'V-73287' do\n title 'The Fax Server role must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73287'\n tag \"rid\": 'SV-87939r1_rule'\n tag \"stig_id\": 'WN16-00-000350'\n tag \"fix_id\": 'F-79731r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n Enter Get-WindowsFeature | Where Name -eq Fax.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Fax Server role.\n\n Start Server Manager.\n\n Select the server with the role.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Fax Server on the Roles page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('fax') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-73291' do\n title 'The Peer Name Resolution Protocol must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73291'\n tag \"rid\": 'SV-87943r1_rule'\n tag \"stig_id\": 'WN16-00-000370'\n tag \"fix_id\": 'F-80269r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq PNRP.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Peer Name Resolution Protocol feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Peer Name Resolution Protoco on the Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('PNRP') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73287.rb", + "ref": "./Windows 2016 STIG/controls/V-73291.rb", "line": 1 }, - "id": "V-73287" + "id": "V-73291" }, { - "title": "The Active Directory Domain Controllers Organizational Unit (OU)\n object must be configured with proper audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain Controller OU object. Because changes to these objects\n can significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Group\n Membership successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain Controller OU object. Because changes to these objects\n can significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain Controller OU object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the Domain Controllers OU under the domain being reviewed in the\n left pane.\n\n Right-click the Domain Controllers OU object and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Domain Controllers OU object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object and all descendant objects\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects", - "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the Domain Controllers OU under the domain being reviewed in the\n left pane.\n\n Right-click the Domain Controllers OU object and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Domain Controllers OU object to include the\n following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Group Membership - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced 
Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Group Membership with Success selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73395", - "rid": "SV-88047r1_rule", - "stig_id": "WN16-DC-000200", - "fix_id": "F-79837r1_fix", + "gtitle": "SRG-OS-000470-GPOS-00214", + "gid": "V-73447", + "rid": "SV-88099r2_rule", + "stig_id": "WN16-AU-000240", + "fix_id": "F-79889r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000172" ], "nist": [ "AU-12 c", - "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73395' do\n title \"The Active Directory Domain Controllers Organizational Unit (OU)\n object must be configured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain Controller OU object. Because changes to these objects\n can significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73395'\n tag \"rid\": 'SV-88047r1_rule'\n tag \"stig_id\": 'WN16-DC-000200'\n tag \"fix_id\": 'F-79837r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain Controller OU object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the Domain Controllers OU under the domain being reviewed in the\n left pane.\n\n Right-click the Domain Controllers OU object and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Domain Controllers OU object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object and all descendant objects\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the Domain Controllers OU under the domain being reviewed in the\n left pane.\n\n Right-click the Domain Controllers OU object and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Domain Controllers OU object to include the\n following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'OU=Domain Controllers,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n 
its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should match /(Create)|(Delete)|(Write)/ }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"All\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"All\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73447' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Group\n Membership successes.\"\n desc \"Maintaining an audit trail of system activity logs can help 
identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\n of a user's logon token.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000470-GPOS-00214'\n tag \"gid\": 'V-73447'\n tag \"rid\": 'SV-88099r2_rule'\n tag \"stig_id\": 'WN16-AU-000240'\n tag \"fix_id\": 'F-79889r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Group Membership - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Group Membership with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Group Membership') { should eq 'Success' }\n end\n describe audit_policy do\n its('Group Membership') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Group Membership'\") do\n its('stdout') { should match /Group Membership Success/ }\n end\n describe command(\"AuditPol /get 
/category:* | Findstr /c:'Group Membership'\") do\n its('stdout') { should match /Group Membership Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73395.rb", + "ref": "./Windows 2016 STIG/controls/V-73447.rb", "line": 1 }, - "id": "V-73395" + "id": "V-73447" }, { - "title": "Windows Telemetry must be configured to Security or Basic.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The Security option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender, and telemetry client settings. Basic sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services.", + "title": "Printing over HTTP must be prevented.", + "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which\n allows the computer to print to printers on the intranet as well as the\n Internet.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The Security option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender, and telemetry client settings. 
Basic sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds>> Allow Telemetry to Enabled with 0 - Security [Enterprise\n Only] or 1 - Basic selected in Options." + "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which\n allows the computer to print to printers on the intranet as well as the\n Internet.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableHTTPPrinting\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> Turn off printing over HTTP to\n Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73551", - "rid": "SV-88215r1_rule", - "stig_id": "WN16-CC-000290", - "fix_id": "F-80001r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73529", + "rid": "SV-88181r1_rule", + "stig_id": "WN16-CC-000170", + "fix_id": "F-79971r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73551' do\n title 'Windows Telemetry must be configured to Security or Basic.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Limiting this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise. The Security option for Telemetry configures the\n lowest amount of data, effectively none outside of the Malicious Software\n Removal Tool (MSRT), Defender, and telemetry client settings. Basic sends\n basic diagnostic and usage data and may be required to support some Microsoft\n services.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73551'\n tag \"rid\": 'SV-88215r1_rule'\n tag \"stig_id\": 'WN16-CC-000290'\n tag \"fix_id\": 'F-80001r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection\\\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Data Collection and Preview\n Builds>> Allow Telemetry to Enabled with 0 - Security [Enterprise\n Only] or 1 - Basic selected in 
Options.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 1 }\n end\n end\nend\n", + "code": "control 'V-73529' do\n title 'Printing over HTTP must be prevented.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which\n allows the computer to print to printers on the intranet as well as the\n Internet.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73529'\n tag \"rid\": 'SV-88181r1_rule'\n tag \"stig_id\": 'WN16-CC-000170'\n tag \"fix_id\": 'F-79971r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableHTTPPrinting\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> Turn off printing over HTTP to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers') do\n it { should have_property 
'DisableHTTPPrinting' }\n its('DisableHTTPPrinting') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73551.rb", + "ref": "./Windows 2016 STIG/controls/V-73529.rb", "line": 1 }, - "id": "V-73551" + "id": "V-73529" }, { "title": "The default AutoRun behavior must be configured to prevent AutoRun\n commands.", 
@@ -7447,236 +7476,280 @@ "id": "V-73547" }, { - "title": "Printing over HTTP must be prevented.", - "desc": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which\n allows the computer to print to printers on the intranet as well as the\n Internet.", + "title": "The Allow log on locally user right must only be assigned to the\n Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on locally user right can log on\n interactively to a system.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which\n allows the computer to print to printers on the intranet as well as the\n Internet.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableHTTPPrinting\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> Turn off printing over HTTP to\n Enabled." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on locally user right can log on\n interactively to a system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Allow log\n on locally user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Allow log on locally to include only the following accounts or groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73529", - "rid": "SV-88181r1_rule", - "stig_id": "WN16-CC-000170", - "fix_id": "F-79971r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73739", + "rid": "SV-88403r1_rule", + "stig_id": "WN16-UR-000050", + "fix_id": "F-80189r1_fix", "cci": [ - "CCI-000381" + "CCI-000213" ], "nist": [ - "CM-7 a", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73529' do\n title 'Printing over HTTP must be prevented.'\n desc \"Some features may communicate with the vendor, sending system\n information or downloading data or components for the feature. 
Turning off this\n capability will prevent potentially sensitive information from being sent\n outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which\n allows the computer to print to printers on the intranet as well as the\n Internet.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73529'\n tag \"rid\": 'SV-88181r1_rule'\n tag \"stig_id\": 'WN16-CC-000170'\n tag \"fix_id\": 'F-79971r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableHTTPPrinting\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Internet Communication Management >>\n Internet Communication settings >> Turn off printing over HTTP to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers') do\n it { should have_property 'DisableHTTPPrinting' }\n its('DisableHTTPPrinting') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73739' do\n title \"The Allow log on locally user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on locally user right can log on\n interactively to a system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73739'\n tag \"rid\": 'SV-88403r1_rule'\n tag \"stig_id\": 'WN16-UR-000050'\n tag \"fix_id\": 'F-80189r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 
'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Allow log\n on locally user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Allow log on locally to include only the following accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeInteractiveLogonRight') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeInteractiveLogonRight') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73529.rb", + "ref": "./Windows 2016 STIG/controls/V-73739.rb", "line": 1 }, - "id": "V-73529" + "id": "V-73739" }, { - "title": "Windows Server 2016 must be configured to audit DS Access - Directory\n Service Changes failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.", + "title": "Automatically signing in the last interactive user after a\n system-initiated restart must be disabled.", + "desc": "Windows can be configured to automatically sign the user back in after\n a Windows Update restart. Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Changes with Failure\n selected." + "default": "Windows can be configured to automatically sign the user back in after\n a Windows Update restart. Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.", + "check": "Verify the registry value below. If it does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Logon Options >>\n Sign-in last interactive user automatically after a system-initiated\n restart to Disabled." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73441", - "rid": "SV-88093r1_rule", - "stig_id": "WN16-DC-000270", - "fix_id": "F-79883r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-73589", + "rid": "SV-88253r1_rule", + "stig_id": "WN16-CC-000480", + "fix_id": "F-80039r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000366" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73441' do\n title \"Windows Server 2016 must be configured to audit DS Access - Directory\n Service Changes failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73441'\n tag \"rid\": 'SV-88093r1_rule'\n tag \"stig_id\": 'WN16-DC-000270'\n tag \"fix_id\": 'F-79883r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Changes with Failure\n selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Changes'\") do\n its('stdout') { should match /Directory Service Changes Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Changes'\") do\n its('stdout') { should match /Directory Service Changes Success and Failure/ }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73589' do\n title 
\"Automatically signing in the last interactive user after a\n system-initiated restart must be disabled.\"\n desc \"Windows can be configured to automatically sign the user back in after\n a Windows Update restart. Some protections are in place to help ensure this is\n done in a secure fashion; however, disabling this will prevent the caching of\n credentials for this purpose and also ensure the user is aware of the restart.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00229'\n tag \"gid\": 'V-73589'\n tag \"rid\": 'SV-88253r1_rule'\n tag \"stig_id\": 'WN16-CC-000480'\n tag \"fix_id\": 'F-80039r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the registry value below. If it does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Logon Options >>\n Sign-in last interactive user automatically after a system-initiated\n restart to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'DisableAutomaticRestartSignOn' }\n its('DisableAutomaticRestartSignOn') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73441.rb", + "ref": "./Windows 2016 STIG/controls/V-73589.rb", "line": 1 }, - "id": "V-73441" + "id": "V-73589" }, { - "title": "PowerShell script block logging must be enabled.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that 
have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. This can provide\n additional detail when malware has run on a system.", + "title": "Windows Server 2016 must be configured to require case insensitivity\n for non-Windows subsystems.", + "desc": "This setting controls the behavior of non-Windows subsystems when\n dealing with the case of arguments or commands. Case sensitivity could lead to\n the access of files or commands that must be restricted. To prevent this from\n happening, case insensitivity restrictions must be required.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. 
This can provide\n additional detail when malware has run on a system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\\n Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows PowerShell >> Turn\n on PowerShell Script Block Logging to Enabled." + "default": "This setting controls the behavior of non-Windows subsystems when\n dealing with the case of arguments or commands. Case sensitivity could lead to\n the access of files or commands that must be restricted. To prevent this from\n happening, case insensitivity restrictions must be required.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\\n\n Value Name: ObCaseInsensitive\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n objects: Require case insensitivity for non-Windows subsystems to\n Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000042-GPOS-00020", - "gid": "V-73591", - "rid": "SV-88255r1_rule", - "stig_id": "WN16-CC-000490", - "fix_id": "F-80041r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73703", + "rid": "SV-88367r1_rule", + "stig_id": "WN16-SO-000440", + "fix_id": "F-80153r1_fix", "cci": [ - "CCI-000135" + "CCI-000366" ], "nist": [ - "AU-3 (1)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73591' do\n title 'PowerShell script block logging must be enabled.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\n from the processing of PowerShell commands and scripts. 
This can provide\n additional detail when malware has run on a system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000042-GPOS-00020'\n tag \"gid\": 'V-73591'\n tag \"rid\": 'SV-88255r1_rule'\n tag \"stig_id\": 'WN16-CC-000490'\n tag \"fix_id\": 'F-80041r1_fix'\n tag \"cci\": ['CCI-000135']\n tag \"nist\": ['AU-3 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\\n Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows PowerShell >> Turn\n on PowerShell Script Block Logging to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging') do\n it { should have_property 'EnableScriptBlockLogging' }\n its('EnableScriptBlockLogging') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73703' do\n title \"Windows Server 2016 must be configured to require case insensitivity\n for non-Windows subsystems.\"\n desc \"This setting controls the behavior of non-Windows subsystems when\n dealing with the case of arguments or commands. Case sensitivity could lead to\n the access of files or commands that must be restricted. 
To prevent this from\n happening, case insensitivity restrictions must be required.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73703'\n tag \"rid\": 'SV-88367r1_rule'\n tag \"stig_id\": 'WN16-SO-000440'\n tag \"fix_id\": 'F-80153r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Kernel\\\\\n\n Value Name: ObCaseInsensitive\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n objects: Require case insensitivity for non-Windows subsystems to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Kernel') do\n it { should have_property 'ObCaseInsensitive' }\n its('ObCaseInsensitive') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73591.rb", + "ref": "./Windows 2016 STIG/controls/V-73703.rb", "line": 1 }, - "id": "V-73591" + "id": "V-73703" }, { - "title": "Local accounts with blank passwords must be restricted to prevent\n access from the network.", - "desc": "An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should prevent\n accounts with blank passwords from existing on a system. 
However, if a local\n account with a blank password does exist, enabling this setting will prevent\n network access, limiting the account to local console logon only.", + "title": "The Kerberos policy user ticket renewal maximum lifetime must be\n limited to seven days or less.", + "desc": "This setting determines the period of time (in days) during which a\n user's Ticket Granting Ticket (TGT) may be renewed. This security configuration\n limits the amount of time an attacker has to crack the TGT and gain access.", "descriptions": { - "default": "An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should prevent\n accounts with blank passwords from existing on a system. However, if a local\n account with a blank password does exist, enabling this setting will prevent\n network access, limiting the account to local console logon only.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Limit local account use of blank passwords to console logon only\n to Enabled." + "default": "This setting determines the period of time (in days) during which a\n user's Ticket Granting Ticket (TGT) may be renewed. This security configuration\n limits the amount of time an attacker has to crack the TGT and gain access.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Maximum lifetime for user ticket renewal is greater than 7 days,\n this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for user ticket\n renewal to a maximum of 7 days or less." }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73621", - "rid": "SV-88285r1_rule", - "stig_id": "WN16-SO-000020", - "fix_id": "F-80071r1_fix", + "gtitle": "SRG-OS-000112-GPOS-00057", + "satisfies": [ + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" + ], + "gid": "V-73365", + "rid": "SV-88017r1_rule", + "stig_id": "WN16-DC-000050", + "fix_id": "F-79807r1_fix", "cci": [ - "CCI-000366" + "CCI-001941", + "CCI-001942" ], "nist": [ - "CM-6 b", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73621' do\n title \"Local accounts with blank passwords must be restricted to prevent\n access from the network.\"\n desc \"An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should prevent\n accounts with blank passwords from existing on a system. 
However, if a local\n account with a blank password does exist, enabling this setting will prevent\n network access, limiting the account to local console logon only.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73621'\n tag \"rid\": 'SV-88285r1_rule'\n tag \"stig_id\": 'WN16-SO-000020'\n tag \"fix_id\": 'F-80071r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Limit local account use of blank passwords to console logon only\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentcontrolSet\\\\Control\\\\Lsa') do\n it { should have_property 'LimitBlankPasswordUse' }\n its('LimitBlankPasswordUse') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73365' do\n title \"The Kerberos policy user ticket renewal maximum lifetime must be\n limited to seven days or less.\"\n desc \"This setting determines the period of time (in days) during which a\n user's Ticket Granting Ticket (TGT) may be renewed. 
This security configuration\n limits the amount of time an attacker has to crack the TGT and gain access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73365'\n tag \"rid\": 'SV-88017r1_rule'\n tag \"stig_id\": 'WN16-DC-000050'\n tag \"fix_id\": 'F-79807r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Maximum lifetime for user ticket renewal is greater than 7 days,\n this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for user ticket\n renewal to a maximum of 7 days or less.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxRenewAge') { should be <= 7 }\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 
STIG/controls/V-73621.rb", + "ref": "./Windows 2016 STIG/controls/V-73365.rb", "line": 1 }, - "id": "V-73621" + "id": "V-73365" }, { - "title": "The minimum password length must be configured to 14 characters.", - "desc": "Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.", + "title": "Shared user accounts must not be permitted on the system.", + "desc": "Shared accounts (accounts where two or more people log on with the\n same user identification) do not provide adequate identification and\n authentication. There is no way to provide for non repudiation or individual\n accountability for system access and resource usage.", "descriptions": { - "default": "Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Minimum password length, is less than 14\n characters, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Minimum password length to 14 characters." + "default": "Shared accounts (accounts where two or more people log on with the\n same user identification) do not provide adequate identification and\n authentication. 
There is no way to provide for non repudiation or individual\n accountability for system access and resource usage.", + "check": "Determine whether any shared accounts exist. If no shared\n accounts exist, this is NA.\n\n Shared accounts, such as required by an application, may be approved by the\n organization. This must be documented with the ISSO. Documentation must\n include the reason for the account, who has access to the account, and how the\n risk of using the shared account is mitigated to include monitoring account\n activity.\n\n If unapproved shared accounts exist, this is a finding.", + "fix": "Remove unapproved shared accounts from the system.\n\n Document required shared accounts with the ISSO. Documentation must include the\n reason for the account, who has access to the account, and how the risk of\n using the shared account is mitigated to include monitoring account activity." + }, + "impact": 0, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000104-GPOS-00051", + "gid": "V-73233", + "rid": "SV-87885r2_rule", + "stig_id": "WN16-00-000080", + "fix_id": "F-86117r1_fix", + "cci": [ + "CCI-000764" + ], + "nist": [ + "IA-2", + "Rev_4" + ], + "documentable": false + }, + "code": "control 'V-73233' do\n title 'Shared user accounts must not be permitted on the system.'\n desc \"Shared accounts (accounts where two or more people log on with the\n same user identification) do not provide adequate identification and\n authentication. There is no way to provide for non repudiation or individual\n accountability for system access and resource usage.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000104-GPOS-00051'\n tag \"gid\": 'V-73233'\n tag \"rid\": 'SV-87885r2_rule'\n tag \"stig_id\": 'WN16-00-000080'\n tag \"fix_id\": 'F-86117r1_fix'\n tag \"cci\": ['CCI-000764']\n tag \"nist\": ['IA-2', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine whether any shared accounts exist. 
If no shared\n accounts exist, this is NA.\n\n Shared accounts, such as required by an application, may be approved by the\n organization. This must be documented with the ISSO. Documentation must\n include the reason for the account, who has access to the account, and how the\n risk of using the shared account is mitigated to include monitoring account\n activity.\n\n If unapproved shared accounts exist, this is a finding.\"\n desc \"fix\", \"Remove unapproved shared accounts from the system.\n\n Document required shared accounts with the ISSO. Documentation must include the\n reason for the account, who has access to the account, and how the risk of\n using the shared account is mitigated to include monitoring account activity.\"\n get_accounts = command(\"net user | Findstr /v 'command -- accounts'\").stdout.strip.split(' ')\n shared_accounts = attribute('shared_accounts')\n\n if shared_accounts.empty?\n impact 0.0\n describe 'This system does not have any shared accounts, therefore this control is not applicable' do\n skip 'This system does not have any shared accounts, therefore this control is not applicable'\n end\n else\n get_accounts.each do |user|\n describe user do\n it { should_not be_in shared_accounts }\n end\n end\n end\nend\n", + "source_location": { + "ref": "./Windows 2016 STIG/controls/V-73233.rb", + "line": 1 + }, + "id": "V-73233" + }, + { + "title": "Simple TCP/IP Services must not be installed.", + "desc": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", + "descriptions": { + "default": "Unnecessary services increase the attack surface of a system. 
Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", + "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Simple-TCPIP.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", + "fix": "Uninstall the Simple TCP/IP Services feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Simple TCP/IP Services on the Features page.\n\n Click Next and Remove as prompted." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000078-GPOS-00046", - "gid": "V-73321", - "rid": "SV-87973r1_rule", - "stig_id": "WN16-AC-000070", - "fix_id": "F-79763r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73293", + "rid": "SV-87945r1_rule", + "stig_id": "WN16-00-000380", + "fix_id": "F-79735r1_fix", "cci": [ - "CCI-000205" + "CCI-000381" ], "nist": [ - "IA-5 (1) (a)", + "CM-7", "Rev_4" ], "documentable": false }, - "code": "control 'V-73321' do\n title 'The minimum password length must be configured to 14 characters.'\n desc \"Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000078-GPOS-00046'\n tag \"gid\": 'V-73321'\n tag \"rid\": 'SV-87973r1_rule'\n tag \"stig_id\": 'WN16-AC-000070'\n tag \"fix_id\": 'F-79763r1_fix'\n tag \"cci\": ['CCI-000205']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run 
gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Minimum password length, is less than 14\n characters, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Minimum password length to 14 characters.\"\n describe security_policy do\n its('MinimumPasswordLength') { should be >= 14 }\n end\nend\n", + "code": "control 'V-73293' do\n title 'Simple TCP/IP Services must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73293'\n tag \"rid\": 'SV-87945r1_rule'\n tag \"stig_id\": 'WN16-00-000380'\n tag \"fix_id\": 'F-79735r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq Simple-TCPIP.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Simple TCP/IP Services feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Simple TCP/IP Services on the Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('Simple-TCPIP') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73321.rb", + "ref": "./Windows 2016 
STIG/controls/V-73293.rb", "line": 1 }, - "id": "V-73321" + "id": "V-73293" }, { - "title": "Domain controllers must be configured to allow reset of machine\n account passwords.", - "desc": "Enabling this setting on all domain controllers in a domain prevents\n domain members from changing their computer account passwords. If these\n passwords are weak or compromised, the inability to change them may leave these\n computers vulnerable.", + "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Logon\n successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", "descriptions": { - "default": "Enabling this setting on all domain controllers in a domain prevents\n domain members from changing their computer account passwords. If these\n passwords are weak or compromised, the inability to change them may leave these\n computers vulnerable.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RefusePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n controller: Refuse machine account password changes to Disabled." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. 
If it is to a network share, it is recorded on the system\n accessed.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logon with Success selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73631", - "rid": "SV-88295r1_rule", - "stig_id": "WN16-DC-000330", - "fix_id": "F-80081r1_fix", + "gtitle": "SRG-OS-000032-GPOS-00013", + "satisfies": [ + "SRG-OS-000032-GPOS-00013", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000472-GPOS-00217", + "SRG-OS-000473-GPOS-00218", + "SRG-OS-000475-GPOS-00220" + ], + "gid": "V-73451", + "rid": "SV-88103r1_rule", + "stig_id": "WN16-AU-000260", + "fix_id": "F-79893r1_fix", "cci": [ - "CCI-000366" + "CCI-000067", + "CCI-000172" ], "nist": [ - "CM-6 b", + "AC-17 (1)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73631' do\n title \"Domain controllers must be configured to allow reset of machine\n account passwords.\"\n desc \"Enabling this setting on all domain controllers in a domain prevents\n domain members from changing their computer account passwords. 
If these\n passwords are weak or compromised, the inability to change them may leave these\n computers vulnerable.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73631'\n tag \"rid\": 'SV-88295r1_rule'\n tag \"stig_id\": 'WN16-DC-000330'\n tag \"fix_id\": 'F-80081r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RefusePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Domain\n controller: Refuse machine account password changes to Disabled.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RefusePasswordChange' }\n its('RefusePasswordChange') { should cmp 0 }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73451' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Logon\n successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, 
troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000032-GPOS-00013'\n tag \"satisfies\": ['SRG-OS-000032-GPOS-00013', 'SRG-OS-000470-GPOS-00214',\n 'SRG-OS-000472-GPOS-00217', 'SRG-OS-000473-GPOS-00218',\n 'SRG-OS-000475-GPOS-00220']\n tag \"gid\": 'V-73451'\n tag \"rid\": 'SV-88103r1_rule'\n tag \"stig_id\": 'WN16-AU-000260'\n tag \"fix_id\": 'F-79893r1_fix'\n tag \"cci\": ['CCI-000067', 'CCI-000172']\n tag \"nist\": ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logon with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' 
}\n end\n describe command(\"AuditPol /get /subcategory:Logon | Findstr /c:'Logon' | Findstr /v 'Logoff'\") do\n its('stdout') { should match /\\s+Logon Success/ }\n end\n describe command(\"AuditPol /get /subcategory:Logon | Findstr /c:'Logon' | Findstr /v 'Logoff'\") do\n its('stdout') { should match /\\s+Logon Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73631.rb", + "ref": "./Windows 2016 STIG/controls/V-73451.rb", "line": 1 }, - "id": "V-73631" + "id": "V-73451" }, { - "title": "Windows Server 2016 must, at a minimum, off-load audit records of\n interconnected systems in real time and off-load standalone systems weekly.", - "desc": "Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.", + "title": "The Windows Remote Management (WinRM) client must not allow\n unencrypted traffic.", + "desc": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. Windows remote management connections must be encrypted to\n prevent this.", "descriptions": { - "default": "Protection of log data includes assuring the log data is not\n accidentally lost or deleted. Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.", - "check": "Verify the audit records, at a minimum, are off-loaded for\n interconnected systems in real time and off-loaded for standalone systems\n weekly.\n\n If they are not, this is a finding.", - "fix": "Configure the system to, at a minimum, off-load audit records of\n interconnected systems in real time and off-load standalone systems weekly." + "default": "Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Allow unencrypted traffic to Disabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000479-GPOS-00224", - "gid": "V-73403", - "rid": "SV-88055r1_rule", - "stig_id": "WN16-AU-000020", - "fix_id": "F-79845r1_fix", + "gtitle": "SRG-OS-000393-GPOS-00173", + "satisfies": [ + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174" + ], + "gid": "V-73595", + "rid": "SV-88259r1_rule", + "stig_id": "WN16-CC-000510", + "fix_id": "F-80045r1_fix", "cci": [ - "CCI-001851" + "CCI-002890", + "CCI-003123" ], "nist": [ - "AU-4 (1)", + "MA-4 (6)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73403' do\n title \"Windows Server 2016 must, at a minimum, off-load audit records of\n interconnected systems in real time and off-load standalone systems weekly.\"\n desc \"Protection of log data includes assuring the log data is not\n accidentally lost or deleted. 
Audit information stored in one location is\n vulnerable to accidental or incidental deletion or alteration.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000479-GPOS-00224'\n tag \"gid\": 'V-73403'\n tag \"rid\": 'SV-88055r1_rule'\n tag \"stig_id\": 'WN16-AU-000020'\n tag \"fix_id\": 'F-79845r1_fix'\n tag \"cci\": ['CCI-001851']\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the audit records, at a minimum, are off-loaded for\n interconnected systems in real time and off-loaded for standalone systems\n weekly.\n\n If they are not, this is a finding.\"\n desc \"fix\", \"Configure the system to, at a minimum, off-load audit records of\n interconnected systems in real time and off-load standalone systems weekly.\"\n describe \"A manual review is required to verify the operating system is, at a minimum, off-loading audit records of\n interconnected systems in real time and off-loading standalone systems weekly\" do\n skip \"A manual review is required to verify the operating system is, at a minimum, off-loading audit records of\n interconnected systems in real time and off-loading standalone systems weekly\"\n end\nend\n", + "code": "control 'V-73595' do\n title \"The Windows Remote Management (WinRM) client must not allow\n unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information\n to be compromised. 
Windows remote management connections must be encrypted to\n prevent this.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000393-GPOS-00173'\n tag \"satisfies\": ['SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174']\n tag \"gid\": 'V-73595'\n tag \"rid\": 'SV-88259r1_rule'\n tag \"stig_id\": 'WN16-CC-000510'\n tag \"fix_id\": 'F-80045r1_fix'\n tag \"cci\": ['CCI-002890', 'CCI-003123']\n tag \"nist\": ['MA-4 (6)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> Windows Remote Management\n (WinRM) >> WinRM Client >> Allow unencrypted traffic to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73403.rb", + "ref": "./Windows 2016 STIG/controls/V-73595.rb", "line": 1 }, - "id": "V-73403" + "id": "V-73595" }, { "title": "WDigest Authentication must be disabled.", 
@@ -7711,159 +7784,117 @@ "id": "V-73497" }, { - "title": "The computer clock synchronization tolerance must be limited to 5\n minutes or less.", - "desc": "This setting determines the maximum time difference (in minutes) that\n Kerberos will tolerate between the time on a client's clock and the time on a\n server's clock while still considering the two clocks synchronous. In order to\n prevent replay attacks, Kerberos uses timestamps as part of its protocol\n definition. For timestamps to work properly, the clocks of the client and the\n server need to be in sync as much as possible.", - "descriptions": { - "default": "This setting determines the maximum time difference (in minutes) that\n Kerberos will tolerate between the time on a client's clock and the time on a\n server's clock while still considering the two clocks synchronous. In order to\n prevent replay attacks, Kerberos uses timestamps as part of its protocol\n definition. For timestamps to work properly, the clocks of the client and the\n server need to be in sync as much as possible.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Maximum tolerance for computer clock synchronization is greater than\n 5 minutes, this is a finding.", - "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Windows Settings >> Security Settings >> Account\n Policies >> Kerberos Policy >> Maximum tolerance for computer clock\n synchronization to a maximum of 5 minutes or less." 
- }, - "impact": 0, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000112-GPOS-00057", - "satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" - ], - "gid": "V-73367", - "rid": "SV-88019r1_rule", - "stig_id": "WN16-DC-000060", - "fix_id": "F-79809r1_fix", - "cci": [ - "CCI-001941", - "CCI-001942" - ], - "nist": [ - "IA-2 (8)", - "IA-2 (9)", - "Rev_4" - ], - "documentable": false - }, - "code": "control 'V-73367' do\n title \"The computer clock synchronization tolerance must be limited to 5\n minutes or less.\"\n desc \"This setting determines the maximum time difference (in minutes) that\n Kerberos will tolerate between the time on a client's clock and the time on a\n server's clock while still considering the two clocks synchronous. In order to\n prevent replay attacks, Kerberos uses timestamps as part of its protocol\n definition. For timestamps to work properly, the clocks of the client and the\n server need to be in sync as much as possible.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73367'\n tag \"rid\": 'SV-88019r1_rule'\n tag \"stig_id\": 'WN16-DC-000060'\n tag \"fix_id\": 'F-79809r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the Maximum tolerance for computer clock synchronization is greater than\n 5 minutes, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Windows Settings >> Security Settings >> Account\n Policies >> Kerberos Policy >> Maximum tolerance for computer clock\n synchronization to a maximum of 5 minutes or less.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxClockSkew') { should be <= 5 }\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", - "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73367.rb", - "line": 1 - }, - "id": "V-73367" - }, - { - "title": "Software certificate installation files must be removed from Windows\n Server 2016.", - "desc": "Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.", + "title": "The display of slide shows on the lock screen must be disabled.", + "desc": "Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized 
personnel. Turning off this feature will\n limit access to the information to a logged-on user.", "descriptions": { - "default": "Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.", - "check": "Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement for\n certificate files. Some applications create files with extensions of .p12 that\n are not certificate installation files. Removal of non-certificate installation\n files from systems is not required. These must be documented with the ISSO.", - "fix": "Remove any certificate installation files (*.p12 and *.pfx) found\n on a system.\n\n This does not apply to server-based applications that have a requirement for\n certificate files." + "default": "Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. Turning off this feature will\n limit access to the information to a logged-on user.", + "check": "Verify the registry value below.\n\n If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Prevent\n enabling lock screen slide show to Enabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73271", - "rid": "SV-87923r1_rule", - "stig_id": "WN16-00-000270", - "fix_id": "F-79715r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73493", + "rid": "SV-88145r1_rule", + "stig_id": "WN16-CC-000010", + "fix_id": "F-79935r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73271' do\n title \"Software certificate installation files must be removed from Windows\n Server 2016.\"\n desc \"Use of software certificates and their accompanying installation files\n for end users to access resources is less secure than the use of hardware-based\n certificates.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73271'\n tag \"rid\": 'SV-87923r1_rule'\n tag \"stig_id\": 'WN16-00-000270'\n tag \"fix_id\": 'F-79715r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement for\n certificate files. Some applications create files with extensions of .p12 that\n are not certificate installation files. Removal of non-certificate installation\n files from systems is not required. 
These must be documented with the ISSO.\"\n desc \"fix\", \"Remove any certificate installation files (*.p12 and *.pfx) found\n on a system.\n\n This does not apply to server-based applications that have a requirement for\n certificate files.\"\n\n where_cmd = command('where /R c: *.p12 *.pfx').stdout\n describe \"Software certificate installation files found on this system\" do\n subject { where_cmd }\n it { should eq '' }\n end\nend\n", + "code": "control 'V-73493' do\n title 'The display of slide shows on the lock screen must be disabled.'\n desc \"Slide shows that are displayed on the lock screen could display\n sensitive information to unauthorized personnel. Turning off this feature will\n limit access to the information to a logged-on user.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73493'\n tag \"rid\": 'SV-88145r1_rule'\n tag \"stig_id\": 'WN16-CC-000010'\n tag \"fix_id\": 'F-79935r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the registry value below.\n\n If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization\\\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Control Panel >> Personalization >> Prevent\n enabling lock screen slide show to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization') do\n it { should have_property 'NoLockScreenSlideshow' }\n its('NoLockScreenSlideshow') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73271.rb", + "ref": "./Windows 2016 STIG/controls/V-73493.rb", "line": 1 }, - "id": "V-73271" + "id": "V-73493" }, { 
- "title": "Windows Server 2016 must be configured to prevent the storage of\n passwords and credentials.", - "desc": "This setting controls the storage of passwords and credentials for\n network authentication on the local system. Such credentials must not be stored\n on the local machine, as that may lead to account compromise.", + "title": "Domain controllers must have a PKI server certificate.", + "desc": "Domain controllers are part of the chain of trust for PKI\n authentications. Without the appropriate certificate, the authenticity of the\n domain controller cannot be verified. Domain controllers must have a server\n certificate to establish authenticity as part of PKI authentications in the\n domain.", "descriptions": { - "default": "This setting controls the storage of passwords and credentials for\n network authentication on the local system. Such credentials must not be stored\n on the local machine, as that may lead to account compromise.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: DisableDomainCreds\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow storage of passwords and credentials for network\n authentication to Enabled." + "default": "Domain controllers are part of the chain of trust for PKI\n authentications. Without the appropriate certificate, the authenticity of the\n domain controller cannot be verified. Domain controllers must have a server\n certificate to establish authenticity as part of PKI authentications in the\n domain.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Run MMC.\n\n Select Add/Remove Snap-in from the File menu.\n\n Select Certificates in the left pane and click the Add > button.\n\n Select Computer Account and click Next.\n\n Select the appropriate option for Select the computer you want this snap-in\n to manage and click Finish.\n\n Click OK.\n\n Select and expand the Certificates (Local Computer) entry in the left pane.\n\n Select and expand the Personal entry in the left pane.\n\n Select the Certificates entry in the left pane.\n\n If no certificate for the domain controller exists in the right pane, this is a\n finding.", + "fix": "Obtain a server certificate for the domain controller." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-73671", - "rid": "SV-88335r1_rule", - "stig_id": "WN16-SO-000280", - "fix_id": "F-80121r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "gid": "V-73611", + "rid": "SV-88275r1_rule", + "stig_id": "WN16-DC-000280", + "fix_id": "F-80061r1_fix", "cci": [ - "CCI-002038" + "CCI-000185" ], "nist": [ - "IA-11", + "IA-5 (2) (a)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73671' do\n title \"Windows Server 2016 must be configured to prevent the storage of\n passwords and credentials.\"\n desc \"This setting controls the storage of passwords and credentials for\n network authentication on the local system. 
Such credentials must not be stored\n on the local machine, as that may lead to account compromise.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73671'\n tag \"rid\": 'SV-88335r1_rule'\n tag \"stig_id\": 'WN16-SO-000280'\n tag \"fix_id\": 'F-80121r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: DisableDomainCreds\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Do not allow storage of passwords and credentials for network\n authentication to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'DisableDomainCreds' }\n its('DisableDomainCreds') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73611' do\n title 'Domain controllers must have a PKI server certificate.'\n desc \"Domain controllers are part of the chain of trust for PKI\n authentications. Without the appropriate certificate, the authenticity of the\n domain controller cannot be verified. 
Domain controllers must have a server\n certificate to establish authenticity as part of PKI authentications in the\n domain.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"gid\": 'V-73611'\n tag \"rid\": 'SV-88275r1_rule'\n tag \"stig_id\": 'WN16-DC-000280'\n tag \"fix_id\": 'F-80061r1_fix'\n tag \"cci\": ['CCI-000185']\n tag \"nist\": ['IA-5 (2) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Run MMC.\n\n Select Add/Remove Snap-in from the File menu.\n\n Select Certificates in the left pane and click the Add > button.\n\n Select Computer Account and click Next.\n\n Select the appropriate option for Select the computer you want this snap-in\n to manage and click Finish.\n\n Click OK.\n\n Select and expand the Certificates (Local Computer) entry in the left pane.\n\n Select and expand the Personal entry in the left pane.\n\n Select the Certificates entry in the left pane.\n\n If no certificate for the domain controller exists in the right pane, this is a\n finding.\"\n desc \"fix\", 'Obtain a server certificate for the domain controller.'\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n certs = command(\"Get-ChildItem -Path Cert:\\\\LocalMachine\\\\My | ConvertTo-JSON\").stdout\n describe \"The domain controller's server certificate\" do\n subject { certs }\n it { should_not cmp '' }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73671.rb", + "ref": "./Windows 2016 
STIG/controls/V-73611.rb", "line": 1 }, - "id": "V-73671" + "id": "V-73611" }, { - "title": "The Peer Name Resolution Protocol must not be installed.", - "desc": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", + "title": "Windows Server 2016 must be configured to audit Account Logon -\n Credential Validation successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.", - "check": "Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq PNRP.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.", - "fix": "Uninstall the Peer Name Resolution Protocol feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Peer Name Resolution Protoco on the Features page.\n\n Click Next and Remove as prompted." 
+ "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Success", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> Audit Credential Validation with\n Success selected." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73291", - "rid": "SV-87943r1_rule", - "stig_id": "WN16-00-000370", - "fix_id": "F-80269r1_fix", + "gtitle": "SRG-OS-000470-GPOS-00214", + "gid": "V-73413", + "rid": "SV-88065r1_rule", + "stig_id": "WN16-AU-000070", + "fix_id": "F-79855r1_fix", "cci": [ - "CCI-000381" + "CCI-000172" ], "nist": [ - "CM-7", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73291' do\n title 'The Peer Name Resolution Protocol must not be installed.'\n desc \"Unnecessary services increase the attack surface of a system. Some of\n these services may not support required levels of authentication or encryption\n or may provide unauthorized access to the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73291'\n tag \"rid\": 'SV-87943r1_rule'\n tag \"stig_id\": 'WN16-00-000370'\n tag \"fix_id\": 'F-80269r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Open PowerShell.\n\n Enter Get-WindowsFeature | Where Name -eq PNRP.\n\n If Installed State is Installed, this is a finding.\n\n An Installed State of Available or Removed is not a finding.\"\n desc \"fix\", \"Uninstall the Peer Name Resolution Protocol feature.\n\n Start Server Manager.\n\n Select the server with the feature.\n\n Scroll down to ROLES AND FEATURES in the right pane.\n\n Select Remove Roles and Features from the drop-down TASKS list.\n\n Select the appropriate server on the Server Selection page and click\n Next.\n\n Deselect Peer Name Resolution Protoco on the Features page.\n\n Click Next and Remove as prompted.\"\n describe windows_feature('PNRP') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'V-73413' do\n title \"Windows Server 2016 must be configured to audit Account Logon -\n Credential Validation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help 
identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000470-GPOS-00214'\n tag \"gid\": 'V-73413'\n tag \"rid\": 'SV-88065r1_rule'\n tag \"stig_id\": 'WN16-AU-000070'\n tag \"fix_id\": 'F-79855r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> Audit Credential Validation with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Credential Validation'\") do\n its('stdout') { should match /Credential Validation 
Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Credential Validation'\") do\n its('stdout') { should match /Credential Validation Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73291.rb", + "ref": "./Windows 2016 STIG/controls/V-73413.rb", "line": 1 }, - "id": "V-73291" + "id": "V-73413" }, { - "title": "Users must be prompted to authenticate when the system wakes from\n sleep (plugged in).", - "desc": "A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (plugged in).", + "title": "Local accounts with blank passwords must be restricted to prevent\n access from the network.", + "desc": "An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should prevent\n accounts with blank passwords from existing on a system. However, if a local\n account with a blank password does exist, enabling this setting will prevent\n network access, limiting the account to local console logon only.", "descriptions": { - "default": "A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. 
This setting ensures users are prompted for a\n password when the system wakes from sleep (plugged in).", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: ACSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n Require a password when a computer wakes (plugged in) to Enabled." + "default": "An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should prevent\n accounts with blank passwords from existing on a system. However, if a local\n account with a blank password does exist, enabling this setting will prevent\n network access, limiting the account to local console logon only.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Limit local account use of blank passwords to console logon only\n to Enabled." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73539", - "rid": "SV-88201r1_rule", - "stig_id": "WN16-CC-000220", - "fix_id": "F-79981r1_fix", + "gid": "V-73621", + "rid": "SV-88285r1_rule", + "stig_id": "WN16-SO-000020", + "fix_id": "F-80071r1_fix", "cci": [ "CCI-000366" ], 
@@ -7873,563 +7904,570 @@ ], "documentable": false }, - "code": "control 'V-73539' do\n title \"Users must be prompted to authenticate when the system wakes from\n sleep (plugged in).\"\n desc \"A system that does not require authentication when resuming from sleep\n may provide access to unauthorized users. Authentication must always be\n required when accessing a system. This setting ensures users are prompted for a\n password when the system wakes from sleep (plugged in).\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73539'\n tag \"rid\": 'SV-88201r1_rule'\n tag \"stig_id\": 'WN16-CC-000220'\n tag \"fix_id\": 'F-79981r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: ACSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Power Management >> Sleep Settings >>\n Require a password when a computer wakes (plugged in) to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'ACSettingIndex' }\n its('ACSettingIndex') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73621' do\n title \"Local accounts with blank passwords must be restricted to prevent\n access from the network.\"\n desc \"An account without a password can allow unauthorized access to a\n system as only the username would be required. Password policies should prevent\n accounts with blank passwords from existing on a system. 
However, if a local\n account with a blank password does exist, enabling this setting will prevent\n network access, limiting the account to local console logon only.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73621'\n tag \"rid\": 'SV-88285r1_rule'\n tag \"stig_id\": 'WN16-SO-000020'\n tag \"fix_id\": 'F-80071r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Limit local account use of blank passwords to console logon only\n to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentcontrolSet\\\\Control\\\\Lsa') do\n it { should have_property 'LimitBlankPasswordUse' }\n its('LimitBlankPasswordUse') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73539.rb", + "ref": "./Windows 2016 STIG/controls/V-73621.rb", "line": 1 }, - "id": "V-73539" + "id": "V-73621" }, { - "title": "Domain controllers must run on a machine dedicated to that function.", - "desc": "Executing application servers on the same host machine with a\n directory server may substantially weaken the security of the directory server.\n Web or database server applications usually require the addition of many\n programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing\n potential sources of compromise. 
Some applications (such as Microsoft Exchange)\n may require the use of network ports or services conflicting with the directory\n server. In this case, non-standard ports might be selected, and this could\n interfere with intrusion detection or prevention services.", + "title": "The Deny log on locally user right on domain controllers must be\n configured to prevent unauthenticated access.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", "descriptions": { - "default": "Executing application servers on the same host machine with a\n directory server may substantially weaken the security of the directory server.\n Web or database server applications usually require the addition of many\n programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing\n potential sources of compromise. Some applications (such as Microsoft Exchange)\n may require the use of network ports or services conflicting with the directory\n server. In this case, non-standard ports might be selected, and this could\n interfere with intrusion detection or prevention services.", - "check": "This applies to domain controllers, It is NA for other systems.\n\n Review the installed roles the domain controller is supporting.\n\n Start Server Manager.\n\n Select AD DS in the left pane and the server name under Servers to the\n right.\n\n Select Add (or Remove) Roles and Features from Tasks in the Roles and\n Features section. (Cancel before any changes are made.)\n\n Determine if any additional server roles are installed. 
A basic domain\n controller setup will include the following:\n\n - Active Directory Domain Services\n - DNS Server\n - File and Storage Services\n\n If any roles not requiring installation on a domain controller are installed,\n this is a finding.\n\n A Domain Name System (DNS) server integrated with the directory server (e.g.,\n AD-integrated DNS) is an acceptable application. However, the DNS server must\n comply with the DNS STIG security requirements.\n\n Run Programs and Features.\n\n Review installed applications.\n\n If any applications are installed that are not required for the domain\n controller, this is a finding.", - "fix": "Remove additional roles or applications such as web, database,\n and email from the domain controller." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "check": "This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n locally user right, this is a finding.\n\n - Guests Group", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on locally to include the following:\n\n - Guests Group" }, "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73381", - "rid": "SV-88033r1_rule", - "stig_id": "WN16-DC-000130", - "fix_id": "F-79823r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73769", + "rid": "SV-88433r1_rule", + "stig_id": "WN16-DC-000400", + "fix_id": "F-80219r1_fix", "cci": [ - "CCI-000381" + "CCI-000213" ], "nist": [ - "CM-7", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73381' do\n title 'Domain controllers must run on a machine dedicated to that function.'\n desc \"Executing application servers on the same host machine with a\n directory server may substantially weaken the security of the directory server.\n Web or database server applications usually require the addition of many\n programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing\n potential sources of compromise. Some applications (such as Microsoft Exchange)\n may require the use of network ports or services conflicting with the directory\n server. 
In this case, non-standard ports might be selected, and this could\n interfere with intrusion detection or prevention services.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73381'\n tag \"rid\": 'SV-88033r1_rule'\n tag \"stig_id\": 'WN16-DC-000130'\n tag \"fix_id\": 'F-79823r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers, It is NA for other systems.\n\n Review the installed roles the domain controller is supporting.\n\n Start Server Manager.\n\n Select AD DS in the left pane and the server name under Servers to the\n right.\n\n Select Add (or Remove) Roles and Features from Tasks in the Roles and\n Features section. (Cancel before any changes are made.)\n\n Determine if any additional server roles are installed. A basic domain\n controller setup will include the following:\n\n - Active Directory Domain Services\n - DNS Server\n - File and Storage Services\n\n If any roles not requiring installation on a domain controller are installed,\n this is a finding.\n\n A Domain Name System (DNS) server integrated with the directory server (e.g.,\n AD-integrated DNS) is an acceptable application. 
However, the DNS server must\n comply with the DNS STIG security requirements.\n\n Run Programs and Features.\n\n Review installed applications.\n\n If any applications are installed that are not required for the domain\n controller, this is a finding.\"\n desc \"fix\", \"Remove additional roles or applications such as web, database,\n and email from the domain controller.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n role_list = [\n \"Active Directory Domain Services\",\n \"DNS Server\",\n \"File and Storage Services\"\n ]\n roles = json(command: \"Get-WindowsFeature | Where {($_.installstate -eq 'installed') -and ($_.featuretype -eq 'role')} | foreach { $_.DisplayName } | ConvertTo-JSON\").params\n describe \"The list of roles installed on the server\" do\n subject { roles }\n it { should be_in role_list }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73769' do\n title \"The Deny log on locally user right on domain controllers must be\n configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73769'\n tag \"rid\": 'SV-88433r1_rule'\n tag \"stig_id\": 'WN16-DC-000400'\n tag \"fix_id\": 'F-80219r1_fix'\n tag \"cci\": ['CCI-000213']\n tag 
\"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n locally user right, this is a finding.\n\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on locally to include the following:\n\n - Guests Group\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73381.rb", + "ref": "./Windows 2016 STIG/controls/V-73769.rb", "line": 1 }, - "id": "V-73381" + "id": "V-73769" }, { - "title": "The Back up files and directories user right must only be assigned to\n the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Back up files and directories user right can\n circumvent file and 
directory permissions and could allow access to sensitive\n data.", + "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Logon\n failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Back up files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Back up\n files and directories user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local 
Policies >> User Rights Assignment >>\n Back up files and directories to include only the following accounts or\n groups:\n\n - Administrators" - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73743", - "rid": "SV-88407r1_rule", - "stig_id": "WN16-UR-000070", - "fix_id": "F-80193r1_fix", + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. If it is to a network share, it is recorded on the system\n accessed.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logon with Failure selected." 
+ }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000032-GPOS-00013", + "satisfies": [ + "SRG-OS-000032-GPOS-00013", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000472-GPOS-00217", + "SRG-OS-000473-GPOS-00218", + "SRG-OS-000475-GPOS-00220" + ], + "gid": "V-73453", + "rid": "SV-88105r1_rule", + "stig_id": "WN16-AU-000270", + "fix_id": "F-79895r1_fix", "cci": [ - "CCI-002235" + "CCI-000067", + "CCI-000172" ], "nist": [ - "AC-6 (10)", + "AC-17 (1)", + "AU-12 c", "Rev_4" ], "documentable": false }, - "code": "control 'V-73743' do\n title \"The Back up files and directories user right must only be assigned to\n the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Back up files and directories user right can\n circumvent file and directory permissions and could allow access to sensitive\n data.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73743'\n tag \"rid\": 'SV-88407r1_rule'\n tag \"stig_id\": 'WN16-UR-000070'\n tag \"fix_id\": 'F-80193r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Back up\n files and directories user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n 
(WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Back up files and directories to include only the following accounts or\n groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeBackupPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeBackupPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73453' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Logon\n failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\n on the local system. 
If it is to a network share, it is recorded on the system\n accessed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000032-GPOS-00013'\n tag \"satisfies\": ['SRG-OS-000032-GPOS-00013', 'SRG-OS-000470-GPOS-00214',\n 'SRG-OS-000472-GPOS-00217', 'SRG-OS-000473-GPOS-00218',\n 'SRG-OS-000475-GPOS-00220']\n tag \"gid\": 'V-73453'\n tag \"rid\": 'SV-88105r1_rule'\n tag \"stig_id\": 'WN16-AU-000270'\n tag \"fix_id\": 'F-79895r1_fix'\n tag \"cci\": ['CCI-000067', 'CCI-000172']\n tag \"nist\": ['AC-17 (1)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Logon/Logoff >> Audit Logon with Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /subcategory:Logon | Findstr /c:'Logon' | Findstr /v 'Logoff'\") do\n its('stdout') { should match /\\s+Logon Failure/ }\n end\n describe command(\"AuditPol /get /subcategory:Logon | Findstr /c:'Logon' | Findstr /v 'Logoff'\") do\n its('stdout') { should match /\\s+Logon Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73743.rb", + "ref": "./Windows 2016 
STIG/controls/V-73453.rb", "line": 1 }, - "id": "V-73743" + "id": "V-73453" }, { - "title": "The Perform volume maintenance tasks user right must only be assigned\n to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Perform volume maintenance tasks user right can\n manage volume and disk configurations. This could be used to delete volumes,\n resulting in data loss or a denial of service.", + "title": "The US DoD CCEB Interoperability Root CA cross-certificates must be\n installed in the Untrusted Certificates Store on unclassified systems.", + "desc": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Perform volume maintenance tasks user right can\n manage volume and disk configurations. 
This could be used to delete volumes,\n resulting in data loss or a denial of service.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Perform\n volume maintenance tasks user right, this is a finding.\n\n - Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Perform volume maintenance tasks to include only the following accounts or\n groups:\n\n - Administrators" + "default": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", + "check": "This is applicable to unclassified systems. It is NA for others.\n\n Open PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where Issuer -Like *CCEB\n Interoperability* | FL Subject, Issuer, Thumbprint, NotAfter\n\n If the following certificate Subject, Issuer, and Thumbprint\n information is not displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n NotAfter: 3/9/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Untrusted Certificates >>\n Certificates.\n\n For each certificate with US DoD CCEB Interoperability Root CA … under\n Issued By:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the certificate below is not listed or the value for the Thumbprint\n field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: US DoD CCEB Interoperability Root CA 1\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n Valid to: Saturday, March 9, 2019\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019", + "fix": "Install the US DoD CCEB Interoperability Root CA\n cross-certificate on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 -\n DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 -\n 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n Administrators should run the Federal Bridge Certification Authority (FBCA)\n Cross-Certificate Removal Tool once as an administrator and once as the current\n user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73797", - "rid": "SV-88461r1_rule", - "stig_id": "WN16-UR-000280", - "fix_id": "F-80247r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "satisfies": [ + "SRG-OS-000066-GPOS-00034", + "SRG-OS-000403-GPOS-00182" + ], + "gid": "V-73609", + "rid": "SV-88273r2_rule", + "stig_id": "WN16-PK-000030", + "fix_id": "F-87315r1_fix", "cci": [ - "CCI-002235" + "CCI-000185", + "CCI-002470" ], "nist": [ - "AC-6 (10)", + "IA-5 (2) (a)", + "SC-23 (5)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73797' do\n title \"The Perform volume maintenance tasks user right must only be assigned\n to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Perform volume maintenance tasks user right can\n manage volume and disk configurations. This could be used to delete volumes,\n resulting in data loss or a denial of service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73797'\n tag \"rid\": 'SV-88461r1_rule'\n tag \"stig_id\": 'WN16-UR-000280'\n tag \"fix_id\": 'F-80247r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Perform\n volume maintenance tasks user right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Perform volume maintenance tasks to include only the following accounts or\n groups:\n\n - 
Administrators\"\n describe.one do\n describe security_policy do\n its('SeManageVolumePrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeManageVolumePrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73609' do\n title \"The US DoD CCEB Interoperability Root CA cross-certificates must be\n installed in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"satisfies\": ['SRG-OS-000066-GPOS-00034', 'SRG-OS-000403-GPOS-00182']\n tag \"gid\": 'V-73609'\n tag \"rid\": 'SV-88273r2_rule'\n tag \"stig_id\": 'WN16-PK-000030'\n tag \"fix_id\": 'F-87315r1_fix'\n tag \"cci\": ['CCI-000185', 'CCI-002470']\n tag \"nist\": ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This is applicable to unclassified systems. It is NA for others.\n\n Open PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where Issuer -Like *CCEB\n Interoperability* | FL Subject, Issuer, Thumbprint, NotAfter\n\n If the following certificate Subject, Issuer, and Thumbprint\n information is not displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n NotAfter: 3/9/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.\n Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Untrusted Certificates >>\n Certificates.\n\n For each certificate with US DoD CCEB Interoperability Root CA … under\n Issued By:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the certificate below is not listed or the value for the Thumbprint\n field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: US DoD CCEB Interoperability Root CA 1\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n Valid to: Saturday, March 9, 2019\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019\"\n desc \"fix\", \"Install the US DoD CCEB Interoperability Root CA\n cross-certificate on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 -\n DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 -\n 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n Administrators should run the Federal Bridge 
Certification Authority (FBCA)\n Cross-Certificate Removal Tool once as an administrator and once as the current\n user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n\n is_unclassified_system = input('is_unclassified_system')\n dod_cceb_certificates = JSON.parse(input('dod_cceb_certificates').to_json)\n if is_unclassified_system\n query = json({command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*CCEB Interoperability*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json'})\n describe 'The US DoD CCEB Interoperability Root CA cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_cceb_certificates }\n end\n else\n impact 0.0\n describe 'This is NOT an unclassified system, therefore this control is not applicable' do\n skip 'This is NOT an unclassified system, therefore this control is not applicable'\n end\n end\nend \n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73797.rb", + "ref": "./Windows 2016 STIG/controls/V-73609.rb", "line": 1 }, - "id": "V-73797" + "id": "V-73609" }, { - "title": "The Deny log on locally user right on domain controllers must be\n configured to prevent unauthenticated access.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "title": "The setting Domain member: Digitally sign secure channel data (when\n possible) must be configured to Enabled.", + "desc": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not 
integrity\n checked. If this policy is enabled, outgoing secure channel traffic will be\n signed.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", - "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n locally user right, this is a finding.\n\n - Guests Group", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on locally to include the following:\n\n - Guests Group" + "default": "Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. If this policy is enabled, outgoing secure channel traffic will be\n signed.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain\n member: Digitally sign secure channel data (when possible) to Enabled." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73769", - "rid": "SV-88433r1_rule", - "stig_id": "WN16-DC-000400", - "fix_id": "F-80219r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-73637", + "rid": "SV-88301r1_rule", + "stig_id": "WN16-SO-000100", + "fix_id": "F-80087r1_fix", "cci": [ - "CCI-000213" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AC-3", + "SC-8", + "SC-8 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73769' do\n title \"The Deny log on locally user right on domain controllers must be\n configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on locally user right defines accounts that are prevented\n from logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73769'\n tag \"rid\": 'SV-88433r1_rule'\n tag \"stig_id\": 'WN16-DC-000400'\n tag \"fix_id\": 'F-80219r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n locally user right, this is a finding.\n\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on locally to include the following:\n\n - Guests Group\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73637' do\n title \"The setting Domain member: Digitally sign secure channel data (when\n possible) must be configured to Enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive\n information (such as passwords) is encrypted, but the channel is not integrity\n checked. 
If this policy is enabled, outgoing secure channel traffic will be\n signed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73637'\n tag \"rid\": 'SV-88301r1_rule'\n tag \"stig_id\": 'WN16-SO-000100'\n tag \"fix_id\": 'F-80087r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain\n member: Digitally sign secure channel data (when possible) to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'SignSecureChannel' }\n its('SignSecureChannel') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73769.rb", + "ref": "./Windows 2016 STIG/controls/V-73637.rb", "line": 1 }, - "id": "V-73769" + "id": "V-73637" }, { - "title": "The Add workstations to domain user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Add workstations to domain right may add computers to\n a domain. 
This could result in unapproved or incorrectly configured systems\n being added to a domain.", + "title": "Systems requiring data at rest protections must employ cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.", + "desc": "This requirement addresses protection of user-generated data as well\n as operating system-specific configuration data. Organizations may choose to\n employ different mechanisms to achieve confidentiality and integrity\n protections, as appropriate, in accordance with the security category and/or\n classification of the information.\n\n Selection of a cryptographic mechanism is based on the need to protect the\n integrity of organizational information. The strength of the mechanism is\n commensurate with the security category and/or classification of the\n information. Organizations have the flexibility to either encrypt all\n information on storage devices (i.e., full disk encryption) or encrypt specific\n data structures (e.g., files, records, or fields).", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Add workstations to domain right may add computers to\n a domain. This could result in unapproved or incorrectly configured systems\n being added to a domain.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Add\n workstations to domain right, this is a finding.\n\n - Administrators", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Add workstations to domain to include only the following accounts or groups:\n\n - Administrators" + "default": "This requirement addresses protection of user-generated data as well\n as operating system-specific configuration data. Organizations may choose to\n employ different mechanisms to achieve confidentiality and integrity\n protections, as appropriate, in accordance with the security category and/or\n classification of the information.\n\n Selection of a cryptographic mechanism is based on the need to protect the\n integrity of organizational information. The strength of the mechanism is\n commensurate with the security category and/or classification of the\n information. Organizations have the flexibility to either encrypt all\n information on storage devices (i.e., full disk encryption) or encrypt specific\n data structures (e.g., files, records, or fields).", + "check": "Verify systems that require additional protections due to\n factors such as inadequate physical protection or sensitivity of the data\n employ encryption to protect the confidentiality and integrity of all\n information at rest.\n\n If they do not, this is a finding.", + "fix": "Configure systems that require additional protections due to\n factors such as inadequate physical protection or sensitivity of the data to\n employ encryption to protect the confidentiality and integrity of all\n information at rest." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73737", - "rid": "SV-88401r1_rule", - "stig_id": "WN16-DC-000350", - "fix_id": "F-80187r1_fix", + "gtitle": "SRG-OS-000185-GPOS-00079", + "satisfies": [ + "SRG-OS-000185-GPOS-00079", + "SRG-OS-000404-GPOS-00183", + "SRG-OS-000405-GPOS-00184" + ], + "gid": "V-73273", + "rid": "SV-87925r1_rule", + "stig_id": "WN16-00-000280", + "fix_id": "F-79717r1_fix", "cci": [ - "CCI-002235" + "CCI-001199", + "CCI-002475", + "CCI-002476" ], "nist": [ - "AC-6 (10)", + "SC-28", + "SC-28 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73737' do\n title \"The Add workstations to domain user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Add workstations to domain right may add computers to\n a domain. This could result in unapproved or incorrectly configured systems\n being added to a domain.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73737'\n tag \"rid\": 'SV-88401r1_rule'\n tag \"stig_id\": 'WN16-DC-000350'\n tag \"fix_id\": 'F-80187r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Add\n workstations to domain right, this is a finding.\n\n - Administrators\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Add workstations to domain to include only the following accounts or groups:\n\n - Administrators\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeMachineAccountPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeMachineAccountPrivilege') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73273' do\n title \"Systems requiring data at rest protections must employ cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.\"\n desc \"This requirement addresses protection of user-generated data as well\n as operating system-specific configuration data. 
Organizations may choose to\n employ different mechanisms to achieve confidentiality and integrity\n protections, as appropriate, in accordance with the security category and/or\n classification of the information.\n\n Selection of a cryptographic mechanism is based on the need to protect the\n integrity of organizational information. The strength of the mechanism is\n commensurate with the security category and/or classification of the\n information. Organizations have the flexibility to either encrypt all\n information on storage devices (i.e., full disk encryption) or encrypt specific\n data structures (e.g., files, records, or fields).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000185-GPOS-00079'\n tag \"satisfies\": ['SRG-OS-000185-GPOS-00079', 'SRG-OS-000404-GPOS-00183',\n 'SRG-OS-000405-GPOS-00184']\n tag \"gid\": 'V-73273'\n tag \"rid\": 'SV-87925r1_rule'\n tag \"stig_id\": 'WN16-00-000280'\n tag \"fix_id\": 'F-79717r1_fix'\n tag \"cci\": ['CCI-001199', 'CCI-002475', 'CCI-002476']\n tag \"nist\": ['SC-28', 'SC-28 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify systems that require additional protections due to\n factors such as inadequate physical protection or sensitivity of the data\n employ encryption to protect the confidentiality and integrity of all\n information at rest.\n\n If they do not, this is a finding.\"\n desc \"fix\", \"Configure systems that require additional protections due to\n factors such as inadequate physical protection or sensitivity of the data to\n employ encryption to protect the confidentiality and integrity of all\n information at rest.\"\n describe \"A manual review is required to verify that systems requiring data at rest protections are employing cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.\" do\n skip \"A manual review is required to verify that systems requiring data at rest protections are employing cryptographic\n mechanisms to 
prevent unauthorized disclosure and modification of the\n information at rest.\"\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73737.rb", + "ref": "./Windows 2016 STIG/controls/V-73273.rb", "line": 1 }, - "id": "V-73737" + "id": "V-73273" }, { - "title": "The Generate security audits user right must only be assigned to Local\n Service and Network Service.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Generate security audits user right specifies users and processes\n that can generate Security Log audit records, which must only be the system\n service accounts defined.", + "title": "FTP servers must be configured to prevent anonymous logons.", + "desc": "The FTP service allows remote users to access shared files and\n directories. Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\n that the userid and password will be captured on the network and give\n administrator access to an unauthorized user.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Generate security audits user right specifies users and processes\n that can generate Security Log audit records, which must only be the system\n service accounts defined.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Generate\n security audits user right, this is a finding.\n\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for 
having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Generate security audits to include only the following accounts or groups:\n\n - Local Service\n - Network Service" + "default": "The FTP service allows remote users to access shared files and\n directories. Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\n that the userid and password will be captured on the network and give\n administrator access to an unauthorized user.", + "check": "If FTP is not installed on the system, this is NA.\n\n Open Internet Information Services (IIS) Manager.\n\n Select the server.\n\n Double-click FTP Authentication.\n\n If the Anonymous Authentication status is Enabled, this is a finding.", + "fix": "Configure the FTP service to prevent anonymous logons.\n\n Open Internet Information Services (IIS) Manager.\n\n Select the server.\n\n Double-click FTP Authentication.\n\n Select Anonymous Authentication.\n\n Select Disabled under Actions" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73783", - "rid": "SV-88447r1_rule", - "stig_id": "WN16-UR-000210", - "fix_id": "F-80233r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73303", + "rid": "SV-87955r1_rule", + "stig_id": "WN16-00-000430", + "fix_id": "F-79745r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73783' do\n title \"The Generate security audits user right must only be assigned to Local\n Service and Network Service.\"\n desc 
\"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Generate security audits user right specifies users and processes\n that can generate Security Log audit records, which must only be the system\n service accounts defined.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73783'\n tag \"rid\": 'SV-88447r1_rule'\n tag \"stig_id\": 'WN16-UR-000210'\n tag \"fix_id\": 'F-80233r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Generate\n security audits user right, this is a finding.\n\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Generate security audits to include only the following accounts or groups:\n\n - Local Service\n - Network Service\"\n describe.one do\n describe security_policy do\n its('SeAuditPrivilege') { should be_in ['S-1-5-19', 'S-1-5-20'] }\n end\n describe security_policy do\n its('SeAuditPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73303' do\n title 'FTP servers must be configured to prevent anonymous logons.'\n desc 
\"The FTP service allows remote users to access shared files and\n directories. Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\n that the userid and password will be captured on the network and give\n administrator access to an unauthorized user.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73303'\n tag \"rid\": 'SV-87955r1_rule'\n tag \"stig_id\": 'WN16-00-000430'\n tag \"fix_id\": 'F-79745r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If FTP is not installed on the system, this is NA.\n\n Open Internet Information Services (IIS) Manager.\n\n Select the server.\n\n Double-click FTP Authentication.\n\n If the Anonymous Authentication status is Enabled, this is a finding.\"\n desc \"fix\", \"Configure the FTP service to prevent anonymous logons.\n\n Open Internet Information Services (IIS) Manager.\n\n Select the server.\n\n Double-click FTP Authentication.\n\n Select Anonymous Authentication.\n\n Select Disabled under Actions\"\n is_ftp_installed = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n if is_ftp_installed == 'False'\n impact 0.0\n describe 'FTP is not installed on this system, therefore this control is not applicable' do\n skip 'FTP is not installed on this system, therefore this control is not applicable'\n end\n else\n describe 'A manual review is required to ensure File Transfer Protocol (FTP) servers are configured to prevent\n anonymous logons' do\n skip 'A manual review is required to ensure File Transfer Protocol (FTP) servers are configured to prevent\n anonymous logons'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73783.rb", + "ref": "./Windows 2016 STIG/controls/V-73303.rb", "line": 1 }, - "id": "V-73783" + "id": "V-73303" }, { - "title": "Windows Server 2016 must 
be configured to audit Account Management -\n User Account Management successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", + "title": "Passwords must be configured to expire.", + "desc": "Passwords that do not expire or are reused increase the exposure of a\n password with greater probability of being discovered or cracked.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit User Account Management with\n Success selected." 
+ "default": "Passwords that do not expire or are reused increase the exposure of a\n password with greater probability of being discovered or cracked.", + "check": "Review the password never expires status for enabled user\n accounts.\n\n Open PowerShell.\n\n Domain Controllers:\n\n Enter Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name,\n PasswordNeverExpires, Enabled.\n\n Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest)\n and the krbtgt account.\n\n If any enabled user accounts are returned with a PasswordNeverExpires\n status of True, this is a finding.\n\n Member servers and standalone systems:\n\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter PasswordExpires=False\n and LocalAccount=True | FT Name, PasswordExpires, Disabled, LocalAccount'.\n\n Exclude application accounts and disabled accounts (e.g., DefaultAccount,\n Guest).\n\n If any enabled user accounts are returned with a PasswordExpires status of\n False, this is a finding.", + "fix": "Configure all enabled user account passwords to expire.\n\n Uncheck Password never expires for all enabled user accounts in Active\n Directory Users and Computers for domain accounts and Users in Computer\n Management for member servers and standalone systems. Document any exceptions\n with the ISSO." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000004-GPOS-00004",
- "satisfies": [
- "SRG-OS-000004-GPOS-00004",
- "SRG-OS-000239-GPOS-00089",
- "SRG-OS-000240-GPOS-00090",
- "SRG-OS-000241-GPOS-00091",
- "SRG-OS-000303-GPOS-00120",
- "SRG-OS-000476-GPOS-00221"
- ],
- "gid": "V-73427",
- "rid": "SV-88079r1_rule",
- "stig_id": "WN16-AU-000140",
- "fix_id": "F-79869r1_fix",
+ "gtitle": "SRG-OS-000076-GPOS-00044",
+ "gid": "V-73263",
+ "rid": "SV-87915r2_rule",
+ "stig_id": "WN16-00-000230",
+ "fix_id": "F-79707r1_fix",
 "cci": [
- "CCI-000018",
- "CCI-000172",
- "CCI-001403",
- "CCI-001404",
- "CCI-001405",
- "CCI-002130"
+ "CCI-000199"
 ],
 "nist": [
- "AC-2 (4)",
- "AU-12 c",
+ "IA-5 (1) (d)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73427' do\n title \"Windows Server 2016 must be configured to audit Account Management -\n User Account Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\n deleting, renaming, disabling, or enabling user accounts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000004-GPOS-00004'\n tag \"satisfies\": ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',\n 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',\n 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag \"gid\": 'V-73427'\n tag \"rid\": 'SV-88079r1_rule'\n tag \"stig_id\": 'WN16-AU-000140'\n tag \"fix_id\": 'F-79869r1_fix'\n tag \"cci\": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',\n 'CCI-001405', 'CCI-002130']\n tag \"nist\": ['AC-2 (4)', 'AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Management >> Audit User Account Management with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 
'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'User Account Management'\") do\n its('stdout') { should match /User Account Management Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'User Account Management'\") do\n its('stdout') { should match /User Account Management Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73263' do\n title 'Passwords must be configured to expire.'\n desc \"Passwords that do not expire or are reused increase the exposure of a\n password with greater probability of being discovered or cracked.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000076-GPOS-00044'\n tag \"gid\": 'V-73263'\n tag \"rid\": 'SV-87915r2_rule'\n tag \"stig_id\": 'WN16-00-000230'\n tag \"fix_id\": 'F-79707r1_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the password never expires status for enabled user\n accounts.\n\n Open PowerShell.\n\n Domain Controllers:\n\n Enter Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name,\n PasswordNeverExpires, Enabled.\n\n Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest)\n and the krbtgt account.\n\n If any enabled user accounts are returned with a PasswordNeverExpires\n status of True, this is a finding.\n\n Member servers and standalone systems:\n\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter PasswordExpires=False\n and LocalAccount=True | FT Name, PasswordExpires, Disabled, LocalAccount'.\n\n Exclude application accounts and disabled accounts (e.g., DefaultAccount,\n Guest).\n\n If any enabled user accounts are returned with a PasswordExpires status of\n False, this is a finding.\"\n desc \"fix\", \"Configure all enabled user account passwords to expire.\n\n Uncheck Password never expires for all enabled user accounts in Active\n Directory Users and Computers for domain accounts and Users in Computer\n Management 
for member servers and standalone systems. Document any exceptions\n with the ISSO.\"\n users_with_passwords_set_to_not_expire = command(\"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordExpires=False\n and LocalAccount=True and Disabled=False' | FT Name | Findstr /V 'Name --'\").stdout.strip\n\n describe \"Users with password set to not expire\" do\n subject {users_with_passwords_set_to_not_expire}\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73427.rb", + "ref": "./Windows 2016 STIG/controls/V-73263.rb", "line": 1 }, - "id": "V-73427" + "id": "V-73263" }, { - "title": "Orphaned security identifiers (SIDs) must be removed from user rights\non Windows 2016.", - "desc": "Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.", + "title": "Windows Server 2016 must employ automated mechanisms to determine the\n state of system components with regard to flaw remediation using the following\n frequency: continuously, where Host Based Security System (HBSS) is used; 30\n days, for any additional internal network scans not covered by HBSS; and\n annually, for external scans by Computer Network Defense Service Provider\n (CNDSP).", + "desc": "Without the use of automated mechanisms to scan for security flaws on\n a continuous and/or periodic basis, the operating system or other system\n components may remain vulnerable to the exploits presented by undetected\n software flaws. 
The operating system may have an integrated solution\n incorporating continuous scanning using HBSS and periodic scanning using other\n tools.", "descriptions": { - "default": "Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.", - "check": "Review the effective User Rights setting in Local Group Policy\n Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether they\n are valid, such as due to being temporarily disconnected from the domain.\n (Unresolved SIDs have the format of *S-1-….)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\n groups, this is a finding.", - "fix": "Remove any unresolved SIDs found in User Rights assignments and\n determined to not be for currently valid accounts or groups by removing the\n accounts or groups from the appropriate group policy." + "default": "Without the use of automated mechanisms to scan for security flaws on\n a continuous and/or periodic basis, the operating system or other system\n components may remain vulnerable to the exploits presented by undetected\n software flaws. 
The operating system may have an integrated solution\n incorporating continuous scanning using HBSS and periodic scanning using other\n tools.", + "check": "Verify the operating system employs automated mechanisms to\n determine the state of system components with regard to flaw remediation using\n the following frequency: continuously, where HBSS is used; 30 days, for any\n additional internal network scans not covered by HBSS; and annually, for\n external scans by CNDSP.\n\n If it does not, this is a finding.", + "fix": "Configure the operating system to employ automated mechanisms to\n determine the state of system components with regard to flaw remediation using\n the following frequency: continuously, where HBSS is used; 30 days, for any\n additional internal network scans not covered by HBSS; and annually, for\n external scans by CNDSP." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-78127", - "rid": "SV-92833r1_rule", - "stig_id": "WN16-00-000460", - "fix_id": "F-84849r1_fix", + "gtitle": "SRG-OS-000191-GPOS-00080", + "gid": "V-73281", + "rid": "SV-87933r1_rule", + "stig_id": "WN16-00-000320", + "fix_id": "F-79725r1_fix", "cci": [ - "CCI-000366" + "CCI-001233" ], "nist": [ - "CM-6 b", + "SI-2 (2)", "Rev_4" ], "documentable": false }, - "code": "control 'V-78127' do\n title \"Orphaned security identifiers (SIDs) must be removed from user rights\non Windows 2016.\"\n desc \"Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. 
Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-78127'\n tag \"rid\": 'SV-92833r1_rule'\n tag \"stig_id\": 'WN16-00-000460'\n tag \"fix_id\": 'F-84849r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Review the effective User Rights setting in Local Group Policy\n Editor.\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether they\n are valid, such as due to being temporarily disconnected from the domain.\n (Unresolved SIDs have the format of *S-1-….)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\n groups, this is a finding.\"\n desc \"fix\", \"Remove any unresolved SIDs found in User Rights assignments and\n determined to not be for currently valid accounts or groups by removing the\n accounts or groups from the appropriate group policy.\"\n describe \"Orphaned security identifiers (SIDs) must be removed from user rights\n on Windows 2016\" do\n skip \"A manual review is required to verify orphaned security identifiers (SIDs) are removed from user rights\n on Windows 2016\"\n end\nend\n", + "code": "control 'V-73281' do\n title \"Windows Server 2016 must employ automated mechanisms to determine the\n state of system components with regard to flaw remediation using the following\n frequency: continuously, where Host Based Security System (HBSS) is used; 30\n days, for any additional internal network scans not covered by HBSS; and\n annually, for external scans by Computer Network Defense Service Provider\n (CNDSP).\"\n desc \"Without the use of automated mechanisms to scan for security flaws on\n a 
continuous and/or periodic basis, the operating system or other system\n components may remain vulnerable to the exploits presented by undetected\n software flaws. The operating system may have an integrated solution\n incorporating continuous scanning using HBSS and periodic scanning using other\n tools.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000191-GPOS-00080'\n tag \"gid\": 'V-73281'\n tag \"rid\": 'SV-87933r1_rule'\n tag \"stig_id\": 'WN16-00-000320'\n tag \"fix_id\": 'F-79725r1_fix'\n tag \"cci\": ['CCI-001233']\n tag \"nist\": ['SI-2 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the operating system employs automated mechanisms to\n determine the state of system components with regard to flaw remediation using\n the following frequency: continuously, where HBSS is used; 30 days, for any\n additional internal network scans not covered by HBSS; and annually, for\n external scans by CNDSP.\n\n If it does not, this is a finding.\"\n desc \"fix\", \"Configure the operating system to employ automated mechanisms to\n determine the state of system components with regard to flaw remediation using\n the following frequency: continuously, where HBSS is used; 30 days, for any\n additional internal network scans not covered by HBSS; and annually, for\n external scans by CNDSP.\"\n describe \"A manual review is required to verify the operating system employs automated mechanisms to determine the\n state of system components with regard to flaw remediation using the following\n frequency: continuously, where HBSS is used; 30 days, for any additional\n internal network scans not covered by HBSS; and annually, for external scans by\n Computer Network Defense Service Provider (CNDSP).\" do\n skip \"A manual review is required to verify the operating system employs automated mechanisms to determine the\n state of system components with regard to flaw remediation using the following\n frequency: continuously, where HBSS is used; 30 days, for any 
additional\n internal network scans not covered by HBSS; and annually, for external scans by\n Computer Network Defense Service Provider (CNDSP).\"\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-78127.rb", + "ref": "./Windows 2016 STIG/controls/V-73281.rb", "line": 1 }, - "id": "V-78127" + "id": "V-73281" }, { - "title": "NTLM must be prevented from falling back to a Null session.", - "desc": "NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.", + "title": "Windows Server 2016 must be configured to audit Account Logon -\n Credential Validation failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.", "descriptions": { - "default": "NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0\\\n\n Value Name: allownullsessionfallback\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow LocalSystem NULL session fallback to Disabled" + "default": "Maintaining an audit trail of system activity logs can help identify\n 
configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.", + "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt(run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> Audit Credential Validation with\n Failure selected." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-73681",
- "rid": "SV-88345r1_rule",
- "stig_id": "WN16-SO-000330",
- "fix_id": "F-80131r1_fix",
+ "gtitle": "SRG-OS-000470-GPOS-00214",
+ "gid": "V-73415",
+ "rid": "SV-88067r1_rule",
+ "stig_id": "WN16-AU-000080",
+ "fix_id": "F-79857r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000172"
 ],
 "nist": [
- "CM-6 b",
+ "AU-12 c",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73681' do\n title 'NTLM must be prevented from falling back to a Null session.'\n desc \"NTLM sessions that are allowed to fall back to Null (unauthenticated)\n sessions may gain unauthorized access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73681'\n tag \"rid\": 'SV-88345r1_rule'\n tag \"stig_id\": 'WN16-SO-000330'\n tag \"fix_id\": 'F-80131r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\MSV1_0\\\\\n\n Value Name: allownullsessionfallback\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Allow LocalSystem NULL session fallback to Disabled\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'allownullsessionfallback' }\n its('allownullsessionfallback') { should cmp 0 }\n end\nend\n",
+ "code": "control 'V-73415' do\n title \"Windows Server 2016 must be configured to audit Account Logon -\n Credential Validation failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, 
troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000470-GPOS-00214'\n tag \"gid\": 'V-73415'\n tag \"rid\": 'SV-88067r1_rule'\n tag \"stig_id\": 'WN16-AU-000080'\n tag \"fix_id\": 'F-79857r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt(run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> Audit Credential Validation with\n Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Credential Validation'\") do\n its('stdout') { should match /Credential Validation Failure/ }\n end\n describe 
command(\"AuditPol /get /category:* | Findstr /c:'Credential Validation'\") do\n its('stdout') { should match /Credential Validation Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73681.rb", + "ref": "./Windows 2016 STIG/controls/V-73415.rb", "line": 1 }, - "id": "V-73681" + "id": "V-73415" }, { - "title": "Source routing must be configured to the highest protection level to\n prevent Internet Protocol (IP) source routing.", - "desc": "Configuring the system to disable IP source routing protects against\n spoofing.", + "title": "Only administrators responsible for the domain controller must have\n Administrator rights on the system.", + "desc": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\n group.", "descriptions": { - "default": "Configuring the system to disable IP source routing protects against\n spoofing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting) IP\n source routing protection level (protects against packet spoofing) to\n Enabled with Highest protection, source routing is completely disabled\n selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG 
package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." + "default": "An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\n group.", + "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Review the Administrators group. Only the appropriate administrator groups or\n accounts responsible for administration of the system may be members of the\n group.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this is a\n finding.\n\n If the built-in Administrator account or other required administrative accounts\n are found on the system, this is not a finding.", + "fix": "Configure the Administrators group to include only administrator\n groups or accounts that are responsible for the system.\n Remove any standard user accounts." 
}, - "impact": 0.3, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73501", - "rid": "SV-88153r1_rule", - "stig_id": "WN16-CC-000050", - "fix_id": "F-79943r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73219", + "rid": "SV-87871r1_rule", + "stig_id": "WN16-DC-000010", + "fix_id": "F-79665r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73501' do\n title \"Source routing must be configured to the highest protection level to\n prevent Internet Protocol (IP) source routing.\"\n desc \"Configuring the system to disable IP source routing protects against\n spoofing.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73501'\n tag \"rid\": 'SV-88153r1_rule'\n tag \"stig_id\": 'WN16-CC-000050'\n tag \"fix_id\": 'F-79943r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting) IP\n source routing protection level (protects against packet spoofing) to\n Enabled with Highest protection, source routing is completely disabled\n selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2 }\n end\nend\n", + "code": "control 'V-73219' do\n title \"Only administrators responsible for the domain controller must have\n Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\n Administrator rights. Such rights would allow the account to bypass or modify\n required security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\n minimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\n group.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73219'\n tag \"rid\": 'SV-87871r1_rule'\n tag \"stig_id\": 'WN16-DC-000010'\n tag \"fix_id\": 'F-79665r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. A separate version applies\n to other systems.\n\n Review the Administrators group. 
Only the appropriate administrator groups or\n accounts responsible for administration of the system may be members of the\n group.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this is a\n finding.\n\n If the built-in Administrator account or other required administrative accounts\n are found on the system, this is not a finding.\"\n desc \"fix\", \"Configure the Administrators group to include only administrator\n groups or accounts that are responsible for the system.\n Remove any standard user accounts.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n administrators_domain = input('administrators_domain')\n administrator_group = command(\"net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\n\")\n \n if domain_role == '4' || domain_role == '5'\n administrator_group.each do |user|\n a = user.strip\n describe a.to_s do\n it { should be_in administrators_domain }\n end\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges on this system, therefore this control is not applicable' do\n skip 'There are no users with administrative privileges on this system, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73501.rb", + "ref": "./Windows 2016 STIG/controls/V-73219.rb", "line": 1 }, - "id": "V-73501" + "id": "V-73219" }, { - "title": "Insecure logons to an SMB server 
must be disabled.", - "desc": "Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.", + "title": "The Access Credential Manager as a trusted caller user right must not\n be assigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access Credential Manager as a trusted caller user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.", "descriptions": { - "default": "Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Lanman Workstation >> Enable insecure\n guest logons to Disabled." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access Credential Manager as a trusted caller user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Access Credential Manager as a\n trusted caller user right, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access Credential Manager as a trusted callers to be defined but containing\n no entries (blank)." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73507", - "rid": "SV-88159r1_rule", - "stig_id": "WN16-CC-000080", - "fix_id": "F-79949r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73729", + "rid": "SV-88393r1_rule", + "stig_id": "WN16-UR-000010", + "fix_id": "F-80179r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73507' do\n title 'Insecure logons to an SMB server must be disabled.'\n desc \"Insecure guest logons allow unauthenticated access to shared folders.\n Shared resources on a system must require authentication to establish proper\n access.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73507'\n tag \"rid\": 'SV-88159r1_rule'\n tag \"stig_id\": 'WN16-CC-000080'\n tag \"fix_id\": 'F-79949r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n 
configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\LanmanWorkstation\\\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Network >> Lanman Workstation >> Enable insecure\n guest logons to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\LanmanWorkstation') do\n it { should have_property 'AllowInsecureGuestAuth' }\n its('AllowInsecureGuestAuth') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73729' do\n title \"The Access Credential Manager as a trusted caller user right must not\n be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access Credential Manager as a trusted caller user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73729'\n tag \"rid\": 'SV-88393r1_rule'\n tag \"stig_id\": 'WN16-UR-000010'\n tag \"fix_id\": 'F-80179r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Access Credential Manager as a\n trusted caller user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access Credential Manager as a trusted callers 
to be defined but containing\n no entries (blank).\"\n describe security_policy do\n its('SeTrustedCredManAccessPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73507.rb", + "ref": "./Windows 2016 STIG/controls/V-73729.rb", "line": 1 }, - "id": "V-73507" + "id": "V-73729" }, { - "title": "The Debug programs user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Debug programs user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.", + "title": "Protection methods such as TLS, encrypted VPNs, or IPsec must be\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.", + "desc": "Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, for example, during aggregation,\n at protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n\n Ensuring the confidentiality of transmitted information requires the\n operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n\n Use of this requirement will be limited to situations where the data owner\n has a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process. 
When\n transmitting data, operating systems need to support transmission protection\n mechanisms such as TLS, encrypted VPNs, or IPsec.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Debug programs user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. This right is given to Administrators in\n the default configuration.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Debug\n programs user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for application accounts with this user right must be protected as\n highly privileged accounts.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Debug programs to include only the following accounts or groups:\n\n - Administrators" + "default": "Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, for example, during aggregation,\n at protocol transformation points, and during packing/unpacking. 
These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n\n Ensuring the confidentiality of transmitted information requires the\n operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n\n Use of this requirement will be limited to situations where the data owner\n has a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process. When\n transmitting data, operating systems need to support transmission protection\n mechanisms such as TLS, encrypted VPNs, or IPsec.", + "check": "If the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process, verify protection methods such as TLS, encrypted VPNs, or\n IPsec have been implemented.\n\n If protection methods have not been implemented, this is a finding.", + "fix": "Configure protection methods such as TLS, encrypted VPNs, or\n IPsec when the data owner has a strict requirement for ensuring data integrity\n and confidentiality is maintained at every step of the data transfer and\n handling process." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73755", - "rid": "SV-88419r1_rule", - "stig_id": "WN16-UR-000130", - "fix_id": "F-80205r1_fix", + "gtitle": "SRG-OS-000425-GPOS-00189", + "satisfies": [ + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" + ], + "gid": "V-73275", + "rid": "SV-87927r1_rule", + "stig_id": "WN16-00-000290", + "fix_id": "F-79719r1_fix", "cci": [ - "CCI-002235" + "CCI-002420", + "CCI-002422" ], "nist": [ - "AC-6 (10)", + "SC-8 (2)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73755' do\n title \"The Debug programs user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Debug programs user right can attach a debugger to\n any process or to the kernel, providing complete access to sensitive and\n critical operating system components. 
This right is given to Administrators in\n the default configuration.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73755'\n tag \"rid\": 'SV-88419r1_rule'\n tag \"stig_id\": 'WN16-UR-000130'\n tag \"fix_id\": 'F-80205r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Debug\n programs user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for application accounts with this user right must be protected as\n highly privileged accounts.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Debug programs to include only the following accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeDebugPrivilege') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeDebugPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73275' do\n title \"Protection methods such as TLS, encrypted VPNs, or IPsec must be\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.\"\n 
desc \"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, for example, during aggregation,\n at protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n\n Ensuring the confidentiality of transmitted information requires the\n operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n\n Use of this requirement will be limited to situations where the data owner\n has a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process. When\n transmitting data, operating systems need to support transmission protection\n mechanisms such as TLS, encrypted VPNs, or IPsec.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000425-GPOS-00189'\n tag \"satisfies\": ['SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag \"gid\": 'V-73275'\n tag \"rid\": 'SV-87927r1_rule'\n tag \"stig_id\": 'WN16-00-000290'\n tag \"fix_id\": 'F-79719r1_fix'\n tag \"cci\": ['CCI-002420', 'CCI-002422']\n tag \"nist\": ['SC-8 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process, verify protection methods such as TLS, encrypted VPNs, or\n IPsec have been implemented.\n\n If protection methods have not been implemented, this is a finding.\"\n desc \"fix\", \"Configure protection methods such as TLS, encrypted VPNs, or\n IPsec when the data owner has a strict requirement for ensuring data integrity\n and confidentiality is maintained at every step of the data transfer and\n handling process.\"\n describe \"A manual review is required to verify that protection methods such as TLS, 
encrypted VPNs, or IPSEC are\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.\" do\n skip \"A manual review is required to verify that protection methods such as TLS, encrypted VPNs, or IPSEC are\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.\"\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73755.rb", + "ref": "./Windows 2016 STIG/controls/V-73275.rb", "line": 1 }, - "id": "V-73755" + "id": "V-73275" }, { - "title": "The built-in Windows password complexity policy must be enabled.", - "desc": "The use of complex passwords increases their strength against attack.\n The built-in Windows password complexity policy requires passwords to contain\n at least three of the four types of characters (numbers, upper- and lower-case\n letters, and special characters) and prevents the inclusion of user names or\n parts of user names.", + "title": "Virtualization-based security must be enabled with the platform\n security level configured to Secure Boot or Secure Boot with DMA Protection.", + "desc": "Virtualization Based Security (VBS) provides the platform for the\n additional security features Credential Guard and virtualization-based\n protection of code integrity. Secure Boot is the minimum security level, with\n DMA protection providing additional memory protection. 
DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).", "descriptions": { - "default": "The use of complex passwords increases their strength against attack.\n The built-in Windows password complexity policy requires passwords to contain\n at least three of the four types of characters (numbers, upper- and lower-case\n letters, and special characters) and prevents the inclusion of user names or\n parts of user names.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Password must meet complexity requirements is not set to\n Enabled, this is a finding.\n\n Note: If an external password filter is in use that enforces all four character\n types and requires this setting to be set to Disabled, this would not be\n considered a finding. If this setting does not affect the use of an external\n password filter, it must be enabled for fallback purposes.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Password must meet complexity requirements to Enabled." + "default": "Virtualization Based Security (VBS) provides the platform for the\n additional security features Credential Guard and virtualization-based\n protection of code integrity. Secure Boot is the minimum security level, with\n DMA protection providing additional memory protection. 
DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).", + "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements, including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\n\n If RequiredSecurityProperties does not include a value of 2 indicating\n Secure Boot (e.g., {1, 2}), this is a finding.\n\n If Secure Boot and DMA Protection is configured, 3 will also be\n displayed in the results (e.g., {1, 2, 3}).\n\n If VirtualizationBasedSecurityStatus is not a value of 2 indicating\n Running, this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Virtualization based security does not display Running,\n this is finding.\n\n If Device Guard Required Security Properties does not display Base\n Virtualization Support, Secure Boot, this is finding.\n\n If Secure Boot and DMA Protection is configured, DMA Protection will\n also be displayed (e.g., Base Virtualization Support, Secure Boot, DMA\n Protection).\n\n The policy settings referenced in the Fix section will configure the following\n registry values. 
However, due to hardware requirements, the registry values\n alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA\n Protection)\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Secure Boot or Secure Boot and DMA\n Protection selected.\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000069-GPOS-00037", - "satisfies": [ - "SRG-OS-000069-GPOS-00037", - "SRG-OS-000070-GPOS-00038", - "SRG-OS-000071-GPOS-00039", - "SRG-OS-000266-GPOS-00101" - ], - "gid": "V-73323", - "rid": "SV-87975r1_rule", - "stig_id": "WN16-AC-000080", - "fix_id": "F-79765r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73513", + "rid": "SV-88165r1_rule", + "stig_id": "WN16-CC-000110", + "fix_id": "F-79955r1_fix", "cci": [ - "CCI-000192", - "CCI-000193", - "CCI-000194", - "CCI-001619" + "CCI-000366" ], "nist": [ - "IA-5 (1) (a)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73323' do\n title 'The built-in Windows password complexity policy must be enabled.'\n desc \"The use of complex passwords increases their strength against attack.\n The built-in Windows 
password complexity policy requires passwords to contain\n at least three of the four types of characters (numbers, upper- and lower-case\n letters, and special characters) and prevents the inclusion of user names or\n parts of user names.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000069-GPOS-00037'\n tag \"satisfies\": ['SRG-OS-000069-GPOS-00037', 'SRG-OS-000070-GPOS-00038',\n 'SRG-OS-000071-GPOS-00039', 'SRG-OS-000266-GPOS-00101']\n tag \"gid\": 'V-73323'\n tag \"rid\": 'SV-87975r1_rule'\n tag \"stig_id\": 'WN16-AC-000080'\n tag \"fix_id\": 'F-79765r1_fix'\n tag \"cci\": ['CCI-000192', 'CCI-000193', 'CCI-000194', 'CCI-001619']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for Password must meet complexity requirements is not set to\n Enabled, this is a finding.\n\n Note: If an external password filter is in use that enforces all four character\n types and requires this setting to be set to Disabled, this would not be\n considered a finding. 
If this setting does not affect the use of an external\n password filter, it must be enabled for fallback purposes.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Password must meet complexity requirements to Enabled.\"\n describe security_policy do\n its('PasswordComplexity') { should eq 1 }\n end\nend\n", + "code": "control 'V-73513' do\n title \"Virtualization-based security must be enabled with the platform\n security level configured to Secure Boot or Secure Boot with DMA Protection.\"\n desc \"Virtualization Based Security (VBS) provides the platform for the\n additional security features Credential Guard and virtualization-based\n protection of code integrity. Secure Boot is the minimum security level, with\n DMA protection providing additional memory protection. DMA Protection requires\n a CPU that supports input/output memory management unit (IOMMU).\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73513'\n tag \"rid\": 'SV-88165r1_rule'\n tag \"stig_id\": 'WN16-CC-000110'\n tag \"fix_id\": 'F-79955r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements, including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\n\n If RequiredSecurityProperties does not include a value of 2 indicating\n Secure Boot (e.g., {1, 2}), this is a finding.\n\n If Secure Boot and DMA Protection is configured, 3 will 
also be\n displayed in the results (e.g., {1, 2, 3}).\n\n If VirtualizationBasedSecurityStatus is not a value of 2 indicating\n Running, this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Virtualization based security does not display Running,\n this is finding.\n\n If Device Guard Required Security Properties does not display Base\n Virtualization Support, Secure Boot, this is finding.\n\n If Secure Boot and DMA Protection is configured, DMA Protection will\n also be displayed (e.g., Base Virtualization Support, Secure Boot, DMA\n Protection).\n\n The policy settings referenced in the Fix section will configure the following\n registry values. However, due to hardware requirements, the registry values\n alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA\n Protection)\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Secure Boot or Secure Boot and DMA\n Protection selected.\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'EnableVirtualizationBasedSecurity' }\n its('EnableVirtualizationBasedSecurity') { should cmp 1 }\n end\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 3 }\n end\n end\n only_if { is_domain != 'WORKGROUP' }\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems' do\n skip 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73323.rb", + "ref": "./Windows 2016 STIG/controls/V-73513.rb", "line": 1 }, - "id": "V-73323" + "id": "V-73513" }, { - "title": "Windows Server 2016 must be configured to audit Account Logon -\n Credential Validation successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.", + "title": "File Explorer shell protocol must run in protected mode.", + "desc": "The shell protocol will limit the set of folders that applications can\n open when run in protected mode. Restricting files an application can open to a\n limited set of folders increases the security of Windows.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration 
>> System\n Audit Policies >> Account Logon >> Audit Credential Validation with\n Success selected." + "default": "The shell protocol will limit the set of folders that applications can\n open when run in protected mode. Restricting files an application can open to a\n limited set of folders increases the security of Windows.", + "check": "The default behavior is for shell protected mode to be turned\n on for File Explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for shell protected mode to be turned on\n for File Explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off shell protocol protected mode to Not Configured or\n Disabled." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000470-GPOS-00214", - "gid": "V-73413", - "rid": "SV-88065r1_rule", - "stig_id": "WN16-AU-000070", - "fix_id": "F-79855r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73565", + "rid": "SV-88229r1_rule", + "stig_id": "WN16-CC-000360", + "fix_id": "F-80015r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73413' do\n title \"Windows Server 2016 must be configured to audit Account Logon -\n Credential Validation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\n credentials for a user account logon.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000470-GPOS-00214'\n tag \"gid\": 'V-73413'\n tag \"rid\": 'SV-88065r1_rule'\n tag \"stig_id\": 'WN16-AU-000070'\n tag \"fix_id\": 'F-79855r1_fix'\n tag \"cci\": ['CCI-000172']\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a 
finding.\n\n Account Logon >> Credential Validation - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Account Logon >> Audit Credential Validation with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Credential Validation'\") do\n its('stdout') { should match /Credential Validation Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Credential Validation'\") do\n its('stdout') { should match /Credential Validation Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73565' do\n title 'File Explorer shell protocol must run in protected mode.'\n desc \"The shell protocol will limit the set of folders that applications can\n open when run in protected mode. 
Restricting files an application can open to a\n limited set of folders increases the security of Windows.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73565'\n tag \"rid\": 'SV-88229r1_rule'\n tag \"stig_id\": 'WN16-CC-000360'\n tag \"fix_id\": 'F-80015r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for shell protected mode to be turned\n on for File Explorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 0, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for shell protected mode to be turned on\n for File Explorer.\n\n If this needs to be corrected, configure the policy value for Computer\n Configuration >> Administrative Templates >> Windows Components >> File\n Explorer >> Turn off shell protocol protected mode to Not Configured or\n Disabled.\"\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n it { should_not have_property 'PreXPSP2ShellProtocolBehavior' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n its('PreXPSP2ShellProtocolBehavior') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73413.rb", + "ref": "./Windows 2016 STIG/controls/V-73565.rb", "line": 1 }, - "id": "V-73413" + "id": "V-73565" }, { - "title": "The Active Directory Domain object must be 
configured with proper\n audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "title": "The default permissions of global system objects must be strengthened.", + "desc": "Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default Discretionary Access Control List (DACL) that specifies who can\n access the objects with what permissions. When this policy is enabled, the\n default DACL is stronger, allowing non-administrative users to read shared\n objects but not to modify shared objects they did not create.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Domain object are not at least as inclusive as\n those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\n Modify owner)", - "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Domain object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\n Modify owner.)" + "default": "Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default Discretionary Access Control List (DACL) that specifies who can\n access the objects with what permissions. When this policy is enabled, the\n default DACL is stronger, allowing non-administrative users to read shared\n objects but not to modify shared objects they did not create.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n objects: Strengthen default permissions of internal system objects (e.g.,\n Symbolic Links) to Enabled." 
}, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73391", - "rid": "SV-88043r1_rule", - "stig_id": "WN16-DC-000180", - "fix_id": "F-79833r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73705", + "rid": "SV-88369r1_rule", + "stig_id": "WN16-SO-000450", + "fix_id": "F-80155r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000366" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73391' do\n title \"The Active Directory Domain object must be configured with proper\n audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the Domain object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73391'\n tag \"rid\": 'SV-88043r1_rule'\n tag \"stig_id\": 'WN16-DC-000180'\n tag \"fix_id\": 'F-79833r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the Domain object are not at least as inclusive as\n those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\n Modify owner)\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for Domain object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\n Modify owner.)\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for 
principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"All\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Users\" }\n its(['ActiveDirectoryRights']) { should cmp \"ExtendedRight\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should cmp \"ExtendedRight\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, WriteDacl, WriteOwner\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n 
end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\n\n\nend\n", + "code": "control 'V-73705' do\n title 'The default permissions of global system objects must be strengthened.'\n desc \"Windows systems maintain a global list of shared system resources such\n as DOS device names, mutexes, and semaphores. Each type of object is created\n with a default Discretionary Access Control List (DACL) that specifies who can\n access the objects with what permissions. When this policy is enabled, the\n default DACL is stronger, allowing non-administrative users to read shared\n objects but not to modify shared objects they did not create.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73705'\n tag \"rid\": 'SV-88369r1_rule'\n tag \"stig_id\": 'WN16-SO-000450'\n tag \"fix_id\": 'F-80155r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> System\n objects: Strengthen default permissions of internal system objects (e.g.,\n Symbolic Links) to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager') do\n it { should have_property 'ProtectionMode' }\n its('ProtectionMode') { should cmp 1 }\n end\nend\n", 
"source_location": { - "ref": "./Windows 2016 STIG/controls/V-73391.rb", + "ref": "./Windows 2016 STIG/controls/V-73705.rb", "line": 1 }, - "id": "V-73391" + "id": "V-73705" }, { - "title": "Active Directory Group Policy objects must have proper access control\n permissions.", - "desc": "When directory service database objects do not have appropriate access\n control permissions, it may be possible for malicious users to create, read,\n update, or delete the objects and degrade or destroy the integrity of the data.\n When the directory service is used for identification, authentication, or\n authorization functions, a compromise of the database objects could lead to a\n compromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\n attention. In a distributed administration model (i.e., help desk), Group\n Policy objects are more likely to have access permissions changed from the\n secure defaults. If inappropriate access permissions are defined for Group\n Policy objects, this could allow an intruder to change the security policy\n applied to all domain client computers (workstations and servers).", + "title": "User Account Control must automatically deny standard user requests\n for elevation.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting controls the behavior of elevation when requested by a standard\n user account.", "descriptions": { - "default": "When directory service database objects do not have appropriate access\n control permissions, it may be possible for malicious users to create, read,\n update, or delete the objects and degrade or destroy the integrity of the data.\n When the directory service is used for identification, authentication, or\n authorization functions, a compromise of the database objects could lead to a\n compromise of all systems 
relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\n attention. In a distributed administration model (i.e., help desk), Group\n Policy objects are more likely to have access permissions changed from the\n secure defaults. If inappropriate access permissions are defined for Group\n Policy objects, this could allow an intruder to change the security policy\n applied to all domain client computers (workstations and servers).", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on Group Policy objects.\n\n Open Group Policy Management (available from various menus or run\n gpmc.msc).\n\n Navigate to Group Policy Objects in the domain being reviewed (Forest >>\n Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the Delegation tab in the right pane.\n\n Select the Advanced button.\n\n Select each Group or user name.\n\n View the permissions.\n\n If any standard user accounts or groups have Allow permissions greater than\n Read and Apply group policy, this is a finding.\n\n Other access permissions that allow the objects to be updated are considered\n findings unless specifically documented by the ISSO.\n\n The default permissions noted below satisfy this requirement.\n\n The permissions shown are at the summary level. 
More detailed permissions can\n be viewed by selecting the next Advanced button, the desired Permission\n entry, and the Edit button.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type Properties.\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n The special permissions for the following default groups are not the focus of\n this requirement and may include a wide range of permissions and properties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\n Special permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n The Domain Admins and Enterprise Admins will not have the Delete all child\n objects permission on the two default Group Policy objects: Default Domain\n Policy and Default Domain Controllers Policy. They will have this permission on\n organization created Group Policy objects.", - "fix": "Maintain the permissions on Group Policy objects to not allow\n greater than Read and Apply group policy for standard user accounts or\n groups. 
The default permissions below meet this requirement.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type Properties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\n Special permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n Document any other access permissions that allow the objects to be updated with\n the ISSO.\n\n The Domain Admins and Enterprise Admins will not have the Delete all child\n objects permission on the two default Group Policy objects: Default Domain\n Policy and Default Domain Controllers Policy. They will have this permission on\n created Group Policy objects." + "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting controls the behavior of elevation when requested by a standard\n user account.", + "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Behavior of the elevation prompt for standard users to\n 
Automatically deny elevation requests." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73373", - "rid": "SV-88025r1_rule", - "stig_id": "WN16-DC-000090", - "fix_id": "F-79815r1_fix", + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-73713", + "rid": "SV-88377r1_rule", + "stig_id": "WN16-SO-000490", + "fix_id": "F-80163r1_fix", "cci": [ - "CCI-002235" + "CCI-002038" ], "nist": [ - "AC-6 (10)", + "IA-11", "Rev_4" ], "documentable": false }, - "code": "control 'V-73373' do\n title \"Active Directory Group Policy objects must have proper access control\n permissions.\"\n desc \"When directory service database objects do not have appropriate access\n control permissions, it may be possible for malicious users to create, read,\n update, or delete the objects and degrade or destroy the integrity of the data.\n When the directory service is used for identification, authentication, or\n authorization functions, a compromise of the database objects could lead to a\n compromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\n attention. In a distributed administration model (i.e., help desk), Group\n Policy objects are more likely to have access permissions changed from the\n secure defaults. If inappropriate access permissions are defined for Group\n Policy objects, this could allow an intruder to change the security policy\n applied to all domain client computers (workstations and servers).\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73373'\n tag \"rid\": 'SV-88025r1_rule'\n tag \"stig_id\": 'WN16-DC-000090'\n tag \"fix_id\": 'F-79815r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the permissions on Group Policy objects.\n\n Open Group Policy Management (available from various menus or run\n gpmc.msc).\n\n Navigate to Group Policy Objects in the domain being reviewed (Forest >>\n Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the Delegation tab in the right pane.\n\n Select the Advanced button.\n\n Select each Group or user name.\n\n View the permissions.\n\n If any standard user accounts or groups have Allow permissions greater than\n Read and Apply group policy, this is a finding.\n\n Other access permissions that allow the objects to be updated are considered\n findings unless specifically documented by the ISSO.\n\n The default permissions noted below satisfy this requirement.\n\n The permissions shown are at the summary level. More detailed permissions can\n be viewed by selecting the next Advanced button, the desired Permission\n entry, and the Edit button.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type Properties.\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n The special permissions for the following default groups are not the focus of\n this requirement and may include a wide range of permissions and properties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\n Special permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n The Domain Admins and Enterprise Admins will not have the Delete all child\n objects permission on the two default Group Policy 
objects: Default Domain\n Policy and Default Domain Controllers Policy. They will have this permission on\n organization created Group Policy objects.\"\n desc \"fix\", \"Maintain the permissions on Group Policy objects to not allow\n greater than Read and Apply group policy for standard user accounts or\n groups. The default permissions below meet this requirement.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type Properties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\n Special permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n Document any other access permissions that allow the objects to be updated with\n the ISSO.\n\n The Domain Admins and Enterprise Admins will not have the Delete all child\n objects permission on the two default Group Policy objects: Default Domain\n Policy and Default Domain Controllers Policy. They will have this permission on\n created Group Policy objects.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 'A manual review is required to ensure all Group Policies have the correct permisions' do\n skip 'A manual review is required to ensure all Group Policies have the correct permisions'\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable.' 
do\n skip 'This system is not a domain controller, therefore this control is not applicable.'\n end\n end\nend", + "code": "control 'V-73713' do\n title \"User Account Control must automatically deny standard user requests\n for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting controls the behavior of elevation when requested by a standard\n user account.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000373-GPOS-00157'\n tag \"satisfies\": ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00156']\n tag \"gid\": 'V-73713'\n tag \"rid\": 'SV-88377r1_rule'\n tag \"stig_id\": 'WN16-SO-000490'\n tag \"fix_id\": 'F-80163r1_fix'\n tag \"cci\": ['CCI-002038']\n tag \"nist\": ['IA-11', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Behavior of the elevation prompt for standard users to\n Automatically deny elevation requests.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorUser' }\n its('ConsentPromptBehaviorUser') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73373.rb", + "ref": "./Windows 2016 STIG/controls/V-73713.rb", "line": 1 }, - "id": "V-73373" + "id": "V-73713" }, { - "title": "Windows Server 2016 must be configured to audit DS Access - Directory\n Service Access failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.", + "title": "The Active Directory RID Manager$ object must be configured with\n proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the RID Manager$ object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Access with Failure\n selected." + "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the RID Manager$ object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. 
The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the RID Manager$ object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the RID Manager$ object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the RID Manager$ object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\n master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)", + "fix": "Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the RID Manager$ object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for RID Manager$ object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited 
from - None\n\n The success types listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\n master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)" }, "impact": 0, "refs": [], @@ -8441,10 +8479,10 @@ "SRG-OS-000463-GPOS-00207", "SRG-OS-000468-GPOS-00212" ], - "gid": "V-73437", - "rid": "SV-88089r1_rule", - "stig_id": "WN16-DC-000250", - "fix_id": "F-79879r1_fix", + "gid": "V-73399", + "rid": "SV-88051r1_rule", + "stig_id": "WN16-DC-000220", + "fix_id": "F-79841r1_fix", "cci": [ "CCI-000172", "CCI-002234" 
@@ -8456,280 +8494,264 @@ ], "documentable": false }, - "code": "control 'V-73437' do\n title \"Windows Server 2016 must be configured to audit DS Access - Directory\n Service Access failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73437'\n tag \"rid\": 'SV-88089r1_rule'\n tag \"stig_id\": 'WN16-DC-000250'\n tag \"fix_id\": 'F-79879r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Access with Failure\n selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Access') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Access'\") do\n its('stdout') { should match /Directory Service Access Failure'/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Access'\") do\n its('stdout') { should match /Directory Service Access Success and Failure/ }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73399' do\n title \"The Active Directory 
RID Manager$ object must be configured with\n proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes the RID Manager$ object. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73399'\n tag \"rid\": 'SV-88051r1_rule'\n tag \"stig_id\": 'WN16-DC-000220'\n tag \"fix_id\": 'F-79841r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for the RID Manager$ object.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the RID Manager$ object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n If the audit settings on the RID Manager$ object are not at least as\n inclusive as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\n master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n desc \"fix\", \"Open Active Directory Users and Computers (available from\n various menus or run dsa.msc).\n\n Ensure Advanced Features is selected in the View menu.\n\n Select System under the domain being reviewed in the left pane.\n\n Right-click the RID Manager$ object in the right pane and select\n Properties.\n\n Select the Security tab.\n\n Select the Advanced button and then the Auditing tab.\n\n Configure the audit settings for RID Manager$ object to include the following.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\n summary screens for Access, detailed Permissions are provided for reference.\n Various Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\n master)\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=RID Manager$,CN=System,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should match /^(?=.*?\\bWriteProperty\\b)(?=.*?\\ExtendedRight\\b).*$/ }\n 
its(['InheritanceFlags']) { should cmp \"None\" }\n its(['InheritanceType']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73437.rb", + "ref": "./Windows 2016 STIG/controls/V-73399.rb", "line": 1 }, - "id": "V-73437" + "id": "V-73399" }, { - "title": "The number of allowed bad logon attempts must be configured to three\n or less.", - "desc": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. 
The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack while allowing for honest errors made during normal\n user logon.", + "title": "The Deny log on as a batch job user right on domain controllers must\n be configured to prevent unauthenticated access.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.", "descriptions": { - "default": "The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack while allowing for honest errors made during normal\n user logon.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the Account lockout threshold is 0 or more than 3 attempts, this\n is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n Account lockout threshold to 3 or fewer invalid logon attempts\n (excluding 0, which is unacceptable)." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.", + "check": "This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n batch job user right, this is a finding.\n\n - Guests Group", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a batch job to include the following:\n\n - Guests Group" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000021-GPOS-00005", - "gid": "V-73311", - "rid": "SV-87963r1_rule", - "stig_id": "WN16-AC-000020", - "fix_id": "F-79753r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-73761", + "rid": "SV-88425r1_rule", + "stig_id": "WN16-DC-000380", + "fix_id": "F-80211r1_fix", "cci": [ - "CCI-000044" + "CCI-000213" ], "nist": [ - "AC-7 a", + "AC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73311' do\n title \"The number of allowed bad logon attempts must be configured to three\n or less.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\n password attacks on the system. The higher this value is, the less effective\n the account lockout feature will be in protecting the local system. 
The number\n of bad logon attempts must be reasonably small to minimize the possibility of a\n successful password attack while allowing for honest errors made during normal\n user logon.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000021-GPOS-00005'\n tag \"gid\": 'V-73311'\n tag \"rid\": 'SV-87963r1_rule'\n tag \"stig_id\": 'WN16-AC-000020'\n tag \"fix_id\": 'F-79753r1_fix'\n tag \"cci\": ['CCI-000044']\n tag \"nist\": ['AC-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the Account lockout threshold is 0 or more than 3 attempts, this\n is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>\n Account lockout threshold to 3 or fewer invalid logon attempts\n (excluding 0, which is unacceptable).\"\n describe security_policy do\n its('LockoutBadCount') { should be <= 3 }\n end\n describe security_policy do\n its('LockoutBadCount') { should be > 0 }\n end\nend\n", + "code": "control 'V-73761' do\n title \"The Deny log on as a batch job user right on domain controllers must\n be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on as a batch job user right defines accounts that are\n prevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73761'\n tag \"rid\": 'SV-88425r1_rule'\n tag \"stig_id\": 'WN16-DC-000380'\n tag \"fix_id\": 'F-80211r1_fix'\n tag \"cci\": ['CCI-000213']\n tag 
\"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. A separate version applies\n to other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on as a\n batch job user right, this is a finding.\n\n - Guests Group\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on as a batch job to include the following:\n\n - Guests Group\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe security_policy do\n its('SeDenyBatchLogonRight') { should eq ['S-1-5-32-546'] }\n end\n describe security_policy do\n its('SeDenyBatchLogonRight') { should eq [] }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73311.rb", + "ref": "./Windows 2016 STIG/controls/V-73761.rb", "line": 1 }, - "id": "V-73311" + "id": "V-73761" }, { - "title": "Windows Server 2016 must be configured to audit Detailed Tracking -\n Process Creation successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\n the source.", + "title": "The built-in guest account must be renamed.", + "desc": "The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\n the source.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Process Creation - Success", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings 
>> Advanced Audit Policy Configuration >> System\n Audit Policies >> Detailed Tracking >> Audit Process Creation with\n Success selected." + "default": "The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Rename guest account is not set to a value other\n than Guest, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Rename guest account to a name other than Guest." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-73433", - "rid": "SV-88085r1_rule", - "stig_id": "WN16-AU-000170", - "fix_id": "F-79875r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73625", + "rid": "SV-88289r1_rule", + "stig_id": "WN16-SO-000040", + "fix_id": "F-80075r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000366" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73433' do\n title \"Windows Server 2016 must be configured to audit Detailed Tracking -\n Process Creation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\n the source.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000471-GPOS-00215']\n tag \"gid\": 'V-73433'\n tag \"rid\": 'SV-88085r1_rule'\n tag \"stig_id\": 'WN16-AU-000170'\n tag \"fix_id\": 'F-79875r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Process Creation - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> Detailed Tracking >> Audit Process Creation with\n Success selected.\"\n describe.one do\n describe audit_policy do\n its('Process Creation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Process Creation') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Process Creation'\") do\n its('stdout') { should match /Process Creation Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr 
/c:'Process Creation'\") do\n its('stdout') { should match /Process Creation Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73625' do\n title 'The built-in guest account must be renamed.'\n desc \"The built-in guest account is a well-known user account on all Windows\n systems and, as initially installed, does not require a password. This can\n allow access to system resources by unauthorized users. Renaming this account\n to an unidentified name improves the protection of this account and the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73625'\n tag \"rid\": 'SV-88289r1_rule'\n tag \"stig_id\": 'WN16-SO-000040'\n tag \"fix_id\": 'F-80075r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Rename guest account is not set to a value other\n than Guest, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Rename guest account to a name other than Guest.\"\n describe user('Guest') do\n it { should_not exist }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73433.rb", + "ref": "./Windows 2016 STIG/controls/V-73625.rb", "line": 1 }, - "id": "V-73433" + "id": "V-73625" }, { - "title": "Active Directory user accounts, including administrators, must be\n configured to require the use of a Common Access Card (CAC), Personal Identity\n Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for\n user authentication.", - "desc": "Smart cards such as the CAC support a two-factor authentication\n technique. 
This provides a higher level of trust in the asserted identity than\n use of the username and password for authentication.", + "title": "Credential Guard must be running on domain-joined systems.", + "desc": "Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.", "descriptions": { - "default": "Smart cards such as the CAC support a two-factor authentication\n technique. This provides a higher level of trust in the asserted identity than\n use of the username and password for authentication.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Open PowerShell.\n\n Enter the following:\n\n Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq\n $False)} | FT Name\n (DistinguishedName may be substituted for Name for more detailed\n output.)\n\n If any user accounts, including administrators, are listed, this is a finding.\n\n Alternately:\n\n To view sample accounts in Active Directory Users and Computers (available\n from various menus or run dsa.msc):\n\n Select the Organizational Unit (OU) where the user accounts are located. 
(By\n default, this is the Users node; however, accounts may be under other\n organization-defined OUs.)\n\n Right-click the sample user account and select Properties.\n\n Select the Account tab.\n\n If any user accounts, including administrators, do not have Smart card is\n required for interactive logon checked in the Account Options area, this\n is a finding.", - "fix": "Configure all user accounts, including administrator accounts, in\n Active Directory to enable the option Smart card is required for interactive\n logon.\n\n Run Active Directory Users and Computers (available from various menus or\n run dsa.msc):\n\n Select the OU where the user accounts are located. (By default this is the\n Users node; however, accounts may be under other organization-defined OUs.)\n\n Right-click the user account and select Properties.\n\n Select the Account tab.\n\n Check Smart card is required for interactive logon in the Account\n Options area." + "default": "Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. 
This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.", + "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements, including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\Microsoft\\Windows\\DeviceGuard\n\n If SecurityServicesRunning does not include a value of 1 (e.g., {1,\n 2}), this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Security Services Running does not list Credential\n Guard, this is finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. 
However due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled\n without lock)\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Enabled with UEFI lock or Enabled\n without lock selected for Credential Guard Configuration.\n\n Enabled with UEFI lock is preferred as more secure; however, it cannot be\n turned off remotely through a group policy change if there is an issue.\n Enabled without lock will allow this to be turned off remotely while\n testing for issues.\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard" }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000105-GPOS-00052", - "satisfies": [ - "SRG-OS-000105-GPOS-00052", - "SRG-OS-000106-GPOS-00053", - "SRG-OS-000107-GPOS-00054", - "SRG-OS-000108-GPOS-00055", - "SRG-OS-000375-GPOS-00160" - ], - "gid": "V-73617", - "rid": "SV-88281r1_rule", - "stig_id": "WN16-DC-000310", - "fix_id": "F-80067r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73515", + "rid": "SV-88167r1_rule", + "stig_id": "WN16-CC-000120", + "fix_id": "F-79957r1_fix", "cci": [ - "CCI-000765", - "CCI-000766", - "CCI-000767", - "CCI-000768", - "CCI-001948" + "CCI-000366" ], "nist": [ - "IA-2 (1)", - "IA-2 (2)", - "IA-2 (3)", - "IA-2 (4)", - "IA-2 (11)", + 
"CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73617' do\n title \"Active Directory user accounts, including administrators, must be\n configured to require the use of a Common Access Card (CAC), Personal Identity\n Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for\n user authentication.\"\n desc \"Smart cards such as the CAC support a two-factor authentication\n technique. This provides a higher level of trust in the asserted identity than\n use of the username and password for authentication.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000105-GPOS-00052'\n tag \"satisfies\": ['SRG-OS-000105-GPOS-00052', 'SRG-OS-000106-GPOS-00053',\n 'SRG-OS-000107-GPOS-00054', 'SRG-OS-000108-GPOS-00055',\n 'SRG-OS-000375-GPOS-00160']\n tag \"gid\": 'V-73617'\n tag \"rid\": 'SV-88281r1_rule'\n tag \"stig_id\": 'WN16-DC-000310'\n tag \"fix_id\": 'F-80067r1_fix'\n tag \"cci\": ['CCI-000765', 'CCI-000766', 'CCI-000767', 'CCI-000768',\n 'CCI-001948']\n tag \"nist\": ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)', 'IA-2 (11)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Open PowerShell.\n\n Enter the following:\n\n Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq\n $False)} | FT Name\n (DistinguishedName may be substituted for Name for more detailed\n output.)\n\n If any user accounts, including administrators, are listed, this is a finding.\n\n Alternately:\n\n To view sample accounts in Active Directory Users and Computers (available\n from various menus or run dsa.msc):\n\n Select the Organizational Unit (OU) where the user accounts are located. 
(By\n default, this is the Users node; however, accounts may be under other\n organization-defined OUs.)\n\n Right-click the sample user account and select Properties.\n\n Select the Account tab.\n\n If any user accounts, including administrators, do not have Smart card is\n required for interactive logon checked in the Account Options area, this\n is a finding.\"\n desc \"fix\", \"Configure all user accounts, including administrator accounts, in\n Active Directory to enable the option Smart card is required for interactive\n logon.\n\n Run Active Directory Users and Computers (available from various menus or\n run dsa.msc):\n\n Select the OU where the user accounts are located. (By default this is the\n Users node; however, accounts may be under other organization-defined OUs.)\n\n Right-click the user account and select Properties.\n\n Select the Account tab.\n\n Check Smart card is required for interactive logon in the Account\n Options area.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe command(\"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name | Findstr /v 'Name ---'\") do\n its('stdout') { should eq '' }\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73515' do\n title 'Credential Guard must be running on domain-joined systems.'\n desc \"Credential Guard uses virtualization-based security to protect data\n that could be used in credential theft attacks if compromised. 
This\n authentication information, which was stored in the Local Security Authority\n (LSA) in previous versions of Windows, is isolated from the rest of operating\n system and can only be accessed by privileged system software.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73515'\n tag \"rid\": 'SV-88167r1_rule'\n tag \"stig_id\": 'WN16-CC-000120'\n tag \"fix_id\": 'F-79957r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based\n security features, including Credential Guard, due to specific supporting\n requirements, including a TPM, UEFI with Secure Boot, and the capability to run\n the Hyper-V feature within a virtual machine.\n\n Open PowerShell with elevated privileges (run as administrator).\n\n Enter the following:\n\n Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\n root\\\\Microsoft\\\\Windows\\\\DeviceGuard\n\n If SecurityServicesRunning does not include a value of 1 (e.g., {1,\n 2}), this is a finding.\n\n Alternately:\n\n Run System Information.\n\n Under System Summary, verify the following:\n\n If Device Guard Security Services Running does not list Credential\n Guard, this is finding.\n\n The policy settings referenced in the Fix section will configure the following\n registry value. 
However due to hardware requirements, the registry value alone\n does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled\n without lock)\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Device Guard >> Turn On Virtualization\n Based Security to Enabled with Enabled with UEFI lock or Enabled\n without lock selected for Credential Guard Configuration.\n\n Enabled with UEFI lock is preferred as more secure; however, it cannot be\n turned off remotely through a group policy change if there is an issue.\n Enabled without lock will allow this to be turned off remotely while\n testing for issues.\n\n A Microsoft TechNet article on Credential Guard, including system requirement\n details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'LsaCfgFlags' }\n its('LsaCfgFlags') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'LsaCfgFlags' }\n its('LsaCfgFlags') { should cmp 2 }\n end\n end\n only_if { is_domain != 'WORKGROUP' }\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therfore this control is not appliable as 
it does not apply to standalone systems' do\n skip 'This system is not joined to a domain, therfore this control is not appliable as it does not apply to standalone systems'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73617.rb", + "ref": "./Windows 2016 STIG/controls/V-73515.rb", "line": 1 }, - "id": "V-73617" + "id": "V-73515" }, { - "title": "Local users on domain-joined computers must not be enumerated.", - "desc": "The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.", + "title": "Permissions for program file directories must conform to minimum\n requirements.", + "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", "descriptions": { - "default": "The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.", - "check": "This applies to member servers. For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnumerateLocalUsers\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> Enumerate local users on\n domain-joined computers to Disabled." 
+ "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).", + "check": "The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the program file directories (Program Files and\n Program Files [x86]). Non-privileged groups such as Users or Authenticated\n Users must not have greater than Read & execute permissions. (Individual\n accounts must not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the Security tab, and the Advanced button.\n\n Default permissions:\n Program Files and Program Files (x86)\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter icacls followed by the directory:\n\n 'icacls c:\\program files'\n 'icacls c:\\program files (x86)'\n\n The following results should be displayed for each 
when entered:\n\n c:\\program files (c:\\program files (x86))\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files", + "fix": "Maintain the default permissions for the program file directories\n and configure the Security Option Network access: Let everyone permissions\n apply to anonymous users to Disabled (WN16-SO-000290).\n\n Default permissions:\n Program Files and Program Files (x86)\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73533", - "rid": "SV-88187r1_rule", - "stig_id": "WN16-MS-000030", - "fix_id": "F-79975r1_fix", + "gtitle": "SRG-OS-000312-GPOS-00122", + "satisfies": [ + "SRG-OS-000312-GPOS-00122", + "SRG-OS-000312-GPOS-00123", + 
"SRG-OS-000312-GPOS-00124" + ], + "gid": "V-73251", + "rid": "SV-87903r1_rule", + "stig_id": "WN16-00-000170", + "fix_id": "F-79695r1_fix", "cci": [ - "CCI-000381" + "CCI-002165" ], "nist": [ - "CM-7 a", + "AC-3 (4)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73533' do\n title 'Local users on domain-joined computers must not be enumerated.'\n desc \"The username is one part of logon credentials that could be used to\n gain access to a system. Preventing the enumeration of users limits this\n information to authorized personnel.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73533'\n tag \"rid\": 'SV-88187r1_rule'\n tag \"stig_id\": 'WN16-MS-000030'\n tag \"fix_id\": 'F-79975r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers. For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnumerateLocalUsers\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> Enumerate local users on\n domain-joined computers to Disabled.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '3'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'EnumerateLocalUsers' }\n its('EnumerateLocalUsers') { should cmp 0 }\n end\n else\n impact 0.0\n describe 'This control is not applicable as it only applies to member servers' do\n skip 'This control is not applicable as it only applies to member servers'\n end\n end\nend\n", + "code": 
"control 'V-73251' do\n title \"Permissions for program file directories must conform to minimum\n requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option Network\n access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000312-GPOS-00122'\n tag \"satisfies\": ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123',\n 'SRG-OS-000312-GPOS-00124']\n tag \"gid\": 'V-73251'\n tag \"rid\": 'SV-87903r1_rule'\n tag \"stig_id\": 'WN16-00-000170'\n tag \"fix_id\": 'F-79695r1_fix'\n tag \"cci\": ['CCI-002165']\n tag \"nist\": ['AC-3 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default permissions are adequate when the Security Option\n Network access: Let everyone permissions apply to anonymous users is set to\n Disabled (WN16-SO-000290).\n\n Review the permissions for the program file directories (Program Files and\n Program Files [x86]). Non-privileged groups such as Users or Authenticated\n Users must not have greater than Read & execute permissions. 
(Individual\n accounts must not be used to assign permissions.)\n\n If permissions are not as restrictive as the default permissions listed below,\n this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the Security tab, and the Advanced button.\n\n Default permissions:\n Program Files and Program Files (x86)\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter icacls followed by the directory:\n\n 'icacls c:\\\\program files'\n 'icacls c:\\\\program files (x86)'\n\n The following results should be displayed for each when entered:\n\n c:\\\\program files (c:\\\\program files (x86))\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\n PACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 
files\"\n desc \"fix\", \"Maintain the default permissions for the program file directories\n and configure the Security Option Network access: Let everyone permissions\n apply to anonymous users to Disabled (WN16-SO-000290).\n\n Default permissions:\n Program Files and Program Files (x86)\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders,\n and files\"\n\n paths = [\n \"C:\\\\Program Files\",\n \"C:\\\\Program Files (x86)\"\n ]\n paths.each do |path|\n acl_rules = json(command: \"(Get-ACL -Path '#{path}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" 
}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"Modify, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"Modify, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n 
its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT SERVICE\\\\TrustedInstaller\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, 
Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"The '#{path}' folder\\'s access rule property:\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp 
\"InheritOnly\" }\n end\n end\n end\n end\n\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73533.rb", + "ref": "./Windows 2016 STIG/controls/V-73251.rb", "line": 1 }, - "id": "V-73533" + "id": "V-73251" }, { - "title": "Session security for NTLM SSP-based clients must be configured to\n require NTLMv2 session security and 128-bit encryption.", - "desc": "Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. All of the options must be\n enabled to ensure the maximum security level.", + "title": "The Deny log on through Remote Desktop Services user right on member\n servers must be configured to prevent access from highly privileged domain\n accounts and all local accounts on domain systems and from unauthenticated\n access on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", "descriptions": { - "default": "Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. 
All of the options must be\n enabled to ensure the maximum security level.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinClientSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Minimum session security for NTLM SSP based (including\n secure RPC) clients to Require NTLMv2 session security and Require\n 128-bit encryption (all options selected)." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.", + "check": "This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n through Remote Desktop Services user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n Note: Local account is referring to the Windows built-in security group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on through Remote Desktop Services to include the following:\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group \n\n Note: Local account is referring to the Windows built-in security group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73695", - "rid": "SV-88359r1_rule", - "stig_id": "WN16-SO-000400", - "fix_id": "F-80145r1_fix", + "gtitle": "SRG-OS-000297-GPOS-00115", + "gid": "V-73775", + "rid": "SV-88439r1_rule", + "stig_id": "WN16-MS-000410", + "fix_id": "F-80225r1_fix", "cci": [ - "CCI-000366" + "CCI-002314" ], "nist": [ - "CM-6 b", + "AC-17 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73695' do\n title \"Session security for NTLM SSP-based clients must be configured to\n require NTLMv2 session security and 128-bit encryption.\"\n desc \"Microsoft has implemented a variety of security support providers for\n use with Remote Procedure Call (RPC) sessions. All of the options must be\n enabled to ensure the maximum security level.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73695'\n tag \"rid\": 'SV-88359r1_rule'\n tag \"stig_id\": 'WN16-SO-000400'\n tag \"fix_id\": 'F-80145r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinClientSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: Minimum session security for NTLM SSP based (including\n secure RPC) clients to Require NTLMv2 session security and Require\n 128-bit encryption (all options selected).\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'NTLMMinClientSec' }\n its('NTLMMinClientSec') { should cmp 537395200 }\n 
end\nend\n", + "code": "control 'V-73775' do\n title \"The Deny log on through Remote Desktop Services user right on member\n servers must be configured to prevent access from highly privileged domain\n accounts and all local accounts on domain systems and from unauthenticated\n access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Deny log on through Remote Desktop Services user right defines the\n accounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\n Domain Admins groups on lower-trust systems helps mitigate the risk of\n privilege escalation from credential theft attacks, which could lead to the\n compromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\n decrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\n access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000297-GPOS-00115'\n tag \"gid\": 'V-73775'\n tag \"rid\": 'SV-88439r1_rule'\n tag \"stig_id\": 'WN16-MS-000410'\n tag \"fix_id\": 'F-80225r1_fix'\n tag \"cci\": ['CCI-002314']\n tag \"nist\": ['AC-17 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the Deny log on\n through Remote Desktop Services user right, this is a finding.\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n Note: Local account is referring to the Windows built-in security group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Deny log on through Remote Desktop Services to include the following:\n Domain Systems Only:\n - Enterprise Admins group \n - Domain Admins group \n - Local account and member of Administrators group or Local account\n (see Note below)\n\n All Systems:\n - Guests group \n\n Note: Local account is referring to the Windows built-in security group.\n\n Systems dedicated to the management of Active Directory (AD admin platforms,\n see V-36436 in the Active Directory Domain STIG) are exempt from denying the\n Enterprise Admins and Domain Admins groups.\"\n\n is_AD_only_system = input('is_AD_only_system')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore 
this control is not applicable as it only applies to member servers and standalone systems'\n end\n elsif is_AD_only_system\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n else\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include 'S-1-5-32-546' }\n end\n if domain_role == '3'\n domain_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n domain_admin_sid = json(command: domain_admin_sid_query).params\n \n enterprise_admin_sid_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = $group.Translate([security.principal.securityidentifier]).value\n $sid | ConvertTo-Json\n EOH\n enterprise_admin_sid = json(command: enterprise_admin_sid_query).params\n\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n\n describe.one do\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"S-1-5-113\" }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"S-1-5-114\" }\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73695.rb", + "ref": "./Windows 2016 STIG/controls/V-73775.rb", "line": 1 }, - "id": "V-73695" + "id": "V-73775" }, { - "title": "The Active Directory SYSVOL directory must have the proper access\n control permissions.", - "desc": "Improper access permissions for directory data files could allow\n 
unauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\n and logon scripts. Data in shared subdirectories are replicated to all domain\n controllers in a domain.", + "title": "The DoD Interoperability Root CA cross-certificates must be installed\n in the Untrusted Certificates Store on unclassified systems.", + "desc": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", "descriptions": { - "default": "Improper access permissions for directory data files could allow\n unauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\n and logon scripts. Data in shared subdirectories are replicated to all domain\n controllers in a domain.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Open a command prompt.\n\n Run net share.\n\n Make note of the directory location of the SYSVOL share.\n\n By default, this will be \\Windows\\SYSVOL\\sysvol. 
For this requirement,\n permissions will be verified at the first SYSVOL directory level.\n\n If any standard user accounts or groups have greater than \"Read & execute\"\n permissions, this is a finding.\n\n The default permissions noted below meet this requirement.\n\n Open Command Prompt.\n\n Run \"icacls c:\\Windows\\SYSVOL\".\n\n The following results should be displayed:\n\n NT AUTHORITY\\Authenticated Users:(RX)\n NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\Server Operators:(RX)\n BUILTIN\\Server Operators:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\Administrators:(M,WDAC,WO)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(F)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M,WDAC,WO)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n\n (RX) - Read & execute\n\n Run icacls /help to view definitions of other permission codes.\n\n Alternately, open File Explorer.\n\n Navigate to \\Windows\\SYSVOL (or the directory noted previously if different).\n\n Right-click the directory and select properties.\n\n Select the Security tab and click Advanced.\n\n Default permissions:\n\n C:\\Windows\\SYSVOL\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions: all\n selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files", - "fix": "Maintain the permissions on the SYSVOL directory. Do not allow\n greater than Read & execute permissions for standard user accounts or\n groups. 
The defaults below meet this requirement.\n\n C:\\Windows\\SYSVOL\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions: all\n selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files" + "default": "To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.", + "check": "This is applicable to unclassified systems. It is NA for others.\n\n Open PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where {$_.Issuer -Like\n *DoD Interoperability* -and $_.Subject -Like *DoD*} | FL Subject,\n Issuer, Thumbprint, NotAfter\n\n If the following certificate Subject, Issuer, and Thumbprint\n information is not displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government,\n C=US\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n NotAfter: 9/23/2018\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n NotAfter: 2/17/2019\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Untrusted Certificates >>\n Certificates.\n\n For each certificate with DoD Root CA… under Issued To and DoD\n Interoperability Root CA… under Issued By:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the certificates below are not listed or the value for the Thumbprint\n field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n Valid to: Sunday, September 23, 2018\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n Valid to: Sunday, February 17, 2019", + "fix": "Install the DoD Interoperability Root CA cross-certificates on\n unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 -\n 22BBE981F0694D246CC1472ED2B021DC8540A22F\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n\n DoD 
Root CA 3 - DoD Interoperability Root CA 2 -\n FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n\n Administrators should run the Federal Bridge Certification Authority (FBCA)\n Cross-Certificate Removal Tool once as an administrator and once as the current\n user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73371", - "rid": "SV-88023r1_rule", - "stig_id": "WN16-DC-000080", - "fix_id": "F-79813r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "satisfies": [ + "SRG-OS-000066-GPOS-00034", + "SRG-OS-000403-GPOS-00182" + ], + "gid": "V-73607", + "rid": "SV-88271r2_rule", + "stig_id": "WN16-PK-000020", + "fix_id": "F-87313r2_fix", "cci": [ - "CCI-002235" + "CCI-000185", + "CCI-002470" ], "nist": [ - "AC-6 (10)", + "IA-5 (2) (a)", + "SC-23 (5)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73371' do\n title \"The Active Directory SYSVOL directory must have the proper access\n control permissions.\"\n desc \"Improper access permissions for directory data files could allow\n unauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\n and logon scripts. Data in shared subdirectories are replicated to all domain\n controllers in a domain.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73371'\n tag \"rid\": 'SV-88023r1_rule'\n tag \"stig_id\": 'WN16-DC-000080'\n tag \"fix_id\": 'F-79813r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Open a command prompt.\n\n Run net share.\n\n Make note of the directory location of the SYSVOL share.\n\n By default, this will be \\\\Windows\\\\SYSVOL\\\\sysvol. 
For this requirement,\n permissions will be verified at the first SYSVOL directory level.\n\n If any standard user accounts or groups have greater than \\\"Read & execute\\\"\n permissions, this is a finding.\n\n The default permissions noted below meet this requirement.\n\n Open Command Prompt.\n\n Run \\\"icacls c:\\\\Windows\\\\SYSVOL\\\".\n\n The following results should be displayed:\n\n NT AUTHORITY\\\\Authenticated Users:(RX)\n NT AUTHORITY\\\\Authenticated Users:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\\\Server Operators:(RX)\n BUILTIN\\\\Server Operators:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\\\Administrators:(M,WDAC,WO)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(F)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M,WDAC,WO)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n\n (RX) - Read & execute\n\n Run icacls /help to view definitions of other permission codes.\n\n Alternately, open File Explorer.\n\n Navigate to \\\\Windows\\\\SYSVOL (or the directory noted previously if different).\n\n Right-click the directory and select properties.\n\n Select the Security tab and click Advanced.\n\n Default permissions:\n\n C:\\\\Windows\\\\SYSVOL\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions: all\n selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files\"\n desc \"fix\", \"Maintain the permissions on the SYSVOL directory. Do not allow\n greater than Read & execute permissions for standard user accounts or\n groups. 
The defaults below meet this requirement.\n\n C:\\\\Windows\\\\SYSVOL\n Type - Allow for all\n Inherited from - None for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions: all\n selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n path = json(command: \"Get-WmiObject -Query \\\"SELECT * FROM Win32_Share WHERE Name = 'SYSVOL'\\\" | Select -Property Path | ConvertTo-JSON\").params['Path']\n acl_rules = json(command: \"(Get-ACL -Path '#{path}') | Select -Property PSChildName -ExpandProperty Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-536084480\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"CREATOR OWNER\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n 
its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"268435456\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"FullControl\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: 
#{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-536084480\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"-1610612736\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Server Operators\" }\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceFlags']) { should cmp \"ContainerInherit, ObjectInherit\" }\n its(['PropagationFlags']) { should cmp \"InheritOnly\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Access rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['FileSystemRights']) { should cmp \"ReadAndExecute, Synchronize\" }\n its(['AccessControlType']) { should cmp \"Allow\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Server Operators\" }\n its(['IsInherited']) { should cmp \"False\" }\n 
its(['InheritanceFlags']) { should cmp \"None\" }\n its(['PropagationFlags']) { should cmp \"None\" }\n end\n end\n end\n\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\n\nend\n", + "code": "control 'V-73607' do\n title \"The DoD Interoperability Root CA cross-certificates must be installed\n in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing\n certificate-based authentication to DoD websites due to the system chaining to\n a root other than DoD Root CAs, the DoD Interoperability Root CA\n cross-certificates must be installed in the Untrusted Certificate Store. This\n requirement only applies to unclassified systems.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000066-GPOS-00034'\n tag \"satisfies\": ['SRG-OS-000066-GPOS-00034', 'SRG-OS-000403-GPOS-00182']\n tag \"gid\": 'V-73607'\n tag \"rid\": 'SV-88271r2_rule'\n tag \"stig_id\": 'WN16-PK-000020'\n tag \"fix_id\": 'F-87313r2_fix'\n tag \"cci\": ['CCI-000185', 'CCI-002470']\n tag \"nist\": ['IA-5 (2) (a)', 'SC-23 (5)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This is applicable to unclassified systems. It is NA for others.\n\n Open PowerShell as an administrator.\n\n Execute the following command:\n\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where {$_.Issuer -Like\n *DoD Interoperability* -and $_.Subject -Like *DoD*} | FL Subject,\n Issuer, Thumbprint, NotAfter\n\n If the following certificate Subject, Issuer, and Thumbprint\n information is not displayed, this is finding.\n\n If an expired certificate (NotAfter date) is not listed in the results,\n this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n NotAfter: 9/23/2018\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government,\n C=US\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n NotAfter: 2/17/2019\n\n Alternately, use the Certificates MMC snap-in:\n\n Run MMC.\n\n Select File, Add/Remove Snap-in.\n\n Select Certificates and click Add.\n\n Select Computer account and click Next.\n\n Select Local computer: (the computer this console is running on) and click\n Finish.\n\n Click OK.\n\n Expand Certificates and navigate to Untrusted Certificates >>\n Certificates.\n\n For each certificate with DoD Root CA… under Issued To and DoD\n Interoperability Root CA… under Issued By:\n\n Right-click on the certificate and select Open.\n\n Select the Details Tab.\n\n Scroll to the bottom and select Thumbprint.\n\n If the certificates below are not listed or the value for the Thumbprint\n field is not as noted, this is a finding.\n\n If an expired certificate (Valid to date) is not listed in the results,\n this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n Valid to: Sunday, September 23, 2018\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n Valid to: Sunday, February 17, 2019\"\n desc \"fix\", 
\"Install the DoD Interoperability Root CA cross-certificates on\n unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 -\n 22BBE981F0694D246CC1472ED2B021DC8540A22F\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 -\n FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n\n Administrators should run the Federal Bridge Certification Authority (FBCA)\n Cross-Certificate Removal Tool once as an administrator and once as the current\n user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at\n http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n is_unclassified_system = input('is_unclassified_system')\n dod_certificates = JSON.parse(input('dod_certificates').to_json)\n if is_unclassified_system\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n describe 'The DoD Interoperability Root CA cross-certificates installed' do\n subject { query.params }\n it { should be_in dod_certificates }\n end\n else\n impact 0.0\n describe 'This is NOT an unclassified system, therefore this control is not applicable' do\n skip 'This is NOT an unclassified system, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73371.rb", + "ref": "./Windows 2016 STIG/controls/V-73607.rb", "line": 1 }, - "id": "V-73371" + "id": "V-73607" }, { - "title": "The setting Microsoft network server: Digitally sign communications\n (always) must be configured to Enabled.", - "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. 
Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.", + "title": "Internet Protocol version 6 (IPv6) source routing must be configured\n to the highest protection level to prevent IP source routing.", + "desc": "Configuring the system to disable IPv6 source routing protects against\n spoofing.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network server: Digitally sign communications (always) to\n Enabled." 
+ "default": "Configuring the system to disable IPv6 source routing protects against\n spoofing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting\n IPv6) IP source routing protection level (protects against packet spoofing)\n to Enabled with Highest protection, source routing is completely\n disabled selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-73661", - "rid": "SV-88325r1_rule", - "stig_id": "WN16-SO-000230", - "fix_id": "F-80111r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73499", + "rid": "SV-88151r1_rule", + "stig_id": "WN16-CC-000040", + "fix_id": "F-79941r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000366" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73661' do\n title \"The setting Microsoft network server: Digitally sign communications\n (always) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73661'\n tag \"rid\": 'SV-88325r1_rule'\n tag \"stig_id\": 'WN16-SO-000230'\n tag \"fix_id\": 'F-80111r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network server: Digitally sign communications (always) to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73499' do\n title \"Internet Protocol version 6 (IPv6) source routing must be configured\n to the highest protection level to prevent IP source routing.\"\n desc \"Configuring the system to disable IPv6 source routing protects against\n spoofing.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73499'\n tag \"rid\": 'SV-88151r1_rule'\n tag \"stig_id\": 'WN16-CC-000040'\n tag \"fix_id\": 'F-79941r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, 
this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting\n IPv6) IP source routing protection level (protects against packet spoofing)\n to Enabled with Highest protection, source routing is completely\n disabled selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73661.rb", + "ref": "./Windows 2016 STIG/controls/V-73499.rb", "line": 1 }, - "id": "V-73661" + "id": "V-73499" }, { - "title": "Members of the Backup Operators group must have separate accounts for\n backup duties and normal operational tasks.", - "desc": "Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit users\n to circumvent the file access restrictions present on NTFS disk drives for\n backup and restore purposes. 
Members of the Backup Operators group must have\n separate logon accounts for performing backup duties.", + "title": "Directory data (outside the root DSE) of a non-public directory must\n be configured to prevent anonymous access.", + "desc": "To the extent that anonymous access to directory data (outside the\n root DSE) is permitted, read access control of the data is effectively\n disabled. If other means of controlling access (such as network restrictions)\n are compromised, there may be nothing else to protect the confidentiality of\n sensitive directory data.", "descriptions": { - "default": "Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit users\n to circumvent the file access restrictions present on NTFS disk drives for\n backup and restore purposes. Members of the Backup Operators group must have\n separate logon accounts for performing backup duties.", - "check": "If no accounts are members of the Backup Operators group, this\n is NA.\n\n Verify users with accounts in the Backup Operators group have a separate user\n account for backup functions and for performing normal user tasks.\n\n If users with accounts in the Backup Operators group do not have separate\n accounts for backup functions and standard user functions, this is a finding.", - "fix": "Ensure each member of the Backup Operators group has separate\n accounts for backup functions and standard user functions." + "default": "To the extent that anonymous access to directory data (outside the\n root DSE) is permitted, read access control of the data is effectively\n disabled. If other means of controlling access (such as network restrictions)\n are compromised, there may be nothing else to protect the confidentiality of\n sensitive directory data.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Open Command Prompt (not elevated).\n\n Run ldp.exe.\n\n From the Connection menu, select Bind.\n\n Clear the User, Password, and Domain fields.\n\n Select Simple bind for the Bind type and click OK.\n\n Confirmation of anonymous access will be displayed at the end:\n\n res = ldap_simple_bind_s\n Authenticated as: 'NT AUTHORITY\\ANONYMOUS LOGON'\n\n From the Browse menu, select Search.\n\n In the Search dialog, enter the DN of the domain naming context (generally\n something like dc=disaost,dc=mil) in the Base DN field.\n\n Clear the Attributes field and select Run.\n\n Error messages should display related to Bind and user not authenticated.\n\n If attribute data is displayed, anonymous access is enabled to the domain\n naming context and this is a finding.\n\n The following network controls allow the finding severity to be downgraded to a\n CAT II since these measures lower the risk associated with anonymous access.\n\n Network hardware ports at the site are subject to 802.1x authentication or MAC\n address restrictions.\n\n Premise firewall or host restrictions prevent access to ports 389, 636, 3268,\n and 3269 from client hosts not explicitly identified by domain (.mil) or IP\n address.", + "fix": "Configure directory data (outside the root DSE) of a non-public\n directory to prevent anonymous access.\n\n For AD, there are multiple configuration items that could enable anonymous\n access.\n\n Changing the access permissions on the domain naming context object (from the\n secure defaults) could enable anonymous access. If the check procedures\n indicate this is the cause, the process that was used to change the permissions\n should be reversed. This could have been through the Windows Support Tools ADSI\n Edit console (adsiedit.msc).\n\n The dsHeuristics option is used. This is addressed in check V-8555 in the AD\n Forest STIG." 
}, "impact": 0, "refs": [], "tags": { "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-73227", - "rid": "SV-87879r1_rule", - "stig_id": "WN16-00-000050", - "fix_id": "F-79671r1_fix", + "gid": "V-73385", + "rid": "SV-88037r1_rule", + "stig_id": "WN16-DC-000150", + "fix_id": "F-79827r1_fix", "cci": [ "CCI-000366" ], 
@@ -8739,352 +8761,328 @@ ], "documentable": false }, - "code": "control 'V-73227' do\n title \"Members of the Backup Operators group must have separate accounts for\n backup duties and normal operational tasks.\"\n desc \"Backup Operators are able to read and write to any file in the system,\n regardless of the rights assigned to it. Backup and restore rights permit users\n to circumvent the file access restrictions present on NTFS disk drives for\n backup and restore purposes. Members of the Backup Operators group must have\n separate logon accounts for performing backup duties.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73227'\n tag \"rid\": 'SV-87879r1_rule'\n tag \"stig_id\": 'WN16-00-000050'\n tag \"fix_id\": 'F-79671r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If no accounts are members of the Backup Operators group, this\n is NA.\n\n Verify users with accounts in the Backup Operators group have a separate user\n account for backup functions and for performing normal user tasks.\n\n If users with accounts in the Backup Operators group do not have separate\n accounts for backup functions and standard user functions, this is a finding.\"\n desc \"fix\", \"Ensure each member of the Backup Operators group has separate\n accounts for backup functions and standard user functions.\"\n\n backup_operators = attribute('backup_operators')\n backup_operators_group = command(\"net localgroup 'Backup Operators' | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n\n if !backup_operators_group.empty?\n backup_operators_group.each do |user|\n describe user do\n it { should be_in backup_operators }\n end\n end\n end\n if backup_operators_group.empty?\n impact 0.0\n describe 'There are no users in the Backup Operators Group, therefore this control is not applicable' do\n skip 'There are no users in the Backup 
Operators Group, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-73385' do\n title \"Directory data (outside the root DSE) of a non-public directory must\n be configured to prevent anonymous access.\"\n desc \"To the extent that anonymous access to directory data (outside the\n root DSE) is permitted, read access control of the data is effectively\n disabled. If other means of controlling access (such as network restrictions)\n are compromised, there may be nothing else to protect the confidentiality of\n sensitive directory data.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73385'\n tag \"rid\": 'SV-88037r1_rule'\n tag \"stig_id\": 'WN16-DC-000150'\n tag \"fix_id\": 'F-79827r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Open Command Prompt (not elevated).\n\n Run ldp.exe.\n\n From the Connection menu, select Bind.\n\n Clear the User, Password, and Domain fields.\n\n Select Simple bind for the Bind type and click OK.\n\n Confirmation of anonymous access will be displayed at the end:\n\n res = ldap_simple_bind_s\n Authenticated as: 'NT AUTHORITY\\\\ANONYMOUS LOGON'\n\n From the Browse menu, select Search.\n\n In the Search dialog, enter the DN of the domain naming context (generally\n something like dc=disaost,dc=mil) in the Base DN field.\n\n Clear the Attributes field and select Run.\n\n Error messages should display related to Bind and user not authenticated.\n\n If attribute data is displayed, anonymous access is enabled to the domain\n naming context and this is a finding.\n\n The following network controls allow the finding severity to be downgraded to a\n CAT II since these measures lower the risk associated with anonymous access.\n\n Network hardware ports at the site are subject to 802.1x authentication or MAC\n address restrictions.\n\n Premise 
firewall or host restrictions prevent access to ports 389, 636, 3268,\n and 3269 from client hosts not explicitly identified by domain (.mil) or IP\n address.\"\n desc \"fix\", \"Configure directory data (outside the root DSE) of a non-public\n directory to prevent anonymous access.\n\n For AD, there are multiple configuration items that could enable anonymous\n access.\n\n Changing the access permissions on the domain naming context object (from the\n secure defaults) could enable anonymous access. If the check procedures\n indicate this is the cause, the process that was used to change the permissions\n should be reversed. This could have been through the Windows Support Tools ADSI\n Edit console (adsiedit.msc).\n\n The dsHeuristics option is used. This is addressed in check V-8555 in the AD\n Forest STIG.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 'Directory data (outside the root DSE) of a non-public directory must\n be configured to prevent anonymous access.' 
do\n skip 'Directory data (outside the root DSE) of a non-public directory must\n be configured to prevent anonymous access is a manual control'\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2016 STIG/controls/V-73227.rb",
+ "ref": "./Windows 2016 STIG/controls/V-73385.rb",
 "line": 1
 },
- "id": "V-73227"
+ "id": "V-73385"
 },
 {
- "title": "The Access Credential Manager as a trusted caller user right must not\n be assigned to any groups or accounts.",
- "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access Credential Manager as a trusted caller user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.",
+ "title": "AutoPlay must be disabled for all drives.",
+ "desc": "Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon media is inserted into the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, AutoPlay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy\n disables AutoPlay on all drives.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access Credential Manager as a trusted caller user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.",
- "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Access Credential Manager as a\n trusted caller user right, this is a finding.",
- "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access Credential Manager as a trusted callers to be defined but containing\n no entries (blank)."
+ "default": "Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon media is inserted into the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, AutoPlay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. Enabling this policy\n disables AutoPlay on all drives.",
+ "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\\n\n Value Name: NoDriveTypeAutoRun\n\n Type: REG_DWORD\n Value: 0x000000ff (255)",
+ "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> Turn\n off AutoPlay to Enabled with All Drives selected."
 },
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-73729",
- "rid": "SV-88393r1_rule",
- "stig_id": "WN16-UR-000010",
- "fix_id": "F-80179r1_fix",
+ "gtitle": "SRG-OS-000368-GPOS-00154",
+ "gid": "V-73549",
+ "rid": "SV-88213r1_rule",
+ "stig_id": "WN16-CC-000270",
+ "fix_id": "F-79999r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-001764"
 ],
 "nist": [
- "AC-6 (10)",
+ "CM-7 (2)",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73729' do\n title \"The Access Credential Manager as a trusted caller user right must not\n be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access Credential Manager as a trusted caller user\n right may be able to retrieve the credentials of other accounts from Credential\n Manager.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73729'\n tag \"rid\": 'SV-88393r1_rule'\n tag \"stig_id\": 'WN16-UR-000010'\n tag \"fix_id\": 'F-80179r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Access Credential Manager as a\n trusted caller user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access Credential Manager as a trusted callers to be defined but containing\n no entries (blank).\"\n describe security_policy do\n its('SeTrustedCredManAccessPrivilege') { should eq [] }\n end\nend\n",
+ "code": "control 'V-73549' do\n title 'AutoPlay 
must be disabled for all drives.'\n desc \"Allowing AutoPlay to execute may introduce malicious code to a system.\n AutoPlay begins reading from a drive as soon media is inserted into the drive.\n As a result, the setup file of programs or music on audio media may start. By\n default, AutoPlay is disabled on removable drives, such as the floppy disk\n drive (but not the CD-ROM drive) and on network drives. Enabling this policy\n disables AutoPlay on all drives.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000368-GPOS-00154'\n tag \"gid\": 'V-73549'\n tag \"rid\": 'SV-88213r1_rule'\n tag \"stig_id\": 'WN16-CC-000270'\n tag \"fix_id\": 'F-79999r1_fix'\n tag \"cci\": ['CCI-001764']\n tag \"nist\": ['CM-7 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\policies\\\\Explorer\\\\\n\n Value Name: NoDriveTypeAutoRun\n\n Type: REG_DWORD\n Value: 0x000000ff (255)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> AutoPlay Policies >> Turn\n off AutoPlay to Enabled with All Drives selected.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n it { should have_property 'NoDriveTypeAutoRun' }\n its('NoDriveTypeAutoRun') { should cmp 255 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73729.rb", + "ref": "./Windows 2016 STIG/controls/V-73549.rb", "line": 1 }, - "id": "V-73729" + "id": "V-73549" }, { - "title": "Windows Server 2016 must be configured to audit Logon/Logoff - Account\n Lockout failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that 
have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", + "title": "The Access this computer from the network user right must only be\n assigned to the Administrators and Authenticated Users groups on member\n servers.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network user right may\n access resources on the system, and this right must be limited to those\n requiring it.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Account Lockout with Failure selected." + "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network user right may\n access resources on the system, and this right must be limited to those\n requiring it.", + "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Access\n this computer from the network user right, this is a finding.\n\n - Administrators\n - Authenticated Users\n\n Systems dedicated to managing Active Directory (AD admin platforms, see V-36436\n in the Active Directory Domain STIG), must only allow Administrators, removing\n the Authenticated Users group.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access this computer from the network to include only the following\n accounts or groups:\n\n 
- Administrators\n - Authenticated Users\n\n Systems dedicated to managing Active Directory (AD admin platforms, see V-36436\n in the Active Directory Domain STIG), must only allow Administrators, removing\n the Authenticated Users group."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000240-GPOS-00090",
- "satisfies": [
- "SRG-OS-000240-GPOS-00090",
- "SRG-OS-000470-GPOS-00214"
- ],
- "gid": "V-73445",
- "rid": "SV-88097r2_rule",
- "stig_id": "WN16-AU-000230",
- "fix_id": "F-79887r1_fix",
+ "gtitle": "SRG-OS-000080-GPOS-00048",
+ "gid": "V-73733",
+ "rid": "SV-88397r1_rule",
+ "stig_id": "WN16-MS-000340",
+ "fix_id": "F-80183r1_fix",
 "cci": [
- "CCI-000172",
- "CCI-001404"
+ "CCI-000213"
 ],
 "nist": [
- "AU-12 c",
- "AC-2 (4)",
+ "AC-3",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73445' do\n title \"Windows Server 2016 must be configured to audit Logon/Logoff - Account\n Lockout failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\n attempts.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000240-GPOS-00090'\n tag \"satisfies\": ['SRG-OS-000240-GPOS-00090', 'SRG-OS-000470-GPOS-00214']\n tag \"gid\": 'V-73445'\n tag \"rid\": 'SV-88097r2_rule'\n tag \"stig_id\": 'WN16-AU-000230'\n tag \"fix_id\": 'F-79887r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-001404']\n tag \"nist\": ['AU-12 c', 'AC-2 (4)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following. 
If the system does not audit\n the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n Logon/Logoff >> Audit Account Lockout with Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Account Lockout') { should eq 'Success and Failure' }\n end\n describe audit_policy do\n its('Account Lockout') { should eq 'Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\") do\n its('stdout') { should match /Account Lockout Failure/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Account Lockout'\") do\n its('stdout') { should match /Account Lockout Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73733' do\n title \"The Access this computer from the network user right must only be\n assigned to the Administrators and Authenticated Users groups on member\n servers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Access this computer from the network user right may\n access resources on the system, and this right must be limited to those\n requiring it.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73733'\n tag \"rid\": 'SV-88397r1_rule'\n tag \"stig_id\": 'WN16-MS-000340'\n tag \"fix_id\": 'F-80183r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Access\n this computer from the network user right, this is a finding.\n\n - Administrators\n - Authenticated Users\n\n Systems dedicated to managing Active Directory (AD admin platforms, see V-36436\n in the Active Directory Domain STIG), must only allow Administrators, removing\n the Authenticated Users group.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Access this computer from the network to include only the following\n accounts or groups:\n\n - Administrators\n - Authenticated Users\n\n Systems dedicated to managing Active Directory (AD admin platforms, see V-36436\n in the Active Directory Domain STIG), must only allow Administrators, removing\n the Authenticated Users group.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if !(domain_role == '4') && !(domain_role == '5')\n describe.one do\n describe security_policy do\n its('SeNetworkLogonRight') { should be_in ['S-1-5-11', 'S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeNetworkLogonRight') { should eq [] }\n end\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n 
describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73445.rb", + "ref": "./Windows 2016 STIG/controls/V-73733.rb", "line": 1 }, - "id": "V-73445" + "id": "V-73733" }, { - "title": "Windows Server 2016 must automatically remove or disable emergency\n accounts after the crisis is resolved or within 72 hours.", - "desc": "Emergency administrator accounts are privileged accounts established\n in response to crisis situations where the need for rapid account activation is\n required. Therefore, emergency account activation may bypass normal account\n authorization processes. If these accounts are automatically disabled, system\n maintenance during emergencies may not be possible, thus adversely affecting\n system availability.\n\n Emergency administrator accounts are different from infrequently used\n accounts (i.e., local logon accounts used by system administrators when network\n or normal logon/access is not available). Infrequently used accounts are not\n subject to automatic termination dates. Emergency accounts are accounts created\n in response to crisis situations, usually for use by maintenance personnel. The\n automatic expiration or disabling time period may be extended as needed until\n the crisis is resolved; however, it must not be extended indefinitely. 
A\n permanent account should be established for privileged users who need long-term\n maintenance accounts.\n\n To address access requirements, many operating systems can be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.", + "title": "FTP servers must be configured to prevent access to the system drive.", + "desc": "The FTP service allows remote users to access shared files and\n directories that could provide access to system resources and compromise the\n system, especially if the user can gain access to the root directory of the\n boot drive.", "descriptions": { - "default": "Emergency administrator accounts are privileged accounts established\n in response to crisis situations where the need for rapid account activation is\n required. Therefore, emergency account activation may bypass normal account\n authorization processes. If these accounts are automatically disabled, system\n maintenance during emergencies may not be possible, thus adversely affecting\n system availability.\n\n Emergency administrator accounts are different from infrequently used\n accounts (i.e., local logon accounts used by system administrators when network\n or normal logon/access is not available). Infrequently used accounts are not\n subject to automatic termination dates. Emergency accounts are accounts created\n in response to crisis situations, usually for use by maintenance personnel. The\n automatic expiration or disabling time period may be extended as needed until\n the crisis is resolved; however, it must not be extended indefinitely. 
A\n permanent account should be established for privileged users who need long-term\n maintenance accounts.\n\n To address access requirements, many operating systems can be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.", - "check": "Determine if emergency administrator accounts are used and\n identify any that exist. If none exist, this is NA.\n\n If emergency administrator accounts cannot be configured with an expiration\n date due to an ongoing crisis, the accounts must be disabled or removed when\n the crisis is resolved.\n\n If emergency administrator accounts have not been configured with an expiration\n date or have not been disabled or removed following the resolution of a crisis,\n this is a finding.\n\n Domain Controllers:\n\n Open PowerShell.\n\n Enter Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate.\n\n If AccountExpirationDate has been defined and is not within 72 hours for an\n emergency administrator account, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Run Net user [username], where [username] is the name of the emergency\n account.\n\n If Account expires has been defined and is not within 72 hours for an\n emergency administrator account, this is a finding.", - "fix": "Remove emergency administrator accounts after a crisis has been\n resolved or configure the accounts to automatically expire within 72 hours.\n\n Domain accounts can be configured with an account expiration date, under\n Account properties.\n\n Local accounts can be configured to expire with the command Net user\n [username] /expires:[mm/dd/yyyy], where username is the name of the temporary\n user account." 
+ "default": "The FTP service allows remote users to access shared files and\n directories that could provide access to system resources and compromise the\n system, especially if the user can gain access to the root directory of the\n boot drive.",
+ "check": "If FTP is not installed on the system, this is NA.\n\n Open Internet Information Services (IIS) Manager.\n\n Select Sites under the server name.\n\n For any sites with a Binding that lists FTP, right-click the site and select\n Explore.\n\n If the site is not defined to a specific folder for shared FTP resources, this\n is a finding.\n\n If the site includes any system areas such as root of the drive, Program Files,\n or Windows directories, this is a finding.",
+ "fix": "Configure the FTP sites to allow access only to specific FTP\n shared resources. Do not allow access to other areas of the system."
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000123-GPOS-00064",
- "gid": "V-73285",
- "rid": "SV-87937r1_rule",
- "stig_id": "WN16-00-000340",
- "fix_id": "F-79729r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-73305",
+ "rid": "SV-87957r1_rule",
+ "stig_id": "WN16-00-000440",
+ "fix_id": "F-79747r1_fix",
 "cci": [
- "CCI-001682"
+ "CCI-000366"
 ],
 "nist": [
- "AC-2 (2)",
+ "CM-6 b",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73285' do\n title \"Windows Server 2016 must automatically remove or disable emergency\n accounts after the crisis is resolved or within 72 hours.\"\n desc \"Emergency administrator accounts are privileged accounts established\n in response to crisis situations where the need for rapid account activation is\n required. Therefore, emergency account activation may bypass normal account\n authorization processes. 
If these accounts are automatically disabled, system\n maintenance during emergencies may not be possible, thus adversely affecting\n system availability.\n\n Emergency administrator accounts are different from infrequently used\n accounts (i.e., local logon accounts used by system administrators when network\n or normal logon/access is not available). Infrequently used accounts are not\n subject to automatic termination dates. Emergency accounts are accounts created\n in response to crisis situations, usually for use by maintenance personnel. The\n automatic expiration or disabling time period may be extended as needed until\n the crisis is resolved; however, it must not be extended indefinitely. A\n permanent account should be established for privileged users who need long-term\n maintenance accounts.\n\n To address access requirements, many operating systems can be integrated\n with enterprise-level authentication/access mechanisms that meet or exceed\n access control policy requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000123-GPOS-00064'\n tag \"gid\": 'V-73285'\n tag \"rid\": 'SV-87937r1_rule'\n tag \"stig_id\": 'WN16-00-000340'\n tag \"fix_id\": 'F-79729r1_fix'\n tag \"cci\": ['CCI-001682']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Determine if emergency administrator accounts are used and\n identify any that exist. 
If none exist, this is NA.\n\n If emergency administrator accounts cannot be configured with an expiration\n date due to an ongoing crisis, the accounts must be disabled or removed when\n the crisis is resolved.\n\n If emergency administrator accounts have not been configured with an expiration\n date or have not been disabled or removed following the resolution of a crisis,\n this is a finding.\n\n Domain Controllers:\n\n Open PowerShell.\n\n Enter Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate.\n\n If AccountExpirationDate has been defined and is not within 72 hours for an\n emergency administrator account, this is a finding.\n\n Member servers and standalone systems:\n\n Open Command Prompt.\n\n Run Net user [username], where [username] is the name of the emergency\n account.\n\n If Account expires has been defined and is not within 72 hours for an\n emergency administrator account, this is a finding.\"\n desc \"fix\", \"Remove emergency administrator accounts after a crisis has been\n resolved or configure the accounts to automatically expire within 72 hours.\n\n Domain accounts can be configured with an account expiration date, under\n Account properties.\n\n Local accounts can be configured to expire with the command Net user\n [username] /expires:[mm/dd/yyyy], where username is the name of the temporary\n user account.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n emergency_accounts_list = input('emergency_accounts')\n emergency_accounts_data = []\n \n if emergency_accounts_list == [nil]\n impact 0.0\n describe 'This control is not applicable as no emergency accounts were listed as an input' do\n skip 'This control is not applicable as no emergency accounts were listed as an input'\n end\n else\n if domain_role == '4' || domain_role == '5'\n emergency_accounts_list.each do |emergency_account|\n emergency_accounts_data << json({ command: \"Get-ADUser -Identity #{emergency_account} 
-Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\"}).params\n end\n if emergency_accounts_data.empty?\n impact 0.0\n describe 'This control is not applicable as account information was not found for the listed emergency accounts' do\n skip 'This control is not applicable as account information was not found for the listed emergency accounts'\n end\n else\n emergency_accounts_data.each do |emergency_account|\n account_name = emergency_account.fetch(\"SamAccountName\")\n if emergency_account.fetch(\"WhenCreated\") == nil\n describe \"#{account_name} account's creation date\" do\n subject { emergency_account.fetch(\"WhenCreated\") }\n it { should_not eq nil}\n end\n elsif emergency_account.fetch(\"AccountExpirationDate\") == nil\n describe \"#{account_name} account's expiration date\" do\n subject { emergency_account.fetch(\"AccountExpirationDate\") }\n it { should_not eq nil}\n end\n else\n creation_date = Date.parse(emergency_account.fetch(\"WhenCreated\"))\n expiration_date = Date.parse(emergency_account.fetch(\"AccountExpirationDate\"))\n date_difference = expiration_date.mjd - creation_date.mjd\n describe \"Account expiration set for #{account_name}\" do\n subject { date_difference }\n it { should cmp <= input('emergency_account_period')}\n end\n end\n end\n end\n\n else\n emergency_accounts_list.each do |emergency_account|\n emergency_accounts_data << json({ command: \"Get-LocalUser -Name #{emergency_account} | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\"}).params\n end\n if emergency_accounts_data.empty?\n impact 0.0\n describe 'This control is not applicable as account 
information was not found for the listed emergency accounts' do\n skip 'This control is not applicable as account information was not found for the listed emergency accounts'\n end\n else\n emergency_accounts_data.each do |emergency_account|\n user_name = emergency_account.fetch(\"Name\")\n if emergency_account.fetch(\"PasswordLastSet\") == nil\n describe \"#{user_name} account's password last set date\" do\n subject { emergency_account.fetch(\"PasswordLastSet\") }\n it { should_not eq nil}\n end\n elsif emergency_account.fetch(\"AccountExpires\") == nil\n describe \"#{user_name} account's expiration date\" do\n subject { emergency_account.fetch(\"AccountExpires\") }\n it { should_not eq nil}\n end\n else\n password_date = Date.parse(emergency_account.fetch(\"PasswordLastSet\"))\n expiration_date = Date.parse(emergency_account.fetch(\"AccountExpires\"))\n date_difference = expiration_date.mjd - password_date.mjd\n describe \"Account expiration set for #{user_name}\" do\n subject { date_difference }\n it { should cmp <= input('emergency_account_period')}\n end\n end\n end\n end\n end\n end\nend", + "code": "control 'V-73305' do\n title 'FTP servers must be configured to prevent access to the system drive.'\n desc \"The FTP service allows remote users to access shared files and\n directories that could provide access to system resources and compromise the\n system, especially if the user can gain access to the root directory of the\n boot drive.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73305'\n tag \"rid\": 'SV-87957r1_rule'\n tag \"stig_id\": 'WN16-00-000440'\n tag \"fix_id\": 'F-79747r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If FTP is not installed on the system, this is NA.\n\n Open Internet Information Services (IIS) Manager.\n\n Select Sites under the server name.\n\n For any sites with a Binding that lists FTP, right-click the site and select\n 
Explore.\n\n If the site is not defined to a specific folder for shared FTP resources, this\n is a finding.\n\n If the site includes any system areas such as root of the drive, Program Files,\n or Windows directories, this is a finding.\"\n desc \"fix\", \"Configure the FTP sites to allow access only to specific FTP\n shared resources. Do not allow access to other areas of the system.\"\n is_ftp_installed = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n if is_ftp_installed == 'False'\n describe 'FTP is not installed on this system, therefore this control is not applicable' do\n skip 'FTP is not installed on this system, therefore this control is not applicable'\n end\n else\n describe 'A manual review is required to ensure File Transfer Protocol (FTP) servers are configured to prevent\n anonymous logons' do\n skip 'A manual review is required to ensure File Transfer Protocol (FTP) servers are configured to prevent\n anonymous logons'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73285.rb", + "ref": "./Windows 2016 STIG/controls/V-73305.rb", "line": 1 }, - "id": "V-73285" + "id": "V-73305" }, { - "title": "The Allow log on locally user right must only be assigned to the\n Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on locally user right can log on\n interactively to a system.", + "title": "The setting Microsoft network server: Digitally sign communications\n (always) must be configured to Enabled.", + "desc": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on locally user right can log on\n interactively to a system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Allow log\n on locally user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Allow log on locally to include only the following accounts or groups:\n\n - Administrators" + "default": "The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network server: Digitally sign communications (always) to\n Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-73739", - "rid": "SV-88403r1_rule", - "stig_id": "WN16-UR-000050", - "fix_id": "F-80189r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-73661", + "rid": "SV-88325r1_rule", + "stig_id": "WN16-SO-000230", + "fix_id": "F-80111r1_fix", "cci": [ - "CCI-000213" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AC-3", + "SC-8", + "SC-8 (1)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73739' do\n title \"The Allow log on locally user right must only be assigned to the\n Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Allow log on locally user right can log on\n interactively to a system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000080-GPOS-00048'\n tag \"gid\": 'V-73739'\n tag \"rid\": 'SV-88403r1_rule'\n tag \"stig_id\": 'WN16-UR-000050'\n tag \"fix_id\": 'F-80189r1_fix'\n tag \"cci\": ['CCI-000213']\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer 
Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Allow log\n on locally user right, this is a finding.\n\n - Administrators\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Allow log on locally to include only the following accounts or groups:\n\n - Administrators\"\n describe.one do\n describe security_policy do\n its('SeInteractiveLogonRight') { should eq ['S-1-5-32-544'] }\n end\n describe security_policy do\n its('SeInteractiveLogonRight') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73661' do\n title \"The setting Microsoft network server: Digitally sign communications\n (always) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many\n network operations. Digitally signed SMB packets aid in preventing\n man-in-the-middle attacks. 
If this policy is enabled, the SMB server will only\n communicate with an SMB client that performs SMB packet signing.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000423-GPOS-00187'\n tag \"satisfies\": ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188']\n tag \"gid\": 'V-73661'\n tag \"rid\": 'SV-88325r1_rule'\n tag \"stig_id\": 'WN16-SO-000230'\n tag \"fix_id\": 'F-80111r1_fix'\n tag \"cci\": ['CCI-002418', 'CCI-002421']\n tag \"nist\": ['SC-8', 'SC-8 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft network server: Digitally sign communications (always) to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73739.rb", + "ref": "./Windows 2016 STIG/controls/V-73661.rb", "line": 1 }, - "id": "V-73739" + "id": "V-73661" }, { - "title": "The Kerberos service ticket maximum lifetime must be limited to 600\n minutes or less.", - "desc": "This setting determines the maximum amount of time (in minutes) that a\n granted session ticket can be used to access a particular service. Session\n tickets are used only to authenticate new connections with servers. 
Ongoing\n operations are not interrupted if the session ticket used to authenticate the\n connection expires during the connection.", + "title": "The Lock pages in memory user right must not be assigned to any groups\n or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Lock pages in memory user right allows physical memory to be\n assigned to processes, which could cause performance issues or a denial of\n service.", "descriptions": { - "default": "This setting determines the maximum amount of time (in minutes) that a\n granted session ticket can be used to access a particular service. Session\n tickets are used only to authenticate new connections with servers. Ongoing\n operations are not interrupted if the session ticket used to authenticate the\n connection expires during the connection.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the value for Maximum lifetime for service ticket is 0 or greater\n than 600 minutes, this is a finding.", - "fix": "Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for service ticket\n to a maximum of 600 minutes, but not 0, which equates to Ticket\n doesn't expire." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Lock pages in memory user right allows physical memory to be\n assigned to processes, which could cause performance issues or a denial of\n service.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Lock pages in memory user right,\n this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Lock pages in memory to be defined but containing no entries (blank)." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000112-GPOS-00057", - "satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" - ], - "gid": "V-73361", - "rid": "SV-88013r1_rule", - "stig_id": "WN16-DC-000030", - "fix_id": "F-79803r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73791", + "rid": "SV-88455r1_rule", + "stig_id": "WN16-UR-000250", + "fix_id": "F-80241r1_fix", "cci": [ - "CCI-001941", - "CCI-001942" + "CCI-002235" ], "nist": [ - "IA-2 (8)", - "IA-2 (9)", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73361' do\n title \"The Kerberos service ticket maximum lifetime must be limited to 600\n minutes or less.\"\n desc \"This setting determines the maximum amount of time (in minutes) that a\n granted session ticket can be used to access a particular service. Session\n tickets are used only to authenticate new connections with servers. Ongoing\n operations are not interrupted if the session ticket used to authenticate the\n connection expires during the connection.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000112-GPOS-00057'\n tag \"satisfies\": ['SRG-OS-000112-GPOS-00057', 'SRG-OS-000113-GPOS-00058']\n tag \"gid\": 'V-73361'\n tag \"rid\": 'SV-88013r1_rule'\n tag \"stig_id\": 'WN16-DC-000030'\n tag \"fix_id\": 'F-79803r1_fix'\n tag \"cci\": ['CCI-001941', 'CCI-001942']\n tag \"nist\": ['IA-2 (8)', 'IA-2 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy.\n\n Open Group Policy Management.\n\n Navigate to Group Policy Objects in the Domain being reviewed (Forest >>\n Domains >> Domain).\n\n Right-click on the Default Domain Policy.\n\n Select Edit.\n\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security\n Settings >> Account Policies >> Kerberos Policy.\n\n If the value for Maximum lifetime for service ticket is 0 or greater\n than 600 minutes, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for\n Computer Configuration >> Policies >> Windows Settings >> Security Settings >>\n Account Policies >> Kerberos Policy >> Maximum lifetime for service ticket\n to a maximum of 600 minutes, but not 0, which equates to Ticket\n doesn't expire.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxServiceAge') { should be > 0 }\n end\n describe security_policy do\n its('MaxServiceAge') { should be <= 600 }\n end\n end\n\n if domain_role != '4' && domain_role != '5'\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73791' do\n title \"The Lock pages in memory user right must not be assigned to any groups\n or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Lock pages in memory user right allows physical memory to be\n assigned to processes, which could cause performance issues or a denial of\n service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag 
\"gid\": 'V-73791'\n tag \"rid\": 'SV-88455r1_rule'\n tag \"stig_id\": 'WN16-UR-000250'\n tag \"fix_id\": 'F-80241r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Lock pages in memory user right,\n this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Lock pages in memory to be defined but containing no entries (blank).\"\n describe security_policy do\n its('SeLockMemoryPrivilege') { should eq [] }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73361.rb", + "ref": "./Windows 2016 STIG/controls/V-73791.rb", "line": 1 }, - "id": "V-73361" + "id": "V-73791" }, { - "title": "Permissions for the System event log must prevent access by\n non-privileged accounts.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n System event log may be susceptible to tampering if proper permissions are not\n applied.", + "title": "The Enable computer and user accounts to be trusted for delegation\n user right must not be assigned to any groups or accounts on member servers.", + "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. The\n System event log may be susceptible to tampering if proper permissions are not\n applied.", - "check": "Navigate to the System event log file.\n\n The default location is the %SystemRoot%\\System32\\winevt\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the System.evtx file are not as restrictive as the\n default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", - "fix": "Configure the permissions on the System event log file\n (System.evtx) to prevent access by non-privileged accounts. The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the %SystemRoot%\\ System32\\winevt\\Logs folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as NT Service\\Eventlog." 
+ "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.", + "check": "This applies to member servers and standalone systems. A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Enable computer and user accounts\n to be trusted for delegation user right, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Enable computer and user accounts to be trusted for delegation to be\n defined but containing no entries (blank)." 
}, "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-73409", - "rid": "SV-88061r1_rule", - "stig_id": "WN16-AU-000050", - "fix_id": "F-79851r1_fix", + "refs": [], + "tags": { + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-73779", + "rid": "SV-88443r1_rule", + "stig_id": "WN16-MS-000420", + "fix_id": "F-80229r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-002235" ], "nist": [ - "AU-9", + "AC-6 (10)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73409' do\n title \"Permissions for the System event log must prevent access by\n non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised. 
The\n System event log may be susceptible to tampering if proper permissions are not\n applied.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000057-GPOS-00027'\n tag \"satisfies\": ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028',\n 'SRG-OS-000059-GPOS-00029']\n tag \"gid\": 'V-73409'\n tag \"rid\": 'SV-88061r1_rule'\n tag \"stig_id\": 'WN16-AU-000050'\n tag \"fix_id\": 'F-79851r1_fix'\n tag \"cci\": ['CCI-000162', 'CCI-000163', 'CCI-000164']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Navigate to the System event log file.\n\n The default location is the %SystemRoot%\\\\System32\\\\winevt\\\\Logs folder.\n However, the logs may have been moved to another folder.\n\n If the permissions for the System.evtx file are not as restrictive as the\n default permissions listed below, this is a finding.\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc \"fix\", \"Configure the permissions on the System event log file\n (System.evtx) to prevent access by non-privileged accounts. 
The default\n permissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the %SystemRoot%\\\\ System32\\\\winevt\\\\Logs folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\n permissions, it must be entered as NT Service\\\\Eventlog.\"\n system_root = command('$env:SystemRoot').stdout.strip\n\n describe file(\"#{system_root}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\System.evtx\") do\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\EventLog') }\n it { should be_allowed('full-control', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('full-control', by_user: 'BUILTIN\\\\Administrators') }\n end\nend\n", + "code": "control 'V-73779' do\n title \"The Enable computer and user accounts to be trusted for delegation\n user right must not be assigned to any groups or accounts on member servers.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n The Enable computer and user accounts to be trusted for delegation user\n right allows the Trusted for Delegation setting to be changed. This could\n allow unauthorized users to impersonate other users.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73779'\n tag \"rid\": 'SV-88443r1_rule'\n tag \"stig_id\": 'WN16-MS-000420'\n tag \"fix_id\": 'F-80229r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers and standalone systems. 
A\n separate version applies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the Enable computer and user accounts\n to be trusted for delegation user right, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Enable computer and user accounts to be trusted for delegation to be\n defined but containing no entries (blank).\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if !(domain_role == '4') && !(domain_role == '5')\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq [] }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73409.rb", + "ref": "./Windows 2016 STIG/controls/V-73779.rb", "line": 1 }, - "id": "V-73409" + "id": "V-73779" }, { - "title": "Local administrator accounts must have their privileged token filtered\n to prevent elevated privileges from being used over the network on domain\n systems.", - "desc": "A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for local\n administrator accounts will prevent the elevated privileges of these accounts\n from being 
used over the network.", + "title": "The roles and features required by the system must be documented.", + "desc": "Unnecessary roles and features increase the attack surface of a\n system. Limiting roles and features of a system to only those necessary reduces\n this potential. The standard installation option (previously called Server\n Core) further reduces this when selected at installation.", "descriptions": { - "default": "A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for local\n administrator accounts will prevent the elevated privileges of these accounts\n from being used over the network.", - "check": "This applies to member servers. For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\n\n This setting may cause issues with some network scanning tools if local\n administrative accounts are used remotely. Scans should use domain accounts\n where possible. If a local administrative account must be used, temporarily\n enabling the privileged token by configuring the registry value to 1 may be\n required.", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Apply UAC restrictions to\n local accounts on network logons to Enabled.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. SecGuide.admx and SecGuide.adml must\n be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." 
+ "default": "Unnecessary roles and features increase the attack surface of a\n system. Limiting roles and features of a system to only those necessary reduces\n this potential. The standard installation option (previously called Server\n Core) further reduces this when selected at installation.", + "check": "Required roles and features will vary based on the function of\n the individual system.\n\n Roles and features specifically required to be disabled per the STIG are\n identified in separate requirements.\n\n If the organization has not documented the roles and features required for the\n system(s), this is a finding.\n\n The PowerShell command Get-WindowsFeature will list all roles and features\n with an Install State.", + "fix": "Document the roles and features required for the system to\n operate. Uninstall any that are not required." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-73495", - "rid": "SV-88147r1_rule", - "stig_id": "WN16-MS-000020", - "fix_id": "F-79937r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73277", + "rid": "SV-87929r1_rule", + "stig_id": "WN16-00-000300", + "fix_id": "F-79721r1_fix", "cci": [ - "CCI-001084" + "CCI-000381" ], "nist": [ - "SC-3", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73495' do\n title \"Local administrator accounts must have their privileged token filtered\n to prevent elevated privileges from being used over the network on domain\n systems.\"\n desc \"A compromised local administrator account can provide means for an\n attacker to move laterally between domain systems.\n\n With User Account Control enabled, filtering the privileged token for local\n administrator accounts will prevent the elevated privileges of these accounts\n from being used over the network.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73495'\n tag \"rid\": 'SV-88147r1_rule'\n tag \"stig_id\": 'WN16-MS-000020'\n tag 
\"fix_id\": 'F-79937r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to member servers. For domain controllers and\n standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\n\n This setting may cause issues with some network scanning tools if local\n administrative accounts are used remotely. Scans should use domain accounts\n where possible. If a local administrative account must be used, temporarily\n enabling the privileged token by configuring the registry value to 1 may be\n required.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MS Security Guide >> Apply UAC restrictions to\n local accounts on network logons to Enabled.\n\n This policy setting requires the installation of the SecGuide custom templates\n included with the STIG package. 
SecGuide.admx and SecGuide.adml must\n be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if !(domain_role == '4') && !(domain_role == '5')\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LocalAccountTokenFilterPolicy' }\n its('LocalAccountTokenFilterPolicy') { should cmp 0 }\n end\n end\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n desc 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers and standalone systems'\n end\nend\n", + "code": "control 'V-73277' do\n title 'The roles and features required by the system must be documented.'\n desc \"Unnecessary roles and features increase the attack surface of a\n system. Limiting roles and features of a system to only those necessary reduces\n this potential. 
The standard installation option (previously called Server\n Core) further reduces this when selected at installation.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73277'\n tag \"rid\": 'SV-87929r1_rule'\n tag \"stig_id\": 'WN16-00-000300'\n tag \"fix_id\": 'F-79721r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Required roles and features will vary based on the function of\n the individual system.\n\n Roles and features specifically required to be disabled per the STIG are\n identified in separate requirements.\n\n If the organization has not documented the roles and features required for the\n system(s), this is a finding.\n\n The PowerShell command Get-WindowsFeature will list all roles and features\n with an Install State.\"\n desc \"fix\", \"Document the roles and features required for the system to\n operate. Uninstall any that are not required.\"\n describe 'A manual review is required to verify that the roles and features required by the system are documented' do\n skip 'A manual review is required to verify that the roles and features required by the system are documented'\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73495.rb", + "ref": "./Windows 2016 STIG/controls/V-73277.rb", "line": 1 }, - "id": "V-73495" + "id": "V-73277" }, { - "title": "Windows Server 2016 must be configured to audit System - Other System\n Events successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", + "title": "The minimum password length must be configured to 14 characters.", + "desc": "Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Success", - "fix": "Configure the policy value for Computer Configuration >> 
Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n System >> Audit Other System Events with Success selected." + "default": "Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Minimum password length, is less than 14\n characters, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Minimum password length to 14 characters." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-73477", - "rid": "SV-88129r2_rule", - "stig_id": "WN16-AU-000390", - "fix_id": "F-79919r1_fix", + "gtitle": "SRG-OS-000078-GPOS-00046", + "gid": "V-73321", + "rid": "SV-87973r1_rule", + "stig_id": "WN16-AC-000070", + "fix_id": "F-79763r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000205" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "IA-5 (1) (a)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73477' do\n title \"Windows Server 2016 must be configured to audit System - Other System\n Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73477'\n tag \"rid\": 'SV-88129r2_rule'\n tag \"stig_id\": 'WN16-AU-000390'\n tag \"fix_id\": 'F-79919r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n System >> Audit Other System Events with Success selected.\"\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other System Events'\") do\n its('stdout') { should match /Other System Events Success/ }\n 
end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other System Events'\") do\n its('stdout') { should match /Other System Events Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73321' do\n title 'The minimum password length must be configured to 14 characters.'\n desc \"Information systems not protected with strong password schemes\n (including passwords of minimum length) provide the opportunity for anyone to\n crack the password, thus gaining access to the system and compromising the\n device, information, or the local network.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000078-GPOS-00046'\n tag \"gid\": 'V-73321'\n tag \"rid\": 'SV-87973r1_rule'\n tag \"stig_id\": 'WN16-AC-000070'\n tag \"fix_id\": 'F-79763r1_fix'\n tag \"cci\": ['CCI-000205']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Account Policies >> Password Policy.\n\n If the value for the Minimum password length, is less than 14\n characters, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Account Policies >> Password Policy >>\n Minimum password length to 14 characters.\"\n describe security_policy do\n its('MinimumPasswordLength') { should be >= 14 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73477.rb", + "ref": "./Windows 2016 STIG/controls/V-73321.rb", "line": 1 }, - "id": "V-73477" + "id": "V-73321" }, { - "title": "Windows Server 2016 must be configured to audit System - Other System\n Events failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", + "title": "Event Viewer must be protected from unauthorized modification and\n deletion.", + "desc": "Protecting audit information also includes identifying and protecting\n the tools used to view and manipulate log data. Therefore, protecting audit\n tools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\n leverage user permissions and roles identifying the user accessing the tools\n and the corresponding rights the user enjoys in order to make access decisions\n regarding the modification or deletion of audit tools.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.", - "check": "Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Failure", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n System >> Audit Other System Events with Failure selected." + "default": "Protecting audit information also includes identifying and protecting\n the tools used to view and manipulate log data. 
Therefore, protecting audit\n tools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\n leverage user permissions and roles identifying the user accessing the tools\n and the corresponding rights the user enjoys in order to make access decisions\n regarding the modification or deletion of audit tools.", + "check": "Navigate to %SystemRoot%\\System32.\n\n View the permissions on Eventvwr.exe.\n\n If any groups or accounts other than TrustedInstaller have Full control or\n Modify permissions, this is a finding.\n\n The default permissions below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\n APPLICATION PACKAGES - Read & Execute", + "fix": "Configure the permissions on the Eventvwr.exe file to prevent\n modification by any groups or accounts other than TrustedInstaller. The default\n permissions listed below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\n APPLICATION PACKAGES - Read & Execute\n\n The default location is the %SystemRoot%\\ System32 folder." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000327-GPOS-00127",
+ "gtitle": "SRG-OS-000257-GPOS-00098",
 "satisfies": [
- "SRG-OS-000327-GPOS-00127",
- "SRG-OS-000458-GPOS-00203",
- "SRG-OS-000463-GPOS-00207",
- "SRG-OS-000468-GPOS-00212"
+ "SRG-OS-000257-GPOS-00098",
+ "SRG-OS-000258-GPOS-00099"
 ],
- "gid": "V-73479",
- "rid": "SV-88131r2_rule",
- "stig_id": "WN16-AU-000400",
- "fix_id": "F-79921r1_fix",
+ "gid": "V-73411",
+ "rid": "SV-88063r1_rule",
+ "stig_id": "WN16-AU-000060",
+ "fix_id": "F-79853r1_fix",
 "cci": [
- "CCI-000172",
- "CCI-002234"
+ "CCI-001494",
+ "CCI-001495"
 ],
 "nist": [
- "AU-12 c",
- "AC-6 (9)",
+ "AU-9",
 "Rev_4"
 ],
 "documentable": false
 },
- "code": "control 'V-73479' do\n title \"Windows Server 2016 must be configured to audit System - Other System\n Events failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\n operations and the Windows Firewall service.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73479'\n tag \"rid\": 'SV-88131r2_rule'\n tag \"stig_id\": 'WN16-AU-000400'\n tag \"fix_id\": 'F-79921r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Security Option Audit: Force audit policy subcategory\n settings (Windows Vista or later) to override audit policy category settings\n must be set to Enabled (WN16-SO-000050) for the detailed auditing\n subcategories to be effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Advanced Audit Policy Configuration >> System Audit Policies >>\n System >> Audit Other System Events with Failure selected.\"\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other System Events'\") do\n its('stdout') { should match /Other System Events Failure/ }\n 
end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Other System Events'\") do\n its('stdout') { should match /Other System Events Success and Failure/ }\n end\n end\nend\n", + "code": "control 'V-73411' do\n title \"Event Viewer must be protected from unauthorized modification and\n deletion.\"\n desc \"Protecting audit information also includes identifying and protecting\n the tools used to view and manipulate log data. Therefore, protecting audit\n tools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\n leverage user permissions and roles identifying the user accessing the tools\n and the corresponding rights the user enjoys in order to make access decisions\n regarding the modification or deletion of audit tools.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000257-GPOS-00098'\n tag \"satisfies\": ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000258-GPOS-00099']\n tag \"gid\": 'V-73411'\n tag \"rid\": 'SV-88063r1_rule'\n tag \"stig_id\": 'WN16-AU-000060'\n tag \"fix_id\": 'F-79853r1_fix'\n tag \"cci\": ['CCI-001494', 'CCI-001495']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Navigate to %SystemRoot%\\\\System32.\n\n View the permissions on Eventvwr.exe.\n\n If any groups or accounts other than TrustedInstaller have Full control or\n Modify permissions, this is a finding.\n\n The default permissions below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\n APPLICATION PACKAGES - Read & Execute\"\n desc \"fix\", \"Configure the permissions on the Eventvwr.exe file to prevent\n modification by any groups or accounts other than TrustedInstaller. 
The default\n permissions listed below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\n APPLICATION PACKAGES - Read & Execute\n\n The default location is the %SystemRoot%\\\\ System32 folder.\"\n\n system_root = command('$env:SystemRoot').stdout.strip\n\n describe.one do\n describe file(\"#{system_root}\\\\System32\\\\eventvwr.exe\") do\n it { should be_allowed('read', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('read', by_user: 'BUILTIN\\\\Administrators') }\n it { should be_allowed('read', by_user: 'BUILTIN\\\\Users') }\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\TrustedInstaller') }\n it { should be_allowed('read', by_user: 'APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES') }\n end\n\n describe file(\"#{system_root}\\\\System32\\\\eventvwr.exe\") do\n it { should be_allowed('read', by_user: 'NT AUTHORITY\\\\SYSTEM') }\n it { should be_allowed('read', by_user: 'BUILTIN\\\\Administrators') }\n it { should be_allowed('read', by_user: 'BUILTIN\\\\Users') }\n it { should be_allowed('full-control', by_user: 'NT SERVICE\\\\TrustedInstaller') }\n it { should be_allowed('read', by_user: 'APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES') }\n it { should be_allowed('read', by_user: 'APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES\\\\ALL APPLICATION PACKAGES') }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73479.rb", + "ref": "./Windows 2016 STIG/controls/V-73411.rb", "line": 1 }, - "id": "V-73479" + "id": "V-73411" }, { - "title": "Users with Administrative privileges must have separate accounts for\n administrative duties and normal operational tasks.", - "desc": "Using a privileged account to perform routine functions makes the\n computer vulnerable to malicious software inadvertently introduced during a\n session that has been granted full privileges.", + "title": 
"Zone information must be preserved when saving attachments.", + "desc": "Attachments from outside sources may contain malicious code.\n Preserving zone of origin (Internet, intranet, local, restricted) information\n on file attachments allows Windows to determine risk.", "descriptions": { - "default": "Using a privileged account to perform routine functions makes the\n computer vulnerable to malicious software inadvertently introduced during a\n session that has been granted full privileges.", - "check": "Verify each user with administrative privileges has been\n assigned a unique administrative account separate from their standard user\n account.\n If users with administrative privileges do not have separate accounts for\n administrative functions and standard user functions, this is a finding.", - "fix": "Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties." + "default": "Attachments from outside sources may contain malicious code.\n Preserving zone of origin (Internet, intranet, local, restricted) information\n on file attachments allows Windows to determine risk.", + "check": "The default behavior is for Windows to mark file attachments\n with their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 2, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)", + "fix": "The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If this needs to be corrected, configure the policy value for User\n Configuration >> Administrative Templates >> Windows Components >> Attachment\n Manager 
>> Do not preserve zone information in file attachments to Not\n Configured or Disabled."
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-73217",
- "rid": "SV-87869r1_rule",
- "stig_id": "WN16-00-000010",
- "fix_id": "F-79663r1_fix",
+ "gid": "V-73727",
+ "rid": "SV-88391r1_rule",
+ "stig_id": "WN16-UC-000030",
+ "fix_id": "F-80177r1_fix",
 "cci": [
 "CCI-000366"
 ], 
@@ -9094,20 +9092,20 @@
 ],
 "documentable": false
 },
- "code": "control 'V-73217' do\n title \"Users with Administrative privileges must have separate accounts for\n administrative duties and normal operational tasks.\"\n desc \"Using a privileged account to perform routine functions makes the\n computer vulnerable to malicious software inadvertently introduced during a\n session that has been granted full privileges.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73217'\n tag \"rid\": 'SV-87869r1_rule'\n tag \"stig_id\": 'WN16-00-000010'\n tag \"fix_id\": 'F-79663r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify each user with administrative privileges has been\n assigned a unique administrative account separate from their standard user\n account.\n If users with administrative privileges do not have separate accounts for\n administrative functions and standard user functions, this is a finding.\"\n desc \"fix\", \"Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.\"\n\n describe \"A manual review is required to verify that each user with administrative privileges has a separate account for user duties and one for privileged duties.\" do\n skip \"A manual review is required to verify that each user with administrative privileges has a separate account for user duties and one for privileged duties.\"\n end\nend\n",
+ "code": "control 'V-73727' do\n title 'Zone information must be preserved when saving attachments.'\n desc \"Attachments from outside sources may contain malicious code.\n Preserving zone of origin (Internet, intranet, local, restricted) information\n on file attachments allows Windows to determine risk.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73727'\n tag \"rid\": 'SV-88391r1_rule'\n tag \"stig_id\": 'WN16-UC-000030'\n tag \"fix_id\": 
'F-80177r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"The default behavior is for Windows to mark file attachments\n with their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of 2, this is not a finding.\n\n If it exists and is configured with a value of 1, this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for Windows to mark file attachments with\n their zone information.\n\n If this needs to be corrected, configure the policy value for User\n Configuration >> Administrative Templates >> Windows Components >> Attachment\n Manager >> Do not preserve zone information in file attachments to Not\n Configured or Disabled.\"\n describe.one do\n describe registry_key('HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments') do\n it { should_not have_property 'SaveZoneInformation' }\n end\n describe registry_key('HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments') do\n its('SaveZoneInformation') { should cmp 2 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73217.rb", + "ref": "./Windows 2016 STIG/controls/V-73727.rb", "line": 1 }, - "id": "V-73217" + "id": "V-73727" }, { - "title": "Active Directory Group Policy objects must be configured with proper\n audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. 
The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes Group Policy objects. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", + "title": "Windows Server 2016 must be configured to audit DS Access - Directory\n Service Changes successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. 
A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes Group Policy objects. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for all Group Policy objects.\n\n Open Group Policy Management (available from various menus or run\n gpmc.msc).\n\n Navigate to Group Policy Objects in the domain being reviewed (Forest >>\n Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the Delegation tab in the right pane.\n\n Select the Advanced button.\n\n Select the Advanced button again and then the Auditing tab.\n\n If the audit settings for any Group Policy object are not at least as inclusive\n as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\n groupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\n Object. 
Where Special is listed in the summary screens for Access, detailed\n Permissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\n Properties: all Write type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance - Write\n gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects", - "fix": "Configure the audit settings for Group Policy objects to include\n the following.\n\n This can be done at the Policy level in Active Directory to apply to all group\n policies.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Select Advanced Features from the View Menu.\n\n Navigate to [Domain] >> System >> Policies in the left panel.\n\n Right click Policies, select Properties.\n\n Select the Security tab.\n\n Select the Advanced button.\n\n Select the Auditing tab.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\n groupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\n Object. 
Where Special is listed in the summary screens for Access, detailed\n Permissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\n Properties: all Write type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance - Write\n gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.", + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Success",
+ "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Changes with Success\n selected."
 },
 "impact": 0,
 "refs": [],
@@ -9119,10 +9117,10 @@
 "SRG-OS-000463-GPOS-00207",
 "SRG-OS-000468-GPOS-00212"
 ],
- "gid": "V-73389",
- "rid": "SV-88041r2_rule",
- "stig_id": "WN16-DC-000170",
- "fix_id": "F-86715r2_fix",
+ "gid": "V-73439",
+ "rid": "SV-88091r1_rule",
+ "stig_id": "WN16-DC-000260",
+ "fix_id": "F-79881r1_fix",
 "cci": [
 "CCI-000172",
 "CCI-002234" 
@@ -9134,227 +9132,229 @@ ], "documentable": false }, - "code": "control 'V-73389' do\n title \"Active Directory Group Policy objects must be configured with proper\n audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\n database objects, it may be possible for a user or process to update the data\n without generating any tracking data. The impact of missing audit data is\n related to the type of object. A failure to capture audit data for objects used\n by identification, authentication, or authorization functions could degrade or\n eliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\n the domain naming context of the AD database for which auditing is essential.\n This includes Group Policy objects. Because changes to these objects can\n significantly impact access controls or the availability of systems, the\n absence of auditing data makes it impossible to identify the source of changes\n that impact the confidentiality, integrity, and availability of data and\n systems throughout an AD domain. The lack of proper auditing can result in\n insufficient forensic evidence needed to investigate an incident and prosecute\n the intruder.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73389'\n tag \"rid\": 'SV-88041r2_rule'\n tag \"stig_id\": 'WN16-DC-000170'\n tag \"fix_id\": 'F-86715r2_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for all Group Policy objects.\n\n Open Group Policy Management (available from various menus or run\n gpmc.msc).\n\n Navigate to Group Policy Objects in the domain being reviewed (Forest >>\n Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the Delegation tab in the right pane.\n\n Select the Advanced button.\n\n Select the Advanced button again and then the Auditing tab.\n\n If the audit settings for any Group Policy object are not at least as inclusive\n as those below, this is a finding.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\n groupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\n Object. Where Special is listed in the summary screens for Access, detailed\n Permissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\n Properties: all Write type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed.\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance - Write\n gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects\"\n desc \"fix\", \"Configure the audit settings for Group Policy objects to include\n the following.\n\n This can be done at the Policy level in Active Directory to apply to all group\n policies.\n\n Open Active Directory Users and Computers (available from various menus or\n run dsa.msc).\n\n Select Advanced Features from the View Menu.\n\n Navigate to [Domain] >> System >> Policies in the left panel.\n\n Right click Policies, 
select Properties.\n\n Select the Security tab.\n\n Select the Advanced button.\n\n Select the Auditing tab.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\n groupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\n Object. Where Special is listed in the summary screens for Access, detailed\n Permissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\n Properties: all Write type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance - Write\n gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedNames = json(command: \"Get-ADObject -Filter { objectclass -eq 'groupPolicyContainer'} | foreach {$_.DistinguishedName} | ConvertTo-JSON\").params\n distinguishedNames.each do |distinguishedName|\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Fail\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp /(GenericAll)/ }\n end\n end\n end\n\n describe.one do\n 
acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp /(WriteProperty)|(WriteDacl)/ }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"All\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp /(WriteProperty)/ }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend \n", + "code": "control 'V-73439' do\n title \"Windows Server 2016 must be configured to audit DS Access - Directory\n Service Changes successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\n objects in Active Directory Domain Services.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73439'\n tag \"rid\": 'SV-88091r1_rule'\n tag \"stig_id\": 'WN16-DC-000260'\n tag \"fix_id\": 'F-79881r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Success\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Changes with Success\n selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success' }\n 
end\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Changes'\") do\n its('stdout') { should match /Directory Service Changes Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Changes'\") do\n its('stdout') { should match /Directory Service Changes Success and Failure/ }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73389.rb", + "ref": "./Windows 2016 STIG/controls/V-73439.rb", "line": 1 }, - "id": "V-73389" + "id": "V-73439" }, { - "title": "Anonymous access to Named Pipes and Shares must be restricted.", - "desc": "Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in Network access: Named Pipes that can be accessed\n anonymously and Network access: Shares that can be accessed anonymously,\n both of which must be blank under other requirements.", + "title": "Windows Server 2016 must be configured to at least negotiate signing\n for LDAP client signing.", + "desc": "This setting controls the signing requirements for LDAP clients. This\n must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.", "descriptions": { - "default": "Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. 
This setting restricts access to\n those defined in Network access: Named Pipes that can be accessed\n anonymously and Network access: Shares that can be accessed anonymously,\n both of which must be blank under other requirements.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Restrict anonymous access to Named Pipes and Shares to\n Enabled." + "default": "This setting controls the signing requirements for LDAP clients. This\n must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LDAP\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: LDAP client signing requirements to Negotiate signing\n at a minimum." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-73675", - "rid": "SV-88339r1_rule", - "stig_id": "WN16-SO-000300", - "fix_id": "F-80125r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73693", + "rid": "SV-88357r1_rule", + "stig_id": "WN16-SO-000390", + "fix_id": "F-80143r1_fix", "cci": [ - "CCI-001090" + "CCI-000366" ], "nist": [ - "SC-4", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73675' do\n title 'Anonymous access to Named Pipes and Shares must be restricted.'\n desc \"Allowing anonymous access to named pipes or shares provides the\n potential for unauthorized system access. This setting restricts access to\n those defined in Network access: Named Pipes that can be accessed\n anonymously and Network access: Shares that can be accessed anonymously,\n both of which must be blank under other requirements.\"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73675'\n tag \"rid\": 'SV-88339r1_rule'\n tag \"stig_id\": 'WN16-SO-000300'\n tag \"fix_id\": 'F-80125r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network access: Restrict anonymous access to Named Pipes and Shares to\n Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters') do\n it { should have_property 'restrictnullsessaccess' }\n its('restrictnullsessaccess') 
{ should cmp 1 }\n end\nend\n", + "code": "control 'V-73693' do\n title \"Windows Server 2016 must be configured to at least negotiate signing\n for LDAP client signing.\"\n desc \"This setting controls the signing requirements for LDAP clients. This\n must be set to Negotiate signing or Require signing, depending on the\n environment and type of LDAP server in use.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73693'\n tag \"rid\": 'SV-88357r1_rule'\n tag \"stig_id\": 'WN16-SO-000390'\n tag \"fix_id\": 'F-80143r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP\\\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Network security: LDAP client signing requirements to Negotiate signing\n at a minimum.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP') do\n it { should have_property 'LDAPClientIntegrity' }\n its('LDAPClientIntegrity') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73675.rb", + "ref": "./Windows 2016 STIG/controls/V-73693.rb", "line": 1 }, - "id": "V-73675" + "id": "V-73693" }, { - "title": "Windows SmartScreen must be enabled.", - "desc": "Windows SmartScreen helps protect systems from programs downloaded\n from the internet that may be malicious. 
Enabling SmartScreen will warn users\n of potentially malicious programs.", + "title": "The built-in administrator account must be renamed.", + "desc": "The built-in administrator account is a well-known account subject to\n attack. Renaming this account to an unidentified name improves the protection\n of this account and the system.", "descriptions": { - "default": "Windows SmartScreen helps protect systems from programs downloaded\n from the internet that may be malicious. Enabling SmartScreen will warn users\n of potentially malicious programs.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> File Explorer >> Configure\n Windows SmartScreen to Enabled." + "default": "The built-in administrator account is a well-known account subject to\n attack. Renaming this account to an unidentified name improves the protection\n of this account and the system.", + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Rename administrator account is not set to a\n value other than Administrator, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Rename administrator account to a name other than\n Administrator." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-73559", - "rid": "SV-88223r1_rule", - "stig_id": "WN16-CC-000330", - "fix_id": "F-80009r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73623", + "rid": "SV-88287r1_rule", + "stig_id": "WN16-SO-000030", + "fix_id": "F-80073r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73559' do\n title 'Windows SmartScreen must be enabled.'\n desc \"Windows SmartScreen helps protect systems from programs downloaded\n from the internet that may be malicious. Enabling SmartScreen will warn users\n of potentially malicious programs.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73559'\n tag \"rid\": 'SV-88223r1_rule'\n tag \"stig_id\": 'WN16-CC-000330'\n tag \"fix_id\": 'F-80009r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> Windows Components >> File Explorer >> Configure\n Windows SmartScreen to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'EnableSmartScreen' }\n its('EnableSmartScreen') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73623' do\n title 'The built-in administrator account must be renamed.'\n desc \"The built-in administrator account is a well-known account subject to\n attack. 
Renaming this account to an unidentified name improves the protection\n of this account and the system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73623'\n tag \"rid\": 'SV-88287r1_rule'\n tag \"stig_id\": 'WN16-SO-000030'\n tag \"fix_id\": 'F-80073r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> Security Options.\n\n If the value for Accounts: Rename administrator account is not set to a\n value other than Administrator, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Accounts: Rename administrator account to a name other than\n Administrator.\"\n describe user('Administrator') do\n it { should_not exist }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73559.rb", + "ref": "./Windows 2016 STIG/controls/V-73623.rb", "line": 1 }, - "id": "V-73559" + "id": "V-73623" }, { - "title": "Unencrypted passwords must not be sent to third-party Server Message\n Block (SMB) servers.", - "desc": "Some non-Microsoft SMB servers only support unencrypted (plain-text)\n password authentication. Sending plain-text passwords across the network when\n authenticating to an SMB server reduces the overall security of the\n environment. 
Check with the vendor of the SMB server to determine if there is a\n way to support encrypted password authentication.", + "title": "User Account Control must virtualize file and registry write failures\n to per-user locations.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC-compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.", "descriptions": { - "default": "Some non-Microsoft SMB servers only support unencrypted (plain-text)\n password authentication. Sending plain-text passwords across the network when\n authenticating to an SMB server reduces the overall security of the\n environment. Check with the vendor of the SMB server to determine if there is a\n way to support encrypted password authentication.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft Network Client: Send unencrypted password to third-party SMB\n servers to Disabled." 
+ "default": "User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC-compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.", + "check": "UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Virtualize file and registry write failures to per-user\n locations to Enabled." }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000074-GPOS-00042", - "gid": "V-73657", - "rid": "SV-88321r1_rule", - "stig_id": "WN16-SO-000210", - "fix_id": "F-80107r1_fix", + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-73721", + "rid": "SV-88385r1_rule", + "stig_id": "WN16-SO-000530", + "fix_id": "F-80171r1_fix", "cci": [ - "CCI-000197" + "CCI-001084" ], "nist": [ - "IA-5 (1) (c)", + "SC-3", "Rev_4" ], "documentable": false }, - "code": "control 'V-73657' do\n title \"Unencrypted passwords must not be sent to third-party Server Message\n Block (SMB) servers.\"\n desc \"Some non-Microsoft SMB servers only support unencrypted (plain-text)\n password authentication. Sending plain-text passwords across the network when\n authenticating to an SMB server reduces the overall security of the\n environment. 
Check with the vendor of the SMB server to determine if there is a\n way to support encrypted password authentication.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000074-GPOS-00042'\n tag \"gid\": 'V-73657'\n tag \"rid\": 'SV-88321r1_rule'\n tag \"stig_id\": 'WN16-SO-000210'\n tag \"fix_id\": 'F-80107r1_fix'\n tag \"cci\": ['CCI-000197']\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft Network Client: Send unencrypted password to third-party SMB\n servers to Disabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'EnablePlainTextPassword' }\n its('EnablePlainTextPassword') { should cmp 0 }\n end\nend\n", + "code": "control 'V-73721' do\n title \"User Account Control must virtualize file and registry write failures\n to per-user locations.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the\n elevation of privileges, including administrative accounts, unless authorized.\n This setting configures non-UAC-compliant applications to run in virtualized\n file and registry entries in per-user locations, allowing them to run.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000134-GPOS-00068'\n tag \"gid\": 'V-73721'\n tag \"rid\": 'SV-88385r1_rule'\n tag \"stig_id\": 'WN16-SO-000530'\n tag \"fix_id\": 'F-80171r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"documentable\": false\n 
desc \"check\", \"UAC requirements are NA for Server Core installations (this is\n the default installation option for Windows Server 2016 versus Server with\n Desktop Experience) as well as Nano Server.\n\n If the following registry value does not exist or is not configured as\n specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> User\n Account Control: Virtualize file and registry write failures to per-user\n locations to Enabled.\"\n if registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('ServerCore', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Mgmt', :dword, 1) && registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels').has_property_value?('Server-Gui-Shell', :dword, 1)\n impact 0.0\n desc 'This system is a Server Core Installation, therefore this control is not applicable'\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableVirtualization' }\n its('EnableVirtualization') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73657.rb", + "ref": "./Windows 2016 STIG/controls/V-73721.rb", "line": 1 }, - "id": "V-73657" + "id": "V-73721" }, { - "title": "The Create global objects user right must only be assigned to\n Administrators, Service, Local Service, and Network Service.", - "desc": "Inappropriate granting of user 
rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create global objects user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.", + "title": "Windows Server 2016 must be configured to audit DS Access - Directory\n Service Access failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create global objects user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create\n global objects user right, this is a finding.\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as 
length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create global objects to include only the following accounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service" + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Failure", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Access with Failure\n selected." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73749", - "rid": "SV-88413r1_rule", - "stig_id": "WN16-UR-000100", - "fix_id": "F-80199r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-73437", + "rid": "SV-88089r1_rule", + "stig_id": "WN16-DC-000250", + "fix_id": "F-79879r1_fix", "cci": [ - "CCI-002235" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-6 (10)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ], "documentable": false }, - "code": "control 'V-73749' do\n title \"The Create global objects user right must only be assigned to\n Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Create global objects user right can create objects\n that are available to all sessions, which could affect processes in other\n users' sessions.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73749'\n tag \"rid\": 'SV-88413r1_rule'\n tag \"stig_id\": 'WN16-UR-000100'\n tag \"fix_id\": 'F-80199r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the Create\n global objects user right, this is a finding.\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n 
The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Create global objects to include only the following accounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\"\n describe.one do\n describe security_policy do\n its('SeCreateGlobalPrivilege') { should be_in ['S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'] }\n end\n describe security_policy do\n its('SeCreateGlobalPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control 'V-73437' do\n title \"Windows Server 2016 must be configured to audit DS Access - Directory\n Service Access failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\n Active Directory object.\n\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000327-GPOS-00127'\n tag \"satisfies\": ['SRG-OS-000327-GPOS-00127', 'SRG-OS-000458-GPOS-00203',\n 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212']\n tag \"gid\": 'V-73437'\n tag \"rid\": 'SV-88089r1_rule'\n tag \"stig_id\": 'WN16-DC-000250'\n tag \"fix_id\": 'F-79879r1_fix'\n tag \"cci\": ['CCI-000172', 'CCI-002234']\n tag \"nist\": ['AU-12 c', 'AC-6 (9)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Security Option Audit: Force audit policy subcategory settings (Windows Vista\n or later) to override audit policy category settings must be set to\n Enabled (WN16-SO-000050) for the detailed auditing subcategories to be\n effective.\n\n Use the AuditPol tool to review the current Audit Policy configuration:\n\n Open an elevated Command Prompt (run as administrator).\n\n Enter AuditPol /get /category:*.\n\n Compare the AuditPol settings with the following.\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Failure\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Advanced Audit Policy Configuration >> System\n Audit Policies >> DS Access >> Directory Service Access with Failure\n selected.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Access') { should eq 'Failure' }\n end\n describe 
audit_policy do\n its('Directory Service Access') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Access'\") do\n its('stdout') { should match /Directory Service Access Failure'/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Directory Service Access'\") do\n its('stdout') { should match /Directory Service Access Success and Failure/ }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73749.rb", + "ref": "./Windows 2016 STIG/controls/V-73437.rb", "line": 1 }, - "id": "V-73749" + "id": "V-73437" }, { - "title": "Data files owned by users must be on a different logical partition\n from the directory server data files.", - "desc": "When directory service data files, especially for directories used for\n identification, authentication, or authorization, reside on the same logical\n partition as user-owned files, the directory service data may be more\n vulnerable to unauthorized access or other availability compromises. 
Directory\n service and user-owned data files sharing a partition may be configured with\n less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when\n user-owned files on a common partition are expanded to an extent preventing the\n directory service from acquiring more space for directory or audit data.", + "title": "The network selection user interface (UI) must not be displayed on the\n logon screen.", + "desc": "Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing in to Windows.", "descriptions": { - "default": "When directory service data files, especially for directories used for\n identification, authentication, or authorization, reside on the same logical\n partition as user-owned files, the directory service data may be more\n vulnerable to unauthorized access or other availability compromises. Directory\n service and user-owned data files sharing a partition may be configured with\n less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when\n user-owned files on a common partition are expanded to an extent preventing the\n directory service from acquiring more space for directory or audit data.", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Run Regedit.\n\n Navigate to\n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters.\n\n Note the directory locations in the values for DSA Database file.\n\n Open Command Prompt.\n\n Enter net share.\n\n Note the logical drive(s) or file system partition for any organization-created\n data shares.\n\n Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending\n in $). 
User shares that are hidden (ending with $) should not be ignored.\n\n If user shares are located on the same logical partition as the directory\n server data files, this is a finding.", - "fix": "Move shares used to store files owned by users to a different\n logical partition than the directory server data files." + "default": "Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing in to Windows.", + "check": "Verify the registry value below. If it does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> Do not display network\n selection UI to Enabled." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-73379", - "rid": "SV-88031r1_rule", - "stig_id": "WN16-DC-000120", - "fix_id": "F-79821r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-73531", + "rid": "SV-88185r1_rule", + "stig_id": "WN16-CC-000180", + "fix_id": "F-79973r1_fix", "cci": [ - "CCI-001090" + "CCI-000381" ], "nist": [ - "SC-4", + "CM-7 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73379' do\n title \"Data files owned by users must be on a different logical partition\n from the directory server data files.\"\n desc \"When directory service data files, especially for directories used for\n identification, authentication, or authorization, reside on the same logical\n partition as user-owned files, the directory service data may be more\n vulnerable to unauthorized access or other availability compromises. 
Directory\n service and user-owned data files sharing a partition may be configured with\n less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when\n user-owned files on a common partition are expanded to an extent preventing the\n directory service from acquiring more space for directory or audit data.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000138-GPOS-00069'\n tag \"gid\": 'V-73379'\n tag \"rid\": 'SV-88031r1_rule'\n tag \"stig_id\": 'WN16-DC-000120'\n tag \"fix_id\": 'F-79821r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Run Regedit.\n\n Navigate to\n HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters.\n\n Note the directory locations in the values for DSA Database file.\n\n Open Command Prompt.\n\n Enter net share.\n\n Note the logical drive(s) or file system partition for any organization-created\n data shares.\n\n Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending\n in $). 
User shares that are hidden (ending with $) should not be ignored.\n\n If user shares are located on the same logical partition as the directory\n server data files, this is a finding.\"\n desc \"fix\", \"Move shares used to store files owned by users to a different\n logical partition than the directory server data files.\"\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n get_registry_value = command(\"Get-ItemProperty -Path 'HKLM:\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters' | Findstr /c:'DSA Database file'\").stdout.strip\n database_file = get_registry_value[51..80]\n share_names = []\n share_paths = []\n get = command('Get-WMIObject -Query \"SELECT * FROM Win32_Share\" | Findstr /V \"Name --\"').stdout.strip.split(\"\\n\")\n \n get.each do |share|\n loc_space = share.index(' ')\n \n names = share[0..loc_space-1]\n if names != 'C$' && names != 'ADMIN$' && names != 'SYSVOL'\n share_names.push(names)\n path = share[9..50]\n share_paths.push(path)\n end\n end\n share_paths.each do |paths|\n describe \"The share path #{paths}\" do\n subject { paths }\n it { should_not eq database_file }\n end\n end\n end\n\n if !(domain_role == '4') && !(domain_role == '5')\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control 'V-73531' do\n title \"The network selection user interface (UI) must not be displayed on the\n logon screen.\"\n desc \"Enabling interaction with the network selection UI allows users to\n change connections to available networks without signing in to Windows.\"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000095-GPOS-00049'\n tag \"gid\": 'V-73531'\n tag \"rid\": 'SV-88185r1_rule'\n 
tag \"stig_id\": 'WN16-CC-000180'\n tag \"fix_id\": 'F-79973r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the registry value below. If it does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Logon >> Do not display network\n selection UI to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'DontDisplayNetworkSelectionUI' }\n its('DontDisplayNetworkSelectionUI') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73379.rb", + "ref": "./Windows 2016 STIG/controls/V-73531.rb", "line": 1 }, - "id": "V-73379" + "id": "V-73531" }, { - "title": "The amount of idle time required before suspending a session must be\n configured to 15 minutes or less.", - "desc": "Open sessions can increase the avenues of attack on a system. This\n setting is used to control when a computer disconnects an inactive SMB session.\n If client activity resumes, the session is automatically reestablished. This\n protects critical and sensitive network data from exposure to unauthorized\n personnel with physical access to the computer.", + "title": "Audit policy using subcategories must be enabled.", + "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\n capabilities.", "descriptions": { - "default": "Open sessions can increase the avenues of attack on a system. This\n setting is used to control when a computer disconnects an inactive SMB session.\n If client activity resumes, the session is automatically reestablished. This\n protects critical and sensitive network data from exposure to unauthorized\n personnel with physical access to the computer.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: autodisconnect\n\n Value Type: REG_DWORD\n Value: 0x0000000f (15) (or less)", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft Network Server: Amount of idle time required before suspending\n session to 15 minutes or less." + "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\n capabilities.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Audit:\n Force audit policy subcategory settings (Windows Vista or later) to override\n audit policy category settings to Enabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000163-GPOS-00072", - "satisfies": [ - "SRG-OS-000163-GPOS-00072", - "SRG-OS-000279-GPOS-00109" - ], - "gid": "V-73659", - "rid": "SV-88323r1_rule", - "stig_id": "WN16-SO-000220", - "fix_id": "F-80109r1_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "gid": "V-73627", + "rid": "SV-88291r1_rule", + "stig_id": "WN16-SO-000050", + "fix_id": "F-80077r1_fix", "cci": [ - "CCI-001133", - "CCI-002361" + "CCI-000169" ], "nist": [ - "SC-10", - "AC-12", + "AU-12 a", "Rev_4" ], "documentable": false }, - "code": "control 'V-73659' do\n title \"The amount of idle time required before suspending a session must be\n configured to 15 minutes or less.\"\n desc \"Open sessions can increase the avenues of attack on a system. This\n setting is used to control when a computer disconnects an inactive SMB session.\n If client activity resumes, the session is automatically reestablished. 
This\n protects critical and sensitive network data from exposure to unauthorized\n personnel with physical access to the computer.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000163-GPOS-00072'\n tag \"satisfies\": ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000279-GPOS-00109']\n tag \"gid\": 'V-73659'\n tag \"rid\": 'SV-88323r1_rule'\n tag \"stig_id\": 'WN16-SO-000220'\n tag \"fix_id\": 'F-80109r1_fix'\n tag \"cci\": ['CCI-001133', 'CCI-002361']\n tag \"nist\": ['SC-10', 'AC-12', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: autodisconnect\n\n Value Type: REG_DWORD\n Value: 0x0000000f (15) (or less)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >>\n Microsoft Network Server: Amount of idle time required before suspending\n session to 15 minutes or less.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'AutoDisconnect' }\n its('AutoDisconnect') { should be <= 15 }\n end\nend\n", + "code": "control 'V-73627' do\n title 'Audit policy using subcategories must be enabled.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\n capabilities.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000062-GPOS-00031'\n tag \"gid\": 'V-73627'\n tag \"rid\": 'SV-88291r1_rule'\n tag \"stig_id\": 'WN16-SO-000050'\n tag \"fix_id\": 'F-80077r1_fix'\n tag \"cci\": ['CCI-000169']\n tag \"nist\": ['AU-12 a', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> Security Options >> Audit:\n Force audit policy subcategory settings (Windows Vista or later) to override\n audit policy category settings to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'SCENoApplyLegacyAuditPolicy' }\n its('SCENoApplyLegacyAuditPolicy') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73659.rb", + "ref": "./Windows 2016 STIG/controls/V-73627.rb", "line": 1 }, - "id": "V-73659" + "id": "V-73627" }, { - "title": "The Act as part of the operating system user right must not be\n assigned to any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Act as part of the operating system user right can\n assume the identity of any user and gain 
access to resources that the user is\n authorized to access. Any accounts with this right can take complete control of\n a system.", + "title": "Active Directory Group Policy objects must have proper access control\n permissions.", + "desc": "When directory service database objects do not have appropriate access\n control permissions, it may be possible for malicious users to create, read,\n update, or delete the objects and degrade or destroy the integrity of the data.\n When the directory service is used for identification, authentication, or\n authorization functions, a compromise of the database objects could lead to a\n compromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\n attention. In a distributed administration model (i.e., help desk), Group\n Policy objects are more likely to have access permissions changed from the\n secure defaults. If inappropriate access permissions are defined for Group\n Policy objects, this could allow an intruder to change the security policy\n applied to all domain client computers (workstations and servers).", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Act as part of the operating system user right can\n assume the identity of any user and gain access to resources that the user is\n authorized to access. 
Any accounts with this right can take complete control of\n a system.", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups (to include administrators), are granted the Act as\n part of the operating system user right, this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for accounts with this user right must be protected as highly\n privileged accounts.", - "fix": "Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Act as part of the operating system to be defined but containing no entries\n (blank)." + "default": "When directory service database objects do not have appropriate access\n control permissions, it may be possible for malicious users to create, read,\n update, or delete the objects and degrade or destroy the integrity of the data.\n When the directory service is used for identification, authentication, or\n authorization functions, a compromise of the database objects could lead to a\n compromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\n attention. In a distributed administration model (i.e., help desk), Group\n Policy objects are more likely to have access permissions changed from the\n secure defaults. 
If inappropriate access permissions are defined for Group\n Policy objects, this could allow an intruder to change the security policy\n applied to all domain client computers (workstations and servers).", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on Group Policy objects.\n\n Open Group Policy Management (available from various menus or run\n gpmc.msc).\n\n Navigate to Group Policy Objects in the domain being reviewed (Forest >>\n Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the Delegation tab in the right pane.\n\n Select the Advanced button.\n\n Select each Group or user name.\n\n View the permissions.\n\n If any standard user accounts or groups have Allow permissions greater than\n Read and Apply group policy, this is a finding.\n\n Other access permissions that allow the objects to be updated are considered\n findings unless specifically documented by the ISSO.\n\n The default permissions noted below satisfy this requirement.\n\n The permissions shown are at the summary level. 
More detailed permissions can\n be viewed by selecting the next Advanced button, the desired Permission\n entry, and the Edit button.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type Properties.\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n The special permissions for the following default groups are not the focus of\n this requirement and may include a wide range of permissions and properties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\n Special permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n The Domain Admins and Enterprise Admins will not have the Delete all child\n objects permission on the two default Group Policy objects: Default Domain\n Policy and Default Domain Controllers Policy. They will have this permission on\n organization created Group Policy objects.", + "fix": "Maintain the permissions on Group Policy objects to not allow\n greater than Read and Apply group policy for standard user accounts or\n groups. 
The default permissions below meet this requirement.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type Properties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\n Special permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n Document any other access permissions that allow the objects to be updated with\n the ISSO.\n\n The Domain Admins and Enterprise Admins will not have the Delete all child\n objects permission on the two default Group Policy objects: Default Domain\n Policy and Default Domain Controllers Policy. They will have this permission on\n created Group Policy objects." }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-73735", - "rid": "SV-88399r1_rule", - "stig_id": "WN16-UR-000030", - "fix_id": "F-80185r1_fix", + "gid": "V-73373", + "rid": "SV-88025r1_rule", + "stig_id": "WN16-DC-000090", + "fix_id": "F-79815r1_fix", "cci": [ "CCI-002235" ], 
@@ -9364,1565 +9364,1565 @@ ], "documentable": false }, - "code": "control 'V-73735' do\n title \"The Act as part of the operating system user right must not be\n assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\n administrative, and other high-level capabilities.\n\n Accounts with the Act as part of the operating system user right can\n assume the identity of any user and gain access to resources that the user is\n authorized to access. Any accounts with this right can take complete control of\n a system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73735'\n tag \"rid\": 'SV-88399r1_rule'\n tag \"stig_id\": 'WN16-UR-000030'\n tag \"fix_id\": 'F-80185r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run gpedit.msc.\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings\n >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups (to include administrators), are granted the Act as\n part of the operating system user right, this is a finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\n passwords, such as length (WN16-00-000060) and required frequency of changes\n (WN16-00-000070).\n\n Passwords for accounts with this user right must be protected as highly\n privileged accounts.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows\n Settings >> Security Settings >> Local Policies >> User Rights Assignment >>\n Act as part of the operating system to be defined but containing no entries\n (blank).\"\n 
describe security_policy do\n its('SeTcbPrivilege') { should eq [] }\n end\nend\n", + "code": "control 'V-73373' do\n title \"Active Directory Group Policy objects must have proper access control\n permissions.\"\n desc \"When directory service database objects do not have appropriate access\n control permissions, it may be possible for malicious users to create, read,\n update, or delete the objects and degrade or destroy the integrity of the data.\n When the directory service is used for identification, authentication, or\n authorization functions, a compromise of the database objects could lead to a\n compromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\n attention. In a distributed administration model (i.e., help desk), Group\n Policy objects are more likely to have access permissions changed from the\n secure defaults. If inappropriate access permissions are defined for Group\n Policy objects, this could allow an intruder to change the security policy\n applied to all domain client computers (workstations and servers).\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-OS-000324-GPOS-00125'\n tag \"gid\": 'V-73373'\n tag \"rid\": 'SV-88025r1_rule'\n tag \"stig_id\": 'WN16-DC-000090'\n tag \"fix_id\": 'F-79815r1_fix'\n tag \"cci\": ['CCI-002235']\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the permissions on Group Policy objects.\n\n Open Group Policy Management (available from various menus or run\n gpmc.msc).\n\n Navigate to Group Policy Objects in the domain being reviewed (Forest >>\n Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the Delegation tab in the right pane.\n\n Select the Advanced button.\n\n Select each Group or user name.\n\n View the permissions.\n\n If any standard user accounts or groups have Allow permissions greater than\n Read and Apply group policy, this is a finding.\n\n Other access permissions that allow the objects to be updated are considered\n findings unless specifically documented by the ISSO.\n\n The default permissions noted below satisfy this requirement.\n\n The permissions shown are at the summary level. More detailed permissions can\n be viewed by selecting the next Advanced button, the desired Permission\n entry, and the Edit button.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type Properties.\n If detailed permissions include any Create, Delete, Modify, or Write\n Permissions or Properties, this is a finding.\n\n The special permissions for the following default groups are not the focus of\n this requirement and may include a wide range of permissions and properties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\n Special permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n The Domain Admins and Enterprise Admins will not have the Delete all child\n objects permission on the two default Group Policy 
objects: Default Domain\n Policy and Default Domain Controllers Policy. They will have this permission on\n organization created Group Policy objects.\"\n desc \"fix\", \"Maintain the permissions on Group Policy objects to not allow\n greater than Read and Apply group policy for standard user accounts or\n groups. The default permissions below meet this requirement.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type Properties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\n Special permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\n objects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n Document any other access permissions that allow the objects to be updated with\n the ISSO.\n\n The Domain Admins and Enterprise Admins will not have the Delete all child\n objects permission on the two default Group Policy objects: Default Domain\n Policy and Default Domain Controllers Policy. They will have this permission on\n created Group Policy objects.\"\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 'A manual review is required to ensure all Group Policies have the correct permisions' do\n skip 'A manual review is required to ensure all Group Policies have the correct permisions'\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable.' 
do\n skip 'This system is not a domain controller, therefore this control is not applicable.'\n end\n end\nend", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73735.rb", + "ref": "./Windows 2016 STIG/controls/V-73373.rb", "line": 1 }, - "id": "V-73735" + "id": "V-73373" }, { - "title": "Command line data must be included in process creation events.", - "desc": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling Include command line data for process creation events will\n record the command line information with the process creation events in the\n log. This can provide additional detail when malware has run on a system.", + "title": "Windows Server 2016 must be configured to prevent Internet Control\n Message Protocol (ICMP) redirects from overriding Open Shortest Path First\n (OSPF)-generated routes.", + "desc": "Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. When disabled, this forces ICMP to be routed via the shortest path\n first.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. 
Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling Include command line data for process creation events will\n record the command line information with the process creation events in the\n log. This can provide additional detail when malware has run on a system.", - "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Audit Process Creation >> Include\n command line in process creation events to Enabled." + "default": "Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. When disabled, this forces ICMP to be routed via the shortest path\n first.", + "check": "If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (EnableICMPRedirect) Allow\n ICMP redirects to override OSPF generated routes to Disabled.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\Windows\\PolicyDefinitions and\n \\Windows\\PolicyDefinitions\\en-US directories respectively." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000042-GPOS-00020", - "gid": "V-73511", - "rid": "SV-88163r1_rule", - "stig_id": "WN16-CC-000100", - "fix_id": "F-79953r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-73503", + "rid": "SV-88155r1_rule", + "stig_id": "WN16-CC-000060", + "fix_id": "F-79945r1_fix", "cci": [ - "CCI-000135" + "CCI-000366" ], "nist": [ - "AU-3 (1)", + "CM-6 b", "Rev_4" ], "documentable": false }, - "code": "control 'V-73511' do\n title 'Command line data must be included in process creation events.'\n desc \"Maintaining an audit trail of system activity logs can help identify\n configuration errors, troubleshoot service disruptions, and analyze compromises\n that have occurred, as well as detect attacks. Audit logs are necessary to\n provide a trail of evidence in case the system or network is compromised.\n Collecting this data is essential for analyzing the security of information\n assets and detecting signs of suspicious and unexpected behavior.\n\n Enabling Include command line data for process creation events will\n record the command line information with the process creation events in the\n log. 
This can provide additional detail when malware has run on a system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-OS-000042-GPOS-00020'\n tag \"gid\": 'V-73511'\n tag \"rid\": 'SV-88163r1_rule'\n tag \"stig_id\": 'WN16-CC-000100'\n tag \"fix_id\": 'F-79953r1_fix'\n tag \"cci\": ['CCI-000135']\n tag \"nist\": ['AU-3 (1)', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Audit\\\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> System >> Audit Process Creation >> Include\n command line in process creation events to Enabled.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Audit') do\n it { should have_property 'ProcessCreationIncludeCmdLine_Enabled' }\n its('ProcessCreationIncludeCmdLine_Enabled') { should cmp 1 }\n end\nend\n", + "code": "control 'V-73503' do\n title \"Windows Server 2016 must be configured to prevent Internet Control\n Message Protocol (ICMP) redirects from overriding Open Shortest Path First\n (OSPF)-generated routes.\"\n desc \"Allowing ICMP redirect of routes can lead to traffic not being routed\n properly. 
When disabled, this forces ICMP to be routed via the shortest path\n first.\"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000480-GPOS-00227'\n tag \"gid\": 'V-73503'\n tag \"rid\": 'SV-88155r1_rule'\n tag \"stig_id\": 'WN16-CC-000060'\n tag \"fix_id\": 'F-79945r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"documentable\": false\n desc \"check\", \"If the following registry value does not exist or is not\n configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >>\n Administrative Templates >> MSS (Legacy) >> MSS: (EnableICMPRedirect) Allow\n ICMP redirects to override OSPF generated routes to Disabled.\n\n This policy setting requires the installation of the MSS-Legacy custom\n templates included with the STIG package. 
MSS-Legacy.admx and\n MSS-Legacy.adml must be copied to the \\\\Windows\\\\PolicyDefinitions and\n \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters') do\n it { should have_property 'EnableICMPRedirect' }\n its('EnableICMPRedirect') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2016 STIG/controls/V-73511.rb", + "ref": "./Windows 2016 STIG/controls/V-73503.rb", "line": 1 }, - "id": "V-73511" + "id": "V-73503" } ], "groups": [ { "title": null, "controls": [ - "V-73237" + "V-73631" ], - "id": "controls/V-73237.rb" + "id": "controls/V-73631.rb" }, { "title": null, "controls": [ - "V-73305" + "V-73295" ], - "id": "controls/V-73305.rb" + "id": "controls/V-73295.rb" }, { "title": null, "controls": [ - "V-73467" + "V-73487" ], - "id": "controls/V-73467.rb" + "id": "controls/V-73487.rb" }, { "title": null, "controls": [ - "V-73691" + "V-73753" ], - "id": "controls/V-73691.rb" + "id": "controls/V-73753.rb" }, { "title": null, "controls": [ - "V-73795" + "V-73787" ], - "id": "controls/V-73795.rb" + "id": "controls/V-73787.rb" }, { "title": null, "controls": [ - "V-73303" + "V-73223" ], - "id": "controls/V-73303.rb" + "id": "controls/V-73223.rb" }, { "title": null, "controls": [ - "V-73587" + "V-73239" ], - "id": "controls/V-73587.rb" + "id": "controls/V-73239.rb" }, { "title": null, "controls": [ - "V-73269" + "V-73235" ], - "id": "controls/V-73269.rb" + "id": "controls/V-73235.rb" }, { "title": null, "controls": [ - "V-73553" + "V-73649" ], - "id": "controls/V-73553.rb" + "id": "controls/V-73649.rb" }, { "title": null, "controls": [ - "V-73763" + "V-73405" ], - "id": "controls/V-73763.rb" + "id": "controls/V-73405.rb" }, { "title": null, "controls": [ - "V-73721" + "V-78123" ], - "id": "controls/V-73721.rb" + "id": "controls/V-78123.rb" }, { "title": null, "controls": [ - "V-73803" + "V-73477" ], - "id": 
"controls/V-73803.rb" + "id": "controls/V-73477.rb" }, { "title": null, "controls": [ - "V-78123" + "V-73615" ], - "id": "controls/V-78123.rb" + "id": "controls/V-73615.rb" }, { "title": null, "controls": [ - "V-73569" + "V-73777" ], - "id": "controls/V-73569.rb" + "id": "controls/V-73777.rb" }, { "title": null, "controls": [ - "V-73273" + "V-73443" ], - "id": "controls/V-73273.rb" + "id": "controls/V-73443.rb" }, { "title": null, "controls": [ - "V-73473" + "V-73507" ], - "id": "controls/V-73473.rb" + "id": "controls/V-73507.rb" }, { "title": null, "controls": [ - "V-73377" + "V-73367" ], - "id": "controls/V-73377.rb" + "id": "controls/V-73367.rb" }, { "title": null, "controls": [ - "V-73261" + "V-73801" ], - "id": "controls/V-73261.rb" + "id": "controls/V-73801.rb" }, { "title": null, "controls": [ - "V-73629" + "V-73325" ], - "id": "controls/V-73629.rb" + "id": "controls/V-73325.rb" }, { "title": null, "controls": [ - "V-73265" + "V-73665" ], - "id": "controls/V-73265.rb" + "id": "controls/V-73665.rb" }, { "title": null, "controls": [ - "V-73687" + "V-73695" ], - "id": "controls/V-73687.rb" + "id": "controls/V-73695.rb" }, { "title": null, "controls": [ - "V-73583" + "V-73525" ], - "id": "controls/V-73583.rb" + "id": "controls/V-73525.rb" }, { "title": null, "controls": [ - "V-73459" + "V-73603" ], - "id": "controls/V-73459.rb" + "id": "controls/V-73603.rb" }, { "title": null, "controls": [ - "V-73705" + "V-73469" ], - "id": "controls/V-73705.rb" + "id": "controls/V-73469.rb" }, { "title": null, "controls": [ - "V-73791" + "V-73663" ], - "id": "controls/V-73791.rb" + "id": "controls/V-73663.rb" }, { "title": null, "controls": [ - "V-73493" + "V-73655" ], - "id": "controls/V-73493.rb" + "id": "controls/V-73655.rb" }, { "title": null, "controls": [ - "V-73699" + "V-73455" ], - "id": "controls/V-73699.rb" + "id": "controls/V-73455.rb" }, { "title": null, "controls": [ - "V-73807" + "V-73387" ], - "id": "controls/V-73807.rb" + "id": "controls/V-73387.rb" }, { 
"title": null, "controls": [ - "V-73245" + "V-73397" ], - "id": "controls/V-73245.rb" + "id": "controls/V-73397.rb" }, { "title": null, "controls": [ - "V-73281" + "V-73217" ], - "id": "controls/V-73281.rb" + "id": "controls/V-73217.rb" }, { "title": null, "controls": [ - "V-73717" + "V-73771" ], - "id": "controls/V-73717.rb" + "id": "controls/V-73771.rb" }, { "title": null, "controls": [ - "V-73415" + "V-73751" ], - "id": "controls/V-73415.rb" + "id": "controls/V-73751.rb" }, { "title": null, "controls": [ - "V-73625" + "V-73361" ], - "id": "controls/V-73625.rb" + "id": "controls/V-73361.rb" }, { "title": null, "controls": [ - "V-73315" + "V-73675" ], - "id": "controls/V-73315.rb" + "id": "controls/V-73675.rb" }, { "title": null, "controls": [ - "V-73247" + "V-73767" ], - "id": "controls/V-73247.rb" + "id": "controls/V-73767.rb" }, { "title": null, "controls": [ - "V-73359" + "V-73755" ], - "id": "controls/V-73359.rb" + "id": "controls/V-73755.rb" }, { "title": null, "controls": [ - "V-73733" + "V-73757" ], - "id": "controls/V-73733.rb" + "id": "controls/V-73757.rb" }, { "title": null, "controls": [ - "V-73451" + "V-73647" ], - "id": "controls/V-73451.rb" + "id": "controls/V-73647.rb" }, { "title": null, "controls": [ - "V-73411" + "V-73741" ], - "id": "controls/V-73411.rb" + "id": "controls/V-73741.rb" }, { "title": null, "controls": [ - "V-73393" + "V-73685" ], - "id": "controls/V-73393.rb" + "id": "controls/V-73685.rb" }, { "title": null, "controls": [ - "V-73689" + "V-73255" ], - "id": "controls/V-73689.rb" + "id": "controls/V-73255.rb" }, { "title": null, "controls": [ - "V-73463" + "V-73467" ], - "id": "controls/V-73463.rb" + "id": "controls/V-73467.rb" }, { "title": null, "controls": [ - "V-73283" + "V-73765" ], - "id": "controls/V-73283.rb" + "id": "controls/V-73765.rb" }, { "title": null, "controls": [ - "V-73443" + "V-73749" ], - "id": "controls/V-73443.rb" + "id": "controls/V-73749.rb" }, { "title": null, "controls": [ - "V-73435" + "V-73445" ], - "id": 
"controls/V-73435.rb" + "id": "controls/V-73445.rb" }, { "title": null, "controls": [ - "V-73563" + "V-73479" ], - "id": "controls/V-73563.rb" + "id": "controls/V-73479.rb" }, { "title": null, "controls": [ - "V-73481" + "V-73573" ], - "id": "controls/V-73481.rb" + "id": "controls/V-73573.rb" }, { "title": null, "controls": [ - "V-73601" + "V-73463" ], - "id": "controls/V-73601.rb" + "id": "controls/V-73463.rb" }, { "title": null, "controls": [ - "V-73491" + "V-73475" ], - "id": "controls/V-73491.rb" + "id": "controls/V-73475.rb" }, { "title": null, "controls": [ - "V-73295" + "V-73635" ], - "id": "controls/V-73295.rb" + "id": "controls/V-73635.rb" }, { "title": null, "controls": [ - "V-73635" + "V-73225" ], - "id": "controls/V-73635.rb" + "id": "controls/V-73225.rb" }, { "title": null, "controls": [ - "V-73725" + "V-73371" ], - "id": "controls/V-73725.rb" + "id": "controls/V-73371.rb" }, { "title": null, "controls": [ - "V-73727" + "V-73591" ], - "id": "controls/V-73727.rb" + "id": "controls/V-73591.rb" }, { "title": null, "controls": [ - "V-73645" + "V-73315" ], - "id": "controls/V-73645.rb" + "id": "controls/V-73315.rb" }, { "title": null, "controls": [ - "V-73709" + "V-73375" ], - "id": "controls/V-73709.rb" + "id": "controls/V-73375.rb" }, { "title": null, "controls": [ - "V-73241" + "V-73309" ], - "id": "controls/V-73241.rb" + "id": "controls/V-73309.rb" }, { "title": null, "controls": [ - "V-73703" + "V-73701" ], - "id": "controls/V-73703.rb" + "id": "controls/V-73701.rb" }, { "title": null, "controls": [ - "V-73325" + "V-73707" ], - "id": "controls/V-73325.rb" + "id": "controls/V-73707.rb" }, { "title": null, "controls": [ - "V-73457" + "V-73391" ], - "id": "controls/V-73457.rb" + "id": "controls/V-73391.rb" }, { "title": null, "controls": [ - "V-73423" + "V-73317" ], - "id": "controls/V-73423.rb" + "id": "controls/V-73317.rb" }, { "title": null, "controls": [ - "V-73527" + "V-73249" ], - "id": "controls/V-73527.rb" + "id": "controls/V-73249.rb" }, { 
"title": null, "controls": [ - "V-73531" + "V-73261" ], - "id": "controls/V-73531.rb" + "id": "controls/V-73261.rb" }, { "title": null, "controls": [ - "V-73447" + "V-73359" ], - "id": "controls/V-73447.rb" + "id": "controls/V-73359.rb" }, { "title": null, "controls": [ - "V-73649" + "V-73575" ], - "id": "controls/V-73649.rb" + "id": "controls/V-73575.rb" }, { "title": null, "controls": [ - "V-73365" + "V-73599" ], - "id": "controls/V-73365.rb" + "id": "controls/V-73599.rb" }, { "title": null, "controls": [ - "V-73611" + "V-73441" ], - "id": "controls/V-73611.rb" + "id": "controls/V-73441.rb" }, { "title": null, "controls": [ - "V-73469" + "V-73677" ], - "id": "controls/V-73469.rb" + "id": "controls/V-73677.rb" }, { "title": null, "controls": [ - "V-73297" + "V-73541" ], - "id": "controls/V-73297.rb" + "id": "controls/V-73541.rb" }, { "title": null, "controls": [ - "V-73693" + "V-73481" ], - "id": "controls/V-73693.rb" + "id": "controls/V-73481.rb" }, { "title": null, "controls": [ - "V-73567" + "V-73473" ], - "id": "controls/V-73567.rb" + "id": "controls/V-73473.rb" }, { "title": null, "controls": [ - "V-73761" + "V-73717" ], - "id": "controls/V-73761.rb" + "id": "controls/V-73717.rb" }, { "title": null, "controls": [ - "V-73613" + "V-73491" ], - "id": "controls/V-73613.rb" + "id": "controls/V-73491.rb" }, { "title": null, "controls": [ - "V-73255" + "V-73383" ], - "id": "controls/V-73255.rb" + "id": "controls/V-73383.rb" }, { "title": null, "controls": [ - "V-73615" + "V-73461" ], - "id": "controls/V-73615.rb" + "id": "controls/V-73461.rb" }, { "title": null, "controls": [ - "V-73779" + "V-73585" ], - "id": "controls/V-73779.rb" + "id": "controls/V-73585.rb" }, { "title": null, "controls": [ - "V-73489" + "V-73715" ], - "id": "controls/V-73489.rb" + "id": "controls/V-73715.rb" }, { "title": null, "controls": [ - "V-73385" + "V-73419" ], - "id": "controls/V-73385.rb" + "id": "controls/V-73419.rb" }, { "title": null, "controls": [ - "V-73781" + "V-73459" ], - "id": 
"controls/V-73781.rb" + "id": "controls/V-73459.rb" }, { "title": null, "controls": [ - "V-73387" + "V-73285" ], - "id": "controls/V-73387.rb" + "id": "controls/V-73285.rb" }, { "title": null, "controls": [ - "V-73599" + "V-73567" ], - "id": "controls/V-73599.rb" + "id": "controls/V-73567.rb" }, { "title": null, "controls": [ - "V-73665" + "V-73643" ], - "id": "controls/V-73665.rb" + "id": "controls/V-73643.rb" }, { "title": null, "controls": [ - "V-73453" + "V-73583" ], - "id": "controls/V-73453.rb" + "id": "controls/V-73583.rb" }, { "title": null, "controls": [ - "V-73259" + "V-73267" ], - "id": "controls/V-73259.rb" + "id": "controls/V-73267.rb" }, { "title": null, "controls": [ - "V-73765" + "V-73697" ], - "id": "controls/V-73765.rb" + "id": "controls/V-73697.rb" }, { "title": null, "controls": [ - "V-73679" + "V-73651" ], - "id": "controls/V-73679.rb" + "id": "controls/V-73651.rb" }, { "title": null, "controls": [ - "V-73571" + "V-73799" ], - "id": "controls/V-73571.rb" + "id": "controls/V-73799.rb" }, { "title": null, "controls": [ - "V-73299" + "V-73797" ], - "id": "controls/V-73299.rb" + "id": "controls/V-73797.rb" }, { "title": null, "controls": [ - "V-73581" + "V-73669" ], - "id": "controls/V-73581.rb" + "id": "controls/V-73669.rb" }, { "title": null, "controls": [ - "V-73449" + "V-73297" ], - "id": "controls/V-73449.rb" + "id": "controls/V-73297.rb" }, { "title": null, "controls": [ - "V-73773" + "V-73427" ], - "id": "controls/V-73773.rb" + "id": "controls/V-73427.rb" }, { "title": null, "controls": [ - "V-73771" + "V-73745" ], - "id": "controls/V-73771.rb" + "id": "controls/V-73745.rb" }, { "title": null, "controls": [ - "V-73633" + "V-73227" ], - "id": "controls/V-73633.rb" + "id": "controls/V-73227.rb" }, { "title": null, "controls": [ - "V-73257" + "V-73671" ], - "id": "controls/V-73257.rb" + "id": "controls/V-73671.rb" }, { "title": null, "controls": [ - "V-73301" + "V-73719" ], - "id": "controls/V-73301.rb" + "id": "controls/V-73719.rb" }, { 
"title": null, "controls": [ - "V-73517" + "V-73221" ], - "id": "controls/V-73517.rb" + "id": "controls/V-73221.rb" }, { "title": null, "controls": [ - "V-73509" + "V-73389" ], - "id": "controls/V-73509.rb" + "id": "controls/V-73389.rb" }, { "title": null, "controls": [ - "V-73697" + "V-73511" ], - "id": "controls/V-73697.rb" + "id": "controls/V-73511.rb" }, { "title": null, "controls": [ - "V-73655" + "V-73287" ], - "id": "controls/V-73655.rb" + "id": "controls/V-73287.rb" }, { "title": null, "controls": [ - "V-73293" + "V-73433" ], - "id": "controls/V-73293.rb" + "id": "controls/V-73433.rb" }, { "title": null, "controls": [ - "V-73647" + "V-73681" ], - "id": "controls/V-73647.rb" + "id": "controls/V-73681.rb" }, { "title": null, "controls": [ - "V-73799" + "V-73241" ], - "id": "controls/V-73799.rb" + "id": "controls/V-73241.rb" }, { "title": null, "controls": [ - "V-73439" + "V-73711" ], - "id": "controls/V-73439.rb" + "id": "controls/V-73711.rb" }, { "title": null, "controls": [ - "V-73431" + "V-73633" ], - "id": "controls/V-73431.rb" + "id": "controls/V-73633.rb" }, { "title": null, "controls": [ - "V-73309" + "V-73407" ], - "id": "controls/V-73309.rb" + "id": "controls/V-73407.rb" }, { "title": null, "controls": [ - "V-73641" + "V-73605" ], - "id": "controls/V-73641.rb" + "id": "controls/V-73605.rb" }, { "title": null, "controls": [ - "V-73475" + "V-73289" ], - "id": "controls/V-73475.rb" + "id": "controls/V-73289.rb" }, { "title": null, "controls": [ - "V-73399" + "V-73709" ], - "id": "controls/V-73399.rb" + "id": "controls/V-73709.rb" }, { "title": null, "controls": [ - "V-73417" + "V-73259" ], - "id": "controls/V-73417.rb" + "id": "controls/V-73259.rb" }, { "title": null, "controls": [ - "V-73767" + "V-73265" ], - "id": "controls/V-73767.rb" + "id": "controls/V-73265.rb" }, { "title": null, "controls": [ - "V-73577" + "V-73551" ], - "id": "controls/V-73577.rb" + "id": "controls/V-73551.rb" }, { "title": null, "controls": [ - "V-73369" + "V-73699" ], - "id": 
"controls/V-73369.rb" + "id": "controls/V-73699.rb" }, { "title": null, "controls": [ - "V-73537" + "V-73781" ], - "id": "controls/V-73537.rb" + "id": "controls/V-73781.rb" }, { "title": null, "controls": [ - "V-73555" + "V-73245" ], - "id": "controls/V-73555.rb" + "id": "controls/V-73245.rb" }, { "title": null, "controls": [ - "V-73549" + "V-73795" ], - "id": "controls/V-73549.rb" + "id": "controls/V-73795.rb" }, { "title": null, "controls": [ - "V-73253" + "V-73457" ], - "id": "controls/V-73253.rb" + "id": "controls/V-73457.rb" }, { "title": null, "controls": [ - "V-73585" + "V-73653" ], - "id": "controls/V-73585.rb" + "id": "controls/V-73653.rb" }, { "title": null, "controls": [ - "V-73487" + "V-73679" ], - "id": "controls/V-73487.rb" + "id": "controls/V-73679.rb" }, { "title": null, "controls": [ - "V-73595" + "V-73563" ], - "id": "controls/V-73595.rb" + "id": "controls/V-73563.rb" }, { "title": null, "controls": [ - "V-73777" + "V-73435" ], - "id": "controls/V-73777.rb" + "id": "controls/V-73435.rb" }, { "title": null, "controls": [ - "V-73397" + "V-73431" ], - "id": "controls/V-73397.rb" + "id": "controls/V-73431.rb" }, { "title": null, "controls": [ - "V-73277" + "V-73449" ], - "id": "controls/V-73277.rb" + "id": "controls/V-73449.rb" }, { "title": null, "controls": [ - "V-73235" + "V-73597" ], - "id": "controls/V-73235.rb" + "id": "controls/V-73597.rb" }, { "title": null, "controls": [ - "V-73741" + "V-73601" ], - "id": "controls/V-73741.rb" + "id": "controls/V-73601.rb" }, { "title": null, "controls": [ - "V-73575" + "V-73483" ], - "id": "controls/V-73575.rb" + "id": "controls/V-73483.rb" }, { "title": null, "controls": [ - "V-73747" + "V-73725" ], - "id": "controls/V-73747.rb" + "id": "controls/V-73725.rb" }, { "title": null, "controls": [ - "V-73793" + "V-73785" ], - "id": "controls/V-73793.rb" + "id": "controls/V-73785.rb" }, { "title": null, "controls": [ - "V-73225" + "V-73593" ], - "id": "controls/V-73225.rb" + "id": "controls/V-73593.rb" }, { 
"title": null, "controls": [ - "V-73471" + "V-73237" ], - "id": "controls/V-73471.rb" + "id": "controls/V-73237.rb" }, { "title": null, "controls": [ - "V-73363" + "V-73379" ], - "id": "controls/V-73363.rb" + "id": "controls/V-73379.rb" }, { "title": null, "controls": [ - "V-73639" + "V-73569" ], - "id": "controls/V-73639.rb" + "id": "controls/V-73569.rb" }, { "title": null, "controls": [ - "V-73775" + "V-73773" ], - "id": "controls/V-73775.rb" + "id": "controls/V-73773.rb" }, { "title": null, "controls": [ - "V-73429" + "V-73581" ], - "id": "controls/V-73429.rb" + "id": "controls/V-73581.rb" }, { "title": null, "controls": [ - "V-73723" + "V-73409" ], - "id": "controls/V-73723.rb" + "id": "controls/V-73409.rb" }, { "title": null, "controls": [ - "V-73545" + "V-73533" ], - "id": "controls/V-73545.rb" + "id": "controls/V-73533.rb" }, { "title": null, "controls": [ - "V-73579" + "V-73323" ], - "id": "controls/V-73579.rb" + "id": "controls/V-73323.rb" }, { "title": null, "controls": [ - "V-73401" + "V-73793" ], - "id": "controls/V-73401.rb" + "id": "controls/V-73793.rb" }, { "title": null, "controls": [ - "V-73407" + "V-73691" ], - "id": "controls/V-73407.rb" + "id": "controls/V-73691.rb" }, { "title": null, "controls": [ - "V-73561" + "V-73807" ], - "id": "controls/V-73561.rb" + "id": "controls/V-73807.rb" }, { "title": null, "controls": [ - "V-73465" + "V-73645" ], - "id": "controls/V-73465.rb" + "id": "controls/V-73645.rb" }, { "title": null, "controls": [ - "V-73589" + "V-73571" ], - "id": "controls/V-73589.rb" + "id": "controls/V-73571.rb" }, { "title": null, "controls": [ - "V-73319" + "V-78127" ], - "id": "controls/V-73319.rb" + "id": "controls/V-78127.rb" }, { "title": null, "controls": [ - "V-73753" + "V-73231" ], - "id": "controls/V-73753.rb" + "id": "controls/V-73231.rb" }, { "title": null, "controls": [ - "V-73605" + "V-73509" ], - "id": "controls/V-73605.rb" + "id": "controls/V-73509.rb" }, { "title": null, "controls": [ - "V-73673" + "V-73417" ], - "id": 
"controls/V-73673.rb" + "id": "controls/V-73417.rb" }, { "title": null, "controls": [ - "V-73565" + "V-73735" ], - "id": "controls/V-73565.rb" + "id": "controls/V-73735.rb" }, { "title": null, "controls": [ - "V-73751" + "V-73521" ], - "id": "controls/V-73751.rb" + "id": "controls/V-73521.rb" }, { "title": null, "controls": [ - "V-73801" + "V-73789" ], - "id": "controls/V-73801.rb" + "id": "controls/V-73789.rb" }, { "title": null, "controls": [ - "V-73405" + "V-73667" ], - "id": "controls/V-73405.rb" + "id": "controls/V-73667.rb" }, { "title": null, "controls": [ - "V-73683" + "V-73763" ], - "id": "controls/V-73683.rb" + "id": "controls/V-73763.rb" }, { "title": null, "controls": [ - "V-73757" + "V-73579" ], - "id": "controls/V-73757.rb" + "id": "controls/V-73579.rb" }, { "title": null, "controls": [ - "V-73263" + "V-73501" ], - "id": "controls/V-73263.rb" + "id": "controls/V-73501.rb" }, { "title": null, "controls": [ - "V-73603" + "V-73311" ], - "id": "controls/V-73603.rb" + "id": "controls/V-73311.rb" }, { "title": null, "controls": [ - "V-73701" + "V-73429" ], - "id": "controls/V-73701.rb" + "id": "controls/V-73429.rb" }, { "title": null, "controls": [ - "V-73759" + "V-73247" ], - "id": "controls/V-73759.rb" + "id": "controls/V-73247.rb" }, { "title": null, "controls": [ - "V-73251" + "V-73299" ], - "id": "controls/V-73251.rb" + "id": "controls/V-73299.rb" }, { "title": null, "controls": [ - "V-73461" + "V-73395" ], - "id": "controls/V-73461.rb" + "id": "controls/V-73395.rb" }, { "title": null, "controls": [ - "V-73627" + "V-73253" ], - "id": "controls/V-73627.rb" + "id": "controls/V-73253.rb" }, { "title": null, "controls": [ - "V-73637" + "V-73747" ], - "id": "controls/V-73637.rb" + "id": "controls/V-73747.rb" }, { "title": null, "controls": [ - "V-73731" + "V-73553" ], - "id": "controls/V-73731.rb" + "id": "controls/V-73553.rb" }, { "title": null, "controls": [ - "V-73715" + "V-73543" ], - "id": "controls/V-73715.rb" + "id": "controls/V-73543.rb" }, { 
"title": null, "controls": [ - "V-73231" + "V-73363" ], - "id": "controls/V-73231.rb" + "id": "controls/V-73363.rb" }, { "title": null, "controls": [ - "V-73677" + "V-73527" ], - "id": "controls/V-73677.rb" + "id": "controls/V-73527.rb" }, { "title": null, "controls": [ - "V-73513" + "V-73489" ], - "id": "controls/V-73513.rb" + "id": "controls/V-73489.rb" }, { "title": null, "controls": [ - "V-73667" + "V-73613" ], - "id": "controls/V-73667.rb" + "id": "controls/V-73613.rb" }, { "title": null, "controls": [ - "V-73317" + "V-73629" ], - "id": "controls/V-73317.rb" + "id": "controls/V-73629.rb" }, { "title": null, "controls": [ - "V-73279" + "V-73393" ], - "id": "controls/V-73279.rb" + "id": "controls/V-73393.rb" }, { "title": null, "controls": [ - "V-73239" + "V-73471" ], - "id": "controls/V-73239.rb" + "id": "controls/V-73471.rb" }, { "title": null, "controls": [ - "V-73515" + "V-78125" ], - "id": "controls/V-73515.rb" + "id": "controls/V-78125.rb" }, { "title": null, "controls": [ - "V-73573" + "V-73557" ], - "id": "controls/V-73573.rb" + "id": "controls/V-73557.rb" }, { "title": null, "controls": [ - "V-73455" + "V-73587" ], - "id": "controls/V-73455.rb" + "id": "controls/V-73587.rb" }, { "title": null, "controls": [ - "V-73483" + "V-73737" ], - "id": "controls/V-73483.rb" + "id": "controls/V-73737.rb" }, { "title": null, "controls": [ - "V-73499" + "V-73403" ], - "id": "controls/V-73499.rb" + "id": "controls/V-73403.rb" }, { "title": null, "controls": [ - "V-73785" + "V-73537" ], - "id": "controls/V-73785.rb" + "id": "controls/V-73537.rb" }, { "title": null, "controls": [ - "V-73275" + "V-73743" ], - "id": "controls/V-73275.rb" + "id": "controls/V-73743.rb" }, { "title": null, "controls": [ - "V-73521" + "V-73561" ], - "id": "controls/V-73521.rb" + "id": "controls/V-73561.rb" }, { "title": null, "controls": [ - "V-73787" + "V-73559" ], - "id": "controls/V-73787.rb" + "id": "controls/V-73559.rb" }, { "title": null, "controls": [ - "V-73651" + "V-73279" ], - "id": 
"controls/V-73651.rb" + "id": "controls/V-73279.rb" }, { "title": null, "controls": [ - "V-73541" + "V-73505" ], - "id": "controls/V-73541.rb" + "id": "controls/V-73505.rb" }, { "title": null, "controls": [ - "V-73607" + "V-73577" ], - "id": "controls/V-73607.rb" + "id": "controls/V-73577.rb" }, { "title": null, "controls": [ - "V-73719" + "V-73657" ], - "id": "controls/V-73719.rb" + "id": "controls/V-73657.rb" }, { "title": null, "controls": [ - "V-73525" + "V-73683" ], - "id": "controls/V-73525.rb" + "id": "controls/V-73683.rb" }, { "title": null, "controls": [ - "V-73313" + "V-73687" ], - "id": "controls/V-73313.rb" + "id": "controls/V-73687.rb" }, { "title": null, "controls": [ - "V-73503" + "V-73313" ], - "id": "controls/V-73503.rb" + "id": "controls/V-73313.rb" }, { "title": null, "controls": [ - "V-73543" + "V-73539" ], - "id": "controls/V-73543.rb" + "id": "controls/V-73539.rb" }, { "title": null, "controls": [ - "V-73597" + "V-73301" ], - "id": "controls/V-73597.rb" + "id": "controls/V-73301.rb" }, { "title": null, "controls": [ - "V-73707" + "V-73641" ], - "id": "controls/V-73707.rb" + "id": "controls/V-73641.rb" }, { "title": null, "controls": [ - "V-73711" + "V-73723" ], - "id": "controls/V-73711.rb" + "id": "controls/V-73723.rb" }, { "title": null, "controls": [ - "V-73267" + "V-73517" ], - "id": "controls/V-73267.rb" + "id": "controls/V-73517.rb" }, { "title": null, "controls": [ - "V-73609" + "V-73271" ], - "id": "controls/V-73609.rb" + "id": "controls/V-73271.rb" }, { "title": null, "controls": [ - "V-78125" + "V-73783" ], - "id": "controls/V-78125.rb" + "id": "controls/V-73783.rb" }, { "title": null, "controls": [ - "V-73713" + "V-73759" ], - "id": "controls/V-73713.rb" + "id": "controls/V-73759.rb" }, { "title": null, "controls": [ - "V-73233" + "V-73423" ], - "id": "controls/V-73233.rb" + "id": "controls/V-73423.rb" }, { "title": null, "controls": [ - "V-73229" + "V-73369" ], - "id": "controls/V-73229.rb" + "id": "controls/V-73369.rb" }, { 
"title": null, "controls": [ - "V-73789" + "V-73377" ], - "id": "controls/V-73789.rb" + "id": "controls/V-73377.rb" }, { "title": null, "controls": [ - "V-73219" + "V-73555" ], - "id": "controls/V-73219.rb" + "id": "controls/V-73555.rb" }, { "title": null, "controls": [ - "V-73643" + "V-73673" ], - "id": "controls/V-73643.rb" + "id": "controls/V-73673.rb" }, { "title": null, "controls": [ - "V-73221" + "V-73283" ], - "id": "controls/V-73221.rb" + "id": "controls/V-73283.rb" }, { "title": null, "controls": [ - "V-73557" + "V-73257" ], - "id": "controls/V-73557.rb" + "id": "controls/V-73257.rb" }, { "title": null, "controls": [ - "V-73653" + "V-73803" ], - "id": "controls/V-73653.rb" + "id": "controls/V-73803.rb" }, { "title": null, "controls": [ - "V-73809" + "V-73381" ], - "id": "controls/V-73809.rb" + "id": "controls/V-73381.rb" }, { "title": null, "controls": [ - "V-73685" + "V-73617" ], - "id": "controls/V-73685.rb" + "id": "controls/V-73617.rb" }, { "title": null, "controls": [ - "V-73375" + "V-73307" ], - "id": "controls/V-73375.rb" + "id": "controls/V-73307.rb" }, { "title": null, "controls": [ - "V-73223" + "V-73495" ], - "id": "controls/V-73223.rb" + "id": "controls/V-73495.rb" }, { "title": null, "controls": [ - "V-73249" + "V-73465" ], - "id": "controls/V-73249.rb" + "id": "controls/V-73465.rb" }, { "title": null, "controls": [ - "V-73383" + "V-73401" ], - "id": "controls/V-73383.rb" + "id": "controls/V-73401.rb" }, { "title": null, "controls": [ - "V-73289" + "V-73545" ], - "id": "controls/V-73289.rb" + "id": "controls/V-73545.rb" }, { "title": null, "controls": [ - "V-73745" + "V-73319" ], - "id": "controls/V-73745.rb" + "id": "controls/V-73319.rb" }, { "title": null, "controls": [ - "V-73307" + "V-73731" ], - "id": "controls/V-73307.rb" + "id": "controls/V-73731.rb" }, { "title": null, "controls": [ - "V-73419" + "V-73809" ], - "id": "controls/V-73419.rb" + "id": "controls/V-73809.rb" }, { "title": null, "controls": [ - "V-73663" + "V-73659" ], - "id": 
"controls/V-73663.rb" + "id": "controls/V-73659.rb" }, { "title": null, "controls": [ - "V-73593" + "V-73269" ], - "id": "controls/V-73593.rb" + "id": "controls/V-73269.rb" }, { "title": null, "controls": [ - "V-73505" + "V-73689" ], - "id": "controls/V-73505.rb" + "id": "controls/V-73689.rb" }, { "title": null, "controls": [ - "V-73669" + "V-73229" ], - "id": "controls/V-73669.rb" + "id": "controls/V-73229.rb" }, { "title": null, "controls": [ - "V-73623" + "V-73639" ], - "id": "controls/V-73623.rb" + "id": "controls/V-73639.rb" }, { "title": null, "controls": [ - "V-73287" + "V-73291" ], - "id": "controls/V-73287.rb" + "id": "controls/V-73291.rb" }, { "title": null, "controls": [ - "V-73395" + "V-73447" ], - "id": "controls/V-73395.rb" + "id": "controls/V-73447.rb" }, { "title": null, "controls": [ - "V-73551" + "V-73529" ], - "id": "controls/V-73551.rb" + "id": "controls/V-73529.rb" }, { "title": null, 
@@ -10934,401 +10934,401 @@ { "title": null, "controls": [ - "V-73529" + "V-73739" ], - "id": "controls/V-73529.rb" + "id": "controls/V-73739.rb" }, { "title": null, "controls": [ - "V-73441" + "V-73589" ], - "id": "controls/V-73441.rb" + "id": "controls/V-73589.rb" }, { "title": null, "controls": [ - "V-73591" + "V-73703" ], - "id": "controls/V-73591.rb" + "id": "controls/V-73703.rb" }, { "title": null, "controls": [ - "V-73621" + "V-73365" ], - "id": "controls/V-73621.rb" + "id": "controls/V-73365.rb" }, { "title": null, "controls": [ - "V-73321" + "V-73233" ], - "id": "controls/V-73321.rb" + "id": "controls/V-73233.rb" }, { "title": null, "controls": [ - "V-73631" + "V-73293" ], - "id": "controls/V-73631.rb" + "id": "controls/V-73293.rb" }, { "title": null, "controls": [ - "V-73403" + "V-73451" ], - "id": "controls/V-73403.rb" + "id": "controls/V-73451.rb" }, { "title": null, "controls": [ - "V-73497" + "V-73595" ], - "id": "controls/V-73497.rb" + "id": "controls/V-73595.rb" }, { "title": null, "controls": [ - "V-73367" + "V-73497" ], - "id": "controls/V-73367.rb" + "id": "controls/V-73497.rb" }, { "title": null, "controls": [ - "V-73271" + "V-73493" ], - "id": "controls/V-73271.rb" + "id": "controls/V-73493.rb" }, { "title": null, "controls": [ - "V-73671" + "V-73611" ], - "id": "controls/V-73671.rb" + "id": "controls/V-73611.rb" }, { "title": null, "controls": [ - "V-73291" + "V-73413" ], - "id": "controls/V-73291.rb" + "id": "controls/V-73413.rb" }, { "title": null, "controls": [ - "V-73539" + "V-73621" ], - "id": "controls/V-73539.rb" + "id": "controls/V-73621.rb" }, { "title": null, "controls": [ - "V-73381" + "V-73769" ], - "id": "controls/V-73381.rb" + "id": "controls/V-73769.rb" }, { "title": null, "controls": [ - "V-73743" + "V-73453" ], - "id": "controls/V-73743.rb" + "id": "controls/V-73453.rb" }, { "title": null, "controls": [ - "V-73797" + "V-73609" ], - "id": "controls/V-73797.rb" + "id": "controls/V-73609.rb" }, { "title": null, "controls": [ - 
"V-73769" + "V-73637" ], - "id": "controls/V-73769.rb" + "id": "controls/V-73637.rb" }, { "title": null, "controls": [ - "V-73737" + "V-73273" ], - "id": "controls/V-73737.rb" + "id": "controls/V-73273.rb" }, { "title": null, "controls": [ - "V-73783" + "V-73303" ], - "id": "controls/V-73783.rb" + "id": "controls/V-73303.rb" }, { "title": null, "controls": [ - "V-73427" + "V-73263" ], - "id": "controls/V-73427.rb" + "id": "controls/V-73263.rb" }, { "title": null, "controls": [ - "V-78127" + "V-73281" ], - "id": "controls/V-78127.rb" + "id": "controls/V-73281.rb" }, { "title": null, "controls": [ - "V-73681" + "V-73415" ], - "id": "controls/V-73681.rb" + "id": "controls/V-73415.rb" }, { "title": null, "controls": [ - "V-73501" + "V-73219" ], - "id": "controls/V-73501.rb" + "id": "controls/V-73219.rb" }, { "title": null, "controls": [ - "V-73507" + "V-73729" ], - "id": "controls/V-73507.rb" + "id": "controls/V-73729.rb" }, { "title": null, "controls": [ - "V-73755" + "V-73275" ], - "id": "controls/V-73755.rb" + "id": "controls/V-73275.rb" }, { "title": null, "controls": [ - "V-73323" + "V-73513" ], - "id": "controls/V-73323.rb" + "id": "controls/V-73513.rb" }, { "title": null, "controls": [ - "V-73413" + "V-73565" ], - "id": "controls/V-73413.rb" + "id": "controls/V-73565.rb" }, { "title": null, "controls": [ - "V-73391" + "V-73705" ], - "id": "controls/V-73391.rb" + "id": "controls/V-73705.rb" }, { "title": null, "controls": [ - "V-73373" + "V-73713" ], - "id": "controls/V-73373.rb" + "id": "controls/V-73713.rb" }, { "title": null, "controls": [ - "V-73437" + "V-73399" ], - "id": "controls/V-73437.rb" + "id": "controls/V-73399.rb" }, { "title": null, "controls": [ - "V-73311" + "V-73761" ], - "id": "controls/V-73311.rb" + "id": "controls/V-73761.rb" }, { "title": null, "controls": [ - "V-73433" + "V-73625" ], - "id": "controls/V-73433.rb" + "id": "controls/V-73625.rb" }, { "title": null, "controls": [ - "V-73617" + "V-73515" ], - "id": "controls/V-73617.rb" + "id": 
"controls/V-73515.rb" }, { "title": null, "controls": [ - "V-73533" + "V-73251" ], - "id": "controls/V-73533.rb" + "id": "controls/V-73251.rb" }, { "title": null, "controls": [ - "V-73695" + "V-73775" ], - "id": "controls/V-73695.rb" + "id": "controls/V-73775.rb" }, { "title": null, "controls": [ - "V-73371" + "V-73607" ], - "id": "controls/V-73371.rb" + "id": "controls/V-73607.rb" }, { "title": null, "controls": [ - "V-73661" + "V-73499" ], - "id": "controls/V-73661.rb" + "id": "controls/V-73499.rb" }, { "title": null, "controls": [ - "V-73227" + "V-73385" ], - "id": "controls/V-73227.rb" + "id": "controls/V-73385.rb" }, { "title": null, "controls": [ - "V-73729" + "V-73549" ], - "id": "controls/V-73729.rb" + "id": "controls/V-73549.rb" }, { "title": null, "controls": [ - "V-73445" + "V-73733" ], - "id": "controls/V-73445.rb" + "id": "controls/V-73733.rb" }, { "title": null, "controls": [ - "V-73285" + "V-73305" ], - "id": "controls/V-73285.rb" + "id": "controls/V-73305.rb" }, { "title": null, "controls": [ - "V-73739" + "V-73661" ], - "id": "controls/V-73739.rb" + "id": "controls/V-73661.rb" }, { "title": null, "controls": [ - "V-73361" + "V-73791" ], - "id": "controls/V-73361.rb" + "id": "controls/V-73791.rb" }, { "title": null, "controls": [ - "V-73409" + "V-73779" ], - "id": "controls/V-73409.rb" + "id": "controls/V-73779.rb" }, { "title": null, "controls": [ - "V-73495" + "V-73277" ], - "id": "controls/V-73495.rb" + "id": "controls/V-73277.rb" }, { "title": null, "controls": [ - "V-73477" + "V-73321" ], - "id": "controls/V-73477.rb" + "id": "controls/V-73321.rb" }, { "title": null, "controls": [ - "V-73479" + "V-73411" ], - "id": "controls/V-73479.rb" + "id": "controls/V-73411.rb" }, { "title": null, "controls": [ - "V-73217" + "V-73727" ], - "id": "controls/V-73217.rb" + "id": "controls/V-73727.rb" }, { "title": null, "controls": [ - "V-73389" + "V-73439" ], - "id": "controls/V-73389.rb" + "id": "controls/V-73439.rb" }, { "title": null, "controls": [ - 
"V-73675" + "V-73693" ], - "id": "controls/V-73675.rb" + "id": "controls/V-73693.rb" }, { "title": null, "controls": [ - "V-73559" + "V-73623" ], - "id": "controls/V-73559.rb" + "id": "controls/V-73623.rb" }, { "title": null, "controls": [ - "V-73657" + "V-73721" ], - "id": "controls/V-73657.rb" + "id": "controls/V-73721.rb" }, { "title": null, "controls": [ - "V-73749" + "V-73437" ], - "id": "controls/V-73749.rb" + "id": "controls/V-73437.rb" }, { "title": null, "controls": [ - "V-73379" + "V-73531" ], - "id": "controls/V-73379.rb" + "id": "controls/V-73531.rb" }, { "title": null, "controls": [ - "V-73659" + "V-73627" ], - "id": "controls/V-73659.rb" + "id": "controls/V-73627.rb" }, { "title": null, "controls": [ - "V-73735" + "V-73373" ], - "id": "controls/V-73735.rb" + "id": "controls/V-73373.rb" }, { "title": null, "controls": [ - "V-73511" + "V-73503" ], - "id": "controls/V-73511.rb" + "id": "controls/V-73503.rb" } ], "sha256": "57913a07510731128118d1f1f127d3346ef9aeb3810655766c600fa455ae771c",
diff --git a/src/assets/data/baselineProfiles/microsoft-windows-server-2019-stig-baseline.json b/src/assets/data/baselineProfiles/microsoft-windows-server-2019-stig-baseline.json
index bf94c5ca..a094e7fe 100644
--- a/src/assets/data/baselineProfiles/microsoft-windows-server-2019-stig-baseline.json
+++ b/src/assets/data/baselineProfiles/microsoft-windows-server-2019-stig-baseline.json
@@ -12,170 +12,155 @@ "supports": [], "controls": [ { - "title": "Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.", - "desc": "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.", + "title": "Windows Server 2019 must be configured to audit Logon/Logoff - Group\nMembership successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\nof a user's logon token.", "descriptions": { - "default": "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\nof a user's logon token.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n If the value for \"Maximum lifetime for service ticket\" is \"0\" or greater than \"600\" minutes, this is a finding.", - "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Maximum lifetime for service ticket\" to a maximum of \"600\" minutes, but not \"0\", which equates to \"Ticket doesn't expire\"." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Group Membership - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Advanced Audit Policy Configuration >> System Audit\nPolicies >> Logon/Logoff >> \"Audit Group Membership\" with \"Success\"\nselected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000112-GPOS-00057", - "satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" - ], - "gid": "V-93445", - "rid": "SV-103531r1_rule", - "stig_id": "WN19-DC-000030", - "fix_id": "F-99689r1_fix", + "gtitle": "SRG-OS-000470-GPOS-00214", + "gid": "V-93159", + "rid": "SV-103247r1_rule", + "stig_id": "WN19-AU-000170", + "fix_id": "F-99405r1_fix", "cci": [ - "CCI-001941", - "CCI-001942" + "CCI-000172" ], "nist": [ - "IA-2 (8)", - "IA-2 (9)", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93445\" do\n title \"Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.\"\n desc \"This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. 
Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n If the value for \\\"Maximum lifetime for service ticket\\\" is \\\"0\\\" or greater than \\\"600\\\" minutes, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Maximum lifetime for service ticket\\\" to a maximum of \\\"600\\\" minutes, but not \\\"0\\\", which equates to \\\"Ticket doesn't expire\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93445\"\n tag rid: \"SV-103531r1_rule\"\n tag stig_id: \"WN19-DC-000030\"\n tag fix_id: \"F-99689r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxServiceAge') { should be_between(0,600) }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93159\" do\n title \"Windows 
Server 2019 must be configured to audit Logon/Logoff - Group\nMembership successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\nof a user's logon token.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Group Membership - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Advanced Audit Policy Configuration >> System Audit\nPolicies >> Logon/Logoff >> \\\"Audit Group Membership\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93159'\n tag 'rid': 'SV-103247r1_rule'\n tag 'stig_id': 'WN19-AU-000170'\n tag 'fix_id': 'F-99405r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Group Membership') { should eq 'Success' }\n end\n describe audit_policy do\n 
its('Group Membership') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93445.rb", + "ref": "./Windows 2019 STIG/controls/V-93159.rb", "line": 3 }, - "id": "V-93445" + "id": "V-93159" }, { - "title": "Windows Server 2019 permissions for the Security event log must\nprevent access by non-privileged accounts.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSecurity event log may disclose sensitive information or be susceptible to\ntampering if proper permissions are not applied.", + "title": "Windows Server 2019 must prevent Indexing of encrypted files.", + "desc": "Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSecurity event log may disclose sensitive information or be susceptible to\ntampering if proper permissions are not applied.", + "default": "Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.", "rationale": "", - "check": "Navigate to the Security event log file.\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\"\nfolder. 
However, the logs may have been moved to another folder.\n\n If the permissions for the \"Security.evtx\" file are not as restrictive as\nthe default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", - "fix": "Configure the permissions on the Security event log file (Security.evtx) to\nprevent access by non-privileged accounts. The default permissions listed below\nsatisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \"NT Service\\Eventlog\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> \"Allow indexing of encrypted files\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-93191", - "rid": "SV-103279r1_rule", - "stig_id": "WN19-AU-000040", - "fix_id": "F-99437r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93415", + "rid": "SV-103501r1_rule", + "stig_id": "WN19-CC-000410", + "fix_id": "F-99659r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-000381" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93191\" do\n title \"Windows Server 2019 permissions for the Security event log must\nprevent access by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSecurity event log may disclose sensitive information or be susceptible to\ntampering if proper permissions are not applied.\"\n desc \"rationale\", \"\"\n desc 'check', \"Navigate to the Security event log file.\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\"\nfolder. However, the logs may have been moved to another folder.\n\n If the permissions for the \\\"Security.evtx\\\" file are not as restrictive as\nthe default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc 'fix', \"Configure the permissions on the Security event log file (Security.evtx) to\nprevent access by non-privileged accounts. 
The default permissions listed below\nsatisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000057-GPOS-00027'\n tag 'satisfies': [\"SRG-OS-000057-GPOS-00027\", \"SRG-OS-000058-GPOS-00028\",\n\"SRG-OS-000059-GPOS-00029\"]\n tag 'gid': 'V-93191'\n tag 'rid': 'SV-103279r1_rule'\n tag 'stig_id': 'WN19-AU-000040'\n tag 'fix_id': 'F-99437r1_fix'\n tag 'cci': [\"CCI-000162\", \"CCI-000163\", \"CCI-000164\"]\n tag 'nist': [\"AU-9\", \"AU-9\", \"AU-9\", \"Rev_4\"]\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n\n systemroot = system_root.strip\n\n winevt_logs_security = <<-EOH\n $output = (Get-Acl -Path #{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Security.evtx).AccessToString\n write-output $output\n EOH\n\n # raw powershell output\n raw_logs_security = powershell(winevt_logs_security).stdout.strip\n\n # clean results cleans up the extra line breaks\n clean_logs_security = raw_logs_security.lines.collect(&:strip)\n\n describe 'Verify the default registry permissions for the keys note below of the C:\\Windows\\System32\\WINEVT\\LOGS\\Security.evtx' do\n subject { clean_logs_security }\n it { should cmp input('winevt_logs_security_perms') }\n end\nend\n", + "code": "control \"V-93415\" do\n title \"Windows Server 2019 must prevent Indexing of encrypted files.\"\n desc \"Indexing of encrypted files may expose sensitive data. 
This setting prevents encrypted files from being indexed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Windows Search\\\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> \\\"Allow indexing of encrypted files\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93415\"\n tag rid: \"SV-103501r1_rule\"\n tag stig_id: \"WN19-CC-000410\"\n tag fix_id: \"F-99659r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search') do\n it { should have_property 'AllowIndexingEncryptedStoresOrItems' }\n its('AllowIndexingEncryptedStoresOrItems') { should cmp 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93191.rb", + "ref": "./Windows 2019 STIG/controls/V-93415.rb", "line": 3 }, - "id": "V-93191" + "id": "V-93415" }, { - "title": "Windows Server 2019 Deny log on as a service user right on\ndomain-joined member servers must be configured to prevent access from highly\nprivileged domain accounts. 
No other groups or accounts must be assigned this\nright.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a service\" user right defines accounts that are\ndenied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.", + "title": "Windows Server 2019 must only allow administrators responsible for the\nmember server or standalone system to have Administrator rights on the system.", + "desc": "An account that does not have Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group (see V-36433 in the Active\nDirectory Domain STIG). 
Restricting highly privileged accounts from the local\nAdministrators group helps mitigate the risk of privilege escalation resulting\nfrom credential theft attacks.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a service\" user right defines accounts that are\ndenied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.", + "default": "An account that does not have Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group (see V-36433 in the Active\nDirectory Domain STIG). Restricting highly privileged accounts from the local\nAdministrators group helps mitigate the risk of privilege escalation resulting\nfrom credential theft attacks.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.", "rationale": "", - "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nas a service\" user right on domain-joined systems, this is a finding:\n\n - Enterprise Admins Group\n - Domain Admins Group\n\n If any accounts or groups are defined for the \"Deny log on as a service\"\nuser right on non-domain-joined systems, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \"SeDenyServiceLogonRight\"\nuser right on domain-joined systems, this is a finding:\n\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n If any SIDs are defined for the user right on non-domain-joined systems,\nthis is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non as a service\" to include the following:\n\n Domain systems:\n - Enterprise Admins Group\n - Domain Admins Group" + "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Open \"Computer Management\".\n\n Navigate to \"Groups\" under \"Local Users and Groups\".\n\n Review the local \"Administrators\" group.\n\n Only administrator groups or accounts responsible for administration of the\nsystem may be members of the group.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group.\n\n Standard user accounts must not be members of the local Administrator group.\n\n If accounts that do not have responsibility for administration of the\nsystem are members of the local Administrators group, this is a finding.\n\n If the built-in Administrator account or other required administrative\naccounts are found on the system, this is not a finding.", + "fix": "Configure the local \"Administrators\" group to include only administrator\ngroups or accounts responsible for administration of the system.\n\n For domain-joined member servers, replace the Domain Admins group with a\ndomain member server administrator group.\n\n Remove any standard user accounts." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93013", - "rid": "SV-103101r1_rule", - "stig_id": "WN19-MS-000100", - "fix_id": "F-99259r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93043", + "rid": "SV-103131r1_rule", + "stig_id": "WN19-MS-000010", + "fix_id": "F-99289r1_fix", "cci": [ - "CCI-000213" + "CCI-002235" ], "nist": [ - "AC-3", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93013\" do\n title \"Windows Server 2019 Deny log on as a service user right on\ndomain-joined member servers must be configured to prevent access from highly\nprivileged domain accounts. 
No other groups or accounts must be assigned this\nright.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on as a service\\\" user right defines accounts that are\ndenied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nas a service\\\" user right on domain-joined systems, this is a finding:\n\n - Enterprise Admins Group\n - Domain Admins Group\n\n If any accounts or groups are defined for the \\\"Deny log on as a service\\\"\nuser right on non-domain-joined systems, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \\\"SeDenyServiceLogonRight\\\"\nuser right on domain-joined systems, this is a finding:\n\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n If any SIDs are defined for the user right on non-domain-joined systems,\nthis is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local 
Policies >> User Rights Assignment >> \\\"Deny log\non as a service\\\" to include the following:\n\n Domain systems:\n - Enterprise Admins Group\n - Domain Admins Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93013'\n tag 'rid': 'SV-103101r1_rule'\n tag 'stig_id': 'WN19-MS-000100'\n tag 'fix_id': 'F-99259r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyServiceLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyServiceLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n when '2'\n describe security_policy do\n its('SeDenyServiceLogonRight') { should be_empty }\n end\n end\nend\n", + "code": "control \"V-93043\" do\n title \"Windows Server 2019 must only allow administrators responsible for the\nmember server or standalone system to have Administrator rights on the system.\"\n desc \"An account that does not have 
Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group (see V-36433 in the Active\nDirectory Domain STIG). Restricting highly privileged accounts from the local\nAdministrators group helps mitigate the risk of privilege escalation resulting\nfrom credential theft attacks.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Open \\\"Computer Management\\\".\n\n Navigate to \\\"Groups\\\" under \\\"Local Users and Groups\\\".\n\n Review the local \\\"Administrators\\\" group.\n\n Only administrator groups or accounts responsible for administration of the\nsystem may be members of the group.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group.\n\n Standard user accounts must not be members of the local Administrator group.\n\n If accounts that do not have responsibility for administration of the\nsystem are members of the local Administrators group, this is a finding.\n\n If the built-in Administrator account or other required administrative\naccounts are found on the system, this is not a finding.\"\n desc 'fix', \"Configure the local \\\"Administrators\\\" group to include only administrator\ngroups or accounts responsible for administration of the system.\n\n For domain-joined member servers, replace the Domain Admins group with a\ndomain member server administrator group.\n\n Remove any standard user accounts.\"\n impact 0.7\n 
tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93043'\n tag 'rid': 'SV-103131r1_rule'\n tag 'stig_id': 'WN19-MS-000010'\n tag 'fix_id': 'F-99289r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers'\n end\n else\n administrators = input('local_administrators_member')\n administrator_group = command(\"Get-LocalGroupMember -Group \\\"Administrators\\\" | select -ExpandProperty Name | ForEach-Object {$_ -replace \\\"$env:COMPUTERNAME\\\\\\\\\\\" -replace \\\"\\\"}\").stdout.strip.split(\"\\r\\n\")\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n else\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in administrators }\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93013.rb", + "ref": "./Windows 2019 STIG/controls/V-93043.rb", "line": 3 }, - "id": "V-93013" + "id": "V-93043" }, { - "title": "Windows Server 2019 must not allow anonymous enumeration of shares.", - "desc": "Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Do not allow anonymous enumeration of SAM accounts and shares\" to \"Enabled\"." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name wmplayer.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for wmplayer.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-93537", - "rid": "SV-103623r1_rule", - "stig_id": "WN19-SO-000230", - "fix_id": "F-99781r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93365", + "rid": "SV-103453r1_rule", + "stig_id": "WN19-EP-000280", + "fix_id": "F-99611r1_fix", "cci": [ - "CCI-001090" + "CCI-000366" ], "nist": [ - "SC-4", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93537\" do\n title \"Windows Server 2019 must not allow anonymous enumeration of shares.\"\n desc \"Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Do not allow anonymous enumeration of SAM accounts and shares\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000138-GPOS-00069\"\n tag gid: \"V-93537\"\n tag rid: \"SV-103623r1_rule\"\n tag stig_id: \"WN19-SO-000230\"\n tag fix_id: \"F-99781r1_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictAnonymous' }\n its('RestrictAnonymous') { should cmp == 1 }\n end\nend", + "code": "control \"V-93365\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.\"\n desc \"Exploit protection 
provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name wmplayer.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for wmplayer.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93365\"\n tag rid: \"SV-103453r1_rule\"\n tag stig_id: \"WN19-EP-000280\"\n tag fix_id: \"F-99611r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n wmplayer = json({ command: \"Get-ProcessMitigation -Name wmplayer.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif wmplayer.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for wmplayer.exe\" do\n subject { wmplayer }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93537.rb", + "ref": "./Windows 2019 STIG/controls/V-93365.rb", "line": 3 }, - "id": "V-93537" + "id": "V-93365" }, { - "title": "Windows Server 2019 source routing must be configured to the highest\nprotection level to prevent Internet Protocol (IP) source routing.", - "desc": "Configuring the system to disable IP source routing protects against\nspoofing.", + "title": "Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.", + "desc": "The default Windows configuration caches the last logon credentials for users who log on interactively to a system. 
This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.", "descriptions": { - "default": "Configuring the system to disable IP source routing protects against\nspoofing.", + "default": "The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \"MSS: (DisableIPSourceRouting) IP source routing\nprotection level (protects against packet spoofing)\" to \"Enabled\" with\n\"Highest protection, source routing is completely disabled\" selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \"MSS-Legacy.admx\" and\n\"MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n\\Windows\\PolicyDefinitions\\en-US directories respectively." + "check": "This applies to member servers. 
For domain controllers and standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 4 (or less)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)\" to \"4\" logons or less." }, - "impact": 0.3, + "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93235", - "rid": "SV-103323r1_rule", - "stig_id": "WN19-CC-000040", - "fix_id": "F-99481r1_fix", + "gid": "V-93275", + "rid": "SV-103363r1_rule", + "stig_id": "WN19-MS-000050", + "fix_id": "F-99521r1_fix", "cci": [ "CCI-000366" ], 
@@ -184,421 +169,408 @@ "Rev_4" ] }, - "code": "control \"V-93235\" do\n title \"Windows Server 2019 source routing must be configured to the highest\nprotection level to prevent Internet Protocol (IP) source routing.\"\n desc \"Configuring the system to disable IP source routing protects against\nspoofing.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \\\"MSS: (DisableIPSourceRouting) IP source routing\nprotection level (protects against packet spoofing)\\\" to \\\"Enabled\\\" with\n\\\"Highest protection, source routing is completely disabled\\\" selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and\n\\\"MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n\\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93235'\n tag 'rid': 'SV-103323r1_rule'\n tag 'stig_id': 'WN19-CC-000040'\n tag 'fix_id': 'F-99481r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2}\n end\nend\n", + "code": "control \"V-93275\" do\n title \"Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.\"\n desc \"The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to member servers. 
For domain controllers and standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 4 (or less)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)\\\" to \\\"4\\\" logons or less.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93275\"\n tag rid: \"SV-103363r1_rule\"\n tag stig_id: \"WN19-MS-000050\"\n tag fix_id: \"F-99521r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '3'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'CachedLogonsCount' }\n its('CachedLogonsCount') { should cmp <= 4 }\n end\n else\n impact 0.0\n describe 'This requirement is only applicable to member servers' do\n skip 'This control is NA as the requirement is only applicable to member servers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93235.rb", + "ref": "./Windows 2019 STIG/controls/V-93275.rb", "line": 3 }, - "id": "V-93235" + "id": "V-93275" }, { - "title": "Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting enables UAC.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Run all administrators in Admin Approval Mode\" to \"Enabled\"." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name INFOPATH.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for INFOPATH.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
},
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000373-GPOS-00157",
- "satisfies": [
- "SRG-OS-000373-GPOS-00157",
- "SRG-OS-000373-GPOS-00156"
- ],
- "gid": "V-93435",
- "rid": "SV-103521r1_rule",
- "stig_id": "WN19-SO-000440",
- "fix_id": "F-99679r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-93337",
+ "rid": "SV-103425r1_rule",
+ "stig_id": "WN19-EP-000140",
+ "fix_id": "F-99583r1_fix",
 "cci": [
- "CCI-002038"
+ "CCI-000366"
 ],
 "nist": [
- "IA-11",
+ "CM-6 b",
 "Rev_4"
 ]
 },
- "code": "control \"V-93435\" do\n title \"Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Run all administrators in Admin Approval Mode\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93435\"\n tag rid: \"SV-103521r1_rule\"\n tag stig_id: \"WN19-SO-000440\"\n tag fix_id: \"F-99679r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n 
os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableLUA' }\n its('EnableLUA') { should cmp == 1 }\n end\n end\nend",
+ "code": "control \"V-93337\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name INFOPATH.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for INFOPATH.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n 
EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93337\"\n tag rid: \"SV-103425r1_rule\"\n tag stig_id: \"WN19-EP-000140\"\n tag fix_id: \"F-99583r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n infopath = json({ command: \"Get-ProcessMitigation -Name INFOPATH.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif infopath.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for INFOPATH.EXE\" do\n subject { infopath }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93435.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93337.rb",
 "line": 3
 },
- "id": "V-93435"
+ "id": "V-93337"
 },
 {
- "title": "Windows Server 2019 Perform volume maintenance tasks user right must\nonly be assigned to the Administrators group.",
- "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Perform volume maintenance tasks\" user right can\nmanage volume and disk configurations. This could be used to delete volumes,\nresulting in data loss or a denial of service.",
+ "title": "Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.",
+ "desc": "Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Perform volume maintenance tasks\" user right can\nmanage volume and disk configurations. 
This could be used to delete volumes,\nresulting in data loss or a denial of service.",
+ "default": "Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.",
 "rationale": "",
- "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\"Perform volume maintenance tasks\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeManageVolumePrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)",
- "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Perform\nvolume maintenance tasks\" to include only the following accounts or groups:\n\n - Administrators"
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\\n\n Value Name: UseMachineId\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Allow Local System to use computer identity for NTLM\" to \"Enabled\"." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-93081",
- "rid": "SV-103169r1_rule",
- "stig_id": "WN19-UR-000190",
- "fix_id": "F-99327r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-93295",
+ "rid": "SV-103383r1_rule",
+ "stig_id": "WN19-SO-000260",
+ "fix_id": "F-99541r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-000366"
 ],
 "nist": [
- "AC-6 (10)",
+ "CM-6 b",
 "Rev_4"
 ]
 },
- "code": "control \"V-93081\" do\n title \"Windows Server 2019 Perform volume maintenance tasks user right must\nonly be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Perform volume maintenance tasks\\\" user right can\nmanage volume and disk configurations. This could be used to delete volumes,\nresulting in data loss or a denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\\\"Perform volume maintenance tasks\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeManageVolumePrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Perform\nvolume maintenance tasks\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 
'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93081'\n tag 'rid': 'SV-103169r1_rule'\n tag 'stig_id': 'WN19-UR-000190'\n tag 'fix_id': 'F-99327r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeManageVolumePrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n",
+ "code": "control \"V-93295\" do\n title \"Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.\"\n desc \"Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\\n\n Value Name: UseMachineId\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Allow Local System to use computer identity for NTLM\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93295\"\n tag rid: \"SV-103383r1_rule\"\n tag stig_id: 
\"WN19-SO-000260\"\n tag fix_id: \"F-99541r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'UseMachineId' }\n its('UseMachineId') { should cmp == 1 }\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93081.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93295.rb",
 "line": 3
 },
- "id": "V-93081"
+ "id": "V-93295"
 },
 {
- "title": "Windows Server 2019 Turning off File Explorer heap termination on\ncorruption must be disabled.",
- "desc": "Legacy plug-in applications may continue to function when a File\nExplorer session has become corrupt. Disabling this feature will prevent this.",
+ "title": "Windows Server 2019 must not have Windows PowerShell 2.0 installed.",
+ "desc": "Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature.",
 "descriptions": {
- "default": "Legacy plug-in applications may continue to function when a File\nExplorer session has become corrupt. Disabling this feature will prevent this.",
+ "default": "Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. 
Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature.",
 "rationale": "",
- "check": "The default behavior is for File Explorer heap termination on corruption to\nbe enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)",
- "fix": "The default behavior is for File Explorer heap termination on corruption to\nbe disabled.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> File\nExplorer >> \"Turn off heap termination on corruption\" to \"Not Configured\"\nor \"Disabled\"."
+ "check": "Open \"PowerShell\".\n Enter \"Get-WindowsFeature | Where Name -eq PowerShell-v2\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.",
+ "fix": "Uninstall the \"Windows PowerShell 2.0 Engine\".\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Windows PowerShell 2.0 Engine\" under \"Windows PowerShell\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." 
},
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93261",
- "rid": "SV-103349r1_rule",
- "stig_id": "WN19-CC-000320",
- "fix_id": "F-99507r1_fix",
+ "gtitle": "SRG-OS-000095-GPOS-00049",
+ "gid": "V-93397",
+ "rid": "SV-103483r1_rule",
+ "stig_id": "WN19-00-000410",
+ "fix_id": "F-99641r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000381"
 ],
 "nist": [
- "CM-6 b",
+ "CM-7 a",
 "Rev_4"
 ]
 },
- "code": "control \"V-93261\" do\n title \"Windows Server 2019 Turning off File Explorer heap termination on\ncorruption must be disabled.\"\n desc \"Legacy plug-in applications may continue to function when a File\nExplorer session has become corrupt. Disabling this feature will prevent this.\"\n desc \"rationale\", \"\"\n desc 'check', \"The default behavior is for File Explorer heap termination on corruption to\nbe enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc 'fix', \"The default behavior is for File Explorer heap termination on corruption to\nbe disabled.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> File\nExplorer >> \\\"Turn off heap termination on corruption\\\" to \\\"Not Configured\\\"\nor \\\"Disabled\\\".\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93261'\n tag 'rid': 'SV-103349r1_rule'\n tag 'stig_id': 'WN19-CC-000320'\n tag 'fix_id': 'F-99507r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 
'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should_not have_property 'NoHeapTerminationOnCorruption' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoHeapTerminationOnCorruption' }\n its('NoHeapTerminationOnCorruption') { should_not be 1 }\n its('NoHeapTerminationOnCorruption') { should cmp 0 }\n end\n \n end\nend\n",
+ "code": "control \"V-93397\" do\n title \"Windows Server 2019 must not have Windows PowerShell 2.0 installed.\"\n desc \"Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n Enter \\\"Get-WindowsFeature | Where Name -eq PowerShell-v2\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Windows PowerShell 2.0 Engine\\\".\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Windows PowerShell 2.0 Engine\\\" under \\\"Windows PowerShell\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93397\"\n tag rid: \"SV-103483r1_rule\"\n tag stig_id: \"WN19-00-000410\"\n tag fix_id: \"F-99641r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: 
[\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('PowerShell-v2') do\n it { should_not be_installed }\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93261.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93397.rb",
 "line": 3
 },
- "id": "V-93261"
+ "id": "V-93397"
 },
 {
- "title": "Windows Server 2019 permissions for program file directories must\nconform to minimum requirements.",
- "desc": "Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).",
+ "title": "Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.",
+ "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.",
 "descriptions": {
- "default": "Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).",
+ "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.",
 "rationale": "",
- "check": "The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).\n\n Review the permissions for the program file directories (Program Files and\nProgram Files [x86]). Non-privileged groups such as Users or Authenticated\nUsers must not have greater than \"Read & execute\" permissions. Individual\naccounts must not be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the \"Security\" tab, and the \"Advanced\" button.\n\n Default permissions:\n \\Program Files and \\Program Files (x86)\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter \"icacls\" followed by the directory:\n\n 'icacls \"c:\\program files\"'\n 'icacls \"c:\\program files (x86)\"'\n\n The following results should be displayed for each when entered:\n\n c:\\program files (c:\\program files (x86))\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n 
BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\nPACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files",
- "fix": "Maintain the default permissions for the program file directories and\nconfigure the Security Option \"Network access: Let Everyone permissions apply\nto anonymous users\" to \"Disabled\" (WN19-SO-000240).\n\n Default permissions:\n \\Program Files and \\Program Files (x86)\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files"
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name AcroRd32.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n 
ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.",
+ "fix": "Ensure the following mitigations are turned \"ON\" for AcroRd32.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
},
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000312-GPOS-00122",
- "satisfies": [
- "SRG-OS-000312-GPOS-00122",
- "SRG-OS-000312-GPOS-00123",
- "SRG-OS-000312-GPOS-00124"
- ],
- "gid": "V-93021",
- "rid": "SV-103109r1_rule",
- "stig_id": "WN19-00-000150",
- "fix_id": "F-99267r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-93323",
+ "rid": "SV-103411r1_rule",
+ "stig_id": "WN19-EP-000070",
+ "fix_id": "F-99569r1_fix",
 "cci": [
- "CCI-002165"
+ "CCI-000366"
 ],
 "nist": [
- "AC-3 (4)",
+ "CM-6 b",
 "Rev_4"
 ]
 },
- "code": "control \"V-93021\" do\n title \"Windows Server 2019 permissions for program file directories must\nconform to minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" is set to\n\\\"Disabled\\\" (WN19-SO-000240).\"\n desc \"rationale\", \"\"\n desc 'check', \"The default permissions are adequate when the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" is set to\n\\\"Disabled\\\" (WN19-SO-000240).\n\n Review the permissions for the program file directories (Program Files and\nProgram Files [x86]). Non-privileged groups such as Users or Authenticated\nUsers must not have greater than \\\"Read & execute\\\" permissions. 
Individual\naccounts must not be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the \\\"Security\\\" tab, and the \\\"Advanced\\\" button.\n\n Default permissions:\n \\\\Program Files and \\\\Program Files (x86)\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter \\\"icacls\\\" followed by the directory:\n\n 'icacls \\\"c:\\\\program files\\\"'\n 'icacls \\\"c:\\\\program files (x86)\\\"'\n\n The following results should be displayed for each when entered:\n\n c:\\\\program files (c:\\\\program files (x86))\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED 
APPLICATION\nPACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\"\n desc 'fix', \"\n Maintain the default permissions for the program file directories and\nconfigure the Security Option \\\"Network access: Let Everyone permissions apply\nto anonymous users\\\" to \\\"Disabled\\\" (WN19-SO-000240).\n\n Default permissions:\n \\\\Program Files and \\\\Program Files (x86)\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000312-GPOS-00122'\n tag 'satisfies': [\"SRG-OS-000312-GPOS-00122\", \"SRG-OS-000312-GPOS-00123\",\n\"SRG-OS-000312-GPOS-00124\"]\n tag 'gid': 'V-93021'\n tag 'rid': 'SV-103109r1_rule'\n tag 'stig_id': 'WN19-00-000150'\n tag 'fix_id': 'F-99267r1_fix'\n tag 'cci': [\"CCI-002165\"]\n tag 'nist': [\"AC-3 (4)\", \"Rev_4\"]\n\n c_program_files_perm = json( command: \"icacls 'C:\\\\Program Files' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"C:\\\\Program Files \", '') }\n describe \"c:\\\\Program Files permissions are set correctly on folder structure\" do\n subject { c_program_files_perm.eql? 
input('c_program_files_perm') }\n it { should eq true }\n end\n\n c_program_filesx86_perm = json( command: \"icacls 'C:\\\\Program Files (x86)' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"C:\\\\Program Files (x86) \", '') }\n describe \"c:\\\\Program Files(x86) permissions are set correctly on folder structure\" do\n subject { c_program_filesx86_perm.eql? input('c_program_files_perm') }\n it { should eq true }\n end\nend\n", + "code": "control \"V-93323\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name AcroRd32.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for AcroRd32.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n 
EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93323\"\n tag rid: \"SV-103411r1_rule\"\n tag stig_id: \"WN19-EP-000070\"\n tag fix_id: \"F-99569r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n acroRd32 = json({ command: \"Get-ProcessMitigation -Name AcroRd32.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif acroRd32.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for AcroRd32.exe\" do\n subject { acroRd32 }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','BottomUp']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93021.rb", + "ref": "./Windows 2019 STIG/controls/V-93323.rb", "line": 3 }, - "id": "V-93021" + "id": "V-93323" }, { - "title": "Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.", - "desc": "If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. 
To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\n Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", + "title": "Windows Server 2019 must be configured to audit System - System\nIntegrity successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.", "descriptions": { - "default": "If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. 
To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\n Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.", "rationale": "", - "check": "Review temporary user accounts for expiration dates.\n Determine if temporary user accounts are used and identify any that exist. 
If none exist, this is NA.\n\n Domain Controllers:\n Open \"PowerShell\".\n Enter \"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\".\n If \"AccountExpirationDate\" has not been defined within 72 hours for any temporary user account, this is a finding.\n\n Member servers and standalone systems:\n Open \"Command Prompt\".\n Run \"Net user [username]\", where [username] is the name of the temporary user account.\n If \"Account expires\" has not been defined within 72 hours for any temporary user account, this is a finding.", - "fix": "Configure temporary user accounts to automatically expire within 72 hours.\n Domain accounts can be configured with an account expiration date, under \"Account\" properties.\n Local accounts can be configured to expire with the command \"Net user [username] /expires:[mm/dd/yyyy]\", where username is the name of the temporary user account.\n Delete any temporary user accounts that are no longer necessary." + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit System Integrity\" with \"Success\"\nselected." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000002-GPOS-00002", - "gid": "V-92975", - "rid": "SV-103063r1_rule", - "stig_id": "WN19-00-000300", - "fix_id": "F-99221r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000471-GPOS-00216", + "SRG-OS-000477-GPOS-00222" + ], + "gid": "V-93117", + "rid": "SV-103205r1_rule", + "stig_id": "WN19-AU-000380", + "fix_id": "F-99363r1_fix", "cci": [ - "CCI-000016" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-2 (2)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control 'V-92975' do\n title \"Windows Server 2019 must automatically remove or disable temporary user accounts after #{input('temporary_account_period')*24} hours.\"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\n Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a #{input('org_name')[:acronym]}-defined time period of #{input('temporary_account_period')*24} hours.\n To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.\"\n desc 'rationale', ''\n desc 'check', \"Review temporary user accounts for expiration dates.\n Determine if temporary user accounts are used and identify any that exist. 
If none exist, this is NA.\n\n Domain Controllers:\n Open \\\"PowerShell\\\".\n Enter \\\"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\\\".\n If \\\"AccountExpirationDate\\\" has not been defined within #{input('temporary_account_period')*24} hours for any temporary user account, this is a finding.\n\n Member servers and standalone systems:\n Open \\\"Command Prompt\\\".\n Run \\\"Net user [username]\\\", where [username] is the name of the temporary user account.\n If \\\"Account expires\\\" has not been defined within #{input('temporary_account_period')*24} hours for any temporary user account, this is a finding.\"\n desc 'fix', \"Configure temporary user accounts to automatically expire within #{input('temporary_account_period')*24} hours.\n Domain accounts can be configured with an account expiration date, under \\\"Account\\\" properties.\n Local accounts can be configured to expire with the command \\\"Net user [username] /expires:[mm/dd/yyyy]\\\", where username is the name of the temporary user account.\n Delete any temporary user accounts that are no longer necessary.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000002-GPOS-00002'\n tag 'gid': 'V-92975'\n tag 'rid': 'SV-103063r1_rule'\n tag 'stig_id': 'WN19-00-000300'\n tag 'fix_id': 'F-99221r1_fix'\n tag 'cci': ['CCI-000016']\n tag 'nist': ['AC-2 (2)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n expiring_accounts = []\n temporary_accounts = input('temp_accounts_domain')\n unless temporary_accounts == [nil]\n temporary_accounts.each do |temporary_account|\n expiring_accounts << json({ command: \"Get-ADUser -Identity #{temporary_account} -Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, 
@{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\" }).params\n end\n end\n ad_accounts = json({ command: \"Get-ADUser -Filter 'Enabled -eq $true' -Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\" }).params\n if ad_accounts.empty?\n impact 0.0\n describe 'This control is not applicable as no user accounts were found' do\n skip 'This control is not applicable as no user accounts were found'\n end\n else\n case ad_accounts\n when Hash # One user account\n if ad_accounts.fetch('AccountExpirationDate').nil?\n impact 0.0\n describe 'This control is not applicable as no expiring user accounts were found' do\n skip 'This control is not applicable as no expiring user accounts were found'\n end\n else\n expiring_accounts << ad_accounts unless expiring_accounts.any? { |h| h['SamAccountName'] == ad_accounts.fetch('SamAccountName') }\n end\n when Array # Multiple user accounts\n ad_accounts.each do |ad_account|\n next if ad_account.fetch('AccountExpirationDate').nil?\n expiring_accounts << ad_account unless expiring_accounts.any? 
{ |h| h['SamAccountName'] == ad_account.fetch('SamAccountName') }\n end\n end\n end\n if expiring_accounts.empty?\n impact 0.0\n describe 'This control is not applicable as no expiring user accounts were found' do\n skip 'This control is not applicable as no expiring user accounts were found'\n end\n else\n expiring_accounts.each do |expiring_account|\n account_name = expiring_account.fetch('SamAccountName')\n if expiring_account.fetch(\"WhenCreated\") == nil\n describe \"#{account_name} account's creation date\" do\n subject { expiring_account.fetch(\"WhenCreated\") }\n it { should_not eq nil}\n end\n elsif expiring_account.fetch(\"AccountExpirationDate\") == nil\n describe \"#{account_name} account's expiration date\" do\n subject { expiring_account.fetch(\"AccountExpirationDate\") }\n it { should_not eq nil}\n end\n else \n creation_date = Date.parse(expiring_account.fetch('WhenCreated'))\n expiration_date = Date.parse(expiring_account.fetch('AccountExpirationDate'))\n date_difference = expiration_date.mjd - creation_date.mjd\n describe \"Account expiration set for #{account_name}\" do\n subject { date_difference }\n it { should cmp <= input('temporary_account_period') }\n end\n end\n end\n end\n else\n expiring_users = []\n temporary_accounts = input('temp_accounts_local')\n unless temporary_accounts == [nil]\n temporary_accounts.each do |temporary_account|\n expiring_users << json({ command: \"Get-LocalUser -Name #{temporary_account} | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\" }).params\n end\n end\n local_users = json({ command: \"Get-LocalUser * | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\" }).params\n if local_users.empty?\n 
impact 0.0\n describe 'This control is not applicable as no user accounts were found' do\n skip 'This control is not applicable as no user accounts were found'\n end\n else\n case local_users\n when Hash # One user account\n if local_users.fetch('AccountExpires').nil? || local_user.fetch('PasswordLastSet').nil?\n impact 0.0\n describe 'This control is not applicable as no expiring user accounts with password last set date were found' do\n skip 'This control is not applicable as no expiring user accounts password last set date were found'\n end\n else\n expiring_users << local_users unless expiring_users.any? { |h| h['Name'] == local_users.fetch('Name') }\n end\n when Array # Multiple user accounts\n local_users.each do |local_user|\n next if local_user.fetch('AccountExpires').nil? || local_user.fetch('PasswordLastSet').nil?\n expiring_users << local_user unless expiring_users.any? { |h| h['Name'] == local_user.fetch('Name') }\n end\n end\n end\n if expiring_users.empty?\n impact 0.0\n describe 'This control is not applicable as no expiring user accounts with password last set date were found' do\n skip 'This control is not applicable as no expiring user accounts with password last set date were found'\n end\n else\n expiring_users.each do |expiring_account|\n user_name = expiring_account.fetch('Name')\n if expiring_account.fetch(\"PasswordLastSet\") == nil\n describe \"#{user_name} account's password last set date\" do\n subject { expiring_account.fetch(\"PasswordLastSet\") }\n it { should_not eq nil}\n end\n elsif expiring_account.fetch(\"AccountExpires\") == nil\n describe \"#{user_name} account's expiration date\" do\n subject { expiring_account.fetch(\"AccountExpires\") }\n it { should_not eq nil}\n end\n else\n password_date = Date.parse(expiring_account.fetch('PasswordLastSet'))\n expiration_date = Date.parse(expiring_account.fetch('AccountExpires'))\n date_difference = expiration_date.mjd - password_date.mjd\n describe \"Account expiration set for 
#{user_name}\" do\n subject { date_difference }\n it { should cmp <= input('temporary_account_period') }\n end\n end\n end\n end\n end\nend\n", + "code": "control \"V-93117\" do\n title \"Windows Server 2019 must be configured to audit System - System\nIntegrity successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000471-GPOS-00215\",\n\"SRG-OS-000471-GPOS-00216\", 
\"SRG-OS-000477-GPOS-00222\"]\n tag 'gid': 'V-93117'\n tag 'rid': 'SV-103205r1_rule'\n tag 'stig_id': 'WN19-AU-000380'\n tag 'fix_id': 'F-99363r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Success' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92975.rb", + "ref": "./Windows 2019 STIG/controls/V-93117.rb", "line": 3 }, - "id": "V-92975" + "id": "V-93117" }, { - "title": "Windows Server 2019 domain-joined systems must have a Trusted Platform\nModule (TPM) enabled and ready for use.", - "desc": "Credential Guard uses virtualization-based security to protect data\nthat could be used in credential theft attacks if compromised. A number of\nsystem requirements must be met in order for Credential Guard to be configured\nand enabled properly. Without a TPM enabled and ready for use, Credential Guard\nkeys are stored in a less secure method using software.", + "title": "Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed.", + "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.", "descriptions": { - "default": "Credential Guard uses virtualization-based security to protect data\nthat could be used in credential theft attacks if compromised. A number of\nsystem requirements must be met in order for Credential Guard to be configured\nand enabled properly. Without a TPM enabled and ready for use, Credential Guard\nkeys are stored in a less secure method using software.", + "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.", "rationale": "", - "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support\nvirtualization-based security features, including Credential Guard, due to\nspecific supporting requirements including a TPM, UEFI with Secure Boot, and\nthe capability to run the Hyper-V feature within a virtual machine.\n\n Verify the system has a TPM and it is ready for use.\n\n Run \"tpm.msc\".\n\n Review the sections in the center pane.\n\n \"Status\" must indicate it has been configured with a message such as\n\"The TPM is ready for use\" or \"The TPM is on and ownership has been taken\".\n\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.", - "fix": "Ensure domain-joined systems have a TPM that is configured for use.\n(Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n\n Run \"tpm.msc\" for configuration options in Windows." + "check": "Different methods are available to disable SMBv1 on Windows Server 2019. 
This is the preferred method, however if WN19-00-000390 and WN19-00-000400 are configured, this is NA.\n\n Open \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-WindowsFeature -Name FS-SMB1\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", + "fix": "Uninstall the SMBv1 protocol.\n\n Open \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Uninstall-WindowsFeature -Name FS-SMB1 -Restart\".\n (Omit the Restart parameter if an immediate restart of the system cannot be done.)\n\n Alternately:\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"SMB 1.0/CIFS File Sharing Support\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93213", - "rid": "SV-103301r1_rule", - "stig_id": "WN19-00-000090", - "fix_id": "F-99459r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93391", + "rid": "SV-103477r1_rule", + "stig_id": "WN19-00-000380", + "fix_id": "F-99635r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93213\" do\n title \"Windows Server 2019 domain-joined systems must have a Trusted Platform\nModule (TPM) enabled and ready for use.\"\n desc \"Credential Guard uses virtualization-based security to protect data\nthat could be used in credential theft attacks if compromised. A number of\nsystem requirements must be met in order for Credential Guard to be configured\nand enabled properly. 
Without a TPM enabled and ready for use, Credential Guard\nkeys are stored in a less secure method using software.\"\n desc \"rationale\", \"\"\n desc 'check', \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support\nvirtualization-based security features, including Credential Guard, due to\nspecific supporting requirements including a TPM, UEFI with Secure Boot, and\nthe capability to run the Hyper-V feature within a virtual machine.\n\n Verify the system has a TPM and it is ready for use.\n\n Run \\\"tpm.msc\\\".\n\n Review the sections in the center pane.\n\n \\\"Status\\\" must indicate it has been configured with a message such as\n\\\"The TPM is ready for use\\\" or \\\"The TPM is on and ownership has been taken\\\".\n\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.\"\n desc 'fix', \"Ensure domain-joined systems have a TPM that is configured for use.\n(Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n\n Run \\\"tpm.msc\\\" for configuration options in Windows.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93213'\n tag 'rid': 'SV-103301r1_rule'\n tag 'stig_id': 'WN19-00-000090'\n tag 'fix_id': 'F-99459r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if sys_info.manufacturer == \"VMware, Inc.\"\n impact 0.0\n describe 'This System is NA for Control V-93213, This is a VMware Virtual Machine.' 
do\n skip 'This System is NA for Control V-93213, This is a VMware Virtual Machine.'\n end\n elsif is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therefore this control is Not Applicable' do\n skip 'This system is not joined to a domain, therefore this control is Not Applicable'\n end\n else\n tpm_ready = command('Get-Tpm | select -expand TpmReady').stdout.strip\n tpm_present = command('Get-Tpm | select -expand TpmPresent').stdout.strip\n describe 'Trusted Platform Module (TPM) TpmReady' do\n subject { tpm_ready }\n it { should eq 'True' }\n end\n describe 'Trusted Platform Module (TPM) TpmPresent' do\n subject { tpm_present }\n it { should eq 'True' }\n end\n end\nend\n", + "code": "control \"V-93391\" do\n title \"Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows Server 2019. 
This is the preferred method, however if WN19-00-000390 and WN19-00-000400 are configured, this is NA.\n\n Open \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-WindowsFeature -Name FS-SMB1\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the SMBv1 protocol.\n\n Open \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Uninstall-WindowsFeature -Name FS-SMB1 -Restart\\\".\n (Omit the Restart parameter if an immediate restart of the system cannot be done.)\n\n Alternately:\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"SMB 1.0/CIFS File Sharing Support\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93391\"\n tag rid: \"SV-103477r1_rule\"\n tag stig_id: \"WN19-00-000380\"\n tag fix_id: \"F-99635r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n if powershell(\"Get-ItemPropertyValue 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters' -Name SMB1\").stdout.strip == \"0\" && powershell(\"Get-ItemPropertyValue 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10' -Name Start\").stdout.strip == \"4\"\n impact 0.0\n describe 'Controls V-93393 and V-93395 configuration successful' do\n skip 'This is NA as the successful configuration of Controls V-93393 (STIG ID# WN19-00-000390) and V-93395 (STIG ID# WN19-00-000400) meets the requirement'\n end\n else\n state = powershell(\"Get-WindowsFeature -Name 
FS-SMB1 | Select -ExpandProperty 'InstallState'\").stdout.strip\n describe \"Server Message Block (SMB) v1 protocol msut not be installed\" do\n subject { state }\n it { should_not eq \"Installed\" }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93213.rb", + "ref": "./Windows 2019 STIG/controls/V-93391.rb", "line": 3 }, - "id": "V-93213" + "id": "V-93391" }, { - "title": "Windows Server 2019 Active Directory SYSVOL directory must have the\nproper access control permissions.", - "desc": "Improper access permissions for directory data files could allow\nunauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\nand logon scripts. Data in shared subdirectories are replicated to all domain\ncontrollers in a domain.", + "title": "Windows Server 2019 must be configured to audit Object Access -\nRemovable Storage failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.", "descriptions": { - "default": "Improper access permissions for directory data files could allow\nunauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\nand logon scripts. 
Data in shared subdirectories are replicated to all domain\ncontrollers in a domain.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Open a command prompt.\n\n Run \"net share\".\n\n Make note of the directory location of the SYSVOL share.\n\n By default, this will be \\Windows\\SYSVOL\\sysvol. For this requirement,\npermissions will be verified at the first SYSVOL directory level.\n\n If any standard user accounts or groups have greater than \"Read &\nexecute\" permissions, this is a finding.\n\n The default permissions noted below meet this requirement:\n\n Open \"Command Prompt\".\n\n Run \"icacls c:\\Windows\\SYSVOL\".\n\n The following results should be displayed:\n\n NT AUTHORITY\\Authenticated Users:(RX)\n NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\Server Operators:(RX)\n BUILTIN\\Server Operators:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\Administrators:(M,WDAC,WO)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(F)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n\n (RX) - Read & execute\n\n Run \"icacls /help\" to view definitions of other permission codes.\n\n Alternately, open \"File Explorer\".\n\n Navigate to \\Windows\\SYSVOL (or the directory noted previously if\ndifferent).\n\n Right-click the directory and select properties.\n\n Select the \"Security\" 
tab and click \"Advanced\".\n\n Default permissions:\n\n C:\\Windows\\SYSVOL\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions:\nall selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files", - "fix": "Maintain the permissions on the SYSVOL directory. Do not allow greater than\n\"Read & execute\" permissions for standard user accounts or groups. The\ndefaults below meet this requirement:\n\n C:\\Windows\\SYSVOL\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions:\nall selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files" + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> 
Removable Storage - Failure\n\n Virtual machines or systems that use network attached storage may generate\nexcessive audit events for secondary virtual drives or the network attached\nstorage when this setting is enabled. This may be set to Not Configured in such\ncases and would not be a finding.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \"Audit Removable Storage\" with\n\"Failure\" selected." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93031", - "rid": "SV-103119r1_rule", - "stig_id": "WN19-DC-000080", - "fix_id": "F-99277r1_fix", + "gtitle": "SRG-OS-000474-GPOS-00219", + "gid": "V-93169", + "rid": "SV-103257r1_rule", + "stig_id": "WN19-AU-000250", + "fix_id": "F-99415r1_fix", "cci": [ - "CCI-002235" + "CCI-000172" ], "nist": [ - "AC-6 (10)", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93031\" do\n title \"Windows Server 2019 Active Directory SYSVOL directory must have the\nproper access control permissions.\"\n desc \"Improper access permissions for directory data files could allow\nunauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\nand logon scripts. Data in shared subdirectories are replicated to all domain\ncontrollers in a domain.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Open a command prompt.\n\n Run \\\"net share\\\".\n\n Make note of the directory location of the SYSVOL share.\n\n By default, this will be \\\\Windows\\\\SYSVOL\\\\sysvol. 
For this requirement,\npermissions will be verified at the first SYSVOL directory level.\n\n If any standard user accounts or groups have greater than \\\"Read &\nexecute\\\" permissions, this is a finding.\n\n The default permissions noted below meet this requirement:\n\n Open \\\"Command Prompt\\\".\n\n Run \\\"icacls c:\\\\Windows\\\\SYSVOL\\\".\n\n The following results should be displayed:\n\n NT AUTHORITY\\\\Authenticated Users:(RX)\n NT AUTHORITY\\\\Authenticated Users:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\\\Server Operators:(RX)\n BUILTIN\\\\Server Operators:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\\\Administrators:(M,WDAC,WO)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(F)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n\n (RX) - Read & execute\n\n Run \\\"icacls /help\\\" to view definitions of other permission codes.\n\n Alternately, open \\\"File Explorer\\\".\n\n Navigate to \\\\Windows\\\\SYSVOL (or the directory noted previously if\ndifferent).\n\n Right-click the directory and select properties.\n\n Select the \\\"Security\\\" tab and click \\\"Advanced\\\".\n\n Default permissions:\n\n C:\\\\Windows\\\\SYSVOL\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions:\nall selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files\"\n desc \"fix\", \"\n Maintain the permissions on the SYSVOL directory. Do not allow greater than\n\\\"Read & execute\\\" permissions for standard user accounts or groups. 
The\ndefaults below meet this requirement:\n\n C:\\\\Windows\\\\SYSVOL\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions:\nall selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93031'\n tag 'rid': 'SV-103119r1_rule'\n tag 'stig_id': 'WN19-DC-000080'\n tag 'fix_id': 'F-99277r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n sysvol_perm = json( command: \"icacls 'c:\\\\Windows\\\\SYSVOL' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"c:\\\\Windows\\\\SYSVOL \", '') }\n \n describe \"c:\\\\ permissions are set correctly on folder structure\" do\n subject { sysvol_perm.eql? 
input('c_windows_sysvol_perm') }\n it { should eq true }\n end\n else\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93169\" do\n title \"Windows Server 2019 must be configured to audit Object Access -\nRemovable Storage failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Failure\n\n Virtual machines or systems that use network attached storage may generate\nexcessive audit events for secondary virtual drives or the network attached\nstorage when this setting is 
enabled. This may be set to Not Configured in such\ncases and would not be a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000474-GPOS-00219'\n tag 'gid': 'V-93169'\n tag 'rid': 'SV-103257r1_rule'\n tag 'stig_id': 'WN19-AU-000250'\n tag 'fix_id': 'F-99415r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93031.rb", + "ref": "./Windows 2019 STIG/controls/V-93169.rb", "line": 3 }, - "id": "V-93031" + "id": "V-93169" }, { - "title": "Windows Server 2019 members of the Backup Operators group must have\nseparate accounts for backup duties and normal operational tasks.", - "desc": "Backup Operators are able to read and write to any file in the system,\nregardless of the rights assigned to it. Backup and restore rights permit users\nto circumvent the file access restrictions present on NTFS disk drives for\nbackup and restore purposes. Members of the Backup Operators group must have\nseparate logon accounts for performing backup duties.", + "title": "Windows Server 2019 must force audit policy subcategory settings to\noverride audit policy category settings.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\ncapabilities.", "descriptions": { - "default": "Backup Operators are able to read and write to any file in the system,\nregardless of the rights assigned to it. Backup and restore rights permit users\nto circumvent the file access restrictions present on NTFS disk drives for\nbackup and restore purposes. Members of the Backup Operators group must have\nseparate logon accounts for performing backup duties.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\ncapabilities.", "rationale": "", - "check": "If no accounts are members of the Backup Operators group, this is NA.\n\n Verify users with accounts in the Backup Operators group have a separate\nuser account for backup functions and for performing normal user tasks.\n\n If users with accounts in the Backup Operators group do not have separate\naccounts for backup functions and standard user functions, this is a finding.", - "fix": "Ensure each member of the Backup Operators group has separate\naccounts for backup functions and standard user functions." 
+ "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> Security Options >>\n\"Audit: Force audit policy subcategory settings (Windows Vista or later) to\noverride audit policy category settings\" to \"Enabled\"." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93207", - "rid": "SV-103295r1_rule", - "stig_id": "WN19-00-000040", - "fix_id": "F-99453r1_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "gid": "V-93151", + "rid": "SV-103239r1_rule", + "stig_id": "WN19-SO-000050", + "fix_id": "F-99397r1_fix", "cci": [ - "CCI-000366" + "CCI-000169" ], "nist": [ - "CM-6 b", + "AU-12 a", "Rev_4" ] }, - "code": "control \"V-93207\" do\n title \"Windows Server 2019 members of the Backup Operators group must have\nseparate accounts for backup duties and normal operational tasks.\"\n desc \"Backup Operators are able to read and write to any file in the system,\nregardless of the rights assigned to it. Backup and restore rights permit users\nto circumvent the file access restrictions present on NTFS disk drives for\nbackup and restore purposes. 
Members of the Backup Operators group must have\nseparate logon accounts for performing backup duties.\"\n desc \"rationale\", \"\"\n desc 'check', \"If no accounts are members of the Backup Operators group, this is NA.\n\n Verify users with accounts in the Backup Operators group have a separate\nuser account for backup functions and for performing normal user tasks.\n\n If users with accounts in the Backup Operators group do not have separate\naccounts for backup functions and standard user functions, this is a finding.\"\n desc 'fix', \"Ensure each member of the Backup Operators group has separate\naccounts for backup functions and standard user functions.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93207'\n tag 'rid': 'SV-103295r1_rule'\n tag 'stig_id': 'WN19-00-000040'\n tag 'fix_id': 'F-99453r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n backup_operators_group = command(\"net localgroup 'Backup Operators' | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n backup_operators = input('backup_operators')\n if backup_operators_group.empty?\n impact 0.0\n describe 'Backup Operators Group Empty' do\n skip 'The control is N/A as there are no users in the Backup Operators group'\n end\n else\n backup_operators_group.each do |user|\n describe user do\n it { should be_in backup_operators }\n end\n end\n end\nend\n", + "code": "control \"V-93151\" do\n title \"Windows Server 2019 must force audit policy subcategory settings to\noverride audit policy category settings.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\ncapabilities.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> Security Options >>\n\\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to\noverride audit policy category settings\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000062-GPOS-00031'\n tag 'gid': 'V-93151'\n tag 'rid': 'SV-103239r1_rule'\n tag 'stig_id': 'WN19-SO-000050'\n tag 'fix_id': 'F-99397r1_fix'\n tag 'cci': [\"CCI-000169\"]\n tag 'nist': [\"AU-12 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'SCENoApplyLegacyAuditPolicy' }\n its('SCENoApplyLegacyAuditPolicy') { should cmp 1 }\n end \nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93207.rb", + "ref": "./Windows 2019 STIG/controls/V-93151.rb", "line": 3 }, - "id": "V-93207" + "id": "V-93151" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE\nregistry hive must be maintained.", + "desc": "The registry is integral to the function, security, and stability of\nthe Windows system. Changing the system's registry permissions allows the\npossibility of unauthorized and anonymous modification to the operating system.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "The registry is integral to the function, security, and stability of\nthe Windows system. Changing the system's registry permissions allows the\npossibility of unauthorized and anonymous modification to the operating system.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name MSACCESS.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for MSACCESS.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n 
EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive\nnoted below.\n\n If any non-privileged groups such as Everyone, Users, or Authenticated\nUsers have greater than Read permission, this is a finding.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding:\n\n Run \"Regedit\".\n\n Right-click on the registry areas noted below.\n\n Select \"Permissions\" and the \"Advanced\" button.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This 
key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other examples under the noted keys may also be sampled. There may be some\ninstances where non-privileged groups have greater than Read permission.\n\n Microsoft has given Read permission to the SOFTWARE and SYSTEM registry\nkeys in Windows Server 2019 to the following SID, this is currently not a\nfinding.\n\nS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\n\n If the defaults have not been changed, these are not a finding.", + "fix": "Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive.\n\n The default permissions of the higher-level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Microsoft has also given Read permission to the SOFTWARE and SYSTEM\nregistry keys in Windows Server 2019 to the following 
SID.\n\nS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93343", - "rid": "SV-103431r1_rule", - "stig_id": "WN19-EP-000170", - "fix_id": "F-99589r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93025", + "rid": "SV-103113r1_rule", + "stig_id": "WN19-00-000170", + "fix_id": "F-99271r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93343\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name MSACCESS.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for MSACCESS.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n 
ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93343\"\n tag rid: \"SV-103431r1_rule\"\n tag stig_id: \"WN19-EP-000170\"\n tag fix_id: \"F-99589r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n msaccess = json({ command: \"Get-ProcessMitigation -Name MSACCESS.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif msaccess.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for MSACCESS.EXE\" do\n subject { msaccess }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control 'V-93025' do\n title \"Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE\nregistry hive must be maintained.\"\n desc \"The registry is integral to the function, security, and stability of\nthe Windows system. Changing the system's registry permissions allows the\npossibility of unauthorized and anonymous modification to the operating system.\"\n desc 'rationale', ''\n desc 'check', \"Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive\nnoted below.\n\n If any non-privileged groups such as Everyone, Users, or Authenticated\nUsers have greater than Read permission, this is a finding.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding:\n\n Run \\\"Regedit\\\".\n\n Right-click on the registry areas noted below.\n\n Select \\\"Permissions\\\" and the \\\"Advanced\\\" button.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and 
subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other examples under the noted keys may also be sampled. There may be some\ninstances where non-privileged groups have greater than Read permission.\n\n Microsoft has given Read permission to the SOFTWARE and SYSTEM registry\nkeys in Windows Server 2019 to the following SID, this is currently not a\nfinding.\n\nS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\n\n If the defaults have not been changed, these are not a finding.\"\n desc 'fix', \"\n Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive.\n\n The default permissions of the higher-level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n 
Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Microsoft has also given Read permission to the SOFTWARE and SYSTEM\nregistry keys in Windows Server 2019 to the following SID.\n\nS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93025'\n tag 'rid': 'SV-103113r1_rule'\n tag 'stig_id': 'WN19-00-000170'\n tag 'fix_id': 'F-99271r1_fix'\n tag 'cci': ['CCI-002235']\n tag 'nist': ['AC-6 (10)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n hklm_system = powershell('(Get-Acl -Path HKLM:System).AccessToString').stdout.lines.collect(&:strip)\n describe 'Registry Key Security are set correctly on folder structure' do\n subject { hklm_system.eql? input('reg_system_perms_dc') }\n it { should eq true }\n end\n else\n hklm_software = powershell('(Get-Acl -Path HKLM:Software).AccessToString').stdout.lines.collect(&:strip)\n describe 'Registry Key Software permissions are set correctly on folder structure' do\n subject { hklm_software.eql? input('reg_software_perms') }\n it { should eq true }\n end\n\n hklm_security = powershell('(Get-Acl -Path HKLM:Security).AccessToString').stdout.lines.collect(&:strip)\n describe 'Registry Key Security are set correctly on folder structure' do\n subject { hklm_security.eql? input('reg_security_perms') }\n it { should eq true }\n end\n\n hklm_system = powershell('(Get-Acl -Path HKLM:System).AccessToString').stdout.lines.collect(&:strip)\n describe 'Registry Key System are set correctly on folder structure' do\n subject { hklm_system.eql? 
input('reg_system_perms') }\n it { should eq true }\n end\n end\n end\n",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93343.rb",
- "line": 3
+ "ref": "./Windows 2019 STIG/controls/V-93025.rb",
+ "line": 1
 },
- "id": "V-93343"
+ "id": "V-93025"
 },
 {
- "title": "Windows Server 2019 must be configured to audit Account Management -\nUser Account Management successes.",
- "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.",
+ "title": "Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.",
+ "desc": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.",
 "descriptions": {
- "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.", + "default": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit User Account\nManagement\" with \"Success\" selected." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft network server: Digitally sign communications (always)\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000004-GPOS-00004", + "gtitle": "SRG-OS-000423-GPOS-00187", "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000476-GPOS-00221" + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" ], - "gid": "V-92981", - "rid": "SV-103069r1_rule", - "stig_id": "WN19-AU-000110", - "fix_id": "F-99227r1_fix", + "gid": "V-93559", + "rid": "SV-103645r1_rule", + "stig_id": "WN19-SO-000190", + "fix_id": "F-99803r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)", - "AC-2 (4)", - "AC-2(4)", + "SC-8", + "SC-8 (1)", "Rev_4" ] }, - "code": "control \"V-92981\" do\n title \"Windows Server 2019 must be configured to audit Account Management -\nUser Account Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit User Account\nManagement\\\" with \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000004-GPOS-00004'\n tag 'satisfies': [\"SRG-OS-000004-GPOS-00004\", \"SRG-OS-000239-GPOS-00089\",\n\"SRG-OS-000240-GPOS-00090\", \"SRG-OS-000241-GPOS-00091\",\n\"SRG-OS-000303-GPOS-00120\", \"SRG-OS-000476-GPOS-00221\"]\n tag 'gid': 'V-92981'\n tag 'rid': 'SV-103069r1_rule'\n tag 'stig_id': 'WN19-AU-000110'\n tag 'fix_id': 'F-99227r1_fix'\n tag 'cci': [\"CCI-000018\", \"CCI-000172\", \"CCI-001403\", \"CCI-001404\",\n\"CCI-001405\", \"CCI-002130\"]\n tag 'nist': [\"AC-2 (4)\", \"AU-12 c\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2(4)\", 
\"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93559\" do\n title \"Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft network server: Digitally sign communications (always)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93559\"\n tag rid: \"SV-103645r1_rule\"\n tag stig_id: \"WN19-SO-000190\"\n tag fix_id: \"F-99803r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 
STIG/controls/V-92981.rb", + "ref": "./Windows 2019 STIG/controls/V-93559.rb", "line": 3 }, - "id": "V-92981" + "id": "V-93559" }, { - "title": "Windows Server 2019 Active Directory Group Policy objects must have\nproper access control permissions.", - "desc": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\nattention. In a distributed administration model (i.e., help desk), Group\nPolicy objects are more likely to have access permissions changed from the\nsecure defaults. If inappropriate access permissions are defined for Group\nPolicy objects, this could allow an intruder to change the security policy\napplied to all domain client computers (workstations and servers).", + "title": "Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.", + "desc": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Access this computer from the network\" right may access resources on the system, and this right must be limited to those requiring it.", "descriptions": { - "default": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization 
functions, a compromise of the database objects could lead to a\ncompromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\nattention. In a distributed administration model (i.e., help desk), Group\nPolicy objects are more likely to have access permissions changed from the\nsecure defaults. If inappropriate access permissions are defined for Group\nPolicy objects, this could allow an intruder to change the security policy\napplied to all domain client computers (workstations and servers).", + "default": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Access this computer from the network\" right may access resources on the system, and this right must be limited to those requiring it.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on Group Policy objects.\n\n Open \"Group Policy Management\" (available from various menus or run\n\"gpmc.msc\").\n\n Navigate to \"Group Policy Objects\" in the domain being reviewed (Forest\n>> Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the \"Delegation\" tab in the right pane.\n\n Select the \"Advanced\" button.\n\n Select each Group or user name.\n\n View the permissions.\n\n If any standard user accounts or groups have \"Allow\" permissions greater\nthan \"Read\" and \"Apply group policy\", this is a finding.\n\n Other access permissions that allow the objects to be updated are\nconsidered findings unless specifically documented by the ISSO.\n\n The default permissions noted below satisfy this requirement.\n\n The permissions shown are at the summary level. 
More detailed permissions\ncan be viewed by selecting the next \"Advanced\" button, the desired Permission\nentry, and the \"Edit\" button.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type\nProperties. If detailed permissions include any Create, Delete, Modify, or\nWrite Permissions or Properties, this is a finding.\n\n The special permissions for the following default groups are not the focus\nof this requirement and may include a wide range of permissions and properties:\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\nSpecial permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n The Domain Admins and Enterprise Admins will not have the \"Delete all\nchild objects\" permission on the two default Group Policy objects: Default\nDomain Policy and Default Domain Controllers Policy. They will have this\npermission o'n organization created Group Policy objects.", - "fix": "Maintain the permissions on Group Policy objects to not allow greater than\n\"Read\" and \"Apply group policy\" for standard user accounts or groups. 
The\ndefault permissions below meet this requirement:\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type\nProperties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\nSpecial permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n Document any other access permissions that allow the objects to be updated\nwith the ISSO.\n\n The Domain Admins and Enterprise Admins will not have the \"Delete all\nchild objects\" permission on the two default Group Policy objects: Default\nDomain Policy and Default Domain Controllers Policy. They will have this\npermission on created Group Policy objects." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \"Access this computer from the network\" right, this is a finding.\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \"SeNetworkLogonRight\" user right, this is a finding.\n S-1-5-32-544 (Administrators)\n S-1-5-11 (Authenticated Users)\n S-1-5-9 (Enterprise Domain Controllers)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \"Access this computer from the network\" to include only the following accounts or groups:\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers"
 },
- "impact": 0.7,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-93033",
- "rid": "SV-103121r1_rule",
- "stig_id": "WN19-DC-000090",
- "fix_id": "F-99279r1_fix",
+ "gtitle": "SRG-OS-000080-GPOS-00048",
+ "gid": "V-92995",
+ "rid": "SV-103083r1_rule",
+ "stig_id": "WN19-DC-000340",
+ "fix_id": "F-99241r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-000213"
 ],
 "nist": [
- "AC-6 (10)",
+ "AC-3", 
"Rev_4" ] }, - "code": "control \"V-93033\" do\n title \"Windows Server 2019 Active Directory Group Policy objects must have\nproper access control permissions.\"\n desc \"When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\nattention. In a distributed administration model (i.e., help desk), Group\nPolicy objects are more likely to have access permissions changed from the\nsecure defaults. If inappropriate access permissions are defined for Group\nPolicy objects, this could allow an intruder to change the security policy\napplied to all domain client computers (workstations and servers).\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the permissions on Group Policy objects.\n\n Open \\\"Group Policy Management\\\" (available from various menus or run\n\\\"gpmc.msc\\\").\n\n Navigate to \\\"Group Policy Objects\\\" in the domain being reviewed (Forest\n>> Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the \\\"Delegation\\\" tab in the right pane.\n\n Select the \\\"Advanced\\\" button.\n\n Select each Group or user name.\n\n View the permissions.\n\n If any standard user accounts or groups have \\\"Allow\\\" permissions greater\nthan \\\"Read\\\" and \\\"Apply group policy\\\", this is a finding.\n\n Other access permissions that allow the objects to be updated are\nconsidered findings unless specifically documented by the ISSO.\n\n The default permissions noted below satisfy this requirement.\n\n The permissions shown are at the summary level. More detailed permissions\ncan be viewed by selecting the next \\\"Advanced\\\" button, the desired Permission\nentry, and the \\\"Edit\\\" button.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type\nProperties. 
If detailed permissions include any Create, Delete, Modify, or\nWrite Permissions or Properties, this is a finding.\n\n The special permissions for the following default groups are not the focus\nof this requirement and may include a wide range of permissions and properties:\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\nSpecial permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n The Domain Admins and Enterprise Admins will not have the \\\"Delete all\nchild objects\\\" permission on the two default Group Policy objects: Default\nDomain Policy and Default Domain Controllers Policy. They will have this\npermission o'n organization created Group Policy objects.\"\n desc 'fix', \"Maintain the permissions on Group Policy objects to not allow greater than\n\\\"Read\\\" and \\\"Apply group policy\\\" for standard user accounts or groups. 
The\ndefault permissions below meet this requirement:\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type\nProperties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\nSpecial permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n Document any other access permissions that allow the objects to be updated\nwith the ISSO.\n\n The Domain Admins and Enterprise Admins will not have the \\\"Delete all\nchild objects\\\" permission on the two default Group Policy objects: Default\nDomain Policy and Default Domain Controllers Policy. They will have this\npermission on created Group Policy objects.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93033'\n tag 'rid': 'SV-103121r1_rule'\n tag 'stig_id': 'WN19-DC-000090'\n tag 'fix_id': 'F-99279r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n #Checked Code in 2016 and it is not a validate way of checking permissions, Until a command is put together that can get all GPO's in a Domain and then check all permissions, this is manually\n describe 'A manual review is required to ensure all Group Policies have the correct permisions' do\n skip 'A manual review is required to ensure all Group Policies have the correct permisions'\n end\n\nend\n", + "code": "control \"V-92995\" do\n title \"Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system, administrative, and 
other high-level capabilities.\n Accounts with the \\\"Access this computer from the network\\\" right may access resources on the system, and this right must be limited to those requiring it.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \\\"Access this computer from the network\\\" right, this is a finding.\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \\\"SeNetworkLogonRight\\\" user right, this is a finding.\n S-1-5-32-544 (Administrators)\n S-1-5-11 (Authenticated Users)\n S-1-5-9 (Enterprise Domain Controllers)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Access this computer from the network\\\" to include only the following accounts or groups:\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92995'\n tag 'rid': 'SV-103083r1_rule'\n tag 'stig_id': 
'WN19-DC-000340'\n tag 'fix_id': 'F-99241r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n active_network_access_users = security_policy.SeNetworkLogonRight.entries\n allowed_network_access_users = input(\"allowed_network_access_users\")\n disallowed_network_access_users = input(\"disallowed_network_access_users\")\n unauthorized_users = []\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n if domain_role == '4' || domain_role == '5'\n active_network_access_users.each do |user|\n next if allowed_network_access_users.include?(user)\n unauthorized_users << user\n end\n disallowed_network_access_users.each do |user|\n unless disallowed_network_access_users == [nil] || unauthorized_users.include?(user)\n unauthorized_users << user\n end\n end\n describe \"Network Logon Privilege must be limited to\" do\n it \"Authorized SIDs: #{allowed_network_access_users}\" do\n failure_message = \"Unauthorized SIDs: #{unauthorized_users}\"\n expect(unauthorized_users).to be_empty, failure_message\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93033.rb", + "ref": "./Windows 2019 STIG/controls/V-92995.rb", 
"line": 3 }, - "id": "V-93033" + "id": "V-92995" }, { - "title": "Windows Server 2019 must not have the TFTP Client installed.", - "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", + "title": "Windows Server 2019 Windows Defender SmartScreen must be enabled.", + "desc": "Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", + "default": "Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users.", "rationale": "", - "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq TFTP-Client\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", - "fix": "Uninstall the \"TFTP Client\" feature.\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"TFTP Client\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." 
+ "check": "This is applicable to unclassified systems; for other systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> \"Configure Windows Defender SmartScreen\" to \"Enabled\" with either option \"Warn\" or \"Warn and prevent bypass\" selected.\n Windows 2019 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer." }, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93389", - "rid": "SV-103475r1_rule", - "stig_id": "WN19-00-000370", - "fix_id": "F-99633r1_fix", + "gid": "V-93411", + "rid": "SV-103497r2_rule", + "stig_id": "WN19-CC-000300", + "fix_id": "F-99655r1_fix", "cci": [ "CCI-000381" ], 
@@ -607,815 +579,804 @@
 "Rev_4"
 ]
 },
- "code": "control \"V-93389\" do\n title \"Windows Server 2019 must not have the TFTP Client installed.\"\n desc \"Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq TFTP-Client\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"TFTP Client\\\" feature.\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"TFTP Client\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93389\"\n tag rid: \"SV-103475r1_rule\"\n tag stig_id: \"WN19-00-000370\"\n tag fix_id: \"F-99633r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('TFTP-Client') do\n it { should_not be_installed }\n end\nend",
+ "code": "control \"V-93411\" do\n title \"Windows Server 2019 Windows Defender SmartScreen must be enabled.\"\n desc \"Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. 
Enabling SmartScreen can block potentially malicious programs or warn users.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems; for other systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> \\\"Configure Windows Defender SmartScreen\\\" to \\\"Enabled\\\" with either option \\\"Warn\\\" or \\\"Warn and prevent bypass\\\" selected.\n Windows 2019 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93411\"\n tag rid: \"SV-103497r2_rule\"\n tag stig_id: \"WN19-CC-000300\"\n tag fix_id: \"F-99655r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'EnableSmartScreen' }\n its('EnableSmartScreen') { should cmp 1 }\n end\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93389.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93411.rb",
 "line": 3
 },
- "id": "V-93389"
+ "id": "V-93411"
 },
 {
- "title": "Windows Server 2019 Active Directory Infrastructure object must be\nconfigured with proper audit settings.",
- "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Infrastructure object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "title": "Windows Server 2019 must be configured to audit Logon/Logoff - Account\nLockout successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\nattempts.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Infrastructure object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\nattempts.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for Infrastructure object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the \"Infrastructure\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the Infrastructure object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\nChange infrastructure master)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)", - "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the \"Infrastructure\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for Infrastructure object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\nChange infrastructure master)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)" + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Account Lockout\" with\n\"Success\" selected." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000240-GPOS-00090", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000470-GPOS-00214" ], - "gid": "V-93125", - "rid": "SV-103213r1_rule", - "stig_id": "WN19-DC-000190", - "fix_id": "F-99371r1_fix", + "gid": "V-92987", + "rid": "SV-103075r1_rule", + "stig_id": "WN19-AU-000150", + "fix_id": "F-99233r1_fix", "cci": [ "CCI-000172", - "CCI-002234" + "CCI-001404" ], "nist": [ "AU-12 c", - "AC-6 (9)", + "AC-2 (4)", "Rev_4" ] }, - "code": "control \"V-93125\" do\n title \"Windows Server 2019 Active Directory Infrastructure object must be\nconfigured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Infrastructure object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for Infrastructure object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the \\\"Infrastructure\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the Infrastructure object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\nChange infrastructure master)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n desc 'fix', \"Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the \\\"Infrastructure\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for Infrastructure object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\nChange infrastructure master)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93125'\n tag 'rid': 'SV-103213r1_rule'\n tag 'stig_id': 'WN19-DC-000190'\n tag 'fix_id': 'F-99371r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=Infrastructure,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n 
its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, ExtendedRight\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", + "code": "control \"V-92987\" do\n title \"Windows Server 2019 must be configured to audit Logon/Logoff - Account\nLockout successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\nattempts.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Account Lockout\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000240-GPOS-00090'\n tag 'satisfies': [\"SRG-OS-000240-GPOS-00090\", \"SRG-OS-000470-GPOS-00214\"]\n tag 'gid': 'V-92987'\n tag 'rid': 'SV-103075r1_rule'\n tag 'stig_id': 'WN19-AU-000150'\n tag 'fix_id': 'F-99233r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-001404\"]\n tag 'nist': [\"AU-12 c\", \"AC-2 (4)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Account Lockout') { should eq 'Success' }\n end\n describe audit_policy do\n its('Account Lockout') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93125.rb", + "ref": "./Windows 2019 
STIG/controls/V-92987.rb", "line": 3 }, - "id": "V-93125" + "id": "V-92987" }, { - "title": "Windows Server 2019 must be configured to audit Account Management -\nUser Account Management failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.", + "title": "Windows Server 2019 Create a pagefile user right must only be assigned\nto the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create a pagefile\" user right can change the size of a\npagefile, which could affect system performance.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.",
+ "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create a pagefile\" user right can change the size of a\npagefile, which could affect system performance.",
 "rationale": "",
- "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Failure",
- "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit User Account\nManagement\" with \"Failure\" selected."
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Create\na pagefile\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeCreatePagefilePrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Create a\npagefile\" to include only the following accounts or groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000004-GPOS-00004", - "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000476-GPOS-00221" - ], - "gid": "V-92983", - "rid": "SV-103071r1_rule", - "stig_id": "WN19-AU-000120", - "fix_id": "F-99229r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93055", + "rid": "SV-103143r1_rule", + "stig_id": "WN19-UR-000050", + "fix_id": "F-99301r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-002235" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)", - "AC-2 (4)", - "AC-2(4)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-92983\" do\n title \"Windows Server 2019 must be configured to audit Account Management -\nUser Account Management failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, 
troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit User Account\nManagement\\\" with \\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000004-GPOS-00004'\n tag 'satisfies': [\"SRG-OS-000004-GPOS-00004\", \"SRG-OS-000239-GPOS-00089\",\n\"SRG-OS-000240-GPOS-00090\", \"SRG-OS-000241-GPOS-00091\",\n\"SRG-OS-000303-GPOS-00120\", \"SRG-OS-000476-GPOS-00221\"]\n tag 'gid': 'V-92983'\n tag 'rid': 'SV-103071r1_rule'\n tag 'stig_id': 'WN19-AU-000120'\n tag 'fix_id': 'F-99229r1_fix'\n tag 'cci': [\"CCI-000018\", \"CCI-000172\", \"CCI-001403\", \"CCI-001404\",\n\"CCI-001405\", \"CCI-002130\"]\n 
tag 'nist': [\"AC-2 (4)\", \"AU-12 c\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2(4)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Failure' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93055\" do\n title \"Windows Server 2019 Create a pagefile user right must only be assigned\nto the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Create a pagefile\\\" user right can change the size of a\npagefile, which could affect system performance.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Create\na pagefile\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeCreatePagefilePrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Create a\npagefile\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93055'\n tag 'rid': 'SV-103143r1_rule'\n tag 'stig_id': 'WN19-UR-000050'\n tag 'fix_id': 'F-99301r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 
(10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeCreatePagefilePrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92983.rb", + "ref": "./Windows 2019 STIG/controls/V-93055.rb", "line": 3 }, - "id": "V-92983" + "id": "V-93055" }, { - "title": "Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.", - "desc": "Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.", + "title": "Windows Server 2019 must be configured to audit logon failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.", "descriptions": { - "default": "Allowing AutoRun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents AutoRun commands from executing.",
+ "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.",
 "rationale": "",
- "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: NoAutorun\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
- "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Set the default behavior for AutoRun\" to \"Enabled\" with \"Do not execute any autorun commands\" selected."
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Failure\"\nselected." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-93375", - "rid": "SV-103461r1_rule", - "stig_id": "WN19-CC-000220", - "fix_id": "F-99619r1_fix", + "gtitle": "SRG-OS-000032-GPOS-00013", + "satisfies": [ + "SRG-OS-000032-GPOS-00013", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000472-GPOS-00217", + "SRG-OS-000473-GPOS-00218", + "SRG-OS-000475-GPOS-00220" + ], + "gid": "V-92969", + "rid": "SV-103057r1_rule", + "stig_id": "WN19-AU-000200", + "fix_id": "F-99215r1_fix", "cci": [ - "CCI-001764" + "CCI-000067", + "CCI-000172" ], "nist": [ - "CM-7 (2)", + "AC-17 (1)", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93375\" do\n title \"Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.\"\n desc \"Allowing AutoRun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents AutoRun commands from executing.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: NoAutorun\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Set the default behavior for AutoRun\\\" to \\\"Enabled\\\" with \\\"Do not execute any autorun commands\\\" selected.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000368-GPOS-00154\"\n tag gid: \"V-93375\"\n tag rid: \"SV-103461r1_rule\"\n tag stig_id: \"WN19-CC-000220\"\n tag fix_id: \"F-99619r1_fix\"\n tag cci: [\"CCI-001764\"]\n tag nist: [\"CM-7 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n it { should have_property 'NoAutorun' }\n its('NoAutorun') { should cmp == 1 }\n end\nend", + "code": "control \"V-92969\" do\n title \"Windows Server 2019 must be configured to audit logon failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. 
If it is to a network share, it is recorded on the system\naccessed.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Logon\\\" with \\\"Failure\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000032-GPOS-00013'\n tag 'satisfies': [\"SRG-OS-000032-GPOS-00013\", \"SRG-OS-000470-GPOS-00214\",\n\"SRG-OS-000472-GPOS-00217\", \"SRG-OS-000473-GPOS-00218\",\n\"SRG-OS-000475-GPOS-00220\"]\n tag 'gid': 'V-92969'\n tag 'rid': 'SV-103057r1_rule'\n tag 'stig_id': 'WN19-AU-000200'\n tag 'fix_id': 'F-99215r1_fix'\n tag 'cci': [\"CCI-000067\", \"CCI-000172\"]\n tag 'nist': [\"AC-17 (1)\", \"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93375.rb", + "ref": "./Windows 2019 STIG/controls/V-92969.rb", "line": 3 }, - "id": "V-93375" + "id": "V-92969" }, { - "title": "Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.", - "desc": 
"If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n The cornerstone of the PKI is the private key used to encrypt or digitally sign information.\n\n If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user.\n\n Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.", + "title": "Windows Server 2019 must be configured to audit System - IPsec Driver\nsuccesses.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.", "descriptions": { - "default": "If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n The cornerstone of the PKI is the private key used to encrypt or digitally sign information.\n\n If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user.\n\n Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.", + "default": "Maintaining an 
audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Cryptography\\\n\n Value Name: ForceKeyProtection\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"System cryptography: Force strong key protection for user keys stored on the computer\" to \"User must enter a password each time they use a key\"." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit IPsec Driver\" with \"Success\"\nselected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000067-GPOS-00035", - "gid": "V-93493", - "rid": "SV-103579r1_rule", - "stig_id": "WN19-SO-000350", - "fix_id": "F-99737r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-93105", + "rid": "SV-103193r1_rule", + "stig_id": "WN19-AU-000320", + "fix_id": "F-99351r1_fix", "cci": [ - "CCI-000186" + "CCI-000172", + "CCI-002234" ], "nist": [ - "IA-5 (2) (b)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93493\" do\n title \"Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.\"\n desc \"If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n The cornerstone of the PKI is the private key used to encrypt or digitally sign information.\n\n If the private key is stolen, this will lead to the compromise of the authentication and 
non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user.\n\n Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography\\\\\n\n Value Name: ForceKeyProtection\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"System cryptography: Force strong key protection for user keys stored on the computer\\\" to \\\"User must enter a password each time they use a key\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000067-GPOS-00035\"\n tag gid: \"V-93493\"\n tag rid: \"SV-103579r1_rule\"\n tag stig_id: \"WN19-SO-000350\"\n tag fix_id: \"F-99737r1_fix\"\n tag cci: [\"CCI-000186\"]\n tag nist: [\"IA-5 (2) (b)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography') do\n it { should have_property 'ForceKeyProtection' }\n its('ForceKeyProtection') { should cmp == 2 }\n end \nend", + "code": "control \"V-93105\" do\n title \"Windows Server 2019 must be configured to audit System - IPsec Driver\nsuccesses.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit IPsec Driver\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93105'\n tag 'rid': 'SV-103193r1_rule'\n tag 'stig_id': 'WN19-AU-000320'\n tag 'fix_id': 'F-99351r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 
STIG/controls/V-93493.rb", + "ref": "./Windows 2019 STIG/controls/V-93105.rb", "line": 3 }, - "id": "V-93493" + "id": "V-93105" }, { - "title": "Windows Server 2019 Deny log on as a service user right must be\nconfigured to include no accounts or groups (blank) on domain controllers.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a service\" user right defines accounts that are\ndenied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.", + "title": "Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a service\" user right defines accounts that are\ndenied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.", + "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.", "rationale": "", - "check": "This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are defined for the \"Deny log on as a service\"\nuser right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeDenyServiceLogonRight\" user right, this is\na finding.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Deny log on as a service\" to include no entries (blank)." + "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Admin Approval Mode for the Built-in Administrator account\" to \"Enabled\"." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93003", - "rid": "SV-103091r1_rule", - "stig_id": "WN19-DC-000390", - "fix_id": "F-99249r1_fix", - "cci": [ - "CCI-000213" + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" ], - "nist": [ - "AC-3", - "Rev_4" - ] + "gid": "V-93431", + "rid": "SV-103517r1_rule", + "stig_id": "WN19-SO-000380", + "fix_id": "F-99675r1_fix", + "cci": [ + "CCI-002038" + ], + "nist": [ + "IA-11", + "Rev_4" + ] }, - "code": "control \"V-93003\" do\n title \"Windows Server 2019 Deny log on as a service user right must be\nconfigured to include no accounts or groups (blank) on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on as a service\\\" user right defines accounts that are\ndenied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are defined for the \\\"Deny log on as a service\\\"\nuser right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeDenyServiceLogonRight\\\" user right, this is\na finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Deny log on as a service\\\" to include no entries (blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93003'\n tag 'rid': 'SV-103091r1_rule'\n tag 'stig_id': 'WN19-DC-000390'\n tag 'fix_id': 'F-99249r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyServiceLogonRight') { should eq [] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to 
domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93431\" do\n title \"Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Admin Approval Mode for the Built-in Administrator account\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93431\"\n tag rid: \"SV-103517r1_rule\"\n tag stig_id: \"WN19-SO-000380\"\n tag fix_id: \"F-99675r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n 
describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'FilterAdministratorToken' }\n its('FilterAdministratorToken') { should cmp == 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93003.rb", + "ref": "./Windows 2019 STIG/controls/V-93431.rb", "line": 3 }, - "id": "V-93003" + "id": "V-93431" }, { - "title": "Windows Server 2019 must only allow administrators responsible for the\nmember server or standalone system to have Administrator rights on the system.", - "desc": "An account that does not have Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group (see V-36433 in the Active\nDirectory Domain STIG). Restricting highly privileged accounts from the local\nAdministrators group helps mitigate the risk of privilege escalation resulting\nfrom credential theft attacks.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.", + "title": "Windows Server 2019 must be configured to audit Policy Change - Audit\nPolicy Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", "descriptions": { - "default": "An account that does not have Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group (see V-36433 in the Active\nDirectory Domain STIG). Restricting highly privileged accounts from the local\nAdministrators group helps mitigate the risk of privilege escalation resulting\nfrom credential theft attacks.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", "rationale": "", - "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Open \"Computer Management\".\n\n Navigate to \"Groups\" under \"Local Users and Groups\".\n\n Review the local \"Administrators\" group.\n\n Only administrator groups or accounts responsible for administration of the\nsystem may be members of the group.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group.\n\n Standard user accounts must not be members of the local Administrator group.\n\n If accounts that do not have responsibility for administration of the\nsystem are members of the local Administrators group, this is a finding.\n\n If the built-in Administrator account or other required administrative\naccounts are found on the system, this is not a finding.", - "fix": "Configure the local \"Administrators\" group to include only administrator\ngroups or accounts responsible for administration of the system.\n\n For domain-joined member servers, replace the Domain Admins group with a\ndomain member server administrator group.\n\n Remove any standard user accounts." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \"Audit Audit Policy Change\" with\n\"Success\" selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93043", - "rid": "SV-103131r1_rule", - "stig_id": "WN19-MS-000010", - "fix_id": "F-99289r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-93093", + "rid": "SV-103181r1_rule", + "stig_id": "WN19-AU-000260", + "fix_id": "F-99339r1_fix", "cci": [ - "CCI-002235" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-6 (10)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93043\" do\n title \"Windows Server 2019 must only allow administrators responsible for the\nmember server or standalone system to have Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\nAdministrator rights. 
Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group (see V-36433 in the Active\nDirectory Domain STIG). Restricting highly privileged accounts from the local\nAdministrators group helps mitigate the risk of privilege escalation resulting\nfrom credential theft attacks.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Open \\\"Computer Management\\\".\n\n Navigate to \\\"Groups\\\" under \\\"Local Users and Groups\\\".\n\n Review the local \\\"Administrators\\\" group.\n\n Only administrator groups or accounts responsible for administration of the\nsystem may be members of the group.\n\n For domain-joined member servers, the Domain Admins group must be replaced\nby a domain member server administrator group.\n\n Standard user accounts must not be members of the local Administrator group.\n\n If accounts that do not have responsibility for administration of the\nsystem are members of the local Administrators group, this is a finding.\n\n If the built-in Administrator account or other required administrative\naccounts are found on the system, this is not a finding.\"\n desc 'fix', \"Configure the local \\\"Administrators\\\" group to include only administrator\ngroups or accounts responsible for administration of the system.\n\n For domain-joined member servers, replace the Domain Admins group with a\ndomain member server administrator group.\n\n Remove any standard user accounts.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 
'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93043'\n tag 'rid': 'SV-103131r1_rule'\n tag 'stig_id': 'WN19-MS-000010'\n tag 'fix_id': 'F-99289r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers'\n end\n else\n administrators = input('local_administrators_member')\n administrator_group = command(\"Get-LocalGroupMember -Group \\\"Administrators\\\" | select -ExpandProperty Name | ForEach-Object {$_ -replace \\\"$env:COMPUTERNAME\\\\\\\\\\\" -replace \\\"\\\"}\").stdout.strip.split(\"\\r\\n\")\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n else\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in administrators }\n end\n end\n end\n end\nend", + "code": "control \"V-93093\" do\n title \"Windows Server 2019 must be configured to audit Policy Change - Audit\nPolicy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \\\"Audit Audit Policy Change\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93093'\n tag 'rid': 'SV-103181r1_rule'\n tag 'stig_id': 'WN19-AU-000260'\n tag 'fix_id': 'F-99339r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": 
"./Windows 2019 STIG/controls/V-93043.rb", + "ref": "./Windows 2019 STIG/controls/V-93093.rb", "line": 3 }, - "id": "V-93043" + "id": "V-93093" }, { - "title": "Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.", - "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \"Configure SMBv1 Server\" to \"Disabled\".\n\n The system must be restarted for the change to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name OUTLOOK.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for OUTLOOK.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93393", - "rid": "SV-103479r1_rule", - "stig_id": "WN19-00-000390", - "fix_id": "F-99637r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93351", + "rid": "SV-103439r1_rule", + "stig_id": "WN19-EP-000210", + "fix_id": "F-99597r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93393\" do\n title \"Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \\\"Configure SMBv1 Server\\\" to \\\"Disabled\\\".\n\n The system must be restarted for the change to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93393\"\n tag rid: \"SV-103479r1_rule\"\n tag stig_id: \"WN19-00-000390\"\n tag fix_id: \"F-99637r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n if powershell(\"Get-WindowsFeature -Name FS-SMB1 | Select -ExpandProperty 'InstallState'\").stdout.strip == \"Installed\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'SMB1' }\n its('SMB1') { should cmp == 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10') do\n it { should have_property 'Start' }\n its('Start') { should cmp == 4 }\n end\n else\n impact 0.0\n describe 'Control V-93391 configuration successful' do\n skip 'This is NA as the successful configuration of Control V-93391 (STIG ID# WN19-00-000380) meets the requirement'\n end\n end\nend", + "code": "control \"V-93351\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name OUTLOOK.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for OUTLOOK.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93351\"\n tag rid: \"SV-103439r1_rule\"\n tag stig_id: \"WN19-EP-000210\"\n tag fix_id: \"F-99597r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n outlook = json({ command: \"Get-ProcessMitigation -Name OUTLOOK.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif outlook.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for OUTLOOK.EXE\" do\n subject { outlook }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93393.rb", + "ref": "./Windows 2019 STIG/controls/V-93351.rb", "line": 3 }, - "id": "V-93393" + "id": "V-93351" }, { - "title": "Windows Server 2019 must be configured to prevent Internet Control\nMessage Protocol (ICMP) redirects from overriding Open Shortest Path First\n(OSPF)-generated routes.", - "desc": "Allowing ICMP redirect of routes can lead to traffic not being routed\nproperly. 
When disabled, this forces ICMP to be routed via the shortest path\nfirst.", + "title": "Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.", "descriptions": { - "default": "Allowing ICMP redirect of routes can lead to traffic not being routed\nproperly. When disabled, this forces ICMP to be routed via the shortest path\nfirst.", + "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \"MSS: (EnableICMPRedirect) Allow ICMP redirects\nto override OSPF generated routes\" to \"Disabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \"MSS-Legacy.admx\" and\n\"MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n\\Windows\\PolicyDefinitions\\en-US directories respectively." 
+ "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableUIADesktopToggle\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop\" to \"Disabled\"." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93237", - "rid": "SV-103325r1_rule", - "stig_id": "WN19-CC-000050", - "fix_id": "F-99483r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-93521", + "rid": "SV-103607r1_rule", + "stig_id": "WN19-SO-000390", + "fix_id": "F-99765r1_fix", "cci": [ - "CCI-000366" + "CCI-001084" ], "nist": [ - "CM-6 b", + "SC-3", "Rev_4" ] }, - "code": "control \"V-93237\" do\n title \"Windows Server 2019 must be configured to prevent Internet Control\nMessage Protocol (ICMP) redirects from overriding Open Shortest Path First\n(OSPF)-generated routes.\"\n desc \"Allowing ICMP redirect of routes can lead to traffic not being routed\nproperly. 
When disabled, this forces ICMP to be routed via the shortest path\nfirst.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \\\"MSS: (EnableICMPRedirect) Allow ICMP redirects\nto override OSPF generated routes\\\" to \\\"Disabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \\\"MSS-Legacy.admx\\\" and\n\\\"MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n\\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.3\n tag severity: nil\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-93237'\n tag rid: 'SV-103325r1_rule'\n tag stig_id: 'WN19-CC-000050'\n tag fix_id: 'F-99483r1_fix'\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters') do\n it { should have_property 'EnableICMPRedirect' }\n its('EnableICMPRedirect') { should cmp 0}\n end\nend\n", + "code": "control \"V-93521\" do\n title \"Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableUIADesktopToggle\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93521\"\n tag rid: \"SV-103607r1_rule\"\n tag stig_id: \"WN19-SO-000390\"\n tag fix_id: \"F-99765r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableUIADesktopToggle' }\n its('EnableUIADesktopToggle') { should cmp == 0 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93237.rb", + "ref": "./Windows 2019 STIG/controls/V-93521.rb", "line": 3 }, - "id": "V-93237" + "id": "V-93521" }, { - "title": "Windows Server 2019 must be configured to audit Logon/Logoff - Special\nLogon 
successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\nand can be used to elevate processes.", + "title": "Windows Server 2019 must not allow anonymous enumeration of shares.", + "desc": "Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\nand can be used to elevate processes.", + "default": "Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Special Logon - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Special Logon\" with\n\"Success\" selected." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Do not allow anonymous enumeration of SAM accounts and shares\" to \"Enabled\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000470-GPOS-00214", - "satisfies": [ - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000472-GPOS-00217", - "SRG-OS-000473-GPOS-00218", - "SRG-OS-000475-GPOS-00220" - ], - "gid": "V-93161", - "rid": "SV-103249r1_rule", - "stig_id": "WN19-AU-000210", - "fix_id": "F-99407r1_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-93537", + "rid": "SV-103623r1_rule", + "stig_id": "WN19-SO-000230", + "fix_id": "F-99781r1_fix", "cci": [ - "CCI-000172" + "CCI-001090" ], "nist": [ - "AU-12 c", + "SC-4", "Rev_4" ] }, - "code": "control \"V-93161\" do\n title \"Windows Server 2019 must be configured to audit Logon/Logoff - Special\nLogon successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\nand can be used to elevate processes.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Special Logon - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Special Logon\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'satisfies': [\"SRG-OS-000470-GPOS-00214\", \"SRG-OS-000472-GPOS-00217\",\n\"SRG-OS-000473-GPOS-00218\", \"SRG-OS-000475-GPOS-00220\"]\n tag 'gid': 'V-93161'\n tag 'rid': 'SV-103249r1_rule'\n tag 'stig_id': 'WN19-AU-000210'\n tag 'fix_id': 'F-99407r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Special Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Special Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93537\" do\n title \"Windows 
Server 2019 must not allow anonymous enumeration of shares.\"\n desc \"Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Do not allow anonymous enumeration of SAM accounts and shares\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000138-GPOS-00069\"\n tag gid: \"V-93537\"\n tag rid: \"SV-103623r1_rule\"\n tag stig_id: \"WN19-SO-000230\"\n tag fix_id: \"F-99781r1_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictAnonymous' }\n its('RestrictAnonymous') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93161.rb", + "ref": "./Windows 2019 STIG/controls/V-93537.rb", "line": 3 }, - "id": "V-93161" + "id": "V-93537" }, { - "title": "Windows Server 2019 must have orphaned security identifiers (SIDs)\nremoved from user rights.", - "desc": "Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. 
Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.", + "title": "Windows Server 2019 Remote Desktop Services must prevent drive redirection.", + "desc": "Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.", "descriptions": { - "default": "Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.", + "default": "Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.", "rationale": "", - "check": "Review the effective User Rights setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether\nthey are valid, such as due to being temporarily disconnected from the domain.\n(Unresolved SIDs have the format that begins with \"*S-1-\".)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\ngroups, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /export /areas USER_RIGHTS /cfg c:\\path\\UserRights.txt\n\n The results in the file identify user right assignments by SID instead of\ngroup name. Review the SIDs for unidentified ones. 
A list of typical SIDs \\\nGroups is below, search Microsoft for articles on well-known SIDs for others.\n\n If any unresolved SIDs exist and are not for currently valid accounts or\ngroups, this is a finding.\n\n SID - Group\n S-1-5-11 - Authenticated Users\n S-1-5-113 - Local account\n S-1-5-114 - Local account and member of Administrators group\n S-1-5-19 - Local Service\n S-1-5-20 - Network Service\n S-1-5-32-544 - Administrators\n S-1-5-32-546 - Guests\n S-1-5-6 - Service\n S-1-5-9 - Enterprise Domain Controllers\n S-1-5-domain-512 - Domain Admins\n S-1-5-root domain-519 - Enterprise Admins\n S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 - NT\nService\\WdiServiceHost", - "fix": "Remove any unresolved SIDs found in User Rights assignments and\ndetermined to not be for currently valid accounts or groups by removing the\naccounts or groups from the appropriate group policy." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fDisableCdm\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> \"Do not allow drive redirection\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93227", - "rid": "SV-103315r1_rule", - "stig_id": "WN19-00-000450", - "fix_id": "F-99473r1_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-93533", + "rid": "SV-103619r1_rule", + "stig_id": "WN19-CC-000350", + "fix_id": "F-99777r1_fix", "cci": [ - "CCI-000366" + "CCI-001090" ], "nist": [ - "CM-6 b", + "SC-4", "Rev_4" ] }, - "code": "control \"V-93227\" do\n title \"Windows Server 2019 must have orphaned security identifiers (SIDs)\nremoved from user rights.\"\n desc \"Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.\"\n desc \"rationale\", \"\"\n desc 'check', \"Review the effective User Rights setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether\nthey are valid, such as due to being temporarily disconnected from the domain.\n(Unresolved SIDs have the format that begins with \\\"*S-1-\\\".)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\ngroups, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /export /areas USER_RIGHTS /cfg c:\\\\path\\\\UserRights.txt\n\n The results in the file identify user right assignments by SID instead of\ngroup name. Review the SIDs for unidentified ones. 
A list of typical SIDs \\\\\nGroups is below, search Microsoft for articles on well-known SIDs for others.\n\n If any unresolved SIDs exist and are not for currently valid accounts or\ngroups, this is a finding.\n\n SID - Group\n S-1-5-11 - Authenticated Users\n S-1-5-113 - Local account\n S-1-5-114 - Local account and member of Administrators group\n S-1-5-19 - Local Service\n S-1-5-20 - Network Service\n S-1-5-32-544 - Administrators\n S-1-5-32-546 - Guests\n S-1-5-6 - Service\n S-1-5-9 - Enterprise Domain Controllers\n S-1-5-domain-512 - Domain Admins\n S-1-5-root domain-519 - Enterprise Admins\n S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 - NT\nService\\\\WdiServiceHost\"\n desc 'fix', \"Remove any unresolved SIDs found in User Rights assignments and\ndetermined to not be for currently valid accounts or groups by removing the\naccounts or groups from the appropriate group policy.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93227'\n tag 'rid': 'SV-103315r1_rule'\n tag 'stig_id': 'WN19-00-000450'\n tag 'fix_id': 'F-99473r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe \"A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights on Windows Server 2019\" do\n skip 'A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights on Windows Server 2019'\n end\n end\n", + "code": "control \"V-93533\" do\n title \"Windows Server 2019 Remote Desktop Services must prevent drive redirection.\"\n desc \"Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: 
\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fDisableCdm\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> \\\"Do not allow drive redirection\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000138-GPOS-00069\"\n tag gid: \"V-93533\"\n tag rid: \"SV-103619r1_rule\"\n tag stig_id: \"WN19-CC-000350\"\n tag fix_id: \"F-99777r1_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fDisableCdm' }\n its('fDisableCdm') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93227.rb", + "ref": "./Windows 2019 STIG/controls/V-93533.rb", "line": 3 }, - "id": "V-93227" + "id": "V-93533" }, { - "title": "Windows Server 2019 permissions for the system drive root directory\n (usually C:\\) must conform to minimum requirements.", - "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option \"Network\n access: Let Everyone permissions apply to anonymous users\" is set to\n \"Disabled\" (WN19-SO-000240).", + "title": "Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.", + "desc": "Unencrypted remote access to a system can allow sensitive information to be compromised. 
Windows remote management connections must be encrypted to prevent this.", "descriptions": { - "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option \"Network\n access: Let Everyone permissions apply to anonymous users\" is set to\n \"Disabled\" (WN19-SO-000240).", + "default": "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.", "rationale": "", - "check": "The default permissions are adequate when the Security Option \"Network\n access: Let Everyone permissions apply to anonymous users\" is set to\n \"Disabled\" (WN19-SO-000240).\n\n Review the permissions for the system drive's root directory (usually\n C:\\). Non-privileged groups such as Users or Authenticated Users must not have\n greater than \"Read & execute\" permissions except where noted as defaults.\n Individual accounts must not be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\n below, this is a finding.\n\n Viewing in File Explorer:\n\n View the Properties of the system drive's root directory.\n\n Select the \"Security\" tab, and the \"Advanced\" button.\n\n Default permissions:\n C:\\\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\n\n Alternately, use icacls:\n\n Open \"Command Prompt (Admin)\".\n\n Enter \"icacls\" 
followed by the directory:\n\n \"icacls c:\\\"\n\n The following results should be displayed:\n\n c:\\\n NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\Administrators:(OI)(CI)(F)\n BUILTIN\\Users:(OI)(CI)(RX)\n BUILTIN\\Users:(CI)(AD)\n BUILTIN\\Users:(CI)(IO)(WD)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n Successfully processed 1 files; Failed processing 0 files", - "fix": "Maintain the default permissions for the system drive's root directory and\nconfigure the Security Option \"Network access: Let Everyone permissions apply\nto anonymous users\" to \"Disabled\" (WN19-SO-000240).\n\n Default Permissions\n C:\\\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only" + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \"Allow unencrypted traffic\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000312-GPOS-00122", + "gtitle": "SRG-OS-000393-GPOS-00173", "satisfies": [ - "SRG-OS-000312-GPOS-00122", - "SRG-OS-000312-GPOS-00123", - "SRG-OS-000312-GPOS-00124" + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174" ], - "gid": "V-93019", - "rid": "SV-103107r1_rule", - "stig_id": "WN19-00-000140", - "fix_id": "F-99265r1_fix", + "gid": "V-93499", + "rid": "SV-103585r1_rule", + "stig_id": "WN19-CC-000480", + "fix_id": "F-99743r1_fix", "cci": [ - "CCI-002165" + "CCI-002890", + "CCI-003123" ], "nist": [ - "AC-3 (4)", + "MA-4 (6)", + "MA-4 (6)", "Rev_4" ] }, - "code": "control 'V-93019' do\n title \"Windows Server 2019 permissions for the system drive root directory\n (usually C:\\\\) must conform to minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option \\\"Network\n access: Let Everyone permissions apply to anonymous users\\\" is set to\n \\\"Disabled\\\" (WN19-SO-000240).\"\n desc 'rationale', ''\n desc 'check', \"The default permissions are adequate when the Security Option \\\"Network\n access: Let Everyone permissions apply to anonymous users\\\" is set to\n \\\"Disabled\\\" (WN19-SO-000240).\n\n Review the permissions for the system drive's root directory (usually\n C:\\\\). 
Non-privileged groups such as Users or Authenticated Users must not have\n greater than \\\"Read & execute\\\" permissions except where noted as defaults.\n Individual accounts must not be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\n below, this is a finding.\n\n Viewing in File Explorer:\n\n View the Properties of the system drive's root directory.\n\n Select the \\\"Security\\\" tab, and the \\\"Advanced\\\" button.\n\n Default permissions:\n C:\\\\\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\n\n Alternately, use icacls:\n\n Open \\\"Command Prompt (Admin)\\\".\n\n Enter \\\"icacls\\\" followed by the directory:\n\n \\\"icacls c:\\\\\\\"\n\n The following results should be displayed:\n\n c:\\\\\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\\\Administrators:(OI)(CI)(F)\n BUILTIN\\\\Users:(OI)(CI)(RX)\n BUILTIN\\\\Users:(CI)(AD)\n BUILTIN\\\\Users:(CI)(IO)(WD)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n Successfully processed 1 files; Failed processing 0 files\"\n desc 'fix', \"\n Maintain the default permissions for the system drive's root directory and\n configure the Security Option \\\"Network access: Let Everyone permissions apply\n to anonymous users\\\" to \\\"Disabled\\\" (WN19-SO-000240).\n\n Default Permissions\n C:\\\\\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & 
execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000312-GPOS-00122'\n tag 'satisfies': %w(SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123\nSRG-OS-000312-GPOS-00124)\n tag 'gid': 'V-93019'\n tag 'rid': 'SV-103107r1_rule'\n tag 'stig_id': 'WN19-00-000140'\n tag 'fix_id': 'F-99265r1_fix'\n tag 'cci': ['CCI-002165']\n tag 'nist': ['AC-3 (4)', 'Rev_4']\n\n expected_c_perm = input('c_perm')\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'EveryoneIncludesAnonymous' }\n its('EveryoneIncludesAnonymous') { should eq 0 }\n end\n c_perm = json(command: \"icacls 'C:\\\\' | ConvertTo-Json\").params.map(&:strip)[0..-3].map { |e| e.gsub('C:\\\\ ', '') }\n describe 'C:\\\\ permissions are set correctly on folder structure' do\n subject { c_perm.eql? expected_c_perm }\n it { should eq true }\n end\n end\nend\n", + "code": "control \"V-93499\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information to be compromised. 
Windows remote management connections must be encrypted to prevent this.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \\\"Allow unencrypted traffic\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000393-GPOS-00173\"\n tag satisfies: [\"SRG-OS-000393-GPOS-00173\", \"SRG-OS-000394-GPOS-00174\"]\n tag gid: \"V-93499\"\n tag rid: \"SV-103585r1_rule\"\n tag stig_id: \"WN19-CC-000480\"\n tag fix_id: \"F-99743r1_fix\"\n tag cci: [\"CCI-002890\", \"CCI-003123\"]\n tag nist: [\"MA-4 (6)\", \"MA-4 (6)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93019.rb", - "line": 1 + "ref": "./Windows 2019 STIG/controls/V-93499.rb", + "line": 3 }, - "id": "V-93019" + "id": "V-93499" }, { - "title": "Windows Server 2019 must be configured to audit Object Access -\nRemovable Storage failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Failure\n\n Virtual machines or systems that use network attached storage may generate\nexcessive audit events for secondary virtual drives or the network attached\nstorage when this setting is enabled. This may be set to Not Configured in such\ncases and would not be a finding.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \"Audit Removable Storage\" with\n\"Failure\" selected." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name PPTVIEW.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for PPTVIEW.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000474-GPOS-00219", - "gid": "V-93169", - "rid": "SV-103257r1_rule", - "stig_id": "WN19-AU-000250", - "fix_id": "F-99415r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93357", + "rid": "SV-103445r1_rule", + "stig_id": "WN19-EP-000240", + "fix_id": "F-99603r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93169\" do\n title \"Windows Server 2019 must be configured to audit Object Access -\nRemovable Storage failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Failure\n\n Virtual machines or systems that use network attached storage may 
generate\nexcessive audit events for secondary virtual drives or the network attached\nstorage when this setting is enabled. This may be set to Not Configured in such\ncases and would not be a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000474-GPOS-00219'\n tag 'gid': 'V-93169'\n tag 'rid': 'SV-103257r1_rule'\n tag 'stig_id': 'WN19-AU-000250'\n tag 'fix_id': 'F-99415r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93357\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name PPTVIEW.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for PPTVIEW.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93357\"\n tag rid: \"SV-103445r1_rule\"\n tag stig_id: \"WN19-EP-000240\"\n tag fix_id: \"F-99603r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n pptview = json({ command: \"Get-ProcessMitigation -Name PPTVIEW.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif pptview.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for PPTVIEW.EXE\" do\n subject { pptview }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93169.rb", + "ref": "./Windows 2019 STIG/controls/V-93357.rb", "line": 3 }, - "id": "V-93169" + "id": "V-93357" }, { - "title": "Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.", - "desc": "Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. 
Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.", + "title": "Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.", + "desc": "Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.", "descriptions": { - "default": "Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.", + "default": "Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft Network Client: Send unencrypted password to third-party SMB servers\" to \"Disabled\"." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Minimum session security for NTLM SSP based (including secure RPC) servers\" to \"Require NTLMv2 session security\" and \"Require 128-bit encryption\" (all options selected)." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000074-GPOS-00042", - "gid": "V-93469", - "rid": "SV-103555r1_rule", - "stig_id": "WN19-SO-000180", - "fix_id": "F-99713r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93307", + "rid": "SV-103395r1_rule", + "stig_id": "WN19-SO-000340", + "fix_id": "F-99553r1_fix", "cci": [ - "CCI-000197" + "CCI-000366" ], "nist": [ - "IA-5 (1) (c)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93469\" do\n title \"Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.\"\n desc \"Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. 
Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft Network Client: Send unencrypted password to third-party SMB servers\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000074-GPOS-00042\"\n tag gid: \"V-93469\"\n tag rid: \"SV-103555r1_rule\"\n tag stig_id: \"WN19-SO-000180\"\n tag fix_id: \"F-99713r1_fix\"\n tag cci: [\"CCI-000197\"]\n tag nist: [\"IA-5 (1) (c)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'EnablePlainTextPassword' }\n its('EnablePlainTextPassword') { should cmp == 0 }\n end\nend", + "code": "control \"V-93307\" do\n title \"Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.\"\n desc \"Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. 
All of the options must be enabled to ensure the maximum security level.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Minimum session security for NTLM SSP based (including secure RPC) servers\\\" to \\\"Require NTLMv2 session security\\\" and \\\"Require 128-bit encryption\\\" (all options selected).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93307\"\n tag rid: \"SV-103395r1_rule\"\n tag stig_id: \"WN19-SO-000340\"\n tag fix_id: \"F-99553r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'NTLMMinServerSec' }\n its('NTLMMinServerSec') { should cmp == 537395200 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93469.rb", + "ref": "./Windows 2019 STIG/controls/V-93307.rb", "line": 3 }, - "id": "V-93469" + "id": "V-93307" }, { - "title": "Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.", - "desc": "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. 
Changing the password for the built-in Administrator account on a regular basis will limit its exposure.\n Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every \"30\" days by default.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.\n Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every \"30\" days by default.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Review the password last set date for the built-in Administrator account.\n\n Domain controllers:\n Open \"PowerShell\".\n Enter \"Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like \"*-500\" | Ft Name, SID, PasswordLastSet\".\n If the \"PasswordLastSet\" date is greater than \"60\" days old, this is a finding.\n\n Member servers and standalone systems:\n Open \"Command Prompt\".\n Enter 'Net User [account name] | Find /i \"Password Last Set\"', where [account name] is the name of the built-in administrator account.\n (The name of the built-in Administrator account must be changed to something other than \"Administrator\" per STIG requirements.)\n If the \"PasswordLastSet\" date is greater than \"60\" days old, this is a finding.", - "fix": "Change the built-in Administrator account password at least every \"60\" days.\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name plugin-container.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for plugin-container.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-93473", - "rid": "SV-103559r1_rule", - "stig_id": "WN19-00-000020", - "fix_id": "F-99717r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93353", + "rid": "SV-103441r1_rule", + "stig_id": "WN19-EP-000220", + "fix_id": "F-99599r1_fix", "cci": [ - "CCI-000199" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93473\" do\n title \"Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.\"\n desc \"The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.\n Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. 
LAPS will change the password every \\\"30\\\" days by default.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Review the password last set date for the built-in Administrator account.\n\n Domain controllers:\n Open \\\"PowerShell\\\".\n Enter \\\"Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like \\\"*-500\\\" | Ft Name, SID, PasswordLastSet\\\".\n If the \\\"PasswordLastSet\\\" date is greater than \\\"60\\\" days old, this is a finding.\n\n Member servers and standalone systems:\n Open \\\"Command Prompt\\\".\n Enter 'Net User [account name] | Find /i \\\"Password Last Set\\\"', where [account name] is the name of the built-in administrator account.\n (The name of the built-in Administrator account must be changed to something other than \\\"Administrator\\\" per STIG requirements.)\n If the \\\"PasswordLastSet\\\" date is greater than \\\"60\\\" days old, this is a finding.\"\n desc \"fix\", \"Change the built-in Administrator account password at least every \\\"60\\\" days.\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000076-GPOS-00044\"\n tag gid: \"V-93473\"\n tag rid: \"SV-103559r1_rule\"\n tag stig_id: \"WN19-00-000020\"\n tag fix_id: \"F-99717r1_fix\"\n tag cci: [\"CCI-000199\"]\n tag nist: [\"IA-5 (1) (d)\", \"Rev_4\"]\n\n administrator = input('local_administrator')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n password_set_date = json({ command: \"Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where-Object {$_.SID -like '*-500' -and $_.PasswordLastSet -lt ((Get-Date).AddDays(-60))} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\" })\n date = password_set_date[\"DateTime\"]\n describe \"Password Last Set Date\" do\n it \"The built-in Administrator account must be changed at least 
every 60 days.\" do\n expect(date).to be_nil\n end\n end\n else\n if administrator == \"Administrator\"\n describe 'The name of the built-in Administrator account:' do\n it 'It must be changed to something other than \"Administrator\" per STIG requirements' do\n failure_message = \"Change the built-in Administrator account name to something other than: #{administrator}\"\n expect(administrator).not_to eq(\"Administrator\"), failure_message\n end\n end\n end\n local_password_set_date = json({ command: \"Get-LocalUser -name #{administrator} | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-60)} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\"})\n local_date = local_password_set_date[\"DateTime\"]\n describe \"Password Last Set Date\" do\n it \"The built-in Administrator account must be changed at least every 60 days.\" do\n expect(local_date).to be_nil\n end\n end\n end\nend", + "code": "control \"V-93353\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name plugin-container.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for plugin-container.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93353\"\n tag rid: \"SV-103441r1_rule\"\n tag stig_id: \"WN19-EP-000220\"\n tag fix_id: \"F-99599r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n container = json({ command: \"Get-ProcessMitigation -Name plugin-container.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif container.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for plugin-container.exe\" do\n subject { container }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93473.rb", + "ref": "./Windows 2019 STIG/controls/V-93353.rb", "line": 3 }, - "id": "V-93473" + "id": "V-93353" }, { - "title": "Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.", - "desc": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.", + "title": "Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.", + "desc": "Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.", + "default": "Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft network client: Digitally sign communications (always)\" to \"Enabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: NoAutorun\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Set the default behavior for AutoRun\" to \"Enabled\" with \"Do not execute any autorun commands\" selected." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-93555", - "rid": "SV-103641r1_rule", - "stig_id": "WN19-SO-000160", - "fix_id": "F-99799r1_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-93375", + "rid": "SV-103461r1_rule", + "stig_id": "WN19-CC-000220", + "fix_id": "F-99619r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-001764" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-7 (2)", "Rev_4" ] }, - "code": "control \"V-93555\" do\n title \"Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft network client: Digitally sign communications (always)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93555\"\n tag rid: \"SV-103641r1_rule\"\n tag stig_id: \"WN19-SO-000160\"\n tag fix_id: \"F-99799r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: 
[\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp == 1 }\n end\nend", + "code": "control \"V-93375\" do\n title \"Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.\"\n desc \"Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: NoAutorun\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Set the default behavior for AutoRun\\\" to \\\"Enabled\\\" with \\\"Do not execute any autorun commands\\\" selected.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000368-GPOS-00154\"\n tag gid: \"V-93375\"\n tag rid: \"SV-103461r1_rule\"\n tag stig_id: \"WN19-CC-000220\"\n tag fix_id: \"F-99619r1_fix\"\n tag cci: [\"CCI-001764\"]\n tag nist: [\"CM-7 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n it { should have_property 'NoAutorun' }\n its('NoAutorun') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93555.rb", + "ref": "./Windows 2019 STIG/controls/V-93375.rb", "line": 3 }, - "id": "V-93555" + "id": "V-93375" }, { - "title": "Windows Server 2019 Telemetry must be configured to Security or Basic.", - "desc": "Some features may 
communicate with the vendor, sending system\ninformation or downloading data or components for the feature. Limiting this\ncapability will prevent potentially sensitive information from being sent\noutside the enterprise. The \"Security\" option for Telemetry configures the\nlowest amount of data, effectively none outside of the Malicious Software\nRemoval Tool (MSRT), Defender, and telemetry client settings. \"Basic\" sends\nbasic diagnostic and usage data and may be required to support some Microsoft\nservices.", + "title": "Windows Server 2019 must be configured to audit Object Access -\nRemovable Storage successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system\ninformation or downloading data or components for the feature. Limiting this\ncapability will prevent potentially sensitive information from being sent\noutside the enterprise. The \"Security\" option for Telemetry configures the\nlowest amount of data, effectively none outside of the Malicious Software\nRemoval Tool (MSRT), Defender, and telemetry client settings. 
\"Basic\" sends\nbasic diagnostic and usage data and may be required to support some Microsoft\nservices.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Data Collection and Preview\nBuilds>> \"Allow Telemetry\" to \"Enabled\" with \"0 - Security [Enterprise\nOnly]\" or \"1 - Basic\" selected in \"Options\"." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Success\n\n Virtual machines or systems that use network attached storage may generate\nexcessive audit events for secondary virtual drives or the network attached\nstorage when this setting is enabled. This may be set to Not Configured in such\ncases and would not be a finding.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \"Audit Removable Storage\" with\n\"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93257", - "rid": "SV-103345r1_rule", - "stig_id": "WN19-CC-000250", - "fix_id": "F-99503r1_fix", + "gtitle": "SRG-OS-000474-GPOS-00219", + "gid": "V-93167", + "rid": "SV-103255r1_rule", + "stig_id": "WN19-AU-000240", + "fix_id": "F-99413r1_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93257\" do\n title \"Windows Server 2019 Telemetry must be configured to Security or Basic.\"\n desc \"Some features may communicate with the vendor, sending system\ninformation or downloading data or components for the feature. Limiting this\ncapability will prevent potentially sensitive information from being sent\noutside the enterprise. 
The \\\"Security\\\" option for Telemetry configures the\nlowest amount of data, effectively none outside of the Malicious Software\nRemoval Tool (MSRT), Defender, and telemetry client settings. \\\"Basic\\\" sends\nbasic diagnostic and usage data and may be required to support some Microsoft\nservices.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection\\\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Data Collection and Preview\nBuilds>> \\\"Allow Telemetry\\\" to \\\"Enabled\\\" with \\\"0 - Security [Enterprise\nOnly]\\\" or \\\"1 - Basic\\\" selected in \\\"Options\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93257'\n tag 'rid': 'SV-103345r1_rule'\n tag 'stig_id': 'WN19-CC-000250'\n tag 'fix_id': 'F-99503r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 1 }\n end\n end\nend\n", + "code": "control \"V-93167\" do\n title \"Windows Server 2019 must be configured to audit Object Access -\nRemovable Storage successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat 
have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Success\n\n Virtual machines or systems that use network attached storage may generate\nexcessive audit events for secondary virtual drives or the network attached\nstorage when this setting is enabled. 
This may be set to Not Configured in such\ncases and would not be a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000474-GPOS-00219'\n tag 'gid': 'V-93167'\n tag 'rid': 'SV-103255r1_rule'\n tag 'stig_id': 'WN19-AU-000240'\n tag 'fix_id': 'F-99413r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Success' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93257.rb", + "ref": "./Windows 2019 STIG/controls/V-93167.rb", "line": 3 }, - "id": "V-93257" + "id": "V-93167" }, { - "title": "Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.", - "desc": "Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication.", + "title": "Windows Server 2019 Take ownership of files or other objects user\nright must only be assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Take ownership of files or other objects\" user right\ncan take ownership of objects and make changes.", "descriptions": { - "default": "Smart cards such as the CAC support a two-factor authentication technique. 
This provides a higher level of trust in the asserted identity than use of the username and password for authentication.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Take ownership of files or other objects\" user right\ncan take ownership of objects and make changes.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Open \"PowerShell\".\n Enter the following:\n \"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name\"\n (\"DistinguishedName\" may be substituted for \"Name\" for more detailed output.)\n If any user accounts, including administrators, are listed, this is a finding.\n\n Alternately:\n To view sample accounts in \"Active Directory Users and Computers\" (available from various menus or run \"dsa.msc\"):\n Select the Organizational Unit (OU) where the user accounts are located. (By default, this is the Users node; however, accounts may be under other organization-defined OUs.)\n Right-click the sample user account and select \"Properties\".\n Select the \"Account\" tab.\n If any user accounts, including administrators, do not have \"Smart card is required for interactive logon\" checked in the \"Account Options\" area, this is a finding.", - "fix": "Configure all user accounts, including administrator accounts, in Active Directory to enable the option \"Smart card is required for interactive logon\".\n\n Run \"Active Directory Users and Computers\" (available from various menus or run \"dsa.msc\"):\n Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.)\n Right-click the user account and select \"Properties\".\n Select the \"Account\" tab.\n Check \"Smart card is required for interactive logon\" in the \"Account Options\" area." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Take\nownership of files or other objects\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeTakeOwnershipPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Take\nownership of files or other objects\" to include only the following accounts or\ngroups:\n\n - Administrators" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000105-GPOS-00052", - "satisfies": [ - "SRG-OS-000105-GPOS-00052", - "SRG-OS-000106-GPOS-00053", - "SRG-OS-000107-GPOS-00054", - "SRG-OS-000108-GPOS-00055", - "SRG-OS-000375-GPOS-00160" - ], - "gid": "V-93441", - "rid": "SV-103527r1_rule", - "stig_id": "WN19-DC-000310", - "fix_id": "F-99685r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93087", + "rid": "SV-103175r1_rule", + "stig_id": "WN19-UR-000220", + "fix_id": "F-99333r1_fix", "cci": [ - "CCI-000765", - "CCI-000766", - "CCI-000767", - "CCI-000768", - 
"CCI-001948" + "CCI-002235" ], "nist": [ - "IA-2 (1)", - "IA-2 (2)", - "IA-2 (3)", - "IA-2 (4)", - "IA-2 (11)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93441\" do\n title \"Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.\"\n desc \"Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Open \\\"PowerShell\\\".\n Enter the following:\n \\\"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name\\\"\n (\\\"DistinguishedName\\\" may be substituted for \\\"Name\\\" for more detailed output.)\n If any user accounts, including administrators, are listed, this is a finding.\n\n Alternately:\n To view sample accounts in \\\"Active Directory Users and Computers\\\" (available from various menus or run \\\"dsa.msc\\\"):\n Select the Organizational Unit (OU) where the user accounts are located. 
(By default, this is the Users node; however, accounts may be under other organization-defined OUs.)\n Right-click the sample user account and select \\\"Properties\\\".\n Select the \\\"Account\\\" tab.\n If any user accounts, including administrators, do not have \\\"Smart card is required for interactive logon\\\" checked in the \\\"Account Options\\\" area, this is a finding.\"\n desc \"fix\", \"Configure all user accounts, including administrator accounts, in Active Directory to enable the option \\\"Smart card is required for interactive logon\\\".\n\n Run \\\"Active Directory Users and Computers\\\" (available from various menus or run \\\"dsa.msc\\\"):\n Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.)\n Right-click the user account and select \\\"Properties\\\".\n Select the \\\"Account\\\" tab.\n Check \\\"Smart card is required for interactive logon\\\" in the \\\"Account Options\\\" area.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000105-GPOS-00052\"\n tag satisfies: [\"SRG-OS-000105-GPOS-00052\", \"SRG-OS-000106-GPOS-00053\", \"SRG-OS-000107-GPOS-00054\", \"SRG-OS-000108-GPOS-00055\", \"SRG-OS-000375-GPOS-00160\"]\n tag gid: \"V-93441\"\n tag rid: \"SV-103527r1_rule\"\n tag stig_id: \"WN19-DC-000310\"\n tag fix_id: \"F-99685r1_fix\"\n tag cci: [\"CCI-000765\", \"CCI-000766\", \"CCI-000767\", \"CCI-000768\", \"CCI-001948\"]\n tag nist: [\"IA-2 (1)\", \"IA-2 (2)\", \"IA-2 (3)\", \"IA-2 (4)\", \"IA-2 (11)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n accounts = json(command: \"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | Select -ExpandProperty Name | ConvertTo-Json\").params\n describe 'Accounts without smartcard logon required' do\n it 'Accounts must be configured to require the use 
of a CAC, PIV or ALT' do\n failure_message = \"#{accounts}\"\n expect(accounts).to be_empty, failure_message\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93087\" do\n title \"Windows Server 2019 Take ownership of files or other objects user\nright must only be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Take ownership of files or other objects\\\" user right\ncan take ownership of objects and make changes.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Take\nownership of files or other objects\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeTakeOwnershipPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> 
Security Settings >> Local Policies >> User Rights Assignment >> \\\"Take\nownership of files or other objects\\\" to include only the following accounts or\ngroups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93087'\n tag 'rid': 'SV-103175r1_rule'\n tag 'stig_id': 'WN19-UR-000220'\n tag 'fix_id': 'F-99333r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeTakeOwnershipPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93441.rb", + "ref": "./Windows 2019 STIG/controls/V-93087.rb", "line": 3 }, - "id": "V-93441" + "id": "V-93087" }, { - "title": "Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).", - "desc": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. 
The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured maintained, or used, this is a finding.", - "fix": "Install a DoD approved HBSS software and ensure it is operating continuously." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name MSPUB.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for MSPUB.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000191-GPOS-00080", - "gid": "V-93567", - "rid": "SV-103653r1_rule", - "stig_id": "WN19-00-000290", - "fix_id": "F-99811r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93345", + "rid": "SV-103433r1_rule", + "stig_id": "WN19-EP-000180", + "fix_id": "F-99591r1_fix", "cci": [ - "CCI-001233" + "CCI-000366" ], "nist": [ - "SI-2 (2)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93567\" do\n title \"Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).\"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify #{input('org_name')[:acronym]} approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. 
If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured maintained, or used, this is a finding.\"\n desc \"fix\", \"Install a #{input('org_name')[:acronym]} approved HBSS software and ensure it is operating continuously.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000191-GPOS-00080\"\n tag gid: \"V-93567\"\n tag rid: \"SV-103653r1_rule\"\n tag stig_id: \"WN19-00-000290\"\n tag fix_id: \"F-99811r1_fix\"\n tag cci: [\"CCI-001233\"]\n tag nist: [\"SI-2 (2)\", \"Rev_4\"]\n\n org_name = input('org_name')\n\n describe \"A manual review is required to verify #{org_name[:acronym]} approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured maintained, or used, this is a finding.\" do\t\n skip \"A manual review is required to verify #{org_name[:acronym]} approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured maintained, or used, this is a finding.\"\t\n end\nend", + "code": "control \"V-93345\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name MSPUB.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for MSPUB.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93345\"\n tag rid: \"SV-103433r1_rule\"\n tag stig_id: \"WN19-EP-000180\"\n tag fix_id: \"F-99591r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n mspub = json({ command: \"Get-ProcessMitigation -Name MSPUB.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif mspub.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for MSPUB.EXE\" do\n subject { mspub }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93567.rb", + "ref": "./Windows 2019 STIG/controls/V-93345.rb", "line": 3 }, - "id": "V-93567" + "id": "V-93345" }, { - "title": "Windows Server 2019 FTP servers must be configured to prevent\nanonymous logons.", - "desc": "The FTP service allows remote users to access shared files and\ndirectories. 
Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\nthat the userid and password will be captured on the network and give\nadministrator access to an unauthorized user.", + "title": "Windows Server 2019 domain controllers must have a PKI server certificate.", + "desc": "Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.", "descriptions": { - "default": "The FTP service allows remote users to access shared files and\ndirectories. Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\nthat the userid and password will be captured on the network and give\nadministrator access to an unauthorized user.", + "default": "Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.", "rationale": "", - "check": "If FTP is not installed on the system, this is NA.\n\n Open \"Internet Information Services (IIS) Manager\".\n\n Select the server.\n\n Double-click \"FTP Authentication\".\n\n If the \"Anonymous Authentication\" status is \"Enabled\", this is a\nfinding.", - "fix": "Configure the FTP service to prevent anonymous logons.\n\n Open \"Internet Information Services (IIS) Manager\".\n\n Select the server.\n\n Double-click \"FTP Authentication\".\n\n Select \"Anonymous Authentication\".\n\n Select \"Disabled\" under \"Actions\"." + "check": "This applies to domain controllers. 
It is NA for other systems.\n Run \"MMC\".\n Select \"Add/Remove Snap-in\" from the \"File\" menu.\n Select \"Certificates\" in the left pane and click the \"Add >\" button.\n Select \"Computer Account\" and click \"Next\".\n Select the appropriate option for \"Select the computer you want this snap-in to manage\" and click \"Finish\".\n Click \"OK\".\n Select and expand the Certificates (Local Computer) entry in the left pane.\n Select and expand the Personal entry in the left pane.\n Select the Certificates entry in the left pane.\n If no certificate for the domain controller exists in the right pane, this is a finding.", + "fix": "Obtain a server certificate for the domain controller." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93223", - "rid": "SV-103311r1_rule", - "stig_id": "WN19-00-000420", - "fix_id": "F-99469r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "gid": "V-93481", + "rid": "SV-103567r1_rule", + "stig_id": "WN19-DC-000280", + "fix_id": "F-99725r1_fix", "cci": [ - "CCI-000366" + "CCI-000185" ], "nist": [ - "CM-6 b", + "IA-5 (2) (a)", "Rev_4" ] }, - "code": "control \"V-93223\" do\n title \"Windows Server 2019 FTP servers must be configured to prevent\nanonymous logons.\"\n desc \"The FTP service allows remote users to access shared files and\ndirectories. 
Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\nthat the userid and password will be captured on the network and give\nadministrator access to an unauthorized user.\"\n desc \"rationale\", \"\"\n desc 'check', \"If FTP is not installed on the system, this is NA.\n\n Open \\\"Internet Information Services (IIS) Manager\\\".\n\n Select the server.\n\n Double-click \\\"FTP Authentication\\\".\n\n If the \\\"Anonymous Authentication\\\" status is \\\"Enabled\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the FTP service to prevent anonymous logons.\n\n Open \\\"Internet Information Services (IIS) Manager\\\".\n\n Select the server.\n\n Double-click \\\"FTP Authentication\\\".\n\n Select \\\"Anonymous Authentication\\\".\n\n Select \\\"Disabled\\\" under \\\"Actions\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93223'\n tag 'rid': 'SV-103311r1_rule'\n tag 'stig_id': 'WN19-00-000420'\n tag 'fix_id': 'F-99469r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n is_ftp_installed = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n if is_ftp_installed == 'False'\n impact 0.0\n describe 'FTP is not installed' do\n skip 'Control not applicable'\n end\n else\n describe 'File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons' do\n skip 'is a manual check'\n end\n end\nend\n", + "code": "control \"V-93481\" do\n title \"Windows Server 2019 domain controllers must have a PKI server certificate.\"\n desc \"Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. 
Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n Run \\\"MMC\\\".\n Select \\\"Add/Remove Snap-in\\\" from the \\\"File\\\" menu.\n Select \\\"Certificates\\\" in the left pane and click the \\\"Add >\\\" button.\n Select \\\"Computer Account\\\" and click \\\"Next\\\".\n Select the appropriate option for \\\"Select the computer you want this snap-in to manage\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Select and expand the Certificates (Local Computer) entry in the left pane.\n Select and expand the Personal entry in the left pane.\n Select the Certificates entry in the left pane.\n If no certificate for the domain controller exists in the right pane, this is a finding.\"\n desc \"fix\", \"Obtain a server certificate for the domain controller.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag gid: \"V-93481\"\n tag rid: \"SV-103567r1_rule\"\n tag stig_id: \"WN19-DC-000280\"\n tag fix_id: \"F-99725r1_fix\"\n tag cci: [\"CCI-000185\"]\n tag nist: [\"IA-5 (2) (a)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n certs = command(\"Get-ChildItem -Path Cert:\\\\LocalMachine\\\\My | ConvertTo-JSON\").stdout\n describe 'Verify that the domain controller has a PKI server certificate.' 
do\n subject { certs }\n it { should_not be_empty }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93223.rb", + "ref": "./Windows 2019 STIG/controls/V-93481.rb", "line": 3 }, - "id": "V-93223" + "id": "V-93481" }, { - "title": "Windows Server 2019 Deny log on through Remote Desktop Services user\nright on domain controllers must be configured to prevent unauthenticated\naccess.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "title": "Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.", + "desc": "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\\System32 folders, to run with elevated privileges.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "default": "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\\System32 folders, to run with elevated privileges.", "rationale": "", - "check": "This applies to domain controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nthrough Remote Desktop Services\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the\n\"SeDenyRemoteInteractiveLogonRight\" user right, this is a finding.\n\n S-1-5-32-546 (Guests)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non through Remote Desktop Services\" to include the following:\n\n - Guests Group" + "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Only elevate UIAccess applications that are installed in secure 
locations\" to \"Enabled\"." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000297-GPOS-00115", - "gid": "V-92963", - "rid": "SV-103051r1_rule", - "stig_id": "WN19-DC-000410", - "fix_id": "F-99209r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-93527", + "rid": "SV-103613r1_rule", + "stig_id": "WN19-SO-000430", + "fix_id": "F-99771r1_fix", "cci": [ - "CCI-002314" + "CCI-001084" ], "nist": [ - "AC-17 (1)", + "SC-3", "Rev_4" ] }, - "code": "control 'V-92963' do\n title \"Windows Server 2019 Deny log on through Remote Desktop Services user\nright on domain controllers must be configured to prevent unauthenticated\naccess.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on through Remote Desktop Services\\\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc 'rationale', ''\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nthrough Remote Desktop Services\\\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the\n\\\"SeDenyRemoteInteractiveLogonRight\\\" user right, this is a finding.\n\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non through Remote Desktop Services\\\" to include the following:\n\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000297-GPOS-00115'\n tag 'gid': 'V-92963'\n tag 'rid': 'SV-103051r1_rule'\n tag 'stig_id': 'WN19-DC-000410'\n tag 'fix_id': 'F-99209r1_fix'\n tag 'cci': ['CCI-002314']\n tag 'nist': ['AC-17 (1)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93527\" do\n title \"Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are 
installed in secure locations.\"\n desc \"UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\\\\System32 folders, to run with elevated privileges.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Only elevate UIAccess applications that are installed in secure locations\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93527\"\n tag rid: \"SV-103613r1_rule\"\n tag stig_id: \"WN19-SO-000430\"\n tag fix_id: \"F-99771r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableSecureUIAPaths' }\n its('EnableSecureUIAPaths') { should cmp == 1 }\n end\n end\nend", "source_location": { - "ref": 
"./Windows 2019 STIG/controls/V-92963.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93527.rb",
 "line": 3
 },
- "id": "V-92963"
+ "id": "V-93527"
 },
 {
- "title": "Windows Server 2019 must have WDigest Authentication disabled.",
- "desc": "When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS),exposing them to theft. WDigest is disabled by default in Windows Server 2019. This setting ensures this is enforced.",
+ "title": "Windows Server 2019 users must be notified if a web-based program\nattempts to install software.",
+ "desc": "Web-based programs may attempt to install malicious software on a\nsystem. Ensuring users are notified if a web-based program attempts to install\nsoftware allows them to refuse the installation.",
 "descriptions": {
- "default": "When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS),exposing them to theft. WDigest is disabled by default in Windows Server 2019. This setting ensures this is enforced.",
+ "default": "Web-based programs may attempt to install malicious software on a\nsystem. Ensuring users are notified if a web-based program attempts to install\nsoftware allows them to refuse the installation.",
 "rationale": "",
- "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\\\n\n Value Name: UseLogonCredential\n\n Type: REG_DWORD\n Value: 0x00000000 (0)",
- "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \"WDigest Authentication (disabling may require KB2871997)\" to \"Disabled\".\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
\"SecGuide.admx\" and \" SecGuide.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." + "check": "The default behavior is for Internet Explorer to warn users and select\nwhether to allow or refuse installation when a web-based program attempts to\ninstall software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for Internet Explorer to warn users and select\nwhether to allow or refuse installation when a web-based program attempts to\ninstall software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> Windows\nInstaller >> \"Prevent Internet Explorer security prompt for Windows Installer\nscripts\" to \"Not Configured\" or \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93401", - "rid": "SV-103487r1_rule", - "stig_id": "WN19-CC-000020", - "fix_id": "F-99645r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93267", + "rid": "SV-103355r1_rule", + "stig_id": "WN19-CC-000440", + "fix_id": "F-99513r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93401\" do\n title \"Windows Server 2019 must have WDigest Authentication disabled.\"\n desc \"When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS),exposing them to theft. WDigest is disabled by default in Windows Server 2019. This setting ensures this is enforced.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\Wdigest\\\\\n\n Value Name: UseLogonCredential\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \\\"WDigest Authentication (disabling may require KB2871997)\\\" to \\\"Disabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\" SecGuide.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93401\"\n tag rid: \"SV-103487r1_rule\"\n tag stig_id: \"WN19-CC-000020\"\n tag fix_id: \"F-99645r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\Wdigest') do\n it { should have_property 'UseLogonCredential' }\n its('UseLogonCredential') { should cmp == 0 }\n end\nend", + "code": "control \"V-93267\" do\n title \"Windows Server 2019 users must be notified if a web-based program\nattempts to install software.\"\n desc \"Web-based programs may attempt to install malicious software on a\nsystem. Ensuring users are notified if a web-based program attempts to install\nsoftware allows them to refuse the installation.\"\n desc \"rationale\", \"\"\n desc 'check', \"The default behavior is for Internet Explorer to warn users and select\nwhether to allow or refuse installation when a web-based program attempts to\ninstall software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc 'fix', \"The default behavior is for Internet Explorer to warn users and select\nwhether to allow or refuse installation when a web-based program attempts to\ninstall software on the system.\n\n If this needs to be corrected, configure the policy value 
for Computer\nConfiguration >> Administrative Templates >> Windows Components >> Windows\nInstaller >> \\\"Prevent Internet Explorer security prompt for Windows Installer\nscripts\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93267'\n tag 'rid': 'SV-103355r1_rule'\n tag 'stig_id': 'WN19-CC-000440'\n tag 'fix_id': 'F-99513r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should_not have_property 'SafeForScripting' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'SafeForScripting' }\n its('SafeForScripting') { should_not cmp 1 }\n its('SafeForScripting') { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93401.rb", + "ref": "./Windows 2019 STIG/controls/V-93267.rb", "line": 3 }, - "id": "V-93401" + "id": "V-93267" }, { - "title": "Windows Server 2019 Restore files and directories user right must only\nbe assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Restore files and directories\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata. It could also be used to overwrite more current data.", + "title": "Windows Server 2019 must be configured to require a strong session key.", + "desc": "A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. 
Requiring strong session keys enforces 128-bit encryption between systems.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Restore files and directories\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata. It could also be used to overwrite more current data.", + "default": "A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\"Restore files and directories\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \"SeRestorePrivilege\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> 
User Rights Assignment >> \"Restore\nfiles and directories\" to include only the following accounts or groups:\n\n - Administrators"
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n This setting may prevent a system from being joined to a domain if not configured consistently between systems.",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Require strong (Windows 2000 or Later) session key\" to \"Enabled\"."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-93085",
- "rid": "SV-103173r1_rule",
- "stig_id": "WN19-UR-000210",
- "fix_id": "F-99331r1_fix",
+ "gtitle": "SRG-OS-000423-GPOS-00187",
+ "satisfies": [
+ "SRG-OS-000423-GPOS-00187",
+ "SRG-OS-000424-GPOS-00188"
+ ],
+ "gid": "V-93553",
+ "rid": "SV-103639r1_rule",
+ "stig_id": "WN19-SO-000110",
+ "fix_id": "F-99797r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-002418",
+ "CCI-002421"
 ],
 "nist": [
- "AC-6 (10)",
+ "SC-8",
+ "SC-8 (1)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93085\" do\n title \"Windows Server 2019 Restore files and directories user right must only\nbe assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Restore files and directories\\\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata. 
It could also be used to overwrite more current data.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\\\"Restore files and directories\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \\\"SeRestorePrivilege\\\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Restore\nfiles and directories\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93085'\n tag 'rid': 'SV-103173r1_rule'\n tag 'stig_id': 'WN19-UR-000210'\n tag 'fix_id': 'F-99331r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg 
c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeRestorePrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control \"V-93553\" do\n title \"Windows Server 2019 must be configured to require a strong session key.\"\n desc \"A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n This setting may prevent a system from being joined to a domain if not configured consistently between systems.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Require strong (Windows 2000 or Later) session key\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93553\"\n tag rid: \"SV-103639r1_rule\"\n tag stig_id: \"WN19-SO-000110\"\n tag fix_id: \"F-99797r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { 
should have_property 'RequireStrongKey' }\n its('RequireStrongKey') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93085.rb", + "ref": "./Windows 2019 STIG/controls/V-93553.rb", "line": 3 }, - "id": "V-93085" + "id": "V-93553" }, { - "title": "Windows Server 2019 insecure logons to an SMB server must be disabled.", - "desc": "Insecure guest logons allow unauthenticated access to shared folders.\nShared resources on a system must require authentication to establish proper\naccess.", + "title": "Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.", + "desc": "Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.", "descriptions": { - "default": "Insecure guest logons allow unauthenticated access to shared folders.\nShared resources on a system must require authentication to establish proper\naccess.", + "default": "Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Network >> Lanman Workstation >> \"Enable insecure\nguest logons\" to \"Disabled\"." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Do not allow anonymous enumeration of SAM accounts\" to \"Enabled\"."
 },
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93239",
- "rid": "SV-103327r1_rule",
- "stig_id": "WN19-CC-000070",
- "fix_id": "F-99485r1_fix",
+ "gid": "V-93291",
+ "rid": "SV-103379r1_rule",
+ "stig_id": "WN19-SO-000220",
+ "fix_id": "F-99537r1_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -1424,170 +1385,207 @@ "Rev_4" ] }, - "code": "control \"V-93239\" do\n title \"Windows Server 2019 insecure logons to an SMB server must be disabled.\"\n desc \"Insecure guest logons allow unauthenticated access to shared folders.\nShared resources on a system must require authentication to establish proper\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\LanmanWorkstation\\\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Network >> Lanman Workstation >> \\\"Enable insecure\nguest logons\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93239'\n tag 'rid': 'SV-103327r1_rule'\n tag 'stig_id': 'WN19-CC-000070'\n tag 'fix_id': 'F-99485r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation') do\n it { should have_property 'AllowInsecureGuestAuth' }\n its('AllowInsecureGuestAuth') { should cmp 0}\n end\nend\n", + "code": "control \"V-93291\" do\n title \"Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.\"\n desc \"Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: 
RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Do not allow anonymous enumeration of SAM accounts\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93291\"\n tag rid: \"SV-103379r1_rule\"\n tag stig_id: \"WN19-SO-000220\"\n tag fix_id: \"F-99537r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictAnonymousSAM' }\n its('RestrictAnonymousSAM') { should cmp == 1 }\n end \nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93239.rb", + "ref": "./Windows 2019 STIG/controls/V-93291.rb", "line": 3 }, - "id": "V-93239" + "id": "V-93291" }, { - "title": "Windows Server 2019 local users on domain-joined member servers must not be enumerated.", - "desc": "The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.", + "title": "Windows Server 2019 must be configured to audit Account Logon -\nCredential Validation successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.", "descriptions": { - "default": "The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.", "rationale": "", - "check": "This applies to member servers. For domain controllers and standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnumerateLocalUsers\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> \"Enumerate local users on domain-joined computers\" to \"Disabled\"." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Logon >> \"Audit Credential Validation\" with\n\"Success\" selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93419", - "rid": "SV-103505r1_rule", - "stig_id": "WN19-MS-000030", - "fix_id": "F-99663r1_fix", + "gtitle": "SRG-OS-000470-GPOS-00214", + "gid": "V-93153", + "rid": "SV-103241r1_rule", + "stig_id": "WN19-AU-000070", + "fix_id": "F-99399r1_fix", "cci": [ - "CCI-000381" + "CCI-000172" ], "nist": [ - "CM-7 a", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93419\" do\n title \"Windows Server 2019 local users on domain-joined member servers must not be enumerated.\"\n desc \"The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to member servers. 
For domain controllers and standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnumerateLocalUsers\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> \\\"Enumerate local users on domain-joined computers\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93419\"\n tag rid: \"SV-103505r1_rule\"\n tag stig_id: \"WN19-MS-000030\"\n tag fix_id: \"F-99663r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '3'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'EnumerateLocalUsers' }\n its('EnumerateLocalUsers') { should cmp 0 }\n end\n else\n impact 0.0\n describe 'This control is not applicable as it only applies to member servers' do\n skip 'This control is not applicable as it only applies to member servers'\n end\n end\nend", + "code": "control \"V-93153\" do\n title \"Windows Server 2019 must be configured to audit Account Logon -\nCredential Validation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93153'\n tag 'rid': 'SV-103241r1_rule'\n tag 'stig_id': 'WN19-AU-000070'\n tag 'fix_id': 'F-99399r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93419.rb", + "ref": "./Windows 2019 STIG/controls/V-93153.rb", "line": 3 }, - "id": "V-93419" + "id": 
"V-93153"
 },
 {
- "title": "Windows Server 2019 must be configured to audit Detailed Tracking -\nProcess Creation successes.",
- "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\nthe source.",
+ "title": "Windows Server 2019 Debug programs: user right must only be assigned\nto the Administrators group.",
+ "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Debug programs\" user right can attach a debugger to\nany process or to the kernel, providing complete access to sensitive and\ncritical operating system components. This right is given to Administrators in\nthe default configuration.",
 "descriptions": {
- "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\nthe source.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Debug programs\" user right can attach a debugger to\nany process or to the kernel, providing complete access to sensitive and\ncritical operating system components. This right is given to Administrators in\nthe default configuration.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Process Creation - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Detailed Tracking >> \"Audit Process Creation\" with\n\"Success\" selected." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Debug\nprograms\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \"SeDebugPrivilege\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for application accounts with this user right must be protected\nas highly privileged accounts.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Debug\nprograms\" to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-93091", - "rid": "SV-103179r1_rule", - "stig_id": "WN19-AU-000140", - "fix_id": "F-99337r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93065", + "rid": "SV-103153r1_rule", + "stig_id": "WN19-UR-000100", + "fix_id": "F-99311r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002235" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "AC-6 (10)", 
"Rev_4" ] }, - "code": "control \"V-93091\" do\n title \"Windows Server 2019 must be configured to audit Detailed Tracking -\nProcess Creation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\nthe source.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Process Creation - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Detailed Tracking >> \\\"Audit Process Creation\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000471-GPOS-00215\"]\n tag 'gid': 'V-93091'\n tag 'rid': 'SV-103179r1_rule'\n tag 'stig_id': 'WN19-AU-000140'\n tag 'fix_id': 'F-99337r1_fix'\n tag 'cci': [\"CCI-000172\", 
\"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Process Creation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Process Creation') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93065\" do\n title \"Windows Server 2019 Debug programs: user right must only be assigned\nto the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Debug programs\\\" user right can attach a debugger to\nany process or to the kernel, providing complete access to sensitive and\ncritical operating system components. This right is given to Administrators in\nthe default configuration.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Debug\nprograms\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \\\"SeDebugPrivilege\\\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for application accounts with this user right must be 
protected\nas highly privileged accounts.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Debug\nprograms\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93065'\n tag 'rid': 'SV-103153r1_rule'\n tag 'stig_id': 'WN19-UR-000100'\n tag 'fix_id': 'F-99311r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeDebugPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93091.rb", + "ref": "./Windows 2019 STIG/controls/V-93065.rb", "line": 3 }, - "id": "V-93091" + "id": "V-93065" }, { - "title": "Windows Server 2019 must be configured to audit Object Access -\nRemovable Storage successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Success\n\n Virtual machines or systems that use network attached storage may generate\nexcessive audit events for secondary virtual drives or the network attached\nstorage when this setting is enabled. This may be set to Not Configured in such\ncases and would not be a finding.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \"Audit Removable Storage\" with\n\"Success\" selected." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name [application name]\" with each of the following substituted for [application name]:\n java.exe, javaw.exe, and javaws.exe\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\" for each, this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for java.exe, javaw.exe, and javaws.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000474-GPOS-00219", - "gid": "V-93167", - "rid": "SV-103255r1_rule", - "stig_id": "WN19-AU-000240", - "fix_id": "F-99413r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93339", + "rid": "SV-103427r1_rule", + "stig_id": "WN19-EP-000150", + "fix_id": "F-99585r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93167\" do\n title \"Windows Server 2019 must be configured to audit Object Access -\nRemovable Storage successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Removable Storage auditing under Object Access records events related to\naccess attempts on file system objects on removable storage devices.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Removable Storage - Success\n\n Virtual machines or systems that use network attached storage may 
generate\nexcessive audit events for secondary virtual drives or the network attached\nstorage when this setting is enabled. This may be set to Not Configured in such\ncases and would not be a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000474-GPOS-00219'\n tag 'gid': 'V-93167'\n tag 'rid': 'SV-103255r1_rule'\n tag 'stig_id': 'WN19-AU-000240'\n tag 'fix_id': 'F-99413r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Removable Storage') { should eq 'Success' }\n end\n describe audit_policy do\n its('Removable Storage') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93339\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name [application name]\\\" with each of the following substituted for [application name]:\n java.exe, javaw.exe, and javaws.exe\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\" for each, this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for java.exe, javaw.exe, and javaws.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93339\"\n tag rid: \"SV-103427r1_rule\"\n tag stig_id: \"WN19-EP-000150\"\n tag fix_id: \"F-99585r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n java = json({ command: \"Get-ProcessMitigation -Name java.exe | ConvertTo-Json\" }).params\n javaw = json({ command: \"Get-ProcessMitigation -Name javaw.exe | ConvertTo-Json\" }).params\n javaws = json({ command: \"Get-ProcessMitigation -Name javaws.exe | ConvertTo-Json\" }).params\n\n apps = [ java, javaw, javaws ]\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n if java.empty? && javaw.empty? && javaws.empty?\n impact 0.0\n describe 'The referenced applications are not installed on the system, this is NA.' do\n skip 'The referenced applications are not installed on the system, this is NA.'\n end\n else\n apps.each do |app|\n next if app.empty?\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for java.exe\" do\n subject { app }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93167.rb", + "ref": "./Windows 2019 STIG/controls/V-93339.rb", "line": 3 }, - "id": "V-93167" + "id": "V-93339" }, { - "title": "Windows Server 2019 must be configured to audit System - Other System\nEvents successes.", - "desc": "Maintaining an 
audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.", + "title": "Windows Server 2019 must be configured to audit Account Management -\nUser Account Management failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit Other System Events\" with\n\"Success\" selected." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit User Account\nManagement\" with \"Failure\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000004-GPOS-00004", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" ], - "gid": "V-93109", - "rid": "SV-103197r1_rule", - "stig_id": "WN19-AU-000340", - "fix_id": "F-99355r1_fix", + "gid": "V-92983", + "rid": "SV-103071r1_rule", + "stig_id": "WN19-AU-000120", + "fix_id": "F-99229r1_fix", "cci": [ + "CCI-000018", "CCI-000172", - "CCI-002234" + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ + "AC-2 (4)", "AU-12 c", - "AC-6 (9)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2(4)", "Rev_4" ] }, - "code": "control \"V-93109\" do\n title \"Windows Server 2019 must be configured to audit System - Other System\nEvents successes.\"\n desc \"Maintaining an audit trail 
of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit Other System Events\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93109'\n tag 'rid': 'SV-103197r1_rule'\n tag 'stig_id': 'WN19-AU-000340'\n tag 'fix_id': 'F-99355r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n 
its('Other System Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-92983\" do\n title \"Windows Server 2019 must be configured to audit Account Management -\nUser Account Management failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit User Account\nManagement\\\" with \\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000004-GPOS-00004'\n tag 
'satisfies': [\"SRG-OS-000004-GPOS-00004\", \"SRG-OS-000239-GPOS-00089\",\n\"SRG-OS-000240-GPOS-00090\", \"SRG-OS-000241-GPOS-00091\",\n\"SRG-OS-000303-GPOS-00120\", \"SRG-OS-000476-GPOS-00221\"]\n tag 'gid': 'V-92983'\n tag 'rid': 'SV-103071r1_rule'\n tag 'stig_id': 'WN19-AU-000120'\n tag 'fix_id': 'F-99229r1_fix'\n tag 'cci': [\"CCI-000018\", \"CCI-000172\", \"CCI-001403\", \"CCI-001404\",\n\"CCI-001405\", \"CCI-002130\"]\n tag 'nist': [\"AC-2 (4)\", \"AU-12 c\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2(4)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Failure' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93109.rb", + "ref": "./Windows 2019 STIG/controls/V-92983.rb", "line": 3 }, - "id": "V-93109" + "id": "V-92983" }, { - "title": "Windows Server 2019 must be configured to audit DS Access - Directory\nService Changes failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.", + "title": "Windows Server 2019 local users on domain-joined member servers must not be enumerated.", + "desc": "The username is one part of logon credentials that could be used to gain access to a system. 
Preventing the enumeration of users limits this information to authorized personnel.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.", + "default": "The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \"Directory Service Changes\" with\n\"Failure\" selected." + "check": "This applies to member servers. 
For domain controllers and standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnumerateLocalUsers\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> \"Enumerate local users on domain-joined computers\" to \"Disabled\"." }, "impact": 0, "refs": [], + "tags": { + "severity": null, + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93419", + "rid": "SV-103505r1_rule", + "stig_id": "WN19-MS-000030", + "fix_id": "F-99663r1_fix", + "cci": [ + "CCI-000381" + ], + "nist": [ + "CM-7 a", + "Rev_4" + ] + }, + "code": "control \"V-93419\" do\n title \"Windows Server 2019 local users on domain-joined member servers must not be enumerated.\"\n desc \"The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to member servers. 
For domain controllers and standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnumerateLocalUsers\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> \\\"Enumerate local users on domain-joined computers\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93419\"\n tag rid: \"SV-103505r1_rule\"\n tag stig_id: \"WN19-MS-000030\"\n tag fix_id: \"F-99663r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '3'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'EnumerateLocalUsers' }\n its('EnumerateLocalUsers') { should cmp 0 }\n end\n else\n impact 0.0\n describe 'This control is not applicable as it only applies to member servers' do\n skip 'This control is not applicable as it only applies to member servers'\n end\n end\nend", + "source_location": { + "ref": "./Windows 2019 STIG/controls/V-93419.rb", + "line": 3 + }, + "id": "V-93419" + }, + { + "title": "Windows Server 2019 must be configured to audit System - Other System\nEvents failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.", + "descriptions": { + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.", + "rationale": "", + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit Other System Events\" with\n\"Failure\" selected." + }, + "impact": 0.5, + "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000327-GPOS-00127", 
@@ -1597,10 +1595,10 @@
 "SRG-OS-000463-GPOS-00207",
 "SRG-OS-000468-GPOS-00212"
 ],
- "gid": "V-93139",
- "rid": "SV-103227r1_rule",
- "stig_id": "WN19-DC-000270",
- "fix_id": "F-99385r1_fix",
+ "gid": "V-93111",
+ "rid": "SV-103199r1_rule",
+ "stig_id": "WN19-AU-000350",
+ "fix_id": "F-99357r1_fix",
 "cci": [
 "CCI-000172",
 "CCI-002234"
@@ -1611,130 +1609,130 @@ "Rev_4" ] }, - "code": "control \"V-93139\" do\n title \"Windows Server 2019 must be configured to audit DS Access - Directory\nService Changes failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \\\"Directory Service Changes\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", 
\"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93139'\n tag 'rid': 'SV-103227r1_rule'\n tag 'stig_id': 'WN19-DC-000270'\n tag 'fix_id': 'F-99385r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n \n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success and Failure' }\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93111\" do\n title \"Windows Server 2019 must be configured to audit System - Other System\nEvents failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit Other System Events\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': \"SRG-OS-000327-GPOS-00127\"\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': \"V-93111\"\n tag 'rid': \"SV-103199r1_rule\"\n tag 'stig_id': \"WN19-AU-000350\"\n tag 'fix_id': \"F-99357r1_fix\"\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n 
end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93139.rb", + "ref": "./Windows 2019 STIG/controls/V-93111.rb", "line": 3 }, - "id": "V-93139" + "id": "V-93111" }, { - "title": "Windows Server 2019 command line data must be included in process\ncreation events.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \"Include command line data for process creation events\" will\nrecord the command line information with the process creation events in the\nlog. This can provide additional detail when malware has run on a system.", + "title": "Windows Server 2019 minimum password age must be configured to at least one day.", + "desc": "Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \"Include command line data for process creation events\" will\nrecord the command line information with the process creation events in the\nlog. 
This can provide additional detail when malware has run on a system.", + "default": "Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Audit Process Creation >> \"Include\ncommand line in process creation events\" to \"Enabled\"." + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \"Minimum password age\" is set to \"0\" days (\"Password can be changed immediately\"), this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"MinimumPasswordAge\" equals \"0\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Minimum password age\" to at least \"1\" day." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000042-GPOS-00020",
- "gid": "V-93173",
- "rid": "SV-103261r1_rule",
- "stig_id": "WN19-CC-000090",
- "fix_id": "F-99419r1_fix",
+ "gtitle": "SRG-OS-000075-GPOS-00043",
+ "gid": "V-93471",
+ "rid": "SV-103557r1_rule",
+ "stig_id": "WN19-AC-000060",
+ "fix_id": "F-99715r1_fix",
 "cci": [
- "CCI-000135"
+ "CCI-000198"
 ],
 "nist": [
- "AU-3 (1)",
+ "IA-5 (1) (d)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93173\" do\n title \"Windows Server 2019 command line data must be included in process\ncreation events.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \\\"Include command line data for process creation events\\\" will\nrecord the command line information with the process creation events in the\nlog. 
This can provide additional detail when malware has run on a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Audit\\\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Audit Process Creation >> \\\"Include\ncommand line in process creation events\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000042-GPOS-00020'\n tag 'gid': 'V-93173'\n tag 'rid': 'SV-103261r1_rule'\n tag 'stig_id': 'WN19-CC-000090'\n tag 'fix_id': 'F-99419r1_fix'\n tag 'cci': [\"CCI-000135\"]\n tag 'nist': [\"AU-3 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit') do\n it { should have_property 'ProcessCreationIncludeCmdLine_Enabled' }\n its('ProcessCreationIncludeCmdLine_Enabled') { should cmp 1 }\n end\nend\n", + "code": "control \"V-93471\" do\n title \"Windows Server 2019 minimum password age must be configured to at least one day.\"\n desc \"Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. 
This enables users to effectively negate the purpose of mandating periodic password changes.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \\\"Minimum password age\\\" is set to \\\"0\\\" days (\\\"Password can be changed immediately\\\"), this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"MinimumPasswordAge\\\" equals \\\"0\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Minimum password age\\\" to at least \\\"1\\\" day.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000075-GPOS-00043\"\n tag gid: \"V-93471\"\n tag rid: \"SV-103557r1_rule\"\n tag stig_id: \"WN19-AC-000060\"\n tag fix_id: \"F-99715r1_fix\"\n tag cci: [\"CCI-000198\"]\n tag nist: [\"IA-5 (1) (d)\", \"Rev_4\"]\n\n describe security_policy do\n its('MinimumPasswordAge') { should be >= input('minimum_password_age') }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93173.rb", + "ref": "./Windows 2019 STIG/controls/V-93471.rb", "line": 3 }, - "id": "V-93173" + "id": "V-93471" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 Active Directory SYSVOL directory must have the\nproper access control permissions.", + "desc": "Improper access permissions for directory data files could allow\nunauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\nand logon scripts. Data in shared subdirectories are replicated to all domain\ncontrollers in a domain.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Improper access permissions for directory data files could allow\nunauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\nand logon scripts. 
Data in shared subdirectories are replicated to all domain\ncontrollers in a domain.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name OUTLOOK.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for OUTLOOK.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Open a command prompt.\n\n Run \"net share\".\n\n Make note of the directory location of the SYSVOL share.\n\n By default, this will be \\Windows\\SYSVOL\\sysvol. For this requirement,\npermissions will be verified at the first SYSVOL directory level.\n\n If any standard user accounts or groups have greater than \"Read &\nexecute\" permissions, this is a finding.\n\n The default permissions noted below meet this requirement:\n\n Open \"Command Prompt\".\n\n Run \"icacls c:\\Windows\\SYSVOL\".\n\n The following results should be displayed:\n\n NT AUTHORITY\\Authenticated Users:(RX)\n NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\Server Operators:(RX)\n BUILTIN\\Server Operators:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\Administrators:(M,WDAC,WO)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(F)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n\n (RX) - Read & execute\n\n Run \"icacls /help\" to view definitions of other permission codes.\n\n Alternately, open \"File Explorer\".\n\n Navigate to \\Windows\\SYSVOL (or the directory noted previously if\ndifferent).\n\n Right-click the directory and select properties.\n\n Select the \"Security\" tab and click \"Advanced\".\n\n Default permissions:\n\n C:\\Windows\\SYSVOL\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions:\nall selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files", + "fix": "Maintain the permissions on the SYSVOL directory. 
Do not allow greater than\n\"Read & execute\" permissions for standard user accounts or groups. The\ndefaults below meet this requirement:\n\n C:\\Windows\\SYSVOL\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions:\nall selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files" }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93351", - "rid": "SV-103439r1_rule", - "stig_id": "WN19-EP-000210", - "fix_id": "F-99597r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93031", + "rid": "SV-103119r1_rule", + "stig_id": "WN19-DC-000080", + "fix_id": "F-99277r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93351\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name OUTLOOK.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for OUTLOOK.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93351\"\n tag rid: \"SV-103439r1_rule\"\n tag stig_id: \"WN19-EP-000210\"\n tag fix_id: \"F-99597r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n outlook = json({ command: \"Get-ProcessMitigation -Name OUTLOOK.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif outlook.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for OUTLOOK.EXE\" do\n subject { outlook }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93031\" do\n title \"Windows Server 2019 Active Directory SYSVOL directory must have the\nproper access control permissions.\"\n desc \"Improper access permissions for directory data files could allow\nunauthorized users to read, modify, or delete directory data.\n\n The SYSVOL directory contains public files (to the domain) such as policies\nand logon scripts. Data in shared subdirectories are replicated to all domain\ncontrollers in a domain.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Open a command prompt.\n\n Run \\\"net share\\\".\n\n Make note of the directory location of the SYSVOL share.\n\n By default, this will be \\\\Windows\\\\SYSVOL\\\\sysvol. For this requirement,\npermissions will be verified at the first SYSVOL directory level.\n\n If any standard user accounts or groups have greater than \\\"Read &\nexecute\\\" permissions, this is a finding.\n\n The default permissions noted below meet this requirement:\n\n Open \\\"Command Prompt\\\".\n\n Run \\\"icacls c:\\\\Windows\\\\SYSVOL\\\".\n\n The following results should be displayed:\n\n NT AUTHORITY\\\\Authenticated Users:(RX)\n NT AUTHORITY\\\\Authenticated Users:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\\\Server Operators:(RX)\n BUILTIN\\\\Server Operators:(OI)(CI)(IO)(GR,GE)\n BUILTIN\\\\Administrators:(M,WDAC,WO)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(F)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n\n (RX) - Read & execute\n\n Run \\\"icacls /help\\\" to view definitions of other permission codes.\n\n Alternately, open \\\"File Explorer\\\".\n\n Navigate to \\\\Windows\\\\SYSVOL (or the directory noted previously if\ndifferent).\n\n Right-click the directory and select properties.\n\n Select the \\\"Security\\\" tab and click \\\"Advanced\\\".\n\n Default permissions:\n\n C:\\\\Windows\\\\SYSVOL\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions:\nall selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files\"\n desc \"fix\", \"\n Maintain the permissions on the SYSVOL 
directory. Do not allow greater than\n\\\"Read & execute\\\" permissions for standard user accounts or groups. The\ndefaults below meet this requirement:\n\n C:\\\\Windows\\\\SYSVOL\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n Authenticated Users - Read & execute - This folder, subfolder, and files\n Server Operators - Read & execute- This folder, subfolder, and files\n Administrators - Special - This folder only (Special = Basic Permissions:\nall selected except Full control)\n CREATOR OWNER - Full control - Subfolders and files only\n Administrators - Full control - Subfolders and files only\n SYSTEM - Full control - This folder, subfolders, and files\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93031'\n tag 'rid': 'SV-103119r1_rule'\n tag 'stig_id': 'WN19-DC-000080'\n tag 'fix_id': 'F-99277r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n sysvol_perm = json( command: \"icacls 'c:\\\\Windows\\\\SYSVOL' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"c:\\\\Windows\\\\SYSVOL \", '') }\n \n describe \"c:\\\\ permissions are set correctly on folder structure\" do\n subject { sysvol_perm.eql? 
input('c_windows_sysvol_perm') }\n it { should eq true }\n end\n else\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93351.rb", + "ref": "./Windows 2019 STIG/controls/V-93031.rb", "line": 3 }, - "id": "V-93351" + "id": "V-93031" }, { - "title": "Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.", - "desc": "Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. 
A permanent account should be established for privileged users who need long-term maintenance accounts.\n To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", + "title": "Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.", + "desc": "The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.", "descriptions": { - "default": "Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. 
A permanent account should be established for privileged users who need long-term maintenance accounts.\n To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", + "default": "The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.", "rationale": "", - "check": "Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA.\n If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved.\n If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding.\n\n Domain Controllers:\n Open \"PowerShell\".\n Enter \"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\".\n If \"AccountExpirationDate\" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.\n\n Member servers and standalone systems:\n Open \"Command Prompt\".\n Run \"Net user [username]\", where [username] is the name of the emergency account.\n If \"Account expires\" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.", - "fix": "Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours.\n Domain accounts can be configured with an account expiration date, under \"Account\" 
properties.\n Local accounts can be configured to expire with the command \"Net user [username] /expires:[mm/dd/yyyy]\", where username is the name of the temporary user account." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 0x00000005 (5)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: LAN Manager authentication level\" to \"Send NTLMv2 response only. Refuse LM & NTLM\"." }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000123-GPOS-00064", - "gid": "V-92977", - "rid": "SV-103065r1_rule", - "stig_id": "WN19-00-000310", - "fix_id": "F-99223r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93301", + "rid": "SV-103389r1_rule", + "stig_id": "WN19-SO-000310", + "fix_id": "F-99547r1_fix", "cci": [ - "CCI-001682" + "CCI-000366" ], "nist": [ - "AC-2 (2)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-92977\" do\n title \"Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within #{input('emergency_account_period')*24} hours.\"\n desc \"Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. 
If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine if emergency administrator accounts are used and identify any that exist. 
If none exist, this is NA.\n If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved.\n If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding.\n\n Domain Controllers:\n Open \\\"PowerShell\\\".\n Enter \\\"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\\\".\n If \\\"AccountExpirationDate\\\" has been defined and is not within #{input('emergency_account_period')*24} hours for an emergency administrator account, this is a finding.\n\n Member servers and standalone systems:\n Open \\\"Command Prompt\\\".\n Run \\\"Net user [username]\\\", where [username] is the name of the emergency account.\n If \\\"Account expires\\\" has been defined and is not within #{input('emergency_account_period')*24} hours for an emergency administrator account, this is a finding.\"\n desc 'fix', \"Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within #{input('emergency_account_period')*24} hours.\n Domain accounts can be configured with an account expiration date, under \\\"Account\\\" properties.\n Local accounts can be configured to expire with the command \\\"Net user [username] /expires:[mm/dd/yyyy]\\\", where username is the name of the temporary user account.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000123-GPOS-00064'\n tag 'gid': 'V-92977'\n tag 'rid': 'SV-103065r1_rule'\n tag 'stig_id': 'WN19-00-000310'\n tag 'fix_id': 'F-99223r1_fix'\n tag 'cci': [\"CCI-001682\"]\n tag 'nist': [\"AC-2 (2)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n \n if domain_role == '4' || domain_role == '5'\n emergency_accounts_list = input('emergency_accounts_domain')\n if 
emergency_accounts_list == [nil]\n impact 0.0\n describe 'There are no Emergency Account listed for this Control' do\n skip 'This becomes a manual check if the input emergency_accounts_domain is not assigned a value'\n end\n else\n emergency_accounts = []\n emergency_accounts_list.each do |emergency_account|\n emergency_accounts << json({ command: \"Get-ADUser -Identity #{emergency_account} -Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\"}).params\n end\n emergency_accounts.each do |emergency_account|\n account_name = emergency_account.fetch(\"SamAccountName\")\n if emergency_account.fetch(\"WhenCreated\") == nil\n describe \"#{account_name} account's creation date\" do\n subject { emergency_account.fetch(\"WhenCreated\") }\n it { should_not eq nil}\n end\n elsif emergency_account.fetch(\"AccountExpirationDate\") == nil\n describe \"#{account_name} account's expiration date\" do\n subject { emergency_account.fetch(\"AccountExpirationDate\") }\n it { should_not eq nil}\n end\n else\n creation_date = Date.parse(emergency_account.fetch(\"WhenCreated\"))\n expiration_date = Date.parse(emergency_account.fetch(\"AccountExpirationDate\"))\n date_difference = expiration_date.mjd - creation_date.mjd\n describe \"Account expiration set for #{account_name}\" do\n subject { date_difference }\n it { should cmp <= input('emergency_account_period')}\n end\n end\n end\n end\n else\n emergency_accounts_list = input('emergency_accounts_local')\n if emergency_accounts_list == [nil]\n impact 0.0\n describe 'There are no Emergency Account listed for this Control' do\n skip 'This is not applicable as there are no Emergency Account listed for this Control'\n end\n else\n emergency_accounts = []\n emergency_accounts_list.each do |emergency_account|\n 
emergency_accounts << json({ command: \"Get-LocalUser -Name #{emergency_account} | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\"}).params\n end\n emergency_accounts.each do |emergency_account|\n user_name = emergency_account.fetch(\"Name\")\n if emergency_account.fetch(\"PasswordLastSet\") == nil\n describe \"#{user_name} account's password last set date\" do\n subject { emergency_account.fetch(\"PasswordLastSet\") }\n it { should_not eq nil}\n end\n elsif emergency_account.fetch(\"AccountExpires\") == nil\n describe \"#{user_name} account's expiration date\" do\n subject { emergency_account.fetch(\"AccountExpires\") }\n it { should_not eq nil}\n end\n else\n password_date = Date.parse(emergency_account.fetch(\"PasswordLastSet\"))\n expiration_date = Date.parse(emergency_account.fetch(\"AccountExpires\"))\n date_difference = expiration_date.mjd - password_date.mjd\n describe \"Account expiration set for #{user_name}\" do\n subject { date_difference }\n it { should cmp <= input('emergency_account_period')}\n end\n end\n end\n end\n end\nend", + "code": "control \"V-93301\" do\n title \"Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.\"\n desc \"The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. 
It is also used to authenticate logons to standalone computers that are running later versions.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 0x00000005 (5)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: LAN Manager authentication level\\\" to \\\"Send NTLMv2 response only. Refuse LM & NTLM\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93301\"\n tag rid: \"SV-103389r1_rule\"\n tag stig_id: \"WN19-SO-000310\"\n tag fix_id: \"F-99547r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'LmCompatibilityLevel' }\n its('LmCompatibilityLevel') { should cmp == 5 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92977.rb", + "ref": "./Windows 2019 STIG/controls/V-93301.rb", "line": 3 }, - "id": "V-92977" + "id": "V-93301" }, { - "title": "Windows Server 2019 must prevent NTLM from falling back to a Null session.", - "desc": "NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.", + "title": "Windows Server 2019 must be configured to prevent Internet Control\nMessage Protocol (ICMP) redirects from overriding Open Shortest Path First\n(OSPF)-generated routes.", + "desc": "Allowing ICMP redirect of routes can lead to traffic not being routed\nproperly. 
When disabled, this forces ICMP to be routed via the shortest path\nfirst.", "descriptions": { - "default": "NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.", + "default": "Allowing ICMP redirect of routes can lead to traffic not being routed\nproperly. When disabled, this forces ICMP to be routed via the shortest path\nfirst.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0\\\n\n Value Name: allownullsessionfallback\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Allow LocalSystem NULL session fallback\" to \"Disabled\"." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \"MSS: (EnableICMPRedirect) Allow ICMP redirects\nto override OSPF generated routes\" to \"Disabled\".\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \"MSS-Legacy.admx\" and\n\"MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n\\Windows\\PolicyDefinitions\\en-US directories respectively." 
},
- "impact": 0.5,
+ "impact": 0.3,
"refs": [],
"tags": {
"severity": null,
"gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93297",
- "rid": "SV-103385r1_rule",
- "stig_id": "WN19-SO-000270",
- "fix_id": "F-99543r1_fix",
+ "gid": "V-93237",
+ "rid": "SV-103325r1_rule",
+ "stig_id": "WN19-CC-000050",
+ "fix_id": "F-99483r1_fix",
"cci": [
"CCI-000366"
],
@@ -1743,105 +1741,97 @@ "Rev_4" ] }, - "code": "control \"V-93297\" do\n title \"Windows Server 2019 must prevent NTLM from falling back to a Null session.\"\n desc \"NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\MSV1_0\\\\\n\n Value Name: allownullsessionfallback\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Allow LocalSystem NULL session fallback\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93297\"\n tag rid: \"SV-103385r1_rule\"\n tag stig_id: \"WN19-SO-000270\"\n tag fix_id: \"F-99543r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'allownullsessionfallback' }\n its('allownullsessionfallback') { should cmp == 0 }\n end \nend", + "code": "control \"V-93237\" do\n title \"Windows Server 2019 must be configured to prevent Internet Control\nMessage Protocol (ICMP) redirects from overriding Open Shortest Path First\n(OSPF)-generated routes.\"\n desc \"Allowing ICMP redirect of routes can lead to traffic not being routed\nproperly. 
When disabled, this forces ICMP to be routed via the shortest path\nfirst.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: EnableICMPRedirect\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \\\"MSS: (EnableICMPRedirect) Allow ICMP redirects\nto override OSPF generated routes\\\" to \\\"Disabled\\\".\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \\\"MSS-Legacy.admx\\\" and\n\\\"MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n\\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.3\n tag severity: nil\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-93237'\n tag rid: 'SV-103325r1_rule'\n tag stig_id: 'WN19-CC-000050'\n tag fix_id: 'F-99483r1_fix'\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters') do\n it { should have_property 'EnableICMPRedirect' }\n its('EnableICMPRedirect') { should cmp 0}\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93297.rb", + "ref": "./Windows 2019 STIG/controls/V-93237.rb", "line": 3 }, - "id": "V-93297" + "id": "V-93237" }, { - "title": "Windows Server 2019 shared user accounts must not be permitted.", - "desc": "Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. 
There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.", + "title": "Windows Server 2019 Access this computer from the network user right\nmust only be assigned to the Administrators and Authenticated Users groups on\ndomain-joined member servers and standalone systems.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Access this computer from the network\" user right may\naccess resources on the system, and this right must be limited to those\nrequiring it.", "descriptions": { - "default": "Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Access this computer from the network\" user right may\naccess resources on the system, and this right must be limited to those\nrequiring it.", "rationale": "", - "check": "Determine whether any shared accounts exist. If no shared accounts exist, this is NA.\n\n Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.\n\n If unapproved shared accounts exist, this is a finding.", - "fix": "Remove unapproved shared accounts from the system.\n\n Document required shared accounts with the ISSO. 
Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity." + "check": "This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Access\nthis computer from the network\" user right, this is a finding:\n\n - Administrators\n - Authenticated Users\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeNetworkLogonRight\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n S-1-5-11 (Authenticated Users)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Access\nthis computer from the network\" to include only the following accounts or\ngroups:\n\n - Administrators\n - Authenticated Users" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000104-GPOS-00051", - "gid": "V-93437", - "rid": "SV-103523r1_rule", - "stig_id": "WN19-00-000070", - "fix_id": "F-99681r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + 
"gid": "V-93007", + "rid": "SV-103095r1_rule", + "stig_id": "WN19-MS-000070", + "fix_id": "F-99253r1_fix", "cci": [ - "CCI-000764" + "CCI-000213" ], "nist": [ - "IA-2", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93437\" do\n title \"Windows Server 2019 shared user accounts must not be permitted.\"\n desc \"Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Determine whether any shared accounts exist. If no shared accounts exist, this is NA.\n\n Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.\n\n If unapproved shared accounts exist, this is a finding.\"\n desc \"fix\", \"Remove unapproved shared accounts from the system.\n\n Document required shared accounts with the ISSO. 
Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000104-GPOS-00051\"\n tag gid: \"V-93437\"\n tag rid: \"SV-103523r1_rule\"\n tag stig_id: \"WN19-00-000070\"\n tag fix_id: \"F-99681r1_fix\"\n tag cci: [\"CCI-000764\"]\n tag nist: [\"IA-2\", \"Rev_4\"]\n\n describe 'This control needs to be check manually' do\n skip 'Control not executed as this test is manual'\n end\nend", + "code": "control \"V-93007\" do\n title \"Windows Server 2019 Access this computer from the network user right\nmust only be assigned to the Administrators and Authenticated Users groups on\ndomain-joined member servers and standalone systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Access this computer from the network\\\" user right may\naccess resources on the system, and this right must be limited to those\nrequiring it.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Access\nthis computer from the network\\\" user right, this is a finding:\n\n - Administrators\n - Authenticated Users\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeNetworkLogonRight\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n S-1-5-11 (Authenticated Users)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"\n Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Access\nthis computer from the network\\\" to include only the following accounts or\ngroups:\n\n - Administrators\n - Authenticated Users\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93007'\n tag 'rid': 'SV-103095r1_rule'\n tag 'stig_id': 'WN19-MS-000070'\n tag 'fix_id': 'F-99253r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n 
describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers'\n end\n else\n describe security_policy do\n its('SeNetworkLogonRight') { should eq ['S-1-5-11', 'S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93437.rb", + "ref": "./Windows 2019 STIG/controls/V-93007.rb", "line": 3 }, - "id": "V-93437" + "id": "V-93007" }, { - "title": "Windows Server 2019 Active Directory Domain object must be configured\nwith proper audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain object. 
Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "title": "Windows Server 2019 Deny log on as a batch job user right on\ndomain-joined member servers must be configured to prevent access from highly\nprivileged domain accounts and from unauthenticated access on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a batch job\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain object. 
Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a batch job\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the Domain object are not at least as inclusive as\nthose below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\nModify owner)", - "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for Domain object to include the following:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\nModify owner.)" + "check": "This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nas a batch job\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \"SeDenyBatchLogonRight\"\nuser right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n All Systems:\n S-1-5-32-546 (Guests)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non 
as a batch job\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93123", - "rid": "SV-103211r1_rule", - "stig_id": "WN19-DC-000180", - "fix_id": "F-99369r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-93011", + "rid": "SV-103099r1_rule", + "stig_id": "WN19-MS-000090", + "fix_id": "F-99257r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000213" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93123\" do\n title \"Windows Server 2019 Active Directory Domain object must be configured\nwith proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the Domain object are not at least as inclusive as\nthose below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\nModify owner)\"\n desc 'fix', \"\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for Domain object to include the following:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\nModify owner.)\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93123'\n tag 'rid': 'SV-103211r1_rule'\n tag 'stig_id': 'WN19-DC-000180'\n tag 'fix_id': 'F-99369r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n distinguishedName = \"\\'#{distinguishedName}\\'\"\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:#{distinguishedName}).Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { 
should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, WriteDacl, WriteOwner\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should cmp \"ExtendedRight\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Users\" }\n its(['ActiveDirectoryRights']) { should cmp \"ExtendedRight\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"All\" 
}\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93011\" do\n title \"Windows Server 2019 Deny log on as a batch job user right on\ndomain-joined member servers must be configured to prevent access from highly\nprivileged domain accounts and from unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on as a batch job\\\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nas a batch job\\\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \\\"SeDenyBatchLogonRight\\\"\nuser right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n All Systems:\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non as a batch job\\\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93011'\n tag 'rid': 'SV-103099r1_rule'\n tag 'stig_id': 'WN19-MS-000090'\n tag 'fix_id': 'F-99257r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '2'\n describe security_policy 
do\n its('SeDenyBatchLogonRight') { should eq ['S-1-5-32-546'] }\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include 'S-1-5-32-546' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93123.rb", + "ref": "./Windows 2019 STIG/controls/V-93011.rb", "line": 3 }, - "id": "V-93123" + "id": "V-93011" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.", "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name MSPUB.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for MSPUB.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name chrome.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for chrome.exe:\n\n DEP:\n Enable: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93345", - "rid": "SV-103433r1_rule", - "stig_id": "WN19-EP-000180", - "fix_id": "F-99591r1_fix", + "gid": "V-93325", + "rid": "SV-103413r1_rule", + "stig_id": "WN19-EP-000080", + "fix_id": "F-99571r1_fix", "cci": [ "CCI-000366" ], 
@@ -1850,159 +1840,126 @@ "Rev_4" ] }, - "code": "control \"V-93345\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name MSPUB.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for MSPUB.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit 
Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93345\"\n tag rid: \"SV-103433r1_rule\"\n tag stig_id: \"WN19-EP-000180\"\n tag fix_id: \"F-99591r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n mspub = json({ command: \"Get-ProcessMitigation -Name MSPUB.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif mspub.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for MSPUB.EXE\" do\n subject { mspub }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93325\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name chrome.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for chrome.exe:\n\n DEP:\n Enable: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93325\"\n tag rid: \"SV-103413r1_rule\"\n tag stig_id: \"WN19-EP-000080\"\n tag fix_id: \"F-99571r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n chrome = json({ command: \"Get-ProcessMitigation -Name chrome.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif chrome.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for chrome.exe\" do\n subject { chrome }\n its(['Dep','Enable']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93345.rb", + "ref": "./Windows 2019 STIG/controls/V-93325.rb", "line": 3 }, - "id": "V-93345" + "id": "V-93325" }, { - "title": "Windows Server 2019 Remote Desktop Services must require secure Remote\nProcedure Call (RPC) communications.", - "desc": "Allowing unsecure RPC communication exposes the system to\nman-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\nattack occurs when an intruder captures packets between a client and server and\nmodifies them before allowing the packets to be exchanged. Usually the attacker\nwill modify the information in the packets in an attempt to cause either the\nclient or server to reveal sensitive information.", + "title": "Windows Server 2019 Access Credential Manager as a trusted caller user\nright must not be assigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Access Credential Manager as a trusted caller\" user\nright may be able to retrieve the credentials of other accounts from Credential\nManager.", "descriptions": { - "default": "Allowing unsecure RPC communication exposes the system to\nman-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\nattack occurs when an intruder captures packets between a client and server and\nmodifies them before allowing the packets to be exchanged. 
Usually the attacker\nwill modify the information in the packets in an attempt to cause either the\nclient or server to reveal sensitive information.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Access Credential Manager as a trusted caller\" user\nright may be able to retrieve the credentials of other accounts from Credential\nManager.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal\nServices\\\n\n Value Name: fEncryptRPCTraffic\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Remote Desktop Services >>\nRemote Desktop Session Host >> Security >> \"Require secure RPC communication\"\nto \"Enabled\"." + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Access Credential Manager as a\ntrusted caller\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeTrustedCredManAccessPrivilege\" user right,\nthis is a finding.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Access Credential Manager as a trusted caller\" to be defined\nbut containing no entries (blank)." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000033-GPOS-00014", - "satisfies": [ - "SRG-OS-000033-GPOS-00014", - "SRG-OS-000250-GPOS-00093" - ], - "gid": "V-92971", - "rid": "SV-103059r1_rule", - "stig_id": "WN19-CC-000370", - "fix_id": "F-99217r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93049", + "rid": "SV-103137r1_rule", + "stig_id": "WN19-UR-000010", + "fix_id": "F-99295r1_fix", "cci": [ - "CCI-000068", - "CCI-001453" + "CCI-002235" ], "nist": [ - "AC-17 (2)", - "AC-17 (2)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-92971\" do\n title \"Windows Server 2019 Remote Desktop Services must require secure Remote\nProcedure Call (RPC) communications.\"\n desc \"Allowing unsecure RPC communication exposes the system to\nman-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\nattack occurs when an intruder captures packets between a client and server and\nmodifies them before allowing the packets to be exchanged. 
Usually the attacker\nwill modify the information in the packets in an attempt to cause either the\nclient or server to reveal sensitive information.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal\nServices\\\\\n\n Value Name: fEncryptRPCTraffic\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Remote Desktop Services >>\nRemote Desktop Session Host >> Security >> \\\"Require secure RPC communication\\\"\nto \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000033-GPOS-00014'\n tag 'satisfies': [\"SRG-OS-000033-GPOS-00014\", \"SRG-OS-000250-GPOS-00093\"]\n tag 'gid': 'V-92971'\n tag 'rid': 'SV-103059r1_rule'\n tag 'stig_id': 'WN19-CC-000370'\n tag 'fix_id': 'F-99217r1_fix'\n tag 'cci': [\"CCI-000068\", \"CCI-001453\"]\n tag 'nist': [\"AC-17 (2)\", \"AC-17 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property \"fEncryptRPCTraffic\"}\n its(\"fEncryptRPCTraffic\") { should cmp 1 }\n end\nend\n", + "code": "control \"V-93049\" do\n title \"Windows Server 2019 Access Credential Manager as a trusted caller user\nright must not be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Access Credential Manager as a trusted caller\\\" user\nright may be able to retrieve the credentials of other accounts from Credential\nManager.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local 
Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Access Credential Manager as a\ntrusted caller\\\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeTrustedCredManAccessPrivilege\\\" user right,\nthis is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Access Credential Manager as a trusted caller\\\" to be defined\nbut containing no entries (blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93049'\n tag 'rid': 'SV-103137r1_rule'\n tag 'stig_id': 'WN19-UR-000010'\n tag 'fix_id': 'F-99295r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeTrustedCredManAccessPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92971.rb", + "ref": "./Windows 2019 STIG/controls/V-93049.rb", "line": 3 }, - "id": "V-92971" + "id": "V-93049" }, { - "title": "Windows Server 2019 password history must be configured to 24 passwords remembered.", - "desc": "A system is more vulnerable to unauthorized access when 
system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is \"24\" for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.", + "title": "Windows Server 2019 minimum password length must be configured to 14 characters.", + "desc": "Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.", "descriptions": { - "default": "A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is \"24\" for Windows domain systems. 
DoD has decided this is the appropriate value for all Windows systems.", + "default": "Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \"Enforce password history\" is less than \"24\" passwords remembered, this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"PasswordHistorySize\" is less than \"24\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Enforce password history\" to \"24\" passwords remembered." + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \"Minimum password length,\" is less than \"14\" characters, this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"MinimumPasswordLength\" is less than \"14\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Minimum password length\" to \"14\" characters." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000077-GPOS-00045", - "gid": "V-93479", - "rid": "SV-103565r1_rule", - "stig_id": "WN19-AC-000040", - "fix_id": "F-99723r1_fix", + "gtitle": "SRG-OS-000078-GPOS-00046", + "gid": "V-93463", + "rid": "SV-103549r1_rule", + "stig_id": "WN19-AC-000070", + "fix_id": "F-99707r1_fix", "cci": [ - "CCI-000200" + "CCI-000205" ], "nist": [ - "IA-5 (1) (e)", + "IA-5 (1) (a)", "Rev_4" ] }, - "code": "control \"V-93479\" do\n title \"Windows Server 2019 password history must be configured to #{input('password_history_size')} passwords remembered.\"\n desc \"A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is \\\"#{input('password_history_size')}\\\" for Windows domain systems. 
#{input('org_name')[:acronym]} has decided this is the appropriate value for all Windows systems.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \\\"Enforce password history\\\" is less than \\\"#{input('password_history_size')}\\\" passwords remembered, this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"PasswordHistorySize\\\" is less than \\\"#{input('password_history_size')}\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Enforce password history\\\" to \\\"#{input('password_history_size')}\\\" passwords remembered.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000077-GPOS-00045\"\n tag gid: \"V-93479\"\n tag rid: \"SV-103565r1_rule\"\n tag stig_id: \"WN19-AC-000040\"\n tag fix_id: \"F-99723r1_fix\"\n tag cci: [\"CCI-000200\"]\n tag nist: [\"IA-5 (1) (e)\", \"Rev_4\"]\n\n describe security_policy do\n its('PasswordHistorySize') { should be >= input('password_history_size') }\n end\nend\n", + "code": "control \"V-93463\" do\n title \"Windows Server 2019 minimum password length must be configured to #{input('minimum_password_length')} characters.\"\n desc \"Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n 
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \\\"Minimum password length,\\\" is less than \\\"#{input('minimum_password_length')}\\\" characters, this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"MinimumPasswordLength\\\" is less than \\\"#{input('minimum_password_length')}\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Minimum password length\\\" to \\\"#{input('minimum_password_length')}\\\" characters.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000078-GPOS-00046\"\n tag gid: \"V-93463\"\n tag rid: \"SV-103549r1_rule\"\n tag stig_id: \"WN19-AC-000070\"\n tag fix_id: \"F-99707r1_fix\"\n tag cci: [\"CCI-000205\"]\n tag nist: [\"IA-5 (1) (a)\", \"Rev_4\"]\n\n describe security_policy do\n its('MinimumPasswordLength') { should be >= input('minimum_password_length')}\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93479.rb", + "ref": "./Windows 2019 STIG/controls/V-93463.rb", "line": 3 }, - "id": "V-93479" + "id": "V-93463" }, { - "title": "Windows Server 2019 Load and unload device drivers user right must\nonly be assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Load and unload device drivers\" user right allows a user to load\ndevice drivers dynamically on a system. 
This could be used by an attacker to\ninstall malicious code.", + "title": "Windows Server 2019 must be configured to audit logoff successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\nrecorded on the local system. If it is to a network share, it is recorded on\nthe system accessed.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Load and unload device drivers\" user right allows a user to load\ndevice drivers dynamically on a system. This could be used by an attacker to\ninstall malicious code.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\nrecorded on the local system. 
If it is to a network share, it is recorded on\nthe system accessed.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Load\nand unload device drivers\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeLoadDriverPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Load and\nunload device drivers\" to include only the following accounts or groups:\n\n - Administrators" + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logoff - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Logoff\" with \"Success\"\nselected." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93075", - "rid": "SV-103163r1_rule", - "stig_id": "WN19-UR-000150", - "fix_id": "F-99321r1_fix", - "cci": [ - "CCI-002235" + "gtitle": "SRG-OS-000472-GPOS-00217", + "satisfies": [ + "SRG-OS-000472-GPOS-00217", + "SRG-OS-000480-GPOS-00227" ], - "nist": [ - "AC-6 (10)", - "Rev_4" - ] - }, - "code": "control \"V-93075\" do\n title \"Windows Server 2019 Load and unload device drivers user right must\nonly be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Load and unload device drivers\\\" user right allows a user to load\ndevice drivers dynamically on a system. This could be used by an attacker to\ninstall malicious code.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Load\nand unload device drivers\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeLoadDriverPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Load and\nunload device drivers\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93075'\n 
tag 'rid': 'SV-103163r1_rule'\n tag 'stig_id': 'WN19-UR-000150'\n tag 'fix_id': 'F-99321r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeLoadDriverPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", - "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93075.rb", - "line": 3 - }, - "id": "V-93075" - }, - { - "title": "Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.", - "desc": "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.", - "descriptions": { - "default": "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.", - "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Open \"Command Prompt\" (not elevated).\n Run \"ldp.exe\".\n From the \"Connection menu\", select \"Bind\".\n Clear the User, Password, and Domain fields.\n Select \"Simple bind\" for the Bind type and click \"OK\".\n Confirmation of anonymous access will be displayed at the end:\n res = ldap_simple_bind_s\n Authenticated as: 'NT AUTHORITY\\ANONYMOUS LOGON'\n From the \"Browse\" menu, select \"Search\".\n In the Search dialog, enter the DN of the domain naming context (generally something like \"dc=disaost,dc=mil\") in the Base DN field.\n Clear the Attributes field and select \"Run\".\n Error messages should display related to Bind and user not authenticated.\n\n If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.\n The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access.\n Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions.\n Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.", - "fix": "Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access.\n For AD, there are multiple configuration items that could enable anonymous access.\n Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc).\n The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG." 
- }, - "impact": 0, - "refs": [], - "tags": { - "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93271", - "rid": "SV-103359r1_rule", - "stig_id": "WN19-DC-000150", - "fix_id": "F-99517r1_fix", + "gid": "V-93171", + "rid": "SV-103259r1_rule", + "stig_id": "WN19-AU-000180", + "fix_id": "F-99417r1_fix", "cci": [ + "CCI-000172", "CCI-000366" ], "nist": [ + "AU-12 c", "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93271\" do\n title \"Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.\"\n desc \"To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Open \\\"Command Prompt\\\" (not elevated).\n Run \\\"ldp.exe\\\".\n From the \\\"Connection menu\\\", select \\\"Bind\\\".\n Clear the User, Password, and Domain fields.\n Select \\\"Simple bind\\\" for the Bind type and click \\\"OK\\\".\n Confirmation of anonymous access will be displayed at the end:\n res = ldap_simple_bind_s\n Authenticated as: 'NT AUTHORITY\\\\ANONYMOUS LOGON'\n From the \\\"Browse\\\" menu, select \\\"Search\\\".\n In the Search dialog, enter the DN of the domain naming context (generally something like \\\"dc=disaost,dc=mil\\\") in the Base DN field.\n Clear the Attributes field and select \\\"Run\\\".\n Error messages should display related to Bind and user not authenticated.\n\n If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.\n The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access.\n Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions.\n Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.\"\n desc \"fix\", \"Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access.\n For AD, there are multiple configuration items that could enable anonymous access.\n Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc).\n The dsHeuristics option is used. 
This is addressed in check V-8555 in the AD Forest STIG.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93271\"\n tag rid: \"SV-103359r1_rule\"\n tag stig_id: \"WN19-DC-000150\"\n tag fix_id: \"F-99517r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 'Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.' do\n skip 'Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access is a manual control'\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93171\" do\n title \"Windows Server 2019 must be configured to audit logoff successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\nrecorded on the local system. 
If it is to a network share, it is recorded on\nthe system accessed.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logoff - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Logoff\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000472-GPOS-00217'\n tag 'satisfies': [\"SRG-OS-000472-GPOS-00217\", \"SRG-OS-000480-GPOS-00227\"]\n tag 'gid': 'V-93171'\n tag 'rid': 'SV-103259r1_rule'\n tag 'stig_id': 'WN19-AU-000180'\n tag 'fix_id': 'F-99417r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-000366\"]\n tag 'nist': [\"AU-12 c\", \"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Logoff') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logoff') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93271.rb", + "ref": "./Windows 2019 STIG/controls/V-93171.rb", "line": 3 }, - "id": "V-93271" + "id": "V-93171" }, { - "title": "Windows Server 2019 must be configured to audit Policy Change - Audit\nPolicy Change successes.", + "title": "Windows Server 2019 must be configured to audit Policy Change - Audit\nPolicy Change failures.", "desc": 
"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", "descriptions": { "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \"Audit Audit Policy Change\" with\n\"Success\" selected." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \"Audit Audit Policy Change\" with\n\"Failure\" selected." }, "impact": 0.5, "refs": [], @@ -2015,10 +1972,10 @@ "SRG-OS-000463-GPOS-00207", "SRG-OS-000468-GPOS-00212" ], - "gid": "V-93093", - "rid": "SV-103181r1_rule", - "stig_id": "WN19-AU-000260", - "fix_id": "F-99339r1_fix", + "gid": "V-93095", + "rid": "SV-103183r1_rule", + "stig_id": "WN19-AU-000270", + "fix_id": "F-99341r1_fix", "cci": [ "CCI-000172", "CCI-002234" 
@@ -2029,64 +1986,70 @@ "Rev_4" ] }, - "code": "control \"V-93093\" do\n title \"Windows Server 2019 must be configured to audit Policy Change - Audit\nPolicy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \\\"Audit Audit Policy Change\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93093'\n tag 'rid': 'SV-103181r1_rule'\n tag 'stig_id': 
'WN19-AU-000260'\n tag 'fix_id': 'F-99339r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93095\" do\n title \"Windows Server 2019 must be configured to audit Policy Change - Audit\nPolicy Change failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \\\"Audit Audit Policy Change\\\" 
with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93095'\n tag 'rid': 'SV-103183r1_rule'\n tag 'stig_id': 'WN19-AU-000270'\n tag 'fix_id': 'F-99341r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93093.rb", + "ref": "./Windows 2019 STIG/controls/V-93095.rb", "line": 3 }, - "id": "V-93093" + "id": "V-93095" }, { - "title": "Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.", - "desc": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", + "title": "Windows Server 2019 Event Viewer must be protected from unauthorized\nmodification and deletion.", + "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools\nand the corresponding rights the user enjoys in order to make access decisions\nregarding the modification or deletion of audit tools.", "descriptions": { - "default": "Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.", + "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools\nand the corresponding rights the user enjoys in order to make access decisions\nregarding the modification or deletion of audit tools.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \"Allow Basic authentication\" to \"Disabled\"." + "check": "Navigate to \"%SystemRoot%\\System32\".\n\n View the permissions on \"Eventvwr.exe\".\n\n If any groups or accounts other than TrustedInstaller have \"Full control\"\nor \"Modify\" permissions, this is a finding.\n\n The default permissions below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\nAPPLICATION PACKAGES - Read & Execute", + "fix": "Configure the permissions on the \"Eventvwr.exe\" file to prevent\nmodification by any groups or accounts other than TrustedInstaller. The default\npermissions listed below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\nAPPLICATION PACKAGES - Read & Execute\n\n The default location is the \"%SystemRoot%\\System32\" folder." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000125-GPOS-00065", - "gid": "V-93507", - "rid": "SV-103593r1_rule", - "stig_id": "WN19-CC-000500", - "fix_id": "F-99751r1_fix", + "gtitle": "SRG-OS-000257-GPOS-00098", + "satisfies": [ + "SRG-OS-000257-GPOS-00098", + "SRG-OS-000258-GPOS-00099" + ], + "gid": "V-93195", + "rid": "SV-103283r1_rule", + "stig_id": "WN19-AU-000060", + "fix_id": "F-99441r1_fix", "cci": [ - "CCI-000877" + "CCI-001494", + "CCI-001495" ], "nist": [ - "MA-4 c", + "AU-9", + "AU-9", "Rev_4" ] }, - "code": "control \"V-93507\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.\"\n desc \"Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \\\"Allow Basic authentication\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000125-GPOS-00065\"\n tag gid: \"V-93507\"\n tag rid: \"SV-103593r1_rule\"\n tag stig_id: \"WN19-CC-000500\"\n tag fix_id: \"F-99751r1_fix\"\n tag cci: [\"CCI-000877\"]\n tag nist: [\"MA-4 c\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp == 0 }\n end\nend", + "code": "control \"V-93195\" do\n title \"Windows Server 2019 
Event Viewer must be protected from unauthorized\nmodification and deletion.\"\n desc \"Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools\nand the corresponding rights the user enjoys in order to make access decisions\nregarding the modification or deletion of audit tools.\"\n desc \"rationale\", \"\"\n desc 'check', \"Navigate to \\\"%SystemRoot%\\\\System32\\\".\n\n View the permissions on \\\"Eventvwr.exe\\\".\n\n If any groups or accounts other than TrustedInstaller have \\\"Full control\\\"\nor \\\"Modify\\\" permissions, this is a finding.\n\n The default permissions below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\nAPPLICATION PACKAGES - Read & Execute\"\n desc 'fix', \"Configure the permissions on the \\\"Eventvwr.exe\\\" file to prevent\nmodification by any groups or accounts other than TrustedInstaller. 
The default\npermissions listed below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\nAPPLICATION PACKAGES - Read & Execute\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\" folder.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000257-GPOS-00098'\n tag 'satisfies': [\"SRG-OS-000257-GPOS-00098\", \"SRG-OS-000258-GPOS-00099\"]\n tag 'gid': 'V-93195'\n tag 'rid': 'SV-103283r1_rule'\n tag 'stig_id': 'WN19-AU-000060'\n tag 'fix_id': 'F-99441r1_fix'\n tag 'cci': [\"CCI-001494\", \"CCI-001495\"]\n tag 'nist': [\"AU-9\", \"AU-9\", \"Rev_4\"]\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n\n systemroot = system_root.strip\n\n eventvwr = <<-EOH\n $output = (Get-Acl -Path #{systemroot}\\\\SYSTEM32\\\\Eventvwr.exe).AccessToString\n write-output $output\n EOH\n\n # raw powershell output\n raw_eventvwr = powershell(eventvwr).stdout.strip\n\n # clean results cleans up the extra line breaks\n clean_eventvwr = raw_eventvwr.lines.collect(&:strip)\n\n describe 'Verify the default registry permissions for the keys note below of the C:\\Windows\\System32\\Eventvwr.exe' do\n subject { clean_eventvwr }\n it { should cmp input('eventvwr_perms') }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93507.rb", + "ref": "./Windows 2019 STIG/controls/V-93195.rb", "line": 3 }, - "id": "V-93507" + "id": "V-93195" }, { - "title": "Windows Server 2019 Access this computer from the network user right\nmust only be assigned to the Administrators and Authenticated Users groups on\ndomain-joined member servers and standalone systems.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Access this computer from the network\" user right may\naccess resources on the 
system, and this right must be limited to those\nrequiring it.", + "title": "Windows Server 2019 Deny log on as a service user right on\ndomain-joined member servers must be configured to prevent access from highly\nprivileged domain accounts. No other groups or accounts must be assigned this\nright.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a service\" user right defines accounts that are\ndenied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Access this computer from the network\" user right may\naccess resources on the system, and this right must be limited to those\nrequiring it.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a service\" user right defines accounts that are\ndenied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.", "rationale": "", - "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Access\nthis computer from the network\" user right, this is a finding:\n\n - Administrators\n - Authenticated Users\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeNetworkLogonRight\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n S-1-5-11 (Authenticated Users)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Access\nthis computer from the network\" to include only the following accounts or\ngroups:\n\n - Administrators\n - Authenticated Users" + "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nas a service\" user right on domain-joined systems, this is a finding:\n\n - Enterprise Admins Group\n - Domain Admins Group\n\n If any accounts or groups are defined for the \"Deny log on as a service\"\nuser right on non-domain-joined systems, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \"SeDenyServiceLogonRight\"\nuser right on domain-joined systems, this is a finding:\n\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n If any SIDs are defined for the user right on non-domain-joined systems,\nthis is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non as a service\" to include the following:\n\n Domain systems:\n - Enterprise Admins Group\n - Domain Admins Group" }, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93007", - "rid": "SV-103095r1_rule", - "stig_id": "WN19-MS-000070", - "fix_id": "F-99253r1_fix", + "gid": "V-93013", + "rid": "SV-103101r1_rule", + "stig_id": "WN19-MS-000100", + "fix_id": "F-99259r1_fix", "cci": [ "CCI-000213" ], 
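Review bot: In the new V-93195 `code` string the `describe` title reads "Verify the default registry permissions for the keys note below of the C:\Windows\System32\Eventvwr.exe" although the test reads the file ACL of `Eventvwr.exe` under a SystemRoot resolved at runtime, so the report label names the wrong object and a hard-coded path; `describe "Verify the file permissions on #{systemroot}\\System32\\Eventvwr.exe" do` would describe what is actually checked. The SystemRoot itself is recovered by slicing `Findstr SystemRoot` output at a fixed offset (`get_system_root[11..get_system_root.length]`), which presumably breaks if the variable listing changes width; reading `$env:SystemRoot` directly inside the PowerShell heredoc would avoid the parse. The same control's `nist` tag lists `"AU-9"` twice on the new side (both in `tags` and in `code`), and its check compares against `input('eventvwr_perms')`, so the profile must declare that input or the control will error at run time rather than fail.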
@@ -2095,97 +2058,97 @@ "Rev_4" ] }, - "code": "control \"V-93007\" do\n title \"Windows Server 2019 Access this computer from the network user right\nmust only be assigned to the Administrators and Authenticated Users groups on\ndomain-joined member servers and standalone systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Access this computer from the network\\\" user right may\naccess resources on the system, and this right must be limited to those\nrequiring it.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Access\nthis computer from the network\\\" user right, this is a finding:\n\n - Administrators\n - Authenticated Users\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeNetworkLogonRight\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n S-1-5-11 (Authenticated Users)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"\n Configure the policy value for Computer Configuration >> Windows Settings\n>> Security 
Settings >> Local Policies >> User Rights Assignment >> \\\"Access\nthis computer from the network\\\" to include only the following accounts or\ngroups:\n\n - Administrators\n - Authenticated Users\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93007'\n tag 'rid': 'SV-103095r1_rule'\n tag 'stig_id': 'WN19-MS-000070'\n tag 'fix_id': 'F-99253r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers'\n end\n else\n describe security_policy do\n its('SeNetworkLogonRight') { should eq ['S-1-5-11', 'S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control \"V-93013\" do\n title \"Windows Server 2019 Deny log on as a service user right on\ndomain-joined member servers must be configured to prevent access from highly\nprivileged domain accounts. 
No other groups or accounts must be assigned this\nright.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on as a service\\\" user right defines accounts that are\ndenied logon as a service.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nas a service\\\" user right on domain-joined systems, this is a finding:\n\n - Enterprise Admins Group\n - Domain Admins Group\n\n If any accounts or groups are defined for the \\\"Deny log on as a service\\\"\nuser right on non-domain-joined systems, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \\\"SeDenyServiceLogonRight\\\"\nuser right on domain-joined systems, this is a finding:\n\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n If any SIDs are defined for the user right on non-domain-joined systems,\nthis is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local 
Policies >> User Rights Assignment >> \\\"Deny log\non as a service\\\" to include the following:\n\n Domain systems:\n - Enterprise Admins Group\n - Domain Admins Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93013'\n tag 'rid': 'SV-103101r1_rule'\n tag 'stig_id': 'WN19-MS-000100'\n tag 'fix_id': 'F-99259r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyServiceLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyServiceLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n when '2'\n describe security_policy do\n its('SeDenyServiceLogonRight') { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93007.rb", + "ref": "./Windows 2019 STIG/controls/V-93013.rb", "line": 3 }, - "id": "V-93007" + "id": "V-93013" }, { - "title": "Windows Server 2019 UIAccess applications must not be 
allowed to prompt for elevation without using the secure desktop.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.", + "title": "Windows Server 2019 Autoplay must be turned off for non-volume devices.", + "desc": "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.", + "default": "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. 
This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.", "rationale": "", - "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableUIADesktopToggle\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop\" to \"Disabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoAutoplayfornonVolume\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Disallow Autoplay for non-volume devices\" to \"Enabled\"." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-93521", - "rid": "SV-103607r1_rule", - "stig_id": "WN19-SO-000390", - "fix_id": "F-99765r1_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-93373", + "rid": "SV-103459r1_rule", + "stig_id": "WN19-CC-000210", + "fix_id": "F-99617r1_fix", "cci": [ - "CCI-001084" + "CCI-001764" ], "nist": [ - "SC-3", + "CM-7 (2)", "Rev_4" ] }, - "code": "control \"V-93521\" do\n title \"Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableUIADesktopToggle\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93521\"\n tag rid: \"SV-103607r1_rule\"\n tag stig_id: \"WN19-SO-000390\"\n tag fix_id: \"F-99765r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n 
os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableUIADesktopToggle' }\n its('EnableUIADesktopToggle') { should cmp == 0 }\n end\n end\nend", + "code": "control \"V-93373\" do\n title \"Windows Server 2019 Autoplay must be turned off for non-volume devices.\"\n desc \"Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoAutoplayfornonVolume\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Disallow Autoplay for non-volume devices\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000368-GPOS-00154\"\n tag gid: \"V-93373\"\n tag rid: \"SV-103459r1_rule\"\n tag stig_id: \"WN19-CC-000210\"\n tag fix_id: \"F-99617r1_fix\"\n tag cci: [\"CCI-001764\"]\n tag nist: [\"CM-7 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer') do\n it { should have_property 'NoAutoplayfornonVolume' }\n 
its('NoAutoplayfornonVolume') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93521.rb", + "ref": "./Windows 2019 STIG/controls/V-93373.rb", "line": 3 }, - "id": "V-93521" + "id": "V-93373" }, { - "title": "Windows Server 2019 must have the roles and features required by the system documented.", - "desc": "Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation.", + "title": "Windows Server 2019 local volumes must use a format that supports NTFS\nattributes.", + "desc": "The ability to set access permissions and auditing is critical to\nmaintaining the security and proper access controls of a system. To support\nthis, volumes must be formatted using a file system that supports NTFS\nattributes.", "descriptions": { - "default": "Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation.", + "default": "The ability to set access permissions and auditing is critical to\nmaintaining the security and proper access controls of a system. 
To support\nthis, volumes must be formatted using a file system that supports NTFS\nattributes.", "rationale": "", - "check": "Required roles and features will vary based on the function of the individual system.\n\n Roles and features specifically required to be disabled per the STIG are identified in separate requirements.\n If the organization has not documented the roles and features required for the system(s), this is a finding.\n The PowerShell command \"Get-WindowsFeature\" will list all roles and features with an \"Install State\".", - "fix": "Document the roles and features required for the system to operate. Uninstall any that are not required." + "check": "Open \"Computer Management\".\n\n Select \"Disk Management\" under \"Storage\".\n\n For each local volume, if the file system does not indicate \"NTFS\", this\nis a finding.\n\n \"ReFS\" (resilient file system) is also acceptable and would not be a\nfinding.\n\n This does not apply to system partitions such the Recovery and EFI System\nPartition.", + "fix": "Format volumes to use NTFS or ReFS." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93381", - "rid": "SV-103467r1_rule", - "stig_id": "WN19-00-000270", - "fix_id": "F-99625r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-92991", + "rid": "SV-103079r1_rule", + "stig_id": "WN19-00-000130", + "fix_id": "F-99237r1_fix", "cci": [ - "CCI-000381" + "CCI-000213" ], "nist": [ - "CM-7 a", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93381\" do\n title \"Windows Server 2019 must have the roles and features required by the system documented.\"\n desc \"Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. 
The standard installation option (previously called Server Core) further reduces this when selected at installation.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Required roles and features will vary based on the function of the individual system.\n\n Roles and features specifically required to be disabled per the STIG are identified in separate requirements.\n If the organization has not documented the roles and features required for the system(s), this is a finding.\n The PowerShell command \\\"Get-WindowsFeature\\\" will list all roles and features with an \\\"Install State\\\".\"\n desc \"fix\", \"Document the roles and features required for the system to operate. Uninstall any that are not required.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93381\"\n tag rid: \"SV-103467r1_rule\"\n tag stig_id: \"WN19-00-000270\"\n tag fix_id: \"F-99625r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe 'A manual review is required to verify that the roles and features required by the system are documented' do\n skip 'A manual review is required to verify that the roles and features required by the system are documented'\n end\nend", + "code": "control \"V-92991\" do\n title \"Windows Server 2019 local volumes must use a format that supports NTFS\nattributes.\"\n desc \"The ability to set access permissions and auditing is critical to\nmaintaining the security and proper access controls of a system. 
To support\nthis, volumes must be formatted using a file system that supports NTFS\nattributes.\"\n desc \"rationale\", \"\"\n desc 'check', \"Open \\\"Computer Management\\\".\n\n Select \\\"Disk Management\\\" under \\\"Storage\\\".\n\n For each local volume, if the file system does not indicate \\\"NTFS\\\", this\nis a finding.\n\n \\\"ReFS\\\" (resilient file system) is also acceptable and would not be a\nfinding.\n\n This does not apply to system partitions such the Recovery and EFI System\nPartition.\"\n desc 'fix', \"Format volumes to use NTFS or ReFS.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92991'\n tag 'rid': 'SV-103079r1_rule'\n tag 'stig_id': 'WN19-00-000130'\n tag 'fix_id': 'F-99237r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n get_volumes = command(\"wmic logicaldisk where DriveType=3 get FileSystem | findstr /r /v '^$' |Findstr /v 'FileSystem'\").stdout.strip.split(\"\\r\\n\")\n\n get_volumes.each do |volume|\n volumes = volume.strip\n describe.one do\n describe 'The format local volumes' do\n subject { volumes }\n it { should eq 'NTFS' }\n end\n describe 'The format local volumes' do\n subject { volumes }\n it { should eq 'ReFS' }\n end\n end\n end\n if get_volumes.empty?\n impact 0.0\n describe 'There are no local volumes' do\n skip 'This control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93381.rb", + "ref": "./Windows 2019 STIG/controls/V-92991.rb", "line": 3 }, - "id": "V-93381" + "id": "V-92991" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 hardened Universal Naming Convention (UNC) paths\n must be defined to require mutual authentication and integrity for at least the\n \\\\*\\SYSVOL and \\\\*\\NETLOGON shares.", + "desc": "Additional security requirements are applied to UNC paths specified in\n hardened UNC paths before allowing access to them. This aids in preventing\n tampering with or spoofing of connections to these paths.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Additional security requirements are applied to UNC paths specified in\n hardened UNC paths before allowing access to them. This aids in preventing\n tampering with or spoofing of connections to these paths.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name GROOVE.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - 
"fix": "Ensure the following mitigations are turned \"ON\" for GROOVE.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "This requirement is applicable to domain-joined systems. 
For standalone\n systems, this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths\\\n\n Value Name: \\\\*\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.", + "fix": "Configure the policy value for Computer Configuration >> Administrative\n Templates >> Network >> Network Provider >> \"Hardened UNC Paths\" to\n \"Enabled\" with at least the following configured in \"Hardened UNC Paths\"\n (click the \"Show\" button to display):\n\n Value Name: \\\\*\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93333", - "rid": "SV-103421r1_rule", - "stig_id": "WN19-EP-000120", - "fix_id": "F-99579r1_fix", + "gid": "V-93241", + "rid": "SV-103329r1_rule", + "stig_id": "WN19-CC-000080", + "fix_id": "F-99487r1_fix", "cci": [ "CCI-000366" ], 
@@ -2194,377 +2157,385 @@ "Rev_4" ] }, - "code": "control \"V-93333\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name GROOVE.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for GROOVE.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting 
Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93333\"\n tag rid: \"SV-103421r1_rule\"\n tag stig_id: \"WN19-EP-000120\"\n tag fix_id: \"F-99579r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n groove = json({ command: \"Get-ProcessMitigation -Name GROOVE.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif groove.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for GROOVE.EXE\" do\n subject { groove }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n its(['ChildProcess','DisallowChildProcessCreation']) { should eq 1 }\n end\n end\nend", + "code": "control 'V-93241' do\n title \"Windows Server 2019 hardened Universal Naming Convention (UNC) paths\n must be defined to require mutual authentication and integrity for at least the\n \\\\\\\\*\\\\SYSVOL and \\\\\\\\*\\\\NETLOGON shares.\"\n desc \"Additional security requirements are applied to UNC paths specified in\n hardened UNC paths before allowing access to them. This aids in preventing\n tampering with or spoofing of connections to these paths.\"\n desc 'rationale', ''\n desc 'check', \"This requirement is applicable to domain-joined systems. 
For standalone\n systems, this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\NetworkProvider\\\\HardenedPaths\\\\\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\n Templates >> Network >> Network Provider >> \\\"Hardened UNC Paths\\\" to\n \\\"Enabled\\\" with at least the following configured in \\\"Hardened UNC Paths\\\"\n (click the \\\"Show\\\" button to display):\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93241'\n tag 'rid': 'SV-103329r1_rule'\n tag 'stig_id': 'WN19-CC-000080'\n tag 'fix_id': 'F-99487r1_fix'\n tag 'cci': ['CCI-000366']\n tag 'nist': ['CM-6 b', 'Rev_4']\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths') do\n it { should have_property '\\\\\\\\*\\\\SYSVOL' }\n its('\\\\\\\\*\\\\SYSVOL') { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1' }\n end\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths') do\n it { should have_property '\\\\\\\\*\\\\NETLOGON' }\n its('\\\\\\\\*\\\\NETLOGON') { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93333.rb", + "ref": "./Windows 2019 STIG/controls/V-93241.rb", "line": 3 }, - "id": "V-93333" + "id": "V-93241" }, { - "title": "Windows Server 2019 Back up files and directories user right must only\nbe assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Back up files and directories\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata.", + "title": "Windows Server 2019 File Explorer shell protocol must run in protected\nmode.", + "desc": "The shell protocol will limit the set of folders that applications can\nopen when run in protected mode. Restricting files an application can open to a\nlimited set of folders increases the security of Windows.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Back up files and directories\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata.", + "default": "The shell protocol will limit the set of folders that applications can\nopen when run in protected mode. 
Restricting files an application can open to a\nlimited set of folders increases the security of Windows.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Back\nup files and directories\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \"SeBackupPrivilege\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Back up\nfiles and directories\" to include only the following accounts or groups:\n\n - Administrators" + "check": "The default behavior is for shell protected mode to be turned on for File\nExplorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: 
REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for shell protected mode to be turned on for File\nExplorer.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> File\nExplorer >> \"Turn off shell protocol protected mode\" to \"Not Configured\" or\n\"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93053", - "rid": "SV-103141r1_rule", - "stig_id": "WN19-UR-000040", - "fix_id": "F-99299r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93263", + "rid": "SV-103351r1_rule", + "stig_id": "WN19-CC-000330", + "fix_id": "F-99509r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93053\" do\n title \"Windows Server 2019 Back up files and directories user right must only\nbe assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Back up files and directories\\\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Back\nup files and directories\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \\\"SeBackupPrivilege\\\"\nuser 
right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Back up\nfiles and directories\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93053'\n tag 'rid': 'SV-103141r1_rule'\n tag 'stig_id': 'WN19-UR-000040'\n tag 'fix_id': 'F-99299r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeBackupPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control \"V-93263\" do\n title \"Windows Server 2019 File Explorer shell protocol must run in protected\nmode.\"\n desc \"The shell protocol will limit the set of folders that applications can\nopen when run in protected mode. 
Restricting files an application can open to a\nlimited set of folders increases the security of Windows.\"\n desc \"rationale\", \"\"\n desc 'check', \"The default behavior is for shell protected mode to be turned on for File\nExplorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc 'fix', \"The default behavior is for shell protected mode to be turned on for File\nExplorer.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> File\nExplorer >> \\\"Turn off shell protocol protected mode\\\" to \\\"Not Configured\\\" or\n\\\"Disabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93263'\n tag 'rid': 'SV-103351r1_rule'\n tag 'stig_id': 'WN19-CC-000330'\n tag 'fix_id': 'F-99509r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should_not have_property 'PreXPSP2ShellProtocolBehavior' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should have_property 'PreXPSP2ShellProtocolBehavior' }\n its('PreXPSP2ShellProtocolBehavior') { should_not be 1 }\n its('PreXPSP2ShellProtocolBehavior') { should cmp 0 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93053.rb", + "ref": "./Windows 2019 
STIG/controls/V-93263.rb", "line": 3 }, - "id": "V-93053" + "id": "V-93263" }, { - "title": "Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.", - "desc": "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\\System32 folders, to run with elevated privileges.", + "title": "Windows Server 2019 must be configured to audit Account Management -\nComputer Account Management successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling computer accounts.", "descriptions": { - "default": "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\\System32 folders, to run with elevated privileges.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling computer accounts.", "rationale": "", - "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Only elevate UIAccess applications that are installed in secure locations\" to \"Enabled\"." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Computer Account Management - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit Computer Account\nManagement\" with \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-93527", - "rid": "SV-103613r1_rule", - "stig_id": "WN19-SO-000430", - "fix_id": "F-99771r1_fix", + "gtitle": "SRG-OS-000004-GPOS-00004", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-92985", + "rid": "SV-103073r1_rule", + "stig_id": "WN19-DC-000230", + "fix_id": "F-99231r1_fix", "cci": [ - "CCI-001084" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ - "SC-3", + "AC-2 (4)", + "AU-12 c", + "AC-2 (4)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2(4)", "Rev_4" ] }, - "code": "control \"V-93527\" do\n title \"Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.\"\n desc \"UAC is a security mechanism for limiting the elevation of privileges, 
including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\\\\System32 folders, to run with elevated privileges.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableSecureUIAPaths\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Only elevate UIAccess applications that are installed in secure locations\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93527\"\n tag rid: \"SV-103613r1_rule\"\n tag stig_id: \"WN19-SO-000430\"\n tag fix_id: \"F-99771r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableSecureUIAPaths' }\n its('EnableSecureUIAPaths') { should cmp == 1 }\n end\n end\nend", + "code": "control 'V-92989' do\n title \"Windows Server 2019 must be configured to audit Account Management -\nComputer Account Management 
successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling computer accounts.\"\n desc 'rationale', ''\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Computer Account Management - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit Computer Account\nManagement\\\" with \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000004-GPOS-00004'\n tag 'satisfies': %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089\nSRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091\nSRG-OS-000303-GPOS-00120 SRG-OS-000476-GPOS-00221)\n tag 'gid': 'V-92985'\n tag 'rid': 'SV-103073r1_rule'\n tag 
'stig_id': 'WN19-DC-000230'\n tag 'fix_id': 'F-99231r1_fix'\n tag 'cci': %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404\nCCI-001405 CCI-002130)\n tag 'nist': ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', \"AC-2(4)\", 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.5\n describe.one do\n describe audit_policy do\n its('Computer Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Computer Account Management') { should eq 'Success and Failure' }\n end\n end\n when '2', '3'\n impact 0.0\n describe 'This applies to domain controllers. It is NA for other systems.' do\n skip 'This applies to domain controllers. It is NA for other systems.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93527.rb", - "line": 3 + "ref": "./Windows 2019 STIG/controls/V-92989.rb", + "line": 2 }, - "id": "V-93527" + "id": "V-92989" }, { - "title": "Windows Server 2019 accounts must require passwords.", - "desc": "The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. 
Accounts on a system must require passwords.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Review the password required status for enabled user accounts.\n Open \"PowerShell\".\n\n Domain Controllers:\n Enter \"Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled\".\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs).\n If \"Passwordnotrequired\" is \"True\" or blank for any enabled user account, this is a finding.\n\n Member servers and standalone systems:\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \"PasswordRequired=False and LocalAccount=True\" | FT Name, PasswordRequired, Disabled, LocalAccount'.\n Exclude disabled accounts (e.g., DefaultAccount, Guest).\n If any enabled user accounts are returned with a \"PasswordRequired\" status of \"False\", this is a finding.", - "fix": "Configure all enabled accounts to require passwords.\n The password required flag can be set by entering the following on a command line: \"Net user [username] /passwordreq:yes\", substituting [username] with the name of the user account." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name WINWORD.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for WINWORD.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000104-GPOS-00051", - "gid": "V-93439", - "rid": "SV-103525r2_rule", - "stig_id": "WN19-00-000200", - "fix_id": "F-99683r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93363", + "rid": "SV-103451r1_rule", + "stig_id": "WN19-EP-000270", + "fix_id": "F-99609r1_fix", "cci": [ - "CCI-000764" + "CCI-000366" ], "nist": [ - "IA-2", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93439\" do\n title \"Windows Server 2019 accounts must require passwords.\"\n desc \"The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Review the password required status for enabled user accounts.\n Open \\\"PowerShell\\\".\n\n Domain Controllers:\n Enter \\\"Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled\\\".\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs).\n If \\\"Passwordnotrequired\\\" is \\\"True\\\" or blank for any enabled user account, this is a finding.\n\n Member servers and standalone systems:\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \\\"PasswordRequired=False and LocalAccount=True\\\" | FT Name, PasswordRequired, Disabled, LocalAccount'.\n Exclude disabled accounts (e.g., DefaultAccount, Guest).\n If any enabled user accounts are returned with a \\\"PasswordRequired\\\" status of \\\"False\\\", this is a finding.\"\n desc \"fix\", \"Configure all enabled accounts to require passwords.\n The password required flag can be set by entering the following on a command line: \\\"Net user [username] /passwordreq:yes\\\", substituting [username] with the name of the user account.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 
\"SRG-OS-000104-GPOS-00051\"\n tag gid: \"V-93439\"\n tag rid: \"SV-103525r2_rule\"\n tag stig_id: \"WN19-00-000200\"\n tag fix_id: \"F-99683r1_fix\"\n tag cci: [\"CCI-000764\"]\n tag nist: [\"IA-2\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n ad_accounts = json({ command: \"Get-ADUser -Filter \\\"(Enabled -eq $true) -And (PasswordNotRequired -eq $true)\\\" | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n describe 'AD Accounts' do\n it 'AD should not have any Accounts that have Password Not Required' do\n failure_message = \"Users that have Password Not Required: #{ad_accounts}\"\n expect(ad_accounts).to be_empty, failure_message\n end\n end\n else\n local_accounts = json({ command: \"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordRequired=False and LocalAccount=True and Disabled=False' | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n describe \"Account or Accounts exists\" do\n it 'Server should not have Accounts with No Password Set' do\n failure_message = \"User or Users that have no Password Set: #{local_accounts}\" \n expect(local_accounts).to be_empty, failure_message\n end\n end\n end\nend", + "code": "control \"V-93363\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name WINWORD.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for WINWORD.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93363\"\n tag rid: \"SV-103451r1_rule\"\n tag stig_id: \"WN19-EP-000270\"\n tag fix_id: \"F-99609r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n winword = json({ command: \"Get-ProcessMitigation -Name WINWORD.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif winword.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for WINWORD.EXE\" do\n subject { winword }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93439.rb", + "ref": "./Windows 2019 STIG/controls/V-93363.rb", "line": 3 }, - "id": "V-93439" + "id": "V-93363" }, { - "title": "Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting requires Windows to respond to application installation requests by prompting for credentials.", + "title": "The Windows Server 2019 time service must synchronize with an\n appropriate DoD time source.", + "desc": "The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. If an NTP server is configured, it must synchronize\n with a secure, authorized time source.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials.", + "default": "The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. 
If an NTP server is configured, it must synchronize\n with a secure, authorized time source.", "rationale": "", - "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Detect application installations and prompt for elevation\" to \"Enabled\"." + "check": "Review the Windows time service configuration.\n\n Open an elevated \"Command Prompt\" (run as administrator).\n\n Enter \"W32tm /query /configuration\".\n\n Domain-joined systems (excluding the domain controller with the PDC\n emulator role):\n\n If the value for \"Type\" under \"NTP Client\" is not \"NT5DS\", this is a\n finding.\n\n Other systems:\n\n If systems are configured with a \"Type\" of \"NTP\", including standalone\n systems and the domain controller with the PDC Emulator role, and do not have a\n DoD time server defined for \"NTPServer\", this is a finding.\n\n To determine the domain controller with the PDC Emulator role:\n\n Open \"PowerShell\".\n\n Enter \"Get-ADDomain | FT PDCEmulator\".", + "fix": "Configure the system to synchronize time with an appropriate DoD time\n source.\n\n Domain-joined systems use NT5DS to synchronize time from other systems in\n the domain by default.\n\n If the system needs to be configured to an NTP server, configure the system\n to point to an authorized time server by setting the policy value for Computer\n Configuration >> Administrative Templates >> System >> Windows 
Time Service >>\n Time Providers >> \"Configure Windows NTP Client\" to \"Enabled\", and\n configure the \"NtpServer\" field to point to an appropriate DoD time server.\n\n The US Naval Observatory operates stratum 1 time servers, identified at\n http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a\n hierarchy of time servers down to the local level. Clients and lower-level\n servers will synchronize with an authorized time server in the hierarchy." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-93525", - "rid": "SV-103611r1_rule", - "stig_id": "WN19-SO-000420", - "fix_id": "F-99769r1_fix", + "gtitle": "SRG-OS-000355-GPOS-00143", + "gid": "V-93187", + "rid": "SV-103275r1_rule", + "stig_id": "WN19-00-000440", + "fix_id": "F-99433r1_fix", "cci": [ - "CCI-001084" + "CCI-001891" ], "nist": [ - "SC-3", + "AU-8 (1) (a)", "Rev_4" ] }, - "code": "control \"V-93525\" do\n title \"Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting requires Windows to respond to application installation requests by prompting for credentials.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Detect application installations and prompt for elevation\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93525\"\n tag rid: \"SV-103611r1_rule\"\n tag stig_id: \"WN19-SO-000420\"\n tag fix_id: \"F-99769r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableInstallerDetection' }\n its('EnableInstallerDetection') { should cmp == 1 }\n end\n end\nend", + "code": "control 'V-93187' do\n title \"The Windows Server 2019 time service must synchronize with an\n appropriate #{input('org_name')[:acronym]} time source.\"\n desc \"The Windows Time Service controls time synchronization settings. 
Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. If an NTP server is configured, it must synchronize\n with a secure, authorized time source.\"\n desc 'rationale', ''\n desc 'check', \"Review the Windows time service configuration.\n\n Open an elevated \\\"Command Prompt\\\" (run as administrator).\n\n Enter \\\"W32tm /query /configuration\\\".\n\n Domain-joined systems (excluding the domain controller with the PDC\n emulator role):\n\n If the value for \\\"Type\\\" under \\\"NTP Client\\\" is not \\\"NT5DS\\\", this is a\n finding.\n\n Other systems:\n\n If systems are configured with a \\\"Type\\\" of \\\"NTP\\\", including standalone\n systems and the domain controller with the PDC Emulator role, and do not have a\n #{input('org_name')[:acronym]} time server defined for \\\"NTPServer\\\", this is a finding.\n\n To determine the domain controller with the PDC Emulator role:\n\n Open \\\"PowerShell\\\".\n\n Enter \\\"Get-ADDomain | FT PDCEmulator\\\".\"\n desc 'fix', \"Configure the system to synchronize time with an appropriate #{input('org_name')[:acronym]} time\n source.\n\n Domain-joined systems use NT5DS to synchronize time from other systems in\n the domain by default.\n\n If the system needs to be configured to an NTP server, configure the system\n to point to an authorized time server by setting the policy value for Computer\n Configuration >> Administrative Templates >> System >> Windows Time Service >>\n Time Providers >> \\\"Configure Windows NTP Client\\\" to \\\"Enabled\\\", and\n configure the \\\"NtpServer\\\" field to point to an appropriate #{input('org_name')[:acronym]} time server.\n\n The US Naval Observatory operates stratum 1 time servers, identified at\n http://tycho.usno.navy.mil/ntp.html. 
Time synchronization will occur through a\n hierarchy of time servers down to the local level. Clients and lower-level\n servers will synchronize with an authorized time server in the hierarchy.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000355-GPOS-00143'\n tag 'gid': 'V-93187'\n tag 'rid': 'SV-103275r1_rule'\n tag 'stig_id': 'WN19-00-000440'\n tag 'fix_id': 'F-99433r1_fix'\n tag 'cci': ['CCI-001891']\n tag 'nist': ['AU-8 (1) (a)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n forest_pdce = powershell('(Get-ADDomain).PDCEmulator').stdout.strip\n if forest_pdce.downcase.include? sys_info.hostname.downcase\n # forest pdc emulator should be uniquely configured.\n describe w32time_config do\n its('type') { should cmp 'NTP' }\n its('ntpserver') do\n should be_in input('ntp_servers')\n end\n end\n else\n # just a normal domain controller\n describe w32time_config do\n its('type') { should cmp 'NT5DS' }\n end\n end\n elsif domain_role == '3'\n # just a memberserver\n describe.one do\n describe w32time_config do\n its('type') { should cmp 'NT5DS' }\n end\n describe w32time_config do\n its('type') { should cmp 'ALLSYNC' }\n end\n end\n else\n # just a stand alone system\n describe w32time_config do\n its('type') { should cmp 'NTP' }\n its('ntpserver') do\n should be_in input('ntp_servers')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93525.rb", - "line": 3 + "ref": "./Windows 2019 STIG/controls/V-93187.rb", + "line": 1 }, - "id": "V-93525" + "id": "V-93187" }, { - "title": "Windows Server 2019 must be configured to audit System - System\nIntegrity successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.", + "title": "Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.", + "desc": "The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.", + "default": "The server message block (SMB) protocol provides the basis for many network operations. 
If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit System Integrity\" with \"Success\"\nselected." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft network client: Digitally sign communications (if server agrees)\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000423-GPOS-00187", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000471-GPOS-00216", - "SRG-OS-000477-GPOS-00222" + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" ], - "gid": "V-93117", - "rid": "SV-103205r1_rule", - "stig_id": "WN19-AU-000380", - "fix_id": "F-99363r1_fix", + "gid": "V-93557", + "rid": "SV-103643r1_rule", + "stig_id": "WN19-SO-000170", + "fix_id": "F-99801r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002418", + "CCI-002421" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "SC-8", + "SC-8 (1)", "Rev_4" ] }, - "code": "control \"V-93117\" do\n title \"Windows Server 2019 must be configured to audit System - System\nIntegrity successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000471-GPOS-00215\",\n\"SRG-OS-000471-GPOS-00216\", \"SRG-OS-000477-GPOS-00222\"]\n tag 'gid': 'V-93117'\n tag 'rid': 'SV-103205r1_rule'\n tag 'stig_id': 'WN19-AU-000380'\n tag 'fix_id': 'F-99363r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Success' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93557\" do\n 
title \"Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft network client: Digitally sign communications (if server agrees)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93557\"\n tag rid: \"SV-103643r1_rule\"\n tag stig_id: \"WN19-SO-000170\"\n tag fix_id: \"F-99801r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'EnableSecuritySignature' }\n its('EnableSecuritySignature') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93117.rb", + "ref": "./Windows 2019 STIG/controls/V-93557.rb", "line": 3 }, - "id": "V-93117" + "id": "V-93557" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.", - "desc": "Exploit protection provides a means of 
enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 must, at a minimum, off-load audit records of\ninterconnected systems in real time and off-load standalone systems weekly.", + "desc": "Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name PPTVIEW.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for 
PPTVIEW.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." - }, - "impact": 0, + "check": "Verify the audit records, at a minimum, are off-loaded for interconnected\nsystems in real time and off-loaded for standalone systems weekly.\n\n If they are not, this is a finding.", + "fix": "Configure the system to, at a minimum, off-load audit records\nof interconnected systems in real time and off-load standalone systems weekly." + }, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93357", - "rid": "SV-103445r1_rule", - "stig_id": "WN19-EP-000240", - "fix_id": "F-99603r1_fix", + "gtitle": "SRG-OS-000479-GPOS-00224", + "gid": "V-93185", + "rid": "SV-103273r1_rule", + "stig_id": "WN19-AU-000020", + "fix_id": "F-99431r1_fix", "cci": [ - "CCI-000366" + "CCI-001851" ], "nist": [ - "CM-6 b", + "AU-4 (1)", "Rev_4" ] }, - "code": "control \"V-93357\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name PPTVIEW.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for PPTVIEW.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93357\"\n tag rid: \"SV-103445r1_rule\"\n tag stig_id: \"WN19-EP-000240\"\n tag fix_id: \"F-99603r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n pptview = json({ command: \"Get-ProcessMitigation -Name PPTVIEW.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif pptview.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for PPTVIEW.EXE\" do\n subject { pptview }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93185\" do\n title \"Windows Server 2019 must, at a minimum, off-load audit records of\ninterconnected systems in real time and off-load standalone systems weekly.\"\n desc \"Protection of log data includes assuring the log data is not\naccidentally lost or deleted. 
Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the audit records, at a minimum, are off-loaded for interconnected\nsystems in real time and off-loaded for standalone systems weekly.\n\n If they are not, this is a finding.\"\n desc 'fix', \"Configure the system to, at a minimum, off-load audit records\nof interconnected systems in real time and off-load standalone systems weekly.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000479-GPOS-00224'\n tag 'gid': 'V-93185'\n tag 'rid': 'SV-103273r1_rule'\n tag 'stig_id': 'WN19-AU-000020'\n tag 'fix_id': 'F-99431r1_fix'\n tag 'cci': [\"CCI-001851\"]\n tag 'nist': [\"AU-4 (1)\", \"Rev_4\"]\n\n describe \"A manual review is required to verify the operating system is, at a minimum, off-loading audit records of interconnected systems in real time and off-loading standalone systems weekly\" do\n skip \"A manual review is required to verify the operating system is, at a minimum, off-loading audit records of interconnected systems in real time and off-loading standalone systems weekly\"\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93357.rb", + "ref": "./Windows 2019 STIG/controls/V-93185.rb", "line": 3 }, - "id": "V-93357" + "id": "V-93185" }, { - "title": "Windows Server 2019 domain controllers must have a PKI server certificate.", - "desc": "Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. 
Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.", + "title": "Windows Server 2019 domain controllers must run on a machine dedicated to that function.", + "desc": "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.", "descriptions": { - "default": "Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.", + "default": "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n Run \"MMC\".\n Select \"Add/Remove Snap-in\" from the \"File\" menu.\n Select \"Certificates\" in the left pane and click the \"Add >\" button.\n Select \"Computer Account\" and click \"Next\".\n Select the appropriate option for \"Select the computer you want this snap-in to manage\" and click \"Finish\".\n Click \"OK\".\n Select and expand the Certificates (Local Computer) entry in the left pane.\n Select and expand the Personal entry in the left pane.\n Select the Certificates entry in the left pane.\n If no certificate for the domain controller exists in the right pane, this is a finding.", - "fix": "Obtain a server certificate for the domain controller." + "check": "This applies to domain controllers, it is NA for other systems.\n\n Review the installed roles the domain controller is supporting.\n Start \"Server Manager\".\n Select \"AD DS\" in the left pane and the server name under \"Servers\" to the right.\n Select \"Add (or Remove) Roles and Features\" from \"Tasks\" in the \"Roles and Features\" section. (Cancel before any changes are made.)\n Determine if any additional server roles are installed. A basic domain controller setup will include the following:\n\n - Active Directory Domain Services\n - DNS Server\n - File and Storage Services\n\n If any roles not requiring installation on a domain controller are installed, this is a finding.\n A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.\n Run \"Programs and Features\".\n Review installed applications.\n If any applications are installed that are not required for the domain controller, this is a finding.", + "fix": "Remove additional roles or applications such as web, database, and email from the domain controller." 
}, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000066-GPOS-00034", - "gid": "V-93481", - "rid": "SV-103567r1_rule", - "stig_id": "WN19-DC-000280", - "fix_id": "F-99725r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93417", + "rid": "SV-103503r1_rule", + "stig_id": "WN19-DC-000130", + "fix_id": "F-99661r1_fix", "cci": [ - "CCI-000185" + "CCI-000381" ], "nist": [ - "IA-5 (2) (a)", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93481\" do\n title \"Windows Server 2019 domain controllers must have a PKI server certificate.\"\n desc \"Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n Run \\\"MMC\\\".\n Select \\\"Add/Remove Snap-in\\\" from the \\\"File\\\" menu.\n Select \\\"Certificates\\\" in the left pane and click the \\\"Add >\\\" button.\n Select \\\"Computer Account\\\" and click \\\"Next\\\".\n Select the appropriate option for \\\"Select the computer you want this snap-in to manage\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Select and expand the Certificates (Local Computer) entry in the left pane.\n Select and expand the Personal entry in the left pane.\n Select the Certificates entry in the left pane.\n If no certificate for the domain controller exists in the right pane, this is a finding.\"\n desc \"fix\", \"Obtain a server certificate for the domain controller.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag gid: \"V-93481\"\n tag rid: \"SV-103567r1_rule\"\n tag stig_id: \"WN19-DC-000280\"\n tag fix_id: \"F-99725r1_fix\"\n tag cci: [\"CCI-000185\"]\n tag nist: [\"IA-5 (2) (a)\", \"Rev_4\"]\n\n domain_role = 
command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n certs = command(\"Get-ChildItem -Path Cert:\\\\LocalMachine\\\\My | ConvertTo-JSON\").stdout\n describe 'Verify that the domain controller has a PKI server certificate.' do\n subject { certs }\n it { should_not be_empty }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93417\" do\n title \"Windows Server 2019 domain controllers must run on a machine dedicated to that function.\"\n desc \"Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers, it is NA for other systems.\n\n Review the installed roles the domain controller is supporting.\n Start \\\"Server Manager\\\".\n Select \\\"AD DS\\\" in the left pane and the server name under \\\"Servers\\\" to the right.\n Select \\\"Add (or Remove) Roles and Features\\\" from \\\"Tasks\\\" in the \\\"Roles and Features\\\" section. (Cancel before any changes are made.)\n Determine if any additional server roles are installed. 
A basic domain controller setup will include the following:\n\n - Active Directory Domain Services\n - DNS Server\n - File and Storage Services\n\n If any roles not requiring installation on a domain controller are installed, this is a finding.\n A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.\n Run \\\"Programs and Features\\\".\n Review installed applications.\n If any applications are installed that are not required for the domain controller, this is a finding.\"\n desc \"fix\", \"Remove additional roles or applications such as web, database, and email from the domain controller.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93417\"\n tag rid: \"SV-103503r1_rule\"\n tag stig_id: \"WN19-DC-000130\"\n tag fix_id: \"F-99661r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n role_list = [\n \"Active Directory Domain Services\",\n \"DNS Server\",\n \"File and Storage Services\"\n ]\n roles = json(command: \"Get-WindowsFeature | Where {($_.installstate -eq 'installed') -and ($_.featuretype -eq 'role')} | foreach { $_.DisplayName } | ConvertTo-JSON\").params\n describe \"The list of roles installed on the server\" do\n subject { roles }\n it { should be_in role_list }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93481.rb", + "ref": "./Windows 2019 STIG/controls/V-93417.rb", "line": 3 }, - "id": "V-93481" + "id": "V-93417" }, { - "title": "Windows Server 2019 must be configured to 
audit Privilege Use -\nSensitive Privilege Use failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \"Act as part of the operating system\" or \"Debug\nprograms\".", + "title": "Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.", + "desc": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \"Act as part of the operating system\" or \"Debug\nprograms\".", + "default": "Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\"\nwith \"Failure\" selected." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \"Allow Basic authentication\" to \"Disabled\"." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" - ], - "gid": "V-93103", - "rid": "SV-103191r1_rule", - "stig_id": "WN19-AU-000310", - "fix_id": "F-99349r1_fix", + "gtitle": "SRG-OS-000125-GPOS-00065", + "gid": "V-93503", + "rid": "SV-103589r1_rule", + "stig_id": "WN19-CC-000470", + "fix_id": "F-99747r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000877" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "MA-4 c", "Rev_4" ] }, - "code": "control \"V-93103\" do\n title \"Windows Server 2019 must be configured to audit Privilege Use -\nSensitive Privilege Use failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug\nprograms\\\".\"\n desc \"rationale\", \"\"\n desc 'check', \"\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the 
following:\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\"\nwith \\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000064-GPOS-00033\",\n\"SRG-OS-000462-GPOS-00206\", \"SRG-OS-000466-GPOS-00210\"]\n tag 'gid': 'V-93103'\n tag 'rid': 'SV-103191r1_rule'\n tag 'stig_id': 'WN19-AU-000310'\n tag 'fix_id': 'F-99349r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93503\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.\"\n desc \"Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \\\"Allow Basic authentication\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000125-GPOS-00065\"\n tag gid: \"V-93503\"\n tag rid: \"SV-103589r1_rule\"\n tag stig_id: \"WN19-CC-000470\"\n tag fix_id: \"F-99747r1_fix\"\n tag cci: [\"CCI-000877\"]\n tag nist: [\"MA-4 c\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93103.rb", + "ref": "./Windows 2019 STIG/controls/V-93503.rb", "line": 3 }, - "id": "V-93103" + "id": "V-93503" }, { - "title": "Windows Server 2019 must be configured to audit Logon/Logoff - Group\nMembership successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\nof a user's logon token.", + "title": "Windows Server 2019 users must be prompted to authenticate when the\nsystem wakes from sleep (on battery).", + "desc": "A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. This setting ensures users are prompted for a\npassword when the system wakes from sleep (on battery).", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\nof a user's logon token.", + "default": "A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. 
This setting ensures users are prompted for a\npassword when the system wakes from sleep (on battery).", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Group Membership - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Advanced Audit Policy Configuration >> System Audit\nPolicies >> Logon/Logoff >> \"Audit Group Membership\" with \"Success\"\nselected." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: DCSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Power Management >> Sleep Settings >>\n\"Require a password when a computer wakes (on battery)\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000470-GPOS-00214", - "gid": "V-93159", - "rid": "SV-103247r1_rule", - "stig_id": "WN19-AU-000170", - "fix_id": "F-99405r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93253", + "rid": "SV-103341r1_rule", + "stig_id": "WN19-CC-000180", + "fix_id": "F-99499r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93159\" do\n title \"Windows Server 2019 must be configured to audit Logon/Logoff - Group\nMembership successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Group Membership records information related to the group membership\nof a user's logon token.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Group Membership - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Advanced Audit Policy Configuration >> System 
Audit\nPolicies >> Logon/Logoff >> \\\"Audit Group Membership\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93159'\n tag 'rid': 'SV-103247r1_rule'\n tag 'stig_id': 'WN19-AU-000170'\n tag 'fix_id': 'F-99405r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Group Membership') { should eq 'Success' }\n end\n describe audit_policy do\n its('Group Membership') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93253\" do\n title \"Windows Server 2019 users must be prompted to authenticate when the\nsystem wakes from sleep (on battery).\"\n desc \"A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. This setting ensures users are prompted for a\npassword when the system wakes from sleep (on battery).\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: DCSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Power Management >> Sleep Settings >>\n\\\"Require a password when a computer wakes (on battery)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93253'\n tag 'rid': 'SV-103341r1_rule'\n tag 'stig_id': 'WN19-CC-000180'\n tag 'fix_id': 'F-99499r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a 
Virtual Machine; This Control is NA.' do\n skip 'This is a Virtual Machine; This Control is NA.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'DCSettingIndex' }\n its('DCSettingIndex') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93159.rb", + "ref": "./Windows 2019 STIG/controls/V-93253.rb", "line": 3 }, - "id": "V-93159" + "id": "V-93253" }, { - "title": "Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.", - "desc": "A compromised local administrator account can provide means for an attacker to move laterally between domain systems.\n With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.", + "title": "Windows Server 2019 virtualization-based security must be enabled with\nthe platform security level configured to Secure Boot or Secure Boot with DMA\nProtection.", + "desc": "Virtualization Based Security (VBS) provides the platform for the\nadditional security features Credential Guard and virtualization-based\nprotection of code integrity. Secure Boot is the minimum security level, with\nDMA protection providing additional memory protection. 
DMA Protection requires\na CPU that supports input/output memory management unit (IOMMU).", "descriptions": { - "default": "A compromised local administrator account can provide means for an attacker to move laterally between domain systems.\n With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.", + "default": "Virtualization Based Security (VBS) provides the platform for the\nadditional security features Credential Guard and virtualization-based\nprotection of code integrity. Secure Boot is the minimum security level, with\nDMA protection providing additional memory protection. DMA Protection requires\na CPU that supports input/output memory management unit (IOMMU).", "rationale": "", - "check": "This applies to member servers. For domain controllers and standalone systems, this is NA.\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\n\n This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to \"1\" may be required.", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \"Apply UAC restrictions to local accounts on network logons\" to \"Enabled\".\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
\"SecGuide.admx\" and \" SecGuide.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." + "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support\nvirtualization-based security features, including Credential Guard, due to\nspecific supporting requirements, including a TPM, UEFI with Secure Boot, and\nthe capability to run the Hyper-V feature within a virtual machine.\n\n Open \"PowerShell\" with elevated privileges (run as administrator).\n\n Enter the following:\n\n \"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\nroot\\Microsoft\\Windows\\DeviceGuard\"\n\n If \"RequiredSecurityProperties\" does not include a value of \"2\"\nindicating \"Secure Boot\" (e.g., \"{1, 2}\"), this is a finding.\n\n If \"Secure Boot and DMA Protection\" is configured, \"3\" will also be\ndisplayed in the results (e.g., \"{1, 2, 3}\").\n\n If \"VirtualizationBasedSecurityStatus\" is not a value of \"2\" indicating\n\"Running\", this is a finding.\n\n Alternately:\n\n Run \"System Information\".\n\n Under \"System Summary\", verify the following:\n\n If \"Device Guard Virtualization based security\" does not display\n\"Running\", this is a finding.\n\n If \"Device Guard Required Security Properties\" does not display \"Base\nVirtualization Support, Secure Boot\", this is a finding.\n\n If \"Secure Boot and DMA Protection\" is configured, \"DMA Protection\"\nwill also be displayed (e.g., \"Base Virtualization Support, Secure Boot, DMA\nProtection\").\n\n The policy settings referenced in the Fix section will configure the\nfollowing registry values. 
However, due to hardware requirements, the registry\nvalues alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and\nDMA Protection)\n\n A Microsoft TechNet article on Credential Guard, including system\nrequirement details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard", + "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> System >> Device Guard >> \"Turn On Virtualization Based\nSecurity\" to \"Enabled\" with \"Secure Boot\" or \"Secure Boot and DMA\nProtection\" selected.\n\n A Microsoft TechNet article on Credential Guard, including system\nrequirement details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-93519", - "rid": "SV-103605r1_rule", - "stig_id": "WN19-MS-000020", - "fix_id": "F-99763r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93245", + "rid": "SV-103333r1_rule", + "stig_id": "WN19-CC-000110", + "fix_id": "F-99491r1_fix", "cci": [ - "CCI-001084" + "CCI-000366" ], "nist": [ - "SC-3", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93519\" do\n title \"Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.\"\n desc \"A compromised local administrator account can provide means for an attacker to move laterally between domain systems.\n With User Account Control enabled, 
filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to member servers. For domain controllers and standalone systems, this is NA.\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\n\n This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to \\\"1\\\" may be required.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \\\"Apply UAC restrictions to local accounts on network logons\\\" to \\\"Enabled\\\".\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\" SecGuide.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93519\"\n tag rid: \"SV-103605r1_rule\"\n tag stig_id: \"WN19-MS-000020\"\n tag fix_id: \"F-99763r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '3'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LocalAccountTokenFilterPolicy' }\n its('LocalAccountTokenFilterPolicy') { should cmp == 0 }\n end\n else\n impact 0.0\n describe 'This requirement is only applicable to member servers' do\n skip 'This control is NA as the requirement is only applicable to member servers'\n end\n end\nend", + "code": "control \"V-93245\" do\n title \"Windows Server 2019 virtualization-based security must be enabled with\nthe platform security level configured to Secure Boot or Secure Boot with DMA\nProtection.\"\n desc \"Virtualization Based Security (VBS) provides the platform for the\nadditional security features Credential Guard and virtualization-based\nprotection of code integrity. Secure Boot is the minimum security level, with\nDMA protection providing additional memory protection. 
DMA Protection requires\na CPU that supports input/output memory management unit (IOMMU).\"\n desc \"rationale\", \"\"\n desc 'check', \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support\nvirtualization-based security features, including Credential Guard, due to\nspecific supporting requirements, including a TPM, UEFI with Secure Boot, and\nthe capability to run the Hyper-V feature within a virtual machine.\n\n Open \\\"PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter the following:\n\n \\\"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\nroot\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\"\n\n If \\\"RequiredSecurityProperties\\\" does not include a value of \\\"2\\\"\nindicating \\\"Secure Boot\\\" (e.g., \\\"{1, 2}\\\"), this is a finding.\n\n If \\\"Secure Boot and DMA Protection\\\" is configured, \\\"3\\\" will also be\ndisplayed in the results (e.g., \\\"{1, 2, 3}\\\").\n\n If \\\"VirtualizationBasedSecurityStatus\\\" is not a value of \\\"2\\\" indicating\n\\\"Running\\\", this is a finding.\n\n Alternately:\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", verify the following:\n\n If \\\"Device Guard Virtualization based security\\\" does not display\n\\\"Running\\\", this is a finding.\n\n If \\\"Device Guard Required Security Properties\\\" does not display \\\"Base\nVirtualization Support, Secure Boot\\\", this is a finding.\n\n If \\\"Secure Boot and DMA Protection\\\" is configured, \\\"DMA Protection\\\"\nwill also be displayed (e.g., \\\"Base Virtualization Support, Secure Boot, DMA\nProtection\\\").\n\n The policy settings referenced in the Fix section will configure the\nfollowing registry values. 
However, due to hardware requirements, the registry\nvalues alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and\nDMA Protection)\n\n A Microsoft TechNet article on Credential Guard, including system\nrequirement details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> System >> Device Guard >> \\\"Turn On Virtualization Based\nSecurity\\\" to \\\"Enabled\\\" with \\\"Secure Boot\\\" or \\\"Secure Boot and DMA\nProtection\\\" selected.\n\n A Microsoft TechNet article on Credential Guard, including system\nrequirement details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93245'\n tag 'rid': 'SV-103333r1_rule'\n tag 'stig_id': 'WN19-CC-000110'\n tag 'fix_id': 'F-99491r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'EnableVirtualizationBasedSecurity' }\n its('EnableVirtualizationBasedSecurity') { should cmp 1 }\n end\n describe.one do\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 3 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93519.rb", + "ref": "./Windows 2019 STIG/controls/V-93245.rb", "line": 3 }, - "id": "V-93519" + "id": "V-93245" }, { - "title": "Windows Server 2019 must not have the Fax Server role installed.", - "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", + "title": "Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.", + "desc": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", + "default": "Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.", "rationale": "", - "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq Fax\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", - "fix": "Uninstall the \"Fax Server\" role.\n\n Start \"Server Manager\".\n Select the server with the role.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Fax Server\" on the \"Roles\" page.\n Click \"Next\" and \"Remove\" as prompted." + "check": "The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n If it exists and is configured with a value of \"0\", this is not a finding.\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.\n If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> \"Turn on Basic feed authentication over HTTP\" to \"Not Configured\" or \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93383", - "rid": "SV-103469r1_rule", - "stig_id": "WN19-00-000320", - "fix_id": "F-99627r1_fix", + "gid": "V-93413", + "rid": "SV-103499r1_rule", + "stig_id": "WN19-CC-000400", + "fix_id": "F-99657r1_fix", "cci": [ "CCI-000381" ], 
@@ -2573,439 +2544,443 @@ "Rev_4" ] }, - "code": "control \"V-93383\" do\n title \"Windows Server 2019 must not have the Fax Server role installed.\"\n desc \"Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq Fax\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Fax Server\\\" role.\n\n Start \\\"Server Manager\\\".\n Select the server with the role.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Fax Server\\\" on the \\\"Roles\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93383\"\n tag rid: \"SV-103469r1_rule\"\n tag stig_id: \"WN19-00-000320\"\n tag fix_id: \"F-99627r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('fax') do\n it { should_not be_installed }\n end\nend", + "code": "control \"V-93413\" do\n title \"Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.\"\n desc \"Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.\"\n desc \"rationale\", \"\"\n desc \"check\", \"The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.\n If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> \\\"Turn on Basic feed authentication over HTTP\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93413\"\n tag rid: \"SV-103499r1_rule\"\n tag stig_id: \"WN19-CC-000400\"\n tag fix_id: \"F-99657r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe.one do \n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should_not have_property 'AllowBasicAuthInClear' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should have_property 'AllowBasicAuthInClear' }\n its('AllowBasicAuthInClear') { should_not cmp 1 }\n its('AllowBasicAuthInClear') { should cmp 0 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93383.rb", + "ref": "./Windows 2019 STIG/controls/V-93413.rb", "line": 3 }, - "id": "V-93383" + "id": "V-93413" }, { 
- "title": "Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.", - "desc": "Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.", + "title": "Windows Server 2019 permissions on the Active Directory data files\nmust only allow System and Administrators access.", + "desc": "Improper access permissions for directory data-related files could\nallow unauthorized users to read, modify, or delete directory data or audit\ntrails.", "descriptions": { - "default": "Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.", + "default": "Improper access permissions for directory data-related files could\nallow unauthorized users to read, modify, or delete directory data or audit\ntrails.", "rationale": "", - "check": "This applies to member servers and standalone systems, it is NA for domain controllers.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc\\\n\n Value Name: RestrictRemoteClients\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> \"Restrict Unauthenticated RPC clients\" to \"Enabled\" with \"Authenticated\" selected." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Run \"Regedit\".\n\n Navigate to\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\".\n\n Note the directory locations in the values for:\n\n Database log files path\n DSA Database file\n\n By default, they will be \\Windows\\NTDS.\n\n If the locations are different, the following will need to be run for each.\n\n Open \"Command Prompt (Admin)\".\n\n Navigate to the NTDS directory (\\Windows\\NTDS by default).\n\n Run \"icacls *.*\".\n\n If the permissions on each file are not as restrictive as the following,\nthis is a finding:\n\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access", + "fix": "Maintain the permissions on NTDS database and log files as follows:\n\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000379-GPOS-00164", - "gid": "V-93453", - "rid": "SV-103539r1_rule", - "stig_id": "WN19-MS-000040", - "fix_id": "F-99697r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93029", + "rid": "SV-103117r1_rule", + "stig_id": "WN19-DC-000070", + "fix_id": "F-99275r1_fix", "cci": [ - "CCI-001967" + "CCI-002235" ], "nist": [ - "IA-3 (1)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93453\" do\n title \"Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.\"\n desc \"Unauthenticated RPC clients may allow anonymous access to sensitive information. 
Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to member servers and standalone systems, it is NA for domain controllers.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\\n\n Value Name: RestrictRemoteClients\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> \\\"Restrict Unauthenticated RPC clients\\\" to \\\"Enabled\\\" with \\\"Authenticated\\\" selected.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000379-GPOS-00164\"\n tag gid: \"V-93453\"\n tag rid: \"SV-103539r1_rule\"\n tag stig_id: \"WN19-MS-000040\"\n tag fix_id: \"F-99697r1_fix\"\n tag cci: [\"CCI-001967\"]\n tag nist: [\"IA-3 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc') do\n it { should have_property 'RestrictRemoteClients' }\n its('RestrictRemoteClients') { should cmp == 1 }\n end\nend", + "code": "control 'V-93029' do\n title \"Windows Server 2019 permissions on the Active Directory data files\nmust only allow System and Administrators access.\"\n desc \"Improper access permissions for directory data-related files could\nallow unauthorized users to read, modify, or delete directory data or audit\ntrails.\"\n desc 'rationale', ''\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Run \\\"Regedit\\\".\n\n Navigate to\n\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\".\n\n Note the directory locations in the values for:\n\n Database log files path\n DSA Database file\n\n By default, they will be \\\\Windows\\\\NTDS.\n\n If the locations are different, the following will need to be run for each.\n\n Open \\\"Command Prompt (Admin)\\\".\n\n Navigate to the NTDS directory (\\\\Windows\\\\NTDS by default).\n\n Run \\\"icacls *.*\\\".\n\n If the permissions on each file are not as restrictive as the following,\nthis is a finding:\n\n NT AUTHORITY\\\\SYSTEM:(I)(F)\n BUILTIN\\\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access\"\n desc 'fix', \"Maintain the permissions on NTDS database and log files as follows:\n\n NT AUTHORITY\\\\SYSTEM:(I)(F)\n BUILTIN\\\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93029'\n tag 'rid': 'SV-103117r1_rule'\n tag 'stig_id': 'WN19-DC-000070'\n tag 'fix_id': 'F-99275r1_fix'\n tag 'cci': ['CCI-002235']\n tag 'nist': ['AC-6 (10)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n # Command Gets the Location of the Property Required\n ntds_database_logs_files_path = json(command: 'Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters | Select-Object -ExpandProperty \"Database log files path\" | ConvertTo-Json').params\n # Command Gets the Location of the Property Required\n ntds_dsa_working_directory = json(command: 'Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters | Select-Object -ExpandProperty \"DSA Working Directory\" | ConvertTo-Json').params\n expected_permissions 
= input('ntds_permissions')\n if domain_role == '4' || domain_role == '5'\n if ntds_database_logs_files_path == ntds_dsa_working_directory\n perms = json(command: \"icacls '#{ntds_dsa_working_directory}\\\\*.*' | convertto-json\").params.map(&:strip)[0..-3].map { |e| e.gsub(/^[^\\s]*\\s/, '') }.reject(&:empty?)\n describe \"Permissions on each file in #{ntds_dsa_working_directory} is set\" do\n subject { (perms - expected_permissions).empty? }\n it { should eq true }\n end\n else\n # Command Gets Permissions on Folder Path\n icacls_permissions_ntds_logs = json(command: \"icacls '#{ntds_database_logs_files_path}\\\\*.*' | ConvertTo-Json\").params.map(&:strip)[0..-3].map { |e| e.gsub(/^[^\\s]*\\s/, '') }.reject(&:empty?)\n # Command Gets the Location of the Property Required\n ntds_dsa_file_path = json(command: 'Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters | Select-Object -ExpandProperty \"DSA Database file\" | ConvertTo-Json').params\n # Command Gets Permissions on file ntds.dit\n icacls_permissions_ntds_dsa_file = json(command: \"icacls '#{ntds_dsa_file_path}' | ConvertTo-Json\").params.map(&:strip)[0..-3].map { |e| e.gsub(\"#{ntds_dsa_file_path} \", '') }\n describe 'Permissions on NTDS Database Log Files Path is set to' do\n subject { (icacls_permissions_ntds_logs - expected_permissions).empty? }\n it { should eq true }\n end\n describe 'Permissions on NTDS Database DSA File is set to' do\n subject { (icacls_permissions_ntds_dsa_file - expected_permissions).empty? 
}\n it { should eq true }\n end\n end\n else\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93453.rb", - "line": 3 + "ref": "./Windows 2019 STIG/controls/V-93029.rb", + "line": 1 }, - "id": "V-93453" + "id": "V-93029" }, { - "title": "Windows Server 2019 group policy objects must be reprocessed even if\nthey have not changed.", - "desc": "Registry entries for group policy settings can potentially be changed\nfrom the required configuration. This could occur as part of troubleshooting or\nby a malicious process on a compromised system. Enabling this setting and then\nselecting the \"Process even if the Group Policy objects have not changed\"\noption ensures the policies will be reprocessed even if none have been changed.\nThis way, any unauthorized changes are forced to match the domain-based group\npolicy settings again.", + "title": "Windows Server 2019 Active Directory Group Policy objects must have\nproper access control permissions.", + "desc": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\nattention. In a distributed administration model (i.e., help desk), Group\nPolicy objects are more likely to have access permissions changed from the\nsecure defaults. 
If inappropriate access permissions are defined for Group\nPolicy objects, this could allow an intruder to change the security policy\napplied to all domain client computers (workstations and servers).", "descriptions": { - "default": "Registry entries for group policy settings can potentially be changed\nfrom the required configuration. This could occur as part of troubleshooting or\nby a malicious process on a compromised system. Enabling this setting and then\nselecting the \"Process even if the Group Policy objects have not changed\"\noption ensures the policies will be reprocessed even if none have been changed.\nThis way, any unauthorized changes are forced to match the domain-based group\npolicy settings again.", + "default": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\nattention. In a distributed administration model (i.e., help desk), Group\nPolicy objects are more likely to have access permissions changed from the\nsecure defaults. 
If inappropriate access permissions are defined for Group\nPolicy objects, this could allow an intruder to change the security policy\napplied to all domain client computers (workstations and servers).", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\\n\n Value Name: NoGPOListChanges\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Group Policy >> \"Configure registry\npolicy processing\" to \"Enabled\" with the option \"Process even if the Group\nPolicy objects have not changed\" selected." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on Group Policy objects.\n\n Open \"Group Policy Management\" (available from various menus or run\n\"gpmc.msc\").\n\n Navigate to \"Group Policy Objects\" in the domain being reviewed (Forest\n>> Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the \"Delegation\" tab in the right pane.\n\n Select the \"Advanced\" button.\n\n Select each Group or user name.\n\n View the permissions.\n\n If any standard user accounts or groups have \"Allow\" permissions greater\nthan \"Read\" and \"Apply group policy\", this is a finding.\n\n Other access permissions that allow the objects to be updated are\nconsidered findings unless specifically documented by the ISSO.\n\n The default permissions noted below satisfy this requirement.\n\n The permissions shown are at the summary level. 
More detailed permissions\ncan be viewed by selecting the next \"Advanced\" button, the desired Permission\nentry, and the \"Edit\" button.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type\nProperties. If detailed permissions include any Create, Delete, Modify, or\nWrite Permissions or Properties, this is a finding.\n\n The special permissions for the following default groups are not the focus\nof this requirement and may include a wide range of permissions and properties:\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\nSpecial permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n The Domain Admins and Enterprise Admins will not have the \"Delete all\nchild objects\" permission on the two default Group Policy objects: Default\nDomain Policy and Default Domain Controllers Policy. They will have this\npermission o'n organization created Group Policy objects.", + "fix": "Maintain the permissions on Group Policy objects to not allow greater than\n\"Read\" and \"Apply group policy\" for standard user accounts or groups. 
The\ndefault permissions below meet this requirement:\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type\nProperties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\nSpecial permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n Document any other access permissions that allow the objects to be updated\nwith the ISSO.\n\n The Domain Admins and Enterprise Admins will not have the \"Delete all\nchild objects\" permission on the two default Group Policy objects: Default\nDomain Policy and Default Domain Controllers Policy. They will have this\npermission on created Group Policy objects." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93251", - "rid": "SV-103339r1_rule", - "stig_id": "WN19-CC-000140", - "fix_id": "F-99497r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93033", + "rid": "SV-103121r1_rule", + "stig_id": "WN19-DC-000090", + "fix_id": "F-99279r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93251\" do\n title \"Windows Server 2019 group policy objects must be reprocessed even if\nthey have not changed.\"\n desc \"Registry entries for group policy settings can potentially be changed\nfrom the required configuration. This could occur as part of troubleshooting or\nby a malicious process on a compromised system. 
Enabling this setting and then\nselecting the \\\"Process even if the Group Policy objects have not changed\\\"\noption ensures the policies will be reprocessed even if none have been changed.\nThis way, any unauthorized changes are forced to match the domain-based group\npolicy settings again.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Group Policy\\\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\\\\n\n Value Name: NoGPOListChanges\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Group Policy >> \\\"Configure registry\npolicy processing\\\" to \\\"Enabled\\\" with the option \\\"Process even if the Group\nPolicy objects have not changed\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93251'\n tag 'rid': 'SV-103339r1_rule'\n tag 'stig_id': 'WN19-CC-000140'\n tag 'fix_id': 'F-99497r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}') do\n it { should have_property 'NoGPOListChanges' }\n its('NoGPOListChanges') { should cmp 0 }\n end\nend\n", + "code": "control \"V-93033\" do\n title \"Windows Server 2019 Active Directory Group Policy objects must have\nproper access control permissions.\"\n desc \"When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise 
of the database objects could lead to a\ncompromise of all systems relying on the directory service.\n\n For Active Directory (AD), the Group Policy objects require special\nattention. In a distributed administration model (i.e., help desk), Group\nPolicy objects are more likely to have access permissions changed from the\nsecure defaults. If inappropriate access permissions are defined for Group\nPolicy objects, this could allow an intruder to change the security policy\napplied to all domain client computers (workstations and servers).\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on Group Policy objects.\n\n Open \\\"Group Policy Management\\\" (available from various menus or run\n\\\"gpmc.msc\\\").\n\n Navigate to \\\"Group Policy Objects\\\" in the domain being reviewed (Forest\n>> Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the \\\"Delegation\\\" tab in the right pane.\n\n Select the \\\"Advanced\\\" button.\n\n Select each Group or user name.\n\n View the permissions.\n\n If any standard user accounts or groups have \\\"Allow\\\" permissions greater\nthan \\\"Read\\\" and \\\"Apply group policy\\\", this is a finding.\n\n Other access permissions that allow the objects to be updated are\nconsidered findings unless specifically documented by the ISSO.\n\n The default permissions noted below satisfy this requirement.\n\n The permissions shown are at the summary level. More detailed permissions\ncan be viewed by selecting the next \\\"Advanced\\\" button, the desired Permission\nentry, and the \\\"Edit\\\" button.\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type\nProperties. 
If detailed permissions include any Create, Delete, Modify, or\nWrite Permissions or Properties, this is a finding.\n\n The special permissions for the following default groups are not the focus\nof this requirement and may include a wide range of permissions and properties:\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\nSpecial permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n The Domain Admins and Enterprise Admins will not have the \\\"Delete all\nchild objects\\\" permission on the two default Group Policy objects: Default\nDomain Policy and Default Domain Controllers Policy. They will have this\npermission o'n organization created Group Policy objects.\"\n desc 'fix', \"Maintain the permissions on Group Policy objects to not allow greater than\n\\\"Read\\\" and \\\"Apply group policy\\\" for standard user accounts or groups. 
The\ndefault permissions below meet this requirement:\n\n Authenticated Users - Read, Apply group policy, Special permissions\n\n The special permissions for Authenticated Users are for Read-type\nProperties.\n\n CREATOR OWNER - Special permissions\n SYSTEM - Read, Write, Create all child objects, Delete all child objects,\nSpecial permissions\n Domain Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n Enterprise Admins - Read, Write, Create all child objects, Delete all child\nobjects, Special permissions\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n Document any other access permissions that allow the objects to be updated\nwith the ISSO.\n\n The Domain Admins and Enterprise Admins will not have the \\\"Delete all\nchild objects\\\" permission on the two default Group Policy objects: Default\nDomain Policy and Default Domain Controllers Policy. They will have this\npermission on created Group Policy objects.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93033'\n tag 'rid': 'SV-103121r1_rule'\n tag 'stig_id': 'WN19-DC-000090'\n tag 'fix_id': 'F-99279r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n #Checked Code in 2016 and it is not a validate way of checking permissions, Until a command is put together that can get all GPO's in a Domain and then check all permissions, this is manually\n describe 'A manual review is required to ensure all Group Policies have the correct permisions' do\n skip 'A manual review is required to ensure all Group Policies have the correct permisions'\n end\n\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93251.rb", + "ref": "./Windows 2019 STIG/controls/V-93033.rb", "line": 3 }, - "id": "V-93251" + "id": "V-93033" }, { - "title": "Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit 
encryption.", - "desc": "Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.", + "title": "Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.", + "desc": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", "descriptions": { - "default": "Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.", + "default": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinClientSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Minimum session security for NTLM SSP based (including secure RPC) clients\" to \"Require NTLMv2 session security\" and \"Require 128-bit encryption\" (all options selected)." 
- }, - "impact": 0.5, + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \"Allow Basic authentication\" to \"Disabled\"." + }, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93305", - "rid": "SV-103393r1_rule", - "stig_id": "WN19-SO-000330", - "fix_id": "F-99551r1_fix", + "gtitle": "SRG-OS-000125-GPOS-00065", + "gid": "V-93507", + "rid": "SV-103593r1_rule", + "stig_id": "WN19-CC-000500", + "fix_id": "F-99751r1_fix", "cci": [ - "CCI-000366" + "CCI-000877" ], "nist": [ - "CM-6 b", + "MA-4 c", "Rev_4" ] }, - "code": "control \"V-93305\" do\n title \"Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.\"\n desc \"Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. 
All of the options must be enabled to ensure the maximum security level.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinClientSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Minimum session security for NTLM SSP based (including secure RPC) clients\\\" to \\\"Require NTLMv2 session security\\\" and \\\"Require 128-bit encryption\\\" (all options selected).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93305\"\n tag rid: \"SV-103393r1_rule\"\n tag stig_id: \"WN19-SO-000330\"\n tag fix_id: \"F-99551r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'NTLMMinClientSec' }\n its('NTLMMinClientSec') { should cmp == 537395200 }\n end \nend", + "code": "control \"V-93507\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.\"\n desc \"Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \\\"Allow Basic authentication\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000125-GPOS-00065\"\n tag gid: \"V-93507\"\n tag rid: \"SV-103593r1_rule\"\n tag stig_id: \"WN19-CC-000500\"\n tag fix_id: \"F-99751r1_fix\"\n tag cci: [\"CCI-000877\"]\n tag nist: [\"MA-4 c\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93305.rb", + "ref": "./Windows 2019 STIG/controls/V-93507.rb", "line": 3 }, - "id": "V-93305" + "id": "V-93507" }, { - "title": "Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.", - "desc": "Directory data that is not appropriately encrypted is subject to compromise. 
Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.", + "title": "Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.", + "desc": "Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.", "descriptions": { - "default": "Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.", + "default": "Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted.\n\n Determine the classification level of the Windows domain controller.\n\n If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic.\n\n If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.", - "fix": "Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data." + "check": "Verify the registry value below. 
If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> \"Do not display network selection UI\" to \"Enabled\"." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000396-GPOS-00176", - "gid": "V-93513", - "rid": "SV-103599r1_rule", - "stig_id": "WN19-DC-000140", - "fix_id": "F-99757r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93407", + "rid": "SV-103493r1_rule", + "stig_id": "WN19-CC-000170", + "fix_id": "F-99651r1_fix", "cci": [ - "CCI-002450" + "CCI-000381" ], "nist": [ - "SC-13", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93513\" do\n title \"Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.\"\n desc \"Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted.\n\n Determine the classification level of the Windows domain controller.\n\n If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic.\n\n If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.\"\n desc \"fix\", \"Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000396-GPOS-00176\"\n tag gid: \"V-93513\"\n tag rid: \"SV-103599r1_rule\"\n tag stig_id: \"WN19-DC-000140\"\n tag fix_id: \"F-99757r1_fix\"\n tag cci: [\"CCI-002450\"]\n tag nist: [\"SC-13\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data.\" do\n skip \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data is a manual check\"\n end\n else\n 
impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", + "code": "control \"V-93407\" do\n title \"Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.\"\n desc \"Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> \\\"Do not display network selection UI\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93407\"\n tag rid: \"SV-103493r1_rule\"\n tag stig_id: \"WN19-CC-000170\"\n tag fix_id: \"F-99651r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'DontDisplayNetworkSelectionUI' }\n its('DontDisplayNetworkSelectionUI') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93513.rb", + "ref": "./Windows 2019 STIG/controls/V-93407.rb", "line": 3 }, - "id": "V-93513" + "id": "V-93407" }, { - "title": "Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.", - "desc": "Enabling this setting on all 
domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.", + "title": "Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.", + "desc": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.", "descriptions": { - "default": "Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.", + "default": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RefusePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain controller: Refuse machine account password changes\" to \"Disabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\\\n\n Value Name: DisableInventory\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> \"Turn off Inventory Collector\" to \"Enabled\"." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93273", - "rid": "SV-103361r1_rule", - "stig_id": "WN19-DC-000330", - "fix_id": "F-99519r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93409", + "rid": "SV-103495r1_rule", + "stig_id": "WN19-CC-000200", + "fix_id": "F-99653r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93273\" do\n title \"Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.\"\n desc \"Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. 
If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RefusePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain controller: Refuse machine account password changes\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93273\"\n tag rid: \"SV-103361r1_rule\"\n tag stig_id: \"WN19-DC-000330\"\n tag fix_id: \"F-99519r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n \n if domain_role == '4' || domain_role == '5'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RefusePasswordChange' }\n its('RefusePasswordChange') { should cmp 0 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93409\" do\n title \"Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.\"\n desc \"Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat\\\\\n\n Value Name: DisableInventory\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> \\\"Turn off Inventory Collector\\\" to \\\"Enabled\\\".\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93409\"\n tag rid: \"SV-103495r1_rule\"\n tag stig_id: \"WN19-CC-000200\"\n tag fix_id: \"F-99653r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat') do\n it { should have_property 'DisableInventory' }\n its('DisableInventory') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93273.rb", + "ref": "./Windows 2019 STIG/controls/V-93409.rb", "line": 3 }, - "id": "V-93273" + "id": "V-93409" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 Perform volume maintenance tasks user right must\nonly be assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Perform volume maintenance tasks\" user right can\nmanage volume and disk configurations. This could be used to delete volumes,\nresulting in data loss or a denial of service.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Perform volume maintenance tasks\" user right can\nmanage volume and disk configurations. 
This could be used to delete volumes,\nresulting in data loss or a denial of service.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name VISIO.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for VISIO.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\"Perform volume maintenance tasks\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeManageVolumePrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Perform\nvolume maintenance tasks\" to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93359", - "rid": "SV-103447r1_rule", - "stig_id": "WN19-EP-000250", - "fix_id": "F-99605r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93081", + "rid": "SV-103169r1_rule", + "stig_id": "WN19-UR-000190", + "fix_id": "F-99327r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93359\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name VISIO.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for VISIO.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93359\"\n tag rid: \"SV-103447r1_rule\"\n tag stig_id: \"WN19-EP-000250\"\n tag fix_id: \"F-99605r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n visio = json({ command: \"Get-ProcessMitigation -Name VISIO.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif visio.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for VISIO.EXE\" do\n subject { visio }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93081\" do\n title \"Windows Server 2019 Perform volume maintenance tasks user right must\nonly be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Perform volume maintenance tasks\\\" user right can\nmanage volume and disk configurations. 
This could be used to delete volumes,\nresulting in data loss or a denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\\\"Perform volume maintenance tasks\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeManageVolumePrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Perform\nvolume maintenance tasks\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93081'\n tag 'rid': 'SV-103169r1_rule'\n tag 'stig_id': 'WN19-UR-000190'\n tag 'fix_id': 'F-99327r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeManageVolumePrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", 
"source_location": { - "ref": "./Windows 2019 STIG/controls/V-93359.rb", + "ref": "./Windows 2019 STIG/controls/V-93081.rb", "line": 3 }, - "id": "V-93359" + "id": "V-93081" }, { - "title": "Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.", - "desc": "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.", + "title": "Windows Server 2019 must be configured to audit DS Access - Directory\nService Access failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.", "descriptions": { - "default": "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \"Allow unencrypted traffic\" to \"Disabled\"." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \"Directory Service Access\" with\n\"Failure\" selected." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000393-GPOS-00173", + "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ - "SRG-OS-000393-GPOS-00173", - "SRG-OS-000394-GPOS-00174" + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-93501", - "rid": "SV-103587r1_rule", - "stig_id": "WN19-CC-000510", - "fix_id": "F-99745r1_fix", + "gid": "V-93135", + "rid": "SV-103223r1_rule", + "stig_id": "WN19-DC-000250", + "fix_id": "F-99381r1_fix", "cci": [ - "CCI-002890", - "CCI-003123" + "CCI-000172", + "CCI-002234" ], "nist": [ - "MA-4 (6)", - "MA-4 (6)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93501\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \\\"Allow unencrypted traffic\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000393-GPOS-00173\"\n tag satisfies: [\"SRG-OS-000393-GPOS-00173\", \"SRG-OS-000394-GPOS-00174\"]\n tag gid: \"V-93501\"\n tag rid: \"SV-103587r1_rule\"\n tag stig_id: \"WN19-CC-000510\"\n tag fix_id: \"F-99745r1_fix\"\n tag cci: [\"CCI-002890\", \"CCI-003123\"]\n tag nist: [\"MA-4 (6)\", \"MA-4 (6)\", 
\"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp == 0 }\n end\nend", + "code": "control \"V-93135\" do\n title \"Windows Server 2019 must be configured to audit DS Access - Directory\nService Access failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \\\"Directory Service Access\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93135'\n tag 'rid': 'SV-103223r1_rule'\n tag 'stig_id': 'WN19-DC-000250'\n tag 'fix_id': 'F-99381r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Access') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success and Failure' }\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is 
not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93501.rb", + "ref": "./Windows 2019 STIG/controls/V-93135.rb", "line": 3 }, - "id": "V-93501" + "id": "V-93135" }, { - "title": "The Windows Server 2019 time service must synchronize with an\n appropriate DoD time source.", - "desc": "The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. If an NTP server is configured, it must synchronize\n with a secure, authorized time source.", + "title": "Windows Server 2019 must have a host-based firewall installed and enabled.", + "desc": "A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.", "descriptions": { - "default": "The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. 
If an NTP server is configured, it must synchronize\n with a secure, authorized time source.", + "default": "A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.", "rationale": "", - "check": "Review the Windows time service configuration.\n\n Open an elevated \"Command Prompt\" (run as administrator).\n\n Enter \"W32tm /query /configuration\".\n\n Domain-joined systems (excluding the domain controller with the PDC\n emulator role):\n\n If the value for \"Type\" under \"NTP Client\" is not \"NT5DS\", this is a\n finding.\n\n Other systems:\n\n If systems are configured with a \"Type\" of \"NTP\", including standalone\n systems and the domain controller with the PDC Emulator role, and do not have a\n DoD time server defined for \"NTPServer\", this is a finding.\n\n To determine the domain controller with the PDC Emulator role:\n\n Open \"PowerShell\".\n\n Enter \"Get-ADDomain | FT PDCEmulator\".", - "fix": "Configure the system to synchronize time with an appropriate DoD time\n source.\n\n Domain-joined systems use NT5DS to synchronize time from other systems in\n the domain by default.\n\n If the system needs to be configured to an NTP server, configure the system\n to point to an authorized time server by setting the policy value for Computer\n Configuration >> Administrative Templates >> System >> Windows Time Service >>\n Time Providers >> \"Configure Windows NTP Client\" to \"Enabled\", and\n configure the \"NtpServer\" field to point to an appropriate DoD time server.\n\n The US Naval Observatory operates stratum 1 time servers, identified at\n http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a\n hierarchy of time servers down to the local level. Clients and lower-level\n servers will synchronize with an authorized time server in the hierarchy." + "check": "Determine if a host-based firewall is installed and enabled on the system. 
If a host-based firewall is not installed and enabled on the system, this is a finding. The configuration requirements will be determined by the applicable firewall STIG.", + "fix": "Install and enable a host-based firewall on the system." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000355-GPOS-00143", - "gid": "V-93187", - "rid": "SV-103275r1_rule", - "stig_id": "WN19-00-000440", - "fix_id": "F-99433r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00231", + "gid": "V-93571", + "rid": "SV-103657r1_rule", + "stig_id": "WN19-00-000280", + "fix_id": "F-99815r1_fix", "cci": [ - "CCI-001891" + "CCI-000366", + "CCI-002080" ], "nist": [ - "AU-8 (1) (a)", + "CM-6 b", + "CA-3 (5)", "Rev_4" ] }, - "code": "control 'V-93187' do\n title \"The Windows Server 2019 time service must synchronize with an\n appropriate #{input('org_name')[:acronym]} time source.\"\n desc \"The Windows Time Service controls time synchronization settings. Time\n synchronization is essential for authentication and auditing purposes. If the\n Windows Time Service is used, it must synchronize with a secure, authorized\n time source. Domain-joined systems are automatically configured to synchronize\n with domain controllers. 
If an NTP server is configured, it must synchronize\n with a secure, authorized time source.\"\n desc 'rationale', ''\n desc 'check', \"Review the Windows time service configuration.\n\n Open an elevated \\\"Command Prompt\\\" (run as administrator).\n\n Enter \\\"W32tm /query /configuration\\\".\n\n Domain-joined systems (excluding the domain controller with the PDC\n emulator role):\n\n If the value for \\\"Type\\\" under \\\"NTP Client\\\" is not \\\"NT5DS\\\", this is a\n finding.\n\n Other systems:\n\n If systems are configured with a \\\"Type\\\" of \\\"NTP\\\", including standalone\n systems and the domain controller with the PDC Emulator role, and do not have a\n #{input('org_name')[:acronym]} time server defined for \\\"NTPServer\\\", this is a finding.\n\n To determine the domain controller with the PDC Emulator role:\n\n Open \\\"PowerShell\\\".\n\n Enter \\\"Get-ADDomain | FT PDCEmulator\\\".\"\n desc 'fix', \"Configure the system to synchronize time with an appropriate #{input('org_name')[:acronym]} time\n source.\n\n Domain-joined systems use NT5DS to synchronize time from other systems in\n the domain by default.\n\n If the system needs to be configured to an NTP server, configure the system\n to point to an authorized time server by setting the policy value for Computer\n Configuration >> Administrative Templates >> System >> Windows Time Service >>\n Time Providers >> \\\"Configure Windows NTP Client\\\" to \\\"Enabled\\\", and\n configure the \\\"NtpServer\\\" field to point to an appropriate #{input('org_name')[:acronym]} time server.\n\n The US Naval Observatory operates stratum 1 time servers, identified at\n http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a\n hierarchy of time servers down to the local level. 
Clients and lower-level\n servers will synchronize with an authorized time server in the hierarchy.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000355-GPOS-00143'\n tag 'gid': 'V-93187'\n tag 'rid': 'SV-103275r1_rule'\n tag 'stig_id': 'WN19-00-000440'\n tag 'fix_id': 'F-99433r1_fix'\n tag 'cci': ['CCI-001891']\n tag 'nist': ['AU-8 (1) (a)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n forest_pdce = powershell('(Get-ADDomain).PDCEmulator').stdout.strip\n if forest_pdce.downcase.include? sys_info.hostname.downcase\n # forest pdc emulator should be uniquely configured.\n describe w32time_config do\n its('type') { should cmp 'NTP' }\n its('ntpserver') do\n should be_in input('ntp_servers')\n end\n end\n else\n # just a normal domain controller\n describe w32time_config do\n its('type') { should cmp 'NT5DS' }\n end\n end\n elsif domain_role == '3'\n # just a memberserver\n describe.one do\n describe w32time_config do\n its('type') { should cmp 'NT5DS' }\n end\n describe w32time_config do\n its('type') { should cmp 'ALLSYNC' }\n end\n end\n else\n # just a stand alone system\n describe w32time_config do\n its('type') { should cmp 'NTP' }\n its('ntpserver') do\n should be_in input('ntp_servers')\n end\n end\n end\nend\n", + "code": "control \"V-93571\" do\n title \"Windows Server 2019 must have a host-based firewall installed and enabled.\"\n desc \"A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. 
The configuration requirements will be determined by the applicable firewall STIG.\"\n desc \"fix\", \"Install and enable a host-based firewall on the system.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00231\"\n tag gid: \"V-93571\"\n tag rid: \"SV-103657r1_rule\"\n tag stig_id: \"WN19-00-000280\"\n tag fix_id: \"F-99815r1_fix\"\n tag cci: [\"CCI-000366\", \"CCI-002080\"]\n tag nist: [\"CM-6 b\", \"CA-3 (5)\", \"Rev_4\"]\n\n query_domain = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Domain' } | Select Enabled | ConvertTo-Json\" }).params\n query_private = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Private' } | Select Enabled | ConvertTo-Json\" }).params\n query_public = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Public' } | Select Enabled | ConvertTo-Json\" }).params\n \n describe.one do\n describe 'Windows Firewall should be Enabled' do\n subject { query_public[\"Enabled\"] }\n it 'The Public host-based firewall' do\n failure_message = \"is not Enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n describe 'Windows Firewall should be Enabled' do\n subject { query_private[\"Enabled\"] }\n it 'The Private host-based firewall' do\n failure_message = \"is not enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n describe 'Windows Firewall should be Enabled' do\n subject { query_domain[\"Enabled\"] }\n it 'The Domain host-based firewall' do\n failure_message = \"is not Enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93187.rb", - "line": 1 + "ref": "./Windows 2019 STIG/controls/V-93571.rb", + "line": 3 }, - "id": "V-93187" + "id": "V-93571" }, { - "title": "Windows Server 2019 Exploit 
Protection mitigations must be configured for INFOPATH.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 non-system-created file shares must limit access to groups that require it.", + "desc": "Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name INFOPATH.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - 
"fix": "Ensure the following mitigations are turned \"ON\" for INFOPATH.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "If only system-created shares such as \"ADMIN$\", \"C$\", and \"IPC$\" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when \"Properties\" is selected.)\n\n Run \"Computer Management\".\n Navigate to System Tools >> Shared Folders >> Shares.\n Right-click any non-system-created shares.\n Select \"Properties\".\n Select the \"Share Permissions\" tab.\n If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.\n Select the \"Security\" tab.\n If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.", + "fix": "If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it.\n Remove any unnecessary non-system-created shares." 
}, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93337", - "rid": "SV-103425r1_rule", - "stig_id": "WN19-EP-000140", - "fix_id": "F-99583r1_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-93531", + "rid": "SV-103617r1_rule", + "stig_id": "WN19-00-000230", + "fix_id": "F-99775r1_fix", "cci": [ - "CCI-000366" + "CCI-001090" ], "nist": [ - "CM-6 b", + "SC-4", "Rev_4" ] }, - "code": "control \"V-93337\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name INFOPATH.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for INFOPATH.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n 
EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93337\"\n tag rid: \"SV-103425r1_rule\"\n tag stig_id: \"WN19-EP-000140\"\n tag fix_id: \"F-99583r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n infopath = json({ command: \"Get-ProcessMitigation -Name INFOPATH.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif infopath.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for INFOPATH.EXE\" do\n subject { infopath }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control 'V-93531' do\n title 'Windows Server 2019 non-system-created file shares must limit access to groups that require it.'\n desc 'Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.'\n desc 'rationale', ''\n desc 'check', \"If only system-created shares such as \\\"ADMIN$\\\", \\\"C$\\\", and \\\"IPC$\\\" exist on the system, this is NA. 
(System-created shares will display a message that it has been shared for administrative purposes when \\\"Properties\\\" is selected.)\n\n Run \\\"Computer Management\\\".\n Navigate to System Tools >> Shared Folders >> Shares.\n Right-click any non-system-created shares.\n Select \\\"Properties\\\".\n Select the \\\"Share Permissions\\\" tab.\n If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.\n Select the \\\"Security\\\" tab.\n If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.\"\n desc 'fix', \"If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it.\n Remove any unnecessary non-system-created shares.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag gid: 'V-93531'\n tag rid: 'SV-103617r1_rule'\n tag stig_id: 'WN19-00-000230'\n tag fix_id: 'F-99775r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w(SC-4 Rev_4)\n\n net_shares = json({ command: 'Get-SMBShare -Special $false | Where-Object -Property Name -notin C$,ADMIN$,IPC$,NETLOGON,SYSVOL | Select Name, Path | ConvertTo-Json' }).params\n\n if net_shares.empty?\n impact 0.0\n describe 'No non-default file shares were detected' do\n skip 'This control is NA'\n end\n else\n case net_shares\n when Hash\n net_shares.each do |_key, value|\n describe 'Unrestricted file shares' do\n subject { command(\"Get-Acl -Path '#{value}' | ?{$_.AccessToString -match 'Everyone\\sAllow'} | %{($_.PSPath -split '::')[1]}\") }\n its('stdout') { should eq '' }\n end\n end\n when Array\n net_shares.each do |paths|\n paths.each do |_key, value|\n describe 'Unrestricted file shares' do\n subject { command(\"Get-Acl -Path '#{value}' | ?{$_.AccessToString -match 'Everyone\\sAllow'} | %{($_.PSPath -split '::')[1]}\") }\n 
its('stdout') { should eq '' }\n end\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93337.rb", - "line": 3 + "ref": "./Windows 2019 STIG/controls/V-93531.rb", + "line": 1 }, - "id": "V-93337" + "id": "V-93531" }, { - "title": "Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.", - "desc": "Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec.", + "title": "Windows Server 2019 built-in administrator account must be renamed.", + "desc": "The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.", "descriptions": { - "default": "Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. 
These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec.", + "default": "The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.", "rationale": "", - "check": "If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented.\n If protection methods have not been implemented, this is a finding.", - "fix": "Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Rename administrator account\" is not set to a value other than \"Administrator\", this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n\n If \"NewAdministratorName\" is not something other than \"Administrator\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Accounts: Rename administrator account\" to a name other than \"Administrator\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000425-GPOS-00189", - "satisfies": [ - "SRG-OS-000425-GPOS-00189", - "SRG-OS-000426-GPOS-00190" - ], - "gid": "V-93543", - "rid": "SV-103629r1_rule", - "stig_id": "WN19-00-000260", - "fix_id": "F-99787r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93281", + "rid": "SV-103369r1_rule", + "stig_id": "WN19-SO-000030", + "fix_id": "F-99527r1_fix", "cci": [ - "CCI-002420", - "CCI-002422" + "CCI-000366" ], "nist": [ - "SC-8 (2)", - "SC-8 (2)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93543\" do\n title \"Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.\"\n desc \"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. 
These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented.\n If protection methods have not been implemented, this is a finding.\"\n desc \"fix\", \"Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000425-GPOS-00189\"\n tag satisfies: [\"SRG-OS-000425-GPOS-00189\", \"SRG-OS-000426-GPOS-00190\"]\n tag gid: \"V-93543\"\n tag rid: \"SV-103629r1_rule\"\n tag stig_id: \"WN19-00-000260\"\n tag fix_id: \"F-99787r1_fix\"\n tag cci: [\"CCI-002420\", \"CCI-002422\"]\n tag nist: [\"SC-8 (2)\", \"SC-8 (2)\", \"Rev_4\"]\n\n describe \"A manual review is required to ensure protection methods such as TLS, encrypted VPNs, or IPSEC are\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.\" do\n skip 'A manual review is 
required to ensure the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs'\n end\nend", + "code": "control \"V-93281\" do\n title \"Windows Server 2019 built-in administrator account must be renamed.\"\n desc \"The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Rename administrator account\\\" is not set to a value other than \\\"Administrator\\\", this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n\n If \\\"NewAdministratorName\\\" is not something other than \\\"Administrator\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Accounts: Rename administrator account\\\" to a name other than \\\"Administrator\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93281\"\n tag rid: \"SV-103369r1_rule\"\n tag stig_id: \"WN19-SO-000030\"\n tag fix_id: \"F-99527r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe security_policy do\n its('NewAdministratorName') { should_not cmp \"Administrator\" }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93543.rb", + "ref": "./Windows 2019 STIG/controls/V-93281.rb", "line": 3 }, - "id": "V-93543" + "id": "V-93281" }, { - "title": "Windows Server 2019 must have the built-in 
guest account disabled.", - "desc": "A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.", + "title": "Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Increase scheduling priority\" user right can change a scheduling priority, causing performance issues or a denial of service.", "descriptions": { - "default": "A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.", + "default": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Increase scheduling priority\" user right can change a scheduling priority, causing performance issues or a denial of service.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n If the value for \"Accounts: Guest account status\" is not set to \"Disabled\", this is a finding.\n \n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"EnableGuestAccount\" equals \"1\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> 
Security Options >> \"Accounts: Guest account status\" to \"Disabled\"." + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \"Increase scheduling priority\" user right, this is a finding:\n - Administrators\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \"SeIncreaseBasePriorityPrivilege\" user right, this is a finding:\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \"Increase scheduling priority\" to include only the following accounts or groups:\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000121-GPOS-00062", - "gid": "V-93497", - "rid": "SV-103583r1_rule", - "stig_id": "WN19-SO-000010", - "fix_id": "F-99741r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93073", + "rid": "SV-103161r1_rule", + "stig_id": "WN19-UR-000140", + "fix_id": "F-99319r1_fix", "cci": [ - "CCI-000804" + "CCI-002235" ], "nist": [ - "IA-8", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93497\" do\n title \"Windows Server 2019 must have the built-in guest account disabled.\"\n desc \"A system faces an increased 
vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n If the value for \\\"Accounts: Guest account status\\\" is not set to \\\"Disabled\\\", this is a finding.\n \n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"EnableGuestAccount\\\" equals \\\"1\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Accounts: Guest account status\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000121-GPOS-00062\"\n tag gid: \"V-93497\"\n tag rid: \"SV-103583r1_rule\"\n tag stig_id: \"WN19-SO-000010\"\n tag fix_id: \"F-99741r1_fix\"\n tag cci: [\"CCI-000804\"]\n tag nist: [\"IA-8\", \"Rev_4\"]\n\n describe security_policy do\n its('EnableGuestAccount') { should cmp 0 }\n end\nend", + "code": "control \"V-93073\" do\n title \"Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \\\"Increase scheduling priority\\\" user right can change a scheduling priority, causing performance issues or a denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to 
Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \\\"Increase scheduling priority\\\" user right, this is a finding:\n - Administrators\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \\\"SeIncreaseBasePriorityPrivilege\\\" user right, this is a finding:\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Increase scheduling priority\\\" to include only the following accounts or groups:\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93073'\n tag 'rid': 'SV-103161r1_rule'\n tag 'stig_id': 'WN19-UR-000140'\n tag 'fix_id': 'F-99319r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n 
describe security_policy do\n its('SeIncreaseBasePriorityPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93497.rb", + "ref": "./Windows 2019 STIG/controls/V-93073.rb", "line": 3 }, - "id": "V-93497" + "id": "V-93073" }, { - "title": "Windows Server 2019 Deny access to this computer from the network user\nright on domain controllers must be configured to prevent unauthenticated\naccess.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "title": "Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.", + "desc": "This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "default": "This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.", "rationale": "", - "check": "This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny access\nto this computer from the network\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \"SeDenyNetworkLogonRight\"\nuser right, this is a finding.\n\n S-1-5-32-546 (Guests)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny\naccess to this computer from the network\" to include the following:\n\n - Guests Group" + "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \"Maximum lifetime for user ticket renewal\" is greater than \"7\" days, this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Maximum lifetime for user ticket renewal\" to a maximum of \"7\" days or less." 
}, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-92999", - "rid": "SV-103087r1_rule", - "stig_id": "WN19-DC-000370", - "fix_id": "F-99245r1_fix", + "gtitle": "SRG-OS-000112-GPOS-00057", + "satisfies": [ + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" + ], + "gid": "V-93449", + "rid": "SV-103535r1_rule", + "stig_id": "WN19-DC-000050", + "fix_id": "F-99693r1_fix", "cci": [ - "CCI-000213" + "CCI-001941", + "CCI-001942" ], "nist": [ - "AC-3", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ] }, - "code": "control \"V-92999\" do\n title \"Windows Server 2019 Deny access to this computer from the network user\nright on domain controllers must be configured to prevent unauthenticated\naccess.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny access to this computer from the network\\\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny access\nto this computer from the network\\\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \\\"SeDenyNetworkLogonRight\\\"\nuser right, this is a finding.\n\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"\n Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny\naccess to this computer from the network\\\" to include the following:\n\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92999'\n tag 'rid': 'SV-103087r1_rule'\n tag 'stig_id': 'WN19-DC-000370'\n tag 'fix_id': 'F-99245r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should eq 
['S-1-5-32-546'] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93449\" do\n title \"Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.\"\n desc \"This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \\\"Maximum lifetime for user ticket renewal\\\" is greater than \\\"7\\\" days, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Maximum lifetime for user ticket renewal\\\" to a maximum of \\\"7\\\" days or less.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93449\"\n tag rid: \"SV-103535r1_rule\"\n tag stig_id: \"WN19-DC-000050\"\n tag fix_id: \"F-99693r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 
(8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxRenewAge') { should be <= 7 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92999.rb", + "ref": "./Windows 2019 STIG/controls/V-93449.rb", "line": 3 }, - "id": "V-92999" + "id": "V-93449" }, { - "title": "Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.", - "desc": "This setting controls the signing requirements for LDAP clients. This must be set to \"Negotiate signing\" or \"Require signing\", depending on the environment and type of LDAP server in use.", + "title": "Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.", + "desc": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Control flow guard (CFG)\", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. If this is turned off, Windows may be subject to various exploits.", "descriptions": { - "default": "This setting controls the signing requirements for LDAP clients. This must be set to \"Negotiate signing\" or \"Require signing\", depending on the environment and type of LDAP server in use.", + "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Control flow guard (CFG)\", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. 
If this is turned off, Windows may be subject to various exploits.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LDAP\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: LDAP client signing requirements\" to \"Negotiate signing\" at a minimum." + "check": "This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"CFG: Enable\" is \"OFF\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)", + "fix": "Ensure Exploit Protection system-level mitigation, \"Control flow guard (CFG)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Control flow guard (CFG)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn CFG on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93303", - "rid": "SV-103391r1_rule", - "stig_id": "WN19-SO-000320", - "fix_id": "F-99549r1_fix", + "gid": "V-93315", + "rid": "SV-103403r1_rule", + "stig_id": "WN19-EP-000030", + "fix_id": "F-99561r1_fix", "cci": [ "CCI-000366" ], 
@@ -3014,546 +2989,512 @@ "Rev_4" ] }, - "code": "control \"V-93303\" do\n title \"Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.\"\n desc \"This setting controls the signing requirements for LDAP clients. This must be set to \\\"Negotiate signing\\\" or \\\"Require signing\\\", depending on the environment and type of LDAP server in use.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP\\\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: LDAP client signing requirements\\\" to \\\"Negotiate signing\\\" at a minimum.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93303\"\n tag rid: \"SV-103391r1_rule\"\n tag stig_id: \"WN19-SO-000320\"\n tag fix_id: \"F-99549r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP') do\n it { should have_property 'LDAPClientIntegrity' }\n its('LDAPClientIntegrity') { should cmp == 1 }\n end\nend", + "code": "control \"V-93315\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Control flow guard (CFG)\\\", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. 
If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement. The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"CFG: Enable\\\" is \\\"OFF\\\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Control flow guard (CFG)\\\", is turned on. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Control flow guard (CFG)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn CFG on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93315\"\n tag rid: \"SV-103403r1_rule\"\n tag stig_id: \"WN19-EP-000030\"\n tag fix_id: \"F-99561r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n systemcfg = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemcfg.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemcfg).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemcfg }\n its(['Cfg','Enable']) { should be_between(0,1) }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93303.rb", + "ref": "./Windows 2019 STIG/controls/V-93315.rb", "line": 3 }, - "id": "V-93303" + "id": "V-93315" }, { - "title": "Windows Server 2019 Deny log on as a batch job user right on domain\ncontrollers must be configured to prevent unauthenticated access.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a batch job\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.", + "title": "Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.", + "desc": "Storage of administrative credentials could allow unauthorized access. 
Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a batch job\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.", + "default": "Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.", "rationale": "", - "check": "This applies to domain controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nas a batch job\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the \"SeDenyBatchLogonRight\"\nuser right, this is a finding:\n\n S-1-5-32-546 (Guests)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non as a batch job\" to include the following:\n\n - Guests Group" + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: DisableRunAs\n\n Type: 
REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \"Disallow WinRM from storing RunAs credentials\" to \"Enabled\"." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93001", - "rid": "SV-103089r1_rule", - "stig_id": "WN19-DC-000380", - "fix_id": "F-99247r1_fix", + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-93429", + "rid": "SV-103515r1_rule", + "stig_id": "WN19-CC-000520", + "fix_id": "F-99673r1_fix", "cci": [ - "CCI-000213" + "CCI-002038" ], "nist": [ - "AC-3", + "IA-11", "Rev_4" ] }, - "code": "control \"V-93001\" do\n title \"Windows Server 2019 Deny log on as a batch job user right on domain\ncontrollers must be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on as a batch job\\\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nas a batch job\\\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the \\\"SeDenyBatchLogonRight\\\"\nuser right, this is a finding:\n\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"\n Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non as a batch job\\\" to include the following:\n\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93001'\n tag 'rid': 'SV-103089r1_rule'\n tag 'stig_id': 'WN19-DC-000380'\n tag 'fix_id': 'F-99247r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyBatchLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n impact 0.0\n describe 
'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93429\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.\"\n desc \"Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: DisableRunAs\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \\\"Disallow WinRM from storing RunAs credentials\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93429\"\n tag rid: \"SV-103515r1_rule\"\n tag stig_id: \"WN19-CC-000520\"\n tag fix_id: \"F-99673r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'DisableRunAs' }\n its('DisableRunAs') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93001.rb", + "ref": "./Windows 2019 STIG/controls/V-93429.rb", "line": 3 }, - "id": "V-93001" + "id": "V-93429" }, { - "title": "Windows Server 
2019 PowerShell script block logging must be enabled.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\nfrom the processing of PowerShell commands and scripts. This can provide\nadditional detail when malware has run on a system.", + "title": "Windows Server 2019 must be configured to audit Detailed Tracking -\nProcess Creation successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\nthe source.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\nfrom the processing of PowerShell commands and scripts. 
This can provide\nadditional detail when malware has run on a system.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\nthe source.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows PowerShell >> \"Turn\non PowerShell Script Block Logging\" to \"Enabled\"." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Process Creation - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Detailed Tracking >> \"Audit Process Creation\" with\n\"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000042-GPOS-00020", - "gid": "V-93175", - "rid": "SV-103263r1_rule", - "stig_id": "WN19-CC-000460", - "fix_id": "F-99421r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-93091", + "rid": "SV-103179r1_rule", + "stig_id": "WN19-AU-000140", + "fix_id": "F-99337r1_fix", "cci": [ - "CCI-000135" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AU-3 (1)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93175\" do\n title \"Windows Server 2019 PowerShell script block logging must be enabled.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\nfrom the processing of PowerShell commands and scripts. This can provide\nadditional detail when malware has run on a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows PowerShell >> \\\"Turn\non PowerShell Script Block Logging\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000042-GPOS-00020'\n tag 'gid': 'V-93175'\n tag 'rid': 'SV-103263r1_rule'\n tag 'stig_id': 'WN19-CC-000460'\n tag 'fix_id': 'F-99421r1_fix'\n tag 'cci': [\"CCI-000135\"]\n tag 'nist': [\"AU-3 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging') do\n it { should have_property 'EnableScriptBlockLogging' }\n its('EnableScriptBlockLogging') { should cmp 1 }\n end\nend\n", + "code": "control \"V-93091\" do\n title \"Windows Server 2019 must be configured to audit Detailed Tracking -\nProcess Creation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Process Creation records events related to the creation of a process and\nthe source.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Process Creation - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Detailed Tracking >> \\\"Audit Process Creation\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000471-GPOS-00215\"]\n tag 'gid': 'V-93091'\n tag 'rid': 'SV-103179r1_rule'\n tag 'stig_id': 'WN19-AU-000140'\n tag 'fix_id': 'F-99337r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Process Creation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Process Creation') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93175.rb", + "ref": 
"./Windows 2019 STIG/controls/V-93091.rb", "line": 3 }, - "id": "V-93175" + "id": "V-93091" }, { - "title": "Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).", - "desc": "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.", + "title": "Windows Server 2019 Act as part of the operating system user right\nmust not be assigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Act as part of the operating system\" user right can\nassume the identity of any user and gain access to resources that the user is\nauthorized to access. Any accounts with this right can take complete control of\na system.", "descriptions": { - "default": "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. 
If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Act as part of the operating system\" user right can\nassume the identity of any user and gain access to resources that the user is\nauthorized to access. Any accounts with this right can take complete control of\na system.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n Run \"MMC\".\n Select \"Add/Remove Snap-in\" from the \"File\" menu.\n Select \"Certificates\" in the left pane and click the \"Add >\" button.\n Select \"Computer Account\" and click \"Next\".\n Select the appropriate option for \"Select the computer you want this snap-in to manage\" and click \"Finish\".\n Click \"OK\".\n Select and expand the Certificates (Local Computer) entry in the left pane.\n Select and expand the Personal entry in the left pane.\n Select the Certificates entry in the left pane. In the right pane, examine the \"Issued By\" field for the certificate to determine the issuing CA.\n If the \"Issued By\" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding.\n If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding.\n There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained:\n\n The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil.\n\n DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. 
The utility package can be downloaded from the PKI and PKE Tools page on IASE:\n http://iase.disa.mil/pki-pke/function_pages/tools.html", - "fix": "Obtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA." + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups (to include administrators), are granted the\n\"Act as part of the operating system\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeTcbPrivilege\" user right, this is a\nfinding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for accounts with this user right must be protected as highly\nprivileged accounts.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Act as part of the operating system\" to be defined but\ncontaining no entries (blank)." 
},
- "impact": 0,
+ "impact": 0.7,
"refs": [],
"tags": {
"severity": null,
- "gtitle": "SRG-OS-000066-GPOS-00034",
- "gid": "V-93483",
- "rid": "SV-103569r1_rule",
- "stig_id": "WN19-DC-000290",
- "fix_id": "F-99727r1_fix",
+ "gtitle": "SRG-OS-000324-GPOS-00125",
+ "gid": "V-93051",
+ "rid": "SV-103139r1_rule",
+ "stig_id": "WN19-UR-000020",
+ "fix_id": "F-99297r1_fix",
"cci": [
- "CCI-000185"
+ "CCI-002235"
],
"nist": [
- "IA-5 (2) (a)",
+ "AC-6 (10)",
"Rev_4"
]
},
- "code": "control \"V-93483\" do\n title \"Windows Server 2019 domain Controller PKI certificates must be issued by the #{input('org_name')[:acronym]} PKI or an approved External Certificate Authority (ECA).\"\n desc \"A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n Run \\\"MMC\\\".\n Select \\\"Add/Remove Snap-in\\\" from the \\\"File\\\" menu.\n Select \\\"Certificates\\\" in the left pane and click the \\\"Add >\\\" button.\n Select \\\"Computer Account\\\" and click \\\"Next\\\".\n Select the appropriate option for \\\"Select the computer you want this snap-in to manage\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Select and expand the Certificates (Local Computer) entry in the left pane.\n Select and expand the Personal entry in the left pane.\n Select the Certificates entry in the left pane. 
In the right pane, examine the \\\"Issued By\\\" field for the certificate to determine the issuing CA.\n If the \\\"Issued By\\\" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the #{input('org_name')[:acronym]} PKI or an approved ECA, this is a finding.\n If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding.\n There are multiple sources from which lists of valid #{input('org_name')[:acronym]} CAs and approved ECAs can be obtained:\n\n The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil.\n\n #{input('org_name')[:acronym]} Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage #{input('org_name')[:acronym]} supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE:\n http://iase.disa.mil/pki-pke/function_pages/tools.html\"\n desc \"fix\", \"Obtain a server certificate for the domain controller issued by the #{input('org_name')[:acronym]} PKI or an approved ECA.\"\n impact 0.7\n tag 'severity': nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag gid: \"V-93483\"\n tag rid: \"SV-103569r1_rule\"\n tag stig_id: \"WN19-DC-000290\"\n tag fix_id: \"F-99727r1_fix\"\n tag cci: [\"CCI-000185\"]\n tag nist: [\"IA-5 (2) (a)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 'This control needs to be check manually' do\n skip 'Control not executed as this test is manual'\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93051\" do\n title \"Windows 
Server 2019 Act as part of the operating system user right\nmust not be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Act as part of the operating system\\\" user right can\nassume the identity of any user and gain access to resources that the user is\nauthorized to access. Any accounts with this right can take complete control of\na system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups (to include administrators), are granted the\n\\\"Act as part of the operating system\\\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeTcbPrivilege\\\" user right, this is a\nfinding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for accounts with this user right must be protected as highly\nprivileged accounts.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Act as part of the operating system\\\" to be defined but\ncontaining no entries (blank).\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 
'V-93051'\n tag 'rid': 'SV-103139r1_rule'\n tag 'stig_id': 'WN19-UR-000020'\n tag 'fix_id': 'F-99297r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeTcbPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93483.rb", + "ref": "./Windows 2019 STIG/controls/V-93051.rb", "line": 3 }, - "id": "V-93483" + "id": "V-93051" }, { - "title": "Windows Server 2019 Autoplay must be turned off for non-volume devices.", - "desc": "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.", + "title": "Windows Server 2019 Load and unload device drivers user right must\nonly be assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Load and unload device drivers\" user right allows a user to load\ndevice drivers dynamically on a system. This could be used by an attacker to\ninstall malicious code.", "descriptions": { - "default": "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. 
As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Load and unload device drivers\" user right allows a user to load\ndevice drivers dynamically on a system. This could be used by an attacker to\ninstall malicious code.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoAutoplayfornonVolume\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Disallow Autoplay for non-volume devices\" to \"Enabled\"." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Load\nand unload device drivers\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeLoadDriverPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Load and\nunload device drivers\" to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-93373", - "rid": "SV-103459r1_rule", - "stig_id": "WN19-CC-000210", - "fix_id": "F-99617r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93075", + "rid": "SV-103163r1_rule", + "stig_id": "WN19-UR-000150", + "fix_id": "F-99321r1_fix", "cci": [ - "CCI-001764" + "CCI-002235" ], "nist": [ - "CM-7 (2)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93373\" do\n title \"Windows Server 2019 Autoplay must be turned off for non-volume devices.\"\n desc \"Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. 
This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoAutoplayfornonVolume\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Disallow Autoplay for non-volume devices\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000368-GPOS-00154\"\n tag gid: \"V-93373\"\n tag rid: \"SV-103459r1_rule\"\n tag stig_id: \"WN19-CC-000210\"\n tag fix_id: \"F-99617r1_fix\"\n tag cci: [\"CCI-001764\"]\n tag nist: [\"CM-7 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer') do\n it { should have_property 'NoAutoplayfornonVolume' }\n its('NoAutoplayfornonVolume') { should cmp == 1 }\n end\nend", + "code": "control \"V-93075\" do\n title \"Windows Server 2019 Load and unload device drivers user right must\nonly be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Load and unload device drivers\\\" user right allows a user to load\ndevice drivers dynamically on a system. 
This could be used by an attacker to\ninstall malicious code.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Load\nand unload device drivers\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeLoadDriverPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Load and\nunload device drivers\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93075'\n tag 'rid': 'SV-103163r1_rule'\n tag 'stig_id': 'WN19-UR-000150'\n tag 'fix_id': 'F-99321r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeLoadDriverPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 
2019 STIG/controls/V-93373.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93075.rb",
"line": 3
},
- "id": "V-93373"
+ "id": "V-93075"
},
{
- "title": "Windows Server 2019 downloading print driver packages over HTTP must be turned off.",
- "desc": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages over HTTP.",
+ "title": "Windows Server 2019 must not save passwords in the Remote Desktop Client.",
+ "desc": "Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.",
"descriptions": {
- "default": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages over HTTP.",
+ "default": "Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. 
The system must be configured to prevent users from saving passwords in the Remote Desktop Client.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableWebPnPDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> \"Turn off downloading of print drivers over HTTP\" to \"Enabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: DisablePasswordSaving\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> \"Do not allow passwords to be saved\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93403", - "rid": "SV-103489r1_rule", - "stig_id": "WN19-CC-000150", - "fix_id": "F-99647r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a", - "Rev_4" - ] - }, - "code": "control \"V-93403\" do\n title \"Windows Server 2019 downloading print driver packages over HTTP must be turned off.\"\n desc \"Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages over HTTP.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableWebPnPDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> \\\"Turn off downloading of print drivers over HTTP\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93403\"\n tag rid: \"SV-103489r1_rule\"\n tag stig_id: \"WN19-CC-000150\"\n tag fix_id: \"F-99647r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers') do\n it { should have_property 'DisableWebPnPDownload' }\n its('DisableWebPnPDownload') { should cmp == 1 }\n end\nend", - "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93403.rb", - "line": 3 - }, - "id": "V-93403" - }, - { - "title": "Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.", - "desc": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Access this computer from the network\" right may access resources on the system, and this right must be limited to those requiring it.", - "descriptions": 
{ - "default": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Access this computer from the network\" right may access resources on the system, and this right must be limited to those requiring it.", - "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \"Access this computer from the network\" right, this is a finding.\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \"SeNetworkLogonRight\" user right, this is a finding.\n S-1-5-32-544 (Administrators)\n S-1-5-11 (Authenticated Users)\n S-1-5-9 (Enterprise Domain Controllers)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \"Access this computer from the network\" to include only the following accounts or groups:\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers" - }, - "impact": 0, - "refs": [], - "tags": { - "severity": null, - "gtitle": 
"SRG-OS-000080-GPOS-00048", - "gid": "V-92995", - "rid": "SV-103083r1_rule", - "stig_id": "WN19-DC-000340", - "fix_id": "F-99241r1_fix", + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-93425", + "rid": "SV-103511r1_rule", + "stig_id": "WN19-CC-000340", + "fix_id": "F-99669r1_fix", "cci": [ - "CCI-000213" + "CCI-002038" ], "nist": [ - "AC-3", + "IA-11", "Rev_4" ] }, - "code": "control \"V-92995\" do\n title \"Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \\\"Access this computer from the network\\\" right may access resources on the system, and this right must be limited to those requiring it.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \\\"Access this computer from the network\\\" right, this is a finding.\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \\\"SeNetworkLogonRight\\\" user right, this is a finding.\n S-1-5-32-544 (Administrators)\n S-1-5-11 (Authenticated Users)\n S-1-5-9 (Enterprise Domain Controllers)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Access this computer from the network\\\" to include only the following accounts or groups:\n - Administrators\n - Authenticated Users\n - Enterprise Domain Controllers\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92995'\n tag 'rid': 'SV-103083r1_rule'\n tag 'stig_id': 'WN19-DC-000340'\n tag 'fix_id': 'F-99241r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n active_network_access_users = security_policy.SeNetworkLogonRight.entries\n allowed_network_access_users = input(\"allowed_network_access_users\")\n 
disallowed_network_access_users = input(\"disallowed_network_access_users\")\n unauthorized_users = []\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n if domain_role == '4' || domain_role == '5'\n active_network_access_users.each do |user|\n next if allowed_network_access_users.include?(user)\n unauthorized_users << user\n end\n disallowed_network_access_users.each do |user|\n unless disallowed_network_access_users == [nil] || unauthorized_users.include?(user)\n unauthorized_users << user\n end\n end\n describe \"Network Logon Privilege must be limited to\" do\n it \"Authorized SIDs: #{allowed_network_access_users}\" do\n failure_message = \"Unauthorized SIDs: #{unauthorized_users}\"\n expect(unauthorized_users).to be_empty, failure_message\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\n end\nend", + "code": "control \"V-93425\" do\n title \"Windows Server 2019 must not save passwords in the Remote Desktop Client.\"\n desc \"Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. 
The system must be configured to prevent users from saving passwords in the Remote Desktop Client.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: DisablePasswordSaving\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> \\\"Do not allow passwords to be saved\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93425\"\n tag rid: \"SV-103511r1_rule\"\n tag stig_id: \"WN19-CC-000340\"\n tag fix_id: \"F-99669r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'DisablePasswordSaving' }\n its('DisablePasswordSaving') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92995.rb", + "ref": "./Windows 2019 STIG/controls/V-93425.rb", "line": 3 }, - "id": "V-92995" + "id": "V-93425" }, { - "title": "Windows Server 2019 Create symbolic links user right must only be\nassigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create symbolic links\" user right can create pointers\nto other objects, which could expose the system to attack.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.", + "desc": "Exploit protection provides a 
means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create symbolic links\" user right can create pointers\nto other objects, which could expose the system to attack.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Create\nsymbolic links\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeCreateSymbolicLinkPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n Systems that have the Hyper-V role will also have \"Virtual Machines\"\ngiven this user right (this may be displayed as \"NT Virtual Machine\\Virtual\nMachines\", SID S-1-5-83-0). 
This is not a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Create\nsymbolic links\" to include only the following accounts or groups:\n\n - Administrators\n\n Systems that have the Hyper-V role will also have \"Virtual Machines\"\ngiven this user right. If this needs to be added manually, enter it as \"NT\nVirtual Machine\\Virtual Machines\"." + "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name VISIO.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for VISIO.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> 
\"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93063", - "rid": "SV-103151r1_rule", - "stig_id": "WN19-UR-000090", - "fix_id": "F-99309r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93359", + "rid": "SV-103447r1_rule", + "stig_id": "WN19-EP-000250", + "fix_id": "F-99605r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93063\" do\n title \"Windows Server 2019 Create symbolic links user right must only be\nassigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Create symbolic links\\\" user right can create pointers\nto other objects, which could expose the system to attack.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Create\nsymbolic links\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeCreateSymbolicLinkPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n Systems that have the Hyper-V role will also have \\\"Virtual Machines\\\"\ngiven this user right (this may be displayed as \\\"NT Virtual 
Machine\\\\Virtual\nMachines\\\", SID S-1-5-83-0). This is not a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Create\nsymbolic links\\\" to include only the following accounts or groups:\n\n - Administrators\n\n Systems that have the Hyper-V role will also have \\\"Virtual Machines\\\"\ngiven this user right. If this needs to be added manually, enter it as \\\"NT\nVirtual Machine\\\\Virtual Machines\\\". \"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93063'\n tag 'rid': 'SV-103151r1_rule'\n tag 'stig_id': 'WN19-UR-000090'\n tag 'fix_id': 'F-99309r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeCreateSymbolicLinkPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control \"V-93359\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name VISIO.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for VISIO.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93359\"\n tag rid: \"SV-103447r1_rule\"\n tag stig_id: \"WN19-EP-000250\"\n tag fix_id: \"F-99605r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n visio = json({ command: \"Get-ProcessMitigation -Name VISIO.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif visio.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for VISIO.EXE\" do\n subject { visio }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93063.rb", + "ref": "./Windows 2019 STIG/controls/V-93359.rb", "line": 3 }, - "id": "V-93063" + "id": "V-93359" }, { - "title": "Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed.", - "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.", + "title": "Windows Server 2019 Kerberos user logon restrictions must be enforced.", + "desc": "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented.", "descriptions": { - "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.", + "default": "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented.", "rationale": "", - "check": "Different methods are available to disable SMBv1 on Windows Server 2019. 
This is the preferred method, however if WN19-00-000390 and WN19-00-000400 are configured, this is NA.\n\n Open \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-WindowsFeature -Name FS-SMB1\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", - "fix": "Uninstall the SMBv1 protocol.\n\n Open \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Uninstall-WindowsFeature -Name FS-SMB1 -Restart\".\n (Omit the Restart parameter if an immediate restart of the system cannot be done.)\n\n Alternately:\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"SMB 1.0/CIFS File Sharing Support\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \"Enforce user logon restrictions\" is not set to \"Enabled\", this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Enforce user logon restrictions\" to \"Enabled\"." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93391", - "rid": "SV-103477r1_rule", - "stig_id": "WN19-00-000380", - "fix_id": "F-99635r1_fix", + "gtitle": "SRG-OS-000112-GPOS-00057", + "satisfies": [ + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" + ], + "gid": "V-93443", + "rid": "SV-103529r1_rule", + "stig_id": "WN19-DC-000020", + "fix_id": "F-99687r1_fix", "cci": [ - "CCI-000381" + "CCI-001941", + "CCI-001942" ], "nist": [ - "CM-7 a", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ] }, - "code": "control \"V-93391\" do\n title \"Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows Server 2019. 
This is the preferred method, however if WN19-00-000390 and WN19-00-000400 are configured, this is NA.\n\n Open \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-WindowsFeature -Name FS-SMB1\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the SMBv1 protocol.\n\n Open \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Uninstall-WindowsFeature -Name FS-SMB1 -Restart\\\".\n (Omit the Restart parameter if an immediate restart of the system cannot be done.)\n\n Alternately:\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"SMB 1.0/CIFS File Sharing Support\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93391\"\n tag rid: \"SV-103477r1_rule\"\n tag stig_id: \"WN19-00-000380\"\n tag fix_id: \"F-99635r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n if powershell(\"Get-ItemPropertyValue 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters' -Name SMB1\").stdout.strip == \"0\" && powershell(\"Get-ItemPropertyValue 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10' -Name Start\").stdout.strip == \"4\"\n impact 0.0\n describe 'Controls V-93393 and V-93395 configuration successful' do\n skip 'This is NA as the successful configuration of Controls V-93393 (STIG ID# WN19-00-000390) and V-93395 (STIG ID# WN19-00-000400) meets the requirement'\n end\n else\n state = powershell(\"Get-WindowsFeature -Name 
FS-SMB1 | Select -ExpandProperty 'InstallState'\").stdout.strip\n describe \"Server Message Block (SMB) v1 protocol msut not be installed\" do\n subject { state }\n it { should_not eq \"Installed\" }\n end\n end\nend", + "code": "control \"V-93443\" do\n title \"Windows Server 2019 Kerberos user logon restrictions must be enforced.\"\n desc \"This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \\\"Enforce user logon restrictions\\\" is not set to \\\"Enabled\\\", this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Enforce user logon restrictions\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93443\"\n tag rid: \"SV-103529r1_rule\"\n tag stig_id: \"WN19-DC-000020\"\n tag fix_id: \"F-99687r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v 
DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('TicketValidateClient') { should eq 1 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93391.rb", + "ref": "./Windows 2019 STIG/controls/V-93443.rb", "line": 3 }, - "id": "V-93391" + "id": "V-93443" }, { - "title": "Windows Server 2019 Internet Protocol version 6 (IPv6) source routing\nmust be configured to the highest protection level to prevent IP source\nrouting.", - "desc": "Configuring the system to disable IPv6 source routing protects against\nspoofing.", + "title": "Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.", + "desc": "Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.", "descriptions": { - "default": "Configuring the system to disable IPv6 source routing protects against\nspoofing.", + "default": "Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \"MSS: (DisableIPSourceRouting IPv6) IP source\nrouting protection level (protects against packet spoofing)\" to \"Enabled\"\nwith \"Highest protection, source routing is completely disabled\" 
selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \"MSS-Legacy.admx\" and\n\"MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n\\Windows\\PolicyDefinitions\\en-US directories respectively." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title options below\n\n \"DoD Notice and Consent Banner\", \"US Department of Defense Warning Statement\", or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150.\n\n Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Interactive Logon: Message title for users attempting to log on\" to \"DoD Notice and Consent Banner\", \"US Department of Defense Warning Statement\", or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN19-SO-000150." 
}, "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93233", - "rid": "SV-103321r1_rule", - "stig_id": "WN19-CC-000030", - "fix_id": "F-99479r1_fix", - "cci": [ - "CCI-000366" + "gtitle": "SRG-OS-000023-GPOS-00006", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" ], - "nist": [ - "CM-6 b", - "Rev_4" - ] - }, - "code": "control \"V-93233\" do\n title \"Windows Server 2019 Internet Protocol version 6 (IPv6) source routing\nmust be configured to the highest protection level to prevent IP source\nrouting.\"\n desc \"Configuring the system to disable IPv6 source routing protects against\nspoofing.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \\\"MSS: (DisableIPSourceRouting IPv6) IP source\nrouting protection level (protects against packet spoofing)\\\" to \\\"Enabled\\\"\nwith \\\"Highest protection, source routing is completely disabled\\\" selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and\n\\\"MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n\\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93233\"\n tag rid: \"SV-103321r1_rule\"\n tag stig_id: \"WN19-CC-000030\"\n tag fix_id: \"F-99479r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2}\n end\nend\n", - "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93233.rb", - "line": 3 - }, - "id": "V-93233" - }, - { - "title": "Windows Server 2019 must not have the Telnet Client installed.", - "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", - "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", - "rationale": "", - "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq Telnet-Client\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", - "fix": "Uninstall the \"Telnet Client\" feature.\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Telnet Client\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": null, - "gtitle": "SRG-OS-000096-GPOS-00050", - "gid": "V-93423", - "rid": "SV-103509r1_rule", - "stig_id": "WN19-00-000360", - "fix_id": "F-99667r1_fix", + "gid": "V-93149", + "rid": "SV-103237r1_rule", + "stig_id": "WN19-SO-000140", + "fix_id": "F-99395r1_fix", "cci": [ - "CCI-000382" + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" ], "nist": [ - "CM-7 b", + "AC-8 a", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c 3", "Rev_4" ] }, - "code": "control \"V-93423\" do\n title \"Windows Server 2019 must not have the Telnet Client installed.\"\n desc \"Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq Telnet-Client\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Telnet Client\\\" feature.\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Telnet Client\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000096-GPOS-00050\"\n tag gid: \"V-93423\"\n tag rid: \"SV-103509r1_rule\"\n tag stig_id: \"WN19-00-000360\"\n tag fix_id: \"F-99667r1_fix\"\n tag cci: [\"CCI-000382\"]\n tag nist: [\"CM-7 b\", \"Rev_4\"]\n\n describe windows_feature('Telnet-Client') do\n it { should_not be_installed }\n end\nend", + "code": "control \"V-93149\" do\n title \"Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.\"\n desc \"Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title options below\n\n 
\\\"#{input('LegalNoticeCaption').join(\"\\\", \\\"\")}\\\", or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150.\n\n Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Interactive Logon: Message title for users attempting to log on\\\" to \\\"#{input('LegalNoticeCaption').join(\"\\\", \\\"\")}\\\", or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN19-SO-000150.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000023-GPOS-00006'\n tag 'satisfies': [\"SRG-OS-000023-GPOS-00006\", \"SRG-OS-000228-GPOS-00088\"]\n tag 'gid': 'V-93149'\n tag 'rid': 'SV-103237r1_rule'\n tag 'stig_id': 'WN19-SO-000140'\n tag 'fix_id': 'F-99395r1_fix'\n tag 'cci': [\"CCI-000048\", \"CCI-001384\", \"CCI-001385\", \"CCI-001386\", \"CCI-001387\", \"CCI-001388\"]\n tag 'nist': [\"AC-8 a\", \"AC-8 c 1\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 3\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LegalNoticeCaption' }\n its('LegalNoticeCaption') { should be_in input('LegalNoticeCaption') }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93423.rb", + "ref": "./Windows 2019 STIG/controls/V-93149.rb", "line": 3 }, - "id": "V-93423" + "id": "V-93149" }, { - "title": "Windows Server 2019 Act as part of the operating system user right\nmust not be assigned to any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide 
system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Act as part of the operating system\" user right can\nassume the identity of any user and gain access to resources that the user is\nauthorized to access. Any accounts with this right can take complete control of\na system.", + "title": "Windows Server 2019 PowerShell script block logging must be enabled.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\nfrom the processing of PowerShell commands and scripts. This can provide\nadditional detail when malware has run on a system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Act as part of the operating system\" user right can\nassume the identity of any user and gain access to resources that the user is\nauthorized to access. Any accounts with this right can take complete control of\na system.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\nfrom the processing of PowerShell commands and scripts. This can provide\nadditional detail when malware has run on a system.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups (to include administrators), are granted the\n\"Act as part of the operating system\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeTcbPrivilege\" user right, this is a\nfinding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for accounts with this user right must be protected as highly\nprivileged accounts.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Act as part of the operating system\" to be defined but\ncontaining no entries (blank)." 
+ "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows PowerShell >> \"Turn\non PowerShell Script Block Logging\" to \"Enabled\"." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93051", - "rid": "SV-103139r1_rule", - "stig_id": "WN19-UR-000020", - "fix_id": "F-99297r1_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "gid": "V-93175", + "rid": "SV-103263r1_rule", + "stig_id": "WN19-CC-000460", + "fix_id": "F-99421r1_fix", "cci": [ - "CCI-002235" + "CCI-000135" ], "nist": [ - "AC-6 (10)", + "AU-3 (1)", "Rev_4" ] }, - "code": "control \"V-93051\" do\n title \"Windows Server 2019 Act as part of the operating system user right\nmust not be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Act as part of the operating system\\\" user right can\nassume the identity of any user and gain access to resources that the user is\nauthorized to access. 
Any accounts with this right can take complete control of\na system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups (to include administrators), are granted the\n\\\"Act as part of the operating system\\\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeTcbPrivilege\\\" user right, this is a\nfinding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for accounts with this user right must be protected as highly\nprivileged accounts.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Act as part of the operating system\\\" to be defined but\ncontaining no entries (blank).\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93051'\n tag 'rid': 'SV-103139r1_rule'\n tag 'stig_id': 'WN19-UR-000020'\n tag 'fix_id': 'F-99297r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export 
/Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeTcbPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control \"V-93175\" do\n title \"Windows Server 2019 PowerShell script block logging must be enabled.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling PowerShell script block logging will record detailed information\nfrom the processing of PowerShell commands and scripts. 
This can provide\nadditional detail when malware has run on a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\\n\n Value Name: EnableScriptBlockLogging\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows PowerShell >> \\\"Turn\non PowerShell Script Block Logging\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000042-GPOS-00020'\n tag 'gid': 'V-93175'\n tag 'rid': 'SV-103263r1_rule'\n tag 'stig_id': 'WN19-CC-000460'\n tag 'fix_id': 'F-99421r1_fix'\n tag 'cci': [\"CCI-000135\"]\n tag 'nist': [\"AU-3 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging') do\n it { should have_property 'EnableScriptBlockLogging' }\n its('EnableScriptBlockLogging') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93051.rb", + "ref": "./Windows 2019 STIG/controls/V-93175.rb", "line": 3 }, - "id": "V-93051" + "id": "V-93175" }, { - "title": "Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.", - "desc": "To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. 
This requirement only applies to unclassified systems.", + "title": "Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.", + "desc": "This setting controls the signing requirements for LDAP clients. This must be set to \"Negotiate signing\" or \"Require signing\", depending on the environment and type of LDAP server in use.", "descriptions": { - "default": "To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.", + "default": "This setting controls the signing requirements for LDAP clients. This must be set to \"Negotiate signing\" or \"Require signing\", depending on the environment and type of LDAP server in use.", "rationale": "", - "check": "This is applicable to unclassified systems. It is NA for others.\n Open \"PowerShell\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where {$_.Issuer -Like \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | FL Subject, Issuer, Thumbprint, NotAfter\n If the following certificate \"Subject\", \"Issuer\", and \"Thumbprint\" information is not displayed, this is a finding.\n If an expired certificate (\"NotAfter\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n NotAfter: 2/17/2019\n\n Alternately, use the Certificates MMC snap-in:\n Run \"MMC\".\n Select \"File\", \"Add/Remove Snap-in\".\n Select \"Certificates\" and click \"Add\".\n Select \"Computer account\" and click \"Next\".\n Select \"Local computer: (the computer this console is running on)\" and click \"Finish\".\n Click \"OK\".\n Expand \"Certificates\" and navigate to \"Untrusted Certificates >> Certificates\".\n For each certificate with \"DoD Root CA...\" under \"Issued To\" and \"DoD Interoperability Root CA...\" under \"Issued By\":\n Right-click on the certificate and select \"Open\".\n Select the \"Details\" Tab.\n Scroll to the bottom and select \"Thumbprint\".\n If the certificates below are not listed or the value for the \"Thumbprint\" field is not as noted, this is a finding.\n If an expired certificate (\"Valid to\" date) is not listed in the results, this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n Valid to: Sunday, September 23, 2018\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n Valid to: Sunday, February 17, 2019", - "fix": "Install the DoD Interoperability Root CA cross-certificates on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n\n Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal 
Tool once as an administrator and once as the current user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LDAP\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: LDAP client signing requirements\" to \"Negotiate signing\" at a minimum." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000066-GPOS-00034", - "satisfies": [ - "SRG-OS-000066-GPOS-00034", - "SRG-OS-000403-GPOS-00182" - ], - "gid": "V-93489", - "rid": "SV-103575r1_rule", - "stig_id": "WN19-PK-000020", - "fix_id": "F-99733r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93303", + "rid": "SV-103391r1_rule", + "stig_id": "WN19-SO-000320", + "fix_id": "F-99549r1_fix", "cci": [ - "CCI-000185", - "CCI-002470" + "CCI-000366" ], "nist": [ - "IA-5 (2) (a)", - "SC-23 (5)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93489\" do\n title \"Windows Server 2019 must have the #{input('org_name')[:acronym]} Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing certificate-based authentication to #{input('org_name')[:acronym]} websites due to the system chaining to a root other than #{input('org_name')[:acronym]} Root CAs, the #{input('org_name')[:acronym]} Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. 
This requirement only applies to unclassified systems.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems. It is NA for others.\n Open \\\"PowerShell\\\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where {$_.Issuer -Like \\\"*DoD Interoperability*\\\" -and $_.Subject -Like \\\"*DoD*\\\"} | FL Subject, Issuer, Thumbprint, NotAfter\n If the following certificate \\\"Subject\\\", \\\"Issuer\\\", and \\\"Thumbprint\\\" information is not displayed, this is a finding.\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n NotAfter: 2/17/2019\n\n Alternately, use the Certificates MMC snap-in:\n Run \\\"MMC\\\".\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n Select \\\"Certificates\\\" and click \\\"Add\\\".\n Select \\\"Computer account\\\" and click \\\"Next\\\".\n Select \\\"Local computer: (the computer this console is running on)\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Expand \\\"Certificates\\\" and navigate to \\\"Untrusted Certificates >> Certificates\\\".\n For each certificate with \\\"DoD Root CA...\\\" under \\\"Issued To\\\" and \\\"DoD Interoperability Root CA...\\\" under \\\"Issued By\\\":\n Right-click on the certificate and select \\\"Open\\\".\n Select the \\\"Details\\\" Tab.\n Scroll to the bottom and select \\\"Thumbprint\\\".\n If the certificates below are not listed or the value for the \\\"Thumbprint\\\" field is not as noted, this is a finding.\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results, this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n Valid to: Sunday, September 23, 2018\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n Valid to: Sunday, February 17, 2019\"\n desc \"fix\", \"Install the DoD Interoperability Root CA cross-certificates on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n\n 
Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag satisfies: [\"SRG-OS-000066-GPOS-00034\", \"SRG-OS-000403-GPOS-00182\"]\n tag gid: \"V-93489\"\n tag rid: \"SV-103575r1_rule\"\n tag stig_id: \"WN19-PK-000020\"\n tag fix_id: \"F-99733r1_fix\"\n tag cci: [\"CCI-000185\", \"CCI-002470\"]\n tag nist: [\"IA-5 (2) (a)\", \"SC-23 (5)\", \"Rev_4\"]\n\n if input('sensitive_system') == true\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else \n dod_interoperability_certificates = JSON.parse(input('dod_interoperability_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' }).params\n \n describe 'Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates.' 
do\n subject { query }\n it { should_not be_empty }\n it { should be_in dod_interoperability_certificates }\n end\n\n unless query.empty?\n case query\n when Hash\n query.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n when Array\n query.each do |certs|\n certs.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n end\n end\n end\n end\nend", + "code": "control \"V-93303\" do\n title \"Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.\"\n desc \"This setting controls the signing requirements for LDAP clients. This must be set to \\\"Negotiate signing\\\" or \\\"Require signing\\\", depending on the environment and type of LDAP server in use.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP\\\\\n\n Value Name: LDAPClientIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: LDAP client signing requirements\\\" to \\\"Negotiate signing\\\" at a minimum.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93303\"\n tag rid: \"SV-103391r1_rule\"\n tag stig_id: \"WN19-SO-000320\"\n tag fix_id: \"F-99549r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LDAP') do\n it { should have_property 'LDAPClientIntegrity' }\n its('LDAPClientIntegrity') { should cmp == 1 }\n end\nend", 
"source_location": { - "ref": "./Windows 2019 STIG/controls/V-93489.rb", + "ref": "./Windows 2019 STIG/controls/V-93303.rb", "line": 3 }, - "id": "V-93489" + "id": "V-93303" }, { - "title": "Windows Server 2019 reversible password encryption must be disabled.", - "desc": "Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled.", + "title": "Windows Server 2019 must be configured to audit Account Management -\nUser Account Management successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.", "descriptions": { - "default": "Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \"Store passwords using reversible encryption\" is not set to \"Disabled\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"ClearTextPassword\" equals \"1\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Store passwords using reversible encryption\" to \"Disabled\"." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit User Account\nManagement\" with \"Success\" selected." }, - "impact": 0.7, + "impact": 0.5, "refs": [], - "tags": { - "severity": null, - "gtitle": "SRG-OS-000073-GPOS-00041", - "gid": "V-93465", - "rid": "SV-103551r1_rule", - "stig_id": "WN19-AC-000090", - "fix_id": "F-99709r1_fix", + "tags": { + "severity": null, + "gtitle": "SRG-OS-000004-GPOS-00004", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-92981", + "rid": "SV-103069r1_rule", + "stig_id": "WN19-AU-000110", + "fix_id": "F-99227r1_fix", "cci": [ - "CCI-000196" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ - "IA-5 (1) (c)", + "AC-2 (4)", + "AU-12 c", + "AC-2 (4)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2(4)", "Rev_4" ] }, - "code": "control \"V-93465\" do\n title \"Windows Server 2019 reversible password encryption must be disabled.\"\n desc \"Storing passwords using reversible encryption is essentially the same as storing clear-text 
versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \\\"Store passwords using reversible encryption\\\" is not set to \\\"Disabled\\\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"ClearTextPassword\\\" equals \\\"1\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Store passwords using reversible encryption\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000073-GPOS-00041\"\n tag gid: \"V-93465\"\n tag rid: \"SV-103551r1_rule\"\n tag stig_id: \"WN19-AC-000090\"\n tag fix_id: \"F-99709r1_fix\"\n tag cci: [\"CCI-000196\"]\n tag nist: [\"IA-5 (1) (c)\", \"Rev_4\"]\n\n describe security_policy do\n its('ClearTextPassword') { should eq 0 }\n end\nend", + "code": "control \"V-92981\" do\n title \"Windows Server 2019 must be configured to audit Account Management -\nUser Account Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n User Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling user accounts.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> User Account Management - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit User Account\nManagement\\\" with \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000004-GPOS-00004'\n tag 'satisfies': [\"SRG-OS-000004-GPOS-00004\", \"SRG-OS-000239-GPOS-00089\",\n\"SRG-OS-000240-GPOS-00090\", \"SRG-OS-000241-GPOS-00091\",\n\"SRG-OS-000303-GPOS-00120\", \"SRG-OS-000476-GPOS-00221\"]\n tag 'gid': 'V-92981'\n tag 'rid': 'SV-103069r1_rule'\n tag 'stig_id': 'WN19-AU-000110'\n tag 'fix_id': 'F-99227r1_fix'\n tag 'cci': [\"CCI-000018\", \"CCI-000172\", \"CCI-001403\", \"CCI-001404\",\n\"CCI-001405\", \"CCI-002130\"]\n tag 'nist': [\"AC-2 (4)\", \"AU-12 c\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2(4)\", 
\"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('User Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('User Account Management') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93465.rb", + "ref": "./Windows 2019 STIG/controls/V-92981.rb", "line": 3 }, - "id": "V-93465" + "id": "V-92981" }, { - "title": "Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.", - "desc": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Digitally sign secure channel data (when possible)\" to \"Enabled\"." + "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name OIS.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for OIS.EXE:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer 
Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-93551", - "rid": "SV-103637r1_rule", - "stig_id": "WN19-SO-000080", - "fix_id": "F-99795r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93347", + "rid": "SV-103435r1_rule", + "stig_id": "WN19-EP-000190", + "fix_id": "F-99593r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000366" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93551\" do\n title \"Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. 
If this policy is enabled, outgoing secure channel traffic will be signed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1) \"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Digitally sign secure channel data (when possible)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93551\"\n tag rid: \"SV-103637r1_rule\"\n tag stig_id: \"WN19-SO-000080\"\n tag fix_id: \"F-99795r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'SignSecureChannel' }\n its('SignSecureChannel') { should cmp == 1 }\n end\nend", + "code": "control \"V-93347\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name OIS.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for OIS.EXE:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93347\"\n tag rid: \"SV-103435r1_rule\"\n tag stig_id: \"WN19-EP-000190\"\n tag fix_id: \"F-99593r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n ois = json({ command: \"Get-ProcessMitigation -Name OIS.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif ois.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for OIS.EXE\" do\n subject { ois }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93551.rb", + "ref": "./Windows 2019 STIG/controls/V-93347.rb", "line": 3 }, - "id": "V-93551" + "id": "V-93347" }, { - "title": "Windows Server 2019 must be configured to audit DS Access - Directory\nService Changes successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.", + "title": "Windows Server 2019 Internet Protocol version 6 (IPv6) source routing\nmust be configured to the highest protection level to prevent IP source\nrouting.", + "desc": "Configuring the system to disable IPv6 source routing protects against\nspoofing.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.", + "default": "Configuring the system to disable IPv6 source routing protects against\nspoofing.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \"Directory Service Changes\" with\n\"Success\" selected." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \"MSS: (DisableIPSourceRouting IPv6) IP source\nrouting protection level (protects against packet spoofing)\" to \"Enabled\"\nwith \"Highest protection, source routing is completely disabled\" selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \"MSS-Legacy.admx\" and\n\"MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n\\Windows\\PolicyDefinitions\\en-US directories respectively." 
}, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93137", - "rid": "SV-103225r1_rule", - "stig_id": "WN19-DC-000260", - "fix_id": "F-99383r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93233", + "rid": "SV-103321r1_rule", + "stig_id": "WN19-CC-000030", + "fix_id": "F-99479r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000366" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93137\" do\n title \"Windows Server 2019 must be configured to audit DS Access - Directory\nService Changes successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \\\"Directory Service Changes\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93137'\n tag 'rid': 'SV-103225r1_rule'\n tag 'stig_id': 'WN19-DC-000260'\n tag 'fix_id': 'F-99383r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success' }\n end\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success and Failure' }\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this 
control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93233\" do\n title \"Windows Server 2019 Internet Protocol version 6 (IPv6) source routing\nmust be configured to the highest protection level to prevent IP source\nrouting.\"\n desc \"Configuring the system to disable IPv6 source routing protects against\nspoofing.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \\\"MSS: (DisableIPSourceRouting IPv6) IP source\nrouting protection level (protects against packet spoofing)\\\" to \\\"Enabled\\\"\nwith \\\"Highest protection, source routing is completely disabled\\\" selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and\n\\\"MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n\\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93233\"\n tag rid: \"SV-103321r1_rule\"\n tag stig_id: \"WN19-CC-000030\"\n tag fix_id: \"F-99479r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2}\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93137.rb", + "ref": "./Windows 2019 STIG/controls/V-93233.rb", "line": 3 }, - "id": "V-93137" + "id": "V-93233" }, { - "title": "Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.", - "desc": "Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.", + "title": "Windows Server 2019 insecure logons to an SMB server must be disabled.", + "desc": "Insecure guest logons allow unauthenticated access to shared folders.\nShared resources on a system must require authentication to establish proper\naccess.", "descriptions": { - "default": "Windows can be configured to automatically sign the user back in after a Windows Update restart. 
Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.", + "default": "Insecure guest logons allow unauthenticated access to shared folders.\nShared resources on a system must require authentication to establish proper\naccess.", "rationale": "", - "check": "Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> \"Sign-in last interactive user automatically after a system-initiated restart\" to \"Disabled\"." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Network >> Lanman Workstation >> \"Enable insecure\nguest logons\" to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00229", - "gid": "V-93269", - "rid": "SV-103357r1_rule", - "stig_id": "WN19-CC-000450", - "fix_id": "F-99515r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93239", + "rid": "SV-103327r1_rule", + "stig_id": "WN19-CC-000070", + "fix_id": "F-99485r1_fix", "cci": [ "CCI-000366" ], 
@@ -3562,171 +3503,163 @@ "Rev_4" ] }, - "code": "control \"V-93269\" do\n title \"Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.\"\n desc \"Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> \\\"Sign-in last interactive user automatically after a system-initiated restart\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00229\"\n tag gid: \"V-93269\"\n tag rid: \"SV-103357r1_rule\"\n tag stig_id: \"WN19-CC-000450\"\n tag fix_id: \"F-99515r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'DisableAutomaticRestartSignOn' }\n its('DisableAutomaticRestartSignOn') { should cmp 1 }\n end\nend", + "code": "control \"V-93239\" do\n title \"Windows Server 2019 insecure logons to an SMB server must be disabled.\"\n desc \"Insecure guest logons allow unauthenticated access to shared folders.\nShared resources on a system must require authentication to establish proper\naccess.\"\n desc \"rationale\", \"\"\n desc 
'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\LanmanWorkstation\\\\\n\n Value Name: AllowInsecureGuestAuth\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Network >> Lanman Workstation >> \\\"Enable insecure\nguest logons\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93239'\n tag 'rid': 'SV-103327r1_rule'\n tag 'stig_id': 'WN19-CC-000070'\n tag 'fix_id': 'F-99485r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation') do\n it { should have_property 'AllowInsecureGuestAuth' }\n its('AllowInsecureGuestAuth') { should cmp 0}\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93269.rb", + "ref": "./Windows 2019 STIG/controls/V-93239.rb", "line": 3 }, - "id": "V-93269" + "id": "V-93239" }, { - "title": "Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.", - "desc": "The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. 
The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.", + "title": "Windows Server 2019 must have the built-in guest account disabled.", + "desc": "A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.", "descriptions": { - "default": "The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.", + "default": "A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n Open an elevated \"Command Prompt\" (run as administrator).\n Enter \"ntdsutil\".\n At the \"ntdsutil:\" prompt, enter \"LDAP policies\".\n At the \"ldap policy:\" prompt, enter \"connections\".\n At the \"server connections:\" prompt, enter \"connect to server [host-name]\"\n (where [host-name] is the computer name of the domain controller).\n At the \"server connections:\" prompt, enter \"q\".\n At the \"ldap policy:\" prompt, enter \"show values\".\n If the value for MaxConnIdleTime is greater than \"300\" (5 minutes) or is not specified, this is a finding.\n Enter \"q\" at the \"ldap policy:\" and \"ntdsutil:\" prompts to exit.\n\n Alternately, Dsquery can be used to display MaxConnIdleTime:\n Open \"Command Prompt (Admin)\".\n Enter the following command (on a single line).\n dsquery * \"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]\" -attr LDAPAdminLimits\n\n The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).\n If the results do not specify a \"MaxConnIdleTime\" or it has a value greater than \"300\" (5 minutes), this is a finding.", - "fix": "Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.\n Open an elevated \"Command prompt\" (run as administrator).\n Enter \"ntdsutil\".\n At the \"ntdsutil:\" prompt, enter \"LDAP policies\".\n At the \"ldap policy:\" prompt, enter \"connections\".\n At the \"server connections:\" prompt, enter \"connect to server [host-name]\" (where [host-name] is the computer name of the domain controller).\n At the \"server connections:\" prompt, enter \"q\".\n At the \"ldap policy:\" prompt, enter \"Set MaxConnIdleTime to 300\".\n Enter \"Commit Changes\" to save.\n Enter \"Show values\" to verify changes.\n Enter \"q\" at the \"ldap policy:\" and \"ntdsutil:\" 
prompts to exit." + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n If the value for \"Accounts: Guest account status\" is not set to \"Disabled\", this is a finding.\n \n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"EnableGuestAccount\" equals \"1\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Accounts: Guest account status\" to \"Disabled\"." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "severity": "", - "gtitle": "SRG-OS-000163-GPOS-00072", - "gid": "V-93509", - "rid": "SV-103595r1_rule", - "stig_id": "WN19-DC-000160", - "fix_id": "F-99753r1_fix", + "severity": null, + "gtitle": "SRG-OS-000121-GPOS-00062", + "gid": "V-93497", + "rid": "SV-103583r1_rule", + "stig_id": "WN19-SO-000010", + "fix_id": "F-99741r1_fix", "cci": [ - "CCI-001133" + "CCI-000804" ], "nist": [ - "SC-10", + "IA-8", "Rev_4" ] }, - "code": "control 'V-93509' do\n title \"Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after #{input('maximum_idle_time')/60} minutes of inactivity.\"\n desc 'The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. 
The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.'\n desc 'rationale', ''\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n Open an elevated \\\"Command Prompt\\\" (run as administrator).\n Enter \\\"ntdsutil\\\".\n At the \\\"ntdsutil:\\\" prompt, enter \\\"LDAP policies\\\".\n At the \\\"ldap policy:\\\" prompt, enter \\\"connections\\\".\n At the \\\"server connections:\\\" prompt, enter \\\"connect to server [host-name]\\\"\n (where [host-name] is the computer name of the domain controller).\n At the \\\"server connections:\\\" prompt, enter \\\"q\\\".\n At the \\\"ldap policy:\\\" prompt, enter \\\"show values\\\".\n If the value for MaxConnIdleTime is greater than \\\"#{input('maximum_idle_time')}\\\" (#{input('maximum_idle_time')/60} minutes) or is not specified, this is a finding.\n Enter \\\"q\\\" at the \\\"ldap policy:\\\" and \\\"ntdsutil:\\\" prompts to exit.\n\n Alternately, Dsquery can be used to display MaxConnIdleTime:\n Open \\\"Command Prompt (Admin)\\\".\n Enter the following command (on a single line).\n dsquery * \\\"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]\\\" -attr LDAPAdminLimits\n\n The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).\n If the results do not specify a \\\"MaxConnIdleTime\\\" or it has a value greater than \\\"#{input('maximum_idle_time')}\\\" (#{input('maximum_idle_time')/60} minutes), this is a finding.\"\n desc 'fix', \"Configure the directory service to terminate LDAP-based network connections to the directory server after #{input('maximum_idle_time')/60} minutes of inactivity.\n Open an elevated \\\"Command prompt\\\" (run as administrator).\n Enter \\\"ntdsutil\\\".\n At the \\\"ntdsutil:\\\" prompt, enter \\\"LDAP policies\\\".\n At the \\\"ldap policy:\\\" prompt, 
enter \\\"connections\\\".\n At the \\\"server connections:\\\" prompt, enter \\\"connect to server [host-name]\\\" (where [host-name] is the computer name of the domain controller).\n At the \\\"server connections:\\\" prompt, enter \\\"q\\\".\n At the \\\"ldap policy:\\\" prompt, enter \\\"Set MaxConnIdleTime to #{input('maximum_idle_time')}\\\".\n Enter \\\"Commit Changes\\\" to save.\n Enter \\\"Show values\\\" to verify changes.\n Enter \\\"q\\\" at the \\\"ldap policy:\\\" and \\\"ntdsutil:\\\" prompts to exit.\"\n impact 0.3\n tag 'severity': ''\n tag 'gtitle': \"SRG-OS-000163-GPOS-00072\"\n tag 'gid': \"V-93509\"\n tag 'rid': \"SV-103595r1_rule\"\n tag 'stig_id': \"WN19-DC-000160\"\n tag 'fix_id': \"F-99753r1_fix\"\n tag 'cci': [\"CCI-001133\"]\n tag 'nist': [\"SC-10\", \"Rev_4\"]\n\n forest_name = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-Json').params\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n \n if domain_role == '4' || domain_role == '5'\n query = command(\"dsquery * 'cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,#{forest_name}' -attr LDAPAdminLimits\").stdout \n ldap_admin_limits = parse_config(query.gsub(/;/, \"\\n\")).params\n describe \"MaxConnIdleTime is configured\" do\n subject { ldap_admin_limits }\n it { should include 'MaxConnIdleTime' }\n end\n describe \"The MaxConnIdleTime\" do\n subject { ldap_admin_limits['MaxConnIdleTime'] }\n it { should cmp <= input(\"maximum_idle_time\") }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend\n", + "code": "control \"V-93497\" do\n title \"Windows Server 2019 must have the built-in guest account disabled.\"\n desc \"A system faces an increased vulnerability threat if the built-in guest account is not disabled. 
This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n If the value for \\\"Accounts: Guest account status\\\" is not set to \\\"Disabled\\\", this is a finding.\n \n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"EnableGuestAccount\\\" equals \\\"1\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Accounts: Guest account status\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000121-GPOS-00062\"\n tag gid: \"V-93497\"\n tag rid: \"SV-103583r1_rule\"\n tag stig_id: \"WN19-SO-000010\"\n tag fix_id: \"F-99741r1_fix\"\n tag cci: [\"CCI-000804\"]\n tag nist: [\"IA-8\", \"Rev_4\"]\n\n describe security_policy do\n its('EnableGuestAccount') { should cmp 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93509.rb", + "ref": "./Windows 2019 STIG/controls/V-93497.rb", "line": 3 }, - "id": "V-93509" + "id": "V-93497" }, { - "title": "Windows Server 2019 virtualization-based security must be enabled with\nthe platform security level configured to Secure Boot or Secure Boot with DMA\nProtection.", - "desc": "Virtualization Based Security (VBS) provides the platform for the\nadditional security features Credential Guard and virtualization-based\nprotection of code integrity. Secure Boot is the minimum security level, with\nDMA protection providing additional memory protection. 
DMA Protection requires\na CPU that supports input/output memory management unit (IOMMU).", + "title": "Windows Server 2019 Deny log on through Remote Desktop Services user\nright on domain controllers must be configured to prevent unauthenticated\naccess.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "descriptions": { - "default": "Virtualization Based Security (VBS) provides the platform for the\nadditional security features Credential Guard and virtualization-based\nprotection of code integrity. Secure Boot is the minimum security level, with\nDMA protection providing additional memory protection. DMA Protection requires\na CPU that supports input/output memory management unit (IOMMU).", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "rationale": "", - "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support\nvirtualization-based security features, including Credential Guard, due to\nspecific supporting requirements, including a TPM, UEFI with Secure Boot, and\nthe capability to run the Hyper-V feature within a virtual machine.\n\n Open \"PowerShell\" with elevated privileges (run as administrator).\n\n Enter the following:\n\n \"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\nroot\\Microsoft\\Windows\\DeviceGuard\"\n\n If \"RequiredSecurityProperties\" does not include a value 
of \"2\"\nindicating \"Secure Boot\" (e.g., \"{1, 2}\"), this is a finding.\n\n If \"Secure Boot and DMA Protection\" is configured, \"3\" will also be\ndisplayed in the results (e.g., \"{1, 2, 3}\").\n\n If \"VirtualizationBasedSecurityStatus\" is not a value of \"2\" indicating\n\"Running\", this is a finding.\n\n Alternately:\n\n Run \"System Information\".\n\n Under \"System Summary\", verify the following:\n\n If \"Device Guard Virtualization based security\" does not display\n\"Running\", this is a finding.\n\n If \"Device Guard Required Security Properties\" does not display \"Base\nVirtualization Support, Secure Boot\", this is a finding.\n\n If \"Secure Boot and DMA Protection\" is configured, \"DMA Protection\"\nwill also be displayed (e.g., \"Base Virtualization Support, Secure Boot, DMA\nProtection\").\n\n The policy settings referenced in the Fix section will configure the\nfollowing registry values. However, due to hardware requirements, the registry\nvalues alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and\nDMA Protection)\n\n A Microsoft TechNet article on Credential Guard, including system\nrequirement details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard", - "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> System >> Device Guard >> \"Turn On Virtualization Based\nSecurity\" to \"Enabled\" with \"Secure Boot\" or \"Secure Boot and DMA\nProtection\" selected.\n\n A Microsoft TechNet article on Credential Guard, including system\nrequirement details, can be found at the following link:\n\n 
https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard" + "check": "This applies to domain controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nthrough Remote Desktop Services\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the\n\"SeDenyRemoteInteractiveLogonRight\" user right, this is a finding.\n\n S-1-5-32-546 (Guests)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non through Remote Desktop Services\" to include the following:\n\n - Guests Group" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93245", - "rid": "SV-103333r1_rule", - "stig_id": "WN19-CC-000110", - "fix_id": "F-99491r1_fix", + "gtitle": "SRG-OS-000297-GPOS-00115", + "gid": "V-92963", + "rid": "SV-103051r1_rule", + "stig_id": "WN19-DC-000410", + "fix_id": "F-99209r1_fix", "cci": [ - "CCI-000366" + "CCI-002314" ], "nist": [ - "CM-6 b", + "AC-17 (1)", "Rev_4" ] }, - "code": "control \"V-93245\" do\n title \"Windows Server 2019 virtualization-based security must be enabled with\nthe platform security level configured to Secure Boot or Secure Boot with DMA\nProtection.\"\n desc \"Virtualization Based Security (VBS) provides the platform for the\nadditional security features Credential Guard and virtualization-based\nprotection of code integrity. 
Secure Boot is the minimum security level, with\nDMA protection providing additional memory protection. DMA Protection requires\na CPU that supports input/output memory management unit (IOMMU).\"\n desc \"rationale\", \"\"\n desc 'check', \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support\nvirtualization-based security features, including Credential Guard, due to\nspecific supporting requirements, including a TPM, UEFI with Secure Boot, and\nthe capability to run the Hyper-V feature within a virtual machine.\n\n Open \\\"PowerShell\\\" with elevated privileges (run as administrator).\n\n Enter the following:\n\n \\\"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace\nroot\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\"\n\n If \\\"RequiredSecurityProperties\\\" does not include a value of \\\"2\\\"\nindicating \\\"Secure Boot\\\" (e.g., \\\"{1, 2}\\\"), this is a finding.\n\n If \\\"Secure Boot and DMA Protection\\\" is configured, \\\"3\\\" will also be\ndisplayed in the results (e.g., \\\"{1, 2, 3}\\\").\n\n If \\\"VirtualizationBasedSecurityStatus\\\" is not a value of \\\"2\\\" indicating\n\\\"Running\\\", this is a finding.\n\n Alternately:\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", verify the following:\n\n If \\\"Device Guard Virtualization based security\\\" does not display\n\\\"Running\\\", this is a finding.\n\n If \\\"Device Guard Required Security Properties\\\" does not display \\\"Base\nVirtualization Support, Secure Boot\\\", this is a finding.\n\n If \\\"Secure Boot and DMA Protection\\\" is configured, \\\"DMA Protection\\\"\nwill also be displayed (e.g., \\\"Base Virtualization Support, Secure Boot, DMA\nProtection\\\").\n\n The policy settings referenced in the Fix section will configure the\nfollowing registry values. 
However, due to hardware requirements, the registry\nvalues alone do not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: EnableVirtualizationBasedSecurity\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n Value Name: RequirePlatformSecurityFeatures\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and\nDMA Protection)\n\n A Microsoft TechNet article on Credential Guard, including system\nrequirement details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> System >> Device Guard >> \\\"Turn On Virtualization Based\nSecurity\\\" to \\\"Enabled\\\" with \\\"Secure Boot\\\" or \\\"Secure Boot and DMA\nProtection\\\" selected.\n\n A Microsoft TechNet article on Credential Guard, including system\nrequirement details, can be found at the following link:\n\n https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93245'\n tag 'rid': 'SV-103333r1_rule'\n tag 'stig_id': 'WN19-CC-000110'\n tag 'fix_id': 'F-99491r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'EnableVirtualizationBasedSecurity' }\n its('EnableVirtualizationBasedSecurity') { should cmp 1 }\n end\n describe.one do\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard') do\n it { should have_property 'RequirePlatformSecurityFeatures' }\n its('RequirePlatformSecurityFeatures') { should cmp 3 }\n end\n end\n end\nend\n", + "code": "control 'V-92963' do\n title \"Windows Server 2019 Deny log on through Remote Desktop Services user\nright on domain controllers must be configured to prevent unauthenticated\naccess.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on through Remote Desktop Services\\\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc 'rationale', ''\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nthrough Remote Desktop Services\\\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the\n\\\"SeDenyRemoteInteractiveLogonRight\\\" user right, this is a finding.\n\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non through Remote Desktop Services\\\" to include the following:\n\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000297-GPOS-00115'\n tag 'gid': 'V-92963'\n tag 'rid': 'SV-103051r1_rule'\n tag 'stig_id': 'WN19-DC-000410'\n tag 'fix_id': 'F-99209r1_fix'\n tag 'cci': ['CCI-002314']\n tag 'nist': ['AC-17 (1)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93245.rb", + "ref": "./Windows 2019 STIG/controls/V-92963.rb", "line": 3 }, - 
"id": "V-93245" + "id": "V-92963" }, { - "title": "Windows Server 2019 Active Directory RID Manager$ object must be\nconfigured with proper audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the RID Manager$ object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "title": "Windows Server 2019 must have orphaned security identifiers (SIDs)\nremoved from user rights.", + "desc": "Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. 
Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the RID Manager$ object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "default": "Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for the \"RID Manager$\" object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select \"System\" under the domain being reviewed in the left pane.\n\n Right-click the \"RID Manager$\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the \"RID Manager$\" object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\nmaster)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)", - "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select \"System\" under the domain being reviewed in the left pane.\n\n Right-click the \"RID Manager$\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for RID Manager$ object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\nmaster)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)" + "check": "Review the effective User Rights setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether\nthey are valid, such as due to being temporarily disconnected from the domain.\n(Unresolved SIDs have the format that begins with \"*S-1-\".)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\ngroups, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /export /areas USER_RIGHTS /cfg c:\\path\\UserRights.txt\n\n The results in the file identify user right assignments by SID instead of\ngroup name. Review the SIDs for unidentified ones. 
A list of typical SIDs \\\nGroups is below, search Microsoft for articles on well-known SIDs for others.\n\n If any unresolved SIDs exist and are not for currently valid accounts or\ngroups, this is a finding.\n\n SID - Group\n S-1-5-11 - Authenticated Users\n S-1-5-113 - Local account\n S-1-5-114 - Local account and member of Administrators group\n S-1-5-19 - Local Service\n S-1-5-20 - Network Service\n S-1-5-32-544 - Administrators\n S-1-5-32-546 - Guests\n S-1-5-6 - Service\n S-1-5-9 - Enterprise Domain Controllers\n S-1-5-domain-512 - Domain Admins\n S-1-5-root domain-519 - Enterprise Admins\n S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 - NT\nService\\WdiServiceHost", + "fix": "Remove any unresolved SIDs found in User Rights assignments and\ndetermined to not be for currently valid accounts or groups by removing the\naccounts or groups from the appropriate group policy." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93131", - "rid": "SV-103219r1_rule", - "stig_id": "WN19-DC-000220", - "fix_id": "F-99377r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93227", + "rid": "SV-103315r1_rule", + "stig_id": "WN19-00-000450", + "fix_id": "F-99473r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000366" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93131\" do\n title \"Windows Server 2019 Active Directory RID Manager$ object must be\nconfigured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. 
A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the RID Manager$ object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the \\\"RID Manager$\\\" object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select \\\"System\\\" under the domain being reviewed in the left pane.\n\n Right-click the \\\"RID Manager$\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the \\\"RID Manager$\\\" object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\nmaster)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n desc 'fix', \"Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select \\\"System\\\" under the domain being reviewed in the left pane.\n\n Right-click the \\\"RID Manager$\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for RID Manager$ object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\nmaster)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93131'\n tag 'rid': 'SV-103219r1_rule'\n tag 'stig_id': 'WN19-DC-000220'\n tag 'fix_id': 'F-99377r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=RID Manager$,CN=System,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n 
its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, ExtendedRight\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93227\" do\n title \"Windows Server 2019 must have orphaned security identifiers (SIDs)\nremoved from user rights.\"\n desc \"Accounts or groups given rights on a system may show up as unresolved\nSIDs for various reasons including deletion of the accounts or groups. If the\naccount or group objects are reanimated, there is a potential they may still\nhave rights no longer intended. 
Valid domain accounts or groups may also show\nup as unresolved SIDs if a connection to the domain cannot be established for\nsome reason.\"\n desc \"rationale\", \"\"\n desc 'check', \"Review the effective User Rights setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n Review each User Right listed for any unresolved SIDs to determine whether\nthey are valid, such as due to being temporarily disconnected from the domain.\n(Unresolved SIDs have the format that begins with \\\"*S-1-\\\".)\n\n If any unresolved SIDs exist and are not for currently valid accounts or\ngroups, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /export /areas USER_RIGHTS /cfg c:\\\\path\\\\UserRights.txt\n\n The results in the file identify user right assignments by SID instead of\ngroup name. Review the SIDs for unidentified ones. 
A list of typical SIDs \\\\\nGroups is below, search Microsoft for articles on well-known SIDs for others.\n\n If any unresolved SIDs exist and are not for currently valid accounts or\ngroups, this is a finding.\n\n SID - Group\n S-1-5-11 - Authenticated Users\n S-1-5-113 - Local account\n S-1-5-114 - Local account and member of Administrators group\n S-1-5-19 - Local Service\n S-1-5-20 - Network Service\n S-1-5-32-544 - Administrators\n S-1-5-32-546 - Guests\n S-1-5-6 - Service\n S-1-5-9 - Enterprise Domain Controllers\n S-1-5-domain-512 - Domain Admins\n S-1-5-root domain-519 - Enterprise Admins\n S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 - NT\nService\\\\WdiServiceHost\"\n desc 'fix', \"Remove any unresolved SIDs found in User Rights assignments and\ndetermined to not be for currently valid accounts or groups by removing the\naccounts or groups from the appropriate group policy.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93227'\n tag 'rid': 'SV-103315r1_rule'\n tag 'stig_id': 'WN19-00-000450'\n tag 'fix_id': 'F-99473r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe \"A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights on Windows Server 2019\" do\n skip 'A manual review is required to ensure orphaned security identifiers (SIDs) are removed from user rights on Windows Server 2019'\n end\n end\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93131.rb", + "ref": "./Windows 2019 STIG/controls/V-93227.rb", "line": 3 }, - "id": "V-93131" + "id": "V-93227" }, { - "title": "Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.", - "desc": "An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. 
However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.", + "title": "Windows Server 2019 Deny log on through Remote Desktop Services user\nright on domain-joined member servers must be configured to prevent access from\nhighly privileged domain accounts and all local accounts and from\nunauthenticated access on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "descriptions": { - "default": "An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. 
However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Accounts: Limit local account use of blank passwords to console logon only\" to \"Enabled\"." + "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nthrough Remote Desktop Services\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the\n\"SeDenyRemoteInteractiveLogonRight\" user right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n S-1-5-113 (\"Local account\")\n\n All Systems:\n S-1-5-32-546 (Guests)\n\n Note: \"Local account\" is referring to the Windows built-in security group.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non through Remote Desktop Services\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n Note: \"Local account\" is referring to the Windows built-in security group." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93279", - "rid": "SV-103367r1_rule", - "stig_id": "WN19-SO-000020", - "fix_id": "F-99525r1_fix", + "gtitle": "SRG-OS-000297-GPOS-00115", + "gid": "V-92965", + "rid": "SV-103053r1_rule", + "stig_id": "WN19-MS-000120", + "fix_id": "F-99211r1_fix", "cci": [ - "CCI-000366" + "CCI-002314" ], "nist": [ - "CM-6 b", + "AC-17 (1)", "Rev_4" ] }, - "code": "control \"V-93279\" do\n title \"Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.\"\n desc \"An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Accounts: Limit local account use of blank passwords to console logon only\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93279\"\n tag rid: \"SV-103367r1_rule\"\n tag stig_id: \"WN19-SO-000020\"\n tag fix_id: \"F-99525r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\Currentcontrolset\\\\Control\\\\Lsa') do\n it { should have_property 
'Limitblankpassworduse' }\n its('Limitblankpassworduse') { should cmp == 1 }\n end\nend", + "code": "control \"V-92965\" do\n title \"Windows Server 2019 Deny log on through Remote Desktop Services user\nright on domain-joined member servers must be configured to prevent access from\nhighly privileged domain accounts and all local accounts and from\nunauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on through Remote Desktop Services\\\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nthrough Remote Desktop Services\\\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the\n\\\"SeDenyRemoteInteractiveLogonRight\\\" user right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n S-1-5-113 (\\\"Local account\\\")\n\n All Systems:\n S-1-5-32-546 (Guests)\n\n Note: \\\"Local account\\\" is referring to the Windows built-in security group.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non through Remote Desktop Services\\\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n Note: \\\"Local account\\\" is referring to the Windows built-in security group.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000297-GPOS-00115'\n tag 'gid': 'V-92965'\n tag 'rid': 'SV-103053r1_rule'\n tag 'stig_id': 'WN19-MS-000120'\n tag 'fix_id': 'F-99211r1_fix'\n tag 'cci': [\"CCI-002314\"]\n tag 'nist': [\"AC-17 (1)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case 
domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe.one do\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"S-1-5-113\" }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"S-1-5-114\" }\n end\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include 'S-1-5-32-546' }\n end\n when '2'\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93279.rb", + "ref": "./Windows 2019 STIG/controls/V-92965.rb", "line": 3 }, - "id": "V-93279" + "id": "V-92965" }, { - "title": "Windows Server 2019 FTP servers must be configured to prevent access\nto the system drive.", - "desc": "The FTP service allows remote users to access shared files and\ndirectories that could provide 
access to system resources and compromise the\nsystem, especially if the user can gain access to the root directory of the\nboot drive.", + "title": "Windows Server 2019 built-in guest account must be renamed.", + "desc": "The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.", "descriptions": { - "default": "The FTP service allows remote users to access shared files and\ndirectories that could provide access to system resources and compromise the\nsystem, especially if the user can gain access to the root directory of the\nboot drive.", + "default": "The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.", "rationale": "", - "check": "If FTP is not installed on the system, this is NA.\n\n Open \"Internet Information Services (IIS) Manager\".\n\n Select \"Sites\" under the server name.\n\n For any sites with a Binding that lists FTP, right-click the site and\nselect \"Explore\".\n\n If the site is not defined to a specific folder for shared FTP resources,\nthis is a finding.\n\n If the site includes any system areas such as root of the drive, Program\nFiles, or Windows directories, this is a finding.", - "fix": "Configure the FTP sites to allow access only to specific FTP\nshared resources. Do not allow access to other areas of the system." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n If the value for \"Accounts: Rename guest account\" is not set to a value other than \"Guest\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"NewGuestName\" is not something other than \"Guest\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Accounts: Rename guest account\" to a name other than \"Guest\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93225", - "rid": "SV-103313r1_rule", - "stig_id": "WN19-00-000430", - "fix_id": "F-99471r1_fix", + "gid": "V-93283", + "rid": "SV-103371r1_rule", + "stig_id": "WN19-SO-000040", + "fix_id": "F-99529r1_fix", "cci": [ "CCI-000366" ], 
@@ -3735,12 +3668,12 @@ "Rev_4" ] }, - "code": "control \"V-93225\" do\n title \"Windows Server 2019 FTP servers must be configured to prevent access\nto the system drive.\"\n desc \"The FTP service allows remote users to access shared files and\ndirectories that could provide access to system resources and compromise the\nsystem, especially if the user can gain access to the root directory of the\nboot drive.\"\n desc \"rationale\", \"\"\n desc 'check', \"If FTP is not installed on the system, this is NA.\n\n Open \\\"Internet Information Services (IIS) Manager\\\".\n\n Select \\\"Sites\\\" under the server name.\n\n For any sites with a Binding that lists FTP, right-click the site and\nselect \\\"Explore\\\".\n\n If the site is not defined to a specific folder for shared FTP resources,\nthis is a finding.\n\n If the site includes any system areas such as root of the drive, Program\nFiles, or Windows directories, this is a finding.\"\n desc 'fix', \"Configure the FTP sites to allow access only to specific FTP\nshared resources. Do not allow access to other areas of the system.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93225'\n tag 'rid': 'SV-103313r1_rule'\n tag 'stig_id': 'WN19-00-000430'\n tag 'fix_id': 'F-99471r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n is_ftp_installed = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n if is_ftp_installed == 'False'\n impact 0.0\n describe 'FTP is not installed' do\n skip 'Control not applicable'\n end\n else\n describe 'Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system.' do\n skip 'Configure the FTP sites to allow access only to specific FTP shared resources. 
Do not allow access to other areas of the system.'\n end\n end\nend\n", + "code": "control \"V-93283\" do\n title \"Windows Server 2019 built-in guest account must be renamed.\"\n desc \"The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n If the value for \\\"Accounts: Rename guest account\\\" is not set to a value other than \\\"Guest\\\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"NewGuestName\\\" is not something other than \\\"Guest\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Accounts: Rename guest account\\\" to a name other than \\\"Guest\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93283\"\n tag rid: \"SV-103371r1_rule\"\n tag stig_id: \"WN19-SO-000040\"\n tag fix_id: \"F-99529r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe security_policy do\n its('NewGuestName') { should_not eq \"Guest\" }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93225.rb", + "ref": "./Windows 2019 STIG/controls/V-93283.rb", "line": 3 }, - "id": "V-93225" + "id": "V-93283" }, { "title": "Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, 
hashing, and signing.", 
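Review bot: The single test in the new V-93283 entry's `code` string, `its('NewGuestName') { should_not eq "Guest" }`, is a case-sensitive equality check and also passes when the key is absent from the exported policy (nil is not equal to "Guest"), so a guest account renamed to `guest` or an export with no `NewGuestName` line both appear compliant. InSpec's `cmp` matcher compares strings case-insensitively, so `its('NewGuestName') { should_not cmp 'Guest' }` tracks the STIG wording "a name other than Guest" more faithfully, and adding `its('NewGuestName') { should_not be_nil }` turns the missing-key case into a failure instead of a silent pass. Because `code` is a Ruby control serialized into this JSON, the change belongs in the `.rb` file named by `source_location` and the baseline should be regenerated from it rather than edited here.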
@@ -3776,23 +3709,56 @@ "id": "V-93511" }, { - "title": "Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.", - "desc": "Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.", + "title": "Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.", + "desc": "When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.", "descriptions": { - "default": "Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.", + "default": "When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. 
When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: scremoveoption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Interactive logon: Smart card removal behavior\" to \"Lock Workstation\" or \"Force Logoff\"." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the permissions on the Domain Controllers OU.\n Open \"Active Directory Users and Computers\" (available from various menus or run \"dsa.msc\").\n Select \"Advanced Features\" in the \"View\" menu if not previously selected.\n Select the \"Domain Controllers\" OU (folder in folder icon).\n Right-click and select \"Properties\".\n Select the \"Security\" tab.\n If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding.\n\n The default permissions listed below satisfy this requirement.\n Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding.\n The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the \"Advanced\" button, the desired Permission entry, and the \"View\" or \"Edit\" button.\n Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n SELF - Special permissions\n Authenticated Users - Read, Special permissions\n The special permissions for Authenticated Users are Read types.\n If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.\n\n SYSTEM - Full Control\n Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Enterprise Admins - Full Control\n Key Admins - Special permissions\n Enterprise Key Admins - Special permissions\n Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Pre-Windows 2000 Compatible Access - Special 
permissions\n The Special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions", + "fix": "Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators.\n The default permissions listed below satisfy this requirement.\n Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions.\n\n CREATOR OWNER - Special permissions\n SELF - Special permissions\n Authenticated Users - Read, Special permissions\n The special permissions for Authenticated Users are Read types.\n SYSTEM - Full Control\n Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Enterprise Admins - Full Control\n Key Admins - Special permissions\n Enterprise Key Admins - Special permissions\n Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Pre-Windows 2000 Compatible Access - Special permissions\n The special permissions for Pre-Windows 2000 Compatible Access are Read types.\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions" }, - "impact": 0.5, + "impact": 0, + "refs": [], + "tags": { + "severity": null, + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93035", + "rid": "SV-103123r1_rule", + "stig_id": "WN19-DC-000100", + "fix_id": "F-99281r1_fix", + "cci": [ + "CCI-002235" + ], + "nist": [ + "AC-6 (10)", + "Rev_4" + ] + }, + "code": "control \"V-93035\" do\n title \"Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control 
permissions.\"\n desc \"When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on the Domain Controllers OU.\n Open \\\"Active Directory Users and Computers\\\" (available from various menus or run \\\"dsa.msc\\\").\n Select \\\"Advanced Features\\\" in the \\\"View\\\" menu if not previously selected.\n Select the \\\"Domain Controllers\\\" OU (folder in folder icon).\n Right-click and select \\\"Properties\\\".\n Select the \\\"Security\\\" tab.\n If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding.\n\n The default permissions listed below satisfy this requirement.\n Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding.\n The permissions shown are at the summary level. 
More detailed permissions can be viewed by selecting the \\\"Advanced\\\" button, the desired Permission entry, and the \\\"View\\\" or \\\"Edit\\\" button.\n Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n SELF - Special permissions\n Authenticated Users - Read, Special permissions\n The special permissions for Authenticated Users are Read types.\n If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.\n\n SYSTEM - Full Control\n Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Enterprise Admins - Full Control\n Key Admins - Special permissions\n Enterprise Key Admins - Special permissions\n Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Pre-Windows 2000 Compatible Access - Special permissions\n The Special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n desc 'fix', \"Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators.\n The default permissions listed below satisfy this requirement.\n Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. 
These may include some change related permissions.\n\n CREATOR OWNER - Special permissions\n SELF - Special permissions\n Authenticated Users - Read, Special permissions\n The special permissions for Authenticated Users are Read types.\n SYSTEM - Full Control\n Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Enterprise Admins - Full Control\n Key Admins - Special permissions\n Enterprise Key Admins - Special permissions\n Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Pre-Windows 2000 Compatible Access - Special permissions\n The special permissions for Pre-Windows 2000 Compatible Access are Read types.\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93035'\n tag 'rid': 'SV-103123r1_rule'\n tag 'stig_id': 'WN19-DC-000100'\n tag 'fix_id': 'F-99281r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n perm_query = <<-EOH\n import-module ActiveDirectory\n Set-Location ad:\n $distinguishedName = (Get-ADDomain).DistinguishedName\n $acl_rules = (Get-Acl \"OU=Domain Controllers,$distinguishedName\").Access\n $acl_rules | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json\n EOH\n\n acl_rules = json(command: perm_query).params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\ENTERPRISE DOMAIN 
CONTROLLERS\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericRead\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericRead\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should cmp \"ReadProperty\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n 
its(['ActiveDirectoryRights']) { should cmp \"ReadProperty, WriteProperty\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"ReadProperty, WriteProperty, ExtendedRight\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should cmp \"ListChildren\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should cmp \"CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner\"}\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", + "source_location": { + "ref": "./Windows 2019 STIG/controls/V-93035.rb", + "line": 3 + }, + "id": "V-93035" + }, + { + "title": "Windows Server 2019 directory data (outside the root DSE) of a non-public 
directory must be configured to prevent anonymous access.", + "desc": "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.", + "descriptions": { + "default": "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.", + "rationale": "", + "check": "This applies to domain controllers. It is NA for other systems.\n\n Open \"Command Prompt\" (not elevated).\n Run \"ldp.exe\".\n From the \"Connection menu\", select \"Bind\".\n Clear the User, Password, and Domain fields.\n Select \"Simple bind\" for the Bind type and click \"OK\".\n Confirmation of anonymous access will be displayed at the end:\n res = ldap_simple_bind_s\n Authenticated as: 'NT AUTHORITY\\ANONYMOUS LOGON'\n From the \"Browse\" menu, select \"Search\".\n In the Search dialog, enter the DN of the domain naming context (generally something like \"dc=disaost,dc=mil\") in the Base DN field.\n Clear the Attributes field and select \"Run\".\n Error messages should display related to Bind and user not authenticated.\n\n If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.\n The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access.\n Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions.\n Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts 
not explicitly identified by domain (.mil) or IP address.", + "fix": "Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access.\n For AD, there are multiple configuration items that could enable anonymous access.\n Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc).\n The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG." + }, + "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93287", - "rid": "SV-103375r1_rule", - "stig_id": "WN19-SO-000150", - "fix_id": "F-99533r1_fix", + "gid": "V-93271", + "rid": "SV-103359r1_rule", + "stig_id": "WN19-DC-000150", + "fix_id": "F-99517r1_fix", "cci": [ "CCI-000366" ], 
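Review bot: The new V-93035 entry records `"impact": 0` in the JSON while its own serialized `code` declares `impact 0.7`, so the baseline advertises a CAT I domain-controller control as not applicable, and the new V-93271 entry carries the same `"impact": 0`. This looks like the value the `else` branch's `impact 0.0` produced when the profile was exported on a host that is not a domain controller (or under a mock backend where `command(...)` returns empty stdout), so the JSON should be regenerated from the controls' declared metadata rather than from a host evaluation, or the exporter should read the static `impact`. Separately, the `describe.one` block asserting `NT AUTHORITY\SYSTEM` holds `GenericAll` appears twice in the `code` string and one copy can be dropped. Finally, every `describe.one` only confirms that an expected ACE is present; nothing fails when an additional principal outside System, Domain Admins, Enterprise Admins and Administrators holds write-type rights, which is exactly the condition the check text calls a finding, so an extra describe that iterates `acl_rules` and flags write-capable `ActiveDirectoryRights` for unlisted principals (allowing for the Exchange entries the check text exempts) would close that detection gap.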
@@ -3801,280 +3767,276 @@ "Rev_4" ] }, - "code": "control \"V-93287\" do\n title \"Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.\"\n desc \"Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: scremoveoption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. 
This must be documented with the ISSO.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Interactive logon: Smart card removal behavior\\\" to \\\"Lock Workstation\\\" or \\\"Force Logoff\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93287\"\n tag rid: \"SV-103375r1_rule\"\n tag stig_id: \"WN19-SO-000150\"\n tag fix_id: \"F-99533r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'scremoveoption' }\n its('scremoveoption') { should be_between(\"1\", \"2\") }\n end\nend", + "code": "control \"V-93271\" do\n title \"Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.\"\n desc \"To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Open \\\"Command Prompt\\\" (not elevated).\n Run \\\"ldp.exe\\\".\n From the \\\"Connection menu\\\", select \\\"Bind\\\".\n Clear the User, Password, and Domain fields.\n Select \\\"Simple bind\\\" for the Bind type and click \\\"OK\\\".\n Confirmation of anonymous access will be displayed at the end:\n res = ldap_simple_bind_s\n Authenticated as: 'NT AUTHORITY\\\\ANONYMOUS LOGON'\n From the \\\"Browse\\\" menu, select \\\"Search\\\".\n In the Search dialog, enter the DN of the domain naming context (generally something like \\\"dc=disaost,dc=mil\\\") in the Base DN field.\n Clear the Attributes field and select \\\"Run\\\".\n Error messages should display related to Bind and user not authenticated.\n\n If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.\n The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access.\n Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions.\n Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.\"\n desc \"fix\", \"Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access.\n For AD, there are multiple configuration items that could enable anonymous access.\n Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc).\n The dsHeuristics option is used. 
This is addressed in check V-8555 in the AD Forest STIG.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93271\"\n tag rid: \"SV-103359r1_rule\"\n tag stig_id: \"WN19-DC-000150\"\n tag fix_id: \"F-99517r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 'Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.' do\n skip 'Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access is a manual control'\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93287.rb", + "ref": "./Windows 2019 STIG/controls/V-93271.rb", "line": 3 }, - "id": "V-93287" + "id": "V-93271" }, { - "title": "Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).", - "desc": "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.", + "title": "Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.", + "desc": "Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. 
If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", "descriptions": { - "default": "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.", + "default": "Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. 
Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n Review user account mappings to PKI certificates.\n Open \"Windows PowerShell\".\n Enter \"Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled\".\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.\n For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).\n Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization.\n\n NIPRNet Example:\n\n Name - User Principal Name\n User1 - 1234567890@mil\n\n See PKE documentation for other network domain suffixes.\n If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.", - "fix": "Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details." + "check": "Determine if emergency administrator accounts are used and identify any that exist. 
If none exist, this is NA.\n If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved.\n If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding.\n\n Domain Controllers:\n Open \"PowerShell\".\n Enter \"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\".\n If \"AccountExpirationDate\" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.\n\n Member servers and standalone systems:\n Open \"Command Prompt\".\n Run \"Net user [username]\", where [username] is the name of the emergency account.\n If \"Account expires\" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.", + "fix": "Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours.\n Domain accounts can be configured with an account expiration date, under \"Account\" properties.\n Local accounts can be configured to expire with the command \"Net user [username] /expires:[mm/dd/yyyy]\", where username is the name of the temporary user account." 
}, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000066-GPOS-00034", - "gid": "V-93485", - "rid": "SV-103571r1_rule", - "stig_id": "WN19-DC-000300", - "fix_id": "F-99729r1_fix", + "gtitle": "SRG-OS-000123-GPOS-00064", + "gid": "V-92977", + "rid": "SV-103065r1_rule", + "stig_id": "WN19-00-000310", + "fix_id": "F-99223r1_fix", "cci": [ - "CCI-000185" + "CCI-001682" ], "nist": [ - "IA-5 (2) (a)", + "AC-2 (2)", "Rev_4" ] }, - "code": "control \"V-93485\" do\n title \"Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).\"\n desc \"A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n Review user account mappings to PKI certificates.\n Open \\\"Windows PowerShell\\\".\n Enter \\\"Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled\\\".\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.\n For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).\n Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. 
Verified these with the organization.\n\n NIPRNet Example:\n\n Name - User Principal Name\n User1 - 1234567890@mil\n\n See PKE documentation for other network domain suffixes.\n If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.\"\n desc \"fix\", \"Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag gid: \"V-93485\"\n tag rid: \"SV-103571r1_rule\"\n tag stig_id: \"WN19-DC-000300\"\n tag fix_id: \"F-99729r1_fix\"\n tag cci: [\"CCI-000185\"]\n tag nist: [\"IA-5 (2) (a)\", \"Rev_4\"]\n\n describe 'This control needs to be check manually' do\n skip 'Control not executed as this test is manual'\n end\nend", + "code": "control \"V-92977\" do\n title \"Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within #{input('emergency_account_period')*24} hours.\"\n desc \"Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. 
A permanent account should be established for privileged users who need long-term maintenance accounts.\n To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA.\n If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved.\n If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding.\n\n Domain Controllers:\n Open \\\"PowerShell\\\".\n Enter \\\"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\\\".\n If \\\"AccountExpirationDate\\\" has been defined and is not within #{input('emergency_account_period')*24} hours for an emergency administrator account, this is a finding.\n\n Member servers and standalone systems:\n Open \\\"Command Prompt\\\".\n Run \\\"Net user [username]\\\", where [username] is the name of the emergency account.\n If \\\"Account expires\\\" has been defined and is not within #{input('emergency_account_period')*24} hours for an emergency administrator account, this is a finding.\"\n desc 'fix', \"Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within #{input('emergency_account_period')*24} hours.\n Domain accounts can be configured with an account expiration date, under \\\"Account\\\" properties.\n Local accounts can be configured to expire with the command \\\"Net user [username] /expires:[mm/dd/yyyy]\\\", where username is the name of the temporary user account.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 
'SRG-OS-000123-GPOS-00064'\n tag 'gid': 'V-92977'\n tag 'rid': 'SV-103065r1_rule'\n tag 'stig_id': 'WN19-00-000310'\n tag 'fix_id': 'F-99223r1_fix'\n tag 'cci': [\"CCI-001682\"]\n tag 'nist': [\"AC-2 (2)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n \n if domain_role == '4' || domain_role == '5'\n emergency_accounts_list = input('emergency_accounts_domain')\n if emergency_accounts_list == [nil]\n impact 0.0\n describe 'There are no Emergency Account listed for this Control' do\n skip 'This becomes a manual check if the input emergency_accounts_domain is not assigned a value'\n end\n else\n emergency_accounts = []\n emergency_accounts_list.each do |emergency_account|\n emergency_accounts << json({ command: \"Get-ADUser -Identity #{emergency_account} -Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\"}).params\n end\n emergency_accounts.each do |emergency_account|\n account_name = emergency_account.fetch(\"SamAccountName\")\n if emergency_account.fetch(\"WhenCreated\") == nil\n describe \"#{account_name} account's creation date\" do\n subject { emergency_account.fetch(\"WhenCreated\") }\n it { should_not eq nil}\n end\n elsif emergency_account.fetch(\"AccountExpirationDate\") == nil\n describe \"#{account_name} account's expiration date\" do\n subject { emergency_account.fetch(\"AccountExpirationDate\") }\n it { should_not eq nil}\n end\n else\n creation_date = Date.parse(emergency_account.fetch(\"WhenCreated\"))\n expiration_date = Date.parse(emergency_account.fetch(\"AccountExpirationDate\"))\n date_difference = expiration_date.mjd - creation_date.mjd\n describe \"Account expiration set for #{account_name}\" do\n subject { date_difference }\n it { should cmp <= 
input('emergency_account_period')}\n end\n end\n end\n end\n else\n emergency_accounts_list = input('emergency_accounts_local')\n if emergency_accounts_list == [nil]\n impact 0.0\n describe 'There are no Emergency Account listed for this Control' do\n skip 'This is not applicable as there are no Emergency Account listed for this Control'\n end\n else\n emergency_accounts = []\n emergency_accounts_list.each do |emergency_account|\n emergency_accounts << json({ command: \"Get-LocalUser -Name #{emergency_account} | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\"}).params\n end\n emergency_accounts.each do |emergency_account|\n user_name = emergency_account.fetch(\"Name\")\n if emergency_account.fetch(\"PasswordLastSet\") == nil\n describe \"#{user_name} account's password last set date\" do\n subject { emergency_account.fetch(\"PasswordLastSet\") }\n it { should_not eq nil}\n end\n elsif emergency_account.fetch(\"AccountExpires\") == nil\n describe \"#{user_name} account's expiration date\" do\n subject { emergency_account.fetch(\"AccountExpires\") }\n it { should_not eq nil}\n end\n else\n password_date = Date.parse(emergency_account.fetch(\"PasswordLastSet\"))\n expiration_date = Date.parse(emergency_account.fetch(\"AccountExpires\"))\n date_difference = expiration_date.mjd - password_date.mjd\n describe \"Account expiration set for #{user_name}\" do\n subject { date_difference }\n it { should cmp <= input('emergency_account_period')}\n end\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93485.rb", + "ref": "./Windows 2019 STIG/controls/V-92977.rb", "line": 3 }, - "id": "V-93485" + "id": "V-92977" }, { - "title": "Windows Server 2019 machine inactivity limit must be set to 15 minutes\nor less, locking the system with the screen saver.", - "desc": "Unattended 
systems are susceptible to unauthorized use and should be\nlocked when unattended. The screen saver should be set at a maximum of 15\nminutes and be password protected. This protects critical and sensitive data\nfrom exposure to unauthorized personnel with physical access to the computer.", + "title": "Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.", + "desc": "Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights.", "descriptions": { - "default": "Unattended systems are susceptible to unauthorized use and should be\nlocked when unattended. The screen saver should be set at a maximum of 15\nminutes and be password protected. This protects critical and sensitive data\nfrom exposure to unauthorized personnel with physical access to the computer.", + "default": "Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less, excluding \"0\" which is effectively\ndisabled)", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> Security Options >>\n\"Interactive logon: Machine inactivity limit\" to \"900\" seconds or less,\nexcluding \"0\" which is effectively disabled." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Let Everyone permissions apply to anonymous users\" to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000028-GPOS-00009", - "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000029-GPOS-00010", - "SRG-OS-000031-GPOS-00012" - ], - "gid": "V-92961", - "rid": "SV-103049r1_rule", - "stig_id": "WN19-SO-000120", - "fix_id": "F-99207r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93293", + "rid": "SV-103381r1_rule", + "stig_id": "WN19-SO-000240", + "fix_id": "F-99539r1_fix", "cci": [ - "CCI-000056", - "CCI-000057", - "CCI-000060" + "CCI-000366" ], "nist": [ - "AC-11 b", - "AC-11 a", - "AC-11 (1)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-92961\" do\n title \"Windows Server 2019 machine inactivity limit must be set to 15 minutes\nor less, locking the system with the screen saver.\"\n desc \"Unattended systems are susceptible to unauthorized use and should be\nlocked when unattended. The screen saver should be set at a maximum of 15\nminutes and be password protected. 
This protects critical and sensitive data\nfrom exposure to unauthorized personnel with physical access to the computer.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less, excluding \\\"0\\\" which is effectively\ndisabled)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> Security Options >>\n\\\"Interactive logon: Machine inactivity limit\\\" to \\\"900\\\" seconds or less,\nexcluding \\\"0\\\" which is effectively disabled.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000028-GPOS-00009'\n tag 'satisfies': [\"SRG-OS-000028-GPOS-00009\", \"SRG-OS-000029-GPOS-00010\",\n\"SRG-OS-000031-GPOS-00012\"]\n tag 'gid': 'V-92961'\n tag 'rid': 'SV-103049r1_rule'\n tag 'stig_id': 'WN19-SO-000120'\n tag 'fix_id': 'F-99207r1_fix'\n tag 'cci': [\"CCI-000056\", \"CCI-000057\", \"CCI-000060\"]\n tag 'nist': [\"AC-11 b\", \"AC-11 a\", \"AC-11 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n its('InactivityTimeoutSecs') { should be <= 900 }\n its('InactivityTimeoutSecs') { should_not eq 0 }\n end\nend\n", + "code": "control \"V-93293\" do\n title \"Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.\"\n desc \"Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. 
Anonymous users must not have these permissions or rights.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Let Everyone permissions apply to anonymous users\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93293\"\n tag rid: \"SV-103381r1_rule\"\n tag stig_id: \"WN19-SO-000240\"\n tag fix_id: \"F-99539r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'EveryoneIncludesAnonymous' }\n its('EveryoneIncludesAnonymous') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92961.rb", + "ref": "./Windows 2019 STIG/controls/V-93293.rb", "line": 3 }, - "id": "V-92961" + "id": "V-93293" }, { - "title": "Windows Server 2019 must prevent Indexing of encrypted files.", - "desc": "Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.", + "title": "Windows Server 2019 computer account password must not be prevented from being reset.", + "desc": "Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. 
A new password for the computer account will be generated every 30 days.", "descriptions": { - "default": "Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.", + "default": "Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. A new password for the computer account will be generated every 30 days.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> \"Allow indexing of encrypted files\" to \"Disabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Disable machine account password changes\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93415", - "rid": "SV-103501r1_rule", - "stig_id": "WN19-CC-000410", - "fix_id": "F-99659r1_fix", + "gtitle": "SRG-OS-000379-GPOS-00164", + "gid": "V-93455", + "rid": "SV-103541r1_rule", + "stig_id": "WN19-SO-000090", + "fix_id": "F-99699r1_fix", "cci": [ - "CCI-000381" + "CCI-001967" ], "nist": [ - "CM-7 a", + "IA-3 (1)", "Rev_4" ] }, - "code": "control \"V-93415\" do\n title \"Windows Server 2019 must prevent Indexing of encrypted files.\"\n desc \"Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Windows Search\\\\\n\n Value Name: AllowIndexingEncryptedStoresOrItems\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> \\\"Allow indexing of encrypted files\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93415\"\n tag rid: \"SV-103501r1_rule\"\n tag stig_id: \"WN19-CC-000410\"\n tag fix_id: \"F-99659r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search') do\n it { should have_property 'AllowIndexingEncryptedStoresOrItems' }\n its('AllowIndexingEncryptedStoresOrItems') { should cmp 0 }\n end\nend", + "code": "control \"V-93455\" do\n title \"Windows Server 2019 computer account password must not be prevented from being reset.\"\n desc \"Computer account passwords are changed automatically on a regular basis. 
Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. A new password for the computer account will be generated every 30 days.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Disable machine account password changes\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000379-GPOS-00164\"\n tag gid: \"V-93455\"\n tag rid: \"SV-103541r1_rule\"\n tag stig_id: \"WN19-SO-000090\"\n tag fix_id: \"F-99699r1_fix\"\n tag cci: [\"CCI-001967\"]\n tag nist: [\"IA-3 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'DisablePasswordChange' }\n its('DisablePasswordChange') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93415.rb", + "ref": "./Windows 2019 STIG/controls/V-93455.rb", "line": 3 }, - "id": "V-93415" + "id": "V-93455" }, { - "title": "Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.", - "desc": "Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.", + "title": "Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.", + "desc": "User Account 
Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.", "descriptions": { - "default": "Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.", + "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Do not allow anonymous enumeration of SAM accounts\" to \"Enabled\"." 
+ "check": "UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (Prompt for consent on the secure desktop)\n 0x00000001 (1) (Prompt for credentials on the secure desktop)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode\" to \"Prompt for consent on the secure desktop\".\n\nThe more secure option for this setting, \"Prompt for credentials on the secure desktop\", would also be acceptable." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93291", - "rid": "SV-103379r1_rule", - "stig_id": "WN19-SO-000220", - "fix_id": "F-99537r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-93523", + "rid": "SV-103609r1_rule", + "stig_id": "WN19-SO-000400", + "fix_id": "F-99767r1_fix", "cci": [ - "CCI-000366" + "CCI-001084" ], "nist": [ - "CM-6 b", + "SC-3", "Rev_4" ] }, - "code": "control \"V-93291\" do\n title \"Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.\"\n desc \"Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictAnonymousSAM\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Do not allow anonymous enumeration of SAM accounts\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93291\"\n tag rid: \"SV-103379r1_rule\"\n tag stig_id: \"WN19-SO-000220\"\n tag fix_id: \"F-99537r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'RestrictAnonymousSAM' }\n its('RestrictAnonymousSAM') { should cmp == 1 }\n end \nend", + "code": "control \"V-93523\" do\n title \"Windows Server 2019 User Account Control must, at a minimum, prompt 
administrators for consent on the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (Prompt for consent on the secure desktop)\n 0x00000001 (1) (Prompt for credentials on the secure desktop)\"\n desc \"fix\", \"\n Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode\\\" to \\\"Prompt for consent on the secure desktop\\\".\n\n The more secure option for this setting, \\\"Prompt for credentials on the secure desktop\\\", would also be acceptable.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93523\"\n tag rid: \"SV-103609r1_rule\"\n tag stig_id: \"WN19-SO-000400\"\n tag fix_id: \"F-99767r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorAdmin' }\n its('ConsentPromptBehaviorAdmin') { should be_between(1,2) }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93291.rb", + "ref": "./Windows 2019 STIG/controls/V-93523.rb", "line": 3 }, - "id": "V-93291" + "id": "V-93523" }, { - "title": "Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.", - "desc": "Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.", + "title": "Windows Server 2019 manually managed application account passwords must be at least 15 characters in length.", + "desc": "Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.", "descriptions": { - "default": "Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and only permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.", + "default": "Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.", "rationale": "", - "check": "This is applicable to unclassified systems. For other systems, this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\n If an application whitelisting program is not in use on the system, this is a finding.\n Configuration of whitelisting applications will vary by the program.\n AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.\n If AppLocker is used, perform the following to view the configuration of AppLocker:\n\n Open \"PowerShell\".\n If the AppLocker PowerShell module has not been imported previously, execute the following first:\n Import-Module AppLocker\n Execute the following command, substituting [c:\\temp\\file.xml] with a location and file name appropriate for the system:\n Get-AppLockerPolicy -Effective -XML > c:\\temp\\file.xml\n This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.\n Implementation guidance for AppLocker is available in the NSA paper \"Application Whitelisting using Microsoft AppLocker\" at the following link:\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "fix": "Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\n\n 
Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server.\n If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker.\n Implementation guidance for AppLocker is available in the NSA paper \"Application Whitelisting using Microsoft AppLocker\" at the following link:\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" + "check": "Determine if manually managed application/service accounts exist. If none exist, this is NA.\n\n Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length.\n\n If such a policy does not exist or has not been implemented, this is a finding.", + "fix": "Establish a policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000370-GPOS-00155", - "gid": "V-93379", - "rid": "SV-103465r1_rule", - "stig_id": "WN19-00-000080", - "fix_id": "F-99623r1_fix", + "gtitle": "SRG-OS-000078-GPOS-00046", + "gid": "V-93461", + "rid": "SV-103547r1_rule", + "stig_id": "WN19-00-000050", + "fix_id": "F-99705r1_fix", "cci": [ - "CCI-001774" + "CCI-000205" ], "nist": [ - "CM-7 (5) (b)", + "IA-5 (1) (a)", "Rev_4" ] }, - "code": "control \"V-93379\" do\n title \"Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\"\n desc \"Using a whitelist provides a configuration management method to allow the execution of only authorized software. 
Using only authorized software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems. For other systems, this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\n If an application whitelisting program is not in use on the system, this is a finding.\n Configuration of whitelisting applications will vary by the program.\n AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.\n If AppLocker is used, perform the following to view the configuration of AppLocker:\n\n Open \\\"PowerShell\\\".\n If the AppLocker PowerShell module has not been imported previously, execute the following first:\n Import-Module AppLocker\n Execute the following command, substituting [c:\\\\temp\\\\file.xml] with a location and file name appropriate for the system:\n Get-AppLockerPolicy -Effective -XML > c:\\\\temp\\\\file.xml\n This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.\n Implementation guidance for AppLocker is available in the NSA paper \\\"Application Whitelisting using Microsoft AppLocker\\\" at the following link:\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n desc \"fix\", \"Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized 
software programs.\n\n Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server.\n If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker.\n Implementation guidance for AppLocker is available in the NSA paper \\\"Application Whitelisting using Microsoft AppLocker\\\" at the following link:\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000370-GPOS-00155\"\n tag gid: \"V-93379\"\n tag rid: \"SV-103465r1_rule\"\n tag stig_id: \"WN19-00-000080\"\n tag fix_id: \"F-99623r1_fix\"\n tag cci: [\"CCI-001774\"]\n tag nist: [\"CM-7 (5) (b)\", \"Rev_4\"]\n\n describe \"A manual review is required to ensure the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs\" do\n skip 'A manual review is required to ensure the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs'\n end\nend", + "code": "control \"V-93461\" do\n title \"Windows Server 2019 manually managed application account passwords must be at least #{input('minimum_password_length_manual')} characters in length.\"\n desc \"Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least #{input('minimum_password_length_manual')} characters in length.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Determine if manually managed application/service accounts exist. 
If none exist, this is NA.\n\n Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least #{input('minimum_password_length_manual')} characters in length.\n\n If such a policy does not exist or has not been implemented, this is a finding.\"\n desc \"fix\", \"Establish a policy that requires application/service account passwords that are manually managed to be at least #{input('minimum_password_length_manual')} characters in length. Ensure the policy is enforced.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000078-GPOS-00046\"\n tag gid: \"V-93461\"\n tag rid: \"SV-103547r1_rule\"\n tag stig_id: \"WN19-00-000050\"\n tag fix_id: \"F-99705r1_fix\"\n tag cci: [\"CCI-000205\"]\n tag nist: [\"IA-5 (1) (a)\", \"Rev_4\"]\n\n mplm = input('minimum_password_length_manual')\n\n describe 'Please Check all Accounts that are used for Services or Applications to validate they meet the Password Length Policy, Control is a Manual Check' do\n skip \"Determine if manually managed application/service accounts exist. If none exist, this is NA. Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least #{mplm} characters in length.\"\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93379.rb", + "ref": "./Windows 2019 STIG/controls/V-93461.rb", "line": 3 }, - "id": "V-93379" + "id": "V-93461" }, { - "title": "Windows Server 2019 permissions for the System event log must prevent\naccess by non-privileged accounts.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. 
The\nSystem event log may be susceptible to tampering if proper permissions are not\napplied.", + "title": "Windows Server 2019 must be configured to audit DS Access - Directory\nService Access successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSystem event log may be susceptible to tampering if proper permissions are not\napplied.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.", "rationale": "", - "check": "Navigate to the System event log file.\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\"\nfolder. 
However, the logs may have been moved to another folder.\n\n If the permissions for the \"System.evtx\" file are not as restrictive as\nthe default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", - "fix": "Configure the permissions on the System event log file (System.evtx) to\nprevent access by non-privileged accounts. The default permissions listed below\nsatisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \"NT Service\\Eventlog\"." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \"Directory Service Access\" with\n\"Success\" selected." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000057-GPOS-00027", + "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-93193", - "rid": "SV-103281r1_rule", - "stig_id": "WN19-AU-000050", - "fix_id": "F-99439r1_fix", + "gid": "V-93133", + "rid": "SV-103221r1_rule", + "stig_id": "WN19-DC-000240", + "fix_id": "F-99379r1_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AU-9", - "AU-9", - "AU-9", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93193\" do\n title \"Windows Server 2019 permissions for the System event log must prevent\naccess by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSystem event log may be susceptible to tampering if proper permissions are not\napplied.\"\n desc \"rationale\", \"\"\n desc 'check', \"Navigate to the System event log file.\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\"\nfolder. However, the logs may have been moved to another folder.\n\n If the permissions for the \\\"System.evtx\\\" file are not as restrictive as\nthe default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc 'fix', \"Configure the permissions on the System event log file (System.evtx) to\nprevent access by non-privileged accounts. 
The default permissions listed below\nsatisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000057-GPOS-00027'\n tag 'satisfies': [\"SRG-OS-000057-GPOS-00027\", \"SRG-OS-000058-GPOS-00028\",\n\"SRG-OS-000059-GPOS-00029\"]\n tag 'gid': 'V-93193'\n tag 'rid': 'SV-103281r1_rule'\n tag 'stig_id': 'WN19-AU-000050'\n tag 'fix_id': 'F-99439r1_fix'\n tag 'cci': [\"CCI-000162\", \"CCI-000163\", \"CCI-000164\"]\n tag 'nist': [\"AU-9\", \"AU-9\", \"AU-9\", \"Rev_4\"]\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n\n systemroot = system_root.strip\n\n winevt_logs_system = <<-EOH\n $output = (Get-Acl -Path #{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\System.evtx).AccessToString\n write-output $output\n EOH\n\n # raw powershell output\n raw_logs_system = powershell(winevt_logs_system).stdout.strip\n\n # clean results cleans up the extra line breaks\n clean_logs_system = raw_logs_system.lines.collect(&:strip)\n\n describe 'Verify the default registry permissions for the keys note below of the C:\\Windows\\System32\\WINEVT\\LOGS\\System.evtx' do\n subject { clean_logs_system }\n it { should cmp input('winevt_logs_system_perms') }\n end\nend\n", + "code": "control \"V-93133\" do\n title \"Windows Server 2019 must be configured to audit DS Access - Directory\nService Access successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \\\"Directory Service Access\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': \"SRG-OS-000327-GPOS-00127\"\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': \"V-93133\"\n tag 'rid': \"SV-103221r1_rule\"\n tag 'stig_id': \"WN19-DC-000240\"\n tag 'fix_id': \"F-99379r1_fix\"\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n 
describe.one do\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success' }\n end\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success and Failure' }\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93193.rb", + "ref": "./Windows 2019 STIG/controls/V-93133.rb", "line": 3 }, - "id": "V-93193" + "id": "V-93133" }, { - "title": "Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.", - "desc": "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.", + "title": "Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.", + "desc": "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. 
For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.", "descriptions": { - "default": "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.", + "default": "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Run \"Regedit\".\n Navigate to \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\".\n Note the directory locations in the values for \"DSA Database file\".\n \n Open \"Command Prompt\".\n Enter \"net share\".\n Note the logical drive(s) or file system partition for any organization-created data shares.\n Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). 
User shares that are hidden (ending with $) should not be ignored.\n\n If user shares are located on the same logical partition as the directory server data files, this is a finding.", - "fix": "Move shares used to store files owned by users to a different logical partition than the directory server data files." + "check": "This applies to domain controllers. It is NA for other systems.\n Verify the following is configured in the Default Domain Policy:\n\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \"Maximum tolerance for computer clock synchronization\" is greater than \"5\" minutes, this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Maximum tolerance for computer clock synchronization\" to a maximum of \"5\" minutes or less." 
}, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-93535", - "rid": "SV-103621r1_rule", - "stig_id": "WN19-DC-000120", - "fix_id": "F-99779r1_fix", + "gtitle": "SRG-OS-000112-GPOS-00057", + "satisfies": [ + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" + ], + "gid": "V-93451", + "rid": "SV-103537r1_rule", + "stig_id": "WN19-DC-000060", + "fix_id": "F-99695r1_fix", "cci": [ - "CCI-001090" + "CCI-001941", + "CCI-001942" ], "nist": [ - "SC-4", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ] }, - "code": "control \"V-93535\" do\n title \"Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.\"\n desc \"When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Run \\\"Regedit\\\".\n Navigate to \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\".\n Note the directory locations in the values for \\\"DSA Database file\\\".\n \n Open \\\"Command Prompt\\\".\n Enter \\\"net share\\\".\n Note the logical drive(s) or file system partition for any organization-created data shares.\n Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). 
User shares that are hidden (ending with $) should not be ignored.\n\n If user shares are located on the same logical partition as the directory server data files, this is a finding.\"\n desc \"fix\", \"Move shares used to store files owned by users to a different logical partition than the directory server data files.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000138-GPOS-00069\"\n tag gid: \"V-93535\"\n tag rid: \"SV-103621r1_rule\"\n tag stig_id: \"WN19-DC-000120\"\n tag fix_id: \"F-99779r1_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n dsa_db_file = command('Get-ItemPropertyValue -Path HKLM:\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters -Name \"DSA Database file\"').stdout.strip\n net_shares = json({ command: \"Get-SMBShare | Where-Object -Property Name -notin C$,ADMIN$,IPC$,NETLOGON,SYSVOL | Select Path | ConvertTo-Json\" }).params\n\n if net_shares.empty?\n impact 0.0\n describe 'No non-default file shares were detected' do\n skip 'This control is NA'\n end\n else\n case net_shares\n when Hash\n net_shares.each do |key, value|\n describe \"Net Share path: #{value}\" do\n subject { value }\n it { should_not eq dsa_db_file }\n end\n end\n when Array\n net_shares.each do |paths|\n paths.each do |key, value|\n describe \"Net Share path: #{value}\" do\n subject { value }\n it { should_not eq dsa_db_file }\n end\n end\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", + "code": "control \"V-93451\" do\n title \"Windows Server 2019 computer clock synchronization tolerance must be limited to 
five minutes or less.\"\n desc \"This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n Verify the following is configured in the Default Domain Policy:\n\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \\\"Maximum tolerance for computer clock synchronization\\\" is greater than \\\"5\\\" minutes, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Maximum tolerance for computer clock synchronization\\\" to a maximum of \\\"5\\\" minutes or less.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93451\"\n tag rid: \"SV-103537r1_rule\"\n tag stig_id: \"WN19-DC-000060\"\n tag fix_id: \"F-99695r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxClockSkew') { should be <= 5 }\n 
end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93535.rb", + "ref": "./Windows 2019 STIG/controls/V-93451.rb", "line": 3 }, - "id": "V-93535" + "id": "V-93451" }, { - "title": "Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.", - "desc": "The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.", + "title": "Windows Server 2019 must have a host-based intrusion detection or\nprevention system.", + "desc": "A properly configured Host-based Intrusion Detection System (HIDS) or\nHost-based Intrusion Prevention System (HIPS) provides another level of defense\nagainst unauthorized access to critical servers. With proper configuration and\nlogging enabled, such a system can stop and/or alert for many attempts to gain\nunauthorized access to resources.", "descriptions": { - "default": "The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. 
It is also used to authenticate logons to standalone computers that are running later versions.", + "default": "A properly configured Host-based Intrusion Detection System (HIDS) or\nHost-based Intrusion Prevention System (HIPS) provides another level of defense\nagainst unauthorized access to critical servers. With proper configuration and\nlogging enabled, such a system can stop and/or alert for many attempts to gain\nunauthorized access to resources.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 0x00000005 (5)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: LAN Manager authentication level\" to \"Send NTLMv2 response only. Refuse LM & NTLM\"." + "check": "Determine whether there is a HIDS or HIPS on each server.\n\n If the HIPS component of HBSS is installed and active on the host and the\nalerts of blocked activity are being logged and monitored, this meets the\nrequirement.\n\n A HIDS device is not required on a system that has the role as the Network\nIntrusion Device (NID). However, this exception needs to be documented with the\nISSO.\n\n If a HIDS is not installed on the system, this is a finding.", + "fix": "Install a HIDS or HIPS on each server." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93301", - "rid": "SV-103389r1_rule", - "stig_id": "WN19-SO-000310", - "fix_id": "F-99547r1_fix", + "gid": "V-93219", + "rid": "SV-103307r1_rule", + "stig_id": "WN19-00-000120", + "fix_id": "F-99465r1_fix", "cci": [ "CCI-000366" ], 
@@ -4083,101 +4045,97 @@ "Rev_4" ] }, - "code": "control \"V-93301\" do\n title \"Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.\"\n desc \"The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LmCompatibilityLevel\n\n Value Type: REG_DWORD\n Value: 0x00000005 (5)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: LAN Manager authentication level\\\" to \\\"Send NTLMv2 response only. 
Refuse LM & NTLM\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93301\"\n tag rid: \"SV-103389r1_rule\"\n tag stig_id: \"WN19-SO-000310\"\n tag fix_id: \"F-99547r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'LmCompatibilityLevel' }\n its('LmCompatibilityLevel') { should cmp == 5 }\n end\nend", + "code": "control \"V-93219\" do\n title \"Windows Server 2019 must have a host-based intrusion detection or\nprevention system.\"\n desc \"A properly configured Host-based Intrusion Detection System (HIDS) or\nHost-based Intrusion Prevention System (HIPS) provides another level of defense\nagainst unauthorized access to critical servers. With proper configuration and\nlogging enabled, such a system can stop and/or alert for many attempts to gain\nunauthorized access to resources.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine whether there is a HIDS or HIPS on each server.\n\n If the HIPS component of HBSS is installed and active on the host and the\nalerts of blocked activity are being logged and monitored, this meets the\nrequirement.\n\n A HIDS device is not required on a system that has the role as the Network\nIntrusion Device (NID). 
However, this exception needs to be documented with the\nISSO.\n\n If a HIDS is not installed on the system, this is a finding.\"\n desc 'fix', \"Install a HIDS or HIPS on each server.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93219'\n tag 'rid': 'SV-103307r1_rule'\n tag 'stig_id': 'WN19-00-000120'\n tag 'fix_id': 'F-99465r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe 'A manual review is required to determine whether this server has a host-based Intrusion Detection System installed' do\n skip 'A manual review is required to determine whether this server has a host-based Intrusion Detection System installed'\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93301.rb", + "ref": "./Windows 2019 STIG/controls/V-93219.rb", "line": 3 }, - "id": "V-93301" + "id": "V-93219" }, { - "title": "Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.", - "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Admin Approval Mode for the Built-in Administrator account\" to \"Enabled\"." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name iexplore.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for iexplore.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-93431", - "rid": "SV-103517r1_rule", - "stig_id": "WN19-SO-000380", - "fix_id": "F-99675r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93335", + "rid": "SV-103423r1_rule", + "stig_id": "WN19-EP-000130", + "fix_id": "F-99581r1_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93431\" do\n title \"Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: FilterAdministratorToken\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Admin Approval Mode for the Built-in Administrator account\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93431\"\n tag rid: \"SV-103517r1_rule\"\n tag stig_id: \"WN19-SO-000380\"\n 
tag fix_id: \"F-99675r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'FilterAdministratorToken' }\n its('FilterAdministratorToken') { should cmp == 1 }\n end\n end\nend", + "code": "control \"V-93335\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name iexplore.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" 
for iexplore.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93335\"\n tag rid: \"SV-103423r1_rule\"\n tag stig_id: \"WN19-EP-000130\"\n tag fix_id: \"F-99581r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n iexplore = json({ command: \"Get-ProcessMitigation -Name iexplore.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif iexplore.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for iexplore.exe\" do\n subject { iexplore }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','BottomUp']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93431.rb", + "ref": "./Windows 2019 STIG/controls/V-93335.rb", "line": 3 }, - "id": "V-93431" + "id": "V-93335" }, { - "title": "Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.", - "desc": "Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption.\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \"The other domain supports Kerberos AES Encryption\" on domain trusts, may be required to allow client communication across the trust relationship.", + "title": "Windows Server 2019 Force shutdown from a remote system user right\nmust only be assigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Force shutdown from a remote system\" user right can\nremotely shut down a system, which could result in a denial of service.", "descriptions": { - "default": "Certain encryption types are no longer considered secure. 
The DES and RC4 encryption suites must not be used for Kerberos encryption.\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \"The other domain supports Kerberos AES Encryption\" on domain trusts, may be required to allow client communication across the trust relationship.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Force shutdown from a remote system\" user right can\nremotely shut down a system, which could result in a denial of service.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Configure encryption types allowed for Kerberos\" to \"Enabled\" with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types\n\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \"The other domain supports Kerberos AES Encryption\" on domain trusts, may be required to allow client communication across the trust relationship." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Force\nshutdown from a remote system\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeRemoteShutdownPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Force\nshutdown from a remote system\" to include only the following accounts or\ngroups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000120-GPOS-00061", - "gid": "V-93495", - "rid": "SV-103581r1_rule", - "stig_id": "WN19-SO-000290", - "fix_id": "F-99739r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93067", + "rid": "SV-103155r1_rule", + "stig_id": "WN19-UR-000110", + "fix_id": "F-99313r1_fix", "cci": [ - "CCI-000803" + "CCI-002235" ], "nist": [ - "IA-7", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93495\" do\n title \"Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.\"\n desc \"Certain encryption types are no longer considered secure. 
The DES and RC4 encryption suites must not be used for Kerberos encryption.\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \\\"The other domain supports Kerberos AES Encryption\\\" on domain trusts, may be required to allow client communication across the trust relationship.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Configure encryption types allowed for Kerberos\\\" to \\\"Enabled\\\" with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types\n\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \\\"The other domain supports Kerberos AES Encryption\\\" on domain trusts, may be required to allow client communication across the trust relationship.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000120-GPOS-00061\"\n tag gid: \"V-93495\"\n tag rid: \"SV-103581r1_rule\"\n tag stig_id: \"WN19-SO-000290\"\n tag fix_id: \"F-99739r1_fix\"\n tag cci: [\"CCI-000803\"]\n tag nist: [\"IA-7\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters') do\n it { should have_property 'SupportedEncryptionTypes' }\n its('SupportedEncryptionTypes') { should cmp 2147483640 }\n end\nend", + "code": "control \"V-93067\" do\n title \"Windows Server 
2019 Force shutdown from a remote system user right\nmust only be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Force shutdown from a remote system\\\" user right can\nremotely shut down a system, which could result in a denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Force\nshutdown from a remote system\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeRemoteShutdownPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Force\nshutdown from a remote system\\\" to include only the following accounts or\ngroups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93067'\n tag 'rid': 'SV-103155r1_rule'\n tag 'stig_id': 'WN19-UR-000110'\n tag 'fix_id': 'F-99313r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This 
system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeRemoteShutdownPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93495.rb", + "ref": "./Windows 2019 STIG/controls/V-93067.rb", "line": 3 }, - "id": "V-93495" + "id": "V-93067" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.", "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name wmplayer.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for wmplayer.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name Acrobat.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for Acrobat.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
 },
 "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93365",
- "rid": "SV-103453r1_rule",
- "stig_id": "WN19-EP-000280",
- "fix_id": "F-99611r1_fix",
+ "gid": "V-93321",
+ "rid": "SV-103409r1_rule",
+ "stig_id": "WN19-EP-000060",
+ "fix_id": "F-99567r1_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -4186,150 +4144,195 @@ "Rev_4" ] }, - "code": "control \"V-93365\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name wmplayer.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for wmplayer.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93365\"\n tag rid: \"SV-103453r1_rule\"\n tag stig_id: \"WN19-EP-000280\"\n tag fix_id: \"F-99611r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n wmplayer = json({ command: \"Get-ProcessMitigation -Name wmplayer.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif wmplayer.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for wmplayer.exe\" do\n subject { wmplayer }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93321\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name Acrobat.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for Acrobat.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93321\"\n tag rid: \"SV-103409r1_rule\"\n tag stig_id: \"WN19-EP-000060\"\n tag fix_id: \"F-99567r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n acrobat = json({ command: \"Get-ProcessMitigation -Name Acrobat.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif acrobat.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for Acrobat.exe\" do\n subject { acrobat }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','BottomUp']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93365.rb", + "ref": "./Windows 2019 STIG/controls/V-93321.rb", "line": 3 }, - "id": "V-93365" + "id": "V-93321" }, { - "title": "Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.", - "desc": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.", + "title": "Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.", "descriptions": { - "default": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.", + "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Digitally encrypt or sign secure channel data (always)\" to \"Enabled\"." 
+ "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Run all administrators in Admin Approval Mode\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000423-GPOS-00187", + "gtitle": "SRG-OS-000373-GPOS-00157", "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-93435", + "rid": "SV-103521r1_rule", + "stig_id": "WN19-SO-000440", + "fix_id": "F-99679r1_fix", + "cci": [ + "CCI-002038" + ], + "nist": [ + "IA-11", + "Rev_4" + ] + }, + "code": "control \"V-93435\" do\n title \"Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting enables UAC.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableLUA\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Run all administrators in Admin Approval Mode\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93435\"\n tag rid: \"SV-103521r1_rule\"\n tag stig_id: \"WN19-SO-000440\"\n tag fix_id: \"F-99679r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableLUA' }\n its('EnableLUA') { should cmp == 1 }\n end\n end\nend", + "source_location": { + "ref": "./Windows 2019 STIG/controls/V-93435.rb", + "line": 3 + }, + "id": "V-93435" + }, + { + "title": "Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer 
and handling process.", + "desc": "Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec.", + "descriptions": { + "default": "Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. 
When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec.", + "rationale": "", + "check": "If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented.\n If protection methods have not been implemented, this is a finding.", + "fix": "Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": null, + "gtitle": "SRG-OS-000425-GPOS-00189", + "satisfies": [ + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" ], - "gid": "V-93547", - "rid": "SV-103633r1_rule", - "stig_id": "WN19-SO-000060", - "fix_id": "F-99791r1_fix", + "gid": "V-93543", + "rid": "SV-103629r1_rule", + "stig_id": "WN19-00-000260", + "fix_id": "F-99787r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-002420", + "CCI-002422" ], "nist": [ - "SC-8", - "SC-8 (1)", + "SC-8 (2)", + "SC-8 (2)", "Rev_4" ] }, - "code": "control \"V-93547\" do\n title \"Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Digitally encrypt or sign secure channel data (always)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93547\"\n tag rid: \"SV-103633r1_rule\"\n tag stig_id: \"WN19-SO-000060\"\n tag fix_id: \"F-99791r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RequireSignOrSeal' }\n its('RequireSignOrSeal') { should cmp == 1 }\n end\nend", + "code": "control \"V-93543\" do\n title \"Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.\"\n desc \"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. 
These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission.\n This can be accomplished via access control and encryption.\n Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented.\n If protection methods have not been implemented, this is a finding.\"\n desc \"fix\", \"Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000425-GPOS-00189\"\n tag satisfies: [\"SRG-OS-000425-GPOS-00189\", \"SRG-OS-000426-GPOS-00190\"]\n tag gid: \"V-93543\"\n tag rid: \"SV-103629r1_rule\"\n tag stig_id: \"WN19-00-000260\"\n tag fix_id: \"F-99787r1_fix\"\n tag cci: [\"CCI-002420\", \"CCI-002422\"]\n tag nist: [\"SC-8 (2)\", \"SC-8 (2)\", \"Rev_4\"]\n\n describe \"A manual review is required to ensure protection methods such as TLS, encrypted VPNs, or IPSEC are\n implemented if the data owner has a strict requirement for ensuring data\n integrity and confidentiality is maintained at every step of the data transfer\n and handling process.\" do\n skip 'A manual review is 
required to ensure the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs'\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93547.rb", + "ref": "./Windows 2019 STIG/controls/V-93543.rb", "line": 3 }, - "id": "V-93547" + "id": "V-93543" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 Deny log on locally user right on domain\ncontrollers must be configured to prevent unauthenticated access.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on locally\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on locally\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name EXCEL.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for EXCEL.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit 
protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "This applies to domain controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nlocally\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the\n\"SeDenyInteractiveLogonRight\" user right, this is a finding:\n\n S-1-5-32-546 (Guests)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non locally\" to include the following:\n\n - Guests Group" }, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93327", - "rid": "SV-103415r1_rule", - "stig_id": "WN19-EP-000090", - "fix_id": "F-99573r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-93005", + "rid": "SV-103093r1_rule", + "stig_id": "WN19-DC-000400", + "fix_id": "F-99251r1_fix", "cci": [ - "CCI-000366" + "CCI-000213" ], "nist": [ - "CM-6 b", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93327\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name EXCEL.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for EXCEL.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93327\"\n tag rid: \"SV-103415r1_rule\"\n tag stig_id: \"WN19-EP-000090\"\n tag fix_id: \"F-99573r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n excel = json({ command: \"Get-ProcessMitigation -Name EXCEL.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif excel.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for EXCEL.EXE\" do\n subject { excel }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93005\" do\n title \"Windows Server 2019 Deny log on locally user right on domain\ncontrollers must be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on locally\\\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain 
controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nlocally\\\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the\n\\\"SeDenyInteractiveLogonRight\\\" user right, this is a finding:\n\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"\n Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non locally\\\" to include the following:\n\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93005'\n tag 'rid': 'SV-103093r1_rule'\n tag 'stig_id': 'WN19-DC-000400'\n tag 'fix_id': 'F-99251r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n impact 
0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93327.rb", + "ref": "./Windows 2019 STIG/controls/V-93005.rb", "line": 3 }, - "id": "V-93327" + "id": "V-93005" }, { - "title": "Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.", - "desc": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Control flow guard (CFG)\", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. If this is turned off, Windows may be subject to various exploits.", + "title": "Windows Server 2019 must be configured to audit DS Access - Directory\nService Changes successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.", "descriptions": { - "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Control flow guard (CFG)\", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. 
If this is turned off, Windows may be subject to various exploits.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.", "rationale": "", - "check": "This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"CFG: Enable\" is \"OFF\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Control flow guard (CFG)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Control flow guard (CFG)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn CFG on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \"Directory Service Changes\" with\n\"Success\" selected." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93315", - "rid": "SV-103403r1_rule", - "stig_id": "WN19-EP-000030", - "fix_id": "F-99561r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-93137", + "rid": "SV-103225r1_rule", + "stig_id": "WN19-DC-000260", + "fix_id": "F-99383r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93315\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Control flow guard (CFG)\\\", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement. The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"CFG: Enable\\\" is \\\"OFF\\\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Control flow guard (CFG)\\\", is turned on. 
The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Control flow guard (CFG)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn CFG on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93315\"\n tag rid: \"SV-103403r1_rule\"\n tag stig_id: \"WN19-EP-000030\"\n tag fix_id: \"F-99561r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n systemcfg = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemcfg.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemcfg).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemcfg }\n its(['Cfg','Enable']) { should be_between(0,1) }\n end\n end\nend", + "code": "control \"V-93137\" do\n title \"Windows Server 2019 must be configured to audit DS Access - Directory\nService Changes successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \\\"Directory Service Changes\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93137'\n tag 'rid': 'SV-103225r1_rule'\n tag 'stig_id': 'WN19-DC-000260'\n tag 'fix_id': 'F-99383r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success' }\n end\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success and Failure' }\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this 
control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93315.rb", + "ref": "./Windows 2019 STIG/controls/V-93137.rb", "line": 3 }, - "id": "V-93315" + "id": "V-93137" }, { - "title": "Windows Server 2019 must prevent users from changing installation\noptions.", - "desc": "Installation options for applications are typically controlled by\nadministrators. This setting prevents users from changing installation options\nthat may bypass security features.", + "title": "Windows Server 2019 users must be prompted to authenticate when the\nsystem wakes from sleep (plugged in).", + "desc": "A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. This setting ensures users are prompted for a\npassword when the system wakes from sleep (plugged in).", "descriptions": { - "default": "Installation options for applications are typically controlled by\nadministrators. This setting prevents users from changing installation options\nthat may bypass security features.", + "default": "A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. This setting ensures users are prompted for a\npassword when the system wakes from sleep (plugged in).", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: EnableUserControl\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows Installer >> \"Allow\nuser control over installs\" to \"Disabled\"." 
+ "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: ACSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Power Management >> Sleep Settings >>\n\"Require a password when a computer wakes (plugged in)\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000362-GPOS-00149", - "gid": "V-93199", - "rid": "SV-103287r1_rule", - "stig_id": "WN19-CC-000420", - "fix_id": "F-99445r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93255", + "rid": "SV-103343r1_rule", + "stig_id": "WN19-CC-000190", + "fix_id": "F-99501r1_fix", "cci": [ - "CCI-001812" + "CCI-000366" ], "nist": [ - "CM-11 (2)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93199\" do\n title \"Windows Server 2019 must prevent users from changing installation\noptions.\"\n desc \"Installation options for applications are typically controlled by\nadministrators. 
This setting prevents users from changing installation options\nthat may bypass security features.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: EnableUserControl\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows Installer >> \\\"Allow\nuser control over installs\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000362-GPOS-00149'\n tag 'gid': 'V-93199'\n tag 'rid': 'SV-103287r1_rule'\n tag 'stig_id': 'WN19-CC-000420'\n tag 'fix_id': 'F-99445r1_fix'\n tag 'cci': [\"CCI-001812\"]\n tag 'nist': [\"CM-11 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'EnableUserControl' }\n its('EnableUserControl') { should cmp 0 }\n end\nend\n", + "code": "control \"V-93255\" do\n title \"Windows Server 2019 users must be prompted to authenticate when the\nsystem wakes from sleep (plugged in).\"\n desc \"A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. 
This setting ensures users are prompted for a\npassword when the system wakes from sleep (plugged in).\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: ACSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Power Management >> Sleep Settings >>\n\\\"Require a password when a computer wakes (plugged in)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93255'\n tag 'rid': 'SV-103343r1_rule'\n tag 'stig_id': 'WN19-CC-000190'\n tag 'fix_id': 'F-99501r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a Virtual Machine; This Control is NA.' do\n skip 'This is a Virtual Machine; This Control is NA.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'ACSettingIndex' }\n its('ACSettingIndex') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93199.rb", + "ref": "./Windows 2019 STIG/controls/V-93255.rb", "line": 3 }, - "id": "V-93199" + "id": "V-93255" }, { "title": "Windows Server 2019 Manage auditing and security log user right must\nonly be assigned to the Administrators group.", 
@@ -4380,394 +4383,447 @@ "id": "V-93197" }, { - "title": "Windows Server 2019 permissions on the Active Directory data files\nmust only allow System and Administrators access.", - "desc": "Improper access permissions for directory data-related files could\nallow unauthorized users to read, modify, or delete directory data or audit\ntrails.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Improper access permissions for directory data-related files could\nallow unauthorized users to read, modify, or delete directory data or audit\ntrails.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Run \"Regedit\".\n\n Navigate to\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\".\n\n Note the directory locations in the values for:\n\n Database log files path\n DSA Database file\n\n By default, they will be \\Windows\\NTDS.\n\n If the locations are different, the following will need to be run for each.\n\n Open \"Command Prompt (Admin)\".\n\n Navigate to the NTDS directory (\\Windows\\NTDS by default).\n\n Run \"icacls *.*\".\n\n If the permissions on each file are not as restrictive as the following,\nthis is a finding:\n\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access", - "fix": "Maintain the permissions on NTDS database and log files as follows:\n\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access" + "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name VPREVIEW.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for VPREVIEW.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n 
EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93029", - "rid": "SV-103117r1_rule", - "stig_id": "WN19-DC-000070", - "fix_id": "F-99275r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93361", + "rid": "SV-103449r1_rule", + "stig_id": "WN19-EP-000260", + "fix_id": "F-99607r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ] }, - "code": "control 'V-93029' do\n title \"Windows Server 2019 permissions on the Active Directory data files\nmust only allow System and Administrators access.\"\n desc \"Improper access permissions for directory data-related files could\nallow unauthorized users to read, modify, or delete directory data or audit\ntrails.\"\n desc 'rationale', ''\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Run \\\"Regedit\\\".\n\n Navigate to\n\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\".\n\n Note the directory locations in the values for:\n\n Database log files path\n DSA Database file\n\n By default, they will be \\\\Windows\\\\NTDS.\n\n If the locations are different, the following will need to be run for each.\n\n Open \\\"Command Prompt (Admin)\\\".\n\n Navigate to the NTDS directory (\\\\Windows\\\\NTDS by default).\n\n Run \\\"icacls *.*\\\".\n\n If the permissions on each file are not as restrictive as the following,\nthis is a finding:\n\n NT AUTHORITY\\\\SYSTEM:(I)(F)\n BUILTIN\\\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access\"\n desc 'fix', \"Maintain the permissions on NTDS database and log files as follows:\n\n NT AUTHORITY\\\\SYSTEM:(I)(F)\n BUILTIN\\\\Administrators:(I)(F)\n\n (I) - permission inherited from parent container\n (F) - full access\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93029'\n tag 'rid': 'SV-103117r1_rule'\n tag 'stig_id': 'WN19-DC-000070'\n tag 'fix_id': 'F-99275r1_fix'\n tag 'cci': ['CCI-002235']\n tag 'nist': ['AC-6 (10)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n # Command Gets the Location of the Property Required\n ntds_database_logs_files_path = json(command: 'Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters | Select-Object -ExpandProperty \"Database log files path\" | ConvertTo-Json').params\n # Command Gets the Location of the Property Required\n ntds_dsa_working_directory = json(command: 'Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters | Select-Object -ExpandProperty \"DSA Working Directory\" | ConvertTo-Json').params\n expected_permissions 
= input('ntds_permissions')\n if domain_role == '4' || domain_role == '5'\n if ntds_database_logs_files_path == ntds_dsa_working_directory\n perms = json(command: \"icacls '#{ntds_dsa_working_directory}\\\\*.*' | convertto-json\").params.map(&:strip)[0..-3].map { |e| e.gsub(/^[^\\s]*\\s/, '') }.reject(&:empty?)\n describe \"Permissions on each file in #{ntds_dsa_working_directory} is set\" do\n subject { (perms - expected_permissions).empty? }\n it { should eq true }\n end\n else\n # Command Gets Permissions on Folder Path\n icacls_permissions_ntds_logs = json(command: \"icacls '#{ntds_database_logs_files_path}\\\\*.*' | ConvertTo-Json\").params.map(&:strip)[0..-3].map { |e| e.gsub(/^[^\\s]*\\s/, '') }.reject(&:empty?)\n # Command Gets the Location of the Property Required\n ntds_dsa_file_path = json(command: 'Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters | Select-Object -ExpandProperty \"DSA Database file\" | ConvertTo-Json').params\n # Command Gets Permissions on file ntds.dit\n icacls_permissions_ntds_dsa_file = json(command: \"icacls '#{ntds_dsa_file_path}' | ConvertTo-Json\").params.map(&:strip)[0..-3].map { |e| e.gsub(\"#{ntds_dsa_file_path} \", '') }\n describe 'Permissions on NTDS Database Log Files Path is set to' do\n subject { (icacls_permissions_ntds_logs - expected_permissions).empty? }\n it { should eq true }\n end\n describe 'Permissions on NTDS Database DSA File is set to' do\n subject { (icacls_permissions_ntds_dsa_file - expected_permissions).empty? 
}\n it { should eq true }\n end\n end\n else\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93361\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name VPREVIEW.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for VPREVIEW.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations 
defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93361\"\n tag rid: \"SV-103449r1_rule\"\n tag stig_id: \"WN19-EP-000260\"\n tag fix_id: \"F-99607r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n vpreview = json({ command: \"Get-ProcessMitigation -Name VPREVIEW.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif vpreview.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for VPREVIEW.EXE\" do\n subject { vpreview }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93029.rb", - "line": 1 + "ref": "./Windows 2019 STIG/controls/V-93361.rb", + "line": 3 }, - "id": "V-93029" + "id": "V-93361" }, { - "title": "Windows Server 2019 outdated or unused accounts must be removed or disabled.", - "desc": "Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.", + "title": "Windows Server 2019 domain controllers must require LDAP access signing.", + "desc": "Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. 
Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult.", "descriptions": { - "default": "Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.", + "default": "Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult.", "rationale": "", - "check": "Open \"Windows PowerShell\".\n\n Domain Controllers:\n Enter \"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00\"\n This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate.\n\n Member servers and standalone systems:\n Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. 
Do not include the quotes at the beginning and end of the query.)\n \"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\"\n This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n Review the list of accounts returned by the above queries to determine the finding validity for each account reported.\n\n Exclude the following accounts:\n - Built-in administrator account (Renamed, SID ending in 500)\n - Built-in guest account (Renamed, Disabled, SID ending in 501)\n - Application accounts\n\n If any enabled accounts have not been logged on to within the past 35 days, this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.", - "fix": "Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days." + "check": "This applies to domain controllers. It is NA for other systems.\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\\\n\n Value Name: LDAPServerIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain controller: LDAP server signing requirements\" to \"Require signing\"." 
},
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000118-GPOS-00060",
- "gid": "V-93457",
- "rid": "SV-103543r1_rule",
- "stig_id": "WN19-00-000190",
- "fix_id": "F-99701r1_fix",
+ "gtitle": "SRG-OS-000423-GPOS-00187",
+ "satisfies": [
+ "SRG-OS-000423-GPOS-00187",
+ "SRG-OS-000424-GPOS-00188"
+ ],
+ "gid": "V-93545",
+ "rid": "SV-103631r1_rule",
+ "stig_id": "WN19-DC-000320",
+ "fix_id": "F-99789r1_fix",
 "cci": [
- "CCI-000795"
+ "CCI-002418",
+ "CCI-002421"
 ],
 "nist": [
- "IA-4 e",
+ "SC-8",
+ "SC-8 (1)",
 "Rev_4"
 ]
 },
- "code": "control 'V-93457' do\n title 'Windows Server 2019 outdated or unused accounts must be removed or disabled.'\n desc 'Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.'\n desc 'rationale', ''\n desc 'check', \"Open \\\"Windows PowerShell\\\".\n\n Domain Controllers:\n Enter \\\"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan #{input('unused_account_age')}.00:00:00\\\"\n This will return accounts that have not been logged on to for #{input('unused_account_age')} days, along with various attributes such as the Enabled status and LastLogonDate.\n\n Member servers and standalone systems:\n Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. 
Do not include the quotes at the beginning and end of the query.)\n \\\"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\\\"\n This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n Review the list of accounts returned by the above queries to determine the finding validity for each account reported.\n\n Exclude the following accounts:\n - Built-in administrator account (Renamed, SID ending in 500)\n - Built-in guest account (Renamed, Disabled, SID ending in 501)\n - Application accounts\n\n If any enabled accounts have not been logged on to within the past #{input('unused_account_age')} days, this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.\"\n desc 'fix', \"Regularly review accounts to determine if they are still active. 
Remove or disable accounts that have not been used in the last #{input('unused_account_age')} days.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 'SRG-OS-000118-GPOS-00060'\n tag gid: 'V-93457'\n tag rid: 'SV-103543r1_rule'\n tag stig_id: 'WN19-00-000190'\n tag fix_id: 'F-99701r1_fix'\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e', 'Rev_4']\n \n \n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n age = input('unused_account_age')\n untracked_accounts = []\n\n if domain_role == '4' || domain_role == '5'\n\n excluded_accounts_domain_check = json(command: 'Get-ADUser -Filter * | Where {($_.SID -like \"*-500\") -or ($_.SID -like \"*-501\")} | Select Name | ConvertTo-Json').params\n excluded_accounts_domain = []\n excluded_accounts_domain_check.each { |account| excluded_accounts_domain << account[\"Name\"] }\n\n ad_accounts = json({ command: \"Search-ADAccount -AccountInactive -UsersOnly -Timespan #{age}.00:00:00 | Where -Property Enabled -eq $True | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n unless ad_accounts.empty?\n case ad_accounts\n when String\n (ad_account = []) << ad_accounts\n untracked_accounts = ad_account - input('application_accounts_domain') - excluded_accounts_domain\n when Array\n untracked_accounts = ad_accounts - input('application_accounts_domain') - excluded_accounts_domain\n end\n end\n\n describe 'AD Accounts' do\n it \"AD should not have any Accounts that are Inactive over #{age} days\" do\n failure_message = \"User(s) that have not logged into system in #{age} days #{untracked_accounts}\"\n expect(untracked_accounts).to be_empty, failure_message\n end\n end\n\n else\n\n excluded_accounts_local_check = json(command: 'Get-LocalUser | Where {($_.SID -like \"*-500\") -or ($_.SID -like \"*-501\")} | Select Name | ConvertTo-Json').params\n excluded_accounts_local = []\n excluded_accounts_local_check.each do |account|\n excluded_accounts_local << account[\"Name\"]\n end\n\n 
local_accounts = json({ command: \"Get-LocalUser | Where-Object {$_.Enabled -eq 'True' -and $_.Lastlogon -le (Get-Date).AddDays(-#{age}) } | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n\n unless local_accounts.empty?\n case local_accounts\n when String\n (local_account = []) << local_accounts\n untracked_accounts = local_account - input('application_accounts_local') - excluded_accounts_local\n when Array\n untracked_accounts = local_accounts - input('application_accounts_local') - excluded_accounts_local\n end\n end\n\n describe 'Inactive account or accounts exists' do\n it 'Server should not have inactive accounts' do\n failure_message = \"User(s) that have not logged into system in #{age} days: #{local_accounts}\"\n expect(local_accounts).to be_empty, failure_message\n end\n end\n end\nend", + "code": "control \"V-93545\" do\n title \"Windows Server 2019 domain controllers must require LDAP access signing.\"\n desc \"Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\\n\n Value Name: LDAPServerIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain controller: LDAP server signing requirements\\\" to \\\"Require signing\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93545\"\n tag rid: \"SV-103631r1_rule\"\n tag stig_id: \"WN19-DC-000320\"\n tag fix_id: \"F-99789r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters') do\n it { should have_property 'LDAPServerIntegrity' }\n its('LDAPServerIntegrity') { should cmp 2 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93457.rb", + "ref": "./Windows 2019 STIG/controls/V-93545.rb", "line": 3 }, - "id": "V-93457" + "id": "V-93545" }, { - "title": "Windows Server 2019 Windows Defender SmartScreen must be enabled.", - "desc": "Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. 
Enabling SmartScreen can block potentially malicious programs or warn users.", + "title": "Windows Server 2019 must be configured to audit System - Security\nSystem Extension successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\nloaded by the security subsystem.", "descriptions": { - "default": "Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\nloaded by the security subsystem.", "rationale": "", - "check": "This is applicable to unclassified systems; for other systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> \"Configure Windows Defender SmartScreen\" to \"Enabled\" with either option \"Warn\" or \"Warn and prevent bypass\" selected.\n Windows 2019 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Security System Extension - Success",
+ "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit Security System Extension\" with\n\"Success\" selected."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000095-GPOS-00049",
- "gid": "V-93411",
- "rid": "SV-103497r2_rule",
- "stig_id": "WN19-CC-000300",
- "fix_id": "F-99655r1_fix",
+ "gtitle": "SRG-OS-000327-GPOS-00127",
+ "satisfies": [
+ "SRG-OS-000327-GPOS-00127",
+ "SRG-OS-000458-GPOS-00203",
+ "SRG-OS-000463-GPOS-00207",
+ "SRG-OS-000468-GPOS-00212"
+ ],
+ "gid": "V-93115",
+ "rid": "SV-103203r1_rule",
+ "stig_id": "WN19-AU-000370",
+ "fix_id": "F-99361r1_fix",
+ "cci": [
+ "CCI-000172",
+ "CCI-002234"
+ ],
+ "nist": [
+ "AU-12 c",
+ "AC-6 (9)",
+ "Rev_4"
+ ]
+ },
+ "code": "control \"V-93115\" do\n title \"Windows Server 2019 must be configured to audit System - Security\nSystem Extension successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\nloaded by the security subsystem.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Security System Extension - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit Security System Extension\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93115'\n tag 'rid': 'SV-103203r1_rule'\n tag 'stig_id': 'WN19-AU-000370'\n tag 'fix_id': 'F-99361r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Security System Extension') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security System Extension') { should eq 'Success and Failure' }\n end\n 
end\nend\n", + "source_location": { + "ref": "./Windows 2019 STIG/controls/V-93115.rb", + "line": 3 + }, + "id": "V-93115" + }, + { + "title": "The password for the krbtgt account on a domain must be reset at least\nevery 180 days.", + "desc": "The krbtgt account acts as a service account for the Kerberos Key\nDistribution Center (KDC) service. The account and password are created when a\ndomain is created and the password is typically not changed. If the krbtgt\naccount is compromised, attackers can create valid Kerberos Ticket Granting\nTickets (TGT).\n The password must be changed twice to effectively remove the password\nhistory. Changing once, waiting for replication to complete and the amount of\ntime equal to or greater than the maximum Kerberos ticket lifetime, and\nchanging again reduces the risk of issues.", + "descriptions": { + "default": "The krbtgt account acts as a service account for the Kerberos Key\nDistribution Center (KDC) service. The account and password are created when a\ndomain is created and the password is typically not changed. If the krbtgt\naccount is compromised, attackers can create valid Kerberos Ticket Granting\nTickets (TGT).\n The password must be changed twice to effectively remove the password\nhistory. Changing once, waiting for replication to complete and the amount of\ntime equal to or greater than the maximum Kerberos ticket lifetime, and\nchanging again reduces the risk of issues.", + "rationale": "", + "check": "This requirement is applicable to domain controllers; it is NA for other\nsystems.\n Open \"Windows PowerShell\".\n Enter \"Get-ADUser krbtgt -Property PasswordLastSet\".\n If the \"PasswordLastSet\" date is more than 180 days old, this is a\nfinding.", + "fix": "Reset the password for the krbtgt account a least every 180 days. The\npassword must be changed twice to effectively remove the password history.\nChanging once, waiting for replication to complete and changing again reduces\nthe risk of issues. 
Changing twice in rapid succession forces clients to\nre-authenticate (including application services) but is desired if a compromise\nis suspected.\n PowerShell scripts are available to accomplish this such as at the\nfollowing link:\n https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n Select \"Advanced Features\" in the \"View\" menu if not previously\nselected.\n Select the \"Users\" node.\n Right click on the krbtgt account and select \"Reset password\"\n Enter a password that meets password complexity requirements.\n Clear the \"User must change password at next logon\" check box.\n The system will automatically change this to a system-generated complex\npassword."
+ },
+ "impact": 0,
+ "refs": [],
+ "tags": {
+ "severity": null,
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-93211",
+ "rid": "SV-103299r3_rule",
+ "stig_id": "WN19-DC-000430",
+ "fix_id": "F-99457r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-000366"
 ],
 "nist": [
- "CM-7 a",
+ "CM-6 b",
 "Rev_4"
 ]
 },
- "code": "control \"V-93411\" do\n title \"Windows Server 2019 Windows Defender SmartScreen must be enabled.\"\n desc \"Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. 
Enabling SmartScreen can block potentially malicious programs or warn users.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems; for other systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: EnableSmartScreen\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> \\\"Configure Windows Defender SmartScreen\\\" to \\\"Enabled\\\" with either option \\\"Warn\\\" or \\\"Warn and prevent bypass\\\" selected.\n Windows 2019 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93411\"\n tag rid: \"SV-103497r2_rule\"\n tag stig_id: \"WN19-CC-000300\"\n tag fix_id: \"F-99655r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'EnableSmartScreen' }\n its('EnableSmartScreen') { should cmp 1 }\n end\n end\nend", + "code": "control 'V-93211' do\n title \"The password for the krbtgt account on a domain must be reset at least\nevery 180 days.\"\n desc \"The krbtgt account acts as a service account for the Kerberos Key\nDistribution Center (KDC) service. 
The account and password are created when a\ndomain is created and the password is typically not changed. If the krbtgt\naccount is compromised, attackers can create valid Kerberos Ticket Granting\nTickets (TGT).\n The password must be changed twice to effectively remove the password\nhistory. Changing once, waiting for replication to complete and the amount of\ntime equal to or greater than the maximum Kerberos ticket lifetime, and\nchanging again reduces the risk of issues.\"\n desc 'rationale', ''\n desc 'check', \"This requirement is applicable to domain controllers; it is NA for other\nsystems.\n Open \\\"Windows PowerShell\\\".\n Enter \\\"Get-ADUser krbtgt -Property PasswordLastSet\\\".\n If the \\\"PasswordLastSet\\\" date is more than 180 days old, this is a\nfinding.\"\n desc 'fix', \"Reset the password for the krbtgt account a least every 180 days. The\npassword must be changed twice to effectively remove the password history.\nChanging once, waiting for replication to complete and changing again reduces\nthe risk of issues. 
Changing twice in rapid succession forces clients to\nre-authenticate (including application services) but is desired if a compromise\nis suspected.\n PowerShell scripts are available to accomplish this such as at the\nfollowing link:\n https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n Select \\\"Advanced Features\\\" in the \\\"View\\\" menu if not previously\nselected.\n Select the \\\"Users\\\" node.\n Right click on the krbtgt account and select \\\"Reset password\\\"\n Enter a password that meets password complexity requirements.\n Clear the \\\"User must change password at next logon\\\" check box.\n The system will automatically change this to a system-generated complex\npassword.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93211'\n tag 'rid': 'SV-103299r3_rule'\n tag 'stig_id': 'WN19-DC-000430'\n tag 'fix_id': 'F-99457r1_fix'\n tag 'cci': ['CCI-000366']\n tag 'nist': ['CM-6 b', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n password_set_date = json(command: 'New-TimeSpan -Start (Get-ADUser krbtgt -Property PasswordLastSet).PAsswordLastSet | where -filter { $_.Days -gt 180 } | ConvertTo-JSON').params\n date = password_set_date['Days']\n if date.nil?\n describe 'krbtgt Account is within 180 days since password change' do\n subject { date }\n its(date) { should eq nil }\n end\n else\n describe 'Password Last Set' do\n it 'krbtgt Account Password Last Set Date is' do\n failure_message = \"Password Date should not be more than 180 Days: #{date}\"\n expect(date).to be_empty, failure_message\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 
'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93411.rb", - "line": 3 + "ref": "./Windows 2019 STIG/controls/V-93211.rb", + "line": 1 }, - "id": "V-93411" + "id": "V-93211" }, { - "title": "Windows Server 2019 must force audit policy subcategory settings to\noverride audit policy category settings.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\ncapabilities.", + "title": "Windows Server 2019 must be configured to audit System - IPsec Driver\nfailures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\ncapabilities.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> Security Options >>\n\"Audit: Force audit policy subcategory settings (Windows Vista or later) to\noverride audit policy category settings\" to \"Enabled\"." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Failure",
+ "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit IPsec Driver\" with \"Failure\"\nselected."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000062-GPOS-00031",
- "gid": "V-93151",
- "rid": "SV-103239r1_rule",
- "stig_id": "WN19-SO-000050",
- "fix_id": "F-99397r1_fix",
+ "gtitle": "SRG-OS-000327-GPOS-00127",
+ "satisfies": [
+ "SRG-OS-000327-GPOS-00127",
+ "SRG-OS-000458-GPOS-00203",
+ "SRG-OS-000463-GPOS-00207",
+ "SRG-OS-000468-GPOS-00212"
+ ],
+ "gid": "V-93107",
+ "rid": "SV-103195r1_rule",
+ "stig_id": "WN19-AU-000330",
+ "fix_id": "F-99353r1_fix",
 "cci": [
- "CCI-000169"
+ "CCI-000172",
+ "CCI-002234"
 ],
 "nist": [
- "AU-12 a",
+ "AU-12 c",
+ "AC-6 (9)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93151\" do\n title \"Windows Server 2019 must force audit policy subcategory settings to\noverride audit policy category settings.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n This setting allows administrators to enable more precise auditing\ncapabilities.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: SCENoApplyLegacyAuditPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> Security Options >>\n\\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to\noverride audit policy category settings\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000062-GPOS-00031'\n tag 'gid': 'V-93151'\n tag 'rid': 'SV-103239r1_rule'\n tag 'stig_id': 'WN19-SO-000050'\n tag 'fix_id': 'F-99397r1_fix'\n tag 'cci': [\"CCI-000169\"]\n tag 'nist': [\"AU-12 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property 'SCENoApplyLegacyAuditPolicy' }\n its('SCENoApplyLegacyAuditPolicy') { should cmp 1 }\n end \nend", + "code": "control \"V-93107\" do\n title \"Windows Server 2019 must be configured to audit System - IPsec Driver\nfailures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit IPsec Driver\\\" with \\\"Failure\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93107'\n tag 'rid': 'SV-103195r1_rule'\n tag 'stig_id': 'WN19-AU-000330'\n tag 'fix_id': 'F-99353r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Failure' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 
STIG/controls/V-93151.rb", + "ref": "./Windows 2019 STIG/controls/V-93107.rb", "line": 3 }, - "id": "V-93151" + "id": "V-93107" }, { - "title": "Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.", - "desc": "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.", + "title": "Windows Server 2019 systems must have Unified Extensible Firmware\nInterface (UEFI) firmware and be configured to run in UEFI mode, not Legacy\nBIOS.", + "desc": "UEFI provides additional security features in comparison to legacy\nBIOS firmware, including Secure Boot. UEFI is required to support additional\nsecurity features in Windows, including Virtualization Based Security and\nCredential Guard. Systems with UEFI that are operating in \"Legacy BIOS\" mode\nwill not support these security features.", "descriptions": { - "default": "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.", + "default": "UEFI provides additional security features in comparison to legacy\nBIOS firmware, including Secure Boot. UEFI is required to support additional\nsecurity features in Windows, including Virtualization Based Security and\nCredential Guard. 
Systems with UEFI that are operating in \"Legacy BIOS\" mode\nwill not support these security features.", "rationale": "", - "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Virtualize file and registry write failures to per-user locations\" to \"Enabled\"." + "check": "Some older systems may not have UEFI firmware. This is currently a CAT III;\nit will be raised in severity at a future date when broad support of Windows\nhardware and firmware requirements are expected to be met. Devices that have\nUEFI firmware must run in \"UEFI\" mode.\n\n Verify the system firmware is configured to run in \"UEFI\" mode, not\n\"Legacy BIOS\".\n\n Run \"System Information\".\n\n Under \"System Summary\", if \"BIOS Mode\" does not display \"UEFI\", this\nis a finding.", + "fix": "Configure UEFI firmware to run in \"UEFI\" mode, not \"Legacy\nBIOS\" mode." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-93529", - "rid": "SV-103615r1_rule", - "stig_id": "WN19-SO-000450", - "fix_id": "F-99773r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93229", + "rid": "SV-103317r1_rule", + "stig_id": "WN19-00-000460", + "fix_id": "F-99475r1_fix", "cci": [ - "CCI-001084" + "CCI-000366" ], "nist": [ - "SC-3", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93529\" do\n title \"Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.\"\n desc \"UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Virtualize file and registry write failures to per-user locations\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93529\"\n tag rid: \"SV-103615r1_rule\"\n tag stig_id: \"WN19-SO-000450\"\n tag fix_id: \"F-99773r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = 
command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableVirtualization' }\n its('EnableVirtualization') { should cmp == 1 }\n end\n end\nend", + "code": "control \"V-93229\" do\n title \"Windows Server 2019 systems must have Unified Extensible Firmware\nInterface (UEFI) firmware and be configured to run in UEFI mode, not Legacy\nBIOS.\"\n desc \"UEFI provides additional security features in comparison to legacy\nBIOS firmware, including Secure Boot. UEFI is required to support additional\nsecurity features in Windows, including Virtualization Based Security and\nCredential Guard. Systems with UEFI that are operating in \\\"Legacy BIOS\\\" mode\nwill not support these security features.\"\n desc \"rationale\", \"\"\n desc 'check', \"Some older systems may not have UEFI firmware. This is currently a CAT III;\nit will be raised in severity at a future date when broad support of Windows\nhardware and firmware requirements are expected to be met. 
Devices that have\nUEFI firmware must run in \\\"UEFI\\\" mode.\n\n Verify the system firmware is configured to run in \\\"UEFI\\\" mode, not\n\\\"Legacy BIOS\\\".\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", if \\\"BIOS Mode\\\" does not display \\\"UEFI\\\", this\nis a finding.\"\n desc 'fix', \"Configure UEFI firmware to run in \\\"UEFI\\\" mode, not \\\"Legacy\nBIOS\\\" mode.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93229'\n tag 'rid': 'SV-103317r1_rule'\n tag 'stig_id': 'WN19-00-000460'\n tag 'fix_id': 'F-99475r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n uefi_boot = json( command: 'Confirm-SecureBootUEFI | ConvertTo-Json').params\n describe 'Confirm-Secure Boot UEFI is required to be enabled on System' do\n subject { uefi_boot }\n it { should_not eq 'False' }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93529.rb", + "ref": "./Windows 2019 STIG/controls/V-93229.rb", "line": 3 }, - "id": "V-93529" + "id": "V-93229" }, { - "title": "Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.", - "desc": "When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. 
When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.", + "title": "Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).", + "desc": "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.", "descriptions": { - "default": "When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. 
When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.", + "default": "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on the Domain Controllers OU.\n Open \"Active Directory Users and Computers\" (available from various menus or run \"dsa.msc\").\n Select \"Advanced Features\" in the \"View\" menu if not previously selected.\n Select the \"Domain Controllers\" OU (folder in folder icon).\n Right-click and select \"Properties\".\n Select the \"Security\" tab.\n If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding.\n\n The default permissions listed below satisfy this requirement.\n Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding.\n The permissions shown are at the summary level. 
More detailed permissions can be viewed by selecting the \"Advanced\" button, the desired Permission entry, and the \"View\" or \"Edit\" button.\n Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n SELF - Special permissions\n Authenticated Users - Read, Special permissions\n The special permissions for Authenticated Users are Read types.\n If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.\n\n SYSTEM - Full Control\n Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Enterprise Admins - Full Control\n Key Admins - Special permissions\n Enterprise Key Admins - Special permissions\n Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Pre-Windows 2000 Compatible Access - Special permissions\n The Special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions", - "fix": "Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators.\n The default permissions listed below satisfy this requirement.\n Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. 
These may include some change related permissions.\n\n CREATOR OWNER - Special permissions\n SELF - Special permissions\n Authenticated Users - Read, Special permissions\n The special permissions for Authenticated Users are Read types.\n SYSTEM - Full Control\n Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Enterprise Admins - Full Control\n Key Admins - Special permissions\n Enterprise Key Admins - Special permissions\n Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Pre-Windows 2000 Compatible Access - Special permissions\n The special permissions for Pre-Windows 2000 Compatible Access are Read types.\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions" + "check": "This applies to domain controllers. It is NA for other systems.\n Run \"MMC\".\n Select \"Add/Remove Snap-in\" from the \"File\" menu.\n Select \"Certificates\" in the left pane and click the \"Add >\" button.\n Select \"Computer Account\" and click \"Next\".\n Select the appropriate option for \"Select the computer you want this snap-in to manage\" and click \"Finish\".\n Click \"OK\".\n Select and expand the Certificates (Local Computer) entry in the left pane.\n Select and expand the Personal entry in the left pane.\n Select the Certificates entry in the left pane. 
In the right pane, examine the \"Issued By\" field for the certificate to determine the issuing CA.\n If the \"Issued By\" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding.\n If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding.\n There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained:\n\n The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil.\n\n DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE:\n http://iase.disa.mil/pki-pke/function_pages/tools.html", + "fix": "Obtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA." }, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93035", - "rid": "SV-103123r1_rule", - "stig_id": "WN19-DC-000100", - "fix_id": "F-99281r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "gid": "V-93483", + "rid": "SV-103569r1_rule", + "stig_id": "WN19-DC-000290", + "fix_id": "F-99727r1_fix", "cci": [ - "CCI-002235" + "CCI-000185" ], "nist": [ - "AC-6 (10)", + "IA-5 (2) (a)", "Rev_4" ] }, - "code": "control \"V-93035\" do\n title \"Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.\"\n desc \"When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. 
When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\n The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain.\n Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on the Domain Controllers OU.\n Open \\\"Active Directory Users and Computers\\\" (available from various menus or run \\\"dsa.msc\\\").\n Select \\\"Advanced Features\\\" in the \\\"View\\\" menu if not previously selected.\n Select the \\\"Domain Controllers\\\" OU (folder in folder icon).\n Right-click and select \\\"Properties\\\".\n Select the \\\"Security\\\" tab.\n If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding.\n\n The default permissions listed below satisfy this requirement.\n Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding.\n The permissions shown are at the summary level. 
More detailed permissions can be viewed by selecting the \\\"Advanced\\\" button, the desired Permission entry, and the \\\"View\\\" or \\\"Edit\\\" button.\n Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n SELF - Special permissions\n Authenticated Users - Read, Special permissions\n The special permissions for Authenticated Users are Read types.\n If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.\n\n SYSTEM - Full Control\n Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Enterprise Admins - Full Control\n Key Admins - Special permissions\n Enterprise Key Admins - Special permissions\n Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Pre-Windows 2000 Compatible Access - Special permissions\n The Special permissions for Pre-Windows 2000 Compatible Access are Read types.\n\n If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n desc 'fix', \"Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators.\n The default permissions listed below satisfy this requirement.\n Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. 
These may include some change related permissions.\n\n CREATOR OWNER - Special permissions\n SELF - Special permissions\n Authenticated Users - Read, Special permissions\n The special permissions for Authenticated Users are Read types.\n SYSTEM - Full Control\n Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Enterprise Admins - Full Control\n Key Admins - Special permissions\n Enterprise Key Admins - Special permissions\n Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions\n Pre-Windows 2000 Compatible Access - Special permissions\n The special permissions for Pre-Windows 2000 Compatible Access are Read types.\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93035'\n tag 'rid': 'SV-103123r1_rule'\n tag 'stig_id': 'WN19-DC-000100'\n tag 'fix_id': 'F-99281r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n perm_query = <<-EOH\n import-module ActiveDirectory\n Set-Location ad:\n $distinguishedName = (Get-ADDomain).DistinguishedName\n $acl_rules = (Get-Acl \"OU=Domain Controllers,$distinguishedName\").Access\n $acl_rules | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json\n EOH\n\n acl_rules = json(command: perm_query).params\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\ENTERPRISE DOMAIN 
CONTROLLERS\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericRead\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericRead\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should cmp \"ReadProperty\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n 
its(['ActiveDirectoryRights']) { should cmp \"ReadProperty, WriteProperty\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"ReadProperty, WriteProperty, ExtendedRight\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should cmp \"ListChildren\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should cmp \"CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner\"}\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", + "code": "control \"V-93483\" do\n title \"Windows Server 2019 domain Controller PKI certificates must be issued by the #{input('org_name')[:acronym]} PKI or an approved External Certificate Authority 
(ECA).\"\n desc \"A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n Run \\\"MMC\\\".\n Select \\\"Add/Remove Snap-in\\\" from the \\\"File\\\" menu.\n Select \\\"Certificates\\\" in the left pane and click the \\\"Add >\\\" button.\n Select \\\"Computer Account\\\" and click \\\"Next\\\".\n Select the appropriate option for \\\"Select the computer you want this snap-in to manage\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Select and expand the Certificates (Local Computer) entry in the left pane.\n Select and expand the Personal entry in the left pane.\n Select the Certificates entry in the left pane. In the right pane, examine the \\\"Issued By\\\" field for the certificate to determine the issuing CA.\n If the \\\"Issued By\\\" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the #{input('org_name')[:acronym]} PKI or an approved ECA, this is a finding.\n If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding.\n There are multiple sources from which lists of valid #{input('org_name')[:acronym]} CAs and approved ECAs can be obtained:\n\n The Global Directory Service (GDS) website provides an online source. 
The address for this site is https://crl.gds.disa.mil.\n\n #{input('org_name')[:acronym]} Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage #{input('org_name')[:acronym]} supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE:\n http://iase.disa.mil/pki-pke/function_pages/tools.html\"\n desc \"fix\", \"Obtain a server certificate for the domain controller issued by the #{input('org_name')[:acronym]} PKI or an approved ECA.\"\n impact 0.7\n tag 'severity': nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag gid: \"V-93483\"\n tag rid: \"SV-103569r1_rule\"\n tag stig_id: \"WN19-DC-000290\"\n tag fix_id: \"F-99727r1_fix\"\n tag cci: [\"CCI-000185\"]\n tag nist: [\"IA-5 (2) (a)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 'This control needs to be check manually' do\n skip 'Control not executed as this test is manual'\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93035.rb", + "ref": "./Windows 2019 STIG/controls/V-93483.rb", "line": 3 }, - "id": "V-93035" + "id": "V-93483" }, { - "title": "Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.", - "desc": "Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption.", + "title": "Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.", + "desc": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n The \"Generate security audits\" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.", + "default": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n The \"Generate security audits\" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.", "rationale": "", - "check": "If the server has the role of an FTP server, this is NA.\n\n Open \"PowerShell\".\n Enter \"Get-WindowsFeature | Where Name -eq Web-Ftp-Service\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.\n If the system has the role of an FTP server, this must be documented with the ISSO.", - "fix": "Uninstall the \"FTP Server\" role.\n\n Start \"Server Manager\".\n Select the server with the role.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"FTP Server\" under \"Web Server (IIS)\" on the \"Roles\" page.\n Click \"Next\" and \"Remove\" as prompted." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \"Generate security audits\" user right, this is a finding:\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \"SeAuditPrivilege\" user right, this is a finding:\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \"Generate security audits\" to include only the following accounts or groups:\n - Local Service\n - Network Service" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000096-GPOS-00050", - "gid": "V-93421", - "rid": "SV-103507r1_rule", - "stig_id": "WN19-00-000330", - "fix_id": "F-99665r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93069", + "rid": "SV-103157r1_rule", + "stig_id": "WN19-UR-000120", + "fix_id": "F-99315r1_fix", "cci": [ - "CCI-000382" + "CCI-002235" ], "nist": [ - "CM-7 b", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93421\" do\n title \"Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.\"\n desc \"Unnecessary 
services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the server has the role of an FTP server, this is NA.\n\n Open \\\"PowerShell\\\".\n Enter \\\"Get-WindowsFeature | Where Name -eq Web-Ftp-Service\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\n If the system has the role of an FTP server, this must be documented with the ISSO.\"\n desc \"fix\", \"Uninstall the \\\"FTP Server\\\" role.\n\n Start \\\"Server Manager\\\".\n Select the server with the role.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"FTP Server\\\" under \\\"Web Server (IIS)\\\" on the \\\"Roles\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000096-GPOS-00050\"\n tag gid: \"V-93421\"\n tag rid: \"SV-103507r1_rule\"\n tag stig_id: \"WN19-00-000330\"\n tag fix_id: \"F-99665r1_fix\"\n tag cci: [\"CCI-000382\"]\n tag nist: [\"CM-7 b\", \"Rev_4\"]\n\n ftp_server_state = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n\n if input('ftp_server') == false\n describe 'Microsoft FTP service must not be installed unless required' do\n subject { ftp_server_state }\n it { should eq 'False' }\n end\n else\n impact 0.0\n describe 'This server has the role of an FTP server, therefore this control is NA' do\n skip 'This server has the role of an FTP server, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93069\" do\n title \"Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network 
Service.\"\n desc \"Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n The \\\"Generate security audits\\\" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \\\"Generate security audits\\\" user right, this is a finding:\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \\\"SeAuditPrivilege\\\" user right, this is a finding:\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Generate security audits\\\" to include only the following accounts or groups:\n - Local Service\n - Network Service\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93069'\n tag 'rid': 'SV-103157r1_rule'\n tag 'stig_id': 'WN19-UR-000120'\n tag 'fix_id': 'F-99315r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 
(10)\", \"Rev_4\"]\n\n active_audit_privilege_users = security_policy.SeAuditPrivilege.entries\n allowed_audit_privilege_users = input(\"allowed_audit_privilege_users\")\n disallowed_audit_privilege_users = input(\"disallowed_audit_privilege_users\")\n unauthorized_users = []\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n active_audit_privilege_users.each do |user|\n next if allowed_audit_privilege_users.include?(user)\n unauthorized_users << user\n end\n disallowed_audit_privilege_users.each do |user|\n unless disallowed_audit_privilege_users == [nil] || unauthorized_users.include?(user)\n unauthorized_users << user\n end\n end\n describe \"Security Audit Generation Privilege must be limited to\" do\n it \"Authorized SIDs: #{allowed_audit_privilege_users}\" do\n failure_message = \"Unauthorized SIDs: #{unauthorized_users}\"\n expect(unauthorized_users).to be_empty, failure_message\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93421.rb", + "ref": "./Windows 2019 STIG/controls/V-93069.rb", "line": 3 }, - "id": "V-93421" + "id": "V-93069" }, { - "title": "Windows Server 2019 must be configured to audit System - Security\nSystem Extension successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\nloaded by the security subsystem.", + "title": "Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.", + "desc": "Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\nloaded by the security subsystem.", + "default": "Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. 
Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Security System Extension - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit Security System Extension\" with\n\"Success\" selected." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft Network Client: Send unencrypted password to third-party SMB servers\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93115", - "rid": "SV-103203r1_rule", - "stig_id": "WN19-AU-000370", - "fix_id": "F-99361r1_fix", + "gtitle": "SRG-OS-000074-GPOS-00042", + "gid": "V-93469", + "rid": "SV-103555r1_rule", + "stig_id": "WN19-SO-000180", + "fix_id": "F-99713r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000197" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "IA-5 (1) (c)", "Rev_4" ] }, - "code": "control \"V-93115\" do\n title \"Windows Server 2019 must be configured to audit System - Security\nSystem Extension successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security System Extension records events related to extension code being\nloaded by the security subsystem.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n 
System >> Security System Extension - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit Security System Extension\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93115'\n tag 'rid': 'SV-103203r1_rule'\n tag 'stig_id': 'WN19-AU-000370'\n tag 'fix_id': 'F-99361r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Security System Extension') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security System Extension') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93469\" do\n title \"Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.\"\n desc \"Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. 
Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnablePlainTextPassword\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft Network Client: Send unencrypted password to third-party SMB servers\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000074-GPOS-00042\"\n tag gid: \"V-93469\"\n tag rid: \"SV-103555r1_rule\"\n tag stig_id: \"WN19-SO-000180\"\n tag fix_id: \"F-99713r1_fix\"\n tag cci: [\"CCI-000197\"]\n tag nist: [\"IA-5 (1) (c)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'EnablePlainTextPassword' }\n its('EnablePlainTextPassword') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93115.rb", + "ref": "./Windows 2019 STIG/controls/V-93469.rb", "line": 3 }, - "id": "V-93115" + "id": "V-93469" }, { - "title": "The password for the krbtgt account on a domain must be reset at least\nevery 180 days.", - "desc": "The krbtgt account acts as a service account for the Kerberos Key\nDistribution Center (KDC) service. The account and password are created when a\ndomain is created and the password is typically not changed. If the krbtgt\naccount is compromised, attackers can create valid Kerberos Ticket Granting\nTickets (TGT).\n The password must be changed twice to effectively remove the password\nhistory. 
Changing once, waiting for replication to complete and the amount of\ntime equal to or greater than the maximum Kerberos ticket lifetime, and\nchanging again reduces the risk of issues.", + "title": "Windows Server 2019 account lockout duration must be configured to 15\nminutes or greater.", + "desc": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat an account will remain locked after the specified number of failed logon\nattempts.", "descriptions": { - "default": "The krbtgt account acts as a service account for the Kerberos Key\nDistribution Center (KDC) service. The account and password are created when a\ndomain is created and the password is typically not changed. If the krbtgt\naccount is compromised, attackers can create valid Kerberos Ticket Granting\nTickets (TGT).\n The password must be changed twice to effectively remove the password\nhistory. Changing once, waiting for replication to complete and the amount of\ntime equal to or greater than the maximum Kerberos ticket lifetime, and\nchanging again reduces the risk of issues.", + "default": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat an account will remain locked after the specified number of failed logon\nattempts.", "rationale": "", - "check": "This requirement is applicable to domain controllers; it is NA for other\nsystems.\n Open \"Windows PowerShell\".\n Enter \"Get-ADUser krbtgt -Property PasswordLastSet\".\n If the \"PasswordLastSet\" date is more than 180 days old, this is a\nfinding.", - "fix": "Reset the password for the krbtgt account a least every 180 days. The\npassword must be changed twice to effectively remove the password history.\nChanging once, waiting for replication to complete and changing again reduces\nthe risk of issues. 
Changing twice in rapid succession forces clients to\nre-authenticate (including application services) but is desired if a compromise\nis suspected.\n PowerShell scripts are available to accomplish this such as at the\nfollowing link:\n https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n Select \"Advanced Features\" in the \"View\" menu if not previously\nselected.\n Select the \"Users\" node.\n Right click on the krbtgt account and select \"Reset password\"\n Enter a password that meets password complexity requirements.\n Clear the \"User must change password at next logon\" check box.\n The system will automatically change this to a system-generated complex\npassword." + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Account lockout duration\" is less than \"15\" minutes (excluding\n\"0\"), this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n\n If \"LockoutDuration\" is less than \"15\" (excluding \"0\") in the file,\nthis is a finding.\n\n Configuring this to \"0\", requiring an administrator to unlock the\naccount, is more restrictive and is not a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Account Policies >> Account Lockout Policy >> \"Account\nlockout duration\" to \"15\" minutes or greater.\n\n A value of \"0\" is also acceptable, requiring an administrator to unlock\nthe account." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93211", - "rid": "SV-103299r3_rule", - "stig_id": "WN19-DC-000430", - "fix_id": "F-99457r1_fix", + "gtitle": "SRG-OS-000329-GPOS-00128", + "gid": "V-93145", + "rid": "SV-103233r1_rule", + "stig_id": "WN19-AC-000010", + "fix_id": "F-99391r1_fix", "cci": [ - "CCI-000366" + "CCI-002238" ], "nist": [ - "CM-6 b", + "AC-7 b", "Rev_4" ] }, - "code": "control 'V-93211' do\n title \"The password for the krbtgt account on a domain must be reset at least\nevery 180 days.\"\n desc \"The krbtgt account acts as a service account for the Kerberos Key\nDistribution Center (KDC) service. The account and password are created when a\ndomain is created and the password is typically not changed. If the krbtgt\naccount is compromised, attackers can create valid Kerberos Ticket Granting\nTickets (TGT).\n The password must be changed twice to effectively remove the password\nhistory. Changing once, waiting for replication to complete and the amount of\ntime equal to or greater than the maximum Kerberos ticket lifetime, and\nchanging again reduces the risk of issues.\"\n desc 'rationale', ''\n desc 'check', \"This requirement is applicable to domain controllers; it is NA for other\nsystems.\n Open \\\"Windows PowerShell\\\".\n Enter \\\"Get-ADUser krbtgt -Property PasswordLastSet\\\".\n If the \\\"PasswordLastSet\\\" date is more than 180 days old, this is a\nfinding.\"\n desc 'fix', \"Reset the password for the krbtgt account a least every 180 days. The\npassword must be changed twice to effectively remove the password history.\nChanging once, waiting for replication to complete and changing again reduces\nthe risk of issues. 
Changing twice in rapid succession forces clients to\nre-authenticate (including application services) but is desired if a compromise\nis suspected.\n PowerShell scripts are available to accomplish this such as at the\nfollowing link:\n https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n Select \\\"Advanced Features\\\" in the \\\"View\\\" menu if not previously\nselected.\n Select the \\\"Users\\\" node.\n Right click on the krbtgt account and select \\\"Reset password\\\"\n Enter a password that meets password complexity requirements.\n Clear the \\\"User must change password at next logon\\\" check box.\n The system will automatically change this to a system-generated complex\npassword.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93211'\n tag 'rid': 'SV-103299r3_rule'\n tag 'stig_id': 'WN19-DC-000430'\n tag 'fix_id': 'F-99457r1_fix'\n tag 'cci': ['CCI-000366']\n tag 'nist': ['CM-6 b', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n password_set_date = json(command: 'New-TimeSpan -Start (Get-ADUser krbtgt -Property PasswordLastSet).PAsswordLastSet | where -filter { $_.Days -gt 180 } | ConvertTo-JSON').params\n date = password_set_date['Days']\n if date.nil?\n describe 'krbtgt Account is within 180 days since password change' do\n subject { date }\n its(date) { should eq nil }\n end\n else\n describe 'Password Last Set' do\n it 'krbtgt Account Password Last Set Date is' do\n failure_message = \"Password Date should not be more than 180 Days: #{date}\"\n expect(date).to be_empty, failure_message\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 
'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93145\" do\n title \"Windows Server 2019 account lockout duration must be configured to #{input('pass_lock_duration')}\nminutes or greater.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat an account will remain locked after the specified number of failed logon\nattempts.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Account lockout duration\\\" is less than \\\"#{input('pass_lock_duration')}\\\" minutes (excluding\n\\\"0\\\"), this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n\n If \\\"LockoutDuration\\\" is less than \\\"#{input('pass_lock_duration')}\\\" (excluding \\\"0\\\") in the file,\nthis is a finding.\n\n Configuring this to \\\"0\\\", requiring an administrator to unlock the\naccount, is more restrictive and is not a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Account Policies >> Account Lockout Policy >> \\\"Account\nlockout duration\\\" to \\\"#{input('pass_lock_duration')}\\\" minutes or greater.\n\n A value of \\\"0\\\" is also acceptable, requiring an administrator to unlock\nthe account.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 'SRG-OS-000329-GPOS-00128'\n tag gid: 'V-93145'\n tag rid: 'SV-103233r1_rule'\n tag stig_id: 'WN19-AC-000010'\n tag fix_id: 'F-99391r1_fix'\n tag cci: [\"CCI-002238\"]\n tag nist: [\"AC-7 b\", \"Rev_4\"]\n\n 
os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n \n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n pass_lock_duration = input('pass_lock_duration')\n describe.one do\n describe security_policy do\n its('LockoutDuration') { should be >= pass_lock_duration }\n end\n describe security_policy do\n its('LockoutDuration') { should cmp == 0 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93211.rb", - "line": 1 + "ref": "./Windows 2019 STIG/controls/V-93145.rb", + "line": 3 }, - "id": "V-93211" + "id": "V-93145" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.", + "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name chrome.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for chrome.exe:\n\n DEP:\n Enable: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "If the server has the role of an FTP server, this is NA.\n\n Open \"PowerShell\".\n Enter \"Get-WindowsFeature | Where Name -eq Web-Ftp-Service\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.\n If the system has the role of an FTP server, this must be documented with the ISSO.", + "fix": "Uninstall the \"FTP Server\" role.\n\n Start \"Server Manager\".\n Select the server with the role.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"FTP Server\" under \"Web Server (IIS)\" on the \"Roles\" page.\n Click \"Next\" and \"Remove\" as prompted." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93325", - "rid": "SV-103413r1_rule", - "stig_id": "WN19-EP-000080", - "fix_id": "F-99571r1_fix", + "gtitle": "SRG-OS-000096-GPOS-00050", + "gid": "V-93421", + "rid": "SV-103507r1_rule", + "stig_id": "WN19-00-000330", + "fix_id": "F-99665r1_fix", "cci": [ - "CCI-000366" + "CCI-000382" ], "nist": [ - "CM-6 b", + "CM-7 b", "Rev_4" ] }, - "code": "control \"V-93325\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name chrome.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for chrome.exe:\n\n DEP:\n Enable: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93325\"\n tag rid: \"SV-103413r1_rule\"\n tag stig_id: \"WN19-EP-000080\"\n tag fix_id: \"F-99571r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n chrome = json({ command: \"Get-ProcessMitigation -Name chrome.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif chrome.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for chrome.exe\" do\n subject { chrome }\n its(['Dep','Enable']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93421\" do\n title \"Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.\"\n desc \"Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the server has the role of an FTP server, this is NA.\n\n Open \\\"PowerShell\\\".\n Enter \\\"Get-WindowsFeature | Where Name -eq Web-Ftp-Service\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\n If the system has the role of an FTP server, this must be documented with the ISSO.\"\n desc \"fix\", \"Uninstall the \\\"FTP Server\\\" role.\n\n Start \\\"Server Manager\\\".\n Select the server with the role.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"FTP Server\\\" under \\\"Web Server (IIS)\\\" on the \\\"Roles\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000096-GPOS-00050\"\n tag gid: \"V-93421\"\n tag rid: \"SV-103507r1_rule\"\n tag stig_id: \"WN19-00-000330\"\n tag fix_id: \"F-99665r1_fix\"\n tag cci: [\"CCI-000382\"]\n tag nist: [\"CM-7 b\", \"Rev_4\"]\n\n 
ftp_server_state = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n\n if input('ftp_server') == false\n describe 'Microsoft FTP service must not be installed unless required' do\n subject { ftp_server_state }\n it { should eq 'False' }\n end\n else\n impact 0.0\n describe 'This server has the role of an FTP server, therefore this control is NA' do\n skip 'This server has the role of an FTP server, therefore this control is NA'\n end\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93325.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93421.rb",
 "line": 3
 },
- "id": "V-93325"
+ "id": "V-93421"
 },
 {
- "title": "Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.",
- "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.",
+ "title": "Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.",
+ "desc": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.",
 "descriptions": {
- "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.",
+ "default": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.", "rationale": "", - "check": "Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \"Configure SMBv1 client driver\" to \"Enabled\" with \"Disable driver (recommended)\" selected for \"Configure MrxSmb10 driver\".\n\n The system must be restarted for the changes to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Digitally encrypt or sign secure channel data (always)\" to \"Enabled\"." 
},
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000095-GPOS-00049",
- "gid": "V-93395",
- "rid": "SV-103481r1_rule",
- "stig_id": "WN19-00-000400",
- "fix_id": "F-99639r1_fix",
+ "gtitle": "SRG-OS-000423-GPOS-00187",
+ "satisfies": [
+ "SRG-OS-000423-GPOS-00187",
+ "SRG-OS-000424-GPOS-00188"
+ ],
+ "gid": "V-93547",
+ "rid": "SV-103633r1_rule",
+ "stig_id": "WN19-SO-000060",
+ "fix_id": "F-99791r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-002418",
+ "CCI-002421"
 ],
 "nist": [
- "CM-7 a",
+ "SC-8",
+ "SC-8 (1)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93395\" do\n title \"Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10\\\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \\\"Configure SMBv1 client driver\\\" to \\\"Enabled\\\" with \\\"Disable driver (recommended)\\\" selected for \\\"Configure MrxSmb10 driver\\\".\n\n The system must be restarted for the changes to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93395\"\n tag rid: \"SV-103481r1_rule\"\n tag stig_id: \"WN19-00-000400\"\n tag fix_id: \"F-99639r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n if powershell(\"Get-WindowsFeature -Name FS-SMB1 | Select -ExpandProperty 'InstallState'\").stdout.strip == \"Installed\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'SMB1' }\n its('SMB1') { should cmp == 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10') do\n it { should have_property 'Start' }\n its('Start') { should cmp == 4 }\n end\n else\n impact 0.0\n describe 'Control V-93391 configuration successful' do\n skip 'This is NA as the successful configuration of Control V-93391 (STIG ID# WN19-00-000380) meets the requirement'\n end\n end\nend", + "code": "control \"V-93547\" do\n title \"Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireSignOrSeal\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Digitally encrypt or sign secure channel data (always)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93547\"\n tag rid: \"SV-103633r1_rule\"\n tag stig_id: \"WN19-SO-000060\"\n tag fix_id: \"F-99791r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RequireSignOrSeal' }\n its('RequireSignOrSeal') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93395.rb", + "ref": "./Windows 2019 STIG/controls/V-93547.rb", "line": 3 }, - "id": "V-93395" + "id": "V-93547" }, { - "title": "Windows Server 2019 must prevent PKU2U authentication using online identities.", - "desc": "PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. 
Authentication will be centrally managed with Windows user accounts.",
+ "title": "Windows Server 2019 must be maintained at a supported servicing level.",
+ "desc": "Systems at unsupported servicing levels will not receive security\nupdates for new vulnerabilities, which leave them subject to exploitation.\nSystems must be maintained at a servicing level supported by the vendor with\nnew security updates.",
 "descriptions": {
- "default": "PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.",
+ "default": "Systems at unsupported servicing levels will not receive security\nupdates for new vulnerabilities, which leave them subject to exploitation.\nSystems must be maintained at a servicing level supported by the vendor with\nnew security updates.",
 "rationale": "",
- "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\pku2u\\\n\n Value Name: AllowOnlineID\n\n Type: REG_DWORD\n Value: 0x00000000 (0)",
- "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Allow PKU2U authentication requests to this computer to use online identities\" to \"Disabled\"."
+ "check": "Open \"Command Prompt\".\n\n Enter \"winver.exe\".\n\n If the \"About Windows\" dialog box does not display \"Microsoft Windows\nServer Version 1809 (Build 17763.xxx)\" or greater, this is a finding.\n\n Preview versions must not be used in a production environment.",
+ "fix": "Update the system to a Version 1809 (Build 17763.xxx) or\ngreater." 
},
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93299",
- "rid": "SV-103387r1_rule",
- "stig_id": "WN19-SO-000280",
- "fix_id": "F-99545r1_fix",
+ "gid": "V-93215",
+ "rid": "SV-103303r1_rule",
+ "stig_id": "WN19-00-000100",
+ "fix_id": "F-99461r1_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -4776,754 +4832,748 @@ "Rev_4" ] }, - "code": "control \"V-93299\" do\n title \"Windows Server 2019 must prevent PKU2U authentication using online identities.\"\n desc \"PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\pku2u\\\\\n\n Value Name: AllowOnlineID\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Allow PKU2U authentication requests to this computer to use online identities\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93299\"\n tag rid: \"SV-103387r1_rule\"\n tag stig_id: \"WN19-SO-000280\"\n tag fix_id: \"F-99545r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\pku2u') do\n it { should have_property 'AllowOnlineID' }\n its('AllowOnlineID') { should cmp == 0 }\n end\nend", + "code": "control \"V-93215\" do\n title \"Windows Server 2019 must be maintained at a supported servicing level.\"\n desc \"Systems at unsupported servicing levels will not receive security\nupdates for new vulnerabilities, which leave them subject to exploitation.\nSystems must be maintained at a servicing level supported by the vendor with\nnew security updates.\"\n desc \"rationale\", \"\"\n desc 'check', \"Open \\\"Command Prompt\\\".\n\n Enter \\\"winver.exe\\\".\n\n If the \\\"About Windows\\\" dialog box does 
not display \\\"Microsoft Windows\nServer Version 1809 (Build 17763.xxx)\\\" or greater, this is a finding.\n\n Preview versions must not be used in a production environment.\"\n desc 'fix', \"Update the system to a Version 1809 (Build 17763.xxx) or\ngreater.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93215'\n tag 'rid': 'SV-103303r1_rule'\n tag 'stig_id': 'WN19-00-000100'\n tag 'fix_id': 'F-99461r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n releaseid = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId\n current_build_number = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').CurrentBuildNumber\n describe 'Microsoft Windows 2019 needs to be higher that release 1809' do\n subject { releaseid }\n it { should cmp >= 1809}\n end\n describe 'Microsoft Windows 2019 needs to be higher that build number 17763' do\n subject { current_build_number }\n it { should cmp >= 17763}\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93299.rb", + "ref": "./Windows 2019 STIG/controls/V-93215.rb", "line": 3 }, - "id": "V-93299" + "id": "V-93215" }, { - "title": "Windows Server 2019 required legal notice must be configured to\ndisplay before console logon.", - "desc": "Failure to display the logon banner prior to a logon attempt will\nnegate legal proceedings resulting from unauthorized access to system resources.", + "title": "Windows Server 2019 must be configured to audit Logon/Logoff - Special\nLogon successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\nand can be used to elevate processes.", "descriptions": { - "default": "Failure to display the logon banner prior to a logon attempt will\nnegate legal proceedings resulting from unauthorized access to system resources.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\nand can be used to elevate processes.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value: See message text below\n\n You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
-At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> Security Options >> \"Interactive\nLogon: Message text for users attempting to log on\" to the following:\n\n You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Special Logon - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Special Logon\" with\n\"Success\" selected." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000023-GPOS-00006",
+ "gtitle": "SRG-OS-000470-GPOS-00214",
 "satisfies": [
- "SRG-OS-000023-GPOS-00006",
- "SRG-OS-000024-GPOS-00007",
- "SRG-OS-000228-GPOS-00088"
+ "SRG-OS-000470-GPOS-00214",
+ "SRG-OS-000472-GPOS-00217",
+ "SRG-OS-000473-GPOS-00218",
+ "SRG-OS-000475-GPOS-00220"
 ],
- "gid": "V-93147",
- "rid": "SV-103235r1_rule",
- "stig_id": "WN19-SO-000130",
- "fix_id": "F-99393r1_fix",
+ "gid": "V-93161",
+ "rid": "SV-103249r1_rule",
+ "stig_id": "WN19-AU-000210",
+ "fix_id": "F-99407r1_fix",
 "cci": [
- "CCI-000048",
- "CCI-000050",
- "CCI-001384",
- "CCI-001385",
- "CCI-001386",
- "CCI-001387",
- "CCI-001388"
+ "CCI-000172"
 ],
 "nist": [
- "AC-8 a",
- "AC-8 b",
- "AC-8 c 1",
- "AC-8 c 2",
- "AC-8 c 2",
- "AC-8 c2",
- "AC-8 c 3",
+ "AU-12 c",
 "Rev_4"
 ]
 },
- "code": "control \"V-93147\" do\n title \"Windows Server 2019 required legal notice must be configured to\ndisplay before console logon.\"\n desc \"Failure to display the logon banner prior to a logon attempt will\nnegate legal proceedings resulting from unauthorized access to system resources.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value: See message text below\n\n #{input('LegalNoticeText')}\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> Security Options >> \\\"Interactive\nLogon: Message text for users attempting to log on\\\" to the following:\n\n #{input('LegalNoticeText')}\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000023-GPOS-00006'\n tag 'satisfies': [\"SRG-OS-000023-GPOS-00006\", 
\"SRG-OS-000024-GPOS-00007\",\n\"SRG-OS-000228-GPOS-00088\"]\n tag 'gid': 'V-93147'\n tag 'rid': 'SV-103235r1_rule'\n tag 'stig_id': 'WN19-SO-000130'\n tag 'fix_id': 'F-99393r1_fix'\n tag 'cci': [\"CCI-000048\", \"CCI-000050\", \"CCI-001384\", \"CCI-001385\",\n\"CCI-001386\", \"CCI-001387\", \"CCI-001388\"]\n tag 'nist': [\"AC-8 a\", \"AC-8 b\", \"AC-8 c 1\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c2\", \"AC-8 c 3\", \"Rev_4\"]\n\ndescribe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LegalNoticeText' }\n end\n\n key = registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System').LegalNoticeText.to_s\n\n k = key.gsub(\"\\u0000\", '')\n legal_notice_text = input('LegalNoticeText')\n\n describe 'The required legal notice text' do\n subject { k.scan(/[\\w().;,!]/).join }\n it { should cmp legal_notice_text.scan(/[\\w().;,!]/).join }\n end\nend\n", + "code": "control \"V-93161\" do\n title \"Windows Server 2019 must be configured to audit Logon/Logoff - Special\nLogon successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Special Logon records special logons that have administrative privileges\nand can be used to elevate processes.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Special Logon - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Special Logon\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'satisfies': [\"SRG-OS-000470-GPOS-00214\", \"SRG-OS-000472-GPOS-00217\",\n\"SRG-OS-000473-GPOS-00218\", \"SRG-OS-000475-GPOS-00220\"]\n tag 'gid': 'V-93161'\n tag 'rid': 'SV-103249r1_rule'\n tag 'stig_id': 'WN19-AU-000210'\n tag 'fix_id': 'F-99407r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Special Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Special Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 
STIG/controls/V-93147.rb", + "ref": "./Windows 2019 STIG/controls/V-93161.rb", "line": 3 }, - "id": "V-93147" + "id": "V-93161" }, { - "title": "Windows Server 2019 non-administrative accounts or groups must only\nhave print permissions on printer shares.", - "desc": "Windows shares are a means by which files, folders, printers, and\nother resources can be published for network users to access. Improper\nconfiguration can permit access to devices and data beyond a user's need.", + "title": "Windows Server 2019 must only allow administrators responsible for the\ndomain controller to have Administrator rights on the system.", + "desc": "An account that does not have Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.", "descriptions": { - "default": "Windows shares are a means by which files, folders, printers, and\nother resources can be published for network users to access. Improper\nconfiguration can permit access to devices and data beyond a user's need.", + "default": "An account that does not have Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.", "rationale": "", - "check": "Open \"Printers & scanners\" in \"Settings\".\n\n If there are no printers configured, this is NA. 
(Exclude Microsoft Print\nto PDF and Microsoft XPS Document Writer, which do not support sharing.)\n\n For each printer:\n\n Select the printer and \"Manage\".\n\n Select \"Printer Properties\".\n\n Select the \"Sharing\" tab.\n\n If \"Share this printer\" is checked, select the \"Security\" tab.\n\n If any standard user accounts or groups have permissions other than\n\"Print\", this is a finding.\n\n The default is for the \"Everyone\" group to be given \"Print\" permission.\n\n \"All APPLICATION PACKAGES\" and \"CREATOR OWNER\" are not standard user\naccounts.", - "fix": "Configure the permissions on shared printers to restrict\nstandard users to only have Print permissions." + "check": "This applies to domain controllers. A separate version applies to other\nsystems.\n\n Review the Administrators group. Only the appropriate administrator groups\nor accounts responsible for administration of the system may be members of the\ngroup.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this\nis a finding.\n\n If the built-in Administrator account or other required administrative\naccounts are found on the system, this is not a finding.", + "fix": "Configure the Administrators group to include only administrator groups or\naccounts that are responsible for the system.\n\n Remove any standard user accounts." 
},
- "impact": 0.3,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000080-GPOS-00048",
- "gid": "V-92993",
- "rid": "SV-103081r1_rule",
- "stig_id": "WN19-00-000180",
- "fix_id": "F-99239r1_fix",
+ "gtitle": "SRG-OS-000324-GPOS-00125",
+ "gid": "V-93027",
+ "rid": "SV-103115r1_rule",
+ "stig_id": "WN19-DC-000010",
+ "fix_id": "F-99273r1_fix",
 "cci": [
- "CCI-000213"
+ "CCI-002235"
 ],
 "nist": [
- "AC-3",
+ "AC-6 (10)",
 "Rev_4"
 ]
 },
- "code": "control \"V-92993\" do\n title \"Windows Server 2019 non-administrative accounts or groups must only\nhave print permissions on printer shares.\"\n desc \"Windows shares are a means by which files, folders, printers, and\nother resources can be published for network users to access. Improper\nconfiguration can permit access to devices and data beyond a user's need.\"\n desc \"rationale\", \"\"\n desc 'check', \"Open \\\"Printers & scanners\\\" in \\\"Settings\\\".\n\n If there are no printers configured, this is NA. (Exclude Microsoft Print\nto PDF and Microsoft XPS Document Writer, which do not support sharing.)\n\n For each printer:\n\n Select the printer and \\\"Manage\\\".\n\n Select \\\"Printer Properties\\\".\n\n Select the \\\"Sharing\\\" tab.\n\n If \\\"Share this printer\\\" is checked, select the \\\"Security\\\" tab.\n\n If any standard user accounts or groups have permissions other than\n\\\"Print\\\", this is a finding.\n\n The default is for the \\\"Everyone\\\" group to be given \\\"Print\\\" permission.\n\n \\\"All APPLICATION PACKAGES\\\" and \\\"CREATOR OWNER\\\" are not standard user\naccounts.\"\n desc 'fix', \"Configure the permissions on shared printers to restrict\nstandard users to only have Print permissions.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92993'\n tag 'rid': 'SV-103081r1_rule'\n tag 'stig_id': 'WN19-00-000180'\n tag 'fix_id': 'F-99239r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n \n 
describe \"A manual review is required to verify that Non Administrative user accounts or groups only have print\n permissions on printer shares\" do\n skip 'A manual review is required to verify that Non Administrative user accounts or groups only have print\n permissions on printer shares'\n end\n\nend\n", + "code": "control \"V-93027\" do\n title \"Windows Server 2019 must only allow administrators responsible for the\ndomain controller to have Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. A separate version applies to other\nsystems.\n\n Review the Administrators group. 
Only the appropriate administrator groups\nor accounts responsible for administration of the system may be members of the\ngroup.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this\nis a finding.\n\n If the built-in Administrator account or other required administrative\naccounts are found on the system, this is not a finding.\"\n desc 'fix', \"\n Configure the Administrators group to include only administrator groups or\naccounts that are responsible for the system.\n\n Remove any standard user accounts.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93027'\n tag 'rid': 'SV-103115r1_rule'\n tag 'stig_id': 'WN19-DC-000010'\n tag 'fix_id': 'F-99273r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n administrators = input('local_administrators_dc')\n administrator_group = command(\"net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n else\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in administrators }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92993.rb", + "ref": "./Windows 2019 STIG/controls/V-93027.rb", "line": 3 }, - "id": 
"V-92993" + "id": "V-93027" }, { - "title": "Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.", - "desc": "Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.", + "title": "Windows Server 2019 Active Directory Infrastructure object must be\nconfigured with proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Infrastructure object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "descriptions": { - "default": "Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.", + "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Infrastructure object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "rationale": "", - "check": "Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account.\n If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.", - "fix": "Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for Infrastructure object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the \"Infrastructure\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the Infrastructure object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\nChange infrastructure master)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)", + "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the \"Infrastructure\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for Infrastructure object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\nChange infrastructure master)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)" }, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93369", - "rid": "SV-103457r1_rule", - "stig_id": "WN19-00-000010", - "fix_id": "F-99615r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-93125", + "rid": "SV-103213r1_rule", + "stig_id": "WN19-DC-000190", + "fix_id": "F-99371r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93369\" do\n title \"Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.\"\n desc \"Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account.\n If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.\"\n desc \"fix\", \"Ensure each user with administrative privileges has a separate account for user duties and one for privileged 
duties.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93369\"\n tag rid: \"SV-103457r1_rule\"\n tag stig_id: \"WN19-00-000010\"\n tag fix_id: \"F-99615r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n administrators = input('administrators')\n administrator_group = command(\"net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in administrators }\n end\n end\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'There are no users with administrative privileges so this control is NA'\n end\n end\nend", + "code": "control \"V-93125\" do\n title \"Windows Server 2019 Active Directory Infrastructure object must be\nconfigured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Infrastructure object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for Infrastructure object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the \\\"Infrastructure\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the Infrastructure object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\nChange infrastructure master)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n desc 'fix', \"Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the \\\"Infrastructure\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for Infrastructure object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Permissions: Write all properties, All extended rights,\nChange infrastructure master)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93125'\n tag 'rid': 'SV-103213r1_rule'\n tag 'stig_id': 'WN19-DC-000190'\n tag 'fix_id': 'F-99371r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=Infrastructure,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n 
its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, ExtendedRight\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93369.rb", + "ref": "./Windows 2019 STIG/controls/V-93125.rb", "line": 3 }, - "id": "V-93369" + "id": "V-93125" }, { - "title": "Windows Server 2019 must use an anti-virus program.", - "desc": "Malicious software can establish a base on individual desktops and\nservers. Employing an automated mechanism to detect this type of software will\naid in elimination of the software from the operating system.", + "title": "Windows Server 2019 must be configured to audit System - Other System\nEvents successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.", "descriptions": { - "default": "Malicious software can establish a base on individual desktops and\nservers. Employing an automated mechanism to detect this type of software will\naid in elimination of the software from the operating system.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.", "rationale": "", - "check": "Verify an anti-virus solution is installed on the system. The anti-virus\nsolution may be bundled with an approved host-based security solution.\n\n If there is no anti-virus solution installed on the system, this is a\nfinding.", - "fix": "Install an anti-virus solution on the system." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit Other System Events\" with\n\"Success\" selected." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93217", - "rid": "SV-103305r1_rule", - "stig_id": "WN19-00-000110", - "fix_id": "F-99463r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-93109", + "rid": "SV-103197r1_rule", + "stig_id": "WN19-AU-000340", + "fix_id": "F-99355r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93217\" do\n title \"Windows Server 2019 must use an anti-virus program.\"\n desc \"Malicious software can establish a base on individual desktops and\nservers. Employing an automated mechanism to detect this type of software will\naid in elimination of the software from the operating system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify an anti-virus solution is installed on the system. 
The anti-virus\nsolution may be bundled with an approved host-based security solution.\n\n If there is no anti-virus solution installed on the system, this is a\nfinding.\"\n desc 'fix', \"Install an anti-virus solution on the system.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93217'\n tag 'rid': 'SV-103305r1_rule'\n tag 'stig_id': 'WN19-00-000110'\n tag 'fix_id': 'F-99463r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe windows_feature('Windows-Defender') do\n it { should be_installed }\n end\n describe registry_key('HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\CurrentVersion') do\n it { should exist }\n end\n describe registry_key('HKLM\\SOFTWARE\\McAfee/DesktopProtection\\szProductVer') do\n it { should exist }\n end\n describe registry_key('HKLM\\SOFTWARE\\McAfee\\Endpoint\\AV') do\n it { should exist }\n it { should have_property 'ProductVersion' }\n end\n end\nend\n", + "code": "control \"V-93109\" do\n title \"Windows Server 2019 must be configured to audit System - Other System\nEvents successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit Other System Events\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93109'\n tag 'rid': 'SV-103197r1_rule'\n tag 'stig_id': 'WN19-AU-000340'\n tag 'fix_id': 'F-99355r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n end\nend\n", 
"source_location": { - "ref": "./Windows 2019 STIG/controls/V-93217.rb", + "ref": "./Windows 2019 STIG/controls/V-93109.rb", "line": 3 }, - "id": "V-93217" + "id": "V-93109" }, { - "title": "Windows Server 2019 non-system-created file shares must limit access to groups that require it.", - "desc": "Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.", + "title": "Windows Server 2019 Active Directory Group Policy objects must be\nconfigured with proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes Group Policy objects. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "descriptions": { - "default": "Shares on a system provide network access. 
To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.", + "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes Group Policy objects. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "rationale": "", - "check": "If only system-created shares such as \"ADMIN$\", \"C$\", and \"IPC$\" exist on the system, this is NA. 
(System-created shares will display a message that it has been shared for administrative purposes when \"Properties\" is selected.)\n\n Run \"Computer Management\".\n Navigate to System Tools >> Shared Folders >> Shares.\n Right-click any non-system-created shares.\n Select \"Properties\".\n Select the \"Share Permissions\" tab.\n If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.\n Select the \"Security\" tab.\n If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.", - "fix": "If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it.\n Remove any unnecessary non-system-created shares." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for all Group Policy objects.\n\n Open \"Group Policy Management\" (available from various menus or run\n\"gpmc.msc\").\n\n Navigate to \"Group Policy Objects\" in the domain being reviewed (Forest\n>> Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the \"Delegation\" tab in the right pane.\n\n Select the \"Advanced\" button.\n\n Select the \"Advanced\" button again and then the \"Auditing\" tab.\n\n If the audit settings for any Group Policy object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\ngroupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\nObject. 
Where Special is listed in the summary screens for Access, detailed\nPermissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\nProperties: all \"Write\" type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance -\nWrite gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects", + "fix": "Configure the audit settings for Group Policy objects to include the\nfollowing:\n\n This can be done at the Policy level in Active Directory to apply to all\ngroup policies.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Select \"Advanced Features\" from the \"View\" Menu.\n\n Navigate to [Domain] >> System >> Policies in the left panel.\n\n Right click \"Policies\", select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button.\n\n Select the \"Auditing\" tab.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\ngroupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\nObject. 
Where Special is listed in the summary screens for Access, detailed\nPermissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\nProperties: all \"Write\" type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance -\nWrite gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects" }, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-93531", - "rid": "SV-103617r1_rule", - "stig_id": "WN19-00-000230", - "fix_id": "F-99775r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-93121", + "rid": "SV-103209r1_rule", + "stig_id": "WN19-DC-000170", + "fix_id": "F-99367r1_fix", "cci": [ - "CCI-001090" + "CCI-000172", + "CCI-002234" ], "nist": [ - "SC-4", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control 'V-93531' do\n title 'Windows Server 2019 non-system-created file shares must limit access to groups that require it.'\n desc 'Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.'\n desc 'rationale', ''\n desc 'check', \"If only system-created shares such as \\\"ADMIN$\\\", \\\"C$\\\", and \\\"IPC$\\\" exist on the system, this is NA. 
(System-created shares will display a message that it has been shared for administrative purposes when \\\"Properties\\\" is selected.)\n\n Run \\\"Computer Management\\\".\n Navigate to System Tools >> Shared Folders >> Shares.\n Right-click any non-system-created shares.\n Select \\\"Properties\\\".\n Select the \\\"Share Permissions\\\" tab.\n If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.\n Select the \\\"Security\\\" tab.\n If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.\"\n desc 'fix', \"If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it.\n Remove any unnecessary non-system-created shares.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag gid: 'V-93531'\n tag rid: 'SV-103617r1_rule'\n tag stig_id: 'WN19-00-000230'\n tag fix_id: 'F-99775r1_fix'\n tag cci: ['CCI-001090']\n tag nist: %w(SC-4 Rev_4)\n\n net_shares = json({ command: 'Get-SMBShare -Special $false | Where-Object -Property Name -notin C$,ADMIN$,IPC$,NETLOGON,SYSVOL | Select Name, Path | ConvertTo-Json' }).params\n\n if net_shares.empty?\n impact 0.0\n describe 'No non-default file shares were detected' do\n skip 'This control is NA'\n end\n else\n case net_shares\n when Hash\n net_shares.each do |_key, value|\n describe 'Unrestricted file shares' do\n subject { command(\"Get-Acl -Path '#{value}' | ?{$_.AccessToString -match 'Everyone\\sAllow'} | %{($_.PSPath -split '::')[1]}\") }\n its('stdout') { should eq '' }\n end\n end\n when Array\n net_shares.each do |paths|\n paths.each do |_key, value|\n describe 'Unrestricted file shares' do\n subject { command(\"Get-Acl -Path '#{value}' | ?{$_.AccessToString -match 'Everyone\\sAllow'} | %{($_.PSPath -split '::')[1]}\") }\n 
its('stdout') { should eq '' }\n end\n end\n end\n end\n end\nend\n", + "code": "control \"V-93121\" do\n title \"Windows Server 2019 Active Directory Group Policy objects must be\nconfigured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes Group Policy objects. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for all Group Policy objects.\n\n Open \\\"Group Policy Management\\\" (available from various menus or run\n\\\"gpmc.msc\\\").\n\n Navigate to \\\"Group Policy Objects\\\" in the domain being reviewed (Forest\n>> Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the \\\"Delegation\\\" tab in the right pane.\n\n Select the \\\"Advanced\\\" button.\n\n Select the \\\"Advanced\\\" button again and then the \\\"Auditing\\\" tab.\n\n If the audit settings for any Group Policy object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\ngroupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\nObject. Where Special is listed in the summary screens for Access, detailed\nPermissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\nProperties: all \\\"Write\\\" type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance -\nWrite gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects\"\n desc 'fix', \"Configure the audit settings for Group Policy objects to include the\nfollowing:\n\n This can be done at the Policy level in Active Directory to apply to all\ngroup policies.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Select \\\"Advanced Features\\\" from the \\\"View\\\" Menu.\n\n Navigate 
to [Domain] >> System >> Policies in the left panel.\n\n Right click \\\"Policies\\\", select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button.\n\n Select the \\\"Auditing\\\" tab.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\ngroupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\nObject. Where Special is listed in the summary screens for Access, detailed\nPermissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\nProperties: all \\\"Write\\\" type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance -\nWrite gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93121'\n tag 'rid': 'SV-103209r1_rule'\n tag 'stig_id': 'WN19-DC-000170'\n tag 'fix_id': 'F-99367r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedNames = json(command: \"Get-ADObject -Filter { objectclass -eq 'groupPolicyContainer'} | foreach {$_.DistinguishedName} | ConvertTo-JSON\").params\n distinguishedNames.each do |distinguishedName|\n acl_rules = json(command: \"(Get-ACL 
-Audit -Path AD:'#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, WriteDacl\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"All\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93531.rb", - "line": 1 + "ref": "./Windows 2019 STIG/controls/V-93121.rb", + "line": 3 }, - "id": "V-93531" + "id": "V-93121" }, { - "title": "Windows Server 2019 domain 
controllers must require LDAP access signing.", - "desc": "Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult.", + "title": "Windows Server 2019 must be configured to audit System - System\nIntegrity failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.", "descriptions": { - "default": "Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. 
Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\\\n\n Value Name: LDAPServerIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain controller: LDAP server signing requirements\" to \"Require signing\"." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit System Integrity\" with \"Failure\"\nselected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000423-GPOS-00187", + "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000471-GPOS-00216", + "SRG-OS-000477-GPOS-00222" ], - "gid": "V-93545", - "rid": "SV-103631r1_rule", - "stig_id": "WN19-DC-000320", - "fix_id": "F-99789r1_fix", + "gid": "V-93119", + "rid": "SV-103207r1_rule", + "stig_id": "WN19-AU-000390", + "fix_id": "F-99365r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000172", + "CCI-002234" ], "nist": [ - "SC-8", - "SC-8 (1)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93545\" do\n title \"Windows Server 2019 domain controllers must require LDAP access signing.\"\n desc \"Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. 
In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\\n\n Value Name: LDAPServerIntegrity\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain controller: LDAP server signing requirements\\\" to \\\"Require signing\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93545\"\n tag rid: \"SV-103631r1_rule\"\n tag stig_id: \"WN19-DC-000320\"\n tag fix_id: \"F-99789r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters') do\n it { should have_property 'LDAPServerIntegrity' }\n its('LDAPServerIntegrity') { should cmp 2 }\n end\n else\n impact 0.0\n describe 'This 
system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93119\" do\n title \"Windows Server 2019 must be configured to audit System - System\nIntegrity failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Failure\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", 
\"SRG-OS-000471-GPOS-00215\",\n\"SRG-OS-000471-GPOS-00216\", \"SRG-OS-000477-GPOS-00222\"]\n tag 'gid': 'V-93119'\n tag 'rid': 'SV-103207r1_rule'\n tag 'stig_id': 'WN19-AU-000390'\n tag 'fix_id': 'F-99365r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Failure' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n end\n\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93545.rb", + "ref": "./Windows 2019 STIG/controls/V-93119.rb", "line": 3 }, - "id": "V-93545" + "id": "V-93119" }, { - "title": "Windows Server 2019 must be configured to audit logoff successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\nrecorded on the local system. If it is to a network share, it is recorded on\nthe system accessed.", + "title": "Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.", + "desc": "In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. 
Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\nrecorded on the local system. If it is to a network share, it is recorded on\nthe system accessed.", + "default": "In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. 
For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logoff - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Logoff\" with \"Success\"\nselected." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n If the value for \"Maximum lifetime for user ticket\" is \"0\" or greater than \"10\" hours, this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Maximum lifetime for user ticket\" to a maximum of \"10\" hours but not \"0\", which equates to \"Ticket doesn't expire\"." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000472-GPOS-00217", + "gtitle": "SRG-OS-000112-GPOS-00057", "satisfies": [ - "SRG-OS-000472-GPOS-00217", - "SRG-OS-000480-GPOS-00227" + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" ], - "gid": "V-93171", - "rid": "SV-103259r1_rule", - "stig_id": "WN19-AU-000180", - "fix_id": "F-99417r1_fix", + "gid": "V-93447", + "rid": "SV-103533r1_rule", + "stig_id": "WN19-DC-000040", + "fix_id": "F-99691r1_fix", "cci": [ - "CCI-000172", - "CCI-000366" + "CCI-001941", + "CCI-001942" ], "nist": [ - "AU-12 c", - "CM-6 b", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ] }, - "code": "control \"V-93171\" do\n title \"Windows Server 2019 must be configured to audit logoff successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logoff records user logoffs. If this is an interactive logoff, it is\nrecorded on the local system. 
If it is to a network share, it is recorded on\nthe system accessed.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logoff - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Logoff\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000472-GPOS-00217'\n tag 'satisfies': [\"SRG-OS-000472-GPOS-00217\", \"SRG-OS-000480-GPOS-00227\"]\n tag 'gid': 'V-93171'\n tag 'rid': 'SV-103259r1_rule'\n tag 'stig_id': 'WN19-AU-000180'\n tag 'fix_id': 'F-99417r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-000366\"]\n tag 'nist': [\"AU-12 c\", \"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Logoff') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logoff') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93447\" do\n title \"Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.\"\n desc \"In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. 
With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n If the value for \\\"Maximum lifetime for user ticket\\\" is \\\"0\\\" or greater than \\\"10\\\" hours, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Maximum lifetime for user ticket\\\" to a maximum of \\\"10\\\" hours but not \\\"0\\\", which equates to \\\"Ticket doesn't expire\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93447\"\n tag rid: \"SV-103533r1_rule\"\n tag stig_id: \"WN19-DC-000040\"\n tag fix_id: \"F-99691r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe 
security_policy do\n its('MaxTicketAge') { should be_between(1, 10) }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93171.rb", + "ref": "./Windows 2019 STIG/controls/V-93447.rb", "line": 3 }, - "id": "V-93171" + "id": "V-93447" }, { - "title": "Windows Server 2019 computer account password must not be prevented from being reset.", - "desc": "Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. A new password for the computer account will be generated every 30 days.", + "title": "Windows Server 2019 Deny access to this computer from the network user\nright on domain controllers must be configured to prevent unauthenticated\naccess.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "descriptions": { - "default": "Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. 
A new password for the computer account will be generated every 30 days.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Disable machine account password changes\" to \"Disabled\"." + "check": "This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny access\nto this computer from the network\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \"SeDenyNetworkLogonRight\"\nuser right, this is a finding.\n\n S-1-5-32-546 (Guests)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny\naccess to this computer from the network\" to include the following:\n\n - Guests Group" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000379-GPOS-00164", - "gid": "V-93455", - "rid": "SV-103541r1_rule", - "stig_id": "WN19-SO-000090", - "fix_id": "F-99699r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-92999", + "rid": "SV-103087r1_rule", + "stig_id": "WN19-DC-000370", + "fix_id": "F-99245r1_fix", "cci": [ - "CCI-001967" + "CCI-000213" ], "nist": [ - "IA-3 (1)", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93455\" do\n title \"Windows Server 2019 computer account password must not be prevented from being reset.\"\n desc \"Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. 
A new password for the computer account will be generated every 30 days.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: DisablePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Disable machine account password changes\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000379-GPOS-00164\"\n tag gid: \"V-93455\"\n tag rid: \"SV-103541r1_rule\"\n tag stig_id: \"WN19-SO-000090\"\n tag fix_id: \"F-99699r1_fix\"\n tag cci: [\"CCI-001967\"]\n tag nist: [\"IA-3 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'DisablePasswordChange' }\n its('DisablePasswordChange') { should cmp == 0 }\n end\nend", + "code": "control \"V-92999\" do\n title \"Windows Server 2019 Deny access to this computer from the network user\nright on domain controllers must be configured to prevent unauthenticated\naccess.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny access to this computer from the network\\\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny access\nto this computer from the network\\\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \\\"SeDenyNetworkLogonRight\\\"\nuser right, this is a finding.\n\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"\n Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny\naccess to this computer from the network\\\" to include the following:\n\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92999'\n tag 'rid': 'SV-103087r1_rule'\n tag 'stig_id': 'WN19-DC-000370'\n tag 'fix_id': 'F-99245r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should eq 
['S-1-5-32-546'] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93455.rb", + "ref": "./Windows 2019 STIG/controls/V-92999.rb", "line": 3 }, - "id": "V-93455" + "id": "V-92999" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.", + "desc": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at the system level. Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at the system level. 
Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name plugin-container.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for plugin-container.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "This is applicable to unclassified systems, for other systems this is NA. 
The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"ASLR: BottomUp\" is \"OFF\", this is a finding.\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", + "fix": "Ensure Exploit Protection system-level mitigation, \"Randomize memory allocations (Bottom-Up ASLR)\" is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Randomize memory allocations\n (Bottom-Up ASLR)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Bottom-Up ASLR on (other system level EP requirements can be combined under ):\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93353", - "rid": "SV-103441r1_rule", - "stig_id": "WN19-EP-000220", - "fix_id": "F-99599r1_fix", + "gtitle": "SRG-OS-000433-GPOS-00193", + "gid": "V-93565", + "rid": "SV-103651r1_rule", + "stig_id": "WN19-EP-000020", + "fix_id": "F-99809r1_fix", "cci": [ - "CCI-000366" + "CCI-002824" ], "nist": [ - "CM-6 b", + "SI-16", "Rev_4" ] }, - "code": "control \"V-93353\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name plugin-container.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for plugin-container.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n 
EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93353\"\n tag rid: \"SV-103441r1_rule\"\n tag stig_id: \"WN19-EP-000220\"\n tag fix_id: \"F-99599r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n container = json({ command: \"Get-ProcessMitigation -Name plugin-container.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif container.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for plugin-container.exe\" do\n subject { container }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93565\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Randomize memory allocations (Bottom-Up ASLR)\\\", are enabled by default at the system level. Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"ASLR: BottomUp\\\" is \\\"OFF\\\", this is a finding.\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Randomize memory allocations (Bottom-Up ASLR)\\\" is turned on. 
The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Randomize memory allocations\n (Bottom-Up ASLR)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Bottom-Up ASLR on (other system level EP requirements can be combined under ):\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000433-GPOS-00193\"\n tag gid: \"V-93565\"\n tag rid: \"SV-103651r1_rule\"\n tag stig_id: \"WN19-EP-000020\"\n tag fix_id: \"F-99809r1_fix\"\n tag cci: [\"CCI-002824\"]\n tag nist: [\"SI-16\", \"Rev_4\"]\n\n systemaslr = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemaslr.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemaslr).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemaslr }\n its(['Aslr','BottomUp']) { should be_between(0,1) }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93353.rb", + "ref": "./Windows 2019 STIG/controls/V-93565.rb", "line": 3 }, - "id": "V-93353" + "id": "V-93565" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 Profile single process user right must only be\nassigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Profile single process\" user right can monitor\nnon-system processes performance. An attacker could use this to identify\nprocesses to attack.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Profile single process\" user right can monitor\nnon-system processes performance. 
An attacker could use this to identify\nprocesses to attack.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name [application name]\" with each of the following substituted for [application name]:\n java.exe, javaw.exe, and javaws.exe\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\" for each, this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for java.exe, javaw.exe, and javaws.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\"Profile single process\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeProfileSingleProcessPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Profile\nsingle process\" to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93339", - "rid": "SV-103427r1_rule", - "stig_id": "WN19-EP-000150", - "fix_id": "F-99585r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93083", + "rid": "SV-103171r1_rule", + "stig_id": "WN19-UR-000200", + "fix_id": "F-99329r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93339\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name [application name]\\\" with each of the following substituted for [application name]:\n java.exe, javaw.exe, and javaws.exe\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\" for each, this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for java.exe, javaw.exe, and javaws.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93339\"\n tag rid: \"SV-103427r1_rule\"\n tag stig_id: \"WN19-EP-000150\"\n tag fix_id: \"F-99585r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n java = json({ command: \"Get-ProcessMitigation -Name java.exe | ConvertTo-Json\" }).params\n javaw = json({ command: \"Get-ProcessMitigation -Name javaw.exe | ConvertTo-Json\" }).params\n javaws = json({ command: \"Get-ProcessMitigation -Name javaws.exe | ConvertTo-Json\" }).params\n\n apps = [ java, javaw, javaws ]\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n if java.empty? && javaw.empty? && javaws.empty?\n impact 0.0\n describe 'The referenced applications are not installed on the system, this is NA.' do\n skip 'The referenced applications are not installed on the system, this is NA.'\n end\n else\n apps.each do |app|\n next if app.empty?\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for java.exe\" do\n subject { app }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\n end\n end\nend", + "code": "control \"V-93083\" do\n title \"Windows Server 2019 Profile single process user right must only be\nassigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Profile 
single process\\\" user right can monitor\nnon-system processes performance. An attacker could use this to identify\nprocesses to attack.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\\\"Profile single process\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeProfileSingleProcessPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Profile\nsingle process\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93083'\n tag 'rid': 'SV-103171r1_rule'\n tag 'stig_id': 'WN19-UR-000200'\n tag 'fix_id': 'F-99329r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeProfileSingleProcessPrivilege') { should eq 
['S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93339.rb", + "ref": "./Windows 2019 STIG/controls/V-93083.rb", "line": 3 }, - "id": "V-93339" + "id": "V-93083" }, { - "title": "Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.", - "desc": "Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.", + "title": "Windows Server 2019 must use an anti-virus program.", + "desc": "Malicious software can establish a base on individual desktops and\nservers. Employing an automated mechanism to detect this type of software will\naid in elimination of the software from the operating system.", "descriptions": { - "default": "Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.", + "default": "Malicious software can establish a base on individual desktops and\nservers. Employing an automated mechanism to detect this type of software will\naid in elimination of the software from the operating system.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title options below\n\n \"DoD Notice and Consent Banner\", \"US Department of Defense Warning Statement\", or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150.\n\n Automated tools may only search for the titles defined above. 
If an organization-defined title is used, a manual review will be required.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Interactive Logon: Message title for users attempting to log on\" to \"DoD Notice and Consent Banner\", \"US Department of Defense Warning Statement\", or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN19-SO-000150." + "check": "Verify an anti-virus solution is installed on the system. The anti-virus\nsolution may be bundled with an approved host-based security solution.\n\n If there is no anti-virus solution installed on the system, this is a\nfinding.", + "fix": "Install an anti-virus solution on the system." }, - "impact": 0.3, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000228-GPOS-00088" - ], - "gid": "V-93149", - "rid": "SV-103237r1_rule", - "stig_id": "WN19-SO-000140", - "fix_id": "F-99395r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93217", + "rid": "SV-103305r1_rule", + "stig_id": "WN19-00-000110", + "fix_id": "F-99463r1_fix", "cci": [ - "CCI-000048", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-000366" ], "nist": [ - "AC-8 a", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 3", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93149\" do\n title \"Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.\"\n desc \"Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as specified, this is a 
finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeCaption\n\n Value Type: REG_SZ\n Value: See message title options below\n\n \\\"#{input('LegalNoticeCaption').join(\"\\\", \\\"\")}\\\", or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150.\n\n Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Interactive Logon: Message title for users attempting to log on\\\" to \\\"#{input('LegalNoticeCaption').join(\"\\\", \\\"\")}\\\", or an organization-defined equivalent.\n\n If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN19-SO-000150.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000023-GPOS-00006'\n tag 'satisfies': [\"SRG-OS-000023-GPOS-00006\", \"SRG-OS-000228-GPOS-00088\"]\n tag 'gid': 'V-93149'\n tag 'rid': 'SV-103237r1_rule'\n tag 'stig_id': 'WN19-SO-000140'\n tag 'fix_id': 'F-99395r1_fix'\n tag 'cci': [\"CCI-000048\", \"CCI-001384\", \"CCI-001385\", \"CCI-001386\", \"CCI-001387\", \"CCI-001388\"]\n tag 'nist': [\"AC-8 a\", \"AC-8 c 1\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 3\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LegalNoticeCaption' }\n its('LegalNoticeCaption') { should be_in input('LegalNoticeCaption') }\n end\nend", + "code": "control \"V-93217\" do\n title \"Windows Server 2019 must use an anti-virus program.\"\n desc \"Malicious software 
can establish a base on individual desktops and\nservers. Employing an automated mechanism to detect this type of software will\naid in elimination of the software from the operating system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify an anti-virus solution is installed on the system. The anti-virus\nsolution may be bundled with an approved host-based security solution.\n\n If there is no anti-virus solution installed on the system, this is a\nfinding.\"\n desc 'fix', \"Install an anti-virus solution on the system.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93217'\n tag 'rid': 'SV-103305r1_rule'\n tag 'stig_id': 'WN19-00-000110'\n tag 'fix_id': 'F-99463r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe windows_feature('Windows-Defender') do\n it { should be_installed }\n end\n describe registry_key('HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\CurrentVersion') do\n it { should exist }\n end\n describe registry_key('HKLM\\SOFTWARE\\McAfee/DesktopProtection\\szProductVer') do\n it { should exist }\n end\n describe registry_key('HKLM\\SOFTWARE\\McAfee\\Endpoint\\AV') do\n it { should exist }\n it { should have_property 'ProductVersion' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93149.rb", + "ref": "./Windows 2019 STIG/controls/V-93217.rb", "line": 3 }, - "id": "V-93149" + "id": "V-93217" }, { - "title": "Windows Server 2019 must be configured to audit System - IPsec Driver\nsuccesses.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.", + "title": "Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.", + "desc": "This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.", + "default": "This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. 
Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit IPsec Driver\" with \"Success\"\nselected." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fPromptForPassword\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> \"Always prompt for password upon connection\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000373-GPOS-00157", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" ], - "gid": "V-93105", - "rid": "SV-103193r1_rule", - "stig_id": "WN19-AU-000320", - "fix_id": "F-99351r1_fix", + "gid": "V-93427", + "rid": "SV-103513r1_rule", + "stig_id": "WN19-CC-000360", + "fix_id": "F-99671r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002038" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "IA-11", "Rev_4" ] }, - "code": "control \"V-93105\" do\n title \"Windows Server 2019 must be configured to audit System - IPsec Driver\nsuccesses.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit IPsec Driver\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93105'\n tag 'rid': 'SV-103193r1_rule'\n tag 'stig_id': 'WN19-AU-000320'\n tag 'fix_id': 'F-99351r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93427\" do\n title \"Windows Server 2019 
Remote Desktop Services must always prompt a client for passwords upon connection.\"\n desc \"This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fPromptForPassword\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> \\\"Always prompt for password upon connection\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93427\"\n tag rid: \"SV-103513r1_rule\"\n tag stig_id: \"WN19-CC-000360\"\n tag fix_id: \"F-99671r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fPromptForPassword' }\n its('fPromptForPassword') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93105.rb", + "ref": "./Windows 2019 STIG/controls/V-93427.rb", "line": 3 }, - "id": "V-93105" + "id": "V-93427" }, { - "title": "Windows Server 2019 Event Viewer must be protected from unauthorized\nmodification and deletion.", - "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools\nand the corresponding rights the user enjoys in order to make access decisions\nregarding the modification or deletion of audit tools.", + "title": "Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on.", + "desc": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate heap integrity\", are enabled by default at the system level. \"Validate heap integrity\" terminates a process when heap corruption is detected. If this is turned off, Windows may be subject to various exploits.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools\nand the corresponding rights the user enjoys in order to make access decisions\nregarding the modification or deletion of audit tools.", + "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate heap integrity\", are enabled by default at the system level. \"Validate heap integrity\" terminates a process when heap corruption is detected. 
If this is turned off, Windows may be subject to various exploits.", "rationale": "", - "check": "Navigate to \"%SystemRoot%\\System32\".\n\n View the permissions on \"Eventvwr.exe\".\n\n If any groups or accounts other than TrustedInstaller have \"Full control\"\nor \"Modify\" permissions, this is a finding.\n\n The default permissions below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\nAPPLICATION PACKAGES - Read & Execute", - "fix": "Configure the permissions on the \"Eventvwr.exe\" file to prevent\nmodification by any groups or accounts other than TrustedInstaller. The default\npermissions listed below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\nAPPLICATION PACKAGES - Read & Execute\n\n The default location is the \"%SystemRoot%\\System32\" folder." + "check": "This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"Heap: TerminateOnError\" is \"OFF\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)", + "fix": "Ensure Exploit Protection system-level mitigation, \"Validate heap integrity\" is turned on. 
The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Validate heap integrity\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Validate heap integrity on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000257-GPOS-00098", - "satisfies": [ - "SRG-OS-000257-GPOS-00098", - "SRG-OS-000258-GPOS-00099" - ], - "gid": "V-93195", - "rid": "SV-103283r1_rule", - "stig_id": "WN19-AU-000060", - "fix_id": "F-99441r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93319", + "rid": "SV-103407r1_rule", + "stig_id": "WN19-EP-000050", + "fix_id": "F-99565r1_fix", "cci": [ - "CCI-001494", - "CCI-001495" + "CCI-000366" ], "nist": [ - "AU-9", - "AU-9", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93195\" do\n title \"Windows Server 2019 Event Viewer must be protected from unauthorized\nmodification and deletion.\"\n desc \"Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n Operating systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools\nand the corresponding rights the user enjoys in order to make access decisions\nregarding the modification or deletion of audit tools.\"\n desc \"rationale\", \"\"\n desc 'check', \"Navigate to \\\"%SystemRoot%\\\\System32\\\".\n\n View the permissions on \\\"Eventvwr.exe\\\".\n\n If any groups or accounts other than TrustedInstaller have \\\"Full control\\\"\nor \\\"Modify\\\" permissions, this is a finding.\n\n The default permissions below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\nAPPLICATION PACKAGES - Read & Execute\"\n desc 'fix', \"Configure the permissions on the \\\"Eventvwr.exe\\\" file to prevent\nmodification by any groups or accounts other than TrustedInstaller. 
The default\npermissions listed below satisfy this requirement:\n\n TrustedInstaller - Full Control\n Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED\nAPPLICATION PACKAGES - Read & Execute\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\" folder.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000257-GPOS-00098'\n tag 'satisfies': [\"SRG-OS-000257-GPOS-00098\", \"SRG-OS-000258-GPOS-00099\"]\n tag 'gid': 'V-93195'\n tag 'rid': 'SV-103283r1_rule'\n tag 'stig_id': 'WN19-AU-000060'\n tag 'fix_id': 'F-99441r1_fix'\n tag 'cci': [\"CCI-001494\", \"CCI-001495\"]\n tag 'nist': [\"AU-9\", \"AU-9\", \"Rev_4\"]\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n\n systemroot = system_root.strip\n\n eventvwr = <<-EOH\n $output = (Get-Acl -Path #{systemroot}\\\\SYSTEM32\\\\Eventvwr.exe).AccessToString\n write-output $output\n EOH\n\n # raw powershell output\n raw_eventvwr = powershell(eventvwr).stdout.strip\n\n # clean results cleans up the extra line breaks\n clean_eventvwr = raw_eventvwr.lines.collect(&:strip)\n\n describe 'Verify the default registry permissions for the keys note below of the C:\\Windows\\System32\\Eventvwr.exe' do\n subject { clean_eventvwr }\n it { should cmp input('eventvwr_perms') }\n end\nend\n", + "code": "control \"V-93319\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Validate heap integrity\\\", are enabled by default at the system level. \\\"Validate heap integrity\\\" terminates a process when heap corruption is detected. 
If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement. The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"Heap: TerminateOnError\\\" is \\\"OFF\\\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Validate heap integrity\\\" is turned on. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Validate heap integrity\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Validate heap integrity on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93319\"\n tag rid: \"SV-103407r1_rule\"\n tag stig_id: \"WN19-EP-000050\"\n tag fix_id: \"F-99565r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n systemheap = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemheap.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemheap).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemheap }\n its(['Heap','TerminateOnError']) { should be_between(0,1) }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93195.rb", + "ref": "./Windows 2019 STIG/controls/V-93319.rb", "line": 3 }, - "id": "V-93195" + "id": "V-93319" }, { - "title": "Windows Server 2019 must prevent attachments from being downloaded\nfrom RSS feeds.", - "desc": "Attachments from RSS feeds may not be secure. This setting will\nprevent attachments from being downloaded from RSS feeds.", + "title": "Windows Server 2019 AutoPlay must be disabled for all drives.", + "desc": "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables AutoPlay on all drives.", "descriptions": { - "default": "Attachments from RSS feeds may not be secure. This setting will\nprevent attachments from being downloaded from RSS feeds.", + "default": "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Enabling this policy disables AutoPlay on all drives.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: DisableEnclosureDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> RSS Feeds >> \"Prevent\ndownloading of enclosures\" to \"Enabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\\n\n Value Name: NoDriveTypeAutoRun\n\n Type: REG_DWORD\n Value: 0x000000ff (255)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Turn off AutoPlay\" to \"Enabled\" with \"All Drives\" selected." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93265", - "rid": "SV-103353r1_rule", - "stig_id": "WN19-CC-000390", - "fix_id": "F-99511r1_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-93377", + "rid": "SV-103463r1_rule", + "stig_id": "WN19-CC-000230", + "fix_id": "F-99621r1_fix", "cci": [ - "CCI-000366" + "CCI-001764" ], "nist": [ - "CM-6 b", + "CM-7 (2)", "Rev_4" ] }, - "code": "control \"V-93265\" do\n title \"Windows Server 2019 must prevent attachments from being downloaded\nfrom RSS feeds.\"\n desc \"Attachments from RSS feeds may not be secure. This setting will\nprevent attachments from being downloaded from RSS feeds.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: DisableEnclosureDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> RSS Feeds >> \\\"Prevent\ndownloading of enclosures\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93265'\n tag 'rid': 'SV-103353r1_rule'\n tag 'stig_id': 'WN19-CC-000390'\n tag 'fix_id': 'F-99511r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should have_property 'DisableEnclosureDownload' }\n its('DisableEnclosureDownload') { should cmp 1 }\n end\nend\n", + "code": "control \"V-93377\" do\n title \"Windows Server 2019 AutoPlay must be disabled for all drives.\"\n desc \"Allowing AutoPlay to execute may introduce malicious code to a system. 
AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Enabling this policy disables AutoPlay on all drives.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\policies\\\\Explorer\\\\\n\n Value Name: NoDriveTypeAutoRun\n\n Type: REG_DWORD\n Value: 0x000000ff (255)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Turn off AutoPlay\\\" to \\\"Enabled\\\" with \\\"All Drives\\\" selected.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000368-GPOS-00154\"\n tag gid: \"V-93377\"\n tag rid: \"SV-103463r1_rule\"\n tag stig_id: \"WN19-CC-000230\"\n tag fix_id: \"F-99621r1_fix\"\n tag cci: [\"CCI-001764\"]\n tag nist: [\"CM-7 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n it { should have_property 'NoDriveTypeAutoRun' }\n its('NoDriveTypeAutoRun') { should cmp == 255 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93265.rb", + "ref": "./Windows 2019 STIG/controls/V-93377.rb", "line": 3 }, - "id": "V-93265" + "id": "V-93377" }, { - "title": "Windows Server 2019 Create a pagefile user right must only be assigned\nto the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create a pagefile\" user right can change the size of a\npagefile, which could affect system performance.", + 
"title": "Windows Server 2019 maximum password age must be configured to 60 days or less.", + "desc": "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create a pagefile\" user right can change the size of a\npagefile, which could affect system performance.", + "default": "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Create\na pagefile\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeCreatePagefilePrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Create a\npagefile\" to include only the following accounts or groups:\n\n - Administrators" + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> 
Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \"Maximum password age\" is greater than \"60\" days, this is a finding.\n If the value is set to \"0\" (never expires), this is a finding.\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"MaximumPasswordAge\" is greater than \"60\" or equal to \"0\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Maximum password age\" to \"60\" days or less (excluding \"0\", which is unacceptable)." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93055", - "rid": "SV-103143r1_rule", - "stig_id": "WN19-UR-000050", - "fix_id": "F-99301r1_fix", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": "V-93477", + "rid": "SV-103563r1_rule", + "stig_id": "WN19-AC-000050", + "fix_id": "F-99721r1_fix", "cci": [ - "CCI-002235" + "CCI-000199" ], "nist": [ - "AC-6 (10)", + "IA-5 (1) (d)", "Rev_4" ] }, - "code": "control \"V-93055\" do\n title \"Windows Server 2019 Create a pagefile user right must only be assigned\nto the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Create a pagefile\\\" user right can change the size of a\npagefile, which could affect system performance.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Create\na pagefile\\\" user right, this is a 
finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeCreatePagefilePrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Create a\npagefile\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93055'\n tag 'rid': 'SV-103143r1_rule'\n tag 'stig_id': 'WN19-UR-000050'\n tag 'fix_id': 'F-99301r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeCreatePagefilePrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control \"V-93477\" do\n title \"Windows Server 2019 maximum password age must be configured to 60 days or less.\"\n desc \"The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. 
Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \\\"Maximum password age\\\" is greater than \\\"60\\\" days, this is a finding.\n If the value is set to \\\"0\\\" (never expires), this is a finding.\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"MaximumPasswordAge\\\" is greater than \\\"60\\\" or equal to \\\"0\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Maximum password age\\\" to \\\"60\\\" days or less (excluding \\\"0\\\", which is unacceptable).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000076-GPOS-00044\"\n tag gid: \"V-93477\"\n tag rid: \"SV-103563r1_rule\"\n tag stig_id: \"WN19-AC-000050\"\n tag fix_id: \"F-99721r1_fix\"\n tag cci: [\"CCI-000199\"]\n tag nist: [\"IA-5 (1) (d)\", \"Rev_4\"]\n\n describe security_policy do\n its('MaximumPasswordAge') { should be_between(1,input('maximum_password_age')) }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93055.rb", + "ref": "./Windows 2019 STIG/controls/V-93477.rb", "line": 3 }, - "id": "V-93055" + "id": "V-93477" }, { - "title": "Windows Server 2019 must have the number of allowed bad logon attempts\nconfigured to 3 or less.", - "desc": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. The higher this value is, the less effective\nthe account lockout feature will be in protecting the local system. 
The number\nof bad logon attempts must be reasonably small to minimize the possibility of a\nsuccessful password attack while allowing for honest errors made during normal\nuser logon.", + "title": "Windows Server 2019 Enable computer and user accounts to be trusted\nfor delegation user right must not be assigned to any groups or accounts on\ndomain-joined member servers and standalone systems.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\nright allows the \"Trusted for Delegation\" setting to be changed. This could\nallow unauthorized users to impersonate other users.", "descriptions": { - "default": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. The higher this value is, the less effective\nthe account lockout feature will be in protecting the local system. The number\nof bad logon attempts must be reasonably small to minimize the possibility of a\nsuccessful password attack while allowing for honest errors made during normal\nuser logon.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\nright allows the \"Trusted for Delegation\" setting to be changed. 
This could\nallow unauthorized users to impersonate other users.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Account lockout threshold\" is \"0\" or more than \"3\" attempts,\nthis is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n\n If \"LockoutBadCount\" equals \"0\" or is greater than \"3\" in the file,\nthis is a finding.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Account Policies >> Account Lockout\nPolicy >> \"Account lockout threshold\" to \"3\" or fewer invalid logon\nattempts (excluding \"0\", which is unacceptable)." + "check": "This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Enable computer and user\naccounts to be trusted for delegation\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeEnableDelegationPrivilege\" user right,\nthis is a finding.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Enable computer and user accounts to be trusted for\ndelegation\" to be defined but containing no entries (blank)." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000021-GPOS-00005", - "gid": "V-93141", - "rid": "SV-103229r1_rule", - "stig_id": "WN19-AC-000020", - "fix_id": "F-99387r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93047", + "rid": "SV-103135r1_rule", + "stig_id": "WN19-MS-000130", + "fix_id": "F-99293r1_fix", "cci": [ - "CCI-000044" + "CCI-002235" ], "nist": [ - "AC-7 a", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93141\" do\n title \"Windows Server 2019 must have the number of allowed bad logon attempts\nconfigured to #{input('max_pass_lockout')} or less.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. The higher this value is, the less effective\nthe account lockout feature will be in protecting the local system. The number\nof bad logon attempts must be reasonably small to minimize the possibility of a\nsuccessful password attack while allowing for honest errors made during normal\nuser logon.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Account lockout threshold\\\" is \\\"0\\\" or more than \\\"#{input('max_pass_lockout')}\\\" attempts,\nthis is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n\n If \\\"LockoutBadCount\\\" equals \\\"0\\\" or is greater than \\\"#{input('max_pass_lockout')}\\\" in the file,\nthis is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Account Policies >> Account Lockout\nPolicy >> \\\"Account lockout threshold\\\" to \\\"#{input('max_pass_lockout')}\\\" or fewer invalid logon\nattempts 
(excluding \\\"0\\\", which is unacceptable).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000021-GPOS-00005'\n tag 'gid': 'V-93141'\n tag 'rid': 'SV-103229r1_rule'\n tag 'stig_id': 'WN19-AC-000020'\n tag 'fix_id': 'F-99387r1_fix'\n tag 'cci': [\"CCI-000044\"]\n tag 'nist': [\"AC-7 a\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('LockoutBadCount') { should be <= input('max_pass_lockout') }\n end\n describe security_policy do\n its('LockoutBadCount') { should be > 0 }\n end\n end\nend\n", + "code": "control \"V-93047\" do\n title \"Windows Server 2019 Enable computer and user accounts to be trusted\nfor delegation user right must not be assigned to any groups or accounts on\ndomain-joined member servers and standalone systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Enable computer and user accounts to be trusted for delegation\\\" user\nright allows the \\\"Trusted for Delegation\\\" setting to be changed. This could\nallow unauthorized users to impersonate other users.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Enable computer and user\naccounts to be trusted for delegation\\\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeEnableDelegationPrivilege\\\" user right,\nthis is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Enable computer and user accounts to be trusted for\ndelegation\\\" to be defined but containing no entries (blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93047'\n tag 'rid': 'SV-103135r1_rule'\n tag 'stig_id': 'WN19-MS-000130'\n tag 'fix_id': 'F-99293r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies 
to member servers' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers'\n end\n else\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93141.rb", + "ref": "./Windows 2019 STIG/controls/V-93047.rb", "line": 3 }, - "id": "V-93141" + "id": "V-93047" }, { - "title": "Windows Server 2019 must be configured to audit Account Logon -\nCredential Validation successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.", + "title": "Windows Server 2019 permissions for the Security event log must\nprevent access by non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSecurity event log may disclose sensitive information or be susceptible to\ntampering if proper permissions are not applied.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSecurity event log may disclose sensitive information or be susceptible to\ntampering if proper permissions are not applied.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Logon >> \"Audit Credential Validation\" with\n\"Success\" selected." + "check": "Navigate to the Security event log file.\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\"\nfolder. 
However, the logs may have been moved to another folder.\n\n If the permissions for the \"Security.evtx\" file are not as restrictive as\nthe default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", + "fix": "Configure the permissions on the Security event log file (Security.evtx) to\nprevent access by non-privileged accounts. The default permissions listed below\nsatisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \"NT Service\\Eventlog\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000470-GPOS-00214", - "gid": "V-93153", - "rid": "SV-103241r1_rule", - "stig_id": "WN19-AU-000070", - "fix_id": "F-99399r1_fix", + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-93191", + "rid": "SV-103279r1_rule", + "stig_id": "WN19-AU-000040", + "fix_id": "F-99437r1_fix", "cci": [ - "CCI-000172" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "AU-12 c", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ] }, - "code": "control \"V-93153\" do\n title \"Windows Server 2019 must be configured to audit Account Logon -\nCredential Validation successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93153'\n tag 'rid': 'SV-103241r1_rule'\n tag 'stig_id': 'WN19-AU-000070'\n tag 'fix_id': 'F-99399r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Success' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93191\" do\n title \"Windows Server 2019 permissions for the Security event log must\nprevent access by non-privileged accounts.\"\n desc 
\"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSecurity event log may disclose sensitive information or be susceptible to\ntampering if proper permissions are not applied.\"\n desc \"rationale\", \"\"\n desc 'check', \"Navigate to the Security event log file.\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\"\nfolder. However, the logs may have been moved to another folder.\n\n If the permissions for the \\\"Security.evtx\\\" file are not as restrictive as\nthe default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc 'fix', \"Configure the permissions on the Security event log file (Security.evtx) to\nprevent access by non-privileged accounts. 
The default permissions listed below\nsatisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000057-GPOS-00027'\n tag 'satisfies': [\"SRG-OS-000057-GPOS-00027\", \"SRG-OS-000058-GPOS-00028\",\n\"SRG-OS-000059-GPOS-00029\"]\n tag 'gid': 'V-93191'\n tag 'rid': 'SV-103279r1_rule'\n tag 'stig_id': 'WN19-AU-000040'\n tag 'fix_id': 'F-99437r1_fix'\n tag 'cci': [\"CCI-000162\", \"CCI-000163\", \"CCI-000164\"]\n tag 'nist': [\"AU-9\", \"AU-9\", \"AU-9\", \"Rev_4\"]\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n\n systemroot = system_root.strip\n\n winevt_logs_security = <<-EOH\n $output = (Get-Acl -Path #{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Security.evtx).AccessToString\n write-output $output\n EOH\n\n # raw powershell output\n raw_logs_security = powershell(winevt_logs_security).stdout.strip\n\n # clean results cleans up the extra line breaks\n clean_logs_security = raw_logs_security.lines.collect(&:strip)\n\n describe 'Verify the default registry permissions for the keys note below of the C:\\Windows\\System32\\WINEVT\\LOGS\\Security.evtx' do\n subject { clean_logs_security }\n it { should cmp input('winevt_logs_security_perms') }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93153.rb", + "ref": "./Windows 2019 STIG/controls/V-93191.rb", "line": 3 }, - "id": "V-93153" + "id": "V-93191" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against 
potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 outdated or unused accounts must be removed or disabled.", + "desc": "Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name POWERPNT.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for POWERPNT.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: 
ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "Open \"Windows PowerShell\".\n\n Domain Controllers:\n Enter \"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00\"\n This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate.\n\n Member servers and standalone systems:\n Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. 
Do not include the quotes at the beginning and end of the query.)\n \"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\"\n This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n Review the list of accounts returned by the above queries to determine the finding validity for each account reported.\n\n Exclude the following accounts:\n - Built-in administrator account (Renamed, SID ending in 500)\n - Built-in guest account (Renamed, Disabled, SID ending in 501)\n - Application accounts\n\n If any enabled accounts have not been logged on to within the past 35 days, this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.", + "fix": "Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93355", - "rid": "SV-103443r1_rule", - "stig_id": "WN19-EP-000230", - "fix_id": "F-99601r1_fix", + "gtitle": "SRG-OS-000118-GPOS-00060", + "gid": "V-93457", + "rid": "SV-103543r1_rule", + "stig_id": "WN19-00-000190", + "fix_id": "F-99701r1_fix", "cci": [ - "CCI-000366" + "CCI-000795" ], "nist": [ - "CM-6 b", + "IA-4 e", "Rev_4" ] }, - "code": "control \"V-93355\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name POWERPNT.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for POWERPNT.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n 
EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93355\"\n tag rid: \"SV-103443r1_rule\"\n tag stig_id: \"WN19-EP-000230\"\n tag fix_id: \"F-99601r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n powerpnt = json({ command: \"Get-ProcessMitigation -Name POWERPNT.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif powerpnt.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for POWERPNT.EXE\" do\n subject { powerpnt }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control 'V-93457' do\n title 'Windows Server 2019 outdated or unused accounts must be removed or disabled.'\n desc 'Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.'\n desc 'rationale', ''\n desc 'check', \"Open \\\"Windows PowerShell\\\".\n\n Domain Controllers:\n Enter \\\"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan #{input('unused_account_age')}.00:00:00\\\"\n This will return accounts that have not been logged on to for #{input('unused_account_age')} days, along with various attributes such as the Enabled status and LastLogonDate.\n\n Member servers and standalone systems:\n Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. 
Do not include the quotes at the beginning and end of the query.)\n \\\"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach {\n $user = ([ADSI]$_.Path)\n $lastLogin = $user.Properties.LastLogin.Value\n $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2\n if ($lastLogin -eq $null) {\n $lastLogin = 'Never'\n }\n Write-Host $user.Name $lastLogin $enabled\n }\\\"\n This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).\n For example: User1 10/31/2015 5:49:56 AM True\n Review the list of accounts returned by the above queries to determine the finding validity for each account reported.\n\n Exclude the following accounts:\n - Built-in administrator account (Renamed, SID ending in 500)\n - Built-in guest account (Renamed, Disabled, SID ending in 501)\n - Application accounts\n\n If any enabled accounts have not been logged on to within the past #{input('unused_account_age')} days, this is a finding.\n\n Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.\"\n desc 'fix', \"Regularly review accounts to determine if they are still active. 
Remove or disable accounts that have not been used in the last #{input('unused_account_age')} days.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 'SRG-OS-000118-GPOS-00060'\n tag gid: 'V-93457'\n tag rid: 'SV-103543r1_rule'\n tag stig_id: 'WN19-00-000190'\n tag fix_id: 'F-99701r1_fix'\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e', 'Rev_4']\n \n \n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n age = input('unused_account_age')\n untracked_accounts = []\n\n if domain_role == '4' || domain_role == '5'\n\n excluded_accounts_domain_check = json(command: 'Get-ADUser -Filter * | Where {($_.SID -like \"*-500\") -or ($_.SID -like \"*-501\")} | Select Name | ConvertTo-Json').params\n excluded_accounts_domain = []\n excluded_accounts_domain_check.each { |account| excluded_accounts_domain << account[\"Name\"] }\n\n ad_accounts = json({ command: \"Search-ADAccount -AccountInactive -UsersOnly -Timespan #{age}.00:00:00 | Where -Property Enabled -eq $True | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n unless ad_accounts.empty?\n case ad_accounts\n when String\n (ad_account = []) << ad_accounts\n untracked_accounts = ad_account - input('application_accounts_domain') - excluded_accounts_domain\n when Array\n untracked_accounts = ad_accounts - input('application_accounts_domain') - excluded_accounts_domain\n end\n end\n\n describe 'AD Accounts' do\n it \"AD should not have any Accounts that are Inactive over #{age} days\" do\n failure_message = \"User(s) that have not logged into system in #{age} days #{untracked_accounts}\"\n expect(untracked_accounts).to be_empty, failure_message\n end\n end\n\n else\n\n excluded_accounts_local_check = json(command: 'Get-LocalUser | Where {($_.SID -like \"*-500\") -or ($_.SID -like \"*-501\")} | Select Name | ConvertTo-Json').params\n excluded_accounts_local = []\n excluded_accounts_local_check.each do |account|\n excluded_accounts_local << account[\"Name\"]\n end\n\n 
local_accounts = json({ command: \"Get-LocalUser | Where-Object {$_.Enabled -eq 'True' -and $_.Lastlogon -le (Get-Date).AddDays(-#{age}) } | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n\n unless local_accounts.empty?\n case local_accounts\n when String\n (local_account = []) << local_accounts\n untracked_accounts = local_account - input('application_accounts_local') - excluded_accounts_local\n when Array\n untracked_accounts = local_accounts - input('application_accounts_local') - excluded_accounts_local\n end\n end\n\n describe 'Inactive account or accounts exists' do\n it 'Server should not have inactive accounts' do\n failure_message = \"User(s) that have not logged into system in #{age} days: #{local_accounts}\"\n expect(local_accounts).to be_empty, failure_message\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93355.rb", + "ref": "./Windows 2019 STIG/controls/V-93457.rb", "line": 3 }, - "id": "V-93355" + "id": "V-93457" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 Application event log size must be configured to\n32768 KB or greater.", + "desc": "Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Inadequate log size will cause the log to fill up quickly. 
This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name OIS.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for OIS.EXE:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)",
+ "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >>\nApplication >> \"Specify the maximum log file size (KB)\" to \"Enabled\" with a\n\"Maximum Log Size (KB)\" of \"32768\" or greater."
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93347",
- "rid": "SV-103435r1_rule",
- "stig_id": "WN19-EP-000190",
- "fix_id": "F-99593r1_fix",
+ "gtitle": "SRG-OS-000341-GPOS-00132",
+ "gid": "V-93177",
+ "rid": "SV-103265r1_rule",
+ "stig_id": "WN19-CC-000270",
+ "fix_id": "F-99423r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001849"
 ],
 "nist": [
- "CM-6 b",
+ "AU-4",
 "Rev_4"
 ]
 },
- "code": "control \"V-93347\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name OIS.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for OIS.EXE:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93347\"\n tag rid: \"SV-103435r1_rule\"\n tag stig_id: \"WN19-EP-000190\"\n tag fix_id: \"F-99593r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n ois = json({ command: \"Get-ProcessMitigation -Name OIS.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif ois.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for OIS.EXE\" do\n subject { ois }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93177\" do\n title \"Windows Server 2019 Application event log size must be configured to\n32768 KB or greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. 
This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Application\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >>\nApplication >> \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a\n\\\"Maximum Log Size (KB)\\\" of \\\"32768\\\" or greater.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000341-GPOS-00132'\n tag 'gid': 'V-93177'\n tag 'rid': 'SV-103265r1_rule'\n tag 'stig_id': 'WN19-CC-000270'\n tag 'fix_id': 'F-99423r1_fix'\n tag 'cci': [\"CCI-001849\"]\n tag 'nist': [\"AU-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should cmp >= 32768 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93347.rb", + "ref": "./Windows 2019 STIG/controls/V-93177.rb", "line": 3 }, - "id": "V-93347" + "id": "V-93177" }, { - "title": "Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.", - "desc": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.",
+ "title": "Windows Server 2019 source routing must be configured to the highest\nprotection level to prevent Internet Protocol (IP) source routing.",
+ "desc": "Configuring the system to disable IP source routing protects against\nspoofing.",
 "descriptions": {
- "default": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.",
+ "default": "Configuring the system to disable IP source routing protects against\nspoofing.",
 "rationale": "",
- "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)",
- "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft network server: Digitally sign communications (if client agrees)\" to \"Enabled\"." 
+ "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)",
+ "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \"MSS: (DisableIPSourceRouting) IP source routing\nprotection level (protects against packet spoofing)\" to \"Enabled\" with\n\"Highest protection, source routing is completely disabled\" selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \"MSS-Legacy.admx\" and\n\"MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and\n\\Windows\\PolicyDefinitions\\en-US directories respectively."
 },
- "impact": 0.5,
+ "impact": 0.3,
 "refs": [],
 "tags": {
- "severity": null,
- "gtitle": "SRG-OS-000423-GPOS-00187",
- "satisfies": [
- "SRG-OS-000423-GPOS-00187",
- "SRG-OS-000424-GPOS-00188"
- ],
- "gid": "V-93561",
- "rid": "SV-103647r1_rule",
- "stig_id": "WN19-SO-000200",
- "fix_id": "F-99805r1_fix",
+ "severity": null,
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-93235",
+ "rid": "SV-103323r1_rule",
+ "stig_id": "WN19-CC-000040",
+ "fix_id": "F-99481r1_fix",
 "cci": [
- "CCI-002418",
- "CCI-002421"
+ "CCI-000366"
 ],
 "nist": [
- "SC-8",
- "SC-8 (1)",
+ "CM-6 b",
 "Rev_4"
 ]
 },
- "code": "control \"V-93561\" do\n title \"Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft network server: Digitally sign communications (if client agrees)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93561\"\n tag rid: \"SV-103647r1_rule\"\n tag stig_id: \"WN19-SO-000200\"\n tag fix_id: \"F-99805r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'EnableSecuritySignature' }\n its('EnableSecuritySignature') { should cmp == 1 }\n end\nend", + "code": "control \"V-93235\" do\n title \"Windows Server 2019 source routing must be configured to the highest\nprotection level to prevent Internet Protocol (IP) source routing.\"\n desc \"Configuring the system to disable IP source routing protects against\nspoofing.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters\\\\\n\n Value Name: DisableIPSourceRouting\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc 
'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> MSS (Legacy) >> \\\"MSS: (DisableIPSourceRouting) IP source routing\nprotection level (protects against packet spoofing)\\\" to \\\"Enabled\\\" with\n\\\"Highest protection, source routing is completely disabled\\\" selected.\n\n This policy setting requires the installation of the MSS-Legacy custom\ntemplates included with the STIG package. \\\"MSS-Legacy.admx\\\" and\n\\\"MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and\n\\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93235'\n tag 'rid': 'SV-103323r1_rule'\n tag 'stig_id': 'WN19-CC-000040'\n tag 'fix_id': 'F-99481r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters') do\n it { should have_property 'DisableIPSourceRouting' }\n its('DisableIPSourceRouting') { should cmp 2}\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93561.rb", + "ref": "./Windows 2019 STIG/controls/V-93235.rb", "line": 3 }, - "id": "V-93561" + "id": "V-93235" }, { - "title": "Windows Server 2019 Access Credential Manager as a trusted caller user\nright must not be assigned to any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Access Credential Manager as a trusted caller\" user\nright may be able to retrieve the credentials of other accounts from Credential\nManager.", + "title": "Windows Server 2019 Impersonate a client after authentication user\nright must only be assigned to Administrators, Service, Local Service, and\nNetwork Service.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other 
high-level capabilities.\n\n The \"Impersonate a client after authentication\" user right allows a\nprogram to impersonate another user or account to run on their behalf. An\nattacker could use this to elevate privileges.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Access Credential Manager as a trusted caller\" user\nright may be able to retrieve the credentials of other accounts from Credential\nManager.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Impersonate a client after authentication\" user right allows a\nprogram to impersonate another user or account to run on their behalf. An\nattacker could use this to elevate privileges.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Access Credential Manager as a\ntrusted caller\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeTrustedCredManAccessPrivilege\" user right,\nthis is a finding.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Access Credential Manager as a trusted caller\" to be defined\nbut containing no entries (blank)." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\"Impersonate a client after authentication\" user right, this is a finding:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeImpersonatePrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n S-1-5-6 (Service)\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >>\n\"Impersonate a client after authentication\" to include only the following\naccounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-93049",
- "rid": "SV-103137r1_rule",
- "stig_id": "WN19-UR-000010",
- "fix_id": "F-99295r1_fix",
+ "gid": "V-93071",
+ "rid": "SV-103159r1_rule",
+ "stig_id": "WN19-UR-000130",
+ "fix_id": "F-99317r1_fix",
 "cci": [
 "CCI-002235"
 ], 
@@ -5532,280 +5582,270 @@ "Rev_4" ] }, - "code": "control \"V-93049\" do\n title \"Windows Server 2019 Access Credential Manager as a trusted caller user\nright must not be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Access Credential Manager as a trusted caller\\\" user\nright may be able to retrieve the credentials of other accounts from Credential\nManager.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Access Credential Manager as a\ntrusted caller\\\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeTrustedCredManAccessPrivilege\\\" user right,\nthis is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Access Credential Manager as a trusted caller\\\" to be defined\nbut containing no entries (blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93049'\n tag 'rid': 'SV-103137r1_rule'\n tag 'stig_id': 'WN19-UR-000010'\n tag 'fix_id': 'F-99295r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg 
c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeTrustedCredManAccessPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control \"V-93071\" do\n title \"Windows Server 2019 Impersonate a client after authentication user\nright must only be assigned to Administrators, Service, Local Service, and\nNetwork Service.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Impersonate a client after authentication\\\" user right allows a\nprogram to impersonate another user or account to run on their behalf. An\nattacker could use this to elevate privileges.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\\\"Impersonate a client after authentication\\\" user right, this is a finding:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeImpersonatePrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n S-1-5-6 (Service)\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must 
meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >>\n\\\"Impersonate a client after authentication\\\" to include only the following\naccounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93071'\n tag 'rid': 'SV-103159r1_rule'\n tag 'stig_id': 'WN19-UR-000130'\n tag 'fix_id': 'F-99317r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeImpersonatePrivilege') { should include \"S-1-5-32-544\" }\n end\n describe security_policy do\n its('SeImpersonatePrivilege') { should include \"S-1-5-6\" }\n end\n describe security_policy do\n its('SeImpersonatePrivilege') { should include \"S-1-5-19\" }\n end\n describe security_policy do\n its('SeImpersonatePrivilege') { should include \"S-1-5-20\" }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93049.rb", + "ref": "./Windows 2019 STIG/controls/V-93071.rb", "line": 3 }, - "id": "V-93049" + "id": "V-93071" }, { - "title": "Windows Server 2019 must have the built-in Windows password complexity policy enabled.", - "desc": "The use of complex passwords increases their strength against 
attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names.", + "title": "Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.", + "desc": "Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in \"Network access: Named Pipes that can be accessed anonymously\" and \"Network access: Shares that can be accessed anonymously\", both of which must be blank under other requirements.", "descriptions": { - "default": "The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names.", + "default": "Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. 
This setting restricts access to those defined in \"Network access: Named Pipes that can be accessed anonymously\" and \"Network access: Shares that can be accessed anonymously\", both of which must be blank under other requirements.",
 "rationale": "",
- "check": "Verify the effective setting in Local Group Policy Editor.\n \n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \"Password must meet complexity requirements\" is not set to \"Enabled\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"PasswordComplexity\" equals \"0\" in the file, this is a finding.\n\n Note: If an external password filter is in use that enforces all four character types and requires this setting to be set to \"Disabled\", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.",
- "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Password must meet complexity requirements\" to \"Enabled\"."
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Restrict anonymous access to Named Pipes and Shares\" to \"Enabled\"." 
 },
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000069-GPOS-00037",
- "satisfies": [
- "SRG-OS-000069-GPOS-00037",
- "SRG-OS-000070-GPOS-00038",
- "SRG-OS-000071-GPOS-00039",
- "SRG-OS-000266-GPOS-00101"
- ],
- "gid": "V-93459",
- "rid": "SV-103545r1_rule",
- "stig_id": "WN19-AC-000080",
- "fix_id": "F-99703r1_fix",
+ "gtitle": "SRG-OS-000138-GPOS-00069",
+ "gid": "V-93539",
+ "rid": "SV-103625r1_rule",
+ "stig_id": "WN19-SO-000250",
+ "fix_id": "F-99783r1_fix",
 "cci": [
- "CCI-000192",
- "CCI-000193",
- "CCI-000194",
- "CCI-001619"
+ "CCI-001090"
 ],
 "nist": [
- "IA-5 (1) (a)",
- "IA-5 (1) (a)",
- "IA-5 (1) (a)",
- "IA-5 (1) (a)",
+ "SC-4",
 "Rev_4"
 ]
 },
- "code": "control \"V-93459\" do\n title \"Windows Server 2019 must have the built-in Windows password complexity policy enabled.\"\n desc \"The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n \n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \\\"Password must meet complexity requirements\\\" is not set to \\\"Enabled\\\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"PasswordComplexity\\\" equals \\\"0\\\" in the file, this is a finding.\n\n Note: If an external password filter is in use that enforces all four character types and requires this setting to be set to \\\"Disabled\\\", this would not be considered a finding. 
If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Password must meet complexity requirements\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000069-GPOS-00037\"\n tag satisfies: [\"SRG-OS-000069-GPOS-00037\", \"SRG-OS-000070-GPOS-00038\", \"SRG-OS-000071-GPOS-00039\", \"SRG-OS-000266-GPOS-00101\"]\n tag gid: \"V-93459\"\n tag rid: \"SV-103545r1_rule\"\n tag stig_id: \"WN19-AC-000080\"\n tag fix_id: \"F-99703r1_fix\"\n tag cci: [\"CCI-000192\", \"CCI-000193\", \"CCI-000194\", \"CCI-001619\"]\n tag nist: [\"IA-5 (1) (a)\", \"IA-5 (1) (a)\", \"IA-5 (1) (a)\", \"IA-5 (1) (a)\", \"Rev_4\"]\n\n describe security_policy do\n its('PasswordComplexity') { should eq input('enable_password_complexity') }\n end\nend", + "code": "control \"V-93539\" do\n title \"Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.\"\n desc \"Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. 
This setting restricts access to those defined in \\\"Network access: Named Pipes that can be accessed anonymously\\\" and \\\"Network access: Shares that can be accessed anonymously\\\", both of which must be blank under other requirements.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Restrict anonymous access to Named Pipes and Shares\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000138-GPOS-00069\"\n tag gid: \"V-93539\"\n tag rid: \"SV-103625r1_rule\"\n tag stig_id: \"WN19-SO-000250\"\n tag fix_id: \"F-99783r1_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters') do\n it { should have_property 'restrictnullsessaccess' }\n its('restrictnullsessaccess') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93459.rb", + "ref": "./Windows 2019 STIG/controls/V-93539.rb", "line": 3 }, - "id": "V-93459" + "id": "V-93539" }, { - "title": "Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.", - "desc": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted.", + "title": "Windows Server 2019 must be configured to audit Account Logon -\nCredential Validation failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.", "descriptions": { - "default": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SealSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Digitally encrypt secure channel data (when possible)\" to \"Enabled\"." + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Logon >> \"Audit Credential Validation\" with\n\"Failure\" selected." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-93549", - "rid": "SV-103635r1_rule", - "stig_id": "WN19-SO-000070", - "fix_id": "F-99793r1_fix", + "gtitle": "SRG-OS-000470-GPOS-00214", + "gid": "V-93155", + "rid": "SV-103243r1_rule", + "stig_id": "WN19-AU-000080", + "fix_id": "F-99401r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000172" ], "nist": [ - "SC-8", - "SC-8 (1)", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93549\" do\n title \"Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SealSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Digitally encrypt secure channel data (when possible)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93549\"\n tag rid: \"SV-103635r1_rule\"\n tag stig_id: \"WN19-SO-000070\"\n tag fix_id: \"F-99793r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'SealSecureChannel' }\n its('SealSecureChannel') { should cmp == 1 }\n end\nend", + "code": "control \"V-93155\" do\n title \"Windows Server 2019 must be configured to audit Account Logon -\nCredential Validation failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 
'gid': 'V-93155'\n tag 'rid': 'SV-103243r1_rule'\n tag 'stig_id': 'WN19-AU-000080'\n tag 'fix_id': 'F-99401r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n end\n\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93549.rb", + "ref": "./Windows 2019 STIG/controls/V-93155.rb", "line": 3 }, - "id": "V-93549" + "id": "V-93155" }, { - "title": "Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.", - "desc": "Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.", + "title": "Windows Server 2019 Active Directory Domain Controllers Organizational\nUnit (OU) object must be configured with proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain Controller OU object. 
Because changes to these objects\ncan significantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "descriptions": { - "default": "Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.", + "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain Controller OU object. Because changes to these objects\ncan significantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\\n\n Value Name: UseMachineId\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Allow Local System to use computer identity for NTLM\" to \"Enabled\"." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain Controller OU object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the \"Domain Controllers OU\" under the domain being reviewed in the\nleft pane.\n\n Right-click the \"Domain Controllers OU\" object and select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the Domain Controllers OU object are not at least\nas inclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object and all descendant objects\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects", + "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the \"Domain Controllers OU\" under the domain being reviewed in the\nleft pane.\n\n Right-click the \"Domain Controllers OU\" object and select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for Domain Controllers OU object to include\nthe following:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93295", - "rid": "SV-103383r1_rule", - "stig_id": "WN19-SO-000260", - "fix_id": "F-99541r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-93127", + "rid": "SV-103215r1_rule", + "stig_id": "WN19-DC-000200", + "fix_id": "F-99373r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93295\" do\n title \"Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.\"\n desc \"Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: 
\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\\n\n Value Name: UseMachineId\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Allow Local System to use computer identity for NTLM\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93295\"\n tag rid: \"SV-103383r1_rule\"\n tag stig_id: \"WN19-SO-000260\"\n tag fix_id: \"F-99541r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'UseMachineId' }\n its('UseMachineId') { should cmp == 1 }\n end\nend", + "code": "control \"V-93127\" do\n title \"Windows Server 2019 Active Directory Domain Controllers Organizational\nUnit (OU) object must be configured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain Controller OU object. 
Because changes to these objects\ncan significantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain Controller OU object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the \\\"Domain Controllers OU\\\" under the domain being reviewed in the\nleft pane.\n\n Right-click the \\\"Domain Controllers OU\\\" object and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the Domain Controllers OU object are not at least\nas inclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object and all descendant objects\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n desc 'fix', \"\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the \\\"Domain Controllers OU\\\" under the domain being reviewed in the\nleft pane.\n\n Right-click the \\\"Domain Controllers OU\\\" object and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for Domain Controllers OU object to include\nthe following:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93127'\n tag 'rid': 'SV-103215r1_rule'\n tag 'stig_id': 'WN19-DC-000200'\n tag 'fix_id': 'F-99373r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'OU=Domain Controllers,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe 
\"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"CreateChild, DeleteChild, DeleteTree, Delete, WriteDacl, WriteOwner\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"All\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"All\" }\n end\n end\n end\n \n \n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93295.rb", + "ref": "./Windows 2019 STIG/controls/V-93127.rb", "line": 3 }, - "id": "V-93295" + "id": "V-93127" }, { - "title": "Windows Server 2019 Allow log on through Remote Desktop Services user\nright must only be assigned to the Administrators group on domain controllers.", - 
"desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on through Remote Desktop Services\" user\nright can access a system through Remote Desktop.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on through Remote Desktop Services\" user\nright can access a system through Remote Desktop.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "This applies to domain controllers, it is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Allow\nlog on through Remote Desktop Services\" user right, this is a finding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeRemoteInteractiveLogonRight\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Allow log\non through Remote Desktop Services\" to include only the following accounts or\ngroups:\n\n - Administrators" + "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name EXCEL.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only 
those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for EXCEL.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-92997", - "rid": "SV-103085r1_rule", - "stig_id": "WN19-DC-000360", - "fix_id": "F-99243r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93327", + "rid": "SV-103415r1_rule", + "stig_id": "WN19-EP-000090", + "fix_id": "F-99573r1_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-92997\" do\n title \"Windows Server 2019 Allow log on through Remote Desktop Services user\nright must only be assigned to the Administrators group on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Allow log on through Remote Desktop Services\\\" user\nright can access a system through Remote Desktop.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers, it is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run 
\\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Allow\nlog on through Remote Desktop Services\\\" user right, this is a finding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeRemoteInteractiveLogonRight\\\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Allow log\non through Remote Desktop Services\\\" to include only the following accounts or\ngroups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92997'\n tag 'rid': 'SV-103085r1_rule'\n tag 'stig_id': 'WN19-DC-000360'\n tag 'fix_id': 'F-99243r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeRemoteInteractiveLogonRight') { should eq ['S-1-5-32-544'] }\n end\n else\n impact 0.0\n describe 'This system is 
not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93327\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name EXCEL.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for EXCEL.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG 
package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93327\"\n tag rid: \"SV-103415r1_rule\"\n tag stig_id: \"WN19-EP-000090\"\n tag fix_id: \"F-99573r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n excel = json({ command: \"Get-ProcessMitigation -Name EXCEL.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif excel.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for EXCEL.EXE\" do\n subject { excel }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92997.rb", + "ref": "./Windows 2019 STIG/controls/V-93327.rb", "line": 3 }, - "id": "V-92997" + "id": "V-93327" }, { - "title": "Windows Server 2019 Deny log on as a batch job user right on\ndomain-joined member servers must be configured to prevent access from highly\nprivileged domain accounts and from unauthenticated access on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a batch job\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a batch job\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nas a batch job\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \"SeDenyBatchLogonRight\"\nuser right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n All Systems:\n S-1-5-32-546 (Guests)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non as a batch job\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group" + "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name wordpad.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command 
produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for wordpad.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93011", - "rid": "SV-103099r1_rule", - "stig_id": "WN19-MS-000090", - "fix_id": "F-99257r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93367", + "rid": "SV-103455r1_rule", + "stig_id": "WN19-EP-000290", + "fix_id": "F-99613r1_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93011\" do\n title \"Windows Server 2019 Deny log on as a batch job user right on\ndomain-joined member servers must be configured to prevent access from highly\nprivileged domain accounts and from unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on as a batch job\\\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins 
and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned to prevent unauthenticated access.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nas a batch job\\\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \\\"SeDenyBatchLogonRight\\\"\nuser right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n All Systems:\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non as a batch job\\\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93011'\n tag 'rid': 'SV-103099r1_rule'\n tag 'stig_id': 'WN19-MS-000090'\n tag 'fix_id': 'F-99257r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v 
DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '2'\n describe security_policy do\n its('SeDenyBatchLogonRight') { should eq ['S-1-5-32-546'] }\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyBatchLogonRight') { should include 'S-1-5-32-546' }\n end\n end\nend\n", + "code": "control \"V-93367\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name wordpad.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for wordpad.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93367\"\n tag rid: \"SV-103455r1_rule\"\n tag stig_id: \"WN19-EP-000290\"\n tag fix_id: \"F-99613r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n wordpad = json({ command: \"Get-ProcessMitigation -Name wordpad.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif wordpad.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for wordpad.exe\" do\n subject { wordpad }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93011.rb", + "ref": "./Windows 2019 STIG/controls/V-93367.rb", "line": 3 }, - "id": "V-93011" + "id": "V-93367" }, { - "title": "Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.", - "desc": "The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. 
Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.", + "title": "Windows Server 2019 shared user accounts must not be permitted.", + "desc": "Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.", "descriptions": { - "default": "The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.", + "default": "Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.", "rationale": "", - "check": "This applies to member servers. 
For domain controllers and standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 4 (or less)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)\" to \"4\" logons or less." + "check": "Determine whether any shared accounts exist. If no shared accounts exist, this is NA.\n\n Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.\n\n If unapproved shared accounts exist, this is a finding.", + "fix": "Remove unapproved shared accounts from the system.\n\n Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93275", - "rid": "SV-103363r1_rule", - "stig_id": "WN19-MS-000050", - "fix_id": "F-99521r1_fix", + "gtitle": "SRG-OS-000104-GPOS-00051", + "gid": "V-93437", + "rid": "SV-103523r1_rule", + "stig_id": "WN19-00-000070", + "fix_id": "F-99681r1_fix", "cci": [ - "CCI-000366" + "CCI-000764" ], "nist": [ - "CM-6 b", + "IA-2", "Rev_4" ] }, - "code": "control \"V-93275\" do\n title \"Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.\"\n desc \"The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to member servers. 
For domain controllers and standalone systems, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: CachedLogonsCount\n\n Value Type: REG_SZ\n Value: 4 (or less)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)\\\" to \\\"4\\\" logons or less.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93275\"\n tag rid: \"SV-103363r1_rule\"\n tag stig_id: \"WN19-MS-000050\"\n tag fix_id: \"F-99521r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '3'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'CachedLogonsCount' }\n its('CachedLogonsCount') { should cmp <= 4 }\n end\n else\n impact 0.0\n describe 'This requirement is only applicable to member servers' do\n skip 'This control is NA as the requirement is only applicable to member servers'\n end\n end\nend\n", + "code": "control \"V-93437\" do\n title \"Windows Server 2019 shared user accounts must not be permitted.\"\n desc \"Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Determine whether any shared accounts exist. 
If no shared accounts exist, this is NA.\n\n Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.\n\n If unapproved shared accounts exist, this is a finding.\"\n desc \"fix\", \"Remove unapproved shared accounts from the system.\n\n Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000104-GPOS-00051\"\n tag gid: \"V-93437\"\n tag rid: \"SV-103523r1_rule\"\n tag stig_id: \"WN19-00-000070\"\n tag fix_id: \"F-99681r1_fix\"\n tag cci: [\"CCI-000764\"]\n tag nist: [\"IA-2\", \"Rev_4\"]\n\n describe 'This control needs to be check manually' do\n skip 'Control not executed as this test is manual'\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93275.rb", + "ref": "./Windows 2019 STIG/controls/V-93437.rb", "line": 3 }, - "id": "V-93275" + "id": "V-93437" }, { - "title": "Windows Server 2019 must not allow anonymous SID/Name translation.", - "desc": "Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. 
Only authorized users must be able to perform such translations.", + "title": "Windows Server 2019 Deny log on as a batch job user right on domain\ncontrollers must be configured to prevent unauthenticated access.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a batch job\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.", "descriptions": { - "default": "Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a batch job\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Network access: Allow anonymous SID/Name translation\" is not set to \"Disabled\", this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Allow anonymous SID/Name translation\" to \"Disabled\"." + "check": "This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nas a batch job\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the \"SeDenyBatchLogonRight\"\nuser right, this is a finding:\n\n S-1-5-32-546 (Guests)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non as a batch job\" to include the following:\n\n - Guests Group" }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93289", - "rid": "SV-103377r1_rule", - "stig_id": "WN19-SO-000210", - "fix_id": "F-99535r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-93001", + "rid": "SV-103089r1_rule", + "stig_id": "WN19-DC-000380", + "fix_id": "F-99247r1_fix", "cci": [ - "CCI-000366" + "CCI-000213" ], "nist": [ - "CM-6 b", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93289\" do\n title \"Windows Server 2019 must not allow anonymous SID/Name translation.\"\n desc \"Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. 
Only authorized users must be able to perform such translations.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Network access: Allow anonymous SID/Name translation\\\" is not set to \\\"Disabled\\\", this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Allow anonymous SID/Name translation\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93289\"\n tag rid: \"SV-103377r1_rule\"\n tag stig_id: \"WN19-SO-000210\"\n tag fix_id: \"F-99535r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe security_policy do\n its('LSAAnonymousNameLookup') { should eq 0 }\n end\nend", + "code": "control \"V-93001\" do\n title \"Windows Server 2019 Deny log on as a batch job user right on domain\ncontrollers must be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on as a batch job\\\" user right defines accounts that are\nprevented from logging on to the system as a batch job, such as Task Scheduler.\n\n The Guests group must be assigned to prevent unauthenticated access.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nas a batch job\\\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the \\\"SeDenyBatchLogonRight\\\"\nuser right, this is a finding:\n\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"\n Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non as a batch job\\\" to include the following:\n\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93001'\n tag 'rid': 'SV-103089r1_rule'\n tag 'stig_id': 'WN19-DC-000380'\n tag 'fix_id': 'F-99247r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyBatchLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n impact 0.0\n describe 
'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93289.rb", + "ref": "./Windows 2019 STIG/controls/V-93001.rb", "line": 3 }, - "id": "V-93289" + "id": "V-93001" }, { - "title": "Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE\nregistry hive must be maintained.", - "desc": "The registry is integral to the function, security, and stability of\nthe Windows system. Changing the system's registry permissions allows the\npossibility of unauthorized and anonymous modification to the operating system.", + "title": "Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.", + "desc": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Create global objects\" user right can create objects that are available to all sessions, which could affect processes in otherusers' sessions.", "descriptions": { - "default": "The registry is integral to the function, security, and stability of\nthe Windows system. 
Changing the system's registry permissions allows the\npossibility of unauthorized and anonymous modification to the operating system.", + "default": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Create global objects\" user right can create objects that are available to all sessions, which could affect processes in otherusers' sessions.", "rationale": "", - "check": "Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive\nnoted below.\n\n If any non-privileged groups such as Everyone, Users, or Authenticated\nUsers have greater than Read permission, this is a finding.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding:\n\n Run \"Regedit\".\n\n Right-click on the registry areas noted below.\n\n Select \"Permissions\" and the \"Advanced\" button.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other examples under the noted keys may also be sampled. 
There may be some\ninstances where non-privileged groups have greater than Read permission.\n\n Microsoft has given Read permission to the SOFTWARE and SYSTEM registry\nkeys in Windows Server 2019 to the following SID, this is currently not a\nfinding.\n\nS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\n\n If the defaults have not been changed, these are not a finding.", - "fix": "Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive.\n\n The default permissions of the higher-level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\SECURITY\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SOFTWARE\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\SYSTEM\n\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Microsoft has also given Read permission to the SOFTWARE and SYSTEM\nregistry keys in Windows Server 2019 to the following SID.\n\nS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681" + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings 
>> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \"Create global objects\" user right, this is a finding:\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \"SeCreateGlobalPrivilege\" user right, this is a finding:\n S-1-5-32-544 (Administrators)\n S-1-5-6 (Service)\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \"Create global objects\" to include only the following accounts or groups:\n - Administrators\n - Service\n - Local Service\n - Network Service" }, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93025", - "rid": "SV-103113r1_rule", - "stig_id": "WN19-00-000170", - "fix_id": "F-99271r1_fix", + "gid": "V-93059", + "rid": "SV-103147r1_rule", + "stig_id": "WN19-UR-000070", + "fix_id": "F-99305r1_fix", "cci": [ "CCI-002235" ], 
@@ -5814,64 +5854,70 @@ "Rev_4" ] }, - "code": "control 'V-93025' do\n title \"Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE\nregistry hive must be maintained.\"\n desc \"The registry is integral to the function, security, and stability of\nthe Windows system. Changing the system's registry permissions allows the\npossibility of unauthorized and anonymous modification to the operating system.\"\n desc 'rationale', ''\n desc 'check', \"Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive\nnoted below.\n\n If any non-privileged groups such as Everyone, Users, or Authenticated\nUsers have greater than Read permission, this is a finding.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding:\n\n Run \\\"Regedit\\\".\n\n Right-click on the registry areas noted below.\n\n Select \\\"Permissions\\\" and the \\\"Advanced\\\" button.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Other examples under the noted keys may also be 
sampled. There may be some\ninstances where non-privileged groups have greater than Read permission.\n\n Microsoft has given Read permission to the SOFTWARE and SYSTEM registry\nkeys in Windows Server 2019 to the following SID, this is currently not a\nfinding.\n\nS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\n\n If the defaults have not been changed, these are not a finding.\"\n desc 'fix', \"\n Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive.\n\n The default permissions of the higher-level keys are noted below.\n\n HKEY_LOCAL_MACHINE\\\\SECURITY\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n SYSTEM - Full Control - This key and subkeys\n Administrators - Special - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SOFTWARE\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - This key and subkeys\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n HKEY_LOCAL_MACHINE\\\\SYSTEM\n\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n Principal - Access - Applies to\n Users - Read - This key and subkeys\n Administrators - Full Control - This key and subkeys\n SYSTEM - Full Control - This key and subkeys\n CREATOR OWNER - Full Control - Subkeys only\n ALL APPLICATION PACKAGES - Read - This key and subkeys\n\n Microsoft has also given Read permission to the SOFTWARE and SYSTEM\nregistry keys in Windows Server 2019 to the following SID.\n\nS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93025'\n tag 'rid': 'SV-103113r1_rule'\n tag 
'stig_id': 'WN19-00-000170'\n tag 'fix_id': 'F-99271r1_fix'\n tag 'cci': ['CCI-002235']\n tag 'nist': ['AC-6 (10)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n hklm_system = powershell('(Get-Acl -Path HKLM:System).AccessToString').stdout.lines.collect(&:strip)\n describe 'Registry Key Security are set correctly on folder structure' do\n subject { hklm_system.eql? input('reg_system_perms_dc') }\n it { should eq true }\n end\n else\n hklm_software = powershell('(Get-Acl -Path HKLM:Software).AccessToString').stdout.lines.collect(&:strip)\n describe 'Registry Key Software permissions are set correctly on folder structure' do\n subject { hklm_software.eql? input('reg_software_perms') }\n it { should eq true }\n end\n\n hklm_security = powershell('(Get-Acl -Path HKLM:Security).AccessToString').stdout.lines.collect(&:strip)\n describe 'Registry Key Security are set correctly on folder structure' do\n subject { hklm_security.eql? input('reg_security_perms') }\n it { should eq true }\n end\n\n hklm_system = powershell('(Get-Acl -Path HKLM:System).AccessToString').stdout.lines.collect(&:strip)\n describe 'Registry Key System are set correctly on folder structure' do\n subject { hklm_system.eql? 
input('reg_system_perms') }\n it { should eq true }\n end\n end\n end\n", + "code": "control \"V-93059\" do\n title \"Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \\\"Create global objects\\\" user right can create objects that are available to all sessions, which could affect processes in otherusers' sessions.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \\\"Create global objects\\\" user right, this is a finding:\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \\\"SeCreateGlobalPrivilege\\\" user right, this is a finding:\n S-1-5-32-544 (Administrators)\n S-1-5-6 (Service)\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Create global objects\\\" to include only the 
following accounts or groups:\n - Administrators\n - Service\n - Local Service\n - Network Service\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93059'\n tag 'rid': 'SV-103147r1_rule'\n tag 'stig_id': 'WN19-UR-000070'\n tag 'fix_id': 'F-99305r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n active_global_privilege_users = security_policy.SeCreateGlobalPrivilege.entries\n allowed_global_privilege_users = input(\"allowed_global_privilege_users\")\n disallowed_global_privilege_users = input(\"disallowed_global_privilege_users\")\n unauthorized_users = []\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n active_global_privilege_users.each do |user|\n next if allowed_global_privilege_users.include?(user)\n unauthorized_users << user\n end\n disallowed_global_privilege_users.each do |user|\n unless disallowed_global_privilege_users == [nil] || unauthorized_users.include?(user)\n unauthorized_users << user\n end\n end\n describe \"Global Object Creation Privilege must be limited to\" do\n it \"Authorized SIDs: #{allowed_global_privilege_users}\" do\n failure_message = \"Unauthorized SIDs: #{unauthorized_users}\"\n expect(unauthorized_users).to be_empty, failure_message\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93025.rb", - "line": 1 + "ref": "./Windows 2019 STIG/controls/V-93059.rb", + "line": 3 }, - "id": "V-93025" + "id": "V-93059" }, { - "title": "Windows Server 2019 System event log size must be configured to 32768\nKB or 
greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", + "title": "Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.", + "desc": "To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", + "default": "To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. 
This requirement only applies to unclassified systems.", "rationale": "", - "check": "If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >> System\n>> \"Specify the maximum log file size (KB)\" to \"Enabled\" with a \"Maximum\nLog Size (KB)\" of \"32768\" or greater." + "check": "This is applicable to unclassified systems. It is NA for others.\n Open \"PowerShell\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where {$_.Issuer -Like \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | FL Subject, Issuer, Thumbprint, NotAfter\n If the following certificate \"Subject\", \"Issuer\", and \"Thumbprint\" information is not displayed, this is a finding.\n If an expired certificate (\"NotAfter\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n NotAfter: 2/17/2019\n\n Alternately, use the Certificates MMC snap-in:\n Run \"MMC\".\n Select \"File\", \"Add/Remove Snap-in\".\n Select \"Certificates\" and click \"Add\".\n Select \"Computer account\" and click \"Next\".\n Select \"Local computer: (the computer this console is running on)\" and click \"Finish\".\n Click \"OK\".\n Expand \"Certificates\" and navigate to \"Untrusted Certificates >> Certificates\".\n For each certificate with \"DoD Root CA...\" under \"Issued To\" and \"DoD Interoperability Root CA...\" under \"Issued By\":\n Right-click on the certificate and select \"Open\".\n Select the \"Details\" Tab.\n Scroll to the bottom and select \"Thumbprint\".\n If the certificates below are not listed or the value for the \"Thumbprint\" field is not as noted, this is a finding.\n If an expired certificate (\"Valid to\" date) is not listed in the results, this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n Valid to: Sunday, September 23, 2018\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n Valid to: Sunday, February 17, 2019", + "fix": "Install the DoD Interoperability Root CA cross-certificates on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n\n Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal 
Tool once as an administrator and once as the current user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-93181", - "rid": "SV-103269r1_rule", - "stig_id": "WN19-CC-000290", - "fix_id": "F-99427r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "satisfies": [ + "SRG-OS-000066-GPOS-00034", + "SRG-OS-000403-GPOS-00182" + ], + "gid": "V-93489", + "rid": "SV-103575r1_rule", + "stig_id": "WN19-PK-000020", + "fix_id": "F-99733r1_fix", "cci": [ - "CCI-001849" + "CCI-000185", + "CCI-002470" ], "nist": [ - "AU-4", + "IA-5 (2) (a)", + "SC-23 (5)", "Rev_4" ] }, - "code": "control \"V-93181\" do\n title \"Windows Server 2019 System event log size must be configured to 32768\nKB or greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\System\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >> System\n>> \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum\nLog Size (KB)\\\" of \\\"32768\\\" or greater.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000341-GPOS-00132'\n tag 'gid': 'V-93181'\n tag 'rid': 'SV-103269r1_rule'\n tag 'stig_id': 'WN19-CC-000290'\n tag 
'fix_id': 'F-99427r1_fix'\n tag 'cci': [\"CCI-001849\"]\n tag 'nist': [\"AU-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should cmp >= 32768 }\n end\nend\n", + "code": "control \"V-93489\" do\n title \"Windows Server 2019 must have the #{input('org_name')[:acronym]} Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing certificate-based authentication to #{input('org_name')[:acronym]} websites due to the system chaining to a root other than #{input('org_name')[:acronym]} Root CAs, the #{input('org_name')[:acronym]} Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems. It is NA for others.\n Open \\\"PowerShell\\\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where {$_.Issuer -Like \\\"*DoD Interoperability*\\\" -and $_.Subject -Like \\\"*DoD*\\\"} | FL Subject, Issuer, Thumbprint, NotAfter\n If the following certificate \\\"Subject\\\", \\\"Issuer\\\", and \\\"Thumbprint\\\" information is not displayed, this is a finding.\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n NotAfter: 9/6/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n NotAfter: 2/17/2019\n\n Alternately, use the Certificates MMC snap-in:\n Run \\\"MMC\\\".\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n Select \\\"Certificates\\\" and click \\\"Add\\\".\n Select \\\"Computer account\\\" and click \\\"Next\\\".\n Select \\\"Local computer: (the computer this console is running on)\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Expand \\\"Certificates\\\" and navigate to \\\"Untrusted Certificates >> Certificates\\\".\n For each certificate with \\\"DoD Root CA...\\\" under \\\"Issued To\\\" and \\\"DoD Interoperability Root CA...\\\" under \\\"Issued By\\\":\n Right-click on the certificate and select \\\"Open\\\".\n Select the \\\"Details\\\" Tab.\n Scroll to the bottom and select \\\"Thumbprint\\\".\n If the certificates below are not listed or the value for the \\\"Thumbprint\\\" field is not as noted, this is a finding.\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results, this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: DoD Interoperability Root CA 1\n Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F\n Valid to: Friday, September 6, 2019\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n Valid to: Sunday, September 23, 2018\n\n Issued To: DoD Root CA 3\n Issued By: DoD Interoperability Root CA 2\n Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n Valid to: Sunday, February 17, 2019\"\n desc \"fix\", \"Install the DoD Interoperability Root CA cross-certificates on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13\n\n DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4\n\n 
Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag satisfies: [\"SRG-OS-000066-GPOS-00034\", \"SRG-OS-000403-GPOS-00182\"]\n tag gid: \"V-93489\"\n tag rid: \"SV-103575r1_rule\"\n tag stig_id: \"WN19-PK-000020\"\n tag fix_id: \"F-99733r1_fix\"\n tag cci: [\"CCI-000185\", \"CCI-002470\"]\n tag nist: [\"IA-5 (2) (a)\", \"SC-23 (5)\", \"Rev_4\"]\n\n if input('sensitive_system') == true\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else \n dod_interoperability_certificates = JSON.parse(input('dod_interoperability_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*DoD Interoperability*\" -and $_.Subject -Like \"*DoD*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' }).params\n \n describe 'Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates.' 
do\n subject { query }\n it { should_not be_empty }\n it { should be_in dod_interoperability_certificates }\n end\n\n unless query.empty?\n case query\n when Hash\n query.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n when Array\n query.each do |certs|\n certs.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93181.rb", + "ref": "./Windows 2019 STIG/controls/V-93489.rb", "line": 3 }, - "id": "V-93181" + "id": "V-93489" }, { - "title": "Windows Server 2019 Deny log on locally user right on domain-joined\nmember servers must be configured to prevent access from highly privileged\ndomain accounts and from unauthenticated access on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on locally\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "title": "Windows Server 2019 Deny log on as a service user right must be\nconfigured to include no accounts or groups (blank) on domain controllers.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a service\" user right defines accounts that are\ndenied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\na 
denial of service.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on locally\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on as a service\" user right defines accounts that are\ndenied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.", "rationale": "", - "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nlocally\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the\n\"SeDenyInteractiveLogonRight\" user right, this is a finding:\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n All Systems:\n S-1-5-32-546 (Guests)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non locally\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group" + "check": "This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are defined for the \"Deny log on as a service\"\nuser right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeDenyServiceLogonRight\" user right, this is\na finding.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Deny log on as a service\" to include no entries (blank)." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93015", - "rid": "SV-103103r1_rule", - "stig_id": "WN19-MS-000110", - "fix_id": "F-99261r1_fix", + "gid": "V-93003", + "rid": "SV-103091r1_rule", + "stig_id": "WN19-DC-000390", + "fix_id": "F-99249r1_fix", "cci": [ "CCI-000213" ], 
@@ -5880,64 +5926,81 @@ "Rev_4" ] }, - "code": "control \"V-93015\" do\n title \"Windows Server 2019 Deny log on locally user right on domain-joined\nmember servers must be configured to prevent access from highly privileged\ndomain accounts and from unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on locally\\\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nlocally\\\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the\n\\\"SeDenyInteractiveLogonRight\\\" user right, this is a finding:\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n All Systems:\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> 
Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non locally\\\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93015'\n tag 'rid': 'SV-103103r1_rule'\n tag 'stig_id': 'WN19-MS-000110'\n tag 'fix_id': 'F-99261r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '2'\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include 'S-1-5-32-546' }\n end\n end\nend\n", + "code": "control \"V-93003\" do\n 
title \"Windows Server 2019 Deny log on as a service user right must be\nconfigured to include no accounts or groups (blank) on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on as a service\\\" user right defines accounts that are\ndenied logon as a service.\n\n Incorrect configurations could prevent services from starting and result in\na denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are defined for the \\\"Deny log on as a service\\\"\nuser right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeDenyServiceLogonRight\\\" user right, this is\na finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Deny log on as a service\\\" to include no entries (blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93003'\n tag 'rid': 'SV-103091r1_rule'\n tag 'stig_id': 'WN19-DC-000390'\n tag 'fix_id': 'F-99249r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need 
to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyServiceLogonRight') { should eq [] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93015.rb", + "ref": "./Windows 2019 STIG/controls/V-93003.rb", "line": 3 }, - "id": "V-93015" + "id": "V-93003" }, { - "title": "Windows Server 2019 passwords must be configured to expire.", - "desc": "Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.", + "title": "Windows Server 2019 required legal notice must be configured to\ndisplay before console logon.", + "desc": "Failure to display the logon banner prior to a logon attempt will\nnegate legal proceedings resulting from unauthorized access to system resources.", "descriptions": { - "default": "Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.", + "default": "Failure to display the logon banner prior to a logon attempt will\nnegate legal proceedings resulting from unauthorized access to system resources.", "rationale": "", - "check": "Review the password never expires status for enabled user accounts.\n Open \"PowerShell\".\n\n Domain Controllers:\n Enter \"Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled\".\n Exclude 
application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n If any enabled user accounts are returned with a \"PasswordNeverExpires\" status of \"True\", this is a finding.\n\n Member servers and standalone systems:\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \"PasswordExpires=False and LocalAccount=True\" | FT Name, PasswordExpires, Disabled, LocalAccount'.\n Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest).\n If any enabled user accounts are returned with a \"PasswordExpires\" status of \"False\", this is a finding.", - "fix": "Configure all enabled user account passwords to expire.\n Uncheck \"Password never expires\" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value: See message text below\n\n You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> Security Options >> \"Interactive\nLogon: Message text for users attempting to log on\" to the following:\n\n You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-93475", - "rid": "SV-103561r1_rule", - "stig_id": "WN19-00-000210", - "fix_id": "F-99719r1_fix", + "gtitle": "SRG-OS-000023-GPOS-00006", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000024-GPOS-00007", + "SRG-OS-000228-GPOS-00088" + ], + "gid": "V-93147", + "rid": "SV-103235r1_rule", + "stig_id": "WN19-SO-000130", + "fix_id": "F-99393r1_fix", "cci": [ - "CCI-000199" + "CCI-000048", + "CCI-000050", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" ], "nist": [ - "IA-5 (1) (d)", + "AC-8 a", + "AC-8 b", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c2", + "AC-8 c 3", "Rev_4" ] }, - "code": "control 'V-93475' do\n title 'Windows Server 2019 passwords must be configured to expire.'\n desc 'Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.'\n desc 'rationale', ''\n desc 'check', \"Review the password never expires status for enabled user accounts.\n Open \\\"PowerShell\\\".\n\n Domain Controllers:\n Enter \\\"Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled\\\".\n Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n If any enabled user accounts are returned with a \\\"PasswordNeverExpires\\\" status of \\\"True\\\", this is a finding.\n\n Member servers and standalone systems:\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \\\"PasswordExpires=False and LocalAccount=True\\\" | FT Name, PasswordExpires, Disabled, LocalAccount'.\n Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest).\n If any enabled user accounts are returned with a \\\"PasswordExpires\\\" status of \\\"False\\\", this is a finding.\"\n desc 
'fix', \"Configure all enabled user account passwords to expire.\n Uncheck \\\"Password never expires\\\" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-93475'\n tag rid: 'SV-103561r1_rule'\n tag stig_id: 'WN19-00-000210'\n tag fix_id: 'F-99719r1_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n untracked_accounts = []\n\n if domain_role == '4' || domain_role == '5'\n ad_accounts = json({ command: \"Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object {$_.PasswordNeverExpires -eq 'True' -and $_.Enabled -eq 'True'} | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n\n application_accounts = input('application_accounts_domain')\n excluded_accounts = input('excluded_accounts_domain')\n\n unless ad_accounts.empty?\n ad_accounts = [ad_accounts] if ad_accounts.class == String\n untracked_accounts = ad_accounts - application_accounts - excluded_accounts\n end\n\n describe 'Untracked Accounts' do\n it 'No Enabled Domain Account should be set to have Password Never Expire' do\n failure_message = \"Users Accounts are set to Password Never Expire: #{untracked_accounts}\"\n expect(untracked_accounts).to be_empty, failure_message\n end\n end\n else\n local_accounts = json({ command: \"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordExpires=False and LocalAccount=True and Disabled=False' | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n\n application_accounts = input('application_accounts_local')\n\n excluded_accounts = input('excluded_accounts_local')\n\n unless local_accounts.empty?\n local_accounts = [local_accounts] if local_accounts.class == String\n untracked_accounts 
= local_accounts - application_accounts - excluded_accounts\n end\n\n describe 'Account or Accounts exists' do\n it 'Server should not have Accounts with Password Never Expire' do\n failure_message = \"User or Users have Password set to not expire: #{untracked_accounts}\"\n expect(untracked_accounts).to be_empty, failure_message\n end\n end\n end\nend\n", + "code": "control \"V-93147\" do\n title \"Windows Server 2019 required legal notice must be configured to\ndisplay before console logon.\"\n desc \"Failure to display the logon banner prior to a logon attempt will\nnegate legal proceedings resulting from unauthorized access to system resources.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: LegalNoticeText\n\n Value Type: REG_SZ\n Value: See message text below\n\n #{input('LegalNoticeText')}\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> Security Options >> \\\"Interactive\nLogon: Message text for users attempting to log on\\\" to the following:\n\n #{input('LegalNoticeText')}\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000023-GPOS-00006'\n tag 'satisfies': [\"SRG-OS-000023-GPOS-00006\", \"SRG-OS-000024-GPOS-00007\",\n\"SRG-OS-000228-GPOS-00088\"]\n tag 'gid': 'V-93147'\n tag 'rid': 'SV-103235r1_rule'\n tag 'stig_id': 'WN19-SO-000130'\n tag 'fix_id': 'F-99393r1_fix'\n tag 'cci': [\"CCI-000048\", \"CCI-000050\", \"CCI-001384\", \"CCI-001385\",\n\"CCI-001386\", \"CCI-001387\", \"CCI-001388\"]\n tag 'nist': [\"AC-8 a\", \"AC-8 b\", \"AC-8 c 1\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c2\", \"AC-8 c 3\", \"Rev_4\"]\n\ndescribe 
registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LegalNoticeText' }\n end\n\n key = registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System').LegalNoticeText.to_s\n\n k = key.gsub(\"\\u0000\", '')\n legal_notice_text = input('LegalNoticeText')\n\n describe 'The required legal notice text' do\n subject { k.scan(/[\\w().;,!]/).join }\n it { should cmp legal_notice_text.scan(/[\\w().;,!]/).join }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93475.rb", + "ref": "./Windows 2019 STIG/controls/V-93147.rb", "line": 3 }, - "id": "V-93475" + "id": "V-93147" }, { - "title": "Windows Server 2019 systems must have Unified Extensible Firmware\nInterface (UEFI) firmware and be configured to run in UEFI mode, not Legacy\nBIOS.", - "desc": "UEFI provides additional security features in comparison to legacy\nBIOS firmware, including Secure Boot. UEFI is required to support additional\nsecurity features in Windows, including Virtualization Based Security and\nCredential Guard. Systems with UEFI that are operating in \"Legacy BIOS\" mode\nwill not support these security features.", + "title": "Windows Server 2019 must be configured to enable Remote host allows\ndelegation of non-exportable credentials.", + "desc": "An exportable version of credentials is provided to remote hosts when\nusing credential delegation which exposes them to theft on the remote host.\nRestricted Admin mode or Remote Credential Guard allow delegation of\nnon-exportable credentials providing additional protection of the credentials.\nEnabling this configures the host to support Restricted Admin mode or Remote\nCredential Guard.", "descriptions": { - "default": "UEFI provides additional security features in comparison to legacy\nBIOS firmware, including Secure Boot. 
UEFI is required to support additional\nsecurity features in Windows, including Virtualization Based Security and\nCredential Guard. Systems with UEFI that are operating in \"Legacy BIOS\" mode\nwill not support these security features.", + "default": "An exportable version of credentials is provided to remote hosts when\nusing credential delegation which exposes them to theft on the remote host.\nRestricted Admin mode or Remote Credential Guard allow delegation of\nnon-exportable credentials providing additional protection of the credentials.\nEnabling this configures the host to support Restricted Admin mode or Remote\nCredential Guard.", "rationale": "", - "check": "Some older systems may not have UEFI firmware. This is currently a CAT III;\nit will be raised in severity at a future date when broad support of Windows\nhardware and firmware requirements are expected to be met. Devices that have\nUEFI firmware must run in \"UEFI\" mode.\n\n Verify the system firmware is configured to run in \"UEFI\" mode, not\n\"Legacy BIOS\".\n\n Run \"System Information\".\n\n Under \"System Summary\", if \"BIOS Mode\" does not display \"UEFI\", this\nis a finding.", - "fix": "Configure UEFI firmware to run in \"UEFI\" mode, not \"Legacy\nBIOS\" mode." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation\\\n\n Value Name: AllowProtectedCreds\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Credentials Delegation >> \"Remote host\nallows delegation of non-exportable credentials\" to \"Enabled\"." 
},
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93229",
- "rid": "SV-103317r1_rule",
- "stig_id": "WN19-00-000460",
- "fix_id": "F-99475r1_fix",
+ "gid": "V-93243",
+ "rid": "SV-103331r1_rule",
+ "stig_id": "WN19-CC-000100",
+ "fix_id": "F-99489r1_fix",
 "cci": [
 "CCI-000366"
 ],
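Review bot: In the new V-93003 `code` the Server Core branch (`if os_type == 'False'` … `skip` … `end`) is not exclusive with the domain-role check that follows it, so on a Core domain controller the control emits the manual-check skip and then still runs `describe security_policy do its('SeDenyServiceLogonRight') { should eq [] } end`; if that skip exists because `security_policy` cannot be read on Core, the second block will fail or error rather than be skipped. Chaining the conditions fixes it: replace the `end` closing the Core branch together with the following `if domain_role == '4' || domain_role == '5'` by a single `elsif domain_role == '4' || domain_role == '5'`, keeping the existing `else` for non-DC systems. The same control's metadata carries `"impact": 0` while its `code` declares `impact 0.5`, which looks like the runtime `impact 0.0` of the not-applicable branch having been captured into the static baseline; the exported value should match the declared severity so the baseline does not report this DC-only control as N/A everywhere. In V-93147's `tags`, `nist` lists `"AC-8 c 2"` twice plus a mis-spaced `"AC-8 c2"` (also repeated inside its `code` string), which appears to be duplication rather than three distinct mappings and is worth de-duplicating to one `"AC-8 c 2"`.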
@@ -5946,138 +6009,138 @@ "Rev_4" ] }, - "code": "control \"V-93229\" do\n title \"Windows Server 2019 systems must have Unified Extensible Firmware\nInterface (UEFI) firmware and be configured to run in UEFI mode, not Legacy\nBIOS.\"\n desc \"UEFI provides additional security features in comparison to legacy\nBIOS firmware, including Secure Boot. UEFI is required to support additional\nsecurity features in Windows, including Virtualization Based Security and\nCredential Guard. Systems with UEFI that are operating in \\\"Legacy BIOS\\\" mode\nwill not support these security features.\"\n desc \"rationale\", \"\"\n desc 'check', \"Some older systems may not have UEFI firmware. This is currently a CAT III;\nit will be raised in severity at a future date when broad support of Windows\nhardware and firmware requirements are expected to be met. Devices that have\nUEFI firmware must run in \\\"UEFI\\\" mode.\n\n Verify the system firmware is configured to run in \\\"UEFI\\\" mode, not\n\\\"Legacy BIOS\\\".\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", if \\\"BIOS Mode\\\" does not display \\\"UEFI\\\", this\nis a finding.\"\n desc 'fix', \"Configure UEFI firmware to run in \\\"UEFI\\\" mode, not \\\"Legacy\nBIOS\\\" mode.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93229'\n tag 'rid': 'SV-103317r1_rule'\n tag 'stig_id': 'WN19-00-000460'\n tag 'fix_id': 'F-99475r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n uefi_boot = json( command: 'Confirm-SecureBootUEFI | ConvertTo-Json').params\n describe 'Confirm-Secure Boot UEFI is required to be enabled on System' do\n subject { uefi_boot }\n it { should_not eq 'False' }\n end\nend\n", + "code": "control \"V-93243\" do\n title \"Windows Server 2019 must be configured to enable Remote host allows\ndelegation of non-exportable credentials.\"\n desc \"An exportable version of credentials is provided to remote hosts when\nusing 
credential delegation which exposes them to theft on the remote host.\nRestricted Admin mode or Remote Credential Guard allow delegation of\nnon-exportable credentials providing additional protection of the credentials.\nEnabling this configures the host to support Restricted Admin mode or Remote\nCredential Guard.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CredentialsDelegation\\\\\n\n Value Name: AllowProtectedCreds\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Credentials Delegation >> \\\"Remote host\nallows delegation of non-exportable credentials\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93243'\n tag 'rid': 'SV-103331r1_rule'\n tag 'stig_id': 'WN19-CC-000100'\n tag 'fix_id': 'F-99489r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation') do\n it { should have_property 'AllowProtectedCreds' }\n its('AllowProtectedCreds') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93229.rb", + "ref": "./Windows 2019 STIG/controls/V-93243.rb", "line": 3 }, - "id": "V-93229" + "id": "V-93243" }, { - "title": "Windows Server 2019 minimum password length must be configured to 14 characters.", - "desc": "Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.", + "title": "Windows Server 2019 must be 
configured to audit Policy Change -\nAuthorization Policy Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\nrights, such as \"Create a token object\".", "descriptions": { - "default": "Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\nrights, such as \"Create a token object\".", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \"Minimum password length,\" is less than \"14\" characters, this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"MinimumPasswordLength\" is less than \"14\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Minimum password length\" to \"14\" characters." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \"Audit Authorization Policy Change\"\nwith \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000078-GPOS-00046", - "gid": "V-93463", - "rid": "SV-103549r1_rule", - "stig_id": "WN19-AC-000070", - "fix_id": "F-99707r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000466-GPOS-00210" + ], + "gid": "V-93099", + "rid": "SV-103187r1_rule", + "stig_id": "WN19-AU-000290", + "fix_id": "F-99345r1_fix", "cci": [ - "CCI-000205" + "CCI-000172", + "CCI-002234" ], "nist": [ - "IA-5 (1) (a)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93463\" do\n title \"Windows Server 2019 minimum password length must be configured to #{input('minimum_password_length')} characters.\"\n desc \"Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.\"\n desc \"rationale\", \"\"\n 
desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \\\"Minimum password length,\\\" is less than \\\"#{input('minimum_password_length')}\\\" characters, this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"MinimumPasswordLength\\\" is less than \\\"#{input('minimum_password_length')}\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Minimum password length\\\" to \\\"#{input('minimum_password_length')}\\\" characters.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000078-GPOS-00046\"\n tag gid: \"V-93463\"\n tag rid: \"SV-103549r1_rule\"\n tag stig_id: \"WN19-AC-000070\"\n tag fix_id: \"F-99707r1_fix\"\n tag cci: [\"CCI-000205\"]\n tag nist: [\"IA-5 (1) (a)\", \"Rev_4\"]\n\n describe security_policy do\n its('MinimumPasswordLength') { should be >= input('minimum_password_length')}\n end\nend", + "code": "control \"V-93099\" do\n title \"Windows Server 2019 must be configured to audit Policy Change -\nAuthorization Policy Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\nrights, such as \\\"Create a token object\\\".\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \\\"Audit Authorization Policy Change\\\"\nwith \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000064-GPOS-00033\",\n\"SRG-OS-000462-GPOS-00206\", \"SRG-OS-000466-GPOS-00210\"]\n tag 'gid': 'V-93099'\n tag 'rid': 'SV-103187r1_rule'\n tag 'stig_id': 'WN19-AU-000290'\n tag 'fix_id': 'F-99345r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authentication Policy Change') { should eq 
'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93463.rb", + "ref": "./Windows 2019 STIG/controls/V-93099.rb", "line": 3 }, - "id": "V-93463" + "id": "V-93099" }, { - "title": "Windows Server 2019 Active Directory AdminSDHolder object must be\nconfigured with proper audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the AdminSDHolder object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "title": "Windows Server 2019 must restrict remote calls to the Security Account\nManager (SAM) to Administrators on domain-joined member servers and standalone\nsystems.", + "desc": "The Windows SAM stores users' passwords. 
Restricting Remote Procedure\nCall (RPC) connections to the SAM to Administrators helps protect those\ncredentials.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the AdminSDHolder object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "default": "The Windows SAM stores users' passwords. Restricting Remote Procedure\nCall (RPC) connections to the SAM to Administrators helps protect those\ncredentials.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for the \"AdminSDHolder\" object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select \"System\" under the domain being reviewed in the left pane.\n\n Right-click the \"AdminSDHolder\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the \"AdminSDHolder\" object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects", - "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select \"System\" under the domain being reviewed in the left pane.\n\n Right-click the \"AdminSDHolder\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for AdminSDHolder object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n 
Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects" + "check": "This applies to member servers and standalone systems; it is NA for domain\ncontrollers.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)", + "fix": "Navigate to the policy Computer Configuration >> Windows Settings >>\nSecurity Settings >> Local Policies >> Security Options >> \"Network access:\nRestrict clients allowed to make remote calls to SAM\".\n Select \"Edit Security\" to configure the \"Security descriptor:\".\n\n Add \"Administrators\" in \"Group or user names:\" if it is not already\nlisted (this is the default).\n\n Select \"Administrators\" in \"Group or user names:\".\n\n Select \"Allow\" for \"Remote Access\" in \"Permissions for\n\"Administrators\".\n\n Click \"OK\".\n\n The \"Security descriptor:\" must be populated with\n\"O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced." 
}, - "impact": 0, + "impact": 0.5, "refs": [], - "tags": { - "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93129", - "rid": "SV-103217r1_rule", - "stig_id": "WN19-DC-000210", - "fix_id": "F-99375r1_fix", + "tags": { + "severity": null, + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93045", + "rid": "SV-103133r1_rule", + "stig_id": "WN19-MS-000060", + "fix_id": "F-99291r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002235" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93129\" do\n title \"Windows Server 2019 Active Directory AdminSDHolder object must be\nconfigured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the AdminSDHolder object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the \\\"AdminSDHolder\\\" object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select \\\"System\\\" under the domain being reviewed in the left pane.\n\n Right-click the \\\"AdminSDHolder\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the \\\"AdminSDHolder\\\" object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n desc 'fix', \"Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select \\\"System\\\" under the domain being reviewed in the left pane.\n\n Right-click the \\\"AdminSDHolder\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for AdminSDHolder object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93129'\n tag 'rid': 'SV-103217r1_rule'\n tag 'stig_id': 'WN19-DC-000210'\n tag 'fix_id': 'F-99375r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=AdminSDHolder,CN=System,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n 
its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, WriteDacl, WriteOwner\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93045\" do\n title \"Windows Server 2019 must restrict remote calls to the Security Account\nManager (SAM) to Administrators on domain-joined member servers and standalone\nsystems.\"\n desc \"The Windows SAM stores users' passwords. 
Restricting Remote Procedure\nCall (RPC) connections to the SAM to Administrators helps protect those\ncredentials.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems; it is NA for domain\ncontrollers.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)\"\n desc 'fix', \"Navigate to the policy Computer Configuration >> Windows Settings >>\nSecurity Settings >> Local Policies >> Security Options >> \\\"Network access:\nRestrict clients allowed to make remote calls to SAM\\\".\n Select \\\"Edit Security\\\" to configure the \\\"Security descriptor:\\\".\n\n Add \\\"Administrators\\\" in \\\"Group or user names:\\\" if it is not already\nlisted (this is the default).\n\n Select \\\"Administrators\\\" in \\\"Group or user names:\\\".\n\n Select \\\"Allow\\\" for \\\"Remote Access\\\" in \\\"Permissions for\n\\\"Administrators\\\".\n\n Click \\\"OK\\\".\n\n The \\\"Security descriptor:\\\" must be populated with\n\\\"O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93045'\n tag 'rid': 'SV-103133r1_rule'\n tag 'stig_id': 'WN19-MS-000060'\n tag 'fix_id': 'F-99291r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers'\n end\n else\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property \"RestrictRemoteSAM\"}\n its('RestrictRemoteSAM') { should cmp \"O:BAG:BAD:(A;;RC;;;BA)\" }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93129.rb", + "ref": "./Windows 2019 STIG/controls/V-93045.rb", "line": 3 }, - "id": "V-93129" + "id": "V-93045" }, { - "title": "Windows Server 2019 Enable computer and user accounts to be trusted\nfor delegation user right must not be assigned to any groups or accounts on\ndomain-joined member servers and standalone systems.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\nright allows the \"Trusted for Delegation\" setting to be changed. This could\nallow unauthorized users to impersonate other users.", + "title": "Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.", + "desc": "A compromised local administrator account can provide means for an attacker to move laterally between domain systems.\n With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\nright allows the \"Trusted for Delegation\" setting to be changed. 
This could\nallow unauthorized users to impersonate other users.", + "default": "A compromised local administrator account can provide means for an attacker to move laterally between domain systems.\n With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.", "rationale": "", - "check": "This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Enable computer and user\naccounts to be trusted for delegation\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeEnableDelegationPrivilege\" user right,\nthis is a finding.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Enable computer and user accounts to be trusted for\ndelegation\" to be defined but containing no entries (blank)." + "check": "This applies to member servers. For domain controllers and standalone systems, this is NA.\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\n\n This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. 
Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to \"1\" may be required.", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \"Apply UAC restrictions to local accounts on network logons\" to \"Enabled\".\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. \"SecGuide.admx\" and \" SecGuide.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93047", - "rid": "SV-103135r1_rule", - "stig_id": "WN19-MS-000130", - "fix_id": "F-99293r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-93519", + "rid": "SV-103605r1_rule", + "stig_id": "WN19-MS-000020", + "fix_id": "F-99763r1_fix", "cci": [ - "CCI-002235" + "CCI-001084" ], "nist": [ - "AC-6 (10)", + "SC-3", "Rev_4" ] }, - "code": "control \"V-93047\" do\n title \"Windows Server 2019 Enable computer and user accounts to be trusted\nfor delegation user right must not be assigned to any groups or accounts on\ndomain-joined member servers and standalone systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Enable computer and user accounts to be trusted for delegation\\\" user\nright allows the \\\"Trusted for Delegation\\\" setting to be changed. This could\nallow unauthorized users to impersonate other users.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Enable computer and user\naccounts to be trusted for delegation\\\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeEnableDelegationPrivilege\\\" user right,\nthis is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Enable computer and user accounts to be trusted for\ndelegation\\\" to be defined but containing no entries (blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93047'\n tag 'rid': 'SV-103135r1_rule'\n tag 'stig_id': 'WN19-MS-000130'\n tag 'fix_id': 'F-99293r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies 
to member servers' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers'\n end\n else\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control \"V-93519\" do\n title \"Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.\"\n desc \"A compromised local administrator account can provide means for an attacker to move laterally between domain systems.\n With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to member servers. For domain controllers and standalone systems, this is NA.\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\n\n Value Name: LocalAccountTokenFilterPolicy\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\n\n This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to \\\"1\\\" may be required.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \\\"Apply UAC restrictions to local accounts on network logons\\\" to \\\"Enabled\\\".\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\" SecGuide.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93519\"\n tag rid: \"SV-103605r1_rule\"\n tag stig_id: \"WN19-MS-000020\"\n tag fix_id: \"F-99763r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '3'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'LocalAccountTokenFilterPolicy' }\n its('LocalAccountTokenFilterPolicy') { should cmp == 0 }\n end\n else\n impact 0.0\n describe 'This requirement is only applicable to member servers' do\n skip 'This control is NA as the requirement is only applicable to member servers'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93047.rb", + "ref": "./Windows 2019 STIG/controls/V-93519.rb", "line": 3 }, - "id": "V-93047" + "id": "V-93519" }, { - "title": "Windows Server 2019 must have Secure Boot enabled.", - "desc": "Secure Boot is a standard that ensures systems boot only to a trusted\noperating system. Secure Boot is required to support additional security\nfeatures in Windows, including Virtualization Based Security and Credential\nGuard. If Secure Boot is turned off, these security features will not function.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Secure Boot is a standard that ensures systems boot only to a trusted\noperating system. Secure Boot is required to support additional security\nfeatures in Windows, including Virtualization Based Security and Credential\nGuard. If Secure Boot is turned off, these security features will not function.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Some older systems may not have UEFI firmware. This is currently a CAT III;\nit will be raised in severity at a future date when broad support of Windows\nhardware and firmware requirements are expected to be met. Devices that have\nUEFI firmware must have Secure Boot enabled.\n\n Run \"System Information\".\n\n Under \"System Summary\", if \"Secure Boot State\" does not display \"On\",\nthis is a finding.\n\n On server core installations, run the following PowerShell command:\n\n Confirm-SecureBootUEFI\n\n If a value of \"True\" is not returned, this is a finding.", - "fix": "Enable Secure Boot in the system firmware." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name GROOVE.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for GROOVE.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.3, + "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93231", - "rid": "SV-103319r1_rule", - "stig_id": "WN19-00-000470", - "fix_id": "F-99477r1_fix", + "gid": "V-93333", + "rid": "SV-103421r1_rule", + "stig_id": "WN19-EP-000120", + "fix_id": "F-99579r1_fix", "cci": [ "CCI-000366" ], 
@@ -6086,307 +6149,306 @@ "Rev_4" ] }, - "code": "control \"V-93231\" do\n title \"Windows Server 2019 must have Secure Boot enabled.\"\n desc \"Secure Boot is a standard that ensures systems boot only to a trusted\noperating system. Secure Boot is required to support additional security\nfeatures in Windows, including Virtualization Based Security and Credential\nGuard. If Secure Boot is turned off, these security features will not function.\"\n desc \"rationale\", \"\"\n desc 'check', \"Some older systems may not have UEFI firmware. This is currently a CAT III;\nit will be raised in severity at a future date when broad support of Windows\nhardware and firmware requirements are expected to be met. Devices that have\nUEFI firmware must have Secure Boot enabled.\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", if \\\"Secure Boot State\\\" does not display \\\"On\\\",\nthis is a finding.\n\n On server core installations, run the following PowerShell command:\n\n Confirm-SecureBootUEFI\n\n If a value of \\\"True\\\" is not returned, this is a finding.\"\n desc 'fix', \"Enable Secure Boot in the system firmware.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93231'\n tag 'rid': 'SV-103319r1_rule'\n tag 'stig_id': 'WN19-00-000470'\n tag 'fix_id': 'F-99477r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n uefi_boot = json( command: 'Confirm-SecureBootUEFI | ConvertTo-Json').params\n describe 'Confirm-Secure Boot UEFI is required to be enabled on System' do\n subject { uefi_boot }\n it { should_not eq 'False' }\n end\nend\n", + "code": "control \"V-93333\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name GROOVE.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for GROOVE.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and 
location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93333\"\n tag rid: \"SV-103421r1_rule\"\n tag stig_id: \"WN19-EP-000120\"\n tag fix_id: \"F-99579r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n groove = json({ command: \"Get-ProcessMitigation -Name GROOVE.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif groove.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for GROOVE.EXE\" do\n subject { groove }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n its(['ChildProcess','DisallowChildProcessCreation']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93231.rb", + "ref": "./Windows 2019 STIG/controls/V-93333.rb", "line": 3 }, - "id": "V-93231" + "id": "V-93333" }, { - "title": "Windows Server 2019 must only allow administrators responsible for the\ndomain controller to have Administrator rights on the system.", - "desc": "An account that does not have Administrator duties must 
not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.", + "title": "Windows Server 2019 must be running Credential Guard on domain-joined member servers.", + "desc": "Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.", "descriptions": { - "default": "An account that does not have Administrator duties must not have\nAdministrator rights. Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.", + "default": "Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.", "rationale": "", - "check": "This applies to domain controllers. A separate version applies to other\nsystems.\n\n Review the Administrators group. 
Only the appropriate administrator groups\nor accounts responsible for administration of the system may be members of the\ngroup.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this\nis a finding.\n\n If the built-in Administrator account or other required administrative\naccounts are found on the system, this is not a finding.", - "fix": "Configure the Administrators group to include only administrator groups or\naccounts that are responsible for the system.\n\n Remove any standard user accounts." + "check": "For domain controllers and standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.\n\n Open \"PowerShell\" with elevated privileges (run as administrator).\n Enter the following:\n \"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard\"\n If \"SecurityServicesRunning\" does not include a value of \"1\" (e.g., \"{1, 2}\"), this is a finding.\n\n Alternately:\n Run \"System Information\".\n Under \"System Summary\", verify the following:\n If \"Device Guard Security Services Running\" does not list \"Credential Guard\", this is a finding.\n The policy settings referenced in the Fix section will configure the following registry value. 
However, due to hardware requirements, the registry value alone does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock)\n\n A Microsoft article on Credential Guard system requirement can be found at the following link:\n https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> \"Turn On Virtualization Based Security\" to \"Enabled\" with \"Enabled with UEFI lock\" selected for \"Credential Guard Configuration\".\n A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements" }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93027", - "rid": "SV-103115r1_rule", - "stig_id": "WN19-DC-000010", - "fix_id": "F-99273r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93277", + "rid": "SV-103365r1_rule", + "stig_id": "WN19-MS-000140", + "fix_id": "F-99523r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93027\" do\n title \"Windows Server 2019 must only allow administrators responsible for the\ndomain controller to have Administrator rights on the system.\"\n desc \"An account that does not have Administrator duties must not have\nAdministrator rights. 
Such rights would allow the account to bypass or modify\nrequired security restrictions on that machine and make it vulnerable to attack.\n\n System administrators must log on to systems using only accounts with the\nminimum level of authority necessary.\n\n Standard user accounts must not be members of the built-in Administrators\ngroup.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. A separate version applies to other\nsystems.\n\n Review the Administrators group. Only the appropriate administrator groups\nor accounts responsible for administration of the system may be members of the\ngroup.\n\n Standard user accounts must not be members of the local administrator group.\n\n If prohibited accounts are members of the local administrators group, this\nis a finding.\n\n If the built-in Administrator account or other required administrative\naccounts are found on the system, this is not a finding.\"\n desc 'fix', \"\n Configure the Administrators group to include only administrator groups or\naccounts that are responsible for the system.\n\n Remove any standard user accounts.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93027'\n tag 'rid': 'SV-103115r1_rule'\n tag 'stig_id': 'WN19-DC-000010'\n tag 'fix_id': 'F-99273r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n administrators = input('local_administrators_dc')\n administrator_group = command(\"net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'This control is not applicable'\n end\n else\n administrator_group.each do |user|\n describe user.to_s do\n it { 
should be_in administrators }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", + "code": "control \"V-93277\" do\n title \"Windows Server 2019 must be running Credential Guard on domain-joined member servers.\"\n desc \"Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.\"\n desc \"rationale\", \"\"\n desc \"check\", \"For domain controllers and standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.\n\n Open \\\"PowerShell\\\" with elevated privileges (run as administrator).\n Enter the following:\n \\\"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\"\n If \\\"SecurityServicesRunning\\\" does not include a value of \\\"1\\\" (e.g., \\\"{1, 2}\\\"), this is a finding.\n\n Alternately:\n Run \\\"System Information\\\".\n Under \\\"System Summary\\\", verify the following:\n If \\\"Device Guard Security Services Running\\\" does not list \\\"Credential Guard\\\", this is a finding.\n The policy settings referenced in the Fix section will configure the following registry value. 
However, due to hardware requirements, the registry value alone does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock)\n\n A Microsoft article on Credential Guard system requirement can be found at the following link:\n https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> \\\"Turn On Virtualization Based Security\\\" to \\\"Enabled\\\" with \\\"Enabled with UEFI lock\\\" selected for \\\"Credential Guard Configuration\\\".\n A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93277\"\n tag rid: \"SV-103365r1_rule\"\n tag stig_id: \"WN19-MS-000140\"\n tag fix_id: \"F-99523r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n security_services = command('Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\\\Microsoft\\\\Windows\\\\DeviceGuard | Select -ExpandProperty \"SecurityServicesRunning\"').stdout.strip.split(\"\\r\\n\")\n\n if domain_role == '0' || domain_role == '2'\n impact 0.0\n describe 'This is NA for standalone systems' do\n skip 'This is NA for standalone systems'\n end\n elsif domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This is NA for domain controllers' do\n skip 'This is NA for domain controllers'\n end\n else\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'LsaCfgFlags' }\n its('LsaCfgFlags') { should cmp 1 }\n end\n describe \"Security Services Running should include 1\" do\n subject { security_services }\n it { should include \"1\" }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93027.rb", + "ref": "./Windows 2019 STIG/controls/V-93277.rb", "line": 3 }, - "id": "V-93027" + "id": "V-93277" }, { - "title": "Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.", - "desc": "In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. 
For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed.", + "title": "Windows Server 2019 organization created Active Directory\nOrganizational Unit (OU) objects must have proper access control permissions.", + "desc": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service (DoS) to authorized users.", "descriptions": { - "default": "In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. 
For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed.", + "default": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service (DoS) to authorized users.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n If the value for \"Maximum lifetime for user ticket\" is \"0\" or greater than \"10\" hours, this is a finding.", - "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Maximum lifetime for user ticket\" to a maximum of \"10\" hours but not \"0\", which equates to \"Ticket doesn't expire\"." 
+ "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on domain-defined OUs.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n For each OU that is defined (folder in folder icon) excluding the Domain\nControllers OU:\n\n Right-click the OU and select \"Properties\".\n\n Select the \"Security\" tab.\n\n If the Allow type permissions on the OU are not at least as restrictive as\nthose below, this is a finding.\n\n The permissions shown are at the summary level. More detailed permissions\ncan be viewed by selecting the \"Advanced\" button, the desired Permission\nentry, and the \"Edit\" or \"View\" button.\n\n Except where noted otherwise, the special permissions may include a wide\nrange of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n\n Self - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The Special permissions for Authenticated Users are Read type. If detailed\npermissions include any Create, Delete, Modify, or Write Permissions or\nProperties, this is a finding.\n\n SYSTEM - Full Control\n\n Domain Admins - Full Control\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant\nset of policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The Special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes. 
If detailed permissions include any Create, Delete, Modify, or Write\nPermissions or Properties, this is a finding.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n If an ISSO-approved distributed administration model (help desk or other\nuser support staff) is implemented, permissions above Read may be allowed for\ngroups documented by the ISSO.\n\n If any OU with improper permissions includes identification or\nauthentication data (e.g., accounts, passwords, or password hash data) used by\nsystems to determine access control, the severity is CAT I (e.g., OUs that\ninclude user accounts, including service/application accounts).\n\n If an OU with improper permissions does not include identification and\nauthentication data used by systems to determine access control, the severity\nis CAT II (e.g., Workstation, Printer OUs).", + "fix": "Maintain the Allow type permissions on domain-defined OUs to be at least as\nrestrictive as the defaults below.\n\n Document any additional permissions above Read with the ISSO if an approved\ndistributed administration model (help desk or other user support staff) is\nimplemented.\n\n CREATOR OWNER - Special permissions\n\n Self - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read type.\n\n SYSTEM - Full Control\n\n Domain Admins - Full Control\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant\nset of policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions" }, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000112-GPOS-00057", - 
"satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" - ], - "gid": "V-93447", - "rid": "SV-103533r1_rule", - "stig_id": "WN19-DC-000040", - "fix_id": "F-99691r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93037", + "rid": "SV-103125r1_rule", + "stig_id": "WN19-DC-000110", + "fix_id": "F-99283r1_fix", "cci": [ - "CCI-001941", - "CCI-001942" + "CCI-002235" ], "nist": [ - "IA-2 (8)", - "IA-2 (9)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93447\" do\n title \"Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.\"\n desc \"In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n If the value for \\\"Maximum lifetime for user ticket\\\" is \\\"0\\\" or greater than \\\"10\\\" hours, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Maximum lifetime for user ticket\\\" to a maximum of \\\"10\\\" hours but not \\\"0\\\", which equates to \\\"Ticket doesn't expire\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93447\"\n tag rid: \"SV-103533r1_rule\"\n tag stig_id: \"WN19-DC-000040\"\n tag fix_id: \"F-99691r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxTicketAge') { should be_between(1, 10) }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93037\" do\n title \"Windows Server 2019 organization created Active Directory\nOrganizational Unit (OU) objects must have proper access control permissions.\"\n desc \"When directory service database objects do not have appropriate access\ncontrol 
permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service (DoS) to authorized users.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on domain-defined OUs.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n For each OU that is defined (folder in folder icon) excluding the Domain\nControllers OU:\n\n Right-click the OU and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n If the Allow type permissions on the OU are not at least as restrictive as\nthose below, this is a finding.\n\n The permissions shown are at the summary level. 
More detailed permissions\ncan be viewed by selecting the \\\"Advanced\\\" button, the desired Permission\nentry, and the \\\"Edit\\\" or \\\"View\\\" button.\n\n Except where noted otherwise, the special permissions may include a wide\nrange of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n\n Self - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The Special permissions for Authenticated Users are Read type. If detailed\npermissions include any Create, Delete, Modify, or Write Permissions or\nProperties, this is a finding.\n\n SYSTEM - Full Control\n\n Domain Admins - Full Control\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant\nset of policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The Special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes. 
If detailed permissions include any Create, Delete, Modify, or Write\nPermissions or Properties, this is a finding.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n If an ISSO-approved distributed administration model (help desk or other\nuser support staff) is implemented, permissions above Read may be allowed for\ngroups documented by the ISSO.\n\n If any OU with improper permissions includes identification or\nauthentication data (e.g., accounts, passwords, or password hash data) used by\nsystems to determine access control, the severity is CAT I (e.g., OUs that\ninclude user accounts, including service/application accounts).\n\n If an OU with improper permissions does not include identification and\nauthentication data used by systems to determine access control, the severity\nis CAT II (e.g., Workstation, Printer OUs).\"\n desc 'fix', \"Maintain the Allow type permissions on domain-defined OUs to be at least as\nrestrictive as the defaults below.\n\n Document any additional permissions above Read with the ISSO if an approved\ndistributed administration model (help desk or other user support staff) is\nimplemented.\n\n CREATOR OWNER - Special permissions\n\n Self - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read type.\n\n SYSTEM - Full Control\n\n Domain Admins - Full Control\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant\nset of policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 
'V-93037'\n tag 'rid': 'SV-103125r1_rule'\n tag 'stig_id': 'WN19-DC-000110'\n tag 'fix_id': 'F-99283r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-Json').params\n ou_list = json(command: \"Get-ADOrganizationalUnit -filter * -SearchBase '#{distinguishedName}' | Select-Object -ExpandProperty distinguishedname | ConvertTo-Json\").params\n if ou_list.is_a?(String)\n ou_list = []\n ou_list << json(command: \"Get-ADOrganizationalUnit -filter * -SearchBase '#{distinguishedName}' | Select-Object -ExpandProperty distinguishedname | ConvertTo-Json\").params\n end\n exclude_dc = json(command: \"Get-ADOrganizationalUnit -filter * -SearchBase '#{distinguishedName}' | Where-Object {$_.distinguishedname -like 'OU=Domain Controllers,#{distinguishedName}'} | Select-Object -ExpandProperty distinguishedname | ConvertTo-Json\").params\n ou_list.delete(exclude_dc)\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n if ou_list.empty?\n impact 0.0\n describe 'This control is not applicable as no domain-defined OUs were found (excluding the Domain Controllers OU)' do\n skip 'This control is not applicable as no domain-defined OUs were found (excluding the Domain Controllers OU)'\n end\n else\n ou_list.each do |ou|\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'#{ou}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\ENTERPRISE DOMAIN CONTROLLERS\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericRead\"}\n end\n end\n end\n 
describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericRead\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should cmp \"CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should cmp \"ListChildren\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n 
describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"ReadProperty, WriteProperty, ExtendedRight\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"ReadProperty, WriteProperty\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"Self\"}\n end\n end\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93447.rb", + "ref": "./Windows 2019 STIG/controls/V-93037.rb", "line": 3 }, - "id": "V-93447" + "id": "V-93037" }, { - "title": "Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.", - "desc": "The server message block (SMB) protocol provides the basis for many network 
operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.", + "title": "Windows Server 2019 must not have the TFTP Client installed.", + "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.", + "default": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft network server: Digitally sign communications (always)\" to \"Enabled\"." 
+ "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq TFTP-Client\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", + "fix": "Uninstall the \"TFTP Client\" feature.\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"TFTP Client\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-93559", - "rid": "SV-103645r1_rule", - "stig_id": "WN19-SO-000190", - "fix_id": "F-99803r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93389", + "rid": "SV-103475r1_rule", + "stig_id": "WN19-00-000370", + "fix_id": "F-99633r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000381" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93559\" do\n title \"Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft network server: Digitally sign communications (always)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93559\"\n tag rid: \"SV-103645r1_rule\"\n tag stig_id: \"WN19-SO-000190\"\n tag fix_id: \"F-99803r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp == 1 }\n end\nend", + "code": "control \"V-93389\" do\n title \"Windows Server 2019 must not have the TFTP Client installed.\"\n desc \"Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq TFTP-Client\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"TFTP Client\\\" feature.\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"TFTP Client\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93389\"\n tag rid: \"SV-103475r1_rule\"\n tag stig_id: \"WN19-00-000370\"\n tag fix_id: \"F-99633r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('TFTP-Client') do\n it { should_not be_installed }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93559.rb", + "ref": "./Windows 2019 STIG/controls/V-93389.rb", "line": 3 }, - "id": "V-93559" + "id": "V-93389" }, { - "title": "Windows Server 2019 Windows Update must not obtain updates from other\nPCs on the Internet.", - "desc": "Windows Update can obtain updates from additional sources instead of\nMicrosoft. In addition to Microsoft, updates can be obtained from and sent to\nPCs on the local network as well as on the Internet. 
This is part of the\nWindows Update trusted process, however to minimize outside exposure, obtaining\nupdates from or sending to systems on the Internet must be prevented.", + "title": "Windows Server 2019 must not have the Telnet Client installed.", + "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "descriptions": { - "default": "Windows Update can obtain updates from additional sources instead of\nMicrosoft. In addition to Microsoft, updates can be obtained from and sent to\nPCs on the local network as well as on the Internet. This is part of the\nWindows Update trusted process, however to minimize outside exposure, obtaining\nupdates from or sending to systems on the Internet must be prevented.", + "default": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - No peering (HTTP Only)\n 0x00000001 (1) - Peers on same NAT only (LAN)\n 0x00000002 (2) - Local Network / Private group peering (Group)\n 0x00000063 (99) - Simple download mode, no peering (Simple)\n 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass)\n\n A value of 0x00000003 (3), Internet, is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> Windows Components >> Delivery Optimization >> \"Download Mode\"\nto \"Enabled\" with any option except \"Internet\" selected.\n\n Acceptable selections 
include:\n\n Bypass (100)\n Group (2)\n HTTP only (0)\n LAN (1)\n Simple (99)" + "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq Telnet-Client\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", + "fix": "Uninstall the \"Telnet Client\" feature.\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Telnet Client\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93259", - "rid": "SV-103347r1_rule", - "stig_id": "WN19-CC-000260", - "fix_id": "F-99505r1_fix", + "gtitle": "SRG-OS-000096-GPOS-00050", + "gid": "V-93423", + "rid": "SV-103509r1_rule", + "stig_id": "WN19-00-000360", + "fix_id": "F-99667r1_fix", "cci": [ - "CCI-000366" + "CCI-000382" ], "nist": [ - "CM-6 b", + "CM-7 b", "Rev_4" ] }, - "code": "control \"V-93259\" do\n title \"Windows Server 2019 Windows Update must not obtain updates from other\nPCs on the Internet.\"\n desc \"Windows Update can obtain updates from additional sources instead of\nMicrosoft. In addition to Microsoft, updates can be obtained from and sent to\nPCs on the local network as well as on the Internet. 
This is part of the\nWindows Update trusted process, however to minimize outside exposure, obtaining\nupdates from or sending to systems on the Internet must be prevented.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeliveryOptimization\\\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - No peering (HTTP Only)\n 0x00000001 (1) - Peers on same NAT only (LAN)\n 0x00000002 (2) - Local Network / Private group peering (Group)\n 0x00000063 (99) - Simple download mode, no peering (Simple)\n 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass)\n\n A value of 0x00000003 (3), Internet, is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> Windows Components >> Delivery Optimization >> \\\"Download Mode\\\"\nto \\\"Enabled\\\" with any option except \\\"Internet\\\" selected.\n\n Acceptable selections include:\n\n Bypass (100)\n Group (2)\n HTTP only (0)\n LAN (1)\n Simple (99)\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93259'\n tag 'rid': 'SV-103347r1_rule'\n tag 'stig_id': 'WN19-CC-000260'\n tag 'fix_id': 'F-99505r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 1 }\n end\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 2 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 99 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 100 }\n end\n end\nend\n", + "code": "control \"V-93423\" do\n title \"Windows Server 2019 must not have the Telnet Client installed.\"\n desc \"Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq Telnet-Client\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Telnet Client\\\" feature.\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Telnet Client\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000096-GPOS-00050\"\n tag gid: \"V-93423\"\n tag rid: \"SV-103509r1_rule\"\n tag stig_id: \"WN19-00-000360\"\n tag fix_id: \"F-99667r1_fix\"\n tag cci: [\"CCI-000382\"]\n tag nist: [\"CM-7 b\", \"Rev_4\"]\n\n describe 
windows_feature('Telnet-Client') do\n it { should_not be_installed }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93259.rb", + "ref": "./Windows 2019 STIG/controls/V-93423.rb", "line": 3 }, - "id": "V-93259" + "id": "V-93423" }, { - "title": "Windows Server 2019 Enable computer and user accounts to be trusted\nfor delegation user right must only be assigned to the Administrators group on\ndomain controllers.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\nright allows the \"Trusted for Delegation\" setting to be changed. This could\nallow unauthorized users to impersonate other users.", + "title": "Windows Server 2019 Remote Desktop Services must require secure Remote\nProcedure Call (RPC) communications.", + "desc": "Allowing unsecure RPC communication exposes the system to\nman-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\nattack occurs when an intruder captures packets between a client and server and\nmodifies them before allowing the packets to be exchanged. Usually the attacker\nwill modify the information in the packets in an attempt to cause either the\nclient or server to reveal sensitive information.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\nright allows the \"Trusted for Delegation\" setting to be changed. This could\nallow unauthorized users to impersonate other users.", + "default": "Allowing unsecure RPC communication exposes the system to\nman-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\nattack occurs when an intruder captures packets between a client and server and\nmodifies them before allowing the packets to be exchanged. 
Usually the attacker\nwill modify the information in the packets in an attempt to cause either the\nclient or server to reveal sensitive information.", "rationale": "", - "check": "This applies to domain controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Enable\ncomputer and user accounts to be trusted for delegation\" user right, this is a\nfinding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeEnableDelegationPrivilege\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Enable\ncomputer and user accounts to be trusted for delegation\" to include only the\nfollowing accounts or groups:\n\n - Administrators" + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal\nServices\\\n\n Value Name: fEncryptRPCTraffic\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Remote Desktop Services >>\nRemote Desktop Session Host >> Security >> \"Require secure RPC communication\"\nto \"Enabled\"." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93041", - "rid": "SV-103129r1_rule", - "stig_id": "WN19-DC-000420", - "fix_id": "F-99287r1_fix", + "gtitle": "SRG-OS-000033-GPOS-00014", + "satisfies": [ + "SRG-OS-000033-GPOS-00014", + "SRG-OS-000250-GPOS-00093" + ], + "gid": "V-92971", + "rid": "SV-103059r1_rule", + "stig_id": "WN19-CC-000370", + "fix_id": "F-99217r1_fix", "cci": [ - "CCI-002235" + "CCI-000068", + "CCI-001453" ], "nist": [ - "AC-6 (10)", + "AC-17 (2)", + "AC-17 (2)", "Rev_4" ] }, - "code": "control \"V-93041\" do\n title \"Windows Server 2019 Enable computer and user accounts to be trusted\nfor delegation user right must only be assigned to the Administrators group on\ndomain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Enable computer and user accounts to be trusted for delegation\\\" user\nright allows the \\\"Trusted for Delegation\\\" setting to be changed. This could\nallow unauthorized users to impersonate other users.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Enable\ncomputer and user accounts to be trusted for delegation\\\" user right, this is a\nfinding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeEnableDelegationPrivilege\\\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Enable\ncomputer and user accounts to be trusted for delegation\\\" to include only the\nfollowing accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93041'\n tag 'rid': 'SV-103129r1_rule'\n tag 'stig_id': 'WN19-DC-000420'\n tag 'fix_id': 'F-99287r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == 
'5'\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq ['S-1-5-32-544'] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-92971\" do\n title \"Windows Server 2019 Remote Desktop Services must require secure Remote\nProcedure Call (RPC) communications.\"\n desc \"Allowing unsecure RPC communication exposes the system to\nman-in-the-middle attacks and data disclosure attacks. A man-in-the-middle\nattack occurs when an intruder captures packets between a client and server and\nmodifies them before allowing the packets to be exchanged. Usually the attacker\nwill modify the information in the packets in an attempt to cause either the\nclient or server to reveal sensitive information.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal\nServices\\\\\n\n Value Name: fEncryptRPCTraffic\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Remote Desktop Services >>\nRemote Desktop Session Host >> Security >> \\\"Require secure RPC communication\\\"\nto \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000033-GPOS-00014'\n tag 'satisfies': [\"SRG-OS-000033-GPOS-00014\", \"SRG-OS-000250-GPOS-00093\"]\n tag 'gid': 'V-92971'\n tag 'rid': 'SV-103059r1_rule'\n tag 'stig_id': 'WN19-CC-000370'\n tag 'fix_id': 'F-99217r1_fix'\n tag 'cci': [\"CCI-000068\", \"CCI-001453\"]\n tag 'nist': [\"AC-17 (2)\", \"AC-17 (2)\", 
\"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property \"fEncryptRPCTraffic\"}\n its(\"fEncryptRPCTraffic\") { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93041.rb", + "ref": "./Windows 2019 STIG/controls/V-92971.rb", "line": 3 }, - "id": "V-93041" + "id": "V-92971" }, { - "title": "Windows Server 2019 administrative accounts must not be used with\napplications that access the Internet, such as web browsers, or with potential\nInternet sources, such as email.", - "desc": "Using applications that access the Internet or have potential Internet\nsources using administrative privileges exposes a system to compromise. If a\nflaw in an application is exploited while running as a privileged user, the\nentire system could be compromised. Web browsers and email are common attack\nvectors for introducing malicious code and must not be run with an\nadministrative account.\n\n Since administrative accounts may generally change or work around technical\nrestrictions for running a web browser or other applications, it is essential\nthat policy require administrative accounts to not access the Internet or use\napplications such as email.\n\n The policy should define specific exceptions for local service\nadministration. 
These exceptions may include HTTP(S)-based tools that are used\nfor the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.", + "title": "Windows Server 2019 Deny access to this computer from the network user\nright on domain-joined member servers must be configured to prevent access from\nhighly privileged domain accounts and local accounts and from unauthenticated\naccess on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "descriptions": { - "default": "Using applications that access the Internet or have potential Internet\nsources using administrative privileges exposes a system to compromise. If a\nflaw in an application is exploited while running as a privileged user, the\nentire system could be compromised. 
Web browsers and email are common attack\nvectors for introducing malicious code and must not be run with an\nadministrative account.\n\n Since administrative accounts may generally change or work around technical\nrestrictions for running a web browser or other applications, it is essential\nthat policy require administrative accounts to not access the Internet or use\napplications such as email.\n\n The policy should define specific exceptions for local service\nadministration. These exceptions may include HTTP(S)-based tools that are used\nfor the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "rationale": "", - "check": "Determine whether organization policy, at a minimum, prohibits\nadministrative accounts from using applications that access the Internet, such\nas web browsers, or with potential Internet sources, such as email, except as\nnecessary for local service administration.\n\n If it does not, this is a finding.\n\n The organization may use technical means such as whitelisting to prevent\nthe use of browsers and mail applications to enforce this requirement.", - "fix": "Establish a policy, at 
minimum, to prohibit administrative accounts from\nusing applications that access the Internet, such as web browsers, or with\npotential Internet sources, such as email. Ensure the policy is enforced.\n\n The organization may use technical means such as whitelisting to prevent\nthe use of browsers and mail applications to enforce this requirement." + "check": "This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny access\nto this computer from the network\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - \"Local account and member of Administrators group\" or \"Local account\"\n(see Note below)\n\n All Systems:\n - Guests group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \"SeDenyNetworkLogonRight\"\nuser right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n S-1-5-114 (\"Local account and member of Administrators group\") or\nS-1-5-113 (\"Local account\")\n\n All Systems:\n S-1-5-32-546 (Guests)\n\n Note: These are built-in security groups. 
\"Local account\" is more\nrestrictive but may cause issues on servers such as systems that provide\nfailover clustering.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny\naccess to this computer from the network\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - \"Local account and member of Administrators group\" or \"Local account\"\n(see Note below)\n\n All Systems:\n - Guests group\n\n Note: These are built-in security groups. \"Local account\" is more\nrestrictive but may cause issues on servers such as systems that provide\nfailover clustering." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93205", - "rid": "SV-103293r1_rule", - "stig_id": "WN19-00-000030", - "fix_id": "F-99451r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-93009", + "rid": "SV-103097r1_rule", + "stig_id": "WN19-MS-000080", + "fix_id": "F-99255r1_fix", "cci": [ - "CCI-000366" + "CCI-000213" ], "nist": [ - "CM-6 b", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93205\" do\n title \"Windows Server 2019 administrative accounts must not be used with\napplications that access the Internet, such as web browsers, or with potential\nInternet sources, such as email.\"\n desc \"Using applications that access the Internet or have potential Internet\nsources using administrative privileges exposes a system to compromise. If a\nflaw in an application is exploited while running as a privileged user, the\nentire system could be compromised. 
Web browsers and email are common attack\nvectors for introducing malicious code and must not be run with an\nadministrative account.\n\n Since administrative accounts may generally change or work around technical\nrestrictions for running a web browser or other applications, it is essential\nthat policy require administrative accounts to not access the Internet or use\napplications such as email.\n\n The policy should define specific exceptions for local service\nadministration. These exceptions may include HTTP(S)-based tools that are used\nfor the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine whether organization policy, at a minimum, prohibits\nadministrative accounts from using applications that access the Internet, such\nas web browsers, or with potential Internet sources, such as email, except as\nnecessary for local service administration.\n\n If it does not, this is a finding.\n\n The organization may use technical means such as whitelisting to prevent\nthe use of browsers and mail applications to enforce this requirement.\"\n desc 'fix', \"Establish a policy, at minimum, to prohibit administrative accounts from\nusing applications that access the Internet, such as web browsers, or with\npotential Internet sources, such as email. 
Ensure the policy is enforced.\n\n The organization may use technical means such as whitelisting to prevent\nthe use of browsers and mail applications to enforce this requirement.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93205'\n tag 'rid': 'SV-103293r1_rule'\n tag 'stig_id': 'WN19-00-000030'\n tag 'fix_id': 'F-99451r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe \"A manual review is required to verify that administrative accounts are not being used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email\" do\n skip \"A manual review is required to verify that administrative accounts are not being used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email\"\n end\nend\n", + "code": "control \"V-93009\" do\n title \"Windows Server 2019 Deny access to this computer from the network user\nright on domain-joined member servers must be configured to prevent access from\nhighly privileged domain accounts and local accounts and from unauthenticated\naccess on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny access to this computer from the network\\\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", 
\"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny access\nto this computer from the network\\\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - \\\"Local account and member of Administrators group\\\" or \\\"Local account\\\"\n(see Note below)\n\n All Systems:\n - Guests group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \\\"SeDenyNetworkLogonRight\\\"\nuser right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n S-1-5-114 (\\\"Local account and member of Administrators group\\\") or\nS-1-5-113 (\\\"Local account\\\")\n\n All Systems:\n S-1-5-32-546 (Guests)\n\n Note: These are built-in security groups. \\\"Local account\\\" is more\nrestrictive but may cause issues on servers such as systems that provide\nfailover clustering.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny\naccess to this computer from the network\\\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - \\\"Local account and member of Administrators group\\\" or \\\"Local account\\\"\n(see Note below)\n\n All Systems:\n - Guests group\n\n Note: These are built-in security groups. 
\\\"Local account\\\" is more\nrestrictive but may cause issues on servers such as systems that provide\nfailover clustering.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93009'\n tag 'rid': 'SV-103097r1_rule'\n tag 'stig_id': 'WN19-MS-000080'\n tag 'fix_id': 'F-99255r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe.one do\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"S-1-5-113\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"S-1-5-114\" }\n end\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include 'S-1-5-32-546' }\n end\n when '2'\n describe security_policy do\n its('SeDenyNetworkLogonRight') { 
should eq ['S-1-5-32-546'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93205.rb", + "ref": "./Windows 2019 STIG/controls/V-93009.rb", "line": 3 }, - "id": "V-93205" + "id": "V-93009" }, { - "title": "Windows Server 2019 must be configured to audit Object Access - Other\nObject Access Events successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.", + "title": "Windows Server 2019 permissions for the Windows installation directory\nmust conform to minimum requirements.", + "desc": "Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.", + "default": "Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Other Object Access Events - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \"Audit Other Object Access Events\"\nwith \"Success\" selected." + "check": "The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).\n\n Review the permissions for the Windows installation directory (usually\nC:\\Windows). 
Non-privileged groups such as Users or Authenticated Users must\nnot have greater than \"Read & execute\" permissions. Individual accounts must\nnot be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding:\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the \"Security\" tab and the \"Advanced\" button.\n\n Default permissions:\n \\Windows\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter \"icacls\" followed by the directory:\n\n \"icacls c:\\windows\"\n\n The following results should be displayed for each when entered:\n\n c:\\windows\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\nPACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 
files", + "fix": "Maintain the default file ACLs and configure the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" to \"Disabled\"\n(WN19-SO-000240).\n\n Default permissions:\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000470-GPOS-00214", - "gid": "V-93163", - "rid": "SV-103251r1_rule", - "stig_id": "WN19-AU-000220", - "fix_id": "F-99409r1_fix", + "gtitle": "SRG-OS-000312-GPOS-00122", + "satisfies": [ + "SRG-OS-000312-GPOS-00122", + "SRG-OS-000312-GPOS-00123", + "SRG-OS-000312-GPOS-00124" + ], + "gid": "V-93023", + "rid": "SV-103111r1_rule", + "stig_id": "WN19-00-000160", + "fix_id": "F-99269r1_fix", "cci": [ - "CCI-000172" + "CCI-002165" ], "nist": [ - "AU-12 c", + "AC-3 (4)", "Rev_4" ] }, - "code": "control \"V-93163\" do\n title \"Windows Server 2019 must be configured to audit Object Access - Other\nObject Access Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Other Object Access Events - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\"\nwith \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93163'\n tag 'rid': 'SV-103251r1_rule'\n tag 'stig_id': 'WN19-AU-000220'\n tag 'fix_id': 'F-99409r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93023\" do\n title \"Windows Server 2019 permissions for the Windows installation directory\nmust conform to 
minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" is set to\n\\\"Disabled\\\" (WN19-SO-000240).\"\n desc \"rationale\", \"\"\n desc 'check', \"The default permissions are adequate when the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" is set to\n\\\"Disabled\\\" (WN19-SO-000240).\n\n Review the permissions for the Windows installation directory (usually\nC:\\\\Windows). Non-privileged groups such as Users or Authenticated Users must\nnot have greater than \\\"Read & execute\\\" permissions. Individual accounts must\nnot be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding:\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the \\\"Security\\\" tab and the \\\"Advanced\\\" button.\n\n Default permissions:\n \\\\Windows\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter \\\"icacls\\\" followed by the directory:\n\n \\\"icacls c:\\\\windows\\\"\n\n 
The following results should be displayed for each when entered:\n\n c:\\\\windows\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\nPACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\"\n desc 'fix', \"Maintain the default file ACLs and configure the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" to \\\"Disabled\\\"\n(WN19-SO-000240).\n\n Default permissions:\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': \"SRG-OS-000312-GPOS-00122\"\n tag 'satisfies': [\"SRG-OS-000312-GPOS-00122\", \"SRG-OS-000312-GPOS-00123\",\n\"SRG-OS-000312-GPOS-00124\"]\n tag 'gid': 'V-93023'\n tag 'rid': 'SV-103111r1_rule'\n tag 'stig_id': 'WN19-00-000160'\n tag 'fix_id': 'F-99269r1_fix'\n tag 'cci': 
[\"CCI-002165\"]\n tag 'nist': [\"AC-3 (4)\", \"Rev_4\"]\n\n c_windows_perm = json( command: \"icacls 'C:\\\\Windows' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"C:\\\\Windows \", '') }\n describe \"C:\\\\Windows permissions are set correctly on folder structure\" do\n subject { c_windows_perm.eql? input('c_windows_perm') }\n it { should eq true }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93163.rb", + "ref": "./Windows 2019 STIG/controls/V-93023.rb", "line": 3 }, - "id": "V-93163" + "id": "V-93023" }, { - "title": "Windows Server 2019 Modify firmware environment values user right must\nonly be assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Modify firmware environment values\" user right can\nchange hardware configuration environment variables. This could result in\nhardware failures or a denial of service.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Modify firmware environment values\" user right can\nchange hardware configuration environment variables. This could result in\nhardware failures or a denial of service.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Modify\nfirmware environment values\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeSystemEnvironmentPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Modify\nfirmware environment values\" to include only the following accounts or groups:\n\n - Administrators" + "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name firefox.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for firefox.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Application mitigations defined in the STIG are 
configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93079", - "rid": "SV-103167r1_rule", - "stig_id": "WN19-UR-000180", - "fix_id": "F-99325r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93329", + "rid": "SV-103417r1_rule", + "stig_id": "WN19-EP-000100", + "fix_id": "F-99575r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93079\" do\n title \"Windows Server 2019 Modify firmware environment values user right must\nonly be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Modify firmware environment values\\\" user right can\nchange hardware configuration environment variables. 
This could result in\nhardware failures or a denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Modify\nfirmware environment values\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeSystemEnvironmentPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Modify\nfirmware environment values\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93079'\n tag 'rid': 'SV-103167r1_rule'\n tag 'stig_id': 'WN19-UR-000180'\n tag 'fix_id': 'F-99325r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeSystemEnvironmentPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control 
\"V-93329\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name firefox.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for firefox.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93329\"\n tag rid: \"SV-103417r1_rule\"\n tag stig_id: \"WN19-EP-000100\"\n tag fix_id: \"F-99575r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n firefox = json({ command: \"Get-ProcessMitigation -Name firefox.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif firefox.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for firefox.exe\" do\n subject { firefox }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','BottomUp']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93079.rb", + "ref": "./Windows 2019 STIG/controls/V-93329.rb", "line": 3 }, - "id": "V-93079" + "id": "V-93329" }, { - "title": "Windows Server 2019 must preserve zone information when saving attachments.", - "desc": "Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.", + "title": "Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.", + "desc": "Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. 
If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.", "descriptions": { - "default": "Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.", + "default": "Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.", "rationale": "", - "check": "The default behavior is for Windows to mark file attachments with their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n If it exists and is configured with a value of \"2\", this is not a finding.\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)", - "fix": "The default behavior is for Windows to mark file attachments with their zone information.\n\n If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> \"Do not preserve zone information in file attachments\" to \"Not Configured\" or \"Disabled\"." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RefusePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain controller: Refuse machine account password changes\" to \"Disabled\"." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93311", - "rid": "SV-103399r1_rule", - "stig_id": "WN19-UC-000010", - "fix_id": "F-99557r1_fix", + "gid": "V-93273", + "rid": "SV-103361r1_rule", + "stig_id": "WN19-DC-000330", + "fix_id": "F-99519r1_fix", "cci": [ "CCI-000366" ], 
@@ -6395,31 +6457,31 @@ "Rev_4" ] }, - "code": "control \"V-93311\" do\n title \"Windows Server 2019 must preserve zone information when saving attachments.\"\n desc \"Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.\"\n desc \"rationale\", \"\"\n desc \"check\", \"The default behavior is for Windows to mark file attachments with their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n If it exists and is configured with a value of \\\"2\\\", this is not a finding.\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for Windows to mark file attachments with their zone information.\n\n If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> \\\"Do not preserve zone information in file attachments\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93311\"\n tag rid: \"SV-103399r1_rule\"\n tag stig_id: \"WN19-UC-000010\"\n tag fix_id: \"F-99557r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments') do\n it { should_not have_property 'SaveZoneInformation' }\n end\n describe registry_key('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments') do\n it { should have_property 
'SaveZoneInformation' }\n its('SaveZoneInformation') { should_not cmp 1 }\n its('SaveZoneInformation') { should cmp 2 }\n end\n end\nend", + "code": "control \"V-93273\" do\n title \"Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.\"\n desc \"Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RefusePasswordChange\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain controller: Refuse machine account password changes\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93273\"\n tag rid: \"SV-103361r1_rule\"\n tag stig_id: \"WN19-DC-000330\"\n tag fix_id: \"F-99519r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n \n if domain_role == '4' || domain_role == '5'\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RefusePasswordChange' }\n its('RefusePasswordChange') { should cmp 0 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain 
controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93311.rb", + "ref": "./Windows 2019 STIG/controls/V-93273.rb", "line": 3 }, - "id": "V-93311" + "id": "V-93273" }, { - "title": "Windows Server 2019 manually managed application account passwords must be changed at least every 365 days or when a system administrator with knowledge of the password leaves the organization.", - "desc": "Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords.", + "title": "Windows Server 2019 group policy objects must be reprocessed even if\nthey have not changed.", + "desc": "Registry entries for group policy settings can potentially be changed\nfrom the required configuration. This could occur as part of troubleshooting or\nby a malicious process on a compromised system. Enabling this setting and then\nselecting the \"Process even if the Group Policy objects have not changed\"\noption ensures the policies will be reprocessed even if none have been changed.\nThis way, any unauthorized changes are forced to match the domain-based group\npolicy settings again.", "descriptions": { - "default": "Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords.", + "default": "Registry entries for group policy settings can potentially be changed\nfrom the required configuration. This could occur as part of troubleshooting or\nby a malicious process on a compromised system. 
Enabling this setting and then\nselecting the \"Process even if the Group Policy objects have not changed\"\noption ensures the policies will be reprocessed even if none have been changed.\nThis way, any unauthorized changes are forced to match the domain-based group\npolicy settings again.", "rationale": "", - "check": "Determine if manually managed application/service accounts exist. If none exist, this is NA.\n If passwords for manually managed application/service accounts are not changed at least every 365 days or when an administrator with knowledge of the password leaves the organization, this is a finding.\n Identify manually managed application/service accounts.\n To determine the date a password was last changed:\n\n Domain controllers:\n Open \"PowerShell\".\n Enter \"Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet\", where [application account name] is the name of the manually managed application/service account.\n If the \"PasswordLastSet\" date is more than 365 days old, this is a finding.\n\n Member servers and standalone systems:\n Open \"Command Prompt\".\n Enter 'Net User [application account name] | Find /i \"Password Last Set\"', where [application account name] is the name of the manually managed application/service account.\n If the \"Password Last Set\" date is more than 365 days old, this is a finding.", - "fix": "Change passwords for manually managed application/service accounts at least every 365 days or when an administrator with knowledge of the password leaves the organization.\n It is recommended that system-managed service accounts be used whenever possible." 
+ "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\\n\n Value Name: NoGPOListChanges\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Group Policy >> \"Configure registry\npolicy processing\" to \"Enabled\" with the option \"Process even if the Group\nPolicy objects have not changed\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93209", - "rid": "SV-103297r1_rule", - "stig_id": "WN19-00-000060", - "fix_id": "F-99455r1_fix", + "gid": "V-93251", + "rid": "SV-103339r1_rule", + "stig_id": "WN19-CC-000140", + "fix_id": "F-99497r1_fix", "cci": [ "CCI-000366" ], 
@@ -6428,173 +6490,181 @@ "Rev_4" ] }, - "code": "control \"V-93209\" do\n title \"Windows Server 2019 manually managed application account passwords must be changed at least every #{input('app_password_age')} days or when a system administrator with knowledge of the password leaves the organization.\"\n desc \"Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine if manually managed application/service accounts exist. If none exist, this is NA.\n If passwords for manually managed application/service accounts are not changed at least every #{input('app_password_age')} days or when an administrator with knowledge of the password leaves the organization, this is a finding.\n Identify manually managed application/service accounts.\n To determine the date a password was last changed:\n\n Domain controllers:\n Open \\\"PowerShell\\\".\n Enter \\\"Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet\\\", where [application account name] is the name of the manually managed application/service account.\n If the \\\"PasswordLastSet\\\" date is more than #{input('app_password_age')} days old, this is a finding.\n\n Member servers and standalone systems:\n Open \\\"Command Prompt\\\".\n Enter 'Net User [application account name] | Find /i \\\"Password Last Set\\\"', where [application account name] is the name of the manually managed application/service account.\n If the \\\"Password Last Set\\\" date is more than #{input('app_password_age')} days old, this is a finding.\"\n desc 'fix', \"Change passwords for manually managed application/service accounts at least every #{input('app_password_age')} days or when an administrator with knowledge of the 
password leaves the organization.\n It is recommended that system-managed service accounts be used whenever possible.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93209'\n tag 'rid': 'SV-103297r1_rule'\n tag 'stig_id': 'WN19-00-000060'\n tag 'fix_id': 'F-99455r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n application_accounts_domain = input('application_accounts_domain')\n application_accounts_local = input('application_accounts_local')\n app_password_age = input('app_password_age')\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n if application_accounts_domain.empty?\n impact 0.0\n describe 'There are no application accounts are listed for this control' do\n skip 'This is not applicable since no application accounts are listed for this control'\n end\n else\n application_accounts_domain.each do |user|\n password_set_date = json({ command: \"Get-ADUser -Identity #{user} -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-#{app_password_age})} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\" }).params\n date = password_set_date['DateTime']\n describe 'Password Last Set' do\n it \"Date should not be more that #{app_password_age} days for Application Account: #{user} \" do\n failure_message = \"Password Date is: #{date}\"\n expect(date).to be_nil, failure_message\n end\n end\n end\n end\n else\n if application_accounts_local.empty?\n impact 0.0\n describe 'There are no application accounts are listed for this control' do\n skip 'This is not applicable since no application accounts are listed for this control'\n end\n else\n application_accounts_local.each do |user|\n local_password_set_date = json({ command: \"Get-LocalUser -name #{user} | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-#{app_password_age})} | Select-Object 
-ExpandProperty PasswordLastSet | ConvertTo-Json\" }).params\n date = local_password_set_date['DateTime']\n describe 'Password Last Set' do\n it \"Date should not be more that #{app_password_age} days for Application Account: #{user} \" do\n failure_message = \"Password Date is: #{date}\"\n expect(date).to be_nil, failure_message\n end\n end\n end\n end\n end\nend\n", + "code": "control \"V-93251\" do\n title \"Windows Server 2019 group policy objects must be reprocessed even if\nthey have not changed.\"\n desc \"Registry entries for group policy settings can potentially be changed\nfrom the required configuration. This could occur as part of troubleshooting or\nby a malicious process on a compromised system. Enabling this setting and then\nselecting the \\\"Process even if the Group Policy objects have not changed\\\"\noption ensures the policies will be reprocessed even if none have been changed.\nThis way, any unauthorized changes are forced to match the domain-based group\npolicy settings again.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Group Policy\\\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\\\\n\n Value Name: NoGPOListChanges\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Group Policy >> \\\"Configure registry\npolicy processing\\\" to \\\"Enabled\\\" with the option \\\"Process even if the Group\nPolicy objects have not changed\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93251'\n tag 'rid': 'SV-103339r1_rule'\n tag 'stig_id': 'WN19-CC-000140'\n tag 'fix_id': 'F-99497r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}') do\n it { should have_property 'NoGPOListChanges' }\n its('NoGPOListChanges') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93209.rb", + "ref": "./Windows 2019 STIG/controls/V-93251.rb", "line": 3 }, - "id": "V-93209" + "id": "V-93251" }, { - "title": "Windows Server 2019 Remote Desktop Services must prevent drive redirection.", - "desc": "Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.", + "title": "Windows Server 2019 must be configured to audit logon successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.", "descriptions": { - "default": "Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fDisableCdm\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> \"Do not allow drive redirection\" to \"Enabled\"." + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Success\"\nselected." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-93533", - "rid": "SV-103619r1_rule", - "stig_id": "WN19-CC-000350", - "fix_id": "F-99777r1_fix", + "gtitle": "SRG-OS-000032-GPOS-00013", + "satisfies": [ + "SRG-OS-000032-GPOS-00013", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000472-GPOS-00217", + "SRG-OS-000473-GPOS-00218", + "SRG-OS-000475-GPOS-00220" + ], + "gid": "V-92967", + "rid": "SV-103055r1_rule", + "stig_id": "WN19-AU-000190", + "fix_id": "F-99213r1_fix", "cci": [ - "CCI-001090" + "CCI-000067", + "CCI-000172" ], "nist": [ - "SC-4", + "AC-17 (1)", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93533\" do\n title \"Windows Server 2019 Remote Desktop Services must prevent drive redirection.\"\n desc \"Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fDisableCdm\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> \\\"Do not allow drive redirection\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000138-GPOS-00069\"\n tag gid: \"V-93533\"\n tag rid: \"SV-103619r1_rule\"\n tag stig_id: \"WN19-CC-000350\"\n tag fix_id: \"F-99777r1_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 
'fDisableCdm' }\n its('fDisableCdm') { should cmp == 1 }\n end\nend", + "code": "control \"V-92967\" do\n title \"Windows Server 2019 must be configured to audit logon successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Logon\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': \"SRG-OS-000032-GPOS-00013\"\n tag 'satisfies': [\"SRG-OS-000032-GPOS-00013\", \"SRG-OS-000470-GPOS-00214\",\n\"SRG-OS-000472-GPOS-00217\", 
\"SRG-OS-000473-GPOS-00218\",\n\"SRG-OS-000475-GPOS-00220\"]\n tag 'gid': 'V-92967'\n tag 'rid': 'SV-103055r1_rule'\n tag 'stig_id': 'WN19-AU-000190'\n tag 'fix_id': 'F-99213r1_fix'\n tag 'cci': [\"CCI-000067\", \"CCI-000172\"]\n tag 'nist': [\"AC-17 (1)\", \"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93533.rb", + "ref": "./Windows 2019 STIG/controls/V-92967.rb", "line": 3 }, - "id": "V-93533" + "id": "V-92967" }, { - "title": "Windows Server 2019 Kerberos user logon restrictions must be enforced.", - "desc": "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented.", + "title": "Windows Server 2019 Allow log on locally user right must only be\nassigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on locally\" user right can log on\ninteractively to a system.", "descriptions": { - "default": "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. 
The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on locally\" user right can log on\ninteractively to a system.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \"Enforce user logon restrictions\" is not set to \"Enabled\", this is a finding.", - "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Enforce user logon restrictions\" to \"Enabled\"." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Allow\nlog on locally\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeInteractiveLogonRight\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Allow log\non locally\" to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000112-GPOS-00057", - "satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" - ], - "gid": "V-93443", - "rid": "SV-103529r1_rule", - "stig_id": "WN19-DC-000020", - "fix_id": "F-99687r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-93017", + "rid": "SV-103105r1_rule", + "stig_id": "WN19-UR-000030", + "fix_id": "F-99263r1_fix", "cci": [ - "CCI-001941", - "CCI-001942" + "CCI-000213" ], "nist": [ - "IA-2 (8)", - "IA-2 (9)", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93443\" do\n title \"Windows Server 2019 Kerberos user logon 
restrictions must be enforced.\"\n desc \"This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \\\"Enforce user logon restrictions\\\" is not set to \\\"Enabled\\\", this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Enforce user logon restrictions\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93443\"\n tag rid: \"SV-103529r1_rule\"\n tag stig_id: \"WN19-DC-000020\"\n tag fix_id: \"F-99687r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('TicketValidateClient') { should eq 1 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain 
controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93017\" do\n title \"Windows Server 2019 Allow log on locally user right must only be\nassigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Allow log on locally\\\" user right can log on\ninteractively to a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Allow\nlog on locally\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeInteractiveLogonRight\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Allow log\non locally\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93017'\n tag 'rid': 'SV-103105r1_rule'\n tag 'stig_id': 'WN19-UR-000030'\n 
tag 'fix_id': 'F-99263r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n describe security_policy do\n its('SeInteractiveLogonRight') { should eq ['S-1-5-32-544'] }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93443.rb", + "ref": "./Windows 2019 STIG/controls/V-93017.rb", "line": 3 }, - "id": "V-93443" + "id": "V-93017" }, { - "title": "Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.", - "desc": "Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.", + "title": "Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.", + "desc": "This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.\n Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).", "descriptions": { - "default": "Storage of administrative credentials could allow unauthorized access. 
Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.", + "default": "This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.\n Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: DisableRunAs\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \"Disallow WinRM from storing RunAs credentials\" to \"Enabled\"." + "check": "Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest.\n If they do not, this is a finding.", + "fix": "Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000373-GPOS-00157", + "gtitle": "SRG-OS-000185-GPOS-00079", "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" + "SRG-OS-000185-GPOS-00079", + "SRG-OS-000404-GPOS-00183", + "SRG-OS-000405-GPOS-00184" ], - "gid": "V-93429", - "rid": "SV-103515r1_rule", - "stig_id": "WN19-CC-000520", - "fix_id": "F-99673r1_fix", + "gid": "V-93515", + "rid": "SV-103601r1_rule", + "stig_id": "WN19-00-000250", + "fix_id": "F-99759r1_fix", "cci": [ - "CCI-002038" + "CCI-001199", + "CCI-002475", + "CCI-002476" ], "nist": [ - "IA-11", + "SC-28", + "SC-28 (1)", + "SC-28 (1)", "Rev_4" ] }, - "code": "control \"V-93429\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.\"\n desc \"Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: DisableRunAs\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \\\"Disallow WinRM from storing RunAs credentials\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93429\"\n tag rid: \"SV-103515r1_rule\"\n tag stig_id: \"WN19-CC-000520\"\n tag fix_id: \"F-99673r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'DisableRunAs' }\n its('DisableRunAs') { should cmp == 1 }\n end\nend", + "code": "control \"V-93515\" do\n title \"Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\"\n desc \"This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.\n Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest.\n If they do not, this is a finding.\"\n desc \"fix\", \"Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000185-GPOS-00079\"\n tag satisfies: [\"SRG-OS-000185-GPOS-00079\", \"SRG-OS-000404-GPOS-00183\", \"SRG-OS-000405-GPOS-00184\"]\n tag gid: \"V-93515\"\n tag rid: \"SV-103601r1_rule\"\n tag 
stig_id: \"WN19-00-000250\"\n tag fix_id: \"F-99759r1_fix\"\n tag cci: [\"CCI-001199\", \"CCI-002475\", \"CCI-002476\"]\n tag nist: [\"SC-28\", \"SC-28 (1)\", \"SC-28 (1)\", \"Rev_4\"]\n\n describe \"A manual review is required to ensure systems requiring data at rest protections must employ cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.\" do\n skip 'A manual review is required to ensure systems requiring data at rest protections must employ cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.'\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93429.rb", + "ref": "./Windows 2019 STIG/controls/V-93515.rb", "line": 3 }, - "id": "V-93429" + "id": "V-93515" }, { - "title": "Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.", - "desc": "Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.", + "title": "Windows Server 2019 password history must be configured to 24 passwords remembered.", + "desc": "A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is \"24\" for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.", "descriptions": { - "default": "Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.", + "default": "A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. 
This enables users to effectively negate the purpose of mandating periodic password changes. The default value is \"24\" for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.", "rationale": "", - "check": "Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> \"Do not display network selection UI\" to \"Enabled\"." + "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \"Enforce password history\" is less than \"24\" passwords remembered, this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"PasswordHistorySize\" is less than \"24\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Enforce password history\" to \"24\" passwords remembered." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93407", - "rid": "SV-103493r1_rule", - "stig_id": "WN19-CC-000170", - "fix_id": "F-99651r1_fix", + "gtitle": "SRG-OS-000077-GPOS-00045", + "gid": "V-93479", + "rid": "SV-103565r1_rule", + "stig_id": "WN19-AC-000040", + "fix_id": "F-99723r1_fix", "cci": [ - "CCI-000381" + "CCI-000200" ], "nist": [ - "CM-7 a", + "IA-5 (1) (e)", "Rev_4" ] }, - "code": "control \"V-93407\" do\n title \"Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.\"\n desc \"Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\\n\n Value Name: DontDisplayNetworkSelectionUI\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> \\\"Do not display network selection UI\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93407\"\n tag rid: \"SV-103493r1_rule\"\n tag stig_id: \"WN19-CC-000170\"\n tag fix_id: \"F-99651r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System') do\n it { should have_property 'DontDisplayNetworkSelectionUI' }\n its('DontDisplayNetworkSelectionUI') { should cmp == 1 }\n end\nend", + "code": "control \"V-93479\" do\n title \"Windows Server 2019 password history must be configured to #{input('password_history_size')} passwords remembered.\"\n desc \"A system is more 
vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is \\\"#{input('password_history_size')}\\\" for Windows domain systems. #{input('org_name')[:acronym]} has decided this is the appropriate value for all Windows systems.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \\\"Enforce password history\\\" is less than \\\"#{input('password_history_size')}\\\" passwords remembered, this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"PasswordHistorySize\\\" is less than \\\"#{input('password_history_size')}\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Enforce password history\\\" to \\\"#{input('password_history_size')}\\\" passwords remembered.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000077-GPOS-00045\"\n tag gid: \"V-93479\"\n tag rid: \"SV-103565r1_rule\"\n tag stig_id: \"WN19-AC-000040\"\n tag fix_id: \"F-99723r1_fix\"\n tag cci: [\"CCI-000200\"]\n tag nist: [\"IA-5 (1) (e)\", \"Rev_4\"]\n\n describe security_policy do\n its('PasswordHistorySize') { should be >= input('password_history_size') }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93407.rb", + "ref": "./Windows 2019 STIG/controls/V-93479.rb", "line": 3 }, - "id": "V-93407" + "id": "V-93479" }, { - "title": "Windows Server 2019 
Exploit Protection mitigations must be configured for iexplore.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 Early Launch Antimalware, Boot-Start Driver\nInitialization Policy must prevent boot drivers identified as bad.", + "desc": "Compromised boot drivers can introduce malware prior to protection\nmechanisms that load after initialization. The Early Launch Antimalware driver\ncan limit allowed drivers based on classifications determined by the malware\nprotection application. At a minimum, drivers determined to be bad must not be\nallowed.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Compromised boot drivers can introduce malware prior to protection\nmechanisms that load after initialization. The Early Launch Antimalware driver\ncan limit allowed drivers based on classifications determined by the malware\nprotection application. 
At a minimum, drivers determined to be bad must not be\nallowed.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name iexplore.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for iexplore.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "The default behavior is for Early Launch Antimalware - Boot-Start Driver\nInitialization policy to enforce \"Good, unknown and bad but critical\"\n(preventing \"bad\").\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0x00000007 (7)\", this is\na finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value\nName does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes \"bad\" and would be a finding)", + "fix": "The default behavior is for Early Launch Antimalware - Boot-Start Driver\nInitialization policy to enforce \"Good, unknown and bad but critical\"\n(preventing \"bad\").\n\n If this needs to be corrected or a more secure setting is desired,\nconfigure the policy value for Computer Configuration >> Administrative\nTemplates >> System >> Early Launch Antimalware >> \"Boot-Start Driver\nInitialization Policy\" to \"Not Configured\" or \"Enabled\" with any option\nother than \"All\" selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93335", - "rid": "SV-103423r1_rule", - "stig_id": "WN19-EP-000130", - "fix_id": "F-99581r1_fix", + "gid": "V-93249", + "rid": "SV-103337r1_rule", + "stig_id": "WN19-CC-000130", + "fix_id": "F-99495r1_fix", "cci": [ "CCI-000366" ], 
@@ -6603,305 +6673,294 @@ "Rev_4" ] }, - "code": "control \"V-93335\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name iexplore.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for iexplore.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows 
Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93335\"\n tag rid: \"SV-103423r1_rule\"\n tag stig_id: \"WN19-EP-000130\"\n tag fix_id: \"F-99581r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n iexplore = json({ command: \"Get-ProcessMitigation -Name iexplore.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif iexplore.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for iexplore.exe\" do\n subject { iexplore }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','BottomUp']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93249\" do\n title \"Windows Server 2019 Early Launch Antimalware, Boot-Start Driver\nInitialization Policy must prevent boot drivers identified as bad.\"\n desc \"Compromised boot drivers can introduce malware prior to protection\nmechanisms that load after initialization. 
The Early Launch Antimalware driver\ncan limit allowed drivers based on classifications determined by the malware\nprotection application. At a minimum, drivers determined to be bad must not be\nallowed.\"\n desc \"rationale\", \"\"\n desc 'check', \"The default behavior is for Early Launch Antimalware - Boot-Start Driver\nInitialization policy to enforce \\\"Good, unknown and bad but critical\\\"\n(preventing \\\"bad\\\").\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0x00000007 (7)\\\", this is\na finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch\\\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value\nName does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes \\\"bad\\\" and would be a finding)\"\n desc 'fix', \"The default behavior is for Early Launch Antimalware - Boot-Start Driver\nInitialization policy to enforce \\\"Good, unknown and bad but critical\\\"\n(preventing \\\"bad\\\").\n\n If this needs to be corrected or a more secure setting is desired,\nconfigure the policy value for Computer Configuration >> Administrative\nTemplates >> System >> Early Launch Antimalware >> \\\"Boot-Start Driver\nInitialization Policy\\\" to \\\"Not Configured\\\" or \\\"Enabled\\\" with any option\nother than \\\"All\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93249'\n tag 'rid': 'SV-103337r1_rule'\n tag 'stig_id': 'WN19-CC-000130'\n tag 'fix_id': 'F-99495r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch') do\n it { should_not 
have_property 'DriverLoadPolicy' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch') do\n it { should have_property 'DriverLoadPolicy' }\n its('DriverLoadPolicy') { should be_in [1, 3, 8] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93335.rb", + "ref": "./Windows 2019 STIG/controls/V-93249.rb", "line": 3 }, - "id": "V-93335" + "id": "V-93249" }, { - "title": "Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.", - "desc": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", + "title": "Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.", + "desc": "To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.", "descriptions": { - "default": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", + "default": "To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. 
This requirement only applies to unclassified systems.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \"Allow Basic authentication\" to \"Disabled\"." + "check": "This is applicable to unclassified systems. It is NA for others.\n Open \"PowerShell\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where Issuer -Like \"*CCEB Interoperability*\" | FL Subject, Issuer, Thumbprint, NotAfter\n If the following certificate \"Subject\", \"Issuer\", and \"Thumbprint\" information is not displayed, this is a finding.\n If an expired certificate (\"NotAfter\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n NotAfter: 3/9/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately, use the Certificates MMC snap-in:\n Run \"MMC\".\n Select \"File\", \"Add/Remove Snap-in\".\n Select \"Certificates\" and click \"Add\".\n Select \"Computer account\" and click \"Next\".\n Select \"Local computer: (the computer this console is running on)\" and click \"Finish\".\n Click \"OK\".\n Expand \"Certificates\" and navigate to \"Untrusted Certificates >> Certificates\".\n For each certificate with \"US DoD CCEB Interoperability Root CA ...\" under \"Issued By\":\n Right-click on the certificate and select \"Open\".\n Select the \"Details\" Tab.\n Scroll to the bottom and select \"Thumbprint\".\n If the certificate below is not listed or the value for the \"Thumbprint\" field is not as noted, this is a finding.\n If an expired certificate (\"Valid to\" date) is not listed in the results, this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: US DoD CCEB Interoperability Root CA 1\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n Valid to: Saturday, March 9, 2019\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019", + "fix": "Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000125-GPOS-00065", - "gid": "V-93503", - "rid": "SV-103589r1_rule", - "stig_id": "WN19-CC-000470", - "fix_id": "F-99747r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "satisfies": [ + "SRG-OS-000066-GPOS-00034", + "SRG-OS-000403-GPOS-00182" + ], + "gid": "V-93491", + "rid": "SV-103577r1_rule", + "stig_id": "WN19-PK-000030", + "fix_id": "F-99735r1_fix", "cci": [ - "CCI-000877" + "CCI-000185", + "CCI-002470" ], "nist": [ - "MA-4 c", + "IA-5 (2) (a)", + "SC-23 (5)", "Rev_4" ] }, - "code": "control \"V-93503\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.\"\n desc \"Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowBasic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \\\"Allow Basic authentication\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000125-GPOS-00065\"\n tag gid: \"V-93503\"\n tag rid: \"SV-103589r1_rule\"\n tag stig_id: \"WN19-CC-000470\"\n tag fix_id: \"F-99747r1_fix\"\n tag cci: [\"CCI-000877\"]\n tag nist: [\"MA-4 c\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowBasic' }\n its('AllowBasic') { should cmp == 0 }\n end\nend", + "code": "control \"V-93491\" do\n title \"Windows 
Server 2019 must have the US #{input('org_name')[:acronym]} CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing certificate-based authentication to #{input('org_name')[:acronym]} websites due to the system chaining to a root other than #{input('org_name')[:acronym]} Root CAs, the US #{input('org_name')[:acronym]} CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems. It is NA for others.\n Open \\\"PowerShell\\\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where Issuer -Like \\\"*CCEB Interoperability*\\\" | FL Subject, Issuer, Thumbprint, NotAfter\n If the following certificate \\\"Subject\\\", \\\"Issuer\\\", and \\\"Thumbprint\\\" information is not displayed, this is a finding.\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n NotAfter: 3/9/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately, use the Certificates MMC snap-in:\n Run \\\"MMC\\\".\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n Select \\\"Certificates\\\" and click \\\"Add\\\".\n Select \\\"Computer account\\\" and click \\\"Next\\\".\n Select \\\"Local computer: (the computer this console is running on)\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Expand \\\"Certificates\\\" and navigate to \\\"Untrusted Certificates >> Certificates\\\".\n For each certificate with \\\"US DoD CCEB Interoperability Root CA ...\\\" under \\\"Issued By\\\":\n Right-click on the certificate and select \\\"Open\\\".\n Select the \\\"Details\\\" Tab.\n Scroll to the bottom and select \\\"Thumbprint\\\".\n If the certificate below is not listed or the value for the \\\"Thumbprint\\\" field is not as noted, this is a finding.\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results, this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: US DoD CCEB Interoperability Root CA 1\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n Valid to: Saturday, March 9, 2019\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019\"\n desc \"fix\", \"Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at 
http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag satisfies: [\"SRG-OS-000066-GPOS-00034\", \"SRG-OS-000403-GPOS-00182\"]\n tag gid: \"V-93491\"\n tag rid: \"SV-103577r1_rule\"\n tag stig_id: \"WN19-PK-000030\"\n tag fix_id: \"F-99735r1_fix\"\n tag cci: [\"CCI-000185\", \"CCI-002470\"]\n tag nist: [\"IA-5 (2) (a)\", \"SC-23 (5)\", \"Rev_4\"]\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_cceb_certificates = JSON.parse(input('dod_cceb_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*CCEB Interoperability*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n\n describe 'Verify the DoD CCEB CA certificates are installed as Untrusted Certificate.' 
do\n subject { query.params }\n it { should be_in dod_cceb_certificates }\n end\n\n unless query.empty?\n case query\n when Hash\n query.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n when Array\n query.each do |certs|\n certs.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93503.rb", + "ref": "./Windows 2019 STIG/controls/V-93491.rb", "line": 3 }, - "id": "V-93503" + "id": "V-93491" }, { - "title": "Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.", - "desc": "The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.", + "title": "Windows Server 2019 must preserve zone information when saving attachments.", + "desc": "Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.", "descriptions": { - "default": "The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.", + "default": "Attachments from outside sources may contain malicious code. 
Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft network client: Digitally sign communications (if server agrees)\" to \"Enabled\"." + "check": "The default behavior is for Windows to mark file attachments with their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n If it exists and is configured with a value of \"2\", this is not a finding.\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)", + "fix": "The default behavior is for Windows to mark file attachments with their zone information.\n\n If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> \"Do not preserve zone information in file attachments\" to \"Not Configured\" or \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-93557", - "rid": "SV-103643r1_rule", - "stig_id": "WN19-SO-000170", - "fix_id": "F-99801r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93311", + "rid": "SV-103399r1_rule", + "stig_id": "WN19-UC-000010", + "fix_id": "F-99557r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000366" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93557\" do\n title \"Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft network client: Digitally sign communications (if server agrees)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93557\"\n tag rid: \"SV-103643r1_rule\"\n tag stig_id: \"WN19-SO-000170\"\n tag fix_id: \"F-99801r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", 
\"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'EnableSecuritySignature' }\n its('EnableSecuritySignature') { should cmp == 1 }\n end\nend", + "code": "control \"V-93311\" do\n title \"Windows Server 2019 must preserve zone information when saving attachments.\"\n desc \"Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.\"\n desc \"rationale\", \"\"\n desc \"check\", \"The default behavior is for Windows to mark file attachments with their zone information.\n\n If the registry Value Name below does not exist, this is not a finding.\n If it exists and is configured with a value of \\\"2\\\", this is not a finding.\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_CURRENT_USER\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\\n\n Value Name: SaveZoneInformation\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for Windows to mark file attachments with their zone information.\n\n If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> \\\"Do not preserve zone information in file attachments\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93311\"\n tag rid: \"SV-103399r1_rule\"\n tag stig_id: \"WN19-UC-000010\"\n tag fix_id: \"F-99557r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe 
registry_key('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments') do\n it { should_not have_property 'SaveZoneInformation' }\n end\n describe registry_key('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments') do\n it { should have_property 'SaveZoneInformation' }\n its('SaveZoneInformation') { should_not cmp 1 }\n its('SaveZoneInformation') { should cmp 2 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93557.rb", + "ref": "./Windows 2019 STIG/controls/V-93311.rb", "line": 3 }, - "id": "V-93557" + "id": "V-93311" }, { - "title": "Windows Server 2019 Deny access to this computer from the network user\nright on domain-joined member servers must be configured to prevent access from\nhighly privileged domain accounts and local accounts and from unauthenticated\naccess on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "title": "Windows Server 2019 must have the period of time before the bad logon\ncounter is reset configured to 15 minutes or greater.", + "desc": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. 
This parameter specifies the period of time\nthat must pass after failed logon attempts before the counter is reset to\n\"0\". The smaller this value is, the less effective the account lockout\nfeature will be in protecting the local system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny access to this computer from the network\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "default": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat must pass after failed logon attempts before the counter is reset to\n\"0\". The smaller this value is, the less effective the account lockout\nfeature will be in protecting the local system.", "rationale": "", - "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny access\nto this computer from the network\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - \"Local account and member of Administrators group\" or \"Local account\"\n(see Note below)\n\n All Systems:\n - Guests group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \"SeDenyNetworkLogonRight\"\nuser right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n S-1-5-114 (\"Local account and member of Administrators group\") or\nS-1-5-113 (\"Local account\")\n\n All Systems:\n S-1-5-32-546 (Guests)\n\n Note: These are built-in security groups. \"Local account\" is more\nrestrictive but may cause issues on servers such as systems that provide\nfailover clustering.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny\naccess to this computer from the network\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - \"Local account and member of Administrators group\" or \"Local account\"\n(see Note below)\n\n All Systems:\n - Guests group\n\n Note: These are built-in security groups. \"Local account\" is more\nrestrictive but may cause issues on servers such as systems that provide\nfailover clustering." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Reset account lockout counter after\" value is less than \"15\"\nminutes, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n\n If \"ResetLockoutCount\" is less than \"15\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Account Policies >> Account Lockout\nPolicy >> \"Reset account lockout counter after\" to at least \"15\" minutes." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93009", - "rid": "SV-103097r1_rule", - "stig_id": "WN19-MS-000080", - "fix_id": "F-99255r1_fix", + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-93143", + "rid": "SV-103231r1_rule", + "stig_id": "WN19-AC-000030", + "fix_id": "F-99389r1_fix", "cci": [ - "CCI-000213" + "CCI-000044", + "CCI-002238" ], "nist": [ - "AC-3", + "AC-7 a", + "AC-7 b", "Rev_4" ] }, - "code": "control \"V-93009\" do\n title \"Windows Server 2019 Deny access to this computer from the network user\nright on domain-joined member servers must be configured to prevent access from\nhighly privileged domain accounts and local accounts and from unauthenticated\naccess on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny access to this computer from the network\\\" user right defines\nthe accounts that are prevented from logging on from the network.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins 
and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny access\nto this computer from the network\\\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - \\\"Local account and member of Administrators group\\\" or \\\"Local account\\\"\n(see Note below)\n\n All Systems:\n - Guests group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the \\\"SeDenyNetworkLogonRight\\\"\nuser right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n S-1-5-114 (\\\"Local account and member of Administrators group\\\") or\nS-1-5-113 (\\\"Local account\\\")\n\n All Systems:\n S-1-5-32-546 (Guests)\n\n Note: These are built-in security groups. 
\\\"Local account\\\" is more\nrestrictive but may cause issues on servers such as systems that provide\nfailover clustering.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny\naccess to this computer from the network\\\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - \\\"Local account and member of Administrators group\\\" or \\\"Local account\\\"\n(see Note below)\n\n All Systems:\n - Guests group\n\n Note: These are built-in security groups. \\\"Local account\\\" is more\nrestrictive but may cause issues on servers such as systems that provide\nfailover clustering.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93009'\n tag 'rid': 'SV-103097r1_rule'\n tag 'stig_id': 'WN19-MS-000080'\n tag 'fix_id': 'F-99255r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n 
describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe.one do\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"S-1-5-113\" }\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include \"S-1-5-114\" }\n end\n end\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should include 'S-1-5-32-546' }\n end\n when '2'\n describe security_policy do\n its('SeDenyNetworkLogonRight') { should eq ['S-1-5-32-546'] }\n end\n end\nend\n", + "code": "control \"V-93143\" do\n title \"Windows Server 2019 must have the period of time before the bad logon\ncounter is reset configured to #{input('pass_lock_time')} minutes or greater.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat must pass after failed logon attempts before the counter is reset to\n\\\"0\\\". 
The smaller this value is, the less effective the account lockout\nfeature will be in protecting the local system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Reset account lockout counter after\\\" value is less than \\\"#{input('pass_lock_time')}\\\"\nminutes, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n\n If \\\"ResetLockoutCount\\\" is less than \\\"#{input('pass_lock_time')}\\\" in the file, this is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Account Policies >> Account Lockout\nPolicy >> \\\"Reset account lockout counter after\\\" to at least \\\"#{input('pass_lock_time')}\\\" minutes.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000021-GPOS-00005'\n tag 'satisfies': [\"SRG-OS-000021-GPOS-00005\", \"SRG-OS-000329-GPOS-00128\"]\n tag 'gid': 'V-93143'\n tag 'rid': 'SV-103231r1_rule'\n tag 'stig_id': 'WN19-AC-000030'\n tag 'fix_id': 'F-99389r1_fix'\n tag 'cci': [\"CCI-000044\", \"CCI-002238\"]\n tag 'nist': [\"AC-7 a\", \"AC-7 b\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n \n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('ResetLockoutCount') { should be >= 
input('pass_lock_time') }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93009.rb", + "ref": "./Windows 2019 STIG/controls/V-93143.rb", "line": 3 }, - "id": "V-93009" + "id": "V-93143" }, { - "title": "Windows Server 2019 permissions for the Windows installation directory\nmust conform to minimum requirements.", - "desc": "Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).", + "title": "Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.", + "desc": "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.", "descriptions": { - "default": "Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).", + "default": "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.", "rationale": "", - "check": "The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).\n\n Review the permissions for the Windows installation directory (usually\nC:\\Windows). Non-privileged groups such as Users or Authenticated Users must\nnot have greater than \"Read & execute\" permissions. Individual accounts must\nnot be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding:\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the \"Security\" tab and the \"Advanced\" button.\n\n Default permissions:\n \\Windows\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter \"icacls\" followed by the directory:\n\n \"icacls c:\\windows\"\n\n The following results should be displayed for each when entered:\n\n c:\\windows\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n 
BUILTIN\\Users:(RX)\n BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\nPACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files", - "fix": "Maintain the default file ACLs and configure the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" to \"Disabled\"\n(WN19-SO-000240).\n\n Default permissions:\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files" + "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Virtualize file and 
registry write failures to per-user locations\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000312-GPOS-00122", - "satisfies": [ - "SRG-OS-000312-GPOS-00122", - "SRG-OS-000312-GPOS-00123", - "SRG-OS-000312-GPOS-00124" - ], - "gid": "V-93023", - "rid": "SV-103111r1_rule", - "stig_id": "WN19-00-000160", - "fix_id": "F-99269r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-93529", + "rid": "SV-103615r1_rule", + "stig_id": "WN19-SO-000450", + "fix_id": "F-99773r1_fix", "cci": [ - "CCI-002165" + "CCI-001084" ], "nist": [ - "AC-3 (4)", + "SC-3", "Rev_4" ] }, - "code": "control \"V-93023\" do\n title \"Windows Server 2019 permissions for the Windows installation directory\nmust conform to minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" is set to\n\\\"Disabled\\\" (WN19-SO-000240).\"\n desc \"rationale\", \"\"\n desc 'check', \"The default permissions are adequate when the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" is set to\n\\\"Disabled\\\" (WN19-SO-000240).\n\n Review the permissions for the Windows installation directory (usually\nC:\\\\Windows). Non-privileged groups such as Users or Authenticated Users must\nnot have greater than \\\"Read & execute\\\" permissions. 
Individual accounts must\nnot be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding:\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the \\\"Security\\\" tab and the \\\"Advanced\\\" button.\n\n Default permissions:\n \\\\Windows\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter \\\"icacls\\\" followed by the directory:\n\n \\\"icacls c:\\\\windows\\\"\n\n The following results should be displayed for each when entered:\n\n c:\\\\windows\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\nPACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\"\n desc 'fix', \"Maintain the default file ACLs and 
configure the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" to \\\"Disabled\\\"\n(WN19-SO-000240).\n\n Default permissions:\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': \"SRG-OS-000312-GPOS-00122\"\n tag 'satisfies': [\"SRG-OS-000312-GPOS-00122\", \"SRG-OS-000312-GPOS-00123\",\n\"SRG-OS-000312-GPOS-00124\"]\n tag 'gid': 'V-93023'\n tag 'rid': 'SV-103111r1_rule'\n tag 'stig_id': 'WN19-00-000160'\n tag 'fix_id': 'F-99269r1_fix'\n tag 'cci': [\"CCI-002165\"]\n tag 'nist': [\"AC-3 (4)\", \"Rev_4\"]\n\n c_windows_perm = json( command: \"icacls 'C:\\\\Windows' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"C:\\\\Windows \", '') }\n describe \"C:\\\\Windows permissions are set correctly on folder structure\" do\n subject { c_windows_perm.eql? input('c_windows_perm') }\n it { should eq true }\n end\nend\n", + "code": "control \"V-93529\" do\n title \"Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.\"\n desc \"UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableVirtualization\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Virtualize file and registry write failures to per-user locations\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93529\"\n tag rid: \"SV-103615r1_rule\"\n tag stig_id: \"WN19-SO-000450\"\n tag fix_id: \"F-99773r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableVirtualization' }\n its('EnableVirtualization') { should cmp == 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93023.rb", + "ref": "./Windows 2019 STIG/controls/V-93529.rb", "line": 3 }, - "id": "V-93023" + "id": "V-93529" }, { - "title": "Windows Server 2019 Lock pages in memory user right must not be\nassigned to 
any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Lock pages in memory\" user right allows physical memory to be\nassigned to processes, which could cause performance issues or a denial of\nservice.", + "title": "Windows Server 2019 must be configured to audit Object Access - Other\nObject Access Events successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Lock pages in memory\" user right allows physical memory to be\nassigned to processes, which could cause performance issues or a denial of\nservice.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Lock pages in memory\" user\nright, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeLockMemoryPrivilege\" user right, this is a\nfinding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Lock pages in memory\" to be defined but containing no entries\n(blank)." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Other Object Access Events - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \"Audit Other Object Access Events\"\nwith \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93077", - "rid": "SV-103165r1_rule", - "stig_id": "WN19-UR-000160", - "fix_id": "F-99323r1_fix", + "gtitle": "SRG-OS-000470-GPOS-00214", + "gid": "V-93163", + "rid": "SV-103251r1_rule", + "stig_id": "WN19-AU-000220", + "fix_id": "F-99409r1_fix", "cci": [ - "CCI-002235" + "CCI-000172" ], "nist": [ - "AC-6 (10)", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93077\" do\n title \"Windows Server 2019 Lock pages in memory user right must not be\nassigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Lock pages in memory\\\" user right allows physical memory to be\nassigned to processes, which could cause performance issues or a denial of\nservice.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> 
Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Lock pages in memory\\\" user\nright, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeLockMemoryPrivilege\\\" user right, this is a\nfinding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Lock pages in memory\\\" to be defined but containing no entries\n(blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93077'\n tag 'rid': 'SV-103165r1_rule'\n tag 'stig_id': 'WN19-UR-000160'\n tag 'fix_id': 'F-99323r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeLockMemoryPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control \"V-93163\" do\n title \"Windows Server 2019 must be 
configured to audit Object Access - Other\nObject Access Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Other Object Access Events - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\"\nwith \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93163'\n tag 'rid': 'SV-103251r1_rule'\n tag 'stig_id': 'WN19-AU-000220'\n tag 'fix_id': 'F-99409r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Other Object Access Events') 
{ should eq 'Success' }\n end\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93077.rb", + "ref": "./Windows 2019 STIG/controls/V-93163.rb", "line": 3 }, - "id": "V-93077" + "id": "V-93163" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.", + "desc": "To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. 
The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name OneDrive.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for OneDrive.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks.\n Open \"Windows PowerShell\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\root | Where Subject -Like \"*DoD*\" | FL Subject, Thumbprint, NotAfter\n If the following certificate \"Subject\" and \"Thumbprint\" information is not displayed, this is a finding.\n If an expired certificate (\"NotAfter\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately, use the Certificates MMC snap-in:\n Run \"MMC\".\n Select \"File\", \"Add/Remove Snap-in\".\n Select \"Certificates\" and click \"Add\".\n Select \"Computer account\" and click \"Next\".\n Select \"Local computer: (the computer this console is running on)\" and click \"Finish\".\n Click \"OK\".\n Expand \"Certificates\" and navigate to \"Trusted Root Certification Authorities >> Certificates\".\n For each of the DoD Root CA certificates noted below:\n Right-click on the certificate and select \"Open\".\n Select the \"Details\" Tab.\n Scroll to the bottom and select \"Thumbprint\".\n If the DoD Root CA certificates below are not listed or the value for the \"Thumbprint\" field is not as noted, this is a finding.\n If an expired certificate (\"Valid to\" date) is not listed in the results, this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041", + "fix": "Install the DoD Root CA certificates:\n\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93349", - "rid": "SV-103437r1_rule", - "stig_id": "WN19-EP-000200", - "fix_id": "F-99595r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "satisfies": [ + "SRG-OS-000066-GPOS-00034", + "SRG-OS-000403-GPOS-00182" + ], + "gid": "V-93487", + "rid": "SV-103573r1_rule", + "stig_id": "WN19-PK-000010", + "fix_id": "F-99731r1_fix", "cci": [ - "CCI-000366" + "CCI-000185", + "CCI-002470" ], "nist": [ - "CM-6 b", + "IA-5 (2) (a)", + "SC-23 (5)", "Rev_4" ] }, - "code": "control \"V-93349\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name OneDrive.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for 
OneDrive.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93349\"\n tag rid: \"SV-103437r1_rule\"\n tag stig_id: \"WN19-EP-000200\"\n tag fix_id: \"F-99595r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n onedrive = json({ command: \"Get-ProcessMitigation -Name OneDrive.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif onedrive.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for OneDrive.EXE\" do\n subject { onedrive }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93487\" do\n title \"Windows Server 2019 must have the #{input('org_name')[:acronym]} Root Certificate Authority (CA) certificates installed in the Trusted Root Store.\"\n desc \"To ensure secure #{input('org_name')[:acronym]} websites and #{input('org_name')[:acronym]}-signed code are properly validated, the system must trust the #{input('org_name')[:acronym]} Root CAs. The #{input('org_name')[:acronym]} root certificates will ensure that the trust chain is established for server certificates issued from the #{input('org_name')[:acronym]} CAs.\"\n desc \"rationale\", \"\"\n desc \"check\", \"The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks.\n Open \\\"Windows PowerShell\\\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\\\root | Where Subject -Like \\\"*DoD*\\\" | FL Subject, Thumbprint, NotAfter\n If the following certificate \\\"Subject\\\" and \\\"Thumbprint\\\" information is not displayed, this is a finding.\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately, use the Certificates MMC snap-in:\n Run \\\"MMC\\\".\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n Select \\\"Certificates\\\" and click \\\"Add\\\".\n Select \\\"Computer account\\\" and click \\\"Next\\\".\n Select \\\"Local computer: (the computer this console is running on)\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Expand \\\"Certificates\\\" and navigate to \\\"Trusted Root Certification Authorities >> Certificates\\\".\n For each of the DoD Root CA certificates noted below:\n Right-click on the certificate and select \\\"Open\\\".\n Select the \\\"Details\\\" Tab.\n Scroll to the bottom and select \\\"Thumbprint\\\".\n If the DoD Root CA certificates below are not listed or the value for the \\\"Thumbprint\\\" field is not as noted, this is a finding.\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results, this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041\"\n desc \"fix\", \"Install the DoD Root CA certificates:\n\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD 
Root CA 5\n\n The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag satisfies: [\"SRG-OS-000066-GPOS-00034\", \"SRG-OS-000403-GPOS-00182\"]\n tag gid: \"V-93487\"\n tag rid: \"SV-103573r1_rule\"\n tag stig_id: \"WN19-PK-000010\"\n tag fix_id: \"F-99731r1_fix\"\n tag cci: [\"CCI-000185\", \"CCI-002470\"]\n tag nist: [\"IA-5 (2) (a)\", \"SC-23 (5)\", \"Rev_4\"]\n\n if input('sensitive_system') == true\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_interoperability_certificates = JSON.parse(input('dod_interoperability_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\root | Where Subject -Like \"*DoD*\" | Select Subject, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' }).params\n \n describe 'Verify DoD Root Certificate Authority (CA) certificates are installed in the Trusted Root Store.' 
do\n subject { query }\n it { should be_in dod_interoperability_certificates }\n end\n \n unless query.empty?\n case query\n when Hash\n query.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n when Array\n query.each do |certs|\n certs.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n end\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93349.rb", + "ref": "./Windows 2019 STIG/controls/V-93487.rb", "line": 3 }, - "id": "V-93349" + "id": "V-93487" }, { - "title": "Windows Server 2019 must be configured to audit Account Management -\nComputer Account Management successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling computer accounts.", + "title": "Windows Server 2019 non-administrative accounts or groups must only\nhave print permissions on printer shares.", + "desc": "Windows shares are a means by which files, folders, printers, and\nother resources can be published for network users to access. 
Improper\nconfiguration can permit access to devices and data beyond a user's need.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling computer accounts.", + "default": "Windows shares are a means by which files, folders, printers, and\nother resources can be published for network users to access. Improper\nconfiguration can permit access to devices and data beyond a user's need.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Computer Account Management - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit Computer Account\nManagement\" with \"Success\" selected." 
+ "check": "Open \"Printers & scanners\" in \"Settings\".\n\n If there are no printers configured, this is NA. (Exclude Microsoft Print\nto PDF and Microsoft XPS Document Writer, which do not support sharing.)\n\n For each printer:\n\n Select the printer and \"Manage\".\n\n Select \"Printer Properties\".\n\n Select the \"Sharing\" tab.\n\n If \"Share this printer\" is checked, select the \"Security\" tab.\n\n If any standard user accounts or groups have permissions other than\n\"Print\", this is a finding.\n\n The default is for the \"Everyone\" group to be given \"Print\" permission.\n\n \"All APPLICATION PACKAGES\" and \"CREATOR OWNER\" are not standard user\naccounts.", + "fix": "Configure the permissions on shared printers to restrict\nstandard users to only have Print permissions." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000004-GPOS-00004", - "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000476-GPOS-00221" - ], - "gid": "V-92985", - "rid": "SV-103073r1_rule", - "stig_id": "WN19-DC-000230", - "fix_id": "F-99231r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-92993", + "rid": "SV-103081r1_rule", + "stig_id": "WN19-00-000180", + "fix_id": "F-99239r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-000213" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)", - "AC-2 (4)", - "AC-2(4)", + "AC-3", "Rev_4" ] }, - "code": "control 'V-92989' do\n title \"Windows Server 2019 must be configured to audit Account Management -\nComputer Account Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Computer Account Management records events such as creating, changing,\ndeleting, renaming, disabling, or enabling computer accounts.\"\n desc 'rationale', ''\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Computer Account Management - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit Computer Account\nManagement\\\" with \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000004-GPOS-00004'\n tag 'satisfies': %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089\nSRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091\nSRG-OS-000303-GPOS-00120 SRG-OS-000476-GPOS-00221)\n tag 'gid': 'V-92985'\n tag 'rid': 'SV-103073r1_rule'\n tag 'stig_id': 'WN19-DC-000230'\n tag 'fix_id': 'F-99231r1_fix'\n tag 'cci': %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404\nCCI-001405 CCI-002130)\n tag 'nist': ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 
\"AC-2(4)\", 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.5\n describe.one do\n describe audit_policy do\n its('Computer Account Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Computer Account Management') { should eq 'Success and Failure' }\n end\n end\n when '2', '3'\n impact 0.0\n describe 'This applies to domain controllers. It is NA for other systems.' do\n skip 'This applies to domain controllers. It is NA for other systems.'\n end\n end\nend\n", + "code": "control \"V-92993\" do\n title \"Windows Server 2019 non-administrative accounts or groups must only\nhave print permissions on printer shares.\"\n desc \"Windows shares are a means by which files, folders, printers, and\nother resources can be published for network users to access. Improper\nconfiguration can permit access to devices and data beyond a user's need.\"\n desc \"rationale\", \"\"\n desc 'check', \"Open \\\"Printers & scanners\\\" in \\\"Settings\\\".\n\n If there are no printers configured, this is NA. 
(Exclude Microsoft Print\nto PDF and Microsoft XPS Document Writer, which do not support sharing.)\n\n For each printer:\n\n Select the printer and \\\"Manage\\\".\n\n Select \\\"Printer Properties\\\".\n\n Select the \\\"Sharing\\\" tab.\n\n If \\\"Share this printer\\\" is checked, select the \\\"Security\\\" tab.\n\n If any standard user accounts or groups have permissions other than\n\\\"Print\\\", this is a finding.\n\n The default is for the \\\"Everyone\\\" group to be given \\\"Print\\\" permission.\n\n \\\"All APPLICATION PACKAGES\\\" and \\\"CREATOR OWNER\\\" are not standard user\naccounts.\"\n desc 'fix', \"Configure the permissions on shared printers to restrict\nstandard users to only have Print permissions.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92993'\n tag 'rid': 'SV-103081r1_rule'\n tag 'stig_id': 'WN19-00-000180'\n tag 'fix_id': 'F-99239r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n \n describe \"A manual review is required to verify that Non Administrative user accounts or groups only have print\n permissions on printer shares\" do\n skip 'A manual review is required to verify that Non Administrative user accounts or groups only have print\n permissions on printer shares'\n end\n\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92989.rb", - "line": 2 + "ref": "./Windows 2019 STIG/controls/V-92993.rb", + "line": 3 }, - "id": "V-92989" + "id": "V-92993" }, { - "title": "Windows Server 2019 account lockout duration must be configured to 15\nminutes or greater.", - "desc": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. 
This parameter specifies the period of time\nthat an account will remain locked after the specified number of failed logon\nattempts.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat an account will remain locked after the specified number of failed logon\nattempts.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Account lockout duration\" is less than \"15\" minutes (excluding\n\"0\"), this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n\n If \"LockoutDuration\" is less than \"15\" (excluding \"0\") in the file,\nthis is a finding.\n\n Configuring this to \"0\", requiring an administrator to unlock the\naccount, is more restrictive and is not a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Account Policies >> Account Lockout Policy >> \"Account\nlockout duration\" to \"15\" minutes or greater.\n\n A value of \"0\" is also acceptable, requiring an administrator to 
unlock\nthe account." + "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name FLTLDR.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for FLTLDR.EXE:\n\n DEP:\n Enable: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000329-GPOS-00128", - "gid": "V-93145", - "rid": "SV-103233r1_rule", - "stig_id": "WN19-AC-000010", - "fix_id": "F-99391r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93331", + "rid": "SV-103419r1_rule", + "stig_id": "WN19-EP-000110", + "fix_id": "F-99577r1_fix", "cci": [ - "CCI-002238" + "CCI-000366" ], "nist": [ - "AC-7 b", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93145\" do\n title \"Windows Server 2019 account lockout duration must be configured to #{input('pass_lock_duration')}\nminutes or greater.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat an account will remain locked after the specified number of failed logon\nattempts.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Account lockout duration\\\" is less than \\\"#{input('pass_lock_duration')}\\\" minutes (excluding\n\\\"0\\\"), this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n\n If \\\"LockoutDuration\\\" is less than \\\"#{input('pass_lock_duration')}\\\" (excluding \\\"0\\\") in the file,\nthis is a finding.\n\n Configuring this to \\\"0\\\", requiring an administrator to unlock the\naccount, is more restrictive and is not a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Account Policies >> Account Lockout Policy >> \\\"Account\nlockout duration\\\" to \\\"#{input('pass_lock_duration')}\\\" minutes or greater.\n\n A value of \\\"0\\\" is also 
acceptable, requiring an administrator to unlock\nthe account.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 'SRG-OS-000329-GPOS-00128'\n tag gid: 'V-93145'\n tag rid: 'SV-103233r1_rule'\n tag stig_id: 'WN19-AC-000010'\n tag fix_id: 'F-99391r1_fix'\n tag cci: [\"CCI-002238\"]\n tag nist: [\"AC-7 b\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n \n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n pass_lock_duration = input('pass_lock_duration')\n describe.one do\n describe security_policy do\n its('LockoutDuration') { should be >= pass_lock_duration }\n end\n describe security_policy do\n its('LockoutDuration') { should cmp == 0 }\n end\n end\n end\nend\n", + "code": "control \"V-93331\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name FLTLDR.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for FLTLDR.EXE:\n\n DEP:\n Enable: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93331\"\n tag rid: \"SV-103419r1_rule\"\n tag stig_id: \"WN19-EP-000110\"\n tag fix_id: \"F-99577r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n fltldr = json({ command: \"Get-ProcessMitigation -Name FLTLDR.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif fltldr.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for FLTLDR.EXE\" do\n subject { fltldr }\n its(['Dep','Enable']) { should eq 1 }\n its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n its(['ChildProcess','DisallowChildProcessCreation']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93145.rb", + "ref": "./Windows 2019 STIG/controls/V-93331.rb", "line": 3 }, - "id": "V-93145" + "id": "V-93331" }, { "title": "Windows Server 2019 must be configured to audit Account Management -\nComputer Account Management successes.", 
@@ -6955,155 +7014,134 @@ "id": "V-92985" }, { - "title": "Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on.", - "desc": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate heap integrity\", are enabled by default at the system level. \"Validate heap integrity\" terminates a process when heap corruption is detected. If this is turned off, Windows may be subject to various exploits.", + "title": "Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.", + "desc": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.", "descriptions": { - "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate heap integrity\", are enabled by default at the system level. \"Validate heap integrity\" terminates a process when heap corruption is detected. If this is turned off, Windows may be subject to various exploits.", + "default": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.", "rationale": "", - "check": "This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which meets this requirement. 
The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"Heap: TerminateOnError\" is \"OFF\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Validate heap integrity\" is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Validate heap integrity\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Validate heap integrity on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft network server: Digitally sign communications (if client agrees)\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93319", - "rid": "SV-103407r1_rule", - "stig_id": "WN19-EP-000050", - "fix_id": "F-99565r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-93561", + "rid": "SV-103647r1_rule", + "stig_id": "WN19-SO-000200", + "fix_id": "F-99805r1_fix", "cci": [ - "CCI-000366" + "CCI-002418", + "CCI-002421" ], "nist": [ - "CM-6 b", + "SC-8", + "SC-8 (1)", "Rev_4" ] }, - "code": "control \"V-93319\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Validate heap integrity\\\", are enabled by default at the system level. \\\"Validate heap integrity\\\" terminates a process when heap corruption is detected. If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement. 
The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"Heap: TerminateOnError\\\" is \\\"OFF\\\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Validate heap integrity\\\" is turned on. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Validate heap integrity\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Validate heap integrity on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93319\"\n tag rid: \"SV-103407r1_rule\"\n tag stig_id: \"WN19-EP-000050\"\n tag fix_id: \"F-99565r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n systemheap = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemheap.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemheap).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemheap }\n its(['Heap','TerminateOnError']) { should be_between(0,1) }\n end\n end\nend", + "code": "control \"V-93561\" do\n title \"Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: EnableSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft network server: Digitally sign communications (if client agrees)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93561\"\n tag rid: \"SV-103647r1_rule\"\n tag stig_id: \"WN19-SO-000200\"\n tag fix_id: \"F-99805r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'EnableSecuritySignature' }\n its('EnableSecuritySignature') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93319.rb", + "ref": "./Windows 2019 STIG/controls/V-93561.rb", "line": 3 }, - "id": "V-93319" + "id": "V-93561" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n \n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name lync.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for lync.exe:\n\n 
DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Detect application installations and prompt for elevation\" to \"Enabled\"." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93341", - "rid": "SV-103429r1_rule", - "stig_id": "WN19-EP-000160", - "fix_id": "F-99587r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-93525", + "rid": "SV-103611r1_rule", + "stig_id": "WN19-SO-000420", + "fix_id": "F-99769r1_fix", "cci": [ - "CCI-000366" + "CCI-001084" ], "nist": [ - "CM-6 b", + "SC-3", "Rev_4" ] }, - "code": "control \"V-93341\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n \n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name lync.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for lync.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n 
EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93341\"\n tag rid: \"SV-103429r1_rule\"\n tag stig_id: \"WN19-EP-000160\"\n tag fix_id: \"F-99587r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n lync = json({ command: \"Get-ProcessMitigation -Name lync.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif lync.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for lync.exe\" do\n subject { lync }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93525\" do\n title \"Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting requires Windows to respond to application installation requests by prompting for credentials.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: EnableInstallerDetection\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Detect application installations and prompt for elevation\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93525\"\n tag rid: \"SV-103611r1_rule\"\n tag stig_id: \"WN19-SO-000420\"\n tag fix_id: \"F-99769r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'EnableInstallerDetection' }\n its('EnableInstallerDetection') { should cmp == 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93341.rb", + "ref": "./Windows 2019 STIG/controls/V-93525.rb", "line": 3 }, - "id": "V-93341" + "id": "V-93525" }, { - "title": "Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.", - "desc": 
"Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential.", + "title": "Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.", + "desc": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted.", "descriptions": { - "default": "Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential.", + "default": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowDigest\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \"Disallow Digest authentication\" to \"Enabled\"." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SealSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Digitally encrypt secure channel data (when possible)\" to \"Enabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000125-GPOS-00065", - "gid": "V-93505", - "rid": "SV-103591r1_rule", - "stig_id": "WN19-CC-000490", - "fix_id": "F-99749r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-93549", + "rid": "SV-103635r1_rule", + "stig_id": "WN19-SO-000070", + "fix_id": "F-99793r1_fix", "cci": [ - "CCI-000877" + "CCI-002418", + "CCI-002421" ], "nist": [ - "MA-4 c", + "SC-8", + "SC-8 (1)", "Rev_4" ] }, - "code": "control \"V-93505\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.\"\n desc \"Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. 
Disallowing Digest authentication will reduce this potential.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowDigest\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \\\"Disallow Digest authentication\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000125-GPOS-00065\"\n tag gid: \"V-93505\"\n tag rid: \"SV-103591r1_rule\"\n tag stig_id: \"WN19-CC-000490\"\n tag fix_id: \"F-99749r1_fix\"\n tag cci: [\"CCI-000877\"]\n tag nist: [\"MA-4 c\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowDigest' }\n its('AllowDigest') { should cmp == 0 }\n end\nend", + "code": "control \"V-93549\" do\n title \"Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SealSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Digitally encrypt secure channel data (when possible)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93549\"\n tag rid: \"SV-103635r1_rule\"\n tag stig_id: \"WN19-SO-000070\"\n tag fix_id: \"F-99793r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'SealSecureChannel' }\n its('SealSecureChannel') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93505.rb", + "ref": "./Windows 2019 STIG/controls/V-93549.rb", "line": 3 }, - "id": "V-93505" + "id": "V-93549" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.", "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name FLTLDR.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for FLTLDR.EXE:\n\n DEP:\n Enable: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit 
Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name OneDrive.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for OneDrive.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". 
It is recommended the file be in a read-only network location." }, "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93331", - "rid": "SV-103419r1_rule", - "stig_id": "WN19-EP-000110", - "fix_id": "F-99577r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", - "Rev_4" - ] - }, - "code": "control \"V-93331\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name FLTLDR.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for FLTLDR.EXE:\n\n DEP:\n Enable: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n 
EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Child Process:\n DisallowChildProcessCreation: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93331\"\n tag rid: \"SV-103419r1_rule\"\n tag stig_id: \"WN19-EP-000110\"\n tag fix_id: \"F-99577r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n fltldr = json({ command: \"Get-ProcessMitigation -Name FLTLDR.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif fltldr.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for FLTLDR.EXE\" do\n subject { fltldr }\n its(['Dep','Enable']) { should eq 1 }\n its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n its(['ChildProcess','DisallowChildProcessCreation']) { should eq 1 }\n end\n end\nend", - "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93331.rb", - "line": 3 - }, - "id": "V-93331" - }, - { - "title": "Windows Server 2019 File Explorer shell protocol must run in protected\nmode.", - "desc": "The shell protocol will limit the set of folders that applications can\nopen when run in protected mode. Restricting files an application can open to a\nlimited set of folders increases the security of Windows.", - "descriptions": { - "default": "The shell protocol will limit the set of folders that applications can\nopen when run in protected mode. 
Restricting files an application can open to a\nlimited set of folders increases the security of Windows.",
- "rationale": "",
- "check": "The default behavior is for shell protected mode to be turned on for File\nExplorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)",
- "fix": "The default behavior is for shell protected mode to be turned on for File\nExplorer.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> File\nExplorer >> \"Turn off shell protocol protected mode\" to \"Not Configured\" or\n\"Disabled\"."
- },
- "impact": 0.5,
- "refs": [],
- "tags": {
- "severity": null,
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93263",
- "rid": "SV-103351r1_rule",
- "stig_id": "WN19-CC-000330",
- "fix_id": "F-99509r1_fix",
+ "gid": "V-93349",
+ "rid": "SV-103437r1_rule",
+ "stig_id": "WN19-EP-000200",
+ "fix_id": "F-99595r1_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -7112,64 +7150,70 @@ "Rev_4" ] }, - "code": "control \"V-93263\" do\n title \"Windows Server 2019 File Explorer shell protocol must run in protected\nmode.\"\n desc \"The shell protocol will limit the set of folders that applications can\nopen when run in protected mode. Restricting files an application can open to a\nlimited set of folders increases the security of Windows.\"\n desc \"rationale\", \"\"\n desc 'check', \"The default behavior is for shell protected mode to be turned on for File\nExplorer.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\\n\n Value Name: PreXPSP2ShellProtocolBehavior\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc 'fix', \"The default behavior is for shell protected mode to be turned on for File\nExplorer.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> File\nExplorer >> \\\"Turn off shell protocol protected mode\\\" to \\\"Not Configured\\\" or\n\\\"Disabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93263'\n tag 'rid': 'SV-103351r1_rule'\n tag 'stig_id': 'WN19-CC-000330'\n tag 'fix_id': 'F-99509r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should_not have_property 'PreXPSP2ShellProtocolBehavior' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer') do\n it { should 
have_property 'PreXPSP2ShellProtocolBehavior' }\n its('PreXPSP2ShellProtocolBehavior') { should_not be 1 }\n its('PreXPSP2ShellProtocolBehavior') { should cmp 0 }\n end\n end\nend", + "code": "control \"V-93349\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name OneDrive.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for OneDrive.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n ImageLoad:\n BlockRemoteImageLoads: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with 
the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93349\"\n tag rid: \"SV-103437r1_rule\"\n tag stig_id: \"WN19-EP-000200\"\n tag fix_id: \"F-99595r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n onedrive = json({ command: \"Get-ProcessMitigation -Name OneDrive.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif onedrive.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for OneDrive.EXE\" do\n subject { onedrive }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93263.rb", + "ref": "./Windows 2019 STIG/controls/V-93349.rb", "line": 3 }, - "id": "V-93263" + "id": "V-93349" }, { - "title": "Windows Server 2019 must have a host-based intrusion detection or\nprevention system.", - "desc": "A properly configured Host-based Intrusion Detection System (HIDS) or\nHost-based Intrusion Prevention System (HIPS) provides another level of defense\nagainst unauthorized access to critical servers. With proper configuration and\nlogging enabled, such a system can stop and/or alert for many attempts to gain\nunauthorized access to resources.", + "title": "Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.", + "desc": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.", "descriptions": { - "default": "A properly configured Host-based Intrusion Detection System (HIDS) or\nHost-based Intrusion Prevention System (HIPS) provides another level of defense\nagainst unauthorized access to critical servers. With proper configuration and\nlogging enabled, such a system can stop and/or alert for many attempts to gain\nunauthorized access to resources.", + "default": "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.", "rationale": "", - "check": "Determine whether there is a HIDS or HIPS on each server.\n\n If the HIPS component of HBSS is installed and active on the host and the\nalerts of blocked activity are being logged and monitored, this meets the\nrequirement.\n\n A HIDS device is not required on a system that has the role as the Network\nIntrusion Device (NID). However, this exception needs to be documented with the\nISSO.\n\n If a HIDS is not installed on the system, this is a finding.", - "fix": "Install a HIDS or HIPS on each server." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Microsoft network client: Digitally sign communications (always)\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93219", - "rid": "SV-103307r1_rule", - "stig_id": "WN19-00-000120", - "fix_id": "F-99465r1_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-93555", + "rid": "SV-103641r1_rule", + "stig_id": "WN19-SO-000160", + "fix_id": "F-99799r1_fix", "cci": [ - "CCI-000366" + "CCI-002418", + "CCI-002421" ], "nist": [ - "CM-6 b", + "SC-8", + "SC-8 (1)", "Rev_4" ] }, - "code": "control \"V-93219\" do\n title \"Windows Server 2019 must have a host-based intrusion detection or\nprevention system.\"\n desc \"A properly configured Host-based Intrusion Detection System (HIDS) or\nHost-based Intrusion Prevention System (HIPS) provides another level of defense\nagainst unauthorized access to critical servers. With proper configuration and\nlogging enabled, such a system can stop and/or alert for many attempts to gain\nunauthorized access to resources.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine whether there is a HIDS or HIPS on each server.\n\n If the HIPS component of HBSS is installed and active on the host and the\nalerts of blocked activity are being logged and monitored, this meets the\nrequirement.\n\n A HIDS device is not required on a system that has the role as the Network\nIntrusion Device (NID). 
However, this exception needs to be documented with the\nISSO.\n\n If a HIDS is not installed on the system, this is a finding.\"\n desc 'fix', \"Install a HIDS or HIPS on each server.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93219'\n tag 'rid': 'SV-103307r1_rule'\n tag 'stig_id': 'WN19-00-000120'\n tag 'fix_id': 'F-99465r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe 'A manual review is required to determine whether this server has a host-based Intrusion Detection System installed' do\n skip 'A manual review is required to determine whether this server has a host-based Intrusion Detection System installed'\n end\nend\n", + "code": "control \"V-93555\" do\n title \"Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.\"\n desc \"The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters\\\\\n\n Value Name: RequireSecuritySignature\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Microsoft network client: Digitally sign communications (always)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93555\"\n tag rid: \"SV-103641r1_rule\"\n tag stig_id: \"WN19-SO-000160\"\n tag fix_id: \"F-99799r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\Parameters') do\n it { should have_property 'RequireSecuritySignature' }\n its('RequireSecuritySignature') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93219.rb", + "ref": "./Windows 2019 STIG/controls/V-93555.rb", "line": 3 }, - "id": "V-93219" + "id": "V-93555" }, { - "title": "Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.", - "desc": "Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. 
Anonymous users must not have these permissions or rights.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Let Everyone permissions apply to anonymous users\" to \"Disabled\"." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n \n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name lync.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for lync.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
 },
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93293",
- "rid": "SV-103381r1_rule",
- "stig_id": "WN19-SO-000240",
- "fix_id": "F-99539r1_fix",
+ "gid": "V-93341",
+ "rid": "SV-103429r1_rule",
+ "stig_id": "WN19-EP-000160",
+ "fix_id": "F-99587r1_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -7178,558 +7222,572 @@ "Rev_4" ] }, - "code": "control \"V-93293\" do\n title \"Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.\"\n desc \"Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: EveryoneIncludesAnonymous\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Let Everyone permissions apply to anonymous users\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93293\"\n tag rid: \"SV-103381r1_rule\"\n tag stig_id: \"WN19-SO-000240\"\n tag fix_id: \"F-99539r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'EveryoneIncludesAnonymous' }\n its('EveryoneIncludesAnonymous') { should cmp == 0 }\n end\nend", + "code": "control \"V-93341\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n \n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name lync.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for lync.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93341\"\n tag rid: \"SV-103429r1_rule\"\n tag stig_id: \"WN19-EP-000160\"\n tag fix_id: \"F-99587r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n lync = json({ command: \"Get-ProcessMitigation -Name lync.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif lync.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for lync.exe\" do\n subject { lync }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93293.rb", + "ref": "./Windows 2019 STIG/controls/V-93341.rb", "line": 3 }, - "id": "V-93293" + "id": "V-93341" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 must disable the Windows Installer Always install\nwith elevated privileges option.", + "desc": "Standard user accounts must not be granted elevated privileges.\nEnabling Windows Installer to elevate privileges when installing applications\ncan allow malicious persons and applications to gain full control of a system.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Standard user accounts must not be granted elevated privileges.\nEnabling Windows Installer to elevate privileges when installing applications\ncan allow malicious persons and applications to gain full control of a system.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name AcroRd32.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for AcroRd32.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n 
ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: AlwaysInstallElevated\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows Installer >> \"Always\ninstall with elevated privileges\" to \"Disabled\"." 
}, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93323", - "rid": "SV-103411r1_rule", - "stig_id": "WN19-EP-000070", - "fix_id": "F-99569r1_fix", + "gtitle": "SRG-OS-000362-GPOS-00149", + "gid": "V-93201", + "rid": "SV-103289r1_rule", + "stig_id": "WN19-CC-000430", + "fix_id": "F-99447r1_fix", "cci": [ - "CCI-000366" + "CCI-001812" ], "nist": [ - "CM-6 b", + "CM-11 (2)", "Rev_4" ] }, - "code": "control \"V-93323\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name AcroRd32.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for AcroRd32.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n 
EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93323\"\n tag rid: \"SV-103411r1_rule\"\n tag stig_id: \"WN19-EP-000070\"\n tag fix_id: \"F-99569r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n acroRd32 = json({ command: \"Get-ProcessMitigation -Name AcroRd32.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif acroRd32.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for AcroRd32.exe\" do\n subject { acroRd32 }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','BottomUp']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93201\" do\n title \"Windows Server 2019 must disable the Windows Installer Always install\nwith elevated privileges option.\"\n desc \"Standard user accounts must not be granted elevated privileges.\nEnabling Windows Installer to elevate privileges when installing applications\ncan allow malicious persons and applications to gain full control of a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: AlwaysInstallElevated\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows Installer >> \\\"Always\ninstall with elevated privileges\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000362-GPOS-00149'\n tag 'gid': 'V-93201'\n tag 'rid': 'SV-103289r1_rule'\n tag 'stig_id': 'WN19-CC-000430'\n tag 'fix_id': 'F-99447r1_fix'\n tag 'cci': [\"CCI-001812\"]\n tag 'nist': [\"CM-11 (2)\", \"Rev_4\"]\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'AlwaysInstallElevated' }\n its('AlwaysInstallElevated') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93323.rb", + "ref": "./Windows 2019 STIG/controls/V-93201.rb", "line": 3 }, - "id": "V-93323" + "id": "V-93201" }, { - "title": "Windows Server 2019 must have a host-based firewall installed and enabled.", - "desc": "A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.", + "title": "Windows Server 2019 must have the built-in Windows password complexity policy enabled.", + "desc": "The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names.", "descriptions": { - "default": "A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.", + "default": "The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names.", "rationale": "", - "check": "Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. The configuration requirements will be determined by the applicable firewall STIG.", - "fix": "Install and enable a host-based firewall on the system." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n \n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \"Password must meet complexity requirements\" is not set to \"Enabled\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"PasswordComplexity\" equals \"0\" in the file, this is a finding.\n\n Note: If an external password filter is in use that enforces all four character types and requires this setting to be set to \"Disabled\", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Password must meet complexity requirements\" to \"Enabled\"." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000480-GPOS-00231",
- "gid": "V-93571",
- "rid": "SV-103657r1_rule",
- "stig_id": "WN19-00-000280",
- "fix_id": "F-99815r1_fix",
+ "gtitle": "SRG-OS-000069-GPOS-00037",
+ "satisfies": [
+ "SRG-OS-000069-GPOS-00037",
+ "SRG-OS-000070-GPOS-00038",
+ "SRG-OS-000071-GPOS-00039",
+ "SRG-OS-000266-GPOS-00101"
+ ],
+ "gid": "V-93459",
+ "rid": "SV-103545r1_rule",
+ "stig_id": "WN19-AC-000080",
+ "fix_id": "F-99703r1_fix",
 "cci": [
- "CCI-000366",
- "CCI-002080"
+ "CCI-000192",
+ "CCI-000193",
+ "CCI-000194",
+ "CCI-001619"
 ],
 "nist": [
- "CM-6 b",
- "CA-3 (5)",
+ "IA-5 (1) (a)",
+ "IA-5 (1) (a)",
+ "IA-5 (1) (a)",
+ "IA-5 (1) (a)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93571\" do\n title \"Windows Server 2019 must have a host-based firewall installed and enabled.\"\n desc \"A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. 
The configuration requirements will be determined by the applicable firewall STIG.\"\n desc \"fix\", \"Install and enable a host-based firewall on the system.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00231\"\n tag gid: \"V-93571\"\n tag rid: \"SV-103657r1_rule\"\n tag stig_id: \"WN19-00-000280\"\n tag fix_id: \"F-99815r1_fix\"\n tag cci: [\"CCI-000366\", \"CCI-002080\"]\n tag nist: [\"CM-6 b\", \"CA-3 (5)\", \"Rev_4\"]\n\n query_domain = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Domain' } | Select Enabled | ConvertTo-Json\" }).params\n query_private = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Private' } | Select Enabled | ConvertTo-Json\" }).params\n query_public = json({ command: \"Get-WmiObject -NameSpace 'root\\\\standardcimv2' -Class MSFT_NetFirewallProfile | Where {$_.Name -Like 'Public' } | Select Enabled | ConvertTo-Json\" }).params\n \n describe.one do\n describe 'Windows Firewall should be Enabled' do\n subject { query_public[\"Enabled\"] }\n it 'The Public host-based firewall' do\n failure_message = \"is not Enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n describe 'Windows Firewall should be Enabled' do\n subject { query_private[\"Enabled\"] }\n it 'The Private host-based firewall' do\n failure_message = \"is not enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n describe 'Windows Firewall should be Enabled' do\n subject { query_domain[\"Enabled\"] }\n it 'The Domain host-based firewall' do\n failure_message = \"is not Enabled\"\n expect(subject).to eql(1), failure_message\n end\n end\n end\nend", + "code": "control \"V-93459\" do\n title \"Windows Server 2019 must have the built-in Windows password complexity policy enabled.\"\n desc \"The use of complex passwords increases their strength against attack. 
The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n \n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \\\"Password must meet complexity requirements\\\" is not set to \\\"Enabled\\\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"PasswordComplexity\\\" equals \\\"0\\\" in the file, this is a finding.\n\n Note: If an external password filter is in use that enforces all four character types and requires this setting to be set to \\\"Disabled\\\", this would not be considered a finding. 
If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Password must meet complexity requirements\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000069-GPOS-00037\"\n tag satisfies: [\"SRG-OS-000069-GPOS-00037\", \"SRG-OS-000070-GPOS-00038\", \"SRG-OS-000071-GPOS-00039\", \"SRG-OS-000266-GPOS-00101\"]\n tag gid: \"V-93459\"\n tag rid: \"SV-103545r1_rule\"\n tag stig_id: \"WN19-AC-000080\"\n tag fix_id: \"F-99703r1_fix\"\n tag cci: [\"CCI-000192\", \"CCI-000193\", \"CCI-000194\", \"CCI-001619\"]\n tag nist: [\"IA-5 (1) (a)\", \"IA-5 (1) (a)\", \"IA-5 (1) (a)\", \"IA-5 (1) (a)\", \"Rev_4\"]\n\n describe security_policy do\n its('PasswordComplexity') { should eq input('enable_password_complexity') }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93571.rb", + "ref": "./Windows 2019 STIG/controls/V-93459.rb", "line": 3 }, - "id": "V-93571" + "id": "V-93459" }, { - "title": "Windows Server 2019 organization created Active Directory\nOrganizational Unit (OU) objects must have proper access control permissions.", - "desc": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. 
If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service (DoS) to authorized users.", + "title": "Windows Server 2019 Explorer Data Execution Prevention must be enabled.", + "desc": "Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.", "descriptions": { - "default": "When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service (DoS) to authorized users.", + "default": "Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the permissions on domain-defined OUs.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n For each OU that is defined (folder in folder icon) excluding the Domain\nControllers OU:\n\n Right-click the OU and select \"Properties\".\n\n Select the \"Security\" tab.\n\n If the Allow type permissions on the OU are not at least as restrictive as\nthose below, this is a finding.\n\n The permissions shown are at the summary level. More detailed permissions\ncan be viewed by selecting the \"Advanced\" button, the desired Permission\nentry, and the \"Edit\" or \"View\" button.\n\n Except where noted otherwise, the special permissions may include a wide\nrange of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n\n Self - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The Special permissions for Authenticated Users are Read type. If detailed\npermissions include any Create, Delete, Modify, or Write Permissions or\nProperties, this is a finding.\n\n SYSTEM - Full Control\n\n Domain Admins - Full Control\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant\nset of policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The Special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes. 
If detailed permissions include any Create, Delete, Modify, or Write\nPermissions or Properties, this is a finding.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n If an ISSO-approved distributed administration model (help desk or other\nuser support staff) is implemented, permissions above Read may be allowed for\ngroups documented by the ISSO.\n\n If any OU with improper permissions includes identification or\nauthentication data (e.g., accounts, passwords, or password hash data) used by\nsystems to determine access control, the severity is CAT I (e.g., OUs that\ninclude user accounts, including service/application accounts).\n\n If an OU with improper permissions does not include identification and\nauthentication data used by systems to determine access control, the severity\nis CAT II (e.g., Workstation, Printer OUs).",
- "fix": "Maintain the Allow type permissions on domain-defined OUs to be at least as\nrestrictive as the defaults below.\n\n Document any additional permissions above Read with the ISSO if an approved\ndistributed administration model (help desk or other user support staff) is\nimplemented.\n\n CREATOR OWNER - Special permissions\n\n Self - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read type.\n\n SYSTEM - Full Control\n\n Domain Admins - Full Control\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant\nset of policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions"
+ "check": "The default behavior is for Data Execution Prevention to be turned on for File 
Explorer.\n If the registry value name below does not exist, this is not a finding.\n If it exists and is configured with a value of \"0\", this is not a finding.\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)",
+ "fix": "The default behavior is for data execution prevention to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> \"Turn off Data Execution Prevention for Explorer\" to \"Not Configured\" or \"Disabled\"."
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-93037",
- "rid": "SV-103125r1_rule",
- "stig_id": "WN19-DC-000110",
- "fix_id": "F-99283r1_fix",
+ "gtitle": "SRG-OS-000433-GPOS-00192",
+ "gid": "V-93563",
+ "rid": "SV-103649r1_rule",
+ "stig_id": "WN19-CC-000310",
+ "fix_id": "F-99807r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-002824"
 ],
 "nist": [
- "AC-6 (10)",
+ "SI-16",
 "Rev_4"
 ]
 },
- "code": "control \"V-93037\" do\n title \"Windows Server 2019 organization created Active Directory\nOrganizational Unit (OU) objects must have proper access control permissions.\"\n desc \"When directory service database objects do not have appropriate access\ncontrol permissions, it may be possible for malicious users to create, read,\nupdate, or delete the objects and degrade or destroy the integrity of the data.\nWhen the directory service is used for identification, authentication, or\nauthorization functions, a compromise of the database objects could lead to a\ncompromise of all systems that rely on the directory service.\n\n For Active Directory, the OU objects require special attention. 
In a\ndistributed administration model (i.e., help desk), OU objects are more likely\nto have access permissions changed from the secure defaults. If inappropriate\naccess permissions are defined for OU objects, it could allow an intruder to\nadd or delete users in the OU. This could result in unauthorized access to data\nor a denial of service (DoS) to authorized users.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the permissions on domain-defined OUs.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n For each OU that is defined (folder in folder icon) excluding the Domain\nControllers OU:\n\n Right-click the OU and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n If the Allow type permissions on the OU are not at least as restrictive as\nthose below, this is a finding.\n\n The permissions shown are at the summary level. More detailed permissions\ncan be viewed by selecting the \\\"Advanced\\\" button, the desired Permission\nentry, and the \\\"Edit\\\" or \\\"View\\\" button.\n\n Except where noted otherwise, the special permissions may include a wide\nrange of permissions and properties and are acceptable for this requirement.\n\n CREATOR OWNER - Special permissions\n\n Self - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The Special permissions for Authenticated Users are Read type. 
If detailed\npermissions include any Create, Delete, Modify, or Write Permissions or\nProperties, this is a finding.\n\n SYSTEM - Full Control\n\n Domain Admins - Full Control\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant\nset of policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The Special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes. If detailed permissions include any Create, Delete, Modify, or Write\nPermissions or Properties, this is a finding.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\n\n If an ISSO-approved distributed administration model (help desk or other\nuser support staff) is implemented, permissions above Read may be allowed for\ngroups documented by the ISSO.\n\n If any OU with improper permissions includes identification or\nauthentication data (e.g., accounts, passwords, or password hash data) used by\nsystems to determine access control, the severity is CAT I (e.g., OUs that\ninclude user accounts, including service/application accounts).\n\n If an OU with improper permissions does not include identification and\nauthentication data used by systems to determine access control, the severity\nis CAT II (e.g., Workstation, Printer OUs).\"\n desc 'fix', \"Maintain the Allow type permissions on domain-defined OUs to be at least as\nrestrictive as the defaults below.\n\n Document any additional permissions above Read with the ISSO if an approved\ndistributed administration model (help desk or other user support staff) is\nimplemented.\n\n CREATOR OWNER - Special permissions\n\n Self - Special permissions\n\n Authenticated Users - Read, Special permissions\n\n The special permissions for Authenticated Users are Read type.\n\n SYSTEM - Full Control\n\n Domain 
Admins - Full Control\n\n Enterprise Admins - Full Control\n\n Key Admins - Special permissions\n\n Enterprise Key Admins - Special permissions\n\n Administrators - Read, Write, Create all child objects, Generate resultant\nset of policy (logging), Generate resultant set of policy (planning), Special\npermissions\n\n Pre-Windows 2000 Compatible Access - Special permissions\n\n The special permissions for Pre-Windows 2000 Compatible Access are for Read\ntypes.\n\n ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93037'\n tag 'rid': 'SV-103125r1_rule'\n tag 'stig_id': 'WN19-DC-000110'\n tag 'fix_id': 'F-99283r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-Json').params\n ou_list = json(command: \"Get-ADOrganizationalUnit -filter * -SearchBase '#{distinguishedName}' | Select-Object -ExpandProperty distinguishedname | ConvertTo-Json\").params\n if ou_list.is_a?(String)\n ou_list = []\n ou_list << json(command: \"Get-ADOrganizationalUnit -filter * -SearchBase '#{distinguishedName}' | Select-Object -ExpandProperty distinguishedname | ConvertTo-Json\").params\n end\n exclude_dc = json(command: \"Get-ADOrganizationalUnit -filter * -SearchBase '#{distinguishedName}' | Where-Object {$_.distinguishedname -like 'OU=Domain Controllers,#{distinguishedName}'} | Select-Object -ExpandProperty distinguishedname | ConvertTo-Json\").params\n ou_list.delete(exclude_dc)\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n if ou_list.empty?\n impact 0.0\n describe 'This control is not applicable as no domain-defined OUs were found (excluding the Domain Controllers OU)' do\n 
skip 'This control is not applicable as no domain-defined OUs were found (excluding the Domain Controllers OU)'\n end\n else\n ou_list.each do |ou|\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'#{ou}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\ENTERPRISE DOMAIN CONTROLLERS\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericRead\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\Authenticated Users\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericRead\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SYSTEM\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should cmp \"CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Pre-Windows 2000 Compatible Access\" }\n its(['ActiveDirectoryRights']) { should cmp \"ListChildren\"}\n end\n end\n end\n describe.one do\n 
acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Enterprise Admins\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"ReadProperty, WriteProperty, ExtendedRight\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"ReadProperty, WriteProperty\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n end\n end\n end\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['IdentityReference']) { should cmp \"NT AUTHORITY\\\\SELF\" }\n its(['ActiveDirectoryRights']) { should cmp \"Self\"}\n end\n end\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this 
control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend",
+ "code": "control \"V-93563\" do\n title \"Windows Server 2019 Explorer Data Execution Prevention must be enabled.\"\n desc \"Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.\"\n desc \"rationale\", \"\"\n desc \"check\", \"The default behavior is for Data Execution Prevention to be turned on for File Explorer.\n If the registry value name below does not exist, this is not a finding.\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for data execution prevention to be turned on for File Explorer. 
If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> \\\"Turn off Data Execution Prevention for Explorer\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000433-GPOS-00192\"\n tag gid: \"V-93563\"\n tag rid: \"SV-103649r1_rule\"\n tag stig_id: \"WN19-CC-000310\"\n tag fix_id: \"F-99807r1_fix\"\n tag cci: [\"CCI-002824\"]\n tag nist: [\"SI-16\", \"Rev_4\"]\n\n describe.one do \n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should_not have_property 'NoDataExecutionPrevention' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoDataExecutionPrevention' }\n its('NoDataExecutionPrevention') { should_not cmp 1 }\n its('NoDataExecutionPrevention') { should cmp 0 }\n end\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93037.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93563.rb",
 "line": 3
 },
- "id": "V-93037"
+ "id": "V-93563"
 },
 {
- "title": "Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.",
- "desc": "The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.",
+ "title": "Windows Server 2019 Modify firmware environment values user right must\nonly be assigned to the Administrators group.",
+ "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Modify firmware environment values\" user right can\nchange hardware configuration environment variables. 
This could result in\nhardware failures or a denial of service.",
 "descriptions": {
- "default": "The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.",
+ "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Modify firmware environment values\" user right can\nchange hardware configuration environment variables. This could result in\nhardware failures or a denial of service.",
 "rationale": "",
- "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)",
- "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Do not store LAN Manager hash value on next password change\" to \"Enabled\"." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Modify\nfirmware environment values\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeSystemEnvironmentPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Modify\nfirmware environment values\" to include only the following accounts or groups:\n\n - Administrators"
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000073-GPOS-00041",
- "gid": "V-93467",
- "rid": "SV-103553r1_rule",
- "stig_id": "WN19-SO-000300",
- "fix_id": "F-99711r1_fix",
+ "gtitle": "SRG-OS-000324-GPOS-00125",
+ "gid": "V-93079",
+ "rid": "SV-103167r1_rule",
+ "stig_id": "WN19-UR-000180",
+ "fix_id": "F-99325r1_fix",
 "cci": [
- "CCI-000196"
+ "CCI-002235"
 ],
 "nist": [
- "IA-5 (1) (c)",
+ "AC-6 (10)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93467\" do\n title \"Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.\"\n desc \"The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. 
This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Do not store LAN Manager hash value on next password change\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000073-GPOS-00041\"\n tag gid: \"V-93467\"\n tag rid: \"SV-103553r1_rule\"\n tag stig_id: \"WN19-SO-000300\"\n tag fix_id: \"F-99711r1_fix\"\n tag cci: [\"CCI-000196\"]\n tag nist: [\"IA-5 (1) (c)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'NoLMHash' }\n its('NoLMHash') { should cmp == 1 }\n end\nend",
+ "code": "control \"V-93079\" do\n title \"Windows Server 2019 Modify firmware environment values user right must\nonly be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Modify firmware environment values\\\" user right can\nchange hardware configuration environment variables. 
This could result in\nhardware failures or a denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Modify\nfirmware environment values\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeSystemEnvironmentPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Modify\nfirmware environment values\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93079'\n tag 'rid': 'SV-103167r1_rule'\n tag 'stig_id': 'WN19-UR-000180'\n tag 'fix_id': 'F-99325r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeSystemEnvironmentPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n",
 "source_location": 
{
- "ref": "./Windows 2019 STIG/controls/V-93467.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93079.rb",
 "line": 3
 },
- "id": "V-93467"
+ "id": "V-93079"
 },
 {
- "title": "Windows Server 2019 AutoPlay must be disabled for all drives.",
- "desc": "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Enabling this policy disables AutoPlay on all drives.",
+ "title": "Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.",
+ "desc": "If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\n Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.",
 "descriptions": {
- "default": "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables AutoPlay on all drives.",
+ "default": "If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\n Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.",
 "rationale": "",
- "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\\n\n Value Name: NoDriveTypeAutoRun\n\n Type: REG_DWORD\n Value: 0x000000ff (255)",
- "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \"Turn off AutoPlay\" to \"Enabled\" with \"All Drives\" selected."
+ "check": "Review temporary user accounts for expiration dates.\n Determine if temporary user accounts are used and identify any that exist. 
If none exist, this is NA.\n\n Domain Controllers:\n Open \"PowerShell\".\n Enter \"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\".\n If \"AccountExpirationDate\" has not been defined within 72 hours for any temporary user account, this is a finding.\n\n Member servers and standalone systems:\n Open \"Command Prompt\".\n Run \"Net user [username]\", where [username] is the name of the temporary user account.\n If \"Account expires\" has not been defined within 72 hours for any temporary user account, this is a finding.",
+ "fix": "Configure temporary user accounts to automatically expire within 72 hours.\n Domain accounts can be configured with an account expiration date, under \"Account\" properties.\n Local accounts can be configured to expire with the command \"Net user [username] /expires:[mm/dd/yyyy]\", where username is the name of the temporary user account.\n Delete any temporary user accounts that are no longer necessary."
 },
- "impact": 0.7,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000368-GPOS-00154",
- "gid": "V-93377",
- "rid": "SV-103463r1_rule",
- "stig_id": "WN19-CC-000230",
- "fix_id": "F-99621r1_fix",
+ "gtitle": "SRG-OS-000002-GPOS-00002",
+ "gid": "V-92975",
+ "rid": "SV-103063r1_rule",
+ "stig_id": "WN19-00-000300",
+ "fix_id": "F-99221r1_fix",
 "cci": [
- "CCI-001764"
+ "CCI-000016"
 ],
 "nist": [
- "CM-7 (2)",
+ "AC-2 (2)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93377\" do\n title \"Windows Server 2019 AutoPlay must be disabled for all drives.\"\n desc \"Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables AutoPlay on all drives.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\policies\\\\Explorer\\\\\n\n Value Name: NoDriveTypeAutoRun\n\n Type: REG_DWORD\n Value: 0x000000ff (255)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> \\\"Turn off AutoPlay\\\" to \\\"Enabled\\\" with \\\"All Drives\\\" selected.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000368-GPOS-00154\"\n tag gid: \"V-93377\"\n tag rid: \"SV-103463r1_rule\"\n tag stig_id: \"WN19-CC-000230\"\n tag fix_id: \"F-99621r1_fix\"\n tag cci: [\"CCI-001764\"]\n tag nist: [\"CM-7 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer') do\n it { should have_property 'NoDriveTypeAutoRun' }\n its('NoDriveTypeAutoRun') { should cmp == 255 }\n end\nend",
+ "code": "control 'V-92975' do\n title \"Windows Server 2019 must automatically remove or disable temporary user accounts after #{input('temporary_account_period')*24} hours.\"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. 
To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\n Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a #{input('org_name')[:acronym]}-defined time period of #{input('temporary_account_period')*24} hours.\n To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.\"\n desc 'rationale', ''\n desc 'check', \"Review temporary user accounts for expiration dates.\n Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA.\n\n Domain Controllers:\n Open \\\"PowerShell\\\".\n Enter \\\"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\\\".\n If \\\"AccountExpirationDate\\\" has not been defined within #{input('temporary_account_period')*24} hours for any temporary user account, this is a finding.\n\n Member servers and standalone systems:\n Open \\\"Command Prompt\\\".\n Run \\\"Net user [username]\\\", where [username] is the name of the temporary user account.\n If \\\"Account expires\\\" has not been defined within #{input('temporary_account_period')*24} hours for any temporary user account, this is a finding.\"\n desc 'fix', \"Configure temporary user accounts to automatically expire within #{input('temporary_account_period')*24} hours.\n Domain accounts can be configured with an account expiration date, under \\\"Account\\\" properties.\n Local accounts can be configured to expire with the command \\\"Net user [username] /expires:[mm/dd/yyyy]\\\", where username is the name of the temporary user account.\n Delete any temporary user accounts that are no longer 
necessary.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000002-GPOS-00002'\n tag 'gid': 'V-92975'\n tag 'rid': 'SV-103063r1_rule'\n tag 'stig_id': 'WN19-00-000300'\n tag 'fix_id': 'F-99221r1_fix'\n tag 'cci': ['CCI-000016']\n tag 'nist': ['AC-2 (2)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n expiring_accounts = []\n temporary_accounts = input('temp_accounts_domain')\n unless temporary_accounts == [nil]\n temporary_accounts.each do |temporary_account|\n expiring_accounts << json({ command: \"Get-ADUser -Identity #{temporary_account} -Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\" }).params\n end\n end\n ad_accounts = json({ command: \"Get-ADUser -Filter 'Enabled -eq $true' -Properties WhenCreated, AccountExpirationDate | Select-Object -Property SamAccountName, @{Name='WhenCreated';Expression={$_.WhenCreated.ToString('yyyy-MM-dd')}}, @{Name='AccountExpirationDate';Expression={$_.AccountExpirationDate.ToString('yyyy-MM-dd')}}| ConvertTo-Json\" }).params\n if ad_accounts.empty?\n impact 0.0\n describe 'This control is not applicable as no user accounts were found' do\n skip 'This control is not applicable as no user accounts were found'\n end\n else\n case ad_accounts\n when Hash # One user account\n if ad_accounts.fetch('AccountExpirationDate').nil?\n impact 0.0\n describe 'This control is not applicable as no expiring user accounts were found' do\n skip 'This control is not applicable as no expiring user accounts were found'\n end\n else\n expiring_accounts << ad_accounts unless expiring_accounts.any? 
{ |h| h['SamAccountName'] == ad_accounts.fetch('SamAccountName') }\n end\n when Array # Multiple user accounts\n ad_accounts.each do |ad_account|\n next if ad_account.fetch('AccountExpirationDate').nil?\n expiring_accounts << ad_account unless expiring_accounts.any? { |h| h['SamAccountName'] == ad_account.fetch('SamAccountName') }\n end\n end\n end\n if expiring_accounts.empty?\n impact 0.0\n describe 'This control is not applicable as no expiring user accounts were found' do\n skip 'This control is not applicable as no expiring user accounts were found'\n end\n else\n expiring_accounts.each do |expiring_account|\n account_name = expiring_account.fetch('SamAccountName')\n if expiring_account.fetch(\"WhenCreated\") == nil\n describe \"#{account_name} account's creation date\" do\n subject { expiring_account.fetch(\"WhenCreated\") }\n it { should_not eq nil}\n end\n elsif expiring_account.fetch(\"AccountExpirationDate\") == nil\n describe \"#{account_name} account's expiration date\" do\n subject { expiring_account.fetch(\"AccountExpirationDate\") }\n it { should_not eq nil}\n end\n else \n creation_date = Date.parse(expiring_account.fetch('WhenCreated'))\n expiration_date = Date.parse(expiring_account.fetch('AccountExpirationDate'))\n date_difference = expiration_date.mjd - creation_date.mjd\n describe \"Account expiration set for #{account_name}\" do\n subject { date_difference }\n it { should cmp <= input('temporary_account_period') }\n end\n end\n end\n end\n else\n expiring_users = []\n temporary_accounts = input('temp_accounts_local')\n unless temporary_accounts == [nil]\n temporary_accounts.each do |temporary_account|\n expiring_users << json({ command: \"Get-LocalUser -Name #{temporary_account} | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\" }).params\n end\n end\n local_users = json({ command: 
\"Get-LocalUser * | Select-Object -Property Name, @{Name='PasswordLastSet';Expression={$_.PasswordLastSet.ToString('yyyy-MM-dd')}}, @{Name='AccountExpires';Expression={$_.AccountExpires.ToString('yyyy-MM-dd')}} | ConvertTo-Json\" }).params\n if local_users.empty?\n impact 0.0\n describe 'This control is not applicable as no user accounts were found' do\n skip 'This control is not applicable as no user accounts were found'\n end\n else\n case local_users\n when Hash # One user account\n if local_users.fetch('AccountExpires').nil? || local_user.fetch('PasswordLastSet').nil?\n impact 0.0\n describe 'This control is not applicable as no expiring user accounts with password last set date were found' do\n skip 'This control is not applicable as no expiring user accounts password last set date were found'\n end\n else\n expiring_users << local_users unless expiring_users.any? { |h| h['Name'] == local_users.fetch('Name') }\n end\n when Array # Multiple user accounts\n local_users.each do |local_user|\n next if local_user.fetch('AccountExpires').nil? || local_user.fetch('PasswordLastSet').nil?\n expiring_users << local_user unless expiring_users.any? 
{ |h| h['Name'] == local_user.fetch('Name') }\n end\n end\n end\n if expiring_users.empty?\n impact 0.0\n describe 'This control is not applicable as no expiring user accounts with password last set date were found' do\n skip 'This control is not applicable as no expiring user accounts with password last set date were found'\n end\n else\n expiring_users.each do |expiring_account|\n user_name = expiring_account.fetch('Name')\n if expiring_account.fetch(\"PasswordLastSet\") == nil\n describe \"#{user_name} account's password last set date\" do\n subject { expiring_account.fetch(\"PasswordLastSet\") }\n it { should_not eq nil}\n end\n elsif expiring_account.fetch(\"AccountExpires\") == nil\n describe \"#{user_name} account's expiration date\" do\n subject { expiring_account.fetch(\"AccountExpires\") }\n it { should_not eq nil}\n end\n else\n password_date = Date.parse(expiring_account.fetch('PasswordLastSet'))\n expiration_date = Date.parse(expiring_account.fetch('AccountExpires'))\n date_difference = expiration_date.mjd - password_date.mjd\n describe \"Account expiration set for #{user_name}\" do\n subject { date_difference }\n it { should cmp <= input('temporary_account_period') }\n end\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93377.rb", + "ref": "./Windows 2019 STIG/controls/V-92975.rb", "line": 3 }, - "id": "V-93377" + "id": "V-92975" }, { - "title": "Windows Server 2019 Active Directory Group Policy objects must be\nconfigured with proper audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. 
A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes Group Policy objects. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "title": "Windows Server 2019 must be configured to audit Account Management -\nSecurity Group Management successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\nchanging security groups, including changes in group members.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. 
A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes Group Policy objects. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\nchanging security groups, including changes in group members.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for all Group Policy objects.\n\n Open \"Group Policy Management\" (available from various menus or run\n\"gpmc.msc\").\n\n Navigate to \"Group Policy Objects\" in the domain being reviewed (Forest\n>> Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the \"Delegation\" tab in the right pane.\n\n Select the \"Advanced\" button.\n\n Select the \"Advanced\" button again and then the \"Auditing\" tab.\n\n If the audit settings for any Group Policy object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\ngroupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\nObject. Where Special is listed in the summary screens for Access, detailed\nPermissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\nProperties: all \"Write\" type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance -\nWrite gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects", - "fix": "Configure the audit settings for Group Policy objects to include the\nfollowing:\n\n This can be done at the Policy level in Active Directory to apply to all\ngroup policies.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Select \"Advanced Features\" from the \"View\" Menu.\n\n Navigate to [Domain] >> System >> Policies in the left 
panel.\n\n Right click \"Policies\", select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button.\n\n Select the \"Auditing\" tab.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\ngroupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\nObject. Where Special is listed in the summary screens for Access, detailed\nPermissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\nProperties: all \"Write\" type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance -\nWrite gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects" + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Security Group Management - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit Security Group\nManagement\" with 
\"Success\" selected." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000004-GPOS-00004", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" ], - "gid": "V-93121", - "rid": "SV-103209r1_rule", - "stig_id": "WN19-DC-000170", - "fix_id": "F-99367r1_fix", + "gid": "V-92979", + "rid": "SV-103067r1_rule", + "stig_id": "WN19-AU-000100", + "fix_id": "F-99225r1_fix", "cci": [ + "CCI-000018", "CCI-000172", - "CCI-002234" + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" ], "nist": [ + "AC-2 (4)", "AU-12 c", - "AC-6 (9)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2 (4)", + "AC-2(4)", "Rev_4" ] }, - "code": "control \"V-93121\" do\n title \"Windows Server 2019 Active Directory Group Policy objects must be\nconfigured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes Group Policy objects. 
Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for all Group Policy objects.\n\n Open \\\"Group Policy Management\\\" (available from various menus or run\n\\\"gpmc.msc\\\").\n\n Navigate to \\\"Group Policy Objects\\\" in the domain being reviewed (Forest\n>> Domains >> Domain).\n\n For each Group Policy object:\n\n Select the Group Policy object item in the left pane.\n\n Select the \\\"Delegation\\\" tab in the right pane.\n\n Select the \\\"Advanced\\\" button.\n\n Select the \\\"Advanced\\\" button again and then the \\\"Auditing\\\" tab.\n\n If the audit settings for any Group Policy object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\ngroupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\nObject. 
Where Special is listed in the summary screens for Access, detailed\nPermissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\nProperties: all \\\"Write\\\" type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance -\nWrite gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects\"\n desc 'fix', \"Configure the audit settings for Group Policy objects to include the\nfollowing:\n\n This can be done at the Policy level in Active Directory to apply to all\ngroup policies.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Select \\\"Advanced Features\\\" from the \\\"View\\\" Menu.\n\n Navigate to [Domain] >> System >> Policies in the left panel.\n\n Right click \\\"Policies\\\", select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button.\n\n Select the \\\"Auditing\\\" tab.\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Applies to - This object and all descendant objects or Descendant\ngroupPolicyContainer objects\n\n The three Success types listed below are defaults inherited from the Parent\nObject. 
Where Special is listed in the summary screens for Access, detailed\nPermissions are provided for reference.\n\n Type - Success\n Principal - Everyone\n Access - Special (Permissions: Write all properties, Modify permissions;\nProperties: all \\\"Write\\\" type selected)\n Inherited from - Parent Object\n Applies to - Descendant groupPolicyContainer objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - blank (Permissions: none selected; Properties: one instance -\nWrite gPLink, one instance - Write gPOptions)\n Inherited from - Parent Object\n Applies to - Descendant Organization Unit Objects\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93121'\n tag 'rid': 'SV-103209r1_rule'\n tag 'stig_id': 'WN19-DC-000170'\n tag 'fix_id': 'F-99367r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedNames = json(command: \"Get-ADObject -Filter { objectclass -eq 'groupPolicyContainer'} | foreach {$_.DistinguishedName} | ConvertTo-JSON\").params\n distinguishedNames.each do |distinguishedName|\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n if acl_rules.is_a?(Hash)\n acl_rules = [JSON.parse(acl_rules.to_json)]\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n 
its(['ActiveDirectoryRights']) { should cmp \"GenericAll\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, WriteDacl\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"All\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\" }\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-92979\" do\n title \"Windows Server 2019 must be configured to audit Account Management -\nSecurity Group Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\nchanging security groups, including changes in group members.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Security Group Management - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit Security Group\nManagement\\\" with \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000004-GPOS-00004'\n tag 'satisfies': [\"SRG-OS-000004-GPOS-00004\", \"SRG-OS-000239-GPOS-00089\",\n\"SRG-OS-000240-GPOS-00090\", \"SRG-OS-000241-GPOS-00091\",\n\"SRG-OS-000303-GPOS-00120\", \"SRG-OS-000476-GPOS-00221\"]\n tag 'gid': 'V-92979'\n tag 'rid': 'SV-103067r1_rule'\n tag 'stig_id': 'WN19-AU-000100'\n tag 'fix_id': 'F-99225r1_fix'\n tag 'cci': [\"CCI-000018\", \"CCI-000172\", \"CCI-001403\", \"CCI-001404\",\n\"CCI-001405\", \"CCI-002130\"]\n tag 'nist': [\"AC-2 (4)\", \"AU-12 c\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2(4)\", 
\"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Security Group Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security Group Management') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93121.rb", + "ref": "./Windows 2019 STIG/controls/V-92979.rb", "line": 3 }, - "id": "V-93121" + "id": "V-92979" }, { - "title": "Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.", - "desc": "To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.", + "title": "Windows Server 2019 must be configured to audit Object Access - Other\nObject Access Events failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.", "descriptions": { - "default": "To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.", "rationale": "", - "check": "The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks.\n Open \"Windows PowerShell\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\root | Where Subject -Like \"*DoD*\" | FL Subject, Thumbprint, NotAfter\n If the following certificate \"Subject\" and \"Thumbprint\" information is not displayed, this is a finding.\n If an expired certificate (\"NotAfter\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately, use the Certificates MMC snap-in:\n Run \"MMC\".\n Select \"File\", \"Add/Remove Snap-in\".\n Select \"Certificates\" and click \"Add\".\n Select \"Computer account\" and click \"Next\".\n Select \"Local computer: (the computer this console is running on)\" and click \"Finish\".\n Click \"OK\".\n Expand \"Certificates\" and navigate to \"Trusted Root Certification Authorities >> Certificates\".\n For each of the DoD Root CA certificates noted below:\n Right-click on the certificate and select \"Open\".\n Select the \"Details\" Tab.\n Scroll to the bottom and select \"Thumbprint\".\n If the DoD Root CA certificates below are not listed or the value for the \"Thumbprint\" field is not as noted, this is a finding.\n If an expired certificate (\"Valid to\" date) is not listed in the results, this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041", - "fix": "Install the DoD Root CA certificates:\n\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Other Object Access Events - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \"Audit Other Object Access Events\"\nwith \"Failure\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000066-GPOS-00034", - "satisfies": [ - "SRG-OS-000066-GPOS-00034", - "SRG-OS-000403-GPOS-00182" - ], - "gid": "V-93487", - "rid": "SV-103573r1_rule", - "stig_id": "WN19-PK-000010", - "fix_id": "F-99731r1_fix", + "gtitle": "SRG-OS-000470-GPOS-00214", + "gid": "V-93165", + "rid": "SV-103253r1_rule", + "stig_id": "WN19-AU-000230", + "fix_id": "F-99411r1_fix", "cci": [ - "CCI-000185", - "CCI-002470" + "CCI-000172" ], "nist": [ - "IA-5 (2) (a)", - "SC-23 (5)", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93487\" do\n title \"Windows Server 2019 must have the #{input('org_name')[:acronym]} Root Certificate Authority (CA) certificates installed in the Trusted Root Store.\"\n desc \"To ensure secure #{input('org_name')[:acronym]} websites and #{input('org_name')[:acronym]}-signed code are properly validated, the system must trust the #{input('org_name')[:acronym]} Root CAs. 
The #{input('org_name')[:acronym]} root certificates will ensure that the trust chain is established for server certificates issued from the #{input('org_name')[:acronym]} CAs.\"\n desc \"rationale\", \"\"\n desc \"check\", \"The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks.\n Open \\\"Windows PowerShell\\\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\\\root | Where Subject -Like \\\"*DoD*\\\" | FL Subject, Thumbprint, NotAfter\n If the following certificate \\\"Subject\\\" and \\\"Thumbprint\\\" information is not displayed, this is a finding.\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n NotAfter: 12/5/2029\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n NotAfter: 12/30/2029\n\n Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n NotAfter: 7/25/2032\n\n Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n NotAfter: 6/14/2041\n\n Alternately, use the Certificates MMC snap-in:\n Run \\\"MMC\\\".\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n Select \\\"Certificates\\\" and click \\\"Add\\\".\n Select \\\"Computer account\\\" and click \\\"Next\\\".\n Select \\\"Local computer: (the computer this console is running on)\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Expand \\\"Certificates\\\" and navigate to \\\"Trusted Root Certification Authorities >> Certificates\\\".\n For each of the DoD Root CA certificates noted below:\n Right-click on the certificate and select \\\"Open\\\".\n Select the \\\"Details\\\" Tab.\n Scroll to the bottom and select \\\"Thumbprint\\\".\n If the DoD Root CA certificates below are not listed or the value for the \\\"Thumbprint\\\" field is not as noted, this is a finding.\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results, this is not a finding.\n\n DoD Root CA 2\n Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561\n Valid to: Wednesday, December 5, 2029\n\n DoD Root CA 3\n Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB\n Valid to: Sunday, December 30, 2029\n\n DoD Root CA 4\n Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026\n Valid to: Sunday, July 25, 2032\n\n DoD Root CA 5\n Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B\n Valid to: Friday, June 14, 2041\"\n desc \"fix\", \"Install the DoD Root CA certificates:\n\n DoD Root CA 2\n DoD Root CA 3\n DoD Root CA 4\n DoD Root CA 5\n\n The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag satisfies: [\"SRG-OS-000066-GPOS-00034\", \"SRG-OS-000403-GPOS-00182\"]\n tag gid: \"V-93487\"\n tag rid: \"SV-103573r1_rule\"\n tag stig_id: \"WN19-PK-000010\"\n tag fix_id: \"F-99731r1_fix\"\n tag cci: [\"CCI-000185\", \"CCI-002470\"]\n tag nist: [\"IA-5 
(2) (a)\", \"SC-23 (5)\", \"Rev_4\"]\n\n if input('sensitive_system') == true\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_interoperability_certificates = JSON.parse(input('dod_interoperability_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\root | Where Subject -Like \"*DoD*\" | Select Subject, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' }).params\n \n describe 'Verify DoD Root Certificate Authority (CA) certificates are installed in the Trusted Root Store.' do\n subject { query }\n it { should be_in dod_interoperability_certificates }\n end\n \n unless query.empty?\n case query\n when Hash\n query.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n when Array\n query.each do |certs|\n certs.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n end\n end\n end\n end\nend", + "code": "control \"V-93165\" do\n title \"Windows Server 2019 must be configured to audit Object Access - Other\nObject Access Events failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Other Object Access Events - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\"\nwith \\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93165'\n tag 'rid': 'SV-103253r1_rule'\n tag 'stig_id': 'WN19-AU-000230'\n tag 'fix_id': 'F-99411r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93487.rb", + "ref": "./Windows 2019 STIG/controls/V-93165.rb", "line": 3 
}, - "id": "V-93487" + "id": "V-93165" }, { - "title": "Windows Server 2019 must not save passwords in the Remote Desktop Client.", - "desc": "Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.", + "title": "Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.", + "desc": "An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.", "descriptions": { - "default": "Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.", + "default": "An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. 
However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: DisablePasswordSaving\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> \"Do not allow passwords to be saved\" to \"Enabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Accounts: Limit local account use of blank passwords to console logon only\" to \"Enabled\"." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-93425", - "rid": "SV-103511r1_rule", - "stig_id": "WN19-CC-000340", - "fix_id": "F-99669r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93279", + "rid": "SV-103367r1_rule", + "stig_id": "WN19-SO-000020", + "fix_id": "F-99525r1_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93425\" do\n title \"Windows Server 2019 must not save passwords in the Remote Desktop Client.\"\n desc \"Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: DisablePasswordSaving\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> \\\"Do not allow passwords to be saved\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93425\"\n tag rid: \"SV-103511r1_rule\"\n tag stig_id: \"WN19-CC-000340\"\n tag fix_id: \"F-99669r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { 
should have_property 'DisablePasswordSaving' }\n its('DisablePasswordSaving') { should cmp == 1 }\n end\nend", + "code": "control \"V-93279\" do\n title \"Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.\"\n desc \"An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: LimitBlankPasswordUse\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Accounts: Limit local account use of blank passwords to console logon only\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93279\"\n tag rid: \"SV-103367r1_rule\"\n tag stig_id: \"WN19-SO-000020\"\n tag fix_id: \"F-99525r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\Currentcontrolset\\\\Control\\\\Lsa') do\n it { should have_property 'Limitblankpassworduse' }\n its('Limitblankpassworduse') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93425.rb", + "ref": "./Windows 2019 STIG/controls/V-93279.rb", "line": 3 }, - "id": "V-93425" + "id": "V-93279" }, { - "title": "Windows Server 2019 must have the US DoD CCEB Interoperability Root CA 
cross-certificates in the Untrusted Certificates Store on unclassified systems.", - "desc": "To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.", + "title": "Windows Server 2019 administrator accounts must not be enumerated during elevation.", + "desc": "Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.", "descriptions": { - "default": "To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.", + "default": "Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.", "rationale": "", - "check": "This is applicable to unclassified systems. 
It is NA for others.\n Open \"PowerShell\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\disallowed | Where Issuer -Like \"*CCEB Interoperability*\" | FL Subject, Issuer, Thumbprint, NotAfter\n If the following certificate \"Subject\", \"Issuer\", and \"Thumbprint\" information is not displayed, this is a finding.\n If an expired certificate (\"NotAfter\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n NotAfter: 3/9/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately, use the Certificates MMC snap-in:\n Run \"MMC\".\n Select \"File\", \"Add/Remove Snap-in\".\n Select \"Certificates\" and click \"Add\".\n Select \"Computer account\" and click \"Next\".\n Select \"Local computer: (the computer this console is running on)\" and click \"Finish\".\n Click \"OK\".\n Expand \"Certificates\" and navigate to \"Untrusted Certificates >> Certificates\".\n For each certificate with \"US DoD CCEB Interoperability Root CA ...\" under \"Issued By\":\n Right-click on the certificate and select \"Open\".\n Select the \"Details\" Tab.\n Scroll to the bottom and select \"Thumbprint\".\n If the certificate below is not listed or the value for the \"Thumbprint\" field is not as noted, this is a finding.\n If an expired certificate (\"Valid to\" date) is not listed in the results, this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: US DoD CCEB Interoperability Root CA 1\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n Valid to: Saturday, March 9, 2019\n\n Issued To: DoD Root CA 3\n 
Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019", - "fix": "Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\\n\n Value Name: EnumerateAdministrators\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> \"Enumerate administrator accounts on elevation\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000066-GPOS-00034", - "satisfies": [ - "SRG-OS-000066-GPOS-00034", - "SRG-OS-000403-GPOS-00182" - ], - "gid": "V-93491", - "rid": "SV-103577r1_rule", - "stig_id": "WN19-PK-000030", - "fix_id": "F-99735r1_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-93517", + "rid": "SV-103603r1_rule", + "stig_id": "WN19-CC-000240", + "fix_id": "F-99761r1_fix", "cci": [ - "CCI-000185", - "CCI-002470" + "CCI-001084" ], "nist": [ - "IA-5 (2) (a)", - "SC-23 (5)", + "SC-3", "Rev_4" ] }, - "code": "control \"V-93491\" do\n title \"Windows Server 2019 must have the US #{input('org_name')[:acronym]} CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.\"\n desc \"To ensure users do not experience denial of service when performing certificate-based authentication to #{input('org_name')[:acronym]} websites due to the system chaining to a root other than #{input('org_name')[:acronym]} Root CAs, the US #{input('org_name')[:acronym]} CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems. It is NA for others.\n Open \\\"PowerShell\\\" as an administrator.\n Execute the following command:\n Get-ChildItem -Path Cert:Localmachine\\\\disallowed | Where Issuer -Like \\\"*CCEB Interoperability*\\\" | FL Subject, Issuer, Thumbprint, NotAfter\n If the following certificate \\\"Subject\\\", \\\"Issuer\\\", and \\\"Thumbprint\\\" information is not displayed, this is a finding.\n If an expired certificate (\\\"NotAfter\\\" date) is not listed in the results, this is not a finding.\n\n Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. 
Government, C=US\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n NotAfter: 3/9/2019\n\n Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n NotAfter: 9/27/2019\n\n Alternately, use the Certificates MMC snap-in:\n Run \\\"MMC\\\".\n Select \\\"File\\\", \\\"Add/Remove Snap-in\\\".\n Select \\\"Certificates\\\" and click \\\"Add\\\".\n Select \\\"Computer account\\\" and click \\\"Next\\\".\n Select \\\"Local computer: (the computer this console is running on)\\\" and click \\\"Finish\\\".\n Click \\\"OK\\\".\n Expand \\\"Certificates\\\" and navigate to \\\"Untrusted Certificates >> Certificates\\\".\n For each certificate with \\\"US DoD CCEB Interoperability Root CA ...\\\" under \\\"Issued By\\\":\n Right-click on the certificate and select \\\"Open\\\".\n Select the \\\"Details\\\" Tab.\n Scroll to the bottom and select \\\"Thumbprint\\\".\n If the certificate below is not listed or the value for the \\\"Thumbprint\\\" field is not as noted, this is a finding.\n If an expired certificate (\\\"Valid to\\\" date) is not listed in the results, this is not a finding.\n\n Issued To: DoD Root CA 2\n Issued By: US DoD CCEB Interoperability Root CA 1\n Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n Valid to: Saturday, March 9, 2019\n\n Issued To: DoD Root CA 3\n Issuer by: US DoD CCEB Interoperability Root CA 2\n Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n Valid: Friday, September 27, 2019\"\n desc \"fix\", \"Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems.\n\n Issued To - Issued By - Thumbprint\n DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3\n\n DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E\n\n Administrators should run the Federal 
Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user.\n\n The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag satisfies: [\"SRG-OS-000066-GPOS-00034\", \"SRG-OS-000403-GPOS-00182\"]\n tag gid: \"V-93491\"\n tag rid: \"SV-103577r1_rule\"\n tag stig_id: \"WN19-PK-000030\"\n tag fix_id: \"F-99735r1_fix\"\n tag cci: [\"CCI-000185\", \"CCI-002470\"]\n tag nist: [\"IA-5 (2) (a)\", \"SC-23 (5)\", \"Rev_4\"]\n\n if input('sensitive_system') == 'true'\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n else\n dod_cceb_certificates = JSON.parse(input('dod_cceb_certificates').to_json)\n query = json({ command: 'Get-ChildItem -Path Cert:Localmachine\\\\\\\\disallowed | Where {$_.Issuer -Like \"*CCEB Interoperability*\"} | Select Subject, Issuer, Thumbprint, @{Name=\\'NotAfter\\';Expression={\"{0:dddd, MMMM dd, yyyy}\" -f [datetime]$_.NotAfter}} | ConvertTo-Json' })\n\n describe 'Verify the DoD CCEB CA certificates are installed as Untrusted Certificate.' 
do\n subject { query.params }\n it { should be_in dod_cceb_certificates }\n end\n\n unless query.empty?\n case query\n when Hash\n query.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n when Array\n query.each do |certs|\n certs.each do |key, value|\n if key == \"NotAfter\"\n cert_date = Date.parse(value)\n describe cert_date do\n it { should be >= Date.today }\n end\n end\n end\n end\n end\n end\n end\nend", + "code": "control \"V-93517\" do\n title \"Windows Server 2019 administrator accounts must not be enumerated during elevation.\"\n desc \"Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI\\\\\n\n Value Name: EnumerateAdministrators\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> \\\"Enumerate administrator accounts on elevation\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93517\"\n tag rid: \"SV-103603r1_rule\"\n tag stig_id: \"WN19-CC-000240\"\n tag fix_id: \"F-99761r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI') do\n it { should have_property 'EnumerateAdministrators' }\n its('EnumerateAdministrators') { should cmp == 0 
}\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93491.rb", + "ref": "./Windows 2019 STIG/controls/V-93517.rb", "line": 3 }, - "id": "V-93491" + "id": "V-93517" }, { - "title": "Windows Server 2019 Debug programs: user right must only be assigned\nto the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Debug programs\" user right can attach a debugger to\nany process or to the kernel, providing complete access to sensitive and\ncritical operating system components. This right is given to Administrators in\nthe default configuration.", + "title": "Windows Server 2019 system files must be monitored for unauthorized\nchanges.", + "desc": "Monitoring system files for changes against a baseline on a regular\nbasis may help detect the possible introduction of malicious code on a system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Debug programs\" user right can attach a debugger to\nany process or to the kernel, providing complete access to sensitive and\ncritical operating system components. 
This right is given to Administrators in\nthe default configuration.", + "default": "Monitoring system files for changes against a baseline on a regular\nbasis may help detect the possible introduction of malicious code on a system.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Debug\nprograms\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \"SeDebugPrivilege\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for application accounts with this user right must be protected\nas highly privileged accounts.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Debug\nprograms\" to include only the following accounts or groups:\n\n - Administrators" + "check": "Determine whether the system is monitored for unauthorized changes to\nsystem files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline\non a weekly basis.\n\n If system files are not monitored for unauthorized changes, this is a\nfinding.\n\n A properly configured HBSS Policy Auditor 5.2 or 
later File Integrity\nMonitor (FIM) module will meet the requirement for file integrity checking. The\nAsset module within HBSS does not meet this requirement.", + "fix": "Monitor the system for unauthorized changes to system files\n(e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly\nbasis. This can be done with the use of various monitoring tools." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93065", - "rid": "SV-103153r1_rule", - "stig_id": "WN19-UR-000100", - "fix_id": "F-99311r1_fix", + "gtitle": "SRG-OS-000363-GPOS-00150", + "gid": "V-93203", + "rid": "SV-103291r1_rule", + "stig_id": "WN19-00-000220", + "fix_id": "F-99449r1_fix", "cci": [ - "CCI-002235" + "CCI-001744" ], "nist": [ - "AC-6 (10)", + "CM-3 (5)", "Rev_4" ] }, - "code": "control \"V-93065\" do\n title \"Windows Server 2019 Debug programs: user right must only be assigned\nto the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Debug programs\\\" user right can attach a debugger to\nany process or to the kernel, providing complete access to sensitive and\ncritical operating system components. 
This right is given to Administrators in\nthe default configuration.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Debug\nprograms\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \\\"SeDebugPrivilege\\\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for application accounts with this user right must be protected\nas highly privileged accounts.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Debug\nprograms\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93065'\n tag 'rid': 'SV-103153r1_rule'\n tag 'stig_id': 'WN19-UR-000100'\n tag 'fix_id': 'F-99311r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a 
manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeDebugPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control \"V-93203\" do\n title \"Windows Server 2019 system files must be monitored for unauthorized\nchanges.\"\n desc \"Monitoring system files for changes against a baseline on a regular\nbasis may help detect the possible introduction of malicious code on a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine whether the system is monitored for unauthorized changes to\nsystem files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline\non a weekly basis.\n\n If system files are not monitored for unauthorized changes, this is a\nfinding.\n\n A properly configured HBSS Policy Auditor 5.2 or later File Integrity\nMonitor (FIM) module will meet the requirement for file integrity checking. The\nAsset module within HBSS does not meet this requirement.\"\n desc 'fix', \"Monitor the system for unauthorized changes to system files\n(e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly\nbasis. 
This can be done with the use of various monitoring tools.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000363-GPOS-00150'\n tag 'gid': 'V-93203'\n tag 'rid': 'SV-103291r1_rule'\n tag 'stig_id': 'WN19-00-000220'\n tag 'fix_id': 'F-99449r1_fix'\n tag 'cci': [\"CCI-001744\"]\n tag 'nist': [\"CM-3 (5)\", \"Rev_4\"]\n\n describe 'A manual review is required to ensure system files are monitored for unauthorized changes' do\n skip 'A manual review is required to ensure system files are monitored for unauthorized changes'\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93065.rb", + "ref": "./Windows 2019 STIG/controls/V-93203.rb", "line": 3 }, - "id": "V-93065" + "id": "V-93203" }, { - "title": "Windows Server 2019 audit records must be backed up to a different\nsystem or media than the system being audited.", - "desc": "Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.", + "title": "Windows Server 2019 must prevent NTLM from falling back to a Null session.", + "desc": "NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.", "descriptions": { - "default": "Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.", + "default": "NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.", "rationale": "", - "check": "Determine if a process to back up log data to a different system or media\nthan the system being audited has been implemented.\n\n If it has not, this is a finding.", - "fix": "Establish and implement a process for backing up log data to\nanother system or media other than the system being audited." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0\\\n\n Value Name: allownullsessionfallback\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Allow LocalSystem NULL session fallback\" to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000342-GPOS-00133", - "gid": "V-93183", - "rid": "SV-103271r1_rule", - "stig_id": "WN19-AU-000010", - "fix_id": "F-99429r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93297", + "rid": "SV-103385r1_rule", + "stig_id": "WN19-SO-000270", + "fix_id": "F-99543r1_fix", "cci": [ - "CCI-001851" + "CCI-000366" ], "nist": [ - "AU-4 (1)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93183\" do\n title \"Windows Server 2019 audit records must be backed up to a different\nsystem or media than the system being audited.\"\n desc \"Protection of log data includes assuring the log data is not\naccidentally lost or deleted. 
Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine if a process to back up log data to a different system or media\nthan the system being audited has been implemented.\n\n If it has not, this is a finding.\"\n desc 'fix', \"Establish and implement a process for backing up log data to\nanother system or media other than the system being audited.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000342-GPOS-00133'\n tag 'gid': 'V-93183'\n tag 'rid': 'SV-103271r1_rule'\n tag 'stig_id': 'WN19-AU-000010'\n tag 'fix_id': 'F-99429r1_fix'\n tag 'cci': [\"CCI-001851\"]\n tag 'nist': [\"AU-4 (1)\", \"Rev_4\"]\n\n describe 'A manual review is required to verify audit records are being backed up onto a different system or media than the system being audited' do\n skip 'A manual review is required to verify audit records are being backed up onto a different system or media than the system being audited'\n end\nend\n", + "code": "control \"V-93297\" do\n title \"Windows Server 2019 must prevent NTLM from falling back to a Null session.\"\n desc \"NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\MSV1_0\\\\\n\n Value Name: allownullsessionfallback\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Allow LocalSystem NULL session fallback\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93297\"\n tag rid: 
\"SV-103385r1_rule\"\n tag stig_id: \"WN19-SO-000270\"\n tag fix_id: \"F-99543r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'allownullsessionfallback' }\n its('allownullsessionfallback') { should cmp == 0 }\n end \nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93183.rb", + "ref": "./Windows 2019 STIG/controls/V-93297.rb", "line": 3 }, - "id": "V-93183" + "id": "V-93297" }, { - "title": "Windows Server 2019 must be configured to require a strong session key.", - "desc": "A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems.", + "title": "Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.", + "desc": "Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ensuring the machine changes its password monthly.", "descriptions": { - "default": "A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems.", + "default": "Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. 
This must be set to no more than 30 days, ensuring the machine changes its password monthly.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n This setting may prevent a system from being joined to a domain if not configured consistently between systems.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Require strong (Windows 2000 or Later) session key\" to \"Enabled\"." + "check": "This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, but not 0)", + "fix": "This is the default configuration for this setting (30 days).\n Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Maximum machine account password age\" to \"30\" or less (excluding \"0\", which is unacceptable)." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-93553", - "rid": "SV-103639r1_rule", - "stig_id": "WN19-SO-000110", - "fix_id": "F-99797r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93285", + "rid": "SV-103373r1_rule", + "stig_id": "WN19-SO-000100", + "fix_id": "F-99531r1_fix", "cci": [ - "CCI-002418", - "CCI-002421" + "CCI-000366" ], "nist": [ - "SC-8", - "SC-8 (1)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93553\" do\n title \"Windows Server 2019 must be configured to require a strong session key.\"\n desc \"A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: RequireStrongKey\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\n\n This setting may prevent a system from being joined to a domain if not configured consistently between systems.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Require strong (Windows 2000 or Later) session key\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93553\"\n tag rid: \"SV-103639r1_rule\"\n tag stig_id: \"WN19-SO-000110\"\n tag fix_id: \"F-99797r1_fix\"\n 
tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'RequireStrongKey' }\n its('RequireStrongKey') { should cmp == 1 }\n end\nend", + "code": "control \"V-93285\" do\n title \"Windows Server 2019 maximum age for machine account passwords must be configured to #{input('maximum_password_age_machine')} days or less.\"\n desc \"Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than #{input('maximum_password_age_machine')} days, ensuring the machine changes its password monthly.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is the default configuration for this setting (#{input('maximum_password_age_machine')} days).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x000000#{input('maximum_password_age_machine').to_s(16)} (#{input('maximum_password_age_machine')}) (or less, but not 0)\"\n desc \"fix\", \"This is the default configuration for this setting (#{input('maximum_password_age_machine')} days).\n Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Maximum machine account password age\\\" to \\\"#{input('maximum_password_age_machine')}\\\" or less (excluding \\\"0\\\", which is unacceptable).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93285\"\n tag rid: \"SV-103373r1_rule\"\n tag stig_id: \"WN19-SO-000100\"\n tag fix_id: \"F-99531r1_fix\"\n tag 
cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'MaximumPasswordAge' }\n its('MaximumPasswordAge') { should be_between(1,input('maximum_password_age_machine')) }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93553.rb", + "ref": "./Windows 2019 STIG/controls/V-93285.rb", "line": 3 }, - "id": "V-93553" + "id": "V-93285" }, { - "title": "Windows Server 2019 Deny log on locally user right on domain\ncontrollers must be configured to prevent unauthenticated access.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on locally\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "title": "Windows Server 2019 members of the Backup Operators group must have\nseparate accounts for backup duties and normal operational tasks.", + "desc": "Backup Operators are able to read and write to any file in the system,\nregardless of the rights assigned to it. Backup and restore rights permit users\nto circumvent the file access restrictions present on NTFS disk drives for\nbackup and restore purposes. Members of the Backup Operators group must have\nseparate logon accounts for performing backup duties.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on locally\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "default": "Backup Operators are able to read and write to any file in the system,\nregardless of the rights assigned to it. 
Backup and restore rights permit users\nto circumvent the file access restrictions present on NTFS disk drives for\nbackup and restore purposes. Members of the Backup Operators group must have\nseparate logon accounts for performing backup duties.", "rationale": "", - "check": "This applies to domain controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nlocally\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the\n\"SeDenyInteractiveLogonRight\" user right, this is a finding:\n\n S-1-5-32-546 (Guests)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non locally\" to include the following:\n\n - Guests Group" + "check": "If no accounts are members of the Backup Operators group, this is NA.\n\n Verify users with accounts in the Backup Operators group have a separate\nuser account for backup functions and for performing normal user tasks.\n\n If users with accounts in the Backup Operators group do not have separate\naccounts for backup functions and standard user functions, this is a finding.", + "fix": "Ensure each member of the Backup Operators group has separate\naccounts for backup functions and standard user functions." 
}, "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93005", - "rid": "SV-103093r1_rule", - "stig_id": "WN19-DC-000400", - "fix_id": "F-99251r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93207", + "rid": "SV-103295r1_rule", + "stig_id": "WN19-00-000040", + "fix_id": "F-99453r1_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93005\" do\n title \"Windows Server 2019 Deny log on locally user right on domain\ncontrollers must be configured to prevent unauthenticated access.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on locally\\\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nlocally\\\" user right, this is a finding:\n\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SID(s) are not defined for the\n\\\"SeDenyInteractiveLogonRight\\\" user right, this is a finding:\n\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"\n Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non locally\\\" to include the following:\n\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93005'\n tag 'rid': 'SV-103093r1_rule'\n tag 'stig_id': 'WN19-DC-000400'\n tag 'fix_id': 'F-99251r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n else\n impact 0.0\n describe 
'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93207\" do\n title \"Windows Server 2019 members of the Backup Operators group must have\nseparate accounts for backup duties and normal operational tasks.\"\n desc \"Backup Operators are able to read and write to any file in the system,\nregardless of the rights assigned to it. Backup and restore rights permit users\nto circumvent the file access restrictions present on NTFS disk drives for\nbackup and restore purposes. Members of the Backup Operators group must have\nseparate logon accounts for performing backup duties.\"\n desc \"rationale\", \"\"\n desc 'check', \"If no accounts are members of the Backup Operators group, this is NA.\n\n Verify users with accounts in the Backup Operators group have a separate\nuser account for backup functions and for performing normal user tasks.\n\n If users with accounts in the Backup Operators group do not have separate\naccounts for backup functions and standard user functions, this is a finding.\"\n desc 'fix', \"Ensure each member of the Backup Operators group has separate\naccounts for backup functions and standard user functions.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93207'\n tag 'rid': 'SV-103295r1_rule'\n tag 'stig_id': 'WN19-00-000040'\n tag 'fix_id': 'F-99453r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n backup_operators_group = command(\"net localgroup 'Backup Operators' | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n backup_operators = input('backup_operators')\n if backup_operators_group.empty?\n impact 0.0\n describe 'Backup Operators Group Empty' do\n skip 'The control is 
N/A as there are no users in the Backup Operators group'\n end\n else\n backup_operators_group.each do |user|\n describe user do\n it { should be_in backup_operators }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93005.rb", + "ref": "./Windows 2019 STIG/controls/V-93207.rb", "line": 3 }, - "id": "V-93005" + "id": "V-93207" }, { - "title": "Windows Server 2019 Create permanent shared objects user right must\nnot be assigned to any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create permanent shared objects\" user right could\nexpose sensitive data by creating shared objects.", + "title": "Windows Server 2019 must be configured to audit Account Management -\nOther Account Management Events successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\npassword hash or the Password Policy Checking API being called.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create permanent shared objects\" user right could\nexpose sensitive data by creating shared objects.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\npassword hash or the Password Policy Checking API being called.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Create permanent shared\nobjects\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeCreatePermanentPrivilege\" user right, this\nis a finding.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Create permanent shared objects\" to be defined but containing\nno entries (blank)." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding:\n\n Account Management >> Other Account Management Events - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit Other Account Management\nEvents\" with \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93061", - "rid": "SV-103149r1_rule", - "stig_id": "WN19-UR-000080", - "fix_id": "F-99307r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000466-GPOS-00210" + ], + "gid": "V-93089", + "rid": "SV-103177r1_rule", + "stig_id": "WN19-AU-000090", + "fix_id": "F-99335r1_fix", "cci": [ - "CCI-002235" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-6 (10)", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93061\" do\n title \"Windows Server 2019 Create permanent shared objects user right must\nnot be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Create permanent shared objects\\\" user right could\nexpose sensitive data by creating shared objects.\"\n desc \"rationale\", \"\"\n desc 
'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Create permanent shared\nobjects\\\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeCreatePermanentPrivilege\\\" user right, this\nis a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Create permanent shared objects\\\" to be defined but containing\nno entries (blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93061'\n tag 'rid': 'SV-103149r1_rule'\n tag 'stig_id': 'WN19-UR-000080'\n tag 'fix_id': 'F-99307r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeCreatePermanentPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control \"V-93089\" do\n title \"Windows Server 2019 must be configured to audit Account Management -\nOther Account Management Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, 
troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\npassword hash or the Password Policy Checking API being called.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding:\n\n Account Management >> Other Account Management Events - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit Other Account Management\nEvents\\\" with \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000064-GPOS-00033\",\n\"SRG-OS-000462-GPOS-00206\", \"SRG-OS-000466-GPOS-00210\"]\n tag 'gid': 'V-93089'\n tag 'rid': 'SV-103177r1_rule'\n tag 'stig_id': 'WN19-AU-000090'\n tag 'fix_id': 'F-99335r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n 
its('Other Account Management Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Other Account Management Events') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93061.rb", + "ref": "./Windows 2019 STIG/controls/V-93089.rb", "line": 3 }, - "id": "V-93061" + "id": "V-93089" }, { - "title": "Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Increase scheduling priority\" user right can change a scheduling priority, causing performance issues or a denial of service.", + "title": "Windows Server 2019 Active Directory AdminSDHolder object must be\nconfigured with proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the AdminSDHolder object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Increase scheduling priority\" user right can change a scheduling priority, causing performance issues or a denial of service.",
+ "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the AdminSDHolder object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.",
 "rationale": "",
- "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \"Increase scheduling priority\" user right, this is a finding:\n - Administrators\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \"SeIncreaseBasePriorityPrivilege\" user right, this is a finding:\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).",
- "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \"Increase scheduling priority\" to include only the following accounts or groups:\n - Administrators"
+ "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for the \"AdminSDHolder\" object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select \"System\" under the domain being reviewed in the left pane.\n\n Right-click the \"AdminSDHolder\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the \"AdminSDHolder\" object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects", + "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select \"System\" under the domain being reviewed in the left pane.\n\n Right-click the \"AdminSDHolder\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for AdminSDHolder object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n 
Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects"
 },
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-93073",
- "rid": "SV-103161r1_rule",
- "stig_id": "WN19-UR-000140",
- "fix_id": "F-99319r1_fix",
+ "gtitle": "SRG-OS-000327-GPOS-00127",
+ "satisfies": [
+ "SRG-OS-000327-GPOS-00127",
+ "SRG-OS-000458-GPOS-00203",
+ "SRG-OS-000463-GPOS-00207",
+ "SRG-OS-000468-GPOS-00212"
+ ],
+ "gid": "V-93129",
+ "rid": "SV-103217r1_rule",
+ "stig_id": "WN19-DC-000210",
+ "fix_id": "F-99375r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-000172",
+ "CCI-002234"
 ],
 "nist": [
- "AC-6 (10)",
+ "AU-12 c",
+ "AC-6 (9)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93073\" do\n title \"Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \\\"Increase scheduling priority\\\" user right can change a scheduling priority, causing performance issues or a denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local 
Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \\\"Increase scheduling priority\\\" user right, this is a finding:\n - Administrators\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \\\"SeIncreaseBasePriorityPrivilege\\\" user right, this is a finding:\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Increase scheduling priority\\\" to include only the following accounts or groups:\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93073'\n tag 'rid': 'SV-103161r1_rule'\n tag 'stig_id': 'WN19-UR-000140'\n tag 'fix_id': 'F-99319r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeIncreaseBasePriorityPrivilege') { should eq ['S-1-5-32-544'] 
}\n end\n end\nend", + "code": "control \"V-93129\" do\n title \"Windows Server 2019 Active Directory AdminSDHolder object must be\nconfigured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the AdminSDHolder object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Review the auditing configuration for the \\\"AdminSDHolder\\\" object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select \\\"System\\\" under the domain being reviewed in the left pane.\n\n Right-click the \\\"AdminSDHolder\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the \\\"AdminSDHolder\\\" object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n desc 'fix', \"Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select \\\"System\\\" under the domain being reviewed in the left pane.\n\n Right-click the \\\"AdminSDHolder\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for AdminSDHolder object 
to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Write all properties, Modify permissions, Modify owner)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93129'\n tag 'rid': 'SV-103217r1_rule'\n tag 'stig_id': 'WN19-DC-000210'\n tag 'fix_id': 'F-99375r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=AdminSDHolder,CN=System,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one 
do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, WriteDacl, WriteOwner\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93073.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93129.rb",
 "line": 3
 },
- "id": "V-93073"
+ "id": "V-93129"
 },
 {
- "title": "Windows Server 2019 users must be notified if a web-based program\nattempts to install software.",
- "desc": "Web-based programs may attempt to install malicious software on a\nsystem. Ensuring users are notified if a web-based program attempts to install\nsoftware allows them to refuse the installation.",
+ "title": "Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.",
+ "desc": "Exploit protection enables mitigations against potential threats at the system and application level. 
Several mitigations, including \"Validate exception chains (SEHOP)\", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.",
 "descriptions": {
- "default": "Web-based programs may attempt to install malicious software on a\nsystem. Ensuring users are notified if a web-based program attempts to install\nsoftware allows them to refuse the installation.",
+ "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate exception chains (SEHOP)\", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.",
 "rationale": "",
- "check": "The default behavior is for Internet Explorer to warn users and select\nwhether to allow or refuse installation when a web-based program attempts to\ninstall software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)",
- "fix": "The default behavior is for Internet Explorer to warn users and select\nwhether to allow or refuse installation when a web-based program attempts to\ninstall software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> 
Windows\nInstaller >> \"Prevent Internet Explorer security prompt for Windows Installer\nscripts\" to \"Not Configured\" or \"Disabled\"."
+ "check": "This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"SEHOP: Enable\" is \"OFF\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)",
+ "fix": "Ensure Exploit Protection system-level mitigation, \"Validate exception chains (SEHOP)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Validate exception chains (SEHOP)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn SEHOP on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93267",
- "rid": "SV-103355r1_rule",
- "stig_id": "WN19-CC-000440",
- "fix_id": "F-99513r1_fix",
+ "gid": "V-93317",
+ "rid": "SV-103405r1_rule",
+ "stig_id": "WN19-EP-000040",
+ "fix_id": "F-99563r1_fix",
 "cci": [
 "CCI-000366"
 ], 
@@ -7738,313 +7796,306 @@
 "Rev_4"
 ]
 },
- "code": "control \"V-93267\" do\n title \"Windows Server 2019 users must be notified if a web-based program\nattempts to install software.\"\n desc \"Web-based programs may attempt to install malicious software on a\nsystem. Ensuring users are notified if a web-based program attempts to install\nsoftware allows them to refuse the installation.\"\n desc \"rationale\", \"\"\n desc 'check', \"The default behavior is for Internet Explorer to warn users and select\nwhether to allow or refuse installation when a web-based program attempts to\ninstall software on the system.\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: SafeForScripting\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc 'fix', \"The default behavior is for Internet Explorer to warn users and select\nwhether to allow or refuse installation when a web-based program attempts to\ninstall software on the system.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> Windows\nInstaller >> \\\"Prevent Internet Explorer security prompt for Windows Installer\nscripts\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93267'\n tag 'rid': 'SV-103355r1_rule'\n tag 'stig_id': 'WN19-CC-000440'\n tag 'fix_id': 'F-99513r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should_not 
have_property 'SafeForScripting' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'SafeForScripting' }\n its('SafeForScripting') { should_not cmp 1 }\n its('SafeForScripting') { should cmp 0 }\n end\n end\nend\n", + "code": "control \"V-93317\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Validate exception chains (SEHOP)\\\", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement. The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"SEHOP: Enable\\\" is \\\"OFF\\\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Validate exception chains (SEHOP)\\\", is turned on. 
The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Validate exception chains (SEHOP)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn SEHOP on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93317\"\n tag rid: \"SV-103405r1_rule\"\n tag stig_id: \"WN19-EP-000040\"\n tag fix_id: \"F-99563r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n systemsehop = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' 
do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemsehop.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemsehop).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemsehop }\n its(['SEHOP','Enable']) { should be_between(0,1) }\n end\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93267.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93317.rb",
 "line": 3
 },
- "id": "V-93267"
+ "id": "V-93317"
 },
 {
- "title": "Windows Server 2019 permissions for the Application event log must\nprevent access by non-privileged accounts.",
- "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nApplication event log may be susceptible to tampering if proper permissions are\nnot applied.",
+ "title": "Windows Server 2019 must have Secure Boot enabled.",
+ "desc": "Secure Boot is a standard that ensures systems boot only to a trusted\noperating system. Secure Boot is required to support additional security\nfeatures in Windows, including Virtualization Based Security and Credential\nGuard. If Secure Boot is turned off, these security features will not function.",
 "descriptions": {
- "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. 
The\nApplication event log may be susceptible to tampering if proper permissions are\nnot applied.",
+ "default": "Secure Boot is a standard that ensures systems boot only to a trusted\noperating system. Secure Boot is required to support additional security\nfeatures in Windows, including Virtualization Based Security and Credential\nGuard. If Secure Boot is turned off, these security features will not function.",
 "rationale": "",
- "check": "Navigate to the Application event log file.\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\"\nfolder. However, the logs may have been moved to another folder.\n\n If the permissions for the \"Application.evtx\" file are not as restrictive\nas the default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control",
- "fix": "Configure the permissions on the Application event log file\n(Application.evtx) to prevent access by non-privileged accounts. The default\npermissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \"NT Service\\Eventlog\"."
+ "check": "Some older systems may not have UEFI firmware. This is currently a CAT III;\nit will be raised in severity at a future date when broad support of Windows\nhardware and firmware requirements are expected to be met. 
Devices that have\nUEFI firmware must have Secure Boot enabled.\n\n Run \"System Information\".\n\n Under \"System Summary\", if \"Secure Boot State\" does not display \"On\",\nthis is a finding.\n\n On server core installations, run the following PowerShell command:\n\n Confirm-SecureBootUEFI\n\n If a value of \"True\" is not returned, this is a finding.",
+ "fix": "Enable Secure Boot in the system firmware."
 },
- "impact": 0.5,
+ "impact": 0.3,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000057-GPOS-00027",
- "satisfies": [
- "SRG-OS-000057-GPOS-00027",
- "SRG-OS-000058-GPOS-00028",
- "SRG-OS-000059-GPOS-00029"
- ],
- "gid": "V-93189",
- "rid": "SV-103277r1_rule",
- "stig_id": "WN19-AU-000030",
- "fix_id": "F-99435r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-93231",
+ "rid": "SV-103319r1_rule",
+ "stig_id": "WN19-00-000470",
+ "fix_id": "F-99477r1_fix",
 "cci": [
- "CCI-000162",
- "CCI-000163",
- "CCI-000164"
+ "CCI-000366"
 ],
 "nist": [
- "AU-9",
- "AU-9",
- "AU-9",
+ "CM-6 b",
 "Rev_4"
 ]
 },
- "code": "control \"V-93189\" do\n title \"Windows Server 2019 permissions for the Application event log must\nprevent access by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nApplication event log may be susceptible to tampering if proper permissions are\nnot applied.\"\n desc \"rationale\", \"\"\n desc 'check', \"Navigate to the Application event log file.\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\"\nfolder. 
However, the logs may have been moved to another folder.\n\n If the permissions for the \\\"Application.evtx\\\" file are not as restrictive\nas the default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc 'fix', \"Configure the permissions on the Application event log file\n(Application.evtx) to prevent access by non-privileged accounts. The default\npermissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000057-GPOS-00027'\n tag 'satisfies': [\"SRG-OS-000057-GPOS-00027\", \"SRG-OS-000058-GPOS-00028\",\n\"SRG-OS-000059-GPOS-00029\"]\n tag 'gid': 'V-93189'\n tag 'rid': 'SV-103277r1_rule'\n tag 'stig_id': 'WN19-AU-000030'\n tag 'fix_id': 'F-99435r1_fix'\n tag 'cci': [\"CCI-000162\", \"CCI-000163\", \"CCI-000164\"]\n tag 'nist': [\"AU-9\", \"AU-9\", \"AU-9\", \"Rev_4\"]\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n\n systemroot = system_root.strip\n\n winevt_logs_application = <<-EOH\n $output = (Get-Acl -Path #{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Application.evtx).AccessToString\n write-output $output\n EOH\n\n # raw powershell output\n raw_logs_application = powershell(winevt_logs_application).stdout.strip\n\n # clean results cleans up the extra line breaks\n clean_logs_application = raw_logs_application.lines.collect(&:strip)\n\n describe 'Verify the default registry permissions for the keys note below of the C:\\Windows\\System32\\WINEVT\\LOGS\\Application.evtx' do\n subject { 
clean_logs_application }\n it { should cmp input('winevt_logs_application_perms') }\n end\nend\n", + "code": "control \"V-93231\" do\n title \"Windows Server 2019 must have Secure Boot enabled.\"\n desc \"Secure Boot is a standard that ensures systems boot only to a trusted\noperating system. Secure Boot is required to support additional security\nfeatures in Windows, including Virtualization Based Security and Credential\nGuard. If Secure Boot is turned off, these security features will not function.\"\n desc \"rationale\", \"\"\n desc 'check', \"Some older systems may not have UEFI firmware. This is currently a CAT III;\nit will be raised in severity at a future date when broad support of Windows\nhardware and firmware requirements are expected to be met. Devices that have\nUEFI firmware must have Secure Boot enabled.\n\n Run \\\"System Information\\\".\n\n Under \\\"System Summary\\\", if \\\"Secure Boot State\\\" does not display \\\"On\\\",\nthis is a finding.\n\n On server core installations, run the following PowerShell command:\n\n Confirm-SecureBootUEFI\n\n If a value of \\\"True\\\" is not returned, this is a finding.\"\n desc 'fix', \"Enable Secure Boot in the system firmware.\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93231'\n tag 'rid': 'SV-103319r1_rule'\n tag 'stig_id': 'WN19-00-000470'\n tag 'fix_id': 'F-99477r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n uefi_boot = json( command: 'Confirm-SecureBootUEFI | ConvertTo-Json').params\n describe 'Confirm-Secure Boot UEFI is required to be enabled on System' do\n subject { uefi_boot }\n it { should_not eq 'False' }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93189.rb", + "ref": "./Windows 2019 STIG/controls/V-93231.rb", "line": 3 }, - "id": "V-93189" + "id": "V-93231" }, { - "title": "Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up 
ASLR), must be on.", - "desc": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at the system level. Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits.", + "title": "Windows Server 2019 accounts must require passwords.", + "desc": "The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.", "descriptions": { - "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at the system level. Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits.", + "default": "The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.", "rationale": "", - "check": "This is applicable to unclassified systems, for other systems this is NA. 
The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"ASLR: BottomUp\" is \"OFF\", this is a finding.\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Randomize memory allocations (Bottom-Up ASLR)\" is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Randomize memory allocations\n (Bottom-Up ASLR)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Bottom-Up ASLR on (other system level EP requirements can be combined under ):\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "Review the password required status for enabled user accounts.\n Open \"PowerShell\".\n\n Domain Controllers:\n Enter \"Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled\".\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs).\n If \"Passwordnotrequired\" is \"True\" or blank for any enabled user account, this is a finding.\n\n Member servers and standalone systems:\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \"PasswordRequired=False and LocalAccount=True\" | FT Name, PasswordRequired, Disabled, LocalAccount'.\n Exclude disabled accounts (e.g., DefaultAccount, Guest).\n If any enabled user accounts are returned with a \"PasswordRequired\" status of \"False\", this is a finding.", + "fix": "Configure all enabled accounts to require passwords.\n The password required flag can be set by entering the following on a command line: \"Net user [username] /passwordreq:yes\", substituting [username] with the name of the user account." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000433-GPOS-00193", - "gid": "V-93565", - "rid": "SV-103651r1_rule", - "stig_id": "WN19-EP-000020", - "fix_id": "F-99809r1_fix", + "gtitle": "SRG-OS-000104-GPOS-00051", + "gid": "V-93439", + "rid": "SV-103525r2_rule", + "stig_id": "WN19-00-000200", + "fix_id": "F-99683r1_fix", "cci": [ - "CCI-002824" + "CCI-000764" ], "nist": [ - "SI-16", + "IA-2", "Rev_4" ] }, - "code": "control \"V-93565\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Randomize memory allocations (Bottom-Up ASLR)\\\", are enabled by default at the system level. 
Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"ASLR: BottomUp\\\" is \\\"OFF\\\", this is a finding.\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Randomize memory allocations (Bottom-Up ASLR)\\\" is turned on. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Randomize memory allocations\n (Bottom-Up ASLR)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn Bottom-Up ASLR on (other system level EP requirements can be combined under ):\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000433-GPOS-00193\"\n tag gid: \"V-93565\"\n tag rid: \"SV-103651r1_rule\"\n tag stig_id: \"WN19-EP-000020\"\n tag fix_id: \"F-99809r1_fix\"\n tag cci: [\"CCI-002824\"]\n tag nist: [\"SI-16\", \"Rev_4\"]\n\n systemaslr = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemaslr.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemaslr).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemaslr }\n its(['Aslr','BottomUp']) { should be_between(0,1) }\n end\n end\nend", + "code": "control \"V-93439\" do\n title \"Windows Server 2019 accounts must require passwords.\"\n desc \"The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. 
Accounts on a system must require passwords.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Review the password required status for enabled user accounts.\n Open \\\"PowerShell\\\".\n\n Domain Controllers:\n Enter \\\"Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled\\\".\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs).\n If \\\"Passwordnotrequired\\\" is \\\"True\\\" or blank for any enabled user account, this is a finding.\n\n Member servers and standalone systems:\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \\\"PasswordRequired=False and LocalAccount=True\\\" | FT Name, PasswordRequired, Disabled, LocalAccount'.\n Exclude disabled accounts (e.g., DefaultAccount, Guest).\n If any enabled user accounts are returned with a \\\"PasswordRequired\\\" status of \\\"False\\\", this is a finding.\"\n desc \"fix\", \"Configure all enabled accounts to require passwords.\n The password required flag can be set by entering the following on a command line: \\\"Net user [username] /passwordreq:yes\\\", substituting [username] with the name of the user account.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000104-GPOS-00051\"\n tag gid: \"V-93439\"\n tag rid: \"SV-103525r2_rule\"\n tag stig_id: \"WN19-00-000200\"\n tag fix_id: \"F-99683r1_fix\"\n tag cci: [\"CCI-000764\"]\n tag nist: [\"IA-2\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n ad_accounts = json({ command: \"Get-ADUser -Filter \\\"(Enabled -eq $true) -And (PasswordNotRequired -eq $true)\\\" | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n describe 'AD Accounts' do\n it 'AD should not have any Accounts that have Password Not Required' do\n failure_message = \"Users that have Password Not Required: #{ad_accounts}\"\n expect(ad_accounts).to be_empty, failure_message\n end\n end\n 
else\n local_accounts = json({ command: \"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordRequired=False and LocalAccount=True and Disabled=False' | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n describe \"Account or Accounts exists\" do\n it 'Server should not have Accounts with No Password Set' do\n failure_message = \"User or Users that have no Password Set: #{local_accounts}\" \n expect(local_accounts).to be_empty, failure_message\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93565.rb", + "ref": "./Windows 2019 STIG/controls/V-93439.rb", "line": 3 }, - "id": "V-93565" + "id": "V-93439" }, { - "title": "Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.", - "desc": "This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.\n Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).", + "title": "Windows Server 2019 Allow log on through Remote Desktop Services user\nright must only be assigned to the Administrators group on domain controllers.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on through Remote Desktop Services\" user\nright can access a system through Remote Desktop.", "descriptions": { - "default": "This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.\n Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on through Remote Desktop Services\" user\nright can access a system through Remote Desktop.", "rationale": "", - "check": "Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest.\n If they do not, this is a finding.", - "fix": "Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest." + "check": "This applies to domain controllers, it is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Allow\nlog on through Remote Desktop Services\" user right, this is a finding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeRemoteInteractiveLogonRight\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Allow log\non through Remote Desktop Services\" to include only the 
following accounts or\ngroups:\n\n - Administrators" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000185-GPOS-00079", - "satisfies": [ - "SRG-OS-000185-GPOS-00079", - "SRG-OS-000404-GPOS-00183", - "SRG-OS-000405-GPOS-00184" - ], - "gid": "V-93515", - "rid": "SV-103601r1_rule", - "stig_id": "WN19-00-000250", - "fix_id": "F-99759r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-92997", + "rid": "SV-103085r1_rule", + "stig_id": "WN19-DC-000360", + "fix_id": "F-99243r1_fix", "cci": [ - "CCI-001199", - "CCI-002475", - "CCI-002476" + "CCI-000213" ], "nist": [ - "SC-28", - "SC-28 (1)", - "SC-28 (1)", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93515\" do\n title \"Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\"\n desc \"This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.\n Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest.\n If they do not, this is a finding.\"\n desc \"fix\", \"Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000185-GPOS-00079\"\n tag satisfies: [\"SRG-OS-000185-GPOS-00079\", \"SRG-OS-000404-GPOS-00183\", \"SRG-OS-000405-GPOS-00184\"]\n tag gid: \"V-93515\"\n tag rid: \"SV-103601r1_rule\"\n tag stig_id: \"WN19-00-000250\"\n tag fix_id: \"F-99759r1_fix\"\n tag cci: [\"CCI-001199\", \"CCI-002475\", \"CCI-002476\"]\n tag nist: [\"SC-28\", \"SC-28 (1)\", \"SC-28 (1)\", \"Rev_4\"]\n\n describe \"A manual review is required to ensure systems requiring data at rest protections must employ cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.\" do\n skip 'A manual review is required to ensure systems requiring data at rest protections must employ cryptographic\n mechanisms to prevent unauthorized disclosure and modification of the\n information at rest.'\n end\nend", + "code": "control \"V-92997\" do\n title \"Windows Server 2019 Allow log on through Remote Desktop Services user\nright must only be assigned to the Administrators group on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Allow log on through Remote 
Desktop Services\\\" user\nright can access a system through Remote Desktop.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers, it is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Allow\nlog on through Remote Desktop Services\\\" user right, this is a finding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeRemoteInteractiveLogonRight\\\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Allow log\non through Remote Desktop Services\\\" to include only the following accounts or\ngroups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92997'\n tag 'rid': 'SV-103085r1_rule'\n tag 'stig_id': 'WN19-DC-000360'\n tag 'fix_id': 'F-99243r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas 
User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeRemoteInteractiveLogonRight') { should eq ['S-1-5-32-544'] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93515.rb", + "ref": "./Windows 2019 STIG/controls/V-92997.rb", "line": 3 }, - "id": "V-93515" + "id": "V-92997" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).", + "desc": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "default": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name wordpad.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for wordpad.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit 
protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured maintained, or used, this is a finding.", + "fix": "Install a DoD approved HBSS software and ensure it is operating continuously." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93367", - "rid": "SV-103455r1_rule", - "stig_id": "WN19-EP-000290", - "fix_id": "F-99613r1_fix", + "gtitle": "SRG-OS-000191-GPOS-00080", + "gid": "V-93567", + "rid": "SV-103653r1_rule", + "stig_id": "WN19-00-000290", + "fix_id": "F-99811r1_fix", "cci": [ - "CCI-000366" + "CCI-001233" ], "nist": [ - "CM-6 b", + "SI-2 (2)", "Rev_4" ] }, - "code": "control \"V-93367\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name wordpad.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for wordpad.exe:\n\n DEP:\n Enable: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93367\"\n tag rid: \"SV-103455r1_rule\"\n tag stig_id: \"WN19-EP-000290\"\n tag fix_id: \"F-99613r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n wordpad = json({ command: \"Get-ProcessMitigation -Name wordpad.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif wordpad.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for wordpad.exe\" do\n subject { wordpad }\n its(['Dep','Enable']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93567\" do\n title \"Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).\"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to 
the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify #{input('org_name')[:acronym]} approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured maintained, or used, this is a finding.\"\n desc \"fix\", \"Install a #{input('org_name')[:acronym]} approved HBSS software and ensure it is operating continuously.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000191-GPOS-00080\"\n tag gid: \"V-93567\"\n tag rid: \"SV-103653r1_rule\"\n tag stig_id: \"WN19-00-000290\"\n tag fix_id: \"F-99811r1_fix\"\n tag cci: [\"CCI-001233\"]\n tag nist: [\"SI-2 (2)\", \"Rev_4\"]\n\n org_name = input('org_name')\n\n describe \"A manual review is required to verify #{org_name[:acronym]} approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured maintained, or used, this is a finding.\" do\t\n skip \"A manual review is required to verify #{org_name[:acronym]} approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. 
If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured maintained, or used, this is a finding.\"\t\n end\nend",
 "source_location": { 
- "ref": "./Windows 2019 STIG/controls/V-93367.rb", 
+ "ref": "./Windows 2019 STIG/controls/V-93567.rb",
 "line": 3
 }, 
- "id": "V-93367" 
+ "id": "V-93567"
 },
 { 
- "title": "Windows Server 2019 Explorer Data Execution Prevention must be enabled.", 
- "desc": "Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.", 
+ "title": "Windows Server 2019 Back up files and directories user right must only\nbe assigned to the Administrators group.", 
+ "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Back up files and directories\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata.",
 "descriptions": { 
- "default": "Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. 
This setting will prevent Data Execution Prevention from being turned off for File Explorer.", 
+ "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Back up files and directories\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata.",
 "rationale": "", 
- "check": "The default behavior is for Data Execution Prevention to be turned on for File Explorer.\n If the registry value name below does not exist, this is not a finding.\n If it exists and is configured with a value of \"0\", this is not a finding.\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", 
- "fix": "The default behavior is for data execution prevention to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> \"Turn off Data Execution Prevention for Explorer\" to \"Not Configured\" or \"Disabled\"." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Back\nup files and directories\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \"SeBackupPrivilege\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Back up\nfiles and directories\" to include only the following accounts or groups:\n\n - Administrators" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000433-GPOS-00192", - "gid": "V-93563", - "rid": "SV-103649r1_rule", - "stig_id": "WN19-CC-000310", - "fix_id": "F-99807r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93053", + "rid": "SV-103141r1_rule", + "stig_id": "WN19-UR-000040", + "fix_id": "F-99299r1_fix", "cci": [ - "CCI-002824" + "CCI-002235" ], "nist": [ - "SI-16", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93563\" do\n title \"Windows Server 2019 Explorer Data Execution Prevention must be enabled.\"\n desc \"Data Execution Prevention provides additional protection by performing 
checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.\"\n desc \"rationale\", \"\"\n desc \"check\", \"The default behavior is for Data Execution Prevention to be turned on for File Explorer.\n If the registry value name below does not exist, this is not a finding.\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoDataExecutionPrevention\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for data execution prevention to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> \\\"Turn off Data Execution Prevention for Explorer\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000433-GPOS-00192\"\n tag gid: \"V-93563\"\n tag rid: \"SV-103649r1_rule\"\n tag stig_id: \"WN19-CC-000310\"\n tag fix_id: \"F-99807r1_fix\"\n tag cci: [\"CCI-002824\"]\n tag nist: [\"SI-16\", \"Rev_4\"]\n\n describe.one do \n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should_not have_property 'NoDataExecutionPrevention' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoDataExecutionPrevention' }\n its('NoDataExecutionPrevention') { should_not cmp 1 }\n its('NoDataExecutionPrevention') { should cmp 0 }\n end\n end\nend", + "code": "control \"V-93053\" do\n title \"Windows Server 2019 Back up files and directories user right must only\nbe 
assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Back up files and directories\\\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Back\nup files and directories\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \\\"SeBackupPrivilege\\\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Back up\nfiles and directories\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93053'\n tag 'rid': 'SV-103141r1_rule'\n tag 'stig_id': 'WN19-UR-000040'\n tag 'fix_id': 'F-99299r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", 
\"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeBackupPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93563.rb", + "ref": "./Windows 2019 STIG/controls/V-93053.rb", "line": 3 }, - "id": "V-93563" + "id": "V-93053" }, { - "title": "Windows Server 2019 must be configured to audit Account Logon -\nCredential Validation failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.", + "title": "Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.", + "desc": "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.", 
+ "default": "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.",
 "rationale": "", 
- "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Failure", 
- "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Logon >> \"Audit Credential Validation\" with\n\"Failure\" selected." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", 
+ "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \"Allow unencrypted traffic\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000470-GPOS-00214", - "gid": "V-93155", - "rid": "SV-103243r1_rule", - "stig_id": "WN19-AU-000080", - "fix_id": "F-99401r1_fix", + "gtitle": "SRG-OS-000393-GPOS-00173", + "satisfies": [ + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174" + ], + "gid": "V-93501", + "rid": "SV-103587r1_rule", + "stig_id": "WN19-CC-000510", + "fix_id": "F-99745r1_fix", "cci": [ - "CCI-000172" + "CCI-002890", + "CCI-003123" ], "nist": [ - "AU-12 c", + "MA-4 (6)", + "MA-4 (6)", "Rev_4" ] }, - "code": "control \"V-93155\" do\n title \"Windows Server 2019 must be configured to audit Account Logon -\nCredential Validation failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Credential Validation records events related to validation tests on\ncredentials for a user account logon.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Logon >> Credential Validation - Failure\"\n desc 
'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93155'\n tag 'rid': 'SV-103243r1_rule'\n tag 'stig_id': 'WN19-AU-000080'\n tag 'fix_id': 'F-99401r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Credential Validation') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Credential Validation') { should eq 'Success and Failure' }\n end\n end\n\nend\n", + "code": "control \"V-93501\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> \\\"Allow unencrypted traffic\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000393-GPOS-00173\"\n tag satisfies: [\"SRG-OS-000393-GPOS-00173\", \"SRG-OS-000394-GPOS-00174\"]\n tag gid: \"V-93501\"\n tag rid: \"SV-103587r1_rule\"\n tag stig_id: \"WN19-CC-000510\"\n tag fix_id: \"F-99745r1_fix\"\n tag cci: [\"CCI-002890\", \"CCI-003123\"]\n tag nist: 
[\"MA-4 (6)\", \"MA-4 (6)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Service') do\n it { should have_property 'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93155.rb", + "ref": "./Windows 2019 STIG/controls/V-93501.rb", "line": 3 }, - "id": "V-93155" + "id": "V-93501" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 permissions for the system drive root directory\n (usually C:\\) must conform to minimum requirements.", + "desc": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option \"Network\n access: Let Everyone permissions apply to anonymous users\" is set to\n \"Disabled\" (WN19-SO-000240).", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "default": "Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option \"Network\n access: Let Everyone permissions apply to anonymous users\" is set to\n \"Disabled\" (WN19-SO-000240).", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name Acrobat.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for Acrobat.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> 
Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "The default permissions are adequate when the Security Option \"Network\n access: Let Everyone permissions apply to anonymous users\" is set to\n \"Disabled\" (WN19-SO-000240).\n\n Review the permissions for the system drive's root directory (usually\n C:\\). Non-privileged groups such as Users or Authenticated Users must not have\n greater than \"Read & execute\" permissions except where noted as defaults.\n Individual accounts must not be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\n below, this is a finding.\n\n Viewing in File Explorer:\n\n View the Properties of the system drive's root directory.\n\n Select the \"Security\" tab, and the \"Advanced\" button.\n\n Default permissions:\n C:\\\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\n\n Alternately, use icacls:\n\n Open \"Command Prompt (Admin)\".\n\n Enter \"icacls\" followed by the directory:\n\n \"icacls c:\\\"\n\n The following results should be displayed:\n\n c:\\\n NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\Administrators:(OI)(CI)(F)\n BUILTIN\\Users:(OI)(CI)(RX)\n BUILTIN\\Users:(CI)(AD)\n BUILTIN\\Users:(CI)(IO)(WD)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n Successfully processed 1 files; Failed processing 0 files", + "fix": "Maintain the default permissions for the system 
drive's root directory and\nconfigure the Security Option \"Network access: Let Everyone permissions apply\nto anonymous users\" to \"Disabled\" (WN19-SO-000240).\n\n Default Permissions\n C:\\\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only"
 }, 
- "impact": 0, 
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null, 
- "gtitle": "SRG-OS-000480-GPOS-00227", 
- "gid": "V-93321", 
- "rid": "SV-103409r1_rule", 
- "stig_id": "WN19-EP-000060", 
- "fix_id": "F-99567r1_fix", 
+ "gtitle": "SRG-OS-000312-GPOS-00122", 
+ "satisfies": [ 
+ "SRG-OS-000312-GPOS-00122", 
+ "SRG-OS-000312-GPOS-00123", 
+ "SRG-OS-000312-GPOS-00124" 
+ ], 
+ "gid": "V-93019", 
+ "rid": "SV-103107r1_rule", 
+ "stig_id": "WN19-00-000140", 
+ "fix_id": "F-99265r1_fix",
 "cci": [ 
- "CCI-000366" 
+ "CCI-002165"
 ],
 "nist": [ 
- "CM-6 b", 
+ "AC-3 (4)",
 "Rev_4"
 ]
 }, 
- "code": "control \"V-93321\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name Acrobat.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for Acrobat.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93321\"\n tag rid: \"SV-103409r1_rule\"\n tag stig_id: \"WN19-EP-000060\"\n tag fix_id: \"F-99567r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n acrobat = json({ command: \"Get-ProcessMitigation -Name Acrobat.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif acrobat.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for Acrobat.exe\" do\n subject { acrobat }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','BottomUp']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control 'V-93019' do\n title \"Windows Server 2019 permissions for the system drive root directory\n (usually C:\\\\) must conform to minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\n possibility of unauthorized and anonymous modification to the operating system\n and installed applications.\n\n The default permissions are adequate when the Security Option \\\"Network\n access: Let Everyone permissions apply to anonymous users\\\" is set to\n 
\\\"Disabled\\\" (WN19-SO-000240).\"\n desc 'rationale', ''\n desc 'check', \"The default permissions are adequate when the Security Option \\\"Network\n access: Let Everyone permissions apply to anonymous users\\\" is set to\n \\\"Disabled\\\" (WN19-SO-000240).\n\n Review the permissions for the system drive's root directory (usually\n C:\\\\). Non-privileged groups such as Users or Authenticated Users must not have\n greater than \\\"Read & execute\\\" permissions except where noted as defaults.\n Individual accounts must not be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\n below, this is a finding.\n\n Viewing in File Explorer:\n\n View the Properties of the system drive's root directory.\n\n Select the \\\"Security\\\" tab, and the \\\"Advanced\\\" button.\n\n Default permissions:\n C:\\\\\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\n\n Alternately, use icacls:\n\n Open \\\"Command Prompt (Admin)\\\".\n\n Enter \\\"icacls\\\" followed by the directory:\n\n \\\"icacls c:\\\\\\\"\n\n The following results should be displayed:\n\n c:\\\\\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(F)\n BUILTIN\\\\Administrators:(OI)(CI)(F)\n BUILTIN\\\\Users:(OI)(CI)(RX)\n BUILTIN\\\\Users:(CI)(AD)\n BUILTIN\\\\Users:(CI)(IO)(WD)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n Successfully processed 1 files; Failed processing 0 files\"\n desc 'fix', \"\n Maintain the default permissions for the system drive's root directory and\n configure the Security Option \\\"Network access: Let Everyone permissions apply\n to 
anonymous users\\\" to \\\"Disabled\\\" (WN19-SO-000240).\n\n Default Permissions\n C:\\\\\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n SYSTEM - Full control - This folder, subfolders, and files\n Administrators - Full control - This folder, subfolders, and files\n Users - Read & execute - This folder, subfolders, and files\n Users - Create folders/append data - This folder and subfolders\n Users - Create files/write data - Subfolders only\n CREATOR OWNER - Full Control - Subfolders and files only\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000312-GPOS-00122'\n tag 'satisfies': %w(SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123\nSRG-OS-000312-GPOS-00124)\n tag 'gid': 'V-93019'\n tag 'rid': 'SV-103107r1_rule'\n tag 'stig_id': 'WN19-00-000140'\n tag 'fix_id': 'F-99265r1_fix'\n tag 'cci': ['CCI-002165']\n tag 'nist': ['AC-3 (4)', 'Rev_4']\n\n expected_c_perm = input('c_perm')\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'EveryoneIncludesAnonymous' }\n its('EveryoneIncludesAnonymous') { should eq 0 }\n end\n c_perm = json(command: \"icacls 'C:\\\\' | ConvertTo-Json\").params.map(&:strip)[0..-3].map { |e| e.gsub('C:\\\\ ', '') }\n describe 'C:\\\\ permissions are set correctly on folder structure' do\n subject { c_perm.eql? expected_c_perm }\n it { should eq true }\n end\n end\nend\n",
 "source_location": { 
- "ref": "./Windows 2019 STIG/controls/V-93321.rb", 
- "line": 3 
+ "ref": "./Windows 2019 STIG/controls/V-93019.rb", 
+ "line": 1
 }, 
- "id": "V-93321" 
+ "id": "V-93019"
 },
 { 
- "title": "Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.", 
- "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.", 
+ "title": "Windows Server 2019 Enable computer and user accounts to be trusted\nfor delegation user right must only be assigned to the Administrators group on\ndomain controllers.", 
+ "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\nright allows the \"Trusted for Delegation\" setting to be changed. This could\nallow unauthorized users to impersonate other users.",
 "descriptions": { 
- "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.", 
+ "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Enable computer and user accounts to be trusted for delegation\" user\nright allows the \"Trusted for Delegation\" setting to be changed. 
This could\nallow unauthorized users to impersonate other users.", "rationale": "", - "check": "UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (Prompt for consent on the secure desktop)\n 0x00000001 (1) (Prompt for credentials on the secure desktop)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode\" to \"Prompt for consent on the secure desktop\".\n\nThe more secure option for this setting, \"Prompt for credentials on the secure desktop\", would also be acceptable." + "check": "This applies to domain controllers. 
A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Enable\ncomputer and user accounts to be trusted for delegation\" user right, this is a\nfinding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeEnableDelegationPrivilege\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Enable\ncomputer and user accounts to be trusted for delegation\" to include only the\nfollowing accounts or groups:\n\n - Administrators" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-93523", - "rid": "SV-103609r1_rule", - "stig_id": "WN19-SO-000400", - "fix_id": "F-99767r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93041", + "rid": "SV-103129r1_rule", + "stig_id": "WN19-DC-000420", + "fix_id": "F-99287r1_fix", "cci": [ - "CCI-001084" + "CCI-002235" ], "nist": [ - "SC-3", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93523\" do\n title \"Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2019 versus Server with Desktop Experience).\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorAdmin\n\n Value Type: REG_DWORD\n Value: 0x00000002 (2) (Prompt for consent on the secure desktop)\n 0x00000001 (1) (Prompt for credentials on the secure desktop)\"\n desc \"fix\", \"\n Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode\\\" to \\\"Prompt for consent on the secure desktop\\\".\n\n The more secure option for this setting, \\\"Prompt for credentials on the secure desktop\\\", would also be acceptable.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93523\"\n tag rid: \"SV-103609r1_rule\"\n tag stig_id: \"WN19-SO-000400\"\n tag fix_id: \"F-99767r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorAdmin' }\n its('ConsentPromptBehaviorAdmin') { should be_between(1,2) }\n 
end\n end\nend", + "code": "control \"V-93041\" do\n title \"Windows Server 2019 Enable computer and user accounts to be trusted\nfor delegation user right must only be assigned to the Administrators group on\ndomain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Enable computer and user accounts to be trusted for delegation\\\" user\nright allows the \\\"Trusted for Delegation\\\" setting to be changed. This could\nallow unauthorized users to impersonate other users.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. A separate version applies to other\nsystems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Enable\ncomputer and user accounts to be trusted for delegation\\\" user right, this is a\nfinding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeEnableDelegationPrivilege\\\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Enable\ncomputer and user accounts to be trusted for delegation\\\" to include only the\nfollowing accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93041'\n tag 'rid': 'SV-103129r1_rule'\n tag 'stig_id': 'WN19-DC-000420'\n tag 'fix_id': 'F-99287r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 
'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeEnableDelegationPrivilege') { should eq ['S-1-5-32-544'] }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93523.rb", + "ref": "./Windows 2019 STIG/controls/V-93041.rb", "line": 3 }, - "id": "V-93523" + "id": "V-93041" }, { - "title": "Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.", - "desc": "Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ensuring the machine changes its password monthly.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ensuring the machine changes its password monthly.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "This is the default configuration for this setting (30 days).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x0000001e (30) (or less, but not 0)", - "fix": "This is the default configuration for this setting (30 days).\n Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Maximum machine account password age\" to \"30\" or less (excluding \"0\", which is unacceptable)." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name POWERPNT.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for POWERPNT.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93285", - "rid": "SV-103373r1_rule", - "stig_id": "WN19-SO-000100", - "fix_id": "F-99531r1_fix", + "gid": "V-93355", + "rid": "SV-103443r1_rule", + "stig_id": "WN19-EP-000230", + "fix_id": "F-99601r1_fix", "cci": [ "CCI-000366" ], 
@@ -8053,531 +8104,512 @@ "Rev_4" ] }, - "code": "control \"V-93285\" do\n title \"Windows Server 2019 maximum age for machine account passwords must be configured to #{input('maximum_password_age_machine')} days or less.\"\n desc \"Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than #{input('maximum_password_age_machine')} days, ensuring the machine changes its password monthly.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is the default configuration for this setting (#{input('maximum_password_age_machine')} days).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: MaximumPasswordAge\n\n Value Type: REG_DWORD\n Value: 0x000000#{input('maximum_password_age_machine').to_s(16)} (#{input('maximum_password_age_machine')}) (or less, but not 0)\"\n desc \"fix\", \"This is the default configuration for this setting (#{input('maximum_password_age_machine')} days).\n Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Maximum machine account password age\\\" to \\\"#{input('maximum_password_age_machine')}\\\" or less (excluding \\\"0\\\", which is unacceptable).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93285\"\n tag rid: \"SV-103373r1_rule\"\n tag stig_id: \"WN19-SO-000100\"\n tag fix_id: \"F-99531r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'MaximumPasswordAge' }\n its('MaximumPasswordAge') { should 
be_between(1,input('maximum_password_age_machine')) }\n end\nend\n", + "code": "control \"V-93355\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name POWERPNT.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for POWERPNT.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows 
Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93355\"\n tag rid: \"SV-103443r1_rule\"\n tag stig_id: \"WN19-EP-000230\"\n tag fix_id: \"F-99601r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n powerpnt = json({ command: \"Get-ProcessMitigation -Name POWERPNT.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif powerpnt.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for POWERPNT.EXE\" do\n subject { powerpnt }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93285.rb", + "ref": "./Windows 2019 STIG/controls/V-93355.rb", "line": 3 }, - "id": "V-93285" + "id": "V-93355" }, { - "title": "Windows Server 2019 system files must be monitored for unauthorized\nchanges.", - "desc": "Monitoring system files for changes against a baseline on a regular\nbasis may 
help detect the possible introduction of malicious code on a system.", + "title": "Windows Server 2019 permissions for program file directories must\nconform to minimum requirements.", + "desc": "Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).", "descriptions": { - "default": "Monitoring system files for changes against a baseline on a regular\nbasis may help detect the possible introduction of malicious code on a system.", + "default": "Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).", "rationale": "", - "check": "Determine whether the system is monitored for unauthorized changes to\nsystem files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline\non a weekly basis.\n\n If system files are not monitored for unauthorized changes, this is a\nfinding.\n\n A properly configured HBSS Policy Auditor 5.2 or later File Integrity\nMonitor (FIM) module will meet the requirement for file integrity checking. The\nAsset module within HBSS does not meet this requirement.", - "fix": "Monitor the system for unauthorized changes to system files\n(e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly\nbasis. This can be done with the use of various monitoring tools." 
+ "check": "The default permissions are adequate when the Security Option \"Network\naccess: Let Everyone permissions apply to anonymous users\" is set to\n\"Disabled\" (WN19-SO-000240).\n\n Review the permissions for the program file directories (Program Files and\nProgram Files [x86]). Non-privileged groups such as Users or Authenticated\nUsers must not have greater than \"Read & execute\" permissions. Individual\naccounts must not be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the \"Security\" tab, and the \"Advanced\" button.\n\n Default permissions:\n \\Program Files and \\Program Files (x86)\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter \"icacls\" followed by the directory:\n\n 'icacls \"c:\\program files\"'\n 'icacls \"c:\\program files (x86)\"'\n\n The following results should be displayed for each when entered:\n\n c:\\program files (c:\\program files (x86))\n NT SERVICE\\TrustedInstaller:(F)\n NT SERVICE\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\SYSTEM:(M)\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\Administrators:(M)\n BUILTIN\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\Users:(RX)\n 
BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION\nPACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files", + "fix": "Maintain the default permissions for the program file directories and\nconfigure the Security Option \"Network access: Let Everyone permissions apply\nto anonymous users\" to \"Disabled\" (WN19-SO-000240).\n\n Default permissions:\n \\Program Files and \\Program Files (x86)\n Type - \"Allow\" for all\n Inherited from - \"None\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000363-GPOS-00150", - "gid": "V-93203", - "rid": "SV-103291r1_rule", - "stig_id": "WN19-00-000220", - "fix_id": "F-99449r1_fix", + "gtitle": "SRG-OS-000312-GPOS-00122", + "satisfies": [ + "SRG-OS-000312-GPOS-00122", + "SRG-OS-000312-GPOS-00123", + "SRG-OS-000312-GPOS-00124" + ], + "gid": "V-93021", + "rid": "SV-103109r1_rule", + "stig_id": "WN19-00-000150", + "fix_id": "F-99267r1_fix", "cci": [ - "CCI-001744" + "CCI-002165" ], "nist": [ - "CM-3 (5)", + "AC-3 (4)", "Rev_4" ] }, - "code": "control \"V-93203\" do\n title \"Windows Server 2019 
system files must be monitored for unauthorized\nchanges.\"\n desc \"Monitoring system files for changes against a baseline on a regular\nbasis may help detect the possible introduction of malicious code on a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine whether the system is monitored for unauthorized changes to\nsystem files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline\non a weekly basis.\n\n If system files are not monitored for unauthorized changes, this is a\nfinding.\n\n A properly configured HBSS Policy Auditor 5.2 or later File Integrity\nMonitor (FIM) module will meet the requirement for file integrity checking. The\nAsset module within HBSS does not meet this requirement.\"\n desc 'fix', \"Monitor the system for unauthorized changes to system files\n(e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly\nbasis. This can be done with the use of various monitoring tools.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000363-GPOS-00150'\n tag 'gid': 'V-93203'\n tag 'rid': 'SV-103291r1_rule'\n tag 'stig_id': 'WN19-00-000220'\n tag 'fix_id': 'F-99449r1_fix'\n tag 'cci': [\"CCI-001744\"]\n tag 'nist': [\"CM-3 (5)\", \"Rev_4\"]\n\n describe 'A manual review is required to ensure system files are monitored for unauthorized changes' do\n skip 'A manual review is required to ensure system files are monitored for unauthorized changes'\n end\nend\n", + "code": "control \"V-93021\" do\n title \"Windows Server 2019 permissions for program file directories must\nconform to minimum requirements.\"\n desc \"Changing the system's file and directory permissions allows the\npossibility of unauthorized and anonymous modification to the operating system\nand installed applications.\n\n The default permissions are adequate when the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" is set to\n\\\"Disabled\\\" (WN19-SO-000240).\"\n desc \"rationale\", \"\"\n desc 
'check', \"The default permissions are adequate when the Security Option \\\"Network\naccess: Let Everyone permissions apply to anonymous users\\\" is set to\n\\\"Disabled\\\" (WN19-SO-000240).\n\n Review the permissions for the program file directories (Program Files and\nProgram Files [x86]). Non-privileged groups such as Users or Authenticated\nUsers must not have greater than \\\"Read & execute\\\" permissions. Individual\naccounts must not be used to assign permissions.\n\n If permissions are not as restrictive as the default permissions listed\nbelow, this is a finding.\n\n Viewing in File Explorer:\n\n For each folder, view the Properties.\n\n Select the \\\"Security\\\" tab, and the \\\"Advanced\\\" button.\n\n Default permissions:\n \\\\Program Files and \\\\Program Files (x86)\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\n\n Alternately, use icacls:\n\n Open a Command prompt (admin).\n\n Enter \\\"icacls\\\" followed by the directory:\n\n 'icacls \\\"c:\\\\program files\\\"'\n 'icacls \\\"c:\\\\program files (x86)\\\"'\n\n The following results should be displayed for each when entered:\n\n c:\\\\program files (c:\\\\program files (x86))\n NT SERVICE\\\\TrustedInstaller:(F)\n NT SERVICE\\\\TrustedInstaller:(CI)(IO)(F)\n NT AUTHORITY\\\\SYSTEM:(M)\n NT AUTHORITY\\\\SYSTEM:(OI)(CI)(IO)(F)\n BUILTIN\\\\Administrators:(M)\n 
BUILTIN\\\\Administrators:(OI)(CI)(IO)(F)\n BUILTIN\\\\Users:(RX)\n BUILTIN\\\\Users:(OI)(CI)(IO)(GR,GE)\n CREATOR OWNER:(OI)(CI)(IO)(F)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION PACKAGES:(RX)\n APPLICATION PACKAGE AUTHORITY\\\\ALL RESTRICTED APPLICATION\nPACKAGES:(OI)(CI)(IO)(GR,GE)\n Successfully processed 1 files; Failed processing 0 files\"\n desc 'fix', \"\n Maintain the default permissions for the program file directories and\nconfigure the Security Option \\\"Network access: Let Everyone permissions apply\nto anonymous users\\\" to \\\"Disabled\\\" (WN19-SO-000240).\n\n Default permissions:\n \\\\Program Files and \\\\Program Files (x86)\n Type - \\\"Allow\\\" for all\n Inherited from - \\\"None\\\" for all\n\n Principal - Access - Applies to\n\n TrustedInstaller - Full control - This folder and subfolders\n SYSTEM - Modify - This folder only\n SYSTEM - Full control - Subfolders and files only\n Administrators - Modify - This folder only\n Administrators - Full control - Subfolders and files only\n Users - Read & execute - This folder, subfolders, and files\n CREATOR OWNER - Full control - Subfolders and files only\n ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and\nfiles\n ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder,\nsubfolders, and files\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000312-GPOS-00122'\n tag 'satisfies': [\"SRG-OS-000312-GPOS-00122\", \"SRG-OS-000312-GPOS-00123\",\n\"SRG-OS-000312-GPOS-00124\"]\n tag 'gid': 'V-93021'\n tag 'rid': 'SV-103109r1_rule'\n tag 'stig_id': 'WN19-00-000150'\n tag 'fix_id': 'F-99267r1_fix'\n tag 'cci': [\"CCI-002165\"]\n tag 'nist': [\"AC-3 (4)\", \"Rev_4\"]\n\n c_program_files_perm = json( command: \"icacls 'C:\\\\Program Files' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| 
e.gsub(\"C:\\\\Program Files \", '') }\n describe \"c:\\\\Program Files permissions are set correctly on folder structure\" do\n subject { c_program_files_perm.eql? input('c_program_files_perm') }\n it { should eq true }\n end\n\n c_program_filesx86_perm = json( command: \"icacls 'C:\\\\Program Files (x86)' | ConvertTo-Json\").params.map { |e| e.strip }[0..-3].map{ |e| e.gsub(\"C:\\\\Program Files (x86) \", '') }\n describe \"c:\\\\Program Files(x86) permissions are set correctly on folder structure\" do\n subject { c_program_filesx86_perm.eql? input('c_program_files_perm') }\n it { should eq true }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93203.rb", + "ref": "./Windows 2019 STIG/controls/V-93021.rb", "line": 3 }, - "id": "V-93203" + "id": "V-93021" }, { - "title": "Windows Server 2019 printing over HTTP must be turned off.", - "desc": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.", + "title": "Windows Server 2019 Add workstations to domain user right must only be\nassigned to the Administrators group on domain controllers.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Add workstations to domain\" right may add computers to\na domain. This could result in unapproved or incorrectly configured systems\nbeing added to a domain.", "descriptions": { - "default": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Add workstations to domain\" right may add computers to\na domain. This could result in unapproved or incorrectly configured systems\nbeing added to a domain.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableHTTPPrinting\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> \"Turn off printing over HTTP\" to \"Enabled\"." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Add\nworkstations to domain\" right, this is a finding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeMachineAccountPrivilege\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Add\nworkstations to domain\" to include only the following accounts or groups:\n\n - Administrators" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93405", - "rid": "SV-103491r1_rule", - "stig_id": "WN19-CC-000160", - "fix_id": "F-99649r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93039", + "rid": "SV-103127r1_rule", + "stig_id": "WN19-DC-000350", + "fix_id": "F-99285r1_fix", "cci": [ - "CCI-000381" + "CCI-002235" ], "nist": [ - "CM-7 a", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93405\" do\n title \"Windows Server 2019 printing over HTTP must be turned off.\"\n desc \"Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableHTTPPrinting\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> \\\"Turn off printing over HTTP\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93405\"\n tag rid: \"SV-103491r1_rule\"\n tag stig_id: \"WN19-CC-000160\"\n tag fix_id: \"F-99649r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers') do\n it { should have_property 'DisableHTTPPrinting' }\n its('DisableHTTPPrinting') { should cmp == 1 }\n end\nend", + "code": "control \"V-93039\" do\n title \"Windows Server 2019 Add workstations to domain user right must only be\nassigned to the Administrators group on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Add workstations to domain\\\" right may add computers to\na domain. This could result in unapproved or incorrectly configured systems\nbeing added to a domain.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Add\nworkstations to domain\\\" right, this is a finding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeMachineAccountPrivilege\\\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Add\nworkstations to domain\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93039'\n tag 'rid': 'SV-103127r1_rule'\n tag 'stig_id': 'WN19-DC-000350'\n tag 'fix_id': 'F-99285r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeMachineAccountPrivilege') { should eq ['S-1-5-32-544'] }\n 
end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93405.rb", + "ref": "./Windows 2019 STIG/controls/V-93039.rb", "line": 3 }, - "id": "V-93405" + "id": "V-93039" }, { - "title": "Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.", - "desc": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", + "title": "Windows Server 2019 Remote Desktop Services must be configured with\nthe client connection encryption set to High Level.", + "desc": "Remote connections must be encrypted to prevent interception of data\nor sensitive information. Selecting \"High Level\" will ensure encryption of\nRemote Desktop Services sessions in both directions.", "descriptions": { - "default": "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.", + "default": "Remote connections must be encrypted to prevent interception of data\nor sensitive information. 
Selecting \"High Level\" will ensure encryption of\nRemote Desktop Services sessions in both directions.", "rationale": "", - "check": "The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n If it exists and is configured with a value of \"0\", this is not a finding.\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", - "fix": "The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.\n If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> \"Turn on Basic feed authentication over HTTP\" to \"Not Configured\" or \"Disabled\"." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal\nServices\\\n\n Value Name: MinEncryptionLevel\n\n Type: REG_DWORD\n Value: 0x00000003 (3)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Remote Desktop Services >>\nRemote Desktop Session Host >> Security >> \"Set client connection encryption\nlevel\" to \"Enabled\" with \"High Level\" selected." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93413", - "rid": "SV-103499r1_rule", - "stig_id": "WN19-CC-000400", - "fix_id": "F-99657r1_fix", + "gtitle": "SRG-OS-000033-GPOS-00014", + "satisfies": [ + "SRG-OS-000033-GPOS-00014", + "SRG-OS-000250-GPOS-00093" + ], + "gid": "V-92973", + "rid": "SV-103061r1_rule", + "stig_id": "WN19-CC-000380", + "fix_id": "F-99219r1_fix", "cci": [ - "CCI-000381" + "CCI-000068", + "CCI-001453" ], "nist": [ - "CM-7 a", + "AC-17 (2)", + "AC-17 (2)", "Rev_4" ] }, - "code": "control \"V-93413\" do\n title \"Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.\"\n desc \"Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.\"\n desc \"rationale\", \"\"\n desc \"check\", \"The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.\n\n If the registry value name below does not exist, this is not a finding.\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: AllowBasicAuthInClear\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc \"fix\", \"The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.\n If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> \\\"Turn on Basic feed authentication over HTTP\\\" to \\\"Not Configured\\\" or \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93413\"\n tag rid: 
\"SV-103499r1_rule\"\n tag stig_id: \"WN19-CC-000400\"\n tag fix_id: \"F-99657r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe.one do \n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should_not have_property 'AllowBasicAuthInClear' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should have_property 'AllowBasicAuthInClear' }\n its('AllowBasicAuthInClear') { should_not cmp 1 }\n its('AllowBasicAuthInClear') { should cmp 0 }\n end\n end\nend", + "code": "control \"V-92973\" do\n title \"Windows Server 2019 Remote Desktop Services must be configured with\nthe client connection encryption set to High Level.\"\n desc \"Remote connections must be encrypted to prevent interception of data\nor sensitive information. Selecting \\\"High Level\\\" will ensure encryption of\nRemote Desktop Services sessions in both directions.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal\nServices\\\\\n\n Value Name: MinEncryptionLevel\n\n Type: REG_DWORD\n Value: 0x00000003 (3)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Remote Desktop Services >>\nRemote Desktop Session Host >> Security >> \\\"Set client connection encryption\nlevel\\\" to \\\"Enabled\\\" with \\\"High Level\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000033-GPOS-00014'\n tag 'satisfies': [\"SRG-OS-000033-GPOS-00014\", \"SRG-OS-000250-GPOS-00093\"]\n tag 'gid': 'V-92973'\n tag 'rid': 'SV-103061r1_rule'\n tag 'stig_id': 'WN19-CC-000380'\n tag 'fix_id': 'F-99219r1_fix'\n tag 'cci': [\"CCI-000068\", \"CCI-001453\"]\n tag 
'nist': [\"AC-17 (2)\", \"AC-17 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property \"MinEncryptionLevel\"}\n its(\"MinEncryptionLevel\") { should cmp 3 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93413.rb", + "ref": "./Windows 2019 STIG/controls/V-92973.rb", "line": 3 }, - "id": "V-93413" + "id": "V-92973" }, { - "title": "Windows Server 2019 Active Directory Domain Controllers Organizational\nUnit (OU) object must be configured with proper audit settings.", - "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain Controller OU object. Because changes to these objects\ncan significantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "title": "Windows Server 2019 Lock pages in memory user right must not be\nassigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Lock pages in memory\" user right allows physical memory to be\nassigned to processes, which could cause performance issues or a denial of\nservice.", "descriptions": { - "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain Controller OU object. Because changes to these objects\ncan significantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Lock pages in memory\" user right allows physical memory to be\nassigned to processes, which could cause performance issues or a denial of\nservice.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain Controller OU object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the \"Domain Controllers OU\" under the domain being reviewed in the\nleft pane.\n\n Right-click the \"Domain Controllers OU\" object and select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the Domain Controllers OU object are not at least\nas inclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object and all descendant objects\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects", - "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the \"Domain Controllers OU\" under the domain being reviewed in the\nleft pane.\n\n Right-click the \"Domain Controllers OU\" object and select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for Domain Controllers OU object to include\nthe following:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects" + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Lock pages in memory\" user\nright, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeLockMemoryPrivilege\" user right, this is a\nfinding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Lock pages in memory\" to be defined but containing no entries\n(blank)." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93127", - "rid": "SV-103215r1_rule", - "stig_id": "WN19-DC-000200", - "fix_id": "F-99373r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93077", + "rid": "SV-103165r1_rule", + "stig_id": "WN19-UR-000160", + "fix_id": "F-99323r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002235" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93127\" do\n title \"Windows Server 2019 Active Directory Domain Controllers Organizational\nUnit (OU) object must be configured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain Controller OU object. Because changes to these objects\ncan significantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain Controller OU object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the \\\"Domain Controllers OU\\\" under the domain being reviewed in the\nleft pane.\n\n Right-click the \\\"Domain Controllers OU\\\" object and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the Domain Controllers OU object are not at least\nas inclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object and all descendant objects\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n desc 'fix', \"\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the \\\"Domain Controllers OU\\\" under the domain being reviewed in the\nleft pane.\n\n Right-click the \\\"Domain Controllers OU\\\" object and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for Domain Controllers OU object to include\nthe following:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: all create, delete and modify permissions)\n\n Type - Success\n Principal - Everyone\n Access - Write all properties\n Inherited from - None\n Applies to - This object and all descendant objects\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\n Applies to - Descendant Organizational Unit objects\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93127'\n tag 'rid': 'SV-103215r1_rule'\n tag 'stig_id': 'WN19-DC-000200'\n tag 'fix_id': 'F-99373r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'OU=Domain Controllers,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe 
\"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"CreateChild, DeleteChild, DeleteTree, Delete, WriteDacl, WriteOwner\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"All\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"All\" }\n end\n end\n end\n \n \n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93077\" do\n title \"Windows Server 2019 Lock pages in memory user right must not be\nassigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Lock pages in memory\\\" user right allows physical memory to 
be\nassigned to processes, which could cause performance issues or a denial of\nservice.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Lock pages in memory\\\" user\nright, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeLockMemoryPrivilege\\\" user right, this is a\nfinding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Lock pages in memory\\\" to be defined but containing no entries\n(blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93077'\n tag 'rid': 'SV-103165r1_rule'\n tag 'stig_id': 'WN19-UR-000160'\n tag 'fix_id': 'F-99323r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need 
to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeLockMemoryPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93127.rb", + "ref": "./Windows 2019 STIG/controls/V-93077.rb", "line": 3 }, - "id": "V-93127" + "id": "V-93077" }, { - "title": "Windows Server 2019 must be configured to audit DS Access - Directory\nService Access successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.", + "title": "Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.", + "desc": "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. 
Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.", + "default": "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.", "rationale": "", - "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \"Directory Service Access\" with\n\"Success\" selected." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Run \"Regedit\".\n Navigate to \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\".\n Note the directory locations in the values for \"DSA Database file\".\n \n Open \"Command Prompt\".\n Enter \"net share\".\n Note the logical drive(s) or file system partition for any organization-created data shares.\n Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored.\n\n If user shares are located on the same logical partition as the directory server data files, this is a finding.", + "fix": "Move shares used to store files owned by users to a different logical partition than the directory server data files." 
},
 "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000327-GPOS-00127",
- "satisfies": [
- "SRG-OS-000327-GPOS-00127",
- "SRG-OS-000458-GPOS-00203",
- "SRG-OS-000463-GPOS-00207",
- "SRG-OS-000468-GPOS-00212"
- ],
- "gid": "V-93133",
- "rid": "SV-103221r1_rule",
- "stig_id": "WN19-DC-000240",
- "fix_id": "F-99379r1_fix",
+ "gtitle": "SRG-OS-000138-GPOS-00069",
+ "gid": "V-93535",
+ "rid": "SV-103621r1_rule",
+ "stig_id": "WN19-DC-000120",
+ "fix_id": "F-99779r1_fix",
 "cci": [
- "CCI-000172",
- "CCI-002234"
+ "CCI-001090"
 ],
 "nist": [
- "AU-12 c",
- "AC-6 (9)",
+ "SC-4",
 "Rev_4"
 ]
 },
- "code": "control \"V-93133\" do\n title \"Windows Server 2019 must be configured to audit DS Access - Directory\nService Access successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \\\"Directory Service Access\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': \"SRG-OS-000327-GPOS-00127\"\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': \"V-93133\"\n tag 'rid': \"SV-103221r1_rule\"\n tag 'stig_id': \"WN19-DC-000240\"\n tag 'fix_id': \"F-99379r1_fix\"\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success' }\n end\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success and Failure' }\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this 
control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93535\" do\n title \"Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.\"\n desc \"When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data.\n\n The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Run \\\"Regedit\\\".\n Navigate to \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\".\n Note the directory locations in the values for \\\"DSA Database file\\\".\n \n Open \\\"Command Prompt\\\".\n Enter \\\"net share\\\".\n Note the logical drive(s) or file system partition for any organization-created data shares.\n Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). 
User shares that are hidden (ending with $) should not be ignored.\n\n If user shares are located on the same logical partition as the directory server data files, this is a finding.\"\n desc \"fix\", \"Move shares used to store files owned by users to a different logical partition than the directory server data files.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000138-GPOS-00069\"\n tag gid: \"V-93535\"\n tag rid: \"SV-103621r1_rule\"\n tag stig_id: \"WN19-DC-000120\"\n tag fix_id: \"F-99779r1_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n dsa_db_file = command('Get-ItemPropertyValue -Path HKLM:\\\\System\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters -Name \"DSA Database file\"').stdout.strip\n net_shares = json({ command: \"Get-SMBShare | Where-Object -Property Name -notin C$,ADMIN$,IPC$,NETLOGON,SYSVOL | Select Path | ConvertTo-Json\" }).params\n\n if net_shares.empty?\n impact 0.0\n describe 'No non-default file shares were detected' do\n skip 'This control is NA'\n end\n else\n case net_shares\n when Hash\n net_shares.each do |key, value|\n describe \"Net Share path: #{value}\" do\n subject { value }\n it { should_not eq dsa_db_file }\n end\n end\n when Array\n net_shares.each do |paths|\n paths.each do |key, value|\n describe \"Net Share path: #{value}\" do\n subject { value }\n it { should_not eq dsa_db_file }\n end\n end\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93133.rb", + "ref": "./Windows 2019 STIG/controls/V-93535.rb", 
"line": 3
 },
- "id": "V-93133"
+ "id": "V-93535"
 },
 {
- "title": "Windows Server 2019 Add workstations to domain user right must only be\nassigned to the Administrators group on domain controllers.",
- "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Add workstations to domain\" right may add computers to\na domain. This could result in unapproved or incorrectly configured systems\nbeing added to a domain.",
+ "title": "Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.",
+ "desc": "The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.",
 "descriptions": {
- "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Add workstations to domain\" right may add computers to\na domain. This could result in unapproved or incorrectly configured systems\nbeing added to a domain.",
+ "default": "The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.",
 "rationale": "",
- "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Add\nworkstations to domain\" right, this is a finding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeMachineAccountPrivilege\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Add\nworkstations to domain\" to include only the following accounts or groups:\n\n - Administrators" + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Do not store LAN Manager hash value on next password change\" to \"Enabled\"." 
},
- "impact": 0,
+ "impact": 0.7,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-93039",
- "rid": "SV-103127r1_rule",
- "stig_id": "WN19-DC-000350",
- "fix_id": "F-99285r1_fix",
+ "gtitle": "SRG-OS-000073-GPOS-00041",
+ "gid": "V-93467",
+ "rid": "SV-103553r1_rule",
+ "stig_id": "WN19-SO-000300",
+ "fix_id": "F-99711r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-000196"
 ],
 "nist": [
- "AC-6 (10)",
+ "IA-5 (1) (c)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93039\" do\n title \"Windows Server 2019 Add workstations to domain user right must only be\nassigned to the Administrators group on domain controllers.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Add workstations to domain\\\" right may add computers to\na domain. This could result in unapproved or incorrectly configured systems\nbeing added to a domain.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Add\nworkstations to domain\\\" right, this is a finding.\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeMachineAccountPrivilege\\\" user right, this is a finding.\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Add\nworkstations to domain\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93039'\n tag 'rid': 'SV-103127r1_rule'\n tag 'stig_id': 'WN19-DC-000350'\n tag 'fix_id': 'F-99285r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n end\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('SeMachineAccountPrivilege') { should eq ['S-1-5-32-544'] }\n 
end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93467\" do\n title \"Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.\"\n desc \"The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: NoLMHash\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Do not store LAN Manager hash value on next password change\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000073-GPOS-00041\"\n tag gid: \"V-93467\"\n tag rid: \"SV-103553r1_rule\"\n tag stig_id: \"WN19-SO-000300\"\n tag fix_id: \"F-99711r1_fix\"\n tag cci: [\"CCI-000196\"]\n tag nist: [\"IA-5 (1) (c)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa') do\n it { should have_property 'NoLMHash' }\n its('NoLMHash') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93039.rb", + "ref": "./Windows 2019 STIG/controls/V-93467.rb", "line": 3 }, - "id": "V-93039" + "id": "V-93467" }, { - "title": "Windows Server 
2019 users must be prompted to authenticate when the\nsystem wakes from sleep (on battery).", - "desc": "A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. This setting ensures users are prompted for a\npassword when the system wakes from sleep (on battery).", + "title": "Windows Server 2019 must be configured to audit Privilege Use -\nSensitive Privilege Use failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \"Act as part of the operating system\" or \"Debug\nprograms\".", "descriptions": { - "default": "A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. This setting ensures users are prompted for a\npassword when the system wakes from sleep (on battery).", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \"Act as part of the operating system\" or \"Debug\nprograms\".", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: DCSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Power Management >> Sleep Settings >>\n\"Require a password when a computer wakes (on battery)\" to \"Enabled\"." + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\"\nwith \"Failure\" selected." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93253",
- "rid": "SV-103341r1_rule",
- "stig_id": "WN19-CC-000180",
- "fix_id": "F-99499r1_fix",
+ "gtitle": "SRG-OS-000327-GPOS-00127",
+ "satisfies": [
+ "SRG-OS-000327-GPOS-00127",
+ "SRG-OS-000064-GPOS-00033",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000466-GPOS-00210"
+ ],
+ "gid": "V-93103",
+ "rid": "SV-103191r1_rule",
+ "stig_id": "WN19-AU-000310",
+ "fix_id": "F-99349r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000172",
+ "CCI-002234"
 ],
 "nist": [
- "CM-6 b",
+ "AU-12 c",
+ "AC-6 (9)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93253\" do\n title \"Windows Server 2019 users must be prompted to authenticate when the\nsystem wakes from sleep (on battery).\"\n desc \"A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. This setting ensures users are prompted for a\npassword when the system wakes from sleep (on battery).\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: DCSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Power Management >> Sleep Settings >>\n\\\"Require a password when a computer wakes (on battery)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93253'\n tag 'rid': 'SV-103341r1_rule'\n tag 'stig_id': 'WN19-CC-000180'\n tag 'fix_id': 'F-99499r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n if sys_info.manufacturer == 'VMware, 
Inc.'\n impact 0.0\n describe 'This is a Virtual Machine; This Control is NA.' do\n skip 'This is a Virtual Machine; This Control is NA.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'DCSettingIndex' }\n its('DCSettingIndex') { should cmp 1 }\n end\n end\nend\n", + "code": "control \"V-93103\" do\n title \"Windows Server 2019 must be configured to audit Privilege Use -\nSensitive Privilege Use failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug\nprograms\\\".\"\n desc \"rationale\", \"\"\n desc 'check', \"\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings 
>> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\"\nwith \\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000064-GPOS-00033\",\n\"SRG-OS-000462-GPOS-00206\", \"SRG-OS-000466-GPOS-00210\"]\n tag 'gid': 'V-93103'\n tag 'rid': 'SV-103191r1_rule'\n tag 'stig_id': 'WN19-AU-000310'\n tag 'fix_id': 'F-99349r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93253.rb", + "ref": "./Windows 2019 STIG/controls/V-93103.rb", "line": 3 }, - "id": "V-93253" + "id": "V-93103" }, { - "title": "Windows Server 2019 Profile single process user right must only be\nassigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Profile single process\" user right can monitor\nnon-system processes performance. An attacker could use this to identify\nprocesses to attack.", + "title": "Windows Server 2019 must prevent the display of slide shows on the lock screen.", + "desc": "Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Profile single process\" user right can monitor\nnon-system processes performance. 
An attacker could use this to identify\nprocesses to attack.", + "default": "Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\"Profile single process\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeProfileSingleProcessPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Profile\nsingle process\" to include only the following accounts or groups:\n\n - Administrators" + "check": "Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> \"Prevent enabling lock screen slide show\" to \"Enabled\"." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000324-GPOS-00125",
- "gid": "V-93083",
- "rid": "SV-103171r1_rule",
- "stig_id": "WN19-UR-000200",
- "fix_id": "F-99329r1_fix",
+ "gtitle": "SRG-OS-000095-GPOS-00049",
+ "gid": "V-93399",
+ "rid": "SV-103485r1_rule",
+ "stig_id": "WN19-CC-000010",
+ "fix_id": "F-99643r1_fix",
 "cci": [
- "CCI-002235"
+ "CCI-000381"
 ],
 "nist": [
- "AC-6 (10)",
+ "CM-7 a",
 "Rev_4"
 ]
 },
- "code": "control \"V-93083\" do\n title \"Windows Server 2019 Profile single process user right must only be\nassigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Profile single process\\\" user right can monitor\nnon-system processes performance. An attacker could use this to identify\nprocesses to attack.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\\\"Profile single process\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeProfileSingleProcessPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Profile\nsingle process\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n 
tag 'gid': 'V-93083'\n tag 'rid': 'SV-103171r1_rule'\n tag 'stig_id': 'WN19-UR-000200'\n tag 'fix_id': 'F-99329r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeProfileSingleProcessPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n",
+ "code": "control \"V-93399\" do\n title \"Windows Server 2019 must prevent the display of slide shows on the lock screen.\"\n desc \"Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the registry value below. 
If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization\\\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> \\\"Prevent enabling lock screen slide show\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93399\"\n tag rid: \"SV-103485r1_rule\"\n tag stig_id: \"WN19-CC-000010\"\n tag fix_id: \"F-99643r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization') do\n it { should have_property 'NoLockScreenSlideshow' }\n its('NoLockScreenSlideshow') { should cmp == 1 }\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93083.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93399.rb",
 "line": 3
 },
- "id": "V-93083"
+ "id": "V-93399"
 },
 {
- "title": "Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.",
- "desc": "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. 
For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.",
+ "title": "Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.",
+ "desc": "Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.",
 "descriptions": {
- "default": "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.",
+ "default": "Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.",
 "rationale": "",
- "check": "This applies to domain controllers. 
It is NA for other systems.\n Verify the following is configured in the Default Domain Policy:\n\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \"Maximum tolerance for computer clock synchronization\" is greater than \"5\" minutes, this is a finding.",
- "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Maximum tolerance for computer clock synchronization\" to a maximum of \"5\" minutes or less."
+ "check": "This applies to member servers and standalone systems, it is NA for domain controllers.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc\\\n\n Value Name: RestrictRemoteClients\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
+ "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> \"Restrict Unauthenticated RPC clients\" to \"Enabled\" with \"Authenticated\" selected." 
},
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000112-GPOS-00057",
- "satisfies": [
- "SRG-OS-000112-GPOS-00057",
- "SRG-OS-000113-GPOS-00058"
- ],
- "gid": "V-93451",
- "rid": "SV-103537r1_rule",
- "stig_id": "WN19-DC-000060",
- "fix_id": "F-99695r1_fix",
+ "gtitle": "SRG-OS-000379-GPOS-00164",
+ "gid": "V-93453",
+ "rid": "SV-103539r1_rule",
+ "stig_id": "WN19-MS-000040",
+ "fix_id": "F-99697r1_fix",
 "cci": [
- "CCI-001941",
- "CCI-001942"
+ "CCI-001967"
 ],
 "nist": [
- "IA-2 (8)",
- "IA-2 (9)",
+ "IA-3 (1)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93451\" do\n title \"Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.\"\n desc \"This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n Verify the following is configured in the Default Domain Policy:\n\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \\\"Maximum tolerance for computer clock synchronization\\\" is greater than \\\"5\\\" minutes, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Maximum tolerance for computer clock synchronization\\\" to a maximum of \\\"5\\\" minutes or less.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93451\"\n tag rid: \"SV-103537r1_rule\"\n tag stig_id: \"WN19-DC-000060\"\n tag fix_id: \"F-99695r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxClockSkew') { should be <= 5 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend",
+ "code": "control \"V-93453\" do\n title \"Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.\"\n desc \"Unauthenticated RPC clients may allow anonymous access to sensitive information. 
Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to member servers and standalone systems, it is NA for domain controllers.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\\n\n Value Name: RestrictRemoteClients\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> \\\"Restrict Unauthenticated RPC clients\\\" to \\\"Enabled\\\" with \\\"Authenticated\\\" selected.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000379-GPOS-00164\"\n tag gid: \"V-93453\"\n tag rid: \"SV-103539r1_rule\"\n tag stig_id: \"WN19-MS-000040\"\n tag fix_id: \"F-99697r1_fix\"\n tag cci: [\"CCI-001967\"]\n tag nist: [\"IA-3 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Rpc') do\n it { should have_property 'RestrictRemoteClients' }\n its('RestrictRemoteClients') { should cmp == 1 }\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93451.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93453.rb",
 "line": 3
 },
- "id": "V-93451"
+ "id": "V-93453"
 },
 {
- "title": "Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.",
- "desc": "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.",
+ "title": "Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.",
+ "desc": "Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. 
Disallowing Digest authentication will reduce this potential.",
 "descriptions": {
- "default": "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.",
+ "default": "Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential.",
 "rationale": "",
- "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)",
- "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \"Allow unencrypted traffic\" to \"Disabled\"."
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\\n\n Value Name: AllowDigest\n\n Type: REG_DWORD\n Value: 0x00000000 (0)",
+ "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \"Disallow Digest authentication\" to \"Enabled\"." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000393-GPOS-00173",
- "satisfies": [
- "SRG-OS-000393-GPOS-00173",
- "SRG-OS-000394-GPOS-00174"
- ],
- "gid": "V-93499",
- "rid": "SV-103585r1_rule",
- "stig_id": "WN19-CC-000480",
- "fix_id": "F-99743r1_fix",
+ "gtitle": "SRG-OS-000125-GPOS-00065",
+ "gid": "V-93505",
+ "rid": "SV-103591r1_rule",
+ "stig_id": "WN19-CC-000490",
+ "fix_id": "F-99749r1_fix",
 "cci": [
- "CCI-002890",
- "CCI-003123"
+ "CCI-000877"
 ],
 "nist": [
- "MA-4 (6)",
- "MA-4 (6)",
+ "MA-4 c",
 "Rev_4"
 ]
 },
- "code": "control \"V-93499\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.\"\n desc \"Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowUnencryptedTraffic\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \\\"Allow unencrypted traffic\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000393-GPOS-00173\"\n tag satisfies: [\"SRG-OS-000393-GPOS-00173\", \"SRG-OS-000394-GPOS-00174\"]\n tag gid: \"V-93499\"\n tag rid: \"SV-103585r1_rule\"\n tag stig_id: \"WN19-CC-000480\"\n tag fix_id: \"F-99743r1_fix\"\n tag cci: [\"CCI-002890\", \"CCI-003123\"]\n tag nist: [\"MA-4 (6)\", \"MA-4 (6)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 
'AllowUnencryptedTraffic' }\n its('AllowUnencryptedTraffic') { should cmp == 0 }\n end\nend",
+ "code": "control \"V-93505\" do\n title \"Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.\"\n desc \"Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client\\\\\n\n Value Name: AllowDigest\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> \\\"Disallow Digest authentication\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000125-GPOS-00065\"\n tag gid: \"V-93505\"\n tag rid: \"SV-103591r1_rule\"\n tag stig_id: \"WN19-CC-000490\"\n tag fix_id: \"F-99749r1_fix\"\n tag cci: [\"CCI-000877\"]\n tag nist: [\"MA-4 c\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRM\\\\Client') do\n it { should have_property 'AllowDigest' }\n its('AllowDigest') { should cmp == 0 }\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93499.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93505.rb",
 "line": 3
 },
- "id": "V-93499"
+ "id": "V-93505"
 },
 {
- "title": "Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.",
- "desc": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.",
+ "title": "Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.",
+ "desc": "Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.",
 "descriptions": {
- "default": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.",
+ "default": "Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.",
 "rationale": "",
- "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\\\n\n Value Name: DisableInventory\n\n Type: REG_DWORD\n Value: 0x00000001 (1)",
- "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> \"Turn off Inventory Collector\" to \"Enabled\"." 
+ "check": "Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account.\n If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.",
+ "fix": "Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties."
 },
- "impact": 0.3,
+ "impact": 0,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000095-GPOS-00049",
- "gid": "V-93409",
- "rid": "SV-103495r1_rule",
- "stig_id": "WN19-CC-000200",
- "fix_id": "F-99653r1_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-93369",
+ "rid": "SV-103457r1_rule",
+ "stig_id": "WN19-00-000010",
+ "fix_id": "F-99615r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-000366"
 ],
 "nist": [
- "CM-7 a",
+ "CM-6 b",
 "Rev_4"
 ]
 },
- "code": "control \"V-93409\" do\n title \"Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.\"\n desc \"Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat\\\\\n\n Value Name: DisableInventory\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> \\\"Turn off Inventory Collector\\\" to \\\"Enabled\\\".\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93409\"\n tag rid: \"SV-103495r1_rule\"\n tag stig_id: \"WN19-CC-000200\"\n tag fix_id: \"F-99653r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\AppCompat') do\n it { should have_property 'DisableInventory' }\n its('DisableInventory') { should cmp == 1 }\n end\nend",
+ "code": "control \"V-93369\" do\n title \"Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.\"\n desc \"Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account.\n If users with administrative privileges do not have separate accounts for 
administrative functions and standard user functions, this is a finding.\"\n desc \"fix\", \"Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93369\"\n tag rid: \"SV-103457r1_rule\"\n tag stig_id: \"WN19-00-000010\"\n tag fix_id: \"F-99615r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n administrators = input('administrators')\n administrator_group = command(\"net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'\").stdout.strip.split(\"\\r\\n\")\n administrator_group.each do |user|\n describe user.to_s do\n it { should be_in administrators }\n end\n end\n if administrator_group.empty?\n impact 0.0\n describe 'There are no users with administrative privileges' do\n skip 'There are no users with administrative privileges so this control is NA'\n end\n end\nend",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93409.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93369.rb",
 "line": 3
 },
- "id": "V-93409"
+ "id": "V-93369"
 },
 {
- "title": "Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.",
- "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account.",
+ "title": "Windows Server 2019 Restore files and directories user right must only\nbe assigned to the Administrators group.",
+ "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Restore files and directories\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata. 
It could also be used to overwrite more current data.",
 "descriptions": {
- "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account.",
+ "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Restore files and directories\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata. It could also be used to overwrite more current data.",
 "rationale": "",
- "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)",
- "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Behavior of the elevation prompt for standard users\" to \"Automatically deny elevation requests\"." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\"Restore files and directories\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \"SeRestorePrivilege\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Restore\nfiles and directories\" to include only the following accounts or groups:\n\n - Administrators"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
- "gtitle": "SRG-OS-000373-GPOS-00157",
- "satisfies": [
- "SRG-OS-000373-GPOS-00157",
- "SRG-OS-000373-GPOS-00156"
- ],
- "gid": "V-93433",
- "rid": "SV-103519r1_rule",
- "stig_id": "WN19-SO-000410",
- "fix_id": "F-99677r1_fix",
+ "gtitle": "SRG-OS-000324-GPOS-00125",
+ "gid": "V-93085",
+ "rid": "SV-103173r1_rule",
+ "stig_id": "WN19-UR-000210",
+ "fix_id": "F-99331r1_fix",
 "cci": [
- "CCI-002038"
+ "CCI-002235"
 ],
 "nist": [
- "IA-11",
+ "AC-6 (10)",
 "Rev_4"
 ]
 },
- "code": "control \"V-93433\" do\n title \"Windows Server 2019 User Account Control must automatically deny standard 
user requests for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Behavior of the elevation prompt for standard users\\\" to \\\"Automatically deny elevation requests\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93433\"\n tag rid: \"SV-103519r1_rule\"\n tag stig_id: \"WN19-SO-000410\"\n tag fix_id: \"F-99677r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorUser' }\n its('ConsentPromptBehaviorUser') { should cmp == 0 }\n end\n end\nend",
+ "code": "control 
\"V-93085\" do\n title \"Windows Server 2019 Restore files and directories user right must only\nbe assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Restore files and directories\\\" user right can\ncircumvent file and directory permissions and could allow access to sensitive\ndata. It could also be used to overwrite more current data.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\\\"Restore files and directories\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the \\\"SeRestorePrivilege\\\"\nuser right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Restore\nfiles and directories\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93085'\n tag 
'rid': 'SV-103173r1_rule'\n tag 'stig_id': 'WN19-UR-000210'\n tag 'fix_id': 'F-99331r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeRestorePrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Windows 2019 STIG/controls/V-93433.rb",
+ "ref": "./Windows 2019 STIG/controls/V-93085.rb",
 "line": 3
 },
- "id": "V-93433"
+ "id": "V-93085"
 },
 {
- "title": "Windows Server 2019 must be configured to enable Remote host allows\ndelegation of non-exportable credentials.",
- "desc": "An exportable version of credentials is provided to remote hosts when\nusing credential delegation which exposes them to theft on the remote host.\nRestricted Admin mode or Remote Credential Guard allow delegation of\nnon-exportable credentials providing additional protection of the credentials.\nEnabling this configures the host to support Restricted Admin mode or Remote\nCredential Guard.",
+ "title": "Windows Server 2019 must have the number of allowed bad logon attempts\nconfigured to 3 or less.",
+ "desc": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. The higher this value is, the less effective\nthe account lockout feature will be in protecting the local system. 
The number\nof bad logon attempts must be reasonably small to minimize the possibility of a\nsuccessful password attack while allowing for honest errors made during normal\nuser logon.", "descriptions": { - "default": "An exportable version of credentials is provided to remote hosts when\nusing credential delegation which exposes them to theft on the remote host.\nRestricted Admin mode or Remote Credential Guard allow delegation of\nnon-exportable credentials providing additional protection of the credentials.\nEnabling this configures the host to support Restricted Admin mode or Remote\nCredential Guard.", + "default": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. The higher this value is, the less effective\nthe account lockout feature will be in protecting the local system. The number\nof bad logon attempts must be reasonably small to minimize the possibility of a\nsuccessful password attack while allowing for honest errors made during normal\nuser logon.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation\\\n\n Value Name: AllowProtectedCreds\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Credentials Delegation >> \"Remote host\nallows delegation of non-exportable credentials\" to \"Enabled\"." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Account lockout threshold\" is \"0\" or more than \"3\" attempts,\nthis is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n\n If \"LockoutBadCount\" equals \"0\" or is greater than \"3\" in the file,\nthis is a finding.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Account Policies >> Account Lockout\nPolicy >> \"Account lockout threshold\" to \"3\" or fewer invalid logon\nattempts (excluding \"0\", which is unacceptable)." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93243", - "rid": "SV-103331r1_rule", - "stig_id": "WN19-CC-000100", - "fix_id": "F-99489r1_fix", + "gtitle": "SRG-OS-000021-GPOS-00005", + "gid": "V-93141", + "rid": "SV-103229r1_rule", + "stig_id": "WN19-AC-000020", + "fix_id": "F-99387r1_fix", "cci": [ - "CCI-000366" + "CCI-000044" ], "nist": [ - "CM-6 b", + "AC-7 a", "Rev_4" ] }, - "code": "control \"V-93243\" do\n title \"Windows Server 2019 must be configured to enable Remote host allows\ndelegation of non-exportable credentials.\"\n desc \"An exportable version of credentials is provided to remote hosts when\nusing credential delegation which exposes them to theft on the remote host.\nRestricted Admin mode or Remote Credential Guard allow delegation of\nnon-exportable credentials providing additional protection of the credentials.\nEnabling this configures the host to support Restricted Admin mode or Remote\nCredential Guard.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a 
finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CredentialsDelegation\\\\\n\n Value Name: AllowProtectedCreds\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Credentials Delegation >> \\\"Remote host\nallows delegation of non-exportable credentials\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93243'\n tag 'rid': 'SV-103331r1_rule'\n tag 'stig_id': 'WN19-CC-000100'\n tag 'fix_id': 'F-99489r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation') do\n it { should have_property 'AllowProtectedCreds' }\n its('AllowProtectedCreds') { should cmp 1 }\n end\nend\n", + "code": "control \"V-93141\" do\n title \"Windows Server 2019 must have the number of allowed bad logon attempts\nconfigured to #{input('max_pass_lockout')} or less.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. The higher this value is, the less effective\nthe account lockout feature will be in protecting the local system. 
The number\nof bad logon attempts must be reasonably small to minimize the possibility of a\nsuccessful password attack while allowing for honest errors made during normal\nuser logon.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Account lockout threshold\\\" is \\\"0\\\" or more than \\\"#{input('max_pass_lockout')}\\\" attempts,\nthis is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n\n If \\\"LockoutBadCount\\\" equals \\\"0\\\" or is greater than \\\"#{input('max_pass_lockout')}\\\" in the file,\nthis is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Account Policies >> Account Lockout\nPolicy >> \\\"Account lockout threshold\\\" to \\\"#{input('max_pass_lockout')}\\\" or fewer invalid logon\nattempts (excluding \\\"0\\\", which is unacceptable).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000021-GPOS-00005'\n tag 'gid': 'V-93141'\n tag 'rid': 'SV-103229r1_rule'\n tag 'stig_id': 'WN19-AC-000020'\n tag 'fix_id': 'F-99387r1_fix'\n tag 'cci': [\"CCI-000044\"]\n tag 'nist': [\"AC-7 a\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n 
its('LockoutBadCount') { should be <= input('max_pass_lockout') }\n end\n describe security_policy do\n its('LockoutBadCount') { should be > 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93243.rb", + "ref": "./Windows 2019 STIG/controls/V-93141.rb", "line": 3 }, - "id": "V-93243" + "id": "V-93141" }, { - "title": "Windows Server 2019 Remote Desktop Services must be configured with\nthe client connection encryption set to High Level.", - "desc": "Remote connections must be encrypted to prevent interception of data\nor sensitive information. Selecting \"High Level\" will ensure encryption of\nRemote Desktop Services sessions in both directions.", + "title": "Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.", + "desc": "Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.", "descriptions": { - "default": "Remote connections must be encrypted to prevent interception of data\nor sensitive information. Selecting \"High Level\" will ensure encryption of\nRemote Desktop Services sessions in both directions.", + "default": "Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. 
The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal\nServices\\\n\n Value Name: MinEncryptionLevel\n\n Type: REG_DWORD\n Value: 0x00000003 (3)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Remote Desktop Services >>\nRemote Desktop Session Host >> Security >> \"Set client connection encryption\nlevel\" to \"Enabled\" with \"High Level\" selected." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> \"MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers\" to \"Enabled\".\n This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. \"MSS-Legacy.admx\" and \"MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000033-GPOS-00014", - "satisfies": [ - "SRG-OS-000033-GPOS-00014", - "SRG-OS-000250-GPOS-00093" - ], - "gid": "V-92973", - "rid": "SV-103061r1_rule", - "stig_id": "WN19-CC-000380", - "fix_id": "F-99219r1_fix", + "gtitle": "SRG-OS-000420-GPOS-00186", + "gid": "V-93541", + "rid": "SV-103627r1_rule", + "stig_id": "WN19-CC-000060", + "fix_id": "F-99785r1_fix", "cci": [ - "CCI-000068", - "CCI-001453" + "CCI-002385" ], "nist": [ - "AC-17 (2)", - "AC-17 (2)", + "SC-5", "Rev_4" ] }, - "code": "control \"V-92973\" do\n title \"Windows Server 2019 Remote Desktop Services must be configured with\nthe client connection encryption set to High Level.\"\n desc \"Remote connections must be encrypted to prevent interception of data\nor sensitive information. Selecting \\\"High Level\\\" will ensure encryption of\nRemote Desktop Services sessions in both directions.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal\nServices\\\\\n\n Value Name: MinEncryptionLevel\n\n Type: REG_DWORD\n Value: 0x00000003 (3)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Remote Desktop Services >>\nRemote Desktop Session Host >> Security >> \\\"Set client connection encryption\nlevel\\\" to \\\"Enabled\\\" with \\\"High Level\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000033-GPOS-00014'\n tag 'satisfies': [\"SRG-OS-000033-GPOS-00014\", \"SRG-OS-000250-GPOS-00093\"]\n tag 'gid': 'V-92973'\n tag 'rid': 'SV-103061r1_rule'\n tag 'stig_id': 'WN19-CC-000380'\n tag 'fix_id': 'F-99219r1_fix'\n tag 'cci': [\"CCI-000068\", \"CCI-001453\"]\n tag 'nist': [\"AC-17 (2)\", \"AC-17 (2)\", 
\"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services') do\n it { should have_property \"MinEncryptionLevel\"}\n its(\"MinEncryptionLevel\") { should cmp 3 }\n end\nend\n", + "code": "control \"V-93541\" do\n title \"Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.\"\n desc \"Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters\\\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> \\\"MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers\\\" to \\\"Enabled\\\".\n This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and \\\"MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"SRG-OS-000420-GPOS-00186\"\n tag gid: \"V-93541\"\n tag rid: \"SV-103627r1_rule\"\n tag stig_id: \"WN19-CC-000060\"\n tag fix_id: \"F-99785r1_fix\"\n tag cci: [\"CCI-002385\"]\n tag nist: [\"SC-5\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters') do\n it { should have_property 'NoNameReleaseOnDemand' }\n its('NoNameReleaseOnDemand') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92973.rb", + "ref": "./Windows 2019 STIG/controls/V-93541.rb", "line": 3 }, - "id": "V-92973" + "id": "V-93541" }, { - "title": "Windows Server 2019 built-in guest account must be renamed.", - "desc": "The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.", + "title": "Windows Server 2019 Turning off File Explorer heap termination on\ncorruption must be disabled.", + "desc": "Legacy plug-in applications may continue to function when a File\nExplorer session has become corrupt. Disabling this feature will prevent this.", "descriptions": { - "default": "The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.", + "default": "Legacy plug-in applications may continue to function when a File\nExplorer session has become corrupt. 
Disabling this feature will prevent this.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n If the value for \"Accounts: Rename guest account\" is not set to a value other than \"Guest\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"NewGuestName\" is not something other than \"Guest\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Accounts: Rename guest account\" to a name other than \"Guest\"." + "check": "The default behavior is for File Explorer heap termination on corruption to\nbe enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0\", this is not a finding.\n\n If it exists and is configured with a value of \"1\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)", + "fix": "The default behavior is for File Explorer heap termination on corruption to\nbe disabled.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> File\nExplorer >> \"Turn off heap termination on corruption\" to \"Not Configured\"\nor \"Disabled\"." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93283", - "rid": "SV-103371r1_rule", - "stig_id": "WN19-SO-000040", - "fix_id": "F-99529r1_fix", + "gid": "V-93261", + "rid": "SV-103349r1_rule", + "stig_id": "WN19-CC-000320", + "fix_id": "F-99507r1_fix", "cci": [ "CCI-000366" ], 
@@ -8586,297 +8618,270 @@ "Rev_4" ] }, - "code": "control \"V-93283\" do\n title \"Windows Server 2019 built-in guest account must be renamed.\"\n desc \"The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n If the value for \\\"Accounts: Rename guest account\\\" is not set to a value other than \\\"Guest\\\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"NewGuestName\\\" is not something other than \\\"Guest\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Accounts: Rename guest account\\\" to a name other than \\\"Guest\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93283\"\n tag rid: \"SV-103371r1_rule\"\n tag stig_id: \"WN19-SO-000040\"\n tag fix_id: \"F-99529r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe security_policy do\n its('NewGuestName') { should_not eq \"Guest\" }\n end\nend", + "code": "control \"V-93261\" do\n title \"Windows Server 2019 Turning off File Explorer heap termination on\ncorruption must be disabled.\"\n desc \"Legacy plug-in applications may continue to function when a File\nExplorer session has become corrupt. 
Disabling this feature will prevent this.\"\n desc \"rationale\", \"\"\n desc 'check', \"The default behavior is for File Explorer heap termination on corruption to\nbe enabled.\n\n If the registry Value Name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0\\\", this is not a finding.\n\n If it exists and is configured with a value of \\\"1\\\", this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\\n\n Value Name: NoHeapTerminationOnCorruption\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) (or if the Value Name does not exist)\"\n desc 'fix', \"The default behavior is for File Explorer heap termination on corruption to\nbe disabled.\n\n If this needs to be corrected, configure the policy value for Computer\nConfiguration >> Administrative Templates >> Windows Components >> File\nExplorer >> \\\"Turn off heap termination on corruption\\\" to \\\"Not Configured\\\"\nor \\\"Disabled\\\".\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93261'\n tag 'rid': 'SV-103349r1_rule'\n tag 'stig_id': 'WN19-CC-000320'\n tag 'fix_id': 'F-99507r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should_not have_property 'NoHeapTerminationOnCorruption' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer') do\n it { should have_property 'NoHeapTerminationOnCorruption' }\n its('NoHeapTerminationOnCorruption') { should_not be 1 }\n its('NoHeapTerminationOnCorruption') { should cmp 0 }\n end\n \n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93283.rb", + "ref": "./Windows 2019 STIG/controls/V-93261.rb", "line": 3 }, - "id": "V-93283" + "id": "V-93261" }, { - "title": "Windows 
Server 2019 must disable the Windows Installer Always install\nwith elevated privileges option.", - "desc": "Standard user accounts must not be granted elevated privileges.\nEnabling Windows Installer to elevate privileges when installing applications\ncan allow malicious persons and applications to gain full control of a system.", + "title": "Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE.", + "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "descriptions": { - "default": "Standard user accounts must not be granted elevated privileges.\nEnabling Windows Installer to elevate privileges when installing applications\ncan allow malicious persons and applications to gain full control of a system.", + "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: AlwaysInstallElevated\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows Installer >> \"Always\ninstall with elevated privileges\" to \"Disabled\"." 
+ "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name MSACCESS.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", + "fix": "Ensure the following mitigations are turned \"ON\" for MSACCESS.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
}, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000362-GPOS-00149", - "gid": "V-93201", - "rid": "SV-103289r1_rule", - "stig_id": "WN19-CC-000430", - "fix_id": "F-99447r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93343", + "rid": "SV-103431r1_rule", + "stig_id": "WN19-EP-000170", + "fix_id": "F-99589r1_fix", "cci": [ - "CCI-001812" + "CCI-000366" ], "nist": [ - "CM-11 (2)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93201\" do\n title \"Windows Server 2019 must disable the Windows Installer Always install\nwith elevated privileges option.\"\n desc \"Standard user accounts must not be granted elevated privileges.\nEnabling Windows Installer to elevate privileges when installing applications\ncan allow malicious persons and applications to gain full control of a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: AlwaysInstallElevated\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows Installer >> \\\"Always\ninstall with elevated privileges\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000362-GPOS-00149'\n tag 'gid': 'V-93201'\n tag 'rid': 'SV-103289r1_rule'\n tag 'stig_id': 'WN19-CC-000430'\n tag 'fix_id': 'F-99447r1_fix'\n tag 'cci': [\"CCI-001812\"]\n tag 'nist': [\"CM-11 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'AlwaysInstallElevated' }\n its('AlwaysInstallElevated') { should cmp 0 }\n end\nend\n", + "code": "control \"V-93343\" do\n title \"Windows Server 2019 Exploit Protection 
mitigations must be configured for MSACCESS.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name MSACCESS.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for MSACCESS.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and 
location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93343\"\n tag rid: \"SV-103431r1_rule\"\n tag stig_id: \"WN19-EP-000170\"\n tag fix_id: \"F-99589r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n msaccess = json({ command: \"Get-ProcessMitigation -Name MSACCESS.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif msaccess.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for MSACCESS.EXE\" do\n subject { msaccess }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93201.rb", + "ref": "./Windows 2019 STIG/controls/V-93343.rb", "line": 3 }, - "id": "V-93201" + "id": "V-93343" }, { - "title": "Windows Server 2019 must be configured to audit Account Management -\nSecurity Group Management successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\nchanging security groups, including changes in group members.", + "title": "Windows Server 2019 Create permanent shared objects user right must\nnot be assigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create permanent shared objects\" user right could\nexpose sensitive data by creating shared objects.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\nchanging security groups, including changes in group members.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create permanent shared objects\" user right could\nexpose sensitive data by creating shared objects.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open 
\"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Security Group Management - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit Security Group\nManagement\" with \"Success\" selected." + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Create permanent shared\nobjects\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeCreatePermanentPrivilege\" user right, this\nis a finding.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Create permanent shared objects\" to be defined but containing\nno entries (blank)." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000004-GPOS-00004", - "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000476-GPOS-00221" - ], - "gid": "V-92979", - "rid": "SV-103067r1_rule", - "stig_id": "WN19-AU-000100", - "fix_id": "F-99225r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93061", + "rid": "SV-103149r1_rule", + "stig_id": "WN19-UR-000080", + "fix_id": "F-99307r1_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-001404", - "CCI-001405", - "CCI-002130" + "CCI-002235" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)", - "AC-2 (4)", - "AC-2(4)", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-92979\" do\n title \"Windows Server 2019 must be configured to audit Account Management -\nSecurity Group Management successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security Group Management records events such as creating, deleting, or\nchanging security groups, including changes in group members.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Account Management >> Security Group Management - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit Security Group\nManagement\\\" with \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000004-GPOS-00004'\n tag 'satisfies': [\"SRG-OS-000004-GPOS-00004\", \"SRG-OS-000239-GPOS-00089\",\n\"SRG-OS-000240-GPOS-00090\", \"SRG-OS-000241-GPOS-00091\",\n\"SRG-OS-000303-GPOS-00120\", \"SRG-OS-000476-GPOS-00221\"]\n tag 'gid': 'V-92979'\n tag 'rid': 'SV-103067r1_rule'\n tag 'stig_id': 'WN19-AU-000100'\n tag 'fix_id': 'F-99225r1_fix'\n tag 'cci': [\"CCI-000018\", \"CCI-000172\", \"CCI-001403\", \"CCI-001404\",\n\"CCI-001405\", \"CCI-002130\"]\n tag 'nist': [\"AC-2 (4)\", \"AU-12 c\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2 (4)\", \"AC-2(4)\", 
\"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Security Group Management') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security Group Management') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93061\" do\n title \"Windows Server 2019 Create permanent shared objects user right must\nnot be assigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Create permanent shared objects\\\" user right could\nexpose sensitive data by creating shared objects.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Create permanent shared\nobjects\\\" user right, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeCreatePermanentPrivilege\\\" user right, this\nis a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Create permanent shared objects\\\" to be defined but containing\nno entries (blank).\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93061'\n tag 'rid': 'SV-103149r1_rule'\n tag 'stig_id': 'WN19-UR-000080'\n tag 'fix_id': 'F-99307r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a 
manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeCreatePermanentPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92979.rb", + "ref": "./Windows 2019 STIG/controls/V-93061.rb", "line": 3 }, - "id": "V-92979" + "id": "V-93061" }, { - "title": "Windows Server 2019 must be maintained at a supported servicing level.", - "desc": "Systems at unsupported servicing levels will not receive security\nupdates for new vulnerabilities, which leave them subject to exploitation.\nSystems must be maintained at a servicing level supported by the vendor with\nnew security updates.", + "title": "Windows Server 2019 Active Directory Domain object must be configured\nwith proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain object. 
Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "descriptions": { - "default": "Systems at unsupported servicing levels will not receive security\nupdates for new vulnerabilities, which leave them subject to exploitation.\nSystems must be maintained at a servicing level supported by the vendor with\nnew security updates.", + "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "rationale": "", - "check": "Open \"Command Prompt\".\n\n Enter \"winver.exe\".\n\n If the \"About Windows\" dialog box does not display \"Microsoft Windows\nServer Version 1809 (Build 17763.xxx)\" or greater, this is a finding.\n\n Preview versions must not be used in a production environment.", - "fix": "Update the system to a Version 1809 (Build 17763.xxx) or\ngreater." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the Domain object are not at least as inclusive as\nthose below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\nModify owner)", + "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select \"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for Domain object to include the following:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\nModify owner.)" }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93215", - "rid": "SV-103303r1_rule", - "stig_id": "WN19-00-000100", - "fix_id": "F-99461r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" + ], + "gid": "V-93123", + "rid": "SV-103211r1_rule", + "stig_id": "WN19-DC-000180", + "fix_id": "F-99369r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93215\" do\n title \"Windows Server 2019 must be maintained at a supported servicing level.\"\n desc \"Systems at unsupported servicing levels will not receive security\nupdates for new vulnerabilities, which leave them subject to exploitation.\nSystems must be maintained at a servicing level supported by the vendor with\nnew security updates.\"\n desc \"rationale\", \"\"\n desc 'check', \"Open \\\"Command Prompt\\\".\n\n Enter \\\"winver.exe\\\".\n\n If the \\\"About Windows\\\" dialog box does not display 
\\\"Microsoft Windows\nServer Version 1809 (Build 17763.xxx)\\\" or greater, this is a finding.\n\n Preview versions must not be used in a production environment.\"\n desc 'fix', \"Update the system to a Version 1809 (Build 17763.xxx) or\ngreater.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93215'\n tag 'rid': 'SV-103303r1_rule'\n tag 'stig_id': 'WN19-00-000100'\n tag 'fix_id': 'F-99461r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n releaseid = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').ReleaseId\n current_build_number = registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion').CurrentBuildNumber\n describe 'Microsoft Windows 2019 needs to be higher that release 1809' do\n subject { releaseid }\n it { should cmp >= 1809}\n end\n describe 'Microsoft Windows 2019 needs to be higher that build number 17763' do\n subject { current_build_number }\n it { should cmp >= 17763}\n end\nend\n", + "code": "control \"V-93123\" do\n title \"Windows Server 2019 Active Directory Domain object must be configured\nwith proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the Domain object. 
Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the Domain object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the Domain object are not at least as inclusive as\nthose below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\nModify owner)\"\n desc 'fix', \"\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select the domain being reviewed in the left pane.\n\n Right-click the domain name and select \\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for Domain object to include the following:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n Applies to - This object only\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - None\n Applies to - Special\n\n Type - Success\n Principal - Domain Users\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Administrators\n Access - All extended rights\n Inherited from - None\n Applies to - This object only\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n Applies to - This object only\n (Access - Special = Permissions: Write all properties, Modify permissions,\nModify owner.)\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93123'\n tag 'rid': 'SV-103211r1_rule'\n tag 'stig_id': 'WN19-DC-000180'\n tag 'fix_id': 'F-99369r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n distinguishedName = \"\\'#{distinguishedName}\\'\"\n netbiosname = json(command: 'Get-ADDomain | Select NetBIOSName | ConvertTo-JSON').params['NetBIOSName']\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:#{distinguishedName}).Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { 
should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, WriteDacl, WriteOwner\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"BUILTIN\\\\Administrators\" }\n its(['ActiveDirectoryRights']) { should cmp \"ExtendedRight\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"#{netbiosname}\\\\Domain Users\" }\n its(['ActiveDirectoryRights']) { should cmp \"ExtendedRight\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"All\" 
}\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93215.rb", + "ref": "./Windows 2019 STIG/controls/V-93123.rb", "line": 3 }, - "id": "V-93215" + "id": "V-93123" }, { - "title": "Windows Server 2019 must be configured to audit Object Access - Other\nObject Access Events failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.", + "title": "Windows Server 2019 audit records must be backed up to a different\nsystem or media than the system being audited.", + "desc": "Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.", + "default": "Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Other Object Access Events - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \"Audit Other Object Access Events\"\nwith \"Failure\" selected." + "check": "Determine if a process to back up log data to a different system or media\nthan the system being audited has been implemented.\n\n If it has not, this is a finding.", + "fix": "Establish and implement a process for backing up log data to\nanother system or media other than the system being audited." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000470-GPOS-00214", - "gid": "V-93165", - "rid": "SV-103253r1_rule", - "stig_id": "WN19-AU-000230", - "fix_id": "F-99411r1_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "gid": "V-93183", + "rid": "SV-103271r1_rule", + "stig_id": "WN19-AU-000010", + "fix_id": "F-99429r1_fix", "cci": [ - "CCI-000172" + "CCI-001851" ], "nist": [ - "AU-12 c", + "AU-4 (1)", "Rev_4" ] }, - "code": "control \"V-93165\" do\n title \"Windows Server 2019 must be configured to audit Object Access - Other\nObject Access Events failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Auditing for other object access records events related to the management\nof task scheduler jobs and COM+ objects.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Object Access >> Other Object Access Events - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security 
Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\"\nwith \\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000470-GPOS-00214'\n tag 'gid': 'V-93165'\n tag 'rid': 'SV-103253r1_rule'\n tag 'stig_id': 'WN19-AU-000230'\n tag 'fix_id': 'F-99411r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other Object Access Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93183\" do\n title \"Windows Server 2019 audit records must be backed up to a different\nsystem or media than the system being audited.\"\n desc \"Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine if a process to back up log data to a different system or media\nthan the system being audited has been implemented.\n\n If it has not, this is a finding.\"\n desc 'fix', \"Establish and implement a process for backing up log data to\nanother system or media other than the system being audited.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000342-GPOS-00133'\n tag 'gid': 'V-93183'\n tag 'rid': 'SV-103271r1_rule'\n tag 'stig_id': 'WN19-AU-000010'\n tag 'fix_id': 'F-99429r1_fix'\n tag 'cci': [\"CCI-001851\"]\n tag 'nist': [\"AU-4 (1)\", \"Rev_4\"]\n\n describe 'A manual review is required to verify audit records are being backed up onto a different system or media than the system being audited' do\n skip 'A manual review is required to verify audit records are being backed up onto a different system or media than the system being audited'\n end\nend\n", "source_location": { - 
"ref": "./Windows 2019 STIG/controls/V-93165.rb", + "ref": "./Windows 2019 STIG/controls/V-93183.rb", "line": 3 }, - "id": "V-93165" + "id": "V-93183" }, { - "title": "Windows Server 2019 default permissions of global system objects must be strengthened.", - "desc": "Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.", + "title": "Windows Server 2019 downloading print driver packages over HTTP must be turned off.", + "desc": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages over HTTP.", "descriptions": { - "default": "Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.", + "default": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages over HTTP.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)\" to \"Enabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableWebPnPDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> \"Turn off downloading of print drivers over HTTP\" to \"Enabled\"." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93309", - "rid": "SV-103397r1_rule", - "stig_id": "WN19-SO-000370", - "fix_id": "F-99555r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93403", + "rid": "SV-103489r1_rule", + "stig_id": "WN19-CC-000150", + "fix_id": "F-99647r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93309\" do\n title \"Windows Server 2019 default permissions of global system objects must be strengthened.\"\n desc \"Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)\\\" to \\\"Enabled\\\".\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93309\"\n tag rid: \"SV-103397r1_rule\"\n tag stig_id: \"WN19-SO-000370\"\n tag fix_id: \"F-99555r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager') do\n it { should have_property 'ProtectionMode' }\n its('ProtectionMode') { should cmp == 1 }\n end\nend", + "code": "control \"V-93403\" do\n title \"Windows Server 2019 downloading print driver packages over HTTP must be turned off.\"\n desc \"Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the computer from downloading print driver packages over HTTP.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableWebPnPDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> \\\"Turn off downloading of print drivers over HTTP\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93403\"\n tag rid: \"SV-103489r1_rule\"\n tag stig_id: \"WN19-CC-000150\"\n tag fix_id: \"F-99647r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers') do\n it { should have_property 'DisableWebPnPDownload' }\n its('DisableWebPnPDownload') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93309.rb", + "ref": "./Windows 2019 STIG/controls/V-93403.rb", "line": 3 }, - "id": "V-93309" + "id": 
"V-93403" }, { - "title": "Windows Server 2019 must be configured to audit logon failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.", + "title": "Windows Server 2019 must not have the Fax Server role installed.", + "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.", + "default": "Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Failure\"\nselected." + "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq Fax\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", + "fix": "Uninstall the \"Fax Server\" role.\n\n Start \"Server Manager\".\n Select the server with the role.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Fax Server\" on the \"Roles\" page.\n Click \"Next\" and \"Remove\" as prompted." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000032-GPOS-00013", - "satisfies": [ - "SRG-OS-000032-GPOS-00013", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000472-GPOS-00217", - "SRG-OS-000473-GPOS-00218", - "SRG-OS-000475-GPOS-00220" - ], - "gid": "V-92969", - "rid": "SV-103057r1_rule", - "stig_id": "WN19-AU-000200", - "fix_id": "F-99215r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93383", + "rid": "SV-103469r1_rule", + "stig_id": "WN19-00-000320", + "fix_id": "F-99627r1_fix", "cci": [ - "CCI-000067", - "CCI-000172" + "CCI-000381" ], "nist": [ - "AC-17 (1)", - "AU-12 c", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-92969\" do\n title \"Windows Server 2019 must be configured to audit logon failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. 
If it is to a network share, it is recorded on the system\naccessed.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Logon\\\" with \\\"Failure\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000032-GPOS-00013'\n tag 'satisfies': [\"SRG-OS-000032-GPOS-00013\", \"SRG-OS-000470-GPOS-00214\",\n\"SRG-OS-000472-GPOS-00217\", \"SRG-OS-000473-GPOS-00218\",\n\"SRG-OS-000475-GPOS-00220\"]\n tag 'gid': 'V-92969'\n tag 'rid': 'SV-103057r1_rule'\n tag 'stig_id': 'WN19-AU-000200'\n tag 'fix_id': 'F-99215r1_fix'\n tag 'cci': [\"CCI-000067\", \"CCI-000172\"]\n tag 'nist': [\"AC-17 (1)\", \"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93383\" do\n title \"Windows Server 2019 must not have the Fax Server role installed.\"\n desc \"Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq Fax\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Fax Server\\\" role.\n\n Start \\\"Server Manager\\\".\n Select the server with the role.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Fax Server\\\" on the \\\"Roles\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93383\"\n tag rid: \"SV-103469r1_rule\"\n tag stig_id: \"WN19-00-000320\"\n tag fix_id: \"F-99627r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('fax') do\n it { should_not be_installed }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92969.rb", + "ref": "./Windows 2019 STIG/controls/V-93383.rb", "line": 3 }, - "id": "V-92969" + "id": "V-93383" }, { - "title": "Windows Server 2019 must be configured to audit Privilege Use -\nSensitive Privilege Use successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \"Act as part of the operating system\" or \"Debug\nprograms\".", + "title": "Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.", + "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \"Act as part of the operating system\" or \"Debug\nprograms\".", + "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\"\nwith \"Success\" selected." + "check": "Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \"Configure SMBv1 Server\" to \"Disabled\".\n\n The system must be restarted for the change to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" - ], - "gid": "V-93101", - "rid": "SV-103189r1_rule", - "stig_id": "WN19-AU-000300", - "fix_id": "F-99347r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93393", + "rid": "SV-103479r1_rule", + "stig_id": "WN19-00-000390", + "fix_id": "F-99637r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000381" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93101\" do\n title \"Windows Server 2019 must be configured to audit Privilege Use -\nSensitive Privilege Use successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug\nprograms\\\".\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n 
If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\"\nwith \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000064-GPOS-00033\",\n\"SRG-OS-000462-GPOS-00206\", \"SRG-OS-000466-GPOS-00210\"]\n tag 'gid': 'V-93101'\n tag 'rid': 'SV-103189r1_rule'\n tag 'stig_id': 'WN19-AU-000300'\n tag 'fix_id': 'F-99347r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success' }\n end\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93393\" do\n title \"Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA.\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\\n\n Value Name: SMB1\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \\\"Configure SMBv1 Server\\\" to \\\"Disabled\\\".\n\n The system must be restarted for the change to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. \\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93393\"\n tag rid: \"SV-103479r1_rule\"\n tag stig_id: \"WN19-00-000390\"\n tag fix_id: \"F-99637r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n if powershell(\"Get-WindowsFeature -Name FS-SMB1 | Select -ExpandProperty 'InstallState'\").stdout.strip == \"Installed\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'SMB1' }\n its('SMB1') { should cmp == 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10') do\n it { should have_property 'Start' }\n its('Start') { should cmp == 4 }\n end\n else\n impact 0.0\n describe 'Control V-93391 configuration successful' do\n skip 'This is NA 
as the successful configuration of Control V-93391 (STIG ID# WN19-00-000380) meets the requirement'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93101.rb", + "ref": "./Windows 2019 STIG/controls/V-93393.rb", "line": 3 }, - "id": "V-93101" + "id": "V-93393" }, { - "title": "Windows Server 2019 Early Launch Antimalware, Boot-Start Driver\nInitialization Policy must prevent boot drivers identified as bad.", - "desc": "Compromised boot drivers can introduce malware prior to protection\nmechanisms that load after initialization. The Early Launch Antimalware driver\ncan limit allowed drivers based on classifications determined by the malware\nprotection application. At a minimum, drivers determined to be bad must not be\nallowed.", + "title": "Windows Server 2019 must not allow anonymous SID/Name translation.", + "desc": "Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.", "descriptions": { - "default": "Compromised boot drivers can introduce malware prior to protection\nmechanisms that load after initialization. The Early Launch Antimalware driver\ncan limit allowed drivers based on classifications determined by the malware\nprotection application. At a minimum, drivers determined to be bad must not be\nallowed.", + "default": "Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. 
Only authorized users must be able to perform such translations.", "rationale": "", - "check": "The default behavior is for Early Launch Antimalware - Boot-Start Driver\nInitialization policy to enforce \"Good, unknown and bad but critical\"\n(preventing \"bad\").\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \"0x00000007 (7)\", this is\na finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value\nName does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes \"bad\" and would be a finding)", - "fix": "The default behavior is for Early Launch Antimalware - Boot-Start Driver\nInitialization policy to enforce \"Good, unknown and bad but critical\"\n(preventing \"bad\").\n\n If this needs to be corrected or a more secure setting is desired,\nconfigure the policy value for Computer Configuration >> Administrative\nTemplates >> System >> Early Launch Antimalware >> \"Boot-Start Driver\nInitialization Policy\" to \"Not Configured\" or \"Enabled\" with any option\nother than \"All\" selected." + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Network access: Allow anonymous SID/Name translation\" is not set to \"Disabled\", this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Allow anonymous SID/Name translation\" to \"Disabled\"." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93249", - "rid": "SV-103337r1_rule", - "stig_id": "WN19-CC-000130", - "fix_id": "F-99495r1_fix", + "gid": "V-93289", + "rid": "SV-103377r1_rule", + "stig_id": "WN19-SO-000210", + "fix_id": "F-99535r1_fix", "cci": [ "CCI-000366" ], 
@@ -8885,31 +8890,31 @@ "Rev_4" ] }, - "code": "control \"V-93249\" do\n title \"Windows Server 2019 Early Launch Antimalware, Boot-Start Driver\nInitialization Policy must prevent boot drivers identified as bad.\"\n desc \"Compromised boot drivers can introduce malware prior to protection\nmechanisms that load after initialization. The Early Launch Antimalware driver\ncan limit allowed drivers based on classifications determined by the malware\nprotection application. At a minimum, drivers determined to be bad must not be\nallowed.\"\n desc \"rationale\", \"\"\n desc 'check', \"The default behavior is for Early Launch Antimalware - Boot-Start Driver\nInitialization policy to enforce \\\"Good, unknown and bad but critical\\\"\n(preventing \\\"bad\\\").\n\n If the registry value name below does not exist, this is not a finding.\n\n If it exists and is configured with a value of \\\"0x00000007 (7)\\\", this is\na finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Policies\\\\EarlyLaunch\\\\\n\n Value Name: DriverLoadPolicy\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value\nName does not exist)\n\n Possible values for this setting are:\n 8 - Good only\n 1 - Good and unknown\n 3 - Good, unknown and bad but critical\n 7 - All (which includes \\\"bad\\\" and would be a finding)\"\n desc 'fix', \"The default behavior is for Early Launch Antimalware - Boot-Start Driver\nInitialization policy to enforce \\\"Good, unknown and bad but critical\\\"\n(preventing \\\"bad\\\").\n\n If this needs to be corrected or a more secure setting is desired,\nconfigure the policy value for Computer Configuration >> Administrative\nTemplates >> System >> Early Launch Antimalware >> \\\"Boot-Start Driver\nInitialization Policy\\\" to \\\"Not Configured\\\" or \\\"Enabled\\\" with any option\nother than \\\"All\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 
'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93249'\n tag 'rid': 'SV-103337r1_rule'\n tag 'stig_id': 'WN19-CC-000130'\n tag 'fix_id': 'F-99495r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch') do\n it { should_not have_property 'DriverLoadPolicy' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch') do\n it { should have_property 'DriverLoadPolicy' }\n its('DriverLoadPolicy') { should be_in [1, 3, 8] }\n end\n end\nend\n", + "code": "control \"V-93289\" do\n title \"Windows Server 2019 must not allow anonymous SID/Name translation.\"\n desc \"Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Network access: Allow anonymous SID/Name translation\\\" is not set to \\\"Disabled\\\", this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Allow anonymous SID/Name translation\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93289\"\n tag rid: \"SV-103377r1_rule\"\n tag stig_id: \"WN19-SO-000210\"\n tag fix_id: \"F-99535r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe security_policy do\n its('LSAAnonymousNameLookup') { should eq 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93249.rb", + "ref": 
"./Windows 2019 STIG/controls/V-93289.rb", "line": 3 }, - "id": "V-93249" + "id": "V-93289" }, { - "title": "Windows Server 2019 hardened Universal Naming Convention (UNC) paths\n must be defined to require mutual authentication and integrity for at least the\n \\\\*\\SYSVOL and \\\\*\\NETLOGON shares.", - "desc": "Additional security requirements are applied to UNC paths specified in\n hardened UNC paths before allowing access to them. This aids in preventing\n tampering with or spoofing of connections to these paths.", + "title": "Windows Server 2019 FTP servers must be configured to prevent access\nto the system drive.", + "desc": "The FTP service allows remote users to access shared files and\ndirectories that could provide access to system resources and compromise the\nsystem, especially if the user can gain access to the root directory of the\nboot drive.", "descriptions": { - "default": "Additional security requirements are applied to UNC paths specified in\n hardened UNC paths before allowing access to them. This aids in preventing\n tampering with or spoofing of connections to these paths.", + "default": "The FTP service allows remote users to access shared files and\ndirectories that could provide access to system resources and compromise the\nsystem, especially if the user can gain access to the root directory of the\nboot drive.", "rationale": "", - "check": "This requirement is applicable to domain-joined systems. 
For standalone\n systems, this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths\\\n\n Value Name: \\\\*\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.", - "fix": "Configure the policy value for Computer Configuration >> Administrative\n Templates >> Network >> Network Provider >> \"Hardened UNC Paths\" to\n \"Enabled\" with at least the following configured in \"Hardened UNC Paths\"\n (click the \"Show\" button to display):\n\n Value Name: \\\\*\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\*\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1" + "check": "If FTP is not installed on the system, this is NA.\n\n Open \"Internet Information Services (IIS) Manager\".\n\n Select \"Sites\" under the server name.\n\n For any sites with a Binding that lists FTP, right-click the site and\nselect \"Explore\".\n\n If the site is not defined to a specific folder for shared FTP resources,\nthis is a finding.\n\n If the site includes any system areas such as root of the drive, Program\nFiles, or Windows directories, this is a finding.", + "fix": "Configure the FTP sites to allow access only to specific FTP\nshared resources. Do not allow access to other areas of the system." }, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93241", - "rid": "SV-103329r1_rule", - "stig_id": "WN19-CC-000080", - "fix_id": "F-99487r1_fix", + "gid": "V-93225", + "rid": "SV-103313r1_rule", + "stig_id": "WN19-00-000430", + "fix_id": "F-99471r1_fix", "cci": [ "CCI-000366" ], 
@@ -8918,179 +8923,186 @@ "Rev_4" ] }, - "code": "control 'V-93241' do\n title \"Windows Server 2019 hardened Universal Naming Convention (UNC) paths\n must be defined to require mutual authentication and integrity for at least the\n \\\\\\\\*\\\\SYSVOL and \\\\\\\\*\\\\NETLOGON shares.\"\n desc \"Additional security requirements are applied to UNC paths specified in\n hardened UNC paths before allowing access to them. This aids in preventing\n tampering with or spoofing of connections to these paths.\"\n desc 'rationale', ''\n desc 'check', \"This requirement is applicable to domain-joined systems. For standalone\n systems, this is NA.\n\n If the following registry values do not exist or are not configured as\n specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\NetworkProvider\\\\HardenedPaths\\\\\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value Type: REG_SZ\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Additional entries would not be a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\n Templates >> Network >> Network Provider >> \\\"Hardened UNC Paths\\\" to\n \\\"Enabled\\\" with at least the following configured in \\\"Hardened UNC Paths\\\"\n (click the \\\"Show\\\" button to display):\n\n Value Name: \\\\\\\\*\\\\SYSVOL\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\n\n Value Name: \\\\\\\\*\\\\NETLOGON\n Value: RequireMutualAuthentication=1, RequireIntegrity=1\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93241'\n tag 'rid': 'SV-103329r1_rule'\n tag 'stig_id': 'WN19-CC-000080'\n tag 'fix_id': 'F-99487r1_fix'\n tag 'cci': ['CCI-000366']\n tag 'nist': ['CM-6 b', 'Rev_4']\n\n is_domain = command('wmic computersystem get domain | FINDSTR 
/V Domain').stdout.strip\n\n if is_domain == 'WORKGROUP'\n impact 0.0\n describe 'The system is not a member of a domain, control is NA' do\n skip 'The system is not a member of a domain, control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths') do\n it { should have_property '\\\\\\\\*\\\\SYSVOL' }\n its('\\\\\\\\*\\\\SYSVOL') { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1' }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths') do\n it { should have_property '\\\\\\\\*\\\\NETLOGON' }\n its('\\\\\\\\*\\\\NETLOGON') { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1' }\n end\n end\nend\n", + "code": "control \"V-93225\" do\n title \"Windows Server 2019 FTP servers must be configured to prevent access\nto the system drive.\"\n desc \"The FTP service allows remote users to access shared files and\ndirectories that could provide access to system resources and compromise the\nsystem, especially if the user can gain access to the root directory of the\nboot drive.\"\n desc \"rationale\", \"\"\n desc 'check', \"If FTP is not installed on the system, this is NA.\n\n Open \\\"Internet Information Services (IIS) Manager\\\".\n\n Select \\\"Sites\\\" under the server name.\n\n For any sites with a Binding that lists FTP, right-click the site and\nselect \\\"Explore\\\".\n\n If the site is not defined to a specific folder for shared FTP resources,\nthis is a finding.\n\n If the site includes any system areas such as root of the drive, Program\nFiles, or Windows directories, this is a finding.\"\n desc 'fix', \"Configure the FTP sites to allow access only to specific FTP\nshared resources. 
Do not allow access to other areas of the system.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93225'\n tag 'rid': 'SV-103313r1_rule'\n tag 'stig_id': 'WN19-00-000430'\n tag 'fix_id': 'F-99471r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n is_ftp_installed = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n if is_ftp_installed == 'False'\n impact 0.0\n describe 'FTP is not installed' do\n skip 'Control not applicable'\n end\n else\n describe 'Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system.' do\n skip 'Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system.'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93241.rb", + "ref": "./Windows 2019 STIG/controls/V-93225.rb", "line": 3 }, - "id": "V-93241" + "id": "V-93225" }, { - "title": "Windows Server 2019 built-in administrator account must be renamed.", - "desc": "The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.", + "title": "Windows Server 2019 must be configured to audit Privilege Use -\nSensitive Privilege Use successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \"Act as part of the operating system\" or \"Debug\nprograms\".", "descriptions": { - "default": "The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \"Act as part of the operating system\" or \"Debug\nprograms\".", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \"Accounts: Rename administrator account\" is not set to a value other than \"Administrator\", this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n\n If \"NewAdministratorName\" is not something other than \"Administrator\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> 
Security Options >> \"Accounts: Rename administrator account\" to a name other than \"Administrator\"." + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\"\nwith \"Success\" selected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93281", - "rid": "SV-103369r1_rule", - "stig_id": "WN19-SO-000030", - "fix_id": "F-99527r1_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "satisfies": [ + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000466-GPOS-00210" + ], + "gid": "V-93101", + "rid": "SV-103189r1_rule", + "stig_id": "WN19-AU-000300", + "fix_id": "F-99347r1_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002234" ], "nist": [ - "CM-6 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93281\" do\n title \"Windows Server 2019 built-in administrator account must be renamed.\"\n desc \"The built-in administrator account is a well-known account subject to attack. 
Renaming this account to an unidentified name improves the protection of this account and the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.\n\n If the value for \\\"Accounts: Rename administrator account\\\" is not set to a value other than \\\"Administrator\\\", this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n\n If \\\"NewAdministratorName\\\" is not something other than \\\"Administrator\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Accounts: Rename administrator account\\\" to a name other than \\\"Administrator\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93281\"\n tag rid: \"SV-103369r1_rule\"\n tag stig_id: \"WN19-SO-000030\"\n tag fix_id: \"F-99527r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe security_policy do\n its('NewAdministratorName') { should_not cmp \"Administrator\" }\n end\nend\n", + "code": "control \"V-93101\" do\n title \"Windows Server 2019 must be configured to audit Privilege Use -\nSensitive Privilege Use successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Sensitive Privilege Use records events related to use of sensitive\nprivileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug\nprograms\\\".\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Privilege Use >> Sensitive Privilege Use - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\"\nwith \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000064-GPOS-00033\",\n\"SRG-OS-000462-GPOS-00206\", \"SRG-OS-000466-GPOS-00210\"]\n tag 'gid': 'V-93101'\n tag 'rid': 'SV-103189r1_rule'\n tag 'stig_id': 'WN19-AU-000300'\n tag 'fix_id': 'F-99347r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Sensitive Privilege Use') { should eq 'Success' }\n end\n describe audit_policy do\n its('Sensitive 
Privilege Use') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93281.rb", + "ref": "./Windows 2019 STIG/controls/V-93101.rb", "line": 3 }, - "id": "V-93281" + "id": "V-93101" }, { - "title": "Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.", - "desc": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate exception chains (SEHOP)\", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.", + "title": "Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.", + "desc": "Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.", "descriptions": { - "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate exception chains (SEHOP)\", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. 
If this is turned off, Windows may be subject to various exploits.", + "default": "Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.", "rationale": "", - "check": "This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"SEHOP: Enable\" is \"OFF\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Validate exception chains (SEHOP)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Validate exception chains (SEHOP)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn SEHOP on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "This is applicable to unclassified systems. For other systems, this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\n If an application whitelisting program is not in use on the system, this is a finding.\n Configuration of whitelisting applications will vary by the program.\n AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.\n If AppLocker is used, perform the following to view the configuration of AppLocker:\n\n Open \"PowerShell\".\n If the AppLocker PowerShell module has not been imported previously, execute the following first:\n Import-Module AppLocker\n Execute the following command, substituting [c:\\temp\\file.xml] with a location and file name appropriate for the system:\n Get-AppLockerPolicy -Effective -XML > c:\\temp\\file.xml\n This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.\n Implementation guidance for AppLocker is available in the NSA paper \"Application Whitelisting using Microsoft AppLocker\" at the following link:\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "fix": "Configure an application whitelisting 
program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\n\n Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server.\n If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker.\n Implementation guidance for AppLocker is available in the NSA paper \"Application Whitelisting using Microsoft AppLocker\" at the following link:\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93317", - "rid": "SV-103405r1_rule", - "stig_id": "WN19-EP-000040", - "fix_id": "F-99563r1_fix", + "gtitle": "SRG-OS-000370-GPOS-00155", + "gid": "V-93379", + "rid": "SV-103465r1_rule", + "stig_id": "WN19-00-000080", + "fix_id": "F-99623r1_fix", "cci": [ - "CCI-000366" + "CCI-001774" ], "nist": [ - "CM-6 b", + "CM-7 (5) (b)", "Rev_4" ] }, - "code": "control \"V-93317\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Validate exception chains (SEHOP)\\\", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement. 
The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"SEHOP: Enable\\\" is \\\"OFF\\\", this is a finding.\n Values that would not be a finding include:\n\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Validate exception chains (SEHOP)\\\", is turned on. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Validate exception chains (SEHOP)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn SEHOP on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93317\"\n tag rid: \"SV-103405r1_rule\"\n tag stig_id: \"WN19-EP-000040\"\n tag fix_id: \"F-99563r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n systemsehop = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemsehop.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemsehop).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemsehop }\n its(['SEHOP','Enable']) { should be_between(0,1) }\n end\n end\nend", + "code": "control \"V-93379\" do\n title \"Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\"\n desc \"Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems. 
For other systems, this is NA.\n\n Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\n If an application whitelisting program is not in use on the system, this is a finding.\n Configuration of whitelisting applications will vary by the program.\n AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.\n If AppLocker is used, perform the following to view the configuration of AppLocker:\n\n Open \\\"PowerShell\\\".\n If the AppLocker PowerShell module has not been imported previously, execute the following first:\n Import-Module AppLocker\n Execute the following command, substituting [c:\\\\temp\\\\file.xml] with a location and file name appropriate for the system:\n Get-AppLockerPolicy -Effective -XML > c:\\\\temp\\\\file.xml\n This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.\n Implementation guidance for AppLocker is available in the NSA paper \\\"Application Whitelisting using Microsoft AppLocker\\\" at the following link:\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n desc \"fix\", \"Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\n\n Configuration of whitelisting applications will vary by the program. 
AppLocker is a whitelisting application built into Windows Server.\n If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker.\n Implementation guidance for AppLocker is available in the NSA paper \\\"Application Whitelisting using Microsoft AppLocker\\\" at the following link:\n https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000370-GPOS-00155\"\n tag gid: \"V-93379\"\n tag rid: \"SV-103465r1_rule\"\n tag stig_id: \"WN19-00-000080\"\n tag fix_id: \"F-99623r1_fix\"\n tag cci: [\"CCI-001774\"]\n tag nist: [\"CM-7 (5) (b)\", \"Rev_4\"]\n\n describe \"A manual review is required to ensure the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs\" do\n skip 'A manual review is required to ensure the operating system employs a deny-all, permit-by-exception\n policy to allow the execution of authorized software programs'\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93317.rb", + "ref": "./Windows 2019 STIG/controls/V-93379.rb", "line": 3 }, - "id": "V-93317" + "id": "V-93379" }, { - "title": "Windows Server 2019 must be configured to audit Policy Change - Audit\nPolicy Change failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", + "title": "Windows Server 2019 must prevent users from changing installation\noptions.", + "desc": "Installation options for applications are typically controlled by\nadministrators. This setting prevents users from changing installation options\nthat may bypass security features.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.", + "default": "Installation options for applications are typically controlled by\nadministrators. 
This setting prevents users from changing installation options\nthat may bypass security features.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \"Audit Audit Policy Change\" with\n\"Failure\" selected." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\\n\n Value Name: EnableUserControl\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows Installer >> \"Allow\nuser control over installs\" to \"Disabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93095", - "rid": "SV-103183r1_rule", - "stig_id": "WN19-AU-000270", - "fix_id": "F-99341r1_fix", + "gtitle": "SRG-OS-000362-GPOS-00149", + "gid": "V-93199", + "rid": "SV-103287r1_rule", + "stig_id": "WN19-CC-000420", + "fix_id": "F-99445r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-001812" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-11 (2)", "Rev_4" ] }, - "code": "control \"V-93095\" do\n title \"Windows Server 2019 must be configured to audit Policy Change - Audit\nPolicy Change failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Policy Change records events related to changes in audit policy.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Audit Policy Change - 
Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \\\"Audit Audit Policy Change\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93095'\n tag 'rid': 'SV-103183r1_rule'\n tag 'stig_id': 'WN19-AU-000270'\n tag 'fix_id': 'F-99341r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Audit Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93199\" do\n title \"Windows Server 2019 must prevent users from changing installation\noptions.\"\n desc \"Installation options for applications are typically controlled by\nadministrators. 
This setting prevents users from changing installation options\nthat may bypass security features.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\\\\\n\n Value Name: EnableUserControl\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Windows Installer >> \\\"Allow\nuser control over installs\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000362-GPOS-00149'\n tag 'gid': 'V-93199'\n tag 'rid': 'SV-103287r1_rule'\n tag 'stig_id': 'WN19-CC-000420'\n tag 'fix_id': 'F-99445r1_fix'\n tag 'cci': [\"CCI-001812\"]\n tag 'nist': [\"CM-11 (2)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') do\n it { should have_property 'EnableUserControl' }\n its('EnableUserControl') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93095.rb", + "ref": "./Windows 2019 STIG/controls/V-93199.rb", "line": 3 }, - "id": "V-93095" + "id": "V-93199" }, { - "title": "Windows Server 2019 must be configured to audit Policy Change -\nAuthorization Policy Change successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\nrights, such as \"Create a token object\".", + "title": "Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.", + "desc": "Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\nrights, such as \"Create a token object\".", + "default": "Smart cards such as the CAC support a two-factor authentication technique. 
This provides a higher level of trust in the asserted identity than use of the username and password for authentication.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \"Audit Authorization Policy Change\"\nwith \"Success\" selected." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Open \"PowerShell\".\n Enter the following:\n \"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name\"\n (\"DistinguishedName\" may be substituted for \"Name\" for more detailed output.)\n If any user accounts, including administrators, are listed, this is a finding.\n\n Alternately:\n To view sample accounts in \"Active Directory Users and Computers\" (available from various menus or run \"dsa.msc\"):\n Select the Organizational Unit (OU) where the user accounts are located. 
(By default, this is the Users node; however, accounts may be under other organization-defined OUs.)\n Right-click the sample user account and select \"Properties\".\n Select the \"Account\" tab.\n If any user accounts, including administrators, do not have \"Smart card is required for interactive logon\" checked in the \"Account Options\" area, this is a finding.", + "fix": "Configure all user accounts, including administrator accounts, in Active Directory to enable the option \"Smart card is required for interactive logon\".\n\n Run \"Active Directory Users and Computers\" (available from various menus or run \"dsa.msc\"):\n Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.)\n Right-click the user account and select \"Properties\".\n Select the \"Account\" tab.\n Check \"Smart card is required for interactive logon\" in the \"Account Options\" area." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000105-GPOS-00052", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" + "SRG-OS-000105-GPOS-00052", + "SRG-OS-000106-GPOS-00053", + "SRG-OS-000107-GPOS-00054", + "SRG-OS-000108-GPOS-00055", + "SRG-OS-000375-GPOS-00160" ], - "gid": "V-93099", - "rid": "SV-103187r1_rule", - "stig_id": "WN19-AU-000290", - "fix_id": "F-99345r1_fix", + "gid": "V-93441", + "rid": "SV-103527r1_rule", + "stig_id": "WN19-DC-000310", + "fix_id": "F-99685r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000765", + "CCI-000766", + "CCI-000767", + "CCI-000768", + "CCI-001948" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "IA-2 (1)", + "IA-2 (2)", + "IA-2 (3)", + "IA-2 (4)", + "IA-2 (11)", "Rev_4" ] }, - "code": "control \"V-93099\" do\n title \"Windows Server 2019 must be configured to audit Policy Change -\nAuthorization Policy 
Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Authorization Policy Change records events related to changes in user\nrights, such as \\\"Create a token object\\\".\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Policy Change >> Authorization Policy Change - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Policy Change >> \\\"Audit Authorization Policy Change\\\"\nwith \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000064-GPOS-00033\",\n\"SRG-OS-000462-GPOS-00206\", \"SRG-OS-000466-GPOS-00210\"]\n tag 'gid': 'V-93099'\n tag 'rid': 'SV-103187r1_rule'\n tag 'stig_id': 'WN19-AU-000290'\n tag 'fix_id': 'F-99345r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': 
[\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Authentication Policy Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93441\" do\n title \"Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.\"\n desc \"Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Open \\\"PowerShell\\\".\n Enter the following:\n \\\"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name\\\"\n (\\\"DistinguishedName\\\" may be substituted for \\\"Name\\\" for more detailed output.)\n If any user accounts, including administrators, are listed, this is a finding.\n\n Alternately:\n To view sample accounts in \\\"Active Directory Users and Computers\\\" (available from various menus or run \\\"dsa.msc\\\"):\n Select the Organizational Unit (OU) where the user accounts are located. 
(By default, this is the Users node; however, accounts may be under other organization-defined OUs.)\n Right-click the sample user account and select \\\"Properties\\\".\n Select the \\\"Account\\\" tab.\n If any user accounts, including administrators, do not have \\\"Smart card is required for interactive logon\\\" checked in the \\\"Account Options\\\" area, this is a finding.\"\n desc \"fix\", \"Configure all user accounts, including administrator accounts, in Active Directory to enable the option \\\"Smart card is required for interactive logon\\\".\n\n Run \\\"Active Directory Users and Computers\\\" (available from various menus or run \\\"dsa.msc\\\"):\n Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.)\n Right-click the user account and select \\\"Properties\\\".\n Select the \\\"Account\\\" tab.\n Check \\\"Smart card is required for interactive logon\\\" in the \\\"Account Options\\\" area.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000105-GPOS-00052\"\n tag satisfies: [\"SRG-OS-000105-GPOS-00052\", \"SRG-OS-000106-GPOS-00053\", \"SRG-OS-000107-GPOS-00054\", \"SRG-OS-000108-GPOS-00055\", \"SRG-OS-000375-GPOS-00160\"]\n tag gid: \"V-93441\"\n tag rid: \"SV-103527r1_rule\"\n tag stig_id: \"WN19-DC-000310\"\n tag fix_id: \"F-99685r1_fix\"\n tag cci: [\"CCI-000765\", \"CCI-000766\", \"CCI-000767\", \"CCI-000768\", \"CCI-001948\"]\n tag nist: [\"IA-2 (1)\", \"IA-2 (2)\", \"IA-2 (3)\", \"IA-2 (4)\", \"IA-2 (11)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n accounts = json(command: \"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | Select -ExpandProperty Name | ConvertTo-Json\").params\n describe 'Accounts without smartcard logon required' do\n it 'Accounts must be configured to require the use 
of a CAC, PIV or ALT' do\n failure_message = \"#{accounts}\"\n expect(accounts).to be_empty, failure_message\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93099.rb", + "ref": "./Windows 2019 STIG/controls/V-93441.rb", "line": 3 }, - "id": "V-93099" + "id": "V-93441" }, { - "title": "Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.", + "title": "Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.", "desc": "Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.", "descriptions": { "default": "Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Minimum session security for NTLM SSP based (including secure RPC) servers\" to \"Require NTLMv2 session security\" and \"Require 128-bit encryption\" (all options selected)." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\\n\n Value Name: NTLMMinClientSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)",
+ "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Minimum session security for NTLM SSP based (including secure RPC) clients\" to \"Require NTLMv2 session security\" and \"Require 128-bit encryption\" (all options selected)."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93307",
- "rid": "SV-103395r1_rule",
- "stig_id": "WN19-SO-000340",
- "fix_id": "F-99553r1_fix",
+ "gid": "V-93305",
+ "rid": "SV-103393r1_rule",
+ "stig_id": "WN19-SO-000330",
+ "fix_id": "F-99551r1_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -9099,196 +9111,202 @@ "Rev_4" ] }, - "code": "control \"V-93307\" do\n title \"Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.\"\n desc \"Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinServerSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Minimum session security for NTLM SSP based (including secure RPC) servers\\\" to \\\"Require NTLMv2 session security\\\" and \\\"Require 128-bit encryption\\\" (all options selected).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93307\"\n tag rid: \"SV-103395r1_rule\"\n tag stig_id: \"WN19-SO-000340\"\n tag fix_id: \"F-99553r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'NTLMMinServerSec' }\n its('NTLMMinServerSec') { should cmp == 537395200 }\n end\nend", + "code": "control \"V-93305\" do\n title \"Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.\"\n desc \"Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. 
All of the options must be enabled to ensure the maximum security level.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\\n\n Value Name: NTLMMinClientSec\n\n Value Type: REG_DWORD\n Value: 0x20080000 (537395200)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Minimum session security for NTLM SSP based (including secure RPC) clients\\\" to \\\"Require NTLMv2 session security\\\" and \\\"Require 128-bit encryption\\\" (all options selected).\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93305\"\n tag rid: \"SV-103393r1_rule\"\n tag stig_id: \"WN19-SO-000330\"\n tag fix_id: \"F-99551r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0') do\n it { should have_property 'NTLMMinClientSec' }\n its('NTLMMinClientSec') { should cmp == 537395200 }\n end \nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93307.rb", + "ref": "./Windows 2019 STIG/controls/V-93305.rb", "line": 3 }, - "id": "V-93307" + "id": "V-93305" }, { - "title": "Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.", - "desc": "Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. 
This setting restricts access to those defined in \"Network access: Named Pipes that can be accessed anonymously\" and \"Network access: Shares that can be accessed anonymously\", both of which must be blank under other requirements.", + "title": "Windows Server 2019 command line data must be included in process\ncreation events.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \"Include command line data for process creation events\" will\nrecord the command line information with the process creation events in the\nlog. This can provide additional detail when malware has run on a system.", "descriptions": { - "default": "Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in \"Network access: Named Pipes that can be accessed anonymously\" and \"Network access: Shares that can be accessed anonymously\", both of which must be blank under other requirements.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \"Include command line data for process creation events\" will\nrecord the command line information with the process creation events in the\nlog. This can provide additional detail when malware has run on a system.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network access: Restrict anonymous access to Named Pipes and Shares\" to \"Enabled\"." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Audit Process Creation >> \"Include\ncommand line in process creation events\" to \"Enabled\"." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-93539", - "rid": "SV-103625r1_rule", - "stig_id": "WN19-SO-000250", - "fix_id": "F-99783r1_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "gid": "V-93173", + "rid": "SV-103261r1_rule", + "stig_id": "WN19-CC-000090", + "fix_id": "F-99419r1_fix", "cci": [ - "CCI-001090" + "CCI-000135" ], "nist": [ - "SC-4", + "AU-3 (1)", "Rev_4" ] }, - "code": "control \"V-93539\" do\n title \"Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.\"\n desc \"Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in \\\"Network access: Named Pipes that can be accessed anonymously\\\" and \\\"Network access: Shares that can be accessed anonymously\\\", both of which must be blank under other requirements.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters\\\\\n\n Value Name: RestrictNullSessAccess\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network access: Restrict anonymous access to Named Pipes and Shares\\\" to \\\"Enabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000138-GPOS-00069\"\n tag gid: \"V-93539\"\n tag rid: \"SV-103625r1_rule\"\n tag stig_id: \"WN19-SO-000250\"\n tag fix_id: \"F-99783r1_fix\"\n tag cci: [\"CCI-001090\"]\n tag nist: [\"SC-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters') do\n it { should have_property 
'restrictnullsessaccess' }\n its('restrictnullsessaccess') { should cmp == 1 }\n end\nend", + "code": "control \"V-93173\" do\n title \"Windows Server 2019 command line data must be included in process\ncreation events.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Enabling \\\"Include command line data for process creation events\\\" will\nrecord the command line information with the process creation events in the\nlog. This can provide additional detail when malware has run on a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Audit\\\\\n\n Value Name: ProcessCreationIncludeCmdLine_Enabled\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Audit Process Creation >> \\\"Include\ncommand line in process creation events\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000042-GPOS-00020'\n tag 'gid': 'V-93173'\n tag 'rid': 'SV-103261r1_rule'\n tag 'stig_id': 'WN19-CC-000090'\n tag 'fix_id': 'F-99419r1_fix'\n tag 'cci': [\"CCI-000135\"]\n tag 'nist': [\"AU-3 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit') do\n it { should have_property 'ProcessCreationIncludeCmdLine_Enabled' }\n 
its('ProcessCreationIncludeCmdLine_Enabled') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93539.rb", + "ref": "./Windows 2019 STIG/controls/V-93173.rb", "line": 3 }, - "id": "V-93539" + "id": "V-93173" }, { - "title": "Windows Server 2019 must not have Windows PowerShell 2.0 installed.", - "desc": "Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature.", + "title": "Windows Server 2019 Windows Update must not obtain updates from other\nPCs on the Internet.", + "desc": "Windows Update can obtain updates from additional sources instead of\nMicrosoft. In addition to Microsoft, updates can be obtained from and sent to\nPCs on the local network as well as on the Internet. This is part of the\nWindows Update trusted process, however to minimize outside exposure, obtaining\nupdates from or sending to systems on the Internet must be prevented.", "descriptions": { - "default": "Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature.", + "default": "Windows Update can obtain updates from additional sources instead of\nMicrosoft. In addition to Microsoft, updates can be obtained from and sent to\nPCs on the local network as well as on the Internet. 
This is part of the\nWindows Update trusted process, however to minimize outside exposure, obtaining\nupdates from or sending to systems on the Internet must be prevented.", "rationale": "", - "check": "Open \"PowerShell\".\n Enter \"Get-WindowsFeature | Where Name -eq PowerShell-v2\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", - "fix": "Uninstall the \"Windows PowerShell 2.0 Engine\".\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Windows PowerShell 2.0 Engine\" under \"Windows PowerShell\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - No peering (HTTP Only)\n 0x00000001 (1) - Peers on same NAT only (LAN)\n 0x00000002 (2) - Local Network / Private group peering (Group)\n 0x00000063 (99) - Simple download mode, no peering (Simple)\n 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass)\n\n A value of 0x00000003 (3), Internet, is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Administrative\nTemplates >> Windows Components >> Delivery Optimization >> \"Download Mode\"\nto \"Enabled\" with any option except \"Internet\" selected.\n\n Acceptable selections include:\n\n Bypass (100)\n Group (2)\n HTTP only (0)\n LAN (1)\n Simple (99)" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": 
"SRG-OS-000095-GPOS-00049", - "gid": "V-93397", - "rid": "SV-103483r1_rule", - "stig_id": "WN19-00-000410", - "fix_id": "F-99641r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93259", + "rid": "SV-103347r1_rule", + "stig_id": "WN19-CC-000260", + "fix_id": "F-99505r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93397\" do\n title \"Windows Server 2019 must not have Windows PowerShell 2.0 installed.\"\n desc \"Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n Enter \\\"Get-WindowsFeature | Where Name -eq PowerShell-v2\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Windows PowerShell 2.0 Engine\\\".\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Windows PowerShell 2.0 Engine\\\" under \\\"Windows PowerShell\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93397\"\n tag rid: \"SV-103483r1_rule\"\n tag stig_id: \"WN19-00-000410\"\n tag fix_id: \"F-99641r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('PowerShell-v2') do\n it { should_not be_installed }\n end\nend", + "code": "control \"V-93259\" 
do\n title \"Windows Server 2019 Windows Update must not obtain updates from other\nPCs on the Internet.\"\n desc \"Windows Update can obtain updates from additional sources instead of\nMicrosoft. In addition to Microsoft, updates can be obtained from and sent to\nPCs on the local network as well as on the Internet. This is part of the\nWindows Update trusted process, however to minimize outside exposure, obtaining\nupdates from or sending to systems on the Internet must be prevented.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeliveryOptimization\\\\\n\n Value Name: DODownloadMode\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0) - No peering (HTTP Only)\n 0x00000001 (1) - Peers on same NAT only (LAN)\n 0x00000002 (2) - Local Network / Private group peering (Group)\n 0x00000063 (99) - Simple download mode, no peering (Simple)\n 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass)\n\n A value of 0x00000003 (3), Internet, is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Administrative\nTemplates >> Windows Components >> Delivery Optimization >> \\\"Download Mode\\\"\nto \\\"Enabled\\\" with any option except \\\"Internet\\\" selected.\n\n Acceptable selections include:\n\n Bypass (100)\n Group (2)\n HTTP only (0)\n LAN (1)\n Simple (99)\"\n impact 0.3\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93259'\n tag 'rid': 'SV-103347r1_rule'\n tag 'stig_id': 'WN19-CC-000260'\n tag 'fix_id': 'F-99505r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') 
{ should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 1 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 2 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 99 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization') do\n it { should have_property 'DODownloadMode' }\n its('DODownloadMode') { should cmp 100 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93397.rb", + "ref": "./Windows 2019 STIG/controls/V-93259.rb", "line": 3 }, - "id": "V-93397" + "id": "V-93259" }, { - "title": "Windows Server 2019 Force shutdown from a remote system user right\nmust only be assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Force shutdown from a remote system\" user right can\nremotely shut down a system, which could result in a denial of service.", + "title": "Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.", + "desc": "If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n The cornerstone of the PKI is the private key used to encrypt or digitally sign information.\n\n If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to 
digitally sign documents and pretend to be the authorized user.\n\n Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Force shutdown from a remote system\" user right can\nremotely shut down a system, which could result in a denial of service.", + "default": "If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n The cornerstone of the PKI is the private key used to encrypt or digitally sign information.\n\n If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user.\n\n Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Force\nshutdown from a remote system\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeRemoteShutdownPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)", - "fix": "Configure the policy value for Computer Configuration >> Windows 
Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Force\nshutdown from a remote system\" to include only the following accounts or\ngroups:\n\n - Administrators" + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Cryptography\\\n\n Value Name: ForceKeyProtection\n\n Type: REG_DWORD\n Value: 0x00000002 (2)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"System cryptography: Force strong key protection for user keys stored on the computer\" to \"User must enter a password each time they use a key\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93067", - "rid": "SV-103155r1_rule", - "stig_id": "WN19-UR-000110", - "fix_id": "F-99313r1_fix", + "gtitle": "SRG-OS-000067-GPOS-00035", + "gid": "V-93493", + "rid": "SV-103579r1_rule", + "stig_id": "WN19-SO-000350", + "fix_id": "F-99737r1_fix", "cci": [ - "CCI-002235" + "CCI-000186" ], "nist": [ - "AC-6 (10)", + "IA-5 (2) (b)", "Rev_4" ] }, - "code": "control \"V-93067\" do\n title \"Windows Server 2019 Force shutdown from a remote system user right\nmust only be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Force shutdown from a remote system\\\" user right can\nremotely shut down a system, which could result in a denial of service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other 
than the following are granted the \\\"Force\nshutdown from a remote system\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeRemoteShutdownPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Force\nshutdown from a remote system\\\" to include only the following accounts or\ngroups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93067'\n tag 'rid': 'SV-103155r1_rule'\n tag 'stig_id': 'WN19-UR-000110'\n tag 'fix_id': 'F-99313r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeRemoteShutdownPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control \"V-93493\" do\n title \"Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.\"\n desc \"If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n The cornerstone of the PKI is the private key used to encrypt or digitally sign 
information.\n\n If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user.\n\n Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography\\\\\n\n Value Name: ForceKeyProtection\n\n Type: REG_DWORD\n Value: 0x00000002 (2)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"System cryptography: Force strong key protection for user keys stored on the computer\\\" to \\\"User must enter a password each time they use a key\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000067-GPOS-00035\"\n tag gid: \"V-93493\"\n tag rid: \"SV-103579r1_rule\"\n tag stig_id: \"WN19-SO-000350\"\n tag fix_id: \"F-99737r1_fix\"\n tag cci: [\"CCI-000186\"]\n tag nist: [\"IA-5 (2) (b)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Cryptography') do\n it { should have_property 'ForceKeyProtection' }\n its('ForceKeyProtection') { should cmp == 2 }\n end \nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93067.rb", + "ref": "./Windows 2019 STIG/controls/V-93493.rb", "line": 3 }, - "id": "V-93067" + "id": "V-93493" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.", + "desc": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name VPREVIEW.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for VPREVIEW.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n 
ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Domain member: Digitally sign secure channel data (when possible)\" to \"Enabled\"." 
}, - "impact": 0, - "refs": [], - "tags": { - "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93361", - "rid": "SV-103449r1_rule", - "stig_id": "WN19-EP-000260", - "fix_id": "F-99607r1_fix", + "impact": 0.5, + "refs": [], + "tags": { + "severity": null, + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-93551", + "rid": "SV-103637r1_rule", + "stig_id": "WN19-SO-000080", + "fix_id": "F-99795r1_fix", "cci": [ - "CCI-000366" + "CCI-002418", + "CCI-002421" ], "nist": [ - "CM-6 b", + "SC-8", + "SC-8 (1)", "Rev_4" ] }, - "code": "control \"V-93361\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name VPREVIEW.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for 
VPREVIEW.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93361\"\n tag rid: \"SV-103449r1_rule\"\n tag stig_id: \"WN19-EP-000260\"\n tag fix_id: \"F-99607r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n vpreview = json({ command: \"Get-ProcessMitigation -Name VPREVIEW.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif vpreview.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for VPREVIEW.EXE\" do\n subject { vpreview }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93551\" do\n title \"Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.\"\n desc \"Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. 
If this policy is enabled, outgoing secure channel traffic will be signed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\\n\n Value Name: SignSecureChannel\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1) \"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Domain member: Digitally sign secure channel data (when possible)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000423-GPOS-00187\"\n tag satisfies: [\"SRG-OS-000423-GPOS-00187\", \"SRG-OS-000424-GPOS-00188\"]\n tag gid: \"V-93551\"\n tag rid: \"SV-103637r1_rule\"\n tag stig_id: \"WN19-SO-000080\"\n tag fix_id: \"F-99795r1_fix\"\n tag cci: [\"CCI-002418\", \"CCI-002421\"]\n tag nist: [\"SC-8\", \"SC-8 (1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters') do\n it { should have_property 'SignSecureChannel' }\n its('SignSecureChannel') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93361.rb", + "ref": "./Windows 2019 STIG/controls/V-93551.rb", "line": 3 }, - "id": "V-93361" + "id": "V-93551" }, { - "title": "Windows Server 2019 Deny log on through Remote Desktop Services user\nright on domain-joined member servers must be configured to prevent access from\nhighly privileged domain accounts and all local accounts and from\nunauthenticated access on all systems.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" user right defines the\naccounts that are prevented from logging on using Remote 
Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "title": "Windows Server 2019 Telemetry must be configured to Security or Basic.", + "desc": "Some features may communicate with the vendor, sending system\ninformation or downloading data or components for the feature. Limiting this\ncapability will prevent potentially sensitive information from being sent\noutside the enterprise. The \"Security\" option for Telemetry configures the\nlowest amount of data, effectively none outside of the Malicious Software\nRemoval Tool (MSRT), Defender, and telemetry client settings. 
\"Basic\" sends\nbasic diagnostic and usage data and may be required to support some Microsoft\nservices.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on through Remote Desktop Services\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", + "default": "Some features may communicate with the vendor, sending system\ninformation or downloading data or components for the feature. Limiting this\ncapability will prevent potentially sensitive information from being sent\noutside the enterprise. The \"Security\" option for Telemetry configures the\nlowest amount of data, effectively none outside of the Malicious Software\nRemoval Tool (MSRT), Defender, and telemetry client settings. \"Basic\" sends\nbasic diagnostic and usage data and may be required to support some Microsoft\nservices.", "rationale": "", - "check": "This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nthrough Remote Desktop Services\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the\n\"SeDenyRemoteInteractiveLogonRight\" user right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n S-1-5-113 (\"Local account\")\n\n All Systems:\n S-1-5-32-546 (Guests)\n\n Note: \"Local account\" is referring to the Windows built-in security group.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non through Remote Desktop Services\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n Note: \"Local account\" is referring to the Windows built-in security group." 
+ "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Data Collection and Preview\nBuilds>> \"Allow Telemetry\" to \"Enabled\" with \"0 - Security [Enterprise\nOnly]\" or \"1 - Basic\" selected in \"Options\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000297-GPOS-00115", - "gid": "V-92965", - "rid": "SV-103053r1_rule", - "stig_id": "WN19-MS-000120", - "fix_id": "F-99211r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93257", + "rid": "SV-103345r1_rule", + "stig_id": "WN19-CC-000250", + "fix_id": "F-99503r1_fix", "cci": [ - "CCI-002314" + "CCI-000366" ], "nist": [ - "AC-17 (1)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-92965\" do\n title \"Windows Server 2019 Deny log on through Remote Desktop Services user\nright on domain-joined member servers must be configured to prevent access from\nhighly privileged domain accounts and all local accounts and from\nunauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on through Remote Desktop Services\\\" user right defines the\naccounts that are prevented from logging on using Remote Desktop Services.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n Local accounts on domain-joined systems must also be assigned this right to\ndecrease the 
risk of lateral movement resulting from credential theft attacks.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nthrough Remote Desktop Services\\\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the\n\\\"SeDenyRemoteInteractiveLogonRight\\\" user right, this is a finding.\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n S-1-5-113 (\\\"Local account\\\")\n\n All Systems:\n S-1-5-32-546 (Guests)\n\n Note: \\\"Local account\\\" is referring to the Windows built-in security group.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non through Remote Desktop Services\\\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins group\n - Domain Admins group\n - Local account (see Note below)\n\n All Systems:\n - Guests group\n\n Note: \\\"Local account\\\" is referring to the Windows built-in security group.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000297-GPOS-00115'\n tag 'gid': 'V-92965'\n tag 'rid': 'SV-103053r1_rule'\n 
tag 'stig_id': 'WN19-MS-000120'\n tag 'fix_id': 'F-99211r1_fix'\n tag 'cci': [\"CCI-002314\"]\n tag 'nist': [\"AC-17 (1)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe.one do\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"S-1-5-113\" }\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include \"S-1-5-114\" }\n end\n end\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should include 'S-1-5-32-546' }\n end\n when '2'\n describe security_policy do\n its('SeDenyRemoteInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n end\nend", + "code": "control \"V-93257\" do\n title \"Windows Server 2019 Telemetry must be configured to Security or Basic.\"\n desc \"Some features may 
communicate with the vendor, sending system\ninformation or downloading data or components for the feature. Limiting this\ncapability will prevent potentially sensitive information from being sent\noutside the enterprise. The \\\"Security\\\" option for Telemetry configures the\nlowest amount of data, effectively none outside of the Malicious Software\nRemoval Tool (MSRT), Defender, and telemetry client settings. \\\"Basic\\\" sends\nbasic diagnostic and usage data and may be required to support some Microsoft\nservices.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DataCollection\\\\\n\n Value Name: AllowTelemetry\n\n Type: REG_DWORD\n Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Data Collection and Preview\nBuilds>> \\\"Allow Telemetry\\\" to \\\"Enabled\\\" with \\\"0 - Security [Enterprise\nOnly]\\\" or \\\"1 - Basic\\\" selected in \\\"Options\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93257'\n tag 'rid': 'SV-103345r1_rule'\n tag 'stig_id': 'WN19-CC-000250'\n tag 'fix_id': 'F-99503r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe.one do\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection') do\n it { should have_property 'AllowTelemetry' }\n its('AllowTelemetry') { should cmp 1 }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92965.rb", + "ref": 
"./Windows 2019 STIG/controls/V-93257.rb", "line": 3 }, - "id": "V-92965" + "id": "V-93257" }, { - "title": "Windows Server 2019 must not have the Peer Name Resolution Protocol installed.", - "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", + "title": "Windows Server 2019 must have WDigest Authentication disabled.", + "desc": "When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS),exposing them to theft. WDigest is disabled by default in Windows Server 2019. This setting ensures this is enforced.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", + "default": "When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS),exposing them to theft. WDigest is disabled by default in Windows Server 2019. This setting ensures this is enforced.", "rationale": "", - "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq PNRP\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", - "fix": "Uninstall the \"Peer Name Resolution Protocol\" feature.\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Peer Name Resolution Protocol\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\\\n\n Value Name: UseLogonCredential\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \"WDigest Authentication (disabling may require KB2871997)\" to \"Disabled\".\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. \"SecGuide.admx\" and \" SecGuide.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." }, "impact": 0.5, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93385", - "rid": "SV-103471r1_rule", - "stig_id": "WN19-00-000340", - "fix_id": "F-99629r1_fix", + "gid": "V-93401", + "rid": "SV-103487r1_rule", + "stig_id": "WN19-CC-000020", + "fix_id": "F-99645r1_fix", "cci": [ "CCI-000381" ], 
@@ -9297,539 +9315,549 @@ "Rev_4" ] }, - "code": "control \"V-93385\" do\n title \"Windows Server 2019 must not have the Peer Name Resolution Protocol installed.\"\n desc \"Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq PNRP\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Peer Name Resolution Protocol\\\" feature.\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Peer Name Resolution Protocol\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93385\"\n tag rid: \"SV-103471r1_rule\"\n tag stig_id: \"WN19-00-000340\"\n tag fix_id: \"F-99629r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('PNRP') do\n it { should_not be_installed }\n end\nend", + "code": "control \"V-93401\" do\n title \"Windows Server 2019 must have WDigest Authentication disabled.\"\n desc \"When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS),exposing them to theft. WDigest is disabled by default in Windows Server 2019. 
This setting ensures this is enforced.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\Wdigest\\\\\n\n Value Name: UseLogonCredential\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \\\"WDigest Authentication (disabling may require KB2871997)\\\" to \\\"Disabled\\\".\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. \\\"SecGuide.admx\\\" and \\\" SecGuide.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93401\"\n tag rid: \"SV-103487r1_rule\"\n tag stig_id: \"WN19-CC-000020\"\n tag fix_id: \"F-99645r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\Wdigest') do\n it { should have_property 'UseLogonCredential' }\n its('UseLogonCredential') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93385.rb", + "ref": "./Windows 2019 STIG/controls/V-93401.rb", "line": 3 }, - "id": "V-93385" + "id": "V-93401" }, { - "title": "Windows Server 2019 Create a token object user right must not be\nassigned to any groups or accounts.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Create a token object\" user right allows a process to create an\naccess token. 
This could be used to provide elevated rights and compromise a\nsystem.", + "title": "Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.", + "desc": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Create a token object\" user right allows a process to create an\naccess token. This could be used to provide elevated rights and compromise a\nsystem.", + "default": "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Create a token object\" user\nright, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeCreateTokenPrivilege\" user right, this is\na finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of 
changes\n(WN19-00-000060).\n\n Passwords for application accounts with this user right must be protected\nas highly privileged accounts.", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Create a token object\" to be defined but containing no entries\n(blank)." + "check": "UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"User Account Control: Behavior of the elevation prompt for standard users\" to \"Automatically deny elevation requests\"." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93057", - "rid": "SV-103145r1_rule", - "stig_id": "WN19-UR-000060", - "fix_id": "F-99303r1_fix", + "gtitle": "SRG-OS-000373-GPOS-00157", + "satisfies": [ + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00156" + ], + "gid": "V-93433", + "rid": "SV-103519r1_rule", + "stig_id": "WN19-SO-000410", + "fix_id": "F-99677r1_fix", "cci": [ - "CCI-002235" + "CCI-002038" ], "nist": [ - "AC-6 (10)", + "IA-11", "Rev_4" ] }, - "code": "control \"V-93057\" do\n title \"Windows Server 2019 Create a token object user right must not be\nassigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Create a token object\\\" user right allows a process to create an\naccess token. This could be used to provide elevated rights and compromise a\nsystem.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Create a token object\\\" user\nright, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeCreateTokenPrivilege\\\" user right, this is\na finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of 
changes\n(WN19-00-000060).\n\n Passwords for application accounts with this user right must be protected\nas highly privileged accounts.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Create a token object\\\" to be defined but containing no entries\n(blank).\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93057'\n tag 'rid': 'SV-103145r1_rule'\n tag 'stig_id': 'WN19-UR-000060'\n tag 'fix_id': 'F-99303r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeCreateTokenPrivilege') { should eq [] }\n end\n end\nend\n", + "code": "control \"V-93433\" do\n title \"Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.\"\n desc \"User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting controls the behavior of elevation when requested by a standard user account.\"\n desc \"rationale\", \"\"\n desc \"check\", \"UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience).\n\n If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: ConsentPromptBehaviorUser\n\n Value Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"User Account Control: Behavior of the elevation prompt for standard users\\\" to \\\"Automatically deny elevation requests\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93433\"\n tag rid: \"SV-103519r1_rule\"\n tag stig_id: \"WN19-SO-000410\"\n tag fix_id: \"F-99677r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n impact 0.0\n describe 'This system is a Server Core Installation, control is NA' do\n skip 'This system is a Server Core Installation control is NA'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System') do\n it { should have_property 'ConsentPromptBehaviorUser' }\n its('ConsentPromptBehaviorUser') { should cmp == 0 }\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93057.rb", + "ref": "./Windows 2019 STIG/controls/V-93433.rb", "line": 3 }, - "id": "V-93057" + "id": "V-93433" }, { - "title": "Windows Server 2019 
must be configured to audit DS Access - Directory\nService Access failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.", + "title": "Windows Server 2019 permissions for the Application event log must\nprevent access by non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nApplication event log may be susceptible to tampering if proper permissions are\nnot applied.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nApplication event log may be susceptible to tampering if proper permissions are\nnot applied.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \"Directory Service Access\" with\n\"Failure\" selected." + "check": "Navigate to the Application event log file.\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\"\nfolder. However, the logs may have been moved to another folder.\n\n If the permissions for the \"Application.evtx\" file are not as restrictive\nas the default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", + "fix": "Configure the permissions on the Application event log file\n(Application.evtx) to prevent access by non-privileged accounts. 
The default\npermissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \"NT Service\\Eventlog\"." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", + "gtitle": "SRG-OS-000057-GPOS-00027", "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" ], - "gid": "V-93135", - "rid": "SV-103223r1_rule", - "stig_id": "WN19-DC-000250", - "fix_id": "F-99381r1_fix", + "gid": "V-93189", + "rid": "SV-103277r1_rule", + "stig_id": "WN19-AU-000030", + "fix_id": "F-99435r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ] }, - "code": "control \"V-93135\" do\n title \"Windows Server 2019 must be configured to audit DS Access - Directory\nService Access failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Access records events related to users accessing an\nActive Directory object.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Access - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \\\"Directory Service Access\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93135'\n tag 'rid': 'SV-103223r1_rule'\n tag 'stig_id': 'WN19-DC-000250'\n tag 'fix_id': 'F-99381r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Access') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Directory Service Access') { should eq 'Success and Failure' }\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is 
not applicable as it only applies to domain controllers'\n end\n end\nend\n", + "code": "control \"V-93189\" do\n title \"Windows Server 2019 permissions for the Application event log must\nprevent access by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nApplication event log may be susceptible to tampering if proper permissions are\nnot applied.\"\n desc \"rationale\", \"\"\n desc 'check', \"Navigate to the Application event log file.\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\"\nfolder. However, the logs may have been moved to another folder.\n\n If the permissions for the \\\"Application.evtx\\\" file are not as restrictive\nas the default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc 'fix', \"Configure the permissions on the Application event log file\n(Application.evtx) to prevent access by non-privileged accounts. 
The default\npermissions listed below satisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000057-GPOS-00027'\n tag 'satisfies': [\"SRG-OS-000057-GPOS-00027\", \"SRG-OS-000058-GPOS-00028\",\n\"SRG-OS-000059-GPOS-00029\"]\n tag 'gid': 'V-93189'\n tag 'rid': 'SV-103277r1_rule'\n tag 'stig_id': 'WN19-AU-000030'\n tag 'fix_id': 'F-99435r1_fix'\n tag 'cci': [\"CCI-000162\", \"CCI-000163\", \"CCI-000164\"]\n tag 'nist': [\"AU-9\", \"AU-9\", \"AU-9\", \"Rev_4\"]\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n\n systemroot = system_root.strip\n\n winevt_logs_application = <<-EOH\n $output = (Get-Acl -Path #{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\Application.evtx).AccessToString\n write-output $output\n EOH\n\n # raw powershell output\n raw_logs_application = powershell(winevt_logs_application).stdout.strip\n\n # clean results cleans up the extra line breaks\n clean_logs_application = raw_logs_application.lines.collect(&:strip)\n\n describe 'Verify the default registry permissions for the keys note below of the C:\\Windows\\System32\\WINEVT\\LOGS\\Application.evtx' do\n subject { clean_logs_application }\n it { should cmp input('winevt_logs_application_perms') }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93135.rb", + "ref": "./Windows 2019 STIG/controls/V-93189.rb", "line": 3 }, - "id": "V-93135" + "id": "V-93189" }, { - "title": "Windows Server 2019 minimum password age must be configured to at least one day.", - "desc": "Permitting passwords to be changed in immediate succession within 
the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.", + "title": "Windows Server 2019 FTP servers must be configured to prevent\nanonymous logons.", + "desc": "The FTP service allows remote users to access shared files and\ndirectories. Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\nthat the userid and password will be captured on the network and give\nadministrator access to an unauthorized user.", "descriptions": { - "default": "Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.", + "default": "The FTP service allows remote users to access shared files and\ndirectories. Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\nthat the userid and password will be captured on the network and give\nadministrator access to an unauthorized user.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \"Minimum password age\" is set to \"0\" days (\"Password can be changed immediately\"), this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"MinimumPasswordAge\" equals \"0\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Minimum password 
age\" to at least \"1\" day." + "check": "If FTP is not installed on the system, this is NA.\n\n Open \"Internet Information Services (IIS) Manager\".\n\n Select the server.\n\n Double-click \"FTP Authentication\".\n\n If the \"Anonymous Authentication\" status is \"Enabled\", this is a\nfinding.", + "fix": "Configure the FTP service to prevent anonymous logons.\n\n Open \"Internet Information Services (IIS) Manager\".\n\n Select the server.\n\n Double-click \"FTP Authentication\".\n\n Select \"Anonymous Authentication\".\n\n Select \"Disabled\" under \"Actions\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000075-GPOS-00043", - "gid": "V-93471", - "rid": "SV-103557r1_rule", - "stig_id": "WN19-AC-000060", - "fix_id": "F-99715r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93223", + "rid": "SV-103311r1_rule", + "stig_id": "WN19-00-000420", + "fix_id": "F-99469r1_fix", "cci": [ - "CCI-000198" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93471\" do\n title \"Windows Server 2019 minimum password age must be configured to at least one day.\"\n desc \"Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. 
This enables users to effectively negate the purpose of mandating periodic password changes.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \\\"Minimum password age\\\" is set to \\\"0\\\" days (\\\"Password can be changed immediately\\\"), this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"MinimumPasswordAge\\\" equals \\\"0\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Minimum password age\\\" to at least \\\"1\\\" day.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000075-GPOS-00043\"\n tag gid: \"V-93471\"\n tag rid: \"SV-103557r1_rule\"\n tag stig_id: \"WN19-AC-000060\"\n tag fix_id: \"F-99715r1_fix\"\n tag cci: [\"CCI-000198\"]\n tag nist: [\"IA-5 (1) (d)\", \"Rev_4\"]\n\n describe security_policy do\n its('MinimumPasswordAge') { should be >= input('minimum_password_age') }\n end\nend", + "code": "control \"V-93223\" do\n title \"Windows Server 2019 FTP servers must be configured to prevent\nanonymous logons.\"\n desc \"The FTP service allows remote users to access shared files and\ndirectories. 
Allowing anonymous FTP connections makes user auditing difficult.\n\n Using accounts that have administrator privileges to log on to FTP risks\nthat the userid and password will be captured on the network and give\nadministrator access to an unauthorized user.\"\n desc \"rationale\", \"\"\n desc 'check', \"If FTP is not installed on the system, this is NA.\n\n Open \\\"Internet Information Services (IIS) Manager\\\".\n\n Select the server.\n\n Double-click \\\"FTP Authentication\\\".\n\n If the \\\"Anonymous Authentication\\\" status is \\\"Enabled\\\", this is a\nfinding.\"\n desc 'fix', \"Configure the FTP service to prevent anonymous logons.\n\n Open \\\"Internet Information Services (IIS) Manager\\\".\n\n Select the server.\n\n Double-click \\\"FTP Authentication\\\".\n\n Select \\\"Anonymous Authentication\\\".\n\n Select \\\"Disabled\\\" under \\\"Actions\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93223'\n tag 'rid': 'SV-103311r1_rule'\n tag 'stig_id': 'WN19-00-000420'\n tag 'fix_id': 'F-99469r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n is_ftp_installed = command('Get-WindowsFeature Web-Ftp-Server | Select -Expand Installed').stdout.strip\n if is_ftp_installed == 'False'\n impact 0.0\n describe 'FTP is not installed' do\n skip 'Control not applicable'\n end\n else\n describe 'File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons' do\n skip 'is a manual check'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93471.rb", + "ref": "./Windows 2019 STIG/controls/V-93223.rb", "line": 3 }, - "id": "V-93471" + "id": "V-93223" }, { - "title": "Windows Server 2019 Application event log size must be configured to\n32768 KB or greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. 
This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", + "title": "Windows Server 2019 Create symbolic links user right must only be\nassigned to the Administrators group.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create symbolic links\" user right can create pointers\nto other objects, which could expose the system to attack.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Create symbolic links\" user right can create pointers\nto other objects, which could expose the system to attack.", "rationale": "", - "check": "If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >>\nApplication >> \"Specify the maximum log file size (KB)\" to \"Enabled\" with a\n\"Maximum Log Size (KB)\" of \"32768\" or greater." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Create\nsymbolic links\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeCreateSymbolicLinkPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n Systems that have the Hyper-V role will also have \"Virtual Machines\"\ngiven this user right (this may be displayed as \"NT Virtual Machine\\Virtual\nMachines\", SID S-1-5-83-0). This is not a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Create\nsymbolic links\" to include only the following accounts or groups:\n\n - Administrators\n\n Systems that have the Hyper-V role will also have \"Virtual Machines\"\ngiven this user right. If this needs to be added manually, enter it as \"NT\nVirtual Machine\\Virtual Machines\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-93177", - "rid": "SV-103265r1_rule", - "stig_id": "WN19-CC-000270", - "fix_id": "F-99423r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93063", + "rid": "SV-103151r1_rule", + "stig_id": "WN19-UR-000090", + "fix_id": "F-99309r1_fix", "cci": [ - "CCI-001849" + "CCI-002235" ], "nist": [ - "AU-4", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93177\" do\n title \"Windows Server 2019 Application event log size must be configured to\n32768 KB or greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Application\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >>\nApplication >> \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a\n\\\"Maximum Log Size (KB)\\\" of \\\"32768\\\" or greater.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000341-GPOS-00132'\n tag 'gid': 'V-93177'\n tag 'rid': 'SV-103265r1_rule'\n tag 'stig_id': 'WN19-CC-000270'\n tag 'fix_id': 'F-99423r1_fix'\n tag 'cci': [\"CCI-001849\"]\n tag 'nist': [\"AU-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should cmp >= 32768 }\n 
end\nend\n", + "code": "control \"V-93063\" do\n title \"Windows Server 2019 Create symbolic links user right must only be\nassigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Create symbolic links\\\" user right can create pointers\nto other objects, which could expose the system to attack.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Create\nsymbolic links\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeCreateSymbolicLinkPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n Systems that have the Hyper-V role will also have \\\"Virtual Machines\\\"\ngiven this user right (this may be displayed as \\\"NT Virtual Machine\\\\Virtual\nMachines\\\", SID S-1-5-83-0). This is not a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Create\nsymbolic links\\\" to include only the following accounts or groups:\n\n - Administrators\n\n Systems that have the Hyper-V role will also have \\\"Virtual Machines\\\"\ngiven this user right. If this needs to be added manually, enter it as \\\"NT\nVirtual Machine\\\\Virtual Machines\\\". 
\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93063'\n tag 'rid': 'SV-103151r1_rule'\n tag 'stig_id': 'WN19-UR-000090'\n tag 'fix_id': 'F-99309r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeCreateSymbolicLinkPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93177.rb", + "ref": "./Windows 2019 STIG/controls/V-93063.rb", "line": 3 }, - "id": "V-93177" + "id": "V-93063" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 Create a token object user right must not be\nassigned to any groups or accounts.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Create a token object\" user right allows a process to create an\naccess token. This could be used to provide elevated rights and compromise a\nsystem.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Create a token object\" user right allows a process to create an\naccess token. This could be used to provide elevated rights and compromise a\nsystem.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name WINWORD.EXE\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for WINWORD.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured 
to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \"Create a token object\" user\nright, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \"SeCreateTokenPrivilege\" user right, this is\na finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for application accounts with this user right must be protected\nas highly privileged accounts.", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \"Create a token object\" to be defined but containing no entries\n(blank)." 
}, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93363", - "rid": "SV-103451r1_rule", - "stig_id": "WN19-EP-000270", - "fix_id": "F-99609r1_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-93057", + "rid": "SV-103145r1_rule", + "stig_id": "WN19-UR-000060", + "fix_id": "F-99303r1_fix", "cci": [ - "CCI-000366" + "CCI-002235" ], "nist": [ - "CM-6 b", + "AC-6 (10)", "Rev_4" ] }, - "code": "control \"V-93363\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name WINWORD.EXE\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for WINWORD.EXE:\n\n DEP:\n Enable: ON\n\n ASLR:\n ForceRelocateImages: ON\n\n Payload:\n EnableExportAddressFilter: ON\n EnableExportAddressFilterPlus: ON\n 
EnableImportAddressFilter: ON\n EnableRopStackPivot: ON\n EnableRopCallerCheck: ON\n EnableRopSimExec: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93363\"\n tag rid: \"SV-103451r1_rule\"\n tag stig_id: \"WN19-EP-000270\"\n tag fix_id: \"F-99609r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n winword = json({ command: \"Get-ProcessMitigation -Name WINWORD.EXE | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif winword.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' 
do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for WINWORD.EXE\" do\n subject { winword }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n its(['Payload','EnableExportAddressFilter']) { should eq 1 }\n its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }\n its(['Payload','EnableImportAddressFilter']) { should eq 1 }\n its(['Payload','EnableRopStackPivot']) { should eq 1 }\n its(['Payload','EnableRopCallerCheck']) { should eq 1 }\n its(['Payload','EnableRopSimExec']) { should eq 1 }\n end\n end\nend", + "code": "control \"V-93057\" do\n title \"Windows Server 2019 Create a token object user right must not be\nassigned to any groups or accounts.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Create a token object\\\" user right allows a process to create an\naccess token. 
This could be used to provide elevated rights and compromise a\nsystem.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups are granted the \\\"Create a token object\\\" user\nright, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs are granted the \\\"SeCreateTokenPrivilege\\\" user right, this is\na finding.\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\n\n Passwords for application accounts with this user right must be protected\nas highly privileged accounts.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> User Rights\nAssignment >> \\\"Create a token object\\\" to be defined but containing no entries\n(blank).\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93057'\n tag 'rid': 'SV-103145r1_rule'\n tag 'stig_id': 'WN19-UR-000060'\n tag 'fix_id': 'F-99303r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg 
c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeCreateTokenPrivilege') { should eq [] }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93363.rb", + "ref": "./Windows 2019 STIG/controls/V-93057.rb", "line": 3 }, - "id": "V-93363" + "id": "V-93057" }, { - "title": "Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.", - "desc": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Data Execution Prevention (DEP)\", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. If this is turned off, Windows may be subject to various exploits.", + "title": "Windows Server 2019 reversible password encryption must be disabled.", + "desc": "Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled.", "descriptions": { - "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Data Execution Prevention (DEP)\", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. If this is turned off, Windows may be subject to various exploits.", + "default": "Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. 
For this reason, this policy must never be enabled.", "rationale": "", - "check": "This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"DEP: Enable\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", - "fix": "Ensure Exploit Protection system-level mitigation, \"Data Execution Prevention (DEP)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Data Execution Prevention (DEP)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn DEP on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." 
+ "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \"Store passwords using reversible encryption\" is not set to \"Disabled\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"ClearTextPassword\" equals \"1\" in the file, this is a finding.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Store passwords using reversible encryption\" to \"Disabled\"." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93313", - "rid": "SV-103401r1_rule", - "stig_id": "WN19-EP-000010", - "fix_id": "F-99559r1_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-93465", + "rid": "SV-103551r1_rule", + "stig_id": "WN19-AC-000090", + "fix_id": "F-99709r1_fix", "cci": [ - "CCI-000366" + "CCI-000196" ], "nist": [ - "CM-6 b", + "IA-5 (1) (c)", "Rev_4" ] }, - "code": "control \"V-93313\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Data Execution Prevention (DEP)\\\", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement. 
The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"DEP: Enable\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Data Execution Prevention (DEP)\\\", is turned on. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Data Execution Prevention (DEP)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn DEP on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93313\"\n tag rid: \"SV-103401r1_rule\"\n tag stig_id: \"WN19-EP-000010\"\n tag fix_id: \"F-99559r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n systemdep = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemdep.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemdep).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemdep }\n its(['Dep','Enable']) { should be_between(0,1) }\n end\n end\nend", + "code": "control \"V-93465\" do\n title \"Windows Server 2019 reversible password encryption must be disabled.\"\n desc \"Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. 
For this reason, this policy must never be enabled.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for \\\"Store passwords using reversible encryption\\\" is not set to \\\"Disabled\\\", this is a finding.\n\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"ClearTextPassword\\\" equals \\\"1\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Store passwords using reversible encryption\\\" to \\\"Disabled\\\".\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000073-GPOS-00041\"\n tag gid: \"V-93465\"\n tag rid: \"SV-103551r1_rule\"\n tag stig_id: \"WN19-AC-000090\"\n tag fix_id: \"F-99709r1_fix\"\n tag cci: [\"CCI-000196\"]\n tag nist: [\"IA-5 (1) (c)\", \"Rev_4\"]\n\n describe security_policy do\n its('ClearTextPassword') { should eq 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93313.rb", + "ref": "./Windows 2019 STIG/controls/V-93465.rb", "line": 3 }, - "id": "V-93313" + "id": "V-93465" }, { - "title": "Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.", - "desc": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.", + "title": "Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.", + "desc": "The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.", "descriptions": { - "default": "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.", + "default": "The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. 
The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.", "rationale": "", - "check": "If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -Name firefox.exe\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \"ON\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here.", - "fix": "Ensure the following mitigations are turned \"ON\" for firefox.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + "check": "This applies to domain controllers. 
It is NA for other systems.\n Open an elevated \"Command Prompt\" (run as administrator).\n Enter \"ntdsutil\".\n At the \"ntdsutil:\" prompt, enter \"LDAP policies\".\n At the \"ldap policy:\" prompt, enter \"connections\".\n At the \"server connections:\" prompt, enter \"connect to server [host-name]\"\n (where [host-name] is the computer name of the domain controller).\n At the \"server connections:\" prompt, enter \"q\".\n At the \"ldap policy:\" prompt, enter \"show values\".\n If the value for MaxConnIdleTime is greater than \"300\" (5 minutes) or is not specified, this is a finding.\n Enter \"q\" at the \"ldap policy:\" and \"ntdsutil:\" prompts to exit.\n\n Alternately, Dsquery can be used to display MaxConnIdleTime:\n Open \"Command Prompt (Admin)\".\n Enter the following command (on a single line).\n dsquery * \"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]\" -attr LDAPAdminLimits\n\n The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).\n If the results do not specify a \"MaxConnIdleTime\" or it has a value greater than \"300\" (5 minutes), this is a finding.", + "fix": "Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.\n Open an elevated \"Command prompt\" (run as administrator).\n Enter \"ntdsutil\".\n At the \"ntdsutil:\" prompt, enter \"LDAP policies\".\n At the \"ldap policy:\" prompt, enter \"connections\".\n At the \"server connections:\" prompt, enter \"connect to server [host-name]\" (where [host-name] is the computer name of the domain controller).\n At the \"server connections:\" prompt, enter \"q\".\n At the \"ldap policy:\" prompt, enter \"Set MaxConnIdleTime to 300\".\n Enter \"Commit Changes\" to save.\n Enter \"Show values\" to verify changes.\n Enter \"q\" at the \"ldap policy:\" and \"ntdsutil:\" 
prompts to exit." }, "impact": 0, "refs": [], "tags": { - "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93329", - "rid": "SV-103417r1_rule", - "stig_id": "WN19-EP-000100", - "fix_id": "F-99575r1_fix", + "severity": "", + "gtitle": "SRG-OS-000163-GPOS-00072", + "gid": "V-93509", + "rid": "SV-103595r1_rule", + "stig_id": "WN19-DC-000160", + "fix_id": "F-99753r1_fix", "cci": [ - "CCI-000366" + "CCI-001133" ], "nist": [ - "CM-6 b", + "SC-10", "Rev_4" ] }, - "code": "control \"V-93329\" do\n title \"Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.\"\n desc \"Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the referenced application is not installed on the system, this is NA.\n\n This is applicable to unclassified systems, for other systems this is NA.\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -Name firefox.exe\\\".\n (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)\n\n If the following mitigations do not have a status of \\\"ON\\\", this is a finding:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n The PowerShell command produces a list of mitigations; only those with a required status of \\\"ON\\\" are listed here.\"\n desc \"fix\", \"Ensure the following mitigations are turned \\\"ON\\\" for firefox.exe:\n\n DEP:\n Enable: ON\n\n ASLR:\n BottomUp: ON\n ForceRelocateImages: ON\n\n Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \\\"Supporting Files\\\" folder.\n\n The XML file is applied with the group policy setting Computer Configuration 
>> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93329\"\n tag rid: \"SV-103417r1_rule\"\n tag stig_id: \"WN19-EP-000100\"\n tag fix_id: \"F-99575r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n firefox = json({ command: \"Get-ProcessMitigation -Name firefox.exe | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif firefox.empty?\n impact 0.0\n describe 'The referenced application is not installed on the system, this is NA.' do\n skip 'The referenced application is not installed on the system, this is NA.'\n end\n else\n describe \"Exploit Protection: the following mitigations must be set to 'ON' for firefox.exe\" do\n subject { firefox }\n its(['Dep','Enable']) { should eq 1 }\n its(['Aslr','BottomUp']) { should eq 1 }\n its(['Aslr','ForceRelocateImages']) { should eq 1 }\n end\n end\nend", + "code": "control 'V-93509' do\n title \"Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after #{input('maximum_idle_time')/60} minutes of inactivity.\"\n desc 'The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. 
For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.'\n desc 'rationale', ''\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n Open an elevated \\\"Command Prompt\\\" (run as administrator).\n Enter \\\"ntdsutil\\\".\n At the \\\"ntdsutil:\\\" prompt, enter \\\"LDAP policies\\\".\n At the \\\"ldap policy:\\\" prompt, enter \\\"connections\\\".\n At the \\\"server connections:\\\" prompt, enter \\\"connect to server [host-name]\\\"\n (where [host-name] is the computer name of the domain controller).\n At the \\\"server connections:\\\" prompt, enter \\\"q\\\".\n At the \\\"ldap policy:\\\" prompt, enter \\\"show values\\\".\n If the value for MaxConnIdleTime is greater than \\\"#{input('maximum_idle_time')}\\\" (#{input('maximum_idle_time')/60} minutes) or is not specified, this is a finding.\n Enter \\\"q\\\" at the \\\"ldap policy:\\\" and \\\"ntdsutil:\\\" prompts to exit.\n\n Alternately, Dsquery can be used to display MaxConnIdleTime:\n Open \\\"Command Prompt (Admin)\\\".\n Enter the following command (on a single line).\n dsquery * \\\"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]\\\" -attr LDAPAdminLimits\n\n The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).\n If the results do not specify a \\\"MaxConnIdleTime\\\" or it has a value greater than \\\"#{input('maximum_idle_time')}\\\" (#{input('maximum_idle_time')/60} minutes), this is a finding.\"\n desc 'fix', \"Configure the directory service to terminate LDAP-based network connections to the directory server after #{input('maximum_idle_time')/60} minutes of inactivity.\n Open an elevated 
\\\"Command prompt\\\" (run as administrator).\n Enter \\\"ntdsutil\\\".\n At the \\\"ntdsutil:\\\" prompt, enter \\\"LDAP policies\\\".\n At the \\\"ldap policy:\\\" prompt, enter \\\"connections\\\".\n At the \\\"server connections:\\\" prompt, enter \\\"connect to server [host-name]\\\" (where [host-name] is the computer name of the domain controller).\n At the \\\"server connections:\\\" prompt, enter \\\"q\\\".\n At the \\\"ldap policy:\\\" prompt, enter \\\"Set MaxConnIdleTime to #{input('maximum_idle_time')}\\\".\n Enter \\\"Commit Changes\\\" to save.\n Enter \\\"Show values\\\" to verify changes.\n Enter \\\"q\\\" at the \\\"ldap policy:\\\" and \\\"ntdsutil:\\\" prompts to exit.\"\n impact 0.3\n tag 'severity': ''\n tag 'gtitle': \"SRG-OS-000163-GPOS-00072\"\n tag 'gid': \"V-93509\"\n tag 'rid': \"SV-103595r1_rule\"\n tag 'stig_id': \"WN19-DC-000160\"\n tag 'fix_id': \"F-99753r1_fix\"\n tag 'cci': [\"CCI-001133\"]\n tag 'nist': [\"SC-10\", \"Rev_4\"]\n\n forest_name = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-Json').params\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n \n if domain_role == '4' || domain_role == '5'\n query = command(\"dsquery * 'cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,#{forest_name}' -attr LDAPAdminLimits\").stdout \n ldap_admin_limits = parse_config(query.gsub(/;/, \"\\n\")).params\n describe \"MaxConnIdleTime is configured\" do\n subject { ldap_admin_limits }\n it { should include 'MaxConnIdleTime' }\n end\n describe \"The MaxConnIdleTime\" do\n subject { ldap_admin_limits['MaxConnIdleTime'] }\n it { should cmp <= input(\"maximum_idle_time\") }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 
STIG/controls/V-93329.rb", + "ref": "./Windows 2019 STIG/controls/V-93509.rb", "line": 3 }, - "id": "V-93329" + "id": "V-93509" }, { - "title": "Windows Server 2019 maximum password age must be configured to 60 days or less.", - "desc": "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.", + "title": "Windows Server 2019 machine inactivity limit must be set to 15 minutes\nor less, locking the system with the screen saver.", + "desc": "Unattended systems are susceptible to unauthorized use and should be\nlocked when unattended. The screen saver should be set at a maximum of 15\nminutes and be password protected. This protects critical and sensitive data\nfrom exposure to unauthorized personnel with physical access to the computer.", "descriptions": { - "default": "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.", + "default": "Unattended systems are susceptible to unauthorized use and should be\nlocked when unattended. The screen saver should be set at a maximum of 15\nminutes and be password protected. 
This protects critical and sensitive data\nfrom exposure to unauthorized personnel with physical access to the computer.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \"Maximum password age\" is greater than \"60\" days, this is a finding.\n If the value is set to \"0\" (never expires), this is a finding.\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n If \"MaximumPasswordAge\" is greater than \"60\" or equal to \"0\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \"Maximum password age\" to \"60\" days or less (excluding \"0\", which is unacceptable)." + "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less, excluding \"0\" which is effectively\ndisabled)", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> Security Options >>\n\"Interactive logon: Machine inactivity limit\" to \"900\" seconds or less,\nexcluding \"0\" which is effectively disabled." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-93477", - "rid": "SV-103563r1_rule", - "stig_id": "WN19-AC-000050", - "fix_id": "F-99721r1_fix", + "gtitle": "SRG-OS-000028-GPOS-00009", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012" + ], + "gid": "V-92961", + "rid": "SV-103049r1_rule", + "stig_id": "WN19-SO-000120", + "fix_id": "F-99207r1_fix", "cci": [ - "CCI-000199" + "CCI-000056", + "CCI-000057", + "CCI-000060" ], "nist": [ - "IA-5 (1) (d)", + "AC-11 b", + "AC-11 a", + "AC-11 (1)", "Rev_4" ] }, - "code": "control \"V-93477\" do\n title \"Windows Server 2019 maximum password age must be configured to 60 days or less.\"\n desc \"The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.\n If the value for the \\\"Maximum password age\\\" is greater than \\\"60\\\" days, this is a finding.\n If the value is set to \\\"0\\\" (never expires), this is a finding.\n For server core installations, run the following command:\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n If \\\"MaximumPasswordAge\\\" is greater than \\\"60\\\" or equal to \\\"0\\\" in the file, this is a finding.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> \\\"Maximum password age\\\" to \\\"60\\\" days or less (excluding \\\"0\\\", which is unacceptable).\"\n impact 0.5\n tag severity: 
nil\n tag gtitle: \"SRG-OS-000076-GPOS-00044\"\n tag gid: \"V-93477\"\n tag rid: \"SV-103563r1_rule\"\n tag stig_id: \"WN19-AC-000050\"\n tag fix_id: \"F-99721r1_fix\"\n tag cci: [\"CCI-000199\"]\n tag nist: [\"IA-5 (1) (d)\", \"Rev_4\"]\n\n describe security_policy do\n its('MaximumPasswordAge') { should be_between(1,input('maximum_password_age')) }\n end\nend", + "code": "control \"V-92961\" do\n title \"Windows Server 2019 machine inactivity limit must be set to 15 minutes\nor less, locking the system with the screen saver.\"\n desc \"Unattended systems are susceptible to unauthorized use and should be\nlocked when unattended. The screen saver should be set at a maximum of 15\nminutes and be password protected. This protects critical and sensitive data\nfrom exposure to unauthorized personnel with physical access to the computer.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: InactivityTimeoutSecs\n\n Value Type: REG_DWORD\n Value: 0x00000384 (900) (or less, excluding \\\"0\\\" which is effectively\ndisabled)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Local Policies >> Security Options >>\n\\\"Interactive logon: Machine inactivity limit\\\" to \\\"900\\\" seconds or less,\nexcluding \\\"0\\\" which is effectively disabled.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000028-GPOS-00009'\n tag 'satisfies': [\"SRG-OS-000028-GPOS-00009\", \"SRG-OS-000029-GPOS-00010\",\n\"SRG-OS-000031-GPOS-00012\"]\n tag 'gid': 'V-92961'\n tag 'rid': 'SV-103049r1_rule'\n tag 'stig_id': 'WN19-SO-000120'\n tag 'fix_id': 'F-99207r1_fix'\n tag 'cci': [\"CCI-000056\", \"CCI-000057\", \"CCI-000060\"]\n tag 'nist': [\"AC-11 b\", \"AC-11 a\", \"AC-11 
(1)\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n its('InactivityTimeoutSecs') { should be <= 900 }\n its('InactivityTimeoutSecs') { should_not eq 0 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93477.rb", + "ref": "./Windows 2019 STIG/controls/V-92961.rb", "line": 3 }, - "id": "V-93477" + "id": "V-92961" }, { - "title": "Windows Server 2019 administrator accounts must not be enumerated during elevation.", - "desc": "Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.", + "title": "Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.", + "desc": "Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption.\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \"The other domain supports Kerberos AES Encryption\" on domain trusts, may be required to allow client communication across the trust relationship.", "descriptions": { - "default": "Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.", + "default": "Certain encryption types are no longer considered secure. 
The DES and RC4 encryption suites must not be used for Kerberos encryption.\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \"The other domain supports Kerberos AES Encryption\" on domain trusts, may be required to allow client communication across the trust relationship.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\\n\n Value Name: EnumerateAdministrators\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> \"Enumerate administrator accounts on elevation\" to \"Disabled\"." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Configure encryption types allowed for Kerberos\" to \"Enabled\" with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types\n\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \"The other domain supports Kerberos AES Encryption\" on domain trusts, may be required to allow client communication across the trust relationship." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-93517", - "rid": "SV-103603r1_rule", - "stig_id": "WN19-CC-000240", - "fix_id": "F-99761r1_fix", + "gtitle": "SRG-OS-000120-GPOS-00061", + "gid": "V-93495", + "rid": "SV-103581r1_rule", + "stig_id": "WN19-SO-000290", + "fix_id": "F-99739r1_fix", "cci": [ - "CCI-001084" + "CCI-000803" ], "nist": [ - "SC-3", + "IA-7", "Rev_4" ] }, - "code": "control \"V-93517\" do\n title \"Windows Server 2019 administrator accounts must not be enumerated during elevation.\"\n desc \"Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI\\\\\n\n Value Name: EnumerateAdministrators\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> \\\"Enumerate administrator accounts on elevation\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000134-GPOS-00068\"\n tag gid: \"V-93517\"\n tag rid: \"SV-103603r1_rule\"\n tag stig_id: \"WN19-CC-000240\"\n tag fix_id: \"F-99761r1_fix\"\n tag cci: [\"CCI-001084\"]\n tag nist: [\"SC-3\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\CredUI') do\n it { should have_property 'EnumerateAdministrators' }\n its('EnumerateAdministrators') { should cmp == 0 }\n end\nend", + "code": "control \"V-93495\" do\n title \"Windows Server 
2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.\"\n desc \"Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption.\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \\\"The other domain supports Kerberos AES Encryption\\\" on domain trusts, may be required to allow client communication across the trust relationship.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\\\n\n Value Name: SupportedEncryptionTypes\n\n Value Type: REG_DWORD\n Value: 0x7ffffff8 (2147483640)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Configure encryption types allowed for Kerberos\\\" to \\\"Enabled\\\" with only the following selected:\n\n AES128_HMAC_SHA1\n AES256_HMAC_SHA1\n Future encryption types\n\n Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \\\"The other domain supports Kerberos AES Encryption\\\" on domain trusts, may be required to allow client communication across the trust relationship.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000120-GPOS-00061\"\n tag gid: \"V-93495\"\n tag rid: \"SV-103581r1_rule\"\n tag stig_id: \"WN19-SO-000290\"\n tag fix_id: \"F-99739r1_fix\"\n tag cci: [\"CCI-000803\"]\n tag nist: [\"IA-7\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters') do\n it { should 
have_property 'SupportedEncryptionTypes' }\n its('SupportedEncryptionTypes') { should cmp 2147483640 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93517.rb", + "ref": "./Windows 2019 STIG/controls/V-93495.rb", "line": 3 }, - "id": "V-93517" + "id": "V-93495" }, { - "title": "Windows Server 2019 must have software certificate installation files\nremoved.", - "desc": "Use of software certificates and their accompanying installation files\nfor end users to access resources is less secure than the use of hardware-based\ncertificates.", + "title": "Windows Server 2019 Deny log on locally user right on domain-joined\nmember servers must be configured to prevent access from highly privileged\ndomain accounts and from unauthenticated access on all systems.", + "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on locally\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "descriptions": { - "default": "Use of software certificates and their accompanying installation files\nfor end users to access resources is less secure than the use of hardware-based\ncertificates.", + "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Deny log on locally\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential 
theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.", "rationale": "", - "check": "Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement\nfor .p12 certificate files or Adobe PreFlight certificate files. Some\napplications create files with extensions of .p12 that are not certificate\ninstallation files. Removal of non-certificate installation files from systems\nis not required. These must be documented with the ISSO.", - "fix": "Remove any certificate installation files (*.p12 and *.pfx) found on a\nsystem.\n\n Note: This does not apply to server-based applications that have a\nrequirement for .p12 certificate files or Adobe PreFlight certificate files." + "check": "This applies to member servers and standalone systems. A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \"Deny log on\nlocally\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the\n\"SeDenyInteractiveLogonRight\" user right, this is a finding:\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n All Systems:\n S-1-5-32-546 (Guests)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> 
Security Settings >> Local Policies >> User Rights Assignment >> \"Deny log\non locally\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group" }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93221", - "rid": "SV-103309r2_rule", - "stig_id": "WN19-00-000240", - "fix_id": "F-101007r1_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-93015", + "rid": "SV-103103r1_rule", + "stig_id": "WN19-MS-000110", + "fix_id": "F-99261r1_fix", "cci": [ - "CCI-000366" + "CCI-000213" ], "nist": [ - "CM-6 b", + "AC-3", "Rev_4" ] }, - "code": "control \"V-93221\" do\n title \"Windows Server 2019 must have software certificate installation files\nremoved.\"\n desc \"Use of software certificates and their accompanying installation files\nfor end users to access resources is less secure than the use of hardware-based\ncertificates.\"\n desc \"rationale\", \"\"\n desc 'check', \"Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement\nfor .p12 certificate files or Adobe PreFlight certificate files. Some\napplications create files with extensions of .p12 that are not certificate\ninstallation files. Removal of non-certificate installation files from systems\nis not required. 
These must be documented with the ISSO.\"\n desc 'fix', \"Remove any certificate installation files (*.p12 and *.pfx) found on a\nsystem.\n\n Note: This does not apply to server-based applications that have a\nrequirement for .p12 certificate files or Adobe PreFlight certificate files.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93221'\n tag 'rid': 'SV-103309r2_rule'\n tag 'stig_id': 'WN19-00-000240'\n tag 'fix_id': 'F-101007r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe command('where /R c: *.p12 *.pfx') do\n its('stdout') { should eq '' }\n end\nend\n", + "code": "control \"V-93015\" do\n title \"Windows Server 2019 Deny log on locally user right on domain-joined\nmember servers must be configured to prevent access from highly privileged\ndomain accounts and from unauthenticated access on all systems.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Deny log on locally\\\" user right defines accounts that are prevented\nfrom logging on interactively.\n\n In an Active Directory Domain, denying logons to the Enterprise Admins and\nDomain Admins groups on lower-trust systems helps mitigate the risk of\nprivilege escalation from credential theft attacks, which could lead to the\ncompromise of an entire domain.\n\n The Guests group must be assigned this right to prevent unauthenticated\naccess.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems. 
A separate version\napplies to domain controllers.\n\n Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If the following accounts or groups are not defined for the \\\"Deny log on\nlocally\\\" user right, this is a finding:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If the following SIDs are not defined for the\n\\\"SeDenyInteractiveLogonRight\\\" user right, this is a finding:\n\n Domain Systems Only:\n S-1-5-root domain-519 (Enterprise Admins)\n S-1-5-domain-512 (Domain Admins)\n\n All Systems:\n S-1-5-32-546 (Guests)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Deny log\non locally\\\" to include the following:\n\n Domain Systems Only:\n - Enterprise Admins Group\n - Domain Admins Group\n\n All Systems:\n - Guests Group\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93015'\n tag 'rid': 'SV-103103r1_rule'\n tag 'stig_id': 'WN19-MS-000110'\n tag 'fix_id': 'F-99261r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n case domain_role\n when '4', '5'\n impact 0.0\n describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do\n skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control'\n end\n when '2'\n describe security_policy do\n 
its('SeDenyInteractiveLogonRight') { should eq ['S-1-5-32-546'] }\n end\n when '3'\n domain_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Domain Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n domain_admin_sid = json(command: domain_query).params\n enterprise_admin_query = <<-EOH\n $group = New-Object System.Security.Principal.NTAccount('Enterprise Admins')\n $sid = ($group.Translate([security.principal.securityidentifier])).value\n $sid | ConvertTo-Json\n EOH\n\n enterprise_admin_sid = json(command: enterprise_admin_query).params\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include \"#{domain_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include \"#{enterprise_admin_sid}\" }\n end\n describe security_policy do\n its('SeDenyInteractiveLogonRight') { should include 'S-1-5-32-546' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93221.rb", + "ref": "./Windows 2019 STIG/controls/V-93015.rb", "line": 3 }, - "id": "V-93221" + "id": "V-93015" }, { - "title": "Windows Server 2019 must prevent the display of slide shows on the lock screen.", - "desc": "Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.", + "title": "Windows Server 2019 permissions for the System event log must prevent\naccess by non-privileged accounts.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. 
The\nSystem event log may be susceptible to tampering if proper permissions are not\napplied.", "descriptions": { - "default": "Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSystem event log may be susceptible to tampering if proper permissions are not\napplied.", "rationale": "", - "check": "Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> \"Prevent enabling lock screen slide show\" to \"Enabled\"." + "check": "Navigate to the System event log file.\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\"\nfolder. However, the logs may have been moved to another folder.\n\n If the permissions for the \"System.evtx\" file are not as restrictive as\nthe default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control", + "fix": "Configure the permissions on the System event log file (System.evtx) to\nprevent access by non-privileged accounts. 
The default permissions listed below\nsatisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \"%SystemRoot%\\System32\\winevt\\Logs\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \"NT Service\\Eventlog\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93399", - "rid": "SV-103485r1_rule", - "stig_id": "WN19-CC-000010", - "fix_id": "F-99643r1_fix", + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-93193", + "rid": "SV-103281r1_rule", + "stig_id": "WN19-AU-000050", + "fix_id": "F-99439r1_fix", "cci": [ - "CCI-000381" + "CCI-000162", + "CCI-000163", + "CCI-000164" ], "nist": [ - "CM-7 a", + "AU-9", + "AU-9", + "AU-9", "Rev_4" ] }, - "code": "control \"V-93399\" do\n title \"Windows Server 2019 must prevent the display of slide shows on the lock screen.\"\n desc \"Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the registry value below. 
If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization\\\\\n\n Value Name: NoLockScreenSlideshow\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> \\\"Prevent enabling lock screen slide show\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93399\"\n tag rid: \"SV-103485r1_rule\"\n tag stig_id: \"WN19-CC-000010\"\n tag fix_id: \"F-99643r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Personalization') do\n it { should have_property 'NoLockScreenSlideshow' }\n its('NoLockScreenSlideshow') { should cmp == 1 }\n end\nend", + "code": "control \"V-93193\" do\n title \"Windows Server 2019 permissions for the System event log must prevent\naccess by non-privileged accounts.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised. The\nSystem event log may be susceptible to tampering if proper permissions are not\napplied.\"\n desc \"rationale\", \"\"\n desc 'check', \"Navigate to the System event log file.\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\"\nfolder. 
However, the logs may have been moved to another folder.\n\n If the permissions for the \\\"System.evtx\\\" file are not as restrictive as\nthe default permissions listed below, this is a finding:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\"\n desc 'fix', \"Configure the permissions on the System event log file (System.evtx) to\nprevent access by non-privileged accounts. The default permissions listed below\nsatisfy this requirement:\n\n Eventlog - Full Control\n SYSTEM - Full Control\n Administrators - Full Control\n\n The default location is the \\\"%SystemRoot%\\\\System32\\\\winevt\\\\Logs\\\" folder.\n\n If the location of the logs has been changed, when adding Eventlog to the\npermissions, it must be entered as \\\"NT Service\\\\Eventlog\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000057-GPOS-00027'\n tag 'satisfies': [\"SRG-OS-000057-GPOS-00027\", \"SRG-OS-000058-GPOS-00028\",\n\"SRG-OS-000059-GPOS-00029\"]\n tag 'gid': 'V-93193'\n tag 'rid': 'SV-103281r1_rule'\n tag 'stig_id': 'WN19-AU-000050'\n tag 'fix_id': 'F-99439r1_fix'\n tag 'cci': [\"CCI-000162\", \"CCI-000163\", \"CCI-000164\"]\n tag 'nist': [\"AU-9\", \"AU-9\", \"AU-9\", \"Rev_4\"]\n\n get_system_root = command('Get-ChildItem Env: | Findstr SystemRoot').stdout.strip\n system_root = get_system_root[11..get_system_root.length]\n\n systemroot = system_root.strip\n\n winevt_logs_system = <<-EOH\n $output = (Get-Acl -Path #{systemroot}\\\\SYSTEM32\\\\WINEVT\\\\LOGS\\\\System.evtx).AccessToString\n write-output $output\n EOH\n\n # raw powershell output\n raw_logs_system = powershell(winevt_logs_system).stdout.strip\n\n # clean results cleans up the extra line breaks\n clean_logs_system = raw_logs_system.lines.collect(&:strip)\n\n describe 'Verify the default registry permissions for the keys note below of the C:\\Windows\\System32\\WINEVT\\LOGS\\System.evtx' do\n subject { clean_logs_system }\n it { should cmp 
input('winevt_logs_system_perms') }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93399.rb", + "ref": "./Windows 2019 STIG/controls/V-93193.rb", "line": 3 }, - "id": "V-93399" + "id": "V-93193" }, { - "title": "Windows Server 2019 must be configured to audit logon successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.", + "title": "Windows Server 2019 default permissions of global system objects must be strengthened.", + "desc": "Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. 
If this is an interactive logon, it is recorded\non the local system. If it is to a network share, it is recorded on the system\naccessed.", + "default": "Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Success\"\nselected." 
+ "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)\" to \"Enabled\"." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000032-GPOS-00013", - "satisfies": [ - "SRG-OS-000032-GPOS-00013", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000472-GPOS-00217", - "SRG-OS-000473-GPOS-00218", - "SRG-OS-000475-GPOS-00220" - ], - "gid": "V-92967", - "rid": "SV-103055r1_rule", - "stig_id": "WN19-AU-000190", - "fix_id": "F-99213r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93309", + "rid": "SV-103397r1_rule", + "stig_id": "WN19-SO-000370", + "fix_id": "F-99555r1_fix", "cci": [ - "CCI-000067", - "CCI-000172" + "CCI-000366" ], "nist": [ - "AC-17 (1)", - "AU-12 c", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-92967\" do\n title \"Windows Server 2019 must be configured to audit logon successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Logon records user logons. If this is an interactive logon, it is recorded\non the local system. 
If it is to a network share, it is recorded on the system\naccessed.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Logon - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Logon\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': \"SRG-OS-000032-GPOS-00013\"\n tag 'satisfies': [\"SRG-OS-000032-GPOS-00013\", \"SRG-OS-000470-GPOS-00214\",\n\"SRG-OS-000472-GPOS-00217\", \"SRG-OS-000473-GPOS-00218\",\n\"SRG-OS-000475-GPOS-00220\"]\n tag 'gid': 'V-92967'\n tag 'rid': 'SV-103055r1_rule'\n tag 'stig_id': 'WN19-AU-000190'\n tag 'fix_id': 'F-99213r1_fix'\n tag 'cci': [\"CCI-000067\", \"CCI-000172\"]\n tag 'nist': [\"AC-17 (1)\", \"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Logon') { should eq 'Success' }\n end\n describe audit_policy do\n its('Logon') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93309\" do\n title \"Windows Server 2019 default permissions of global system objects must be strengthened.\"\n desc \"Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. 
Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\\n\n Value Name: ProtectionMode\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)\\\" to \\\"Enabled\\\".\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93309\"\n tag rid: \"SV-103397r1_rule\"\n tag stig_id: \"WN19-SO-000370\"\n tag fix_id: \"F-99555r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager') do\n it { should have_property 'ProtectionMode' }\n its('ProtectionMode') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92967.rb", + "ref": "./Windows 2019 STIG/controls/V-93309.rb", "line": 3 }, - "id": "V-92967" + "id": "V-93309" }, { - "title": "Windows Server 2019 must not have Simple TCP/IP Services installed.", - "desc": "Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", + "title": "Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.", + "desc": "Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.", "descriptions": { - "default": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", + "default": "Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.", "rationale": "", - "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq Simple-TCPIP\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", - "fix": "Uninstall the \"Simple TCP/IP Services\" feature.\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Simple TCP/IP Services\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." + "check": "Verify the registry value below. 
If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> \"Sign-in last interactive user automatically after a system-initiated restart\" to \"Disabled\"." }, "impact": 0.5, - "refs": [], - "tags": { - "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93387", - "rid": "SV-103473r1_rule", - "stig_id": "WN19-00-000350", - "fix_id": "F-99631r1_fix", + "refs": [], + "tags": { + "severity": null, + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-93269", + "rid": "SV-103357r1_rule", + "stig_id": "WN19-CC-000450", + "fix_id": "F-99515r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93387\" do\n title \"Windows Server 2019 must not have Simple TCP/IP Services installed.\"\n desc \"Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq Simple-TCPIP\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Simple TCP/IP Services\\\" feature.\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Simple TCP/IP Services\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93387\"\n tag rid: \"SV-103473r1_rule\"\n tag stig_id: \"WN19-00-000350\"\n tag fix_id: \"F-99631r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('Simple-TCPIP') do\n it { should_not be_installed }\n end\nend", + "code": "control \"V-93269\" do\n title \"Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.\"\n desc \"Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Verify the registry value below. 
If it does not exist or is not configured as specified, this is a finding.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\n\n Value Name: DisableAutomaticRestartSignOn\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> \\\"Sign-in last interactive user automatically after a system-initiated restart\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00229\"\n tag gid: \"V-93269\"\n tag rid: \"SV-103357r1_rule\"\n tag stig_id: \"WN19-CC-000450\"\n tag fix_id: \"F-99515r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do\n it { should have_property 'DisableAutomaticRestartSignOn' }\n its('DisableAutomaticRestartSignOn') { should cmp 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93387.rb", + "ref": "./Windows 2019 STIG/controls/V-93269.rb", "line": 3 }, - "id": "V-93387" + "id": "V-93269" }, { - "title": "Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.", - "desc": "This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.", + "title": "Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.", + "desc": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.", "descriptions": { - "default": "This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.", + "default": "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\\n\n Value Name: fPromptForPassword\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> \"Always prompt for password upon connection\" to \"Enabled\"." 
+ "check": "Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \"Configure SMBv1 client driver\" to \"Enabled\" with \"Disable driver (recommended)\" selected for \"Configure MrxSmb10 driver\".\n\n The system must be restarted for the changes to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. \"SecGuide.admx\" and \"SecGuide.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000373-GPOS-00157", - "satisfies": [ - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00156" - ], - "gid": "V-93427", - "rid": "SV-103513r1_rule", - "stig_id": "WN19-CC-000360", - "fix_id": "F-99671r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93395", + "rid": "SV-103481r1_rule", + "stig_id": "WN19-00-000400", + "fix_id": "F-99639r1_fix", "cci": [ - "CCI-002038" + "CCI-000381" ], "nist": [ - "IA-11", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93427\" do\n title \"Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.\"\n desc \"This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. 
Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\n\n Value Name: fPromptForPassword\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> \\\"Always prompt for password upon connection\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000373-GPOS-00157\"\n tag satisfies: [\"SRG-OS-000373-GPOS-00157\", \"SRG-OS-000373-GPOS-00156\"]\n tag gid: \"V-93427\"\n tag rid: \"SV-103513r1_rule\"\n tag stig_id: \"WN19-CC-000360\"\n tag fix_id: \"F-99671r1_fix\"\n tag cci: [\"CCI-002038\"]\n tag nist: [\"IA-11\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services') do\n it { should have_property 'fPromptForPassword' }\n its('fPromptForPassword') { should cmp == 1 }\n end\nend", + "code": "control \"V-93395\" do\n title \"Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.\"\n desc \"SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA.\n\n If the following registry value is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10\\\\\n\n Value Name: Start\n\n Type: REG_DWORD\n Value: 0x00000004 (4)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> \\\"Configure SMBv1 client driver\\\" to \\\"Enabled\\\" with \\\"Disable driver (recommended)\\\" selected for \\\"Configure MrxSmb10 driver\\\".\n\n The system must be restarted for the changes to take effect.\n\n This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
\\\"SecGuide.admx\\\" and \\\"SecGuide.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93395\"\n tag rid: \"SV-103481r1_rule\"\n tag stig_id: \"WN19-00-000400\"\n tag fix_id: \"F-99639r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n if powershell(\"Get-WindowsFeature -Name FS-SMB1 | Select -ExpandProperty 'InstallState'\").stdout.strip == \"Installed\"\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters') do\n it { should have_property 'SMB1' }\n its('SMB1') { should cmp == 0 }\n end\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mrxsmb10') do\n it { should have_property 'Start' }\n its('Start') { should cmp == 4 }\n end\n else\n impact 0.0\n describe 'Control V-93391 configuration successful' do\n skip 'This is NA as the successful configuration of Control V-93391 (STIG ID# WN19-00-000380) meets the requirement'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93427.rb", + "ref": "./Windows 2019 STIG/controls/V-93395.rb", "line": 3 }, - "id": "V-93427" + "id": "V-93395" }, { - "title": "Windows Server 2019 Take ownership of files or other objects user\nright must only be assigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Take ownership of files or other objects\" user right\ncan take ownership of objects and make changes.", + "title": "Windows Server 2019 manually managed application account passwords must be changed at least every 365 days or when a system administrator with knowledge of the password leaves the organization.", + "desc": "Setting application account passwords to expire may 
cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Take ownership of files or other objects\" user right\ncan take ownership of objects and make changes.", + "default": "Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Take\nownership of files or other objects\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeTakeOwnershipPrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> 
Security Settings >> Local Policies >> User Rights Assignment >> \"Take\nownership of files or other objects\" to include only the following accounts or\ngroups:\n\n - Administrators" + "check": "Determine if manually managed application/service accounts exist. If none exist, this is NA.\n If passwords for manually managed application/service accounts are not changed at least every 365 days or when an administrator with knowledge of the password leaves the organization, this is a finding.\n Identify manually managed application/service accounts.\n To determine the date a password was last changed:\n\n Domain controllers:\n Open \"PowerShell\".\n Enter \"Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet\", where [application account name] is the name of the manually managed application/service account.\n If the \"PasswordLastSet\" date is more than 365 days old, this is a finding.\n\n Member servers and standalone systems:\n Open \"Command Prompt\".\n Enter 'Net User [application account name] | Find /i \"Password Last Set\"', where [application account name] is the name of the manually managed application/service account.\n If the \"Password Last Set\" date is more than 365 days old, this is a finding.", + "fix": "Change passwords for manually managed application/service accounts at least every 365 days or when an administrator with knowledge of the password leaves the organization.\n It is recommended that system-managed service accounts be used whenever possible." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93087", - "rid": "SV-103175r1_rule", - "stig_id": "WN19-UR-000220", - "fix_id": "F-99333r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93209", + "rid": "SV-103297r1_rule", + "stig_id": "WN19-00-000060", + "fix_id": "F-99455r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93087\" do\n title \"Windows Server 2019 Take ownership of files or other objects user\nright must only be assigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Take ownership of files or other objects\\\" user right\ncan take ownership of objects and make changes.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Take\nownership of files or other objects\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeTakeOwnershipPrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of 
changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Take\nownership of files or other objects\\\" to include only the following accounts or\ngroups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93087'\n tag 'rid': 'SV-103175r1_rule'\n tag 'stig_id': 'WN19-UR-000220'\n tag 'fix_id': 'F-99333r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeTakeOwnershipPrivilege') { should eq ['S-1-5-32-544'] }\n end\n end\nend\n", + "code": "control \"V-93209\" do\n title \"Windows Server 2019 manually managed application account passwords must be changed at least every #{input('app_password_age')} days or when a system administrator with knowledge of the password leaves the organization.\"\n desc \"Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine if manually managed application/service accounts exist. 
If none exist, this is NA.\n If passwords for manually managed application/service accounts are not changed at least every #{input('app_password_age')} days or when an administrator with knowledge of the password leaves the organization, this is a finding.\n Identify manually managed application/service accounts.\n To determine the date a password was last changed:\n\n Domain controllers:\n Open \\\"PowerShell\\\".\n Enter \\\"Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet\\\", where [application account name] is the name of the manually managed application/service account.\n If the \\\"PasswordLastSet\\\" date is more than #{input('app_password_age')} days old, this is a finding.\n\n Member servers and standalone systems:\n Open \\\"Command Prompt\\\".\n Enter 'Net User [application account name] | Find /i \\\"Password Last Set\\\"', where [application account name] is the name of the manually managed application/service account.\n If the \\\"Password Last Set\\\" date is more than #{input('app_password_age')} days old, this is a finding.\"\n desc 'fix', \"Change passwords for manually managed application/service accounts at least every #{input('app_password_age')} days or when an administrator with knowledge of the password leaves the organization.\n It is recommended that system-managed service accounts be used whenever possible.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93209'\n tag 'rid': 'SV-103297r1_rule'\n tag 'stig_id': 'WN19-00-000060'\n tag 'fix_id': 'F-99455r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n application_accounts_domain = input('application_accounts_domain')\n application_accounts_local = input('application_accounts_local')\n app_password_age = input('app_password_age')\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || 
domain_role == '5'\n if application_accounts_domain.empty?\n impact 0.0\n describe 'There are no application accounts are listed for this control' do\n skip 'This is not applicable since no application accounts are listed for this control'\n end\n else\n application_accounts_domain.each do |user|\n password_set_date = json({ command: \"Get-ADUser -Identity #{user} -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-#{app_password_age})} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\" }).params\n date = password_set_date['DateTime']\n describe 'Password Last Set' do\n it \"Date should not be more that #{app_password_age} days for Application Account: #{user} \" do\n failure_message = \"Password Date is: #{date}\"\n expect(date).to be_nil, failure_message\n end\n end\n end\n end\n else\n if application_accounts_local.empty?\n impact 0.0\n describe 'There are no application accounts are listed for this control' do\n skip 'This is not applicable since no application accounts are listed for this control'\n end\n else\n application_accounts_local.each do |user|\n local_password_set_date = json({ command: \"Get-LocalUser -name #{user} | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-#{app_password_age})} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\" }).params\n date = local_password_set_date['DateTime']\n describe 'Password Last Set' do\n it \"Date should not be more that #{app_password_age} days for Application Account: #{user} \" do\n failure_message = \"Password Date is: #{date}\"\n expect(date).to be_nil, failure_message\n end\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93087.rb", + "ref": "./Windows 2019 STIG/controls/V-93209.rb", "line": 3 }, - "id": "V-93087" + "id": "V-93209" }, { - "title": "Windows Server 2019 must be configured to audit System - IPsec Driver\nfailures.", - "desc": "Maintaining an audit trail of system activity 
logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.", + "title": "Windows Server 2019 Active Directory RID Manager$ object must be\nconfigured with proper audit settings.", + "desc": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the RID Manager$ object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.", + "default": "When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the RID Manager$ object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit IPsec Driver\" with \"Failure\"\nselected." + "check": "This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the \"RID Manager$\" object.\n\n Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select \"System\" under the domain being reviewed in the left pane.\n\n Right-click the \"RID Manager$\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n If the audit settings on the \"RID Manager$\" object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\nmaster)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)", + "fix": "Open \"Active Directory Users and Computers\" (available from various menus\nor run \"dsa.msc\").\n\n Ensure \"Advanced Features\" is selected in the \"View\" menu.\n\n Select \"System\" under the domain being reviewed in the left pane.\n\n Right-click the \"RID Manager$\" object in the right pane and select\n\"Properties\".\n\n Select the \"Security\" tab.\n\n Select the \"Advanced\" button and then the \"Auditing\" tab.\n\n Configure the audit settings for RID Manager$ object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\nmaster)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, 
@@ -9840,10 +9868,10 @@
 "SRG-OS-000463-GPOS-00207",
 "SRG-OS-000468-GPOS-00212"
 ],
- "gid": "V-93107",
- "rid": "SV-103195r1_rule",
- "stig_id": "WN19-AU-000330",
- "fix_id": "F-99353r1_fix",
+ "gid": "V-93131",
+ "rid": "SV-103219r1_rule",
+ "stig_id": "WN19-DC-000220",
+ "fix_id": "F-99377r1_fix",
 "cci": [
 "CCI-000172",
 "CCI-002234"
@@ -9854,500 +9882,447 @@ "Rev_4" ] }, - "code": "control \"V-93107\" do\n title \"Windows Server 2019 must be configured to audit System - IPsec Driver\nfailures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n IPsec Driver records events related to the IPsec Driver, such as dropped\npackets.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> IPsec Driver - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit IPsec Driver\\\" with \\\"Failure\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93107'\n tag 'rid': 'SV-103195r1_rule'\n tag 'stig_id': 'WN19-AU-000330'\n tag 'fix_id': 
'F-99353r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('IPsec Driver') { should eq 'Failure' }\n end\n describe audit_policy do\n its('IPsec Driver') { should eq 'Success and Failure' }\n end\n end\nend\n", - "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93107.rb", - "line": 3 - }, - "id": "V-93107" - }, - { - "title": "Windows Server 2019 must restrict remote calls to the Security Account\nManager (SAM) to Administrators on domain-joined member servers and standalone\nsystems.", - "desc": "The Windows SAM stores users' passwords. Restricting Remote Procedure\nCall (RPC) connections to the SAM to Administrators helps protect those\ncredentials.", - "descriptions": { - "default": "The Windows SAM stores users' passwords. Restricting Remote Procedure\nCall (RPC) connections to the SAM to Administrators helps protect those\ncredentials.", - "rationale": "", - "check": "This applies to member servers and standalone systems; it is NA for domain\ncontrollers.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)", - "fix": "Navigate to the policy Computer Configuration >> Windows Settings >>\nSecurity Settings >> Local Policies >> Security Options >> \"Network access:\nRestrict clients allowed to make remote calls to SAM\".\n Select \"Edit Security\" to configure the \"Security descriptor:\".\n\n Add \"Administrators\" in \"Group or user names:\" if it is not already\nlisted (this is the default).\n\n Select \"Administrators\" in \"Group or user names:\".\n\n Select \"Allow\" for \"Remote Access\" in \"Permissions for\n\"Administrators\".\n\n Click \"OK\".\n\n The \"Security descriptor:\" must be populated 
with\n\"O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced." - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93045", - "rid": "SV-103133r1_rule", - "stig_id": "WN19-MS-000060", - "fix_id": "F-99291r1_fix", - "cci": [ - "CCI-002235" - ], - "nist": [ - "AC-6 (10)", - "Rev_4" - ] - }, - "code": "control \"V-93045\" do\n title \"Windows Server 2019 must restrict remote calls to the Security Account\nManager (SAM) to Administrators on domain-joined member servers and standalone\nsystems.\"\n desc \"The Windows SAM stores users' passwords. Restricting Remote Procedure\nCall (RPC) connections to the SAM to Administrators helps protect those\ncredentials.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to member servers and standalone systems; it is NA for domain\ncontrollers.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\n\n Value Name: RestrictRemoteSAM\n\n Value Type: REG_SZ\n Value: O:BAG:BAD:(A;;RC;;;BA)\"\n desc 'fix', \"Navigate to the policy Computer Configuration >> Windows Settings >>\nSecurity Settings >> Local Policies >> Security Options >> \\\"Network access:\nRestrict clients allowed to make remote calls to SAM\\\".\n Select \\\"Edit Security\\\" to configure the \\\"Security descriptor:\\\".\n\n Add \\\"Administrators\\\" in \\\"Group or user names:\\\" if it is not already\nlisted (this is the default).\n\n Select \\\"Administrators\\\" in \\\"Group or user names:\\\".\n\n Select \\\"Allow\\\" for \\\"Remote Access\\\" in \\\"Permissions for\n\\\"Administrators\\\".\n\n Click \\\"OK\\\".\n\n The \\\"Security descriptor:\\\" must be populated with\n\\\"O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 
'V-93045'\n tag 'rid': 'SV-103133r1_rule'\n tag 'stig_id': 'WN19-MS-000060'\n tag 'fix_id': 'F-99291r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers' do\n skip 'This system is a domain controller, therefore this control is not applicable as it only applies to member servers'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do\n it { should have_property \"RestrictRemoteSAM\"}\n its('RestrictRemoteSAM') { should cmp \"O:BAG:BAD:(A;;RC;;;BA)\" }\n end\n end\nend\n", + "code": "control \"V-93131\" do\n title \"Windows Server 2019 Active Directory RID Manager$ object must be\nconfigured with proper audit settings.\"\n desc \"When inappropriate audit settings are configured for directory service\ndatabase objects, it may be possible for a user or process to update the data\nwithout generating any tracking data. The impact of missing audit data is\nrelated to the type of object. A failure to capture audit data for objects used\nby identification, authentication, or authorization functions could degrade or\neliminate the ability to track changes to access policy for systems or data.\n\n For Active Directory (AD), there are a number of critical object types in\nthe domain naming context of the AD database for which auditing is essential.\nThis includes the RID Manager$ object. Because changes to these objects can\nsignificantly impact access controls or the availability of systems, the\nabsence of auditing data makes it impossible to identify the source of changes\nthat impact the confidentiality, integrity, and availability of data and\nsystems throughout an AD domain. 
The lack of proper auditing can result in\ninsufficient forensic evidence needed to investigate an incident and prosecute\nthe intruder.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. It is NA for other systems.\n\n Review the auditing configuration for the \\\"RID Manager$\\\" object.\n\n Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select \\\"System\\\" under the domain being reviewed in the left pane.\n\n Right-click the \\\"RID Manager$\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n If the audit settings on the \\\"RID Manager$\\\" object are not at least as\ninclusive as those below, this is a finding:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\nmaster)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n desc 'fix', \"Open \\\"Active Directory Users and Computers\\\" (available from various menus\nor run \\\"dsa.msc\\\").\n\n Ensure \\\"Advanced Features\\\" is selected in the \\\"View\\\" menu.\n\n Select \\\"System\\\" under the domain being reviewed in the left pane.\n\n Right-click the \\\"RID Manager$\\\" object in the right pane and select\n\\\"Properties\\\".\n\n Select the \\\"Security\\\" tab.\n\n Select the \\\"Advanced\\\" button and then the \\\"Auditing\\\" tab.\n\n Configure the audit settings for RID Manager$ object to include the\nfollowing:\n\n Type - Fail\n Principal - Everyone\n Access - Full Control\n Inherited from - None\n\n The success types listed below are defaults. 
Where Special is listed in the\nsummary screens for Access, detailed Permissions are provided for reference.\nVarious Properties selections may also exist by default.\n\n Type - Success\n Principal - Everyone\n Access - Special\n Inherited from - None\n (Access - Special = Write all properties, All extended rights, Change RID\nmaster)\n\n Two instances with the following summary information will be listed:\n\n Type - Success\n Principal - Everyone\n Access - (blank)\n Inherited from - (CN of domain)\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93131'\n tag 'rid': 'SV-103219r1_rule'\n tag 'stig_id': 'WN19-DC-000220'\n tag 'fix_id': 'F-99377r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n distinguishedName = json(command: '(Get-ADDomain).DistinguishedName | ConvertTo-JSON').params\n acl_rules = json(command: \"(Get-ACL -Audit -Path AD:'CN=RID Manager$,CN=System,#{distinguishedName}').Audit | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON\").params\n \n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Failure\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"GenericAll\"}\n end\n end\n end\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n 
its(['ActiveDirectoryRights']) { should cmp \"WriteProperty, ExtendedRight\"}\n its(['IsInherited']) { should cmp \"False\" }\n its(['InheritanceType']) { should cmp \"None\" }\n end\n end\n end\n\n\n describe.one do\n acl_rules.each do |acl_rule|\n describe \"Audit rule property for principal: #{acl_rule['IdentityReference']}\" do\n subject { acl_rule }\n its(['AuditFlags']) { should cmp \"Success\" }\n its(['IdentityReference']) { should cmp \"Everyone\" }\n its(['ActiveDirectoryRights']) { should cmp \"WriteProperty\"}\n its(['IsInherited']) { should cmp \"True\" }\n its(['InheritanceType']) { should cmp \"Descendents\" }\n end\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93045.rb", + "ref": "./Windows 2019 STIG/controls/V-93131.rb", "line": 3 }, - "id": "V-93045" + "id": "V-93131" }, { - "title": "Windows Server 2019 must have the period of time before the bad logon\ncounter is reset configured to 15 minutes or greater.", - "desc": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat must pass after failed logon attempts before the counter is reset to\n\"0\". The smaller this value is, the less effective the account lockout\nfeature will be in protecting the local system.", + "title": "Windows Server 2019 must be configured to audit System - Security\nState Change successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\nstate, such as startup and shutdown of the system.", "descriptions": { - "default": "The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat must pass after failed logon attempts before the counter is reset to\n\"0\". The smaller this value is, the less effective the account lockout\nfeature will be in protecting the local system.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\nstate, such as startup and shutdown of the system.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \"Reset account lockout counter after\" value is less than \"15\"\nminutes, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt\n\n If \"ResetLockoutCount\" is less than \"15\" in the file, this is a finding.", - "fix": "Configure the policy value for Computer Configuration 
>>\nWindows Settings >> Security Settings >> Account Policies >> Account Lockout\nPolicy >> \"Reset account lockout counter after\" to at least \"15\" minutes." + "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Security State Change - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit Security State Change\" with\n\"Success\" selected." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000021-GPOS-00005", + "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" + "SRG-OS-000327-GPOS-00127", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-93143", - "rid": "SV-103231r1_rule", - "stig_id": "WN19-AC-000030", - "fix_id": "F-99389r1_fix", + "gid": "V-93113", + "rid": "SV-103201r1_rule", + "stig_id": "WN19-AU-000360", + "fix_id": "F-99359r1_fix", "cci": [ - "CCI-000044", - "CCI-002238" + "CCI-000172", + "CCI-002234" ], "nist": [ - "AC-7 a", - "AC-7 b", + "AU-12 c", + "AC-6 (9)", "Rev_4" ] }, - "code": "control \"V-93143\" do\n title \"Windows Server 2019 must have the period of time before the bad logon\ncounter is reset configured to #{input('pass_lock_time')} minutes or greater.\"\n desc \"The account lockout feature, when enabled, prevents brute-force\npassword attacks on the system. This parameter specifies the period of time\nthat must pass after failed logon attempts before the counter is reset to\n\\\"0\\\". 
The smaller this value is, the less effective the account lockout\nfeature will be in protecting the local system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Account Policies >> Account Lockout Policy.\n\n If the \\\"Reset account lockout counter after\\\" value is less than \\\"#{input('pass_lock_time')}\\\"\nminutes, this is a finding.\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas SecurityPolicy /CFG C:\\\\Path\\\\FileName.Txt\n\n If \\\"ResetLockoutCount\\\" is less than \\\"#{input('pass_lock_time')}\\\" in the file, this is a finding.\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Account Policies >> Account Lockout\nPolicy >> \\\"Reset account lockout counter after\\\" to at least \\\"#{input('pass_lock_time')}\\\" minutes.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000021-GPOS-00005'\n tag 'satisfies': [\"SRG-OS-000021-GPOS-00005\", \"SRG-OS-000329-GPOS-00128\"]\n tag 'gid': 'V-93143'\n tag 'rid': 'SV-103231r1_rule'\n tag 'stig_id': 'WN19-AC-000030'\n tag 'fix_id': 'F-99389r1_fix'\n tag 'cci': [\"CCI-000044\", \"CCI-002238\"]\n tag 'nist': [\"AC-7 a\", \"AC-7 b\", \"Rev_4\"]\n\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n \n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('ResetLockoutCount') { should be >= 
input('pass_lock_time') }\n end\n end\nend\n", + "code": "control \"V-93113\" do\n title \"Windows Server 2019 must be configured to audit System - Security\nState Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\nstate, such as startup and shutdown of the system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Security State Change - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit Security State Change\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93113'\n tag 'rid': 
'SV-103201r1_rule'\n tag 'stig_id': 'WN19-AU-000360'\n tag 'fix_id': 'F-99359r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Security State Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security State Change') { should eq 'Success and Failure' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93143.rb", + "ref": "./Windows 2019 STIG/controls/V-93113.rb", "line": 3 }, - "id": "V-93143" + "id": "V-93113" }, { - "title": "Windows Server 2019 manually managed application account passwords must be at least 15 characters in length.", - "desc": "Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.", + "title": "Windows Server 2019 must have software certificate installation files\nremoved.", + "desc": "Use of software certificates and their accompanying installation files\nfor end users to access resources is less secure than the use of hardware-based\ncertificates.", "descriptions": { - "default": "Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.", + "default": "Use of software certificates and their accompanying installation files\nfor end users to access resources is less secure than the use of hardware-based\ncertificates.", "rationale": "", - "check": "Determine if manually managed application/service accounts exist. 
If none exist, this is NA.\n\n Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length.\n\n If such a policy does not exist or has not been implemented, this is a finding.", - "fix": "Establish a policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced." + "check": "Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement\nfor .p12 certificate files or Adobe PreFlight certificate files. Some\napplications create files with extensions of .p12 that are not certificate\ninstallation files. Removal of non-certificate installation files from systems\nis not required. These must be documented with the ISSO.", + "fix": "Remove any certificate installation files (*.p12 and *.pfx) found on a\nsystem.\n\n Note: This does not apply to server-based applications that have a\nrequirement for .p12 certificate files or Adobe PreFlight certificate files." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000078-GPOS-00046", - "gid": "V-93461", - "rid": "SV-103547r1_rule", - "stig_id": "WN19-00-000050", - "fix_id": "F-99705r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93221", + "rid": "SV-103309r2_rule", + "stig_id": "WN19-00-000240", + "fix_id": "F-101007r1_fix", "cci": [ - "CCI-000205" + "CCI-000366" ], "nist": [ - "IA-5 (1) (a)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93461\" do\n title \"Windows Server 2019 manually managed application account passwords must be at least #{input('minimum_password_length_manual')} characters in length.\"\n desc \"Application/service account passwords must be of sufficient length to prevent being easily cracked. 
Application/service accounts that are manually managed must have passwords at least #{input('minimum_password_length_manual')} characters in length.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Determine if manually managed application/service accounts exist. If none exist, this is NA.\n\n Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least #{input('minimum_password_length_manual')} characters in length.\n\n If such a policy does not exist or has not been implemented, this is a finding.\"\n desc \"fix\", \"Establish a policy that requires application/service account passwords that are manually managed to be at least #{input('minimum_password_length_manual')} characters in length. Ensure the policy is enforced.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000078-GPOS-00046\"\n tag gid: \"V-93461\"\n tag rid: \"SV-103547r1_rule\"\n tag stig_id: \"WN19-00-000050\"\n tag fix_id: \"F-99705r1_fix\"\n tag cci: [\"CCI-000205\"]\n tag nist: [\"IA-5 (1) (a)\", \"Rev_4\"]\n\n mplm = input('minimum_password_length_manual')\n\n describe 'Please Check all Accounts that are used for Services or Applications to validate they meet the Password Length Policy, Control is a Manual Check' do\n skip \"Determine if manually managed application/service accounts exist. If none exist, this is NA. 
Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least #{mplm} characters in length.\"\n end\nend\n", + "code": "control \"V-93221\" do\n title \"Windows Server 2019 must have software certificate installation files\nremoved.\"\n desc \"Use of software certificates and their accompanying installation files\nfor end users to access resources is less secure than the use of hardware-based\ncertificates.\"\n desc \"rationale\", \"\"\n desc 'check', \"Search all drives for *.p12 and *.pfx files.\n\n If any files with these extensions exist, this is a finding.\n\n This does not apply to server-based applications that have a requirement\nfor .p12 certificate files or Adobe PreFlight certificate files. Some\napplications create files with extensions of .p12 that are not certificate\ninstallation files. Removal of non-certificate installation files from systems\nis not required. These must be documented with the ISSO.\"\n desc 'fix', \"Remove any certificate installation files (*.p12 and *.pfx) found on a\nsystem.\n\n Note: This does not apply to server-based applications that have a\nrequirement for .p12 certificate files or Adobe PreFlight certificate files.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93221'\n tag 'rid': 'SV-103309r2_rule'\n tag 'stig_id': 'WN19-00-000240'\n tag 'fix_id': 'F-101007r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe command('where /R c: *.p12 *.pfx') do\n its('stdout') { should eq '' }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93461.rb", + "ref": "./Windows 2019 STIG/controls/V-93221.rb", "line": 3 }, - "id": "V-93461" + "id": "V-93221" }, { - "title": "Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.", - "desc": "This setting determines the period of time (in days) during which a user's 
Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.", + "title": "Windows Server 2019 must prevent attachments from being downloaded\nfrom RSS feeds.", + "desc": "Attachments from RSS feeds may not be secure. This setting will\nprevent attachments from being downloaded from RSS feeds.", "descriptions": { - "default": "This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.", + "default": "Attachments from RSS feeds may not be secure. This setting will\nprevent attachments from being downloaded from RSS feeds.", "rationale": "", - "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \"Maximum lifetime for user ticket renewal\" is greater than \"7\" days, this is a finding.", - "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Maximum lifetime for user ticket renewal\" to a maximum of \"7\" days or less." 
+ "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds\\\n\n Value Name: DisableEnclosureDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> RSS Feeds >> \"Prevent\ndownloading of enclosures\" to \"Enabled\"." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000112-GPOS-00057", - "satisfies": [ - "SRG-OS-000112-GPOS-00057", - "SRG-OS-000113-GPOS-00058" - ], - "gid": "V-93449", - "rid": "SV-103535r1_rule", - "stig_id": "WN19-DC-000050", - "fix_id": "F-99693r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93265", + "rid": "SV-103353r1_rule", + "stig_id": "WN19-CC-000390", + "fix_id": "F-99511r1_fix", "cci": [ - "CCI-001941", - "CCI-001942" + "CCI-000366" ], "nist": [ - "IA-2 (8)", - "IA-2 (9)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93449\" do\n title \"Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.\"\n desc \"This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n\n If the \\\"Maximum lifetime for user ticket renewal\\\" is greater than \\\"7\\\" days, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Maximum lifetime for user ticket renewal\\\" to a maximum of \\\"7\\\" days or less.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93449\"\n tag rid: \"SV-103535r1_rule\"\n tag stig_id: \"WN19-DC-000050\"\n tag fix_id: \"F-99693r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxRenewAge') { should be <= 7 }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93265\" do\n title \"Windows Server 2019 must prevent attachments from being downloaded\nfrom RSS feeds.\"\n desc \"Attachments from RSS feeds may not be secure. 
This setting will\nprevent attachments from being downloaded from RSS feeds.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Internet Explorer\\\\Feeds\\\\\n\n Value Name: DisableEnclosureDownload\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> RSS Feeds >> \\\"Prevent\ndownloading of enclosures\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93265'\n tag 'rid': 'SV-103353r1_rule'\n tag 'stig_id': 'WN19-CC-000390'\n tag 'fix_id': 'F-99511r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds') do\n it { should have_property 'DisableEnclosureDownload' }\n its('DisableEnclosureDownload') { should cmp 1 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93449.rb", + "ref": "./Windows 2019 STIG/controls/V-93265.rb", "line": 3 }, - "id": "V-93449" + "id": "V-93265" }, { - "title": "Windows Server 2019 must be configured to audit System - Other System\nEvents failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.", + "title": "Windows Server 2019 printing over HTTP must be turned off.", + "desc": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.", + "default": "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Other System Events - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit Other System Events\" with\n\"Failure\" selected." + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\\n\n Value Name: DisableHTTPPrinting\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", + "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> \"Turn off printing over HTTP\" to \"Enabled\"." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93111", - "rid": "SV-103199r1_rule", - "stig_id": "WN19-AU-000350", - "fix_id": "F-99357r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93405", + "rid": "SV-103491r1_rule", + "stig_id": "WN19-CC-000160", + "fix_id": "F-99649r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000381" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93111\" do\n title \"Windows Server 2019 must be configured to audit System - Other System\nEvents failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Other System Events records information related to cryptographic key\noperations and the Windows Firewall service.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n 
System >> Other System Events - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit Other System Events\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': \"SRG-OS-000327-GPOS-00127\"\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': \"V-93111\"\n tag 'rid': \"SV-103199r1_rule\"\n tag 'stig_id': \"WN19-AU-000350\"\n tag 'fix_id': \"F-99357r1_fix\"\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Other System Events') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Other System Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93405\" do\n title \"Windows Server 2019 printing over HTTP must be turned off.\"\n desc \"Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.\n\n This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\\n\n Value Name: DisableHTTPPrinting\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> \\\"Turn off printing over HTTP\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93405\"\n tag rid: \"SV-103491r1_rule\"\n tag stig_id: \"WN19-CC-000160\"\n tag fix_id: \"F-99649r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers') do\n it { should have_property 'DisableHTTPPrinting' }\n its('DisableHTTPPrinting') { should cmp == 1 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93111.rb", + "ref": "./Windows 2019 STIG/controls/V-93405.rb", "line": 3 }, - "id": "V-93111" + "id": "V-93405" }, { - "title": "Windows Server 2019 domain controllers must run on a machine dedicated to that function.", - "desc": "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. 
Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.", + "title": "Windows Server 2019 Security event log size must be configured to\n196608 KB or greater.", + "desc": "Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", "descriptions": { - "default": "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.", + "default": "Inadequate log size will cause the log to fill up quickly. 
This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", "rationale": "", - "check": "This applies to domain controllers, it is NA for other systems.\n\n Review the installed roles the domain controller is supporting.\n Start \"Server Manager\".\n Select \"AD DS\" in the left pane and the server name under \"Servers\" to the right.\n Select \"Add (or Remove) Roles and Features\" from \"Tasks\" in the \"Roles and Features\" section. (Cancel before any changes are made.)\n Determine if any additional server roles are installed. A basic domain controller setup will include the following:\n\n - Active Directory Domain Services\n - DNS Server\n - File and Storage Services\n\n If any roles not requiring installation on a domain controller are installed, this is a finding.\n A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.\n Run \"Programs and Features\".\n Review installed applications.\n If any applications are installed that are not required for the domain controller, this is a finding.", - "fix": "Remove additional roles or applications such as web, database, and email from the domain controller." 
+ "check": "If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00030000 (196608) (or greater)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >> Security\n>> \"Specify the maximum log file size (KB)\" to \"Enabled\" with a \"Maximum\nLog Size (KB)\" of \"196608\" or greater." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-93417", - "rid": "SV-103503r1_rule", - "stig_id": "WN19-DC-000130", - "fix_id": "F-99661r1_fix", + "gtitle": "SRG-OS-000341-GPOS-00132", + "gid": "V-93179", + "rid": "SV-103267r1_rule", + "stig_id": "WN19-CC-000280", + "fix_id": "F-99425r1_fix", "cci": [ - "CCI-000381" + "CCI-001849" ], "nist": [ - "CM-7 a", + "AU-4", "Rev_4" ] }, - "code": "control \"V-93417\" do\n title \"Windows Server 2019 domain controllers must run on a machine dedicated to that function.\"\n desc \"Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer.\n\n Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. 
In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers, it is NA for other systems.\n\n Review the installed roles the domain controller is supporting.\n Start \\\"Server Manager\\\".\n Select \\\"AD DS\\\" in the left pane and the server name under \\\"Servers\\\" to the right.\n Select \\\"Add (or Remove) Roles and Features\\\" from \\\"Tasks\\\" in the \\\"Roles and Features\\\" section. (Cancel before any changes are made.)\n Determine if any additional server roles are installed. A basic domain controller setup will include the following:\n\n - Active Directory Domain Services\n - DNS Server\n - File and Storage Services\n\n If any roles not requiring installation on a domain controller are installed, this is a finding.\n A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. 
However, the DNS server must comply with the DNS STIG security requirements.\n Run \\\"Programs and Features\\\".\n Review installed applications.\n If any applications are installed that are not required for the domain controller, this is a finding.\"\n desc \"fix\", \"Remove additional roles or applications such as web, database, and email from the domain controller.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93417\"\n tag rid: \"SV-103503r1_rule\"\n tag stig_id: \"WN19-DC-000130\"\n tag fix_id: \"F-99661r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n role_list = [\n \"Active Directory Domain Services\",\n \"DNS Server\",\n \"File and Storage Services\"\n ]\n roles = json(command: \"Get-WindowsFeature | Where {($_.installstate -eq 'installed') -and ($_.featuretype -eq 'role')} | foreach { $_.DisplayName } | ConvertTo-JSON\").params\n describe \"The list of roles installed on the server\" do\n subject { roles }\n it { should be_in role_list }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", + "code": "control \"V-93179\" do\n title \"Windows Server 2019 Security event log size must be configured to\n196608 KB or greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. 
This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Security\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00030000 (196608) (or greater)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >> Security\n>> \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum\nLog Size (KB)\\\" of \\\"196608\\\" or greater.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000341-GPOS-00132'\n tag 'gid': 'V-93179'\n tag 'rid': 'SV-103267r1_rule'\n tag 'stig_id': 'WN19-CC-000280'\n tag 'fix_id': 'F-99425r1_fix'\n tag 'cci': [\"CCI-001849\"]\n tag 'nist': [\"AU-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should cmp >= 196608 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93417.rb", + "ref": "./Windows 2019 STIG/controls/V-93179.rb", "line": 3 }, - "id": "V-93417" + "id": "V-93179" }, { - "title": "Windows Server 2019 users must be prompted to authenticate when the\nsystem wakes from sleep (plugged in).", - "desc": "A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. 
This setting ensures users are prompted for a\npassword when the system wakes from sleep (plugged in).", + "title": "Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).", + "desc": "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.", "descriptions": { - "default": "A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. This setting ensures users are prompted for a\npassword when the system wakes from sleep (plugged in).", + "default": "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\n\n Value Name: ACSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Power Management >> Sleep Settings >>\n\"Require a password when a computer wakes (plugged in)\" to \"Enabled\"." + "check": "This applies to domain controllers. 
It is NA for other systems.\n Review user account mappings to PKI certificates.\n Open \"Windows PowerShell\".\n Enter \"Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled\".\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.\n For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).\n Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization.\n\n NIPRNet Example:\n\n Name - User Principal Name\n User1 - 1234567890@mil\n\n See PKE documentation for other network domain suffixes.\n If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.", + "fix": "Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-93255", - "rid": "SV-103343r1_rule", - "stig_id": "WN19-CC-000190", - "fix_id": "F-99501r1_fix", + "gtitle": "SRG-OS-000066-GPOS-00034", + "gid": "V-93485", + "rid": "SV-103571r1_rule", + "stig_id": "WN19-DC-000300", + "fix_id": "F-99729r1_fix", "cci": [ - "CCI-000366" + "CCI-000185" ], "nist": [ - "CM-6 b", + "IA-5 (2) (a)", "Rev_4" ] }, - "code": "control \"V-93255\" do\n title \"Windows Server 2019 users must be prompted to authenticate when the\nsystem wakes from sleep (plugged in).\"\n desc \"A system that does not require authentication when resuming from sleep\nmay provide access to unauthorized users. Authentication must always be\nrequired when accessing a system. 
This setting ensures users are prompted for a\npassword when the system wakes from sleep (plugged in).\"\n desc \"rationale\", \"\"\n desc 'check', \"If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Power\\\\PowerSettings\\\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\\\\\n\n Value Name: ACSettingIndex\n\n Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> System >> Power Management >> Sleep Settings >>\n\\\"Require a password when a computer wakes (plugged in)\\\" to \\\"Enabled\\\".\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93255'\n tag 'rid': 'SV-103343r1_rule'\n tag 'stig_id': 'WN19-CC-000190'\n tag 'fix_id': 'F-99501r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n if sys_info.manufacturer == 'VMware, Inc.'\n impact 0.0\n describe 'This is a Virtual Machine; This Control is NA.' do\n skip 'This is a Virtual Machine; This Control is NA.'\n end\n else\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51') do\n it { should have_property 'ACSettingIndex' }\n its('ACSettingIndex') { should cmp 1 }\n end\n end\nend\n", + "code": "control \"V-93485\" do\n title \"Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).\"\n desc \"A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. 
It is NA for other systems.\n Review user account mappings to PKI certificates.\n Open \\\"Windows PowerShell\\\".\n Enter \\\"Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled\\\".\n Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.\n For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).\n Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization.\n\n NIPRNet Example:\n\n Name - User Principal Name\n User1 - 1234567890@mil\n\n See PKE documentation for other network domain suffixes.\n If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.\"\n desc \"fix\", \"Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. 
See PKE documentation for details.\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000066-GPOS-00034\"\n tag gid: \"V-93485\"\n tag rid: \"SV-103571r1_rule\"\n tag stig_id: \"WN19-DC-000300\"\n tag fix_id: \"F-99729r1_fix\"\n tag cci: [\"CCI-000185\"]\n tag nist: [\"IA-5 (2) (a)\", \"Rev_4\"]\n\n describe 'This control needs to be check manually' do\n skip 'Control not executed as this test is manual'\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93255.rb", + "ref": "./Windows 2019 STIG/controls/V-93485.rb", "line": 3 }, - "id": "V-93255" + "id": "V-93485" }, { - "title": "Windows Server 2019 must be configured to audit System - Security\nState Change successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\nstate, such as startup and shutdown of the system.", + "title": "Windows Server 2019 passwords must be configured to expire.", + "desc": "Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\nstate, such as startup and shutdown of the system.", + "default": "Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> Security State Change - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit Security State Change\" with\n\"Success\" selected." 
+ "check": "Review the password never expires status for enabled user accounts.\n Open \"PowerShell\".\n\n Domain Controllers:\n Enter \"Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled\".\n Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n If any enabled user accounts are returned with a \"PasswordNeverExpires\" status of \"True\", this is a finding.\n\n Member servers and standalone systems:\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \"PasswordExpires=False and LocalAccount=True\" | FT Name, PasswordExpires, Disabled, LocalAccount'.\n Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest).\n If any enabled user accounts are returned with a \"PasswordExpires\" status of \"False\", this is a finding.", + "fix": "Configure all enabled user account passwords to expire.\n Uncheck \"Password never expires\" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212" - ], - "gid": "V-93113", - "rid": "SV-103201r1_rule", - "stig_id": "WN19-AU-000360", - "fix_id": "F-99359r1_fix", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": "V-93475", + "rid": "SV-103561r1_rule", + "stig_id": "WN19-00-000210", + "fix_id": "F-99719r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-000199" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "IA-5 (1) (d)", "Rev_4" ] }, - "code": "control \"V-93113\" do\n title \"Windows Server 2019 must be configured to audit System - Security\nState Change successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Security State Change records events related to changes in the security\nstate, such as startup and shutdown of the system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a 
finding.\n\n System >> Security State Change - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit Security State Change\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93113'\n tag 'rid': 'SV-103201r1_rule'\n tag 'stig_id': 'WN19-AU-000360'\n tag 'fix_id': 'F-99359r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Security State Change') { should eq 'Success' }\n end\n describe audit_policy do\n its('Security State Change') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control 'V-93475' do\n title 'Windows Server 2019 passwords must be configured to expire.'\n desc 'Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.'\n desc 'rationale', ''\n desc 'check', \"Review the password never expires status for enabled user accounts.\n Open \\\"PowerShell\\\".\n\n Domain Controllers:\n Enter \\\"Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled\\\".\n Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.\n If any enabled user accounts are returned with a \\\"PasswordNeverExpires\\\" status of \\\"True\\\", this is a finding.\n\n Member servers and standalone systems:\n Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \\\"PasswordExpires=False and LocalAccount=True\\\" | FT Name, PasswordExpires, Disabled, LocalAccount'.\n Exclude application accounts and disabled accounts (e.g., 
DefaultAccount, Guest).\n If any enabled user accounts are returned with a \\\"PasswordExpires\\\" status of \\\"False\\\", this is a finding.\"\n desc 'fix', \"Configure all enabled user account passwords to expire.\n Uncheck \\\"Password never expires\\\" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO.\"\n impact 0.5\n tag severity: nil\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-93475'\n tag rid: 'SV-103561r1_rule'\n tag stig_id: 'WN19-00-000210'\n tag fix_id: 'F-99719r1_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)', 'Rev_4']\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n untracked_accounts = []\n\n if domain_role == '4' || domain_role == '5'\n ad_accounts = json({ command: \"Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object {$_.PasswordNeverExpires -eq 'True' -and $_.Enabled -eq 'True'} | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n\n application_accounts = input('application_accounts_domain')\n excluded_accounts = input('excluded_accounts_domain')\n\n unless ad_accounts.empty?\n ad_accounts = [ad_accounts] if ad_accounts.class == String\n untracked_accounts = ad_accounts - application_accounts - excluded_accounts\n end\n\n describe 'Untracked Accounts' do\n it 'No Enabled Domain Account should be set to have Password Never Expire' do\n failure_message = \"Users Accounts are set to Password Never Expire: #{untracked_accounts}\"\n expect(untracked_accounts).to be_empty, failure_message\n end\n end\n else\n local_accounts = json({ command: \"Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordExpires=False and LocalAccount=True and Disabled=False' | Select -ExpandProperty Name | ConvertTo-Json\" }).params\n\n application_accounts = input('application_accounts_local')\n\n excluded_accounts = 
input('excluded_accounts_local')\n\n unless local_accounts.empty?\n local_accounts = [local_accounts] if local_accounts.class == String\n untracked_accounts = local_accounts - application_accounts - excluded_accounts\n end\n\n describe 'Account or Accounts exists' do\n it 'Server should not have Accounts with Password Never Expire' do\n failure_message = \"User or Users have Password set to not expire: #{untracked_accounts}\"\n expect(untracked_accounts).to be_empty, failure_message\n end\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93113.rb", + "ref": "./Windows 2019 STIG/controls/V-93475.rb", "line": 3 }, - "id": "V-93113" + "id": "V-93475" }, { - "title": "Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.", - "desc": "Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.", + "title": "Windows Server 2019 must have the roles and features required by the system documented.", + "desc": "Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation.", "descriptions": { - "default": "Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.", + "default": "Unnecessary roles and features increase the attack surface of a system. 
Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation.", "rationale": "", - "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> \"MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers\" to \"Enabled\".\n This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. \"MSS-Legacy.admx\" and \"MSS-Legacy.adml\" must be copied to the \\Windows\\PolicyDefinitions and \\Windows\\PolicyDefinitions\\en-US directories respectively." + "check": "Required roles and features will vary based on the function of the individual system.\n\n Roles and features specifically required to be disabled per the STIG are identified in separate requirements.\n If the organization has not documented the roles and features required for the system(s), this is a finding.\n The PowerShell command \"Get-WindowsFeature\" will list all roles and features with an \"Install State\".", + "fix": "Document the roles and features required for the system to operate. Uninstall any that are not required." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000420-GPOS-00186", - "gid": "V-93541", - "rid": "SV-103627r1_rule", - "stig_id": "WN19-CC-000060", - "fix_id": "F-99785r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93381", + "rid": "SV-103467r1_rule", + "stig_id": "WN19-00-000270", + "fix_id": "F-99625r1_fix", "cci": [ - "CCI-002385" + "CCI-000381" ], "nist": [ - "SC-5", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93541\" do\n title \"Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.\"\n desc \"Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters\\\\\n\n Value Name: NoNameReleaseOnDemand\n\n Value Type: REG_DWORD\n Value: 0x00000001 (1)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> \\\"MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers\\\" to \\\"Enabled\\\".\n This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. 
\\\"MSS-Legacy.admx\\\" and \\\"MSS-Legacy.adml\\\" must be copied to the \\\\Windows\\\\PolicyDefinitions and \\\\Windows\\\\PolicyDefinitions\\\\en-US directories respectively.\"\n impact 0.3\n tag severity: nil\n tag gtitle: \"SRG-OS-000420-GPOS-00186\"\n tag gid: \"V-93541\"\n tag rid: \"SV-103627r1_rule\"\n tag stig_id: \"WN19-CC-000060\"\n tag fix_id: \"F-99785r1_fix\"\n tag cci: [\"CCI-002385\"]\n tag nist: [\"SC-5\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\Netbt\\\\Parameters') do\n it { should have_property 'NoNameReleaseOnDemand' }\n its('NoNameReleaseOnDemand') { should cmp == 1 }\n end\nend", + "code": "control \"V-93381\" do\n title \"Windows Server 2019 must have the roles and features required by the system documented.\"\n desc \"Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Required roles and features will vary based on the function of the individual system.\n\n Roles and features specifically required to be disabled per the STIG are identified in separate requirements.\n If the organization has not documented the roles and features required for the system(s), this is a finding.\n The PowerShell command \\\"Get-WindowsFeature\\\" will list all roles and features with an \\\"Install State\\\".\"\n desc \"fix\", \"Document the roles and features required for the system to operate. 
Uninstall any that are not required.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93381\"\n tag rid: \"SV-103467r1_rule\"\n tag stig_id: \"WN19-00-000270\"\n tag fix_id: \"F-99625r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe 'A manual review is required to verify that the roles and features required by the system are documented' do\n skip 'A manual review is required to verify that the roles and features required by the system are documented'\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93541.rb", + "ref": "./Windows 2019 STIG/controls/V-93381.rb", "line": 3 }, - "id": "V-93541" + "id": "V-93381" }, { - "title": "Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.", - "desc": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Create global objects\" user right can create objects that are available to all sessions, which could affect processes in otherusers' sessions.", + "title": "Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.", + "desc": "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. 
Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \"Create global objects\" user right can create objects that are available to all sessions, which could affect processes in otherusers' sessions.", + "default": "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \"Create global objects\" user right, this is a finding:\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \"SeCreateGlobalPrivilege\" user right, this is a finding:\n S-1-5-32-544 (Administrators)\n S-1-5-6 (Service)\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes 
(WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \"Create global objects\" to include only the following accounts or groups:\n - Administrators\n - Service\n - Local Service\n - Network Service" + "check": "This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \"Group Policy Management\".\n Navigate to \"Group Policy Objects\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \"Default Domain Policy\".\n Select \"Edit\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n If the value for \"Maximum lifetime for service ticket\" is \"0\" or greater than \"600\" minutes, this is a finding.", + "fix": "Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \"Maximum lifetime for service ticket\" to a maximum of \"600\" minutes, but not \"0\", which equates to \"Ticket doesn't expire\"." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93059", - "rid": "SV-103147r1_rule", - "stig_id": "WN19-UR-000070", - "fix_id": "F-99305r1_fix", + "gtitle": "SRG-OS-000112-GPOS-00057", + "satisfies": [ + "SRG-OS-000112-GPOS-00057", + "SRG-OS-000113-GPOS-00058" + ], + "gid": "V-93445", + "rid": "SV-103531r1_rule", + "stig_id": "WN19-DC-000030", + "fix_id": "F-99689r1_fix", "cci": [ - "CCI-002235" + "CCI-001941", + "CCI-001942" ], "nist": [ - "AC-6 (10)", + "IA-2 (8)", + "IA-2 (9)", "Rev_4" ] }, - "code": "control \"V-93059\" do\n title \"Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n Accounts with the \\\"Create global objects\\\" user right can create objects that are available to all sessions, which could affect processes in otherusers' sessions.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \\\"Create global objects\\\" user right, this is a finding:\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \\\"SeCreateGlobalPrivilege\\\" user right, this is a finding:\n S-1-5-32-544 (Administrators)\n S-1-5-6 (Service)\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n Vendor 
documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Create global objects\\\" to include only the following accounts or groups:\n - Administrators\n - Service\n - Local Service\n - Network Service\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93059'\n tag 'rid': 'SV-103147r1_rule'\n tag 'stig_id': 'WN19-UR-000070'\n tag 'fix_id': 'F-99305r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n active_global_privilege_users = security_policy.SeCreateGlobalPrivilege.entries\n allowed_global_privilege_users = input(\"allowed_global_privilege_users\")\n disallowed_global_privilege_users = input(\"disallowed_global_privilege_users\")\n unauthorized_users = []\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n active_global_privilege_users.each do |user|\n next if allowed_global_privilege_users.include?(user)\n unauthorized_users << user\n end\n disallowed_global_privilege_users.each do |user|\n unless disallowed_global_privilege_users == [nil] || unauthorized_users.include?(user)\n unauthorized_users << user\n end\n end\n describe \"Global Object Creation Privilege must be limited 
to\" do\n it \"Authorized SIDs: #{allowed_global_privilege_users}\" do\n failure_message = \"Unauthorized SIDs: #{unauthorized_users}\"\n expect(unauthorized_users).to be_empty, failure_message\n end\n end\n end\nend", + "code": "control \"V-93445\" do\n title \"Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.\"\n desc \"This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n\n Verify the following is configured in the Default Domain Policy:\n Open \\\"Group Policy Management\\\".\n Navigate to \\\"Group Policy Objects\\\" in the Domain being reviewed (Forest >> Domains >> Domain).\n Right-click on the \\\"Default Domain Policy\\\".\n Select \\\"Edit\\\".\n Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.\n If the value for \\\"Maximum lifetime for service ticket\\\" is \\\"0\\\" or greater than \\\"600\\\" minutes, this is a finding.\"\n desc \"fix\", \"Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> \\\"Maximum lifetime for service ticket\\\" to a maximum of \\\"600\\\" minutes, but not \\\"0\\\", which equates to \\\"Ticket doesn't expire\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000112-GPOS-00057\"\n tag satisfies: [\"SRG-OS-000112-GPOS-00057\", \"SRG-OS-000113-GPOS-00058\"]\n tag gid: \"V-93445\"\n tag rid: \"SV-103531r1_rule\"\n tag stig_id: \"WN19-DC-000030\"\n tag fix_id: 
\"F-99689r1_fix\"\n tag cci: [\"CCI-001941\", \"CCI-001942\"]\n tag nist: [\"IA-2 (8)\", \"IA-2 (9)\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe security_policy do\n its('MaxServiceAge') { should be_between(0,600) }\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is NA' do\n skip 'This system is not a domain controller, therefore this control is NA'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93059.rb", + "ref": "./Windows 2019 STIG/controls/V-93445.rb", "line": 3 }, - "id": "V-93059" + "id": "V-93445" }, { - "title": "Windows Server 2019 must be configured to audit Logon/Logoff - Account\nLockout successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\nattempts.", + "title": "Windows Server 2019 domain-joined systems must have a Trusted Platform\nModule (TPM) enabled and ready for use.", + "desc": "Credential Guard uses virtualization-based security to protect data\nthat could be used in credential theft attacks if compromised. A number of\nsystem requirements must be met in order for Credential Guard to be configured\nand enabled properly. 
Without a TPM enabled and ready for use, Credential Guard\nkeys are stored in a less secure method using software.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\nattempts.", + "default": "Credential Guard uses virtualization-based security to protect data\nthat could be used in credential theft attacks if compromised. A number of\nsystem requirements must be met in order for Credential Guard to be configured\nand enabled properly. Without a TPM enabled and ready for use, Credential Guard\nkeys are stored in a less secure method using software.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \"Audit Account Lockout\" with\n\"Success\" selected." 
+ "check": "For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support\nvirtualization-based security features, including Credential Guard, due to\nspecific supporting requirements including a TPM, UEFI with Secure Boot, and\nthe capability to run the Hyper-V feature within a virtual machine.\n\n Verify the system has a TPM and it is ready for use.\n\n Run \"tpm.msc\".\n\n Review the sections in the center pane.\n\n \"Status\" must indicate it has been configured with a message such as\n\"The TPM is ready for use\" or \"The TPM is on and ownership has been taken\".\n\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.", + "fix": "Ensure domain-joined systems have a TPM that is configured for use.\n(Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n\n Run \"tpm.msc\" for configuration options in Windows." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000240-GPOS-00090", - "satisfies": [ - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000470-GPOS-00214" - ], - "gid": "V-92987", - "rid": "SV-103075r1_rule", - "stig_id": "WN19-AU-000150", - "fix_id": "F-99233r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93213", + "rid": "SV-103301r1_rule", + "stig_id": "WN19-00-000090", + "fix_id": "F-99459r1_fix", "cci": [ - "CCI-000172", - "CCI-001404" + "CCI-000366" ], "nist": [ - "AU-12 c", - "AC-2 (4)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-92987\" do\n title \"Windows Server 2019 must be configured to audit Logon/Logoff - Account\nLockout successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Account Lockout events can be used to identify potentially malicious logon\nattempts.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Logon/Logoff >> Account Lockout - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Logon/Logoff >> \\\"Audit Account Lockout\\\" with\n\\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000240-GPOS-00090'\n tag 'satisfies': [\"SRG-OS-000240-GPOS-00090\", \"SRG-OS-000470-GPOS-00214\"]\n tag 'gid': 'V-92987'\n tag 'rid': 'SV-103075r1_rule'\n tag 'stig_id': 'WN19-AU-000150'\n tag 'fix_id': 'F-99233r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-001404\"]\n tag 'nist': [\"AU-12 c\", \"AC-2 (4)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Account Lockout') { should eq 'Success' }\n end\n describe audit_policy do\n its('Account Lockout') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93213\" do\n title \"Windows Server 2019 domain-joined systems must have a 
Trusted Platform\nModule (TPM) enabled and ready for use.\"\n desc \"Credential Guard uses virtualization-based security to protect data\nthat could be used in credential theft attacks if compromised. A number of\nsystem requirements must be met in order for Credential Guard to be configured\nand enabled properly. Without a TPM enabled and ready for use, Credential Guard\nkeys are stored in a less secure method using software.\"\n desc \"rationale\", \"\"\n desc 'check', \"For standalone systems, this is NA.\n\n Current hardware and virtual environments may not support\nvirtualization-based security features, including Credential Guard, due to\nspecific supporting requirements including a TPM, UEFI with Secure Boot, and\nthe capability to run the Hyper-V feature within a virtual machine.\n\n Verify the system has a TPM and it is ready for use.\n\n Run \\\"tpm.msc\\\".\n\n Review the sections in the center pane.\n\n \\\"Status\\\" must indicate it has been configured with a message such as\n\\\"The TPM is ready for use\\\" or \\\"The TPM is on and ownership has been taken\\\".\n\n TPM Manufacturer Information - Specific Version = 2.0 or 1.2\n\n If a TPM is not found or is not ready for use, this is a finding.\"\n desc 'fix', \"Ensure domain-joined systems have a TPM that is configured for use.\n(Versions 2.0 or 1.2 support Credential Guard.)\n\n The TPM must be enabled in the firmware.\n\n Run \\\"tpm.msc\\\" for configuration options in Windows.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93213'\n tag 'rid': 'SV-103301r1_rule'\n tag 'stig_id': 'WN19-00-000090'\n tag 'fix_id': 'F-99459r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip\n\n if sys_info.manufacturer == \"VMware, Inc.\"\n impact 0.0\n describe 'This System is NA for Control V-93213, This is a VMware Virtual Machine.' 
do\n skip 'This System is NA for Control V-93213, This is a VMware Virtual Machine.'\n end\n elsif is_domain == 'WORKGROUP'\n impact 0.0\n describe 'This system is not joined to a domain, therefore this control is Not Applicable' do\n skip 'This system is not joined to a domain, therefore this control is Not Applicable'\n end\n else\n tpm_ready = command('Get-Tpm | select -expand TpmReady').stdout.strip\n tpm_present = command('Get-Tpm | select -expand TpmPresent').stdout.strip\n describe 'Trusted Platform Module (TPM) TpmReady' do\n subject { tpm_ready }\n it { should eq 'True' }\n end\n describe 'Trusted Platform Module (TPM) TpmPresent' do\n subject { tpm_present }\n it { should eq 'True' }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92987.rb", + "ref": "./Windows 2019 STIG/controls/V-93213.rb", "line": 3 }, - "id": "V-92987" + "id": "V-93213" }, { - "title": "Windows Server 2019 Allow log on locally user right must only be\nassigned to the Administrators group.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on locally\" user right can log on\ninteractively to a system.", + "title": "Windows Server 2019 System event log size must be configured to 32768\nKB or greater.", + "desc": "Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \"Allow log on locally\" user right can log on\ninteractively to a system.", + "default": "Inadequate log size will cause the log to fill up quickly. 
This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \"Allow\nlog on locally\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeInteractiveLogonRight\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \"Allow log\non locally\" to include only the following accounts or groups:\n\n - Administrators" + "check": "If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)", + "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components 
>> Event Log Service >> System\n>> \"Specify the maximum log file size (KB)\" to \"Enabled\" with a \"Maximum\nLog Size (KB)\" of \"32768\" or greater." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-93017", - "rid": "SV-103105r1_rule", - "stig_id": "WN19-UR-000030", - "fix_id": "F-99263r1_fix", + "gtitle": "SRG-OS-000341-GPOS-00132", + "gid": "V-93181", + "rid": "SV-103269r1_rule", + "stig_id": "WN19-CC-000290", + "fix_id": "F-99427r1_fix", "cci": [ - "CCI-000213" + "CCI-001849" ], "nist": [ - "AC-3", + "AU-4", "Rev_4" ] }, - "code": "control \"V-93017\" do\n title \"Windows Server 2019 Allow log on locally user right must only be\nassigned to the Administrators group.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n Accounts with the \\\"Allow log on locally\\\" user right can log on\ninteractively to a system.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the \\\"Allow\nlog on locally\\\" user right, this is a finding:\n\n - Administrators\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeInteractiveLogonRight\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application 
account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Allow log\non locally\\\" to include only the following accounts or groups:\n\n - Administrators\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-93017'\n tag 'rid': 'SV-103105r1_rule'\n tag 'stig_id': 'WN19-UR-000030'\n tag 'fix_id': 'F-99263r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n describe security_policy do\n its('SeInteractiveLogonRight') { should eq ['S-1-5-32-544'] }\n end\nend\n", + "code": "control \"V-93181\" do\n title \"Windows Server 2019 System event log size must be configured to 32768\nKB or greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\System\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00008000 (32768) (or greater)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >> System\n>> \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum\nLog Size (KB)\\\" of \\\"32768\\\" or greater.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000341-GPOS-00132'\n tag 'gid': 'V-93181'\n tag 'rid': 'SV-103269r1_rule'\n tag 'stig_id': 'WN19-CC-000290'\n tag 'fix_id': 
'F-99427r1_fix'\n tag 'cci': [\"CCI-001849\"]\n tag 'nist': [\"AU-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should cmp >= 32768 }\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93017.rb", + "ref": "./Windows 2019 STIG/controls/V-93181.rb", "line": 3 }, - "id": "V-93017" + "id": "V-93181" }, { - "title": "Windows Server 2019 local volumes must use a format that supports NTFS\nattributes.", - "desc": "The ability to set access permissions and auditing is critical to\nmaintaining the security and proper access controls of a system. To support\nthis, volumes must be formatted using a file system that supports NTFS\nattributes.", + "title": "Windows Server 2019 administrative accounts must not be used with\napplications that access the Internet, such as web browsers, or with potential\nInternet sources, such as email.", + "desc": "Using applications that access the Internet or have potential Internet\nsources using administrative privileges exposes a system to compromise. If a\nflaw in an application is exploited while running as a privileged user, the\nentire system could be compromised. Web browsers and email are common attack\nvectors for introducing malicious code and must not be run with an\nadministrative account.\n\n Since administrative accounts may generally change or work around technical\nrestrictions for running a web browser or other applications, it is essential\nthat policy require administrative accounts to not access the Internet or use\napplications such as email.\n\n The policy should define specific exceptions for local service\nadministration. 
These exceptions may include HTTP(S)-based tools that are used\nfor the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.", "descriptions": { - "default": "The ability to set access permissions and auditing is critical to\nmaintaining the security and proper access controls of a system. To support\nthis, volumes must be formatted using a file system that supports NTFS\nattributes.", + "default": "Using applications that access the Internet or have potential Internet\nsources using administrative privileges exposes a system to compromise. If a\nflaw in an application is exploited while running as a privileged user, the\nentire system could be compromised. Web browsers and email are common attack\nvectors for introducing malicious code and must not be run with an\nadministrative account.\n\n Since administrative accounts may generally change or work around technical\nrestrictions for running a web browser or other applications, it is essential\nthat policy require administrative accounts to not access the Internet or use\napplications such as email.\n\n The policy should define specific exceptions for local service\nadministration. These exceptions may include HTTP(S)-based tools that are used\nfor the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.", "rationale": "", - "check": "Open \"Computer Management\".\n\n Select \"Disk Management\" under \"Storage\".\n\n For each local volume, if the file system does not indicate \"NTFS\", this\nis a finding.\n\n \"ReFS\" (resilient file system) is also acceptable and would not be a\nfinding.\n\n This does not apply to system partitions such the Recovery and EFI System\nPartition.", - "fix": "Format volumes to use NTFS or ReFS." 
+ "check": "Determine whether organization policy, at a minimum, prohibits\nadministrative accounts from using applications that access the Internet, such\nas web browsers, or with potential Internet sources, such as email, except as\nnecessary for local service administration.\n\n If it does not, this is a finding.\n\n The organization may use technical means such as whitelisting to prevent\nthe use of browsers and mail applications to enforce this requirement.", + "fix": "Establish a policy, at minimum, to prohibit administrative accounts from\nusing applications that access the Internet, such as web browsers, or with\npotential Internet sources, such as email. Ensure the policy is enforced.\n\n The organization may use technical means such as whitelisting to prevent\nthe use of browsers and mail applications to enforce this requirement." }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-92991", - "rid": "SV-103079r1_rule", - "stig_id": "WN19-00-000130", - "fix_id": "F-99237r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93205", + "rid": "SV-103293r1_rule", + "stig_id": "WN19-00-000030", + "fix_id": "F-99451r1_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-92991\" do\n title \"Windows Server 2019 local volumes must use a format that supports NTFS\nattributes.\"\n desc \"The ability to set access permissions and auditing is critical to\nmaintaining the security and proper access controls of a system. 
To support\nthis, volumes must be formatted using a file system that supports NTFS\nattributes.\"\n desc \"rationale\", \"\"\n desc 'check', \"Open \\\"Computer Management\\\".\n\n Select \\\"Disk Management\\\" under \\\"Storage\\\".\n\n For each local volume, if the file system does not indicate \\\"NTFS\\\", this\nis a finding.\n\n \\\"ReFS\\\" (resilient file system) is also acceptable and would not be a\nfinding.\n\n This does not apply to system partitions such the Recovery and EFI System\nPartition.\"\n desc 'fix', \"Format volumes to use NTFS or ReFS.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000080-GPOS-00048'\n tag 'gid': 'V-92991'\n tag 'rid': 'SV-103079r1_rule'\n tag 'stig_id': 'WN19-00-000130'\n tag 'fix_id': 'F-99237r1_fix'\n tag 'cci': [\"CCI-000213\"]\n tag 'nist': [\"AC-3\", \"Rev_4\"]\n\n get_volumes = command(\"wmic logicaldisk where DriveType=3 get FileSystem | findstr /r /v '^$' |Findstr /v 'FileSystem'\").stdout.strip.split(\"\\r\\n\")\n\n get_volumes.each do |volume|\n volumes = volume.strip\n describe.one do\n describe 'The format local volumes' do\n subject { volumes }\n it { should eq 'NTFS' }\n end\n describe 'The format local volumes' do\n subject { volumes }\n it { should eq 'ReFS' }\n end\n end\n end\n if get_volumes.empty?\n impact 0.0\n describe 'There are no local volumes' do\n skip 'This control is not applicable'\n end\n end\nend\n", + "code": "control \"V-93205\" do\n title \"Windows Server 2019 administrative accounts must not be used with\napplications that access the Internet, such as web browsers, or with potential\nInternet sources, such as email.\"\n desc \"Using applications that access the Internet or have potential Internet\nsources using administrative privileges exposes a system to compromise. If a\nflaw in an application is exploited while running as a privileged user, the\nentire system could be compromised. 
Web browsers and email are common attack\nvectors for introducing malicious code and must not be run with an\nadministrative account.\n\n Since administrative accounts may generally change or work around technical\nrestrictions for running a web browser or other applications, it is essential\nthat policy require administrative accounts to not access the Internet or use\napplications such as email.\n\n The policy should define specific exceptions for local service\nadministration. These exceptions may include HTTP(S)-based tools that are used\nfor the administration of the local system, services, or attached devices.\n\n Whitelisting can be used to enforce the policy to ensure compliance.\"\n desc \"rationale\", \"\"\n desc 'check', \"Determine whether organization policy, at a minimum, prohibits\nadministrative accounts from using applications that access the Internet, such\nas web browsers, or with potential Internet sources, such as email, except as\nnecessary for local service administration.\n\n If it does not, this is a finding.\n\n The organization may use technical means such as whitelisting to prevent\nthe use of browsers and mail applications to enforce this requirement.\"\n desc 'fix', \"Establish a policy, at minimum, to prohibit administrative accounts from\nusing applications that access the Internet, such as web browsers, or with\npotential Internet sources, such as email. 
Ensure the policy is enforced.\n\n The organization may use technical means such as whitelisting to prevent\nthe use of browsers and mail applications to enforce this requirement.\"\n impact 0.7\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000480-GPOS-00227'\n tag 'gid': 'V-93205'\n tag 'rid': 'SV-103293r1_rule'\n tag 'stig_id': 'WN19-00-000030'\n tag 'fix_id': 'F-99451r1_fix'\n tag 'cci': [\"CCI-000366\"]\n tag 'nist': [\"CM-6 b\", \"Rev_4\"]\n\n describe \"A manual review is required to verify that administrative accounts are not being used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email\" do\n skip \"A manual review is required to verify that administrative accounts are not being used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email\"\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-92991.rb", + "ref": "./Windows 2019 STIG/controls/V-93205.rb", "line": 3 }, - "id": "V-92991" + "id": "V-93205" }, { - "title": "Windows Server 2019 must be configured to audit System - System\nIntegrity failures.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.", + "title": "Windows Server 2019 must be configured to audit DS Access - Directory\nService Changes failures.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Failure", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \"Audit System Integrity\" with \"Failure\"\nselected." + "check": "This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Failure", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \"Directory Service Changes\" with\n\"Failure\" selected." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, "gtitle": "SRG-OS-000327-GPOS-00127", "satisfies": [ "SRG-OS-000327-GPOS-00127", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000471-GPOS-00216", - "SRG-OS-000477-GPOS-00222" + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212" ], - "gid": "V-93119", - "rid": "SV-103207r1_rule", - "stig_id": "WN19-AU-000390", - "fix_id": "F-99365r1_fix", + "gid": "V-93139", + "rid": "SV-103227r1_rule", + "stig_id": "WN19-DC-000270", + "fix_id": "F-99385r1_fix", "cci": [ "CCI-000172", "CCI-002234" 
@@ -10358,171 +10333,163 @@ "Rev_4" ] }, - "code": "control \"V-93119\" do\n title \"Windows Server 2019 must be configured to audit System - System\nIntegrity failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n System Integrity records events related to violations of integrity to the\nsecurity subsystem.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n System >> System Integrity - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Failure\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000471-GPOS-00215\",\n\"SRG-OS-000471-GPOS-00216\", \"SRG-OS-000477-GPOS-00222\"]\n tag 'gid': 'V-93119'\n tag 'rid': 'SV-103207r1_rule'\n tag 'stig_id': 'WN19-AU-000390'\n 
tag 'fix_id': 'F-99365r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('System Integrity') { should eq 'Failure' }\n end\n describe audit_policy do\n its('System Integrity') { should eq 'Success and Failure' }\n end\n end\n\nend\n", + "code": "control \"V-93139\" do\n title \"Windows Server 2019 must be configured to audit DS Access - Directory\nService Changes failures.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Audit Directory Service Changes records events related to changes made to\nobjects in Active Directory Domain Services.\"\n desc \"rationale\", \"\"\n desc 'check', \"This applies to domain controllers. 
It is NA for other systems.\n\n Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n DS Access >> Directory Service Changes - Failure\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> DS Access >> \\\"Directory Service Changes\\\" with\n\\\"Failure\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000458-GPOS-00203\",\n\"SRG-OS-000463-GPOS-00207\", \"SRG-OS-000468-GPOS-00212\"]\n tag 'gid': 'V-93139'\n tag 'rid': 'SV-103227r1_rule'\n tag 'stig_id': 'WN19-DC-000270'\n tag 'fix_id': 'F-99385r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n \n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n if domain_role == '4' || domain_role == '5'\n describe.one do\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Failure' }\n end\n describe audit_policy do\n its('Directory Service Changes') { should eq 'Success and Failure' }\n end\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this 
control is not applicable as it only applies to domain controllers'\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93119.rb", + "ref": "./Windows 2019 STIG/controls/V-93139.rb", "line": 3 }, - "id": "V-93119" + "id": "V-93139" }, { - "title": "Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.", - "desc": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n The \"Generate security audits\" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.", + "title": "Windows Server 2019 must prevent PKU2U authentication using online identities.", + "desc": "PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n The \"Generate security audits\" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.", + "default": "PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. 
Authentication will be centrally managed with Windows user accounts.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n Run \"gpedit.msc\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \"Generate security audits\" user right, this is a finding:\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \"SeAuditPrivilege\" user right, this is a finding:\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).", - "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \"Generate security audits\" to include only the following accounts or groups:\n - Local Service\n - Network Service" + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SYSTEM\\CurrentControlSet\\Control\\LSA\\pku2u\\\n\n Value Name: AllowOnlineID\n\n Type: REG_DWORD\n Value: 0x00000000 (0)", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Network security: Allow PKU2U authentication requests to this computer to use online identities\" 
to \"Disabled\"." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93069", - "rid": "SV-103157r1_rule", - "stig_id": "WN19-UR-000120", - "fix_id": "F-99315r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93299", + "rid": "SV-103387r1_rule", + "stig_id": "WN19-SO-000280", + "fix_id": "F-99545r1_fix", "cci": [ - "CCI-002235" + "CCI-000366" ], "nist": [ - "AC-6 (10)", + "CM-6 b", "Rev_4" ] }, - "code": "control \"V-93069\" do\n title \"Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.\"\n desc \"Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.\n The \\\"Generate security audits\\\" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n Run \\\"gpedit.msc\\\".\n Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.\n If any accounts or groups other than the following are granted the \\\"Generate security audits\\\" user right, this is a finding:\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n Review the text file.\n If any SIDs other than the following are granted the \\\"SeAuditPrivilege\\\" user right, this is a finding:\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n Vendor documentation must support the requirement for having the user right.\n The requirement must be documented with the ISSO.\n The application account must meet requirements for application account passwords, such 
as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> \\\"Generate security audits\\\" to include only the following accounts or groups:\n - Local Service\n - Network Service\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93069'\n tag 'rid': 'SV-103157r1_rule'\n tag 'stig_id': 'WN19-UR-000120'\n tag 'fix_id': 'F-99315r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n active_audit_privilege_users = security_policy.SeAuditPrivilege.entries\n allowed_audit_privilege_users = input(\"allowed_audit_privilege_users\")\n disallowed_audit_privilege_users = input(\"disallowed_audit_privilege_users\")\n unauthorized_users = []\n os_type = command('Test-Path \"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n active_audit_privilege_users.each do |user|\n next if allowed_audit_privilege_users.include?(user)\n unauthorized_users << user\n end\n disallowed_audit_privilege_users.each do |user|\n unless disallowed_audit_privilege_users == [nil] || unauthorized_users.include?(user)\n unauthorized_users << user\n end\n end\n describe \"Security Audit Generation Privilege must be limited to\" do\n it \"Authorized SIDs: #{allowed_audit_privilege_users}\" do\n failure_message = \"Unauthorized SIDs: #{unauthorized_users}\"\n expect(unauthorized_users).to be_empty, failure_message\n end\n end\n end\nend", + "code": "control \"V-93299\" do\n 
title \"Windows Server 2019 must prevent PKU2U authentication using online identities.\"\n desc \"PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA\\\\pku2u\\\\\n\n Value Name: AllowOnlineID\n\n Type: REG_DWORD\n Value: 0x00000000 (0)\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Network security: Allow PKU2U authentication requests to this computer to use online identities\\\" to \\\"Disabled\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93299\"\n tag rid: \"SV-103387r1_rule\"\n tag stig_id: \"WN19-SO-000280\"\n tag fix_id: \"F-99545r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\pku2u') do\n it { should have_property 'AllowOnlineID' }\n its('AllowOnlineID') { should cmp == 0 }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93069.rb", + "ref": "./Windows 2019 STIG/controls/V-93299.rb", "line": 3 }, - "id": "V-93069" + "id": "V-93299" }, { - "title": "Windows Server 2019 must be configured to audit Detailed Tracking -\nPlug and Play Events successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\nof external devices.", + "title": "Windows Server 2019 must not have the Peer Name Resolution Protocol installed.", + "desc": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\nof external devices.", + "default": "Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Plug and Play Events - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Advanced Audit Policy Configuration >> System Audit\nPolicies >> Detailed Tracking >> \"Audit PNP Activity\" with \"Success\"\nselected." + "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq PNRP\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", + "fix": "Uninstall the \"Peer Name Resolution Protocol\" feature.\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Peer Name Resolution Protocol\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000474-GPOS-00219", - "gid": "V-93157", - "rid": "SV-103245r1_rule", - "stig_id": "WN19-AU-000130", - "fix_id": "F-99403r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93385", + "rid": "SV-103471r1_rule", + "stig_id": "WN19-00-000340", + "fix_id": "F-99629r1_fix", "cci": [ - "CCI-000172" + "CCI-000381" ], "nist": [ - "AU-12 c", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93157\" do\n title \"Windows Server 2019 must be configured to audit Detailed Tracking -\nPlug and Play Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\nof external devices.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Plug and Play Events - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Advanced Audit Policy 
Configuration >> System Audit\nPolicies >> Detailed Tracking >> \\\"Audit PNP Activity\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000474-GPOS-00219'\n tag 'gid': 'V-93157'\n tag 'rid': 'SV-103245r1_rule'\n tag 'stig_id': 'WN19-AU-000130'\n tag 'fix_id': 'F-99403r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success and Failure/ }\n end\n end\nend\n", + "code": "control \"V-93385\" do\n title \"Windows Server 2019 must not have the Peer Name Resolution Protocol installed.\"\n desc \"Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq PNRP\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Peer Name Resolution Protocol\\\" feature.\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Peer Name Resolution Protocol\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93385\"\n tag rid: \"SV-103471r1_rule\"\n tag stig_id: \"WN19-00-000340\"\n tag fix_id: \"F-99629r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('PNRP') do\n it { should_not be_installed }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93157.rb", + "ref": "./Windows 2019 STIG/controls/V-93385.rb", "line": 3 }, - "id": "V-93157" + "id": "V-93385" }, { - "title": "Windows Server 2019 must be configured to audit Account Management -\nOther Account Management Events successes.", - "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\npassword hash or the Password Policy Checking API being called.", + "title": "Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.", + "desc": "Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.", "descriptions": { - "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\npassword hash or the Password Policy Checking API being called.", + "default": "Directory data that is not appropriately encrypted is subject to compromise. 
Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.", "rationale": "", - "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding:\n\n Account Management >> Other Account Management Events - Success", - "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \"Audit Other Account Management\nEvents\" with \"Success\" selected." + "check": "This applies to domain controllers. 
It is NA for other systems.\n Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted.\n\n Determine the classification level of the Windows domain controller.\n\n If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic.\n\n If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.", + "fix": "Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000327-GPOS-00127", - "satisfies": [ - "SRG-OS-000327-GPOS-00127", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000466-GPOS-00210" - ], - "gid": "V-93089", - "rid": "SV-103177r1_rule", - "stig_id": "WN19-AU-000090", - "fix_id": "F-99335r1_fix", + "gtitle": "SRG-OS-000396-GPOS-00176", + "gid": "V-93513", + "rid": "SV-103599r1_rule", + "stig_id": "WN19-DC-000140", + "fix_id": "F-99757r1_fix", "cci": [ - "CCI-000172", - "CCI-002234" + "CCI-002450" ], "nist": [ - "AU-12 c", - "AC-6 (9)", + "SC-13", "Rev_4" ] }, - "code": "control \"V-93089\" do\n title \"Windows Server 2019 must be configured to audit Account Management -\nOther Account Management Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Other Account Management Events records events such as the access of a\npassword hash or the Password Policy Checking API being called.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding:\n\n Account Management >> Other Account Management Events - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Security Settings >> Advanced Audit Policy Configuration >>\nSystem Audit Policies >> Account Management >> \\\"Audit Other Account Management\nEvents\\\" with \\\"Success\\\" selected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000327-GPOS-00127'\n tag 'satisfies': [\"SRG-OS-000327-GPOS-00127\", \"SRG-OS-000064-GPOS-00033\",\n\"SRG-OS-000462-GPOS-00206\", \"SRG-OS-000466-GPOS-00210\"]\n tag 'gid': 'V-93089'\n tag 'rid': 'SV-103177r1_rule'\n tag 'stig_id': 'WN19-AU-000090'\n tag 'fix_id': 'F-99335r1_fix'\n tag 'cci': [\"CCI-000172\", \"CCI-002234\"]\n tag 'nist': [\"AU-12 c\", \"AC-6 (9)\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Other Account Management Events') { should eq 'Success' }\n end\n describe audit_policy do\n 
its('Other Account Management Events') { should eq 'Success and Failure' }\n end\n end\nend\n", + "code": "control \"V-93513\" do\n title \"Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.\"\n desc \"Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This applies to domain controllers. It is NA for other systems.\n Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted.\n\n Determine the classification level of the Windows domain controller.\n\n If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic.\n\n If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.\"\n desc \"fix\", \"Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000396-GPOS-00176\"\n tag gid: \"V-93513\"\n tag rid: \"SV-103599r1_rule\"\n tag stig_id: \"WN19-DC-000140\"\n tag fix_id: \"F-99757r1_fix\"\n tag cci: [\"CCI-002450\"]\n tag nist: [\"SC-13\", 
\"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n describe \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data.\" do\n skip \"Separate, NSA-approved (Type 1) cryptography must be used to protect\n the directory data in transit for directory service implementations at a\n classified confidentiality level when replication data traverses a network\n cleared to a lower level than the data is a manual check\"\n end\n else\n impact 0.0\n describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do\n skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93089.rb", + "ref": "./Windows 2019 STIG/controls/V-93513.rb", "line": 3 }, - "id": "V-93089" + "id": "V-93513" }, { - "title": "Windows Server 2019 Security event log size must be configured to\n196608 KB or greater.", - "desc": "Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", + "title": "Windows Server 2019 must be configured to audit Detailed Tracking -\nPlug and Play Events successes.", + "desc": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\nof external devices.", "descriptions": { - "default": "Inadequate log size will cause the log to fill up quickly. This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.", + "default": "Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\nof external devices.", "rationale": "", - "check": "If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00030000 (196608) (or greater)", - "fix": "Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >> Security\n>> \"Specify the maximum log file size (KB)\" to \"Enabled\" with a \"Maximum\nLog Size (KB)\" of \"196608\" or greater." 
+ "check": "Security Option \"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\" must be set to\n\"Enabled\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \"AuditPol\" tool to review the current Audit Policy configuration:\n\n Open \"PowerShell\" or a \"Command Prompt\" with elevated privileges (\"Run\nas administrator\").\n\n Enter \"AuditPol /get /category:*\"\n\n Compare the \"AuditPol\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Plug and Play Events - Success", + "fix": "Configure the policy value for Computer Configuration >>\nWindows Settings >> Advanced Audit Policy Configuration >> System Audit\nPolicies >> Detailed Tracking >> \"Audit PNP Activity\" with \"Success\"\nselected." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-93179", - "rid": "SV-103267r1_rule", - "stig_id": "WN19-CC-000280", - "fix_id": "F-99425r1_fix", + "gtitle": "SRG-OS-000474-GPOS-00219", + "gid": "V-93157", + "rid": "SV-103245r1_rule", + "stig_id": "WN19-AU-000130", + "fix_id": "F-99403r1_fix", "cci": [ - "CCI-001849" + "CCI-000172" ], "nist": [ - "AU-4", + "AU-12 c", "Rev_4" ] }, - "code": "control \"V-93179\" do\n title \"Windows Server 2019 Security event log size must be configured to\n196608 KB or greater.\"\n desc \"Inadequate log size will cause the log to fill up quickly. 
This may\nprevent audit events from being recorded properly and require frequent\nattention by administrative personnel.\"\n desc \"rationale\", \"\"\n desc 'check', \"If the system is configured to write events directly to an audit server,\nthis is NA.\n\n If the following registry value does not exist or is not configured as\nspecified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path:\n\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\EventLog\\\\Security\\\\\n\n Value Name: MaxSize\n\n Type: REG_DWORD\n Value: 0x00030000 (196608) (or greater)\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nAdministrative Templates >> Windows Components >> Event Log Service >> Security\n>> \\\"Specify the maximum log file size (KB)\\\" to \\\"Enabled\\\" with a \\\"Maximum\nLog Size (KB)\\\" of \\\"196608\\\" or greater.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000341-GPOS-00132'\n tag 'gid': 'V-93179'\n tag 'rid': 'SV-103267r1_rule'\n tag 'stig_id': 'WN19-CC-000280'\n tag 'fix_id': 'F-99425r1_fix'\n tag 'cci': [\"CCI-001849\"]\n tag 'nist': [\"AU-4\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security') do\n it { should have_property 'MaxSize' }\n its('MaxSize') { should cmp >= 196608 }\n end\nend\n", + "code": "control \"V-93157\" do\n title \"Windows Server 2019 must be configured to audit Detailed Tracking -\nPlug and Play Events successes.\"\n desc \"Maintaining an audit trail of system activity logs can help identify\nconfiguration errors, troubleshoot service disruptions, and analyze compromises\nthat have occurred, as well as detect attacks. 
Audit logs are necessary to\nprovide a trail of evidence in case the system or network is compromised.\nCollecting this data is essential for analyzing the security of information\nassets and detecting signs of suspicious and unexpected behavior.\n\n Plug and Play activity records events related to the successful connection\nof external devices.\"\n desc \"rationale\", \"\"\n desc 'check', \"Security Option \\\"Audit: Force audit policy subcategory settings (Windows\nVista or later) to override audit policy category settings\\\" must be set to\n\\\"Enabled\\\" (WN19-SO-000050) for the detailed auditing subcategories to be\neffective.\n\n Use the \\\"AuditPol\\\" tool to review the current Audit Policy configuration:\n\n Open \\\"PowerShell\\\" or a \\\"Command Prompt\\\" with elevated privileges (\\\"Run\nas administrator\\\").\n\n Enter \\\"AuditPol /get /category:*\\\"\n\n Compare the \\\"AuditPol\\\" settings with the following:\n\n If the system does not audit the following, this is a finding.\n\n Detailed Tracking >> Plug and Play Events - Success\"\n desc 'fix', \"Configure the policy value for Computer Configuration >>\nWindows Settings >> Advanced Audit Policy Configuration >> System Audit\nPolicies >> Detailed Tracking >> \\\"Audit PNP Activity\\\" with \\\"Success\\\"\nselected.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000474-GPOS-00219'\n tag 'gid': 'V-93157'\n tag 'rid': 'SV-103245r1_rule'\n tag 'stig_id': 'WN19-AU-000130'\n tag 'fix_id': 'F-99403r1_fix'\n tag 'cci': [\"CCI-000172\"]\n tag 'nist': [\"AU-12 c\", \"Rev_4\"]\n\n describe.one do\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success' }\n end\n describe audit_policy do\n its('Plug and Play Events') { should eq 'Success and Failure' }\n end\n describe command(\"AuditPol /get /category:* | Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success/ }\n end\n describe command(\"AuditPol /get /category:* | 
Findstr /c:'Plug and Play Events'\") do\n its('stdout') { should match /Plug and Play Events Success and Failure/ }\n end\n end\nend\n", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93179.rb", + "ref": "./Windows 2019 STIG/controls/V-93157.rb", "line": 3 }, - "id": "V-93179" + "id": "V-93157" }, { - "title": "Windows Server 2019 must be running Credential Guard on domain-joined member servers.", - "desc": "Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.", + "title": "Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.", + "desc": "Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.", "descriptions": { - "default": "Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.", + "default": "Unattended systems are susceptible to unauthorized use and must be locked. 
Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.", "rationale": "", - "check": "For domain controllers and standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.\n\n Open \"PowerShell\" with elevated privileges (run as administrator).\n Enter the following:\n \"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard\"\n If \"SecurityServicesRunning\" does not include a value of \"1\" (e.g., \"{1, 2}\"), this is a finding.\n\n Alternately:\n Run \"System Information\".\n Under \"System Summary\", verify the following:\n If \"Device Guard Security Services Running\" does not list \"Credential Guard\", this is a finding.\n The policy settings referenced in the Fix section will configure the following registry value. 
However, due to hardware requirements, the registry value alone does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock)\n\n A Microsoft article on Credential Guard system requirement can be found at the following link:\n https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements", - "fix": "Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> \"Turn On Virtualization Based Security\" to \"Enabled\" with \"Enabled with UEFI lock\" selected for \"Credential Guard Configuration\".\n A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements" + "check": "If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n\n Value Name: scremoveoption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.", + "fix": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \"Interactive logon: Smart card removal behavior\" to \"Lock Workstation\" or \"Force Logoff\"." 
},
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": null,
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-93277",
- "rid": "SV-103365r1_rule",
- "stig_id": "WN19-MS-000140",
- "fix_id": "F-99523r1_fix",
+ "gid": "V-93287",
+ "rid": "SV-103375r1_rule",
+ "stig_id": "WN19-SO-000150",
+ "fix_id": "F-99533r1_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -10531,45 +10498,45 @@ "Rev_4" ] }, - "code": "control \"V-93277\" do\n title \"Windows Server 2019 must be running Credential Guard on domain-joined member servers.\"\n desc \"Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.\"\n desc \"rationale\", \"\"\n desc \"check\", \"For domain controllers and standalone systems, this is NA.\n\n Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.\n\n Open \\\"PowerShell\\\" with elevated privileges (run as administrator).\n Enter the following:\n \\\"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\"\n If \\\"SecurityServicesRunning\\\" does not include a value of \\\"1\\\" (e.g., \\\"{1, 2}\\\"), this is a finding.\n\n Alternately:\n Run \\\"System Information\\\".\n Under \\\"System Summary\\\", verify the following:\n If \\\"Device Guard Security Services Running\\\" does not list \\\"Credential Guard\\\", this is a finding.\n The policy settings referenced in the Fix section will configure the following registry value. 
However, due to hardware requirements, the registry value alone does not ensure proper function.\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\\n\n Value Name: LsaCfgFlags\n Value Type: REG_DWORD\n Value: 0x00000001 (1) (Enabled with UEFI lock)\n\n A Microsoft article on Credential Guard system requirement can be found at the following link:\n https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> \\\"Turn On Virtualization Based Security\\\" to \\\"Enabled\\\" with \\\"Enabled with UEFI lock\\\" selected for \\\"Credential Guard Configuration\\\".\n A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements\"\n impact 0.7\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93277\"\n tag rid: \"SV-103365r1_rule\"\n tag stig_id: \"WN19-MS-000140\"\n tag fix_id: \"F-99523r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n security_services = command('Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\\\Microsoft\\\\Windows\\\\DeviceGuard | Select -ExpandProperty \"SecurityServicesRunning\"').stdout.strip.split(\"\\r\\n\")\n\n if domain_role == '0' || domain_role == '2'\n impact 0.0\n describe 'This is NA for standalone systems' do\n skip 'This is NA for standalone systems'\n end\n elsif domain_role == '4' || domain_role == '5'\n impact 0.0\n describe 'This is NA for domain controllers' do\n skip 'This is NA for domain controllers'\n end\n else\n describe 
registry_key('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard') do\n it { should have_property 'LsaCfgFlags' }\n its('LsaCfgFlags') { should cmp 1 }\n end\n describe \"Security Services Running should include 1\" do\n subject { security_services }\n it { should include \"1\" }\n end\n end\nend", + "code": "control \"V-93287\" do\n title \"Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.\"\n desc \"Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.\"\n desc \"rationale\", \"\"\n desc \"check\", \"If the following registry value does not exist or is not configured as specified, this is a finding:\n\n Registry Hive: HKEY_LOCAL_MACHINE\n Registry Path: \\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\n\n Value Name: scremoveoption\n\n Value Type: REG_SZ\n Value: 1 (Lock Workstation) or 2 (Force Logoff)\n\n If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. 
This must be documented with the ISSO.\"\n desc \"fix\", \"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> \\\"Interactive logon: Smart card removal behavior\\\" to \\\"Lock Workstation\\\" or \\\"Force Logoff\\\".\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93287\"\n tag rid: \"SV-103375r1_rule\"\n tag stig_id: \"WN19-SO-000150\"\n tag fix_id: \"F-99533r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n describe registry_key('HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon') do\n it { should have_property 'scremoveoption' }\n its('scremoveoption') { should be_between(\"1\", \"2\") }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93277.rb", + "ref": "./Windows 2019 STIG/controls/V-93287.rb", "line": 3 }, - "id": "V-93277" + "id": "V-93287" }, { - "title": "Windows Server 2019 Impersonate a client after authentication user\nright must only be assigned to Administrators, Service, Local Service, and\nNetwork Service.", - "desc": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Impersonate a client after authentication\" user right allows a\nprogram to impersonate another user or account to run on their behalf. An\nattacker could use this to elevate privileges.", + "title": "Windows Server 2019 must not have Simple TCP/IP Services installed.", + "desc": "Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "descriptions": { - "default": "Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \"Impersonate a client after authentication\" user right allows a\nprogram to impersonate another user or account to run on their behalf. An\nattacker could use this to elevate privileges.", + "default": "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.", "rationale": "", - "check": "Verify the effective setting in Local Group Policy Editor.\n\n Run \"gpedit.msc\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\"Impersonate a client after authentication\" user right, this is a finding:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\path\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\"SeImpersonatePrivilege\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n S-1-5-6 (Service)\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).", - "fix": "Configure the policy value for Computer 
Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >>\n\"Impersonate a client after authentication\" to include only the following\naccounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service" + "check": "Open \"PowerShell\".\n\n Enter \"Get-WindowsFeature | Where Name -eq Simple-TCPIP\".\n If \"Installed State\" is \"Installed\", this is a finding.\n An Installed State of \"Available\" or \"Removed\" is not a finding.", + "fix": "Uninstall the \"Simple TCP/IP Services\" feature.\n\n Start \"Server Manager\".\n Select the server with the feature.\n Scroll down to \"ROLES AND FEATURES\" in the right pane.\n Select \"Remove Roles and Features\" from the drop-down \"TASKS\" list.\n Select the appropriate server on the \"Server Selection\" page and click \"Next\".\n Deselect \"Simple TCP/IP Services\" on the \"Features\" page.\n Click \"Next\" and \"Remove\" as prompted." }, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-93071", - "rid": "SV-103159r1_rule", - "stig_id": "WN19-UR-000130", - "fix_id": "F-99317r1_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-93387", + "rid": "SV-103473r1_rule", + "stig_id": "WN19-00-000350", + "fix_id": "F-99631r1_fix", "cci": [ - "CCI-002235" + "CCI-000381" ], "nist": [ - "AC-6 (10)", + "CM-7 a", "Rev_4" ] }, - "code": "control \"V-93071\" do\n title \"Windows Server 2019 Impersonate a client after authentication user\nright must only be assigned to Administrators, Service, Local Service, and\nNetwork Service.\"\n desc \"Inappropriate granting of user rights can provide system,\nadministrative, and other high-level capabilities.\n\n The \\\"Impersonate a client after authentication\\\" user right allows a\nprogram to impersonate another user or account to run on their behalf. 
An\nattacker could use this to elevate privileges.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the effective setting in Local Group Policy Editor.\n\n Run \\\"gpedit.msc\\\".\n\n Navigate to Local Computer Policy >> Computer Configuration >> Windows\nSettings >> Security Settings >> Local Policies >> User Rights Assignment.\n\n If any accounts or groups other than the following are granted the\n\\\"Impersonate a client after authentication\\\" user right, this is a finding:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\n\n For server core installations, run the following command:\n\n Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt\n\n Review the text file.\n\n If any SIDs other than the following are granted the\n\\\"SeImpersonatePrivilege\\\" user right, this is a finding:\n\n S-1-5-32-544 (Administrators)\n S-1-5-6 (Service)\n S-1-5-19 (Local Service)\n S-1-5-20 (Network Service)\n\n If an application requires this user right, this would not be a finding.\n\n Vendor documentation must support the requirement for having the user right.\n\n The requirement must be documented with the ISSO.\n\n The application account must meet requirements for application account\npasswords, such as length (WN19-00-000050) and required frequency of changes\n(WN19-00-000060).\"\n desc 'fix', \"Configure the policy value for Computer Configuration >> Windows Settings\n>> Security Settings >> Local Policies >> User Rights Assignment >>\n\\\"Impersonate a client after authentication\\\" to include only the following\naccounts or groups:\n\n - Administrators\n - Service\n - Local Service\n - Network Service\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000324-GPOS-00125'\n tag 'gid': 'V-93071'\n tag 'rid': 'SV-103159r1_rule'\n tag 'stig_id': 'WN19-UR-000130'\n tag 'fix_id': 'F-99317r1_fix'\n tag 'cci': [\"CCI-002235\"]\n tag 'nist': [\"AC-6 (10)\", \"Rev_4\"]\n\n os_type = command('Test-Path 
\"$env:windir\\explorer.exe\"').stdout.strip\n\n if os_type == 'False'\n describe 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt' do\n skip 'This system is a Server Core Installation, and a manual check will need to be performed with command Secedit /Export /Areas User_Rights /cfg c:\\\\path\\\\filename.txt'\n end\n else\n describe security_policy do\n its('SeImpersonatePrivilege') { should include \"S-1-5-32-544\" }\n end\n describe security_policy do\n its('SeImpersonatePrivilege') { should include \"S-1-5-6\" }\n end\n describe security_policy do\n its('SeImpersonatePrivilege') { should include \"S-1-5-19\" }\n end\n describe security_policy do\n its('SeImpersonatePrivilege') { should include \"S-1-5-20\" }\n end\n end\nend\n", + "code": "control \"V-93387\" do\n title \"Windows Server 2019 must not have Simple TCP/IP Services installed.\"\n desc \"Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Open \\\"PowerShell\\\".\n\n Enter \\\"Get-WindowsFeature | Where Name -eq Simple-TCPIP\\\".\n If \\\"Installed State\\\" is \\\"Installed\\\", this is a finding.\n An Installed State of \\\"Available\\\" or \\\"Removed\\\" is not a finding.\"\n desc \"fix\", \"Uninstall the \\\"Simple TCP/IP Services\\\" feature.\n\n Start \\\"Server Manager\\\".\n Select the server with the feature.\n Scroll down to \\\"ROLES AND FEATURES\\\" in the right pane.\n Select \\\"Remove Roles and Features\\\" from the drop-down \\\"TASKS\\\" list.\n Select the appropriate server on the \\\"Server Selection\\\" page and click \\\"Next\\\".\n Deselect \\\"Simple TCP/IP Services\\\" on the \\\"Features\\\" page.\n Click \\\"Next\\\" and \\\"Remove\\\" as prompted.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000095-GPOS-00049\"\n tag gid: \"V-93387\"\n tag rid: \"SV-103473r1_rule\"\n tag stig_id: \"WN19-00-000350\"\n tag fix_id: \"F-99631r1_fix\"\n tag cci: [\"CCI-000381\"]\n tag nist: [\"CM-7 a\", \"Rev_4\"]\n\n describe windows_feature('Simple-TCPIP') do\n it { should_not be_installed }\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93071.rb", + "ref": "./Windows 2019 STIG/controls/V-93387.rb", "line": 3 }, - "id": "V-93071" + "id": "V-93387" }, { "title": "Windows Server 2019 must be configured to audit Policy Change -\nAuthentication Policy Change successes.", 
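Review bot: The V-93287 test on the new side compares the REG_SZ `scremoveoption` value lexically with `should be_between("1", "2")`, so any string that sorts between "1" and "2" (e.g. "10" or "1a") would pass even though the STIG accepts only 1 (Lock Workstation) or 2 (Force Logoff); `its('scremoveoption') { should match(/^[12]$/) }` pins the accepted values exactly. In V-93387, `windows_feature('Simple-TCPIP')` uses the Server Manager feature name from the check text, but depending on the InSpec version the resource's default lookup may not go through Get-WindowsFeature, in which case the name may not resolve and the control could report "not installed" without actually checking the feature; passing `method: :powershell` would match the check text, please confirm against the InSpec version in use. Neither automated test can express the ISSO-documented exception the smart-card check text allows, which is acceptable for automation but worth noting in the control so a manual reviewer does not treat a failure as final. Separately, every control in this hunk carries `"ref": "./Windows 2019 STIG/controls/..."` and WN19 STIG IDs; if this JSON is meant to be the Ubuntu baseline its path suggests, the wrong profile appears to have been exported into it and this reorder is shuffling content that should not be here at all.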
@@ -10613,907 +10580,940 @@ "id": "V-93097" }, { - "title": "Windows Server 2019 must, at a minimum, off-load audit records of\ninterconnected systems in real time and off-load standalone systems weekly.", - "desc": "Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.", + "title": "Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.", + "desc": "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.\n Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every \"30\" days by default.", "descriptions": { - "default": "Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.", + "default": "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.\n Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. 
LAPS will change the password every \"30\" days by default.", "rationale": "", - "check": "Verify the audit records, at a minimum, are off-loaded for interconnected\nsystems in real time and off-loaded for standalone systems weekly.\n\n If they are not, this is a finding.", - "fix": "Configure the system to, at a minimum, off-load audit records\nof interconnected systems in real time and off-load standalone systems weekly." + "check": "Review the password last set date for the built-in Administrator account.\n\n Domain controllers:\n Open \"PowerShell\".\n Enter \"Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like \"*-500\" | Ft Name, SID, PasswordLastSet\".\n If the \"PasswordLastSet\" date is greater than \"60\" days old, this is a finding.\n\n Member servers and standalone systems:\n Open \"Command Prompt\".\n Enter 'Net User [account name] | Find /i \"Password Last Set\"', where [account name] is the name of the built-in administrator account.\n (The name of the built-in Administrator account must be changed to something other than \"Administrator\" per STIG requirements.)\n If the \"PasswordLastSet\" date is greater than \"60\" days old, this is a finding.", + "fix": "Change the built-in Administrator account password at least every \"60\" days.\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this." 
}, "impact": 0.5, "refs": [], "tags": { "severity": null, - "gtitle": "SRG-OS-000479-GPOS-00224", - "gid": "V-93185", - "rid": "SV-103273r1_rule", - "stig_id": "WN19-AU-000020", - "fix_id": "F-99431r1_fix", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": "V-93473", + "rid": "SV-103559r1_rule", + "stig_id": "WN19-00-000020", + "fix_id": "F-99717r1_fix", "cci": [ - "CCI-001851" + "CCI-000199" ], "nist": [ - "AU-4 (1)", + "IA-5 (1) (d)", "Rev_4" ] }, - "code": "control \"V-93185\" do\n title \"Windows Server 2019 must, at a minimum, off-load audit records of\ninterconnected systems in real time and off-load standalone systems weekly.\"\n desc \"Protection of log data includes assuring the log data is not\naccidentally lost or deleted. Audit information stored in one location is\nvulnerable to accidental or incidental deletion or alteration.\"\n desc \"rationale\", \"\"\n desc 'check', \"Verify the audit records, at a minimum, are off-loaded for interconnected\nsystems in real time and off-loaded for standalone systems weekly.\n\n If they are not, this is a finding.\"\n desc 'fix', \"Configure the system to, at a minimum, off-load audit records\nof interconnected systems in real time and off-load standalone systems weekly.\"\n impact 0.5\n tag 'severity': nil\n tag 'gtitle': 'SRG-OS-000479-GPOS-00224'\n tag 'gid': 'V-93185'\n tag 'rid': 'SV-103273r1_rule'\n tag 'stig_id': 'WN19-AU-000020'\n tag 'fix_id': 'F-99431r1_fix'\n tag 'cci': [\"CCI-001851\"]\n tag 'nist': [\"AU-4 (1)\", \"Rev_4\"]\n\n describe \"A manual review is required to verify the operating system is, at a minimum, off-loading audit records of interconnected systems in real time and off-loading standalone systems weekly\" do\n skip \"A manual review is required to verify the operating system is, at a minimum, off-loading audit records of interconnected systems in real time and off-loading standalone systems weekly\"\n end\nend\n", + "code": "control \"V-93473\" do\n title \"Windows Server 2019 passwords 
for the built-in Administrator account must be changed at least every 60 days.\"\n desc \"The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.\n Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every \\\"30\\\" days by default.\"\n desc \"rationale\", \"\"\n desc \"check\", \"Review the password last set date for the built-in Administrator account.\n\n Domain controllers:\n Open \\\"PowerShell\\\".\n Enter \\\"Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like \\\"*-500\\\" | Ft Name, SID, PasswordLastSet\\\".\n If the \\\"PasswordLastSet\\\" date is greater than \\\"60\\\" days old, this is a finding.\n\n Member servers and standalone systems:\n Open \\\"Command Prompt\\\".\n Enter 'Net User [account name] | Find /i \\\"Password Last Set\\\"', where [account name] is the name of the built-in administrator account.\n (The name of the built-in Administrator account must be changed to something other than \\\"Administrator\\\" per STIG requirements.)\n If the \\\"PasswordLastSet\\\" date is greater than \\\"60\\\" days old, this is a finding.\"\n desc \"fix\", \"Change the built-in Administrator account password at least every \\\"60\\\" days.\n Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000076-GPOS-00044\"\n tag gid: \"V-93473\"\n tag rid: \"SV-103559r1_rule\"\n tag stig_id: \"WN19-00-000020\"\n tag fix_id: \"F-99717r1_fix\"\n tag cci: [\"CCI-000199\"]\n tag nist: [\"IA-5 (1) (d)\", 
\"Rev_4\"]\n\n administrator = input('local_administrator')\n domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip\n\n if domain_role == '4' || domain_role == '5'\n password_set_date = json({ command: \"Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where-Object {$_.SID -like '*-500' -and $_.PasswordLastSet -lt ((Get-Date).AddDays(-60))} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\" })\n date = password_set_date[\"DateTime\"]\n describe \"Password Last Set Date\" do\n it \"The built-in Administrator account must be changed at least every 60 days.\" do\n expect(date).to be_nil\n end\n end\n else\n if administrator == \"Administrator\"\n describe 'The name of the built-in Administrator account:' do\n it 'It must be changed to something other than \"Administrator\" per STIG requirements' do\n failure_message = \"Change the built-in Administrator account name to something other than: #{administrator}\"\n expect(administrator).not_to eq(\"Administrator\"), failure_message\n end\n end\n end\n local_password_set_date = json({ command: \"Get-LocalUser -name #{administrator} | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-60)} | Select-Object -ExpandProperty PasswordLastSet | ConvertTo-Json\"})\n local_date = local_password_set_date[\"DateTime\"]\n describe \"Password Last Set Date\" do\n it \"The built-in Administrator account must be changed at least every 60 days.\" do\n expect(local_date).to be_nil\n end\n end\n end\nend", "source_location": { - "ref": "./Windows 2019 STIG/controls/V-93185.rb", + "ref": "./Windows 2019 STIG/controls/V-93473.rb", "line": 3 }, - "id": "V-93185" + "id": "V-93473" + }, + { + "title": "Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.", + "desc": "Exploit protection enables mitigations against potential threats at the system and application level. 
Several mitigations, including \"Data Execution Prevention (DEP)\", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. If this is turned off, Windows may be subject to various exploits.", + "descriptions": { + "default": "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Data Execution Prevention (DEP)\", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. If this is turned off, Windows may be subject to various exploits.", + "rationale": "", + "check": "This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".\n Run \"Windows PowerShell\" with elevated privileges (run as administrator).\n Enter \"Get-ProcessMitigation -System\".\n If the status of \"DEP: Enable\" is \"OFF\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)", + "fix": "Ensure Exploit Protection system-level mitigation, \"Data Execution Prevention (DEP)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.\n\n Open \"Windows Defender Security Center\".\n Select \"App & browser control\".\n Select \"Exploit protection settings\".\n Under \"System settings\", configure \"Data Execution Prevention (DEP)\" to \"On by default\" or \"Use default ()\".\n\n The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn DEP on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": null, + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-93313", + "rid": "SV-103401r1_rule", + "stig_id": "WN19-EP-000010", + "fix_id": "F-99559r1_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b", + "Rev_4" + ] + }, + "code": "control \"V-93313\" do\n title \"Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.\"\n desc \"Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \\\"Data Execution Prevention (DEP)\\\", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. If this is turned off, Windows may be subject to various exploits.\"\n desc \"rationale\", \"\"\n desc \"check\", \"This is applicable to unclassified systems, for other systems this is NA.\n\n The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement. 
The PowerShell query results for this show as \\\"NOTSET\\\".\n Run \\\"Windows PowerShell\\\" with elevated privileges (run as administrator).\n Enter \\\"Get-ProcessMitigation -System\\\".\n If the status of \\\"DEP: Enable\\\" is \\\"OFF\\\", this is a finding.\n\n Values that would not be a finding include:\n ON\n NOTSET (Default configuration)\"\n desc \"fix\", \"Ensure Exploit Protection system-level mitigation, \\\"Data Execution Prevention (DEP)\\\", is turned on. The default configuration in Exploit Protection is \\\"On by default\\\" which meets this requirement.\n\n Open \\\"Windows Defender Security Center\\\".\n Select \\\"App & browser control\\\".\n Select \\\"Exploit protection settings\\\".\n Under \\\"System settings\\\", configure \\\"Data Execution Prevention (DEP)\\\" to \\\"On by default\\\" or \\\"Use default ()\\\".\n\n The STIG package includes a DoD EP XML file in the \\\"Supporting Files\\\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn DEP on (other system level EP requirements can be combined under ):\n\n \n \n \n\n The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \\\"Use a common set of exploit protection settings\\\" configured to \\\"Enabled\\\" with file name and location defined under \\\"Options:\\\". 
It is recommended the file be in a read-only network location.\"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000480-GPOS-00227\"\n tag gid: \"V-93313\"\n tag rid: \"SV-103401r1_rule\"\n tag stig_id: \"WN19-EP-000010\"\n tag fix_id: \"F-99559r1_fix\"\n tag cci: [\"CCI-000366\"]\n tag nist: [\"CM-6 b\", \"Rev_4\"]\n\n systemdep = json({ command: \"Get-ProcessMitigation -System | ConvertTo-Json\" }).params\n\n if input('sensitive_system') == true || nil\n impact 0.0\n describe 'This Control is Not Applicable to sensitive systems.' do\n skip 'This Control is Not Applicable to sensitive systems.'\n end\n elsif systemdep.empty?\n describe \"Exploit Protection: the following mitigation\" do\n it \"must be set to 'ON' for the System\" do\n failure_message = \"Exploit Protection is not set\"\n expect(systemdep).not_to be_empty, failure_message\n end\n end\n else\n describe \"Exploit Protection: the following mitigation must be set to 'ON' for the System\" do\n subject { systemdep }\n its(['Dep','Enable']) { should be_between(0,1) }\n end\n end\nend", + "source_location": { + "ref": "./Windows 2019 STIG/controls/V-93313.rb", + "line": 3 + }, + "id": "V-93313" } ], "groups": [ { "title": null, "controls": [ - "V-93445" + "V-93159" ], - "id": "controls/V-93445.rb" + "id": "controls/V-93159.rb" }, { "title": null, "controls": [ - "V-93191" + "V-93415" ], - "id": "controls/V-93191.rb" + "id": "controls/V-93415.rb" }, { "title": null, "controls": [ - "V-93013" + "V-93043" ], - "id": "controls/V-93013.rb" + "id": "controls/V-93043.rb" }, { "title": null, "controls": [ - "V-93537" + "V-93365" ], - "id": "controls/V-93537.rb" + "id": "controls/V-93365.rb" }, { "title": null, "controls": [ - "V-93235" + "V-93275" ], - "id": "controls/V-93235.rb" + "id": "controls/V-93275.rb" }, { "title": null, "controls": [ - "V-93435" + "V-93337" ], - "id": "controls/V-93435.rb" + "id": "controls/V-93337.rb" }, { "title": null, "controls": [ - "V-93081" + "V-93295" ], - "id": 
"controls/V-93081.rb" + "id": "controls/V-93295.rb" }, { "title": null, "controls": [ - "V-93261" + "V-93397" ], - "id": "controls/V-93261.rb" + "id": "controls/V-93397.rb" }, { "title": null, "controls": [ - "V-93021" + "V-93323" ], - "id": "controls/V-93021.rb" + "id": "controls/V-93323.rb" }, { "title": null, "controls": [ - "V-92975" + "V-93117" ], - "id": "controls/V-92975.rb" + "id": "controls/V-93117.rb" }, { "title": null, "controls": [ - "V-93213" + "V-93391" ], - "id": "controls/V-93213.rb" + "id": "controls/V-93391.rb" }, { "title": null, "controls": [ - "V-93031" + "V-93169" ], - "id": "controls/V-93031.rb" + "id": "controls/V-93169.rb" }, { "title": null, "controls": [ - "V-93207" + "V-93151" ], - "id": "controls/V-93207.rb" + "id": "controls/V-93151.rb" }, { "title": null, "controls": [ - "V-93343" + "V-93025" ], - "id": "controls/V-93343.rb" + "id": "controls/V-93025.rb" }, { "title": null, "controls": [ - "V-92981" + "V-93559" ], - "id": "controls/V-92981.rb" + "id": "controls/V-93559.rb" }, { "title": null, "controls": [ - "V-93033" + "V-92995" ], - "id": "controls/V-93033.rb" + "id": "controls/V-92995.rb" }, { "title": null, "controls": [ - "V-93389" + "V-93411" ], - "id": "controls/V-93389.rb" + "id": "controls/V-93411.rb" }, { "title": null, "controls": [ - "V-93125" + "V-92987" ], - "id": "controls/V-93125.rb" + "id": "controls/V-92987.rb" }, { "title": null, "controls": [ - "V-92983" + "V-93055" ], - "id": "controls/V-92983.rb" + "id": "controls/V-93055.rb" }, { "title": null, "controls": [ - "V-93375" + "V-92969" ], - "id": "controls/V-93375.rb" + "id": "controls/V-92969.rb" }, { "title": null, "controls": [ - "V-93493" + "V-93105" ], - "id": "controls/V-93493.rb" + "id": "controls/V-93105.rb" }, { "title": null, "controls": [ - "V-93003" + "V-93431" ], - "id": "controls/V-93003.rb" + "id": "controls/V-93431.rb" }, { "title": null, "controls": [ - "V-93043" + "V-93093" ], - "id": "controls/V-93043.rb" + "id": "controls/V-93093.rb" }, { 
"title": null, "controls": [ - "V-93393" + "V-93351" ], - "id": "controls/V-93393.rb" + "id": "controls/V-93351.rb" }, { "title": null, "controls": [ - "V-93237" + "V-93521" ], - "id": "controls/V-93237.rb" + "id": "controls/V-93521.rb" }, { "title": null, "controls": [ - "V-93161" + "V-93537" ], - "id": "controls/V-93161.rb" + "id": "controls/V-93537.rb" }, { "title": null, "controls": [ - "V-93227" + "V-93533" ], - "id": "controls/V-93227.rb" + "id": "controls/V-93533.rb" }, { "title": null, "controls": [ - "V-93019" + "V-93499" ], - "id": "controls/V-93019.rb" + "id": "controls/V-93499.rb" }, { "title": null, "controls": [ - "V-93169" + "V-93357" ], - "id": "controls/V-93169.rb" + "id": "controls/V-93357.rb" }, { "title": null, "controls": [ - "V-93469" + "V-93307" ], - "id": "controls/V-93469.rb" + "id": "controls/V-93307.rb" }, { "title": null, "controls": [ - "V-93473" + "V-93353" ], - "id": "controls/V-93473.rb" + "id": "controls/V-93353.rb" }, { "title": null, "controls": [ - "V-93555" + "V-93375" ], - "id": "controls/V-93555.rb" + "id": "controls/V-93375.rb" }, { "title": null, "controls": [ - "V-93257" + "V-93167" ], - "id": "controls/V-93257.rb" + "id": "controls/V-93167.rb" }, { "title": null, "controls": [ - "V-93441" + "V-93087" ], - "id": "controls/V-93441.rb" + "id": "controls/V-93087.rb" }, { "title": null, "controls": [ - "V-93567" + "V-93345" ], - "id": "controls/V-93567.rb" + "id": "controls/V-93345.rb" }, { "title": null, "controls": [ - "V-93223" + "V-93481" ], - "id": "controls/V-93223.rb" + "id": "controls/V-93481.rb" }, { "title": null, "controls": [ - "V-92963" + "V-93527" ], - "id": "controls/V-92963.rb" + "id": "controls/V-93527.rb" }, { "title": null, "controls": [ - "V-93401" + "V-93267" ], - "id": "controls/V-93401.rb" + "id": "controls/V-93267.rb" }, { "title": null, "controls": [ - "V-93085" + "V-93553" ], - "id": "controls/V-93085.rb" + "id": "controls/V-93553.rb" }, { "title": null, "controls": [ - "V-93239" + "V-93291" ], - "id": 
"controls/V-93239.rb" + "id": "controls/V-93291.rb" }, { "title": null, "controls": [ - "V-93419" + "V-93153" ], - "id": "controls/V-93419.rb" + "id": "controls/V-93153.rb" }, { "title": null, "controls": [ - "V-93091" + "V-93065" ], - "id": "controls/V-93091.rb" + "id": "controls/V-93065.rb" }, { "title": null, "controls": [ - "V-93167" + "V-93339" ], - "id": "controls/V-93167.rb" + "id": "controls/V-93339.rb" }, { "title": null, "controls": [ - "V-93109" + "V-92983" ], - "id": "controls/V-93109.rb" + "id": "controls/V-92983.rb" }, { "title": null, "controls": [ - "V-93139" + "V-93419" ], - "id": "controls/V-93139.rb" + "id": "controls/V-93419.rb" }, { "title": null, "controls": [ - "V-93173" + "V-93111" ], - "id": "controls/V-93173.rb" + "id": "controls/V-93111.rb" }, { "title": null, "controls": [ - "V-93351" + "V-93471" ], - "id": "controls/V-93351.rb" + "id": "controls/V-93471.rb" }, { "title": null, "controls": [ - "V-92977" + "V-93031" ], - "id": "controls/V-92977.rb" + "id": "controls/V-93031.rb" }, { "title": null, "controls": [ - "V-93297" + "V-93301" ], - "id": "controls/V-93297.rb" + "id": "controls/V-93301.rb" }, { "title": null, "controls": [ - "V-93437" + "V-93237" ], - "id": "controls/V-93437.rb" + "id": "controls/V-93237.rb" }, { "title": null, "controls": [ - "V-93123" + "V-93007" ], - "id": "controls/V-93123.rb" + "id": "controls/V-93007.rb" }, { "title": null, "controls": [ - "V-93345" + "V-93011" ], - "id": "controls/V-93345.rb" + "id": "controls/V-93011.rb" }, { "title": null, "controls": [ - "V-92971" + "V-93325" ], - "id": "controls/V-92971.rb" + "id": "controls/V-93325.rb" }, { "title": null, "controls": [ - "V-93479" + "V-93049" ], - "id": "controls/V-93479.rb" + "id": "controls/V-93049.rb" }, { "title": null, "controls": [ - "V-93075" + "V-93463" ], - "id": "controls/V-93075.rb" + "id": "controls/V-93463.rb" }, { "title": null, "controls": [ - "V-93271" + "V-93171" ], - "id": "controls/V-93271.rb" + "id": "controls/V-93171.rb" }, { 
"title": null, "controls": [ - "V-93093" + "V-93095" ], - "id": "controls/V-93093.rb" + "id": "controls/V-93095.rb" }, { "title": null, "controls": [ - "V-93507" + "V-93195" ], - "id": "controls/V-93507.rb" + "id": "controls/V-93195.rb" }, { "title": null, "controls": [ - "V-93007" + "V-93013" ], - "id": "controls/V-93007.rb" + "id": "controls/V-93013.rb" }, { "title": null, "controls": [ - "V-93521" + "V-93373" ], - "id": "controls/V-93521.rb" + "id": "controls/V-93373.rb" }, { "title": null, "controls": [ - "V-93381" + "V-92991" ], - "id": "controls/V-93381.rb" + "id": "controls/V-92991.rb" }, { "title": null, "controls": [ - "V-93333" + "V-93241" ], - "id": "controls/V-93333.rb" + "id": "controls/V-93241.rb" }, { "title": null, "controls": [ - "V-93053" + "V-93263" ], - "id": "controls/V-93053.rb" + "id": "controls/V-93263.rb" }, { "title": null, "controls": [ - "V-93527" + "V-92989" ], - "id": "controls/V-93527.rb" + "id": "controls/V-92989.rb" }, { "title": null, "controls": [ - "V-93439" + "V-93363" ], - "id": "controls/V-93439.rb" + "id": "controls/V-93363.rb" }, { "title": null, "controls": [ - "V-93525" + "V-93187" ], - "id": "controls/V-93525.rb" + "id": "controls/V-93187.rb" }, { "title": null, "controls": [ - "V-93117" + "V-93557" ], - "id": "controls/V-93117.rb" + "id": "controls/V-93557.rb" }, { "title": null, "controls": [ - "V-93357" + "V-93185" ], - "id": "controls/V-93357.rb" + "id": "controls/V-93185.rb" }, { "title": null, "controls": [ - "V-93481" + "V-93417" ], - "id": "controls/V-93481.rb" + "id": "controls/V-93417.rb" }, { "title": null, "controls": [ - "V-93103" + "V-93503" ], - "id": "controls/V-93103.rb" + "id": "controls/V-93503.rb" }, { "title": null, "controls": [ - "V-93159" + "V-93253" ], - "id": "controls/V-93159.rb" + "id": "controls/V-93253.rb" }, { "title": null, "controls": [ - "V-93519" + "V-93245" ], - "id": "controls/V-93519.rb" + "id": "controls/V-93245.rb" }, { "title": null, "controls": [ - "V-93383" + "V-93413" ], - "id": 
"controls/V-93383.rb" + "id": "controls/V-93413.rb" }, { "title": null, "controls": [ - "V-93453" + "V-93029" ], - "id": "controls/V-93453.rb" + "id": "controls/V-93029.rb" }, { "title": null, "controls": [ - "V-93251" + "V-93033" ], - "id": "controls/V-93251.rb" + "id": "controls/V-93033.rb" }, { "title": null, "controls": [ - "V-93305" + "V-93507" ], - "id": "controls/V-93305.rb" + "id": "controls/V-93507.rb" }, { "title": null, "controls": [ - "V-93513" + "V-93407" ], - "id": "controls/V-93513.rb" + "id": "controls/V-93407.rb" }, { "title": null, "controls": [ - "V-93273" + "V-93409" ], - "id": "controls/V-93273.rb" + "id": "controls/V-93409.rb" }, { "title": null, "controls": [ - "V-93359" + "V-93081" ], - "id": "controls/V-93359.rb" + "id": "controls/V-93081.rb" }, { "title": null, "controls": [ - "V-93501" + "V-93135" ], - "id": "controls/V-93501.rb" + "id": "controls/V-93135.rb" }, { "title": null, "controls": [ - "V-93187" + "V-93571" ], - "id": "controls/V-93187.rb" + "id": "controls/V-93571.rb" }, { "title": null, "controls": [ - "V-93337" + "V-93531" ], - "id": "controls/V-93337.rb" + "id": "controls/V-93531.rb" }, { "title": null, "controls": [ - "V-93543" + "V-93281" ], - "id": "controls/V-93543.rb" + "id": "controls/V-93281.rb" }, { "title": null, "controls": [ - "V-93497" + "V-93073" ], - "id": "controls/V-93497.rb" + "id": "controls/V-93073.rb" }, { "title": null, "controls": [ - "V-92999" + "V-93449" ], - "id": "controls/V-92999.rb" + "id": "controls/V-93449.rb" }, { "title": null, "controls": [ - "V-93303" + "V-93315" ], - "id": "controls/V-93303.rb" + "id": "controls/V-93315.rb" }, { "title": null, "controls": [ - "V-93001" + "V-93429" ], - "id": "controls/V-93001.rb" + "id": "controls/V-93429.rb" }, { "title": null, "controls": [ - "V-93175" + "V-93091" ], - "id": "controls/V-93175.rb" + "id": "controls/V-93091.rb" }, { "title": null, "controls": [ - "V-93483" + "V-93051" ], - "id": "controls/V-93483.rb" + "id": "controls/V-93051.rb" }, { 
"title": null, "controls": [ - "V-93373" + "V-93075" ], - "id": "controls/V-93373.rb" + "id": "controls/V-93075.rb" }, { "title": null, "controls": [ - "V-93403" + "V-93425" ], - "id": "controls/V-93403.rb" + "id": "controls/V-93425.rb" }, { "title": null, "controls": [ - "V-92995" + "V-93359" ], - "id": "controls/V-92995.rb" + "id": "controls/V-93359.rb" }, { "title": null, "controls": [ - "V-93063" + "V-93443" ], - "id": "controls/V-93063.rb" + "id": "controls/V-93443.rb" }, { "title": null, "controls": [ - "V-93391" + "V-93149" ], - "id": "controls/V-93391.rb" + "id": "controls/V-93149.rb" }, { "title": null, "controls": [ - "V-93233" + "V-93175" ], - "id": "controls/V-93233.rb" + "id": "controls/V-93175.rb" }, { "title": null, "controls": [ - "V-93423" + "V-93303" ], - "id": "controls/V-93423.rb" + "id": "controls/V-93303.rb" }, { "title": null, "controls": [ - "V-93051" + "V-92981" ], - "id": "controls/V-93051.rb" + "id": "controls/V-92981.rb" }, { "title": null, "controls": [ - "V-93489" + "V-93347" ], - "id": "controls/V-93489.rb" + "id": "controls/V-93347.rb" }, { "title": null, "controls": [ - "V-93465" + "V-93233" ], - "id": "controls/V-93465.rb" + "id": "controls/V-93233.rb" }, { "title": null, "controls": [ - "V-93551" + "V-93239" ], - "id": "controls/V-93551.rb" + "id": "controls/V-93239.rb" }, { "title": null, "controls": [ - "V-93137" + "V-93497" ], - "id": "controls/V-93137.rb" + "id": "controls/V-93497.rb" }, { "title": null, "controls": [ - "V-93269" + "V-92963" ], - "id": "controls/V-93269.rb" + "id": "controls/V-92963.rb" }, { "title": null, "controls": [ - "V-93509" + "V-93227" ], - "id": "controls/V-93509.rb" + "id": "controls/V-93227.rb" }, { "title": null, "controls": [ - "V-93245" + "V-92965" ], - "id": "controls/V-93245.rb" + "id": "controls/V-92965.rb" }, { "title": null, "controls": [ - "V-93131" + "V-93283" ], - "id": "controls/V-93131.rb" + "id": "controls/V-93283.rb" }, { "title": null, "controls": [ - "V-93279" + "V-93511" ], - "id": 
"controls/V-93279.rb" + "id": "controls/V-93511.rb" }, { "title": null, "controls": [ - "V-93225" + "V-93035" ], - "id": "controls/V-93225.rb" + "id": "controls/V-93035.rb" }, { "title": null, "controls": [ - "V-93511" + "V-93271" ], - "id": "controls/V-93511.rb" + "id": "controls/V-93271.rb" }, { "title": null, "controls": [ - "V-93287" + "V-92977" ], - "id": "controls/V-93287.rb" + "id": "controls/V-92977.rb" }, { "title": null, "controls": [ - "V-93485" + "V-93293" ], - "id": "controls/V-93485.rb" + "id": "controls/V-93293.rb" }, { "title": null, "controls": [ - "V-92961" + "V-93455" ], - "id": "controls/V-92961.rb" + "id": "controls/V-93455.rb" }, { "title": null, "controls": [ - "V-93415" + "V-93523" ], - "id": "controls/V-93415.rb" + "id": "controls/V-93523.rb" }, { "title": null, "controls": [ - "V-93291" + "V-93461" ], - "id": "controls/V-93291.rb" + "id": "controls/V-93461.rb" }, { "title": null, "controls": [ - "V-93379" + "V-93133" ], - "id": "controls/V-93379.rb" + "id": "controls/V-93133.rb" }, { "title": null, "controls": [ - "V-93193" + "V-93451" ], - "id": "controls/V-93193.rb" + "id": "controls/V-93451.rb" }, { "title": null, "controls": [ - "V-93535" + "V-93219" ], - "id": "controls/V-93535.rb" + "id": "controls/V-93219.rb" }, { "title": null, "controls": [ - "V-93301" + "V-93335" ], - "id": "controls/V-93301.rb" + "id": "controls/V-93335.rb" }, { "title": null, "controls": [ - "V-93431" + "V-93067" ], - "id": "controls/V-93431.rb" + "id": "controls/V-93067.rb" }, { "title": null, "controls": [ - "V-93495" + "V-93321" ], - "id": "controls/V-93495.rb" + "id": "controls/V-93321.rb" }, { "title": null, "controls": [ - "V-93365" + "V-93435" ], - "id": "controls/V-93365.rb" + "id": "controls/V-93435.rb" }, { "title": null, "controls": [ - "V-93547" + "V-93543" ], - "id": "controls/V-93547.rb" + "id": "controls/V-93543.rb" }, { "title": null, "controls": [ - "V-93327" + "V-93005" ], - "id": "controls/V-93327.rb" + "id": "controls/V-93005.rb" }, { 
"title": null, "controls": [ - "V-93315" + "V-93137" ], - "id": "controls/V-93315.rb" + "id": "controls/V-93137.rb" }, { "title": null, "controls": [ - "V-93199" + "V-93255" ], - "id": "controls/V-93199.rb" + "id": "controls/V-93255.rb" }, { "title": null, 
@@ -11525,1248 +11525,1248 @@ { "title": null, "controls": [ - "V-93029" + "V-93361" ], - "id": "controls/V-93029.rb" + "id": "controls/V-93361.rb" }, { "title": null, "controls": [ - "V-93457" + "V-93545" ], - "id": "controls/V-93457.rb" + "id": "controls/V-93545.rb" }, { "title": null, "controls": [ - "V-93411" + "V-93115" ], - "id": "controls/V-93411.rb" + "id": "controls/V-93115.rb" }, { "title": null, "controls": [ - "V-93151" + "V-93211" ], - "id": "controls/V-93151.rb" + "id": "controls/V-93211.rb" }, { "title": null, "controls": [ - "V-93529" + "V-93107" ], - "id": "controls/V-93529.rb" + "id": "controls/V-93107.rb" }, { "title": null, "controls": [ - "V-93035" + "V-93229" ], - "id": "controls/V-93035.rb" + "id": "controls/V-93229.rb" }, { "title": null, "controls": [ - "V-93421" + "V-93483" ], - "id": "controls/V-93421.rb" + "id": "controls/V-93483.rb" }, { "title": null, "controls": [ - "V-93115" + "V-93069" ], - "id": "controls/V-93115.rb" + "id": "controls/V-93069.rb" }, { "title": null, "controls": [ - "V-93211" + "V-93469" ], - "id": "controls/V-93211.rb" + "id": "controls/V-93469.rb" }, { "title": null, "controls": [ - "V-93325" + "V-93145" ], - "id": "controls/V-93325.rb" + "id": "controls/V-93145.rb" }, { "title": null, "controls": [ - "V-93395" + "V-93421" ], - "id": "controls/V-93395.rb" + "id": "controls/V-93421.rb" }, { "title": null, "controls": [ - "V-93299" + "V-93547" ], - "id": "controls/V-93299.rb" + "id": "controls/V-93547.rb" }, { "title": null, "controls": [ - "V-93147" + "V-93215" ], - "id": "controls/V-93147.rb" + "id": "controls/V-93215.rb" }, { "title": null, "controls": [ - "V-92993" + "V-93161" ], - "id": "controls/V-92993.rb" + "id": "controls/V-93161.rb" }, { "title": null, "controls": [ - "V-93369" + "V-93027" ], - "id": "controls/V-93369.rb" + "id": "controls/V-93027.rb" }, { "title": null, "controls": [ - "V-93217" + "V-93125" ], - "id": "controls/V-93217.rb" + "id": "controls/V-93125.rb" }, { "title": null, "controls": [ - 
"V-93531" + "V-93109" ], - "id": "controls/V-93531.rb" + "id": "controls/V-93109.rb" }, { "title": null, "controls": [ - "V-93545" + "V-93121" ], - "id": "controls/V-93545.rb" + "id": "controls/V-93121.rb" }, { "title": null, "controls": [ - "V-93171" + "V-93119" ], - "id": "controls/V-93171.rb" + "id": "controls/V-93119.rb" }, { "title": null, "controls": [ - "V-93455" + "V-93447" ], - "id": "controls/V-93455.rb" + "id": "controls/V-93447.rb" }, { "title": null, "controls": [ - "V-93353" + "V-92999" ], - "id": "controls/V-93353.rb" + "id": "controls/V-92999.rb" }, { "title": null, "controls": [ - "V-93339" + "V-93565" ], - "id": "controls/V-93339.rb" + "id": "controls/V-93565.rb" }, { "title": null, "controls": [ - "V-93149" + "V-93083" ], - "id": "controls/V-93149.rb" + "id": "controls/V-93083.rb" }, { "title": null, "controls": [ - "V-93105" + "V-93217" ], - "id": "controls/V-93105.rb" + "id": "controls/V-93217.rb" }, { "title": null, "controls": [ - "V-93195" + "V-93427" ], - "id": "controls/V-93195.rb" + "id": "controls/V-93427.rb" }, { "title": null, "controls": [ - "V-93265" + "V-93319" ], - "id": "controls/V-93265.rb" + "id": "controls/V-93319.rb" }, { "title": null, "controls": [ - "V-93055" + "V-93377" ], - "id": "controls/V-93055.rb" + "id": "controls/V-93377.rb" }, { "title": null, "controls": [ - "V-93141" + "V-93477" ], - "id": "controls/V-93141.rb" + "id": "controls/V-93477.rb" }, { "title": null, "controls": [ - "V-93153" + "V-93047" ], - "id": "controls/V-93153.rb" + "id": "controls/V-93047.rb" }, { "title": null, "controls": [ - "V-93355" + "V-93191" ], - "id": "controls/V-93355.rb" + "id": "controls/V-93191.rb" }, { "title": null, "controls": [ - "V-93347" + "V-93457" ], - "id": "controls/V-93347.rb" + "id": "controls/V-93457.rb" }, { "title": null, "controls": [ - "V-93561" + "V-93177" ], - "id": "controls/V-93561.rb" + "id": "controls/V-93177.rb" }, { "title": null, "controls": [ - "V-93049" + "V-93235" ], - "id": "controls/V-93049.rb" + "id": 
"controls/V-93235.rb" }, { "title": null, "controls": [ - "V-93459" + "V-93071" ], - "id": "controls/V-93459.rb" + "id": "controls/V-93071.rb" }, { "title": null, "controls": [ - "V-93549" + "V-93539" ], - "id": "controls/V-93549.rb" + "id": "controls/V-93539.rb" }, { "title": null, "controls": [ - "V-93295" + "V-93155" ], - "id": "controls/V-93295.rb" + "id": "controls/V-93155.rb" }, { "title": null, "controls": [ - "V-92997" + "V-93127" ], - "id": "controls/V-92997.rb" + "id": "controls/V-93127.rb" }, { "title": null, "controls": [ - "V-93011" + "V-93327" ], - "id": "controls/V-93011.rb" + "id": "controls/V-93327.rb" }, { "title": null, "controls": [ - "V-93275" + "V-93367" ], - "id": "controls/V-93275.rb" + "id": "controls/V-93367.rb" }, { "title": null, "controls": [ - "V-93289" + "V-93437" ], - "id": "controls/V-93289.rb" + "id": "controls/V-93437.rb" }, { "title": null, "controls": [ - "V-93025" + "V-93001" ], - "id": "controls/V-93025.rb" + "id": "controls/V-93001.rb" }, { "title": null, "controls": [ - "V-93181" + "V-93059" ], - "id": "controls/V-93181.rb" + "id": "controls/V-93059.rb" }, { "title": null, "controls": [ - "V-93015" + "V-93489" ], - "id": "controls/V-93015.rb" + "id": "controls/V-93489.rb" }, { "title": null, "controls": [ - "V-93475" + "V-93003" ], - "id": "controls/V-93475.rb" + "id": "controls/V-93003.rb" }, { "title": null, "controls": [ - "V-93229" + "V-93147" ], - "id": "controls/V-93229.rb" + "id": "controls/V-93147.rb" }, { "title": null, "controls": [ - "V-93463" + "V-93243" ], - "id": "controls/V-93463.rb" + "id": "controls/V-93243.rb" }, { "title": null, "controls": [ - "V-93129" + "V-93099" ], - "id": "controls/V-93129.rb" + "id": "controls/V-93099.rb" }, { "title": null, "controls": [ - "V-93047" + "V-93045" ], - "id": "controls/V-93047.rb" + "id": "controls/V-93045.rb" }, { "title": null, "controls": [ - "V-93231" + "V-93519" ], - "id": "controls/V-93231.rb" + "id": "controls/V-93519.rb" }, { "title": null, "controls": [ - 
"V-93027" + "V-93333" ], - "id": "controls/V-93027.rb" + "id": "controls/V-93333.rb" }, { "title": null, "controls": [ - "V-93447" + "V-93277" ], - "id": "controls/V-93447.rb" + "id": "controls/V-93277.rb" }, { "title": null, "controls": [ - "V-93559" + "V-93037" ], - "id": "controls/V-93559.rb" + "id": "controls/V-93037.rb" }, { "title": null, "controls": [ - "V-93259" + "V-93389" ], - "id": "controls/V-93259.rb" + "id": "controls/V-93389.rb" }, { "title": null, "controls": [ - "V-93041" + "V-93423" ], - "id": "controls/V-93041.rb" + "id": "controls/V-93423.rb" }, { "title": null, "controls": [ - "V-93205" + "V-92971" ], - "id": "controls/V-93205.rb" + "id": "controls/V-92971.rb" }, { "title": null, "controls": [ - "V-93163" + "V-93009" ], - "id": "controls/V-93163.rb" + "id": "controls/V-93009.rb" }, { "title": null, "controls": [ - "V-93079" + "V-93023" ], - "id": "controls/V-93079.rb" + "id": "controls/V-93023.rb" }, { "title": null, "controls": [ - "V-93311" + "V-93329" ], - "id": "controls/V-93311.rb" + "id": "controls/V-93329.rb" }, { "title": null, "controls": [ - "V-93209" + "V-93273" ], - "id": "controls/V-93209.rb" + "id": "controls/V-93273.rb" }, { "title": null, "controls": [ - "V-93533" + "V-93251" ], - "id": "controls/V-93533.rb" + "id": "controls/V-93251.rb" }, { "title": null, "controls": [ - "V-93443" + "V-92967" ], - "id": "controls/V-93443.rb" + "id": "controls/V-92967.rb" }, { "title": null, "controls": [ - "V-93429" + "V-93017" ], - "id": "controls/V-93429.rb" + "id": "controls/V-93017.rb" }, { "title": null, "controls": [ - "V-93407" + "V-93515" ], - "id": "controls/V-93407.rb" + "id": "controls/V-93515.rb" }, { "title": null, "controls": [ - "V-93335" + "V-93479" ], - "id": "controls/V-93335.rb" + "id": "controls/V-93479.rb" }, { "title": null, "controls": [ - "V-93503" + "V-93249" ], - "id": "controls/V-93503.rb" + "id": "controls/V-93249.rb" }, { "title": null, "controls": [ - "V-93557" + "V-93491" ], - "id": "controls/V-93557.rb" + "id": 
"controls/V-93491.rb" }, { "title": null, "controls": [ - "V-93009" + "V-93311" ], - "id": "controls/V-93009.rb" + "id": "controls/V-93311.rb" }, { "title": null, "controls": [ - "V-93023" + "V-93143" ], - "id": "controls/V-93023.rb" + "id": "controls/V-93143.rb" }, { "title": null, "controls": [ - "V-93077" + "V-93529" ], - "id": "controls/V-93077.rb" + "id": "controls/V-93529.rb" }, { "title": null, "controls": [ - "V-93349" + "V-93163" ], - "id": "controls/V-93349.rb" + "id": "controls/V-93163.rb" }, { "title": null, "controls": [ - "V-92989" + "V-93487" ], - "id": "controls/V-92989.rb" + "id": "controls/V-93487.rb" }, { "title": null, "controls": [ - "V-93145" + "V-92993" ], - "id": "controls/V-93145.rb" + "id": "controls/V-92993.rb" }, { "title": null, "controls": [ - "V-92985" + "V-93331" ], - "id": "controls/V-92985.rb" + "id": "controls/V-93331.rb" }, { "title": null, "controls": [ - "V-93319" + "V-92985" ], - "id": "controls/V-93319.rb" + "id": "controls/V-92985.rb" }, { "title": null, "controls": [ - "V-93341" + "V-93561" ], - "id": "controls/V-93341.rb" + "id": "controls/V-93561.rb" }, { "title": null, "controls": [ - "V-93505" + "V-93525" ], - "id": "controls/V-93505.rb" + "id": "controls/V-93525.rb" }, { "title": null, "controls": [ - "V-93331" + "V-93549" ], - "id": "controls/V-93331.rb" + "id": "controls/V-93549.rb" }, { "title": null, "controls": [ - "V-93263" + "V-93349" ], - "id": "controls/V-93263.rb" + "id": "controls/V-93349.rb" }, { "title": null, "controls": [ - "V-93219" + "V-93555" ], - "id": "controls/V-93219.rb" + "id": "controls/V-93555.rb" }, { "title": null, "controls": [ - "V-93293" + "V-93341" ], - "id": "controls/V-93293.rb" + "id": "controls/V-93341.rb" }, { "title": null, "controls": [ - "V-93323" + "V-93201" ], - "id": "controls/V-93323.rb" + "id": "controls/V-93201.rb" }, { "title": null, "controls": [ - "V-93571" + "V-93459" ], - "id": "controls/V-93571.rb" + "id": "controls/V-93459.rb" }, { "title": null, "controls": [ - 
"V-93037" + "V-93563" ], - "id": "controls/V-93037.rb" + "id": "controls/V-93563.rb" }, { "title": null, "controls": [ - "V-93467" + "V-93079" ], - "id": "controls/V-93467.rb" + "id": "controls/V-93079.rb" }, { "title": null, "controls": [ - "V-93377" + "V-92975" ], - "id": "controls/V-93377.rb" + "id": "controls/V-92975.rb" }, { "title": null, "controls": [ - "V-93121" + "V-92979" ], - "id": "controls/V-93121.rb" + "id": "controls/V-92979.rb" }, { "title": null, "controls": [ - "V-93487" + "V-93165" ], - "id": "controls/V-93487.rb" + "id": "controls/V-93165.rb" }, { "title": null, "controls": [ - "V-93425" + "V-93279" ], - "id": "controls/V-93425.rb" + "id": "controls/V-93279.rb" }, { "title": null, "controls": [ - "V-93491" + "V-93517" ], - "id": "controls/V-93491.rb" + "id": "controls/V-93517.rb" }, { "title": null, "controls": [ - "V-93065" + "V-93203" ], - "id": "controls/V-93065.rb" + "id": "controls/V-93203.rb" }, { "title": null, "controls": [ - "V-93183" + "V-93297" ], - "id": "controls/V-93183.rb" + "id": "controls/V-93297.rb" }, { "title": null, "controls": [ - "V-93553" + "V-93285" ], - "id": "controls/V-93553.rb" + "id": "controls/V-93285.rb" }, { "title": null, "controls": [ - "V-93005" + "V-93207" ], - "id": "controls/V-93005.rb" + "id": "controls/V-93207.rb" }, { "title": null, "controls": [ - "V-93061" + "V-93089" ], - "id": "controls/V-93061.rb" + "id": "controls/V-93089.rb" }, { "title": null, "controls": [ - "V-93073" + "V-93129" ], - "id": "controls/V-93073.rb" + "id": "controls/V-93129.rb" }, { "title": null, "controls": [ - "V-93267" + "V-93317" ], - "id": "controls/V-93267.rb" + "id": "controls/V-93317.rb" }, { "title": null, "controls": [ - "V-93189" + "V-93231" ], - "id": "controls/V-93189.rb" + "id": "controls/V-93231.rb" }, { "title": null, "controls": [ - "V-93565" + "V-93439" ], - "id": "controls/V-93565.rb" + "id": "controls/V-93439.rb" }, { "title": null, "controls": [ - "V-93515" + "V-92997" ], - "id": "controls/V-93515.rb" + "id": 
"controls/V-92997.rb" }, { "title": null, "controls": [ - "V-93367" + "V-93567" ], - "id": "controls/V-93367.rb" + "id": "controls/V-93567.rb" }, { "title": null, "controls": [ - "V-93563" + "V-93053" ], - "id": "controls/V-93563.rb" + "id": "controls/V-93053.rb" }, { "title": null, "controls": [ - "V-93155" + "V-93501" ], - "id": "controls/V-93155.rb" + "id": "controls/V-93501.rb" }, { "title": null, "controls": [ - "V-93321" + "V-93019" ], - "id": "controls/V-93321.rb" + "id": "controls/V-93019.rb" }, { "title": null, "controls": [ - "V-93523" + "V-93041" ], - "id": "controls/V-93523.rb" + "id": "controls/V-93041.rb" }, { "title": null, "controls": [ - "V-93285" + "V-93355" ], - "id": "controls/V-93285.rb" + "id": "controls/V-93355.rb" }, { "title": null, "controls": [ - "V-93203" + "V-93021" ], - "id": "controls/V-93203.rb" + "id": "controls/V-93021.rb" }, { "title": null, "controls": [ - "V-93405" + "V-93039" ], - "id": "controls/V-93405.rb" + "id": "controls/V-93039.rb" }, { "title": null, "controls": [ - "V-93413" + "V-92973" ], - "id": "controls/V-93413.rb" + "id": "controls/V-92973.rb" }, { "title": null, "controls": [ - "V-93127" + "V-93077" ], - "id": "controls/V-93127.rb" + "id": "controls/V-93077.rb" }, { "title": null, "controls": [ - "V-93133" + "V-93535" ], - "id": "controls/V-93133.rb" + "id": "controls/V-93535.rb" }, { "title": null, "controls": [ - "V-93039" + "V-93467" ], - "id": "controls/V-93039.rb" + "id": "controls/V-93467.rb" }, { "title": null, "controls": [ - "V-93253" + "V-93103" ], - "id": "controls/V-93253.rb" + "id": "controls/V-93103.rb" }, { "title": null, "controls": [ - "V-93083" + "V-93399" ], - "id": "controls/V-93083.rb" + "id": "controls/V-93399.rb" }, { "title": null, "controls": [ - "V-93451" + "V-93453" ], - "id": "controls/V-93451.rb" + "id": "controls/V-93453.rb" }, { "title": null, "controls": [ - "V-93499" + "V-93505" ], - "id": "controls/V-93499.rb" + "id": "controls/V-93505.rb" }, { "title": null, "controls": [ - 
"V-93409" + "V-93369" ], - "id": "controls/V-93409.rb" + "id": "controls/V-93369.rb" }, { "title": null, "controls": [ - "V-93433" + "V-93085" ], - "id": "controls/V-93433.rb" + "id": "controls/V-93085.rb" }, { "title": null, "controls": [ - "V-93243" + "V-93141" ], - "id": "controls/V-93243.rb" + "id": "controls/V-93141.rb" }, { "title": null, "controls": [ - "V-92973" + "V-93541" ], - "id": "controls/V-92973.rb" + "id": "controls/V-93541.rb" }, { "title": null, "controls": [ - "V-93283" + "V-93261" ], - "id": "controls/V-93283.rb" + "id": "controls/V-93261.rb" }, { "title": null, "controls": [ - "V-93201" + "V-93343" ], - "id": "controls/V-93201.rb" + "id": "controls/V-93343.rb" }, { "title": null, "controls": [ - "V-92979" + "V-93061" ], - "id": "controls/V-92979.rb" + "id": "controls/V-93061.rb" }, { "title": null, "controls": [ - "V-93215" + "V-93123" ], - "id": "controls/V-93215.rb" + "id": "controls/V-93123.rb" }, { "title": null, "controls": [ - "V-93165" + "V-93183" ], - "id": "controls/V-93165.rb" + "id": "controls/V-93183.rb" }, { "title": null, "controls": [ - "V-93309" + "V-93403" ], - "id": "controls/V-93309.rb" + "id": "controls/V-93403.rb" }, { "title": null, "controls": [ - "V-92969" + "V-93383" ], - "id": "controls/V-92969.rb" + "id": "controls/V-93383.rb" }, { "title": null, "controls": [ - "V-93101" + "V-93393" ], - "id": "controls/V-93101.rb" + "id": "controls/V-93393.rb" }, { "title": null, "controls": [ - "V-93249" + "V-93289" ], - "id": "controls/V-93249.rb" + "id": "controls/V-93289.rb" }, { "title": null, "controls": [ - "V-93241" + "V-93225" ], - "id": "controls/V-93241.rb" + "id": "controls/V-93225.rb" }, { "title": null, "controls": [ - "V-93281" + "V-93101" ], - "id": "controls/V-93281.rb" + "id": "controls/V-93101.rb" }, { "title": null, "controls": [ - "V-93317" + "V-93379" ], - "id": "controls/V-93317.rb" + "id": "controls/V-93379.rb" }, { "title": null, "controls": [ - "V-93095" + "V-93199" ], - "id": "controls/V-93095.rb" + "id": 
"controls/V-93199.rb" }, { "title": null, "controls": [ - "V-93099" + "V-93441" ], - "id": "controls/V-93099.rb" + "id": "controls/V-93441.rb" }, { "title": null, "controls": [ - "V-93307" + "V-93305" ], - "id": "controls/V-93307.rb" + "id": "controls/V-93305.rb" }, { "title": null, "controls": [ - "V-93539" + "V-93173" ], - "id": "controls/V-93539.rb" + "id": "controls/V-93173.rb" }, { "title": null, "controls": [ - "V-93397" + "V-93259" ], - "id": "controls/V-93397.rb" + "id": "controls/V-93259.rb" }, { "title": null, "controls": [ - "V-93067" + "V-93493" ], - "id": "controls/V-93067.rb" + "id": "controls/V-93493.rb" }, { "title": null, "controls": [ - "V-93361" + "V-93551" ], - "id": "controls/V-93361.rb" + "id": "controls/V-93551.rb" }, { "title": null, "controls": [ - "V-92965" + "V-93257" ], - "id": "controls/V-92965.rb" + "id": "controls/V-93257.rb" }, { "title": null, "controls": [ - "V-93385" + "V-93401" ], - "id": "controls/V-93385.rb" + "id": "controls/V-93401.rb" }, { "title": null, "controls": [ - "V-93057" + "V-93433" ], - "id": "controls/V-93057.rb" + "id": "controls/V-93433.rb" }, { "title": null, "controls": [ - "V-93135" + "V-93189" ], - "id": "controls/V-93135.rb" + "id": "controls/V-93189.rb" }, { "title": null, "controls": [ - "V-93471" + "V-93223" ], - "id": "controls/V-93471.rb" + "id": "controls/V-93223.rb" }, { "title": null, "controls": [ - "V-93177" + "V-93063" ], - "id": "controls/V-93177.rb" + "id": "controls/V-93063.rb" }, { "title": null, "controls": [ - "V-93363" + "V-93057" ], - "id": "controls/V-93363.rb" + "id": "controls/V-93057.rb" }, { "title": null, "controls": [ - "V-93313" + "V-93465" ], - "id": "controls/V-93313.rb" + "id": "controls/V-93465.rb" }, { "title": null, "controls": [ - "V-93329" + "V-93509" ], - "id": "controls/V-93329.rb" + "id": "controls/V-93509.rb" }, { "title": null, "controls": [ - "V-93477" + "V-92961" ], - "id": "controls/V-93477.rb" + "id": "controls/V-92961.rb" }, { "title": null, "controls": [ - 
"V-93517" + "V-93495" ], - "id": "controls/V-93517.rb" + "id": "controls/V-93495.rb" }, { "title": null, "controls": [ - "V-93221" + "V-93015" ], - "id": "controls/V-93221.rb" + "id": "controls/V-93015.rb" }, { "title": null, "controls": [ - "V-93399" + "V-93193" ], - "id": "controls/V-93399.rb" + "id": "controls/V-93193.rb" }, { "title": null, "controls": [ - "V-92967" + "V-93309" ], - "id": "controls/V-92967.rb" + "id": "controls/V-93309.rb" }, { "title": null, "controls": [ - "V-93387" + "V-93269" ], - "id": "controls/V-93387.rb" + "id": "controls/V-93269.rb" }, { "title": null, "controls": [ - "V-93427" + "V-93395" ], - "id": "controls/V-93427.rb" + "id": "controls/V-93395.rb" }, { "title": null, "controls": [ - "V-93087" + "V-93209" ], - "id": "controls/V-93087.rb" + "id": "controls/V-93209.rb" }, { "title": null, "controls": [ - "V-93107" + "V-93131" ], - "id": "controls/V-93107.rb" + "id": "controls/V-93131.rb" }, { "title": null, "controls": [ - "V-93045" + "V-93113" ], - "id": "controls/V-93045.rb" + "id": "controls/V-93113.rb" }, { "title": null, "controls": [ - "V-93143" + "V-93221" ], - "id": "controls/V-93143.rb" + "id": "controls/V-93221.rb" }, { "title": null, "controls": [ - "V-93461" + "V-93265" ], - "id": "controls/V-93461.rb" + "id": "controls/V-93265.rb" }, { "title": null, "controls": [ - "V-93449" + "V-93405" ], - "id": "controls/V-93449.rb" + "id": "controls/V-93405.rb" }, { "title": null, "controls": [ - "V-93111" + "V-93179" ], - "id": "controls/V-93111.rb" + "id": "controls/V-93179.rb" }, { "title": null, "controls": [ - "V-93417" + "V-93485" ], - "id": "controls/V-93417.rb" + "id": "controls/V-93485.rb" }, { "title": null, "controls": [ - "V-93255" + "V-93475" ], - "id": "controls/V-93255.rb" + "id": "controls/V-93475.rb" }, { "title": null, "controls": [ - "V-93113" + "V-93381" ], - "id": "controls/V-93113.rb" + "id": "controls/V-93381.rb" }, { "title": null, "controls": [ - "V-93541" + "V-93445" ], - "id": "controls/V-93541.rb" + "id": 
"controls/V-93445.rb" }, { "title": null, "controls": [ - "V-93059" + "V-93213" ], - "id": "controls/V-93059.rb" + "id": "controls/V-93213.rb" }, { "title": null, "controls": [ - "V-92987" + "V-93181" ], - "id": "controls/V-92987.rb" + "id": "controls/V-93181.rb" }, { "title": null, "controls": [ - "V-93017" + "V-93205" ], - "id": "controls/V-93017.rb" + "id": "controls/V-93205.rb" }, { "title": null, "controls": [ - "V-92991" + "V-93139" ], - "id": "controls/V-92991.rb" + "id": "controls/V-93139.rb" }, { "title": null, "controls": [ - "V-93119" + "V-93299" ], - "id": "controls/V-93119.rb" + "id": "controls/V-93299.rb" }, { "title": null, "controls": [ - "V-93069" + "V-93385" ], - "id": "controls/V-93069.rb" + "id": "controls/V-93385.rb" }, { "title": null, "controls": [ - "V-93157" + "V-93513" ], - "id": "controls/V-93157.rb" + "id": "controls/V-93513.rb" }, { "title": null, "controls": [ - "V-93089" + "V-93157" ], - "id": "controls/V-93089.rb" + "id": "controls/V-93157.rb" }, { "title": null, "controls": [ - "V-93179" + "V-93287" ], - "id": "controls/V-93179.rb" + "id": "controls/V-93287.rb" }, { "title": null, "controls": [ - "V-93277" + "V-93387" ], - "id": "controls/V-93277.rb" + "id": "controls/V-93387.rb" }, { "title": null, "controls": [ - "V-93071" + "V-93097" ], - "id": "controls/V-93071.rb" + "id": "controls/V-93097.rb" }, { "title": null, "controls": [ - "V-93097" + "V-93473" ], - "id": "controls/V-93097.rb" + "id": "controls/V-93473.rb" }, { "title": null, "controls": [ - "V-93185" + "V-93313" ], - "id": "controls/V-93185.rb" + "id": "controls/V-93313.rb" } ], "sha256": "3b82a0846d74ce672f8057bc362c5a08079d0596e4032705f4e7ea41b7db2aad", diff --git a/src/assets/data/baselineProfiles/oracle-java-runtime-environment-7-unix-stig-baseline.json b/src/assets/data/baselineProfiles/oracle-java-runtime-environment-7-unix-stig-baseline.json index 24a0e51e..773c286f 100644 
--- a/src/assets/data/baselineProfiles/oracle-java-runtime-environment-7-unix-stig-baseline.json +++ b/src/assets/data/baselineProfiles/oracle-java-runtime-environment-7-unix-stig-baseline.json 
@@ -16,62 +16,62 @@ "inputs": [], "controls": [ { - "title": "The option to enable online certificate validation must be enabled.", - "desc": "Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware execution , system modification, invasion of privacy, and denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.", + "title": "The configuration file must contain proper keys and values to deploy settings correctly.", + "desc": "This configuration file must hold values of the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file the value of the 'deployment.system.config. mandatory' key determines how to handle the situation. If the value of this key is true, JRE will not run if the path to the properties file is invalid. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.", "descriptions": { - "default": "Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware execution , system modification, invasion of privacy, and denial of service. 
NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed." + "default": "This configuration file must hold values of the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file the value of the 'deployment.system.config. mandatory' key determines how to handle the situation. If the value of this key is true, JRE will not run if the path to the properties file is invalid. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "JRE0040 Enable online certificate validation", - "gid": "V-32832", - "rid": "SV-43618r2_rule", - "stig_id": "JRE0040-UX", - "cci": "CCI-000185", + "gtitle": "JRE0060 The deployment.config file must be properly configured", + "gid": "V-32842", + "rid": "SV-43649r1_rule", + "stig_id": "JRE0060-UX", + "cci": "CCI-000366", "nist": [ - "IA-5 (2)(a)", + "CM-6 b", "Rev_4" ], - "check": "If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Examine the deployment.properties file for the 'deployment.security.validation.ocsp' key. If the 'deployment.security.validation.ocsp' key is not present, this is a finding. If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding. ", - "fix": "If the system is on the SIPRNET, this requirement is NA. Enable the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Add or update the key 'deployment.security.validation.ocsp' to be 'true'. " + "check": "Navigate to the deployment.config file. 
/usr/java/jre/lib/deployment.config If the configuration file does not contain 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties', this is a finding. If the configuration file does not contain 'deployment.system.config.mandatory=false', this is a finding.", + "fix": "Specify the path to the deployment.properties file and set the mandatory configuration values. Navigate to the deployment.config file. /usr/java/jre/lib/deployment.properties Include the following keys in the configuration file: 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties' 'deployment.system.config.mandatory=false'." }, - "code": "control 'V-32832' do\n title 'The option to enable online certificate validation must be enabled.'\n desc \"Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware execution , system modification, invasion of privacy, and denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0040 Enable online certificate validation'\n tag \"gid\": 'V-32832'\n tag \"rid\": 'SV-43618r2_rule'\n tag \"stig_id\": 'JRE0040-UX'\n tag \"cci\": 'CCI-000185'\n tag \"nist\": ['IA-5 (2)(a)', 'Rev_4']\n tag \"check\": \"If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Examine the deployment.properties file for the 'deployment.security.validation.ocsp' key. If the 'deployment.security.validation.ocsp' key is not present, this is a finding. 
If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding. \"\n tag \"fix\": \"If the system is on the SIPRNET, this requirement is NA. Enable the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Add or update the key 'deployment.security.validation.ocsp' to be 'true'. \"\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file('/usr/java/jre/lib/deployment.properties') do\n its('content') { should match(/deployment.security.validation.ocsp=true/) }\n end\n end\nend\n", + "code": "control 'V-32842' do\n title 'The configuration file must contain proper keys and values to deploy settings correctly.'\n desc \"This configuration file must hold values of the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file the value of the 'deployment.system.config. mandatory' key determines how to handle the situation. If the value of this key is true, JRE will not run if the path to the properties file is invalid. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0060 The deployment.config file must be properly configured'\n tag \"gid\": 'V-32842'\n tag \"rid\": 'SV-43649r1_rule'\n tag \"stig_id\": 'JRE0060-UX'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": \"Navigate to the deployment.config file. 
/usr/java/jre/lib/deployment.config If the configuration file does not contain 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties', this is a finding. If the configuration file does not contain 'deployment.system.config.mandatory=false', this is a finding.\"\n tag \"fix\": \"Specify the path to the deployment.properties file and set the mandatory configuration values. Navigate to the deployment.config file. /usr/java/jre/lib/deployment.properties Include the following keys in the configuration file: 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties' 'deployment.system.config.mandatory=false'.\"\n\n describe file('/usr/java/jre/lib/deployment.config') do\n its('content') { should match(%r{deployment.system.config=file:/usr/java/jre/lib/deployment.properties}) }\n end\n describe file('/usr/java/jre/lib/deployment.config') do\n its('content') { should match(/deployment.system.config.mandatory=false/) }\n end\nend\n", "source_location": { - "ref": "./JRE 7 STIG/controls/V-32832.rb", - "line": 2 + "ref": "./JRE 7 STIG/controls/V-32842.rb", + "line": 1 }, - "id": "V-32832" + "id": "V-32842" }, { - "title": "A properties file must be present to hold all the keys that establish properties within the Java control panel.", - "desc": "The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible. 
NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.", + "title": "A configuration file must be present to deploy properties for JRE.", + "desc": "The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. Without the deployment.config file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.", "descriptions": { - "default": "The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed." + "default": "The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. Without the deployment.config file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "JRE0080 Properties file must exist",
- "gid": "V-32902",
- "rid": "SV-43620r2_rule",
- "stig_id": "JRE0080-UX",
+ "gtitle": "JRE0070 Configuration file must be present",
+ "gid": "V-32901",
+ "rid": "SV-43621r1_rule",
+ "stig_id": "JRE0070-UX",
 "cci": "CCI-000366",
 "nist": [
 "CM-6 b",
 "Rev_4"
 ],
- "check": "Navigate to the lib directory: /usr/java/jre/lib/ If there is no properties file entitled 'deployment.properties', this is a finding.",
- "fix": "Create the Java deployment properties file. Navigate to the lib directory: /usr/java/jre/lib/ Create a properties file entitled 'deployment.properties'."
+ "check": "Navigate to the lib directory: /usr/java/jre/lib/ If there is no configuration file entitled 'deployment.config', this is a finding. ",
+ "fix": "Create a JRE deployment configuration file. Navigate to the lib directory: /usr/java/jre/lib/ Create a configuration file entitled 'deployment.config'. "
 },
- "code": "control 'V-32902' do\n title 'A properties file must be present to hold all the keys that establish properties within the Java control panel.'\n desc \"The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible. 
NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0080 Properties file must exist'\n tag \"gid\": 'V-32902'\n tag \"rid\": 'SV-43620r2_rule'\n tag \"stig_id\": 'JRE0080-UX'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": \"Navigate to the lib directory: /usr/java/jre/lib/ If there is no properties file entitled 'deployment.properties', this is a finding.\"\n tag \"fix\": \"Create the Java deployment properties file. Navigate to the lib directory: /usr/java/jre/lib/ Create a properties file entitled 'deployment.properties'.\"\n\n describe file('/usr/java/jre/lib/deployment.properties') do\n it { should exist }\n end\nend\n",
+ "code": "control 'V-32901' do\n title 'A configuration file must be present to deploy properties for JRE.'\n desc \"The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. Without the deployment.config file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0070 Configuration file must be present'\n tag \"gid\": 'V-32901'\n tag \"rid\": 'SV-43621r1_rule'\n tag \"stig_id\": 'JRE0070-UX'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": \"Navigate to the lib directory: /usr/java/jre/lib/ If there is no configuration file entitled 'deployment.config', this is a finding. \"\n tag \"fix\": \"Create a JRE deployment configuration file. Navigate to the lib directory: /usr/java/jre/lib/ Create a configuration file entitled 'deployment.config'. 
\"\n\n describe file('/usr/java/jre/lib/deployment.config') do\n it { should exist }\n end\nend\n",
 "source_location": {
- "ref": "./JRE 7 STIG/controls/V-32902.rb",
+ "ref": "./JRE 7 STIG/controls/V-32901.rb",
 "line": 1
 },
- "id": "V-32902"
+ "id": "V-32901"
 },
 {
 "title": "The setting enabling users to configure the check publisher certificates for revocation must be locked.",
@@ -103,120 +103,149 @@
 "id": "V-32831"
 },
 {
- "title": "A configuration file must be present to deploy properties for JRE.",
- "desc": "The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. Without the deployment.config file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.",
+ "title": "A properties file must be present to hold all the keys that establish properties within the Java control panel.",
+ "desc": "The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.",
 "descriptions": {
- "default": "The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. Without the deployment.config file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed."
+ "default": "The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. 
These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "JRE0070 Configuration file must be present",
- "gid": "V-32901",
- "rid": "SV-43621r1_rule",
- "stig_id": "JRE0070-UX",
+ "gtitle": "JRE0080 Properties file must exist",
+ "gid": "V-32902",
+ "rid": "SV-43620r2_rule",
+ "stig_id": "JRE0080-UX",
 "cci": "CCI-000366",
 "nist": [
 "CM-6 b",
 "Rev_4"
 ],
- "check": "Navigate to the lib directory: /usr/java/jre/lib/ If there is no configuration file entitled 'deployment.config', this is a finding. ",
- "fix": "Create a JRE deployment configuration file. Navigate to the lib directory: /usr/java/jre/lib/ Create a configuration file entitled 'deployment.config'. "
+ "check": "Navigate to the lib directory: /usr/java/jre/lib/ If there is no properties file entitled 'deployment.properties', this is a finding.",
+ "fix": "Create the Java deployment properties file. Navigate to the lib directory: /usr/java/jre/lib/ Create a properties file entitled 'deployment.properties'."
 },
- "code": "control 'V-32901' do\n title 'A configuration file must be present to deploy properties for JRE.'\n desc \"The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. Without the deployment.config file, setting particular options for the Java control panel is impossible. 
NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0070 Configuration file must be present'\n tag \"gid\": 'V-32901'\n tag \"rid\": 'SV-43621r1_rule'\n tag \"stig_id\": 'JRE0070-UX'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": \"Navigate to the lib directory: /usr/java/jre/lib/ If there is no configuration file entitled 'deployment.config', this is a finding. \"\n tag \"fix\": \"Create a JRE deployment configuration file. Navigate to the lib directory: /usr/java/jre/lib/ Create a configuration file entitled 'deployment.config'. \"\n\n describe file('/usr/java/jre/lib/deployment.config') do\n it { should exist }\n end\nend\n",
+ "code": "control 'V-32902' do\n title 'A properties file must be present to hold all the keys that establish properties within the Java control panel.'\n desc \"The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0080 Properties file must exist'\n tag \"gid\": 'V-32902'\n tag \"rid\": 'SV-43620r2_rule'\n tag \"stig_id\": 'JRE0080-UX'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": \"Navigate to the lib directory: /usr/java/jre/lib/ If there is no properties file entitled 'deployment.properties', this is a finding.\"\n tag \"fix\": \"Create the Java deployment properties file. 
Navigate to the lib directory: /usr/java/jre/lib/ Create a properties file entitled 'deployment.properties'.\"\n\n describe file('/usr/java/jre/lib/deployment.properties') do\n it { should exist }\n end\nend\n",
 "source_location": {
- "ref": "./JRE 7 STIG/controls/V-32901.rb",
+ "ref": "./JRE 7 STIG/controls/V-32902.rb",
 "line": 1
 },
- "id": "V-32901"
+ "id": "V-32902"
 },
 {
- "title": "The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.",
- "desc": "Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in malware running on the system, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change the permission settings which control the execution of signed Java applets contributes to a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.",
+ "title": "The dialog to enable users to grant permissions to execute signed content from an un-trusted authority must be disabled",
+ "desc": "Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. 
NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.",
 "descriptions": {
- "default": "Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in malware running on the system, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change the permission settings which control the execution of signed Java applets contributes to a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed."
+ "default": "Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "JRE0010 Lock out option to grant permission to untrusted",
- "gid": "V-32829",
- "rid": "SV-43601r2_rule",
- "stig_id": "JRE0010-UX",
+ "gtitle": "JRE0001 Disable ability to grant permission to untrusted authority",
+ "gid": "V-32828",
+ "rid": "SV-43596r2_rule",
+ "stig_id": "JRE0001-UX",
 "cci": "CCI-001695",
 "nist": [
 "SC-18 (3)",
 "Rev_4"
 ],
- "check": "If the system is on the SIPRNET this requirement is NA. 
Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Review the file. If the 'deployment.security.askgrantdialog.notinca.locked' key is not present this is a finding.",
- "fix": "Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Edit the file and add the 'deployment.security.askgrantdialog.notinca.locked' key."
+ "check": "If the system is on the SIPRNET, this requirement is NA.\n\n Examine the system 'deployment.properties' file for Java which is located by default at\n /usr/java/jre/lib/deployment.properties.\n\n If the 'deployment.security.askgrantdialog.notinca=false' key is not present, this is a finding.\n\n If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding. ",
+ "fix": "Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature.\n\n Navigate to the 'deployment.properties' file for Java, the default location is\n /usr/java/jre/lib/deployment.properties\n\n If the key does not exist, create the 'deployment.security.askgrantdialog.notinca' key and set the value to 'false'.\n\n If the key does exist. update the 'deployment.security.askgrantdialog.notinca' key to be a value of 'false'."
 },
- "code": "control 'V-32829' do\n title 'The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.'\n desc \"Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. 
Permitting execution of signed Java applets from un-trusted sources may result in malware running on the system, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change the permission settings which control the execution of signed Java applets contributes to a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed. \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0010 Lock out option to grant permission to untrusted'\n tag \"gid\": 'V-32829'\n tag \"rid\": 'SV-43601r2_rule'\n tag \"stig_id\": 'JRE0010-UX'\n tag \"cci\": 'CCI-001695'\n tag \"nist\": ['SC-18 (3)', 'Rev_4']\n tag \"check\": \"If the system is on the SIPRNET this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Review the file. If the 'deployment.security.askgrantdialog.notinca.locked' key is not present this is a finding.\"\n\n tag \"fix\": \"Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature. 
Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Edit the file and add the 'deployment.security.askgrantdialog.notinca.locked' key.\"\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file('/usr/java/jre/lib/deployment.properties') do\n its('content') { should match(/deployment.security.askgrantdialog.notinca.locked/) }\n end\n end\nend\n",
+ "code": "control 'V-32828' do\n title 'The dialog to enable users to grant permissions to execute signed content from an un-trusted authority must be disabled'\n desc \"\n Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. 
NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0001 Disable ability to grant permission to untrusted authority'\n tag \"gid\": 'V-32828'\n tag \"rid\": 'SV-43596r2_rule'\n tag \"stig_id\": 'JRE0001-UX'\n tag \"cci\": 'CCI-001695'\n tag \"nist\": ['SC-18 (3)', 'Rev_4']\n tag \"check\": \"If the system is on the SIPRNET, this requirement is NA.\n\n Examine the system 'deployment.properties' file for Java which is located by default at\n /usr/java/jre/lib/deployment.properties.\n\n If the 'deployment.security.askgrantdialog.notinca=false' key is not present, this is a finding.\n\n If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding. \"\n\n tag \"fix\": \"Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature.\n\n Navigate to the 'deployment.properties' file for Java, the default location is\n /usr/java/jre/lib/deployment.properties\n\n If the key does not exist, create the 'deployment.security.askgrantdialog.notinca' key and set the value to 'false'.\n\n If the key does exist. 
update the 'deployment.security.askgrantdialog.notinca' key to be a value of 'false'.\"\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file('/usr/java/jre/lib/deployment.properties') do\n its('content') { should match(/deployment.security.askgrantdialog.notinca=false/) }\n end\n end\nend\n",
 "source_location": {
- "ref": "./JRE 7 STIG/controls/V-32829.rb",
+ "ref": "./JRE 7 STIG/controls/V-32828.rb",
 "line": 2
 },
- "id": "V-32829"
+ "id": "V-32828"
 },
 {
- "title": "The dialog to enable users to grant permissions to execute signed content from an un-trusted authority must be disabled",
- "desc": "Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.",
+ "title": "The option to enable online certificate validation must be enabled.",
+ "desc": "Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. 
Permitting execution of an applet with an invalid certificate may result in malware execution , system modification, invasion of privacy, and denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.",
 "descriptions": {
- "default": "Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed."
+ "default": "Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware execution , system modification, invasion of privacy, and denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "JRE0001 Disable ability to grant permission to untrusted authority",
- "gid": "V-32828",
- "rid": "SV-43596r2_rule",
- "stig_id": "JRE0001-UX",
- "cci": "CCI-001695",
+ "gtitle": "JRE0040 Enable online certificate validation",
+ "gid": "V-32832",
+ "rid": "SV-43618r2_rule",
+ "stig_id": "JRE0040-UX",
+ "cci": "CCI-000185",
 "nist": [
- "SC-18 (3)",
+ "IA-5 (2)(a)",
 "Rev_4"
 ],
- "check": "If the system is on the SIPRNET, this requirement is NA.\n\n Examine the system 'deployment.properties' file for Java which is located by default at\n /usr/java/jre/lib/deployment.properties.\n\n If the 'deployment.security.askgrantdialog.notinca=false' key is not present, this is a finding.\n\n If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding. ",
- "fix": "Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature.\n\n Navigate to the 'deployment.properties' file for Java, the default location is\n /usr/java/jre/lib/deployment.properties\n\n If the key does not exist, create the 'deployment.security.askgrantdialog.notinca' key and set the value to 'false'.\n\n If the key does exist. update the 'deployment.security.askgrantdialog.notinca' key to be a value of 'false'."
+ "check": "If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Examine the deployment.properties file for the 'deployment.security.validation.ocsp' key. If the 'deployment.security.validation.ocsp' key is not present, this is a finding. If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding. ",
+ "fix": "If the system is on the SIPRNET, this requirement is NA. Enable the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. 
/usr/java/jre/lib/deployment.properties Add or update the key 'deployment.security.validation.ocsp' to be 'true'. "
 },
- "code": "control 'V-32828' do\n title 'The dialog to enable users to grant permissions to execute signed content from an un-trusted authority must be disabled'\n desc \"\n Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0001 Disable ability to grant permission to untrusted authority'\n tag \"gid\": 'V-32828'\n tag \"rid\": 'SV-43596r2_rule'\n tag \"stig_id\": 'JRE0001-UX'\n tag \"cci\": 'CCI-001695'\n tag \"nist\": ['SC-18 (3)', 'Rev_4']\n tag \"check\": \"If the system is on the SIPRNET, this requirement is NA.\n\n Examine the system 'deployment.properties' file for Java which is located by default at\n /usr/java/jre/lib/deployment.properties.\n\n If the 'deployment.security.askgrantdialog.notinca=false' key is not present, this is a finding.\n\n If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding. \"\n\n tag \"fix\": \"Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature.\n\n Navigate to the 'deployment.properties' file for Java, the default location is\n /usr/java/jre/lib/deployment.properties\n\n If the key does not exist, create the 'deployment.security.askgrantdialog.notinca' key and set the value to 'false'.\n\n If the key does exist. 
update the 'deployment.security.askgrantdialog.notinca' key to be a value of 'false'.\"\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file('/usr/java/jre/lib/deployment.properties') do\n its('content') { should match(/deployment.security.askgrantdialog.notinca=false/) }\n end\n end\nend\n",
+ "code": "control 'V-32832' do\n title 'The option to enable online certificate validation must be enabled.'\n desc \"Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware execution , system modification, invasion of privacy, and denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0040 Enable online certificate validation'\n tag \"gid\": 'V-32832'\n tag \"rid\": 'SV-43618r2_rule'\n tag \"stig_id\": 'JRE0040-UX'\n tag \"cci\": 'CCI-000185'\n tag \"nist\": ['IA-5 (2)(a)', 'Rev_4']\n tag \"check\": \"If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Examine the deployment.properties file for the 'deployment.security.validation.ocsp' key. If the 'deployment.security.validation.ocsp' key is not present, this is a finding. If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding. 
\"\n tag \"fix\": \"If the system is on the SIPRNET, this requirement is NA. Enable the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Add or update the key 'deployment.security.validation.ocsp' to be 'true'. \"\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file('/usr/java/jre/lib/deployment.properties') do\n its('content') { should match(/deployment.security.validation.ocsp=true/) }\n end\n end\nend\n",
 "source_location": {
- "ref": "./JRE 7 STIG/controls/V-32828.rb",
+ "ref": "./JRE 7 STIG/controls/V-32832.rb",
 "line": 2
 },
- "id": "V-32828"
+ "id": "V-32832"
 },
 {
- "title": "The setting for users to check publisher certificates for revocation must be enabled.",
- "desc": "A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.\n\n NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.",
+ "title": "Java Runtime Environment (JRE) versions that are no longer supported by the vendor for security updates must not be installed on a system.",
+ "desc": "Java Runtime Environment (JRE) versions that are no longer supported by Oracle for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. 
Organizations must transition to a supported Java Runtime Environment (JRE) version to ensure continued support.",
 "descriptions": {
- "default": "A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.\n\n NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed."
+ "default": "Java Runtime Environment (JRE) versions that are no longer supported by Oracle for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must transition to a supported Java Runtime Environment (JRE) version to ensure continued support."
+ },
+ "impact": 0.7,
+ "refs": [],
+ "tags": {
+ "severity": "high",
+ "gtitle": "Unsupported Java Runtime Environment (JRE) applications",
+ "gid": "V-61037",
+ "rid": "SV-75505r2_rule",
+ "stig_id": "JRE9999-UX",
+ "cci": "CCI-002605",
+ "nist": [
+ "SI-2 c",
+ "Rev_4"
+ ],
+ "check": "Oracle support for Java Runtime Environment (JRE) 7 for Unix ended 2015 April. If JRE 7 for Unix is installed on a system, this is a finding. If an extended support agreement providing security patches for the unsupported product is procured from the vendor, this finding may be downgraded to a CAT III.",
+ "fix": "Upgrade Java Runtime Environment (JRE) 7 for Unix software to a supported version." 
+ },
+ "code": "control 'V-61037' do\n title 'Java Runtime Environment (JRE) versions that are no longer supported by the vendor for security updates must not be installed on a system.'\n desc 'Java Runtime Environment (JRE) versions that are no longer supported by Oracle for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must transition to a supported Java Runtime Environment (JRE) version to ensure continued support.'\n impact 0.7\n tag \"severity\": 'high'\n tag \"gtitle\": 'Unsupported Java Runtime Environment (JRE) applications'\n tag \"gid\": 'V-61037'\n tag \"rid\": 'SV-75505r2_rule'\n tag \"stig_id\": 'JRE9999-UX'\n tag \"cci\": 'CCI-002605'\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": 'Oracle support for Java Runtime Environment (JRE) 7 for Unix ended 2015 April. If JRE 7 for Unix is installed on a system, this is a finding. If an extended support agreement providing security patches for the unsupported product is procured from the vendor, this finding may be downgraded to a CAT III.'\n\n tag \"fix\": 'Upgrade Java Runtime Environment (JRE) 7 for Unix software to a supported version.'\n\n\n\n java_cmd = command('java -version').stderr&.lines&.first&.strip&.split&.last\n describe 'The java version installed' do\n it \"should be attribute('java_version\" do\n expect(java_cmd).to(match attribute('java_version'))\n end\n end\nend\n",
+ "source_location": {
+ "ref": "./JRE 7 STIG/controls/V-61037.rb",
+ "line": 1
+ },
+ "id": "V-61037"
+ },
+ {
+ "title": "The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.",
+ "desc": "Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. 
Permitting execution of signed Java applets from un-trusted sources may result in malware running on the system, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change the permission settings which control the execution of signed Java applets contributes to a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.", + "descriptions": { + "default": "Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in malware running on the system, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change the permission settings which control the execution of signed Java applets contributes to a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "JRE0020 Enable revocation check on publisher certificates", - "gid": "V-32830", - "rid": "SV-43604r2_rule", - "stig_id": "JRE0020-UX", - "cci": "CCI-001991", + "gtitle": "JRE0010 Lock out option to grant permission to untrusted", + "gid": "V-32829", + "rid": "SV-43601r2_rule", + "stig_id": "JRE0010-UX", + "cci": "CCI-001695", "nist": [ - "IA-5 (2) (d)", + "SC-18 (3)", "Rev_4" ], - "check": "If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties. If the 'deployment.security.validation.crl' key is not present, this is a finding. 
If the 'deployment.security.validation.crl' key is present and set to 'false', this is a finding.", - "fix": "Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Add or update the 'deployment.security.validation.crl' key. Set the value to 'true'. " + "check": "If the system is on the SIPRNET this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Review the file. If the 'deployment.security.askgrantdialog.notinca.locked' key is not present this is a finding.", + "fix": "Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Edit the file and add the 'deployment.security.askgrantdialog.notinca.locked' key." }, - "code": "control 'V-32830' do\n title 'The setting for users to check publisher certificates for revocation must be enabled.'\n desc \"A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. 
Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.\n\n NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0020 Enable revocation check on publisher certificates'\n tag \"gid\": 'V-32830'\n tag \"rid\": 'SV-43604r2_rule'\n tag \"stig_id\": 'JRE0020-UX'\n tag \"cci\": 'CCI-001991'\n tag \"nist\": ['IA-5 (2) (d)', 'Rev_4']\n tag \"check\": \"If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties. If the 'deployment.security.validation.crl' key is not present, this is a finding. If the 'deployment.security.validation.crl' key is present and set to 'false', this is a finding.\"\n tag \"fix\": \"Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Add or update the 'deployment.security.validation.crl' key. Set the value to 'true'. \"\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file('/usr/java/jre/lib/deployment.properties') do\n its('content') { should match(/deployment.security.validation.crl=true/) }\n end\n end\nend\n", + "code": "control 'V-32829' do\n title 'The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.'\n desc \"Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. 
Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in malware running on the system, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change the permission settings which control the execution of signed Java applets contributes to a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed. \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0010 Lock out option to grant permission to untrusted'\n tag \"gid\": 'V-32829'\n tag \"rid\": 'SV-43601r2_rule'\n tag \"stig_id\": 'JRE0010-UX'\n tag \"cci\": 'CCI-001695'\n tag \"nist\": ['SC-18 (3)', 'Rev_4']\n tag \"check\": \"If the system is on the SIPRNET this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Review the file. If the 'deployment.security.askgrantdialog.notinca.locked' key is not present this is a finding.\"\n\n tag \"fix\": \"Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature. 
Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Edit the file and add the 'deployment.security.askgrantdialog.notinca.locked' key.\"\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file('/usr/java/jre/lib/deployment.properties') do\n its('content') { should match(/deployment.security.askgrantdialog.notinca.locked/) }\n end\n end\nend\n", "source_location": { - "ref": "./JRE 7 STIG/controls/V-32830.rb", + "ref": "./JRE 7 STIG/controls/V-32829.rb", "line": 2 }, - "id": "V-32830" + "id": "V-32829" }, { "title": "The option to enable online certificate validation must be locked.", 
@@ -248,107 +277,78 @@ "id": "V-32833" }, { - "title": "The version of the JRE running on the system must be the most current available.", - "desc": "The JRE is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.", + "title": "The setting for users to check publisher certificates for revocation must be enabled.", + "desc": "A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.\n\n NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.", "descriptions": { - "default": "The JRE is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system." + "default": "A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.\n\n NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "JRE must be the most recent version available.", - "gid": "V-39239", - "rid": "SV-51133r1_rule", - "stig_id": "JRE0090-UX", - "cci": "CCI-002605", + "gtitle": "JRE0020 Enable revocation check on publisher certificates", + "gid": "V-32830", + "rid": "SV-43604r2_rule", + "stig_id": "JRE0020-UX", + "cci": "CCI-001991", "nist": [ - "SI-2 c", + "IA-5 (2) (d)", "Rev_4" ], - "check": "Open a terminal window and type the command; java -version sans quotes. The return value should contain Java build information; Java (TM) SE Runtime Environment (build x.x.x.x) Cross reference the build information on the system with the Oracle Java site to identify the most recent build available. http://www.oracle.com/technetwork/java/javase/downloads/index.html", - "fix": "Test applications to ensure operational compatibility with new version of Java. Install latest version of Java JRE." + "check": "If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties. If the 'deployment.security.validation.crl' key is not present, this is a finding. If the 'deployment.security.validation.crl' key is present and set to 'false', this is a finding.", + "fix": "Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Add or update the 'deployment.security.validation.crl' key. Set the value to 'true'. " }, - "code": "control 'V-39239' do\n title 'The version of the JRE running on the system must be the most current available.'\n desc 'The JRE is being continually updated by the vendor in order to address identified security vulnerabilities. 
Running an older version of the JRE can introduce security vulnerabilities to the system.'\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE must be the most recent version available.'\n tag \"gid\": 'V-39239'\n tag \"rid\": 'SV-51133r1_rule'\n tag \"stig_id\": 'JRE0090-UX'\n tag \"cci\": 'CCI-002605'\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": 'Open a terminal window and type the command; java -version sans quotes. The return value should contain Java build information; Java (TM) SE Runtime Environment (build x.x.x.x) Cross reference the build information on the system with the Oracle Java site to identify the most recent build available. http://www.oracle.com/technetwork/java/javase/downloads/index.html'\n\n tag \"fix\": 'Test applications to ensure operational compatibility with new version of Java. Install latest version of Java JRE.'\n \n java_cmd = command('java -version').stderr&.lines&.first&.strip&.split&.last\n describe 'The java version installed' do\n it \"should be attribute('java_version\" do\n expect(java_cmd).to(match attribute('java_version'))\n end\n end\nend\n", + "code": "control 'V-32830' do\n title 'The setting for users to check publisher certificates for revocation must be enabled.'\n desc \"A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. 
Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.\n\n NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0020 Enable revocation check on publisher certificates'\n tag \"gid\": 'V-32830'\n tag \"rid\": 'SV-43604r2_rule'\n tag \"stig_id\": 'JRE0020-UX'\n tag \"cci\": 'CCI-001991'\n tag \"nist\": ['IA-5 (2) (d)', 'Rev_4']\n tag \"check\": \"If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties. If the 'deployment.security.validation.crl' key is not present, this is a finding. If the 'deployment.security.validation.crl' key is present and set to 'false', this is a finding.\"\n tag \"fix\": \"Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Add or update the 'deployment.security.validation.crl' key. Set the value to 'true'. 
\"\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file('/usr/java/jre/lib/deployment.properties') do\n its('content') { should match(/deployment.security.validation.crl=true/) }\n end\n end\nend\n", "source_location": { - "ref": "./JRE 7 STIG/controls/V-39239.rb", - "line": 1 + "ref": "./JRE 7 STIG/controls/V-32830.rb", + "line": 2 }, - "id": "V-39239" + "id": "V-32830" }, { - "title": "The configuration file must contain proper keys and values to deploy settings correctly.", - "desc": "This configuration file must hold values of the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file the value of the 'deployment.system.config. mandatory' key determines how to handle the situation. If the value of this key is true, JRE will not run if the path to the properties file is invalid. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.", + "title": "The version of the JRE running on the system must be the most current available.", + "desc": "The JRE is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.", "descriptions": { - "default": "This configuration file must hold values of the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file the value of the 'deployment.system.config. 
mandatory' key determines how to handle the situation. If the value of this key is true, JRE will not run if the path to the properties file is invalid. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed." + "default": "The JRE is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "JRE0060 The deployment.config file must be properly configured", - "gid": "V-32842", - "rid": "SV-43649r1_rule", - "stig_id": "JRE0060-UX", - "cci": "CCI-000366", - "nist": [ - "CM-6 b", - "Rev_4" - ], - "check": "Navigate to the deployment.config file. /usr/java/jre/lib/deployment.config If the configuration file does not contain 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties', this is a finding. If the configuration file does not contain 'deployment.system.config.mandatory=false', this is a finding.", - "fix": "Specify the path to the deployment.properties file and set the mandatory configuration values. Navigate to the deployment.config file. /usr/java/jre/lib/deployment.properties Include the following keys in the configuration file: 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties' 'deployment.system.config.mandatory=false'." - }, - "code": "control 'V-32842' do\n title 'The configuration file must contain proper keys and values to deploy settings correctly.'\n desc \"This configuration file must hold values of the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file the value of the 'deployment.system.config. mandatory' key determines how to handle the situation. 
If the value of this key is true, JRE will not run if the path to the properties file is invalid. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.\"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE0060 The deployment.config file must be properly configured'\n tag \"gid\": 'V-32842'\n tag \"rid\": 'SV-43649r1_rule'\n tag \"stig_id\": 'JRE0060-UX'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": \"Navigate to the deployment.config file. /usr/java/jre/lib/deployment.config If the configuration file does not contain 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties', this is a finding. If the configuration file does not contain 'deployment.system.config.mandatory=false', this is a finding.\"\n tag \"fix\": \"Specify the path to the deployment.properties file and set the mandatory configuration values. Navigate to the deployment.config file. /usr/java/jre/lib/deployment.properties Include the following keys in the configuration file: 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties' 'deployment.system.config.mandatory=false'.\"\n\n describe file('/usr/java/jre/lib/deployment.config') do\n its('content') { should match(%r{deployment.system.config=file:/usr/java/jre/lib/deployment.properties}) }\n end\n describe file('/usr/java/jre/lib/deployment.config') do\n its('content') { should match(/deployment.system.config.mandatory=false/) }\n end\nend\n", - "source_location": { - "ref": "./JRE 7 STIG/controls/V-32842.rb", - "line": 1 - }, - "id": "V-32842" - }, - { - "title": "Java Runtime Environment (JRE) versions that are no longer supported by the vendor for security updates must not be installed on a system.", - "desc": "Java Runtime Environment (JRE) versions that are no longer supported by Oracle for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. 
Organizations must transition to a supported Java Runtime Environment (JRE) version to ensure continued support.", - "descriptions": { - "default": "Java Runtime Environment (JRE) versions that are no longer supported by Oracle for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must transition to a supported Java Runtime Environment (JRE) version to ensure continued support." - }, - "impact": 0.7, - "refs": [], - "tags": { - "severity": "high", - "gtitle": "Unsupported Java Runtime Environment (JRE) applications", - "gid": "V-61037", - "rid": "SV-75505r2_rule", - "stig_id": "JRE9999-UX", + "gtitle": "JRE must be the most recent version available.", + "gid": "V-39239", + "rid": "SV-51133r1_rule", + "stig_id": "JRE0090-UX", "cci": "CCI-002605", "nist": [ "SI-2 c", "Rev_4" ], - "check": "Oracle support for Java Runtime Environment (JRE) 7 for Unix ended 2015 April. If JRE 7 for Unix is installed on a system, this is a finding. If an extended support agreement providing security patches for the unsupported product is procured from the vendor, this finding may be downgraded to a CAT III.", - "fix": "Upgrade Java Runtime Environment (JRE) 7 for Unix software to a supported version." + "check": "Open a terminal window and type the command; java -version sans quotes. The return value should contain Java build information; Java (TM) SE Runtime Environment (build x.x.x.x) Cross reference the build information on the system with the Oracle Java site to identify the most recent build available. http://www.oracle.com/technetwork/java/javase/downloads/index.html", + "fix": "Test applications to ensure operational compatibility with new version of Java. Install latest version of Java JRE." 
}, - "code": "control 'V-61037' do\n title 'Java Runtime Environment (JRE) versions that are no longer supported by the vendor for security updates must not be installed on a system.'\n desc 'Java Runtime Environment (JRE) versions that are no longer supported by Oracle for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must transition to a supported Java Runtime Environment (JRE) version to ensure continued support.'\n impact 0.7\n tag \"severity\": 'high'\n tag \"gtitle\": 'Unsupported Java Runtime Environment (JRE) applications'\n tag \"gid\": 'V-61037'\n tag \"rid\": 'SV-75505r2_rule'\n tag \"stig_id\": 'JRE9999-UX'\n tag \"cci\": 'CCI-002605'\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": 'Oracle support for Java Runtime Environment (JRE) 7 for Unix ended 2015 April. If JRE 7 for Unix is installed on a system, this is a finding. If an extended support agreement providing security patches for the unsupported product is procured from the vendor, this finding may be downgraded to a CAT III.'\n\n tag \"fix\": 'Upgrade Java Runtime Environment (JRE) 7 for Unix software to a supported version.'\n\n\n\n java_cmd = command('java -version').stderr&.lines&.first&.strip&.split&.last\n describe 'The java version installed' do\n it \"should be attribute('java_version\" do\n expect(java_cmd).to(match attribute('java_version'))\n end\n end\nend\n", + "code": "control 'V-39239' do\n title 'The version of the JRE running on the system must be the most current available.'\n desc 'The JRE is being continually updated by the vendor in order to address identified security vulnerabilities. 
Running an older version of the JRE can introduce security vulnerabilities to the system.'\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'JRE must be the most recent version available.'\n tag \"gid\": 'V-39239'\n tag \"rid\": 'SV-51133r1_rule'\n tag \"stig_id\": 'JRE0090-UX'\n tag \"cci\": 'CCI-002605'\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": 'Open a terminal window and type the command; java -version sans quotes. The return value should contain Java build information; Java (TM) SE Runtime Environment (build x.x.x.x) Cross reference the build information on the system with the Oracle Java site to identify the most recent build available. http://www.oracle.com/technetwork/java/javase/downloads/index.html'\n\n tag \"fix\": 'Test applications to ensure operational compatibility with new version of Java. Install latest version of Java JRE.'\n \n java_cmd = command('java -version').stderr&.lines&.first&.strip&.split&.last\n describe 'The java version installed' do\n it \"should be attribute('java_version\" do\n expect(java_cmd).to(match attribute('java_version'))\n end\n end\nend\n", "source_location": { - "ref": "./JRE 7 STIG/controls/V-61037.rb", + "ref": "./JRE 7 STIG/controls/V-39239.rb", "line": 1 }, - "id": "V-61037" + "id": "V-39239" } ], "groups": [ { "title": null, "controls": [ - "V-32832" + "V-32842" ], - "id": "controls/V-32832.rb" + "id": "controls/V-32842.rb" }, { "title": null, "controls": [ - "V-32902" + "V-32901" ], - "id": "controls/V-32902.rb" + "id": "controls/V-32901.rb" }, { "title": null, 
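Review bot: The V-32830 test on the new side, `its('content') { should match(/deployment.security.validation.crl=true/) }`, passes when that text appears anywhere in deployment.properties, including on a commented-out line, and it never fails on an explicit `=false` setting even though the control's own `check` text calls that a finding. Anchoring the key and adding the negative case covers both: `its('content') { should match(/^deployment\.security\.validation\.crl=true$/) }` followed by `its('content') { should_not match(/^deployment\.security\.validation\.crl=false$/) }` (the unescaped dots in the current pattern also match any character). The V-32829 control in the preceding hunk matches `deployment.security.askgrantdialog.notinca.locked` unanchored in the same way. Separately, the V-39239 example description inside its `code` string, `it "should be attribute('java_version" do`, has an unclosed quote; `it "should match attribute('java_version')" do` is what the report should show.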
@@ -360,58 +360,58 @@
 {
 "title": null,
 "controls": [
- "V-32901"
+ "V-32902"
 ],
- "id": "controls/V-32901.rb"
+ "id": "controls/V-32902.rb"
 },
 {
 "title": null,
 "controls": [
- "V-32829"
+ "V-32828"
 ],
- "id": "controls/V-32829.rb"
+ "id": "controls/V-32828.rb"
 },
 {
 "title": null,
 "controls": [
- "V-32828"
+ "V-32832"
 ],
- "id": "controls/V-32828.rb"
+ "id": "controls/V-32832.rb"
 },
 {
 "title": null,
 "controls": [
- "V-32830"
+ "V-61037"
 ],
- "id": "controls/V-32830.rb"
+ "id": "controls/V-61037.rb"
 },
 {
 "title": null,
 "controls": [
- "V-32833"
+ "V-32829"
 ],
- "id": "controls/V-32833.rb"
+ "id": "controls/V-32829.rb"
 },
 {
 "title": null,
 "controls": [
- "V-39239"
+ "V-32833"
 ],
- "id": "controls/V-39239.rb"
+ "id": "controls/V-32833.rb"
 },
 {
 "title": null,
 "controls": [
- "V-32842"
+ "V-32830"
 ],
- "id": "controls/V-32842.rb"
+ "id": "controls/V-32830.rb"
 },
 {
 "title": null,
 "controls": [
- "V-61037"
+ "V-39239"
 ],
- "id": "controls/V-61037.rb"
+ "id": "controls/V-39239.rb"
 }
 ],
 "sha256": "a17fdf711edee8805130b987daf425b8083cba839b0321f7d828bdf367245512",
diff --git a/src/assets/data/baselineProfiles/oracle-java-runtime-environment-8-unix-stig-baseline.json b/src/assets/data/baselineProfiles/oracle-java-runtime-environment-8-unix-stig-baseline.json
index bed70045..f119a2e6 100644
--- a/src/assets/data/baselineProfiles/oracle-java-runtime-environment-8-unix-stig-baseline.json
+++ b/src/assets/data/baselineProfiles/oracle-java-runtime-environment-8-unix-stig-baseline.json
@@ -16,33 +16,33 @@
 "inputs": [],
 "controls": [
 {
- "title": "Oracle JRE 8 must set the option to enable online certificate validation",
- "desc": "Online certificate validation provides a real-time option to validate a\ncertificate. When enabled, if a certificate is presented, the status of the\ncertificate is requested. The status is sent back as “current”, “expired”,\nor “unknown”. Online certificate validation provides a greater degree of\nvalidation of certificates when running a signed Java applet. Permitting\nexecution of an applet with an invalid certificate may result in malware,\nsystem modification, invasion of privacy, and denial of service.",
+ "title": "Oracle JRE 8 must remove previous versions when the latest version is\n installed",
+ "desc": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions\nof software automatically from the information system.",
 "descriptions": {
- "default": "Online certificate validation provides a real-time option to validate a\ncertificate. When enabled, if a certificate is presented, the status of the\ncertificate is requested. The status is sent back as “current”, “expired”,\nor “unknown”. Online certificate validation provides a greater degree of\nvalidation of certificates when running a signed Java applet. Permitting\nexecution of an applet with an invalid certificate may result in malware,\nsystem modification, invasion of privacy, and denial of service."
+ "default": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions\nof software automatically from the information system."
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "SRG-APP-000175", - "gid": "V-66921", - "rid": "SV-81411r1_rule", - "stig_id": "JRE8-UX-000100", - "cci": "CCI-000185", + "gtitle": "SRG-APP-000454", + "gid": "V-66935", + "rid": "SV-81425r1_rule", + "stig_id": "JRE8-UX-000190", + "cci": "CCI-002617", "nist": [ - "IA-5 (2)(a)", + "SI-2 (6)", "Rev_4" ], - "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.validation.ocsp=true” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.security.validation.ocsp.locked” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.security.validation.ocsp” is set to “false”, this is a finding.", - "fix": "If the system is on the SIPRNet, this requirement is NA. Navigate\n to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.validation.ocsp=true” to the deployment.properties file.\n Add the key “deployment.security.validation.ocsp.locked” to the\n deployment.properties file." + "check": "Review the system configuration to ensure old versions of JRE\n have been removed. There are two ways to uninstall Java. Use the method that\n you used when you installed Java. For example, if you used RPM to install\n Java, then use the RPM uninstall method. If RPM is installed, first query to\n ascertain that JRE was installed using RPM. Search for the JRE package by\n typing: # rpm -qa | grep -i jre If RPM reports a package similar to\n jre--fcs, then JRE is installed with RPM. If JRE is not installed\n using RPM, skip to Self-extracting file uninstall. To uninstall Java via RPM,\n type: # rpm -e jre--fcs Self-extracting file uninstall:\n 1. Browse folders to ascertain where JRE is installed. 
Common locations are\n /usr/java/jre_ or opt/jre_nb/jre_/bin/java/\n 2. When you have located the directory, you may delete the directory by using\n the following command:\n Note: Ensure JRE is not already installed using RPM before removing\n the directory.\n # rm -r //jre\n Ensure only one instance of JRE is installed on the system.\n # ps -ef | grep -I jre If more than one\n instance of JRE is running, this is a finding.", + "fix": "Remove previous versions of JRE. RPM uninstall: # rpm -e\n jre--fcs Self-extracting file uninstall: # rm -r jre Perform\n for all out of date instances of JRE." }, - "code": "control 'V-66921' do\n title 'Oracle JRE 8 must set the option to enable online certificate validation'\n desc \"\n Online certificate validation provides a real-time option to validate a\n certificate. When enabled, if a certificate is presented, the status of the\n certificate is requested. The status is sent back as “current”, “expired”,\n or “unknown”. Online certificate validation provides a greater degree of\n validation of certificates when running a signed Java applet. Permitting\n execution of an applet with an invalid certificate may result in malware,\n system modification, invasion of privacy, and denial of service.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000175'\n tag \"gid\": 'V-66921'\n tag \"rid\": 'SV-81411r1_rule'\n tag \"stig_id\": 'JRE8-UX-000100'\n tag \"cci\": 'CCI-000185'\n tag \"nist\": ['IA-5 (2)(a)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.validation.ocsp=true” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.security.validation.ocsp.locked” is not present in the\n deployment.properties file, this is a finding. 
If the key\n “deployment.security.validation.ocsp” is set to “false”, this is a finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. Navigate\n to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.validation.ocsp=true” to the deployment.properties file.\n Add the key “deployment.security.validation.ocsp.locked” to the\n deployment.properties file.'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.validation.ocsp=true/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.validation.ocsp.locked/) }\n end\n end\nend\n", + "code": "control 'V-66935' do\n title 'Oracle JRE 8 must remove previous versions when the latest version is\n installed'\n desc \"\n Previous versions of software components that are not removed from the\n information system after updates have been installed may be exploited by\n adversaries. Some information technology products may remove older versions\n of software automatically from the information system.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000454'\n tag \"gid\": 'V-66935'\n tag \"rid\": 'SV-81425r1_rule'\n tag \"stig_id\": 'JRE8-UX-000190'\n tag \"cci\": 'CCI-002617'\n tag \"nist\": ['SI-2 (6)', 'Rev_4']\n tag \"check\": 'Review the system configuration to ensure old versions of JRE\n have been removed. There are two ways to uninstall Java. Use the method that\n you used when you installed Java. For example, if you used RPM to install\n Java, then use the RPM uninstall method. 
If RPM is installed, first query to\n ascertain that JRE was installed using RPM. Search for the JRE package by\n typing: # rpm -qa | grep -i jre If RPM reports a package similar to\n jre--fcs, then JRE is installed with RPM. If JRE is not installed\n using RPM, skip to Self-extracting file uninstall. To uninstall Java via RPM,\n type: # rpm -e jre--fcs Self-extracting file uninstall:\n 1. Browse folders to ascertain where JRE is installed. Common locations are\n /usr/java/jre_ or opt/jre_nb/jre_/bin/java/\n 2. When you have located the directory, you may delete the directory by using\n the following command:\n Note: Ensure JRE is not already installed using RPM before removing\n the directory.\n # rm -r //jre\n Ensure only one instance of JRE is installed on the system.\n # ps -ef | grep -I jre If more than one\n instance of JRE is running, this is a finding.'\n\n tag \"fix\": 'Remove previous versions of JRE. RPM uninstall: # rpm -e\n jre--fcs Self-extracting file uninstall: # rm -r jre Perform\n for all out of date instances of JRE.'\n\n describe 'A manual review is required to ensure Oracle JRE 8 removes previous versions when the latest version is\n installed' do\n skip 'A manual review is required to ensure Oracle JRE 8 removes previous versions when the latest version is\n installed'\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66921.rb", - "line": 2 + "ref": "./JRE 8 STIG/controls/V-66935.rb", + "line": 1 }, - "id": "V-66921" + "id": "V-66935" }, { "title": "Oracle JRE 8 must disable the dialog enabling users to grant\n permissions to execute signed content from an untrusted authority", 
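Review bot: The `check` and `fix` strings for V-66935, and their copies inside the `code` string, have lost their placeholders: `rpm -e jre--fcs`, `/usr/java/jre_ or opt/jre_nb/jre_/bin/java/` and `rm -r //jre` now read as literal commands, which suggests angle-bracket tokens in the STIG text were stripped on import. An operator following the `fix` text literally would run `rm -r jre` or `rm -r //jre` against whatever happens to sit at that path, so restoring clearly labelled placeholders such as `rpm -e jre-VERSION-fcs` and `rm -r /INSTALL_PATH/jre` (constructed; confirm against the STIG source) makes the guidance unambiguous. Because `tags.check`/`tags.fix` and the `tag "check"`/`tag "fix"` lines in `code` duplicate this text, both copies need the same repair or they will drift.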
@@ -74,120 +74,91 @@
 "id": "V-66917"
 },
 {
- "title": "Oracle JRE 8 must default to the most secure built-in setting",
- "desc": "Applications that are signed with a valid certificate and include the\npermissions attribute in the manifest for the main JAR file are allowed to\nrun with security prompts. All other applications are blocked. Unsigned\napplications could perform numerous types of attacks on a system.",
- "descriptions": {
- "default": "Applications that are signed with a valid certificate and include the\npermissions attribute in the manifest for the main JAR file are allowed to\nrun with security prompts. All other applications are blocked. Unsigned\napplications could perform numerous types of attacks on a system."
- },
- "impact": 0.3,
- "refs": [],
- "tags": {
- "severity": "low",
- "gtitle": "SRG-APP-000516",
- "gid": "V-66913",
- "rid": "SV-81403r1_rule",
- "stig_id": "JRE8-UX-000060",
- "cci": "CCI-000366",
- "nist": [
- "CM-6 b",
- "Rev_4"
- ],
- "check": "Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties If the key\n “deployment.security.level=VERY_HIGH” is not present in the\n deployment.properties file, or is set to “HIGH”, this is a finding. If the\n key",
- "fix": "Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.level=VERY_HIGH” to the deployment.properties file. Add\n the key “deployment.security.level.locked” to the deployment.properties file."
- },
- "code": "control 'V-66913' do\n title 'Oracle JRE 8 must default to the most secure built-in setting'\n desc \"\n Applications that are signed with a valid certificate and include the\n permissions attribute in the manifest for the main JAR file are allowed to\n run with security prompts. All other applications are blocked. 
Unsigned\n applications could perform numerous types of attacks on a system.\n \"\n impact 0.3\n tag \"severity\": 'low'\n tag \"gtitle\": 'SRG-APP-000516'\n tag \"gid\": 'V-66913'\n tag \"rid\": 'SV-81403r1_rule'\n tag \"stig_id\": 'JRE8-UX-000060'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": 'Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties If the key\n “deployment.security.level=VERY_HIGH” is not present in the\n deployment.properties file, or is set to “HIGH”, this is a finding. If the\n key'\n\n tag \"fix\": 'Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.level=VERY_HIGH” to the deployment.properties file. Add\n the key “deployment.security.level.locked” to the deployment.properties file.'\n\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.level=VERY_HIGH/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.level.locked/) }\n end\nend\n", - "source_location": { - "ref": "./JRE 8 STIG/controls/V-66913.rb", - "line": 1 - }, - "id": "V-66913" - }, - { - "title": "Oracle JRE 8 must enable the dialog to enable users to check publisher\n certificates for revocation", - "desc": "A certificate revocation list is a directory which contains a list of\ncertificates that have been revoked for various reasons. Certificates may be\nrevoked due to improper issuance, compromise of the certificate, and failure\nto adhere to policy. Therefore, any certificate found on a CRL should not be\ntrusted. 
Permitting execution of an applet published with a revoked\ncertificate may result in spoofing, malware, system modification, invasion\nof privacy, and denial of service.", + "title": "Oracle JRE 8 must set the option to enable online certificate validation", + "desc": "Online certificate validation provides a real-time option to validate a\ncertificate. When enabled, if a certificate is presented, the status of the\ncertificate is requested. The status is sent back as “current”, “expired”,\nor “unknown”. Online certificate validation provides a greater degree of\nvalidation of certificates when running a signed Java applet. Permitting\nexecution of an applet with an invalid certificate may result in malware,\nsystem modification, invasion of privacy, and denial of service.", "descriptions": { - "default": "A certificate revocation list is a directory which contains a list of\ncertificates that have been revoked for various reasons. Certificates may be\nrevoked due to improper issuance, compromise of the certificate, and failure\nto adhere to policy. Therefore, any certificate found on a CRL should not be\ntrusted. Permitting execution of an applet published with a revoked\ncertificate may result in spoofing, malware, system modification, invasion\nof privacy, and denial of service." + "default": "Online certificate validation provides a real-time option to validate a\ncertificate. When enabled, if a certificate is presented, the status of the\ncertificate is requested. The status is sent back as “current”, “expired”,\nor “unknown”. Online certificate validation provides a greater degree of\nvalidation of certificates when running a signed Java applet. Permitting\nexecution of an applet with an invalid certificate may result in malware,\nsystem modification, invasion of privacy, and denial of service." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-APP-000401",
- "gid": "V-66929",
- "rid": "SV-81419r1_rule",
- "stig_id": "JRE8-UX-000150",
- "cci": "CCI-001991",
+ "gtitle": "SRG-APP-000175",
+ "gid": "V-66921",
+ "rid": "SV-81411r1_rule",
+ "stig_id": "JRE8-UX-000100",
+ "cci": "CCI-000185",
 "nist": [
- "IA-5 (2) (d)",
+ "IA-5 (2)(a)",
 "Rev_4"
 ],
- "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.validation.crl=true” is not present in the\n deployment.properties file, or is set to “false”, this is a finding. If the\n key “deployment.security.validation.crl.locked” is not present in the\n deployment.properties file, this is a finding.",
- "fix": "If the system is on the SIPRNet, this requirement is NA. Enable\n the “Check certificates for revocation using Certificate Revocation Lists\n (CRL)” option. Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.validation.crl=true” to the deployment.properties file.\n Add the key “deployment.security.validation.crl.locked” to the\n deployment.properties file"
+ "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.validation.ocsp=true” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.security.validation.ocsp.locked” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.security.validation.ocsp” is set to “false”, this is a finding.",
+ "fix": "If the system is on the SIPRNet, this requirement is NA. 
Navigate\n to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.validation.ocsp=true” to the deployment.properties file.\n Add the key “deployment.security.validation.ocsp.locked” to the\n deployment.properties file." }, - "code": "control 'V-66929' do\n title 'Oracle JRE 8 must enable the dialog to enable users to check publisher\n certificates for revocation'\n desc \"\n A certificate revocation list is a directory which contains a list of\n certificates that have been revoked for various reasons. Certificates may be\n revoked due to improper issuance, compromise of the certificate, and failure\n to adhere to policy. Therefore, any certificate found on a CRL should not be\n trusted. Permitting execution of an applet published with a revoked\n certificate may result in spoofing, malware, system modification, invasion\n of privacy, and denial of service.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000401'\n tag \"gid\": 'V-66929'\n tag \"rid\": 'SV-81419r1_rule'\n tag \"stig_id\": 'JRE8-UX-000150'\n tag \"cci\": 'CCI-001991'\n tag \"nist\": ['IA-5 (2) (d)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.validation.crl=true” is not present in the\n deployment.properties file, or is set to “false”, this is a finding. If the\n key “deployment.security.validation.crl.locked” is not present in the\n deployment.properties file, this is a finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. Enable\n the “Check certificates for revocation using Certificate Revocation Lists\n (CRL)” option. Navigate to the system-level “deployment.properties” file for\n JRE. 
/etc/.java/deployment/deployment.properties Add the key\n “deployment.security.validation.crl=true” to the deployment.properties file.\n Add the key “deployment.security.validation.crl.locked” to the\n deployment.properties file'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.validation.crl=true/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.validation.crl.locked/) }\n end\n end\nend\n", + "code": "control 'V-66921' do\n title 'Oracle JRE 8 must set the option to enable online certificate validation'\n desc \"\n Online certificate validation provides a real-time option to validate a\n certificate. When enabled, if a certificate is presented, the status of the\n certificate is requested. The status is sent back as “current”, “expired”,\n or “unknown”. Online certificate validation provides a greater degree of\n validation of certificates when running a signed Java applet. 
Permitting\n execution of an applet with an invalid certificate may result in malware,\n system modification, invasion of privacy, and denial of service.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000175'\n tag \"gid\": 'V-66921'\n tag \"rid\": 'SV-81411r1_rule'\n tag \"stig_id\": 'JRE8-UX-000100'\n tag \"cci\": 'CCI-000185'\n tag \"nist\": ['IA-5 (2)(a)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.validation.ocsp=true” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.security.validation.ocsp.locked” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.security.validation.ocsp” is set to “false”, this is a finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. 
Navigate\n to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.validation.ocsp=true” to the deployment.properties file.\n Add the key “deployment.security.validation.ocsp.locked” to the\n deployment.properties file.'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.validation.ocsp=true/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.validation.ocsp.locked/) }\n end\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66929.rb", + "ref": "./JRE 8 STIG/controls/V-66921.rb", "line": 2 }, - "id": "V-66929" + "id": "V-66921" }, { - "title": "The version of Oracle JRE 8 running on the system must be the most\n current available", - "desc": "Oracle JRE 8 is being continually updated by the vendor in order to address\nidentified security vulnerabilities. Running an older version of the JRE can\nintroduce security vulnerabilities to the system.", + "title": "Oracle JRE 8 must lock the dialog enabling users to grant permissions\n to execute signed content from an untrusted authority", + "desc": "Java applets exist both signed and unsigned. Even for signed applets, there\ncan be many sources, some of which may be purveyors of malware. Applet\nsources considered trusted can have their information populated into the\nbrowser, enabling Java to validate applets against trusted sources.\nPermitting execution of signed Java applets from untrusted sources may\nresult in acquiring malware, and risks system modification, invasion of\nprivacy, or denial of service. 
Ensuring users cannot change settings\ncontributes to a more consistent security profile.",
 "descriptions": {
- "default": "Oracle JRE 8 is being continually updated by the vendor in order to address\nidentified security vulnerabilities. Running an older version of the JRE can\nintroduce security vulnerabilities to the system."
+ "default": "Java applets exist both signed and unsigned. Even for signed applets, there\ncan be many sources, some of which may be purveyors of malware. Applet\nsources considered trusted can have their information populated into the\nbrowser, enabling Java to validate applets against trusted sources.\nPermitting execution of signed Java applets from untrusted sources may\nresult in acquiring malware, and risks system modification, invasion of\nprivacy, or denial of service. Ensuring users cannot change settings\ncontributes to a more consistent security profile."
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "severity": "high",
- "gtitle": "SRG-APP-000456",
- "gid": "V-66937",
- "rid": "SV-81427r1_rule",
- "stig_id": "JRE8-UX-000180",
- "cci": "CCI-002605",
+ "severity": "medium",
+ "gtitle": "SRG-APP-000112",
+ "gid": "V-66919",
+ "rid": "SV-81409r1_rule",
+ "stig_id": "JRE8-UX-000090",
+ "cci": "CCI-001695",
 "nist": [
- "SI-2 c",
+ "SC-18 (3)",
 "Rev_4"
 ],
- "check": "Review the system configuration to ensure old versions of JRE\n have been removed. There are two ways to uninstall Java. Use the method that\n you used when you installed Java. For example, if you used RPM to install\n Java, then use the RPM uninstall method. If RPM is installed, first query to\n ascertain that JRE was installed using RPM. Search for the JRE package by\n typing: # rpm -qa | grep -i jre If RPM reports a package similar to\n jre--fcs, then JRE is installed with RPM. If JRE is not installed\n using RPM, skip to Self-extracting file uninstall. To uninstall Java via RPM,\n type: # rpm -e jre--fcs Self-extracting file uninstall: 1. 
Browse\n folders to ascertain where JRE is installed. Common locations are\n /usr/java/jre_ or opt/jre_nb/jre_/bin/java/ 2. When you have\n located the directory, you may delete the directory by using the following\n command: Note: Ensure JRE is not already installed using RPM before removing\n the directory. # rm -r //jre Ensure only one instance of\n JRE is installed on the system. # ps -ef | grep -I jre If more than one\n instance of JRE is running, this is a finding.", - "fix": "Remove previous versions of JRE. RPM uninstall: # rpm -e\n jre--fcs Self-extracting file uninstall: # rm -r jre Perform\n for all out of date instances of JRE." + "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key,\n “deployment.security.askgrantdialog.show=false” is not present, this is a\n finding. If the key, “deployment.security.askgrantdialog.show.locked” is not\n present, this is a finding. If the key\n “deployment.security.askgrantdialog.show” exists and is set to true, this is a\n finding.", + "fix": "If the system is on the SIPRNet, this requirement is NA. Lock the\n “Allow user to grant permissions to content from an untrusted authority”\n feature. Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.askgrantdialog.show=false” to the deployment.properties\n file. Add the key “deployment.security.askgrantdialog.show.locked” to the\n deployment.properties file." }, - "code": "control 'V-66937' do\n title 'The version of Oracle JRE 8 running on the system must be the most\n current available'\n desc \"\n Oracle JRE 8 is being continually updated by the vendor in order to address\n identified security vulnerabilities. 
Running an older version of the JRE can\n introduce security vulnerabilities to the system.\n \"\n impact 0.7\n tag \"severity\": 'high'\n tag \"gtitle\": 'SRG-APP-000456'\n tag \"gid\": 'V-66937'\n tag \"rid\": 'SV-81427r1_rule'\n tag \"stig_id\": 'JRE8-UX-000180'\n tag \"cci\": 'CCI-002605'\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": 'Review the system configuration to ensure old versions of JRE\n have been removed. There are two ways to uninstall Java. Use the method that\n you used when you installed Java. For example, if you used RPM to install\n Java, then use the RPM uninstall method. If RPM is installed, first query to\n ascertain that JRE was installed using RPM. Search for the JRE package by\n typing: # rpm -qa | grep -i jre If RPM reports a package similar to\n jre--fcs, then JRE is installed with RPM. If JRE is not installed\n using RPM, skip to Self-extracting file uninstall. To uninstall Java via RPM,\n type: # rpm -e jre--fcs Self-extracting file uninstall: 1. Browse\n folders to ascertain where JRE is installed. Common locations are\n /usr/java/jre_ or opt/jre_nb/jre_/bin/java/ 2. When you have\n located the directory, you may delete the directory by using the following\n command: Note: Ensure JRE is not already installed using RPM before removing\n the directory. # rm -r //jre Ensure only one instance of\n JRE is installed on the system. # ps -ef | grep -I jre If more than one\n instance of JRE is running, this is a finding.'\n\n tag \"fix\": 'Remove previous versions of JRE. 
RPM uninstall: # rpm -e\n jre--fcs Self-extracting file uninstall: # rm -r jre Perform\n for all out of date instances of JRE.'\n\n java_cmd = command('java -version').stderr&.lines&.first&.strip&.split&.last\n describe 'The java version installed' do\n it \"should be attribute('java_version\" do\n expect(java_cmd).to(match attribute('java_version'))\n end\n end\nend\n", + "code": "control 'V-66919' do\n title 'Oracle JRE 8 must lock the dialog enabling users to grant permissions\n to execute signed content from an untrusted authority'\n desc \"\n Java applets exist both signed and unsigned. Even for signed applets, there\n can be many sources, some of which may be purveyors of malware. Applet\n sources considered trusted can have their information populated into the\n browser, enabling Java to validate applets against trusted sources.\n Permitting execution of signed Java applets from untrusted sources may\n result in acquiring malware, and risks system modification, invasion of\n privacy, or denial of service. Ensuring users cannot change settings\n contributes to a more consistent security profile.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000112'\n tag \"gid\": 'V-66919'\n tag \"rid\": 'SV-81409r1_rule'\n tag \"stig_id\": 'JRE8-UX-000090'\n tag \"cci\": 'CCI-001695'\n tag \"nist\": ['SC-18 (3)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key,\n “deployment.security.askgrantdialog.show=false” is not present, this is a\n finding. If the key, “deployment.security.askgrantdialog.show.locked” is not\n present, this is a finding. If the key\n “deployment.security.askgrantdialog.show” exists and is set to true, this is a\n finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. 
Lock the\n “Allow user to grant permissions to content from an untrusted authority”\n feature. Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.askgrantdialog.show=false” to the deployment.properties\n file. Add the key “deployment.security.askgrantdialog.show.locked” to the\n deployment.properties file.'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.askgrantdialog.show=false/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.askgrantdialog.show.locked/) }\n end\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66937.rb", - "line": 1 + "ref": "./JRE 8 STIG/controls/V-66919.rb", + "line": 2 }, - "id": "V-66937" + "id": "V-66919" }, { - "title": "Oracle JRE 8 must have an exception.sites file present.", - "desc": "Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nThe organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting. Verification of whitelisted\nsoftware can occur either prior to execution or at system startup. 
This\nrequirement applies to configuration management applications or similar\ntypes of applications designed to manage system processes and configurations\n(e.g., HBSS and software wrappers).", + "title": "Oracle JRE 8 must have a deployment.properties file present", + "desc": "By default no deployment.properties file exists; thus, no system-wide\ndeployment exists. The file must be created. The deployment.properties file\nis used for specifying keys for the Java Runtime Environment. Each option in\nthe Java control panel is represented by property keys. These keys adjust\nthe options in the Java control panel based on the value assigned to that\nkey. Without the deployment.properties file, setting particular options for\nthe Java control panel is impossible.", "descriptions": { - "default": "Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nThe organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting. Verification of whitelisted\nsoftware can occur either prior to execution or at system startup. This\nrequirement applies to configuration management applications or similar\ntypes of applications designed to manage system processes and configurations\n(e.g., HBSS and software wrappers)." + "default": "By default no deployment.properties file exists; thus, no system-wide\ndeployment exists. The file must be created. The deployment.properties file\nis used for specifying keys for the Java Runtime Environment. Each option in\nthe Java control panel is represented by property keys. These keys adjust\nthe options in the Java control panel based on the value assigned to that\nkey. 
Without the deployment.properties file, setting particular options for\nthe Java control panel is impossible."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-APP-000386",
- "gid": "V-66927",
- "rid": "SV-81417r1_rule",
- "stig_id": "JRE8-UX-000130",
- "cci": "CCI-001774",
+ "gtitle": "SRG-APP-000516",
+ "gid": "V-66911",
+ "rid": "SV-81401r1_rule",
+ "stig_id": "JRE8-UX-000030",
+ "cci": "CCI-000366",
 "nist": [
- "CM-7 (5) (c)",
+ "CM-6 b",
 "Rev_4"
 ],
- "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the “exception.sites” file for Java:\n /etc/.java/deployment/exception.sites If the exception.sites file does not\n exist, it must be created. The exception.sites file is a text file containing\n single-line URLs for accepted risk sites. If there are no AO approved sites to\n be added to the configuration, it is acceptable for this file to be blank. If\n the “exception.sites” file does not exist, this is a finding. If the\n “exception.sites” file contains URLs that are not AO approved, this is a\n finding.",
- "fix": "If the system is on the SIPRNet, this requirement is NA. Create\n the JRE exception.sites file: No default file exists. A text file named\n exception.sites, and the directory structure in which it is located must be\n manually created. The location must be aligned as defined in the\n deployment.properties file. /etc/.java/deployment/deployment.properties is an\n example."
+ "check": "Navigate to the system-level “deployment.properties” file for\n JRE. 
/etc/.java/deployment/deployment.properties If there is no file entitled\n “deployment.properties”, this is a finding.", + "fix": "Create the Java deployment properties file\n “/etc/.java/deployment/deployment.properties”" }, - "code": "control 'V-66927' do\n title 'Oracle JRE 8 must have an exception.sites file present.'\n desc \"\n Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information\n systems is commonly referred to as whitelisting. Verification of whitelisted\n software can occur either prior to execution or at system startup. This\n requirement applies to configuration management applications or similar\n types of applications designed to manage system processes and configurations\n (e.g., HBSS and software wrappers).\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000386'\n tag \"gid\": 'V-66927'\n tag \"rid\": 'SV-81417r1_rule'\n tag \"stig_id\": 'JRE8-UX-000130'\n tag \"cci\": 'CCI-001774'\n tag \"nist\": ['CM-7 (5) (c)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the “exception.sites” file for Java:\n /etc/.java/deployment/exception.sites If the exception.sites file does not\n exist, it must be created. The exception.sites file is a text file containing\n single-line URLs for accepted risk sites. If there are no AO approved sites to\n be added to the configuration, it is acceptable for this file to be blank. If\n the “exception.sites” file does not exist, this is a finding. 
If the\n “exception.sites” file contains URLs that are not AO approved, this is a\n finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. Create\n the JRE exception.sites file: No default file exists. A text file named\n exception.sites, and the directory structure in which it is located must be\n manually created. The location must be aligned as defined in the\n deployment.properties file. /etc/.java/deployment/deployment.properties is an\n example.'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_exception_sites_file')) do\n it { should exist }\n end\n end\nend\n", + "code": "control 'V-66911' do\n title 'Oracle JRE 8 must have a deployment.properties file present'\n desc \"\n By default no deployment.properties file exists; thus, no system-wide\n deployment exists. The file must be created. The deployment.properties file\n is used for specifying keys for the Java Runtime Environment. Each option in\n the Java control panel is represented by property keys. These keys adjust\n the options in the Java control panel based on the value assigned to that\n key. Without the deployment.properties file, setting particular options for\n the Java control panel is impossible.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000516'\n tag \"gid\": 'V-66911'\n tag \"rid\": 'SV-81401r1_rule'\n tag \"stig_id\": 'JRE8-UX-000030'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": 'Navigate to the system-level “deployment.properties” file for\n JRE. 
/etc/.java/deployment/deployment.properties If there is no file entitled\n “deployment.properties”, this is a finding.'\n\n tag \"fix\": 'Create the Java deployment properties file\n “/etc/.java/deployment/deployment.properties”'\n\n describe file('/etc/.java/deployment/deployment.properties') do\n it { should exist }\n end\nend\n",
 "source_location": {
- "ref": "./JRE 8 STIG/controls/V-66927.rb",
- "line": 2
+ "ref": "./JRE 8 STIG/controls/V-66911.rb",
+ "line": 1
 },
- "id": "V-66927"
+ "id": "V-66911"
 },
 {
 "title": "Oracle JRE 8 must be set to allow Java Web Start (JWS) applications", 
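Review bot: The `describe file(...)` assertions in the new V-66921 and V-66919 `code` strings test the property as an unanchored substring of the whole file, so a commented-out `#deployment.security.validation.ocsp=true` line satisfies the check while a conflicting `...ocsp=false` entry elsewhere in the same file goes unnoticed, and the unescaped dots let `.` match any character. Anchoring to a line — e.g. `its('content') { should match(/^\s*deployment\.security\.validation\.ocsp\s*=\s*true\s*$/) }`, with the same shape for the `.locked` key and for V-66919's `askgrantdialog.show=false` pair — makes the test match what the `check` text actually requires. Separately, V-66911 hard-codes `/etc/.java/deployment/deployment.properties` where the sibling controls read `attribute('deployment_properties_file')`, so an overridden attribute would have the existence check and the content checks inspect different files; `describe file(attribute('deployment_properties_file')) do` keeps them consistent. This JSON looks generated from the `.rb` files named in `source_location`, so the edits belong in those controls, with the baseline regenerated afterwards.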
@@ -219,178 +190,207 @@ "id": "V-66915" }, { - "title": "Oracle JRE 8 must enable the option to use an accepted sites list", - "desc": "Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nThe organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting. Verification of whitelisted\nsoftware can occur either prior to execution or at system startup. This\nrequirement applies to configuration management applications or similar\ntypes of applications designed to manage system processes and configurations\n(e.g., HBSS and software wrappers).", + "title": "Oracle JRE 8 deployment.config file must contain proper keys and values", + "desc": "The deployment.config configuration file contains two keys. The\ndeployment.properties key includes the path of the deployment.properties\nfile and the deployment.properties.mandatory key contains either a TRUE or\nFALSE value. If the path specified to deployment.properties does not lead to\na deployment.properties file, the value of the\ndeployment.system.config.mandatory key determines how JRE will handle the\nsituation. If the value of the deployment.system.config.mandatory key is\nTRUE and if the path to the deployment.properties file is invalid, the JRE\nwill not allow Java applications to run. This is the desired behavior.", "descriptions": { - "default": "Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. 
Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nThe organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting. Verification of whitelisted\nsoftware can occur either prior to execution or at system startup. This\nrequirement applies to configuration management applications or similar\ntypes of applications designed to manage system processes and configurations\n(e.g., HBSS and software wrappers)." + "default": "The deployment.config configuration file contains two keys. The\ndeployment.properties key includes the path of the deployment.properties\nfile and the deployment.properties.mandatory key contains either a TRUE or\nFALSE value. If the path specified to deployment.properties does not lead to\na deployment.properties file, the value of the\ndeployment.system.config.mandatory key determines how JRE will handle the\nsituation. If the value of the deployment.system.config.mandatory key is\nTRUE and if the path to the deployment.properties file is invalid, the JRE\nwill not allow Java applications to run. This is the desired behavior." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "SRG-APP-000386", - "gid": "V-66925", - "rid": "SV-81415r2_rule", - "stig_id": "JRE8-UX-000120", - "cci": "CCI-001774", + "gtitle": "SRG-APP-000516", + "gid": "V-66909", + "rid": "SV-81399r2_rule", + "stig_id": "JRE8-UX-000020", + "cci": "CCI-000366", "nist": [ - "CM-7 (5) (c)", + "CM-6 b", "Rev_4" ], - "check": "Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties If the key\n “deployment.user.security.exception.sites” is not present in the\n deployment.properties file, this is a finding. 
If the key\n “deployment.user.security.exception.sites” is not set to the location of the\n exception.sites file, this is a finding. An example of a correct setting is:\n deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites", - "fix": "Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites”\n to the deployment.properties file." + "check": "Navigate to the deployment.config file for JRE:\n /etc/.java/deployment/deployment.config The deployment.config file contains\n two properties: deployment.system.config and\n deployment.system.config.mandatory. The deployment.system.config key points to\n the location of the deployment.properties file. The location is variable. It\n can point to a file on the local disk, or a UNC path. The following is an\n example: deployment.system.config=/etc/.java/deployment/deployment.properties\n If the deployment.system.config key does not exist or does not point to the\n location of the deployment.properties file, this is a finding. If the\n deployment.system.config.mandatory key does not exist or is set to false, this\n is a finding.", + "fix": "Navigate to the deployment.config file for JRE:\n /etc/.java/deployment/deployment.config Add the key\n deployment.system.config= to the\n deployment.config file. The following is an example:\n deployment.system.config=/etc/.java/deployment/deployment.properties. Note the\n use of forward slashes. Add the key deployment.system.config.mandatory=true to\n the deployment.config file." }, - "code": "control 'V-66925' do\n title 'Oracle JRE 8 must enable the option to use an accepted sites list'\n desc \"\n Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. 
Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information\n systems is commonly referred to as whitelisting. Verification of whitelisted\n software can occur either prior to execution or at system startup. This\n requirement applies to configuration management applications or similar\n types of applications designed to manage system processes and configurations\n (e.g., HBSS and software wrappers).\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000386'\n tag \"gid\": 'V-66925'\n tag \"rid\": 'SV-81415r2_rule'\n tag \"stig_id\": 'JRE8-UX-000120'\n tag \"cci\": 'CCI-001774'\n tag \"nist\": ['CM-7 (5) (c)', 'Rev_4']\n tag \"check\": 'Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties If the key\n “deployment.user.security.exception.sites” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.user.security.exception.sites” is not set to the location of the\n exception.sites file, this is a finding. 
An example of a correct setting is:\n deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites'\n\n tag \"fix\": 'Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites”\n to the deployment.properties file.'\n\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(%r{deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites}) }\n end\nend\n", + "code": "control 'V-66909' do\n title 'Oracle JRE 8 deployment.config file must contain proper keys and values'\n desc \"\n The deployment.config configuration file contains two keys. The\n deployment.properties key includes the path of the deployment.properties\n file and the deployment.properties.mandatory key contains either a TRUE or\n FALSE value. If the path specified to deployment.properties does not lead to\n a deployment.properties file, the value of the\n deployment.system.config.mandatory key determines how JRE will handle the\n situation. If the value of the deployment.system.config.mandatory key is\n TRUE and if the path to the deployment.properties file is invalid, the JRE\n will not allow Java applications to run. This is the desired behavior.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000516'\n tag \"gid\": 'V-66909'\n tag \"rid\": 'SV-81399r2_rule'\n tag \"stig_id\": 'JRE8-UX-000020'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": 'Navigate to the deployment.config file for JRE:\n /etc/.java/deployment/deployment.config The deployment.config file contains\n two properties: deployment.system.config and\n deployment.system.config.mandatory. The deployment.system.config key points to\n the location of the deployment.properties file. The location is variable. It\n can point to a file on the local disk, or a UNC path. 
The following is an\n example: deployment.system.config=/etc/.java/deployment/deployment.properties\n If the deployment.system.config key does not exist or does not point to the\n location of the deployment.properties file, this is a finding. If the\n deployment.system.config.mandatory key does not exist or is set to false, this\n is a finding.'\n\n tag \"fix\": 'Navigate to the deployment.config file for JRE:\n /etc/.java/deployment/deployment.config Add the key\n deployment.system.config= to the\n deployment.config file. The following is an example:\n deployment.system.config=/etc/.java/deployment/deployment.properties. Note the\n use of forward slashes. Add the key deployment.system.config.mandatory=true to\n the deployment.config file.'\n\n describe file(attribute('deployment_config_file')) do\n its('content') { should match(%r{deployment.system.config=\\/etc\\/.java/deployment\\/deployment.properties}) }\n end\n describe file(attribute('deployment_config_file')) do\n its('content') { should match(/deployment.system.config.mandatory=true/) }\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66925.rb", + "ref": "./JRE 8 STIG/controls/V-66909.rb", "line": 1 }, - "id": "V-66925" + "id": "V-66909" }, { - "title": "Oracle JRE 8 must have a deployment.config file present", - "desc": "By default no deployment.config file exists; thus, no system-wide\ndeployment.properties file exists. The file must be created. The\ndeployment.config file is used for specifying the location and execution of\nsystem-level properties for the Java Runtime Environment. Without the\ndeployment.config file, setting particular options for the Java control\npanel is impossible.", + "title": "Oracle JRE 8 must lock the option to enable users to check publisher\n certificates for revocation", + "desc": "Certificates may be revoked due to improper issuance, compromise of the\ncertificate, and failure to adhere to policy. 
Therefore, any certificate\nfound revoked on a CRL or via Online Certificate Status Protocol (OCSP)\nshould not be trusted. Permitting execution of an applet published with a\nrevoked certificate may result in spoofing, malware, system modification,\ninvasion of privacy, and denial of service. Ensuring users cannot change\nthese settings assures a more consistent security profile.", "descriptions": { - "default": "By default no deployment.config file exists; thus, no system-wide\ndeployment.properties file exists. The file must be created. The\ndeployment.config file is used for specifying the location and execution of\nsystem-level properties for the Java Runtime Environment. Without the\ndeployment.config file, setting particular options for the Java control\npanel is impossible." + "default": "Certificates may be revoked due to improper issuance, compromise of the\ncertificate, and failure to adhere to policy. Therefore, any certificate\nfound revoked on a CRL or via Online Certificate Status Protocol (OCSP)\nshould not be trusted. Permitting execution of an applet published with a\nrevoked certificate may result in spoofing, malware, system modification,\ninvasion of privacy, and denial of service. Ensuring users cannot change\nthese settings assures a more consistent security profile." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "SRG-APP-000516", - "gid": "V-66721", - "rid": "SV-81211r1_rule", - "stig_id": "JRE8-UX-000010", - "cci": "CCI-000366", + "gtitle": "SRG-APP-000401", + "gid": "V-66931", + "rid": "SV-81421r1_rule", + "stig_id": "JRE8-UX-000160", + "cci": "CCI-001991", "nist": [ - "CM-6 b", + "IA-5 (2) (d)", "Rev_4" ], - "check": "Verify a JRE deployment configuration file exists as indicated:\n /etc/.java/deployment/deployment.config If the configuration file does not\n exist as indicated, this is a finding.", - "fix": "Create a JRE deployment configuration file as indicated:\n\n /etc/.java/deployment/deployment.config" + "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is\n set to “PUBLISHER_ONLY”, or “NO_CHECK”, this is a finding. If the key\n “deployment.security.revocation.check.locked” is not present, this is a\n finding.", + "fix": "If the system is on the SIPRNet, this requirement is NA. Navigate\n to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.revocation.check=ALL_CERTIFICATES” to the\n deployment.properties file. Add the key\n “deployment.security.revocation.check.locked” to the deployment.properties\n file" }, - "code": "control 'V-66721' do\n title 'Oracle JRE 8 must have a deployment.config file present'\n desc \"\n By default no deployment.config file exists; thus, no system-wide\n deployment.properties file exists. The file must be created. The\n deployment.config file is used for specifying the location and execution of\n system-level properties for the Java Runtime Environment. 
Without the\n deployment.config file, setting particular options for the Java control\n panel is impossible.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000516'\n tag \"gid\": 'V-66721'\n tag \"rid\": 'SV-81211r1_rule'\n tag \"stig_id\": 'JRE8-UX-000010'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": 'Verify a JRE deployment configuration file exists as indicated:\n /etc/.java/deployment/deployment.config If the configuration file does not\n exist as indicated, this is a finding.'\n\n tag \"fix\": \"Create a JRE deployment configuration file as indicated:\n\n /etc/.java/deployment/deployment.config\"\n\n describe file(attribute('deployment_config_file')) do\n it { should exist }\n end\nend\n", + "code": "control 'V-66931' do\n title 'Oracle JRE 8 must lock the option to enable users to check publisher\n certificates for revocation'\n desc \"\n Certificates may be revoked due to improper issuance, compromise of the\n certificate, and failure to adhere to policy. Therefore, any certificate\n found revoked on a CRL or via Online Certificate Status Protocol (OCSP)\n should not be trusted. Permitting execution of an applet published with a\n revoked certificate may result in spoofing, malware, system modification,\n invasion of privacy, and denial of service. 
Ensuring users cannot change\n these settings assures a more consistent security profile.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000401'\n tag \"gid\": 'V-66931'\n tag \"rid\": 'SV-81421r1_rule'\n tag \"stig_id\": 'JRE8-UX-000160'\n tag \"cci\": 'CCI-001991'\n tag \"nist\": ['IA-5 (2) (d)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is\n set to “PUBLISHER_ONLY”, or “NO_CHECK”, this is a finding. If the key\n “deployment.security.revocation.check.locked” is not present, this is a\n finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. Navigate\n to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.revocation.check=ALL_CERTIFICATES” to the\n deployment.properties file. 
Add the key\n “deployment.security.revocation.check.locked” to the deployment.properties\n file'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.revocation.check=ALL_CERTIFICATES/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.revocation.check.locked/) }\n end\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66721.rb", - "line": 1 + "ref": "./JRE 8 STIG/controls/V-66931.rb", + "line": 2 }, - "id": "V-66721" + "id": "V-66931" }, { - "title": "Oracle JRE 8 must remove previous versions when the latest version is\n installed", - "desc": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions\nof software automatically from the information system.", + "title": "Oracle JRE 8 must enable the dialog to enable users to check publisher\n certificates for revocation", + "desc": "A certificate revocation list is a directory which contains a list of\ncertificates that have been revoked for various reasons. Certificates may be\nrevoked due to improper issuance, compromise of the certificate, and failure\nto adhere to policy. Therefore, any certificate found on a CRL should not be\ntrusted. 
Permitting execution of an applet published with a revoked\ncertificate may result in spoofing, malware, system modification, invasion\nof privacy, and denial of service.", "descriptions": { - "default": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions\nof software automatically from the information system." + "default": "A certificate revocation list is a directory which contains a list of\ncertificates that have been revoked for various reasons. Certificates may be\nrevoked due to improper issuance, compromise of the certificate, and failure\nto adhere to policy. Therefore, any certificate found on a CRL should not be\ntrusted. Permitting execution of an applet published with a revoked\ncertificate may result in spoofing, malware, system modification, invasion\nof privacy, and denial of service." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "SRG-APP-000454", - "gid": "V-66935", - "rid": "SV-81425r1_rule", - "stig_id": "JRE8-UX-000190", - "cci": "CCI-002617", + "gtitle": "SRG-APP-000401", + "gid": "V-66929", + "rid": "SV-81419r1_rule", + "stig_id": "JRE8-UX-000150", + "cci": "CCI-001991", "nist": [ - "SI-2 (6)", + "IA-5 (2) (d)", "Rev_4" ], - "check": "Review the system configuration to ensure old versions of JRE\n have been removed. There are two ways to uninstall Java. Use the method that\n you used when you installed Java. For example, if you used RPM to install\n Java, then use the RPM uninstall method. If RPM is installed, first query to\n ascertain that JRE was installed using RPM. Search for the JRE package by\n typing: # rpm -qa | grep -i jre If RPM reports a package similar to\n jre--fcs, then JRE is installed with RPM. If JRE is not installed\n using RPM, skip to Self-extracting file uninstall. 
To uninstall Java via RPM,\n type: # rpm -e jre--fcs Self-extracting file uninstall:\n 1. Browse folders to ascertain where JRE is installed. Common locations are\n /usr/java/jre_ or opt/jre_nb/jre_/bin/java/\n 2. When you have located the directory, you may delete the directory by using\n the following command:\n Note: Ensure JRE is not already installed using RPM before removing\n the directory.\n # rm -r //jre\n Ensure only one instance of JRE is installed on the system.\n # ps -ef | grep -I jre If more than one\n instance of JRE is running, this is a finding.", - "fix": "Remove previous versions of JRE. RPM uninstall: # rpm -e\n jre--fcs Self-extracting file uninstall: # rm -r jre Perform\n for all out of date instances of JRE." + "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.validation.crl=true” is not present in the\n deployment.properties file, or is set to “false”, this is a finding. If the\n key “deployment.security.validation.crl.locked” is not present in the\n deployment.properties file, this is a finding.", + "fix": "If the system is on the SIPRNet, this requirement is NA. Enable\n the “Check certificates for revocation using Certificate Revocation Lists\n (CRL)” option. Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.validation.crl=true” to the deployment.properties file.\n Add the key “deployment.security.validation.crl.locked” to the\n deployment.properties file" }, - "code": "control 'V-66935' do\n title 'Oracle JRE 8 must remove previous versions when the latest version is\n installed'\n desc \"\n Previous versions of software components that are not removed from the\n information system after updates have been installed may be exploited by\n adversaries. 
Some information technology products may remove older versions\n of software automatically from the information system.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000454'\n tag \"gid\": 'V-66935'\n tag \"rid\": 'SV-81425r1_rule'\n tag \"stig_id\": 'JRE8-UX-000190'\n tag \"cci\": 'CCI-002617'\n tag \"nist\": ['SI-2 (6)', 'Rev_4']\n tag \"check\": 'Review the system configuration to ensure old versions of JRE\n have been removed. There are two ways to uninstall Java. Use the method that\n you used when you installed Java. For example, if you used RPM to install\n Java, then use the RPM uninstall method. If RPM is installed, first query to\n ascertain that JRE was installed using RPM. Search for the JRE package by\n typing: # rpm -qa | grep -i jre If RPM reports a package similar to\n jre--fcs, then JRE is installed with RPM. If JRE is not installed\n using RPM, skip to Self-extracting file uninstall. To uninstall Java via RPM,\n type: # rpm -e jre--fcs Self-extracting file uninstall:\n 1. Browse folders to ascertain where JRE is installed. Common locations are\n /usr/java/jre_ or opt/jre_nb/jre_/bin/java/\n 2. When you have located the directory, you may delete the directory by using\n the following command:\n Note: Ensure JRE is not already installed using RPM before removing\n the directory.\n # rm -r //jre\n Ensure only one instance of JRE is installed on the system.\n # ps -ef | grep -I jre If more than one\n instance of JRE is running, this is a finding.'\n\n tag \"fix\": 'Remove previous versions of JRE. 
RPM uninstall: # rpm -e\n jre--fcs Self-extracting file uninstall: # rm -r jre Perform\n for all out of date instances of JRE.'\n\n describe 'A manual review is required to ensure Oracle JRE 8 removes previous versions when the latest version is\n installed' do\n skip 'A manual review is required to ensure Oracle JRE 8 removes previous versions when the latest version is\n installed'\n end\nend\n", + "code": "control 'V-66929' do\n title 'Oracle JRE 8 must enable the dialog to enable users to check publisher\n certificates for revocation'\n desc \"\n A certificate revocation list is a directory which contains a list of\n certificates that have been revoked for various reasons. Certificates may be\n revoked due to improper issuance, compromise of the certificate, and failure\n to adhere to policy. Therefore, any certificate found on a CRL should not be\n trusted. Permitting execution of an applet published with a revoked\n certificate may result in spoofing, malware, system modification, invasion\n of privacy, and denial of service.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000401'\n tag \"gid\": 'V-66929'\n tag \"rid\": 'SV-81419r1_rule'\n tag \"stig_id\": 'JRE8-UX-000150'\n tag \"cci\": 'CCI-001991'\n tag \"nist\": ['IA-5 (2) (d)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.validation.crl=true” is not present in the\n deployment.properties file, or is set to “false”, this is a finding. If the\n key “deployment.security.validation.crl.locked” is not present in the\n deployment.properties file, this is a finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. Enable\n the “Check certificates for revocation using Certificate Revocation Lists\n (CRL)” option. 
Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.validation.crl=true” to the deployment.properties file.\n Add the key “deployment.security.validation.crl.locked” to the\n deployment.properties file'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.validation.crl=true/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.validation.crl.locked/) }\n end\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66935.rb", - "line": 1 + "ref": "./JRE 8 STIG/controls/V-66929.rb", + "line": 2 }, - "id": "V-66935" + "id": "V-66929" }, { - "title": "Oracle JRE 8 must lock the dialog enabling users to grant permissions\n to execute signed content from an untrusted authority", - "desc": "Java applets exist both signed and unsigned. Even for signed applets, there\ncan be many sources, some of which may be purveyors of malware. Applet\nsources considered trusted can have their information populated into the\nbrowser, enabling Java to validate applets against trusted sources.\nPermitting execution of signed Java applets from untrusted sources may\nresult in acquiring malware, and risks system modification, invasion of\nprivacy, or denial of service. Ensuring users cannot change settings\ncontributes to a more consistent security profile.", + "title": "Oracle JRE 8 must enable the option to use an accepted sites list", + "desc": "Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. 
Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nThe organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting. Verification of whitelisted\nsoftware can occur either prior to execution or at system startup. This\nrequirement applies to configuration management applications or similar\ntypes of applications designed to manage system processes and configurations\n(e.g., HBSS and software wrappers).", "descriptions": { - "default": "Java applets exist both signed and unsigned. Even for signed applets, there\ncan be many sources, some of which may be purveyors of malware. Applet\nsources considered trusted can have their information populated into the\nbrowser, enabling Java to validate applets against trusted sources.\nPermitting execution of signed Java applets from untrusted sources may\nresult in acquiring malware, and risks system modification, invasion of\nprivacy, or denial of service. Ensuring users cannot change settings\ncontributes to a more consistent security profile." + "default": "Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nThe organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting. Verification of whitelisted\nsoftware can occur either prior to execution or at system startup. 
This\nrequirement applies to configuration management applications or similar\ntypes of applications designed to manage system processes and configurations\n(e.g., HBSS and software wrappers)." }, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "SRG-APP-000112", - "gid": "V-66919", - "rid": "SV-81409r1_rule", - "stig_id": "JRE8-UX-000090", - "cci": "CCI-001695", + "gtitle": "SRG-APP-000386", + "gid": "V-66925", + "rid": "SV-81415r2_rule", + "stig_id": "JRE8-UX-000120", + "cci": "CCI-001774", "nist": [ - "SC-18 (3)", + "CM-7 (5) (c)", "Rev_4" ], - "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key,\n “deployment.security.askgrantdialog.show=false” is not present, this is a\n finding. If the key, “deployment.security.askgrantdialog.show.locked” is not\n present, this is a finding. If the key\n “deployment.security.askgrantdialog.show” exists and is set to true, this is a\n finding.", - "fix": "If the system is on the SIPRNet, this requirement is NA. Lock the\n “Allow user to grant permissions to content from an untrusted authority”\n feature. Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.askgrantdialog.show=false” to the deployment.properties\n file. Add the key “deployment.security.askgrantdialog.show.locked” to the\n deployment.properties file." + "check": "Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties If the key\n “deployment.user.security.exception.sites” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.user.security.exception.sites” is not set to the location of the\n exception.sites file, this is a finding. 
An example of a correct setting is:\n deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites", + "fix": "Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites”\n to the deployment.properties file." }, - "code": "control 'V-66919' do\n title 'Oracle JRE 8 must lock the dialog enabling users to grant permissions\n to execute signed content from an untrusted authority'\n desc \"\n Java applets exist both signed and unsigned. Even for signed applets, there\n can be many sources, some of which may be purveyors of malware. Applet\n sources considered trusted can have their information populated into the\n browser, enabling Java to validate applets against trusted sources.\n Permitting execution of signed Java applets from untrusted sources may\n result in acquiring malware, and risks system modification, invasion of\n privacy, or denial of service. Ensuring users cannot change settings\n contributes to a more consistent security profile.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000112'\n tag \"gid\": 'V-66919'\n tag \"rid\": 'SV-81409r1_rule'\n tag \"stig_id\": 'JRE8-UX-000090'\n tag \"cci\": 'CCI-001695'\n tag \"nist\": ['SC-18 (3)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key,\n “deployment.security.askgrantdialog.show=false” is not present, this is a\n finding. If the key, “deployment.security.askgrantdialog.show.locked” is not\n present, this is a finding. If the key\n “deployment.security.askgrantdialog.show” exists and is set to true, this is a\n finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. 
Lock the\n “Allow user to grant permissions to content from an untrusted authority”\n feature. Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.askgrantdialog.show=false” to the deployment.properties\n file. Add the key “deployment.security.askgrantdialog.show.locked” to the\n deployment.properties file.'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.askgrantdialog.show=false/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.askgrantdialog.show.locked/) }\n end\n end\nend\n", + "code": "control 'V-66925' do\n title 'Oracle JRE 8 must enable the option to use an accepted sites list'\n desc \"\n Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information\n systems is commonly referred to as whitelisting. Verification of whitelisted\n software can occur either prior to execution or at system startup. 
This\n requirement applies to configuration management applications or similar\n types of applications designed to manage system processes and configurations\n (e.g., HBSS and software wrappers).\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000386'\n tag \"gid\": 'V-66925'\n tag \"rid\": 'SV-81415r2_rule'\n tag \"stig_id\": 'JRE8-UX-000120'\n tag \"cci\": 'CCI-001774'\n tag \"nist\": ['CM-7 (5) (c)', 'Rev_4']\n tag \"check\": 'Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties If the key\n “deployment.user.security.exception.sites” is not present in the\n deployment.properties file, this is a finding. If the key\n “deployment.user.security.exception.sites” is not set to the location of the\n exception.sites file, this is a finding. An example of a correct setting is:\n deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites'\n\n tag \"fix\": 'Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites”\n to the deployment.properties file.'\n\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(%r{deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites}) }\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66919.rb", - "line": 2 + "ref": "./JRE 8 STIG/controls/V-66925.rb", + "line": 1 }, - "id": "V-66919" + "id": "V-66925" }, { - "title": "Oracle JRE 8 must have a deployment.properties file present", - "desc": "By default no deployment.properties file exists; thus, no system-wide\ndeployment exists. The file must be created. The deployment.properties file\nis used for specifying keys for the Java Runtime Environment. Each option in\nthe Java control panel is represented by property keys. 
These keys adjust\nthe options in the Java control panel based on the value assigned to that\nkey. Without the deployment.properties file, setting particular options for\nthe Java control panel is impossible.", + "title": "Oracle JRE 8 must default to the most secure built-in setting", + "desc": "Applications that are signed with a valid certificate and include the\npermissions attribute in the manifest for the main JAR file are allowed to\nrun with security prompts. All other applications are blocked. Unsigned\napplications could perform numerous types of attacks on a system.", "descriptions": { - "default": "By default no deployment.properties file exists; thus, no system-wide\ndeployment exists. The file must be created. The deployment.properties file\nis used for specifying keys for the Java Runtime Environment. Each option in\nthe Java control panel is represented by property keys. These keys adjust\nthe options in the Java control panel based on the value assigned to that\nkey. Without the deployment.properties file, setting particular options for\nthe Java control panel is impossible." + "default": "Applications that are signed with a valid certificate and include the\npermissions attribute in the manifest for the main JAR file are allowed to\nrun with security prompts. All other applications are blocked. Unsigned\napplications could perform numerous types of attacks on a system." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "severity": "medium", + "severity": "low", "gtitle": "SRG-APP-000516", - "gid": "V-66911", - "rid": "SV-81401r1_rule", - "stig_id": "JRE8-UX-000030", + "gid": "V-66913", + "rid": "SV-81403r1_rule", + "stig_id": "JRE8-UX-000060", "cci": "CCI-000366", "nist": [ "CM-6 b", "Rev_4" ], - "check": "Navigate to the system-level “deployment.properties” file for\n JRE. 
/etc/.java/deployment/deployment.properties If there is no file entitled\n “deployment.properties”, this is a finding.", - "fix": "Create the Java deployment properties file\n “/etc/.java/deployment/deployment.properties”" + "check": "Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties If the key\n “deployment.security.level=VERY_HIGH” is not present in the\n deployment.properties file, or is set to “HIGH”, this is a finding. If the\n key", + "fix": "Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.level=VERY_HIGH” to the deployment.properties file. Add\n the key “deployment.security.level.locked” to the deployment.properties file." }, - "code": "control 'V-66911' do\n title 'Oracle JRE 8 must have a deployment.properties file present'\n desc \"\n By default no deployment.properties file exists; thus, no system-wide\n deployment exists. The file must be created. The deployment.properties file\n is used for specifying keys for the Java Runtime Environment. Each option in\n the Java control panel is represented by property keys. These keys adjust\n the options in the Java control panel based on the value assigned to that\n key. Without the deployment.properties file, setting particular options for\n the Java control panel is impossible.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000516'\n tag \"gid\": 'V-66911'\n tag \"rid\": 'SV-81401r1_rule'\n tag \"stig_id\": 'JRE8-UX-000030'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": 'Navigate to the system-level “deployment.properties” file for\n JRE. 
/etc/.java/deployment/deployment.properties If there is no file entitled\n “deployment.properties”, this is a finding.'\n\n tag \"fix\": 'Create the Java deployment properties file\n “/etc/.java/deployment/deployment.properties”'\n\n describe file('/etc/.java/deployment/deployment.properties') do\n it { should exist }\n end\nend\n", + "code": "control 'V-66913' do\n title 'Oracle JRE 8 must default to the most secure built-in setting'\n desc \"\n Applications that are signed with a valid certificate and include the\n permissions attribute in the manifest for the main JAR file are allowed to\n run with security prompts. All other applications are blocked. Unsigned\n applications could perform numerous types of attacks on a system.\n \"\n impact 0.3\n tag \"severity\": 'low'\n tag \"gtitle\": 'SRG-APP-000516'\n tag \"gid\": 'V-66913'\n tag \"rid\": 'SV-81403r1_rule'\n tag \"stig_id\": 'JRE8-UX-000060'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": 'Navigate to the system-level “deployment.properties” file for\n JRE. /etc/.java/deployment/deployment.properties If the key\n “deployment.security.level=VERY_HIGH” is not present in the\n deployment.properties file, or is set to “HIGH”, this is a finding. If the\n key'\n\n tag \"fix\": 'Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.level=VERY_HIGH” to the deployment.properties file. 
Add\n the key “deployment.security.level.locked” to the deployment.properties file.'\n\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.level=VERY_HIGH/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.level.locked/) }\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66911.rb", + "ref": "./JRE 8 STIG/controls/V-66913.rb", "line": 1 }, - "id": "V-66911" + "id": "V-66913" }, { - "title": "Oracle JRE 8 must lock the option to enable users to check publisher\n certificates for revocation", - "desc": "Certificates may be revoked due to improper issuance, compromise of the\ncertificate, and failure to adhere to policy. Therefore, any certificate\nfound revoked on a CRL or via Online Certificate Status Protocol (OCSP)\nshould not be trusted. Permitting execution of an applet published with a\nrevoked certificate may result in spoofing, malware, system modification,\ninvasion of privacy, and denial of service. Ensuring users cannot change\nthese settings assures a more consistent security profile.", + "title": "Oracle JRE 8 must have an exception.sites file present.", + "desc": "Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nThe organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting. Verification of whitelisted\nsoftware can occur either prior to execution or at system startup. 
This\nrequirement applies to configuration management applications or similar\ntypes of applications designed to manage system processes and configurations\n(e.g., HBSS and software wrappers).", "descriptions": { - "default": "Certificates may be revoked due to improper issuance, compromise of the\ncertificate, and failure to adhere to policy. Therefore, any certificate\nfound revoked on a CRL or via Online Certificate Status Protocol (OCSP)\nshould not be trusted. Permitting execution of an applet published with a\nrevoked certificate may result in spoofing, malware, system modification,\ninvasion of privacy, and denial of service. Ensuring users cannot change\nthese settings assures a more consistent security profile." + "default": "Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nThe organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting. Verification of whitelisted\nsoftware can occur either prior to execution or at system startup. This\nrequirement applies to configuration management applications or similar\ntypes of applications designed to manage system processes and configurations\n(e.g., HBSS and software wrappers)." 
}, "impact": 0.5, "refs": [], "tags": { "severity": "medium", - "gtitle": "SRG-APP-000401", - "gid": "V-66931", - "rid": "SV-81421r1_rule", - "stig_id": "JRE8-UX-000160", - "cci": "CCI-001991", + "gtitle": "SRG-APP-000386", + "gid": "V-66927", + "rid": "SV-81417r1_rule", + "stig_id": "JRE8-UX-000130", + "cci": "CCI-001774", "nist": [ - "IA-5 (2) (d)", + "CM-7 (5) (c)", "Rev_4" ], - "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is\n set to “PUBLISHER_ONLY”, or “NO_CHECK”, this is a finding. If the key\n “deployment.security.revocation.check.locked” is not present, this is a\n finding.", - "fix": "If the system is on the SIPRNet, this requirement is NA. Navigate\n to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.revocation.check=ALL_CERTIFICATES” to the\n deployment.properties file. Add the key\n “deployment.security.revocation.check.locked” to the deployment.properties\n file" + "check": "If the system is on the SIPRNet, this requirement is NA.\n Navigate to the “exception.sites” file for Java:\n /etc/.java/deployment/exception.sites If the exception.sites file does not\n exist, it must be created. The exception.sites file is a text file containing\n single-line URLs for accepted risk sites. If there are no AO approved sites to\n be added to the configuration, it is acceptable for this file to be blank. If\n the “exception.sites” file does not exist, this is a finding. If the\n “exception.sites” file contains URLs that are not AO approved, this is a\n finding.", + "fix": "If the system is on the SIPRNet, this requirement is NA. Create\n the JRE exception.sites file: No default file exists. 
A text file named\n exception.sites, and the directory structure in which it is located must be\n manually created. The location must be aligned as defined in the\n deployment.properties file. /etc/.java/deployment/deployment.properties is an\n example." }, - "code": "control 'V-66931' do\n title 'Oracle JRE 8 must lock the option to enable users to check publisher\n certificates for revocation'\n desc \"\n Certificates may be revoked due to improper issuance, compromise of the\n certificate, and failure to adhere to policy. Therefore, any certificate\n found revoked on a CRL or via Online Certificate Status Protocol (OCSP)\n should not be trusted. Permitting execution of an applet published with a\n revoked certificate may result in spoofing, malware, system modification,\n invasion of privacy, and denial of service. Ensuring users cannot change\n these settings assures a more consistent security profile.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000401'\n tag \"gid\": 'V-66931'\n tag \"rid\": 'SV-81421r1_rule'\n tag \"stig_id\": 'JRE8-UX-000160'\n tag \"cci\": 'CCI-001991'\n tag \"nist\": ['IA-5 (2) (d)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties If the key\n “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is\n set to “PUBLISHER_ONLY”, or “NO_CHECK”, this is a finding. If the key\n “deployment.security.revocation.check.locked” is not present, this is a\n finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. Navigate\n to the system-level “deployment.properties” file for JRE.\n /etc/.java/deployment/deployment.properties Add the key\n “deployment.security.revocation.check=ALL_CERTIFICATES” to the\n deployment.properties file. 
Add the key\n “deployment.security.revocation.check.locked” to the deployment.properties\n file'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.revocation.check=ALL_CERTIFICATES/) }\n end\n describe file(attribute('deployment_properties_file')) do\n its('content') { should match(/deployment.security.revocation.check.locked/) }\n end\n end\nend\n", + "code": "control 'V-66927' do\n title 'Oracle JRE 8 must have an exception.sites file present.'\n desc \"\n Utilizing a whitelist provides a configuration management method for\n allowing the execution of only authorized software. Using only authorized\n software decreases risk by limiting the number of potential vulnerabilities.\n The organization must identify authorized software programs and permit\n execution of authorized software. The process used to identify software\n programs that are authorized to execute on organizational information\n systems is commonly referred to as whitelisting. Verification of whitelisted\n software can occur either prior to execution or at system startup. 
This\n requirement applies to configuration management applications or similar\n types of applications designed to manage system processes and configurations\n (e.g., HBSS and software wrappers).\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000386'\n tag \"gid\": 'V-66927'\n tag \"rid\": 'SV-81417r1_rule'\n tag \"stig_id\": 'JRE8-UX-000130'\n tag \"cci\": 'CCI-001774'\n tag \"nist\": ['CM-7 (5) (c)', 'Rev_4']\n tag \"check\": 'If the system is on the SIPRNet, this requirement is NA.\n Navigate to the “exception.sites” file for Java:\n /etc/.java/deployment/exception.sites If the exception.sites file does not\n exist, it must be created. The exception.sites file is a text file containing\n single-line URLs for accepted risk sites. If there are no AO approved sites to\n be added to the configuration, it is acceptable for this file to be blank. If\n the “exception.sites” file does not exist, this is a finding. If the\n “exception.sites” file contains URLs that are not AO approved, this is a\n finding.'\n\n tag \"fix\": 'If the system is on the SIPRNet, this requirement is NA. Create\n the JRE exception.sites file: No default file exists. A text file named\n exception.sites, and the directory structure in which it is located must be\n manually created. The location must be aligned as defined in the\n deployment.properties file. 
/etc/.java/deployment/deployment.properties is an\n example.'\n\n if is_on_siprnet\n impact 0.0\n desc 'If the system is on the SIPRNET, therefore this requirement is NA'\n describe 'If the system is on the SIPRNET, therefore this requirement is NA' do\n skip 'If the system is on the SIPRNET, therefore this requirement is NA'\n end\n else\n describe file(attribute('deployment_exception_sites_file')) do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66931.rb", + "ref": "./JRE 8 STIG/controls/V-66927.rb", "line": 2 }, - "id": "V-66931" + "id": "V-66927" + }, + { + "title": "Oracle JRE 8 must have a deployment.config file present", + "desc": "By default no deployment.config file exists; thus, no system-wide\ndeployment.properties file exists. The file must be created. The\ndeployment.config file is used for specifying the location and execution of\nsystem-level properties for the Java Runtime Environment. Without the\ndeployment.config file, setting particular options for the Java control\npanel is impossible.", + "descriptions": { + "default": "By default no deployment.config file exists; thus, no system-wide\ndeployment.properties file exists. The file must be created. The\ndeployment.config file is used for specifying the location and execution of\nsystem-level properties for the Java Runtime Environment. Without the\ndeployment.config file, setting particular options for the Java control\npanel is impossible." 
+ }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium", + "gtitle": "SRG-APP-000516", + "gid": "V-66721", + "rid": "SV-81211r1_rule", + "stig_id": "JRE8-UX-000010", + "cci": "CCI-000366", + "nist": [ + "CM-6 b", + "Rev_4" + ], + "check": "Verify a JRE deployment configuration file exists as indicated:\n /etc/.java/deployment/deployment.config If the configuration file does not\n exist as indicated, this is a finding.", + "fix": "Create a JRE deployment configuration file as indicated:\n\n /etc/.java/deployment/deployment.config" + }, + "code": "control 'V-66721' do\n title 'Oracle JRE 8 must have a deployment.config file present'\n desc \"\n By default no deployment.config file exists; thus, no system-wide\n deployment.properties file exists. The file must be created. The\n deployment.config file is used for specifying the location and execution of\n system-level properties for the Java Runtime Environment. Without the\n deployment.config file, setting particular options for the Java control\n panel is impossible.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000516'\n tag \"gid\": 'V-66721'\n tag \"rid\": 'SV-81211r1_rule'\n tag \"stig_id\": 'JRE8-UX-000010'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": 'Verify a JRE deployment configuration file exists as indicated:\n /etc/.java/deployment/deployment.config If the configuration file does not\n exist as indicated, this is a finding.'\n\n tag \"fix\": \"Create a JRE deployment configuration file as indicated:\n\n /etc/.java/deployment/deployment.config\"\n\n describe file(attribute('deployment_config_file')) do\n it { should exist }\n end\nend\n", + "source_location": { + "ref": "./JRE 8 STIG/controls/V-66721.rb", + "line": 1 + }, + "id": "V-66721" }, { "title": "Oracle JRE 8 must prevent the download of prohibited mobile code", 
@@ -422,33 +422,33 @@ "id": "V-66923" }, { - "title": "Oracle JRE 8 deployment.config file must contain proper keys and values", - "desc": "The deployment.config configuration file contains two keys. The\ndeployment.properties key includes the path of the deployment.properties\nfile and the deployment.properties.mandatory key contains either a TRUE or\nFALSE value. If the path specified to deployment.properties does not lead to\na deployment.properties file, the value of the\ndeployment.system.config.mandatory key determines how JRE will handle the\nsituation. If the value of the deployment.system.config.mandatory key is\nTRUE and if the path to the deployment.properties file is invalid, the JRE\nwill not allow Java applications to run. This is the desired behavior.", + "title": "The version of Oracle JRE 8 running on the system must be the most\n current available", + "desc": "Oracle JRE 8 is being continually updated by the vendor in order to address\nidentified security vulnerabilities. Running an older version of the JRE can\nintroduce security vulnerabilities to the system.", "descriptions": { - "default": "The deployment.config configuration file contains two keys. The\ndeployment.properties key includes the path of the deployment.properties\nfile and the deployment.properties.mandatory key contains either a TRUE or\nFALSE value. If the path specified to deployment.properties does not lead to\na deployment.properties file, the value of the\ndeployment.system.config.mandatory key determines how JRE will handle the\nsituation. If the value of the deployment.system.config.mandatory key is\nTRUE and if the path to the deployment.properties file is invalid, the JRE\nwill not allow Java applications to run. This is the desired behavior." + "default": "Oracle JRE 8 is being continually updated by the vendor in order to address\nidentified security vulnerabilities. Running an older version of the JRE can\nintroduce security vulnerabilities to the system." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "SRG-APP-000516", - "gid": "V-66909", - "rid": "SV-81399r2_rule", - "stig_id": "JRE8-UX-000020", - "cci": "CCI-000366", + "severity": "high", + "gtitle": "SRG-APP-000456", + "gid": "V-66937", + "rid": "SV-81427r1_rule", + "stig_id": "JRE8-UX-000180", + "cci": "CCI-002605", "nist": [ - "CM-6 b", + "SI-2 c", "Rev_4" ], - "check": "Navigate to the deployment.config file for JRE:\n /etc/.java/deployment/deployment.config The deployment.config file contains\n two properties: deployment.system.config and\n deployment.system.config.mandatory. The deployment.system.config key points to\n the location of the deployment.properties file. The location is variable. It\n can point to a file on the local disk, or a UNC path. The following is an\n example: deployment.system.config=/etc/.java/deployment/deployment.properties\n If the deployment.system.config key does not exist or does not point to the\n location of the deployment.properties file, this is a finding. If the\n deployment.system.config.mandatory key does not exist or is set to false, this\n is a finding.", - "fix": "Navigate to the deployment.config file for JRE:\n /etc/.java/deployment/deployment.config Add the key\n deployment.system.config= to the\n deployment.config file. The following is an example:\n deployment.system.config=/etc/.java/deployment/deployment.properties. Note the\n use of forward slashes. Add the key deployment.system.config.mandatory=true to\n the deployment.config file." + "check": "Review the system configuration to ensure old versions of JRE\n have been removed. There are two ways to uninstall Java. Use the method that\n you used when you installed Java. For example, if you used RPM to install\n Java, then use the RPM uninstall method. If RPM is installed, first query to\n ascertain that JRE was installed using RPM. 
Search for the JRE package by\n typing: # rpm -qa | grep -i jre If RPM reports a package similar to\n jre--fcs, then JRE is installed with RPM. If JRE is not installed\n using RPM, skip to Self-extracting file uninstall. To uninstall Java via RPM,\n type: # rpm -e jre--fcs Self-extracting file uninstall: 1. Browse\n folders to ascertain where JRE is installed. Common locations are\n /usr/java/jre_ or opt/jre_nb/jre_/bin/java/ 2. When you have\n located the directory, you may delete the directory by using the following\n command: Note: Ensure JRE is not already installed using RPM before removing\n the directory. # rm -r //jre Ensure only one instance of\n JRE is installed on the system. # ps -ef | grep -I jre If more than one\n instance of JRE is running, this is a finding.", + "fix": "Remove previous versions of JRE. RPM uninstall: # rpm -e\n jre--fcs Self-extracting file uninstall: # rm -r jre Perform\n for all out of date instances of JRE." }, - "code": "control 'V-66909' do\n title 'Oracle JRE 8 deployment.config file must contain proper keys and values'\n desc \"\n The deployment.config configuration file contains two keys. The\n deployment.properties key includes the path of the deployment.properties\n file and the deployment.properties.mandatory key contains either a TRUE or\n FALSE value. If the path specified to deployment.properties does not lead to\n a deployment.properties file, the value of the\n deployment.system.config.mandatory key determines how JRE will handle the\n situation. If the value of the deployment.system.config.mandatory key is\n TRUE and if the path to the deployment.properties file is invalid, the JRE\n will not allow Java applications to run. 
This is the desired behavior.\n \"\n impact 0.5\n tag \"severity\": 'medium'\n tag \"gtitle\": 'SRG-APP-000516'\n tag \"gid\": 'V-66909'\n tag \"rid\": 'SV-81399r2_rule'\n tag \"stig_id\": 'JRE8-UX-000020'\n tag \"cci\": 'CCI-000366'\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"check\": 'Navigate to the deployment.config file for JRE:\n /etc/.java/deployment/deployment.config The deployment.config file contains\n two properties: deployment.system.config and\n deployment.system.config.mandatory. The deployment.system.config key points to\n the location of the deployment.properties file. The location is variable. It\n can point to a file on the local disk, or a UNC path. The following is an\n example: deployment.system.config=/etc/.java/deployment/deployment.properties\n If the deployment.system.config key does not exist or does not point to the\n location of the deployment.properties file, this is a finding. If the\n deployment.system.config.mandatory key does not exist or is set to false, this\n is a finding.'\n\n tag \"fix\": 'Navigate to the deployment.config file for JRE:\n /etc/.java/deployment/deployment.config Add the key\n deployment.system.config= to the\n deployment.config file. The following is an example:\n deployment.system.config=/etc/.java/deployment/deployment.properties. Note the\n use of forward slashes. 
Add the key deployment.system.config.mandatory=true to\n the deployment.config file.'\n\n describe file(attribute('deployment_config_file')) do\n its('content') { should match(%r{deployment.system.config=\\/etc\\/.java/deployment\\/deployment.properties}) }\n end\n describe file(attribute('deployment_config_file')) do\n its('content') { should match(/deployment.system.config.mandatory=true/) }\n end\nend\n", + "code": "control 'V-66937' do\n title 'The version of Oracle JRE 8 running on the system must be the most\n current available'\n desc \"\n Oracle JRE 8 is being continually updated by the vendor in order to address\n identified security vulnerabilities. Running an older version of the JRE can\n introduce security vulnerabilities to the system.\n \"\n impact 0.7\n tag \"severity\": 'high'\n tag \"gtitle\": 'SRG-APP-000456'\n tag \"gid\": 'V-66937'\n tag \"rid\": 'SV-81427r1_rule'\n tag \"stig_id\": 'JRE8-UX-000180'\n tag \"cci\": 'CCI-002605'\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": 'Review the system configuration to ensure old versions of JRE\n have been removed. There are two ways to uninstall Java. Use the method that\n you used when you installed Java. For example, if you used RPM to install\n Java, then use the RPM uninstall method. If RPM is installed, first query to\n ascertain that JRE was installed using RPM. Search for the JRE package by\n typing: # rpm -qa | grep -i jre If RPM reports a package similar to\n jre--fcs, then JRE is installed with RPM. If JRE is not installed\n using RPM, skip to Self-extracting file uninstall. To uninstall Java via RPM,\n type: # rpm -e jre--fcs Self-extracting file uninstall: 1. Browse\n folders to ascertain where JRE is installed. Common locations are\n /usr/java/jre_ or opt/jre_nb/jre_/bin/java/ 2. When you have\n located the directory, you may delete the directory by using the following\n command: Note: Ensure JRE is not already installed using RPM before removing\n the directory. 
# rm -r //jre Ensure only one instance of\n JRE is installed on the system. # ps -ef | grep -I jre If more than one\n instance of JRE is running, this is a finding.'\n\n tag \"fix\": 'Remove previous versions of JRE. RPM uninstall: # rpm -e\n jre--fcs Self-extracting file uninstall: # rm -r jre Perform\n for all out of date instances of JRE.'\n\n java_cmd = command('java -version').stderr&.lines&.first&.strip&.split&.last\n describe 'The java version installed' do\n it \"should be attribute('java_version\" do\n expect(java_cmd).to(match attribute('java_version'))\n end\n end\nend\n", "source_location": { - "ref": "./JRE 8 STIG/controls/V-66909.rb", + "ref": "./JRE 8 STIG/controls/V-66937.rb", "line": 1 }, - "id": "V-66909" + "id": "V-66937" }, { "title": "Oracle JRE 8 must prompt the user for action prior to executing mobile\n code", @@ -484,9 +484,9 @@ { "title": null, "controls": [ - "V-66921" + "V-66935" ], - "id": "controls/V-66921.rb" + "id": "controls/V-66935.rb" }, { "title": null, 
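Review bot: The version check in the new V-66937 code takes the last whitespace-separated token of the first stderr line of `java -version`, which on Oracle and OpenJDK builds is the quoted token `"1.8.0_xxx"` (quotes included, version constructed here), and compares it with `match`, so the dotted version from the `java_version` attribute acts as an unescaped substring regex (`1.8.0_20` would also accept `1.8.0_201`); `lines.first` is also not the version line when the runtime prints `Picked up JAVA_TOOL_OPTIONS:` first. The example description is malformed as well: `it "should be attribute('java_version" do`. I would strip the quotes and compare exactly: `java_cmd = command('java -version').stderr&.lines&.first&.strip&.split&.last&.delete('"')`, `it "should match attribute('java_version')" do`, `expect(java_cmd).to eq(attribute('java_version'))` — or wrap the attribute in `Regexp.escape` if it is meant as a prefix pattern. When `java` is not on PATH the safe-navigation chain yields nil and the spec fails with a bare nil mismatch, so a `command('java').exist?` guard with a `skip` would give a clearer result. Separately, the copied check and fix text has lost its version placeholders (`jre--fcs`, `/usr/java/jre_`), presumably angle-bracketed tokens dropped on import, which makes the documented uninstall steps unreadable.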
@@ -498,79 +498,79 @@ { "title": null, "controls": [ - "V-66913" + "V-66921" ], - "id": "controls/V-66913.rb" + "id": "controls/V-66921.rb" }, { "title": null, "controls": [ - "V-66929" + "V-66919" ], - "id": "controls/V-66929.rb" + "id": "controls/V-66919.rb" }, { "title": null, "controls": [ - "V-66937" + "V-66911" ], - "id": "controls/V-66937.rb" + "id": "controls/V-66911.rb" }, { "title": null, "controls": [ - "V-66927" + "V-66915" ], - "id": "controls/V-66927.rb" + "id": "controls/V-66915.rb" }, { "title": null, "controls": [ - "V-66915" + "V-66909" ], - "id": "controls/V-66915.rb" + "id": "controls/V-66909.rb" }, { "title": null, "controls": [ - "V-66925" + "V-66931" ], - "id": "controls/V-66925.rb" + "id": "controls/V-66931.rb" }, { "title": null, "controls": [ - "V-66721" + "V-66929" ], - "id": "controls/V-66721.rb" + "id": "controls/V-66929.rb" }, { "title": null, "controls": [ - "V-66935" + "V-66925" ], - "id": "controls/V-66935.rb" + "id": "controls/V-66925.rb" }, { "title": null, "controls": [ - "V-66919" + "V-66913" ], - "id": "controls/V-66919.rb" + "id": "controls/V-66913.rb" }, { "title": null, "controls": [ - "V-66911" + "V-66927" ], - "id": "controls/V-66911.rb" + "id": "controls/V-66927.rb" }, { "title": null, "controls": [ - "V-66931" + "V-66721" ], - "id": "controls/V-66931.rb" + "id": "controls/V-66721.rb" }, { "title": null, @@ -582,9 +582,9 @@ { "title": null, "controls": [ - "V-66909" + "V-66937" ], - "id": "controls/V-66909.rb" + "id": "controls/V-66937.rb" }, { "title": null, diff --git a/src/assets/data/baselineProfiles/redhat-enterprise-linux-6-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-enterprise-linux-6-stig-baseline.json index d17e270a..3e8d4f44 100644 --- a/src/assets/data/baselineProfiles/redhat-enterprise-linux-6-stig-baseline.json +++ b/src/assets/data/baselineProfiles/redhat-enterprise-linux-6-stig-baseline.json 
@@ -12,24 +12,24 @@ "supports": [], "controls": [ { - "title": "The system must disable accounts after excessive login failures within\na 15-minute interval.", - "desc": "Locking out user accounts after a number of incorrect attempts within\na specific period of time prevents direct password guessing attacks.", + "title": "The system must ignore ICMPv4 redirect messages by default.", + "desc": "This feature of the IPv4 protocol has few legitimate uses. It should\nbe disabled unless it is absolutely required.", "descriptions": { - "default": "Locking out user accounts after a number of incorrect attempts within\na specific period of time prevents direct password guessing attacks." + "default": "This feature of the IPv4 protocol has few legitimate uses. It should\nbe disabled unless it is absolutely required." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000249", - "gid": "V-38501", - "rid": "SV-50302r4_rule", - "stig_id": "RHEL-06-000357", - "fix_id": "F-43448r6_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38533", + "rid": "SV-50334r3_rule", + "stig_id": "RHEL-06-000091", + "fix_id": "F-43481r1_fix", "cci": [ - "CCI-001452" + "CCI-000366" ], "nist": [ - "AC-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -42,35 +42,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nFor each file, the output should show \"fail_interval=\"\nwhere \"interval-in-seconds\" is 900 (15 minutes) or greater. If the\n\"fail_interval\" parameter is not set, the default setting of 900 seconds is\nacceptable. If that is not the case, this is a finding. ", - "fix": "Utilizing \"pam_faillock.so\", the \"fail_interval\" directive\nconfigures the system to lock out accounts after a number of incorrect logon\nattempts. Modify the content of both \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" as follows:\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"ACCOUNT\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program.\nThe \"authconfig\" program should not be used." + "check": "The status of the \"net.ipv4.conf.default.accept_redirects\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \"0\". 
If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.accept_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.accept_redirects = 0" }, - "code": "control \"V-38501\" do\n title \"The system must disable accounts after excessive login failures within\na 15-minute interval.\"\n desc \"Locking out user accounts after a number of incorrect attempts within\na specific period of time prevents direct password guessing attacks.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000249\"\n tag \"gid\": \"V-38501\"\n tag \"rid\": \"SV-50302r4_rule\"\n tag \"stig_id\": \"RHEL-06-000357\"\n tag \"fix_id\": \"F-43448r6_fix\"\n tag \"cci\": [\"CCI-001452\"]\n tag \"nist\": [\"AC-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nFor each file, the output should show \\\"fail_interval=\\\"\nwhere \\\"interval-in-seconds\\\" is 900 (15 minutes) or greater. If the\n\\\"fail_interval\\\" parameter is not set, the default setting of 900 seconds is\nacceptable. If that is not the case, this is a finding. 
\"\n tag \"fix\": \"Utilizing \\\"pam_faillock.so\\\", the \\\"fail_interval\\\" directive\nconfigures the system to lock out accounts after a number of incorrect logon\nattempts. Modify the content of both \\\"/etc/pam.d/system-auth\\\" and\n\\\"/etc/pam.d/password-auth\\\" as follows:\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"ACCOUNT\\\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \\\"/etc/pam.d/system-auth\\\" and\n\\\"/etc/pam.d/password-auth\\\" may be overwritten by the \\\"authconfig\\\" program.\nThe \\\"authconfig\\\" program should not be used.\"\n\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_faillock_fail_interval') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_faillock_fail_interval') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") 
do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/) }\n end\nend\n", + "code": "control \"V-38533\" do\n title \"The system must ignore ICMPv4 redirect messages by default.\"\n desc \"This feature of the IPv4 protocol has few legitimate uses. It should\nbe disabled unless it is absolutely required.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38533\"\n tag \"rid\": \"SV-50334r3_rule\"\n tag \"stig_id\": \"RHEL-06-000091\"\n tag \"fix_id\": \"F-43481r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.accept_redirects\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.accept_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.accept_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.accept_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.accept_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.accept_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38501.rb", + "ref": "./Red Hat 6 STIG/controls/V-38533.rb", "line": 1 }, - "id": "V-38501" + "id": "V-38533" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lchown.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The system must not have accounts configured with blank or null\npasswords.", + "desc": "If an account has an empty password, anyone could log in and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." 
+ "default": "If an account has an empty password, anyone could log in and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments." }, - "impact": 0.3, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38558", - "rid": "SV-50359r3_rule", - "stig_id": "RHEL-06-000192", - "fix_id": "F-43506r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38497", + "rid": "SV-50298r3_rule", + "stig_id": "RHEL-06-000030", + "fix_id": "F-43444r5_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -83,30 +83,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"lchown\" system call, run the following command:\n\n$ sudo grep -w \"lchown\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod" + "check": "To verify that null passwords cannot be used, run the following\ncommand:\n\n# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf this produces any output, it may be possible to log into accounts with empty\npasswords.\nIf NULL passwords can be used, this is a finding.", + "fix": "If an account is configured for password authentication but does\nnot have an assigned password, it may be possible to log onto the account\nwithout authentication. Remove any instances of the \"nullok\" option in\n\"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons\nwith empty passwords." 
}, - "code": "control \"V-38558\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lchown.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38558\"\n tag \"rid\": \"SV-50359r3_rule\"\n tag \"stig_id\": \"RHEL-06-000192\"\n tag \"fix_id\": \"F-43506r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"lchown\\\" system call, run the following command:\n\n$ sudo grep -w \\\"lchown\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lchown(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lchown(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38497\" do\n title \"The system must not have accounts configured with blank or null\npasswords.\"\n desc \"If an account has an empty password, anyone could log in and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38497\"\n tag \"rid\": \"SV-50298r3_rule\"\n tag \"stig_id\": \"RHEL-06-000030\"\n tag \"fix_id\": \"F-43444r5_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that null passwords cannot be used, run the following\ncommand:\n\n# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf this produces any output, it may be possible to log into accounts with empty\npasswords.\nIf NULL passwords can be used, this is a finding.\"\n tag \"fix\": \"If an account is configured for password authentication but does\nnot have an assigned password, it may be possible to log onto the account\nwithout authentication. Remove any instances of the \\\"nullok\\\" option in\n\\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" to prevent logons\nwith empty passwords.\"\n\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should_not match(/^[^#]\\s*.*\\snullok\\s*/) }\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should_not match(/^[^#]\\s*.*\\snullok\\s*/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38558.rb", + "ref": "./Red Hat 6 STIG/controls/V-38497.rb", "line": 1 }, - "id": "V-38558" + "id": "V-38497" }, { - "title": "The mail system must forward all mail for root to one or more system\nadministrators.", - "desc": "A number of system services utilize email messages sent to the root\nuser to notify system administrators of active or impending issues. 
These\nmessages must be forwarded to at least one monitored email address.", + "title": "The audit system must be configured to audit modifications to the\nsystems network configuration.", + "desc": "The network environment should not be modified by anything other than\nadministrator action. Any change to network parameters should be audited.", "descriptions": { - "default": "A number of system services utilize email messages sent to the root\nuser to notify system administrators of active or impending issues. These\nmessages must be forwarded to at least one monitored email address." + "default": "The network environment should not be modified by anything other than\nadministrator action. Any change to network parameters should be audited." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38446", - "rid": "SV-50246r2_rule", - "stig_id": "RHEL-06-000521", - "fix_id": "F-43391r1_fix", + "gid": "V-38540", + "rid": "SV-50341r4_rule", + "stig_id": "RHEL-06-000182", + "fix_id": "F-43488r2_fix", "cci": [ "CCI-000366" ], 
@@ -124,35 +124,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Find the list of alias maps used by the Postfix mail server:\n\n# postconf alias_maps\n\nQuery the Postfix alias maps for an alias for \"root\":\n\n# postmap -q root hash:/etc/aliases\n\nIf there are no aliases configured for root that forward to a monitored email\naddress, this is a finding.", - "fix": "Set up an alias for root that forwards to a monitored email\naddress:\n\n# echo \"root: @mail.mil\" >> /etc/aliases\n# newaliases" + "check": "If you are running x86_64 architecture, determine the values\nfor sethostname:\n$ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname\n\t\nIf the values returned are not identical verify that the system is configured\nto monitor network configuration changes for the i386 and x86_64 architectures:\n\n$ sudo egrep -w\n'(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'\n/etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\n\nIf the system is configured to watch for network configuration changes, a line\nshould be returned for each file specified for both (and \"-p wa\" should be\nindicated for each).\n\nIf the system is not configured to audit changes of the network configuration,\nthis is a finding.\n", + "fix": "Add the following to \"/etc/audit/audit.rules\", setting ARCH 
to\neither b32 or b64 as appropriate for your system:\n\n# audit_network_modifications\n-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications" }, - "code": "control \"V-38446\" do\n title \"The mail system must forward all mail for root to one or more system\nadministrators.\"\n desc \"A number of system services utilize email messages sent to the root\nuser to notify system administrators of active or impending issues. These\nmessages must be forwarded to at least one monitored email address.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38446\"\n tag \"rid\": \"SV-50246r2_rule\"\n tag \"stig_id\": \"RHEL-06-000521\"\n tag \"fix_id\": \"F-43391r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Find the list of alias maps used by the Postfix mail server:\n\n# postconf alias_maps\n\nQuery the Postfix alias maps for an alias for \\\"root\\\":\n\n# postmap -q root hash:/etc/aliases\n\nIf there are no aliases configured for root that forward to a monitored email\naddress, this is a finding.\"\n tag \"fix\": \"Set up an alias for root that forwards to a monitored email\naddress:\n\n# echo \\\"root: @mail.mil\\\" >> /etc/aliases\n# newaliases\"\n\n alias_maps = parse_config(command(\"postconf alias_maps\").stdout.strip).params['alias_maps']\n\n describe \"postconf alias_maps\" do\n subject { alias_maps }\n it { should_not 
be_empty }\n end\n\n describe command(\"postmap -q root #{alias_maps}\") do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", + "code": "control \"V-38540\" do\n title \"The audit system must be configured to audit modifications to the\nsystems network configuration.\"\n desc \"The network environment should not be modified by anything other than\nadministrator action. Any change to network parameters should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38540\"\n tag \"rid\": \"SV-50341r4_rule\"\n tag \"stig_id\": \"RHEL-06-000182\"\n tag \"fix_id\": \"F-43488r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If you are running x86_64 architecture, determine the values\nfor sethostname:\n$ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname\n\\t\nIf the values returned are not identical verify that the system is configured\nto monitor network configuration changes for the i386 and x86_64 architectures:\n\n$ sudo egrep -w\n'(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'\n/etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k 
audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\n\nIf the system is configured to watch for network configuration changes, a line\nshould be returned for each file specified for both (and \\\"-p wa\\\" should be\nindicated for each).\n\nIf the system is not configured to audit changes of the network configuration,\nthis is a finding.\n\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", setting ARCH to\neither b32 or b64 as appropriate for your system:\n\n# audit_network_modifications\n-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\"\n\n both_archs = command(\"ausyscall i386 sethostname\").stdout.strip != command(\"ausyscall x86_64 sethostname\").stdout.strip\n\n if os.arch == 'x86_64' or both_archs\n describe command(\"egrep -w '^[^\\#]*sethostname' /etc/audit/audit.rules | grep 'arch=b64'\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep -w '^[^\\#]*setdomainname' /etc/audit/audit.rules | grep 'arch=b64'\") do\n its('stdout.strip') { should_not be_empty }\n end\n end\n\n if os.arch != 'x86_64' or both_archs\n describe command(\"egrep -w '^[^\\#]*sethostname' /etc/audit/audit.rules | grep 'arch=b32'\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep -w '^[^\\#]*setdomainname' /etc/audit/audit.rules | grep 'arch=b32'\") do\n its('stdout.strip') { should_not be_empty }\n end\n end\n\n describe command(\"egrep '^\\\\s*\\\\-w /etc/issue \\\\-p wa' /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep '^\\\\s*\\\\-w /etc/issue.net \\\\-p wa' 
/etc/audit/audit.rules\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep '^\\\\s*\\\\-w /etc/hosts \\\\-p wa' /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep '^\\\\s*\\\\-w /etc/sysconfig/network \\\\-p wa' /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38446.rb", + "ref": "./Red Hat 6 STIG/controls/V-38540.rb", "line": 1 }, - "id": "V-38446" + "id": "V-38540" }, { - "title": "The system must not permit root logins using remote access programs\nsuch as ssh.", - "desc": "Permitting direct root login reduces auditable information about who\nran privileged commands on the system and also allows direct attack attempts on\nroot's password.", + "title": "Wireless network adapters must be disabled.", + "desc": "The use of wireless networking can introduce many different attack\nvectors into the organization's network. Common attack vectors such as\nmalicious association and ad hoc networks will allow an attacker to spoof a\nwireless access point (AP), allowing validated systems to connect to the\nmalicious AP and enabling the attacker to monitor and record network traffic.\nThese malicious APs can also serve to create a man-in-the-middle attack or be\nused to create a denial of service to valid network resources.", "descriptions": { - "default": "Permitting direct root login reduces auditable information about who\nran privileged commands on the system and also allows direct attack attempts on\nroot's password." + "default": "The use of wireless networking can introduce many different attack\nvectors into the organization's network. 
Common attack vectors such as\nmalicious association and ad hoc networks will allow an attacker to spoof a\nwireless access point (AP), allowing validated systems to connect to the\nmalicious AP and enabling the attacker to monitor and record network traffic.\nThese malicious APs can also serve to create a man-in-the-middle attack or be\nused to create a denial of service to valid network resources." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000109", - "gid": "V-38613", - "rid": "SV-50414r1_rule", - "stig_id": "RHEL-06-000237", - "fix_id": "F-43561r1_fix", + "gtitle": "RHEL-06-000293", + "gid": "V-72817", + "rid": "SV-87461r1_rule", + "stig_id": "RHEL-06-000293", + "fix_id": "F-79233r1_fix", "cci": [ - "CCI-000770" + "CCI-001443", + "CCI-001444", + "CCI-002418" ], "nist": [ - "IA-2 (5)", + "AC-18 (1)", + "AC-18 (1)", + "SC-8", "Rev_4" ], "false_negatives": null, 
@@ -165,35 +169,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine how the SSH daemon's \"PermitRootLogin\" option is\nset, run the following command:\n\n# grep -i PermitRootLogin /etc/ssh/sshd_config\n\nIf a line indicating \"no\" is returned, then the required value is set.\nIf the required value is not set, this is a finding.", - "fix": "The root user should never be allowed to log in to a system\ndirectly over a network. To disable root login via SSH, add or correct the\nfollowing line in \"/etc/ssh/sshd_config\":\n\nPermitRootLogin no" + "check": "This is N/A for systems that do not have wireless network\nadapters.\n\nVerify that there are no wireless interfaces configured on the system:\n\n# ifconfig -a\n\n\neth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5\n inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0\n TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000\n RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB)\n Interrupt:17\n\nlo Link encap:Local Loopback\n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1/128 Scope:Host\n UP LOOPBACK RUNNING MTU:16436 Metric:1\n RX packets:2849 errors:0 dropped:0 overruns:0 frame:0\n TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:2778290 (2.6 MiB) TX bytes:2778290 (2.6 MiB)\n\n\nIf a wireless interface is configured, it must be documented and approved by\nthe local Authorizing Official.\n\nIf a wireless interface is configured and has not been documented and approved,\nthis is a finding.\n", + "fix": "Configure the system to disable all wireless network interfaces." 
}, - "code": "control \"V-38613\" do\n title \"The system must not permit root logins using remote access programs\nsuch as ssh.\"\n desc \"Permitting direct root login reduces auditable information about who\nran privileged commands on the system and also allows direct attack attempts on\nroot's password.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000109\"\n tag \"gid\": \"V-38613\"\n tag \"rid\": \"SV-50414r1_rule\"\n tag \"stig_id\": \"RHEL-06-000237\"\n tag \"fix_id\": \"F-43561r1_fix\"\n tag \"cci\": [\"CCI-000770\"]\n tag \"nist\": [\"IA-2 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"PermitRootLogin\\\" option is\nset, run the following command:\n\n# grep -i PermitRootLogin /etc/ssh/sshd_config\n\nIf a line indicating \\\"no\\\" is returned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"The root user should never be allowed to log in to a system\ndirectly over a network. To disable root login via SSH, add or correct the\nfollowing line in \\\"/etc/ssh/sshd_config\\\":\n\nPermitRootLogin no\"\n\n describe sshd_config do\n its('PermitRootLogin') { should eq 'no' }\n end\nend\n", + "code": "control \"V-72817\" do\n title \"Wireless network adapters must be disabled.\"\n desc \"The use of wireless networking can introduce many different attack\nvectors into the organization's network. 
Common attack vectors such as\nmalicious association and ad hoc networks will allow an attacker to spoof a\nwireless access point (AP), allowing validated systems to connect to the\nmalicious AP and enabling the attacker to monitor and record network traffic.\nThese malicious APs can also serve to create a man-in-the-middle attack or be\nused to create a denial of service to valid network resources.\"\n impact 0.5\n tag \"gtitle\": \"RHEL-06-000293\"\n tag \"gid\": \"V-72817\"\n tag \"rid\": \"SV-87461r1_rule\"\n tag \"stig_id\": \"RHEL-06-000293\"\n tag \"fix_id\": \"F-79233r1_fix\"\n tag \"cci\": [\"CCI-001443\", \"CCI-001444\", \"CCI-002418\"]\n tag \"nist\": [\"AC-18 (1)\", \"AC-18 (1)\", \"SC-8\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"This is N/A for systems that do not have wireless network\nadapters.\n\nVerify that there are no wireless interfaces configured on the system:\n\n# ifconfig -a\n\n\neth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5\n inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0\n TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000\n RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB)\n Interrupt:17\n\nlo Link encap:Local Loopback\n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1/128 Scope:Host\n UP LOOPBACK RUNNING MTU:16436 Metric:1\n RX packets:2849 errors:0 dropped:0 overruns:0 frame:0\n TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:2778290 (2.6 MiB) TX 
bytes:2778290 (2.6 MiB)\n\n\nIf a wireless interface is configured, it must be documented and approved by\nthe local Authorizing Official.\n\nIf a wireless interface is configured and has not been documented and approved,\nthis is a finding.\n\"\n tag \"fix\": \"Configure the system to disable all wireless network interfaces.\"\n\n wlans = command('ls /sys/class/net').stdout.split.select { |e| e.start_with? 'wlan' }\n\n if wlans.empty?\n describe \"No wlan interfaces exist\" do\n subject { true }\n it { should eq true }\n end\n else\n wlans.each do |e|\n describe interface(e) do\n it { should_not be_up }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38613.rb", + "ref": "./Red Hat 6 STIG/controls/V-72817.rb", "line": 1 }, - "id": "V-38613" + "id": "V-72817" }, { - "title": "The system must allow locking of the console screen in text mode.", - "desc": "Installing \"screen\" ensures a console locking capability is\navailable for users who may need to suspend console logins.", + "title": "The system must use a separate file system for the system audit data\npath.", + "desc": "Placing \"/var/log/audit\" in its own partition enables better\nseparation between audit files and other files, and helps ensure that auditing\ncannot be halted due to the partition running out of space.", "descriptions": { - "default": "Installing \"screen\" ensures a console locking capability is\navailable for users who may need to suspend console logins." + "default": "Placing \"/var/log/audit\" in its own partition enables better\nseparation between audit files and other files, and helps ensure that auditing\ncannot be halted due to the partition running out of space." 
},
 "impact": 0.3,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000030",
- "gid": "V-38590",
- "rid": "SV-50391r1_rule",
- "stig_id": "RHEL-06-000071",
- "fix_id": "F-43538r1_fix",
+ "gtitle": "SRG-OS-000044",
+ "gid": "V-38467",
+ "rid": "SV-50267r1_rule",
+ "stig_id": "RHEL-06-000004",
+ "fix_id": "F-43412r1_fix",
 "cci": [
- "CCI-000058"
+ "CCI-000137"
 ],
 "nist": [
- "AC-11 a",
+ "AU-4",
 "Rev_4"
 ],
 "false_negatives": null,
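Review bot: The automated test in the new V-72817 `code` value only treats interfaces whose name begins with `wlan` as wireless — `command('ls /sys/class/net').stdout.split.select { |e| e.start_with? 'wlan' }` — so an adapter named under the predictable scheme (`wlp*`) or any other naming is never examined and the control reports "No wlan interfaces exist" as a pass, which is a false negative for exactly the condition the STIG wants caught. A name-independent selection would key on the kernel's wireless attribute directory instead, e.g. `wlans = command('ls /sys/class/net').stdout.split.select { |e| directory("/sys/class/net/#{e}/wireless").exist? }`. Separately, the new `nist` array (and the embedded `tag "nist"` line) lists `"AC-18 (1)"` twice, presumably because two of the listed CCIs map to the same control; any consumer that counts or groups by NIST control will double-count it, so the duplicate should be dropped from both places.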
@@ -206,30 +210,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if the \"screen\"\npackage is installed:\n\n# rpm -q screen\n\n\nIf the package is not installed, this is a finding.", - "fix": "To enable console screen locking when in text mode, install the\n\"screen\" package:\n\n# yum install screen\n\nInstruct users to begin new terminal sessions with the following command:\n\n$ screen\n\nThe console can now be locked with the following key combination:\n\nctrl+a x" + "check": "Run the following command to determine if \"/var/log/audit\" is\non its own partition or logical volume:\n\n$ mount | grep \"on /var/log/audit \"\n\nIf \"/var/log/audit\" has its own partition or volume group, a line will be\nreturned.\nIf no line is returned, this is a finding.", + "fix": "Audit logs are stored in the \"/var/log/audit\" directory. Ensure\nthat it has its own partition or logical volume at installation time, or\nmigrate it later using LVM. Make absolutely certain that it is large enough to\nstore all audit logs that will be created by the auditing daemon." 
}, - "code": "control \"V-38590\" do\n title \"The system must allow locking of the console screen in text mode.\"\n desc \"Installing \\\"screen\\\" ensures a console locking capability is\navailable for users who may need to suspend console logins.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000030\"\n tag \"gid\": \"V-38590\"\n tag \"rid\": \"SV-50391r1_rule\"\n tag \"stig_id\": \"RHEL-06-000071\"\n tag \"fix_id\": \"F-43538r1_fix\"\n tag \"cci\": [\"CCI-000058\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"screen\\\"\npackage is installed:\n\n# rpm -q screen\n\n\nIf the package is not installed, this is a finding.\"\n tag \"fix\": \"To enable console screen locking when in text mode, install the\n\\\"screen\\\" package:\n\n# yum install screen\n\nInstruct users to begin new terminal sessions with the following command:\n\n$ screen\n\nThe console can now be locked with the following key combination:\n\nctrl+a x\"\n\n describe package(\"screen\") do\n it { should be_installed }\n end\nend\n", + "code": "control \"V-38467\" do\n title \"The system must use a separate file system for the system audit data\npath.\"\n desc \"Placing \\\"/var/log/audit\\\" in its own partition enables better\nseparation between audit files and other files, and helps ensure that auditing\ncannot be halted due to the partition running out of space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000044\"\n tag \"gid\": \"V-38467\"\n tag \"rid\": \"SV-50267r1_rule\"\n tag \"stig_id\": \"RHEL-06-000004\"\n tag \"fix_id\": \"F-43412r1_fix\"\n tag \"cci\": [\"CCI-000137\"]\n tag \"nist\": [\"AU-4\", \"Rev_4\"]\n tag 
\"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/var/log/audit\\\" is\non its own partition or logical volume:\n\n$ mount | grep \\\"on /var/log/audit \\\"\n\nIf \\\"/var/log/audit\\\" has its own partition or volume group, a line will be\nreturned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"Audit logs are stored in the \\\"/var/log/audit\\\" directory. Ensure\nthat it has its own partition or logical volume at installation time, or\nmigrate it later using LVM. Make absolutely certain that it is large enough to\nstore all audit logs that will be created by the auditing daemon.\"\n\n describe mount(\"/var/log/audit\") do\n it { should be_mounted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38590.rb", + "ref": "./Red Hat 6 STIG/controls/V-38467.rb", "line": 1 }, - "id": "V-38590" + "id": "V-38467" }, { - "title": "The x86 Ctrl-Alt-Delete key sequence must be disabled.", - "desc": "A locally logged-in user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "title": "The openldap-servers package must not be installed unless required.", + "desc": "Unnecessary packages should not be installed to decrease the attack\nsurface of the system.", "descriptions": { - "default": "A locally logged-in user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken." + "default": "Unnecessary packages should not be installed to decrease the attack\nsurface of the system." }, - "impact": 0.7, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38668", - "rid": "SV-50469r4_rule", - "stig_id": "RHEL-06-000286", - "fix_id": "F-43617r3_fix", + "gid": "V-38627", + "rid": "SV-50428r2_rule", + "stig_id": "RHEL-06-000256", + "fix_id": "F-43577r2_fix", "cci": [ "CCI-000366" ], 
@@ -247,35 +251,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure the system is configured to log a message instead of\nrebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line\nis in \"/etc/init/control-alt-delete.override\":\n\nexec /usr/bin/logger -p authpriv.notice \"Ctrl-Alt-Delete pressed\"\n\nIf the system is not configured to block the shutdown command when\nCtrl-Alt-Delete is pressed, this is a finding. ", - "fix": "By default, the system includes the following line in\n\"/etc/init/control-alt-delete.conf\" to reboot the system when the\nCtrl-Alt-Delete key sequence is pressed:\n\nexec /sbin/shutdown -r now \"Ctrl-Alt-Delete pressed\"\n\n\nTo configure the system to log a message instead of rebooting the system, add\nthe following line to \"/etc/init/control-alt-delete.override\" to read as\nfollows:\n\nexec /usr/bin/logger -p authpriv.notice \"Ctrl-Alt-Delete pressed\"" + "check": "To verify the \"openldap-servers\" package is not installed,\nrun the following command:\n\n$ rpm -q openldap-servers\n\nThe output should show the following.\n\npackage openldap-servers is not installed\n\n\nIf it does not, this is a finding.", + "fix": "The \"openldap-servers\" package should be removed if not in use.\n\n# yum erase openldap-servers\n\nThe openldap-servers RPM is not installed by default on RHEL6 machines. It is\nneeded only by the OpenLDAP server, not by the clients which use LDAP for\nauthentication. If the system is not intended for use as an LDAP Server it\nshould be removed." }, - "code": "control \"V-38668\" do\n title \"The x86 Ctrl-Alt-Delete key sequence must be disabled.\"\n desc \"A locally logged-in user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38668\"\n tag \"rid\": \"SV-50469r4_rule\"\n tag \"stig_id\": \"RHEL-06-000286\"\n tag \"fix_id\": \"F-43617r3_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the system is configured to log a message instead of\nrebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line\nis in \\\"/etc/init/control-alt-delete.override\\\":\n\nexec /usr/bin/logger -p authpriv.notice \\\"Ctrl-Alt-Delete pressed\\\"\n\nIf the system is not configured to block the shutdown command when\nCtrl-Alt-Delete is pressed, this is a finding. 
\"\n tag \"fix\": \"By default, the system includes the following line in\n\\\"/etc/init/control-alt-delete.conf\\\" to reboot the system when the\nCtrl-Alt-Delete key sequence is pressed:\n\nexec /sbin/shutdown -r now \\\"Ctrl-Alt-Delete pressed\\\"\n\n\nTo configure the system to log a message instead of rebooting the system, add\nthe following line to \\\"/etc/init/control-alt-delete.override\\\" to read as\nfollows:\n\nexec /usr/bin/logger -p authpriv.notice \\\"Ctrl-Alt-Delete pressed\\\"\"\n\n describe file(\"/etc/init/control-alt-delete.override\") do\n its(\"content\") { should match(/^\\s*exec \\/usr\\/bin\\/logger -p authpriv\\.notice \"Ctrl-Alt-Delete pressed\"\\s*$/) }\n end\nend\n", + "code": "control \"V-38627\" do\n title \"The openldap-servers package must not be installed unless required.\"\n desc \"Unnecessary packages should not be installed to decrease the attack\nsurface of the system.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38627\"\n tag \"rid\": \"SV-50428r2_rule\"\n tag \"stig_id\": \"RHEL-06-000256\"\n tag \"fix_id\": \"F-43577r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"openldap-servers\\\" package is not installed,\nrun the following command:\n\n$ rpm -q openldap-servers\n\nThe output should show the following.\n\npackage openldap-servers is not installed\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"The \\\"openldap-servers\\\" package should be removed if not in use.\n\n# yum erase openldap-servers\n\nThe openldap-servers RPM is not installed by default on RHEL6 machines. 
It is\nneeded only by the OpenLDAP server, not by the clients which use LDAP for\nauthentication. If the system is not intended for use as an LDAP Server it\nshould be removed.\"\n\n describe package(\"openldap-servers\") do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38668.rb", + "ref": "./Red Hat 6 STIG/controls/V-38627.rb", "line": 1 }, - "id": "V-38668" + "id": "V-38627" }, { - "title": "Remote file systems must be mounted with the nodev option.", - "desc": "Legitimate device files should only exist in the /dev directory. NFS\nmounts should not present device files to users.", + "title": "The system must allow locking of graphical desktop sessions.", + "desc": "The ability to lock graphical desktop sessions manually allows users\nto easily secure their accounts should they need to depart from their\nworkstations temporarily.", "descriptions": { - "default": "Legitimate device files should only exist in the /dev directory. NFS\nmounts should not present device files to users." + "default": "The ability to lock graphical desktop sessions manually allows users\nto easily secure their accounts should they need to depart from their\nworkstations temporarily." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38652", - "rid": "SV-50453r2_rule", - "stig_id": "RHEL-06-000269", - "fix_id": "F-43601r1_fix", + "gtitle": "SRG-OS-000030", + "gid": "V-38474", + "rid": "SV-50274r2_rule", + "stig_id": "RHEL-06-000508", + "fix_id": "F-43420r1_fix", "cci": [ - "CCI-000366" + "CCI-000058" ], "nist": [ - "CM-6 b", + "AC-11 a", "Rev_4" ], "false_negatives": null, 
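Review bot: The new V-38474 entry in this hunk is exported with `"impact": 0`, while its embedded `code` (in the next hunk, `@@ -288,35 +292,35 @@`) declares `impact 0.3` and only lowers it to `impact 0.0` in the `else` branch of `if package('GConf2').installed?`. That branch is evaluated when the control is loaded, so the 0 recorded here reflects the machine the JSON was generated on rather than any system being assessed, and a consumer reading `impact` from this baseline will treat the control as not applicable everywhere. The exported value should be the control's static severity, `"impact": 0.3,`, leaving the runtime N/A downgrade to the profile itself.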
@@ -288,35 +292,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the \"nodev\" option is configured for all NFS\nmounts, run the following command:\n\n$ mount | grep \"nfs \"\n\nAll NFS mounts should show the \"nodev\" setting in parentheses, along with\nother mount options.\nIf the setting does not show, this is a finding.", - "fix": "Add the \"nodev\" option to the fourth column of \"/etc/fstab\"\nfor the line which controls mounting of any NFS mounts." + "check": "If the GConf2 package is not installed, this is not applicable.\n\nVerify the keybindings for the Gnome screensaver:\n\n# gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome_settings_daemon/keybindings/screensaver\n\nIf no output is visible, this is a finding.", + "fix": "Run the following command to set the Gnome desktop keybinding for\nlocking the screen:\n\n# gconftool-2\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type string \\\n--set /apps/gnome_settings_daemon/keybindings/screensaver \"l\"\n\nAnother keyboard sequence may be substituted for \"l\", which is\nthe default for the Gnome desktop." }, - "code": "control \"V-38652\" do\n title \"Remote file systems must be mounted with the nodev option.\"\n desc \"Legitimate device files should only exist in the /dev directory. 
NFS\nmounts should not present device files to users.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38652\"\n tag \"rid\": \"SV-50453r2_rule\"\n tag \"stig_id\": \"RHEL-06-000269\"\n tag \"fix_id\": \"F-43601r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"nodev\\\" option is configured for all NFS\nmounts, run the following command:\n\n$ mount | grep \\\"nfs \\\"\n\nAll NFS mounts should show the \\\"nodev\\\" setting in parentheses, along with\nother mount options.\nIf the setting does not show, this is a finding.\"\n tag \"fix\": \"Add the \\\"nodev\\\" option to the fourth column of \\\"/etc/fstab\\\"\nfor the line which controls mounting of any NFS mounts.\"\n\n describe command('mount | grep \\\"nfs \\\"') do\n its('stdout.strip.lines') { should all include 'nodev' }\n end\nend\n", + "code": "control \"V-38474\" do\n title \"The system must allow locking of graphical desktop sessions.\"\n desc \"The ability to lock graphical desktop sessions manually allows users\nto easily secure their accounts should they need to depart from their\nworkstations temporarily.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000030\"\n tag \"gid\": \"V-38474\"\n tag \"rid\": \"SV-50274r2_rule\"\n tag \"stig_id\": \"RHEL-06-000508\"\n tag \"fix_id\": \"F-43420r1_fix\"\n tag \"cci\": [\"CCI-000058\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag 
\"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nVerify the keybindings for the Gnome screensaver:\n\n# gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome_settings_daemon/keybindings/screensaver\n\nIf no output is visible, this is a finding.\"\n tag \"fix\": \"Run the following command to set the Gnome desktop keybinding for\nlocking the screen:\n\n# gconftool-2\n--direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type string \\\\\n--set /apps/gnome_settings_daemon/keybindings/screensaver \\\"l\\\"\n\nAnother keyboard sequence may be substituted for \\\"l\\\", which is\nthe default for the Gnome desktop.\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\") do\n its('stdout.strip') { should_not eq '' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38652.rb", + "ref": "./Red Hat 6 STIG/controls/V-38474.rb", "line": 1 }, - "id": "V-38652" + "id": "V-38474" }, { - "title": "The system must require passwords to contain at least one uppercase\nalphabetic character.", - "desc": "Requiring a minimum number of uppercase characters makes password\nguessing attacks more difficult by ensuring a larger search space.", + "title": "The system boot loader configuration file(s) must be owned by root.", + "desc": "Only root should be able to modify important boot parameters.", "descriptions": { - "default": "Requiring a minimum number of uppercase characters makes password\nguessing attacks more difficult by ensuring a larger search space." 
+ "default": "Only root should be able to modify important boot parameters."
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000069",
- "gid": "V-38569",
- "rid": "SV-50370r2_rule",
- "stig_id": "RHEL-06-000057",
- "fix_id": "F-43517r2_fix",
+ "gtitle": "SRG-OS-999999",
+ "gid": "V-38579",
+ "rid": "SV-50380r2_rule",
+ "stig_id": "RHEL-06-000065",
+ "fix_id": "F-43527r2_fix",
 "cci": [
- "CCI-000192"
+ "CCI-000366"
 ],
 "nist": [
- "IA-5 (1) (a)",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
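Review bot: In the new V-38474 `code` value, the InSpec test queries `/apps/gnome-screensaver/mode`, but the control's `check` and `fix` text in the same hunk are about `/apps/gnome_settings_daemon/keybindings/screensaver`; the automated test therefore verifies a different GConf key than the STIG requires and can pass on a system that has no screen-lock keybinding at all. The `describe command(...)` line should run `gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver` so the assertion matches the documented check.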
@@ -329,35 +333,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check how many uppercase characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"ucredit\" parameter (as a negative number) will indicate how many\nuppercase characters are required. The DoD requires at least one uppercase\ncharacter in a password. This would appear as \"ucredit=-1\".\n\nIf \"ucredit\" is not found or not set to the required value, this is a finding.", - "fix": "The pam_cracklib module's \"ucredit=\" parameter controls\nrequirements for usage of uppercase letters in a password. When set to a\nnegative number, any password will be required to contain that many uppercase\ncharacters. When set to a positive number, pam_cracklib will grant +1\nadditional length credit for each uppercase character.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"ucredit=-1\"\nafter pam_cracklib.so to require use of an uppercase character in passwords." + "check": "To check the ownership of \"/boot/grub/grub.conf\", run the\ncommand:\n\n$ ls -lL /boot/grub/grub.conf\n\nIf properly configured, the output should indicate that the owner is \"root\".\nIf it does not, this is a finding.", + "fix": "The file \"/boot/grub/grub.conf\" should be owned by the \"root\"\nuser to prevent destruction or modification of the file. 
To properly set the\nowner of \"/boot/grub/grub.conf\", run the command:\n\n# chown root /boot/grub/grub.conf" }, - "code": "control \"V-38569\" do\n title \"The system must require passwords to contain at least one uppercase\nalphabetic character.\"\n desc \"Requiring a minimum number of uppercase characters makes password\nguessing attacks more difficult by ensuring a larger search space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000069\"\n tag \"gid\": \"V-38569\"\n tag \"rid\": \"SV-50370r2_rule\"\n tag \"stig_id\": \"RHEL-06-000057\"\n tag \"fix_id\": \"F-43517r2_fix\"\n tag \"cci\": [\"CCI-000192\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many uppercase characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"ucredit\\\" parameter (as a negative number) will indicate how many\nuppercase characters are required. The DoD requires at least one uppercase\ncharacter in a password. This would appear as \\\"ucredit=-1\\\".\n\nIf \\\"ucredit\\\" is not found or not set to the required value, this is a finding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"ucredit=\\\" parameter controls\nrequirements for usage of uppercase letters in a password. When set to a\nnegative number, any password will be required to contain that many uppercase\ncharacters. 
When set to a positive number, pam_cracklib will grant +1\nadditional length credit for each uppercase character.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"ucredit=-1\\\"\nafter pam_cracklib.so to require use of an uppercase character in passwords.\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ucredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ucredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ucredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ucredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ucredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ucredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { 
should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ucredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ucredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\nend\n", + "code": "control \"V-38579\" do\n title \"The system boot loader configuration file(s) must be owned by root.\"\n desc \"Only root should be able to modify important boot parameters.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38579\"\n tag \"rid\": \"SV-50380r2_rule\"\n tag \"stig_id\": \"RHEL-06-000065\"\n tag \"fix_id\": \"F-43527r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/boot/grub/grub.conf\\\", run the\ncommand:\n\n$ ls -lL /boot/grub/grub.conf\n\nIf properly configured, the output should indicate that the owner is \\\"root\\\".\nIf it does not, this is a finding.\"\n tag \"fix\": \"The file \\\"/boot/grub/grub.conf\\\" should be owned by the \\\"root\\\"\nuser to prevent destruction or modification of the file. 
To properly set the\nowner of \\\"/boot/grub/grub.conf\\\", run the command:\n\n# chown root /boot/grub/grub.conf\"\n\n describe.one do\n describe file(\"/boot/grub/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/grub/grub.conf\") do\n its(\"uid\") { should cmp 0 }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n its(\"uid\") { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38569.rb", + "ref": "./Red Hat 6 STIG/controls/V-38579.rb", "line": 1 }, - "id": "V-38569" + "id": "V-38579" }, { - "title": "The openldap-servers package must not be installed unless required.", - "desc": "Unnecessary packages should not be installed to decrease the attack\nsurface of the system.", + "title": "The system package management tool must verify group-ownership on all\nfiles and directories associated with the audit package.", + "desc": "Group-ownership of audit binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.", "descriptions": { - "default": "Unnecessary packages should not be installed to decrease the attack\nsurface of the system." + "default": "Group-ownership of audit binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated." 
},
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-999999",
- "gid": "V-38627",
- "rid": "SV-50428r2_rule",
- "stig_id": "RHEL-06-000256",
- "fix_id": "F-43577r2_fix",
+ "gtitle": "SRG-OS-000258",
+ "gid": "V-38665",
+ "rid": "SV-50466r1_rule",
+ "stig_id": "RHEL-06-000280",
+ "fix_id": "F-43614r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001495"
 ],
 "nist": [
- "CM-6 b",
+ "AU-9",
 "Rev_4"
 ],
 "false_negatives": null,
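Review bot: The new V-38579 `code` value puts four separate `describe file(...)` blocks inside one `describe.one`, which passes once any one of its describe blocks passes; because the first block asserts only that `/boot/grub/grub.conf` `should exist`, the control passes on every system that has the file, whatever its owner, and the `its("uid") { should cmp 0 }` assertions never have to hold (the same applies to the `/boot/efi/EFI/redhat/grub.conf` pair). Existence and ownership of each candidate path belong in a single describe block so that `describe.one` chooses between paths rather than between assertions: `describe file("/boot/grub/grub.conf") do it { should exist }; its("uid") { should cmp 0 } end` and likewise `describe file("/boot/efi/EFI/redhat/grub.conf") do it { should exist }; its("uid") { should cmp 0 } end`.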
@@ -370,35 +374,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the \"openldap-servers\" package is not installed,\nrun the following command:\n\n$ rpm -q openldap-servers\n\nThe output should show the following.\n\npackage openldap-servers is not installed\n\n\nIf it does not, this is a finding.", - "fix": "The \"openldap-servers\" package should be removed if not in use.\n\n# yum erase openldap-servers\n\nThe openldap-servers RPM is not installed by default on RHEL6 machines. It is\nneeded only by the OpenLDAP server, not by the clients which use LDAP for\nauthentication. If the system is not intended for use as an LDAP Server it\nshould be removed." + "check": "The following command will list which audit files on the system\nhave group-ownership different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^......G'\n\n\nIf there is output, this is a finding.", + "fix": "The RPM package management system can restore file\ngroup-ownership of the audit package files and directories. 
The following\ncommand will update audit files with group-ownership different from what is\nexpected by the RPM database:\n\n# rpm --setugids audit" }, - "code": "control \"V-38627\" do\n title \"The openldap-servers package must not be installed unless required.\"\n desc \"Unnecessary packages should not be installed to decrease the attack\nsurface of the system.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38627\"\n tag \"rid\": \"SV-50428r2_rule\"\n tag \"stig_id\": \"RHEL-06-000256\"\n tag \"fix_id\": \"F-43577r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"openldap-servers\\\" package is not installed,\nrun the following command:\n\n$ rpm -q openldap-servers\n\nThe output should show the following.\n\npackage openldap-servers is not installed\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"The \\\"openldap-servers\\\" package should be removed if not in use.\n\n# yum erase openldap-servers\n\nThe openldap-servers RPM is not installed by default on RHEL6 machines. It is\nneeded only by the OpenLDAP server, not by the clients which use LDAP for\nauthentication. 
If the system is not intended for use as an LDAP Server it\nshould be removed.\"\n\n describe package(\"openldap-servers\") do\n it { should_not be_installed }\n end\nend\n", + "code": "control \"V-38665\" do\n title \"The system package management tool must verify group-ownership on all\nfiles and directories associated with the audit package.\"\n desc \"Group-ownership of audit binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000258\"\n tag \"gid\": \"V-38665\"\n tag \"rid\": \"SV-50466r1_rule\"\n tag \"stig_id\": \"RHEL-06-000280\"\n tag \"fix_id\": \"F-43614r1_fix\"\n tag \"cci\": [\"CCI-001495\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which audit files on the system\nhave group-ownership different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^......G'\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"The RPM package management system can restore file\ngroup-ownership of the audit package files and directories. 
The following\ncommand will update audit files with group-ownership different from what is\nexpected by the RPM database:\n\n# rpm --setugids audit\"\n\n describe command(\"rpm -V audit | grep '^......G'\") do\n its('stdout.strip') { should be_empty } \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38627.rb", + "ref": "./Red Hat 6 STIG/controls/V-38665.rb", "line": 1 }, - "id": "V-38627" + "id": "V-38665" }, { - "title": "The audit system must identify staff members to receive notifications\nof audit log storage volume capacity issues.", - "desc": "Email sent to the root account is typically aliased to the\nadministrators of the system, who can take appropriate action.", + "title": "The /etc/shadow file must be owned by root.", + "desc": "The \"/etc/shadow\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture.", "descriptions": { - "default": "Email sent to the root account is typically aliased to the\nadministrators of the system, who can take appropriate action." + "default": "The \"/etc/shadow\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000046", - "gid": "V-38680", - "rid": "SV-50481r1_rule", - "stig_id": "RHEL-06-000313", - "fix_id": "F-43629r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38502", + "rid": "SV-50303r1_rule", + "stig_id": "RHEL-06-000033", + "fix_id": "F-43449r1_fix", "cci": [ - "CCI-000139" + "CCI-000366" ], "nist": [ - "AU-5 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -411,35 +415,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to send email to an account when\nit needs to notify an administrator:\n\naction_mail_acct = root\n\n\nIf auditd is not configured to send emails per identified actions, this is a\nfinding.", - "fix": "The \"auditd\" service can be configured to send email to a\ndesignated account in certain situations. Add or correct the following line in\n\"/etc/audit/auditd.conf\" to ensure that administrators are notified via email\nfor those situations:\n\naction_mail_acct = root" + "check": "To check the ownership of \"/etc/shadow\", run the command:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following owner:\n\"root\"\nIf it does not, this is a finding.", + "fix": "To properly set the owner of \"/etc/shadow\", run the command:\n\n# chown root /etc/shadow" }, - "code": "control \"V-38680\" do\n title \"The audit system must identify staff members to receive notifications\nof audit log storage volume capacity issues.\"\n desc \"Email sent to the root account is typically aliased to the\nadministrators of the system, who can take appropriate action.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000046\"\n tag \"gid\": \"V-38680\"\n tag \"rid\": \"SV-50481r1_rule\"\n tag \"stig_id\": \"RHEL-06-000313\"\n tag \"fix_id\": \"F-43629r1_fix\"\n tag \"cci\": [\"CCI-000139\"]\n tag \"nist\": [\"AU-5 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the 
system is configured to send email to an account when\nit needs to notify an administrator:\n\naction_mail_acct = root\n\n\nIf auditd is not configured to send emails per identified actions, this is a\nfinding.\"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to send email to a\ndesignated account in certain situations. Add or correct the following line in\n\\\"/etc/audit/auditd.conf\\\" to ensure that administrators are notified via email\nfor those situations:\n\naction_mail_acct = root\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^action_mail_acct\\s*=\\s*(\\S+)\\s*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^action_mail_acct\\s*=\\s*(\\S+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should eq \"root\" }\n end\n end\nend\n", + "code": "control \"V-38502\" do\n title \"The /etc/shadow file must be owned by root.\"\n desc \"The \\\"/etc/shadow\\\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. 
Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38502\"\n tag \"rid\": \"SV-50303r1_rule\"\n tag \"stig_id\": \"RHEL-06-000033\"\n tag \"fix_id\": \"F-43449r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/etc/shadow\\\", run the command:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following owner:\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the owner of \\\"/etc/shadow\\\", run the command:\n\n# chown root /etc/shadow\"\n\n describe file(\"/etc/shadow\") do\n it { should exist }\n end\n describe file(\"/etc/shadow\") do\n its(\"uid\") { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38680.rb", + "ref": "./Red Hat 6 STIG/controls/V-38502.rb", "line": 1 }, - "id": "V-38680" + "id": "V-38502" }, { - "title": "There must be no .netrc files on the system.", - "desc": "Unencrypted passwords for remote FTP servers may be stored in\n\".netrc\" files. DoD policy requires passwords be encrypted in storage and not\nused in access scripts.", + "title": "The snmpd service must use only SNMP protocol version 3 or newer.", + "desc": "Earlier versions of SNMP are considered insecure, as they potentially\nallow unauthorized access to detailed system management information.", "descriptions": { - "default": "Unencrypted passwords for remote FTP servers may be stored in\n\".netrc\" files. 
DoD policy requires passwords be encrypted in storage and not\nused in access scripts." + "default": "Earlier versions of SNMP are considered insecure, as they potentially\nallow unauthorized access to detailed system management information." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000073", - "gid": "V-38619", - "rid": "SV-50420r2_rule", - "stig_id": "RHEL-06-000347", - "fix_id": "F-43569r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38660", + "rid": "SV-50461r1_rule", + "stig_id": "RHEL-06-000340", + "fix_id": "F-43604r1_fix", "cci": [ - "CCI-000196" + "CCI-000366" ], "nist": [ - "IA-5 (1) (c)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
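Review bot: The two `describe file("/etc/shadow")` blocks in the new `code` string for V-38502 each carry one expectation on the same resource; a single block holding both `it { should exist }` and `its("uid") { should cmp 0 }` states the contract in one place and is the usual InSpec form. Comparing `uid` to 0 is stricter than the owner-name comparison the `check` text describes with `ls -l`, which is fine, but a one-line comment in the control recording that deliberate choice would help the next reader. The control's title, description and tags sit in the preceding hunk.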
@@ -452,35 +456,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the system for the existence of any \".netrc\" files,\nrun the following command:\n\n$ sudo find /root /home -xdev -name .netrc\n\nIf any .netrc files exist, this is a finding.", - "fix": "The \".netrc\" files contain logon information used to auto-logon\ninto FTP servers and reside in the user's home directory. These files may\ncontain unencrypted passwords to remote FTP servers making them susceptible to\naccess by unauthorized users and should not be used. Any \".netrc\" files\nshould be removed." + "check": "To ensure only SNMPv3 or newer is used, run the following\ncommand:\n\n# grep 'v1\\|v2c\\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'\n\nThere should be no output.\nIf there is output, this is a finding.", + "fix": "Edit \"/etc/snmp/snmpd.conf\", removing any references to \"v1\",\n\"v2c\", or \"com2sec\". Upon doing that, restart the SNMP service:\n\n# service snmpd restart" }, - "code": "control \"V-38619\" do\n title \"There must be no .netrc files on the system.\"\n desc \"Unencrypted passwords for remote FTP servers may be stored in\n\\\".netrc\\\" files. 
DoD policy requires passwords be encrypted in storage and not\nused in access scripts.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000073\"\n tag \"gid\": \"V-38619\"\n tag \"rid\": \"SV-50420r2_rule\"\n tag \"stig_id\": \"RHEL-06-000347\"\n tag \"fix_id\": \"F-43569r2_fix\"\n tag \"cci\": [\"CCI-000196\"]\n tag \"nist\": [\"IA-5 (1) (c)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the system for the existence of any \\\".netrc\\\" files,\nrun the following command:\n\n$ sudo find /root /home -xdev -name .netrc\n\nIf any .netrc files exist, this is a finding.\"\n tag \"fix\": \"The \\\".netrc\\\" files contain logon information used to auto-logon\ninto FTP servers and reside in the user's home directory. These files may\ncontain unencrypted passwords to remote FTP servers making them susceptible to\naccess by unauthorized users and should not be used. 
Any \\\".netrc\\\" files\nshould be removed.\"\n\n describe command('find /root /home -xdev -name .netrc') do\n its('stdout') { should be_empty }\n end\nend\n", + "code": "control \"V-38660\" do\n title \"The snmpd service must use only SNMP protocol version 3 or newer.\"\n desc \"Earlier versions of SNMP are considered insecure, as they potentially\nallow unauthorized access to detailed system management information.\n\n \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38660\"\n tag \"rid\": \"SV-50461r1_rule\"\n tag \"stig_id\": \"RHEL-06-000340\"\n tag \"fix_id\": \"F-43604r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure only SNMPv3 or newer is used, run the following\ncommand:\n\n# grep 'v1\\\\|v2c\\\\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'\n\nThere should be no output.\nIf there is output, this is a finding.\"\n tag \"fix\": \"Edit \\\"/etc/snmp/snmpd.conf\\\", removing any references to \\\"v1\\\",\n\\\"v2c\\\", or \\\"com2sec\\\". 
Upon doing that, restart the SNMP service:\n\n# service snmpd restart\"\n\n describe command(\"grep 'v1\\\\|v2c\\\\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38619.rb", + "ref": "./Red Hat 6 STIG/controls/V-38660.rb", "line": 1 }, - "id": "V-38619" + "id": "V-38660" }, { - "title": "The operating system must support the requirement to centrally manage\nthe content of audit records generated by organization defined information\nsystem components.", - "desc": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.", + "title": "The audit system must be configured to audit successful file system\nmounts.", + "desc": "The unauthorized exportation of data to external media could result in\nan information leak where classified information, Privacy Act information, and\nintellectual property could be lost. An audit trail should be created each time\na filesystem is mounted to help identify and guard against information loss.", "descriptions": { - "default": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise." + "default": "The unauthorized exportation of data to external media could result in\nan information leak where classified information, Privacy Act information, and\nintellectual property could be lost. 
An audit trail should be created each time\na filesystem is mounted to help identify and guard against information loss." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000043", - "gid": "V-38521", - "rid": "SV-50322r1_rule", - "stig_id": "RHEL-06-000137", - "fix_id": "F-43656r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38568", + "rid": "SV-50369r3_rule", + "stig_id": "RHEL-06-000199", + "fix_id": "F-43516r2_fix", "cci": [ - "CCI-000169" + "CCI-000172" ], "nist": [ - "AU-12 a", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
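Review bot: The embedded Ruby `desc` for V-38660 ends with `information.\n\n "` — two newlines and a space inside the string — while the JSON `desc` and `descriptions.default` fields hold the trimmed text, so the same control now carries two slightly different descriptions. Trimming the string in the source control (`desc "Earlier versions of SNMP … management information."`) and regenerating would remove the drift. Separately, when `/etc/snmp/snmpd.conf` is absent the grep pipeline presumably produces empty stdout and the control passes rather than being reported as not applicable; an `only_if { file('/etc/snmp/snmpd.conf').exist? }` guard would make that case explicit in the report. This control's title, description and tags sit in the preceding hunk.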
@@ -493,35 +497,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure logs are sent to a remote host, examine the file\n\"/etc/rsyslog.conf\". If using UDP, a line similar to the following should be\npresent:\n\n*.* @[loghost.example.com]\n\nIf using TCP, a line similar to the following should be present:\n\n*.* @@[loghost.example.com]\n\nIf using RELP, a line similar to the following should be present:\n\n*.* :omrelp:[loghost.example.com]\n\n\nIf none of these are present, this is a finding.", - "fix": "To configure rsyslog to send logs to a remote log server, open\n\"/etc/rsyslog.conf\" and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote logging.\nAlong with these other directives, the system can be configured to forward its\nlogs to a particular log server by adding or correcting one of the following\nlines, substituting \"[loghost.example.com]\" appropriately. The choice of\nprotocol depends on the environment of the system; although TCP and RELP\nprovide more reliable message delivery, they may not be supported in all\nenvironments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com]" + "check": "To verify that auditing is configured for all media exportation\nevents, run the following command:\n\n$ sudo grep -w \"mount\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect media exportation\nevents for all users and root. 
Add the following to \"/etc/audit/audit.rules\",\nsetting ARCH to either b32 or b64 as appropriate for your system:\n\n-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export\n-a always,exit -F arch=ARCH -S mount -F auid=0 -k export" }, - "code": "control \"V-38521\" do\n title \"The operating system must support the requirement to centrally manage\nthe content of audit records generated by organization defined information\nsystem components.\"\n desc \"A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000043\"\n tag \"gid\": \"V-38521\"\n tag \"rid\": \"SV-50322r1_rule\"\n tag \"stig_id\": \"RHEL-06-000137\"\n tag \"fix_id\": \"F-43656r1_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure logs are sent to a remote host, examine the file\n\\\"/etc/rsyslog.conf\\\". 
If using UDP, a line similar to the following should be\npresent:\n\n*.* @[loghost.example.com]\n\nIf using TCP, a line similar to the following should be present:\n\n*.* @@[loghost.example.com]\n\nIf using RELP, a line similar to the following should be present:\n\n*.* :omrelp:[loghost.example.com]\n\n\nIf none of these are present, this is a finding.\"\n tag \"fix\": \"To configure rsyslog to send logs to a remote log server, open\n\\\"/etc/rsyslog.conf\\\" and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote logging.\nAlong with these other directives, the system can be configured to forward its\nlogs to a particular log server by adding or correcting one of the following\nlines, substituting \\\"[loghost.example.com]\\\" appropriately. The choice of\nprotocol depends on the environment of the system; although TCP and RELP\nprovide more reliable message delivery, they may not be supported in all\nenvironments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com]\"\n\n describe file('/etc/rsyslog.conf') do\n its('content') {\n should (match %r{^\\s*\\*\\.\\*\\s+@[^@#]+}).or (match %r{^\\s*\\*\\.\\*\\s+@@[^@#]+}). or (match %r{^\\s*\\*\\.\\*\\s+:omrelp:[^@#]+})\n }\n end\nend\n", + "code": "control \"V-38568\" do\n title \"The audit system must be configured to audit successful file system\nmounts.\"\n desc \"The unauthorized exportation of data to external media could result in\nan information leak where classified information, Privacy Act information, and\nintellectual property could be lost. 
An audit trail should be created each time\na filesystem is mounted to help identify and guard against information loss.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38568\"\n tag \"rid\": \"SV-50369r3_rule\"\n tag \"stig_id\": \"RHEL-06-000199\"\n tag \"fix_id\": \"F-43516r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that auditing is configured for all media exportation\nevents, run the following command:\n\n$ sudo grep -w \\\"mount\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect media exportation\nevents for all users and root. 
Add the following to \\\"/etc/audit/audit.rules\\\",\nsetting ARCH to either b32 or b64 as appropriate for your system:\n\n-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export\n-a always,exit -F arch=ARCH -S mount -F auid=0 -k export\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s]+(?:always,exit|exit,always)\\s+(-F\\s+arch=b32\\s+).*(?:,|-S\\s+)mount(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:4294967295|-1)\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s]+(?:always,exit|exit,always)\\s+(-F\\s+arch=b64\\s+).*(?:,|-S\\s+)mount(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:4294967295|-1)\\s+-k\\s+\\S+\\s*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38521.rb", + "ref": "./Red Hat 6 STIG/controls/V-38568.rb", "line": 1 }, - "id": "V-38521" + "id": "V-38568" }, { - "title": "The system must prevent the root account from logging in from serial\nconsoles.", - "desc": "Preventing direct root login to serial port interfaces helps ensure\naccountability for actions taken on the systems using the root account.", + "title": "The Bluetooth service must be disabled.", + "desc": "Disabling the \"bluetooth\" service prevents the system from\nattempting connections to Bluetooth devices, which entails some security risk.\nNevertheless, variation in this risk decision may be expected due to the\nutility of Bluetooth connectivity and its limited range.", "descriptions": { - "default": "Preventing direct root login to serial port interfaces helps ensure\naccountability for actions taken on the systems using the root account." 
+ "default": "Disabling the \"bluetooth\" service prevents the system from\nattempting connections to Bluetooth devices, which entails some security risk.\nNevertheless, variation in this risk decision may be expected due to the\nutility of Bluetooth connectivity and its limited range." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000109", - "gid": "V-38494", - "rid": "SV-50295r1_rule", - "stig_id": "RHEL-06-000028", - "fix_id": "F-43441r1_fix", + "gtitle": "SRG-OS-000034", + "gid": "V-38691", + "rid": "SV-50492r2_rule", + "stig_id": "RHEL-06-000331", + "fix_id": "F-43640r1_fix", "cci": [ - "CCI-000770" + "CCI-000085" ], "nist": [ - "IA-2 (5)", + "AC-19 c", "Rev_4" ], "false_negatives": null, 
@@ -534,35 +538,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check for serial port entries which permit root login, run\nthe following command:\n\n# grep '^ttyS[0-9]' /etc/securetty\n\nIf any output is returned, then root login over serial ports is permitted.\nIf root login over serial ports is permitted, this is a finding.", - "fix": "To restrict root logins on serial ports, ensure lines of this\nform do not appear in \"/etc/securetty\":\n\nttyS0\nttyS1\n\nNote: Serial port entries are not limited to those listed above. Any lines\nstarting with \"ttyS\" followed by numerals should be removed" + "check": "To check that the \"bluetooth\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \"bluetooth\" --list\n\nOutput should indicate the \"bluetooth\" service has either not been installed\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"bluetooth\" --list\n\"bluetooth\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\n\nIf the service is configured to run, this is a finding.", + "fix": "The \"bluetooth\" service can be disabled with the following\ncommand:\n\n# chkconfig bluetooth off\n\n\n\n# service bluetooth stop" }, - "code": "control \"V-38494\" do\n title \"The system must prevent the root account from logging in from serial\nconsoles.\"\n desc \"Preventing direct root login to serial port interfaces helps ensure\naccountability for actions taken on the systems using the root account.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000109\"\n tag \"gid\": \"V-38494\"\n tag \"rid\": \"SV-50295r1_rule\"\n tag \"stig_id\": \"RHEL-06-000028\"\n tag \"fix_id\": \"F-43441r1_fix\"\n tag \"cci\": [\"CCI-000770\"]\n tag \"nist\": [\"IA-2 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n 
tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check for serial port entries which permit root login, run\nthe following command:\n\n# grep '^ttyS[0-9]' /etc/securetty\n\nIf any output is returned, then root login over serial ports is permitted.\nIf root login over serial ports is permitted, this is a finding.\"\n tag \"fix\": \"To restrict root logins on serial ports, ensure lines of this\nform do not appear in \\\"/etc/securetty\\\":\n\nttyS0\nttyS1\n\nNote: Serial port entries are not limited to those listed above. Any lines\nstarting with \\\"ttyS\\\" followed by numerals should be removed\"\n\n describe file(\"/etc/securetty\") do\n its(\"content\") { should_not match(/^ttyS[0-9]+$/) }\n end\nend\n", + "code": "control \"V-38691\" do\n title \"The Bluetooth service must be disabled.\"\n desc \"Disabling the \\\"bluetooth\\\" service prevents the system from\nattempting connections to Bluetooth devices, which entails some security risk.\nNevertheless, variation in this risk decision may be expected due to the\nutility of Bluetooth connectivity and its limited range.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000034\"\n tag \"gid\": \"V-38691\"\n tag \"rid\": \"SV-50492r2_rule\"\n tag \"stig_id\": \"RHEL-06-000331\"\n tag \"fix_id\": \"F-43640r1_fix\"\n tag \"cci\": [\"CCI-000085\"]\n tag \"nist\": [\"AC-19 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"bluetooth\\\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \\\"bluetooth\\\" --list\n\nOutput should indicate the \\\"bluetooth\\\" service has 
either not been installed\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"bluetooth\\\" --list\n\\\"bluetooth\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\n\nIf the service is configured to run, this is a finding.\"\n tag \"fix\": \"The \\\"bluetooth\\\" service can be disabled with the following\ncommand:\n\n# chkconfig bluetooth off\n\n\n\n# service bluetooth stop\"\n\n describe service(\"bluetooth\").runlevels(/0/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/1/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/2/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/3/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/4/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/5/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/6/) do\n it { should_not be_enabled }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38494.rb", + "ref": "./Red Hat 6 STIG/controls/V-38691.rb", "line": 1 }, - "id": "V-38494" + "id": "V-38691" }, { - "title": "The audit system must take appropriate action when there are disk\nerrors on the audit storage volume.", - "desc": "Taking appropriate action in case of disk errors will minimize the\npossibility of losing audit records.", + "title": "The system must employ a local IPv6 firewall.", + "desc": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.", "descriptions": { - "default": "Taking appropriate action in case of disk errors will minimize the\npossibility of losing audit records." + "default": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000047", - "gid": "V-38464", - "rid": "SV-50264r1_rule", - "stig_id": "RHEL-06-000511", - "fix_id": "F-43410r1_fix", + "gtitle": "SRG-OS-000152", + "gid": "V-38549", + "rid": "SV-50350r3_rule", + "stig_id": "RHEL-06-000103", + "fix_id": "F-43497r3_fix", "cci": [ - "CCI-000140" + "CCI-001118" ], "nist": [ - "AU-5 b", + "SC-7 (12)", "Rev_4" ], "false_negatives": null, 
@@ -575,35 +579,43 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to take appropriate action when\ndisk errors occur:\n\n# grep disk_error_action /etc/audit/auditd.conf\ndisk_error_action = [ACTION]\n\n\nIf the system is configured to \"suspend\" when disk errors occur or \"ignore\"\nthem, this is a finding.", - "fix": "Edit the file \"/etc/audit/auditd.conf\". Modify the following\nline, substituting [ACTION] appropriately:\n\ndisk_error_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page.\nThese include:\n\n\"ignore\"\n\"syslog\"\n\"exec\"\n\"suspend\"\n\"single\"\n\"halt\"\n\n\nSet this to \"syslog\", \"exec\", \"single\", or \"halt\"." + "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"ip6tables\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start" }, - "code": "control \"V-38464\" do\n title \"The audit system must take appropriate action when there are disk\nerrors on the audit storage volume.\"\n desc \"Taking appropriate action in case of disk errors will minimize the\npossibility of losing audit records.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000047\"\n tag \"gid\": \"V-38464\"\n tag \"rid\": \"SV-50264r1_rule\"\n tag \"stig_id\": \"RHEL-06-000511\"\n tag \"fix_id\": \"F-43410r1_fix\"\n tag \"cci\": [\"CCI-000140\"]\n tag \"nist\": [\"AU-5 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": 
false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to take appropriate action when\ndisk errors occur:\n\n# grep disk_error_action /etc/audit/auditd.conf\ndisk_error_action = [ACTION]\n\n\nIf the system is configured to \\\"suspend\\\" when disk errors occur or \\\"ignore\\\"\nthem, this is a finding.\"\n tag \"fix\": \"Edit the file \\\"/etc/audit/auditd.conf\\\". Modify the following\nline, substituting [ACTION] appropriately:\n\ndisk_error_action = [ACTION]\n\nPossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page.\nThese include:\n\n\\\"ignore\\\"\n\\\"syslog\\\"\n\\\"exec\\\"\n\\\"suspend\\\"\n\\\"single\\\"\n\\\"halt\\\"\n\n\nSet this to \\\"syslog\\\", \\\"exec\\\", \\\"single\\\", or \\\"halt\\\".\"\n\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('disk_error_action') { should_not be_nil }\n its('disk_error_action.downcase') { should_not be_in ['suspend', 'ignore'] }\n end\nend\n", + "code": "control \"V-38549\" do\n title \"The system must employ a local IPv6 firewall.\"\n desc \"The \\\"ip6tables\\\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000152\"\n tag \"gid\": \"V-38549\"\n tag \"rid\": \"SV-50350r3_rule\"\n tag \"stig_id\": \"RHEL-06-000103\"\n tag \"fix_id\": \"F-43497r3_fix\"\n tag \"cci\": [\"CCI-001118\"]\n tag \"nist\": [\"SC-7 (12)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag 
\"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \\\"ip6tables\\\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"ip6tables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start\"\n\n describe service('ip6tables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38464.rb", + "ref": "./Red Hat 6 STIG/controls/V-38549.rb", "line": 1 }, - "id": "V-38464" + "id": "V-38549" }, { - "title": "The audit system must be configured to audit all attempts to alter\nsystem time through /etc/localtime.", - "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", + "title": "The Department of Defense (DoD) login banner must be displayed\nimmediately prior to, or as part of, console login prompts.", + "desc": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.", "descriptions": { - "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." 
+ "default": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers."
 }, 
- "impact": 0.3, 
+ "impact": 0.5,
 "refs": [],
 "tags": { 
- "gtitle": "SRG-OS-000062", 
- "gid": "V-38530", 
- "rid": "SV-50331r2_rule", 
- "stig_id": "RHEL-06-000173", 
- "fix_id": "F-43477r1_fix", 
+ "gtitle": "SRG-OS-000228", 
+ "gid": "V-38593", 
+ "rid": "SV-50394r3_rule", 
+ "stig_id": "RHEL-06-000073", 
+ "fix_id": "F-43540r3_fix",
 "cci": [ 
- "CCI-000169" 
+ "CCI-001384", 
+ "CCI-001385", 
+ "CCI-001386", 
+ "CCI-001387", 
+ "CCI-001388"
 ],
 "nist": [ 
- "AU-12 a", 
+ "AC-8 c 1", 
+ "AC-8 c 2", 
+ "AC-8 c 2", 
+ "AC-8 c 2", 
+ "AC-8 c 3",
 "Rev_4"
 ],
 "false_negatives": null, 
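Review bot: The new V-38549 `code` string asserts `service('ip6tables')` is enabled and running unconditionally, while the control's own check text makes the rule Not Applicable when IPv6 is disabled or the host is a cross-domain system, so those hosts will be reported as failing rather than N/A. The removed V-38638 code elsewhere in this diff shows the profile's existing pattern for that situation (`impact 0.0` plus a `skip` describe when the precondition is not met); the ip6tables body should branch the same way on an IPv6-disabled probe, one candidate being `kernel_parameter('net.ipv6.conf.all.disable_ipv6')`, though IPv6 can also be disabled on a RHEL 6 host via modprobe options, so confirm the probe against how your hosts actually do it; cross-domain status cannot be detected from the box and is best left as a manual/waiver case. Since the `code` strings are generated from the `.rb` named in `source_location`, the change belongs in `./Red Hat 6 STIG/controls/V-38549.rb` with the JSON regenerated. Separately, every control added here carries `./Red Hat 6 STIG/controls/...` source refs and RHEL-6-era `chkconfig`/`service` commands — worth confirming that is the platform this baseline is meant to describe.
```ruby
# … unchanged: title/desc/impact/tag lines of control "V-38549" …
if kernel_parameter('net.ipv6.conf.all.disable_ipv6').value == 1
  impact 0.0
  describe 'IPv6 is disabled on this system' do
    skip 'IPv6 is disabled; V-38549 is Not Applicable'
  end
else
  describe service('ip6tables') do
    it { should be_enabled }
    it { should be_running }
  end
end
```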
@@ -616,30 +628,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit attempts to\nalter time via the /etc/localtime file, run the following command:\n\n$ sudo grep -w \"/etc/localtime\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding.", - "fix": "Add the following to \"/etc/audit/audit.rules\":\n\n-w /etc/localtime -p wa -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport and should\nalways be used." + "check": "To check if the system login banner is compliant, run the\nfollowing command:\n\n$ cat /etc/issue\n\n\nNote: The full text banner must be implemented unless there are character\nlimitations that prevent the display of the full DoD logon banner.\n\nIf the required DoD logon banner is not displayed, this is a finding.\n", + "fix": "To configure the system login banner:\n\nEdit \"/etc/issue\". Replace the default text with a message compliant with the\nlocal site policy or a legal disclaimer. The DoD required text is either:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. 
By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the device cannot support the full DoD logon banner due to character\nlimitations, the following text can be used:\n\n\"I've read & consent to terms in IS user agreem't.\"" }, - "code": "control \"V-38530\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through /etc/localtime.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). 
All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38530\"\n tag \"rid\": \"SV-50331r2_rule\"\n tag \"stig_id\": \"RHEL-06-000173\"\n tag \"fix_id\": \"F-43477r1_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit attempts to\nalter time via the /etc/localtime file, run the following command:\n\n$ sudo grep -w \\\"/etc/localtime\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/localtime -p wa -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport and should\nalways be used.\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+\\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\\b.*-k[\\s]+[\\S]+[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38593\" do\n title \"The Department of Defense (DoD) login banner must be displayed\nimmediately prior to, or as part of, console login prompts.\"\n desc \"An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000228\"\n tag \"gid\": \"V-38593\"\n tag \"rid\": \"SV-50394r3_rule\"\n tag \"stig_id\": \"RHEL-06-000073\"\n tag 
\"fix_id\": \"F-43540r3_fix\"\n tag \"cci\": [\"CCI-001384\", \"CCI-001385\", \"CCI-001386\", \"CCI-001387\",\n\"CCI-001388\"]\n tag \"nist\": [\"AC-8 c 1\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 3\",\n\"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check if the system login banner is compliant, run the\nfollowing command:\n\n$ cat /etc/issue\n\n\nNote: The full text banner must be implemented unless there are character\nlimitations that prevent the display of the full DoD logon banner.\n\nIf the required DoD logon banner is not displayed, this is a finding.\n\"\n tag \"fix\": \"To configure the system login banner:\n\nEdit \\\"/etc/issue\\\". Replace the default text with a message compliant with the\nlocal site policy or a legal disclaimer. The DoD required text is either:\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. 
By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\nIf the device cannot support the full DoD logon banner due to character\nlimitations, the following text can be used:\n\n\\\"I've read & consent to terms in IS user agreem't.\\\"\"\n\n banner_text = file('/etc/issue').content.gsub(%r{[\\r\\n\\s]}, '')\n\n describe \"Banner text\" do\n subject { banner_text }\n it { should eq input('banner_text').gsub(%r{[\\r\\n\\s]}, '') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38530.rb", + "ref": "./Red Hat 6 STIG/controls/V-38593.rb", "line": 1 }, - "id": "V-38530" + "id": "V-38593" }, { - "title": "The operating system, upon successful logon/access, must display to\nthe user the number of unsuccessful logon/access attempts since the last\nsuccessful logon/access.", - "desc": "Users need to be aware of activity that occurs regarding their\naccount. Providing users with information regarding the number of unsuccessful\nattempts that were made to login to their account allows the user to determine\nif any unauthorized activity has occurred and gives them an opportunity to\nnotify administrators.", + "title": "The /etc/gshadow file must have mode 0000.", + "desc": "The /etc/gshadow file contains group password hashes. Protection of\nthis file is critical for system security.", "descriptions": { - "default": "Users need to be aware of activity that occurs regarding their\naccount. Providing users with information regarding the number of unsuccessful\nattempts that were made to login to their account allows the user to determine\nif any unauthorized activity has occurred and gives them an opportunity to\nnotify administrators." + "default": "The /etc/gshadow file contains group password hashes. Protection of\nthis file is critical for system security." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-999999", 
- "gid": "V-51875", 
- "rid": "SV-66089r1_rule", 
- "stig_id": "RHEL-06-000372", 
- "fix_id": "F-56701r1_fix", 
+ "gid": "V-38449", 
+ "rid": "SV-50249r1_rule", 
+ "stig_id": "RHEL-06-000038", 
+ "fix_id": "F-43394r1_fix",
 "cci": [
 "CCI-000366"
 ], 
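Review bot: In the V-38593 `code` string, `file('/etc/issue').content.gsub(...)` raises NoMethodError when `/etc/issue` is absent, because `content` is nil for a missing file, so the control errors out instead of producing the finding the check text calls for; `banner_text = file('/etc/issue').content.to_s.gsub(%r{\s}, '')` (or a preceding `it { should exist }`) turns that into a clean failure, and `\s` already covers `\r`/`\n` so the longer character class is redundant. The comparison is also a strict equality against one `input('banner_text')`, so the short-form banner the fix text explicitly permits for character-limited devices (`I've read & consent to terms in IS user agreem't.`) can never pass; accepting either the configured full text or that short string would match the STIG wording. `input('banner_text')` presumes the profile declares that input — the inputs list is not in this hunk, so confirm it is defined or the control will error on every host. The `.rb` named in `source_location` is where to make the change; this JSON is generated from it.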
@@ -657,35 +669,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure that last logon/access notification is configured\ncorrectly, run the following command:\n\n# grep pam_lastlog.so /etc/pam.d/system-auth\n\nThe output should show output \"showfailed\". If that is not the case, this is\na finding. ", - "fix": "To configure the system to notify users of last logon/access\nusing \"pam_lastlog\", add the following line immediately after \"session\nrequired pam_limits.so\":\n\nsession required pam_lastlog.so showfailed" + "check": "To check the permissions of \"/etc/gshadow\", run the command:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following permissions:\n\"----------\"\nIf it does not, this is a finding.", + "fix": "To properly set the permissions of \"/etc/gshadow\", run the\ncommand:\n\n# chmod 0000 /etc/gshadow" }, - "code": "control \"V-51875\" do\n title \"The operating system, upon successful logon/access, must display to\nthe user the number of unsuccessful logon/access attempts since the last\nsuccessful logon/access.\"\n desc \"Users need to be aware of activity that occurs regarding their\naccount. Providing users with information regarding the number of unsuccessful\nattempts that were made to login to their account allows the user to determine\nif any unauthorized activity has occurred and gives them an opportunity to\nnotify administrators. 
\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51875\"\n tag \"rid\": \"SV-66089r1_rule\"\n tag \"stig_id\": \"RHEL-06-000372\"\n tag \"fix_id\": \"F-56701r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure that last logon/access notification is configured\ncorrectly, run the following command:\n\n# grep pam_lastlog.so /etc/pam.d/system-auth\n\nThe output should show output \\\"showfailed\\\". If that is not the case, this is\na finding. \"\n tag \"fix\": \"To configure the system to notify users of last logon/access\nusing \\\"pam_lastlog\\\", add the following line immediately after \\\"session\nrequired pam_limits.so\\\":\n\nsession required pam_lastlog.so showfailed\"\n\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*session\\s+(required|requisite)?\\s+pam_lastlog.so[\\s\\w\\d\\=]+showfailed/) }\n end\nend\n", + "code": "control \"V-38449\" do\n title \"The /etc/gshadow file must have mode 0000.\"\n desc \"The /etc/gshadow file contains group password hashes. 
Protection of\nthis file is critical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38449\"\n tag \"rid\": \"SV-50249r1_rule\"\n tag \"stig_id\": \"RHEL-06-000038\"\n tag \"fix_id\": \"F-43394r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/etc/gshadow\\\", run the command:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following permissions:\n\\\"----------\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the permissions of \\\"/etc/gshadow\\\", run the\ncommand:\n\n# chmod 0000 /etc/gshadow\"\n\n describe file(\"/etc/gshadow\") do\n it { should exist }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_readable.by \"group\" }\n end\n describe file(\"/etc/gshadow\") do\n its(\"gid\") { should cmp 0 }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_readable.by \"other\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_setgid }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_sticky }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_setuid }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_executable.by \"owner\" }\n end\n 
describe file(\"/etc/gshadow\") do\n it { should_not be_readable.by \"owner\" }\n end\n describe file(\"/etc/gshadow\") do\n its(\"uid\") { should cmp 0 }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_writable.by \"owner\" }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-51875.rb", + "ref": "./Red Hat 6 STIG/controls/V-38449.rb", "line": 1 }, - "id": "V-51875" + "id": "V-38449" }, { - "title": "The graphical desktop environment must have automatic lock enabled.", - "desc": "Enabling the activation of the screen lock after an idle period\nensures password entry will be required in order to access the system,\npreventing access by passersby.", + "title": "The system must prevent the root account from logging in from serial\nconsoles.", + "desc": "Preventing direct root login to serial port interfaces helps ensure\naccountability for actions taken on the systems using the root account.", "descriptions": { - "default": "Enabling the activation of the screen lock after an idle period\nensures password entry will be required in order to access the system,\npreventing access by passersby." + "default": "Preventing direct root login to serial port interfaces helps ensure\naccountability for actions taken on the systems using the root account." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000029", - "gid": "V-38638", - "rid": "SV-50439r3_rule", - "stig_id": "RHEL-06-000259", - "fix_id": "F-43587r1_fix", + "gtitle": "SRG-OS-000109", + "gid": "V-38494", + "rid": "SV-50295r1_rule", + "stig_id": "RHEL-06-000028", + "fix_id": "F-43441r1_fix", "cci": [ - "CCI-000057" + "CCI-000770" ], "nist": [ - "AC-11 a", + "IA-2 (5)", "Rev_4" ], "false_negatives": null, 
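Review bot: The V-38449 `code` string spreads one mode-0000 requirement over fifteen separate `describe file("/etc/gshadow")` blocks and, in the `uid`/`gid` `should cmp 0` assertions, tests ownership that the control's check text (`ls -l` showing `----------`) does not cover, so a wrong owner would be reported as a mode finding under this ID. A single block, `describe file('/etc/gshadow') do it { should exist }; its('mode') { should cmp '0000' } end`, states the requirement directly and is what a reader of the check text expects; if ownership is deliberately wanted here as well, `its('owner') { should eq 'root' }` is clearer than comparing the uid. The V-38494 control whose metadata begins in this hunk has its `code` in the next hunk. The `.rb` named in `source_location` is the place to change this, with the JSON regenerated.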
@@ -698,35 +710,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo check the status of the idle screen lock activation, run the following\ncommand:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/lock_enabled\n\nIf properly configured, the output should be \"true\".\nIf it is not, this is a finding.", - "fix": "Run the following command to activate locking of the screensaver\nin the GNOME desktop when it is activated:\n\n# gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool \\\n--set /apps/gnome-screensaver/lock_enabled true" + "check": "To check for serial port entries which permit root login, run\nthe following command:\n\n# grep '^ttyS[0-9]' /etc/securetty\n\nIf any output is returned, then root login over serial ports is permitted.\nIf root login over serial ports is permitted, this is a finding.", + "fix": "To restrict root logins on serial ports, ensure lines of this\nform do not appear in \"/etc/securetty\":\n\nttyS0\nttyS1\n\nNote: Serial port entries are not limited to those listed above. 
Any lines\nstarting with \"ttyS\" followed by numerals should be removed" }, - "code": "control \"V-38638\" do\n title \"The graphical desktop environment must have automatic lock enabled.\"\n desc \"Enabling the activation of the screen lock after an idle period\nensures password entry will be required in order to access the system,\npreventing access by passersby.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000029\"\n tag \"gid\": \"V-38638\"\n tag \"rid\": \"SV-50439r3_rule\"\n tag \"stig_id\": \"RHEL-06-000259\"\n tag \"fix_id\": \"F-43587r1_fix\"\n tag \"cci\": [\"CCI-000057\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo check the status of the idle screen lock activation, run the following\ncommand:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/lock_enabled\n\nIf properly configured, the output should be \\\"true\\\".\nIf it is not, this is a finding.\"\n tag \"fix\": \"Run the following command to activate locking of the screensaver\nin the GNOME desktop when it is activated:\n\n# gconftool-2 --direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type bool \\\\\n--set /apps/gnome-screensaver/lock_enabled true\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled\") do\n its('stdout.strip') { should eq 'true' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control 
Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-38494\" do\n title \"The system must prevent the root account from logging in from serial\nconsoles.\"\n desc \"Preventing direct root login to serial port interfaces helps ensure\naccountability for actions taken on the systems using the root account.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000109\"\n tag \"gid\": \"V-38494\"\n tag \"rid\": \"SV-50295r1_rule\"\n tag \"stig_id\": \"RHEL-06-000028\"\n tag \"fix_id\": \"F-43441r1_fix\"\n tag \"cci\": [\"CCI-000770\"]\n tag \"nist\": [\"IA-2 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check for serial port entries which permit root login, run\nthe following command:\n\n# grep '^ttyS[0-9]' /etc/securetty\n\nIf any output is returned, then root login over serial ports is permitted.\nIf root login over serial ports is permitted, this is a finding.\"\n tag \"fix\": \"To restrict root logins on serial ports, ensure lines of this\nform do not appear in \\\"/etc/securetty\\\":\n\nttyS0\nttyS1\n\nNote: Serial port entries are not limited to those listed above. Any lines\nstarting with \\\"ttyS\\\" followed by numerals should be removed\"\n\n describe file(\"/etc/securetty\") do\n its(\"content\") { should_not match(/^ttyS[0-9]+$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38638.rb", + "ref": "./Red Hat 6 STIG/controls/V-38494.rb", "line": 1 }, - "id": "V-38638" + "id": "V-38494" }, { - "title": "Library files must have mode 0755 or less permissive.", - "desc": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. 
Restrictive permissions are necessary to protect the integrity of the\nsystem.", + "title": "The operating system must conduct backups of user-level information\ncontained in the operating system per organization defined frequency to conduct\nbackups consistent with recovery time and recovery point objectives.", + "desc": "Operating system backup is a critical step in maintaining data\nassurance and availability. User-level information is data generated by\ninformation system and/or application users. Backups shall be consistent with\norganizational recovery time and recovery point objectives.", "descriptions": { - "default": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Restrictive permissions are necessary to protect the integrity of the\nsystem." + "default": "Operating system backup is a critical step in maintaining data\nassurance and availability. User-level information is data generated by\ninformation system and/or application users. Backups shall be consistent with\norganizational recovery time and recovery point objectives." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000259", - "gid": "V-38465", - "rid": "SV-50265r3_rule", - "stig_id": "RHEL-06-000045", - "fix_id": "F-43409r2_fix", + "gtitle": "SRG-OS-000099", + "gid": "V-38488", + "rid": "SV-50289r1_rule", + "stig_id": "RHEL-06-000504", + "fix_id": "F-43435r1_fix", "cci": [ - "CCI-001499" + "CCI-000535" ], "nist": [ - "CM-5 (6)", + "CP-9a", "Rev_4" ], "false_negatives": null, 
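Review bot: The V-38494 regex `/^ttyS[0-9]+$/` is narrower than the check text's `grep '^ttyS[0-9]'`: an entry such as `ttyS0 ` with trailing whitespace is reported compliant by the code but flagged by the manual check, a false pass on the permissive side. Mirroring the check with `its('content') { should_not match(/^ttyS[0-9]/) }` closes that gap. When `/etc/securetty` is absent, `content` is nil and `should_not match` appears to pass vacuously; if memory serves, pam_securetty treats a missing file as permissive, so an `it { should exist }` assertion is worth adding — confirm against the PAM version on the target hosts. The V-38488 control whose metadata begins in this hunk has its `code` outside it, and the fix belongs in the `.rb` named in `source_location`.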
@@ -739,39 +751,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "System-wide shared library files, which are linked to\nexecutables during process load time or run time, are stored in the following\ndirectories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\n\nKernel modules, which can be added to the kernel during runtime, are stored in\n\"/lib/modules\". All files in these directories should not be group-writable\nor world-writable. To find shared libraries that are group-writable or\nworld-writable, run the following command for each directory [DIR] which\ncontains shared libraries:\n\n$ find -L [DIR] -perm /022 -type f\n\n\nIf any of these files (excluding broken symlinks) are group-writable or\nworld-writable, this is a finding.", - "fix": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\nIf any file in these directories is found to be group-writable or\nworld-writable, correct its permission with the following command:\n\n# chmod go-w [FILE]" + "check": "Ask an administrator if a process exists to back up user data\nfrom the system.\n\nIf such a process does not exist, this is a finding.", + "fix": "Procedures to back up user data from the system must be\nestablished and executed. The Red Hat operating system provides utilities for\nautomating such a process. Commercial and open-source products are also\navailable.\n\nImplement a process whereby user data is backed up from the system in\naccordance with local policies." }, - "code": "control \"V-38465\" do\n title \"Library files must have mode 0755 or less permissive.\"\n desc \"Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. 
Restrictive permissions are necessary to protect the integrity of the\nsystem.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000259\"\n tag \"gid\": \"V-38465\"\n tag \"rid\": \"SV-50265r3_rule\"\n tag \"stig_id\": \"RHEL-06-000045\"\n tag \"fix_id\": \"F-43409r2_fix\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"System-wide shared library files, which are linked to\nexecutables during process load time or run time, are stored in the following\ndirectories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\n\nKernel modules, which can be added to the kernel during runtime, are stored in\n\\\"/lib/modules\\\". All files in these directories should not be group-writable\nor world-writable. 
To find shared libraries that are group-writable or\nworld-writable, run the following command for each directory [DIR] which\ncontains shared libraries:\n\n$ find -L [DIR] -perm /022 -type f\n\n\nIf any of these files (excluding broken symlinks) are group-writable or\nworld-writable, this is a finding.\"\n tag \"fix\": \"System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\nIf any file in these directories is found to be group-writable or\nworld-writable, correct its permission with the following command:\n\n# chmod go-w [FILE]\"\n\n libs = [\"/lib\", \"/lib64\", \"/usr/lib\", \"/usr/lib64\"]\n libs.each do |l|\n describe command(\"find -L #{l} -perm /022 -type f\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", + "code": "control \"V-38488\" do\n title \"The operating system must conduct backups of user-level information\ncontained in the operating system per organization defined frequency to conduct\nbackups consistent with recovery time and recovery point objectives.\"\n desc \"Operating system backup is a critical step in maintaining data\nassurance and availability. User-level information is data generated by\ninformation system and/or application users. 
Backups shall be consistent with\norganizational recovery time and recovery point objectives.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000099\"\n tag \"gid\": \"V-38488\"\n tag \"rid\": \"SV-50289r1_rule\"\n tag \"stig_id\": \"RHEL-06-000504\"\n tag \"fix_id\": \"F-43435r1_fix\"\n tag \"cci\": [\"CCI-000535\"]\n tag \"nist\": [\"CP-9a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Ask an administrator if a process exists to back up user data\nfrom the system.\n\nIf such a process does not exist, this is a finding.\"\n tag \"fix\": \"Procedures to back up user data from the system must be\nestablished and executed. The Red Hat operating system provides utilities for\nautomating such a process. Commercial and open-source products are also\navailable.\n\nImplement a process whereby user data is backed up from the system in\naccordance with local policies.\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38465.rb", + "ref": "./Red Hat 6 STIG/controls/V-38488.rb", "line": 1 }, - "id": "V-38465" + "id": "V-38488" }, { - "title": "Wireless network adapters must be disabled.", - "desc": "The use of wireless networking can introduce many different attack\nvectors into the organization's network. 
Common attack vectors such as\nmalicious association and ad hoc networks will allow an attacker to spoof a\nwireless access point (AP), allowing validated systems to connect to the\nmalicious AP and enabling the attacker to monitor and record network traffic.\nThese malicious APs can also serve to create a man-in-the-middle attack or be\nused to create a denial of service to valid network resources.", + "title": "There must be no .netrc files on the system.", + "desc": "Unencrypted passwords for remote FTP servers may be stored in\n\".netrc\" files. DoD policy requires passwords be encrypted in storage and not\nused in access scripts.", "descriptions": { - "default": "The use of wireless networking can introduce many different attack\nvectors into the organization's network. Common attack vectors such as\nmalicious association and ad hoc networks will allow an attacker to spoof a\nwireless access point (AP), allowing validated systems to connect to the\nmalicious AP and enabling the attacker to monitor and record network traffic.\nThese malicious APs can also serve to create a man-in-the-middle attack or be\nused to create a denial of service to valid network resources." + "default": "Unencrypted passwords for remote FTP servers may be stored in\n\".netrc\" files. DoD policy requires passwords be encrypted in storage and not\nused in access scripts." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "RHEL-06-000293", - "gid": "V-72817", - "rid": "SV-87461r1_rule", - "stig_id": "RHEL-06-000293", - "fix_id": "F-79233r1_fix", + "gtitle": "SRG-OS-000073", + "gid": "V-38619", + "rid": "SV-50420r2_rule", + "stig_id": "RHEL-06-000347", + "fix_id": "F-43569r2_fix", "cci": [ - "CCI-001443", - "CCI-001444", - "CCI-002418" + "CCI-000196" ], "nist": [ - "AC-18 (1)", - "AC-18 (1)", - "SC-8", + "IA-5 (1) (c)", "Rev_4" ], "false_negatives": null, 
@@ -784,35 +792,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "This is N/A for systems that do not have wireless network\nadapters.\n\nVerify that there are no wireless interfaces configured on the system:\n\n# ifconfig -a\n\n\neth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5\n inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0\n TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000\n RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB)\n Interrupt:17\n\nlo Link encap:Local Loopback\n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1/128 Scope:Host\n UP LOOPBACK RUNNING MTU:16436 Metric:1\n RX packets:2849 errors:0 dropped:0 overruns:0 frame:0\n TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:2778290 (2.6 MiB) TX bytes:2778290 (2.6 MiB)\n\n\nIf a wireless interface is configured, it must be documented and approved by\nthe local Authorizing Official.\n\nIf a wireless interface is configured and has not been documented and approved,\nthis is a finding.\n", - "fix": "Configure the system to disable all wireless network interfaces." + "check": "To check the system for the existence of any \".netrc\" files,\nrun the following command:\n\n$ sudo find /root /home -xdev -name .netrc\n\nIf any .netrc files exist, this is a finding.", + "fix": "The \".netrc\" files contain logon information used to auto-logon\ninto FTP servers and reside in the user's home directory. These files may\ncontain unencrypted passwords to remote FTP servers making them susceptible to\naccess by unauthorized users and should not be used. Any \".netrc\" files\nshould be removed." 
}, - "code": "control \"V-72817\" do\n title \"Wireless network adapters must be disabled.\"\n desc \"The use of wireless networking can introduce many different attack\nvectors into the organization's network. Common attack vectors such as\nmalicious association and ad hoc networks will allow an attacker to spoof a\nwireless access point (AP), allowing validated systems to connect to the\nmalicious AP and enabling the attacker to monitor and record network traffic.\nThese malicious APs can also serve to create a man-in-the-middle attack or be\nused to create a denial of service to valid network resources.\"\n impact 0.5\n tag \"gtitle\": \"RHEL-06-000293\"\n tag \"gid\": \"V-72817\"\n tag \"rid\": \"SV-87461r1_rule\"\n tag \"stig_id\": \"RHEL-06-000293\"\n tag \"fix_id\": \"F-79233r1_fix\"\n tag \"cci\": [\"CCI-001443\", \"CCI-001444\", \"CCI-002418\"]\n tag \"nist\": [\"AC-18 (1)\", \"AC-18 (1)\", \"SC-8\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"This is N/A for systems that do not have wireless network\nadapters.\n\nVerify that there are no wireless interfaces configured on the system:\n\n# ifconfig -a\n\n\neth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5\n inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0\n TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000\n RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB)\n Interrupt:17\n\nlo Link encap:Local Loopback\n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1/128 Scope:Host\n UP 
LOOPBACK RUNNING MTU:16436 Metric:1\n RX packets:2849 errors:0 dropped:0 overruns:0 frame:0\n TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:2778290 (2.6 MiB) TX bytes:2778290 (2.6 MiB)\n\n\nIf a wireless interface is configured, it must be documented and approved by\nthe local Authorizing Official.\n\nIf a wireless interface is configured and has not been documented and approved,\nthis is a finding.\n\"\n tag \"fix\": \"Configure the system to disable all wireless network interfaces.\"\n\n wlans = command('ls /sys/class/net').stdout.split.select { |e| e.start_with? 'wlan' }\n\n if wlans.empty?\n describe \"No wlan interfaces exist\" do\n subject { true }\n it { should eq true }\n end\n else\n wlans.each do |e|\n describe interface(e) do\n it { should_not be_up }\n end\n end\n end\nend\n", + "code": "control \"V-38619\" do\n title \"There must be no .netrc files on the system.\"\n desc \"Unencrypted passwords for remote FTP servers may be stored in\n\\\".netrc\\\" files. 
DoD policy requires passwords be encrypted in storage and not\nused in access scripts.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000073\"\n tag \"gid\": \"V-38619\"\n tag \"rid\": \"SV-50420r2_rule\"\n tag \"stig_id\": \"RHEL-06-000347\"\n tag \"fix_id\": \"F-43569r2_fix\"\n tag \"cci\": [\"CCI-000196\"]\n tag \"nist\": [\"IA-5 (1) (c)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the system for the existence of any \\\".netrc\\\" files,\nrun the following command:\n\n$ sudo find /root /home -xdev -name .netrc\n\nIf any .netrc files exist, this is a finding.\"\n tag \"fix\": \"The \\\".netrc\\\" files contain logon information used to auto-logon\ninto FTP servers and reside in the user's home directory. These files may\ncontain unencrypted passwords to remote FTP servers making them susceptible to\naccess by unauthorized users and should not be used. Any \\\".netrc\\\" files\nshould be removed.\"\n\n describe command('find /root /home -xdev -name .netrc') do\n its('stdout') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-72817.rb", + "ref": "./Red Hat 6 STIG/controls/V-38619.rb", "line": 1 }, - "id": "V-72817" + "id": "V-38619" }, { - "title": "The /etc/gshadow file must be group-owned by root.", - "desc": "The \"/etc/gshadow\" file contains group password hashes. Protection\nof this file is critical for system security.", + "title": "The operating system must employ cryptographic mechanisms to protect\ninformation in storage.", + "desc": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. 
Encrypting this\ndata mitigates the risk of its loss if the system is lost.", "descriptions": { - "default": "The \"/etc/gshadow\" file contains group password hashes. Protection\nof this file is critical for system security." + "default": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38448", - "rid": "SV-50248r1_rule", - "stig_id": "RHEL-06-000037", - "fix_id": "F-43393r1_fix", + "gtitle": "SRG-OS-000131", + "gid": "V-38659", + "rid": "SV-50460r2_rule", + "stig_id": "RHEL-06-000275", + "fix_id": "F-43609r3_fix", "cci": [ - "CCI-000366" + "CCI-001019" ], "nist": [ - "CM-6 b", + "MP-4 (1)", "Rev_4" ], "false_negatives": null, 
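Review bot: The new `code` for V-38619 in this hunk asserts only that `find /root /home -xdev -name .netrc` writes nothing to stdout, so a run that cannot read `/root` or another user's home directory (the `check` text runs the same command under `sudo`) exits non-zero with errors on stderr, an empty stdout, and the control passes silently. The describe block should also pin the exit status, `its('exit_status') { should eq 0 }`, or assert `its('stderr') { should be_empty }`, so an unreadable directory becomes a failure rather than a pass. The same check wording is repeated in `tags.check` and inside the `code` string, so a fix has to be carried into both copies. The enclosing control object starts in the preceding hunk.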
@@ -825,35 +833,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the group ownership of \"/etc/gshadow\", run the\ncommand:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following group-owner.\n\"root\"\nIf it does not, this is a finding.", - "fix": "To properly set the group owner of \"/etc/gshadow\", run the\ncommand:\n\n# chgrp root /etc/gshadow" + "check": "Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.", + "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \"Encrypt\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \"--encrypted\" and \"--passphrase=\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. 
Omitting the \"--passphrase=\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" }, - "code": "control \"V-38448\" do\n title \"The /etc/gshadow file must be group-owned by root.\"\n desc \"The \\\"/etc/gshadow\\\" file contains group password hashes. Protection\nof this file is critical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38448\"\n tag \"rid\": \"SV-50248r1_rule\"\n tag \"stig_id\": \"RHEL-06-000037\"\n tag \"fix_id\": \"F-43393r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/etc/gshadow\\\", run the\ncommand:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following group-owner.\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the group owner of \\\"/etc/gshadow\\\", run the\ncommand:\n\n# chgrp root /etc/gshadow\"\n\n describe file(\"/etc/gshadow\") do\n it { should exist }\n end\n describe file(\"/etc/gshadow\") do\n its(\"gid\") { should cmp 0 }\n end\nend\n", + "code": "control \"V-38659\" do\n title \"The operating system must employ cryptographic mechanisms to protect\ninformation in storage.\"\n desc \"The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at 
risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000131\"\n tag \"gid\": \"V-38659\"\n tag \"rid\": \"SV-50460r2_rule\"\n tag \"stig_id\": \"RHEL-06-000275\"\n tag \"fix_id\": \"F-43609r3_fix\"\n tag \"cci\": [\"CCI-001019\"]\n tag \"nist\": [\"MP-4 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.\"\n tag \"fix\": \"Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \\\"Encrypt\\\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \\\"--encrypted\\\" and \\\"--passphrase=\\\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. 
Omitting the \\\"--passphrase=\\\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38448.rb", + "ref": "./Red Hat 6 STIG/controls/V-38659.rb", "line": 1 }, - "id": "V-38448" + "id": "V-38659" }, { - "title": "The audit system must provide a warning when allocated audit record\nstorage volume reaches a documented percentage of maximum audit record storage\ncapacity.", - "desc": "Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption.", + "title": "System security patches and updates must be installed and up-to-date.", + "desc": "Installing software updates is a fundamental mitigation against the\nexploitation of publicly-known vulnerabilities.", "descriptions": { - "default": "Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption." + "default": "Installing software updates is a fundamental mitigation against the\nexploitation of publicly-known vulnerabilities." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000048", - "gid": "V-38678", - "rid": "SV-50479r2_rule", - "stig_id": "RHEL-06-000311", - "fix_id": "F-43627r2_fix", + "gtitle": "SRG-OS-000191", + "gid": "V-38481", + "rid": "SV-50281r1_rule", + "stig_id": "RHEL-06-000011", + "fix_id": "F-43426r1_fix", "cci": [ - "CCI-000143" + "CCI-001233" ], "nist": [ - "AU-5 (1)", + "SI-2 (2)", "Rev_4" ], "false_negatives": null, 
@@ -866,35 +874,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine whether the system is configured to email the administrator\nwhen disk space is starting to run low:\n\n# grep space_left /etc/audit/auditd.conf\n\nspace_left = [num_megabytes]\n\n\nIf the \"num_megabytes\" value does not correspond to a documented value for\nremaining audit partition capacity or if there is no locally documented value\nfor remaining audit partition capacity, this is a finding.", - "fix": "The \"auditd\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify\nthe following line, substituting [num_megabytes] appropriately:\n\nspace_left = [num_megabytes]\n\nThe \"num_megabytes\" value should be set to a fraction of the total audit\nstorage capacity available that will allow a system administrator to be\nnotified with enough time to respond to the situation causing the capacity\nissues. This value must also be documented locally." 
+ "check": "If the system is joined to the Red Hat Network, a Red Hat\nSatellite Server, or a yum server which provides updates, invoking the\nfollowing command will indicate if updates are available:\n\n# yum check-update\n\nIf the system is not configured to update from one of these sources, run the\nfollowing command to list when each package was last updated:\n\n$ rpm -qa -last\n\nCompare this to Red Hat Security Advisories (RHSA) listed at\nhttps://access.redhat.com/security/updates/active/ to determine whether the\nsystem is missing applicable security and bugfix updates.\nIf updates are not installed, this is a finding.", + "fix": "If the system is joined to the Red Hat Network, a Red Hat\nSatellite Server, or a yum server, run the following command to install\nupdates:\n\n# yum update\n\nIf the system is not configured to use one of these sources, updates (in the\nform of RPM packages) can be manually downloaded from the Red Hat Network and\ninstalled using \"rpm\"." }, - "code": "control \"V-38678\" do\n title \"The audit system must provide a warning when allocated audit record\nstorage volume reaches a documented percentage of maximum audit record storage\ncapacity.\"\n desc \"Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000048\"\n tag \"gid\": \"V-38678\"\n tag \"rid\": \"SV-50479r2_rule\"\n tag \"stig_id\": \"RHEL-06-000311\"\n tag \"fix_id\": \"F-43627r2_fix\"\n tag \"cci\": [\"CCI-000143\"]\n tag \"nist\": [\"AU-5 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the 
following\nline to determine whether the system is configured to email the administrator\nwhen disk space is starting to run low:\n\n# grep space_left /etc/audit/auditd.conf\n\nspace_left = [num_megabytes]\n\n\nIf the \\\"num_megabytes\\\" value does not correspond to a documented value for\nremaining audit partition capacity or if there is no locally documented value\nfor remaining audit partition capacity, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \\\"/etc/audit/auditd.conf\\\". Modify\nthe following line, substituting [num_megabytes] appropriately:\n\nspace_left = [num_megabytes]\n\nThe \\\"num_megabytes\\\" value should be set to a fraction of the total audit\nstorage capacity available that will allow a system administrator to be\nnotified with enough time to respond to the situation causing the capacity\nissues. This value must also be documented locally.\"\n\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('space_left') { should cmp input('auditd_space_left') }\n end\nend\n", + "code": "control \"V-38481\" do\n title \"System security patches and updates must be installed and up-to-date.\"\n desc \"Installing software updates is a fundamental mitigation against the\nexploitation of publicly-known vulnerabilities.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000191\"\n tag \"gid\": \"V-38481\"\n tag \"rid\": \"SV-50281r1_rule\"\n tag \"stig_id\": \"RHEL-06-000011\"\n tag \"fix_id\": \"F-43426r1_fix\"\n tag \"cci\": [\"CCI-001233\"]\n tag \"nist\": [\"SI-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is joined to the Red 
Hat Network, a Red Hat\nSatellite Server, or a yum server which provides updates, invoking the\nfollowing command will indicate if updates are available:\n\n# yum check-update\n\nIf the system is not configured to update from one of these sources, run the\nfollowing command to list when each package was last updated:\n\n$ rpm -qa -last\n\nCompare this to Red Hat Security Advisories (RHSA) listed at\nhttps://access.redhat.com/security/updates/active/ to determine whether the\nsystem is missing applicable security and bugfix updates.\nIf updates are not installed, this is a finding.\"\n tag \"fix\": \"If the system is joined to the Red Hat Network, a Red Hat\nSatellite Server, or a yum server, run the following command to install\nupdates:\n\n# yum update\n\nIf the system is not configured to use one of these sources, updates (in the\nform of RPM packages) can be manually downloaded from the Red Hat Network and\ninstalled using \\\"rpm\\\".\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38678.rb", + "ref": "./Red Hat 6 STIG/controls/V-38481.rb", "line": 1 }, - "id": "V-38678" + "id": "V-38481" }, { - "title": "The root account must be the only account having a UID of 0.", - "desc": "An account has root authority if it has a UID of 0. Multiple accounts\nwith a UID of 0 afford more opportunity for potential intruders to guess a\npassword for a privileged account. Proper configuration of sudo is recommended\nto afford multiple system administrators access to root privileges in an\naccountable manner.", + "title": "The ypbind service must not be running.", + "desc": "Disabling the \"ypbind\" service ensures the system is not acting as a\nclient in a NIS or NIS+ domain.", "descriptions": { - "default": "An account has root authority if it has a UID of 0. 
Multiple accounts\nwith a UID of 0 afford more opportunity for potential intruders to guess a\npassword for a privileged account. Proper configuration of sudo is recommended\nto afford multiple system administrators access to root privileges in an\naccountable manner." + "default": "Disabling the \"ypbind\" service ensures the system is not acting as a\nclient in a NIS or NIS+ domain." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38500", - "rid": "SV-50301r2_rule", - "stig_id": "RHEL-06-000032", - "fix_id": "F-43447r1_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38604", + "rid": "SV-50405r2_rule", + "stig_id": "RHEL-06-000221", + "fix_id": "F-43552r2_fix", "cci": [ - "CCI-000366" + "CCI-000382" ], "nist": [ - "CM-6 b", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
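Review bot: The new `code` for V-38481 reduces the control to a manual skip even though its own `check` text names an automatable test, `yum check-update`, which exits 0 when nothing is pending and 100 when updates are available. A block such as `describe command('yum check-update') do its('exit_status') { should eq 0 } end` would produce a real finding on hosts that reach a repository; a host with no configured or reachable source returns exit status 1, so that case presumably still needs the manual skip (or a documented input) instead of a hard failure. The control object begins in the preceding hunk.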
@@ -907,35 +915,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To list all password file entries for accounts with UID 0, run\nthe following command:\n\n# awk -F: '($3 == 0) {print}' /etc/passwd\n\nThis should print only one line, for the user root.\nIf any account other than root has a UID of 0, this is a finding.", - "fix": "If any account other than root has a UID of 0, this\nmisconfiguration should be investigated and the accounts other than root should\nbe removed or have their UID changed." + "check": "To check that the \"ypbind\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"ypbind\" --list\n\nOutput should indicate the \"ypbind\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"ypbind\" --list\n\"ypbind\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"ypbind\" is disabled through current\nruntime configuration:\n\n# service ypbind status\n\nIf the service is disabled the command will return the following output:\n\nypbind is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The \"ypbind\" service, which allows the system to act as a\nclient in a NIS or NIS+ domain, should be disabled. The \"ypbind\" service can\nbe disabled with the following commands:\n\n# chkconfig ypbind off\n# service ypbind stop" }, - "code": "control \"V-38500\" do\n title \"The root account must be the only account having a UID of 0.\"\n desc \"An account has root authority if it has a UID of 0. Multiple accounts\nwith a UID of 0 afford more opportunity for potential intruders to guess a\npassword for a privileged account. 
Proper configuration of sudo is recommended\nto afford multiple system administrators access to root privileges in an\naccountable manner.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38500\"\n tag \"rid\": \"SV-50301r2_rule\"\n tag \"stig_id\": \"RHEL-06-000032\"\n tag \"fix_id\": \"F-43447r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To list all password file entries for accounts with UID 0, run\nthe following command:\n\n# awk -F: '($3 == 0) {print}' /etc/passwd\n\nThis should print only one line, for the user root.\nIf any account other than root has a UID of 0, this is a finding.\"\n tag \"fix\": \"If any account other than root has a UID of 0, this\nmisconfiguration should be investigated and the accounts other than root should\nbe removed or have their UID changed.\"\n\n describe file(\"/etc/passwd\") do\n its(\"content\") { should_not match(/^(?!root:)[^:]*:[^:]:0/) }\n end\nend\n", + "code": "control \"V-38604\" do\n title \"The ypbind service must not be running.\"\n desc \"Disabling the \\\"ypbind\\\" service ensures the system is not acting as a\nclient in a NIS or NIS+ domain.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38604\"\n tag \"rid\": \"SV-50405r2_rule\"\n tag \"stig_id\": \"RHEL-06-000221\"\n tag \"fix_id\": \"F-43552r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n 
tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"ypbind\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"ypbind\\\" --list\n\nOutput should indicate the \\\"ypbind\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"ypbind\\\" --list\n\\\"ypbind\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"ypbind\\\" is disabled through current\nruntime configuration:\n\n# service ypbind status\n\nIf the service is disabled the command will return the following output:\n\nypbind is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"ypbind\\\" service, which allows the system to act as a\nclient in a NIS or NIS+ domain, should be disabled. The \\\"ypbind\\\" service can\nbe disabled with the following commands:\n\n# chkconfig ypbind off\n# service ypbind stop\"\n\n describe.one do\n describe package(\"ypbind\") do\n it { should_not be_installed }\n end\n describe service(\"ypbind\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38500.rb", + "ref": "./Red Hat 6 STIG/controls/V-38604.rb", "line": 1 }, - "id": "V-38500" + "id": "V-38604" }, { - "title": "The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (login.defs).", - "desc": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.", + "title": "The operating 
system must detect unauthorized changes to software and\ninformation. ", + "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", "descriptions": { - "default": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult." + "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000120", - "gid": "V-38576", - "rid": "SV-50377r1_rule", - "stig_id": "RHEL-06-000063", - "fix_id": "F-43524r1_fix", + "gtitle": "SRG-OS-000202", + "gid": "V-38670", + "rid": "SV-50471r2_rule", + "stig_id": "RHEL-06-000306", + "fix_id": "F-43619r1_fix", "cci": [ - "CCI-000803" + "CCI-001297" ], "nist": [ - "IA-7", + "SI-7", "Rev_4" ], "false_negatives": null, 
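Review bot: The new V-38604 body asserts the inverse of the control: the `describe service("ypbind")` branch expects `should be_enabled` for runlevels 0–6, so an installed-but-disabled ypbind (the compliant state) fails and an enabled one passes, and the `describe.one` only rescues this when the package is absent. Since this entry records `./Red Hat 6 STIG/controls/V-38604.rb` as its `source_location`, the fix belongs in that control with the JSON regenerated afterward: change each of the seven runlevel expectations to `should_not be_enabled`, and add `it { should_not be_running }` so the runtime state the check text requires (`service ypbind status` reporting stopped) is covered as well. The `runlevels(?-mix:0)` strings also look like a Ruby regex `/0/` rendered via `to_s` by the export tooling; worth confirming InSpec's `its` parser actually resolves them rather than erroring.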
@@ -948,35 +956,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/login.defs\" and ensure the following line\nappears:\n\nENCRYPT_METHOD SHA512\n\n\nIf it does not, this is a finding.", - "fix": "In \"/etc/login.defs\", add or correct the following line to\nensure the system will use SHA-512 as the hashing algorithm:\n\nENCRYPT_METHOD SHA512" + "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", + "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." }, - "code": "control \"V-38576\" do\n title \"The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (login.defs).\"\n desc \"Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000120\"\n tag \"gid\": \"V-38576\"\n tag \"rid\": \"SV-50377r1_rule\"\n tag \"stig_id\": \"RHEL-06-000063\"\n tag \"fix_id\": \"F-43524r1_fix\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/login.defs\\\" and ensure the following line\nappears:\n\nENCRYPT_METHOD SHA512\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"In \\\"/etc/login.defs\\\", add or correct the following line to\nensure 
the system will use SHA-512 as the hashing algorithm:\n\nENCRYPT_METHOD SHA512\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^[\\s]*ENCRYPT_METHOD[\\s]+SHA512[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38670\" do\n title \"The operating system must detect unauthorized changes to software and\ninformation. \"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000202\"\n tag \"gid\": \"V-38670\"\n tag \"rid\": \"SV-50471r2_rule\"\n tag \"stig_id\": \"RHEL-06-000306\"\n tag \"fix_id\": \"F-43619r1_fix\"\n tag \"cci\": [\"CCI-001297\"]\n tag \"nist\": [\"SI-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38576.rb", + "ref": "./Red Hat 6 STIG/controls/V-38670.rb", "line": 1 }, - "id": "V-38576" + "id": "V-38670" }, { - "title": "The graphical desktop environment must set the idle timeout to no more\nthan 15 minutes.", - 
"desc": "Setting the idle delay controls when the screensaver will start, and\ncan be combined with screen locking to prevent access from passersby.", + "title": "The system must use SMB client signing for connecting to samba servers\nusing smbclient.", + "desc": "Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit.", "descriptions": { - "default": "Setting the idle delay controls when the screensaver will start, and\ncan be combined with screen locking to prevent access from passersby." + "default": "Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000029", - "gid": "V-38629", - "rid": "SV-50430r3_rule", - "stig_id": "RHEL-06-000257", - "fix_id": "F-43578r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38656", + "rid": "SV-50457r1_rule", + "stig_id": "RHEL-06-000272", + "fix_id": "F-43606r1_fix", "cci": [ - "CCI-000057" + "CCI-000366" ], "nist": [ - "AC-11 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
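Review bot: The V-38670 test passes on a commented-out cron entry: `grep aide /etc/crontab /etc/cron.*/*` returns any line containing the substring, so `#05 4 * * * root /usr/sbin/aide --check` or a stray mention of aide in a comment satisfies `should_not be_empty` while no integrity check ever runs. The manual check text shares that weakness, but the automated test can do better with a one-line change, `describe command("grep -Eh '^[^#]*aide' /etc/crontab /etc/cron.*/*")`, which rejects lines whose first non-blank character is `#`. Make the change in `./Red Hat 6 STIG/controls/V-38670.rb` (the `source_location` this entry records) and regenerate this JSON rather than editing the export by hand.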
@@ -989,35 +997,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo check the current idle time-out value, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/idle_delay\n\nIf properly configured, the output should be \"15\".\n\nIf it is not, this is a finding.", - "fix": "Run the following command to set the idle time-out value for\ninactivity in the GNOME desktop to 15 minutes:\n\n# gconftool-2 \\\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type int \\\n--set /apps/gnome-screensaver/idle_delay 15" + "check": "To verify that Samba clients running smbclient must use packet\nsigning, run the following command:\n\n# grep signing /etc/samba/smb.conf\n\nThe output should show:\n\nclient signing = mandatory\n\n\nIf it is not, this is a finding.", + "fix": "To require samba clients running \"smbclient\" to use packet\nsigning, add the following to the \"[global]\" section of the Samba\nconfiguration file in \"/etc/samba/smb.conf\":\n\nclient signing = mandatory\n\nRequiring samba clients such as \"smbclient\" to use packet signing ensures\nthey can only communicate with servers that support packet signing." 
}, - "code": "control \"V-38629\" do\n title \"The graphical desktop environment must set the idle timeout to no more\nthan 15 minutes.\"\n desc \"Setting the idle delay controls when the screensaver will start, and\ncan be combined with screen locking to prevent access from passersby.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000029\"\n tag \"gid\": \"V-38629\"\n tag \"rid\": \"SV-50430r3_rule\"\n tag \"stig_id\": \"RHEL-06-000257\"\n tag \"fix_id\": \"F-43578r1_fix\"\n tag \"cci\": [\"CCI-000057\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo check the current idle time-out value, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/idle_delay\n\nIf properly configured, the output should be \\\"15\\\".\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"Run the following command to set the idle time-out value for\ninactivity in the GNOME desktop to 15 minutes:\n\n# gconftool-2 \\\\\n--direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type int \\\\\n--set /apps/gnome-screensaver/idle_delay 15\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay\") do\n its('stdout.strip') { should cmp <= 15 }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-38656\" do\n title \"The system must 
use SMB client signing for connecting to samba servers\nusing smbclient.\"\n desc \"Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38656\"\n tag \"rid\": \"SV-50457r1_rule\"\n tag \"stig_id\": \"RHEL-06-000272\"\n tag \"fix_id\": \"F-43606r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that Samba clients running smbclient must use packet\nsigning, run the following command:\n\n# grep signing /etc/samba/smb.conf\n\nThe output should show:\n\nclient signing = mandatory\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"To require samba clients running \\\"smbclient\\\" to use packet\nsigning, add the following to the \\\"[global]\\\" section of the Samba\nconfiguration file in \\\"/etc/samba/smb.conf\\\":\n\nclient signing = mandatory\n\nRequiring samba clients such as \\\"smbclient\\\" to use packet signing ensures\nthey can only communicate with servers that support packet signing.\"\n\n describe.one do\n describe package(\"samba-common\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/samba/smb.conf\") do\n its(\"content\") { should match(/^[\\s]*client[\\s]+signing[\\s]*=[\\s]*mandatory/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38629.rb", + "ref": "./Red Hat 6 STIG/controls/V-38656.rb", "line": 1 }, - "id": "V-38629" + "id": "V-38656" }, { - "title": "The atd service must be disabled.", - "desc": "The \"atd\" service could be used by an unsophisticated insider to\ncarry out activities outside of a normal login 
session, which could complicate\naccountability. Furthermore, the need to schedule tasks with \"at\" or\n\"batch\" is not common.", + "title": "The system boot loader must require authentication.", + "desc": "Password protection on the boot loader configuration ensures users\nwith physical access cannot trivially alter important bootloader settings.\nThese include which kernel to use, and whether to enter single-user mode.", "descriptions": { - "default": "The \"atd\" service could be used by an unsophisticated insider to\ncarry out activities outside of a normal login session, which could complicate\naccountability. Furthermore, the need to schedule tasks with \"at\" or\n\"batch\" is not common." + "default": "Password protection on the boot loader configuration ensures users\nwith physical access cannot trivially alter important bootloader settings.\nThese include which kernel to use, and whether to enter single-user mode." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38641", - "rid": "SV-50442r3_rule", - "stig_id": "RHEL-06-000262", - "fix_id": "F-43590r2_fix", + "gtitle": "SRG-OS-000080", + "gid": "V-38585", + "rid": "SV-50386r4_rule", + "stig_id": "RHEL-06-000068", + "fix_id": "F-43533r3_fix", "cci": [ - "CCI-000382" + "CCI-000213" ], "nist": [ - "CM-7 b", + "AC-3", "Rev_4" ], "false_negatives": null, 
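Review bot: The V-38656 regex `/^[\s]*client[\s]+signing[\s]*=[\s]*mandatory/` is unanchored at the value end and case-sensitive, so it accepts any value that merely begins with `mandatory` and, if I recall Samba's parameter parsing correctly, misses spellings Samba itself accepts (parameter names are matched case-insensitively and internal whitespace is ignored) — confirm against the deployed Samba version. It also treats the directive anywhere in `smb.conf` as compliant although the fix text places it in `[global]`. A tighter one-line expectation is `its("content") { should match(/^\s*client\s*signing\s*=\s*mandatory\s*$/i) }`; verifying the section would need an INI-style parse of the file instead of a whole-file regex. Apply this in `./Red Hat 6 STIG/controls/V-38656.rb` and regenerate rather than patching the exported JSON.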
@@ -1030,35 +1038,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system requires the use of the \"atd\" service to\nsupport an organizational requirement, this is not applicable.\n\nTo check that the \"atd\" service is disabled in system boot configuration, run\nthe following command:\n\n# chkconfig \"atd\" --list\n\nOutput should indicate the \"atd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"atd\" --list\n\"atd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"atd\" is disabled through current runtime\nconfiguration:\n\n# service atd status\n\nIf the service is disabled the command will return the following output:\n\natd is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The \"at\" and \"batch\" commands can be used to schedule tasks\nthat are meant to be executed only once. This allows delayed execution in a\nmanner similar to cron, except that it is not recurring. The daemon \"atd\"\nkeeps track of tasks scheduled via \"at\" and \"batch\", and executes them at\nthe specified time. The \"atd\" service can be disabled with the following\ncommands:\n\n# chkconfig atd off\n# service atd stop" + "check": "To verify the boot loader password has been set and encrypted,\nrun the following command:\n\n# grep password /boot/grub/grub.conf\n\nThe output should show the following:\n\npassword --encrypted $6$[rest-of-the-password-hash]\n\nIf it does not, this is a finding.\n\nIf the system uses UEFI verify the boot loader password has been set and\nencrypted:\n\n# grep password /boot/efi/EFI/redhat/grub.conf", + "fix": "The grub boot loader should have password protection enabled to\nprotect boot-time settings. 
To do so, select a password and then generate a\nhash from it by running the following command:\n\n# grub-crypt --sha-512\n\nWhen prompted to enter a password, insert the following line into\n\"/boot/grub/grub.conf\" or \"/boot/efi/EFI/redhat/grub.conf\" immediately after\nthe header comments. (Use the output from \"grub-crypt\" as the value of\n[password-hash]):\n\npassword --encrypted [password-hash]" }, - "code": "control \"V-38641\" do\n title \"The atd service must be disabled.\"\n desc \"The \\\"atd\\\" service could be used by an unsophisticated insider to\ncarry out activities outside of a normal login session, which could complicate\naccountability. Furthermore, the need to schedule tasks with \\\"at\\\" or\n\\\"batch\\\" is not common.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38641\"\n tag \"rid\": \"SV-50442r3_rule\"\n tag \"stig_id\": \"RHEL-06-000262\"\n tag \"fix_id\": \"F-43590r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system requires the use of the \\\"atd\\\" service to\nsupport an organizational requirement, this is not applicable.\n\nTo check that the \\\"atd\\\" service is disabled in system boot configuration, run\nthe following command:\n\n# chkconfig \\\"atd\\\" --list\n\nOutput should indicate the \\\"atd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"atd\\\" --list\n\\\"atd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"atd\\\" is disabled through current runtime\nconfiguration:\n\n# service atd status\n\nIf 
the service is disabled the command will return the following output:\n\natd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"at\\\" and \\\"batch\\\" commands can be used to schedule tasks\nthat are meant to be executed only once. This allows delayed execution in a\nmanner similar to cron, except that it is not recurring. The daemon \\\"atd\\\"\nkeeps track of tasks scheduled via \\\"at\\\" and \\\"batch\\\", and executes them at\nthe specified time. The \\\"atd\\\" service can be disabled with the following\ncommands:\n\n# chkconfig atd off\n# service atd stop\"\n\n describe.one do\n describe package(\"at\") do\n it { should_not be_installed }\n end\n describe service(\"atd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38585\" do\n title \"The system boot loader must require authentication.\"\n desc \"Password protection on the boot loader configuration ensures users\nwith physical access cannot trivially alter important bootloader settings.\nThese include which kernel to use, and whether to enter single-user mode.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000080\"\n tag \"gid\": \"V-38585\"\n tag \"rid\": \"SV-50386r4_rule\"\n tag \"stig_id\": \"RHEL-06-000068\"\n tag \"fix_id\": \"F-43533r3_fix\"\n tag \"cci\": [\"CCI-000213\"]\n tag \"nist\": [\"AC-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag 
\"ia_controls\": nil\n tag \"check\": \"To verify the boot loader password has been set and encrypted,\nrun the following command:\n\n# grep password /boot/grub/grub.conf\n\nThe output should show the following:\n\npassword --encrypted $6$[rest-of-the-password-hash]\n\nIf it does not, this is a finding.\n\nIf the system uses UEFI verify the boot loader password has been set and\nencrypted:\n\n# grep password /boot/efi/EFI/redhat/grub.conf\"\n tag \"fix\": \"The grub boot loader should have password protection enabled to\nprotect boot-time settings. To do so, select a password and then generate a\nhash from it by running the following command:\n\n# grub-crypt --sha-512\n\nWhen prompted to enter a password, insert the following line into\n\\\"/boot/grub/grub.conf\\\" or \\\"/boot/efi/EFI/redhat/grub.conf\\\" immediately after\nthe header comments. (Use the output from \\\"grub-crypt\\\" as the value of\n[password-hash]):\n\npassword --encrypted [password-hash]\"\n\n describe.one do\n describe file(\"/boot/grub/grub.conf\") do\n its(\"content\") { should match(/^\\s*password\\s+--encrypted\\s+.*/) }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n its(\"content\") { should match(/^\\s*password\\s+--encrypted\\s+.*/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38641.rb", + "ref": "./Red Hat 6 STIG/controls/V-38585.rb", "line": 1 }, - "id": "V-38641" + "id": "V-38585" }, { - "title": "Audit log files must be owned by root.", - "desc": "If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed.", + "title": "The system must use a separate file system for /var.", + "desc": "Ensuring that \"/var\" is mounted on its own partition enables the\nsetting of more restrictive mount options. This helps protect system services\nsuch as daemons or other programs which use it. 
It is not uncommon for the\n\"/var\" directory to contain world-writable directories, installed by other\nsoftware packages.", "descriptions": { - "default": "If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed." + "default": "Ensuring that \"/var\" is mounted on its own partition enables the\nsetting of more restrictive mount options. This helps protect system services\nsuch as daemons or other programs which use it. It is not uncommon for the\n\"/var\" directory to contain world-writable directories, installed by other\nsoftware packages." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000057", - "gid": "V-38495", - "rid": "SV-50296r1_rule", - "stig_id": "RHEL-06-000384", - "fix_id": "F-43443r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38456", + "rid": "SV-50256r1_rule", + "stig_id": "RHEL-06-000002", + "fix_id": "F-43401r2_fix", "cci": [ - "CCI-000162" + "CCI-000366" ], "nist": [ - "AU-9", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
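Review bot: The V-38585 expectation `should match(/^\s*password\s+--encrypted\s+.*/)` accepts any text after `--encrypted`, while the check text requires a SHA-512 hash (`password --encrypted $6$...`); a legacy MD5-crypt `$1$` value or a truncated hash would pass the automated test but fail the manual check. Tightening both `describe file` branches to `should match(/^\s*password\s+--encrypted\s+\$6\$\S+/)` lines the test up with the STIG wording. The `describe.one` over `/boot/grub/grub.conf` and `/boot/efi/EFI/redhat/grub.conf` is fine as written: when neither file exists both branches fail and the control reports a finding. Make the change in `./Red Hat 6 STIG/controls/V-38585.rb` and regenerate this JSON.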
@@ -1071,30 +1079,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to check the owner of the system\naudit logs:\n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %U:%n\n\nAudit logs must be owned by root.\nIf they are not, this is a finding.", - "fix": "Change the owner of the audit log files with the following\ncommand:\n\n# chown root [audit_file]" + "check": "Run the following command to determine if \"/var\" is on its\nown partition or logical volume:\n\n$ mount | grep \"on /var \"\n\nIf \"/var\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.", + "fix": "The \"/var\" directory is used by daemons and other system\nservices to store frequently-changing data. Ensure that \"/var\" has its own\npartition or logical volume at installation time, or migrate it using LVM." }, - "code": "control \"V-38495\" do\n title \"Audit log files must be owned by root.\"\n desc \"If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000057\"\n tag \"gid\": \"V-38495\"\n tag \"rid\": \"SV-50296r1_rule\"\n tag \"stig_id\": \"RHEL-06-000384\"\n tag \"fix_id\": \"F-43443r1_fix\"\n tag \"cci\": [\"CCI-000162\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check the owner of the system\naudit logs:\n\ngrep \\\"^log_file\\\" /etc/audit/auditd.conf|sed s/^[^\\\\/]*//|xargs stat -c %U:%n\n\nAudit logs must be owned by root.\nIf they are not, this is a finding.\"\n tag \"fix\": \"Change the owner of the 
audit log files with the following\ncommand:\n\n# chown root [audit_file]\"\n\n describe command(\"find /var/log/audit -regex .\\\\*/\\\\^.\\\\*\\\\$ -user 0\") do\n its(\"stdout\") { should_not be_empty }\n end\n describe command(\"find /var/log/audit -type d -user 0\") do\n its(\"stdout\") { should_not be_empty }\n end\nend\n", + "code": "control \"V-38456\" do\n title \"The system must use a separate file system for /var.\"\n desc \"Ensuring that \\\"/var\\\" is mounted on its own partition enables the\nsetting of more restrictive mount options. This helps protect system services\nsuch as daemons or other programs which use it. It is not uncommon for the\n\\\"/var\\\" directory to contain world-writable directories, installed by other\nsoftware packages.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38456\"\n tag \"rid\": \"SV-50256r1_rule\"\n tag \"stig_id\": \"RHEL-06-000002\"\n tag \"fix_id\": \"F-43401r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/var\\\" is on its\nown partition or logical volume:\n\n$ mount | grep \\\"on /var \\\"\n\nIf \\\"/var\\\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The \\\"/var\\\" directory is used by daemons and other system\nservices to store frequently-changing data. 
Ensure that \\\"/var\\\" has its own\npartition or logical volume at installation time, or migrate it using LVM.\"\n\n describe mount(\"/var\") do\n it { should be_mounted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38495.rb", + "ref": "./Red Hat 6 STIG/controls/V-38456.rb", "line": 1 }, - "id": "V-38495" + "id": "V-38456" }, { - "title": "The /etc/group file must have mode 0644 or less permissive.", - "desc": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity.", + "title": "The system package management tool must verify permissions on all\nfiles and directories associated with packages.", + "desc": "Permissions on system binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.", "descriptions": { - "default": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity." + "default": "Permissions on system binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38461", - "rid": "SV-50261r1_rule", - "stig_id": "RHEL-06-000044", - "fix_id": "F-43406r1_fix", + "gid": "V-38452", + "rid": "SV-50252r2_rule", + "stig_id": "RHEL-06-000518", + "fix_id": "F-43398r1_fix", "cci": [ "CCI-000366" ], 
@@ -1112,30 +1120,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the permissions of \"/etc/group\", run the command:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following permissions:\n\"-rw-r--r--\"\nIf it does not, this is a finding.", - "fix": "To properly set the permissions of \"/etc/group\", run the\ncommand:\n\n# chmod 644 /etc/group" + "check": "The following command will list which files and directories on\nthe system have permissions different from what is expected by the RPM\ndatabase:\n\n# rpm -Va | grep '^.M'\n\nIf there is any output, for each file or directory found, find the associated\nRPM package and compare the RPM-expected permissions with the actual\npermissions on the file or directory:\n\n# rpm -qf [file or directory name]\n# rpm -q --queryformat \"[%{FILENAMES} %{FILEMODES:perms}]\" [package] | grep [filename]\n# ls -dlL [filename]\n\nIf the existing permissions are more permissive than those expected by RPM,\nthis is a finding.", + "fix": "The RPM package management system can restore file access\npermissions of package files and directories. The following command will update\npermissions on files and directories with permissions different from what is\nexpected by the RPM database:\n\n# rpm --setperms [package]" }, - "code": "control \"V-38461\" do\n title \"The /etc/group file must have mode 0644 or less permissive.\"\n desc \"The \\\"/etc/group\\\" file contains information regarding groups that are\nconfigured on the system. 
Protection of this file is important for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38461\"\n tag \"rid\": \"SV-50261r1_rule\"\n tag \"stig_id\": \"RHEL-06-000044\"\n tag \"fix_id\": \"F-43406r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/etc/group\\\", run the command:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following permissions:\n\\\"-rw-r--r--\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the permissions of \\\"/etc/group\\\", run the\ncommand:\n\n# chmod 644 /etc/group\"\n\n describe file(\"/etc/group\") do\n it { should exist }\n end\n describe file(\"/etc/group\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/etc/group\") do\n it { should be_readable.by \"group\" }\n end\n describe file(\"/etc/group\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/etc/group\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/etc/group\") do\n it { should be_readable.by \"other\" }\n end\n describe file(\"/etc/group\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/etc/group\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/etc/group\") do\n it { should be_readable.by \"owner\" }\n end\n describe file(\"/etc/group\") do\n it { should be_writable.by \"owner\" }\n end\nend\n", + "code": "control \"V-38452\" do\n title \"The system package management tool must verify permissions on all\nfiles and directories associated with 
packages.\"\n desc \"Permissions on system binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38452\"\n tag \"rid\": \"SV-50252r2_rule\"\n tag \"stig_id\": \"RHEL-06-000518\"\n tag \"fix_id\": \"F-43398r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which files and directories on\nthe system have permissions different from what is expected by the RPM\ndatabase:\n\n# rpm -Va | grep '^.M'\n\nIf there is any output, for each file or directory found, find the associated\nRPM package and compare the RPM-expected permissions with the actual\npermissions on the file or directory:\n\n# rpm -qf [file or directory name]\n# rpm -q --queryformat \\\"[%{FILENAMES} %{FILEMODES:perms}\\\n]\\\" [package] | grep [filename]\n# ls -dlL [filename]\n\nIf the existing permissions are more permissive than those expected by RPM,\nthis is a finding.\"\n tag \"fix\": \"The RPM package management system can restore file access\npermissions of package files and directories. 
The following command will update\npermissions on files and directories with permissions different from what is\nexpected by the RPM database:\n\n# rpm --setperms [package]\"\n\n describe command(\"rpm -Va | grep '^.M'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38461.rb", + "ref": "./Red Hat 6 STIG/controls/V-38452.rb", "line": 1 }, - "id": "V-38461" + "id": "V-38452" }, { - "title": "IP forwarding for IPv4 must not be enabled, unless the system is a\nrouter.", - "desc": "IP forwarding permits the kernel to forward packets from one network\ninterface to another. The ability to forward packets between two networks is\nonly appropriate for systems acting as routers.", + "title": "The system must use a reverse-path filter for IPv4 network traffic\nwhen possible on all interfaces.", + "desc": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.", "descriptions": { - "default": "IP forwarding permits the kernel to forward packets from one network\ninterface to another. The ability to forward packets between two networks is\nonly appropriate for systems acting as routers." + "default": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-999999",
- "gid": "V-38511",
- "rid": "SV-50312r2_rule",
- "stig_id": "RHEL-06-000082",
- "fix_id": "F-43458r2_fix",
+ "gid": "V-38542",
+ "rid": "SV-50343r2_rule",
+ "stig_id": "RHEL-06-000096",
+ "fix_id": "F-43490r1_fix",
 "cci": [
 "CCI-000366"
 ],
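Review bot: The new V-38452 assertion `its('stdout.strip') { should be_empty }` over `rpm -Va | grep '^.M'` fails on any mode deviation, including files whose permissions are tighter than the RPM database records, while the check text only treats permissions that are more permissive than expected as a finding, so hardened hosts will produce false findings; a comment in the control such as `# NOTE: flags every mode mismatch, including more restrictive ones; confirm direction before reporting` would at least make this visible. A failure of rpm itself also leaves stdout empty and therefore passes; inspecting stderr or the command's exit status would make the control fail closed, though the command resource's behaviour on error is not shown here. Separately, every `source_location.ref` on the new side of this and the following hunks points to `./Red Hat 6 STIG/controls/` and the checks rely on rpm and sysctl.conf, while the file is the canonical-ubuntu-16.04 baseline; the old side had the same references, so this may be intentional, but it is worth confirming these controls belong in this profile.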
@@ -1153,35 +1161,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.ip_forward\" kernel parameter can\nbe queried by running the following command:\n\n$ sysctl net.ipv4.ip_forward\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.ip_forward /etc/sysctl.conf\n\nThe ability to forward packets is only appropriate for routers. If the correct\nvalue is not returned, this is a finding. ", - "fix": "To set the runtime status of the \"net.ipv4.ip_forward\" kernel\nparameter, run the following command:\n\n# sysctl -w net.ipv4.ip_forward=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.ip_forward = 0" + "check": "The status of the \"net.ipv4.conf.all.rp_filter\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.rp_filter\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", + "fix": "To set the runtime status of the \"net.ipv4.conf.all.rp_filter\"\nkernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.rp_filter=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.rp_filter = 1" }, - "code": "control \"V-38511\" do\n title \"IP forwarding for IPv4 must not be enabled, unless the system is a\nrouter.\"\n desc \"IP forwarding permits the kernel to forward packets from one network\ninterface to another. 
The ability to forward packets between two networks is\nonly appropriate for systems acting as routers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38511\"\n tag \"rid\": \"SV-50312r2_rule\"\n tag \"stig_id\": \"RHEL-06-000082\"\n tag \"fix_id\": \"F-43458r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.ip_forward\\\" kernel parameter can\nbe queried by running the following command:\n\n$ sysctl net.ipv4.ip_forward\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.ip_forward /etc/sysctl.conf\n\nThe ability to forward packets is only appropriate for routers. If the correct\nvalue is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the \\\"net.ipv4.ip_forward\\\" kernel\nparameter, run the following command:\n\n# sysctl -w net.ipv4.ip_forward=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.ip_forward = 0\"\n\n describe kernel_parameter(\"net.ipv4.ip_forward\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.ip_forward\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.ip_forward[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38542\" do\n title \"The system must use a reverse-path filter for IPv4 network traffic\nwhen possible on all interfaces.\"\n desc \"Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38542\"\n tag \"rid\": \"SV-50343r2_rule\"\n tag \"stig_id\": \"RHEL-06-000096\"\n tag \"fix_id\": \"F-43490r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.rp_filter\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.rp_filter\n\nThe output of the command should indicate a value of \\\"1\\\". 
If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. \"\n tag \"fix\": \"To set the runtime status of the \\\"net.ipv4.conf.all.rp_filter\\\"\nkernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.rp_filter=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.rp_filter = 1\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.rp_filter\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.rp_filter\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.rp_filter[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38511.rb", + "ref": "./Red Hat 6 STIG/controls/V-38542.rb", "line": 1 }, - "id": "V-38511" + "id": "V-38542" }, { - "title": "The system must use a separate file system for user home directories.", - "desc": "Ensuring that \"/home\" is mounted on its own partition enables the\nsetting of more restrictive mount options, and also helps ensure that users\ncannot trivially fill partitions used for log or audit data storage.", + "title": "The audit system must be configured to audit all use of setuid and\nsetgid programs.", + "desc": "Privileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. 
As such, motivation exists to monitor these programs for\nunusual activity.",
 "descriptions": {
- "default": "Ensuring that \"/home\" is mounted on its own partition enables the\nsetting of more restrictive mount options, and also helps ensure that users\ncannot trivially fill partitions used for log or audit data storage."
+ "default": "Privileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. As such, motivation exists to monitor these programs for\nunusual activity."
 },
 "impact": 0.3,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-999999",
- "gid": "V-38473",
- "rid": "SV-50273r1_rule",
- "stig_id": "RHEL-06-000007",
- "fix_id": "F-43418r1_fix",
+ "gtitle": "SRG-OS-000020",
+ "gid": "V-38567",
+ "rid": "SV-50368r4_rule",
+ "stig_id": "RHEL-06-000198",
+ "fix_id": "F-43515r6_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000040"
 ],
 "nist": [
- "CM-6 b",
+ "AC-6 (2)",
 "Rev_4"
 ],
 "false_negatives": null,
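Review bot: The `/etc/sysctl.conf` assertion in the new V-38542 code is unconditional, so a host whose running value is already 1 but that persists it through a drop-in under `/etc/sysctl.d/` is reported as a finding, whereas the check text only asks to inspect the file when the runtime value is not the default. The regex also leaves the dots in the parameter name unescaped, so they match any character; `its("content") { should match(/^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*1\s*$/) }` expresses what is intended. The same unescaped-dot pattern appears in the removed V-38511 code, so this is an inherited style rather than a new regression, but the new control is the place to correct it.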
@@ -1194,30 +1202,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if \"/home\" is on its\nown partition or logical volume:\n\n$ mount | grep \"on /home \"\n\nIf \"/home\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.", - "fix": "If user home directories will be stored locally, create a\nseparate partition for \"/home\" at installation time (or migrate it later\nusing LVM). If \"/home\" will be mounted from another system such as an NFS\nserver, then creating a separate partition is not necessary at installation\ntime, and the mountpoint can instead be configured later." + "check": "To verify that auditing of privileged command use is\nconfigured, run the following command once for each local partition [PART] to\nfind relevant setuid / setgid programs:\n\n$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null\n\nRun the following command to verify entries in the audit rules for all programs\nfound with the previous command:\n\n$ sudo grep path /etc/audit/audit.rules\n\nIt should be the case that all relevant setuid / setgid programs have a line in\nthe audit rules. If that is not the case, this is a finding. ", + "fix": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. 
To find the relevant setuid /\nsetgid programs, run the following command for each local partition [PART]:\n\n$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null\n\nThen, for each setuid / setgid program on the system, add a line of the\nfollowing form to \"/etc/audit/audit.rules\", where [SETUID_PROG_PATH] is the\nfull path to each setuid / setgid program in the list:\n\n-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F\nauid!=4294967295 -k privileged" }, - "code": "control \"V-38473\" do\n title \"The system must use a separate file system for user home directories.\"\n desc \"Ensuring that \\\"/home\\\" is mounted on its own partition enables the\nsetting of more restrictive mount options, and also helps ensure that users\ncannot trivially fill partitions used for log or audit data storage.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38473\"\n tag \"rid\": \"SV-50273r1_rule\"\n tag \"stig_id\": \"RHEL-06-000007\"\n tag \"fix_id\": \"F-43418r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/home\\\" is on its\nown partition or logical volume:\n\n$ mount | grep \\\"on /home \\\"\n\nIf \\\"/home\\\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"If user home directories will be stored locally, create a\nseparate partition for \\\"/home\\\" at installation time (or migrate it later\nusing LVM). 
If \\\"/home\\\" will be mounted from another system such as an NFS\nserver, then creating a separate partition is not necessary at installation\ntime, and the mountpoint can instead be configured later.\"\n\n describe mount(\"/home\") do\n it { should be_mounted }\n end\nend\n", + "code": "control \"V-38567\" do\n title \"The audit system must be configured to audit all use of setuid and\nsetgid programs.\"\n desc \"Privileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. As such, motivation exists to monitor these programs for\nunusual activity.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000020\"\n tag \"gid\": \"V-38567\"\n tag \"rid\": \"SV-50368r4_rule\"\n tag \"stig_id\": \"RHEL-06-000198\"\n tag \"fix_id\": \"F-43515r6_fix\"\n tag \"cci\": [\"CCI-000040\"]\n tag \"nist\": [\"AC-6 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that auditing of privileged command use is\nconfigured, run the following command once for each local partition [PART] to\nfind relevant setuid / setgid programs:\n\n$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null\n\nRun the following command to verify entries in the audit rules for all programs\nfound with the previous command:\n\n$ sudo grep path /etc/audit/audit.rules\n\nIt should be the case that all relevant setuid / setgid programs have a line in\nthe audit rules. If that is not the case, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. 
To find the relevant setuid /\nsetgid programs, run the following command for each local partition [PART]:\n\n$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null\n\nThen, for each setuid / setgid program on the system, add a line of the\nfollowing form to \\\"/etc/audit/audit.rules\\\", where [SETUID_PROG_PATH] is the\nfull path to each setuid / setgid program in the list:\n\n-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F\nauid!=4294967295 -k privileged\"\n\n files = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type f -perm /6000 -print)).stdout.strip.split(\"\\n\")\n \n if files.empty?\n describe \"setuid and setgid files\" do\n subject { files }\n it { should be_empty }\n end\n else\n files.each do |f|\n describe auditd do\n its('lines') { should include match \"path=#{f}\" }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38473.rb", + "ref": "./Red Hat 6 STIG/controls/V-38567.rb", "line": 1 }, - "id": "V-38473" + "id": "V-38567" }, { - "title": "The system must ignore ICMPv4 redirect messages by default.", - "desc": "This feature of the IPv4 protocol has few legitimate uses. It should\nbe disabled unless it is absolutely required.", + "title": "Remote file systems must be mounted with the nosuid option.", + "desc": "NFS mounts should not present suid binaries to users. Only\nvendor-supplied suid executables should be installed to their default location\non the local filesystem.", "descriptions": { - "default": "This feature of the IPv4 protocol has few legitimate uses. It should\nbe disabled unless it is absolutely required." + "default": "NFS mounts should not present suid binaries to users. Only\nvendor-supplied suid executables should be installed to their default location\non the local filesystem." 
},
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-999999",
- "gid": "V-38533",
- "rid": "SV-50334r3_rule",
- "stig_id": "RHEL-06-000091",
- "fix_id": "F-43481r1_fix",
+ "gid": "V-38654",
+ "rid": "SV-50455r2_rule",
+ "stig_id": "RHEL-06-000270",
+ "fix_id": "F-43603r1_fix",
 "cci": [
 "CCI-000366"
 ],
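Review bot: In the new V-38567 code the per-file assertion `its('lines') { should include match "path=#{f}" }` turns the path into an unanchored regex: metacharacters in the path are interpreted, and because the pattern is only a prefix, a rule for `/usr/bin/sudo` satisfies the check for `/usr/bin/su`, hiding a missing rule. Use `its('lines') { should include match(/path=#{Regexp.escape(f)}(\s|$)/) }` so each setuid/setgid program must have its own rule. Also, if the `find` command produces no output for a reason other than the absence of such files (an error exit, for instance), `files` is empty and the control passes through the `should be_empty` branch, so asserting the find command's exit status would make the control fail closed. The find also lacks the `-xdev` per-partition scoping the check text describes, so network mounts are scanned as well; whether that is wanted is not clear from the hunk.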
@@ -1235,35 +1243,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.default.accept_redirects\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.accept_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.accept_redirects = 0" + "check": "To verify the \"nosuid\" option is configured for all NFS\nmounts, run the following command:\n\n$ mount | grep nfs\n\nAll NFS mounts should show the \"nosuid\" setting in parentheses, along with\nother mount options.\nIf the setting does not show, this is a finding.", + "fix": "Add the \"nosuid\" option to the fourth column of \"/etc/fstab\"\nfor the line which controls mounting of any NFS mounts." }, - "code": "control \"V-38533\" do\n title \"The system must ignore ICMPv4 redirect messages by default.\"\n desc \"This feature of the IPv4 protocol has few legitimate uses. 
It should\nbe disabled unless it is absolutely required.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38533\"\n tag \"rid\": \"SV-50334r3_rule\"\n tag \"stig_id\": \"RHEL-06-000091\"\n tag \"fix_id\": \"F-43481r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.accept_redirects\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.accept_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.accept_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.accept_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.accept_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.accept_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38654\" do\n title \"Remote file systems must be mounted with the nosuid option.\"\n desc \"NFS mounts should not present suid binaries to users. Only\nvendor-supplied suid executables should be installed to their default location\non the local filesystem.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38654\"\n tag \"rid\": \"SV-50455r2_rule\"\n tag \"stig_id\": \"RHEL-06-000270\"\n tag \"fix_id\": \"F-43603r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"nosuid\\\" option is configured for all NFS\nmounts, run the following command:\n\n$ mount | grep nfs\n\nAll NFS mounts should show the \\\"nosuid\\\" setting in parentheses, along with\nother mount options.\nIf the setting does not show, this is a finding.\"\n tag \"fix\": \"Add the \\\"nosuid\\\" option to the fourth column of \\\"/etc/fstab\\\"\nfor 
the line which controls mounting of any NFS mounts.\"\n\n describe command('mount | grep nfs') do\n its('stdout.strip.lines') { should all include 'nosuid' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38533.rb", + "ref": "./Red Hat 6 STIG/controls/V-38654.rb", "line": 1 }, - "id": "V-38533" + "id": "V-38654" }, { - "title": "The system clock must be synchronized continuously, or at least daily.", - "desc": "Enabling the \"ntpd\" service ensures that the \"ntpd\" service will\nbe running and that the system will synchronize its time to any servers\nspecified. This is important whether the system is configured to be a client\n(and synchronize only its own clock) or it is also acting as an NTP server to\nother systems. Synchronizing time is essential for authentication services such\nas Kerberos, but it is also important for maintaining accurate logs and\nauditing possible security breaches.", + "title": "The system must forward audit records to the syslog service.", + "desc": "The auditd service does not include the ability to send audit records\nto a centralized server for management directly. It does, however, include an\naudit event multiplexor plugin (audispd) to pass audit records to the local\nsyslog server.", "descriptions": { - "default": "Enabling the \"ntpd\" service ensures that the \"ntpd\" service will\nbe running and that the system will synchronize its time to any servers\nspecified. This is important whether the system is configured to be a client\n(and synchronize only its own clock) or it is also acting as an NTP server to\nother systems. Synchronizing time is essential for authentication services such\nas Kerberos, but it is also important for maintaining accurate logs and\nauditing possible security breaches." + "default": "The auditd service does not include the ability to send audit records\nto a centralized server for management directly. 
It does, however, include an\naudit event multiplexor plugin (audispd) to pass audit records to the local\nsyslog server."
 },
- "impact": 0.5,
+ "impact": 0.3,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000056",
- "gid": "V-38620",
- "rid": "SV-50421r1_rule",
- "stig_id": "RHEL-06-000247",
- "fix_id": "F-43568r1_fix",
+ "gtitle": "SRG-OS-000043",
+ "gid": "V-38471",
+ "rid": "SV-50271r1_rule",
+ "stig_id": "RHEL-06-000509",
+ "fix_id": "F-43416r1_fix",
 "cci": [
- "CCI-000160"
+ "CCI-000136"
 ],
 "nist": [
- "AU-8 (1)",
+ "AU-3 (2)",
 "Rev_4"
 ],
 "false_negatives": null,
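Review bot: `mount | grep nfs` in the new V-38654 code matches any mount line containing the substring "nfs", which typically includes pseudo-filesystems such as the nfsd mount under /proc/fs/nfsd and the rpc_pipefs mount under /var/lib/nfs, none of which carry nosuid, so a host with the NFS stack loaded fails even when every real NFS mount is configured correctly. `include 'nosuid'` is likewise a substring test over the whole line rather than over the option list. Selecting by filesystem type and matching inside the parenthesised options, `describe command('mount -t nfs,nfs4') do` / `its('stdout.strip.lines') { should all match(/[(,]nosuid[,)]/) } end`, keeps the vacuous pass when there are no NFS mounts and removes both sources of false findings. The check text prescribes the grep form, so a short comment in the control explaining the deviation would help the next reader.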
@@ -1276,30 +1284,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine the current status of\nthe \"ntpd\" service:\n\n# service ntpd status\n\nIf the service is enabled, it should return the following:\n\nntpd is running...\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"ntpd\" service can be enabled with the following command:\n\n# chkconfig ntpd on\n# service ntpd start" + "check": "Verify the audispd plugin is active:\n\n# grep active /etc/audisp/plugins.d/syslog.conf\n\nIf the \"active\" setting is missing or set to \"no\", this is a finding.", + "fix": "Set the \"active\" line in \"/etc/audisp/plugins.d/syslog.conf\"\nto \"yes\". Restart the auditd process.\n\n# service auditd restart" }, - "code": "control \"V-38620\" do\n title \"The system clock must be synchronized continuously, or at least daily.\"\n desc \"Enabling the \\\"ntpd\\\" service ensures that the \\\"ntpd\\\" service will\nbe running and that the system will synchronize its time to any servers\nspecified. This is important whether the system is configured to be a client\n(and synchronize only its own clock) or it is also acting as an NTP server to\nother systems. 
Synchronizing time is essential for authentication services such\nas Kerberos, but it is also important for maintaining accurate logs and\nauditing possible security breaches.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000056\"\n tag \"gid\": \"V-38620\"\n tag \"rid\": \"SV-50421r1_rule\"\n tag \"stig_id\": \"RHEL-06-000247\"\n tag \"fix_id\": \"F-43568r1_fix\"\n tag \"cci\": [\"CCI-000160\"]\n tag \"nist\": [\"AU-8 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"ntpd\\\" service:\n\n# service ntpd status\n\nIf the service is enabled, it should return the following:\n\nntpd is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"ntpd\\\" service can be enabled with the following command:\n\n# chkconfig ntpd on\n# service ntpd start\"\n\n describe package(\"ntp\") do\n it { should be_installed }\n end\n describe.one do\n describe service(\"ntpd\").runlevels(/0/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/1/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/2/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/3/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/4/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/5/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/6/) do\n it { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38471\" do\n title \"The system must forward audit records to the syslog service.\"\n desc \"The auditd service does not include the ability to send 
audit records\nto a centralized server for management directly. It does, however, include an\naudit event multiplexor plugin (audispd) to pass audit records to the local\nsyslog server.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000043\"\n tag \"gid\": \"V-38471\"\n tag \"rid\": \"SV-50271r1_rule\"\n tag \"stig_id\": \"RHEL-06-000509\"\n tag \"fix_id\": \"F-43416r1_fix\"\n tag \"cci\": [\"CCI-000136\"]\n tag \"nist\": [\"AU-3 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the audispd plugin is active:\n\n# grep active /etc/audisp/plugins.d/syslog.conf\n\nIf the \\\"active\\\" setting is missing or set to \\\"no\\\", this is a finding.\"\n tag \"fix\": \"Set the \\\"active\\\" line in \\\"/etc/audisp/plugins.d/syslog.conf\\\"\nto \\\"yes\\\". Restart the auditd process.\n\n# service auditd restart\"\n\n describe parse_config_file('/etc/audisp/plugins.d/syslog.conf') do\n its('active') { should eq 'yes' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38620.rb", + "ref": "./Red Hat 6 STIG/controls/V-38471.rb", "line": 1 }, - "id": "V-38620" + "id": "V-38471" }, { - "title": "The /etc/passwd file must be group-owned by root.", - "desc": "The \"/etc/passwd\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity.", + "title": "The audit system must be configured to audit modifications to the\nsystems Mandatory Access Control (MAC) configuration (SELinux).", + "desc": "The system's mandatory access policy (SELinux) should not be\narbitrarily changed by anything other than administrator action. 
All changes to\nMAC policy should be audited.", "descriptions": { - "default": "The \"/etc/passwd\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity." + "default": "The system's mandatory access policy (SELinux) should not be\narbitrarily changed by anything other than administrator action. All changes to\nMAC policy should be audited." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38451", - "rid": "SV-50251r1_rule", - "stig_id": "RHEL-06-000040", - "fix_id": "F-43396r1_fix", + "gid": "V-38541", + "rid": "SV-50342r2_rule", + "stig_id": "RHEL-06-000183", + "fix_id": "F-43489r1_fix", "cci": [ "CCI-000366" ], 
@@ -1317,35 +1325,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the group ownership of \"/etc/passwd\", run the\ncommand:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following group-owner.\n\"root\"\nIf it does not, this is a finding.", - "fix": "To properly set the group owner of \"/etc/passwd\", run the\ncommand:\n\n# chgrp root /etc/passwd" + "check": "To determine if the system is configured to audit changes to\nits SELinux configuration files, run the following command:\n\n$ sudo grep -w \"/etc/selinux\" /etc/audit/audit.rules\n\nIf the system is configured to watch for changes to its SELinux configuration,\na line should be returned (including \"-p wa\" indicating permissions that are\nwatched).\n\nIf the system is not configured to audit attempts to change the MAC policy,\nthis is a finding.", + "fix": "Add the following to \"/etc/audit/audit.rules\":\n\n-w /etc/selinux/ -p wa -k MAC-policy" }, - "code": "control \"V-38451\" do\n title \"The /etc/passwd file must be group-owned by root.\"\n desc \"The \\\"/etc/passwd\\\" file contains information about the users that are\nconfigured on the system. 
Protection of this file is critical for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38451\"\n tag \"rid\": \"SV-50251r1_rule\"\n tag \"stig_id\": \"RHEL-06-000040\"\n tag \"fix_id\": \"F-43396r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/etc/passwd\\\", run the\ncommand:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following group-owner.\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the group owner of \\\"/etc/passwd\\\", run the\ncommand:\n\n# chgrp root /etc/passwd\"\n\n describe file(\"/etc/passwd\") do\n it { should exist }\n end\n describe file(\"/etc/passwd\") do\n its(\"gid\") { should cmp 0 }\n end\nend\n", + "code": "control \"V-38541\" do\n title \"The audit system must be configured to audit modifications to the\nsystems Mandatory Access Control (MAC) configuration (SELinux).\"\n desc \"The system's mandatory access policy (SELinux) should not be\narbitrarily changed by anything other than administrator action. 
All changes to\nMAC policy should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38541\"\n tag \"rid\": \"SV-50342r2_rule\"\n tag \"stig_id\": \"RHEL-06-000183\"\n tag \"fix_id\": \"F-43489r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit changes to\nits SELinux configuration files, run the following command:\n\n$ sudo grep -w \\\"/etc/selinux\\\" /etc/audit/audit.rules\n\nIf the system is configured to watch for changes to its SELinux configuration,\na line should be returned (including \\\"-p wa\\\" indicating permissions that are\nwatched).\n\nIf the system is not configured to audit attempts to change the MAC policy,\nthis is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/selinux/ -p wa -k MAC-policy\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/selinux\\/\\s+\\-p\\s+wa\\s+\\-k\\s+[-\\w]+\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38451.rb", + "ref": "./Red Hat 6 STIG/controls/V-38541.rb", "line": 1 }, - "id": "V-38451" + "id": "V-38541" }, { - "title": "The system must prevent the root account from logging in from virtual\nconsoles.", - "desc": "Preventing direct root login to virtual console devices helps ensure\naccountability for actions taken on the system using the root account.", + "title": "Accounts must be locked upon 35 days of inactivity.", + "desc": "Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not 
available to attackers who may have\ncompromised their credentials.", "descriptions": { - "default": "Preventing direct root login to virtual console devices helps ensure\naccountability for actions taken on the system using the root account." + "default": "Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000109", - "gid": "V-38492", - "rid": "SV-50293r1_rule", - "stig_id": "RHEL-06-000027", - "fix_id": "F-43439r2_fix", + "gtitle": "GEN006660", + "gid": "V-38692", + "rid": "SV-50493r1_rule", + "stig_id": "RHEL-06-000334", + "fix_id": "F-43641r2_fix", "cci": [ - "CCI-000770" + "CCI-000017" ], "nist": [ - "IA-2 (5)", + "AC-2 (3)", "Rev_4" ], "false_negatives": null, 
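Review bot: The regex in the new `V-38541` code only matches a watch rule written with a trailing slash (`\/etc\/selinux\/\s+`), so an equivalent rule `-w /etc/selinux -p wa -k MAC-policy`, which auditctl treats identically for a directory, is reported as a finding. Making the slash optional, `\/etc\/selinux\/?\s+`, accepts both spellings while still requiring `-p wa` and a key. Since this JSON is an export of the profile, the change belongs in the referenced source control `./Red Hat 6 STIG/controls/V-38541.rb`.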
@@ -1358,35 +1366,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check for virtual console entries which permit root login,\nrun the following command:\n\n# grep '^vc/[0-9]' /etc/securetty\n\nIf any output is returned, then root logins over virtual console devices is\npermitted.\nIf root login over virtual console devices is permitted, this is a finding.", - "fix": "To restrict root logins through the (deprecated) virtual console\ndevices, ensure lines of this form do not appear in \"/etc/securetty\":\n\nvc/1\nvc/2\nvc/3\nvc/4\n\nNote: Virtual console entries are not limited to those listed above. Any\nlines starting with \"vc/\" followed by numerals should be removed." + "check": "To verify the \"INACTIVE\" setting, run the following command:\n\ngrep \"INACTIVE\" /etc/default/useradd\n\nThe output should indicate the \"INACTIVE\" configuration option is set to an\nappropriate integer as shown in the example below:\n\n# grep \"INACTIVE\" /etc/default/useradd\nINACTIVE=35\n\nIf it does not, this is a finding.", + "fix": "To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following lines in \"/etc/default/useradd\", substituting \"[NUM_DAYS]\"\nappropriately:\n\nINACTIVE=[NUM_DAYS]\n\nA value of 35 is recommended. If a password is currently on the verge of\nexpiration, then 35 days remain until the account is automatically disabled.\nHowever, if the password will not expire for another 60 days, then 95 days\ncould elapse until the account would be automatically disabled. See the\n\"useradd\" man page for more information. Determining the inactivity timeout\nmust be done with careful consideration of the length of a \"normal\" period of\ninactivity for users in the particular environment. Setting the timeout too low\nincurs support costs and also has the potential to impact availability of the\nsystem to legitimate users." 
}, - "code": "control \"V-38492\" do\n title \"The system must prevent the root account from logging in from virtual\nconsoles.\"\n desc \"Preventing direct root login to virtual console devices helps ensure\naccountability for actions taken on the system using the root account. \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000109\"\n tag \"gid\": \"V-38492\"\n tag \"rid\": \"SV-50293r1_rule\"\n tag \"stig_id\": \"RHEL-06-000027\"\n tag \"fix_id\": \"F-43439r2_fix\"\n tag \"cci\": [\"CCI-000770\"]\n tag \"nist\": [\"IA-2 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check for virtual console entries which permit root login,\nrun the following command:\n\n# grep '^vc/[0-9]' /etc/securetty\n\nIf any output is returned, then root logins over virtual console devices is\npermitted.\nIf root login over virtual console devices is permitted, this is a finding.\"\n tag \"fix\": \"To restrict root logins through the (deprecated) virtual console\ndevices, ensure lines of this form do not appear in \\\"/etc/securetty\\\":\n\nvc/1\nvc/2\nvc/3\nvc/4\n\nNote: Virtual console entries are not limited to those listed above. 
Any\nlines starting with \\\"vc/\\\" followed by numerals should be removed.\"\n\n describe file(\"/etc/securetty\") do\n its(\"content\") { should_not match(/^vc\\/[0-9]+$/) }\n end\nend\n", + "code": "control \"V-38692\" do\n title \"Accounts must be locked upon 35 days of inactivity.\"\n desc \"Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials.\"\n impact 0.3\n tag \"gtitle\": \"GEN006660\"\n tag \"gid\": \"V-38692\"\n tag \"rid\": \"SV-50493r1_rule\"\n tag \"stig_id\": \"RHEL-06-000334\"\n tag \"fix_id\": \"F-43641r2_fix\"\n tag \"cci\": [\"CCI-000017\"]\n tag \"nist\": [\"AC-2 (3)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"INACTIVE\\\" setting, run the following command:\n\ngrep \\\"INACTIVE\\\" /etc/default/useradd\n\nThe output should indicate the \\\"INACTIVE\\\" configuration option is set to an\nappropriate integer as shown in the example below:\n\n# grep \\\"INACTIVE\\\" /etc/default/useradd\nINACTIVE=35\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following lines in \\\"/etc/default/useradd\\\", substituting \\\"[NUM_DAYS]\\\"\nappropriately:\n\nINACTIVE=[NUM_DAYS]\n\nA value of 35 is recommended. If a password is currently on the verge of\nexpiration, then 35 days remain until the account is automatically disabled.\nHowever, if the password will not expire for another 60 days, then 95 days\ncould elapse until the account would be automatically disabled. 
See the\n\\\"useradd\\\" man page for more information. Determining the inactivity timeout\nmust be done with careful consideration of the length of a \\\"normal\\\" period of\ninactivity for users in the particular environment. Setting the timeout too low\nincurs support costs and also has the potential to impact availability of the\nsystem to legitimate users.\"\n\n describe parse_config_file(\"/etc/default/useradd\") do\n its('INACTIVE') { should cmp <= input('days_of_inactivity') }\n its('INACTIVE') { should cmp >= 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38492.rb", + "ref": "./Red Hat 6 STIG/controls/V-38692.rb", "line": 1 }, - "id": "V-38492" + "id": "V-38692" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fsetxattr.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The sendmail package must be removed.", + "desc": "The sendmail software was not developed with security in mind and its\ndesign prevents it from being effectively contained by SELinux. Postfix should\nbe used instead.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "The sendmail software was not developed with security in mind and its\ndesign prevents it from being effectively contained by SELinux. Postfix should\nbe used instead." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38557", - "rid": "SV-50358r3_rule", - "stig_id": "RHEL-06-000191", - "fix_id": "F-43505r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38671", + "rid": "SV-50472r1_rule", + "stig_id": "RHEL-06-000288", + "fix_id": "F-43620r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
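Review bot: The new `V-38692` code depends on a profile input, `input('days_of_inactivity')`, that is not declared anywhere in this hunk; if the profile does not define it, InSpec raises an input error at run time instead of producing a pass or a finding. Declaring a default that matches the STIG text, `input('days_of_inactivity', value: 35)`, would make the embedded check self-contained; the edit belongs in `./Red Hat 6 STIG/controls/V-38692.rb`, which this JSON is exported from. Note also that the `cmp >= 0` bound accepts `INACTIVE=0` while rejecting `-1`, which is only the intended outcome if an immediate lock on expiry is considered compliant.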
@@ -1399,30 +1407,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"fsetxattr\" system call, run the following command:\n\n$ sudo grep -w \"fsetxattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod" + "check": "Run the following command to determine if the \"sendmail\"\npackage is installed:\n\n# rpm -q sendmail\n\n\nIf the package is installed, this is a finding.", + "fix": "Sendmail is not the default mail transfer agent and is not\ninstalled by default. 
The \"sendmail\" package can be removed with the\nfollowing command:\n\n# yum erase sendmail" }, - "code": "control \"V-38557\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fsetxattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38557\"\n tag \"rid\": \"SV-50358r3_rule\"\n tag \"stig_id\": \"RHEL-06-000191\"\n tag \"fix_id\": \"F-43505r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fsetxattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fsetxattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)fsetxattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)fsetxattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38671\" do\n title \"The sendmail package must be removed.\"\n desc \"The sendmail software was not developed with security in mind and its\ndesign prevents it from being effectively contained by SELinux. 
Postfix should\nbe used instead.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38671\"\n tag \"rid\": \"SV-50472r1_rule\"\n tag \"stig_id\": \"RHEL-06-000288\"\n tag \"fix_id\": \"F-43620r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"sendmail\\\"\npackage is installed:\n\n# rpm -q sendmail\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"Sendmail is not the default mail transfer agent and is not\ninstalled by default. The \\\"sendmail\\\" package can be removed with the\nfollowing command:\n\n# yum erase sendmail\"\n\n describe package(\"sendmail\") do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38557.rb", + "ref": "./Red Hat 6 STIG/controls/V-38671.rb", "line": 1 }, - "id": "V-38557" + "id": "V-38671" }, { - "title": "The postfix service must be enabled for mail delivery.", - "desc": "Local mail delivery is essential to some system maintenance and\nnotification tasks.", + "title": "Automated file system mounting tools must not be enabled unless\nneeded.", + "desc": "All filesystems that are required for the successful operation of the\nsystem should be explicitly listed in \"/etc/fstab\" by an administrator. New\nfilesystems should not be arbitrarily introduced via the automounter.\n\n The \"autofs\" daemon mounts and unmounts filesystems, such as user home\ndirectories shared via NFS, on demand. In addition, autofs can be used to\nhandle removable media, and the default configuration provides the cdrom device\nas \"/misc/cd\". 
However, this method of providing access to removable media is\nnot common, so autofs can almost always be disabled if NFS is not in use. Even\nif NFS is required, it is almost always possible to configure filesystem mounts\nstatically by editing \"/etc/fstab\" rather than relying on the automounter.", "descriptions": { - "default": "Local mail delivery is essential to some system maintenance and\nnotification tasks." + "default": "All filesystems that are required for the successful operation of the\nsystem should be explicitly listed in \"/etc/fstab\" by an administrator. New\nfilesystems should not be arbitrarily introduced via the automounter.\n\n The \"autofs\" daemon mounts and unmounts filesystems, such as user home\ndirectories shared via NFS, on demand. In addition, autofs can be used to\nhandle removable media, and the default configuration provides the cdrom device\nas \"/misc/cd\". However, this method of providing access to removable media is\nnot common, so autofs can almost always be disabled if NFS is not in use. Even\nif NFS is required, it is almost always possible to configure filesystem mounts\nstatically by editing \"/etc/fstab\" rather than relying on the automounter." }, "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38669", - "rid": "SV-50470r1_rule", - "stig_id": "RHEL-06-000287", - "fix_id": "F-43618r1_fix", + "gid": "V-38437", + "rid": "SV-50237r1_rule", + "stig_id": "RHEL-06-000526", + "fix_id": "F-43381r1_fix", "cci": [ "CCI-000366" ], 
@@ -1440,30 +1448,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine the current status of\nthe \"postfix\" service:\n\n# service postfix status\n\nIf the service is enabled, it should return the following:\n\npostfix is running...\n\nIf the service is not enabled, this is a finding.", - "fix": "The Postfix mail transfer agent is used for local mail delivery\nwithin the system. The default configuration only listens for connections to\nthe default SMTP port (port 25) on the loopback interface (127.0.0.1). It is\nrecommended to leave this service enabled for local mail delivery. The\n\"postfix\" service can be enabled with the following command:\n\n# chkconfig postfix on\n# service postfix start" + "check": "To verify the \"autofs\" service is disabled, run the following\ncommand:\n\nchkconfig --list autofs\n\nIf properly configured, the output should be the following:\n\nautofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nVerify the \"autofs\" service is not running:\n\n# service autofs status\n\nIf the autofs service is enabled or running, this is a finding.", + "fix": "If the \"autofs\" service is not needed to dynamically mount NFS\nfilesystems or removable media, disable the service for all runlevels:\n\n# chkconfig --level 0123456 autofs off\n\nStop the service if it is already running:\n\n# service autofs stop" }, - "code": "control \"V-38669\" do\n title \"The postfix service must be enabled for mail delivery.\"\n desc \"Local mail delivery is essential to some system maintenance and\nnotification tasks.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38669\"\n tag \"rid\": \"SV-50470r1_rule\"\n tag \"stig_id\": \"RHEL-06-000287\"\n tag \"fix_id\": \"F-43618r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n 
tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"postfix\\\" service:\n\n# service postfix status\n\nIf the service is enabled, it should return the following:\n\npostfix is running...\n\nIf the service is not enabled, this is a finding.\"\n tag \"fix\": \"The Postfix mail transfer agent is used for local mail delivery\nwithin the system. The default configuration only listens for connections to\nthe default SMTP port (port 25) on the loopback interface (127.0.0.1). It is\nrecommended to leave this service enabled for local mail delivery. The\n\\\"postfix\\\" service can be enabled with the following command:\n\n# chkconfig postfix on\n# service postfix start\"\n\n describe package(\"postfix\") do\n it { should be_installed }\n end\n describe.one do\n describe service(\"postfix\").runlevels(/0/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/1/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/2/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/3/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/4/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/5/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/6/) do\n it { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38437\" do\n title \"Automated file system mounting tools must not be enabled unless\nneeded.\"\n desc \"All filesystems that are required for the successful operation of the\nsystem should be explicitly listed in \\\"/etc/fstab\\\" by an administrator. 
New\nfilesystems should not be arbitrarily introduced via the automounter.\n\n The \\\"autofs\\\" daemon mounts and unmounts filesystems, such as user home\ndirectories shared via NFS, on demand. In addition, autofs can be used to\nhandle removable media, and the default configuration provides the cdrom device\nas \\\"/misc/cd\\\". However, this method of providing access to removable media is\nnot common, so autofs can almost always be disabled if NFS is not in use. Even\nif NFS is required, it is almost always possible to configure filesystem mounts\nstatically by editing \\\"/etc/fstab\\\" rather than relying on the automounter.\n \"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38437\"\n tag \"rid\": \"SV-50237r1_rule\"\n tag \"stig_id\": \"RHEL-06-000526\"\n tag \"fix_id\": \"F-43381r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"autofs\\\" service is disabled, run the following\ncommand:\n\nchkconfig --list autofs\n\nIf properly configured, the output should be the following:\n\nautofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nVerify the \\\"autofs\\\" service is not running:\n\n# service autofs status\n\nIf the autofs service is enabled or running, this is a finding.\"\n tag \"fix\": \"If the \\\"autofs\\\" service is not needed to dynamically mount NFS\nfilesystems or removable media, disable the service for all runlevels:\n\n# chkconfig --level 0123456 autofs off\n\nStop the service if it is already running:\n\n# service autofs stop\"\n\n describe service(\"autofs\").runlevels(/0/) do\n it { should_not be_enabled }\n end\n describe 
service(\"autofs\").runlevels(/1/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/2/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/3/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/4/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/5/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/6/) do\n it { should_not be_enabled }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38669.rb", + "ref": "./Red Hat 6 STIG/controls/V-38437.rb", "line": 1 }, - "id": "V-38669" + "id": "V-38437" }, { - "title": "The system must use a Linux Security Module configured to limit the\nprivileges of system services.", - "desc": "Setting the SELinux policy to \"targeted\" or a more specialized\npolicy ensures the system will confine processes that are likely to be targeted\nfor exploitation, such as network or system services.", + "title": "The /etc/shadow file must have mode 0000.", + "desc": "The \"/etc/shadow\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture.", "descriptions": { - "default": "Setting the SELinux policy to \"targeted\" or a more specialized\npolicy ensures the system will confine processes that are likely to be targeted\nfor exploitation, such as network or system services." + "default": "The \"/etc/shadow\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-51369", - "rid": "SV-65579r1_rule", - "stig_id": "RHEL-06-000023", - "fix_id": "F-56171r1_fix", + "gid": "V-38504", + "rid": "SV-50305r1_rule", + "stig_id": "RHEL-06-000035", + "fix_id": "F-43451r1_fix", "cci": [ "CCI-000366" ], 
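Review bot: The new `V-38437` code verifies only that `autofs` is disabled in runlevels 0–6, while the control's own check text also requires that the service is not running (`# service autofs status`, "enabled or running, this is a finding"), so a currently-running autofs with chkconfig turned off would pass. Adding `describe service("autofs") do it { should_not be_running } end` alongside the runlevel checks closes that gap. As the JSON is an export, the change should be made in `./Red Hat 6 STIG/controls/V-38437.rb`.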
@@ -1481,35 +1489,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Check the file \"/etc/selinux/config\" and ensure the following\nline appears:\n\nSELINUXTYPE=targeted\n\nIf it does not, this is a finding. ", - "fix": "The SELinux \"targeted\" policy is appropriate for\ngeneral-purpose desktops and servers, as well as systems in many other roles.\nTo configure the system to use this policy, add or correct the following line\nin \"/etc/selinux/config\":\n\nSELINUXTYPE=targeted\n\nOther policies, such as \"mls\", provide additional security labeling and\ngreater confinement but are not compatible with many general-purpose use cases.\n" + "check": "To check the permissions of \"/etc/shadow\", run the command:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following permissions:\n\"----------\"\nIf it does not, this is a finding.", + "fix": "To properly set the permissions of \"/etc/shadow\", run the\ncommand:\n\n# chmod 0000 /etc/shadow" }, - "code": "control \"V-51369\" do\n title \"The system must use a Linux Security Module configured to limit the\nprivileges of system services.\"\n desc \"Setting the SELinux policy to \\\"targeted\\\" or a more specialized\npolicy ensures the system will confine processes that are likely to be targeted\nfor exploitation, such as network or system services. 
\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51369\"\n tag \"rid\": \"SV-65579r1_rule\"\n tag \"stig_id\": \"RHEL-06-000023\"\n tag \"fix_id\": \"F-56171r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check the file \\\"/etc/selinux/config\\\" and ensure the following\nline appears:\n\nSELINUXTYPE=targeted\n\nIf it does not, this is a finding. \"\n tag \"fix\": \"The SELinux \\\"targeted\\\" policy is appropriate for\ngeneral-purpose desktops and servers, as well as systems in many other roles.\nTo configure the system to use this policy, add or correct the following line\nin \\\"/etc/selinux/config\\\":\n\nSELINUXTYPE=targeted\n\nOther policies, such as \\\"mls\\\", provide additional security labeling and\ngreater confinement but are not compatible with many general-purpose use cases.\n\"\n\n describe file(\"/etc/selinux/config\") do\n its(\"content\") { should match(/^[\\s]*SELINUXTYPE[\\s]*=[\\s]*([^\\s]*)/) }\n end\n file(\"/etc/selinux/config\").content.to_s.scan(/^[\\s]*SELINUXTYPE[\\s]*=[\\s]*([^\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"targeted\" }\n end\n end\nend\n", + "code": "control \"V-38504\" do\n title \"The /etc/shadow file must have mode 0000.\"\n desc \"The \\\"/etc/shadow\\\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. 
Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38504\"\n tag \"rid\": \"SV-50305r1_rule\"\n tag \"stig_id\": \"RHEL-06-000035\"\n tag \"fix_id\": \"F-43451r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/etc/shadow\\\", run the command:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following permissions:\n\\\"----------\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the permissions of \\\"/etc/shadow\\\", run the\ncommand:\n\n# chmod 0000 /etc/shadow\"\n\n describe file(\"/etc/shadow\") do\n it { should exist }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_readable.by \"group\" }\n end\n describe file(\"/etc/shadow\") do\n its(\"gid\") { should cmp 0 }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_readable.by \"other\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_setgid }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_sticky }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_setuid }\n end\n 
describe file(\"/etc/shadow\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_readable.by \"owner\" }\n end\n describe file(\"/etc/shadow\") do\n its(\"uid\") { should cmp 0 }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_writable.by \"owner\" }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-51369.rb", + "ref": "./Red Hat 6 STIG/controls/V-38504.rb", "line": 1 }, - "id": "V-51369" + "id": "V-38504" }, { - "title": "The TFTP service must not be running.", - "desc": "Disabling the \"tftp\" service ensures the system is not acting as a\ntftp server, which does not provide encryption or authentication.", + "title": "The system must require passwords to contain at least one uppercase\nalphabetic character.", + "desc": "Requiring a minimum number of uppercase characters makes password\nguessing attacks more difficult by ensuring a larger search space.", "descriptions": { - "default": "Disabling the \"tftp\" service ensures the system is not acting as a\ntftp server, which does not provide encryption or authentication." + "default": "Requiring a minimum number of uppercase characters makes password\nguessing attacks more difficult by ensuring a larger search space." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000248", - "gid": "V-38609", - "rid": "SV-50410r2_rule", - "stig_id": "RHEL-06-000223", - "fix_id": "F-43557r4_fix", + "gtitle": "SRG-OS-000069", + "gid": "V-38569", + "rid": "SV-50370r2_rule", + "stig_id": "RHEL-06-000057", + "fix_id": "F-43517r2_fix", "cci": [ - "CCI-001436" + "CCI-000192" ], "nist": [ - "AC-17 (8)", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
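Review bot: The new `code` for V-38504 expresses the single "mode 0000" requirement as fifteen separate `describe file("/etc/shadow")` blocks, one per permission bit, which makes the control hard to read and reports a failure as a dozen partial assertions instead of the offending mode. The same contract (no owner/group/other bits, no setuid/setgid/sticky, owned by uid 0 / gid 0) fits in one describe using the `mode` property, shown below. The `desc` text talks about ownership while the title is about mode; that wording comes from the STIG source, so it is left as is.
```ruby
  describe file("/etc/shadow") do
    it { should exist }
    its("mode") { should cmp "0000" }   # replaces the per-bit be_readable/be_writable/be_executable/setuid/setgid/sticky checks
    its("uid") { should cmp 0 }
    its("gid") { should cmp 0 }
  end
```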
@@ -1522,35 +1530,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"tftp\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"tftp\" --list\n\nOutput should indicate the \"tftp\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"tftp\" --list\ntftp off\nOR\nerror reading information on service tftp: No such file or directory\n\n\nIf the service is running, this is a finding.", - "fix": "The \"tftp\" service should be disabled. The \"tftp\" service can\nbe disabled with the following command:\n\n# chkconfig tftp off" + "check": "To check how many uppercase characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"ucredit\" parameter (as a negative number) will indicate how many\nuppercase characters are required. The DoD requires at least one uppercase\ncharacter in a password. This would appear as \"ucredit=-1\".\n\nIf \"ucredit\" is not found or not set to the required value, this is a finding.", + "fix": "The pam_cracklib module's \"ucredit=\" parameter controls\nrequirements for usage of uppercase letters in a password. When set to a\nnegative number, any password will be required to contain that many uppercase\ncharacters. When set to a positive number, pam_cracklib will grant +1\nadditional length credit for each uppercase character.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"ucredit=-1\"\nafter pam_cracklib.so to require use of an uppercase character in passwords." 
}, - "code": "control \"V-38609\" do\n title \"The TFTP service must not be running.\"\n desc \"Disabling the \\\"tftp\\\" service ensures the system is not acting as a\ntftp server, which does not provide encryption or authentication.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000248\"\n tag \"gid\": \"V-38609\"\n tag \"rid\": \"SV-50410r2_rule\"\n tag \"stig_id\": \"RHEL-06-000223\"\n tag \"fix_id\": \"F-43557r4_fix\"\n tag \"cci\": [\"CCI-001436\"]\n tag \"nist\": [\"AC-17 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"tftp\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"tftp\\\" --list\n\nOutput should indicate the \\\"tftp\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"tftp\\\" --list\ntftp off\nOR\nerror reading information on service tftp: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"tftp\\\" service should be disabled. 
The \\\"tftp\\\" service can\nbe disabled with the following command:\n\n# chkconfig tftp off\"\n\n describe service('tftp') do\n it { should_not be_enabled }\n it { should_not be_running }\n end\nend\n", + "code": "control \"V-38569\" do\n title \"The system must require passwords to contain at least one uppercase\nalphabetic character.\"\n desc \"Requiring a minimum number of uppercase characters makes password\nguessing attacks more difficult by ensuring a larger search space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000069\"\n tag \"gid\": \"V-38569\"\n tag \"rid\": \"SV-50370r2_rule\"\n tag \"stig_id\": \"RHEL-06-000057\"\n tag \"fix_id\": \"F-43517r2_fix\"\n tag \"cci\": [\"CCI-000192\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many uppercase characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"ucredit\\\" parameter (as a negative number) will indicate how many\nuppercase characters are required. The DoD requires at least one uppercase\ncharacter in a password. This would appear as \\\"ucredit=-1\\\".\n\nIf \\\"ucredit\\\" is not found or not set to the required value, this is a finding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"ucredit=\\\" parameter controls\nrequirements for usage of uppercase letters in a password. When set to a\nnegative number, any password will be required to contain that many uppercase\ncharacters. 
When set to a positive number, pam_cracklib will grant +1\nadditional length credit for each uppercase character.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"ucredit=-1\\\"\nafter pam_cracklib.so to require use of an uppercase character in passwords.\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ucredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ucredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ucredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ucredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ucredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ucredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { 
should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ucredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ucredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38609.rb", + "ref": "./Red Hat 6 STIG/controls/V-38569.rb", "line": 1 }, - "id": "V-38609" + "id": "V-38569" }, { - "title": "The system must require passwords to contain at least one numeric\ncharacter.", - "desc": "Requiring digits makes password guessing attacks more difficult by\nensuring a larger search space.", + "title": "Audit log files must have mode 0640 or less permissive.", + "desc": "If users can write to audit logs, audit trails can be modified or\ndestroyed.", "descriptions": { - "default": "Requiring digits makes password guessing attacks more difficult by\nensuring a larger search space." + "default": "If users can write to audit logs, audit trails can be modified or\ndestroyed." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000071", - "gid": "V-38482", - "rid": "SV-50282r2_rule", - "stig_id": "RHEL-06-000056", - "fix_id": "F-43427r2_fix", + "gtitle": "SRG-OS-000058", + "gid": "V-38498", + "rid": "SV-50299r1_rule", + "stig_id": "RHEL-06-000383", + "fix_id": "F-43445r1_fix", "cci": [ - "CCI-000194" + "CCI-000163" ], "nist": [ - "IA-5 (1) (a)", + "AU-9", "Rev_4" ], "false_negatives": null, 
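Review bot: In the new V-38569 `code`, the per-entry `it { should cmp >= 1 }` checks sit inside `describe.one`, so they can never fail the control: whenever the scan yields an entry, the sibling `its("content") { should match(...) }` on the same regex has already passed and `describe.one` is satisfied. In practice the only value the capture admits that the minimum check would reject is `ucredit=-0`, and as written even that passes. Moving the two `...scan(...).flatten.each` loops out of each `describe.one` (placing them after it) makes both presence and minimum value mandatory, and hoisting the two regexes into named constants would remove the four-fold repetition across system-auth and password-auth.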
@@ -1563,35 +1571,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check how many digits are required in a password, run the\nfollowing command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"dcredit\" parameter (as a negative number) will indicate how many\ndigits are required. The DoD requires at least one digit in a password. This\nwould appear as \"dcredit=-1\".\n\nIf \"dcredit\" is not found or not set to the required value, this is a finding.\n", - "fix": "The pam_cracklib module's \"dcredit\" parameter controls\nrequirements for usage of digits in a password. When set to a negative number,\nany password will be required to contain that many digits. When set to a\npositive number, pam_cracklib will grant +1 additional length credit for each\ndigit.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"dcredit=-1\"\nafter pam_cracklib.so to require use of a digit in passwords.\n" + "check": "Run the following command to check the mode of the system audit\nlogs:\n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %a:%n\n\nAudit logs must be mode 0640 or less permissive.\nIf any are more permissive, this is a finding.", + "fix": "Change the mode of the audit log files with the following\ncommand:\n\n# chmod 0640 [audit_file]" }, - "code": "control \"V-38482\" do\n title \"The system must require passwords to contain at least one numeric\ncharacter.\"\n desc \"Requiring digits makes password guessing attacks more difficult by\nensuring a larger search space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000071\"\n tag \"gid\": \"V-38482\"\n tag \"rid\": \"SV-50282r2_rule\"\n tag \"stig_id\": \"RHEL-06-000056\"\n tag \"fix_id\": \"F-43427r2_fix\"\n tag \"cci\": [\"CCI-000194\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag 
\"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many digits are required in a password, run the\nfollowing command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"dcredit\\\" parameter (as a negative number) will indicate how many\ndigits are required. The DoD requires at least one digit in a password. This\nwould appear as \\\"dcredit=-1\\\".\n\nIf \\\"dcredit\\\" is not found or not set to the required value, this is a finding.\n\"\n tag \"fix\": \"The pam_cracklib module's \\\"dcredit\\\" parameter controls\nrequirements for usage of digits in a password. When set to a negative number,\nany password will be required to contain that many digits. When set to a\npositive number, pam_cracklib will grant +1 additional length credit for each\ndigit.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"dcredit=-1\\\"\nafter pam_cracklib.so to require use of a digit in passwords.\n\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+dcredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+dcredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+dcredit=-(\\d+)\\s+.*$/) }\n end\n 
file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+dcredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+dcredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+dcredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+dcredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+dcredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\nend\n", + "code": "control \"V-38498\" do\n title \"Audit log files must have mode 0640 or less permissive.\"\n desc \"If users can write to audit logs, audit trails can be modified or\ndestroyed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000058\"\n tag \"gid\": \"V-38498\"\n tag \"rid\": \"SV-50299r1_rule\"\n tag \"stig_id\": \"RHEL-06-000383\"\n tag \"fix_id\": \"F-43445r1_fix\"\n tag \"cci\": [\"CCI-000163\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag 
\"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check the mode of the system audit\nlogs:\n\ngrep \\\"^log_file\\\" /etc/audit/auditd.conf|sed s/^[^\\\\/]*//|xargs stat -c %a:%n\n\nAudit logs must be mode 0640 or less permissive.\nIf any are more permissive, this is a finding.\"\n tag \"fix\": \"Change the mode of the audit log files with the following\ncommand:\n\n# chmod 0640 [audit_file]\"\n\n describe command(\"find /var/log/audit -regex .\\\\*/\\\\^.\\\\*\\\\$ -perm -07137 -xdev\") do\n its(\"stdout\") { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38482.rb", + "ref": "./Red Hat 6 STIG/controls/V-38498.rb", "line": 1 }, - "id": "V-38482" + "id": "V-38498" }, { - "title": "The operating system must automatically audit account disabling\nactions.", - "desc": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.", + "title": "The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (system-auth).", + "desc": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.", "descriptions": { - "default": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy." + "default": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult." 
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000240",
- "gid": "V-38536",
- "rid": "SV-50337r2_rule",
- "stig_id": "RHEL-06-000176",
- "fix_id": "F-43484r1_fix",
+ "gtitle": "SRG-OS-000120",
+ "gid": "V-38574",
+ "rid": "SV-50375r4_rule",
+ "stig_id": "RHEL-06-000062",
+ "fix_id": "F-43522r4_fix",
 "cci": [
- "CCI-001404"
+ "CCI-000803"
 ],
 "nist": [
- "AC-2 (4)",
+ "IA-7",
 "Rev_4"
 ],
 "false_negatives": null,
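Review bot: The `find` in the new V-38498 `code` uses `-perm -07137`, which matches only files that have every one of those bits set at once (setuid, setgid, sticky, owner-execute, group-write and world rwx), so on a real system it returns nothing and the control passes regardless of the logs' actual mode. The intent is "any bit outside 0640 set", which is the slash form, e.g. `find /var/log/audit -xdev -type f -perm /07137`. The `-regex .\*/\^.\*\$` argument appears to add nothing after shell unescaping, or to exclude every path if `^` mid-pattern is taken literally, so it should be dropped. The STIG check text also derives the log location from `log_file` in `/etc/audit/auditd.conf`, so hard-coding `/var/log/audit` misses a relocated log; taking the directory from `auditd_conf.log_file` would match the check text.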
@@ -1604,35 +1612,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \"-p wa\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.", - "fix": "Add the following to \"/etc/audit/audit.rules\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes" + "check": "Inspect the \"password\" section of \"/etc/pam.d/system-auth\",\n\"/etc/pam.d/system-auth-ac\", \"/etc/pam.d/password-auth\",\n\"/etc/pam.d/password-auth-ac\" and other files in \"/etc/pam.d\" to identify\nthe number of occurrences where the \"pam_unix.so\" module is used in the\n\"password\" section.\n\n$ grep -E -c 'password.*pam_unix.so' /etc/pam.d/*\n\n/etc/pam.d/atd:0\n/etc/pam.d/config-util:0\n/etc/pam.d/crond:0\n/etc/pam.d/login:0\n/etc/pam.d/other:0\n/etc/pam.d/passwd:0\n/etc/pam.d/password-auth:1\n/etc/pam.d/password-auth-ac:1\n/etc/pam.d/sshd:0\n/etc/pam.d/su:0\n/etc/pam.d/sudo:0\n/etc/pam.d/system-auth:1\n/etc/pam.d/system-auth-ac:1\n/etc/pam.d/vlock:0\n\nNote: The number adjacent to the file name indicates how many occurrences of\nthe \"pam_unix.so\" module are found in the password section.\n\nIf the \"pam_unix.so\" module is not defined in the \"password\" section of\n\"/etc/pam.d/system-auth\", \"/etc/pam.d/system-auth-ac\",\n\"/etc/pam.d/password-auth\", and \"/etc/pam.d/password-auth-ac\" at a minimum,\nthis is a 
finding.\n\nVerify that the \"sha512\" variable is used with each instance of the\n\"pam_unix.so\" module in the \"password\" section:\n\n$ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512\n\n/etc/pam.d/password-auth:password \tsufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/system-auth:password \tsufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/system-auth-ac:password \tsufficient pam_unix.so sha512 [other\narguments…]\n\nIf this list of files does not coincide with the previous command, this is a\nfinding.\n\nIf any of the identified \"pam_unix.so\" modules do not use the \"sha512\"\nvariable, this is a finding.\n", + "fix": "In \"/etc/pam.d/system-auth\", \"/etc/pam.d/system-auth-ac\",\n\"/etc/pam.d/password-auth\", and \"/etc/pam.d/password-auth-ac\", among\npotentially other files, the \"password\" section of the files controls which\nPAM modules execute during a password change. Set the \"pam_unix.so\" module in\nthe \"password\" section to include the argument \"sha512\", as shown below:\n\npassword sufficient pam_unix.so sha512 [other arguments...]\n\nThis will help ensure when local users change their passwords, hashes for the\nnew passwords will be generated using the SHA-512 algorithm. This is the\ndefault.\n\nNote: Any updates made to \"/etc/pam.d/system-auth\" will be overwritten by the\n\"authconfig\" program. The \"authconfig\" program should not be used.\n" }, - "code": "control \"V-38536\" do\n title \"The operating system must automatically audit account disabling\nactions.\"\n desc \"In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. 
Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000240\"\n tag \"gid\": \"V-38536\"\n tag \"rid\": \"SV-50337r2_rule\"\n tag \"stig_id\": \"RHEL-06-000176\"\n tag \"fix_id\": \"F-43484r1_fix\"\n tag \"cci\": [\"CCI-001404\"]\n tag \"nist\": [\"AC-2 (4)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \\\"-p wa\\\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe 
file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\nend\n", + "code": "control \"V-38574\" do\n title \"The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (system-auth).\"\n desc \"Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000120\"\n tag \"gid\": \"V-38574\"\n tag \"rid\": \"SV-50375r4_rule\"\n tag \"stig_id\": \"RHEL-06-000062\"\n tag \"fix_id\": \"F-43522r4_fix\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect the \\\"password\\\" section of \\\"/etc/pam.d/system-auth\\\",\n\\\"/etc/pam.d/system-auth-ac\\\", \\\"/etc/pam.d/password-auth\\\",\n\\\"/etc/pam.d/password-auth-ac\\\" and other files in \\\"/etc/pam.d\\\" to identify\nthe number of occurrences where the \\\"pam_unix.so\\\" module is used in the\n\\\"password\\\" section.\n\n$ grep -E -c 'password.*pam_unix.so' /etc/pam.d/*\n\n/etc/pam.d/atd:0\n/etc/pam.d/config-util:0\n/etc/pam.d/crond:0\n/etc/pam.d/login:0\n/etc/pam.d/other:0\n/etc/pam.d/passwd:0\n/etc/pam.d/password-auth:1\n/etc/pam.d/password-auth-ac:1\n/etc/pam.d/sshd:0\n/etc/pam.d/su:0\n/etc/pam.d/sudo:0\n/etc/pam.d/system-auth:1\n/etc/pam.d/system-auth-ac:1\n/etc/pam.d/vlock:0\n\nNote: The number adjacent to the file name indicates how many occurrences of\nthe \\\"pam_unix.so\\\" module are 
found in the password section.\n\nIf the \\\"pam_unix.so\\\" module is not defined in the \\\"password\\\" section of\n\\\"/etc/pam.d/system-auth\\\", \\\"/etc/pam.d/system-auth-ac\\\",\n\\\"/etc/pam.d/password-auth\\\", and \\\"/etc/pam.d/password-auth-ac\\\" at a minimum,\nthis is a finding.\n\nVerify that the \\\"sha512\\\" variable is used with each instance of the\n\\\"pam_unix.so\\\" module in the \\\"password\\\" section:\n\n$ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512\n\n/etc/pam.d/password-auth:password \\tsufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/system-auth:password \\tsufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/system-auth-ac:password \\tsufficient pam_unix.so sha512 [other\narguments…]\n\nIf this list of files does not coincide with the previous command, this is a\nfinding.\n\nIf any of the identified \\\"pam_unix.so\\\" modules do not use the \\\"sha512\\\"\nvariable, this is a finding.\n\"\n tag \"fix\": \"In \\\"/etc/pam.d/system-auth\\\", \\\"/etc/pam.d/system-auth-ac\\\",\n\\\"/etc/pam.d/password-auth\\\", and \\\"/etc/pam.d/password-auth-ac\\\", among\npotentially other files, the \\\"password\\\" section of the files controls which\nPAM modules execute during a password change. Set the \\\"pam_unix.so\\\" module in\nthe \\\"password\\\" section to include the argument \\\"sha512\\\", as shown below:\n\npassword sufficient pam_unix.so sha512 [other arguments...]\n\nThis will help ensure when local users change their passwords, hashes for the\nnew passwords will be generated using the SHA-512 algorithm. This is the\ndefault.\n\nNote: Any updates made to \\\"/etc/pam.d/system-auth\\\" will be overwritten by the\n\\\"authconfig\\\" program. 
The \\\"authconfig\\\" program should not be used.\n\"\n\n describe command(\"grep 'password.*pam_unix.so' /etc/pam.d/password-auth\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"grep 'password.*pam_unix.so' /etc/pam.d/system-auth\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"grep password /etc/pam.d/* | grep pam_unix.so\") do\n its('stdout.strip.lines') { should all match %r{\\bsha512\\b} }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38536.rb", + "ref": "./Red Hat 6 STIG/controls/V-38574.rb", "line": 1 }, - "id": "V-38536" + "id": "V-38574" }, { - "title": "All rsyslog-generated log files must be owned by root.", - "desc": "The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access.", + "title": "All accounts on the system must have unique user or account names", + "desc": "Unique usernames allow for accountability on the system.", "descriptions": { - "default": "The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access." + "default": "Unique usernames allow for accountability on the system." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000206", - "gid": "V-38518", - "rid": "SV-50319r2_rule", - "stig_id": "RHEL-06-000133", - "fix_id": "F-43465r1_fix", + "gtitle": "SRG-OS-000121", + "gid": "V-38683", + "rid": "SV-50484r1_rule", + "stig_id": "RHEL-06-000296", + "fix_id": "F-43632r1_fix", "cci": [ - "CCI-001314" + "CCI-000804" ], "nist": [ - "SI-11 b", + "IA-8", "Rev_4" ], "false_negatives": null, 
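Review bot: The three `grep` commands in the new V-38574 `code` are not anchored to the `password` section, so comment lines and lines where `password` appears anywhere are included: a commented-out `#password sufficient pam_unix.so` line satisfies the first two non-empty checks, and any comment that mentions pam_unix.so without sha512 makes the third check fail. Anchoring all three patterns on the section keyword, e.g. `grep -E '^[[:space:]]*password[[:space:]].*pam_unix\.so'`, and using the same filter in place of `grep password ... | grep pam_unix.so` would make the assertion match the STIG text, which inspects only the `password` section. The check text also names `system-auth-ac` and `password-auth-ac` as required at a minimum, while the presence checks cover only the two non-`-ac` files; worth confirming that narrowing is intended.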
@@ -1645,35 +1653,35 @@
 "mitigation_controls": null,
 "responsibility": null,
 "ia_controls": null,
- "check": "The owner of all log files written by \"rsyslog\" should be\nroot. These log files are determined by the second part of each Rule line in\n\"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". To see the\nowner of a given log file, run the following command:\n\n$ ls -l [LOGFILE]\n\nSome log files referenced in /etc/rsyslog.conf may be created by other programs\nand may require exclusion from consideration.\n\nIf the owner is not root, this is a finding. ",
- "fix": "The owner of all log files written by \"rsyslog\" should be root.\nThese log files are determined by the second part of each Rule line in\n\"/etc/rsyslog.conf\" typically all appear in \"/var/log\". For each log file\n[LOGFILE] referenced in \"/etc/rsyslog.conf\", run the following command to\ninspect the file's owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not \"root\", run the following command to correct this:\n\n# chown root [LOGFILE]"
+ "check": "Run the following command to check for duplicate account names:\n\n# pwck -rq\n\nIf there are no duplicate names, no line will be returned.\nIf a line is returned, this is a finding.",
+ "fix": "Change usernames, or delete accounts, so each has a unique name."
 },
- "code": "control \"V-38518\" do\n title \"All rsyslog-generated log files must be owned by root.\"\n desc \"The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. 
Log files should be protected from unauthorized access.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000206\"\n tag \"gid\": \"V-38518\"\n tag \"rid\": \"SV-50319r2_rule\"\n tag \"stig_id\": \"RHEL-06-000133\"\n tag \"fix_id\": \"F-43465r1_fix\"\n tag \"cci\": [\"CCI-001314\"]\n tag \"nist\": [\"SI-11 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The owner of all log files written by \\\"rsyslog\\\" should be\nroot. These log files are determined by the second part of each Rule line in\n\\\"/etc/rsyslog.conf\\\" and typically all appear in \\\"/var/log\\\". To see the\nowner of a given log file, run the following command:\n\n$ ls -l [LOGFILE]\n\nSome log files referenced in /etc/rsyslog.conf may be created by other programs\nand may require exclusion from consideration.\n\nIf the owner is not root, this is a finding. \"\n tag \"fix\": \"The owner of all log files written by \\\"rsyslog\\\" should be root.\nThese log files are determined by the second part of each Rule line in\n\\\"/etc/rsyslog.conf\\\" typically all appear in \\\"/var/log\\\". For each log file\n[LOGFILE] referenced in \\\"/etc/rsyslog.conf\\\", run the following command to\ninspect the file's owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not \\\"root\\\", run the following command to correct this:\n\n# chown root [LOGFILE]\"\n\n # strip comments, empty lines, and lines which start with $ in order to get rules\n rules = file('/etc/rsyslog.conf').content.lines.map do |l|\n pound_index = l.index('#')\n l = l.slice(0, pound_index) if !pound_index.nil?\n l.strip\n end.reject { |l| l.empty? or l.start_with? 
'$' }\n\n paths = rules.map do |r|\n filter, action = r.split(%r{\\s+})\n next if !(action.start_with? '-/' or action.start_with? '/')\n action.sub(%r{^-/}, '/')\n end.reject { |path| path.nil? }\n\n if paths.empty?\n describe \"rsyslog log files\" do\n subject { paths }\n it { should be_empty }\n end\n else\n paths.each do |path|\n describe file(path) do \n its('owner') { should eq 'root' }\n end\n end\n end\nend\n", + "code": "control \"V-38683\" do\n title \"All accounts on the system must have unique user or account names\"\n desc \"Unique usernames allow for accountability on the system.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000121\"\n tag \"gid\": \"V-38683\"\n tag \"rid\": \"SV-50484r1_rule\"\n tag \"stig_id\": \"RHEL-06-000296\"\n tag \"fix_id\": \"F-43632r1_fix\"\n tag \"cci\": [\"CCI-000804\"]\n tag \"nist\": [\"IA-8\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check for duplicate account names:\n\n# pwck -rq\n\nIf there are no duplicate names, no line will be returned.\nIf a line is returned, this is a finding.\"\n tag \"fix\": \"Change usernames, or delete accounts, so each has a unique name.\"\n\n describe command(\"pwck -rq\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38518.rb", + "ref": "./Red Hat 6 STIG/controls/V-38683.rb", "line": 1 }, - "id": "V-38518" + "id": "V-38683" }, { - "title": "The operating system must ensure unauthorized, security-relevant\nconfiguration changes detected are tracked.", - "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in 
installed files.",
+ "title": "The operating system must conduct backups of system-level information\ncontained in the information system per organization defined frequency to\nconduct backups that are consistent with recovery time and recovery point\nobjectives.",
+ "desc": "Operating system backup is a critical step in maintaining data\nassurance and availability. System-level information includes system-state\ninformation, operating system and application software, and licenses. Backups\nmust be consistent with organizational recovery time and recovery point\nobjectives.",
 "descriptions": {
- "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files."
+ "default": "Operating system backup is a critical step in maintaining data\nassurance and availability. System-level information includes system-state\ninformation, operating system and application software, and licenses. Backups\nmust be consistent with organizational recovery time and recovery point\nobjectives."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000265",
- "gid": "V-38673",
- "rid": "SV-50474r2_rule",
- "stig_id": "RHEL-06-000307",
- "fix_id": "F-43621r1_fix",
+ "gtitle": "SRG-OS-000100",
+ "gid": "V-38486",
+ "rid": "SV-50287r1_rule",
+ "stig_id": "RHEL-06-000505",
+ "fix_id": "F-43434r1_fix",
 "cci": [
- "CCI-001589"
+ "CCI-000537"
 ],
 "nist": [
- "CM-6 (3)",
+ "CP-9b",
 "Rev_4"
 ],
 "false_negatives": null,
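Review bot: The V-38683 test in the `code` string, `describe command("pwck -rq") do its('stdout.strip') { should be_empty } end`, inspects stdout only, so a host where pwck is absent or fails to run passes with empty output, while any passwd/shadow integrity error pwck reports (not only duplicate names) fails the control. Adding `its('exit_status') { should eq 0 }` to the same describe block closes the first gap, and a comment such as `# pwck -rq reports every passwd/shadow inconsistency, not only duplicate names` would make the second one visible to the reader. Separately, every control in this chunk keeps `source_location.ref` under `./Red Hat 6 STIG/controls/` with `RHEL-06-*` stig_ids (also the hunks at -1686, -1727, -1768 and -1809), and the fix text at -1686 names the Red Hat operating system; if this baseline file is meant for a different platform, that mismatch is not something this change addresses and is worth confirming.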
@@ -1686,35 +1694,35 @@
 "mitigation_controls": null,
 "responsibility": null,
 "ia_controls": null,
- "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.",
- "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample."
+ "check": "Ask an administrator if a process exists to back up OS data\nfrom the system, including configuration data.\n\nIf such a process does not exist, this is a finding.",
+ "fix": "Procedures to back up OS data from the system must be established\nand executed. The Red Hat operating system provides utilities for automating\nsuch a process. Commercial and open-source products are also available.\n\nImplement a process whereby OS data is backed up from the system in accordance\nwith local policies."
}, - "code": "control \"V-38673\" do\n title \"The operating system must ensure unauthorized, security-relevant\nconfiguration changes detected are tracked.\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000265\"\n tag \"gid\": \"V-38673\"\n tag \"rid\": \"SV-50474r2_rule\"\n tag \"stig_id\": \"RHEL-06-000307\"\n tag \"fix_id\": \"F-43621r1_fix\"\n tag \"cci\": [\"CCI-001589\"]\n tag \"nist\": [\"CM-6 (3)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", + "code": "control \"V-38486\" do\n title \"The operating system must conduct backups of system-level information\ncontained in the information system per organization defined frequency to\nconduct backups that are consistent with recovery time and recovery point\nobjectives.\"\n desc \"Operating system backup is a critical step in maintaining data\nassurance and availability. 
System-level information includes system-state\ninformation, operating system and application software, and licenses. Backups\nmust be consistent with organizational recovery time and recovery point\nobjectives.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000100\"\n tag \"gid\": \"V-38486\"\n tag \"rid\": \"SV-50287r1_rule\"\n tag \"stig_id\": \"RHEL-06-000505\"\n tag \"fix_id\": \"F-43434r1_fix\"\n tag \"cci\": [\"CCI-000537\"]\n tag \"nist\": [\"CP-9b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Ask an administrator if a process exists to back up OS data\nfrom the system, including configuration data.\n\nIf such a process does not exist, this is a finding.\"\n tag \"fix\": \"Procedures to back up OS data from the system must be established\nand executed. The Red Hat operating system provides utilities for automating\nsuch a process. Commercial and open-source products are also available.\n\nImplement a process whereby OS data is backed up from the system in accordance\nwith local policies.\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38673.rb", + "ref": "./Red Hat 6 STIG/controls/V-38486.rb", "line": 1 }, - "id": "V-38673" + "id": "V-38486" }, { - "title": "The SSH daemon must be configured to use only FIPS 140-2 approved\nciphers.", - "desc": "Approved algorithms should impart some level of confidence in their\nimplementation. These are also required for compliance.", + "title": "The /etc/gshadow file must be group-owned by root.", + "desc": "The \"/etc/gshadow\" file contains group password hashes. 
Protection\nof this file is critical for system security.",
 "descriptions": {
- "default": "Approved algorithms should impart some level of confidence in their\nimplementation. These are also required for compliance."
+ "default": "The \"/etc/gshadow\" file contains group password hashes. Protection\nof this file is critical for system security."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000169",
- "gid": "V-38617",
- "rid": "SV-50418r1_rule",
- "stig_id": "RHEL-06-000243",
- "fix_id": "F-43566r1_fix",
+ "gtitle": "SRG-OS-999999",
+ "gid": "V-38448",
+ "rid": "SV-50248r1_rule",
+ "stig_id": "RHEL-06-000037",
+ "fix_id": "F-43393r1_fix",
 "cci": [
- "CCI-001144"
+ "CCI-000366"
 ],
 "nist": [
- "SC-13",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
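Review bot: The V-38486 `code` string skips with the generic `skip "This control must be reviewed manually"`, which gives a reader of the aggregated report no hint of what evidence satisfies the control. A message that carries the control id and the question to ask, e.g. `skip "V-38486: confirm with an administrator that an OS backup process covering configuration data exists; InSpec cannot verify this"`, keeps the skipped result self-describing. If other manual controls in this file use the same generic wording, they would benefit from the same treatment.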
@@ -1727,30 +1735,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Only FIPS-approved ciphers should be used. To verify that only\nFIPS-approved ciphers are in use, run the following command:\n\n# grep Ciphers /etc/ssh/sshd_config\n\nThe output should contain only those ciphers which are FIPS-approved, namely,\nthe AES and 3DES ciphers.\nIf that is not the case, this is a finding.", - "fix": "Limit the ciphers to those algorithms which are FIPS-approved.\nCounter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The\nfollowing line in \"/etc/ssh/sshd_config\" demonstrates use of FIPS-approved\nciphers:\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n\nThe man page \"sshd_config(5)\" contains a list of supported ciphers." + "check": "To check the group ownership of \"/etc/gshadow\", run the\ncommand:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following group-owner.\n\"root\"\nIf it does not, this is a finding.", + "fix": "To properly set the group owner of \"/etc/gshadow\", run the\ncommand:\n\n# chgrp root /etc/gshadow" }, - "code": "control \"V-38617\" do\n title \"The SSH daemon must be configured to use only FIPS 140-2 approved\nciphers.\"\n desc \"Approved algorithms should impart some level of confidence in their\nimplementation. 
These are also required for compliance.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000169\"\n tag \"gid\": \"V-38617\"\n tag \"rid\": \"SV-50418r1_rule\"\n tag \"stig_id\": \"RHEL-06-000243\"\n tag \"fix_id\": \"F-43566r1_fix\"\n tag \"cci\": [\"CCI-001144\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Only FIPS-approved ciphers should be used. To verify that only\nFIPS-approved ciphers are in use, run the following command:\n\n# grep Ciphers /etc/ssh/sshd_config\n\nThe output should contain only those ciphers which are FIPS-approved, namely,\nthe AES and 3DES ciphers.\nIf that is not the case, this is a finding.\"\n tag \"fix\": \"Limit the ciphers to those algorithms which are FIPS-approved.\nCounter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The\nfollowing line in \\\"/etc/ssh/sshd_config\\\" demonstrates use of FIPS-approved\nciphers:\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n\nThe man page \\\"sshd_config(5)\\\" contains a list of supported ciphers.\"\n\n describe sshd_config do\n its('Ciphers') { should_not be_nil }\n end\n\n ciphers = sshd_config.params['ciphers']\n if !ciphers.nil? \n describe 'sshd_config Ciphers' do\n subject { sshd_config.params['ciphers'].join(',').split(',') }\n it { should all match %r{aes|3des} }\n end\n end\nend\n", + "code": "control \"V-38448\" do\n title \"The /etc/gshadow file must be group-owned by root.\"\n desc \"The \\\"/etc/gshadow\\\" file contains group password hashes. 
Protection\nof this file is critical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38448\"\n tag \"rid\": \"SV-50248r1_rule\"\n tag \"stig_id\": \"RHEL-06-000037\"\n tag \"fix_id\": \"F-43393r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/etc/gshadow\\\", run the\ncommand:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following group-owner.\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the group owner of \\\"/etc/gshadow\\\", run the\ncommand:\n\n# chgrp root /etc/gshadow\"\n\n describe file(\"/etc/gshadow\") do\n it { should exist }\n end\n describe file(\"/etc/gshadow\") do\n its(\"gid\") { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38617.rb", + "ref": "./Red Hat 6 STIG/controls/V-38448.rb", "line": 1 }, - "id": "V-38617" + "id": "V-38448" }, { - "title": "The system must use SMB client signing for connecting to samba servers\nusing smbclient.", - "desc": "Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit.", + "title": "The system must not send ICMPv4 redirects by default.", + "desc": "Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers.", "descriptions": { - "default": "Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit." 
+ "default": "Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers."
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-999999",
- "gid": "V-38656",
- "rid": "SV-50457r1_rule",
- "stig_id": "RHEL-06-000272",
- "fix_id": "F-43606r1_fix",
+ "gid": "V-38600",
+ "rid": "SV-50401r2_rule",
+ "stig_id": "RHEL-06-000080",
+ "fix_id": "F-43547r1_fix",
 "cci": [
 "CCI-000366"
 ],
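Review bot: The V-38448 `code` string opens two separate `describe file("/etc/gshadow")` blocks, one for `it { should exist }` and one for `its("gid") { should cmp 0 }`; a single block holding both expectations reads better and reports under one subject. The gid test also departs from the STIG check text, which looks for the group name `root`; `its('group') { should eq 'root' }` mirrors that text, and if the numeric form is kept a comment such as `# gid 0 is the root group; equivalent to the STIG's group-owner "root"` states the equivalence the reader otherwise has to work out.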
@@ -1768,35 +1776,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that Samba clients running smbclient must use packet\nsigning, run the following command:\n\n# grep signing /etc/samba/smb.conf\n\nThe output should show:\n\nclient signing = mandatory\n\n\nIf it is not, this is a finding.", - "fix": "To require samba clients running \"smbclient\" to use packet\nsigning, add the following to the \"[global]\" section of the Samba\nconfiguration file in \"/etc/samba/smb.conf\":\n\nclient signing = mandatory\n\nRequiring samba clients such as \"smbclient\" to use packet signing ensures\nthey can only communicate with servers that support packet signing." + "check": "The status of the \"net.ipv4.conf.default.send_redirects\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.send_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.send_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.send_redirects = 0" }, - "code": "control \"V-38656\" do\n title \"The system must use SMB client signing for connecting to samba servers\nusing smbclient.\"\n desc \"Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38656\"\n tag \"rid\": \"SV-50457r1_rule\"\n tag \"stig_id\": \"RHEL-06-000272\"\n tag \"fix_id\": \"F-43606r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that Samba clients running smbclient must use packet\nsigning, run the following command:\n\n# grep signing /etc/samba/smb.conf\n\nThe output should show:\n\nclient signing = mandatory\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"To require samba clients running \\\"smbclient\\\" to use packet\nsigning, add the following to the \\\"[global]\\\" section of the Samba\nconfiguration file in \\\"/etc/samba/smb.conf\\\":\n\nclient signing = mandatory\n\nRequiring samba clients such as \\\"smbclient\\\" to use packet signing ensures\nthey can only communicate with servers that support packet signing.\"\n\n describe.one do\n describe package(\"samba-common\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/samba/smb.conf\") do\n its(\"content\") { should 
match(/^[\\s]*client[\\s]+signing[\\s]*=[\\s]*mandatory/) }\n end\n end\nend\n", + "code": "control \"V-38600\" do\n title \"The system must not send ICMPv4 redirects by default.\"\n desc \"Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38600\"\n tag \"rid\": \"SV-50401r2_rule\"\n tag \"stig_id\": \"RHEL-06-000080\"\n tag \"fix_id\": \"F-43547r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.send_redirects\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.send_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.send_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.send_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.send_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.send_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.send_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38656.rb", + "ref": "./Red Hat 6 STIG/controls/V-38600.rb", "line": 1 }, - "id": "V-38656" + "id": "V-38600" }, { - "title": "The audit system must be configured to audit changes to the\n/etc/sudoers file.", - "desc": "The actions taken by system administrators should be audited to keep a\nrecord of what was executed on the system, as well as, for accountability\npurposes.", + "title": "The SSH daemon must set a timeout count on idle sessions.", + "desc": "This ensures a user login will be terminated as soon as the\n\"ClientAliveCountMax\" is reached.", "descriptions": { - "default": "The actions taken by system administrators should be audited to keep a\nrecord of what was executed on the system, as well as, for accountability\npurposes." + "default": "This ensures a user login will be terminated as soon as the\n\"ClientAliveCountMax\" is reached." 
},
 "impact": 0.3,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000064",
- "gid": "V-38578",
- "rid": "SV-50379r2_rule",
- "stig_id": "RHEL-06-000201",
- "fix_id": "F-43526r1_fix",
+ "gtitle": "SRG-OS-000126",
+ "gid": "V-38610",
+ "rid": "SV-50411r1_rule",
+ "stig_id": "RHEL-06-000231",
+ "fix_id": "F-43558r1_fix",
 "cci": [
- "CCI-000172"
+ "CCI-000879"
 ],
 "nist": [
- "AU-12 c",
+ "MA-4 e",
 "Rev_4"
 ],
 "false_negatives": null,
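Review bot: The `/etc/sysctl.conf` regex in the V-38600 `code` string, `/^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$/` (backslashes doubled inside the JSON string), leaves the dots unescaped so they match any character; `/^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*0\s*$/` is the intended pattern. The match also succeeds when a later line in the same file resets the parameter to 1, since sysctl applies the last value it reads, and it fails when the persistent setting lives in a `/etc/sysctl.d/*.conf` drop-in on targets that honour that directory; the `kernel_parameter` expectations above it only cover the running value. A comment on the file test such as `# persistent value: checks /etc/sysctl.conf only, as the STIG check text does` would make that scope explicit.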
@@ -1809,30 +1817,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that auditing is configured for system administrator\nactions, run the following command:\n\n$ sudo grep -w \"/etc/sudoers\" /etc/audit/audit.rules\n\nIf the system is configured to watch for changes to its sudoers configuration,\na line should be returned (including \"-p wa\" indicating permissions that are\nwatched).\n\nIf there is no output, this is a finding.", - "fix": "At a minimum, the audit system should collect administrator\nactions for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-w /etc/sudoers -p wa -k actions" + "check": "To ensure the SSH idle timeout will occur when the\n\"ClientAliveCountMax\" is set, run the following command:\n\n# grep ClientAliveCountMax /etc/ssh/sshd_config\n\nIf properly configured, output should be:\n\nClientAliveCountMax 0\n\n\nIf it is not, this is a finding.", + "fix": "To ensure the SSH idle timeout occurs precisely when the\n\"ClientAliveCountMax\" is set, edit \"/etc/ssh/sshd_config\" as follows:\n\nClientAliveCountMax 0" }, - "code": "control \"V-38578\" do\n title \"The audit system must be configured to audit changes to the\n/etc/sudoers file.\"\n desc \"The actions taken by system administrators should be audited to keep a\nrecord of what was executed on the system, as well as, for accountability\npurposes.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38578\"\n tag \"rid\": \"SV-50379r2_rule\"\n tag \"stig_id\": \"RHEL-06-000201\"\n tag \"fix_id\": \"F-43526r1_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag 
\"ia_controls\": nil\n tag \"check\": \"To verify that auditing is configured for system administrator\nactions, run the following command:\n\n$ sudo grep -w \\\"/etc/sudoers\\\" /etc/audit/audit.rules\n\nIf the system is configured to watch for changes to its sudoers configuration,\na line should be returned (including \\\"-p wa\\\" indicating permissions that are\nwatched).\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"At a minimum, the audit system should collect administrator\nactions for all users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /etc/sudoers -p wa -k actions\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/sudoers\\s+\\-p\\s+wa\\s+\\-k\\s+[-\\w]+\\s*$/) }\n end\nend\n", + "code": "control \"V-38610\" do\n title \"The SSH daemon must set a timeout count on idle sessions.\"\n desc \"This ensures a user login will be terminated as soon as the\n\\\"ClientAliveCountMax\\\" is reached.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000126\"\n tag \"gid\": \"V-38610\"\n tag \"rid\": \"SV-50411r1_rule\"\n tag \"stig_id\": \"RHEL-06-000231\"\n tag \"fix_id\": \"F-43558r1_fix\"\n tag \"cci\": [\"CCI-000879\"]\n tag \"nist\": [\"MA-4 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the SSH idle timeout will occur when the\n\\\"ClientAliveCountMax\\\" is set, run the following command:\n\n# grep ClientAliveCountMax /etc/ssh/sshd_config\n\nIf properly configured, output should be:\n\nClientAliveCountMax 0\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"To ensure the SSH idle timeout occurs precisely when the\n\\\"ClientAliveCountMax\\\" is set, edit 
\\\"/etc/ssh/sshd_config\\\" as follows:\n\nClientAliveCountMax 0\"\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38578.rb", + "ref": "./Red Hat 6 STIG/controls/V-38610.rb", "line": 1 }, - "id": "V-38578" + "id": "V-38610" }, { - "title": "The system default umask in /etc/profile must be 077.", - "desc": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.", + "title": "The /etc/group file must be owned by root.", + "desc": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity.", "descriptions": { - "default": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users." + "default": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38647", - "rid": "SV-50448r1_rule", - "stig_id": "RHEL-06-000344", - "fix_id": "F-43596r1_fix", + "gid": "V-38458", + "rid": "SV-50258r1_rule", + "stig_id": "RHEL-06-000042", + "fix_id": "F-43403r1_fix", "cci": [ "CCI-000366" ], 
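Review bot: `its('ClientAliveCountMax') { should cmp 0 }` in the V-38610 `code` string terminates idle sessions only together with a non-zero `ClientAliveInterval`, which this control does not check and which the test gives the reader no pointer to; a comment such as `# effective only when ClientAliveInterval is also non-zero (separate control)` would document that dependency. OpenSSH 8.2 and later treat `ClientAliveCountMax 0` as disabling idle-session termination altogether, so if this baseline is ever run against a newer sshd than its RHEL 6 target the expected value would need revisiting. A missing directive yields nil here and fails the `cmp`, which is the right outcome given sshd's default count of 3.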
@@ -1850,35 +1858,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify the \"umask\" setting is configured correctly in the\n\"/etc/profile\" file by running the following command:\n\n# grep \"umask\" /etc/profile\n\nAll output must show the value of \"umask\" set to 077, as shown in the below:\n\n# grep \"umask\" /etc/profile\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.", - "fix": "To ensure the default umask controlled by \"/etc/profile\" is set\nproperly, add or correct the \"umask\" setting in \"/etc/profile\" to read as\nfollows:\n\numask 077" + "check": "To check the ownership of \"/etc/group\", run the command:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following owner:\n\"root\"\nIf it does not, this is a finding.", + "fix": "To properly set the owner of \"/etc/group\", run the command:\n\n# chown root /etc/group" }, - "code": "control \"V-38647\" do\n title \"The system default umask in /etc/profile must be 077.\"\n desc \"The umask value influences the permissions assigned to files when they\nare created. 
A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38647\"\n tag \"rid\": \"SV-50448r1_rule\"\n tag \"stig_id\": \"RHEL-06-000344\"\n tag \"fix_id\": \"F-43596r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the \\\"umask\\\" setting is configured correctly in the\n\\\"/etc/profile\\\" file by running the following command:\n\n# grep \\\"umask\\\" /etc/profile\n\nAll output must show the value of \\\"umask\\\" set to 077, as shown in the below:\n\n# grep \\\"umask\\\" /etc/profile\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.\"\n tag \"fix\": \"To ensure the default umask controlled by \\\"/etc/profile\\\" is set\nproperly, add or correct the \\\"umask\\\" setting in \\\"/etc/profile\\\" to read as\nfollows:\n\numask 077\"\n\n describe file(\"/etc/profile\") do\n its(\"content\") { should match(/^[\\s]*umask[\\s]+([^#\\s]*)/) }\n end\n file(\"/etc/profile\").content.to_s.scan(/^[\\s]*umask[\\s]+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"077\" }\n end\n end\nend\n", + "code": "control \"V-38458\" do\n title \"The /etc/group file must be owned by root.\"\n desc \"The \\\"/etc/group\\\" file contains information regarding groups that are\nconfigured on the system. 
Protection of this file is important for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38458\"\n tag \"rid\": \"SV-50258r1_rule\"\n tag \"stig_id\": \"RHEL-06-000042\"\n tag \"fix_id\": \"F-43403r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/etc/group\\\", run the command:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following owner:\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the owner of \\\"/etc/group\\\", run the command:\n\n# chown root /etc/group\"\n\n describe file(\"/etc/group\") do\n it { should exist }\n end\n describe file(\"/etc/group\") do\n its(\"uid\") { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38647.rb", + "ref": "./Red Hat 6 STIG/controls/V-38458.rb", "line": 1 }, - "id": "V-38647" + "id": "V-38458" }, { - "title": "The operating system must employ automated mechanisms to detect the\npresence of unauthorized software on organizational information systems and\nnotify designated organizational officials in accordance with the organization\ndefined frequency.", - "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", + "title": "The Reliable Datagram Sockets (RDS) protocol must be disabled unless\nrequired.", + "desc": "Disabling RDS protects the system against exploitation of any flaws in\nits implementation.", "descriptions": { - "default": "By default, AIDE does not install itself for 
periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." + "default": "Disabling RDS protects the system against exploitation of any flaws in\nits implementation." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000232", - "gid": "V-38698", - "rid": "SV-50499r2_rule", - "stig_id": "RHEL-06-000304", - "fix_id": "F-43647r1_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38516", + "rid": "SV-50317r3_rule", + "stig_id": "RHEL-06-000126", + "fix_id": "F-43463r4_fix", "cci": [ - "CCI-001069" + "CCI-000382" ], "nist": [ - "RA-5 (7)", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
@@ -1891,35 +1899,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", - "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." + "check": "If the system is configured to prevent the loading of the\n\"rds\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated \"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r rds /etc/modprobe.conf /etc/modprobe.d\n\nIf no line is returned, this is a finding.", + "fix": "The Reliable Datagram Sockets (RDS) protocol is a transport layer\nprotocol designed to provide reliable high-bandwidth, low-latency\ncommunications between nodes in a cluster. 
To configure the system to prevent\nthe \"rds\" kernel module from being loaded, add the following line to a file\nin the directory \"/etc/modprobe.d\":\n\ninstall rds /bin/true" }, - "code": "control \"V-38698\" do\n title \"The operating system must employ automated mechanisms to detect the\npresence of unauthorized software on organizational information systems and\nnotify designated organizational officials in accordance with the organization\ndefined frequency.\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000232\"\n tag \"gid\": \"V-38698\"\n tag \"rid\": \"SV-50499r2_rule\"\n tag \"stig_id\": \"RHEL-06-000304\"\n tag \"fix_id\": \"F-43647r1_fix\"\n tag \"cci\": [\"CCI-001069\"]\n tag \"nist\": [\"RA-5 (7)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", + "code": "control \"V-38516\" do\n title \"The Reliable Datagram Sockets (RDS) protocol must be disabled unless\nrequired.\"\n desc \"Disabling RDS 
protects the system against exploitation of any flaws in\nits implementation.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38516\"\n tag \"rid\": \"SV-50317r3_rule\"\n tag \"stig_id\": \"RHEL-06-000126\"\n tag \"fix_id\": \"F-43463r4_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"rds\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated \\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r rds /etc/modprobe.conf /etc/modprobe.d\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The Reliable Datagram Sockets (RDS) protocol is a transport layer\nprotocol designed to provide reliable high-bandwidth, low-latency\ncommunications between nodes in a cluster. 
To configure the system to prevent\nthe \\\"rds\\\" kernel module from being loaded, add the following line to a file\nin the directory \\\"/etc/modprobe.d\\\":\n\ninstall rds /bin/true\"\n\n describe kernel_module('rds') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\n \nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38698.rb", + "ref": "./Red Hat 6 STIG/controls/V-38516.rb", "line": 1 }, - "id": "V-38698" + "id": "V-38516" }, { - "title": "The rsh-server package must not be installed.", - "desc": "The \"rsh-server\" package provides several obsolete and insecure\nnetwork services. Removing it decreases the risk of those services' accidental\n(or intentional) activation.", + "title": "The system default umask for the csh shell must be 077.", + "desc": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.", "descriptions": { - "default": "The \"rsh-server\" package provides several obsolete and insecure\nnetwork services. Removing it decreases the risk of those services' accidental\n(or intentional) activation." + "default": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users." }, - "impact": 0.7, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000095", - "gid": "V-38591", - "rid": "SV-50392r1_rule", - "stig_id": "RHEL-06-000213", - "fix_id": "F-43539r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38649", + "rid": "SV-50450r1_rule", + "stig_id": "RHEL-06-000343", + "fix_id": "F-43598r1_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
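Review bot: `it { shold_not be_enabled }` in the new V-38516 `code` string is a typo for `should_not`; the block is evaluated by InSpec/RSpec, so that example would be reported as an error rather than as a pass/fail result for whether the `rds` module is enabled. The line should read `it { should_not be_enabled }`. Since this JSON is evidently exported from the profile, the fix belongs in the file named by `source_location` (`./Red Hat 6 STIG/controls/V-38516.rb`) with the baseline regenerated; the whitespace-only line before the final `end` can be dropped at the same time.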
@@ -1932,35 +1940,43 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if the \"rsh-server\"\npackage is installed:\n\n# rpm -q rsh-server\n\n\nIf the package is installed, this is a finding.", - "fix": "The \"rsh-server\" package can be uninstalled with the following\ncommand:\n\n# yum erase rsh-server" + "check": "Verify the \"umask\" setting is configured correctly in the\n\"/etc/csh.cshrc\" file by running the following command:\n\n# grep \"umask\" /etc/csh.cshrc\n\nAll output must show the value of \"umask\" set to 077, as shown in the below:\n\n# grep \"umask\" /etc/csh.cshrc\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.", + "fix": "To ensure the default umask for users of the C shell is set\nproperly, add or correct the \"umask\" setting in \"/etc/csh.cshrc\" to read as\nfollows:\n\numask 077" }, - "code": "control \"V-38591\" do\n title \"The rsh-server package must not be installed.\"\n desc \"The \\\"rsh-server\\\" package provides several obsolete and insecure\nnetwork services. 
Removing it decreases the risk of those services' accidental\n(or intentional) activation.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000095\"\n tag \"gid\": \"V-38591\"\n tag \"rid\": \"SV-50392r1_rule\"\n tag \"stig_id\": \"RHEL-06-000213\"\n tag \"fix_id\": \"F-43539r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"rsh-server\\\"\npackage is installed:\n\n# rpm -q rsh-server\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"rsh-server\\\" package can be uninstalled with the following\ncommand:\n\n# yum erase rsh-server\"\n\n describe package(\"rsh-server\") do\n it { should_not be_installed }\n end\nend\n", + "code": "control \"V-38649\" do\n title \"The system default umask for the csh shell must be 077.\"\n desc \"The umask value influences the permissions assigned to files when they\nare created. 
A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38649\"\n tag \"rid\": \"SV-50450r1_rule\"\n tag \"stig_id\": \"RHEL-06-000343\"\n tag \"fix_id\": \"F-43598r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the \\\"umask\\\" setting is configured correctly in the\n\\\"/etc/csh.cshrc\\\" file by running the following command:\n\n# grep \\\"umask\\\" /etc/csh.cshrc\n\nAll output must show the value of \\\"umask\\\" set to 077, as shown in the below:\n\n# grep \\\"umask\\\" /etc/csh.cshrc\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.\"\n tag \"fix\": \"To ensure the default umask for users of the C shell is set\nproperly, add or correct the \\\"umask\\\" setting in \\\"/etc/csh.cshrc\\\" to read as\nfollows:\n\numask 077\"\n\n describe.one do\n describe file(\"/etc/csh.cshrc\") do\n its(\"content\") { should match(/^[\\s]*umask[\\s]+([^#\\s]*)/) }\n end\n file(\"/etc/csh.cshrc\").content.to_s.scan(/^[\\s]*umask[\\s]+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"077\" }\n end\n end\n describe package(\"tcsh\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/csh.cshrc\") do\n it { should_not exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38591.rb", + "ref": "./Red Hat 6 STIG/controls/V-38649.rb", "line": 1 }, - "id": "V-38591" + "id": "V-38649" }, { - "title": "The system must disable 
accounts after three consecutive unsuccessful\nlogon attempts.", - "desc": "Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks.", + "title": "The Department of Defense (DoD) login banner must be displayed\nimmediately prior to, or as part of, graphical desktop environment login\nprompts.", + "desc": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.", "descriptions": { - "default": "Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks." + "default": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000021", - "gid": "V-38573", - "rid": "SV-50374r4_rule", - "stig_id": "RHEL-06-000061", - "fix_id": "F-43521r8_fix", + "gtitle": "SRG-OS-000228", + "gid": "V-38689", + "rid": "SV-50490r5_rule", + "stig_id": "RHEL-06-000326", + "fix_id": "F-43638r5_fix", "cci": [ - "CCI-000044" + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" ], "nist": [ - "AC-7 a", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c 3", "Rev_4" ], "false_negatives": null, 
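Review bot: The `describe.one` wrapper in the new V-38649 `code` makes the 077 value check non-binding: `describe.one` passes when any of its describe blocks passes, and the first block, `its("content") { should match(/^[\s]*umask[\s]+([^#\s]*)/) }`, passes as soon as any `umask` line exists, so an `/etc/csh.cshrc` containing `umask 022` satisfies the control. The per-entry `it { should eq "077" }` blocks only add failures that the wrapper ignores. Combine presence and value into a single describe so that branch passes only when every umask value is 077, e.g. `describe file("/etc/csh.cshrc").content.to_s.scan(/^[\s]*umask[\s]+([^#\s]*)/).flatten do`, `it { should_not be_empty }`, `it { should all(eq "077") }`, and keep the tcsh-not-installed and file-absent describes as the not-applicable alternatives. As with the other controls here, the change belongs in the referenced `.rb` source with the baseline re-exported.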
@@ -1973,30 +1989,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nThe output should show \"deny=3\" for both files.\nIf that is not the case, this is a finding.", - "fix": "To configure the system to lock out accounts after a number of\nincorrect logon attempts using \"pam_faillock.so\", modify the content of both\n\"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" as follows:\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"ACCOUNT\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program.\nThe \"authconfig\" program should not be used." + "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure login warning banner text is properly set, run the following:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gdm/simple-greeter/banner_message_text\n\nIf properly configured, the proper banner text will appear within this schema.\n\nThe DoD required text is either:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. 
By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\nOR:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nIf the DoD required banner text does not appear in the schema, this is a\nfinding.", + "fix": "To set the text shown by the GNOME Display Manager in the login\nscreen, run the following command:\n\n# gconftool-2\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type string \\\n--set /apps/gdm/simple-greeter/banner_message_text \\\n\"[DoD required text]\"\n\nWhere the DoD required text is either:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. 
By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\nOR:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nWhen entering a warning banner that spans several lines, remember to begin and\nend the string with \"\"\". This command writes directly to the file\n\"/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml\", and this\nfile can later be edited directly if necessary." 
}, - "code": "control \"V-38573\" do\n title \"The system must disable accounts after three consecutive unsuccessful\nlogon attempts.\"\n desc \"Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000021\"\n tag \"gid\": \"V-38573\"\n tag \"rid\": \"SV-50374r4_rule\"\n tag \"stig_id\": \"RHEL-06-000061\"\n tag \"fix_id\": \"F-43521r8_fix\"\n tag \"cci\": [\"CCI-000044\"]\n tag \"nist\": [\"AC-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nThe output should show \\\"deny=3\\\" for both files.\nIf that is not the case, this is a finding.\"\n tag \"fix\": \"To configure the system to lock out accounts after a number of\nincorrect logon attempts using \\\"pam_faillock.so\\\", modify the content of both\n\\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" as follows:\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"ACCOUNT\\\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \\\"/etc/pam.d/system-auth\\\" 
and\n\\\"/etc/pam.d/password-auth\\\" may be overwritten by the \\\"authconfig\\\" program.\nThe \\\"authconfig\\\" program should not be used.\"\n\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp == input('pam_faillock_deny') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=([0-9]+).*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp == input('pam_faillock_deny') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=([0-9]+).*$/) }\n end\nend\n", + "code": "control \"V-38689\" do\n title \"The Department of Defense (DoD) login banner must be displayed\nimmediately prior to, or as part of, graphical desktop environment login\nprompts.\"\n desc \"An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000228\"\n tag \"gid\": \"V-38689\"\n tag \"rid\": \"SV-50490r5_rule\"\n tag \"stig_id\": \"RHEL-06-000326\"\n tag \"fix_id\": \"F-43638r5_fix\"\n tag \"cci\": [\"CCI-001384\", \"CCI-001385\", \"CCI-001386\", \"CCI-001387\",\n\"CCI-001388\"]\n tag \"nist\": [\"AC-8 c 1\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 3\",\n\"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag 
\"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo ensure login warning banner text is properly set, run the following:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gdm/simple-greeter/banner_message_text\n\nIf properly configured, the proper banner text will appear within this schema.\n\nThe DoD required text is either:\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\nOR:\n\n\\\"I've read & consent to terms in IS user agreem't.\\\"\n\nIf the DoD required banner text does not appear in the schema, this is a\nfinding.\"\n tag \"fix\": \"To set the text shown by the GNOME Display Manager in the login\nscreen, run the following command:\n\n# gconftool-2\n--direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type string \\\\\n--set /apps/gdm/simple-greeter/banner_message_text \\\\\n\\\"[DoD required text]\\\"\n\nWhere the DoD required text is either:\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\nOR:\n\n\\\"I've read & consent to terms in IS user agreem't.\\\"\n\nWhen entering a warning banner that spans several lines, remember to begin and\nend the string with \\\"\\\"\\\". This command writes directly to the file\n\\\"/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml\\\", and this\nfile can later be edited directly if necessary.\"\n\n if package('GConf2').installed?\n banner_text = command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text\").stdout.strip.gsub(%r{[\\r\\n\\s]}, '')\n describe \"gconf2 banner text\" do\n subject { banner_text }\n it { should eq input('banner_text').gsub(%r{[\\r\\n\\s]}, '') }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38573.rb", + "ref": "./Red Hat 6 STIG/controls/V-38689.rb", "line": 1 }, - "id": "V-38573" + "id": "V-38689" }, { - "title": "Process core dumps must be disabled unless needed.", - "desc": "A core dump includes a memory image taken at the time the operating\nsystem terminates an application. The memory image could contain sensitive data\nand is generally useful only for developers trying to debug problems.", + "title": "The /etc/passwd file must have mode 0644 or less permissive.", + "desc": "If the \"/etc/passwd\" file is writable by a group-owner or the world\nthe risk of its compromise is increased. The file contains the list of accounts\non the system and associated information, and protection of this file is\ncritical for system security.", "descriptions": { - "default": "A core dump includes a memory image taken at the time the operating\nsystem terminates an application. The memory image could contain sensitive data\nand is generally useful only for developers trying to debug problems." 
+ "default": "If the \"/etc/passwd\" file is writable by a group-owner or the world\nthe risk of its compromise is increased. The file contains the list of accounts\non the system and associated information, and protection of this file is\ncritical for system security." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38675", - "rid": "SV-50476r2_rule", - "stig_id": "RHEL-06-000308", - "fix_id": "F-43624r1_fix", + "gid": "V-38457", + "rid": "SV-50257r1_rule", + "stig_id": "RHEL-06-000041", + "fix_id": "F-43397r1_fix", "cci": [ "CCI-000366" ], 
@@ -2014,30 +2030,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that core dumps are disabled for all users, run the\nfollowing command:\n\n$ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nThe output should be:\n\n* hard core 0\n\nIf it is not, this is a finding. ", - "fix": "To disable core dumps for all users, add the following line to\n\"/etc/security/limits.conf\":\n\n* hard core 0" + "check": "To check the permissions of \"/etc/passwd\", run the command:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following permissions:\n\"-rw-r--r--\"\nIf it does not, this is a finding.", + "fix": "To properly set the permissions of \"/etc/passwd\", run the\ncommand:\n\n# chmod 0644 /etc/passwd" }, - "code": "control \"V-38675\" do\n title \"Process core dumps must be disabled unless needed.\"\n desc \"A core dump includes a memory image taken at the time the operating\nsystem terminates an application. The memory image could contain sensitive data\nand is generally useful only for developers trying to debug problems.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38675\"\n tag \"rid\": \"SV-50476r2_rule\"\n tag \"stig_id\": \"RHEL-06-000308\"\n tag \"fix_id\": \"F-43624r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that core dumps are disabled for all users, run the\nfollowing command:\n\n$ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nThe output should be:\n\n* hard core 0\n\nIf it is not, this is a finding. 
\"\n tag \"fix\": \"To disable core dumps for all users, add the following line to\n\\\"/etc/security/limits.conf\\\":\n\n* hard core 0\"\n\n describe limits_conf do\n its('*') { should include ['hard', 'core', '0'] }\n end\nend\n", + "code": "control \"V-38457\" do\n title \"The /etc/passwd file must have mode 0644 or less permissive.\"\n desc \"If the \\\"/etc/passwd\\\" file is writable by a group-owner or the world\nthe risk of its compromise is increased. The file contains the list of accounts\non the system and associated information, and protection of this file is\ncritical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38457\"\n tag \"rid\": \"SV-50257r1_rule\"\n tag \"stig_id\": \"RHEL-06-000041\"\n tag \"fix_id\": \"F-43397r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/etc/passwd\\\", run the command:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following permissions:\n\\\"-rw-r--r--\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the permissions of \\\"/etc/passwd\\\", run the\ncommand:\n\n# chmod 0644 /etc/passwd\"\n\n describe file(\"/etc/passwd\") do\n it { should exist }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/etc/passwd\") do\n it { should be_readable.by \"group\" }\n end\n describe file(\"/etc/passwd\") do\n its(\"gid\") { should cmp 0 }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/etc/passwd\") do\n it { 
should_not be_executable.by \"other\" }\n end\n describe file(\"/etc/passwd\") do\n it { should be_readable.by \"other\" }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_setgid }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_sticky }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_setuid }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/etc/passwd\") do\n it { should be_readable.by \"owner\" }\n end\n describe file(\"/etc/passwd\") do\n its(\"uid\") { should cmp 0 }\n end\n describe file(\"/etc/passwd\") do\n it { should be_writable.by \"owner\" }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38675.rb", + "ref": "./Red Hat 6 STIG/controls/V-38457.rb", "line": 1 }, - "id": "V-38675" + "id": "V-38457" }, { - "title": "The /etc/gshadow file must be owned by root.", - "desc": "The \"/etc/gshadow\" file contains group password hashes. Protection\nof this file is critical for system security.", + "title": "A file integrity baseline must be created.", + "desc": "For AIDE to be effective, an initial database of \"known-good\"\ninformation about files must be captured and it should be able to be verified\nagainst the installed files.", "descriptions": { - "default": "The \"/etc/gshadow\" file contains group password hashes. Protection\nof this file is critical for system security." + "default": "For AIDE to be effective, an initial database of \"known-good\"\ninformation about files must be captured and it should be able to be verified\nagainst the installed files." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38443", - "rid": "SV-50243r1_rule", - "stig_id": "RHEL-06-000036", - "fix_id": "F-43388r1_fix", + "gtitle": "SRG-OS-000232", + "gid": "V-51391", + "rid": "SV-65601r1_rule", + "stig_id": "RHEL-06-000018", + "fix_id": "F-56189r1_fix", "cci": [ "CCI-000366" ], 
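Review bot: The V-38457 checks in the new `code` string pin the mode to exactly 0644 rather than "0644 or less permissive" as the title states: `should be_readable.by "group"`, `should be_readable.by "other"` and `should be_writable.by "owner"` each fail a stricter mode such as 0640 or 0600, so a hardened host is reported as a finding. A single `its('mode') { should cmp '<= 0644' }` expresses the control's intent and replaces the fifteen per-bit describe blocks. The `uid`/`gid` expectations test ownership, which is outside this control's check text, so they belong to the ownership controls rather than here. The same change applies to the `./Red Hat 6 STIG/controls/V-38457.rb` source named in `source_location`, which this string appears to mirror.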
@@ -2055,35 +2071,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the ownership of \"/etc/gshadow\", run the command:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following owner:\n\"root\"\nIf it does not, this is a finding.", - "fix": "To properly set the owner of \"/etc/gshadow\", run the command:\n\n# chown root /etc/gshadow" + "check": "To find the location of the AIDE database file, run the\nfollowing command:\n\n# grep DBDIR /etc/aide.conf\n\nUsing the defined values of the [DBDIR] and [database] variables, verify the\nexistence of the AIDE database file:\n\n# ls -l [DBDIR]/[database_file_name]\n\nIf there is no database file, this is a finding. ", + "fix": "Run the following command to generate a new database:\n\n# /usr/sbin/aide --init\n\nBy default, the database will be written to the file\n\"/var/lib/aide/aide.db.new.gz\". Storing the database, the configuration file\n\"/etc/aide.conf\", and the binary \"/usr/sbin/aide\" (or hashes of these\nfiles), in a secure location (such as on read-only media) provides additional\nassurance about their integrity. The newly-generated database can be installed\nas follows:\n\n# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nTo initiate a manual check, run the following command:\n\n# /usr/sbin/aide --check\n\nIf this check produces any unexpected output, investigate. " }, - "code": "control \"V-38443\" do\n title \"The /etc/gshadow file must be owned by root.\"\n desc \"The \\\"/etc/gshadow\\\" file contains group password hashes. 
Protection\nof this file is critical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38443\"\n tag \"rid\": \"SV-50243r1_rule\"\n tag \"stig_id\": \"RHEL-06-000036\"\n tag \"fix_id\": \"F-43388r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/etc/gshadow\\\", run the command:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following owner:\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the owner of \\\"/etc/gshadow\\\", run the command:\n\n# chown root /etc/gshadow\"\n\n describe file(\"/etc/gshadow\") do\n it { should exist }\n end\n describe file(\"/etc/gshadow\") do\n its(\"uid\") { should cmp 0 }\n end\nend\n", + "code": "control \"V-51391\" do\n title \"A file integrity baseline must be created.\"\n desc \"For AIDE to be effective, an initial database of \\\"known-good\\\"\ninformation about files must be captured and it should be able to be verified\nagainst the installed files. 
\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000232\"\n tag \"gid\": \"V-51391\"\n tag \"rid\": \"SV-65601r1_rule\"\n tag \"stig_id\": \"RHEL-06-000018\"\n tag \"fix_id\": \"F-56189r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To find the location of the AIDE database file, run the\nfollowing command:\n\n# grep DBDIR /etc/aide.conf\n\nUsing the defined values of the [DBDIR] and [database] variables, verify the\nexistence of the AIDE database file:\n\n# ls -l [DBDIR]/[database_file_name]\n\nIf there is no database file, this is a finding. \"\n tag \"fix\": \"Run the following command to generate a new database:\n\n# /usr/sbin/aide --init\n\nBy default, the database will be written to the file\n\\\"/var/lib/aide/aide.db.new.gz\\\". Storing the database, the configuration file\n\\\"/etc/aide.conf\\\", and the binary \\\"/usr/sbin/aide\\\" (or hashes of these\nfiles), in a secure location (such as on read-only media) provides additional\nassurance about their integrity. The newly-generated database can be installed\nas follows:\n\n# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nTo initiate a manual check, run the following command:\n\n# /usr/sbin/aide --check\n\nIf this check produces any unexpected output, investigate. 
\"\n\n database = parse_config_file('/etc/aide.conf').params['database']\n\n if database.nil?\n describe \"aide.conf database variable\" do\n subject { nil }\n it { should_not be_nil }\n end\n else\n # find the constants which are used by the database variable\n defines = database.match('@@{([A-Z,a-z]+)}')\n if defines.nil?\n defines = []\n else\n defines = defines.captures\n end\n\n # lookup the values of the constants used by the database variable\n aide_conf_file = file('/etc/aide.conf')\n defines_map = defines.map do |d|\n define_match = aide_conf_file.content.match(\"^\\\\s*@@define\\\\s*#{d}\\\\s*(\\\\S*)\\\\s*$\")\n define_value = if define_match.nil? then nil else define_match.captures[0] end\n [d, define_value]\n end.to_h.reject { |k,v| v.nil? }\n\n # substitute the constants names in the database variable with their values\n defines_map.each { |k,v| database.gsub!(\"@@{#{k}}\", v) }\n database.gsub!(%r{^file:}, '')\n\n describe file(database) do\n it { should exist }\n it { should be_file }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38443.rb", + "ref": "./Red Hat 6 STIG/controls/V-51391.rb", "line": 1 }, - "id": "V-38443" + "id": "V-51391" }, { - "title": "The operating system must conduct backups of system-level information\ncontained in the information system per organization defined frequency to\nconduct backups that are consistent with recovery time and recovery point\nobjectives.", - "desc": "Operating system backup is a critical step in maintaining data\nassurance and availability. System-level information includes system-state\ninformation, operating system and application software, and licenses. Backups\nmust be consistent with organizational recovery time and recovery point\nobjectives.", + "title": "The audit system must be configured to audit user deletions of files\nand programs.", + "desc": "Auditing file deletions will create an audit trail for files that are\nremoved from the system. 
The audit trail could aid in system troubleshooting,\nas well as detecting malicious processes that attempt to delete log files to\nconceal their presence.", "descriptions": { - "default": "Operating system backup is a critical step in maintaining data\nassurance and availability. System-level information includes system-state\ninformation, operating system and application software, and licenses. Backups\nmust be consistent with organizational recovery time and recovery point\nobjectives." + "default": "Auditing file deletions will create an audit trail for files that are\nremoved from the system. The audit trail could aid in system troubleshooting,\nas well as detecting malicious processes that attempt to delete log files to\nconceal their presence." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000100", - "gid": "V-38486", - "rid": "SV-50287r1_rule", - "stig_id": "RHEL-06-000505", - "fix_id": "F-43434r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38575", + "rid": "SV-50376r4_rule", + "stig_id": "RHEL-06-000200", + "fix_id": "F-43523r4_fix", "cci": [ - "CCI-000537" + "CCI-000172" ], "nist": [ - "CP-9b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
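Review bot: In the V-51391 `code` string, `database.match('@@{([A-Z,a-z]+)}')` resolves only the first `@@{...}` reference in the `database` value and its character class omits digits and underscores, so a value such as `file:@@{DBDIR}/@@{DBNAME}` or a define named `DB_DIR` is left unsubstituted and the `file(database)` check fails on a compliant host. `defines = database.scan(/@@\{([A-Za-z0-9_]+)\}/).flatten` collects every reference and makes the `defines.nil?` branch unnecessary, since `scan` returns an empty array when nothing matches. Defines with no `@@define` line are silently dropped by the `reject`, which leaves a confusing "file does not exist" failure; an expectation that `defines_map.size` equals `defines.size` would surface that case directly. The same change applies to the `V-51391.rb` source named in `source_location`.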
@@ -2096,35 +2112,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Ask an administrator if a process exists to back up OS data\nfrom the system, including configuration data.\n\nIf such a process does not exist, this is a finding.", - "fix": "Procedures to back up OS data from the system must be established\nand executed. The Red Hat operating system provides utilities for automating\nsuch a process. Commercial and open-source products are also available.\n\nImplement a process whereby OS data is backed up from the system in accordance\nwith local policies." + "check": "To determine if the system is configured to audit calls to the\n\"rmdir\" system call, run the following command:\n\n$ sudo grep -w \"rmdir\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \"unlink\" system\ncall, run the following command:\n\n$ sudo grep -w \"unlink\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \"unlinkat\" system\ncall, run the following command:\n\n$ sudo grep -w \"unlinkat\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \"rename\" system\ncall, run the following command:\n\n$ sudo grep -w \"rename\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \"renameat\" system\ncall, run the following command:\n\n$ sudo grep -w \"renameat\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf no line is returned, this is a finding. 
", + "fix": "At a minimum, the audit system should collect file deletion\nevents for all users and root. Add the following (or equivalent) to\n\"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate\nfor your system:\n\n-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S\nrenameat -F auid>=500 -F auid!=4294967295 -k delete\n-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S\nrenameat -F auid=0 -k delete\n\n" }, - "code": "control \"V-38486\" do\n title \"The operating system must conduct backups of system-level information\ncontained in the information system per organization defined frequency to\nconduct backups that are consistent with recovery time and recovery point\nobjectives.\"\n desc \"Operating system backup is a critical step in maintaining data\nassurance and availability. System-level information includes system-state\ninformation, operating system and application software, and licenses. Backups\nmust be consistent with organizational recovery time and recovery point\nobjectives.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000100\"\n tag \"gid\": \"V-38486\"\n tag \"rid\": \"SV-50287r1_rule\"\n tag \"stig_id\": \"RHEL-06-000505\"\n tag \"fix_id\": \"F-43434r1_fix\"\n tag \"cci\": [\"CCI-000537\"]\n tag \"nist\": [\"CP-9b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Ask an administrator if a process exists to back up OS data\nfrom the system, including configuration data.\n\nIf such a process does not exist, this is a finding.\"\n tag \"fix\": \"Procedures to back up OS data from the system must be established\nand executed. 
The Red Hat operating system provides utilities for automating\nsuch a process. Commercial and open-source products are also available.\n\nImplement a process whereby OS data is backed up from the system in accordance\nwith local policies.\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38575\" do\n title \"The audit system must be configured to audit user deletions of files\nand programs.\"\n desc \"Auditing file deletions will create an audit trail for files that are\nremoved from the system. The audit trail could aid in system troubleshooting,\nas well as detecting malicious processes that attempt to delete log files to\nconceal their presence.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38575\"\n tag \"rid\": \"SV-50376r4_rule\"\n tag \"stig_id\": \"RHEL-06-000200\"\n tag \"fix_id\": \"F-43523r4_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"rmdir\\\" system call, run the following command:\n\n$ sudo grep -w \\\"rmdir\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \\\"unlink\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"unlink\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. 
To\ndetermine if the system is configured to audit calls to the \\\"unlinkat\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"unlinkat\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \\\"rename\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"rename\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \\\"renameat\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"renameat\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file deletion\nevents for all users and root. Add the following (or equivalent) to\n\\\"/etc/audit/audit.rules\\\", setting ARCH to either b32 or b64 as appropriate\nfor your system:\n\n-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S\nrenameat -F auid>=500 -F auid!=4294967295 -k delete\n-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S\nrenameat -F auid=0 -k delete\n\n\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)rmdir(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)unlink(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should 
match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)unlinkat(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)rename(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)renameat(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)rmdir(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)unlink(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)unlinkat(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)rename(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)renameat(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38486.rb", + "ref": "./Red Hat 6 
STIG/controls/V-38575.rb", "line": 1 }, - "id": "V-38486" + "id": "V-38575" }, { - "title": "The operating system must automatically audit account creation.", - "desc": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.", + "title": "The /etc/shadow file must be group-owned by root.", + "desc": "The \"/etc/shadow\" file stores password hashes. Protection of this\nfile is critical for system security.", "descriptions": { - "default": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy." + "default": "The \"/etc/shadow\" file stores password hashes. Protection of this\nfile is critical for system security." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000004", - "gid": "V-38531", - "rid": "SV-50332r2_rule", - "stig_id": "RHEL-06-000174", - "fix_id": "F-43480r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38503", + "rid": "SV-50304r1_rule", + "stig_id": "RHEL-06-000034", + "fix_id": "F-43450r1_fix", "cci": [ - "CCI-000018" + "CCI-000366" ], "nist": [ - "AC-2 (4)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
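Review bot: The V-38575 `code` string only checks rules carrying `-F arch=b32`: the `(?:-F\s+arch=b32\s+)` group is mandatory in all ten patterns, so a 64-bit host whose rules use b64 is reported as a finding while one with only b32 rules passes even though 64-bit deletions are not audited, and the empty `describe.one do ... end` at the end suggests the b64 variant was meant to be added. Interpolating the architecture and the syscall name into the two existing patterns and iterating over both architectures on x86_64 (`os.arch`) covers the fix text's "b32 or b64 as appropriate" and removes the empty block. The same change applies to the `V-38575.rb` source named in `source_location`; the control's `end` is within the hunk.
```ruby
# … unchanged: control V-38575 metadata and tags …
  archs = os.arch == 'x86_64' ? %w[b32 b64] : %w[b32]
  syscalls = %w[rmdir unlink unlinkat rename renameat]
  archs.each do |arch|
    syscalls.each do |syscall|
      describe file('/etc/audit/audit.rules') do
        its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=#{arch}\s+).*(?:,|-S\s+)#{syscall}(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) }
        its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=#{arch}\s+).*(?:,|-S\s+)#{syscall}(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) }
      end
    end
  end
end
```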
@@ -2137,15 +2153,15 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit account\nchanges, run the following command:\n\n$ sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \"-p wa\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.", - "fix": "Add the following to \"/etc/audit/audit.rules\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes" + "check": "To check the group ownership of \"/etc/shadow\", run the\ncommand:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following group-owner.\n\"root\"\nIf it does not, this is a finding.", + "fix": "To properly set the group owner of \"/etc/shadow\", run the\ncommand:\n\n# chgrp root /etc/shadow" }, - "code": "control \"V-38531\" do\n title \"The operating system must automatically audit account creation.\"\n desc \"In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. 
Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000004\"\n tag \"gid\": \"V-38531\"\n tag \"rid\": \"SV-50332r2_rule\"\n tag \"stig_id\": \"RHEL-06-000174\"\n tag \"fix_id\": \"F-43480r1_fix\"\n tag \"cci\": [\"CCI-000018\"]\n tag \"nist\": [\"AC-2 (4)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit account\nchanges, run the following command:\n\n$ sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \\\"-p wa\\\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe 
file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\nend\n", + "code": "control \"V-38503\" do\n title \"The /etc/shadow file must be group-owned by root.\"\n desc \"The \\\"/etc/shadow\\\" file stores password hashes. Protection of this\nfile is critical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38503\"\n tag \"rid\": \"SV-50304r1_rule\"\n tag \"stig_id\": \"RHEL-06-000034\"\n tag \"fix_id\": \"F-43450r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/etc/shadow\\\", run the\ncommand:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following group-owner.\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the group owner of \\\"/etc/shadow\\\", run the\ncommand:\n\n# chgrp root /etc/shadow\"\n\n describe file(\"/etc/shadow\") do\n it { should exist }\n end\n describe file(\"/etc/shadow\") do\n its(\"gid\") { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38531.rb", + "ref": "./Red Hat 6 STIG/controls/V-38503.rb", "line": 1 }, - "id": "V-38531" + "id": "V-38503" }, { "title": "The snmpd service must not use a default password.", 
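Review bot: The V-38503 `code` string opens two separate `describe file("/etc/shadow")` blocks for a single resource; merging them into one block holding both `it { should exist }` and `its("gid") { should cmp 0 }` reads as one expectation and reports one example instead of two. The check text names the group-owner `root`, so `its('group') { should eq 'root' }` would also mirror the STIG wording directly rather than relying on gid 0.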
@@ -2189,24 +2205,24 @@ "id": "V-38653" }, { - "title": "The Datagram Congestion Control Protocol (DCCP) must be disabled\nunless required.", - "desc": "Disabling DCCP protects the system against exploitation of any flaws\nin its implementation.", + "title": "The ypserv package must not be installed.", + "desc": "Removing the \"ypserv\" package decreases the risk of the accidental\n(or intentional) activation of NIS or NIS+ services.", "descriptions": { - "default": "Disabling DCCP protects the system against exploitation of any flaws\nin its implementation." + "default": "Removing the \"ypserv\" package decreases the risk of the accidental\n(or intentional) activation of NIS or NIS+ services." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38514", - "rid": "SV-50315r5_rule", - "stig_id": "RHEL-06-000124", - "fix_id": "F-43461r3_fix", + "gtitle": "SRG-OS-000095", + "gid": "V-38603", + "rid": "SV-50404r1_rule", + "stig_id": "RHEL-06-000220", + "fix_id": "F-43551r1_fix", "cci": [ - "CCI-000382" + "CCI-000381" ], "nist": [ - "CM-7 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
@@ -2219,15 +2235,15 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is configured to prevent the loading of the\n\"dccp\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"| grep\n-v \"#\"\n\nIf no line is returned, this is a finding.", - "fix": "The Datagram Congestion Control Protocol (DCCP) is a relatively\nnew transport layer protocol, designed to support streaming media and\ntelephony. To configure the system to prevent the \"dccp\" kernel module from\nbeing loaded, add the following line to a file in the directory\n\"/etc/modprobe.d\":\n\ninstall dccp /bin/true" + "check": "Run the following command to determine if the \"ypserv\"\npackage is installed:\n\n# rpm -q ypserv\n\n\nIf the package is installed, this is a finding.", + "fix": "The \"ypserv\" package can be uninstalled with the following\ncommand:\n\n# yum erase ypserv" }, - "code": "control \"V-38514\" do\n title \"The Datagram Congestion Control Protocol (DCCP) must be disabled\nunless required.\"\n desc \"Disabling DCCP protects the system against exploitation of any flaws\nin its implementation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38514\"\n tag \"rid\": \"SV-50315r5_rule\"\n tag \"stig_id\": \"RHEL-06-000124\"\n tag \"fix_id\": \"F-43461r3_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n 
tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"dccp\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"| grep\n-v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The Datagram Congestion Control Protocol (DCCP) is a relatively\nnew transport layer protocol, designed to support streaming media and\ntelephony. To configure the system to prevent the \\\"dccp\\\" kernel module from\nbeing loaded, add the following line to a file in the directory\n\\\"/etc/modprobe.d\\\":\n\ninstall dccp /bin/true\"\n\n describe kernel_module('dccp') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control \"V-38603\" do\n title \"The ypserv package must not be installed.\"\n desc \"Removing the \\\"ypserv\\\" package decreases the risk of the accidental\n(or intentional) activation of NIS or NIS+ services.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000095\"\n tag \"gid\": \"V-38603\"\n tag \"rid\": \"SV-50404r1_rule\"\n tag \"stig_id\": \"RHEL-06-000220\"\n tag \"fix_id\": \"F-43551r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag 
\"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"ypserv\\\"\npackage is installed:\n\n# rpm -q ypserv\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"ypserv\\\" package can be uninstalled with the following\ncommand:\n\n# yum erase ypserv\"\n\n describe package(\"ypserv\") do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38514.rb", + "ref": "./Red Hat 6 STIG/controls/V-38603.rb", "line": 1 }, - "id": "V-38514" + "id": "V-38603" }, { "title": "The system must require authentication upon booting into single-user\nand maintenance modes.", 
@@ -2271,24 +2287,24 @@ "id": "V-38586" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchmodat.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "User passwords must be changed at least every 60 days.", + "desc": "Setting the password maximum age ensures users are required to\nperiodically change their passwords. This could possibly decrease the utility\nof a stolen password. Requiring shorter password lifetimes increases the risk\nof users writing down the password in a convenient location subject to physical\ncompromise.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "Setting the password maximum age ensures users are required to\nperiodically change their passwords. This could possibly decrease the utility\nof a stolen password. Requiring shorter password lifetimes increases the risk\nof users writing down the password in a convenient location subject to physical\ncompromise." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38550", - "rid": "SV-50351r3_rule", - "stig_id": "RHEL-06-000187", - "fix_id": "F-43498r2_fix", + "gtitle": "SRG-OS-000076", + "gid": "V-38479", + "rid": "SV-50279r1_rule", + "stig_id": "RHEL-06-000053", + "fix_id": "F-43424r1_fix", "cci": [ - "CCI-000172" + "CCI-000199" ], "nist": [ - "AU-12 c", + "IA-5 (1) (d)", "Rev_4" ], "false_negatives": null, 
@@ -2301,30 +2317,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"fchmodat\" system call, run the following command:\n\n$ sudo grep -w \"fchmodat\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod" + "check": "To check the maximum password age, run the command:\n\n$ grep PASS_MAX_DAYS /etc/login.defs\n\nThe DoD requirement is 60.\nIf it is not set to the required value, this is a finding.", + "fix": "To specify password maximum age for new accounts, edit the file\n\"/etc/login.defs\" and add or correct the following line, replacing [DAYS]\nappropriately:\n\nPASS_MAX_DAYS [DAYS]\n\nThe DoD requirement is 60." 
}, - "code": "control \"V-38550\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchmodat.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38550\"\n tag \"rid\": \"SV-50351r3_rule\"\n tag \"stig_id\": \"RHEL-06-000187\"\n tag \"fix_id\": \"F-43498r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fchmodat\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fchmodat\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchmodat(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchmodat(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38479\" do\n title \"User passwords must be changed at least every 60 days.\"\n desc \"Setting the password maximum age ensures users are required to\nperiodically change their passwords. This could possibly decrease the utility\nof a stolen password. 
Requiring shorter password lifetimes increases the risk\nof users writing down the password in a convenient location subject to physical\ncompromise.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000076\"\n tag \"gid\": \"V-38479\"\n tag \"rid\": \"SV-50279r1_rule\"\n tag \"stig_id\": \"RHEL-06-000053\"\n tag \"fix_id\": \"F-43424r1_fix\"\n tag \"cci\": [\"CCI-000199\"]\n tag \"nist\": [\"IA-5 (1) (d)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the maximum password age, run the command:\n\n$ grep PASS_MAX_DAYS /etc/login.defs\n\nThe DoD requirement is 60.\nIf it is not set to the required value, this is a finding.\"\n tag \"fix\": \"To specify password maximum age for new accounts, edit the file\n\\\"/etc/login.defs\\\" and add or correct the following line, replacing [DAYS]\nappropriately:\n\nPASS_MAX_DAYS [DAYS]\n\nThe DoD requirement is 60.\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^[\\s]*PASS_MAX_DAYS[\\s]+(\\d+)\\s*$/) }\n end\n file(\"/etc/login.defs\").content.to_s.scan(/^[\\s]*PASS_MAX_DAYS[\\s]+(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp <= 60 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38550.rb", + "ref": "./Red Hat 6 STIG/controls/V-38479.rb", "line": 1 }, - "id": "V-38550" + "id": "V-38479" }, { - "title": "The operating system must connect to external networks or information\nsystems only through managed IPv4 interfaces consisting of boundary protection\ndevices arranged in accordance with an organizational security architecture.", - "desc": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and 
ICMP.", + "title": "The operating system must connect to external networks or information\nsystems only through managed IPv6 interfaces consisting of boundary protection\ndevices arranged in accordance with an organizational security architecture.", + "desc": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.", "descriptions": { - "default": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP." + "default": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6." }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000145", - "gid": "V-38560", - "rid": "SV-50361r2_rule", - "stig_id": "RHEL-06-000116", - "fix_id": "F-43508r2_fix", + "gid": "V-38551", + "rid": "SV-50352r3_rule", + "stig_id": "RHEL-06-000106", + "fix_id": "F-43499r2_fix", "cci": [ "CCI-001098" ], 
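Review bot: The regex `/^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$/` is written out twice in the new V-38479 code, once in the `describe file("/etc/login.defs")` block and again in the `scan` call that feeds the `cmp <= 60` loop, so the two checks can drift apart on a later edit. Assign it once, `max_days_re = /^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$/`, and use it in both places. It is also worth a one-line comment above the `scan` loop, `# no matches here: the describe above already reports the missing setting`, since the loop silently emits no tests when the file has no matching line and a reader may otherwise expect it to fail.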
@@ -2342,35 +2358,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"iptables\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start" + "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPV6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"ip6tables\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start" }, - "code": "control \"V-38560\" do\n title \"The operating system must connect to external networks or information\nsystems only through managed IPv4 interfaces consisting of boundary protection\ndevices arranged in accordance with an organizational security architecture.\"\n desc \"The \\\"iptables\\\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000145\"\n tag \"gid\": \"V-38560\"\n tag \"rid\": \"SV-50361r2_rule\"\n tag \"stig_id\": \"RHEL-06-000116\"\n tag \"fix_id\": \"F-43508r2_fix\"\n tag \"cci\": [\"CCI-001098\"]\n tag \"nist\": [\"SC-7 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag 
\"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \\\"iptables\\\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"iptables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start\"\n\n describe service('iptables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38551\" do\n title \"The operating system must connect to external networks or information\nsystems only through managed IPv6 interfaces consisting of boundary protection\ndevices arranged in accordance with an organizational security architecture.\"\n desc \"The \\\"ip6tables\\\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000145\"\n tag \"gid\": \"V-38551\"\n tag \"rid\": \"SV-50352r3_rule\"\n tag \"stig_id\": \"RHEL-06-000106\"\n tag \"fix_id\": \"F-43499r2_fix\"\n tag \"cci\": [\"CCI-001098\"]\n tag \"nist\": [\"SC-7 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nIf IPV6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \\\"ip6tables\\\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, 
it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"ip6tables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start\"\n\n describe service('ip6tables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38560.rb", + "ref": "./Red Hat 6 STIG/controls/V-38551.rb", "line": 1 }, - "id": "V-38560" + "id": "V-38551" }, { - "title": "The system must not send ICMPv4 redirects by default.", - "desc": "Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers.", + "title": "A login banner must be displayed immediately prior to, or as part of,\ngraphical desktop environment login prompts.", + "desc": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.", "descriptions": { - "default": "Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers." + "default": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38600", - "rid": "SV-50401r2_rule", - "stig_id": "RHEL-06-000080", - "fix_id": "F-43547r1_fix", + "gtitle": "SRG-OS-000024", + "gid": "V-38688", + "rid": "SV-50489r3_rule", + "stig_id": "RHEL-06-000324", + "fix_id": "F-43637r2_fix", "cci": [ - "CCI-000366" + "CCI-000050" ], "nist": [ - "CM-6 b", + "AC-8 b", "Rev_4" ], "false_negatives": null, 
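Review bot: The new V-38551 code unconditionally requires `service('ip6tables')` to be enabled and running, but the control's own check text in this hunk says the control is not applicable when IPv6 is disabled, so hosts with IPv6 turned off will be reported as failing rather than N/A. The V-38688 control added later in this file handles its N/A case by setting `impact 0.0` and skipping; the same pattern can gate on `kernel_parameter('net.ipv6.conf.all.disable_ipv6')`, a resource this profile already uses for sysctl checks. The cross-domain exemption in the same check text cannot be detected from the host and would need a profile input if it is to be honoured.
```ruby
  # … unchanged: title, desc, impact and tags …
  if kernel_parameter('net.ipv6.conf.all.disable_ipv6').value == 1
    impact 0.0
    describe "IPv6 disabled" do
      skip "IPv6 is disabled, this control Not Applicable"
    end
  else
    describe service('ip6tables') do
      it { should be_enabled }
      it { should be_running }
    end
  end
```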
@@ -2383,30 +2399,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.default.send_redirects\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.send_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.send_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.send_redirects = 0" + "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure a login warning banner is enabled, run the following:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gdm/simple-greeter/banner_message_enable\n\nSearch for the \"banner_message_enable\" schema. If properly configured, the\n\"default\" value should be \"true\".\nIf it is not, this is a finding.", + "fix": "To enable displaying a login warning banner in the GNOME Display\nManager's login screen, run the following command:\n\n# gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool \\\n--set /apps/gdm/simple-greeter/banner_message_enable true\n\nTo display a banner, this setting must be enabled and then banner text must\nalso be set." 
}, - "code": "control \"V-38600\" do\n title \"The system must not send ICMPv4 redirects by default.\"\n desc \"Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38600\"\n tag \"rid\": \"SV-50401r2_rule\"\n tag \"stig_id\": \"RHEL-06-000080\"\n tag \"fix_id\": \"F-43547r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.send_redirects\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.send_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.send_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.send_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.send_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.send_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.send_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38688\" do\n title \"A login banner must be displayed immediately prior to, or as part of,\ngraphical desktop environment login prompts.\"\n desc \"An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000024\"\n tag \"gid\": \"V-38688\"\n tag \"rid\": \"SV-50489r3_rule\"\n tag \"stig_id\": \"RHEL-06-000324\"\n tag \"fix_id\": \"F-43637r2_fix\"\n tag \"cci\": [\"CCI-000050\"]\n tag \"nist\": [\"AC-8 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo ensure a login warning banner is enabled, run the following:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gdm/simple-greeter/banner_message_enable\n\nSearch for the \\\"banner_message_enable\\\" schema. 
If properly configured, the\n\\\"default\\\" value should be \\\"true\\\".\nIf it is not, this is a finding.\"\n tag \"fix\": \"To enable displaying a login warning banner in the GNOME Display\nManager's login screen, run the following command:\n\n# gconftool-2 --direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type bool \\\\\n--set /apps/gdm/simple-greeter/banner_message_enable true\n\nTo display a banner, this setting must be enabled and then banner text must\nalso be set.\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable\") do\n its('stdout.strip') { should eq 'true' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38600.rb", + "ref": "./Red Hat 6 STIG/controls/V-38688.rb", "line": 1 }, - "id": "V-38600" + "id": "V-38688" }, { - "title": "The TFTP daemon must operate in secure mode which provides access only\nto a single directory on the host file system.", - "desc": "Using the \"-s\" option causes the TFTP service to only serve files\nfrom the given directory. Serving files from an intentionally specified\ndirectory reduces the risk of sharing files which should remain private.", + "title": "Remote file systems must be mounted with the nodev option.", + "desc": "Legitimate device files should only exist in the /dev directory. NFS\nmounts should not present device files to users.", "descriptions": { - "default": "Using the \"-s\" option causes the TFTP service to only serve files\nfrom the given directory. Serving files from an intentionally specified\ndirectory reduces the risk of sharing files which should remain private." + "default": "Legitimate device files should only exist in the /dev directory. 
NFS\nmounts should not present device files to users." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38701", - "rid": "SV-50502r1_rule", - "stig_id": "RHEL-06-000338", - "fix_id": "F-43650r1_fix", + "gid": "V-38652", + "rid": "SV-50453r2_rule", + "stig_id": "RHEL-06-000269", + "fix_id": "F-43601r1_fix", "cci": [ "CCI-000366" ], 
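Review bot: The embedded `code` for V-38688 in this hunk declares `impact 0.5`, but the JSON `"impact": 0` field for the same control, added at the end of the preceding hunk, disagrees with it. The 0 looks like the runtime downgrade the code performs in its `else` branch (`impact 0.0` when GConf2 is not installed), captured from whatever host the baseline was generated on; if so, any consumer reading the baseline's top-level `impact` will treat this control as informational on every host. If the baseline is meant to carry the declared severity, regenerate it so the field reads 0.5; if it is meant to carry the evaluated impact, say so in the file's description, because the two meanings cannot be told apart from the JSON alone.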
@@ -2424,35 +2440,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify \"tftp\" is configured by with the \"-s\" option by\nrunning the following command:\n\ngrep \"server_args\" /etc/xinetd.d/tftp\n\nThe output should indicate the \"server_args\" variable is configured with the\n\"-s\" flag, matching the example below:\n\n# grep \"server_args\" /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf it does not, this is a finding.", - "fix": "If running the \"tftp\" service is necessary, it should be\nconfigured to change its root directory at startup. To do so, ensure\n\"/etc/xinetd.d/tftp\" includes \"-s\" as a command line argument, as shown in\nthe following example (which is also the default):\n\nserver_args = -s /var/lib/tftpboot" + "check": "To verify the \"nodev\" option is configured for all NFS\nmounts, run the following command:\n\n$ mount | grep \"nfs \"\n\nAll NFS mounts should show the \"nodev\" setting in parentheses, along with\nother mount options.\nIf the setting does not show, this is a finding.", + "fix": "Add the \"nodev\" option to the fourth column of \"/etc/fstab\"\nfor the line which controls mounting of any NFS mounts." }, - "code": "control \"V-38701\" do\n title \"The TFTP daemon must operate in secure mode which provides access only\nto a single directory on the host file system.\"\n desc \"Using the \\\"-s\\\" option causes the TFTP service to only serve files\nfrom the given directory. 
Serving files from an intentionally specified\ndirectory reduces the risk of sharing files which should remain private.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38701\"\n tag \"rid\": \"SV-50502r1_rule\"\n tag \"stig_id\": \"RHEL-06-000338\"\n tag \"fix_id\": \"F-43650r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify \\\"tftp\\\" is configured by with the \\\"-s\\\" option by\nrunning the following command:\n\ngrep \\\"server_args\\\" /etc/xinetd.d/tftp\n\nThe output should indicate the \\\"server_args\\\" variable is configured with the\n\\\"-s\\\" flag, matching the example below:\n\n# grep \\\"server_args\\\" /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"If running the \\\"tftp\\\" service is necessary, it should be\nconfigured to change its root directory at startup. To do so, ensure\n\\\"/etc/xinetd.d/tftp\\\" includes \\\"-s\\\" as a command line argument, as shown in\nthe following example (which is also the default):\n\nserver_args = -s /var/lib/tftpboot\"\n\n describe.one do\n describe package(\"tftp-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/tftp\") do\n its(\"content\") { should match(/^[\\s]*server_args[\\s]+=[\\s]+\\-s[\\s]+.+$/) }\n end\n end\nend\n", + "code": "control \"V-38652\" do\n title \"Remote file systems must be mounted with the nodev option.\"\n desc \"Legitimate device files should only exist in the /dev directory. 
NFS\nmounts should not present device files to users.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38652\"\n tag \"rid\": \"SV-50453r2_rule\"\n tag \"stig_id\": \"RHEL-06-000269\"\n tag \"fix_id\": \"F-43601r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"nodev\\\" option is configured for all NFS\nmounts, run the following command:\n\n$ mount | grep \\\"nfs \\\"\n\nAll NFS mounts should show the \\\"nodev\\\" setting in parentheses, along with\nother mount options.\nIf the setting does not show, this is a finding.\"\n tag \"fix\": \"Add the \\\"nodev\\\" option to the fourth column of \\\"/etc/fstab\\\"\nfor the line which controls mounting of any NFS mounts.\"\n\n describe command('mount | grep \\\"nfs \\\"') do\n its('stdout.strip.lines') { should all include 'nodev' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38701.rb", + "ref": "./Red Hat 6 STIG/controls/V-38652.rb", "line": 1 }, - "id": "V-38701" + "id": "V-38652" }, { - "title": "The noexec option must be added to the /tmp partition.", - "desc": "Allowing users to execute binaries from world-writable directories\nsuch as \"/tmp\" should never be necessary in normal operation and can expose\nthe system to potential compromise.", + "title": "The telnet daemon must not be running.", + "desc": "The telnet protocol uses unencrypted network communication, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network. 
The telnet protocol is also subject to man-in-the-middle attacks.\n\n Mitigation: If an enabled telnet daemon is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated.", "descriptions": { - "default": "Allowing users to execute binaries from world-writable directories\nsuch as \"/tmp\" should never be necessary in normal operation and can expose\nthe system to potential compromise." + "default": "The telnet protocol uses unencrypted network communication, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network. The telnet protocol is also subject to man-in-the-middle attacks.\n\n Mitigation: If an enabled telnet daemon is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-57569", - "rid": "SV-71919r1_rule", - "stig_id": "RHEL-06-000528", - "fix_id": "F-62639r1_fix", + "gtitle": "SRG-OS-000129", + "gid": "V-38589", + "rid": "SV-50390r2_rule", + "stig_id": "RHEL-06-000211", + "fix_id": "F-43537r1_fix", "cci": [ - "CCI-000381" + "CCI-000888" ], "nist": [ - "CM-7 a", + "MA-4 (6)", "Rev_4" ], "false_negatives": null, 
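Review bot: The command in the new V-38652 code, `command('mount | grep \"nfs \"')`, is a Ruby single-quoted string, so the backslashes reach the shell and `grep` is invoked with the pattern `"nfs` and a file argument `"`; grep then errors out, stdout is empty, and `should all include 'nodev'` passes vacuously on an empty list, so the control can never fail. Drop the backslashes and widen the match, `describe command('mount | grep -E " type nfs4? "') do`, which also covers NFSv4 mounts that `mount` reports as type `nfs4` and which the `"nfs "` pattern misses. Adding `its('exit_status') { should_not eq 2 }` would make a broken pipeline visible instead of silent, since grep returns 1 for no match but 2 for an error.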
@@ -2465,35 +2481,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that binaries cannot be directly executed from the\n/tmp directory, run the following command:\n\n$ grep '\\s/tmp' /etc/fstab\n\nThe resulting output will show whether the /tmp partition has the \"noexec\"\nflag set. If the /tmp partition does not have the noexec flag set, this is a\nfinding.", - "fix": "The \"noexec\" mount option can be used to prevent binaries from\nbeing executed out of \"/tmp\". Add the \"noexec\" option to the fourth column\nof \"/etc/fstab\" for the line which controls mounting of \"/tmp\"." + "check": "To check that the \"telnet\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"telnet\" --list\n\nOutput should indicate the \"telnet\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"telnet\" --list\ntelnet off\nOR\nerror reading information on service telnet: No such file or directory\n\n\nIf the service is running, this is a finding.", + "fix": "The \"telnet\" service can be disabled with the following\ncommand:\n\n# chkconfig telnet off" }, - "code": "control \"V-57569\" do\n title \"The noexec option must be added to the /tmp partition.\"\n desc \"Allowing users to execute binaries from world-writable directories\nsuch as \\\"/tmp\\\" should never be necessary in normal operation and can expose\nthe system to potential compromise.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-57569\"\n tag \"rid\": \"SV-71919r1_rule\"\n tag \"stig_id\": \"RHEL-06-000528\"\n tag \"fix_id\": \"F-62639r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag 
\"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that binaries cannot be directly executed from the\n/tmp directory, run the following command:\n\n$ grep '\\\\s/tmp' /etc/fstab\n\nThe resulting output will show whether the /tmp partition has the \\\"noexec\\\"\nflag set. If the /tmp partition does not have the noexec flag set, this is a\nfinding.\"\n tag \"fix\": \"The \\\"noexec\\\" mount option can be used to prevent binaries from\nbeing executed out of \\\"/tmp\\\". Add the \\\"noexec\\\" option to the fourth column\nof \\\"/etc/fstab\\\" for the line which controls mounting of \\\"/tmp\\\".\"\n \n # TODO should we check the /dev/shm directory also?\n if mount('/tmp').mounted?\n describe mount('/tmp') do\n its('options') { should include 'noexec' }\n end\n else\n describe \"/tmp partition not found\" do\n skip \"/tmp partition not found, this control must be reviewed manually\"\n end\n end\nend\n", + "code": "control \"V-38589\" do\n title \"The telnet daemon must not be running.\"\n desc \"The telnet protocol uses unencrypted network communication, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network. 
The telnet protocol is also subject to man-in-the-middle attacks.\n\n Mitigation: If an enabled telnet daemon is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated.\n \"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000129\"\n tag \"gid\": \"V-38589\"\n tag \"rid\": \"SV-50390r2_rule\"\n tag \"stig_id\": \"RHEL-06-000211\"\n tag \"fix_id\": \"F-43537r1_fix\"\n tag \"cci\": [\"CCI-000888\"]\n tag \"nist\": [\"MA-4 (6)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"telnet\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"telnet\\\" --list\n\nOutput should indicate the \\\"telnet\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"telnet\\\" --list\ntelnet off\nOR\nerror reading information on service telnet: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"telnet\\\" service can be disabled with the following\ncommand:\n\n# chkconfig telnet off\"\n\n describe.one do\n describe package(\"telnet-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/telnet\") do\n its(\"content\") { should match(/^\\s*disable\\s+=\\s+yes\\s*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-57569.rb", + "ref": "./Red Hat 6 STIG/controls/V-38589.rb", "line": 1 }, - "id": "V-57569" + "id": "V-38589" }, { - "title": "The operating system must prevent public IPv6 access into an\norganizations internal networks, except as 
appropriately mediated by managed\ninterfaces employing boundary protection devices.", - "desc": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.", + "title": "Mail relaying must be restricted.", + "desc": "This ensures \"postfix\" accepts mail messages (such as cron job\nreports) from the local system only, and not from the network, which protects\nit from network attack.", "descriptions": { - "default": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6." + "default": "This ensures \"postfix\" accepts mail messages (such as cron job\nreports) from the local system only, and not from the network, which protects\nit from network attack." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000146", - "gid": "V-38553", - "rid": "SV-50354r3_rule", - "stig_id": "RHEL-06-000107", - "fix_id": "F-43501r2_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38622", + "rid": "SV-50423r2_rule", + "stig_id": "RHEL-06-000249", + "fix_id": "F-43572r1_fix", "cci": [ - "CCI-001100" + "CCI-000382" ], "nist": [ - "SC-7 (2)", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
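Review bot: The xinetd fallback in the new V-38589 `code` string only accepts `disable = yes` with whitespace on both sides of `=`, because the pattern uses `\s+`; xinetd also accepts `disable=yes`, so a correctly hardened host would be reported as a finding. Relaxing the Ruby to `its("content") { should match(/^\s*disable\s*=\s*yes\s*$/) }` (escaped accordingly inside the JSON string) covers both spellings. Separately, the control text now lives in three places — `desc`, `descriptions.default` and the `desc` call inside `code` — and they already differ (the embedded copy ends with a trailing `\n ` that the top-level fields lack), which is the kind of drift a single generated source would avoid. The V-38589 object begins before this hunk, and the V-38622 object that follows it runs past the hunk's last line.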
@@ -2506,30 +2522,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"ip6tables\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start" + "check": "If the system is an authorized mail relay host, this is not\napplicable.\n\nRun the following command to ensure postfix accepts mail messages from only the\nlocal system:\n\n$ grep inet_interfaces /etc/postfix/main.cf\n\nIf properly configured, the output should show only \"localhost\".\nIf it does not, this is a finding.", + "fix": "Edit the file \"/etc/postfix/main.cf\" to ensure that only the\nfollowing \"inet_interfaces\" line appears:\n\ninet_interfaces = localhost" }, - "code": "control \"V-38553\" do\n title \"The operating system must prevent public IPv6 access into an\norganizations internal networks, except as appropriately mediated by managed\ninterfaces employing boundary protection devices.\"\n desc \"The \\\"ip6tables\\\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000146\"\n tag \"gid\": \"V-38553\"\n tag \"rid\": \"SV-50354r3_rule\"\n tag \"stig_id\": \"RHEL-06-000107\"\n tag \"fix_id\": \"F-43501r2_fix\"\n tag \"cci\": [\"CCI-001100\"]\n tag \"nist\": [\"SC-7 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag 
\"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \\\"ip6tables\\\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"ip6tables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start\"\n\n describe service('ip6tables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38622\" do\n title \"Mail relaying must be restricted.\"\n desc \"This ensures \\\"postfix\\\" accepts mail messages (such as cron job\nreports) from the local system only, and not from the network, which protects\nit from network attack.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38622\"\n tag \"rid\": \"SV-50423r2_rule\"\n tag \"stig_id\": \"RHEL-06-000249\"\n tag \"fix_id\": \"F-43572r1_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is an authorized mail relay host, this is not\napplicable.\n\nRun the following command to ensure postfix accepts mail messages from only the\nlocal system:\n\n$ grep inet_interfaces /etc/postfix/main.cf\n\nIf properly configured, the output should show only \\\"localhost\\\".\nIf it does not, this is a finding.\"\n tag \"fix\": \"Edit the file 
\\\"/etc/postfix/main.cf\\\" to ensure that only the\nfollowing \\\"inet_interfaces\\\" line appears:\n\ninet_interfaces = localhost\"\n\n describe file(\"/etc/postfix/main.cf\") do\n its(\"content\") { should match(/^[\\s]*inet_interfaces[\\s]*=[\\s]*localhost[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38553.rb", + "ref": "./Red Hat 6 STIG/controls/V-38622.rb", "line": 1 }, - "id": "V-38553" + "id": "V-38622" }, { - "title": "The audit system must switch the system to single-user mode when\navailable audit storage volume becomes dangerously low.", - "desc": "Administrators should be made aware of an inability to record audit\nrecords. If a separate partition or logical volume of adequate size is used,\nrunning low on space for audit records should never occur.", + "title": "Users must be warned 7 days in advance of password expiration.", + "desc": "Setting the password warning age enables users to make the change at a\npractical time.", "descriptions": { - "default": "Administrators should be made aware of an inability to record audit\nrecords. If a separate partition or logical volume of adequate size is used,\nrunning low on space for audit records should never occur." + "default": "Setting the password warning age enables users to make the change at a\npractical time." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-54381", - "rid": "SV-68627r3_rule", - "stig_id": "RHEL-06-000163", - "fix_id": "F-59235r2_fix", + "gid": "V-38480", + "rid": "SV-50280r1_rule", + "stig_id": "RHEL-06-000054", + "fix_id": "F-43425r1_fix", "cci": [ "CCI-000366" ], 
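Review bot: The V-38622 `code` passes as long as any line of `/etc/postfix/main.cf` reads `inet_interfaces = localhost`, but the `descriptions.fix` text requires that only that line appear and Postfix takes the last assignment it reads, so a file containing `inet_interfaces = localhost` followed by `inet_interfaces = all` is accepted as compliant. Scanning every assignment, as the V-38480 control later in this file does for `PASS_WARN_AGE`, closes that gap: `file("/etc/postfix/main.cf").content.to_s.scan(/^\s*inet_interfaces\s*=\s*(\S+)\s*$/).flatten.each { |v| describe v do it { should cmp 'localhost' } end }`. The test also has no way to express the "authorized mail relay host" not-applicable case named in `descriptions.check`, so that exemption is silent here and deserves a comment in the `code` body. The V-38622 object begins before this hunk and the V-38480 object after it continues past the hunk's end.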
@@ -2547,35 +2563,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to either suspend, switch to\nsingle-user mode, or halt when disk space has run low:\n\nadmin_space_left_action = single\n\nIf the system is not configured to switch to single-user mode, suspend, or halt\nfor corrective action, this is a finding. ", - "fix": "The \"auditd\" service can be configured to take an action when\ndisk space is running low but prior to running out of space completely. Edit\nthe file \"/etc/audit/auditd.conf\". Add or modify the following line,\nsubstituting [ACTION] appropriately:\n\nadmin_space_left_action = [ACTION]\n\nSet this value to \"single\" to cause the system to switch to single-user mode\nfor corrective action. Acceptable values also include \"suspend\" and \"halt\".\nFor certain systems, the need for availability outweighs the need to log all\nactions, and a different setting should be determined. Details regarding all\npossible values for [ACTION] are described in the \"auditd.conf\" man page. " + "check": "To check the password warning age, run the command:\n\n$ grep PASS_WARN_AGE /etc/login.defs\n\nThe DoD requirement is 7.\nIf it is not set to the required value, this is a finding.", + "fix": "To specify how many days prior to password expiration that a\nwarning will be issued to users, edit the file \"/etc/login.defs\" and add or\ncorrect the following line, replacing [DAYS] appropriately:\n\nPASS_WARN_AGE [DAYS]\n\nThe DoD requirement is 7." }, - "code": "control \"V-54381\" do\n title \"The audit system must switch the system to single-user mode when\navailable audit storage volume becomes dangerously low.\"\n desc \"Administrators should be made aware of an inability to record audit\nrecords. 
If a separate partition or logical volume of adequate size is used,\nrunning low on space for audit records should never occur. \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-54381\"\n tag \"rid\": \"SV-68627r3_rule\"\n tag \"stig_id\": \"RHEL-06-000163\"\n tag \"fix_id\": \"F-59235r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to either suspend, switch to\nsingle-user mode, or halt when disk space has run low:\n\nadmin_space_left_action = single\n\nIf the system is not configured to switch to single-user mode, suspend, or halt\nfor corrective action, this is a finding. \"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to take an action when\ndisk space is running low but prior to running out of space completely. Edit\nthe file \\\"/etc/audit/auditd.conf\\\". Add or modify the following line,\nsubstituting [ACTION] appropriately:\n\nadmin_space_left_action = [ACTION]\n\nSet this value to \\\"single\\\" to cause the system to switch to single-user mode\nfor corrective action. Acceptable values also include \\\"suspend\\\" and \\\"halt\\\".\nFor certain systems, the need for availability outweighs the need to log all\nactions, and a different setting should be determined. Details regarding all\npossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page. 
\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^\\s*admin_space_left_action[ ]+=[ ]+(\\S+)\\s*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^\\s*admin_space_left_action[ ]+=[ ]+(\\S+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:[sS][iI][nN][gG][lL][eE]|[sS][uU][sS][pP][eE][nN][dD]|[hH][aA][lL][tT])$/) }\n end\n end\nend\n", + "code": "control \"V-38480\" do\n title \"Users must be warned 7 days in advance of password expiration.\"\n desc \"Setting the password warning age enables users to make the change at a\npractical time.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38480\"\n tag \"rid\": \"SV-50280r1_rule\"\n tag \"stig_id\": \"RHEL-06-000054\"\n tag \"fix_id\": \"F-43425r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the password warning age, run the command:\n\n$ grep PASS_WARN_AGE /etc/login.defs\n\nThe DoD requirement is 7.\nIf it is not set to the required value, this is a finding.\"\n tag \"fix\": \"To specify how many days prior to password expiration that a\nwarning will be issued to users, edit the file \\\"/etc/login.defs\\\" and add or\ncorrect the following line, replacing [DAYS] appropriately:\n\nPASS_WARN_AGE [DAYS]\n\nThe DoD requirement is 7.\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^[\\s]*PASS_WARN_AGE[\\s]*(\\d+)\\s*$/) }\n end\n file(\"/etc/login.defs\").content.to_s.scan(/^[\\s]*PASS_WARN_AGE[\\s]*(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 7 }\n end\n end\nend\n", 
"source_location": { - "ref": "./Red Hat 6 STIG/controls/V-54381.rb", + "ref": "./Red Hat 6 STIG/controls/V-38480.rb", "line": 1 }, - "id": "V-54381" + "id": "V-38480" }, { - "title": "The tftp-server package must not be installed unless required.", - "desc": "Removing the \"tftp-server\" package decreases the risk of the\naccidental (or intentional) activation of tftp services.", + "title": "Library files must have mode 0755 or less permissive.", + "desc": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Restrictive permissions are necessary to protect the integrity of the\nsystem.", "descriptions": { - "default": "Removing the \"tftp-server\" package decreases the risk of the\naccidental (or intentional) activation of tftp services." + "default": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Restrictive permissions are necessary to protect the integrity of the\nsystem." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095", - "gid": "V-38606", - "rid": "SV-50407r2_rule", - "stig_id": "RHEL-06-000222", - "fix_id": "F-43554r1_fix", + "gtitle": "SRG-OS-000259", + "gid": "V-38465", + "rid": "SV-50265r3_rule", + "stig_id": "RHEL-06-000045", + "fix_id": "F-43409r2_fix", "cci": [ - "CCI-000381" + "CCI-001499" ], "nist": [ - "CM-7 a", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
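Review bot: The V-38480 `code` string spells the `PASS_WARN_AGE` pattern out twice, once in the `describe file` matcher and again in the `scan` call, so a future tweak to one copy will silently diverge from the other. Binding it once, `warn_age = /^\s*PASS_WARN_AGE\s+(\d+)\s*$/`, and using `warn_age` in both places keeps them aligned; note that the original `[\s]*` between the key and the digits also admits `PASS_WARN_AGE7`, which `\s+` would not. The `cmp >= 7` expectation is a reasonable reading of "The DoD requirement is 7", but a one-line comment saying the control deliberately accepts longer warning periods would save the next reader from wondering whether `== 7` was intended. The V-38480 object begins before this hunk, and the V-38465 object that follows it runs past the hunk's last line.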
@@ -2588,35 +2604,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if the \"tftp-server\"\npackage is installed:\n\n# rpm -q tftp-server\n\n\nIf the package is installed, this is a finding.", - "fix": "The \"tftp-server\" package can be removed with the following\ncommand:\n\n# yum erase tftp-server" + "check": "System-wide shared library files, which are linked to\nexecutables during process load time or run time, are stored in the following\ndirectories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\n\nKernel modules, which can be added to the kernel during runtime, are stored in\n\"/lib/modules\". All files in these directories should not be group-writable\nor world-writable. To find shared libraries that are group-writable or\nworld-writable, run the following command for each directory [DIR] which\ncontains shared libraries:\n\n$ find -L [DIR] -perm /022 -type f\n\n\nIf any of these files (excluding broken symlinks) are group-writable or\nworld-writable, this is a finding.", + "fix": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\nIf any file in these directories is found to be group-writable or\nworld-writable, correct its permission with the following command:\n\n# chmod go-w [FILE]" }, - "code": "control \"V-38606\" do\n title \"The tftp-server package must not be installed unless required.\"\n desc \"Removing the \\\"tftp-server\\\" package decreases the risk of the\naccidental (or intentional) activation of tftp services.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000095\"\n tag \"gid\": \"V-38606\"\n tag \"rid\": \"SV-50407r2_rule\"\n tag \"stig_id\": \"RHEL-06-000222\"\n tag \"fix_id\": \"F-43554r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag 
\"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"tftp-server\\\"\npackage is installed:\n\n# rpm -q tftp-server\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"tftp-server\\\" package can be removed with the following\ncommand:\n\n# yum erase tftp-server\"\n\n describe package(\"tftp-server\") do\n it { should_not be_installed }\n end\nend\n", + "code": "control \"V-38465\" do\n title \"Library files must have mode 0755 or less permissive.\"\n desc \"Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Restrictive permissions are necessary to protect the integrity of the\nsystem.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000259\"\n tag \"gid\": \"V-38465\"\n tag \"rid\": \"SV-50265r3_rule\"\n tag \"stig_id\": \"RHEL-06-000045\"\n tag \"fix_id\": \"F-43409r2_fix\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"System-wide shared library files, which are linked to\nexecutables during process load time or run time, are stored in the following\ndirectories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\n\nKernel modules, which can be added to the kernel during runtime, are stored in\n\\\"/lib/modules\\\". 
All files in these directories should not be group-writable\nor world-writable. To find shared libraries that are group-writable or\nworld-writable, run the following command for each directory [DIR] which\ncontains shared libraries:\n\n$ find -L [DIR] -perm /022 -type f\n\n\nIf any of these files (excluding broken symlinks) are group-writable or\nworld-writable, this is a finding.\"\n tag \"fix\": \"System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\nIf any file in these directories is found to be group-writable or\nworld-writable, correct its permission with the following command:\n\n# chmod go-w [FILE]\"\n\n libs = [\"/lib\", \"/lib64\", \"/usr/lib\", \"/usr/lib64\"]\n libs.each do |l|\n describe command(\"find -L #{l} -perm /022 -type f\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38606.rb", + "ref": "./Red Hat 6 STIG/controls/V-38465.rb", "line": 1 }, - "id": "V-38606" + "id": "V-38465" }, { - "title": "Default operating system accounts, other than root, must be locked.", - "desc": "Disabling authentication for default system accounts makes it more\ndifficult for attackers to make use of them to compromise a system.", + "title": "The operating system must ensure unauthorized, security-relevant\nconfiguration changes detected are tracked.", + "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", "descriptions": { - "default": "Disabling authentication for default system accounts makes it more\ndifficult for attackers to make use of them to compromise a system." + "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38496", - "rid": "SV-50297r3_rule", - "stig_id": "RHEL-06-000029", - "fix_id": "F-43442r2_fix", + "gtitle": "SRG-OS-000265", + "gid": "V-38673", + "rid": "SV-50474r2_rule", + "stig_id": "RHEL-06-000307", + "fix_id": "F-43621r1_fix", "cci": [ - "CCI-000366" + "CCI-001589" ], "nist": [ - "CM-6 b", + "CM-6 (3)", "Rev_4" ], "false_negatives": null, 
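Review bot: The V-38465 `code` treats an empty stdout from `find -L #{l} -perm /022 -type f` as a pass, but stdout is also empty when `find` cannot read the tree (a permission error, or a directory in `libs` that does not exist on the host, both go to stderr), so an unreadable library directory looks compliant. Skipping absent directories and then requiring a clean run pins that down: `next unless directory(l).exist?` before the `describe`, plus `its('exit_status') { should eq 0 }` alongside the existing `stdout.strip` expectation. The V-38465 object begins before this hunk and the V-38673 object after it continues past the hunk's end.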
@@ -2629,35 +2645,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To obtain a listing of all users and the contents of their\nshadow password field, run the command:\n\n$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow\n\nIdentify the operating system accounts from this listing. These will primarily\nbe the accounts with UID numbers less than 500, other than root.\n\nIf any default operating system account (other than root) has a valid password\nhash, this is a finding.", - "fix": "Some accounts are not associated with a human user of the system,\nand exist to perform some administrative function. An attacker should not be\nable to log into these accounts.\n\nDisable logon access to these accounts with the command:\n\n# passwd -l [SYSACCT]" + "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", + "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." 
}, - "code": "control \"V-38496\" do\n title \"Default operating system accounts, other than root, must be locked.\"\n desc \"Disabling authentication for default system accounts makes it more\ndifficult for attackers to make use of them to compromise a system.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38496\"\n tag \"rid\": \"SV-50297r3_rule\"\n tag \"stig_id\": \"RHEL-06-000029\"\n tag \"fix_id\": \"F-43442r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To obtain a listing of all users and the contents of their\nshadow password field, run the command:\n\n$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \\\":\\\" $2}' /etc/shadow\n\nIdentify the operating system accounts from this listing. These will primarily\nbe the accounts with UID numbers less than 500, other than root.\n\nIf any default operating system account (other than root) has a valid password\nhash, this is a finding.\"\n tag \"fix\": \"Some accounts are not associated with a human user of the system,\nand exist to perform some administrative function. 
An attacker should not be\nable to log into these accounts.\n\nDisable logon access to these accounts with the command:\n\n# passwd -l [SYSACCT]\"\n\n passwd_users = command('awk -F: \\'$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}\\' /etc/shadow').stdout.strip.split(\"\\n\")\n\n if passwd_users.empty?\n describe \"Users with assigned password\" do\n subject { passwd_users }\n it { should be_empty }\n end\n else\n passwd_users.each do |u|\n describe user(u) do\n its('uid') { should be >= 500 }\n end\n end\n end\nend\n", + "code": "control \"V-38673\" do\n title \"The operating system must ensure unauthorized, security-relevant\nconfiguration changes detected are tracked.\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000265\"\n tag \"gid\": \"V-38673\"\n tag \"rid\": \"SV-50474r2_rule\"\n tag \"stig_id\": \"RHEL-06-000307\"\n tag \"fix_id\": \"F-43621r1_fix\"\n tag \"cci\": [\"CCI-001589\"]\n tag \"nist\": [\"CM-6 (3)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n 
its('stdout.strip') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38496.rb", + "ref": "./Red Hat 6 STIG/controls/V-38673.rb", "line": 1 }, - "id": "V-38496" + "id": "V-38673" }, { - "title": "The audit system must be configured to audit failed attempts to access\nfiles and programs.", - "desc": "Unsuccessful attempts to access files could be an indicator of\nmalicious activity on a system. Auditing these events could serve as evidence\nof potential system compromise.", + "title": "The system package management tool must verify ownership on all files\nand directories associated with packages.", + "desc": "Ownership of system binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated.", "descriptions": { - "default": "Unsuccessful attempts to access files could be an indicator of\nmalicious activity on a system. Auditing these events could serve as evidence\nof potential system compromise." + "default": "Ownership of system binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38566", - "rid": "SV-50367r2_rule", - "stig_id": "RHEL-06-000197", - "fix_id": "F-43514r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38454", + "rid": "SV-50254r2_rule", + "stig_id": "RHEL-06-000516", + "fix_id": "F-43400r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
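Review bot: The V-38673 `code` reproduces the STIG's `grep aide /etc/crontab /etc/cron.*/*` literally, so a commented-out schedule such as `#05 4 * * * root /usr/sbin/aide --check`, or any unrelated line containing the substring `aide`, satisfies the test while AIDE never actually runs. Restricting the match to uncommented lines and a whole word, `command("grep -E '^[^#]*\\baide\\b' /etc/crontab /etc/cron.*/*")`, keeps the intent of the check text without the false pass. The `descriptions.fix` text already concedes that cron is only one mechanism, so a comment noting that `/var/spool/cron` entries and non-cron schedulers are not inspected would tell the reader why a host scheduling AIDE differently is reported as a finding. The V-38673 object begins before this hunk and the V-38454 object after it runs past the hunk's last line.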
@@ -2670,35 +2686,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that the audit system collects unauthorized file\naccesses, run the following commands:\n\n# grep EACCES /etc/audit/audit.rules\n\n\n\n# grep EPERM /etc/audit/audit.rules\n\n\nIf either command lacks output, this is a finding.", - "fix": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. Add the following to\n\"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate\nfor your system:\n\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\n-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\n-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\n-S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\n-S ftruncate -F exit=-EPERM -F auid=0 -k access" + "check": "The following command will list which files on the system have\nownership different from what is expected by the RPM database:\n\n# rpm -Va | grep '^.....U'\n\n\nIf any output is produced, verify that the changes were due to STIG application\nand have been documented with the ISSO.\n\nIf any output has not been documented with the ISSO, this is a finding.\n", + "fix": "The RPM package management system can restore ownership of\npackage files and directories. 
The following command will update files and\ndirectories with ownership different from what is expected by the RPM database:\n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]" }, - "code": "control \"V-38566\" do\n title \"The audit system must be configured to audit failed attempts to access\nfiles and programs.\"\n desc \"Unsuccessful attempts to access files could be an indicator of\nmalicious activity on a system. Auditing these events could serve as evidence\nof potential system compromise.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38566\"\n tag \"rid\": \"SV-50367r2_rule\"\n tag \"stig_id\": \"RHEL-06-000197\"\n tag \"fix_id\": \"F-43514r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that the audit system collects unauthorized file\naccesses, run the following commands:\n\n# grep EACCES /etc/audit/audit.rules\n\n\n\n# grep EPERM /etc/audit/audit.rules\n\n\nIf either command lacks output, this is a finding.\"\n tag \"fix\": \"At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\", setting ARCH to either b32 or b64 as appropriate\nfor your system:\n\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\\\n-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\\\n-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\\\n-S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\\\n-S ftruncate -F exit=-EPERM -F auid=0 -k access\"\n\n describe command(\"grep EACCES /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not eq '' }\n end\n\n describe command(\"grep EPERM /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not eq '' }\n end\nend\n", + "code": "control \"V-38454\" do\n title \"The system package management tool must verify ownership on all files\nand directories associated with packages.\"\n desc \"Ownership of system binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. 
Any deviations from this\nbaseline should be investigated.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38454\"\n tag \"rid\": \"SV-50254r2_rule\"\n tag \"stig_id\": \"RHEL-06-000516\"\n tag \"fix_id\": \"F-43400r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which files on the system have\nownership different from what is expected by the RPM database:\n\n# rpm -Va | grep '^.....U'\n\n\nIf any output is produced, verify that the changes were due to STIG application\nand have been documented with the ISSO.\n\nIf any output has not been documented with the ISSO, this is a finding.\n\"\n tag \"fix\": \"The RPM package management system can restore ownership of\npackage files and directories. 
The following command will update files and\ndirectories with ownership different from what is expected by the RPM database:\n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]\"\n\n describe command(\"rpm -Va | grep '^.....U'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38566.rb", + "ref": "./Red Hat 6 STIG/controls/V-38454.rb", "line": 1 }, - "id": "V-38566" + "id": "V-38454" }, { - "title": "The SSH daemon must not permit user environment settings.", - "desc": "SSH environment options potentially allow users to bypass access\nrestriction in some configurations.", + "title": "The system must implement virtual address space randomization.", + "desc": "Address space layout randomization (ASLR) makes it more difficult for\nan attacker to predict the location of attack code he or she has introduced\ninto a process's address space during an attempt at exploitation. Additionally,\nASLR also makes it more difficult for an attacker to know the location of\nexisting code in order to repurpose it using return oriented programming (ROP)\ntechniques.", "descriptions": { - "default": "SSH environment options potentially allow users to bypass access\nrestriction in some configurations." + "default": "Address space layout randomization (ASLR) makes it more difficult for\nan attacker to predict the location of attack code he or she has introduced\ninto a process's address space during an attempt at exploitation. Additionally,\nASLR also makes it more difficult for an attacker to know the location of\nexisting code in order to repurpose it using return oriented programming (ROP)\ntechniques." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000242", - "gid": "V-38616", - "rid": "SV-50417r1_rule", - "stig_id": "RHEL-06-000241", - "fix_id": "F-43565r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38596", + "rid": "SV-50397r2_rule", + "stig_id": "RHEL-06-000078", + "fix_id": "F-43543r1_fix", "cci": [ - "CCI-001414" + "CCI-000366" ], "nist": [ - "AC-4", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -2711,35 +2727,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure users are not able to present environment daemons,\nrun the following command:\n\n# grep PermitUserEnvironment /etc/ssh/sshd_config\n\nIf properly configured, output should be:\n\nPermitUserEnvironment no\n\n\nIf it is not, this is a finding.", - "fix": "To ensure users are not able to present environment options to\nthe SSH daemon, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nPermitUserEnvironment no" + "check": "The status of the \"kernel.randomize_va_space\" kernel\nparameter can be queried by running the following commands:\n\n$ sysctl kernel.randomize_va_space\n$ grep kernel.randomize_va_space /etc/sysctl.conf\n\nThe output of the command should indicate a value of at least \"1\" (preferably\n\"2\"). If this value is not the default value, investigate how it could have\nbeen adjusted at runtime, and verify it is not set improperly in\n\"/etc/sysctl.conf\".\nIf the correct value is not returned, this is a finding.", + "fix": "To set the runtime status of the \"kernel.randomize_va_space\"\nkernel parameter, run the following command:\n\n# sysctl -w kernel.randomize_va_space=2\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nkernel.randomize_va_space = 2" }, - "code": "control \"V-38616\" do\n title \"The SSH daemon must not permit user environment settings.\"\n desc \"SSH environment options potentially allow users to bypass access\nrestriction in some configurations.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000242\"\n tag \"gid\": \"V-38616\"\n tag \"rid\": \"SV-50417r1_rule\"\n tag \"stig_id\": \"RHEL-06-000241\"\n tag \"fix_id\": \"F-43565r1_fix\"\n tag \"cci\": [\"CCI-001414\"]\n tag \"nist\": [\"AC-4\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": 
false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure users are not able to present environment daemons,\nrun the following command:\n\n# grep PermitUserEnvironment /etc/ssh/sshd_config\n\nIf properly configured, output should be:\n\nPermitUserEnvironment no\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"To ensure users are not able to present environment options to\nthe SSH daemon, add or correct the following line in \\\"/etc/ssh/sshd_config\\\":\n\nPermitUserEnvironment no\"\n\n describe sshd_config do\n its('PermitUserEnvironment') { should eq 'no' }\n end\nend\n", + "code": "control \"V-38596\" do\n title \"The system must implement virtual address space randomization.\"\n desc \"Address space layout randomization (ASLR) makes it more difficult for\nan attacker to predict the location of attack code he or she has introduced\ninto a process's address space during an attempt at exploitation. 
Additionally,\nASLR also makes it more difficult for an attacker to know the location of\nexisting code in order to repurpose it using return oriented programming (ROP)\ntechniques.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38596\"\n tag \"rid\": \"SV-50397r2_rule\"\n tag \"stig_id\": \"RHEL-06-000078\"\n tag \"fix_id\": \"F-43543r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"kernel.randomize_va_space\\\" kernel\nparameter can be queried by running the following commands:\n\n$ sysctl kernel.randomize_va_space\n$ grep kernel.randomize_va_space /etc/sysctl.conf\n\nThe output of the command should indicate a value of at least \\\"1\\\" (preferably\n\\\"2\\\"). 
If this value is not the default value, investigate how it could have\nbeen adjusted at runtime, and verify it is not set improperly in\n\\\"/etc/sysctl.conf\\\".\nIf the correct value is not returned, this is a finding.\"\n tag \"fix\": \"To set the runtime status of the \\\"kernel.randomize_va_space\\\"\nkernel parameter, run the following command:\n\n# sysctl -w kernel.randomize_va_space=2\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nkernel.randomize_va_space = 2\"\n\n describe command('sysctl -n kernel.randomize_va_space') do\n its('stdout.strip') { should be_in ['1', '2'] }\n end\n\n describe.one do\n describe parse_config_file('/etc/sysctl.conf') do\n its('params') { should be >= { 'kernel.randomize_va_space' => '1' } }\n end\n\n describe parse_config_file('/etc/sysctl.conf') do\n its('params') { should be >= { 'kernel.randomize_va_space' => '2' } }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38616.rb", + "ref": "./Red Hat 6 STIG/controls/V-38596.rb", "line": 1 }, - "id": "V-38616" + "id": "V-38596" }, { - "title": "The /etc/shadow file must be group-owned by root.", - "desc": "The \"/etc/shadow\" file stores password hashes. Protection of this\nfile is critical for system security.", + "title": "The systems local IPv4 firewall must implement a deny-all,\nallow-by-exception policy for inbound packets.", + "desc": "In \"iptables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.", "descriptions": { - "default": "The \"/etc/shadow\" file stores password hashes. Protection of this\nfile is critical for system security." + "default": "In \"iptables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38503", - "rid": "SV-50304r1_rule", - "stig_id": "RHEL-06-000034", - "fix_id": "F-43450r1_fix", + "gtitle": "SRG-OS-000231", + "gid": "V-38513", + "rid": "SV-50314r2_rule", + "stig_id": "RHEL-06-000120", + "fix_id": "F-43460r1_fix", "cci": [ - "CCI-000366" + "CCI-000066" ], "nist": [ - "CM-6 b", + "AC-17 e", "Rev_4" ], "false_negatives": null, 
@@ -2752,35 +2768,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the group ownership of \"/etc/shadow\", run the\ncommand:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following group-owner.\n\"root\"\nIf it does not, this is a finding.", - "fix": "To properly set the group owner of \"/etc/shadow\", run the\ncommand:\n\n# chgrp root /etc/shadow" + "check": "Run the following command to ensure the default \"INPUT\"\npolicy is \"DROP\":\n\n# iptables -nvL | grep -i input\n\nChain INPUT (policy DROP 0 packets, 0 bytes)\n\nIf the default policy for the INPUT chain is not set to DROP, this is a\nfinding.", + "fix": "To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in INPUT chain which processes incoming packets, add or correct the\nfollowing line in \"/etc/sysconfig/iptables\":\n\n:INPUT DROP [0:0]" }, - "code": "control \"V-38503\" do\n title \"The /etc/shadow file must be group-owned by root.\"\n desc \"The \\\"/etc/shadow\\\" file stores password hashes. 
Protection of this\nfile is critical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38503\"\n tag \"rid\": \"SV-50304r1_rule\"\n tag \"stig_id\": \"RHEL-06-000034\"\n tag \"fix_id\": \"F-43450r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/etc/shadow\\\", run the\ncommand:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following group-owner.\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the group owner of \\\"/etc/shadow\\\", run the\ncommand:\n\n# chgrp root /etc/shadow\"\n\n describe file(\"/etc/shadow\") do\n it { should exist }\n end\n describe file(\"/etc/shadow\") do\n its(\"gid\") { should cmp 0 }\n end\nend\n", + "code": "control \"V-38513\" do\n title \"The systems local IPv4 firewall must implement a deny-all,\nallow-by-exception policy for inbound packets.\"\n desc \"In \\\"iptables\\\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \\\"DROP\\\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000231\"\n tag \"gid\": \"V-38513\"\n tag \"rid\": \"SV-50314r2_rule\"\n tag \"stig_id\": \"RHEL-06-000120\"\n tag \"fix_id\": \"F-43460r1_fix\"\n tag \"cci\": [\"CCI-000066\"]\n tag \"nist\": [\"AC-17 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to ensure the default \\\"INPUT\\\"\npolicy is \\\"DROP\\\":\n\n# iptables -nvL | grep -i input\n\nChain INPUT (policy DROP 0 packets, 0 bytes)\n\nIf the default policy for the INPUT chain is not set to DROP, this is a\nfinding.\"\n tag \"fix\": \"To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in INPUT chain which processes incoming packets, add or correct the\nfollowing line in \\\"/etc/sysconfig/iptables\\\":\n\n:INPUT DROP [0:0]\"\n\n describe command(\"iptables -nvL | grep -i input\") do\n its('stdout.strip') { should match %r{Chain INPUT \\(policy DROP} }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38503.rb", + "ref": "./Red Hat 6 STIG/controls/V-38513.rb", "line": 1 }, - "id": "V-38503" + "id": "V-38513" }, { - "title": "The audit system must be configured to audit modifications to the\nsystems network configuration.", - "desc": "The network environment should not be modified by anything other than\nadministrator action. 
Any change to network parameters should be audited.", + "title": "The operating system must automatically audit account disabling\nactions.", + "desc": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.", "descriptions": { - "default": "The network environment should not be modified by anything other than\nadministrator action. Any change to network parameters should be audited." + "default": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38540", - "rid": "SV-50341r4_rule", - "stig_id": "RHEL-06-000182", - "fix_id": "F-43488r2_fix", + "gtitle": "SRG-OS-000240", + "gid": "V-38536", + "rid": "SV-50337r2_rule", + "stig_id": "RHEL-06-000176", + "fix_id": "F-43484r1_fix", "cci": [ - "CCI-000366" + "CCI-001404" ], "nist": [ - "CM-6 b", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
@@ -2793,35 +2809,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If you are running x86_64 architecture, determine the values\nfor sethostname:\n$ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname\n\t\nIf the values returned are not identical verify that the system is configured\nto monitor network configuration changes for the i386 and x86_64 architectures:\n\n$ sudo egrep -w\n'(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'\n/etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\n\nIf the system is configured to watch for network configuration changes, a line\nshould be returned for each file specified for both (and \"-p wa\" should be\nindicated for each).\n\nIf the system is not configured to audit changes of the network configuration,\nthis is a finding.\n", - "fix": "Add the following to \"/etc/audit/audit.rules\", setting ARCH to\neither b32 or b64 as appropriate for your system:\n\n# audit_network_modifications\n-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications" + "check": "To determine if the system is 
configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \"-p wa\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.", + "fix": "Add the following to \"/etc/audit/audit.rules\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes" }, - "code": "control \"V-38540\" do\n title \"The audit system must be configured to audit modifications to the\nsystems network configuration.\"\n desc \"The network environment should not be modified by anything other than\nadministrator action. 
Any change to network parameters should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38540\"\n tag \"rid\": \"SV-50341r4_rule\"\n tag \"stig_id\": \"RHEL-06-000182\"\n tag \"fix_id\": \"F-43488r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If you are running x86_64 architecture, determine the values\nfor sethostname:\n$ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname\n\\t\nIf the values returned are not identical verify that the system is configured\nto monitor network configuration changes for the i386 and x86_64 architectures:\n\n$ sudo egrep -w\n'(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'\n/etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\n\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\n\nIf the system is configured to watch for network configuration changes, a line\nshould be returned for each file specified for both (and \\\"-p wa\\\" should be\nindicated for each).\n\nIf the system is not configured to audit changes of the network 
configuration,\nthis is a finding.\n\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", setting ARCH to\neither b32 or b64 as appropriate for your system:\n\n# audit_network_modifications\n-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k\naudit_network_modifications\n-w /etc/issue -p wa -k audit_network_modifications\n-w /etc/issue.net -p wa -k audit_network_modifications\n-w /etc/hosts -p wa -k audit_network_modifications\n-w /etc/sysconfig/network -p wa -k audit_network_modifications\"\n\n both_archs = command(\"ausyscall i386 sethostname\").stdout.strip != command(\"ausyscall x86_64 sethostname\").stdout.strip\n\n if os.arch == 'x86_64' or both_archs\n describe command(\"egrep -w '^[^\\#]*sethostname' /etc/audit/audit.rules | grep 'arch=b64'\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep -w '^[^\\#]*setdomainname' /etc/audit/audit.rules | grep 'arch=b64'\") do\n its('stdout.strip') { should_not be_empty }\n end\n end\n\n if os.arch != 'x86_64' or both_archs\n describe command(\"egrep -w '^[^\\#]*sethostname' /etc/audit/audit.rules | grep 'arch=b32'\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep -w '^[^\\#]*setdomainname' /etc/audit/audit.rules | grep 'arch=b32'\") do\n its('stdout.strip') { should_not be_empty }\n end\n end\n\n describe command(\"egrep '^\\\\s*\\\\-w /etc/issue \\\\-p wa' /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep '^\\\\s*\\\\-w /etc/issue.net \\\\-p wa' /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep '^\\\\s*\\\\-w /etc/hosts \\\\-p wa' /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"egrep '^\\\\s*\\\\-w /etc/sysconfig/network \\\\-p wa' /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", + "code": "control 
\"V-38536\" do\n title \"The operating system must automatically audit account disabling\nactions.\"\n desc \"In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000240\"\n tag \"gid\": \"V-38536\"\n tag \"rid\": \"SV-50337r2_rule\"\n tag \"stig_id\": \"RHEL-06-000176\"\n tag \"fix_id\": \"F-43484r1_fix\"\n tag \"cci\": [\"CCI-001404\"]\n tag \"nist\": [\"AC-2 (4)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \\\"-p wa\\\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should 
match(/^\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38540.rb", + "ref": "./Red Hat 6 STIG/controls/V-38536.rb", "line": 1 }, - "id": "V-38540" + "id": "V-38536" }, { - "title": "The system must not accept IPv4 source-routed packets on any\ninterface.", - "desc": "Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required.", + "title": "The system must employ a local IPv4 firewall.", + "desc": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.", "descriptions": { - "default": "Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required." + "default": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38523", - "rid": "SV-50324r2_rule", - "stig_id": "RHEL-06-000083", - "fix_id": "F-43471r1_fix", + "gtitle": "SRG-OS-000152", + "gid": "V-38555", + "rid": "SV-50356r2_rule", + "stig_id": "RHEL-06-000113", + "fix_id": "F-43503r2_fix", "cci": [ - "CCI-000366" + "CCI-001118" ], "nist": [ - "CM-6 b", + "SC-7 (12)", "Rev_4" ], "false_negatives": null, 
@@ -2834,35 +2850,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.all.accept_source_route\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_source_route\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.accept_source_route\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.accept_source_route = 0" + "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"iptables\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start" }, - "code": "control \"V-38523\" do\n title \"The system must not accept IPv4 source-routed packets on any\ninterface.\"\n desc \"Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. 
It should be disabled unless it is absolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38523\"\n tag \"rid\": \"SV-50324r2_rule\"\n tag \"stig_id\": \"RHEL-06-000083\"\n tag \"fix_id\": \"F-43471r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.accept_source_route\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_source_route\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.accept_source_route\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.accept_source_route = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.accept_source_route\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.accept_source_route\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.accept_source_route[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38555\" do\n title \"The system must employ a local IPv4 firewall.\"\n desc \"The \\\"iptables\\\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000152\"\n tag \"gid\": \"V-38555\"\n tag \"rid\": \"SV-50356r2_rule\"\n tag \"stig_id\": \"RHEL-06-000113\"\n tag \"fix_id\": \"F-43503r2_fix\"\n tag \"cci\": [\"CCI-001118\"]\n tag \"nist\": [\"SC-7 (12)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \\\"iptables\\\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"iptables\\\" service can be enabled with the following\ncommands:\n\n# 
chkconfig iptables on\n# service iptables start\"\n\n describe service('iptables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38523.rb", + "ref": "./Red Hat 6 STIG/controls/V-38555.rb", "line": 1 }, - "id": "V-38523" + "id": "V-38555" }, { - "title": "The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (libuser.conf).", - "desc": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.", + "title": "The operating system must protect the confidentiality and integrity of\ndata at rest. ", + "desc": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.", "descriptions": { - "default": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult." + "default": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000120", - "gid": "V-38577", - "rid": "SV-50378r1_rule", - "stig_id": "RHEL-06-000064", - "fix_id": "F-43525r1_fix", + "gtitle": "SRG-OS-000185", + "gid": "V-38661", + "rid": "SV-50462r2_rule", + "stig_id": "RHEL-06-000276", + "fix_id": "F-43610r3_fix", "cci": [ - "CCI-000803" + "CCI-001199" ], "nist": [ - "IA-7", + "SC-28", "Rev_4" ], "false_negatives": null, 
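Review bot: The `check` text of the new V-38555 record begins with a cross-domain not-applicable exception that its `code` never models — `describe service('iptables')` asserts `be_enabled` and `be_running` unconditionally, so a cross-domain host reports a failure rather than N/A. InSpec cannot detect that condition on its own, so the control could read a profile input and skip when it is set, or at minimum carry a comment such as `# Cross-domain systems are N/A per the STIG check text; not auto-detected, treat a failure there as a false positive`. This JSON is an export of `./Red Hat 6 STIG/controls/V-38555.rb` (per `source_location`), so the change belongs in that file with the baseline regenerated from it. Every record in this hunk resolves to the Red Hat 6 STIG directory and uses RHEL 6 commands (`chkconfig`, `service iptables`); worth confirming that is the platform this baseline file is meant to describe.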
@@ -2875,35 +2891,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/libuser.conf\" and ensure the following line\nappears in the \"[default]\" section:\n\ncrypt_style = sha512\n\n\nIf it does not, this is a finding.", - "fix": "In \"/etc/libuser.conf\", add or correct the following line in\nits \"[defaults]\" section to ensure the system will use the SHA-512 algorithm\nfor password hashing:\n\ncrypt_style = sha512" + "check": "Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.", + "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \"Encrypt\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \"--encrypted\" and \"--passphrase=\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. 
Omitting the \"--passphrase=\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" }, - "code": "control \"V-38577\" do\n title \"The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (libuser.conf).\"\n desc \"Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000120\"\n tag \"gid\": \"V-38577\"\n tag \"rid\": \"SV-50378r1_rule\"\n tag \"stig_id\": \"RHEL-06-000064\"\n tag \"fix_id\": \"F-43525r1_fix\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/libuser.conf\\\" and ensure the following line\nappears in the \\\"[default]\\\" section:\n\ncrypt_style = sha512\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"In \\\"/etc/libuser.conf\\\", add or correct the following line in\nits \\\"[defaults]\\\" section to ensure the system will use the SHA-512 algorithm\nfor password hashing:\n\ncrypt_style = sha512\"\n\n describe file(\"/etc/libuser.conf\") do\n its(\"content\") { should match(/^[\\s]*crypt_style[\\s]+=[\\s]+(?i)sha512[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38661\" do\n title \"The operating system must protect the confidentiality and integrity of\ndata at rest. 
\"\n desc \"The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000185\"\n tag \"gid\": \"V-38661\"\n tag \"rid\": \"SV-50462r2_rule\"\n tag \"stig_id\": \"RHEL-06-000276\"\n tag \"fix_id\": \"F-43610r3_fix\"\n tag \"cci\": [\"CCI-001199\"]\n tag \"nist\": [\"SC-28\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.\"\n tag \"fix\": \"Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \\\"Encrypt\\\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \\\"--encrypted\\\" and \\\"--passphrase=\\\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. 
Omitting the \\\"--passphrase=\\\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38577.rb", + "ref": "./Red Hat 6 STIG/controls/V-38661.rb", "line": 1 }, - "id": "V-38577" + "id": "V-38661" }, { - "title": "The avahi service must be disabled.", - "desc": "Because the Avahi daemon service keeps an open network port, it is\nsubject to network attacks. Its functionality is convenient but is only\nappropriate if the local network can be trusted.", + "title": "The graphical desktop environment must automatically lock after 15\nminutes of inactivity and the system must require user reauthentication to\nunlock the environment.", + "desc": "Enabling idle activation of the screen saver ensures the screensaver\nwill be activated after the idle delay. Applications requiring continuous,\nreal-time screen display (such as network management products) require the\nlogin session does not have administrator rights and the display station is\nlocated in a controlled-access area.", "descriptions": { - "default": "Because the Avahi daemon service keeps an open network port, it is\nsubject to network attacks. Its functionality is convenient but is only\nappropriate if the local network can be trusted." + "default": "Enabling idle activation of the screen saver ensures the screensaver\nwill be activated after the idle delay. 
Applications requiring continuous,\nreal-time screen display (such as network management products) require the\nlogin session does not have administrator rights and the display station is\nlocated in a controlled-access area."
 },
- "impact": 0.3,
+ "impact": 0,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-999999",
- "gid": "V-38618",
- "rid": "SV-50419r2_rule",
- "stig_id": "RHEL-06-000246",
- "fix_id": "F-43567r2_fix",
+ "gtitle": "SRG-OS-000029",
+ "gid": "V-38630",
+ "rid": "SV-50431r3_rule",
+ "stig_id": "RHEL-06-000258",
+ "fix_id": "F-43579r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000057"
 ],
 "nist": [
- "CM-6 b",
+ "AC-11 a",
 "Rev_4"
 ],
 "false_negatives": null,
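Review bot: The new V-38661 record's `skip "This control must be reviewed manually"` leaves the assessor with no guidance, although the `check` and `fix` text say exactly what to establish (whether data-at-rest encryption is required and, if so, that partitions are LUKS-encrypted); a message like `skip "Manual review: determine whether data-at-rest encryption is required and, if so, confirm the partitions are LUKS-encrypted"` would make the skipped result actionable. The new `title` also carries a trailing space (`data at rest. `), both at the top level and inside `code`, which will trip anything that matches records by title. Both edits belong in `./Red Hat 6 STIG/controls/V-38661.rb` named in `source_location`, with the baseline regenerated from it.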
@@ -2916,35 +2932,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"avahi-daemon\" service is disabled in\nsystem boot configuration, run the following command:\n\n# chkconfig \"avahi-daemon\" --list\n\nOutput should indicate the \"avahi-daemon\" service has either not been\ninstalled, or has been disabled at all runlevels, as shown in the example\nbelow:\n\n# chkconfig \"avahi-daemon\" --list\n\"avahi-daemon\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"avahi-daemon\" is disabled through\ncurrent runtime configuration:\n\n# service avahi-daemon status\n\nIf the service is disabled the command will return the following output:\n\navahi-daemon is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The \"avahi-daemon\" service can be disabled with the following\ncommands:\n\n# chkconfig avahi-daemon off\n# service avahi-daemon stop" + "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo check the screensaver mandatory use status, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/idle_activation_enabled\n\nIf properly configured, the output should be \"true\".\n\nIf it is not, this is a finding.", + "fix": "Run the following command to activate the screensaver in the\nGNOME desktop after a period of inactivity:\n\n# gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool \\\n--set /apps/gnome-screensaver/idle_activation_enabled true" }, - "code": "control \"V-38618\" do\n title \"The avahi service must be disabled.\"\n desc \"Because the Avahi daemon service keeps an open network port, it is\nsubject to network attacks. 
Its functionality is convenient but is only\nappropriate if the local network can be trusted.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38618\"\n tag \"rid\": \"SV-50419r2_rule\"\n tag \"stig_id\": \"RHEL-06-000246\"\n tag \"fix_id\": \"F-43567r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"avahi-daemon\\\" service is disabled in\nsystem boot configuration, run the following command:\n\n# chkconfig \\\"avahi-daemon\\\" --list\n\nOutput should indicate the \\\"avahi-daemon\\\" service has either not been\ninstalled, or has been disabled at all runlevels, as shown in the example\nbelow:\n\n# chkconfig \\\"avahi-daemon\\\" --list\n\\\"avahi-daemon\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"avahi-daemon\\\" is disabled through\ncurrent runtime configuration:\n\n# service avahi-daemon status\n\nIf the service is disabled the command will return the following output:\n\navahi-daemon is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"avahi-daemon\\\" service can be disabled with the following\ncommands:\n\n# chkconfig avahi-daemon off\n# service avahi-daemon stop\"\n\n describe service(\"avahi-daemon\").runlevels(/0/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/1/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/2/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/3/) do\n it { should_not be_enabled }\n end\n describe 
service(\"avahi-daemon\").runlevels(/4/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/5/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/6/) do\n it { should_not be_enabled }\n end\nend\n", + "code": "control \"V-38630\" do\n title \"The graphical desktop environment must automatically lock after 15\nminutes of inactivity and the system must require user reauthentication to\nunlock the environment.\"\n desc \"Enabling idle activation of the screen saver ensures the screensaver\nwill be activated after the idle delay. Applications requiring continuous,\nreal-time screen display (such as network management products) require the\nlogin session does not have administrator rights and the display station is\nlocated in a controlled-access area.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000029\"\n tag \"gid\": \"V-38630\"\n tag \"rid\": \"SV-50431r3_rule\"\n tag \"stig_id\": \"RHEL-06-000258\"\n tag \"fix_id\": \"F-43579r1_fix\"\n tag \"cci\": [\"CCI-000057\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo check the screensaver mandatory use status, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/idle_activation_enabled\n\nIf properly configured, the output should be \\\"true\\\".\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"Run the following command to activate the screensaver in the\nGNOME desktop after a period of inactivity:\n\n# gconftool-2 --direct \\\\\n--config-source 
xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type bool \\\\\n--set /apps/gnome-screensaver/idle_activation_enabled true\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled\") do\n its('stdout.strip') { should eq 'true' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38618.rb", + "ref": "./Red Hat 6 STIG/controls/V-38630.rb", "line": 1 }, - "id": "V-38618" + "id": "V-38630" }, { - "title": "The noexec option must be added to removable media partitions.", - "desc": "Allowing users to execute binaries from removable media such as USB\nkeys exposes the system to potential compromise.", + "title": "The audit system must be configured to audit all attempts to alter\nsystem time through settimeofday.", + "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", "descriptions": { - "default": "Allowing users to execute binaries from removable media such as USB\nkeys exposes the system to potential compromise." + "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." 
},
 "impact": 0.3,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000035",
- "gid": "V-38655",
- "rid": "SV-50456r1_rule",
- "stig_id": "RHEL-06-000271",
- "fix_id": "F-43605r1_fix",
+ "gtitle": "SRG-OS-000062",
+ "gid": "V-38522",
+ "rid": "SV-50323r3_rule",
+ "stig_id": "RHEL-06-000167",
+ "fix_id": "F-43470r2_fix",
 "cci": [
- "CCI-000087"
+ "CCI-000169"
 ],
 "nist": [
- "AC-19 e",
+ "AU-12 a",
 "Rev_4"
 ],
 "false_negatives": null,
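Review bot: The new V-38630 record's top-level `"impact": 0` contradicts the `impact 0.5` declared inside its `code` string; the control rewrites its impact to `0.0` in the `else` branch when the GConf2 package is absent, so the exported value appears to reflect the host the profile was exported on rather than the control's declared severity. Anything that reads the top-level `impact` from this baseline will treat the screen-lock control as not applicable everywhere. The export should carry the declared value (`"impact": 0.5`), either by regenerating on a host where the runtime override does not fire or by having the generator take the static `impact` rather than the post-run one; the control source is `./Red Hat 6 STIG/controls/V-38630.rb` per `source_location`. The same duplication of `impact`, `title`, `desc` and `tags` between the top-level fields and the `code` string exists in every record of this file, so a consistency check between the two at generation time would catch this class of drift.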
@@ -2957,35 +2973,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that binaries cannot be directly executed from\nremovable media, run the following command:\n\n# grep noexec /etc/fstab\n\nThe output should show \"noexec\" in use.\nIf it does not, this is a finding.", - "fix": "The \"noexec\" mount option prevents the direct execution of\nbinaries on the mounted filesystem. Users should not be allowed to execute\nbinaries that exist on partitions mounted from removable media (such as a USB\nkey). The \"noexec\" option prevents code from being executed directly from the\nmedia itself, and may therefore provide a line of defense against certain types\nof worms or malicious code. Add the \"noexec\" option to the fourth column of\n\"/etc/fstab\" for the line which controls mounting of any removable media\npartitions." + "check": "To determine if the system is configured to audit calls to the\n\"settimeofday\" system call, run the following command:\n\n$ sudo grep -w \"settimeofday\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. ", + "fix": "On a 32-bit system, add the following to\n\"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules\n\nOn a 64-bit system, add the following to \"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. 
See an example of multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules" }, - "code": "control \"V-38655\" do\n title \"The noexec option must be added to removable media partitions.\"\n desc \"Allowing users to execute binaries from removable media such as USB\nkeys exposes the system to potential compromise.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000035\"\n tag \"gid\": \"V-38655\"\n tag \"rid\": \"SV-50456r1_rule\"\n tag \"stig_id\": \"RHEL-06-000271\"\n tag \"fix_id\": \"F-43605r1_fix\"\n tag \"cci\": [\"CCI-000087\"]\n tag \"nist\": [\"AC-19 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that binaries cannot be directly executed from\nremovable media, run the following command:\n\n# grep noexec /etc/fstab\n\nThe output should show \\\"noexec\\\" in use.\nIf it does not, this is a finding.\"\n tag \"fix\": \"The \\\"noexec\\\" mount option prevents the direct execution of\nbinaries on the mounted filesystem. Users should not be allowed to execute\nbinaries that exist on partitions mounted from removable media (such as a USB\nkey). The \\\"noexec\\\" option prevents code from being executed directly from the\nmedia itself, and may therefore provide a line of defense against certain types\nof worms or malicious code. 
Add the \\\"noexec\\\" option to the fourth column of\n\\\"/etc/fstab\\\" for the line which controls mounting of any removable media\npartitions.\"\n\n mounts = command('mount').stdout.strip.split(\"\\n\").\n map do |d|\n split_mounts = d.split(%r{\\s+})\n options = split_mounts[-1].match(%r{\\((.*)\\)$}).captures.first.split(',')\n dev_file = file(split_mounts[0])\n dev_link = dev_file.symlink? ? dev_file.link_path : dev_file.path\n {'dev'=>split_mounts[0], 'link'=>dev_link, 'mount'=>split_mounts[2], 'options'=>options}\n end\n\n dev_mounts = mounts.\n select { |mnt| mnt['dev'].start_with? '/' and !mnt['dev'].start_with? '//' }.\n map do |mnt|\n # https://unix.stackexchange.com/a/308724\n partition = ['/sys/class/block', mnt['link'].sub(%r{^/dev/}, ''), 'partition'].join('/')\n if file(partition).exist?\n root_dev = command('basename \"$(readlink -f \"/sys/class/block/sda1/..\")\"').stdout.strip\n mnt['root_dev'] = '/dev/' + root_dev\n else\n mnt['root_dev'] = mnt['link']\n end\n mnt\n end\n\n removable_mounts = dev_mounts.select do |mnt| \n removable = ['/sys/block', mnt['root_dev'].sub(%r{^/dev/}, ''), 'removable'].join('/')\n file(removable).content.strip == '1'\n end\n\n if removable_mounts.empty?\n describe \"Removable mounted devices\" do\n subject { removable_mounts }\n it { should be_empty }\n end\n else\n removable_mounts.each do |mnt|\n describe \"Mount #{mnt['mount']} options\" do\n subject { mnt['options'] }\n it { should include 'noexec' }\n end\n end\n end\nend\n", + "code": "control \"V-38522\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through settimeofday.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). 
All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38522\"\n tag \"rid\": \"SV-50323r3_rule\"\n tag \"stig_id\": \"RHEL-06-000167\"\n tag \"fix_id\": \"F-43470r2_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"settimeofday\\\" system call, run the following command:\n\n$ sudo grep -w \\\"settimeofday\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. \"\n tag \"fix\": \"On a 32-bit system, add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules\n\nOn a 64-bit system, add the following to \\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. 
See an example of multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b32.*(?:-S[\\s]+|,)settimeofday(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b64.*(?:-S[\\s]+|,)settimeofday(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38655.rb", + "ref": "./Red Hat 6 STIG/controls/V-38522.rb", "line": 1 }, - "id": "V-38655" + "id": "V-38522" }, { - "title": "The audit system must be configured to audit all attempts to alter\nsystem time through stime.", - "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", + "title": "A file integrity tool must be installed.", + "desc": "The AIDE package must be installed if it is to be available for\nintegrity checking.", "descriptions": { - "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." + "default": "The AIDE package must be installed if it is to be available for\nintegrity checking." 
},
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000062",
- "gid": "V-38525",
- "rid": "SV-50326r4_rule",
- "stig_id": "RHEL-06-000169",
- "fix_id": "F-43473r4_fix",
+ "gtitle": "SRG-OS-000232",
+ "gid": "V-38489",
+ "rid": "SV-50290r1_rule",
+ "stig_id": "RHEL-06-000016",
+ "fix_id": "F-43436r1_fix",
 "cci": [
- "CCI-000169"
+ "CCI-001069"
 ],
 "nist": [
- "AU-12 a",
+ "RA-5 (7)",
 "Rev_4"
 ],
 "false_negatives": null,
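Review bot: In the new V-38522 record the `describe.one` block wraps a single `describe`, so it adds nothing and the `arch=b64` rule is required unconditionally, exactly like the `arch=b32` rule before it; a 32-bit host, where the `fix` text says only the b32 rule applies, will always fail this control. Gating the b64 check on the detected architecture, e.g. `if os.arch == 'x86_64'` around the second `describe file("/etc/audit/audit.rules")` block and dropping the `describe.one`, matches the 32/64-bit split the STIG fix describes. Requiring the b32 rule on 64-bit hosts as well is stricter than the fix text but defensible, since 64-bit kernels still service 32-bit syscalls; that choice deserves a comment in the control. The change belongs in `./Red Hat 6 STIG/controls/V-38522.rb` per `source_location`, with this JSON regenerated from it.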
@@ -2998,35 +3014,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is 64-bit only, this is not applicable.\n\nTo determine if the system is configured to audit calls to the \"stime\" system\ncall, run the following command:\n\n$ sudo grep -w \"stime\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. ", - "fix": "On a 32-bit system, add the following to\n\"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S stime -k audit_time_rules\n\nOn a 64-bit system, the \"-S stime\" is not necessary. The -k option allows for\nthe specification of a key in string form that can be used for better reporting\ncapability through ausearch and aureport. Multiple system calls can be defined\non the same line to save space if desired, but is not required. See an example\nof multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules" + "check": "If another file integrity tool is installed, this is not a\nfinding.\n\nRun the following command to determine if the \"aide\" package is installed:\n\n# rpm -q aide\n\n\nIf the package is not installed, this is a finding.", + "fix": "Install the AIDE package with the command:\n\n# yum install aide" }, - "code": "control \"V-38525\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through stime.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). 
All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38525\"\n tag \"rid\": \"SV-50326r4_rule\"\n tag \"stig_id\": \"RHEL-06-000169\"\n tag \"fix_id\": \"F-43473r4_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is 64-bit only, this is not applicable.\n\nTo determine if the system is configured to audit calls to the \\\"stime\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"stime\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. \"\n tag \"fix\": \"On a 32-bit system, add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S stime -k audit_time_rules\n\nOn a 64-bit system, the \\\"-S stime\\\" is not necessary. The -k option allows for\nthe specification of a key in string form that can be used for better reporting\ncapability through ausearch and aureport. Multiple system calls can be defined\non the same line to save space if desired, but is not required. 
See an example\nof multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b32.*(?:-S[\\s]+|,)stime(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38489\" do\n title \"A file integrity tool must be installed.\"\n desc \"The AIDE package must be installed if it is to be available for\nintegrity checking.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000232\"\n tag \"gid\": \"V-38489\"\n tag \"rid\": \"SV-50290r1_rule\"\n tag \"stig_id\": \"RHEL-06-000016\"\n tag \"fix_id\": \"F-43436r1_fix\"\n tag \"cci\": [\"CCI-001069\"]\n tag \"nist\": [\"RA-5 (7)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If another file integrity tool is installed, this is not a\nfinding.\n\nRun the following command to determine if the \\\"aide\\\" package is installed:\n\n# rpm -q aide\n\n\nIf the package is not installed, this is a finding.\"\n tag \"fix\": \"Install the AIDE package with the command:\n\n# yum install aide\"\n\n describe package(\"aide\") do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38525.rb", + "ref": "./Red Hat 6 STIG/controls/V-38489.rb", "line": 1 }, - "id": "V-38525" + "id": "V-38489" }, { - "title": "The system must use a reverse-path filter for IPv4 network traffic\nwhen possible by default.", - "desc": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. 
It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.", + "title": "The Bluetooth kernel module must be disabled.", + "desc": "If Bluetooth functionality must be disabled, preventing the kernel\nfrom loading the kernel module provides an additional safeguard against its\nactivation.", "descriptions": { - "default": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks." + "default": "If Bluetooth functionality must be disabled, preventing the kernel\nfrom loading the kernel module provides an additional safeguard against its\nactivation." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38544", - "rid": "SV-50345r2_rule", - "stig_id": "RHEL-06-000097", - "fix_id": "F-43492r1_fix", + "gtitle": "SRG-OS-000034", + "gid": "V-38682", + "rid": "SV-50483r5_rule", + "stig_id": "RHEL-06-000315", + "fix_id": "F-43631r3_fix", "cci": [ - "CCI-000366" + "CCI-000085" ], "nist": [ - "CM-6 b", + "AC-19 c", "Rev_4" ], "false_negatives": null, 
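Review bot: The InSpec body added for V-38489 (`describe package("aide") do it { should be_installed } end`) is stricter than the STIG check text beside it, which says "If another file integrity tool is installed, this is not a finding"; a host running a different integrity tool will be reported as failing even though the STIG considers it compliant. Since the `code` string is what the scanner executes, the exception should at least be recorded where the test is, e.g. a comment before the describe block such as `# NOTE: the STIG accepts any file integrity tool; this test only recognises aide — review manually if another tool is in use`, or better, an InSpec input naming the accepted package so sites with an alternative tool can pass without editing the control. The same mismatch between narrative check and automated test is worth scanning for in the other controls this commit swaps in.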
@@ -3039,30 +3055,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.default.rp_filter\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.rp_filter\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.rp_filter\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.rp_filter=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.rp_filter = 1" + "check": "If the system is configured to prevent the loading of the\n\"bluetooth\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"|\ngrep -v \"#\"\n\nIf no line is returned, this is a finding.\n\nIf the system is configured to prevent the loading of the \"net-pf-31\" kernel\nmodule, it will contain lines inside any file in \"/etc/modprobe.d\" or the\ndeprecated\"/etc/modprobe.conf\". These lines instruct the module loading\nsystem to run another program (such as \"/bin/true\") upon a module \"install\"\nevent. 
Run the following command to search for such lines in all files in\n\"/etc/modprobe.d\" and the deprecated \"/etc/modprobe.conf\":\n\n$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\" |\ngrep -v \"#\"\n\nIf no line is returned, this is a finding.", + "fix": "The kernel's module loading system can be configured to prevent\nloading of the Bluetooth module. Add the following to the appropriate\n\"/etc/modprobe.d\" configuration file to prevent the loading of the Bluetooth\nmodule:\n\ninstall net-pf-31 /bin/true\ninstall bluetooth /bin/true" }, - "code": "control \"V-38544\" do\n title \"The system must use a reverse-path filter for IPv4 network traffic\nwhen possible by default.\"\n desc \"Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38544\"\n tag \"rid\": \"SV-50345r2_rule\"\n tag \"stig_id\": \"RHEL-06-000097\"\n tag \"fix_id\": \"F-43492r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.rp_filter\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.rp_filter\n\nThe output of the command should indicate a value of \\\"1\\\". 
If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. \"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.rp_filter\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.rp_filter=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.rp_filter = 1\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.rp_filter\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.rp_filter\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.rp_filter[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38682\" do\n title \"The Bluetooth kernel module must be disabled.\"\n desc \"If Bluetooth functionality must be disabled, preventing the kernel\nfrom loading the kernel module provides an additional safeguard against its\nactivation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000034\"\n tag \"gid\": \"V-38682\"\n tag \"rid\": \"SV-50483r5_rule\"\n tag \"stig_id\": \"RHEL-06-000315\"\n tag \"fix_id\": \"F-43631r3_fix\"\n tag \"cci\": [\"CCI-000085\"]\n tag \"nist\": [\"AC-19 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"bluetooth\\\" kernel module, it will contain lines inside any file 
in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"|\ngrep -v \\\"#\\\"\n\nIf no line is returned, this is a finding.\n\nIf the system is configured to prevent the loading of the \\\"net-pf-31\\\" kernel\nmodule, it will contain lines inside any file in \\\"/etc/modprobe.d\\\" or the\ndeprecated\\\"/etc/modprobe.conf\\\". These lines instruct the module loading\nsystem to run another program (such as \\\"/bin/true\\\") upon a module \\\"install\\\"\nevent. Run the following command to search for such lines in all files in\n\\\"/etc/modprobe.d\\\" and the deprecated \\\"/etc/modprobe.conf\\\":\n\n$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\" |\ngrep -v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The kernel's module loading system can be configured to prevent\nloading of the Bluetooth module. 
Add the following to the appropriate\n\\\"/etc/modprobe.d\\\" configuration file to prevent the loading of the Bluetooth\nmodule:\n\ninstall net-pf-31 /bin/true\ninstall bluetooth /bin/true\"\n\n describe kernel_module('bluetooth') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\n\n describe kernel_module('net-pf-31') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38544.rb", + "ref": "./Red Hat 6 STIG/controls/V-38682.rb", "line": 1 }, - "id": "V-38544" + "id": "V-38682" }, { - "title": "All public directories must be owned by a system account.", - "desc": "Allowing a user account to own a world-writable directory is\nundesirable because it allows the owner of that directory to remove or replace\nany files that may be placed in the directory by other users.", + "title": "The system must use a separate file system for user home directories.", + "desc": "Ensuring that \"/home\" is mounted on its own partition enables the\nsetting of more restrictive mount options, and also helps ensure that users\ncannot trivially fill partitions used for log or audit data storage.", "descriptions": { - "default": "Allowing a user account to own a world-writable directory is\nundesirable because it allows the owner of that directory to remove or replace\nany files that may be placed in the directory by other users." + "default": "Ensuring that \"/home\" is mounted on its own partition enables the\nsetting of more restrictive mount options, and also helps ensure that users\ncannot trivially fill partitions used for log or audit data storage." 
}, "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38699", - "rid": "SV-50500r2_rule", - "stig_id": "RHEL-06-000337", - "fix_id": "F-43648r1_fix", + "gid": "V-38473", + "rid": "SV-50273r1_rule", + "stig_id": "RHEL-06-000007", + "fix_id": "F-43418r1_fix", "cci": [ "CCI-000366" ], 
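Review bot: The new `code` string for V-38682 contains `it { shold_not be_enabled }` twice (once for `bluetooth`, once for `net-pf-31`); `shold_not` is a misspelling of `should_not`, so RSpec will raise an undefined-method error and the whole control reports as an error rather than pass/fail, masking the actual module state. The immediate fix is `it { should_not be_enabled }` in both blocks, but I am not certain InSpec's `kernel_module` resource defines a `be_enabled` matcher at all, so the intended assertion may be `it { should be_disabled }` — please confirm against the pinned InSpec version. Relatedly, the fix text configures the modules with `install <module> /bin/true` lines, whereas `be_blacklisted` looks (as far as I recall) for `blacklist` entries, so a host configured exactly as the STIG prescribes could still fail `should be_blacklisted`; `be_disabled` is the matcher that tracks `install … /bin/true`. Since this JSON is a generated export, the correction belongs in the upstream `./Red Hat 6 STIG/controls/V-38682.rb` and then regenerating, not a hand-edit here.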
@@ -3080,30 +3096,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will discover and print world-writable\ndirectories that are not owned by a system account, given the assumption that\nonly system accounts have a uid lower than 500. Run it once for each local\npartition [PART]:\n\n# find [PART] -xdev -type d -perm -0002 -uid +499 -print\n\n\nIf there is output, this is a finding.", - "fix": "All directories in local partitions which are world-writable\nshould be owned by root or another system account. If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup." + "check": "Run the following command to determine if \"/home\" is on its\nown partition or logical volume:\n\n$ mount | grep \"on /home \"\n\nIf \"/home\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.", + "fix": "If user home directories will be stored locally, create a\nseparate partition for \"/home\" at installation time (or migrate it later\nusing LVM). If \"/home\" will be mounted from another system such as an NFS\nserver, then creating a separate partition is not necessary at installation\ntime, and the mountpoint can instead be configured later." 
}, - "code": "control \"V-38699\" do\n title \"All public directories must be owned by a system account.\"\n desc \"Allowing a user account to own a world-writable directory is\nundesirable because it allows the owner of that directory to remove or replace\nany files that may be placed in the directory by other users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38699\"\n tag \"rid\": \"SV-50500r2_rule\"\n tag \"stig_id\": \"RHEL-06-000337\"\n tag \"fix_id\": \"F-43648r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will discover and print world-writable\ndirectories that are not owned by a system account, given the assumption that\nonly system accounts have a uid lower than 500. Run it once for each local\npartition [PART]:\n\n# find [PART] -xdev -type d -perm -0002 -uid +499 -print\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"All directories in local partitions which are world-writable\nshould be owned by root or another system account. 
If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup.\"\n\n dirs = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type d -perm -0002 -uid +499 -print))\n describe \"World-writable directories not owned by system account\" do\n subject { dirs.stdout.strip.split(\"\\n\") }\n it { should be_empty }\n end\nend\n", + "code": "control \"V-38473\" do\n title \"The system must use a separate file system for user home directories.\"\n desc \"Ensuring that \\\"/home\\\" is mounted on its own partition enables the\nsetting of more restrictive mount options, and also helps ensure that users\ncannot trivially fill partitions used for log or audit data storage.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38473\"\n tag \"rid\": \"SV-50273r1_rule\"\n tag \"stig_id\": \"RHEL-06-000007\"\n tag \"fix_id\": \"F-43418r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/home\\\" is on its\nown partition or logical volume:\n\n$ mount | grep \\\"on /home \\\"\n\nIf \\\"/home\\\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"If user home directories will be stored locally, create a\nseparate partition for \\\"/home\\\" at installation time (or migrate it later\nusing LVM). 
If \\\"/home\\\" will be mounted from another system such as an NFS\nserver, then creating a separate partition is not necessary at installation\ntime, and the mountpoint can instead be configured later.\"\n\n describe mount(\"/home\") do\n it { should be_mounted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38699.rb", + "ref": "./Red Hat 6 STIG/controls/V-38473.rb", "line": 1 }, - "id": "V-38699" + "id": "V-38473" }, { - "title": "The sticky bit must be set on all public directories.", - "desc": "Failing to set the sticky bit on public directories allows\nunauthorized users to delete files in the directory structure.\n\n The only authorized public directories are those temporary directories\nsupplied with the system, or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system, and by\nusers for temporary file storage - such as /tmp - and for directories requiring\nglobal read/write access.", + "title": "The /etc/gshadow file must be owned by root.", + "desc": "The \"/etc/gshadow\" file contains group password hashes. Protection\nof this file is critical for system security.", "descriptions": { - "default": "Failing to set the sticky bit on public directories allows\nunauthorized users to delete files in the directory structure.\n\n The only authorized public directories are those temporary directories\nsupplied with the system, or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system, and by\nusers for temporary file storage - such as /tmp - and for directories requiring\nglobal read/write access." + "default": "The \"/etc/gshadow\" file contains group password hashes. Protection\nof this file is critical for system security." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38697", - "rid": "SV-50498r2_rule", - "stig_id": "RHEL-06-000336", - "fix_id": "F-43646r1_fix", + "gid": "V-38443", + "rid": "SV-50243r1_rule", + "stig_id": "RHEL-06-000036", + "fix_id": "F-43388r1_fix", "cci": [ "CCI-000366" ], 
@@ -3121,30 +3137,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To find world-writable directories that lack the sticky bit,\nrun the following command for each local partition [PART]:\n\n# find [PART] -xdev -type d -perm -002 \\! -perm -1000\n\n\nIf any world-writable directories are missing the sticky bit, this is a\nfinding.", - "fix": "When the so-called 'sticky bit' is set on a directory, only the\nowner of a given file may remove that file from the directory. Without the\nsticky bit, any user with write access to a directory may remove any file in\nthe directory. Setting the sticky bit prevents users from removing each other's\nfiles. In cases where there is no reason for a directory to be world-writable,\na better solution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application, consult that\napplication's documentation instead of blindly changing modes.\nTo set the sticky bit on a world-writable directory [DIR], run the following\ncommand:\n\n# chmod +t [DIR]" + "check": "To check the ownership of \"/etc/gshadow\", run the command:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following owner:\n\"root\"\nIf it does not, this is a finding.", + "fix": "To properly set the owner of \"/etc/gshadow\", run the command:\n\n# chown root /etc/gshadow" }, - "code": "control \"V-38697\" do\n title \"The sticky bit must be set on all public directories.\"\n desc \"Failing to set the sticky bit on public directories allows\nunauthorized users to delete files in the directory structure.\n\n The only authorized public directories are those temporary directories\nsupplied with the system, or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system, and by\nusers for temporary file storage - such as /tmp - and for directories requiring\nglobal read/write access.\n 
\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38697\"\n tag \"rid\": \"SV-50498r2_rule\"\n tag \"stig_id\": \"RHEL-06-000336\"\n tag \"fix_id\": \"F-43646r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To find world-writable directories that lack the sticky bit,\nrun the following command for each local partition [PART]:\n\n# find [PART] -xdev -type d -perm -002 \\\\! -perm -1000\n\n\nIf any world-writable directories are missing the sticky bit, this is a\nfinding.\"\n tag \"fix\": \"When the so-called 'sticky bit' is set on a directory, only the\nowner of a given file may remove that file from the directory. Without the\nsticky bit, any user with write access to a directory may remove any file in\nthe directory. Setting the sticky bit prevents users from removing each other's\nfiles. In cases where there is no reason for a directory to be world-writable,\na better solution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application, consult that\napplication's documentation instead of blindly changing modes.\nTo set the sticky bit on a world-writable directory [DIR], run the following\ncommand:\n\n# chmod +t [DIR]\"\n\n dirs = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type d -perm -002 \\\\! 
-perm -1000 -print))\n describe \"World-writable directories lacking sticky bit\" do\n subject { dirs.stdout.strip.split(\"\\n\") }\n it { should be_empty }\n end\nend\n", + "code": "control \"V-38443\" do\n title \"The /etc/gshadow file must be owned by root.\"\n desc \"The \\\"/etc/gshadow\\\" file contains group password hashes. Protection\nof this file is critical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38443\"\n tag \"rid\": \"SV-50243r1_rule\"\n tag \"stig_id\": \"RHEL-06-000036\"\n tag \"fix_id\": \"F-43388r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/etc/gshadow\\\", run the command:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following owner:\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the owner of \\\"/etc/gshadow\\\", run the command:\n\n# chown root /etc/gshadow\"\n\n describe file(\"/etc/gshadow\") do\n it { should exist }\n end\n describe file(\"/etc/gshadow\") do\n its(\"uid\") { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38697.rb", + "ref": "./Red Hat 6 STIG/controls/V-38443.rb", "line": 1 }, - "id": "V-38697" + "id": "V-38443" }, { - "title": "The /etc/shadow file must be owned by root.", - "desc": "The \"/etc/shadow\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. 
Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture.", + "title": "The system must limit the ability of processes to have simultaneous\nwrite and execute access to memory.", + "desc": "ExecShield uses the segmentation feature on all x86 systems to prevent\nexecution in memory higher than a certain address. It writes an address as a\nlimit in the code segment descriptor, to control where code can be executed, on\na per-process basis. When the kernel places a process's memory regions such as\nthe stack and heap higher than this address, the hardware prevents execution in\nthat address range.", "descriptions": { - "default": "The \"/etc/shadow\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture." + "default": "ExecShield uses the segmentation feature on all x86 systems to prevent\nexecution in memory higher than a certain address. It writes an address as a\nlimit in the code segment descriptor, to control where code can be executed, on\na per-process basis. When the kernel places a process's memory regions such as\nthe stack and heap higher than this address, the hardware prevents execution in\nthat address range." }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38502", - "rid": "SV-50303r1_rule", - "stig_id": "RHEL-06-000033", - "fix_id": "F-43449r1_fix", + "gid": "V-38597", + "rid": "SV-50398r2_rule", + "stig_id": "RHEL-06-000079", + "fix_id": "F-43545r1_fix", "cci": [ "CCI-000366" ], 
@@ -3162,30 +3178,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the ownership of \"/etc/shadow\", run the command:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following owner:\n\"root\"\nIf it does not, this is a finding.", - "fix": "To properly set the owner of \"/etc/shadow\", run the command:\n\n# chown root /etc/shadow" + "check": "The status of the \"kernel.exec-shield\" kernel parameter can\nbe queried by running the following command:\n\n$ sysctl kernel.exec-shield\n$ grep kernel.exec-shield /etc/sysctl.conf\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\nIf the correct value is not returned, this is a finding.", + "fix": "To set the runtime status of the \"kernel.exec-shield\" kernel\nparameter, run the following command:\n\n# sysctl -w kernel.exec-shield=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nkernel.exec-shield = 1" }, - "code": "control \"V-38502\" do\n title \"The /etc/shadow file must be owned by root.\"\n desc \"The \\\"/etc/shadow\\\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. 
Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38502\"\n tag \"rid\": \"SV-50303r1_rule\"\n tag \"stig_id\": \"RHEL-06-000033\"\n tag \"fix_id\": \"F-43449r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/etc/shadow\\\", run the command:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following owner:\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the owner of \\\"/etc/shadow\\\", run the command:\n\n# chown root /etc/shadow\"\n\n describe file(\"/etc/shadow\") do\n it { should exist }\n end\n describe file(\"/etc/shadow\") do\n its(\"uid\") { should cmp 0 }\n end\nend\n", + "code": "control \"V-38597\" do\n title \"The system must limit the ability of processes to have simultaneous\nwrite and execute access to memory.\"\n desc \"ExecShield uses the segmentation feature on all x86 systems to prevent\nexecution in memory higher than a certain address. It writes an address as a\nlimit in the code segment descriptor, to control where code can be executed, on\na per-process basis. 
When the kernel places a process's memory regions such as\nthe stack and heap higher than this address, the hardware prevents execution in\nthat address range.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38597\"\n tag \"rid\": \"SV-50398r2_rule\"\n tag \"stig_id\": \"RHEL-06-000079\"\n tag \"fix_id\": \"F-43545r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"kernel.exec-shield\\\" kernel parameter can\nbe queried by running the following command:\n\n$ sysctl kernel.exec-shield\n$ grep kernel.exec-shield /etc/sysctl.conf\n\nThe output of the command should indicate a value of \\\"1\\\". 
If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\nIf the correct value is not returned, this is a finding.\"\n tag \"fix\": \"To set the runtime status of the \\\"kernel.exec-shield\\\" kernel\nparameter, run the following command:\n\n# sysctl -w kernel.exec-shield=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nkernel.exec-shield = 1\"\n\n describe command('sysctl -n kernel.exec-shield') do\n its('stdout.strip') { should eq '1' }\n end\n\n describe parse_config_file('/etc/sysctl.conf') do\n its('params') { should be >= { 'kernel.exec-shield' => '1' } }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38502.rb", + "ref": "./Red Hat 6 STIG/controls/V-38597.rb", "line": 1 }, - "id": "V-38502" + "id": "V-38597" }, { - "title": "The login user list must be disabled.", - "desc": "Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to quickly enumerate known user\naccounts without logging in.", + "title": "The system must require passwords to contain no more than three\nconsecutive repeating characters.", + "desc": "Passwords with excessive repeating characters may be more vulnerable\nto password-guessing attacks.", "descriptions": { - "default": "Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to quickly enumerate known user\naccounts without logging in." + "default": "Passwords with excessive repeating characters may be more vulnerable\nto password-guessing attacks." 
}, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-43150", - "rid": "SV-55880r2_rule", - "stig_id": "RHEL-06-000527", - "fix_id": "F-48722r2_fix", + "gid": "V-38693", + "rid": "SV-50494r3_rule", + "stig_id": "RHEL-06-000299", + "fix_id": "F-43642r3_fix", "cci": [ "CCI-000366" ], 
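Review bot: The export appears to have been regenerated with its `controls` array in a different order, so this hunk pairs the removed V-38502 with an unrelated V-38597, and the following hunks do the same (V-43150→V-38693, V-38453→V-38531, V-38542→V-38535, V-38621→V-38607), which hides whatever actually changed in those controls. Sorting `controls` by `id` before committing, or exporting with a stable ordering, would keep future diffs of this file reviewable. The `code` values are copies of the files named in each `source_location.ref`, so any fix to the embedded tests belongs in those `.rb` files followed by a fresh export.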
@@ -3203,35 +3219,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure the user list is disabled, run the following command:\n\n$ gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--get /apps/gdm/simple-greeter/disable_user_list\n\nThe output should be \"true\". If it is not, this is a finding. ", - "fix": "In the default graphical environment, users logging directly into\nthe system are greeted with a login screen that displays all known users. This\nfunctionality should be disabled.\n\nRun the following command to disable the user list:\n\n$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gdm/simple-greeter/disable_user_list true" + "check": "To check the maximum value for consecutive repeating\ncharacters, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nLook for the value of the \"maxrepeat\" parameter.\n\nIf \"maxrepeat\" is not found or is set to a value less than \"3\", this is a\nfinding.", + "fix": "The pam_cracklib module's \"maxrepeat\" parameter controls\nrequirements for consecutive repeating characters. 
When set to a positive\nnumber, it will reject passwords which contain more than that number of\nconsecutive characters.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"maxrepeat=3\"\nafter pam_cracklib.so to prevent a run of (3 + 1) or more identical characters.\n\npassword required pam_cracklib.so maxrepeat=3 " }, - "code": "control \"V-43150\" do\n title \"The login user list must be disabled.\"\n desc \"Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to quickly enumerate known user\naccounts without logging in.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-43150\"\n tag \"rid\": \"SV-55880r2_rule\"\n tag \"stig_id\": \"RHEL-06-000527\"\n tag \"fix_id\": \"F-48722r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo ensure the user list is disabled, run the following command:\n\n$ gconftool-2 --direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--get /apps/gdm/simple-greeter/disable_user_list\n\nThe output should be \\\"true\\\". If it is not, this is a finding. \"\n tag \"fix\": \"In the default graphical environment, users logging directly into\nthe system are greeted with a login screen that displays all known users. 
This\nfunctionality should be disabled.\n\nRun the following command to disable the user list:\n\n$ sudo gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool --set /apps/gdm/simple-greeter/disable_user_list true\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/disable_user_list\") do\n its('stdout.strip') { should eq 'true' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-38693\" do\n title \"The system must require passwords to contain no more than three\nconsecutive repeating characters.\"\n desc \"Passwords with excessive repeating characters may be more vulnerable\nto password-guessing attacks.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38693\"\n tag \"rid\": \"SV-50494r3_rule\"\n tag \"stig_id\": \"RHEL-06-000299\"\n tag \"fix_id\": \"F-43642r3_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the maximum value for consecutive repeating\ncharacters, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nLook for the value of the \\\"maxrepeat\\\" parameter.\n\nIf \\\"maxrepeat\\\" is not found or is set to a value less than \\\"3\\\", this is a\nfinding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"maxrepeat\\\" parameter controls\nrequirements for consecutive repeating characters. 
When set to a positive\nnumber, it will reject passwords which contain more than that number of\nconsecutive characters.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"maxrepeat=3\\\"\nafter pam_cracklib.so to prevent a run of (3 + 1) or more identical characters.\n\npassword required pam_cracklib.so maxrepeat=3 \"\n\n pam_files = [\"/etc/pam.d/system-auth\", \"/etc/pam.d/password-auth\"]\n pam_files.each do |pam_file|\n lines = command(\"grep pam_cracklib #{pam_file}\").stdout.strip.split(\"\\n\")\n describe \"pam_cracklib lines in #{pam_file}\" do\n subject { lines }\n it { should_not be_empty }\n end\n\n lines.each do |l|\n describe l do\n it { should match %r{\\bmaxrepeat=([3-9]|[1-9][0-9]+)\\b} }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-43150.rb", + "ref": "./Red Hat 6 STIG/controls/V-38693.rb", "line": 1 }, - "id": "V-43150" + "id": "V-38693" }, { - "title": "The system package management tool must verify group-ownership on all\nfiles and directories associated with packages.", - "desc": "Group-ownership of system binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.", + "title": "The operating system must automatically audit account creation.", + "desc": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.", "descriptions": { - "default": "Group-ownership of system binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated." 
+ "default": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38453", - "rid": "SV-50253r2_rule", - "stig_id": "RHEL-06-000517", - "fix_id": "F-43399r1_fix", + "gtitle": "SRG-OS-000004", + "gid": "V-38531", + "rid": "SV-50332r2_rule", + "stig_id": "RHEL-06-000174", + "fix_id": "F-43480r1_fix", "cci": [ - "CCI-000366" + "CCI-000018" ], "nist": [ - "CM-6 b", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
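Review bot: `command("grep pam_cracklib #{pam_file}")` in V-38693 also returns commented-out lines, so a disabled `#password required pam_cracklib.so maxrepeat=3` satisfies the control while a commented line that lacks `maxrepeat` fails it. Reading the file and dropping comments first removes the shell round-trip as well: `lines = file(pam_file).content.to_s.lines.map(&:strip).reject { |l| l.start_with?('#') }.grep(/pam_cracklib/)`. Separately, `\bmaxrepeat=([3-9]|[1-9][0-9]+)\b` accepts any value from 3 upward, so `maxrepeat=99` passes even though the title asks for no more than three consecutive repeats; that follows the STIG check text literally, so confirm which reading is intended. This `code` string is a copy of `./Red Hat 6 STIG/controls/V-38693.rb`, where the change belongs.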
@@ -3244,30 +3260,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will list which files on the system have\ngroup-ownership different from what is expected by the RPM database:\n\n# rpm -Va | grep '^......G'\n\n\nIf any output is produced, verify that the changes were due to STIG application\nand have been documented with the ISSO.\n\nIf any output has not been documented with the ISSO, this is a finding.\n", - "fix": "The RPM package management system can restore group-ownership of\nthe package files and directories. The following command will update files and\ndirectories with group-ownership different from what is expected by the RPM\ndatabase:\n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]" + "check": "To determine if the system is configured to audit account\nchanges, run the following command:\n\n$ sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \"-p wa\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.", + "fix": "Add the following to \"/etc/audit/audit.rules\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes" }, - "code": "control \"V-38453\" do\n title \"The system package management tool must verify group-ownership on all\nfiles and directories associated with packages.\"\n desc \"Group-ownership of system binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. 
The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38453\"\n tag \"rid\": \"SV-50253r2_rule\"\n tag \"stig_id\": \"RHEL-06-000517\"\n tag \"fix_id\": \"F-43399r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which files on the system have\ngroup-ownership different from what is expected by the RPM database:\n\n# rpm -Va | grep '^......G'\n\n\nIf any output is produced, verify that the changes were due to STIG application\nand have been documented with the ISSO.\n\nIf any output has not been documented with the ISSO, this is a finding.\n\"\n tag \"fix\": \"The RPM package management system can restore group-ownership of\nthe package files and directories. The following command will update files and\ndirectories with group-ownership different from what is expected by the RPM\ndatabase:\n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]\"\n\n # TODO check against an exception list attribute\n describe command(\"rpm -Va | grep '^......G'\") do\n its('stdout.strip') { should eq '' }\n end\nend\n", + "code": "control \"V-38531\" do\n title \"The operating system must automatically audit account creation.\"\n desc \"In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. 
Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000004\"\n tag \"gid\": \"V-38531\"\n tag \"rid\": \"SV-50332r2_rule\"\n tag \"stig_id\": \"RHEL-06-000174\"\n tag \"fix_id\": \"F-43480r1_fix\"\n tag \"cci\": [\"CCI-000018\"]\n tag \"nist\": [\"AC-2 (4)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit account\nchanges, run the following command:\n\n$ sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \\\"-p wa\\\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe 
file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38453.rb", + "ref": "./Red Hat 6 STIG/controls/V-38531.rb", "line": 1 }, - "id": "V-38453" + "id": "V-38531" }, { - "title": "The system must use a reverse-path filter for IPv4 network traffic\nwhen possible on all interfaces.", - "desc": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.", + "title": "The system must not respond to ICMPv4 sent to a broadcast address.", + "desc": "Ignoring ICMP echo requests (pings) sent to broadcast or multicast\naddresses makes the system slightly more difficult to enumerate on the network.", "descriptions": { - "default": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks." + "default": "Ignoring ICMP echo requests (pings) sent to broadcast or multicast\naddresses makes the system slightly more difficult to enumerate on the network." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38542", - "rid": "SV-50343r2_rule", - "stig_id": "RHEL-06-000096", - "fix_id": "F-43490r1_fix", + "gid": "V-38535", + "rid": "SV-50336r2_rule", + "stig_id": "RHEL-06-000092", + "fix_id": "F-43483r1_fix", "cci": [ "CCI-000366" ], 
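Review bot: The five `describe file("/etc/audit/audit.rules")` blocks in V-38531 differ only in the watched path, and each regex accepts only `-p wa` and a `\w+` key, so an equivalent rule such as `-w /etc/shadow -p rwa -k audit-account-changes` is reported as a finding. A loop over the watched paths with a permission match that requires `w` and `a` in any order and allows any non-blank key removes both the duplication and those false findings. This `code` string is a copy of `./Red Hat 6 STIG/controls/V-38531.rb`, so the change belongs there and the export should be regenerated afterwards.
```ruby
  # … unchanged: title, desc, impact and tag lines …
  %w(/etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd).each do |watched|
    describe file("/etc/audit/audit.rules") do
      its("content") { should match(%r{^-w\s+#{Regexp.escape(watched)}\s+-p\s+(?=[rwxa]*w)(?=[rwxa]*a)[rwxa]+\s+-k\s+\S+\s*$}) }
    end
  end
```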
@@ -3285,35 +3301,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.all.rp_filter\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.rp_filter\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the \"net.ipv4.conf.all.rp_filter\"\nkernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.rp_filter=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.rp_filter = 1" + "check": "The status of the \"net.ipv4.icmp_echo_ignore_broadcasts\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
", + "fix": "To set the runtime status of the\n\"net.ipv4.icmp_echo_ignore_broadcasts\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1" }, - "code": "control \"V-38542\" do\n title \"The system must use a reverse-path filter for IPv4 network traffic\nwhen possible on all interfaces.\"\n desc \"Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38542\"\n tag \"rid\": \"SV-50343r2_rule\"\n tag \"stig_id\": \"RHEL-06-000096\"\n tag \"fix_id\": \"F-43490r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.rp_filter\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.rp_filter\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the \\\"net.ipv4.conf.all.rp_filter\\\"\nkernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.rp_filter=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.rp_filter = 1\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.rp_filter\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.rp_filter\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.rp_filter[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38535\" do\n title \"The system must not respond to ICMPv4 sent to a broadcast address.\"\n desc \"Ignoring ICMP echo requests (pings) sent to broadcast or multicast\naddresses makes the system slightly more difficult to enumerate on the network.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38535\"\n tag \"rid\": \"SV-50336r2_rule\"\n tag \"stig_id\": \"RHEL-06-000092\"\n tag \"fix_id\": \"F-43483r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.icmp_echo_ignore_broadcasts\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nThe output of the command should indicate a value of \\\"1\\\". 
If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. \"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.icmp_echo_ignore_broadcasts\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\"\n\n describe kernel_parameter(\"net.ipv4.icmp_echo_ignore_broadcasts\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.icmp_echo_ignore_broadcasts\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.icmp_echo_ignore_broadcasts[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38542.rb", + "ref": "./Red Hat 6 STIG/controls/V-38535.rb", "line": 1 }, - "id": "V-38542" + "id": "V-38535" }, { - "title": "The system clock must be synchronized to an authoritative DoD time\nsource.", - "desc": "Synchronizing with an NTP server makes it possible to collate system\nlogs from multiple sources or correlate computer events with real time events.\nUsing a trusted NTP server provided by your organization is recommended.", + "title": "The SSH daemon must be configured to use only the SSHv2 protocol.", + "desc": "SSH protocol version 1 suffers from design flaws that result in\nsecurity vulnerabilities and should not be used.", "descriptions": { - "default": "Synchronizing with an NTP server makes it possible to collate system\nlogs from multiple sources or correlate computer events with real time events.\nUsing a trusted NTP server provided by your organization is recommended." 
+ "default": "SSH protocol version 1 suffers from design flaws that result in\nsecurity vulnerabilities and should not be used." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000056", - "gid": "V-38621", - "rid": "SV-50422r1_rule", - "stig_id": "RHEL-06-000248", - "fix_id": "F-43570r1_fix", + "gtitle": "SRG-OS-000112", + "gid": "V-38607", + "rid": "SV-50408r1_rule", + "stig_id": "RHEL-06-000227", + "fix_id": "F-43555r1_fix", "cci": [ - "CCI-000160" + "CCI-000774" ], "nist": [ - "AU-8 (1)", + "IA-2 (8)", "Rev_4" ], "false_negatives": null, 
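Review bot: V-38535 verifies a sysctl setting with `kernel_parameter(...)` plus a hand-written regex over `/etc/sysctl.conf`, while V-38597 in the hunk at `@@ -3162,30 +3178,30 @@` does the same job with `command('sysctl -n ...')` and `parse_config_file`; one idiom for all sysctl controls would be easier to maintain, and `kernel_parameter` together with `parse_config_file('/etc/sysctl.conf')` covers both sides without a shell call. The regex `/^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*1[\s]*$/` leaves its dots unescaped, so each matches any character; `\.` or `Regexp.escape` fixes that if the regex stays. The first `describe` block, `its("value") { should_not be_nil }`, adds nothing because `should eq 1` already fails on a nil value. This `code` string is a copy of `./Red Hat 6 STIG/controls/V-38535.rb`, where the change belongs.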
@@ -3326,35 +3342,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "A remote NTP server should be configured for time\nsynchronization. To verify one is configured, open the following file.\n\n/etc/ntp.conf\n\nIn the file, there should be a section similar to the following:\n\n# --- OUR TIMESERVERS -----\nserver [ntpserver]\n\n\nIf this is not the case, this is a finding.", - "fix": "To specify a remote NTP server for time synchronization, edit the\nfile \"/etc/ntp.conf\". Add or correct the following lines, substituting the IP\nor hostname of a remote NTP server for ntpserver.\n\nserver [ntpserver]\n\nThis instructs the NTP software to contact that remote server to obtain time\ndata." + "check": "To check which SSH protocol version is allowed, run the\nfollowing command:\n\n# grep Protocol /etc/ssh/sshd_config\n\nIf configured properly, output should be\n\nProtocol 2\n\n\nIf it is not, this is a finding.", + "fix": "Only SSH protocol version 2 connections should be permitted. 
The\ndefault setting in \"/etc/ssh/sshd_config\" is correct, and can be verified by\nensuring that the following line appears:\n\nProtocol 2" }, - "code": "control \"V-38621\" do\n title \"The system clock must be synchronized to an authoritative DoD time\nsource.\"\n desc \"Synchronizing with an NTP server makes it possible to collate system\nlogs from multiple sources or correlate computer events with real time events.\nUsing a trusted NTP server provided by your organization is recommended.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000056\"\n tag \"gid\": \"V-38621\"\n tag \"rid\": \"SV-50422r1_rule\"\n tag \"stig_id\": \"RHEL-06-000248\"\n tag \"fix_id\": \"F-43570r1_fix\"\n tag \"cci\": [\"CCI-000160\"]\n tag \"nist\": [\"AU-8 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"A remote NTP server should be configured for time\nsynchronization. To verify one is configured, open the following file.\n\n/etc/ntp.conf\n\nIn the file, there should be a section similar to the following:\n\n# --- OUR TIMESERVERS -----\nserver [ntpserver]\n\n\nIf this is not the case, this is a finding.\"\n tag \"fix\": \"To specify a remote NTP server for time synchronization, edit the\nfile \\\"/etc/ntp.conf\\\". 
Add or correct the following lines, substituting the IP\nor hostname of a remote NTP server for ntpserver.\n\nserver [ntpserver]\n\nThis instructs the NTP software to contact that remote server to obtain time\ndata.\"\n\n describe file(\"/etc/ntp.conf\") do\n its(\"content\") { should match(/^[\\s]*server[\\s]+.+$/) }\n end\nend\n", + "code": "control \"V-38607\" do\n title \"The SSH daemon must be configured to use only the SSHv2 protocol.\"\n desc \"SSH protocol version 1 suffers from design flaws that result in\nsecurity vulnerabilities and should not be used.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000112\"\n tag \"gid\": \"V-38607\"\n tag \"rid\": \"SV-50408r1_rule\"\n tag \"stig_id\": \"RHEL-06-000227\"\n tag \"fix_id\": \"F-43555r1_fix\"\n tag \"cci\": [\"CCI-000774\"]\n tag \"nist\": [\"IA-2 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check which SSH protocol version is allowed, run the\nfollowing command:\n\n# grep Protocol /etc/ssh/sshd_config\n\nIf configured properly, output should be\n\nProtocol 2\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"Only SSH protocol version 2 connections should be permitted. 
The\ndefault setting in \\\"/etc/ssh/sshd_config\\\" is correct, and can be verified by\nensuring that the following line appears:\n\nProtocol 2\"\n\n describe sshd_config do\n its('Protocol') { should cmp 2 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38621.rb", + "ref": "./Red Hat 6 STIG/controls/V-38607.rb", "line": 1 }, - "id": "V-38621" + "id": "V-38607" }, { - "title": "The system must require passwords to contain a minimum of 15\ncharacters.", - "desc": "Requiring a minimum password length makes password cracking attacks\nmore difficult by ensuring a larger search space. However, any security benefit\nfrom an onerous requirement must be carefully weighed against usability\nproblems, support costs, or counterproductive behavior that may result.\n\n While it does not negate the password length requirement, it is preferable\nto migrate from a password-based authentication scheme to a stronger one based\non PKI (public key infrastructure).", + "title": "The operating system must enforce requirements for the connection of\nmobile devices to operating systems.", + "desc": "USB storage devices such as thumb drives can be used to introduce\nunauthorized software and other vulnerabilities. Support for these devices\nshould be disabled and the devices themselves should be tightly controlled.", "descriptions": { - "default": "Requiring a minimum password length makes password cracking attacks\nmore difficult by ensuring a larger search space. However, any security benefit\nfrom an onerous requirement must be carefully weighed against usability\nproblems, support costs, or counterproductive behavior that may result.\n\n While it does not negate the password length requirement, it is preferable\nto migrate from a password-based authentication scheme to a stronger one based\non PKI (public key infrastructure)." + "default": "USB storage devices such as thumb drives can be used to introduce\nunauthorized software and other vulnerabilities. 
Support for these devices\nshould be disabled and the devices themselves should be tightly controlled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000078", - "gid": "V-38475", - "rid": "SV-50275r3_rule", - "stig_id": "RHEL-06-000050", - "fix_id": "F-43419r3_fix", + "gtitle": "SRG-OS-000273", + "gid": "V-38490", + "rid": "SV-50291r6_rule", + "stig_id": "RHEL-06-000503", + "fix_id": "F-43437r3_fix", "cci": [ - "CCI-000205" + "CCI-000086" ], "nist": [ - "IA-5 (1) (a)", + "AC-19 d", "Rev_4" ], "false_negatives": null, 
@@ -3367,35 +3383,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the minimum password length, run the command:\n\n$ grep PASS_MIN_LEN /etc/login.defs\n\nThe DoD requirement is \"15\".\n\nIf it is not set to the required value, this is a finding.\n\n$ grep –E 'pam_cracklib.so.*minlen' /etc/pam.d/*\n\nIf no results are returned, this is not a finding.\n\nIf any results are returned and are not set to \"15\" or greater, this is a\nfinding.\n", - "fix": "To specify password length requirements for new accounts, edit\nthe file \"/etc/login.defs\" and add or correct the following lines:\n\nPASS_MIN_LEN 15\n\nThe DoD requirement is \"15\". If a program consults \"/etc/login.defs\" and\nalso another PAM module (such as \"pam_cracklib\") during a password change\noperation, then the most restrictive must be satisfied." + "check": "If the system is configured to prevent the loading of the\n\"usb-storage\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"\n| grep -v \"#\"\n\nIf no line is returned, this is a finding.", + "fix": "To prevent USB storage devices from being used, configure the\nkernel module loading system to prevent automatic loading of the USB storage\ndriver. 
To configure the system to prevent the \"usb-storage\" kernel module\nfrom being loaded, add the following line to a file in the directory\n\"/etc/modprobe.d\":\n\ninstall usb-storage /bin/true\n\nThis will prevent the \"modprobe\" program from loading the \"usb-storage\"\nmodule, but will not prevent an administrator (or another program) from using\nthe \"insmod\" program to load the module manually." }, - "code": "control \"V-38475\" do\n title \"The system must require passwords to contain a minimum of 15\ncharacters.\"\n desc \"Requiring a minimum password length makes password cracking attacks\nmore difficult by ensuring a larger search space. However, any security benefit\nfrom an onerous requirement must be carefully weighed against usability\nproblems, support costs, or counterproductive behavior that may result.\n\n While it does not negate the password length requirement, it is preferable\nto migrate from a password-based authentication scheme to a stronger one based\non PKI (public key infrastructure).\n \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000078\"\n tag \"gid\": \"V-38475\"\n tag \"rid\": \"SV-50275r3_rule\"\n tag \"stig_id\": \"RHEL-06-000050\"\n tag \"fix_id\": \"F-43419r3_fix\"\n tag \"cci\": [\"CCI-000205\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the minimum password length, run the command:\n\n$ grep PASS_MIN_LEN /etc/login.defs\n\nThe DoD requirement is \\\"15\\\".\n\nIf it is not set to the required value, this is a finding.\n\n$ grep –E 'pam_cracklib.so.*minlen' /etc/pam.d/*\n\nIf no results are returned, this is not a finding.\n\nIf any results are returned and are not set to \\\"15\\\" 
or greater, this is a\nfinding.\n\"\n tag \"fix\": \"To specify password length requirements for new accounts, edit\nthe file \\\"/etc/login.defs\\\" and add or correct the following lines:\n\nPASS_MIN_LEN 15\n\nThe DoD requirement is \\\"15\\\". If a program consults \\\"/etc/login.defs\\\" and\nalso another PAM module (such as \\\"pam_cracklib\\\") during a password change\noperation, then the most restrictive must be satisfied.\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^PASS_MIN_LEN\\s+(\\d+)\\s*$/) }\n end\n file(\"/etc/login.defs\").content.to_s.scan(/^PASS_MIN_LEN\\s+(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 15 }\n end\n end\nend\n", + "code": "control \"V-38490\" do\n title \"The operating system must enforce requirements for the connection of\nmobile devices to operating systems.\"\n desc \"USB storage devices such as thumb drives can be used to introduce\nunauthorized software and other vulnerabilities. Support for these devices\nshould be disabled and the devices themselves should be tightly controlled.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000273\"\n tag \"gid\": \"V-38490\"\n tag \"rid\": \"SV-50291r6_rule\"\n tag \"stig_id\": \"RHEL-06-000503\"\n tag \"fix_id\": \"F-43437r3_fix\"\n tag \"cci\": [\"CCI-000086\"]\n tag \"nist\": [\"AC-19 d\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"usb-storage\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". 
These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"\n| grep -v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"To prevent USB storage devices from being used, configure the\nkernel module loading system to prevent automatic loading of the USB storage\ndriver. To configure the system to prevent the \\\"usb-storage\\\" kernel module\nfrom being loaded, add the following line to a file in the directory\n\\\"/etc/modprobe.d\\\":\n\ninstall usb-storage /bin/true\n\nThis will prevent the \\\"modprobe\\\" program from loading the \\\"usb-storage\\\"\nmodule, but will not prevent an administrator (or another program) from using\nthe \\\"insmod\\\" program to load the module manually.\"\n\n describe kernel_module('usb-storage') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38475.rb", + "ref": "./Red Hat 6 STIG/controls/V-38490.rb", "line": 1 }, - "id": "V-38475" + "id": "V-38490" }, { - "title": "The systems local IPv4 firewall must implement a deny-all,\nallow-by-exception policy for inbound packets.", - "desc": "In \"iptables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.", + "title": "The operating system must employ automated mechanisms to facilitate\nthe monitoring and control of remote access methods.", + "desc": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.", "descriptions": { - "default": "In \"iptables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted." + "default": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000231", - "gid": "V-38513", - "rid": "SV-50314r2_rule", - "stig_id": "RHEL-06-000120", - "fix_id": "F-43460r1_fix", + "gtitle": "SRG-OS-000032", + "gid": "V-38631", + "rid": "SV-50432r2_rule", + "stig_id": "RHEL-06-000148", + "fix_id": "F-43580r2_fix", "cci": [ - "CCI-000066" + "CCI-000067" ], "nist": [ - "AC-17 e", + "AC-17 (1)", "Rev_4" ], "false_negatives": null, 
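Review bot: The new `code` string for V-38490 contains `it { shold_not be_enabled }` — the matcher is misspelled, so InSpec raises NoMethodError for that example instead of evaluating the module state; it should read `it { should_not be_enabled }`. Separately, `it { should be_blacklisted }` appears stricter than the control's own fix text, which only asks for an `install usb-storage /bin/true` line under /etc/modprobe.d; if I recall the kernel_module resource correctly, `be_blacklisted` looks for an explicit `blacklist` entry while `be_disabled` also accepts the install-to-/bin/true form, so `it { should be_disabled }` would match the documented fix. Both points apply to the escaped Ruby inside the `+ "code"` value, which spans two physical lines of this hunk.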
@@ -3408,35 +3424,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to ensure the default \"INPUT\"\npolicy is \"DROP\":\n\n# iptables -nvL | grep -i input\n\nChain INPUT (policy DROP 0 packets, 0 bytes)\n\nIf the default policy for the INPUT chain is not set to DROP, this is a\nfinding.", - "fix": "To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in INPUT chain which processes incoming packets, add or correct the\nfollowing line in \"/etc/sysconfig/iptables\":\n\n:INPUT DROP [0:0]" + "check": "Run the following command to determine the current status of\nthe \"auditd\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"auditd\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \"auditd\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start" }, - "code": "control \"V-38513\" do\n title \"The systems local IPv4 firewall must implement a deny-all,\nallow-by-exception policy for inbound packets.\"\n desc \"In \\\"iptables\\\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \\\"DROP\\\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000231\"\n tag \"gid\": \"V-38513\"\n tag \"rid\": \"SV-50314r2_rule\"\n tag \"stig_id\": \"RHEL-06-000120\"\n tag \"fix_id\": \"F-43460r1_fix\"\n tag \"cci\": [\"CCI-000066\"]\n tag \"nist\": [\"AC-17 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to ensure the default \\\"INPUT\\\"\npolicy is \\\"DROP\\\":\n\n# iptables -nvL | grep -i input\n\nChain INPUT (policy DROP 0 packets, 0 bytes)\n\nIf the default policy for the INPUT chain is not set to DROP, this is a\nfinding.\"\n tag \"fix\": \"To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in INPUT chain which processes incoming packets, add or correct the\nfollowing line in \\\"/etc/sysconfig/iptables\\\":\n\n:INPUT DROP [0:0]\"\n\n describe command(\"iptables -nvL | grep -i input\") do\n its('stdout.strip') { should match %r{Chain INPUT \\(policy DROP} }\n end\nend\n", + "code": "control \"V-38631\" do\n title \"The operating system must employ automated mechanisms to facilitate\nthe monitoring and control of remote access methods.\"\n desc \"Ensuring the \\\"auditd\\\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000032\"\n tag \"gid\": \"V-38631\"\n tag \"rid\": \"SV-50432r2_rule\"\n tag \"stig_id\": \"RHEL-06-000148\"\n tag \"fix_id\": \"F-43580r2_fix\"\n tag \"cci\": [\"CCI-000067\"]\n tag \"nist\": [\"AC-17 
(1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"auditd\\\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \\\"auditd\\\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start\"\n\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38513.rb", + "ref": "./Red Hat 6 STIG/controls/V-38631.rb", "line": 1 }, - "id": "V-38513" + "id": "V-38631" }, { - "title": "The Stream Control Transmission Protocol (SCTP) must be disabled\nunless required.", - "desc": "Disabling SCTP protects the system against exploitation of any flaws\nin its implementation.", + "title": "The audit system must be configured to audit the loading and unloading\nof dynamic kernel modules.", + "desc": "The addition/removal of kernel modules can be used to alter the\nbehavior of the kernel and potentially introduce malicious code into kernel\nspace. It is important to have an audit trail of modules that have been\nintroduced into the kernel.", "descriptions": { - "default": "Disabling SCTP protects the system against exploitation of any flaws\nin its implementation." 
+ "default": "The addition/removal of kernel modules can be used to alter the\nbehavior of the kernel and potentially introduce malicious code into kernel\nspace. It is important to have an audit trail of modules that have been\nintroduced into the kernel." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38515", - "rid": "SV-50316r5_rule", - "stig_id": "RHEL-06-000125", - "fix_id": "F-43462r3_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38580", + "rid": "SV-50381r2_rule", + "stig_id": "RHEL-06-000202", + "fix_id": "F-43528r2_fix", "cci": [ - "CCI-000382" + "CCI-000172" ], "nist": [ - "CM-7 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
@@ -3449,35 +3465,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is configured to prevent the loading of the\n\"sctp\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"| grep\n-v \"#\"\n\nIf no line is returned, this is a finding.", - "fix": "The Stream Control Transmission Protocol (SCTP) is a transport\nlayer protocol, designed to support the idea of message-oriented communication,\nwith several streams of messages within one connection. To configure the system\nto prevent the \"sctp\" kernel module from being loaded, add the following line\nto a file in the directory \"/etc/modprobe.d\":\n\ninstall sctp /bin/true" + "check": "To determine if the system is configured to audit execution of\nmodule management programs, run the following commands:\n\n$ sudo egrep -e \"(-w |-F path=)/sbin/insmod\" /etc/audit/audit.rules\n$ sudo egrep -e \"(-w |-F path=)/sbin/rmmod\" /etc/audit/audit.rules\n$ sudo egrep -e \"(-w |-F path=)/sbin/modprobe\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nTo determine if the system is configured to audit calls to the \"init_module\"\nsystem call, run the following command:\n\n$ sudo grep -w \"init_module\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nTo determine if the system is configured to audit calls to the\n\"delete_module\" system call, run the following command:\n\n$ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\nIf the system is configured to audit 
this activity, it will return a line.\n\nIf no line is returned for any of these commands, this is a finding. ", + "fix": "Add the following to \"/etc/audit/audit.rules\" in order to\ncapture kernel module loading and unloading events, setting ARCH to either b32\nor b64 as appropriate for your system:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules" }, - "code": "control \"V-38515\" do\n title \"The Stream Control Transmission Protocol (SCTP) must be disabled\nunless required.\"\n desc \"Disabling SCTP protects the system against exploitation of any flaws\nin its implementation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38515\"\n tag \"rid\": \"SV-50316r5_rule\"\n tag \"stig_id\": \"RHEL-06-000125\"\n tag \"fix_id\": \"F-43462r3_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"sctp\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. 
Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"| grep\n-v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The Stream Control Transmission Protocol (SCTP) is a transport\nlayer protocol, designed to support the idea of message-oriented communication,\nwith several streams of messages within one connection. To configure the system\nto prevent the \\\"sctp\\\" kernel module from being loaded, add the following line\nto a file in the directory \\\"/etc/modprobe.d\\\":\n\ninstall sctp /bin/true\"\n\n describe kernel_module('sctp') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end \nend\n", + "code": "control \"V-38580\" do\n title \"The audit system must be configured to audit the loading and unloading\nof dynamic kernel modules.\"\n desc \"The addition/removal of kernel modules can be used to alter the\nbehavior of the kernel and potentially introduce malicious code into kernel\nspace. 
It is important to have an audit trail of modules that have been\nintroduced into the kernel.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38580\"\n tag \"rid\": \"SV-50381r2_rule\"\n tag \"stig_id\": \"RHEL-06-000202\"\n tag \"fix_id\": \"F-43528r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit execution of\nmodule management programs, run the following commands:\n\n$ sudo egrep -e \\\"(-w |-F path=)/sbin/insmod\\\" /etc/audit/audit.rules\n$ sudo egrep -e \\\"(-w |-F path=)/sbin/rmmod\\\" /etc/audit/audit.rules\n$ sudo egrep -e \\\"(-w |-F path=)/sbin/modprobe\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nTo determine if the system is configured to audit calls to the \\\"init_module\\\"\nsystem call, run the following command:\n\n$ sudo grep -w \\\"init_module\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nTo determine if the system is configured to audit calls to the\n\\\"delete_module\\\" system call, run the following command:\n\n$ sudo grep -w \\\"delete_module\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf no line is returned for any of these commands, this is a finding. 
\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\" in order to\ncapture kernel module loading and unloading events, setting ARCH to either b32\nor b64 as appropriate for your system:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^(?:-w\\s+|-a\\s+(?:always,exit|exit,always)\\s+-F\\s+path=)\\/sbin\\/insmod\\s+-p\\s+[rwa]*x[rwa]*\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^(?:-w\\s+|-a\\s+(?:always,exit|exit,always)\\s+-F\\s+path=)\\/sbin\\/rmmod\\s+-p\\s+[rwa]*x[rwa]*\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^(?:-w\\s+|-a\\s+(?:always,exit|exit,always)\\s+-F\\s+path=)\\/sbin\\/modprobe\\s+-p\\s+[rwa]*x[rwa]*\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32\\s+).*(?:,|-S\\s+)delete_module(?:,|\\s+).*-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)(?:.*-F[\\s]+arch=b32\\s+).*(?:,|-S\\s+)init_module(?:,|\\s+).*-k\\s+\\S+\\s*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38515.rb", + "ref": "./Red Hat 6 STIG/controls/V-38580.rb", "line": 1 }, - "id": "V-38515" + "id": "V-38580" }, { - "title": "All system command files must be owned by root.", - "desc": "System binaries are executed by privileged users as well as system\nservices, and restrictive permissions are necessary to ensure that their\nexecution of these programs cannot be co-opted.", + "title": "The rexecd service must not be running.", + "desc": "The rexec 
service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network.", "descriptions": { - "default": "System binaries are executed by privileged users as well as system\nservices, and restrictive permissions are necessary to ensure that their\nexecution of these programs cannot be co-opted." + "default": "The rexec service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000259", - "gid": "V-38472", - "rid": "SV-50272r1_rule", - "stig_id": "RHEL-06-000048", - "fix_id": "F-43417r1_fix", + "gtitle": "SRG-OS-000033", + "gid": "V-38598", + "rid": "SV-50399r2_rule", + "stig_id": "RHEL-06-000216", + "fix_id": "F-43546r3_fix", "cci": [ - "CCI-001499" + "CCI-000068" ], "nist": [ - "CM-5 (6)", + "AC-17 (2)", "Rev_4" ], "false_negatives": null, 
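Review bot: The new `code` for V-38580 ends with an empty `describe.one do … end` block that contributes no test and reads as an unfinished edit; either drop it or populate it with the alternative rule forms it was presumably meant to accept. The two syscall regexes also hard-code `arch=b32`, while the control's fix text tells the administrator to set ARCH to b32 or b64 as appropriate, so a host audited only with `-F arch=b64 -S init_module -S delete_module` rules would fail the control despite matching the documented fix; accepting `arch=b(32|64)` (or asserting both architectures on 64-bit hosts) would align the test with the fix. The `delete_module` pattern carries a stray `+` after `(?:always,exit|exit,always)` that the `init_module` pattern lacks; making the two identical apart from the syscall name would remove the inconsistency.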
@@ -3490,35 +3506,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "System executables are stored in the following directories by\ndefault:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nAll files in these directories should not be group-writable or world-writable.\nTo find system executables that are not owned by \"root\", run the following\ncommand for each directory [DIR] which contains system executables:\n\n$ find -L [DIR] \\! -user root\n\n\nIf any system executables are found to not be owned by root, this is a finding.", - "fix": "System executables are stored in the following directories by\ndefault:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file [FILE] in these directories is found to be owned by a user other\nthan root, correct its ownership with the following command:\n\n# chown root [FILE]" + "check": "To check that the \"rexec\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"rexec\" --list\n\nOutput should indicate the \"rexec\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"rexec\" --list\nrexec off\nOR\nerror reading information on service rexec: No such file or directory\n\n\nIf the service is running, this is a finding.", + "fix": "The \"rexec\" service, which is available with the \"rsh-server\"\npackage and runs as a service through xinetd, should be disabled. 
The \"rexec\"\nservice can be disabled with the following command:\n\n# chkconfig rexec off" }, - "code": "control \"V-38472\" do\n title \"All system command files must be owned by root.\"\n desc \"System binaries are executed by privileged users as well as system\nservices, and restrictive permissions are necessary to ensure that their\nexecution of these programs cannot be co-opted.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000259\"\n tag \"gid\": \"V-38472\"\n tag \"rid\": \"SV-50272r1_rule\"\n tag \"stig_id\": \"RHEL-06-000048\"\n tag \"fix_id\": \"F-43417r1_fix\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"System executables are stored in the following directories by\ndefault:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nAll files in these directories should not be group-writable or world-writable.\nTo find system executables that are not owned by \\\"root\\\", run the following\ncommand for each directory [DIR] which contains system executables:\n\n$ find -L [DIR] \\\\! -user root\n\n\nIf any system executables are found to not be owned by root, this is a finding.\"\n tag \"fix\": \"System executables are stored in the following directories by\ndefault:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file [FILE] in these directories is found to be owned by a user other\nthan root, correct its ownership with the following command:\n\n# chown root [FILE]\"\n\n dirs = [\"/bin\", \"/usr/bin\", \"/usr/local/bin\", \"/sbin\", \"/usr/sbin\", \"/usr/local/sbin\"]\n dirs.each do |d|\n describe command(\"find -L #{d} \\\\! 
-user root\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", + "code": "control \"V-38598\" do\n title \"The rexecd service must not be running.\"\n desc \"The rexec service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000033\"\n tag \"gid\": \"V-38598\"\n tag \"rid\": \"SV-50399r2_rule\"\n tag \"stig_id\": \"RHEL-06-000216\"\n tag \"fix_id\": \"F-43546r3_fix\"\n tag \"cci\": [\"CCI-000068\"]\n tag \"nist\": [\"AC-17 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"rexec\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"rexec\\\" --list\n\nOutput should indicate the \\\"rexec\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"rexec\\\" --list\nrexec off\nOR\nerror reading information on service rexec: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"rexec\\\" service, which is available with the \\\"rsh-server\\\"\npackage and runs as a service through xinetd, should be disabled. 
The \\\"rexec\\\"\nservice can be disabled with the following command:\n\n# chkconfig rexec off\"\n\n describe.one do\n describe package(\"rsh-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/rexec\") do\n its(\"content\") { should match(/^\\s*disable\\s+=\\s+yes\\s*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38472.rb", + "ref": "./Red Hat 6 STIG/controls/V-38598.rb", "line": 1 }, - "id": "V-38472" + "id": "V-38598" }, { - "title": "The system package management tool must verify permissions on all\nfiles and directories associated with the audit package.", - "desc": "Permissions on audit binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.", + "title": "All GIDs referenced in /etc/passwd must be defined in /etc/group", + "desc": "Inconsistency in GIDs between /etc/passwd and /etc/group could lead to\na user having unintended rights.", "descriptions": { - "default": "Permissions on audit binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated." + "default": "Inconsistency in GIDs between /etc/passwd and /etc/group could lead to\na user having unintended rights." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000256", - "gid": "V-38663", - "rid": "SV-50464r1_rule", - "stig_id": "RHEL-06-000278", - "fix_id": "F-43612r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38681", + "rid": "SV-50482r2_rule", + "stig_id": "RHEL-06-000294", + "fix_id": "F-43630r1_fix", "cci": [ - "CCI-001493" + "CCI-000366" ], "nist": [ - "AU-9", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -3531,35 +3547,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will list which audit files on the system\nhave permissions different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^.M'\n\nIf there is any output, for each file or directory found, compare the\nRPM-expected permissions with the permissions on the file or directory:\n\n# rpm -q --queryformat \"[%{FILENAMES} %{FILEMODES:perms}]\" audit | grep [filename]\n# ls -lL [filename]\n\nIf the existing permissions are more permissive than those expected by RPM,\nthis is a finding.", - "fix": "The RPM package management system can restore file access\npermissions of the audit package files and directories. The following command\nwill update audit files with permissions different from what is expected by the\nRPM database:\n\n# rpm --setperms audit" + "check": "To ensure all GIDs referenced in /etc/passwd are defined in\n/etc/group, run the following command:\n\n# pwck -r | grep 'no group'\n\nThere should be no output.\nIf there is output, this is a finding.", + "fix": "Add a group to the system for each GID referenced without a\ncorresponding group." }, - "code": "control \"V-38663\" do\n title \"The system package management tool must verify permissions on all\nfiles and directories associated with the audit package.\"\n desc \"Permissions on audit binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. 
Any\ndeviations from this baseline should be investigated.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000256\"\n tag \"gid\": \"V-38663\"\n tag \"rid\": \"SV-50464r1_rule\"\n tag \"stig_id\": \"RHEL-06-000278\"\n tag \"fix_id\": \"F-43612r1_fix\"\n tag \"cci\": [\"CCI-001493\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which audit files on the system\nhave permissions different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^.M'\n\nIf there is any output, for each file or directory found, compare the\nRPM-expected permissions with the permissions on the file or directory:\n\n# rpm -q --queryformat \\\"[%{FILENAMES} %{FILEMODES:perms}\\\n]\\\" audit | grep [filename]\n# ls -lL [filename]\n\nIf the existing permissions are more permissive than those expected by RPM,\nthis is a finding.\"\n tag \"fix\": \"The RPM package management system can restore file access\npermissions of the audit package files and directories. 
The following command\nwill update audit files with permissions different from what is expected by the\nRPM database:\n\n# rpm --setperms audit\"\n\n describe command('rpm -V audit | grep \\'^.M\\'') do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38681\" do\n title \"All GIDs referenced in /etc/passwd must be defined in /etc/group\"\n desc \"Inconsistency in GIDs between /etc/passwd and /etc/group could lead to\na user having unintended rights.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38681\"\n tag \"rid\": \"SV-50482r2_rule\"\n tag \"stig_id\": \"RHEL-06-000294\"\n tag \"fix_id\": \"F-43630r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure all GIDs referenced in /etc/passwd are defined in\n/etc/group, run the following command:\n\n# pwck -r | grep 'no group'\n\nThere should be no output.\nIf there is output, this is a finding.\"\n tag \"fix\": \"Add a group to the system for each GID referenced without a\ncorresponding group.\"\n\n describe command(\"pwck -r | grep 'no group'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38663.rb", + "ref": "./Red Hat 6 STIG/controls/V-38681.rb", "line": 1 }, - "id": "V-38663" + "id": "V-38681" }, { - "title": "The rexecd service must not be running.", - "desc": "The rexec service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network.", + "title": "The SSH daemon 
must be configured with the Department of Defense (DoD)\nlogin banner.", + "desc": "The warning message reinforces policy awareness during the logon\nprocess and facilitates possible legal action against attackers. Alternatively,\nsystems whose ownership should not be obvious should ensure usage of a banner\nthat does not provide easy attribution.", "descriptions": { - "default": "The rexec service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network." + "default": "The warning message reinforces policy awareness during the logon\nprocess and facilitates possible legal action against attackers. Alternatively,\nsystems whose ownership should not be obvious should ensure usage of a banner\nthat does not provide easy attribution." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000033", - "gid": "V-38598", - "rid": "SV-50399r2_rule", - "stig_id": "RHEL-06-000216", - "fix_id": "F-43546r3_fix", + "gtitle": "SRG-OS-000023", + "gid": "V-38615", + "rid": "SV-50416r1_rule", + "stig_id": "RHEL-06-000240", + "fix_id": "F-43563r1_fix", "cci": [ - "CCI-000068" + "CCI-000048" ], "nist": [ - "AC-17 (2)", + "AC-8 a", "Rev_4" ], "false_negatives": null, 
@@ -3572,35 +3588,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"rexec\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"rexec\" --list\n\nOutput should indicate the \"rexec\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"rexec\" --list\nrexec off\nOR\nerror reading information on service rexec: No such file or directory\n\n\nIf the service is running, this is a finding.", - "fix": "The \"rexec\" service, which is available with the \"rsh-server\"\npackage and runs as a service through xinetd, should be disabled. The \"rexec\"\nservice can be disabled with the following command:\n\n# chkconfig rexec off" + "check": "To determine how the SSH daemon's \"Banner\" option is set, run\nthe following command:\n\n# grep -i Banner /etc/ssh/sshd_config\n\nIf a line indicating /etc/issue is returned, then the required value is set.\nIf the required value is not set, this is a finding.", + "fix": "To enable the warning banner and ensure it is consistent across\nthe system, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nBanner /etc/issue\n\nAnother section contains information on how to create an appropriate\nsystem-wide warning banner." 
}, - "code": "control \"V-38598\" do\n title \"The rexecd service must not be running.\"\n desc \"The rexec service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000033\"\n tag \"gid\": \"V-38598\"\n tag \"rid\": \"SV-50399r2_rule\"\n tag \"stig_id\": \"RHEL-06-000216\"\n tag \"fix_id\": \"F-43546r3_fix\"\n tag \"cci\": [\"CCI-000068\"]\n tag \"nist\": [\"AC-17 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"rexec\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"rexec\\\" --list\n\nOutput should indicate the \\\"rexec\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"rexec\\\" --list\nrexec off\nOR\nerror reading information on service rexec: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"rexec\\\" service, which is available with the \\\"rsh-server\\\"\npackage and runs as a service through xinetd, should be disabled. 
The \\\"rexec\\\"\nservice can be disabled with the following command:\n\n# chkconfig rexec off\"\n\n describe.one do\n describe package(\"rsh-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/rexec\") do\n its(\"content\") { should match(/^\\s*disable\\s+=\\s+yes\\s*$/) }\n end\n end\nend\n", + "code": "control \"V-38615\" do\n title \"The SSH daemon must be configured with the Department of Defense (DoD)\nlogin banner.\"\n desc \"The warning message reinforces policy awareness during the logon\nprocess and facilitates possible legal action against attackers. Alternatively,\nsystems whose ownership should not be obvious should ensure usage of a banner\nthat does not provide easy attribution.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000023\"\n tag \"gid\": \"V-38615\"\n tag \"rid\": \"SV-50416r1_rule\"\n tag \"stig_id\": \"RHEL-06-000240\"\n tag \"fix_id\": \"F-43563r1_fix\"\n tag \"cci\": [\"CCI-000048\"]\n tag \"nist\": [\"AC-8 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"Banner\\\" option is set, run\nthe following command:\n\n# grep -i Banner /etc/ssh/sshd_config\n\nIf a line indicating /etc/issue is returned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"To enable the warning banner and ensure it is consistent across\nthe system, add or correct the following line in \\\"/etc/ssh/sshd_config\\\":\n\nBanner /etc/issue\n\nAnother section contains information on how to create an appropriate\nsystem-wide warning banner.\"\n\n describe sshd_config do\n its('Banner') { should eq '/etc/issue' }\n end\nend\n", "source_location": { - 
"ref": "./Red Hat 6 STIG/controls/V-38598.rb", + "ref": "./Red Hat 6 STIG/controls/V-38615.rb", "line": 1 }, - "id": "V-38598" + "id": "V-38615" }, { - "title": "The system must retain enough rotated audit logs to cover the required\nlog retention period.", - "desc": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained.", + "title": "There must be no .rhosts or hosts.equiv files on the system.", + "desc": "Trust files are convenient, but when used in conjunction with the\nR-services, they can allow unauthenticated access to a system.", "descriptions": { - "default": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained." + "default": "Trust files are convenient, but when used in conjunction with the\nR-services, they can allow unauthenticated access to a system." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38636", - "rid": "SV-50437r1_rule", - "stig_id": "RHEL-06-000159", - "fix_id": "F-43585r1_fix", + "gtitle": "SRG-OS-000248", + "gid": "V-38491", + "rid": "SV-50292r1_rule", + "stig_id": "RHEL-06-000019", + "fix_id": "F-43438r1_fix", "cci": [ - "CCI-000366" + "CCI-001436" ], "nist": [ - "CM-6 b", + "AC-17 (8)", "Rev_4" ], "false_negatives": null, 
@@ -3613,35 +3629,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine how many logs the system is configured to retain after\nrotation: \"# grep num_logs /etc/audit/auditd.conf\"\n\nnum_logs = 5\n\n\nIf the overall system log file(s) retention hasn't been properly set up, this\nis a finding.", - "fix": "Determine how many log files \"auditd\" should retain when it\nrotates logs. Edit the file \"/etc/audit/auditd.conf\". Add or modify the\nfollowing line, substituting [NUMLOGS] with the correct value:\n\nnum_logs = [NUMLOGS]\n\nSet the value to 5 for general-purpose systems. Note that values less than 2\nresult in no log rotation." + "check": "The existence of the file \"/etc/hosts.equiv\" or a file named\n\".rhosts\" inside a user home directory indicates the presence of an Rsh trust\nrelationship.\nIf these files exist, this is a finding.", + "fix": "The files \"/etc/hosts.equiv\" and \"~/.rhosts\" (in each user's\nhome directory) list remote hosts and users that are trusted by the local\nsystem when using the rshd daemon. To remove these files, run the following\ncommand to delete them from any location.\n\n# rm /etc/hosts.equiv\n\n\n\n$ rm ~/.rhosts" }, - "code": "control \"V-38636\" do\n title \"The system must retain enough rotated audit logs to cover the required\nlog retention period.\"\n desc \"The total storage for audit log files must be large enough to retain\nlog information over the period required. 
This is a function of the maximum log\nfile size and the number of logs retained.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38636\"\n tag \"rid\": \"SV-50437r1_rule\"\n tag \"stig_id\": \"RHEL-06-000159\"\n tag \"fix_id\": \"F-43585r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine how many logs the system is configured to retain after\nrotation: \\\"# grep num_logs /etc/audit/auditd.conf\\\"\n\nnum_logs = 5\n\n\nIf the overall system log file(s) retention hasn't been properly set up, this\nis a finding.\"\n tag \"fix\": \"Determine how many log files \\\"auditd\\\" should retain when it\nrotates logs. Edit the file \\\"/etc/audit/auditd.conf\\\". Add or modify the\nfollowing line, substituting [NUMLOGS] with the correct value:\n\nnum_logs = [NUMLOGS]\n\nSet the value to 5 for general-purpose systems. 
Note that values less than 2\nresult in no log rotation.\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^num_logs\\s*=\\s*(\\d+)\\s*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^num_logs\\s*=\\s*(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 5 }\n end\n end\nend\n", + "code": "control \"V-38491\" do\n title \"There must be no .rhosts or hosts.equiv files on the system.\"\n desc \"Trust files are convenient, but when used in conjunction with the\nR-services, they can allow unauthenticated access to a system.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000248\"\n tag \"gid\": \"V-38491\"\n tag \"rid\": \"SV-50292r1_rule\"\n tag \"stig_id\": \"RHEL-06-000019\"\n tag \"fix_id\": \"F-43438r1_fix\"\n tag \"cci\": [\"CCI-001436\"]\n tag \"nist\": [\"AC-17 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The existence of the file \\\"/etc/hosts.equiv\\\" or a file named\n\\\".rhosts\\\" inside a user home directory indicates the presence of an Rsh trust\nrelationship.\nIf these files exist, this is a finding.\"\n tag \"fix\": \"The files \\\"/etc/hosts.equiv\\\" and \\\"~/.rhosts\\\" (in each user's\nhome directory) list remote hosts and users that are trusted by the local\nsystem when using the rshd daemon. 
To remove these files, run the following\ncommand to delete them from any location.\n\n# rm /etc/hosts.equiv\n\n\n\n$ rm ~/.rhosts\"\n\n describe file(\"/root/^\\\\.(r|s)hosts$\") do\n it { should_not exist }\n end\n describe command(\"find /home -regex .\\\\*/\\\\^\\\\\\\\.\\\\(r\\\\|s\\\\)hosts\\\\$ -type f -maxdepth 1\") do\n its(\"stdout\") { should be_empty }\n end\n describe file(\"/etc/^s?hosts\\\\.equiv$\") do\n it { should_not exist }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38636.rb", + "ref": "./Red Hat 6 STIG/controls/V-38491.rb", "line": 1 }, - "id": "V-38636" + "id": "V-38491" }, { - "title": "The ypserv package must not be installed.", - "desc": "Removing the \"ypserv\" package decreases the risk of the accidental\n(or intentional) activation of NIS or NIS+ services.", + "title": "The operating system must employ automated mechanisms to detect the\npresence of unauthorized software on organizational information systems and\nnotify designated organizational officials in accordance with the organization\ndefined frequency.", + "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", "descriptions": { - "default": "Removing the \"ypserv\" package decreases the risk of the accidental\n(or intentional) activation of NIS or NIS+ services." + "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000095", - "gid": "V-38603", - "rid": "SV-50404r1_rule", - "stig_id": "RHEL-06-000220", - "fix_id": "F-43551r1_fix", + "gtitle": "SRG-OS-000232", + "gid": "V-38698", + "rid": "SV-50499r2_rule", + "stig_id": "RHEL-06-000304", + "fix_id": "F-43647r1_fix", "cci": [ - "CCI-000381" + "CCI-001069" ], "nist": [ - "CM-7 a", + "RA-5 (7)", "Rev_4" ], "false_negatives": null, 
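Review bot: The added V-38491 `code` string cannot detect the trust files its own `check` text says are a finding: `file("/root/^\\.(r|s)hosts$")` and `file("/etc/^s?hosts\\.equiv$")` hand regex syntax to the InSpec `file` resource as a literal path, so both `should_not exist` expectations pass on every host, and `find /home ... -type f -maxdepth 1` only examines entries directly under /home, never a `.rhosts` inside a user's home directory (GNU find also warns when `-maxdepth` follows a test). The control therefore reports compliant whether or not `/etc/hosts.equiv` or `~/.rhosts` exist. Since this JSON is an export of the Ruby control, the fix belongs in `./Red Hat 6 STIG/controls/V-38491.rb` and then re-exporting: test the literal paths, e.g. `describe file('/etc/hosts.equiv') do it { should_not exist } end`, and search one level into each home directory, e.g. `command("find /root /home -maxdepth 2 -type f \\( -name .rhosts -o -name .shosts \\)")` with `its('stdout') { should be_empty }`.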
@@ -3654,35 +3670,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if the \"ypserv\"\npackage is installed:\n\n# rpm -q ypserv\n\n\nIf the package is installed, this is a finding.", - "fix": "The \"ypserv\" package can be uninstalled with the following\ncommand:\n\n# yum erase ypserv" + "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", + "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." }, - "code": "control \"V-38603\" do\n title \"The ypserv package must not be installed.\"\n desc \"Removing the \\\"ypserv\\\" package decreases the risk of the accidental\n(or intentional) activation of NIS or NIS+ services.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000095\"\n tag \"gid\": \"V-38603\"\n tag \"rid\": \"SV-50404r1_rule\"\n tag \"stig_id\": \"RHEL-06-000220\"\n tag \"fix_id\": \"F-43551r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"ypserv\\\"\npackage is installed:\n\n# rpm -q ypserv\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"ypserv\\\" package can be uninstalled with the following\ncommand:\n\n# yum erase ypserv\"\n\n describe 
package(\"ypserv\") do\n it { should_not be_installed }\n end\nend\n", + "code": "control \"V-38698\" do\n title \"The operating system must employ automated mechanisms to detect the\npresence of unauthorized software on organizational information systems and\nnotify designated organizational officials in accordance with the organization\ndefined frequency.\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000232\"\n tag \"gid\": \"V-38698\"\n tag \"rid\": \"SV-50499r2_rule\"\n tag \"stig_id\": \"RHEL-06-000304\"\n tag \"fix_id\": \"F-43647r1_fix\"\n tag \"cci\": [\"CCI-001069\"]\n tag \"nist\": [\"RA-5 (7)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38603.rb", + "ref": "./Red Hat 6 STIG/controls/V-38698.rb", "line": 1 }, - "id": "V-38603" + "id": "V-38698" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol 
permission modifications using chmod.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The SSH daemon must set a timeout interval on idle sessions.", + "desc": "Causing idle users to be automatically logged out guards against\ncompromises one system leading trivially to compromises on another.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "Causing idle users to be automatically logged out guards against\ncompromises one system leading trivially to compromises on another." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38543", - "rid": "SV-50344r3_rule", - "stig_id": "RHEL-06-000184", - "fix_id": "F-43491r2_fix", + "gtitle": "SRG-OS-000163", + "gid": "V-38608", + "rid": "SV-50409r1_rule", + "stig_id": "RHEL-06-000230", + "fix_id": "F-43556r1_fix", "cci": [ - "CCI-000172" + "CCI-001133" ], "nist": [ - "AU-12 c", + "SC-10", "Rev_4" ], "false_negatives": null, 
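Review bot: The added V-38698 `code` string accepts a commented-out schedule: `grep aide /etc/crontab /etc/cron.*/*` matches `#05 4 * * * root /usr/sbin/aide --check` just as well as the live entry, so `its('stdout.strip') { should_not be_empty }` passes on a system where AIDE never runs. The `check` text mirrors the STIG wording, but the automated test can be stricter without changing intent, e.g. `describe command("grep -E '^[^#]*aide' /etc/crontab /etc/cron.*/*")`. Root's per-user crontab is also not searched, so a schedule placed there would presumably be reported as a finding; worth a comment in the control if that is deliberate.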
@@ -3695,35 +3711,76 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"chmod\" system call, run the following command:\n\n$ sudo grep -w \"chmod\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf the system is not configured to audit permission changes, this is a finding.\n", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod" + "check": "Run the following command to see what the timeout interval is:\n\n# grep ClientAliveInterval /etc/ssh/sshd_config\n\nIf properly configured, the output should be:\n\nClientAliveInterval 900\n\n\nIf it is not, this is a finding.", + "fix": "SSH allows administrators to set an idle timeout interval. After\nthis interval has passed, the idle user will be automatically logged out.\n\nTo set an idle timeout interval, edit the following line in\n\"/etc/ssh/sshd_config\" as follows:\n\nClientAliveInterval [interval]\n\nThe timeout [interval] is given in seconds. To have a timeout of 15 minutes,\nset [interval] to 900.\n\nIf a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made here. Keep in mind that some processes may stop\nSSH from correctly detecting that the user is idle." 
}, - "code": "control \"V-38543\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using chmod.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38543\"\n tag \"rid\": \"SV-50344r3_rule\"\n tag \"stig_id\": \"RHEL-06-000184\"\n tag \"fix_id\": \"F-43491r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"chmod\\\" system call, run the following command:\n\n$ sudo grep -w \\\"chmod\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf the system is not configured to audit permission changes, this is a finding.\n\"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)chmod(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)chmod(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38608\" do\n title \"The SSH daemon must set a timeout interval on idle sessions.\"\n desc \"Causing idle users to be automatically logged out guards against\ncompromises one system leading trivially to compromises on another.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000163\"\n tag \"gid\": \"V-38608\"\n tag \"rid\": \"SV-50409r1_rule\"\n tag \"stig_id\": \"RHEL-06-000230\"\n tag \"fix_id\": \"F-43556r1_fix\"\n tag \"cci\": [\"CCI-001133\"]\n tag \"nist\": [\"SC-10\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to see what the timeout interval is:\n\n# grep ClientAliveInterval /etc/ssh/sshd_config\n\nIf properly configured, the output should 
be:\n\nClientAliveInterval 900\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"SSH allows administrators to set an idle timeout interval. After\nthis interval has passed, the idle user will be automatically logged out.\n\nTo set an idle timeout interval, edit the following line in\n\\\"/etc/ssh/sshd_config\\\" as follows:\n\nClientAliveInterval [interval]\n\nThe timeout [interval] is given in seconds. To have a timeout of 15 minutes,\nset [interval] to 900.\n\nIf a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made here. Keep in mind that some processes may stop\nSSH from correctly detecting that the user is idle.\"\n\n describe sshd_config do\n its(\"ClientAliveInterval.to_i\"){should cmp >= 1}\n its(\"ClientAliveInterval.to_i\"){should cmp <= input('client_alive_interval')}\n its(\"ClientAliveInterval\"){should_not eq nil}\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38543.rb", + "ref": "./Red Hat 6 STIG/controls/V-38608.rb", "line": 1 }, - "id": "V-38543" + "id": "V-38608" }, { - "title": "The system must be configured to use TCP syncookies when experiencing\na TCP SYN flood.", - "desc": "A TCP SYN flood attack can cause a denial of service by filling a\nsystem's TCP connection table with connections in the SYN_RCVD state.\nSyncookies can be used to track a connection when a subsequent ACK is received,\nverifying the initiator is attempting a valid connection and is not a flood\nsource. This feature is activated when a flood condition is detected, and\nenables the system to continue servicing valid connection requests.", + "title": "The system default umask in /etc/login.defs must be 077.", + "desc": "The umask value influences the permissions assigned to files when they\nare created. 
A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.", "descriptions": { - "default": "A TCP SYN flood attack can cause a denial of service by filling a\nsystem's TCP connection table with connections in the SYN_RCVD state.\nSyncookies can be used to track a connection when a subsequent ACK is received,\nverifying the initiator is attempting a valid connection and is not a flood\nsource. This feature is activated when a flood condition is detected, and\nenables the system to continue servicing valid connection requests." + "default": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users." + }, + "impact": 0.3, + "refs": [], + "tags": { + "gtitle": "SRG-OS-999999", + "gid": "V-38645", + "rid": "SV-50446r1_rule", + "stig_id": "RHEL-06-000345", + "fix_id": "F-43594r1_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null, + "check": "Verify the \"umask\" setting is configured correctly in the\n\"/etc/login.defs\" file by running the following command:\n\n# grep -i \"umask\" /etc/login.defs\n\nAll output must show the value of \"umask\" set to 077, as shown in the below:\n\n# grep -i \"umask\" /etc/login.defs\nUMASK 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.", + "fix": "To ensure the default umask controlled by \"/etc/login.defs\" is\nset properly, add or correct the \"umask\" setting in \"/etc/login.defs\" to\nread as follows:\n\nUMASK 077" + }, + "code": 
"control \"V-38645\" do\n title \"The system default umask in /etc/login.defs must be 077.\"\n desc \"The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38645\"\n tag \"rid\": \"SV-50446r1_rule\"\n tag \"stig_id\": \"RHEL-06-000345\"\n tag \"fix_id\": \"F-43594r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the \\\"umask\\\" setting is configured correctly in the\n\\\"/etc/login.defs\\\" file by running the following command:\n\n# grep -i \\\"umask\\\" /etc/login.defs\n\nAll output must show the value of \\\"umask\\\" set to 077, as shown in the below:\n\n# grep -i \\\"umask\\\" /etc/login.defs\nUMASK 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.\"\n tag \"fix\": \"To ensure the default umask controlled by \\\"/etc/login.defs\\\" is\nset properly, add or correct the \\\"umask\\\" setting in \\\"/etc/login.defs\\\" to\nread as follows:\n\nUMASK 077\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^[\\s]*UMASK[\\s]+([^#\\s]*)/) }\n end\n file(\"/etc/login.defs\").content.to_s.scan(/^[\\s]*UMASK[\\s]+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"077\" }\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 6 STIG/controls/V-38645.rb", + "line": 1 + }, + "id": "V-38645" + }, + { + "title": "The Datagram Congestion Control 
Protocol (DCCP) must be disabled\nunless required.", + "desc": "Disabling DCCP protects the system against exploitation of any flaws\nin its implementation.", + "descriptions": { + "default": "Disabling DCCP protects the system against exploitation of any flaws\nin its implementation." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000142", - "gid": "V-38539", - "rid": "SV-50340r2_rule", - "stig_id": "RHEL-06-000095", - "fix_id": "F-43487r1_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38514", + "rid": "SV-50315r5_rule", + "stig_id": "RHEL-06-000124", + "fix_id": "F-43461r3_fix", "cci": [ - "CCI-001095" + "CCI-000382" ], "nist": [ - "SC-5 (2)", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
@@ -3736,30 +3793,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.tcp_syncookies\" kernel parameter\ncan be queried by running the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.tcp_syncookies /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the \"net.ipv4.tcp_syncookies\"\nkernel parameter, run the following command:\n\n# sysctl -w net.ipv4.tcp_syncookies=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies = 1" + "check": "If the system is configured to prevent the loading of the\n\"dccp\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"| grep\n-v \"#\"\n\nIf no line is returned, this is a finding.", + "fix": "The Datagram Congestion Control Protocol (DCCP) is a relatively\nnew transport layer protocol, designed to support streaming media and\ntelephony. 
To configure the system to prevent the \"dccp\" kernel module from\nbeing loaded, add the following line to a file in the directory\n\"/etc/modprobe.d\":\n\ninstall dccp /bin/true" }, - "code": "control \"V-38539\" do\n title \"The system must be configured to use TCP syncookies when experiencing\na TCP SYN flood.\"\n desc \"A TCP SYN flood attack can cause a denial of service by filling a\nsystem's TCP connection table with connections in the SYN_RCVD state.\nSyncookies can be used to track a connection when a subsequent ACK is received,\nverifying the initiator is attempting a valid connection and is not a flood\nsource. This feature is activated when a flood condition is detected, and\nenables the system to continue servicing valid connection requests.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000142\"\n tag \"gid\": \"V-38539\"\n tag \"rid\": \"SV-50340r2_rule\"\n tag \"stig_id\": \"RHEL-06-000095\"\n tag \"fix_id\": \"F-43487r1_fix\"\n tag \"cci\": [\"CCI-001095\"]\n tag \"nist\": [\"SC-5 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.tcp_syncookies\\\" kernel parameter\ncan be queried by running the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.tcp_syncookies /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the \\\"net.ipv4.tcp_syncookies\\\"\nkernel parameter, run the following command:\n\n# sysctl -w net.ipv4.tcp_syncookies=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies = 1\"\n\n describe kernel_parameter(\"net.ipv4.tcp_syncookies\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.tcp_syncookies\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.tcp_syncookies[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38514\" do\n title \"The Datagram Congestion Control Protocol (DCCP) must be disabled\nunless required.\"\n desc \"Disabling DCCP protects the system against exploitation of any flaws\nin its implementation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38514\"\n tag \"rid\": \"SV-50315r5_rule\"\n tag \"stig_id\": \"RHEL-06-000124\"\n tag \"fix_id\": \"F-43461r3_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"dccp\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. 
Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"| grep\n-v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The Datagram Congestion Control Protocol (DCCP) is a relatively\nnew transport layer protocol, designed to support streaming media and\ntelephony. To configure the system to prevent the \\\"dccp\\\" kernel module from\nbeing loaded, add the following line to a file in the directory\n\\\"/etc/modprobe.d\\\":\n\ninstall dccp /bin/true\"\n\n describe kernel_module('dccp') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38539.rb", + "ref": "./Red Hat 6 STIG/controls/V-38514.rb", "line": 1 }, - "id": "V-38539" + "id": "V-38514" }, { - "title": "The system must not have accounts configured with blank or null\npasswords.", - "desc": "If an account has an empty password, anyone could log in and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", + "title": "The system boot loader configuration file(s) must have mode 0600 or\nless permissive.", + "desc": "Proper permissions ensure that only the root user can modify important\nboot parameters.", "descriptions": { - "default": "If an account has an empty password, anyone could log in and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments." + "default": "Proper permissions ensure that only the root user can modify important\nboot parameters." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38497", - "rid": "SV-50298r3_rule", - "stig_id": "RHEL-06-000030", - "fix_id": "F-43444r5_fix", + "gid": "V-38583", + "rid": "SV-50384r4_rule", + "stig_id": "RHEL-06-000067", + "fix_id": "F-43531r3_fix", "cci": [ "CCI-000366" ], 
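Review bot: The new DCCP control's third test is misspelled — `it { shold_not be_enabled }` in the `"code"` field calls an undefined method, so the control raises instead of evaluating. Even with the spelling fixed, `be_enabled` does not appear to be a matcher the kernel_module resource provides; `should be_disabled` is the one that recognises the `install dccp /bin/true` line the fix text prescribes. Note too that `should be_blacklisted` requires a `blacklist dccp` entry, which the fix text never asks for, so a host remediated exactly as instructed would still fail; `it { should_not be_loaded }` plus `it { should be_disabled }` matches what the check and fix text actually describe.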
@@ -3777,35 +3834,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that null passwords cannot be used, run the following\ncommand:\n\n# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf this produces any output, it may be possible to log into accounts with empty\npasswords.\nIf NULL passwords can be used, this is a finding.", - "fix": "If an account is configured for password authentication but does\nnot have an assigned password, it may be possible to log onto the account\nwithout authentication. Remove any instances of the \"nullok\" option in\n\"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons\nwith empty passwords." + "check": "To check the permissions of \"/boot/grub/grub.conf\", run the\ncommand:\n\n$ sudo ls -lL /boot/grub/grub.conf\n\nIf the system uses UEFI check the permissions of\n\"/boot/efi/EFI/redhat/grub.conf\" file:\n\n$ sudo ls –lL /boot/efi/EFI/redhat/grub.conf\n\nIf properly configured, the output should indicate the following permissions:\n\"-rw-------\"\n\nIf it does not, this is a finding.", + "fix": "File permissions for \"/boot/grub/grub.conf\" and\n\"/boot/efi/EFI/redhat/grub.conf\" should be set to 600, which is the default.\n\nTo properly set the permissions of \"/boot/grub/grub.conf\", run the command:\n\n$ chmod 600 /boot/grub/grub.conf\n\nTo properly set the permissions of \"/boot/efi/EFI/redhat/grub.conf\", run the\ncommand:\n\n$ chmod 600 /boot/efi/EFI/redhat/grub.conf\n\nBoot partitions based on VFAT, NTFS, or other non-standard configurations may\nrequire alternative measures.\n" }, - "code": "control \"V-38497\" do\n title \"The system must not have accounts configured with blank or null\npasswords.\"\n desc \"If an account has an empty password, anyone could log in and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38497\"\n tag \"rid\": \"SV-50298r3_rule\"\n tag \"stig_id\": \"RHEL-06-000030\"\n tag \"fix_id\": \"F-43444r5_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that null passwords cannot be used, run the following\ncommand:\n\n# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf this produces any output, it may be possible to log into accounts with empty\npasswords.\nIf NULL passwords can be used, this is a finding.\"\n tag \"fix\": \"If an account is configured for password authentication but does\nnot have an assigned password, it may be possible to log onto the account\nwithout authentication. 
Remove any instances of the \\\"nullok\\\" option in\n\\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" to prevent logons\nwith empty passwords.\"\n\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should_not match(/^[^#]\\s*.*\\snullok\\s*/) }\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should_not match(/^[^#]\\s*.*\\snullok\\s*/) }\n end\nend\n", + "code": "control \"V-38583\" do\n title \"The system boot loader configuration file(s) must have mode 0600 or\nless permissive.\"\n desc \"Proper permissions ensure that only the root user can modify important\nboot parameters.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38583\"\n tag \"rid\": \"SV-50384r4_rule\"\n tag \"stig_id\": \"RHEL-06-000067\"\n tag \"fix_id\": \"F-43531r3_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/boot/grub/grub.conf\\\", run the\ncommand:\n\n$ sudo ls -lL /boot/grub/grub.conf\n\nIf the system uses UEFI check the permissions of\n\\\"/boot/efi/EFI/redhat/grub.conf\\\" file:\n\n$ sudo ls –lL /boot/efi/EFI/redhat/grub.conf\n\nIf properly configured, the output should indicate the following permissions:\n\\\"-rw-------\\\"\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"File permissions for \\\"/boot/grub/grub.conf\\\" and\n\\\"/boot/efi/EFI/redhat/grub.conf\\\" should be set to 600, which is the default.\n\nTo properly set the permissions of \\\"/boot/grub/grub.conf\\\", run the command:\n\n$ chmod 600 /boot/grub/grub.conf\n\nTo properly set the permissions of 
\\\"/boot/efi/EFI/redhat/grub.conf\\\", run the\ncommand:\n\n$ chmod 600 /boot/efi/EFI/redhat/grub.conf\n\nBoot partitions based on VFAT, NTFS, or other non-standard configurations may\nrequire alternative measures.\n\"\n\n describe file(\"/boot/grub/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_readable.by \"group\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_readable.by \"other\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should be_readable.by \"owner\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should be_writable.by \"owner\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_readable.by \"group\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_readable.by \"other\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe 
file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should be_readable.by \"owner\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should be_writable.by \"owner\" }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38497.rb", + "ref": "./Red Hat 6 STIG/controls/V-38583.rb", "line": 1 }, - "id": "V-38497" + "id": "V-38583" }, { - "title": "User passwords must be changed at least every 60 days.", - "desc": "Setting the password maximum age ensures users are required to\nperiodically change their passwords. This could possibly decrease the utility\nof a stolen password. Requiring shorter password lifetimes increases the risk\nof users writing down the password in a convenient location subject to physical\ncompromise.", + "title": "The systems local IPv6 firewall must implement a deny-all,\nallow-by-exception policy for inbound packets.", + "desc": "In \"ip6tables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.", "descriptions": { - "default": "Setting the password maximum age ensures users are required to\nperiodically change their passwords. This could possibly decrease the utility\nof a stolen password. Requiring shorter password lifetimes increases the risk\nof users writing down the password in a convenient location subject to physical\ncompromise." + "default": "In \"ip6tables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000076", - "gid": "V-38479", - "rid": "SV-50279r1_rule", - "stig_id": "RHEL-06-000053", - "fix_id": "F-43424r1_fix", + "gtitle": "SRG-OS-000231", + "gid": "V-38444", + "rid": "SV-50244r2_rule", + "stig_id": "RHEL-06-000523", + "fix_id": "F-43389r3_fix", "cci": [ - "CCI-000199" + "CCI-000066" ], "nist": [ - "IA-5 (1) (d)", + "AC-17 e", "Rev_4" ], "false_negatives": null, 
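Review bot: The new grub.conf control asserts `it { should exist }` for both `/boot/grub/grub.conf` and `/boot/efi/EFI/redhat/grub.conf`, while the check text only inspects the EFI path "if the system uses UEFI", so every BIOS-only host (and every UEFI-only host) fails on whichever file is absent. The ten `describe file(...)` blocks per path should sit under a guard such as `if file(path).exist?`, or the two paths should be iterated with the permission tests applied only to files that exist. The title allows mode 0600 "or less permissive", yet `should be_readable.by "owner"` and `should be_writable.by "owner"` would flag a 0400 file, which the title permits. Also, the check text's `$ sudo ls –lL` for the EFI file carries an en-dash instead of a hyphen, so it will not run if copied verbatim.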
@@ -3818,18 +3875,18 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the maximum password age, run the command:\n\n$ grep PASS_MAX_DAYS /etc/login.defs\n\nThe DoD requirement is 60.\nIf it is not set to the required value, this is a finding.", - "fix": "To specify password maximum age for new accounts, edit the file\n\"/etc/login.defs\" and add or correct the following line, replacing [DAYS]\nappropriately:\n\nPASS_MAX_DAYS [DAYS]\n\nThe DoD requirement is 60." + "check": "If IPv6 is disabled, this is not applicable.\n\nInspect the file \"/etc/sysconfig/ip6tables\" to determine the default policy\nfor the INPUT chain. It should be set to DROP:\n\n# grep \":INPUT\" /etc/sysconfig/ip6tables\n\nIf the default policy for the INPUT chain is not set to DROP, this is a\nfinding. ", + "fix": "To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in INPUT chain which processes incoming packets, add or correct the\nfollowing line in \"/etc/sysconfig/ip6tables\":\n\n:INPUT DROP [0:0]\n\nRestart the IPv6 firewall:\n\n# service ip6tables restart" }, - "code": "control \"V-38479\" do\n title \"User passwords must be changed at least every 60 days.\"\n desc \"Setting the password maximum age ensures users are required to\nperiodically change their passwords. This could possibly decrease the utility\nof a stolen password. 
Requiring shorter password lifetimes increases the risk\nof users writing down the password in a convenient location subject to physical\ncompromise.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000076\"\n tag \"gid\": \"V-38479\"\n tag \"rid\": \"SV-50279r1_rule\"\n tag \"stig_id\": \"RHEL-06-000053\"\n tag \"fix_id\": \"F-43424r1_fix\"\n tag \"cci\": [\"CCI-000199\"]\n tag \"nist\": [\"IA-5 (1) (d)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the maximum password age, run the command:\n\n$ grep PASS_MAX_DAYS /etc/login.defs\n\nThe DoD requirement is 60.\nIf it is not set to the required value, this is a finding.\"\n tag \"fix\": \"To specify password maximum age for new accounts, edit the file\n\\\"/etc/login.defs\\\" and add or correct the following line, replacing [DAYS]\nappropriately:\n\nPASS_MAX_DAYS [DAYS]\n\nThe DoD requirement is 60.\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^[\\s]*PASS_MAX_DAYS[\\s]+(\\d+)\\s*$/) }\n end\n file(\"/etc/login.defs\").content.to_s.scan(/^[\\s]*PASS_MAX_DAYS[\\s]+(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp <= 60 }\n end\n end\nend\n", + "code": "control \"V-38444\" do\n title \"The systems local IPv6 firewall must implement a deny-all,\nallow-by-exception policy for inbound packets.\"\n desc \"In \\\"ip6tables\\\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \\\"DROP\\\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000231\"\n tag \"gid\": \"V-38444\"\n tag \"rid\": \"SV-50244r2_rule\"\n tag \"stig_id\": \"RHEL-06-000523\"\n tag \"fix_id\": \"F-43389r3_fix\"\n tag \"cci\": [\"CCI-000066\"]\n tag \"nist\": [\"AC-17 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If IPv6 is disabled, this is not applicable.\n\nInspect the file \\\"/etc/sysconfig/ip6tables\\\" to determine the default policy\nfor the INPUT chain. It should be set to DROP:\n\n# grep \\\":INPUT\\\" /etc/sysconfig/ip6tables\n\nIf the default policy for the INPUT chain is not set to DROP, this is a\nfinding. 
\"\n tag \"fix\": \"To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in INPUT chain which processes incoming packets, add or correct the\nfollowing line in \\\"/etc/sysconfig/ip6tables\\\":\n\n:INPUT DROP [0:0]\n\nRestart the IPv6 firewall:\n\n# service ip6tables restart\"\n\n describe command(\"ip6tables -nvL | grep -i input\") do\n its('stdout.strip') { should match %r{Chain INPUT \\(policy DROP\\) } }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38479.rb", + "ref": "./Red Hat 6 STIG/controls/V-38444.rb", "line": 1 }, - "id": "V-38479" + "id": "V-38444" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fremovexattr.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lsetxattr.", "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." @@ -3838,10 +3895,10 @@ "refs": [], "tags": { "gtitle": "SRG-OS-000064", - "gid": "V-38556", - "rid": "SV-50357r3_rule", - "stig_id": "RHEL-06-000190", - "fix_id": "F-43504r2_fix", + "gid": "V-38561", + "rid": "SV-50362r3_rule", + "stig_id": "RHEL-06-000194", + "fix_id": "F-43509r2_fix", "cci": [ "CCI-000172" ], 
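Review bot: The ip6tables INPUT test `its('stdout.strip') { should match %r{Chain INPUT \(policy DROP\) } }` requires the closing parenthesis immediately after DROP, but `ip6tables -nvL` prints the counters inside the parentheses (the FORWARD control's check text on this page shows `Chain FORWARD (policy DROP 0 packets, 0 bytes)`), so a compliant host would fail this control. Loosen it to `should match %r{Chain INPUT \(policy DROP}`, as the removed FORWARD control does. The check text also opens with "If IPv6 is disabled, this is not applicable", but the code has no corresponding `only_if`, so a host with IPv6 disabled reports a finding or a command error rather than N/A.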
@@ -3859,35 +3916,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"fremovexattr\" system call, run the following command:\n\n$ sudo grep -w \"fremovexattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod" + "check": "To determine if the system is configured to audit calls to the\n\"lsetxattr\" system call, run the following command:\n\n$ sudo grep -w \"lsetxattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod" }, - "code": "control \"V-38556\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fremovexattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38556\"\n tag \"rid\": \"SV-50357r3_rule\"\n tag \"stig_id\": \"RHEL-06-000190\"\n tag \"fix_id\": \"F-43504r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fremovexattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fremovexattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)fremovexattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)fremovexattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38561\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lsetxattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38561\"\n tag \"rid\": \"SV-50362r3_rule\"\n tag \"stig_id\": \"RHEL-06-000194\"\n tag \"fix_id\": \"F-43509r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": 
nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"lsetxattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"lsetxattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lsetxattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lsetxattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38556.rb", + "ref": "./Red Hat 6 STIG/controls/V-38561.rb", "line": 1 }, - "id": "V-38556" + "id": "V-38561" }, { - "title": "The systems local firewall must implement a deny-all,\nallow-by-exception policy for forwarded packets.", - "desc": "In \"iptables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.", + "title": "The NFS server must not have the insecure file locking option enabled.", + "desc": "Allowing insecure file locking could allow for sensitive data to be\nviewed or edited by an unauthorized user.", "descriptions": { - "default": "In \"iptables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted." + "default": "Allowing insecure file locking could allow for sensitive data to be\nviewed or edited by an unauthorized user." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000147", - "gid": "V-38686", - "rid": "SV-50487r2_rule", - "stig_id": "RHEL-06-000320", - "fix_id": "F-43635r1_fix", + "gtitle": "SRG-OS-000104", + "gid": "V-38677", + "rid": "SV-50478r1_rule", + "stig_id": "RHEL-06-000309", + "fix_id": "F-43626r1_fix", "cci": [ - "CCI-001109" + "CCI-000764" ], "nist": [ - "SC-7 (5)", + "IA-2", "Rev_4" ], "false_negatives": null, 
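Review bot: The lsetxattr control ends with an empty `describe.one do … end` block and only asserts the arch=b32 rules, even though its own fix text says 64-bit systems must also carry the two arch=b64 rules; a 64-bit host with only the b32 lines therefore passes. Populate the `describe.one` block with the arch=b64 counterparts of the two regexes above (the same patterns with `arch=b64` in place of `arch=b32`), or delete the empty block if the b64 rules are intentionally unchecked — an empty `describe.one` appears to contribute no tests at all. The removed fremovexattr control had the same empty block, so the gap likely repeats in the sibling DAC-audit controls outside this hunk.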
@@ -3900,35 +3957,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to ensure the default \"FORWARD\"\npolicy is \"DROP\":\n\n# iptables -nvL | grep -i forward\n\nChain FORWARD (policy DROP 0 packets, 0 bytes)\n\nIf the default policy for the FORWARD chain is not set to DROP, this is a\nfinding.", - "fix": "To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in FORWARD chain which processes packets that will be forwarded from one\ninterface to another, add or correct the following line in\n\"/etc/sysconfig/iptables\":\n\n:FORWARD DROP [0:0]" + "check": "To verify insecure file locking has been disabled, run the\nfollowing command:\n\n# grep insecure_locks /etc/exports\n\n\nIf there is output, this is a finding.", + "fix": "By default the NFS server requires secure file-lock requests,\nwhich require credentials from the client in order to lock a file. Most NFS\nclients send credentials with file lock requests, however, there are a few\nclients that do not send credentials when requesting a file-lock, allowing the\nclient to only be able to lock world-readable files. To get around this, the\n\"insecure_locks\" option can be used so these clients can access the desired\nexport. This poses a security risk by potentially allowing the client access to\ndata for which it does not have authorization. Remove any instances of the\n\"insecure_locks\" option from the file \"/etc/exports\"." }, - "code": "control \"V-38686\" do\n title \"The systems local firewall must implement a deny-all,\nallow-by-exception policy for forwarded packets.\"\n desc \"In \\\"iptables\\\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \\\"DROP\\\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000147\"\n tag \"gid\": \"V-38686\"\n tag \"rid\": \"SV-50487r2_rule\"\n tag \"stig_id\": \"RHEL-06-000320\"\n tag \"fix_id\": \"F-43635r1_fix\"\n tag \"cci\": [\"CCI-001109\"]\n tag \"nist\": [\"SC-7 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to ensure the default \\\"FORWARD\\\"\npolicy is \\\"DROP\\\":\n\n# iptables -nvL | grep -i forward\n\nChain FORWARD (policy DROP 0 packets, 0 bytes)\n\nIf the default policy for the FORWARD chain is not set to DROP, this is a\nfinding.\"\n tag \"fix\": \"To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in FORWARD chain which processes packets that will be forwarded from one\ninterface to another, add or correct the following line in\n\\\"/etc/sysconfig/iptables\\\":\n\n:FORWARD DROP [0:0]\"\n\n describe command(\"iptables -nvL | grep -i forward\") do\n its('stdout.strip') { should match %r{Chain FORWARD \\(policy DROP} }\n end\nend\n", + "code": "control \"V-38677\" do\n title \"The NFS server must not have the insecure file locking option enabled.\"\n desc \"Allowing insecure file locking could allow for sensitive data to be\nviewed or edited by an unauthorized user.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000104\"\n tag \"gid\": \"V-38677\"\n tag \"rid\": \"SV-50478r1_rule\"\n tag \"stig_id\": \"RHEL-06-000309\"\n tag \"fix_id\": \"F-43626r1_fix\"\n tag \"cci\": [\"CCI-000764\"]\n tag \"nist\": [\"IA-2\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag 
\"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify insecure file locking has been disabled, run the\nfollowing command:\n\n# grep insecure_locks /etc/exports\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"By default the NFS server requires secure file-lock requests,\nwhich require credentials from the client in order to lock a file. Most NFS\nclients send credentials with file lock requests, however, there are a few\nclients that do not send credentials when requesting a file-lock, allowing the\nclient to only be able to lock world-readable files. To get around this, the\n\\\"insecure_locks\\\" option can be used so these clients can access the desired\nexport. This poses a security risk by potentially allowing the client access to\ndata for which it does not have authorization. Remove any instances of the\n\\\"insecure_locks\\\" option from the file \\\"/etc/exports\\\".\"\n\n describe file(\"/etc/exports\") do\n its(\"content\") { should_not match(/^[^#]*insecure_locks.*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38686.rb", + "ref": "./Red Hat 6 STIG/controls/V-38677.rb", "line": 1 }, - "id": "V-38686" + "id": "V-38677" }, { - "title": "The audit system must be configured to audit successful file system\nmounts.", - "desc": "The unauthorized exportation of data to external media could result in\nan information leak where classified information, Privacy Act information, and\nintellectual property could be lost. 
An audit trail should be created each time\na filesystem is mounted to help identify and guard against information loss.", + "title": "The system must disable accounts after excessive login failures within\na 15-minute interval.", + "desc": "Locking out user accounts after a number of incorrect attempts within\na specific period of time prevents direct password guessing attacks.", "descriptions": { - "default": "The unauthorized exportation of data to external media could result in\nan information leak where classified information, Privacy Act information, and\nintellectual property could be lost. An audit trail should be created each time\na filesystem is mounted to help identify and guard against information loss." + "default": "Locking out user accounts after a number of incorrect attempts within\na specific period of time prevents direct password guessing attacks." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38568", - "rid": "SV-50369r3_rule", - "stig_id": "RHEL-06-000199", - "fix_id": "F-43516r2_fix", + "gtitle": "SRG-OS-000249", + "gid": "V-38501", + "rid": "SV-50302r4_rule", + "stig_id": "RHEL-06-000357", + "fix_id": "F-43448r6_fix", "cci": [ - "CCI-000172" + "CCI-001452" ], "nist": [ - "AU-12 c", + "AC-7 a", "Rev_4" ], "false_negatives": null, 
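Review bot: The `/etc/exports` matcher in the new V-38677 code only rejects the literal `insecure_locks` option, but exports(5) documents `no_auth_nlm` as a synonym with the same effect, so an export written with that spelling passes the control while still allowing unauthenticated lock requests. Widening the pattern covers both forms: `its("content") { should_not match(/^[^#]*(?:insecure_locks|no_auth_nlm)/) }`. The trailing `.*$` in the current regex adds nothing to the match and can go at the same time.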
@@ -3941,35 +3998,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that auditing is configured for all media exportation\nevents, run the following command:\n\n$ sudo grep -w \"mount\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect media exportation\nevents for all users and root. Add the following to \"/etc/audit/audit.rules\",\nsetting ARCH to either b32 or b64 as appropriate for your system:\n\n-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export\n-a always,exit -F arch=ARCH -S mount -F auid=0 -k export" + "check": "To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nFor each file, the output should show \"fail_interval=\"\nwhere \"interval-in-seconds\" is 900 (15 minutes) or greater. If the\n\"fail_interval\" parameter is not set, the default setting of 900 seconds is\nacceptable. If that is not the case, this is a finding. ", + "fix": "Utilizing \"pam_faillock.so\", the \"fail_interval\" directive\nconfigures the system to lock out accounts after a number of incorrect logon\nattempts. 
Modify the content of both \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" as follows:\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"ACCOUNT\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program.\nThe \"authconfig\" program should not be used." }, - "code": "control \"V-38568\" do\n title \"The audit system must be configured to audit successful file system\nmounts.\"\n desc \"The unauthorized exportation of data to external media could result in\nan information leak where classified information, Privacy Act information, and\nintellectual property could be lost. 
An audit trail should be created each time\na filesystem is mounted to help identify and guard against information loss.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38568\"\n tag \"rid\": \"SV-50369r3_rule\"\n tag \"stig_id\": \"RHEL-06-000199\"\n tag \"fix_id\": \"F-43516r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that auditing is configured for all media exportation\nevents, run the following command:\n\n$ sudo grep -w \\\"mount\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect media exportation\nevents for all users and root. 
Add the following to \\\"/etc/audit/audit.rules\\\",\nsetting ARCH to either b32 or b64 as appropriate for your system:\n\n-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export\n-a always,exit -F arch=ARCH -S mount -F auid=0 -k export\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s]+(?:always,exit|exit,always)\\s+(-F\\s+arch=b32\\s+).*(?:,|-S\\s+)mount(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:4294967295|-1)\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s]+(?:always,exit|exit,always)\\s+(-F\\s+arch=b64\\s+).*(?:,|-S\\s+)mount(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:4294967295|-1)\\s+-k\\s+\\S+\\s*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38501\" do\n title \"The system must disable accounts after excessive login failures within\na 15-minute interval.\"\n desc \"Locking out user accounts after a number of incorrect attempts within\na specific period of time prevents direct password guessing attacks.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000249\"\n tag \"gid\": \"V-38501\"\n tag \"rid\": \"SV-50302r4_rule\"\n tag \"stig_id\": \"RHEL-06-000357\"\n tag \"fix_id\": \"F-43448r6_fix\"\n tag \"cci\": [\"CCI-001452\"]\n tag \"nist\": [\"AC-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nFor each file, the output should show \\\"fail_interval=\\\"\nwhere \\\"interval-in-seconds\\\" is 900 (15 minutes) or 
greater. If the\n\\\"fail_interval\\\" parameter is not set, the default setting of 900 seconds is\nacceptable. If that is not the case, this is a finding. \"\n tag \"fix\": \"Utilizing \\\"pam_faillock.so\\\", the \\\"fail_interval\\\" directive\nconfigures the system to lock out accounts after a number of incorrect logon\nattempts. Modify the content of both \\\"/etc/pam.d/system-auth\\\" and\n\\\"/etc/pam.d/password-auth\\\" as follows:\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"ACCOUNT\\\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \\\"/etc/pam.d/system-auth\\\" and\n\\\"/etc/pam.d/password-auth\\\" may be overwritten by the \\\"authconfig\\\" program.\nThe \\\"authconfig\\\" program should not be used.\"\n\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_faillock_fail_interval') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/) }\n end\n 
file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_faillock_fail_interval') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38568.rb", + "ref": "./Red Hat 6 STIG/controls/V-38501.rb", "line": 1 }, - "id": "V-38568" + "id": "V-38501" }, { - "title": "The systems local IPv6 firewall must implement a deny-all,\nallow-by-exception policy for inbound packets.", - "desc": "In \"ip6tables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.", + "title": "The system boot loader configuration file(s) must be group-owned by\nroot.", + "desc": "The \"root\" group is a highly-privileged group. Furthermore, the\ngroup-owner of this file should not have any access privileges anyway.", "descriptions": { - "default": "In \"ip6tables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted." + "default": "The \"root\" group is a highly-privileged group. Furthermore, the\ngroup-owner of this file should not have any access privileges anyway." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000231",
- "gid": "V-38444",
- "rid": "SV-50244r2_rule",
- "stig_id": "RHEL-06-000523",
- "fix_id": "F-43389r3_fix",
+ "gtitle": "SRG-OS-999999",
+ "gid": "V-38581",
+ "rid": "SV-50382r2_rule",
+ "stig_id": "RHEL-06-000066",
+ "fix_id": "F-43529r2_fix",
 "cci": [
- "CCI-000066"
+ "CCI-000366"
 ],
 "nist": [
- "AC-17 e",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
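Review bot: The `describe file("/etc/pam.d/system-auth")` expectation in the new V-38501 code requires `fail_interval=` to be present on the `authfail` line, while the `check` text in the same hunk says an unset `fail_interval` is acceptable because the default is 900 seconds; a host relying on that default therefore fails a test it should pass. The `should match` regex should only assert that the `authfail` line exists, e.g. `its("content") { should match(/^\s*auth\s+(?:sufficient|\[default=die\])\s+pam_faillock\.so\s+authfail/) }`, leaving the `scan` loop to compare any explicit value against `input('pam_faillock_fail_interval')`. The regex also requires `deny=`, `unlock_time=` and `fail_interval=` in that fixed order, which PAM does not, so a compliant line with the options reordered is silently missed. The `password-auth` block later in this hunk has the same two problems.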
@@ -3982,30 +4039,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If IPv6 is disabled, this is not applicable.\n\nInspect the file \"/etc/sysconfig/ip6tables\" to determine the default policy\nfor the INPUT chain. It should be set to DROP:\n\n# grep \":INPUT\" /etc/sysconfig/ip6tables\n\nIf the default policy for the INPUT chain is not set to DROP, this is a\nfinding. ", - "fix": "To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in INPUT chain which processes incoming packets, add or correct the\nfollowing line in \"/etc/sysconfig/ip6tables\":\n\n:INPUT DROP [0:0]\n\nRestart the IPv6 firewall:\n\n# service ip6tables restart" + "check": "To check the group ownership of \"/boot/grub/grub.conf\", run\nthe command:\n\n$ ls -lL /boot/grub/grub.conf\n\nIf properly configured, the output should indicate the group-owner is \"root\".\nIf it does not, this is a finding.", + "fix": "The file \"/boot/grub/grub.conf\" should be group-owned by the\n\"root\" group to prevent destruction or modification of the file. To properly\nset the group owner of \"/boot/grub/grub.conf\", run the command:\n\n# chgrp root /boot/grub/grub.conf" }, - "code": "control \"V-38444\" do\n title \"The systems local IPv6 firewall must implement a deny-all,\nallow-by-exception policy for inbound packets.\"\n desc \"In \\\"ip6tables\\\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \\\"DROP\\\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000231\"\n tag \"gid\": \"V-38444\"\n tag \"rid\": \"SV-50244r2_rule\"\n tag \"stig_id\": \"RHEL-06-000523\"\n tag \"fix_id\": \"F-43389r3_fix\"\n tag \"cci\": [\"CCI-000066\"]\n tag \"nist\": [\"AC-17 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If IPv6 is disabled, this is not applicable.\n\nInspect the file \\\"/etc/sysconfig/ip6tables\\\" to determine the default policy\nfor the INPUT chain. It should be set to DROP:\n\n# grep \\\":INPUT\\\" /etc/sysconfig/ip6tables\n\nIf the default policy for the INPUT chain is not set to DROP, this is a\nfinding. \"\n tag \"fix\": \"To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in INPUT chain which processes incoming packets, add or correct the\nfollowing line in \\\"/etc/sysconfig/ip6tables\\\":\n\n:INPUT DROP [0:0]\n\nRestart the IPv6 firewall:\n\n# service ip6tables restart\"\n\n describe command(\"ip6tables -nvL | grep -i input\") do\n its('stdout.strip') { should match %r{Chain INPUT \\(policy DROP\\) } }\n end\nend\n", + "code": "control \"V-38581\" do\n title \"The system boot loader configuration file(s) must be group-owned by\nroot.\"\n desc \"The \\\"root\\\" group is a highly-privileged group. 
Furthermore, the\ngroup-owner of this file should not have any access privileges anyway.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38581\"\n tag \"rid\": \"SV-50382r2_rule\"\n tag \"stig_id\": \"RHEL-06-000066\"\n tag \"fix_id\": \"F-43529r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/boot/grub/grub.conf\\\", run\nthe command:\n\n$ ls -lL /boot/grub/grub.conf\n\nIf properly configured, the output should indicate the group-owner is \\\"root\\\".\nIf it does not, this is a finding.\"\n tag \"fix\": \"The file \\\"/boot/grub/grub.conf\\\" should be group-owned by the\n\\\"root\\\" group to prevent destruction or modification of the file. 
To properly\nset the group owner of \\\"/boot/grub/grub.conf\\\", run the command:\n\n# chgrp root /boot/grub/grub.conf\"\n\n describe.one do\n describe file(\"/boot/grub/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/grub/grub.conf\") do\n its(\"gid\") { should cmp 0 }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n its(\"gid\") { should cmp 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38444.rb", + "ref": "./Red Hat 6 STIG/controls/V-38581.rb", "line": 1 }, - "id": "V-38444" + "id": "V-38581" }, { - "title": "The xinetd service must be uninstalled if no network services\nutilizing it are enabled.", - "desc": "Removing the \"xinetd\" package decreases the risk of the xinetd\nservice's accidental (or intentional) activation.", + "title": "The Transparent Inter-Process Communication (TIPC) protocol must be\ndisabled unless required.", + "desc": "Disabling TIPC protects the system against exploitation of any flaws\nin its implementation.", "descriptions": { - "default": "Removing the \"xinetd\" package decreases the risk of the xinetd\nservice's accidental (or intentional) activation." + "default": "Disabling TIPC protects the system against exploitation of any flaws\nin its implementation." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-000096", - "gid": "V-38584", - "rid": "SV-50385r1_rule", - "stig_id": "RHEL-06-000204", - "fix_id": "F-43532r1_fix", + "gid": "V-38517", + "rid": "SV-50318r5_rule", + "stig_id": "RHEL-06-000127", + "fix_id": "F-43464r3_fix", "cci": [ "CCI-000382" ], 
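Review bot: The `describe.one` block in the new V-38581 code passes as soon as any one nested describe passes, and the first nested describe only asserts that `/boot/grub/grub.conf` exists, so the `gid` expectation is never required and a grub.conf group-owned by any group satisfies the control. Existence and group ownership belong in the same describe so that one candidate file must satisfy both, with `describe.one` only choosing between the BIOS and EFI paths. The rewrite below keeps both paths and both expectations.
```ruby
# … unchanged: title, desc, impact and tag declarations …
describe.one do
  describe file("/boot/grub/grub.conf") do
    it { should exist }
    its("gid") { should cmp 0 }
  end
  describe file("/boot/efi/EFI/redhat/grub.conf") do
    it { should exist }
    its("gid") { should cmp 0 }
  end
end
```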
@@ -4023,35 +4080,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If network services are using the xinetd service, this is not\napplicable.\n\nRun the following command to determine if the \"xinetd\" package is installed:\n\n# rpm -q xinetd\n\n\nIf the package is installed, this is a finding.", - "fix": "The \"xinetd\" package can be uninstalled with the following\ncommand:\n\n# yum erase xinetd" + "check": "If the system is configured to prevent the loading of the\n\"tipc\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"| grep\n-v \"#\"\n\nIf no line is returned, this is a finding.", + "fix": "The Transparent Inter-Process Communication (TIPC) protocol is\ndesigned to provide communications between nodes in a cluster. 
To configure the\nsystem to prevent the \"tipc\" kernel module from being loaded, add the\nfollowing line to a file in the directory \"/etc/modprobe.d\":\n\ninstall tipc /bin/true" }, - "code": "control \"V-38584\" do\n title \"The xinetd service must be uninstalled if no network services\nutilizing it are enabled.\"\n desc \"Removing the \\\"xinetd\\\" package decreases the risk of the xinetd\nservice's accidental (or intentional) activation.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38584\"\n tag \"rid\": \"SV-50385r1_rule\"\n tag \"stig_id\": \"RHEL-06-000204\"\n tag \"fix_id\": \"F-43532r1_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If network services are using the xinetd service, this is not\napplicable.\n\nRun the following command to determine if the \\\"xinetd\\\" package is installed:\n\n# rpm -q xinetd\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"xinetd\\\" package can be uninstalled with the following\ncommand:\n\n# yum erase xinetd\"\n\n describe package(\"xinetd\") do\n it { should_not be_installed }\n end\nend\n", + "code": "control \"V-38517\" do\n title \"The Transparent Inter-Process Communication (TIPC) protocol must be\ndisabled unless required.\"\n desc \"Disabling TIPC protects the system against exploitation of any flaws\nin its implementation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38517\"\n tag \"rid\": \"SV-50318r5_rule\"\n tag \"stig_id\": \"RHEL-06-000127\"\n tag \"fix_id\": \"F-43464r3_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag 
\"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"tipc\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"| grep\n-v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The Transparent Inter-Process Communication (TIPC) protocol is\ndesigned to provide communications between nodes in a cluster. To configure the\nsystem to prevent the \\\"tipc\\\" kernel module from being loaded, add the\nfollowing line to a file in the directory \\\"/etc/modprobe.d\\\":\n\ninstall tipc /bin/true\"\n\n describe kernel_module('tipc') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38584.rb", + "ref": "./Red Hat 6 STIG/controls/V-38517.rb", "line": 1 }, - "id": "V-38584" + "id": "V-38517" }, { - "title": "The system default umask in /etc/login.defs must be 077.", - "desc": "The umask value influences the permissions assigned to files when they\nare created. 
A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fremovexattr.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users." + "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38645", - "rid": "SV-50446r1_rule", - "stig_id": "RHEL-06-000345", - "fix_id": "F-43594r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38556", + "rid": "SV-50357r3_rule", + "stig_id": "RHEL-06-000190", + "fix_id": "F-43504r2_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
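Review bot: The new V-38517 code contains `it { shold_not be_enabled }`, a misspelling of `should_not` that is undefined inside the example, so the control errors on every host instead of producing a result. The `be_blacklisted` expectation is also stricter than the STIG fix in the same hunk: the fix adds `install tipc /bin/true`, which InSpec's kernel_module resource reports through `be_disabled`, whereas `be_blacklisted` looks for a `blacklist tipc` line the fix never prescribes, so a host remediated exactly as written still fails. I can find no documented `be_enabled` matcher for kernel_module, so that line is best dropped rather than respelled; the block should read `describe kernel_module('tipc') do` / `it { should_not be_loaded }` / `it { should be_disabled }` / `end`.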
@@ -4064,35 +4121,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify the \"umask\" setting is configured correctly in the\n\"/etc/login.defs\" file by running the following command:\n\n# grep -i \"umask\" /etc/login.defs\n\nAll output must show the value of \"umask\" set to 077, as shown in the below:\n\n# grep -i \"umask\" /etc/login.defs\nUMASK 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.", - "fix": "To ensure the default umask controlled by \"/etc/login.defs\" is\nset properly, add or correct the \"umask\" setting in \"/etc/login.defs\" to\nread as follows:\n\nUMASK 077" + "check": "To determine if the system is configured to audit calls to the\n\"fremovexattr\" system call, run the following command:\n\n$ sudo grep -w \"fremovexattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod" }, - "code": "control \"V-38645\" do\n title \"The system default umask in /etc/login.defs must be 077.\"\n desc \"The umask value influences the permissions assigned to files when they\nare created. 
A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38645\"\n tag \"rid\": \"SV-50446r1_rule\"\n tag \"stig_id\": \"RHEL-06-000345\"\n tag \"fix_id\": \"F-43594r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the \\\"umask\\\" setting is configured correctly in the\n\\\"/etc/login.defs\\\" file by running the following command:\n\n# grep -i \\\"umask\\\" /etc/login.defs\n\nAll output must show the value of \\\"umask\\\" set to 077, as shown in the below:\n\n# grep -i \\\"umask\\\" /etc/login.defs\nUMASK 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.\"\n tag \"fix\": \"To ensure the default umask controlled by \\\"/etc/login.defs\\\" is\nset properly, add or correct the \\\"umask\\\" setting in \\\"/etc/login.defs\\\" to\nread as follows:\n\nUMASK 077\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^[\\s]*UMASK[\\s]+([^#\\s]*)/) }\n end\n file(\"/etc/login.defs\").content.to_s.scan(/^[\\s]*UMASK[\\s]+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"077\" }\n end\n end\nend\n", + "code": "control \"V-38556\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fremovexattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can 
facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38556\"\n tag \"rid\": \"SV-50357r3_rule\"\n tag \"stig_id\": \"RHEL-06-000190\"\n tag \"fix_id\": \"F-43504r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fremovexattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fremovexattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)fremovexattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)fremovexattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38645.rb", + "ref": "./Red Hat 6 STIG/controls/V-38556.rb", "line": 1 }, - "id": "V-38645" + "id": "V-38556" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using removexattr.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The audit system must be configured to audit all attempts to alter\nsystem time through /etc/localtime.", + "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). 
All changes\nto the system time should be audited.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38563", - "rid": "SV-50364r3_rule", - "stig_id": "RHEL-06-000195", - "fix_id": "F-43511r2_fix", + "gtitle": "SRG-OS-000062", + "gid": "V-38530", + "rid": "SV-50331r2_rule", + "stig_id": "RHEL-06-000173", + "fix_id": "F-43477r1_fix", "cci": [ - "CCI-000172" + "CCI-000169" ], "nist": [ - "AU-12 c", + "AU-12 a", "Rev_4" ], "false_negatives": null, 
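Review bot: The new V-38556 control only asserts the `arch=b32` rules, so a 64-bit host that carries just the 32-bit fremovexattr rules in `/etc/audit/audit.rules` passes even though the control's own fix text requires the `arch=b64` rules as well, and the trailing `describe.one do ... end` is empty and contributes no assertion (it looks like the placeholder where those b64 checks were meant to go). The V-38563 removexattr control in the hunk at `@@ -4187,35 +4244,35 @@` has the same gap and the same empty `describe.one`. Since the `code` field appears to be an escaped export of `./Red Hat 6 STIG/controls/V-38556.rb` (per `source_location`), the change belongs in that Ruby source with the JSON regenerated; the replacement for the empty block, gating the b64 assertions on `os.arch`, is below.
```ruby
# … unchanged: control metadata, tags and the two arch=b32 describe blocks …
if os.arch == 'x86_64'
  describe file("/etc/audit/audit.rules") do
    its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(?:,|-S[\s]+)fremovexattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) }
  end
  describe file("/etc/audit/audit.rules") do
    its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(?:,|-S[\s]+)fremovexattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) }
  end
end
# … unchanged: closing end of the control …
```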
@@ -4105,35 +4162,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"removexattr\" system call, run the following command:\n\n$ sudo grep -w \"removexattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding.", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod" + "check": "To determine if the system is configured to audit attempts to\nalter time via the /etc/localtime file, run the following command:\n\n$ sudo grep -w \"/etc/localtime\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding.", + "fix": "Add the following to \"/etc/audit/audit.rules\":\n\n-w /etc/localtime -p wa -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport and should\nalways be used." 
}, - "code": "control \"V-38563\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using removexattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38563\"\n tag \"rid\": \"SV-50364r3_rule\"\n tag \"stig_id\": \"RHEL-06-000195\"\n tag \"fix_id\": \"F-43511r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"removexattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"removexattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)removexattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)removexattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38530\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through /etc/localtime.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). 
All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38530\"\n tag \"rid\": \"SV-50331r2_rule\"\n tag \"stig_id\": \"RHEL-06-000173\"\n tag \"fix_id\": \"F-43477r1_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit attempts to\nalter time via the /etc/localtime file, run the following command:\n\n$ sudo grep -w \\\"/etc/localtime\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/localtime -p wa -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport and should\nalways be used.\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-w[\\s]+\\/etc\\/localtime[\\s]+-p[\\s]+\\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\\b.*-k[\\s]+[\\S]+[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38563.rb", + "ref": "./Red Hat 6 STIG/controls/V-38530.rb", "line": 1 }, - "id": "V-38563" + "id": "V-38530" }, { - "title": "The operating system must provide a near real-time alert when any of\nthe organization defined list of compromise or potential compromise indicators\noccurs. 
", - "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", + "title": "The operating system must employ cryptographic mechanisms to prevent\nunauthorized disclosure of data at rest unless otherwise protected by\nalternative physical measures.", + "desc": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.", "descriptions": { - "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." + "default": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000196", - "gid": "V-38700", - "rid": "SV-50501r2_rule", - "stig_id": "RHEL-06-000305", - "fix_id": "F-43649r1_fix", + "gtitle": "SRG-OS-000230", + "gid": "V-38662", + "rid": "SV-50463r2_rule", + "stig_id": "RHEL-06-000277", + "fix_id": "F-43611r3_fix", "cci": [ - "CCI-001263" + "CCI-001200" ], "nist": [ - "SI-4 (5)", + "SC-28 (1)", "Rev_4" ], "false_negatives": null, 
@@ -4146,35 +4203,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", - "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." + "check": "Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.", + "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \"Encrypt\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \"--encrypted\" and \"--passphrase=\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. 
Omitting the \"--passphrase=\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" }, - "code": "control \"V-38700\" do\n title \"The operating system must provide a near real-time alert when any of\nthe organization defined list of compromise or potential compromise indicators\noccurs. \"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000196\"\n tag \"gid\": \"V-38700\"\n tag \"rid\": \"SV-50501r2_rule\"\n tag \"stig_id\": \"RHEL-06-000305\"\n tag \"fix_id\": \"F-43649r1_fix\"\n tag \"cci\": [\"CCI-001263\"]\n tag \"nist\": [\"SI-4 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", + 
"code": "control \"V-38662\" do\n title \"The operating system must employ cryptographic mechanisms to prevent\nunauthorized disclosure of data at rest unless otherwise protected by\nalternative physical measures.\"\n desc \"The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000230\"\n tag \"gid\": \"V-38662\"\n tag \"rid\": \"SV-50463r2_rule\"\n tag \"stig_id\": \"RHEL-06-000277\"\n tag \"fix_id\": \"F-43611r3_fix\"\n tag \"cci\": [\"CCI-001200\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.\"\n tag \"fix\": \"Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \\\"Encrypt\\\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \\\"--encrypted\\\" and \\\"--passphrase=\\\" options to the definition of\neach partition to be encrypted. 
For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. Omitting the \\\"--passphrase=\\\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38700.rb", + "ref": "./Red Hat 6 STIG/controls/V-38662.rb", "line": 1 }, - "id": "V-38700" + "id": "V-38662" }, { - "title": "The FTPS/FTP service on the system must be configured with the\nDepartment of Defense (DoD) login banner.", - "desc": "This setting will cause the system greeting banner to be used for FTP\nconnections as well.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using removexattr.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "This setting will cause the system greeting banner to be used for FTP\nconnections as well." 
+ "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000023", - "gid": "V-38599", - "rid": "SV-50400r2_rule", - "stig_id": "RHEL-06-000348", - "fix_id": "F-43564r3_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38563", + "rid": "SV-50364r3_rule", + "stig_id": "RHEL-06-000195", + "fix_id": "F-43511r2_fix", "cci": [ - "CCI-000048" + "CCI-000172" ], "nist": [ - "AC-8 a", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
@@ -4187,35 +4244,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify this configuration, run the following command:\n\ngrep \"banner_file\" /etc/vsftpd/vsftpd.conf\n\nThe output should show the value of \"banner_file\" is set to \"/etc/issue\",\nan example of which is shown below.\n\n# grep \"banner_file\" /etc/vsftpd/vsftpd.conf\nbanner_file=/etc/issue\n\n\nIf it does not, this is a finding.", - "fix": "Edit the vsftpd configuration file, which resides at\n\"/etc/vsftpd/vsftpd.conf\" by default. Add or correct the following\nconfiguration options.\n\nbanner_file=/etc/issue\n\nRestart the vsftpd daemon.\n\n# service vsftpd restart" + "check": "To determine if the system is configured to audit calls to the\n\"removexattr\" system call, run the following command:\n\n$ sudo grep -w \"removexattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding.", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod" }, - "code": "control \"V-38599\" do\n title \"The FTPS/FTP service on the system must be configured with the\nDepartment of Defense (DoD) login banner.\"\n desc \"This setting will cause the system greeting banner to be used for FTP\nconnections as well.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000023\"\n tag \"gid\": \"V-38599\"\n tag \"rid\": \"SV-50400r2_rule\"\n tag \"stig_id\": \"RHEL-06-000348\"\n tag \"fix_id\": \"F-43564r3_fix\"\n tag \"cci\": [\"CCI-000048\"]\n tag \"nist\": [\"AC-8 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify this configuration, run the following command:\n\ngrep \\\"banner_file\\\" /etc/vsftpd/vsftpd.conf\n\nThe output should show the value of \\\"banner_file\\\" is set to \\\"/etc/issue\\\",\nan example of which is shown below.\n\n# grep \\\"banner_file\\\" /etc/vsftpd/vsftpd.conf\nbanner_file=/etc/issue\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"Edit the vsftpd configuration file, which resides at\n\\\"/etc/vsftpd/vsftpd.conf\\\" by default. 
Add or correct the following\nconfiguration options.\n\nbanner_file=/etc/issue\n\nRestart the vsftpd daemon.\n\n# service vsftpd restart\"\n\n if package('vsftpd').installed?\n describe file('/etc/vsftpd/vsftpd.conf') do\n it { should exist }\n end\n describe parse_config_file('/etc/vsftpd/vsftpd.conf') do\n its('banner_file') { should eq '/etc/issue' }\n end\n else\n impact 0.0\n describe \"Package vsftpd not installed\" do\n skip \"Package vsftpd not installed, this control Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-38563\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using removexattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38563\"\n tag \"rid\": \"SV-50364r3_rule\"\n tag \"stig_id\": \"RHEL-06-000195\"\n tag \"fix_id\": \"F-43511r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"removexattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"removexattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)removexattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)removexattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38599.rb", + "ref": "./Red Hat 6 STIG/controls/V-38563.rb", "line": 1 }, - "id": "V-38599" + "id": "V-38563" }, { - "title": "The telnet-server package must not be installed.", - "desc": "Removing the \"telnet-server\" package decreases the risk of the\nunencrypted telnet service's accidental (or intentional) activation.\n\n Mitigation: If the telnet-server package is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated.", + "title": "The SSH daemon must not allow authentication using an empty password.", + "desc": "Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even in the event\nof misconfiguration elsewhere.", "descriptions": { - "default": "Removing the \"telnet-server\" package decreases the risk of 
the\nunencrypted telnet service's accidental (or intentional) activation.\n\n Mitigation: If the telnet-server package is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated." + "default": "Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even in the event\nof misconfiguration elsewhere." }, "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000095", - "gid": "V-38587", - "rid": "SV-50388r1_rule", - "stig_id": "RHEL-06-000206", - "fix_id": "F-43535r1_fix", + "gtitle": "SRG-OS-000106", + "gid": "V-38614", + "rid": "SV-50415r1_rule", + "stig_id": "RHEL-06-000239", + "fix_id": "F-43562r1_fix", "cci": [ - "CCI-000381" + "CCI-000766" ], "nist": [ - "CM-7 a", + "IA-2 (2)", "Rev_4" ], "false_negatives": null, 
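Review bot: The V-38563 regexes anchor with `^-[Aa][\s]*(?:exit,always|always,exit)+` while the sibling V-38556 control in the hunk at `@@ -4064,35 +4121,35 @@` uses `^[\s]*-a[\s](?:always,exit|exit,always)+` for an identically shaped rule, so the two controls accept different inputs: this one rejects an indented rule line but tolerates no whitespace at all between the flag and its argument, the other does the reverse. The pair should share one pattern, e.g. `^[\s]*-[Aa][\s]+(?:always,exit|exit,always)` as the common prefix, applied in both `.rb` sources before the JSON is regenerated.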
@@ -4228,35 +4285,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if the \"telnet-server\"\npackage is installed:\n\n# rpm -q telnet-server\n\n\nIf the package is installed, this is a finding.", - "fix": "The \"telnet-server\" package can be uninstalled with the\nfollowing command:\n\n# yum erase telnet-server" + "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\"\noption is set, run the following command:\n\n# grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"no\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.", + "fix": "To explicitly disallow remote login from accounts with empty\npasswords, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nPermitEmptyPasswords no\n\nAny accounts with empty passwords should be disabled immediately, and PAM\nconfiguration should prevent users from being able to assign themselves empty\npasswords." 
}, - "code": "control \"V-38587\" do\n title \"The telnet-server package must not be installed.\"\n desc \"Removing the \\\"telnet-server\\\" package decreases the risk of the\nunencrypted telnet service's accidental (or intentional) activation.\n\n Mitigation: If the telnet-server package is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated.\n \"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000095\"\n tag \"gid\": \"V-38587\"\n tag \"rid\": \"SV-50388r1_rule\"\n tag \"stig_id\": \"RHEL-06-000206\"\n tag \"fix_id\": \"F-43535r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"telnet-server\\\"\npackage is installed:\n\n# rpm -q telnet-server\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"telnet-server\\\" package can be uninstalled with the\nfollowing command:\n\n# yum erase telnet-server\"\n\n describe package(\"telnet-server\") do\n it { should_not be_installed }\n end\nend\n", + "code": "control \"V-38614\" do\n title \"The SSH daemon must not allow authentication using an empty password.\"\n desc \"Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even in the event\nof misconfiguration elsewhere.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000106\"\n tag \"gid\": \"V-38614\"\n tag \"rid\": \"SV-50415r1_rule\"\n tag \"stig_id\": \"RHEL-06-000239\"\n tag \"fix_id\": \"F-43562r1_fix\"\n tag \"cci\": [\"CCI-000766\"]\n tag \"nist\": [\"IA-2 
(2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"PermitEmptyPasswords\\\"\noption is set, run the following command:\n\n# grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \\\"no\\\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"To explicitly disallow remote login from accounts with empty\npasswords, add or correct the following line in \\\"/etc/ssh/sshd_config\\\":\n\nPermitEmptyPasswords no\n\nAny accounts with empty passwords should be disabled immediately, and PAM\nconfiguration should prevent users from being able to assign themselves empty\npasswords.\"\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should (eq 'no').or be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38587.rb", + "ref": "./Red Hat 6 STIG/controls/V-38614.rb", "line": 1 }, - "id": "V-38587" + "id": "V-38614" }, { - "title": "The /etc/passwd file must be owned by root.", - "desc": "The \"/etc/passwd\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity.", + "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nosuid option.", + "desc": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.",
 "descriptions": {
- "default": "The \"/etc/passwd\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity."
+ "default": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access."
 },
- "impact": 0.5,
+ "impact": 0.3,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-999999",
- "gid": "V-38450",
- "rid": "SV-50250r1_rule",
- "stig_id": "RHEL-06-000039",
- "fix_id": "F-43395r1_fix",
+ "gtitle": "SRG-OS-000368-GPOS-00154",
+ "gid": "V-81447",
+ "rid": "SV-96161r1_rule",
+ "stig_id": "RHEL-06-000531",
+ "fix_id": "F-88265r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001764"
 ],
 "nist": [
- "CM-6 b",
+ "CM-7 (2)",
 "Rev_4"
 ],
 "false_negatives": null,
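Review bot: The V-38614 test `its('PermitEmptyPasswords') { should (eq 'no').or be_nil }` accepts an absent directive without saying why; a comment such as `# absent directive is compliant: the check text treats "no line" as the required value` would stop a later maintainer from tightening it to a bare `eq 'no'` and breaking parity with the STIG check. The assertion is made against the parsed config file rather than the daemon's effective settings, so a directive placed inside a `Match` block or repeated later in the file is handled however the `sshd_config` resource parses it; that case is worth confirming before relying on it.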
@@ -4269,35 +4326,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the ownership of \"/etc/passwd\", run the command:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following owner:\n\"root\"\nIf it does not, this is a finding.", - "fix": "To properly set the owner of \"/etc/passwd\", run the command:\n\n# chown root /etc/passwd" + "check": "Verify that the \"nosuid\" option is configured for /dev/shm.\n\nCheck that the operating system is configured to use the \"nosuid\" option for\n/dev/shm with the following command:\n\n# cat /etc/fstab | grep /dev/shm | grep nosuid\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf the \"nosuid\" option is not present on the line for \"/dev/shm\", this is a\nfinding.\n\nVerify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n# mount | grep \"/dev/shm\" | grep nosuid\n\nIf no results are returned, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option for all\nlines containing \"/dev/shm\"." }, - "code": "control \"V-38450\" do\n title \"The /etc/passwd file must be owned by root.\"\n desc \"The \\\"/etc/passwd\\\" file contains information about the users that are\nconfigured on the system. 
Protection of this file is critical for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38450\"\n tag \"rid\": \"SV-50250r1_rule\"\n tag \"stig_id\": \"RHEL-06-000039\"\n tag \"fix_id\": \"F-43395r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/etc/passwd\\\", run the command:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following owner:\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the owner of \\\"/etc/passwd\\\", run the command:\n\n# chown root /etc/passwd\"\n\n describe file(\"/etc/passwd\") do\n it { should exist }\n end\n describe file(\"/etc/passwd\") do\n its(\"uid\") { should cmp 0 }\n end\nend\n", + "code": "control \"V-81447\" do\n title \"The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nosuid option.\"\n desc \"The \\\"nosuid\\\" mount option causes the system to not execute\n\\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000368-GPOS-00154\"\n tag \"gid\": \"V-81447\"\n tag \"rid\": \"SV-96161r1_rule\"\n tag \"stig_id\": \"RHEL-06-000531\"\n tag \"fix_id\": \"F-88265r1_fix\"\n tag \"cci\": [\"CCI-001764\"]\n tag \"nist\": [\"CM-7 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify that the \\\"nosuid\\\" option is configured for /dev/shm.\n\nCheck that the operating system is configured to use the \\\"nosuid\\\" option for\n/dev/shm with the following command:\n\n# cat /etc/fstab | grep /dev/shm | grep nosuid\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf the \\\"nosuid\\\" option is not present on the line for \\\"/dev/shm\\\", this is a\nfinding.\n\nVerify \\\"/dev/shm\\\" is mounted with the \\\"nosuid\\\" option:\n\n# mount | grep \\\"/dev/shm\\\" | grep nosuid\n\nIf no results are returned, this is a finding.\"\n tag \"fix\": \"Configure the \\\"/etc/fstab\\\" to use the \\\"nosuid\\\" option for all\nlines containing \\\"/dev/shm\\\".\"\n\n describe file(\"/etc/fstab\") do\n its(\"content\") { should match(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/) }\n end\n file(\"/etc/fstab\").content.to_s.scan(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:nosuid|[\\w,]+,nosuid)(?:$|,[\\w,]+$)/) }\n end\n end\n describe file(\"/etc/mtab\") do\n its(\"content\") { should match(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/) }\n end\n 
file(\"/etc/mtab\").content.to_s.scan(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:nosuid|[\\w,]+,nosuid)(?:$|,[\\w,]+$)/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38450.rb", + "ref": "./Red Hat 6 STIG/controls/V-81447.rb", "line": 1 }, - "id": "V-38450" + "id": "V-81447" }, { - "title": "The audit system must be configured to audit all attempts to alter\nsystem time through adjtimex.", - "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", + "title": "All rsyslog-generated log files must be owned by root.", + "desc": "The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access.", "descriptions": { - "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." + "default": "The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000062", - "gid": "V-81441", - "rid": "SV-96155r1_rule", - "stig_id": "RHEL-06-000166", - "fix_id": "F-88259r1_fix", + "gtitle": "SRG-OS-000206", + "gid": "V-38518", + "rid": "SV-50319r2_rule", + "stig_id": "RHEL-06-000133", + "fix_id": "F-43465r1_fix", "cci": [ - "CCI-000169" + "CCI-001314" ], "nist": [ - "AU-12 a", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
@@ -4310,35 +4367,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"adjtimex\" system call, run the following command:\n\n$ sudo grep -w \"adjtimex\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding.\n", - "fix": "On a 32-bit system, add the following to\n\"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules\n\nOn a 64-bit system, add the following to \"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules" + "check": "The owner of all log files written by \"rsyslog\" should be\nroot. These log files are determined by the second part of each Rule line in\n\"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". To see the\nowner of a given log file, run the following command:\n\n$ ls -l [LOGFILE]\n\nSome log files referenced in /etc/rsyslog.conf may be created by other programs\nand may require exclusion from consideration.\n\nIf the owner is not root, this is a finding. ", + "fix": "The owner of all log files written by \"rsyslog\" should be root.\nThese log files are determined by the second part of each Rule line in\n\"/etc/rsyslog.conf\" typically all appear in \"/var/log\". 
For each log file\n[LOGFILE] referenced in \"/etc/rsyslog.conf\", run the following command to\ninspect the file's owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not \"root\", run the following command to correct this:\n\n# chown root [LOGFILE]" }, - "code": "control \"V-81441\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through adjtimex.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-81441\"\n tag \"rid\": \"SV-96155r1_rule\"\n tag \"stig_id\": \"RHEL-06-000166\"\n tag \"fix_id\": \"F-88259r1_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"adjtimex\\\" system call, run the following command:\n\n$ sudo grep -w \\\"adjtimex\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding.\n\"\n tag \"fix\": \"On a 32-bit system, add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules\n\nOn a 64-bit system, add the following to \\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules\"\n\n describe 
file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b32.*(?:,|-S[\\s]+)adjtimex(?:,|[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b64.*(?:,|-S[\\s]+)adjtimex(?:,|[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n end\nend\n", + "code": "control \"V-38518\" do\n title \"All rsyslog-generated log files must be owned by root.\"\n desc \"The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000206\"\n tag \"gid\": \"V-38518\"\n tag \"rid\": \"SV-50319r2_rule\"\n tag \"stig_id\": \"RHEL-06-000133\"\n tag \"fix_id\": \"F-43465r1_fix\"\n tag \"cci\": [\"CCI-001314\"]\n tag \"nist\": [\"SI-11 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The owner of all log files written by \\\"rsyslog\\\" should be\nroot. These log files are determined by the second part of each Rule line in\n\\\"/etc/rsyslog.conf\\\" and typically all appear in \\\"/var/log\\\". To see the\nowner of a given log file, run the following command:\n\n$ ls -l [LOGFILE]\n\nSome log files referenced in /etc/rsyslog.conf may be created by other programs\nand may require exclusion from consideration.\n\nIf the owner is not root, this is a finding. 
\"\n tag \"fix\": \"The owner of all log files written by \\\"rsyslog\\\" should be root.\nThese log files are determined by the second part of each Rule line in\n\\\"/etc/rsyslog.conf\\\" typically all appear in \\\"/var/log\\\". For each log file\n[LOGFILE] referenced in \\\"/etc/rsyslog.conf\\\", run the following command to\ninspect the file's owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not \\\"root\\\", run the following command to correct this:\n\n# chown root [LOGFILE]\"\n\n # strip comments, empty lines, and lines which start with $ in order to get rules\n rules = file('/etc/rsyslog.conf').content.lines.map do |l|\n pound_index = l.index('#')\n l = l.slice(0, pound_index) if !pound_index.nil?\n l.strip\n end.reject { |l| l.empty? or l.start_with? '$' }\n\n paths = rules.map do |r|\n filter, action = r.split(%r{\\s+})\n next if !(action.start_with? '-/' or action.start_with? '/')\n action.sub(%r{^-/}, '/')\n end.reject { |path| path.nil? }\n\n if paths.empty?\n describe \"rsyslog log files\" do\n subject { paths }\n it { should be_empty }\n end\n else\n paths.each do |path|\n describe file(path) do \n its('owner') { should eq 'root' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-81441.rb", + "ref": "./Red Hat 6 STIG/controls/V-38518.rb", "line": 1 }, - "id": "V-81441" + "id": "V-38518" }, { - "title": "The system must require passwords to contain at least one special\ncharacter.", - "desc": "Requiring a minimum number of special characters makes password\nguessing attacks more difficult by ensuring a larger search space.", + "title": "The cron service must be running.", + "desc": "Due to its usage for maintenance and security-supporting tasks,\nenabling the cron daemon is essential.", "descriptions": { - "default": "Requiring a minimum number of special characters makes password\nguessing attacks more difficult by ensuring a larger search space." 
+ "default": "Due to its usage for maintenance and security-supporting tasks,\nenabling the cron daemon is essential." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000266", - "gid": "V-38570", - "rid": "SV-50371r2_rule", - "stig_id": "RHEL-06-000058", - "fix_id": "F-43518r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38605", + "rid": "SV-50406r2_rule", + "stig_id": "RHEL-06-000224", + "fix_id": "F-43553r2_fix", "cci": [ - "CCI-001619" + "CCI-000366" ], "nist": [ - "IA-5 (1) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -4351,35 +4408,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check how many special characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"ocredit\" parameter (as a negative number) will indicate how many\nspecial characters are required. The DoD requires at least one special\ncharacter in a password. This would appear as \"ocredit=-1\".\n\nIf \"ocredit\" is not found or not set to the required value, this is a finding.", - "fix": "The pam_cracklib module's \"ocredit=\" parameter controls\nrequirements for usage of special (or \"other\") characters in a password. When\nset to a negative number, any password will be required to contain that many\nspecial characters. When set to a positive number, pam_cracklib will grant +1\nadditional length credit for each special character.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"ocredit=-1\"\nafter pam_cracklib.so to require use of a special character in passwords." + "check": "Run the following command to determine the current status of\nthe \"crond\" service:\n\n# service crond status\n\nIf the service is enabled, it should return the following:\n\ncrond is running...\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"crond\" service is used to execute commands at\npreconfigured times. It is required by almost all systems to perform necessary\nmaintenance tasks, such as notifying root of system activity. 
The \"crond\"\nservice can be enabled with the following commands:\n\n# chkconfig crond on\n# service crond start" }, - "code": "control \"V-38570\" do\n title \"The system must require passwords to contain at least one special\ncharacter.\"\n desc \"Requiring a minimum number of special characters makes password\nguessing attacks more difficult by ensuring a larger search space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000266\"\n tag \"gid\": \"V-38570\"\n tag \"rid\": \"SV-50371r2_rule\"\n tag \"stig_id\": \"RHEL-06-000058\"\n tag \"fix_id\": \"F-43518r2_fix\"\n tag \"cci\": [\"CCI-001619\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many special characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"ocredit\\\" parameter (as a negative number) will indicate how many\nspecial characters are required. The DoD requires at least one special\ncharacter in a password. This would appear as \\\"ocredit=-1\\\".\n\nIf \\\"ocredit\\\" is not found or not set to the required value, this is a finding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"ocredit=\\\" parameter controls\nrequirements for usage of special (or \\\"other\\\") characters in a password. When\nset to a negative number, any password will be required to contain that many\nspecial characters. 
When set to a positive number, pam_cracklib will grant +1\nadditional length credit for each special character.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"ocredit=-1\\\"\nafter pam_cracklib.so to require use of a special character in passwords.\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ocredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ocredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ocredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ocredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ocredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ocredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should 
cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ocredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ocredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\nend\n", + "code": "control \"V-38605\" do\n title \"The cron service must be running.\"\n desc \"Due to its usage for maintenance and security-supporting tasks,\nenabling the cron daemon is essential.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38605\"\n tag \"rid\": \"SV-50406r2_rule\"\n tag \"stig_id\": \"RHEL-06-000224\"\n tag \"fix_id\": \"F-43553r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"crond\\\" service:\n\n# service crond status\n\nIf the service is enabled, it should return the following:\n\ncrond is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"crond\\\" service is used to execute commands at\npreconfigured times. It is required by almost all systems to perform necessary\nmaintenance tasks, such as notifying root of system activity. 
The \\\"crond\\\"\nservice can be enabled with the following commands:\n\n# chkconfig crond on\n# service crond start\"\n\n describe package(\"cronie\") do\n it { should be_installed }\n end\n describe.one do\n describe service(\"crond\").runlevels(/0/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/1/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/2/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/3/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/4/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/5/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/6/) do\n it { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38570.rb", + "ref": "./Red Hat 6 STIG/controls/V-38605.rb", "line": 1 }, - "id": "V-38570" + "id": "V-38605" }, { - "title": "The SSH daemon must not allow authentication using an empty password.", - "desc": "Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "title": "The system clock must be synchronized continuously, or at least daily.", + "desc": "Enabling the \"ntpd\" service ensures that the \"ntpd\" service will\nbe running and that the system will synchronize its time to any servers\nspecified. This is important whether the system is configured to be a client\n(and synchronize only its own clock) or it is also acting as an NTP server to\nother systems. 
Synchronizing time is essential for authentication services such\nas Kerberos, but it is also important for maintaining accurate logs and\nauditing possible security breaches.", "descriptions": { - "default": "Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even in the event\nof misconfiguration elsewhere." + "default": "Enabling the \"ntpd\" service ensures that the \"ntpd\" service will\nbe running and that the system will synchronize its time to any servers\nspecified. This is important whether the system is configured to be a client\n(and synchronize only its own clock) or it is also acting as an NTP server to\nother systems. Synchronizing time is essential for authentication services such\nas Kerberos, but it is also important for maintaining accurate logs and\nauditing possible security breaches." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000106", - "gid": "V-38614", - "rid": "SV-50415r1_rule", - "stig_id": "RHEL-06-000239", - "fix_id": "F-43562r1_fix", + "gtitle": "SRG-OS-000056", + "gid": "V-38620", + "rid": "SV-50421r1_rule", + "stig_id": "RHEL-06-000247", + "fix_id": "F-43568r1_fix", "cci": [ - "CCI-000766" + "CCI-000160" ], "nist": [ - "IA-2 (2)", + "AU-8 (1)", "Rev_4" ], "false_negatives": null, 
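Review bot: The V-38605 code never asserts that crond is running, although the check text ends with `If the service is not running, this is a finding.`; the `describe.one` over `service("crond").runlevels(/0/)` through `/6/` only proves the service is enabled in some runlevel, and it passes even when that runlevel is 0 or 6. Adding `describe service("crond") do` / `it { should be_running }` / `end` covers the stated requirement, and the runlevel block could then be restricted to the multi-user runlevels the control is meant for. The V-38620 ntpd control whose tags begin at the end of this hunk has its test code in the next hunk, which is cut off in this view.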
@@ -4392,35 +4449,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\"\noption is set, run the following command:\n\n# grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"no\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.", - "fix": "To explicitly disallow remote login from accounts with empty\npasswords, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nPermitEmptyPasswords no\n\nAny accounts with empty passwords should be disabled immediately, and PAM\nconfiguration should prevent users from being able to assign themselves empty\npasswords." + "check": "Run the following command to determine the current status of\nthe \"ntpd\" service:\n\n# service ntpd status\n\nIf the service is enabled, it should return the following:\n\nntpd is running...\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"ntpd\" service can be enabled with the following command:\n\n# chkconfig ntpd on\n# service ntpd start" }, - "code": "control \"V-38614\" do\n title \"The SSH daemon must not allow authentication using an empty password.\"\n desc \"Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even in the event\nof misconfiguration elsewhere.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000106\"\n tag \"gid\": \"V-38614\"\n tag \"rid\": \"SV-50415r1_rule\"\n tag \"stig_id\": \"RHEL-06-000239\"\n tag \"fix_id\": \"F-43562r1_fix\"\n tag \"cci\": [\"CCI-000766\"]\n tag \"nist\": [\"IA-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag 
\"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"PermitEmptyPasswords\\\"\noption is set, run the following command:\n\n# grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \\\"no\\\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"To explicitly disallow remote login from accounts with empty\npasswords, add or correct the following line in \\\"/etc/ssh/sshd_config\\\":\n\nPermitEmptyPasswords no\n\nAny accounts with empty passwords should be disabled immediately, and PAM\nconfiguration should prevent users from being able to assign themselves empty\npasswords.\"\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should (eq 'no').or be_nil }\n end\nend\n", + "code": "control \"V-38620\" do\n title \"The system clock must be synchronized continuously, or at least daily.\"\n desc \"Enabling the \\\"ntpd\\\" service ensures that the \\\"ntpd\\\" service will\nbe running and that the system will synchronize its time to any servers\nspecified. This is important whether the system is configured to be a client\n(and synchronize only its own clock) or it is also acting as an NTP server to\nother systems. 
Synchronizing time is essential for authentication services such\nas Kerberos, but it is also important for maintaining accurate logs and\nauditing possible security breaches.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000056\"\n tag \"gid\": \"V-38620\"\n tag \"rid\": \"SV-50421r1_rule\"\n tag \"stig_id\": \"RHEL-06-000247\"\n tag \"fix_id\": \"F-43568r1_fix\"\n tag \"cci\": [\"CCI-000160\"]\n tag \"nist\": [\"AU-8 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"ntpd\\\" service:\n\n# service ntpd status\n\nIf the service is enabled, it should return the following:\n\nntpd is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"ntpd\\\" service can be enabled with the following command:\n\n# chkconfig ntpd on\n# service ntpd start\"\n\n describe package(\"ntp\") do\n it { should be_installed }\n end\n describe.one do\n describe service(\"ntpd\").runlevels(/0/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/1/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/2/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/3/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/4/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/5/) do\n it { should be_enabled }\n end\n describe service(\"ntpd\").runlevels(/6/) do\n it { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38614.rb", + "ref": "./Red Hat 6 STIG/controls/V-38620.rb", "line": 1 }, - "id": "V-38614" + "id": "V-38620" }, { - 
"title": "The ntpdate service must not be running.", - "desc": "The \"ntpdate\" service may only be suitable for systems which are\nrebooted frequently enough that clock drift does not cause problems between\nreboots. In any event, the functionality of the ntpdate service is now\navailable in the ntpd program and should be considered deprecated.", + "title": "The system must not accept ICMPv4 redirect packets on any interface.", + "desc": "Accepting ICMP redirects has few legitimate uses. It should be\ndisabled unless it is absolutely required.", "descriptions": { - "default": "The \"ntpdate\" service may only be suitable for systems which are\nrebooted frequently enough that clock drift does not cause problems between\nreboots. In any event, the functionality of the ntpdate service is now\navailable in the ntpd program and should be considered deprecated." + "default": "Accepting ICMP redirects has few legitimate uses. It should be\ndisabled unless it is absolutely required." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38644", - "rid": "SV-50445r2_rule", - "stig_id": "RHEL-06-000265", - "fix_id": "F-43593r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38524", + "rid": "SV-50325r2_rule", + "stig_id": "RHEL-06-000084", + "fix_id": "F-43472r1_fix", "cci": [ - "CCI-000382" + "CCI-000366" ], "nist": [ - "CM-7 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
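Review bot: The V-38620 `code` on the new side only asserts that `ntp` is installed and that `ntpd` is enabled at some runlevel, yet the `check` text it carries ends with "If the service is not running, this is a finding", so an enabled-but-stopped ntpd passes the control. Add `describe service("ntpd") do it { should be_running } end` next to the runlevel block (backslash-escaped inside the JSON string like the rest of the `code` value). The `describe.one` wrapper is also satisfied by enablement in runlevel 0, 1 or 6 alone, which is not a "continuous" synchronization state; this mirrors the pattern the file already uses for `crond`, so it may be a deliberate project convention. The V-38524 object whose title starts at the end of this hunk continues into the next hunk.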
@@ -4433,35 +4490,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"ntpdate\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \"ntpdate\" --list\n\nOutput should indicate the \"ntpdate\" service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"ntpdate\" --list\n\"ntpdate\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"ntpdate\" is disabled through current\nruntime configuration:\n\n# service ntpdate status\n\nIf the service is disabled the command will return the following output:\n\nntpdate is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The ntpdate service sets the local hardware clock by polling NTP\nservers when the system boots. It synchronizes to the NTP servers listed in\n\"/etc/ntp/step-tickers\" or \"/etc/ntp.conf\" and then sets the local hardware\nclock to the newly synchronized system time. The \"ntpdate\" service can be\ndisabled with the following commands:\n\n# chkconfig ntpdate off\n# service ntpdate stop" + "check": "The status of the \"net.ipv4.conf.all.accept_redirects\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.accept_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.accept_redirects = 0" }, - "code": "control \"V-38644\" do\n title \"The ntpdate service must not be running.\"\n desc \"The \\\"ntpdate\\\" service may only be suitable for systems which are\nrebooted frequently enough that clock drift does not cause problems between\nreboots. In any event, the functionality of the ntpdate service is now\navailable in the ntpd program and should be considered deprecated.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38644\"\n tag \"rid\": \"SV-50445r2_rule\"\n tag \"stig_id\": \"RHEL-06-000265\"\n tag \"fix_id\": \"F-43593r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"ntpdate\\\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \\\"ntpdate\\\" --list\n\nOutput should indicate the \\\"ntpdate\\\" service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"ntpdate\\\" --list\n\\\"ntpdate\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"ntpdate\\\" is disabled through current\nruntime configuration:\n\n# service ntpdate status\n\nIf the service is disabled the command will return the following output:\n\nntpdate is stopped\n\n\nIf the service is running, this is a finding.\"\n 
tag \"fix\": \"The ntpdate service sets the local hardware clock by polling NTP\nservers when the system boots. It synchronizes to the NTP servers listed in\n\\\"/etc/ntp/step-tickers\\\" or \\\"/etc/ntp.conf\\\" and then sets the local hardware\nclock to the newly synchronized system time. The \\\"ntpdate\\\" service can be\ndisabled with the following commands:\n\n# chkconfig ntpdate off\n# service ntpdate stop\"\n\n describe.one do\n describe package(\"ntpdate\") do\n it { should_not be_installed }\n end\n describe service(\"ntpdate\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38524\" do\n title \"The system must not accept ICMPv4 redirect packets on any interface.\"\n desc \"Accepting ICMP redirects has few legitimate uses. 
It should be\ndisabled unless it is absolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38524\"\n tag \"rid\": \"SV-50325r2_rule\"\n tag \"stig_id\": \"RHEL-06-000084\"\n tag \"fix_id\": \"F-43472r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.accept_redirects\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.accept_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.accept_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.accept_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.accept_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.accept_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38644.rb", + "ref": "./Red Hat 6 STIG/controls/V-38524.rb", "line": 1 }, - "id": "V-38644" + "id": "V-38524" }, { - "title": "The operating system must employ automated mechanisms to facilitate\nthe monitoring and control of remote access methods.", - "desc": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.", + "title": "The system must not permit interactive boot.", + "desc": "Using interactive boot, the console user could disable auditing,\nfirewalls, or other services, weakening system security.", "descriptions": { - "default": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist." + "default": "Using interactive boot, the console user could disable auditing,\nfirewalls, or other services, weakening system security." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000032", - "gid": "V-38631", - "rid": "SV-50432r2_rule", - "stig_id": "RHEL-06-000148", - "fix_id": "F-43580r2_fix", + "gtitle": "SRG-OS-000080", + "gid": "V-38588", + "rid": "SV-50389r1_rule", + "stig_id": "RHEL-06-000070", + "fix_id": "F-43536r1_fix", "cci": [ - "CCI-000067" + "CCI-000213" ], "nist": [ - "AC-17 (1)", + "AC-3", "Rev_4" ], "false_negatives": null, 
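Review bot: The `/etc/sysctl.conf` regex in the V-38524 `code`, `/^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*0[\s]*$/`, leaves the dots unescaped so each matches any character, and a single matching line satisfies `match` even when a later line in the file re-sets the parameter to 1. Escape the dots, `/^\s*net\.ipv4\.conf\.all\.accept_redirects\s*=\s*0\s*$/` (backslashes doubled in the JSON string), and consider a companion `should_not match` on the same key with a non-zero value. The first `kernel_parameter` describe (`should_not be_nil`) is subsumed by the second (`should eq 0`) and adds only noise to the report. The V-38588 object whose title starts at the end of this hunk continues into the next hunk.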
@@ -4474,35 +4531,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine the current status of\nthe \"auditd\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"auditd\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \"auditd\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start" + "check": "To check whether interactive boot is disabled, run the\nfollowing command:\n\n$ grep PROMPT /etc/sysconfig/init\n\nIf interactive boot is disabled, the output will show:\n\nPROMPT=no\n\n\nIf it does not, this is a finding.", + "fix": "To disable the ability for users to perform interactive startups,\nedit the file \"/etc/sysconfig/init\". Add or correct the line:\n\nPROMPT=no\n\nThe \"PROMPT\" option allows the console user to perform an interactive system\nstartup, in which it is possible to select the set of services which are\nstarted on boot." 
}, - "code": "control \"V-38631\" do\n title \"The operating system must employ automated mechanisms to facilitate\nthe monitoring and control of remote access methods.\"\n desc \"Ensuring the \\\"auditd\\\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000032\"\n tag \"gid\": \"V-38631\"\n tag \"rid\": \"SV-50432r2_rule\"\n tag \"stig_id\": \"RHEL-06-000148\"\n tag \"fix_id\": \"F-43580r2_fix\"\n tag \"cci\": [\"CCI-000067\"]\n tag \"nist\": [\"AC-17 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"auditd\\\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \\\"auditd\\\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start\"\n\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38588\" do\n title \"The system must not permit interactive boot.\"\n desc \"Using interactive boot, the console user could disable auditing,\nfirewalls, or other services, weakening system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000080\"\n tag \"gid\": \"V-38588\"\n tag \"rid\": \"SV-50389r1_rule\"\n tag \"stig_id\": \"RHEL-06-000070\"\n 
tag \"fix_id\": \"F-43536r1_fix\"\n tag \"cci\": [\"CCI-000213\"]\n tag \"nist\": [\"AC-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check whether interactive boot is disabled, run the\nfollowing command:\n\n$ grep PROMPT /etc/sysconfig/init\n\nIf interactive boot is disabled, the output will show:\n\nPROMPT=no\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"To disable the ability for users to perform interactive startups,\nedit the file \\\"/etc/sysconfig/init\\\". Add or correct the line:\n\nPROMPT=no\n\nThe \\\"PROMPT\\\" option allows the console user to perform an interactive system\nstartup, in which it is possible to select the set of services which are\nstarted on boot.\"\n\n describe file(\"/etc/sysconfig/init\") do\n its(\"content\") { should match(/^[\\s]*PROMPT[\\s]*=[\\s]*no[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38631.rb", + "ref": "./Red Hat 6 STIG/controls/V-38588.rb", "line": 1 }, - "id": "V-38631" + "id": "V-38588" }, { - "title": "The Transparent Inter-Process Communication (TIPC) protocol must be\ndisabled unless required.", - "desc": "Disabling TIPC protects the system against exploitation of any flaws\nin its implementation.", + "title": "The system package management tool must verify contents of all files\nassociated with the audit package.", + "desc": "The hash on important files like audit system executables should match\nthe information given by the RPM database. 
Audit executables with erroneous\nhashes could be a sign of nefarious activity on the system.", "descriptions": { - "default": "Disabling TIPC protects the system against exploitation of any flaws\nin its implementation." + "default": "The hash on important files like audit system executables should match\nthe information given by the RPM database. Audit executables with erroneous\nhashes could be a sign of nefarious activity on the system." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38517", - "rid": "SV-50318r5_rule", - "stig_id": "RHEL-06-000127", - "fix_id": "F-43464r3_fix", + "gtitle": "SRG-OS-000278", + "gid": "V-38637", + "rid": "SV-50438r2_rule", + "stig_id": "RHEL-06-000281", + "fix_id": "F-43586r1_fix", "cci": [ - "CCI-000382" + "CCI-001496" ], "nist": [ - "CM-7 b", + "AU-9 (3)", "Rev_4" ], "false_negatives": null, 
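Review bot: The V-38588 `code` reports `/etc/sysconfig/init` as compliant whenever any line matches `/^[\s]*PROMPT[\s]*=[\s]*no[\s]*$/`, but that file is sourced as shell, so a later `PROMPT=yes` line wins at boot and the equally valid quoted form `PROMPT="no"` is rejected by the regex. Pair the positive match with `its("content") { should_not match(/^\s*PROMPT\s*=\s*["']?yes/) }` (backslashes doubled in the JSON string), or read the value with InSpec's `parse_config_file` resource instead of a content regex. The V-38637 object whose title starts at the end of this hunk continues into the next hunk.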
@@ -4515,30 +4572,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is configured to prevent the loading of the\n\"tipc\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"| grep\n-v \"#\"\n\nIf no line is returned, this is a finding.", - "fix": "The Transparent Inter-Process Communication (TIPC) protocol is\ndesigned to provide communications between nodes in a cluster. To configure the\nsystem to prevent the \"tipc\" kernel module from being loaded, add the\nfollowing line to a file in the directory \"/etc/modprobe.d\":\n\ninstall tipc /bin/true" + "check": "The following command will list which audit files on the system\nhave file hashes different from what is expected by the RPM database.\n\n# rpm -V audit | awk '$1 ~ /..5/ && $2 != \"c\"'\n\n\nIf there is output, this is a finding.", + "fix": "The RPM package management system can check the hashes of audit\nsystem package files. Run the following command to list which audit files on\nthe system have hashes that differ from what is expected by the RPM database:\n\n# rpm -V audit | grep '^..5'\n\nA \"c\" in the second column indicates that a file is a configuration file,\nwhich may appropriately be expected to change. 
If the file that has changed was\nnot expected to then refresh from distribution media or online repositories.\n\nrpm -Uvh [affected_package]\n\nOR\n\nyum reinstall [affected_package]" }, - "code": "control \"V-38517\" do\n title \"The Transparent Inter-Process Communication (TIPC) protocol must be\ndisabled unless required.\"\n desc \"Disabling TIPC protects the system against exploitation of any flaws\nin its implementation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38517\"\n tag \"rid\": \"SV-50318r5_rule\"\n tag \"stig_id\": \"RHEL-06-000127\"\n tag \"fix_id\": \"F-43464r3_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"tipc\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"| grep\n-v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The Transparent Inter-Process Communication (TIPC) protocol is\ndesigned to provide communications between nodes in a cluster. 
To configure the\nsystem to prevent the \\\"tipc\\\" kernel module from being loaded, add the\nfollowing line to a file in the directory \\\"/etc/modprobe.d\\\":\n\ninstall tipc /bin/true\"\n\n describe kernel_module('tipc') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control \"V-38637\" do\n title \"The system package management tool must verify contents of all files\nassociated with the audit package.\"\n desc \"The hash on important files like audit system executables should match\nthe information given by the RPM database. Audit executables with erroneous\nhashes could be a sign of nefarious activity on the system.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000278\"\n tag \"gid\": \"V-38637\"\n tag \"rid\": \"SV-50438r2_rule\"\n tag \"stig_id\": \"RHEL-06-000281\"\n tag \"fix_id\": \"F-43586r1_fix\"\n tag \"cci\": [\"CCI-001496\"]\n tag \"nist\": [\"AU-9 (3)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which audit files on the system\nhave file hashes different from what is expected by the RPM database.\n\n# rpm -V audit | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"The RPM package management system can check the hashes of audit\nsystem package files. Run the following command to list which audit files on\nthe system have hashes that differ from what is expected by the RPM database:\n\n# rpm -V audit | grep '^..5'\n\nA \\\"c\\\" in the second column indicates that a file is a configuration file,\nwhich may appropriately be expected to change. 
If the file that has changed was\nnot expected to then refresh from distribution media or online repositories.\n\nrpm -Uvh [affected_package]\n\nOR\n\nyum reinstall [affected_package]\"\n\n describe command(\"rpm -V audit | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38517.rb", + "ref": "./Red Hat 6 STIG/controls/V-38637.rb", "line": 1 }, - "id": "V-38517" + "id": "V-38637" }, { - "title": "The system must use a separate file system for /var.", - "desc": "Ensuring that \"/var\" is mounted on its own partition enables the\nsetting of more restrictive mount options. This helps protect system services\nsuch as daemons or other programs which use it. It is not uncommon for the\n\"/var\" directory to contain world-writable directories, installed by other\nsoftware packages.", + "title": "The root account must be the only account having a UID of 0.", + "desc": "An account has root authority if it has a UID of 0. Multiple accounts\nwith a UID of 0 afford more opportunity for potential intruders to guess a\npassword for a privileged account. Proper configuration of sudo is recommended\nto afford multiple system administrators access to root privileges in an\naccountable manner.", "descriptions": { - "default": "Ensuring that \"/var\" is mounted on its own partition enables the\nsetting of more restrictive mount options. This helps protect system services\nsuch as daemons or other programs which use it. It is not uncommon for the\n\"/var\" directory to contain world-writable directories, installed by other\nsoftware packages." + "default": "An account has root authority if it has a UID of 0. Multiple accounts\nwith a UID of 0 afford more opportunity for potential intruders to guess a\npassword for a privileged account. Proper configuration of sudo is recommended\nto afford multiple system administrators access to root privileges in an\naccountable manner." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38456", - "rid": "SV-50256r1_rule", - "stig_id": "RHEL-06-000002", - "fix_id": "F-43401r2_fix", + "gid": "V-38500", + "rid": "SV-50301r2_rule", + "stig_id": "RHEL-06-000032", + "fix_id": "F-43447r1_fix", "cci": [ "CCI-000366" ], 
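Review bot: The V-38637 `command` test passes vacuously: `rpm -V audit | awk '$1 ~ /..5/ && $2 != "c"'` yields empty stdout both when every file verifies and when the `audit` package is absent or `rpm` itself fails, because the pipeline's status is awk's and only `stdout.strip` is asserted. Add `describe package("audit") do it { should be_installed } end` ahead of the command block so an uninstalled audit daemon does not read as a verified one. The awk filter also skips the `missing` lines `rpm -V` prints for deleted files, since `$1` is then the word `missing` rather than a flag string; that matches the STIG check text verbatim, so it is presumably intentional, but a deleted audit binary is worth a separate assertion. The V-38500 object whose title starts at the end of this hunk continues into the next hunk.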
@@ -4556,35 +4613,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if \"/var\" is on its\nown partition or logical volume:\n\n$ mount | grep \"on /var \"\n\nIf \"/var\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.", - "fix": "The \"/var\" directory is used by daemons and other system\nservices to store frequently-changing data. Ensure that \"/var\" has its own\npartition or logical volume at installation time, or migrate it using LVM." + "check": "To list all password file entries for accounts with UID 0, run\nthe following command:\n\n# awk -F: '($3 == 0) {print}' /etc/passwd\n\nThis should print only one line, for the user root.\nIf any account other than root has a UID of 0, this is a finding.", + "fix": "If any account other than root has a UID of 0, this\nmisconfiguration should be investigated and the accounts other than root should\nbe removed or have their UID changed." }, - "code": "control \"V-38456\" do\n title \"The system must use a separate file system for /var.\"\n desc \"Ensuring that \\\"/var\\\" is mounted on its own partition enables the\nsetting of more restrictive mount options. This helps protect system services\nsuch as daemons or other programs which use it. 
It is not uncommon for the\n\\\"/var\\\" directory to contain world-writable directories, installed by other\nsoftware packages.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38456\"\n tag \"rid\": \"SV-50256r1_rule\"\n tag \"stig_id\": \"RHEL-06-000002\"\n tag \"fix_id\": \"F-43401r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/var\\\" is on its\nown partition or logical volume:\n\n$ mount | grep \\\"on /var \\\"\n\nIf \\\"/var\\\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The \\\"/var\\\" directory is used by daemons and other system\nservices to store frequently-changing data. Ensure that \\\"/var\\\" has its own\npartition or logical volume at installation time, or migrate it using LVM.\"\n\n describe mount(\"/var\") do\n it { should be_mounted }\n end\nend\n", + "code": "control \"V-38500\" do\n title \"The root account must be the only account having a UID of 0.\"\n desc \"An account has root authority if it has a UID of 0. Multiple accounts\nwith a UID of 0 afford more opportunity for potential intruders to guess a\npassword for a privileged account. 
Proper configuration of sudo is recommended\nto afford multiple system administrators access to root privileges in an\naccountable manner.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38500\"\n tag \"rid\": \"SV-50301r2_rule\"\n tag \"stig_id\": \"RHEL-06-000032\"\n tag \"fix_id\": \"F-43447r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To list all password file entries for accounts with UID 0, run\nthe following command:\n\n# awk -F: '($3 == 0) {print}' /etc/passwd\n\nThis should print only one line, for the user root.\nIf any account other than root has a UID of 0, this is a finding.\"\n tag \"fix\": \"If any account other than root has a UID of 0, this\nmisconfiguration should be investigated and the accounts other than root should\nbe removed or have their UID changed.\"\n\n describe file(\"/etc/passwd\") do\n its(\"content\") { should_not match(/^(?!root:)[^:]*:[^:]:0/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38456.rb", + "ref": "./Red Hat 6 STIG/controls/V-38500.rb", "line": 1 }, - "id": "V-38456" + "id": "V-38500" }, { - "title": "The operating system must conduct backups of user-level information\ncontained in the operating system per organization defined frequency to conduct\nbackups consistent with recovery time and recovery point objectives.", - "desc": "Operating system backup is a critical step in maintaining data\nassurance and availability. User-level information is data generated by\ninformation system and/or application users. 
Backups shall be consistent with\norganizational recovery time and recovery point objectives.", + "title": "The operating system must employ automated mechanisms, per\norganization defined frequency, to detect the addition of unauthorized\ncomponents/devices into the operating system.", + "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", "descriptions": { - "default": "Operating system backup is a critical step in maintaining data\nassurance and availability. User-level information is data generated by\ninformation system and/or application users. Backups shall be consistent with\norganizational recovery time and recovery point objectives." + "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000099", - "gid": "V-38488", - "rid": "SV-50289r1_rule", - "stig_id": "RHEL-06-000504", - "fix_id": "F-43435r1_fix", + "gtitle": "SRG-OS-000098", + "gid": "V-38696", + "rid": "SV-50497r2_rule", + "stig_id": "RHEL-06-000303", + "fix_id": "F-43645r1_fix", "cci": [ - "CCI-000535" + "CCI-000416" ], "nist": [ - "CP-9a", + "CM-8 (3) (a)", "Rev_4" ], "false_negatives": null, 
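Review bot: The UID-0 regex in the V-38500 `code`, `/^(?!root:)[^:]*:[^:]:0/`, requires the password field to be exactly one character (`[^:]`), so a constructed entry such as `spare::0:0::/:/bin/sh` — a UID-0 account with an empty password field, the variant an auditor most needs to catch — does not match and the control passes. Use `[^:]*` for the password field and close the UID field on a colon: `its("content") { should_not match(/^(?!root:)[^:]*:[^:]*:0:/) }` (backslashes doubled in the JSON string). InSpec's `passwd` resource expresses the same requirement without a hand-written regex, `describe passwd.uids(0) do its("users") { should cmp "root" } end`. The V-38696 object whose title starts at the end of this hunk continues into the next hunk.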
@@ -4597,43 +4654,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Ask an administrator if a process exists to back up user data\nfrom the system.\n\nIf such a process does not exist, this is a finding.", - "fix": "Procedures to back up user data from the system must be\nestablished and executed. The Red Hat operating system provides utilities for\nautomating such a process. Commercial and open-source products are also\navailable.\n\nImplement a process whereby user data is backed up from the system in\naccordance with local policies." + "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", + "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." }, - "code": "control \"V-38488\" do\n title \"The operating system must conduct backups of user-level information\ncontained in the operating system per organization defined frequency to conduct\nbackups consistent with recovery time and recovery point objectives.\"\n desc \"Operating system backup is a critical step in maintaining data\nassurance and availability. User-level information is data generated by\ninformation system and/or application users. 
Backups shall be consistent with\norganizational recovery time and recovery point objectives.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000099\"\n tag \"gid\": \"V-38488\"\n tag \"rid\": \"SV-50289r1_rule\"\n tag \"stig_id\": \"RHEL-06-000504\"\n tag \"fix_id\": \"F-43435r1_fix\"\n tag \"cci\": [\"CCI-000535\"]\n tag \"nist\": [\"CP-9a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Ask an administrator if a process exists to back up user data\nfrom the system.\n\nIf such a process does not exist, this is a finding.\"\n tag \"fix\": \"Procedures to back up user data from the system must be\nestablished and executed. The Red Hat operating system provides utilities for\nautomating such a process. 
Commercial and open-source products are also\navailable.\n\nImplement a process whereby user data is backed up from the system in\naccordance with local policies.\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38696\" do\n title \"The operating system must employ automated mechanisms, per\norganization defined frequency, to detect the addition of unauthorized\ncomponents/devices into the operating system.\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000098\"\n tag \"gid\": \"V-38696\"\n tag \"rid\": \"SV-50497r2_rule\"\n tag \"stig_id\": \"RHEL-06-000303\"\n tag \"fix_id\": \"F-43645r1_fix\"\n tag \"cci\": [\"CCI-000416\"]\n tag \"nist\": [\"CM-8 (3) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38488.rb", + "ref": "./Red Hat 6 STIG/controls/V-38696.rb", "line": 1 }, - 
"id": "V-38488" + "id": "V-38696" }, { - "title": "The Department of Defense (DoD) login banner must be displayed\nimmediately prior to, or as part of, graphical desktop environment login\nprompts.", - "desc": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchown.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers." + "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000228", - "gid": "V-38689", - "rid": "SV-50490r5_rule", - "stig_id": "RHEL-06-000326", - "fix_id": "F-43638r5_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38552", + "rid": "SV-50353r3_rule", + "stig_id": "RHEL-06-000188", + "fix_id": "F-43500r2_fix", "cci": [ - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-000172" ], "nist": [ - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 3", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
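Review bot: The V-38696 test embedded in this hunk's `code` field passes on a commented-out schedule: `command('grep aide /etc/crontab /etc/cron.*/*')` with `should_not be_empty` is satisfied by any line containing "aide", including a disabled `# 05 4 * * * root /usr/sbin/aide --check`, so periodic integrity checking can be absent while the control reports compliant. The STIG check text admits that reading, but the automated test can be tighter without changing intent: `describe command("grep -h aide /etc/crontab /etc/cron.*/* | grep -v '^[[:space:]]*#'") do`. If this JSON is an export of the profile, the change belongs in the `./Red Hat 6 STIG/controls/V-38696.rb` file named by `source_location`, followed by a re-export.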
@@ -4646,35 +4695,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure login warning banner text is properly set, run the following:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gdm/simple-greeter/banner_message_text\n\nIf properly configured, the proper banner text will appear within this schema.\n\nThe DoD required text is either:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\nOR:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nIf the DoD required banner text does not appear in the schema, this is a\nfinding.", - "fix": "To set the text shown by the GNOME Display Manager in the login\nscreen, run the following command:\n\n# gconftool-2\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type string \\\n--set /apps/gdm/simple-greeter/banner_message_text \\\n\"[DoD required text]\"\n\nWhere the DoD required text is either:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\nOR:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nWhen entering a warning banner that spans several lines, remember to begin and\nend the string with \"\"\". This command writes directly to the file\n\"/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml\", and this\nfile can later be edited directly if necessary." + "check": "To determine if the system is configured to audit calls to the\n\"fchown\" system call, run the following command:\n\n$ sudo grep -w \"fchown\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod" }, - "code": "control \"V-38689\" do\n title \"The Department of Defense (DoD) login banner must be displayed\nimmediately prior to, or as part of, graphical desktop environment login\nprompts.\"\n desc \"An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000228\"\n tag \"gid\": \"V-38689\"\n tag \"rid\": \"SV-50490r5_rule\"\n tag \"stig_id\": \"RHEL-06-000326\"\n tag \"fix_id\": \"F-43638r5_fix\"\n tag \"cci\": [\"CCI-001384\", \"CCI-001385\", \"CCI-001386\", \"CCI-001387\",\n\"CCI-001388\"]\n tag \"nist\": [\"AC-8 c 1\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 3\",\n\"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": 
nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo ensure login warning banner text is properly set, run the following:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gdm/simple-greeter/banner_message_text\n\nIf properly configured, the proper banner text will appear within this schema.\n\nThe DoD required text is either:\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\nOR:\n\n\\\"I've read & consent to terms in IS user agreem't.\\\"\n\nIf the DoD required banner text does not appear in the schema, this is a\nfinding.\"\n tag \"fix\": \"To set the text shown by the GNOME Display Manager in the login\nscreen, run the following command:\n\n# gconftool-2\n--direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type string \\\\\n--set /apps/gdm/simple-greeter/banner_message_text \\\\\n\\\"[DoD required text]\\\"\n\nWhere the DoD required text is either:\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\nOR:\n\n\\\"I've read & consent to terms in IS user agreem't.\\\"\n\nWhen entering a warning banner that spans several lines, remember to begin and\nend the string with \\\"\\\"\\\". This command writes directly to the file\n\\\"/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml\\\", and this\nfile can later be edited directly if necessary.\"\n\n if package('GConf2').installed?\n banner_text = command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text\").stdout.strip.gsub(%r{[\\r\\n\\s]}, '')\n describe \"gconf2 banner text\" do\n subject { banner_text }\n it { should eq input('banner_text').gsub(%r{[\\r\\n\\s]}, '') }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-38552\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchown.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38552\"\n tag \"rid\": \"SV-50353r3_rule\"\n tag \"stig_id\": \"RHEL-06-000188\"\n tag \"fix_id\": \"F-43500r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system 
is configured to audit calls to the\n\\\"fchown\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fchown\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchown(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchown(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38689.rb", + "ref": "./Red Hat 6 STIG/controls/V-38552.rb", "line": 1 }, - "id": "V-38689" + "id": "V-38552" }, { - "title": "The graphical desktop environment must automatically lock after 15\nminutes of inactivity and the system must require user reauthentication to\nunlock the environment.", - "desc": "Enabling idle activation of the screen saver ensures the screensaver\nwill be activated after the idle delay. 
Applications requiring continuous,\nreal-time screen display (such as network management products) require the\nlogin session does not have administrator rights and the display station is\nlocated in a controlled-access area.", + "title": "The /etc/passwd file must be owned by root.", + "desc": "The \"/etc/passwd\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity.", "descriptions": { - "default": "Enabling idle activation of the screen saver ensures the screensaver\nwill be activated after the idle delay. Applications requiring continuous,\nreal-time screen display (such as network management products) require the\nlogin session does not have administrator rights and the display station is\nlocated in a controlled-access area." + "default": "The \"/etc/passwd\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000029", - "gid": "V-38630", - "rid": "SV-50431r3_rule", - "stig_id": "RHEL-06-000258", - "fix_id": "F-43579r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38450", + "rid": "SV-50250r1_rule", + "stig_id": "RHEL-06-000039", + "fix_id": "F-43395r1_fix", "cci": [ - "CCI-000057" + "CCI-000366" ], "nist": [ - "AC-11 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
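Review bot: The V-38552 code in this hunk asserts only `arch=b32` fchown rules, while its own fix text requires `arch=b64` rules as well on 64-bit systems; on x86_64 a rule set covering just the 32-bit ABI leaves native fchown calls unaudited and the control still passes. Duplicate the two `describe file("/etc/audit/audit.rules")` blocks with `arch=b64` in place of `arch=b32`, guarded by `if os.arch == 'x86_64'` (or the profile's equivalent arch check), so both ABIs are required where applicable. The trailing `describe.one do\n \n end` is empty, asserts nothing, and reads as a leftover; it should be removed. If this JSON is an export, make the change in `./Red Hat 6 STIG/controls/V-38552.rb` from `source_location` and re-export.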
@@ -4687,35 +4736,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo check the screensaver mandatory use status, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/idle_activation_enabled\n\nIf properly configured, the output should be \"true\".\n\nIf it is not, this is a finding.", - "fix": "Run the following command to activate the screensaver in the\nGNOME desktop after a period of inactivity:\n\n# gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool \\\n--set /apps/gnome-screensaver/idle_activation_enabled true" + "check": "To check the ownership of \"/etc/passwd\", run the command:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following owner:\n\"root\"\nIf it does not, this is a finding.", + "fix": "To properly set the owner of \"/etc/passwd\", run the command:\n\n# chown root /etc/passwd" }, - "code": "control \"V-38630\" do\n title \"The graphical desktop environment must automatically lock after 15\nminutes of inactivity and the system must require user reauthentication to\nunlock the environment.\"\n desc \"Enabling idle activation of the screen saver ensures the screensaver\nwill be activated after the idle delay. 
Applications requiring continuous,\nreal-time screen display (such as network management products) require the\nlogin session does not have administrator rights and the display station is\nlocated in a controlled-access area.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000029\"\n tag \"gid\": \"V-38630\"\n tag \"rid\": \"SV-50431r3_rule\"\n tag \"stig_id\": \"RHEL-06-000258\"\n tag \"fix_id\": \"F-43579r1_fix\"\n tag \"cci\": [\"CCI-000057\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo check the screensaver mandatory use status, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/idle_activation_enabled\n\nIf properly configured, the output should be \\\"true\\\".\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"Run the following command to activate the screensaver in the\nGNOME desktop after a period of inactivity:\n\n# gconftool-2 --direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type bool \\\\\n--set /apps/gnome-screensaver/idle_activation_enabled true\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled\") do\n its('stdout.strip') { should eq 'true' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-38450\" do\n title \"The /etc/passwd file must be owned by 
root.\"\n desc \"The \\\"/etc/passwd\\\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38450\"\n tag \"rid\": \"SV-50250r1_rule\"\n tag \"stig_id\": \"RHEL-06-000039\"\n tag \"fix_id\": \"F-43395r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/etc/passwd\\\", run the command:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following owner:\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the owner of \\\"/etc/passwd\\\", run the command:\n\n# chown root /etc/passwd\"\n\n describe file(\"/etc/passwd\") do\n it { should exist }\n end\n describe file(\"/etc/passwd\") do\n its(\"uid\") { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38630.rb", + "ref": "./Red Hat 6 STIG/controls/V-38450.rb", "line": 1 }, - "id": "V-38630" + "id": "V-38450" }, { - "title": "Users must be warned 7 days in advance of password expiration.", - "desc": "Setting the password warning age enables users to make the change at a\npractical time.", + "title": "The audit system must take appropriate action when the audit storage\nvolume is full.", + "desc": "Taking appropriate action in case of a filled audit storage volume\nwill minimize the possibility of losing audit records.", "descriptions": { - "default": "Setting the password warning age enables users to make the change at a\npractical time." 
+ "default": "Taking appropriate action in case of a filled audit storage volume\nwill minimize the possibility of losing audit records." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38480", - "rid": "SV-50280r1_rule", - "stig_id": "RHEL-06-000054", - "fix_id": "F-43425r1_fix", + "gtitle": "SRG-OS-000047", + "gid": "V-38468", + "rid": "SV-50268r1_rule", + "stig_id": "RHEL-06-000510", + "fix_id": "F-43413r1_fix", "cci": [ - "CCI-000366" + "CCI-000140" ], "nist": [ - "CM-6 b", + "AU-5 b", "Rev_4" ], "false_negatives": null, 
@@ -4728,35 +4777,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the password warning age, run the command:\n\n$ grep PASS_WARN_AGE /etc/login.defs\n\nThe DoD requirement is 7.\nIf it is not set to the required value, this is a finding.", - "fix": "To specify how many days prior to password expiration that a\nwarning will be issued to users, edit the file \"/etc/login.defs\" and add or\ncorrect the following line, replacing [DAYS] appropriately:\n\nPASS_WARN_AGE [DAYS]\n\nThe DoD requirement is 7." + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to take appropriate action when\nthe audit storage volume is full:\n\n# grep disk_full_action /etc/audit/auditd.conf\ndisk_full_action = [ACTION]\n\n\nIf the system is configured to \"suspend\" when the volume is full or\n\"ignore\" that it is full, this is a finding.", + "fix": "The \"auditd\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify\nthe following line, substituting [ACTION] appropriately:\n\ndisk_full_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page.\nThese include:\n\n\"ignore\"\n\"syslog\"\n\"exec\"\n\"suspend\"\n\"single\"\n\"halt\"\n\n\nSet this to \"syslog\", \"exec\", \"single\", or \"halt\"." 
}, - "code": "control \"V-38480\" do\n title \"Users must be warned 7 days in advance of password expiration.\"\n desc \"Setting the password warning age enables users to make the change at a\npractical time.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38480\"\n tag \"rid\": \"SV-50280r1_rule\"\n tag \"stig_id\": \"RHEL-06-000054\"\n tag \"fix_id\": \"F-43425r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the password warning age, run the command:\n\n$ grep PASS_WARN_AGE /etc/login.defs\n\nThe DoD requirement is 7.\nIf it is not set to the required value, this is a finding.\"\n tag \"fix\": \"To specify how many days prior to password expiration that a\nwarning will be issued to users, edit the file \\\"/etc/login.defs\\\" and add or\ncorrect the following line, replacing [DAYS] appropriately:\n\nPASS_WARN_AGE [DAYS]\n\nThe DoD requirement is 7.\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^[\\s]*PASS_WARN_AGE[\\s]*(\\d+)\\s*$/) }\n end\n file(\"/etc/login.defs\").content.to_s.scan(/^[\\s]*PASS_WARN_AGE[\\s]*(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 7 }\n end\n end\nend\n", + "code": "control \"V-38468\" do\n title \"The audit system must take appropriate action when the audit storage\nvolume is full.\"\n desc \"Taking appropriate action in case of a filled audit storage volume\nwill minimize the possibility of losing audit records.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000047\"\n tag \"gid\": \"V-38468\"\n tag \"rid\": \"SV-50268r1_rule\"\n tag \"stig_id\": \"RHEL-06-000510\"\n tag 
\"fix_id\": \"F-43413r1_fix\"\n tag \"cci\": [\"CCI-000140\"]\n tag \"nist\": [\"AU-5 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to take appropriate action when\nthe audit storage volume is full:\n\n# grep disk_full_action /etc/audit/auditd.conf\ndisk_full_action = [ACTION]\n\n\nIf the system is configured to \\\"suspend\\\" when the volume is full or\n\\\"ignore\\\" that it is full, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \\\"/etc/audit/auditd.conf\\\". Modify\nthe following line, substituting [ACTION] appropriately:\n\ndisk_full_action = [ACTION]\n\nPossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page.\nThese include:\n\n\\\"ignore\\\"\n\\\"syslog\\\"\n\\\"exec\\\"\n\\\"suspend\\\"\n\\\"single\\\"\n\\\"halt\\\"\n\n\nSet this to \\\"syslog\\\", \\\"exec\\\", \\\"single\\\", or \\\"halt\\\".\"\n\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('disk_full_action') { should_not be_nil }\n its('disk_full_action.downcase') { should_not be_in ['suspend', 'ignore'] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38480.rb", + "ref": "./Red Hat 6 STIG/controls/V-38468.rb", "line": 1 }, - "id": "V-38480" + "id": "V-38468" }, { - "title": "The ypbind service must not be running.", - "desc": "Disabling the \"ypbind\" service ensures the system is not acting as a\nclient in a NIS or NIS+ domain.", + "title": "Audit log files must be group-owned by root.", + "desc": "If non-privileged 
users can write to audit logs, audit trails can be\nmodified or destroyed.", "descriptions": { - "default": "Disabling the \"ypbind\" service ensures the system is not acting as a\nclient in a NIS or NIS+ domain." + "default": "If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38604", - "rid": "SV-50405r2_rule", - "stig_id": "RHEL-06-000221", - "fix_id": "F-43552r2_fix", + "gtitle": "SRG-OS-000057", + "gid": "V-38445", + "rid": "SV-50245r2_rule", + "stig_id": "RHEL-06-000522", + "fix_id": "F-43390r1_fix", "cci": [ - "CCI-000382" + "CCI-000162" ], "nist": [ - "CM-7 b", + "AU-9", "Rev_4" ], "false_negatives": null, 
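Review bot: The V-38468 test in this hunk only rejects `suspend` and `ignore`, so a misspelled or unrecognized `disk_full_action` value passes even though the fix text mandates one of `syslog`, `exec`, `single`, or `halt`; and when the key is absent, `its('disk_full_action.downcase')` is likely to raise NoMethodError on nil, surfacing as an error rather than a clean assertion failure. An allow-list closes both gaps in one line: `its('disk_full_action.to_s.downcase') { should be_in %w(syslog exec single halt) }`. If this JSON is an export, the change belongs in `./Red Hat 6 STIG/controls/V-38468.rb` named by `source_location`.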
@@ -4769,35 +4818,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"ypbind\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"ypbind\" --list\n\nOutput should indicate the \"ypbind\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"ypbind\" --list\n\"ypbind\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"ypbind\" is disabled through current\nruntime configuration:\n\n# service ypbind status\n\nIf the service is disabled the command will return the following output:\n\nypbind is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The \"ypbind\" service, which allows the system to act as a\nclient in a NIS or NIS+ domain, should be disabled. The \"ypbind\" service can\nbe disabled with the following commands:\n\n# chkconfig ypbind off\n# service ypbind stop" + "check": "Run the following command to check the group owner of the\nsystem audit logs:\n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %G:%n\n\nAudit logs must be group-owned by root.\nIf they are not, this is a finding.", + "fix": "Change the group owner of the audit log files with the following\ncommand:\n\n# chgrp root [audit_file]" }, - "code": "control \"V-38604\" do\n title \"The ypbind service must not be running.\"\n desc \"Disabling the \\\"ypbind\\\" service ensures the system is not acting as a\nclient in a NIS or NIS+ domain.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38604\"\n tag \"rid\": \"SV-50405r2_rule\"\n tag \"stig_id\": \"RHEL-06-000221\"\n tag \"fix_id\": \"F-43552r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": 
false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"ypbind\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"ypbind\\\" --list\n\nOutput should indicate the \\\"ypbind\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"ypbind\\\" --list\n\\\"ypbind\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"ypbind\\\" is disabled through current\nruntime configuration:\n\n# service ypbind status\n\nIf the service is disabled the command will return the following output:\n\nypbind is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"ypbind\\\" service, which allows the system to act as a\nclient in a NIS or NIS+ domain, should be disabled. The \\\"ypbind\\\" service can\nbe disabled with the following commands:\n\n# chkconfig ypbind off\n# service ypbind stop\"\n\n describe.one do\n describe package(\"ypbind\") do\n it { should_not be_installed }\n end\n describe service(\"ypbind\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38445\" do\n title \"Audit log files must be group-owned by root.\"\n desc \"If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000057\"\n tag \"gid\": \"V-38445\"\n tag \"rid\": \"SV-50245r2_rule\"\n tag \"stig_id\": \"RHEL-06-000522\"\n tag \"fix_id\": 
\"F-43390r1_fix\"\n tag \"cci\": [\"CCI-000162\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check the group owner of the\nsystem audit logs:\n\ngrep \\\"^log_file\\\" /etc/audit/auditd.conf|sed s/^[^\\\\/]*//|xargs stat -c %G:%n\n\nAudit logs must be group-owned by root.\nIf they are not, this is a finding.\"\n tag \"fix\": \"Change the group owner of the audit log files with the following\ncommand:\n\n# chgrp root [audit_file]\"\n\n describe command(\"grep \\\"^log_file\\\" /etc/audit/auditd.conf|sed s/^[^\\\\/]*//|xargs stat -c %G:%n\") do\n its('stdout.lines') { should all match %{^root:} }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38604.rb", + "ref": "./Red Hat 6 STIG/controls/V-38445.rb", "line": 1 }, - "id": "V-38604" + "id": "V-38445" }, { - "title": "The system package management tool must cryptographically verify the\nauthenticity of all software packages during installation.", - "desc": "Ensuring all packages' cryptographic signatures are valid prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering.", + "title": "The system must not permit root logins using remote access programs\nsuch as ssh.", + "desc": "Permitting direct root login reduces auditable information about who\nran privileged commands on the system and also allows direct attack attempts on\nroot's password.", "descriptions": { - "default": "Ensuring all packages' cryptographic signatures are valid prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering." 
+ "default": "Permitting direct root login reduces auditable information about who\nran privileged commands on the system and also allows direct attack attempts on\nroot's password." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000103", - "gid": "V-38487", - "rid": "SV-50288r1_rule", - "stig_id": "RHEL-06-000015", - "fix_id": "F-43433r1_fix", + "gtitle": "SRG-OS-000109", + "gid": "V-38613", + "rid": "SV-50414r1_rule", + "stig_id": "RHEL-06-000237", + "fix_id": "F-43561r1_fix", "cci": [ - "CCI-000663" + "CCI-000770" ], "nist": [ - "SA-7", + "IA-2 (5)", "Rev_4" ], "false_negatives": null, 
@@ -4810,35 +4859,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine whether \"yum\" has been configured to disable\n\"gpgcheck\" for any repos, inspect all files in \"/etc/yum.repos.d\" and\nensure the following does not appear in any sections:\n\ngpgcheck=0\n\nA value of \"0\" indicates that \"gpgcheck\" has been disabled for that repo.\nIf GPG checking is disabled, this is a finding.\n\nIf the \"yum\" system package management tool is not used to update the system,\nverify with the SA that installed packages are cryptographically signed.", - "fix": "To ensure signature checking is not disabled for any repos,\nremove any lines from files in \"/etc/yum.repos.d\" of the form:\n\ngpgcheck=0" + "check": "To determine how the SSH daemon's \"PermitRootLogin\" option is\nset, run the following command:\n\n# grep -i PermitRootLogin /etc/ssh/sshd_config\n\nIf a line indicating \"no\" is returned, then the required value is set.\nIf the required value is not set, this is a finding.", + "fix": "The root user should never be allowed to log in to a system\ndirectly over a network. 
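Review bot: The new V-38445 assertion `its('stdout.lines') { should all match %{^root:} }` passes vacuously when the pipeline prints nothing — no `log_file` line in auditd.conf, a `stat` that fails on a missing log, or `sed` stripping the entire line — so an absent or unreadable audit log is reported as compliant. Pair it with `its('exit_status') { should eq 0 }` and `its('stdout') { should_not be_empty }` so an empty result is a finding; since this JSON looks like an InSpec export, the change belongs in the referenced `./Red Hat 6 STIG/controls/V-38445.rb` source with the baseline regenerated. Separately, this file is named as the Canonical Ubuntu 16.04 STIG baseline, yet every control in this and the following hunks carries RHEL-06 stig_ids and `./Red Hat 6 STIG/controls/` source refs (V-38445, V-38613, V-38548, V-38544, V-38700, V-38699); if that mixing is not intentional, the asset is mislabeled and the app will present RHEL 6 checks as Ubuntu guidance. The V-38445 control object opens in the preceding hunk, outside this one.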
To disable root login via SSH, add or correct the\nfollowing line in \"/etc/ssh/sshd_config\":\n\nPermitRootLogin no" }, - "code": "control \"V-38487\" do\n title \"The system package management tool must cryptographically verify the\nauthenticity of all software packages during installation.\"\n desc \"Ensuring all packages' cryptographic signatures are valid prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000103\"\n tag \"gid\": \"V-38487\"\n tag \"rid\": \"SV-50288r1_rule\"\n tag \"stig_id\": \"RHEL-06-000015\"\n tag \"fix_id\": \"F-43433r1_fix\"\n tag \"cci\": [\"CCI-000663\"]\n tag \"nist\": [\"SA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine whether \\\"yum\\\" has been configured to disable\n\\\"gpgcheck\\\" for any repos, inspect all files in \\\"/etc/yum.repos.d\\\" and\nensure the following does not appear in any sections:\n\ngpgcheck=0\n\nA value of \\\"0\\\" indicates that \\\"gpgcheck\\\" has been disabled for that repo.\nIf GPG checking is disabled, this is a finding.\n\nIf the \\\"yum\\\" system package management tool is not used to update the system,\nverify with the SA that installed packages are cryptographically signed.\"\n tag \"fix\": \"To ensure signature checking is not disabled for any repos,\nremove any lines from files in \\\"/etc/yum.repos.d\\\" of the form:\n\ngpgcheck=0\"\n\n command(\"find /etc/yum.repos.d -type f -regex .\\\\*/.\\\\*\").stdout.split.each do |entry|\n describe file(entry) do\n its(\"content\") { should_not match(/^\\s*gpgcheck\\s*=\\s*0\\s*$/) }\n end\n end\nend\n", + "code": "control \"V-38613\" do\n 
title \"The system must not permit root logins using remote access programs\nsuch as ssh.\"\n desc \"Permitting direct root login reduces auditable information about who\nran privileged commands on the system and also allows direct attack attempts on\nroot's password.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000109\"\n tag \"gid\": \"V-38613\"\n tag \"rid\": \"SV-50414r1_rule\"\n tag \"stig_id\": \"RHEL-06-000237\"\n tag \"fix_id\": \"F-43561r1_fix\"\n tag \"cci\": [\"CCI-000770\"]\n tag \"nist\": [\"IA-2 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"PermitRootLogin\\\" option is\nset, run the following command:\n\n# grep -i PermitRootLogin /etc/ssh/sshd_config\n\nIf a line indicating \\\"no\\\" is returned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"The root user should never be allowed to log in to a system\ndirectly over a network. 
To disable root login via SSH, add or correct the\nfollowing line in \\\"/etc/ssh/sshd_config\\\":\n\nPermitRootLogin no\"\n\n describe sshd_config do\n its('PermitRootLogin') { should eq 'no' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38487.rb", + "ref": "./Red Hat 6 STIG/controls/V-38613.rb", "line": 1 }, - "id": "V-38487" + "id": "V-38613" }, { - "title": "All accounts on the system must have unique user or account names", - "desc": "Unique usernames allow for accountability on the system.", + "title": "The system must ignore ICMPv6 redirects by default.", + "desc": "An illicit ICMP redirect message could result in a man-in-the-middle\nattack.", "descriptions": { - "default": "Unique usernames allow for accountability on the system." + "default": "An illicit ICMP redirect message could result in a man-in-the-middle\nattack." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000121", - "gid": "V-38683", - "rid": "SV-50484r1_rule", - "stig_id": "RHEL-06-000296", - "fix_id": "F-43632r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38548", + "rid": "SV-50349r3_rule", + "stig_id": "RHEL-06-000099", + "fix_id": "F-43496r1_fix", "cci": [ - "CCI-000804" + "CCI-000366" ], "nist": [ - "IA-8", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -4851,30 +4900,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to check for duplicate account names:\n\n# pwck -rq\n\nIf there are no duplicate names, no line will be returned.\nIf a line is returned, this is a finding.", - "fix": "Change usernames, or delete accounts, so each has a unique name." + "check": "If IPv6 is disabled, this is not applicable.\n\nThe status of the \"net.ipv6.conf.default.accept_redirects\" kernel parameter\ncan be queried by running the following command:\n\n$ sysctl net.ipv6.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", + "fix": "To set the runtime status of the\n\"net.ipv6.conf.default.accept_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv6.conf.default.accept_redirects = 0" }, - "code": "control \"V-38683\" do\n title \"All accounts on the system must have unique user or account names\"\n desc \"Unique usernames allow for accountability on the system.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000121\"\n tag \"gid\": \"V-38683\"\n tag \"rid\": \"SV-50484r1_rule\"\n tag \"stig_id\": \"RHEL-06-000296\"\n tag \"fix_id\": \"F-43632r1_fix\"\n tag \"cci\": [\"CCI-000804\"]\n tag \"nist\": [\"IA-8\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag 
\"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check for duplicate account names:\n\n# pwck -rq\n\nIf there are no duplicate names, no line will be returned.\nIf a line is returned, this is a finding.\"\n tag \"fix\": \"Change usernames, or delete accounts, so each has a unique name.\"\n\n describe command(\"pwck -rq\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38548\" do\n title \"The system must ignore ICMPv6 redirects by default.\"\n desc \"An illicit ICMP redirect message could result in a man-in-the-middle\nattack.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38548\"\n tag \"rid\": \"SV-50349r3_rule\"\n tag \"stig_id\": \"RHEL-06-000099\"\n tag \"fix_id\": \"F-43496r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If IPv6 is disabled, this is not applicable.\n\nThe status of the \\\"net.ipv6.conf.default.accept_redirects\\\" kernel parameter\ncan be queried by running the following command:\n\n$ sysctl net.ipv6.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv6.conf.default.accept_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv6.conf.default.accept_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv6.conf.default.accept_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv6.conf.default.accept_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38683.rb", + "ref": "./Red Hat 6 STIG/controls/V-38548.rb", "line": 1 }, - "id": "V-38683" + "id": "V-38548" }, { - "title": "The snmpd service must use only SNMP protocol version 3 or newer.", - "desc": "Earlier versions of SNMP are considered insecure, as they potentially\nallow unauthorized access to detailed system management information.", + "title": "The system must use a reverse-path filter for IPv4 network traffic\nwhen possible by default.", + "desc": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.", "descriptions": { - "default": "Earlier versions of SNMP are considered insecure, as they potentially\nallow unauthorized access to detailed system management information." + "default": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks." 
}, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38660", - "rid": "SV-50461r1_rule", - "stig_id": "RHEL-06-000340", - "fix_id": "F-43604r1_fix", + "gid": "V-38544", + "rid": "SV-50345r2_rule", + "stig_id": "RHEL-06-000097", + "fix_id": "F-43492r1_fix", "cci": [ "CCI-000366" ], 
@@ -4892,35 +4941,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure only SNMPv3 or newer is used, run the following\ncommand:\n\n# grep 'v1\\|v2c\\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'\n\nThere should be no output.\nIf there is output, this is a finding.", - "fix": "Edit \"/etc/snmp/snmpd.conf\", removing any references to \"v1\",\n\"v2c\", or \"com2sec\". Upon doing that, restart the SNMP service:\n\n# service snmpd restart" + "check": "The status of the \"net.ipv4.conf.default.rp_filter\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.rp_filter\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
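Review bot: The V-38548 check text says the control is not applicable when IPv6 is disabled, but the InSpec code asserts `kernel_parameter("net.ipv6.conf.default.accept_redirects")` and the `/etc/sysctl.conf` line unconditionally, so an IPv6-disabled host is reported as failing rather than N/A. Gate the control before the describe blocks, e.g. `only_if('IPv6 is disabled; control is not applicable') { kernel_parameter('net.ipv6.conf.all.disable_ipv6').value == 0 }`. Both this control and V-38544 in the next hunk also demand a literal `/etc/sysctl.conf` entry even though the check text only requires one when the value is not the system default, and their regexes use unescaped dots (`net.ipv6.conf.default.accept_redirects`) that match any character. As the JSON appears to be generated from the referenced `./Red Hat 6 STIG/controls/V-38548.rb` and `V-38544.rb` sources, the fix belongs there with the baseline re-exported.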
", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.rp_filter\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.rp_filter=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.rp_filter = 1" }, - "code": "control \"V-38660\" do\n title \"The snmpd service must use only SNMP protocol version 3 or newer.\"\n desc \"Earlier versions of SNMP are considered insecure, as they potentially\nallow unauthorized access to detailed system management information.\n\n \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38660\"\n tag \"rid\": \"SV-50461r1_rule\"\n tag \"stig_id\": \"RHEL-06-000340\"\n tag \"fix_id\": \"F-43604r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure only SNMPv3 or newer is used, run the following\ncommand:\n\n# grep 'v1\\\\|v2c\\\\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'\n\nThere should be no output.\nIf there is output, this is a finding.\"\n tag \"fix\": \"Edit \\\"/etc/snmp/snmpd.conf\\\", removing any references to \\\"v1\\\",\n\\\"v2c\\\", or \\\"com2sec\\\". 
Upon doing that, restart the SNMP service:\n\n# service snmpd restart\"\n\n describe command(\"grep 'v1\\\\|v2c\\\\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38544\" do\n title \"The system must use a reverse-path filter for IPv4 network traffic\nwhen possible by default.\"\n desc \"Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38544\"\n tag \"rid\": \"SV-50345r2_rule\"\n tag \"stig_id\": \"RHEL-06-000097\"\n tag \"fix_id\": \"F-43492r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.rp_filter\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.rp_filter\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.rp_filter\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.rp_filter=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.rp_filter = 1\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.rp_filter\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.rp_filter\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.rp_filter[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38660.rb", + "ref": "./Red Hat 6 STIG/controls/V-38544.rb", "line": 1 }, - "id": "V-38660" + "id": "V-38544" }, { - "title": "The system boot loader configuration file(s) must have mode 0600 or\nless permissive.", - "desc": "Proper permissions ensure that only the root user can modify important\nboot parameters.", + "title": "The operating system must provide a near real-time alert when any of\nthe organization defined list of compromise or potential compromise indicators\noccurs. ", + "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", "descriptions": { - "default": "Proper permissions ensure that only the root user can modify important\nboot parameters." + "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38583", - "rid": "SV-50384r4_rule", - "stig_id": "RHEL-06-000067", - "fix_id": "F-43531r3_fix", + "gtitle": "SRG-OS-000196", + "gid": "V-38700", + "rid": "SV-50501r2_rule", + "stig_id": "RHEL-06-000305", + "fix_id": "F-43649r1_fix", "cci": [ - "CCI-000366" + "CCI-001263" ], "nist": [ - "CM-6 b", + "SI-4 (5)", "Rev_4" ], "false_negatives": null, 
@@ -4933,35 +4982,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the permissions of \"/boot/grub/grub.conf\", run the\ncommand:\n\n$ sudo ls -lL /boot/grub/grub.conf\n\nIf the system uses UEFI check the permissions of\n\"/boot/efi/EFI/redhat/grub.conf\" file:\n\n$ sudo ls –lL /boot/efi/EFI/redhat/grub.conf\n\nIf properly configured, the output should indicate the following permissions:\n\"-rw-------\"\n\nIf it does not, this is a finding.", - "fix": "File permissions for \"/boot/grub/grub.conf\" and\n\"/boot/efi/EFI/redhat/grub.conf\" should be set to 600, which is the default.\n\nTo properly set the permissions of \"/boot/grub/grub.conf\", run the command:\n\n$ chmod 600 /boot/grub/grub.conf\n\nTo properly set the permissions of \"/boot/efi/EFI/redhat/grub.conf\", run the\ncommand:\n\n$ chmod 600 /boot/efi/EFI/redhat/grub.conf\n\nBoot partitions based on VFAT, NTFS, or other non-standard configurations may\nrequire alternative measures.\n" - }, - "code": "control \"V-38583\" do\n title \"The system boot loader configuration file(s) must have mode 0600 or\nless permissive.\"\n desc \"Proper permissions ensure that only the root user can modify important\nboot parameters.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38583\"\n tag \"rid\": \"SV-50384r4_rule\"\n tag \"stig_id\": \"RHEL-06-000067\"\n tag \"fix_id\": \"F-43531r3_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/boot/grub/grub.conf\\\", run the\ncommand:\n\n$ sudo ls -lL /boot/grub/grub.conf\n\nIf the system uses UEFI check the 
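Review bot: The V-38544 code describes `kernel_parameter("net.ipv4.conf.default.rp_filter")` twice, first with `should_not be_nil` and then with `should eq 1`; the second assertion already fails on a nil value, so the first block is redundant and only adds noise to the report. Merge them into one `describe kernel_parameter("net.ipv4.conf.default.rp_filter") do` block containing just `its("value") { should eq 1 }`. This is a style point in the embedded control source; the V-38700 control object begun at the end of this hunk continues into the next one.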
permissions of\n\\\"/boot/efi/EFI/redhat/grub.conf\\\" file:\n\n$ sudo ls –lL /boot/efi/EFI/redhat/grub.conf\n\nIf properly configured, the output should indicate the following permissions:\n\\\"-rw-------\\\"\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"File permissions for \\\"/boot/grub/grub.conf\\\" and\n\\\"/boot/efi/EFI/redhat/grub.conf\\\" should be set to 600, which is the default.\n\nTo properly set the permissions of \\\"/boot/grub/grub.conf\\\", run the command:\n\n$ chmod 600 /boot/grub/grub.conf\n\nTo properly set the permissions of \\\"/boot/efi/EFI/redhat/grub.conf\\\", run the\ncommand:\n\n$ chmod 600 /boot/efi/EFI/redhat/grub.conf\n\nBoot partitions based on VFAT, NTFS, or other non-standard configurations may\nrequire alternative measures.\n\"\n\n describe file(\"/boot/grub/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_readable.by \"group\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_readable.by \"other\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should be_readable.by \"owner\" }\n end\n describe file(\"/boot/grub/grub.conf\") do\n it { should be_writable.by \"owner\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_readable.by 
\"group\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_readable.by \"other\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should be_readable.by \"owner\" }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should be_writable.by \"owner\" }\n end\nend\n", + "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", + "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." + }, + "code": "control \"V-38700\" do\n title \"The operating system must provide a near real-time alert when any of\nthe organization defined list of compromise or potential compromise indicators\noccurs. 
\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000196\"\n tag \"gid\": \"V-38700\"\n tag \"rid\": \"SV-50501r2_rule\"\n tag \"stig_id\": \"RHEL-06-000305\"\n tag \"fix_id\": \"F-43649r1_fix\"\n tag \"cci\": [\"CCI-001263\"]\n tag \"nist\": [\"SI-4 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38583.rb", + "ref": "./Red Hat 6 STIG/controls/V-38700.rb", "line": 1 }, - "id": "V-38583" + "id": "V-38700" }, { - "title": "The system must have a host-based intrusion detection tool installed.", - "desc": "Adding host-based intrusion detection tools can provide the capability\nto automatically take actions in response to malicious behavior, which can\nprovide additional agility in reacting to network threats. 
These tools also\noften include a reporting capability to provide network awareness of system,\nwhich may not otherwise exist in an organization's systems management regime.", + "title": "All public directories must be owned by a system account.", + "desc": "Allowing a user account to own a world-writable directory is\nundesirable because it allows the owner of that directory to remove or replace\nany files that may be placed in the directory by other users.", "descriptions": { - "default": "Adding host-based intrusion detection tools can provide the capability\nto automatically take actions in response to malicious behavior, which can\nprovide additional agility in reacting to network threats. These tools also\noften include a reporting capability to provide network awareness of system,\nwhich may not otherwise exist in an organization's systems management regime." + "default": "Allowing a user account to own a world-writable directory is\nundesirable because it allows the owner of that directory to remove or replace\nany files that may be placed in the directory by other users." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000196", - "gid": "V-38667", - "rid": "SV-50468r3_rule", - "stig_id": "RHEL-06-000285", - "fix_id": "F-43616r3_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38699", + "rid": "SV-50500r2_rule", + "stig_id": "RHEL-06-000337", + "fix_id": "F-43648r1_fix", "cci": [ - "CCI-001263" + "CCI-000366" ], "nist": [ - "SI-4 (5)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -4974,35 +5023,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Ask the SA or ISSO if a host-based intrusion detection\napplication is loaded on the system. Per OPORD 16-0080 the preferred intrusion\ndetection system is McAfee HBSS available through Cybercom.\n\nIf another host-based intrusion detection application is in use, such as\nSELinux, this must be documented and approved by the local Authorizing Official.\n\nProcedure:\nExamine the system to see if the Host Intrusion Prevention System (HIPS) is\ninstalled:\n\n# rpm -qa | grep MFEhiplsm\n\nVerify that the McAfee HIPS module is active on the system:\n\n# ps -ef | grep -i \"hipclient\"\n\nIf the MFEhiplsm package is not installed, check for another intrusion\ndetection system:\n\n# find / -name \n\nWhere is the name of the primary application daemon to determine\nif the application is loaded on the system.\n\nDetermine if the application is active on the system:\n\n# ps -ef | grep -i \n\nIf the MFEhiplsm package is not installed and an alternate host-based intrusion\ndetection application has not been documented for use, this is a finding.\n\nIf no host-based intrusion detection system is installed and running on the\nsystem, this is a finding.\n", - "fix": "Install and enable the latest McAfee HIPS package, available from\nCybercom.\n\nIf the system does not support the McAfee HIPS package, install and enable a\nsupported intrusion detection system application and document its use with the\nAuthorizing Official.\n" + "check": "The following command will discover and print world-writable\ndirectories that are not owned by a system account, given the assumption that\nonly system accounts have a uid lower than 500. 
Run it once for each local\npartition [PART]:\n\n# find [PART] -xdev -type d -perm -0002 -uid +499 -print\n\n\nIf there is output, this is a finding.", + "fix": "All directories in local partitions which are world-writable\nshould be owned by root or another system account. If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup." }, - "code": "control \"V-38667\" do\n title \"The system must have a host-based intrusion detection tool installed.\"\n desc \"Adding host-based intrusion detection tools can provide the capability\nto automatically take actions in response to malicious behavior, which can\nprovide additional agility in reacting to network threats. These tools also\noften include a reporting capability to provide network awareness of system,\nwhich may not otherwise exist in an organization's systems management regime.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000196\"\n tag \"gid\": \"V-38667\"\n tag \"rid\": \"SV-50468r3_rule\"\n tag \"stig_id\": \"RHEL-06-000285\"\n tag \"fix_id\": \"F-43616r3_fix\"\n tag \"cci\": [\"CCI-001263\"]\n tag \"nist\": [\"SI-4 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Ask the SA or ISSO if a host-based intrusion detection\napplication is loaded on the system. 
Per OPORD 16-0080 the preferred intrusion\ndetection system is McAfee HBSS available through Cybercom.\n\nIf another host-based intrusion detection application is in use, such as\nSELinux, this must be documented and approved by the local Authorizing Official.\n\nProcedure:\nExamine the system to see if the Host Intrusion Prevention System (HIPS) is\ninstalled:\n\n# rpm -qa | grep MFEhiplsm\n\nVerify that the McAfee HIPS module is active on the system:\n\n# ps -ef | grep -i \\\"hipclient\\\"\n\nIf the MFEhiplsm package is not installed, check for another intrusion\ndetection system:\n\n# find / -name \n\nWhere is the name of the primary application daemon to determine\nif the application is loaded on the system.\n\nDetermine if the application is active on the system:\n\n# ps -ef | grep -i \n\nIf the MFEhiplsm package is not installed and an alternate host-based intrusion\ndetection application has not been documented for use, this is a finding.\n\nIf no host-based intrusion detection system is installed and running on the\nsystem, this is a finding.\n\"\n tag \"fix\": \"Install and enable the latest McAfee HIPS package, available from\nCybercom.\n\nIf the system does not support the McAfee HIPS package, install and enable a\nsupported intrusion detection system application and document its use with the\nAuthorizing Official.\n\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38699\" do\n title \"All public directories must be owned by a system account.\"\n desc \"Allowing a user account to own a world-writable directory is\nundesirable because it allows the owner of that directory to remove or replace\nany files that may be placed in the directory by other users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38699\"\n tag \"rid\": \"SV-50500r2_rule\"\n tag \"stig_id\": \"RHEL-06-000337\"\n tag \"fix_id\": \"F-43648r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag 
\"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will discover and print world-writable\ndirectories that are not owned by a system account, given the assumption that\nonly system accounts have a uid lower than 500. Run it once for each local\npartition [PART]:\n\n# find [PART] -xdev -type d -perm -0002 -uid +499 -print\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"All directories in local partitions which are world-writable\nshould be owned by root or another system account. If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup.\"\n\n dirs = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type d -perm -0002 -uid +499 -print))\n describe \"World-writable directories not owned by system account\" do\n subject { dirs.stdout.strip.split(\"\\n\") }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38667.rb", + "ref": "./Red Hat 6 STIG/controls/V-38699.rb", "line": 1 }, - "id": "V-38667" + "id": "V-38699" }, { - "title": "The audit system must be configured to audit the loading and unloading\nof dynamic kernel modules.", - "desc": "The addition/removal of kernel modules can be used to alter the\nbehavior of the kernel and potentially introduce malicious code into kernel\nspace. 
It is important to have an audit trail of modules that have been\nintroduced into the kernel.", + "title": "The operating system, upon successful logon/access, must display to\nthe user the number of unsuccessful logon/access attempts since the last\nsuccessful logon/access.", + "desc": "Users need to be aware of activity that occurs regarding their\naccount. Providing users with information regarding the number of unsuccessful\nattempts that were made to login to their account allows the user to determine\nif any unauthorized activity has occurred and gives them an opportunity to\nnotify administrators.", "descriptions": { - "default": "The addition/removal of kernel modules can be used to alter the\nbehavior of the kernel and potentially introduce malicious code into kernel\nspace. It is important to have an audit trail of modules that have been\nintroduced into the kernel." + "default": "Users need to be aware of activity that occurs regarding their\naccount. Providing users with information regarding the number of unsuccessful\nattempts that were made to login to their account allows the user to determine\nif any unauthorized activity has occurred and gives them an opportunity to\nnotify administrators." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38580", - "rid": "SV-50381r2_rule", - "stig_id": "RHEL-06-000202", - "fix_id": "F-43528r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-51875", + "rid": "SV-66089r1_rule", + "stig_id": "RHEL-06-000372", + "fix_id": "F-56701r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
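Review bot: The V-38699 code added in this hunk runs `find / -xautofs -noleaf -wholename '/proc' -prune -o ... -type d -perm -0002 -uid +499 -print` with a fixed prune list, whereas the control's own check text runs `find [PART] -xdev ...` once per local partition; without `-xdev` the scan can descend into network or other non-local mounts that are not on the prune list, which is slow and can report directories whose uids belong to a different system. Consider iterating the local mount points with `-xdev`, or at least adding a comment in the control explaining why the prune-list approach was chosen over the STIG procedure. The `-uid +499` threshold hard-codes the RHEL 6 convention that system accounts have uids below 500; reading `UID_MIN` from `/etc/login.defs` would make that assumption explicit and portable. Since this file looks like a generated InSpec export, the change belongs in `./Red Hat 6 STIG/controls/V-38699.rb` rather than here.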
@@ -5015,35 +5064,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit execution of\nmodule management programs, run the following commands:\n\n$ sudo egrep -e \"(-w |-F path=)/sbin/insmod\" /etc/audit/audit.rules\n$ sudo egrep -e \"(-w |-F path=)/sbin/rmmod\" /etc/audit/audit.rules\n$ sudo egrep -e \"(-w |-F path=)/sbin/modprobe\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nTo determine if the system is configured to audit calls to the \"init_module\"\nsystem call, run the following command:\n\n$ sudo grep -w \"init_module\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nTo determine if the system is configured to audit calls to the\n\"delete_module\" system call, run the following command:\n\n$ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf no line is returned for any of these commands, this is a finding. ", - "fix": "Add the following to \"/etc/audit/audit.rules\" in order to\ncapture kernel module loading and unloading events, setting ARCH to either b32\nor b64 as appropriate for your system:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules" + "check": "To ensure that last logon/access notification is configured\ncorrectly, run the following command:\n\n# grep pam_lastlog.so /etc/pam.d/system-auth\n\nThe output should show output \"showfailed\". If that is not the case, this is\na finding. 
", + "fix": "To configure the system to notify users of last logon/access\nusing \"pam_lastlog\", add the following line immediately after \"session\nrequired pam_limits.so\":\n\nsession required pam_lastlog.so showfailed" }, - "code": "control \"V-38580\" do\n title \"The audit system must be configured to audit the loading and unloading\nof dynamic kernel modules.\"\n desc \"The addition/removal of kernel modules can be used to alter the\nbehavior of the kernel and potentially introduce malicious code into kernel\nspace. It is important to have an audit trail of modules that have been\nintroduced into the kernel.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38580\"\n tag \"rid\": \"SV-50381r2_rule\"\n tag \"stig_id\": \"RHEL-06-000202\"\n tag \"fix_id\": \"F-43528r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit execution of\nmodule management programs, run the following commands:\n\n$ sudo egrep -e \\\"(-w |-F path=)/sbin/insmod\\\" /etc/audit/audit.rules\n$ sudo egrep -e \\\"(-w |-F path=)/sbin/rmmod\\\" /etc/audit/audit.rules\n$ sudo egrep -e \\\"(-w |-F path=)/sbin/modprobe\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nTo determine if the system is configured to audit calls to the \\\"init_module\\\"\nsystem call, run the following command:\n\n$ sudo grep -w \\\"init_module\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nTo determine if the system is configured to audit calls to 
the\n\\\"delete_module\\\" system call, run the following command:\n\n$ sudo grep -w \\\"delete_module\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf no line is returned for any of these commands, this is a finding. \"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\" in order to\ncapture kernel module loading and unloading events, setting ARCH to either b32\nor b64 as appropriate for your system:\n\n-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n-a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^(?:-w\\s+|-a\\s+(?:always,exit|exit,always)\\s+-F\\s+path=)\\/sbin\\/insmod\\s+-p\\s+[rwa]*x[rwa]*\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^(?:-w\\s+|-a\\s+(?:always,exit|exit,always)\\s+-F\\s+path=)\\/sbin\\/rmmod\\s+-p\\s+[rwa]*x[rwa]*\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^(?:-w\\s+|-a\\s+(?:always,exit|exit,always)\\s+-F\\s+path=)\\/sbin\\/modprobe\\s+-p\\s+[rwa]*x[rwa]*\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32\\s+).*(?:,|-S\\s+)delete_module(?:,|\\s+).*-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)(?:.*-F[\\s]+arch=b32\\s+).*(?:,|-S\\s+)init_module(?:,|\\s+).*-k\\s+\\S+\\s*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-51875\" do\n title \"The operating system, upon successful logon/access, must display to\nthe user the number of unsuccessful logon/access attempts since the last\nsuccessful logon/access.\"\n desc \"Users need to 
be aware of activity that occurs regarding their\naccount. Providing users with information regarding the number of unsuccessful\nattempts that were made to login to their account allows the user to determine\nif any unauthorized activity has occurred and gives them an opportunity to\nnotify administrators. \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51875\"\n tag \"rid\": \"SV-66089r1_rule\"\n tag \"stig_id\": \"RHEL-06-000372\"\n tag \"fix_id\": \"F-56701r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure that last logon/access notification is configured\ncorrectly, run the following command:\n\n# grep pam_lastlog.so /etc/pam.d/system-auth\n\nThe output should show output \\\"showfailed\\\". If that is not the case, this is\na finding. 
\"\n tag \"fix\": \"To configure the system to notify users of last logon/access\nusing \\\"pam_lastlog\\\", add the following line immediately after \\\"session\nrequired pam_limits.so\\\":\n\nsession required pam_lastlog.so showfailed\"\n\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*session\\s+(required|requisite)?\\s+pam_lastlog.so[\\s\\w\\d\\=]+showfailed/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38580.rb", + "ref": "./Red Hat 6 STIG/controls/V-51875.rb", "line": 1 }, - "id": "V-38580" + "id": "V-51875" }, { - "title": "The system must provide VPN connectivity for communications over\nuntrusted networks.", - "desc": "Providing the ability for remote users or systems to initiate a secure\nVPN connection protects information when it is transmitted over a wide area\nnetwork.", + "title": "The /etc/group file must have mode 0644 or less permissive.", + "desc": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity.", "descriptions": { - "default": "Providing the ability for remote users or systems to initiate a secure\nVPN connection protects information when it is transmitted over a wide area\nnetwork." + "default": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000160", - "gid": "V-38687", - "rid": "SV-50488r3_rule", - "stig_id": "RHEL-06-000321", - "fix_id": "F-43636r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38461", + "rid": "SV-50261r1_rule", + "stig_id": "RHEL-06-000044", + "fix_id": "F-43406r1_fix", "cci": [ - "CCI-001130" + "CCI-000366" ], "nist": [ - "SC-9", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
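Review bot: In the V-51875 code the match against `/etc/pam.d/system-auth` uses an unescaped dot in `pam_lastlog.so` and makes the control field optional via `(required|requisite)?\s+`, so a `session` line with no control field at all would still satisfy the test even though the fix text prescribes `session required pam_lastlog.so showfailed`. Tightening it to `pam_lastlog\.so` and dropping the `?` (or listing the acceptable control values explicitly) would make the regex assert what the control documents. The `\d` inside `[\s\w\d\=]+` is redundant because `\w` already covers digits. As this file appears to be a generated InSpec export, the regex fix belongs in `./Red Hat 6 STIG/controls/V-51875.rb`.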
@@ -5056,35 +5105,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system does not communicate over untrusted networks,\nthis is not applicable.\n\nRun the following command to determine if the \"libreswan\" package is\ninstalled:\n\n# rpm -q libreswan\n\nIf the package is not installed, this is a finding.", - "fix": "The \"libreswan\" package provides an implementation of IPsec and\nIKE, which permits the creation of secure tunnels over untrusted networks. The\n\"libreswan\" package can be installed with the following command:\n\n# yum install libreswan\n" + "check": "To check the permissions of \"/etc/group\", run the command:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following permissions:\n\"-rw-r--r--\"\nIf it does not, this is a finding.", + "fix": "To properly set the permissions of \"/etc/group\", run the\ncommand:\n\n# chmod 644 /etc/group" }, - "code": "control \"V-38687\" do\n title \"The system must provide VPN connectivity for communications over\nuntrusted networks.\"\n desc \"Providing the ability for remote users or systems to initiate a secure\nVPN connection protects information when it is transmitted over a wide area\nnetwork.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000160\"\n tag \"gid\": \"V-38687\"\n tag \"rid\": \"SV-50488r3_rule\"\n tag \"stig_id\": \"RHEL-06-000321\"\n tag \"fix_id\": \"F-43636r2_fix\"\n tag \"cci\": [\"CCI-001130\"]\n tag \"nist\": [\"SC-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system does not communicate over untrusted networks,\nthis is not applicable.\n\nRun the following command to determine if the 
\\\"libreswan\\\" package is\ninstalled:\n\n# rpm -q libreswan\n\nIf the package is not installed, this is a finding.\"\n tag \"fix\": \"The \\\"libreswan\\\" package provides an implementation of IPsec and\nIKE, which permits the creation of secure tunnels over untrusted networks. The\n\\\"libreswan\\\" package can be installed with the following command:\n\n# yum install libreswan\n\"\n\n describe package(\"libreswan\") do\n it { should be_installed }\n end\nend\n", + "code": "control \"V-38461\" do\n title \"The /etc/group file must have mode 0644 or less permissive.\"\n desc \"The \\\"/etc/group\\\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38461\"\n tag \"rid\": \"SV-50261r1_rule\"\n tag \"stig_id\": \"RHEL-06-000044\"\n tag \"fix_id\": \"F-43406r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/etc/group\\\", run the command:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following permissions:\n\\\"-rw-r--r--\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the permissions of \\\"/etc/group\\\", run the\ncommand:\n\n# chmod 644 /etc/group\"\n\n describe file(\"/etc/group\") do\n it { should exist }\n end\n describe file(\"/etc/group\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/etc/group\") do\n it { should be_readable.by \"group\" }\n end\n describe file(\"/etc/group\") do\n it { should_not be_writable.by 
\"group\" }\n end\n describe file(\"/etc/group\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/etc/group\") do\n it { should be_readable.by \"other\" }\n end\n describe file(\"/etc/group\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/etc/group\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/etc/group\") do\n it { should be_readable.by \"owner\" }\n end\n describe file(\"/etc/group\") do\n it { should be_writable.by \"owner\" }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38687.rb", + "ref": "./Red Hat 6 STIG/controls/V-38461.rb", "line": 1 }, - "id": "V-38687" + "id": "V-38461" }, { - "title": "A file integrity tool must be used at least weekly to check for\nunauthorized file changes, particularly the addition of unauthorized system\nlibraries or binaries, or for unauthorized modification to authorized system\nlibraries or binaries.", - "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", + "title": "The /etc/group file must be group-owned by root.", + "desc": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity.", "descriptions": { - "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." + "default": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000094", - "gid": "V-38695", - "rid": "SV-50496r2_rule", - "stig_id": "RHEL-06-000302", - "fix_id": "F-43644r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38459", + "rid": "SV-50259r1_rule", + "stig_id": "RHEL-06-000043", + "fix_id": "F-43404r1_fix", "cci": [ - "CCI-000374" + "CCI-000366" ], "nist": [ - "CM-6 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
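Review bot: The V-38461 code requires `/etc/group` to be readable by group and other (`it { should be_readable.by "group" }` and `it { should be_readable.by "other" }`), so a host hardened to 0640 or 0600 fails a control whose title is "mode 0644 or less permissive"; only the write/execute denials and the owner read/write assertions are actually mandated. Replace the ten per-bit describes with a single upper-bound check such as `describe file("/etc/group") do` / `it { should_not be_more_permissive_than("0644") }` / `end` where the InSpec version in use provides that matcher, or otherwise drop the two group/other `be_readable` assertions. None of the current assertions cover the setuid/setgid/sticky bits either, which a mode comparison would. Since this file looks like a generated InSpec export, the change belongs in `./Red Hat 6 STIG/controls/V-38461.rb`.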
@@ -5097,35 +5146,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output or if aide is not run at least weekly, this is a finding.", - "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." + "check": "To check the group ownership of \"/etc/group\", run the\ncommand:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following group-owner.\n\"root\"\nIf it does not, this is a finding.", + "fix": "To properly set the group owner of \"/etc/group\", run the\ncommand:\n\n# chgrp root /etc/group" }, - "code": "control \"V-38695\" do\n title \"A file integrity tool must be used at least weekly to check for\nunauthorized file changes, particularly the addition of unauthorized system\nlibraries or binaries, or for unauthorized modification to authorized system\nlibraries or binaries.\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000094\"\n tag \"gid\": \"V-38695\"\n tag \"rid\": \"SV-50496r2_rule\"\n tag \"stig_id\": \"RHEL-06-000302\"\n tag \"fix_id\": \"F-43644r1_fix\"\n tag \"cci\": [\"CCI-000374\"]\n tag \"nist\": [\"CM-6 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n 
tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output or if aide is not run at least weekly, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", + "code": "control \"V-38459\" do\n title \"The /etc/group file must be group-owned by root.\"\n desc \"The \\\"/etc/group\\\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38459\"\n tag \"rid\": \"SV-50259r1_rule\"\n tag \"stig_id\": \"RHEL-06-000043\"\n tag \"fix_id\": \"F-43404r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/etc/group\\\", run the\ncommand:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following group-owner.\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the group owner of \\\"/etc/group\\\", run the\ncommand:\n\n# chgrp root /etc/group\"\n\n describe file(\"/etc/group\") do\n it { should exist }\n end\n describe file(\"/etc/group\") do\n its(\"gid\") 
{ should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38695.rb", + "ref": "./Red Hat 6 STIG/controls/V-38459.rb", "line": 1 }, - "id": "V-38695" + "id": "V-38459" }, { - "title": "The system must use a Linux Security Module configured to enforce\nlimits on system services.", - "desc": "Setting the SELinux state to enforcing ensures SELinux is able to\nconfine potentially compromised processes to the security policy, which is\ndesigned to prevent them from causing damage to the system or further elevating\ntheir privileges.", + "title": "The SSH daemon must not allow host-based authentication.", + "desc": "SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts.", "descriptions": { - "default": "Setting the SELinux state to enforcing ensures SELinux is able to\nconfine potentially compromised processes to the security policy, which is\ndesigned to prevent them from causing damage to the system or further elevating\ntheir privileges." + "default": "SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-51363", - "rid": "SV-65573r1_rule", - "stig_id": "RHEL-06-000020", - "fix_id": "F-56165r1_fix", + "gtitle": "SRG-OS-000106", + "gid": "V-38612", + "rid": "SV-50413r1_rule", + "stig_id": "RHEL-06-000236", + "fix_id": "F-43560r1_fix", "cci": [ - "CCI-000366" + "CCI-000766" ], "nist": [ - "CM-6 b", + "IA-2 (2)", "Rev_4" ], "false_negatives": null, 
@@ -5138,18 +5187,18 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Check the file \"/etc/selinux/config\" and ensure the following\nline appears:\n\nSELINUX=enforcing\n\nIf SELINUX is not set to enforcing, this is a finding. ", - "fix": "The SELinux state should be set to \"enforcing\" at system boot\ntime. In the file \"/etc/selinux/config\", add or correct the following line to\nconfigure the system to boot into enforcing mode:\n\nSELINUX=enforcing" + "check": "To determine how the SSH daemon's \"HostbasedAuthentication\"\noption is set, run the following command:\n\n# grep -i HostbasedAuthentication /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"no\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.", + "fix": "SSH's cryptographic host-based authentication is more secure than\n\".rhosts\" authentication, since hosts are cryptographically authenticated.\nHowever, it is not recommended that hosts unilaterally trust one another, even\nwithin an organization.\n\nTo disable host-based authentication, add or correct the following line in\n\"/etc/ssh/sshd_config\":\n\nHostbasedAuthentication no" }, - "code": "control \"V-51363\" do\n title \"The system must use a Linux Security Module configured to enforce\nlimits on system services.\"\n desc \"Setting the SELinux state to enforcing ensures SELinux is able to\nconfine potentially compromised processes to the security policy, which is\ndesigned to prevent them from causing damage to the system or further elevating\ntheir privileges. 
\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51363\"\n tag \"rid\": \"SV-65573r1_rule\"\n tag \"stig_id\": \"RHEL-06-000020\"\n tag \"fix_id\": \"F-56165r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check the file \\\"/etc/selinux/config\\\" and ensure the following\nline appears:\n\nSELINUX=enforcing\n\nIf SELINUX is not set to enforcing, this is a finding. \"\n tag \"fix\": \"The SELinux state should be set to \\\"enforcing\\\" at system boot\ntime. In the file \\\"/etc/selinux/config\\\", add or correct the following line to\nconfigure the system to boot into enforcing mode:\n\nSELINUX=enforcing\"\n\n describe file(\"/etc/selinux/config\") do\n its(\"content\") { should match(/^[\\s]*SELINUX[\\s]*=[\\s]*(.*)[\\s]*$/) }\n end\n file(\"/etc/selinux/config\").content.to_s.scan(/^[\\s]*SELINUX[\\s]*=[\\s]*(.*)[\\s]*$/).flatten.each do |entry|\n describe entry do\n it { should eq \"enforcing\" }\n end\n end\nend\n", + "code": "control \"V-38612\" do\n title \"The SSH daemon must not allow host-based authentication.\"\n desc \"SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000106\"\n tag \"gid\": \"V-38612\"\n tag \"rid\": \"SV-50413r1_rule\"\n tag \"stig_id\": \"RHEL-06-000236\"\n tag \"fix_id\": \"F-43560r1_fix\"\n tag \"cci\": [\"CCI-000766\"]\n tag \"nist\": [\"IA-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag 
\"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"HostbasedAuthentication\\\"\noption is set, run the following command:\n\n# grep -i HostbasedAuthentication /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \\\"no\\\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"SSH's cryptographic host-based authentication is more secure than\n\\\".rhosts\\\" authentication, since hosts are cryptographically authenticated.\nHowever, it is not recommended that hosts unilaterally trust one another, even\nwithin an organization.\n\nTo disable host-based authentication, add or correct the following line in\n\\\"/etc/ssh/sshd_config\\\":\n\nHostbasedAuthentication no\"\n\n describe sshd_config do\n its('HostbasedAuthentication') { should (eq 'no').or be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-51363.rb", + "ref": "./Red Hat 6 STIG/controls/V-38612.rb", "line": 1 }, - "id": "V-51363" + "id": "V-38612" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchmod.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchownat.", "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns 
of\nabuse among both authorized and unauthorized users." @@ -5158,10 +5207,10 @@ "refs": [], "tags": { "gtitle": "SRG-OS-000064", - "gid": "V-38547", - "rid": "SV-50348r3_rule", - "stig_id": "RHEL-06-000186", - "fix_id": "F-43495r2_fix", + "gid": "V-38554", + "rid": "SV-50355r3_rule", + "stig_id": "RHEL-06-000189", + "fix_id": "F-43502r2_fix", "cci": [ "CCI-000172" ], 
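Review bot: Every control on the new side of this hunk is a Red Hat 6 STIG control (`"stig_id": "RHEL-06-000236"`, `"ref": "./Red Hat 6 STIG/controls/V-38612.rb"`), yet this asset is the Ubuntu 16.04 LTS STIG baseline, so the Ubuntu baseline will carry checks that cannot pass on Ubuntu at all (`/etc/selinux/config`, `rpm -V`, `chkconfig` in later hunks). The hunks at -5158, -5179, -5220, -5261, -5302 and -5343 show the same `RHEL-06-*` identifiers and `./Red Hat 6 STIG/` source refs. This looks like the profile export was run against the wrong controls directory, or two profiles were merged into one asset; the commit only reorders these entries rather than correcting the source. If the mix is intentional, the generator script or a README next to the asset should state it, since a consumer filtering by this file name will assume Ubuntu-only content.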
@@ -5179,35 +5228,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"fchmod\" system call, run the following command:\n\n$ sudo grep -w \"fchmod\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod" + "check": "To determine if the system is configured to audit calls to the\n\"fchownat\" system call, run the following command:\n\n$ sudo grep -w \"fchownat\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod" }, - "code": "control \"V-38547\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchmod.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38547\"\n tag \"rid\": \"SV-50348r3_rule\"\n tag \"stig_id\": \"RHEL-06-000186\"\n tag \"fix_id\": \"F-43495r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fchmod\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fchmod\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchmod(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchmod(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38554\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchownat.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38554\"\n tag \"rid\": \"SV-50355r3_rule\"\n tag \"stig_id\": \"RHEL-06-000189\"\n tag \"fix_id\": \"F-43502r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag 
\"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fchownat\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fchownat\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchownat(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchownat(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38547.rb", + "ref": "./Red Hat 6 STIG/controls/V-38554.rb", "line": 1 }, - "id": "V-38547" + "id": "V-38554" }, { - "title": "The SSH daemon must not allow host-based authentication.", - "desc": "SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts.", + "title": "The system package management tool must verify permissions on all\nfiles and directories associated with the audit package.", + "desc": "Permissions 
on audit binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.", "descriptions": { - "default": "SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts." + "default": "Permissions on audit binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000106", - "gid": "V-38612", - "rid": "SV-50413r1_rule", - "stig_id": "RHEL-06-000236", - "fix_id": "F-43560r1_fix", + "gtitle": "SRG-OS-000256", + "gid": "V-38663", + "rid": "SV-50464r1_rule", + "stig_id": "RHEL-06-000278", + "fix_id": "F-43612r1_fix", "cci": [ - "CCI-000766" + "CCI-001493" ], "nist": [ - "IA-2 (2)", + "AU-9", "Rev_4" ], "false_negatives": null, 
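Review bot: The new V-38554 `code` only asserts 32-bit rules — both `describe file("/etc/audit/audit.rules")` regexes match `-F arch=b32` — and the trailing `describe.one do ... end` is empty, so the `arch=b64` rules that the `fix` text requires on 64-bit systems are never verified; a 64-bit host passes with only b32 rules while `fchownat` calls from 64-bit binaries go unaudited. Because this JSON is an export, the correction belongs in `./Red Hat 6 STIG/controls/V-38554.rb` and a regeneration: add `arch=b64` variants of the two existing regexes, conditioned on `os.arch == 'x86_64'`, and either populate or remove the empty `describe.one`, which at best contributes nothing to the result. The same pattern is visible in the removed V-38547 and V-38565 controls, so the sibling syscall controls probably share the gap and are worth auditing together.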
@@ -5220,35 +5269,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine how the SSH daemon's \"HostbasedAuthentication\"\noption is set, run the following command:\n\n# grep -i HostbasedAuthentication /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"no\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.", - "fix": "SSH's cryptographic host-based authentication is more secure than\n\".rhosts\" authentication, since hosts are cryptographically authenticated.\nHowever, it is not recommended that hosts unilaterally trust one another, even\nwithin an organization.\n\nTo disable host-based authentication, add or correct the following line in\n\"/etc/ssh/sshd_config\":\n\nHostbasedAuthentication no" + "check": "The following command will list which audit files on the system\nhave permissions different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^.M'\n\nIf there is any output, for each file or directory found, compare the\nRPM-expected permissions with the permissions on the file or directory:\n\n# rpm -q --queryformat \"[%{FILENAMES} %{FILEMODES:perms}]\" audit | grep [filename]\n# ls -lL [filename]\n\nIf the existing permissions are more permissive than those expected by RPM,\nthis is a finding.", + "fix": "The RPM package management system can restore file access\npermissions of the audit package files and directories. 
The following command\nwill update audit files with permissions different from what is expected by the\nRPM database:\n\n# rpm --setperms audit" }, - "code": "control \"V-38612\" do\n title \"The SSH daemon must not allow host-based authentication.\"\n desc \"SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000106\"\n tag \"gid\": \"V-38612\"\n tag \"rid\": \"SV-50413r1_rule\"\n tag \"stig_id\": \"RHEL-06-000236\"\n tag \"fix_id\": \"F-43560r1_fix\"\n tag \"cci\": [\"CCI-000766\"]\n tag \"nist\": [\"IA-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"HostbasedAuthentication\\\"\noption is set, run the following command:\n\n# grep -i HostbasedAuthentication /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \\\"no\\\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"SSH's cryptographic host-based authentication is more secure than\n\\\".rhosts\\\" authentication, since hosts are cryptographically authenticated.\nHowever, it is not recommended that hosts unilaterally trust one another, even\nwithin an organization.\n\nTo disable host-based authentication, add or correct the following line in\n\\\"/etc/ssh/sshd_config\\\":\n\nHostbasedAuthentication no\"\n\n describe sshd_config do\n its('HostbasedAuthentication') { should (eq 'no').or be_nil }\n end\nend\n", + "code": "control \"V-38663\" do\n title \"The system package management tool must verify permissions on all\nfiles and directories associated with the audit 
package.\"\n desc \"Permissions on audit binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000256\"\n tag \"gid\": \"V-38663\"\n tag \"rid\": \"SV-50464r1_rule\"\n tag \"stig_id\": \"RHEL-06-000278\"\n tag \"fix_id\": \"F-43612r1_fix\"\n tag \"cci\": [\"CCI-001493\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which audit files on the system\nhave permissions different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^.M'\n\nIf there is any output, for each file or directory found, compare the\nRPM-expected permissions with the permissions on the file or directory:\n\n# rpm -q --queryformat \\\"[%{FILENAMES} %{FILEMODES:perms}\\\n]\\\" audit | grep [filename]\n# ls -lL [filename]\n\nIf the existing permissions are more permissive than those expected by RPM,\nthis is a finding.\"\n tag \"fix\": \"The RPM package management system can restore file access\npermissions of the audit package files and directories. 
The following command\nwill update audit files with permissions different from what is expected by the\nRPM database:\n\n# rpm --setperms audit\"\n\n describe command('rpm -V audit | grep \\'^.M\\'') do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38612.rb", + "ref": "./Red Hat 6 STIG/controls/V-38663.rb", "line": 1 }, - "id": "V-38612" + "id": "V-38663" }, { - "title": "The SSH daemon must set a timeout count on idle sessions.", - "desc": "This ensures a user login will be terminated as soon as the\n\"ClientAliveCountMax\" is reached.", + "title": "The SSH daemon must ignore .rhosts files.", + "desc": "SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts.", "descriptions": { - "default": "This ensures a user login will be terminated as soon as the\n\"ClientAliveCountMax\" is reached." + "default": "SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000126", - "gid": "V-38610", - "rid": "SV-50411r1_rule", - "stig_id": "RHEL-06-000231", - "fix_id": "F-43558r1_fix", + "gtitle": "SRG-OS-000106", + "gid": "V-38611", + "rid": "SV-50412r1_rule", + "stig_id": "RHEL-06-000234", + "fix_id": "F-43559r1_fix", "cci": [ - "CCI-000879" + "CCI-000766" ], "nist": [ - "MA-4 e", + "IA-2 (2)", "Rev_4" ], "false_negatives": null, 
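Review bot: The new V-38663 test, `describe command('rpm -V audit | grep \'^.M\'')` with `its('stdout.strip') { should be_empty }`, fails on any mode deviation from the RPM database, whereas the control's own `check` text only counts modes that are more permissive than expected as a finding, so a host whose audit files were deliberately tightened will report a false finding. Either document the intentional strictness in the control source, e.g. `# NOTE: any mode deviation from the RPM baseline fails here; the manual check only flags more-permissive modes`, or compare the observed mode against the `rpm -q --queryformat` output before failing. Separately, the embedded `check` tag splits the `--queryformat` argument with a backslash-newline continuation inside the Ruby string; Ruby drops it so the rendered text is unchanged, but it reads as though the format string contains a line break and is worth joining in the source `.rb`.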
@@ -5261,35 +5310,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure the SSH idle timeout will occur when the\n\"ClientAliveCountMax\" is set, run the following command:\n\n# grep ClientAliveCountMax /etc/ssh/sshd_config\n\nIf properly configured, output should be:\n\nClientAliveCountMax 0\n\n\nIf it is not, this is a finding.", - "fix": "To ensure the SSH idle timeout occurs precisely when the\n\"ClientAliveCountMax\" is set, edit \"/etc/ssh/sshd_config\" as follows:\n\nClientAliveCountMax 0" + "check": "To determine how the SSH daemon's \"IgnoreRhosts\" option is\nset, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"yes\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.", + "fix": "SSH can emulate the behavior of the obsolete rsh command in\nallowing users to enable insecure access to their accounts via \".rhosts\"\nfiles.\n\nTo ensure this behavior is disabled, add or correct the following line in\n\"/etc/ssh/sshd_config\":\n\nIgnoreRhosts yes" }, - "code": "control \"V-38610\" do\n title \"The SSH daemon must set a timeout count on idle sessions.\"\n desc \"This ensures a user login will be terminated as soon as the\n\\\"ClientAliveCountMax\\\" is reached.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000126\"\n tag \"gid\": \"V-38610\"\n tag \"rid\": \"SV-50411r1_rule\"\n tag \"stig_id\": \"RHEL-06-000231\"\n tag \"fix_id\": \"F-43558r1_fix\"\n tag \"cci\": [\"CCI-000879\"]\n tag \"nist\": [\"MA-4 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the SSH idle 
timeout will occur when the\n\\\"ClientAliveCountMax\\\" is set, run the following command:\n\n# grep ClientAliveCountMax /etc/ssh/sshd_config\n\nIf properly configured, output should be:\n\nClientAliveCountMax 0\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"To ensure the SSH idle timeout occurs precisely when the\n\\\"ClientAliveCountMax\\\" is set, edit \\\"/etc/ssh/sshd_config\\\" as follows:\n\nClientAliveCountMax 0\"\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 0 }\n end\nend\n", + "code": "control \"V-38611\" do\n title \"The SSH daemon must ignore .rhosts files.\"\n desc \"SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000106\"\n tag \"gid\": \"V-38611\"\n tag \"rid\": \"SV-50412r1_rule\"\n tag \"stig_id\": \"RHEL-06-000234\"\n tag \"fix_id\": \"F-43559r1_fix\"\n tag \"cci\": [\"CCI-000766\"]\n tag \"nist\": [\"IA-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"IgnoreRhosts\\\" option is\nset, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \\\"yes\\\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"SSH can emulate the behavior of the obsolete rsh command in\nallowing users to enable insecure access to their accounts via \\\".rhosts\\\"\nfiles.\n\nTo ensure this behavior is disabled, add or correct the following line in\n\\\"/etc/ssh/sshd_config\\\":\n\nIgnoreRhosts yes\"\n\n describe sshd_config do\n 
its('IgnoreRhosts') { should (eq 'yes').or be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38610.rb", + "ref": "./Red Hat 6 STIG/controls/V-38611.rb", "line": 1 }, - "id": "V-38610" + "id": "V-38611" }, { - "title": "The system must allow locking of graphical desktop sessions.", - "desc": "The ability to lock graphical desktop sessions manually allows users\nto easily secure their accounts should they need to depart from their\nworkstations temporarily.", + "title": "The operating system must produce audit records containing sufficient\ninformation to establish the identity of any user/subject associated with the\nevent.", + "desc": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.", "descriptions": { - "default": "The ability to lock graphical desktop sessions manually allows users\nto easily secure their accounts should they need to depart from their\nworkstations temporarily." + "default": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000030", - "gid": "V-38474", - "rid": "SV-50274r2_rule", - "stig_id": "RHEL-06-000508", - "fix_id": "F-43420r1_fix", + "gtitle": "SRG-OS-000255", + "gid": "V-38628", + "rid": "SV-50429r2_rule", + "stig_id": "RHEL-06-000145", + "fix_id": "F-43576r2_fix", "cci": [ - "CCI-000058" + "CCI-001487" ], "nist": [ - "AC-11 a", + "AU-3", "Rev_4" ], "false_negatives": null, 
@@ -5302,35 +5351,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the GConf2 package is not installed, this is not applicable.\n\nVerify the keybindings for the Gnome screensaver:\n\n# gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome_settings_daemon/keybindings/screensaver\n\nIf no output is visible, this is a finding.", - "fix": "Run the following command to set the Gnome desktop keybinding for\nlocking the screen:\n\n# gconftool-2\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type string \\\n--set /apps/gnome_settings_daemon/keybindings/screensaver \"l\"\n\nAnother keyboard sequence may be substituted for \"l\", which is\nthe default for the Gnome desktop." + "check": "Run the following command to determine the current status of\nthe \"auditd\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"auditd\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \"auditd\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start" }, - "code": "control \"V-38474\" do\n title \"The system must allow locking of graphical desktop sessions.\"\n desc \"The ability to lock graphical desktop sessions manually allows users\nto easily secure their accounts should they need to depart from their\nworkstations temporarily.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000030\"\n tag \"gid\": \"V-38474\"\n tag \"rid\": \"SV-50274r2_rule\"\n tag \"stig_id\": \"RHEL-06-000508\"\n tag \"fix_id\": \"F-43420r1_fix\"\n tag \"cci\": [\"CCI-000058\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag 
\"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nVerify the keybindings for the Gnome screensaver:\n\n# gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome_settings_daemon/keybindings/screensaver\n\nIf no output is visible, this is a finding.\"\n tag \"fix\": \"Run the following command to set the Gnome desktop keybinding for\nlocking the screen:\n\n# gconftool-2\n--direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type string \\\\\n--set /apps/gnome_settings_daemon/keybindings/screensaver \\\"l\\\"\n\nAnother keyboard sequence may be substituted for \\\"l\\\", which is\nthe default for the Gnome desktop.\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\") do\n its('stdout.strip') { should_not eq '' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-38628\" do\n title \"The operating system must produce audit records containing sufficient\ninformation to establish the identity of any user/subject associated with the\nevent.\"\n desc \"Ensuring the \\\"auditd\\\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000255\"\n tag \"gid\": \"V-38628\"\n tag \"rid\": \"SV-50429r2_rule\"\n tag \"stig_id\": \"RHEL-06-000145\"\n tag \"fix_id\": \"F-43576r2_fix\"\n tag \"cci\": [\"CCI-001487\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n 
tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"auditd\\\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \\\"auditd\\\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start\"\n\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38474.rb", + "ref": "./Red Hat 6 STIG/controls/V-38628.rb", "line": 1 }, - "id": "V-38474" + "id": "V-38628" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using setxattr.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The SSH daemon must not permit user environment settings.", + "desc": "SSH environment options potentially allow users to bypass access\nrestriction in some configurations.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the 
identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "SSH environment options potentially allow users to bypass access\nrestriction in some configurations." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38565", - "rid": "SV-50366r3_rule", - "stig_id": "RHEL-06-000196", - "fix_id": "F-43513r2_fix", + "gtitle": "SRG-OS-000242", + "gid": "V-38616", + "rid": "SV-50417r1_rule", + "stig_id": "RHEL-06-000241", + "fix_id": "F-43565r1_fix", "cci": [ - "CCI-000172" + "CCI-001414" ], "nist": [ - "AU-12 c", + "AC-4", "Rev_4" ], "false_negatives": null, 
@@ -5343,35 +5392,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"setxattr\" system call, run the following command:\n\n$ sudo grep -w \"setxattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod" + "check": "To ensure users are not able to present environment daemons,\nrun the following command:\n\n# grep PermitUserEnvironment /etc/ssh/sshd_config\n\nIf properly configured, output should be:\n\nPermitUserEnvironment no\n\n\nIf it is not, this is a finding.", + "fix": "To ensure users are not able to present environment options to\nthe SSH daemon, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nPermitUserEnvironment no" }, - "code": "control \"V-38565\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using setxattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38565\"\n tag \"rid\": \"SV-50366r3_rule\"\n tag \"stig_id\": \"RHEL-06-000196\"\n tag 
\"fix_id\": \"F-43513r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"setxattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"setxattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)setxattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)setxattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38616\" do\n title \"The SSH daemon must not permit user environment settings.\"\n desc \"SSH 
environment options potentially allow users to bypass access\nrestriction in some configurations.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000242\"\n tag \"gid\": \"V-38616\"\n tag \"rid\": \"SV-50417r1_rule\"\n tag \"stig_id\": \"RHEL-06-000241\"\n tag \"fix_id\": \"F-43565r1_fix\"\n tag \"cci\": [\"CCI-001414\"]\n tag \"nist\": [\"AC-4\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure users are not able to present environment daemons,\nrun the following command:\n\n# grep PermitUserEnvironment /etc/ssh/sshd_config\n\nIf properly configured, output should be:\n\nPermitUserEnvironment no\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"To ensure users are not able to present environment options to\nthe SSH daemon, add or correct the following line in \\\"/etc/ssh/sshd_config\\\":\n\nPermitUserEnvironment no\"\n\n describe sshd_config do\n its('PermitUserEnvironment') { should eq 'no' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38565.rb", + "ref": "./Red Hat 6 STIG/controls/V-38616.rb", "line": 1 }, - "id": "V-38565" + "id": "V-38616" }, { - "title": "The Reliable Datagram Sockets (RDS) protocol must be disabled unless\nrequired.", - "desc": "Disabling RDS protects the system against exploitation of any flaws in\nits implementation.", + "title": "The system clock must be synchronized to an authoritative DoD time\nsource.", + "desc": "Synchronizing with an NTP server makes it possible to collate system\nlogs from multiple sources or correlate computer events with real time events.\nUsing a trusted NTP server provided by your organization is recommended.", "descriptions": { - "default": "Disabling RDS protects the 
system against exploitation of any flaws in\nits implementation." + "default": "Synchronizing with an NTP server makes it possible to collate system\nlogs from multiple sources or correlate computer events with real time events.\nUsing a trusted NTP server provided by your organization is recommended." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38516", - "rid": "SV-50317r3_rule", - "stig_id": "RHEL-06-000126", - "fix_id": "F-43463r4_fix", + "gtitle": "SRG-OS-000056", + "gid": "V-38621", + "rid": "SV-50422r1_rule", + "stig_id": "RHEL-06-000248", + "fix_id": "F-43570r1_fix", "cci": [ - "CCI-000382" + "CCI-000160" ], "nist": [ - "CM-7 b", + "AU-8 (1)", "Rev_4" ], "false_negatives": null, 
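Review bot: `its('PermitUserEnvironment') { should eq 'no' }` in the new V-38616 code is a case-sensitive comparison, while sshd reads keyword values case-insensitively, so a compliant `PermitUserEnvironment No` would be reported as a finding; `its('PermitUserEnvironment') { should cmp 'no' }` gives the case-insensitive match InSpec provides for this purpose. The new check text also reads "present environment daemons" where the fix text and the title speak of environment options presented to the daemon, which looks like a transcription slip worth confirming against the upstream STIG wording. The V-38621 object that begins at the end of this hunk continues past it.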
@@ -5384,15 +5433,56 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is configured to prevent the loading of the\n\"rds\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated \"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r rds /etc/modprobe.conf /etc/modprobe.d\n\nIf no line is returned, this is a finding.", - "fix": "The Reliable Datagram Sockets (RDS) protocol is a transport layer\nprotocol designed to provide reliable high-bandwidth, low-latency\ncommunications between nodes in a cluster. To configure the system to prevent\nthe \"rds\" kernel module from being loaded, add the following line to a file\nin the directory \"/etc/modprobe.d\":\n\ninstall rds /bin/true" + "check": "A remote NTP server should be configured for time\nsynchronization. To verify one is configured, open the following file.\n\n/etc/ntp.conf\n\nIn the file, there should be a section similar to the following:\n\n# --- OUR TIMESERVERS -----\nserver [ntpserver]\n\n\nIf this is not the case, this is a finding.", + "fix": "To specify a remote NTP server for time synchronization, edit the\nfile \"/etc/ntp.conf\". Add or correct the following lines, substituting the IP\nor hostname of a remote NTP server for ntpserver.\n\nserver [ntpserver]\n\nThis instructs the NTP software to contact that remote server to obtain time\ndata." 
}, - "code": "control \"V-38516\" do\n title \"The Reliable Datagram Sockets (RDS) protocol must be disabled unless\nrequired.\"\n desc \"Disabling RDS protects the system against exploitation of any flaws in\nits implementation.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38516\"\n tag \"rid\": \"SV-50317r3_rule\"\n tag \"stig_id\": \"RHEL-06-000126\"\n tag \"fix_id\": \"F-43463r4_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"rds\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated \\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r rds /etc/modprobe.conf /etc/modprobe.d\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The Reliable Datagram Sockets (RDS) protocol is a transport layer\nprotocol designed to provide reliable high-bandwidth, low-latency\ncommunications between nodes in a cluster. 
To configure the system to prevent\nthe \\\"rds\\\" kernel module from being loaded, add the following line to a file\nin the directory \\\"/etc/modprobe.d\\\":\n\ninstall rds /bin/true\"\n\n describe kernel_module('rds') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\n \nend\n", + "code": "control \"V-38621\" do\n title \"The system clock must be synchronized to an authoritative DoD time\nsource.\"\n desc \"Synchronizing with an NTP server makes it possible to collate system\nlogs from multiple sources or correlate computer events with real time events.\nUsing a trusted NTP server provided by your organization is recommended.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000056\"\n tag \"gid\": \"V-38621\"\n tag \"rid\": \"SV-50422r1_rule\"\n tag \"stig_id\": \"RHEL-06-000248\"\n tag \"fix_id\": \"F-43570r1_fix\"\n tag \"cci\": [\"CCI-000160\"]\n tag \"nist\": [\"AU-8 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"A remote NTP server should be configured for time\nsynchronization. To verify one is configured, open the following file.\n\n/etc/ntp.conf\n\nIn the file, there should be a section similar to the following:\n\n# --- OUR TIMESERVERS -----\nserver [ntpserver]\n\n\nIf this is not the case, this is a finding.\"\n tag \"fix\": \"To specify a remote NTP server for time synchronization, edit the\nfile \\\"/etc/ntp.conf\\\". 
Add or correct the following lines, substituting the IP\nor hostname of a remote NTP server for ntpserver.\n\nserver [ntpserver]\n\nThis instructs the NTP software to contact that remote server to obtain time\ndata.\"\n\n describe file(\"/etc/ntp.conf\") do\n its(\"content\") { should match(/^[\\s]*server[\\s]+.+$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38516.rb", + "ref": "./Red Hat 6 STIG/controls/V-38621.rb", "line": 1 }, - "id": "V-38516" + "id": "V-38621" + }, + { + "title": "The audit system must provide a warning when allocated audit record\nstorage volume reaches a documented percentage of maximum audit record storage\ncapacity.", + "desc": "Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption.", + "descriptions": { + "default": "Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption." + }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-OS-000048", + "gid": "V-38678", + "rid": "SV-50479r2_rule", + "stig_id": "RHEL-06-000311", + "fix_id": "F-43627r2_fix", + "cci": [ + "CCI-000143" + ], + "nist": [ + "AU-5 (1)", + "Rev_4" + ], + "false_negatives": null, + "false_positives": null, + "documentable": false, + "mitigations": null, + "severity_override_guidance": false, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_controls": null, + "responsibility": null, + "ia_controls": null, + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine whether the system is configured to email the administrator\nwhen disk space is starting to run low:\n\n# grep space_left /etc/audit/auditd.conf\n\nspace_left = [num_megabytes]\n\n\nIf the \"num_megabytes\" value does not correspond to a documented value for\nremaining audit partition capacity or if there is no locally documented value\nfor remaining audit partition capacity, this 
is a finding.", + "fix": "The \"auditd\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify\nthe following line, substituting [num_megabytes] appropriately:\n\nspace_left = [num_megabytes]\n\nThe \"num_megabytes\" value should be set to a fraction of the total audit\nstorage capacity available that will allow a system administrator to be\nnotified with enough time to respond to the situation causing the capacity\nissues. This value must also be documented locally." + }, + "code": "control \"V-38678\" do\n title \"The audit system must provide a warning when allocated audit record\nstorage volume reaches a documented percentage of maximum audit record storage\ncapacity.\"\n desc \"Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000048\"\n tag \"gid\": \"V-38678\"\n tag \"rid\": \"SV-50479r2_rule\"\n tag \"stig_id\": \"RHEL-06-000311\"\n tag \"fix_id\": \"F-43627r2_fix\"\n tag \"cci\": [\"CCI-000143\"]\n tag \"nist\": [\"AU-5 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine whether the system is configured to email the administrator\nwhen disk space is starting to run low:\n\n# grep space_left /etc/audit/auditd.conf\n\nspace_left = [num_megabytes]\n\n\nIf the \\\"num_megabytes\\\" value does not correspond to a documented value for\nremaining audit partition capacity or if there is no locally documented value\nfor remaining audit partition capacity, this is a finding.\"\n tag \"fix\": 
\"The \\\"auditd\\\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \\\"/etc/audit/auditd.conf\\\". Modify\nthe following line, substituting [num_megabytes] appropriately:\n\nspace_left = [num_megabytes]\n\nThe \\\"num_megabytes\\\" value should be set to a fraction of the total audit\nstorage capacity available that will allow a system administrator to be\nnotified with enough time to respond to the situation causing the capacity\nissues. This value must also be documented locally.\"\n\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('space_left') { should cmp input('auditd_space_left') }\n end\nend\n", + "source_location": { + "ref": "./Red Hat 6 STIG/controls/V-38678.rb", + "line": 1 + }, + "id": "V-38678" }, { "title": "Users must not be able to change passwords more than once every 24\nhours.", 
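Review bot: `its('space_left') { should cmp input('auditd_space_left') }` in the new V-38678 code references an input that is not declared anywhere in this hunk; unless the profile defines `auditd_space_left` with the locally documented threshold, InSpec has nothing to compare against and the control cannot yield the pass/fail the check text describes, so the input should be declared in the profile's inputs with its unit (megabytes) stated. In the new V-38621 code, `/^[\s]*server[\s]+.+$/` is satisfied by any uncommented server line, including the local-clock pseudo-address `server 127.127.1.0`, which is not a remote authoritative source; a pattern that excludes `127.127.` addresses would track the control's intent more closely. The V-38621 object begins before this hunk.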
@@ -5436,24 +5526,24 @@ "id": "V-38477" }, { - "title": "The system package management tool must verify ownership on all files\nand directories associated with packages.", - "desc": "Ownership of system binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated.", + "title": "All system command files must be owned by root.", + "desc": "System binaries are executed by privileged users as well as system\nservices, and restrictive permissions are necessary to ensure that their\nexecution of these programs cannot be co-opted.", "descriptions": { - "default": "Ownership of system binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated." + "default": "System binaries are executed by privileged users as well as system\nservices, and restrictive permissions are necessary to ensure that their\nexecution of these programs cannot be co-opted." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38454", - "rid": "SV-50254r2_rule", - "stig_id": "RHEL-06-000516", - "fix_id": "F-43400r1_fix", + "gtitle": "SRG-OS-000259", + "gid": "V-38472", + "rid": "SV-50272r1_rule", + "stig_id": "RHEL-06-000048", + "fix_id": "F-43417r1_fix", "cci": [ - "CCI-000366" + "CCI-001499" ], "nist": [ - "CM-6 b", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
@@ -5466,30 +5556,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will list which files on the system have\nownership different from what is expected by the RPM database:\n\n# rpm -Va | grep '^.....U'\n\n\nIf any output is produced, verify that the changes were due to STIG application\nand have been documented with the ISSO.\n\nIf any output has not been documented with the ISSO, this is a finding.\n", - "fix": "The RPM package management system can restore ownership of\npackage files and directories. The following command will update files and\ndirectories with ownership different from what is expected by the RPM database:\n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]" + "check": "System executables are stored in the following directories by\ndefault:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nAll files in these directories should not be group-writable or world-writable.\nTo find system executables that are not owned by \"root\", run the following\ncommand for each directory [DIR] which contains system executables:\n\n$ find -L [DIR] \\! -user root\n\n\nIf any system executables are found to not be owned by root, this is a finding.", + "fix": "System executables are stored in the following directories by\ndefault:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file [FILE] in these directories is found to be owned by a user other\nthan root, correct its ownership with the following command:\n\n# chown root [FILE]" }, - "code": "control \"V-38454\" do\n title \"The system package management tool must verify ownership on all files\nand directories associated with packages.\"\n desc \"Ownership of system binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. 
Any deviations from this\nbaseline should be investigated.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38454\"\n tag \"rid\": \"SV-50254r2_rule\"\n tag \"stig_id\": \"RHEL-06-000516\"\n tag \"fix_id\": \"F-43400r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which files on the system have\nownership different from what is expected by the RPM database:\n\n# rpm -Va | grep '^.....U'\n\n\nIf any output is produced, verify that the changes were due to STIG application\nand have been documented with the ISSO.\n\nIf any output has not been documented with the ISSO, this is a finding.\n\"\n tag \"fix\": \"The RPM package management system can restore ownership of\npackage files and directories. 
The following command will update files and\ndirectories with ownership different from what is expected by the RPM database:\n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]\"\n\n describe command(\"rpm -Va | grep '^.....U'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38472\" do\n title \"All system command files must be owned by root.\"\n desc \"System binaries are executed by privileged users as well as system\nservices, and restrictive permissions are necessary to ensure that their\nexecution of these programs cannot be co-opted.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000259\"\n tag \"gid\": \"V-38472\"\n tag \"rid\": \"SV-50272r1_rule\"\n tag \"stig_id\": \"RHEL-06-000048\"\n tag \"fix_id\": \"F-43417r1_fix\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"System executables are stored in the following directories by\ndefault:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nAll files in these directories should not be group-writable or world-writable.\nTo find system executables that are not owned by \\\"root\\\", run the following\ncommand for each directory [DIR] which contains system executables:\n\n$ find -L [DIR] \\\\! 
-user root\n\n\nIf any system executables are found to not be owned by root, this is a finding.\"\n tag \"fix\": \"System executables are stored in the following directories by\ndefault:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file [FILE] in these directories is found to be owned by a user other\nthan root, correct its ownership with the following command:\n\n# chown root [FILE]\"\n\n dirs = [\"/bin\", \"/usr/bin\", \"/usr/local/bin\", \"/sbin\", \"/usr/sbin\", \"/usr/local/sbin\"]\n dirs.each do |d|\n describe command(\"find -L #{d} \\\\! -user root\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38454.rb", + "ref": "./Red Hat 6 STIG/controls/V-38472.rb", "line": 1 }, - "id": "V-38454" + "id": "V-38472" }, { - "title": "The audit system must be configured to audit modifications to the\nsystems Mandatory Access Control (MAC) configuration (SELinux).", - "desc": "The system's mandatory access policy (SELinux) should not be\narbitrarily changed by anything other than administrator action. All changes to\nMAC policy should be audited.", + "title": "The system must use a separate file system for /tmp.", + "desc": "The \"/tmp\" partition is used as temporary storage by many programs.\nPlacing \"/tmp\" in its own partition enables the setting of more restrictive\nmount options, which can help protect programs which use it.", "descriptions": { - "default": "The system's mandatory access policy (SELinux) should not be\narbitrarily changed by anything other than administrator action. All changes to\nMAC policy should be audited." + "default": "The \"/tmp\" partition is used as temporary storage by many programs.\nPlacing \"/tmp\" in its own partition enables the setting of more restrictive\nmount options, which can help protect programs which use it." 
}, "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38541", - "rid": "SV-50342r2_rule", - "stig_id": "RHEL-06-000183", - "fix_id": "F-43489r1_fix", + "gid": "V-38455", + "rid": "SV-50255r1_rule", + "stig_id": "RHEL-06-000001", + "fix_id": "F-43387r1_fix", "cci": [ "CCI-000366" ], 
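Review bot: The per-directory `describe command("find -L #{d} \\! -user root")` in the new V-38472 code asserts only that stdout is empty, so a `find` that fails outright — a missing directory, or a permission error when the scan is not run as root — also produces empty stdout and passes, hiding the fact that the directory was never inspected. Adding `its('exit_status') { should eq 0 }` to the same describe block turns a failed scan into a failure instead of a silent pass. The new check text also carries the sentence about group- and world-writable files, which this control does not test and which looks copied from the neighbouring permissions control; that is worth confirming against the upstream STIG. The V-38455 object that starts at the end of this hunk continues past it.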
@@ -5507,35 +5597,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit changes to\nits SELinux configuration files, run the following command:\n\n$ sudo grep -w \"/etc/selinux\" /etc/audit/audit.rules\n\nIf the system is configured to watch for changes to its SELinux configuration,\na line should be returned (including \"-p wa\" indicating permissions that are\nwatched).\n\nIf the system is not configured to audit attempts to change the MAC policy,\nthis is a finding.", - "fix": "Add the following to \"/etc/audit/audit.rules\":\n\n-w /etc/selinux/ -p wa -k MAC-policy" + "check": "Run the following command to determine if \"/tmp\" is on its\nown partition or logical volume:\n\n$ mount | grep \"on /tmp \"\n\nIf \"/tmp\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.", + "fix": "The \"/tmp\" directory is a world-writable directory used for\ntemporary file storage. Ensure it has its own partition or logical volume at\ninstallation time, or migrate it using LVM." }, - "code": "control \"V-38541\" do\n title \"The audit system must be configured to audit modifications to the\nsystems Mandatory Access Control (MAC) configuration (SELinux).\"\n desc \"The system's mandatory access policy (SELinux) should not be\narbitrarily changed by anything other than administrator action. 
All changes to\nMAC policy should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38541\"\n tag \"rid\": \"SV-50342r2_rule\"\n tag \"stig_id\": \"RHEL-06-000183\"\n tag \"fix_id\": \"F-43489r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit changes to\nits SELinux configuration files, run the following command:\n\n$ sudo grep -w \\\"/etc/selinux\\\" /etc/audit/audit.rules\n\nIf the system is configured to watch for changes to its SELinux configuration,\na line should be returned (including \\\"-p wa\\\" indicating permissions that are\nwatched).\n\nIf the system is not configured to audit attempts to change the MAC policy,\nthis is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\":\n\n-w /etc/selinux/ -p wa -k MAC-policy\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/selinux\\/\\s+\\-p\\s+wa\\s+\\-k\\s+[-\\w]+\\s*$/) }\n end\nend\n", + "code": "control \"V-38455\" do\n title \"The system must use a separate file system for /tmp.\"\n desc \"The \\\"/tmp\\\" partition is used as temporary storage by many programs.\nPlacing \\\"/tmp\\\" in its own partition enables the setting of more restrictive\nmount options, which can help protect programs which use it.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38455\"\n tag \"rid\": \"SV-50255r1_rule\"\n tag \"stig_id\": \"RHEL-06-000001\"\n tag \"fix_id\": \"F-43387r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag 
\"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/tmp\\\" is on its\nown partition or logical volume:\n\n$ mount | grep \\\"on /tmp \\\"\n\nIf \\\"/tmp\\\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The \\\"/tmp\\\" directory is a world-writable directory used for\ntemporary file storage. Ensure it has its own partition or logical volume at\ninstallation time, or migrate it using LVM.\"\n\n describe mount(\"/tmp\") do\n it { should be_mounted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38541.rb", + "ref": "./Red Hat 6 STIG/controls/V-38455.rb", "line": 1 }, - "id": "V-38541" + "id": "V-38455" }, { - "title": "A file integrity tool must be installed.", - "desc": "The AIDE package must be installed if it is to be available for\nintegrity checking.", + "title": "The system must have a host-based intrusion detection tool installed.", + "desc": "Adding host-based intrusion detection tools can provide the capability\nto automatically take actions in response to malicious behavior, which can\nprovide additional agility in reacting to network threats. These tools also\noften include a reporting capability to provide network awareness of system,\nwhich may not otherwise exist in an organization's systems management regime.", "descriptions": { - "default": "The AIDE package must be installed if it is to be available for\nintegrity checking." 
+ "default": "Adding host-based intrusion detection tools can provide the capability\nto automatically take actions in response to malicious behavior, which can\nprovide additional agility in reacting to network threats. These tools also\noften include a reporting capability to provide network awareness of system,\nwhich may not otherwise exist in an organization's systems management regime." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000232", - "gid": "V-38489", - "rid": "SV-50290r1_rule", - "stig_id": "RHEL-06-000016", - "fix_id": "F-43436r1_fix", + "gtitle": "SRG-OS-000196", + "gid": "V-38667", + "rid": "SV-50468r3_rule", + "stig_id": "RHEL-06-000285", + "fix_id": "F-43616r3_fix", "cci": [ - "CCI-001069" + "CCI-001263" ], "nist": [ - "RA-5 (7)", + "SI-4 (5)", "Rev_4" ], "false_negatives": null, 
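Review bot: `describe mount("/tmp") do it { should be_mounted } end` in the new V-38455 code passes for anything listed at /tmp in the mount table, including a tmpfs or a bind mount, so it tests the same condition as the STIG's `mount | grep "on /tmp "` but not the stricter "own partition or logical volume" wording of the title; if the stricter reading is intended, a second expectation on the resource's `device` or `type` would narrow it. A one-line comment in the control noting that the looser mount-table test is deliberate would save the next reader the same question. The V-38667 object that begins at the end of this hunk continues past it.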
@@ -5548,35 +5638,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If another file integrity tool is installed, this is not a\nfinding.\n\nRun the following command to determine if the \"aide\" package is installed:\n\n# rpm -q aide\n\n\nIf the package is not installed, this is a finding.", - "fix": "Install the AIDE package with the command:\n\n# yum install aide" + "check": "Ask the SA or ISSO if a host-based intrusion detection\napplication is loaded on the system. Per OPORD 16-0080 the preferred intrusion\ndetection system is McAfee HBSS available through Cybercom.\n\nIf another host-based intrusion detection application is in use, such as\nSELinux, this must be documented and approved by the local Authorizing Official.\n\nProcedure:\nExamine the system to see if the Host Intrusion Prevention System (HIPS) is\ninstalled:\n\n# rpm -qa | grep MFEhiplsm\n\nVerify that the McAfee HIPS module is active on the system:\n\n# ps -ef | grep -i \"hipclient\"\n\nIf the MFEhiplsm package is not installed, check for another intrusion\ndetection system:\n\n# find / -name \n\nWhere is the name of the primary application daemon to determine\nif the application is loaded on the system.\n\nDetermine if the application is active on the system:\n\n# ps -ef | grep -i \n\nIf the MFEhiplsm package is not installed and an alternate host-based intrusion\ndetection application has not been documented for use, this is a finding.\n\nIf no host-based intrusion detection system is installed and running on the\nsystem, this is a finding.\n", + "fix": "Install and enable the latest McAfee HIPS package, available from\nCybercom.\n\nIf the system does not support the McAfee HIPS package, install and enable a\nsupported intrusion detection system application and document its use with the\nAuthorizing Official.\n" }, - "code": "control \"V-38489\" do\n title \"A file integrity tool must be installed.\"\n desc \"The AIDE package must be installed if it is 
to be available for\nintegrity checking.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000232\"\n tag \"gid\": \"V-38489\"\n tag \"rid\": \"SV-50290r1_rule\"\n tag \"stig_id\": \"RHEL-06-000016\"\n tag \"fix_id\": \"F-43436r1_fix\"\n tag \"cci\": [\"CCI-001069\"]\n tag \"nist\": [\"RA-5 (7)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If another file integrity tool is installed, this is not a\nfinding.\n\nRun the following command to determine if the \\\"aide\\\" package is installed:\n\n# rpm -q aide\n\n\nIf the package is not installed, this is a finding.\"\n tag \"fix\": \"Install the AIDE package with the command:\n\n# yum install aide\"\n\n describe package(\"aide\") do\n it { should be_installed }\n end\nend\n", + "code": "control \"V-38667\" do\n title \"The system must have a host-based intrusion detection tool installed.\"\n desc \"Adding host-based intrusion detection tools can provide the capability\nto automatically take actions in response to malicious behavior, which can\nprovide additional agility in reacting to network threats. 
These tools also\noften include a reporting capability to provide network awareness of system,\nwhich may not otherwise exist in an organization's systems management regime.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000196\"\n tag \"gid\": \"V-38667\"\n tag \"rid\": \"SV-50468r3_rule\"\n tag \"stig_id\": \"RHEL-06-000285\"\n tag \"fix_id\": \"F-43616r3_fix\"\n tag \"cci\": [\"CCI-001263\"]\n tag \"nist\": [\"SI-4 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Ask the SA or ISSO if a host-based intrusion detection\napplication is loaded on the system. Per OPORD 16-0080 the preferred intrusion\ndetection system is McAfee HBSS available through Cybercom.\n\nIf another host-based intrusion detection application is in use, such as\nSELinux, this must be documented and approved by the local Authorizing Official.\n\nProcedure:\nExamine the system to see if the Host Intrusion Prevention System (HIPS) is\ninstalled:\n\n# rpm -qa | grep MFEhiplsm\n\nVerify that the McAfee HIPS module is active on the system:\n\n# ps -ef | grep -i \\\"hipclient\\\"\n\nIf the MFEhiplsm package is not installed, check for another intrusion\ndetection system:\n\n# find / -name \n\nWhere is the name of the primary application daemon to determine\nif the application is loaded on the system.\n\nDetermine if the application is active on the system:\n\n# ps -ef | grep -i \n\nIf the MFEhiplsm package is not installed and an alternate host-based intrusion\ndetection application has not been documented for use, this is a finding.\n\nIf no host-based intrusion detection system is installed and running on the\nsystem, this is a finding.\n\"\n tag \"fix\": \"Install and enable the latest McAfee HIPS 
package, available from\nCybercom.\n\nIf the system does not support the McAfee HIPS package, install and enable a\nsupported intrusion detection system application and document its use with the\nAuthorizing Official.\n\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38489.rb", + "ref": "./Red Hat 6 STIG/controls/V-38667.rb", "line": 1 }, - "id": "V-38489" + "id": "V-38667" }, { - "title": "The system must ignore ICMPv4 bogus error responses.", - "desc": "Ignoring bogus ICMP error responses reduces log size, although some\nactivity would not be logged.", + "title": "The system must require passwords to contain at least one special\ncharacter.", + "desc": "Requiring a minimum number of special characters makes password\nguessing attacks more difficult by ensuring a larger search space.", "descriptions": { - "default": "Ignoring bogus ICMP error responses reduces log size, although some\nactivity would not be logged." + "default": "Requiring a minimum number of special characters makes password\nguessing attacks more difficult by ensuring a larger search space." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38537", - "rid": "SV-50338r2_rule", - "stig_id": "RHEL-06-000093", - "fix_id": "F-43485r1_fix", + "gtitle": "SRG-OS-000266", + "gid": "V-38570", + "rid": "SV-50371r2_rule", + "stig_id": "RHEL-06-000058", + "fix_id": "F-43518r2_fix", "cci": [ - "CCI-000366" + "CCI-001619" ], "nist": [ - "CM-6 b", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
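Review bot: The V-38667 `check` text added in this hunk has lost its placeholder tokens — `# find / -name ` and `# ps -ef | grep -i ` carry no argument, and `Where is the name of the primary application daemon` is missing its subject — which looks like an angle-bracketed placeholder (likely `<daemon_name>`) stripped as markup during conversion, so the string should be regenerated with the placeholder restored in both `descriptions.check` and the duplicate inside `code`. Separately, the control body is an unconditional `skip "This control must be reviewed manually"`, so it never fails even when nothing is installed; it could assert `package("MFEhiplsm")` is installed and a `hipclient` process is running, falling back to the manual skip only when an input names a documented alternate HIDS. The V-38570 control whose header starts at the end of this hunk continues outside it.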
@@ -5589,30 +5679,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the\n\"net.ipv4.icmp_ignore_bogus_error_responses\" kernel parameter can be queried\nby running the following command:\n\n$ sysctl net.ipv4.icmp_ignore_bogus_error_responses\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.icmp_ignore_bogus_error_responses\" kernel parameter, run the\nfollowing command:\n\n# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.icmp_ignore_bogus_error_responses = 1" + "check": "To check how many special characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"ocredit\" parameter (as a negative number) will indicate how many\nspecial characters are required. The DoD requires at least one special\ncharacter in a password. This would appear as \"ocredit=-1\".\n\nIf \"ocredit\" is not found or not set to the required value, this is a finding.", + "fix": "The pam_cracklib module's \"ocredit=\" parameter controls\nrequirements for usage of special (or \"other\") characters in a password. When\nset to a negative number, any password will be required to contain that many\nspecial characters. When set to a positive number, pam_cracklib will grant +1\nadditional length credit for each special character.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"ocredit=-1\"\nafter pam_cracklib.so to require use of a special character in passwords." 
}, - "code": "control \"V-38537\" do\n title \"The system must ignore ICMPv4 bogus error responses.\"\n desc \"Ignoring bogus ICMP error responses reduces log size, although some\nactivity would not be logged.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38537\"\n tag \"rid\": \"SV-50338r2_rule\"\n tag \"stig_id\": \"RHEL-06-000093\"\n tag \"fix_id\": \"F-43485r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the\n\\\"net.ipv4.icmp_ignore_bogus_error_responses\\\" kernel parameter can be queried\nby running the following command:\n\n$ sysctl net.ipv4.icmp_ignore_bogus_error_responses\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.icmp_ignore_bogus_error_responses\\\" kernel parameter, run the\nfollowing command:\n\n# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\"\n\n describe kernel_parameter(\"net.ipv4.icmp_ignore_bogus_error_responses\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.icmp_ignore_bogus_error_responses\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.icmp_ignore_bogus_error_responses[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38570\" do\n title \"The system must require passwords to contain at least one special\ncharacter.\"\n desc \"Requiring a minimum number of special characters makes password\nguessing attacks more difficult by ensuring a larger search space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000266\"\n tag \"gid\": \"V-38570\"\n tag \"rid\": \"SV-50371r2_rule\"\n tag \"stig_id\": \"RHEL-06-000058\"\n tag \"fix_id\": \"F-43518r2_fix\"\n tag \"cci\": [\"CCI-001619\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many special characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"ocredit\\\" parameter (as a negative number) will indicate how many\nspecial characters are required. The DoD requires at least one special\ncharacter in a password. 
This would appear as \\\"ocredit=-1\\\".\n\nIf \\\"ocredit\\\" is not found or not set to the required value, this is a finding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"ocredit=\\\" parameter controls\nrequirements for usage of special (or \\\"other\\\") characters in a password. When\nset to a negative number, any password will be required to contain that many\nspecial characters. When set to a positive number, pam_cracklib will grant +1\nadditional length credit for each special character.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"ocredit=-1\\\"\nafter pam_cracklib.so to require use of a special character in passwords.\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ocredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ocredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ocredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ocredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should 
match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ocredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+ocredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ocredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+ocredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38537.rb", + "ref": "./Red Hat 6 STIG/controls/V-38570.rb", "line": 1 }, - "id": "V-38537" + "id": "V-38570" }, { - "title": "All GIDs referenced in /etc/passwd must be defined in /etc/group", - "desc": "Inconsistency in GIDs between /etc/passwd and /etc/group could lead to\na user having unintended rights.", + "title": "The system package management tool must verify contents of all files\nassociated with packages.", + "desc": "The hash on important files like system executables should match the\ninformation given by the RPM database. Executables with erroneous hashes could\nbe a sign of nefarious activity on the system.", "descriptions": { - "default": "Inconsistency in GIDs between /etc/passwd and /etc/group could lead to\na user having unintended rights." 
+ "default": "The hash on important files like system executables should match the\ninformation given by the RPM database. Executables with erroneous hashes could\nbe a sign of nefarious activity on the system." }, "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38681", - "rid": "SV-50482r2_rule", - "stig_id": "RHEL-06-000294", - "fix_id": "F-43630r1_fix", + "gid": "V-38447", + "rid": "SV-50247r4_rule", + "stig_id": "RHEL-06-000519", + "fix_id": "F-43392r5_fix", "cci": [ "CCI-000366" ], 
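Review bot: The V-38570 `fix` text tells the operator to edit `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` directly, but if authconfig manages the host those files are typically symlinks to the `-ac` variants and are rewritten on the next authconfig run, silently dropping `ocredit=-1` and turning a passing control back into a finding; a one-line caveat such as `If authconfig manages these files, apply the change to system-auth-ac and password-auth-ac (or a local copy) so it survives authconfig runs.` belongs in the fix text. The InSpec body is otherwise sound: the `describe.one` regexes are anchored at `^\s*password`, so commented-out `pam_cracklib.so` lines are ignored, and `cmp >= 1` on the captured digit accepts any `ocredit=-N` with N ≥ 1. Note that the regexes only recognise `pam_cracklib.so`, which is correct for RHEL 6; a profile reused on a `pam_pwquality` host would report a false finding. The V-38447 control whose header starts at the end of this hunk continues outside it.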
@@ -5630,35 +5720,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure all GIDs referenced in /etc/passwd are defined in\n/etc/group, run the following command:\n\n# pwck -r | grep 'no group'\n\nThere should be no output.\nIf there is output, this is a finding.", - "fix": "Add a group to the system for each GID referenced without a\ncorresponding group." + "check": "The following command will list which files on the system have\nfile hashes different from what is expected by the RPM database:\n\n# rpm -Va | awk '$1 ~ /..5/ && $2 != \"c\"'\n\nIf there is any output from the command for system binaries, verify that the\nchanges were due to STIG application and have been documented with the ISSO.\n\nIf there are changes to system binaries and they are not documented with the\nISSO, this is a finding.\n", + "fix": "The RPM package management system can check the hashes of\ninstalled software packages, including many that are important to system\nsecurity. 
Run the following command to list which files on the system have\nhashes that differ from what is expected by the RPM database:\n\n# rpm -Va | awk '$1 ~ /..5/ && $2 != \"c\"'\n\nIf the file that has changed was not expected to, refresh from distribution\nmedia or online repositories.\n\nrpm -Uvh [affected_package]\n\nOR\n\nyum reinstall [affected_package]\n" }, - "code": "control \"V-38681\" do\n title \"All GIDs referenced in /etc/passwd must be defined in /etc/group\"\n desc \"Inconsistency in GIDs between /etc/passwd and /etc/group could lead to\na user having unintended rights.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38681\"\n tag \"rid\": \"SV-50482r2_rule\"\n tag \"stig_id\": \"RHEL-06-000294\"\n tag \"fix_id\": \"F-43630r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure all GIDs referenced in /etc/passwd are defined in\n/etc/group, run the following command:\n\n# pwck -r | grep 'no group'\n\nThere should be no output.\nIf there is output, this is a finding.\"\n tag \"fix\": \"Add a group to the system for each GID referenced without a\ncorresponding group.\"\n\n describe command(\"pwck -r | grep 'no group'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38447\" do\n title \"The system package management tool must verify contents of all files\nassociated with packages.\"\n desc \"The hash on important files like system executables should match the\ninformation given by the RPM database. 
Executables with erroneous hashes could\nbe a sign of nefarious activity on the system.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38447\"\n tag \"rid\": \"SV-50247r4_rule\"\n tag \"stig_id\": \"RHEL-06-000519\"\n tag \"fix_id\": \"F-43392r5_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which files on the system have\nfile hashes different from what is expected by the RPM database:\n\n# rpm -Va | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\n\nIf there is any output from the command for system binaries, verify that the\nchanges were due to STIG application and have been documented with the ISSO.\n\nIf there are changes to system binaries and they are not documented with the\nISSO, this is a finding.\n\"\n tag \"fix\": \"The RPM package management system can check the hashes of\ninstalled software packages, including many that are important to system\nsecurity. 
Run the following command to list which files on the system have\nhashes that differ from what is expected by the RPM database:\n\n# rpm -Va | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\n\nIf the file that has changed was not expected to, refresh from distribution\nmedia or online repositories.\n\nrpm -Uvh [affected_package]\n\nOR\n\nyum reinstall [affected_package]\n\"\n\n # TODO check against an exception list attribute\n describe command(\"rpm -Va | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38681.rb", + "ref": "./Red Hat 6 STIG/controls/V-38447.rb", "line": 1 }, - "id": "V-38681" + "id": "V-38447" }, { - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nodev option.", - "desc": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "title": "The xorg-x11-server-common (X Windows) package must not be installed,\nunless required.", + "desc": "Unnecessary packages should not be installed to decrease the attack\nsurface of the system.", "descriptions": { - "default": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access." + "default": "Unnecessary packages should not be installed to decrease the attack\nsurface of the system." 
}, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-81445", - "rid": "SV-96159r1_rule", - "stig_id": "RHEL-06-000530", - "fix_id": "F-88263r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38676", + "rid": "SV-50477r2_rule", + "stig_id": "RHEL-06-000291", + "fix_id": "F-43625r1_fix", "cci": [ - "CCI-001764" + "CCI-000366" ], "nist": [ - "CM-7 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
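Review bot: The automated test in the V-38447 `code` string, `its('stdout.strip') { should be_empty }` on `rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'`, fails on any non-config file whose digest differs from the RPM database, whereas the `check` text beside it only treats undocumented changes to system binaries as a finding, so STIG-driven edits to non-config files will surface as failures; the `# TODO check against an exception list attribute` should be resolved with an input, e.g. `exceptions = input('rpm_verify_exceptions', value: [])` and rejecting `stdout.lines` whose last field is in that list before asserting emptiness. Two caveats are worth a comment in the control: `rpm -Va` trusts the local RPM database, so an attacker with root can also rewrite the stored digests and make a tampered binary verify clean, and the fix's `rpm -Uvh`/`yum reinstall` restores from whatever repository is configured — verifying against a known-good package (`rpm -Vp`) from trusted media is the stronger check. `rpm -Va` also walks every installed file, so this is likely the slowest control in the profile and its run cost should be documented.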
@@ -5671,35 +5761,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify that the \"nodev\" option is configured for /dev/shm.\n\nCheck that the operating system is configured to use the \"nodev\" option for\n/dev/shm with the following command:\n\n# cat /etc/fstab | grep /dev/shm | grep nodev\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf the \"nodev\" option is not present on the line for \"/dev/shm\", this is a\nfinding.\n\nVerify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n# mount | grep \"/dev/shm\" | grep nodev\n\nIf no results are returned, this is a finding.\n", - "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option for all\nlines containing \"/dev/shm\"." + "check": "To ensure the X Windows package group is removed, run the\nfollowing command:\n\n$ rpm -qi xorg-x11-server-common\n\nThe output should be:\n\npackage xorg-x11-server-common is not installed\n\n\nIf it is not, this is a finding.", + "fix": "Removing all packages which constitute the X Window System\nensures users or malicious software cannot start X. To do so, run the following\ncommand:\n\n# yum groupremove \"X Window System\"" }, - "code": "control \"V-81445\" do\n title \"The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nodev option.\"\n desc \"The \\\"nodev\\\" mount option causes the system to not interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000368-GPOS-00154\"\n tag \"gid\": \"V-81445\"\n tag \"rid\": \"SV-96159r1_rule\"\n tag \"stig_id\": \"RHEL-06-000530\"\n tag \"fix_id\": \"F-88263r1_fix\"\n tag \"cci\": [\"CCI-001764\"]\n tag \"nist\": [\"CM-7 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify that the \\\"nodev\\\" option is configured for /dev/shm.\n\nCheck that the operating system is configured to use the \\\"nodev\\\" option for\n/dev/shm with the following command:\n\n# cat /etc/fstab | grep /dev/shm | grep nodev\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf the \\\"nodev\\\" option is not present on the line for \\\"/dev/shm\\\", this is a\nfinding.\n\nVerify \\\"/dev/shm\\\" is mounted with the \\\"nodev\\\" option:\n\n# mount | grep \\\"/dev/shm\\\" | grep nodev\n\nIf no results are returned, this is a finding.\n\"\n tag \"fix\": \"Configure the \\\"/etc/fstab\\\" to use the \\\"nodev\\\" option for all\nlines containing \\\"/dev/shm\\\".\"\n\n describe file(\"/etc/fstab\") do\n its(\"content\") { should match(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/) }\n end\n file(\"/etc/fstab\").content.to_s.scan(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:nodev|[\\w,]+,nodev)(?:$|,[\\w,]+$)/) }\n end\n end\n describe file(\"/etc/mtab\") do\n its(\"content\") { should match(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/) 
}\n end\n file(\"/etc/mtab\").content.to_s.scan(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:nodev|[\\w,]+,nodev)(?:$|,[\\w,]+$)/) }\n end\n end\nend\n", + "code": "control \"V-38676\" do\n title \"The xorg-x11-server-common (X Windows) package must not be installed,\nunless required.\"\n desc \"Unnecessary packages should not be installed to decrease the attack\nsurface of the system.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38676\"\n tag \"rid\": \"SV-50477r2_rule\"\n tag \"stig_id\": \"RHEL-06-000291\"\n tag \"fix_id\": \"F-43625r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the X Windows package group is removed, run the\nfollowing command:\n\n$ rpm -qi xorg-x11-server-common\n\nThe output should be:\n\npackage xorg-x11-server-common is not installed\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"Removing all packages which constitute the X Window System\nensures users or malicious software cannot start X. To do so, run the following\ncommand:\n\n# yum groupremove \\\"X Window System\\\"\"\n\n describe package(\"xorg-x11-server-common\") do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-81445.rb", + "ref": "./Red Hat 6 STIG/controls/V-38676.rb", "line": 1 }, - "id": "V-81445" + "id": "V-38676" }, { - "title": "System logs must be rotated daily.", - "desc": "Log files that are not properly rotated run the risk of growing so\nlarge that they fill up the /var/log partition. 
Valuable logging information\ncould be lost if the /var/log partition becomes full.", + "title": "The system must be configured to require the use of a CAC, PIV\ncompliant hardware token, or Alternate Logon Token (ALT) for authentication.", + "desc": "Smart card login provides two-factor authentication stronger than that\nprovided by a username/password combination. Smart cards leverage a PKI (public\nkey infrastructure) in order to provide and verify credentials.", "descriptions": { - "default": "Log files that are not properly rotated run the risk of growing so\nlarge that they fill up the /var/log partition. Valuable logging information\ncould be lost if the /var/log partition becomes full." + "default": "Smart card login provides two-factor authentication stronger than that\nprovided by a username/password combination. Smart cards leverage a PKI (public\nkey infrastructure) in order to provide and verify credentials." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38624", - "rid": "SV-50425r1_rule", - "stig_id": "RHEL-06-000138", - "fix_id": "F-43573r1_fix", + "gtitle": "SRG-OS-000105", + "gid": "V-38595", + "rid": "SV-50396r3_rule", + "stig_id": "RHEL-06-000349", + "fix_id": "F-43544r2_fix", "cci": [ - "CCI-000366" + "CCI-000765" ], "nist": [ - "CM-6 b", + "IA-2 (1)", "Rev_4" ], "false_negatives": null, 
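Review bot: The V-38676 title says the package must not be installed `unless required`, but the InSpec body `describe package("xorg-x11-server-common") do it { should_not be_installed }` is unconditional, so a host with a documented X requirement fails rather than reporting not-applicable. Gate the describe on an input, e.g. `only_if('X Window System is documented as required for this host') { !input('x11_required', value: false) }`, so the exception the check text allows can be expressed without editing the control. The `fix` text's `yum groupremove "X Window System"` removes the whole package group and whatever depends on it, so operators should review the transaction yum reports before confirming. The V-38595 control whose header starts at the end of this hunk continues outside it.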
@@ -5712,35 +5802,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following commands to determine the current status of\nthe \"logrotate\" service:\n\n# grep logrotate /var/log/cron*\n\nIf the logrotate service is not run on a daily basis by cron, this is a\nfinding.", - "fix": "The \"logrotate\" service should be installed or reinstalled if\nit is not installed and operating properly, by running the following command:\n\n# yum reinstall logrotate" + "check": "Interview the SA to determine if all accounts not exempted by\npolicy are using CAC authentication. For DoD systems, the following systems and\naccounts are exempt from using smart card (CAC) authentication:\n\nStandalone systems\nApplication accounts\nTemporary employee accounts, such as students or interns, who cannot easily\nreceive a CAC or PIV\nOperational tactical locations that are not collocated with RAPIDS workstations\nto issue CAC or ALT\nTest systems, such as those with an Interim Approval to Test (IATT) and use a\nseparate VPN, firewall, or security measure preventing access to network and\nsystem components from outside the protection boundary documented in the IATT.\n\n\n\nIf non-exempt accounts are not using CAC authentication, this is a finding.", + "fix": "To enable smart card authentication, consult the documentation at:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html\n\nFor guidance on enabling SSH to authenticate against a Common Access Card\n(CAC), consult documentation at:\n\nhttps://access.redhat.com/solutions/82273" }, - "code": "control \"V-38624\" do\n title \"System logs must be rotated daily.\"\n desc \"Log files that are not properly rotated run the risk of growing so\nlarge that they fill up the /var/log partition. 
Valuable logging information\ncould be lost if the /var/log partition becomes full.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38624\"\n tag \"rid\": \"SV-50425r1_rule\"\n tag \"stig_id\": \"RHEL-06-000138\"\n tag \"fix_id\": \"F-43573r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following commands to determine the current status of\nthe \\\"logrotate\\\" service:\n\n# grep logrotate /var/log/cron*\n\nIf the logrotate service is not run on a daily basis by cron, this is a\nfinding.\"\n tag \"fix\": \"The \\\"logrotate\\\" service should be installed or reinstalled if\nit is not installed and operating properly, by running the following command:\n\n# yum reinstall logrotate\"\n\n # TODO is this too specific?\n describe bash(\"grep logrotate /var/log/cron*\") do\n its('stdout.strip') { should match %r{cron\\.daily} }\n end\nend\n", + "code": "control \"V-38595\" do\n title \"The system must be configured to require the use of a CAC, PIV\ncompliant hardware token, or Alternate Logon Token (ALT) for authentication.\"\n desc \"Smart card login provides two-factor authentication stronger than that\nprovided by a username/password combination. 
Smart cards leverage a PKI (public\nkey infrastructure) in order to provide and verify credentials.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000105\"\n tag \"gid\": \"V-38595\"\n tag \"rid\": \"SV-50396r3_rule\"\n tag \"stig_id\": \"RHEL-06-000349\"\n tag \"fix_id\": \"F-43544r2_fix\"\n tag \"cci\": [\"CCI-000765\"]\n tag \"nist\": [\"IA-2 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Interview the SA to determine if all accounts not exempted by\npolicy are using CAC authentication. For DoD systems, the following systems and\naccounts are exempt from using smart card (CAC) authentication:\n\nStandalone systems\nApplication accounts\nTemporary employee accounts, such as students or interns, who cannot easily\nreceive a CAC or PIV\nOperational tactical locations that are not collocated with RAPIDS workstations\nto issue CAC or ALT\nTest systems, such as those with an Interim Approval to Test (IATT) and use a\nseparate VPN, firewall, or security measure preventing access to network and\nsystem components from outside the protection boundary documented in the IATT.\n\n\n\nIf non-exempt accounts are not using CAC authentication, this is a finding.\"\n tag \"fix\": \"To enable smart card authentication, consult the documentation at:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html\n\nFor guidance on enabling SSH to authenticate against a Common Access Card\n(CAC), consult documentation at:\n\nhttps://access.redhat.com/solutions/82273\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 
STIG/controls/V-38624.rb", + "ref": "./Red Hat 6 STIG/controls/V-38595.rb", "line": 1 }, - "id": "V-38624" + "id": "V-38595" }, { - "title": "The FTP daemon must be configured for logging or verbose mode.", - "desc": "To trace malicious activity facilitated by the FTP service, it must be\nconfigured to ensure that all commands sent to the ftp server are logged using\nthe verbose vsftpd log format. The default vsftpd log file is\n/var/log/vsftpd.log.", + "title": "The system must use a Linux Security Module configured to enforce\nlimits on system services.", + "desc": "Setting the SELinux state to enforcing ensures SELinux is able to\nconfine potentially compromised processes to the security policy, which is\ndesigned to prevent them from causing damage to the system or further elevating\ntheir privileges.", "descriptions": { - "default": "To trace malicious activity facilitated by the FTP service, it must be\nconfigured to ensure that all commands sent to the ftp server are logged using\nthe verbose vsftpd log format. The default vsftpd log file is\n/var/log/vsftpd.log." + "default": "Setting the SELinux state to enforcing ensures SELinux is able to\nconfine potentially compromised processes to the security policy, which is\ndesigned to prevent them from causing damage to the system or further elevating\ntheir privileges." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000037", - "gid": "V-38702", - "rid": "SV-50503r1_rule", - "stig_id": "RHEL-06-000339", - "fix_id": "F-43651r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-51363", + "rid": "SV-65573r1_rule", + "stig_id": "RHEL-06-000020", + "fix_id": "F-56165r1_fix", "cci": [ - "CCI-000130" + "CCI-000366" ], "nist": [ - "AU-3", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -5753,35 +5843,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Find if logging is applied to the ftp daemon.\n\nProcedures:\n\nIf vsftpd is started by xinetd the following command will indicate the xinetd.d\nstartup file.\n\n# grep vsftpd /etc/xinetd.d/*\n\n\n\n# grep server_args [vsftpd xinetd.d startup file]\n\nThis will indicate the vsftpd config file used when starting through xinetd. If\nthe [server_args]line is missing or does not include the vsftpd configuration\nfile, then the default config file (/etc/vsftpd/vsftpd.conf) is used.\n\n# grep xferlog_enable [vsftpd config file]\n\n\nIf xferlog_enable is missing, or is not set to yes, this is a finding.", - "fix": "Add or correct the following configuration options within the\n\"vsftpd\" configuration file, located at \"/etc/vsftpd/vsftpd.conf\".\n\nxferlog_enable=YES\nxferlog_std_format=NO\nlog_ftp_protocol=YES" + "check": "Check the file \"/etc/selinux/config\" and ensure the following\nline appears:\n\nSELINUX=enforcing\n\nIf SELINUX is not set to enforcing, this is a finding. ", + "fix": "The SELinux state should be set to \"enforcing\" at system boot\ntime. In the file \"/etc/selinux/config\", add or correct the following line to\nconfigure the system to boot into enforcing mode:\n\nSELINUX=enforcing" }, - "code": "control \"V-38702\" do\n title \"The FTP daemon must be configured for logging or verbose mode.\"\n desc \"To trace malicious activity facilitated by the FTP service, it must be\nconfigured to ensure that all commands sent to the ftp server are logged using\nthe verbose vsftpd log format. 
The default vsftpd log file is\n/var/log/vsftpd.log.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000037\"\n tag \"gid\": \"V-38702\"\n tag \"rid\": \"SV-50503r1_rule\"\n tag \"stig_id\": \"RHEL-06-000339\"\n tag \"fix_id\": \"F-43651r1_fix\"\n tag \"cci\": [\"CCI-000130\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Find if logging is applied to the ftp daemon.\n\nProcedures:\n\nIf vsftpd is started by xinetd the following command will indicate the xinetd.d\nstartup file.\n\n# grep vsftpd /etc/xinetd.d/*\n\n\n\n# grep server_args [vsftpd xinetd.d startup file]\n\nThis will indicate the vsftpd config file used when starting through xinetd. If\nthe [server_args]line is missing or does not include the vsftpd configuration\nfile, then the default config file (/etc/vsftpd/vsftpd.conf) is used.\n\n# grep xferlog_enable [vsftpd config file]\n\n\nIf xferlog_enable is missing, or is not set to yes, this is a finding.\"\n tag \"fix\": \"Add or correct the following configuration options within the\n\\\"vsftpd\\\" configuration file, located at \\\"/etc/vsftpd/vsftpd.conf\\\".\n\nxferlog_enable=YES\nxferlog_std_format=NO\nlog_ftp_protocol=YES\"\n\n describe parse_config_file('/etc/vsftpd/vsftpd.conf') do\n its('xferlog_enable') { should eq 'YES' }\n end\nend\n", + "code": "control \"V-51363\" do\n title \"The system must use a Linux Security Module configured to enforce\nlimits on system services.\"\n desc \"Setting the SELinux state to enforcing ensures SELinux is able to\nconfine potentially compromised processes to the security policy, which is\ndesigned to prevent them from causing damage to the system or further elevating\ntheir privileges. 
\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51363\"\n tag \"rid\": \"SV-65573r1_rule\"\n tag \"stig_id\": \"RHEL-06-000020\"\n tag \"fix_id\": \"F-56165r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check the file \\\"/etc/selinux/config\\\" and ensure the following\nline appears:\n\nSELINUX=enforcing\n\nIf SELINUX is not set to enforcing, this is a finding. \"\n tag \"fix\": \"The SELinux state should be set to \\\"enforcing\\\" at system boot\ntime. In the file \\\"/etc/selinux/config\\\", add or correct the following line to\nconfigure the system to boot into enforcing mode:\n\nSELINUX=enforcing\"\n\n describe file(\"/etc/selinux/config\") do\n its(\"content\") { should match(/^[\\s]*SELINUX[\\s]*=[\\s]*(.*)[\\s]*$/) }\n end\n file(\"/etc/selinux/config\").content.to_s.scan(/^[\\s]*SELINUX[\\s]*=[\\s]*(.*)[\\s]*$/).flatten.each do |entry|\n describe entry do\n it { should eq \"enforcing\" }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38702.rb", + "ref": "./Red Hat 6 STIG/controls/V-51363.rb", "line": 1 }, - "id": "V-38702" + "id": "V-51363" }, { - "title": "Remote file systems must be mounted with the nosuid option.", - "desc": "NFS mounts should not present suid binaries to users. Only\nvendor-supplied suid executables should be installed to their default location\non the local filesystem.", + "title": "The oddjobd service must not be running.", + "desc": "The \"oddjobd\" service may provide necessary functionality in some\nenvironments but it can be disabled if it is not needed. 
Execution of tasks by\nprivileged programs, on behalf of unprivileged ones, has traditionally been a\nsource of privilege escalation security issues.", "descriptions": { - "default": "NFS mounts should not present suid binaries to users. Only\nvendor-supplied suid executables should be installed to their default location\non the local filesystem." + "default": "The \"oddjobd\" service may provide necessary functionality in some\nenvironments but it can be disabled if it is not needed. Execution of tasks by\nprivileged programs, on behalf of unprivileged ones, has traditionally been a\nsource of privilege escalation security issues." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38654", - "rid": "SV-50455r2_rule", - "stig_id": "RHEL-06-000270", - "fix_id": "F-43603r1_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38646", + "rid": "SV-50447r2_rule", + "stig_id": "RHEL-06-000266", + "fix_id": "F-43595r2_fix", "cci": [ - "CCI-000366" + "CCI-000382" ], "nist": [ - "CM-6 b", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
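Review bot: In the V-51363 `code` string, the capture group `(.*)` in `/^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$/` is greedy and swallows trailing whitespace, so a line such as `SELINUX=enforcing ` (trailing space) yields the entry `"enforcing "` and the `should eq "enforcing"` expectation reports a finding on a compliant file. Using `(\S+)` in both occurrences of the pattern, e.g. `/^[\s]*SELINUX[\s]*=[\s]*(\S+)[\s]*$/`, avoids that while still rejecting `permissive` and `disabled`. Like the STIG `check` text, the test inspects only the boot-time configuration and never the running mode, which is fine for matching the check text but should be stated, e.g. `# Matches the STIG check text: boot config only; the runtime mode (getenforce) is not verified`.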
@@ -5794,30 +5884,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the \"nosuid\" option is configured for all NFS\nmounts, run the following command:\n\n$ mount | grep nfs\n\nAll NFS mounts should show the \"nosuid\" setting in parentheses, along with\nother mount options.\nIf the setting does not show, this is a finding.", - "fix": "Add the \"nosuid\" option to the fourth column of \"/etc/fstab\"\nfor the line which controls mounting of any NFS mounts." + "check": "To check that the \"oddjobd\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \"oddjobd\" --list\n\nOutput should indicate the \"oddjobd\" service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"oddjobd\" --list\n\"oddjobd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"oddjobd\" is disabled through current\nruntime configuration:\n\n# service oddjobd status\n\nIf the service is disabled the command will return the following output:\n\noddjobd is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The \"oddjobd\" service exists to provide an interface and access\ncontrol mechanism through which specified privileged tasks can run tasks for\nunprivileged client applications. Communication with \"oddjobd\" is through the\nsystem message bus. The \"oddjobd\" service can be disabled with the following\ncommands:\n\n# chkconfig oddjobd off\n# service oddjobd stop" }, - "code": "control \"V-38654\" do\n title \"Remote file systems must be mounted with the nosuid option.\"\n desc \"NFS mounts should not present suid binaries to users. 
Only\nvendor-supplied suid executables should be installed to their default location\non the local filesystem.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38654\"\n tag \"rid\": \"SV-50455r2_rule\"\n tag \"stig_id\": \"RHEL-06-000270\"\n tag \"fix_id\": \"F-43603r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"nosuid\\\" option is configured for all NFS\nmounts, run the following command:\n\n$ mount | grep nfs\n\nAll NFS mounts should show the \\\"nosuid\\\" setting in parentheses, along with\nother mount options.\nIf the setting does not show, this is a finding.\"\n tag \"fix\": \"Add the \\\"nosuid\\\" option to the fourth column of \\\"/etc/fstab\\\"\nfor the line which controls mounting of any NFS mounts.\"\n\n describe command('mount | grep nfs') do\n its('stdout.strip.lines') { should all include 'nosuid' }\n end\nend\n", + "code": "control \"V-38646\" do\n title \"The oddjobd service must not be running.\"\n desc \"The \\\"oddjobd\\\" service may provide necessary functionality in some\nenvironments but it can be disabled if it is not needed. 
Execution of tasks by\nprivileged programs, on behalf of unprivileged ones, has traditionally been a\nsource of privilege escalation security issues.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38646\"\n tag \"rid\": \"SV-50447r2_rule\"\n tag \"stig_id\": \"RHEL-06-000266\"\n tag \"fix_id\": \"F-43595r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"oddjobd\\\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \\\"oddjobd\\\" --list\n\nOutput should indicate the \\\"oddjobd\\\" service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"oddjobd\\\" --list\n\\\"oddjobd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"oddjobd\\\" is disabled through current\nruntime configuration:\n\n# service oddjobd status\n\nIf the service is disabled the command will return the following output:\n\noddjobd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"oddjobd\\\" service exists to provide an interface and access\ncontrol mechanism through which specified privileged tasks can run tasks for\nunprivileged client applications. Communication with \\\"oddjobd\\\" is through the\nsystem message bus. 
The \\\"oddjobd\\\" service can be disabled with the following\ncommands:\n\n# chkconfig oddjobd off\n# service oddjobd stop\"\n\n describe.one do\n describe package(\"oddjob\") do\n it { should_not be_installed }\n end\n describe service(\"oddjobd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38654.rb", + "ref": "./Red Hat 6 STIG/controls/V-38646.rb", "line": 1 }, - "id": "V-38654" + "id": "V-38646" }, { - "title": "The system must limit the ability of processes to have simultaneous\nwrite and execute access to memory.", - "desc": "ExecShield uses the segmentation feature on all x86 systems to prevent\nexecution in memory higher than a certain address. It writes an address as a\nlimit in the code segment descriptor, to control where code can be executed, on\na per-process basis. When the kernel places a process's memory regions such as\nthe stack and heap higher than this address, the hardware prevents execution in\nthat address range.", + "title": "The system must retain enough rotated audit logs to cover the required\nlog retention period.", + "desc": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained.", "descriptions": { - "default": "ExecShield uses the segmentation feature on all x86 systems to prevent\nexecution in memory higher than a certain address. It writes an address as a\nlimit in the code segment descriptor, to control where code can be executed, on\na per-process basis. 
When the kernel places a process's memory regions such as\nthe stack and heap higher than this address, the hardware prevents execution in\nthat address range." + "default": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained." }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38597", - "rid": "SV-50398r2_rule", - "stig_id": "RHEL-06-000079", - "fix_id": "F-43545r1_fix", + "gid": "V-38636", + "rid": "SV-50437r1_rule", + "stig_id": "RHEL-06-000159", + "fix_id": "F-43585r1_fix", "cci": [ "CCI-000366" ], 
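Review bot: The new `code` string for V-38646 asserts `should be_enabled` for every runlevel inside the `describe service("oddjobd")` block, which is the opposite of what the control requires; because that block sits inside `describe.one`, a host with `oddjob` installed and `oddjobd` enabled at runlevels 0-6 passes the control while a host that has disabled it fails. Each of the seven expectations should read `its("runlevels(?-mix:N)") { should_not be_enabled }`, and since the title is "must not be running", adding `it { should_not be_running }` to the same block would cover the runtime check that the `check` text describes with `service oddjobd status`. The `(?-mix:N)` argument looks like a `Regexp#to_s` rendering of `/N/` produced by the generator; I am not certain InSpec evaluates that string form as a `runlevels(/N/)` call, so it is worth confirming these expectations actually execute rather than erroring.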
@@ -5835,35 +5925,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"kernel.exec-shield\" kernel parameter can\nbe queried by running the following command:\n\n$ sysctl kernel.exec-shield\n$ grep kernel.exec-shield /etc/sysctl.conf\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\nIf the correct value is not returned, this is a finding.", - "fix": "To set the runtime status of the \"kernel.exec-shield\" kernel\nparameter, run the following command:\n\n# sysctl -w kernel.exec-shield=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nkernel.exec-shield = 1" + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine how many logs the system is configured to retain after\nrotation: \"# grep num_logs /etc/audit/auditd.conf\"\n\nnum_logs = 5\n\n\nIf the overall system log file(s) retention hasn't been properly set up, this\nis a finding.", + "fix": "Determine how many log files \"auditd\" should retain when it\nrotates logs. Edit the file \"/etc/audit/auditd.conf\". Add or modify the\nfollowing line, substituting [NUMLOGS] with the correct value:\n\nnum_logs = [NUMLOGS]\n\nSet the value to 5 for general-purpose systems. Note that values less than 2\nresult in no log rotation." }, - "code": "control \"V-38597\" do\n title \"The system must limit the ability of processes to have simultaneous\nwrite and execute access to memory.\"\n desc \"ExecShield uses the segmentation feature on all x86 systems to prevent\nexecution in memory higher than a certain address. It writes an address as a\nlimit in the code segment descriptor, to control where code can be executed, on\na per-process basis. 
When the kernel places a process's memory regions such as\nthe stack and heap higher than this address, the hardware prevents execution in\nthat address range.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38597\"\n tag \"rid\": \"SV-50398r2_rule\"\n tag \"stig_id\": \"RHEL-06-000079\"\n tag \"fix_id\": \"F-43545r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"kernel.exec-shield\\\" kernel parameter can\nbe queried by running the following command:\n\n$ sysctl kernel.exec-shield\n$ grep kernel.exec-shield /etc/sysctl.conf\n\nThe output of the command should indicate a value of \\\"1\\\". 
If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\nIf the correct value is not returned, this is a finding.\"\n tag \"fix\": \"To set the runtime status of the \\\"kernel.exec-shield\\\" kernel\nparameter, run the following command:\n\n# sysctl -w kernel.exec-shield=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nkernel.exec-shield = 1\"\n\n describe command('sysctl -n kernel.exec-shield') do\n its('stdout.strip') { should eq '1' }\n end\n\n describe parse_config_file('/etc/sysctl.conf') do\n its('params') { should be >= { 'kernel.exec-shield' => '1' } }\n end\nend\n", + "code": "control \"V-38636\" do\n title \"The system must retain enough rotated audit logs to cover the required\nlog retention period.\"\n desc \"The total storage for audit log files must be large enough to retain\nlog information over the period required. 
This is a function of the maximum log\nfile size and the number of logs retained.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38636\"\n tag \"rid\": \"SV-50437r1_rule\"\n tag \"stig_id\": \"RHEL-06-000159\"\n tag \"fix_id\": \"F-43585r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine how many logs the system is configured to retain after\nrotation: \\\"# grep num_logs /etc/audit/auditd.conf\\\"\n\nnum_logs = 5\n\n\nIf the overall system log file(s) retention hasn't been properly set up, this\nis a finding.\"\n tag \"fix\": \"Determine how many log files \\\"auditd\\\" should retain when it\nrotates logs. Edit the file \\\"/etc/audit/auditd.conf\\\". Add or modify the\nfollowing line, substituting [NUMLOGS] with the correct value:\n\nnum_logs = [NUMLOGS]\n\nSet the value to 5 for general-purpose systems. 
Note that values less than 2\nresult in no log rotation.\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^num_logs\\s*=\\s*(\\d+)\\s*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^num_logs\\s*=\\s*(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 5 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38597.rb", + "ref": "./Red Hat 6 STIG/controls/V-38636.rb", "line": 1 }, - "id": "V-38597" + "id": "V-38636" }, { - "title": "All rsyslog-generated log files must be group-owned by root.", - "desc": "The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access.", + "title": "The tftp-server package must not be installed unless required.", + "desc": "Removing the \"tftp-server\" package decreases the risk of the\naccidental (or intentional) activation of tftp services.", "descriptions": { - "default": "The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access." + "default": "Removing the \"tftp-server\" package decreases the risk of the\naccidental (or intentional) activation of tftp services." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000206", - "gid": "V-38519", - "rid": "SV-50320r2_rule", - "stig_id": "RHEL-06-000134", - "fix_id": "F-43466r1_fix", + "gtitle": "SRG-OS-000095", + "gid": "V-38606", + "rid": "SV-50407r2_rule", + "stig_id": "RHEL-06-000222", + "fix_id": "F-43554r1_fix", "cci": [ - "CCI-001314" + "CCI-000381" ], "nist": [ - "SI-11 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
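Review bot: The V-38636 `code` string anchors its pattern as `/^num_logs\s*=\s*(\d+)\s*$/`, which is case-sensitive and rejects leading whitespace, whereas the V-51363 control in the same file tolerates leading whitespace with `^[\s]*`; an indented or differently-cased `num_logs` line would make `its("content") { should match ... }` fail on a host whose auditd accepts it. If auditd treats option names case-insensitively and trims leading whitespace (I believe auditd.conf(5) states this, but confirm), `/^\s*num_logs\s*=\s*(\d+)\s*$/i` in both places matches what the daemon actually honours. The threshold in `should cmp >= 5` is hard-coded from the STIG's "5 for general-purpose systems" guidance; a comment such as `# STIG fix text: 5 for general-purpose systems; sites with a longer retention period should raise this via a profile input` would record why 5 was chosen and where to change it.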
@@ -5876,35 +5966,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The group-owner of all log files written by \"rsyslog\" should\nbe root. These log files are determined by the second part of each Rule line in\n\"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". To see the\ngroup-owner of a given log file, run the following command:\n\n$ ls -l [LOGFILE]\n\nSome log files referenced in /etc/rsyslog.conf may be created by other programs\nand may require exclusion from consideration.\n\nIf the group-owner is not root, this is a finding.", - "fix": "The group-owner of all log files written by \"rsyslog\" should be\nroot. These log files are determined by the second part of each Rule line in\n\"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". For each log\nfile [LOGFILE] referenced in \"/etc/rsyslog.conf\", run the following command\nto inspect the file's group owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not \"root\", run the following command to correct this:\n\n# chgrp root [LOGFILE]" + "check": "Run the following command to determine if the \"tftp-server\"\npackage is installed:\n\n# rpm -q tftp-server\n\n\nIf the package is installed, this is a finding.", + "fix": "The \"tftp-server\" package can be removed with the following\ncommand:\n\n# yum erase tftp-server" }, - "code": "control \"V-38519\" do\n title \"All rsyslog-generated log files must be group-owned by root.\"\n desc \"The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. 
Log files should be protected from unauthorized access.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000206\"\n tag \"gid\": \"V-38519\"\n tag \"rid\": \"SV-50320r2_rule\"\n tag \"stig_id\": \"RHEL-06-000134\"\n tag \"fix_id\": \"F-43466r1_fix\"\n tag \"cci\": [\"CCI-001314\"]\n tag \"nist\": [\"SI-11 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The group-owner of all log files written by \\\"rsyslog\\\" should\nbe root. These log files are determined by the second part of each Rule line in\n\\\"/etc/rsyslog.conf\\\" and typically all appear in \\\"/var/log\\\". To see the\ngroup-owner of a given log file, run the following command:\n\n$ ls -l [LOGFILE]\n\nSome log files referenced in /etc/rsyslog.conf may be created by other programs\nand may require exclusion from consideration.\n\nIf the group-owner is not root, this is a finding.\"\n tag \"fix\": \"The group-owner of all log files written by \\\"rsyslog\\\" should be\nroot. These log files are determined by the second part of each Rule line in\n\\\"/etc/rsyslog.conf\\\" and typically all appear in \\\"/var/log\\\". For each log\nfile [LOGFILE] referenced in \\\"/etc/rsyslog.conf\\\", run the following command\nto inspect the file's group owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not \\\"root\\\", run the following command to correct this:\n\n# chgrp root [LOGFILE]\"\n\n # strip comments, empty lines, and lines which start with $ in order to get rules\n rules = file('/etc/rsyslog.conf').content.lines.map do |l|\n pound_index = l.index('#')\n l = l.slice(0, pound_index) if !pound_index.nil?\n l.strip\n end.reject { |l| l.empty? or l.start_with? 
'$' }\n\n paths = rules.map do |r|\n filter, action = r.split(%r{\\s+})\n next if !(action.start_with? '-/' or action.start_with? '/')\n action.sub(%r{^-/}, '/')\n end.reject { |path| path.nil? }\n\n if paths.empty?\n describe \"rsyslog log files\" do\n subject { paths }\n it { should be_empty }\n end\n else\n paths.each do |path|\n describe file(path) do \n its('group') { should eq 'root' }\n end\n end\n end\nend\n", + "code": "control \"V-38606\" do\n title \"The tftp-server package must not be installed unless required.\"\n desc \"Removing the \\\"tftp-server\\\" package decreases the risk of the\naccidental (or intentional) activation of tftp services.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000095\"\n tag \"gid\": \"V-38606\"\n tag \"rid\": \"SV-50407r2_rule\"\n tag \"stig_id\": \"RHEL-06-000222\"\n tag \"fix_id\": \"F-43554r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"tftp-server\\\"\npackage is installed:\n\n# rpm -q tftp-server\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"tftp-server\\\" package can be removed with the following\ncommand:\n\n# yum erase tftp-server\"\n\n describe package(\"tftp-server\") do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38519.rb", + "ref": "./Red Hat 6 STIG/controls/V-38606.rb", "line": 1 }, - "id": "V-38519" + "id": "V-38606" }, { - "title": "The operating system must employ cryptographic mechanisms to protect\ninformation in storage.", - "desc": "The risk of a system's physical compromise, particularly 
mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.", + "title": "The operating system must back up audit records on an organization\ndefined frequency onto a different system or media than the system being\naudited.", + "desc": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.", "descriptions": { - "default": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost." + "default": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000131", - "gid": "V-38659", - "rid": "SV-50460r2_rule", - "stig_id": "RHEL-06-000275", - "fix_id": "F-43609r3_fix", + "gtitle": "SRG-OS-000215", + "gid": "V-38520", + "rid": "SV-50321r1_rule", + "stig_id": "RHEL-06-000136", + "fix_id": "F-43468r1_fix", "cci": [ - "CCI-001019" + "CCI-001348" ], "nist": [ - "MP-4 (1)", + "AU-9 (2)", "Rev_4" ], "false_negatives": null, 
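Review bot: The new V-38606 code block asserts `package("tftp-server")` is not installed unconditionally, while the title and fix text say the package must be absent "unless required"; a host with a documented need for tftp-server will always be reported as a finding. Consider gating the assertion on a profile input such as `tftp_required` and emitting a skipped/not-applicable result that carries the justification when it is set, so exceptions are recorded instead of silently failing. Separately, the new `source_location.ref` still points into `./Red Hat 6 STIG/controls/` and the check/fix prose uses `rpm`/`yum`, inside a file named for the Canonical Ubuntu 16.04 baseline; if this file intentionally bundles several profiles that is fine, otherwise the control belongs in the RHEL 6 baseline file.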
@@ -5917,35 +6007,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.", - "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \"Encrypt\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \"--encrypted\" and \"--passphrase=\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. Omitting the \"--passphrase=\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" + "check": "To ensure logs are sent to a remote host, examine the file\n\"/etc/rsyslog.conf\". 
If using UDP, a line similar to the following should be\npresent:\n\n*.* @[loghost.example.com]\n\nIf using TCP, a line similar to the following should be present:\n\n*.* @@[loghost.example.com]\n\nIf using RELP, a line similar to the following should be present:\n\n*.* :omrelp:[loghost.example.com]\n\n\nIf none of these are present, this is a finding.", + "fix": "To configure rsyslog to send logs to a remote log server, open\n\"/etc/rsyslog.conf\" and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote logging.\nAlong with these other directives, the system can be configured to forward its\nlogs to a particular log server by adding or correcting one of the following\nlines, substituting \"[loghost.example.com]\" appropriately. The choice of\nprotocol depends on the environment of the system; although TCP and RELP\nprovide more reliable message delivery, they may not be supported in all\nenvironments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com]" }, - "code": "control \"V-38659\" do\n title \"The operating system must employ cryptographic mechanisms to protect\ninformation in storage.\"\n desc \"The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. 
Encrypting this\ndata mitigates the risk of its loss if the system is lost.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000131\"\n tag \"gid\": \"V-38659\"\n tag \"rid\": \"SV-50460r2_rule\"\n tag \"stig_id\": \"RHEL-06-000275\"\n tag \"fix_id\": \"F-43609r3_fix\"\n tag \"cci\": [\"CCI-001019\"]\n tag \"nist\": [\"MP-4 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.\"\n tag \"fix\": \"Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \\\"Encrypt\\\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \\\"--encrypted\\\" and \\\"--passphrase=\\\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. 
Omitting the \\\"--passphrase=\\\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38520\" do\n title \"The operating system must back up audit records on an organization\ndefined frequency onto a different system or media than the system being\naudited.\"\n desc \"A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000215\"\n tag \"gid\": \"V-38520\"\n tag \"rid\": \"SV-50321r1_rule\"\n tag \"stig_id\": \"RHEL-06-000136\"\n tag \"fix_id\": \"F-43468r1_fix\"\n tag \"cci\": [\"CCI-001348\"]\n tag \"nist\": [\"AU-9 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure logs are sent to a remote host, examine the file\n\\\"/etc/rsyslog.conf\\\". 
If using UDP, a line similar to the following should be\npresent:\n\n*.* @[loghost.example.com]\n\nIf using TCP, a line similar to the following should be present:\n\n*.* @@[loghost.example.com]\n\nIf using RELP, a line similar to the following should be present:\n\n*.* :omrelp:[loghost.example.com]\n\n\nIf none of these are present, this is a finding.\"\n tag \"fix\": \"To configure rsyslog to send logs to a remote log server, open\n\\\"/etc/rsyslog.conf\\\" and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote logging.\nAlong with these other directives, the system can be configured to forward its\nlogs to a particular log server by adding or correcting one of the following\nlines, substituting \\\"[loghost.example.com]\\\" appropriately. The choice of\nprotocol depends on the environment of the system; although TCP and RELP\nprovide more reliable message delivery, they may not be supported in all\nenvironments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com]\"\n\n describe file('/etc/rsyslog.conf') do\n its('content') {\n should (match %r{^\\s*\\*\\.\\*\\s+@[^@#]+}).or (match %r{^\\s*\\*\\.\\*\\s+@@[^@#]+}). 
or (match %r{^\\s*\\*\\.\\*\\s+:omrelp:[^@#]+})\n }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38659.rb", + "ref": "./Red Hat 6 STIG/controls/V-38520.rb", "line": 1 }, - "id": "V-38659" + "id": "V-38520" }, { - "title": "The /etc/passwd file must not contain password hashes.", - "desc": "The hashes for all user account passwords should be stored in the file\n\"/etc/shadow\" and never in \"/etc/passwd\", which is readable by all users.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fsetxattr.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "The hashes for all user account passwords should be stored in the file\n\"/etc/shadow\" and never in \"/etc/passwd\", which is readable by all users." + "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38499", - "rid": "SV-50300r1_rule", - "stig_id": "RHEL-06-000031", - "fix_id": "F-43446r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38557", + "rid": "SV-50358r3_rule", + "stig_id": "RHEL-06-000191", + "fix_id": "F-43505r2_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
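Review bot: The three forwarding patterns in the new V-38520 code (`@[^@#]+`, `@@[^@#]+`, `:omrelp:[^@#]+`) accept any non-empty text after the selector, so the unsubstituted placeholder `*.* @[loghost.example.com]` copied verbatim from the fix text satisfies the control, as does a loopback address; the check only confirms a forwarding directive is syntactically present, not that logs leave the host. Consider tightening the target to a host character class, e.g. `[^@#\s\[\]]+`, and adding a comment above the `describe` stating that reachability of the loghost is out of scope for this control. The code also reads only `/etc/rsyslog.conf`; where the configuration pulls in drop-in files (a `$IncludeConfig /etc/rsyslog.d/*.conf` line is common on this platform), a forwarding rule placed there would be reported as a finding, so scanning the included files as well would reduce false positives. A `describe.one` block holding three separate `describe file` matches would express the same "any of" intent more readably than the chained `.or` calls.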
@@ -5958,35 +6048,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that no password hashes are stored in \"/etc/passwd\",\nrun the following command:\n\n# awk -F: '($2 != \"x\") {print}' /etc/passwd\n\nIf it produces any output, then a password hash is stored in \"/etc/passwd\".\nIf any stored hashes are found in /etc/passwd, this is a finding.", - "fix": "If any password hashes are stored in \"/etc/passwd\" (in the\nsecond field, instead of an \"x\"), the cause of this misconfiguration should\nbe investigated. The account should have its password reset and the hash should\nbe properly stored, or the account should be deleted entirely." + "check": "To determine if the system is configured to audit calls to the\n\"fsetxattr\" system call, run the following command:\n\n$ sudo grep -w \"fsetxattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod" }, - "code": "control \"V-38499\" do\n title \"The /etc/passwd file must not contain password hashes.\"\n desc \"The hashes for all user account passwords should be stored in the file\n\\\"/etc/shadow\\\" and never in \\\"/etc/passwd\\\", which is readable by all users.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38499\"\n tag \"rid\": \"SV-50300r1_rule\"\n tag \"stig_id\": \"RHEL-06-000031\"\n tag \"fix_id\": \"F-43446r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that no password hashes are stored in \\\"/etc/passwd\\\",\nrun the following command:\n\n# awk -F: '($2 != \\\"x\\\") {print}' /etc/passwd\n\nIf it produces any output, then a password hash is stored in \\\"/etc/passwd\\\".\nIf any stored hashes are found in /etc/passwd, this is a finding.\"\n tag \"fix\": \"If any password hashes are stored in \\\"/etc/passwd\\\" (in the\nsecond field, instead of an \\\"x\\\"), the cause of this misconfiguration should\nbe investigated. 
The account should have its password reset and the hash should\nbe properly stored, or the account should be deleted entirely.\"\n\n describe file(\"/etc/passwd\") do\n its(\"content\") { should match(/^[^:]*:([^:]*):/) }\n end\n file(\"/etc/passwd\").content.to_s.scan(/^[^:]*:([^:]*):/).flatten.each do |entry|\n describe entry do\n it { should eq \"x\" }\n end\n end\nend\n", + "code": "control \"V-38557\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fsetxattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38557\"\n tag \"rid\": \"SV-50358r3_rule\"\n tag \"stig_id\": \"RHEL-06-000191\"\n tag \"fix_id\": \"F-43505r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fsetxattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fsetxattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)fsetxattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)fsetxattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38499.rb", + "ref": "./Red Hat 6 STIG/controls/V-38557.rb", "line": 1 }, - "id": "V-38499" + "id": "V-38557" }, { - "title": "A login banner must be displayed immediately prior to, or as part of,\ngraphical desktop environment login prompts.", - "desc": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.", + "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nodev option.", + "desc": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", "descriptions": { - "default": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers." + "default": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000024", - "gid": "V-38688", - "rid": "SV-50489r3_rule", - "stig_id": "RHEL-06-000324", - "fix_id": "F-43637r2_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-81445", + "rid": "SV-96159r1_rule", + "stig_id": "RHEL-06-000530", + "fix_id": "F-88263r1_fix", "cci": [ - "CCI-000050" + "CCI-001764" ], "nist": [ - "AC-8 b", + "CM-7 (2)", "Rev_4" ], "false_negatives": null, 
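Review bot: The new V-38557 code ends with an empty `describe.one do ... end` block, and only the two `arch=b32` rule patterns are asserted even though the fix text says 64-bit systems must also carry `arch=b64` rules; on an x86_64 host whose rules file has only b32 entries, native 64-bit `fsetxattr` calls go unaudited while the control passes. Remove the empty `describe.one` and, under `if os.arch == 'x86_64'`, add two further `describe file("/etc/audit/audit.rules")` checks that repeat the existing two patterns with `arch=b32` replaced by `arch=b64`. The `auid>=500` threshold is hard-coded in the regex; RHEL 6 defaults `UID_MIN` to 500, but a site that raised it in `/etc/login.defs` would get a false finding, so reading the threshold from a profile input would be more robust.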
@@ -5999,30 +6089,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure a login warning banner is enabled, run the following:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gdm/simple-greeter/banner_message_enable\n\nSearch for the \"banner_message_enable\" schema. If properly configured, the\n\"default\" value should be \"true\".\nIf it is not, this is a finding.", - "fix": "To enable displaying a login warning banner in the GNOME Display\nManager's login screen, run the following command:\n\n# gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool \\\n--set /apps/gdm/simple-greeter/banner_message_enable true\n\nTo display a banner, this setting must be enabled and then banner text must\nalso be set." + "check": "Verify that the \"nodev\" option is configured for /dev/shm.\n\nCheck that the operating system is configured to use the \"nodev\" option for\n/dev/shm with the following command:\n\n# cat /etc/fstab | grep /dev/shm | grep nodev\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf the \"nodev\" option is not present on the line for \"/dev/shm\", this is a\nfinding.\n\nVerify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n# mount | grep \"/dev/shm\" | grep nodev\n\nIf no results are returned, this is a finding.\n", + "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option for all\nlines containing \"/dev/shm\"." 
}, - "code": "control \"V-38688\" do\n title \"A login banner must be displayed immediately prior to, or as part of,\ngraphical desktop environment login prompts.\"\n desc \"An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000024\"\n tag \"gid\": \"V-38688\"\n tag \"rid\": \"SV-50489r3_rule\"\n tag \"stig_id\": \"RHEL-06-000324\"\n tag \"fix_id\": \"F-43637r2_fix\"\n tag \"cci\": [\"CCI-000050\"]\n tag \"nist\": [\"AC-8 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo ensure a login warning banner is enabled, run the following:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gdm/simple-greeter/banner_message_enable\n\nSearch for the \\\"banner_message_enable\\\" schema. 
If properly configured, the\n\\\"default\\\" value should be \\\"true\\\".\nIf it is not, this is a finding.\"\n tag \"fix\": \"To enable displaying a login warning banner in the GNOME Display\nManager's login screen, run the following command:\n\n# gconftool-2 --direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type bool \\\\\n--set /apps/gdm/simple-greeter/banner_message_enable true\n\nTo display a banner, this setting must be enabled and then banner text must\nalso be set.\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable\") do\n its('stdout.strip') { should eq 'true' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-81445\" do\n title \"The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nodev option.\"\n desc \"The \\\"nodev\\\" mount option causes the system to not interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000368-GPOS-00154\"\n tag \"gid\": \"V-81445\"\n tag \"rid\": \"SV-96159r1_rule\"\n tag \"stig_id\": \"RHEL-06-000530\"\n tag \"fix_id\": \"F-88263r1_fix\"\n tag \"cci\": [\"CCI-001764\"]\n tag \"nist\": [\"CM-7 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify that the \\\"nodev\\\" option is configured for /dev/shm.\n\nCheck that the operating system is configured to use the \\\"nodev\\\" option for\n/dev/shm with the following command:\n\n# cat /etc/fstab | grep /dev/shm | grep nodev\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf the \\\"nodev\\\" option is not present on the line for \\\"/dev/shm\\\", this is a\nfinding.\n\nVerify \\\"/dev/shm\\\" is mounted with the \\\"nodev\\\" option:\n\n# mount | grep \\\"/dev/shm\\\" | grep nodev\n\nIf no results are returned, this is a finding.\n\"\n tag \"fix\": \"Configure the \\\"/etc/fstab\\\" to use the \\\"nodev\\\" option for all\nlines containing \\\"/dev/shm\\\".\"\n\n describe file(\"/etc/fstab\") do\n its(\"content\") { should match(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/) }\n end\n file(\"/etc/fstab\").content.to_s.scan(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:nodev|[\\w,]+,nodev)(?:$|,[\\w,]+$)/) }\n end\n end\n describe file(\"/etc/mtab\") do\n its(\"content\") { should match(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/) 
}\n end\n file(\"/etc/mtab\").content.to_s.scan(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:nodev|[\\w,]+,nodev)(?:$|,[\\w,]+$)/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38688.rb", + "ref": "./Red Hat 6 STIG/controls/V-81445.rb", "line": 1 }, - "id": "V-38688" + "id": "V-81445" }, { - "title": "The system must set a maximum audit log file size.", - "desc": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained.", + "title": "Process core dumps must be disabled unless needed.", + "desc": "A core dump includes a memory image taken at the time the operating\nsystem terminates an application. The memory image could contain sensitive data\nand is generally useful only for developers trying to debug problems.", "descriptions": { - "default": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained." + "default": "A core dump includes a memory image taken at the time the operating\nsystem terminates an application. The memory image could contain sensitive data\nand is generally useful only for developers trying to debug problems." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38633", - "rid": "SV-50434r1_rule", - "stig_id": "RHEL-06-000160", - "fix_id": "F-43582r1_fix", + "gid": "V-38675", + "rid": "SV-50476r2_rule", + "stig_id": "RHEL-06-000308", + "fix_id": "F-43624r1_fix", "cci": [ "CCI-000366" ], 
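Review bot: The new V-81445 code verifies the live mount by regex-scraping `/etc/mtab`, which may not reflect the kernel's view if a mount was performed with `-n` or the file is otherwise stale; InSpec's `mount('/dev/shm')` resource with `its('options') { should include 'nodev' }` reads the actual mount table and would be a more direct second check alongside the `/etc/fstab` scan. The fstab pattern `^[^#\s]+[ \t]+\/dev\/shm[ \t]+...` requires an explicit, uncommented `/dev/shm` line; that is the intended outcome, but a one-line comment above the first `describe` stating that the control expects the tmpfs entry to be present in fstab (not merely mounted at boot by init scripts) would make the intent clear to the next maintainer.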
@@ -6040,35 +6130,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine how much data the system will retain in each audit log file:\n\"# grep max_log_file /etc/audit/auditd.conf\"\n\nmax_log_file = 6\n\n\nIf the system audit data threshold hasn't been properly set up, this is a\nfinding.", - "fix": "Determine the amount of audit data (in megabytes) which should be\nretained in each log file. Edit the file \"/etc/audit/auditd.conf\". Add or\nmodify the following line, substituting the correct value for [STOREMB]:\n\nmax_log_file = [STOREMB]\n\nSet the value to \"6\" (MB) or higher for general-purpose systems. Larger\nvalues, of course, support retention of even more audit data." + "check": "To verify that core dumps are disabled for all users, run the\nfollowing command:\n\n$ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nThe output should be:\n\n* hard core 0\n\nIf it is not, this is a finding. ", + "fix": "To disable core dumps for all users, add the following line to\n\"/etc/security/limits.conf\":\n\n* hard core 0" }, - "code": "control \"V-38633\" do\n title \"The system must set a maximum audit log file size.\"\n desc \"The total storage for audit log files must be large enough to retain\nlog information over the period required. 
This is a function of the maximum log\nfile size and the number of logs retained.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38633\"\n tag \"rid\": \"SV-50434r1_rule\"\n tag \"stig_id\": \"RHEL-06-000160\"\n tag \"fix_id\": \"F-43582r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine how much data the system will retain in each audit log file:\n\\\"# grep max_log_file /etc/audit/auditd.conf\\\"\n\nmax_log_file = 6\n\n\nIf the system audit data threshold hasn't been properly set up, this is a\nfinding.\"\n tag \"fix\": \"Determine the amount of audit data (in megabytes) which should be\nretained in each log file. Edit the file \\\"/etc/audit/auditd.conf\\\". Add or\nmodify the following line, substituting the correct value for [STOREMB]:\n\nmax_log_file = [STOREMB]\n\nSet the value to \\\"6\\\" (MB) or higher for general-purpose systems. Larger\nvalues, of course, support retention of even more audit data.\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^max_log_file\\s*=\\s*(\\d+)\\s*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^max_log_file\\s*=\\s*(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 6 }\n end\n end\nend\n", + "code": "control \"V-38675\" do\n title \"Process core dumps must be disabled unless needed.\"\n desc \"A core dump includes a memory image taken at the time the operating\nsystem terminates an application. 
The memory image could contain sensitive data\nand is generally useful only for developers trying to debug problems.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38675\"\n tag \"rid\": \"SV-50476r2_rule\"\n tag \"stig_id\": \"RHEL-06-000308\"\n tag \"fix_id\": \"F-43624r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that core dumps are disabled for all users, run the\nfollowing command:\n\n$ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nThe output should be:\n\n* hard core 0\n\nIf it is not, this is a finding. \"\n tag \"fix\": \"To disable core dumps for all users, add the following line to\n\\\"/etc/security/limits.conf\\\":\n\n* hard core 0\"\n\n describe limits_conf do\n its('*') { should include ['hard', 'core', '0'] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38633.rb", + "ref": "./Red Hat 6 STIG/controls/V-38675.rb", "line": 1 }, - "id": "V-38633" + "id": "V-38675" }, { - "title": "The SSH daemon must be configured with the Department of Defense (DoD)\nlogin banner.", - "desc": "The warning message reinforces policy awareness during the logon\nprocess and facilitates possible legal action against attackers. Alternatively,\nsystems whose ownership should not be obvious should ensure usage of a banner\nthat does not provide easy attribution.", + "title": "Temporary accounts must be provisioned with an expiration date.", + "desc": "When temporary accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. 
Account\nexpiration greatly reduces the risk of accounts being misused or hijacked.", "descriptions": { - "default": "The warning message reinforces policy awareness during the logon\nprocess and facilitates possible legal action against attackers. Alternatively,\nsystems whose ownership should not be obvious should ensure usage of a banner\nthat does not provide easy attribution." + "default": "When temporary accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. Account\nexpiration greatly reduces the risk of accounts being misused or hijacked." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000023", - "gid": "V-38615", - "rid": "SV-50416r1_rule", - "stig_id": "RHEL-06-000240", - "fix_id": "F-43563r1_fix", + "gtitle": "SRG-OS-000002", + "gid": "V-38685", + "rid": "SV-50486r1_rule", + "stig_id": "RHEL-06-000297", + "fix_id": "F-43634r1_fix", "cci": [ - "CCI-000048" + "CCI-000016" ], "nist": [ - "AC-8 a", + "AC-2 (2)", "Rev_4" ], "false_negatives": null, 
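Review bot: The new `describe limits_conf do its('*') { should include ['hard', 'core', '0'] } end` block inspects only `/etc/security/limits.conf`, while the check text in the same control also greps `/etc/security/limits.d/*.conf`; pam_limits processes the drop-in directory after the main file and later entries take precedence, so a `* hard core` line in a drop-in can override the `0` this test finds while the control still passes. If I read the `limits_conf` resource correctly it takes a single path, so the drop-ins would need their own `describe limits_conf('<path>')` per file (or a file-based scan) rather than the default resource. At minimum a comment such as `# NOTE: only limits.conf is inspected; entries in limits.d/*.conf are not covered` would stop readers from assuming parity with the check text. This JSON is an export of `./Red Hat 6 STIG/controls/V-38675.rb`, so the change belongs in that control and the export should be regenerated from it.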
@@ -6081,35 +6171,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine how the SSH daemon's \"Banner\" option is set, run\nthe following command:\n\n# grep -i Banner /etc/ssh/sshd_config\n\nIf a line indicating /etc/issue is returned, then the required value is set.\nIf the required value is not set, this is a finding.", - "fix": "To enable the warning banner and ensure it is consistent across\nthe system, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nBanner /etc/issue\n\nAnother section contains information on how to create an appropriate\nsystem-wide warning banner." + "check": "For every temporary account, run the following command to\nobtain its account aging and expiration information:\n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented.\nIf any temporary accounts have no expiration date set or do not expire within a\ndocumented time frame, this is a finding.", + "fix": "In the event temporary accounts are required, configure the\nsystem to terminate them after a documented time period. For every temporary\naccount, run the following command to set an expiration date on it,\nsubstituting \"[USER]\" and \"[YYYY-MM-DD]\" appropriately:\n\n# chage -E [YYYY-MM-DD] [USER]\n\n\"[YYYY-MM-DD]\" indicates the documented expiration date for the account." }, - "code": "control \"V-38615\" do\n title \"The SSH daemon must be configured with the Department of Defense (DoD)\nlogin banner.\"\n desc \"The warning message reinforces policy awareness during the logon\nprocess and facilitates possible legal action against attackers. 
Alternatively,\nsystems whose ownership should not be obvious should ensure usage of a banner\nthat does not provide easy attribution.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000023\"\n tag \"gid\": \"V-38615\"\n tag \"rid\": \"SV-50416r1_rule\"\n tag \"stig_id\": \"RHEL-06-000240\"\n tag \"fix_id\": \"F-43563r1_fix\"\n tag \"cci\": [\"CCI-000048\"]\n tag \"nist\": [\"AC-8 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"Banner\\\" option is set, run\nthe following command:\n\n# grep -i Banner /etc/ssh/sshd_config\n\nIf a line indicating /etc/issue is returned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"To enable the warning banner and ensure it is consistent across\nthe system, add or correct the following line in \\\"/etc/ssh/sshd_config\\\":\n\nBanner /etc/issue\n\nAnother section contains information on how to create an appropriate\nsystem-wide warning banner.\"\n\n describe sshd_config do\n its('Banner') { should eq '/etc/issue' }\n end\nend\n", + "code": "control \"V-38685\" do\n title \"Temporary accounts must be provisioned with an expiration date.\"\n desc \"When temporary accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. 
Account\nexpiration greatly reduces the risk of accounts being misused or hijacked.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000002\"\n tag \"gid\": \"V-38685\"\n tag \"rid\": \"SV-50486r1_rule\"\n tag \"stig_id\": \"RHEL-06-000297\"\n tag \"fix_id\": \"F-43634r1_fix\"\n tag \"cci\": [\"CCI-000016\"]\n tag \"nist\": [\"AC-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"For every temporary account, run the following command to\nobtain its account aging and expiration information:\n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented.\nIf any temporary accounts have no expiration date set or do not expire within a\ndocumented time frame, this is a finding.\"\n tag \"fix\": \"In the event temporary accounts are required, configure the\nsystem to terminate them after a documented time period. 
For every temporary\naccount, run the following command to set an expiration date on it,\nsubstituting \\\"[USER]\\\" and \\\"[YYYY-MM-DD]\\\" appropriately:\n\n# chage -E [YYYY-MM-DD] [USER]\n\n\\\"[YYYY-MM-DD]\\\" indicates the documented expiration date for the account.\"\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe \"Temporary accounts\" do\n it { should_be empty }\n end\n else\n temporary_accounts.each do |acct|\n describe shadow.users(acct) do\n its('max_days.first.to_i') { should cmp <= input('temporary_accounts_expiration_days') }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38615.rb", + "ref": "./Red Hat 6 STIG/controls/V-38685.rb", "line": 1 }, - "id": "V-38615" + "id": "V-38685" }, { - "title": "The system must rotate audit log files that reach the maximum file\nsize.", - "desc": "Automatically rotating logs (by setting this to \"rotate\") minimizes\nthe chances of the system unexpectedly running out of disk space by being\noverwhelmed with log data. However, for systems that must never discard log\ndata, or which use external processes to transfer it and reclaim space,\n\"keep_logs\" can be employed.", + "title": "The telnet-server package must not be installed.", + "desc": "Removing the \"telnet-server\" package decreases the risk of the\nunencrypted telnet service's accidental (or intentional) activation.\n\n Mitigation: If the telnet-server package is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated.", "descriptions": { - "default": "Automatically rotating logs (by setting this to \"rotate\") minimizes\nthe chances of the system unexpectedly running out of disk space by being\noverwhelmed with log data. 
However, for systems that must never discard log\ndata, or which use external processes to transfer it and reclaim space,\n\"keep_logs\" can be employed." + "default": "Removing the \"telnet-server\" package decreases the risk of the\nunencrypted telnet service's accidental (or intentional) activation.\n\n Mitigation: If the telnet-server package is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38634", - "rid": "SV-50435r2_rule", - "stig_id": "RHEL-06-000161", - "fix_id": "F-43583r1_fix", + "gtitle": "SRG-OS-000095", + "gid": "V-38587", + "rid": "SV-50388r1_rule", + "stig_id": "RHEL-06-000206", + "fix_id": "F-43535r1_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
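Review bot: The empty-input branch of the new V-38685 code, `describe "Temporary accounts" do it { should_be empty } end`, cannot pass: `should_be` is not an RSpec matcher (`should be_empty` is), and even with the right matcher the subject is the non-empty literal string rather than the input list, so a site with no temporary accounts gets an error instead of a pass; `describe temporary_accounts do it { should be_empty } end` is what the guard appears to intend. Separately, the check and fix text concern the account expiration date set with `chage -E`, but the non-empty branch asserts on `max_days`, which is the password maximum age (`chage -M`); `nil.to_i` also yields `0` for an account with no value there, so an account with no expiration at all satisfies `cmp <= …`. The assertion should be made against the shadow expiry field (the resource exposes `expiry_dates`, if I recall correctly) and should fail when that field is empty. Since this JSON is exported from `./Red Hat 6 STIG/controls/V-38685.rb`, the fix belongs in that control with the export regenerated.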
@@ -6122,35 +6212,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to rotate logs when they reach\ntheir maximum size:\n\n# grep max_log_file_action /etc/audit/auditd.conf\nmax_log_file_action = rotate\n\nIf the \"keep_logs\" option is configured for the \"max_log_file_action\" line\nin \"/etc/audit/auditd.conf\" and an alternate process is in place to ensure\naudit data does not overwhelm local audit storage, this is not a finding.\n\nIf the system has not been properly set up to rotate audit logs, this is a\nfinding.", - "fix": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action\ntaken by \"auditd\", add or correct the line in \"/etc/audit/auditd.conf\":\n\nmax_log_file_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page.\nThese include:\n\n\"ignore\"\n\"syslog\"\n\"suspend\"\n\"rotate\"\n\"keep_logs\"\n\n\nSet the \"[ACTION]\" to \"rotate\" to ensure log rotation occurs. This is the\ndefault. The setting is case-insensitive." + "check": "Run the following command to determine if the \"telnet-server\"\npackage is installed:\n\n# rpm -q telnet-server\n\n\nIf the package is installed, this is a finding.", + "fix": "The \"telnet-server\" package can be uninstalled with the\nfollowing command:\n\n# yum erase telnet-server" }, - "code": "control \"V-38634\" do\n title \"The system must rotate audit log files that reach the maximum file\nsize.\"\n desc \"Automatically rotating logs (by setting this to \\\"rotate\\\") minimizes\nthe chances of the system unexpectedly running out of disk space by being\noverwhelmed with log data. 
However, for systems that must never discard log\ndata, or which use external processes to transfer it and reclaim space,\n\\\"keep_logs\\\" can be employed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38634\"\n tag \"rid\": \"SV-50435r2_rule\"\n tag \"stig_id\": \"RHEL-06-000161\"\n tag \"fix_id\": \"F-43583r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to rotate logs when they reach\ntheir maximum size:\n\n# grep max_log_file_action /etc/audit/auditd.conf\nmax_log_file_action = rotate\n\nIf the \\\"keep_logs\\\" option is configured for the \\\"max_log_file_action\\\" line\nin \\\"/etc/audit/auditd.conf\\\" and an alternate process is in place to ensure\naudit data does not overwhelm local audit storage, this is not a finding.\n\nIf the system has not been properly set up to rotate audit logs, this is a\nfinding.\"\n tag \"fix\": \"The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action\ntaken by \\\"auditd\\\", add or correct the line in \\\"/etc/audit/auditd.conf\\\":\n\nmax_log_file_action = [ACTION]\n\nPossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page.\nThese include:\n\n\\\"ignore\\\"\n\\\"syslog\\\"\n\\\"suspend\\\"\n\\\"rotate\\\"\n\\\"keep_logs\\\"\n\n\nSet the \\\"[ACTION]\\\" to \\\"rotate\\\" to ensure log rotation occurs. This is the\ndefault. 
The setting is case-insensitive.\"\n\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('max_log_file_action.downcase') { should be_in ['rotate', 'keep_logs'] }\n end\nend\n", + "code": "control \"V-38587\" do\n title \"The telnet-server package must not be installed.\"\n desc \"Removing the \\\"telnet-server\\\" package decreases the risk of the\nunencrypted telnet service's accidental (or intentional) activation.\n\n Mitigation: If the telnet-server package is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated.\n \"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000095\"\n tag \"gid\": \"V-38587\"\n tag \"rid\": \"SV-50388r1_rule\"\n tag \"stig_id\": \"RHEL-06-000206\"\n tag \"fix_id\": \"F-43535r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"telnet-server\\\"\npackage is installed:\n\n# rpm -q telnet-server\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"telnet-server\\\" package can be uninstalled with the\nfollowing command:\n\n# yum erase telnet-server\"\n\n describe package(\"telnet-server\") do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38634.rb", + "ref": "./Red Hat 6 STIG/controls/V-38587.rb", "line": 1 }, - "id": "V-38634" + "id": "V-38587" }, { - "title": "The system must limit users to 10 simultaneous system logins, or a\nsite-defined number, in accordance with operational requirements.", - "desc": "Limiting simultaneous 
user logins can insulate the system from denial\nof service problems caused by excessive logins. Automated login processes\noperating improperly or maliciously may result in an exceptional number of\nsimultaneous login sessions.", + "title": "The system default umask for daemons must be 027 or 022.", + "desc": "The umask influences the permissions assigned to files created by a\nprocess at run time. An unnecessarily permissive umask could result in files\nbeing created with insecure permissions.", "descriptions": { - "default": "Limiting simultaneous user logins can insulate the system from denial\nof service problems caused by excessive logins. Automated login processes\noperating improperly or maliciously may result in an exceptional number of\nsimultaneous login sessions." + "default": "The umask influences the permissions assigned to files created by a\nprocess at run time. An unnecessarily permissive umask could result in files\nbeing created with insecure permissions." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000027", - "gid": "V-38684", - "rid": "SV-50485r2_rule", - "stig_id": "RHEL-06-000319", - "fix_id": "F-43633r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38642", + "rid": "SV-50443r1_rule", + "stig_id": "RHEL-06-000346", + "fix_id": "F-43592r1_fix", "cci": [ - "CCI-000054" + "CCI-000366" ], "nist": [ - "AC-10", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -6163,35 +6253,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to ensure the \"maxlogins\" value is\nconfigured for all users on the system:\n\n$ grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nYou should receive output similar to the following:\n\n* hard maxlogins 10\n\nIf it is not similar, this is a finding. ", - "fix": "Limiting the number of allowed users and sessions per user can\nlimit risks related to denial of service attacks. This addresses concurrent\nsessions for a single account and does not address concurrent sessions by a\nsingle user via multiple accounts. To set the number of concurrent sessions per\nuser add the following line in \"/etc/security/limits.conf\":\n\n* hard maxlogins 10\n\nA documented site-defined number may be substituted for 10 in the above." + "check": "To check the value of the \"umask\", run the following command:\n\n$ grep umask /etc/init.d/functions\n\nThe output should show either \"022\" or \"027\".\nIf it does not, this is a finding.", + "fix": "The file \"/etc/init.d/functions\" includes initialization\nparameters for most or all daemons started at boot time. The default umask of\n022 prevents creation of group- or world-writable files. To set the default\numask for daemons, edit the following line, inserting 022 or 027 for [UMASK]\nappropriately:\n\numask [UMASK]\n\nSetting the umask to too restrictive a setting can cause serious errors at\nruntime. Many daemons on the system already individually restrict themselves to\na umask of 077 in their own init scripts." }, - "code": "control \"V-38684\" do\n title \"The system must limit users to 10 simultaneous system logins, or a\nsite-defined number, in accordance with operational requirements.\"\n desc \"Limiting simultaneous user logins can insulate the system from denial\nof service problems caused by excessive logins. 
Automated login processes\noperating improperly or maliciously may result in an exceptional number of\nsimultaneous login sessions.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000027\"\n tag \"gid\": \"V-38684\"\n tag \"rid\": \"SV-50485r2_rule\"\n tag \"stig_id\": \"RHEL-06-000319\"\n tag \"fix_id\": \"F-43633r1_fix\"\n tag \"cci\": [\"CCI-000054\"]\n tag \"nist\": [\"AC-10\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to ensure the \\\"maxlogins\\\" value is\nconfigured for all users on the system:\n\n$ grep \\\"maxlogins\\\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nYou should receive output similar to the following:\n\n* hard maxlogins 10\n\nIf it is not similar, this is a finding. \"\n tag \"fix\": \"Limiting the number of allowed users and sessions per user can\nlimit risks related to denial of service attacks. This addresses concurrent\nsessions for a single account and does not address concurrent sessions by a\nsingle user via multiple accounts. To set the number of concurrent sessions per\nuser add the following line in \\\"/etc/security/limits.conf\\\":\n\n* hard maxlogins 10\n\nA documented site-defined number may be substituted for 10 in the above.\"\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", + "code": "control \"V-38642\" do\n title \"The system default umask for daemons must be 027 or 022.\"\n desc \"The umask influences the permissions assigned to files created by a\nprocess at run time. 
An unnecessarily permissive umask could result in files\nbeing created with insecure permissions.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38642\"\n tag \"rid\": \"SV-50443r1_rule\"\n tag \"stig_id\": \"RHEL-06-000346\"\n tag \"fix_id\": \"F-43592r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the value of the \\\"umask\\\", run the following command:\n\n$ grep umask /etc/init.d/functions\n\nThe output should show either \\\"022\\\" or \\\"027\\\".\nIf it does not, this is a finding.\"\n tag \"fix\": \"The file \\\"/etc/init.d/functions\\\" includes initialization\nparameters for most or all daemons started at boot time. The default umask of\n022 prevents creation of group- or world-writable files. To set the default\numask for daemons, edit the following line, inserting 022 or 027 for [UMASK]\nappropriately:\n\numask [UMASK]\n\nSetting the umask to too restrictive a setting can cause serious errors at\nruntime. 
Many daemons on the system already individually restrict themselves to\na umask of 077 in their own init scripts.\"\n\n describe file(\"/etc/rc.d/init.d/functions\") do\n its(\"content\") { should match(/^\\s*umask\\s+([^#\\s]*)/) }\n end\n file(\"/etc/rc.d/init.d/functions\").content.to_s.scan(/^\\s*umask\\s+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should match(/^0?(022|027)$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38684.rb", + "ref": "./Red Hat 6 STIG/controls/V-38642.rb", "line": 1 }, - "id": "V-38684" + "id": "V-38642" }, { - "title": "The operating system must detect unauthorized changes to software and\ninformation. ", - "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", + "title": "The SSH daemon must be configured to use only FIPS 140-2 approved\nciphers.", + "desc": "Approved algorithms should impart some level of confidence in their\nimplementation. These are also required for compliance.", "descriptions": { - "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." + "default": "Approved algorithms should impart some level of confidence in their\nimplementation. These are also required for compliance." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000202", - "gid": "V-38670", - "rid": "SV-50471r2_rule", - "stig_id": "RHEL-06-000306", - "fix_id": "F-43619r1_fix", + "gtitle": "SRG-OS-000169", + "gid": "V-38617", + "rid": "SV-50418r1_rule", + "stig_id": "RHEL-06-000243", + "fix_id": "F-43566r1_fix", "cci": [ - "CCI-001297" + "CCI-001144" ], "nist": [ - "SI-7", + "SC-13", "Rev_4" ], "false_negatives": null, 
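Review bot: The new V-38642 code reads `/etc/rc.d/init.d/functions` while the check and fix text in the same control name `/etc/init.d/functions`; on RHEL 6 the former is the target of the `/etc/init.d` symlink so both resolve to the same file, but the discrepancy is undocumented and will confuse anyone comparing the check text against the code. A one-line comment above the first `describe`, `# /etc/init.d is a symlink to /etc/rc.d/init.d on RHEL 6; the canonical path is used here`, would settle it. Note also that the `scan` asserts every `umask` line in the file matches `^0?(022|027)$`, not only the daemon default — presumably fine for the stock file, but worth stating in the same comment in case a helper function in that script legitimately sets a stricter umask.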
@@ -6204,76 +6294,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", - "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." + "check": "Only FIPS-approved ciphers should be used. To verify that only\nFIPS-approved ciphers are in use, run the following command:\n\n# grep Ciphers /etc/ssh/sshd_config\n\nThe output should contain only those ciphers which are FIPS-approved, namely,\nthe AES and 3DES ciphers.\nIf that is not the case, this is a finding.", + "fix": "Limit the ciphers to those algorithms which are FIPS-approved.\nCounter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The\nfollowing line in \"/etc/ssh/sshd_config\" demonstrates use of FIPS-approved\nciphers:\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n\nThe man page \"sshd_config(5)\" contains a list of supported ciphers." }, - "code": "control \"V-38670\" do\n title \"The operating system must detect unauthorized changes to software and\ninformation. 
\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000202\"\n tag \"gid\": \"V-38670\"\n tag \"rid\": \"SV-50471r2_rule\"\n tag \"stig_id\": \"RHEL-06-000306\"\n tag \"fix_id\": \"F-43619r1_fix\"\n tag \"cci\": [\"CCI-001297\"]\n tag \"nist\": [\"SI-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", + "code": "control \"V-38617\" do\n title \"The SSH daemon must be configured to use only FIPS 140-2 approved\nciphers.\"\n desc \"Approved algorithms should impart some level of confidence in their\nimplementation. 
These are also required for compliance.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000169\"\n tag \"gid\": \"V-38617\"\n tag \"rid\": \"SV-50418r1_rule\"\n tag \"stig_id\": \"RHEL-06-000243\"\n tag \"fix_id\": \"F-43566r1_fix\"\n tag \"cci\": [\"CCI-001144\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Only FIPS-approved ciphers should be used. To verify that only\nFIPS-approved ciphers are in use, run the following command:\n\n# grep Ciphers /etc/ssh/sshd_config\n\nThe output should contain only those ciphers which are FIPS-approved, namely,\nthe AES and 3DES ciphers.\nIf that is not the case, this is a finding.\"\n tag \"fix\": \"Limit the ciphers to those algorithms which are FIPS-approved.\nCounter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The\nfollowing line in \\\"/etc/ssh/sshd_config\\\" demonstrates use of FIPS-approved\nciphers:\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n\nThe man page \\\"sshd_config(5)\\\" contains a list of supported ciphers.\"\n\n describe sshd_config do\n its('Ciphers') { should_not be_nil }\n end\n\n ciphers = sshd_config.params['ciphers']\n if !ciphers.nil? 
\n describe 'sshd_config Ciphers' do\n subject { sshd_config.params['ciphers'].join(',').split(',') }\n it { should all match %r{aes|3des} }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38670.rb", + "ref": "./Red Hat 6 STIG/controls/V-38617.rb", "line": 1 }, - "id": "V-38670" + "id": "V-38617" }, { - "title": "The xorg-x11-server-common (X Windows) package must not be installed,\nunless required.", - "desc": "Unnecessary packages should not be installed to decrease the attack\nsurface of the system.", + "title": "The FTP daemon must be configured for logging or verbose mode.", + "desc": "To trace malicious activity facilitated by the FTP service, it must be\nconfigured to ensure that all commands sent to the ftp server are logged using\nthe verbose vsftpd log format. The default vsftpd log file is\n/var/log/vsftpd.log.", "descriptions": { - "default": "Unnecessary packages should not be installed to decrease the attack\nsurface of the system." + "default": "To trace malicious activity facilitated by the FTP service, it must be\nconfigured to ensure that all commands sent to the ftp server are logged using\nthe verbose vsftpd log format. The default vsftpd log file is\n/var/log/vsftpd.log." 
}, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38676", - "rid": "SV-50477r2_rule", - "stig_id": "RHEL-06-000291", - "fix_id": "F-43625r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", - "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null, - "check": "To ensure the X Windows package group is removed, run the\nfollowing command:\n\n$ rpm -qi xorg-x11-server-common\n\nThe output should be:\n\npackage xorg-x11-server-common is not installed\n\n\nIf it is not, this is a finding.", - "fix": "Removing all packages which constitute the X Window System\nensures users or malicious software cannot start X. To do so, run the following\ncommand:\n\n# yum groupremove \"X Window System\"" - }, - "code": "control \"V-38676\" do\n title \"The xorg-x11-server-common (X Windows) package must not be installed,\nunless required.\"\n desc \"Unnecessary packages should not be installed to decrease the attack\nsurface of the system.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38676\"\n tag \"rid\": \"SV-50477r2_rule\"\n tag \"stig_id\": \"RHEL-06-000291\"\n tag \"fix_id\": \"F-43625r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the X Windows package group is removed, run the\nfollowing command:\n\n$ rpm -qi xorg-x11-server-common\n\nThe output should be:\n\npackage xorg-x11-server-common is not 
installed\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"Removing all packages which constitute the X Window System\nensures users or malicious software cannot start X. To do so, run the following\ncommand:\n\n# yum groupremove \\\"X Window System\\\"\"\n\n describe package(\"xorg-x11-server-common\") do\n it { should_not be_installed }\n end\nend\n", - "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38676.rb", - "line": 1 - }, - "id": "V-38676" - }, - { - "title": "The system must provide automated support for account management\nfunctions.", - "desc": "A comprehensive account management process that includes automation\nhelps to ensure the accounts designated as requiring attention are consistently\nand promptly addressed. Enterprise environments make user account management\nchallenging and complex. A user management process requiring administrators to\nmanually address account management functions adds risk of potential oversight.", - "descriptions": { - "default": "A comprehensive account management process that includes automation\nhelps to ensure the accounts designated as requiring attention are consistently\nand promptly addressed. Enterprise environments make user account management\nchallenging and complex. A user management process requiring administrators to\nmanually address account management functions adds risk of potential oversight." - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000001", - "gid": "V-38439", - "rid": "SV-50239r1_rule", - "stig_id": "RHEL-06-000524", - "fix_id": "F-43384r1_fix", + "gtitle": "SRG-OS-000037", + "gid": "V-38702", + "rid": "SV-50503r1_rule", + "stig_id": "RHEL-06-000339", + "fix_id": "F-43651r1_fix", "cci": [ - "CCI-000015" + "CCI-000130" ], "nist": [ - "AC-2 (1)", + "AU-3", "Rev_4" ], "false_negatives": null, 
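Review bot: In the new V-38617 `code` string the guard assigns `ciphers = sshd_config.params['ciphers']` but the `subject` block re-reads `sshd_config.params['ciphers']` instead of using the local, and the first `describe` keys on `'Ciphers'` while the rest key on `'ciphers'`; whether both spellings resolve depends on the InSpec `sshd_config` resource normalising key case, which nothing in this hunk shows, so `subject { ciphers.join(',').split(',') }` with a single spelling removes that dependency. The `should all match %r{aes|3des}` test is an unanchored substring match, so it accepts any token containing `aes` or `3des`; if the intent is the list the fix text enumerates, an anchored alternation such as `/\A(aes(128|192|256)-(ctr|cbc)|3des-cbc)\z/` pins it. Both the removed and the added controls in this hunk carry `./Red Hat 6 STIG/controls/...` source refs inside a file named for the Ubuntu 16.04 baseline, and the hunk swaps whole controls rather than editing them in place, which presumably reflects a regenerated export with a changed control order — worth confirming, and emitting controls sorted by `id` would keep future diffs reviewable. The V-38617 object begins in the preceding hunk and the V-38702 object that opens here closes in the next one.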
@@ -6286,15 +6335,15 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Interview the SA to determine if there is an automated system\nfor managing user accounts, preferably integrated with an existing enterprise\nuser management system.\n\nIf there is not, this is a finding.", - "fix": "Implement an automated system for managing user accounts that\nminimizes the risk of errors, either intentional or deliberate. If possible,\nthis system should integrate with an existing enterprise user management\nsystem, such as, one based Active Directory or Kerberos." + "check": "Find if logging is applied to the ftp daemon.\n\nProcedures:\n\nIf vsftpd is started by xinetd the following command will indicate the xinetd.d\nstartup file.\n\n# grep vsftpd /etc/xinetd.d/*\n\n\n\n# grep server_args [vsftpd xinetd.d startup file]\n\nThis will indicate the vsftpd config file used when starting through xinetd. If\nthe [server_args]line is missing or does not include the vsftpd configuration\nfile, then the default config file (/etc/vsftpd/vsftpd.conf) is used.\n\n# grep xferlog_enable [vsftpd config file]\n\n\nIf xferlog_enable is missing, or is not set to yes, this is a finding.", + "fix": "Add or correct the following configuration options within the\n\"vsftpd\" configuration file, located at \"/etc/vsftpd/vsftpd.conf\".\n\nxferlog_enable=YES\nxferlog_std_format=NO\nlog_ftp_protocol=YES" }, - "code": "control \"V-38439\" do\n title \"The system must provide automated support for account management\nfunctions.\"\n desc \"A comprehensive account management process that includes automation\nhelps to ensure the accounts designated as requiring attention are consistently\nand promptly addressed. Enterprise environments make user account management\nchallenging and complex. 
A user management process requiring administrators to\nmanually address account management functions adds risk of potential oversight.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000001\"\n tag \"gid\": \"V-38439\"\n tag \"rid\": \"SV-50239r1_rule\"\n tag \"stig_id\": \"RHEL-06-000524\"\n tag \"fix_id\": \"F-43384r1_fix\"\n tag \"cci\": [\"CCI-000015\"]\n tag \"nist\": [\"AC-2 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Interview the SA to determine if there is an automated system\nfor managing user accounts, preferably integrated with an existing enterprise\nuser management system.\n\nIf there is not, this is a finding.\"\n tag \"fix\": \"Implement an automated system for managing user accounts that\nminimizes the risk of errors, either intentional or deliberate. If possible,\nthis system should integrate with an existing enterprise user management\nsystem, such as, one based Active Directory or Kerberos.\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38702\" do\n title \"The FTP daemon must be configured for logging or verbose mode.\"\n desc \"To trace malicious activity facilitated by the FTP service, it must be\nconfigured to ensure that all commands sent to the ftp server are logged using\nthe verbose vsftpd log format. 
The default vsftpd log file is\n/var/log/vsftpd.log.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000037\"\n tag \"gid\": \"V-38702\"\n tag \"rid\": \"SV-50503r1_rule\"\n tag \"stig_id\": \"RHEL-06-000339\"\n tag \"fix_id\": \"F-43651r1_fix\"\n tag \"cci\": [\"CCI-000130\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Find if logging is applied to the ftp daemon.\n\nProcedures:\n\nIf vsftpd is started by xinetd the following command will indicate the xinetd.d\nstartup file.\n\n# grep vsftpd /etc/xinetd.d/*\n\n\n\n# grep server_args [vsftpd xinetd.d startup file]\n\nThis will indicate the vsftpd config file used when starting through xinetd. If\nthe [server_args]line is missing or does not include the vsftpd configuration\nfile, then the default config file (/etc/vsftpd/vsftpd.conf) is used.\n\n# grep xferlog_enable [vsftpd config file]\n\n\nIf xferlog_enable is missing, or is not set to yes, this is a finding.\"\n tag \"fix\": \"Add or correct the following configuration options within the\n\\\"vsftpd\\\" configuration file, located at \\\"/etc/vsftpd/vsftpd.conf\\\".\n\nxferlog_enable=YES\nxferlog_std_format=NO\nlog_ftp_protocol=YES\"\n\n describe parse_config_file('/etc/vsftpd/vsftpd.conf') do\n its('xferlog_enable') { should eq 'YES' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38439.rb", + "ref": "./Red Hat 6 STIG/controls/V-38702.rb", "line": 1 }, - "id": "V-38439" + "id": "V-38702" }, { "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe noexec option.", 
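Review bot: The new V-38702 `code` string only asserts `its('xferlog_enable') { should eq 'YES' }` against `/etc/vsftpd/vsftpd.conf`, while the fix text in the same hunk requires three settings (`xferlog_enable=YES`, `xferlog_std_format=NO`, `log_ftp_protocol=YES`), so two of them are never verified. The exact `eq 'YES'` also rejects a lowercase `yes`, which the check text itself treats as compliant; `its('xferlog_enable') { should match(/\Ayes\z/i) }` is the closer test, and the same form covers the other two keys. On a host without vsftpd the config file is absent and `parse_config_file` presumably has nothing to parse, so the control would report an error rather than a not-applicable result; the V-38701 control later in this diff handles that with a `describe.one` whose first branch is `package(...) should_not be_installed`, and the same shape (`package('vsftpd')`) fits here. The V-38702 object begins in the preceding hunk.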
@@ -6338,24 +6387,24 @@ "id": "V-81449" }, { - "title": "The operating system must automatically audit account modification.", - "desc": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.", + "title": "The audit system must be configured to audit failed attempts to access\nfiles and programs.", + "desc": "Unsuccessful attempts to access files could be an indicator of\nmalicious activity on a system. Auditing these events could serve as evidence\nof potential system compromise.", "descriptions": { - "default": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy." + "default": "Unsuccessful attempts to access files could be an indicator of\nmalicious activity on a system. Auditing these events could serve as evidence\nof potential system compromise." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000239", - "gid": "V-38534", - "rid": "SV-50335r2_rule", - "stig_id": "RHEL-06-000175", - "fix_id": "F-43482r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38566", + "rid": "SV-50367r2_rule", + "stig_id": "RHEL-06-000197", + "fix_id": "F-43514r2_fix", "cci": [ - "CCI-001403" + "CCI-000172" ], "nist": [ - "AC-2 (4)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
@@ -6368,30 +6417,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \"-p wa\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.", - "fix": "Add the following to \"/etc/audit/audit.rules\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes" + "check": "To verify that the audit system collects unauthorized file\naccesses, run the following commands:\n\n# grep EACCES /etc/audit/audit.rules\n\n\n\n# grep EPERM /etc/audit/audit.rules\n\n\nIf either command lacks output, this is a finding.", + "fix": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate\nfor your system:\n\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\n-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\n-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\n-S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\n-S ftruncate -F exit=-EPERM -F auid=0 -k access" }, - "code": "control \"V-38534\" do\n title \"The operating system must automatically audit account modification.\"\n desc \"In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000239\"\n tag \"gid\": \"V-38534\"\n tag \"rid\": \"SV-50335r2_rule\"\n tag \"stig_id\": \"RHEL-06-000175\"\n tag \"fix_id\": \"F-43482r1_fix\"\n tag \"cci\": [\"CCI-001403\"]\n tag \"nist\": [\"AC-2 (4)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \\\"-p wa\\\" for each).\n\nIf the system is not configured to audit 
account changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\nend\n", + "code": "control \"V-38566\" do\n title \"The audit system must be configured to audit failed attempts to access\nfiles and programs.\"\n desc \"Unsuccessful attempts to access files could be an indicator of\nmalicious activity on a system. 
Auditing these events could serve as evidence\nof potential system compromise.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38566\"\n tag \"rid\": \"SV-50367r2_rule\"\n tag \"stig_id\": \"RHEL-06-000197\"\n tag \"fix_id\": \"F-43514r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that the audit system collects unauthorized file\naccesses, run the following commands:\n\n# grep EACCES /etc/audit/audit.rules\n\n\n\n# grep EPERM /etc/audit/audit.rules\n\n\nIf either command lacks output, this is a finding.\"\n tag \"fix\": \"At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\", setting ARCH to either b32 or b64 as appropriate\nfor your system:\n\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\\\n-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\\\n-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\\\n-S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\\\\n-S ftruncate -F exit=-EPERM -F auid=0 -k access\"\n\n describe command(\"grep EACCES /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not eq '' }\n end\n\n describe command(\"grep EPERM /etc/audit/audit.rules\") do\n its('stdout.strip') { should_not eq '' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38534.rb", + "ref": "./Red Hat 6 STIG/controls/V-38566.rb", "line": 1 }, - "id": "V-38534" + "id": "V-38566" }, { - "title": "The system default umask for the bash shell must be 077.", - "desc": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.", + "title": "The TFTP daemon must operate in secure mode which provides access only\nto a single directory on the host file system.", + "desc": "Using the \"-s\" option causes the TFTP service to only serve files\nfrom the given directory. Serving files from an intentionally specified\ndirectory reduces the risk of sharing files which should remain private.", "descriptions": { - "default": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users." 
+ "default": "Using the \"-s\" option causes the TFTP service to only serve files\nfrom the given directory. Serving files from an intentionally specified\ndirectory reduces the risk of sharing files which should remain private." }, - "impact": 0.3, + "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38651", - "rid": "SV-50452r1_rule", - "stig_id": "RHEL-06-000342", - "fix_id": "F-43600r1_fix", + "gid": "V-38701", + "rid": "SV-50502r1_rule", + "stig_id": "RHEL-06-000338", + "fix_id": "F-43650r1_fix", "cci": [ "CCI-000366" ], 
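Review bot: The new V-38566 `code` string checks the rules with `command("grep EACCES /etc/audit/audit.rules")` / `grep EPERM` and `should_not eq ''`, which is satisfied by a commented-out rule and by any line that merely contains the string, so a host whose rules are disabled still passes. It also never checks what the fix text in this hunk requires — `-a always,exit`, the syscall list, and both the `auid>=500`/`auid!=4294967295` and `auid=0` variants — so one partial rule satisfies both greps. The removed V-38534 code used `file(...).content` with a `^`-anchored regex per expected rule; the same pattern applies here, e.g. `its('content') { should match(/^\s*-a\s+always,exit\b.*-F\s+exit=-EACCES\b.*-F\s+auid=0\b/) }` with one assertion per required variant. The V-38566 object begins in the preceding hunk and the V-38701 object that opens here closes in the next one.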
@@ -6409,35 +6458,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify the \"umask\" setting is configured correctly in the\n\"/etc/bashrc\" file by running the following command:\n\n# grep \"umask\" /etc/bashrc\n\nAll output must show the value of \"umask\" set to 077, as shown below:\n\n# grep \"umask\" /etc/bashrc\numask 077\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.", - "fix": "To ensure the default umask for users of the Bash shell is set\nproperly, add or correct the \"umask\" setting in \"/etc/bashrc\" to read as\nfollows:\n\numask 077" + "check": "Verify \"tftp\" is configured by with the \"-s\" option by\nrunning the following command:\n\ngrep \"server_args\" /etc/xinetd.d/tftp\n\nThe output should indicate the \"server_args\" variable is configured with the\n\"-s\" flag, matching the example below:\n\n# grep \"server_args\" /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf it does not, this is a finding.", + "fix": "If running the \"tftp\" service is necessary, it should be\nconfigured to change its root directory at startup. To do so, ensure\n\"/etc/xinetd.d/tftp\" includes \"-s\" as a command line argument, as shown in\nthe following example (which is also the default):\n\nserver_args = -s /var/lib/tftpboot" }, - "code": "control \"V-38651\" do\n title \"The system default umask for the bash shell must be 077.\"\n desc \"The umask value influences the permissions assigned to files when they\nare created. 
A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38651\"\n tag \"rid\": \"SV-50452r1_rule\"\n tag \"stig_id\": \"RHEL-06-000342\"\n tag \"fix_id\": \"F-43600r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the \\\"umask\\\" setting is configured correctly in the\n\\\"/etc/bashrc\\\" file by running the following command:\n\n# grep \\\"umask\\\" /etc/bashrc\n\nAll output must show the value of \\\"umask\\\" set to 077, as shown below:\n\n# grep \\\"umask\\\" /etc/bashrc\numask 077\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.\"\n tag \"fix\": \"To ensure the default umask for users of the Bash shell is set\nproperly, add or correct the \\\"umask\\\" setting in \\\"/etc/bashrc\\\" to read as\nfollows:\n\numask 077\"\n\n describe file(\"/etc/bashrc\") do\n its(\"content\") { should match(/^[\\s]*umask[\\s]+([^#\\s]*)/) }\n end\n file(\"/etc/bashrc\").content.to_s.scan(/^[\\s]*umask[\\s]+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"077\" }\n end\n end\nend\n", + "code": "control \"V-38701\" do\n title \"The TFTP daemon must operate in secure mode which provides access only\nto a single directory on the host file system.\"\n desc \"Using the \\\"-s\\\" option causes the TFTP service to only serve files\nfrom the given directory. 
Serving files from an intentionally specified\ndirectory reduces the risk of sharing files which should remain private.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38701\"\n tag \"rid\": \"SV-50502r1_rule\"\n tag \"stig_id\": \"RHEL-06-000338\"\n tag \"fix_id\": \"F-43650r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify \\\"tftp\\\" is configured by with the \\\"-s\\\" option by\nrunning the following command:\n\ngrep \\\"server_args\\\" /etc/xinetd.d/tftp\n\nThe output should indicate the \\\"server_args\\\" variable is configured with the\n\\\"-s\\\" flag, matching the example below:\n\n# grep \\\"server_args\\\" /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"If running the \\\"tftp\\\" service is necessary, it should be\nconfigured to change its root directory at startup. 
To do so, ensure\n\\\"/etc/xinetd.d/tftp\\\" includes \\\"-s\\\" as a command line argument, as shown in\nthe following example (which is also the default):\n\nserver_args = -s /var/lib/tftpboot\"\n\n describe.one do\n describe package(\"tftp-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/tftp\") do\n its(\"content\") { should match(/^[\\s]*server_args[\\s]+=[\\s]+\\-s[\\s]+.+$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38651.rb", + "ref": "./Red Hat 6 STIG/controls/V-38701.rb", "line": 1 }, - "id": "V-38651" + "id": "V-38701" }, { - "title": "Accounts must be locked upon 35 days of inactivity.", - "desc": "Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials.", + "title": "The audit system must alert designated staff members when the audit\nstorage volume approaches capacity.", + "desc": "Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption.", "descriptions": { - "default": "Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials." + "default": "Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "GEN006660", - "gid": "V-38692", - "rid": "SV-50493r1_rule", - "stig_id": "RHEL-06-000334", - "fix_id": "F-43641r2_fix", + "gtitle": "SRG-OS-000045", + "gid": "V-38470", + "rid": "SV-50270r2_rule", + "stig_id": "RHEL-06-000005", + "fix_id": "F-43415r2_fix", "cci": [ - "CCI-000017" + "CCI-000138" ], "nist": [ - "AC-2 (3)", + "AU-4", "Rev_4" ], "false_negatives": null, 
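Review bot: The new V-38701 `code` string matches `server_args` with `/^[\s]*server_args[\s]+=[\s]+\-s[\s]+.+$/`, which only accepts `-s` as the very first argument; a line such as `server_args = -u tftp -s /var/lib/tftpboot` fails the check even though the fix text only asks that `-s` be present among the arguments. A pattern that finds the flag anywhere in the value, e.g. `its("content") { should match(/^\s*server_args\s*=\s*(?:.*\s)?-s\s+\S+/) }`, follows the fix text. The `describe.one` branches also leave the case where `tftp-server` is installed but `/etc/xinetd.d/tftp` is absent, where the file branch presumably fails on the missing file rather than on the setting, so the reported reason may mislead; a `file(...) should exist` assertion inside that branch makes the failure explicit. The V-38701 object begins in the preceding hunk and the V-38470 object that opens here continues in the next one.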
@@ -6450,35 +6499,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the \"INACTIVE\" setting, run the following command:\n\ngrep \"INACTIVE\" /etc/default/useradd\n\nThe output should indicate the \"INACTIVE\" configuration option is set to an\nappropriate integer as shown in the example below:\n\n# grep \"INACTIVE\" /etc/default/useradd\nINACTIVE=35\n\nIf it does not, this is a finding.", - "fix": "To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following lines in \"/etc/default/useradd\", substituting \"[NUM_DAYS]\"\nappropriately:\n\nINACTIVE=[NUM_DAYS]\n\nA value of 35 is recommended. If a password is currently on the verge of\nexpiration, then 35 days remain until the account is automatically disabled.\nHowever, if the password will not expire for another 60 days, then 95 days\ncould elapse until the account would be automatically disabled. See the\n\"useradd\" man page for more information. Determining the inactivity timeout\nmust be done with careful consideration of the length of a \"normal\" period of\ninactivity for users in the particular environment. Setting the timeout too low\nincurs support costs and also has the potential to impact availability of the\nsystem to legitimate users." + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to email the administrator when\ndisk space is starting to run low:\n\n# grep space_left_action /etc/audit/auditd.conf\nspace_left_action = email\n\n\nIf the system is not configured to send an email to the system administrator\nwhen disk space is starting to run low, this is a finding. 
The \"syslog\"\noption is acceptable when it can be demonstrated that the local log management\ninfrastructure notifies an appropriate administrator in a timely manner.", + "fix": "The \"auditd\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify\nthe following line, substituting [ACTION] appropriately:\n\nspace_left_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page.\nThese include:\n\n\"ignore\"\n\"syslog\"\n\"email\"\n\"exec\"\n\"suspend\"\n\"single\"\n\"halt\"\n\n\nSet this to \"email\" (instead of the default, which is \"suspend\") as it is\nmore likely to get prompt attention. The \"syslog\" option is acceptable,\nprovided the local log management infrastructure notifies an appropriate\nadministrator in a timely manner.\n\nRHEL-06-000521 ensures that the email generated through the operation\n\"space_left_action\" will be sent to an administrator." }, - "code": "control \"V-38692\" do\n title \"Accounts must be locked upon 35 days of inactivity.\"\n desc \"Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials.\"\n impact 0.3\n tag \"gtitle\": \"GEN006660\"\n tag \"gid\": \"V-38692\"\n tag \"rid\": \"SV-50493r1_rule\"\n tag \"stig_id\": \"RHEL-06-000334\"\n tag \"fix_id\": \"F-43641r2_fix\"\n tag \"cci\": [\"CCI-000017\"]\n tag \"nist\": [\"AC-2 (3)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"INACTIVE\\\" setting, run the following command:\n\ngrep \\\"INACTIVE\\\" /etc/default/useradd\n\nThe output 
should indicate the \\\"INACTIVE\\\" configuration option is set to an\nappropriate integer as shown in the example below:\n\n# grep \\\"INACTIVE\\\" /etc/default/useradd\nINACTIVE=35\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following lines in \\\"/etc/default/useradd\\\", substituting \\\"[NUM_DAYS]\\\"\nappropriately:\n\nINACTIVE=[NUM_DAYS]\n\nA value of 35 is recommended. If a password is currently on the verge of\nexpiration, then 35 days remain until the account is automatically disabled.\nHowever, if the password will not expire for another 60 days, then 95 days\ncould elapse until the account would be automatically disabled. See the\n\\\"useradd\\\" man page for more information. Determining the inactivity timeout\nmust be done with careful consideration of the length of a \\\"normal\\\" period of\ninactivity for users in the particular environment. 
Setting the timeout too low\nincurs support costs and also has the potential to impact availability of the\nsystem to legitimate users.\"\n\n describe parse_config_file(\"/etc/default/useradd\") do\n its('INACTIVE') { should cmp <= input('days_of_inactivity') }\n its('INACTIVE') { should cmp >= 0 }\n end\nend\n", + "code": "control \"V-38470\" do\n title \"The audit system must alert designated staff members when the audit\nstorage volume approaches capacity.\"\n desc \"Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000045\"\n tag \"gid\": \"V-38470\"\n tag \"rid\": \"SV-50270r2_rule\"\n tag \"stig_id\": \"RHEL-06-000005\"\n tag \"fix_id\": \"F-43415r2_fix\"\n tag \"cci\": [\"CCI-000138\"]\n tag \"nist\": [\"AU-4\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to email the administrator when\ndisk space is starting to run low:\n\n# grep space_left_action /etc/audit/auditd.conf\nspace_left_action = email\n\n\nIf the system is not configured to send an email to the system administrator\nwhen disk space is starting to run low, this is a finding. The \\\"syslog\\\"\noption is acceptable when it can be demonstrated that the local log management\ninfrastructure notifies an appropriate administrator in a timely manner.\"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \\\"/etc/audit/auditd.conf\\\". 
Modify\nthe following line, substituting [ACTION] appropriately:\n\nspace_left_action = [ACTION]\n\nPossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page.\nThese include:\n\n\\\"ignore\\\"\n\\\"syslog\\\"\n\\\"email\\\"\n\\\"exec\\\"\n\\\"suspend\\\"\n\\\"single\\\"\n\\\"halt\\\"\n\n\nSet this to \\\"email\\\" (instead of the default, which is \\\"suspend\\\") as it is\nmore likely to get prompt attention. The \\\"syslog\\\" option is acceptable,\nprovided the local log management infrastructure notifies an appropriate\nadministrator in a timely manner.\n\nRHEL-06-000521 ensures that the email generated through the operation\n\\\"space_left_action\\\" will be sent to an administrator.\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^[ ]*space_left_action[ ]+=[ ]+(\\S+)[ ]*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^[ ]*space_left_action[ ]+=[ ]+(\\S+)[ ]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp \"email\" }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38692.rb", + "ref": "./Red Hat 6 STIG/controls/V-38470.rb", "line": 1 }, - "id": "V-38692" + "id": "V-38470" }, { - "title": "The SSH daemon must set a timeout interval on idle sessions.", - "desc": "Causing idle users to be automatically logged out guards against\ncompromises one system leading trivially to compromises on another.", + "title": "The NFS server must not have the all_squash option enabled.", + "desc": "The \"all_squash\" option maps all client requests to a single\nanonymous uid/gid on the NFS server, negating the ability to track file access\nby user ID.", "descriptions": { - "default": "Causing idle users to be automatically logged out guards against\ncompromises one system leading trivially to compromises on another." 
+ "default": "The \"all_squash\" option maps all client requests to a single\nanonymous uid/gid on the NFS server, negating the ability to track file access\nby user ID." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000163", - "gid": "V-38608", - "rid": "SV-50409r1_rule", - "stig_id": "RHEL-06-000230", - "fix_id": "F-43556r1_fix", + "gtitle": "SRG-OS-000104", + "gid": "V-38460", + "rid": "SV-50260r1_rule", + "stig_id": "RHEL-06-000515", + "fix_id": "F-43405r1_fix", "cci": [ - "CCI-001133" + "CCI-000764" ], "nist": [ - "SC-10", + "IA-2", "Rev_4" ], "false_negatives": null, 
@@ -6491,35 +6540,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to see what the timeout interval is:\n\n# grep ClientAliveInterval /etc/ssh/sshd_config\n\nIf properly configured, the output should be:\n\nClientAliveInterval 900\n\n\nIf it is not, this is a finding.", - "fix": "SSH allows administrators to set an idle timeout interval. After\nthis interval has passed, the idle user will be automatically logged out.\n\nTo set an idle timeout interval, edit the following line in\n\"/etc/ssh/sshd_config\" as follows:\n\nClientAliveInterval [interval]\n\nThe timeout [interval] is given in seconds. To have a timeout of 15 minutes,\nset [interval] to 900.\n\nIf a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made here. Keep in mind that some processes may stop\nSSH from correctly detecting that the user is idle." + "check": "If the NFS server is read-only, in support of unrestricted\naccess to organizational content, this is not applicable.\n\nThe related \"root_squash\" option provides protection against remote\nadministrator-level access to NFS server content. Its use is not a finding.\n\nTo verify the \"all_squash\" option has been disabled, run the following\ncommand:\n\n# grep all_squash /etc/exports\n\n\nIf there is output, this is a finding.", + "fix": "Remove any instances of the \"all_squash\" option from the file\n\"/etc/exports\". 
Restart the NFS daemon for the changes to take effect.\n\n# service nfs restart" }, - "code": "control \"V-38608\" do\n title \"The SSH daemon must set a timeout interval on idle sessions.\"\n desc \"Causing idle users to be automatically logged out guards against\ncompromises one system leading trivially to compromises on another.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000163\"\n tag \"gid\": \"V-38608\"\n tag \"rid\": \"SV-50409r1_rule\"\n tag \"stig_id\": \"RHEL-06-000230\"\n tag \"fix_id\": \"F-43556r1_fix\"\n tag \"cci\": [\"CCI-001133\"]\n tag \"nist\": [\"SC-10\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to see what the timeout interval is:\n\n# grep ClientAliveInterval /etc/ssh/sshd_config\n\nIf properly configured, the output should be:\n\nClientAliveInterval 900\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"SSH allows administrators to set an idle timeout interval. After\nthis interval has passed, the idle user will be automatically logged out.\n\nTo set an idle timeout interval, edit the following line in\n\\\"/etc/ssh/sshd_config\\\" as follows:\n\nClientAliveInterval [interval]\n\nThe timeout [interval] is given in seconds. To have a timeout of 15 minutes,\nset [interval] to 900.\n\nIf a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made here. 
Keep in mind that some processes may stop\nSSH from correctly detecting that the user is idle.\"\n\n describe sshd_config do\n its(\"ClientAliveInterval.to_i\"){should cmp >= 1}\n its(\"ClientAliveInterval.to_i\"){should cmp <= input('client_alive_interval')}\n its(\"ClientAliveInterval\"){should_not eq nil}\n end\nend\n", + "code": "control \"V-38460\" do\n title \"The NFS server must not have the all_squash option enabled.\"\n desc \"The \\\"all_squash\\\" option maps all client requests to a single\nanonymous uid/gid on the NFS server, negating the ability to track file access\nby user ID.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000104\"\n tag \"gid\": \"V-38460\"\n tag \"rid\": \"SV-50260r1_rule\"\n tag \"stig_id\": \"RHEL-06-000515\"\n tag \"fix_id\": \"F-43405r1_fix\"\n tag \"cci\": [\"CCI-000764\"]\n tag \"nist\": [\"IA-2\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the NFS server is read-only, in support of unrestricted\naccess to organizational content, this is not applicable.\n\nThe related \\\"root_squash\\\" option provides protection against remote\nadministrator-level access to NFS server content. Its use is not a finding.\n\nTo verify the \\\"all_squash\\\" option has been disabled, run the following\ncommand:\n\n# grep all_squash /etc/exports\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"Remove any instances of the \\\"all_squash\\\" option from the file\n\\\"/etc/exports\\\". 
Restart the NFS daemon for the changes to take effect.\n\n# service nfs restart\"\n\n describe command(\"grep all_squash /etc/exports\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38608.rb", + "ref": "./Red Hat 6 STIG/controls/V-38460.rb", "line": 1 }, - "id": "V-38608" + "id": "V-38460" }, { - "title": "The operating system must employ cryptographic mechanisms to prevent\nunauthorized disclosure of data at rest unless otherwise protected by\nalternative physical measures.", - "desc": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.", + "title": "Library files must be owned by a system account.", + "desc": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Proper ownership is necessary to protect the integrity of the system.", "descriptions": { - "default": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost." + "default": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Proper ownership is necessary to protect the integrity of the system." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000230", - "gid": "V-38662", - "rid": "SV-50463r2_rule", - "stig_id": "RHEL-06-000277", - "fix_id": "F-43611r3_fix", + "gtitle": "SRG-OS-000259", + "gid": "V-38466", + "rid": "SV-50266r4_rule", + "stig_id": "RHEL-06-000046", + "fix_id": "F-43411r4_fix", "cci": [ - "CCI-001200" + "CCI-001499" ], "nist": [ - "SC-28 (1)", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
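Review bot: `command("grep all_squash /etc/exports")` in the new V-38460 code matches commented-out lines too, so a `#` comment that mentions `all_squash` becomes a false finding, and it never looks at `/etc/exports.d/*.exports`, which nfs-utils presumably also reads on this platform, so an export defined there escapes the check. A tighter probe with the same empty-stdout assertion is `grep -hE '^[^#]*all_squash' /etc/exports /etc/exports.d/*.exports 2>/dev/null`. The check text's "read-only NFS server is not applicable" case has no counterpart in the code; an `only_if` or an input would let assessors record N/A instead of a failure.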
@@ -6532,35 +6581,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.", - "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \"Encrypt\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \"--encrypted\" and \"--passphrase=\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. Omitting the \"--passphrase=\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" + "check": "System-wide shared library files, which are linked to\nexecutables during process load time or run time, are stored in the following\ndirectories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n/usr/local/lib\n/usr/local/lib64\n\nKernel modules, which can be added to the kernel during runtime, are stored in\n\"/lib/modules\". 
All files in these directories should not be group-writable\nor world-writable. To find shared libraries that are not owned by \"root\" and\ndo not match what is expected by the RPM, run the following command:\n\nfor i in /lib /lib64 /usr/lib /usr/lib64\ndo\n for j in `find -L $i \\! -user root`\n do\n rpm -V -f $j | grep '^.....U'\n done\ndone\n\n\nIf the command returns any results, this is a finding.", + "fix": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n/usr/local/lib\n/usr/local/lib64\n\nIf any file in these directories is found to be owned by a user other than\n\"root\" and does not match what is expected by the RPM, correct its ownership by\nrunning one of the following commands:\n\n\n# rpm --setugids [PACKAGE_NAME]\n\nOr\n\n# chown root [FILE]" }, - "code": "control \"V-38662\" do\n title \"The operating system must employ cryptographic mechanisms to prevent\nunauthorized disclosure of data at rest unless otherwise protected by\nalternative physical measures.\"\n desc \"The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. 
Encrypting this\ndata mitigates the risk of its loss if the system is lost.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000230\"\n tag \"gid\": \"V-38662\"\n tag \"rid\": \"SV-50463r2_rule\"\n tag \"stig_id\": \"RHEL-06-000277\"\n tag \"fix_id\": \"F-43611r3_fix\"\n tag \"cci\": [\"CCI-001200\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.\"\n tag \"fix\": \"Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \\\"Encrypt\\\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \\\"--encrypted\\\" and \\\"--passphrase=\\\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. 
Omitting the \\\"--passphrase=\\\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38466\" do\n title \"Library files must be owned by a system account.\"\n desc \"Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Proper ownership is necessary to protect the integrity of the system.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000259\"\n tag \"gid\": \"V-38466\"\n tag \"rid\": \"SV-50266r4_rule\"\n tag \"stig_id\": \"RHEL-06-000046\"\n tag \"fix_id\": \"F-43411r4_fix\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"System-wide shared library files, which are linked to\nexecutables during process load time or run time, are stored in the following\ndirectories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n/usr/local/lib\n/usr/local/lib64\n\nKernel modules, which can be added to the kernel during runtime, are stored in\n\\\"/lib/modules\\\". All files in these directories should not be group-writable\nor world-writable. 
To find shared libraries that are not owned by \\\"root\\\" and\ndo not match what is expected by the RPM, run the following command:\n\nfor i in /lib /lib64 /usr/lib /usr/lib64\ndo\n for j in `find -L $i \\\\! -user root`\n do\n rpm -V -f $j | grep '^.....U'\n done\ndone\n\n\nIf the command returns any results, this is a finding.\"\n tag \"fix\": \"System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n/usr/local/lib\n/usr/local/lib64\n\nIf any file in these directories is found to be owned by a user other than\n\\\"root\\\" and does not match what is expected by the RPM, correct its ownership by\nrunning one of the following commands:\n\n\n# rpm --setugids [PACKAGE_NAME]\n\nOr\n\n# chown root [FILE]\"\n\n libs = [\"/lib\", \"/lib64\", \"/usr/lib\", \"/usr/lib64\", \"/usr/local/lib\", \"/usr/local/lib64\"]\n libs.each do |l|\n files = command(\"find -L #{l} \\\\! -user root\").stdout.strip.split(\"\\n\")\n if files.empty?\n describe \"`find -L #{l} \\\\! -user root`\" do\n subject { files }\n it { should be_empty }\n end\n end\n files.each do |f|\n describe command(\"rpm -V -f #{f} | grep '^.....U'\") do\n its('stdout.strip') { should be_empty }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38662.rb", + "ref": "./Red Hat 6 STIG/controls/V-38466.rb", "line": 1 }, - "id": "V-38662" + "id": "V-38466" }, { - "title": "The NFS server must not have the all_squash option enabled.", - "desc": "The \"all_squash\" option maps all client requests to a single\nanonymous uid/gid on the NFS server, negating the ability to track file access\nby user ID.", + "title": "The avahi service must be disabled.", + "desc": "Because the Avahi daemon service keeps an open network port, it is\nsubject to network attacks. 
Its functionality is convenient but is only\nappropriate if the local network can be trusted.", "descriptions": { - "default": "The \"all_squash\" option maps all client requests to a single\nanonymous uid/gid on the NFS server, negating the ability to track file access\nby user ID." + "default": "Because the Avahi daemon service keeps an open network port, it is\nsubject to network attacks. Its functionality is convenient but is only\nappropriate if the local network can be trusted." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000104", - "gid": "V-38460", - "rid": "SV-50260r1_rule", - "stig_id": "RHEL-06-000515", - "fix_id": "F-43405r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38618", + "rid": "SV-50419r2_rule", + "stig_id": "RHEL-06-000246", + "fix_id": "F-43567r2_fix", "cci": [ - "CCI-000764" + "CCI-000366" ], "nist": [ - "IA-2", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
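Review bot: In the new V-38466 code each non-root-owned path returned by `find -L` is interpolated unquoted into `command("rpm -V -f #{f} | grep '^.....U'")`, so a filename containing whitespace or shell metacharacters — exactly what an attacker who planted a library would choose — either breaks the command or runs extra shell in the scanner's (typically root) context. Escape it, e.g. `command("rpm -V -f #{f.shellescape} | grep '^.....U'")`, adding `require 'shellwords'` if InSpec has not already loaded it. Note also that a non-root-owned library belonging to no package presumably produces an "is not owned by any package" message rather than a `^.....U` verify line, so it passes silently; that follows the STIG text literally but is the more dangerous case and deserves its own `describe` that fails on any unpackaged file in those directories.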
@@ -6573,35 +6622,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the NFS server is read-only, in support of unrestricted\naccess to organizational content, this is not applicable.\n\nThe related \"root_squash\" option provides protection against remote\nadministrator-level access to NFS server content. Its use is not a finding.\n\nTo verify the \"all_squash\" option has been disabled, run the following\ncommand:\n\n# grep all_squash /etc/exports\n\n\nIf there is output, this is a finding.", - "fix": "Remove any instances of the \"all_squash\" option from the file\n\"/etc/exports\". Restart the NFS daemon for the changes to take effect.\n\n# service nfs restart" + "check": "To check that the \"avahi-daemon\" service is disabled in\nsystem boot configuration, run the following command:\n\n# chkconfig \"avahi-daemon\" --list\n\nOutput should indicate the \"avahi-daemon\" service has either not been\ninstalled, or has been disabled at all runlevels, as shown in the example\nbelow:\n\n# chkconfig \"avahi-daemon\" --list\n\"avahi-daemon\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"avahi-daemon\" is disabled through\ncurrent runtime configuration:\n\n# service avahi-daemon status\n\nIf the service is disabled the command will return the following output:\n\navahi-daemon is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The \"avahi-daemon\" service can be disabled with the following\ncommands:\n\n# chkconfig avahi-daemon off\n# service avahi-daemon stop" }, - "code": "control \"V-38460\" do\n title \"The NFS server must not have the all_squash option enabled.\"\n desc \"The \\\"all_squash\\\" option maps all client requests to a single\nanonymous uid/gid on the NFS server, negating the ability to track file access\nby user ID.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000104\"\n tag \"gid\": \"V-38460\"\n tag \"rid\": \"SV-50260r1_rule\"\n tag \"stig_id\": 
\"RHEL-06-000515\"\n tag \"fix_id\": \"F-43405r1_fix\"\n tag \"cci\": [\"CCI-000764\"]\n tag \"nist\": [\"IA-2\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the NFS server is read-only, in support of unrestricted\naccess to organizational content, this is not applicable.\n\nThe related \\\"root_squash\\\" option provides protection against remote\nadministrator-level access to NFS server content. Its use is not a finding.\n\nTo verify the \\\"all_squash\\\" option has been disabled, run the following\ncommand:\n\n# grep all_squash /etc/exports\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"Remove any instances of the \\\"all_squash\\\" option from the file\n\\\"/etc/exports\\\". Restart the NFS daemon for the changes to take effect.\n\n# service nfs restart\"\n\n describe command(\"grep all_squash /etc/exports\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38618\" do\n title \"The avahi service must be disabled.\"\n desc \"Because the Avahi daemon service keeps an open network port, it is\nsubject to network attacks. 
Its functionality is convenient but is only\nappropriate if the local network can be trusted.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38618\"\n tag \"rid\": \"SV-50419r2_rule\"\n tag \"stig_id\": \"RHEL-06-000246\"\n tag \"fix_id\": \"F-43567r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"avahi-daemon\\\" service is disabled in\nsystem boot configuration, run the following command:\n\n# chkconfig \\\"avahi-daemon\\\" --list\n\nOutput should indicate the \\\"avahi-daemon\\\" service has either not been\ninstalled, or has been disabled at all runlevels, as shown in the example\nbelow:\n\n# chkconfig \\\"avahi-daemon\\\" --list\n\\\"avahi-daemon\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"avahi-daemon\\\" is disabled through\ncurrent runtime configuration:\n\n# service avahi-daemon status\n\nIf the service is disabled the command will return the following output:\n\navahi-daemon is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"avahi-daemon\\\" service can be disabled with the following\ncommands:\n\n# chkconfig avahi-daemon off\n# service avahi-daemon stop\"\n\n describe service(\"avahi-daemon\").runlevels(/0/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/1/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/2/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/3/) do\n it { should_not be_enabled }\n end\n describe 
service(\"avahi-daemon\").runlevels(/4/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/5/) do\n it { should_not be_enabled }\n end\n describe service(\"avahi-daemon\").runlevels(/6/) do\n it { should_not be_enabled }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38460.rb", + "ref": "./Red Hat 6 STIG/controls/V-38618.rb", "line": 1 }, - "id": "V-38460" + "id": "V-38618" }, { - "title": "The cron service must be running.", - "desc": "Due to its usage for maintenance and security-supporting tasks,\nenabling the cron daemon is essential.", + "title": "The qpidd service must not be running.", + "desc": "The qpidd service is automatically installed when the \"base\" package\nselection is selected during installation. The qpidd service listens for\nnetwork connections which increases the attack surface of the system. If the\nsystem is not intended to receive AMQP traffic then the \"qpidd\" service is\nnot needed and should be disabled or removed.", "descriptions": { - "default": "Due to its usage for maintenance and security-supporting tasks,\nenabling the cron daemon is essential." + "default": "The qpidd service is automatically installed when the \"base\" package\nselection is selected during installation. The qpidd service listens for\nnetwork connections which increases the attack surface of the system. If the\nsystem is not intended to receive AMQP traffic then the \"qpidd\" service is\nnot needed and should be disabled or removed." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38605", - "rid": "SV-50406r2_rule", - "stig_id": "RHEL-06-000224", - "fix_id": "F-43553r2_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38648", + "rid": "SV-50449r2_rule", + "stig_id": "RHEL-06-000267", + "fix_id": "F-43597r2_fix", "cci": [ - "CCI-000366" + "CCI-000382" ], "nist": [ - "CM-6 b", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
@@ -6614,30 +6663,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine the current status of\nthe \"crond\" service:\n\n# service crond status\n\nIf the service is enabled, it should return the following:\n\ncrond is running...\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"crond\" service is used to execute commands at\npreconfigured times. It is required by almost all systems to perform necessary\nmaintenance tasks, such as notifying root of system activity. The \"crond\"\nservice can be enabled with the following commands:\n\n# chkconfig crond on\n# service crond start" + "check": "To check that the \"qpidd\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"qpidd\" --list\n\nOutput should indicate the \"qpidd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"qpidd\" --list\n\"qpidd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"qpidd\" is disabled through current\nruntime configuration:\n\n# service qpidd status\n\nIf the service is disabled the command will return the following output:\n\nqpidd is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The \"qpidd\" service provides high speed, secure, guaranteed\ndelivery services. It is an implementation of the Advanced Message Queuing\nProtocol. By default the qpidd service will bind to port 5672 and listen for\nconnection attempts. 
The \"qpidd\" service can be disabled with the following\ncommands:\n\n# chkconfig qpidd off\n# service qpidd stop" }, - "code": "control \"V-38605\" do\n title \"The cron service must be running.\"\n desc \"Due to its usage for maintenance and security-supporting tasks,\nenabling the cron daemon is essential.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38605\"\n tag \"rid\": \"SV-50406r2_rule\"\n tag \"stig_id\": \"RHEL-06-000224\"\n tag \"fix_id\": \"F-43553r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"crond\\\" service:\n\n# service crond status\n\nIf the service is enabled, it should return the following:\n\ncrond is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"crond\\\" service is used to execute commands at\npreconfigured times. It is required by almost all systems to perform necessary\nmaintenance tasks, such as notifying root of system activity. 
The \\\"crond\\\"\nservice can be enabled with the following commands:\n\n# chkconfig crond on\n# service crond start\"\n\n describe package(\"cronie\") do\n it { should be_installed }\n end\n describe.one do\n describe service(\"crond\").runlevels(/0/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/1/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/2/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/3/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/4/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/5/) do\n it { should be_enabled }\n end\n describe service(\"crond\").runlevels(/6/) do\n it { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38648\" do\n title \"The qpidd service must not be running.\"\n desc \"The qpidd service is automatically installed when the \\\"base\\\" package\nselection is selected during installation. The qpidd service listens for\nnetwork connections which increases the attack surface of the system. 
If the\nsystem is not intended to receive AMQP traffic then the \\\"qpidd\\\" service is\nnot needed and should be disabled or removed.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38648\"\n tag \"rid\": \"SV-50449r2_rule\"\n tag \"stig_id\": \"RHEL-06-000267\"\n tag \"fix_id\": \"F-43597r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"qpidd\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"qpidd\\\" --list\n\nOutput should indicate the \\\"qpidd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"qpidd\\\" --list\n\\\"qpidd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"qpidd\\\" is disabled through current\nruntime configuration:\n\n# service qpidd status\n\nIf the service is disabled the command will return the following output:\n\nqpidd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"qpidd\\\" service provides high speed, secure, guaranteed\ndelivery services. It is an implementation of the Advanced Message Queuing\nProtocol. By default the qpidd service will bind to port 5672 and listen for\nconnection attempts. 
The \\\"qpidd\\\" service can be disabled with the following\ncommands:\n\n# chkconfig qpidd off\n# service qpidd stop\"\n\n describe.one do\n describe package(\"qpid-cpp-server\") do\n it { should_not be_installed }\n end\n describe service(\"qpidd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38605.rb", + "ref": "./Red Hat 6 STIG/controls/V-38648.rb", "line": 1 }, - "id": "V-38605" + "id": "V-38648" }, { - "title": "The system must use a separate file system for /tmp.", - "desc": "The \"/tmp\" partition is used as temporary storage by many programs.\nPlacing \"/tmp\" in its own partition enables the setting of more restrictive\nmount options, which can help protect programs which use it.", + "title": "The system must not accept ICMPv4 secure redirect packets by default.", + "desc": "Accepting \"secure\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required.", "descriptions": { - "default": "The \"/tmp\" partition is used as temporary storage by many programs.\nPlacing \"/tmp\" in its own partition enables the setting of more restrictive\nmount options, which can help protect programs which use it." + "default": "Accepting \"secure\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38455", - "rid": "SV-50255r1_rule", - "stig_id": "RHEL-06-000001", - "fix_id": "F-43387r1_fix", + "gid": "V-38532", + "rid": "SV-50333r2_rule", + "stig_id": "RHEL-06-000090", + "fix_id": "F-43479r1_fix", "cci": [ "CCI-000366" ], 
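Review bot: The embedded InSpec code for the new V-38648 control asserts the opposite of its title: inside `describe.one`, every `its("runlevels(?-mix:N)") { should be_enabled }` line passes when qpidd is enabled at that runlevel, so a host with qpidd enabled at boot is reported compliant and one that has disabled it (but still has the package) is reported as a finding. The `(?-mix:N)` form also looks like a stringified Regexp rather than an intended argument, whereas the sibling V-38618 control earlier in this file uses `describe service("avahi-daemon").runlevels(/N/) do it { should_not be_enabled } end`. Each of the seven lines should follow that pattern, e.g. `describe service("qpidd").runlevels(/0/) do it { should_not be_enabled } end`. Since this JSON is an export of `./Red Hat 6 STIG/controls/V-38648.rb`, the fix belongs in that source file and the baseline should then be regenerated.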
@@ -6655,35 +6704,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if \"/tmp\" is on its\nown partition or logical volume:\n\n$ mount | grep \"on /tmp \"\n\nIf \"/tmp\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.", - "fix": "The \"/tmp\" directory is a world-writable directory used for\ntemporary file storage. Ensure it has its own partition or logical volume at\ninstallation time, or migrate it using LVM." + "check": "The status of the \"net.ipv4.conf.default.secure_redirects\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.secure_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.secure_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.secure_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.secure_redirects = 0" }, - "code": "control \"V-38455\" do\n title \"The system must use a separate file system for /tmp.\"\n desc \"The \\\"/tmp\\\" partition is used as temporary storage by many programs.\nPlacing \\\"/tmp\\\" in its own partition enables the setting of more restrictive\nmount options, which can help protect programs which use it.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38455\"\n tag \"rid\": \"SV-50255r1_rule\"\n tag \"stig_id\": \"RHEL-06-000001\"\n tag \"fix_id\": \"F-43387r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/tmp\\\" is on its\nown partition or logical volume:\n\n$ mount | grep \\\"on /tmp \\\"\n\nIf \\\"/tmp\\\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The \\\"/tmp\\\" directory is a world-writable directory used for\ntemporary file storage. 
Ensure it has its own partition or logical volume at\ninstallation time, or migrate it using LVM.\"\n\n describe mount(\"/tmp\") do\n it { should be_mounted }\n end\nend\n", + "code": "control \"V-38532\" do\n title \"The system must not accept ICMPv4 secure redirect packets by default.\"\n desc \"Accepting \\\"secure\\\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38532\"\n tag \"rid\": \"SV-50333r2_rule\"\n tag \"stig_id\": \"RHEL-06-000090\"\n tag \"fix_id\": \"F-43479r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.secure_redirects\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.secure_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.secure_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.secure_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.secure_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.secure_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.secure_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.secure_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38455.rb", + "ref": "./Red Hat 6 STIG/controls/V-38532.rb", "line": 1 }, - "id": "V-38455" + "id": "V-38532" }, { - "title": "The rlogind service must not be running.", - "desc": "The rlogin service uses unencrypted network communications, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network.", + "title": "The xinetd service must be uninstalled if no network services\nutilizing it are enabled.", + "desc": "Removing the \"xinetd\" package decreases the risk of the xinetd\nservice's accidental (or intentional) activation.", "descriptions": { - "default": "The rlogin service uses unencrypted network communications, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network." + "default": "Removing the \"xinetd\" package decreases the risk of the xinetd\nservice's accidental (or intentional) activation." 
}, - "impact": 0.7, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000248", - "gid": "V-38602", - "rid": "SV-50403r2_rule", - "stig_id": "RHEL-06-000218", - "fix_id": "F-43549r3_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38584", + "rid": "SV-50385r1_rule", + "stig_id": "RHEL-06-000204", + "fix_id": "F-43532r1_fix", "cci": [ - "CCI-001436" + "CCI-000382" ], "nist": [ - "AC-17 (8)", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
@@ -6696,35 +6745,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "\nTo check that the \"rlogin\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \"rlogin\" --list\n\nOutput should indicate the \"rlogin\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"rlogin\" --list\nrlogin off\nOR\nerror reading information on service rlogin: No such file or directory\n\n\nIf the service is running, this is a finding.", - "fix": "The \"rlogin\" service, which is available with the\n\"rsh-server\" package and runs as a service through xinetd, should be\ndisabled. The \"rlogin\" service can be disabled with the following command:\n\n# chkconfig rlogin off" - }, - "code": "control \"V-38602\" do\n title \"The rlogind service must not be running.\"\n desc \"The rlogin service uses unencrypted network communications, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000248\"\n tag \"gid\": \"V-38602\"\n tag \"rid\": \"SV-50403r2_rule\"\n tag \"stig_id\": \"RHEL-06-000218\"\n tag \"fix_id\": \"F-43549r3_fix\"\n tag \"cci\": [\"CCI-001436\"]\n tag \"nist\": [\"AC-17 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"\nTo check that the \\\"rlogin\\\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \\\"rlogin\\\" --list\n\nOutput should indicate the \\\"rlogin\\\" service has either not been installed, or\nhas been disabled, as 
shown in the example below:\n\n# chkconfig \\\"rlogin\\\" --list\nrlogin off\nOR\nerror reading information on service rlogin: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"rlogin\\\" service, which is available with the\n\\\"rsh-server\\\" package and runs as a service through xinetd, should be\ndisabled. The \\\"rlogin\\\" service can be disabled with the following command:\n\n# chkconfig rlogin off\"\n\n describe.one do\n describe package(\"rsh-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/rlogin\") do\n its(\"content\") { should match(/^\\s*disable\\s+=\\s+yes\\s*$/) }\n end\n end\nend\n", + "check": "If network services are using the xinetd service, this is not\napplicable.\n\nRun the following command to determine if the \"xinetd\" package is installed:\n\n# rpm -q xinetd\n\n\nIf the package is installed, this is a finding.", + "fix": "The \"xinetd\" package can be uninstalled with the following\ncommand:\n\n# yum erase xinetd" + }, + "code": "control \"V-38584\" do\n title \"The xinetd service must be uninstalled if no network services\nutilizing it are enabled.\"\n desc \"Removing the \\\"xinetd\\\" package decreases the risk of the xinetd\nservice's accidental (or intentional) activation.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38584\"\n tag \"rid\": \"SV-50385r1_rule\"\n tag \"stig_id\": \"RHEL-06-000204\"\n tag \"fix_id\": \"F-43532r1_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If network services are using the xinetd service, this is not\napplicable.\n\nRun the 
following command to determine if the \\\"xinetd\\\" package is installed:\n\n# rpm -q xinetd\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"xinetd\\\" package can be uninstalled with the following\ncommand:\n\n# yum erase xinetd\"\n\n describe package(\"xinetd\") do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38602.rb", + "ref": "./Red Hat 6 STIG/controls/V-38584.rb", "line": 1 }, - "id": "V-38602" + "id": "V-38584" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchownat.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The operating system must connect to external networks or information\nsystems only through managed IPv4 interfaces consisting of boundary protection\ndevices arranged in accordance with an organizational security architecture.", + "desc": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38554", - "rid": "SV-50355r3_rule", - "stig_id": "RHEL-06-000189", - "fix_id": "F-43502r2_fix", + "gtitle": "SRG-OS-000145", + "gid": "V-38560", + "rid": "SV-50361r2_rule", + "stig_id": "RHEL-06-000116", + "fix_id": "F-43508r2_fix", "cci": [ - "CCI-000172" + "CCI-001098" ], "nist": [ - "AU-12 c", + "SC-7 c", "Rev_4" ], "false_negatives": null, 
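Review bot: The V-38584 check text opens with "If network services are using the xinetd service, this is not applicable", but the embedded code unconditionally requires `package("xinetd")` to be absent, so a host that legitimately runs xinetd-based services fails rather than being marked not applicable. An `only_if` guard (driven by a profile input such as a list of xinetd services in use) would make the code match the check's applicability statement; absent that, a comment in the control noting that reviewers must assess applicability manually would at least document the gap. As with the other controls in this file, the change belongs in `./Red Hat 6 STIG/controls/V-38584.rb` before regenerating the JSON.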
@@ -6737,35 +6786,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"fchownat\" system call, run the following command:\n\n$ sudo grep -w \"fchownat\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod" + "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"iptables\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start" }, - "code": "control \"V-38554\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchownat.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38554\"\n tag \"rid\": \"SV-50355r3_rule\"\n tag 
\"stig_id\": \"RHEL-06-000189\"\n tag \"fix_id\": \"F-43502r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fchownat\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fchownat\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchownat(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchownat(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38560\" do\n title \"The operating system must connect to 
external networks or information\nsystems only through managed IPv4 interfaces consisting of boundary protection\ndevices arranged in accordance with an organizational security architecture.\"\n desc \"The \\\"iptables\\\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000145\"\n tag \"gid\": \"V-38560\"\n tag \"rid\": \"SV-50361r2_rule\"\n tag \"stig_id\": \"RHEL-06-000116\"\n tag \"fix_id\": \"F-43508r2_fix\"\n tag \"cci\": [\"CCI-001098\"]\n tag \"nist\": [\"SC-7 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \\\"iptables\\\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"iptables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start\"\n\n describe service('iptables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38554.rb", + "ref": "./Red Hat 6 STIG/controls/V-38560.rb", "line": 1 }, - "id": "V-38554" + "id": "V-38560" }, { - "title": "The audit system must take appropriate action when the audit storage\nvolume is full.", - "desc": "Taking appropriate action in case of a filled audit storage volume\nwill minimize the possibility of losing audit records.", + "title": "The system must rotate audit log files that reach the maximum 
file\nsize.", + "desc": "Automatically rotating logs (by setting this to \"rotate\") minimizes\nthe chances of the system unexpectedly running out of disk space by being\noverwhelmed with log data. However, for systems that must never discard log\ndata, or which use external processes to transfer it and reclaim space,\n\"keep_logs\" can be employed.", "descriptions": { - "default": "Taking appropriate action in case of a filled audit storage volume\nwill minimize the possibility of losing audit records." + "default": "Automatically rotating logs (by setting this to \"rotate\") minimizes\nthe chances of the system unexpectedly running out of disk space by being\noverwhelmed with log data. However, for systems that must never discard log\ndata, or which use external processes to transfer it and reclaim space,\n\"keep_logs\" can be employed." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000047", - "gid": "V-38468", - "rid": "SV-50268r1_rule", - "stig_id": "RHEL-06-000510", - "fix_id": "F-43413r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38634", + "rid": "SV-50435r2_rule", + "stig_id": "RHEL-06-000161", + "fix_id": "F-43583r1_fix", "cci": [ - "CCI-000140" + "CCI-000366" ], "nist": [ - "AU-5 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -6778,15 +6827,15 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to take appropriate action when\nthe audit storage volume is full:\n\n# grep disk_full_action /etc/audit/auditd.conf\ndisk_full_action = [ACTION]\n\n\nIf the system is configured to \"suspend\" when the volume is full or\n\"ignore\" that it is full, this is a finding.", - "fix": "The \"auditd\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify\nthe following line, substituting [ACTION] appropriately:\n\ndisk_full_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page.\nThese include:\n\n\"ignore\"\n\"syslog\"\n\"exec\"\n\"suspend\"\n\"single\"\n\"halt\"\n\n\nSet this to \"syslog\", \"exec\", \"single\", or \"halt\"." + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to rotate logs when they reach\ntheir maximum size:\n\n# grep max_log_file_action /etc/audit/auditd.conf\nmax_log_file_action = rotate\n\nIf the \"keep_logs\" option is configured for the \"max_log_file_action\" line\nin \"/etc/audit/auditd.conf\" and an alternate process is in place to ensure\naudit data does not overwhelm local audit storage, this is not a finding.\n\nIf the system has not been properly set up to rotate audit logs, this is a\nfinding.", + "fix": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. 
To configure the action\ntaken by \"auditd\", add or correct the line in \"/etc/audit/auditd.conf\":\n\nmax_log_file_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page.\nThese include:\n\n\"ignore\"\n\"syslog\"\n\"suspend\"\n\"rotate\"\n\"keep_logs\"\n\n\nSet the \"[ACTION]\" to \"rotate\" to ensure log rotation occurs. This is the\ndefault. The setting is case-insensitive." }, - "code": "control \"V-38468\" do\n title \"The audit system must take appropriate action when the audit storage\nvolume is full.\"\n desc \"Taking appropriate action in case of a filled audit storage volume\nwill minimize the possibility of losing audit records.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000047\"\n tag \"gid\": \"V-38468\"\n tag \"rid\": \"SV-50268r1_rule\"\n tag \"stig_id\": \"RHEL-06-000510\"\n tag \"fix_id\": \"F-43413r1_fix\"\n tag \"cci\": [\"CCI-000140\"]\n tag \"nist\": [\"AU-5 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to take appropriate action when\nthe audit storage volume is full:\n\n# grep disk_full_action /etc/audit/auditd.conf\ndisk_full_action = [ACTION]\n\n\nIf the system is configured to \\\"suspend\\\" when the volume is full or\n\\\"ignore\\\" that it is full, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \\\"/etc/audit/auditd.conf\\\". 
Modify\nthe following line, substituting [ACTION] appropriately:\n\ndisk_full_action = [ACTION]\n\nPossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page.\nThese include:\n\n\\\"ignore\\\"\n\\\"syslog\\\"\n\\\"exec\\\"\n\\\"suspend\\\"\n\\\"single\\\"\n\\\"halt\\\"\n\n\nSet this to \\\"syslog\\\", \\\"exec\\\", \\\"single\\\", or \\\"halt\\\".\"\n\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('disk_full_action') { should_not be_nil }\n its('disk_full_action.downcase') { should_not be_in ['suspend', 'ignore'] }\n end\nend\n", + "code": "control \"V-38634\" do\n title \"The system must rotate audit log files that reach the maximum file\nsize.\"\n desc \"Automatically rotating logs (by setting this to \\\"rotate\\\") minimizes\nthe chances of the system unexpectedly running out of disk space by being\noverwhelmed with log data. However, for systems that must never discard log\ndata, or which use external processes to transfer it and reclaim space,\n\\\"keep_logs\\\" can be employed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38634\"\n tag \"rid\": \"SV-50435r2_rule\"\n tag \"stig_id\": \"RHEL-06-000161\"\n tag \"fix_id\": \"F-43583r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to rotate logs when they reach\ntheir maximum size:\n\n# grep max_log_file_action /etc/audit/auditd.conf\nmax_log_file_action = rotate\n\nIf the \\\"keep_logs\\\" option is configured for the \\\"max_log_file_action\\\" line\nin 
\\\"/etc/audit/auditd.conf\\\" and an alternate process is in place to ensure\naudit data does not overwhelm local audit storage, this is not a finding.\n\nIf the system has not been properly set up to rotate audit logs, this is a\nfinding.\"\n tag \"fix\": \"The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action\ntaken by \\\"auditd\\\", add or correct the line in \\\"/etc/audit/auditd.conf\\\":\n\nmax_log_file_action = [ACTION]\n\nPossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page.\nThese include:\n\n\\\"ignore\\\"\n\\\"syslog\\\"\n\\\"suspend\\\"\n\\\"rotate\\\"\n\\\"keep_logs\\\"\n\n\nSet the \\\"[ACTION]\\\" to \\\"rotate\\\" to ensure log rotation occurs. This is the\ndefault. The setting is case-insensitive.\"\n\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('max_log_file_action.downcase') { should be_in ['rotate', 'keep_logs'] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38468.rb", + "ref": "./Red Hat 6 STIG/controls/V-38634.rb", "line": 1 }, - "id": "V-38468" + "id": "V-38634" }, { "title": "All system command files must have mode 755 or less permissive.", 
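Review bot: The new V-38634 code calls `its('max_log_file_action.downcase')` with no prior nil check, so when the key is missing from `/etc/audit/auditd.conf` the test errors with a NoMethodError on nil instead of reporting a clean failure; the replaced V-38468 control guarded this with `its('disk_full_action') { should_not be_nil }` first. Adding `its('max_log_file_action') { should_not be_nil }` before the `be_in` assertion restores that behaviour. Note also that the code accepts `keep_logs` unconditionally, while the check text accepts it only when an alternate process reclaims audit storage; a comment such as `# keep_logs accepted per check text; confirm an external rotation/transfer process exists` would record that the code is intentionally lenient here.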
@@ -6830,24 +6879,24 @@ "id": "V-38469" }, { - "title": "The system must not send ICMPv4 redirects from any interface.", - "desc": "Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers.", + "title": "The operating system must automatically audit account modification.", + "desc": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.", "descriptions": { - "default": "Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers." + "default": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38601", - "rid": "SV-50402r2_rule", - "stig_id": "RHEL-06-000081", - "fix_id": "F-43548r1_fix", + "gtitle": "SRG-OS-000239", + "gid": "V-38534", + "rid": "SV-50335r2_rule", + "stig_id": "RHEL-06-000175", + "fix_id": "F-43482r1_fix", "cci": [ - "CCI-000366" + "CCI-001403" ], "nist": [ - "CM-6 b", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
@@ -6860,35 +6909,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.all.send_redirects\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.send_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.send_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.send_redirects = 0" + "check": "To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \"-p wa\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.", + "fix": "Add the following to \"/etc/audit/audit.rules\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes" }, - "code": "control \"V-38601\" do\n title \"The system must not send ICMPv4 redirects from any interface.\"\n desc \"Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. 
The ability to send ICMP redirects is only\nappropriate for systems acting as routers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38601\"\n tag \"rid\": \"SV-50402r2_rule\"\n tag \"stig_id\": \"RHEL-06-000081\"\n tag \"fix_id\": \"F-43548r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.send_redirects\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.send_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.send_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.send_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.send_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.send_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.send_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38534\" do\n title \"The operating system must automatically audit account modification.\"\n desc \"In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000239\"\n tag \"gid\": \"V-38534\"\n tag \"rid\": \"SV-50335r2_rule\"\n tag \"stig_id\": \"RHEL-06-000175\"\n tag \"fix_id\": \"F-43482r1_fix\"\n tag \"cci\": [\"CCI-001403\"]\n tag \"nist\": [\"AC-2 (4)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \\\"-p wa\\\" 
for each).\n\nIf the system is not configured to audit account changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38601.rb", + "ref": "./Red Hat 6 STIG/controls/V-38534.rb", "line": 1 }, - "id": "V-38601" + "id": "V-38534" }, { - "title": "The NFS server must not have the insecure file locking option enabled.", - "desc": "Allowing insecure file locking could allow for sensitive data to be\nviewed or edited by an unauthorized user.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using chown.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the 
identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "Allowing insecure file locking could allow for sensitive data to be\nviewed or edited by an unauthorized user." + "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, - "impact": 0.7, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000104", - "gid": "V-38677", - "rid": "SV-50478r1_rule", - "stig_id": "RHEL-06-000309", - "fix_id": "F-43626r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38545", + "rid": "SV-50346r3_rule", + "stig_id": "RHEL-06-000185", + "fix_id": "F-43493r2_fix", "cci": [ - "CCI-000764" + "CCI-000172" ], "nist": [ - "IA-2", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
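Review bot: The five `file("/etc/audit/audit.rules")` matchers in the new V-38534 code (e.g. `should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/)`) are stricter than the check text: a rule written `-p rwa` or `-p aw`, or one whose `-k` key contains a hyphen, fails the regex even though auditd is watching the file for writes and attribute changes; a permission clause such as `-p\s+(?=[rwxa]*w)(?=[rwxa]*a)[rwxa]+` and `-k\s+\S+` would match what auditd actually accepts. The test also reads only the static file, so a watch that exists in `/etc/audit/audit.rules` but was never loaded (auditd not restarted, or rules kept under `/etc/audit/rules.d/` and compiled by augenrules) passes or fails for the wrong reason; comparing against `auditctl -l` output would reflect the control's intent. Separately, the quoted check command `$sudo egrep -w` is missing the space after `$`, which will trip anyone pasting it.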
@@ -6901,35 +6950,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify insecure file locking has been disabled, run the\nfollowing command:\n\n# grep insecure_locks /etc/exports\n\n\nIf there is output, this is a finding.", - "fix": "By default the NFS server requires secure file-lock requests,\nwhich require credentials from the client in order to lock a file. Most NFS\nclients send credentials with file lock requests, however, there are a few\nclients that do not send credentials when requesting a file-lock, allowing the\nclient to only be able to lock world-readable files. To get around this, the\n\"insecure_locks\" option can be used so these clients can access the desired\nexport. This poses a security risk by potentially allowing the client access to\ndata for which it does not have authorization. Remove any instances of the\n\"insecure_locks\" option from the file \"/etc/exports\"." + "check": "To determine if the system is configured to audit calls to the\n\"chown\" system call, run the following command:\n\n$ sudo grep -w \"chown\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod" }, - "code": "control \"V-38677\" do\n title \"The NFS server must not have the insecure file locking option enabled.\"\n desc \"Allowing insecure file locking could allow for sensitive data to be\nviewed or edited by an unauthorized user.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000104\"\n tag \"gid\": \"V-38677\"\n tag \"rid\": \"SV-50478r1_rule\"\n tag \"stig_id\": \"RHEL-06-000309\"\n tag \"fix_id\": \"F-43626r1_fix\"\n tag \"cci\": [\"CCI-000764\"]\n tag \"nist\": [\"IA-2\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify insecure file locking has been disabled, run the\nfollowing command:\n\n# grep insecure_locks /etc/exports\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"By default the NFS server requires secure file-lock requests,\nwhich require credentials from the client in order to lock a file. Most NFS\nclients send credentials with file lock requests, however, there are a few\nclients that do not send credentials when requesting a file-lock, allowing the\nclient to only be able to lock world-readable files. To get around this, the\n\\\"insecure_locks\\\" option can be used so these clients can access the desired\nexport. 
This poses a security risk by potentially allowing the client access to\ndata for which it does not have authorization. Remove any instances of the\n\\\"insecure_locks\\\" option from the file \\\"/etc/exports\\\".\"\n\n describe file(\"/etc/exports\") do\n its(\"content\") { should_not match(/^[^#]*insecure_locks.*$/) }\n end\nend\n", + "code": "control \"V-38545\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using chown.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38545\"\n tag \"rid\": \"SV-50346r3_rule\"\n tag \"stig_id\": \"RHEL-06-000185\"\n tag \"fix_id\": \"F-43493r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"chown\\\" system call, run the following command:\n\n$ sudo grep -w \\\"chown\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)chown(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)chown(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38677.rb", + "ref": "./Red Hat 6 STIG/controls/V-38545.rb", "line": 1 }, - "id": "V-38677" + "id": "V-38545" }, { - "title": "The Bluetooth kernel module must be disabled.", - "desc": "If Bluetooth functionality must be disabled, preventing the kernel\nfrom loading the kernel module provides an additional safeguard against its\nactivation.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lchown.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "If Bluetooth functionality must be disabled, preventing the kernel\nfrom loading the kernel module provides an additional safeguard against its\nactivation." 
+ "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000034", - "gid": "V-38682", - "rid": "SV-50483r5_rule", - "stig_id": "RHEL-06-000315", - "fix_id": "F-43631r3_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38558", + "rid": "SV-50359r3_rule", + "stig_id": "RHEL-06-000192", + "fix_id": "F-43506r2_fix", "cci": [ - "CCI-000085" + "CCI-000172" ], "nist": [ - "AC-19 c", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
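Review bot: The V-38545 code checks only the `arch=b32` rules and ends with an empty `describe.one do … end`, so on an x86_64 host the `arch=b64` chown rules that the fix text itself requires are never verified and 64-bit `chown` calls can go unaudited while the control still passes. The empty `describe.one` produces no test at all; either delete it or fill it with the b64 variants of the two preceding matchers (same regexes with `arch=b64` substituted), ideally gated on `os.arch` so 32-bit hosts are not penalised. Note too that `auid>=500` is the RHEL 6 UID_MIN; if this file is consumed as the Ubuntu 16.04 baseline its name suggests (UID_MIN 1000 there), a comment pointing out the `./Red Hat 6 STIG/controls/` origin of the threshold would save the next reader from auditing service accounts 500–999 as interactive users.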
@@ -6942,30 +6991,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is configured to prevent the loading of the\n\"bluetooth\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"|\ngrep -v \"#\"\n\nIf no line is returned, this is a finding.\n\nIf the system is configured to prevent the loading of the \"net-pf-31\" kernel\nmodule, it will contain lines inside any file in \"/etc/modprobe.d\" or the\ndeprecated\"/etc/modprobe.conf\". These lines instruct the module loading\nsystem to run another program (such as \"/bin/true\") upon a module \"install\"\nevent. Run the following command to search for such lines in all files in\n\"/etc/modprobe.d\" and the deprecated \"/etc/modprobe.conf\":\n\n$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\" |\ngrep -v \"#\"\n\nIf no line is returned, this is a finding.", - "fix": "The kernel's module loading system can be configured to prevent\nloading of the Bluetooth module. Add the following to the appropriate\n\"/etc/modprobe.d\" configuration file to prevent the loading of the Bluetooth\nmodule:\n\ninstall net-pf-31 /bin/true\ninstall bluetooth /bin/true" + "check": "To determine if the system is configured to audit calls to the\n\"lchown\" system call, run the following command:\n\n$ sudo grep -w \"lchown\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. 
", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod" }, - "code": "control \"V-38682\" do\n title \"The Bluetooth kernel module must be disabled.\"\n desc \"If Bluetooth functionality must be disabled, preventing the kernel\nfrom loading the kernel module provides an additional safeguard against its\nactivation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000034\"\n tag \"gid\": \"V-38682\"\n tag \"rid\": \"SV-50483r5_rule\"\n tag \"stig_id\": \"RHEL-06-000315\"\n tag \"fix_id\": \"F-43631r3_fix\"\n tag \"cci\": [\"CCI-000085\"]\n tag \"nist\": [\"AC-19 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"bluetooth\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. 
Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"|\ngrep -v \\\"#\\\"\n\nIf no line is returned, this is a finding.\n\nIf the system is configured to prevent the loading of the \\\"net-pf-31\\\" kernel\nmodule, it will contain lines inside any file in \\\"/etc/modprobe.d\\\" or the\ndeprecated\\\"/etc/modprobe.conf\\\". These lines instruct the module loading\nsystem to run another program (such as \\\"/bin/true\\\") upon a module \\\"install\\\"\nevent. Run the following command to search for such lines in all files in\n\\\"/etc/modprobe.d\\\" and the deprecated \\\"/etc/modprobe.conf\\\":\n\n$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\" |\ngrep -v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The kernel's module loading system can be configured to prevent\nloading of the Bluetooth module. 
Add the following to the appropriate\n\\\"/etc/modprobe.d\\\" configuration file to prevent the loading of the Bluetooth\nmodule:\n\ninstall net-pf-31 /bin/true\ninstall bluetooth /bin/true\"\n\n describe kernel_module('bluetooth') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\n\n describe kernel_module('net-pf-31') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control \"V-38558\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lchown.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38558\"\n tag \"rid\": \"SV-50359r3_rule\"\n tag \"stig_id\": \"RHEL-06-000192\"\n tag \"fix_id\": \"F-43506r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"lchown\\\" system call, run the following command:\n\n$ sudo grep -w \\\"lchown\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lchown(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lchown(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38682.rb", + "ref": "./Red Hat 6 STIG/controls/V-38558.rb", "line": 1 }, - "id": "V-38682" + "id": "V-38558" }, { - "title": "The DHCP client must be disabled if not needed.", - "desc": "DHCP relies on trusting the local network. If the local network is not\ntrusted, then it should not be used. However, the automatic configuration\nprovided by DHCP is commonly used and the alternative, manual configuration,\npresents an unacceptable burden in many circumstances.", + "title": "The mail system must forward all mail for root to one or more system\nadministrators.", + "desc": "A number of system services utilize email messages sent to the root\nuser to notify system administrators of active or impending issues. These\nmessages must be forwarded to at least one monitored email address.", "descriptions": { - "default": "DHCP relies on trusting the local network. If the local network is not\ntrusted, then it should not be used. 
However, the automatic configuration\nprovided by DHCP is commonly used and the alternative, manual configuration,\npresents an unacceptable burden in many circumstances." + "default": "A number of system services utilize email messages sent to the root\nuser to notify system administrators of active or impending issues. These\nmessages must be forwarded to at least one monitored email address." }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38679", - "rid": "SV-50480r3_rule", - "stig_id": "RHEL-06-000292", - "fix_id": "F-43628r2_fix", + "gid": "V-38446", + "rid": "SV-50246r2_rule", + "stig_id": "RHEL-06-000521", + "fix_id": "F-43391r1_fix", "cci": [ "CCI-000366" ], 
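Review bot: The V-38558 matchers cover only `arch=b32` rules and the trailing `describe.one do … end` is empty, so missing `-S lchown` rules for `arch=b64` go undetected on 64-bit systems even though the fix text lists them as required. Either remove the empty `describe.one` or add the two `arch=b64` matchers (the existing regexes with `arch=b64` substituted), and consider asserting against `auditctl -l` so that rules present in the file but not loaded are also caught. This hunk additionally opens the V-38446 metadata, whose code lands in the following hunk.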
@@ -6983,35 +7032,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If DHCP is required by the organization, this is Not Applicable.\n\nFor each interface [IFACE] on the system (e.g. eth0), verify that DHCP is not\nbeing used:\n\n# cat /etc/sysconfig/network-scripts/ifcfg-[IFACE] | grep -i \"bootproto\" | grep\n–v \"#\"\n\nBOOTPROTO=none\n\nIf no output is returned this is a finding.\nIf BOOTPROTO is not set to \"none\", this is a finding.\n", - "fix": "For each interface [IFACE] on the system (e.g. eth0), edit\n\"/etc/sysconfig/network-scripts/ifcfg-[IFACE]\" and make the following\nchanges.\n\nCorrect the BOOTPROTO line to read:\n\nBOOTPROTO=none\n\n\nAdd or correct the following lines, substituting the appropriate values based\non your site's addressing scheme:\n\nNETMASK=[local LAN netmask]\nIPADDR=[assigned IP address]\nGATEWAY=[local LAN default gateway]" + "check": "Find the list of alias maps used by the Postfix mail server:\n\n# postconf alias_maps\n\nQuery the Postfix alias maps for an alias for \"root\":\n\n# postmap -q root hash:/etc/aliases\n\nIf there are no aliases configured for root that forward to a monitored email\naddress, this is a finding.", + "fix": "Set up an alias for root that forwards to a monitored email\naddress:\n\n# echo \"root: @mail.mil\" >> /etc/aliases\n# newaliases" }, - "code": "control \"V-38679\" do\n title \"The DHCP client must be disabled if not needed.\"\n desc \"DHCP relies on trusting the local network. If the local network is not\ntrusted, then it should not be used. 
However, the automatic configuration\nprovided by DHCP is commonly used and the alternative, manual configuration,\npresents an unacceptable burden in many circumstances.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38679\"\n tag \"rid\": \"SV-50480r3_rule\"\n tag \"stig_id\": \"RHEL-06-000292\"\n tag \"fix_id\": \"F-43628r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If DHCP is required by the organization, this is Not Applicable.\n\nFor each interface [IFACE] on the system (e.g. eth0), verify that DHCP is not\nbeing used:\n\n# cat /etc/sysconfig/network-scripts/ifcfg-[IFACE] | grep -i \\\"bootproto\\\" | grep\n–v \\\"#\\\"\n\nBOOTPROTO=none\n\nIf no output is returned this is a finding.\nIf BOOTPROTO is not set to \\\"none\\\", this is a finding.\n\"\n tag \"fix\": \"For each interface [IFACE] on the system (e.g. 
eth0), edit\n\\\"/etc/sysconfig/network-scripts/ifcfg-[IFACE]\\\" and make the following\nchanges.\n\nCorrect the BOOTPROTO line to read:\n\nBOOTPROTO=none\n\n\nAdd or correct the following lines, substituting the appropriate values based\non your site's addressing scheme:\n\nNETMASK=[local LAN netmask]\nIPADDR=[assigned IP address]\nGATEWAY=[local LAN default gateway]\"\n\n command(\"find /etc/sysconfig/network-scripts -type f -regex .\\\\*/ifcfg-.\\\\*\").stdout.split.each do |entry|\n describe file(entry) do\n its(\"content\") { should match(/^[\\s]*BOOTPROTO[\\s]*=[\\s\"]*([^#\"\\s]*)/) }\n end\n end\nend\n", + "code": "control \"V-38446\" do\n title \"The mail system must forward all mail for root to one or more system\nadministrators.\"\n desc \"A number of system services utilize email messages sent to the root\nuser to notify system administrators of active or impending issues. These\nmessages must be forwarded to at least one monitored email address.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38446\"\n tag \"rid\": \"SV-50246r2_rule\"\n tag \"stig_id\": \"RHEL-06-000521\"\n tag \"fix_id\": \"F-43391r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Find the list of alias maps used by the Postfix mail server:\n\n# postconf alias_maps\n\nQuery the Postfix alias maps for an alias for \\\"root\\\":\n\n# postmap -q root hash:/etc/aliases\n\nIf there are no aliases configured for root that forward to a monitored email\naddress, this is a finding.\"\n tag \"fix\": \"Set up an alias for root that forwards to a monitored email\naddress:\n\n# echo \\\"root: @mail.mil\\\" >> 
/etc/aliases\n# newaliases\"\n\n alias_maps = parse_config(command(\"postconf alias_maps\").stdout.strip).params['alias_maps']\n\n describe \"postconf alias_maps\" do\n subject { alias_maps }\n it { should_not be_empty }\n end\n\n describe command(\"postmap -q root #{alias_maps}\") do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38679.rb", + "ref": "./Red Hat 6 STIG/controls/V-38446.rb", "line": 1 }, - "id": "V-38679" + "id": "V-38446" }, { - "title": "The operating system must connect to external networks or information\nsystems only through managed IPv6 interfaces consisting of boundary protection\ndevices arranged in accordance with an organizational security architecture.", - "desc": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.", + "title": "The postfix service must be enabled for mail delivery.", + "desc": "Local mail delivery is essential to some system maintenance and\nnotification tasks.", "descriptions": { - "default": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6." + "default": "Local mail delivery is essential to some system maintenance and\nnotification tasks." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000145", - "gid": "V-38551", - "rid": "SV-50352r3_rule", - "stig_id": "RHEL-06-000106", - "fix_id": "F-43499r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38669", + "rid": "SV-50470r1_rule", + "stig_id": "RHEL-06-000287", + "fix_id": "F-43618r1_fix", "cci": [ - "CCI-001098" + "CCI-000366" ], "nist": [ - "SC-7 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
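Review bot: The V-38446 code only asserts that `postmap -q root …` prints something, so `root: root`, `root: /dev/null`, or an alias to another unmonitored local account all pass even though the check text requires forwarding to a monitored address; at minimum assert `its('stdout.strip') { should_not be_in ['', 'root'] }` and ideally that the value contains `@`. `alias_maps` is interpolated raw into the command string: `postconf alias_maps` can return several maps (e.g. `hash:/etc/aliases, nis:mail.aliases`), the comma-joined string is not a valid `postmap` argument list, and `nis:`/`ldap:` map types cannot be queried by postmap at all, so split on `/[,\s]+/` and query each file-backed (`hash:`) map separately. When postfix is not installed `parse_config(...)['alias_maps']` is nil and the second describe runs `postmap -q root ` with an opaque failure; guard the control with `only_if { command('postconf').exist? }`. The fix text's `root: @mail.mil` is a placeholder with no local part and should not be copied verbatim.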
@@ -7024,35 +7073,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPV6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"ip6tables\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start" + "check": "Run the following command to determine the current status of\nthe \"postfix\" service:\n\n# service postfix status\n\nIf the service is enabled, it should return the following:\n\npostfix is running...\n\nIf the service is not enabled, this is a finding.", + "fix": "The Postfix mail transfer agent is used for local mail delivery\nwithin the system. The default configuration only listens for connections to\nthe default SMTP port (port 25) on the loopback interface (127.0.0.1). It is\nrecommended to leave this service enabled for local mail delivery. 
The\n\"postfix\" service can be enabled with the following command:\n\n# chkconfig postfix on\n# service postfix start" }, - "code": "control \"V-38551\" do\n title \"The operating system must connect to external networks or information\nsystems only through managed IPv6 interfaces consisting of boundary protection\ndevices arranged in accordance with an organizational security architecture.\"\n desc \"The \\\"ip6tables\\\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000145\"\n tag \"gid\": \"V-38551\"\n tag \"rid\": \"SV-50352r3_rule\"\n tag \"stig_id\": \"RHEL-06-000106\"\n tag \"fix_id\": \"F-43499r2_fix\"\n tag \"cci\": [\"CCI-001098\"]\n tag \"nist\": [\"SC-7 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nIf IPV6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \\\"ip6tables\\\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"ip6tables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start\"\n\n describe service('ip6tables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38669\" do\n title \"The postfix service must be enabled for mail delivery.\"\n desc \"Local mail delivery is essential to some system maintenance and\nnotification tasks.\"\n impact 0.3\n tag \"gtitle\": 
\"SRG-OS-999999\"\n tag \"gid\": \"V-38669\"\n tag \"rid\": \"SV-50470r1_rule\"\n tag \"stig_id\": \"RHEL-06-000287\"\n tag \"fix_id\": \"F-43618r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"postfix\\\" service:\n\n# service postfix status\n\nIf the service is enabled, it should return the following:\n\npostfix is running...\n\nIf the service is not enabled, this is a finding.\"\n tag \"fix\": \"The Postfix mail transfer agent is used for local mail delivery\nwithin the system. The default configuration only listens for connections to\nthe default SMTP port (port 25) on the loopback interface (127.0.0.1). It is\nrecommended to leave this service enabled for local mail delivery. 
The\n\\\"postfix\\\" service can be enabled with the following command:\n\n# chkconfig postfix on\n# service postfix start\"\n\n describe package(\"postfix\") do\n it { should be_installed }\n end\n describe.one do\n describe service(\"postfix\").runlevels(/0/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/1/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/2/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/3/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/4/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/5/) do\n it { should be_enabled }\n end\n describe service(\"postfix\").runlevels(/6/) do\n it { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38551.rb", + "ref": "./Red Hat 6 STIG/controls/V-38669.rb", "line": 1 }, - "id": "V-38551" + "id": "V-38669" }, { - "title": "The audit system must be configured to audit all use of setuid and\nsetgid programs.", - "desc": "Privileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. As such, motivation exists to monitor these programs for\nunusual activity.", + "title": "The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (login.defs).", + "desc": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.", "descriptions": { - "default": "Privileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. As such, motivation exists to monitor these programs for\nunusual activity." + "default": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000020", - "gid": "V-38567", - "rid": "SV-50368r4_rule", - "stig_id": "RHEL-06-000198", - "fix_id": "F-43515r6_fix", + "gtitle": "SRG-OS-000120", + "gid": "V-38576", + "rid": "SV-50377r1_rule", + "stig_id": "RHEL-06-000063", + "fix_id": "F-43524r1_fix", "cci": [ - "CCI-000040" + "CCI-000803" ], "nist": [ - "AC-6 (2)", + "IA-7", "Rev_4" ], "false_negatives": null, 
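Review bot: The new V-38669 control only tests `be_enabled`, via `describe.one` over runlevels 0–6 in the `code` string, while its own `check` text asks whether the service is running; enabled at runlevel 0, 1 or 6 alone satisfies `describe.one`, and a stopped service passes. I would test the service directly, `describe service("postfix") do`, `it { should be_enabled }`, `it { should be_running }`, and limit any runlevel check to 2–5. Since this JSON looks like an exported profile, the change belongs in `./Red Hat 6 STIG/controls/V-38669.rb` with the export regenerated. Separately, every `source_location.ref` in these hunks names `./Red Hat 6 STIG/controls/...`; worth confirming that is the profile this baseline file is meant to carry.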
@@ -7065,35 +7114,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify that auditing of privileged command use is\nconfigured, run the following command once for each local partition [PART] to\nfind relevant setuid / setgid programs:\n\n$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null\n\nRun the following command to verify entries in the audit rules for all programs\nfound with the previous command:\n\n$ sudo grep path /etc/audit/audit.rules\n\nIt should be the case that all relevant setuid / setgid programs have a line in\nthe audit rules. If that is not the case, this is a finding. ", - "fix": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. To find the relevant setuid /\nsetgid programs, run the following command for each local partition [PART]:\n\n$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null\n\nThen, for each setuid / setgid program on the system, add a line of the\nfollowing form to \"/etc/audit/audit.rules\", where [SETUID_PROG_PATH] is the\nfull path to each setuid / setgid program in the list:\n\n-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F\nauid!=4294967295 -k privileged" + "check": "Inspect \"/etc/login.defs\" and ensure the following line\nappears:\n\nENCRYPT_METHOD SHA512\n\n\nIf it does not, this is a finding.", + "fix": "In \"/etc/login.defs\", add or correct the following line to\nensure the system will use SHA-512 as the hashing algorithm:\n\nENCRYPT_METHOD SHA512" }, - "code": "control \"V-38567\" do\n title \"The audit system must be configured to audit all use of setuid and\nsetgid programs.\"\n desc \"Privileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. 
As such, motivation exists to monitor these programs for\nunusual activity.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000020\"\n tag \"gid\": \"V-38567\"\n tag \"rid\": \"SV-50368r4_rule\"\n tag \"stig_id\": \"RHEL-06-000198\"\n tag \"fix_id\": \"F-43515r6_fix\"\n tag \"cci\": [\"CCI-000040\"]\n tag \"nist\": [\"AC-6 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that auditing of privileged command use is\nconfigured, run the following command once for each local partition [PART] to\nfind relevant setuid / setgid programs:\n\n$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null\n\nRun the following command to verify entries in the audit rules for all programs\nfound with the previous command:\n\n$ sudo grep path /etc/audit/audit.rules\n\nIt should be the case that all relevant setuid / setgid programs have a line in\nthe audit rules. If that is not the case, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. 
To find the relevant setuid /\nsetgid programs, run the following command for each local partition [PART]:\n\n$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null\n\nThen, for each setuid / setgid program on the system, add a line of the\nfollowing form to \\\"/etc/audit/audit.rules\\\", where [SETUID_PROG_PATH] is the\nfull path to each setuid / setgid program in the list:\n\n-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F\nauid!=4294967295 -k privileged\"\n\n files = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type f -perm /6000 -print)).stdout.strip.split(\"\\n\")\n \n if files.empty?\n describe \"setuid and setgid files\" do\n subject { files }\n it { should be_empty }\n end\n else\n files.each do |f|\n describe auditd do\n its('lines') { should include match \"path=#{f}\" }\n end\n end\n end\nend\n", + "code": "control \"V-38576\" do\n title \"The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (login.defs).\"\n desc \"Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000120\"\n tag \"gid\": \"V-38576\"\n tag \"rid\": \"SV-50377r1_rule\"\n tag \"stig_id\": \"RHEL-06-000063\"\n tag \"fix_id\": \"F-43524r1_fix\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/login.defs\\\" and ensure the following line\nappears:\n\nENCRYPT_METHOD SHA512\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"In \\\"/etc/login.defs\\\", 
add or correct the following line to\nensure the system will use SHA-512 as the hashing algorithm:\n\nENCRYPT_METHOD SHA512\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^[\\s]*ENCRYPT_METHOD[\\s]+SHA512[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38567.rb", + "ref": "./Red Hat 6 STIG/controls/V-38576.rb", "line": 1 }, - "id": "V-38567" + "id": "V-38576" }, { - "title": "The system must use SMB client signing for connecting to samba servers\nusing mount.cifs.", - "desc": "Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit.", + "title": "The noexec option must be added to removable media partitions.", + "desc": "Allowing users to execute binaries from removable media such as USB\nkeys exposes the system to potential compromise.", "descriptions": { - "default": "Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit." + "default": "Allowing users to execute binaries from removable media such as USB\nkeys exposes the system to potential compromise." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38657", - "rid": "SV-50458r2_rule", - "stig_id": "RHEL-06-000273", - "fix_id": "F-43607r1_fix", + "gtitle": "SRG-OS-000035", + "gid": "V-38655", + "rid": "SV-50456r1_rule", + "stig_id": "RHEL-06-000271", + "fix_id": "F-43605r1_fix", "cci": [ - "CCI-000366" + "CCI-000087" ], "nist": [ - "CM-6 b", + "AC-19 e", "Rev_4" ], "false_negatives": null, 
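Review bot: The V-38576 test in the new `code` string only requires that some uncommented line matches `ENCRYPT_METHOD SHA512`; a later `ENCRYPT_METHOD` line naming a weaker algorithm would still pass the regex, and I believe shadow-utils takes the last definition (worth confirming). The `login_defs` resource reports the effective value and gives a clearer failure message: `describe login_defs do`, `its('ENCRYPT_METHOD') { should eq 'SHA512' }`, `end`. As with the other controls here, the fix belongs in `./Red Hat 6 STIG/controls/V-38576.rb` and the JSON should be regenerated.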
@@ -7106,35 +7155,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If Samba is not in use, this is not applicable.\n\nTo verify that Samba clients using mount.cifs must use packet signing, run the\nfollowing command:\n\n# grep sec /etc/fstab /etc/mtab\n\nThe output should show either \"krb5i\" or \"ntlmv2i\" in use.\nIf it does not, this is a finding.", - "fix": "Require packet signing of clients who mount Samba shares using\nthe \"mount.cifs\" program (e.g., those who specify shares in \"/etc/fstab\").\nTo do so, ensure signing options (either \"sec=krb5i\" or \"sec=ntlmv2i\") are\nused.\n\nSee the \"mount.cifs(8)\" man page for more information. A Samba client should\nonly communicate with servers who can support SMB packet signing." + "check": "To verify that binaries cannot be directly executed from\nremovable media, run the following command:\n\n# grep noexec /etc/fstab\n\nThe output should show \"noexec\" in use.\nIf it does not, this is a finding.", + "fix": "The \"noexec\" mount option prevents the direct execution of\nbinaries on the mounted filesystem. Users should not be allowed to execute\nbinaries that exist on partitions mounted from removable media (such as a USB\nkey). The \"noexec\" option prevents code from being executed directly from the\nmedia itself, and may therefore provide a line of defense against certain types\nof worms or malicious code. Add the \"noexec\" option to the fourth column of\n\"/etc/fstab\" for the line which controls mounting of any removable media\npartitions." 
}, - "code": "control \"V-38657\" do\n title \"The system must use SMB client signing for connecting to samba servers\nusing mount.cifs.\"\n desc \"Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38657\"\n tag \"rid\": \"SV-50458r2_rule\"\n tag \"stig_id\": \"RHEL-06-000273\"\n tag \"fix_id\": \"F-43607r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If Samba is not in use, this is not applicable.\n\nTo verify that Samba clients using mount.cifs must use packet signing, run the\nfollowing command:\n\n# grep sec /etc/fstab /etc/mtab\n\nThe output should show either \\\"krb5i\\\" or \\\"ntlmv2i\\\" in use.\nIf it does not, this is a finding.\"\n tag \"fix\": \"Require packet signing of clients who mount Samba shares using\nthe \\\"mount.cifs\\\" program (e.g., those who specify shares in \\\"/etc/fstab\\\").\nTo do so, ensure signing options (either \\\"sec=krb5i\\\" or \\\"sec=ntlmv2i\\\") are\nused.\n\nSee the \\\"mount.cifs(8)\\\" man page for more information. A Samba client should\nonly communicate with servers who can support SMB packet signing.\"\n\n mounts = command('mount').stdout.strip.split(\"\\n\").\n map do |d|\n split_mounts = d.split(%r{\\s+})\n options = split_mounts[-1].match(%r{\\((.*)\\)$}).captures.first.split(',')\n dev_file = file(split_mounts[0])\n dev_link = dev_file.symlink? ? 
dev_file.link_path : dev_file.path\n {'dev'=>split_mounts[0], 'link'=>dev_link, 'mount'=>split_mounts[2], 'options'=>options, 'type'=> split_mounts[-2]}\n end\n\n cifs_mounts = mounts.select { |mnt| mnt['type'] == 'cifs' }\n\n if cifs_mounts.empty?\n impact 0.0\n describe \"Samba shares not in use\" do\n skip \"Samba shares not in use, this control Not Applicable\"\n end\n else\n cifs_mounts.each do |mnt|\n describe \"Mount #{mnt['mount']} options\" do\n subject { mnt['options'] }\n it { should (include 'sec=krb5i').or include 'sec=ntlmv2i' }\n end\n end\n end\nend\n", + "code": "control \"V-38655\" do\n title \"The noexec option must be added to removable media partitions.\"\n desc \"Allowing users to execute binaries from removable media such as USB\nkeys exposes the system to potential compromise.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000035\"\n tag \"gid\": \"V-38655\"\n tag \"rid\": \"SV-50456r1_rule\"\n tag \"stig_id\": \"RHEL-06-000271\"\n tag \"fix_id\": \"F-43605r1_fix\"\n tag \"cci\": [\"CCI-000087\"]\n tag \"nist\": [\"AC-19 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that binaries cannot be directly executed from\nremovable media, run the following command:\n\n# grep noexec /etc/fstab\n\nThe output should show \\\"noexec\\\" in use.\nIf it does not, this is a finding.\"\n tag \"fix\": \"The \\\"noexec\\\" mount option prevents the direct execution of\nbinaries on the mounted filesystem. Users should not be allowed to execute\nbinaries that exist on partitions mounted from removable media (such as a USB\nkey). 
The \\\"noexec\\\" option prevents code from being executed directly from the\nmedia itself, and may therefore provide a line of defense against certain types\nof worms or malicious code. Add the \\\"noexec\\\" option to the fourth column of\n\\\"/etc/fstab\\\" for the line which controls mounting of any removable media\npartitions.\"\n\n mounts = command('mount').stdout.strip.split(\"\\n\").\n map do |d|\n split_mounts = d.split(%r{\\s+})\n options = split_mounts[-1].match(%r{\\((.*)\\)$}).captures.first.split(',')\n dev_file = file(split_mounts[0])\n dev_link = dev_file.symlink? ? dev_file.link_path : dev_file.path\n {'dev'=>split_mounts[0], 'link'=>dev_link, 'mount'=>split_mounts[2], 'options'=>options}\n end\n\n dev_mounts = mounts.\n select { |mnt| mnt['dev'].start_with? '/' and !mnt['dev'].start_with? '//' }.\n map do |mnt|\n # https://unix.stackexchange.com/a/308724\n partition = ['/sys/class/block', mnt['link'].sub(%r{^/dev/}, ''), 'partition'].join('/')\n if file(partition).exist?\n root_dev = command('basename \"$(readlink -f \"/sys/class/block/sda1/..\")\"').stdout.strip\n mnt['root_dev'] = '/dev/' + root_dev\n else\n mnt['root_dev'] = mnt['link']\n end\n mnt\n end\n\n removable_mounts = dev_mounts.select do |mnt| \n removable = ['/sys/block', mnt['root_dev'].sub(%r{^/dev/}, ''), 'removable'].join('/')\n file(removable).content.strip == '1'\n end\n\n if removable_mounts.empty?\n describe \"Removable mounted devices\" do\n subject { removable_mounts }\n it { should be_empty }\n end\n else\n removable_mounts.each do |mnt|\n describe \"Mount #{mnt['mount']} options\" do\n subject { mnt['options'] }\n it { should include 'noexec' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38657.rb", + "ref": "./Red Hat 6 STIG/controls/V-38655.rb", "line": 1 }, - "id": "V-38657" + "id": "V-38655" }, { - "title": "The rdisc service must not be running.", - "desc": "General-purpose systems typically have their network and 
routing\ninformation configured statically by a system administrator. Workstations or\nsome special-purpose systems often use DHCP (instead of IRDP) to retrieve\ndynamic network configuration information.", + "title": "The /etc/passwd file must not contain password hashes.", + "desc": "The hashes for all user account passwords should be stored in the file\n\"/etc/shadow\" and never in \"/etc/passwd\", which is readable by all users.", "descriptions": { - "default": "General-purpose systems typically have their network and routing\ninformation configured statically by a system administrator. Workstations or\nsome special-purpose systems often use DHCP (instead of IRDP) to retrieve\ndynamic network configuration information." + "default": "The hashes for all user account passwords should be stored in the file\n\"/etc/shadow\" and never in \"/etc/passwd\", which is readable by all users." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38650", - "rid": "SV-50451r2_rule", - "stig_id": "RHEL-06-000268", - "fix_id": "F-43599r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38499", + "rid": "SV-50300r1_rule", + "stig_id": "RHEL-06-000031", + "fix_id": "F-43446r1_fix", "cci": [ - "CCI-000382" + "CCI-000366" ], "nist": [ - "CM-7 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
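Review bot: In the new V-38655 `code` string the parent-device lookup hard-codes `sda1`: `root_dev = command('basename "$(readlink -f "/sys/class/block/sda1/..")"')` ignores the `partition` path just computed from `mnt['link']`, so every partition-backed mount is attributed to sda's removable flag and a removable device mounted from another disk (or a system without sda) is classified wrongly. It should derive the path from the mount's own device, e.g. `root_dev = command(%(basename "$(readlink -f "/sys/class/block/#{mnt['link'].sub(%r{^/dev/}, '')}/..")")).stdout.strip`. The later `file(removable).content.strip` will also raise rather than fail the example when the sysfs `removable` file is absent (presumably device-mapper or loop devices); `content.to_s.strip` keeps it a plain non-match. The source is `./Red Hat 6 STIG/controls/V-38655.rb`.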
@@ -7147,35 +7196,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"rdisc\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"rdisc\" --list\n\nOutput should indicate the \"rdisc\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"rdisc\" --list\n\"rdisc\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"rdisc\" is disabled through current\nruntime configuration:\n\n# service rdisc status\n\nIf the service is disabled the command will return the following output:\n\nrdisc is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The \"rdisc\" service implements the client side of the ICMP\nInternet Router Discovery Protocol (IRDP), which allows discovery of routers on\nthe local subnet. If a router is discovered then the local routing table is\nupdated with a corresponding default route. By default this daemon is disabled.\nThe \"rdisc\" service can be disabled with the following commands:\n\n# chkconfig rdisc off\n# service rdisc stop" + "check": "To check that no password hashes are stored in \"/etc/passwd\",\nrun the following command:\n\n# awk -F: '($2 != \"x\") {print}' /etc/passwd\n\nIf it produces any output, then a password hash is stored in \"/etc/passwd\".\nIf any stored hashes are found in /etc/passwd, this is a finding.", + "fix": "If any password hashes are stored in \"/etc/passwd\" (in the\nsecond field, instead of an \"x\"), the cause of this misconfiguration should\nbe investigated. The account should have its password reset and the hash should\nbe properly stored, or the account should be deleted entirely." 
}, - "code": "control \"V-38650\" do\n title \"The rdisc service must not be running.\"\n desc \"General-purpose systems typically have their network and routing\ninformation configured statically by a system administrator. Workstations or\nsome special-purpose systems often use DHCP (instead of IRDP) to retrieve\ndynamic network configuration information.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38650\"\n tag \"rid\": \"SV-50451r2_rule\"\n tag \"stig_id\": \"RHEL-06-000268\"\n tag \"fix_id\": \"F-43599r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"rdisc\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"rdisc\\\" --list\n\nOutput should indicate the \\\"rdisc\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"rdisc\\\" --list\n\\\"rdisc\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"rdisc\\\" is disabled through current\nruntime configuration:\n\n# service rdisc status\n\nIf the service is disabled the command will return the following output:\n\nrdisc is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"rdisc\\\" service implements the client side of the ICMP\nInternet Router Discovery Protocol (IRDP), which allows discovery of routers on\nthe local subnet. If a router is discovered then the local routing table is\nupdated with a corresponding default route. 
By default this daemon is disabled.\nThe \\\"rdisc\\\" service can be disabled with the following commands:\n\n# chkconfig rdisc off\n# service rdisc stop\"\n\n describe.one do\n describe package(\"iputils\") do\n it { should_not be_installed }\n end\n describe service(\"rdisc\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38499\" do\n title \"The /etc/passwd file must not contain password hashes.\"\n desc \"The hashes for all user account passwords should be stored in the file\n\\\"/etc/shadow\\\" and never in \\\"/etc/passwd\\\", which is readable by all users.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38499\"\n tag \"rid\": \"SV-50300r1_rule\"\n tag \"stig_id\": \"RHEL-06-000031\"\n tag \"fix_id\": \"F-43446r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that no password hashes are stored in \\\"/etc/passwd\\\",\nrun the following command:\n\n# awk -F: '($2 != \\\"x\\\") {print}' /etc/passwd\n\nIf it produces any output, then a password hash is stored in \\\"/etc/passwd\\\".\nIf any stored hashes are found in /etc/passwd, this is a finding.\"\n tag \"fix\": \"If any password hashes are stored in \\\"/etc/passwd\\\" (in the\nsecond field, instead of an \\\"x\\\"), the cause of this misconfiguration 
should\nbe investigated. The account should have its password reset and the hash should\nbe properly stored, or the account should be deleted entirely.\"\n\n describe file(\"/etc/passwd\") do\n its(\"content\") { should match(/^[^:]*:([^:]*):/) }\n end\n file(\"/etc/passwd\").content.to_s.scan(/^[^:]*:([^:]*):/).flatten.each do |entry|\n describe entry do\n it { should eq \"x\" }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38650.rb", + "ref": "./Red Hat 6 STIG/controls/V-38499.rb", "line": 1 }, - "id": "V-38650" + "id": "V-38499" }, { - "title": "There must be no .rhosts or hosts.equiv files on the system.", - "desc": "Trust files are convenient, but when used in conjunction with the\nR-services, they can allow unauthenticated access to a system.", + "title": "The rsh-server package must not be installed.", + "desc": "The \"rsh-server\" package provides several obsolete and insecure\nnetwork services. Removing it decreases the risk of those services' accidental\n(or intentional) activation.", "descriptions": { - "default": "Trust files are convenient, but when used in conjunction with the\nR-services, they can allow unauthenticated access to a system." + "default": "The \"rsh-server\" package provides several obsolete and insecure\nnetwork services. Removing it decreases the risk of those services' accidental\n(or intentional) activation." }, "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000248", - "gid": "V-38491", - "rid": "SV-50292r1_rule", - "stig_id": "RHEL-06-000019", - "fix_id": "F-43438r1_fix", + "gtitle": "SRG-OS-000095", + "gid": "V-38591", + "rid": "SV-50392r1_rule", + "stig_id": "RHEL-06-000213", + "fix_id": "F-43539r1_fix", "cci": [ - "CCI-001436" + "CCI-000381" ], "nist": [ - "AC-17 (8)", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
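Review bot: The V-38499 `code` string re-parses `/etc/passwd` with a regex and emits one describe block per account, which reports as anonymous examples named `x`; the preceding `describe file("/etc/passwd")` only checks that the regex matches at all and adds nothing. The `passwd` resource makes the intent explicit and names the offending accounts on failure: `describe passwd.where { password != 'x' } do`, `its('users') { should be_empty }`, `end`. Source file is `./Red Hat 6 STIG/controls/V-38499.rb`.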
@@ -7188,35 +7237,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The existence of the file \"/etc/hosts.equiv\" or a file named\n\".rhosts\" inside a user home directory indicates the presence of an Rsh trust\nrelationship.\nIf these files exist, this is a finding.", - "fix": "The files \"/etc/hosts.equiv\" and \"~/.rhosts\" (in each user's\nhome directory) list remote hosts and users that are trusted by the local\nsystem when using the rshd daemon. To remove these files, run the following\ncommand to delete them from any location.\n\n# rm /etc/hosts.equiv\n\n\n\n$ rm ~/.rhosts" + "check": "Run the following command to determine if the \"rsh-server\"\npackage is installed:\n\n# rpm -q rsh-server\n\n\nIf the package is installed, this is a finding.", + "fix": "The \"rsh-server\" package can be uninstalled with the following\ncommand:\n\n# yum erase rsh-server" }, - "code": "control \"V-38491\" do\n title \"There must be no .rhosts or hosts.equiv files on the system.\"\n desc \"Trust files are convenient, but when used in conjunction with the\nR-services, they can allow unauthenticated access to a system.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000248\"\n tag \"gid\": \"V-38491\"\n tag \"rid\": \"SV-50292r1_rule\"\n tag \"stig_id\": \"RHEL-06-000019\"\n tag \"fix_id\": \"F-43438r1_fix\"\n tag \"cci\": [\"CCI-001436\"]\n tag \"nist\": [\"AC-17 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The existence of the file \\\"/etc/hosts.equiv\\\" or a file named\n\\\".rhosts\\\" inside a user home directory indicates the presence of an Rsh trust\nrelationship.\nIf these files exist, this is a finding.\"\n tag \"fix\": \"The 
files \\\"/etc/hosts.equiv\\\" and \\\"~/.rhosts\\\" (in each user's\nhome directory) list remote hosts and users that are trusted by the local\nsystem when using the rshd daemon. To remove these files, run the following\ncommand to delete them from any location.\n\n# rm /etc/hosts.equiv\n\n\n\n$ rm ~/.rhosts\"\n\n describe file(\"/root/^\\\\.(r|s)hosts$\") do\n it { should_not exist }\n end\n describe command(\"find /home -regex .\\\\*/\\\\^\\\\\\\\.\\\\(r\\\\|s\\\\)hosts\\\\$ -type f -maxdepth 1\") do\n its(\"stdout\") { should be_empty }\n end\n describe file(\"/etc/^s?hosts\\\\.equiv$\") do\n it { should_not exist }\n end\nend\n", + "code": "control \"V-38591\" do\n title \"The rsh-server package must not be installed.\"\n desc \"The \\\"rsh-server\\\" package provides several obsolete and insecure\nnetwork services. Removing it decreases the risk of those services' accidental\n(or intentional) activation.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000095\"\n tag \"gid\": \"V-38591\"\n tag \"rid\": \"SV-50392r1_rule\"\n tag \"stig_id\": \"RHEL-06-000213\"\n tag \"fix_id\": \"F-43539r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"rsh-server\\\"\npackage is installed:\n\n# rpm -q rsh-server\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"The \\\"rsh-server\\\" package can be uninstalled with the following\ncommand:\n\n# yum erase rsh-server\"\n\n describe package(\"rsh-server\") do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38491.rb", + "ref": "./Red Hat 6 
STIG/controls/V-38591.rb", "line": 1 }, - "id": "V-38491" + "id": "V-38591" }, { - "title": "X Windows must not be enabled unless required.", - "desc": "Unnecessary services should be disabled to decrease the attack surface\nof the system.", + "title": "The DHCP client must be disabled if not needed.", + "desc": "DHCP relies on trusting the local network. If the local network is not\ntrusted, then it should not be used. However, the automatic configuration\nprovided by DHCP is commonly used and the alternative, manual configuration,\npresents an unacceptable burden in many circumstances.", "descriptions": { - "default": "Unnecessary services should be disabled to decrease the attack surface\nof the system." + "default": "DHCP relies on trusting the local network. If the local network is not\ntrusted, then it should not be used. However, the automatic configuration\nprovided by DHCP is commonly used and the alternative, manual configuration,\npresents an unacceptable burden in many circumstances." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000248", - "gid": "V-38674", - "rid": "SV-50475r1_rule", - "stig_id": "RHEL-06-000290", - "fix_id": "F-43623r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38679", + "rid": "SV-50480r3_rule", + "stig_id": "RHEL-06-000292", + "fix_id": "F-43628r2_fix", "cci": [ - "CCI-001436" + "CCI-000366" ], "nist": [ - "AC-17 (8)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -7229,35 +7278,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the default runlevel is 3, run the following command:\n\n# grep initdefault /etc/inittab\n\nThe output should show the following:\n\nid:3:initdefault:\n\n\nIf it does not, this is a finding.", - "fix": "Setting the system's runlevel to 3 will prevent automatic startup\nof the X server. To do so, ensure the following line in \"/etc/inittab\"\nfeatures a \"3\" as shown:\n\nid:3:initdefault:" + "check": "If DHCP is required by the organization, this is Not Applicable.\n\nFor each interface [IFACE] on the system (e.g. eth0), verify that DHCP is not\nbeing used:\n\n# cat /etc/sysconfig/network-scripts/ifcfg-[IFACE] | grep -i \"bootproto\" | grep\n–v \"#\"\n\nBOOTPROTO=none\n\nIf no output is returned this is a finding.\nIf BOOTPROTO is not set to \"none\", this is a finding.\n", + "fix": "For each interface [IFACE] on the system (e.g. eth0), edit\n\"/etc/sysconfig/network-scripts/ifcfg-[IFACE]\" and make the following\nchanges.\n\nCorrect the BOOTPROTO line to read:\n\nBOOTPROTO=none\n\n\nAdd or correct the following lines, substituting the appropriate values based\non your site's addressing scheme:\n\nNETMASK=[local LAN netmask]\nIPADDR=[assigned IP address]\nGATEWAY=[local LAN default gateway]" }, - "code": "control \"V-38674\" do\n title \"X Windows must not be enabled unless required.\"\n desc \"Unnecessary services should be disabled to decrease the attack surface\nof the system.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000248\"\n tag \"gid\": \"V-38674\"\n tag \"rid\": \"SV-50475r1_rule\"\n tag \"stig_id\": \"RHEL-06-000290\"\n tag \"fix_id\": \"F-43623r1_fix\"\n tag \"cci\": [\"CCI-001436\"]\n tag \"nist\": [\"AC-17 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag 
\"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the default runlevel is 3, run the following command:\n\n# grep initdefault /etc/inittab\n\nThe output should show the following:\n\nid:3:initdefault:\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"Setting the system's runlevel to 3 will prevent automatic startup\nof the X server. To do so, ensure the following line in \\\"/etc/inittab\\\"\nfeatures a \\\"3\\\" as shown:\n\nid:3:initdefault:\"\n\n describe file(\"/etc/inittab\") do\n its(\"content\") { should match(/^[\\s]*id:3:initdefault:[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38679\" do\n title \"The DHCP client must be disabled if not needed.\"\n desc \"DHCP relies on trusting the local network. If the local network is not\ntrusted, then it should not be used. However, the automatic configuration\nprovided by DHCP is commonly used and the alternative, manual configuration,\npresents an unacceptable burden in many circumstances.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38679\"\n tag \"rid\": \"SV-50480r3_rule\"\n tag \"stig_id\": \"RHEL-06-000292\"\n tag \"fix_id\": \"F-43628r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If DHCP is required by the organization, this is Not Applicable.\n\nFor each interface [IFACE] on the system (e.g. 
eth0), verify that DHCP is not\nbeing used:\n\n# cat /etc/sysconfig/network-scripts/ifcfg-[IFACE] | grep -i \\\"bootproto\\\" | grep\n–v \\\"#\\\"\n\nBOOTPROTO=none\n\nIf no output is returned this is a finding.\nIf BOOTPROTO is not set to \\\"none\\\", this is a finding.\n\"\n tag \"fix\": \"For each interface [IFACE] on the system (e.g. eth0), edit\n\\\"/etc/sysconfig/network-scripts/ifcfg-[IFACE]\\\" and make the following\nchanges.\n\nCorrect the BOOTPROTO line to read:\n\nBOOTPROTO=none\n\n\nAdd or correct the following lines, substituting the appropriate values based\non your site's addressing scheme:\n\nNETMASK=[local LAN netmask]\nIPADDR=[assigned IP address]\nGATEWAY=[local LAN default gateway]\"\n\n command(\"find /etc/sysconfig/network-scripts -type f -regex .\\\\*/ifcfg-.\\\\*\").stdout.split.each do |entry|\n describe file(entry) do\n its(\"content\") { should match(/^[\\s]*BOOTPROTO[\\s]*=[\\s\"]*([^#\"\\s]*)/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38674.rb", + "ref": "./Red Hat 6 STIG/controls/V-38679.rb", "line": 1 }, - "id": "V-38674" + "id": "V-38679" }, { - "title": "The system must require administrator action to unlock an account\nlocked by excessive failed login attempts.", - "desc": "Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks. Ensuring that an administrator is\ninvolved in unlocking locked accounts draws appropriate attention to such\nsituations.", + "title": "The TFTP service must not be running.", + "desc": "Disabling the \"tftp\" service ensures the system is not acting as a\ntftp server, which does not provide encryption or authentication.", "descriptions": { - "default": "Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks. Ensuring that an administrator is\ninvolved in unlocking locked accounts draws appropriate attention to such\nsituations." 
+ "default": "Disabling the \"tftp\" service ensures the system is not acting as a\ntftp server, which does not provide encryption or authentication." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000022", - "gid": "V-38592", - "rid": "SV-50393r4_rule", - "stig_id": "RHEL-06-000356", - "fix_id": "F-43541r6_fix", + "gtitle": "SRG-OS-000248", + "gid": "V-38609", + "rid": "SV-50410r2_rule", + "stig_id": "RHEL-06-000223", + "fix_id": "F-43557r4_fix", "cci": [ - "CCI-000047" + "CCI-001436" ], "nist": [ - "AC-7 b", + "AC-17 (8)", "Rev_4" ], "false_negatives": null, 
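Review bot: The InSpec check in the new `code` string for V-38679 never asserts that BOOTPROTO is `none`: the regex `/^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)/` captures the value but accepts any non-empty setting, so an interface file with `BOOTPROTO=dhcp` passes even though the check text marks that a finding. Pinning the value, e.g. `its("content") { should match(/^\s*BOOTPROTO\s*=\s*"?none"?\s*(#.*)?$/i) }`, makes the assertion agree with the check text. Because this file carries the control as a JSON string with `source_location.ref` pointing at `./Red Hat 6 STIG/controls/V-38679.rb`, the fix presumably belongs in that control file with the export regenerated afterwards. Separately, the check text as copied contains an en dash in `grep\n–v \"#\"` instead of `-v`, so the quoted command does not run as written.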
@@ -7270,35 +7319,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nThe output should show \"unlock_time=\"; the largest\nacceptable value is 604800 seconds (one week).\nIf that is not the case, this is a finding.", - "fix": "To configure the system to lock out accounts after a number of\nincorrect logon attempts and require an administrator to unlock the account\nusing \"pam_faillock.so\", modify the content of both\n\"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" as follows:\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"ACCOUNT\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program.\nThe \"authconfig\" program should not be used." + "check": "To check that the \"tftp\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"tftp\" --list\n\nOutput should indicate the \"tftp\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"tftp\" --list\ntftp off\nOR\nerror reading information on service tftp: No such file or directory\n\n\nIf the service is running, this is a finding.", + "fix": "The \"tftp\" service should be disabled. 
The \"tftp\" service can\nbe disabled with the following command:\n\n# chkconfig tftp off" }, - "code": "control \"V-38592\" do\n title \"The system must require administrator action to unlock an account\nlocked by excessive failed login attempts.\"\n desc \"Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks. Ensuring that an administrator is\ninvolved in unlocking locked accounts draws appropriate attention to such\nsituations.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000022\"\n tag \"gid\": \"V-38592\"\n tag \"rid\": \"SV-50393r4_rule\"\n tag \"stig_id\": \"RHEL-06-000356\"\n tag \"fix_id\": \"F-43541r6_fix\"\n tag \"cci\": [\"CCI-000047\"]\n tag \"nist\": [\"AC-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nThe output should show \\\"unlock_time=\\\"; the largest\nacceptable value is 604800 seconds (one week).\nIf that is not the case, this is a finding.\"\n tag \"fix\": \"To configure the system to lock out accounts after a number of\nincorrect logon attempts and require an administrator to unlock the account\nusing \\\"pam_faillock.so\\\", modify the content of both\n\\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" as follows:\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \\\"pam_unix.so\\\" statement in 
the\n\\\"AUTH\\\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"ACCOUNT\\\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \\\"/etc/pam.d/system-auth\\\" and\n\\\"/etc/pam.d/password-auth\\\" may be overwritten by the \\\"authconfig\\\" program.\nThe \\\"authconfig\\\" program should not be used.\"\n\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*\\s+unlock_time=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_faillock_unlock_time') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*\\s+unlock_time=([0-9]+).*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*\\s+unlock_time=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_faillock_unlock_time') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*\\s+unlock_time=([0-9]+).*$/) }\n end\nend\n", + "code": "control \"V-38609\" do\n title \"The TFTP service must not be running.\"\n desc \"Disabling the \\\"tftp\\\" service ensures the system is not acting as a\ntftp server, which does not provide encryption or authentication.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000248\"\n tag \"gid\": \"V-38609\"\n tag \"rid\": \"SV-50410r2_rule\"\n tag \"stig_id\": \"RHEL-06-000223\"\n tag \"fix_id\": \"F-43557r4_fix\"\n tag \"cci\": [\"CCI-001436\"]\n tag \"nist\": [\"AC-17 (8)\", \"Rev_4\"]\n tag \"false_negatives\": 
nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"tftp\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"tftp\\\" --list\n\nOutput should indicate the \\\"tftp\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"tftp\\\" --list\ntftp off\nOR\nerror reading information on service tftp: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"tftp\\\" service should be disabled. The \\\"tftp\\\" service can\nbe disabled with the following command:\n\n# chkconfig tftp off\"\n\n describe service('tftp') do\n it { should_not be_enabled }\n it { should_not be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38592.rb", + "ref": "./Red Hat 6 STIG/controls/V-38609.rb", "line": 1 }, - "id": "V-38592" + "id": "V-38609" }, { - "title": "The system package management tool must verify group-ownership on all\nfiles and directories associated with the audit package.", - "desc": "Group-ownership of audit binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.", + "title": "Auditing must be enabled at boot by setting a kernel parameter.", + "desc": "Each process on the system carries an \"auditable\" flag which\nindicates whether its activities can be audited. 
Although \"auditd\" takes care\nof enabling this for all processes which launch after it does, adding the\nkernel argument ensures it is set for every process during boot.", "descriptions": { - "default": "Group-ownership of audit binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated." + "default": "Each process on the system carries an \"auditable\" flag which\nindicates whether its activities can be audited. Although \"auditd\" takes care\nof enabling this for all processes which launch after it does, adding the\nkernel argument ensures it is set for every process during boot." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000258", - "gid": "V-38665", - "rid": "SV-50466r1_rule", - "stig_id": "RHEL-06-000280", - "fix_id": "F-43614r1_fix", + "gtitle": "SRG-OS-000062", + "gid": "V-38438", + "rid": "SV-50238r4_rule", + "stig_id": "RHEL-06-000525", + "fix_id": "F-43382r4_fix", "cci": [ - "CCI-001495" + "CCI-000169" ], "nist": [ - "AU-9", + "AU-12 a", "Rev_4" ], "false_negatives": null, 
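Review bot: In the new `code` string for V-38609, `should_not be_running` on `service('tftp')` presumably adds nothing: the check text's sample output (`tftp off`, with no per-runlevel columns, unlike the netconsole control later in this diff) indicates tftp is an xinetd-managed service on this platform, so there is no standalone daemon whose running state can be queried and `should_not be_enabled` is the assertion that carries the control. A comment in the control would make that explicit, e.g. `# tftp runs under xinetd; "enabled" is the meaningful state here, "running" is only observable through xinetd`, and it is worth confirming that the InSpec service resource on the target reports xinetd services correctly. As a point of style, this control writes `service('tftp')` with single quotes while the netconsole control in the `@@ -7352` hunk uses `service(\"netconsole\")`; one convention would help.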
@@ -7311,35 +7360,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will list which audit files on the system\nhave group-ownership different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^......G'\n\n\nIf there is output, this is a finding.", - "fix": "The RPM package management system can restore file\ngroup-ownership of the audit package files and directories. The following\ncommand will update audit files with group-ownership different from what is\nexpected by the RPM database:\n\n# rpm --setugids audit" + "check": "Inspect the kernel boot arguments (which follow the word\n\"kernel\") in \"/boot/grub/grub.conf\". If they include \"audit=1\", then\nauditing is enabled at boot time.\n\nIf auditing is not enabled at boot time, this is a finding.\n\nIf the system uses UEFI inspect the kernel boot arguments (which follow the\nword \"kernel\") in \"/boot/efi/EFI/redhat/grub.conf\". If they include\n\"audit=1\", then auditing is enabled at boot time.", + "fix": "To ensure all processes can be audited, even those which start\nprior to the audit daemon, add the argument \"audit=1\" to the kernel line in\n\"/boot/grub/grub.conf\" or \"/boot/efi/EFI/redhat/grub.conf\", in the manner\nbelow:\n\nkernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet\naudit=1\n\nUEFI systems may prepend \"/boot\" to the \"/vmlinuz-version\" argument." }, - "code": "control \"V-38665\" do\n title \"The system package management tool must verify group-ownership on all\nfiles and directories associated with the audit package.\"\n desc \"Group-ownership of audit binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. 
Any\ndeviations from this baseline should be investigated.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000258\"\n tag \"gid\": \"V-38665\"\n tag \"rid\": \"SV-50466r1_rule\"\n tag \"stig_id\": \"RHEL-06-000280\"\n tag \"fix_id\": \"F-43614r1_fix\"\n tag \"cci\": [\"CCI-001495\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which audit files on the system\nhave group-ownership different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^......G'\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"The RPM package management system can restore file\ngroup-ownership of the audit package files and directories. The following\ncommand will update audit files with group-ownership different from what is\nexpected by the RPM database:\n\n# rpm --setugids audit\"\n\n describe command(\"rpm -V audit | grep '^......G'\") do\n its('stdout.strip') { should be_empty } \n end\nend\n", + "code": "control \"V-38438\" do\n title \"Auditing must be enabled at boot by setting a kernel parameter.\"\n desc \"Each process on the system carries an \\\"auditable\\\" flag which\nindicates whether its activities can be audited. 
Although \\\"auditd\\\" takes care\nof enabling this for all processes which launch after it does, adding the\nkernel argument ensures it is set for every process during boot.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38438\"\n tag \"rid\": \"SV-50238r4_rule\"\n tag \"stig_id\": \"RHEL-06-000525\"\n tag \"fix_id\": \"F-43382r4_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect the kernel boot arguments (which follow the word\n\\\"kernel\\\") in \\\"/boot/grub/grub.conf\\\". If they include \\\"audit=1\\\", then\nauditing is enabled at boot time.\n\nIf auditing is not enabled at boot time, this is a finding.\n\nIf the system uses UEFI inspect the kernel boot arguments (which follow the\nword \\\"kernel\\\") in \\\"/boot/efi/EFI/redhat/grub.conf\\\". 
If they include\n\\\"audit=1\\\", then auditing is enabled at boot time.\"\n tag \"fix\": \"To ensure all processes can be audited, even those which start\nprior to the audit daemon, add the argument \\\"audit=1\\\" to the kernel line in\n\\\"/boot/grub/grub.conf\\\" or \\\"/boot/efi/EFI/redhat/grub.conf\\\", in the manner\nbelow:\n\nkernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet\naudit=1\n\nUEFI systems may prepend \\\"/boot\\\" to the \\\"/vmlinuz-version\\\" argument.\"\n\n describe.one do\n describe file(\"/boot/grub/grub.conf\") do\n its(\"content\") { should match(/^\\s*kernel\\s(?:\\/boot)?\\/vmlinuz.*audit=1.*$/) }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n its(\"content\") { should match(/^\\s*kernel\\s(?:\\/boot)?\\/vmlinuz.*audit=1.*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38665.rb", + "ref": "./Red Hat 6 STIG/controls/V-38438.rb", "line": 1 }, - "id": "V-38665" + "id": "V-38438" }, { - "title": "The operating system must produce audit records containing sufficient\ninformation to establish what type of events occurred.", - "desc": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.", + "title": "The netconsole service must be disabled unless required.", + "desc": "The \"netconsole\" service is not necessary unless there is a need to\ndebug kernel panics, which is not common.", "descriptions": { - "default": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist." + "default": "The \"netconsole\" service is not necessary unless there is a need to\ndebug kernel panics, which is not common." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000037", - "gid": "V-38632", - "rid": "SV-50433r2_rule", - "stig_id": "RHEL-06-000154", - "fix_id": "F-43581r2_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38672", + "rid": "SV-50473r2_rule", + "stig_id": "RHEL-06-000289", + "fix_id": "F-43622r2_fix", "cci": [ - "CCI-000130" + "CCI-000382" ], "nist": [ - "AU-3", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
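Review bot: The regex in the new `code` string for V-38438, `/^\s*kernel\s(?:\/boot)?\/vmlinuz.*audit=1.*$/`, passes as soon as any one kernel stanza in grub.conf carries `audit=1`; a grub.conf with several installed kernels where only one stanza has the argument still passes, while booting any other entry leaves early processes unaudited, which is exactly the risk the description names. It also accepts `audit=10` or `audit=1x` because nothing anchors the value. Tightening the tail to `\saudit=1(?:\s|$)` fixes the second point; for the first, iterate `content.to_s.lines.grep(/^\s*kernel\s/)` and require each line to match, or state in the control that only presence on some stanza is asserted. `describe.one` over the BIOS and UEFI paths handles a missing file, but a system with neither file present fails both branches rather than being reported as not applicable.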
@@ -7352,30 +7401,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine the current status of\nthe \"auditd\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"auditd\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \"auditd\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start" + "check": "To check that the \"netconsole\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \"netconsole\" --list\n\nOutput should indicate the \"netconsole\" service has either not been\ninstalled, or has been disabled at all runlevels, as shown in the example\nbelow:\n\n# chkconfig \"netconsole\" --list\n\"netconsole\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"netconsole\" is disabled through current\nruntime configuration:\n\n# service netconsole status\n\nIf the service is disabled the command will return the following output:\n\nnetconsole is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The \"netconsole\" service is responsible for loading the\nnetconsole kernel module, which logs kernel printk messages over UDP to a\nsyslog server. This allows debugging of problems where disk logging fails and\nserial consoles are impractical. 
The \"netconsole\" service can be disabled\nwith the following commands:\n\n# chkconfig netconsole off\n# service netconsole stop" }, - "code": "control \"V-38632\" do\n title \"The operating system must produce audit records containing sufficient\ninformation to establish what type of events occurred.\"\n desc \"Ensuring the \\\"auditd\\\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000037\"\n tag \"gid\": \"V-38632\"\n tag \"rid\": \"SV-50433r2_rule\"\n tag \"stig_id\": \"RHEL-06-000154\"\n tag \"fix_id\": \"F-43581r2_fix\"\n tag \"cci\": [\"CCI-000130\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"auditd\\\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \\\"auditd\\\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start\"\n\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38672\" do\n title \"The netconsole service must be disabled unless required.\"\n desc \"The \\\"netconsole\\\" service is not necessary unless there is a need to\ndebug kernel panics, which is not common.\"\n impact 0.3\n 
tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38672\"\n tag \"rid\": \"SV-50473r2_rule\"\n tag \"stig_id\": \"RHEL-06-000289\"\n tag \"fix_id\": \"F-43622r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"netconsole\\\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \\\"netconsole\\\" --list\n\nOutput should indicate the \\\"netconsole\\\" service has either not been\ninstalled, or has been disabled at all runlevels, as shown in the example\nbelow:\n\n# chkconfig \\\"netconsole\\\" --list\n\\\"netconsole\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"netconsole\\\" is disabled through current\nruntime configuration:\n\n# service netconsole status\n\nIf the service is disabled the command will return the following output:\n\nnetconsole is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"netconsole\\\" service is responsible for loading the\nnetconsole kernel module, which logs kernel printk messages over UDP to a\nsyslog server. This allows debugging of problems where disk logging fails and\nserial consoles are impractical. 
The \\\"netconsole\\\" service can be disabled\nwith the following commands:\n\n# chkconfig netconsole off\n# service netconsole stop\"\n\n describe service(\"netconsole\").runlevels(/0/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/1/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/2/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/3/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/4/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/5/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/6/) do\n it { should_not be_enabled }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38632.rb", + "ref": "./Red Hat 6 STIG/controls/V-38672.rb", "line": 1 }, - "id": "V-38632" + "id": "V-38672" }, { - "title": "The system boot loader configuration file(s) must be group-owned by\nroot.", - "desc": "The \"root\" group is a highly-privileged group. Furthermore, the\ngroup-owner of this file should not have any access privileges anyway.", + "title": "The system must not accept ICMPv4 secure redirect packets on any\ninterface.", + "desc": "Accepting \"secure\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required.", "descriptions": { - "default": "The \"root\" group is a highly-privileged group. Furthermore, the\ngroup-owner of this file should not have any access privileges anyway." + "default": "Accepting \"secure\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required." 
}, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38581", - "rid": "SV-50382r2_rule", - "stig_id": "RHEL-06-000066", - "fix_id": "F-43529r2_fix", + "gid": "V-38526", + "rid": "SV-50327r2_rule", + "stig_id": "RHEL-06-000086", + "fix_id": "F-43474r1_fix", "cci": [ "CCI-000366" ], 
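Review bot: The new `code` string for V-38672 only asserts `should_not be_enabled` for runlevels 0 through 6 and never checks the runtime state, although its own check text runs `service netconsole status` and says `If the service is running, this is a finding.` Adding `describe service("netconsole") do`, `it { should_not be_running }`, `end` next to the runlevel checks closes that gap; the tftp control in the `@@ -7270` hunk of this diff asserts both states and is the pattern to follow. As a point of style, the seven identical `runlevels(/N/)` blocks could be a single `(0..6).each do |rl| ... end` loop.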
@@ -7393,35 +7442,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the group ownership of \"/boot/grub/grub.conf\", run\nthe command:\n\n$ ls -lL /boot/grub/grub.conf\n\nIf properly configured, the output should indicate the group-owner is \"root\".\nIf it does not, this is a finding.", - "fix": "The file \"/boot/grub/grub.conf\" should be group-owned by the\n\"root\" group to prevent destruction or modification of the file. To properly\nset the group owner of \"/boot/grub/grub.conf\", run the command:\n\n# chgrp root /boot/grub/grub.conf" + "check": "The status of the \"net.ipv4.conf.all.secure_redirects\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.secure_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.secure_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.secure_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.secure_redirects = 0" }, - "code": "control \"V-38581\" do\n title \"The system boot loader configuration file(s) must be group-owned by\nroot.\"\n desc \"The \\\"root\\\" group is a highly-privileged group. 
Furthermore, the\ngroup-owner of this file should not have any access privileges anyway.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38581\"\n tag \"rid\": \"SV-50382r2_rule\"\n tag \"stig_id\": \"RHEL-06-000066\"\n tag \"fix_id\": \"F-43529r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/boot/grub/grub.conf\\\", run\nthe command:\n\n$ ls -lL /boot/grub/grub.conf\n\nIf properly configured, the output should indicate the group-owner is \\\"root\\\".\nIf it does not, this is a finding.\"\n tag \"fix\": \"The file \\\"/boot/grub/grub.conf\\\" should be group-owned by the\n\\\"root\\\" group to prevent destruction or modification of the file. To properly\nset the group owner of \\\"/boot/grub/grub.conf\\\", run the command:\n\n# chgrp root /boot/grub/grub.conf\"\n\n describe.one do\n describe file(\"/boot/grub/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/grub/grub.conf\") do\n its(\"gid\") { should cmp 0 }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n its(\"gid\") { should cmp 0 }\n end\n end\nend\n", + "code": "control \"V-38526\" do\n title \"The system must not accept ICMPv4 secure redirect packets on any\ninterface.\"\n desc \"Accepting \\\"secure\\\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. 
It should be disabled unless it is\nabsolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38526\"\n tag \"rid\": \"SV-50327r2_rule\"\n tag \"stig_id\": \"RHEL-06-000086\"\n tag \"fix_id\": \"F-43474r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.secure_redirects\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.secure_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.secure_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.secure_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.secure_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.secure_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.secure_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.secure_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38581.rb", + "ref": "./Red Hat 6 
STIG/controls/V-38526.rb", "line": 1 }, - "id": "V-38581" + "id": "V-38526" }, { - "title": "The /etc/group file must be owned by root.", - "desc": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity.", + "title": "The audit system must take appropriate action when there are disk\nerrors on the audit storage volume.", + "desc": "Taking appropriate action in case of disk errors will minimize the\npossibility of losing audit records.", "descriptions": { - "default": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity." + "default": "Taking appropriate action in case of disk errors will minimize the\npossibility of losing audit records." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38458", - "rid": "SV-50258r1_rule", - "stig_id": "RHEL-06-000042", - "fix_id": "F-43403r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", + "gtitle": "SRG-OS-000047", + "gid": "V-38464", + "rid": "SV-50264r1_rule", + "stig_id": "RHEL-06-000511", + "fix_id": "F-43410r1_fix", + "cci": [ + "CCI-000140" + ], + "nist": [ + "AU-5 b", "Rev_4" ], "false_negatives": null, 
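Review bot: The persistence check at the end of the new V-38526 code (`describe file("/etc/sysctl.conf")`) passes if any line sets the parameter to 0, but sysctl.conf is last-value-wins, so a later `net.ipv4.conf.all.secure_redirects = 1` line would still satisfy it, and the unescaped dots in the pattern match any character. Tightening it to `its("content") { should match(/^\s*net\.ipv4\.conf\.all\.secure_redirects\s*=\s*0\s*$/) }` and asserting on the last matching assignment (or relying on the runtime `kernel_parameter` check, since the STIG check text only asks for a sysctl.conf entry when the default is not already 0) would close that gap. Separately, the new side tags this control `RHEL-06-000086` from `./Red Hat 6 STIG/controls/V-38526.rb` inside `canonical-ubuntu-16.04-lts-stig-baseline.json`; if this is an exported `inspec json` artifact, that looks like the wrong profile was exported and the fix belongs in the generator, not in this file.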
@@ -7434,35 +7483,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the ownership of \"/etc/group\", run the command:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following owner:\n\"root\"\nIf it does not, this is a finding.", - "fix": "To properly set the owner of \"/etc/group\", run the command:\n\n# chown root /etc/group" + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to take appropriate action when\ndisk errors occur:\n\n# grep disk_error_action /etc/audit/auditd.conf\ndisk_error_action = [ACTION]\n\n\nIf the system is configured to \"suspend\" when disk errors occur or \"ignore\"\nthem, this is a finding.", + "fix": "Edit the file \"/etc/audit/auditd.conf\". Modify the following\nline, substituting [ACTION] appropriately:\n\ndisk_error_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page.\nThese include:\n\n\"ignore\"\n\"syslog\"\n\"exec\"\n\"suspend\"\n\"single\"\n\"halt\"\n\n\nSet this to \"syslog\", \"exec\", \"single\", or \"halt\"." }, - "code": "control \"V-38458\" do\n title \"The /etc/group file must be owned by root.\"\n desc \"The \\\"/etc/group\\\" file contains information regarding groups that are\nconfigured on the system. 
Protection of this file is important for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38458\"\n tag \"rid\": \"SV-50258r1_rule\"\n tag \"stig_id\": \"RHEL-06-000042\"\n tag \"fix_id\": \"F-43403r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/etc/group\\\", run the command:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following owner:\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the owner of \\\"/etc/group\\\", run the command:\n\n# chown root /etc/group\"\n\n describe file(\"/etc/group\") do\n it { should exist }\n end\n describe file(\"/etc/group\") do\n its(\"uid\") { should cmp 0 }\n end\nend\n", + "code": "control \"V-38464\" do\n title \"The audit system must take appropriate action when there are disk\nerrors on the audit storage volume.\"\n desc \"Taking appropriate action in case of disk errors will minimize the\npossibility of losing audit records.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000047\"\n tag \"gid\": \"V-38464\"\n tag \"rid\": \"SV-50264r1_rule\"\n tag \"stig_id\": \"RHEL-06-000511\"\n tag \"fix_id\": \"F-43410r1_fix\"\n tag \"cci\": [\"CCI-000140\"]\n tag \"nist\": [\"AU-5 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect 
\\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to take appropriate action when\ndisk errors occur:\n\n# grep disk_error_action /etc/audit/auditd.conf\ndisk_error_action = [ACTION]\n\n\nIf the system is configured to \\\"suspend\\\" when disk errors occur or \\\"ignore\\\"\nthem, this is a finding.\"\n tag \"fix\": \"Edit the file \\\"/etc/audit/auditd.conf\\\". Modify the following\nline, substituting [ACTION] appropriately:\n\ndisk_error_action = [ACTION]\n\nPossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page.\nThese include:\n\n\\\"ignore\\\"\n\\\"syslog\\\"\n\\\"exec\\\"\n\\\"suspend\\\"\n\\\"single\\\"\n\\\"halt\\\"\n\n\nSet this to \\\"syslog\\\", \\\"exec\\\", \\\"single\\\", or \\\"halt\\\".\"\n\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('disk_error_action') { should_not be_nil }\n its('disk_error_action.downcase') { should_not be_in ['suspend', 'ignore'] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38458.rb", + "ref": "./Red Hat 6 STIG/controls/V-38464.rb", "line": 1 }, - "id": "V-38458" + "id": "V-38464" }, { - "title": "All device files must be monitored by the system Linux Security\nModule.", - "desc": "If a device file carries the SELinux type \"unlabeled_t\", then\nSELinux cannot properly restrict access to the device file.", + "title": "The operating system must prevent public IPv6 access into an\norganizations internal networks, except as appropriately mediated by managed\ninterfaces employing boundary protection devices.", + "desc": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.", "descriptions": { - "default": "If a device file carries the SELinux type \"unlabeled_t\", then\nSELinux cannot properly restrict access to the device file." + "default": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-51379", - "rid": "SV-65589r1_rule", - "stig_id": "RHEL-06-000025", - "fix_id": "F-56179r1_fix", + "gtitle": "SRG-OS-000146", + "gid": "V-38553", + "rid": "SV-50354r3_rule", + "stig_id": "RHEL-06-000107", + "fix_id": "F-43501r2_fix", "cci": [ - "CCI-000366" + "CCI-001100" ], "nist": [ - "CM-6 b", + "SC-7 (2)", "Rev_4" ], "false_negatives": null, 
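Review bot: The new V-38464 assertion `should_not be_in ['suspend', 'ignore']` is a deny-list, so a typo or an unsupported value (which auditd would reject at startup, leaving no effective action) passes the control even though the fix text in the same hunk enumerates the only acceptable values. An allow-list matching the fix, e.g. `its('disk_error_action') { should match(/^(syslog|exec(\s+\S+)?|single|halt)$/i) }`, rejects garbage while still accepting the `exec /path-to-script` form documented in auditd.conf(5); confirm that form against the audit version targeted. Since this appears to be a generated profile export, the change should be made in `V-38464.rb` and re-exported.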
@@ -7475,35 +7524,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check for unlabeled device files, run the following command:\n\n# ls -RZ /dev | grep unlabeled_t\n\nIt should produce no output in a well-configured system.\n\nIf there is output, this is a finding. ", - "fix": "Device files, which are used for communication with important\nsystem resources, should be labeled with proper SELinux types. If any device\nfiles carry the SELinux type \"unlabeled_t\", investigate the cause and correct\nthe file's context. " + "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"ip6tables\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start" }, - "code": "control \"V-51379\" do\n title \"All device files must be monitored by the system Linux Security\nModule.\"\n desc \"If a device file carries the SELinux type \\\"unlabeled_t\\\", then\nSELinux cannot properly restrict access to the device file. 
\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51379\"\n tag \"rid\": \"SV-65589r1_rule\"\n tag \"stig_id\": \"RHEL-06-000025\"\n tag \"fix_id\": \"F-56179r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check for unlabeled device files, run the following command:\n\n# ls -RZ /dev | grep unlabeled_t\n\nIt should produce no output in a well-configured system.\n\nIf there is output, this is a finding. \"\n tag \"fix\": \"Device files, which are used for communication with important\nsystem resources, should be labeled with proper SELinux types. If any device\nfiles carry the SELinux type \\\"unlabeled_t\\\", investigate the cause and correct\nthe file's context. 
\"\n\n describe command(\"ls -RZ /dev | grep unlabeled_t\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38553\" do\n title \"The operating system must prevent public IPv6 access into an\norganizations internal networks, except as appropriately mediated by managed\ninterfaces employing boundary protection devices.\"\n desc \"The \\\"ip6tables\\\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000146\"\n tag \"gid\": \"V-38553\"\n tag \"rid\": \"SV-50354r3_rule\"\n tag \"stig_id\": \"RHEL-06-000107\"\n tag \"fix_id\": \"F-43501r2_fix\"\n tag \"cci\": [\"CCI-001100\"]\n tag \"nist\": [\"SC-7 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \\\"ip6tables\\\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"ip6tables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start\"\n\n describe service('ip6tables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-51379.rb", + "ref": "./Red Hat 6 STIG/controls/V-38553.rb", "line": 1 }, - "id": "V-51379" + "id": "V-38553" }, { - "title": "The system must use a separate file system for the system audit data\npath.", - 
"desc": "Placing \"/var/log/audit\" in its own partition enables better\nseparation between audit files and other files, and helps ensure that auditing\ncannot be halted due to the partition running out of space.", + "title": "The audit system must be configured to audit all attempts to alter\nsystem time through stime.", + "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", "descriptions": { - "default": "Placing \"/var/log/audit\" in its own partition enables better\nseparation between audit files and other files, and helps ensure that auditing\ncannot be halted due to the partition running out of space." + "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000044", - "gid": "V-38467", - "rid": "SV-50267r1_rule", - "stig_id": "RHEL-06-000004", - "fix_id": "F-43412r1_fix", + "gtitle": "SRG-OS-000062", + "gid": "V-38525", + "rid": "SV-50326r4_rule", + "stig_id": "RHEL-06-000169", + "fix_id": "F-43473r4_fix", "cci": [ - "CCI-000137" + "CCI-000169" ], "nist": [ - "AU-4", + "AU-12 a", "Rev_4" ], "false_negatives": null, 
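Review bot: The new V-38553 code asserts `service('ip6tables')` is enabled and running unconditionally, while the check text in the same hunk says the control is not applicable when IPv6 is disabled or on a cross-domain system, so hosts that disabled IPv6 per other STIG guidance will fail instead of being skipped. Guard it with `only_if('IPv6 is disabled on this system') { kernel_parameter('net.ipv6.conf.all.disable_ipv6').value != 1 }` (or a check of the modprobe `options ipv6 disable=1` setting used on RHEL 6, whichever signal the profile uses elsewhere) and an input for the cross-domain case. As with the neighbouring hunks, the source of truth is the `.rb` control this JSON was exported from.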
@@ -7516,35 +7565,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if \"/var/log/audit\" is\non its own partition or logical volume:\n\n$ mount | grep \"on /var/log/audit \"\n\nIf \"/var/log/audit\" has its own partition or volume group, a line will be\nreturned.\nIf no line is returned, this is a finding.", - "fix": "Audit logs are stored in the \"/var/log/audit\" directory. Ensure\nthat it has its own partition or logical volume at installation time, or\nmigrate it later using LVM. Make absolutely certain that it is large enough to\nstore all audit logs that will be created by the auditing daemon." + "check": "If the system is 64-bit only, this is not applicable.\n\nTo determine if the system is configured to audit calls to the \"stime\" system\ncall, run the following command:\n\n$ sudo grep -w \"stime\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. ", + "fix": "On a 32-bit system, add the following to\n\"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S stime -k audit_time_rules\n\nOn a 64-bit system, the \"-S stime\" is not necessary. The -k option allows for\nthe specification of a key in string form that can be used for better reporting\ncapability through ausearch and aureport. Multiple system calls can be defined\non the same line to save space if desired, but is not required. 
See an example\nof multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules" }, - "code": "control \"V-38467\" do\n title \"The system must use a separate file system for the system audit data\npath.\"\n desc \"Placing \\\"/var/log/audit\\\" in its own partition enables better\nseparation between audit files and other files, and helps ensure that auditing\ncannot be halted due to the partition running out of space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000044\"\n tag \"gid\": \"V-38467\"\n tag \"rid\": \"SV-50267r1_rule\"\n tag \"stig_id\": \"RHEL-06-000004\"\n tag \"fix_id\": \"F-43412r1_fix\"\n tag \"cci\": [\"CCI-000137\"]\n tag \"nist\": [\"AU-4\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/var/log/audit\\\" is\non its own partition or logical volume:\n\n$ mount | grep \\\"on /var/log/audit \\\"\n\nIf \\\"/var/log/audit\\\" has its own partition or volume group, a line will be\nreturned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"Audit logs are stored in the \\\"/var/log/audit\\\" directory. Ensure\nthat it has its own partition or logical volume at installation time, or\nmigrate it later using LVM. 
Make absolutely certain that it is large enough to\nstore all audit logs that will be created by the auditing daemon.\"\n\n describe mount(\"/var/log/audit\") do\n it { should be_mounted }\n end\nend\n", + "code": "control \"V-38525\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through stime.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38525\"\n tag \"rid\": \"SV-50326r4_rule\"\n tag \"stig_id\": \"RHEL-06-000169\"\n tag \"fix_id\": \"F-43473r4_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is 64-bit only, this is not applicable.\n\nTo determine if the system is configured to audit calls to the \\\"stime\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"stime\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. \"\n tag \"fix\": \"On a 32-bit system, add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S stime -k audit_time_rules\n\nOn a 64-bit system, the \\\"-S stime\\\" is not necessary. The -k option allows for\nthe specification of a key in string form that can be used for better reporting\ncapability through ausearch and aureport. 
Multiple system calls can be defined\non the same line to save space if desired, but is not required. See an example\nof multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b32.*(?:-S[\\s]+|,)stime(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38467.rb", + "ref": "./Red Hat 6 STIG/controls/V-38525.rb", "line": 1 }, - "id": "V-38467" + "id": "V-38525" }, { - "title": "The system must use a separate file system for /var/log.", - "desc": "Placing \"/var/log\" in its own partition enables better separation\nbetween log files and other files in \"/var/\".", + "title": "Audit log files must be owned by root.", + "desc": "If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed.", "descriptions": { - "default": "Placing \"/var/log\" in its own partition enables better separation\nbetween log files and other files in \"/var/\"." + "default": "If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38463", - "rid": "SV-50263r1_rule", - "stig_id": "RHEL-06-000003", - "fix_id": "F-43408r1_fix", + "gtitle": "SRG-OS-000057", + "gid": "V-38495", + "rid": "SV-50296r1_rule", + "stig_id": "RHEL-06-000384", + "fix_id": "F-43443r1_fix", "cci": [ - "CCI-000366" + "CCI-000162" ], "nist": [ - "CM-6 b", + "AU-9", "Rev_4" ], "false_negatives": null, 
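Review bot: The new V-38525 test requires an `arch=b32 ... -S stime` rule in `/etc/audit/audit.rules` unconditionally, but the check text in the same hunk says the control is not applicable on 64-bit-only systems, so those hosts will report a finding where the STIG expects N/A. Add an `only_if` keyed on architecture, e.g. `only_if('64-bit-only system: stime is not available') { command('uname -m').stdout.strip != 'x86_64' }`, adjusting the condition if the profile has a better signal for 32-bit syscall support. The pattern also only recognises `-k KEY`; per auditctl(8) `-F key=KEY` is equivalent, so a compliant rule written that way would be reported as a finding.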
@@ -7557,35 +7606,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine if \"/var/log\" is on\nits own partition or logical volume:\n\n$ mount | grep \"on /var/log \"\n\nIf \"/var/log\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.", - "fix": "System logs are stored in the \"/var/log\" directory. Ensure that\nit has its own partition or logical volume at installation time, or migrate it\nusing LVM." + "check": "Run the following command to check the owner of the system\naudit logs:\n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %U:%n\n\nAudit logs must be owned by root.\nIf they are not, this is a finding.", + "fix": "Change the owner of the audit log files with the following\ncommand:\n\n# chown root [audit_file]" }, - "code": "control \"V-38463\" do\n title \"The system must use a separate file system for /var/log.\"\n desc \"Placing \\\"/var/log\\\" in its own partition enables better separation\nbetween log files and other files in \\\"/var/\\\".\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38463\"\n tag \"rid\": \"SV-50263r1_rule\"\n tag \"stig_id\": \"RHEL-06-000003\"\n tag \"fix_id\": \"F-43408r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/var/log\\\" is on\nits own partition or logical volume:\n\n$ mount | grep \\\"on /var/log \\\"\n\nIf \\\"/var/log\\\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a 
finding.\"\n tag \"fix\": \"System logs are stored in the \\\"/var/log\\\" directory. Ensure that\nit has its own partition or logical volume at installation time, or migrate it\nusing LVM.\"\n\n describe mount(\"/var/log\") do\n it { should be_mounted }\n end\nend\n", + "code": "control \"V-38495\" do\n title \"Audit log files must be owned by root.\"\n desc \"If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000057\"\n tag \"gid\": \"V-38495\"\n tag \"rid\": \"SV-50296r1_rule\"\n tag \"stig_id\": \"RHEL-06-000384\"\n tag \"fix_id\": \"F-43443r1_fix\"\n tag \"cci\": [\"CCI-000162\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check the owner of the system\naudit logs:\n\ngrep \\\"^log_file\\\" /etc/audit/auditd.conf|sed s/^[^\\\\/]*//|xargs stat -c %U:%n\n\nAudit logs must be owned by root.\nIf they are not, this is a finding.\"\n tag \"fix\": \"Change the owner of the audit log files with the following\ncommand:\n\n# chown root [audit_file]\"\n\n describe command(\"find /var/log/audit -regex .\\\\*/\\\\^.\\\\*\\\\$ -user 0\") do\n its(\"stdout\") { should_not be_empty }\n end\n describe command(\"find /var/log/audit -type d -user 0\") do\n its(\"stdout\") { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38463.rb", + "ref": "./Red Hat 6 STIG/controls/V-38495.rb", "line": 1 }, - "id": "V-38463" + "id": "V-38495" }, { - "title": "The system must not accept ICMPv4 secure redirect packets by default.", - "desc": "Accepting \"secure\" ICMP redirects (from those gateways listed 
as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchmodat.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "Accepting \"secure\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required." + "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38532", - "rid": "SV-50333r2_rule", - "stig_id": "RHEL-06-000090", - "fix_id": "F-43479r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38550", + "rid": "SV-50351r3_rule", + "stig_id": "RHEL-06-000187", + "fix_id": "F-43498r2_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
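Review bot: The ownership assertions in the new V-38495 code are inverted: `find /var/log/audit ... -user 0` with `stdout should_not be_empty` passes as soon as one root-owned entry exists, so a non-root-owned audit log goes undetected; and the `-regex .\*/\^.\*\$` expression, once the shell strips the backslashes, asks find's default regex syntax for a literal `^` after a slash and likely matches nothing, which would make the first block fail on every host. The check text in the same hunk resolves `log_file` from auditd.conf, so the test should do the same and list offenders instead: `describe command("find #{File.dirname(parse_config_file('/etc/audit/auditd.conf').params['log_file'] || '/var/log/audit/audit.log')} ! -user 0") do`, `its('stdout.strip') { should be_empty }`, `end`. Please verify the regex behaviour against GNU find on the target platform before relying on it, and make the change in `V-38495.rb` rather than in this exported JSON.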
@@ -7598,35 +7647,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.default.secure_redirects\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.secure_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.secure_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.secure_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.secure_redirects = 0" + "check": "To determine if the system is configured to audit calls to the\n\"fchmodat\" system call, run the following command:\n\n$ sudo grep -w \"fchmodat\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod"
 },
- "code": "control \"V-38532\" do\n title \"The system must not accept ICMPv4 secure redirect packets by default.\"\n desc \"Accepting \\\"secure\\\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38532\"\n tag \"rid\": \"SV-50333r2_rule\"\n tag \"stig_id\": \"RHEL-06-000090\"\n tag \"fix_id\": \"F-43479r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.secure_redirects\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.secure_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.secure_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.default.secure_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.secure_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.secure_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.secure_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.secure_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38550\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchmodat.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38550\"\n tag \"rid\": \"SV-50351r3_rule\"\n tag \"stig_id\": \"RHEL-06-000187\"\n tag \"fix_id\": \"F-43498r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fchmodat\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fchmodat\\\" /etc/audit/audit.rules\n\nIf the system is 
configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchmodat(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchmodat(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38532.rb", + "ref": "./Red Hat 6 STIG/controls/V-38550.rb", "line": 1 }, - "id": "V-38532" + "id": "V-38550" }, { - "title": "The xinetd service must be disabled if no network services utilizing\nit are enabled.", - "desc": "The xinetd service provides a dedicated listener service for some\nprograms, which is no longer necessary for commonly-used network services.\nDisabling it ensures that these uncommon services are not running, and also\nprevents attacks against xinetd itself.", + "title": "The rlogind service must not be running.", + "desc": "The rlogin service uses unencrypted network communications, which\nmeans that data from the login session, including passwords and all other\ninformation 
transmitted during the session, can be stolen by eavesdroppers on\nthe network.", "descriptions": { - "default": "The xinetd service provides a dedicated listener service for some\nprograms, which is no longer necessary for commonly-used network services.\nDisabling it ensures that these uncommon services are not running, and also\nprevents attacks against xinetd itself." + "default": "The rlogin service uses unencrypted network communications, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38582", - "rid": "SV-50383r2_rule", - "stig_id": "RHEL-06-000203", - "fix_id": "F-43530r2_fix", + "gtitle": "SRG-OS-000248", + "gid": "V-38602", + "rid": "SV-50403r2_rule", + "stig_id": "RHEL-06-000218", + "fix_id": "F-43549r3_fix", "cci": [ - "CCI-000382" + "CCI-001436" ], "nist": [ - "CM-7 b", + "AC-17 (8)", "Rev_4" ], "false_negatives": null, 
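Review bot: The two `describe file("/etc/audit/audit.rules")` matchers in the new V-38550 `code` string only accept rules with `arch=b32`, while the control's own `fix` text requires the equivalent `arch=b64` fchmodat rules on 64-bit systems, so a 64-bit host that lacks the b64 rules still passes. Add the same two matchers with `arch=b64` (gated on `os.arch` if 32-bit hosts are in scope), or at least document in the control that only the b32 rule is verified. The trailing `describe.one do ... end` block is empty and looks like a leftover from the generator; it contributes no test and should be removed. The check also reads only the persisted file, not the loaded ruleset, which is worth a one-line comment such as `# verifies /etc/audit/audit.rules only; loaded rules (auditctl -l) are not inspected`.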
@@ -7639,35 +7688,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If network services are using the xinetd service, this is not\napplicable.\n\nTo check that the \"xinetd\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \"xinetd\" --list\n\nOutput should indicate the \"xinetd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"xinetd\" --list\n\"xinetd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"xinetd\" is disabled through current\nruntime configuration:\n\n# service xinetd status\n\nIf the service is disabled the command will return the following output:\n\nxinetd is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The \"xinetd\" service can be disabled with the following\ncommands:\n\n# chkconfig xinetd off\n# service xinetd stop" + "check": "\nTo check that the \"rlogin\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \"rlogin\" --list\n\nOutput should indicate the \"rlogin\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"rlogin\" --list\nrlogin off\nOR\nerror reading information on service rlogin: No such file or directory\n\n\nIf the service is running, this is a finding.", + "fix": "The \"rlogin\" service, which is available with the\n\"rsh-server\" package and runs as a service through xinetd, should be\ndisabled. 
The \"rlogin\" service can be disabled with the following command:\n\n# chkconfig rlogin off" }, - "code": "control \"V-38582\" do\n title \"The xinetd service must be disabled if no network services utilizing\nit are enabled.\"\n desc \"The xinetd service provides a dedicated listener service for some\nprograms, which is no longer necessary for commonly-used network services.\nDisabling it ensures that these uncommon services are not running, and also\nprevents attacks against xinetd itself.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38582\"\n tag \"rid\": \"SV-50383r2_rule\"\n tag \"stig_id\": \"RHEL-06-000203\"\n tag \"fix_id\": \"F-43530r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If network services are using the xinetd service, this is not\napplicable.\n\nTo check that the \\\"xinetd\\\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \\\"xinetd\\\" --list\n\nOutput should indicate the \\\"xinetd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"xinetd\\\" --list\n\\\"xinetd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"xinetd\\\" is disabled through current\nruntime configuration:\n\n# service xinetd status\n\nIf the service is disabled the command will return the following output:\n\nxinetd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"xinetd\\\" service can be disabled with the following\ncommands:\n\n# chkconfig xinetd off\n# service xinetd 
stop\"\n\n describe.one do\n describe package(\"xinetd\") do\n it { should_not be_installed }\n end\n describe service(\"xinetd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38602\" do\n title \"The rlogind service must not be running.\"\n desc \"The rlogin service uses unencrypted network communications, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000248\"\n tag \"gid\": \"V-38602\"\n tag \"rid\": \"SV-50403r2_rule\"\n tag \"stig_id\": \"RHEL-06-000218\"\n tag \"fix_id\": \"F-43549r3_fix\"\n tag \"cci\": [\"CCI-001436\"]\n tag \"nist\": [\"AC-17 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"\nTo check that the \\\"rlogin\\\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \\\"rlogin\\\" --list\n\nOutput should indicate the \\\"rlogin\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"rlogin\\\" --list\nrlogin off\nOR\nerror reading information on service rlogin: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"rlogin\\\" service, which is available with 
the\n\\\"rsh-server\\\" package and runs as a service through xinetd, should be\ndisabled. The \\\"rlogin\\\" service can be disabled with the following command:\n\n# chkconfig rlogin off\"\n\n describe.one do\n describe package(\"rsh-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/rlogin\") do\n its(\"content\") { should match(/^\\s*disable\\s+=\\s+yes\\s*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38582.rb", + "ref": "./Red Hat 6 STIG/controls/V-38602.rb", "line": 1 }, - "id": "V-38582" + "id": "V-38602" }, { - "title": "All rsyslog-generated log files must have mode 0600 or less\npermissive.", - "desc": "Log files can contain valuable information regarding system\nconfiguration. If the system log files are not protected, unauthorized users\ncould change the logged data, eliminating their forensic value.", + "title": "The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (libuser.conf).", + "desc": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.", "descriptions": { - "default": "Log files can contain valuable information regarding system\nconfiguration. If the system log files are not protected, unauthorized users\ncould change the logged data, eliminating their forensic value." + "default": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000206", - "gid": "V-38623", - "rid": "SV-50424r2_rule", - "stig_id": "RHEL-06-000135", - "fix_id": "F-43571r1_fix", + "gtitle": "SRG-OS-000120", + "gid": "V-38577", + "rid": "SV-50378r1_rule", + "stig_id": "RHEL-06-000064", + "fix_id": "F-43525r1_fix", "cci": [ - "CCI-001314" + "CCI-000803" ], "nist": [ - "SI-11 b", + "IA-7", "Rev_4" ], "false_negatives": null, 
@@ -7680,35 +7729,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The file permissions for all log files written by rsyslog\nshould be set to 600, or more restrictive. These log files are determined by\nthe second part of each Rule line in \"/etc/rsyslog.conf\" and typically all\nappear in \"/var/log\". For each log file [LOGFILE] referenced in\n\"/etc/rsyslog.conf\", run the following command to inspect the file's\npermissions:\n\n$ ls -l [LOGFILE]\n\nThe permissions should be 600, or more restrictive. Some log files referenced\nin /etc/rsyslog.conf may be created by other programs and may require exclusion\nfrom consideration.\n\nIf the permissions are not correct, this is a finding.", - "fix": "The file permissions for all log files written by rsyslog should\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line in \"/etc/rsyslog.conf\" and typically all appear\nin \"/var/log\". For each log file [LOGFILE] referenced in\n\"/etc/rsyslog.conf\", run the following command to inspect the file's\npermissions:\n\n$ ls -l [LOGFILE]\n\nIf the permissions are not 600 or more restrictive, run the following command\nto correct this:\n\n# chmod 0600 [LOGFILE]" + "check": "Inspect \"/etc/libuser.conf\" and ensure the following line\nappears in the \"[default]\" section:\n\ncrypt_style = sha512\n\n\nIf it does not, this is a finding.", + "fix": "In \"/etc/libuser.conf\", add or correct the following line in\nits \"[defaults]\" section to ensure the system will use the SHA-512 algorithm\nfor password hashing:\n\ncrypt_style = sha512" }, - "code": "control \"V-38623\" do\n title \"All rsyslog-generated log files must have mode 0600 or less\npermissive.\"\n desc \"Log files can contain valuable information regarding system\nconfiguration. 
If the system log files are not protected, unauthorized users\ncould change the logged data, eliminating their forensic value.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000206\"\n tag \"gid\": \"V-38623\"\n tag \"rid\": \"SV-50424r2_rule\"\n tag \"stig_id\": \"RHEL-06-000135\"\n tag \"fix_id\": \"F-43571r1_fix\"\n tag \"cci\": [\"CCI-001314\"]\n tag \"nist\": [\"SI-11 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The file permissions for all log files written by rsyslog\nshould be set to 600, or more restrictive. These log files are determined by\nthe second part of each Rule line in \\\"/etc/rsyslog.conf\\\" and typically all\nappear in \\\"/var/log\\\". For each log file [LOGFILE] referenced in\n\\\"/etc/rsyslog.conf\\\", run the following command to inspect the file's\npermissions:\n\n$ ls -l [LOGFILE]\n\nThe permissions should be 600, or more restrictive. Some log files referenced\nin /etc/rsyslog.conf may be created by other programs and may require exclusion\nfrom consideration.\n\nIf the permissions are not correct, this is a finding.\"\n tag \"fix\": \"The file permissions for all log files written by rsyslog should\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line in \\\"/etc/rsyslog.conf\\\" and typically all appear\nin \\\"/var/log\\\". 
For each log file [LOGFILE] referenced in\n\\\"/etc/rsyslog.conf\\\", run the following command to inspect the file's\npermissions:\n\n$ ls -l [LOGFILE]\n\nIf the permissions are not 600 or more restrictive, run the following command\nto correct this:\n\n# chmod 0600 [LOGFILE]\"\n\n # strip comments, empty lines, and lines which start with $ in order to get rules\n rules = file('/etc/rsyslog.conf').content.lines.map do |l|\n pound_index = l.index('#')\n l = l.slice(0, pound_index) if !pound_index.nil?\n l.strip\n end.reject { |l| l.empty? or l.start_with? '$' }\n\n paths = rules.map do |r|\n filter, action = r.split(%r{\\s+})\n next if !(action.start_with? '-/' or action.start_with? '/')\n action.sub(%r{^-/}, '/')\n end.reject { |path| path.nil? }\n\n if paths.empty?\n describe \"rsyslog log files\" do\n subject { paths }\n it { should be_empty }\n end\n else\n paths.each do |path|\n describe file(path) do \n it { should_not be_executable }\n it { should_not be_readable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_readable.by('others') }\n it { should_not be_writable.by('others') }\n end\n end\n end\nend\n", + "code": "control \"V-38577\" do\n title \"The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (libuser.conf).\"\n desc \"Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000120\"\n tag \"gid\": \"V-38577\"\n tag \"rid\": \"SV-50378r1_rule\"\n tag \"stig_id\": \"RHEL-06-000064\"\n tag \"fix_id\": \"F-43525r1_fix\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag 
\"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/libuser.conf\\\" and ensure the following line\nappears in the \\\"[default]\\\" section:\n\ncrypt_style = sha512\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"In \\\"/etc/libuser.conf\\\", add or correct the following line in\nits \\\"[defaults]\\\" section to ensure the system will use the SHA-512 algorithm\nfor password hashing:\n\ncrypt_style = sha512\"\n\n describe file(\"/etc/libuser.conf\") do\n its(\"content\") { should match(/^[\\s]*crypt_style[\\s]+=[\\s]+(?i)sha512[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38623.rb", + "ref": "./Red Hat 6 STIG/controls/V-38577.rb", "line": 1 }, - "id": "V-38623" + "id": "V-38577" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchown.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The system package management tool must verify group-ownership on all\nfiles and directories associated with packages.", + "desc": "Group-ownership of system binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." 
+ "default": "Group-ownership of system binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38552", - "rid": "SV-50353r3_rule", - "stig_id": "RHEL-06-000188", - "fix_id": "F-43500r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38453", + "rid": "SV-50253r2_rule", + "stig_id": "RHEL-06-000517", + "fix_id": "F-43399r1_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -7721,35 +7770,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"fchown\" system call, run the following command:\n\n$ sudo grep -w \"fchown\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod" + "check": "The following command will list which files on the system have\ngroup-ownership different from what is expected by the RPM database:\n\n# rpm -Va | grep '^......G'\n\n\nIf any output is produced, verify that the changes were due to STIG application\nand have been documented with the ISSO.\n\nIf any output has not been documented with the ISSO, this is a finding.\n", + "fix": "The RPM package management system can restore group-ownership of\nthe package files and directories. 
The following command will update files and\ndirectories with group-ownership different from what is expected by the RPM\ndatabase:\n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]"
 },
- "code": "control \"V-38552\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchown.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38552\"\n tag \"rid\": \"SV-50353r3_rule\"\n tag \"stig_id\": \"RHEL-06-000188\"\n tag \"fix_id\": \"F-43500r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fchown\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fchown\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchown(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchown(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38453\" do\n title \"The system package management tool must verify group-ownership on all\nfiles and directories associated with packages.\"\n desc \"Group-ownership of system binaries and configuration files that is\nincorrect could allow an unauthorized user to gain privileges that they should\nnot have. The group-ownership set by the vendor should be maintained. 
Any\ndeviations from this baseline should be investigated.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38453\"\n tag \"rid\": \"SV-50253r2_rule\"\n tag \"stig_id\": \"RHEL-06-000517\"\n tag \"fix_id\": \"F-43399r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which files on the system have\ngroup-ownership different from what is expected by the RPM database:\n\n# rpm -Va | grep '^......G'\n\n\nIf any output is produced, verify that the changes were due to STIG application\nand have been documented with the ISSO.\n\nIf any output has not been documented with the ISSO, this is a finding.\n\"\n tag \"fix\": \"The RPM package management system can restore group-ownership of\nthe package files and directories. The following command will update files and\ndirectories with group-ownership different from what is expected by the RPM\ndatabase:\n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]\"\n\n # TODO check against an exception list attribute\n describe command(\"rpm -Va | grep '^......G'\") do\n its('stdout.strip') { should eq '' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38552.rb", + "ref": "./Red Hat 6 STIG/controls/V-38453.rb", "line": 1 }, - "id": "V-38552" + "id": "V-38453" }, { - "title": "The system must require at least eight characters be changed between\nthe old and new passwords during a password change.", - "desc": "Requiring a minimum number of different characters during password\nchanges ensures that newly changed passwords should not resemble previously\ncompromised ones. 
Note that passwords which are changed on compromised systems\nwill still be compromised, however.", + "title": "The Red Hat Network Service (rhnsd) service must not be running,\nunless using RHN or an RHN Satellite.", + "desc": "Although systems management and patching is extremely important to\nsystem security, management by a system outside the enterprise enclave is not\ndesirable for some environments. However, if the system is being managed by RHN\nor RHN Satellite Server the \"rhnsd\" daemon can remain on.", "descriptions": { - "default": "Requiring a minimum number of different characters during password\nchanges ensures that newly changed passwords should not resemble previously\ncompromised ones. Note that passwords which are changed on compromised systems\nwill still be compromised, however." + "default": "Although systems management and patching is extremely important to\nsystem security, management by a system outside the enterprise enclave is not\ndesirable for some environments. However, if the system is being managed by RHN\nor RHN Satellite Server the \"rhnsd\" daemon can remain on." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000072", - "gid": "V-38572", - "rid": "SV-50373r3_rule", - "stig_id": "RHEL-06-000060", - "fix_id": "F-43520r4_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38478", + "rid": "SV-50278r2_rule", + "stig_id": "RHEL-06-000009", + "fix_id": "F-43423r2_fix", "cci": [ - "CCI-000195" + "CCI-000382" ], "nist": [ - "IA-5 (1) (b)", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
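Review bot: `describe command("rpm -Va | grep '^......G'")` with `its('stdout.strip') { should eq '' }` in the new V-38453 `code` string passes vacuously when `rpm` is absent or errors out, because stdout is empty in both cases; that matters here since this JSON is the Ubuntu 16.04 baseline while every entry in these hunks references `./Red Hat 6 STIG/controls/...` and relies on `rpm`/`chkconfig`. Add `its('stderr') { should be_empty }` (or an `only_if { command('rpm').exist? }` guard that skips rather than silently passes) so a missing tool surfaces; note the pipeline's `exit_status` cannot be asserted as written, because `grep` exits 1 on the no-match case that is the pass condition. The `# TODO check against an exception list attribute` matches the check text, which permits ISSO-documented deviations; until that attribute exists the control will fail on every host where STIG hardening itself changed group ownership, which is worth stating in the control's description.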
@@ -7762,35 +7811,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check how many characters must differ during a password\nchange, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"difok\" parameter will indicate how many characters must differ.\nThe DoD requires eight characters differ during a password change. This would\nappear as \"difok=8\".\n\nIf \"difok\" is not found or is set to a value less than \"8\", this is a finding.", - "fix": "The pam_cracklib module's \"difok\" parameter controls\nrequirements for usage of different characters during a password change.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"difok=[NUM]\"\nafter pam_cracklib.so to require differing characters when changing passwords,\nsubstituting [NUM] appropriately. The DoD requirement is 8.\n" + "check": "If the system uses RHN or an RHN Satellite, this is not\napplicable.\n\nTo check that the \"rhnsd\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \"rhnsd\" --list\n\nOutput should indicate the \"rhnsd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"rhnsd\" --list\n\"rhnsd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"rhnsd\" is disabled through current\nruntime configuration:\n\n# service rhnsd status\n\nIf the service is disabled the command will return the following output:\n\nrhnsd is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The Red Hat Network service automatically queries Red Hat Network\nservers to determine whether there are any actions that should be executed,\nsuch as package updates. This only occurs if the system was registered to an\nRHN server or satellite and managed as such. 
The \"rhnsd\" service can be\ndisabled with the following commands:\n\n# chkconfig rhnsd off\n# service rhnsd stop" }, - "code": "control \"V-38572\" do\n title \"The system must require at least eight characters be changed between\nthe old and new passwords during a password change.\"\n desc \"Requiring a minimum number of different characters during password\nchanges ensures that newly changed passwords should not resemble previously\ncompromised ones. Note that passwords which are changed on compromised systems\nwill still be compromised, however.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000072\"\n tag \"gid\": \"V-38572\"\n tag \"rid\": \"SV-50373r3_rule\"\n tag \"stig_id\": \"RHEL-06-000060\"\n tag \"fix_id\": \"F-43520r4_fix\"\n tag \"cci\": [\"CCI-000195\"]\n tag \"nist\": [\"IA-5 (1) (b)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many characters must differ during a password\nchange, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"difok\\\" parameter will indicate how many characters must differ.\nThe DoD requires eight characters differ during a password change. This would\nappear as \\\"difok=8\\\".\n\nIf \\\"difok\\\" is not found or is set to a value less than \\\"8\\\", this is a finding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"difok\\\" parameter controls\nrequirements for usage of different characters during a password change.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"difok=[NUM]\\\"\nafter pam_cracklib.so to require differing characters when changing passwords,\nsubstituting [NUM] appropriately. 
The DoD requirement is 8.\n\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+difok=(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+difok=(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_cracklib_difok') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+difok=(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+difok=(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_cracklib_difok') }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+difok=(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+difok=(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_cracklib_difok') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should 
match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+difok=(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+difok=(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_cracklib_difok') }\n end\n end\n end\nend\n", + "code": "control \"V-38478\" do\n title \"The Red Hat Network Service (rhnsd) service must not be running,\nunless using RHN or an RHN Satellite.\"\n desc \"Although systems management and patching is extremely important to\nsystem security, management by a system outside the enterprise enclave is not\ndesirable for some environments. However, if the system is being managed by RHN\nor RHN Satellite Server the \\\"rhnsd\\\" daemon can remain on.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38478\"\n tag \"rid\": \"SV-50278r2_rule\"\n tag \"stig_id\": \"RHEL-06-000009\"\n tag \"fix_id\": \"F-43423r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system uses RHN or an RHN Satellite, this is not\napplicable.\n\nTo check that the \\\"rhnsd\\\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \\\"rhnsd\\\" --list\n\nOutput should indicate the \\\"rhnsd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"rhnsd\\\" --list\n\\\"rhnsd\\\" 0:off 1:off 2:off 3:off 
4:off 5:off 6:off\n\nRun the following command to verify \\\"rhnsd\\\" is disabled through current\nruntime configuration:\n\n# service rhnsd status\n\nIf the service is disabled the command will return the following output:\n\nrhnsd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The Red Hat Network service automatically queries Red Hat Network\nservers to determine whether there are any actions that should be executed,\nsuch as package updates. This only occurs if the system was registered to an\nRHN server or satellite and managed as such. The \\\"rhnsd\\\" service can be\ndisabled with the following commands:\n\n# chkconfig rhnsd off\n# service rhnsd stop\"\n\n describe service(\"rhnsd\") do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38572.rb", + "ref": "./Red Hat 6 STIG/controls/V-38478.rb", "line": 1 }, - "id": "V-38572" + "id": "V-38478" }, { - "title": "The rshd service must not be running.", - "desc": "The rsh service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network.", + "title": "The audit system must be configured to audit all attempts to alter\nsystem time through adjtimex.", + "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", "descriptions": { - "default": "The rsh service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network." 
+ "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." }, - "impact": 0.7, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000033", - "gid": "V-38594", - "rid": "SV-50395r2_rule", - "stig_id": "RHEL-06-000214", - "fix_id": "F-43542r3_fix", + "gtitle": "SRG-OS-000062", + "gid": "V-81441", + "rid": "SV-96155r1_rule", + "stig_id": "RHEL-06-000166", + "fix_id": "F-88259r1_fix", "cci": [ - "CCI-000068" + "CCI-000169" ], "nist": [ - "AC-17 (2)", + "AU-12 a", "Rev_4" ], "false_negatives": null, 
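Review bot: The new V-38478 `code` string encodes the "not applicable" condition only as prose: its check text opens with "If the system uses RHN or an RHN Satellite, this is not applicable", yet the Ruby body is an unconditional `describe service("rhnsd") do ... should_not be_running ... should_not be_enabled`, so a legitimately RHN-managed host is reported as a finding instead of skipped. Gate the describe with a profile input, e.g. `only_if('Not applicable: system is managed by RHN or an RHN Satellite') { !input('PLACEHOLDER_rhn_managed') }` (input name is a placeholder to declare in the profile's inputs), as the profile already does for other tunables such as `pam_cracklib_difok`. The hunk tail belongs to the following V-81441 control, whose body continues in the next hunk.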
@@ -7803,30 +7852,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"rsh\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"rsh\" --list\n\nOutput should indicate the \"rsh\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"rsh\" --list\nrsh off\nOR\nerror reading information on service rsh: No such file or directory\n\n\nIf the service is running, this is a finding.", - "fix": "The \"rsh\" service, which is available with the \"rsh-server\"\npackage and runs as a service through xinetd, should be disabled. The \"rsh\"\nservice can be disabled with the following command:\n\n# chkconfig rsh off" + "check": "To determine if the system is configured to audit calls to the\n\"adjtimex\" system call, run the following command:\n\n$ sudo grep -w \"adjtimex\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding.\n", + "fix": "On a 32-bit system, add the following to\n\"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules\n\nOn a 64-bit system, add the following to \"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules" }, - "code": "control \"V-38594\" do\n title \"The rshd service must not be running.\"\n desc \"The rsh service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000033\"\n tag \"gid\": \"V-38594\"\n tag \"rid\": \"SV-50395r2_rule\"\n tag \"stig_id\": \"RHEL-06-000214\"\n tag \"fix_id\": \"F-43542r3_fix\"\n tag \"cci\": 
[\"CCI-000068\"]\n tag \"nist\": [\"AC-17 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"rsh\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"rsh\\\" --list\n\nOutput should indicate the \\\"rsh\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"rsh\\\" --list\nrsh off\nOR\nerror reading information on service rsh: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"rsh\\\" service, which is available with the \\\"rsh-server\\\"\npackage and runs as a service through xinetd, should be disabled. The \\\"rsh\\\"\nservice can be disabled with the following command:\n\n# chkconfig rsh off\"\n\n describe.one do\n describe package(\"rsh-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/rsh\") do\n its(\"content\") { should match(/^\\s*disable\\s+=\\s+yes\\s*$/) }\n end\n end\nend\n", + "code": "control \"V-81441\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through adjtimex.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). 
All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-81441\"\n tag \"rid\": \"SV-96155r1_rule\"\n tag \"stig_id\": \"RHEL-06-000166\"\n tag \"fix_id\": \"F-88259r1_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"adjtimex\\\" system call, run the following command:\n\n$ sudo grep -w \\\"adjtimex\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding.\n\"\n tag \"fix\": \"On a 32-bit system, add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules\n\nOn a 64-bit system, add the following to \\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b32.*(?:,|-S[\\s]+)adjtimex(?:,|[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b64.*(?:,|-S[\\s]+)adjtimex(?:,|[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38594.rb", + "ref": "./Red Hat 6 STIG/controls/V-81441.rb", "line": 1 }, - "id": "V-38594" + "id": "V-81441" }, { - 
"title": "The system must require passwords to contain no more than three\nconsecutive repeating characters.", - "desc": "Passwords with excessive repeating characters may be more vulnerable\nto password-guessing attacks.", + "title": "The system default umask in /etc/profile must be 077.", + "desc": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.", "descriptions": { - "default": "Passwords with excessive repeating characters may be more vulnerable\nto password-guessing attacks." + "default": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users." }, "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38693", - "rid": "SV-50494r3_rule", - "stig_id": "RHEL-06-000299", - "fix_id": "F-43642r3_fix", + "gid": "V-38647", + "rid": "SV-50448r1_rule", + "stig_id": "RHEL-06-000344", + "fix_id": "F-43596r1_fix", "cci": [ "CCI-000366" ], 
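Review bot: In the new V-81441 `code` string the `arch=b32` regex is asserted unconditionally while the `arch=b64` regex is the sole member of a `describe.one`, so a 64-bit host that applied exactly the 64-bit line from the fix text still fails on the missing b32 rule, and the single-member `describe.one` changes nothing. If both rules are intentionally required on 64-bit hosts, say so in a comment in the control; if not, drop the wrapper and guard the b64 `describe` with `if os.arch == 'x86_64'` (and mirror the guard for b32 where it is meant to be optional). Both matchers read `/etc/audit/audit.rules` on disk rather than the loaded ruleset, which mirrors the STIG check text but means a rule present in the file and not loaded passes; worth noting in the control's description.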
@@ -7844,35 +7893,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the maximum value for consecutive repeating\ncharacters, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nLook for the value of the \"maxrepeat\" parameter.\n\nIf \"maxrepeat\" is not found or is set to a value less than \"3\", this is a\nfinding.", - "fix": "The pam_cracklib module's \"maxrepeat\" parameter controls\nrequirements for consecutive repeating characters. When set to a positive\nnumber, it will reject passwords which contain more than that number of\nconsecutive characters.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"maxrepeat=3\"\nafter pam_cracklib.so to prevent a run of (3 + 1) or more identical characters.\n\npassword required pam_cracklib.so maxrepeat=3 " + "check": "Verify the \"umask\" setting is configured correctly in the\n\"/etc/profile\" file by running the following command:\n\n# grep \"umask\" /etc/profile\n\nAll output must show the value of \"umask\" set to 077, as shown in the below:\n\n# grep \"umask\" /etc/profile\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.", + "fix": "To ensure the default umask controlled by \"/etc/profile\" is set\nproperly, add or correct the \"umask\" setting in \"/etc/profile\" to read as\nfollows:\n\numask 077" }, - "code": "control \"V-38693\" do\n title \"The system must require passwords to contain no more than three\nconsecutive repeating characters.\"\n desc \"Passwords with excessive repeating characters may be more vulnerable\nto password-guessing attacks.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38693\"\n tag \"rid\": \"SV-50494r3_rule\"\n tag \"stig_id\": \"RHEL-06-000299\"\n tag \"fix_id\": \"F-43642r3_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": 
nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the maximum value for consecutive repeating\ncharacters, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nLook for the value of the \\\"maxrepeat\\\" parameter.\n\nIf \\\"maxrepeat\\\" is not found or is set to a value less than \\\"3\\\", this is a\nfinding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"maxrepeat\\\" parameter controls\nrequirements for consecutive repeating characters. When set to a positive\nnumber, it will reject passwords which contain more than that number of\nconsecutive characters.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"maxrepeat=3\\\"\nafter pam_cracklib.so to prevent a run of (3 + 1) or more identical characters.\n\npassword required pam_cracklib.so maxrepeat=3 \"\n\n pam_files = [\"/etc/pam.d/system-auth\", \"/etc/pam.d/password-auth\"]\n pam_files.each do |pam_file|\n lines = command(\"grep pam_cracklib #{pam_file}\").stdout.strip.split(\"\\n\")\n describe \"pam_cracklib lines in #{pam_file}\" do\n subject { lines }\n it { should_not be_empty }\n end\n\n lines.each do |l|\n describe l do\n it { should match %r{\\bmaxrepeat=([3-9]|[1-9][0-9]+)\\b} }\n end\n end\n end\nend\n", + "code": "control \"V-38647\" do\n title \"The system default umask in /etc/profile must be 077.\"\n desc \"The umask value influences the permissions assigned to files when they\nare created. 
A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38647\"\n tag \"rid\": \"SV-50448r1_rule\"\n tag \"stig_id\": \"RHEL-06-000344\"\n tag \"fix_id\": \"F-43596r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the \\\"umask\\\" setting is configured correctly in the\n\\\"/etc/profile\\\" file by running the following command:\n\n# grep \\\"umask\\\" /etc/profile\n\nAll output must show the value of \\\"umask\\\" set to 077, as shown in the below:\n\n# grep \\\"umask\\\" /etc/profile\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.\"\n tag \"fix\": \"To ensure the default umask controlled by \\\"/etc/profile\\\" is set\nproperly, add or correct the \\\"umask\\\" setting in \\\"/etc/profile\\\" to read as\nfollows:\n\numask 077\"\n\n describe file(\"/etc/profile\") do\n its(\"content\") { should match(/^[\\s]*umask[\\s]+([^#\\s]*)/) }\n end\n file(\"/etc/profile\").content.to_s.scan(/^[\\s]*umask[\\s]+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"077\" }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38693.rb", + "ref": "./Red Hat 6 STIG/controls/V-38647.rb", "line": 1 }, - "id": "V-38693" + "id": "V-38647" }, { - "title": "Auditing must be enabled at boot by setting a kernel parameter.", - "desc": "Each process on the system carries an \"auditable\" flag which\nindicates whether its activities can be audited. 
Although \"auditd\" takes care\nof enabling this for all processes which launch after it does, adding the\nkernel argument ensures it is set for every process during boot.", + "title": "The operating system must automatically audit account termination.", + "desc": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.", "descriptions": { - "default": "Each process on the system carries an \"auditable\" flag which\nindicates whether its activities can be audited. Although \"auditd\" takes care\nof enabling this for all processes which launch after it does, adding the\nkernel argument ensures it is set for every process during boot." + "default": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000062", - "gid": "V-38438", - "rid": "SV-50238r4_rule", - "stig_id": "RHEL-06-000525", - "fix_id": "F-43382r4_fix", + "gtitle": "SRG-OS-000241", + "gid": "V-38538", + "rid": "SV-50339r2_rule", + "stig_id": "RHEL-06-000177", + "fix_id": "F-43486r1_fix", "cci": [ - "CCI-000169" + "CCI-001405" ], "nist": [ - "AU-12 a", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
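Review bot: The per-entry assertion `it { should eq "077" }` in the new V-38647 `code` string rejects the equivalent four-digit spelling `umask 0077`, which the STIG intent (no group/other permissions) clearly satisfies, so a compliant file fails the control. The capture `([^#\s]*)` also admits symbolic forms such as `u=rwx,g=,o=`, which then fail by string inequality rather than by evaluation. Using `it { should match(/^0?077$/) }` accepts both octal spellings; if only the literal `077` is intended, a one-line comment in the control stating that would stop the next reader from "fixing" it.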
@@ -7885,30 +7934,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect the kernel boot arguments (which follow the word\n\"kernel\") in \"/boot/grub/grub.conf\". If they include \"audit=1\", then\nauditing is enabled at boot time.\n\nIf auditing is not enabled at boot time, this is a finding.\n\nIf the system uses UEFI inspect the kernel boot arguments (which follow the\nword \"kernel\") in \"/boot/efi/EFI/redhat/grub.conf\". If they include\n\"audit=1\", then auditing is enabled at boot time.", - "fix": "To ensure all processes can be audited, even those which start\nprior to the audit daemon, add the argument \"audit=1\" to the kernel line in\n\"/boot/grub/grub.conf\" or \"/boot/efi/EFI/redhat/grub.conf\", in the manner\nbelow:\n\nkernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet\naudit=1\n\nUEFI systems may prepend \"/boot\" to the \"/vmlinuz-version\" argument." + "check": "To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \"-p wa\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.", + "fix": "Add the following to \"/etc/audit/audit.rules\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes" }, - "code": "control \"V-38438\" do\n title \"Auditing must be enabled at boot by setting a kernel parameter.\"\n desc \"Each process on the system carries an \\\"auditable\\\" flag which\nindicates whether 
its activities can be audited. Although \\\"auditd\\\" takes care\nof enabling this for all processes which launch after it does, adding the\nkernel argument ensures it is set for every process during boot.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38438\"\n tag \"rid\": \"SV-50238r4_rule\"\n tag \"stig_id\": \"RHEL-06-000525\"\n tag \"fix_id\": \"F-43382r4_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect the kernel boot arguments (which follow the word\n\\\"kernel\\\") in \\\"/boot/grub/grub.conf\\\". If they include \\\"audit=1\\\", then\nauditing is enabled at boot time.\n\nIf auditing is not enabled at boot time, this is a finding.\n\nIf the system uses UEFI inspect the kernel boot arguments (which follow the\nword \\\"kernel\\\") in \\\"/boot/efi/EFI/redhat/grub.conf\\\". 
If they include\n\\\"audit=1\\\", then auditing is enabled at boot time.\"\n tag \"fix\": \"To ensure all processes can be audited, even those which start\nprior to the audit daemon, add the argument \\\"audit=1\\\" to the kernel line in\n\\\"/boot/grub/grub.conf\\\" or \\\"/boot/efi/EFI/redhat/grub.conf\\\", in the manner\nbelow:\n\nkernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet\naudit=1\n\nUEFI systems may prepend \\\"/boot\\\" to the \\\"/vmlinuz-version\\\" argument.\"\n\n describe.one do\n describe file(\"/boot/grub/grub.conf\") do\n its(\"content\") { should match(/^\\s*kernel\\s(?:\\/boot)?\\/vmlinuz.*audit=1.*$/) }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n its(\"content\") { should match(/^\\s*kernel\\s(?:\\/boot)?\\/vmlinuz.*audit=1.*$/) }\n end\n end\nend\n", + "code": "control \"V-38538\" do\n title \"The operating system must automatically audit account termination.\"\n desc \"In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. 
Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000241\"\n tag \"gid\": \"V-38538\"\n tag \"rid\": \"SV-50339r2_rule\"\n tag \"stig_id\": \"RHEL-06-000177\"\n tag \"fix_id\": \"F-43486r1_fix\"\n tag \"cci\": [\"CCI-001405\"]\n tag \"nist\": [\"AC-2 (4)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \\\"-p wa\\\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe 
file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38438.rb", + "ref": "./Red Hat 6 STIG/controls/V-38538.rb", "line": 1 }, - "id": "V-38438" + "id": "V-38538" }, { - "title": "The system boot loader configuration file(s) must be owned by root.", - "desc": "Only root should be able to modify important boot parameters.", + "title": "The x86 Ctrl-Alt-Delete key sequence must be disabled.", + "desc": "A locally logged-in user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", "descriptions": { - "default": "Only root should be able to modify important boot parameters." + "default": "A locally logged-in user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38579", - "rid": "SV-50380r2_rule", - "stig_id": "RHEL-06-000065", - "fix_id": "F-43527r2_fix", + "gid": "V-38668", + "rid": "SV-50469r4_rule", + "stig_id": "RHEL-06-000286", + "fix_id": "F-43617r3_fix", "cci": [ "CCI-000366" ], 
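Review bot: The five `describe file("/etc/audit/audit.rules")` blocks in the new V-38538 `code` string differ only in the watched path and each hard-codes `-k\s+\w+`, so a key containing a hyphen (e.g. `-k account-changes`) is a false finding, and a permission string written as `-p rwa` or `-p aw` is likewise missed although it still covers write and attribute changes. A loop over the five paths with `Regexp.escape` and a looser key class keeps one regex to maintain; the rewritten body of the `code` value (Ruby inside the JSON string) is below, with the `-p` handling left as `wa` unless the reviewer confirms looser orderings are acceptable. The remaining tail of the hunk is the start of V-38668, whose body continues past this hunk.
```ruby
  # … unchanged: title / desc / impact / tag lines …
  %w(/etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd).each do |watched|
    describe file("/etc/audit/audit.rules") do
      its("content") { should match(%r{^-w\s+#{Regexp.escape(watched)}\s+-p\s+wa\s+-k\s+\S+\s*$}) }
    end
  end
```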
@@ -7926,35 +7975,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the ownership of \"/boot/grub/grub.conf\", run the\ncommand:\n\n$ ls -lL /boot/grub/grub.conf\n\nIf properly configured, the output should indicate that the owner is \"root\".\nIf it does not, this is a finding.", - "fix": "The file \"/boot/grub/grub.conf\" should be owned by the \"root\"\nuser to prevent destruction or modification of the file. To properly set the\nowner of \"/boot/grub/grub.conf\", run the command:\n\n# chown root /boot/grub/grub.conf" + "check": "To ensure the system is configured to log a message instead of\nrebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line\nis in \"/etc/init/control-alt-delete.override\":\n\nexec /usr/bin/logger -p authpriv.notice \"Ctrl-Alt-Delete pressed\"\n\nIf the system is not configured to block the shutdown command when\nCtrl-Alt-Delete is pressed, this is a finding. ", + "fix": "By default, the system includes the following line in\n\"/etc/init/control-alt-delete.conf\" to reboot the system when the\nCtrl-Alt-Delete key sequence is pressed:\n\nexec /sbin/shutdown -r now \"Ctrl-Alt-Delete pressed\"\n\n\nTo configure the system to log a message instead of rebooting the system, add\nthe following line to \"/etc/init/control-alt-delete.override\" to read as\nfollows:\n\nexec /usr/bin/logger -p authpriv.notice \"Ctrl-Alt-Delete pressed\"" }, - "code": "control \"V-38579\" do\n title \"The system boot loader configuration file(s) must be owned by root.\"\n desc \"Only root should be able to modify important boot parameters.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38579\"\n tag \"rid\": \"SV-50380r2_rule\"\n tag \"stig_id\": \"RHEL-06-000065\"\n tag \"fix_id\": \"F-43527r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag 
\"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the ownership of \\\"/boot/grub/grub.conf\\\", run the\ncommand:\n\n$ ls -lL /boot/grub/grub.conf\n\nIf properly configured, the output should indicate that the owner is \\\"root\\\".\nIf it does not, this is a finding.\"\n tag \"fix\": \"The file \\\"/boot/grub/grub.conf\\\" should be owned by the \\\"root\\\"\nuser to prevent destruction or modification of the file. To properly set the\nowner of \\\"/boot/grub/grub.conf\\\", run the command:\n\n# chown root /boot/grub/grub.conf\"\n\n describe.one do\n describe file(\"/boot/grub/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/grub/grub.conf\") do\n its(\"uid\") { should cmp 0 }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n it { should exist }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n its(\"uid\") { should cmp 0 }\n end\n end\nend\n", + "code": "control \"V-38668\" do\n title \"The x86 Ctrl-Alt-Delete key sequence must be disabled.\"\n desc \"A locally logged-in user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38668\"\n tag \"rid\": \"SV-50469r4_rule\"\n tag \"stig_id\": \"RHEL-06-000286\"\n tag \"fix_id\": \"F-43617r3_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the system is configured to log a message instead of\nrebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line\nis in \\\"/etc/init/control-alt-delete.override\\\":\n\nexec /usr/bin/logger -p authpriv.notice \\\"Ctrl-Alt-Delete pressed\\\"\n\nIf the system is not configured to block the shutdown command when\nCtrl-Alt-Delete is pressed, this is a finding. 
\"\n tag \"fix\": \"By default, the system includes the following line in\n\\\"/etc/init/control-alt-delete.conf\\\" to reboot the system when the\nCtrl-Alt-Delete key sequence is pressed:\n\nexec /sbin/shutdown -r now \\\"Ctrl-Alt-Delete pressed\\\"\n\n\nTo configure the system to log a message instead of rebooting the system, add\nthe following line to \\\"/etc/init/control-alt-delete.override\\\" to read as\nfollows:\n\nexec /usr/bin/logger -p authpriv.notice \\\"Ctrl-Alt-Delete pressed\\\"\"\n\n describe file(\"/etc/init/control-alt-delete.override\") do\n its(\"content\") { should match(/^\\s*exec \\/usr\\/bin\\/logger -p authpriv\\.notice \"Ctrl-Alt-Delete pressed\"\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38579.rb", + "ref": "./Red Hat 6 STIG/controls/V-38668.rb", "line": 1 }, - "id": "V-38579" + "id": "V-38668" }, { - "title": "The operating system must employ automated mechanisms, per\norganization defined frequency, to detect the addition of unauthorized\ncomponents/devices into the operating system.", - "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", + "title": "The system must not accept IPv4 source-routed packets by default.", + "desc": "Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required.", "descriptions": { - "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." + "default": "Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000098", - "gid": "V-38696", - "rid": "SV-50497r2_rule", - "stig_id": "RHEL-06-000303", - "fix_id": "F-43645r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38529", + "rid": "SV-50330r2_rule", + "stig_id": "RHEL-06-000089", + "fix_id": "F-43478r1_fix", "cci": [ - "CCI-000416" + "CCI-000366" ], "nist": [ - "CM-8 (3) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
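Review bot: Every control in this hunk is a Red Hat 6 STIG control — `"ref": "./Red Hat 6 STIG/controls/V-38668.rb"`, `"stig_id": "RHEL-06-000286"`, and a test of the Upstart file `/etc/init/control-alt-delete.override` — yet the file being patched is `canonical-ubuntu-16.04-lts-stig-baseline.json`, where these checks cannot pass on a systemd-based Ubuntu 16.04 host. The same mismatch is present in the following hunks (V-38529 via `/etc/sysctl.conf`, V-38638 via `gconftool-2`, V-38487 via `/etc/yum.repos.d`, V-38599 via `/etc/vsftpd/vsftpd.conf`), so it appears the JSON was exported from the wrong profile rather than from the Ubuntu one. Either regenerate this asset from the Ubuntu 16.04 profile or rename it to reflect the RHEL 6 content it actually carries, otherwise consumers comparing results against this baseline will see the wrong control set.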
@@ -7967,35 +8016,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.", - "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." + "check": "The status of the \"net.ipv4.conf.default.accept_source_route\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_source_route\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.accept_source_route\" kernel parameter, run the\nfollowing command:\n\n# sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.accept_source_route = 0" }, - "code": "control \"V-38696\" do\n title \"The operating system must employ automated mechanisms, per\norganization defined frequency, to detect the addition of unauthorized\ncomponents/devices into the operating system.\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000098\"\n tag \"gid\": \"V-38696\"\n tag \"rid\": \"SV-50497r2_rule\"\n tag \"stig_id\": \"RHEL-06-000303\"\n tag \"fix_id\": \"F-43645r1_fix\"\n tag \"cci\": [\"CCI-000416\"]\n tag \"nist\": [\"CM-8 (3) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", + "code": "control \"V-38529\" do\n title \"The 
system must not accept IPv4 source-routed packets by default.\"\n desc \"Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38529\"\n tag \"rid\": \"SV-50330r2_rule\"\n tag \"stig_id\": \"RHEL-06-000089\"\n tag \"fix_id\": \"F-43478r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.accept_source_route\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_source_route\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.accept_source_route\\\" kernel parameter, run the\nfollowing command:\n\n# sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.accept_source_route = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.accept_source_route\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.accept_source_route\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.accept_source_route[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38696.rb", + "ref": "./Red Hat 6 STIG/controls/V-38529.rb", "line": 1 }, - "id": "V-38696" + "id": "V-38529" }, { - "title": "The system boot loader must require authentication.", - "desc": "Password protection on the boot loader configuration ensures users\nwith physical access cannot trivially alter important bootloader settings.\nThese include which kernel to use, and whether to enter single-user mode.", + "title": "The graphical desktop environment must have automatic lock enabled.", + "desc": "Enabling the activation of the screen lock after an idle period\nensures password entry will be required in order to access the system,\npreventing access by passersby.", "descriptions": { - "default": "Password protection on the boot loader configuration ensures users\nwith physical access cannot trivially alter important bootloader settings.\nThese include which kernel to use, and whether to enter single-user mode." + "default": "Enabling the activation of the screen lock after an idle period\nensures password entry will be required in order to access the system,\npreventing access by passersby." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000080", - "gid": "V-38585", - "rid": "SV-50386r4_rule", - "stig_id": "RHEL-06-000068", - "fix_id": "F-43533r3_fix", + "gtitle": "SRG-OS-000029", + "gid": "V-38638", + "rid": "SV-50439r3_rule", + "stig_id": "RHEL-06-000259", + "fix_id": "F-43587r1_fix", "cci": [ - "CCI-000213" + "CCI-000057" ], "nist": [ - "AC-3", + "AC-11 a", "Rev_4" ], "false_negatives": null, 
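Review bot: `"impact": 0` for V-38638 disagrees with the `impact 0.5` declared in that control's code in the next hunk; the control body contains `impact 0.0` in its "GConf2 not installed" branch, and since that branch is evaluated when the profile is loaded, the exported value reflects the state of the machine that produced the JSON rather than the control's declared severity. V-38599 in the hunk ending at the `"impact": 0` line for the FTP banner control looks like the same situation, though its code is outside this chunk. A baseline should carry the declared severity, so the export should be produced on a host where the conditional branches do not fire, or the consumer should be documented as treating a `0` here as "not applicable at export time" instead of "low severity".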
@@ -8008,35 +8057,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the boot loader password has been set and encrypted,\nrun the following command:\n\n# grep password /boot/grub/grub.conf\n\nThe output should show the following:\n\npassword --encrypted $6$[rest-of-the-password-hash]\n\nIf it does not, this is a finding.\n\nIf the system uses UEFI verify the boot loader password has been set and\nencrypted:\n\n# grep password /boot/efi/EFI/redhat/grub.conf", - "fix": "The grub boot loader should have password protection enabled to\nprotect boot-time settings. To do so, select a password and then generate a\nhash from it by running the following command:\n\n# grub-crypt --sha-512\n\nWhen prompted to enter a password, insert the following line into\n\"/boot/grub/grub.conf\" or \"/boot/efi/EFI/redhat/grub.conf\" immediately after\nthe header comments. (Use the output from \"grub-crypt\" as the value of\n[password-hash]):\n\npassword --encrypted [password-hash]" + "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo check the status of the idle screen lock activation, run the following\ncommand:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/lock_enabled\n\nIf properly configured, the output should be \"true\".\nIf it is not, this is a finding.", + "fix": "Run the following command to activate locking of the screensaver\nin the GNOME desktop when it is activated:\n\n# gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool \\\n--set /apps/gnome-screensaver/lock_enabled true" }, - "code": "control \"V-38585\" do\n title \"The system boot loader must require authentication.\"\n desc \"Password protection on the boot loader configuration ensures users\nwith physical access cannot trivially alter important bootloader settings.\nThese include which kernel to use, and whether to 
enter single-user mode.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000080\"\n tag \"gid\": \"V-38585\"\n tag \"rid\": \"SV-50386r4_rule\"\n tag \"stig_id\": \"RHEL-06-000068\"\n tag \"fix_id\": \"F-43533r3_fix\"\n tag \"cci\": [\"CCI-000213\"]\n tag \"nist\": [\"AC-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the boot loader password has been set and encrypted,\nrun the following command:\n\n# grep password /boot/grub/grub.conf\n\nThe output should show the following:\n\npassword --encrypted $6$[rest-of-the-password-hash]\n\nIf it does not, this is a finding.\n\nIf the system uses UEFI verify the boot loader password has been set and\nencrypted:\n\n# grep password /boot/efi/EFI/redhat/grub.conf\"\n tag \"fix\": \"The grub boot loader should have password protection enabled to\nprotect boot-time settings. To do so, select a password and then generate a\nhash from it by running the following command:\n\n# grub-crypt --sha-512\n\nWhen prompted to enter a password, insert the following line into\n\\\"/boot/grub/grub.conf\\\" or \\\"/boot/efi/EFI/redhat/grub.conf\\\" immediately after\nthe header comments. 
(Use the output from \\\"grub-crypt\\\" as the value of\n[password-hash]):\n\npassword --encrypted [password-hash]\"\n\n describe.one do\n describe file(\"/boot/grub/grub.conf\") do\n its(\"content\") { should match(/^\\s*password\\s+--encrypted\\s+.*/) }\n end\n describe file(\"/boot/efi/EFI/redhat/grub.conf\") do\n its(\"content\") { should match(/^\\s*password\\s+--encrypted\\s+.*/) }\n end\n end\nend\n", + "code": "control \"V-38638\" do\n title \"The graphical desktop environment must have automatic lock enabled.\"\n desc \"Enabling the activation of the screen lock after an idle period\nensures password entry will be required in order to access the system,\npreventing access by passersby.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000029\"\n tag \"gid\": \"V-38638\"\n tag \"rid\": \"SV-50439r3_rule\"\n tag \"stig_id\": \"RHEL-06-000259\"\n tag \"fix_id\": \"F-43587r1_fix\"\n tag \"cci\": [\"CCI-000057\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo check the status of the idle screen lock activation, run the following\ncommand:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/lock_enabled\n\nIf properly configured, the output should be \\\"true\\\".\nIf it is not, this is a finding.\"\n tag \"fix\": \"Run the following command to activate locking of the screensaver\nin the GNOME desktop when it is activated:\n\n# gconftool-2 --direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type bool \\\\\n--set /apps/gnome-screensaver/lock_enabled true\"\n\n if 
package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled\") do\n its('stdout.strip') { should eq 'true' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38585.rb", + "ref": "./Red Hat 6 STIG/controls/V-38638.rb", "line": 1 }, - "id": "V-38585" + "id": "V-38638" }, { - "title": "The system must require passwords to contain at least one lower-case\nalphabetic character.", - "desc": "Requiring a minimum number of lower-case characters makes password\nguessing attacks more difficult by ensuring a larger search space.", + "title": "The system package management tool must cryptographically verify the\nauthenticity of all software packages during installation.", + "desc": "Ensuring all packages' cryptographic signatures are valid prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering.", "descriptions": { - "default": "Requiring a minimum number of lower-case characters makes password\nguessing attacks more difficult by ensuring a larger search space." + "default": "Ensuring all packages' cryptographic signatures are valid prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000070", - "gid": "V-38571", - "rid": "SV-50372r3_rule", - "stig_id": "RHEL-06-000059", - "fix_id": "F-43519r3_fix", + "gtitle": "SRG-OS-000103", + "gid": "V-38487", + "rid": "SV-50288r1_rule", + "stig_id": "RHEL-06-000015", + "fix_id": "F-43433r1_fix", "cci": [ - "CCI-000193" + "CCI-000663" ], "nist": [ - "IA-5 (1) (a)", + "SA-7", "Rev_4" ], "false_negatives": null, 
@@ -8049,35 +8098,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check how many lower-case characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"lcredit\" parameter (as a negative number) will indicate how many\nlower-case characters are required. The DoD requires at least one lower-case\ncharacter in a password. This would appear as \"lcredit=-1\".\n\nIf \"lcredit\" is not found or not set to the required value, this is a finding.", - "fix": "The pam_cracklib module's \"lcredit=\" parameter controls\nrequirements for usage of lower-case letters in a password. When set to a\nnegative number, any password will be required to contain that many lower-case\ncharacters.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"lcredit=-1\"\nafter pam_cracklib.so to require use of a lower-case character in passwords.\n" + "check": "To determine whether \"yum\" has been configured to disable\n\"gpgcheck\" for any repos, inspect all files in \"/etc/yum.repos.d\" and\nensure the following does not appear in any sections:\n\ngpgcheck=0\n\nA value of \"0\" indicates that \"gpgcheck\" has been disabled for that repo.\nIf GPG checking is disabled, this is a finding.\n\nIf the \"yum\" system package management tool is not used to update the system,\nverify with the SA that installed packages are cryptographically signed.", + "fix": "To ensure signature checking is not disabled for any repos,\nremove any lines from files in \"/etc/yum.repos.d\" of the form:\n\ngpgcheck=0" }, - "code": "control \"V-38571\" do\n title \"The system must require passwords to contain at least one lower-case\nalphabetic character.\"\n desc \"Requiring a minimum number of lower-case characters makes password\nguessing attacks more difficult by ensuring a larger search space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000070\"\n tag \"gid\": 
\"V-38571\"\n tag \"rid\": \"SV-50372r3_rule\"\n tag \"stig_id\": \"RHEL-06-000059\"\n tag \"fix_id\": \"F-43519r3_fix\"\n tag \"cci\": [\"CCI-000193\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many lower-case characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"lcredit\\\" parameter (as a negative number) will indicate how many\nlower-case characters are required. The DoD requires at least one lower-case\ncharacter in a password. This would appear as \\\"lcredit=-1\\\".\n\nIf \\\"lcredit\\\" is not found or not set to the required value, this is a finding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"lcredit=\\\" parameter controls\nrequirements for usage of lower-case letters in a password. 
When set to a\nnegative number, any password will be required to contain that many lower-case\ncharacters.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"lcredit=-1\\\"\nafter pam_cracklib.so to require use of a lower-case character in passwords.\n\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+lcredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+lcredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+lcredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+lcredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+lcredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+lcredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should 
cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+lcredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+lcredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\nend\n", + "code": "control \"V-38487\" do\n title \"The system package management tool must cryptographically verify the\nauthenticity of all software packages during installation.\"\n desc \"Ensuring all packages' cryptographic signatures are valid prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000103\"\n tag \"gid\": \"V-38487\"\n tag \"rid\": \"SV-50288r1_rule\"\n tag \"stig_id\": \"RHEL-06-000015\"\n tag \"fix_id\": \"F-43433r1_fix\"\n tag \"cci\": [\"CCI-000663\"]\n tag \"nist\": [\"SA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine whether \\\"yum\\\" has been configured to disable\n\\\"gpgcheck\\\" for any repos, inspect all files in \\\"/etc/yum.repos.d\\\" and\nensure the following does not appear in any sections:\n\ngpgcheck=0\n\nA value of \\\"0\\\" indicates that \\\"gpgcheck\\\" has been disabled for that repo.\nIf GPG checking is disabled, this is a finding.\n\nIf the \\\"yum\\\" system package management tool is not used to update the system,\nverify with the SA that installed 
packages are cryptographically signed.\"\n tag \"fix\": \"To ensure signature checking is not disabled for any repos,\nremove any lines from files in \\\"/etc/yum.repos.d\\\" of the form:\n\ngpgcheck=0\"\n\n command(\"find /etc/yum.repos.d -type f -regex .\\\\*/.\\\\*\").stdout.split.each do |entry|\n describe file(entry) do\n its(\"content\") { should_not match(/^\\s*gpgcheck\\s*=\\s*0\\s*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38571.rb", + "ref": "./Red Hat 6 STIG/controls/V-38487.rb", "line": 1 }, - "id": "V-38571" + "id": "V-38487" }, { - "title": "The sudo command must require authentication.", - "desc": "The \"sudo\" command allows authorized users to run programs\n(including shells) as other users, system users, and root. The \"/etc/sudoers\"\nfile is used to configure authorized \"sudo\" users as well as the programs\nthey are allowed to run. Some configuration options in the \"/etc/sudoers\"\nfile allow configured users to run programs without re-authenticating. Use of\nthese configuration options makes it easier for one compromised account to be\nused to compromise other accounts.", + "title": "The FTPS/FTP service on the system must be configured with the\nDepartment of Defense (DoD) login banner.", + "desc": "This setting will cause the system greeting banner to be used for FTP\nconnections as well.", "descriptions": { - "default": "The \"sudo\" command allows authorized users to run programs\n(including shells) as other users, system users, and root. The \"/etc/sudoers\"\nfile is used to configure authorized \"sudo\" users as well as the programs\nthey are allowed to run. Some configuration options in the \"/etc/sudoers\"\nfile allow configured users to run programs without re-authenticating. Use of\nthese configuration options makes it easier for one compromised account to be\nused to compromise other accounts." 
+ "default": "This setting will cause the system greeting banner to be used for FTP\nconnections as well." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000373", - "gid": "V-58901", - "rid": "SV-73331r2_rule", - "stig_id": "RHEL-06-000529", - "fix_id": "F-64285r1_fix", + "gtitle": "SRG-OS-000023", + "gid": "V-38599", + "rid": "SV-50400r2_rule", + "stig_id": "RHEL-06-000348", + "fix_id": "F-43564r3_fix", "cci": [ - "CCI-002038" + "CCI-000048" ], "nist": [ - "IA-11", + "AC-8 a", "Rev_4" ], "false_negatives": null, 
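Review bot: The V-38487 test iterates `command("find /etc/yum.repos.d -type f ...").stdout.split`, so when the directory is empty or absent no `describe` block is ever generated and the control produces no result at all rather than a finding or a skip; a guard such as `describe "repo files" do skip "/etc/yum.repos.d has no files" end` in the empty case would make that state visible. Splitting `stdout` on whitespace also breaks on file names containing spaces, which `stdout.lines.map(&:chomp)` would avoid. Separately, a `gpgcheck=0` under `[main]` in `/etc/yum.conf` disables signature verification for every repo that does not override it, so the same `should_not match(/^\s*gpgcheck\s*=\s*0\s*$/)` assertion on `file("/etc/yum.conf")` would close that gap even though the STIG text only names the repo directory.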
@@ -8090,35 +8139,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If passwords are not being used for authentication, this is Not\nApplicable.\n\nVerify neither the \"NOPASSWD\" option nor the \"!authenticate\" option is\nconfigured for use in \"/etc/sudoers\" and associated files. Note that the\n\"#include\" and \"#includedir\" directives may be used to include\nconfiguration data from locations other than the defaults enumerated here.\n\n# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*\n# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*\n\nIf the \"NOPASSWD\" or \"!authenticate\" options are configured for use in\n\"/etc/sudoers\" or associated files, this is a finding.", - "fix": "Update the \"/etc/sudoers\" or other sudo configuration files to\nremove or comment out lines utilizing the \"NOPASSWD\" and \"!authenticate\"\noptions.\n\n# visudo\n# visudo -f [other sudo configuration file]" + "check": "To verify this configuration, run the following command:\n\ngrep \"banner_file\" /etc/vsftpd/vsftpd.conf\n\nThe output should show the value of \"banner_file\" is set to \"/etc/issue\",\nan example of which is shown below.\n\n# grep \"banner_file\" /etc/vsftpd/vsftpd.conf\nbanner_file=/etc/issue\n\n\nIf it does not, this is a finding.", + "fix": "Edit the vsftpd configuration file, which resides at\n\"/etc/vsftpd/vsftpd.conf\" by default. Add or correct the following\nconfiguration options.\n\nbanner_file=/etc/issue\n\nRestart the vsftpd daemon.\n\n# service vsftpd restart" }, - "code": "control \"V-58901\" do\n title \"The sudo command must require authentication.\"\n desc \"The \\\"sudo\\\" command allows authorized users to run programs\n(including shells) as other users, system users, and root. The \\\"/etc/sudoers\\\"\nfile is used to configure authorized \\\"sudo\\\" users as well as the programs\nthey are allowed to run. 
Some configuration options in the \\\"/etc/sudoers\\\"\nfile allow configured users to run programs without re-authenticating. Use of\nthese configuration options makes it easier for one compromised account to be\nused to compromise other accounts.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000373\"\n tag \"gid\": \"V-58901\"\n tag \"rid\": \"SV-73331r2_rule\"\n tag \"stig_id\": \"RHEL-06-000529\"\n tag \"fix_id\": \"F-64285r1_fix\"\n tag \"cci\": [\"CCI-002038\"]\n tag \"nist\": [\"IA-11\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If passwords are not being used for authentication, this is Not\nApplicable.\n\nVerify neither the \\\"NOPASSWD\\\" option nor the \\\"!authenticate\\\" option is\nconfigured for use in \\\"/etc/sudoers\\\" and associated files. 
Note that the\n\\\"#include\\\" and \\\"#includedir\\\" directives may be used to include\nconfiguration data from locations other than the defaults enumerated here.\n\n# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*\n# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*\n\nIf the \\\"NOPASSWD\\\" or \\\"!authenticate\\\" options are configured for use in\n\\\"/etc/sudoers\\\" or associated files, this is a finding.\"\n tag \"fix\": \"Update the \\\"/etc/sudoers\\\" or other sudo configuration files to\nremove or comment out lines utilizing the \\\"NOPASSWD\\\" and \\\"!authenticate\\\"\noptions.\n\n# visudo\n# visudo -f [other sudo configuration file]\"\n\n describe command(\"grep -ie '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*\") do\n its('stdout') { should be_empty }\n end\n\n describe command(\"grep -ie '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*\") do\n its('stdout') { should be_empty }\n end\nend\n", + "code": "control \"V-38599\" do\n title \"The FTPS/FTP service on the system must be configured with the\nDepartment of Defense (DoD) login banner.\"\n desc \"This setting will cause the system greeting banner to be used for FTP\nconnections as well.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000023\"\n tag \"gid\": \"V-38599\"\n tag \"rid\": \"SV-50400r2_rule\"\n tag \"stig_id\": \"RHEL-06-000348\"\n tag \"fix_id\": \"F-43564r3_fix\"\n tag \"cci\": [\"CCI-000048\"]\n tag \"nist\": [\"AC-8 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify this configuration, run the following command:\n\ngrep \\\"banner_file\\\" /etc/vsftpd/vsftpd.conf\n\nThe output should show the value of \\\"banner_file\\\" is set to \\\"/etc/issue\\\",\nan 
example of which is shown below.\n\n# grep \\\"banner_file\\\" /etc/vsftpd/vsftpd.conf\nbanner_file=/etc/issue\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"Edit the vsftpd configuration file, which resides at\n\\\"/etc/vsftpd/vsftpd.conf\\\" by default. Add or correct the following\nconfiguration options.\n\nbanner_file=/etc/issue\n\nRestart the vsftpd daemon.\n\n# service vsftpd restart\"\n\n if package('vsftpd').installed?\n describe file('/etc/vsftpd/vsftpd.conf') do\n it { should exist }\n end\n describe parse_config_file('/etc/vsftpd/vsftpd.conf') do\n its('banner_file') { should eq '/etc/issue' }\n end\n else\n impact 0.0\n describe \"Package vsftpd not installed\" do\n skip \"Package vsftpd not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-58901.rb", + "ref": "./Red Hat 6 STIG/controls/V-38599.rb", "line": 1 }, - "id": "V-58901" + "id": "V-38599" }, { - "title": "Temporary accounts must be provisioned with an expiration date.", - "desc": "When temporary accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. Account\nexpiration greatly reduces the risk of accounts being misused or hijacked.", + "title": "The operating system must support the requirement to centrally manage\nthe content of audit records generated by organization defined information\nsystem components.", + "desc": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.", "descriptions": { - "default": "When temporary accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. 
Account\nexpiration greatly reduces the risk of accounts being misused or hijacked." + "default": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000002", - "gid": "V-38685", - "rid": "SV-50486r1_rule", - "stig_id": "RHEL-06-000297", - "fix_id": "F-43634r1_fix", + "gtitle": "SRG-OS-000043", + "gid": "V-38521", + "rid": "SV-50322r1_rule", + "stig_id": "RHEL-06-000137", + "fix_id": "F-43656r1_fix", "cci": [ - "CCI-000016" + "CCI-000169" ], "nist": [ - "AC-2 (2)", + "AU-12 a", "Rev_4" ], "false_negatives": null, 
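Review bot: The V-38599 code in this hunk only inspects vsftpd (`if package('vsftpd').installed?`) and otherwise skips as Not Applicable with `impact 0.0`, so a host serving FTP/FTPS with any other daemon reports N/A rather than a finding although the title covers "FTPS/FTP" generally. That runtime override also appears to be why the exported `"impact"` for this control reads 0 in the preceding hunk while the code declares `impact 0.5`: an `inspec json` export taken where vsftpd is absent records the overridden value, so the baseline understates the severity for every consumer of this JSON — presumably the export should not depend on package state, or the branch should `skip` without touching impact. At minimum the skip message should say what was not checked, e.g. `skip "Package vsftpd not installed; only vsftpd is covered by this control, verify any other FTP daemon manually"`. This control's JSON object begins in the previous hunk, and since the file is an export the change belongs in `./Red Hat 6 STIG/controls/V-38599.rb` with the baseline regenerated.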
@@ -8131,35 +8180,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "For every temporary account, run the following command to\nobtain its account aging and expiration information:\n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented.\nIf any temporary accounts have no expiration date set or do not expire within a\ndocumented time frame, this is a finding.", - "fix": "In the event temporary accounts are required, configure the\nsystem to terminate them after a documented time period. For every temporary\naccount, run the following command to set an expiration date on it,\nsubstituting \"[USER]\" and \"[YYYY-MM-DD]\" appropriately:\n\n# chage -E [YYYY-MM-DD] [USER]\n\n\"[YYYY-MM-DD]\" indicates the documented expiration date for the account." + "check": "To ensure logs are sent to a remote host, examine the file\n\"/etc/rsyslog.conf\". If using UDP, a line similar to the following should be\npresent:\n\n*.* @[loghost.example.com]\n\nIf using TCP, a line similar to the following should be present:\n\n*.* @@[loghost.example.com]\n\nIf using RELP, a line similar to the following should be present:\n\n*.* :omrelp:[loghost.example.com]\n\n\nIf none of these are present, this is a finding.", + "fix": "To configure rsyslog to send logs to a remote log server, open\n\"/etc/rsyslog.conf\" and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote logging.\nAlong with these other directives, the system can be configured to forward its\nlogs to a particular log server by adding or correcting one of the following\nlines, substituting \"[loghost.example.com]\" appropriately. 
The choice of\nprotocol depends on the environment of the system; although TCP and RELP\nprovide more reliable message delivery, they may not be supported in all\nenvironments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com]" }, - "code": "control \"V-38685\" do\n title \"Temporary accounts must be provisioned with an expiration date.\"\n desc \"When temporary accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. Account\nexpiration greatly reduces the risk of accounts being misused or hijacked.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000002\"\n tag \"gid\": \"V-38685\"\n tag \"rid\": \"SV-50486r1_rule\"\n tag \"stig_id\": \"RHEL-06-000297\"\n tag \"fix_id\": \"F-43634r1_fix\"\n tag \"cci\": [\"CCI-000016\"]\n tag \"nist\": [\"AC-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"For every temporary account, run the following command to\nobtain its account aging and expiration information:\n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented.\nIf any temporary accounts have no expiration date set or do not expire within a\ndocumented time frame, this is a finding.\"\n tag \"fix\": \"In the event temporary accounts are required, configure the\nsystem to terminate them after a documented time period. 
For every temporary\naccount, run the following command to set an expiration date on it,\nsubstituting \\\"[USER]\\\" and \\\"[YYYY-MM-DD]\\\" appropriately:\n\n# chage -E [YYYY-MM-DD] [USER]\n\n\\\"[YYYY-MM-DD]\\\" indicates the documented expiration date for the account.\"\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe \"Temporary accounts\" do\n it { should_be empty }\n end\n else\n temporary_accounts.each do |acct|\n describe shadow.users(acct) do\n its('max_days.first.to_i') { should cmp <= input('temporary_accounts_expiration_days') }\n end\n end\n end\nend\n", + "code": "control \"V-38521\" do\n title \"The operating system must support the requirement to centrally manage\nthe content of audit records generated by organization defined information\nsystem components.\"\n desc \"A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000043\"\n tag \"gid\": \"V-38521\"\n tag \"rid\": \"SV-50322r1_rule\"\n tag \"stig_id\": \"RHEL-06-000137\"\n tag \"fix_id\": \"F-43656r1_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure logs are sent to a remote host, examine the file\n\\\"/etc/rsyslog.conf\\\". 
If using UDP, a line similar to the following should be\npresent:\n\n*.* @[loghost.example.com]\n\nIf using TCP, a line similar to the following should be present:\n\n*.* @@[loghost.example.com]\n\nIf using RELP, a line similar to the following should be present:\n\n*.* :omrelp:[loghost.example.com]\n\n\nIf none of these are present, this is a finding.\"\n tag \"fix\": \"To configure rsyslog to send logs to a remote log server, open\n\\\"/etc/rsyslog.conf\\\" and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote logging.\nAlong with these other directives, the system can be configured to forward its\nlogs to a particular log server by adding or correcting one of the following\nlines, substituting \\\"[loghost.example.com]\\\" appropriately. The choice of\nprotocol depends on the environment of the system; although TCP and RELP\nprovide more reliable message delivery, they may not be supported in all\nenvironments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com]\"\n\n describe file('/etc/rsyslog.conf') do\n its('content') {\n should (match %r{^\\s*\\*\\.\\*\\s+@[^@#]+}).or (match %r{^\\s*\\*\\.\\*\\s+@@[^@#]+}). or (match %r{^\\s*\\*\\.\\*\\s+:omrelp:[^@#]+})\n }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38685.rb", + "ref": "./Red Hat 6 STIG/controls/V-38521.rb", "line": 1 }, - "id": "V-38685" + "id": "V-38521" }, { - "title": "The audit system must be configured to audit user deletions of files\nand programs.", - "desc": "Auditing file deletions will create an audit trail for files that are\nremoved from the system. 
The audit trail could aid in system troubleshooting,\nas well as detecting malicious processes that attempt to delete log files to\nconceal their presence.", + "title": "All rsyslog-generated log files must be group-owned by root.", + "desc": "The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access.", "descriptions": { - "default": "Auditing file deletions will create an audit trail for files that are\nremoved from the system. The audit trail could aid in system troubleshooting,\nas well as detecting malicious processes that attempt to delete log files to\nconceal their presence." + "default": "The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. Log files should be protected from unauthorized access." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38575", - "rid": "SV-50376r4_rule", - "stig_id": "RHEL-06-000200", - "fix_id": "F-43523r4_fix", + "gtitle": "SRG-OS-000206", + "gid": "V-38519", + "rid": "SV-50320r2_rule", + "stig_id": "RHEL-06-000134", + "fix_id": "F-43466r1_fix", "cci": [ - "CCI-000172" + "CCI-001314" ], "nist": [ - "AU-12 c", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
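Review bot: The V-38521 test matches forwarding lines only in `/etc/rsyslog.conf`, so a host that forwards from a drop-in under `/etc/rsyslog.d/` (the usual place, pulled in by the default `$IncludeConfig` line) is reported as a finding, while a line still carrying the documented placeholder `*.* @[loghost.example.com]` satisfies `@[^@#]+` and passes. The regexes also accept a plain `@` (UDP) destination, which the STIG text allows but which delivers the only off-host copy of the logs unauthenticated and in cleartext; that limitation deserves a comment in the control since nothing here verifies the destination is reachable or protected. I'd extend the check over the drop-in directory and reject the placeholder, as below (Ruby, since the JSON is an export and the edit belongs in `./Red Hat 6 STIG/controls/V-38521.rb`). The control object starts in the previous hunk.

```ruby
# … unchanged: control metadata and tags …
# Forwarding may live in a drop-in; do not accept the documentation placeholder.
# NOTE: this only proves a forwarding rule exists, not that the loghost is
# reachable or that the transport (UDP/TCP/RELP) is authenticated or encrypted.
forward_re = %r{^\s*\*\.\*\s+(?:@@?|:omrelp:)(?!\[loghost\.example\.com\])[^@#\s]+}
conf_files = ['/etc/rsyslog.conf'] + command('ls /etc/rsyslog.d/*.conf 2>/dev/null').stdout.split
describe.one do
  conf_files.each do |conf|
    describe file(conf) do
      its('content') { should match forward_re }
    end
  end
end
```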
@@ -8172,30 +8221,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"rmdir\" system call, run the following command:\n\n$ sudo grep -w \"rmdir\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \"unlink\" system\ncall, run the following command:\n\n$ sudo grep -w \"unlink\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \"unlinkat\" system\ncall, run the following command:\n\n$ sudo grep -w \"unlinkat\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \"rename\" system\ncall, run the following command:\n\n$ sudo grep -w \"rename\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \"renameat\" system\ncall, run the following command:\n\n$ sudo grep -w \"renameat\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file deletion\nevents for all users and root. Add the following (or equivalent) to\n\"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate\nfor your system:\n\n-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S\nrenameat -F auid>=500 -F auid!=4294967295 -k delete\n-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S\nrenameat -F auid=0 -k delete\n\n" + "check": "The group-owner of all log files written by \"rsyslog\" should\nbe root. 
These log files are determined by the second part of each Rule line in\n\"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". To see the\ngroup-owner of a given log file, run the following command:\n\n$ ls -l [LOGFILE]\n\nSome log files referenced in /etc/rsyslog.conf may be created by other programs\nand may require exclusion from consideration.\n\nIf the group-owner is not root, this is a finding.", + "fix": "The group-owner of all log files written by \"rsyslog\" should be\nroot. These log files are determined by the second part of each Rule line in\n\"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". For each log\nfile [LOGFILE] referenced in \"/etc/rsyslog.conf\", run the following command\nto inspect the file's group owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not \"root\", run the following command to correct this:\n\n# chgrp root [LOGFILE]" }, - "code": "control \"V-38575\" do\n title \"The audit system must be configured to audit user deletions of files\nand programs.\"\n desc \"Auditing file deletions will create an audit trail for files that are\nremoved from the system. 
The audit trail could aid in system troubleshooting,\nas well as detecting malicious processes that attempt to delete log files to\nconceal their presence.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38575\"\n tag \"rid\": \"SV-50376r4_rule\"\n tag \"stig_id\": \"RHEL-06-000200\"\n tag \"fix_id\": \"F-43523r4_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"rmdir\\\" system call, run the following command:\n\n$ sudo grep -w \\\"rmdir\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \\\"unlink\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"unlink\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \\\"unlinkat\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"unlinkat\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. To\ndetermine if the system is configured to audit calls to the \\\"rename\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"rename\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line. 
To\ndetermine if the system is configured to audit calls to the \\\"renameat\\\" system\ncall, run the following command:\n\n$ sudo grep -w \\\"renameat\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file deletion\nevents for all users and root. Add the following (or equivalent) to\n\\\"/etc/audit/audit.rules\\\", setting ARCH to either b32 or b64 as appropriate\nfor your system:\n\n-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S\nrenameat -F auid>=500 -F auid!=4294967295 -k delete\n-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S\nrenameat -F auid=0 -k delete\n\n\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)rmdir(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)unlink(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)unlinkat(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)rename(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should 
match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)renameat(?:,|\\s+).*-F\\s+auid>=500\\s+-F\\s+auid!=(?:(?:-1)|(?:4294967295))\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)rmdir(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)unlink(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)unlinkat(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)rename(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)\\s+(?:-F\\s+arch=b32\\s+).*(?:,|-S\\s+)renameat(?:,|\\s+).*-F\\s+auid=0\\s+-k\\s+\\S+\\s*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38519\" do\n title \"All rsyslog-generated log files must be group-owned by root.\"\n desc \"The log files generated by rsyslog contain valuable information\nregarding system configuration, user authentication, and other such\ninformation. 
Log files should be protected from unauthorized access.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000206\"\n tag \"gid\": \"V-38519\"\n tag \"rid\": \"SV-50320r2_rule\"\n tag \"stig_id\": \"RHEL-06-000134\"\n tag \"fix_id\": \"F-43466r1_fix\"\n tag \"cci\": [\"CCI-001314\"]\n tag \"nist\": [\"SI-11 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The group-owner of all log files written by \\\"rsyslog\\\" should\nbe root. These log files are determined by the second part of each Rule line in\n\\\"/etc/rsyslog.conf\\\" and typically all appear in \\\"/var/log\\\". To see the\ngroup-owner of a given log file, run the following command:\n\n$ ls -l [LOGFILE]\n\nSome log files referenced in /etc/rsyslog.conf may be created by other programs\nand may require exclusion from consideration.\n\nIf the group-owner is not root, this is a finding.\"\n tag \"fix\": \"The group-owner of all log files written by \\\"rsyslog\\\" should be\nroot. These log files are determined by the second part of each Rule line in\n\\\"/etc/rsyslog.conf\\\" and typically all appear in \\\"/var/log\\\". For each log\nfile [LOGFILE] referenced in \\\"/etc/rsyslog.conf\\\", run the following command\nto inspect the file's group owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not \\\"root\\\", run the following command to correct this:\n\n# chgrp root [LOGFILE]\"\n\n # strip comments, empty lines, and lines which start with $ in order to get rules\n rules = file('/etc/rsyslog.conf').content.lines.map do |l|\n pound_index = l.index('#')\n l = l.slice(0, pound_index) if !pound_index.nil?\n l.strip\n end.reject { |l| l.empty? or l.start_with? 
'$' }\n\n paths = rules.map do |r|\n filter, action = r.split(%r{\\s+})\n next if !(action.start_with? '-/' or action.start_with? '/')\n action.sub(%r{^-/}, '/')\n end.reject { |path| path.nil? }\n\n if paths.empty?\n describe \"rsyslog log files\" do\n subject { paths }\n it { should be_empty }\n end\n else\n paths.each do |path|\n describe file(path) do \n its('group') { should eq 'root' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38575.rb", + "ref": "./Red Hat 6 STIG/controls/V-38519.rb", "line": 1 }, - "id": "V-38575" + "id": "V-38519" }, { - "title": "A file integrity baseline must be created.", - "desc": "For AIDE to be effective, an initial database of \"known-good\"\ninformation about files must be captured and it should be able to be verified\nagainst the installed files.", + "title": "The system must not accept IPv4 source-routed packets on any\ninterface.", + "desc": "Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required.", "descriptions": { - "default": "For AIDE to be effective, an initial database of \"known-good\"\ninformation about files must be captured and it should be able to be verified\nagainst the installed files." + "default": "Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000232", - "gid": "V-51391", - "rid": "SV-65601r1_rule", - "stig_id": "RHEL-06-000018", - "fix_id": "F-56189r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38523", + "rid": "SV-50324r2_rule", + "stig_id": "RHEL-06-000083", + "fix_id": "F-43471r1_fix", "cci": [ "CCI-000366" ], 
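Review bot: In the V-38519 code, when the parsed rules yield no file paths the control asserts `paths` `it { should be_empty }`, which always passes in that branch — so an `/etc/rsyslog.conf` whose rules live in `/etc/rsyslog.d/*.conf` (pulled in by the `$IncludeConfig` line this parser discards) is silently reported compliant instead of having its log files checked; I'd change that to `it { should_not be_empty }` or an explicit `skip` that says no file rules were found, and feed the drop-in files through the same parser. `filter, action = r.split(%r{\s+})` also assumes every surviving line has two tokens; a one-token line (for instance a RainerScript statement if rsyslog7 is in use, or a `\` continuation fragment) leaves `action` nil and `action.start_with?` raises, which a `next if action.nil?` before that test would avoid. The control object starts in the previous hunk, and since this JSON is an export the fix belongs in `./Red Hat 6 STIG/controls/V-38519.rb` with the baseline regenerated.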
@@ -8213,35 +8262,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To find the location of the AIDE database file, run the\nfollowing command:\n\n# grep DBDIR /etc/aide.conf\n\nUsing the defined values of the [DBDIR] and [database] variables, verify the\nexistence of the AIDE database file:\n\n# ls -l [DBDIR]/[database_file_name]\n\nIf there is no database file, this is a finding. ", - "fix": "Run the following command to generate a new database:\n\n# /usr/sbin/aide --init\n\nBy default, the database will be written to the file\n\"/var/lib/aide/aide.db.new.gz\". Storing the database, the configuration file\n\"/etc/aide.conf\", and the binary \"/usr/sbin/aide\" (or hashes of these\nfiles), in a secure location (such as on read-only media) provides additional\nassurance about their integrity. The newly-generated database can be installed\nas follows:\n\n# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nTo initiate a manual check, run the following command:\n\n# /usr/sbin/aide --check\n\nIf this check produces any unexpected output, investigate. " + "check": "The status of the \"net.ipv4.conf.all.accept_source_route\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_source_route\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.accept_source_route\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.accept_source_route = 0" }, - "code": "control \"V-51391\" do\n title \"A file integrity baseline must be created.\"\n desc \"For AIDE to be effective, an initial database of \\\"known-good\\\"\ninformation about files must be captured and it should be able to be verified\nagainst the installed files. \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000232\"\n tag \"gid\": \"V-51391\"\n tag \"rid\": \"SV-65601r1_rule\"\n tag \"stig_id\": \"RHEL-06-000018\"\n tag \"fix_id\": \"F-56189r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To find the location of the AIDE database file, run the\nfollowing command:\n\n# grep DBDIR /etc/aide.conf\n\nUsing the defined values of the [DBDIR] and [database] variables, verify the\nexistence of the AIDE database file:\n\n# ls -l [DBDIR]/[database_file_name]\n\nIf there is no database file, this is a finding. \"\n tag \"fix\": \"Run the following command to generate a new database:\n\n# /usr/sbin/aide --init\n\nBy default, the database will be written to the file\n\\\"/var/lib/aide/aide.db.new.gz\\\". Storing the database, the configuration file\n\\\"/etc/aide.conf\\\", and the binary \\\"/usr/sbin/aide\\\" (or hashes of these\nfiles), in a secure location (such as on read-only media) provides additional\nassurance about their integrity. 
The newly-generated database can be installed\nas follows:\n\n# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nTo initiate a manual check, run the following command:\n\n# /usr/sbin/aide --check\n\nIf this check produces any unexpected output, investigate. \"\n\n database = parse_config_file('/etc/aide.conf').params['database']\n\n if database.nil?\n describe \"aide.conf database variable\" do\n subject { nil }\n it { should_not be_nil }\n end\n else\n # find the constants which are used by the database variable\n defines = database.match('@@{([A-Z,a-z]+)}')\n if defines.nil?\n defines = []\n else\n defines = defines.captures\n end\n\n # lookup the values of the constants used by the database variable\n aide_conf_file = file('/etc/aide.conf')\n defines_map = defines.map do |d|\n define_match = aide_conf_file.content.match(\"^\\\\s*@@define\\\\s*#{d}\\\\s*(\\\\S*)\\\\s*$\")\n define_value = if define_match.nil? then nil else define_match.captures[0] end\n [d, define_value]\n end.to_h.reject { |k,v| v.nil? }\n\n # substitute the constants names in the database variable with their values\n defines_map.each { |k,v| database.gsub!(\"@@{#{k}}\", v) }\n database.gsub!(%r{^file:}, '')\n\n describe file(database) do\n it { should exist }\n it { should be_file }\n end\n end\nend\n", + "code": "control \"V-38523\" do\n title \"The system must not accept IPv4 source-routed packets on any\ninterface.\"\n desc \"Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. 
It should be disabled unless it is absolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38523\"\n tag \"rid\": \"SV-50324r2_rule\"\n tag \"stig_id\": \"RHEL-06-000083\"\n tag \"fix_id\": \"F-43471r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.accept_source_route\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_source_route\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.accept_source_route\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.accept_source_route = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.accept_source_route\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.accept_source_route\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.accept_source_route[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-51391.rb", + "ref": "./Red Hat 6 STIG/controls/V-38523.rb", "line": 1 }, - "id": "V-51391" + "id": "V-38523" }, { - "title": "The system package management tool must verify contents of all files\nassociated with packages.", - "desc": "The hash on important files like system executables should match the\ninformation given by the RPM database. Executables with erroneous hashes could\nbe a sign of nefarious activity on the system.", + "title": "The system must require administrator action to unlock an account\nlocked by excessive failed login attempts.", + "desc": "Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks. Ensuring that an administrator is\ninvolved in unlocking locked accounts draws appropriate attention to such\nsituations.", "descriptions": { - "default": "The hash on important files like system executables should match the\ninformation given by the RPM database. Executables with erroneous hashes could\nbe a sign of nefarious activity on the system." + "default": "Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks. 
Ensuring that an administrator is\ninvolved in unlocking locked accounts draws appropriate attention to such\nsituations." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38447", - "rid": "SV-50247r4_rule", - "stig_id": "RHEL-06-000519", - "fix_id": "F-43392r5_fix", + "gtitle": "SRG-OS-000022", + "gid": "V-38592", + "rid": "SV-50393r4_rule", + "stig_id": "RHEL-06-000356", + "fix_id": "F-43541r6_fix", "cci": [ - "CCI-000366" + "CCI-000047" ], "nist": [ - "CM-6 b", + "AC-7 b", "Rev_4" ], "false_negatives": null, 
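Review bot: The `/etc/sysctl.conf` assertion in the new V-38523 code, `its("content") { should match(/^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*0[\s]*$/) }`, leaves every dot unescaped so each one matches any character; the intended pattern is `net\.ipv4\.conf\.all\.accept_source_route` (or build it with `Regexp.escape`). It also makes the sysctl.conf line mandatory, whereas the check and fix text only require it when 0 is not the host's default, so a host that is compliant by the STIG wording can be reported as a finding; if the stricter reading is deliberate it should be stated in a comment above the `describe file("/etc/sysctl.conf")` block. The two `describe kernel_parameter(...)` blocks test the same resource and can be merged into one block carrying both `its("value")` expectations.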
@@ -8254,35 +8303,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will list which files on the system have\nfile hashes different from what is expected by the RPM database:\n\n# rpm -Va | awk '$1 ~ /..5/ && $2 != \"c\"'\n\nIf there is any output from the command for system binaries, verify that the\nchanges were due to STIG application and have been documented with the ISSO.\n\nIf there are changes to system binaries and they are not documented with the\nISSO, this is a finding.\n", - "fix": "The RPM package management system can check the hashes of\ninstalled software packages, including many that are important to system\nsecurity. Run the following command to list which files on the system have\nhashes that differ from what is expected by the RPM database:\n\n# rpm -Va | awk '$1 ~ /..5/ && $2 != \"c\"'\n\nIf the file that has changed was not expected to, refresh from distribution\nmedia or online repositories.\n\nrpm -Uvh [affected_package]\n\nOR\n\nyum reinstall [affected_package]\n" + "check": "To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nThe output should show \"unlock_time=\"; the largest\nacceptable value is 604800 seconds (one week).\nIf that is not the case, this is a finding.", + "fix": "To configure the system to lock out accounts after a number of\nincorrect logon attempts and require an administrator to unlock the account\nusing \"pam_faillock.so\", modify the content of both\n\"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" as follows:\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth [default=die] 
pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"ACCOUNT\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program.\nThe \"authconfig\" program should not be used." }, - "code": "control \"V-38447\" do\n title \"The system package management tool must verify contents of all files\nassociated with packages.\"\n desc \"The hash on important files like system executables should match the\ninformation given by the RPM database. Executables with erroneous hashes could\nbe a sign of nefarious activity on the system.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38447\"\n tag \"rid\": \"SV-50247r4_rule\"\n tag \"stig_id\": \"RHEL-06-000519\"\n tag \"fix_id\": \"F-43392r5_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which files on the system have\nfile hashes different from what is expected by the RPM database:\n\n# rpm -Va | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\n\nIf there is any output from the command for system binaries, verify that the\nchanges were due to STIG application and have been documented with the ISSO.\n\nIf there are changes to system binaries and they are not documented with the\nISSO, this is a finding.\n\"\n tag \"fix\": \"The RPM package management system can check the hashes of\ninstalled software packages, including many that are important to system\nsecurity. 
Run the following command to list which files on the system have\nhashes that differ from what is expected by the RPM database:\n\n# rpm -Va | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\n\nIf the file that has changed was not expected to, refresh from distribution\nmedia or online repositories.\n\nrpm -Uvh [affected_package]\n\nOR\n\nyum reinstall [affected_package]\n\"\n\n # TODO check against an exception list attribute\n describe command(\"rpm -Va | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38592\" do\n title \"The system must require administrator action to unlock an account\nlocked by excessive failed login attempts.\"\n desc \"Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks. Ensuring that an administrator is\ninvolved in unlocking locked accounts draws appropriate attention to such\nsituations.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000022\"\n tag \"gid\": \"V-38592\"\n tag \"rid\": \"SV-50393r4_rule\"\n tag \"stig_id\": \"RHEL-06-000356\"\n tag \"fix_id\": \"F-43541r6_fix\"\n tag \"cci\": [\"CCI-000047\"]\n tag \"nist\": [\"AC-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nThe output should show \\\"unlock_time=\\\"; the largest\nacceptable value is 604800 seconds (one week).\nIf that is not the case, this is a finding.\"\n tag \"fix\": \"To configure the system to lock out accounts after a number of\nincorrect logon attempts and require an 
administrator to unlock the account\nusing \\\"pam_faillock.so\\\", modify the content of both\n\\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" as follows:\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"ACCOUNT\\\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \\\"/etc/pam.d/system-auth\\\" and\n\\\"/etc/pam.d/password-auth\\\" may be overwritten by the \\\"authconfig\\\" program.\nThe \\\"authconfig\\\" program should not be used.\"\n\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*\\s+unlock_time=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_faillock_unlock_time') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*\\s+unlock_time=([0-9]+).*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*\\s+unlock_time=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_faillock_unlock_time') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*\\s+unlock_time=([0-9]+).*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 
STIG/controls/V-38447.rb", + "ref": "./Red Hat 6 STIG/controls/V-38592.rb", "line": 1 }, - "id": "V-38447" + "id": "V-38592" }, { - "title": "The system package management tool must cryptographically verify the\nauthenticity of system software packages during installation.", - "desc": "Ensuring the validity of packages' cryptographic signatures prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering.", + "title": "System logs must be rotated daily.", + "desc": "Log files that are not properly rotated run the risk of growing so\nlarge that they fill up the /var/log partition. Valuable logging information\ncould be lost if the /var/log partition becomes full.", "descriptions": { - "default": "Ensuring the validity of packages' cryptographic signatures prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering." + "default": "Log files that are not properly rotated run the risk of growing so\nlarge that they fill up the /var/log partition. Valuable logging information\ncould be lost if the /var/log partition becomes full." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000103", - "gid": "V-38483", - "rid": "SV-50283r1_rule", - "stig_id": "RHEL-06-000013", - "fix_id": "F-43429r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38624", + "rid": "SV-50425r1_rule", + "stig_id": "RHEL-06-000138", + "fix_id": "F-43573r1_fix", "cci": [ - "CCI-000663" + "CCI-000366" ], "nist": [ - "SA-7", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
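Review bot: The regex used four times in the new V-38592 code, `/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/`, accepts `sufficient` as the control flag on the `authfail` line although the fix text mandates `[default=die]`; with `sufficient` a failure returned by pam_faillock does not terminate the auth stack, so a lockout may not actually deny the login (worth confirming against pam_faillock(8) for RHEL 6), and the alternation should be narrowed to `\[default=die\]`. The code also never checks the `account required pam_faillock.so` line or the `preauth` line that the fix requires in both files, so a partial configuration passes. Separately, the check text reads `unlock_time=\"; the largest\nacceptable value is 604800`, where the STIG's `<some-large-number>` placeholder appears to have been stripped as markup, and the `cmp >= input('pam_faillock_unlock_time')` direction should be reconciled with that "largest acceptable value" wording, or the input documented as a minimum.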
@@ -8295,43 +8344,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine whether \"yum\" is configured to use \"gpgcheck\",\ninspect \"/etc/yum.conf\" and ensure the following appears in the \"[main]\"\nsection:\n\ngpgcheck=1\n\nA value of \"1\" indicates that \"gpgcheck\" is enabled. Absence of a\n\"gpgcheck\" line or a setting of \"0\" indicates that it is disabled.\nIf GPG checking is not enabled, this is a finding.\n\nIf the \"yum\" system package management tool is not used to update the system,\nverify with the SA that installed packages are cryptographically signed.", - "fix": "The \"gpgcheck\" option should be used to ensure checking of an\nRPM package's signature always occurs prior to its installation. To configure\nyum to check package signatures before installing them, ensure the following\nline appears in \"/etc/yum.conf\" in the \"[main]\" section:\n\ngpgcheck=1" + "check": "Run the following commands to determine the current status of\nthe \"logrotate\" service:\n\n# grep logrotate /var/log/cron*\n\nIf the logrotate service is not run on a daily basis by cron, this is a\nfinding.", + "fix": "The \"logrotate\" service should be installed or reinstalled if\nit is not installed and operating properly, by running the following command:\n\n# yum reinstall logrotate" }, - "code": "control \"V-38483\" do\n title \"The system package management tool must cryptographically verify the\nauthenticity of system software packages during installation.\"\n desc \"Ensuring the validity of packages' cryptographic signatures prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000103\"\n tag \"gid\": \"V-38483\"\n tag \"rid\": \"SV-50283r1_rule\"\n tag \"stig_id\": \"RHEL-06-000013\"\n tag \"fix_id\": \"F-43429r1_fix\"\n tag \"cci\": [\"CCI-000663\"]\n tag \"nist\": [\"SA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag 
\"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine whether \\\"yum\\\" is configured to use \\\"gpgcheck\\\",\ninspect \\\"/etc/yum.conf\\\" and ensure the following appears in the \\\"[main]\\\"\nsection:\n\ngpgcheck=1\n\nA value of \\\"1\\\" indicates that \\\"gpgcheck\\\" is enabled. Absence of a\n\\\"gpgcheck\\\" line or a setting of \\\"0\\\" indicates that it is disabled.\nIf GPG checking is not enabled, this is a finding.\n\nIf the \\\"yum\\\" system package management tool is not used to update the system,\nverify with the SA that installed packages are cryptographically signed.\"\n tag \"fix\": \"The \\\"gpgcheck\\\" option should be used to ensure checking of an\nRPM package's signature always occurs prior to its installation. To configure\nyum to check package signatures before installing them, ensure the following\nline appears in \\\"/etc/yum.conf\\\" in the \\\"[main]\\\" section:\n\ngpgcheck=1\"\n\n describe file(\"/etc/yum.conf\") do\n its(\"content\") { should match(/^\\s*gpgcheck\\s*=\\s*1\\s*$/) }\n end\nend\n", + "code": "control \"V-38624\" do\n title \"System logs must be rotated daily.\"\n desc \"Log files that are not properly rotated run the risk of growing so\nlarge that they fill up the /var/log partition. 
Valuable logging information\ncould be lost if the /var/log partition becomes full.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38624\"\n tag \"rid\": \"SV-50425r1_rule\"\n tag \"stig_id\": \"RHEL-06-000138\"\n tag \"fix_id\": \"F-43573r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following commands to determine the current status of\nthe \\\"logrotate\\\" service:\n\n# grep logrotate /var/log/cron*\n\nIf the logrotate service is not run on a daily basis by cron, this is a\nfinding.\"\n tag \"fix\": \"The \\\"logrotate\\\" service should be installed or reinstalled if\nit is not installed and operating properly, by running the following command:\n\n# yum reinstall logrotate\"\n\n # TODO is this too specific?\n describe bash(\"grep logrotate /var/log/cron*\") do\n its('stdout.strip') { should match %r{cron\\.daily} }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38483.rb", + "ref": "./Red Hat 6 STIG/controls/V-38624.rb", "line": 1 }, - "id": "V-38483" + "id": "V-38624" }, { - "title": "The Department of Defense (DoD) login banner must be displayed\nimmediately prior to, or as part of, console login prompts.", - "desc": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.", + "title": "The noexec option must be added to the /tmp partition.", + "desc": "Allowing users to execute binaries from world-writable directories\nsuch as \"/tmp\" should never be necessary in normal operation and can expose\nthe system to potential compromise.", "descriptions": 
{ - "default": "An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers." + "default": "Allowing users to execute binaries from world-writable directories\nsuch as \"/tmp\" should never be necessary in normal operation and can expose\nthe system to potential compromise." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000228", - "gid": "V-38593", - "rid": "SV-50394r3_rule", - "stig_id": "RHEL-06-000073", - "fix_id": "F-43540r3_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-57569", + "rid": "SV-71919r1_rule", + "stig_id": "RHEL-06-000528", + "fix_id": "F-62639r1_fix", "cci": [ - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-000381" ], "nist": [ - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 3", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
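Review bot: The new V-38624 test, `bash("grep logrotate /var/log/cron*")` matched against `cron\.daily`, depends on the cron log existing and already containing a past daily run, so a freshly built host, a host whose cron messages are sent to a different log or a remote collector, or one whose `/var/log/cron` was just rotated reports a finding although logrotate is correctly scheduled; the `# TODO is this too specific?` comment in the code flags the same concern. A more direct assertion of the requirement is `describe file('/etc/cron.daily/logrotate') do it { should exist } end` together with `describe service('crond') do it { should be_running } end`, with the log grep kept at most as a secondary signal. Note also that the shell glob `/var/log/cron*` picks up compressed rotated logs, where grep prints a "Binary file matches" line instead of the matching text.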
@@ -8344,35 +8385,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check if the system login banner is compliant, run the\nfollowing command:\n\n$ cat /etc/issue\n\n\nNote: The full text banner must be implemented unless there are character\nlimitations that prevent the display of the full DoD logon banner.\n\nIf the required DoD logon banner is not displayed, this is a finding.\n", - "fix": "To configure the system login banner:\n\nEdit \"/etc/issue\". Replace the default text with a message compliant with the\nlocal site policy or a legal disclaimer. The DoD required text is either:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\nIf the device cannot support the full DoD logon banner due to character\nlimitations, the following text can be used:\n\n\"I've read & consent to terms in IS user agreem't.\"" + "check": "To verify that binaries cannot be directly executed from the\n/tmp directory, run the following command:\n\n$ grep '\\s/tmp' /etc/fstab\n\nThe resulting output will show whether the /tmp partition has the \"noexec\"\nflag set. If the /tmp partition does not have the noexec flag set, this is a\nfinding.", + "fix": "The \"noexec\" mount option can be used to prevent binaries from\nbeing executed out of \"/tmp\". Add the \"noexec\" option to the fourth column\nof \"/etc/fstab\" for the line which controls mounting of \"/tmp\"." }, - "code": "control \"V-38593\" do\n title \"The Department of Defense (DoD) login banner must be displayed\nimmediately prior to, or as part of, console login prompts.\"\n desc \"An appropriate warning message reinforces policy awareness during the\nlogon process and facilitates possible legal action against attackers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000228\"\n tag \"gid\": \"V-38593\"\n tag \"rid\": \"SV-50394r3_rule\"\n tag \"stig_id\": \"RHEL-06-000073\"\n tag \"fix_id\": \"F-43540r3_fix\"\n tag \"cci\": [\"CCI-001384\", \"CCI-001385\", \"CCI-001386\", \"CCI-001387\",\n\"CCI-001388\"]\n tag \"nist\": [\"AC-8 c 1\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 2\", \"AC-8 c 3\",\n\"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check if the system login banner is compliant, run the\nfollowing command:\n\n$ cat /etc/issue\n\n\nNote: The full text banner must be implemented unless there are character\nlimitations that 
prevent the display of the full DoD logon banner.\n\nIf the required DoD logon banner is not displayed, this is a finding.\n\"\n tag \"fix\": \"To configure the system login banner:\n\nEdit \\\"/etc/issue\\\". Replace the default text with a message compliant with the\nlocal site policy or a legal disclaimer. The DoD required text is either:\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\\\"\n\nIf the device cannot support the full DoD logon banner due to character\nlimitations, the following text can be used:\n\n\\\"I've read & consent to terms in IS user agreem't.\\\"\"\n\n banner_text = file('/etc/issue').content.gsub(%r{[\\r\\n\\s]}, '')\n\n describe \"Banner text\" do\n subject { banner_text }\n it { should eq input('banner_text').gsub(%r{[\\r\\n\\s]}, '') }\n end\nend\n", + "code": "control \"V-57569\" do\n title \"The noexec option must be added to the /tmp partition.\"\n desc \"Allowing users to execute binaries from world-writable directories\nsuch as \\\"/tmp\\\" should never be necessary in normal operation and can expose\nthe system to potential compromise.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-57569\"\n tag \"rid\": \"SV-71919r1_rule\"\n tag \"stig_id\": \"RHEL-06-000528\"\n tag \"fix_id\": \"F-62639r1_fix\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that binaries cannot be directly executed from the\n/tmp directory, run the following command:\n\n$ grep '\\\\s/tmp' /etc/fstab\n\nThe resulting output will show whether the /tmp partition has the \\\"noexec\\\"\nflag set. If the /tmp partition does not have the noexec flag set, this is a\nfinding.\"\n tag \"fix\": \"The \\\"noexec\\\" mount option can be used to prevent binaries from\nbeing executed out of \\\"/tmp\\\". 
Add the \\\"noexec\\\" option to the fourth column\nof \\\"/etc/fstab\\\" for the line which controls mounting of \\\"/tmp\\\".\"\n \n # TODO should we check the /dev/shm directory also?\n if mount('/tmp').mounted?\n describe mount('/tmp') do\n its('options') { should include 'noexec' }\n end\n else\n describe \"/tmp partition not found\" do\n skip \"/tmp partition not found, this control must be reviewed manually\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38593.rb", + "ref": "./Red Hat 6 STIG/controls/V-57569.rb", "line": 1 }, - "id": "V-38593" + "id": "V-57569" }, { - "title": "The operating system must enforce requirements for the connection of\nmobile devices to operating systems.", - "desc": "USB storage devices such as thumb drives can be used to introduce\nunauthorized software and other vulnerabilities. Support for these devices\nshould be disabled and the devices themselves should be tightly controlled.", + "title": "The audit system must be configured to audit all attempts to alter\nsystem time through clock_settime.", + "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", "descriptions": { - "default": "USB storage devices such as thumb drives can be used to introduce\nunauthorized software and other vulnerabilities. Support for these devices\nshould be disabled and the devices themselves should be tightly controlled." + "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000273", - "gid": "V-38490", - "rid": "SV-50291r6_rule", - "stig_id": "RHEL-06-000503", - "fix_id": "F-43437r3_fix", + "gtitle": "SRG-OS-000062", + "gid": "V-38527", + "rid": "SV-50328r3_rule", + "stig_id": "RHEL-06-000171", + "fix_id": "F-43475r2_fix", "cci": [ - "CCI-000086" + "CCI-000169" ], "nist": [ - "AC-19 d", + "AU-12 a", "Rev_4" ], "false_negatives": null, 
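Review bot: The new V-57569 code asserts `noexec` only on the live mount via `mount('/tmp')`, while the STIG check and fix both refer to `/etc/fstab`, so a manual `mount -o remount,noexec /tmp` passes the control without persisting across a reboot, and an fstab entry that was never remounted is not caught either. Adding a persistent-configuration assertion next to the runtime one closes that gap, e.g. `describe etc_fstab.where(mount_point: '/tmp') do its('mount_options.flatten') { should include 'noexec' } end` (confirm the `etc_fstab` resource exists in the InSpec version this profile pins). The `skip` branch when `/tmp` is not a separate mount is a reasonable manual-review fallback, but the `# TODO should we check the /dev/shm directory also?` comment should be resolved or dropped rather than shipped; if `/dev/shm` is in scope it belongs in its own control, since this one is titled for `/tmp`.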
@@ -8385,35 +8426,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is configured to prevent the loading of the\n\"usb-storage\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"\n| grep -v \"#\"\n\nIf no line is returned, this is a finding.", - "fix": "To prevent USB storage devices from being used, configure the\nkernel module loading system to prevent automatic loading of the USB storage\ndriver. To configure the system to prevent the \"usb-storage\" kernel module\nfrom being loaded, add the following line to a file in the directory\n\"/etc/modprobe.d\":\n\ninstall usb-storage /bin/true\n\nThis will prevent the \"modprobe\" program from loading the \"usb-storage\"\nmodule, but will not prevent an administrator (or another program) from using\nthe \"insmod\" program to load the module manually." + "check": "To determine if the system is configured to audit calls to the\n\"clock_settime\" system call, run the following command:\n\n$ sudo grep -w \"clock_settime\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. 
", + "fix": "On a 32-bit system, add the following to\n\"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules\n\nOn a 64-bit system, add the following to \"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules" }, - "code": "control \"V-38490\" do\n title \"The operating system must enforce requirements for the connection of\nmobile devices to operating systems.\"\n desc \"USB storage devices such as thumb drives can be used to introduce\nunauthorized software and other vulnerabilities. Support for these devices\nshould be disabled and the devices themselves should be tightly controlled.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000273\"\n tag \"gid\": \"V-38490\"\n tag \"rid\": \"SV-50291r6_rule\"\n tag \"stig_id\": \"RHEL-06-000503\"\n tag \"fix_id\": \"F-43437r3_fix\"\n tag \"cci\": [\"CCI-000086\"]\n tag \"nist\": [\"AC-19 d\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"usb-storage\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". 
These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"\n| grep -v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"To prevent USB storage devices from being used, configure the\nkernel module loading system to prevent automatic loading of the USB storage\ndriver. To configure the system to prevent the \\\"usb-storage\\\" kernel module\nfrom being loaded, add the following line to a file in the directory\n\\\"/etc/modprobe.d\\\":\n\ninstall usb-storage /bin/true\n\nThis will prevent the \\\"modprobe\\\" program from loading the \\\"usb-storage\\\"\nmodule, but will not prevent an administrator (or another program) from using\nthe \\\"insmod\\\" program to load the module manually.\"\n\n describe kernel_module('usb-storage') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control \"V-38527\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through clock_settime.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). 
All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38527\"\n tag \"rid\": \"SV-50328r3_rule\"\n tag \"stig_id\": \"RHEL-06-000171\"\n tag \"fix_id\": \"F-43475r2_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"clock_settime\\\" system call, run the following command:\n\n$ sudo grep -w \\\"clock_settime\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. \"\n tag \"fix\": \"On a 32-bit system, add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules\n\nOn a 64-bit system, add the following to \\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. 
See an example of multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b32.*(?:-S[\\s]+|,)clock_settime(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b64.*(?:-S[\\s]+|,)clock_settime(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38490.rb", + "ref": "./Red Hat 6 STIG/controls/V-38527.rb", "line": 1 }, - "id": "V-38490" + "id": "V-38527" }, { - "title": "The SSH daemon must be configured to use only the SSHv2 protocol.", - "desc": "SSH protocol version 1 suffers from design flaws that result in\nsecurity vulnerabilities and should not be used.", + "title": "The operating system, upon successful logon, must display to the user\nthe date and time of the last logon or access via ssh.", + "desc": "Users need to be aware of activity that occurs regarding their\naccount. Providing users with information regarding the date and time of their\nlast successful login allows the user to determine if any unauthorized activity\nhas occurred and gives them an opportunity to notify administrators.\n\n At ssh login, a user must be presented with the last successful login date\nand time.", "descriptions": { - "default": "SSH protocol version 1 suffers from design flaws that result in\nsecurity vulnerabilities and should not be used." + "default": "Users need to be aware of activity that occurs regarding their\naccount. 
Providing users with information regarding the date and time of their\nlast successful login allows the user to determine if any unauthorized activity\nhas occurred and gives them an opportunity to notify administrators.\n\n At ssh login, a user must be presented with the last successful login date\nand time." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000112", - "gid": "V-38607", - "rid": "SV-50408r1_rule", - "stig_id": "RHEL-06-000227", - "fix_id": "F-43555r1_fix", + "gtitle": "SRG-OS-000025", + "gid": "V-38484", + "rid": "SV-50285r2_rule", + "stig_id": "RHEL-06-000507", + "fix_id": "F-43431r2_fix", "cci": [ - "CCI-000774" + "CCI-000052" ], "nist": [ - "IA-2 (8)", + "AC-9", "Rev_4" ], "false_negatives": null, 
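Review bot: In the new `code` string for V-38527, the `describe.one do` wraps a single `describe file(...)`, so it is equivalent to a plain describe and both the `arch=b32` and `arch=b64` rule regexes are required unconditionally, while the control's own `fix` text distinguishes 32-bit from 64-bit hosts. If requiring both ABIs on every host is intentional (a 64-bit host should audit 32-bit syscalls too), drop the wrapper and say so in a comment such as `# both b32 and b64 rules are required on every host so 32-bit callers are audited as well`; otherwise move the b32 describe inside the `describe.one` so the block expresses the either-arch intent it appears to aim for. The new `check` value also ends with a trailing space (`finding. "`), which is cosmetic but leaks into reports.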
@@ -8426,35 +8467,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check which SSH protocol version is allowed, run the\nfollowing command:\n\n# grep Protocol /etc/ssh/sshd_config\n\nIf configured properly, output should be\n\nProtocol 2\n\n\nIf it is not, this is a finding.", - "fix": "Only SSH protocol version 2 connections should be permitted. The\ndefault setting in \"/etc/ssh/sshd_config\" is correct, and can be verified by\nensuring that the following line appears:\n\nProtocol 2" + "check": "Verify the value associated with the \"PrintLastLog\" keyword\nin /etc/ssh/sshd_config:\n\n# grep -i \"^PrintLastLog\" /etc/ssh/sshd_config\n\nIf the \"PrintLastLog\" keyword is not present, this is not a finding. If the\nvalue is not set to \"yes\", this is a finding.", + "fix": "Update the \"PrintLastLog\" keyword to \"yes\" in\n/etc/ssh/sshd_config:\n\nPrintLastLog yes\n\nWhile it is acceptable to remove the keyword entirely since the default action\nfor the SSH daemon is to print the last logon date and time, it is preferred to\nhave the value explicitly documented." 
}, - "code": "control \"V-38607\" do\n title \"The SSH daemon must be configured to use only the SSHv2 protocol.\"\n desc \"SSH protocol version 1 suffers from design flaws that result in\nsecurity vulnerabilities and should not be used.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000112\"\n tag \"gid\": \"V-38607\"\n tag \"rid\": \"SV-50408r1_rule\"\n tag \"stig_id\": \"RHEL-06-000227\"\n tag \"fix_id\": \"F-43555r1_fix\"\n tag \"cci\": [\"CCI-000774\"]\n tag \"nist\": [\"IA-2 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check which SSH protocol version is allowed, run the\nfollowing command:\n\n# grep Protocol /etc/ssh/sshd_config\n\nIf configured properly, output should be\n\nProtocol 2\n\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"Only SSH protocol version 2 connections should be permitted. The\ndefault setting in \\\"/etc/ssh/sshd_config\\\" is correct, and can be verified by\nensuring that the following line appears:\n\nProtocol 2\"\n\n describe sshd_config do\n its('Protocol') { should cmp 2 }\n end\nend\n", + "code": "control \"V-38484\" do\n title \"The operating system, upon successful logon, must display to the user\nthe date and time of the last logon or access via ssh.\"\n desc \"Users need to be aware of activity that occurs regarding their\naccount. 
Providing users with information regarding the date and time of their\nlast successful login allows the user to determine if any unauthorized activity\nhas occurred and gives them an opportunity to notify administrators.\n\n At ssh login, a user must be presented with the last successful login date\nand time.\n \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000025\"\n tag \"gid\": \"V-38484\"\n tag \"rid\": \"SV-50285r2_rule\"\n tag \"stig_id\": \"RHEL-06-000507\"\n tag \"fix_id\": \"F-43431r2_fix\"\n tag \"cci\": [\"CCI-000052\"]\n tag \"nist\": [\"AC-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the value associated with the \\\"PrintLastLog\\\" keyword\nin /etc/ssh/sshd_config:\n\n# grep -i \\\"^PrintLastLog\\\" /etc/ssh/sshd_config\n\nIf the \\\"PrintLastLog\\\" keyword is not present, this is not a finding. 
If the\nvalue is not set to \\\"yes\\\", this is a finding.\"\n tag \"fix\": \"Update the \\\"PrintLastLog\\\" keyword to \\\"yes\\\" in\n/etc/ssh/sshd_config:\n\nPrintLastLog yes\n\nWhile it is acceptable to remove the keyword entirely since the default action\nfor the SSH daemon is to print the last logon date and time, it is preferred to\nhave the value explicitly documented.\"\n\n describe sshd_config do\n its('PrintLastLog') { should be_nil.or eq 'yes' }\n end \nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38607.rb", + "ref": "./Red Hat 6 STIG/controls/V-38484.rb", "line": 1 }, - "id": "V-38607" + "id": "V-38484" }, { - "title": "Emergency accounts must be provisioned with an expiration date.\n", - "desc": "When emergency accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. Account\nexpiration greatly reduces the risk of accounts being misused or hijacked.", + "title": "The system must use a Linux Security Module configured to limit the\nprivileges of system services.", + "desc": "Setting the SELinux policy to \"targeted\" or a more specialized\npolicy ensures the system will confine processes that are likely to be targeted\nfor exploitation, such as network or system services.", "descriptions": { - "default": "When emergency accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. Account\nexpiration greatly reduces the risk of accounts being misused or hijacked." + "default": "Setting the SELinux policy to \"targeted\" or a more specialized\npolicy ensures the system will confine processes that are likely to be targeted\nfor exploitation, such as network or system services." 
}, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000123", - "gid": "V-38690", - "rid": "SV-50491r1_rule", - "stig_id": "RHEL-06-000298", - "fix_id": "F-43639r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-51369", + "rid": "SV-65579r1_rule", + "stig_id": "RHEL-06-000023", + "fix_id": "F-56171r1_fix", "cci": [ - "CCI-001682" + "CCI-000366" ], "nist": [ - "AC-2 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
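Review bot: The V-38484 `code` string carries stray whitespace that the sibling fields do not: the `desc` heredoc ends with `\n ` before its closing quote, so it no longer matches the top-level `desc` value, and the final `end \nend` has a trailing space after `end`. Trim both so the embedded control text and the JSON `desc`/`descriptions.default` fields stay byte-identical, since consumers of this baseline may compare them. The assertion `its('PrintLastLog') { should be_nil.or eq 'yes' }` matches the check text (absent keyword is not a finding), but it presumably also passes when `/etc/ssh/sshd_config` cannot be read at all, so a short comment stating that the absent case is deliberately accepted would help the next reader.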
@@ -8467,35 +8508,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "For every emergency account, run the following command to\nobtain its account aging and expiration information:\n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented.\nIf any emergency accounts have no expiration date set or do not expire within a\ndocumented time frame, this is a finding.", - "fix": "In the event emergency accounts are required, configure the\nsystem to terminate them after a documented time period. For every emergency\naccount, run the following command to set an expiration date on it,\nsubstituting \"[USER]\" and \"[YYYY-MM-DD]\" appropriately:\n\n# chage -E [YYYY-MM-DD] [USER]\n\n\"[YYYY-MM-DD]\" indicates the documented expiration date for the account." + "check": "Check the file \"/etc/selinux/config\" and ensure the following\nline appears:\n\nSELINUXTYPE=targeted\n\nIf it does not, this is a finding. ", + "fix": "The SELinux \"targeted\" policy is appropriate for\ngeneral-purpose desktops and servers, as well as systems in many other roles.\nTo configure the system to use this policy, add or correct the following line\nin \"/etc/selinux/config\":\n\nSELINUXTYPE=targeted\n\nOther policies, such as \"mls\", provide additional security labeling and\ngreater confinement but are not compatible with many general-purpose use cases.\n" }, - "code": "control \"V-38690\" do\n title \"Emergency accounts must be provisioned with an expiration date.\n\"\n desc \"When emergency accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. 
Account\nexpiration greatly reduces the risk of accounts being misused or hijacked.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000123\"\n tag \"gid\": \"V-38690\"\n tag \"rid\": \"SV-50491r1_rule\"\n tag \"stig_id\": \"RHEL-06-000298\"\n tag \"fix_id\": \"F-43639r1_fix\"\n tag \"cci\": [\"CCI-001682\"]\n tag \"nist\": [\"AC-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"For every emergency account, run the following command to\nobtain its account aging and expiration information:\n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented.\nIf any emergency accounts have no expiration date set or do not expire within a\ndocumented time frame, this is a finding.\"\n tag \"fix\": \"In the event emergency accounts are required, configure the\nsystem to terminate them after a documented time period. 
For every emergency\naccount, run the following command to set an expiration date on it,\nsubstituting \\\"[USER]\\\" and \\\"[YYYY-MM-DD]\\\" appropriately:\n\n# chage -E [YYYY-MM-DD] [USER]\n\n\\\"[YYYY-MM-DD]\\\" indicates the documented expiration date for the account.\"\n\n emergency_accounts = input('emergency_accounts')\n\n if emergency_accounts.empty?\n describe \"Emergency accounts\" do\n it { should_be empty }\n end\n else\n emergency_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match %r{:\\s*never} }\n end\n end\n\n emergency_accounts.each do |acct|\n describe shadow.users(acct) do\n its('max_days.first.to_i') { should cmp <= input('emergency_accounts_expiration_days') }\n end\n end\n end\nend\n", + "code": "control \"V-51369\" do\n title \"The system must use a Linux Security Module configured to limit the\nprivileges of system services.\"\n desc \"Setting the SELinux policy to \\\"targeted\\\" or a more specialized\npolicy ensures the system will confine processes that are likely to be targeted\nfor exploitation, such as network or system services. \"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51369\"\n tag \"rid\": \"SV-65579r1_rule\"\n tag \"stig_id\": \"RHEL-06-000023\"\n tag \"fix_id\": \"F-56171r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check the file \\\"/etc/selinux/config\\\" and ensure the following\nline appears:\n\nSELINUXTYPE=targeted\n\nIf it does not, this is a finding. 
\"\n tag \"fix\": \"The SELinux \\\"targeted\\\" policy is appropriate for\ngeneral-purpose desktops and servers, as well as systems in many other roles.\nTo configure the system to use this policy, add or correct the following line\nin \\\"/etc/selinux/config\\\":\n\nSELINUXTYPE=targeted\n\nOther policies, such as \\\"mls\\\", provide additional security labeling and\ngreater confinement but are not compatible with many general-purpose use cases.\n\"\n\n describe file(\"/etc/selinux/config\") do\n its(\"content\") { should match(/^[\\s]*SELINUXTYPE[\\s]*=[\\s]*([^\\s]*)/) }\n end\n file(\"/etc/selinux/config\").content.to_s.scan(/^[\\s]*SELINUXTYPE[\\s]*=[\\s]*([^\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"targeted\" }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38690.rb", + "ref": "./Red Hat 6 STIG/controls/V-51369.rb", "line": 1 }, - "id": "V-38690" + "id": "V-51369" }, { - "title": "The audit system must be configured to audit all attempts to alter\nsystem time through clock_settime.", - "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.", + "title": "All device files must be monitored by the system Linux Security\nModule.", + "desc": "If a device file carries the SELinux type \"unlabeled_t\", then\nSELinux cannot properly restrict access to the device file.", "descriptions": { - "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." + "default": "If a device file carries the SELinux type \"unlabeled_t\", then\nSELinux cannot properly restrict access to the device file." 
}, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000062", - "gid": "V-38527", - "rid": "SV-50328r3_rule", - "stig_id": "RHEL-06-000171", - "fix_id": "F-43475r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-51379", + "rid": "SV-65589r1_rule", + "stig_id": "RHEL-06-000025", + "fix_id": "F-56179r1_fix", "cci": [ - "CCI-000169" + "CCI-000366" ], "nist": [ - "AU-12 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
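Review bot: In the V-51369 `code` string the per-match block requires `it { should eq "targeted" }`, while the control's `desc` says "targeted or a more specialized policy"; a host running `mls` is therefore reported as a finding even though the description deems it acceptable. The strict test is consistent with the `check` text, so the mismatch is in the documentation rather than the logic, but it deserves a comment above the `.scan` loop: `# The STIG check text requires exactly "targeted"; stricter policies such as "mls" are reported as findings here`. The `desc` in the code also ends with `services. "` (trailing space), which again diverges from the JSON `desc` field.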
@@ -8508,35 +8549,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"clock_settime\" system call, run the following command:\n\n$ sudo grep -w \"clock_settime\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. ", - "fix": "On a 32-bit system, add the following to\n\"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules\n\nOn a 64-bit system, add the following to \"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules" + "check": "To check for unlabeled device files, run the following command:\n\n# ls -RZ /dev | grep unlabeled_t\n\nIt should produce no output in a well-configured system.\n\nIf there is output, this is a finding. ", + "fix": "Device files, which are used for communication with important\nsystem resources, should be labeled with proper SELinux types. If any device\nfiles carry the SELinux type \"unlabeled_t\", investigate the cause and correct\nthe file's context. 
" }, - "code": "control \"V-38527\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through clock_settime.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38527\"\n tag \"rid\": \"SV-50328r3_rule\"\n tag \"stig_id\": \"RHEL-06-000171\"\n tag \"fix_id\": \"F-43475r2_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"clock_settime\\\" system call, run the following command:\n\n$ sudo grep -w \\\"clock_settime\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. \"\n tag \"fix\": \"On a 32-bit system, add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules\n\nOn a 64-bit system, add the following to \\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. 
See an example of multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b32.*(?:-S[\\s]+|,)clock_settime(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b64.*(?:-S[\\s]+|,)clock_settime(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n end\nend\n", + "code": "control \"V-51379\" do\n title \"All device files must be monitored by the system Linux Security\nModule.\"\n desc \"If a device file carries the SELinux type \\\"unlabeled_t\\\", then\nSELinux cannot properly restrict access to the device file. \"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51379\"\n tag \"rid\": \"SV-65589r1_rule\"\n tag \"stig_id\": \"RHEL-06-000025\"\n tag \"fix_id\": \"F-56179r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check for unlabeled device files, run the following command:\n\n# ls -RZ /dev | grep unlabeled_t\n\nIt should produce no output in a well-configured system.\n\nIf there is output, this is a finding. \"\n tag \"fix\": \"Device files, which are used for communication with important\nsystem resources, should be labeled with proper SELinux types. If any device\nfiles carry the SELinux type \\\"unlabeled_t\\\", investigate the cause and correct\nthe file's context. 
\"\n\n describe command(\"ls -RZ /dev | grep unlabeled_t\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38527.rb", + "ref": "./Red Hat 6 STIG/controls/V-51379.rb", "line": 1 }, - "id": "V-38527" + "id": "V-51379" }, { - "title": "The /etc/passwd file must have mode 0644 or less permissive.", - "desc": "If the \"/etc/passwd\" file is writable by a group-owner or the world\nthe risk of its compromise is increased. The file contains the list of accounts\non the system and associated information, and protection of this file is\ncritical for system security.", + "title": "Audit log directories must have mode 0755 or less permissive.", + "desc": "If users can delete audit logs, audit trails can be modified or\ndestroyed.", "descriptions": { - "default": "If the \"/etc/passwd\" file is writable by a group-owner or the world\nthe risk of its compromise is increased. The file contains the list of accounts\non the system and associated information, and protection of this file is\ncritical for system security." + "default": "If users can delete audit logs, audit trails can be modified or\ndestroyed." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38457", - "rid": "SV-50257r1_rule", - "stig_id": "RHEL-06-000041", - "fix_id": "F-43397r1_fix", + "gtitle": "SRG-OS-000059", + "gid": "V-38493", + "rid": "SV-50294r1_rule", + "stig_id": "RHEL-06-000385", + "fix_id": "F-43440r1_fix", "cci": [ - "CCI-000366" + "CCI-000164" ], "nist": [ - "CM-6 b", + "AU-9", "Rev_4" ], "false_negatives": null, 
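Review bot: The V-51379 `code` string asserts only `its('stdout.strip') { should be_empty }` on `ls -RZ /dev | grep unlabeled_t`, which passes vacuously whenever the pipeline produces nothing for the wrong reason, for example `/dev` being unreadable or SELinux being disabled so no type labels are printed. Add `its('stderr') { should be_empty }` to the same describe so a failing `ls` is surfaced rather than silently counted as compliant, and consider gating the control on SELinux being enabled, as the description's "SELinux cannot properly restrict access" only holds when it is. A one-line comment noting that `grep` exiting 1 on no match is expected, so `exit_status` is deliberately not asserted, would also prevent a later reviewer from adding that check.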
@@ -8549,30 +8590,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the permissions of \"/etc/passwd\", run the command:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following permissions:\n\"-rw-r--r--\"\nIf it does not, this is a finding.", - "fix": "To properly set the permissions of \"/etc/passwd\", run the\ncommand:\n\n# chmod 0644 /etc/passwd" + "check": "Run the following command to check the mode of the system audit\ndirectories:\n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n\n\nAudit directories must be mode 0755 or less permissive.\nIf any are more permissive, this is a finding.", + "fix": "Change the mode of the audit log directories with the following\ncommand:\n\n# chmod go-w [audit_directory]" }, - "code": "control \"V-38457\" do\n title \"The /etc/passwd file must have mode 0644 or less permissive.\"\n desc \"If the \\\"/etc/passwd\\\" file is writable by a group-owner or the world\nthe risk of its compromise is increased. 
The file contains the list of accounts\non the system and associated information, and protection of this file is\ncritical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38457\"\n tag \"rid\": \"SV-50257r1_rule\"\n tag \"stig_id\": \"RHEL-06-000041\"\n tag \"fix_id\": \"F-43397r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/etc/passwd\\\", run the command:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following permissions:\n\\\"-rw-r--r--\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the permissions of \\\"/etc/passwd\\\", run the\ncommand:\n\n# chmod 0644 /etc/passwd\"\n\n describe file(\"/etc/passwd\") do\n it { should exist }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/etc/passwd\") do\n it { should be_readable.by \"group\" }\n end\n describe file(\"/etc/passwd\") do\n its(\"gid\") { should cmp 0 }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/etc/passwd\") do\n it { should be_readable.by \"other\" }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_setgid }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_sticky }\n end\n describe file(\"/etc/passwd\") do\n it { should_not be_setuid }\n end\n describe file(\"/etc/passwd\") 
do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/etc/passwd\") do\n it { should be_readable.by \"owner\" }\n end\n describe file(\"/etc/passwd\") do\n its(\"uid\") { should cmp 0 }\n end\n describe file(\"/etc/passwd\") do\n it { should be_writable.by \"owner\" }\n end\nend\n", + "code": "control \"V-38493\" do\n title \"Audit log directories must have mode 0755 or less permissive.\"\n desc \"If users can delete audit logs, audit trails can be modified or\ndestroyed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000059\"\n tag \"gid\": \"V-38493\"\n tag \"rid\": \"SV-50294r1_rule\"\n tag \"stig_id\": \"RHEL-06-000385\"\n tag \"fix_id\": \"F-43440r1_fix\"\n tag \"cci\": [\"CCI-000164\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check the mode of the system audit\ndirectories:\n\ngrep \\\"^log_file\\\" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n\n\nAudit directories must be mode 0755 or less permissive.\nIf any are more permissive, this is a finding.\"\n tag \"fix\": \"Change the mode of the audit log directories with the following\ncommand:\n\n# chmod go-w [audit_directory]\"\n\n log_file = command(\"grep \\\"^log_file\\\" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'\").stdout.strip\n describe file(log_file) do\n it { should exist }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('others') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38457.rb", + "ref": "./Red Hat 6 STIG/controls/V-38493.rb", "line": 1 }, - "id": "V-38457" + "id": "V-38493" }, { - "title": "The Red Hat Network Service (rhnsd) 
service must not be running,\nunless using RHN or an RHN Satellite.", - "desc": "Although systems management and patching is extremely important to\nsystem security, management by a system outside the enterprise enclave is not\ndesirable for some environments. However, if the system is being managed by RHN\nor RHN Satellite Server the \"rhnsd\" daemon can remain on.", + "title": "The rdisc service must not be running.", + "desc": "General-purpose systems typically have their network and routing\ninformation configured statically by a system administrator. Workstations or\nsome special-purpose systems often use DHCP (instead of IRDP) to retrieve\ndynamic network configuration information.", "descriptions": { - "default": "Although systems management and patching is extremely important to\nsystem security, management by a system outside the enterprise enclave is not\ndesirable for some environments. However, if the system is being managed by RHN\nor RHN Satellite Server the \"rhnsd\" daemon can remain on." + "default": "General-purpose systems typically have their network and routing\ninformation configured statically by a system administrator. Workstations or\nsome special-purpose systems often use DHCP (instead of IRDP) to retrieve\ndynamic network configuration information." }, "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-000096", - "gid": "V-38478", - "rid": "SV-50278r2_rule", - "stig_id": "RHEL-06-000009", - "fix_id": "F-43423r2_fix", + "gid": "V-38650", + "rid": "SV-50451r2_rule", + "stig_id": "RHEL-06-000268", + "fix_id": "F-43599r2_fix", "cci": [ "CCI-000382" ], 
@@ -8590,35 +8631,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system uses RHN or an RHN Satellite, this is not\napplicable.\n\nTo check that the \"rhnsd\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \"rhnsd\" --list\n\nOutput should indicate the \"rhnsd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"rhnsd\" --list\n\"rhnsd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"rhnsd\" is disabled through current\nruntime configuration:\n\n# service rhnsd status\n\nIf the service is disabled the command will return the following output:\n\nrhnsd is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The Red Hat Network service automatically queries Red Hat Network\nservers to determine whether there are any actions that should be executed,\nsuch as package updates. This only occurs if the system was registered to an\nRHN server or satellite and managed as such. 
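Review bot: The new V-38493 code derives `log_file` from `grep "^log_file" /etc/audit/auditd.conf`, so when auditd.conf carries no explicit `log_file` line the variable is an empty string and the control ends up describing `file("")` rather than auditd's default log directory; a guard such as `log_file = '/var/log/audit' if log_file.empty?` before the describe block would keep the check meaningful. The matchers also only reject group/other write, which is weaker than the "0755 or less permissive" wording of the title (a setgid or sticky bit on the directory passes), so comparing the directory's mode value directly would match the control text better. Because this JSON is an InSpec export, the fix belongs in the referenced `./Red Hat 6 STIG/controls/V-38493.rb` and the profile should then be re-exported.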
The \"rhnsd\" service can be\ndisabled with the following commands:\n\n# chkconfig rhnsd off\n# service rhnsd stop" + "check": "To check that the \"rdisc\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"rdisc\" --list\n\nOutput should indicate the \"rdisc\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"rdisc\" --list\n\"rdisc\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"rdisc\" is disabled through current\nruntime configuration:\n\n# service rdisc status\n\nIf the service is disabled the command will return the following output:\n\nrdisc is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The \"rdisc\" service implements the client side of the ICMP\nInternet Router Discovery Protocol (IRDP), which allows discovery of routers on\nthe local subnet. If a router is discovered then the local routing table is\nupdated with a corresponding default route. By default this daemon is disabled.\nThe \"rdisc\" service can be disabled with the following commands:\n\n# chkconfig rdisc off\n# service rdisc stop" }, - "code": "control \"V-38478\" do\n title \"The Red Hat Network Service (rhnsd) service must not be running,\nunless using RHN or an RHN Satellite.\"\n desc \"Although systems management and patching is extremely important to\nsystem security, management by a system outside the enterprise enclave is not\ndesirable for some environments. 
However, if the system is being managed by RHN\nor RHN Satellite Server the \\\"rhnsd\\\" daemon can remain on.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38478\"\n tag \"rid\": \"SV-50278r2_rule\"\n tag \"stig_id\": \"RHEL-06-000009\"\n tag \"fix_id\": \"F-43423r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system uses RHN or an RHN Satellite, this is not\napplicable.\n\nTo check that the \\\"rhnsd\\\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \\\"rhnsd\\\" --list\n\nOutput should indicate the \\\"rhnsd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"rhnsd\\\" --list\n\\\"rhnsd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"rhnsd\\\" is disabled through current\nruntime configuration:\n\n# service rhnsd status\n\nIf the service is disabled the command will return the following output:\n\nrhnsd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The Red Hat Network service automatically queries Red Hat Network\nservers to determine whether there are any actions that should be executed,\nsuch as package updates. This only occurs if the system was registered to an\nRHN server or satellite and managed as such. 
The \\\"rhnsd\\\" service can be\ndisabled with the following commands:\n\n# chkconfig rhnsd off\n# service rhnsd stop\"\n\n describe service(\"rhnsd\") do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n", + "code": "control \"V-38650\" do\n title \"The rdisc service must not be running.\"\n desc \"General-purpose systems typically have their network and routing\ninformation configured statically by a system administrator. Workstations or\nsome special-purpose systems often use DHCP (instead of IRDP) to retrieve\ndynamic network configuration information.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38650\"\n tag \"rid\": \"SV-50451r2_rule\"\n tag \"stig_id\": \"RHEL-06-000268\"\n tag \"fix_id\": \"F-43599r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"rdisc\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"rdisc\\\" --list\n\nOutput should indicate the \\\"rdisc\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"rdisc\\\" --list\n\\\"rdisc\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"rdisc\\\" is disabled through current\nruntime configuration:\n\n# service rdisc status\n\nIf the service is disabled the command will return the following output:\n\nrdisc is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"rdisc\\\" service implements the client side of the ICMP\nInternet Router Discovery Protocol (IRDP), which allows 
discovery of routers on\nthe local subnet. If a router is discovered then the local routing table is\nupdated with a corresponding default route. By default this daemon is disabled.\nThe \\\"rdisc\\\" service can be disabled with the following commands:\n\n# chkconfig rdisc off\n# service rdisc stop\"\n\n describe.one do\n describe package(\"iputils\") do\n it { should_not be_installed }\n end\n describe service(\"rdisc\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38478.rb", + "ref": "./Red Hat 6 STIG/controls/V-38650.rb", "line": 1 }, - "id": "V-38478" + "id": "V-38650" }, { - "title": "There must be no world-writable files on the system.", - "desc": "Data in world-writable files can be modified by any user on the\nsystem. In almost all circumstances, files can be configured using a\ncombination of user and group permissions to support whatever legitimate access\nis needed without the risk caused by world-writable files.", + "title": "The system must require passwords to contain a minimum of 15\ncharacters.", + "desc": "Requiring a minimum password length makes password cracking attacks\nmore difficult by ensuring a larger search space. 
However, any security benefit\nfrom an onerous requirement must be carefully weighed against usability\nproblems, support costs, or counterproductive behavior that may result.\n\n While it does not negate the password length requirement, it is preferable\nto migrate from a password-based authentication scheme to a stronger one based\non PKI (public key infrastructure).", "descriptions": { - "default": "Data in world-writable files can be modified by any user on the\nsystem. In almost all circumstances, files can be configured using a\ncombination of user and group permissions to support whatever legitimate access\nis needed without the risk caused by world-writable files." + "default": "Requiring a minimum password length makes password cracking attacks\nmore difficult by ensuring a larger search space. However, any security benefit\nfrom an onerous requirement must be carefully weighed against usability\nproblems, support costs, or counterproductive behavior that may result.\n\n While it does not negate the password length requirement, it is preferable\nto migrate from a password-based authentication scheme to a stronger one based\non PKI (public key infrastructure)." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38643", - "rid": "SV-50444r3_rule", - "stig_id": "RHEL-06-000282", - "fix_id": "F-43591r1_fix", + "gtitle": "SRG-OS-000078", + "gid": "V-38475", + "rid": "SV-50275r3_rule", + "stig_id": "RHEL-06-000050", + "fix_id": "F-43419r3_fix", "cci": [ - "CCI-000366" + "CCI-000205" ], "nist": [ - "CM-6 b", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
@@ -8631,35 +8672,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To find world-writable files, run the following command for\neach local partition [PART], excluding special filesystems such as /selinux,\n/proc, or /sys:\n\n# find [PART] -xdev -type f -perm -002\n\nIf there is output, this is a finding.", - "fix": "It is generally a good idea to remove global (other) write access\nto a file when it is discovered. However, check with documentation for specific\napplications before making changes. Also, monitor for recurring world-writable\nfiles, as these may be symptoms of a misconfigured application or user account." + "check": "To check the minimum password length, run the command:\n\n$ grep PASS_MIN_LEN /etc/login.defs\n\nThe DoD requirement is \"15\".\n\nIf it is not set to the required value, this is a finding.\n\n$ grep –E 'pam_cracklib.so.*minlen' /etc/pam.d/*\n\nIf no results are returned, this is not a finding.\n\nIf any results are returned and are not set to \"15\" or greater, this is a\nfinding.\n", + "fix": "To specify password length requirements for new accounts, edit\nthe file \"/etc/login.defs\" and add or correct the following lines:\n\nPASS_MIN_LEN 15\n\nThe DoD requirement is \"15\". If a program consults \"/etc/login.defs\" and\nalso another PAM module (such as \"pam_cracklib\") during a password change\noperation, then the most restrictive must be satisfied." }, - "code": "control \"V-38643\" do\n title \"There must be no world-writable files on the system.\"\n desc \"Data in world-writable files can be modified by any user on the\nsystem. 
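Review bot: The seven `its("runlevels(?-mix:N)") { should be_enabled }` matchers in the new V-38650 code appear to assert that rdisc is enabled at every runlevel, which is the opposite of the control's "must not be running" requirement, so on a host where iputils is installed (the other `describe.one` branch) a correctly disabled service would seem to produce a finding; the `(?-mix:…)` spelling also suggests these matchers were machine-generated rather than reviewed. Replacing them with `it { should_not be_enabled }` and `it { should_not be_running }` on `service("rdisc")` follows the check text, which verifies runtime status as well as boot configuration, and mirrors the pattern the old V-38478 code used. As this file is an export, the change belongs in the referenced `./Red Hat 6 STIG/controls/V-38650.rb` followed by a re-export.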
In almost all circumstances, files can be configured using a\ncombination of user and group permissions to support whatever legitimate access\nis needed without the risk caused by world-writable files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38643\"\n tag \"rid\": \"SV-50444r3_rule\"\n tag \"stig_id\": \"RHEL-06-000282\"\n tag \"fix_id\": \"F-43591r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To find world-writable files, run the following command for\neach local partition [PART], excluding special filesystems such as /selinux,\n/proc, or /sys:\n\n# find [PART] -xdev -type f -perm -002\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"It is generally a good idea to remove global (other) write access\nto a file when it is discovered. However, check with documentation for specific\napplications before making changes. Also, monitor for recurring world-writable\nfiles, as these may be symptoms of a misconfigured application or user account.\"\n\n files = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type f -perm -002 -print))\n describe \"World-writable files\" do\n subject { files.stdout.strip.split(\"\\n\") }\n it { should be_empty }\n end\nend\n", + "code": "control \"V-38475\" do\n title \"The system must require passwords to contain a minimum of 15\ncharacters.\"\n desc \"Requiring a minimum password length makes password cracking attacks\nmore difficult by ensuring a larger search space. 
However, any security benefit\nfrom an onerous requirement must be carefully weighed against usability\nproblems, support costs, or counterproductive behavior that may result.\n\n While it does not negate the password length requirement, it is preferable\nto migrate from a password-based authentication scheme to a stronger one based\non PKI (public key infrastructure).\n \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000078\"\n tag \"gid\": \"V-38475\"\n tag \"rid\": \"SV-50275r3_rule\"\n tag \"stig_id\": \"RHEL-06-000050\"\n tag \"fix_id\": \"F-43419r3_fix\"\n tag \"cci\": [\"CCI-000205\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the minimum password length, run the command:\n\n$ grep PASS_MIN_LEN /etc/login.defs\n\nThe DoD requirement is \\\"15\\\".\n\nIf it is not set to the required value, this is a finding.\n\n$ grep –E 'pam_cracklib.so.*minlen' /etc/pam.d/*\n\nIf no results are returned, this is not a finding.\n\nIf any results are returned and are not set to \\\"15\\\" or greater, this is a\nfinding.\n\"\n tag \"fix\": \"To specify password length requirements for new accounts, edit\nthe file \\\"/etc/login.defs\\\" and add or correct the following lines:\n\nPASS_MIN_LEN 15\n\nThe DoD requirement is \\\"15\\\". 
If a program consults \\\"/etc/login.defs\\\" and\nalso another PAM module (such as \\\"pam_cracklib\\\") during a password change\noperation, then the most restrictive must be satisfied.\"\n\n describe file(\"/etc/login.defs\") do\n its(\"content\") { should match(/^PASS_MIN_LEN\\s+(\\d+)\\s*$/) }\n end\n file(\"/etc/login.defs\").content.to_s.scan(/^PASS_MIN_LEN\\s+(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 15 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38643.rb", + "ref": "./Red Hat 6 STIG/controls/V-38475.rb", "line": 1 }, - "id": "V-38643" + "id": "V-38475" }, { - "title": "Vendor-provided cryptographic certificates must be installed to verify\nthe integrity of system software.", - "desc": "The Red Hat GPG keys are necessary to cryptographically verify\npackages are from Red Hat.", + "title": "The sudo command must require authentication.", + "desc": "The \"sudo\" command allows authorized users to run programs\n(including shells) as other users, system users, and root. The \"/etc/sudoers\"\nfile is used to configure authorized \"sudo\" users as well as the programs\nthey are allowed to run. Some configuration options in the \"/etc/sudoers\"\nfile allow configured users to run programs without re-authenticating. Use of\nthese configuration options makes it easier for one compromised account to be\nused to compromise other accounts.", "descriptions": { - "default": "The Red Hat GPG keys are necessary to cryptographically verify\npackages are from Red Hat." + "default": "The \"sudo\" command allows authorized users to run programs\n(including shells) as other users, system users, and root. The \"/etc/sudoers\"\nfile is used to configure authorized \"sudo\" users as well as the programs\nthey are allowed to run. Some configuration options in the \"/etc/sudoers\"\nfile allow configured users to run programs without re-authenticating. 
Use of\nthese configuration options makes it easier for one compromised account to be\nused to compromise other accounts." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000090", - "gid": "V-38476", - "rid": "SV-50276r3_rule", - "stig_id": "RHEL-06-000008", - "fix_id": "F-43421r3_fix", + "gtitle": "SRG-OS-000373", + "gid": "V-58901", + "rid": "SV-73331r2_rule", + "stig_id": "RHEL-06-000529", + "fix_id": "F-64285r1_fix", "cci": [ - "CCI-000352" + "CCI-002038" ], "nist": [ - "CM-5 (3)", + "IA-11", "Rev_4" ], "false_negatives": null, 
@@ -8672,35 +8713,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure that the GPG keys are installed, run:\n\n$ rpm -q gpg-pubkey\n\nThe command should return the strings below:\n\ngpg-pubkey-fd431d51-4ae0493b\ngpg-pubkey-2fa658e0-45700c69\n\nIf the Red Hat GPG Keys are not installed, this is a finding.", - "fix": "To ensure the system can cryptographically verify base software\npackages come from Red Hat (and to connect to the Red Hat Network to receive\nthem), the Red Hat GPG keys must be installed properly. To install the Red Hat\nGPG keys, run:\n\n# rhn_register\n\nIf the system is not connected to the Internet or an RHN Satellite, then\ninstall the Red Hat GPG keys from trusted media such as the Red Hat\ninstallation CD-ROM or DVD. Assuming the disc is mounted in \"/media/cdrom\",\nuse the following command as the root user to import them into the keyring:\n\n# rpm --import /media/cdrom/RPM-GPG-KEY" + "check": "If passwords are not being used for authentication, this is Not\nApplicable.\n\nVerify neither the \"NOPASSWD\" option nor the \"!authenticate\" option is\nconfigured for use in \"/etc/sudoers\" and associated files. 
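Review bot: The new V-38475 code only evaluates `PASS_MIN_LEN` in /etc/login.defs, while the control's own check text also requires any `pam_cracklib.so … minlen` setting under /etc/pam.d to be 15 or greater, so a lower pam_cracklib `minlen` would pass this control unnoticed; a second describe over `command("grep -E 'pam_cracklib.so.*minlen' /etc/pam.d/*")` that parses the `minlen` value (empty output is not a finding per the check text) would close that gap. The check text also carries an en dash in `grep –E`, inherited from the STIG wording, which fails if pasted into a shell; `grep -E` is what is meant. Both points should be addressed in the referenced `./Red Hat 6 STIG/controls/V-38475.rb` and the profile re-exported.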
Note that the\n\"#include\" and \"#includedir\" directives may be used to include\nconfiguration data from locations other than the defaults enumerated here.\n\n# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*\n# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*\n\nIf the \"NOPASSWD\" or \"!authenticate\" options are configured for use in\n\"/etc/sudoers\" or associated files, this is a finding.", + "fix": "Update the \"/etc/sudoers\" or other sudo configuration files to\nremove or comment out lines utilizing the \"NOPASSWD\" and \"!authenticate\"\noptions.\n\n# visudo\n# visudo -f [other sudo configuration file]" }, - "code": "control \"V-38476\" do\n title \"Vendor-provided cryptographic certificates must be installed to verify\nthe integrity of system software.\"\n desc \"The Red Hat GPG keys are necessary to cryptographically verify\npackages are from Red Hat. \"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000090\"\n tag \"gid\": \"V-38476\"\n tag \"rid\": \"SV-50276r3_rule\"\n tag \"stig_id\": \"RHEL-06-000008\"\n tag \"fix_id\": \"F-43421r3_fix\"\n tag \"cci\": [\"CCI-000352\"]\n tag \"nist\": [\"CM-5 (3)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure that the GPG keys are installed, run:\n\n$ rpm -q gpg-pubkey\n\nThe command should return the strings below:\n\ngpg-pubkey-fd431d51-4ae0493b\ngpg-pubkey-2fa658e0-45700c69\n\nIf the Red Hat GPG Keys are not installed, this is a finding.\"\n tag \"fix\": \"To ensure the system can cryptographically verify base software\npackages come from Red Hat (and to connect to the Red Hat Network to receive\nthem), the Red Hat GPG keys must be installed properly. 
To install the Red Hat\nGPG keys, run:\n\n# rhn_register\n\nIf the system is not connected to the Internet or an RHN Satellite, then\ninstall the Red Hat GPG keys from trusted media such as the Red Hat\ninstallation CD-ROM or DVD. Assuming the disc is mounted in \\\"/media/cdrom\\\",\nuse the following command as the root user to import them into the keyring:\n\n# rpm --import /media/cdrom/RPM-GPG-KEY\"\n\n keys = input('package_signing_keys')\n\n describe command('rpm -q gpg-pubkey') do\n keys.each do |key|\n its('stdout.strip') { should match key }\n end\n end\nend\n", + "code": "control \"V-58901\" do\n title \"The sudo command must require authentication.\"\n desc \"The \\\"sudo\\\" command allows authorized users to run programs\n(including shells) as other users, system users, and root. The \\\"/etc/sudoers\\\"\nfile is used to configure authorized \\\"sudo\\\" users as well as the programs\nthey are allowed to run. Some configuration options in the \\\"/etc/sudoers\\\"\nfile allow configured users to run programs without re-authenticating. 
Use of\nthese configuration options makes it easier for one compromised account to be\nused to compromise other accounts.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000373\"\n tag \"gid\": \"V-58901\"\n tag \"rid\": \"SV-73331r2_rule\"\n tag \"stig_id\": \"RHEL-06-000529\"\n tag \"fix_id\": \"F-64285r1_fix\"\n tag \"cci\": [\"CCI-002038\"]\n tag \"nist\": [\"IA-11\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If passwords are not being used for authentication, this is Not\nApplicable.\n\nVerify neither the \\\"NOPASSWD\\\" option nor the \\\"!authenticate\\\" option is\nconfigured for use in \\\"/etc/sudoers\\\" and associated files. Note that the\n\\\"#include\\\" and \\\"#includedir\\\" directives may be used to include\nconfiguration data from locations other than the defaults enumerated here.\n\n# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*\n# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*\n\nIf the \\\"NOPASSWD\\\" or \\\"!authenticate\\\" options are configured for use in\n\\\"/etc/sudoers\\\" or associated files, this is a finding.\"\n tag \"fix\": \"Update the \\\"/etc/sudoers\\\" or other sudo configuration files to\nremove or comment out lines utilizing the \\\"NOPASSWD\\\" and \\\"!authenticate\\\"\noptions.\n\n# visudo\n# visudo -f [other sudo configuration file]\"\n\n describe command(\"grep -ie '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*\") do\n its('stdout') { should be_empty }\n end\n\n describe command(\"grep -ie '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*\") do\n its('stdout') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38476.rb", + "ref": "./Red Hat 6 
STIG/controls/V-58901.rb", "line": 1 }, - "id": "V-38476" + "id": "V-58901" }, { - "title": "The system must display a publicly-viewable pattern during a graphical\ndesktop environment session lock.", - "desc": "Setting the screensaver mode to blank-only conceals the contents of\nthe display from passersby.", + "title": "The system package management tool must verify ownership on all files\nand directories associated with the audit package.", + "desc": "Ownership of audit binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated.", "descriptions": { - "default": "Setting the screensaver mode to blank-only conceals the contents of\nthe display from passersby." + "default": "Ownership of audit binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000031", - "gid": "V-38639", - "rid": "SV-50440r3_rule", - "stig_id": "RHEL-06-000260", - "fix_id": "F-43588r2_fix", + "gtitle": "SRG-OS-000257", + "gid": "V-38664", + "rid": "SV-50465r1_rule", + "stig_id": "RHEL-06-000279", + "fix_id": "F-43613r1_fix", "cci": [ - "CCI-000060" + "CCI-001494" ], "nist": [ - "AC-11 (1)", + "AU-9", "Rev_4" ], "false_negatives": null, 
@@ -8713,30 +8754,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure the screensaver is configured to be blank, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\n\nIf properly configured, the output should be \"blank-only\".\nIf it is not, this is a finding.", - "fix": "Run the following command to set the screensaver mode in the\nGNOME desktop to a blank screen:\n\n# gconftool-2 \\\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type string \\\n--set /apps/gnome-screensaver/mode blank-only" + "check": "The following command will list which audit files on the system\nhave ownership different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^.....U'\n\n\nIf there is output, this is a finding.", + "fix": "The RPM package management system can restore file ownership of\nthe audit package files and directories. 
The following command will update\naudit files with ownership different from what is expected by the RPM database:\n\n# rpm --setugids audit" }, - "code": "control \"V-38639\" do\n title \"The system must display a publicly-viewable pattern during a graphical\ndesktop environment session lock.\"\n desc \"Setting the screensaver mode to blank-only conceals the contents of\nthe display from passersby.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000031\"\n tag \"gid\": \"V-38639\"\n tag \"rid\": \"SV-50440r3_rule\"\n tag \"stig_id\": \"RHEL-06-000260\"\n tag \"fix_id\": \"F-43588r2_fix\"\n tag \"cci\": [\"CCI-000060\"]\n tag \"nist\": [\"AC-11 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo ensure the screensaver is configured to be blank, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\n\nIf properly configured, the output should be \\\"blank-only\\\".\nIf it is not, this is a finding.\"\n tag \"fix\": \"Run the following command to set the screensaver mode in the\nGNOME desktop to a blank screen:\n\n# gconftool-2 \\\\\n--direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type string \\\\\n--set /apps/gnome-screensaver/mode blank-only\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\") do\n its('stdout.strip') { should eq 'blank-only' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not 
installed, this control Not Applicable\"\n end\n end\nend\n", + "code": "control \"V-38664\" do\n title \"The system package management tool must verify ownership on all files\nand directories associated with the audit package.\"\n desc \"Ownership of audit binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000257\"\n tag \"gid\": \"V-38664\"\n tag \"rid\": \"SV-50465r1_rule\"\n tag \"stig_id\": \"RHEL-06-000279\"\n tag \"fix_id\": \"F-43613r1_fix\"\n tag \"cci\": [\"CCI-001494\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which audit files on the system\nhave ownership different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^.....U'\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"The RPM package management system can restore file ownership of\nthe audit package files and directories. 
The following command will update\naudit files with ownership different from what is expected by the RPM database:\n\n# rpm --setugids audit\"\n\n describe command(\"rpm -V audit | grep '^.....U'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 6 STIG/controls/V-38639.rb",
+ "ref": "./Red Hat 6 STIG/controls/V-38664.rb",
 "line": 1
 },
- "id": "V-38639"
+ "id": "V-38664"
 },
 {
- "title": "The netconsole service must be disabled unless required.",
- "desc": "The \"netconsole\" service is not necessary unless there is a need to\ndebug kernel panics, which is not common.",
+ "title": "The xinetd service must be disabled if no network services utilizing\nit are enabled.",
+ "desc": "The xinetd service provides a dedicated listener service for some\nprograms, which is no longer necessary for commonly-used network services.\nDisabling it ensures that these uncommon services are not running, and also\nprevents attacks against xinetd itself.",
 "descriptions": {
- "default": "The \"netconsole\" service is not necessary unless there is a need to\ndebug kernel panics, which is not common."
+ "default": "The xinetd service provides a dedicated listener service for some\nprograms, which is no longer necessary for commonly-used network services.\nDisabling it ensures that these uncommon services are not running, and also\nprevents attacks against xinetd itself."
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-000096",
- "gid": "V-38672",
- "rid": "SV-50473r2_rule",
- "stig_id": "RHEL-06-000289",
- "fix_id": "F-43622r2_fix",
+ "gid": "V-38582",
+ "rid": "SV-50383r2_rule",
+ "stig_id": "RHEL-06-000203",
+ "fix_id": "F-43530r2_fix",
 "cci": [
 "CCI-000382"
 ],
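Review bot: The assertion `its('stdout.strip') { should be_empty }` on `rpm -V audit | grep '^.....U'` cannot distinguish a clean verify from a missing package: when the audit package is not installed, rpm's not-installed message does not match `^.....U`, so the grep yields an empty string and the control passes on a host with no auditd at all. The same filter swallows any other rpm failure (for example an unreadable RPM database), again producing an empty string and a pass. A guard such as `describe package('audit') do it { should be_installed } end` ahead of the command check would keep V-38664 from passing vacuously. The metadata `"impact": 0.5` does agree with `impact 0.5` in the code string, so severity is consistent for this control.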
@@ -8754,35 +8795,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"netconsole\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \"netconsole\" --list\n\nOutput should indicate the \"netconsole\" service has either not been\ninstalled, or has been disabled at all runlevels, as shown in the example\nbelow:\n\n# chkconfig \"netconsole\" --list\n\"netconsole\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"netconsole\" is disabled through current\nruntime configuration:\n\n# service netconsole status\n\nIf the service is disabled the command will return the following output:\n\nnetconsole is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The \"netconsole\" service is responsible for loading the\nnetconsole kernel module, which logs kernel printk messages over UDP to a\nsyslog server. This allows debugging of problems where disk logging fails and\nserial consoles are impractical. 
The \"netconsole\" service can be disabled\nwith the following commands:\n\n# chkconfig netconsole off\n# service netconsole stop" + "check": "If network services are using the xinetd service, this is not\napplicable.\n\nTo check that the \"xinetd\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \"xinetd\" --list\n\nOutput should indicate the \"xinetd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"xinetd\" --list\n\"xinetd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"xinetd\" is disabled through current\nruntime configuration:\n\n# service xinetd status\n\nIf the service is disabled the command will return the following output:\n\nxinetd is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The \"xinetd\" service can be disabled with the following\ncommands:\n\n# chkconfig xinetd off\n# service xinetd stop" }, - "code": "control \"V-38672\" do\n title \"The netconsole service must be disabled unless required.\"\n desc \"The \\\"netconsole\\\" service is not necessary unless there is a need to\ndebug kernel panics, which is not common.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38672\"\n tag \"rid\": \"SV-50473r2_rule\"\n tag \"stig_id\": \"RHEL-06-000289\"\n tag \"fix_id\": \"F-43622r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"netconsole\\\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \\\"netconsole\\\" 
--list\n\nOutput should indicate the \\\"netconsole\\\" service has either not been\ninstalled, or has been disabled at all runlevels, as shown in the example\nbelow:\n\n# chkconfig \\\"netconsole\\\" --list\n\\\"netconsole\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"netconsole\\\" is disabled through current\nruntime configuration:\n\n# service netconsole status\n\nIf the service is disabled the command will return the following output:\n\nnetconsole is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"netconsole\\\" service is responsible for loading the\nnetconsole kernel module, which logs kernel printk messages over UDP to a\nsyslog server. This allows debugging of problems where disk logging fails and\nserial consoles are impractical. The \\\"netconsole\\\" service can be disabled\nwith the following commands:\n\n# chkconfig netconsole off\n# service netconsole stop\"\n\n describe service(\"netconsole\").runlevels(/0/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/1/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/2/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/3/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/4/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/5/) do\n it { should_not be_enabled }\n end\n describe service(\"netconsole\").runlevels(/6/) do\n it { should_not be_enabled }\n end\nend\n", + "code": "control \"V-38582\" do\n title \"The xinetd service must be disabled if no network services utilizing\nit are enabled.\"\n desc \"The xinetd service provides a dedicated listener service for some\nprograms, which is no longer necessary for commonly-used network services.\nDisabling it ensures that these uncommon services are not running, and also\nprevents attacks against 
xinetd itself.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38582\"\n tag \"rid\": \"SV-50383r2_rule\"\n tag \"stig_id\": \"RHEL-06-000203\"\n tag \"fix_id\": \"F-43530r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If network services are using the xinetd service, this is not\napplicable.\n\nTo check that the \\\"xinetd\\\" service is disabled in system boot configuration,\nrun the following command:\n\n# chkconfig \\\"xinetd\\\" --list\n\nOutput should indicate the \\\"xinetd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"xinetd\\\" --list\n\\\"xinetd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"xinetd\\\" is disabled through current\nruntime configuration:\n\n# service xinetd status\n\nIf the service is disabled the command will return the following output:\n\nxinetd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"xinetd\\\" service can be disabled with the following\ncommands:\n\n# chkconfig xinetd off\n# service xinetd stop\"\n\n describe.one do\n describe package(\"xinetd\") do\n it { should_not be_installed }\n end\n describe service(\"xinetd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should 
be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38672.rb", + "ref": "./Red Hat 6 STIG/controls/V-38582.rb", "line": 1 }, - "id": "V-38672" + "id": "V-38582" }, { - "title": "Library files must be owned by a system account.", - "desc": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Proper ownership is necessary to protect the integrity of the system.", + "title": "The system must display a publicly-viewable pattern during a graphical\ndesktop environment session lock.", + "desc": "Setting the screensaver mode to blank-only conceals the contents of\nthe display from passersby.", "descriptions": { - "default": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Proper ownership is necessary to protect the integrity of the system." + "default": "Setting the screensaver mode to blank-only conceals the contents of\nthe display from passersby." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-000259", - "gid": "V-38466", - "rid": "SV-50266r4_rule", - "stig_id": "RHEL-06-000046", - "fix_id": "F-43411r4_fix", + "gtitle": "SRG-OS-000031", + "gid": "V-38639", + "rid": "SV-50440r3_rule", + "stig_id": "RHEL-06-000260", + "fix_id": "F-43588r2_fix", "cci": [ - "CCI-001499" + "CCI-000060" ], "nist": [ - "CM-5 (6)", + "AC-11 (1)", "Rev_4" ], "false_negatives": null, 
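Review bot: The service branch of `describe.one` for V-38582 asserts `should be_enabled` on `service("xinetd")` for runlevels 0 through 6, which is the opposite of what the control's title and check text require; under `describe.one` the control therefore passes when xinetd is either absent or enabled at every runlevel, and fails when it is installed but disabled, which is the compliant state. Each of the seven lines should flip the matcher, e.g. `its("runlevels(?-mix:0)") { should_not be_enabled }`, so that the block passes exactly when xinetd is absent or disabled. The check text's "If network services are using the xinetd service, this is not applicable" is not reflected in the code at all; a comment such as `# NA when xinetd-managed services are required; that case is not evaluated here` would make the gap explicit. The metadata `"impact": 0.5` matches `impact 0.5` in the code string.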
@@ -8795,30 +8836,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "System-wide shared library files, which are linked to\nexecutables during process load time or run time, are stored in the following\ndirectories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n/usr/local/lib\n/usr/local/lib64\n\nKernel modules, which can be added to the kernel during runtime, are stored in\n\"/lib/modules\". All files in these directories should not be group-writable\nor world-writable. To find shared libraries that are not owned by \"root\" and\ndo not match what is expected by the RPM, run the following command:\n\nfor i in /lib /lib64 /usr/lib /usr/lib64\ndo\n for j in `find -L $i \\! -user root`\n do\n rpm -V -f $j | grep '^.....U'\n done\ndone\n\n\nIf the command returns any results, this is a finding.", - "fix": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n/usr/local/lib\n/usr/local/lib64\n\nIf any file in these directories is found to be owned by a user other than\n\"root\" and does not match what is expected by the RPM, correct its ownership by\nrunning one of the following commands:\n\n\n# rpm --setugids [PACKAGE_NAME]\n\nOr\n\n# chown root [FILE]" + "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure the screensaver is configured to be blank, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\n\nIf properly configured, the output should be \"blank-only\".\nIf it is not, this is a finding.", + "fix": "Run the following command to set the screensaver mode in the\nGNOME desktop to a blank screen:\n\n# gconftool-2 \\\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type string \\\n--set /apps/gnome-screensaver/mode 
blank-only" }, - "code": "control \"V-38466\" do\n title \"Library files must be owned by a system account.\"\n desc \"Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Proper ownership is necessary to protect the integrity of the system.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000259\"\n tag \"gid\": \"V-38466\"\n tag \"rid\": \"SV-50266r4_rule\"\n tag \"stig_id\": \"RHEL-06-000046\"\n tag \"fix_id\": \"F-43411r4_fix\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"System-wide shared library files, which are linked to\nexecutables during process load time or run time, are stored in the following\ndirectories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n/usr/local/lib\n/usr/local/lib64\n\nKernel modules, which can be added to the kernel during runtime, are stored in\n\\\"/lib/modules\\\". All files in these directories should not be group-writable\nor world-writable. To find shared libraries that are not owned by \\\"root\\\" and\ndo not match what is expected by the RPM, run the following command:\n\nfor i in /lib /lib64 /usr/lib /usr/lib64\ndo\n for j in `find -L $i \\\\! 
-user root`\n do\n rpm -V -f $j | grep '^.....U'\n done\ndone\n\n\nIf the command returns any results, this is a finding.\"\n tag \"fix\": \"System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n/usr/local/lib\n/usr/local/lib64\n\nIf any file in these directories is found to be owned by a user other than\n\\\"root\\\" and does not match what is expected by the RPM, correct its ownership by\nrunning one of the following commands:\n\n\n# rpm --setugids [PACKAGE_NAME]\n\nOr\n\n# chown root [FILE]\"\n\n libs = [\"/lib\", \"/lib64\", \"/usr/lib\", \"/usr/lib64\", \"/usr/local/lib\", \"/usr/local/lib64\"]\n libs.each do |l|\n files = command(\"find -L #{l} \\\\! -user root\").stdout.strip.split(\"\\n\")\n if files.empty?\n describe \"`find -L #{l} \\\\! -user root`\" do\n subject { files }\n it { should be_empty }\n end\n end\n files.each do |f|\n describe command(\"rpm -V -f #{f} | grep '^.....U'\") do\n its('stdout.strip') { should be_empty }\n end\n end\n end\nend\n", + "code": "control \"V-38639\" do\n title \"The system must display a publicly-viewable pattern during a graphical\ndesktop environment session lock.\"\n desc \"Setting the screensaver mode to blank-only conceals the contents of\nthe display from passersby.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000031\"\n tag \"gid\": \"V-38639\"\n tag \"rid\": \"SV-50440r3_rule\"\n tag \"stig_id\": \"RHEL-06-000260\"\n tag \"fix_id\": \"F-43588r2_fix\"\n tag \"cci\": [\"CCI-000060\"]\n tag \"nist\": [\"AC-11 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 
package is not installed, this is not applicable.\n\nTo ensure the screensaver is configured to be blank, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\n\nIf properly configured, the output should be \\\"blank-only\\\".\nIf it is not, this is a finding.\"\n tag \"fix\": \"Run the following command to set the screensaver mode in the\nGNOME desktop to a blank screen:\n\n# gconftool-2 \\\\\n--direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type string \\\\\n--set /apps/gnome-screensaver/mode blank-only\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\") do\n its('stdout.strip') { should eq 'blank-only' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38466.rb", + "ref": "./Red Hat 6 STIG/controls/V-38639.rb", "line": 1 }, - "id": "V-38466" + "id": "V-38639" }, { - "title": "The system package management tool must verify permissions on all\nfiles and directories associated with packages.", - "desc": "Permissions on system binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. 
Any\ndeviations from this baseline should be investigated.",
+ "title": "The system must use SMB client signing for connecting to samba servers\nusing mount.cifs.",
+ "desc": "Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit.",
 "descriptions": {
- "default": "Permissions on system binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated."
+ "default": "Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit."
 },
- "impact": 0.3,
+ "impact": 0,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-999999",
- "gid": "V-38452",
- "rid": "SV-50252r2_rule",
- "stig_id": "RHEL-06-000518",
- "fix_id": "F-43398r1_fix",
+ "gid": "V-38657",
+ "rid": "SV-50458r2_rule",
+ "stig_id": "RHEL-06-000273",
+ "fix_id": "F-43607r1_fix",
 "cci": [
 "CCI-000366"
 ],
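Review bot: The metadata `"impact": 0` for V-38639 disagrees with `impact 0.3` declared a few lines later inside the control's own `code` string; the same mismatch appears for V-38657 in the next hunk (`"impact": 0` against `impact 0.3`). The zero presumably comes from the runtime `impact 0.0` override in each control's not-applicable branch (GConf2 absent, no CIFS mounts), which suggests the baseline was exported from a run on a host where those branches fired rather than from the profile's declared severities. Consumers of this baseline will rank both controls as severity zero on every target, including ones where the check actually applies. Exporting against a representative target, or recording the declared `"impact": 0.3` here, keeps the baseline consistent with the control source.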
@@ -8836,30 +8877,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will list which files and directories on\nthe system have permissions different from what is expected by the RPM\ndatabase:\n\n# rpm -Va | grep '^.M'\n\nIf there is any output, for each file or directory found, find the associated\nRPM package and compare the RPM-expected permissions with the actual\npermissions on the file or directory:\n\n# rpm -qf [file or directory name]\n# rpm -q --queryformat \"[%{FILENAMES} %{FILEMODES:perms}]\" [package] | grep [filename]\n# ls -dlL [filename]\n\nIf the existing permissions are more permissive than those expected by RPM,\nthis is a finding.", - "fix": "The RPM package management system can restore file access\npermissions of package files and directories. The following command will update\npermissions on files and directories with permissions different from what is\nexpected by the RPM database:\n\n# rpm --setperms [package]" + "check": "If Samba is not in use, this is not applicable.\n\nTo verify that Samba clients using mount.cifs must use packet signing, run the\nfollowing command:\n\n# grep sec /etc/fstab /etc/mtab\n\nThe output should show either \"krb5i\" or \"ntlmv2i\" in use.\nIf it does not, this is a finding.", + "fix": "Require packet signing of clients who mount Samba shares using\nthe \"mount.cifs\" program (e.g., those who specify shares in \"/etc/fstab\").\nTo do so, ensure signing options (either \"sec=krb5i\" or \"sec=ntlmv2i\") are\nused.\n\nSee the \"mount.cifs(8)\" man page for more information. A Samba client should\nonly communicate with servers who can support SMB packet signing." 
}, - "code": "control \"V-38452\" do\n title \"The system package management tool must verify permissions on all\nfiles and directories associated with packages.\"\n desc \"Permissions on system binaries and configuration files that are too\ngenerous could allow an unauthorized user to gain privileges that they should\nnot have. The permissions set by the vendor should be maintained. Any\ndeviations from this baseline should be investigated.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38452\"\n tag \"rid\": \"SV-50252r2_rule\"\n tag \"stig_id\": \"RHEL-06-000518\"\n tag \"fix_id\": \"F-43398r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which files and directories on\nthe system have permissions different from what is expected by the RPM\ndatabase:\n\n# rpm -Va | grep '^.M'\n\nIf there is any output, for each file or directory found, find the associated\nRPM package and compare the RPM-expected permissions with the actual\npermissions on the file or directory:\n\n# rpm -qf [file or directory name]\n# rpm -q --queryformat \\\"[%{FILENAMES} %{FILEMODES:perms}\\\n]\\\" [package] | grep [filename]\n# ls -dlL [filename]\n\nIf the existing permissions are more permissive than those expected by RPM,\nthis is a finding.\"\n tag \"fix\": \"The RPM package management system can restore file access\npermissions of package files and directories. 
The following command will update\npermissions on files and directories with permissions different from what is\nexpected by the RPM database:\n\n# rpm --setperms [package]\"\n\n describe command(\"rpm -Va | grep '^.M'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38657\" do\n title \"The system must use SMB client signing for connecting to samba servers\nusing mount.cifs.\"\n desc \"Packet signing can prevent man-in-the-middle attacks which modify SMB\npackets in transit.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38657\"\n tag \"rid\": \"SV-50458r2_rule\"\n tag \"stig_id\": \"RHEL-06-000273\"\n tag \"fix_id\": \"F-43607r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If Samba is not in use, this is not applicable.\n\nTo verify that Samba clients using mount.cifs must use packet signing, run the\nfollowing command:\n\n# grep sec /etc/fstab /etc/mtab\n\nThe output should show either \\\"krb5i\\\" or \\\"ntlmv2i\\\" in use.\nIf it does not, this is a finding.\"\n tag \"fix\": \"Require packet signing of clients who mount Samba shares using\nthe \\\"mount.cifs\\\" program (e.g., those who specify shares in \\\"/etc/fstab\\\").\nTo do so, ensure signing options (either \\\"sec=krb5i\\\" or \\\"sec=ntlmv2i\\\") are\nused.\n\nSee the \\\"mount.cifs(8)\\\" man page for more information. 
A Samba client should\nonly communicate with servers who can support SMB packet signing.\"\n\n mounts = command('mount').stdout.strip.split(\"\\n\").\n map do |d|\n split_mounts = d.split(%r{\\s+})\n options = split_mounts[-1].match(%r{\\((.*)\\)$}).captures.first.split(',')\n dev_file = file(split_mounts[0])\n dev_link = dev_file.symlink? ? dev_file.link_path : dev_file.path\n {'dev'=>split_mounts[0], 'link'=>dev_link, 'mount'=>split_mounts[2], 'options'=>options, 'type'=> split_mounts[-2]}\n end\n\n cifs_mounts = mounts.select { |mnt| mnt['type'] == 'cifs' }\n\n if cifs_mounts.empty?\n impact 0.0\n describe \"Samba shares not in use\" do\n skip \"Samba shares not in use, this control Not Applicable\"\n end\n else\n cifs_mounts.each do |mnt|\n describe \"Mount #{mnt['mount']} options\" do\n subject { mnt['options'] }\n it { should (include 'sec=krb5i').or include 'sec=ntlmv2i' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38452.rb", + "ref": "./Red Hat 6 STIG/controls/V-38657.rb", "line": 1 }, - "id": "V-38452" + "id": "V-38657" }, { - "title": "The /etc/group file must be group-owned by root.", - "desc": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity.", + "title": "The login user list must be disabled.", + "desc": "Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to quickly enumerate known user\naccounts without logging in.", "descriptions": { - "default": "The \"/etc/group\" file contains information regarding groups that are\nconfigured on the system. Protection of this file is important for system\nsecurity." + "default": "Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to quickly enumerate known user\naccounts without logging in." 
},
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-999999",
- "gid": "V-38459",
- "rid": "SV-50259r1_rule",
- "stig_id": "RHEL-06-000043",
- "fix_id": "F-43404r1_fix",
+ "gid": "V-43150",
+ "rid": "SV-55880r2_rule",
+ "stig_id": "RHEL-06-000527",
+ "fix_id": "F-48722r2_fix",
 "cci": [
 "CCI-000366"
 ],
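Review bot: The mount-parsing block in V-38657 applies `.match(%r{\((.*)\)$}).captures` to the last token of every line of `mount` output before it filters on `type == 'cifs'`, so any mount line whose last field is not a parenthesised option list raises NoMethodError on nil and errors the whole control, even on hosts with no CIFS mounts where it should simply be Not Applicable; if `mount` prints a mount point containing whitespace unescaped, `split_mounts[2]` and `[-2]` would also be shifted. Selecting CIFS lines first and tolerating a missing match, e.g. `.select { |d| d =~ /\stype\scifs\s/ }` on the line list and `options = (split_mounts[-1][/\((.*)\)$/, 1] || '').split(',')`, confines the fragile parsing to the shares the control is actually about. Note also that the code reads live mounts only, whereas the STIG check text greps `/etc/fstab` and `/etc/mtab`, so an fstab entry that is not mounted at scan time is never evaluated; a comment recording that divergence would help the next reviewer.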
@@ -8877,35 +8918,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the group ownership of \"/etc/group\", run the\ncommand:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following group-owner.\n\"root\"\nIf it does not, this is a finding.", - "fix": "To properly set the group owner of \"/etc/group\", run the\ncommand:\n\n# chgrp root /etc/group" + "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure the user list is disabled, run the following command:\n\n$ gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--get /apps/gdm/simple-greeter/disable_user_list\n\nThe output should be \"true\". If it is not, this is a finding. ", + "fix": "In the default graphical environment, users logging directly into\nthe system are greeted with a login screen that displays all known users. This\nfunctionality should be disabled.\n\nRun the following command to disable the user list:\n\n$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gdm/simple-greeter/disable_user_list true" }, - "code": "control \"V-38459\" do\n title \"The /etc/group file must be group-owned by root.\"\n desc \"The \\\"/etc/group\\\" file contains information regarding groups that are\nconfigured on the system. 
Protection of this file is important for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38459\"\n tag \"rid\": \"SV-50259r1_rule\"\n tag \"stig_id\": \"RHEL-06-000043\"\n tag \"fix_id\": \"F-43404r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/etc/group\\\", run the\ncommand:\n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following group-owner.\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the group owner of \\\"/etc/group\\\", run the\ncommand:\n\n# chgrp root /etc/group\"\n\n describe file(\"/etc/group\") do\n it { should exist }\n end\n describe file(\"/etc/group\") do\n its(\"gid\") { should cmp 0 }\n end\nend\n", + "code": "control \"V-43150\" do\n title \"The login user list must be disabled.\"\n desc \"Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to quickly enumerate known user\naccounts without logging in.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-43150\"\n tag \"rid\": \"SV-55880r2_rule\"\n tag \"stig_id\": \"RHEL-06-000527\"\n tag \"fix_id\": \"F-48722r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag 
\"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo ensure the user list is disabled, run the following command:\n\n$ gconftool-2 --direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--get /apps/gdm/simple-greeter/disable_user_list\n\nThe output should be \\\"true\\\". If it is not, this is a finding. \"\n tag \"fix\": \"In the default graphical environment, users logging directly into\nthe system are greeted with a login screen that displays all known users. This\nfunctionality should be disabled.\n\nRun the following command to disable the user list:\n\n$ sudo gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool --set /apps/gdm/simple-greeter/disable_user_list true\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/disable_user_list\") do\n its('stdout.strip') { should eq 'true' }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38459.rb", + "ref": "./Red Hat 6 STIG/controls/V-43150.rb", "line": 1 }, - "id": "V-38459" + "id": "V-43150" }, { - "title": "The system must use a Linux Security Module at boot time.", - "desc": "Disabling a major host protection feature, such as SELinux, at boot\ntime prevents it from confining system services at boot time. Further, it\nincreases the chances that it will remain off during system operation.", + "title": "All rsyslog-generated log files must have mode 0600 or less\npermissive.", + "desc": "Log files can contain valuable information regarding system\nconfiguration. 
If the system log files are not protected, unauthorized users\ncould change the logged data, eliminating their forensic value.", "descriptions": { - "default": "Disabling a major host protection feature, such as SELinux, at boot\ntime prevents it from confining system services at boot time. Further, it\nincreases the chances that it will remain off during system operation." + "default": "Log files can contain valuable information regarding system\nconfiguration. If the system log files are not protected, unauthorized users\ncould change the logged data, eliminating their forensic value." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-51337", - "rid": "SV-65547r2_rule", - "stig_id": "RHEL-06-000017", - "fix_id": "F-56147r2_fix", + "gtitle": "SRG-OS-000206", + "gid": "V-38623", + "rid": "SV-50424r2_rule", + "stig_id": "RHEL-06-000135", + "fix_id": "F-43571r1_fix", "cci": [ - "CCI-000366" + "CCI-001314" ], "nist": [ - "CM-6 b", + "SI-11 b", "Rev_4" ], "false_negatives": null, 
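Review bot: The embedded V-43150 control code declares `impact 0.5`, but the JSON-level `"impact"` for the same control, on the line just above this hunk, is `0`, so a consumer that reads the top-level field will treat this as a no-impact check while the code runs it as medium severity. Presumably the generator evaluated the control body on a host without GConf2 and captured the `impact 0.0` that the `else` branch sets, which would make this baseline's recorded severity depend on the machine that produced it; please confirm and set the field to `0.5` to match `impact 0.5` in the code. If the generator cannot be changed, a one-line note in the profile README that top-level `impact` may reflect load-time N/A overrides would save the next reader the same confusion.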
@@ -8918,35 +8959,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/boot/grub/grub.conf\" for any instances of\n\"selinux=0\" in the kernel boot arguments. Presence of \"selinux=0\" indicates\nthat SELinux is disabled at boot time. If SELinux is disabled at boot time,\nthis is a finding.", - "fix": "SELinux can be disabled at boot time by an argument in\n\"/boot/grub/grub.conf\". Remove any instances of \"selinux=0\" from the kernel\narguments in that file to prevent SELinux from being disabled at boot. " + "check": "The file permissions for all log files written by rsyslog\nshould be set to 600, or more restrictive. These log files are determined by\nthe second part of each Rule line in \"/etc/rsyslog.conf\" and typically all\nappear in \"/var/log\". For each log file [LOGFILE] referenced in\n\"/etc/rsyslog.conf\", run the following command to inspect the file's\npermissions:\n\n$ ls -l [LOGFILE]\n\nThe permissions should be 600, or more restrictive. Some log files referenced\nin /etc/rsyslog.conf may be created by other programs and may require exclusion\nfrom consideration.\n\nIf the permissions are not correct, this is a finding.", + "fix": "The file permissions for all log files written by rsyslog should\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line in \"/etc/rsyslog.conf\" and typically all appear\nin \"/var/log\". For each log file [LOGFILE] referenced in\n\"/etc/rsyslog.conf\", run the following command to inspect the file's\npermissions:\n\n$ ls -l [LOGFILE]\n\nIf the permissions are not 600 or more restrictive, run the following command\nto correct this:\n\n# chmod 0600 [LOGFILE]" }, - "code": "control \"V-51337\" do\n title \"The system must use a Linux Security Module at boot time.\"\n desc \"Disabling a major host protection feature, such as SELinux, at boot\ntime prevents it from confining system services at boot time. 
Further, it\nincreases the chances that it will remain off during system operation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51337\"\n tag \"rid\": \"SV-65547r2_rule\"\n tag \"stig_id\": \"RHEL-06-000017\"\n tag \"fix_id\": \"F-56147r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/boot/grub/grub.conf\\\" for any instances of\n\\\"selinux=0\\\" in the kernel boot arguments. Presence of \\\"selinux=0\\\" indicates\nthat SELinux is disabled at boot time. If SELinux is disabled at boot time,\nthis is a finding.\"\n tag \"fix\": \"SELinux can be disabled at boot time by an argument in\n\\\"/boot/grub/grub.conf\\\". Remove any instances of \\\"selinux=0\\\" from the kernel\narguments in that file to prevent SELinux from being disabled at boot. \"\n\n describe file(\"/boot/grub/grub.conf\") do\n its(\"content\") { should_not match(/^[\\s]*kernel[\\s]+.*(selinux|enforcing)=0.*$/) }\n end\nend\n", + "code": "control \"V-38623\" do\n title \"All rsyslog-generated log files must have mode 0600 or less\npermissive.\"\n desc \"Log files can contain valuable information regarding system\nconfiguration. 
If the system log files are not protected, unauthorized users\ncould change the logged data, eliminating their forensic value.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000206\"\n tag \"gid\": \"V-38623\"\n tag \"rid\": \"SV-50424r2_rule\"\n tag \"stig_id\": \"RHEL-06-000135\"\n tag \"fix_id\": \"F-43571r1_fix\"\n tag \"cci\": [\"CCI-001314\"]\n tag \"nist\": [\"SI-11 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The file permissions for all log files written by rsyslog\nshould be set to 600, or more restrictive. These log files are determined by\nthe second part of each Rule line in \\\"/etc/rsyslog.conf\\\" and typically all\nappear in \\\"/var/log\\\". For each log file [LOGFILE] referenced in\n\\\"/etc/rsyslog.conf\\\", run the following command to inspect the file's\npermissions:\n\n$ ls -l [LOGFILE]\n\nThe permissions should be 600, or more restrictive. Some log files referenced\nin /etc/rsyslog.conf may be created by other programs and may require exclusion\nfrom consideration.\n\nIf the permissions are not correct, this is a finding.\"\n tag \"fix\": \"The file permissions for all log files written by rsyslog should\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line in \\\"/etc/rsyslog.conf\\\" and typically all appear\nin \\\"/var/log\\\". 
For each log file [LOGFILE] referenced in\n\\\"/etc/rsyslog.conf\\\", run the following command to inspect the file's\npermissions:\n\n$ ls -l [LOGFILE]\n\nIf the permissions are not 600 or more restrictive, run the following command\nto correct this:\n\n# chmod 0600 [LOGFILE]\"\n\n # strip comments, empty lines, and lines which start with $ in order to get rules\n rules = file('/etc/rsyslog.conf').content.lines.map do |l|\n pound_index = l.index('#')\n l = l.slice(0, pound_index) if !pound_index.nil?\n l.strip\n end.reject { |l| l.empty? or l.start_with? '$' }\n\n paths = rules.map do |r|\n filter, action = r.split(%r{\\s+})\n next if !(action.start_with? '-/' or action.start_with? '/')\n action.sub(%r{^-/}, '/')\n end.reject { |path| path.nil? }\n\n if paths.empty?\n describe \"rsyslog log files\" do\n subject { paths }\n it { should be_empty }\n end\n else\n paths.each do |path|\n describe file(path) do \n it { should_not be_executable }\n it { should_not be_readable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_readable.by('others') }\n it { should_not be_writable.by('others') }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-51337.rb", + "ref": "./Red Hat 6 STIG/controls/V-38623.rb", "line": 1 }, - "id": "V-51337" + "id": "V-38623" }, { - "title": "The Automatic Bug Reporting Tool (abrtd) service must not be running.", - "desc": "Mishandling crash data could expose sensitive information about\nvulnerabilities in software executing on the local machine, as well as\nsensitive information from within a process's address space or registers.", + "title": "The system must disable accounts after three consecutive unsuccessful\nlogon attempts.", + "desc": "Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks.", "descriptions": { - "default": "Mishandling crash data could expose sensitive information about\nvulnerabilities in software executing on 
the local machine, as well as\nsensitive information from within a process's address space or registers." + "default": "Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38640", - "rid": "SV-50441r2_rule", - "stig_id": "RHEL-06-000261", - "fix_id": "F-43589r2_fix", + "gtitle": "SRG-OS-000021", + "gid": "V-38573", + "rid": "SV-50374r4_rule", + "stig_id": "RHEL-06-000061", + "fix_id": "F-43521r8_fix", "cci": [ - "CCI-000382" + "CCI-000044" ], "nist": [ - "CM-7 b", + "AC-7 a", "Rev_4" ], "false_negatives": null, 
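Review bot: The V-38623 code reads only `/etc/rsyslog.conf` and discards every line beginning with `$`, so a `$IncludeConfig /etc/rsyslog.d/*.conf` directive is dropped and log files declared in drop-in files are never permission-checked. The no-rules branch asserts `it { should be_empty }` against the already-empty `paths` array, which can only pass, so a host whose file actions all live outside the main file reports compliant instead of being skipped. I would gather the drop-ins as well, e.g. `confs = ['/etc/rsyslog.conf'] + command('ls /etc/rsyslog.d/*.conf 2>/dev/null').stdout.split`, feed each file's content through the same comment-stripping map, and replace the empty branch with `skip "No file actions found in rsyslog configuration; verify log file permissions manually"`. Note also that `file(path)` is used without an existence check, so a referenced log that does not exist yet satisfies every `should_not` matcher.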
@@ -8959,35 +9000,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"abrtd\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"abrtd\" --list\n\nOutput should indicate the \"abrtd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"abrtd\" --list\n\"abrtd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"abrtd\" is disabled through current\nruntime configuration:\n\n# service abrtd status\n\nIf the service is disabled the command will return the following output:\n\nabrtd is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The Automatic Bug Reporting Tool (\"abrtd\") daemon collects and\nreports crash data when an application crash is detected. Using a variety of\nplugins, abrtd can email crash reports to system administrators, log crash\nreports to files, or forward crash reports to a centralized issue tracking\nsystem such as RHTSupport. 
The \"abrtd\" service can be disabled with the\nfollowing commands:\n\n# chkconfig abrtd off\n# service abrtd stop" + "check": "To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nThe output should show \"deny=3\" for both files.\nIf that is not the case, this is a finding.", + "fix": "To configure the system to lock out accounts after a number of\nincorrect logon attempts using \"pam_faillock.so\", modify the content of both\n\"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" as follows:\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \"pam_unix.so\" statement in the\n\"AUTH\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \"pam_unix.so\" statement in the\n\"ACCOUNT\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program.\nThe \"authconfig\" program should not be used." 
}, - "code": "control \"V-38640\" do\n title \"The Automatic Bug Reporting Tool (abrtd) service must not be running.\"\n desc \"Mishandling crash data could expose sensitive information about\nvulnerabilities in software executing on the local machine, as well as\nsensitive information from within a process's address space or registers.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38640\"\n tag \"rid\": \"SV-50441r2_rule\"\n tag \"stig_id\": \"RHEL-06-000261\"\n tag \"fix_id\": \"F-43589r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"abrtd\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"abrtd\\\" --list\n\nOutput should indicate the \\\"abrtd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"abrtd\\\" --list\n\\\"abrtd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"abrtd\\\" is disabled through current\nruntime configuration:\n\n# service abrtd status\n\nIf the service is disabled the command will return the following output:\n\nabrtd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The Automatic Bug Reporting Tool (\\\"abrtd\\\") daemon collects and\nreports crash data when an application crash is detected. Using a variety of\nplugins, abrtd can email crash reports to system administrators, log crash\nreports to files, or forward crash reports to a centralized issue tracking\nsystem such as RHTSupport. 
The \\\"abrtd\\\" service can be disabled with the\nfollowing commands:\n\n# chkconfig abrtd off\n# service abrtd stop\"\n\n describe.one do\n describe package(\"abrt\") do\n it { should_not be_installed }\n end\n describe service(\"abrtd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38573\" do\n title \"The system must disable accounts after three consecutive unsuccessful\nlogon attempts.\"\n desc \"Locking out user accounts after a number of incorrect attempts\nprevents direct password guessing attacks.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000021\"\n tag \"gid\": \"V-38573\"\n tag \"rid\": \"SV-50374r4_rule\"\n tag \"stig_id\": \"RHEL-06-000061\"\n tag \"fix_id\": \"F-43521r8_fix\"\n tag \"cci\": [\"CCI-000044\"]\n tag \"nist\": [\"AC-7 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure the failed password attempt policy is configured\ncorrectly, run the following command:\n\n# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nThe output should show \\\"deny=3\\\" for both files.\nIf that is not the case, this is a finding.\"\n tag \"fix\": \"To configure the system to lock out accounts after a number of\nincorrect logon attempts using \\\"pam_faillock.so\\\", modify the content of both\n\\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" as 
follows:\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth required pam_faillock.so preauth silent deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately after the \\\"pam_unix.so\\\" statement in the\n\\\"AUTH\\\" section:\n\nauth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800\nfail_interval=900\n\nAdd the following line immediately before the \\\"pam_unix.so\\\" statement in the\n\\\"ACCOUNT\\\" section:\n\naccount required pam_faillock.so\n\nNote that any updates made to \\\"/etc/pam.d/system-auth\\\" and\n\\\"/etc/pam.d/password-auth\\\" may be overwritten by the \\\"authconfig\\\" program.\nThe \\\"authconfig\\\" program should not be used.\"\n\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp == input('pam_faillock_deny') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=([0-9]+).*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=([0-9]+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp == input('pam_faillock_deny') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*auth\\s+(?:(?:sufficient)|(?:\\[default=die\\]))\\s+pam_faillock\\.so\\s+authfail.*deny=([0-9]+).*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38640.rb", + "ref": "./Red Hat 6 STIG/controls/V-38573.rb", "line": 1 }, - "id": "V-38640" + "id": "V-38573" }, { - "title": "The system must employ a local IPv4 firewall.", - "desc": "The \"iptables\" service provides the 
system's host-based firewalling\ncapability for IPv4 and ICMP.", + "title": "The system must require at least eight characters be changed between\nthe old and new passwords during a password change.", + "desc": "Requiring a minimum number of different characters during password\nchanges ensures that newly changed passwords should not resemble previously\ncompromised ones. Note that passwords which are changed on compromised systems\nwill still be compromised, however.", "descriptions": { - "default": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP." + "default": "Requiring a minimum number of different characters during password\nchanges ensures that newly changed passwords should not resemble previously\ncompromised ones. Note that passwords which are changed on compromised systems\nwill still be compromised, however." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000152", - "gid": "V-38555", - "rid": "SV-50356r2_rule", - "stig_id": "RHEL-06-000113", - "fix_id": "F-43503r2_fix", + "gtitle": "SRG-OS-000072", + "gid": "V-38572", + "rid": "SV-50373r3_rule", + "stig_id": "RHEL-06-000060", + "fix_id": "F-43520r4_fix", "cci": [ - "CCI-001118" + "CCI-000195" ], "nist": [ - "SC-7 (12)", + "IA-5 (1) (b)", "Rev_4" ], "false_negatives": null, 
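Review bot: The V-38573 regexes validate `deny=` only on the `authfail` line of each PAM file, so the `preauth` line's `deny=` and the `account required pam_faillock.so` line that the fix text mandates are never checked; a `preauth ... deny=10` paired with `authfail ... deny=3`, or a missing account line, passes. Since the check text expects `deny=3` on every pam_faillock line in both files, I would add per file `its("content") { should match(/^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*deny=([0-9]+)/) }` and `its("content") { should match(/^\s*account\s+required\s+pam_faillock\.so/) }`, and run the captured preauth value through the same `cmp == input('pam_faillock_deny')` comparison. As written, `pam_faillock\.so\s+authfail.*deny=` also requires `authfail` to be the first option, so a valid line ordered `pam_faillock.so deny=3 authfail` is reported as missing.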
@@ -9000,30 +9041,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"iptables\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start" + "check": "To check how many characters must differ during a password\nchange, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"difok\" parameter will indicate how many characters must differ.\nThe DoD requires eight characters differ during a password change. This would\nappear as \"difok=8\".\n\nIf \"difok\" is not found or is set to a value less than \"8\", this is a finding.", + "fix": "The pam_cracklib module's \"difok\" parameter controls\nrequirements for usage of different characters during a password change.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"difok=[NUM]\"\nafter pam_cracklib.so to require differing characters when changing passwords,\nsubstituting [NUM] appropriately. 
The DoD requirement is 8.\n" }, - "code": "control \"V-38555\" do\n title \"The system must employ a local IPv4 firewall.\"\n desc \"The \\\"iptables\\\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000152\"\n tag \"gid\": \"V-38555\"\n tag \"rid\": \"SV-50356r2_rule\"\n tag \"stig_id\": \"RHEL-06-000113\"\n tag \"fix_id\": \"F-43503r2_fix\"\n tag \"cci\": [\"CCI-001118\"]\n tag \"nist\": [\"SC-7 (12)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \\\"iptables\\\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"iptables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start\"\n\n describe service('iptables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38572\" do\n title \"The system must require at least eight characters be changed between\nthe old and new passwords during a password change.\"\n desc \"Requiring a minimum number of different characters during password\nchanges ensures that newly changed passwords should not resemble previously\ncompromised ones. 
Note that passwords which are changed on compromised systems\nwill still be compromised, however.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000072\"\n tag \"gid\": \"V-38572\"\n tag \"rid\": \"SV-50373r3_rule\"\n tag \"stig_id\": \"RHEL-06-000060\"\n tag \"fix_id\": \"F-43520r4_fix\"\n tag \"cci\": [\"CCI-000195\"]\n tag \"nist\": [\"IA-5 (1) (b)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many characters must differ during a password\nchange, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"difok\\\" parameter will indicate how many characters must differ.\nThe DoD requires eight characters differ during a password change. This would\nappear as \\\"difok=8\\\".\n\nIf \\\"difok\\\" is not found or is set to a value less than \\\"8\\\", this is a finding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"difok\\\" parameter controls\nrequirements for usage of different characters during a password change.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"difok=[NUM]\\\"\nafter pam_cracklib.so to require differing characters when changing passwords,\nsubstituting [NUM] appropriately. 
The DoD requirement is 8.\n\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+difok=(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+difok=(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_cracklib_difok') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+difok=(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+difok=(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_cracklib_difok') }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+difok=(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+difok=(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_cracklib_difok') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should 
match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+difok=(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+difok=(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('pam_cracklib_difok') }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38555.rb", + "ref": "./Red Hat 6 STIG/controls/V-38572.rb", "line": 1 }, - "id": "V-38555" + "id": "V-38572" }, { - "title": "The /etc/gshadow file must have mode 0000.", - "desc": "The /etc/gshadow file contains group password hashes. Protection of\nthis file is critical for system security.", + "title": "The system must use a separate file system for /var/log.", + "desc": "Placing \"/var/log\" in its own partition enables better separation\nbetween log files and other files in \"/var/\".", "descriptions": { - "default": "The /etc/gshadow file contains group password hashes. Protection of\nthis file is critical for system security." + "default": "Placing \"/var/log\" in its own partition enables better separation\nbetween log files and other files in \"/var/\"." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38449", - "rid": "SV-50249r1_rule", - "stig_id": "RHEL-06-000038", - "fix_id": "F-43394r1_fix", + "gid": "V-38463", + "rid": "SV-50263r1_rule", + "stig_id": "RHEL-06-000003", + "fix_id": "F-43408r1_fix", "cci": [ "CCI-000366" ], 
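Review bot: In the V-38572 code the `cmp >= input('pam_cracklib_difok')` checks sit inside `describe.one` next to the bare `should match` describe, and `describe.one` passes as soon as any nested describe passes, so a `difok=2` line satisfies the match describe and the control reports compliant without the value ever being enforced. The second regex, which requires `difok=` immediately after `pam_cracklib.so`, matches a subset of what the first already matches and adds nothing. I would remove both `describe.one` wrappers and the second regex pair, leaving one `its("content") { should match(...) }` plus the `scan(...).each` value checks per file at the top level of the control, so that presence and the `>= 8` value are both required. The V-38572 control body is fully within this hunk; the V-38463 object that begins at its end continues in the next hunk.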
@@ -9041,35 +9082,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the permissions of \"/etc/gshadow\", run the command:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following permissions:\n\"----------\"\nIf it does not, this is a finding.", - "fix": "To properly set the permissions of \"/etc/gshadow\", run the\ncommand:\n\n# chmod 0000 /etc/gshadow" + "check": "Run the following command to determine if \"/var/log\" is on\nits own partition or logical volume:\n\n$ mount | grep \"on /var/log \"\n\nIf \"/var/log\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.", + "fix": "System logs are stored in the \"/var/log\" directory. Ensure that\nit has its own partition or logical volume at installation time, or migrate it\nusing LVM." }, - "code": "control \"V-38449\" do\n title \"The /etc/gshadow file must have mode 0000.\"\n desc \"The /etc/gshadow file contains group password hashes. 
Protection of\nthis file is critical for system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38449\"\n tag \"rid\": \"SV-50249r1_rule\"\n tag \"stig_id\": \"RHEL-06-000038\"\n tag \"fix_id\": \"F-43394r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/etc/gshadow\\\", run the command:\n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following permissions:\n\\\"----------\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the permissions of \\\"/etc/gshadow\\\", run the\ncommand:\n\n# chmod 0000 /etc/gshadow\"\n\n describe file(\"/etc/gshadow\") do\n it { should exist }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_readable.by \"group\" }\n end\n describe file(\"/etc/gshadow\") do\n its(\"gid\") { should cmp 0 }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_readable.by \"other\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_setgid }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_sticky }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_setuid }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_executable.by \"owner\" }\n end\n 
describe file(\"/etc/gshadow\") do\n it { should_not be_readable.by \"owner\" }\n end\n describe file(\"/etc/gshadow\") do\n its(\"uid\") { should cmp 0 }\n end\n describe file(\"/etc/gshadow\") do\n it { should_not be_writable.by \"owner\" }\n end\nend\n", + "code": "control \"V-38463\" do\n title \"The system must use a separate file system for /var/log.\"\n desc \"Placing \\\"/var/log\\\" in its own partition enables better separation\nbetween log files and other files in \\\"/var/\\\".\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38463\"\n tag \"rid\": \"SV-50263r1_rule\"\n tag \"stig_id\": \"RHEL-06-000003\"\n tag \"fix_id\": \"F-43408r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if \\\"/var/log\\\" is on\nits own partition or logical volume:\n\n$ mount | grep \\\"on /var/log \\\"\n\nIf \\\"/var/log\\\" has its own partition or volume group, a line will be returned.\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"System logs are stored in the \\\"/var/log\\\" directory. 
Ensure that\nit has its own partition or logical volume at installation time, or migrate it\nusing LVM.\"\n\n describe mount(\"/var/log\") do\n it { should be_mounted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38449.rb", + "ref": "./Red Hat 6 STIG/controls/V-38463.rb", "line": 1 }, - "id": "V-38449" + "id": "V-38463" }, { - "title": "Audit log directories must have mode 0755 or less permissive.", - "desc": "If users can delete audit logs, audit trails can be modified or\ndestroyed.", + "title": "The operating system must manage information system identifiers for\nusers and devices by disabling the user identifier after an organization\ndefined time period of inactivity.", + "desc": "Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials.", "descriptions": { - "default": "If users can delete audit logs, audit trails can be modified or\ndestroyed." + "default": "Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000059", - "gid": "V-38493", - "rid": "SV-50294r1_rule", - "stig_id": "RHEL-06-000385", - "fix_id": "F-43440r1_fix", + "gtitle": "SRG-OS-000118", + "gid": "V-38694", + "rid": "SV-50495r1_rule", + "stig_id": "RHEL-06-000335", + "fix_id": "F-43643r2_fix", "cci": [ - "CCI-000164" + "CCI-000795" ], "nist": [ - "AU-9", + "IA-4 e", "Rev_4" ], "false_negatives": null, 
@@ -9082,35 +9123,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to check the mode of the system audit\ndirectories:\n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n\n\nAudit directories must be mode 0755 or less permissive.\nIf any are more permissive, this is a finding.", - "fix": "Change the mode of the audit log directories with the following\ncommand:\n\n# chmod go-w [audit_directory]" + "check": "To verify the \"INACTIVE\" setting, run the following command:\n\ngrep \"INACTIVE\" /etc/default/useradd\n\nThe output should indicate the \"INACTIVE\" configuration option is set to an\nappropriate integer as shown in the example below:\n\n# grep \"INACTIVE\" /etc/default/useradd\nINACTIVE=35\n\nIf it does not, this is a finding.", + "fix": "To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following lines in \"/etc/default/useradd\", substituting \"[NUM_DAYS]\"\nappropriately:\n\nINACTIVE=[NUM_DAYS]\n\nA value of 35 is recommended. If a password is currently on the verge of\nexpiration, then 35 days remain until the account is automatically disabled.\nHowever, if the password will not expire for another 60 days, then 95 days\ncould elapse until the account would be automatically disabled. See the\n\"useradd\" man page for more information. Determining the inactivity timeout\nmust be done with careful consideration of the length of a \"normal\" period of\ninactivity for users in the particular environment. Setting the timeout too low\nincurs support costs and also has the potential to impact availability of the\nsystem to legitimate users." 
}, - "code": "control \"V-38493\" do\n title \"Audit log directories must have mode 0755 or less permissive.\"\n desc \"If users can delete audit logs, audit trails can be modified or\ndestroyed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000059\"\n tag \"gid\": \"V-38493\"\n tag \"rid\": \"SV-50294r1_rule\"\n tag \"stig_id\": \"RHEL-06-000385\"\n tag \"fix_id\": \"F-43440r1_fix\"\n tag \"cci\": [\"CCI-000164\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check the mode of the system audit\ndirectories:\n\ngrep \\\"^log_file\\\" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n\n\nAudit directories must be mode 0755 or less permissive.\nIf any are more permissive, this is a finding.\"\n tag \"fix\": \"Change the mode of the audit log directories with the following\ncommand:\n\n# chmod go-w [audit_directory]\"\n\n log_file = command(\"grep \\\"^log_file\\\" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'\").stdout.strip\n describe file(log_file) do\n it { should exist }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('others') }\n end\nend\n", + "code": "control \"V-38694\" do\n title \"The operating system must manage information system identifiers for\nusers and devices by disabling the user identifier after an organization\ndefined time period of inactivity.\"\n desc \"Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000118\"\n tag \"gid\": \"V-38694\"\n tag \"rid\": \"SV-50495r1_rule\"\n tag 
\"stig_id\": \"RHEL-06-000335\"\n tag \"fix_id\": \"F-43643r2_fix\"\n tag \"cci\": [\"CCI-000795\"]\n tag \"nist\": [\"IA-4 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"INACTIVE\\\" setting, run the following command:\n\ngrep \\\"INACTIVE\\\" /etc/default/useradd\n\nThe output should indicate the \\\"INACTIVE\\\" configuration option is set to an\nappropriate integer as shown in the example below:\n\n# grep \\\"INACTIVE\\\" /etc/default/useradd\nINACTIVE=35\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following lines in \\\"/etc/default/useradd\\\", substituting \\\"[NUM_DAYS]\\\"\nappropriately:\n\nINACTIVE=[NUM_DAYS]\n\nA value of 35 is recommended. If a password is currently on the verge of\nexpiration, then 35 days remain until the account is automatically disabled.\nHowever, if the password will not expire for another 60 days, then 95 days\ncould elapse until the account would be automatically disabled. See the\n\\\"useradd\\\" man page for more information. Determining the inactivity timeout\nmust be done with careful consideration of the length of a \\\"normal\\\" period of\ninactivity for users in the particular environment. 
Setting the timeout too low\nincurs support costs and also has the potential to impact availability of the\nsystem to legitimate users.\"\n\n describe parse_config_file(\"/etc/default/useradd\") do\n its('INACTIVE') { should cmp <= input('days_of_inactivity') }\n its('INACTIVE') { should cmp >= 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38493.rb", + "ref": "./Red Hat 6 STIG/controls/V-38694.rb", "line": 1 }, - "id": "V-38493" + "id": "V-38694" }, { - "title": "The operating system must protect the confidentiality and integrity of\ndata at rest. ", - "desc": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.", + "title": "The system package management tool must cryptographically verify the\nauthenticity of system software packages during installation.", + "desc": "Ensuring the validity of packages' cryptographic signatures prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering.", "descriptions": { - "default": "The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost." + "default": "Ensuring the validity of packages' cryptographic signatures prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000185", - "gid": "V-38661", - "rid": "SV-50462r2_rule", - "stig_id": "RHEL-06-000276", - "fix_id": "F-43610r3_fix", + "gtitle": "SRG-OS-000103", + "gid": "V-38483", + "rid": "SV-50283r1_rule", + "stig_id": "RHEL-06-000013", + "fix_id": "F-43429r1_fix", "cci": [ - "CCI-001199" + "CCI-000663" ], "nist": [ - "SC-28", + "SA-7", "Rev_4" ], "false_negatives": null, 
@@ -9123,76 +9164,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.", - "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \"Encrypt\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \"--encrypted\" and \"--passphrase=\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. Omitting the \"--passphrase=\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" + "check": "To determine whether \"yum\" is configured to use \"gpgcheck\",\ninspect \"/etc/yum.conf\" and ensure the following appears in the \"[main]\"\nsection:\n\ngpgcheck=1\n\nA value of \"1\" indicates that \"gpgcheck\" is enabled. 
Absence of a\n\"gpgcheck\" line or a setting of \"0\" indicates that it is disabled.\nIf GPG checking is not enabled, this is a finding.\n\nIf the \"yum\" system package management tool is not used to update the system,\nverify with the SA that installed packages are cryptographically signed.", + "fix": "The \"gpgcheck\" option should be used to ensure checking of an\nRPM package's signature always occurs prior to its installation. To configure\nyum to check package signatures before installing them, ensure the following\nline appears in \"/etc/yum.conf\" in the \"[main]\" section:\n\ngpgcheck=1" }, - "code": "control \"V-38661\" do\n title \"The operating system must protect the confidentiality and integrity of\ndata at rest. \"\n desc \"The risk of a system's physical compromise, particularly mobile\nsystems such as laptops, places its data at risk of compromise. Encrypting this\ndata mitigates the risk of its loss if the system is lost.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000185\"\n tag \"gid\": \"V-38661\"\n tag \"rid\": \"SV-50462r2_rule\"\n tag \"stig_id\": \"RHEL-06-000276\"\n tag \"fix_id\": \"F-43610r3_fix\"\n tag \"cci\": [\"CCI-001199\"]\n tag \"nist\": [\"SC-28\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Determine if encryption must be used to protect data on the\nsystem.\nIf encryption must be used and is not employed, this is a finding.\"\n tag \"fix\": \"Red Hat Enterprise Linux 6 natively supports partition encryption\nthrough the Linux Unified Key Setup-on-disk-format (LUKS) technology. 
The\neasiest way to encrypt a partition is during installation time.\n\nFor manual installations, select the \\\"Encrypt\\\" checkbox during partition\ncreation to encrypt the partition. When this option is selected the system will\nprompt for a passphrase to use in decrypting the partition. The passphrase will\nsubsequently need to be entered manually every time the system boots.\n\nFor automated/unattended installations, it is possible to use Kickstart by\nadding the \\\"--encrypted\\\" and \\\"--passphrase=\\\" options to the definition of\neach partition to be encrypted. For example, the following line would encrypt\nthe root partition:\n\npart / --fstype=ext3 --size=100 --onpart=hda1 --encrypted\n--passphrase=[PASSPHRASE]\n\nAny [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly. Omitting the \\\"--passphrase=\\\" option from\nthe partition definition will cause the installer to pause and interactively\nask for the passphrase during installation.\n\nDetailed information on encrypting partitions using LUKS can be found on the\nRed Hat Documentation web site:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38483\" do\n title \"The system package management tool must cryptographically verify the\nauthenticity of system software packages during installation.\"\n desc \"Ensuring the validity of packages' cryptographic signatures prior to\ninstallation ensures the provenance of the software and protects against\nmalicious tampering.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000103\"\n tag \"gid\": \"V-38483\"\n tag \"rid\": \"SV-50283r1_rule\"\n tag \"stig_id\": \"RHEL-06-000013\"\n tag \"fix_id\": \"F-43429r1_fix\"\n tag \"cci\": [\"CCI-000663\"]\n tag \"nist\": [\"SA-7\", \"Rev_4\"]\n tag 
\"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine whether \\\"yum\\\" is configured to use \\\"gpgcheck\\\",\ninspect \\\"/etc/yum.conf\\\" and ensure the following appears in the \\\"[main]\\\"\nsection:\n\ngpgcheck=1\n\nA value of \\\"1\\\" indicates that \\\"gpgcheck\\\" is enabled. Absence of a\n\\\"gpgcheck\\\" line or a setting of \\\"0\\\" indicates that it is disabled.\nIf GPG checking is not enabled, this is a finding.\n\nIf the \\\"yum\\\" system package management tool is not used to update the system,\nverify with the SA that installed packages are cryptographically signed.\"\n tag \"fix\": \"The \\\"gpgcheck\\\" option should be used to ensure checking of an\nRPM package's signature always occurs prior to its installation. To configure\nyum to check package signatures before installing them, ensure the following\nline appears in \\\"/etc/yum.conf\\\" in the \\\"[main]\\\" section:\n\ngpgcheck=1\"\n\n describe file(\"/etc/yum.conf\") do\n its(\"content\") { should match(/^\\s*gpgcheck\\s*=\\s*1\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38661.rb", + "ref": "./Red Hat 6 STIG/controls/V-38483.rb", "line": 1 }, - "id": "V-38661" + "id": "V-38483" }, { - "title": "The sendmail package must be removed.", - "desc": "The sendmail software was not developed with security in mind and its\ndesign prevents it from being effectively contained by SELinux. 
Postfix should\nbe used instead.", + "title": "The graphical desktop environment must set the idle timeout to no more\nthan 15 minutes.", + "desc": "Setting the idle delay controls when the screensaver will start, and\ncan be combined with screen locking to prevent access from passersby.", "descriptions": { - "default": "The sendmail software was not developed with security in mind and its\ndesign prevents it from being effectively contained by SELinux. Postfix should\nbe used instead." + "default": "Setting the idle delay controls when the screensaver will start, and\ncan be combined with screen locking to prevent access from passersby." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38671", - "rid": "SV-50472r1_rule", - "stig_id": "RHEL-06-000288", - "fix_id": "F-43620r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", - "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null, - "check": "Run the following command to determine if the \"sendmail\"\npackage is installed:\n\n# rpm -q sendmail\n\n\nIf the package is installed, this is a finding.", - "fix": "Sendmail is not the default mail transfer agent and is not\ninstalled by default. The \"sendmail\" package can be removed with the\nfollowing command:\n\n# yum erase sendmail" - }, - "code": "control \"V-38671\" do\n title \"The sendmail package must be removed.\"\n desc \"The sendmail software was not developed with security in mind and its\ndesign prevents it from being effectively contained by SELinux. 
Postfix should\nbe used instead.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38671\"\n tag \"rid\": \"SV-50472r1_rule\"\n tag \"stig_id\": \"RHEL-06-000288\"\n tag \"fix_id\": \"F-43620r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"sendmail\\\"\npackage is installed:\n\n# rpm -q sendmail\n\n\nIf the package is installed, this is a finding.\"\n tag \"fix\": \"Sendmail is not the default mail transfer agent and is not\ninstalled by default. The \\\"sendmail\\\" package can be removed with the\nfollowing command:\n\n# yum erase sendmail\"\n\n describe package(\"sendmail\") do\n it { should_not be_installed }\n end\nend\n", - "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38671.rb", - "line": 1 - }, - "id": "V-38671" - }, - { - "title": "The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (system-auth).", - "desc": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.", - "descriptions": { - "default": "Using a stronger hashing algorithm makes password cracking attacks\nmore difficult." - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000120", - "gid": "V-38574", - "rid": "SV-50375r4_rule", - "stig_id": "RHEL-06-000062", - "fix_id": "F-43522r4_fix", + "gtitle": "SRG-OS-000029", + "gid": "V-38629", + "rid": "SV-50430r3_rule", + "stig_id": "RHEL-06-000257", + "fix_id": "F-43578r1_fix", "cci": [ - "CCI-000803" + "CCI-000057" ], "nist": [ - "IA-7", + "AC-11 a", "Rev_4" ], "false_negatives": null, 
@@ -9205,35 +9205,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect the \"password\" section of \"/etc/pam.d/system-auth\",\n\"/etc/pam.d/system-auth-ac\", \"/etc/pam.d/password-auth\",\n\"/etc/pam.d/password-auth-ac\" and other files in \"/etc/pam.d\" to identify\nthe number of occurrences where the \"pam_unix.so\" module is used in the\n\"password\" section.\n\n$ grep -E -c 'password.*pam_unix.so' /etc/pam.d/*\n\n/etc/pam.d/atd:0\n/etc/pam.d/config-util:0\n/etc/pam.d/crond:0\n/etc/pam.d/login:0\n/etc/pam.d/other:0\n/etc/pam.d/passwd:0\n/etc/pam.d/password-auth:1\n/etc/pam.d/password-auth-ac:1\n/etc/pam.d/sshd:0\n/etc/pam.d/su:0\n/etc/pam.d/sudo:0\n/etc/pam.d/system-auth:1\n/etc/pam.d/system-auth-ac:1\n/etc/pam.d/vlock:0\n\nNote: The number adjacent to the file name indicates how many occurrences of\nthe \"pam_unix.so\" module are found in the password section.\n\nIf the \"pam_unix.so\" module is not defined in the \"password\" section of\n\"/etc/pam.d/system-auth\", \"/etc/pam.d/system-auth-ac\",\n\"/etc/pam.d/password-auth\", and \"/etc/pam.d/password-auth-ac\" at a minimum,\nthis is a finding.\n\nVerify that the \"sha512\" variable is used with each instance of the\n\"pam_unix.so\" module in the \"password\" section:\n\n$ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512\n\n/etc/pam.d/password-auth:password \tsufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/system-auth:password \tsufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/system-auth-ac:password \tsufficient pam_unix.so sha512 [other\narguments…]\n\nIf this list of files does not coincide with the previous command, this is a\nfinding.\n\nIf any of the identified \"pam_unix.so\" modules do not use the \"sha512\"\nvariable, this is a finding.\n", - "fix": "In \"/etc/pam.d/system-auth\", 
\"/etc/pam.d/system-auth-ac\",\n\"/etc/pam.d/password-auth\", and \"/etc/pam.d/password-auth-ac\", among\npotentially other files, the \"password\" section of the files controls which\nPAM modules execute during a password change. Set the \"pam_unix.so\" module in\nthe \"password\" section to include the argument \"sha512\", as shown below:\n\npassword sufficient pam_unix.so sha512 [other arguments...]\n\nThis will help ensure when local users change their passwords, hashes for the\nnew passwords will be generated using the SHA-512 algorithm. This is the\ndefault.\n\nNote: Any updates made to \"/etc/pam.d/system-auth\" will be overwritten by the\n\"authconfig\" program. The \"authconfig\" program should not be used.\n" + "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo check the current idle time-out value, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/idle_delay\n\nIf properly configured, the output should be \"15\".\n\nIf it is not, this is a finding.", + "fix": "Run the following command to set the idle time-out value for\ninactivity in the GNOME desktop to 15 minutes:\n\n# gconftool-2 \\\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type int \\\n--set /apps/gnome-screensaver/idle_delay 15" }, - "code": "control \"V-38574\" do\n title \"The system must use a FIPS 140-2 approved cryptographic hashing\nalgorithm for generating account password hashes (system-auth).\"\n desc \"Using a stronger hashing algorithm makes password cracking attacks\nmore difficult.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000120\"\n tag \"gid\": \"V-38574\"\n tag \"rid\": \"SV-50375r4_rule\"\n tag \"stig_id\": \"RHEL-06-000062\"\n tag \"fix_id\": \"F-43522r4_fix\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": 
false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect the \\\"password\\\" section of \\\"/etc/pam.d/system-auth\\\",\n\\\"/etc/pam.d/system-auth-ac\\\", \\\"/etc/pam.d/password-auth\\\",\n\\\"/etc/pam.d/password-auth-ac\\\" and other files in \\\"/etc/pam.d\\\" to identify\nthe number of occurrences where the \\\"pam_unix.so\\\" module is used in the\n\\\"password\\\" section.\n\n$ grep -E -c 'password.*pam_unix.so' /etc/pam.d/*\n\n/etc/pam.d/atd:0\n/etc/pam.d/config-util:0\n/etc/pam.d/crond:0\n/etc/pam.d/login:0\n/etc/pam.d/other:0\n/etc/pam.d/passwd:0\n/etc/pam.d/password-auth:1\n/etc/pam.d/password-auth-ac:1\n/etc/pam.d/sshd:0\n/etc/pam.d/su:0\n/etc/pam.d/sudo:0\n/etc/pam.d/system-auth:1\n/etc/pam.d/system-auth-ac:1\n/etc/pam.d/vlock:0\n\nNote: The number adjacent to the file name indicates how many occurrences of\nthe \\\"pam_unix.so\\\" module are found in the password section.\n\nIf the \\\"pam_unix.so\\\" module is not defined in the \\\"password\\\" section of\n\\\"/etc/pam.d/system-auth\\\", \\\"/etc/pam.d/system-auth-ac\\\",\n\\\"/etc/pam.d/password-auth\\\", and \\\"/etc/pam.d/password-auth-ac\\\" at a minimum,\nthis is a finding.\n\nVerify that the \\\"sha512\\\" variable is used with each instance of the\n\\\"pam_unix.so\\\" module in the \\\"password\\\" section:\n\n$ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512\n\n/etc/pam.d/password-auth:password \\tsufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/system-auth:password \\tsufficient pam_unix.so sha512 [other\narguments…]\n/etc/pam.d/system-auth-ac:password \\tsufficient pam_unix.so sha512 [other\narguments…]\n\nIf this list of files does not coincide with the previous command, this 
is a\nfinding.\n\nIf any of the identified \\\"pam_unix.so\\\" modules do not use the \\\"sha512\\\"\nvariable, this is a finding.\n\"\n tag \"fix\": \"In \\\"/etc/pam.d/system-auth\\\", \\\"/etc/pam.d/system-auth-ac\\\",\n\\\"/etc/pam.d/password-auth\\\", and \\\"/etc/pam.d/password-auth-ac\\\", among\npotentially other files, the \\\"password\\\" section of the files controls which\nPAM modules execute during a password change. Set the \\\"pam_unix.so\\\" module in\nthe \\\"password\\\" section to include the argument \\\"sha512\\\", as shown below:\n\npassword sufficient pam_unix.so sha512 [other arguments...]\n\nThis will help ensure when local users change their passwords, hashes for the\nnew passwords will be generated using the SHA-512 algorithm. This is the\ndefault.\n\nNote: Any updates made to \\\"/etc/pam.d/system-auth\\\" will be overwritten by the\n\\\"authconfig\\\" program. The \\\"authconfig\\\" program should not be used.\n\"\n\n describe command(\"grep 'password.*pam_unix.so' /etc/pam.d/password-auth\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"grep 'password.*pam_unix.so' /etc/pam.d/system-auth\") do\n its('stdout.strip') { should_not be_empty }\n end\n\n describe command(\"grep password /etc/pam.d/* | grep pam_unix.so\") do\n its('stdout.strip.lines') { should all match %r{\\bsha512\\b} }\n end\nend\n", + "code": "control \"V-38629\" do\n title \"The graphical desktop environment must set the idle timeout to no more\nthan 15 minutes.\"\n desc \"Setting the idle delay controls when the screensaver will start, and\ncan be combined with screen locking to prevent access from passersby.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000029\"\n tag \"gid\": \"V-38629\"\n tag \"rid\": \"SV-50430r3_rule\"\n tag \"stig_id\": \"RHEL-06-000257\"\n tag \"fix_id\": \"F-43578r1_fix\"\n tag \"cci\": [\"CCI-000057\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag 
\"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the GConf2 package is not installed, this is not applicable.\n\nTo check the current idle time-out value, run the following command:\n\n$ gconftool-2 --direct --config-source\nxml:readwrite:/etc/gconf/gconf.xml.mandatory --get\n/apps/gnome-screensaver/idle_delay\n\nIf properly configured, the output should be \\\"15\\\".\n\nIf it is not, this is a finding.\"\n tag \"fix\": \"Run the following command to set the idle time-out value for\ninactivity in the GNOME desktop to 15 minutes:\n\n# gconftool-2 \\\\\n--direct \\\\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\\\n--type int \\\\\n--set /apps/gnome-screensaver/idle_delay 15\"\n\n if package('GConf2').installed?\n describe command(\"gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay\") do\n its('stdout.strip') { should cmp <= 15 }\n end\n else\n impact 0.0\n describe \"Package GConf2 not installed\" do\n skip \"Package GConf2 not installed, this control Not Applicable\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38574.rb", + "ref": "./Red Hat 6 STIG/controls/V-38629.rb", "line": 1 }, - "id": "V-38574" + "id": "V-38629" }, { - "title": "The system must prohibit the reuse of passwords within five\niterations.", - "desc": "Preventing reuse of previous passwords helps ensure that a compromised\npassword is not reused by a user.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lremovexattr.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be 
disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "Preventing reuse of previous passwords helps ensure that a compromised\npassword is not reused by a user." + "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000077", - "gid": "V-38658", - "rid": "SV-50459r6_rule", - "stig_id": "RHEL-06-000274", - "fix_id": "F-43608r6_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38559", + "rid": "SV-50360r3_rule", + "stig_id": "RHEL-06-000193", + "fix_id": "F-43507r2_fix", "cci": [ - "CCI-000200" + "CCI-000172" ], "nist": [ - "IA-5 (1) (e)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
@@ -9246,30 +9246,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the password reuse setting is compliant, run the\nfollowing command:\n\n# grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf the line is commented out, the line does not contain \"password required\npam_pwhistory.so\" or \"password requisite pam_pwhistory.so\", or the value for\n\"remember\" is less than \"5\", this is a finding.", - "fix": "Do not allow users to reuse recent passwords. This can be\naccomplished by using the \"remember\" option for the \"pam_pwhistory\" PAM\nmodule. In the file \"/etc/pam.d/system-auth\" and /etc/pam.d/password-auth,\nappend \"remember=5\" to the lines that refer to the \"pam_pwhistory.so\"\nmodule, as shown:\n\npassword required pam_pwhistory.so [existing_options] remember=5\n\nor\n\npassword requisite pam_pwhistory.so [existing_options] remember=5\n\nThe DoD requirement is five passwords." + "check": "To determine if the system is configured to audit calls to the\n\"lremovexattr\" system call, run the following command:\n\n$ sudo grep -w \"lremovexattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod" }, - "code": "control \"V-38658\" do\n title \"The system must prohibit the reuse of passwords within five\niterations.\"\n desc \"Preventing reuse of previous passwords helps ensure that a compromised\npassword is not reused by a user.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000077\"\n tag \"gid\": \"V-38658\"\n tag \"rid\": \"SV-50459r6_rule\"\n tag \"stig_id\": \"RHEL-06-000274\"\n tag \"fix_id\": \"F-43608r6_fix\"\n tag \"cci\": [\"CCI-000200\"]\n tag \"nist\": [\"IA-5 (1) (e)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the password reuse setting is compliant, run the\nfollowing command:\n\n# grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf the line is commented out, the line does not contain \\\"password required\npam_pwhistory.so\\\" or \\\"password requisite pam_pwhistory.so\\\", or the value for\n\\\"remember\\\" is less than \\\"5\\\", this is a finding.\"\n tag \"fix\": \"Do not allow users to reuse recent passwords. This can be\naccomplished by using the \\\"remember\\\" option for the \\\"pam_pwhistory\\\" PAM\nmodule. 
In the file \\\"/etc/pam.d/system-auth\\\" and /etc/pam.d/password-auth,\nappend \\\"remember=5\\\" to the lines that refer to the \\\"pam_pwhistory.so\\\"\nmodule, as shown:\n\npassword required pam_pwhistory.so [existing_options] remember=5\n\nor\n\npassword requisite pam_pwhistory.so [existing_options] remember=5\n\nThe DoD requirement is five passwords.\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so[\\t ]+[^#\\n\\r]*\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so[\\t ]+[^#\\n\\r]*\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('min_reuse_generations') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('min_reuse_generations') }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so[\\t ]+[^#\\n\\r]*\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so[\\t ]+[^#\\n\\r]*\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('min_reuse_generations') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should 
match(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('min_reuse_generations') }\n end\n end\n end\nend\n", + "code": "control \"V-38559\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lremovexattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38559\"\n tag \"rid\": \"SV-50360r3_rule\"\n tag \"stig_id\": \"RHEL-06-000193\"\n tag \"fix_id\": \"F-43507r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"lremovexattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"lremovexattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lremovexattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lremovexattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38658.rb", + "ref": "./Red Hat 6 STIG/controls/V-38559.rb", "line": 1 }, - "id": "V-38658" + "id": "V-38559" }, { - "title": "The system default umask for daemons must be 027 or 022.", - "desc": "The umask influences the permissions assigned to files created by a\nprocess at run time. An unnecessarily permissive umask could result in files\nbeing created with insecure permissions.", + "title": "The /etc/passwd file must be group-owned by root.", + "desc": "The \"/etc/passwd\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity.", "descriptions": { - "default": "The umask influences the permissions assigned to files created by a\nprocess at run time. An unnecessarily permissive umask could result in files\nbeing created with insecure permissions." 
+ "default": "The \"/etc/passwd\" file contains information about the users that are\nconfigured on the system. Protection of this file is critical for system\nsecurity." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38642", - "rid": "SV-50443r1_rule", - "stig_id": "RHEL-06-000346", - "fix_id": "F-43592r1_fix", + "gid": "V-38451", + "rid": "SV-50251r1_rule", + "stig_id": "RHEL-06-000040", + "fix_id": "F-43396r1_fix", "cci": [ "CCI-000366" ], 
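Review bot: The embedded V-38559 code on the new side ends with an empty `describe.one do … end` block, so the 64-bit rules the fix text itself requires (`-a always,exit -F arch=b64 -S lremovexattr …`) are never tested; only the two `arch=b32` regexes run and a 64-bit host with no b64 rule passes the control. Either remove the empty block or populate it with the b64 equivalents of the two existing `its("content") { should match(...) }` expectations, selected by the host architecture. Since this JSON appears to be an export of `./Red Hat 6 STIG/controls/V-38559.rb` (per `source_location`), the change belongs in that source file and should be re-exported rather than patched here.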
@@ -9287,35 +9287,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the value of the \"umask\", run the following command:\n\n$ grep umask /etc/init.d/functions\n\nThe output should show either \"022\" or \"027\".\nIf it does not, this is a finding.", - "fix": "The file \"/etc/init.d/functions\" includes initialization\nparameters for most or all daemons started at boot time. The default umask of\n022 prevents creation of group- or world-writable files. To set the default\numask for daemons, edit the following line, inserting 022 or 027 for [UMASK]\nappropriately:\n\numask [UMASK]\n\nSetting the umask to too restrictive a setting can cause serious errors at\nruntime. Many daemons on the system already individually restrict themselves to\na umask of 077 in their own init scripts." + "check": "To check the group ownership of \"/etc/passwd\", run the\ncommand:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following group-owner.\n\"root\"\nIf it does not, this is a finding.", + "fix": "To properly set the group owner of \"/etc/passwd\", run the\ncommand:\n\n# chgrp root /etc/passwd" }, - "code": "control \"V-38642\" do\n title \"The system default umask for daemons must be 027 or 022.\"\n desc \"The umask influences the permissions assigned to files created by a\nprocess at run time. 
An unnecessarily permissive umask could result in files\nbeing created with insecure permissions.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38642\"\n tag \"rid\": \"SV-50443r1_rule\"\n tag \"stig_id\": \"RHEL-06-000346\"\n tag \"fix_id\": \"F-43592r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the value of the \\\"umask\\\", run the following command:\n\n$ grep umask /etc/init.d/functions\n\nThe output should show either \\\"022\\\" or \\\"027\\\".\nIf it does not, this is a finding.\"\n tag \"fix\": \"The file \\\"/etc/init.d/functions\\\" includes initialization\nparameters for most or all daemons started at boot time. The default umask of\n022 prevents creation of group- or world-writable files. To set the default\numask for daemons, edit the following line, inserting 022 or 027 for [UMASK]\nappropriately:\n\numask [UMASK]\n\nSetting the umask to too restrictive a setting can cause serious errors at\nruntime. Many daemons on the system already individually restrict themselves to\na umask of 077 in their own init scripts.\"\n\n describe file(\"/etc/rc.d/init.d/functions\") do\n its(\"content\") { should match(/^\\s*umask\\s+([^#\\s]*)/) }\n end\n file(\"/etc/rc.d/init.d/functions\").content.to_s.scan(/^\\s*umask\\s+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should match(/^0?(022|027)$/) }\n end\n end\nend\n", + "code": "control \"V-38451\" do\n title \"The /etc/passwd file must be group-owned by root.\"\n desc \"The \\\"/etc/passwd\\\" file contains information about the users that are\nconfigured on the system. 
Protection of this file is critical for system\nsecurity.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38451\"\n tag \"rid\": \"SV-50251r1_rule\"\n tag \"stig_id\": \"RHEL-06-000040\"\n tag \"fix_id\": \"F-43396r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the group ownership of \\\"/etc/passwd\\\", run the\ncommand:\n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following group-owner.\n\\\"root\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the group owner of \\\"/etc/passwd\\\", run the\ncommand:\n\n# chgrp root /etc/passwd\"\n\n describe file(\"/etc/passwd\") do\n it { should exist }\n end\n describe file(\"/etc/passwd\") do\n its(\"gid\") { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38642.rb", + "ref": "./Red Hat 6 STIG/controls/V-38451.rb", "line": 1 }, - "id": "V-38642" + "id": "V-38451" }, { - "title": "System security patches and updates must be installed and up-to-date.", - "desc": "Installing software updates is a fundamental mitigation against the\nexploitation of publicly-known vulnerabilities.", + "title": "A file integrity tool must be used at least weekly to check for\nunauthorized file changes, particularly the addition of unauthorized system\nlibraries or binaries, or for unauthorized modification to authorized system\nlibraries or binaries.", + "desc": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.", "descriptions": { - "default": "Installing 
software updates is a fundamental mitigation against the\nexploitation of publicly-known vulnerabilities." + "default": "By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000191", - "gid": "V-38481", - "rid": "SV-50281r1_rule", - "stig_id": "RHEL-06-000011", - "fix_id": "F-43426r1_fix", + "gtitle": "SRG-OS-000094", + "gid": "V-38695", + "rid": "SV-50496r2_rule", + "stig_id": "RHEL-06-000302", + "fix_id": "F-43644r1_fix", "cci": [ - "CCI-001233" + "CCI-000374" ], "nist": [ - "SI-2 (2)", + "CM-6 (2)", "Rev_4" ], "false_negatives": null, 
@@ -9328,30 +9328,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is joined to the Red Hat Network, a Red Hat\nSatellite Server, or a yum server which provides updates, invoking the\nfollowing command will indicate if updates are available:\n\n# yum check-update\n\nIf the system is not configured to update from one of these sources, run the\nfollowing command to list when each package was last updated:\n\n$ rpm -qa -last\n\nCompare this to Red Hat Security Advisories (RHSA) listed at\nhttps://access.redhat.com/security/updates/active/ to determine whether the\nsystem is missing applicable security and bugfix updates.\nIf updates are not installed, this is a finding.", - "fix": "If the system is joined to the Red Hat Network, a Red Hat\nSatellite Server, or a yum server, run the following command to install\nupdates:\n\n# yum update\n\nIf the system is not configured to use one of these sources, updates (in the\nform of RPM packages) can be manually downloaded from the Red Hat Network and\ninstalled using \"rpm\"." + "check": "To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output or if aide is not run at least weekly, this is a finding.", + "fix": "AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample." 
}, - "code": "control \"V-38481\" do\n title \"System security patches and updates must be installed and up-to-date.\"\n desc \"Installing software updates is a fundamental mitigation against the\nexploitation of publicly-known vulnerabilities.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000191\"\n tag \"gid\": \"V-38481\"\n tag \"rid\": \"SV-50281r1_rule\"\n tag \"stig_id\": \"RHEL-06-000011\"\n tag \"fix_id\": \"F-43426r1_fix\"\n tag \"cci\": [\"CCI-001233\"]\n tag \"nist\": [\"SI-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is joined to the Red Hat Network, a Red Hat\nSatellite Server, or a yum server which provides updates, invoking the\nfollowing command will indicate if updates are available:\n\n# yum check-update\n\nIf the system is not configured to update from one of these sources, run the\nfollowing command to list when each package was last updated:\n\n$ rpm -qa -last\n\nCompare this to Red Hat Security Advisories (RHSA) listed at\nhttps://access.redhat.com/security/updates/active/ to determine whether the\nsystem is missing applicable security and bugfix updates.\nIf updates are not installed, this is a finding.\"\n tag \"fix\": \"If the system is joined to the Red Hat Network, a Red Hat\nSatellite Server, or a yum server, run the following command to install\nupdates:\n\n# yum update\n\nIf the system is not configured to use one of these sources, updates (in the\nform of RPM packages) can be manually downloaded from the Red Hat Network and\ninstalled using \\\"rpm\\\".\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38695\" do\n title \"A file integrity tool 
must be used at least weekly to check for\nunauthorized file changes, particularly the addition of unauthorized system\nlibraries or binaries, or for unauthorized modification to authorized system\nlibraries or binaries.\"\n desc \"By default, AIDE does not install itself for periodic execution.\nPeriodically running AIDE may reveal unexpected changes in installed files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000094\"\n tag \"gid\": \"V-38695\"\n tag \"rid\": \"SV-50496r2_rule\"\n tag \"stig_id\": \"RHEL-06-000302\"\n tag \"fix_id\": \"F-43644r1_fix\"\n tag \"cci\": [\"CCI-000374\"]\n tag \"nist\": [\"CM-6 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine that periodic AIDE execution has been scheduled,\nrun the following command:\n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output or if aide is not run at least weekly, this is a finding.\"\n tag \"fix\": \"AIDE should be executed on a periodic basis to check for changes.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following\nline to /etc/crontab:\n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one\nexample.\"\n\n describe command('grep aide /etc/crontab /etc/cron.*/*') do\n its('stdout.strip') { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38481.rb", + "ref": "./Red Hat 6 STIG/controls/V-38695.rb", "line": 1 }, - "id": "V-38481" + "id": "V-38695" }, { - "title": "The system must not accept ICMPv4 secure redirect packets on any\ninterface.", - "desc": "Accepting \"secure\" ICMP redirects (from those gateways listed as\ndefault gateways) has 
few legitimate uses. It should be disabled unless it is\nabsolutely required.", + "title": "The system must use a Linux Security Module at boot time.", + "desc": "Disabling a major host protection feature, such as SELinux, at boot\ntime prevents it from confining system services at boot time. Further, it\nincreases the chances that it will remain off during system operation.", "descriptions": { - "default": "Accepting \"secure\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. It should be disabled unless it is\nabsolutely required." + "default": "Disabling a major host protection feature, such as SELinux, at boot\ntime prevents it from confining system services at boot time. Further, it\nincreases the chances that it will remain off during system operation." }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38526", - "rid": "SV-50327r2_rule", - "stig_id": "RHEL-06-000086", - "fix_id": "F-43474r1_fix", + "gid": "V-51337", + "rid": "SV-65547r2_rule", + "stig_id": "RHEL-06-000017", + "fix_id": "F-56147r2_fix", "cci": [ "CCI-000366" ], 
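Review bot: The V-38695 test only asserts that `grep aide /etc/crontab /etc/cron.*/*` prints something, which is weaker than the check text it implements: a commented-out line, or an entry under /etc/cron.monthly, satisfies it even though the control requires AIDE to run at least weekly. At minimum the match should skip commented lines, e.g. `its('stdout') { should match(/^[^:]*:\s*[^#\s][^\n]*aide/) }` (grep prefixes each hit with the file name and a colon when given several files), and the glob should be narrowed to /etc/crontab, /etc/cron.d, /etc/cron.daily, /etc/cron.hourly and /etc/cron.weekly so a monthly-only schedule is reported as a finding. As with the other controls in this file the fix belongs in the referenced `./Red Hat 6 STIG/controls/V-38695.rb` and a re-export.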
@@ -9369,35 +9369,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.all.secure_redirects\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.secure_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.secure_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.secure_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.secure_redirects = 0" + "check": "Inspect \"/boot/grub/grub.conf\" for any instances of\n\"selinux=0\" in the kernel boot arguments. Presence of \"selinux=0\" indicates\nthat SELinux is disabled at boot time. If SELinux is disabled at boot time,\nthis is a finding.", + "fix": "SELinux can be disabled at boot time by an argument in\n\"/boot/grub/grub.conf\". Remove any instances of \"selinux=0\" from the kernel\narguments in that file to prevent SELinux from being disabled at boot. " }, - "code": "control \"V-38526\" do\n title \"The system must not accept ICMPv4 secure redirect packets on any\ninterface.\"\n desc \"Accepting \\\"secure\\\" ICMP redirects (from those gateways listed as\ndefault gateways) has few legitimate uses. 
It should be disabled unless it is\nabsolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38526\"\n tag \"rid\": \"SV-50327r2_rule\"\n tag \"stig_id\": \"RHEL-06-000086\"\n tag \"fix_id\": \"F-43474r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.secure_redirects\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.secure_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.secure_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.secure_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.secure_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.secure_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.secure_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.secure_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-51337\" do\n title \"The system must use a Linux Security Module at 
boot time.\"\n desc \"Disabling a major host protection feature, such as SELinux, at boot\ntime prevents it from confining system services at boot time. Further, it\nincreases the chances that it will remain off during system operation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-51337\"\n tag \"rid\": \"SV-65547r2_rule\"\n tag \"stig_id\": \"RHEL-06-000017\"\n tag \"fix_id\": \"F-56147r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/boot/grub/grub.conf\\\" for any instances of\n\\\"selinux=0\\\" in the kernel boot arguments. Presence of \\\"selinux=0\\\" indicates\nthat SELinux is disabled at boot time. If SELinux is disabled at boot time,\nthis is a finding.\"\n tag \"fix\": \"SELinux can be disabled at boot time by an argument in\n\\\"/boot/grub/grub.conf\\\". Remove any instances of \\\"selinux=0\\\" from the kernel\narguments in that file to prevent SELinux from being disabled at boot. \"\n\n describe file(\"/boot/grub/grub.conf\") do\n its(\"content\") { should_not match(/^[\\s]*kernel[\\s]+.*(selinux|enforcing)=0.*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38526.rb", + "ref": "./Red Hat 6 STIG/controls/V-51337.rb", "line": 1 }, - "id": "V-38526" + "id": "V-51337" }, { - "title": "The oddjobd service must not be running.", - "desc": "The \"oddjobd\" service may provide necessary functionality in some\nenvironments but it can be disabled if it is not needed. 
Execution of tasks by\nprivileged programs, on behalf of unprivileged ones, has traditionally been a\nsource of privilege escalation security issues.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using setxattr.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "The \"oddjobd\" service may provide necessary functionality in some\nenvironments but it can be disabled if it is not needed. Execution of tasks by\nprivileged programs, on behalf of unprivileged ones, has traditionally been a\nsource of privilege escalation security issues." + "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38646", - "rid": "SV-50447r2_rule", - "stig_id": "RHEL-06-000266", - "fix_id": "F-43595r2_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38565", + "rid": "SV-50366r3_rule", + "stig_id": "RHEL-06-000196", + "fix_id": "F-43513r2_fix", "cci": [ - "CCI-000382" + "CCI-000172" ], "nist": [ - "CM-7 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
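Review bot: The V-51337 test only asserts `should_not match` against the content of /boot/grub/grub.conf and never checks that the file exists, so a missing or relocated grub.conf (content nil) appears to pass vacuously and the control reports compliance without inspecting any boot arguments. Add `it { should exist }` inside the same `describe file("/boot/grub/grub.conf")` block, as the V-38451 control earlier in this diff does for /etc/passwd. The regex also flags `enforcing=0`, which is stricter than the STIG check text's `selinux=0`; a short comment in the source recording that this is deliberate would keep the next maintainer from "fixing" it. Per `source_location` the code comes from `./Red Hat 6 STIG/controls/V-51337.rb`, so apply the change there.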
@@ -9410,35 +9410,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"oddjobd\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \"oddjobd\" --list\n\nOutput should indicate the \"oddjobd\" service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"oddjobd\" --list\n\"oddjobd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"oddjobd\" is disabled through current\nruntime configuration:\n\n# service oddjobd status\n\nIf the service is disabled the command will return the following output:\n\noddjobd is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The \"oddjobd\" service exists to provide an interface and access\ncontrol mechanism through which specified privileged tasks can run tasks for\nunprivileged client applications. Communication with \"oddjobd\" is through the\nsystem message bus. The \"oddjobd\" service can be disabled with the following\ncommands:\n\n# chkconfig oddjobd off\n# service oddjobd stop" + "check": "To determine if the system is configured to audit calls to the\n\"setxattr\" system call, run the following command:\n\n$ sudo grep -w \"setxattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod" }, - "code": "control \"V-38646\" do\n title \"The oddjobd service must not be running.\"\n desc \"The \\\"oddjobd\\\" service may provide necessary functionality in some\nenvironments but it can be disabled if it is not needed. Execution of tasks by\nprivileged programs, on behalf of unprivileged ones, has traditionally been a\nsource of privilege escalation security issues.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38646\"\n tag \"rid\": \"SV-50447r2_rule\"\n tag \"stig_id\": \"RHEL-06-000266\"\n tag \"fix_id\": \"F-43595r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"oddjobd\\\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \\\"oddjobd\\\" --list\n\nOutput should indicate the \\\"oddjobd\\\" service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"oddjobd\\\" --list\n\\\"oddjobd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"oddjobd\\\" is disabled through current\nruntime configuration:\n\n# service oddjobd status\n\nIf the service is disabled the command will return the following 
output:\n\noddjobd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"oddjobd\\\" service exists to provide an interface and access\ncontrol mechanism through which specified privileged tasks can run tasks for\nunprivileged client applications. Communication with \\\"oddjobd\\\" is through the\nsystem message bus. The \\\"oddjobd\\\" service can be disabled with the following\ncommands:\n\n# chkconfig oddjobd off\n# service oddjobd stop\"\n\n describe.one do\n describe package(\"oddjob\") do\n it { should_not be_installed }\n end\n describe service(\"oddjobd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38565\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using setxattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38565\"\n tag \"rid\": \"SV-50366r3_rule\"\n tag \"stig_id\": \"RHEL-06-000196\"\n tag \"fix_id\": \"F-43513r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag 
\"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"setxattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"setxattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)setxattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)setxattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38646.rb", + "ref": "./Red Hat 6 STIG/controls/V-38565.rb", "line": 1 }, - "id": "V-38646" + "id": "V-38565" }, { - "title": "The telnet daemon must not be running.", - "desc": "The telnet protocol uses unencrypted network communication, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network. 
The telnet protocol is also subject to man-in-the-middle attacks.\n\n Mitigation: If an enabled telnet daemon is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated.", + "title": "The system must prevent the root account from logging in from virtual\nconsoles.", + "desc": "Preventing direct root login to virtual console devices helps ensure\naccountability for actions taken on the system using the root account.", "descriptions": { - "default": "The telnet protocol uses unencrypted network communication, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network. The telnet protocol is also subject to man-in-the-middle attacks.\n\n Mitigation: If an enabled telnet daemon is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated." + "default": "Preventing direct root login to virtual console devices helps ensure\naccountability for actions taken on the system using the root account." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000129", - "gid": "V-38589", - "rid": "SV-50390r2_rule", - "stig_id": "RHEL-06-000211", - "fix_id": "F-43537r1_fix", + "gtitle": "SRG-OS-000109", + "gid": "V-38492", + "rid": "SV-50293r1_rule", + "stig_id": "RHEL-06-000027", + "fix_id": "F-43439r2_fix", "cci": [ - "CCI-000888" + "CCI-000770" ], "nist": [ - "MA-4 (6)", + "IA-2 (5)", "Rev_4" ], "false_negatives": null, 
@@ -9451,35 +9451,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"telnet\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"telnet\" --list\n\nOutput should indicate the \"telnet\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"telnet\" --list\ntelnet off\nOR\nerror reading information on service telnet: No such file or directory\n\n\nIf the service is running, this is a finding.", - "fix": "The \"telnet\" service can be disabled with the following\ncommand:\n\n# chkconfig telnet off" + "check": "To check for virtual console entries which permit root login,\nrun the following command:\n\n# grep '^vc/[0-9]' /etc/securetty\n\nIf any output is returned, then root logins over virtual console devices is\npermitted.\nIf root login over virtual console devices is permitted, this is a finding.", + "fix": "To restrict root logins through the (deprecated) virtual console\ndevices, ensure lines of this form do not appear in \"/etc/securetty\":\n\nvc/1\nvc/2\nvc/3\nvc/4\n\nNote: Virtual console entries are not limited to those listed above. Any\nlines starting with \"vc/\" followed by numerals should be removed." }, - "code": "control \"V-38589\" do\n title \"The telnet daemon must not be running.\"\n desc \"The telnet protocol uses unencrypted network communication, which\nmeans that data from the login session, including passwords and all other\ninformation transmitted during the session, can be stolen by eavesdroppers on\nthe network. 
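Review bot: The new V-38565 code only asserts the `arch=b32` setxattr rules, so a 64-bit host that lacks the `arch=b64` rules passes even though the fix text in this same entry says to add them; auditd's arch filter means a b32-only rule does not see setxattr from native 64-bit processes, so the control can report compliant while the calls it exists to audit go unrecorded. Mirror the two `describe file("/etc/audit/audit.rules")` checks with `arch=b64` in place of `arch=b32`, guarded by an architecture test (presumably `os.arch == "x86_64"` — verify the InSpec OS resource on the target), so the b64 rules are required exactly where the fix says to add them. The trailing empty `describe.one do end` is a leftover that asserts nothing and should be dropped. Since this JSON embeds the control verbatim and `source_location.ref` points at `./Red Hat 6 STIG/controls/V-38565.rb`, the change presumably belongs in that source file and this asset should be regenerated from it.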
The telnet protocol is also subject to man-in-the-middle attacks.\n\n Mitigation: If an enabled telnet daemon is configured to only allow\nencrypted sessions, such as with Kerberos or the use of encrypted network\ntunnels, the risk of exposing sensitive information is mitigated.\n \"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000129\"\n tag \"gid\": \"V-38589\"\n tag \"rid\": \"SV-50390r2_rule\"\n tag \"stig_id\": \"RHEL-06-000211\"\n tag \"fix_id\": \"F-43537r1_fix\"\n tag \"cci\": [\"CCI-000888\"]\n tag \"nist\": [\"MA-4 (6)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"telnet\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"telnet\\\" --list\n\nOutput should indicate the \\\"telnet\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"telnet\\\" --list\ntelnet off\nOR\nerror reading information on service telnet: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"telnet\\\" service can be disabled with the following\ncommand:\n\n# chkconfig telnet off\"\n\n describe.one do\n describe package(\"telnet-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/telnet\") do\n its(\"content\") { should match(/^\\s*disable\\s+=\\s+yes\\s*$/) }\n end\n end\nend\n", + "code": "control \"V-38492\" do\n title \"The system must prevent the root account from logging in from virtual\nconsoles.\"\n desc \"Preventing direct root login to virtual console devices helps ensure\naccountability for actions taken on the system using the root account. 
\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000109\"\n tag \"gid\": \"V-38492\"\n tag \"rid\": \"SV-50293r1_rule\"\n tag \"stig_id\": \"RHEL-06-000027\"\n tag \"fix_id\": \"F-43439r2_fix\"\n tag \"cci\": [\"CCI-000770\"]\n tag \"nist\": [\"IA-2 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check for virtual console entries which permit root login,\nrun the following command:\n\n# grep '^vc/[0-9]' /etc/securetty\n\nIf any output is returned, then root logins over virtual console devices is\npermitted.\nIf root login over virtual console devices is permitted, this is a finding.\"\n tag \"fix\": \"To restrict root logins through the (deprecated) virtual console\ndevices, ensure lines of this form do not appear in \\\"/etc/securetty\\\":\n\nvc/1\nvc/2\nvc/3\nvc/4\n\nNote: Virtual console entries are not limited to those listed above. 
Any\nlines starting with \\\"vc/\\\" followed by numerals should be removed.\"\n\n describe file(\"/etc/securetty\") do\n its(\"content\") { should_not match(/^vc\\/[0-9]+$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38589.rb", + "ref": "./Red Hat 6 STIG/controls/V-38492.rb", "line": 1 }, - "id": "V-38589" + "id": "V-38492" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using chown.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The audit system must switch the system to single-user mode when\navailable audit storage volume becomes dangerously low.", + "desc": "Administrators should be made aware of an inability to record audit\nrecords. If a separate partition or logical volume of adequate size is used,\nrunning low on space for audit records should never occur.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "Administrators should be made aware of an inability to record audit\nrecords. If a separate partition or logical volume of adequate size is used,\nrunning low on space for audit records should never occur." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38545", - "rid": "SV-50346r3_rule", - "stig_id": "RHEL-06-000185", - "fix_id": "F-43493r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-54381", + "rid": "SV-68627r3_rule", + "stig_id": "RHEL-06-000163", + "fix_id": "F-59235r2_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -9492,35 +9492,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"chown\" system call, run the following command:\n\n$ sudo grep -w \"chown\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod" + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to either suspend, switch to\nsingle-user mode, or halt when disk space has run low:\n\nadmin_space_left_action = single\n\nIf the system is not configured to switch to single-user mode, suspend, or halt\nfor corrective action, this is a finding. ", + "fix": "The \"auditd\" service can be configured to take an action when\ndisk space is running low but prior to running out of space completely. Edit\nthe file \"/etc/audit/auditd.conf\". Add or modify the following line,\nsubstituting [ACTION] appropriately:\n\nadmin_space_left_action = [ACTION]\n\nSet this value to \"single\" to cause the system to switch to single-user mode\nfor corrective action. Acceptable values also include \"suspend\" and \"halt\".\nFor certain systems, the need for availability outweighs the need to log all\nactions, and a different setting should be determined. Details regarding all\npossible values for [ACTION] are described in the \"auditd.conf\" man page. 
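Review bot: The V-38492 check passes vacuously when `/etc/securetty` is absent: `its("content") { should_not match(/^vc\/[0-9]+$/) }` succeeds on nil content, yet pam_securetty treats a missing file as permit (it logs and returns success — confirm against the pam_securetty build shipped on the target), so root could log in from every console while the control reports compliant. Add `it { should exist }` inside the `describe file("/etc/securetty")` block ahead of the content matcher. Also worth a caveat in the description: the regex only catches the deprecated `vc/N` names, and `tty1`-style entries — presumably the names a RHEL 6 host actually uses for its virtual consoles — are not covered, so this control is narrower than its title suggests.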
" }, - "code": "control \"V-38545\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using chown.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38545\"\n tag \"rid\": \"SV-50346r3_rule\"\n tag \"stig_id\": \"RHEL-06-000185\"\n tag \"fix_id\": \"F-43493r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"chown\\\" system call, run the following command:\n\n$ sudo grep -w \\\"chown\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)chown(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)chown(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-54381\" do\n title \"The audit system must switch the system to single-user mode when\navailable audit storage volume becomes dangerously low.\"\n desc \"Administrators should be made aware of an inability to record audit\nrecords. If a separate partition or logical volume of adequate size is used,\nrunning low on space for audit records should never occur. 
\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-54381\"\n tag \"rid\": \"SV-68627r3_rule\"\n tag \"stig_id\": \"RHEL-06-000163\"\n tag \"fix_id\": \"F-59235r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to either suspend, switch to\nsingle-user mode, or halt when disk space has run low:\n\nadmin_space_left_action = single\n\nIf the system is not configured to switch to single-user mode, suspend, or halt\nfor corrective action, this is a finding. \"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to take an action when\ndisk space is running low but prior to running out of space completely. Edit\nthe file \\\"/etc/audit/auditd.conf\\\". Add or modify the following line,\nsubstituting [ACTION] appropriately:\n\nadmin_space_left_action = [ACTION]\n\nSet this value to \\\"single\\\" to cause the system to switch to single-user mode\nfor corrective action. Acceptable values also include \\\"suspend\\\" and \\\"halt\\\".\nFor certain systems, the need for availability outweighs the need to log all\nactions, and a different setting should be determined. Details regarding all\npossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page. 
\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^\\s*admin_space_left_action[ ]+=[ ]+(\\S+)\\s*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^\\s*admin_space_left_action[ ]+=[ ]+(\\S+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:[sS][iI][nN][gG][lL][eE]|[sS][uU][sS][pP][eE][nN][dD]|[hH][aA][lL][tT])$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38545.rb", + "ref": "./Red Hat 6 STIG/controls/V-54381.rb", "line": 1 }, - "id": "V-38545" + "id": "V-54381" }, { - "title": "The system must not respond to ICMPv4 sent to a broadcast address.", - "desc": "Ignoring ICMP echo requests (pings) sent to broadcast or multicast\naddresses makes the system slightly more difficult to enumerate on the network.", + "title": "The system must require passwords to contain at least one lower-case\nalphabetic character.", + "desc": "Requiring a minimum number of lower-case characters makes password\nguessing attacks more difficult by ensuring a larger search space.", "descriptions": { - "default": "Ignoring ICMP echo requests (pings) sent to broadcast or multicast\naddresses makes the system slightly more difficult to enumerate on the network." + "default": "Requiring a minimum number of lower-case characters makes password\nguessing attacks more difficult by ensuring a larger search space." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38535", - "rid": "SV-50336r2_rule", - "stig_id": "RHEL-06-000092", - "fix_id": "F-43483r1_fix", + "gtitle": "SRG-OS-000070", + "gid": "V-38571", + "rid": "SV-50372r3_rule", + "stig_id": "RHEL-06-000059", + "fix_id": "F-43519r3_fix", "cci": [ - "CCI-000366" + "CCI-000193" ], "nist": [ - "CM-6 b", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
@@ -9533,35 +9533,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.icmp_echo_ignore_broadcasts\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.icmp_echo_ignore_broadcasts\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1" + "check": "To check how many lower-case characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"lcredit\" parameter (as a negative number) will indicate how many\nlower-case characters are required. The DoD requires at least one lower-case\ncharacter in a password. This would appear as \"lcredit=-1\".\n\nIf \"lcredit\" is not found or not set to the required value, this is a finding.", + "fix": "The pam_cracklib module's \"lcredit=\" parameter controls\nrequirements for usage of lower-case letters in a password. 
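Review bot: The V-54381 value check accepts `suspend` as satisfying the control, but per auditd.conf(5) `suspend` only stops the daemon writing records while the system keeps running — a state where activity continues unaudited, which is the opposite of what the title and description call for. The STIG text visible here lists `suspend` as acceptable, so rather than tightening the regex to `single|halt`, add a sentence to the description warning that `suspend` leaves the system operating without audit records and that `single` or `halt` should be preferred where availability allows. Separately, `[ ]+=[ ]+` in both regexes rejects a tab-separated `admin_space_left_action = single`; if auditd's config parser accepts tabs around `=` (verify), `\s+=\s+` would avoid a false finding.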
When set to a\nnegative number, any password will be required to contain that many lower-case\ncharacters.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"lcredit=-1\"\nafter pam_cracklib.so to require use of a lower-case character in passwords.\n" }, - "code": "control \"V-38535\" do\n title \"The system must not respond to ICMPv4 sent to a broadcast address.\"\n desc \"Ignoring ICMP echo requests (pings) sent to broadcast or multicast\naddresses makes the system slightly more difficult to enumerate on the network.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38535\"\n tag \"rid\": \"SV-50336r2_rule\"\n tag \"stig_id\": \"RHEL-06-000092\"\n tag \"fix_id\": \"F-43483r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.icmp_echo_ignore_broadcasts\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.icmp_echo_ignore_broadcasts\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\"\n\n describe kernel_parameter(\"net.ipv4.icmp_echo_ignore_broadcasts\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.icmp_echo_ignore_broadcasts\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.icmp_echo_ignore_broadcasts[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38571\" do\n title \"The system must require passwords to contain at least one lower-case\nalphabetic character.\"\n desc \"Requiring a minimum number of lower-case characters makes password\nguessing attacks more difficult by ensuring a larger search space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000070\"\n tag \"gid\": \"V-38571\"\n tag \"rid\": \"SV-50372r3_rule\"\n tag \"stig_id\": \"RHEL-06-000059\"\n tag \"fix_id\": \"F-43519r3_fix\"\n tag \"cci\": [\"CCI-000193\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many lower-case characters are required in a\npassword, run the following command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"lcredit\\\" parameter (as a negative number) will indicate how many\nlower-case characters are required. The DoD requires at least one lower-case\ncharacter in a password. 
This would appear as \\\"lcredit=-1\\\".\n\nIf \\\"lcredit\\\" is not found or not set to the required value, this is a finding.\"\n tag \"fix\": \"The pam_cracklib module's \\\"lcredit=\\\" parameter controls\nrequirements for usage of lower-case letters in a password. When set to a\nnegative number, any password will be required to contain that many lower-case\ncharacters.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"lcredit=-1\\\"\nafter pam_cracklib.so to require use of a lower-case character in passwords.\n\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+lcredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+lcredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+lcredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+lcredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+lcredit=-(\\d+)[^\\n\\r]*$/) }\n end\n 
file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+lcredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+lcredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+lcredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38535.rb", + "ref": "./Red Hat 6 STIG/controls/V-38571.rb", "line": 1 }, - "id": "V-38535" + "id": "V-38571" }, { - "title": "The system must ignore ICMPv6 redirects by default.", - "desc": "An illicit ICMP redirect message could result in a man-in-the-middle\nattack.", + "title": "The system must allow locking of the console screen in text mode.", + "desc": "Installing \"screen\" ensures a console locking capability is\navailable for users who may need to suspend console logins.", "descriptions": { - "default": "An illicit ICMP redirect message could result in a man-in-the-middle\nattack." + "default": "Installing \"screen\" ensures a console locking capability is\navailable for users who may need to suspend console logins." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38548", - "rid": "SV-50349r3_rule", - "stig_id": "RHEL-06-000099", - "fix_id": "F-43496r1_fix", + "gtitle": "SRG-OS-000030", + "gid": "V-38590", + "rid": "SV-50391r1_rule", + "stig_id": "RHEL-06-000071", + "fix_id": "F-43538r1_fix", "cci": [ - "CCI-000366" + "CCI-000058" ], "nist": [ - "CM-6 b", + "AC-11 a", "Rev_4" ], "false_negatives": null, 
@@ -9574,35 +9574,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If IPv6 is disabled, this is not applicable.\n\nThe status of the \"net.ipv6.conf.default.accept_redirects\" kernel parameter\ncan be queried by running the following command:\n\n$ sysctl net.ipv6.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv6.conf.default.accept_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv6.conf.default.accept_redirects = 0" + "check": "Run the following command to determine if the \"screen\"\npackage is installed:\n\n# rpm -q screen\n\n\nIf the package is not installed, this is a finding.", + "fix": "To enable console screen locking when in text mode, install the\n\"screen\" package:\n\n# yum install screen\n\nInstruct users to begin new terminal sessions with the following command:\n\n$ screen\n\nThe console can now be locked with the following key combination:\n\nctrl+a x" }, - "code": "control \"V-38548\" do\n title \"The system must ignore ICMPv6 redirects by default.\"\n desc \"An illicit ICMP redirect message could result in a man-in-the-middle\nattack.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38548\"\n tag \"rid\": \"SV-50349r3_rule\"\n tag \"stig_id\": \"RHEL-06-000099\"\n tag \"fix_id\": \"F-43496r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag 
\"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If IPv6 is disabled, this is not applicable.\n\nThe status of the \\\"net.ipv6.conf.default.accept_redirects\\\" kernel parameter\ncan be queried by running the following command:\n\n$ sysctl net.ipv6.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. \"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv6.conf.default.accept_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv6.conf.default.accept_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv6.conf.default.accept_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv6.conf.default.accept_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38590\" do\n title \"The system must allow locking of the console screen in text mode.\"\n desc \"Installing \\\"screen\\\" ensures a console locking capability is\navailable for users who may need to suspend console logins.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000030\"\n tag \"gid\": \"V-38590\"\n tag \"rid\": \"SV-50391r1_rule\"\n tag \"stig_id\": \"RHEL-06-000071\"\n tag \"fix_id\": \"F-43538r1_fix\"\n tag \"cci\": [\"CCI-000058\"]\n tag \"nist\": [\"AC-11 a\", \"Rev_4\"]\n 
tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine if the \\\"screen\\\"\npackage is installed:\n\n# rpm -q screen\n\n\nIf the package is not installed, this is a finding.\"\n tag \"fix\": \"To enable console screen locking when in text mode, install the\n\\\"screen\\\" package:\n\n# yum install screen\n\nInstruct users to begin new terminal sessions with the following command:\n\n$ screen\n\nThe console can now be locked with the following key combination:\n\nctrl+a x\"\n\n describe package(\"screen\") do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38548.rb", + "ref": "./Red Hat 6 STIG/controls/V-38590.rb", "line": 1 }, - "id": "V-38548" + "id": "V-38590" }, { - "title": "The operating system must back up audit records on an organization\ndefined frequency onto a different system or media than the system being\naudited.", - "desc": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.", + "title": "IP forwarding for IPv4 must not be enabled, unless the system is a\nrouter.", + "desc": "IP forwarding permits the kernel to forward packets from one network\ninterface to another. 
The ability to forward packets between two networks is\nonly appropriate for systems acting as routers.", "descriptions": { - "default": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise." + "default": "IP forwarding permits the kernel to forward packets from one network\ninterface to another. The ability to forward packets between two networks is\nonly appropriate for systems acting as routers." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000215", - "gid": "V-38520", - "rid": "SV-50321r1_rule", - "stig_id": "RHEL-06-000136", - "fix_id": "F-43468r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38511", + "rid": "SV-50312r2_rule", + "stig_id": "RHEL-06-000082", + "fix_id": "F-43458r2_fix", "cci": [ - "CCI-001348" + "CCI-000366" ], "nist": [ - "AU-9 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -9615,30 +9615,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To ensure logs are sent to a remote host, examine the file\n\"/etc/rsyslog.conf\". If using UDP, a line similar to the following should be\npresent:\n\n*.* @[loghost.example.com]\n\nIf using TCP, a line similar to the following should be present:\n\n*.* @@[loghost.example.com]\n\nIf using RELP, a line similar to the following should be present:\n\n*.* :omrelp:[loghost.example.com]\n\n\nIf none of these are present, this is a finding.", - "fix": "To configure rsyslog to send logs to a remote log server, open\n\"/etc/rsyslog.conf\" and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote logging.\nAlong with these other directives, the system can be configured to forward its\nlogs to a particular log server by adding or correcting one of the following\nlines, substituting \"[loghost.example.com]\" appropriately. The choice of\nprotocol depends on the environment of the system; although TCP and RELP\nprovide more reliable message delivery, they may not be supported in all\nenvironments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com]" + "check": "The status of the \"net.ipv4.ip_forward\" kernel parameter can\nbe queried by running the following command:\n\n$ sysctl net.ipv4.ip_forward\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.ip_forward /etc/sysctl.conf\n\nThe ability to forward packets is only appropriate for routers. If the correct\nvalue is not returned, this is a finding. 
", + "fix": "To set the runtime status of the \"net.ipv4.ip_forward\" kernel\nparameter, run the following command:\n\n# sysctl -w net.ipv4.ip_forward=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.ip_forward = 0" }, - "code": "control \"V-38520\" do\n title \"The operating system must back up audit records on an organization\ndefined frequency onto a different system or media than the system being\naudited.\"\n desc \"A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000215\"\n tag \"gid\": \"V-38520\"\n tag \"rid\": \"SV-50321r1_rule\"\n tag \"stig_id\": \"RHEL-06-000136\"\n tag \"fix_id\": \"F-43468r1_fix\"\n tag \"cci\": [\"CCI-001348\"]\n tag \"nist\": [\"AU-9 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure logs are sent to a remote host, examine the file\n\\\"/etc/rsyslog.conf\\\". 
If using UDP, a line similar to the following should be\npresent:\n\n*.* @[loghost.example.com]\n\nIf using TCP, a line similar to the following should be present:\n\n*.* @@[loghost.example.com]\n\nIf using RELP, a line similar to the following should be present:\n\n*.* :omrelp:[loghost.example.com]\n\n\nIf none of these are present, this is a finding.\"\n tag \"fix\": \"To configure rsyslog to send logs to a remote log server, open\n\\\"/etc/rsyslog.conf\\\" and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote logging.\nAlong with these other directives, the system can be configured to forward its\nlogs to a particular log server by adding or correcting one of the following\nlines, substituting \\\"[loghost.example.com]\\\" appropriately. The choice of\nprotocol depends on the environment of the system; although TCP and RELP\nprovide more reliable message delivery, they may not be supported in all\nenvironments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com]\"\n\n describe file('/etc/rsyslog.conf') do\n its('content') {\n should (match %r{^\\s*\\*\\.\\*\\s+@[^@#]+}).or (match %r{^\\s*\\*\\.\\*\\s+@@[^@#]+}). or (match %r{^\\s*\\*\\.\\*\\s+:omrelp:[^@#]+})\n }\n end\nend\n", + "code": "control \"V-38511\" do\n title \"IP forwarding for IPv4 must not be enabled, unless the system is a\nrouter.\"\n desc \"IP forwarding permits the kernel to forward packets from one network\ninterface to another. 
The ability to forward packets between two networks is\nonly appropriate for systems acting as routers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38511\"\n tag \"rid\": \"SV-50312r2_rule\"\n tag \"stig_id\": \"RHEL-06-000082\"\n tag \"fix_id\": \"F-43458r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.ip_forward\\\" kernel parameter can\nbe queried by running the following command:\n\n$ sysctl net.ipv4.ip_forward\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.ip_forward /etc/sysctl.conf\n\nThe ability to forward packets is only appropriate for routers. If the correct\nvalue is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the \\\"net.ipv4.ip_forward\\\" kernel\nparameter, run the following command:\n\n# sysctl -w net.ipv4.ip_forward=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.ip_forward = 0\"\n\n describe kernel_parameter(\"net.ipv4.ip_forward\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.ip_forward\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.ip_forward[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38520.rb", + "ref": "./Red Hat 6 STIG/controls/V-38511.rb", "line": 1 }, - "id": "V-38520" + "id": "V-38511" }, { - "title": "The system must implement virtual address space randomization.", - "desc": "Address space layout randomization (ASLR) makes it more difficult for\nan attacker to predict the location of attack code he or she has introduced\ninto a process's address space during an attempt at exploitation. Additionally,\nASLR also makes it more difficult for an attacker to know the location of\nexisting code in order to repurpose it using return oriented programming (ROP)\ntechniques.", + "title": "The system must set a maximum audit log file size.", + "desc": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained.", "descriptions": { - "default": "Address space layout randomization (ASLR) makes it more difficult for\nan attacker to predict the location of attack code he or she has introduced\ninto a process's address space during an attempt at exploitation. Additionally,\nASLR also makes it more difficult for an attacker to know the location of\nexisting code in order to repurpose it using return oriented programming (ROP)\ntechniques." 
+ "default": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained." }, "impact": 0.5, "refs": [], "tags": { "gtitle": "SRG-OS-999999", - "gid": "V-38596", - "rid": "SV-50397r2_rule", - "stig_id": "RHEL-06-000078", - "fix_id": "F-43543r1_fix", + "gid": "V-38633", + "rid": "SV-50434r1_rule", + "stig_id": "RHEL-06-000160", + "fix_id": "F-43582r1_fix", "cci": [ "CCI-000366" ], 
@@ -9656,35 +9656,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"kernel.randomize_va_space\" kernel\nparameter can be queried by running the following commands:\n\n$ sysctl kernel.randomize_va_space\n$ grep kernel.randomize_va_space /etc/sysctl.conf\n\nThe output of the command should indicate a value of at least \"1\" (preferably\n\"2\"). If this value is not the default value, investigate how it could have\nbeen adjusted at runtime, and verify it is not set improperly in\n\"/etc/sysctl.conf\".\nIf the correct value is not returned, this is a finding.", - "fix": "To set the runtime status of the \"kernel.randomize_va_space\"\nkernel parameter, run the following command:\n\n# sysctl -w kernel.randomize_va_space=2\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nkernel.randomize_va_space = 2" + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine how much data the system will retain in each audit log file:\n\"# grep max_log_file /etc/audit/auditd.conf\"\n\nmax_log_file = 6\n\n\nIf the system audit data threshold hasn't been properly set up, this is a\nfinding.", + "fix": "Determine the amount of audit data (in megabytes) which should be\nretained in each log file. Edit the file \"/etc/audit/auditd.conf\". Add or\nmodify the following line, substituting the correct value for [STOREMB]:\n\nmax_log_file = [STOREMB]\n\nSet the value to \"6\" (MB) or higher for general-purpose systems. Larger\nvalues, of course, support retention of even more audit data." }, - "code": "control \"V-38596\" do\n title \"The system must implement virtual address space randomization.\"\n desc \"Address space layout randomization (ASLR) makes it more difficult for\nan attacker to predict the location of attack code he or she has introduced\ninto a process's address space during an attempt at exploitation. 
Additionally,\nASLR also makes it more difficult for an attacker to know the location of\nexisting code in order to repurpose it using return oriented programming (ROP)\ntechniques.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38596\"\n tag \"rid\": \"SV-50397r2_rule\"\n tag \"stig_id\": \"RHEL-06-000078\"\n tag \"fix_id\": \"F-43543r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"kernel.randomize_va_space\\\" kernel\nparameter can be queried by running the following commands:\n\n$ sysctl kernel.randomize_va_space\n$ grep kernel.randomize_va_space /etc/sysctl.conf\n\nThe output of the command should indicate a value of at least \\\"1\\\" (preferably\n\\\"2\\\"). 
If this value is not the default value, investigate how it could have\nbeen adjusted at runtime, and verify it is not set improperly in\n\\\"/etc/sysctl.conf\\\".\nIf the correct value is not returned, this is a finding.\"\n tag \"fix\": \"To set the runtime status of the \\\"kernel.randomize_va_space\\\"\nkernel parameter, run the following command:\n\n# sysctl -w kernel.randomize_va_space=2\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nkernel.randomize_va_space = 2\"\n\n describe command('sysctl -n kernel.randomize_va_space') do\n its('stdout.strip') { should be_in ['1', '2'] }\n end\n\n describe.one do\n describe parse_config_file('/etc/sysctl.conf') do\n its('params') { should be >= { 'kernel.randomize_va_space' => '1' } }\n end\n\n describe parse_config_file('/etc/sysctl.conf') do\n its('params') { should be >= { 'kernel.randomize_va_space' => '2' } }\n end\n end\nend\n", + "code": "control \"V-38633\" do\n title \"The system must set a maximum audit log file size.\"\n desc \"The total storage for audit log files must be large enough to retain\nlog information over the period required. 
This is a function of the maximum log\nfile size and the number of logs retained.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38633\"\n tag \"rid\": \"SV-50434r1_rule\"\n tag \"stig_id\": \"RHEL-06-000160\"\n tag \"fix_id\": \"F-43582r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine how much data the system will retain in each audit log file:\n\\\"# grep max_log_file /etc/audit/auditd.conf\\\"\n\nmax_log_file = 6\n\n\nIf the system audit data threshold hasn't been properly set up, this is a\nfinding.\"\n tag \"fix\": \"Determine the amount of audit data (in megabytes) which should be\nretained in each log file. Edit the file \\\"/etc/audit/auditd.conf\\\". Add or\nmodify the following line, substituting the correct value for [STOREMB]:\n\nmax_log_file = [STOREMB]\n\nSet the value to \\\"6\\\" (MB) or higher for general-purpose systems. 
Larger\nvalues, of course, support retention of even more audit data.\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^max_log_file\\s*=\\s*(\\d+)\\s*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^max_log_file\\s*=\\s*(\\d+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 6 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38596.rb", + "ref": "./Red Hat 6 STIG/controls/V-38633.rb", "line": 1 }, - "id": "V-38596" + "id": "V-38633" }, { - "title": "The audit system must alert designated staff members when the audit\nstorage volume approaches capacity.", - "desc": "Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption.", + "title": "The system must log Martian packets.", + "desc": "The presence of \"martian\" packets (which have impossible addresses)\nas well as spoofed packets, source-routed packets, and redirects could be a\nsign of nefarious network activity. Logging these packets enables this activity\nto be detected.", "descriptions": { - "default": "Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption." + "default": "The presence of \"martian\" packets (which have impossible addresses)\nas well as spoofed packets, source-routed packets, and redirects could be a\nsign of nefarious network activity. Logging these packets enables this activity\nto be detected." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000045", - "gid": "V-38470", - "rid": "SV-50270r2_rule", - "stig_id": "RHEL-06-000005", - "fix_id": "F-43415r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38528", + "rid": "SV-50329r2_rule", + "stig_id": "RHEL-06-000088", + "fix_id": "F-43476r1_fix", "cci": [ - "CCI-000138" + "CCI-000366" ], "nist": [ - "AU-4", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -9697,35 +9697,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to email the administrator when\ndisk space is starting to run low:\n\n# grep space_left_action /etc/audit/auditd.conf\nspace_left_action = email\n\n\nIf the system is not configured to send an email to the system administrator\nwhen disk space is starting to run low, this is a finding. The \"syslog\"\noption is acceptable when it can be demonstrated that the local log management\ninfrastructure notifies an appropriate administrator in a timely manner.", - "fix": "The \"auditd\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify\nthe following line, substituting [ACTION] appropriately:\n\nspace_left_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page.\nThese include:\n\n\"ignore\"\n\"syslog\"\n\"email\"\n\"exec\"\n\"suspend\"\n\"single\"\n\"halt\"\n\n\nSet this to \"email\" (instead of the default, which is \"suspend\") as it is\nmore likely to get prompt attention. The \"syslog\" option is acceptable,\nprovided the local log management infrastructure notifies an appropriate\nadministrator in a timely manner.\n\nRHEL-06-000521 ensures that the email generated through the operation\n\"space_left_action\" will be sent to an administrator." + "check": "The status of the \"net.ipv4.conf.all.log_martians\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.log_martians\n\nThe output of the command should indicate a value of \"1\". 
If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.log_martians\" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.log_martians=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.log_martians = 1" }, - "code": "control \"V-38470\" do\n title \"The audit system must alert designated staff members when the audit\nstorage volume approaches capacity.\"\n desc \"Notifying administrators of an impending disk space problem may allow\nthem to take corrective action prior to any disruption.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000045\"\n tag \"gid\": \"V-38470\"\n tag \"rid\": \"SV-50270r2_rule\"\n tag \"stig_id\": \"RHEL-06-000005\"\n tag \"fix_id\": \"F-43415r2_fix\"\n tag \"cci\": [\"CCI-000138\"]\n tag \"nist\": [\"AU-4\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to email the administrator when\ndisk space is starting to run low:\n\n# grep space_left_action /etc/audit/auditd.conf\nspace_left_action = email\n\n\nIf the system is not configured to send an email to the system administrator\nwhen disk space is starting to run low, this is a finding. 
The \\\"syslog\\\"\noption is acceptable when it can be demonstrated that the local log management\ninfrastructure notifies an appropriate administrator in a timely manner.\"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to take an action when\ndisk space starts to run low. Edit the file \\\"/etc/audit/auditd.conf\\\". Modify\nthe following line, substituting [ACTION] appropriately:\n\nspace_left_action = [ACTION]\n\nPossible values for [ACTION] are described in the \\\"auditd.conf\\\" man page.\nThese include:\n\n\\\"ignore\\\"\n\\\"syslog\\\"\n\\\"email\\\"\n\\\"exec\\\"\n\\\"suspend\\\"\n\\\"single\\\"\n\\\"halt\\\"\n\n\nSet this to \\\"email\\\" (instead of the default, which is \\\"suspend\\\") as it is\nmore likely to get prompt attention. The \\\"syslog\\\" option is acceptable,\nprovided the local log management infrastructure notifies an appropriate\nadministrator in a timely manner.\n\nRHEL-06-000521 ensures that the email generated through the operation\n\\\"space_left_action\\\" will be sent to an administrator.\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^[ ]*space_left_action[ ]+=[ ]+(\\S+)[ ]*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^[ ]*space_left_action[ ]+=[ ]+(\\S+)[ ]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp \"email\" }\n end\n end\nend\n", + "code": "control \"V-38528\" do\n title \"The system must log Martian packets.\"\n desc \"The presence of \\\"martian\\\" packets (which have impossible addresses)\nas well as spoofed packets, source-routed packets, and redirects could be a\nsign of nefarious network activity. 
Logging these packets enables this activity\nto be detected.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38528\"\n tag \"rid\": \"SV-50329r2_rule\"\n tag \"stig_id\": \"RHEL-06-000088\"\n tag \"fix_id\": \"F-43476r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.log_martians\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.log_martians\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.log_martians\\\" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.log_martians=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.log_martians = 1\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.log_martians\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.log_martians\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.log_martians[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38470.rb", + "ref": "./Red Hat 6 STIG/controls/V-38528.rb", "line": 1 }, - "id": "V-38470" + "id": "V-38528" }, { - "title": "The system must be configured to require the use of a CAC, PIV\ncompliant hardware token, or Alternate Logon Token (ALT) for authentication.", - "desc": "Smart card login provides two-factor authentication stronger than that\nprovided by a username/password combination. Smart cards leverage a PKI (public\nkey infrastructure) in order to provide and verify credentials.", + "title": "The rshd service must not be running.", + "desc": "The rsh service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network.", "descriptions": { - "default": "Smart card login provides two-factor authentication stronger than that\nprovided by a username/password combination. Smart cards leverage a PKI (public\nkey infrastructure) in order to provide and verify credentials." 
+ "default": "The rsh service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000105", - "gid": "V-38595", - "rid": "SV-50396r3_rule", - "stig_id": "RHEL-06-000349", - "fix_id": "F-43544r2_fix", + "gtitle": "SRG-OS-000033", + "gid": "V-38594", + "rid": "SV-50395r2_rule", + "stig_id": "RHEL-06-000214", + "fix_id": "F-43542r3_fix", "cci": [ - "CCI-000765" + "CCI-000068" ], "nist": [ - "IA-2 (1)", + "AC-17 (2)", "Rev_4" ], "false_negatives": null, 
@@ -9738,30 +9738,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Interview the SA to determine if all accounts not exempted by\npolicy are using CAC authentication. For DoD systems, the following systems and\naccounts are exempt from using smart card (CAC) authentication:\n\nStandalone systems\nApplication accounts\nTemporary employee accounts, such as students or interns, who cannot easily\nreceive a CAC or PIV\nOperational tactical locations that are not collocated with RAPIDS workstations\nto issue CAC or ALT\nTest systems, such as those with an Interim Approval to Test (IATT) and use a\nseparate VPN, firewall, or security measure preventing access to network and\nsystem components from outside the protection boundary documented in the IATT.\n\n\n\nIf non-exempt accounts are not using CAC authentication, this is a finding.", - "fix": "To enable smart card authentication, consult the documentation at:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html\n\nFor guidance on enabling SSH to authenticate against a Common Access Card\n(CAC), consult documentation at:\n\nhttps://access.redhat.com/solutions/82273" + "check": "To check that the \"rsh\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"rsh\" --list\n\nOutput should indicate the \"rsh\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \"rsh\" --list\nrsh off\nOR\nerror reading information on service rsh: No such file or directory\n\n\nIf the service is running, this is a finding.", + "fix": "The \"rsh\" service, which is available with the \"rsh-server\"\npackage and runs as a service through xinetd, should be disabled. 
The \"rsh\"\nservice can be disabled with the following command:\n\n# chkconfig rsh off" }, - "code": "control \"V-38595\" do\n title \"The system must be configured to require the use of a CAC, PIV\ncompliant hardware token, or Alternate Logon Token (ALT) for authentication.\"\n desc \"Smart card login provides two-factor authentication stronger than that\nprovided by a username/password combination. Smart cards leverage a PKI (public\nkey infrastructure) in order to provide and verify credentials.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000105\"\n tag \"gid\": \"V-38595\"\n tag \"rid\": \"SV-50396r3_rule\"\n tag \"stig_id\": \"RHEL-06-000349\"\n tag \"fix_id\": \"F-43544r2_fix\"\n tag \"cci\": [\"CCI-000765\"]\n tag \"nist\": [\"IA-2 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Interview the SA to determine if all accounts not exempted by\npolicy are using CAC authentication. 
For DoD systems, the following systems and\naccounts are exempt from using smart card (CAC) authentication:\n\nStandalone systems\nApplication accounts\nTemporary employee accounts, such as students or interns, who cannot easily\nreceive a CAC or PIV\nOperational tactical locations that are not collocated with RAPIDS workstations\nto issue CAC or ALT\nTest systems, such as those with an Interim Approval to Test (IATT) and use a\nseparate VPN, firewall, or security measure preventing access to network and\nsystem components from outside the protection boundary documented in the IATT.\n\n\n\nIf non-exempt accounts are not using CAC authentication, this is a finding.\"\n tag \"fix\": \"To enable smart card authentication, consult the documentation at:\n\nhttps://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html\n\nFor guidance on enabling SSH to authenticate against a Common Access Card\n(CAC), consult documentation at:\n\nhttps://access.redhat.com/solutions/82273\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38594\" do\n title \"The rshd service must not be running.\"\n desc \"The rsh service uses unencrypted network communications, which means\nthat data from the login session, including passwords and all other information\ntransmitted during the session, can be stolen by eavesdroppers on the network.\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000033\"\n tag \"gid\": \"V-38594\"\n tag \"rid\": \"SV-50395r2_rule\"\n tag \"stig_id\": \"RHEL-06-000214\"\n tag \"fix_id\": \"F-43542r3_fix\"\n tag \"cci\": [\"CCI-000068\"]\n tag \"nist\": [\"AC-17 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag 
\"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"rsh\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"rsh\\\" --list\n\nOutput should indicate the \\\"rsh\\\" service has either not been installed, or\nhas been disabled, as shown in the example below:\n\n# chkconfig \\\"rsh\\\" --list\nrsh off\nOR\nerror reading information on service rsh: No such file or directory\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"rsh\\\" service, which is available with the \\\"rsh-server\\\"\npackage and runs as a service through xinetd, should be disabled. The \\\"rsh\\\"\nservice can be disabled with the following command:\n\n# chkconfig rsh off\"\n\n describe.one do\n describe package(\"rsh-server\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/xinetd.d/rsh\") do\n its(\"content\") { should match(/^\\s*disable\\s+=\\s+yes\\s*$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38595.rb", + "ref": "./Red Hat 6 STIG/controls/V-38594.rb", "line": 1 }, - "id": "V-38595" + "id": "V-38594" }, { - "title": "The system must not accept IPv4 source-routed packets by default.", - "desc": "Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required.", + "title": "Default operating system accounts, other than root, must be locked.", + "desc": "Disabling authentication for default system accounts makes it more\ndifficult for attackers to make use of them to compromise a system.", "descriptions": { - "default": "Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. It should be disabled unless it is absolutely required." + "default": "Disabling authentication for default system accounts makes it more\ndifficult for attackers to make use of them to compromise a system." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-OS-999999",
- "gid": "V-38529",
- "rid": "SV-50330r2_rule",
- "stig_id": "RHEL-06-000089",
- "fix_id": "F-43478r1_fix",
+ "gid": "V-38496",
+ "rid": "SV-50297r3_rule",
+ "stig_id": "RHEL-06-000029",
+ "fix_id": "F-43442r2_fix",
 "cci": [
 "CCI-000366"
 ],
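Review bot: The new V-38594 `code` only establishes that `rsh-server` is not installed or that `/etc/xinetd.d/rsh` contains `disable = yes`; neither describe looks at what is actually being served, so the title's "must not be running" and the check text's "If the service is running, this is a finding" are enforced only indirectly (an xinetd that has not been reloaded since the file edit would still pass). The content regex `/^\s*disable\s+=\s+yes\s*$/` also demands whitespace on both sides of `=`; if xinetd accepts `disable=yes` (worth confirming for the target), `\s*=\s*` is the safer match. A listener check such as `describe port(514) do it { should_not be_listening } end` alongside the `describe.one` block would tie the test back to the stated requirement (514/tcp is the conventional rsh "shell" port — adjust if the target differs).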
@@ -9779,35 +9779,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.default.accept_source_route\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_source_route\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.default.accept_source_route\" kernel parameter, run the\nfollowing command:\n\n# sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.default.accept_source_route = 0" + "check": "To obtain a listing of all users and the contents of their\nshadow password field, run the command:\n\n$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow\n\nIdentify the operating system accounts from this listing. These will primarily\nbe the accounts with UID numbers less than 500, other than root.\n\nIf any default operating system account (other than root) has a valid password\nhash, this is a finding.", + "fix": "Some accounts are not associated with a human user of the system,\nand exist to perform some administrative function. An attacker should not be\nable to log into these accounts.\n\nDisable logon access to these accounts with the command:\n\n# passwd -l [SYSACCT]" }, - "code": "control \"V-38529\" do\n title \"The system must not accept IPv4 source-routed packets by default.\"\n desc \"Accepting source-routed packets in the IPv4 protocol has few\nlegitimate uses. 
It should be disabled unless it is absolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38529\"\n tag \"rid\": \"SV-50330r2_rule\"\n tag \"stig_id\": \"RHEL-06-000089\"\n tag \"fix_id\": \"F-43478r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.default.accept_source_route\\\"\nkernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_source_route\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.default.accept_source_route\\\" kernel parameter, run the\nfollowing command:\n\n# sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.default.accept_source_route = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.default.accept_source_route\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.default.accept_source_route\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.default.accept_source_route[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38496\" do\n title \"Default operating system accounts, other than root, must be locked.\"\n desc \"Disabling authentication for default system accounts makes it more\ndifficult for attackers to make use of them to compromise a system.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38496\"\n tag \"rid\": \"SV-50297r3_rule\"\n tag \"stig_id\": \"RHEL-06-000029\"\n tag \"fix_id\": \"F-43442r2_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To obtain a listing of all users and the contents of their\nshadow password field, run the command:\n\n$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \\\":\\\" $2}' /etc/shadow\n\nIdentify the operating system accounts from this listing. 
These will primarily\nbe the accounts with UID numbers less than 500, other than root.\n\nIf any default operating system account (other than root) has a valid password\nhash, this is a finding.\"\n tag \"fix\": \"Some accounts are not associated with a human user of the system,\nand exist to perform some administrative function. An attacker should not be\nable to log into these accounts.\n\nDisable logon access to these accounts with the command:\n\n# passwd -l [SYSACCT]\"\n\n passwd_users = command('awk -F: \\'$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}\\' /etc/shadow').stdout.strip.split(\"\\n\")\n\n if passwd_users.empty?\n describe \"Users with assigned password\" do\n subject { passwd_users }\n it { should be_empty }\n end\n else\n passwd_users.each do |u|\n describe user(u) do\n its('uid') { should be >= 500 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38529.rb", + "ref": "./Red Hat 6 STIG/controls/V-38496.rb", "line": 1 }, - "id": "V-38529" + "id": "V-38496" }, { - "title": "The operating system must produce audit records containing sufficient\ninformation to establish the identity of any user/subject associated with the\nevent.", - "desc": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.", + "title": "The system must not send ICMPv4 redirects from any interface.", + "desc": "Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers.", "descriptions": { - "default": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist." 
+ "default": "Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000255",
- "gid": "V-38628",
- "rid": "SV-50429r2_rule",
- "stig_id": "RHEL-06-000145",
- "fix_id": "F-43576r2_fix",
+ "gtitle": "SRG-OS-999999",
+ "gid": "V-38601",
+ "rid": "SV-50402r2_rule",
+ "stig_id": "RHEL-06-000081",
+ "fix_id": "F-43548r1_fix",
 "cci": [
- "CCI-001487"
+ "CCI-000366"
 ],
 "nist": [
- "AU-3",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
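Review bot: In the new V-38496 `code`, a failed or unprivileged `command('awk ... /etc/shadow')` leaves stdout empty, so `passwd_users` is empty and the `"Users with assigned password"` describe reports the host compliant instead of reporting that `/etc/shadow` could not be read. Assert the command succeeded before treating an empty list as a pass, e.g. `describe command('awk -F: ... /etc/shadow') do its('exit_status') { should eq 0 } end` ahead of the `if passwd_users.empty?`. The awk filter `$2 !~ /^[!*]/` also lets an empty password field through to the `uid >= 500` check; that is the conservative direction (an empty field is not a locked account), but a one-line comment saying so would stop the next reader from "fixing" it.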
@@ -9820,35 +9820,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to determine the current status of\nthe \"auditd\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"auditd\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \"auditd\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start" + "check": "The status of the \"net.ipv4.conf.all.send_redirects\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.send_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
", + "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.send_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.send_redirects = 0" }, - "code": "control \"V-38628\" do\n title \"The operating system must produce audit records containing sufficient\ninformation to establish the identity of any user/subject associated with the\nevent.\"\n desc \"Ensuring the \\\"auditd\\\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000255\"\n tag \"gid\": \"V-38628\"\n tag \"rid\": \"SV-50429r2_rule\"\n tag \"stig_id\": \"RHEL-06-000145\"\n tag \"fix_id\": \"F-43576r2_fix\"\n tag \"cci\": [\"CCI-001487\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"auditd\\\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \\\"auditd\\\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start\"\n\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38601\" 
do\n title \"The system must not send ICMPv4 redirects from any interface.\"\n desc \"Sending ICMP redirects permits the system to instruct other systems to\nupdate their routing information. The ability to send ICMP redirects is only\nappropriate for systems acting as routers.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38601\"\n tag \"rid\": \"SV-50402r2_rule\"\n tag \"stig_id\": \"RHEL-06-000081\"\n tag \"fix_id\": \"F-43548r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.send_redirects\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.send_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.send_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.send_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.send_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.send_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.send_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38628.rb", + "ref": "./Red Hat 6 STIG/controls/V-38601.rb", "line": 1 }, - "id": "V-38628" + "id": "V-38601" }, { - "title": "The system must forward audit records to the syslog service.", - "desc": "The auditd service does not include the ability to send audit records\nto a centralized server for management directly. It does, however, include an\naudit event multiplexor plugin (audispd) to pass audit records to the local\nsyslog server.", + "title": "The system must provide automated support for account management\nfunctions.", + "desc": "A comprehensive account management process that includes automation\nhelps to ensure the accounts designated as requiring attention are consistently\nand promptly addressed. Enterprise environments make user account management\nchallenging and complex. A user management process requiring administrators to\nmanually address account management functions adds risk of potential oversight.", "descriptions": { - "default": "The auditd service does not include the ability to send audit records\nto a centralized server for management directly. It does, however, include an\naudit event multiplexor plugin (audispd) to pass audit records to the local\nsyslog server." 
+ "default": "A comprehensive account management process that includes automation\nhelps to ensure the accounts designated as requiring attention are consistently\nand promptly addressed. Enterprise environments make user account management\nchallenging and complex. A user management process requiring administrators to\nmanually address account management functions adds risk of potential oversight."
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-OS-000043",
- "gid": "V-38471",
- "rid": "SV-50271r1_rule",
- "stig_id": "RHEL-06-000509",
- "fix_id": "F-43416r1_fix",
+ "gtitle": "SRG-OS-000001",
+ "gid": "V-38439",
+ "rid": "SV-50239r1_rule",
+ "stig_id": "RHEL-06-000524",
+ "fix_id": "F-43384r1_fix",
 "cci": [
- "CCI-000136"
+ "CCI-000015"
 ],
 "nist": [
- "AU-3 (2)",
+ "AC-2 (1)",
 "Rev_4"
 ],
 "false_negatives": null,
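Review bot: The `/etc/sysctl.conf` regex in the new V-38601 `code`, `/^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$/`, leaves the dots unescaped so each matches any character; `net\.ipv4\.conf\.all\.send_redirects` is what is meant, and the same unescaped pattern appears in the V-38528 (`log_martians`) code at the top of this chunk. The two `kernel_parameter` describes are redundant — `its("value") { should eq 0 }` already fails on a nil value — so the `should_not be_nil` block only adds a duplicate line to the report. The file check also accepts the setting only in `/etc/sysctl.conf`; if the target honours `/etc/sysctl.d/*.conf` drop-ins (confirm for the platform), a host configured there would be reported as a finding even though the runtime value is 0.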
@@ -9861,35 +9861,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify the audispd plugin is active:\n\n# grep active /etc/audisp/plugins.d/syslog.conf\n\nIf the \"active\" setting is missing or set to \"no\", this is a finding.", - "fix": "Set the \"active\" line in \"/etc/audisp/plugins.d/syslog.conf\"\nto \"yes\". Restart the auditd process.\n\n# service auditd restart" + "check": "Interview the SA to determine if there is an automated system\nfor managing user accounts, preferably integrated with an existing enterprise\nuser management system.\n\nIf there is not, this is a finding.", + "fix": "Implement an automated system for managing user accounts that\nminimizes the risk of errors, either intentional or deliberate. If possible,\nthis system should integrate with an existing enterprise user management\nsystem, such as, one based Active Directory or Kerberos." }, - "code": "control \"V-38471\" do\n title \"The system must forward audit records to the syslog service.\"\n desc \"The auditd service does not include the ability to send audit records\nto a centralized server for management directly. 
It does, however, include an\naudit event multiplexor plugin (audispd) to pass audit records to the local\nsyslog server.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000043\"\n tag \"gid\": \"V-38471\"\n tag \"rid\": \"SV-50271r1_rule\"\n tag \"stig_id\": \"RHEL-06-000509\"\n tag \"fix_id\": \"F-43416r1_fix\"\n tag \"cci\": [\"CCI-000136\"]\n tag \"nist\": [\"AU-3 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the audispd plugin is active:\n\n# grep active /etc/audisp/plugins.d/syslog.conf\n\nIf the \\\"active\\\" setting is missing or set to \\\"no\\\", this is a finding.\"\n tag \"fix\": \"Set the \\\"active\\\" line in \\\"/etc/audisp/plugins.d/syslog.conf\\\"\nto \\\"yes\\\". Restart the auditd process.\n\n# service auditd restart\"\n\n describe parse_config_file('/etc/audisp/plugins.d/syslog.conf') do\n its('active') { should eq 'yes' }\n end\nend\n", + "code": "control \"V-38439\" do\n title \"The system must provide automated support for account management\nfunctions.\"\n desc \"A comprehensive account management process that includes automation\nhelps to ensure the accounts designated as requiring attention are consistently\nand promptly addressed. Enterprise environments make user account management\nchallenging and complex. 
A user management process requiring administrators to\nmanually address account management functions adds risk of potential oversight.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000001\"\n tag \"gid\": \"V-38439\"\n tag \"rid\": \"SV-50239r1_rule\"\n tag \"stig_id\": \"RHEL-06-000524\"\n tag \"fix_id\": \"F-43384r1_fix\"\n tag \"cci\": [\"CCI-000015\"]\n tag \"nist\": [\"AC-2 (1)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Interview the SA to determine if there is an automated system\nfor managing user accounts, preferably integrated with an existing enterprise\nuser management system.\n\nIf there is not, this is a finding.\"\n tag \"fix\": \"Implement an automated system for managing user accounts that\nminimizes the risk of errors, either intentional or deliberate. If possible,\nthis system should integrate with an existing enterprise user management\nsystem, such as, one based Active Directory or Kerberos.\"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38471.rb", + "ref": "./Red Hat 6 STIG/controls/V-38439.rb", "line": 1 }, - "id": "V-38471" + "id": "V-38439" }, { - "title": "The audit system must be configured to audit all attempts to alter\nsystem time through settimeofday.", - "desc": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). 
All changes\nto the system time should be audited.", + "title": "The sticky bit must be set on all public directories.", + "desc": "Failing to set the sticky bit on public directories allows\nunauthorized users to delete files in the directory structure.\n\n The only authorized public directories are those temporary directories\nsupplied with the system, or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system, and by\nusers for temporary file storage - such as /tmp - and for directories requiring\nglobal read/write access.", "descriptions": { - "default": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited." + "default": "Failing to set the sticky bit on public directories allows\nunauthorized users to delete files in the directory structure.\n\n The only authorized public directories are those temporary directories\nsupplied with the system, or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system, and by\nusers for temporary file storage - such as /tmp - and for directories requiring\nglobal read/write access." }, - "impact": 0.3, - "refs": [], - "tags": { - "gtitle": "SRG-OS-000062", - "gid": "V-38522", - "rid": "SV-50323r3_rule", - "stig_id": "RHEL-06-000167", - "fix_id": "F-43470r2_fix", + "impact": 0.3, + "refs": [], + "tags": { + "gtitle": "SRG-OS-999999", + "gid": "V-38697", + "rid": "SV-50498r2_rule", + "stig_id": "RHEL-06-000336", + "fix_id": "F-43646r1_fix", "cci": [ - "CCI-000169" + "CCI-000366" ], "nist": [ - "AU-12 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
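Review bot: The new V-38439 `code` skips with the generic `"This control must be reviewed manually"`, which discards the only actionable guidance the control carries; putting the interview question into the skip reason makes the report self-contained, e.g. `skip "Manual review (V-38439): confirm with the SA that an automated, preferably enterprise-integrated, account management system is in place."`. The `fix` text copied into `descriptions` and `code` reads "either intentional or deliberate" and "one based Active Directory"; if this is verbatim upstream STIG wording it should stay as-is, but a short note in the profile saying the text is quoted unchanged would pre-empt the next reviewer raising it.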
@@ -9902,35 +9902,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"settimeofday\" system call, run the following command:\n\n$ sudo grep -w \"settimeofday\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. ", - "fix": "On a 32-bit system, add the following to\n\"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules\n\nOn a 64-bit system, add the following to \"/etc/audit/audit.rules\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules" + "check": "To find world-writable directories that lack the sticky bit,\nrun the following command for each local partition [PART]:\n\n# find [PART] -xdev -type d -perm -002 \\! -perm -1000\n\n\nIf any world-writable directories are missing the sticky bit, this is a\nfinding.", + "fix": "When the so-called 'sticky bit' is set on a directory, only the\nowner of a given file may remove that file from the directory. Without the\nsticky bit, any user with write access to a directory may remove any file in\nthe directory. Setting the sticky bit prevents users from removing each other's\nfiles. In cases where there is no reason for a directory to be world-writable,\na better solution is to remove that permission rather than to set the sticky\nbit. 
However, if a directory is used by a particular application, consult that\napplication's documentation instead of blindly changing modes.\nTo set the sticky bit on a world-writable directory [DIR], run the following\ncommand:\n\n# chmod +t [DIR]" }, - "code": "control \"V-38522\" do\n title \"The audit system must be configured to audit all attempts to alter\nsystem time through settimeofday.\"\n desc \"Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000062\"\n tag \"gid\": \"V-38522\"\n tag \"rid\": \"SV-50323r3_rule\"\n tag \"stig_id\": \"RHEL-06-000167\"\n tag \"fix_id\": \"F-43470r2_fix\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"settimeofday\\\" system call, run the following command:\n\n$ sudo grep -w \\\"settimeofday\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return a line.\n\nIf the system is not configured to audit time changes, this is a finding. 
\"\n tag \"fix\": \"On a 32-bit system, add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules\n\nOn a 64-bit system, add the following to \\\"/etc/audit/audit.rules\\\":\n\n# audit_time_rules\n-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:\n\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k\naudit_time_rules\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b32.*(?:-S[\\s]+|,)settimeofday(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^-[Aa][\\s]*(?:exit,always|always,exit)[\\s]+-F[\\s]+arch=b64.*(?:-S[\\s]+|,)settimeofday(?:[\\s]+|,).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n end\nend\n", + "code": "control \"V-38697\" do\n title \"The sticky bit must be set on all public directories.\"\n desc \"Failing to set the sticky bit on public directories allows\nunauthorized users to delete files in the directory structure.\n\n The only authorized public directories are those temporary directories\nsupplied with the system, or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system, and by\nusers for temporary file storage - such as /tmp - and for directories requiring\nglobal read/write access.\n \"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38697\"\n tag \"rid\": \"SV-50498r2_rule\"\n tag \"stig_id\": \"RHEL-06-000336\"\n tag \"fix_id\": \"F-43646r1_fix\"\n tag \"cci\": 
[\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To find world-writable directories that lack the sticky bit,\nrun the following command for each local partition [PART]:\n\n# find [PART] -xdev -type d -perm -002 \\\\! -perm -1000\n\n\nIf any world-writable directories are missing the sticky bit, this is a\nfinding.\"\n tag \"fix\": \"When the so-called 'sticky bit' is set on a directory, only the\nowner of a given file may remove that file from the directory. Without the\nsticky bit, any user with write access to a directory may remove any file in\nthe directory. Setting the sticky bit prevents users from removing each other's\nfiles. In cases where there is no reason for a directory to be world-writable,\na better solution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application, consult that\napplication's documentation instead of blindly changing modes.\nTo set the sticky bit on a world-writable directory [DIR], run the following\ncommand:\n\n# chmod +t [DIR]\"\n\n dirs = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type d -perm -002 \\\\! 
-perm -1000 -print))\n describe \"World-writable directories lacking sticky bit\" do\n subject { dirs.stdout.strip.split(\"\\n\") }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38522.rb", + "ref": "./Red Hat 6 STIG/controls/V-38697.rb", "line": 1 }, - "id": "V-38522" + "id": "V-38697" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lremovexattr.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The system must limit users to 10 simultaneous system logins, or a\nsite-defined number, in accordance with operational requirements.", + "desc": "Limiting simultaneous user logins can insulate the system from denial\nof service problems caused by excessive logins. Automated login processes\noperating improperly or maliciously may result in an exceptional number of\nsimultaneous login sessions.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "Limiting simultaneous user logins can insulate the system from denial\nof service problems caused by excessive logins. Automated login processes\noperating improperly or maliciously may result in an exceptional number of\nsimultaneous login sessions." 
}, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38559", - "rid": "SV-50360r3_rule", - "stig_id": "RHEL-06-000193", - "fix_id": "F-43507r2_fix", + "gtitle": "SRG-OS-000027", + "gid": "V-38684", + "rid": "SV-50485r2_rule", + "stig_id": "RHEL-06-000319", + "fix_id": "F-43633r1_fix", "cci": [ - "CCI-000172" + "CCI-000054" ], "nist": [ - "AU-12 c", + "AC-10", "Rev_4" ], "false_negatives": null, 
@@ -9943,35 +9943,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"lremovexattr\" system call, run the following command:\n\n$ sudo grep -w \"lremovexattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod" + "check": "Run the following command to ensure the \"maxlogins\" value is\nconfigured for all users on the system:\n\n$ grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nYou should receive output similar to the following:\n\n* hard maxlogins 10\n\nIf it is not similar, this is a finding. ", + "fix": "Limiting the number of allowed users and sessions per user can\nlimit risks related to denial of service attacks. This addresses concurrent\nsessions for a single account and does not address concurrent sessions by a\nsingle user via multiple accounts. To set the number of concurrent sessions per\nuser add the following line in \"/etc/security/limits.conf\":\n\n* hard maxlogins 10\n\nA documented site-defined number may be substituted for 10 in the above." 
}, - "code": "control \"V-38559\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lremovexattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38559\"\n tag \"rid\": \"SV-50360r3_rule\"\n tag \"stig_id\": \"RHEL-06-000193\"\n tag \"fix_id\": \"F-43507r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"lremovexattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"lremovexattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lremovexattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lremovexattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38684\" do\n title \"The system must limit users to 10 simultaneous system logins, or a\nsite-defined number, in accordance with operational requirements.\"\n desc \"Limiting simultaneous user logins can insulate the system from denial\nof service problems caused by excessive logins. 
Automated login processes\noperating improperly or maliciously may result in an exceptional number of\nsimultaneous login sessions.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000027\"\n tag \"gid\": \"V-38684\"\n tag \"rid\": \"SV-50485r2_rule\"\n tag \"stig_id\": \"RHEL-06-000319\"\n tag \"fix_id\": \"F-43633r1_fix\"\n tag \"cci\": [\"CCI-000054\"]\n tag \"nist\": [\"AC-10\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to ensure the \\\"maxlogins\\\" value is\nconfigured for all users on the system:\n\n$ grep \\\"maxlogins\\\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nYou should receive output similar to the following:\n\n* hard maxlogins 10\n\nIf it is not similar, this is a finding. \"\n tag \"fix\": \"Limiting the number of allowed users and sessions per user can\nlimit risks related to denial of service attacks. This addresses concurrent\nsessions for a single account and does not address concurrent sessions by a\nsingle user via multiple accounts. 
To set the number of concurrent sessions per\nuser add the following line in \\\"/etc/security/limits.conf\\\":\n\n* hard maxlogins 10\n\nA documented site-defined number may be substituted for 10 in the above.\"\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38559.rb", + "ref": "./Red Hat 6 STIG/controls/V-38684.rb", "line": 1 }, - "id": "V-38559" + "id": "V-38684" }, { - "title": "Audit log files must have mode 0640 or less permissive.", - "desc": "If users can write to audit logs, audit trails can be modified or\ndestroyed.", + "title": "The system must provide VPN connectivity for communications over\nuntrusted networks.", + "desc": "Providing the ability for remote users or systems to initiate a secure\nVPN connection protects information when it is transmitted over a wide area\nnetwork.", "descriptions": { - "default": "If users can write to audit logs, audit trails can be modified or\ndestroyed." + "default": "Providing the ability for remote users or systems to initiate a secure\nVPN connection protects information when it is transmitted over a wide area\nnetwork." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000058", - "gid": "V-38498", - "rid": "SV-50299r1_rule", - "stig_id": "RHEL-06-000383", - "fix_id": "F-43445r1_fix", + "gtitle": "SRG-OS-000160", + "gid": "V-38687", + "rid": "SV-50488r3_rule", + "stig_id": "RHEL-06-000321", + "fix_id": "F-43636r2_fix", "cci": [ - "CCI-000163" + "CCI-001130" ], "nist": [ - "AU-9", + "SC-9", "Rev_4" ], "false_negatives": null, 
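Review bot: The InSpec test in the new `code` string for V-38684, `describe limits_conf do its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] } end`, reads only the default `/etc/security/limits.conf`, while the control's own check text also greps `/etc/security/limits.d/*.conf`; a host that sets `* hard maxlogins 10` in a limits.d drop-in passes the manual check but is reported as a finding by this test. Consider also evaluating each drop-in via `limits_conf(path)` for the files in `/etc/security/limits.d/*.conf`, or documenting in the control that only the main file is assessed. The test also depends on a profile input named `maxlogins`; the profile's `inputs` list is outside this hunk, so I cannot confirm here that it is declared with a default of 10 to match the STIG text.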
@@ -9984,35 +9984,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to check the mode of the system audit\nlogs:\n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %a:%n\n\nAudit logs must be mode 0640 or less permissive.\nIf any are more permissive, this is a finding.", - "fix": "Change the mode of the audit log files with the following\ncommand:\n\n# chmod 0640 [audit_file]" + "check": "If the system does not communicate over untrusted networks,\nthis is not applicable.\n\nRun the following command to determine if the \"libreswan\" package is\ninstalled:\n\n# rpm -q libreswan\n\nIf the package is not installed, this is a finding.", + "fix": "The \"libreswan\" package provides an implementation of IPsec and\nIKE, which permits the creation of secure tunnels over untrusted networks. The\n\"libreswan\" package can be installed with the following command:\n\n# yum install libreswan\n" }, - "code": "control \"V-38498\" do\n title \"Audit log files must have mode 0640 or less permissive.\"\n desc \"If users can write to audit logs, audit trails can be modified or\ndestroyed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000058\"\n tag \"gid\": \"V-38498\"\n tag \"rid\": \"SV-50299r1_rule\"\n tag \"stig_id\": \"RHEL-06-000383\"\n tag \"fix_id\": \"F-43445r1_fix\"\n tag \"cci\": [\"CCI-000163\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check the mode of the system audit\nlogs:\n\ngrep \\\"^log_file\\\" /etc/audit/auditd.conf|sed s/^[^\\\\/]*//|xargs stat -c %a:%n\n\nAudit logs must be mode 0640 or less permissive.\nIf any 
are more permissive, this is a finding.\"\n tag \"fix\": \"Change the mode of the audit log files with the following\ncommand:\n\n# chmod 0640 [audit_file]\"\n\n describe command(\"find /var/log/audit -regex .\\\\*/\\\\^.\\\\*\\\\$ -perm -07137 -xdev\") do\n its(\"stdout\") { should be_empty }\n end\nend\n", + "code": "control \"V-38687\" do\n title \"The system must provide VPN connectivity for communications over\nuntrusted networks.\"\n desc \"Providing the ability for remote users or systems to initiate a secure\nVPN connection protects information when it is transmitted over a wide area\nnetwork.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000160\"\n tag \"gid\": \"V-38687\"\n tag \"rid\": \"SV-50488r3_rule\"\n tag \"stig_id\": \"RHEL-06-000321\"\n tag \"fix_id\": \"F-43636r2_fix\"\n tag \"cci\": [\"CCI-001130\"]\n tag \"nist\": [\"SC-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system does not communicate over untrusted networks,\nthis is not applicable.\n\nRun the following command to determine if the \\\"libreswan\\\" package is\ninstalled:\n\n# rpm -q libreswan\n\nIf the package is not installed, this is a finding.\"\n tag \"fix\": \"The \\\"libreswan\\\" package provides an implementation of IPsec and\nIKE, which permits the creation of secure tunnels over untrusted networks. 
The\n\\\"libreswan\\\" package can be installed with the following command:\n\n# yum install libreswan\n\"\n\n describe package(\"libreswan\") do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38498.rb", + "ref": "./Red Hat 6 STIG/controls/V-38687.rb", "line": 1 }, - "id": "V-38498" + "id": "V-38687" }, { - "title": "The system must employ a local IPv6 firewall.", - "desc": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.", + "title": "The Stream Control Transmission Protocol (SCTP) must be disabled\nunless required.", + "desc": "Disabling SCTP protects the system against exploitation of any flaws\nin its implementation.", "descriptions": { - "default": "The \"ip6tables\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6." + "default": "Disabling SCTP protects the system against exploitation of any flaws\nin its implementation." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000152", - "gid": "V-38549", - "rid": "SV-50350r3_rule", - "stig_id": "RHEL-06-000103", - "fix_id": "F-43497r3_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38515", + "rid": "SV-50316r5_rule", + "stig_id": "RHEL-06-000125", + "fix_id": "F-43462r3_fix", "cci": [ - "CCI-001118" + "CCI-000382" ], "nist": [ - "SC-7 (12)", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
@@ -10025,35 +10025,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"ip6tables\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start" + "check": "If the system is configured to prevent the loading of the\n\"sctp\" kernel module, it will contain lines inside any file in\n\"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines\ninstruct the module loading system to run another program (such as\n\"/bin/true\") upon a module \"install\" event. Run the following command to\nsearch for such lines in all files in \"/etc/modprobe.d\" and the deprecated\n\"/etc/modprobe.conf\":\n\n$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\"| grep\n-v \"#\"\n\nIf no line is returned, this is a finding.", + "fix": "The Stream Control Transmission Protocol (SCTP) is a transport\nlayer protocol, designed to support the idea of message-oriented communication,\nwith several streams of messages within one connection. 
To configure the system\nto prevent the \"sctp\" kernel module from being loaded, add the following line\nto a file in the directory \"/etc/modprobe.d\":\n\ninstall sctp /bin/true" }, - "code": "control \"V-38549\" do\n title \"The system must employ a local IPv6 firewall.\"\n desc \"The \\\"ip6tables\\\" service provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000152\"\n tag \"gid\": \"V-38549\"\n tag \"rid\": \"SV-50350r3_rule\"\n tag \"stig_id\": \"RHEL-06-000103\"\n tag \"fix_id\": \"F-43497r3_fix\"\n tag \"cci\": [\"CCI-001118\"]\n tag \"nist\": [\"SC-7 (12)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \\\"ip6tables\\\"\nservice:\n\n# service ip6tables status\n\nIf the service is not running, it should return the following:\n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"ip6tables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig ip6tables on\n# service ip6tables start\"\n\n describe service('ip6tables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38515\" do\n title \"The Stream Control Transmission Protocol (SCTP) must be disabled\nunless required.\"\n desc \"Disabling SCTP protects the system against exploitation of any flaws\nin its implementation.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38515\"\n tag \"rid\": \"SV-50316r5_rule\"\n tag 
\"stig_id\": \"RHEL-06-000125\"\n tag \"fix_id\": \"F-43462r3_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is configured to prevent the loading of the\n\\\"sctp\\\" kernel module, it will contain lines inside any file in\n\\\"/etc/modprobe.d\\\" or the deprecated\\\"/etc/modprobe.conf\\\". These lines\ninstruct the module loading system to run another program (such as\n\\\"/bin/true\\\") upon a module \\\"install\\\" event. Run the following command to\nsearch for such lines in all files in \\\"/etc/modprobe.d\\\" and the deprecated\n\\\"/etc/modprobe.conf\\\":\n\n$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i \\\"/bin/true\\\"| grep\n-v \\\"#\\\"\n\nIf no line is returned, this is a finding.\"\n tag \"fix\": \"The Stream Control Transmission Protocol (SCTP) is a transport\nlayer protocol, designed to support the idea of message-oriented communication,\nwith several streams of messages within one connection. 
To configure the system\nto prevent the \\\"sctp\\\" kernel module from being loaded, add the following line\nto a file in the directory \\\"/etc/modprobe.d\\\":\n\ninstall sctp /bin/true\"\n\n describe kernel_module('sctp') do\n it { should_not be_loaded }\n it { shold_not be_enabled }\n it { should be_blacklisted }\n end \nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38549.rb", + "ref": "./Red Hat 6 STIG/controls/V-38515.rb", "line": 1 }, - "id": "V-38549" + "id": "V-38515" }, { - "title": "The system package management tool must verify contents of all files\nassociated with the audit package.", - "desc": "The hash on important files like audit system executables should match\nthe information given by the RPM database. Audit executables with erroneous\nhashes could be a sign of nefarious activity on the system.", + "title": "The audit system must be configured to audit changes to the\n/etc/sudoers file.", + "desc": "The actions taken by system administrators should be audited to keep a\nrecord of what was executed on the system, as well as, for accountability\npurposes.", "descriptions": { - "default": "The hash on important files like audit system executables should match\nthe information given by the RPM database. Audit executables with erroneous\nhashes could be a sign of nefarious activity on the system." + "default": "The actions taken by system administrators should be audited to keep a\nrecord of what was executed on the system, as well as, for accountability\npurposes." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000278", - "gid": "V-38637", - "rid": "SV-50438r2_rule", - "stig_id": "RHEL-06-000281", - "fix_id": "F-43586r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38578", + "rid": "SV-50379r2_rule", + "stig_id": "RHEL-06-000201", + "fix_id": "F-43526r1_fix", "cci": [ - "CCI-001496" + "CCI-000172" ], "nist": [ - "AU-9 (3)", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
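Review bot: The new `code` string for V-38515 contains `it { shold_not be_enabled }` — `shold_not` is a typo for `should_not`, so the control will raise an undefined-method error when executed instead of evaluating the module state; change it to `it { should_not be_enabled }`. Separately, the documented fix is `install sctp /bin/true`, yet the test asserts `be_blacklisted`; if I recall the InSpec `kernel_module` resource correctly, that matcher looks for a `blacklist sctp` line and `be_disabled` is the one that recognises the `install … /bin/true` form, so a host remediated exactly as the fix describes may still fail — worth confirming against the resource documentation. There is also a stray trailing space in `end \nend` at the close of the describe block.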
@@ -10066,35 +10066,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will list which audit files on the system\nhave file hashes different from what is expected by the RPM database.\n\n# rpm -V audit | awk '$1 ~ /..5/ && $2 != \"c\"'\n\n\nIf there is output, this is a finding.", - "fix": "The RPM package management system can check the hashes of audit\nsystem package files. Run the following command to list which audit files on\nthe system have hashes that differ from what is expected by the RPM database:\n\n# rpm -V audit | grep '^..5'\n\nA \"c\" in the second column indicates that a file is a configuration file,\nwhich may appropriately be expected to change. If the file that has changed was\nnot expected to then refresh from distribution media or online repositories.\n\nrpm -Uvh [affected_package]\n\nOR\n\nyum reinstall [affected_package]" + "check": "To verify that auditing is configured for system administrator\nactions, run the following command:\n\n$ sudo grep -w \"/etc/sudoers\" /etc/audit/audit.rules\n\nIf the system is configured to watch for changes to its sudoers configuration,\na line should be returned (including \"-p wa\" indicating permissions that are\nwatched).\n\nIf there is no output, this is a finding.", + "fix": "At a minimum, the audit system should collect administrator\nactions for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-w /etc/sudoers -p wa -k actions" }, - "code": "control \"V-38637\" do\n title \"The system package management tool must verify contents of all files\nassociated with the audit package.\"\n desc \"The hash on important files like audit system executables should match\nthe information given by the RPM database. 
Audit executables with erroneous\nhashes could be a sign of nefarious activity on the system.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000278\"\n tag \"gid\": \"V-38637\"\n tag \"rid\": \"SV-50438r2_rule\"\n tag \"stig_id\": \"RHEL-06-000281\"\n tag \"fix_id\": \"F-43586r1_fix\"\n tag \"cci\": [\"CCI-001496\"]\n tag \"nist\": [\"AU-9 (3)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which audit files on the system\nhave file hashes different from what is expected by the RPM database.\n\n# rpm -V audit | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"The RPM package management system can check the hashes of audit\nsystem package files. Run the following command to list which audit files on\nthe system have hashes that differ from what is expected by the RPM database:\n\n# rpm -V audit | grep '^..5'\n\nA \\\"c\\\" in the second column indicates that a file is a configuration file,\nwhich may appropriately be expected to change. 
If the file that has changed was\nnot expected to then refresh from distribution media or online repositories.\n\nrpm -Uvh [affected_package]\n\nOR\n\nyum reinstall [affected_package]\"\n\n describe command(\"rpm -V audit | awk '$1 ~ /..5/ && $2 != \\\"c\\\"'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38578\" do\n title \"The audit system must be configured to audit changes to the\n/etc/sudoers file.\"\n desc \"The actions taken by system administrators should be audited to keep a\nrecord of what was executed on the system, as well as, for accountability\npurposes.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38578\"\n tag \"rid\": \"SV-50379r2_rule\"\n tag \"stig_id\": \"RHEL-06-000201\"\n tag \"fix_id\": \"F-43526r1_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify that auditing is configured for system administrator\nactions, run the following command:\n\n$ sudo grep -w \\\"/etc/sudoers\\\" /etc/audit/audit.rules\n\nIf the system is configured to watch for changes to its sudoers configuration,\na line should be returned (including \\\"-p wa\\\" indicating permissions that are\nwatched).\n\nIf there is no output, this is a finding.\"\n tag \"fix\": \"At a minimum, the audit system should collect administrator\nactions for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-w /etc/sudoers -p wa -k actions\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/sudoers\\s+\\-p\\s+wa\\s+\\-k\\s+[-\\w]+\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38637.rb", + "ref": "./Red Hat 6 STIG/controls/V-38578.rb", "line": 1 }, - "id": "V-38637" + "id": "V-38578" }, { - "title": "The system package management tool must verify ownership on all files\nand directories associated with the audit package.", - "desc": "Ownership of audit binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated.", + "title": "Emergency accounts must be provisioned with an expiration date.\n", + "desc": "When emergency accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. Account\nexpiration greatly reduces the risk of accounts being misused or hijacked.", "descriptions": { - "default": "Ownership of audit binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. Any deviations from this\nbaseline should be investigated." + "default": "When emergency accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. Account\nexpiration greatly reduces the risk of accounts being misused or hijacked." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000257", - "gid": "V-38664", - "rid": "SV-50465r1_rule", - "stig_id": "RHEL-06-000279", - "fix_id": "F-43613r1_fix", + "gtitle": "SRG-OS-000123", + "gid": "V-38690", + "rid": "SV-50491r1_rule", + "stig_id": "RHEL-06-000298", + "fix_id": "F-43639r1_fix", "cci": [ - "CCI-001494" + "CCI-001682" ], "nist": [ - "AU-9", + "AC-2 (2)", "Rev_4" ], "false_negatives": null, 
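Review bot: The regex in the new `code` string for V-38578, `/^\-w\s+\/etc\/sudoers\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$/`, accepts only the literal permission list `wa`, while the control's check text says a compliant rule is one that includes `-p wa`; a rule such as `-w /etc/sudoers -p rwa -k actions` satisfies the manual check but fails this test. A permission class that requires both letters in any order, e.g. `\-p\s+(?=[rwxa]*w)(?=[rwxa]*a)[rwxa]+`, would align the test with the check text. The test also reads only `/etc/audit/audit.rules`; if rules on the target are assembled from drop-in files (inferred, not shown here), a compliant watch there would be missed.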
@@ -10107,35 +10107,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The following command will list which audit files on the system\nhave ownership different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^.....U'\n\n\nIf there is output, this is a finding.", - "fix": "The RPM package management system can restore file ownership of\nthe audit package files and directories. The following command will update\naudit files with ownership different from what is expected by the RPM database:\n\n# rpm --setugids audit" + "check": "For every emergency account, run the following command to\nobtain its account aging and expiration information:\n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented.\nIf any emergency accounts have no expiration date set or do not expire within a\ndocumented time frame, this is a finding.", + "fix": "In the event emergency accounts are required, configure the\nsystem to terminate them after a documented time period. For every emergency\naccount, run the following command to set an expiration date on it,\nsubstituting \"[USER]\" and \"[YYYY-MM-DD]\" appropriately:\n\n# chage -E [YYYY-MM-DD] [USER]\n\n\"[YYYY-MM-DD]\" indicates the documented expiration date for the account." }, - "code": "control \"V-38664\" do\n title \"The system package management tool must verify ownership on all files\nand directories associated with the audit package.\"\n desc \"Ownership of audit binaries and configuration files that is incorrect\ncould allow an unauthorized user to gain privileges that they should not have.\nThe ownership set by the vendor should be maintained. 
Any deviations from this\nbaseline should be investigated.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000257\"\n tag \"gid\": \"V-38664\"\n tag \"rid\": \"SV-50465r1_rule\"\n tag \"stig_id\": \"RHEL-06-000279\"\n tag \"fix_id\": \"F-43613r1_fix\"\n tag \"cci\": [\"CCI-001494\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The following command will list which audit files on the system\nhave ownership different from what is expected by the RPM database:\n\n# rpm -V audit | grep '^.....U'\n\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"The RPM package management system can restore file ownership of\nthe audit package files and directories. The following command will update\naudit files with ownership different from what is expected by the RPM database:\n\n# rpm --setugids audit\"\n\n describe command(\"rpm -V audit | grep '^.....U'\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control \"V-38690\" do\n title \"Emergency accounts must be provisioned with an expiration date.\n\"\n desc \"When emergency accounts are created, there is a risk they may remain\nin place and active after the need for them no longer exists. 
Account\nexpiration greatly reduces the risk of accounts being misused or hijacked.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000123\"\n tag \"gid\": \"V-38690\"\n tag \"rid\": \"SV-50491r1_rule\"\n tag \"stig_id\": \"RHEL-06-000298\"\n tag \"fix_id\": \"F-43639r1_fix\"\n tag \"cci\": [\"CCI-001682\"]\n tag \"nist\": [\"AC-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"For every emergency account, run the following command to\nobtain its account aging and expiration information:\n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented.\nIf any emergency accounts have no expiration date set or do not expire within a\ndocumented time frame, this is a finding.\"\n tag \"fix\": \"In the event emergency accounts are required, configure the\nsystem to terminate them after a documented time period. 
For every emergency\naccount, run the following command to set an expiration date on it,\nsubstituting \\\"[USER]\\\" and \\\"[YYYY-MM-DD]\\\" appropriately:\n\n# chage -E [YYYY-MM-DD] [USER]\n\n\\\"[YYYY-MM-DD]\\\" indicates the documented expiration date for the account.\"\n\n emergency_accounts = input('emergency_accounts')\n\n if emergency_accounts.empty?\n describe \"Emergency accounts\" do\n it { should_be empty }\n end\n else\n emergency_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match %r{:\\s*never} }\n end\n end\n\n emergency_accounts.each do |acct|\n describe shadow.users(acct) do\n its('max_days.first.to_i') { should cmp <= input('emergency_accounts_expiration_days') }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38664.rb", + "ref": "./Red Hat 6 STIG/controls/V-38690.rb", "line": 1 }, - "id": "V-38664" + "id": "V-38690" }, { - "title": "The system must not accept ICMPv4 redirect packets on any interface.", - "desc": "Accepting ICMP redirects has few legitimate uses. It should be\ndisabled unless it is absolutely required.", + "title": "The system must require passwords to contain at least one numeric\ncharacter.", + "desc": "Requiring digits makes password guessing attacks more difficult by\nensuring a larger search space.", "descriptions": { - "default": "Accepting ICMP redirects has few legitimate uses. It should be\ndisabled unless it is absolutely required." + "default": "Requiring digits makes password guessing attacks more difficult by\nensuring a larger search space." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38524", - "rid": "SV-50325r2_rule", - "stig_id": "RHEL-06-000084", - "fix_id": "F-43472r1_fix", + "gtitle": "SRG-OS-000071", + "gid": "V-38482", + "rid": "SV-50282r2_rule", + "stig_id": "RHEL-06-000056", + "fix_id": "F-43427r2_fix", "cci": [ - "CCI-000366" + "CCI-000194" ], "nist": [ - "CM-6 b", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
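Review bot: The empty-input branch of the new V-38690 code, `describe "Emergency accounts" do it { should_be empty } end`, calls `should_be`, which is not an RSpec/InSpec matcher, so a host with no emergency accounts declared will error rather than pass; `describe emergency_accounts do it { should be_empty } end` is what appears to be intended. Separately, the `shadow.users(acct)` block compares `max_days`, which is the shadow password maximum-age field, whereas the control's own fix text sets the account expiry date with `chage -E`, so a correctly expiring account would not satisfy this test and a short password age would — comparing the shadow resource's expiry-date field against the documented window looks like the intent, worth confirming against the profile's input definitions. This file appears to be generated from the profile (`source_location.ref` points at `./Red Hat 6 STIG/controls/V-38690.rb`), so the fix belongs in that control with the JSON regenerated.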
@@ -10148,35 +10148,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.all.accept_redirects\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.accept_redirects\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.accept_redirects = 0" + "check": "To check how many digits are required in a password, run the\nfollowing command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \"dcredit\" parameter (as a negative number) will indicate how many\ndigits are required. The DoD requires at least one digit in a password. This\nwould appear as \"dcredit=-1\".\n\nIf \"dcredit\" is not found or not set to the required value, this is a finding.\n", + "fix": "The pam_cracklib module's \"dcredit\" parameter controls\nrequirements for usage of digits in a password. When set to a negative number,\nany password will be required to contain that many digits. 
When set to a\npositive number, pam_cracklib will grant +1 additional length credit for each\ndigit.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"dcredit=-1\"\nafter pam_cracklib.so to require use of a digit in passwords.\n" }, - "code": "control \"V-38524\" do\n title \"The system must not accept ICMPv4 redirect packets on any interface.\"\n desc \"Accepting ICMP redirects has few legitimate uses. It should be\ndisabled unless it is absolutely required.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38524\"\n tag \"rid\": \"SV-50325r2_rule\"\n tag \"stig_id\": \"RHEL-06-000084\"\n tag \"fix_id\": \"F-43472r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.accept_redirects\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_redirects\n\nThe output of the command should indicate a value of \\\"0\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.accept_redirects\\\" kernel parameter, run the following\ncommand:\n\n# sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.accept_redirects = 0\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.accept_redirects\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.accept_redirects\") do\n its(\"value\") { should eq 0 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.accept_redirects[\\s]*=[\\s]*0[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38482\" do\n title \"The system must require passwords to contain at least one numeric\ncharacter.\"\n desc \"Requiring digits makes password guessing attacks more difficult by\nensuring a larger search space.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000071\"\n tag \"gid\": \"V-38482\"\n tag \"rid\": \"SV-50282r2_rule\"\n tag \"stig_id\": \"RHEL-06-000056\"\n tag \"fix_id\": \"F-43427r2_fix\"\n tag \"cci\": [\"CCI-000194\"]\n tag \"nist\": [\"IA-5 (1) (a)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check how many digits are required in a password, run the\nfollowing command:\n\n$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nNote: The \\\"dcredit\\\" parameter (as a negative number) will indicate how many\ndigits are required. The DoD requires at least one digit in a password. 
This\nwould appear as \\\"dcredit=-1\\\".\n\nIf \\\"dcredit\\\" is not found or not set to the required value, this is a finding.\n\"\n tag \"fix\": \"The pam_cracklib module's \\\"dcredit\\\" parameter controls\nrequirements for usage of digits in a password. When set to a negative number,\nany password will be required to contain that many digits. When set to a\npositive number, pam_cracklib will grant +1 additional length credit for each\ndigit.\n\nEdit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \\\"dcredit=-1\\\"\nafter pam_cracklib.so to require use of a digit in passwords.\n\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+dcredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+dcredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+dcredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+dcredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t 
]+[^#\\n\\r]*\\s+dcredit=-(\\d+)[^\\n\\r]*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))[\\t ]+[^#\\n\\r]*\\s+dcredit=-(\\d+)[^\\n\\r]*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+dcredit=-(\\d+)\\s+.*$/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:required)|(?:requisite))\\s+(?:(?:\\/lib\\/security\\/\\$ISA\\/pam_cracklib\\.so)|(?:pam_cracklib\\.so))\\s+dcredit=-(\\d+)\\s+.*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 1 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38524.rb", + "ref": "./Red Hat 6 STIG/controls/V-38482.rb", "line": 1 }, - "id": "V-38524" + "id": "V-38482" }, { - "title": "The system default umask for the csh shell must be 077.", - "desc": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.", + "title": "The Red Hat Enterprise Linux operating system must have an anti-virus\nsolution installed.", + "desc": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.", "descriptions": { - "default": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users." 
+ "default": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38649", - "rid": "SV-50450r1_rule", - "stig_id": "RHEL-06-000343", - "fix_id": "F-43598r1_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-81443", + "rid": "SV-96157r1_rule", + "stig_id": "RHEL-06-000533", + "fix_id": "F-88261r1_fix", "cci": [ - "CCI-000366" + "CCI-001668" ], "nist": [ - "CM-6 b", + "SI-3 a", "Rev_4" ], "false_negatives": null, 
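Review bot: In the new V-38482 code the `it { should cmp >= 1 }` assertions on the scanned `dcredit` values can never fail the control, because each `describe.one` already contains a `describe file(...) ... should match(...)` that passes whenever `dcredit=-(\d+)` is present at all (including `dcredit=-0`), and, if I read InSpec's `describe.one` semantics correctly, one passing nested describe is enough for the whole block. Keeping only the scan-based checks inside `describe.one`, or moving the presence match and the value check into separate top-level describes, would make the `>= 1` requirement effective; this applies to both the `system-auth` and the `password-auth` blocks. The same long regex is also repeated four times per file — hoisting it into a local in the source control (`./Red Hat 6 STIG/controls/V-38482.rb`) would make a future change to it less error-prone.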
@@ -10189,35 +10189,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify the \"umask\" setting is configured correctly in the\n\"/etc/csh.cshrc\" file by running the following command:\n\n# grep \"umask\" /etc/csh.cshrc\n\nAll output must show the value of \"umask\" set to 077, as shown in the below:\n\n# grep \"umask\" /etc/csh.cshrc\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.", - "fix": "To ensure the default umask for users of the C shell is set\nproperly, add or correct the \"umask\" setting in \"/etc/csh.cshrc\" to read as\nfollows:\n\numask 077" + "check": "Verify an anti-virus solution is installed on the system. The\nanti-virus solution may be bundled with an approved host-based security\nsolution.\n\nIf there is no anti-virus solution installed on the system, this is a finding.\n", + "fix": "Install an anti-virus solution on the system. " }, - "code": "control \"V-38649\" do\n title \"The system default umask for the csh shell must be 077.\"\n desc \"The umask value influences the permissions assigned to files when they\nare created. 
A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38649\"\n tag \"rid\": \"SV-50450r1_rule\"\n tag \"stig_id\": \"RHEL-06-000343\"\n tag \"fix_id\": \"F-43598r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the \\\"umask\\\" setting is configured correctly in the\n\\\"/etc/csh.cshrc\\\" file by running the following command:\n\n# grep \\\"umask\\\" /etc/csh.cshrc\n\nAll output must show the value of \\\"umask\\\" set to 077, as shown in the below:\n\n# grep \\\"umask\\\" /etc/csh.cshrc\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.\"\n tag \"fix\": \"To ensure the default umask for users of the C shell is set\nproperly, add or correct the \\\"umask\\\" setting in \\\"/etc/csh.cshrc\\\" to read as\nfollows:\n\numask 077\"\n\n describe.one do\n describe file(\"/etc/csh.cshrc\") do\n its(\"content\") { should match(/^[\\s]*umask[\\s]+([^#\\s]*)/) }\n end\n file(\"/etc/csh.cshrc\").content.to_s.scan(/^[\\s]*umask[\\s]+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"077\" }\n end\n end\n describe package(\"tcsh\") do\n it { should_not be_installed }\n end\n describe file(\"/etc/csh.cshrc\") do\n it { should_not exist }\n end\n end\nend\n", + "code": "control \"V-81443\" do\n title \"The Red Hat Enterprise Linux operating system must have an anti-virus\nsolution installed.\"\n desc \"Virus scanning software can be used to protect a system 
from\npenetration from computer viruses and to limit their spread through\nintermediate systems. \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000480-GPOS-00227\"\n tag \"gid\": \"V-81443\"\n tag \"rid\": \"SV-96157r1_rule\"\n tag \"stig_id\": \"RHEL-06-000533\"\n tag \"fix_id\": \"F-88261r1_fix\"\n tag \"cci\": [\"CCI-001668\"]\n tag \"nist\": [\"SI-3 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify an anti-virus solution is installed on the system. The\nanti-virus solution may be bundled with an approved host-based security\nsolution.\n\nIf there is no anti-virus solution installed on the system, this is a finding.\n\"\n tag \"fix\": \"Install an anti-virus solution on the system. \"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38649.rb", + "ref": "./Red Hat 6 STIG/controls/V-81443.rb", "line": 1 }, - "id": "V-38649" + "id": "V-81443" }, { - "title": "Audit log files must be group-owned by root.", - "desc": "If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed.", + "title": "The atd service must be disabled.", + "desc": "The \"atd\" service could be used by an unsophisticated insider to\ncarry out activities outside of a normal login session, which could complicate\naccountability. Furthermore, the need to schedule tasks with \"at\" or\n\"batch\" is not common.", "descriptions": { - "default": "If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed." 
+ "default": "The \"atd\" service could be used by an unsophisticated insider to\ncarry out activities outside of a normal login session, which could complicate\naccountability. Furthermore, the need to schedule tasks with \"at\" or\n\"batch\" is not common." }, - "impact": 0.5, + "impact": 0.3, "refs": [], - "tags": { - "gtitle": "SRG-OS-000057", - "gid": "V-38445", - "rid": "SV-50245r2_rule", - "stig_id": "RHEL-06-000522", - "fix_id": "F-43390r1_fix", + "tags": { + "gtitle": "SRG-OS-000096", + "gid": "V-38641", + "rid": "SV-50442r3_rule", + "stig_id": "RHEL-06-000262", + "fix_id": "F-43590r2_fix", "cci": [ - "CCI-000162" + "CCI-000382" ], "nist": [ - "AU-9", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
@@ -10230,35 +10230,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the following command to check the group owner of the\nsystem audit logs:\n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %G:%n\n\nAudit logs must be group-owned by root.\nIf they are not, this is a finding.", - "fix": "Change the group owner of the audit log files with the following\ncommand:\n\n# chgrp root [audit_file]" + "check": "If the system requires the use of the \"atd\" service to\nsupport an organizational requirement, this is not applicable.\n\nTo check that the \"atd\" service is disabled in system boot configuration, run\nthe following command:\n\n# chkconfig \"atd\" --list\n\nOutput should indicate the \"atd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"atd\" --list\n\"atd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"atd\" is disabled through current runtime\nconfiguration:\n\n# service atd status\n\nIf the service is disabled the command will return the following output:\n\natd is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The \"at\" and \"batch\" commands can be used to schedule tasks\nthat are meant to be executed only once. This allows delayed execution in a\nmanner similar to cron, except that it is not recurring. The daemon \"atd\"\nkeeps track of tasks scheduled via \"at\" and \"batch\", and executes them at\nthe specified time. 
The \"atd\" service can be disabled with the following\ncommands:\n\n# chkconfig atd off\n# service atd stop" }, - "code": "control \"V-38445\" do\n title \"Audit log files must be group-owned by root.\"\n desc \"If non-privileged users can write to audit logs, audit trails can be\nmodified or destroyed.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000057\"\n tag \"gid\": \"V-38445\"\n tag \"rid\": \"SV-50245r2_rule\"\n tag \"stig_id\": \"RHEL-06-000522\"\n tag \"fix_id\": \"F-43390r1_fix\"\n tag \"cci\": [\"CCI-000162\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to check the group owner of the\nsystem audit logs:\n\ngrep \\\"^log_file\\\" /etc/audit/auditd.conf|sed s/^[^\\\\/]*//|xargs stat -c %G:%n\n\nAudit logs must be group-owned by root.\nIf they are not, this is a finding.\"\n tag \"fix\": \"Change the group owner of the audit log files with the following\ncommand:\n\n# chgrp root [audit_file]\"\n\n describe command(\"grep \\\"^log_file\\\" /etc/audit/auditd.conf|sed s/^[^\\\\/]*//|xargs stat -c %G:%n\") do\n its('stdout.lines') { should all match %{^root:} }\n end\nend\n", + "code": "control \"V-38641\" do\n title \"The atd service must be disabled.\"\n desc \"The \\\"atd\\\" service could be used by an unsophisticated insider to\ncarry out activities outside of a normal login session, which could complicate\naccountability. 
Furthermore, the need to schedule tasks with \\\"at\\\" or\n\\\"batch\\\" is not common.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38641\"\n tag \"rid\": \"SV-50442r3_rule\"\n tag \"stig_id\": \"RHEL-06-000262\"\n tag \"fix_id\": \"F-43590r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system requires the use of the \\\"atd\\\" service to\nsupport an organizational requirement, this is not applicable.\n\nTo check that the \\\"atd\\\" service is disabled in system boot configuration, run\nthe following command:\n\n# chkconfig \\\"atd\\\" --list\n\nOutput should indicate the \\\"atd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"atd\\\" --list\n\\\"atd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"atd\\\" is disabled through current runtime\nconfiguration:\n\n# service atd status\n\nIf the service is disabled the command will return the following output:\n\natd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"at\\\" and \\\"batch\\\" commands can be used to schedule tasks\nthat are meant to be executed only once. This allows delayed execution in a\nmanner similar to cron, except that it is not recurring. The daemon \\\"atd\\\"\nkeeps track of tasks scheduled via \\\"at\\\" and \\\"batch\\\", and executes them at\nthe specified time. 
The \\\"atd\\\" service can be disabled with the following\ncommands:\n\n# chkconfig atd off\n# service atd stop\"\n\n describe.one do\n describe package(\"at\") do\n it { should_not be_installed }\n end\n describe service(\"atd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38445.rb", + "ref": "./Red Hat 6 STIG/controls/V-38641.rb", "line": 1 }, - "id": "V-38445" + "id": "V-38641" }, { - "title": "The system must log Martian packets.", - "desc": "The presence of \"martian\" packets (which have impossible addresses)\nas well as spoofed packets, source-routed packets, and redirects could be a\nsign of nefarious network activity. Logging these packets enables this activity\nto be detected.", + "title": "The ntpdate service must not be running.", + "desc": "The \"ntpdate\" service may only be suitable for systems which are\nrebooted frequently enough that clock drift does not cause problems between\nreboots. In any event, the functionality of the ntpdate service is now\navailable in the ntpd program and should be considered deprecated.", "descriptions": { - "default": "The presence of \"martian\" packets (which have impossible addresses)\nas well as spoofed packets, source-routed packets, and redirects could be a\nsign of nefarious network activity. Logging these packets enables this activity\nto be detected." + "default": "The \"ntpdate\" service may only be suitable for systems which are\nrebooted frequently enough that clock drift does not cause problems between\nreboots. 
In any event, the functionality of the ntpdate service is now\navailable in the ntpd program and should be considered deprecated." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38528", - "rid": "SV-50329r2_rule", - "stig_id": "RHEL-06-000088", - "fix_id": "F-43476r1_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38644", + "rid": "SV-50445r2_rule", + "stig_id": "RHEL-06-000265", + "fix_id": "F-43593r2_fix", "cci": [ - "CCI-000366" + "CCI-000382" ], "nist": [ - "CM-6 b", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
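Review bot: The runlevel assertions in the new V-38641 code assert `should be_enabled` for runlevels 0–6, although the control requires `atd` to be disabled at every runlevel, so a host with atd enabled everywhere passes and a correctly hardened host fails unless the `at` package happens to be absent (which satisfies the `describe.one` on its own). The `(?-mix:0)` inside `its("runlevels(?-mix:0)")` is what Ruby's `Regexp#to_s` emits for `/0/`, which suggests a regexp was interpolated into the property string when the control was generated — worth checking that this property name resolves at all. A shorter and correctly-signed form would be `(0..6).each do |rl| describe service("atd").runlevels(rl) do it { should_not be_enabled } end end` inside the `describe.one`, applied in `./Red Hat 6 STIG/controls/V-38641.rb` and then regenerated here.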
@@ -10271,35 +10271,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The status of the \"net.ipv4.conf.all.log_martians\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.log_martians\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", - "fix": "To set the runtime status of the\n\"net.ipv4.conf.all.log_martians\" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.log_martians=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.conf.all.log_martians = 1" + "check": "To check that the \"ntpdate\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \"ntpdate\" --list\n\nOutput should indicate the \"ntpdate\" service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"ntpdate\" --list\n\"ntpdate\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"ntpdate\" is disabled through current\nruntime configuration:\n\n# service ntpdate status\n\nIf the service is disabled the command will return the following output:\n\nntpdate is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The ntpdate service sets the local hardware clock by polling NTP\nservers when the system boots. It synchronizes to the NTP servers listed in\n\"/etc/ntp/step-tickers\" or \"/etc/ntp.conf\" and then sets the local hardware\nclock to the newly synchronized system time. 
The \"ntpdate\" service can be\ndisabled with the following commands:\n\n# chkconfig ntpdate off\n# service ntpdate stop" }, - "code": "control \"V-38528\" do\n title \"The system must log Martian packets.\"\n desc \"The presence of \\\"martian\\\" packets (which have impossible addresses)\nas well as spoofed packets, source-routed packets, and redirects could be a\nsign of nefarious network activity. Logging these packets enables this activity\nto be detected.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38528\"\n tag \"rid\": \"SV-50329r2_rule\"\n tag \"stig_id\": \"RHEL-06-000088\"\n tag \"fix_id\": \"F-43476r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.conf.all.log_martians\\\" kernel\nparameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.log_martians\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.conf.all.log_martians\\\" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.log_martians=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.conf.all.log_martians = 1\"\n\n describe kernel_parameter(\"net.ipv4.conf.all.log_martians\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.conf.all.log_martians\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.conf.all.log_martians[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38644\" do\n title \"The ntpdate service must not be running.\"\n desc \"The \\\"ntpdate\\\" service may only be suitable for systems which are\nrebooted frequently enough that clock drift does not cause problems between\nreboots. In any event, the functionality of the ntpdate service is now\navailable in the ntpd program and should be considered deprecated.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38644\"\n tag \"rid\": \"SV-50445r2_rule\"\n tag \"stig_id\": \"RHEL-06-000265\"\n tag \"fix_id\": \"F-43593r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"ntpdate\\\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \\\"ntpdate\\\" --list\n\nOutput should indicate the \\\"ntpdate\\\" service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n\n# 
chkconfig \\\"ntpdate\\\" --list\n\\\"ntpdate\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"ntpdate\\\" is disabled through current\nruntime configuration:\n\n# service ntpdate status\n\nIf the service is disabled the command will return the following output:\n\nntpdate is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The ntpdate service sets the local hardware clock by polling NTP\nservers when the system boots. It synchronizes to the NTP servers listed in\n\\\"/etc/ntp/step-tickers\\\" or \\\"/etc/ntp.conf\\\" and then sets the local hardware\nclock to the newly synchronized system time. The \\\"ntpdate\\\" service can be\ndisabled with the following commands:\n\n# chkconfig ntpdate off\n# service ntpdate stop\"\n\n describe.one do\n describe package(\"ntpdate\") do\n it { should_not be_installed }\n end\n describe service(\"ntpdate\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38528.rb", + "ref": "./Red Hat 6 STIG/controls/V-38644.rb", "line": 1 }, - "id": "V-38528" + "id": "V-38644" }, { - "title": "The operating system must manage information system identifiers for\nusers and devices by disabling the user identifier after an organization\ndefined time period of inactivity.", - "desc": "Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials.", + "title": "The systems local firewall must implement a deny-all,\nallow-by-exception policy for forwarded packets.", + "desc": "In 
\"iptables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.", "descriptions": { - "default": "Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials." + "default": "In \"iptables\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. Setting the default\npolicy to \"DROP\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000118", - "gid": "V-38694", - "rid": "SV-50495r1_rule", - "stig_id": "RHEL-06-000335", - "fix_id": "F-43643r2_fix", + "gtitle": "SRG-OS-000147", + "gid": "V-38686", + "rid": "SV-50487r2_rule", + "stig_id": "RHEL-06-000320", + "fix_id": "F-43635r1_fix", "cci": [ - "CCI-000795" + "CCI-001109" ], "nist": [ - "IA-4 e", + "SC-7 (5)", "Rev_4" ], "false_negatives": null, 
@@ -10312,35 +10312,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the \"INACTIVE\" setting, run the following command:\n\ngrep \"INACTIVE\" /etc/default/useradd\n\nThe output should indicate the \"INACTIVE\" configuration option is set to an\nappropriate integer as shown in the example below:\n\n# grep \"INACTIVE\" /etc/default/useradd\nINACTIVE=35\n\nIf it does not, this is a finding.", - "fix": "To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following lines in \"/etc/default/useradd\", substituting \"[NUM_DAYS]\"\nappropriately:\n\nINACTIVE=[NUM_DAYS]\n\nA value of 35 is recommended. If a password is currently on the verge of\nexpiration, then 35 days remain until the account is automatically disabled.\nHowever, if the password will not expire for another 60 days, then 95 days\ncould elapse until the account would be automatically disabled. See the\n\"useradd\" man page for more information. Determining the inactivity timeout\nmust be done with careful consideration of the length of a \"normal\" period of\ninactivity for users in the particular environment. Setting the timeout too low\nincurs support costs and also has the potential to impact availability of the\nsystem to legitimate users." 
+ "check": "Run the following command to ensure the default \"FORWARD\"\npolicy is \"DROP\":\n\n# iptables -nvL | grep -i forward\n\nChain FORWARD (policy DROP 0 packets, 0 bytes)\n\nIf the default policy for the FORWARD chain is not set to DROP, this is a\nfinding.", + "fix": "To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in FORWARD chain which processes packets that will be forwarded from one\ninterface to another, add or correct the following line in\n\"/etc/sysconfig/iptables\":\n\n:FORWARD DROP [0:0]" }, - "code": "control \"V-38694\" do\n title \"The operating system must manage information system identifiers for\nusers and devices by disabling the user identifier after an organization\ndefined time period of inactivity.\"\n desc \"Disabling inactive accounts ensures that accounts which may not have\nbeen responsibly removed are not available to attackers who may have\ncompromised their credentials.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000118\"\n tag \"gid\": \"V-38694\"\n tag \"rid\": \"SV-50495r1_rule\"\n tag \"stig_id\": \"RHEL-06-000335\"\n tag \"fix_id\": \"F-43643r2_fix\"\n tag \"cci\": [\"CCI-000795\"]\n tag \"nist\": [\"IA-4 e\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"INACTIVE\\\" setting, run the following command:\n\ngrep \\\"INACTIVE\\\" /etc/default/useradd\n\nThe output should indicate the \\\"INACTIVE\\\" configuration option is set to an\nappropriate integer as shown in the example below:\n\n# grep \\\"INACTIVE\\\" /etc/default/useradd\nINACTIVE=35\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"To specify the number of days after a password expires (which\nsignifies inactivity) until 
an account is permanently disabled, add or correct\nthe following lines in \\\"/etc/default/useradd\\\", substituting \\\"[NUM_DAYS]\\\"\nappropriately:\n\nINACTIVE=[NUM_DAYS]\n\nA value of 35 is recommended. If a password is currently on the verge of\nexpiration, then 35 days remain until the account is automatically disabled.\nHowever, if the password will not expire for another 60 days, then 95 days\ncould elapse until the account would be automatically disabled. See the\n\\\"useradd\\\" man page for more information. Determining the inactivity timeout\nmust be done with careful consideration of the length of a \\\"normal\\\" period of\ninactivity for users in the particular environment. Setting the timeout too low\nincurs support costs and also has the potential to impact availability of the\nsystem to legitimate users.\"\n\n describe parse_config_file(\"/etc/default/useradd\") do\n its('INACTIVE') { should cmp <= input('days_of_inactivity') }\n its('INACTIVE') { should cmp >= 0 }\n end\nend\n", + "code": "control \"V-38686\" do\n title \"The systems local firewall must implement a deny-all,\nallow-by-exception policy for forwarded packets.\"\n desc \"In \\\"iptables\\\" the default policy is applied only after all the\napplicable rules in the table are examined for a match. 
Setting the default\npolicy to \\\"DROP\\\" implements proper design for a firewall, i.e., any packets\nwhich are not explicitly permitted should not be accepted.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000147\"\n tag \"gid\": \"V-38686\"\n tag \"rid\": \"SV-50487r2_rule\"\n tag \"stig_id\": \"RHEL-06-000320\"\n tag \"fix_id\": \"F-43635r1_fix\"\n tag \"cci\": [\"CCI-001109\"]\n tag \"nist\": [\"SC-7 (5)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to ensure the default \\\"FORWARD\\\"\npolicy is \\\"DROP\\\":\n\n# iptables -nvL | grep -i forward\n\nChain FORWARD (policy DROP 0 packets, 0 bytes)\n\nIf the default policy for the FORWARD chain is not set to DROP, this is a\nfinding.\"\n tag \"fix\": \"To set the default policy to DROP (instead of ACCEPT) for the\nbuilt-in FORWARD chain which processes packets that will be forwarded from one\ninterface to another, add or correct the following line in\n\\\"/etc/sysconfig/iptables\\\":\n\n:FORWARD DROP [0:0]\"\n\n describe command(\"iptables -nvL | grep -i forward\") do\n its('stdout.strip') { should match %r{Chain FORWARD \\(policy DROP} }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38694.rb", + "ref": "./Red Hat 6 STIG/controls/V-38686.rb", "line": 1 }, - "id": "V-38694" + "id": "V-38686" }, { - "title": "Mail relaying must be restricted.", - "desc": "This ensures \"postfix\" accepts mail messages (such as cron job\nreports) from the local system only, and not from the network, which protects\nit from network attack.", + "title": "The system must ignore ICMPv4 bogus error responses.", + "desc": "Ignoring bogus ICMP error responses reduces log size, although 
some\nactivity would not be logged.", "descriptions": { - "default": "This ensures \"postfix\" accepts mail messages (such as cron job\nreports) from the local system only, and not from the network, which protects\nit from network attack." + "default": "Ignoring bogus ICMP error responses reduces log size, although some\nactivity would not be logged." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38622", - "rid": "SV-50423r2_rule", - "stig_id": "RHEL-06-000249", - "fix_id": "F-43572r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38537", + "rid": "SV-50338r2_rule", + "stig_id": "RHEL-06-000093", + "fix_id": "F-43485r1_fix", "cci": [ - "CCI-000382" + "CCI-000366" ], "nist": [ - "CM-7 b", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
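Review bot: The new V-38686 test (`describe command("iptables -nvL | grep -i forward")` in this hunk's `+ "code"` line) only inspects the live ruleset, while the control's `fix` text points at the persisted `/etc/sysconfig/iptables`; a host whose saved rules still carry an ACCEPT policy passes today and reverts at the next iptables restart. If the profile is meant to catch that drift, add `describe file("/etc/sysconfig/iptables") do its("content") { should match(/^:FORWARD DROP/) } end` next to the runtime check; if it deliberately mirrors the STIG check text, a one-line comment in the control saying so would stop the next reader from re-raising this. The grep is case-insensitive and unanchored, so any rule mentioning "forward" lands in stdout, though the `Chain FORWARD \(policy DROP` match still pins the policy line.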
@@ -10353,35 +10353,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is an authorized mail relay host, this is not\napplicable.\n\nRun the following command to ensure postfix accepts mail messages from only the\nlocal system:\n\n$ grep inet_interfaces /etc/postfix/main.cf\n\nIf properly configured, the output should show only \"localhost\".\nIf it does not, this is a finding.", - "fix": "Edit the file \"/etc/postfix/main.cf\" to ensure that only the\nfollowing \"inet_interfaces\" line appears:\n\ninet_interfaces = localhost" + "check": "The status of the\n\"net.ipv4.icmp_ignore_bogus_error_responses\" kernel parameter can be queried\nby running the following command:\n\n$ sysctl net.ipv4.icmp_ignore_bogus_error_responses\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
", + "fix": "To set the runtime status of the\n\"net.ipv4.icmp_ignore_bogus_error_responses\" kernel parameter, run the\nfollowing command:\n\n# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.icmp_ignore_bogus_error_responses = 1" }, - "code": "control \"V-38622\" do\n title \"Mail relaying must be restricted.\"\n desc \"This ensures \\\"postfix\\\" accepts mail messages (such as cron job\nreports) from the local system only, and not from the network, which protects\nit from network attack.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38622\"\n tag \"rid\": \"SV-50423r2_rule\"\n tag \"stig_id\": \"RHEL-06-000249\"\n tag \"fix_id\": \"F-43572r1_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is an authorized mail relay host, this is not\napplicable.\n\nRun the following command to ensure postfix accepts mail messages from only the\nlocal system:\n\n$ grep inet_interfaces /etc/postfix/main.cf\n\nIf properly configured, the output should show only \\\"localhost\\\".\nIf it does not, this is a finding.\"\n tag \"fix\": \"Edit the file \\\"/etc/postfix/main.cf\\\" to ensure that only the\nfollowing \\\"inet_interfaces\\\" line appears:\n\ninet_interfaces = localhost\"\n\n describe file(\"/etc/postfix/main.cf\") do\n its(\"content\") { should match(/^[\\s]*inet_interfaces[\\s]*=[\\s]*localhost[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38537\" do\n title \"The system must ignore ICMPv4 bogus error responses.\"\n desc \"Ignoring bogus ICMP error 
responses reduces log size, although some\nactivity would not be logged.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38537\"\n tag \"rid\": \"SV-50338r2_rule\"\n tag \"stig_id\": \"RHEL-06-000093\"\n tag \"fix_id\": \"F-43485r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the\n\\\"net.ipv4.icmp_ignore_bogus_error_responses\\\" kernel parameter can be queried\nby running the following command:\n\n$ sysctl net.ipv4.icmp_ignore_bogus_error_responses\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the\n\\\"net.ipv4.icmp_ignore_bogus_error_responses\\\" kernel parameter, run the\nfollowing command:\n\n# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\"\n\n describe kernel_parameter(\"net.ipv4.icmp_ignore_bogus_error_responses\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.icmp_ignore_bogus_error_responses\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.icmp_ignore_bogus_error_responses[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38622.rb", + "ref": "./Red Hat 6 STIG/controls/V-38537.rb", "line": 1 }, - "id": "V-38622" + "id": "V-38537" }, { - "title": "The Bluetooth service must be disabled.", - "desc": "Disabling the \"bluetooth\" service prevents the system from\nattempting connections to Bluetooth devices, which entails some security risk.\nNevertheless, variation in this risk decision may be expected due to the\nutility of Bluetooth connectivity and its limited range.", + "title": "The system must prohibit the reuse of passwords within five\niterations.", + "desc": "Preventing reuse of previous passwords helps ensure that a compromised\npassword is not reused by a user.", "descriptions": { - "default": "Disabling the \"bluetooth\" service prevents the system from\nattempting connections to Bluetooth devices, which entails some security risk.\nNevertheless, variation in this risk decision may be expected due to the\nutility of Bluetooth connectivity and its limited range." + "default": "Preventing reuse of previous passwords helps ensure that a compromised\npassword is not reused by a user." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000034", - "gid": "V-38691", - "rid": "SV-50492r2_rule", - "stig_id": "RHEL-06-000331", - "fix_id": "F-43640r1_fix", + "gtitle": "SRG-OS-000077", + "gid": "V-38658", + "rid": "SV-50459r6_rule", + "stig_id": "RHEL-06-000274", + "fix_id": "F-43608r6_fix", "cci": [ - "CCI-000085" + "CCI-000200" ], "nist": [ - "AC-19 c", + "IA-5 (1) (e)", "Rev_4" ], "false_negatives": null, 
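Review bot: The `describe file("/etc/sysctl.conf")` assertion in the new V-38537 `code` string requires an explicit `net.ipv4.icmp_ignore_bogus_error_responses = 1` line, but the control's own `check` text treats the kernel default as acceptable and only asks that the file not set it improperly; a host on the default with no such line passes both `kernel_parameter` checks and is then flagged solely by the file regex. Consider inverting that assertion to `its("content") { should_not match(/^[\s]*net\.ipv4\.icmp_ignore_bogus_error_responses[\s]*=[\s]*0/) }` so the file check rejects a wrong setting rather than demanding a redundant one. The dots in the existing regex are unescaped, harmless here but worth tightening while editing; the removed V-38528 log_martians code carries the same pattern wherever that control now sits.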
@@ -10394,35 +10394,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"bluetooth\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \"bluetooth\" --list\n\nOutput should indicate the \"bluetooth\" service has either not been installed\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"bluetooth\" --list\n\"bluetooth\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\n\nIf the service is configured to run, this is a finding.", - "fix": "The \"bluetooth\" service can be disabled with the following\ncommand:\n\n# chkconfig bluetooth off\n\n\n\n# service bluetooth stop" + "check": "To verify the password reuse setting is compliant, run the\nfollowing command:\n\n# grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf the line is commented out, the line does not contain \"password required\npam_pwhistory.so\" or \"password requisite pam_pwhistory.so\", or the value for\n\"remember\" is less than \"5\", this is a finding.", + "fix": "Do not allow users to reuse recent passwords. This can be\naccomplished by using the \"remember\" option for the \"pam_pwhistory\" PAM\nmodule. In the file \"/etc/pam.d/system-auth\" and /etc/pam.d/password-auth,\nappend \"remember=5\" to the lines that refer to the \"pam_pwhistory.so\"\nmodule, as shown:\n\npassword required pam_pwhistory.so [existing_options] remember=5\n\nor\n\npassword requisite pam_pwhistory.so [existing_options] remember=5\n\nThe DoD requirement is five passwords." 
}, - "code": "control \"V-38691\" do\n title \"The Bluetooth service must be disabled.\"\n desc \"Disabling the \\\"bluetooth\\\" service prevents the system from\nattempting connections to Bluetooth devices, which entails some security risk.\nNevertheless, variation in this risk decision may be expected due to the\nutility of Bluetooth connectivity and its limited range.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000034\"\n tag \"gid\": \"V-38691\"\n tag \"rid\": \"SV-50492r2_rule\"\n tag \"stig_id\": \"RHEL-06-000331\"\n tag \"fix_id\": \"F-43640r1_fix\"\n tag \"cci\": [\"CCI-000085\"]\n tag \"nist\": [\"AC-19 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"bluetooth\\\" service is disabled in system\nboot configuration, run the following command:\n\n# chkconfig \\\"bluetooth\\\" --list\n\nOutput should indicate the \\\"bluetooth\\\" service has either not been installed\nor has been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"bluetooth\\\" --list\n\\\"bluetooth\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\n\nIf the service is configured to run, this is a finding.\"\n tag \"fix\": \"The \\\"bluetooth\\\" service can be disabled with the following\ncommand:\n\n# chkconfig bluetooth off\n\n\n\n# service bluetooth stop\"\n\n describe service(\"bluetooth\").runlevels(/0/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/1/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/2/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/3/) do\n it { should_not be_enabled }\n end\n describe 
service(\"bluetooth\").runlevels(/4/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/5/) do\n it { should_not be_enabled }\n end\n describe service(\"bluetooth\").runlevels(/6/) do\n it { should_not be_enabled }\n end\nend\n", + "code": "control \"V-38658\" do\n title \"The system must prohibit the reuse of passwords within five\niterations.\"\n desc \"Preventing reuse of previous passwords helps ensure that a compromised\npassword is not reused by a user.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000077\"\n tag \"gid\": \"V-38658\"\n tag \"rid\": \"SV-50459r6_rule\"\n tag \"stig_id\": \"RHEL-06-000274\"\n tag \"fix_id\": \"F-43608r6_fix\"\n tag \"cci\": [\"CCI-000200\"]\n tag \"nist\": [\"IA-5 (1) (e)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the password reuse setting is compliant, run the\nfollowing command:\n\n# grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf the line is commented out, the line does not contain \\\"password required\npam_pwhistory.so\\\" or \\\"password requisite pam_pwhistory.so\\\", or the value for\n\\\"remember\\\" is less than \\\"5\\\", this is a finding.\"\n tag \"fix\": \"Do not allow users to reuse recent passwords. This can be\naccomplished by using the \\\"remember\\\" option for the \\\"pam_pwhistory\\\" PAM\nmodule. 
In the file \\\"/etc/pam.d/system-auth\\\" and /etc/pam.d/password-auth,\nappend \\\"remember=5\\\" to the lines that refer to the \\\"pam_pwhistory.so\\\"\nmodule, as shown:\n\npassword required pam_pwhistory.so [existing_options] remember=5\n\nor\n\npassword requisite pam_pwhistory.so [existing_options] remember=5\n\nThe DoD requirement is five passwords.\"\n\n describe.one do\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so[\\t ]+[^#\\n\\r]*\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so[\\t ]+[^#\\n\\r]*\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('min_reuse_generations') }\n end\n end\n describe file(\"/etc/pam.d/system-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/) }\n end\n file(\"/etc/pam.d/system-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('min_reuse_generations') }\n end\n end\n end\n describe.one do\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should match(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so[\\t ]+[^#\\n\\r]*\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so[\\t ]+[^#\\n\\r]*\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('min_reuse_generations') }\n end\n end\n describe file(\"/etc/pam.d/password-auth\") do\n its(\"content\") { should 
match(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/) }\n end\n file(\"/etc/pam.d/password-auth\").content.to_s.scan(/^\\s*password\\s+(?:(?:requisite)|(?:required))\\s+pam_pwhistory\\.so\\s+remember=(\\d+)(?:(?:\\s)|(?:$))/).flatten.each do |entry|\n describe entry do\n it { should cmp >= input('min_reuse_generations') }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38691.rb", + "ref": "./Red Hat 6 STIG/controls/V-38658.rb", "line": 1 }, - "id": "V-38691" + "id": "V-38658" }, { - "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lsetxattr.", - "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", + "title": "The Automatic Bug Reporting Tool (abrtd) service must not be running.", + "desc": "Mishandling crash data could expose sensitive information about\nvulnerabilities in software executing on the local machine, as well as\nsensitive information from within a process's address space or registers.", "descriptions": { - "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." + "default": "Mishandling crash data could expose sensitive information about\nvulnerabilities in software executing on the local machine, as well as\nsensitive information from within a process's address space or registers." 
}, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000064", - "gid": "V-38561", - "rid": "SV-50362r3_rule", - "stig_id": "RHEL-06-000194", - "fix_id": "F-43509r2_fix", + "gtitle": "SRG-OS-000096", + "gid": "V-38640", + "rid": "SV-50441r2_rule", + "stig_id": "RHEL-06-000261", + "fix_id": "F-43589r2_fix", "cci": [ - "CCI-000172" + "CCI-000382" ], "nist": [ - "AU-12 c", + "CM-7 b", "Rev_4" ], "false_negatives": null, 
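Review bot: In the new V-38658 `code` string the `cmp >= input('min_reuse_generations')` assertions are never enforced, because each `describe.one do … end` also contains a bare `should match(/…remember=(\d+)…/)` presence check, and `describe.one` passes as soon as any one inner describe passes; a `remember=1` line satisfies the presence match and the control reports compliant. Move the per-entry `describe entry do it { should cmp >= input('min_reuse_generations') } end` blocks outside the two `describe.one` wrappers (keeping only the presence matches inside) so the threshold is required for every matching line in both PAM files. The `check` text fixes the threshold at 5, but the default of `min_reuse_generations` is not visible in this hunk; it should be 5 unless the profile documents a stricter organisational value.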
@@ -10435,35 +10435,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit calls to the\n\"lsetxattr\" system call, run the following command:\n\n$ sudo grep -w \"lsetxattr\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", - "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod" + "check": "To check that the \"abrtd\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"abrtd\" --list\n\nOutput should indicate the \"abrtd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"abrtd\" --list\n\"abrtd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"abrtd\" is disabled through current\nruntime configuration:\n\n# service abrtd status\n\nIf the service is disabled the command will return the following output:\n\nabrtd is stopped\n\n\nIf the service is running, this is a finding.", + "fix": "The Automatic Bug Reporting Tool (\"abrtd\") daemon collects and\nreports crash data when an application crash is detected. Using a variety of\nplugins, abrtd can email crash reports to system administrators, log crash\nreports to files, or forward crash reports to a centralized issue tracking\nsystem such as RHTSupport. 
The \"abrtd\" service can be disabled with the\nfollowing commands:\n\n# chkconfig abrtd off\n# service abrtd stop" }, - "code": "control \"V-38561\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using lsetxattr.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38561\"\n tag \"rid\": \"SV-50362r3_rule\"\n tag \"stig_id\": \"RHEL-06-000194\"\n tag \"fix_id\": \"F-43509r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"lsetxattr\\\" system call, run the following command:\n\n$ sudo grep -w \\\"lsetxattr\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lsetxattr(?:,|[\\s]+))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:,|-S[\\s]+)lsetxattr(?:,|[\\s]+))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", + "code": "control \"V-38640\" do\n title \"The Automatic Bug Reporting Tool (abrtd) service must not be running.\"\n desc \"Mishandling crash data could expose sensitive information about\nvulnerabilities in software executing on the local machine, as well as\nsensitive information from within a process's address space or registers.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38640\"\n tag \"rid\": \"SV-50441r2_rule\"\n tag \"stig_id\": \"RHEL-06-000261\"\n tag \"fix_id\": \"F-43589r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"abrtd\\\" service is disabled 
in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"abrtd\\\" --list\n\nOutput should indicate the \\\"abrtd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"abrtd\\\" --list\n\\\"abrtd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"abrtd\\\" is disabled through current\nruntime configuration:\n\n# service abrtd status\n\nIf the service is disabled the command will return the following output:\n\nabrtd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The Automatic Bug Reporting Tool (\\\"abrtd\\\") daemon collects and\nreports crash data when an application crash is detected. Using a variety of\nplugins, abrtd can email crash reports to system administrators, log crash\nreports to files, or forward crash reports to a centralized issue tracking\nsystem such as RHTSupport. The \\\"abrtd\\\" service can be disabled with the\nfollowing commands:\n\n# chkconfig abrtd off\n# service abrtd stop\"\n\n describe.one do\n describe package(\"abrt\") do\n it { should_not be_installed }\n end\n describe service(\"abrtd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38561.rb", + "ref": "./Red Hat 6 STIG/controls/V-38640.rb", "line": 1 }, - "id": "V-38561" + "id": "V-38640" }, { - "title": "Automated file system mounting tools must not be enabled unless\nneeded.", - "desc": "All filesystems that are required for the successful operation of the\nsystem should be explicitly listed in \"/etc/fstab\" by an 
administrator. New\nfilesystems should not be arbitrarily introduced via the automounter.\n\n The \"autofs\" daemon mounts and unmounts filesystems, such as user home\ndirectories shared via NFS, on demand. In addition, autofs can be used to\nhandle removable media, and the default configuration provides the cdrom device\nas \"/misc/cd\". However, this method of providing access to removable media is\nnot common, so autofs can almost always be disabled if NFS is not in use. Even\nif NFS is required, it is almost always possible to configure filesystem mounts\nstatically by editing \"/etc/fstab\" rather than relying on the automounter.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using chmod.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "All filesystems that are required for the successful operation of the\nsystem should be explicitly listed in \"/etc/fstab\" by an administrator. New\nfilesystems should not be arbitrarily introduced via the automounter.\n\n The \"autofs\" daemon mounts and unmounts filesystems, such as user home\ndirectories shared via NFS, on demand. In addition, autofs can be used to\nhandle removable media, and the default configuration provides the cdrom device\nas \"/misc/cd\". However, this method of providing access to removable media is\nnot common, so autofs can almost always be disabled if NFS is not in use. Even\nif NFS is required, it is almost always possible to configure filesystem mounts\nstatically by editing \"/etc/fstab\" rather than relying on the automounter." 
+ "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38437", - "rid": "SV-50237r1_rule", - "stig_id": "RHEL-06-000526", - "fix_id": "F-43381r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38543", + "rid": "SV-50344r3_rule", + "stig_id": "RHEL-06-000184", + "fix_id": "F-43491r2_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
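Review bot: The new-side `code` for V-38640 (abrtd) asserts `its("runlevels(?-mix:0)") { should be_enabled }` for runlevels 0–6 inside `describe.one`, which is the inverse of the control's intent — a host where abrtd is enabled at every runlevel would satisfy the `describe.one` alternative. The attribute string `runlevels(?-mix:0)` also looks like a Regexp that was interpolated into a string, so it probably does not resolve to the service resource's `runlevels(/0/)` accessor at all; the autofs control removed in the next hunk shows the working form, `describe service("abrtd").runlevels(/0/) do it { should_not be_enabled } end` per runlevel. Since this JSON is generated from `./Red Hat 6 STIG/controls/V-38640.rb`, the correction belongs in that source file with the baseline regenerated, otherwise the bundled baseline will report the control as passing on non-compliant hosts.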
@@ -10476,35 +10476,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To verify the \"autofs\" service is disabled, run the following\ncommand:\n\nchkconfig --list autofs\n\nIf properly configured, the output should be the following:\n\nautofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nVerify the \"autofs\" service is not running:\n\n# service autofs status\n\nIf the autofs service is enabled or running, this is a finding.", - "fix": "If the \"autofs\" service is not needed to dynamically mount NFS\nfilesystems or removable media, disable the service for all runlevels:\n\n# chkconfig --level 0123456 autofs off\n\nStop the service if it is already running:\n\n# service autofs stop" + "check": "To determine if the system is configured to audit calls to the\n\"chmod\" system call, run the following command:\n\n$ sudo grep -w \"chmod\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf the system is not configured to audit permission changes, this is a finding.\n", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod" }, - "code": "control \"V-38437\" do\n title \"Automated file system mounting tools must not be enabled unless\nneeded.\"\n desc \"All filesystems that are required for the successful operation of the\nsystem should be explicitly listed in \\\"/etc/fstab\\\" by an administrator. 
New\nfilesystems should not be arbitrarily introduced via the automounter.\n\n The \\\"autofs\\\" daemon mounts and unmounts filesystems, such as user home\ndirectories shared via NFS, on demand. In addition, autofs can be used to\nhandle removable media, and the default configuration provides the cdrom device\nas \\\"/misc/cd\\\". However, this method of providing access to removable media is\nnot common, so autofs can almost always be disabled if NFS is not in use. Even\nif NFS is required, it is almost always possible to configure filesystem mounts\nstatically by editing \\\"/etc/fstab\\\" rather than relying on the automounter.\n \"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38437\"\n tag \"rid\": \"SV-50237r1_rule\"\n tag \"stig_id\": \"RHEL-06-000526\"\n tag \"fix_id\": \"F-43381r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the \\\"autofs\\\" service is disabled, run the following\ncommand:\n\nchkconfig --list autofs\n\nIf properly configured, the output should be the following:\n\nautofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nVerify the \\\"autofs\\\" service is not running:\n\n# service autofs status\n\nIf the autofs service is enabled or running, this is a finding.\"\n tag \"fix\": \"If the \\\"autofs\\\" service is not needed to dynamically mount NFS\nfilesystems or removable media, disable the service for all runlevels:\n\n# chkconfig --level 0123456 autofs off\n\nStop the service if it is already running:\n\n# service autofs stop\"\n\n describe service(\"autofs\").runlevels(/0/) do\n it { should_not be_enabled }\n end\n describe 
service(\"autofs\").runlevels(/1/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/2/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/3/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/4/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/5/) do\n it { should_not be_enabled }\n end\n describe service(\"autofs\").runlevels(/6/) do\n it { should_not be_enabled }\n end\nend\n", + "code": "control \"V-38543\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using chmod.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38543\"\n tag \"rid\": \"SV-50344r3_rule\"\n tag \"stig_id\": \"RHEL-06-000184\"\n tag \"fix_id\": \"F-43491r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"chmod\\\" system call, run the following command:\n\n$ sudo grep -w \\\"chmod\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf the system is not configured to audit permission changes, this is a finding.\n\"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all 
users and root. Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)chmod(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)chmod(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38437.rb", + "ref": "./Red Hat 6 STIG/controls/V-38543.rb", "line": 1 }, - "id": "V-38437" + "id": "V-38543" }, { - "title": "The SSH daemon must ignore .rhosts files.", - "desc": "SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts.", + "title": "Vendor-provided cryptographic certificates must be installed to verify\nthe integrity of system software.", + "desc": "The Red Hat GPG keys are necessary to cryptographically verify\npackages are from Red Hat.", "descriptions": { - "default": "SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts." + "default": "The Red Hat GPG keys are necessary to cryptographically verify\npackages are from Red Hat." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-OS-000106", - "gid": "V-38611", - "rid": "SV-50412r1_rule", - "stig_id": "RHEL-06-000234", - "fix_id": "F-43559r1_fix", + "gtitle": "SRG-OS-000090", + "gid": "V-38476", + "rid": "SV-50276r3_rule", + "stig_id": "RHEL-06-000008", + "fix_id": "F-43421r3_fix", "cci": [ - "CCI-000766" + "CCI-000352" ], "nist": [ - "IA-2 (2)", + "CM-5 (3)", "Rev_4" ], "false_negatives": null, 
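Review bot: The V-38543 (chmod) `code` on the new side ends with an empty `describe.one do\n \n end`, which contributes no test and reads as a leftover from the generator; the same empty block appears in the removed V-38561 code, so this is likely systematic in the source profile rather than specific to this commit. Both `its("content")` regexes also accept only `arch=b32` rules, while the control's own fix text requires the `arch=b64` rules on 64-bit systems, so a 64-bit host with only 32-bit rules would pass; the source control could add the matching b64 expectations, conditioned on the platform architecture, and drop the empty block. The generated baseline would then need regenerating from `./Red Hat 6 STIG/controls/V-38543.rb`.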
@@ -10517,35 +10517,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine how the SSH daemon's \"IgnoreRhosts\" option is\nset, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"yes\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.", - "fix": "SSH can emulate the behavior of the obsolete rsh command in\nallowing users to enable insecure access to their accounts via \".rhosts\"\nfiles.\n\nTo ensure this behavior is disabled, add or correct the following line in\n\"/etc/ssh/sshd_config\":\n\nIgnoreRhosts yes" + "check": "To ensure that the GPG keys are installed, run:\n\n$ rpm -q gpg-pubkey\n\nThe command should return the strings below:\n\ngpg-pubkey-fd431d51-4ae0493b\ngpg-pubkey-2fa658e0-45700c69\n\nIf the Red Hat GPG Keys are not installed, this is a finding.", + "fix": "To ensure the system can cryptographically verify base software\npackages come from Red Hat (and to connect to the Red Hat Network to receive\nthem), the Red Hat GPG keys must be installed properly. To install the Red Hat\nGPG keys, run:\n\n# rhn_register\n\nIf the system is not connected to the Internet or an RHN Satellite, then\ninstall the Red Hat GPG keys from trusted media such as the Red Hat\ninstallation CD-ROM or DVD. 
Assuming the disc is mounted in \"/media/cdrom\",\nuse the following command as the root user to import them into the keyring:\n\n# rpm --import /media/cdrom/RPM-GPG-KEY" }, - "code": "control \"V-38611\" do\n title \"The SSH daemon must ignore .rhosts files.\"\n desc \"SSH trust relationships mean a compromise on one host can allow an\nattacker to move trivially to other hosts.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000106\"\n tag \"gid\": \"V-38611\"\n tag \"rid\": \"SV-50412r1_rule\"\n tag \"stig_id\": \"RHEL-06-000234\"\n tag \"fix_id\": \"F-43559r1_fix\"\n tag \"cci\": [\"CCI-000766\"]\n tag \"nist\": [\"IA-2 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine how the SSH daemon's \\\"IgnoreRhosts\\\" option is\nset, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \\\"yes\\\" is\nreturned, then the required value is set.\nIf the required value is not set, this is a finding.\"\n tag \"fix\": \"SSH can emulate the behavior of the obsolete rsh command in\nallowing users to enable insecure access to their accounts via \\\".rhosts\\\"\nfiles.\n\nTo ensure this behavior is disabled, add or correct the following line in\n\\\"/etc/ssh/sshd_config\\\":\n\nIgnoreRhosts yes\"\n\n describe sshd_config do\n its('IgnoreRhosts') { should (eq 'yes').or be_nil }\n end\nend\n", + "code": "control \"V-38476\" do\n title \"Vendor-provided cryptographic certificates must be installed to verify\nthe integrity of system software.\"\n desc \"The Red Hat GPG keys are necessary to cryptographically verify\npackages are from Red Hat. 
\"\n impact 0.7\n tag \"gtitle\": \"SRG-OS-000090\"\n tag \"gid\": \"V-38476\"\n tag \"rid\": \"SV-50276r3_rule\"\n tag \"stig_id\": \"RHEL-06-000008\"\n tag \"fix_id\": \"F-43421r3_fix\"\n tag \"cci\": [\"CCI-000352\"]\n tag \"nist\": [\"CM-5 (3)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To ensure that the GPG keys are installed, run:\n\n$ rpm -q gpg-pubkey\n\nThe command should return the strings below:\n\ngpg-pubkey-fd431d51-4ae0493b\ngpg-pubkey-2fa658e0-45700c69\n\nIf the Red Hat GPG Keys are not installed, this is a finding.\"\n tag \"fix\": \"To ensure the system can cryptographically verify base software\npackages come from Red Hat (and to connect to the Red Hat Network to receive\nthem), the Red Hat GPG keys must be installed properly. To install the Red Hat\nGPG keys, run:\n\n# rhn_register\n\nIf the system is not connected to the Internet or an RHN Satellite, then\ninstall the Red Hat GPG keys from trusted media such as the Red Hat\ninstallation CD-ROM or DVD. 
Assuming the disc is mounted in \\\"/media/cdrom\\\",\nuse the following command as the root user to import them into the keyring:\n\n# rpm --import /media/cdrom/RPM-GPG-KEY\"\n\n keys = input('package_signing_keys')\n\n describe command('rpm -q gpg-pubkey') do\n keys.each do |key|\n its('stdout.strip') { should match key }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38611.rb", + "ref": "./Red Hat 6 STIG/controls/V-38476.rb", "line": 1 }, - "id": "V-38611" + "id": "V-38476" }, { - "title": "The operating system, upon successful logon, must display to the user\nthe date and time of the last logon or access via ssh.", - "desc": "Users need to be aware of activity that occurs regarding their\naccount. Providing users with information regarding the date and time of their\nlast successful login allows the user to determine if any unauthorized activity\nhas occurred and gives them an opportunity to notify administrators.\n\n At ssh login, a user must be presented with the last successful login date\nand time.", + "title": "The audit system must identify staff members to receive notifications\nof audit log storage volume capacity issues.", + "desc": "Email sent to the root account is typically aliased to the\nadministrators of the system, who can take appropriate action.", "descriptions": { - "default": "Users need to be aware of activity that occurs regarding their\naccount. Providing users with information regarding the date and time of their\nlast successful login allows the user to determine if any unauthorized activity\nhas occurred and gives them an opportunity to notify administrators.\n\n At ssh login, a user must be presented with the last successful login date\nand time." + "default": "Email sent to the root account is typically aliased to the\nadministrators of the system, who can take appropriate action." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000025", - "gid": "V-38484", - "rid": "SV-50285r2_rule", - "stig_id": "RHEL-06-000507", - "fix_id": "F-43431r2_fix", + "gtitle": "SRG-OS-000046", + "gid": "V-38680", + "rid": "SV-50481r1_rule", + "stig_id": "RHEL-06-000313", + "fix_id": "F-43629r1_fix", "cci": [ - "CCI-000052" + "CCI-000139" ], "nist": [ - "AC-9", + "AU-5 a", "Rev_4" ], "false_negatives": null, 
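Review bot: In the V-38476 `code`, `its('stdout.strip') { should match key }` passes each `package_signing_keys` input to the `match` matcher as a string, which RSpec appears to compile into a regular expression, so any regex metacharacters in an input value would be interpreted rather than matched literally. More importantly, matching the `gpg-pubkey-<keyid>-<timestamp>` package name from `rpm -q gpg-pubkey` only confirms that a key with that short key ID is in the RPM keyring, not that it is the genuine vendor key; the source control could additionally compare the full fingerprint (for example from `rpm -qi` on the matched package) against the expected value. As with the other hunks, the change belongs in `./Red Hat 6 STIG/controls/V-38476.rb` with this baseline regenerated.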
@@ -10558,35 +10558,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify the value associated with the \"PrintLastLog\" keyword\nin /etc/ssh/sshd_config:\n\n# grep -i \"^PrintLastLog\" /etc/ssh/sshd_config\n\nIf the \"PrintLastLog\" keyword is not present, this is not a finding. If the\nvalue is not set to \"yes\", this is a finding.", - "fix": "Update the \"PrintLastLog\" keyword to \"yes\" in\n/etc/ssh/sshd_config:\n\nPrintLastLog yes\n\nWhile it is acceptable to remove the keyword entirely since the default action\nfor the SSH daemon is to print the last logon date and time, it is preferred to\nhave the value explicitly documented." + "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following\nline to determine if the system is configured to send email to an account when\nit needs to notify an administrator:\n\naction_mail_acct = root\n\n\nIf auditd is not configured to send emails per identified actions, this is a\nfinding.", + "fix": "The \"auditd\" service can be configured to send email to a\ndesignated account in certain situations. Add or correct the following line in\n\"/etc/audit/auditd.conf\" to ensure that administrators are notified via email\nfor those situations:\n\naction_mail_acct = root" }, - "code": "control \"V-38484\" do\n title \"The operating system, upon successful logon, must display to the user\nthe date and time of the last logon or access via ssh.\"\n desc \"Users need to be aware of activity that occurs regarding their\naccount. 
Providing users with information regarding the date and time of their\nlast successful login allows the user to determine if any unauthorized activity\nhas occurred and gives them an opportunity to notify administrators.\n\n At ssh login, a user must be presented with the last successful login date\nand time.\n \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000025\"\n tag \"gid\": \"V-38484\"\n tag \"rid\": \"SV-50285r2_rule\"\n tag \"stig_id\": \"RHEL-06-000507\"\n tag \"fix_id\": \"F-43431r2_fix\"\n tag \"cci\": [\"CCI-000052\"]\n tag \"nist\": [\"AC-9\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the value associated with the \\\"PrintLastLog\\\" keyword\nin /etc/ssh/sshd_config:\n\n# grep -i \\\"^PrintLastLog\\\" /etc/ssh/sshd_config\n\nIf the \\\"PrintLastLog\\\" keyword is not present, this is not a finding. 
If the\nvalue is not set to \\\"yes\\\", this is a finding.\"\n tag \"fix\": \"Update the \\\"PrintLastLog\\\" keyword to \\\"yes\\\" in\n/etc/ssh/sshd_config:\n\nPrintLastLog yes\n\nWhile it is acceptable to remove the keyword entirely since the default action\nfor the SSH daemon is to print the last logon date and time, it is preferred to\nhave the value explicitly documented.\"\n\n describe sshd_config do\n its('PrintLastLog') { should be_nil.or eq 'yes' }\n end \nend\n", + "code": "control \"V-38680\" do\n title \"The audit system must identify staff members to receive notifications\nof audit log storage volume capacity issues.\"\n desc \"Email sent to the root account is typically aliased to the\nadministrators of the system, who can take appropriate action.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000046\"\n tag \"gid\": \"V-38680\"\n tag \"rid\": \"SV-50481r1_rule\"\n tag \"stig_id\": \"RHEL-06-000313\"\n tag \"fix_id\": \"F-43629r1_fix\"\n tag \"cci\": [\"CCI-000139\"]\n tag \"nist\": [\"AU-5 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Inspect \\\"/etc/audit/auditd.conf\\\" and locate the following\nline to determine if the system is configured to send email to an account when\nit needs to notify an administrator:\n\naction_mail_acct = root\n\n\nIf auditd is not configured to send emails per identified actions, this is a\nfinding.\"\n tag \"fix\": \"The \\\"auditd\\\" service can be configured to send email to a\ndesignated account in certain situations. 
Add or correct the following line in\n\\\"/etc/audit/auditd.conf\\\" to ensure that administrators are notified via email\nfor those situations:\n\naction_mail_acct = root\"\n\n describe file(\"/etc/audit/auditd.conf\") do\n its(\"content\") { should match(/^action_mail_acct\\s*=\\s*(\\S+)\\s*$/) }\n end\n file(\"/etc/audit/auditd.conf\").content.to_s.scan(/^action_mail_acct\\s*=\\s*(\\S+)\\s*$/).flatten.each do |entry|\n describe entry do\n it { should eq \"root\" }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38484.rb", + "ref": "./Red Hat 6 STIG/controls/V-38680.rb", "line": 1 }, - "id": "V-38484" + "id": "V-38680" }, { - "title": "The qpidd service must not be running.", - "desc": "The qpidd service is automatically installed when the \"base\" package\nselection is selected during installation. The qpidd service listens for\nnetwork connections which increases the attack surface of the system. If the\nsystem is not intended to receive AMQP traffic then the \"qpidd\" service is\nnot needed and should be disabled or removed.", + "title": "X Windows must not be enabled unless required.", + "desc": "Unnecessary services should be disabled to decrease the attack surface\nof the system.", "descriptions": { - "default": "The qpidd service is automatically installed when the \"base\" package\nselection is selected during installation. The qpidd service listens for\nnetwork connections which increases the attack surface of the system. If the\nsystem is not intended to receive AMQP traffic then the \"qpidd\" service is\nnot needed and should be disabled or removed." + "default": "Unnecessary services should be disabled to decrease the attack surface\nof the system." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000096", - "gid": "V-38648", - "rid": "SV-50449r2_rule", - "stig_id": "RHEL-06-000267", - "fix_id": "F-43597r2_fix", + "gtitle": "SRG-OS-000248", + "gid": "V-38674", + "rid": "SV-50475r1_rule", + "stig_id": "RHEL-06-000290", + "fix_id": "F-43623r1_fix", "cci": [ - "CCI-000382" + "CCI-001436" ], "nist": [ - "CM-7 b", + "AC-17 (8)", "Rev_4" ], "false_negatives": null, 
@@ -10599,35 +10599,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check that the \"qpidd\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \"qpidd\" --list\n\nOutput should indicate the \"qpidd\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \"qpidd\" --list\n\"qpidd\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"qpidd\" is disabled through current\nruntime configuration:\n\n# service qpidd status\n\nIf the service is disabled the command will return the following output:\n\nqpidd is stopped\n\n\nIf the service is running, this is a finding.", - "fix": "The \"qpidd\" service provides high speed, secure, guaranteed\ndelivery services. It is an implementation of the Advanced Message Queuing\nProtocol. By default the qpidd service will bind to port 5672 and listen for\nconnection attempts. The \"qpidd\" service can be disabled with the following\ncommands:\n\n# chkconfig qpidd off\n# service qpidd stop" + "check": "To verify the default runlevel is 3, run the following command:\n\n# grep initdefault /etc/inittab\n\nThe output should show the following:\n\nid:3:initdefault:\n\n\nIf it does not, this is a finding.", + "fix": "Setting the system's runlevel to 3 will prevent automatic startup\nof the X server. To do so, ensure the following line in \"/etc/inittab\"\nfeatures a \"3\" as shown:\n\nid:3:initdefault:" }, - "code": "control \"V-38648\" do\n title \"The qpidd service must not be running.\"\n desc \"The qpidd service is automatically installed when the \\\"base\\\" package\nselection is selected during installation. The qpidd service listens for\nnetwork connections which increases the attack surface of the system. 
If the\nsystem is not intended to receive AMQP traffic then the \\\"qpidd\\\" service is\nnot needed and should be disabled or removed.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000096\"\n tag \"gid\": \"V-38648\"\n tag \"rid\": \"SV-50449r2_rule\"\n tag \"stig_id\": \"RHEL-06-000267\"\n tag \"fix_id\": \"F-43597r2_fix\"\n tag \"cci\": [\"CCI-000382\"]\n tag \"nist\": [\"CM-7 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check that the \\\"qpidd\\\" service is disabled in system boot\nconfiguration, run the following command:\n\n# chkconfig \\\"qpidd\\\" --list\n\nOutput should indicate the \\\"qpidd\\\" service has either not been installed, or\nhas been disabled at all runlevels, as shown in the example below:\n\n# chkconfig \\\"qpidd\\\" --list\n\\\"qpidd\\\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \\\"qpidd\\\" is disabled through current\nruntime configuration:\n\n# service qpidd status\n\nIf the service is disabled the command will return the following output:\n\nqpidd is stopped\n\n\nIf the service is running, this is a finding.\"\n tag \"fix\": \"The \\\"qpidd\\\" service provides high speed, secure, guaranteed\ndelivery services. It is an implementation of the Advanced Message Queuing\nProtocol. By default the qpidd service will bind to port 5672 and listen for\nconnection attempts. 
The \\\"qpidd\\\" service can be disabled with the following\ncommands:\n\n# chkconfig qpidd off\n# service qpidd stop\"\n\n describe.one do\n describe package(\"qpid-cpp-server\") do\n it { should_not be_installed }\n end\n describe service(\"qpidd\") do\n its(\"runlevels(?-mix:0)\") { should be_enabled }\n its(\"runlevels(?-mix:1)\") { should be_enabled }\n its(\"runlevels(?-mix:2)\") { should be_enabled }\n its(\"runlevels(?-mix:3)\") { should be_enabled }\n its(\"runlevels(?-mix:4)\") { should be_enabled }\n its(\"runlevels(?-mix:5)\") { should be_enabled }\n its(\"runlevels(?-mix:6)\") { should be_enabled }\n end\n end\nend\n", + "code": "control \"V-38674\" do\n title \"X Windows must not be enabled unless required.\"\n desc \"Unnecessary services should be disabled to decrease the attack surface\nof the system.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000248\"\n tag \"gid\": \"V-38674\"\n tag \"rid\": \"SV-50475r1_rule\"\n tag \"stig_id\": \"RHEL-06-000290\"\n tag \"fix_id\": \"F-43623r1_fix\"\n tag \"cci\": [\"CCI-001436\"]\n tag \"nist\": [\"AC-17 (8)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To verify the default runlevel is 3, run the following command:\n\n# grep initdefault /etc/inittab\n\nThe output should show the following:\n\nid:3:initdefault:\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"Setting the system's runlevel to 3 will prevent automatic startup\nof the X server. 
To do so, ensure the following line in \\\"/etc/inittab\\\"\nfeatures a \\\"3\\\" as shown:\n\nid:3:initdefault:\"\n\n describe file(\"/etc/inittab\") do\n its(\"content\") { should match(/^[\\s]*id:3:initdefault:[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38648.rb", + "ref": "./Red Hat 6 STIG/controls/V-38674.rb", "line": 1 }, - "id": "V-38648" + "id": "V-38674" }, { - "title": "The system must not permit interactive boot.", - "desc": "Using interactive boot, the console user could disable auditing,\nfirewalls, or other services, weakening system security.", + "title": "The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchmod.", + "desc": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.", "descriptions": { - "default": "Using interactive boot, the console user could disable auditing,\nfirewalls, or other services, weakening system security." + "default": "The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000080", - "gid": "V-38588", - "rid": "SV-50389r1_rule", - "stig_id": "RHEL-06-000070", - "fix_id": "F-43536r1_fix", + "gtitle": "SRG-OS-000064", + "gid": "V-38547", + "rid": "SV-50348r3_rule", + "stig_id": "RHEL-06-000186", + "fix_id": "F-43495r2_fix", "cci": [ - "CCI-000213" + "CCI-000172" ], "nist": [ - "AC-3", + "AU-12 c", "Rev_4" ], "false_negatives": null, 
@@ -10640,35 +10640,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check whether interactive boot is disabled, run the\nfollowing command:\n\n$ grep PROMPT /etc/sysconfig/init\n\nIf interactive boot is disabled, the output will show:\n\nPROMPT=no\n\n\nIf it does not, this is a finding.", - "fix": "To disable the ability for users to perform interactive startups,\nedit the file \"/etc/sysconfig/init\". Add or correct the line:\n\nPROMPT=no\n\nThe \"PROMPT\" option allows the console user to perform an interactive system\nstartup, in which it is possible to select the set of services which are\nstarted on boot." + "check": "To determine if the system is configured to audit calls to the\n\"fchmod\" system call, run the following command:\n\n$ sudo grep -w \"fchmod\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. ", + "fix": "At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\"/etc/audit/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod" }, - "code": "control \"V-38588\" do\n title \"The system must not permit interactive boot.\"\n desc \"Using interactive boot, the console user could disable auditing,\nfirewalls, or other services, weakening system security.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000080\"\n tag \"gid\": \"V-38588\"\n tag \"rid\": \"SV-50389r1_rule\"\n tag \"stig_id\": \"RHEL-06-000070\"\n tag \"fix_id\": \"F-43536r1_fix\"\n tag \"cci\": [\"CCI-000213\"]\n tag \"nist\": [\"AC-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check whether interactive boot is disabled, run the\nfollowing command:\n\n$ grep PROMPT /etc/sysconfig/init\n\nIf interactive boot is disabled, the output will show:\n\nPROMPT=no\n\n\nIf it does not, this is a finding.\"\n tag \"fix\": \"To disable the ability for users to perform interactive startups,\nedit the file \\\"/etc/sysconfig/init\\\". 
Add or correct the line:\n\nPROMPT=no\n\nThe \\\"PROMPT\\\" option allows the console user to perform an interactive system\nstartup, in which it is possible to select the set of services which are\nstarted on boot.\"\n\n describe file(\"/etc/sysconfig/init\") do\n its(\"content\") { should match(/^[\\s]*PROMPT[\\s]*=[\\s]*no[\\s]*$/) }\n end\nend\n", + "code": "control \"V-38547\" do\n title \"The audit system must be configured to audit all discretionary access\ncontrol permission modifications using fchmod.\"\n desc \"The changing of file permissions could indicate that a user is\nattempting to gain access to information that would otherwise be disallowed.\nAuditing DAC modifications can facilitate the identification of patterns of\nabuse among both authorized and unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000064\"\n tag \"gid\": \"V-38547\"\n tag \"rid\": \"SV-50348r3_rule\"\n tag \"stig_id\": \"RHEL-06-000186\"\n tag \"fix_id\": \"F-43495r2_fix\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit calls to the\n\\\"fchmod\\\" system call, run the following command:\n\n$ sudo grep -w \\\"fchmod\\\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several\nlines.\n\nIf no line is returned, this is a finding. \"\n tag \"fix\": \"At a minimum, the audit system should collect file permission\nchanges for all users and root. 
Add the following to\n\\\"/etc/audit/audit.rules\\\":\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod\n\nIf the system is 64-bit, then also add the following:\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \\\\\n-k perm_mod\n-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchmod(?:[\\s]+|,))(?:.*-F\\s+auid>=500[\\s]+)(?:.*-F\\s+auid!=(?:-1|4294967295)[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^[\\s]*-a[\\s](?:always,exit|exit,always)+(?:.*-F[\\s]+arch=b32[\\s]+)(?:.*(?:-S[\\s]+|,)fchmod(?:[\\s]+|,))(?:.*-F\\s+auid=0[\\s]+).*-k[\\s]+[\\S]+[\\s]*$/) }\n end\n describe.one do\n \n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38588.rb", + "ref": "./Red Hat 6 STIG/controls/V-38547.rb", "line": 1 }, - "id": "V-38588" + "id": "V-38547" }, { - "title": "The operating system must prevent public IPv4 access into an\norganizations internal networks, except as appropriately mediated by managed\ninterfaces employing boundary protection devices.", - "desc": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.", + "title": "There must be no world-writable files on the system.", + "desc": "Data in world-writable files can be modified by any user on the\nsystem. In almost all circumstances, files can be configured using a\ncombination of user and group permissions to support whatever legitimate access\nis needed without the risk caused by world-writable files.", "descriptions": { - "default": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP." 
+ "default": "Data in world-writable files can be modified by any user on the\nsystem. In almost all circumstances, files can be configured using a\ncombination of user and group permissions to support whatever legitimate access\nis needed without the risk caused by world-writable files." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000146", - "gid": "V-38512", - "rid": "SV-50313r2_rule", - "stig_id": "RHEL-06-000117", - "fix_id": "F-43459r2_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38643", + "rid": "SV-50444r3_rule", + "stig_id": "RHEL-06-000282", + "fix_id": "F-43591r1_fix", "cci": [ - "CCI-001100" + "CCI-000366" ], "nist": [ - "SC-7 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -10681,35 +10681,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", - "fix": "The \"iptables\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start" + "check": "To find world-writable files, run the following command for\neach local partition [PART], excluding special filesystems such as /selinux,\n/proc, or /sys:\n\n# find [PART] -xdev -type f -perm -002\n\nIf there is output, this is a finding.", + "fix": "It is generally a good idea to remove global (other) write access\nto a file when it is discovered. However, check with documentation for specific\napplications before making changes. Also, monitor for recurring world-writable\nfiles, as these may be symptoms of a misconfigured application or user account." 
}, - "code": "control \"V-38512\" do\n title \"The operating system must prevent public IPv4 access into an\norganizations internal networks, except as appropriately mediated by managed\ninterfaces employing boundary protection devices.\"\n desc \"The \\\"iptables\\\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000146\"\n tag \"gid\": \"V-38512\"\n tag \"rid\": \"SV-50313r2_rule\"\n tag \"stig_id\": \"RHEL-06-000117\"\n tag \"fix_id\": \"F-43459r2_fix\"\n tag \"cci\": [\"CCI-001100\"]\n tag \"nist\": [\"SC-7 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \\\"iptables\\\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"iptables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start\"\n\n describe service('iptables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control \"V-38643\" do\n title \"There must be no world-writable files on the system.\"\n desc \"Data in world-writable files can be modified by any user on the\nsystem. 
In almost all circumstances, files can be configured using a\ncombination of user and group permissions to support whatever legitimate access\nis needed without the risk caused by world-writable files.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38643\"\n tag \"rid\": \"SV-50444r3_rule\"\n tag \"stig_id\": \"RHEL-06-000282\"\n tag \"fix_id\": \"F-43591r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To find world-writable files, run the following command for\neach local partition [PART], excluding special filesystems such as /selinux,\n/proc, or /sys:\n\n# find [PART] -xdev -type f -perm -002\n\nIf there is output, this is a finding.\"\n tag \"fix\": \"It is generally a good idea to remove global (other) write access\nto a file when it is discovered. However, check with documentation for specific\napplications before making changes. 
Also, monitor for recurring world-writable\nfiles, as these may be symptoms of a misconfigured application or user account.\"\n\n files = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type f -perm -002 -print))\n describe \"World-writable files\" do\n subject { files.stdout.strip.split(\"\\n\") }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38512.rb", + "ref": "./Red Hat 6 STIG/controls/V-38643.rb", "line": 1 }, - "id": "V-38512" + "id": "V-38643" }, { - "title": "The operating system must automatically audit account termination.", - "desc": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.", + "title": "The operating system must produce audit records containing sufficient\ninformation to establish what type of events occurred.", + "desc": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.", "descriptions": { - "default": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy." + "default": "Ensuring the \"auditd\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000241", - "gid": "V-38538", - "rid": "SV-50339r2_rule", - "stig_id": "RHEL-06-000177", - "fix_id": "F-43486r1_fix", + "gtitle": "SRG-OS-000037", + "gid": "V-38632", + "rid": "SV-50433r2_rule", + "stig_id": "RHEL-06-000154", + "fix_id": "F-43581r2_fix", "cci": [ - "CCI-001405" + "CCI-000130" ], "nist": [ - "AC-2 (4)", + "AU-3", "Rev_4" ], "false_negatives": null, 
@@ -10722,35 +10722,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \"-p wa\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.", - "fix": "Add the following to \"/etc/audit/audit.rules\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes" + "check": "Run the following command to determine the current status of\nthe \"auditd\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"auditd\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \"auditd\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start" }, - "code": "control \"V-38538\" do\n title \"The operating system must automatically audit account termination.\"\n desc \"In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. 
Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000241\"\n tag \"gid\": \"V-38538\"\n tag \"rid\": \"SV-50339r2_rule\"\n tag \"stig_id\": \"RHEL-06-000177\"\n tag \"fix_id\": \"F-43486r1_fix\"\n tag \"cci\": [\"CCI-001405\"]\n tag \"nist\": [\"AC-2 (4)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To determine if the system is configured to audit account\nchanges, run the following command:\n\n$sudo egrep -w\n'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n/etc/audit/audit.rules\n\nIf the system is configured to watch for account changes, lines should be\nreturned for each file specified (and with \\\"-p wa\\\" for each).\n\nIf the system is not configured to audit account changes, this is a finding.\"\n tag \"fix\": \"Add the following to \\\"/etc/audit/audit.rules\\\", in order to\ncapture events that modify account changes:\n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes\"\n\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe 
file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\n describe file(\"/etc/audit/audit.rules\") do\n its(\"content\") { should match(/^\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+\\w+\\s*$/) }\n end\nend\n", + "code": "control \"V-38632\" do\n title \"The operating system must produce audit records containing sufficient\ninformation to establish what type of events occurred.\"\n desc \"Ensuring the \\\"auditd\\\" service is active ensures audit records\ngenerated by the kernel can be written to disk, or that appropriate actions\nwill be taken if other obstacles exist.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000037\"\n tag \"gid\": \"V-38632\"\n tag \"rid\": \"SV-50433r2_rule\"\n tag \"stig_id\": \"RHEL-06-000154\"\n tag \"fix_id\": \"F-43581r2_fix\"\n tag \"cci\": [\"CCI-000130\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the following command to determine the current status of\nthe \\\"auditd\\\" service:\n\n# service auditd status\n\nIf the service is enabled, it should return the following:\n\nauditd is running...\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"auditd\\\" service is an essential userspace component of the\nLinux Auditing System, as it is responsible for writing audit records to disk.\nThe \\\"auditd\\\" service can be enabled with the following commands:\n\n# chkconfig auditd on\n# service auditd start\"\n\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 
STIG/controls/V-38538.rb", + "ref": "./Red Hat 6 STIG/controls/V-38632.rb", "line": 1 }, - "id": "V-38538" + "id": "V-38632" }, { - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nosuid option.", - "desc": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "title": "The system must be configured to use TCP syncookies when experiencing\na TCP SYN flood.", + "desc": "A TCP SYN flood attack can cause a denial of service by filling a\nsystem's TCP connection table with connections in the SYN_RCVD state.\nSyncookies can be used to track a connection when a subsequent ACK is received,\nverifying the initiator is attempting a valid connection and is not a flood\nsource. This feature is activated when a flood condition is detected, and\nenables the system to continue servicing valid connection requests.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access." + "default": "A TCP SYN flood attack can cause a denial of service by filling a\nsystem's TCP connection table with connections in the SYN_RCVD state.\nSyncookies can be used to track a connection when a subsequent ACK is received,\nverifying the initiator is attempting a valid connection and is not a flood\nsource. 
This feature is activated when a flood condition is detected, and\nenables the system to continue servicing valid connection requests." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-81447", - "rid": "SV-96161r1_rule", - "stig_id": "RHEL-06-000531", - "fix_id": "F-88265r1_fix", + "gtitle": "SRG-OS-000142", + "gid": "V-38539", + "rid": "SV-50340r2_rule", + "stig_id": "RHEL-06-000095", + "fix_id": "F-43487r1_fix", "cci": [ - "CCI-001764" + "CCI-001095" ], "nist": [ - "CM-7 (2)", + "SC-5 (2)", "Rev_4" ], "false_negatives": null, 
@@ -10763,35 +10763,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify that the \"nosuid\" option is configured for /dev/shm.\n\nCheck that the operating system is configured to use the \"nosuid\" option for\n/dev/shm with the following command:\n\n# cat /etc/fstab | grep /dev/shm | grep nosuid\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf the \"nosuid\" option is not present on the line for \"/dev/shm\", this is a\nfinding.\n\nVerify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n# mount | grep \"/dev/shm\" | grep nosuid\n\nIf no results are returned, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option for all\nlines containing \"/dev/shm\"." + "check": "The status of the \"net.ipv4.tcp_syncookies\" kernel parameter\ncan be queried by running the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nThe output of the command should indicate a value of \"1\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.tcp_syncookies /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. ", + "fix": "To set the runtime status of the \"net.ipv4.tcp_syncookies\"\nkernel parameter, run the following command:\n\n# sysctl -w net.ipv4.tcp_syncookies=1\n\nIf this is not the system's default value, add the following line to\n\"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies = 1" }, - "code": "control \"V-81447\" do\n title \"The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nosuid option.\"\n desc \"The \\\"nosuid\\\" mount option causes the system to not execute\n\\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-000368-GPOS-00154\"\n tag \"gid\": \"V-81447\"\n tag \"rid\": \"SV-96161r1_rule\"\n tag \"stig_id\": \"RHEL-06-000531\"\n tag \"fix_id\": \"F-88265r1_fix\"\n tag \"cci\": [\"CCI-001764\"]\n tag \"nist\": [\"CM-7 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify that the \\\"nosuid\\\" option is configured for /dev/shm.\n\nCheck that the operating system is configured to use the \\\"nosuid\\\" option for\n/dev/shm with the following command:\n\n# cat /etc/fstab | grep /dev/shm | grep nosuid\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf the \\\"nosuid\\\" option is not present on the line for \\\"/dev/shm\\\", this is a\nfinding.\n\nVerify \\\"/dev/shm\\\" is mounted with the \\\"nosuid\\\" option:\n\n# mount | grep \\\"/dev/shm\\\" | grep nosuid\n\nIf no results are returned, this is a finding.\"\n tag \"fix\": \"Configure the \\\"/etc/fstab\\\" to use the \\\"nosuid\\\" option for all\nlines containing \\\"/dev/shm\\\".\"\n\n describe file(\"/etc/fstab\") do\n its(\"content\") { should match(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/) }\n end\n file(\"/etc/fstab\").content.to_s.scan(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:nosuid|[\\w,]+,nosuid)(?:$|,[\\w,]+$)/) }\n end\n end\n describe file(\"/etc/mtab\") do\n its(\"content\") { should match(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/) }\n end\n 
file(\"/etc/mtab\").content.to_s.scan(/^[^#\\s]+[ \\t]+\\/dev\\/shm[ \\t]+[\\w\\d]+[ \\t]+([\\w,]+)\\s*.*$/).flatten.each do |entry|\n describe entry do\n it { should match(/^(?:nosuid|[\\w,]+,nosuid)(?:$|,[\\w,]+$)/) }\n end\n end\nend\n", + "code": "control \"V-38539\" do\n title \"The system must be configured to use TCP syncookies when experiencing\na TCP SYN flood.\"\n desc \"A TCP SYN flood attack can cause a denial of service by filling a\nsystem's TCP connection table with connections in the SYN_RCVD state.\nSyncookies can be used to track a connection when a subsequent ACK is received,\nverifying the initiator is attempting a valid connection and is not a flood\nsource. This feature is activated when a flood condition is detected, and\nenables the system to continue servicing valid connection requests.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000142\"\n tag \"gid\": \"V-38539\"\n tag \"rid\": \"SV-50340r2_rule\"\n tag \"stig_id\": \"RHEL-06-000095\"\n tag \"fix_id\": \"F-43487r1_fix\"\n tag \"cci\": [\"CCI-001095\"]\n tag \"nist\": [\"SC-5 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The status of the \\\"net.ipv4.tcp_syncookies\\\" kernel parameter\ncan be queried by running the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nThe output of the command should indicate a value of \\\"1\\\". If this value is\nnot the default value, investigate how it could have been adjusted at runtime,\nand verify it is not set improperly in \\\"/etc/sysctl.conf\\\".\n\n$ grep net.ipv4.tcp_syncookies /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding. 
\"\n tag \"fix\": \"To set the runtime status of the \\\"net.ipv4.tcp_syncookies\\\"\nkernel parameter, run the following command:\n\n# sysctl -w net.ipv4.tcp_syncookies=1\n\nIf this is not the system's default value, add the following line to\n\\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies = 1\"\n\n describe kernel_parameter(\"net.ipv4.tcp_syncookies\") do\n its(\"value\") { should_not be_nil }\n end\n describe kernel_parameter(\"net.ipv4.tcp_syncookies\") do\n its(\"value\") { should eq 1 }\n end\n describe file(\"/etc/sysctl.conf\") do\n its(\"content\") { should match(/^[\\s]*net.ipv4.tcp_syncookies[\\s]*=[\\s]*1[\\s]*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-81447.rb", + "ref": "./Red Hat 6 STIG/controls/V-38539.rb", "line": 1 }, - "id": "V-81447" + "id": "V-38539" }, { - "title": "The Red Hat Enterprise Linux operating system must have an anti-virus\nsolution installed.", - "desc": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.", + "title": "The system default umask for the bash shell must be 077.", + "desc": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.", "descriptions": { - "default": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems." + "default": "The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-81443", - "rid": "SV-96157r1_rule", - "stig_id": "RHEL-06-000533", - "fix_id": "F-88261r1_fix", + "gtitle": "SRG-OS-999999", + "gid": "V-38651", + "rid": "SV-50452r1_rule", + "stig_id": "RHEL-06-000342", + "fix_id": "F-43600r1_fix", "cci": [ - "CCI-001668" + "CCI-000366" ], "nist": [ - "SI-3 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -10804,35 +10804,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify an anti-virus solution is installed on the system. The\nanti-virus solution may be bundled with an approved host-based security\nsolution.\n\nIf there is no anti-virus solution installed on the system, this is a finding.\n", - "fix": "Install an anti-virus solution on the system. " + "check": "Verify the \"umask\" setting is configured correctly in the\n\"/etc/bashrc\" file by running the following command:\n\n# grep \"umask\" /etc/bashrc\n\nAll output must show the value of \"umask\" set to 077, as shown below:\n\n# grep \"umask\" /etc/bashrc\numask 077\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.", + "fix": "To ensure the default umask for users of the Bash shell is set\nproperly, add or correct the \"umask\" setting in \"/etc/bashrc\" to read as\nfollows:\n\numask 077" }, - "code": "control \"V-81443\" do\n title \"The Red Hat Enterprise Linux operating system must have an anti-virus\nsolution installed.\"\n desc \"Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems. \"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000480-GPOS-00227\"\n tag \"gid\": \"V-81443\"\n tag \"rid\": \"SV-96157r1_rule\"\n tag \"stig_id\": \"RHEL-06-000533\"\n tag \"fix_id\": \"F-88261r1_fix\"\n tag \"cci\": [\"CCI-001668\"]\n tag \"nist\": [\"SI-3 a\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify an anti-virus solution is installed on the system. 
The\nanti-virus solution may be bundled with an approved host-based security\nsolution.\n\nIf there is no anti-virus solution installed on the system, this is a finding.\n\"\n tag \"fix\": \"Install an anti-virus solution on the system. \"\n\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\nend\n", + "code": "control \"V-38651\" do\n title \"The system default umask for the bash shell must be 077.\"\n desc \"The umask value influences the permissions assigned to files when they\nare created. A misconfigured umask value could result in files with excessive\npermissions that can be read and/or written to by unauthorized users.\"\n impact 0.3\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38651\"\n tag \"rid\": \"SV-50452r1_rule\"\n tag \"stig_id\": \"RHEL-06-000342\"\n tag \"fix_id\": \"F-43600r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify the \\\"umask\\\" setting is configured correctly in the\n\\\"/etc/bashrc\\\" file by running the following command:\n\n# grep \\\"umask\\\" /etc/bashrc\n\nAll output must show the value of \\\"umask\\\" set to 077, as shown below:\n\n# grep \\\"umask\\\" /etc/bashrc\numask 077\numask 077\n\n\nIf the above command returns no output, or if the umask is configured\nincorrectly, this is a finding.\"\n tag \"fix\": \"To ensure the default umask for users of the Bash shell is set\nproperly, add or correct the \\\"umask\\\" setting in \\\"/etc/bashrc\\\" to read as\nfollows:\n\numask 077\"\n\n describe file(\"/etc/bashrc\") do\n its(\"content\") { should match(/^[\\s]*umask[\\s]+([^#\\s]*)/) }\n end\n 
file(\"/etc/bashrc\").content.to_s.scan(/^[\\s]*umask[\\s]+([^#\\s]*)/).flatten.each do |entry|\n describe entry do\n it { should eq \"077\" }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-81443.rb", + "ref": "./Red Hat 6 STIG/controls/V-38651.rb", "line": 1 }, - "id": "V-81443" + "id": "V-38651" }, { - "title": "The /etc/shadow file must have mode 0000.", - "desc": "The \"/etc/shadow\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture.", + "title": "The operating system must prevent public IPv4 access into an\norganizations internal networks, except as appropriately mediated by managed\ninterfaces employing boundary protection devices.", + "desc": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.", "descriptions": { - "default": "The \"/etc/shadow\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture." + "default": "The \"iptables\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-OS-999999", - "gid": "V-38504", - "rid": "SV-50305r1_rule", - "stig_id": "RHEL-06-000035", - "fix_id": "F-43451r1_fix", + "gtitle": "SRG-OS-000146", + "gid": "V-38512", + "rid": "SV-50313r2_rule", + "stig_id": "RHEL-06-000117", + "fix_id": "F-43459r2_fix", "cci": [ - "CCI-000366" + "CCI-001100" ], "nist": [ - "CM-6 b", + "SC-7 (2)", "Rev_4" ], "false_negatives": null, 
@@ -10845,381 +10845,381 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "To check the permissions of \"/etc/shadow\", run the command:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following permissions:\n\"----------\"\nIf it does not, this is a finding.", - "fix": "To properly set the permissions of \"/etc/shadow\", run the\ncommand:\n\n# chmod 0000 /etc/shadow" + "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.", + "fix": "The \"iptables\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start" }, - "code": "control \"V-38504\" do\n title \"The /etc/shadow file must have mode 0000.\"\n desc \"The \\\"/etc/shadow\\\" file contains the list of local system accounts\nand stores password hashes. Protection of this file is critical for system\nsecurity. 
Failure to give ownership of this file to root provides the\ndesignated owner with access to sensitive information which could weaken the\nsystem security posture.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-999999\"\n tag \"gid\": \"V-38504\"\n tag \"rid\": \"SV-50305r1_rule\"\n tag \"stig_id\": \"RHEL-06-000035\"\n tag \"fix_id\": \"F-43451r1_fix\"\n tag \"cci\": [\"CCI-000366\"]\n tag \"nist\": [\"CM-6 b\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"To check the permissions of \\\"/etc/shadow\\\", run the command:\n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following permissions:\n\\\"----------\\\"\nIf it does not, this is a finding.\"\n tag \"fix\": \"To properly set the permissions of \\\"/etc/shadow\\\", run the\ncommand:\n\n# chmod 0000 /etc/shadow\"\n\n describe file(\"/etc/shadow\") do\n it { should exist }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_executable.by \"group\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_readable.by \"group\" }\n end\n describe file(\"/etc/shadow\") do\n its(\"gid\") { should cmp 0 }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_writable.by \"group\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_executable.by \"other\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_readable.by \"other\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_writable.by \"other\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_setgid }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_sticky }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_setuid }\n end\n 
describe file(\"/etc/shadow\") do\n it { should_not be_executable.by \"owner\" }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_readable.by \"owner\" }\n end\n describe file(\"/etc/shadow\") do\n its(\"uid\") { should cmp 0 }\n end\n describe file(\"/etc/shadow\") do\n it { should_not be_writable.by \"owner\" }\n end\nend\n", + "code": "control \"V-38512\" do\n title \"The operating system must prevent public IPv4 access into an\norganizations internal networks, except as appropriately mediated by managed\ninterfaces employing boundary protection devices.\"\n desc \"The \\\"iptables\\\" service provides the system's host-based firewalling\ncapability for IPv4 and ICMP.\"\n impact 0.5\n tag \"gtitle\": \"SRG-OS-000146\"\n tag \"gid\": \"V-38512\"\n tag \"rid\": \"SV-50313r2_rule\"\n tag \"stig_id\": \"RHEL-06-000117\"\n tag \"fix_id\": \"F-43459r2_fix\"\n tag \"cci\": [\"CCI-001100\"]\n tag \"nist\": [\"SC-7 (2)\", \"Rev_4\"]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \\\"iptables\\\"\nservice:\n\n# service iptables status\n\nIf the service is not running, it should return the following:\n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.\"\n tag \"fix\": \"The \\\"iptables\\\" service can be enabled with the following\ncommands:\n\n# chkconfig iptables on\n# service iptables start\"\n\n describe service('iptables') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 6 STIG/controls/V-38504.rb", + "ref": "./Red Hat 6 
STIG/controls/V-38512.rb", "line": 1 }, - "id": "V-38504" + "id": "V-38512" } ], "groups": [ { "title": null, "controls": [ - "V-38501" + "V-38533" ], - "id": "controls/V-38501.rb" + "id": "controls/V-38533.rb" }, { "title": null, "controls": [ - "V-38558" + "V-38497" ], - "id": "controls/V-38558.rb" + "id": "controls/V-38497.rb" }, { "title": null, "controls": [ - "V-38446" + "V-38540" ], - "id": "controls/V-38446.rb" + "id": "controls/V-38540.rb" }, { "title": null, "controls": [ - "V-38613" + "V-72817" ], - "id": "controls/V-38613.rb" + "id": "controls/V-72817.rb" }, { "title": null, "controls": [ - "V-38590" + "V-38467" ], - "id": "controls/V-38590.rb" + "id": "controls/V-38467.rb" }, { "title": null, "controls": [ - "V-38668" + "V-38627" ], - "id": "controls/V-38668.rb" + "id": "controls/V-38627.rb" }, { "title": null, "controls": [ - "V-38652" + "V-38474" ], - "id": "controls/V-38652.rb" + "id": "controls/V-38474.rb" }, { "title": null, "controls": [ - "V-38569" + "V-38579" ], - "id": "controls/V-38569.rb" + "id": "controls/V-38579.rb" }, { "title": null, "controls": [ - "V-38627" + "V-38665" ], - "id": "controls/V-38627.rb" + "id": "controls/V-38665.rb" }, { "title": null, "controls": [ - "V-38680" + "V-38502" ], - "id": "controls/V-38680.rb" + "id": "controls/V-38502.rb" }, { "title": null, "controls": [ - "V-38619" + "V-38660" ], - "id": "controls/V-38619.rb" + "id": "controls/V-38660.rb" }, { "title": null, "controls": [ - "V-38521" + "V-38568" ], - "id": "controls/V-38521.rb" + "id": "controls/V-38568.rb" }, { "title": null, "controls": [ - "V-38494" + "V-38691" ], - "id": "controls/V-38494.rb" + "id": "controls/V-38691.rb" }, { "title": null, "controls": [ - "V-38464" + "V-38549" ], - "id": "controls/V-38464.rb" + "id": "controls/V-38549.rb" }, { "title": null, "controls": [ - "V-38530" + "V-38593" ], - "id": "controls/V-38530.rb" + "id": "controls/V-38593.rb" }, { "title": null, "controls": [ - "V-51875" + "V-38449" ], - "id": "controls/V-51875.rb" + 
"id": "controls/V-38449.rb" }, { "title": null, "controls": [ - "V-38638" + "V-38494" ], - "id": "controls/V-38638.rb" + "id": "controls/V-38494.rb" }, { "title": null, "controls": [ - "V-38465" + "V-38488" ], - "id": "controls/V-38465.rb" + "id": "controls/V-38488.rb" }, { "title": null, "controls": [ - "V-72817" + "V-38619" ], - "id": "controls/V-72817.rb" + "id": "controls/V-38619.rb" }, { "title": null, "controls": [ - "V-38448" + "V-38659" ], - "id": "controls/V-38448.rb" + "id": "controls/V-38659.rb" }, { "title": null, "controls": [ - "V-38678" + "V-38481" ], - "id": "controls/V-38678.rb" + "id": "controls/V-38481.rb" }, { "title": null, "controls": [ - "V-38500" + "V-38604" ], - "id": "controls/V-38500.rb" + "id": "controls/V-38604.rb" }, { "title": null, "controls": [ - "V-38576" + "V-38670" ], - "id": "controls/V-38576.rb" + "id": "controls/V-38670.rb" }, { "title": null, "controls": [ - "V-38629" + "V-38656" ], - "id": "controls/V-38629.rb" + "id": "controls/V-38656.rb" }, { "title": null, "controls": [ - "V-38641" + "V-38585" ], - "id": "controls/V-38641.rb" + "id": "controls/V-38585.rb" }, { "title": null, "controls": [ - "V-38495" + "V-38456" ], - "id": "controls/V-38495.rb" + "id": "controls/V-38456.rb" }, { "title": null, "controls": [ - "V-38461" + "V-38452" ], - "id": "controls/V-38461.rb" + "id": "controls/V-38452.rb" }, { "title": null, "controls": [ - "V-38511" + "V-38542" ], - "id": "controls/V-38511.rb" + "id": "controls/V-38542.rb" }, { "title": null, "controls": [ - "V-38473" + "V-38567" ], - "id": "controls/V-38473.rb" + "id": "controls/V-38567.rb" }, { "title": null, "controls": [ - "V-38533" + "V-38654" ], - "id": "controls/V-38533.rb" + "id": "controls/V-38654.rb" }, { "title": null, "controls": [ - "V-38620" + "V-38471" ], - "id": "controls/V-38620.rb" + "id": "controls/V-38471.rb" }, { "title": null, "controls": [ - "V-38451" + "V-38541" ], - "id": "controls/V-38451.rb" + "id": "controls/V-38541.rb" }, { "title": null, "controls": [ - 
"V-38492" + "V-38692" ], - "id": "controls/V-38492.rb" + "id": "controls/V-38692.rb" }, { "title": null, "controls": [ - "V-38557" + "V-38671" ], - "id": "controls/V-38557.rb" + "id": "controls/V-38671.rb" }, { "title": null, "controls": [ - "V-38669" + "V-38437" ], - "id": "controls/V-38669.rb" + "id": "controls/V-38437.rb" }, { "title": null, "controls": [ - "V-51369" + "V-38504" ], - "id": "controls/V-51369.rb" + "id": "controls/V-38504.rb" }, { "title": null, "controls": [ - "V-38609" + "V-38569" ], - "id": "controls/V-38609.rb" + "id": "controls/V-38569.rb" }, { "title": null, "controls": [ - "V-38482" + "V-38498" ], - "id": "controls/V-38482.rb" + "id": "controls/V-38498.rb" }, { "title": null, "controls": [ - "V-38536" + "V-38574" ], - "id": "controls/V-38536.rb" + "id": "controls/V-38574.rb" }, { "title": null, "controls": [ - "V-38518" + "V-38683" ], - "id": "controls/V-38518.rb" + "id": "controls/V-38683.rb" }, { "title": null, "controls": [ - "V-38673" + "V-38486" ], - "id": "controls/V-38673.rb" + "id": "controls/V-38486.rb" }, { "title": null, "controls": [ - "V-38617" + "V-38448" ], - "id": "controls/V-38617.rb" + "id": "controls/V-38448.rb" }, { "title": null, "controls": [ - "V-38656" + "V-38600" ], - "id": "controls/V-38656.rb" + "id": "controls/V-38600.rb" }, { "title": null, "controls": [ - "V-38578" + "V-38610" ], - "id": "controls/V-38578.rb" + "id": "controls/V-38610.rb" }, { "title": null, "controls": [ - "V-38647" + "V-38458" ], - "id": "controls/V-38647.rb" + "id": "controls/V-38458.rb" }, { "title": null, "controls": [ - "V-38698" + "V-38516" ], - "id": "controls/V-38698.rb" + "id": "controls/V-38516.rb" }, { "title": null, "controls": [ - "V-38591" + "V-38649" ], - "id": "controls/V-38591.rb" + "id": "controls/V-38649.rb" }, { "title": null, "controls": [ - "V-38573" + "V-38689" ], - "id": "controls/V-38573.rb" + "id": "controls/V-38689.rb" }, { "title": null, "controls": [ - "V-38675" + "V-38457" ], - "id": "controls/V-38675.rb" + "id": 
"controls/V-38457.rb" }, { "title": null, "controls": [ - "V-38443" + "V-51391" ], - "id": "controls/V-38443.rb" + "id": "controls/V-51391.rb" }, { "title": null, "controls": [ - "V-38486" + "V-38575" ], - "id": "controls/V-38486.rb" + "id": "controls/V-38575.rb" }, { "title": null, "controls": [ - "V-38531" + "V-38503" ], - "id": "controls/V-38531.rb" + "id": "controls/V-38503.rb" }, { "title": null, @@ -11231,9 +11231,9 @@ { "title": null, "controls": [ - "V-38514" + "V-38603" ], - "id": "controls/V-38514.rb" + "id": "controls/V-38603.rb" }, { "title": null, 
@@ -11245,688 +11245,695 @@ { "title": null, "controls": [ - "V-38550" + "V-38479" ], - "id": "controls/V-38550.rb" + "id": "controls/V-38479.rb" }, { "title": null, "controls": [ - "V-38560" + "V-38551" ], - "id": "controls/V-38560.rb" + "id": "controls/V-38551.rb" }, { "title": null, "controls": [ - "V-38600" + "V-38688" ], - "id": "controls/V-38600.rb" + "id": "controls/V-38688.rb" }, { "title": null, "controls": [ - "V-38701" + "V-38652" ], - "id": "controls/V-38701.rb" + "id": "controls/V-38652.rb" }, { "title": null, "controls": [ - "V-57569" + "V-38589" ], - "id": "controls/V-57569.rb" + "id": "controls/V-38589.rb" }, { "title": null, "controls": [ - "V-38553" + "V-38622" ], - "id": "controls/V-38553.rb" + "id": "controls/V-38622.rb" }, { "title": null, "controls": [ - "V-54381" + "V-38480" ], - "id": "controls/V-54381.rb" + "id": "controls/V-38480.rb" }, { "title": null, "controls": [ - "V-38606" + "V-38465" ], - "id": "controls/V-38606.rb" + "id": "controls/V-38465.rb" }, { "title": null, "controls": [ - "V-38496" + "V-38673" ], - "id": "controls/V-38496.rb" + "id": "controls/V-38673.rb" }, { "title": null, "controls": [ - "V-38566" + "V-38454" ], - "id": "controls/V-38566.rb" + "id": "controls/V-38454.rb" }, { "title": null, "controls": [ - "V-38616" + "V-38596" ], - "id": "controls/V-38616.rb" + "id": "controls/V-38596.rb" }, { "title": null, "controls": [ - "V-38503" + "V-38513" ], - "id": "controls/V-38503.rb" + "id": "controls/V-38513.rb" }, { "title": null, "controls": [ - "V-38540" + "V-38536" ], - "id": "controls/V-38540.rb" + "id": "controls/V-38536.rb" }, { "title": null, "controls": [ - "V-38523" + "V-38555" ], - "id": "controls/V-38523.rb" + "id": "controls/V-38555.rb" }, { "title": null, "controls": [ - "V-38577" + "V-38661" ], - "id": "controls/V-38577.rb" + "id": "controls/V-38661.rb" }, { "title": null, "controls": [ - "V-38618" + "V-38630" ], - "id": "controls/V-38618.rb" + "id": "controls/V-38630.rb" + }, + { + "title": null, + 
"controls": [ + "V-38522" + ], + "id": "controls/V-38522.rb" }, { "title": null, "controls": [ - "V-38655" + "V-38489" ], - "id": "controls/V-38655.rb" + "id": "controls/V-38489.rb" }, { "title": null, "controls": [ - "V-38525" + "V-38682" ], - "id": "controls/V-38525.rb" + "id": "controls/V-38682.rb" }, { "title": null, "controls": [ - "V-38544" + "V-38473" ], - "id": "controls/V-38544.rb" + "id": "controls/V-38473.rb" }, { "title": null, "controls": [ - "V-38699" + "V-38443" ], - "id": "controls/V-38699.rb" + "id": "controls/V-38443.rb" }, { "title": null, "controls": [ - "V-38697" + "V-38597" ], - "id": "controls/V-38697.rb" + "id": "controls/V-38597.rb" }, { "title": null, "controls": [ - "V-38502" + "V-38693" ], - "id": "controls/V-38502.rb" + "id": "controls/V-38693.rb" }, { "title": null, "controls": [ - "V-43150" + "V-38531" ], - "id": "controls/V-43150.rb" + "id": "controls/V-38531.rb" }, { "title": null, "controls": [ - "V-38453" + "V-38535" ], - "id": "controls/V-38453.rb" + "id": "controls/V-38535.rb" }, { "title": null, "controls": [ - "V-38542" + "V-38607" ], - "id": "controls/V-38542.rb" + "id": "controls/V-38607.rb" }, { "title": null, "controls": [ - "V-38621" + "V-38490" ], - "id": "controls/V-38621.rb" + "id": "controls/V-38490.rb" }, { "title": null, "controls": [ - "V-38475" + "V-38631" ], - "id": "controls/V-38475.rb" + "id": "controls/V-38631.rb" }, { "title": null, "controls": [ - "V-38513" + "V-38580" ], - "id": "controls/V-38513.rb" + "id": "controls/V-38580.rb" }, { "title": null, "controls": [ - "V-38515" + "V-38598" ], - "id": "controls/V-38515.rb" + "id": "controls/V-38598.rb" }, { "title": null, "controls": [ - "V-38472" + "V-38681" ], - "id": "controls/V-38472.rb" + "id": "controls/V-38681.rb" }, { "title": null, "controls": [ - "V-38663" + "V-38615" ], - "id": "controls/V-38663.rb" + "id": "controls/V-38615.rb" }, { "title": null, "controls": [ - "V-38598" + "V-38491" ], - "id": "controls/V-38598.rb" + "id": "controls/V-38491.rb" }, 
{ "title": null, "controls": [ - "V-38636" + "V-38698" ], - "id": "controls/V-38636.rb" + "id": "controls/V-38698.rb" }, { "title": null, "controls": [ - "V-38603" + "V-38608" ], - "id": "controls/V-38603.rb" + "id": "controls/V-38608.rb" }, { "title": null, "controls": [ - "V-38543" + "V-38645" ], - "id": "controls/V-38543.rb" + "id": "controls/V-38645.rb" }, { "title": null, "controls": [ - "V-38539" + "V-38514" ], - "id": "controls/V-38539.rb" + "id": "controls/V-38514.rb" }, { "title": null, "controls": [ - "V-38497" + "V-38583" ], - "id": "controls/V-38497.rb" + "id": "controls/V-38583.rb" }, { "title": null, "controls": [ - "V-38479" + "V-38444" ], - "id": "controls/V-38479.rb" + "id": "controls/V-38444.rb" }, { "title": null, "controls": [ - "V-38556" + "V-38561" ], - "id": "controls/V-38556.rb" + "id": "controls/V-38561.rb" }, { "title": null, "controls": [ - "V-38686" + "V-38677" ], - "id": "controls/V-38686.rb" + "id": "controls/V-38677.rb" }, { "title": null, "controls": [ - "V-38568" + "V-38501" ], - "id": "controls/V-38568.rb" + "id": "controls/V-38501.rb" }, { "title": null, "controls": [ - "V-38444" + "V-38581" ], - "id": "controls/V-38444.rb" + "id": "controls/V-38581.rb" }, { "title": null, "controls": [ - "V-38584" + "V-38517" ], - "id": "controls/V-38584.rb" + "id": "controls/V-38517.rb" }, { "title": null, "controls": [ - "V-38645" + "V-38556" ], - "id": "controls/V-38645.rb" + "id": "controls/V-38556.rb" }, { "title": null, "controls": [ - "V-38563" + "V-38530" ], - "id": "controls/V-38563.rb" + "id": "controls/V-38530.rb" }, { "title": null, "controls": [ - "V-38700" + "V-38662" ], - "id": "controls/V-38700.rb" + "id": "controls/V-38662.rb" }, { "title": null, "controls": [ - "V-38599" + "V-38563" ], - "id": "controls/V-38599.rb" + "id": "controls/V-38563.rb" }, { "title": null, "controls": [ - "V-38587" + "V-38614" ], - "id": "controls/V-38587.rb" + "id": "controls/V-38614.rb" }, { "title": null, "controls": [ - "V-38450" + "V-81447" ], - 
"id": "controls/V-38450.rb" + "id": "controls/V-81447.rb" }, { "title": null, "controls": [ - "V-81441" + "V-38518" ], - "id": "controls/V-81441.rb" + "id": "controls/V-38518.rb" }, { "title": null, "controls": [ - "V-38570" + "V-38605" ], - "id": "controls/V-38570.rb" + "id": "controls/V-38605.rb" }, { "title": null, "controls": [ - "V-38614" + "V-38620" ], - "id": "controls/V-38614.rb" + "id": "controls/V-38620.rb" }, { "title": null, "controls": [ - "V-38644" + "V-38524" ], - "id": "controls/V-38644.rb" + "id": "controls/V-38524.rb" }, { "title": null, "controls": [ - "V-38631" + "V-38588" ], - "id": "controls/V-38631.rb" + "id": "controls/V-38588.rb" }, { "title": null, "controls": [ - "V-38517" + "V-38637" ], - "id": "controls/V-38517.rb" + "id": "controls/V-38637.rb" }, { "title": null, "controls": [ - "V-38456" + "V-38500" ], - "id": "controls/V-38456.rb" + "id": "controls/V-38500.rb" }, { "title": null, "controls": [ - "V-38488" + "V-38696" ], - "id": "controls/V-38488.rb" + "id": "controls/V-38696.rb" }, { "title": null, "controls": [ - "V-38689" + "V-38552" ], - "id": "controls/V-38689.rb" + "id": "controls/V-38552.rb" }, { "title": null, "controls": [ - "V-38630" + "V-38450" ], - "id": "controls/V-38630.rb" + "id": "controls/V-38450.rb" }, { "title": null, "controls": [ - "V-38480" + "V-38468" ], - "id": "controls/V-38480.rb" + "id": "controls/V-38468.rb" }, { "title": null, "controls": [ - "V-38604" + "V-38445" ], - "id": "controls/V-38604.rb" + "id": "controls/V-38445.rb" }, { "title": null, "controls": [ - "V-38487" + "V-38613" ], - "id": "controls/V-38487.rb" + "id": "controls/V-38613.rb" }, { "title": null, "controls": [ - "V-38683" + "V-38548" ], - "id": "controls/V-38683.rb" + "id": "controls/V-38548.rb" }, { "title": null, "controls": [ - "V-38660" + "V-38544" ], - "id": "controls/V-38660.rb" + "id": "controls/V-38544.rb" }, { "title": null, "controls": [ - "V-38583" + "V-38700" ], - "id": "controls/V-38583.rb" + "id": "controls/V-38700.rb" }, { 
"title": null, "controls": [ - "V-38667" + "V-38699" ], - "id": "controls/V-38667.rb" + "id": "controls/V-38699.rb" }, { "title": null, "controls": [ - "V-38580" + "V-51875" ], - "id": "controls/V-38580.rb" + "id": "controls/V-51875.rb" }, { "title": null, "controls": [ - "V-38687" + "V-38461" ], - "id": "controls/V-38687.rb" + "id": "controls/V-38461.rb" }, { "title": null, "controls": [ - "V-38695" + "V-38459" ], - "id": "controls/V-38695.rb" + "id": "controls/V-38459.rb" }, { "title": null, "controls": [ - "V-51363" + "V-38612" ], - "id": "controls/V-51363.rb" + "id": "controls/V-38612.rb" }, { "title": null, "controls": [ - "V-38547" + "V-38554" ], - "id": "controls/V-38547.rb" + "id": "controls/V-38554.rb" }, { "title": null, "controls": [ - "V-38612" + "V-38663" ], - "id": "controls/V-38612.rb" + "id": "controls/V-38663.rb" }, { "title": null, "controls": [ - "V-38610" + "V-38611" ], - "id": "controls/V-38610.rb" + "id": "controls/V-38611.rb" }, { "title": null, "controls": [ - "V-38474" + "V-38628" ], - "id": "controls/V-38474.rb" + "id": "controls/V-38628.rb" }, { "title": null, "controls": [ - "V-38565" + "V-38616" ], - "id": "controls/V-38565.rb" + "id": "controls/V-38616.rb" }, { "title": null, "controls": [ - "V-38516" + "V-38621" ], - "id": "controls/V-38516.rb" + "id": "controls/V-38621.rb" }, { "title": null, "controls": [ - "V-38477" + "V-38678" ], - "id": "controls/V-38477.rb" + "id": "controls/V-38678.rb" }, { "title": null, "controls": [ - "V-38454" + "V-38477" ], - "id": "controls/V-38454.rb" + "id": "controls/V-38477.rb" }, { "title": null, "controls": [ - "V-38541" + "V-38472" ], - "id": "controls/V-38541.rb" + "id": "controls/V-38472.rb" }, { "title": null, "controls": [ - "V-38489" + "V-38455" ], - "id": "controls/V-38489.rb" + "id": "controls/V-38455.rb" }, { "title": null, "controls": [ - "V-38537" + "V-38667" ], - "id": "controls/V-38537.rb" + "id": "controls/V-38667.rb" }, { "title": null, "controls": [ - "V-38681" + "V-38570" ], - "id": 
"controls/V-38681.rb" + "id": "controls/V-38570.rb" }, { "title": null, "controls": [ - "V-81445" + "V-38447" ], - "id": "controls/V-81445.rb" + "id": "controls/V-38447.rb" }, { "title": null, "controls": [ - "V-38624" + "V-38676" ], - "id": "controls/V-38624.rb" + "id": "controls/V-38676.rb" }, { "title": null, "controls": [ - "V-38702" + "V-38595" ], - "id": "controls/V-38702.rb" + "id": "controls/V-38595.rb" }, { "title": null, "controls": [ - "V-38654" + "V-51363" ], - "id": "controls/V-38654.rb" + "id": "controls/V-51363.rb" }, { "title": null, "controls": [ - "V-38597" + "V-38646" ], - "id": "controls/V-38597.rb" + "id": "controls/V-38646.rb" }, { "title": null, "controls": [ - "V-38519" + "V-38636" ], - "id": "controls/V-38519.rb" + "id": "controls/V-38636.rb" }, { "title": null, "controls": [ - "V-38659" + "V-38606" ], - "id": "controls/V-38659.rb" + "id": "controls/V-38606.rb" }, { "title": null, "controls": [ - "V-38499" + "V-38520" ], - "id": "controls/V-38499.rb" + "id": "controls/V-38520.rb" }, { "title": null, "controls": [ - "V-38688" + "V-38557" ], - "id": "controls/V-38688.rb" + "id": "controls/V-38557.rb" }, { "title": null, "controls": [ - "V-38633" + "V-81445" ], - "id": "controls/V-38633.rb" + "id": "controls/V-81445.rb" }, { "title": null, "controls": [ - "V-38615" + "V-38675" ], - "id": "controls/V-38615.rb" + "id": "controls/V-38675.rb" }, { "title": null, "controls": [ - "V-38634" + "V-38685" ], - "id": "controls/V-38634.rb" + "id": "controls/V-38685.rb" }, { "title": null, "controls": [ - "V-38684" + "V-38587" ], - "id": "controls/V-38684.rb" + "id": "controls/V-38587.rb" }, { "title": null, "controls": [ - "V-38670" + "V-38642" ], - "id": "controls/V-38670.rb" + "id": "controls/V-38642.rb" }, { "title": null, "controls": [ - "V-38676" + "V-38617" ], - "id": "controls/V-38676.rb" + "id": "controls/V-38617.rb" }, { "title": null, "controls": [ - "V-38439" + "V-38702" ], - "id": "controls/V-38439.rb" + "id": "controls/V-38702.rb" }, { 
"title": null, @@ -11938,79 +11945,79 @@ { "title": null, "controls": [ - "V-38534" + "V-38566" ], - "id": "controls/V-38534.rb" + "id": "controls/V-38566.rb" }, { "title": null, "controls": [ - "V-38651" + "V-38701" ], - "id": "controls/V-38651.rb" + "id": "controls/V-38701.rb" }, { "title": null, "controls": [ - "V-38692" + "V-38470" ], - "id": "controls/V-38692.rb" + "id": "controls/V-38470.rb" }, { "title": null, "controls": [ - "V-38608" + "V-38460" ], - "id": "controls/V-38608.rb" + "id": "controls/V-38460.rb" }, { "title": null, "controls": [ - "V-38662" + "V-38466" ], - "id": "controls/V-38662.rb" + "id": "controls/V-38466.rb" }, { "title": null, "controls": [ - "V-38460" + "V-38618" ], - "id": "controls/V-38460.rb" + "id": "controls/V-38618.rb" }, { "title": null, "controls": [ - "V-38605" + "V-38648" ], - "id": "controls/V-38605.rb" + "id": "controls/V-38648.rb" }, { "title": null, "controls": [ - "V-38455" + "V-38532" ], - "id": "controls/V-38455.rb" + "id": "controls/V-38532.rb" }, { "title": null, "controls": [ - "V-38602" + "V-38584" ], - "id": "controls/V-38602.rb" + "id": "controls/V-38584.rb" }, { "title": null, "controls": [ - "V-38554" + "V-38560" ], - "id": "controls/V-38554.rb" + "id": "controls/V-38560.rb" }, { "title": null, "controls": [ - "V-38468" + "V-38634" ], - "id": "controls/V-38468.rb" + "id": "controls/V-38634.rb" }, { "title": null, 
@@ -12022,688 +12029,681 @@ { "title": null, "controls": [ - "V-38601" - ], - "id": "controls/V-38601.rb" - }, - { - "title": null, - "controls": [ - "V-38677" + "V-38534" ], - "id": "controls/V-38677.rb" + "id": "controls/V-38534.rb" }, { "title": null, "controls": [ - "V-38682" + "V-38545" ], - "id": "controls/V-38682.rb" + "id": "controls/V-38545.rb" }, { "title": null, "controls": [ - "V-38679" + "V-38558" ], - "id": "controls/V-38679.rb" + "id": "controls/V-38558.rb" }, { "title": null, "controls": [ - "V-38551" + "V-38446" ], - "id": "controls/V-38551.rb" + "id": "controls/V-38446.rb" }, { "title": null, "controls": [ - "V-38567" + "V-38669" ], - "id": "controls/V-38567.rb" + "id": "controls/V-38669.rb" }, { "title": null, "controls": [ - "V-38657" + "V-38576" ], - "id": "controls/V-38657.rb" + "id": "controls/V-38576.rb" }, { "title": null, "controls": [ - "V-38650" + "V-38655" ], - "id": "controls/V-38650.rb" + "id": "controls/V-38655.rb" }, { "title": null, "controls": [ - "V-38491" + "V-38499" ], - "id": "controls/V-38491.rb" + "id": "controls/V-38499.rb" }, { "title": null, "controls": [ - "V-38674" + "V-38591" ], - "id": "controls/V-38674.rb" + "id": "controls/V-38591.rb" }, { "title": null, "controls": [ - "V-38592" + "V-38679" ], - "id": "controls/V-38592.rb" + "id": "controls/V-38679.rb" }, { "title": null, "controls": [ - "V-38665" + "V-38609" ], - "id": "controls/V-38665.rb" + "id": "controls/V-38609.rb" }, { "title": null, "controls": [ - "V-38632" + "V-38438" ], - "id": "controls/V-38632.rb" + "id": "controls/V-38438.rb" }, { "title": null, "controls": [ - "V-38581" + "V-38672" ], - "id": "controls/V-38581.rb" + "id": "controls/V-38672.rb" }, { "title": null, "controls": [ - "V-38458" + "V-38526" ], - "id": "controls/V-38458.rb" + "id": "controls/V-38526.rb" }, { "title": null, "controls": [ - "V-51379" + "V-38464" ], - "id": "controls/V-51379.rb" + "id": "controls/V-38464.rb" }, { "title": null, "controls": [ - "V-38467" + "V-38553" ], - "id": 
"controls/V-38467.rb" + "id": "controls/V-38553.rb" }, { "title": null, "controls": [ - "V-38463" + "V-38525" ], - "id": "controls/V-38463.rb" + "id": "controls/V-38525.rb" }, { "title": null, "controls": [ - "V-38532" + "V-38495" ], - "id": "controls/V-38532.rb" + "id": "controls/V-38495.rb" }, { "title": null, "controls": [ - "V-38582" + "V-38550" ], - "id": "controls/V-38582.rb" + "id": "controls/V-38550.rb" }, { "title": null, "controls": [ - "V-38623" + "V-38602" ], - "id": "controls/V-38623.rb" + "id": "controls/V-38602.rb" }, { "title": null, "controls": [ - "V-38552" + "V-38577" ], - "id": "controls/V-38552.rb" + "id": "controls/V-38577.rb" }, { "title": null, "controls": [ - "V-38572" + "V-38453" ], - "id": "controls/V-38572.rb" + "id": "controls/V-38453.rb" }, { "title": null, "controls": [ - "V-38594" + "V-38478" ], - "id": "controls/V-38594.rb" + "id": "controls/V-38478.rb" }, { "title": null, "controls": [ - "V-38693" + "V-81441" ], - "id": "controls/V-38693.rb" + "id": "controls/V-81441.rb" }, { "title": null, "controls": [ - "V-38438" + "V-38647" ], - "id": "controls/V-38438.rb" + "id": "controls/V-38647.rb" }, { "title": null, "controls": [ - "V-38579" + "V-38538" ], - "id": "controls/V-38579.rb" + "id": "controls/V-38538.rb" }, { "title": null, "controls": [ - "V-38696" + "V-38668" ], - "id": "controls/V-38696.rb" + "id": "controls/V-38668.rb" }, { "title": null, "controls": [ - "V-38585" + "V-38529" ], - "id": "controls/V-38585.rb" + "id": "controls/V-38529.rb" }, { "title": null, "controls": [ - "V-38571" + "V-38638" ], - "id": "controls/V-38571.rb" + "id": "controls/V-38638.rb" }, { "title": null, "controls": [ - "V-58901" + "V-38487" ], - "id": "controls/V-58901.rb" + "id": "controls/V-38487.rb" }, { "title": null, "controls": [ - "V-38685" + "V-38599" ], - "id": "controls/V-38685.rb" + "id": "controls/V-38599.rb" }, { "title": null, "controls": [ - "V-38575" + "V-38521" ], - "id": "controls/V-38575.rb" + "id": "controls/V-38521.rb" }, { 
"title": null, "controls": [ - "V-51391" + "V-38519" ], - "id": "controls/V-51391.rb" + "id": "controls/V-38519.rb" }, { "title": null, "controls": [ - "V-38447" + "V-38523" ], - "id": "controls/V-38447.rb" + "id": "controls/V-38523.rb" }, { "title": null, "controls": [ - "V-38483" + "V-38592" ], - "id": "controls/V-38483.rb" + "id": "controls/V-38592.rb" }, { "title": null, "controls": [ - "V-38593" + "V-38624" ], - "id": "controls/V-38593.rb" + "id": "controls/V-38624.rb" }, { "title": null, "controls": [ - "V-38490" + "V-57569" ], - "id": "controls/V-38490.rb" + "id": "controls/V-57569.rb" }, { "title": null, "controls": [ - "V-38607" + "V-38527" ], - "id": "controls/V-38607.rb" + "id": "controls/V-38527.rb" }, { "title": null, "controls": [ - "V-38690" + "V-38484" ], - "id": "controls/V-38690.rb" + "id": "controls/V-38484.rb" }, { "title": null, "controls": [ - "V-38527" + "V-51369" ], - "id": "controls/V-38527.rb" + "id": "controls/V-51369.rb" }, { "title": null, "controls": [ - "V-38457" + "V-51379" ], - "id": "controls/V-38457.rb" + "id": "controls/V-51379.rb" }, { "title": null, "controls": [ - "V-38478" + "V-38493" ], - "id": "controls/V-38478.rb" + "id": "controls/V-38493.rb" }, { "title": null, "controls": [ - "V-38643" + "V-38650" ], - "id": "controls/V-38643.rb" + "id": "controls/V-38650.rb" }, { "title": null, "controls": [ - "V-38476" + "V-38475" ], - "id": "controls/V-38476.rb" + "id": "controls/V-38475.rb" }, { "title": null, "controls": [ - "V-38639" + "V-58901" ], - "id": "controls/V-38639.rb" + "id": "controls/V-58901.rb" }, { "title": null, "controls": [ - "V-38672" + "V-38664" ], - "id": "controls/V-38672.rb" + "id": "controls/V-38664.rb" }, { "title": null, "controls": [ - "V-38466" + "V-38582" ], - "id": "controls/V-38466.rb" + "id": "controls/V-38582.rb" }, { "title": null, "controls": [ - "V-38452" + "V-38639" ], - "id": "controls/V-38452.rb" + "id": "controls/V-38639.rb" }, { "title": null, "controls": [ - "V-38459" + "V-38657" ], - "id": 
"controls/V-38459.rb" + "id": "controls/V-38657.rb" }, { "title": null, "controls": [ - "V-51337" + "V-43150" ], - "id": "controls/V-51337.rb" + "id": "controls/V-43150.rb" }, { "title": null, "controls": [ - "V-38640" + "V-38623" ], - "id": "controls/V-38640.rb" + "id": "controls/V-38623.rb" }, { "title": null, "controls": [ - "V-38555" + "V-38573" ], - "id": "controls/V-38555.rb" + "id": "controls/V-38573.rb" }, { "title": null, "controls": [ - "V-38449" + "V-38572" ], - "id": "controls/V-38449.rb" + "id": "controls/V-38572.rb" }, { "title": null, "controls": [ - "V-38493" + "V-38463" ], - "id": "controls/V-38493.rb" + "id": "controls/V-38463.rb" }, { "title": null, "controls": [ - "V-38661" + "V-38694" ], - "id": "controls/V-38661.rb" + "id": "controls/V-38694.rb" }, { "title": null, "controls": [ - "V-38671" + "V-38483" ], - "id": "controls/V-38671.rb" + "id": "controls/V-38483.rb" }, { "title": null, "controls": [ - "V-38574" + "V-38629" ], - "id": "controls/V-38574.rb" + "id": "controls/V-38629.rb" }, { "title": null, "controls": [ - "V-38658" + "V-38559" ], - "id": "controls/V-38658.rb" + "id": "controls/V-38559.rb" }, { "title": null, "controls": [ - "V-38642" + "V-38451" ], - "id": "controls/V-38642.rb" + "id": "controls/V-38451.rb" }, { "title": null, "controls": [ - "V-38481" + "V-38695" ], - "id": "controls/V-38481.rb" + "id": "controls/V-38695.rb" }, { "title": null, "controls": [ - "V-38526" + "V-51337" ], - "id": "controls/V-38526.rb" + "id": "controls/V-51337.rb" }, { "title": null, "controls": [ - "V-38646" + "V-38565" ], - "id": "controls/V-38646.rb" + "id": "controls/V-38565.rb" }, { "title": null, "controls": [ - "V-38589" + "V-38492" ], - "id": "controls/V-38589.rb" + "id": "controls/V-38492.rb" }, { "title": null, "controls": [ - "V-38545" + "V-54381" ], - "id": "controls/V-38545.rb" + "id": "controls/V-54381.rb" }, { "title": null, "controls": [ - "V-38535" + "V-38571" ], - "id": "controls/V-38535.rb" + "id": "controls/V-38571.rb" }, { 
"title": null, "controls": [ - "V-38548" + "V-38590" ], - "id": "controls/V-38548.rb" + "id": "controls/V-38590.rb" }, { "title": null, "controls": [ - "V-38520" + "V-38511" ], - "id": "controls/V-38520.rb" + "id": "controls/V-38511.rb" }, { "title": null, "controls": [ - "V-38596" + "V-38633" ], - "id": "controls/V-38596.rb" + "id": "controls/V-38633.rb" }, { "title": null, "controls": [ - "V-38470" + "V-38528" ], - "id": "controls/V-38470.rb" + "id": "controls/V-38528.rb" }, { "title": null, "controls": [ - "V-38595" + "V-38594" ], - "id": "controls/V-38595.rb" + "id": "controls/V-38594.rb" }, { "title": null, "controls": [ - "V-38529" + "V-38496" ], - "id": "controls/V-38529.rb" + "id": "controls/V-38496.rb" }, { "title": null, "controls": [ - "V-38628" + "V-38601" ], - "id": "controls/V-38628.rb" + "id": "controls/V-38601.rb" }, { "title": null, "controls": [ - "V-38471" + "V-38439" ], - "id": "controls/V-38471.rb" + "id": "controls/V-38439.rb" }, { "title": null, "controls": [ - "V-38522" + "V-38697" ], - "id": "controls/V-38522.rb" + "id": "controls/V-38697.rb" }, { "title": null, "controls": [ - "V-38559" + "V-38684" ], - "id": "controls/V-38559.rb" + "id": "controls/V-38684.rb" }, { "title": null, "controls": [ - "V-38498" + "V-38687" ], - "id": "controls/V-38498.rb" + "id": "controls/V-38687.rb" }, { "title": null, "controls": [ - "V-38549" + "V-38515" ], - "id": "controls/V-38549.rb" + "id": "controls/V-38515.rb" }, { "title": null, "controls": [ - "V-38637" + "V-38578" ], - "id": "controls/V-38637.rb" + "id": "controls/V-38578.rb" }, { "title": null, "controls": [ - "V-38664" + "V-38690" ], - "id": "controls/V-38664.rb" + "id": "controls/V-38690.rb" }, { "title": null, "controls": [ - "V-38524" + "V-38482" ], - "id": "controls/V-38524.rb" + "id": "controls/V-38482.rb" }, { "title": null, "controls": [ - "V-38649" + "V-81443" ], - "id": "controls/V-38649.rb" + "id": "controls/V-81443.rb" }, { "title": null, "controls": [ - "V-38445" + "V-38641" ], - "id": 
"controls/V-38445.rb" + "id": "controls/V-38641.rb" }, { "title": null, "controls": [ - "V-38528" + "V-38644" ], - "id": "controls/V-38528.rb" + "id": "controls/V-38644.rb" }, { "title": null, "controls": [ - "V-38694" + "V-38686" ], - "id": "controls/V-38694.rb" + "id": "controls/V-38686.rb" }, { "title": null, "controls": [ - "V-38622" + "V-38537" ], - "id": "controls/V-38622.rb" + "id": "controls/V-38537.rb" }, { "title": null, "controls": [ - "V-38691" + "V-38658" ], - "id": "controls/V-38691.rb" + "id": "controls/V-38658.rb" }, { "title": null, "controls": [ - "V-38561" + "V-38640" ], - "id": "controls/V-38561.rb" + "id": "controls/V-38640.rb" }, { "title": null, "controls": [ - "V-38437" + "V-38543" ], - "id": "controls/V-38437.rb" + "id": "controls/V-38543.rb" }, { "title": null, "controls": [ - "V-38611" + "V-38476" ], - "id": "controls/V-38611.rb" + "id": "controls/V-38476.rb" }, { "title": null, "controls": [ - "V-38484" + "V-38680" ], - "id": "controls/V-38484.rb" + "id": "controls/V-38680.rb" }, { "title": null, "controls": [ - "V-38648" + "V-38674" ], - "id": "controls/V-38648.rb" + "id": "controls/V-38674.rb" }, { "title": null, "controls": [ - "V-38588" + "V-38547" ], - "id": "controls/V-38588.rb" + "id": "controls/V-38547.rb" }, { "title": null, "controls": [ - "V-38512" + "V-38643" ], - "id": "controls/V-38512.rb" + "id": "controls/V-38643.rb" }, { "title": null, "controls": [ - "V-38538" + "V-38632" ], - "id": "controls/V-38538.rb" + "id": "controls/V-38632.rb" }, { "title": null, "controls": [ - "V-81447" + "V-38539" ], - "id": "controls/V-81447.rb" + "id": "controls/V-38539.rb" }, { "title": null, "controls": [ - "V-81443" + "V-38651" ], - "id": "controls/V-81443.rb" + "id": "controls/V-38651.rb" }, { "title": null, "controls": [ - "V-38504" + "V-38512" ], - "id": "controls/V-38504.rb" + "id": "controls/V-38512.rb" } ], "sha256": "715e650fab18752d13106d23672aa121df2dbdab9bc54687384fd2eeb0938717", 
diff --git a/src/assets/data/baselineProfiles/redhat-enterprise-linux-7-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-enterprise-linux-7-stig-baseline.json index 63ab1686..d1120995 100644 --- a/src/assets/data/baselineProfiles/redhat-enterprise-linux-7-stig-baseline.json +++ b/src/assets/data/baselineProfiles/redhat-enterprise-linux-7-stig-baseline.json 
@@ -25,59 +25,66 @@ "inputs": [], "controls": [ { - "title": "The Red Hat Enterprise Linux operating system must have the screen package installed.", - "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe screen and tmux packages allow for a session lock to be implemented and configured.", + "title": "The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.", + "desc": "Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps\n may consume a considerable amount of disk space and may result in denial of service by exhausting the available\n space on the target file system partition.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe screen and tmux packages allow for a session lock to be implemented and configured.", - "check": "Verify the operating system has the screen package installed.\n\nCheck to see if the screen package is installed with the following command:\n\n # yum list installed screen\n screen-4.3.1-3-x86_64.rpm\n\nIf the screen package is not installed, check to see if the tmux package is installed with the following command:\n\n # yum list installed tmux\n tmux-1.8-4.el7.x86_64.rpm\n\nIf either the screen package or the tmux package is not installed, this is a finding.", - "fix": "Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity.\n\nInstall the screen program (if it is not on the system) with the following command:\n\n # yum install screen\n\nOR\n\nInstall the tmux program (if it is not on the system) with the following command:\n\n # yum install tmux" + "default": "Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps\n may consume a considerable amount of disk space and may result in denial of service by exhausting the available\n space on the target file system partition.", + "check": "Verify that kernel core dumps are disabled unless needed.\n Check the status of the \"kdump\" service with the following command:\n # systemctl status kdump.service\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n kernel arming.\n If the \"kdump\" service is active, ask the System Administrator if the use of the service is required and documented\n with the Information System Security Officer (ISSO).\n If the service is active and is not documented, this is a finding.", + "fix": "If kernel core dumps are not required, disable the \"kdump\" service with the following command:\n # systemctl disable kdump.service\n If kernel core dumps are required, document the need with the ISSO." 
}, "impact": 0.5, "refs": [], "tags": { - "check_id": "C-59603r880777_chk", + "legacy": [ + "SV-86681", + "V-72057" + ], "severity": "medium", - "gid": "V-255926", - "rid": "SV-255926r880779_rule", - "stig_id": "RHEL-07-010090", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-59546r880778_fix", - "documentable": null, + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204492", + "rid": "SV-204492r603261_rule", + "stig_id": "RHEL-07-021300", + "fix_id": "F-4616r88669_fix", "cci": [ - "CCI-000057" + "CCI-000366" ], "nist": [ - "AC-11 a" - ] + "CM-6 b" + ], + "subsystems": [ + "kdump", + "kernel" + ], + "host": null }, - "code": "control 'SV-255926' do\n title 'The Red Hat Enterprise Linux operating system must have the screen package installed.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe screen and tmux packages allow for a session lock to be implemented and configured.\"\n desc 'check', 'Verify the operating system has the screen package installed.\n\nCheck to see if the screen package is installed with the following command:\n\n # yum list installed screen\n screen-4.3.1-3-x86_64.rpm\n\nIf the screen package is not installed, check to see if the tmux package is installed with the following command:\n\n # yum list installed tmux\n tmux-1.8-4.el7.x86_64.rpm\n\nIf either the screen package or the tmux package is not installed, this is a finding.'\n desc 'fix', \"Install the screen package to allow the initiation of a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity.\n\nInstall the screen program (if 
it is not on the system) with the following command:\n\n # yum install screen\n\nOR\n\nInstall the tmux program (if it is not on the system) with the following command:\n\n # yum install tmux\"\n impact 0.5\n tag check_id: 'C-59603r880777_chk'\n tag severity: 'medium'\n tag gid: 'V-255926'\n tag rid: 'SV-255926r880779_rule'\n tag stig_id: 'RHEL-07-010090'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag fix_id: 'F-59546r880778_fix'\n tag 'documentable'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe.one do\n describe package('screen') do\n it { should be_installed }\n end\n describe package('tmux') do\n it { should be_installed }\n end\n end\n end\nend\n", + "code": "control 'SV-204492' do\n title 'The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.'\n desc 'Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps\n may consume a considerable amount of disk space and may result in denial of service by exhausting the available\n space on the target file system partition.'\n desc 'check', 'Verify that kernel core dumps are disabled unless needed.\n Check the status of the \"kdump\" service with the following command:\n # systemctl status kdump.service\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n kernel arming.\n If the \"kdump\" service is active, ask the System Administrator if the use of the service is required and documented\n with the Information System Security Officer (ISSO).\n If the service is active and is not documented, this is a finding.'\n desc 'fix', 'If kernel core dumps are not required, disable the \"kdump\" service with the following command:\n # systemctl disable kdump.service\n If kernel core dumps are required, document the need with the ISSO.'\n impact 0.5\n tag legacy: ['SV-86681', 'V-72057']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204492'\n tag rid: 'SV-204492r603261_rule'\n tag stig_id: 'RHEL-07-021300'\n tag fix_id: 'F-4616r88669_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kdump', 'kernel']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n describe systemd_service('kdump.service') do\n it { should_not be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-255926.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204492.rb", "line": 1 }, - "id": "SV-255926" + "id": "SV-204492" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so 
that all local interactive user\n accounts, upon creation, are assigned a home directory.", - "desc": "If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.", + "title": "The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.", + "desc": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the\n purpose of sending spam or other unauthorized activity.", "descriptions": { - "default": "If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.", - "check": "Verify all local interactive users on the system are assigned a home directory upon creation.\n Check to see if the system is configured to create home directories for local interactive users with the following\n command:\n # grep -i create_home /etc/login.defs\n CREATE_HOME yes\n If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out,\n this is a finding.", - "fix": "Configure the operating system to assign home directories to all new local interactive users by\n setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.\n CREATE_HOME yes" + "default": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the\n purpose of sending spam or other unauthorized activity.", + "check": "Verify the system is configured to prevent unrestricted mail relaying.\n Determine if \"postfix\" is installed with the following commands:\n # yum list installed postfix\n postfix-2.6.6-6.el7.x86_64.rpm\n If postfix is not installed, this is Not Applicable.\n If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with\n the following command:\n # postconf -n 
smtpd_client_restrictions\n smtpd_client_restrictions = permit_mynetworks, reject\n If the \"smtpd_client_restrictions\" parameter contains any entries other than \"permit_mynetworks\" and \"reject\", this\n is a finding.", + "fix": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to restrict client connections to\n the local network with the following command:\n # postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72013", - "SV-86637" + "SV-86921", + "V-72297" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204466", - "rid": "SV-204466r603261_rule", - "stig_id": "RHEL-07-020610", - "fix_id": "F-4590r88591_fix", + "gid": "V-204619", + "rid": "SV-204619r603261_rule", + "stig_id": "RHEL-07-040680", + "fix_id": "F-4743r89050_fix", "cci": [ "CCI-000366" ], 
@@ -85,49 +92,52 @@ "CM-6 b" ], "subsystems": [ - "login_defs" + "postfix" ], "host": null, "container": null }, - "code": "control 'SV-204466' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user\n accounts, upon creation, are assigned a home directory.'\n desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.'\n desc 'check', 'Verify all local interactive users on the system are assigned a home directory upon creation.\n Check to see if the system is configured to create home directories for local interactive users with the following\n command:\n # grep -i create_home /etc/login.defs\n CREATE_HOME yes\n If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out,\n this is a finding.'\n desc 'fix', 'Configure the operating system to assign home directories to all new local interactive users by\n setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.\n CREATE_HOME yes'\n impact 0.5\n tag legacy: ['V-72013', 'SV-86637']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204466'\n tag rid: 'SV-204466r603261_rule'\n tag stig_id: 'RHEL-07-020610'\n tag fix_id: 'F-4590r88591_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['login_defs']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('CREATE_HOME') { should eq 'yes' }\n end\nend\n", + "code": "control 'SV-204619' do\n title 'The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.'\n desc 'If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the\n purpose of sending spam or other unauthorized activity.'\n desc 'check', 'Verify the system is configured to prevent unrestricted mail relaying.\n Determine if \"postfix\" is 
installed with the following commands:\n # yum list installed postfix\n postfix-2.6.6-6.el7.x86_64.rpm\n If postfix is not installed, this is Not Applicable.\n If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with\n the following command:\n # postconf -n smtpd_client_restrictions\n smtpd_client_restrictions = permit_mynetworks, reject\n If the \"smtpd_client_restrictions\" parameter contains any entries other than \"permit_mynetworks\" and \"reject\", this\n is a finding.'\n desc 'fix', %q(If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to restrict client connections to\n the local network with the following command:\n # postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject')\n impact 0.5\n tag legacy: ['SV-86921', 'V-72297']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204619'\n tag rid: 'SV-204619r603261_rule'\n tag stig_id: 'RHEL-07-040680'\n tag fix_id: 'F-4743r89050_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['postfix']\n tag 'host'\n tag 'container'\n\n if package('postfix').installed?\n options = { assignment_regex: /^\\s*([^=]*?)\\s*=\\s*(.*?)\\s*$/ }\n\n if defined? 
parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions']\n pf_config = parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions'].split(',')\n end\n\n describe 'Postfix config setting smptd_client_restrictions' do\n it \"should be set to 'permit_mynetworks', 'reject', or both\" do\n expect(pf_config).to all satisfy { |x| ['permit_mynetworks', 'reject'].include?(x) }\n end\n end\n else\n describe 'The `postfix` package is not installed' do\n skip 'The `postfix` package is not installed, this control is Not Applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204466.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204619.rb", "line": 1 }, - "id": "SV-204466" + "id": "SV-204619" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the umount command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/umount\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/gpasswd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72173", - "SV-86797" + "SV-86777", + "V-72153" ], "severity": "medium", "gtitle": "SRG-OS-000042-GPOS-00020", "satisfies": [ "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172" + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-204553", - "rid": "SV-204553r861056_rule", - "stig_id": "RHEL-07-030750", - "fix_id": "F-4677r861055_fix", + "gid": "V-204544", + "rid": "SV-204544r861032_rule", + "stig_id": "RHEL-07-030650", + "fix_id": "F-4668r861031_fix", "cci": [ "CCI-000135", + "CCI-000172", "CCI-002884" ], "nist": [ "AU-3 (1)", + "AU-12 c", "MA-4 (1) (a)" ], "subsystems": [ 
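Review bot: The `smtpd_client_restrictions` check in the new SV-204619 `code` string errors or passes vacuously instead of producing a clean finding: `defined?` on a method-call expression only reports that `[]` exists on the params hash, so when `main.cf` has no such line `pf_config` stays `nil` and the `all` matcher raises rather than fails, while a present-but-empty value gives `''.split(',')` → `[]` and `all satisfy` passes with nothing to check. `split(',')` also keeps surrounding whitespace, so the `permit_mynetworks, reject` form quoted in this control's own check text yields `' reject'` and a false finding. Suggested rewrite below derives the list with `.to_s.split(',').map(&:strip).reject(&:empty?)`, asserts it is non-empty before the `all` matcher, and fixes the `smptd_client_restrictions` typo in the describe label; since this JSON is an export, the change belongs in `./Red Hat 7 STIG/controls/SV-204619.rb` (the `source_location` in this hunk) with the baseline regenerated. Reading `main.cf` with a per-line regex rather than `postconf -n` presumably also misses Postfix continuation lines; the rewrite keeps that approach and does not address it.
```ruby
# … unchanged: control metadata, desc and tag lines …
  if package('postfix').installed?
    options = { assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/ }
    raw_value = parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions']
    # nil (line absent) and '' (line empty) both become [] and fail the non-empty assertion
    pf_config = raw_value.to_s.split(',').map(&:strip).reject(&:empty?)

    describe 'Postfix config setting smtpd_client_restrictions' do
      it "should be set to 'permit_mynetworks', 'reject', or both" do
        expect(pf_config).not_to be_empty
        expect(pf_config).to all satisfy { |x| ['permit_mynetworks', 'reject'].include?(x) }
      end
    end
  else
    # … unchanged: Not Applicable skip when postfix is not installed …
  end
```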
@@ -137,116 +147,113 @@ ], "host": null }, - "code": "control 'SV-204553' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the umount command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/umount\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72173', 'SV-86797']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172']\n tag gid: 
'V-204553'\n tag rid: 'SV-204553r861056_rule'\n tag stig_id: 'RHEL-07-030750'\n tag fix_id: 'F-4677r861055_fix'\n tag cci: ['CCI-000135', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/umount'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-mount')\n end\n end\n end\nend\n", + "code": "control 'SV-204544' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/gpasswd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86777', 'V-72153']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204544'\n tag rid: 'SV-204544r861032_rule'\n tag stig_id: 'RHEL-07-030650'\n tag fix_id: 'F-4668r861031_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/gpasswd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to 
include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204553.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204544.rb", "line": 1 }, - "id": "SV-204553" + "id": "SV-204544" }, { - "title": "For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be\n configured.", - "desc": "To provide availability for name resolution services, multiple redundant name servers are mandated. A\n failure in name resolution could lead to the failure of security functions requiring name resolution, which may\n include time synchronization, centralized authentication, and remote system logging.", + "title": "The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.", + "desc": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.", "descriptions": { - "default": "To provide availability for name resolution services, multiple redundant name servers are mandated. 
A\n failure in name resolution could lead to the failure of security functions requiring name resolution, which may\n include time synchronization, centralized authentication, and remote system logging.", - "check": "Determine whether the system is using local or DNS name resolution with the following command:\n # grep hosts /etc/nsswitch.conf\n hosts: files dns\n If the DNS entry is missing from the host's line in the \"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must\n be empty.\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n # ls -al /etc/resolv.conf\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n If local host authentication is being used and the \"/etc/resolv.conf\" file is not empty, this is a finding.\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\" file, verify the operating system is\n configured to use two or more name servers for DNS resolution.\n Determine the name servers used by the system with the following command:\n # grep nameserver /etc/resolv.conf\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n If less than two lines are returned that are not commented out, this is a finding.\n Verify that the \"/etc/resolv.conf\" file is immutable with the following command:\n # sudo lsattr /etc/resolv.conf\n ----i----------- /etc/resolv.conf\n If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a\n finding.", - "fix": "Configure the operating system to use two or more name servers for DNS resolution.\n Edit the \"/etc/resolv.conf\" file to uncomment or add the two or more \"nameserver\" option lines with the IP address\n of local authoritative name servers. If local host resolution is being performed, the \"/etc/resolv.conf\" file must\n be empty. 
An empty \"/etc/resolv.conf\" file can be created as follows:\n # echo -n > /etc/resolv.conf\n And then make the file immutable with the following command:\n # chattr +i /etc/resolv.conf\n If the \"/etc/resolv.conf\" file must be mutable, the required configuration must be documented with the Information\n System Security Officer (ISSO) and the file must be verified by the system file integrity tool." + "default": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.", + "check": "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the SSH X11UseLocalhost setting with the following command:\n\n# sudo grep -i x11uselocalhost /etc/ssh/sshd_config\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding.", + "fix": "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11UseLocalhost yes" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "SV-86905", - "V-72281" - ], - "severity": "low", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204608", - "rid": "SV-204608r603261_rule", - "stig_id": "RHEL-07-040600", - "fix_id": "F-4732r89017_fix", + "satisfies": null, + "gid": "V-233307", + "rid": "SV-233307r603301_rule", + "stig_id": "RHEL-07-040711", + "fix_id": "F-36466r622234_fix", "cci": 
[ "CCI-000366" ], + "legacy": [], "nist": [ "CM-6 b" ], "subsystems": [ - "dns", - "resolv" + "ssh" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204608' do\n title 'For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be\n configured.'\n desc 'To provide availability for name resolution services, multiple redundant name servers are mandated. A\n failure in name resolution could lead to the failure of security functions requiring name resolution, which may\n include time synchronization, centralized authentication, and remote system logging.'\n desc 'check', %q(Determine whether the system is using local or DNS name resolution with the following command:\n # grep hosts /etc/nsswitch.conf\n hosts: files dns\n If the DNS entry is missing from the host's line in the \"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must\n be empty.\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n # ls -al /etc/resolv.conf\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n If local host authentication is being used and the \"/etc/resolv.conf\" file is not empty, this is a finding.\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\" file, verify the operating system is\n configured to use two or more name servers for DNS resolution.\n Determine the name servers used by the system with the following command:\n # grep nameserver /etc/resolv.conf\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n If less than two lines are returned that are not commented out, this is a finding.\n Verify that the \"/etc/resolv.conf\" file is immutable with the following command:\n # sudo lsattr /etc/resolv.conf\n ----i----------- /etc/resolv.conf\n If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a\n finding.)\n desc 'fix', 'Configure the operating system to use two or more name servers for DNS 
resolution.\n Edit the \"/etc/resolv.conf\" file to uncomment or add the two or more \"nameserver\" option lines with the IP address\n of local authoritative name servers. If local host resolution is being performed, the \"/etc/resolv.conf\" file must\n be empty. An empty \"/etc/resolv.conf\" file can be created as follows:\n # echo -n > /etc/resolv.conf\n And then make the file immutable with the following command:\n # chattr +i /etc/resolv.conf\n If the \"/etc/resolv.conf\" file must be mutable, the required configuration must be documented with the Information\n System Security Officer (ISSO) and the file must be verified by the system file integrity tool.'\n impact 0.3\n tag legacy: ['SV-86905', 'V-72281']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204608'\n tag rid: 'SV-204608r603261_rule'\n tag stig_id: 'RHEL-07-040600'\n tag fix_id: 'F-4732r89017_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['dns', 'resolv']\n tag 'host'\n tag 'container'\n\n dns_in_host_line = parse_config_file('/etc/nsswitch.conf',\n {\n comment_char: '#',\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }).params['hosts'].include?('dns')\n\n unless dns_in_host_line\n describe 'If `local` resolution is being used, a `hosts` entry in /etc/nsswitch.conf having `dns`' do\n subject { dns_in_host_line }\n it { should be false }\n end\n end\n\n unless dns_in_host_line\n describe 'If `local` resoultion is being used, the /etc/resolv.conf file should' do\n subject do\n parse_config_file('/etc/resolv.conf', { comment_char: '#' }).params\n end\n it { should be_empty }\n end\n end\n\n nameservers = parse_config_file('/etc/resolv.conf',\n { comment_char: '#' }).params.keys.grep(/nameserver/)\n\n if dns_in_host_line\n describe \"The system's nameservers: #{nameservers}\" do\n subject { nameservers }\n it { should_not be nil }\n end\n end\n\n if dns_in_host_line\n describe 'The number of nameservers' do\n subject { nameservers.count 
}\n it { should cmp >= 2 }\n end\n end\n\n describe '/etc/resolv.conf should be immutable -- file attributes' do\n subject { command('lsattr /etc/resolve.conf').stdout }\n it { should match /i/ }\n end\nend\n", + "code": "control 'SV-233307' do\n title 'The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.'\n desc 'When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.'\n desc 'check', 'Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the SSH X11UseLocalhost setting with the following command:\n\n# sudo grep -i x11uselocalhost /etc/ssh/sshd_config\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11UseLocalhost yes'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-233307'\n tag rid: 'SV-233307r603301_rule'\n tag stig_id: 'RHEL-07-040711'\n tag fix_id: 'F-36466r622234_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not 
installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('X11UseLocalhost') { should eq 'yes' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204608.rb", + "ref": "./Red Hat 7 STIG/controls/SV-233307.rb", "line": 1 }, - "id": "SV-204608" + "id": "SV-233307" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15\n characters in length.", - "desc": "The shorter the password, the lower the number of possible combinations that need to be tested before the\n password is compromised.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it\n takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or\n resources required to compromise the password.", + "title": "The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat\n Prevention tool.", + "desc": "Adding endpoint security tools can provide the capability to automatically take actions in response to\n malicious behavior, which can provide additional agility in reacting to network threats. These tools also often\n include a reporting capability to provide network awareness of the system, which may not otherwise exist in an\n organization's systems management regime.", "descriptions": { - "default": "The shorter the password, the lower the number of possible combinations that need to be tested before the\n password is compromised.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. 
Password length is one factor of several that helps to determine strength and how long it\n takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or\n resources required to compromise the password.", - "check": "Verify the operating system enforces a minimum 15-character password length. The \"minlen\" option\n sets the minimum number of characters in a new password.\n Check for the value of the \"minlen\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep minlen /etc/security/pwquality.conf\n minlen = 15\n If the command does not return a \"minlen\" value of 15 or greater, this is a finding.", - "fix": "Configure operating system to enforce a minimum 15-character password length.\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n minlen = 15" + "default": "Adding endpoint security tools can provide the capability to automatically take actions in response to\n malicious behavior, which can provide additional agility in reacting to network threats. These tools also often\n include a reporting capability to provide network awareness of the system, which may not otherwise exist in an\n organization's systems management regime.", + "check": "Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL)\n in conjunction with SELinux.\n Procedure:\n Check that the following package has been installed:\n # rpm -qa | grep -i mcafeetp\n If the \"mcafeetp\" package is not installed, this is a finding.\n Verify that the daemon is running:\n # ps -ef | grep -i mfetpd\n If the daemon is not running, this is a finding.", + "fix": "Install and enable the latest McAfee ENSLTP package." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71935", - "SV-86559" + "V-92255", + "SV-102357" ], "severity": "medium", - "gtitle": "SRG-OS-000078-GPOS-00046", - "gid": "V-204423", - "rid": "SV-204423r603261_rule", - "stig_id": "RHEL-07-010280", - "fix_id": "F-4547r88462_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-214800", + "rid": "SV-214800r854323_rule", + "stig_id": "RHEL-07-020019", + "fix_id": "F-36317r754750_fix", "cci": [ - "CCI-000205" + "CCI-001263", + "CCI-000366" ], "nist": [ - "IA-5 (1) (a)" + "SI-4 (5)", + "CM-6 b" ], "subsystems": [ - "pwquality", - "password" + "endpoint_security" ], "host": null, "container": null }, - "code": "control 'SV-204423' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of #{input('min_len')}\n characters in length.\"\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested before the\n password is compromised.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it\n takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or\n resources required to compromise the password.\"\n desc 'check', \"Verify the operating system enforces a minimum #{input('min_len')}-character password length. 
The \\\"minlen\\\" option\n sets the minimum number of characters in a new password.\n Check for the value of the \\\"minlen\\\" option in \\\"/etc/security/pwquality.conf\\\" with the following command:\n # grep minlen /etc/security/pwquality.conf\n minlen = #{input('min_len')}\n If the command does not return a \\\"minlen\\\" value of #{input('min_len')} or greater, this is a finding.\"\n desc 'fix', \"Configure operating system to enforce a minimum #{input('min_len')}-character password length.\n Add the following line to \\\"/etc/security/pwquality.conf\\\" (or modify the line to have the required value):\n minlen = #{input('min_len')}\"\n impact 0.5\n tag legacy: ['V-71935', 'SV-86559']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000078-GPOS-00046'\n tag gid: 'V-204423'\n tag rid: 'SV-204423r603261_rule'\n tag stig_id: 'RHEL-07-010280'\n tag fix_id: 'F-4547r88462_fix'\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('minlen') { should cmp >= input('min_len') }\n end\nend\n", + "code": "control 'SV-214800' do\n title 'The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat\n Prevention tool.'\n desc \"Adding endpoint security tools can provide the capability to automatically take actions in response to\n malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often\n include a reporting capability to provide network awareness of the system, which may not otherwise exist in an\n organization's systems management regime.\"\n desc 'check', 'Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL)\n in conjunction with SELinux.\n Procedure:\n Check that the following package has been installed:\n # rpm -qa | grep -i mcafeetp\n If the \"mcafeetp\" package is not installed, this is a finding.\n Verify that the daemon is running:\n # ps -ef | grep -i mfetpd\n If the daemon is not running, this is a finding.'\n desc 'fix', 'Install and enable the latest McAfee ENSLTP package.'\n impact 0.5\n tag legacy: ['V-92255', 'SV-102357']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-214800'\n tag rid: 'SV-214800r854323_rule'\n tag stig_id: 'RHEL-07-020019'\n tag fix_id: 'F-36317r754750_fix'\n tag cci: ['CCI-001263', 'CCI-000366']\n tag nist: ['SI-4 (5)', 'CM-6 b']\n tag subsystems: ['endpoint_security']\n tag 'host'\n tag 'container'\n\n describe package('mcafeetp') do\n it { should be_installed }\n end\n describe service('mfetpd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204423.rb", + "ref": "./Red Hat 7 STIG/controls/SV-214800.rb", "line": 1 }, - "id": "SV-204423" + "id": "SV-214800" }, { - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for /var.", - "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", + "title": "The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS\n 140-2 approved cryptographic hashes for validating file contents and directories.", + "desc": "File integrity tools use cryptographic hashes for verifying file 
contents and directories have not been\n altered. These hashes must be FIPS 140-2 approved cryptographic hashes.\n Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called\n Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement\n assumes the \"aide.conf\" file is under the \"/etc\" directory.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", - "check": "Verify that a separate file system/partition has been created for \"/var\".\n Check that a file system/partition has been created for \"/var\" with the following command:\n # grep /var /etc/fstab\n UUID=c274f65f /var ext4 noatime,nobarrier 1 2\n If a separate entry for \"/var\" is not in use, this is a finding.", - "fix": "Migrate the \"/var\" path onto a separate file system." + "default": "File integrity tools use cryptographic hashes for verifying file contents and directories have not been\n altered. These hashes must be FIPS 140-2 approved cryptographic hashes.\n Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called\n Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement\n assumes the \"aide.conf\" file is under the \"/etc\" directory.", + "check": "Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"sha512\" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.\n\nAn example rule that includes the \"sha512\" rule follows:\n\n All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"sha512\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.", + "fix": "Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and\n directory contents.\n If AIDE is installed, ensure the \"sha512\" rule is present on all uncommented file and directory selection lists.\n Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72061", - "SV-86685" + "SV-86697", + "V-72073" ], - "severity": "low", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204494", - "rid": "SV-204494r603261_rule", - "stig_id": "RHEL-07-021320", - "fix_id": "F-4618r88675_fix", + "gid": "V-204500", + "rid": "SV-204500r880860_rule", + "stig_id": "RHEL-07-021620", + "fix_id": "F-4624r792830_fix", "cci": [ "CCI-000366" ], 
@@ -254,167 +261,168 @@ "CM-6 b" ], "subsystems": [ - "/var", - "file_system" + "file_integrity_tool" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204494' do\n title 'The Red Hat Enterprise Linux operating system must use a separate file system for /var.'\n desc 'The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system/partition has been created for \"/var\".\n Check that a file system/partition has been created for \"/var\" with the following command:\n # grep /var /etc/fstab\n UUID=c274f65f /var ext4 noatime,nobarrier 1 2\n If a separate entry for \"/var\" is not in use, this is a finding.'\n desc 'fix', 'Migrate the \"/var\" path onto a separate file system.'\n impact 0.3\n tag legacy: ['V-72061', 'SV-86685']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204494'\n tag rid: 'SV-204494r603261_rule'\n tag stig_id: 'RHEL-07-021320'\n tag fix_id: 'F-4618r88675_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['/var', 'file_system']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe etc_fstab.where { mount_point == '/var/log' } do\n it { should exist }\n end\n end\nend\n", + "code": "control 'SV-204500' do\n title 'The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS\n 140-2 approved cryptographic hashes for validating file contents and directories.'\n desc 'File integrity tools use cryptographic hashes for verifying file contents and directories have not been\n altered. 
These hashes must be FIPS 140-2 approved cryptographic hashes.\n Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called\n Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement\n assumes the \"aide.conf\" file is under the \"/etc\" directory.'\n desc 'check', 'Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"sha512\" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.\n\nAn example rule that includes the \"sha512\" rule follows:\n\n All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"sha512\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and\n directory contents.\n If AIDE is installed, ensure the \"sha512\" rule is present on all uncommented file and directory selection lists.\n Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.'\n impact 0.5\n tag legacy: ['SV-86697', 'V-72073']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204500'\n 
tag rid: 'SV-204500r880860_rule'\n tag stig_id: 'RHEL-07-021620'\n tag fix_id: 'F-4624r792830_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n aide_conf_file_path = input('aide_conf_path')\n\n if file_integrity_tool == 'aide'\n if aide_conf(aide_conf_file_path).exist?\n exclude_patterns = input('aide_exclude_patterns')\n\n findings = aide_conf.where do\n !selection_line.start_with?('!') && !exclude_patterns.include?(selection_line) && !rules.include?('sha512')\n end\n\n describe \"List of monitored files/directories without 'sha512' rule\" do\n subject { findings.selection_lines }\n it { should be_empty }\n end\n else\n describe \"AIDE configuration file at: #{aide_conf_file_path}\" do\n subject { aide_conf(aide_conf_file_path) }\n it { should exist }\n end\n end\n else\n describe 'Need manual review of file integrity tool' do\n skip 'A manual review of the file integrity tool is required to ensure that it verifies ACLs.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204494.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204500.rb", "line": 1 }, - "id": "SV-204494" + "id": "SV-204500" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept\n log messages from other servers unless the server is being used for log aggregation.", - "desc": "Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk.\n Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could\n introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of\n Service.\n If the system is intended to be a log aggregation server its use must be documented with the ISSO.", + "title": "The Red Hat Enterprise Linux operating system 
must audit all uses of the setfiles command.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk.\n Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could\n introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of\n Service.\n If the system is intended to be a log aggregation server its use must be documented with the ISSO.", - "check": "Verify that the system is not accepting \"rsyslog\" messages from other systems unless it is\n documented as a log aggregation server.\n Check the configuration of \"rsyslog\" with the following command:\n # grep imtcp /etc/rsyslog.conf\n $ModLoad imtcp\n # grep imudp /etc/rsyslog.conf\n $ModLoad imudp\n # grep imrelp /etc/rsyslog.conf\n $ModLoad imrelp\n If any of the above modules are being loaded in the \"/etc/rsyslog.conf\" file, ask to see the documentation for the\n system being used for log aggregation.\n If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.", - "fix": "Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad imtcp\", \"ModLoad imudp\", and \"ModLoad\n imrelp\" 
configuration lines, or document the system as being used for log aggregation." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/setfiles\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86835", - "V-72211" + "V-72141", + "SV-86765" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204575", - "rid": "SV-204575r853986_rule", - "stig_id": "RHEL-07-031010", - "fix_id": "F-4699r88918_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" + "gtitle": "SRG-OS-000392-GPOS-00172", + "satisfies": [ + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000465-GPOS-00209" ], - "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1)", - "CM-5 (1) (a)" + "gid": "V-204539", + "rid": "SV-204539r861023_rule", + "stig_id": "RHEL-07-030590", + "fix_id": "F-4663r861022_fix", + "cci": [ + "CCI-000172", + "CCI-002884" + ], + "nist": [ + "AU-12 c", + "MA-4 (1) (a)" ], "subsystems": [ - "rsyslog" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204575' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept\n log messages from other servers unless the server is being used for log aggregation.'\n desc \"Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk.\n Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could\n introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of\n Service.\n If the system is intended to be a log aggregation server its use must be documented with the ISSO.\"\n desc 'check', 'Verify that the system is not accepting \"rsyslog\" messages from other systems unless it is\n documented as a log aggregation server.\n Check the configuration of \"rsyslog\" with the following command:\n # grep imtcp /etc/rsyslog.conf\n $ModLoad imtcp\n # grep imudp /etc/rsyslog.conf\n $ModLoad imudp\n # grep imrelp /etc/rsyslog.conf\n $ModLoad imrelp\n If any of the above 
modules are being loaded in the \"/etc/rsyslog.conf\" file, ask to see the documentation for the\n system being used for log aggregation.\n If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.'\n desc 'fix', 'Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad imtcp\", \"ModLoad imudp\", and \"ModLoad\n imrelp\" configuration lines, or document the system as being used for log aggregation.'\n impact 0.5\n tag legacy: ['SV-86835', 'V-72211']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204575'\n tag rid: 'SV-204575r853986_rule'\n tag stig_id: 'RHEL-07-031010'\n tag fix_id: 'F-4699r88918_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['rsyslog']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n log_aggregation_server = input('log_aggregation_server')\n\n if log_aggregation_server\n describe file('/etc/rsyslog.conf') do\n its('content') { should match(/^\\$ModLoad\\s+imtcp.*\\n?$/) }\n end\n else\n describe.one do\n describe file('/etc/rsyslog.conf') do\n its('content') { should match(/\\$ModLoad\\s+imtcp.*\\n?$/) }\n end\n describe file('/etc/rsyslog.conf') do\n its('content') { should_not match(/^\\$ModLoad\\s+imtcp.*\\n?$/) }\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204539' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various 
components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/setfiles\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72141', 'SV-86765']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000465-GPOS-00209']\n tag gid: 'V-204539'\n tag rid: 'SV-204539r861023_rule'\n tag stig_id: 'RHEL-07-030590'\n tag fix_id: 'F-4663r861022_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/setfiles'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on 
the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204575.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204539.rb", "line": 1 }, - "id": "SV-204575" + "id": "SV-204539" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a\n minimum of four character classes must be changed.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "title": "The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems\n that are being imported via Network File System (NFS).", + "desc": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", - "check": "The \"minclass\" option sets the minimum number of required classes of characters for the new password\n (digits, upper-case, lower-case, others).\n Check for the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep minclass /etc/security/pwquality.conf\n minclass = 4\n If the value of \"minclass\" is set to less than \"4\", this is a finding.", - "fix": "Configure the operating system to require the change of at least four character classes when passwords\n are changed by setting the \"minclass\" option.\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n minclass = 4" + "default": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.", + "check": "Verify file systems that are being NFS imported are configured with the \"noexec\" option.\n Find the file system(s) that contain the directories being imported with the following command:\n # more /etc/fstab | grep nfs\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"noexec\" option set, and use of NFS\n imported binaries is not documented with the Information System Security Officer (ISSO) as an operational\n requirement, this is a finding.\n Verify the NFS is mounted with the \"noexec\"option:\n # mount | grep nfs | grep noexec\n If no results are returned and use of NFS imported binaries is not documented with the Information System Security\n Officer (ISSO) as an operational requirement, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on file systems that are being imported via\n NFS." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71913", - "SV-86537" + "SV-87813", + "V-73161" ], "severity": "medium", - "gtitle": "SRG-OS-000072-GPOS-00040", - "gid": "V-204412", - "rid": "SV-204412r603261_rule", - "stig_id": "RHEL-07-010170", - "fix_id": "F-4536r88429_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204483", + "rid": "SV-204483r603261_rule", + "stig_id": "RHEL-07-021021", + "fix_id": "F-4607r88642_fix", "cci": [ - "CCI-000195" + "CCI-000366" ], "nist": [ - "IA-5 (1) (b)" + "CM-6 b" ], "subsystems": [ - "pwquality", - "password" + "etc_fstab" ], "host": null, "container": null }, - "code": "control 'SV-204412' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a\n minimum of four character classes must be changed.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', 'The \"minclass\" option sets the minimum number of required classes of characters for the new password\n (digits, upper-case, lower-case, others).\n Check for the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep minclass /etc/security/pwquality.conf\n minclass = 4\n If the value of \"minclass\" is set to less than \"4\", this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of at least four character classes when passwords\n are changed by setting the \"minclass\" option.\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n minclass = 4'\n impact 0.5\n tag legacy: ['V-71913', 'SV-86537']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-204412'\n tag rid: 'SV-204412r603261_rule'\n tag stig_id: 'RHEL-07-010170'\n tag fix_id: 'F-4536r88429_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('minclass') { should cmp >= input('minclass') }\n end\nend\n", + "code": "control 'SV-204483' do\n title 'The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems\n that are being imported via Network File System (NFS).'\n desc 'The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.'\n desc 'check', 'Verify file systems that are being NFS imported are configured with the \"noexec\" option.\n Find the file system(s) that contain the directories being imported with the following command:\n # more /etc/fstab | grep nfs\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"noexec\" option set, and use of NFS\n imported binaries is not documented with the Information System Security Officer (ISSO) as an operational\n requirement, this is a finding.\n Verify the NFS is mounted with the \"noexec\"option:\n # mount | grep nfs | grep noexec\n If no results are returned and use of NFS imported binaries is not documented with the Information System Security\n Officer (ISSO) as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"noexec\" option on file systems that are being imported via\n NFS.'\n impact 0.5\n tag legacy: ['SV-87813', 'V-73161']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204483'\n tag rid: 'SV-204483r603261_rule'\n tag stig_id: 'RHEL-07-021021'\n tag fix_id: 'F-4607r88642_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['etc_fstab']\n tag 'host'\n tag 'container'\n\n nfs_systems = etc_fstab.nfs_file_systems.entries\n\n if !nfs_systems.nil? && !nfs_systems.empty?\n nfs_systems.each do |nfs_system|\n describe \"Network File System mounted on #{nfs_system['mount_point']}\" do\n subject { nfs_system }\n its('mount_options') { should include 'noexec' }\n end\n end\n else\n describe 'No NFS file systems were found' do\n subject { nfs_systems.nil? || nfs_systems.empty? 
}\n it { should eq true }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204412.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204483.rb", "line": 1 }, - "id": "SV-204412" + "id": "SV-204483" }, { - "title": "The Red Hat Enterprise Linux operating system must not contain .shosts files.", - "desc": "The .shosts files are used to configure host-based authentication for individual users or the system via\n SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not\n require interactive identification and authentication of a connection request, or for the use of two-factor\n authentication.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least 1 upper-case character.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", "descriptions": { - "default": "The .shosts files are used to configure host-based authentication for individual users or the system via\n SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not\n require interactive identification and authentication of a connection request, or for the use of two-factor\n authentication.", - "check": "Verify there are no \".shosts\" files on the system.\n Check the system for the existence of these files with the following command:\n # find / -name '*.shosts'\n If any \".shosts\" files are found on the system, this is a finding.", - "fix": "Remove any found \".shosts\" files from the system.\n # rm /[path]/[to]/[file]/.shosts" + "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "check": "Note: The value to require a number of upper-case characters to be set is expressed as a negative\n number in '/etc/security/pwquality.conf'.\n Check the value for 'ucredit' in '/etc/security/pwquality.conf' with the following command:\n # grep ucredit /etc/security/pwquality.conf\n ucredit = -1\n If the value of 'ucredit' is not set to a negative value, this is a finding.", + "fix": "Configure the operating system to enforce password complexity by requiring that at least 1\n upper-case character be used by setting the 'ucredit' option.\n Add the following line to '/etc/security/pwquality.conf' (or modify the line to have the required value):\n ucredit = -1" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86901", - "V-72277" + "SV-86527", + "V-71903" ], - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204606", - "rid": 
"SV-204606r603261_rule", - "stig_id": "RHEL-07-040540", - "fix_id": "F-4730r89011_fix", + "severity": "medium", + "gtitle": "SRG-OS-000069-GPOS-00037", + "gid": "V-204407", + "rid": "SV-204407r603261_rule", + "stig_id": "RHEL-07-010120", + "fix_id": "F-4531r88414_fix", "cci": [ - "CCI-000366" + "CCI-000192" ], "nist": [ - "CM-6 b" + "IA-5 (1) (a)" ], "subsystems": [ - "ssh" + "pwquality", + "password" ], "host": null, "container": null }, - "code": "control 'SV-204606' do\n title 'The Red Hat Enterprise Linux operating system must not contain .shosts files.'\n desc 'The .shosts files are used to configure host-based authentication for individual users or the system via\n SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not\n require interactive identification and authentication of a connection request, or for the use of two-factor\n authentication.'\n desc 'check', %q(Verify there are no \".shosts\" files on the system.\n Check the system for the existence of these files with the following command:\n # find / -name '*.shosts'\n If any \".shosts\" files are found on the system, this is a finding.)\n desc 'fix', 'Remove any found \".shosts\" files from the system.\n # rm /[path]/[to]/[file]/.shosts'\n impact 0.7\n tag legacy: ['SV-86901', 'V-72277']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204606'\n tag rid: 'SV-204606r603261_rule'\n tag stig_id: 'RHEL-07-040540'\n tag fix_id: 'F-4730r89011_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe command(\"find / -xdev -xautofs -name '*.shosts'\") do\n its('stdout.strip') { should 
be_empty }\n end\n end\nend\n", + "code": "control 'SV-204407' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least #{input('min_uppercase_characters')} upper-case character.\"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.\"\n desc 'check', \"Note: The value to require a number of upper-case characters to be set is expressed as a negative\n number in '/etc/security/pwquality.conf'.\n Check the value for 'ucredit' in '/etc/security/pwquality.conf' with the following command:\n # grep ucredit /etc/security/pwquality.conf\n ucredit = -#{input('min_uppercase_characters')}\n If the value of 'ucredit' is not set to a negative value, this is a finding.\"\n desc 'fix', \"Configure the operating system to enforce password complexity by requiring that at least #{input('min_uppercase_characters')}\n upper-case character be used by setting the 'ucredit' option.\n Add the following line to '/etc/security/pwquality.conf' (or modify the line to have the required value):\n ucredit = -#{input('min_uppercase_characters')}\"\n impact 0.5\n tag legacy: ['SV-86527', 'V-71903']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-204407'\n tag rid: 'SV-204407r603261_rule'\n tag stig_id: 'RHEL-07-010120'\n tag fix_id: 'F-4531r88414_fix'\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe 
parse_config_file('/etc/security/pwquality.conf') do\n its('ucredit') { should cmp <= -input('min_uppercase_characters')}\n its('ucredit') { should_not be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204606.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204407.rb", "line": 1 }, - "id": "SV-204606" + "id": "SV-204407" }, { - "title": "The Red Hat Enterprise Linux operating system must not have unnecessary accounts.", - "desc": "Accounts providing no operational purpose provide additional opportunities for system compromise.\n Unnecessary accounts include user accounts for individuals not requiring access to the system and application\n accounts for applications not installed on the system.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user\n initialization files executable search paths contain only paths that resolve to the users home directory.", + "desc": "The executable search path (typically the PATH environment variable) contains a list of directories for the\n shell to search to find executables. If this path includes the current working directory (other than the user's home\n directory), executables in these directories may be executed instead of system commands. This variable is formatted\n as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two\n consecutive colons, this is interpreted as the current working directory. 
If deviations from the default system\n search path for the local interactive user are required, they must be documented with the Information System\n Security Officer (ISSO).", "descriptions": { - "default": "Accounts providing no operational purpose provide additional opportunities for system compromise.\n Unnecessary accounts include user accounts for individuals not requiring access to the system and application\n accounts for applications not installed on the system.", - "check": "Verify all accounts on the system are assigned to an active system, application, or user account.\n Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n Check the system accounts on the system with the following command:\n # more /etc/passwd\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as they do not support authorized system\n functions.\n If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized\n system function are present, this is a finding.", - "fix": "Configure the system so all accounts on the system are assigned to an active system, application, or\n user account.\n Remove accounts that do not support approved system activities or that allow for a normal user to perform\n administrative-level actions.\n Document all authorized accounts on the system." + "default": "The executable search path (typically the PATH environment variable) contains a list of directories for the\n shell to search to find executables. 
If this path includes the current working directory (other than the user's home\n directory), executables in these directories may be executed instead of system commands. This variable is formatted\n as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two\n consecutive colons, this is interpreted as the current working directory. If deviations from the default system\n search path for the local interactive user are required, they must be documented with the Information System\n Security Officer (ISSO).", + "check": "Verify that all local interactive user initialization files' executable search path statements do\n not contain statements that will reference a working directory other than the user's home directory.\n Check the executable search path statement for all local interactive user initialization files in the user's home\n directory with the following commands:\n Note: The example will be for the smithj user, which has a home directory of \"/home/smithj\".\n # grep -i path= /home/smithj/.*\n /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n If any local interactive user initialization files have executable search path statements that include directories\n outside of their home directory, this is a finding.", + "fix": "Edit the local interactive user initialization files to change any PATH variable statements that\n reference directories other than their home directory.\n If a local interactive user requires path variables to reference a directory owned by the application, it must be\n documented with the ISSO." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86625", - "V-72001" + "V-72035", + "SV-86659" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204460", - "rid": "SV-204460r603261_rule", - "stig_id": "RHEL-07-020270", - "fix_id": "F-4584r88573_fix", + "gid": "V-204477", + "rid": "SV-204477r792828_rule", + "stig_id": "RHEL-07-020720", + "fix_id": "F-4601r88624_fix", "cci": [ "CCI-000366" ], 
@@ -422,300 +430,293 @@ "CM-6 b" ], "subsystems": [ - "accounts" + "init_files" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204460' do\n title 'The Red Hat Enterprise Linux operating system must not have unnecessary accounts.'\n desc 'Accounts providing no operational purpose provide additional opportunities for system compromise.\n Unnecessary accounts include user accounts for individuals not requiring access to the system and application\n accounts for applications not installed on the system.'\n desc 'check', 'Verify all accounts on the system are assigned to an active system, application, or user account.\n Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n Check the system accounts on the system with the following command:\n # more /etc/passwd\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as they do not support authorized system\n functions.\n If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized\n system function are present, this is a finding.'\n desc 'fix', 'Configure the system so all accounts on the system are assigned to an active system, application, or\n user account.\n Remove accounts that do not support approved system activities or that allow for a normal user to perform\n administrative-level actions.\n Document all authorized accounts on the system.'\n impact 0.5\n tag legacy: ['SV-86625', 'V-72001']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204460'\n tag rid: 'SV-204460r603261_rule'\n tag stig_id: 'RHEL-07-020270'\n 
tag fix_id: 'F-4584r88573_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['accounts']\n tag 'host'\n tag 'container'\n\n known_system_accounts = input('known_system_accounts')\n user_accounts = input('user_accounts')\n\n allowed_accounts = (known_system_accounts + user_accounts).uniq\n describe 'All user accounts' do\n it 'are known system accounts or known user accounts' do\n fail_msg = \"Accounts not part of the known account lists: #{(passwd.users - allowed_accounts).join(', ')}\"\n expect(passwd.users).to all(be_in allowed_accounts), fail_msg\n end\n end\nend\n", + "code": "control 'SV-204477' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user\n initialization files executable search paths contain only paths that resolve to the users home directory.'\n desc \"The executable search path (typically the PATH environment variable) contains a list of directories for the\n shell to search to find executables. If this path includes the current working directory (other than the user's home\n directory), executables in these directories may be executed instead of system commands. This variable is formatted\n as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two\n consecutive colons, this is interpreted as the current working directory. 
If deviations from the default system\n search path for the local interactive user are required, they must be documented with the Information System\n Security Officer (ISSO).\"\n desc 'check', %q(Verify that all local interactive user initialization files' executable search path statements do\n not contain statements that will reference a working directory other than the user's home directory.\n Check the executable search path statement for all local interactive user initialization files in the user's home\n directory with the following commands:\n Note: The example will be for the smithj user, which has a home directory of \"/home/smithj\".\n # grep -i path= /home/smithj/.*\n /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n If any local interactive user initialization files have executable search path statements that include directories\n outside of their home directory, this is a finding.)\n desc 'fix', 'Edit the local interactive user initialization files to change any PATH variable statements that\n reference directories other than their home directory.\n If a local interactive user requires path variables to reference a directory owned by the application, it must be\n documented with the ISSO.'\n impact 0.5\n tag legacy: ['V-72035', 'SV-86659']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204477'\n tag rid: 'SV-204477r792828_rule'\n tag stig_id: 'RHEL-07-020720'\n tag fix_id: 'F-4601r88624_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid 
== 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n grep_results = command(\"grep -i path --exclude=\\\".bash_history\\\" #{user_info.home}/.*\").stdout.split('\\\\n')\n grep_results.each do |result|\n result.slice! 'PATH='\n # Case when last value in exec search path is :\n result += ' ' if result[-1] == ':'\n result.slice! '$PATH:'\n result.gsub! '$HOME', user_info.home.to_s\n result.gsub! '~', user_info.home.to_s\n line_arr = result.split(':')\n line_arr.delete_at(0)\n line_arr.each do |line|\n # Don't run test on line that exports PATH and is not commented out\n next unless !line.start_with?('export') && !line.start_with?('#')\n\n # Case when :: found in exec search path or : found at beginning\n if line.strip.empty?\n curr_work_dir = command('pwd').stdout.gsub(\"\\n\", '')\n line = curr_work_dir if curr_work_dir.start_with?(user_info.home.to_s)\n end\n # This will fail if non-home directory found in path\n findings.add(line) unless line.start_with?(user_info.home)\n end\n end\n end\n describe.one do\n describe etc_fstab do\n its('home_mount_options') { should include 'nosuid' }\n end\n describe 'Initialization files that include executable search paths that include directories outside their home directories' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204460.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204477.rb", "line": 1 }, - "id": "SV-204460" + "id": "SV-204477" }, { - "title": "The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive\n user accounts.", - "desc": "The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files\n to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit\n representing special access modes is typically ignored or required to be \"0\". 
This requirement applies to the\n globally configured system defaults and the local interactive user defaults for each account on the system.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are\n disabled.", + "desc": "The use of wireless networking can introduce many different attack vectors into the organization's network.\n Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless\n access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor\n and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to\n create a denial of service to valid network resources.", "descriptions": { - "default": "The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files\n to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit\n representing special access modes is typically ignored or required to be \"0\". 
This requirement applies to the\n globally configured system defaults and the local interactive user defaults for each account on the system.", - "check": "Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n$ sudo grep -ir ^umask /home | grep -v '.bash_history'\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.", - "fix": "Remove the umask statement from all local interactive user's initialization files.\n If the account is for an application, the requirement for a umask less restrictive than \"077\" can be documented with\n the Information System Security Officer, but the user agreement for access to the account must specify that the\n local interactive user must log on to their account first and then switch the user to the application account with\n the correct option to gain the account's environment variables." + "default": "The use of wireless networking can introduce many different attack vectors into the organization's network.\n Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless\n access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor\n and record network traffic. 
These malicious APs can also serve to create a man-in-the-middle attack or be used to\n create a denial of service to valid network resources.", + "check": "Verify that there are no wireless interfaces configured on the system.\n This is N/A for systems that do not have wireless network adapters.\n Check for the presence of active wireless interfaces with the following command:\n # nmcli device\n DEVICE TYPE STATE\n eth0 ethernet connected\n wlp3s0 wifi disconnected\n lo loopback unmanaged\n If a wireless interface is configured and its use on the system is not documented with the Information System\n Security Officer (ISSO), this is a finding.", + "fix": "Configure the system to disable all wireless network interfaces with the following command:\n #nmcli radio wifi off" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72049", - "SV-86673" + "V-73177", + "SV-87829" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204488", - "rid": "SV-204488r861006_rule", - "stig_id": "RHEL-07-021040", - "fix_id": "F-4612r88657_fix", + "gtitle": "SRG-OS-000424-GPOS-00188", + "gid": "V-204634", + "rid": "SV-204634r877465_rule", + "stig_id": "RHEL-07-041010", + "fix_id": "F-4758r89095_fix", "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" + "CCI-001443", + "CCI-001444", + "CCI-002418" ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1)", - "CM-5 (1) (a)" + "AC-18 (1)", + "AC-18 (1)", + "SC-8" ], "subsystems": [ - "init_files", - "home_dirs" + "network", + "wifi", + "nmcli" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204488' do\n title 'The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive\n user accounts.'\n desc 'The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files\n to mode 700 or less permissive. 
Although umask can be represented as a four-digit number, the first digit\n representing special access modes is typically ignored or required to be \"0\". This requirement applies to the\n globally configured system defaults and the local interactive user defaults for each account on the system.'\n desc 'check', %q(Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n$ sudo grep -ir ^umask /home | grep -v '.bash_history'\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.)\n desc 'fix', %q(Remove the umask statement from all local interactive user's initialization files.\n If the account is for an application, the requirement for a umask less restrictive than \"077\" can be documented with\n the Information System Security Officer, but the user agreement for access to the account must specify that the\n local interactive user must log on to their account first and then switch the user to the application account with\n the correct option to gain the account's environment variables.)\n impact 0.5\n tag legacy: ['V-72049', 'SV-86673']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204488'\n tag rid: 'SV-204488r861006_rule'\n tag stig_id: 'RHEL-07-021040'\n tag fix_id: 'F-4612r88657_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['init_files', 'home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not 
applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n non_interactive_shells = input('non_interactive_shells')\n\n # Get all interactive users\n ignore_shells = non_interactive_shells.join('|')\n\n # Get home directory for users with UID >= 1000 or UID == 0 and support interactive logins.\n findings = Set[]\n dotfiles = Set[]\n umasks = {}\n umask_findings = Set[]\n\n # Get UID_MIN from login.defs\n uid_min = 1000\n if file('/etc/login.defs').exist?\n uid_min_val = command(\"grep '^UID_MIN' /etc/login.defs | grep -Po '[0-9]+'\").stdout.split(\"\\n\")\n uid_min = uid_min_val[0].to_i unless uid_min_val.empty?\n end\n\n interactive_users = users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries\n\n # For each user, build and execute a find command that identifies initialization files\n # in a user's home directory.\n interactive_users.each do |u|\n # Only check if the home directory is local\n is_local = command(\"df -l #{u.home}\").exit_status\n\n if is_local == 0\n # Get user's initialization files\n dotfiles.add(command(\"find #{u.home} -xdev -maxdepth 2 -name '.*' ! 
-name '.bash_history' -type f\").stdout.split(\"\\n\"))\n\n # Get user's umask\n umasks.store(u.username,\n command(\"su -c 'umask' -l #{u.username}\").stdout.chomp(\"\\n\"))\n\n # Check all local initialization files to see whether or not they are less restrictive than the input UMASK.\n dotfiles.to_a.flatten.uniq.each do |df|\n findings.add(df) if file(df).more_permissive_than?(input('user_umask'))\n end\n\n # Check umask for all interactive users\n umasks.each do |key, value|\n max_mode = (input('user_umask')).to_i(8)\n inverse_mode = 0777 ^ max_mode\n umask_findings.add(key) if inverse_mode & (value).to_i(8) != 0\n end\n else\n describe 'This control skips non-local filesystems' do\n skip \"This control has skipped the #{u.home} home directory for #{u.username} because it is not a local filesystem.\"\n end\n end\n end\n\n # Report on any interactive files that are less restrictive than the input UMASK.\n describe 'No interactive user initialization files with a less restrictive umask were found.' do\n subject { findings.empty? }\n it { should eq true }\n end\n\n # Report on any interactive users that have a umask less restrictive than the input UMASK.\n describe 'No users were found with a less restrictive umask were found.' do\n subject { umask_findings.empty? }\n it { should eq true }\n end\n end\nend\n", + "code": "control 'SV-204634' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are\n disabled.'\n desc \"The use of wireless networking can introduce many different attack vectors into the organization's network.\n Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless\n access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor\n and record network traffic. 
These malicious APs can also serve to create a man-in-the-middle attack or be used to\n create a denial of service to valid network resources.\"\n desc 'check', 'Verify that there are no wireless interfaces configured on the system.\n This is N/A for systems that do not have wireless network adapters.\n Check for the presence of active wireless interfaces with the following command:\n # nmcli device\n DEVICE TYPE STATE\n eth0 ethernet connected\n wlp3s0 wifi disconnected\n lo loopback unmanaged\n If a wireless interface is configured and its use on the system is not documented with the Information System\n Security Officer (ISSO), this is a finding.'\n desc 'fix', 'Configure the system to disable all wireless network interfaces with the following command:\n #nmcli radio wifi off'\n impact 0.5\n tag legacy: ['V-73177', 'SV-87829']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000424-GPOS-00188'\n tag gid: 'V-204634'\n tag rid: 'SV-204634r877465_rule'\n tag stig_id: 'RHEL-07-041010'\n tag fix_id: 'F-4758r89095_fix'\n tag cci: ['CCI-001443', 'CCI-001444', 'CCI-002418']\n tag nist: ['AC-18 (1)', 'AC-18 (1)', 'SC-8']\n tag subsystems: ['network', 'wifi', 'nmcli']\n tag 'host'\n tag 'container'\n\n describe command('nmcli device') do\n its('stdout.strip') { should_not match(/wifi connected/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204488.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204634.rb", "line": 1 }, - "id": "SV-204488" + "id": "SV-204634" }, { - "title": "The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.", - "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and\n demonstration software not related to requirements or providing a wide array of functionality not required for every\n mission, but which cannot be disabled.", + "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface\n (UEFI) must require authentication upon booting into single-user and maintenance modes.", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and\n demonstration software not related to requirements or providing a wide array of functionality not required for every\n mission, but which cannot be disabled.", - "check": "Verify the operating system is configured to disable non-essential capabilities. The most secure way\n of ensuring a non-essential capability is disabled is to not have the capability installed.\n The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and\n integrity of user passwords or the remote session.\n If a privileged user were to log on using this service, the privileged user password could be compromised.\n Check to see if the telnet-server package is installed with the following command:\n # yum list installed telnet-server\n If the telnet-server package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the telnet-server\n package from the system with the following command:\n # yum remove telnet-server" + "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.", + "check": "For systems that use BIOS, this is Not Applicable.\n For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n Check to see if an encrypted grub superusers password is set. 
On systems that use UEFI, use the following command:\n $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.", + "fix": "Configure the system to encrypt the boot password for the grub superusers account with the\n grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.\n Generate an encrypted grub2 password for the grub superusers account with the following command:\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:" }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "legacy": [ - "V-72077", - "SV-86701" + "SV-95719", + "V-81007" ], "severity": "high", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-204502", - "rid": "SV-204502r603261_rule", - "stig_id": "RHEL-07-021710", - "fix_id": "F-4626r88699_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-204440", + "rid": "SV-204440r744098_rule", + "stig_id": "RHEL-07-010491", + "fix_id": "F-4564r744097_fix", "cci": [ - "CCI-000381" + "CCI-000213" ], "nist": [ - "CM-7 a" + "AC-3" ], "subsystems": [ - "packages" + "boot", + "uefi" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204502' do\n title 'The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and\n demonstration software not related to requirements or providing a wide array of functionality not required for every\n mission, but which cannot be disabled.'\n desc 'check', 'Verify the operating system is configured to disable non-essential capabilities. The most secure way\n of ensuring a non-essential capability is disabled is to not have the capability installed.\n The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and\n integrity of user passwords or the remote session.\n If a privileged user were to log on using this service, the privileged user password could be compromised.\n Check to see if the telnet-server package is installed with the following command:\n # yum list installed telnet-server\n If the telnet-server package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by removing the telnet-server\n package from the system with the following command:\n # yum remove telnet-server'\n impact 0.7\n tag legacy: ['V-72077', 'SV-86701']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-204502'\n tag rid: 'SV-204502r603261_rule'\n tag stig_id: 'RHEL-07-021710'\n tag fix_id: 'F-4626r88699_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag subsystems: ['packages']\n tag 'host'\n tag 'container'\n\n describe package('telnet-server') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-204440' do\n title 'Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface\n (UEFI) must require authentication upon booting into single-user and maintenance modes.'\n desc 'If 
the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.'\n desc 'check', 'For systems that use BIOS, this is Not Applicable.\n For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:\n $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.'\n desc 'fix', 'Configure the system to encrypt the boot password for the grub superusers account with the\n grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.\n Generate an encrypted grub2 password for the grub superusers account with the following command:\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:'\n impact 0.7\n tag legacy: ['SV-95719', 'V-81007']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-204440'\n tag rid: 'SV-204440r744098_rule'\n tag stig_id: 'RHEL-07-010491'\n tag fix_id: 'F-4564r744097_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag subsystems: ['boot', 'uefi']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif file('/sys/firmware/efi').exist?\n\n if os[:release] >= '7.2'\n impact 0.7\n input('grub_uefi_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }\n end\n end\n\n describe 
parse_config_file(input('grub_uefi_main_cfg')) do\n its('set superusers') { should cmp '\"root\"' }\n end\n else\n impact 0.0\n describe 'System running version of RHEL prior to 7.2' do\n skip 'The System is running an outdated version of RHEL, this control is Not Applicable.'\n end\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running BIOS, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204502.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204440.rb", "line": 1 }, - "id": "SV-204502" + "id": "SV-204440" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chage command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories have a valid owner.", + "desc": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/chage\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.", + "check": "Verify all files and directories in a local interactive user's home directory have a valid owner.\n Check the owner of all files and directories in a local interactive user's home directory with the following\n command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n $ sudo ls -lLR /home/smithj\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n If any files or directories are found without an owner, this is a finding.", + "fix": "Either remove all files and directories from the system that do not have a valid user, or assign a\n valid user to all unowned files and directories on RHEL 7 with the \"chown\" command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n $ sudo chown smithj /home/smithj/" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86779", - "V-72155" + "SV-86647", + "V-72023" ], "severity": "medium", - "gtitle": "SRG-OS-000042-GPOS-00020", - "satisfies": [ - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-204545", - "rid": "SV-204545r861035_rule", - "stig_id": "RHEL-07-030660", - "fix_id": "F-4669r861034_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204471", + "rid": "SV-204471r744105_rule", + "stig_id": "RHEL-07-020660", + "fix_id": "F-4595r744104_fix", + "cci": [ + "CCI-000366" ], "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "home_dirs" ], "host": null }, - "code": "control 'SV-204545' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses 
of the chage command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/chage\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86779', 'V-72155']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204545'\n tag rid: 'SV-204545r861035_rule'\n tag stig_id: 'RHEL-07-030660'\n tag fix_id: 'F-4669r861034_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 
'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/chage'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", + "code": "control 'SV-204471' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories have a valid owner.'\n desc 'Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.'\n desc 'check', %q(Verify all files and directories in a local interactive user's home directory have a valid owner.\n Check the owner of all files and directories in a local interactive user's home directory with the following\n command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n $ sudo ls -lLR /home/smithj\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n If any files or directories are found without an owner, this is a finding.)\n desc 'fix', 'Either remove all files and directories from the system that do not have a valid user, or assign a\n valid user to all unowned files and directories on RHEL 7 with the \"chown\" command:\n Note: The example will be for the user smithj, who has a home 
directory of \"/home/smithj\".\n $ sudo chown smithj /home/smithj/'\n impact 0.5\n tag legacy: ['SV-86647', 'V-72023']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204471'\n tag rid: 'SV-204471r744105_rule'\n tag stig_id: 'RHEL-07-020660'\n tag fix_id: 'F-4595r744104_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -xdev -xautofs -not -user #{user_info.username}\").stdout.split(\"\\n\")\n end\n describe 'Files and directories that are not owned by the user' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204545.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204471.rb", "line": 1 }, - "id": "SV-204545" + "id": "SV-204471" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified\n if baseline configurations are changed in an unauthorized manner.", - "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", + "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n lock-enabled setting for the graphical user interface.", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.", "descriptions": { - "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", - "check": "Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.\n\nCheck for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.\n\nCheck the cron directories for a \"crontab\" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * root /usr/sbin/aide --check\n /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check\n\nAIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil\n\nIf the file integrity application does not notify designated personnel of changes, this is a finding.", - "fix": "Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. 
It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n # more /etc/cron.daily/aide\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" + "default": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.", + "check": "Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the lock-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n # grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return a result, this is a finding.", + "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \"local\" for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver lock-enabled setting:\n /org/gnome/desktop/screensaver/lock-enabled" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "V-71975", - "SV-86599" + "V-78995", + "SV-93701" ], "severity": "medium", - "gtitle": "SRG-OS-000363-GPOS-00150", - "gid": "V-204446", - "rid": "SV-204446r880851_rule", - "stig_id": "RHEL-07-020040", - "fix_id": "F-36305r880850_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "gid": "V-214937", + "rid": "SV-214937r880767_rule", + "stig_id": "RHEL-07-010062", + "fix_id": "F-16135r880766_fix", "cci": [ - "CCI-001744" + "CCI-000057" ], "nist": [ - "CM-3 (5)" + "AC-11 a" ], "subsystems": [ - "file_integrity_tool" + "gui" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204446' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified\n if baseline configurations are changed in an unauthorized manner.'\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\"\n desc 'check', 'Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.\n\nCheck for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.\n\nCheck the cron directories for a \"crontab\" script file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * root /usr/sbin/aide --check\n /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check\n\nAIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil\n\nIf the file integrity application does not notify designated personnel of changes, this is a finding.'\n desc 'fix', 'Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. 
It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n # more /etc/cron.daily/aide\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil'\n impact 0.5\n tag legacy: ['V-71975', 'SV-86599']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000363-GPOS-00150'\n tag gid: 'V-204446'\n tag rid: 'SV-204446r880851_rule'\n tag stig_id: 'RHEL-07-020040'\n tag fix_id: 'F-36305r880850_fix'\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n its('content') { should match %r{/var/spool/mail} }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n its('content') { should match %r{/var/spool/mail} }\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('commands.flatten') { should include(match %r{/var/spool/mail}) }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('commands') { should include(match %r{/var/spool/mail}) }\n end\n end\n end\nend\n", + "code": "control 'SV-214937' do\n title 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n lock-enabled setting for the graphical user interface.'\n desc 'A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. 
Disabling the user’s ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.'\n desc 'check', 'Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the lock-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n # grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return a result, this is a finding.'\n desc 'fix', \"Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \\\"local\\\" for the system, so if the system is using another database in\n \\\"/etc/dconf/profile/user\\\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver lock-enabled setting:\n /org/gnome/desktop/screensaver/lock-enabled\"\n impact 0.5\n tag legacy: ['V-78995', 'SV-93701']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-214937'\n tag rid: 'SV-214937r880767_rule'\n tag stig_id: 'RHEL-07-010062'\n tag fix_id: 'F-16135r880766_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 
subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n describe command('gsettings writable org.gnome.desktop.screensaver lock-enabled') do\n its('stdout.strip') { should cmp 'false' }\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204446.rb", + "ref": "./Red Hat 7 STIG/controls/SV-214937.rb", "line": 1 }, - "id": "SV-204446" + "id": "SV-214937" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for\n privilege escalation.", - "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n re-authenticate.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat,\n open_by_handle_at, truncate, and ftruncate syscalls.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", "descriptions": { - "default": "Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n re-authenticate.", - "check": "Verify the operating system requires users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d\n\nIf any occurrences of \"NOPASSWD\" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.", - "fix": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n$ sudo visudo\n\nRemove any occurrences of \"NOPASSWD\" tags in the file.\n\nCheck the configuration of the /etc/sudoers.d/* files with the following command:\n$ sudo grep -ir nopasswd /etc/sudoers.d\n\nRemove any occurrences of \"NOPASSWD\" tags in the file." 
+ "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep 'open\\|truncate\\|creat' /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n 
-F auid!=unset -k access\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"creat\", \"open\", \"openat\", \"open_by_handle_at\",\n \"truncate\", and \"ftruncate\" syscalls, this is a finding.\n If the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n If the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", + "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n The audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71947", - "SV-86571" + "SV-86749", + "V-72125" ], "severity": "medium", - "gtitle": "SRG-OS-000373-GPOS-00156", + "gtitle": "SRG-OS-000064-GPOS-00033", "satisfies": [ - "SRG-OS-000373-GPOS-00156", - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00158" + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000461-GPOS-00205", + "SRG-OS-000392-GPOS-00172" ], - "gid": "V-204429", - "rid": "SV-204429r861003_rule", - "stig_id": "RHEL-07-010340", - "fix_id": "F-36303r861002_fix", + "gid": "V-204531", + "rid": "SV-204531r853917_rule", + "stig_id": "RHEL-07-030510", + "fix_id": "F-4655r853916_fix", "cci": [ - "CCI-002038" + "CCI-000172", + "CCI-002884" ], "nist": [ - "IA-11" + "AU-12 c", + "MA-4 (1) (a)" ], "subsystems": [ - "sudo" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204429' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for\n privilege escalation.'\n desc 'Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n re-authenticate.'\n desc 'check', 'Verify the operating system requires users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d\n\nIf any occurrences of \"NOPASSWD\" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.'\n desc 'fix', 'Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n$ 
sudo visudo\n\nRemove any occurrences of \"NOPASSWD\" tags in the file.\n\nCheck the configuration of the /etc/sudoers.d/* files with the following command:\n$ sudo grep -ir nopasswd /etc/sudoers.d\n\nRemove any occurrences of \"NOPASSWD\" tags in the file.'\n impact 0.5\n tag legacy: ['V-71947', 'SV-86571']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-204429'\n tag rid: 'SV-204429r861003_rule'\n tag stig_id: 'RHEL-07-010340'\n tag fix_id: 'F-36303r861002_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n processed = []\n to_process = ['/etc/sudoers', '/etc/sudoers.d']\n\n until to_process.empty?\n in_process = to_process.pop\n next if processed.include? in_process\n\n processed.push in_process\n\n if file(in_process).directory?\n to_process.concat(\n command(\"find #{in_process} -maxdepth 1 -mindepth 1\")\n .stdout.strip.split(\"\\n\")\n .select { |f| file(f).file? 
}\n )\n elsif file(in_process).file?\n to_process.concat(\n command(\"grep -E '#include\\\\s+' #{in_process} | sed 's/.*#include[[:space:]]*//g'\")\n .stdout.strip.split(\"\\n\")\n .map do |f|\n if f.start_with?('/')\n f\n else\n File.join(\n File.dirname(in_process), f\n )\n end\n end\n .select do |f|\n file(f).exist?\n end\n )\n to_process.concat(\n command(\"grep -E '#includedir\\\\s+' #{in_process} | sed 's/.*#includedir[[:space:]]*//g'\")\n .stdout.strip.split(\"\\n\")\n .map do |f|\n if f.start_with?('/')\n f\n else\n File.join(\n File.dirname(in_process), f\n )\n end\n end\n .select do |f|\n file(f).exist?\n end\n )\n end\n end\n\n sudoers = processed.select { |f| file(f).file? }\n\n sudoers.each do |sudoer|\n sudo_content = file(sudoer).content.strip.split(\"\\n\")\n nopasswd_lines = sudo_content.select { |l| l.match?(/^[^#].*NOPASSWD/) }\n describe \"#{sudoer} rules containing NOPASSWD\" do\n subject { nopasswd_lines }\n it { should be_empty }\n end\n end\n end\nend\n", + "code": "control 'SV-204531' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat,\n open_by_handle_at, truncate, and ftruncate syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', %q(Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep 'open\\|truncate\\|creat' /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"creat\", \"open\", \"openat\", \"open_by_handle_at\",\n \"truncate\", and \"ftruncate\" syscalls, this is a finding.\n If the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n If the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.)\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls.\n 
Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86749', 'V-72125']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000064-GPOS-00033'\n tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000458-GPOS-00203', 'SRG-OS-000461-GPOS-00205', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204531'\n tag rid: 'SV-204531r853917_rule'\n tag stig_id: 'RHEL-07-030510'\n tag fix_id: 'F-4655r853916_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['creat', 'open', 'openat', 'open_by_handle_at', 'truncate', 'ftruncate']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n 
expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1', 'exit=-EACCES', 'exit=-EPERM')\n expect(audit_rule.key.uniq).to include('access')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204429.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204531.rb", "line": 1 }, - "id": "SV-204429" + "id": "SV-204531" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to\n only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.", - "desc": "DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2\n hash algorithm meeting this requirement is SHA.\n The system will attempt to use the first hash presented by the client that matches the server list. Listing the\n values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH\n connection.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, pwquality must be used.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to\n limit brute-force attacks on the system.", "descriptions": { - "default": "DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2\n hash algorithm meeting this requirement is SHA.\n The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the\n values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH\n connection.", - "check": "Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes.\n Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS\n 140-2-approved cryptographic algorithms and hashes.\n Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following\n command:\n # grep -i macs /etc/ssh/sshd_config\n MACs hmac-sha2-512,hmac-sha2-256\n If any hashes other than \"hmac-sha2-512\" or \"hmac-sha2-256\" are listed, the order differs from the example above,\n they are missing, or the returned line is commented out, this is a finding.", - "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"MACs\" keyword and set its\n value to \"hmac-sha2-512\" and/or \"hmac-sha2-256\" (this file may be named differently or be in a different location if\n using a version of SSH that is provided by a third-party vendor):\n MACs hmac-sha2-512,hmac-sha2-256\n The SSH service must be restarted for changes to take effect." + "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to\n limit brute-force attacks on the system.", + "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n Check for the use of \"pwquality\" with the following command:\n # cat /etc/pam.d/system-auth | grep pam_pwquality\n password required pam_pwquality.so retry=3\n If the command does not return an uncommented line containing the value \"pam_pwquality.so\", this is a finding.\n If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.", + "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n Add the following line to \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n password required pam_pwquality.so retry=3\n Note: The value of \"retry\" should be between \"1\" and \"3\"." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86877", - "V-72253" + "SV-87811", + "V-73159" ], "severity": "medium", - "gtitle": "SRG-OS-000250-GPOS-00093", - "gid": "V-204595", - "rid": "SV-204595r877394_rule", - "stig_id": "RHEL-07-040400", - "fix_id": "F-4719r622309_fix", + "gtitle": "SRG-OS-000069-GPOS-00037", + "gid": "V-204406", + "rid": "SV-204406r603261_rule", + "stig_id": "RHEL-07-010119", + "fix_id": "F-4530r88411_fix", "cci": [ - "CCI-001453" + "CCI-000192" ], "nist": [ - "AC-17 (2)" + "IA-5 (1) (a)" ], "subsystems": [ - "ssh" + "pam", + "pwquality", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204595' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to\n only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.\"\n desc \"#{input('org_name')[:acronym]} information systems are required to use FIPS 140-2 approved cryptographic hash functions. 
The only SSHv2\n hash algorithm meeting this requirement is SHA.\n The system will attempt to use the first hash presented by the client that matches the server list. Listing the\n values \\\"strongest to weakest\\\" is a method to ensure the use of the strongest hash available to secure the SSH\n connection.\"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes.\n Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS\n 140-2-approved cryptographic algorithms and hashes.\n Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following\n command:\n # grep -i macs /etc/ssh/sshd_config\n MACs hmac-sha2-512,hmac-sha2-256\n If any hashes other than \\\"hmac-sha2-512\\\" or \\\"hmac-sha2-256\\\" are listed, the order differs from the example above,\n they are missing, or the returned line is commented out, this is a finding.\"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"MACs\\\" keyword and set its\n value to \\\"hmac-sha2-512\\\" and/or \\\"hmac-sha2-256\\\" (this file may be named differently or be in a different location if\n using a version of SSH that is provided by a third-party vendor):\n MACs hmac-sha2-512,hmac-sha2-256\n The SSH service must be restarted for changes to take effect.\"\n impact 0.5\n tag legacy: ['SV-86877', 'V-72253']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag gid: 'V-204595'\n tag rid: 'SV-204595r877394_rule'\n tag stig_id: 'RHEL-07-040400'\n tag fix_id: 'F-4719r622309_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within 
containerized RHEL'\n end\n else\n\n macs = sshd_config.params('macs')\n if macs.nil?\n # fail fast\n describe 'The `sshd_config` setting for `MACs`' do\n subject { macs }\n it 'should be explicitly set and not commented out' do\n expect(subject).not_to be_nil\n end\n end\n else\n describe 'The list of MACs enabled on the system' do\n subject { macs }\n it { should cmp 'hmac-sha2-512,hmac-sha2-256' }\n end\n end\n end\nend\n", + "code": "control 'SV-204406' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, pwquality must be used.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to\n limit brute-force attacks on the system.'\n desc 'check', 'Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n Check for the use of \"pwquality\" with the following command:\n # cat /etc/pam.d/system-auth | grep pam_pwquality\n password required pam_pwquality.so retry=3\n If the command does not return an uncommented line containing the value \"pam_pwquality.so\", this is a finding.\n If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n Add the following line to \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n password required pam_pwquality.so retry=3\n Note: The value of \"retry\" should be between \"1\" and \"3\".'\n impact 0.5\n tag legacy: ['SV-87811', 'V-73159']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-204406'\n tag rid: 'SV-204406r603261_rule'\n tag 
stig_id: 'RHEL-07-010119'\n tag fix_id: 'F-4530r88411_fix'\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pam', 'pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should match_pam_rule(\"password required pam_pwquality.so retry=#{input('retry')}\") }\n end\n\n describe 'input value' do\n it 'for retry should be in line with maximum/minimum allowed values by policy' do\n expect(input('retry')).to be_between(1, input('retry'))\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204595.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204406.rb", "line": 1 }, - "id": "SV-204595" + "id": "SV-204406" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is\n configured to verify extended attributes.", - "desc": "Extended attributes in file systems are used to contain arbitrary data and file metadata with security\n implications.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home\n directories are mounted to prevent files with the setuid and setgid bit set from being executed.", + "desc": "The \"nosuid\" mount option causes the system to not execute setuid and setgid files with owner privileges.\n This option must be used for mounting any file system not containing approved setuid and setguid files. Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.", "descriptions": { - "default": "Extended attributes in file systems are used to contain arbitrary data and file metadata with security\n implications.", - "check": "Verify the file integrity tool is configured to verify extended attributes.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"xattrs\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory extended attributes.\n If AIDE is installed, ensure the \"xattrs\" rule is present on all uncommented file and directory selection lists." + "default": "The \"nosuid\" mount option causes the system to not execute setuid and setgid files with owner privileges.\n This option must be used for mounting any file system not containing approved setuid and setguid files. 
Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.", + "check": "Verify file systems that contain user home directories are mounted with the \"nosuid\" option.\n Find the file system(s) that contain the user home directories with the following command:\n Note: If a separate file system has not been created for the user home directories (user home directories are\n mounted under \"/\"), this is not a finding as the \"nosuid\" option cannot be used on the \"/\" system.\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1001 /home/smithj\n thomasr 1002 /home/thomasr\n Check the file systems that are mounted at boot time with the following command:\n # more /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n If a file system found in \"/etc/fstab\" refers to the user home directory file system and it does not have the\n \"nosuid\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that contain user home\n directories." }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86695", - "V-72071" + "SV-86665", + "V-72041" ], - "severity": "low", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204499", - "rid": "SV-204499r880858_rule", - "stig_id": "RHEL-07-021610", - "fix_id": "F-4623r88690_fix", + "gid": "V-204480", + "rid": "SV-204480r603838_rule", + "stig_id": "RHEL-07-021000", + "fix_id": "F-4604r88633_fix", "cci": [ "CCI-000366" ], 
@@ -723,51 +724,49 @@ "CM-6 b" ], "subsystems": [ - "file_integrity_tool" + "home_dirs", + "file_system" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204499' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is\n configured to verify extended attributes.'\n desc 'Extended attributes in file systems are used to contain arbitrary data and file metadata with security\n implications.'\n desc 'check', 'Verify the file integrity tool is configured to verify extended attributes.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"xattrs\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to check file and directory extended attributes.\n If AIDE is installed, ensure the \"xattrs\" rule is present on all uncommented file and directory selection lists.'\n impact 0.3\n tag legacy: ['SV-86695', 'V-72071']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204499'\n tag rid: 'SV-204499r880858_rule'\n tag stig_id: 'RHEL-07-021610'\n tag fix_id: 'F-4623r88690_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n 
file_integrity_tool = input('file_integrity_tool')\n aide_conf_file_path = input('aide_conf_path')\n\n if file_integrity_tool == 'aide'\n if aide_conf(aide_conf_file_path).exist?\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n unless selection.rules.include? 'xattrs'\n findings.append(selection.selection_line)\n end\n end\n\n describe \"List of monitored files/directories without 'xattrs' rule\" do\n subject { findings }\n it { should be_empty }\n end\n else\n describe \"AIDE configuration file at: #{aide_conf_file_path}\" do\n subject { aide_conf(aide_conf_file_path) }\n it { should exist }\n end\n end\n else\n describe 'Need manual review of file integrity tool' do\n skip 'A manual review of the file integrity tool is required to ensure that it verifies ACLs.'\n end\n end\nend\n", + "code": "control 'SV-204480' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home\n directories are mounted to prevent files with the setuid and setgid bit set from being executed.'\n desc 'The \"nosuid\" mount option causes the system to not execute setuid and setgid files with owner privileges.\n This option must be used for mounting any file system not containing approved setuid and setguid files. 
Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.'\n desc 'check', %q(Verify file systems that contain user home directories are mounted with the \"nosuid\" option.\n Find the file system(s) that contain the user home directories with the following command:\n Note: If a separate file system has not been created for the user home directories (user home directories are\n mounted under \"/\"), this is not a finding as the \"nosuid\" option cannot be used on the \"/\" system.\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1001 /home/smithj\n thomasr 1002 /home/thomasr\n Check the file systems that are mounted at boot time with the following command:\n # more /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n If a file system found in \"/etc/fstab\" refers to the user home directory file system and it does not have the\n \"nosuid\" option set, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that contain user home\n directories.'\n impact 0.5\n tag legacy: ['SV-86665', 'V-72041']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204480'\n tag rid: 'SV-204480r603838_rule'\n tag stig_id: 'RHEL-07-021000'\n tag fix_id: 'F-4604r88633_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs', 'file_system']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n describe mount('/home') do\n its('options') { should include 'nosuid' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204499.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204480.rb", "line": 1 }, - "id": "SV-204499" + "id": "SV-204480" }, { - "title": 
"The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat\n syscalls.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/setfiles\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"chmod\", \"fchmod\", and \"fchmodat\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following command:\n # grep chmod /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls, this is\n a finding.", + "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S 
chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n The audit daemon must be restarted for the changes to take effect."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72141",
- "SV-86765"
+ "SV-86729",
+ "V-72105"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000392-GPOS-00172",
+ "gtitle": "SRG-OS-000458-GPOS-00203",
 "satisfies": [
+ "SRG-OS-000458-GPOS-00203",
 "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000463-GPOS-00207",
- "SRG-OS-000465-GPOS-00209"
+ "SRG-OS-000064-GPOS-00033"
 ],
- "gid": "V-204539",
- "rid": "SV-204539r861023_rule",
- "stig_id": "RHEL-07-030590",
- "fix_id": "F-4663r861022_fix",
+ "gid": "V-204521",
+ "rid": "SV-204521r809772_rule",
+ "stig_id": "RHEL-07-030410",
+ "fix_id": "F-4645r809771_fix",
 "cci": [
- "CCI-000172",
- "CCI-002884"
+ "CCI-000172"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c"
 ],
 "subsystems": [
 "audit",
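Review bot: The new control body for SV-204480 asserts `mount('/home')` unconditionally, but the check text carried in the same object says a home directory tree that lives under "/" is not a finding, so a host without a separate /home file system will fail this control rather than pass or be skipped. It also hardcodes /home, whereas the check text derives the home directory file systems from /etc/passwd, so home directories mounted elsewhere go unchecked. A minimal guard is to test `mount('/home').mounted?` first and, when it is false, emit a describe/skip block stating that the nosuid option cannot be applied to the root file system; a fuller fix would iterate the mount points of the interactive users' home directories from the passwd resource and apply the nosuid expectation to each. The SV-204480 object begins in the previous hunk; only its code, source_location and id fields are visible here.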
@@ -776,549 +775,539 @@ ], "host": null }, - "code": "control 'SV-204539' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/setfiles\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72141', 'SV-86765']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000465-GPOS-00209']\n tag gid: 'V-204539'\n tag 
rid: 'SV-204539r861023_rule'\n tag stig_id: 'RHEL-07-030590'\n tag fix_id: 'F-4663r861022_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/setfiles'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", + "code": "control 'SV-204521' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat\n syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. 
Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', 'Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"chmod\", \"fchmod\", and \"fchmodat\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following command:\n # grep chmod /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls, this is\n a finding.'\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86729', 'V-72105']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000458-GPOS-00203'\n tag satisfies: ['SRG-OS-000458-GPOS-00203', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000064-GPOS-00033']\n tag gid: 'V-204521'\n tag rid: 'SV-204521r809772_rule'\n tag stig_id: 'RHEL-07-030410'\n tag fix_id: 'F-4645r809771_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['chmod', 'fchmod', 'fchmodat']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not 
applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('perm_mod')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204539.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204521.rb", "line": 1 }, - "id": "SV-204539" + "id": "SV-204521" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is\n a router.", + "desc": "Routing protocol daemons are typically used on routers to exchange network topology information with other\n routers. 
If this software is used when not required, system network information may be unnecessarily transmitted\n across the network.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"mount\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"mount\" syscall, this is a finding.\n\nIf all uses of the \"mount\" command are not being audited, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a 
always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Routing protocol daemons are typically used on routers to exchange network topology information with other\n routers. If this software is used when not required, system network information may be unnecessarily transmitted\n across the network.", + "check": "Verify the system is not performing packet forwarding, unless the system is a router.\n\n # grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.ip_forward = 0\n\nIf \"net.ipv4.ip_forward\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system does not implement IP forwarding using the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.ip_forward\n net.ipv4.ip_forward = 0\n\nIf IP forwarding value is \"1\" and the system is hosting any application, database, or web servers, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.ip_forward = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72171", - "SV-86795" + "SV-86933", + "V-72309" ], "severity": "medium", - "gtitle": "SRG-OS-000042-GPOS-00020", - "satisfies": [ - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172" - ], - "gid": "V-204552", - "rid": "SV-204552r861053_rule", - "stig_id": 
"RHEL-07-030740",
- "fix_id": "F-4676r861052_fix",
- "cci": [
- "CCI-000135",
- "CCI-002884"
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-204625",
+ "rid": "SV-204625r880824_rule",
+ "stig_id": "RHEL-07-040740",
+ "fix_id": "F-4749r880823_fix",
+ "cci": [
+ "CCI-000366"
 ],
 "nist": [
- "AU-3 (1)",
- "MA-4 (1) (a)"
+ "CM-6 b"
 ],
 "subsystems": [
- "audit",
- "auditd",
- "audit_rule"
+ "kernel_parameter"
 ],
 "host": null
 },
- "code": "control 'SV-204552' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"mount\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"mount\" syscall, this is a finding.\n\nIf all uses of the \"mount\" command are not being audited, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72171', 'SV-86795']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204552'\n tag rid: 'SV-204552r861053_rule'\n tag stig_id: 'RHEL-07-030740'\n tag fix_id: 'F-4676r861052_fix'\n tag cci: ['CCI-000135', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscall = 'mount'\n audit_command = 
'/usr/bin/mount'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-mount')\n end\n end\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-mount')\n end\n end\n end\nend\n", + "code": "control 'SV-204625' do\n title 'The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is\n a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other\n routers. 
If this software is used when not required, system network information may be unnecessarily transmitted\n across the network.'\n desc 'check', 'Verify the system is not performing packet forwarding, unless the system is a router.\n\n # grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.ip_forward = 0\n\nIf \"net.ipv4.ip_forward\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system does not implement IP forwarding using the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.ip_forward\n net.ipv4.ip_forward = 0\n\nIf IP forwarding value is \"1\" and the system is hosting any application, database, or web servers, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.ip_forward = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['SV-86933', 'V-72309']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204625'\n tag rid: 'SV-204625r880824_rule'\n tag stig_id: 'RHEL-07-040740'\n tag fix_id: 'F-4749r880823_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n ip_forward = 0\n config_file_values = command('grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* 
/usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [ip_forward.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set ip_forward to #{ip_forward}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.ip_forward' do\n subject { kernel_parameter('net.ipv4.ip_forward') }\n its('value') { should eq ip_forward }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204552.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204625.rb", "line": 1 }, - "id": "SV-204552" + "id": "SV-204625" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements\n /etc/pam.d/system-auth when changing passwords.", - "desc": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods.\n PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important\n security function could be bypassed if stack entries are not centralized.", + "title": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account\n logon upon an SSH logon.", + "desc": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition\n and reporting of unauthorized account use.", "descriptions": { - "default": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods.\n PAM operates in a top-down processing model and if the modules are not listed in the 
correct order, an important\n security function could be bypassed if stack entries are not centralized.", - "check": "Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:\n # cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth\n password substack system-auth\n If no results are returned, the line is commented out, this is a finding.", - "fix": "Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.\n Add the following line to \"/etc/pam.d/passwd\" (or modify the line to have the required value):\n password substack system-auth" + "default": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition\n and reporting of unauthorized account use.", + "check": "Verify SSH provides users with feedback on when account accesses last occurred.\n Check that \"PrintLastLog\" keyword in the sshd daemon configuration file is used and set to \"yes\" with the following\n command:\n # grep -i printlastlog /etc/ssh/sshd_config\n PrintLastLog yes\n If the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.", + "fix": "Configure SSH to provide users with feedback on when account accesses last occurred by setting the\n required configuration options in \"/etc/pam.d/sshd\" or in the \"sshd_config\" file used by the system\n (\"/etc/ssh/sshd_config\" will be used in the example) (this file may be named differently or be in a different\n location if using a version of SSH that is provided by a third-party vendor).\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the following:\n PrintLastLog yes\n The SSH service must be restarted for changes to \"sshd_config\" to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-95715", - "V-81003" + "V-72245", + "SV-86869" ], "severity": "medium", - "gtitle": "SRG-OS-000069-GPOS-00037", - "gid": "V-204405", - "rid": "SV-204405r603261_rule", - "stig_id": "RHEL-07-010118", - "fix_id": "F-4529r88408_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204591", + "rid": "SV-204591r858477_rule", + "stig_id": "RHEL-07-040360", + "fix_id": "F-4715r88966_fix", "cci": [ - "CCI-000192" + "CCI-000366", + "CCI-000052" + ], + "nist": [ + "CM-6 b", + "AC-9" ], "subsystems": [ "pam", - "password" - ], - "nist": [ - "IA-5 (1) (a)" + "ssh", + "lastlog" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204405' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements\n /etc/pam.d/system-auth when changing passwords.'\n desc 'Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods.\n PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important\n security function could be bypassed if stack entries are not centralized.'\n desc 'check', 'Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:\n # cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth\n password substack system-auth\n If no results are returned, the line is commented out, this is a finding.'\n desc 'fix', 'Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.\n Add the following line to \"/etc/pam.d/passwd\" (or modify the line to have the required value):\n password substack system-auth'\n impact 0.5\n tag legacy: ['SV-95715', 'V-81003']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-204405'\n tag rid: 'SV-204405r603261_rule'\n tag stig_id: 'RHEL-07-010118'\n tag fix_id: 'F-4529r88408_fix'\n tag cci: ['CCI-000192']\n tag subsystems: ['pam', 
'password']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule('password substack system-auth') }\n end\nend\n", + "code": "control 'SV-204591' do\n title 'The Red Hat Enterprise Linux operating system must display the date and time of the last successful account\n logon upon an SSH logon.'\n desc 'Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition\n and reporting of unauthorized account use.'\n desc 'check', 'Verify SSH provides users with feedback on when account accesses last occurred.\n Check that \"PrintLastLog\" keyword in the sshd daemon configuration file is used and set to \"yes\" with the following\n command:\n # grep -i printlastlog /etc/ssh/sshd_config\n PrintLastLog yes\n If the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure SSH to provide users with feedback on when account accesses last occurred by setting the\n required configuration options in \"/etc/pam.d/sshd\" or in the \"sshd_config\" file used by the system\n (\"/etc/ssh/sshd_config\" will be used in the example) (this file may be named differently or be in a different\n location if using a version of SSH that is provided by a third-party vendor).\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the following:\n PrintLastLog yes\n The SSH service must be restarted for changes to \"sshd_config\" to take effect.'\n impact 0.5\n tag legacy: ['V-72245', 'SV-86869']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204591'\n tag rid: 'SV-204591r858477_rule'\n tag stig_id: 'RHEL-07-040360'\n tag fix_id: 'F-4715r88966_fix'\n tag cci: ['CCI-000366', 'CCI-000052']\n tag nist: ['CM-6 b', 'AC-9']\n tag subsystems: ['pam', 'ssh', 'lastlog']\n tag 'host'\n\n if virtualization.system.eql?('docker') && 
!file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif sshd_config.params['printlastlog'] == ['yes']\n\n describe sshd_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\n else\n describe pam('/etc/pam.d/sshd') do\n its('lines') do\n should match_pam_rule('session required pam_lastlog.so showfailed')\n end\n its('lines') do\n should_not match_pam_rule('session required pam_lastlog.so showfailed silent')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204405.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204591.rb", "line": 1 }, - "id": "SV-204405" + "id": "SV-204591" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service\n packs, device drivers, or operating system components of local packages without verification they have been\n digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved\n by the organization.", - "desc": "Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.", + "title": "The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).", + "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", "descriptions": { - "default": "Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.", - "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or\n operating system components of local packages without verification that they have been digitally signed using a\n certificate that is recognized and approved by the organization.\n Check that yum verifies the signature of local packages prior to install with the following command:\n # grep localpkg_gpgcheck /etc/yum.conf\n localpkg_gpgcheck=1\n If \"localpkg_gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator\n how the signatures of local packages and other operating system components are verified.\n If there is no process to validate the signatures of local packages that is approved by the organization, this is a\n finding.", - "fix": "Configure the operating system to verify the signature of local packages prior to install by setting\n the following option in the \"/etc/yum.conf\" file:\n localpkg_gpgcheck=1" + "default": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", + "check": "Verify that a separate file system/partition has been created for \"/tmp\".\n Check that a file system/partition has been created for \"/tmp\" with the following command:\n # systemctl is-enabled tmp.mount\n enabled\n If the \"tmp.mount\" service is not enabled, check to see if \"/tmp\" is defined in the fstab with a device and mount\n point:\n # grep -i /tmp /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0\n If \"tmp.mount\" service is not enabled or the \"/tmp\" directory is not defined in the fstab with a device and mount\n point, this is a finding.", + "fix": "Start the \"tmp.mount\" service with the 
following command:\n # systemctl enable tmp.mount\n OR\n Edit the \"/etc/fstab\" file and ensure the \"/tmp\" directory is defined in the fstab with a device and mount point." }, - "impact": 0.7, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "V-71979", - "SV-86603" + "SV-86689", + "V-72065" ], - "severity": "high", - "gtitle": "SRG-OS-000366-GPOS-00153", - "gid": "V-204448", - "rid": "SV-204448r877463_rule", - "stig_id": "RHEL-07-020060", - "fix_id": "F-4572r88537_fix", + "severity": "low", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204496", + "rid": "SV-204496r603261_rule", + "stig_id": "RHEL-07-021340", + "fix_id": "F-36309r602637_fix", "cci": [ - "CCI-001749" + "CCI-000366" ], "nist": [ - "CM-5 (3)" + "CM-6 b" ], "subsystems": [ - "yum" + "file_system", + "tmp" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204448' do\n title \"The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service\n packs, device drivers, or operating system components of local packages without verification they have been\n digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved\n by the organization.\"\n desc \"Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. 
The operating system should not have to\n verify the software again. This requirement does not mandate #{input('org_name')[:acronym]} certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.\"\n desc 'check', \"Verify the operating system prevents the installation of patches, service packs, device drivers, or\n operating system components of local packages without verification that they have been digitally signed using a\n certificate that is recognized and approved by the organization.\n Check that yum verifies the signature of local packages prior to install with the following command:\n # grep localpkg_gpgcheck /etc/yum.conf\n localpkg_gpgcheck=1\n If \\\"localpkg_gpgcheck\\\" is not set to \\\"1\\\", or if options are missing or commented out, ask the System Administrator\n how the signatures of local packages and other operating system components are verified.\n If there is no process to validate the signatures of local packages that is approved by the organization, this is a\n finding.\"\n desc 'fix', \"Configure the operating system to verify the signature of local packages prior to install by setting\n the following option in the \\\"/etc/yum.conf\\\" file:\n localpkg_gpgcheck=1\"\n impact 0.7\n tag legacy: ['V-71979', 'SV-86603']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-204448'\n tag rid: 'SV-204448r877463_rule'\n tag stig_id: 'RHEL-07-020060'\n tag fix_id: 'F-4572r88537_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag subsystems: ['yum']\n tag 'host'\n tag 'container'\n\n yum_conf = '/etc/yum.conf'\n\n if (f = file(yum_conf)).exist?\n describe ini(yum_conf) do\n its('main.localpkg_gpgcheck') { cmp 1 }\n end\n else\n describe f do\n it { should exist }\n end\n end\nend\n", + "code": "control 'SV-204496' do\n title 'The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).'\n desc 'The use of separate file 
systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system/partition has been created for \"/tmp\".\n Check that a file system/partition has been created for \"/tmp\" with the following command:\n # systemctl is-enabled tmp.mount\n enabled\n If the \"tmp.mount\" service is not enabled, check to see if \"/tmp\" is defined in the fstab with a device and mount\n point:\n # grep -i /tmp /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0\n If \"tmp.mount\" service is not enabled or the \"/tmp\" directory is not defined in the fstab with a device and mount\n point, this is a finding.'\n desc 'fix', 'Start the \"tmp.mount\" service with the following command:\n # systemctl enable tmp.mount\n OR\n Edit the \"/etc/fstab\" file and ensure the \"/tmp\" directory is defined in the fstab with a device and mount point.'\n impact 0.3\n tag legacy: ['SV-86689', 'V-72065']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204496'\n tag rid: 'SV-204496r603261_rule'\n tag stig_id: 'RHEL-07-021340'\n tag fix_id: 'F-36309r602637_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_system', 'tmp']\n tag 'host'\n\n describe.one do\n describe systemd_service('tmp.mount') do\n it { should be_enabled }\n end\n describe etc_fstab.where { mount_point == '/tmp' } do\n its('count') { should cmp 1 }\n it 'Should have a device name specified' do\n expect(subject.device_name[0]).to_not(be_empty)\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204448.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204496.rb", "line": 1 }, - "id": "SV-204448" + "id": "SV-204496" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system\n files and commands matches vendor values.", - 
"desc": "Without cryptographic integrity protections, system command and files can be altered by unauthorized users\n without detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not\n execute world-writable programs.", + "desc": "If user start-up files execute world-writable programs, especially in\n unprotected directories, they could be maliciously modified to destroy user\n files or otherwise compromise the system at the user level. If the system is\n compromised at the user level, it is easier to elevate privileges to eventually\n compromise the system at the root and network level.", "descriptions": { - "default": "Without cryptographic integrity protections, system command and files can be altered by unauthorized users\n without detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", - "check": "Verify the cryptographic hash of system files and commands match the vendor values.\n Check the cryptographic hash of system files and commands with the following command:\n Note: System configuration files (indicated by a \"c\" in the second column) are expected to change over time. 
Unusual\n modifications should be investigated through the system audit log.\n # rpm -Va --noconfig | grep '^..5'\n If there is any output from the command for system files or binaries, this is a finding.", - "fix": "Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh " + "default": "If user start-up files execute world-writable programs, especially in\n unprotected directories, they could be maliciously modified to destroy user\n files or otherwise compromise the system at the user level. If the system is\n compromised at the user level, it is easier to elevate privileges to eventually\n compromise the system at the root and network level.", + "check": "Verify that local initialization files do not execute world-writable programs.\n Check the system for world-writable files with the following command:\n # find / -xdev -perm -002 -type f -exec ls -ld {} \\; | more\n For all files listed, check for their presence in the local initialization files with the following commands:\n Note: The example will be for a system that is configured to create users' home directories in the \"/home\"\n directory.\n # grep /home/*/.*\n If any local initialization files are found to reference world-writable files, this is a finding.", + "fix": "Set the mode on files being executed by the local initialization files with\nthe following command:\n\n # chmod 0755 " }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86479", - "V-71855" + "SV-86661", + "V-72037" ], - "severity": "high", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-214799", - "rid": "SV-214799r854001_rule", - "stig_id": "RHEL-07-010020", - "fix_id": "F-15997r192363_fix", + "gid": "V-204478", + "rid": "SV-204478r603261_rule", + 
"stig_id": "RHEL-07-020730", + "fix_id": "F-4602r88627_fix", "cci": [ - "CCI-001749" + "CCI-000366" ], "nist": [ - "CM-5 (3)" + "CM-6 b" ], "subsystems": [ - "rpm", - "package" + "init_files" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-214799' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system\n files and commands matches vendor values.'\n desc 'Without cryptographic integrity protections, system command and files can be altered by unauthorized users\n without detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.'\n desc 'check', %q(Verify the cryptographic hash of system files and commands match the vendor values.\n Check the cryptographic hash of system files and commands with the following command:\n Note: System configuration files (indicated by a \"c\" in the second column) are expected to change over time. 
Unusual\n modifications should be investigated through the system audit log.\n # rpm -Va --noconfig | grep '^..5'\n If there is any output from the command for system files or binaries, this is a finding.)\n desc 'fix', 'Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh '\n impact 0.7\n tag legacy: ['SV-86479', 'V-71855']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-214799'\n tag rid: 'SV-214799r854001_rule'\n tag stig_id: 'RHEL-07-010020'\n tag fix_id: 'F-15997r192363_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag subsystems: ['rpm', 'package']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute. 
You must enable this control for a\n full accredidation for production.\"\n end\n else\n allowlist = input('rpm_verify_integrity_except')\n\n misconfigured_packages = command('rpm -Va --noconfig').stdout.split(\"\\n\")\n .select { |package| package[0..7].match(/5/) }\n .map { |package| package.match(/\\S+$/)[0] }\n\n if misconfigured_packages.empty?\n describe 'The list of rpm packages with hashes changed from the vendor values' do\n subject { misconfigured_packages }\n it { should be_empty }\n end\n else\n describe 'The list of rpm packages with hashes changed from the vendor values' do\n fail_msg = \"Files with hashes that are changed from vendor values but are not in the allowlist: #{(misconfigured_packages - allowlist).join(', ')}\"\n it 'should all appear in the allowlist' do\n expect(misconfigured_packages).to all(be_in allowlist), fail_msg\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204478' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not\n execute world-writable programs.'\n desc 'If user start-up files execute world-writable programs, especially in\n unprotected directories, they could be maliciously modified to destroy user\n files or otherwise compromise the system at the user level. 
If the system is\n compromised at the user level, it is easier to elevate privileges to eventually\n compromise the system at the root and network level.'\n desc 'check', %q(Verify that local initialization files do not execute world-writable programs.\n Check the system for world-writable files with the following command:\n # find / -xdev -perm -002 -type f -exec ls -ld {} \\; | more\n For all files listed, check for their presence in the local initialization files with the following commands:\n Note: The example will be for a system that is configured to create users' home directories in the \"/home\"\n directory.\n # grep /home/*/.*\n If any local initialization files are found to reference world-writable files, this is a finding.)\n desc 'fix', 'Set the mode on files being executed by the local initialization files with\nthe following command:\n\n # chmod 0755 '\n impact 0.5\n tag legacy: ['SV-86661', 'V-72037']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204478'\n tag rid: 'SV-204478r603261_rule'\n tag stig_id: 'RHEL-07-020730'\n tag fix_id: 'F-4602r88627_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n if input('disable_slow_controls')\n describe \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute. 
You must enable this control for a\n full accredidation for production.\"\n end\n else\n ignore_shells = non_interactive_shells.join('|')\n\n # Get home directory for users with UID >= 1000 or UID == 0 and support interactive logins.\n dotfiles = Set[]\n u = users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries\n # For each user, build and execute a find command that identifies initialization files\n # in a user's home directory.\n u.each do |user|\n dotfiles += command(\"find #{user.home} -xdev -maxdepth 2 ( -name '.*' ! -name '.bash_history' ) -type f\").stdout.split(\"\\n\")\n end\n ww_files = Set[]\n ww_files = command('find / -xdev -perm -002 -type f -exec ls {} \\;').stdout.lines\n\n # To reduce the number of commands ran, we use a pattern file in the grep command below\n # So we don't have too long of a grep command, we chunk the list of ww_files\n # into strings not longer than PATTERN_FILE_MAX_LENGTH\n # Based on MAX_ARG_STRLEN, /usr/include/linux/binfmts.h\n # We cut off 100 to leave room for the rest of the arguments\n PATTERN_FILE_MAX_LENGTH = command('getconf PAGE_SIZE').stdout.to_i * 32 - 100\n ww_chunked = ['']\n ww_files.each do |item|\n item = item.strip\n if item.length + \"\\n\".length > PATTERN_FILE_MAX_LENGTH\n raise 'Single pattern is longer than PATTERN_FILE_MAX_LENGTH'\n end\n\n if ww_chunked[-1].length + \"\\n\".length + item.length > PATTERN_FILE_MAX_LENGTH\n ww_chunked.append('')\n end\n ww_chunked[-1] += \"\\n\" + item # This will leave an extra newline at the beginning of chunks\n end\n ww_chunked = ww_chunked.map(&:strip) # This gets rid of the beginning newlines\n if ww_chunked[0] == ''\n ww_chunked = [] # If we didn't have any ww_files, this will prevent an empty grep pattern\n end\n\n # Check each dotfile for existence of each world-writeable file\n findings = Set[]\n dotfiles.each do |dotfile|\n dotfile = dotfile.strip\n ww_chunked.each do |ww_pattern_file|\n count = command(\"grep -c -f <(echo 
\\\"#{ww_pattern_file}\\\") \\\"#{dotfile}\\\"\").stdout.strip.to_i\n findings << dotfile if count > 0\n end\n end\n describe 'Local initialization files that are found to reference world-writable files' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-214799.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204478.rb", "line": 1 }, - "id": "SV-214799" + "id": "SV-204478" }, { - "title": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using\n multifactor authentication via a graphical user logon.", - "desc": "To assure accountability and prevent unauthenticated access, users must be identified and authenticated to\n prevent potential misuse and compromise of the system.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.", + "title": "The Red Hat Enterprise Linux operating system must require re-authentication when using the \"sudo\" command.", + "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the \"sudo\" command.\n\nIf the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.", "descriptions": { - "default": "To assure accountability and prevent unauthenticated access, users must be identified and authenticated to\n prevent potential misuse and compromise of the system.\n Multifactor solutions that require 
devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.", - "check": "Verify the operating system uniquely identifies and authenticates users using multifactor\n authentication via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Determine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n Note: The example is using the database local for the system, so the path is \"/etc/dconf/db/local.d\". This path must\n be modified if a database other than local is being used.\n # grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n enable-smartcard-authentication=true\n If \"enable-smartcard-authentication\" is set to \"false\" or the keyword is missing, this is a finding.", - "fix": "Configure the operating system to uniquely identify and authenticate users using multifactor\n authentication via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example is using the database local for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/00-defaults\n Edit \"[org/gnome/login-screen]\" and add or update the following line:\n enable-smartcard-authentication=true\n Update the system databases:\n # dconf update" + "default": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to 
escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the \"sudo\" command.\n\nIf the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.", + "check": "Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative number, is commented out, or no results are returned, this is a finding.", + "fix": "Configure the \"sudo\" command to require re-authentication.\nEdit the /etc/sudoers file:\n$ sudo visudo\n\nAdd or modify the following line:\nDefaults timestamp_timeout=[value]\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\".\n\nRemove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "V-77819", - "SV-92515" - ], "severity": "medium", - "gtitle": "SRG-OS-000375-GPOS-00160", - "satisfies": [ - "SRG-OS-000375-GPOS-00161", - "SRG-OS-000375-GPOS-00162" - ], - "gid": "V-204397", - "rid": "SV-204397r853879_rule", - "stig_id": "RHEL-07-010061", - "fix_id": "F-4521r88384_fix", + "gtitle": "SRG-OS-000373-GPOS-00156", + "satisfies": null, + "gid": "V-237635", + "rid": "SV-237635r861075_rule", + "stig_id": "RHEL-07-010343", + "fix_id": "F-40817r858491_fix", "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" + "CCI-002038" ], + "legacy": [], "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" + "IA-11" ], "subsystems": [ - "gui" + "sudo" ], "host": null }, - "code": "control 'SV-204397' do\n title 'The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using\n multifactor authentication via a graphical user logon.'\n desc \"To assure accountability and prevent unauthenticated access, users must be identified and authenticated to\n prevent potential misuse and compromise of the system.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card.\"\n desc 'check', 'Verify the operating system uniquely identifies and authenticates users using multifactor\n authentication via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Determine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n Note: The example is using the database local for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must\n be modified if a database other than local is being used.\n # grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n enable-smartcard-authentication=true\n If \"enable-smartcard-authentication\" is set to \"false\" or the keyword is missing, this is a finding.'\n desc 'fix', 'Configure the operating system to uniquely identify and authenticate users using multifactor\n authentication via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example is using the database local for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/00-defaults\n Edit \"[org/gnome/login-screen]\" and add or update the following line:\n enable-smartcard-authentication=true\n Update the system databases:\n # dconf update'\n impact 0.5\n tag legacy: ['V-77819', 'SV-92515']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00161', 'SRG-OS-000375-GPOS-00162']\n tag gid: 'V-204397'\n tag rid: 'SV-204397r853879_rule'\n tag stig_id: 'RHEL-07-010061'\n tag fix_id: 'F-4521r88384_fix'\n tag cci: ['CCI-001948', 'CCI-001953', 'CCI-001954']\n tag nist: ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n multifactor_enabled = input('multifactor_enabled')\n dconf_user = input('dconf_user')\n\n if package('gnome-desktop3').installed? && (package('pcsc-lite').installed? || package('esc').installed?)\n impact 0.5\n if !dconf_user.nil? 
&& command('whoami').stdout.strip == 'root'\n describe command(\"sudo -u #{dconf_user} dconf read /org/gnome/login-screen/enable-smartcard-authentication\") do\n its('stdout.strip') { should eq multifactor_enabled.to_s }\n end\n else\n describe command('dconf read /org/gnome/login-screen/enable-smartcard-authentication') do\n its('stdout.strip') { should eq multifactor_enabled.to_s }\n end\n end\n else\n impact 0.0\n unless package('gnome-desktop3').installed?\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\n\n unless package('pcsc-lite').installed?\n describe 'The pcsc-lite package is not installed' do\n skip 'The pcsc-lite package is not installed, this control is Not Applicable.'\n end\n end\n unless package('esc').installed?\n describe 'The esc package is not installed' do\n skip 'The esc package is not installed, this control is Not Applicable.'\n end\n end\n end\n end\nend\n", + "code": "control 'SV-237635' do\n title 'The Red Hat Enterprise Linux operating system must require re-authentication when using the \"sudo\" command.'\n desc %q(Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the \"sudo\" command.\n\nIf the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.)\n desc 'check', %q(Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative 
number, is commented out, or no results are returned, this is a finding.)\n desc 'fix', 'Configure the \"sudo\" command to require re-authentication.\nEdit the /etc/sudoers file:\n$ sudo visudo\n\nAdd or modify the following line:\nDefaults timestamp_timeout=[value]\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\".\n\nRemove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: nil\n tag gid: 'V-237635'\n tag rid: 'SV-237635r861075_rule'\n tag stig_id: 'RHEL-07-010343'\n tag fix_id: 'F-40817r858491_fix'\n tag cci: ['CCI-002038']\n tag legacy: []\n tag nist: ['IA-11']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n describe command(\"grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\").stdout.strip do\n it { should match /^[^#].*Defaults timestamp_timeout=\\d/ }\n it { should_not match /\\n/ }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204397.rb", + "ref": "./Red Hat 7 STIG/controls/SV-237635.rb", "line": 1 }, - "id": "SV-204397" + "id": "SV-237635" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements\n /etc/pam.d/system-auth when changing passwords.", + "desc": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods.\n PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important\n security function could be bypassed if stack entries are not centralized.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/unix_chkpwd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods.\n PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important\n security function could be bypassed if stack entries are not centralized.", + "check": "Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:\n # cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth\n password substack system-auth\n If no results are returned, the line is commented out, this is a finding.", + "fix": "Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.\n Add the following line to \"/etc/pam.d/passwd\" (or modify the line to have the required value):\n password substack system-auth" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86775", - "V-72151" + "SV-95715", + "V-81003" ], "severity": "medium", - "gtitle": "SRG-OS-000042-GPOS-00020", - "satisfies": [ - "SRG-OS-000042-GPOS-00020", - 
"SRG-OS-000392-GPOS-00172", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-204543", - "rid": "SV-204543r861029_rule", - "stig_id": "RHEL-07-030640", - "fix_id": "F-4667r861028_fix", + "gtitle": "SRG-OS-000069-GPOS-00037", + "gid": "V-204405", + "rid": "SV-204405r603261_rule", + "stig_id": "RHEL-07-010118", + "fix_id": "F-4529r88408_fix", "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "CCI-000192" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "pam", + "password" ], - "host": null + "nist": [ + "IA-5 (1) (a)" + ], + "host": null, + "container": null }, - "code": "control 'SV-204543' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/unix_chkpwd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86775', 'V-72151']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204543'\n tag rid: 'SV-204543r861029_rule'\n tag stig_id: 'RHEL-07-030640'\n tag fix_id: 'F-4667r861028_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/unix_chkpwd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n 
expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", + "code": "control 'SV-204405' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements\n /etc/pam.d/system-auth when changing passwords.'\n desc 'Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods.\n PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important\n security function could be bypassed if stack entries are not centralized.'\n desc 'check', 'Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:\n # cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth\n password substack system-auth\n If no results are returned, the line is commented out, this is a finding.'\n desc 'fix', 'Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.\n Add the following line to \"/etc/pam.d/passwd\" (or modify the line to have the required value):\n password substack system-auth'\n impact 0.5\n tag legacy: ['SV-95715', 'V-81003']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-204405'\n tag rid: 'SV-204405r603261_rule'\n tag stig_id: 'RHEL-07-010118'\n tag fix_id: 'F-4529r88408_fix'\n tag cci: ['CCI-000192']\n tag subsystems: ['pam', 'password']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule('password substack system-auth') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204543.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204405.rb", "line": 1 }, - "id": "SV-204543" + "id": "SV-204405" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n lock-enabled setting 
for the graphical user interface.", - "desc": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.", + "title": "The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged\n functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.", + "desc": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized\n individuals or processes may gain unnecessary access to information or privileges.\n Privileged functions include, for example, establishing accounts, performing system integrity checks, or\n administering cryptographic key management activities. Non-privileged users are individuals who do not possess\n appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection\n mechanisms are examples of privileged functions that require protection from non-privileged users.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. 
Disabling the user’s ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.", - "check": "Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the lock-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n # grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \"local\" for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver lock-enabled setting:\n /org/gnome/desktop/screensaver/lock-enabled" + "default": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized\n individuals or processes may gain unnecessary access to information or privileges.\n Privileged functions include, for example, establishing accounts, performing system integrity checks, or\n administering cryptographic key 
management activities. Non-privileged users are individuals who do not possess\n appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection\n mechanisms are examples of privileged functions that require protection from non-privileged users.", + "check": "Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL)\n in conjunction with SELinux.\n Verify the operating system prevents non-privileged users from executing privileged functions to include disabling,\n circumventing, or altering implemented security safeguards/countermeasures.\n Get a list of authorized users for the system.\n Check the list against the system by using the following command:\n $ sudo semanage login -l | more\n Login Name SELinux User MLS/MCS Range Service\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n All administrators must be mapped to the , \"staff_u\", or an appropriately tailored confined SELinux user as defined\n by the organization.\n All authorized non-administrative users must be mapped to the \"user_u\" SELinux user.\n If they are not mapped in this way, this is a finding.\n If administrator accounts are mapped to the \"sysadm_u\" SELinux user and are not documented as an operational\n requirement with the ISSO, this is a finding.\n If administrator accounts are mapped to the \"sysadm_u\" SELinux user and are documented as an operational requirement\n with the ISSO, this can be downgraded to a CAT III.", + "fix": "Configure the operating system to prevent non-privileged users from executing privileged functions to\n include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n Use the following command to map a new user to the \"staff_u\" SELinux user:\n $ sudo semanage login -a -s staff_u \n Use the following command to map an existing user to the 
\"staff_u\" SELinux user:\n $ sudo semanage login -m -s staff_u \n Use the following command to map a new user to the \"user_u\" SELinux user:\n $ sudo semanage login -a -s user_u \n Use the following command to map an existing user to the \"user_u\" SELinux user:\n $ sudo semanage login -m -s user_u " }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-78995", - "SV-93701" + "SV-86595", + "V-71971" ], "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "gid": "V-214937", - "rid": "SV-214937r880767_rule", - "stig_id": "RHEL-07-010062", - "fix_id": "F-16135r880766_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "gid": "V-204444", + "rid": "SV-204444r877392_rule", + "stig_id": "RHEL-07-020020", + "fix_id": "F-4568r792825_fix", "cci": [ - "CCI-000057" + "CCI-002165", + "CCI-002235" ], "nist": [ - "AC-11 a" + "AC-3 (4)", + "AC-6 (10)" ], "subsystems": [ - "gui" + "selinux" ], "host": null }, - "code": "control 'SV-214937' do\n title 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n lock-enabled setting for the graphical user interface.'\n desc 'A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. 
Disabling the user’s ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.'\n desc 'check', 'Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the lock-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n # grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return a result, this is a finding.'\n desc 'fix', \"Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \\\"local\\\" for the system, so if the system is using another database in\n \\\"/etc/dconf/profile/user\\\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver lock-enabled setting:\n /org/gnome/desktop/screensaver/lock-enabled\"\n impact 0.5\n tag legacy: ['V-78995', 'SV-93701']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-214937'\n tag rid: 'SV-214937r880767_rule'\n tag stig_id: 'RHEL-07-010062'\n tag fix_id: 'F-16135r880766_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 
subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n describe command('gsettings writable org.gnome.desktop.screensaver lock-enabled') do\n its('stdout.strip') { should cmp 'false' }\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204444' do\n title 'The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged\n functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.'\n desc 'Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized\n individuals or processes may gain unnecessary access to information or privileges.\n Privileged functions include, for example, establishing accounts, performing system integrity checks, or\n administering cryptographic key management activities. Non-privileged users are individuals who do not possess\n appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection\n mechanisms are examples of privileged functions that require protection from non-privileged users.'\n desc 'check', 'Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL)\n in conjunction with SELinux.\n Verify the operating system prevents non-privileged users from executing privileged functions to include disabling,\n circumventing, or altering implemented security safeguards/countermeasures.\n Get a list of authorized users for the system.\n Check the list against the system by using the following command:\n $ sudo semanage login -l | more\n Login Name SELinux User MLS/MCS Range Service\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n All administrators must be mapped to the , \"staff_u\", or an appropriately tailored confined SELinux user as defined\n by the organization.\n All authorized non-administrative users must be mapped to the \"user_u\" SELinux user.\n If they are not mapped in this way, this is a finding.\n If administrator accounts are mapped to the \"sysadm_u\" SELinux user and are not documented as an operational\n requirement with the ISSO, this is a finding.\n If administrator accounts are mapped to the \"sysadm_u\" SELinux user and are documented as an operational requirement\n with the ISSO, this can be downgraded to a CAT III.'\n desc 'fix', 'Configure the operating system to prevent non-privileged users from executing privileged functions to\n include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n Use the following command to map a new user to the \"staff_u\" SELinux user:\n $ sudo semanage login -a -s staff_u \n Use the following command to map an existing user to the \"staff_u\" SELinux user:\n $ sudo semanage login -m -s staff_u \n Use the following command to map a new 
user to the \"user_u\" SELinux user:\n $ sudo semanage login -a -s user_u \n Use the following command to map an existing user to the \"user_u\" SELinux user:\n $ sudo semanage login -m -s user_u '\n impact 0.5\n tag legacy: ['SV-86595', 'V-71971']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag gid: 'V-204444'\n tag rid: 'SV-204444r877392_rule'\n tag stig_id: 'RHEL-07-020020'\n tag fix_id: 'F-4568r792825_fix'\n tag cci: ['CCI-002165', 'CCI-002235']\n tag nist: ['AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SELinux settings must be handled on host' do\n skip 'Control not applicable - SELinux settings must be handled on host'\n end\n else\n\n admin_logins = input('admin_logins')\n\n describe command('selinuxenabled') do\n its('exist?') { should be true }\n its('exit_status') { should eq 0 }\n end\n\n selinux_mode = file('/etc/selinux/config').content.lines\n .grep(/\\A\\s*SELINUXTYPE=/).last.split('=').last.strip\n\n seusers = file(\"/etc/selinux/#{selinux_mode}/seusers\").content.lines\n .grep_v(/(#|\\A\\s+\\Z)/).map(&:strip)\n\n seusers = seusers.map { |x| x.split(':')[0..1] }\n\n describe 'seusers' do\n it { expect(seusers).to_not be_empty }\n end\n\n users_to_ignore = [\n 'root',\n 'system_u'\n ]\n\n seusers.each do |user, context|\n next if users_to_ignore.include?(user)\n\n describe \"SELinux login #{user}\" do\n if user == '__default__'\n let(:valid_users) { ['user_u'] }\n elsif admin_logins.include?(user)\n let(:valid_users) do\n [\n 'staff_u'\n ]\n end\n else\n let(:valid_users) do\n [\n 'user_u',\n 'guest_u',\n 'xguest_u'\n ]\n end\n end\n\n it { expect(context).to be_in(valid_users) }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-214937.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204444.rb", "line": 1 }, - "id": "SV-214937" + "id": "SV-204444" }, { - "title": "The Red Hat 
Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirects.", - "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages contain information from the system's route table, possibly revealing portions of the\n network topology.", + "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/shadow.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. 
These messages contain information from the system's route table, possibly revealing portions of the\n network topology.", - "check": "Verify the system does not send IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.all.send_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"all send_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects\n net.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a\n configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n net.ipv4.conf.all.send_redirects = 0\n Issue the following command to make the changes take effect:\n # sysctl --system" + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/shadow.\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep 
/etc/shadow /etc/audit/audit.rules\n -w /etc/shadow -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", + "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/shadow.\n Add or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/shadow -p wa -k identity\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72293", - "SV-86917" + "SV-87823", + "V-73171" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204617", - "rid": "SV-204617r880821_rule", - "stig_id": "RHEL-07-040660", - "fix_id": "F-4741r880820_fix", + "gtitle": "SRG-OS-000004-GPOS-00004", + "gid": "V-204567", + "rid": "SV-204567r853981_rule", + "stig_id": "RHEL-07-030873", + "fix_id": "F-4691r88894_fix", "cci": [ - "CCI-000366" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-002130" ], "nist": [ - "CM-6 b" + "AC-2 (4)", + "AU-12 c", + "AC-2 (4)", + "AC-2 (4)" ], "subsystems": [ - "kernel_parameter", - "ipv4" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204617' do\n title 'The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirects.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. 
These messages contain information from the system's route table, possibly revealing portions of the\n network topology.\"\n desc 'check', 'Verify the system does not send IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.all.send_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"all send_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects\n net.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the system to not allow interfaces to perform IPv4 ICMP redirects.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a\n configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n net.ipv4.conf.all.send_redirects = 0\n Issue the following command to make the changes take effect:\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72293', 'SV-86917']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204617'\n tag rid: 'SV-204617r880821_rule'\n tag stig_id: 'RHEL-07-040660'\n tag fix_id: 'F-4741r880820_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n send_redirects = 0\n config_file_values = command('grep -r 
net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [send_redirects.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set send_redirects to #{send_redirects}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.all.send_redirects' do\n subject { kernel_parameter('net.ipv4.conf.all.send_redirects') }\n its('value') { should eq send_redirects }\n end\n end\nend\n", + "code": "control 'SV-204567' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/shadow.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/shadow.\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/shadow /etc/audit/audit.rules\n -w /etc/shadow -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate 
audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/shadow.\n Add or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/shadow -p wa -k identity\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-87823', 'V-73171']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag gid: 'V-204567'\n tag rid: 'SV-204567r853981_rule'\n tag stig_id: 'RHEL-07-030873'\n tag fix_id: 'F-4691r88894_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/shadow'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204617.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204567.rb", "line": 1 }, - "id": "SV-204617" + "id": "SV-204567" }, { - "title": "SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.", - "desc": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed\n to maintain security. 
If the service is running with the default authenticators, anyone can gather data about the\n system and the network and use the information to potentially compromise the integrity of the system or network(s).\n It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the\n version 2 community strings.", + "title": "The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP)\n server package installed if not required for operational support.", + "desc": "If TFTP is required for operational support (such as the transmission of router configurations) its use must\n be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have\n access control rules established.", "descriptions": { - "default": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed\n to maintain security. If the service is running with the default authenticators, anyone can gather data about the\n system and the network and use the information to potentially compromise the integrity of the system or network(s).\n It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the\n version 2 community strings.", - "check": "Verify that a system using SNMP is not using default community strings.\n Check to see if the \"/etc/snmp/snmpd.conf\" file exists with the following command:\n # ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n If the file does not exist, this is Not Applicable.\n If the file does exist, check for the default community strings with the following commands:\n # grep public /etc/snmp/snmpd.conf\n # grep private /etc/snmp/snmpd.conf\n If either of these commands returns any output, this is a finding.", - "fix": "If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines that contain a community string 
value of\n \"public\" or \"private\" to another string value." + "default": "If TFTP is required for operational support (such as the transmission of router configurations) its use must\n be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have\n access control rules established.", + "check": "Verify a TFTP server has not been installed on the system.\n Check to see if a TFTP server has been installed with the following command:\n # yum list installed tftp-server\n tftp-server-0.49-9.el7.x86_64.rpm\n If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.", + "fix": "Remove the TFTP package from the system with the following command:\n # yum remove tftp-server" }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86937", - "V-72313" + "SV-86925", + "V-72301" ], "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204627", - "rid": "SV-204627r603261_rule", - "stig_id": "RHEL-07-040800", - "fix_id": "F-4751r89074_fix", + "gid": "V-204621", + "rid": "SV-204621r853996_rule", + "stig_id": "RHEL-07-040700", + "fix_id": "F-4745r89056_fix", "cci": [ - "CCI-000366" + "CCI-000318", + "CCI-000368", + "CCI-001812", + "CCI-001813", + "CCI-001814" ], "nist": [ - "CM-6 b" + "CM-3 f", + "CM-6 c", + "CM-11 (2)", + "CM-5 (1)", + "CM-5 (1) (a)" ], "subsystems": [ - "snmp" + "tftp" ], "host": null, "container": null }, - "code": "control 'SV-204627' do\n title 'SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.'\n desc 'Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed\n to maintain security. 
If the service is running with the default authenticators, anyone can gather data about the\n system and the network and use the information to potentially compromise the integrity of the system or network(s).\n It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the\n version 2 community strings.'\n desc 'check', 'Verify that a system using SNMP is not using default community strings.\n Check to see if the \"/etc/snmp/snmpd.conf\" file exists with the following command:\n # ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n If the file does not exist, this is Not Applicable.\n If the file does exist, check for the default community strings with the following commands:\n # grep public /etc/snmp/snmpd.conf\n # grep private /etc/snmp/snmpd.conf\n If either of these commands returns any output, this is a finding.'\n desc 'fix', 'If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines that contain a community string value of\n \"public\" or \"private\" to another string value.'\n impact 0.7\n tag legacy: ['SV-86937', 'V-72313']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204627'\n tag rid: 'SV-204627r603261_rule'\n tag stig_id: 'RHEL-07-040800'\n tag fix_id: 'F-4751r89074_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['snmp']\n tag 'host'\n tag 'container'\n\n if file('/etc/snmp/snmpd.conf').exist?\n impact 0.7\n processed = []\n to_process = ['/etc/snmp/snmpd.conf']\n\n until to_process.empty?\n in_process = to_process.pop\n next if processed.include? 
in_process\n\n processed.push in_process\n\n if file(in_process).directory?\n to_process.concat(\n command(\"find #{in_process} -maxdepth 1 -mindepth 1 -name '*.conf'\")\n .stdout.strip.split(\"\\n\")\n .select do |f|\n file(f).file?\n end\n )\n elsif file(in_process).file?\n to_process.concat(\n command(\"grep -E '^\\\\s*includeFile\\\\s+' #{in_process} | sed 's/^[[:space:]]*includeFile[[:space:]]*//g'\")\n .stdout.strip.split(/\\n+/)\n .map do |f|\n if f.start_with?('/')\n f\n else\n File.join(\n File.dirname(in_process), f\n )\n end\n end\n .select do |f|\n file(f).file?\n end\n )\n to_process.concat(\n command(\"grep -E '^\\\\s*includeDir\\\\s+' #{in_process} | sed 's/^[[:space:]]*includeDir[[:space:]]*//g'\")\n .stdout.strip.split(/\\n+/)\n .map { |f|\n f.start_with?('/') ? f : File.join('/', f)\n } # relative dirs are treated as absolute\n .select do |f|\n file(f).directory?\n end\n )\n end\n end\n\n config_files = processed.select { |f| file(f).file? }\n\n config_files.each do |config|\n describe file(config) do\n its('content') { should_not match(/^[^#]*(public|private)/) }\n end\n end\n else\n impact 0.0\n describe 'The `snmpd.conf` does not exist' do\n skip 'The snmpd.conf file does not exist, this control is Not Applicable'\n end\n end\nend\n", + "code": "control 'SV-204621' do\n title 'The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP)\n server package installed if not required for operational support.'\n desc 'If TFTP is required for operational support (such as the transmission of router configurations) its use must\n be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have\n access control rules established.'\n desc 'check', 'Verify a TFTP server has not been installed on the system.\n Check to see if a TFTP server has been installed with the following command:\n # yum list installed tftp-server\n tftp-server-0.49-9.el7.x86_64.rpm\n If TFTP 
is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.'\n desc 'fix', 'Remove the TFTP package from the system with the following command:\n # yum remove tftp-server'\n impact 0.7\n tag legacy: ['SV-86925', 'V-72301']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204621'\n tag rid: 'SV-204621r853996_rule'\n tag stig_id: 'RHEL-07-040700'\n tag fix_id: 'F-4745r89056_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['tftp']\n tag 'host'\n tag 'container'\n\n describe package('tftp-server') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204627.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204621.rb", "line": 1 }, - "id": "SV-204627" + "id": "SV-204621" }, { - "title": "The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and\n Consent Banner before granting local or remote access to the system via a graphical user logon.", - "desc": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy.\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "title": "The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.", + "desc": "The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. 
The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.", "descriptions": { - "default": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy.\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"", - "check": "Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner\n before granting access to the operating system via a graphical user logon.\n Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text\n with the command:\n # grep banner-message-text /etc/dconf/db/local.d/*\n banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'\n Note: The \"\\n \" characters are for formatting only. 
They will not be displayed on the Graphical User Interface.\n If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.", - "fix": "Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent\n Banner before granting access to the system.\n Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the\n following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n [org/gnome/login-screen]\n banner-message-enable=true\n banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'\n Note: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface.\n Run the following command to update the database:\n # dconf update" + "default": "The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.", + "check": "Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n $ sudo grep -i kexalgorithms /etc/ssh/sshd_config\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nIf \"KexAlgorithms\" is not configured, is commented out, or does not contain only the algorithms \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\" in exact order, this is a finding.", + "fix": "Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/ssh/sshd_config\":\n\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nRestart the \"sshd\" service for changes to take effect:\n\n $ sudo systemctl restart sshd" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "V-71861", - "SV-86485" - ], + "check_id": "C-59602r880747_chk", "severity": "medium", - 
"gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000024-GPOS-00007", - "SRG-OS-000228-GPOS-00088" - ], - "gid": "V-204394", - "rid": "SV-204394r603261_rule", - "stig_id": "RHEL-07-010040", - "fix_id": "F-4518r297479_fix", + "gid": "V-255925", + "rid": "SV-255925r880749_rule", + "stig_id": "RHEL-07-040712", + "gtitle": "SRG-OS-000033-GPOS-00014", + "fix_id": "F-59545r880748_fix", + "documentable": null, "cci": [ - "CCI-000048" + "CCI-001453" ], "nist": [ - "AC-8 a" - ], - "subsystems": [ - "gdm" - ], - "host": null + "AC-17 (2)" + ] }, - "code": "control 'SV-204394' do\n title \"The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and\n Consent Banner before granting local or remote access to the system via a graphical user logon.\"\n desc \"Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy.\n \\\"#{input('banner_message_text_gui')}\\\" \"\n desc 'check', \"Verify the operating system displays the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner\n before granting access to the operating system via a graphical user logon.\n Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n Check that the operating system displays the exact approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner text\n with the command:\n # grep banner-message-text 
/etc/dconf/db/local.d/*\n banner-message-text='#{input('banner_message_text_gui')}'\n Note: The \\\"\\\\n \\\" characters are for formatting only. They will not be displayed on the Graphical User Interface.\n If the banner does not match the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding.\"\n desc 'fix', \"Configure the operating system to display the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent\n Banner before granting access to the system.\n Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the\n following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the \\\"/etc/dconf/db/local.d/01-banner-message\\\":\n [org/gnome/login-screen]\n banner-message-enable=true\n banner-message-text='#{input('banner_message_text_gui')}'\n Note: The \\\"\\\\n \\\" characters are for formatting only. 
They will not be displayed on the Graphical User Interface.\n Run the following command to update the database:\n # dconf update\"\n impact 0.5\n tag legacy: ['V-71861', 'SV-86485']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-204394'\n tag rid: 'SV-204394r603261_rule'\n tag stig_id: 'RHEL-07-010040'\n tag fix_id: 'F-4518r297479_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag subsystems: ['gdm']\n tag 'host'\n\n if package('gnome-desktop3').installed?\n # Get all files that have the banner-message-text specified.\n banner_files =\n command('grep -l banner-message-text /etc/dconf/db/local.d/*').stdout.split(\"\\n\")\n # If there are no banner files then this is a finding.\n banner_missing = banner_files.empty?\n if banner_missing\n describe 'If no files specify the banner text then this is a finding' do\n subject { banner_missing }\n it { should be false }\n end\n end\n # If there are banner files then check them to make sure they have the correct text.\n banner_files.each do |banner_file|\n banner_message =\n parse_config_file(banner_file).params('org/gnome/login-screen', 'banner-message-text').gsub(\n /[\\r\\n\\s]/, ''\n )\n # dconf expects the banner-message-text to be quoted so remove leading and trailing quote.\n # See https://developer.gnome.org/dconf/unstable/dconf-tool.html which states:\n # VALUE arguments must be in GVariant format, so e.g. a string must include\n # explicit quotes: \"'foo'\". 
This format is also used when printing out values.\n if banner_message.start_with?('\"') || banner_message.start_with?('\\'')\n banner_message = banner_message[1, banner_message.length]\n end\n if banner_message.end_with?('\"') || banner_message.end_with?('\\'')\n banner_message = banner_message.chop\n end\n banner_message.gsub!('\\\\n', '')\n foo = input('banner_message_text_gui')\n foo2 = input('banner_message_text_gui_limited')\n describe.one do\n describe banner_message do\n it { should cmp foo.gsub(/[\\r\\n\\s]/, '') }\n end\n describe banner_message do\n it { should cmp foo2.gsub(/[\\r\\n\\s]/, '') }\n end\n end\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-255925' do\n title 'The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.'\n desc 'The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. 
The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.'\n desc 'check', 'Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n $ sudo grep -i kexalgorithms /etc/ssh/sshd_config\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nIf \"KexAlgorithms\" is not configured, is commented out, or does not contain only the algorithms \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\" in exact order, this is a finding.'\n desc 'fix', 'Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/ssh/sshd_config\":\n\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nRestart the \"sshd\" service for changes to take effect:\n\n $ sudo systemctl restart sshd'\n impact 0.5\n tag check_id: 'C-59602r880747_chk'\n tag severity: 'medium'\n tag gid: 'V-255925'\n tag rid: 'SV-255925r880749_rule'\n tag stig_id: 'RHEL-07-040712'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag fix_id: 'F-59545r880748_fix'\n tag 'documentable'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n\n describe sshd_config('/etc/ssh/sshd_config') do\n its('KexAlgorithms') { should cmp 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256' }\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204394.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-255925.rb",
 "line": 1
 },
- "id": "SV-204394"
+ "id": "SV-255925"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to\n the central log server.",
- "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common 
process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When\n audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be\n analyzed and tied back to the correct system.", + "title": "The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the\n confidentiality of SSH connections.", + "desc": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and\n therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to\n cryptographic modules.\n FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize\n authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general\n purpose computing system.\n The system will attempt to use the first cipher presented by the client that matches the server list. Listing the\n values \"strongest to weakest\" is a method to ensure the use of the strongest cipher available to secure the SSH\n connection.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. 
When\n audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be\n analyzed and tied back to the correct system.", - "check": "Verify the audisp daemon is configured to label all off-loaded audit logs:\n # grep \"name_format\" /etc/audisp/audispd.conf\n name_format = hostname\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate\n if the logs are labeled appropriately.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.", - "fix": "Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:\n name_format = hostname\n The audit daemon must be restarted for changes to take effect:\n # service auditd restart" + "default": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and\n therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to\n cryptographic modules.\n FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize\n authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general\n purpose computing system.\n The system will attempt to use the first cipher presented by the client that matches the server list. 
Listing the\n values \"strongest to weakest\" is a method to ensure the use of the strongest cipher available to secure the SSH\n connection.", + "check": "Verify the operating system uses mechanisms meeting the requirements of applicable federal laws,\n Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic\n module.\n The location of the \"sshd_config\" file may vary if a different daemon is in use.\n Inspect the \"Ciphers\" configuration with the following command:\n # grep -i ciphers /etc/ssh/sshd_config\n Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n If any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example\n above, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.", + "fix": "Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor).\n Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n The SSH service must be restarted for changes to take effect." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-95733",
- "V-81021"
+ "V-72221",
+ "SV-86845"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000342-GPOS-00133",
+ "gtitle": "SRG-OS-000033-GPOS-00014",
 "satisfies": [
- "SRG-OS-000342-GPOS-00133",
- "SRG-OS-000479-GPOS-00224"
+ "SRG-OS-000033-GPOS-00014",
+ "SRG-OS-000120-GPOS-00061",
+ "SRG-OS-000125-GPOS-00065",
+ "SRG-OS-000250-GPOS-00093",
+ "SRG-OS-000393-GPOS-00173"
 ],
- "gid": "V-204508",
- "rid": "SV-204508r877390_rule",
- "stig_id": "RHEL-07-030211",
- "fix_id": "F-36313r602649_fix",
+ "gid": "V-204578",
+ "rid": "SV-204578r877398_rule",
+ "stig_id": "RHEL-07-040110",
+ "fix_id": "F-4702r622306_fix",
 "cci": [
- "CCI-001851"
+ "CCI-000068",
+ "CCI-000366",
+ "CCI-000803"
 ],
 "nist": [
- "AU-4 (1)"
+ "AC-17 (2)",
+ "CM-6 b",
+ "IA-7"
 ],
 "subsystems": [
- "audit",
- "audisp"
+ "ssh"
 ],
 "host": null
 },
- "code": "control 'SV-204508' do\n title 'The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to\n the central log server.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. 
When\n audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be\n analyzed and tied back to the correct system.'\n desc 'check', 'Verify the audisp daemon is configured to label all off-loaded audit logs:\n # grep \"name_format\" /etc/audisp/audispd.conf\n name_format = hostname\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate\n if the logs are labeled appropriately.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.'\n desc 'fix', 'Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:\n name_format = hostname\n The audit daemon must be restarted for changes to take effect:\n # service auditd restart'\n impact 0.5\n tag legacy: ['SV-95733', 'V-81021']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204508'\n tag rid: 'SV-204508r877390_rule'\n tag stig_id: 'RHEL-07-030211'\n tag fix_id: 'F-36313r602649_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n elsif file('/etc/audisp/audispd.conf').exist?\n\n describe parse_config_file('/etc/audisp/audispd.conf') do\n its('name_format') { should match(/^hostname$|^fqd$|^numeric$/i) }\n end\n else\n describe \"File '/etc/audisp/audispd.conf' cannot be found. 
This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually\"\n end\n end\nend\n", + "code": "control 'SV-204578' do\n title \"The Red Hat Enterprise Linux 7 operating system must implement #{input('org_name')[:acronym]}-approved encryption to protect the\n confidentiality of SSH connections.\"\n desc \"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and\n therefore cannot be relied upon to provide confidentiality or integrity, and #{input('org_name')[:acronym]} data may be compromised.\n Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to\n cryptographic modules.\n FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize\n authentication that meets #{input('org_name')[:acronym]} requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general\n purpose computing system.\n The system will attempt to use the first cipher presented by the client that matches the server list. 
Listing the\n values \\\"strongest to weakest\\\" is a method to ensure the use of the strongest cipher available to secure the SSH\n connection.\"\n desc 'check', 'Verify the operating system uses mechanisms meeting the requirements of applicable federal laws,\n Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic\n module.\n The location of the \"sshd_config\" file may vary if a different daemon is in use.\n Inspect the \"Ciphers\" configuration with the following command:\n # grep -i ciphers /etc/ssh/sshd_config\n Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n If any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example\n above, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.'\n desc 'fix', 'Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor).\n Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['V-72221', 'SV-86845']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000120-GPOS-00061', 'SRG-OS-000125-GPOS-00065', 'SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173']\n tag gid: 'V-204578'\n tag rid: 'SV-204578r877398_rule'\n tag stig_id: 'RHEL-07-040110'\n tag fix_id: 'F-4702r622306_fix'\n tag cci: ['CCI-000068', 'CCI-000366', 'CCI-000803']\n tag nist: ['AC-17 (2)', 'CM-6 b', 'IA-7']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within 
containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n ciphers_array = sshd_config.params('ciphers')\n\n ciphers_array = ciphers_array.first.split(',') unless ciphers_array.nil?\n\n describe 'List of encryption algortihms used for SSH connections' do\n subject { ciphers_array }\n it { should_not be_nil }\n it { should eq ['aes256-ctr', 'aes192-ctr', 'aes128-ctr'] }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204508.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204578.rb",
 "line": 1
 },
- "id": "SV-204508"
+ "id": "SV-204578"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the\n user at a command prompt, except to fulfill documented and validated mission requirements.",
- "desc": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized\n personnel to take control of a management session enabled on the console or console port that has been left\n unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed\n network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized\n personnel to take control of a management session enabled on the console or console port that has been left\n unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed\n network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", - "check": "Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.\n\nCheck the value of the system inactivity timeout with the following command:\n\n$ sudo grep -irw tmout /etc/profile /etc/bashrc /etc/profile.d\n\netc/profile.d/tmout.sh:declare -xr TMOUT=900\n\nIf conflicting results are returned, this is a finding.\nIf 'TMOUT' is not set to 900 or less to enforce session termination after inactivity, this is a finding.", - "fix": "Configure the operating system to terminate all network connections associated with a communications\n session at the end of the session or after a period of inactivity.\n Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:\n #!/bin/bash\n declare -xr TMOUT=900" + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"mount\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"mount\" syscall, this is a finding.\n\nIf all uses of the \"mount\" command are not being audited, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86847",
- "V-72223"
+ "V-72171",
+ "SV-86795"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000163-GPOS-00072",
- "gid": "V-204579",
- "rid": "SV-204579r861070_rule",
- "stig_id": "RHEL-07-040160",
- "fix_id": "F-4703r646843_fix",
- "cci": [
- "CCI-001133",
- "CCI-002361"
- ],
- "nist": [
- "SC-10",
- "AC-12"
+ "gtitle": "SRG-OS-000042-GPOS-00020",
+ "satisfies": [
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000392-GPOS-00172"
+ ],
+ "gid": "V-204552",
+ "rid": "SV-204552r861053_rule",
+ "stig_id": "RHEL-07-030740",
+ "fix_id": "F-4676r861052_fix",
+ "cci": [
+ "CCI-000135",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 (1)",
+ "MA-4 (1) (a)"
 ],
 "subsystems": [
- "user_profile"
+ "audit",
+ "auditd",
+ "audit_rule"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-204579' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with a communication session are terminated at the end of the session or after #{input('system_activity_timeout')/60} minutes of inactivity from the\n user at a command prompt, except to fulfill documented and validated mission requirements.\"\n desc 'Terminating an idle session within a short time period reduces the window of opportunity for unauthorized\n personnel to take control of a management session enabled on the console or console port that has been left\n unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed\n network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.'\n desc 'check', \"Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.\n\nCheck the value of the system inactivity timeout with the following command:\n\n$ sudo grep -irw tmout /etc/profile /etc/bashrc /etc/profile.d\n\netc/profile.d/tmout.sh:declare -xr TMOUT=#{input('system_activity_timeout')}\n\nIf conflicting results are returned, this is a finding.\nIf 'TMOUT' is not set to #{input('system_activity_timeout')} or less to enforce session termination after inactivity, this is a finding.\"\n desc 'fix', \"Configure the operating system to terminate all network connections associated with a communications\n session at the end of the session or after a period of inactivity.\n Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:\n #!/bin/bash\n declare -xr TMOUT=#{input('system_activity_timeout')}\"\n impact 0.5\n tag legacy: ['SV-86847', 'V-72223']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag gid: 'V-204579'\n tag rid: 'SV-204579r861070_rule'\n tag stig_id: 'RHEL-07-040160'\n tag fix_id: 'F-4703r646843_fix'\n tag cci: ['CCI-001133', 'CCI-002361']\n tag nist: ['SC-10', 'AC-12']\n tag subsystems: ['user_profile']\n tag 'host'\n tag 'container'\n\n # Get current 
TMOUT environment variable (active test)\n describe 'Environment variable TMOUT' do\n subject { os_env('TMOUT').content.to_i }\n it { should cmp <= input('system_activity_timeout') }\n end\n\n # Check if TMOUT is set in files (passive test)\n files = ['/etc/bashrc'] + ['/etc/profile'] + command('find /etc/profile.d/*').stdout.split(\"\\n\")\n latest_val = nil\n\n files.each do |file|\n readonly = false\n\n # Skip to next file if TMOUT isn't present. Otherwise, get the last occurrence of TMOUT\n if (values = command(\"grep -Po '.*TMOUT.*' #{file}\").stdout.split(\"\\n\")).empty?\n next\n end\n\n # Loop through each TMOUT match and see if set TMOUT's value or makes it readonly\n values.each_with_index do |value, index|\n # Skip if starts with '#' - it represents a comment\n next unless value.match(/^#/).nil?\n\n # If readonly and value is inline - use that value\n if !value.match(/^readonly\\s+TMOUT\\s*=\\s*\\d+$/).nil?\n latest_val = value.match(/\\d+/)[0].to_i\n readonly = true\n break\n # If readonly, but, value is not inline - use the most recent value\n elsif !value.match(/^readonly\\s+(\\w+\\s+)?TMOUT\\s*(\\s+\\w+\\s*)*$/).nil?\n # If the index is greater than 0, the configuraiton setting value.\n # Otherwise, the configuration setting value is in the previous file\n # and is already set in latest_val.\n latest_val = values[index - 1].match(/\\d+/)[0].to_i if index >= 1\n readonly = true\n break\n # Readonly is not set use the lastest value\n else\n latest_val = value.match(/\\d+/)[0].to_i\n end\n end\n # Readonly is set - stop processing files\n break if readonly === true\n end\n\n if latest_val.nil?\n describe 'The TMOUT setting is configured' do\n subject { !latest_val.nil? 
}\n it { should be true }\n end\n else\n describe 'The TMOUT setting is configured properly' do\n subject { latest_val }\n it { should cmp <= input('system_activity_timeout') }\n end\n end\nend\n", + "code": "control 'SV-204552' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"mount\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"mount\" syscall, this is a finding.\n\nIf all uses of the \"mount\" command are not being audited, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"mount\" 
command and syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72171', 'SV-86795']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204552'\n tag rid: 'SV-204552r861053_rule'\n tag stig_id: 'RHEL-07-030740'\n tag fix_id: 'F-4676r861052_fix'\n tag cci: ['CCI-000135', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscall = 'mount'\n audit_command = '/usr/bin/mount'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-mount')\n end\n end\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to 
include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-mount')\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204579.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204552.rb",
 "line": 1
 },
- "id": "SV-204579"
+ "id": "SV-204552"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using\n remote access via SSH.",
- "desc": "Even though the communications channel may be encrypted, an additional layer of security is gained by\n extending the policy of not logging on directly as root. In addition, logging on with a user-specific account\n provides individual accountability of actions performed on the system.",
+ "title": "The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when\n possible by default.",
+ "desc": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be\n received on the interface they were received on. It should not be used on systems which are routers for complicated\n networks, but is helpful for end hosts and routers serving small networks.",
 "descriptions": {
- "default": "Even though the communications channel may be encrypted, an additional layer of security is gained by\n extending the policy of not logging on directly as root. 
In addition, logging on with a user-specific account\n provides individual accountability of actions performed on the system.", - "check": "Verify remote access using SSH prevents users from logging on directly as root.\n Check that SSH prevents users from logging on directly as root with the following command:\n # grep -i permitrootlogin /etc/ssh/sshd_config\n PermitRootLogin no\n If the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.", - "fix": "Configure SSH to stop users from logging on remotely as the root user.\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"PermitRootLogin\" keyword and\n set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor):\n PermitRootLogin no\n The SSH service must be restarted for changes to take effect." + "default": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be\n received on the interface they were received on. 
It should not be used on systems which are routers for complicated\n networks, but is helpful for end hosts and routers serving small networks.",
+ "check": "Verify the system uses a reverse-path filter for IPv4:\n\n # grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.default.rp_filter = 1\n\nIf \"net.ipv4.conf.default.rp_filter\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter\n net.ipv4.conf.default.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.",
+ "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72247",
- "SV-86871"
+ "V-92253",
+ "SV-102355"
 ],
 "severity": "medium",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204592",
- "rid": "SV-204592r603261_rule",
- "stig_id": "RHEL-07-040370",
- "fix_id": "F-4716r88969_fix",
+ "gid": "V-204611",
+ "rid": "SV-204611r880803_rule",
+ "stig_id": "RHEL-07-040612",
+ "fix_id": "F-4735r880802_fix",
 "cci": [
 "CCI-000366"
 ], 
@@ -1326,360 +1315,305 @@ "CM-6 b" ], "subsystems": [ - "ssh" + "kernel_parameter", + "ipv4" ], "host": null }, - "code": "control 'SV-204592' do\n title 'The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using\n remote access via SSH.'\n desc 'Even though the communications channel may be encrypted, an additional layer of security is gained by\n extending the policy of not logging on directly as root. In addition, logging on with a user-specific account\n provides individual accountability of actions performed on the system.'\n desc 'check', 'Verify remote access using SSH prevents users from logging on directly as root.\n Check that SSH prevents users from logging on directly as root with the following command:\n # grep -i permitrootlogin /etc/ssh/sshd_config\n PermitRootLogin no\n If the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure SSH to stop users from logging on remotely as the root user.\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"PermitRootLogin\" keyword and\n set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor):\n PermitRootLogin no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['V-72247', 'SV-86871']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204592'\n tag rid: 'SV-204592r603261_rule'\n tag stig_id: 'RHEL-07-040370'\n tag fix_id: 'F-4716r88969_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n 
end\n else\n describe sshd_config do\n its('PermitRootLogin') { should cmp 'no' }\n end\n end\nend\n", + "code": "control 'SV-204611' do\n title 'The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when\n possible by default.'\n desc 'Enabling reverse path filtering drops packets with source addresses that should not have been able to be\n received on the interface they were received on. It should not be used on systems which are routers for complicated\n networks, but is helpful for end hosts and routers serving small networks.'\n desc 'check', 'Verify the system uses a reverse-path filter for IPv4:\n\n # grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.default.rp_filter = 1\n\nIf \"net.ipv4.conf.default.rp_filter\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter\n net.ipv4.conf.default.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-92253', 'SV-102355']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204611'\n tag rid: 'SV-204611r880803_rule'\n tag stig_id: 'RHEL-07-040612'\n tag fix_id: 
'F-4735r880802_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n rp_filter = 1\n config_file_values = command('grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [rp_filter.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set rp_filter to #{rp_filter}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.default.rp_filter' do\n subject { kernel_parameter('net.ipv4.conf.default.rp_filter') }\n its('value') { should eq rp_filter }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204592.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204611.rb", "line": 1 }, - "id": "SV-204592" + "id": "SV-204611" }, { - "title": "The Red Hat Enterprise Linux operating system must enable SELinux.", - "desc": "Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. 
Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. 
Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.", - "check": "Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in\n conjunction with SELinux.\n Verify the operating system verifies correct operation of all security functions.\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following command:\n # getenforce\n Enforcing\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding.", - "fix": "Configure the operating system to verify correct operation of all security functions.\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following\n line:\n SELINUX=enforcing\n A reboot is required for the changes to take effect." + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/sbin/postdrop\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71989", - "SV-86613" + "V-72175", + "SV-86799" ], "severity": "medium", - "gtitle": "SRG-OS-000445-GPOS-00199", - "gid": "V-204453", - "rid": "SV-204453r853895_rule", - "stig_id": "RHEL-07-020210", - "fix_id": "F-36306r602628_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "satisfies": [ + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172" + ], + "gid": "V-204554", + "rid": "SV-204554r861059_rule", + "stig_id": "RHEL-07-030760", + "fix_id": "F-4678r861058_fix", "cci": [ - "CCI-002165", - "CCI-002696" + "CCI-000135", + "CCI-002884" ], "nist": [ - "AC-3 (4)", - "SI-6 a" + "AU-3 (1)", + "MA-4 (1) (a)" ], "subsystems": [ - "selinux" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204453' do\n title 'The Red Hat Enterprise Linux operating system must enable SELinux.'\n desc 'Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. 
Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.'\n desc 'check', 'Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in\n conjunction with SELinux.\n Verify the operating system verifies correct operation of all security functions.\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following command:\n # getenforce\n Enforcing\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding.'\n desc 'fix', 'Configure the operating system to verify correct operation of all security functions.\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following\n line:\n SELINUX=enforcing\n A reboot is required for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-71989', 'SV-86613']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag gid: 'V-204453'\n tag rid: 'SV-204453r853895_rule'\n tag stig_id: 'RHEL-07-020210'\n tag fix_id: 'F-36306r602628_fix'\n tag cci: ['CCI-002165', 'CCI-002696']\n tag nist: ['AC-3 (4)', 'SI-6 a']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SELinux settings must be handled on host' do\n skip 'Control not applicable - SELinux settings must be handled on host'\n end\n else\n describe command('getenforce') do\n its('stdout.strip') { should eq 'Enforcing' }\n end\n end\nend\n", + "code": "control 'SV-204554' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.'\n desc 'Reconstruction of harmful events or 
forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/sbin/postdrop\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72175', 'SV-86799']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204554'\n tag rid: 'SV-204554r861059_rule'\n tag stig_id: 'RHEL-07-030760'\n tag fix_id: 'F-4678r861058_fix'\n tag cci: ['CCI-000135', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'MA-4 (1) (a)']\n tag subsystems: 
['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/postdrop'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-postfix')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204453.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204554.rb", "line": 1 }, - "id": "SV-204453" + "id": "SV-204554" }, { - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.", - "desc": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.\n The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character\n or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This\n option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. 
Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.", + "title": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service\n packs, device drivers, or operating system components from a repository without verification they have been\n digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved\n by the organization.", + "desc": "Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.", "descriptions": { - "default": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.\n The \"nodev\" mount option causes the system to not interpret character or block special devices. 
Executing character\n or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This\n option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.", - "check": "Verify that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /dev/shm:\n # cat /etc/fstab | grep /dev/shm\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n If results are returned and the \"nodev\", \"nosuid\", or \"noexec\" options are missing, this is a finding.\n Verify \"/dev/shm\" is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options:\n # mount | grep /dev/shm\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n If /dev/shm is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options by\n adding /modifying the /etc/fstab with the following line:\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + "default": "Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. 
This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.", + "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or\n operating system components from a repository without verification that they have been digitally signed using a\n certificate that is recognized and approved by the organization.\n Check that yum verifies the signature of packages from a repository prior to install with the following command:\n # grep gpgcheck /etc/yum.conf\n gpgcheck=1\n If \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the\n certificates for patches and other operating system components are verified.\n If there is no process to validate certificates that is approved by the organization, this is a finding.", + "fix": "Configure the operating system to verify the signature of packages from a repository prior to install\n by setting the following option in the \"/etc/yum.conf\" file:\n gpgcheck=1" }, - "impact": 0.3, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-95725", - "V-81013" + "V-71977", + "SV-86601" ], - "severity": "low", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-204486", - "rid": "SV-204486r853900_rule", - "stig_id": "RHEL-07-021024", - "fix_id": "F-4610r462553_fix", + "severity": "high", + "gtitle": "SRG-OS-000366-GPOS-00153", + "gid": "V-204447", + "rid": "SV-204447r877463_rule", + "stig_id": "RHEL-07-020050", + "fix_id": "F-4571r88534_fix", "cci": [ - "CCI-001764" + "CCI-001749" ], "nist": [ - "CM-7 (2)" + "CM-5 (3)" ], "subsystems": [ - "etc_fstab", - "mount" + "yum" ], "host": null, "container": null }, - 
"code": "control 'SV-204486' do\n title 'The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.'\n desc 'The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.\n The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character\n or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This\n option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.'\n desc 'check', 'Verify that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /dev/shm:\n # cat /etc/fstab | grep /dev/shm\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n If results are returned and the \"nodev\", \"nosuid\", or \"noexec\" options are missing, this is a finding.\n Verify \"/dev/shm\" is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options:\n # mount | grep /dev/shm\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n If /dev/shm is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.'\n desc 'fix', 'Configure the system so that /dev/shm is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options by\n adding /modifying the /etc/fstab with the following line:\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.3\n tag legacy: ['SV-95725', 
'V-81013']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-204486'\n tag rid: 'SV-204486r853900_rule'\n tag stig_id: 'RHEL-07-021024'\n tag fix_id: 'F-4610r462553_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag subsystems: ['etc_fstab', 'mount']\n tag 'host'\n tag 'container'\n\n if mount('/dev/shm').mounted?\n\n mount_file = etc_fstab.where { mount_point == '/dev/shm' }\n mount_command = mount('/dev/shm').file.mounted.stdout\n .match(/\\((.*)\\)/)[1].split(',')\n\n describe.one do\n describe '/etc/fstab mount options for /dev/shm' do\n subject { mount_file }\n its('mount_options.flatten') { should include 'nodev' }\n its('mount_options.flatten') { should include 'nosuid' }\n its('mount_options.flatten') { should include 'noexec' }\n end\n describe '/etc/fstab mount options for /dev/shm' do\n subject { mount_file }\n it { should_not exist }\n end\n end\n describe 'mount command options for /dev/shm' do\n subject { mount_command }\n it { should include 'nodev' }\n it { should include 'nosuid' }\n it { should include 'noexec' }\n end\n else\n describe mount('/dev/shm') do\n it { should_not be_mounted }\n end\n end\nend\n", + "code": "control 'SV-204447' do\n title \"The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service\n packs, device drivers, or operating system components from a repository without verification they have been\n digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved\n by the organization.\"\n desc \"Changes to any software components can have significant effects on the overall security of the operating\n system. 
This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. This requirement does not mandate #{input('org_name')[:acronym]} certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.\"\n desc 'check', \"Verify the operating system prevents the installation of patches, service packs, device drivers, or\n operating system components from a repository without verification that they have been digitally signed using a\n certificate that is recognized and approved by the organization.\n Check that yum verifies the signature of packages from a repository prior to install with the following command:\n # grep gpgcheck /etc/yum.conf\n gpgcheck=1\n If \\\"gpgcheck\\\" is not set to \\\"1\\\", or if options are missing or commented out, ask the System Administrator how the\n certificates for patches and other operating system components are verified.\n If there is no process to validate certificates that is approved by the organization, this is a finding.\"\n desc 'fix', \"Configure the operating system to verify the signature of packages from a repository prior to install\n by setting the following option in the \\\"/etc/yum.conf\\\" file:\n gpgcheck=1\"\n impact 0.7\n tag legacy: ['V-71977', 'SV-86601']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-204447'\n tag rid: 'SV-204447r877463_rule'\n tag 
stig_id: 'RHEL-07-020050'\n tag fix_id: 'F-4571r88534_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag subsystems: ['yum']\n tag 'host'\n tag 'container'\n\n yum_conf = '/etc/yum.conf'\n\n if (f = file(yum_conf)).exist?\n describe ini(yum_conf) do\n its('main.gpgcheck') { should cmp 1 }\n end\n else\n describe f do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204486.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204447.rb", "line": 1 }, - "id": "SV-204486" + "id": "SV-204447" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted\n to a 60-day maximum lifetime.", - "desc": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.", + "title": "The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.", + "desc": "Failure to restrict system access to authenticated users negatively impacts operating system security.", "descriptions": { - "default": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.", - "check": "Check whether the maximum time period for existing passwords is restricted to 60 days.\n # awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n If any results are returned that are not associated with a system account, this is a finding.", - "fix": "Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n # chage -M 60 [user]" + "default": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "check": "Verify the operating system does not allow users to override environment variables to the SSH\n daemon.\n Check for the value of the \"PermitUserEnvironment\" keyword with the following command:\n # grep -i permituserenvironment /etc/ssh/sshd_config\n PermitUserEnvironment no\n If the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.", + "fix": "Configure the operating system to not allow users to override environment variables to the SSH daemon.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"PermitUserEnvironment\" keyword and set the\n value to \"no\":\n PermitUserEnvironment no\n The SSH service must be restarted for changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71931", - "SV-86555" + "SV-86581", + "V-71957" ], "severity": "medium", - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-204421", - "rid": "SV-204421r603261_rule", - "stig_id": "RHEL-07-010260", - "fix_id": "F-4545r88456_fix", + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-204434", + "rid": "SV-204434r877377_rule", + "stig_id": "RHEL-07-010460", + "fix_id": "F-4558r88495_fix", "cci": [ - "CCI-000199" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)" + "CM-6 b" ], "subsystems": [ - "password", - "/etc/shadow", - "tty" + "ssh" ], "host": null }, - "code": "control 'SV-204421' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted\n to a 60-day maximum lifetime.'\n desc 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.'\n desc 'check', %q(Check whether the maximum time period for existing passwords is restricted to 60 days.\n # awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n If any results are returned that are not associated with a system account, this is a finding.)\n desc 'fix', 'Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n # chage -M 60 [user]'\n impact 0.5\n tag legacy: ['V-71931', 'SV-86555']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-204421'\n tag rid: 'SV-204421r603261_rule'\n tag stig_id: 'RHEL-07-010260'\n tag fix_id: 'F-4545r88456_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag subsystems: ['password', '/etc/shadow', 'tty']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable 
to a container'\n end\n else\n shadow.users.each do |user|\n # filtering on non-system accounts (uid >= 1000)\n next unless user(user).uid >= 1000\n\n describe shadow.users(user) do\n its('max_days.first') { should cmp input('max_password_lifetime') }\n end\n end\n end\nend\n", + "code": "control 'SV-204434' do\n title 'The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.'\n desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'\n desc 'check', 'Verify the operating system does not allow users to override environment variables to the SSH\n daemon.\n Check for the value of the \"PermitUserEnvironment\" keyword with the following command:\n # grep -i permituserenvironment /etc/ssh/sshd_config\n PermitUserEnvironment no\n If the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to not allow users to override environment variables to the SSH daemon.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"PermitUserEnvironment\" keyword and set the\n value to \"no\":\n PermitUserEnvironment no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86581', 'V-71957']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-204434'\n tag rid: 'SV-204434r877377_rule'\n tag stig_id: 'RHEL-07-010460'\n tag fix_id: 'F-4558r88495_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('PermitUserEnvironment') { should eq 'no' }\n end\n 
end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204421.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204434.rb", "line": 1 }, - "id": "SV-204421" + "id": "SV-204434" }, { - "title": "The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to\n the system.", - "desc": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control\n Protocol (DCCP) kernel module is disabled unless required.", + "desc": "Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.", "descriptions": { - "default": "Failure to restrict system access to authenticated users negatively impacts operating system security.", - "check": "Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.\n Check for the value of the \"HostbasedAuthentication\" keyword with the following command:\n # grep -i hostbasedauthentication /etc/ssh/sshd_config\n HostbasedAuthentication no\n If the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"HostbasedAuthentication\" keyword and set the\n value to \"no\":\n HostbasedAuthentication no\n The SSH service must be restarted for changes to take effect." 
+ "default": "Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.", + "check": "Verify the operating system disables the ability to load the DCCP kernel module.\n # grep -r dccp /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n install dccp /bin/true\n If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the\n Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n Verify the operating system disables the ability to use the DCCP kernel module.\n Check to see if the DCCP kernel module is disabled with the following command:\n # grep -i dccp /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist dccp\n If the command does not return any output or the output is not \"blacklist dccp\", and use of the dccp kernel module\n is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a\n finding.", + "fix": "Configure the operating system to disable the ability to use the DCCP kernel module.\n Create a file under \"/etc/modprobe.d\" with the following command:\n # touch /etc/modprobe.d/dccp.conf\n Add the following line to the created file:\n install dccp /bin/true\n Ensure that the DCCP module is blacklisted:\n # vi /etc/modprobe.d/blacklist.conf\n Add or update the line:\n blacklist dccp" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86583", - "V-71959" + "V-77821", + "SV-92517" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00229", - "gid": "V-204435", - "rid": "SV-204435r877377_rule", - "stig_id": "RHEL-07-010470", - "fix_id": "F-4559r88498_fix", + "gtitle": "SRG-OS-000378-GPOS-00163", + "gid": "V-204450", + "rid": "SV-204450r853892_rule", + "stig_id": "RHEL-07-020101", + "fix_id": "F-4574r88543_fix", "cci": [ - "CCI-000366" + "CCI-001958" ], "nist": [ - "CM-6 b" + "IA-3" ], "subsystems": [ - "ssh" + "dccp", + "kernel_module" ], 
"host": null }, - "code": "control 'SV-204435' do\n title 'The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to\n the system.'\n desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'\n desc 'check', 'Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.\n Check for the value of the \"HostbasedAuthentication\" keyword with the following command:\n # grep -i hostbasedauthentication /etc/ssh/sshd_config\n HostbasedAuthentication no\n If the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"HostbasedAuthentication\" keyword and set the\n value to \"no\":\n HostbasedAuthentication no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86583', 'V-71959']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-204435'\n tag rid: 'SV-204435r877377_rule'\n tag stig_id: 'RHEL-07-010470'\n tag fix_id: 'F-4559r88498_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('HostbasedAuthentication') { should eq 'no' }\n end\n end\nend\n", + "code": "control 'SV-204450' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control\n Protocol (DCCP) kernel module is disabled unless required.'\n desc 'Disabling DCCP 
protects the system against exploitation of any flaws in the protocol implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the DCCP kernel module.\n # grep -r dccp /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n install dccp /bin/true\n If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the\n Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n Verify the operating system disables the ability to use the DCCP kernel module.\n Check to see if the DCCP kernel module is disabled with the following command:\n # grep -i dccp /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist dccp\n If the command does not return any output or the output is not \"blacklist dccp\", and use of the dccp kernel module\n is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a\n finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the DCCP kernel module.\n Create a file under \"/etc/modprobe.d\" with the following command:\n # touch /etc/modprobe.d/dccp.conf\n Add the following line to the created file:\n install dccp /bin/true\n Ensure that the DCCP module is blacklisted:\n # vi /etc/modprobe.d/blacklist.conf\n Add or update the line:\n blacklist dccp'\n impact 0.5\n tag legacy: ['V-77821', 'SV-92517']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000378-GPOS-00163'\n tag gid: 'V-204450'\n tag rid: 'SV-204450r853892_rule'\n tag stig_id: 'RHEL-07-020101'\n tag fix_id: 'F-4574r88543_fix'\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag subsystems: ['dccp', 'kernel_module']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n\n describe 
kernel_module('dccp') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204435.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204450.rb", "line": 1 }, - "id": "SV-204435" + "id": "SV-204450" }, { - "title": "The Red Hat Enterprise Linux operating system must remove all software components after updated versions\n have been installed.", - "desc": "Previous versions of software components that are not removed from the information system after updates have\n been installed may be exploited by adversaries. Some information technology products may remove older versions of\n software automatically from the information system.", + "title": "The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.", + "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", "descriptions": { - "default": "Previous versions of software components that are not removed from the information system after updates have\n been installed may be exploited by adversaries. 
Some information technology products may remove older versions of\n software automatically from the information system.", - "check": "Verify the operating system removes all software components after updated versions have been\n installed.\n Check if yum is configured to remove unneeded packages with the following command:\n # grep -i clean_requirements_on_remove /etc/yum.conf\n clean_requirements_on_remove=1\n If \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a\n finding.", - "fix": "Configure the operating system to remove all software components after updated versions have been\n installed.\n Set the \"clean_requirements_on_remove\" option to \"1\" in the \"/etc/yum.conf\" file:\n clean_requirements_on_remove=1" + "default": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", + "check": "Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.", + "fix": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "V-71987", - "SV-86611" + "severity": "medium", + "gtitle": "SRG-OS-000373-GPOS-00156", + "satisfies": [ + "SRG-OS-000373-GPOS-00156", + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00158" ], - "severity": "low", - "gtitle": "SRG-OS-000437-GPOS-00194", - "gid": "V-204452", - "rid": "SV-204452r853894_rule", - "stig_id": "RHEL-07-020200", - "fix_id": "F-4576r88549_fix", + "gid": "V-251704", + "rid": "SV-251704r854012_rule", + "stig_id": "RHEL-07-010344", + "fix_id": "F-55095r854011_fix", "cci": [ - "CCI-002617" + "CCI-002038" ], + "legacy": [], "nist": [ - "SI-2 (6)" + "IA-11" ], "subsystems": [ - "yum" - ], - "host": null, - "container": null - }, - "code": "control 'SV-204452' do\n title 'The Red Hat Enterprise Linux operating system must remove all software components after updated versions\n have been installed.'\n desc 'Previous versions of software components that are not removed from the information system after updates have\n been installed may be exploited by adversaries. 
Some information technology products may remove older versions of\n software automatically from the information system.'\n desc 'check', 'Verify the operating system removes all software components after updated versions have been\n installed.\n Check if yum is configured to remove unneeded packages with the following command:\n # grep -i clean_requirements_on_remove /etc/yum.conf\n clean_requirements_on_remove=1\n If \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a\n finding.'\n desc 'fix', 'Configure the operating system to remove all software components after updated versions have been\n installed.\n Set the \"clean_requirements_on_remove\" option to \"1\" in the \"/etc/yum.conf\" file:\n clean_requirements_on_remove=1'\n impact 0.3\n tag legacy: ['V-71987', 'SV-86611']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000437-GPOS-00194'\n tag gid: 'V-204452'\n tag rid: 'SV-204452r853894_rule'\n tag stig_id: 'RHEL-07-020200'\n tag fix_id: 'F-4576r88549_fix'\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n tag subsystems: ['yum']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/yum.conf') do\n its('main.clean_requirements_on_remove') { should match(/1|True|yes/i) }\n end\nend\n", - "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204452.rb", - "line": 1 - }, - "id": "SV-204452" - }, - { - "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.", - "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", - "descriptions": { - "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.", - "check": "For systems that use UEFI, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n# grep -iw \"superusers\" /boot/grub2/grub.cfg\n set superusers=\"[someuniquestringhere]\"\n export superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.", - "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg" - }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000080-GPOS-00048", - "satisfies": null, - "gid": "V-244557", - "rid": "SV-244557r833185_rule", - "stig_id": "RHEL-07-010483", - "fix_id": "F-47789r833184_fix", - "cci": [ - "CCI-000213" - ], - "legacy": [], - "nist": [ - "AC-3" - ], - "subsystems": [ - "grub" + "sudo" ], "host": null }, - "code": "control 'SV-244557' do\n title 'Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. 
Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.'\n desc 'check', 'For systems that use UEFI, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n# grep -iw \"superusers\" /boot/grub2/grub.cfg\n set superusers=\"[someuniquestringhere]\"\n export superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.'\n desc 'fix', 'Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag satisfies: nil\n tag gid: 'V-244557'\n tag rid: 'SV-244557r833185_rule'\n tag stig_id: 'RHEL-07-010483'\n tag fix_id: 'F-47789r833184_fix'\n tag cci: ['CCI-000213']\n tag legacy: []\n tag nist: ['AC-3']\n tag subsystems: ['grub']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n elsif os[:release] >= '7.2'\n options = {\n assignment_regex: /^\\s*(.*)=\\\"?([^\\\"]+)\\\"?$/\n }\n\n describe 
parse_config_file(input('grub_main_cfg'), options) do\n its('set superusers') { should_not be nil }\n its('set superusers') { should_not be_in users.usernames }\n end\n\n else\n impact 0.0\n describe 'System running version of RHEL prior to 7.2' do\n skip 'The System is running an outdated version of RHEL, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-251704' do\n title 'The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.'\n desc 'Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.'\n desc 'check', 'Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.'\n desc 'fix', 'Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-251704'\n tag rid: 'SV-251704r854012_rule'\n tag stig_id: 'RHEL-07-010344'\n tag fix_id: 'F-55095r854011_fix'\n tag cci: ['CCI-002038']\n tag legacy: []\n tag nist: ['IA-11']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 
'Control not applicable within a container without sudo enabled'\n end\n else\n describe parse_config_file('/etc/pam.d/sudo') do\n its('content') { should_not match /pam_succeed_if/ }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-244557.rb", + "ref": "./Red Hat 7 STIG/controls/SV-251704.rb", "line": 1 }, - "id": "SV-244557" + "id": "SV-251704" }, { - "title": "The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI\n authentication.", - "desc": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the\n number of repeating characters of the same character class must not be more than four characters.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", "descriptions": { - "default": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).", - "check": "Verify the operating system implements certificate status checking for PKI\nauthentication.\n\n Check to see if Online Certificate Status Protocol (OCSP) is enabled on the\nsystem with the following command:\n\n # grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v \"^#\"\n\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n\n There should be at least three lines returned.\n\n If \"ocsp_on\" is not present in all uncommented \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding.", - "fix": "Configure the operating system to do certificate status checking for PKI\nauthentication.\n\n Modify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." + "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "check": "The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the\n same class in the new password.\n Check for the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n $ sudo grep maxclassrepeat /etc/security/pwquality.conf\n maxclassrepeat = 4\n If the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.", + "fix": "Configure the operating system to require the change of the number of repeating characters of the same\n character class when passwords are changed by setting the \"maxclassrepeat\" option.\n Add the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n maxclassrepeat = 4" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72433", - "SV-87057" + "SV-86541", + "V-71917" ], "severity": "medium", - "gtitle": "SRG-OS-000375-GPOS-00160", - "satisfies": [ - "SRG-OS-000375-GPOS-00160", - "SRG-OS-000375-GPOS-00161", - "SRG-OS-000375-GPOS-00162" - ], - "gid": "V-204633", - "rid": "SV-204633r853999_rule", - "stig_id": "RHEL-07-041003", - "fix_id": "F-4757r89092_fix", + "gtitle": "SRG-OS-000072-GPOS-00040", + "gid": "V-204414", + "rid": "SV-204414r809186_rule", + "stig_id": "RHEL-07-010190", + "fix_id": "F-4538r88435_fix", "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" + "CCI-000195" ], "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" + "IA-5 (1) (b)" ], "subsystems": [ - "pam_pkcs11", - "pam", - "pkcs11" + "pwquality", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204633' do\n title 'The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI\n authentication.'\n desc \"Using an authentication device, such as a CAC or 
token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).\"\n desc 'check', 'Verify the operating system implements certificate status checking for PKI\nauthentication.\n\n Check to see if Online Certificate Status Protocol (OCSP) is enabled on the\nsystem with the following command:\n\n # grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v \"^#\"\n\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n\n There should be at least three lines returned.\n\n If \"ocsp_on\" is not present in all uncommented \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding.'\n desc 'fix', 'Configure the operating system to do certificate status checking for PKI\nauthentication.\n\n Modify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\".'\n impact 0.5\n tag legacy: ['V-72433', 'SV-87057']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000375-GPOS-00161', 'SRG-OS-000375-GPOS-00162']\n tag gid: 'V-204633'\n tag rid: 'SV-204633r853999_rule'\n tag stig_id: 'RHEL-07-041003'\n tag fix_id: 'F-4757r89092_fix'\n tag cci: ['CCI-001948', 'CCI-001953', 'CCI-001954']\n tag nist: ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)']\n tag subsystems: ['pam_pkcs11', 'pam', 'pkcs11']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n smart_card_status = input('smart_card_status')\n\n if smart_card_status.eql?('enabled')\n impact 0.5\n if (pam_file = file('/etc/pam_pkcs11/pam_pkcs11.conf')).exist?\n cert_policy_lines = if pam_file.content.nil?\n []\n else\n pam_file.content.lines.grep(/^(?!.+#).*cert_policy/i)\n end\n if cert_policy_lines.length < 3\n describe 'should contain at least 3 cert policy lines' do\n 
subject { cert_policy_lines.length }\n it { should >= 3 }\n end\n else\n describe 'each cert policy line should include oscp_on' do\n cert_policy_lines.each do |line|\n subject { line }\n it { should match(/ocsp_on/i) }\n end\n end\n end\n else\n describe pam_file do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system is not smartcard enabled' do\n skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'\n end\n end\n end\nend\n", + "code": "control 'SV-204414' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the\n number of repeating characters of the same character class must not be more than four characters.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', 'The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the\n same class in the new password.\n Check for the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n $ sudo grep maxclassrepeat /etc/security/pwquality.conf\n maxclassrepeat = 4\n If the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of the number of repeating characters of the same\n character class when passwords are changed by setting the \"maxclassrepeat\" option.\n Add the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n maxclassrepeat = 4'\n impact 0.5\n tag legacy: ['SV-86541', 'V-71917']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-204414'\n tag rid: 'SV-204414r809186_rule'\n tag stig_id: 'RHEL-07-010190'\n tag fix_id: 'F-4538r88435_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('maxclassrepeat') { should_not cmp > input('max_classrepeat') }\n its('maxclassrepeat') { should_not cmp <= 0 }\n its('maxclassrepeat') { should_not be_nil }\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204633.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204414.rb",
 "line": 1
 },
- "id": "SV-204633"
+ "id": "SV-204414"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.",
- "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the 
organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) communications.", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/newgrp\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", + "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n To determine if LDAP is being used for authentication, use the following command:\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n If the \"sssd.service\" is \"active\", 
then LDAP is being used.\n Determine the \"id_provider\" that the LDAP is currently using:\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n id_provider = ad\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n Check the path to the X.509 certificate for peer authentication with the following command:\n # grep -i tls_cacert /etc/sssd/sssd.conf\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt\n Verify the \"ldap_tls_cacert\" option points to a file that contains the trusted CA certificate.\n If this file does not exist, or the option is commented out or missing, this is a finding.",
+ "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote\n access sessions.\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt"
 },
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72165",
- "SV-86789"
+ "SV-86855",
+ "V-72231"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000037-GPOS-00015",
- "satisfies": [
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215"
- ],
- "gid": "V-204550",
- "rid": "SV-204550r861047_rule",
- "stig_id": "RHEL-07-030710",
- "fix_id": "F-4674r861046_fix",
+ "gtitle": "SRG-OS-000250-GPOS-00093",
+ "gid": "V-204583",
+ "rid": "SV-204583r877394_rule",
+ "stig_id": "RHEL-07-040200",
+ "fix_id": "F-4707r88942_fix",
 "cci": [
- "CCI-000130",
- "CCI-000135",
- "CCI-000172",
- "CCI-002884"
+ "CCI-001453"
 ],
 "nist": [
- "AU-3",
- "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)",
- "AU-3 a"
+ "AC-17 (2)"
 ],
 "subsystems": [
- "audit",
- "auditd",
- "audit_rule"
+ "sssd",
+ "ldap"
 ],
 "host": null
 },
- "code": "control 'SV-204550' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain 
enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/newgrp\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72165', 'SV-86789']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204550'\n tag rid: 'SV-204550r861047_rule'\n tag stig_id: 'RHEL-07-030710'\n tag fix_id: 'F-4674r861046_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 
'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/newgrp'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", + "code": "control 'SV-204583' do\n title 'The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) communications.'\n desc 'Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.'\n desc 'check', 'If LDAP is not being utilized, this requirement is Not Applicable.\n Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n To determine if LDAP is being used for authentication, use the following command:\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n If the \"sssd.service\" is \"active\", then 
LDAP is being used.\n Determine the \"id_provider\" that the LDAP is currently using:\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n id_provider = ad\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n Check the path to the X.509 certificate for peer authentication with the following command:\n # grep -i tls_cacert /etc/sssd/sssd.conf\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt\n Verify the \"ldap_tls_cacert\" option points to a file that contains the trusted CA certificate.\n If this file does not exist, or the option is commented out or missing, this is a finding.'\n desc 'fix', 'Configure the operating system to implement cryptography to protect the integrity of LDAP remote\n access sessions.\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt'\n impact 0.5\n tag legacy: ['SV-86855', 'V-72231']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag gid: 'V-204583'\n tag rid: 'SV-204583r877394_rule'\n tag stig_id: 'RHEL-07-040200'\n tag fix_id: 'F-4707r88942_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag subsystems: ['sssd', 'ldap']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n\n sssd_id_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*id_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n sssd_ldap_enabled = (package('sssd').installed? 
and\n !command('grep \"^\\s*[a-z]*_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n pam_ldap_enabled = !command('grep \"^[^#]*pam_ldap\\.so\" /etc/pam.d/*').stdout.strip.empty?\n\n unless sssd_id_ldap_enabled or sssd_ldap_enabled or pam_ldap_enabled\n impact 0.0\n describe 'LDAP not enabled' do\n skip 'LDAP not enabled using any known mechanisms, this control is Not Applicable.'\n end\n end\n\n if sssd_id_ldap_enabled\n ldap_id_use_start_tls = command('grep ldap_id_use_start_tls /etc/sssd/sssd.conf')\n describe ldap_id_use_start_tls do\n its('stdout.strip') do\n should match(/^ldap_id_use_start_tls\\s*=\\s*true$/)\n end\n end\n\n ldap_id_use_start_tls.stdout.strip.each_line do |line|\n describe line do\n it { should match(/^ldap_id_use_start_tls\\s*=\\s*true$/) }\n end\n end\n end\n\n if sssd_ldap_enabled\n ldap_tls_cacert = command('grep -i ldap_tls_cacert /etc/sssd/sssd.conf')\n .stdout.strip.scan(/^ldap_tls_cacert\\s*=\\s*(.*)/).last\n\n describe 'ldap_tls_cacert' do\n subject { ldap_tls_cacert }\n it { should_not eq nil }\n end\n\n unless ldap_tls_cacert.nil?\n describe file(ldap_tls_cacert.last) do\n it { should exist }\n it { should be_file }\n end\n end\n end\n\n if pam_ldap_enabled\n tls_cacertfile = command('grep -i tls_cacertfile /etc/pam_ldap.conf')\n .stdout.strip.scan(/^tls_cacertfile\\s+(.*)/).last\n\n describe 'tls_cacertfile' do\n subject { tls_cacertfile }\n it { should_not eq nil }\n end\n\n unless tls_cacertfile.nil?\n describe file(tls_cacertfile.last) do\n it { should exist }\n it { should be_file }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204550.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204583.rb", "line": 1 }, - "id": "SV-204550" + "id": "SV-204583" }, { "title": "The Red Hat Enterprise Linux operating system must specify the default \"include\" directory for the /etc/sudoers file.", 
@@ -1719,559 +1653,549 @@ "id": "SV-251703" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only\n encrypted representations of passwords.", - "desc": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", + "title": "The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.", + "desc": "Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.", "descriptions": { - "default": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", - "check": "Verify the system's shadow file is configured to store only encrypted representations of passwords.\n The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n Check that the system is configured to create SHA512 hashed passwords with the following command:\n # grep -i encrypt /etc/login.defs\n ENCRYPT_METHOD SHA512\n If the \"/etc/login.defs\" configuration file does not exist or allows for password hashes other than SHA512 to be\n used, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n Add or update the following line in \"/etc/login.defs\":\n ENCRYPT_METHOD SHA512" + "default": "Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. 
Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.", + "check": "Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in\n conjunction with SELinux.\n Verify the operating system verifies correct operation of all security functions.\n Check if \"SELinux\" is active and is enforcing the targeted policy with the following command:\n # sestatus\n SELinux status: enabled\n SELinuxfs mount: /selinux\n SELinux root directory: /etc/selinux\n Loaded policy name: targeted\n Current mode: enforcing\n Mode from config file: enforcing\n Policy MLS status: enabled\n Policy deny_unknown status: allowed\n Max kernel policy version: 28\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n Verify that the /etc/selinux/config file is configured to the \"SELINUXTYPE\" to \"targeted\":\n # grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n SELINUXTYPE = targeted\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\", this is a finding.", + "fix": "Configure the operating system to verify correct operation of all security functions.\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the \"/etc/selinux/config\" file to have the following\n line:\n SELINUXTYPE=targeted\n A reboot is required for the changes to take effect." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-71921",
- "SV-86545"
+ "V-71991",
+ "SV-86615"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000073-GPOS-00041",
- "gid": "V-204416",
- "rid": "SV-204416r877397_rule",
- "stig_id": "RHEL-07-010210",
- "fix_id": "F-4540r88441_fix",
+ "gtitle": "SRG-OS-000445-GPOS-00199",
+ "gid": "V-204454",
+ "rid": "SV-204454r853896_rule",
+ "stig_id": "RHEL-07-020220",
+ "fix_id": "F-36307r602631_fix",
 "cci": [
- "CCI-000196"
+ "CCI-002165",
+ "CCI-002696"
 ],
 "nist": [
- "IA-5 (1) (c)"
+ "AC-3 (4)",
+ "SI-6 a"
 ],
 "subsystems": [
- "login_defs",
- "password"
+ "selinux"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-204416' do\n title 'The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only\n encrypted representations of passwords.'\n desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.'\n desc 'check', %q(Verify the system's shadow file is configured to store only encrypted representations of passwords.\n The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n Check that the system is configured to create SHA512 hashed passwords with the following command:\n # grep -i encrypt /etc/login.defs\n ENCRYPT_METHOD SHA512\n If the \"/etc/login.defs\" configuration file does not exist or allows for password hashes other than SHA512 to be\n used, this is a finding.)\n desc 'fix', 'Configure the operating system to store only SHA512 encrypted representations of passwords.\n Add or update the following line in \"/etc/login.defs\":\n ENCRYPT_METHOD SHA512'\n impact 0.5\n tag legacy: ['V-71921', 'SV-86545']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-204416'\n tag rid: 'SV-204416r877397_rule'\n tag stig_id: 'RHEL-07-010210'\n tag fix_id: 'F-4540r88441_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag subsystems: ['login_defs', 'password']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('ENCRYPT_METHOD') { should cmp 'SHA512' }\n end\nend\n", + "code": "control 'SV-204454' do\n title 'The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.'\n desc 'Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. 
Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.'\n desc 'check', %q(Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in\n conjunction with SELinux.\n Verify the operating system verifies correct operation of all security functions.\n Check if \"SELinux\" is active and is enforcing the targeted policy with the following command:\n # sestatus\n SELinux status: enabled\n SELinuxfs mount: /selinux\n SELinux root directory: /etc/selinux\n Loaded policy name: targeted\n Current mode: enforcing\n Mode from config file: enforcing\n Policy MLS status: enabled\n Policy deny_unknown status: allowed\n Max kernel policy version: 28\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n Verify that the /etc/selinux/config file is configured to the \"SELINUXTYPE\" to \"targeted\":\n # grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n SELINUXTYPE = targeted\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\", this is a finding.)\n desc 'fix', 'Configure the operating system to verify correct operation of all security functions.\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the \"/etc/selinux/config\" file to have the following\n line:\n SELINUXTYPE=targeted\n A reboot is required for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-71991', 'SV-86615']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag gid: 'V-204454'\n tag rid: 'SV-204454r853896_rule'\n tag stig_id: 'RHEL-07-020220'\n tag fix_id: 'F-36307r602631_fix'\n tag cci: ['CCI-002165', 'CCI-002696']\n tag nist: ['AC-3 (4)', 
'SI-6 a']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SELinux settings must be handled on host' do\n skip 'Control not applicable - SELinux settings must be handled on host'\n end\n else\n describe command('sestatus') do\n its('stdout') { should match(/^Loaded\\spolicy\\sname:\\s+targeted\\n?$/) }\n end\n describe parse_config_file('/etc/selinux/config') do\n its('SELINUXTYPE') { should eq 'targeted' }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204416.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204454.rb",
 "line": 1
 },
- "id": "SV-204416"
+ "id": "SV-204454"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.",
- "desc": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.",
+ "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/security/opasswd.",
+ "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).",
 "descriptions": {
- "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).",
- "check": "Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nVerify the operating system disables the ability to automount devices in a graphical user interface.\n\nNote: The example below is using the database 
\"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\nCheck to see if automounter service is disabled with the following commands:\n# cat /etc/dconf/db/local.d/00-No-Automount\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nIf the output does not match the example above, this is a finding.\n\n# cat /etc/dconf/db/local.d/locks/00-No-Automount\n\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nIf the output does not match the example, this is a finding.", - "fix": "Configure the graphical user interface to disable the ability to automount devices.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\nCreate or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nCreate or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nRun the following command to update the database:\n\n# dconf update" + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "check": "Verify the operating system must generate audit records for all account creations, 
modifications,\n disabling, and termination events that affect /etc/security/opasswd.\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/security/opasswd /etc/audit/audit.rules\n -w /etc/security/opasswd -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.",
+ "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/security/opasswd.\n Add or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/security/opasswd -p wa -k identity\n The audit daemon must be restarted for the changes to take effect:\n # systemctl restart auditd"
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "severity": "medium",
- "gtitle": "SRG-OS-000114-GPOS-00059",
- "satisfies": [
- "SRG-OS-000114-GPOS-00059",
- "SRG-OS-000378-GPOS-00163",
- "SRG-OS-000480-GPOS-00227"
+ "legacy": [
+ "SV-87825",
+ "V-73173"
 ],
- "gid": "V-219059",
- "rid": "SV-219059r854002_rule",
- "stig_id": "RHEL-07-020111",
- "fix_id": "F-36318r602663_fix",
+ "severity": "medium",
+ "gtitle": "SRG-OS-000004-GPOS-00004",
+ "gid": "V-204568",
+ "rid": "SV-204568r853982_rule",
+ "stig_id": "RHEL-07-030874",
+ "fix_id": "F-4692r744114_fix",
 "cci": [
- "CCI-000366",
- "CCI-000778",
- "CCI-001958"
- ],
- "legacy": [
- "V-100023",
- "SV-109127"
+ "CCI-000018",
+ "CCI-000172",
+ "CCI-001403",
+ "CCI-002130"
 ],
 "nist": [
- "CM-6 b",
- "IA-3"
+ "AC-2 (4)",
+ "AU-12 c",
+ "AC-2 (4)",
+ "AC-2 (4)"
 ],
 "subsystems": [
- "gui",
- "automount"
+ "audit",
+ "auditd",
+ "audit_rule"
 ],
 "host": null
 },
- "code": "control 'SV-219059' do\n title 'The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.'\n desc 'Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.'\n desc 
'check', 'Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nVerify the operating system disables the ability to automount devices in a graphical user interface.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\nCheck to see if automounter service is disabled with the following commands:\n# cat /etc/dconf/db/local.d/00-No-Automount\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nIf the output does not match the example above, this is a finding.\n\n# cat /etc/dconf/db/local.d/locks/00-No-Automount\n\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nIf the output does not match the example, this is a finding.'\n desc 'fix', 'Configure the graphical user interface to disable the ability to automount devices.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\nCreate or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nCreate or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nRun the following command to update the database:\n\n# dconf update'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag satisfies: ['SRG-OS-000114-GPOS-00059', 'SRG-OS-000378-GPOS-00163', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-219059'\n tag rid: 'SV-219059r854002_rule'\n tag stig_id: 'RHEL-07-020111'\n tag fix_id: 'F-36318r602663_fix'\n tag cci: ['CCI-000366', 'CCI-000778', 'CCI-001958']\n tag legacy: ['V-100023', 'SV-109127']\n tag nist: ['CM-6 b', 'IA-3']\n tag subsystems: ['gui', 'automount']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n options = {\n assignment_regex: /^\\s*([^=]*?)\\s*=\\s*(.*?)\\s*$/\n }\n\n describe parse_config_file(input('automount_config'), options) do\n its('automount') { should cmp 'false' }\n its('automount-open') { should cmp 'false' }\n its('autorun-never') { should cmp 'true' }\n end\n describe file(input('automount_locks_config')) do\n its('content') { should match /automount$/ }\n its('content') { should match /automount-open$/ }\n its('content') { should match /autorun-never$/ }\n end\n\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-204568' do\n 
title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/security/opasswd.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/security/opasswd.\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/security/opasswd /etc/audit/audit.rules\n -w /etc/security/opasswd -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/security/opasswd.\n Add or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/security/opasswd -p wa -k identity\n The audit daemon must be restarted for the changes to take effect:\n # systemctl restart auditd'\n impact 0.5\n tag legacy: ['SV-87825', 'V-73173']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag gid: 'V-204568'\n tag rid: 'SV-204568r853982_rule'\n tag stig_id: 'RHEL-07-030874'\n tag fix_id: 'F-4692r744114_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/security/opasswd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 
'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-219059.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204568.rb", "line": 1 }, - "id": "SV-219059" + "id": "SV-204568" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the\n number of repeating consecutive characters must not be more than three characters.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "title": "The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.", + "desc": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by\n unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern\n and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to\n detect such misuse and identify the risk from insider threats and the advanced persistent threat.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", - "check": "The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new\n password.\n Check for the value of the \"maxrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep maxrepeat /etc/security/pwquality.conf\n maxrepeat = 3\n If the value of \"maxrepeat\" is set to more than \"3\", this is a finding.", - "fix": "Configure the operating system to require the change of the number of repeating consecutive characters\n when passwords are changed by setting the \"maxrepeat\" option.\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n maxrepeat = 3" + "default": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by\n unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern\n and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to\n detect such misuse and identify the risk from insider threats and the advanced persistent threat.", + "check": "Verify the operating system audits the execution of privileged functions using the following\n command:\n # grep -iw execve /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n If both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n If both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.", + "fix": "Configure the operating system to audit the execution of privileged functions.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n The audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86539", - "V-71915" + "V-72095", + "SV-86719" ], "severity": "medium", - "gtitle": "SRG-OS-000072-GPOS-00040", - "gid": "V-204413", - "rid": "SV-204413r603261_rule", - "stig_id": "RHEL-07-010180", - "fix_id": "F-4537r88432_fix", + "gtitle": "SRG-OS-000327-GPOS-00127", + "gid": "V-204516", + "rid": "SV-204516r853914_rule", + "stig_id": "RHEL-07-030360", + "fix_id": "F-4640r88741_fix", "cci": [ - "CCI-000195" + "CCI-002234" ], "nist": [ - "IA-5 (1) (b)" + "AC-6 (9)" ], "subsystems": [ - "pwquality", - "password" + "audit", + "auditd", + "audit_rule" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204413' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the\n number of repeating consecutive characters must not be more than three characters.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', 'The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new\n password.\n Check for the value of the \"maxrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep maxrepeat /etc/security/pwquality.conf\n maxrepeat = 3\n If the value of \"maxrepeat\" is set to more than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of the number of repeating consecutive characters\n when passwords are changed by setting the \"maxrepeat\" option.\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n maxrepeat = 3'\n impact 0.5\n tag legacy: ['SV-86539', 'V-71915']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-204413'\n tag rid: 'SV-204413r603261_rule'\n tag stig_id: 'RHEL-07-010180'\n tag fix_id: 'F-4537r88432_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('maxrepeat') { should cmp <= input('passwd_repeats') }\n end\nend\n", + "code": "control 'SV-204516' do\n title 'The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.'\n desc 'Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by\n unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern\n and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to\n detect such misuse and identify the risk from insider threats and the advanced persistent threat.'\n desc 'check', 'Verify the operating system audits the execution of privileged functions using the following\n command:\n # grep -iw execve /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n If both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n If both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.'\n desc 'fix', 'Configure the operating system to audit the execution of privileged functions.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72095', 'SV-86719']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000327-GPOS-00127'\n tag gid: 'V-204516'\n tag rid: 'SV-204516r853914_rule'\n tag stig_id: 'RHEL-07-030360'\n tag fix_id: 'F-4640r88741_fix'\n tag cci: ['CCI-002234']\n tag nist: ['AC-6 (9)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['execve']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do 
|audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('uid!=euid', 'gid!=egid', 'euid=0', 'egid=0')\n expect(audit_rule.key.uniq).to include('setuid', 'setgid')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204413.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204516.rb", "line": 1 }, - "id": "SV-204413" + "id": "SV-204516" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to\n only use the SSHv2 protocol.", + "desc": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits.\n Exploits of the SSH daemon could provide immediate root access to the system.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/gpasswd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits.\n Exploits of the SSH daemon could provide immediate root access to the system.", + "check": "Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n If the release is 7.4 or newer this requirement is Not Applicable.\n Verify the SSH daemon is configured to only use the SSHv2 protocol.\n Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n # grep -i protocol /etc/ssh/sshd_config\n Protocol 2\n #Protocol 1,2\n If any protocol line other than \"Protocol 2\" is uncommented, this is a finding.", + "fix": "Remove all Protocol lines that reference version \"1\" in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The\n \"Protocol\" line must be as follows:\n Protocol 2\n The SSH service must be restarted for changes to take effect." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86777", - "V-72153" + "SV-86875", + "V-72251" ], - "severity": "medium", - "gtitle": "SRG-OS-000042-GPOS-00020", + "severity": "high", + "gtitle": "SRG-OS-000074-GPOS-00042", "satisfies": [ - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000074-GPOS-00042", + "SRG-OS-000480-GPOS-00227" ], - "gid": "V-204544", - "rid": "SV-204544r861032_rule", - "stig_id": "RHEL-07-030650", - "fix_id": "F-4668r861031_fix", + "gid": "V-204594", + "rid": "SV-204594r877396_rule", + "stig_id": "RHEL-07-040390", + "fix_id": "F-4718r88975_fix", "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" + "CCI-000197", + "CCI-000366" ], "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "IA-5 (1) (c)", + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "ssh" ], "host": null }, - "code": "control 'SV-204544' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/gpasswd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86777', 'V-72153']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204544'\n tag rid: 'SV-204544r861032_rule'\n tag stig_id: 'RHEL-07-030650'\n tag fix_id: 'F-4668r861031_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/gpasswd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to 
include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", + "code": "control 'SV-204594' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to\n only use the SSHv2 protocol.'\n desc 'SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits.\n Exploits of the SSH daemon could provide immediate root access to the system.'\n desc 'check', 'Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n If the release is 7.4 or newer this requirement is Not Applicable.\n Verify the SSH daemon is configured to only use the SSHv2 protocol.\n Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n # grep -i protocol /etc/ssh/sshd_config\n Protocol 2\n #Protocol 1,2\n If any protocol line other than \"Protocol 2\" is uncommented, this is a finding.'\n desc 'fix', 'Remove all Protocol lines that reference version \"1\" in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
The\n \"Protocol\" line must be as follows:\n Protocol 2\n The SSH service must be restarted for changes to take effect.'\n impact 0.7\n tag legacy: ['SV-86875', 'V-72251']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000074-GPOS-00042'\n tag satisfies: ['SRG-OS-000074-GPOS-00042', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-204594'\n tag rid: 'SV-204594r877396_rule'\n tag stig_id: 'RHEL-07-040390'\n tag fix_id: 'F-4718r88975_fix'\n tag cci: ['CCI-000197', 'CCI-000366']\n tag nist: ['IA-5 (1) (c)', 'CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif os.release.to_f >= 7.4\n\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip 'The release is newer than 7.4; this control is Not Applicable.'\n end\n else\n describe sshd_config do\n its('Protocol') { should cmp '2' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204544.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204594.rb", "line": 1 }, - "id": "SV-204544" + "id": "SV-204594" }, { - "title": "The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and\n maintenance modes.", - "desc": "If the system does not require valid root authentication before it boots into single-user or maintenance\n mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for\n local interactive users are be group-owned by the users primary group or root.", + "desc": "Local initialization files for interactive users are used to configure the user's shell environment upon\n logon. 
Malicious modification of these files could compromise accounts upon logon.", "descriptions": { - "default": "If the system does not require valid root authentication before it boots into single-user or maintenance\n mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.", - "check": "Verify the operating system must require authentication upon booting into single-user and\n maintenance modes.\n Check that the operating system requires authentication upon booting into single-user mode with the following\n command:\n # grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"\n If \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a finding.", - "fix": "Configure the operating system to require authentication upon booting into single-user and maintenance\n modes.\n Add or modify the \"ExecStart\" line in \"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\":\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"" + "default": "Local initialization files for interactive users are used to configure the user's shell environment upon\n logon. 
Malicious modification of these files could compromise accounts upon logon.", + "check": "Verify the local initialization files of all local interactive users are group-owned by that user's\n primary Group Identifier (GID).\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: The example will be for the smithj user, who has a home directory of \"/home/smithj\" and a primary group of\n \"users\".\n # awk -F: '($4>=1000)&&($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd\n smithj 1000 /home/smithj\n # grep 1000 /etc/group\n users:x:1000:smithj,jonesj,jacksons\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n Check the group owner of all local interactive user's initialization files with the following command:\n # ls -al /home/smithj/.[^.]* | more\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a\n finding.", + "fix": "Change the group owner of a local interactive user's files to the group found in \"/etc/passwd\" for the\n user. 
To change the group owner of a local interactive user's home directory, use the following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\", and has a primary group\n of users.\n # chgrp users /home/smithj/.[^.]*" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-77823", - "SV-92519" + "V-72031", + "SV-86655" ], "severity": "medium", - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-204437", - "rid": "SV-204437r603261_rule", - "stig_id": "RHEL-07-010481", - "fix_id": "F-4561r88504_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204475", + "rid": "SV-204475r603836_rule", + "stig_id": "RHEL-07-020700", + "fix_id": "F-4599r88618_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3" + "CM-6 b" ], "subsystems": [ - "root", - "sulogin" + "init_files" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204437' do\n title 'The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and\n maintenance modes.'\n desc 'If the system does not require valid root authentication before it boots into single-user or maintenance\n mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.'\n desc 'check', 'Verify the operating system must require authentication upon booting into single-user and\n maintenance modes.\n Check that the operating system requires authentication upon booting into single-user mode with the following\n command:\n # grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"\n If \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a finding.'\n desc 'fix', 'Configure the operating system to require authentication upon booting into single-user and maintenance\n modes.\n Add or modify the \"ExecStart\" line in 
\"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\":\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"'\n impact 0.5\n tag legacy: ['V-77823', 'SV-92519']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-204437'\n tag rid: 'SV-204437r603261_rule'\n tag stig_id: 'RHEL-07-010481'\n tag fix_id: 'F-4561r88504_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag subsystems: ['root', 'sulogin']\n tag 'host'\n tag 'container'\n\n describe command('grep -i execstart /usr/lib/systemd/system/rescue.service') do\n its('stdout.strip') { should match %r{/usr/sbin/sulogin} }\n end\nend\n", + "code": "control 'SV-204475' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for\n local interactive users are be group-owned by the users primary group or root.'\n desc \"Local initialization files for interactive users are used to configure the user's shell environment upon\n logon. Malicious modification of these files could compromise accounts upon logon.\"\n desc 'check', %q(Verify the local initialization files of all local interactive users are group-owned by that user's\n primary Group Identifier (GID).\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: The example will be for the smithj user, who has a home directory of \"/home/smithj\" and a primary group of\n \"users\".\n # awk -F: '($4>=1000)&&($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd\n smithj 1000 /home/smithj\n # grep 1000 /etc/group\n users:x:1000:smithj,jonesj,jacksons\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n Check the group owner of all local interactive user's initialization files with the following command:\n # ls -al /home/smithj/.[^.]* | more\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a\n finding.)\n desc 'fix', %q(Change the group owner of a local interactive user's files to the group found in \"/etc/passwd\" for the\n user. To change the group owner of a local interactive user's home directory, use the following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\", and has a primary group\n of users.\n # chgrp users /home/smithj/.[^.]*)\n impact 0.5\n tag legacy: ['V-72031', 'SV-86655']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204475'\n tag rid: 'SV-204475r603836_rule'\n tag stig_id: 'RHEL-07-020700'\n tag fix_id: 'F-4599r88618_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n findings += command(\"find #{user_info.home} -name '.*' -not -gid #{user_info.gid} -not -group root\").stdout.split(\"\\n\")\n end\n describe findings do\n its('length') { should == 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 
STIG/controls/SV-204437.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204475.rb",
 "line": 1
 },
- "id": "SV-204437"
+ "id": "SV-204475"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.",
- "desc": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by\n unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern\n and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to\n detect such misuse and identify the risk from insider threats and the advanced persistent threat.",
+ "title": "The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to\n the system.",
+ "desc": "Failure to restrict system access to authenticated users negatively impacts operating system security.",
 "descriptions": {
- "default": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by\n unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern\n and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to\n detect such misuse and identify the risk from insider threats and the advanced persistent threat.", - "check": "Verify the operating system audits the execution of privileged functions using the following\n command:\n # grep -iw execve /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n If both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n If both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.", - "fix": "Configure the operating system to audit the execution of privileged functions.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "check": "Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.\n Check for the value of the \"HostbasedAuthentication\" keyword with the following command:\n # grep -i hostbasedauthentication /etc/ssh/sshd_config\n HostbasedAuthentication no\n If the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.", + "fix": "Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"HostbasedAuthentication\" keyword and set the\n value to \"no\":\n HostbasedAuthentication no\n The SSH service must be restarted for changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72095", - "SV-86719" + "SV-86583", + "V-71959" ], "severity": "medium", - "gtitle": "SRG-OS-000327-GPOS-00127", - "gid": "V-204516", - "rid": "SV-204516r853914_rule", - "stig_id": "RHEL-07-030360", - "fix_id": "F-4640r88741_fix", + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-204435", + "rid": "SV-204435r877377_rule", + "stig_id": "RHEL-07-010470", + "fix_id": "F-4559r88498_fix", "cci": [ - "CCI-002234" + "CCI-000366" ], "nist": [ - "AC-6 (9)" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "ssh" ], "host": null }, - "code": "control 'SV-204516' do\n title 'The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.'\n desc 'Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by\n unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern\n and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to\n detect such misuse and identify the risk from insider threats and the advanced persistent threat.'\n desc 'check', 'Verify the operating system audits the execution of privileged functions using the following\n command:\n # grep -iw execve /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n If both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n If both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.'\n desc 'fix', 'Configure the operating system to audit the execution of privileged functions.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72095', 'SV-86719']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000327-GPOS-00127'\n tag gid: 'V-204516'\n tag rid: 'SV-204516r853914_rule'\n tag stig_id: 'RHEL-07-030360'\n tag fix_id: 'F-4640r88741_fix'\n tag cci: ['CCI-002234']\n tag nist: ['AC-6 (9)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['execve']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do 
|audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('uid!=euid', 'gid!=egid', 'euid=0', 'egid=0')\n expect(audit_rule.key.uniq).to include('setuid', 'setgid')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204435' do\n title 'The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to\n the system.'\n desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'\n desc 'check', 'Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.\n Check for the value of the \"HostbasedAuthentication\" keyword with the following command:\n # grep -i hostbasedauthentication /etc/ssh/sshd_config\n HostbasedAuthentication no\n If the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"HostbasedAuthentication\" keyword and set the\n value to \"no\":\n HostbasedAuthentication no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86583', 'V-71959']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-204435'\n tag rid: 'SV-204435r877377_rule'\n tag stig_id: 'RHEL-07-010470'\n tag fix_id: 'F-4559r88498_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && 
!file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('HostbasedAuthentication') { should eq 'no' }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204516.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204435.rb",
 "line": 1
 },
- "id": "SV-204516"
+ "id": "SV-204435"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a\n valid owner.",
- "desc": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.",
+ "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent\n Banner before granting local or remote access to the system via a graphical user logon.",
+ "desc": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", "descriptions": { - "default": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.", - "check": "Verify all files and directories on the system have a valid owner.\n Check the owner of all files and directories with the following command:\n Note: The value after -fstype must be replaced with the filesystem type. 
XFS is used as an example.\n # find / -fstype xfs -nouser\n If any files on the system do not have an assigned owner, this is a finding.", - "fix": "Either remove all files and directories from the system that do not have a valid user, or assign a\n valid user to all unowned files and directories on the system with the \"chown\" command:\n # chown " + "default": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "check": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the operating system via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check to see if the operating system displays a banner at the logon screen with the following command:\n # grep banner-message-enable /etc/dconf/db/local.d/*\n banner-message-enable=true\n If \"banner-message-enable\" is set to \"false\" or is missing, this is a finding.", + "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the system.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the\n following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n [org/gnome/login-screen]\n banner-message-enable=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." 
},
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86631",
- "V-72007"
+ "V-71859",
+ "SV-86483"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204463",
- "rid": "SV-204463r853897_rule",
- "stig_id": "RHEL-07-020320",
- "fix_id": "F-4587r88582_fix",
+ "gtitle": "SRG-OS-000023-GPOS-00006",
+ "satisfies": [
+ "SRG-OS-000023-GPOS-00006",
+ "SRG-OS-000024-GPOS-00007",
+ "SRG-OS-000228-GPOS-00088"
+ ],
+ "gid": "V-204393",
+ "rid": "SV-204393r603261_rule",
+ "stig_id": "RHEL-07-010030",
+ "fix_id": "F-4517r88372_fix",
 "cci": [
- "CCI-002165"
+ "CCI-000048"
 ],
 "nist": [
- "AC-3 (4)"
+ "AC-8 a"
 ],
 "subsystems": [
- "file_system",
- "users",
- "files"
- ],
- "host": null,
- "container": null
+ "gui",
+ "banner"
+ ]
 },
- "code": "control 'SV-204463' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a\n valid owner.'\n desc 'Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.'\n desc 'check', 'Verify all files and directories on the system have a valid owner.\n Check the owner of all files and directories with the following command:\n Note: The value after -fstype must be replaced with the filesystem type. 
XFS is used as an example.\n # find / -fstype xfs -nouser\n If any files on the system do not have an assigned owner, this is a finding.'\n desc 'fix', 'Either remove all files and directories from the system that do not have a valid user, or assign a\n valid user to all unowned files and directories on the system with the \"chown\" command:\n # chown '\n impact 0.5\n tag legacy: ['SV-86631', 'V-72007']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204463'\n tag rid: 'SV-204463r853897_rule'\n tag stig_id: 'RHEL-07-020320'\n tag fix_id: 'F-4587r88582_fix'\n tag cci: ['CCI-002165']\n tag nist: ['AC-3 (4)']\n tag subsystems: ['file_system', 'users', 'files']\n tag 'host'\n tag 'container'\n\n command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'')\n .stdout.strip.split(\"\\n\").each do |fs|\n describe command(\"find / -xdev -xautofs -fstype #{fs} -nouser\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-204393' do\n title \"The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent\n Banner before granting local or remote access to the system via a graphical user logon.\"\n desc \"Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. 
Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \\\"#{input('banner_message_text_gui')}\\\" \"\n desc 'check',\"Verify the operating system displays the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the operating system via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check to see if the operating system displays a banner at the logon screen with the following command:\n # grep banner-message-enable /etc/dconf/db/local.d/*\n banner-message-enable=true\n If \\\"banner-message-enable\\\" is set to \\\"false\\\" or is missing, this is a finding.\"\n desc 'fix', \"Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the system.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the\n following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the \\\"/etc/dconf/db/local.d/01-banner-message\\\":\n [org/gnome/login-screen]\n banner-message-enable=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.\"\n impact 0.5\n tag legacy: ['V-71859', 'SV-86483']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-204393'\n tag rid: 'SV-204393r603261_rule'\n tag stig_id: 'RHEL-07-010030'\n tag fix_id: 'F-4517r88372_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag subsystems: ['gui', 'banner']\n\n if package('gnome-desktop3').installed?\n if !input('dconf_user').nil? 
and command('whoami').stdout.strip == 'root'\n describe command(\"sudo -u input('dconf_user') dconf read /org/gnome/login-screen/banner-message-enable\") do\n its('stdout.strip') do\n should cmp input('banner_message_enabled').to_s\n end\n end\n else\n describe command('dconf read /org/gnome/login-screen/banner-message-enable') do\n its('stdout.strip') do\n should cmp input('banner_message_enabled').to_s\n end\n end\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204463.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204393.rb", "line": 1 }, - "id": "SV-204463" + "id": "SV-204393" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists,\n is owned by root.", - "desc": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to\n view or to edit sensitive information.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted\n to a 60-day maximum lifetime.", + "desc": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.",
 "descriptions": {
- "default": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to\n view or to edit sensitive information.",
- "check": "Verify that the \"cron.allow\" file is owned by root.\n Check the owner of the \"cron.allow\" file with the following command:\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n If the \"cron.allow\" file exists and has an owner other than root, this is a finding.",
- "fix": "Set the owner on the \"/etc/cron.allow\" file to root with the following\ncommand:\n\n # chown root /etc/cron.allow"
+ "default": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.",
+ "check": "Check whether the maximum time period for existing passwords is restricted to 60 days.\n # awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n If any results are returned that are not associated with a system account, this is a finding.",
+ "fix": "Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n # chage -M 60 [user]"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72053",
- "SV-86677"
+ "V-71931",
+ "SV-86555"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204490",
- "rid": "SV-204490r603261_rule",
- "stig_id": "RHEL-07-021110",
- "fix_id": "F-4614r88663_fix",
+ "gtitle": "SRG-OS-000076-GPOS-00044",
+ "gid": "V-204421",
+ "rid": "SV-204421r603261_rule",
+ "stig_id": "RHEL-07-010260",
+ "fix_id": "F-4545r88456_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000199"
 ], 
"nist": [ - "CM-6 b" + "IA-5 (1) (d)" ], "subsystems": [ - "cron" + "password", + "/etc/shadow", + "tty" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204490' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists,\n is owned by root.'\n desc 'If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to\n view or to edit sensitive information.'\n desc 'check', 'Verify that the \"cron.allow\" file is owned by root.\n Check the owner of the \"cron.allow\" file with the following command:\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n If the \"cron.allow\" file exists and has an owner other than root, this is a finding.'\n desc 'fix', 'Set the owner on the \"/etc/cron.allow\" file to root with the following\ncommand:\n\n # chown root /etc/cron.allow'\n impact 0.5\n tag legacy: ['V-72053', 'SV-86677']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204490'\n tag rid: 'SV-204490r603261_rule'\n tag stig_id: 'RHEL-07-021110'\n tag fix_id: 'F-4614r88663_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['cron']\n tag 'host'\n tag 'container'\n\n describe.one do\n # case where file doesn't exist\n describe file('/etc/cron.allow') do\n it { should_not exist }\n end\n # case where file exists\n describe file('/etc/cron.allow') do\n it { should be_owned_by 'root' }\n end\n end\nend\n", + "code": "control 'SV-204421' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted\n to a 60-day maximum lifetime.'\n desc 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.'\n desc 'check', %q(Check whether the maximum time period for existing passwords is restricted to 60 days.\n # awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n If any results are returned that are not associated with a system account, this is a finding.)\n desc 'fix', 'Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n # chage -M 60 [user]'\n impact 0.5\n tag legacy: ['V-71931', 'SV-86555']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-204421'\n tag rid: 'SV-204421r603261_rule'\n tag stig_id: 'RHEL-07-010260'\n tag fix_id: 'F-4545r88456_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag subsystems: ['password', '/etc/shadow', 'tty']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n shadow.users.each do |user|\n # filtering on non-system accounts (uid >= 1000)\n next unless user(user).uid >= 1000\n\n describe shadow.users(user) do\n its('max_days.first') { should cmp input('max_password_lifetime') }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204490.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204421.rb", "line": 1 }, - "id": "SV-204490" + "id": "SV-204421" }, { - "title": "The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol\n version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.", - "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. 
These messages contain information from the system's route table, possibly revealing portions of the\n network topology.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. 
These messages contain information from the system's route table, possibly revealing portions of the\n network topology.", - "check": "Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\n # grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.default.send_redirects\" is not configured in the \"/etc/sysctl.conf\" file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"default send_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects\n net.ipv4.conf.default.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a\n configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n net.ipv4.conf.default.send_redirects = 0\n Issue the following command to make the changes take effect:\n # sysctl --system" + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/unix_chkpwd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72291",
- "SV-86915"
+ "SV-86775",
+ "V-72151"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204616",
- "rid": "SV-204616r880818_rule",
- "stig_id": "RHEL-07-040650",
- "fix_id": "F-4740r880817_fix",
+ "gtitle": "SRG-OS-000042-GPOS-00020",
+ "satisfies": [
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-204543",
+ "rid": "SV-204543r861029_rule",
+ "stig_id": "RHEL-07-030640",
+ "fix_id": "F-4667r861028_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000135",
+ "CCI-000172",
+ "CCI-002884"
 ],
 "nist": [
- "CM-6 b"
+ "AU-3 (1)",
+ "AU-12 c",
+ "MA-4 (1) (a)"
 ],
 "subsystems": [
- "kernel_parameter",
- "ipv4"
+ "audit",
+ "auditd",
+ "audit_rule"
 ],
 "host": null
 },
- "code": "control 'SV-204616' do\n title 'The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol\n version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. 
These messages contain information from the system's route table, possibly revealing portions of the\n network topology.\"\n desc 'check', 'Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\n # grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.default.send_redirects\" is not configured in the \"/etc/sysctl.conf\" file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"default send_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects\n net.ipv4.conf.default.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a\n configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n net.ipv4.conf.default.send_redirects = 0\n Issue the following command to make the changes take effect:\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72291', 'SV-86915']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204616'\n tag rid: 'SV-204616r880818_rule'\n tag stig_id: 'RHEL-07-040650'\n tag fix_id: 'F-4740r880817_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n 
send_redirects = 0\n config_file_values = command('grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [send_redirects.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set send_redirects to #{send_redirects}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.default.send_redirects' do\n subject { kernel_parameter('net.ipv4.conf.default.send_redirects') }\n its('value') { should eq send_redirects }\n end\n end\nend\n", + "code": "control 'SV-204543' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/unix_chkpwd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86775', 'V-72151']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204543'\n tag rid: 'SV-204543r861029_rule'\n tag stig_id: 'RHEL-07-030640'\n tag fix_id: 'F-4667r861028_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/unix_chkpwd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n 
expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204616.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204543.rb", "line": 1 }, - "id": "SV-204616" + "id": "SV-204543" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the\n baseline operating system configuration at least weekly.", - "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", + "title": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and\n Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum\n audit record storage capacity is reached.", + "desc": "If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.", "descriptions": { - "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", - "check": "Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * root /usr/sbin/aide --check\n /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.", - "fix": "Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. 
It will set cron to run AIDE daily, but other file integrity tools may be used:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" + "default": "If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.", + "check": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the\n allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n Check what action the operating system takes when the threshold for the repository maximum audit record storage\n capacity is reached with the following command:\n # grep -i space_left_action /etc/audit/auditd.conf\n space_left_action = email\n If the value of the \"space_left_action\" keyword is not set to \"email\", this is a finding.", + "fix": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold\n for the repository maximum audit record storage capacity is reached.\n Uncomment or edit the \"space_left_action\" keyword in \"/etc/audit/auditd.conf\" and set it to \"email\".\n space_left_action = email" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86597", - "V-71973" + "V-72091", + "SV-86715" ], "severity": "medium", - "gtitle": "SRG-OS-000363-GPOS-00150", - "gid": "V-204445", - "rid": "SV-204445r880848_rule", - "stig_id": "RHEL-07-020030", - "fix_id": "F-36304r880847_fix", + "gtitle": "SRG-OS-000343-GPOS-00134", + "gid": "V-204514", + "rid": "SV-204514r877389_rule", + "stig_id": "RHEL-07-030340", + "fix_id": "F-4638r88735_fix", "cci": [ - "CCI-001744" + "CCI-001855" ], "nist": [ - "CM-3 (5)" + "AU-5 (1)" ], "subsystems": [ - "file_integrity_tool" + "audit", + "auditd" ], - "host": null, - "container": 
null + "host": null }, - "code": "control 'SV-204445' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the\n baseline operating system configuration at least weekly.'\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\"\n desc 'check', 'Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for a script file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * root /usr/sbin/aide --check\n /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil'\n impact 0.5\n tag legacy: ['SV-86597', 'V-71973']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000363-GPOS-00150'\n tag gid: 'V-204445'\n tag rid: 'SV-204445r880848_rule'\n tag stig_id: 'RHEL-07-020030'\n tag fix_id: 'F-36304r880847_fix'\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n file_integrity_interval = input('file_integrity_interval')\n\n if file_integrity_tool == 'aide'\n if file_integrity_interval == 'monthly'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.monthly/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n 
its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n elsif file_integrity_interval == 'weekly'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n elsif file_integrity_interval == 'daily'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n end\n end\n else\n describe 'Need manual review of file integrity tool' do\n skip 'A manual review of the file integrity tool is required to ensure that it verifies the baseline operating system configuration at least weekly.'\n end\n end\nend\n", + "code": "control 'SV-204514' do\n title \"The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and\n 
Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum\n audit record storage capacity is reached.\"\n desc \"If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.\"\n desc 'check', \"Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the\n allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity.\n Check what action the operating system takes when the threshold for the repository maximum audit record storage\n capacity is reached with the following command:\n # grep -i space_left_action /etc/audit/auditd.conf\n space_left_action = email\n If the value of the \\\"space_left_action\\\" keyword is not set to \\\"email\\\", this is a finding.\"\n desc 'fix', \"Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold\n for the repository maximum audit record storage capacity is reached.\n Uncomment or edit the \\\"space_left_action\\\" keyword in \\\"/etc/audit/auditd.conf\\\" and set it to \\\"email\\\".\n space_left_action = email\"\n impact 0.5\n tag legacy: ['V-72091', 'SV-86715']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-204514'\n tag rid: 'SV-204514r877389_rule'\n tag stig_id: 'RHEL-07-030340'\n tag fix_id: 'F-4638r88735_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe auditd_conf do\n its('space_left_action.downcase') { should cmp 'email' }\n 
end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204445.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204514.rb", "line": 1 }, - "id": "SV-204445" + "id": "SV-204514" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files\n have mode 0740 or less permissive.", - "desc": "Local initialization files are used to configure the user's shell environment upon logon. Malicious\n modification of these files could compromise accounts upon logon.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Local initialization files are used to configure the user's shell environment upon logon. 
Malicious\n modification of these files could compromise accounts upon logon.", - "check": "Verify that all local initialization files have a mode of \"0740\" or less permissive.\n Check the mode on all local initialization files with the following command:\n Note: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n # ls -al /home/smithj/.[^.]* | more\n -rwxr----- 1 smithj users 896 Mar 10 2011 .profile\n -rwxr----- 1 smithj users 497 Jan 6 2007 .login\n -rwxr----- 1 smithj users 886 Jan 6 2007 .something\n If any local initialization files have a mode more permissive than \"0740\", this is a finding.", - "fix": "Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the \"smithj\" user, who has a home directory\nof \"/home/smithj\".\n\n # chmod 0740 /home/smithj/.[^.]*" + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"crontab\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/crontab\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"crontab\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86657", - "V-72033" + "SV-86807", + "V-72183" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204476", - "rid": "SV-204476r603261_rule", - "stig_id": "RHEL-07-020710", - "fix_id": "F-4600r88621_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "satisfies": [ + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-204557", + "rid": "SV-204557r861068_rule", + "stig_id": "RHEL-07-030800", + "fix_id": "F-4681r861067_fix", "cci": [ - "CCI-000366" + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)" ], "subsystems": [ - "init_files" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204476' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local initialization files\n have mode 0740 or less permissive.'\n desc \"Local initialization files 
are used to configure the user's shell environment upon logon. Malicious\n modification of these files could compromise accounts upon logon.\"\n desc 'check', 'Verify that all local initialization files have a mode of \"0740\" or less permissive.\n Check the mode on all local initialization files with the following command:\n Note: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n # ls -al /home/smithj/.[^.]* | more\n -rwxr----- 1 smithj users 896 Mar 10 2011 .profile\n -rwxr----- 1 smithj users 497 Jan 6 2007 .login\n -rwxr----- 1 smithj users 886 Jan 6 2007 .something\n If any local initialization files have a mode more permissive than \"0740\", this is a finding.'\n desc 'fix', 'Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the \"smithj\" user, who has a home directory\nof \"/home/smithj\".\n\n # chmod 0740 /home/smithj/.[^.]*'\n impact 0.5\n tag legacy: ['SV-86657', 'V-72033']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204476'\n tag rid: 'SV-204476r603261_rule'\n tag stig_id: 'RHEL-07-020710'\n tag fix_id: 'F-4600r88621_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n findings += command(\"find #{user_info.home} -xdev -maxdepth 1 -name '.*' -type f -perm -#{input('init_files_mode')}\").stdout.split(\"\\n\")\n end\n describe findings do\n it { should be_empty }\n end\n end\nend\n", - 
"source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204476.rb", - "line": 1 - }, - "id": "SV-204476" - }, - { - "title": "The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer.", - "desc": "Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a non-privileged user.", - "descriptions": { - "default": "Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a non-privileged user.", - "check": "Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\n $ sudo sysctl kernel.dmesg_restrict\n kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter:\n\n $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n /etc/sysctl.conf:kernel.dmesg_restrict = 1\n /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to restrict access to the kernel message buffer.\n\nSet the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:\n\n kernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/\n /etc/sysctl.d/\n /usr/local/lib/sysctl.d/\n /usr/lib/sysctl.d/\n /lib/sysctl.d/\n /etc/sysctl.conf\n\nReload settings from all system configuration files with the following command:\n\n $ sudo 
sysctl --system" - }, - "impact": 0.3, - "refs": [], - "tags": { - "check_id": "C-59604r880789_chk", - "severity": "low", - "gid": "V-255927", - "rid": "SV-255927r880791_rule", - "stig_id": "RHEL-07-010375", - "gtitle": "SRG-OS-000138-GPOS-00069", - "fix_id": "F-59547r880790_fix", - "documentable": null, - "cci": [ - "CCI-001090" - ], - "nist": [ - "SC-4" - ] - }, - "code": "control 'SV-255927' do\n title 'The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer.'\n desc 'Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a non-privileged user.'\n desc 'check', 'Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\n $ sudo sysctl kernel.dmesg_restrict\n kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter:\n\n $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n /etc/sysctl.conf:kernel.dmesg_restrict = 1\n /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to restrict access to the kernel message buffer.\n\nSet the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:\n\n kernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/\n /etc/sysctl.d/\n /usr/local/lib/sysctl.d/\n /usr/lib/sysctl.d/\n /lib/sysctl.d/\n /etc/sysctl.conf\n\nReload settings 
from all system configuration files with the following command:\n\n $ sudo sysctl --system'\n impact 0.3\n tag check_id: 'C-59604r880789_chk'\n tag severity: 'low'\n tag gid: 'V-255927'\n tag rid: 'SV-255927r880791_rule'\n tag stig_id: 'RHEL-07-010375'\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag fix_id: 'F-59547r880790_fix'\n tag 'documentable'\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n dmesg_restrict = 1\n config_file_values = command('grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [dmesg_restrict.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set dmesg_restrict to #{dmesg_restrict}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter kernel.dmesg_restrict' do\n subject { kernel_parameter('kernel.dmesg_restrict') }\n its('value') { should eq dmesg_restrict }\n end\n end\nend\n", + "code": "control 'SV-204557' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"crontab\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/crontab\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"crontab\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86807', 'V-72183']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204557'\n tag rid: 'SV-204557r861068_rule'\n tag stig_id: 'RHEL-07-030800'\n tag fix_id: 'F-4681r861067_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/crontab'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 
'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-cron')\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-255927.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204557.rb",
 "line": 1
 },
- "id": "SV-255927"
+ "id": "SV-204557"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must require re-authentication when using the \"sudo\" command.",
- "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the \"sudo\" command.\n\nIf the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.",
+ "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are assigned, the new password must contain at least 1 numeric character.",
+ "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password.
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.",
 "descriptions": {
- "default": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the \"sudo\" command.\n\nIf the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.",
- "check": "Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative number, is commented out, or no results are returned, this is a finding.",
- "fix": "Configure the \"sudo\" command to require re-authentication.\nEdit the /etc/sudoers file:\n$ sudo visudo\n\nAdd or modify the following line:\nDefaults timestamp_timeout=[value]\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\".\n\nRemove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files."
+ "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password.
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.",
+ "check": "Note: The value to require a number of numeric characters to be set is expressed as a negative\n number in \"/etc/security/pwquality.conf\".\n Check the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n # grep dcredit /etc/security/pwquality.conf\n dcredit = -1\n If the value of \"dcredit\" is not set to a negative value, this is a finding.",
+ "fix": "Configure the operating system to enforce password complexity by requiring that at least 1 numeric\n character be used by setting the \"dcredit\" option.\n Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n dcredit = -1"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
+ "legacy": [
+ "SV-86531",
+ "V-71907"
+ ],
 "severity": "medium",
- "gtitle": "SRG-OS-000373-GPOS-00156",
- "satisfies": null,
- "gid": "V-237635",
- "rid": "SV-237635r861075_rule",
- "stig_id": "RHEL-07-010343",
- "fix_id": "F-40817r858491_fix",
+ "gtitle": "SRG-OS-000071-GPOS-00039",
+ "gid": "V-204409",
+ "rid": "SV-204409r603261_rule",
+ "stig_id": "RHEL-07-010140",
+ "fix_id": "F-4533r88420_fix",
 "cci": [
- "CCI-002038"
+ "CCI-000194"
 ],
- "legacy": [],
 "nist": [
- "IA-11"
+ "IA-5 (1) (a)"
 ],
 "subsystems": [
- "sudo"
+ "pwquality",
+ "password"
 ],
- "host": null
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-237635' do\n title 'The Red Hat Enterprise Linux operating system must require re-authentication when using the \"sudo\" command.'\n desc %q(Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the \"sudo\" command.\n\nIf the value is set to an integer less than 0, the
user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.)\n desc 'check', %q(Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative number, is commented out, or no results are returned, this is a finding.)\n desc 'fix', 'Configure the \"sudo\" command to require re-authentication.\nEdit the /etc/sudoers file:\n$ sudo visudo\n\nAdd or modify the following line:\nDefaults timestamp_timeout=[value]\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\".\n\nRemove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: nil\n tag gid: 'V-237635'\n tag rid: 'SV-237635r861075_rule'\n tag stig_id: 'RHEL-07-010343'\n tag fix_id: 'F-40817r858491_fix'\n tag cci: ['CCI-002038']\n tag legacy: []\n tag nist: ['IA-11']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n describe command(\"grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\").stdout.strip do\n it { should match /^[^#].*Defaults timestamp_timeout=\\d/ }\n it { should_not match /\\n/ }\n end\n end\nend\n", + "code": "control 'SV-204409' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are assigned, the new password must contain at least #{input('min_numeric_characters')} numeric character.\"\n desc 
'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', \"Note: The value to require a number of numeric characters to be set is expressed as a negative\n number in \\\"/etc/security/pwquality.conf\\\".\n Check the value for \\\"dcredit\\\" in \\\"/etc/security/pwquality.conf\\\" with the following command:\n # grep dcredit /etc/security/pwquality.conf\n dcredit = -#{input('min_numeric_characters')}\n If the value of \\\"dcredit\\\" is not set to a negative value, this is a finding.\"\n desc 'fix', \"Configure the operating system to enforce password complexity by requiring that at least #{input('min_numeric_characters')} numeric\n character be used by setting the \\\"dcredit\\\" option.\n Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n dcredit = -#{input('min_numeric_characters')}\"\n impact 0.5\n tag legacy: ['SV-86531', 'V-71907']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000071-GPOS-00039'\n tag gid: 'V-204409'\n tag rid: 'SV-204409r603261_rule'\n tag stig_id: 'RHEL-07-010140'\n tag fix_id: 'F-4533r88420_fix'\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('dcredit') { should cmp <= -input('min_numeric_characters') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-237635.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204409.rb", "line": 1 }, - "id": "SV-237635" + "id": 
"SV-204409"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer\n Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.",
- "desc": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting\n system files.",
+ "title": "The Red Hat Enterprise Linux operating system must enable an application firewall, if available.",
+ "desc": "Firewalls protect computers from network attacks by blocking or limiting access to open network ports.\n Application firewalls limit which applications are allowed to communicate over the network.",
 "descriptions": {
- "default": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting\n system files.",
- "check": "Verify the TFTP daemon is configured to operate in secure mode.\n Check to see if a TFTP server has been installed with the following commands:\n # yum list installed tftp-server\n tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n If a TFTP server is not installed, this is Not Applicable.\n If a TFTP server is installed, check for the server arguments with the following command:\n # grep server_args /etc/xinetd.d/tftp\n server_args = -s /var/lib/tftpboot\n If the \"server_args\" line does not have a \"-s\" option and a subdirectory is not assigned, this is a finding.",
- "fix": "Configure the TFTP daemon to operate in secure mode by adding the following line to\n \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n server_args = -s /var/lib/tftpboot"
+ "default": "Firewalls protect computers from network attacks by blocking or limiting access to open network ports.\n Application firewalls limit which applications are allowed to communicate over the network.",
+ "check": "Verify the operating system enabled an application firewall.\n Check to see if \"firewalld\" is installed with the following command:\n #
yum list installed firewalld\n firewalld-0.3.9-11.el7.noarch.rpm\n If the \"firewalld\" package is not installed, ask the System Administrator if another firewall application (such as\n iptables) is installed.\n If an application firewall is not installed, this is a finding.\n Check to see if the firewall is loaded and active with the following command:\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n If \"firewalld\" does not show a status of \"loaded\" and \"active\", this is a finding.\n Check the state of the firewall:\n # firewall-cmd --state\n running\n If \"firewalld\" does not show a state of \"running\", this is a finding.",
+ "fix": "Ensure the operating system's application firewall is enabled.\n Install the \"firewalld\" package, if it is not on the system, with the following command:\n # yum install firewalld\n Start the firewall via \"systemctl\" with the following command:\n # systemctl start firewalld"
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86929",
- "V-72305"
+ "SV-86897",
+ "V-72273"
 ],
 "severity": "medium",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204623",
- "rid": "SV-204623r603261_rule",
- "stig_id": "RHEL-07-040720",
- "fix_id": "F-4747r89062_fix",
+ "satisfies": [
+ "SRG-OS-000480-GPOS-00227",
+ "SRG-OS-000480-GPOS-00231",
+ "SRG-OS-000480-GPOS-00232"
+ ],
+ "gid": "V-204604",
+ "rid": "SV-204604r603261_rule",
+ "stig_id": "RHEL-07-040520",
+ "fix_id": "F-4728r89005_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -2279,216 +2203,219 @@ "CM-6 b" ], "subsystems": [ - "tftp" + "firewalld", + "iptables" ], "host": null, "container": null }, - "code": "control 'SV-204623' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer\n Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.'\n desc 'Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting\n system files.'\n desc 'check', 'Verify the TFTP daemon is configured to operate in secure mode.\n Check to see if a TFTP server has been installed with the following commands:\n # yum list installed tftp-server\n tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n If a TFTP server is not installed, this is Not Applicable.\n If a TFTP server is installed, check for the server arguments with the following command:\n # grep server_args /etc/xinetd.d/tftp\n server_args = -s /var/lib/tftpboot\n If the \"server_args\" line does not have a \"-s\" option and a subdirectory is not assigned, this is a finding.'\n desc 'fix', 'Configure the TFTP daemon to operate in secure mode by adding the following line to\n \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n server_args = -s /var/lib/tftpboot'\n impact 0.5\n tag legacy: ['SV-86929', 'V-72305']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204623'\n tag rid: 'SV-204623r603261_rule'\n tag stig_id: 'RHEL-07-040720'\n tag fix_id: 'F-4747r89062_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['tftp']\n tag 'host'\n tag 'container'\n\n if package('tftp-server').installed?\n impact 0.5\n describe command('grep server_args /etc/xinetd.d/tftp') do\n its('stdout.strip') do\n should match %r{^\\s*server_args\\s+=\\s+(-s|--secure)\\s(/\\S+)$}\n end\n end\n else\n impact 0.0\n describe 'The TFTP package is not installed' do\n skip 'If a TFTP server is not installed, this is Not 
Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204604' do\n title 'The Red Hat Enterprise Linux operating system must enable an application firewall, if available.'\n desc 'Firewalls protect computers from network attacks by blocking or limiting access to open network ports.\n Application firewalls limit which applications are allowed to communicate over the network.'\n desc 'check', 'Verify the operating system enabled an application firewall.\n Check to see if \"firewalld\" is installed with the following command:\n # yum list installed firewalld\n firewalld-0.3.9-11.el7.noarch.rpm\n If the \"firewalld\" package is not installed, ask the System Administrator if another firewall application (such as\n iptables) is installed.\n If an application firewall is not installed, this is a finding.\n Check to see if the firewall is loaded and active with the following command:\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n If \"firewalld\" does not show a status of \"loaded\" and \"active\", this is a finding.\n Check the state of the firewall:\n # firewall-cmd --state\n running\n If \"firewalld\" does not show a state of \"running\", this is a finding.'\n desc 'fix', %q(Ensure the operating system's application firewall is enabled.\n Install the \"firewalld\" package, if it is not on the system, with the following command:\n # yum install firewalld\n Start the firewall via \"systemctl\" with the following command:\n # systemctl start firewalld)\n impact 0.5\n tag legacy: ['SV-86897', 'V-72273']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: ['SRG-OS-000480-GPOS-00227', 'SRG-OS-000480-GPOS-00231', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-204604'\n tag rid: 'SV-204604r603261_rule'\n tag stig_id: 'RHEL-07-040520'\n tag fix_id: 
'F-4728r89005_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['firewalld', 'iptables']\n tag 'host'\n tag 'container'\n\n describe.one do\n describe package('firewalld') do\n it { should be_installed }\n end\n describe package('iptables') do\n it { should be_installed }\n end\n if input('firewall_application_package') != ''\n describe package(input('firewall_application_package')) do\n it { should be_installed }\n end\n end\n end\n describe.one do\n describe systemd_service('firewalld.service') do\n it { should be_running }\n end\n describe systemd_service('iptables.service') do\n it { should be_running }\n end\n if input('firewall_application_service') != ''\n describe systemd_service(input('firewall_application_service')) do\n it { should be_running }\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204623.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204604.rb",
 "line": 1
 },
- "id": "SV-204623"
+ "id": "SV-204604"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are\n restricted to a 60-day maximum lifetime.",
- "desc": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically.
If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.",
+ "title": "The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts\n following a failed console logon attempt is at least four seconds.",
+ "desc": "Configuring the operating system to implement organization-wide security implementation guides and security\n checklists verifies compliance with federal standards and establishes a common security baseline across DoD that\n reflects the most restrictive security posture consistent with operational requirements.\n Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components\n of the system that affect the security posture and/or functionality of the system. Security-related parameters are\n those parameters impacting the security state of the system, including the parameters required to satisfy other\n security control requirements. Security-related parameters include, for example, registry settings; account, file,\n and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.",
 "descriptions": {
- "default": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically.
If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.",
- "check": "If passwords are not being used for authentication, this is Not Applicable.\n Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.\n Check for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the following command:\n # grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n If the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding.",
- "fix": "Configure the operating system to enforce a 60-day maximum password lifetime restriction.\n Add the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n PASS_MAX_DAYS 60"
+ "default": "Configuring the operating system to implement organization-wide security implementation guides and security\n checklists verifies compliance with federal standards and establishes a common security baseline across DoD that\n reflects the most restrictive security posture consistent with operational requirements.\n Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components\n of the system that affect the security posture and/or functionality of the system. Security-related parameters are\n those parameters impacting the security state of the system, including the parameters required to satisfy other\n security control requirements.
Security-related parameters include, for example, registry settings; account, file,\n and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.",
+ "check": "Verify the operating system enforces a delay of at least four seconds between console logon prompts\n following a failed logon attempt.\n Check the value of the \"fail_delay\" parameter in the \"/etc/login.defs\" file with the following command:\n # grep -i fail_delay /etc/login.defs\n FAIL_DELAY 4\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.",
+ "fix": "Configure the operating system to enforce a delay of at least four seconds between logon prompts\n following a failed console logon attempt.\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to \"4\" or greater:\n FAIL_DELAY 4"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-71929",
- "SV-86553"
+ "SV-86575",
+ "V-71951"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000076-GPOS-00044",
- "gid": "V-204420",
- "rid": "SV-204420r603261_rule",
- "stig_id": "RHEL-07-010250",
- "fix_id": "F-4544r88453_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00226",
+ "gid": "V-204431",
+ "rid": "SV-204431r603261_rule",
+ "stig_id": "RHEL-07-010430",
+ "fix_id": "F-4555r88486_fix",
 "cci": [
- "CCI-000199"
+ "CCI-000366"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "CM-6 b"
 ],
 "subsystems": [
- "login_defs",
- "password"
+ "login_defs"
 ],
 "host": null,
 "container": null
 },
- "code": "control 'SV-204420' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are\n restricted to a 60-day maximum lifetime.'\n desc 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically.
If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.'\n desc 'check', 'If passwords are not being used for authentication, this is Not Applicable.\n Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.\n Check for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the following command:\n # grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n If the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce a 60-day maximum password lifetime restriction.\n Add the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n PASS_MAX_DAYS 60'\n impact 0.5\n tag legacy: ['V-71929', 'SV-86553']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-204420'\n tag rid: 'SV-204420r603261_rule'\n tag stig_id: 'RHEL-07-010250'\n tag fix_id: 'F-4544r88453_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag subsystems: ['login_defs', 'password']\n tag 'host'\n tag 'container'\n\n if command(\"grep 'pam_unix.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'optional'\").stdout.empty? 
&& command(\"grep 'pam_permit.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'required'\").stdout.empty?\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= input('pass_max_days') }\n its('PASS_MAX_DAYS') { should_not be_nil }\n end\n else\n impact 0.0\n describe 'The system is not using password for authentication' do\n skip 'The system is not using password for authentication, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204431' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts\n following a failed console logon attempt is at least four seconds.'\n desc \"Configuring the operating system to implement organization-wide security implementation guides and security\n checklists verifies compliance with federal standards and establishes a common security baseline across #{input('org_name')[:acronym]} that\n reflects the most restrictive security posture consistent with operational requirements.\n Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components\n of the system that affect the security posture and/or functionality of the system. Security-related parameters are\n those parameters impacting the security state of the system, including the parameters required to satisfy other\n security control requirements. 
Security-related parameters include, for example, registry settings; account, file,\n and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.\"\n desc 'check', 'Verify the operating system enforces a delay of at least four seconds between console logon prompts\n following a failed logon attempt.\n Check the value of the \"fail_delay\" parameter in the \"/etc/login.defs\" file with the following command:\n # grep -i fail_delay /etc/login.defs\n FAIL_DELAY 4\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce a delay of at least four seconds between logon prompts\n following a failed console logon attempt.\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to \"4\" or greater:\n FAIL_DELAY 4'\n impact 0.5\n tag legacy: ['SV-86575', 'V-71951']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00226'\n tag gid: 'V-204431'\n tag rid: 'SV-204431r603261_rule'\n tag stig_id: 'RHEL-07-010430'\n tag fix_id: 'F-4555r88486_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['login_defs']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('FAIL_DELAY') { should cmp >= input('fail_delay') }\n its('FAIL_DELAY') { should_not be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204420.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204431.rb", "line": 1 }, - "id": "SV-204420" + "id": "SV-204431" }, { - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all successful account access\n events.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated 
from various components within the information system (e.g., module or policy\n filter).", + "title": "The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for\n privilege escalation.", + "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n reauthenticate.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system generates audit records when successful account access events occur.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep -i /var/log/lastlog /etc/audit/audit.rules\n -w /var/log/lastlog -p wa -k logins\n If the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful account access events occur.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /var/log/lastlog -p wa -k logins\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n reauthenticate.", + "check": "Verify the operating system requires users to reauthenticate for privilege escalation.\n Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n If any uncommented line is found with a \"!authenticate\" tag, this is a finding.", + "fix": "Configure the operating system to require users to reauthenticate for privilege escalation.\n Check the configuration of the \"/etc/sudoers\" file with the following command:\n # visudo\n Remove any occurrences of \"!authenticate\" tags in the file.\n Check the configuration of the \"/etc/sudoers.d/*\" files with the following command:\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n Remove any occurrences of \"!authenticate\" tags in the file(s)." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72147", - "SV-86771" + "V-71949", + "SV-86573" ], "severity": "medium", - "gtitle": "SRG-OS-000392-GPOS-00172", + "gtitle": "SRG-OS-000373-GPOS-00156", "satisfies": [ - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000473-GPOS-00218" + "SRG-OS-000373-GPOS-00156", + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00158" ], - "gid": "V-204541", - "rid": "SV-204541r853931_rule", - "stig_id": "RHEL-07-030620", - "fix_id": "F-4665r88816_fix", + "gid": "V-204430", + "rid": "SV-204430r853885_rule", + "stig_id": "RHEL-07-010350", + "fix_id": "F-4554r88483_fix", "cci": [ - "CCI-000126", - "CCI-000172", - "CCI-002884" + "CCI-002038" ], "nist": [ - "AU-2 d", - "AU-12 c", - "MA-4 (1) (a)", - "AU-2 c" + "IA-11" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "sudo" ], "host": null }, - "code": "control 'SV-204541' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all successful account access\n events.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system generates audit records when successful account access events occur.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep -i /var/log/lastlog /etc/audit/audit.rules\n -w /var/log/lastlog -p wa -k logins\n If the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful account access events occur.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /var/log/lastlog -p wa -k 
logins\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72147', 'SV-86771']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-204541'\n tag rid: 'SV-204541r853931_rule'\n tag stig_id: 'RHEL-07-030620'\n tag fix_id: 'F-4665r88816_fix'\n tag cci: ['CCI-000126', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-2 d', 'AU-12 c', 'MA-4 (1) (a)', 'AU-2 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/var/log/lastlog'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'logins'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", + "code": "control 'SV-204430' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for\n privilege escalation.'\n desc 'Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n reauthenticate.'\n desc 'check', 'Verify the operating system requires users to reauthenticate for privilege escalation.\n Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n If any uncommented line is found with a \"!authenticate\" tag, this is a finding.'\n desc 'fix', 'Configure the operating system to require users to reauthenticate for 
privilege escalation.\n Check the configuration of the \"/etc/sudoers\" file with the following command:\n # visudo\n Remove any occurrences of \"!authenticate\" tags in the file.\n Check the configuration of the \"/etc/sudoers.d/*\" files with the following command:\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n Remove any occurrences of \"!authenticate\" tags in the file(s).'\n impact 0.5\n tag legacy: ['V-71949', 'SV-86573']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-204430'\n tag rid: 'SV-204430r853885_rule'\n tag stig_id: 'RHEL-07-010350'\n tag fix_id: 'F-4554r88483_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n describe command('grep -ir authenticate /etc/sudoers /etc/sudoers.d/*') do\n its('stdout') { should_not match(/!authenticate/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204541.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204430.rb", "line": 1 }, - "id": "SV-204541" + "id": "SV-204430" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from\n reuse for a minimum of 5 generations.", - "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at\n guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse\n their password when that password has exceeded its defined lifetime, the end result is a password that is not\n changed per policy requirements.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the\n user at a command prompt, except to fulfill documented and validated mission requirements.", + "desc": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized\n personnel to take control of a management session enabled on the console or console port that has been left\n unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed\n network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", "descriptions": { - "default": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at\n guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse\n their password when that password has exceeded its defined lifetime, the end result is a password that is not\n changed per policy requirements.", - "check": "Verify the operating system prohibits password reuse for a minimum of 5 generations.\n Check for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" with the\n following command:\n # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n If the line containing the \"pam_pwhistory.so\" line does not have the \"remember\" module argument set, is commented\n out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", - "fix": "Configure the operating system to prohibit password reuse for a minimum of 5 generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." + "default": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized\n personnel to take control of a management session enabled on the console or console port that has been left\n unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed\n network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", + "check": "Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.\n\nCheck the value of the system inactivity timeout with the following command:\n\n$ sudo grep -irw tmout /etc/profile /etc/bashrc /etc/profile.d\n\netc/profile.d/tmout.sh:declare -xr TMOUT=900\n\nIf conflicting results are returned, this is a finding.\nIf 'TMOUT' is not set to 900 or less to enforce session termination after inactivity, this is a finding.", + "fix": "Configure the operating system to terminate all network connections associated with a communications\n session at the end of the session or after a period of inactivity.\n Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:\n #!/bin/bash\n declare -xr TMOUT=900" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71933", - "SV-86557" + "SV-86847", + "V-72223" ], "severity": "medium", - "gtitle": "SRG-OS-000077-GPOS-00045", - "gid": "V-204422", - "rid": "SV-204422r880836_rule", - "stig_id": "RHEL-07-010270", - "fix_id": "F-4546r880835_fix", + "gtitle": "SRG-OS-000163-GPOS-00072", + "gid": "V-204579", + "rid": "SV-204579r861070_rule", + "stig_id": "RHEL-07-040160", + "fix_id": "F-4703r646843_fix", "cci": [ - "CCI-000200" + "CCI-001133", + "CCI-002361" ], 
"nist": [ - "IA-5 (1) (e)" + "SC-10", + "AC-12" ], "subsystems": [ - "pam", - "password" + "user_profile" ], "host": null, "container": null }, - "code": "control 'SV-204422' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from\n reuse for a minimum of #{input('min_reuse_generations')} generations.\"\n desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at\n guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse\n their password when that password has exceeded its defined lifetime, the end result is a password that is not\n changed per policy requirements.'\n desc 'check', \"Verify the operating system prohibits password reuse for a minimum of #{input('min_reuse_generations')} generations.\n Check for the value of the \\\"remember\\\" argument in \\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" with the\n following command:\n # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n password requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')}\n If the line containing the \\\"pam_pwhistory.so\\\" line does not have the \\\"remember\\\" module argument set, is commented\n out, or the value of the \\\"remember\\\" module argument is set to less than \\\"#{input('min_reuse_generations')}\\\", this is a finding.\"\n desc 'fix', \"Configure the operating system to prohibit password reuse for a minimum of #{input('min_reuse_generations')} generations.\n\nAdd the following line in \\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')}\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom 
authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.\"\n impact 0.5\n tag legacy: ['V-71933', 'SV-86557']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000077-GPOS-00045'\n tag gid: 'V-204422'\n tag rid: 'SV-204422r880836_rule'\n tag stig_id: 'RHEL-07-010270'\n tag fix_id: 'F-4546r880835_fix'\n tag cci: ['CCI-000200']\n tag nist: ['IA-5 (1) (e)']\n tag subsystems: ['pam', 'password']\n tag 'host'\n tag 'container'\n\n min_reuse_generations = input('min_reuse_generations')\n\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should match_pam_rule(\"password (required|requisite|sufficient) pam_(unix|pwhistory).so use_authtok remember=#{min_reuse_generations}\") }\n end\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule(\"password (required|requisite|sufficient) pam_(unix|pwhistory).so use_authtok remember=#{min_reuse_generations}\") }\n end\nend\n", + "code": "control 'SV-204579' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with a communication session are terminated at the end of the session or after #{input('system_activity_timeout')/60} minutes of inactivity from the\n user at a command prompt, except to fulfill documented and validated mission requirements.\"\n desc 'Terminating an idle session within a short time period reduces the window of opportunity for unauthorized\n personnel to take control of a management session enabled on the console or console port that has been left\n unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed\n network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.'\n desc 'check', \"Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.\n\nCheck the value of the system inactivity timeout with the following command:\n\n$ sudo grep -irw tmout /etc/profile /etc/bashrc /etc/profile.d\n\netc/profile.d/tmout.sh:declare -xr TMOUT=#{input('system_activity_timeout')}\n\nIf conflicting results are returned, this is a finding.\nIf 'TMOUT' is not set to #{input('system_activity_timeout')} or less to enforce session termination after inactivity, this is a finding.\"\n desc 'fix', \"Configure the operating system to terminate all network connections associated with a communications\n session at the end of the session or after a period of inactivity.\n Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:\n #!/bin/bash\n declare -xr TMOUT=#{input('system_activity_timeout')}\"\n impact 0.5\n tag legacy: ['SV-86847', 'V-72223']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag gid: 'V-204579'\n tag rid: 'SV-204579r861070_rule'\n tag stig_id: 'RHEL-07-040160'\n tag fix_id: 'F-4703r646843_fix'\n tag cci: ['CCI-001133', 'CCI-002361']\n tag nist: ['SC-10', 'AC-12']\n tag subsystems: ['user_profile']\n tag 'host'\n tag 'container'\n\n # Get current 
TMOUT environment variable (active test)\n describe 'Environment variable TMOUT' do\n subject { os_env('TMOUT').content.to_i }\n it { should cmp <= input('system_activity_timeout') }\n end\n\n # Check if TMOUT is set in files (passive test)\n files = ['/etc/bashrc'] + ['/etc/profile'] + command('find /etc/profile.d/*').stdout.split(\"\\n\")\n latest_val = nil\n\n files.each do |file|\n readonly = false\n\n # Skip to next file if TMOUT isn't present. Otherwise, get the last occurrence of TMOUT\n if (values = command(\"grep -Po '.*TMOUT.*' #{file}\").stdout.split(\"\\n\")).empty?\n next\n end\n\n # Loop through each TMOUT match and see if set TMOUT's value or makes it readonly\n values.each_with_index do |value, index|\n # Skip if starts with '#' - it represents a comment\n next unless value.match(/^#/).nil?\n\n # If readonly and value is inline - use that value\n if !value.match(/^readonly\\s+TMOUT\\s*=\\s*\\d+$/).nil?\n latest_val = value.match(/\\d+/)[0].to_i\n readonly = true\n break\n # If readonly, but, value is not inline - use the most recent value\n elsif !value.match(/^readonly\\s+(\\w+\\s+)?TMOUT\\s*(\\s+\\w+\\s*)*$/).nil?\n # If the index is greater than 0, the configuraiton setting value.\n # Otherwise, the configuration setting value is in the previous file\n # and is already set in latest_val.\n latest_val = values[index - 1].match(/\\d+/)[0].to_i if index >= 1\n readonly = true\n break\n # Readonly is not set use the lastest value\n else\n latest_val = value.match(/\\d+/)[0].to_i\n end\n end\n # Readonly is set - stop processing files\n break if readonly === true\n end\n\n if latest_val.nil?\n describe 'The TMOUT setting is configured' do\n subject { !latest_val.nil? 
}\n it { should be true }\n end\n else\n describe 'The TMOUT setting is configured properly' do\n subject { latest_val }\n it { should cmp <= input('system_activity_timeout') }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204422.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204579.rb", "line": 1 }, - "id": "SV-204422" + "id": "SV-204579" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.", - "desc": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.", + "title": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account\n logon upon logon.", + "desc": "Providing users with feedback on when account accesses last occurred facilitates user recognition and\n reporting of unauthorized account use.", "descriptions": { - "default": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.", - "check": "Verify the SSH private host key files have mode \"0640\" or less permissive.\n\nThe following command will find all SSH private key files on the system and list their modes:\n\n # find / -name '*ssh_host*key' | xargs ls -lL\n\n -rw-r----- 1 root ssh_keys 112 Apr 1 11:59 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key\n -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key\n\nIf any file has a mode more permissive than \"0640\", this is a finding.", - "fix": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n# chmod 0640 /path/to/file/ssh_host*key" + "default": "Providing users with feedback on when account accesses last occurred facilitates user recognition and\n reporting of unauthorized account use.", + "check": "Verify users are provided with feedback on when account accesses last occurred.\n Check that 
\"pam_lastlog\" is used and not silent with the following command:\n # grep pam_lastlog /etc/pam.d/postlogin\n session required pam_lastlog.so showfailed\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the silent option is present, this is a finding.", + "fix": "Configure the operating system to provide users with feedback on when account accesses last occurred\n by setting the required configuration options in \"/etc/pam.d/postlogin\".\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n session required pam_lastlog.so showfailed" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "V-72257", - "SV-86881" + "SV-86899", + "V-72275" ], - "severity": "medium", + "severity": "low", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204597", - "rid": "SV-204597r880743_rule", - "stig_id": "RHEL-07-040420", - "fix_id": "F-4721r880742_fix", + "gid": "V-204605", + "rid": "SV-204605r858478_rule", + "stig_id": "RHEL-07-040530", + "fix_id": "F-4729r89008_fix", "cci": [ - "CCI-000366" + "CCI-000366", + "CCI-000052" ], "nist": [ - "CM-6 b" + "CM-6 b", + "AC-9" ], "subsystems": [ + "pam", + "lastlog", "ssh" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204597' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.'\n desc 'If an unauthorized user obtains the private SSH host key file, the host could be impersonated.'\n desc 'check', %q(Verify the SSH private host key files have mode \"0640\" or less permissive.\n\nThe following command will find all SSH private key files on the system and list their modes:\n\n # find / -name '*ssh_host*key' | xargs ls -lL\n\n -rw-r----- 1 root ssh_keys 112 Apr 1 11:59 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key\n -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key\n\nIf any file has a mode more permissive than \"0640\", 
this is a finding.)\n desc 'fix', 'Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n# chmod 0640 /path/to/file/ssh_host*key'\n impact 0.5\n tag legacy: ['V-72257', 'SV-86881']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204597'\n tag rid: 'SV-204597r880743_rule'\n tag stig_id: 'RHEL-07-040420'\n tag fix_id: 'F-4721r880742_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n pub_files = command(\"find #{input('private_host_key_directories').join(' ')} -xdev -name '*ssh_host*key'\").stdout.split(\"\\n\")\n if !pub_files.nil? and !pub_files.empty?\n pub_files.each do |pubfile|\n describe file(pubfile) do\n it { should_not be_more_permissive_than(input('private_host_key_file_mode')) }\n end\n end\n else\n describe 'No public host key files found.' do\n subject { pub_files.nil? or pub_files.empty? 
}\n it { should eq true }\n end\n end\n end\nend\n", + "code": "control 'SV-204605' do\n title 'The Red Hat Enterprise Linux operating system must display the date and time of the last successful account\n logon upon logon.'\n desc 'Providing users with feedback on when account accesses last occurred facilitates user recognition and\n reporting of unauthorized account use.'\n desc 'check', 'Verify users are provided with feedback on when account accesses last occurred.\n Check that \"pam_lastlog\" is used and not silent with the following command:\n # grep pam_lastlog /etc/pam.d/postlogin\n session required pam_lastlog.so showfailed\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the silent option is present, this is a finding.'\n desc 'fix', 'Configure the operating system to provide users with feedback on when account accesses last occurred\n by setting the required configuration options in \"/etc/pam.d/postlogin\".\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n session required pam_lastlog.so showfailed'\n impact 0.3\n tag legacy: ['SV-86899', 'V-72275']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204605'\n tag rid: 'SV-204605r858478_rule'\n tag stig_id: 'RHEL-07-040530'\n tag fix_id: 'F-4729r89008_fix'\n tag cci: ['CCI-000366', 'CCI-000052']\n tag nist: ['CM-6 b', 'AC-9']\n tag subsystems: ['pam', 'lastlog', 'ssh']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/postlogin') do\n its('lines') do\n should match_pam_rule('session .* pam_lastlog.so showfailed')\n end\n end\n\n unless virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n describe.one do\n describe sshd_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\n describe pam('/etc/pam.d/postlogin') do\n its('lines') do\n should_not match_pam_rule('session .* pam_lastlog.so showfailed silent')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 
STIG/controls/SV-204597.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204605.rb", "line": 1 }, - "id": "SV-204597" + "id": "SV-204605" }, { - "title": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and\n Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum\n audit record storage capacity is reached.", - "desc": "If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.", + "title": "The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless\n availability is an overriding concern. If availability is a concern, the system must alert the designated staff\n (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit\n processing failure.", + "desc": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit\n logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the\n audit capability, and system operation may be adversely affected.\n Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit\n storage capacity being reached or exceeded.\n This requirement applies to each audit data storage repository (i.e., distinct information system component where\n audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage\n repositories combined), or both.", "descriptions": { - "default": "If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.", - "check": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the\n allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n Check what action the operating system takes when the threshold for the repository maximum audit record storage\n capacity is reached with the following command:\n # grep -i space_left_action /etc/audit/auditd.conf\n space_left_action = email\n If the value of the \"space_left_action\" keyword is not set to \"email\", this is a finding.", - "fix": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold\n for the repository maximum audit record storage capacity is reached.\n Uncomment or edit the \"space_left_action\" keyword in \"/etc/audit/auditd.conf\" and set it to \"email\".\n space_left_action = email" + "default": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit\n logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the\n audit capability, and system operation may be adversely affected.\n Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit\n storage capacity being reached or exceeded.\n This requirement applies to each audit data storage repository (i.e., distinct information system component where\n audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage\n repositories combined), or both.", + "check": "Confirm the audit configuration regarding how auditing processing failures are handled.\n\nCheck to see what level \"auditctl\" is set to with following command:\n\n # auditctl -s | grep -i \"fail\"\n failure 2\n\nNote: If the value of \"failure\" is set to \"2\", the system is configured to panic (shut down) in the event of an auditing failure. If the value of \"failure\" is set to \"1\", the system will not shut down and instead will record the audit failure in the kernel log. 
If the system is configured as per requirement RHEL-07-031000, the kernel log will be sent to a log aggregation server and generate an alert.\n\nIf the \"failure\" setting is set to any value other than \"1\" or \"2\", this is a finding.\n\nIf the \"failure\" setting is not set, this should be upgraded to a CAT I finding.\n\nIf the \"failure\" setting is set to \"1\" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.", + "fix": "Configure the operating system to shut down in the event of an audit processing failure.\n Add or correct the option to shut down the operating system with the following command:\n # auditctl -f 2\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n -f 2\n If availability has been determined to be more important, and this decision is documented with the ISSO, configure\n the operating system to notify system administration staff and ISSO staff in the event of an audit processing\n failure with the following command:\n # auditctl -f 1\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n -f 1\n Kernel log monitoring must also be configured to properly alert designated staff.\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72091", - "SV-86715" + "V-72081", + "SV-86705" ], "severity": "medium", - "gtitle": "SRG-OS-000343-GPOS-00134", - "gid": "V-204514", - "rid": "SV-204514r877389_rule", - "stig_id": "RHEL-07-030340", - "fix_id": "F-4638r88735_fix", + "gtitle": "SRG-OS-000046-GPOS-00022", + "satisfies": [ + "SRG-OS-000046-GPOS-00022", + "SRG-OS-000047-GPOS-00023" + ], + "gid": "V-204504", + "rid": "SV-204504r880761_rule", + "stig_id": "RHEL-07-030010", + "fix_id": "F-4628r880760_fix", "cci": [ - "CCI-001855" + "CCI-000139" ], "nist": [ - "AU-5 (1)" + "AU-5 a" ], "subsystems": [ "audit", 
@@ -2496,263 +2423,244 @@ ], "host": null }, - "code": "control 'SV-204514' do\n title \"The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and\n Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum\n audit record storage capacity is reached.\"\n desc \"If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.\"\n desc 'check', \"Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the\n allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity.\n Check what action the operating system takes when the threshold for the repository maximum audit record storage\n capacity is reached with the following command:\n # grep -i space_left_action /etc/audit/auditd.conf\n space_left_action = email\n If the value of the \\\"space_left_action\\\" keyword is not set to \\\"email\\\", this is a finding.\"\n desc 'fix', \"Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold\n for the repository maximum audit record storage capacity is reached.\n Uncomment or edit the \\\"space_left_action\\\" keyword in \\\"/etc/audit/auditd.conf\\\" and set it to \\\"email\\\".\n space_left_action = email\"\n impact 0.5\n tag legacy: ['V-72091', 'SV-86715']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-204514'\n tag rid: 'SV-204514r877389_rule'\n tag stig_id: 'RHEL-07-030340'\n tag fix_id: 'F-4638r88735_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be 
done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe auditd_conf do\n its('space_left_action.downcase') { should cmp 'email' }\n end\n end\nend\n", + "code": "control 'SV-204504' do\n title 'The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless\n availability is an overriding concern. If availability is a concern, the system must alert the designated staff\n (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit\n processing failure.'\n desc 'It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit\n logs as required. Without this notification, the security personnel may be unaware of an impending failure of the\n audit capability, and system operation may be adversely affected.\n Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit\n storage capacity being reached or exceeded.\n This requirement applies to each audit data storage repository (i.e., distinct information system component where\n audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage\n repositories combined), or both.'\n desc 'check', 'Confirm the audit configuration regarding how auditing processing failures are handled.\n\nCheck to see what level \"auditctl\" is set to with following command:\n\n # auditctl -s | grep -i \"fail\"\n failure 2\n\nNote: If the value of \"failure\" is set to \"2\", the system is configured to panic (shut down) in the event of an auditing failure. If the value of \"failure\" is set to \"1\", the system will not shut down and instead will record the audit failure in the kernel log. 
If the system is configured as per requirement RHEL-07-031000, the kernel log will be sent to a log aggregation server and generate an alert.\n\nIf the \"failure\" setting is set to any value other than \"1\" or \"2\", this is a finding.\n\nIf the \"failure\" setting is not set, this should be upgraded to a CAT I finding.\n\nIf the \"failure\" setting is set to \"1\" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.'\n desc 'fix', 'Configure the operating system to shut down in the event of an audit processing failure.\n Add or correct the option to shut down the operating system with the following command:\n # auditctl -f 2\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n -f 2\n If availability has been determined to be more important, and this decision is documented with the ISSO, configure\n the operating system to notify system administration staff and ISSO staff in the event of an audit processing\n failure with the following command:\n # auditctl -f 1\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n -f 1\n Kernel log monitoring must also be configured to properly alert designated staff.\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72081', 'SV-86705']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000046-GPOS-00022'\n tag satisfies: ['SRG-OS-000046-GPOS-00022', 'SRG-OS-000047-GPOS-00023']\n tag gid: 'V-204504'\n tag rid: 'SV-204504r880761_rule'\n tag stig_id: 'RHEL-07-030010'\n tag fix_id: 'F-4628r880760_fix'\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n monitor_kernel_log = 
input('monitor_kernel_log')\n\n if auditd.status['failure'].nil?\n impact 0.5\n elsif auditd.status['failure'].match?(/^1$/) && !monitor_kernel_log\n impact 0.3\n end\n\n if !monitor_kernel_log\n describe auditd.status['failure'] do\n it { should match(/^2$/) }\n end\n else\n describe auditd.status['failure'] do\n it { should match(/^(1|2)$/) }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204514.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204504.rb", "line": 1 }, - "id": "SV-204514" + "id": "SV-204504" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using rhosts authentication.", + "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/sbin/postdrop\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", + "check": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n To determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command:\n # grep -i IgnoreRhosts /etc/ssh/sshd_config\n IgnoreRhosts yes\n If the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.", + "fix": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n IgnoreRhosts yes" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72175", - "SV-86799" + "V-72243", + "SV-86867" ], "severity": "medium", - "gtitle": "SRG-OS-000042-GPOS-00020", - "satisfies": [ - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172" - ], - "gid": "V-204554", - "rid": "SV-204554r861059_rule", - "stig_id": "RHEL-07-030760", - "fix_id": "F-4678r861058_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204590", + "rid": "SV-204590r603261_rule", + "stig_id": "RHEL-07-040350", + "fix_id": "F-4714r88963_fix", "cci": [ - "CCI-000135", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "ssh" ], "host": null }, - "code": "control 'SV-204554' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/sbin/postdrop\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72175', 'SV-86799']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204554'\n tag rid: 'SV-204554r861059_rule'\n tag stig_id: 'RHEL-07-030760'\n tag fix_id: 'F-4678r861058_fix'\n tag cci: ['CCI-000135', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/postdrop'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit 
config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-postfix')\n end\n end\n end\nend\n", + "code": "control 'SV-204590' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using rhosts authentication.'\n desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow authentication using known hosts authentication.\n To determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command:\n # grep -i IgnoreRhosts /etc/ssh/sshd_config\n IgnoreRhosts yes\n If the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow authentication using known hosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n IgnoreRhosts yes'\n impact 0.5\n tag legacy: ['V-72243', 'SV-86867']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204590'\n tag rid: 'SV-204590r603261_rule'\n tag stig_id: 'RHEL-07-040350'\n tag fix_id: 'F-4714r88963_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not 
installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('IgnoreRhosts') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204554.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204590.rb", "line": 1 }, - "id": "SV-204554" + "id": "SV-204590" }, { - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/security/opasswd.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a\n minimum of eight of the total number of characters must be changed.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/security/opasswd.\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/security/opasswd /etc/audit/audit.rules\n -w /etc/security/opasswd -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/security/opasswd.\n Add or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/security/opasswd -p wa -k identity\n The audit daemon must be restarted for the changes to take effect:\n # systemctl restart auditd" + "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "check": "The \"difok\" option sets the number of characters in a password that must not be present in the old\n password.\n Check for the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep difok /etc/security/pwquality.conf\n difok = 8\n If the value of \"difok\" is set to less than \"8\", this is a finding.", + "fix": "Configure the operating system to require the change of at least eight of the total number of\n characters when passwords are changed by setting the \"difok\" option.\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n difok = 8" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-87825", - "V-73173" + "V-71911", + "SV-86535" ], "severity": "medium", - "gtitle": "SRG-OS-000004-GPOS-00004", - "gid": "V-204568", - "rid": "SV-204568r853982_rule", - "stig_id": "RHEL-07-030874", - "fix_id": "F-4692r744114_fix", + "gtitle": "SRG-OS-000072-GPOS-00040", + "gid": "V-204411", + "rid": "SV-204411r603261_rule", + "stig_id": "RHEL-07-010160", + "fix_id": "F-4535r88426_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" + "CCI-000195" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" + "IA-5 (1) (b)" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "pwquality", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204568' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/security/opasswd.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating 
to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/security/opasswd.\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/security/opasswd /etc/audit/audit.rules\n -w /etc/security/opasswd -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/security/opasswd.\n Add or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/security/opasswd -p wa -k identity\n The audit daemon must be restarted for the changes to take effect:\n # systemctl restart auditd'\n impact 0.5\n tag legacy: ['SV-87825', 'V-73173']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag gid: 'V-204568'\n tag rid: 'SV-204568r853982_rule'\n tag stig_id: 'RHEL-07-030874'\n tag fix_id: 'F-4692r744114_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/security/opasswd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 
'a')\n end\n end\n end\nend\n", + "code": "control 'SV-204411' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a\n minimum of eight of the total number of characters must be changed.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', 'The \"difok\" option sets the number of characters in a password that must not be present in the old\n password.\n Check for the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep difok /etc/security/pwquality.conf\n difok = 8\n If the value of \"difok\" is set to less than \"8\", this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of at least eight of the total number of\n characters when passwords are changed by setting the \"difok\" option.\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n difok = 8'\n impact 0.5\n tag legacy: ['V-71911', 'SV-86535']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-204411'\n tag rid: 'SV-204411r603261_rule'\n tag stig_id: 'RHEL-07-010160'\n tag fix_id: 'F-4535r88426_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('difok') { should cmp >= input('difok') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204568.rb", + 
"ref": "./Red Hat 7 STIG/controls/SV-204411.rb", "line": 1 }, - "id": "SV-204568" + "id": "SV-204411" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for\n local interactive users are be group-owned by the users primary group or root.", - "desc": "Local initialization files for interactive users are used to configure the user's shell environment upon\n logon. Malicious modification of these files could compromise accounts upon logon.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Local initialization files for interactive users are used to configure the user's shell environment upon\n logon. 
Malicious modification of these files could compromise accounts upon logon.", - "check": "Verify the local initialization files of all local interactive users are group-owned by that user's\n primary Group Identifier (GID).\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: The example will be for the smithj user, who has a home directory of \"/home/smithj\" and a primary group of\n \"users\".\n # awk -F: '($4>=1000)&&($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd\n smithj 1000 /home/smithj\n # grep 1000 /etc/group\n users:x:1000:smithj,jonesj,jacksons\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n Check the group owner of all local interactive user's initialization files with the following command:\n # ls -al /home/smithj/.[^.]* | more\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a\n finding.", - "fix": "Change the group owner of a local interactive user's files to the group found in \"/etc/passwd\" for the\n user. To change the group owner of a local interactive user's home directory, use the following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\", and has a primary group\n of users.\n # chgrp users /home/smithj/.[^.]*" + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/userhelper\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72031", - "SV-86655" + "SV-86781", + "V-72157" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204475", - "rid": "SV-204475r603836_rule", - "stig_id": "RHEL-07-020700", - "fix_id": "F-4599r88618_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "satisfies": [ + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-204546", + "rid": "SV-204546r861038_rule", + "stig_id": "RHEL-07-030670", + "fix_id": "F-4670r861037_fix", "cci": [ - "CCI-000366" + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)" ], "subsystems": [ - "init_files" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204475' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for\n local interactive users are be group-owned by the users primary group or root.'\n desc \"Local initialization files for interactive users are used to configure the user's shell environment upon\n logon. Malicious modification of these files could compromise accounts upon logon.\"\n desc 'check', %q(Verify the local initialization files of all local interactive users are group-owned by that user's\n primary Group Identifier (GID).\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: The example will be for the smithj user, who has a home directory of \"/home/smithj\" and a primary group of\n \"users\".\n # awk -F: '($4>=1000)&&($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd\n smithj 1000 /home/smithj\n # grep 1000 /etc/group\n users:x:1000:smithj,jonesj,jacksons\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n Check the group owner of all local interactive user's initialization files with the following command:\n # ls -al /home/smithj/.[^.]* | more\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a\n finding.)\n desc 'fix', %q(Change the group owner of a local interactive user's files to the group found in \"/etc/passwd\" for the\n user. To change the group owner of a local interactive user's home directory, use the following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\", and has a primary group\n of users.\n # chgrp users /home/smithj/.[^.]*)\n impact 0.5\n tag legacy: ['V-72031', 'SV-86655']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204475'\n tag rid: 'SV-204475r603836_rule'\n tag stig_id: 'RHEL-07-020700'\n tag fix_id: 'F-4599r88618_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n findings += command(\"find #{user_info.home} -name '.*' -not -gid #{user_info.gid} -not -group root\").stdout.split(\"\\n\")\n end\n describe findings do\n its('length') { should == 0 }\n end\n end\nend\n", + "code": "control 'SV-204546' do\n title 'The Red Hat 
Enterprise Linux operating system must audit all uses of the userhelper command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/userhelper\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86781', 'V-72157']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204546'\n tag rid: 'SV-204546r861038_rule'\n tag stig_id: 'RHEL-07-030670'\n tag fix_id: 'F-4670r861037_fix'\n tag 
cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/userhelper'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204475.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204546.rb", "line": 1 }, - "id": "SV-204475" + "id": "SV-204546" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit\n Kerberos authentication unless needed.", - "desc": "Kerberos authentication for SSH is often implemented using Generic Security Service Application Program\n Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's\n Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to\n exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be\n disabled for systems not using this capability.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only\n account having unrestricted access to the system.", + "desc": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that\n account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an\n opportunity for potential intruders to guess a password for a privileged account.", "descriptions": { - "default": "Kerberos authentication for SSH is often implemented using Generic Security Service Application Program\n Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's\n Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to\n exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be\n disabled for systems not using this capability.", - "check": "Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n # grep -i kerberosauth /etc/ssh/sshd_config\n KerberosAuthentication no\n If the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information\n System Security Officer (ISSO), or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"KerberosAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"no\":\n KerberosAuthentication no\n The SSH service must be restarted for changes to take effect.\n If Kerberos authentication is required, it must be documented, to include the location of the configuration file,\n with the ISSO." + "default": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that\n account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an\n opportunity for potential intruders to guess a password for a privileged account.", + "check": "Check the system for duplicate UID \"0\" assignments with the following command:\n # awk -F: '$3 == 0 {print $1}' /etc/passwd\n If any accounts other than root have a UID of \"0\", this is a finding.", + "fix": "Change the UID of any account on the system, other than root, that has a UID of \"0\".\n If the account is associated with system commands or applications, the UID should be changed to one greater than \"0\"\n but less than \"1000\". Otherwise, assign a UID of greater than \"1000\" that has not already been assigned." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "V-72261", - "SV-86885" + "SV-86629", + "V-72005" ], - "severity": "medium", - "gtitle": "SRG-OS-000364-GPOS-00151", - "gid": "V-204599", - "rid": "SV-204599r853994_rule", - "stig_id": "RHEL-07-040440", - "fix_id": "F-4723r88990_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204462", + "rid": "SV-204462r603261_rule", + "stig_id": "RHEL-07-020310", + "fix_id": "F-4586r88579_fix", "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" + "CCI-000366" ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1)", - "CM-5 (1) (a)" + "CM-6 b" ], "subsystems": [ - "ssh" + "accounts" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204599' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit\n Kerberos authentication unless needed.'\n desc \"Kerberos authentication for SSH is often implemented using Generic Security Service Application Program\n Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's\n Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to\n exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be\n disabled for systems not using this capability.\"\n desc 'check', 'Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n # grep -i kerberosauth /etc/ssh/sshd_config\n KerberosAuthentication no\n If the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information\n System Security Officer (ISSO), or the returned line is commented out, this is a finding.'\n desc 'fix', 'Uncomment the \"KerberosAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"no\":\n KerberosAuthentication no\n The SSH service must be restarted for changes to take effect.\n If Kerberos authentication is required, it must be documented, to include the location of the configuration file,\n with the ISSO.'\n impact 0.5\n tag legacy: ['V-72261', 'SV-86885']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000364-GPOS-00151'\n tag gid: 'V-204599'\n tag rid: 'SV-204599r853994_rule'\n tag stig_id: 'RHEL-07-040440'\n tag fix_id: 'F-4723r88990_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('KerberosAuthentication') { should cmp 'no' }\n end\n end\nend\n", + "code": "control 'SV-204462' do\n title 'The 
Red Hat Enterprise Linux operating system must be configured so that the root account must be the only\n account having unrestricted access to the system.'\n desc 'If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that\n account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an\n opportunity for potential intruders to guess a password for a privileged account.'\n desc 'check', %q(Check the system for duplicate UID \"0\" assignments with the following command:\n # awk -F: '$3 == 0 {print $1}' /etc/passwd\n If any accounts other than root have a UID of \"0\", this is a finding.)\n desc 'fix', 'Change the UID of any account on the system, other than root, that has a UID of \"0\".\n If the account is associated with system commands or applications, the UID should be changed to one greater than \"0\"\n but less than \"1000\". Otherwise, assign a UID of greater than \"1000\" that has not already been assigned.'\n impact 0.7\n tag legacy: ['SV-86629', 'V-72005']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204462'\n tag rid: 'SV-204462r603261_rule'\n tag stig_id: 'RHEL-07-020310'\n tag fix_id: 'F-4586r88579_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['accounts']\n tag 'host'\n tag 'container'\n\n describe passwd.uids(0) do\n its('users') { should cmp 'root' }\n its('entries.length') { should eq 1 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204599.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204462.rb", "line": 1 }, - "id": "SV-204599" + "id": "SV-204462" }, { - "title": "The Red Hat Enterprise Linux operating system must have the required packages for multifactor\n authentication installed.", - "desc": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise 
will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "title": "The Red Hat Enterprise Linux operating system must implement virtual address space randomization.", + "desc": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of\n attack code he or she has introduced into a process's address space during an attempt at exploitation. 
Additionally,\n ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it\n using return-oriented programming (ROP) techniques.", "descriptions": { - "default": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).", - "check": "Verify the operating system has the packages required for multifactor authentication installed.\n Check for the presence of the packages required to support multifactor authentication with the following commands:\n # yum list installed pam_pkcs11\n pam_pkcs11-0.6.2-14.el7.noarch.rpm\n If the \"pam_pkcs11\" package is not installed, this is a finding.", - "fix": "Configure the operating system to implement multifactor authentication by installing the required packages.\n\nInstall the pam_pkcs11 package with the following command:\n\n# yum install pam_pkcs11" + "default": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of\n attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally,\n ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it\n using return-oriented programming (ROP) techniques.", + "check": "Verify the operating system implements virtual address space randomization.\n\n # grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not configured in the /etc/sysctl.conf file or or in any of the other sysctl.d directories, is commented out or does not have a value of \"2\", this is a finding.\n\nCheck that the operating system implements virtual address space randomization with the following command:\n\n # /sbin/sysctl -a | grep kernel.randomize_va_space\n kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" does not have a value of \"2\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system implement virtual address space 
randomization.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a config file\n in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n kernel.randomize_va_space = 2\n Issue the following command to make the changes take effect:\n # sysctl --system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-87041", - "V-72417" + "SV-92521", + "V-77825" ], "severity": "medium", - "gtitle": "SRG-OS-000375-GPOS-00160", - "satisfies": [ - "SRG-OS-000375-GPOS-00160", - "SRG-OS-000375-GPOS-00161", - "SRG-OS-000375-GPOS-00162" - ], - "gid": "V-204631", - "rid": "SV-204631r853997_rule", - "stig_id": "RHEL-07-041001", - "fix_id": "F-4755r462473_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204584", + "rid": "SV-204584r880794_rule", + "stig_id": "RHEL-07-040201", + "fix_id": "F-4708r880793_fix", "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" + "CCI-000366" ], "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" + "CM-6 b" ], "subsystems": [ - "MFA", - "smartcard" + "aslr", + "kernel_parameter" ], "host": null }, - "code": "control 'SV-204631' do\n title 'The Red Hat Enterprise Linux operating system must have the required packages for multifactor\n authentication installed.'\n desc \"Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote 
access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).\"\n desc 'check', 'Verify the operating system has the packages required for multifactor authentication installed.\n Check for the presence of the packages required to support multifactor authentication with the following commands:\n # yum list installed pam_pkcs11\n pam_pkcs11-0.6.2-14.el7.noarch.rpm\n If the \"pam_pkcs11\" package is not installed, this is a finding.'\n desc 'fix', 'Configure the operating system to implement multifactor authentication by installing the required packages.\n\nInstall the pam_pkcs11 package with the following command:\n\n# yum install pam_pkcs11'\n impact 0.5\n tag legacy: ['SV-87041', 'V-72417']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000375-GPOS-00161', 'SRG-OS-000375-GPOS-00162']\n tag gid: 'V-204631'\n tag rid: 'SV-204631r853997_rule'\n tag stig_id: 'RHEL-07-041001'\n tag fix_id: 'F-4755r462473_fix'\n tag cci: ['CCI-001948', 'CCI-001953', 'CCI-001954']\n tag nist: ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)']\n tag subsystems: ['MFA', 'smartcard']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n mfa_pkg_list = input('mfa_pkg_list')\n smart_card_status = input('smart_card_status')\n\n if smart_card_status.eql?('disabled')\n impact 0.5\n describe 'The system is not 
smartcard enabled thus this control is Not Applicable' do\n skip 'The system is not using Smartcards / PIVs to fulfill the MFA requirement, this control is Not Applicable.'\n end\n elsif mfa_pkg_list.empty?\n describe 'The required Smartcard packages have not been defined, please define them in your `inputs`' do\n subject { mfa_pkg_list }\n it { should_not be_empty }\n end\n else\n mfa_pkg_list.each do |pkg|\n describe \"As required for MFA, the package '#{pkg}'\" do\n subject { package(pkg.to_s) }\n it { should be_installed }\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204584' do\n title 'The Red Hat Enterprise Linux operating system must implement virtual address space randomization.'\n desc \"Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of\n attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally,\n ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it\n using return-oriented programming (ROP) techniques.\"\n desc 'check', 'Verify the operating system implements virtual address space randomization.\n\n # grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not configured in the /etc/sysctl.conf file or or in any of the other sysctl.d directories, is commented out or does not have a value of \"2\", this is a finding.\n\nCheck that the operating system implements virtual address space randomization with the following command:\n\n # /sbin/sysctl -a | grep kernel.randomize_va_space\n kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" does not have a value of \"2\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system 
implement virtual address space randomization.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a config file\n in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n kernel.randomize_va_space = 2\n Issue the following command to make the changes take effect:\n # sysctl --system'\n impact 0.5\n tag legacy: ['SV-92521', 'V-77825']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204584'\n tag rid: 'SV-204584r880794_rule'\n tag stig_id: 'RHEL-07-040201'\n tag fix_id: 'F-4708r880793_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['aslr', 'kernel_parameter']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n randomize_va_space = input('randomize_va_space')\n config_file_values = command('grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [randomize_va_space.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set randomize_va_space to #{randomize_va_space}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter kernel.randomize_va_space' do\n subject { kernel_parameter('kernel.randomize_va_space') }\n its('value') { should eq randomize_va_space }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 
STIG/controls/SV-204631.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204584.rb", "line": 1 }, - "id": "SV-204631" + "id": "SV-204584" }, { - "title": "The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when\n possible on all interfaces.", - "desc": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n compression or only allows compression after successful authentication.", + "desc": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression\n software could result in compromise of the system from an unauthenticated connection, potentially with root\n privileges.", "descriptions": { - "default": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. 
It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.", - "check": "Verify the system uses a reverse-path filter for IPv4:\n\n # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter\n net.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" + "default": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression\n software could result in compromise of the system from an unauthenticated connection, potentially with root\n privileges.", + "check": "Note: For RHEL 7.4 and above, this requirement is not applicable.\n\nVerify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n # grep -i compression /etc/ssh/sshd_config\n Compression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is 
a finding.", + "fix": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or\n be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set\n the value to \"delayed\" or \"no\":\n Compression no\n The SSH service must be restarted for changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-92251", - "SV-102353" + "SV-86891", + "V-72267" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204610", - "rid": "SV-204610r880800_rule", - "stig_id": "RHEL-07-040611", - "fix_id": "F-4734r880799_fix", + "gid": "V-204602", + "rid": "SV-204602r880758_rule", + "stig_id": "RHEL-07-040470", + "fix_id": "F-4726r880757_fix", "cci": [ "CCI-000366" ], 
@@ -2760,128 +2668,158 @@ "CM-6 b" ], "subsystems": [ - "kernel_parameter", - "ipv4" + "ssh" ], "host": null }, - "code": "control 'SV-204610' do\n title 'The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when\n possible on all interfaces.'\n desc 'Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.'\n desc 'check', 'Verify the system uses a reverse-path filter for IPv4:\n\n # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter\n net.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-92251', 'SV-102353']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204610'\n tag rid: 'SV-204610r880800_rule'\n tag stig_id: 'RHEL-07-040611'\n tag fix_id: 'F-4734r880799_fix'\n tag 
cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n rp_filter = 1\n config_file_values = command('grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [rp_filter.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set rp_filter to #{rp_filter}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.all.rp_filter' do\n subject { kernel_parameter('net.ipv4.conf.all.rp_filter') }\n its('value') { should eq rp_filter }\n end\n end\nend\n", + "code": "control 'SV-204602' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n compression or only allows compression after successful authentication.'\n desc 'If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression\n software could result in compromise of the system from an unauthenticated connection, potentially with root\n privileges.'\n desc 'check', 'Note: For RHEL 7.4 and above, this requirement is not applicable.\n\nVerify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following 
command:\n\n # grep -i compression /etc/ssh/sshd_config\n Compression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding.'\n desc 'fix', 'Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or\n be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set\n the value to \"delayed\" or \"no\":\n Compression no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86891', 'V-72267']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204602'\n tag rid: 'SV-204602r880758_rule'\n tag stig_id: 'RHEL-07-040470'\n tag fix_id: 'F-4726r880757_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n\n elsif os.release.to_f >= 7.4\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip 'For RHEL 7.4 and above, this requirement is not applicable.'\n end\n\n else\n\n describe.one do\n describe sshd_config do\n its('Compression') { should cmp 'delayed' }\n end\n describe sshd_config do\n its('Compression') { should cmp 'no' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204610.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204602.rb", "line": 1 }, - "id": "SV-204610" + "id": "SV-204602" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce\n records containing information to establish what type of events occurred, where the events occurred, the source of\n the events, and the outcome of the events. 
These audit records must also identify individual identities of group\n account users.", - "desc": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and\n investigate the events leading up to an outage or attack.\n Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source\n and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames\n involved, and access control or flow control rules invoked.\n Associating event types with detected events in the operating system audit logs provides a means of investigating an\n attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating\n system.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all system device files are\n correctly labeled to prevent unauthorized modification.", + "desc": "If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system\n may perform unintended or unauthorized operations.", "descriptions": { - "default": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and\n investigate the events leading up to an outage or attack.\n Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source\n and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames\n involved, and access control or flow control rules invoked.\n Associating event types with detected events in the operating system audit logs provides a means of investigating an\n attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating\n system.", - "check": "Verify the operating system produces audit records containing information to establish when (date\n and time) 
the events occurred.\n Check to see if auditing is active by issuing the following command:\n # systemctl is-active auditd.service\n active\n If the \"auditd\" status is not active, this is a finding.", - "fix": "Configure the operating system to produce audit records containing information to establish when (date\n and time) the events occurred.\n Enable the auditd service with the following command:\n # systemctl start auditd.service" + "default": "If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system\n may perform unintended or unauthorized operations.", + "check": "Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* ( -type c -o -type b ) -printf \"%p %Z\\n\"\n\n#find /dev -context *:unlabeled_t:* ( -type c -o -type b ) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as \"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. 
These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding.", + "fix": "Run the following command to determine which package owns the device file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh " }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86703", - "V-72079" + "SV-86663", + "V-72039" ], "severity": "medium", - "gtitle": "SRG-OS-000038-GPOS-00016", - "satisfies": [ - "SRG-OS-000038-GPOS-00016", - "SRG-OS-000039-GPOS-00017", - "SRG-OS-000042-GPOS-00021", - "SRG-OS-000254-GPOS-00095", - "SRG-OS-000255-GPOS-00096" - ], - "gid": "V-204503", - "rid": "SV-204503r603261_rule", - "stig_id": "RHEL-07-030000", - "fix_id": "F-36311r602643_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204479", + "rid": "SV-204479r853899_rule", + "stig_id": "RHEL-07-020900", + "fix_id": "F-4603r88630_fix", "cci": [ - "CCI-000126", - "CCI-000131" + "CCI-000318", + "CCI-000368", + "CCI-001812", + "CCI-001813", + "CCI-001814" ], "nist": [ - "AU-2 d", - "AU-3", - "AU-2 c", - "AU-3 b" - ], + "CM-3 f", + "CM-6 c", + "CM-11 (2)", + "CM-5 (1)", + "CM-5 (1) (a)" + ], "subsystems": [ - "audit", - "auditd" + "system_device", + "device_files" ], "host": null }, - "code": "control 'SV-204503' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce\n records containing information to establish what type of events occurred, where the events occurred, the source of\n the events, and the outcome of the events. 
These audit records must also identify individual identities of group\n account users.'\n desc 'Without establishing what type of events occurred, it would be difficult to establish, correlate, and\n investigate the events leading up to an outage or attack.\n Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source\n and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames\n involved, and access control or flow control rules invoked.\n Associating event types with detected events in the operating system audit logs provides a means of investigating an\n attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating\n system.'\n desc 'check', 'Verify the operating system produces audit records containing information to establish when (date\n and time) the events occurred.\n Check to see if auditing is active by issuing the following command:\n # systemctl is-active auditd.service\n active\n If the \"auditd\" status is not active, this is a finding.'\n desc 'fix', 'Configure the operating system to produce audit records containing information to establish when (date\n and time) the events occurred.\n Enable the auditd service with the following command:\n # systemctl start auditd.service'\n impact 0.5\n tag legacy: ['SV-86703', 'V-72079']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000038-GPOS-00016'\n tag satisfies: ['SRG-OS-000038-GPOS-00016', 'SRG-OS-000039-GPOS-00017', 'SRG-OS-000042-GPOS-00021', 'SRG-OS-000254-GPOS-00095', 'SRG-OS-000255-GPOS-00096']\n tag gid: 'V-204503'\n tag rid: 'SV-204503r603261_rule'\n tag stig_id: 'RHEL-07-030000'\n tag fix_id: 'F-36311r602643_fix'\n tag cci: ['CCI-000126', 'CCI-000131']\n tag nist: ['AU-2 d', 'AU-3', 'AU-2 c', 'AU-3 b']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable 
- audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe service('auditd') do\n it { should be_running }\n end\n end\nend\n", + "code": "control 'SV-204479' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all system device files are\n correctly labeled to prevent unauthorized modification.'\n desc 'If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system\n may perform unintended or unauthorized operations.'\n desc 'check', %q(Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\n#find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as \"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. 
These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding.)\n desc 'fix', 'Run the following command to determine which package owns the device file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh '\n impact 0.5\n tag legacy: ['SV-86663', 'V-72039']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204479'\n tag rid: 'SV-204479r853899_rule'\n tag stig_id: 'RHEL-07-020900'\n tag fix_id: 'F-4603r88630_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['system_device', 'device_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n virtual_machine = input('virtual_machine')\n\n findings = Set[]\n findings += command('find / -xdev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n findings += command('find / -xdev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n findings += command('find / -xdev -context *:vmci_device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n\n describe findings do\n if virtual_machine\n its('length') { should cmp 1 }\n its('first') { should include '/dev/vmci' }\n else\n its('length') { should cmp 0 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204503.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204479.rb", "line": 1 }, - "id": "SV-204503" + "id": "SV-204479" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured 
so that all network connections associated\n with SSH traffic terminate after a period of inactivity.", - "desc": "Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using RSA rhosts authentication.", + "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", "descriptions": { - "default": "Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", - "check": "Verify the operating system automatically terminates a user session after inactivity time-outs have\n expired.\n Check for the value of the \"ClientAliveCountMax\" keyword with the following command:\n # grep -i clientalivecount /etc/ssh/sshd_config\n ClientAliveCountMax 0\n If \"ClientAliveCountMax\" is not set to \"0\", this is a finding.", - "fix": "Configure the operating system to terminate automatically a user session after inactivity time-outs\n have expired or at shutdown.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor):\n ClientAliveCountMax 0\n The SSH service must be restarted for changes to take effect." 
+ "default": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", + "check": "Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n If the release is 7.4 or newer this requirement is Not Applicable.\n Verify the SSH daemon does not allow authentication using RSA rhosts authentication.\n To determine how the SSH daemon's \"RhostsRSAAuthentication\" option is set, run the following command:\n # grep RhostsRSAAuthentication /etc/ssh/sshd_config\n RhostsRSAAuthentication no\n If the value is returned as \"yes\", the returned line is commented out, or no output is returned, this is a finding.", + "fix": "Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n RhostsRSAAuthentication no\n The SSH service must be restarted for changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86865", - "V-72241" + "V-72239", + "SV-86863" ], "severity": "medium", - "gtitle": "SRG-OS-000163-GPOS-00072", - "satisfies": [ - "SRG-OS-000163-GPOS-00072", - "SRG-OS-000279-GPOS-00109" - ], - "gid": "V-204589", - "rid": "SV-204589r853992_rule", - "stig_id": "RHEL-07-040340", - "fix_id": "F-4713r88960_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204588", + "rid": "SV-204588r603261_rule", + "stig_id": "RHEL-07-040330", + "fix_id": "F-4712r88957_fix", "cci": [ - "CCI-001133", - "CCI-002361" + "CCI-000366" ], "nist": [ - "SC-10", - "AC-12" + "CM-6 b" ], "subsystems": [ "ssh" ], "host": null }, - "code": "control 'SV-204589' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with SSH traffic terminate after a period of inactivity.'\n desc 'Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.'\n desc 'check', 'Verify the operating system automatically terminates a user session after inactivity time-outs have\n expired.\n Check for the value of the \"ClientAliveCountMax\" keyword with the following command:\n # grep -i clientalivecount /etc/ssh/sshd_config\n ClientAliveCountMax 0\n If \"ClientAliveCountMax\" is not set to \"0\", this is a finding.'\n desc 'fix', 'Configure the operating system to terminate automatically a user session after inactivity time-outs\n have expired or at shutdown.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor):\n ClientAliveCountMax 0\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86865', 'V-72241']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag satisfies: ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000279-GPOS-00109']\n tag gid: 'V-204589'\n tag rid: 'SV-204589r853992_rule'\n tag stig_id: 'RHEL-07-040340'\n tag fix_id: 'F-4713r88960_fix'\n tag cci: ['CCI-001133', 'CCI-002361']\n tag nist: ['SC-10', 'AC-12']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && 
!file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif os.release.to_f >= 7.4\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip 'The release is newer than 7.4; this control is Not Applicable.'\n end\n else\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp '0' }\n end\n end\nend\n", + "code": "control 'SV-204588' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using RSA rhosts authentication.'\n desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n If the release is 7.4 or newer this requirement is Not Applicable.\n Verify the SSH daemon does not allow authentication using RSA rhosts authentication.\n To determine how the SSH daemon's \"RhostsRSAAuthentication\" option is set, run the following command:\n # grep RhostsRSAAuthentication /etc/ssh/sshd_config\n RhostsRSAAuthentication no\n If the value is returned as \"yes\", the returned line is commented out, or no output is returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n RhostsRSAAuthentication no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['V-72239', 'SV-86863']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204588'\n tag rid: 'SV-204588r603261_rule'\n tag stig_id: 'RHEL-07-040330'\n tag fix_id: 
'F-4712r88957_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif os.release.to_f >= 7.4\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip 'For RHEL 7.4 and above, this requirement is not applicable.'\n end\n else\n describe sshd_config do\n its('RhostsRSAAuthentication') { should cmp 'no' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204589.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204588.rb", "line": 1 }, - "id": "SV-204589" + "id": "SV-204588" }, { - "title": "The Red Hat Enterprise Linux operating system must lock the associated account after 3 unsuccessful\n root logon attempts are made within a 15-minute period.", - "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories have a mode of 0750 or less permissive.", + "desc": "If a local interactive user files have excessive permissions, unintended users may be able to access or\n modify them.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute forcing, is reduced. 
Limits are imposed by locking the account.", - "check": "Verify the operating system automatically locks the root account, for a minimum of 15 minutes, when\n 3 unsuccessful logon attempts in 15 minutes are made.\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n account required pam_faillock.so\n If the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or\n is missing from a line, this is a finding.\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n account required pam_faillock.so\n If the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or\n is missing from a line, this is a finding.", - "fix": "Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when 3 unsuccessful logon attempts in 15 minutes are made.\n\nModify the first 3 lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes 
to the listed files will be overwritten whenever the authconfig utility is used." + "default": "If a local interactive user files have excessive permissions, unintended users may be able to access or\n modify them.", + "check": "Verify all files and directories contained in a local interactive user home directory, excluding\n local initialization files, have a mode of \"0750\".\n Check the mode of all non-initialization files in a local interactive user home directory with the following\n command:\n Files that begin with a \".\" are excluded from this requirement.\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n # ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n If any files are found with a mode more permissive than \"0750\", this is a finding.", + "fix": "Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n # chmod 0750 /home/smithj/" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71945", - "SV-86569" + "V-72027", + "SV-86651" + ], + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204473", + "rid": "SV-204473r603261_rule", + "stig_id": "RHEL-07-020680", + "fix_id": "F-4597r88612_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ], + "subsystems": [ + "home_dirs" + ], + "host": null, + "container": null + }, + "code": "control 'SV-204473' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories have a mode of 0750 or less permissive.'\n desc 'If a local interactive user files have excessive permissions, unintended users may be able to access 
or\n modify them.'\n desc 'check', 'Verify all files and directories contained in a local interactive user home directory, excluding\n local initialization files, have a mode of \"0750\".\n Check the mode of all non-initialization files in a local interactive user home directory with the following\n command:\n Files that begin with a \".\" are excluded from this requirement.\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n # ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n If any files are found with a mode more permissive than \"0750\", this is a finding.'\n desc 'fix', 'Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n # chmod 0750 /home/smithj/'\n impact 0.5\n tag legacy: ['V-72027', 'SV-86651']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204473'\n tag rid: 'SV-204473r603261_rule'\n tag stig_id: 'RHEL-07-020680'\n tag fix_id: 'F-4597r88612_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -xdev ! 
-name '.*' -perm -#{input('home_dir_files_mode')} ! -type l\").stdout.split(\"\\n\")\n end\n describe 'Home directories with excessive permissions' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 7 STIG/controls/SV-204473.rb", + "line": 1 + }, + "id": "SV-204473" + }, + { + "title": "The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15\n minutes after 3 unsuccessful logon attempts within a 15-minute timeframe.", + "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.", + "descriptions": { + "default": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.", + "check": "Check that the system locks an account for a minimum of 15 minutes after 3 unsuccessful logon\n attempts within a period of 15 minutes with the following command:\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n account required pam_faillock.so\n If the \"deny\" parameter is set to \"0\" or a value greater than '3' on both \"auth\" lines with the \"pam_faillock.so\"\n module, or is missing from these lines, this is a finding.\n If the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing\n from these lines, this is a finding.\n If the \"fail_interval\" parameter is set to \"0\" or is set to a value less than '900' on both \"auth\" lines with the\n \"pam_faillock.so\" module, or is missing from 
these lines, this is a finding.\n If the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than '900' on both \"auth\" lines\n with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n Note: The maximum configurable value for \"unlock_time\" is \"604800\".\n If any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n account required pam_faillock.so\n If the \"deny\" parameter is set to \"0\" or a value greater than '3' on both \"auth\" lines with the \"pam_faillock.so\"\n module, or is missing from these lines, this is a finding.\n If the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing\n from these lines, this is a finding.\n If the \"fail_interval\" parameter is set to \"0\" or is set to a value less than '900' on both \"auth\" lines with the\n \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n If the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than '900' on both \"auth\" lines\n with the \"pam_faillock.so\" module or is missing from these lines, this is a finding.\n Note: The maximum configurable value for \"unlock_time\" is \"604800\".\n If any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.", + "fix": "Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit 
deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." + }, + "impact": 0.5, + "refs": [], + "tags": { + "legacy": [ + "V-71943", + "SV-86567" ], "severity": "medium", "gtitle": "SRG-OS-000329-GPOS-00128", 
@@ -2889,135 +2827,142 @@
 "SRG-OS-000329-GPOS-00128",
 "SRG-OS-000021-GPOS-00005"
 ],
- "gid": "V-204428",
- "rid": "SV-204428r880845_rule",
- "stig_id": "RHEL-07-010330",
- "fix_id": "F-4552r880844_fix",
+ "gid": "V-204427",
+ "rid": "SV-204427r880842_rule",
+ "stig_id": "RHEL-07-010320",
+ "fix_id": "F-4551r880841_fix",
 "cci": [
+ "CCI-000044",
+ "CCI-002236",
+ "CCI-002237",
 "CCI-002238"
 ],
 "nist": [
+ "AC-7 a",
+ "AC-7 b",
+ "AC-7 b",
 "AC-7 b"
 ],
 "subsystems": [
- "pam"
+ "pam",
+ "faillock"
 ],
 "host": null,
 "container": null
 },
- "code": "control 'SV-204428' do\n title \"The Red Hat Enterprise Linux operating system must lock the associated account after #{input('unsuccessful_attempts')} unsuccessful\n root logon attempts are made within a #{input('fail_interval')/60}-minute period.\"\n desc 'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.'\n desc 'check', \"Verify the operating system automatically locks the root account, for a minimum of #{input('lockout_time')/60} minutes, when\n #{input('unsuccessful_attempts')} unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made.\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n account required pam_faillock.so\n If the \\\"even_deny_root\\\" setting is not defined on both lines with the \\\"pam_faillock.so\\\" module, is commented out, or\n is missing from a line, this is a finding.\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent 
audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n account required pam_faillock.so\n If the \\\"even_deny_root\\\" setting is not defined on both lines with the \\\"pam_faillock.so\\\" module, is commented out, or\n is missing from a line, this is a finding.\"\n desc 'fix', \"Configure the operating system to automatically lock the root account, for a minimum of #{input('lockout_time')/60} minutes, when #{input('unsuccessful_attempts')} unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made.\n\nModify the first #{input('unsuccessful_attempts')} lines of the auth section and the first line of the account section of the \\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\naccount required pam_faillock.so\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.\"\n impact 0.5\n tag legacy: ['V-71945', 'SV-86569']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000329-GPOS-00128'\n tag satisfies: ['SRG-OS-000329-GPOS-00128', 'SRG-OS-000021-GPOS-00005']\n tag gid: 'V-204428'\n tag rid: 'SV-204428r880845_rule'\n tag 
stig_id: 'RHEL-07-010330'\n tag fix_id: 'F-4552r880844_fix'\n tag cci: ['CCI-002238']\n tag nist: ['AC-7 b']\n tag subsystems: ['pam']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') do\n should match_pam_rule('auth .* pam_faillock.so preauth even_deny_root')\n end\n its('lines') do\n should match_pam_rule('auth .* pam_faillock.so authfail even_deny_root')\n end\n end\n describe pam('/etc/pam.d/system-auth') do\n its('lines') do\n should match_pam_rule('auth .* pam_faillock.so preauth even_deny_root')\n end\n its('lines') do\n should match_pam_rule('auth .* pam_faillock.so authfail even_deny_root')\n end\n end\nend\n", + "code": "control 'SV-204427' do\n title \"The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of #{input('lockout_time')/60}\n minutes after #{input('unsuccessful_attempts')} unsuccessful logon attempts within a #{input('fail_interval')/60}-minute timeframe.\"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by locking the account.\"\n desc 'check', \"Check that the system locks an account for a minimum of #{input('lockout_time')/60} minutes after #{input('unsuccessful_attempts')} unsuccessful logon\n attempts within a period of #{input('fail_interval')/60} minutes with the following command:\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n account required pam_faillock.so\n If the \\\"deny\\\" parameter is set to \\\"0\\\" or a value greater than '#{input('unsuccessful_attempts')}' on both \\\"auth\\\" lines with the \\\"pam_faillock.so\\\"\n module, or is missing from these lines, this is a finding.\n If the \\\"even_deny_root\\\" parameter is not set on both \\\"auth\\\" lines with the \\\"pam_faillock.so\\\" module, or is missing\n from these lines, this is a finding.\n If the \\\"fail_interval\\\" parameter is set to \\\"0\\\" or is set to a value less than '#{input('fail_interval')}' on both \\\"auth\\\" lines with the\n \\\"pam_faillock.so\\\" module, or is missing from these lines, this is a finding.\n If the \\\"unlock_time\\\" parameter is not set to \\\"0\\\", \\\"never\\\", or is set to a value less than '#{input('lockout_time')}' on both \\\"auth\\\" lines\n with the \\\"pam_faillock.so\\\" module, or is missing from these lines, this is a finding.\n Note: The maximum configurable value for \\\"unlock_time\\\" is \\\"604800\\\".\n If any line referencing the \\\"pam_faillock.so\\\" module is commented out, this is a finding.\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} 
even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n account required pam_faillock.so\n If the \\\"deny\\\" parameter is set to \\\"0\\\" or a value greater than '#{input('unsuccessful_attempts')}' on both \\\"auth\\\" lines with the \\\"pam_faillock.so\\\"\n module, or is missing from these lines, this is a finding.\n If the \\\"even_deny_root\\\" parameter is not set on both \\\"auth\\\" lines with the \\\"pam_faillock.so\\\" module, or is missing\n from these lines, this is a finding.\n If the \\\"fail_interval\\\" parameter is set to \\\"0\\\" or is set to a value less than '#{input('fail_interval')}' on both \\\"auth\\\" lines with the\n \\\"pam_faillock.so\\\" module, or is missing from these lines, this is a finding.\n If the \\\"unlock_time\\\" parameter is not set to \\\"0\\\", \\\"never\\\", or is set to a value less than '#{input('lockout_time')}' on both \\\"auth\\\" lines\n with the \\\"pam_faillock.so\\\" module or is missing from these lines, this is a finding.\n Note: The maximum configurable value for \\\"unlock_time\\\" is \\\"604800\\\".\n If any line referencing the \\\"pam_faillock.so\\\" module is commented out, this is a finding.\"\n desc 'fix', \"Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made.\n\nAdd/Modify the appropriate sections of the \\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail 
audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\naccount required pam_faillock.so\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.\"\n impact 0.5\n tag legacy: ['V-71943', 'SV-86567']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000329-GPOS-00128'\n tag satisfies: ['SRG-OS-000329-GPOS-00128', 'SRG-OS-000021-GPOS-00005']\n tag gid: 'V-204427'\n tag rid: 'SV-204427r880842_rule'\n tag stig_id: 'RHEL-07-010320'\n tag fix_id: 'F-4551r880841_fix'\n tag cci: ['CCI-000044', 'CCI-002236', 'CCI-002237', 'CCI-002238']\n tag nist: ['AC-7 a', 'AC-7 b', 'AC-7 b', 'AC-7 b']\n tag subsystems: ['pam', 'faillock']\n tag 'host'\n tag 'container'\n\n # pam rules files to check\n pa_rules = pam('/etc/pam.d/password-auth').lines\n sa_rules = pam('/etc/pam.d/system-auth').lines\n\n # rule patterns to match for\n faillock_rule_pattern = 'auth [default=die]|required pam_faillock.so'\n deny_pattern = faillock_rule_pattern + \" deny=#{input('unsuccessful_attempts')}\"\n fail_interval_pattern = faillock_rule_pattern + \" fail_interval=#{input('fail_interval')}\"\n unlock_time_pattern = faillock_rule_pattern + \" unlock_time=(0|never|#{input('lockout_time')})\"\n\n # explicit rulesets to look for\n req = input('required_rules')\n alt = input('alternate_rules')\n\n describe.one do\n describe 'pam rules for the faillock module' do\n it 'should exactly match an appropriately configured ruleset in password-auth' do\n expect(pa_rules).to match_pam_rules(req).exactly, \"missing required rules: #{req.select { |rule| !pa_rules.include?(rule) }}\"\n end\n end\n describe 'pam rules for the faillock module' do\n it 'should exactly match an appropriately configured ruleset in password-auth' do\n 
expect(pa_rules).to match_pam_rules(alt).exactly, \"missing alternate rules: #{alt.select { |rule| !pa_rules.include?(rule) }}\"\n end\n end\n end\n\n describe 'pam rules for the faillock module' do\n it 'should have the expected settings enabled in password-auth' do\n expect(pa_rules).to match_pam_rule(deny_pattern), \"missing: #{deny_pattern}\"\n expect(pa_rules).to match_pam_rule(fail_interval_pattern), \"missing: #{fail_interval_pattern}\"\n expect(pa_rules).to match_pam_rule(unlock_time_pattern), 'missing or misconfigured unlock_time'\n end\n end\n\n describe.one do\n describe 'pam rules for the faillock module' do\n it 'should exactly match an appropriately configured ruleset in system-auth' do\n expect(sa_rules).to match_pam_rules(req).exactly, \"missing required rules: #{req.select { |rule| !sa_rules.include?(rule) }}\"\n end\n end\n describe 'pam rules for the faillock module' do\n it 'should exactly match an appropriately configured ruleset in system-auth' do\n expect(sa_rules).to match_pam_rules(alt).exactly, \"missing alternate rules: #{alt.select { |rule| !sa_rules.include?(rule) }}\"\n end\n end\n end\n\n describe 'pam rules for the faillock module' do\n it 'should have the expected settings enabled in system-auth' do\n expect(sa_rules).to match_pam_rule(deny_pattern), \"missing: #{deny_pattern}\"\n expect(sa_rules).to match_pam_rule(fail_interval_pattern), \"missing: #{fail_interval_pattern}\"\n expect(sa_rules).to match_pam_rule(unlock_time_pattern), 'missing or misconfigured unlock_time'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204428.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204427.rb", "line": 1 }, - "id": "SV-204428" + "id": "SV-204427" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are assigned, the new password must contain at least 1 numeric character.", - "desc": "Use of a complex password helps to increase the 
time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "title": "The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirect messages.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message\n could result in a man-in-the-middle attack.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", - "check": "Note: The value to require a number of numeric characters to be set is expressed as a negative\n number in \"/etc/security/pwquality.conf\".\n Check the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n # grep dcredit /etc/security/pwquality.conf\n dcredit = -1\n If the value of \"dcredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least 1 numeric\n character be used by setting the \"dcredit\" option.\n Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n dcredit = -1" + "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message\n could result in a man-in-the-middle attack.",
+ "check": "Verify the system ignores IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_redirects\n net.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.",
+ "fix": "Set the system to ignore IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86531",
- "V-71907"
+ "SV-87827",
+ "V-73175"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000071-GPOS-00039",
- "gid": "V-204409",
- "rid": "SV-204409r603261_rule",
- "stig_id": "RHEL-07-010140",
- "fix_id": "F-4533r88420_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-204615",
+ "rid": "SV-204615r880815_rule",
+ "stig_id": "RHEL-07-040641",
+ "fix_id": "F-4739r880814_fix",
 "cci": [
- "CCI-000194"
+ "CCI-000366"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "CM-6 b"
 ],
 "subsystems": [
- "pwquality",
- "password"
+ "kernel_parameter",
+ "ipv4"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-204409' do\n title \"The Red Hat Enterprise Linux operating system must be 
configured so that when passwords are changed or new\n passwords are assigned, the new password must contain at least #{input('min_numeric_characters')} numeric character.\"\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', \"Note: The value to require a number of numeric characters to be set is expressed as a negative\n number in \\\"/etc/security/pwquality.conf\\\".\n Check the value for \\\"dcredit\\\" in \\\"/etc/security/pwquality.conf\\\" with the following command:\n # grep dcredit /etc/security/pwquality.conf\n dcredit = -#{input('min_numeric_characters')}\n If the value of \\\"dcredit\\\" is not set to a negative value, this is a finding.\"\n desc 'fix', \"Configure the operating system to enforce password complexity by requiring that at least #{input('min_numeric_characters')} numeric\n character be used by setting the \\\"dcredit\\\" option.\n Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n dcredit = -#{input('min_numeric_characters')}\"\n impact 0.5\n tag legacy: ['SV-86531', 'V-71907']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000071-GPOS-00039'\n tag gid: 'V-204409'\n tag rid: 'SV-204409r603261_rule'\n tag stig_id: 'RHEL-07-010140'\n tag fix_id: 'F-4533r88420_fix'\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('dcredit') { should cmp <= -input('min_numeric_characters') }\n 
end\nend\n", + "code": "control 'SV-204615' do\n title 'The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message\n could result in a man-in-the-middle attack.\"\n desc 'check', 'Verify the system ignores IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_redirects\n net.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to ignore IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['SV-87827', 'V-73175']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204615'\n tag rid: 'SV-204615r880815_rule'\n tag stig_id: 'RHEL-07-040641'\n tag fix_id: 'F-4739r880814_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 
'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_redirects = 0\n config_file_values = command('grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_redirects.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_redirects to #{accept_redirects}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.all.accept_redirects' do\n subject { kernel_parameter('net.ipv4.conf.all.accept_redirects') }\n its('value') { should eq accept_redirects }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204409.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204615.rb", "line": 1 }, - "id": "SV-204409" + "id": "SV-204615" }, { - "title": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account\n logon upon logon.", - "desc": "Providing users with feedback on when account accesses last occurred facilitates user recognition and\n reporting of unauthorized account use.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events 
relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", "descriptions": { - "default": "Providing users with feedback on when account accesses last occurred facilitates user recognition and\n reporting of unauthorized account use.", - "check": "Verify users are provided with feedback on when account accesses last occurred.\n Check that \"pam_lastlog\" is used and not silent with the following command:\n # grep pam_lastlog /etc/pam.d/postlogin\n session required pam_lastlog.so showfailed\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the silent option is present, this is a finding.", - "fix": "Configure the operating system to provide users with feedback on when account accesses last occurred\n by setting the required configuration options in \"/etc/pam.d/postlogin\".\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n session required pam_lastlog.so showfailed" + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"create_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"create_module\" 
syscall, this is a finding.",
+ "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\nThe audit daemon must be restarted for the changes to take effect."
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86899",
- "V-72275"
+ "V-78999",
+ "SV-93705"
 ],
- "severity": "low",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204605",
- "rid": "SV-204605r858478_rule",
- "stig_id": "RHEL-07-040530",
- "fix_id": "F-4729r89008_fix",
+ "severity": "medium",
+ "gtitle": "SRG-OS-000471-GPOS-00216",
+ "satisfies": [
+ "SRG-OS-000471-GPOS-00216",
+ "SRG-OS-000477-GPOS-00222"
+ ],
+ "gid": "V-204559",
+ "rid": "SV-204559r833169_rule",
+ "stig_id": "RHEL-07-030819",
+ "fix_id": "F-4683r833168_fix",
 "cci": [
- "CCI-000366",
- "CCI-000052"
+ "CCI-000172"
 ],
 "nist": [
- "CM-6 b",
- "AC-9"
+ "AU-12 c"
 ],
 "subsystems": [
- "pam",
- "lastlog",
- "ssh"
+ "audit",
+ "auditd",
+ "audit_rule"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-204605' do\n title 'The Red Hat Enterprise Linux operating system must display the date and time of the last successful account\n logon upon logon.'\n desc 'Providing users with feedback on when account accesses last occurred facilitates user recognition and\n reporting of unauthorized account use.'\n desc 'check', 'Verify users are provided with feedback on when account accesses last occurred.\n Check that \"pam_lastlog\" is used and not silent with the following command:\n # grep pam_lastlog /etc/pam.d/postlogin\n session required pam_lastlog.so showfailed\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the silent 
option is present, this is a finding.'\n desc 'fix', 'Configure the operating system to provide users with feedback on when account accesses last occurred\n by setting the required configuration options in \"/etc/pam.d/postlogin\".\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n session required pam_lastlog.so showfailed'\n impact 0.3\n tag legacy: ['SV-86899', 'V-72275']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204605'\n tag rid: 'SV-204605r858478_rule'\n tag stig_id: 'RHEL-07-040530'\n tag fix_id: 'F-4729r89008_fix'\n tag cci: ['CCI-000366', 'CCI-000052']\n tag nist: ['CM-6 b', 'AC-9']\n tag subsystems: ['pam', 'lastlog', 'ssh']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/postlogin') do\n its('lines') do\n should match_pam_rule('session .* pam_lastlog.so showfailed')\n end\n end\n\n unless virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n describe.one do\n describe sshd_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\n describe pam('/etc/pam.d/postlogin') do\n its('lines') do\n should_not match_pam_rule('session .* pam_lastlog.so showfailed silent')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204559' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w 
\"create_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"create_module\" syscall, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-78999', 'SV-93705']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00216'\n tag satisfies: ['SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-204559'\n tag rid: 'SV-204559r833169_rule'\n tag stig_id: 'RHEL-07-030819'\n tag fix_id: 'F-4683r833168_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['create_module']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to 
include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('module-change')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204605.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204559.rb", "line": 1 }, - "id": "SV-204605" + "id": "SV-204559" }, { - "title": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4)\n source-routed packets by default.", - "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.", + "title": "The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol\n version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages contain information from the system's route table, possibly revealing portions of the\n network topology.", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.", - "check": "Verify the system does not accept IPv4 source-routed packets by default.\n\n # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\n net.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" + "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. 
These messages contain information from the system's route table, possibly revealing portions of the\n network topology.", + "check": "Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\n # grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.default.send_redirects\" is not configured in the \"/etc/sysctl.conf\" file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"default send_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects\n net.ipv4.conf.default.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a\n configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n net.ipv4.conf.default.send_redirects = 0\n Issue the following command to make the changes take effect:\n # sysctl --system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72285", - "SV-86909" + "V-72291", + "SV-86915" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204612", - "rid": "SV-204612r880806_rule", - "stig_id": "RHEL-07-040620", - "fix_id": "F-4736r880805_fix", + "gid": "V-204616", + "rid": "SV-204616r880818_rule", + "stig_id": "RHEL-07-040650", + "fix_id": "F-4740r880817_fix", "cci": [ "CCI-000366" ], 
@@ -3030,280 +2975,284 @@ ], "host": null }, - "code": "control 'SV-204612' do\n title 'The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4)\n source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.'\n desc 'check', 'Verify the system does not accept IPv4 source-routed packets by default.\n\n # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\n net.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72285', 'SV-86909']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204612'\n 
tag rid: 'SV-204612r880806_rule'\n tag stig_id: 'RHEL-07-040620'\n tag fix_id: 'F-4736r880805_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_source_route = 0\n\n config_file_values = command('grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_source_route.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_source_route to #{accept_source_route}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.default.accept_source_route' do\n subject { kernel_parameter('net.ipv4.conf.default.accept_source_route') }\n its('value') { should eq accept_source_route }\n end\n end\nend\n", + "code": "control 'SV-204616' do\n title 'The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol\n version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. 
These messages contain information from the system's route table, possibly revealing portions of the\n network topology.\"\n desc 'check', 'Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\n # grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.default.send_redirects\" is not configured in the \"/etc/sysctl.conf\" file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"default send_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects\n net.ipv4.conf.default.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a\n configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n net.ipv4.conf.default.send_redirects = 0\n Issue the following command to make the changes take effect:\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72291', 'SV-86915']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204616'\n tag rid: 'SV-204616r880818_rule'\n tag stig_id: 'RHEL-07-040650'\n tag fix_id: 'F-4740r880817_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n 
send_redirects = 0\n config_file_values = command('grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [send_redirects.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set send_redirects to #{send_redirects}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.default.send_redirects' do\n subject { kernel_parameter('net.ipv4.conf.default.send_redirects') }\n its('value') { should eq send_redirects }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204612.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204616.rb", "line": 1 }, - "id": "SV-204612" + "id": "SV-204616" }, { - "title": "The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the\n following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring\n data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies,\n regulations, and standards.", - "desc": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.\n The operating system must implement cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.", + "title": "The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a\n different system or media from 
the system being audited.", + "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.", "descriptions": { - "default": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.\n The operating system must implement cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.", - "check": "Verify the operating system implements DoD-approved encryption to protect the confidentiality of\n remote access sessions.\n Check to see if the \"dracut-fips\" package is installed with the following command:\n # yum list installed dracut-fips\n dracut-fips-033-360.el7_2.x86_64.rpm\n If a \"dracut-fips\" package is installed, check to see if the kernel command line is configured to use FIPS mode with\n the following command:\n Note: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and\n from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n # grep fips /boot/grub2/grub.cfg\n /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto\n rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the\n following command:\n # cat /proc/sys/crypto/fips_enabled\n 1\n If a \"dracut-fips\" package is not installed, the kernel command line does not have a fips entry, or the system has a\n value of \"0\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.\n Verify the file /etc/system-fips exists.\n # ls -l /etc/system-fips\n If this file does not exist, this is a finding.", - "fix": "Configure the operating system to implement DoD-approved encryption 
by installing the dracut-fips\n package.\n To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during\n system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in\n place.\n Configure the operating system to implement DoD-approved encryption by following the steps below:\n The fips=1 kernel option needs to be added to the kernel command line during system installation so that key\n generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure\n that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is\n available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than\n 256 keystrokes may generate a non-unique key.\n Install the dracut-fips package with the following command:\n # yum install dracut-fips\n Recreate the \"initramfs\" file with the following command:\n Note: This command will overwrite the existing \"initramfs\" file.\n # dracut -f\n Modify the kernel command line of the current kernel in the \"grub.cfg\" file by adding the following option to the\n GRUB_CMDLINE_LINUX key in the \"/etc/default/grub\" file and then rebuild the \"grub.cfg\" file:\n fips=1\n Changes to \"/etc/default/grub\" require rebuilding the \"grub.cfg\" file as follows:\n On BIOS-based machines, use the following command:\n # grub2-mkconfig -o /boot/grub2/grub.cfg\n On UEFI-based machines, use the following command:\n # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=\n must be added to the kernel command line. 
You can identify a partition by running the df /boot or df /boot/efi\n command:\n # df /boot\n Filesystem 1K-blocks Used Available Use% Mounted on\n /dev/sda1 495844 53780 416464 12% /boot\n To ensure the \"boot=\" configuration option will work even if device naming changes occur between boots, identify the\n universally unique identifier (UUID) of the partition with the following command:\n # blkid /dev/sda1\n /dev/sda1: UUID=\"05c000f1-a213-759e-c7a2-f11b7424c797\" TYPE=\"ext4\"\n For the example above, append the following string to the kernel command line:\n boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n If the file /etc/system-fips does not exists, recreate it:\n # touch /etc/ system-fips\n Reboot the system for the changes to take effect." + "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.", + "check": "Verify the operating system encrypts audit records off-loaded onto a different system or media from\n the system being audited.\n To determine if the transfer is encrypted, use the following command:\n # grep -i enable_krb5 /etc/audisp/audisp-remote.conf\n enable_krb5 = yes\n If the value of the \"enable_krb5\" option is not set to \"yes\" or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or media.\n If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is\n encrypted, this is a finding.", + "fix": "Configure the operating system to encrypt the transfer of off-loaded audit records onto a different\n system or media from the system being audited.\n Uncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and set it with the following line:\n enable_krb5 = yes" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86691", - "V-72067" + 
"V-72085", + "SV-86709" ], - "severity": "high", - "gtitle": "SRG-OS-000033-GPOS-00014", + "severity": "medium", + "gtitle": "SRG-OS-000342-GPOS-00133", "satisfies": [ - "SRG-OS-000033-GPOS-00014", - "SRG-OS-000185-GPOS-00079", - "SRG-OS-000396-GPOS-00176", - "SRG-OS-000405-GPOS-00184", - "SRG-OS-000478-GPOS-00223" + "SRG-OS-000342-GPOS-00133", + "SRG-OS-000479-GPOS-00224" ], - "gid": "V-204497", - "rid": "SV-204497r877398_rule", - "stig_id": "RHEL-07-021350", - "fix_id": "F-36310r602640_fix", + "gid": "V-204510", + "rid": "SV-204510r877390_rule", + "stig_id": "RHEL-07-030310", + "fix_id": "F-4634r88723_fix", "cci": [ - "CCI-000068", - "CCI-001199", - "CCI-002450", - "CCI-002476" + "CCI-001851" ], "nist": [ - "AC-17 (2)", - "SC-28", - "SC-13", - "SC-28 (1)", - "SC-13 b" + "AU-4 (1)" ], "subsystems": [ - "fips" + "audit", + "audisp" ], "host": null }, - "code": "control 'SV-204497' do\n title \"The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the\n following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring\n data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies,\n regulations, and standards.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.\n The operating system must implement cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\"\n desc 'check', \"Verify the operating system implements #{input('org_name')[:acronym]}-approved encryption to protect the confidentiality of\n remote access sessions.\n Check to see if the \\\"dracut-fips\\\" package is installed with the following command:\n # yum list installed dracut-fips\n dracut-fips-033-360.el7_2.x86_64.rpm\n If a \\\"dracut-fips\\\" package is installed, check to see if the kernel command line 
is configured to use FIPS mode with\n the following command:\n Note: GRUB 2 reads its configuration from the \\\"/boot/grub2/grub.cfg\\\" file on traditional BIOS-based machines and\n from the \\\"/boot/efi/EFI/redhat/grub.cfg\\\" file on UEFI machines.\n # grep fips /boot/grub2/grub.cfg\n /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto\n rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the\n following command:\n # cat /proc/sys/crypto/fips_enabled\n 1\n If a \\\"dracut-fips\\\" package is not installed, the kernel command line does not have a fips entry, or the system has a\n value of \\\"0\\\" for \\\"fips_enabled\\\" in \\\"/proc/sys/crypto\\\", this is a finding.\n Verify the file /etc/system-fips exists.\n # ls -l /etc/system-fips\n If this file does not exist, this is a finding.\"\n desc 'fix', \"Configure the operating system to implement #{input('org_name')[:acronym]}-approved encryption by installing the dracut-fips\n package.\n To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during\n system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in\n place.\n Configure the operating system to implement #{input('org_name')[:acronym]}-approved encryption by following the steps below:\n The fips=1 kernel option needs to be added to the kernel command line during system installation so that key\n generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure\n that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is\n available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. 
Less than\n 256 keystrokes may generate a non-unique key.\n Install the dracut-fips package with the following command:\n # yum install dracut-fips\n Recreate the \\\"initramfs\\\" file with the following command:\n Note: This command will overwrite the existing \\\"initramfs\\\" file.\n # dracut -f\n Modify the kernel command line of the current kernel in the \\\"grub.cfg\\\" file by adding the following option to the\n GRUB_CMDLINE_LINUX key in the \\\"/etc/default/grub\\\" file and then rebuild the \\\"grub.cfg\\\" file:\n fips=1\n Changes to \\\"/etc/default/grub\\\" require rebuilding the \\\"grub.cfg\\\" file as follows:\n On BIOS-based machines, use the following command:\n # grub2-mkconfig -o /boot/grub2/grub.cfg\n On UEFI-based machines, use the following command:\n # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=\n must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi\n command:\n # df /boot\n Filesystem 1K-blocks Used Available Use% Mounted on\n /dev/sda1 495844 53780 416464 12% /boot\n To ensure the \\\"boot=\\\" configuration option will work even if device naming changes occur between boots, identify the\n universally unique identifier (UUID) of the partition with the following command:\n # blkid /dev/sda1\n /dev/sda1: UUID=\\\"05c000f1-a213-759e-c7a2-f11b7424c797\\\" TYPE=\\\"ext4\\\"\n For the example above, append the following string to the kernel command line:\n boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n If the file /etc/system-fips does not exists, recreate it:\n # touch /etc/ system-fips\n Reboot the system for the changes to take effect.\"\n impact 0.7\n tag legacy: ['SV-86691', 'V-72067']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000185-GPOS-00079', 'SRG-OS-000396-GPOS-00176', 'SRG-OS-000405-GPOS-00184', 
'SRG-OS-000478-GPOS-00223']\n tag gid: 'V-204497'\n tag rid: 'SV-204497r877398_rule'\n tag stig_id: 'RHEL-07-021350'\n tag fix_id: 'F-36310r602640_fix'\n tag cci: ['CCI-000068', 'CCI-001199', 'CCI-002450', 'CCI-002476']\n tag nist: ['AC-17 (2)', 'SC-28', 'SC-13', 'SC-28 (1)', 'SC-13 b']\n tag subsystems: ['fips']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config for FIPS capability must be done on the host' do\n skip 'Control not applicable - Kernel config for FIPS capability must be done on the host'\n end\n else\n describe package('dracut-fips') do\n it { should be_installed }\n end\n\n all_args = # strip outer quotes if they exist\n command('grubby --info=ALL | grep \"^args=\" | sed \"s/^args=//g\"')\n .stdout.strip.split(\"\\n\")\n .map do |s|\n s.sub(/^\"(.*)\"$/, '\\1')\n end\n all_args.each do |args|\n describe args do\n it { should match(/\\bfips=1\\b/) }\n end\n end\n\n describe file('/proc/sys/crypto/fips_enabled') do\n its('content.strip') { should cmp 1 }\n end\n\n describe file('/etc/system-fips') do\n it { should exist }\n end\n end\nend\n", + "code": "control 'SV-204510' do\n title 'The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a\n different system or media from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.'\n desc 'check', 'Verify the operating system encrypts audit records off-loaded onto a different system or media from\n the system being audited.\n To determine if the transfer is encrypted, use the following command:\n # grep -i enable_krb5 /etc/audisp/audisp-remote.conf\n enable_krb5 = yes\n If the value of the \"enable_krb5\" option is not set to \"yes\" or the line is commented out, ask the System\n Administrator to indicate how the 
audit logs are off-loaded to a different system or media.\n If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is\n encrypted, this is a finding.'\n desc 'fix', 'Configure the operating system to encrypt the transfer of off-loaded audit records onto a different\n system or media from the system being audited.\n Uncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and set it with the following line:\n enable_krb5 = yes'\n impact 0.5\n tag legacy: ['V-72085', 'SV-86709']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204510'\n tag rid: 'SV-204510r877390_rule'\n tag stig_id: 'RHEL-07-030310'\n tag fix_id: 'F-4634r88723_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('enable_krb5'.to_s) { should cmp 'yes' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204497.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204510.rb", "line": 1 }, - "id": "SV-204497" + "id": "SV-204510" }, { - "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS)\n must require authentication upon booting into single-user and maintenance modes.", - "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.", + "title": "The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.", + "desc": "IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be\n documented with the Information System Security Officer (ISSO).", "descriptions": { - "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.", - "check": "For systems that use UEFI, this is Not Applicable.\n For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:\n $ sudo grep -iw grub2_password /boot/grub2/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for the grub superusers account with the\n grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.\n Generate an encrypted grub2 password for the grub superusers account with the following command:\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:" + "default": "IP tunneling mechanisms can be used to bypass network filtering. 
If tunneling is required, it must be\n documented with the Information System Security Officer (ISSO).", + "check": "Verify the system does not have unauthorized IP tunnels configured.\n Check to see if \"libreswan\" is installed with the following command:\n # yum list installed libreswan\n libreswan.x86-64 3.20-5.el7_4\n If \"libreswan\" is installed, check to see if the \"IPsec\" service is active with the following command:\n # systemctl status ipsec\n ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\n Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\n Active: inactive (dead)\n If the \"IPsec\" service is active, check to see if any tunnels are configured in \"/etc/ipsec.conf\" and\n \"/etc/ipsec.d/\" with the following commands:\n # grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf\n If there are indications that a \"conn\" parameter is configured for a tunnel, ask the System Administrator if the\n tunnel is documented with the ISSO.\n If \"libreswan\" is installed, \"IPsec\" is active, and an undocumented tunnel is active, this is a finding.", + "fix": "Remove all unapproved tunnels from the system, or document them with the ISSO." 
}, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "legacy": [ - "SV-95717", - "V-81005" + "V-72317", + "SV-86941" ], - "severity": "high", - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-204438", - "rid": "SV-204438r744095_rule", - "stig_id": "RHEL-07-010482", - "fix_id": "F-4562r744094_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204629", + "rid": "SV-204629r603261_rule", + "stig_id": "RHEL-07-040820", + "fix_id": "F-4753r89080_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3" + "CM-6 b" ], "subsystems": [ - "boot", - "bios" + "libreswan", + "ipsec" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204438' do\n title 'Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS)\n must require authentication upon booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.'\n desc 'check', 'For systems that use UEFI, this is Not Applicable.\n For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n Check to see if an encrypted grub superusers password is set. 
On systems that use a BIOS, use the following command:\n $ sudo grep -iw grub2_password /boot/grub2/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.'\n desc 'fix', 'Configure the system to encrypt the boot password for the grub superusers account with the\n grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.\n Generate an encrypted grub2 password for the grub superusers account with the following command:\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:'\n impact 0.7\n tag legacy: ['SV-95717', 'V-81005']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-204438'\n tag rid: 'SV-204438r744095_rule'\n tag stig_id: 'RHEL-07-010482'\n tag fix_id: 'F-4562r744094_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag subsystems: ['boot', 'bios']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n elsif os[:release] >= '7.2'\n impact 0.7\n input('grub_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }\n end\n end\n else\n impact 0.0\n describe 'System running version of RHEL prior to 7.2' do\n skip 'The System is running an outdated version of RHEL, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204629' do\n title 'The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.'\n desc 'IP tunneling mechanisms can be used to bypass network filtering. 
If tunneling is required, it must be\n documented with the Information System Security Officer (ISSO).'\n desc 'check', 'Verify the system does not have unauthorized IP tunnels configured.\n Check to see if \"libreswan\" is installed with the following command:\n # yum list installed libreswan\n libreswan.x86-64 3.20-5.el7_4\n If \"libreswan\" is installed, check to see if the \"IPsec\" service is active with the following command:\n # systemctl status ipsec\n ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\n Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\n Active: inactive (dead)\n If the \"IPsec\" service is active, check to see if any tunnels are configured in \"/etc/ipsec.conf\" and\n \"/etc/ipsec.d/\" with the following commands:\n # grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf\n If there are indications that a \"conn\" parameter is configured for a tunnel, ask the System Administrator if the\n tunnel is documented with the ISSO.\n If \"libreswan\" is installed, \"IPsec\" is active, and an undocumented tunnel is active, this is a finding.'\n desc 'fix', 'Remove all unapproved tunnels from the system, or document them with the ISSO.'\n impact 0.5\n tag legacy: ['V-72317', 'SV-86941']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204629'\n tag rid: 'SV-204629r603261_rule'\n tag stig_id: 'RHEL-07-040820'\n tag fix_id: 'F-4753r89080_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['libreswan', 'ipsec']\n tag 'host'\n tag 'container'\n\n approved_tunnels = input('approved_tunnels')\n\n if package('libreswan').installed? && service('ipsec.service').running?\n impact 0.5\n processed = []\n to_process = ['/etc/ipsec.conf']\n\n until to_process.empty?\n in_process = to_process.pop\n next if processed.include? 
in_process\n\n processed.push in_process\n\n to_process.concat(\n command(\"grep -E '^\\\\s*include\\\\s+' #{in_process} | sed 's/^[[:space:]]*include[[:space:]]*//g'\")\n .stdout.strip.split(/\\s*\\n+\\s*/)\n .map do |f|\n if f.start_with?('/')\n f\n else\n File.join(\n File.dirname(in_process), f\n )\n end\n end\n .map do |f|\n dir = f.sub(%r{[^/]*[*?\\[].*$}, '') # gets the longest ancestor path which doesn't contain wildcards\n command(\"find #{dir} -wholename '#{f}'\").stdout.strip.split(\"\\n\")\n end\n .flatten\n .select do |f|\n file(f).file?\n end\n )\n end\n\n conn_grep = processed.map do |conf|\n command(\"grep -E '^\\\\s*conn\\\\s+' #{conf}\")\n .stdout.strip.split(/\\s*\\n\\s*/)\n end.flatten\n\n describe conn_grep do\n it { should all(be_in(approved_tunnels)) }\n end\n else\n impact 0.0\n describe \"The system does not have libreswan installed or the ipsec.service isn't running\" do\n skip \"The system does not have libreswan installed or the ipsec.service isn't running, this requirement is Not Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204438.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204629.rb", "line": 1 }, - "id": "SV-204438" + "id": "SV-204629" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from\n being executed on file systems that are being imported via Network File System (NFS).", - "desc": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs)\n referenced in the /etc/passwd file are defined in the /etc/group file.", + "desc": "If a user is assigned the GID of a group not existing on the system, and a group with the GID is\n subsequently created, the user may have unintended rights to any files associated with the group.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.", - "check": "Verify file systems that are being NFS imported are configured with the \"nosuid\" option.\n Find the file system(s) that contain the directories being exported with the following command:\n # more /etc/fstab | grep nfs\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a\n finding.\n Verify the NFS is mounted with the \"nosuid\" option:\n # mount | grep nfs | grep nosuid\n If no results are returned, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are being imported via\n NFS." 
+ "default": "If a user is assigned the GID of a group not existing on the system, and a group with the GID is\n subsequently created, the user may have unintended rights to any files associated with the group.", + "check": "Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the \"/etc/group\" file.\n Check that all referenced GIDs exist with the following command:\n # pwck -r\n If GIDs referenced in \"/etc/passwd\" file are returned as not defined in \"/etc/group\" file, this is a finding.", + "fix": "Configure the system to define all GIDs found in the \"/etc/passwd\" file by modifying the \"/etc/group\"\n file to add any non-existent group referenced in the \"/etc/passwd\" file, or change the GIDs referenced in the\n \"/etc/passwd\" file to a group that exists in \"/etc/group\"." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "SV-86669", - "V-72045" + "V-72003", + "SV-86627" ], - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204482", - "rid": "SV-204482r603261_rule", - "stig_id": "RHEL-07-021020", - "fix_id": "F-4606r88639_fix", + "severity": "low", + "gtitle": "SRG-OS-000104-GPOS-00051", + "gid": "V-204461", + "rid": "SV-204461r603261_rule", + "stig_id": "RHEL-07-020300", + "fix_id": "F-4585r88576_fix", "cci": [ - "CCI-000366" + "CCI-000764" ], "nist": [ - "CM-6 b" + "IA-2" ], "subsystems": [ - "etc_fstab" + "accounts" ], "host": null, "container": null }, - "code": "control 'SV-204482' do\n title 'The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from\n being executed on file systems that are being imported via Network File System (NFS).'\n desc 'The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.'\n desc 'check', 'Verify file systems that are being NFS imported are configured with the \"nosuid\" option.\n Find the file system(s) that contain the directories being exported with the following command:\n # more /etc/fstab | grep nfs\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a\n finding.\n Verify the NFS is mounted with the \"nosuid\" option:\n # mount | grep nfs | grep nosuid\n If no results are returned, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are being imported via\n NFS.'\n impact 0.5\n tag legacy: ['SV-86669', 'V-72045']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204482'\n tag rid: 'SV-204482r603261_rule'\n tag stig_id: 'RHEL-07-021020'\n tag fix_id: 'F-4606r88639_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['etc_fstab']\n tag 'host'\n tag 'container'\n\n nfs_systems = etc_fstab.nfs_file_systems.entries\n\n if !nfs_systems.nil? && !nfs_systems.empty?\n nfs_systems.each do |nfs_system|\n describe \"Network File System mounted on #{nfs_system['mount_point']}\" do\n subject { nfs_system }\n its('mount_options') { should include 'nosuid' }\n end\n end\n else\n describe 'No NFS file systems were found' do\n subject { nfs_systems.nil? || nfs_systems.empty? 
}\n it { should eq true }\n end\n end\nend\n", + "code": "control 'SV-204461' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs)\n referenced in the /etc/passwd file are defined in the /etc/group file.'\n desc 'If a user is assigned the GID of a group not existing on the system, and a group with the GID is\n subsequently created, the user may have unintended rights to any files associated with the group.'\n desc 'check', 'Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the \"/etc/group\" file.\n Check that all referenced GIDs exist with the following command:\n # pwck -r\n If GIDs referenced in \"/etc/passwd\" file are returned as not defined in \"/etc/group\" file, this is a finding.'\n desc 'fix', 'Configure the system to define all GIDs found in the \"/etc/passwd\" file by modifying the \"/etc/group\"\n file to add any non-existent group referenced in the \"/etc/passwd\" file, or change the GIDs referenced in the\n \"/etc/passwd\" file to a group that exists in \"/etc/group\".'\n impact 0.3\n tag legacy: ['V-72003', 'SV-86627']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000104-GPOS-00051'\n tag gid: 'V-204461'\n tag rid: 'SV-204461r603261_rule'\n tag stig_id: 'RHEL-07-020300'\n tag fix_id: 'F-4585r88576_fix'\n tag cci: ['CCI-000764']\n tag nist: ['IA-2']\n tag subsystems: ['accounts']\n tag 'host'\n tag 'container'\n\n describe 'All group identifiers in /etc/passwd' do\n it 'should be defined in /etc/groups' do\n expect(passwd.gids.map { |gid| gid.to_i }).to all(be_in etc_group.gids),\n \"missing gids: #{passwd.gids.select { |gid| !etc_group.gids.include?(gid.to_i) }}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204482.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204461.rb", "line": 1 }, - "id": "SV-204482" + "id": "SV-204461" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom 
authentication configuration settings by the authconfig utility.", - "desc": "When using the authconfig utility to modify authentication configuration settings, the \"system-auth\" and \"password-auth\" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists,\n is group-owned by root.", + "desc": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or\n edited by unauthorized users.", "descriptions": { - "default": "When using the authconfig utility to modify authentication configuration settings, the \"system-auth\" and \"password-auth\" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.", - "check": "Verify \"system-auth\" and \"password-auth\" files are symbolic links pointing to \"system-auth-local\" and \"password-auth-local\":\n $ sudo ls -l /etc/pam.d/{password,system}-auth\n\n lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local\n lrwxrwxrwx. 
1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local\n\nIf system-auth and password-auth files are not symbolic links, this is a finding.\n\nIf system-auth and password-auth are symbolic links but do not point to \"system-auth-local\" and \"password-auth-local\", this is a finding.", - "fix": "Create custom configuration files and their corresponding symbolic links:\n\nRename the existing configuration files (skip this step if symbolic links are already present):\n $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac\n $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac\n\nCreate custom system-auth configuration file:\n $ sudo vi /etc/pam.d/system-auth-local\n\nThe new file, at minimum, must contain the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth include system-auth-ac\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n\naccount required pam_faillock.so\naccount include system-auth-ac\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\npassword include system-auth-ac\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nsession include system-auth-ac\n\nCreate custom password-auth configuration file:\n $ sudo vi /etc/pam.d/password-auth-local\n\nThe new file, at minimum, must contain the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth include password-auth-ac\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n\naccount required pam_faillock.so\naccount include password-auth-ac\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\npassword include password-auth-ac\npassword sufficient 
pam_unix.so sha512 shadow try_first_pass use_authtok\n\nsession include password-auth-ac\n\nCreate new or move existing symbolic links to the new custom configuration files:\n $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth\n $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth\n\nOnce finished you should have the following file structure:\n $ sudo ls -1 /etc/pam.d/{password,system}-auth*\n\n /etc/pam.d/password-auth\n /etc/pam.d/password-auth-ac\n /etc/pam.d/password-auth-local\n /etc/pam.d/system-auth\n /etc/pam.d/system-auth-ac\n /etc/pam.d/system-auth-local\n\nDone.\n\nNote: With this solution in place any custom settings to \"system-auth\" and \"password-auth\" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to \"system-auth-ac\" and \"password-auth-ac\" and continue to function as expected." + "default": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or\n edited by unauthorized users.", + "check": "Verify that the \"cron.allow\" file is group-owned by root.\n Check the group owner of the \"cron.allow\" file with the following command:\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n If the \"cron.allow\" file exists and has a group owner other than root, this is a finding.", + "fix": "Set the group owner on the \"/etc/cron.allow\" file to root with the\nfollowing command:\n\n # chgrp root /etc/cron.allow" }, "impact": 0.5, "refs": [], "tags": { - "check_id": "C-59605r880828_chk", + "legacy": [ + "SV-86679", + "V-72055" + ], "severity": "medium", - "gid": "V-255928", - "rid": "SV-255928r880830_rule", - "stig_id": "RHEL-07-010199", - "gtitle": "SRG-OS-000073-GPOS-00041", - "fix_id": "F-59548r880829_fix", - "documentable": null, + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204491", + "rid": "SV-204491r603261_rule", + "stig_id": "RHEL-07-021120", + "fix_id": 
"F-4615r88666_fix", "cci": [ - "CCI-000196" + "CCI-000366" ], "nist": [ - "IA-5 (1) (c)" - ] + "CM-6 b" + ], + "subsystems": [ + "cron" + ], + "host": null, + "container": null }, - "code": "control 'SV-255928' do\n title \"The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.\"\n desc \"When using the authconfig utility to modify authentication configuration settings, the \\\"system-auth\\\" and \\\"password-auth\\\" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.\"\n desc 'check', \"Verify \\\"system-auth\\\" and \\\"password-auth\\\" files are symbolic links pointing to \\\"system-auth-local\\\" and \\\"password-auth-local\\\":\n $ sudo ls -l /etc/pam.d/{password,system}-auth\n\n lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local\n lrwxrwxrwx. 
1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local\n\nIf system-auth and password-auth files are not symbolic links, this is a finding.\n\nIf system-auth and password-auth are symbolic links but do not point to \\\"system-auth-local\\\" and \\\"password-auth-local\\\", this is a finding.\"\n desc 'fix', \"Create custom configuration files and their corresponding symbolic links:\n\nRename the existing configuration files (skip this step if symbolic links are already present):\n $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac\n $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac\n\nCreate custom system-auth configuration file:\n $ sudo vi /etc/pam.d/system-auth-local\n\nThe new file, at minimum, must contain the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\nauth include system-auth-ac\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n\naccount required pam_faillock.so\naccount include system-auth-ac\n\npassword requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')}\npassword include system-auth-ac\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nsession include system-auth-ac\n\nCreate custom password-auth configuration file:\n $ sudo vi /etc/pam.d/password-auth-local\n\nThe new file, at minimum, must contain the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\nauth include password-auth-ac\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] 
pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n\naccount required pam_faillock.so\naccount include password-auth-ac\n\npassword requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')}\npassword include password-auth-ac\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nsession include password-auth-ac\n\nCreate new or move existing symbolic links to the new custom configuration files:\n $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth\n $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth\n\nOnce finished you should have the following file structure:\n $ sudo ls -1 /etc/pam.d/{password,system}-auth*\n\n /etc/pam.d/password-auth\n /etc/pam.d/password-auth-ac\n /etc/pam.d/password-auth-local\n /etc/pam.d/system-auth\n /etc/pam.d/system-auth-ac\n /etc/pam.d/system-auth-local\n\nDone.\n\nNote: With this solution in place any custom settings to \\\"system-auth\\\" and \\\"password-auth\\\" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to \\\"system-auth-ac\\\" and \\\"password-auth-ac\\\" and continue to function as expected.\"\n impact 0.5\n tag check_id: 'C-59605r880828_chk'\n tag severity: 'medium'\n tag gid: 'V-255928'\n tag rid: 'SV-255928r880830_rule'\n tag stig_id: 'RHEL-07-010199'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag fix_id: 'F-59548r880829_fix'\n tag 'documentable'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n\n describe file('/etc/pam.d/system-auth') do\n it { should be_symlink }\n its('link_path') { should cmp '/etc/pam.d/system-auth-local' }\n end\n\n if file('/etc/pam.d/system-auth').symlink? 
&& file('/etc/pam.d/system-auth').link_path == '/etc/pam.d/system-auth-local'\n describe '/etc/pam.d/system-auth-local should contain the minimum configuration settings' do\n subject { parse_config_file('/etc/pam.d/system-auth-local').content.strip }\n it { should match /auth.*required.*pam_faillock.so.*preauth.*silent.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ }\n it { should match /auth.*include.*system-auth-ac/ }\n it { should match /auth.*sufficient.*pam_unix.so.*try_first_pass/ }\n it { should match /auth.*default=die.*pam_faillock.so.*authfail.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ }\n it { should match /account.*required.*pam_faillock.so/ }\n it { should match /account.*include.*system-auth-ac/ }\n it { should match /password.*requisite.*pam_pwhistory.so.*use_authtok.*remember=#{input('min_reuse_generations')}.*retry=#{input('retry')}/ }\n it { should match /password.*include.*system-auth-ac/ }\n it { should match /password.*sufficient.*pam_unix.so.*sha512.*shadow.*try_first_pass.*use_authtok/ }\n it { should match /session.*include.*system-auth-ac/ }\n end\n end\n\n describe file('/etc/pam.d/password-auth') do\n it { should be_symlink }\n its('link_path') { should cmp '/etc/pam.d/password-auth-local' }\n end\n\n if file('/etc/pam.d/password-auth').symlink? 
&& file('/etc/pam.d/password-auth').link_path == '/etc/pam.d/password-auth-local'\n\n describe '/etc/pam.d/password-auth-local should contain the minimum configuration settings' do\n subject { parse_config_file('/etc/pam.d/password-auth-local').content.strip }\n it { should match /auth.*required.*pam_faillock.so.*preauth.*silent.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ }\n it { should match /auth.*include.*password-auth-ac/ }\n it { should match /auth.*sufficient.*pam_unix.so.*try_first_pass/ }\n it { should match /auth.*default=die.*pam_faillock.so.*authfail.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ }\n it { should match /account.*required.*pam_faillock.so/ }\n it { should match /account.*include.*password-auth-ac/ }\n it { should match /password.*requisite.*pam_pwhistory.so.*use_authtok.*remember=#{input('min_reuse_generations')}.*retry=#{input('retry')}/ }\n it { should match /password.*include.*password-auth-ac/ }\n it { should match /password.*sufficient.*pam_unix.so.*sha512.*shadow.*try_first_pass.*use_authtok/ }\n it { should match /session.*include.*password-auth-ac/ }\n end\n end\nend\n", + "code": "control 'SV-204491' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists,\n is group-owned by root.'\n desc 'If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or\n edited by unauthorized users.'\n desc 'check', 'Verify that the \"cron.allow\" file is group-owned by root.\n Check the group owner of the \"cron.allow\" file with the following command:\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n If the \"cron.allow\" file exists and has a group owner other than root, this is a finding.'\n desc 'fix', 'Set the 
group owner on the \"/etc/cron.allow\" file to root with the\nfollowing command:\n\n # chgrp root /etc/cron.allow'\n impact 0.5\n tag legacy: ['SV-86679', 'V-72055']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204491'\n tag rid: 'SV-204491r603261_rule'\n tag stig_id: 'RHEL-07-021120'\n tag fix_id: 'F-4615r88666_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['cron']\n tag 'host'\n tag 'container'\n\n describe.one do\n # case where file doesn't exist\n describe file('/etc/cron.allow') do\n it { should_not exist }\n end\n # case where file exists\n describe file('/etc/cron.allow') do\n its('group') { should eq 'root' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-255928.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204491.rb", "line": 1 }, - "id": "SV-255928" + "id": "SV-204491" }, { - "title": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and\n Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record\n storage capacity is reached.", - "desc": "If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.", + "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n idle-activation-enabled setting for the graphical user interface.", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. 
Disabling the user's ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.", "descriptions": { - "default": "If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.", - "check": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the\n threshold for the repository maximum audit record storage capacity is reached.\n Check what account the operating system emails when the threshold for the repository maximum audit record storage\n capacity is reached with the following command:\n # grep -i action_mail_acct /etc/audit/auditd.conf\n action_mail_acct = root\n If the value of the \"action_mail_acct\" keyword is not set to \"root\" and other accounts for security personnel, this\n is a finding.", - "fix": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold\n for the repository maximum audit record storage capacity is reached.\n Uncomment or edit the \"action_mail_acct\" keyword in \"/etc/audit/auditd.conf\" and set it to root and any other\n accounts associated with security personnel.\n action_mail_acct = root" + "default": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. 
Disabling the user's ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.", + "check": "Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\nCheck for the idle-activation-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/idle-activation-enabled\n\nIf the command does not return a result, this is a finding.", + "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \"local\" for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver idle-activation-enabled setting:\n /org/gnome/desktop/screensaver/idle-activation-enabled" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "V-72093", - "SV-86717" + "V-78997", + "SV-93703" ], "severity": "medium", - "gtitle": "SRG-OS-000343-GPOS-00134", - "gid": "V-204515", - "rid": "SV-204515r877389_rule", - "stig_id": "RHEL-07-030350", - 
"fix_id": "F-4639r88738_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "gid": "V-204403", + "rid": "SV-204403r880785_rule", + "stig_id": "RHEL-07-010101", + "fix_id": "F-4527r880784_fix", "cci": [ - "CCI-001855" + "CCI-000057" ], "nist": [ - "AU-5 (1)" + "AC-11 a" ], "subsystems": [ - "audit", - "auditd" + "gui" ], "host": null }, - "code": "control 'SV-204515' do\n title 'The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and\n Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record\n storage capacity is reached.'\n desc 'If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.'\n desc 'check', 'Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the\n threshold for the repository maximum audit record storage capacity is reached.\n Check what account the operating system emails when the threshold for the repository maximum audit record storage\n capacity is reached with the following command:\n # grep -i action_mail_acct /etc/audit/auditd.conf\n action_mail_acct = root\n If the value of the \"action_mail_acct\" keyword is not set to \"root\" and other accounts for security personnel, this\n is a finding.'\n desc 'fix', 'Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold\n for the repository maximum audit record storage capacity is reached.\n Uncomment or edit the \"action_mail_acct\" keyword in \"/etc/audit/auditd.conf\" and set it to root and any other\n accounts associated with security personnel.\n action_mail_acct = root'\n impact 0.5\n tag legacy: ['V-72093', 'SV-86717']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-204515'\n tag rid: 
'SV-204515r877389_rule'\n tag stig_id: 'RHEL-07-030350'\n tag fix_id: 'F-4639r88738_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe auditd_conf do\n its('action_mail_acct') { should cmp 'root' }\n end\n end\nend\n", + "code": "control 'SV-204403' do\n title 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n idle-activation-enabled setting for the graphical user interface.'\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.\"\n desc 'check', 'Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\nCheck for the idle-activation-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/idle-activation-enabled\n\nIf the command does not return a result, this is a finding.'\n desc 'fix', \"Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \\\"local\\\" for the system, so if the system is using another database in\n \\\"/etc/dconf/profile/user\\\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver idle-activation-enabled setting:\n /org/gnome/desktop/screensaver/idle-activation-enabled\"\n impact 0.5\n tag legacy: ['V-78997', 'SV-93703']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204403'\n tag rid: 'SV-204403r880785_rule'\n tag stig_id: 'RHEL-07-010101'\n tag fix_id: 'F-4527r880784_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n if package('gnome-desktop3').installed?\n impact 0.5\n else\n impact 0.0\n end\n\n if package('gnome-desktop3').installed?\n describe command('gsettings writable org.gnome.desktop.screensaver idle-activation-enabled') do\n its('stdout.strip') { should cmp 'false' }\n end\n end\n\n unless package('gnome-desktop3').installed?\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\n end\nend\n", 
"source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204515.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204403.rb", "line": 1 }, - "id": "SV-204515" + "id": "SV-204403" }, { - "title": "The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles,\n and devices) if the password expires.", - "desc": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive\n identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n Operating systems need to track periods of inactivity and disable application identifiers after 35 days of\n inactivity.", + "title": "The Red Hat Enterprise Linux operating system must enable a user session lock until that user\n re-establishes access using established identification and authentication procedures.", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in\n place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.", "descriptions": { - "default": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive\n identifier and potentially obtain undetected access to the system. 
Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n Operating systems need to track periods of inactivity and disable application identifiers after 35 days of\n inactivity.", - "check": "If passwords are not being used for authentication, this is Not Applicable.\n Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the\n password expires with the following command:\n # grep -i inactive /etc/default/useradd\n INACTIVE=35\n If \"INACTIVE\" is set to \"-1\", a value greater than '35', is commented out, or is not defined, this is a finding.", - "fix": "Configure the operating system to disable account identifiers (individuals, groups, roles, and\n devices) 35 days after the password expires.\n Add the following line to \"/etc/default/useradd\" (or modify the line to have the required value):\n INACTIVE=35\n DoD recommendation is 35 days, but a lower value is acceptable. The value \"-1\" will disable this feature, and \"0\"\n will disable the account immediately after the password expires." + "default": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in\n place until the user reauthenticates. 
No other activity aside from reauthentication must unlock the system.", + "check": "Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the screen lock is enabled with the following command:\n\n # grep -ir lock-enabled /etc/dconf/db/local.d/ | grep -v locks\n lock-enabled=true\n\nIf the \"lock-enabled\" setting is missing or is not set to \"true\", this is a finding.", + "fix": "Configure the operating system to enable a user's session lock until that user re-establishes access\n using established identification and authentication procedures.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n example:\n # touch /etc/dconf/db/local.d/00-screensaver\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file and add or update the following lines:\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "SV-86565", - "V-71941" + "SV-86515", + "V-71891" ], "severity": "medium", - "gtitle": "SRG-OS-000118-GPOS-00060", - "gid": "V-204426", - "rid": "SV-204426r809190_rule", - "stig_id": "RHEL-07-010310", - "fix_id": "F-4550r809189_fix", + "gtitle": "SRG-OS-000028-GPOS-00009", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000030-GPOS-00011" + ], + "gid": "V-204396", + "rid": "SV-204396r880746_rule", + "stig_id": "RHEL-07-010060", + "fix_id": "F-4520r880745_fix", "cci": [ - "CCI-000795" + "CCI-000056" ], "nist": [ - "IA-4 e" + "AC-11 b" ], "subsystems": [ - "user" + "session", + "lock", + "gui", + "screensaver" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204426' do\n title 'The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles,\n and devices) if the password expires.'\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive\n identifier and potentially obtain undetected access to the system. 
Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n Operating systems need to track periods of inactivity and disable application identifiers after #{input('days_of_inactivity')} days of\n inactivity.\"\n desc 'check', \"If passwords are not being used for authentication, this is Not Applicable.\n Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the\n password expires with the following command:\n # grep -i inactive /etc/default/useradd\n INACTIVE=#{input('days_of_inactivity')}\n If \\\"INACTIVE\\\" is set to \\\"-1\\\", a value greater than '#{input('days_of_inactivity')}', is commented out, or is not defined, this is a finding.\"\n desc 'fix', \"Configure the operating system to disable account identifiers (individuals, groups, roles, and\n devices) #{input('days_of_inactivity')} days after the password expires.\n Add the following line to \\\"/etc/default/useradd\\\" (or modify the line to have the required value):\n INACTIVE=#{input('days_of_inactivity')}\n #{input('org_name')[:acronym]} recommendation is #{input('days_of_inactivity')} days, but a lower value is acceptable. The value \\\"-1\\\" will disable this feature, and \\\"0\\\"\n will disable the account immediately after the password expires.\"\n impact 0.5\n tag legacy: ['SV-86565', 'V-71941']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000118-GPOS-00060'\n tag gid: 'V-204426'\n tag rid: 'SV-204426r809190_rule'\n tag stig_id: 'RHEL-07-010310'\n tag fix_id: 'F-4550r809189_fix'\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n tag subsystems: ['user']\n tag 'host'\n tag 'container'\n\n if command(\"grep 'pam_unix.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'optional'\").stdout.empty? 
&& command(\"grep 'pam_permit.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'required'\").stdout.empty?\n describe parse_config_file('/etc/default/useradd') do\n its('INACTIVE') { should cmp <= input('days_of_inactivity') }\n its('INACTIVE') { should_not cmp -1 }\n its('INACTIVE') { should_not be_nil }\n end\n else\n impact 0.0\n describe 'The system is not using password for authentication' do\n skip 'The system is not using password for authentication, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204396' do\n title 'The Red Hat Enterprise Linux operating system must enable a user session lock until that user\n re-establishes access using established identification and authentication procedures.'\n desc 'A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in\n place until the user reauthenticates. 
No other activity aside from reauthentication must unlock the system.'\n desc 'check', %q(Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the screen lock is enabled with the following command:\n\n # grep -ir lock-enabled /etc/dconf/db/local.d/ | grep -v locks\n lock-enabled=true\n\nIf the \"lock-enabled\" setting is missing or is not set to \"true\", this is a finding.)\n desc 'fix', %q(Configure the operating system to enable a user's session lock until that user re-establishes access\n using established identification and authentication procedures.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n example:\n # touch /etc/dconf/db/local.d/00-screensaver\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file and add or update the following lines:\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.)\n impact 0.5\n tag legacy: ['SV-86515', 'V-71891']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-204396'\n tag rid: 'SV-204396r880746_rule'\n tag stig_id: 'RHEL-07-010060'\n tag fix_id: 'F-4520r880745_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag subsystems: ['session', 'lock', 'gui', 'screensaver']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command('gsettings get 
org.gnome.desktop.screensaver lock-enabled') do\n its('stdout.strip') { should cmp 'true' }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204426.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204396.rb", "line": 1 }, - "id": "SV-204426" + "id": "SV-204396" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user\n initialization files executable search paths contain only paths that resolve to the users home directory.", - "desc": "The executable search path (typically the PATH environment variable) contains a list of directories for the\n shell to search to find executables. If this path includes the current working directory (other than the user's home\n directory), executables in these directories may be executed instead of system commands. This variable is formatted\n as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two\n consecutive colons, this is interpreted as the current working directory. If deviations from the default system\n search path for the local interactive user are required, they must be documented with the Information System\n Security Officer (ISSO).", + "title": "The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirects.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. 
These messages contain information from the system's route table, possibly revealing portions of the\n network topology.", "descriptions": { - "default": "The executable search path (typically the PATH environment variable) contains a list of directories for the\n shell to search to find executables. If this path includes the current working directory (other than the user's home\n directory), executables in these directories may be executed instead of system commands. This variable is formatted\n as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two\n consecutive colons, this is interpreted as the current working directory. If deviations from the default system\n search path for the local interactive user are required, they must be documented with the Information System\n Security Officer (ISSO).", - "check": "Verify that all local interactive user initialization files' executable search path statements do\n not contain statements that will reference a working directory other than the user's home directory.\n Check the executable search path statement for all local interactive user initialization files in the user's home\n directory with the following commands:\n Note: The example will be for the smithj user, which has a home directory of \"/home/smithj\".\n # grep -i path= /home/smithj/.*\n /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n If any local interactive user initialization files have executable search path statements that include directories\n outside of their home directory, this is a finding.", - "fix": "Edit the local interactive user initialization files to change any PATH variable statements that\n reference directories other than their home directory.\n If a local interactive user requires path variables to reference a directory owned by the application, it must be\n documented with the ISSO." 
+ "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages contain information from the system's route table, possibly revealing portions of the\n network topology.", + "check": "Verify the system does not send IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.all.send_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"all send_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects\n net.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a\n configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n net.ipv4.conf.all.send_redirects = 0\n Issue the following command to make the changes take effect:\n # sysctl --system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72035", - "SV-86659" + "V-72293", + "SV-86917" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204477", - "rid": "SV-204477r792828_rule", - "stig_id": "RHEL-07-020720", - "fix_id": "F-4601r88624_fix", + "gid": "V-204617", + "rid": "SV-204617r880821_rule", + "stig_id": "RHEL-07-040660", + "fix_id": "F-4741r880820_fix", "cci": [ "CCI-000366" ], 
@@ -3311,94 +3260,48 @@ "CM-6 b" ], "subsystems": [ - "init_files" + "kernel_parameter", + "ipv4" ], "host": null }, - "code": "control 'SV-204477' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user\n initialization files executable search paths contain only paths that resolve to the users home directory.'\n desc \"The executable search path (typically the PATH environment variable) contains a list of directories for the\n shell to search to find executables. If this path includes the current working directory (other than the user's home\n directory), executables in these directories may be executed instead of system commands. This variable is formatted\n as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two\n consecutive colons, this is interpreted as the current working directory. If deviations from the default system\n search path for the local interactive user are required, they must be documented with the Information System\n Security Officer (ISSO).\"\n desc 'check', %q(Verify that all local interactive user initialization files' executable search path statements do\n not contain statements that will reference a working directory other than the user's home directory.\n Check the executable search path statement for all local interactive user initialization files in the user's home\n directory with the following commands:\n Note: The example will be for the smithj user, which has a home directory of \"/home/smithj\".\n # grep -i path= /home/smithj/.*\n /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n If any local interactive user initialization files have executable search path statements that include directories\n outside of their home directory, this is a finding.)\n desc 'fix', 'Edit the local interactive user initialization files to change any PATH variable statements that\n reference directories other than their home 
directory.\n If a local interactive user requires path variables to reference a directory owned by the application, it must be\n documented with the ISSO.'\n impact 0.5\n tag legacy: ['V-72035', 'SV-86659']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204477'\n tag rid: 'SV-204477r792828_rule'\n tag stig_id: 'RHEL-07-020720'\n tag fix_id: 'F-4601r88624_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n grep_results = command(\"grep -i path --exclude=\\\".bash_history\\\" #{user_info.home}/.*\").stdout.split('\\\\n')\n grep_results.each do |result|\n result.slice! 'PATH='\n # Case when last value in exec search path is :\n result += ' ' if result[-1] == ':'\n result.slice! '$PATH:'\n result.gsub! '$HOME', user_info.home.to_s\n result.gsub! 
'~', user_info.home.to_s\n line_arr = result.split(':')\n line_arr.delete_at(0)\n line_arr.each do |line|\n # Don't run test on line that exports PATH and is not commented out\n next unless !line.start_with?('export') && !line.start_with?('#')\n\n # Case when :: found in exec search path or : found at beginning\n if line.strip.empty?\n curr_work_dir = command('pwd').stdout.gsub(\"\\n\", '')\n line = curr_work_dir if curr_work_dir.start_with?(user_info.home.to_s)\n end\n # This will fail if non-home directory found in path\n findings.add(line) unless line.start_with?(user_info.home)\n end\n end\n end\n describe.one do\n describe etc_fstab do\n its('home_mount_options') { should include 'nosuid' }\n end\n describe 'Initialization files that include executable search paths that include directories outside their home directories' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204477.rb", - "line": 1 - }, - "id": "SV-204477" - }, - { - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least 1 special character.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", - "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", - "check": "Verify the operating system enforces password complexity by requiring that at least 1 special\n character be used.\n Note: The value to require a number of special characters to be set is expressed as a negative number in\n \"/etc/security/pwquality.conf\".\n Check the value for \"ocredit\" in \"/etc/security/pwquality.conf\" with the following command:\n # grep ocredit /etc/security/pwquality.conf\n ocredit=-1\n If the value of \"ocredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least 1 special\n character be used by setting the \"ocredit\" option.\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n ocredit = -1" - }, - "impact": 0.5, - "refs": [], - "tags": { - "legacy": [ - "SV-86533", - "V-71909" - ], - "severity": "medium", - "gtitle": "SRG-OS-000266-GPOS-00101", - "gid": "V-204410", - "rid": "SV-204410r603261_rule", - "stig_id": "RHEL-07-010150", - "fix_id": "F-4534r88423_fix", - "cci": [ - "CCI-001619" - ], - "nist": [ - "IA-5 (1) (a)" - ], - "subsystems": [ - "pwquality", - "password" - ], - "host": null, - "container": null - }, - "code": "control 'SV-204410' do\n title \"The Red Hat Enterprise Linux operating system must 
be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least #{input('min_special_characters')} special character.\"\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', \"Verify the operating system enforces password complexity by requiring that at least #{input('min_special_characters')} special\n character be used.\n Note: The value to require a number of special characters to be set is expressed as a negative number in\n \\\"/etc/security/pwquality.conf\\\".\n Check the value for \\\"ocredit\\\" in \\\"/etc/security/pwquality.conf\\\" with the following command:\n # grep ocredit /etc/security/pwquality.conf\n ocredit=-#{input('min_special_characters')}\n If the value of \\\"ocredit\\\" is not set to a negative value, this is a finding.\"\n desc 'fix', \"Configure the operating system to enforce password complexity by requiring that at least #{input('min_special_characters')} special\n character be used by setting the \\\"ocredit\\\" option.\n Add the following line to \\\"/etc/security/pwquality.conf\\\" (or modify the line to have the required value):\n ocredit = -#{input('min_special_characters')}\"\n impact 0.5\n tag legacy: ['SV-86533', 'V-71909']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000266-GPOS-00101'\n tag gid: 'V-204410'\n tag rid: 'SV-204410r603261_rule'\n tag stig_id: 'RHEL-07-010150'\n tag fix_id: 'F-4534r88423_fix'\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 
'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('ocredit') { should cmp <= -input('min_special_characters') }\n end\nend\n", + "code": "control 'SV-204617' do\n title 'The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirects.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages contain information from the system's route table, possibly revealing portions of the\n network topology.\"\n desc 'check', 'Verify the system does not send IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.all.send_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"all send_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects\n net.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the system to not allow interfaces to perform IPv4 ICMP redirects.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a\n configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n net.ipv4.conf.all.send_redirects = 0\n Issue the following command to make the changes take effect:\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72293', 'SV-86917']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204617'\n tag rid: 
'SV-204617r880821_rule'\n tag stig_id: 'RHEL-07-040660'\n tag fix_id: 'F-4741r880820_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n send_redirects = 0\n config_file_values = command('grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [send_redirects.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set send_redirects to #{send_redirects}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.all.send_redirects' do\n subject { kernel_parameter('net.ipv4.conf.all.send_redirects') }\n its('value') { should eq send_redirects }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204410.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204617.rb", "line": 1 }, - "id": "SV-204410" + "id": "SV-204617" }, { - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account\n access events.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated 
from various components within the information system (e.g., module or policy\n filter).", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module\n syscalls.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system generates audit records when unsuccessful account access events occur.\n Check the file system rule in \"/etc/audit/audit.rules\" with the following commands:\n # grep -i /var/run/faillock /etc/audit/audit.rules\n -w /var/run/faillock -p wa -k logins\n If the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when unsuccessful account access events\n occur.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /var/run/faillock -p wa -k logins\n The audit daemon 
must be restarted for the changes to take effect." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep init_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"init_module\" and \"finit_module\" syscalls, this is a finding.", + "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\nThe audit daemon must be restarted for the changes to take effect." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72145",
- "SV-86769"
+ "V-72187",
+ "SV-86811"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000392-GPOS-00172",
+ "gtitle": "SRG-OS-000471-GPOS-00216",
 "satisfies": [
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000470-GPOS-00214",
- "SRG-OS-000473-GPOS-00218"
+ "SRG-OS-000471-GPOS-00216",
+ "SRG-OS-000477-GPOS-00222"
 ],
- "gid": "V-204540",
- "rid": "SV-204540r853930_rule",
- "stig_id": "RHEL-07-030610",
- "fix_id": "F-4664r88813_fix",
+ "gid": "V-204560",
+ "rid": "SV-204560r833172_rule",
+ "stig_id": "RHEL-07-030820",
+ "fix_id": "F-4684r833171_fix",
 "cci": [
- "CCI-000126",
- "CCI-000172",
- "CCI-002884"
+ "CCI-000172"
 ],
 "nist": [
- "AU-2 d",
- "AU-12 c",
- "MA-4 (1) (a)",
- "AU-2 c"
+ "AU-12 c"
 ],
 "subsystems": [
 "audit", 
@@ -3407,103 +3310,105 @@ ], "host": null }, - "code": "control 'SV-204540' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account\n access events.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system generates audit records when unsuccessful account access events occur.\n Check the file system rule in \"/etc/audit/audit.rules\" with the following commands:\n # grep -i /var/run/faillock /etc/audit/audit.rules\n -w /var/run/faillock -p wa -k logins\n If the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when unsuccessful account access events\n occur.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /var/run/faillock -p wa -k logins\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72145', 'SV-86769']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-204540'\n tag rid: 'SV-204540r853930_rule'\n tag stig_id: 'RHEL-07-030610'\n tag fix_id: 'F-4664r88813_fix'\n tag cci: ['CCI-000126', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-2 d', 'AU-12 c', 'MA-4 (1) (a)', 'AU-2 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/var/run/faillock'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must 
be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'logins'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", + "code": "control 'SV-204560' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module\n syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', 'Verify the operating system generates audit records upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep init_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"init_module\" and \"finit_module\" syscalls, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72187', 'SV-86811']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00216'\n tag satisfies: ['SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-204560'\n tag rid: 'SV-204560r833172_rule'\n tag stig_id: 'RHEL-07-030820'\n tag fix_id: 'F-4684r833171_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['init_module', 'finit_module']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n 
audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('modulechange')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204540.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204560.rb", "line": 1 }, - "id": "SV-204540" + "id": "SV-204560" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15\n minutes after 3 unsuccessful logon attempts within a 15-minute timeframe.", - "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.", + "title": "The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.", + "desc": "Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.", - "check": "Check that the system locks an account for a minimum of 15 minutes after 3 unsuccessful logon\n attempts within a period of 15 minutes with the following command:\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n account required pam_faillock.so\n If the \"deny\" parameter is set to \"0\" or a value greater than '3' on both \"auth\" lines with the \"pam_faillock.so\"\n module, or is missing from these lines, this is a finding.\n If the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing\n from these lines, this is a finding.\n If the \"fail_interval\" parameter is set to \"0\" or is set to a value less than '900' on both \"auth\" lines with the\n \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n If the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than '900' on both \"auth\" lines\n with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n Note: The maximum configurable value for \"unlock_time\" is \"604800\".\n If any line 
referencing the \"pam_faillock.so\" module is commented out, this is a finding.\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n account required pam_faillock.so\n If the \"deny\" parameter is set to \"0\" or a value greater than '3' on both \"auth\" lines with the \"pam_faillock.so\"\n module, or is missing from these lines, this is a finding.\n If the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing\n from these lines, this is a finding.\n If the \"fail_interval\" parameter is set to \"0\" or is set to a value less than '900' on both \"auth\" lines with the\n \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n If the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than '900' on both \"auth\" lines\n with the \"pam_faillock.so\" module or is missing from these lines, this is a finding.\n Note: The maximum configurable value for \"unlock_time\" is \"604800\".\n If any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.", - "fix": "Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom 
authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." + "default": "Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n $ sudo rpm -q aide\n\n aide-0.15.1-13.el7.x86_64\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a finding.\n\nIf AIDE is installed, check if it has been initialized with the following command:\n $ sudo /usr/sbin/aide --check\n\nIf the output is \"Couldn't open file /var/lib/aide/aide.db.gz for reading\", this is a finding.", + "fix": "Install AIDE, initialize it, and perform a manual check.\n\nInstall AIDE:\n $ sudo yum install aide\n\nInitialize it:\n $ sudo /usr/sbin/aide --init\n\n AIDE, version 0.15.1\n ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.\n\nThe new database will need to be renamed to be read by AIDE:\n $ sudo mv 
/var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nPerform a manual check:\n $ sudo /usr/sbin/aide --check\n\n AIDE, version 0.15.1\n ### All files match AIDE database. Looks okay!\n\nDone." }, "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "V-71943", - "SV-86567" - ], "severity": "medium", - "gtitle": "SRG-OS-000329-GPOS-00128", - "satisfies": [ - "SRG-OS-000329-GPOS-00128", - "SRG-OS-000021-GPOS-00005" - ], - "gid": "V-204427", - "rid": "SV-204427r880842_rule", - "stig_id": "RHEL-07-010320", - "fix_id": "F-4551r880841_fix", + "gtitle": "SRG-OS-000445-GPOS-00199", + "satisfies": null, + "gid": "V-251705", + "rid": "SV-251705r880854_rule", + "stig_id": "RHEL-07-020029", + "fix_id": "F-55096r880853_fix", "cci": [ - "CCI-000044", - "CCI-002236", - "CCI-002237", - "CCI-002238" + "CCI-002696" ], + "legacy": [], "nist": [ - "AC-7 a", - "AC-7 b", - "AC-7 b", - "AC-7 b" + "SI-6 a" ], "subsystems": [ - "pam", - "faillock" + "file_integrity_tool" ], "host": null, "container": null }, - "code": "control 'SV-204427' do\n title \"The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of #{input('lockout_time')/60}\n minutes after #{input('unsuccessful_attempts')} unsuccessful logon attempts within a #{input('fail_interval')/60}-minute timeframe.\"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by locking the account.\"\n desc 'check', \"Check that the system locks an account for a minimum of #{input('lockout_time')/60} minutes after #{input('unsuccessful_attempts')} unsuccessful logon\n attempts within a period of #{input('fail_interval')/60} minutes with the following command:\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n account required pam_faillock.so\n If the \\\"deny\\\" parameter is set to \\\"0\\\" or a value greater than '#{input('unsuccessful_attempts')}' on both \\\"auth\\\" lines with the \\\"pam_faillock.so\\\"\n module, or is missing from these lines, this is a finding.\n If the \\\"even_deny_root\\\" parameter is not set on both \\\"auth\\\" lines with the \\\"pam_faillock.so\\\" module, or is missing\n from these lines, this is a finding.\n If the \\\"fail_interval\\\" parameter is set to \\\"0\\\" or is set to a value less than '#{input('fail_interval')}' on both \\\"auth\\\" lines with the\n \\\"pam_faillock.so\\\" module, or is missing from these lines, this is a finding.\n If the \\\"unlock_time\\\" parameter is not set to \\\"0\\\", \\\"never\\\", or is set to a value less than '#{input('lockout_time')}' on both \\\"auth\\\" lines\n with the \\\"pam_faillock.so\\\" module, or is missing from these lines, this is a finding.\n Note: The maximum configurable value for \\\"unlock_time\\\" is \\\"604800\\\".\n If any line referencing the \\\"pam_faillock.so\\\" module is commented out, this is a finding.\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} 
even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n account required pam_faillock.so\n If the \\\"deny\\\" parameter is set to \\\"0\\\" or a value greater than '#{input('unsuccessful_attempts')}' on both \\\"auth\\\" lines with the \\\"pam_faillock.so\\\"\n module, or is missing from these lines, this is a finding.\n If the \\\"even_deny_root\\\" parameter is not set on both \\\"auth\\\" lines with the \\\"pam_faillock.so\\\" module, or is missing\n from these lines, this is a finding.\n If the \\\"fail_interval\\\" parameter is set to \\\"0\\\" or is set to a value less than '#{input('fail_interval')}' on both \\\"auth\\\" lines with the\n \\\"pam_faillock.so\\\" module, or is missing from these lines, this is a finding.\n If the \\\"unlock_time\\\" parameter is not set to \\\"0\\\", \\\"never\\\", or is set to a value less than '#{input('lockout_time')}' on both \\\"auth\\\" lines\n with the \\\"pam_faillock.so\\\" module or is missing from these lines, this is a finding.\n Note: The maximum configurable value for \\\"unlock_time\\\" is \\\"604800\\\".\n If any line referencing the \\\"pam_faillock.so\\\" module is commented out, this is a finding.\"\n desc 'fix', \"Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made.\n\nAdd/Modify the appropriate sections of the \\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail 
audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\naccount required pam_faillock.so\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.\"\n impact 0.5\n tag legacy: ['V-71943', 'SV-86567']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000329-GPOS-00128'\n tag satisfies: ['SRG-OS-000329-GPOS-00128', 'SRG-OS-000021-GPOS-00005']\n tag gid: 'V-204427'\n tag rid: 'SV-204427r880842_rule'\n tag stig_id: 'RHEL-07-010320'\n tag fix_id: 'F-4551r880841_fix'\n tag cci: ['CCI-000044', 'CCI-002236', 'CCI-002237', 'CCI-002238']\n tag nist: ['AC-7 a', 'AC-7 b', 'AC-7 b', 'AC-7 b']\n tag subsystems: ['pam', 'faillock']\n tag 'host'\n tag 'container'\n\n # pam rules files to check\n pa_rules = pam('/etc/pam.d/password-auth').lines\n sa_rules = pam('/etc/pam.d/system-auth').lines\n\n # rule patterns to match for\n faillock_rule_pattern = 'auth [default=die]|required pam_faillock.so'\n deny_pattern = faillock_rule_pattern + \" deny=#{input('unsuccessful_attempts')}\"\n fail_interval_pattern = faillock_rule_pattern + \" fail_interval=#{input('fail_interval')}\"\n unlock_time_pattern = faillock_rule_pattern + \" unlock_time=(0|never|#{input('lockout_time')})\"\n\n # explicit rulesets to look for\n req = input('required_rules')\n alt = input('alternate_rules')\n\n describe.one do\n describe 'pam rules for the faillock module' do\n it 'should exactly match an appropriately configured ruleset in password-auth' do\n expect(pa_rules).to match_pam_rules(req).exactly, \"missing required rules: #{req.select { |rule| !pa_rules.include?(rule) }}\"\n end\n end\n describe 'pam rules for the faillock module' do\n it 'should exactly match an appropriately configured ruleset in password-auth' do\n 
expect(pa_rules).to match_pam_rules(alt).exactly, \"missing alternate rules: #{alt.select { |rule| !pa_rules.include?(rule) }}\"\n end\n end\n end\n\n describe 'pam rules for the faillock module' do\n it 'should have the expected settings enabled in password-auth' do\n expect(pa_rules).to match_pam_rule(deny_pattern), \"missing: #{deny_pattern}\"\n expect(pa_rules).to match_pam_rule(fail_interval_pattern), \"missing: #{fail_interval_pattern}\"\n expect(pa_rules).to match_pam_rule(unlock_time_pattern), 'missing or misconfigured unlock_time'\n end\n end\n\n describe.one do\n describe 'pam rules for the faillock module' do\n it 'should exactly match an appropriately configured ruleset in system-auth' do\n expect(sa_rules).to match_pam_rules(req).exactly, \"missing required rules: #{req.select { |rule| !sa_rules.include?(rule) }}\"\n end\n end\n describe 'pam rules for the faillock module' do\n it 'should exactly match an appropriately configured ruleset in system-auth' do\n expect(sa_rules).to match_pam_rules(alt).exactly, \"missing alternate rules: #{alt.select { |rule| !sa_rules.include?(rule) }}\"\n end\n end\n end\n\n describe 'pam rules for the faillock module' do\n it 'should have the expected settings enabled in system-auth' do\n expect(sa_rules).to match_pam_rule(deny_pattern), \"missing: #{deny_pattern}\"\n expect(sa_rules).to match_pam_rule(fail_interval_pattern), \"missing: #{fail_interval_pattern}\"\n expect(sa_rules).to match_pam_rule(unlock_time_pattern), 'missing or misconfigured unlock_time'\n end\n end\nend\n", + "code": "control 'SV-251705' do\n title 'The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.'\n desc 'Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.'\n desc 'check', %q(Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n $ sudo rpm -q aide\n\n aide-0.15.1-13.el7.x86_64\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a finding.\n\nIf AIDE is installed, check if it has been initialized with the following command:\n $ sudo /usr/sbin/aide --check\n\nIf the output is \"Couldn't open file /var/lib/aide/aide.db.gz for reading\", this is a finding.)\n desc 'fix', 'Install AIDE, initialize it, and perform a manual check.\n\nInstall AIDE:\n $ sudo yum install aide\n\nInitialize it:\n $ sudo /usr/sbin/aide --init\n\n AIDE, version 0.15.1\n ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.\n\nThe new database will need to be renamed to be read by AIDE:\n $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nPerform a manual check:\n $ sudo /usr/sbin/aide --check\n\n AIDE, version 0.15.1\n ### All files match AIDE database. 
Looks okay!\n\nDone.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag satisfies: nil\n tag gid: 'V-251705'\n tag rid: 'SV-251705r880854_rule'\n tag stig_id: 'RHEL-07-020029'\n tag fix_id: 'F-55096r880853_fix'\n tag cci: ['CCI-002696']\n tag legacy: []\n tag nist: ['SI-6 a']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n tool = input('file_integrity_tool')\n\n if tool == 'aide'\n describe package('aide') do\n it { should be_installed }\n end\n\n aide_initialization = command('sudo /usr/sbin/aide --check').stdout.strip\n\n describe \"File integrity tool #{tool} should be initialized\" do\n subject { aide_initialization }\n it { should_not match /Couldn't\\sopen\\sfile/ }\n end\n else\n describe \"Manually review that #{tool} is installed and configured to perform file integrity checks\" do\n skip \"Manually review that #{tool} is installed and configured to perform file integrity checks\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204427.rb", + "ref": "./Red Hat 7 STIG/controls/SV-251705.rb", "line": 1 }, - "id": "SV-204427" + "id": "SV-251705" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate\n action when the audit storage volume is full.", - "desc": "Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing\n audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing\n audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.", - "check": "Verify the action the operating system takes if the disk the audit records are written to becomes\n full.\n To determine the action that takes place if the disk is full on the remote server, use the following command:\n # grep -i disk_full_action /etc/audisp/audisp-remote.conf\n disk_full_action = single\n If the value of the \"disk_full_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out,\n ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media,\n and to indicate the action taken when the disk is full on the remote server.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not take appropriate action when the disk is full on the remote server, this is a\n finding.", - "fix": "Configure the action the operating system takes if the disk the audit records are written to becomes\n full.\n Uncomment or edit the \"disk_full_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\",\n \"single\", or \"halt\", such as the following line:\n disk_full_action = single" + "default": "Reconstruction of harmful events or forensic analysis 
is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/sudo\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72087", - "SV-86711" + "V-72161", + "SV-86785" ], "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "gid": "V-204511", - "rid": "SV-204511r877390_rule", - "stig_id": "RHEL-07-030320", - "fix_id": "F-36314r602652_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-204548", + "rid": "SV-204548r861044_rule", + "stig_id": "RHEL-07-030690", + "fix_id": "F-4672r861043_fix", "cci": [ - "CCI-001851" + "CCI-000130", + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AU-4 (1)" + "AU-3", + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)", + "AU-3 a" ], "subsystems": [ "audit", - "audisp" + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204511' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate\n action when the audit storage volume is full.'\n desc 'Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing\n audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.'\n desc 'check', 'Verify the action the operating system takes if the disk the audit records are written to becomes\n full.\n To determine the action that takes place if the disk is full on the remote server, use the following command:\n # grep -i disk_full_action /etc/audisp/audisp-remote.conf\n disk_full_action = single\n If the value of the \"disk_full_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out,\n ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media,\n and to indicate the action taken when the disk is full on the remote server.\n If there is no evidence 
that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not take appropriate action when the disk is full on the remote server, this is a\n finding.'\n desc 'fix', 'Configure the action the operating system takes if the disk the audit records are written to becomes\n full.\n Uncomment or edit the \"disk_full_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\",\n \"single\", or \"halt\", such as the following line:\n disk_full_action = single'\n impact 0.5\n tag legacy: ['V-72087', 'SV-86711']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag gid: 'V-204511'\n tag rid: 'SV-204511r877390_rule'\n tag stig_id: 'RHEL-07-030320'\n tag fix_id: 'F-36314r602652_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('disk_full_action'.to_s) { should cmp input('expected_disk_full_action') }\n its('disk_full_action'.to_s) { should be_in ['syslog', 'single', 'halt'] }\n end\n end\nend\n", + "code": "control 'SV-204548' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/sudo\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72161', 'SV-86785']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204548'\n tag rid: 'SV-204548r861044_rule'\n tag stig_id: 'RHEL-07-030690'\n tag fix_id: 'F-4672r861043_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/sudo'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n 
else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204511.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204548.rb", "line": 1 }, - "id": "SV-204511" + "id": "SV-204548" }, { "title": "The Red Hat Enterprise Linux operating system must use a virus scan program.", 
@@ -3550,250 +3455,239 @@ "id": "SV-214801" }, { - "title": "The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.", - "desc": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating\n malicious activity.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr,\n removexattr, fremovexattr, and lremovexattr syscalls.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", "descriptions": { - "default": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating\n malicious activity.", - "check": "Verify the operating system disables the ability to automount devices.\n Check to see if automounter service is active with the following command:\n # systemctl status autofs\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n If the \"autofs\" status is set to \"active\" and is not documented with the Information System Security Officer (ISSO)\n as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to automount devices.\n Turn off the automount service with the following commands:\n # systemctl stop autofs\n # systemctl disable autofs\n If \"autofs\" is required for Network File System (NFS), it must be documented with the ISSO." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. 
Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep xattr /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n \"fremovexattr\", and \"lremovexattr\" syscalls, this is a finding.", + "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n The audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71985", - "SV-86609" + "SV-86735", + "V-72111" ], "severity": "medium", - "gtitle": "SRG-OS-000114-GPOS-00059", + "gtitle": "SRG-OS-000458-GPOS-00203", "satisfies": [ - "SRG-OS-000114-GPOS-00059", - "SRG-OS-000378-GPOS-00163", - "SRG-OS-000480-GPOS-00227" + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000064-GPOS-00033" ], - "gid": "V-204451", - "rid": "SV-204451r853893_rule", - "stig_id": "RHEL-07-020110", - "fix_id": "F-4575r88546_fix", - "cci": [ - "CCI-000366", - "CCI-000778", - "CCI-001958" + "gid": "V-204524", + "rid": "SV-204524r809775_rule", + "stig_id": "RHEL-07-030440", + "fix_id": "F-4648r809774_fix", + "cci": [ + "CCI-000172" ], "nist": [ - "CM-6 b", - "IA-3", - "IA-3" + "AU-12 c" ], "subsystems": [ - "file_system", - "nfs", - "autofs" + "audit", + "auditd", + "audit_rule" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204451' do\n title 'The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.'\n desc 'Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating\n malicious activity.'\n desc 'check', 'Verify the operating system disables the ability to automount devices.\n Check to see if automounter service is active with the following command:\n # systemctl status autofs\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n If the \"autofs\" status is set to \"active\" and is not documented with the Information System Security Officer (ISSO)\n as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to automount devices.\n Turn off the automount service with the following commands:\n # systemctl stop autofs\n # systemctl disable autofs\n If \"autofs\" is required for Network File System (NFS), it 
must be documented with the ISSO.'\n impact 0.5\n tag legacy: ['V-71985', 'SV-86609']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag satisfies: ['SRG-OS-000114-GPOS-00059', 'SRG-OS-000378-GPOS-00163', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-204451'\n tag rid: 'SV-204451r853893_rule'\n tag stig_id: 'RHEL-07-020110'\n tag fix_id: 'F-4575r88546_fix'\n tag cci: ['CCI-000366', 'CCI-000778', 'CCI-001958']\n tag nist: ['CM-6 b', 'IA-3', 'IA-3']\n tag subsystems: ['file_system', 'nfs', 'autofs']\n tag 'host'\n tag 'container'\n\n describe systemd_service('autofs.service') do\n it { should_not be_running }\n it { should_not be_enabled }\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-204524' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr,\n removexattr, fremovexattr, and lremovexattr syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', 'Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep xattr /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n \"fremovexattr\", and \"lremovexattr\" syscalls, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86735', 'V-72111']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000458-GPOS-00203'\n tag satisfies: ['SRG-OS-000458-GPOS-00203', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000064-GPOS-00033']\n tag gid: 'V-204524'\n tag rid: 'SV-204524r809775_rule'\n tag stig_id: 'RHEL-07-030440'\n tag fix_id: 'F-4648r809774_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n 
tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['setxattr', 'fsetxattr', 'lsetxattr', 'removexattr', 'fremovexattr', 'lremovexattr']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('perm_mod')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204451.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204524.rb", "line": 1 }, - "id": "SV-204451" + "id": "SV-204524" }, { - "title": "The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server\n that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server\n designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).", - "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis.\n Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis\n and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n Synchronizing internal information system clocks provides uniformity of time stamps for information systems with\n multiple system clocks and systems connected over a network.\n Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g.,\n mobile, teleworking, and tactical endpoints).", + "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from\n reuse for a minimum of 5 generations.", + "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at\n guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse\n their password when that password has exceeded its defined lifetime, the end result is a password that is not\n changed per policy requirements.", "descriptions": { - "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis.\n Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis\n and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n Synchronizing internal information system clocks provides uniformity of time stamps for information systems with\n multiple system clocks and systems connected over a network.\n Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g.,\n mobile, teleworking, and tactical endpoints).", - "check": "Check to see if NTP is running in continuous mode:\n # ps -ef | grep ntp\n If NTP is not running, check to see if \"chronyd\" is running in continuous mode:\n # ps -ef | grep chronyd\n If NTP or \"chronyd\" is not running, this is a finding.\n If the NTP process is found, then check the \"ntp.conf\" file for the \"maxpoll\" option setting:\n # grep maxpoll /etc/ntp.conf\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If the \"maxpoll\" option is set to a number greater than 16 or the line is commented out, this is a finding.\n If the file does not exist, check the \"/etc/cron.daily\" subdirectory for a crontab file controlling the execution of\n the \"ntpd -q\" command.\n # grep -i \"ntpd -q\" /etc/cron.daily/*\n # ls -al /etc/cron.* | grep ntp\n ntp\n If a crontab file does not exist in the \"/etc/cron.daily\" that executes the \"ntpd -q\" command, this is a finding.\n If the \"chronyd\" process is found, then check the \"chrony.conf\" file for the \"maxpoll\" option setting:\n # grep maxpoll /etc/chrony.conf\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If the option is not set or the line is commented out, this is a finding.", - "fix": "Edit the \"/etc/ntp.conf\" or \"/etc/chrony.conf\" file and add or update an entry to define \"maxpoll\" to\n \"16\" as follows:\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If NTP was running and \"maxpoll\" was updated, the NTP service must be restarted:\n # systemctl restart ntpd\n If NTP was not running, it must be started:\n # systemctl start ntpd\n If \"chronyd\" was running and \"maxpoll\" 
was updated, the service must be restarted:\n # systemctl restart chronyd.service\n If \"chronyd\" was not running, it must be started:\n # systemctl start chronyd.service" + "default": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at\n guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse\n their password when that password has exceeded its defined lifetime, the end result is a password that is not\n changed per policy requirements.", + "check": "Verify the operating system prohibits password reuse for a minimum of 5 generations.\n Check for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" with the\n following command:\n # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n If the line containing the \"pam_pwhistory.so\" line does not have the \"remember\" module argument set, is commented\n out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", + "fix": "Configure the operating system to prohibit password reuse for a minimum of 5 generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72269", - "SV-86893" + "V-71933", + "SV-86557" ], "severity": "medium", - "gtitle": "SRG-OS-000355-GPOS-00143", - "satisfies": [ - "SRG-OS-000355-GPOS-00143", - "SRG-OS-000356-GPOS-00144" - ], - "gid": "V-204603", - "rid": "SV-204603r877038_rule", - "stig_id": "RHEL-07-040500", - "fix_id": "F-4727r809210_fix", + "gtitle": "SRG-OS-000077-GPOS-00045", + "gid": "V-204422", + "rid": "SV-204422r880836_rule", + "stig_id": "RHEL-07-010270", + "fix_id": "F-4546r880835_fix", "cci": [ - "CCI-001891", - "CCI-002046" + "CCI-000200" ], "nist": [ - "AU-8 (1) (a)", - "AU-8 (1) (b)" + "IA-5 (1) (e)" ], "subsystems": [ - "ntp" + "pam", + "password" ], "host": null, "container": null }, - "code": "control 'SV-204603' do\n title \"The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server\n that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server\n designated for the appropriate #{input('org_name')[:acronym]} network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).\"\n desc 'Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis.\n Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis\n and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n Synchronizing internal information system clocks provides uniformity of time stamps for information systems with\n multiple system clocks and systems connected over a network.\n Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g.,\n mobile, teleworking, and tactical endpoints).'\n desc 'check', 'Check to see if NTP is running in continuous mode:\n # ps -ef | grep ntp\n If NTP is not running, check to see if \"chronyd\" is running in continuous mode:\n # ps -ef | grep chronyd\n If NTP or \"chronyd\" is not running, this is a finding.\n If the NTP process is found, then check the \"ntp.conf\" file for the \"maxpoll\" option setting:\n # grep maxpoll /etc/ntp.conf\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If the \"maxpoll\" option is set to a number greater than 16 or the line is commented out, this is a finding.\n If the file does not exist, check the \"/etc/cron.daily\" subdirectory for a crontab file controlling the execution of\n the \"ntpd -q\" command.\n # grep -i \"ntpd -q\" /etc/cron.daily/*\n # ls -al /etc/cron.* | grep ntp\n ntp\n If a crontab file does not exist in the \"/etc/cron.daily\" that executes the \"ntpd -q\" command, this is a finding.\n If the \"chronyd\" process is found, then check the \"chrony.conf\" file for the \"maxpoll\" option setting:\n # grep maxpoll /etc/chrony.conf\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If the option is not set or the line is commented out, this is a finding.'\n desc 'fix', 'Edit the \"/etc/ntp.conf\" or \"/etc/chrony.conf\" file and add or update an entry to define \"maxpoll\" to\n \"16\" as follows:\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If NTP was running and \"maxpoll\" was updated, the NTP service must be restarted:\n # systemctl restart ntpd\n If NTP was not running, it must be started:\n # systemctl start ntpd\n If \"chronyd\" was running and 
\"maxpoll\" was updated, the service must be restarted:\n # systemctl restart chronyd.service\n If \"chronyd\" was not running, it must be started:\n # systemctl start chronyd.service'\n impact 0.5\n tag legacy: ['V-72269', 'SV-86893']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000355-GPOS-00143'\n tag satisfies: ['SRG-OS-000355-GPOS-00143', 'SRG-OS-000356-GPOS-00144']\n tag gid: 'V-204603'\n tag rid: 'SV-204603r877038_rule'\n tag stig_id: 'RHEL-07-040500'\n tag fix_id: 'F-4727r809210_fix'\n tag cci: ['CCI-001891', 'CCI-002046']\n tag nist: ['AU-8 (1) (a)', 'AU-8 (1) (b)']\n tag subsystems: ['ntp']\n tag 'host'\n tag 'container'\n\n # Either ntpd or chronyd should be running\n describe.one do\n [service('ntpd'), service('chronyd')].each do |time_service|\n describe time_service do\n it { should be_running }\n it { should be_enabled }\n it { should be_installed }\n end\n end\n end\n\n if service('ntpd').installed?\n time_service = service('ntpd')\n time_sources = ntp_conf('/etc/ntp.conf').server\n max_poll_values = time_sources.map do |val|\n if val.match?(/.*maxpoll.*/)\n val.gsub(/.*maxpoll\\s+(\\d+)(\\s+.*|$)/,\n '\\1').to_i\n else\n 99\n end\n end\n ntpdate_crons = command('grep -l \"ntpd -q\" /etc/cron.daily/*').stdout.strip.lines\n\n describe 'ntpd time sources list' do\n subject { time_sources }\n it { should_not be_empty }\n end\n\n describe.one do\n # Case where maxpoll empty\n describe \"Daily cron jobs for 'ntpd -q'\" do\n subject { ntpdate_crons }\n it { should_not be_empty }\n end\n # All time sources must contain valid maxpoll entries\n describe 'ntpd maxpoll values (99=maxpoll absent)' do\n subject { max_poll_values }\n it { should all be <= input('maxpoll') }\n end\n end\n end\n\n if service('chronyd').installed?\n time_service = service('chronyd')\n time_sources = ntp_conf('/etc/chrony.conf').server\n max_poll_values = time_sources.map do |val|\n if val.match?(/.*maxpoll.*/)\n val.gsub(/.*maxpoll\\s+(\\d+)(\\s+.*|$)/,\n '\\1').to_i\n else\n 99\n 
end\n end\n\n describe 'chronyd time sources list' do\n subject { time_sources }\n it { should_not be_empty }\n end\n\n # All time sources must contain valid maxpoll entries\n describe 'chronyd maxpoll values (99=maxpoll absent)' do\n subject { max_poll_values }\n it { should all be <= input('maxpoll') }\n end\n end\nend\n", + "code": "control 'SV-204422' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from\n reuse for a minimum of #{input('min_reuse_generations')} generations.\"\n desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at\n guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse\n their password when that password has exceeded its defined lifetime, the end result is a password that is not\n changed per policy requirements.'\n desc 'check', \"Verify the operating system prohibits password reuse for a minimum of #{input('min_reuse_generations')} generations.\n Check for the value of the \\\"remember\\\" argument in \\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" with the\n following command:\n # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n password requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')}\n If the line containing the \\\"pam_pwhistory.so\\\" line does not have the \\\"remember\\\" module argument set, is commented\n out, or the value of the \\\"remember\\\" module argument is set to less than \\\"#{input('min_reuse_generations')}\\\", this is a finding.\"\n desc 'fix', \"Configure the operating system to prohibit password reuse for a minimum of #{input('min_reuse_generations')} generations.\n\nAdd the following line in \\\"/etc/pam.d/system-auth\\\" and \\\"/etc/pam.d/password-auth\\\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so 
use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')}\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.\"\n impact 0.5\n tag legacy: ['V-71933', 'SV-86557']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000077-GPOS-00045'\n tag gid: 'V-204422'\n tag rid: 'SV-204422r880836_rule'\n tag stig_id: 'RHEL-07-010270'\n tag fix_id: 'F-4546r880835_fix'\n tag cci: ['CCI-000200']\n tag nist: ['IA-5 (1) (e)']\n tag subsystems: ['pam', 'password']\n tag 'host'\n tag 'container'\n\n min_reuse_generations = input('min_reuse_generations')\n\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should match_pam_rule(\"password (required|requisite|sufficient) pam_(unix|pwhistory).so use_authtok remember=#{min_reuse_generations}\") }\n end\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule(\"password (required|requisite|sufficient) pam_(unix|pwhistory).so use_authtok remember=#{min_reuse_generations}\") }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204603.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204422.rb", "line": 1 }, - "id": "SV-204603" + "id": "SV-204422" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have\n mode 0644 or less permissive.", - "desc": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.", + "title": "The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a\n period of inactivity for graphical user interfaces.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not 
log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", "descriptions": { - "default": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.", - "check": "Verify the SSH public host key files have mode \"0644\" or less permissive.\n Note: SSH public key files may be found in other directories on the system depending on the installation.\n The following command will find all SSH public key files on the system:\n # find /etc/ssh -name '*.pub' -exec ls -lL {} \\;\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n If any file has a mode more permissive than \"0644\", this is a finding.", - "fix": "Note: SSH public key files may be found in other directories on the system depending on the\n installation.\n Change the mode of public host key files under \"/etc/ssh\" to \"0644\" with the following command:\n # chmod 0644 /etc/ssh/*.key.pub" + "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "check": "Verify the 
operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have a GNOME installed, this requirement is Not Applicable.\n\nCheck for the session lock settings with the following commands:\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/*\n idle-activation-enabled=true\n \nIf \"idle-activation-enabled\" is not set to \"true\", this is a finding.", + "fix": "Configure the operating system to initiate a session lock after a 15-minute period of inactivity for\n graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Add the setting to enable screensaver locking after 15 minutes of inactivity:\n [org/gnome/desktop/screensaver]\n idle-activation-enabled=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "V-72255", - "SV-86879" + "V-71899", + "SV-86523" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204596", - "rid": "SV-204596r603261_rule", - "stig_id": "RHEL-07-040410", - "fix_id": "F-4720r88981_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "gid": "V-204402", + "rid": "SV-204402r880782_rule", + "stig_id": "RHEL-07-010100", + "fix_id": "F-4526r880781_fix", "cci": [ - "CCI-000366" + "CCI-000057" ], "nist": [ - "CM-6 b" + "AC-11 a" ], "subsystems": [ - "ssh" + "gui", + "session", + "lock" ], "host": null }, - "code": "control 'SV-204596' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have\n mode 0644 or less permissive.'\n desc 'If a public host key file is modified by an unauthorized user, the SSH service may be compromised.'\n desc 'check', %q(Verify the SSH public host key files have mode \"0644\" or less permissive.\n Note: SSH public key files may be found in other directories on the system depending on the installation.\n The following command will find all SSH public key files on the system:\n # find /etc/ssh -name '*.pub' -exec ls -lL {} \\;\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n If any file has a mode more permissive than \"0644\", this is a finding.)\n desc 'fix', 'Note: SSH public key files may be found in other directories on the system depending on the\n installation.\n Change the mode of public host key files under \"/etc/ssh\" to \"0644\" with the following command:\n # chmod 0644 /etc/ssh/*.key.pub'\n impact 0.5\n tag legacy: ['V-72255', 'SV-86879']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204596'\n tag rid: 'SV-204596r603261_rule'\n tag stig_id: 'RHEL-07-040410'\n tag fix_id: 'F-4720r88981_fix'\n 
tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n pub_files = command(\"find #{input('public_host_key_directories').join(' ')} -xdev -name '*.pub'\").stdout.split(\"\\n\")\n if !pub_files.nil? and !pub_files.empty?\n pub_files.each do |pubfile|\n describe file(pubfile) do\n it { should_not be_more_permissive_than(input('public_host_key_file_mode')) }\n end\n end\n else\n describe 'No public host key files found.' do\n subject { pub_files.nil? or pub_files.empty? }\n it { should eq true }\n end\n end\n end\nend\n", + "code": "control 'SV-204402' do\n title 'The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a\n period of inactivity for graphical user interfaces.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', \"Verify the operating system initiates a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have a GNOME installed, this requirement is Not Applicable.\n\nCheck for the session lock settings with the following commands:\n\n # grep -i idle-activation-enabled 
/etc/dconf/db/local.d/*\n idle-activation-enabled=true\n \nIf \\\"idle-activation-enabled\\\" is not set to \\\"true\\\", this is a finding.\"\n desc 'fix', \"Configure the operating system to initiate a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for\n graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Add the setting to enable screensaver locking after #{input('system_activity_timeout')/60} minutes of inactivity:\n [org/gnome/desktop/screensaver]\n idle-activation-enabled=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.\"\n impact 0.5\n tag legacy: ['V-71899', 'SV-86523']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204402'\n tag rid: 'SV-204402r880782_rule'\n tag stig_id: 'RHEL-07-010100'\n tag fix_id: 'F-4526r880781_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui', 'session', 'lock']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command('gsettings get org.gnome.desktop.screensaver idle-activation-enabled') do\n its('stdout.strip') { should cmp 'true' }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204596.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204402.rb", "line": 1 }, - "id": "SV-204596" + "id": "SV-204402" }, { - "title": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate 
organizational\n users (or processes acting on behalf of organizational users) using multifactor authentication.", - "desc": "To assure accountability and prevent unauthenticated access, organizational users must be identified and\n authenticated to prevent potential misuse and compromise of the system.\n Organizational users include organizational employees or individuals the organization deems to have equivalent\n status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be\n uniquely identified and authenticated to all accesses, except for the following:\n 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions\n that can be performed on the information system without identification or authentication;\n and\n 2) Accesses that occur through authorized use of group authenticators without individual authentication.\n Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts)\n or for detailed accountability of individual activity.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for\n privilege escalation.", + "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n re-authenticate.", "descriptions": { - "default": "To assure accountability and prevent unauthenticated access, organizational users must be identified and\n authenticated to prevent potential misuse and compromise of the system.\n Organizational users include organizational employees or individuals the organization deems to have equivalent\n status of employees (e.g., contractors). 
Organizational users (and processes acting on behalf of users) must be\n uniquely identified and authenticated to all accesses, except for the following:\n 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions\n that can be performed on the information system without identification or authentication;\n and\n 2) Accesses that occur through authorized use of group authenticators without individual authentication.\n Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts)\n or for detailed accountability of individual activity.", - "check": "Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.\n\nCheck to see if smartcard authentication is enforced on the system:\n\n# authconfig --test | grep \"pam_pkcs11 is enabled\"\n\nIf no results are returned, this is a finding.\n\n# authconfig --test | grep \"smartcard removal action\"\n\nIf \"smartcard removal action\" is blank, this is a finding.\n\n# authconfig --test | grep \"smartcard module\"\n\nIf any of the above checks are not configured, ask the administrator to indicate the AO-approved multifactor authentication in use and the configuration to support it. If there is no evidence of multifactor authentication, this is a finding.", - "fix": "Configure the operating system to require individuals to be authenticated with a multifactor\n authenticator.\n Enable smartcard logons with the following commands:\n # authconfig --enablesmartcard --smartcardaction=0 --update\n # authconfig --enablerequiresmartcard -update\n Modify the \"/etc/pam_pkcs11/pkcs11_eventmgr.conf\" file to uncomment the following line:\n #/usr/X11R6/bin/xscreensaver-command -lock\n Modify the \"/etc/pam_pkcs11/pam_pkcs11.conf\" file to use the cackey module if required." 
+ "default": "Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n re-authenticate.", + "check": "Verify the operating system requires users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d\n\nIf any occurrences of \"NOPASSWD\" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.", + "fix": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n$ sudo visudo\n\nRemove any occurrences of \"NOPASSWD\" tags in the file.\n\nCheck the configuration of the /etc/sudoers.d/* files with the following command:\n$ sudo grep -ir nopasswd /etc/sudoers.d\n\nRemove any occurrences of \"NOPASSWD\" tags in the file." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71965", - "SV-86589" + "V-71947", + "SV-86571" ], "severity": "medium", - "gtitle": "SRG-OS-000104-GPOS-00051", + "gtitle": "SRG-OS-000373-GPOS-00156", "satisfies": [ - "SRG-OS-000104-GPOS-00051", - "SRG-OS-000106-GPOS-00053", - "SRG-OS-000107-GPOS-00054", - "SRG-OS-000109-GPOS-00056", - "SRG-OS-000108-GPOS-00055", - "SRG-OS-000108-GPOS-00057", - "SRG-OS-000108-GPOS-00058" + "SRG-OS-000373-GPOS-00156", + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00158" ], - "gid": "V-204441", - "rid": "SV-204441r818813_rule", - "stig_id": "RHEL-07-010500", - "fix_id": "F-4565r88516_fix", + "gid": "V-204429", + "rid": "SV-204429r861003_rule", + "stig_id": "RHEL-07-010340", + "fix_id": "F-36303r861002_fix", "cci": [ - "CCI-000766" + "CCI-002038" ], "nist": [ - "IA-2 (2)" + "IA-11" ], "subsystems": [ - "pam", - "smartcard" + "sudo" ], "host": null }, - "code": "control 'SV-204441' do\n title 'The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational\n users (or processes acting on behalf of organizational users) using multifactor authentication.'\n desc 'To assure accountability and prevent unauthenticated access, organizational users must be identified and\n authenticated to prevent potential misuse and compromise of the system.\n Organizational users include organizational employees or individuals the organization deems to have equivalent\n status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be\n uniquely identified and authenticated to all accesses, except for the following:\n 1) Accesses explicitly identified and documented by the organization. 
Organizations document specific user actions\n that can be performed on the information system without identification or authentication;\n and\n 2) Accesses that occur through authorized use of group authenticators without individual authentication.\n Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts)\n or for detailed accountability of individual activity.'\n desc 'check', 'Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.\n\nCheck to see if smartcard authentication is enforced on the system:\n\n# authconfig --test | grep \"pam_pkcs11 is enabled\"\n\nIf no results are returned, this is a finding.\n\n# authconfig --test | grep \"smartcard removal action\"\n\nIf \"smartcard removal action\" is blank, this is a finding.\n\n# authconfig --test | grep \"smartcard module\"\n\nIf any of the above checks are not configured, ask the administrator to indicate the AO-approved multifactor authentication in use and the configuration to support it. 
If there is no evidence of multifactor authentication, this is a finding.'\n desc 'fix', 'Configure the operating system to require individuals to be authenticated with a multifactor\n authenticator.\n Enable smartcard logons with the following commands:\n # authconfig --enablesmartcard --smartcardaction=0 --update\n # authconfig --enablerequiresmartcard -update\n Modify the \"/etc/pam_pkcs11/pkcs11_eventmgr.conf\" file to uncomment the following line:\n #/usr/X11R6/bin/xscreensaver-command -lock\n Modify the \"/etc/pam_pkcs11/pam_pkcs11.conf\" file to use the cackey module if required.'\n impact 0.5\n tag legacy: ['V-71965', 'SV-86589']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000104-GPOS-00051'\n tag satisfies: ['SRG-OS-000104-GPOS-00051', 'SRG-OS-000106-GPOS-00053', 'SRG-OS-000107-GPOS-00054', 'SRG-OS-000109-GPOS-00056', 'SRG-OS-000108-GPOS-00055', 'SRG-OS-000108-GPOS-00057', 'SRG-OS-000108-GPOS-00058']\n tag gid: 'V-204441'\n tag rid: 'SV-204441r818813_rule'\n tag stig_id: 'RHEL-07-010500'\n tag fix_id: 'F-4565r88516_fix'\n tag cci: ['CCI-000766']\n tag nist: ['IA-2 (2)']\n tag subsystems: ['pam', 'smartcard']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n smart_card_status = input('smart_card_status')\n if smart_card_status.eql?('enabled')\n impact 0.5\n describe command(\"authconfig --test | grep 'pam_pkcs11'\") do\n its('stdout') { should match(/pam_pkcs11\\sis\\senabled/) }\n end\n describe command('authconfig --test | grep -i smartcard') do\n its('stdout') { should match(/use\\sonly\\ssmartcard\\sfor\\slogin\\sis\\s#{smart_card_status}/) }\n its('stdout') { should match(/smartcard\\smodule\\s=\\s\".+\"/) }\n its('stdout') { should match(/smartcard\\sremoval\\saction\\s=\\s\".+\"/) }\n end\n else\n impact 0.0\n describe 'The system is not smartcard enabled' do\n skip 'The system is not using Smartcards / 
PIVs to fulfil the MFA requirement, this control is Not Applicable.'\n end\n end\n end\nend\n", + "code": "control 'SV-204429' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for\n privilege escalation.'\n desc 'Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n re-authenticate.'\n desc 'check', 'Verify the operating system requires users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d\n\nIf any occurrences of \"NOPASSWD\" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.'\n desc 'fix', 'Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n$ sudo visudo\n\nRemove any occurrences of \"NOPASSWD\" tags in the file.\n\nCheck the configuration of the /etc/sudoers.d/* files with the following command:\n$ sudo grep -ir nopasswd /etc/sudoers.d\n\nRemove any occurrences of \"NOPASSWD\" tags in the file.'\n impact 0.5\n tag legacy: ['V-71947', 'SV-86571']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-204429'\n tag rid: 'SV-204429r861003_rule'\n tag stig_id: 'RHEL-07-010340'\n tag fix_id: 'F-36303r861002_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 
0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n processed = []\n to_process = ['/etc/sudoers', '/etc/sudoers.d']\n\n until to_process.empty?\n in_process = to_process.pop\n next if processed.include? in_process\n\n processed.push in_process\n\n if file(in_process).directory?\n to_process.concat(\n command(\"find #{in_process} -maxdepth 1 -mindepth 1\")\n .stdout.strip.split(\"\\n\")\n .select { |f| file(f).file? }\n )\n elsif file(in_process).file?\n to_process.concat(\n command(\"grep -E '#include\\\\s+' #{in_process} | sed 's/.*#include[[:space:]]*//g'\")\n .stdout.strip.split(\"\\n\")\n .map do |f|\n if f.start_with?('/')\n f\n else\n File.join(\n File.dirname(in_process), f\n )\n end\n end\n .select do |f|\n file(f).exist?\n end\n )\n to_process.concat(\n command(\"grep -E '#includedir\\\\s+' #{in_process} | sed 's/.*#includedir[[:space:]]*//g'\")\n .stdout.strip.split(\"\\n\")\n .map do |f|\n if f.start_with?('/')\n f\n else\n File.join(\n File.dirname(in_process), f\n )\n end\n end\n .select do |f|\n file(f).exist?\n end\n )\n end\n end\n\n sudoers = processed.select { |f| file(f).file? 
}\n\n sudoers.each do |sudoer|\n sudo_content = file(sudoer).content.strip.split(\"\\n\")\n nopasswd_lines = sudo_content.select { |l| l.match?(/^[^#].*NOPASSWD/) }\n describe \"#{sudoer} rules containing NOPASSWD\" do\n subject { nopasswd_lines }\n it { should be_empty }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204441.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204429.rb", "line": 1 }, - "id": "SV-204441" + "id": "SV-204429" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories are group-owned by a group of which the home directory owner is\n a member.", - "desc": "If a local interactive user's files are group-owned by a group of which the user is not a member, unintended\n users may be able to access them.", + "title": "The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only\n encrypted representations of passwords.", + "desc": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", "descriptions": { - "default": "If a local interactive user's files are group-owned by a group of which the user is not a member, unintended\n users may be able to access them.", - "check": "Verify all files and directories in a local interactive user home directory are group-owned by a\n group the user is a member of.\n Check the group owner of all files and directories in a local interactive user's home directory with the following\n command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n # ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n If any files are found with an owner different than the group home directory user, check to see if the user is a\n member of that group with the following command:\n # grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is\n a finding.", - "fix": "Change the group of a local interactive user's files and directories to a group that the interactive\n user is a member of. To change the group owner of a local interactive user's files and directories, use the\n following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the\n users group.\n # chgrp users /home/smithj/" + "default": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", + "check": "Verify the system's shadow file is configured to store only encrypted representations of passwords.\n The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n Check that the system is configured to create SHA512 hashed passwords with the following command:\n # grep -i encrypt /etc/login.defs\n ENCRYPT_METHOD SHA512\n If the \"/etc/login.defs\" configuration file does not exist or allows for password hashes other than SHA512 to be\n used, this is a finding.", + "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n Add or update the following line in \"/etc/login.defs\":\n ENCRYPT_METHOD SHA512" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72025", - "SV-86649" + "V-71921", + "SV-86545" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204472", - "rid": "SV-204472r603261_rule", - "stig_id": "RHEL-07-020670", - "fix_id": "F-4596r88609_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-204416", + "rid": "SV-204416r877397_rule", + "stig_id": "RHEL-07-010210", + "fix_id": "F-4540r88441_fix", "cci": [ - "CCI-000366" + "CCI-000196" ], "nist": [ - "CM-6 b" + "IA-5 (1) (c)" ], "subsystems": [ - "home_dirs" + "login_defs", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204472' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories are group-owned by a group of which the home directory owner is\n a member.'\n desc \"If a local interactive user's files are group-owned by a group of which the user is not a member, unintended\n users may be able to access them.\"\n desc 'check', %q(Verify all files and directories in a local interactive user home directory are group-owned by a\n group 
the user is a member of.\n Check the group owner of all files and directories in a local interactive user's home directory with the following\n command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n # ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n If any files are found with an owner different than the group home directory user, check to see if the user is a\n member of that group with the following command:\n # grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is\n a finding.)\n desc 'fix', %q(Change the group of a local interactive user's files and directories to a group that the interactive\n user is a member of. To change the group owner of a local interactive user's files and directories, use the\n following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the\n users group.\n # chgrp users /home/smithj/)\n impact 0.5\n tag legacy: ['V-72025', 'SV-86649']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204472'\n tag rid: 'SV-204472r603261_rule'\n tag stig_id: 'RHEL-07-020670'\n tag fix_id: 'F-4596r88609_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where 
do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n find_args = ''\n user_info.groups.each do |curr_group|\n # some key files and secure dirs (like .ssh) are group owned 'root'\n find_args += \"-not -group #{curr_group} -o root\"\n end\n findings += command(\"find #{user_info.home} -xdev -xautofs #{find_args}\").stdout.split(\"\\n\")\n end\n describe \"Home directory files with incorrect group ownership or not 'root' owned\" do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-204416' do\n title 'The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only\n encrypted representations of passwords.'\n desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.'\n desc 'check', %q(Verify the system's shadow file is configured to store only encrypted representations of passwords.\n The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n Check that the system is configured to create SHA512 hashed passwords with the following command:\n # grep -i encrypt /etc/login.defs\n ENCRYPT_METHOD SHA512\n If the \"/etc/login.defs\" configuration file does not exist or allows for password hashes other than SHA512 to be\n used, this is a finding.)\n desc 'fix', 'Configure the operating system to store only SHA512 encrypted representations of passwords.\n Add or update the following line in \"/etc/login.defs\":\n ENCRYPT_METHOD SHA512'\n impact 0.5\n tag legacy: ['V-71921', 'SV-86545']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-204416'\n tag rid: 'SV-204416r877397_rule'\n tag stig_id: 'RHEL-07-010210'\n tag fix_id: 'F-4540r88441_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag subsystems: ['login_defs', 'password']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('ENCRYPT_METHOD') { should cmp 'SHA512' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204472.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204416.rb", "line": 1 }, - "id": "SV-204472" + "id": "SV-204416" }, { - "title": "The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4)\n Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.", - "desc": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification\n attacks.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using known hosts authentication.", + "desc": "Configuring this setting for the SSH daemon 
provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", "descriptions": { - "default": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification\n attacks.", - "check": "Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.\n\n # grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" + "default": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", + "check": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n To determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run the following command:\n # grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n IgnoreUserKnownHosts yes\n If the value is returned as \"no\", the 
returned line is commented out, or no output is returned, this is a finding.", + "fix": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n IgnoreUserKnownHosts yes\n The SSH service must be restarted for changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72287", - "SV-86911" + "V-72249", + "SV-86873" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204613", - "rid": "SV-204613r880809_rule", - "stig_id": "RHEL-07-040630", - "fix_id": "F-4737r880808_fix", + "gid": "V-204593", + "rid": "SV-204593r603261_rule", + "stig_id": "RHEL-07-040380", + "fix_id": "F-4717r88972_fix", "cci": [ "CCI-000366" ], 
@@ -3801,39 +3695,38 @@ "CM-6 b" ], "subsystems": [ - "kernel_parameter", - "ipv4" + "ssh" ], "host": null }, - "code": "control 'SV-204613' do\n title 'The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4)\n Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.'\n desc 'Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification\n attacks.'\n desc 'check', 'Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.\n\n # grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72287', 'SV-86911']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204613'\n tag rid: 'SV-204613r880809_rule'\n tag stig_id: 'RHEL-07-040630'\n tag fix_id: 'F-4737r880808_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 
'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n icmp_echo_ignore_broadcasts = 1\n\n config_file_values = command('grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [icmp_echo_ignore_broadcasts.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set icmp_echo_ignore_broadcasts to #{icmp_echo_ignore_broadcasts}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.icmp_echo_ignore_broadcasts' do\n subject { kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') }\n its('value') { should eq icmp_echo_ignore_broadcasts }\n end\n end\nend\n", + "code": "control 'SV-204593' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using known hosts authentication.'\n desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow authentication using known hosts authentication.\n To determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run the following command:\n # grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n IgnoreUserKnownHosts yes\n If the value is returned as 
\"no\", the returned line is commented out, or no output is returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow authentication using known hosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n IgnoreUserKnownHosts yes\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['V-72249', 'SV-86873']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204593'\n tag rid: 'SV-204593r603261_rule'\n tag stig_id: 'RHEL-07-040380'\n tag fix_id: 'F-4717r88972_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('IgnoreUserKnownHosts') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204613.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204593.rb", "line": 1 }, - "id": "SV-204613" + "id": "SV-204593" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not\n execute world-writable programs.", - "desc": "If user start-up files execute world-writable programs, especially in\n unprotected directories, they could be maliciously modified to destroy user\n files or otherwise compromise the system at the user level. 
If the system is\n compromised at the user level, it is easier to elevate privileges to eventually\n compromise the system at the root and network level.", + "title": "The Red Hat Enterprise Linux operating system must use a separate file system for /var.", + "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", "descriptions": { - "default": "If user start-up files execute world-writable programs, especially in\n unprotected directories, they could be maliciously modified to destroy user\n files or otherwise compromise the system at the user level. If the system is\n compromised at the user level, it is easier to elevate privileges to eventually\n compromise the system at the root and network level.", - "check": "Verify that local initialization files do not execute world-writable programs.\n Check the system for world-writable files with the following command:\n # find / -xdev -perm -002 -type f -exec ls -ld {} \\; | more\n For all files listed, check for their presence in the local initialization files with the following commands:\n Note: The example will be for a system that is configured to create users' home directories in the \"/home\"\n directory.\n # grep /home/*/.*\n If any local initialization files are found to reference world-writable files, this is a finding.", - "fix": "Set the mode on files being executed by the local initialization files with\nthe following command:\n\n # chmod 0755 " + "default": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", + "check": "Verify that a separate file system/partition has been created for \"/var\".\n Check that a file system/partition has been created for \"/var\" with the following command:\n # grep /var /etc/fstab\n UUID=c274f65f /var ext4 noatime,nobarrier 1 2\n If a separate entry for \"/var\" is not in use, 
this is a finding.", + "fix": "Migrate the \"/var\" path onto a separate file system." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "SV-86661", - "V-72037" + "V-72061", + "SV-86685" ], - "severity": "medium", + "severity": "low", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204478", - "rid": "SV-204478r603261_rule", - "stig_id": "RHEL-07-020730", - "fix_id": "F-4602r88627_fix", + "gid": "V-204494", + "rid": "SV-204494r603261_rule", + "stig_id": "RHEL-07-021320", + "fix_id": "F-4618r88675_fix", "cci": [ "CCI-000366" ], 
@@ -3841,38 +3734,39 @@ "CM-6 b" ], "subsystems": [ - "init_files" + "/var", + "file_system" ], "host": null }, - "code": "control 'SV-204478' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not\n execute world-writable programs.'\n desc 'If user start-up files execute world-writable programs, especially in\n unprotected directories, they could be maliciously modified to destroy user\n files or otherwise compromise the system at the user level. If the system is\n compromised at the user level, it is easier to elevate privileges to eventually\n compromise the system at the root and network level.'\n desc 'check', %q(Verify that local initialization files do not execute world-writable programs.\n Check the system for world-writable files with the following command:\n # find / -xdev -perm -002 -type f -exec ls -ld {} \\; | more\n For all files listed, check for their presence in the local initialization files with the following commands:\n Note: The example will be for a system that is configured to create users' home directories in the \"/home\"\n directory.\n # grep /home/*/.*\n If any local initialization files are found to reference world-writable files, this is a finding.)\n desc 'fix', 'Set the mode on files being executed by the local initialization files with\nthe following command:\n\n # chmod 0755 '\n impact 0.5\n tag legacy: ['SV-86661', 'V-72037']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204478'\n tag rid: 'SV-204478r603261_rule'\n tag stig_id: 'RHEL-07-020730'\n tag fix_id: 'F-4602r88627_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = 
input('non_interactive_shells')\n\n if input('disable_slow_controls')\n describe \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute. You must enable this control for a\n full accredidation for production.\"\n end\n else\n ignore_shells = non_interactive_shells.join('|')\n\n # Get home directory for users with UID >= 1000 or UID == 0 and support interactive logins.\n dotfiles = Set[]\n u = users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries\n # For each user, build and execute a find command that identifies initialization files\n # in a user's home directory.\n u.each do |user|\n dotfiles += command(\"find #{user.home} -xdev -maxdepth 2 ( -name '.*' ! -name '.bash_history' ) -type f\").stdout.split(\"\\n\")\n end\n ww_files = Set[]\n ww_files = command('find / -xdev -perm -002 -type f -exec ls {} \\;').stdout.lines\n\n # To reduce the number of commands ran, we use a pattern file in the grep command below\n # So we don't have too long of a grep command, we chunk the list of ww_files\n # into strings not longer than PATTERN_FILE_MAX_LENGTH\n # Based on MAX_ARG_STRLEN, /usr/include/linux/binfmts.h\n # We cut off 100 to leave room for the rest of the arguments\n PATTERN_FILE_MAX_LENGTH = command('getconf PAGE_SIZE').stdout.to_i * 32 - 100\n ww_chunked = ['']\n ww_files.each do |item|\n item = item.strip\n if item.length + \"\\n\".length > PATTERN_FILE_MAX_LENGTH\n raise 'Single pattern is longer than PATTERN_FILE_MAX_LENGTH'\n end\n\n if ww_chunked[-1].length + \"\\n\".length + item.length > PATTERN_FILE_MAX_LENGTH\n ww_chunked.append('')\n end\n ww_chunked[-1] += \"\\n\" + item # This will leave an extra newline at the beginning of chunks\n end\n ww_chunked = ww_chunked.map(&:strip) # This gets rid of the beginning newlines\n if ww_chunked[0] == 
''\n ww_chunked = [] # If we didn't have any ww_files, this will prevent an empty grep pattern\n end\n\n # Check each dotfile for existence of each world-writeable file\n findings = Set[]\n dotfiles.each do |dotfile|\n dotfile = dotfile.strip\n ww_chunked.each do |ww_pattern_file|\n count = command(\"grep -c -f <(echo \\\"#{ww_pattern_file}\\\") \\\"#{dotfile}\\\"\").stdout.strip.to_i\n findings << dotfile if count > 0\n end\n end\n describe 'Local initialization files that are found to reference world-writable files' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\n end\nend\n", + "code": "control 'SV-204494' do\n title 'The Red Hat Enterprise Linux operating system must use a separate file system for /var.'\n desc 'The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system/partition has been created for \"/var\".\n Check that a file system/partition has been created for \"/var\" with the following command:\n # grep /var /etc/fstab\n UUID=c274f65f /var ext4 noatime,nobarrier 1 2\n If a separate entry for \"/var\" is not in use, this is a finding.'\n desc 'fix', 'Migrate the \"/var\" path onto a separate file system.'\n impact 0.3\n tag legacy: ['V-72061', 'SV-86685']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204494'\n tag rid: 'SV-204494r603261_rule'\n tag stig_id: 'RHEL-07-021320'\n tag fix_id: 'F-4618r88675_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['/var', 'file_system']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe etc_fstab.where { mount_point == '/var/log' } do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204478.rb", + "ref": 
"./Red Hat 7 STIG/controls/SV-204494.rb", "line": 1 }, - "id": "SV-204478" + "id": "SV-204494" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled\n except to fulfill documented and validated mission requirements.", - "desc": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack\n when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect\n clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no''\n setting.\n X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host\n (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An\n attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also\n enabled.\n If X11 services are not required for the system's intended function, they should be disabled or restricted as\n appropriate to the system’s needs.", + "title": "The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny\n system access to specific hosts and services.", + "desc": "If the systems access control program is not configured with appropriate rules for allowing and denying\n access to system network resources, services may be accessible to unauthorized hosts.", "descriptions": { - "default": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack\n when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect\n clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no''\n setting.\n X11 forwarding should be enabled with caution. 
Users with the ability to bypass file permissions on the remote host\n (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An\n attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also\n enabled.\n If X11 services are not required for the system's intended function, they should be disabled or restricted as\n appropriate to the system’s needs.", - "check": "Determine if X11Forwarding is disabled with the following command:\n # grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"\n X11Forwarding no\n If the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System Security Officer\n (ISSO) as an operational requirement or is missing, this is a finding.", - "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and\n set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor):\n X11Forwarding no\n The SSH service must be restarted for changes to take effect:\n # systemctl restart sshd" + "default": "If the systems access control program is not configured with appropriate rules for allowing and denying\n access to system network resources, services may be accessible to unauthorized hosts.", + "check": "If the \"firewalld\" package is not installed, ask the System Administrator (SA) if another firewall\n application (such as iptables) is installed. 
If an application firewall is not installed, this is a finding.\n Verify the system's access control program is configured to grant or deny system access to specific hosts.\n Check to see if \"firewalld\" is active with the following command:\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n If \"firewalld\" is active, check to see if it is configured to grant or deny access to specific hosts or services\n with the following commands:\n # firewall-cmd --get-default-zone\n public\n # firewall-cmd --list-all --zone=public\n public (active)\n target: default\n icmp-block-inversion: no\n interfaces: eth0\n sources:\n services: mdns ssh\n ports:\n protocols:\n masquerade: no\n forward-ports:\n icmp-blocks:\n If \"firewalld\" is not active, determine whether \"tcpwrappers\" is being used by checking whether the \"hosts.allow\"\n and \"hosts.deny\" files are empty with the following commands:\n # ls -al /etc/hosts.allow\n rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n # ls -al /etc/hosts.deny\n -rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n If \"firewalld\" and \"tcpwrappers\" are not installed, configured, and active, ask the SA if another access control\n program (such as iptables) is installed and active. 
Ask the SA to show that the running configuration grants or\n denies access to specific hosts or services.\n If \"firewalld\" is active and is not configured to grant access to specific hosts or \"tcpwrappers\" is not configured\n to grant or deny access to specific hosts, this is a finding.", + "fix": "If \"firewalld\" is installed and active on the system, configure rules for allowing specific services\n and hosts.\n If \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring \"/etc/hosts.allow\" and \"/etc/hosts.deny\" to\n allow or deny access to specific hosts." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86927", - "V-72303" + "SV-86939", + "V-72315" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204622", - "rid": "SV-204622r603849_rule", - "stig_id": "RHEL-07-040710", - "fix_id": "F-4746r622312_fix", + "gid": "V-204628", + "rid": "SV-204628r603261_rule", + "stig_id": "RHEL-07-040810", + "fix_id": "F-4752r89077_fix", "cci": [ "CCI-000366" ], 
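Review bot: The embedded InSpec code for SV-204494 on the new side tests `etc_fstab.where { mount_point == '/var/log' }`, while the control's title, check text, fix text and stig_id (RHEL-07-021320) all concern a separate file system for `/var`, so the automated check passes a host where only `/var/log` is a dedicated mount and fails one whose `/var` is separate but `/var/log` is not. The describe line should read `describe etc_fstab.where { mount_point == '/var' } do`. An exact mount_point match matters here because the written check's `grep /var /etc/fstab` also matches `/var/log` or `/var/tmp` entries, so the code is the only place the intent is enforced precisely. Nothing else in the control's descriptions or tags needs to change.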
@@ -3880,148 +3774,128 @@ "CM-6 b" ], "subsystems": [ - "ssh" + "iptables", + "firewall" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204622' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled\n except to fulfill documented and validated mission requirements.'\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack\n when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect\n clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no''\n setting.\n X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host\n (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An\n attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also\n enabled.\n If X11 services are not required for the system's intended function, they should be disabled or restricted as\n appropriate to the system’s needs.\"\n desc 'check', 'Determine if X11Forwarding is disabled with the following command:\n # grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"\n X11Forwarding no\n If the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System Security Officer\n (ISSO) as an operational requirement or is missing, this is a finding.'\n desc 'fix', 'Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and\n set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor):\n X11Forwarding no\n The SSH service must be restarted for changes to take effect:\n # systemctl restart sshd'\n 
impact 0.5\n tag legacy: ['SV-86927', 'V-72303']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204622'\n tag rid: 'SV-204622r603849_rule'\n tag stig_id: 'RHEL-07-040710'\n tag fix_id: 'F-4746r622312_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\n end\nend\n", + "code": "control 'SV-204628' do\n title 'The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny\n system access to specific hosts and services.'\n desc 'If the systems access control program is not configured with appropriate rules for allowing and denying\n access to system network resources, services may be accessible to unauthorized hosts.'\n desc 'check', %q(If the \"firewalld\" package is not installed, ask the System Administrator (SA) if another firewall\n application (such as iptables) is installed. 
If an application firewall is not installed, this is a finding.\n Verify the system's access control program is configured to grant or deny system access to specific hosts.\n Check to see if \"firewalld\" is active with the following command:\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n If \"firewalld\" is active, check to see if it is configured to grant or deny access to specific hosts or services\n with the following commands:\n # firewall-cmd --get-default-zone\n public\n # firewall-cmd --list-all --zone=public\n public (active)\n target: default\n icmp-block-inversion: no\n interfaces: eth0\n sources:\n services: mdns ssh\n ports:\n protocols:\n masquerade: no\n forward-ports:\n icmp-blocks:\n If \"firewalld\" is not active, determine whether \"tcpwrappers\" is being used by checking whether the \"hosts.allow\"\n and \"hosts.deny\" files are empty with the following commands:\n # ls -al /etc/hosts.allow\n rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n # ls -al /etc/hosts.deny\n -rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n If \"firewalld\" and \"tcpwrappers\" are not installed, configured, and active, ask the SA if another access control\n program (such as iptables) is installed and active. 
Ask the SA to show that the running configuration grants or\n denies access to specific hosts or services.\n If \"firewalld\" is active and is not configured to grant access to specific hosts or \"tcpwrappers\" is not configured\n to grant or deny access to specific hosts, this is a finding.)\n desc 'fix', 'If \"firewalld\" is installed and active on the system, configure rules for allowing specific services\n and hosts.\n If \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring \"/etc/hosts.allow\" and \"/etc/hosts.deny\" to\n allow or deny access to specific hosts.'\n impact 0.5\n tag legacy: ['SV-86939', 'V-72315']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204628'\n tag rid: 'SV-204628r603261_rule'\n tag stig_id: 'RHEL-07-040810'\n tag fix_id: 'F-4752r89077_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['iptables', 'firewall']\n tag 'host'\n tag 'container'\n\n if input('firewall_application_package') != ''\n describe 'Manual review of third-party firewall needed' do\n skip \"A manual review of firewall application \\'#{input('firewall_application_package')}\\' is needed to determine if it is properly configured\"\n end\n else\n\n firewalld_services = input('firewalld_services')\n firewalld_hosts_allow = input('firewalld_hosts_allow')\n firewalld_hosts_deny = input('firewalld_hosts_deny')\n firewalld_ports_allow = input('firewalld_ports_allow')\n firewalld_ports_deny = input('firewalld_ports_deny')\n tcpwrappers_allow = input('tcpwrappers_allow')\n tcpwrappers_deny = input('tcpwrappers_deny')\n iptable_rules = input('iptables_rules')\n\n if service('firewalld').running?\n @default_zone = firewalld.default_zone\n\n describe firewalld.where { zone = @default_zone } do\n its('services') { should be_in firewalld_services }\n end\n\n describe firewalld do\n firewalld_hosts_allow.each do |rule|\n it { should have_rule_enabled(rule) }\n end\n firewalld_hosts_deny.each do |rule|\n it { 
should_not have_rule_enabled(rule) }\n end\n firewalld_ports_allow.each do |port|\n it { should have_port_enabled_in_zone(port) }\n end\n firewalld_ports_deny.each do |port|\n it { should_not have_port_enabled_in_zone(port) }\n end\n end\n elsif service('iptables').running?\n describe iptables do\n iptable_rules.each do |rule|\n it { should have_rule(rule) }\n end\n end\n else\n describe package('tcp_wrappers') do\n it { should be_installed }\n end\n tcpwrappers_allow.each do |rule|\n describe etc_hosts_allow.where { daemon == rule['daemon'] } do\n its('client_list') { should be rule['client_list'] }\n its('options') { should be rule['options'] }\n end\n end\n tcpwrappers_deny.each do |rule|\n describe etc_hosts_deny.where { daemon == rule['daemon'] } do\n its('client_list') { should be rule['client_list'] }\n its('options') { should be rule['options'] }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204622.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204628.rb", "line": 1 }, - "id": "SV-204622" + "id": "SV-204628" }, { - "title": "The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.", - "desc": "Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n\nEmergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. 
Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nTo address access requirements, many RHEL systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict\n mode checking of home directory configuration files.", + "desc": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to\n the system as another user.", "descriptions": { - "default": "Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n\nEmergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. 
A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nTo address access requirements, many RHEL systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", - "check": "Verify emergency accounts have been provisioned with an expiration date of 72 hours.\n\nFor every existing emergency account, run the following command to obtain its account expiration information.\n\n$ sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within 72 hours.\nIf any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.", - "fix": "If an emergency account must be created, configure the system to terminate the account after 72 hours with the following command to set an expiration date for the account. Substitute \"system_account_name\" with the account to be created.\n\n$ sudo chage -E `date -d '+3 days' +%Y-%m-%d` system_account_name\n\nThe automatic expiration or disabling time period may be extended as needed until the crisis is resolved." 
+ "default": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to\n the system as another user.", + "check": "Verify the SSH daemon performs strict mode checking of home directory configuration files.\n The location of the \"sshd_config\" file may vary if a different daemon is in use.\n Inspect the \"sshd_config\" file with the following command:\n # grep -i strictmodes /etc/ssh/sshd_config\n StrictModes yes\n If \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.", + "fix": "Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or\n be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to\n \"yes\":\n StrictModes yes\n The SSH service must be restarted for changes to take effect." }, "impact": 0.5, "refs": [], "tags": { - "check_id": "C-58007r858499_chk", - "severity": "medium", - "gid": "V-254523", - "rid": "SV-254523r858501_rule", - "stig_id": "RHEL-07-010271", - "gtitle": "SRG-OS-000123-GPOS-00064", - "fix_id": "F-57956r858500_fix", - "documentable": null, - "cci": [ - "CCI-001682" + "legacy": [ + "SV-86887", + "V-72263" ], - "nist": [ - "AC-2 (2)" - ] - }, - "code": "control 'SV-254523' do\n title \"The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within #{input('emergency_account_disable')} hours.\"\n desc \"Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. 
If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n\nEmergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nTo address access requirements, many RHEL systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.\"\n desc 'check', \"Verify emergency accounts have been provisioned with an expiration date of #{input('emergency_account_disable')} hours.\n\nFor every existing emergency account, run the following command to obtain its account expiration information.\n\n$ sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within #{input('emergency_account_disable')} hours.\nIf any emergency accounts have no expiration date set or do not expire within #{input('emergency_account_disable')} hours, this is a finding.\"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after #{input('emergency_account_disable')} hours with the following command to set an expiration date for the account. 
Substitute \\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E `date -d '+#{input('emergency_account_disable')/24} days' +%Y-%m-%d` system_account_name\n\nThe automatic expiration or disabling time period may be extended as needed until the crisis is resolved.\"\n impact 0.5\n tag check_id: 'C-58007r858499_chk'\n tag severity: 'medium'\n tag gid: 'V-254523'\n tag rid: 'SV-254523r858501_rule'\n tag stig_id: 'RHEL-07-010271'\n tag gtitle: 'SRG-OS-000123-GPOS-00064'\n tag fix_id: 'F-57956r858500_fix'\n tag 'documentable'\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n emergency_accounts = input('emergency_accounts')\n\n if emergency_accounts.empty?\n describe 'Emergency accounts' do\n subject { emergency_accounts }\n it { should be_empty }\n end\n else\n emergency_accounts.each do |acct|\n describe user(acct.to_s) do\n its('maxdays') { should cmp <= (input('emergency_account_disable')/24) }\n its('maxdays') { should cmp > 0 }\n end\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-254523.rb", - "line": 1 - }, - "id": "SV-254523" - }, - { - "title": "The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using \"sudo\".", - "desc": "The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the \"root\" user password.\nFor more information on each of the listed configurations, reference the sudoers(5) manual page.", - "descriptions": { - "default": "The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. 
If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the \"root\" user password.\nFor more information on each of the listed configurations, reference the sudoers(5) manual page.", - "check": "Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n /etc/sudoers:Defaults !targetpw\n /etc/sudoers:Defaults !rootpw\n /etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.", - "fix": "Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n Defaults !targetpw\n Defaults !rootpw\n Defaults !runaspw\n\nRemove any configurations that conflict with the above from the following locations:\n /etc/sudoers\n /etc/sudoers.d/" - }, - "impact": 0.5, - "refs": [], - "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "satisfies": null, - "gid": "V-237634", - "rid": "SV-237634r880755_rule", - "stig_id": "RHEL-07-010342", - "fix_id": "F-40816r880754_fix", + "gid": "V-204600", + "rid": "SV-204600r603261_rule", + "stig_id": "RHEL-07-040450", + "fix_id": "F-4724r88993_fix", "cci": [ - "CCI-002227" + "CCI-000366" ], - "legacy": [], "nist": [ - "AC-6 (5)" + "CM-6 b" ], "subsystems": [ - "sudo" + "ssh" ], "host": null }, - "code": "control 'SV-237634' do\n title %q(The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using \"sudo\".)\n desc %q(The sudoers security policy requires that users authenticate themselves before they can use sudo. 
When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the \"root\" user password.\nFor more information on each of the listed configurations, reference the sudoers(5) manual page.)\n desc 'check', %q(Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n /etc/sudoers:Defaults !targetpw\n /etc/sudoers:Defaults !rootpw\n /etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.)\n desc 'fix', 'Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n Defaults !targetpw\n Defaults !rootpw\n Defaults !runaspw\n\nRemove any configurations that conflict with the above from the following locations:\n /etc/sudoers\n /etc/sudoers.d/'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-237634'\n tag rid: 'SV-237634r880755_rule'\n tag stig_id: 'RHEL-07-010342'\n tag fix_id: 'F-40816r880754_fix'\n tag cci: ['CCI-002227']\n tag legacy: []\n tag nist: ['AC-6 (5)']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n sudoers_settings = command(\"grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d | grep -v '#'\").stdout.strip\n\n target_match = 
sudoers_settings.scan(/^([^:]+):Defaults\\s+!targetpw$/).flatten\n root_match = sudoers_settings.scan(/^([^:]+):Defaults\\s+!rootpw$/).flatten\n runas_match = sudoers_settings.scan(/^([^:]+):Defaults\\s+!runaspw$/).flatten\n\n target_match_file = target_match.empty? ? nil : target_match.first\n\n describe '!targetpw flag' do\n it 'should be set' do\n expect(target_match).not_to be_empty\n end\n it 'should be set in exactly one file' do\n expect(target_match.count).to cmp 1\n end\n end\n\n describe '!rootpw flag' do\n it 'should be set' do\n expect(root_match).not_to be_empty\n end\n it 'should be set in the same file as targetpw' do\n expect(root_match.first).to cmp target_match_file\n end\n it 'should be set in exactly one file' do\n expect(root_match.count).to cmp 1\n end\n end\n\n describe '!runaspw flag' do\n it 'should be set' do\n expect(runas_match).not_to be_empty\n end\n it 'should be set in the same file as targetpw' do\n expect(runas_match.first).to cmp target_match_file\n end\n it 'should be set in exactly one file' do\n expect(runas_match.count).to cmp 1\n end\n end\n end\nend\n", + "code": "control 'SV-204600' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict\n mode checking of home directory configuration files.'\n desc 'If other users have access to modify user-specific SSH configuration files, they may be able to log on to\n the system as another user.'\n desc 'check', 'Verify the SSH daemon performs strict mode checking of home directory configuration files.\n The location of the \"sshd_config\" file may vary if a different daemon is in use.\n Inspect the \"sshd_config\" file with the following command:\n # grep -i strictmodes /etc/ssh/sshd_config\n StrictModes yes\n If \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.'\n desc 'fix', 'Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this file may be named 
differently or\n be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to\n \"yes\":\n StrictModes yes\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86887', 'V-72263']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204600'\n tag rid: 'SV-204600r603261_rule'\n tag stig_id: 'RHEL-07-040450'\n tag fix_id: 'F-4724r88993_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('StrictModes') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-237634.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204600.rb", "line": 1 }, - "id": "SV-237634" + "id": "SV-204600" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate\n action when there is an error sending audit records to a remote system.", - "desc": "Taking appropriate action when there is an error sending audit records to a remote system will minimize the\n possibility of losing audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename,\n renameat, and rmdir syscalls.", + "desc": "If the system is not configured to audit certain activities and write them to an audit log, it is more\n difficult to detect and track system compromises and damages incurred during a system compromise.\n When a user logs on, the auid is set to the uid of the account that 
is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", "descriptions": { - "default": "Taking appropriate action when there is an error sending audit records to a remote system will minimize the\n possibility of losing audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.", - "check": "Verify the action the operating system takes if there is an error sending audit records to a remote\n system.\n Check the action that takes place if there is an error sending audit records to a remote system with the following\n command:\n # grep -i network_failure_action /etc/audisp/audisp-remote.conf\n network_failure_action = syslog\n If the value of the \"network_failure_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented\n out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage\n media, and to indicate the action taken if there is an error sending audit records to the remote system.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not take appropriate action if there is an error sending audit records to the remote\n system, this is a finding.", - "fix": "Configure the action the operating system takes if there is an error sending audit records to a 
remote\n system.\n Uncomment the \"network_failure_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\",\n or \"halt\".\n network_failure_action = syslog" + "default": "If the system is not configured to audit certain activities and write them to an audit log, it is more\n difficult to detect and track system compromises and damages incurred during a system compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep 'unlink\\|rename\\|rmdir' /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and\n \"rmdir\" syscalls, this is a finding.", + "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls.\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n The audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-73163", - "SV-87815" + "V-72205", + "SV-86829" ], "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "gid": "V-204512", - "rid": "SV-204512r877390_rule", - "stig_id": "RHEL-07-030321", - "fix_id": "F-36315r602655_fix", + "gtitle": "SRG-OS-000466-GPOS-00210", + "satisfies": [ + "SRG-OS-000466-GPOS-00210", + "SRG-OS-000467-GPOS-00211", + "SRG-OS-000468-GPOS-00212", + "SRG-OS-000392-GPOS-00172" + ], + "gid": "V-204572", + "rid": "SV-204572r853985_rule", + "stig_id": "RHEL-07-030910", + "fix_id": "F-4696r853984_fix", "cci": [ - "CCI-001851" + "CCI-000172", + "CCI-002884" ], "nist": [ - "AU-4 (1)" + "AU-12 c", + "MA-4 (1) (a)" ], "subsystems": [ "audit", - "audisp" + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204512' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate\n action when there is an error sending audit records to a remote system.'\n desc 'Taking appropriate action when there is an error sending audit records to a remote system will minimize the\n possibility of losing audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.'\n desc 'check', 'Verify the action the operating system takes if there is an error sending audit records to a remote\n system.\n Check the action that takes place if there is an error sending audit records to a remote system with the following\n command:\n # grep -i network_failure_action /etc/audisp/audisp-remote.conf\n network_failure_action = syslog\n If the value of the \"network_failure_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented\n out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage\n media, and to indicate the action taken if there is an error sending audit records to the remote system.\n If there is no 
evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not take appropriate action if there is an error sending audit records to the remote\n system, this is a finding.'\n desc 'fix', 'Configure the action the operating system takes if there is an error sending audit records to a remote\n system.\n Uncomment the \"network_failure_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\",\n or \"halt\".\n network_failure_action = syslog'\n impact 0.5\n tag legacy: ['V-73163', 'SV-87815']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag gid: 'V-204512'\n tag rid: 'SV-204512r877390_rule'\n tag stig_id: 'RHEL-07-030321'\n tag fix_id: 'F-36315r602655_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('network_failure_action'.to_s) { should cmp input('expected_network_failure_action') }\n its('network_failure_action'.to_s) { should be_in ['syslog', 'single', 'halt'] }\n end\n end\nend\n", + "code": "control 'SV-204572' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename,\n renameat, and rmdir syscalls.'\n desc 'If the system is not configured to audit certain activities and write them to an audit log, it is more\n difficult to detect and track system compromises and damages incurred during a system compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', %q(Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep 'unlink\\|rename\\|rmdir' /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and\n \"rmdir\" syscalls, this is a finding.)\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls.\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72205', 'SV-86829']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000466-GPOS-00210'\n tag satisfies: ['SRG-OS-000466-GPOS-00210', 
'SRG-OS-000467-GPOS-00211', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204572'\n tag rid: 'SV-204572r853985_rule'\n tag stig_id: 'RHEL-07-030910'\n tag fix_id: 'F-4696r853984_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['unlink', 'unlinkat', 'rename', 'renameat', 'rmdir']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('delete')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204512.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204572.rb", "line": 1 }, - "id": "SV-204512" + "id": "SV-204572" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key\n sequence is disabled in the Graphical User Interface.", - "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. 
In the graphical environment, risk of unintentional\n reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for\n user home directories (such as /home or an equivalent).", + "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", "descriptions": { - "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional\n reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.", - "check": "Note: If the operating system does not have a graphical user interface installed, this requirement\n is Not Applicable.\n Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following\n command:\n # grep logout /etc/dconf/db/local.d/*\n logout=''\n If \"logout\" is not set to use two single quotations, or is missing, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the\n following command:\n # touch /etc/dconf/db/local.d/00-disable-CAD\n Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''" + "default": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", + 
"check": "Verify that a separate file system/partition has been created for non-privileged local interactive\n user home directories.\n Check the home directory assignment for all non-privileged users (those with a UID of 1000 or greater) on the system\n with the following command:\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd\n adamsj 1000 /home/adamsj /bin/bash\n jacksonm 1001 /home/jacksonm /bin/bash\n smithj 1002 /home/smithj /bin/bash\n The output of the command will give the directory/partition that contains the home directories for the\n non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such\n as /bin/bash) are considered interactive users.\n Check that a file system/partition has been created for the non-privileged interactive users with the following\n command:\n Note: The partition of /home is used in the example.\n # grep /home /etc/fstab\n UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n If a separate entry for the file system/partition that contains the non-privileged interactive users' home\n directories does not exist, this is a finding.", + "fix": "Migrate the \"/home\" directory onto a separate file system/partition." }, - "impact": 0, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "V-94843", - "SV-104673" + "SV-86683", + "V-72059" ], - "severity": "high", + "severity": "low", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204456", - "rid": "SV-204456r603261_rule", - "stig_id": "RHEL-07-020231", - "fix_id": "F-4580r590041_fix", + "gid": "V-204493", + "rid": "SV-204493r603840_rule", + "stig_id": "RHEL-07-021310", + "fix_id": "F-4617r88672_fix", "cci": [ "CCI-000366" ], 
@@ -4029,168 +3903,126 @@ "CM-6 b" ], "subsystems": [ - "gui", - "general" + "home_dirs", + "file_system" ], "host": null }, - "code": "control 'SV-204456' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key\n sequence is disabled in the Graphical User Interface.'\n desc 'A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional\n reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.'\n desc 'check', %q(Note: If the operating system does not have a graphical user interface installed, this requirement\n is Not Applicable.\n Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following\n command:\n # grep logout /etc/dconf/db/local.d/*\n logout=''\n If \"logout\" is not set to use two single quotations, or is missing, this is a finding.)\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the\n following command:\n # touch /etc/dconf/db/local.d/00-disable-CAD\n Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''\"\n impact 0.7\n tag legacy: ['V-94843', 'SV-104673']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204456'\n tag rid: 'SV-204456r603261_rule'\n tag stig_id: 'RHEL-07-020231'\n tag fix_id: 'F-4580r590041_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gui', 'general']\n tag 'host'\n\n if 
package('gnome-settings-daemon').installed?\n describe command('gsettings get org.gnome.settings-daemon.media-keys logout') do\n its('stdout.strip') { should cmp \"''\" }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-204493' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for\n user home directories (such as /home or an equivalent).'\n desc 'The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.'\n desc 'check', \"Verify that a separate file system/partition has been created for non-privileged local interactive\n user home directories.\n Check the home directory assignment for all non-privileged users (those with a UID of 1000 or greater) on the system\n with the following command:\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd\n adamsj 1000 /home/adamsj /bin/bash\n jacksonm 1001 /home/jacksonm /bin/bash\n smithj 1002 /home/smithj /bin/bash\n The output of the command will give the directory/partition that contains the home directories for the\n non-privileged users on the system (in this example, /home) and users' shell. 
All accounts with a valid shell (such\n as /bin/bash) are considered interactive users.\n Check that a file system/partition has been created for the non-privileged interactive users with the following\n command:\n Note: The partition of /home is used in the example.\n # grep /home /etc/fstab\n UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n If a separate entry for the file system/partition that contains the non-privileged interactive users' home\n directories does not exist, this is a finding.\"\n desc 'fix', 'Migrate the \"/home\" directory onto a separate file system/partition.'\n impact 0.3\n tag legacy: ['SV-86683', 'V-72059']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204493'\n tag rid: 'SV-204493r603840_rule'\n tag stig_id: 'RHEL-07-021310'\n tag fix_id: 'F-4617r88672_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs', 'file_system']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n # excluding root because its home directory is usually \"/root\" (mountpoint \"/\")\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n home_mount = command(%(df #{user_info.home} --output=target | tail -1)).stdout.strip\n describe user_info.username do\n context 'with mountpoint' do\n context home_mount do\n it { should_not be_empty }\n it { should_not match(%r{^/$}) }\n end\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204456.rb", + "ref": "./Red Hat 7 
STIG/controls/SV-204493.rb", "line": 1 }, - "id": "SV-204456" + "id": "SV-204493" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr,\n removexattr, fremovexattr, and lremovexattr syscalls.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "title": "The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive\n user accounts.", + "desc": "The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files\n to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit\n representing special access modes is typically ignored or required to be \"0\". 
This requirement applies to the\n globally configured system defaults and the local interactive user defaults for each account on the system.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", - "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep xattr /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n \"fremovexattr\", and \"lremovexattr\" syscalls, this is a finding.", - "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n The audit daemon must be restarted for the changes to take effect." + "default": "The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files\n to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit\n representing special access modes is typically ignored or required to be \"0\". 
This requirement applies to the\n globally configured system defaults and the local interactive user defaults for each account on the system.", + "check": "Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n$ sudo grep -ir ^umask /home | grep -v '.bash_history'\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.", + "fix": "Remove the umask statement from all local interactive user's initialization files.\n If the account is for an application, the requirement for a umask less restrictive than \"077\" can be documented with\n the Information System Security Officer, but the user agreement for access to the account must specify that the\n local interactive user must log on to their account first and then switch the user to the application account with\n the correct option to gain the account's environment variables." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86735", - "V-72111" + "V-72049", + "SV-86673" ], "severity": "medium", - "gtitle": "SRG-OS-000458-GPOS-00203", - "satisfies": [ - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000064-GPOS-00033" - ], - "gid": "V-204524", - "rid": "SV-204524r809775_rule", - "stig_id": "RHEL-07-030440", - "fix_id": "F-4648r809774_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204488", + "rid": "SV-204488r861006_rule", + "stig_id": "RHEL-07-021040", + "fix_id": "F-4612r88657_fix", "cci": [ - "CCI-000172" + "CCI-000318", + "CCI-000368", + "CCI-001812", + "CCI-001813", + "CCI-001814" ], "nist": [ - "AU-12 c" + "CM-3 f", + "CM-6 c", + "CM-11 (2)", + "CM-5 (1)", + "CM-5 (1) (a)" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "init_files", + "home_dirs" ], "host": null }, - "code": "control 'SV-204524' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr,\n removexattr, fremovexattr, and lremovexattr syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. 
Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', 'Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep xattr /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n \"fremovexattr\", and \"lremovexattr\" syscalls, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F\n auid!=unset -k perm_mod\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86735', 'V-72111']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000458-GPOS-00203'\n tag satisfies: ['SRG-OS-000458-GPOS-00203', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000064-GPOS-00033']\n tag gid: 
'V-204524'\n tag rid: 'SV-204524r809775_rule'\n tag stig_id: 'RHEL-07-030440'\n tag fix_id: 'F-4648r809774_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['setxattr', 'fsetxattr', 'lsetxattr', 'removexattr', 'fremovexattr', 'lremovexattr']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('perm_mod')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204488' do\n title 'The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive\n user accounts.'\n desc 'The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files\n to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit\n representing special access modes is typically ignored or required to be \"0\". 
This requirement applies to the\n globally configured system defaults and the local interactive user defaults for each account on the system.'\n desc 'check', %q(Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n$ sudo grep -ir ^umask /home | grep -v '.bash_history'\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.)\n desc 'fix', %q(Remove the umask statement from all local interactive user's initialization files.\n If the account is for an application, the requirement for a umask less restrictive than \"077\" can be documented with\n the Information System Security Officer, but the user agreement for access to the account must specify that the\n local interactive user must log on to their account first and then switch the user to the application account with\n the correct option to gain the account's environment variables.)\n impact 0.5\n tag legacy: ['V-72049', 'SV-86673']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204488'\n tag rid: 'SV-204488r861006_rule'\n tag stig_id: 'RHEL-07-021040'\n tag fix_id: 'F-4612r88657_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['init_files', 'home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n non_interactive_shells = input('non_interactive_shells')\n\n # 
Get all interactive users\n ignore_shells = non_interactive_shells.join('|')\n\n # Get home directory for users with UID >= 1000 or UID == 0 and support interactive logins.\n findings = Set[]\n dotfiles = Set[]\n umasks = {}\n umask_findings = Set[]\n\n # Get UID_MIN from login.defs\n uid_min = 1000\n if file('/etc/login.defs').exist?\n uid_min_val = command(\"grep '^UID_MIN' /etc/login.defs | grep -Po '[0-9]+'\").stdout.split(\"\\n\")\n uid_min = uid_min_val[0].to_i unless uid_min_val.empty?\n end\n\n interactive_users = users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries\n\n # For each user, build and execute a find command that identifies initialization files\n # in a user's home directory.\n interactive_users.each do |u|\n # Only check if the home directory is local\n is_local = command(\"df -l #{u.home}\").exit_status\n\n if is_local == 0\n # Get user's initialization files\n dotfiles.add(command(\"find #{u.home} -xdev -maxdepth 2 -name '.*' ! 
-name '.bash_history' -type f\").stdout.split(\"\\n\"))\n\n # Get user's umask\n umasks.store(u.username,\n command(\"su -c 'umask' -l #{u.username}\").stdout.chomp(\"\\n\"))\n\n # Check all local initialization files to see whether or not they are less restrictive than the input UMASK.\n dotfiles.to_a.flatten.uniq.each do |df|\n findings.add(df) if file(df).more_permissive_than?(input('user_umask'))\n end\n\n # Check umask for all interactive users\n umasks.each do |key, value|\n max_mode = (input('user_umask')).to_i(8)\n inverse_mode = 0777 ^ max_mode\n umask_findings.add(key) if inverse_mode & (value).to_i(8) != 0\n end\n else\n describe 'This control skips non-local filesystems' do\n skip \"This control has skipped the #{u.home} home directory for #{u.username} because it is not a local filesystem.\"\n end\n end\n end\n\n # Report on any interactive files that are less restrictive than the input UMASK.\n describe 'No interactive user initialization files with a less restrictive umask were found.' do\n subject { findings.empty? }\n it { should eq true }\n end\n\n # Report on any interactive users that have a umask less restrictive than the input UMASK.\n describe 'No users were found with a less restrictive umask were found.' do\n subject { umask_findings.empty? 
}\n it { should eq true }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204524.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204488.rb", "line": 1 }, - "id": "SV-204524" + "id": "SV-204488" }, { - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent\n Banner before granting local or remote access to the system via a command line user logon.", - "desc": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "title": "The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system\n via a graphical user interface.", + "desc": "Failure to restrict system access to authenticated users negatively impacts operating system security.", "descriptions": { - "default": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. 
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", - "check": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the operating system via a command line user logon.\n Check to see if the operating system displays a banner at the command line logon screen with the following command:\n # more /etc/issue\n The command should return the following text:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n If the operating system does not display a graphical logon banner or the banner does not match the Standard\n Mandatory DoD Notice and Consent Banner, this is a finding.\n If the text in the \"/etc/issue\" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a\n finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the system via the command line by editing the \"/etc/issue\" file.\n Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"" + "default": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "check": "Verify the operating system does not allow an unattended or automatic logon to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check for the value of the \"AutomaticLoginEnable\" in the \"/etc/gdm/custom.conf\" file with the following command:\n # grep -i automaticloginenable /etc/gdm/custom.conf\n AutomaticLoginEnable=false\n If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a finding.", + "fix": "Configure the operating system to not allow an unattended or automatic logon to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Add or edit the line for the \"AutomaticLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\"\n file to \"false\":\n [daemon]\n AutomaticLoginEnable=false" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "V-71863", - "SV-86487" - ], - "severity": "medium", - "gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000024-GPOS-00007" - ], - "gid": "V-204395", - "rid": "SV-204395r603261_rule", - "stig_id": "RHEL-07-010050", - "fix_id": "F-4519r88378_fix", - "cci": [ - "CCI-000048" - ], - "nist": [ - 
"AC-8 a" - ], - "subsystems": [ - "banner", - "/etc/issue" + "V-71953", + "SV-86577" ], - "host": null - }, - "code": "control 'SV-204395' do\n title \"The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent\n Banner before granting local or remote access to the system via a command line user logon.\"\n desc \"Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \\\"#{input('banner_message_text_cli')}\\\"\"\n desc 'check', \"Verify the operating system displays the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the operating system via a command line user logon.\n Check to see if the operating system displays a banner at the command line logon screen with the following command:\n # more /etc/issue\n The command should return the following text:\n \\\"#{input('banner_message_text_cli')}\\\"\n If the operating system does not display a graphical logon banner or the banner does not match the Standard\n Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding.\n If the text in the \\\"/etc/issue\\\" file does not match the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a\n finding.\"\n desc 'fix', \"Configure the operating system to display the Standard Mandatory 
#{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the system via the command line by editing the \\\"/etc/issue\\\" file.\n Replace the default text with the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner. The #{input('org_name')[:acronym]} required text is:\n \\\"#{input('banner_message_text_cli')}\\\" \"\n impact 0.5\n tag legacy: ['V-71863', 'SV-86487']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007']\n tag gid: 'V-204395'\n tag rid: 'SV-204395r603261_rule'\n tag stig_id: 'RHEL-07-010050'\n tag fix_id: 'F-4519r88378_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag subsystems: ['banner', '/etc/issue']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n banner_message_text_cli = input('banner_message_text_cli')\n banner_message_text_cli_limited = input('banner_message_text_cli_limited')\n\n clean_banner = banner_message_text_cli.gsub(/[\\r\\n\\s]/, '')\n clean_banner_limited = banner_message_text_cli_limited.gsub(/[\\r\\n\\s]/,\n '')\n banner_file = file('/etc/issue')\n banner_missing = !banner_file.exist?\n\n if banner_missing\n describe 'The banner text is not set because /etc/issue does not exist' do\n subject { banner_missing }\n it { should be false }\n end\n end\n\n banner_message = banner_file.content.gsub(/[\\r\\n\\s]/, '')\n unless banner_missing\n describe.one do\n describe 'The banner text should match the standard banner' do\n subject { banner_message }\n it { should cmp clean_banner }\n end\n describe 'The banner text should match the limited banner' do\n subject { banner_message }\n it { should cmp clean_banner_limited }\n end\n end\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204395.rb", - "line": 1 - }, - 
"id": "SV-204395" - }, - { - "title": "The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.", - "desc": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", - "descriptions": { - "default": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", - "check": "Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nVerify the operating system prevents privileged accounts from utilizing SSH.\nCheck the SELinux ssh_sysadm_login boolean with the following command:\n\n$ sudo getsebool ssh_sysadm_login\nssh_sysadm_login --> off\n\nIf the \"ssh_sysadm_login\" boolean is not \"off\" and is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Configure the operating system to prevent privileged accounts from utilizing SSH.\nUse the following command to set the \"ssh_sysadm_login\" boolean to \"off\":\n\n$ sudo setsebool -P ssh_sysadm_login off\n\nNote: SELinux confined users mapped to sysadm_u are not allowed to login to the system over SSH, by default. If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to \"on\" with the following command:\n\n$ sudo setsebool -P ssh_sysadm_login on\n\nThis must be documented with the ISSO as an operational requirement." 
- }, - "impact": 0.5, - "refs": [], - "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000324-GPOS-00125", - "satisfies": null, - "gid": "V-250313", - "rid": "SV-250313r877392_rule", - "stig_id": "RHEL-07-020022", - "fix_id": "F-53701r792845_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-204432", + "rid": "SV-204432r877377_rule", + "stig_id": "RHEL-07-010440", + "fix_id": "F-4556r88489_fix", "cci": [ - "CCI-002165", - "CCI-002235" + "CCI-000366" ], - "legacy": [], "nist": [ - "AC-3 (4)", - "AC-6 (10)" + "CM-6 b" ], "subsystems": [ - "ssh" + "gdm" ], "host": null }, - "code": "control 'SV-250313' do\n title 'The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.'\n desc 'Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.'\n desc 'check', 'Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nVerify the operating system prevents privileged accounts from utilizing SSH.\nCheck the SELinux ssh_sysadm_login boolean with the following command:\n\n$ sudo getsebool ssh_sysadm_login\nssh_sysadm_login --> off\n\nIf the \"ssh_sysadm_login\" boolean is not \"off\" and is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to prevent privileged accounts from utilizing SSH.\nUse the following command to set the \"ssh_sysadm_login\" boolean to \"off\":\n\n$ sudo setsebool -P ssh_sysadm_login off\n\nNote: SELinux confined users mapped to sysadm_u are not allowed to login to the system over SSH, by default. 
If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to \"on\" with the following command:\n\n$ sudo setsebool -P ssh_sysadm_login on\n\nThis must be documented with the ISSO as an operational requirement.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag satisfies: nil\n tag gid: 'V-250313'\n tag rid: 'SV-250313r877392_rule'\n tag stig_id: 'RHEL-07-020022'\n tag fix_id: 'F-53701r792845_fix'\n tag cci: ['CCI-002165', 'CCI-002235']\n tag legacy: []\n tag nist: ['AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container -- kernel config' do\n skip 'Control not applicable within a container -- kernel config'\n end\n else\n describe command('getsebool ssh_sysadm_login').stdout.strip do\n it { should eq 'ssh_sysadm_login --> off' }\n end\n end\nend\n", + "code": "control 'SV-204432' do\n title 'The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system\n via a graphical user interface.'\n desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'\n desc 'check', 'Verify the operating system does not allow an unattended or automatic logon to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check for the value of the \"AutomaticLoginEnable\" in the \"/etc/gdm/custom.conf\" file with the following command:\n # grep -i automaticloginenable /etc/gdm/custom.conf\n AutomaticLoginEnable=false\n If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a finding.'\n desc 'fix', 'Configure the operating system to not allow an unattended or automatic logon to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not 
Applicable.\n Add or edit the line for the \"AutomaticLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\"\n file to \"false\":\n [daemon]\n AutomaticLoginEnable=false'\n impact 0.7\n tag legacy: ['V-71953', 'SV-86577']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-204432'\n tag rid: 'SV-204432r877377_rule'\n tag stig_id: 'RHEL-07-010440'\n tag fix_id: 'F-4556r88489_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gdm']\n tag 'host'\n\n custom_conf = '/etc/gdm/custom.conf'\n\n if package('gdm').installed?\n if (f = file(custom_conf)).exist?\n describe ini(custom_conf) do\n its('daemon.AutomaticLoginEnable') { cmp false }\n end\n else\n describe f do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system does not have GDM installed' do\n skip 'The system does not have GDM installed, this requirement is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-250313.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204432.rb", "line": 1 }, - "id": "SV-250313" + "id": "SV-204432" }, { - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/gshadow.", + "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/group.", "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", "descriptions": { "default": "Without generating audit records that are specific to the security 
and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/gshadow\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/gshadow /etc/audit/audit.rules\n -w /etc/gshadow -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/gshadow\".\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/gshadow -p wa -k identity\n The audit daemon must be restarted for the changes to take effect." + "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/group\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/group /etc/audit/audit.rules\n -w /etc/group -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", + "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/group\".\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/group -p wa -k identity\n The audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-87819", - "V-73167" + "SV-87817", + "V-73165" ], "severity": "medium", "gtitle": "SRG-OS-000004-GPOS-00004", - "gid": "V-204566", - "rid": "SV-204566r853980_rule", - "stig_id": "RHEL-07-030872", - "fix_id": "F-4690r88891_fix", + "gid": "V-204565", + "rid": "SV-204565r853979_rule", + "stig_id": "RHEL-07-030871", + "fix_id": "F-4689r88888_fix", "cci": [ "CCI-000018", "CCI-000172", 
@@ -4210,78 +4042,75 @@ ], "host": null }, - "code": "control 'SV-204566' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/gshadow.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/gshadow\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/gshadow /etc/audit/audit.rules\n -w /etc/gshadow -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/gshadow\".\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/gshadow -p wa -k identity\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-87819', 'V-73167']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag gid: 'V-204566'\n tag rid: 'SV-204566r853980_rule'\n tag stig_id: 'RHEL-07-030872'\n tag fix_id: 'F-4690r88891_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/gshadow'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable 
- audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", + "code": "control 'SV-204565' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/group.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/group\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/group /etc/audit/audit.rules\n -w /etc/group -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/group\".\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/group -p wa -k identity\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-87817', 'V-73165']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag gid: 'V-204565'\n tag rid: 'SV-204565r853979_rule'\n tag stig_id: 'RHEL-07-030871'\n 
tag fix_id: 'F-4689r88888_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/group'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204566.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204565.rb", "line": 1 }, - "id": "SV-204566" + "id": "SV-204565" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different\n system or storage media from the system being audited.", - "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.\n Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off load the logs from the\n system being audited.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15\n characters in length.", + "desc": "The shorter the password, the lower the number of possible combinations that need to be tested before the\n password is compromised.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force 
attacks. Password length is one factor of several that helps to determine strength and how long it\n takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or\n resources required to compromise the password.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.\n Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off load the logs from the\n system being audited.", - "check": "Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote\n daemon:\n # cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"\n active = yes\n direction = out\n path = /sbin/audisp-remote\n type = always\n format = string\n If \"active\" is not set to \"yes\", \"direction\" is not set to \"out\", \"path\" is not set to \"/sbin/audisp-remote\", \"type\"\n is not set to \"always\", or any of the lines are commented out, ask the System Administrator to indicate how the\n audit logs are off-loaded to a different system or storage media.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n this is a finding.", - "fix": "Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:\n\nactive = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + "default": "The shorter the password, the lower the number of possible combinations that need to be tested before the\n password is compromised.\n Password complexity, or strength, is a measure of the effectiveness of a password in 
resisting attempts at guessing\n and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it\n takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or\n resources required to compromise the password.", + "check": "Verify the operating system enforces a minimum 15-character password length. The \"minlen\" option\n sets the minimum number of characters in a new password.\n Check for the value of the \"minlen\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep minlen /etc/security/pwquality.conf\n minlen = 15\n If the command does not return a \"minlen\" value of 15 or greater, this is a finding.", + "fix": "Configure operating system to enforce a minimum 15-character password length.\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n minlen = 15" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-95729", - "V-81017" + "V-71935", + "SV-86559" ], "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "satisfies": [ - "SRG-OS-000342-GPOS-00133", - "SRG-OS-000479-GPOS-00224" - ], - "gid": "V-204506", - "rid": "SV-204506r877390_rule", - "stig_id": "RHEL-07-030201", - "fix_id": "F-4630r858479_fix", + "gtitle": "SRG-OS-000078-GPOS-00046", + "gid": "V-204423", + "rid": "SV-204423r603261_rule", + "stig_id": "RHEL-07-010280", + "fix_id": "F-4547r88462_fix", "cci": [ - "CCI-001851" + "CCI-000205" ], "nist": [ - "AU-4 (1)" + "IA-5 (1) (a)" ], "subsystems": [ - "audit", - "audisp" + "pwquality", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204506' do\n title 'The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different\n system or storage media from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or 
alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.\n Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off load the logs from the\n system being audited.'\n desc 'check', 'Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote\n daemon:\n # cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"\n active = yes\n direction = out\n path = /sbin/audisp-remote\n type = always\n format = string\n If \"active\" is not set to \"yes\", \"direction\" is not set to \"out\", \"path\" is not set to \"/sbin/audisp-remote\", \"type\"\n is not set to \"always\", or any of the lines are commented out, ask the System Administrator to indicate how the\n audit logs are off-loaded to a different system or storage media.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n this is a finding.'\n desc 'fix', 'Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:\n\nactive = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart'\n impact 0.5\n tag legacy: ['SV-95729', 'V-81017']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204506'\n tag rid: 'SV-204506r877390_rule'\n tag stig_id: 'RHEL-07-030201'\n tag fix_id: 'F-4630r858479_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the 
host'\n end\n else\n test_file = '/etc/audisp/plugins.d/au-remote.conf'\n\n if file(test_file).exist?\n describe parse_config_file(test_file) do\n its('active') { should match(/yes$/) }\n its('direction') { should match(/out$/) }\n its('path') { should match %r{/sbin/audisp-remote$} }\n its('type') { should match(/always$/) }\n end\n else\n describe \"File '#{test_file}' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '#{test_file}' cannot be found. This check must be performed manually\"\n end\n end\n end\nend\n", + "code": "control 'SV-204423' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of #{input('min_len')}\n characters in length.\"\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested before the\n password is compromised.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it\n takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or\n resources required to compromise the password.\"\n desc 'check', \"Verify the operating system enforces a minimum #{input('min_len')}-character password length. 
The \\\"minlen\\\" option\n sets the minimum number of characters in a new password.\n Check for the value of the \\\"minlen\\\" option in \\\"/etc/security/pwquality.conf\\\" with the following command:\n # grep minlen /etc/security/pwquality.conf\n minlen = #{input('min_len')}\n If the command does not return a \\\"minlen\\\" value of #{input('min_len')} or greater, this is a finding.\"\n desc 'fix', \"Configure operating system to enforce a minimum #{input('min_len')}-character password length.\n Add the following line to \\\"/etc/security/pwquality.conf\\\" (or modify the line to have the required value):\n minlen = #{input('min_len')}\"\n impact 0.5\n tag legacy: ['V-71935', 'SV-86559']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000078-GPOS-00046'\n tag gid: 'V-204423'\n tag rid: 'SV-204423r603261_rule'\n tag stig_id: 'RHEL-07-010280'\n tag fix_id: 'F-4547r88462_fix'\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('minlen') { should cmp >= input('min_len') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204506.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204423.rb", "line": 1 }, - "id": "SV-204506" + "id": "SV-204423" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using RSA rhosts authentication.", - "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", + "title": "The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when\n possible on all interfaces.", + "desc": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received 
on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.", "descriptions": { - "default": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", - "check": "Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n If the release is 7.4 or newer this requirement is Not Applicable.\n Verify the SSH daemon does not allow authentication using RSA rhosts authentication.\n To determine how the SSH daemon's \"RhostsRSAAuthentication\" option is set, run the following command:\n # grep RhostsRSAAuthentication /etc/ssh/sshd_config\n RhostsRSAAuthentication no\n If the value is returned as \"yes\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n RhostsRSAAuthentication no\n The SSH service must be restarted for changes to take effect." + "default": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. 
It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.", + "check": "Verify the system uses a reverse-path filter for IPv4:\n\n # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter\n net.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72239", - "SV-86863" + "V-92251", + "SV-102353" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204588", - "rid": "SV-204588r603261_rule", - "stig_id": "RHEL-07-040330", - "fix_id": "F-4712r88957_fix", + "gid": "V-204610", + "rid": "SV-204610r880800_rule", + "stig_id": "RHEL-07-040611", + "fix_id": "F-4734r880799_fix", "cci": [ "CCI-000366" ], 
@@ -4289,242 +4118,221 @@ "CM-6 b" ], "subsystems": [ - "ssh" + "kernel_parameter", + "ipv4" ], "host": null }, - "code": "control 'SV-204588' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using RSA rhosts authentication.'\n desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n If the release is 7.4 or newer this requirement is Not Applicable.\n Verify the SSH daemon does not allow authentication using RSA rhosts authentication.\n To determine how the SSH daemon's \"RhostsRSAAuthentication\" option is set, run the following command:\n # grep RhostsRSAAuthentication /etc/ssh/sshd_config\n RhostsRSAAuthentication no\n If the value is returned as \"yes\", the returned line is commented out, or no output is returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n RhostsRSAAuthentication no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['V-72239', 'SV-86863']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204588'\n tag rid: 'SV-204588r603261_rule'\n tag stig_id: 'RHEL-07-040330'\n tag fix_id: 'F-4712r88957_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif os.release.to_f 
>= 7.4\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip 'For RHEL 7.4 and above, this requirement is not applicable.'\n end\n else\n describe sshd_config do\n its('RhostsRSAAuthentication') { should cmp 'no' }\n end\n end\nend\n", + "code": "control 'SV-204610' do\n title 'The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when\n possible on all interfaces.'\n desc 'Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.'\n desc 'check', 'Verify the system uses a reverse-path filter for IPv4:\n\n # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter\n net.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-92251', 'SV-102353']\n tag severity: 'medium'\n tag gtitle: 
'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204610'\n tag rid: 'SV-204610r880800_rule'\n tag stig_id: 'RHEL-07-040611'\n tag fix_id: 'F-4734r880799_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n rp_filter = 1\n config_file_values = command('grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [rp_filter.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set rp_filter to #{rp_filter}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.all.rp_filter' do\n subject { kernel_parameter('net.ipv4.conf.all.rp_filter') }\n its('value') { should eq rp_filter }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204588.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204610.rb", "line": 1 }, - "id": "SV-204588" + "id": "SV-204610" }, { - "title": "The Red Hat Enterprise Linux operating system must enable a user session lock until that user\n re-establishes access using established identification and authentication procedures.", - "desc": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary 
nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in\n place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.", + "title": "The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account\n access events.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in\n place until the user reauthenticates. 
No other activity aside from reauthentication must unlock the system.", - "check": "Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the screen lock is enabled with the following command:\n\n # grep -ir lock-enabled /etc/dconf/db/local.d/ | grep -v locks\n lock-enabled=true\n\nIf the \"lock-enabled\" setting is missing or is not set to \"true\", this is a finding.", - "fix": "Configure the operating system to enable a user's session lock until that user re-establishes access\n using established identification and authentication procedures.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n example:\n # touch /etc/dconf/db/local.d/00-screensaver\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file and add or update the following lines:\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." 
+ "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "check": "Verify the operating system generates audit records when unsuccessful account access events occur.\n Check the file system rule in \"/etc/audit/audit.rules\" with the following commands:\n # grep -i /var/run/faillock /etc/audit/audit.rules\n -w /var/run/faillock -p wa -k logins\n If the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when unsuccessful account access events\n occur.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /var/run/faillock -p wa -k logins\n The audit daemon must be restarted for the changes to take effect." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86515", - "V-71891" + "V-72145", + "SV-86769" ], "severity": "medium", - "gtitle": "SRG-OS-000028-GPOS-00009", + "gtitle": "SRG-OS-000392-GPOS-00172", "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000030-GPOS-00011" + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000473-GPOS-00218" ], - "gid": "V-204396", - "rid": "SV-204396r880746_rule", - "stig_id": "RHEL-07-010060", - "fix_id": "F-4520r880745_fix", + "gid": "V-204540", + "rid": "SV-204540r853930_rule", + "stig_id": "RHEL-07-030610", + "fix_id": "F-4664r88813_fix", "cci": [ - "CCI-000056" + "CCI-000126", + "CCI-000172", + "CCI-002884" ], "nist": [ - "AC-11 b" + "AU-2 d", + "AU-12 c", + "MA-4 (1) (a)", + "AU-2 c" ], "subsystems": [ - "session", - "lock", - "gui", - "screensaver" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204396' do\n title 'The Red Hat Enterprise Linux operating system must enable a user session lock until that user\n re-establishes access using established identification and authentication procedures.'\n desc 'A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in\n place until the user reauthenticates. 
No other activity aside from reauthentication must unlock the system.'\n desc 'check', %q(Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the screen lock is enabled with the following command:\n\n # grep -ir lock-enabled /etc/dconf/db/local.d/ | grep -v locks\n lock-enabled=true\n\nIf the \"lock-enabled\" setting is missing or is not set to \"true\", this is a finding.)\n desc 'fix', %q(Configure the operating system to enable a user's session lock until that user re-establishes access\n using established identification and authentication procedures.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n example:\n # touch /etc/dconf/db/local.d/00-screensaver\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file and add or update the following lines:\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.)\n impact 0.5\n tag legacy: ['SV-86515', 'V-71891']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-204396'\n tag rid: 'SV-204396r880746_rule'\n tag stig_id: 'RHEL-07-010060'\n tag fix_id: 'F-4520r880745_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag subsystems: ['session', 'lock', 'gui', 'screensaver']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command('gsettings get 
org.gnome.desktop.screensaver lock-enabled') do\n its('stdout.strip') { should cmp 'true' }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-204540' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account\n access events.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system generates audit records when unsuccessful account access events occur.\n Check the file system rule in \"/etc/audit/audit.rules\" with the following commands:\n # grep -i /var/run/faillock /etc/audit/audit.rules\n -w /var/run/faillock -p wa -k logins\n If the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when unsuccessful account access events\n occur.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /var/run/faillock -p wa -k logins\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72145', 'SV-86769']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-204540'\n tag rid: 'SV-204540r853930_rule'\n tag stig_id: 'RHEL-07-030610'\n tag fix_id: 'F-4664r88813_fix'\n tag cci: ['CCI-000126', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-2 d', 'AU-12 c', 'MA-4 (1) (a)', 'AU-2 c']\n tag subsystems: ['audit', 'auditd', 
'audit_rule']\n tag 'host'\n\n audit_command = '/var/run/faillock'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'logins'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204396.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204540.rb", "line": 1 }, - "id": "SV-204396" + "id": "SV-204540" }, { - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/passwd.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "title": "The Red Hat Enterprise Linux operating system must be configured so that user and group account\n administration utilities are configured to store only encrypted representations of passwords.", + "desc": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/passwd\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/passwd /etc/audit/audit.rules\n -w /etc/passwd -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/passwd\".\n Add or update the following rule \"/etc/audit/rules.d/audit.rules\":\n -w /etc/passwd -p wa -k identity\n The audit daemon must be restarted for the changes to take effect." + "default": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", + "check": "Verify the user and group account administration utilities are configured to store only encrypted\n representations of passwords. 
The strength of encryption that must be used to hash passwords for all accounts is\n \"SHA512\".\n Check that the system is configured to create \"SHA512\" hashed passwords with the following command:\n # grep -i sha512 /etc/libuser.conf\n crypt_style = sha512\n If the \"crypt_style\" variable is not set to \"sha512\", is not in the defaults section, is commented out, or does not\n exist, this is a finding.", + "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n Add or update the following line in \"/etc/libuser.conf\" in the [defaults] section:\n crypt_style = sha512" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86821", - "V-72197" + "V-71923", + "SV-86547" ], "severity": "medium", - "gtitle": "SRG-OS-000004-GPOS-00004", - "satisfies": [ - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000476-GPOS-00221" - ], - "gid": "V-204564", - "rid": "SV-204564r853978_rule", - "stig_id": "RHEL-07-030870", - "fix_id": "F-4688r88885_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-204417", + "rid": "SV-204417r877397_rule", + "stig_id": "RHEL-07-010220", + "fix_id": "F-4541r88444_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" + "CCI-000196" ], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" + "IA-5 (1) (c)" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "libuser_conf", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204564' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/passwd.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events 
relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/passwd\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/passwd /etc/audit/audit.rules\n -w /etc/passwd -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/passwd\".\n Add or update the following rule \"/etc/audit/rules.d/audit.rules\":\n -w /etc/passwd -p wa -k identity\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86821', 'V-72197']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-204564'\n tag rid: 'SV-204564r853978_rule'\n tag stig_id: 'RHEL-07-030870'\n tag fix_id: 'F-4688r88885_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/passwd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n 
expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", + "code": "control 'SV-204417' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that user and group account\n administration utilities are configured to store only encrypted representations of passwords.'\n desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.'\n desc 'check', 'Verify the user and group account administration utilities are configured to store only encrypted\n representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is\n \"SHA512\".\n Check that the system is configured to create \"SHA512\" hashed passwords with the following command:\n # grep -i sha512 /etc/libuser.conf\n crypt_style = sha512\n If the \"crypt_style\" variable is not set to \"sha512\", is not in the defaults section, is commented out, or does not\n exist, this is a finding.'\n desc 'fix', 'Configure the operating system to store only SHA512 encrypted representations of passwords.\n Add or update the following line in \"/etc/libuser.conf\" in the [defaults] section:\n crypt_style = sha512'\n impact 0.5\n tag legacy: ['V-71923', 'SV-86547']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-204417'\n tag rid: 'SV-204417r877397_rule'\n tag stig_id: 'RHEL-07-010220'\n tag fix_id: 'F-4541r88444_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag subsystems: ['libuser_conf', 'password']\n tag 'host'\n tag 'container'\n\n describe command('cat /etc/libuser.conf | grep -i sha512') do\n its('stdout.strip') { should match(/^crypt_style = sha512$/) }\n end\nend\n", 
"source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204564.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204417.rb", "line": 1 }, - "id": "SV-204564" + "id": "SV-204417" }, { - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent\n Banner before granting local or remote access to the system via a graphical user logon.", - "desc": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a\n home directory assigned and defined in the /etc/passwd file.", + "desc": "If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.\n In addition, if a local interactive user has a home directory defined that does not exist, the user may be given\n access to the / directory as the current working directory upon logon. This could create a Denial of Service because\n the user would not be able to access their logon configuration files, and it may give them visibility to system\n files they normally would not be able to access.", "descriptions": { - "default": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"", - "check": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the operating system via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check to see if the operating system displays a banner at the logon screen with the following command:\n # grep banner-message-enable /etc/dconf/db/local.d/*\n banner-message-enable=true\n If \"banner-message-enable\" is set to \"false\" or is missing, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the system.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the\n following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n [org/gnome/login-screen]\n banner-message-enable=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." + "default": "If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.\n In addition, if a local interactive user has a home directory defined that does not exist, the user may be given\n access to the / directory as the current working directory upon logon. 
This could create a Denial of Service because\n the user would not be able to access their logon configuration files, and it may give them visibility to system\n files they normally would not be able to access.", + "check": "Verify local interactive users on the system have a home directory assigned and the directory\n exists.\n Check the home directory assignment for all local interactive non-privileged users on the system with the following\n command:\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1001 /home/smithj\n Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be\n obtained from a number of log files containing system logon information.\n Check that all referenced home directories exist with the following command:\n # pwck -r\n user 'smithj': directory '/home/smithj' does not exist\n If any home directories referenced in \"/etc/passwd\" are returned as not defined, or if any interactive users do not\n have a home directory assigned, this is a finding.", + "fix": "Create home directories to all local interactive users that currently do not have a home directory\n assigned. 
Use the following commands to create the user home directory assigned in \"/etc/ passwd\":\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\", a UID of \"smithj\", and a\n Group Identifier (GID) of \"users\" assigned in \"/etc/passwd\".\n # mkdir /home/smithj\n # chown smithj /home/smithj\n # chgrp users /home/smithj\n # chmod 0750 /home/smithj" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71859", - "SV-86483" + "V-72015", + "SV-86639" ], "severity": "medium", - "gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000024-GPOS-00007", - "SRG-OS-000228-GPOS-00088" - ], - "gid": "V-204393", - "rid": "SV-204393r603261_rule", - "stig_id": "RHEL-07-010030", - "fix_id": "F-4517r88372_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204467", + "rid": "SV-204467r603826_rule", + "stig_id": "RHEL-07-020620", + "fix_id": "F-4591r462550_fix", "cci": [ - "CCI-000048" + "CCI-000366" ], "nist": [ - "AC-8 a" + "CM-6 b" ], "subsystems": [ - "gui", - "banner" - ] + "accounts" + ], + "host": null }, - "code": "control 'SV-204393' do\n title \"The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent\n Banner before granting local or remote access to the system via a graphical user logon.\"\n desc \"Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. 
Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \\\"#{input('banner_message_text_gui')}\\\" \"\n desc 'check',\"Verify the operating system displays the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the operating system via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check to see if the operating system displays a banner at the logon screen with the following command:\n # grep banner-message-enable /etc/dconf/db/local.d/*\n banner-message-enable=true\n If \\\"banner-message-enable\\\" is set to \\\"false\\\" or is missing, this is a finding.\"\n desc 'fix', \"Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the system.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the\n following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the \\\"/etc/dconf/db/local.d/01-banner-message\\\":\n [org/gnome/login-screen]\n banner-message-enable=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.\"\n impact 0.5\n tag legacy: ['V-71859', 'SV-86483']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-204393'\n tag rid: 'SV-204393r603261_rule'\n tag stig_id: 'RHEL-07-010030'\n tag fix_id: 'F-4517r88372_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag subsystems: ['gui', 'banner']\n\n if package('gnome-desktop3').installed?\n if !input('dconf_user').nil? 
and command('whoami').stdout.strip == 'root'\n describe command(\"sudo -u input('dconf_user') dconf read /org/gnome/login-screen/banner-message-enable\") do\n its('stdout.strip') do\n should cmp input('banner_message_enabled').to_s\n end\n end\n else\n describe command('dconf read /org/gnome/login-screen/banner-message-enable') do\n its('stdout.strip') do\n should cmp input('banner_message_enabled').to_s\n end\n end\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204467' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a\n home directory assigned and defined in the /etc/passwd file.'\n desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.\n In addition, if a local interactive user has a home directory defined that does not exist, the user may be given\n access to the / directory as the current working directory upon logon. This could create a Denial of Service because\n the user would not be able to access their logon configuration files, and it may give them visibility to system\n files they normally would not be able to access.'\n desc 'check', %q(Verify local interactive users on the system have a home directory assigned and the directory\n exists.\n Check the home directory assignment for all local interactive non-privileged users on the system with the following\n command:\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1001 /home/smithj\n Note: This may miss interactive users that have been assigned a privileged UID. 
Evidence of interactive use may be\n obtained from a number of log files containing system logon information.\n Check that all referenced home directories exist with the following command:\n # pwck -r\n user 'smithj': directory '/home/smithj' does not exist\n If any home directories referenced in \"/etc/passwd\" are returned as not defined, or if any interactive users do not\n have a home directory assigned, this is a finding.)\n desc 'fix', 'Create home directories to all local interactive users that currently do not have a home directory\n assigned. Use the following commands to create the user home directory assigned in \"/etc/ passwd\":\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\", a UID of \"smithj\", and a\n Group Identifier (GID) of \"users\" assigned in \"/etc/passwd\".\n # mkdir /home/smithj\n # chown smithj /home/smithj\n # chgrp users /home/smithj\n # chmod 0750 /home/smithj'\n impact 0.5\n tag legacy: ['V-72015', 'SV-86639']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204467'\n tag rid: 'SV-204467r603826_rule'\n tag stig_id: 'RHEL-07-020620'\n tag fix_id: 'F-4591r462550_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['accounts']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n describe directory(user_info.home) do\n it { should exist }\n end\n end\n end\nend\n", "source_location": { - "ref": 
"./Red Hat 7 STIG/controls/SV-204393.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204467.rb", "line": 1 }, - "id": "SV-204393" + "id": "SV-204467" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems\n that are being imported via Network File System (NFS).", - "desc": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.", + "title": "The Red Hat Enterprise Linux operating system must remove all software components after updated versions\n have been installed.", + "desc": "Previous versions of software components that are not removed from the information system after updates have\n been installed may be exploited by adversaries. Some information technology products may remove older versions of\n software automatically from the information system.", "descriptions": { - "default": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.", - "check": "Verify file systems that are being NFS imported are configured with the \"noexec\" option.\n Find the file system(s) that contain the directories being imported with the following command:\n # more /etc/fstab | grep nfs\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"noexec\" option set, and use of NFS\n imported binaries is not documented with the Information System Security Officer (ISSO) as an operational\n requirement, this is a finding.\n Verify the NFS is mounted with the \"noexec\"option:\n # mount | grep nfs | grep noexec\n If no results are returned and use of NFS imported binaries is not documented with the Information System Security\n Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on file systems that are being imported via\n NFS." + "default": "Previous versions of software components that are not removed from the information system after updates have\n been installed may be exploited by adversaries. 
Some information technology products may remove older versions of\n software automatically from the information system.", + "check": "Verify the operating system removes all software components after updated versions have been\n installed.\n Check if yum is configured to remove unneeded packages with the following command:\n # grep -i clean_requirements_on_remove /etc/yum.conf\n clean_requirements_on_remove=1\n If \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a\n finding.", + "fix": "Configure the operating system to remove all software components after updated versions have been\n installed.\n Set the \"clean_requirements_on_remove\" option to \"1\" in the \"/etc/yum.conf\" file:\n clean_requirements_on_remove=1" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "SV-87813", - "V-73161" + "V-71987", + "SV-86611" ], - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204483", - "rid": "SV-204483r603261_rule", - "stig_id": "RHEL-07-021021", - "fix_id": "F-4607r88642_fix", + "severity": "low", + "gtitle": "SRG-OS-000437-GPOS-00194", + "gid": "V-204452", + "rid": "SV-204452r853894_rule", + "stig_id": "RHEL-07-020200", + "fix_id": "F-4576r88549_fix", "cci": [ - "CCI-000366" + "CCI-002617" ], "nist": [ - "CM-6 b" + "SI-2 (6)" ], "subsystems": [ - "etc_fstab" + "yum" ], "host": null, "container": null }, - "code": "control 'SV-204483' do\n title 'The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems\n that are being imported via Network File System (NFS).'\n desc 'The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.'\n desc 'check', 'Verify file systems that are being NFS imported are configured with the \"noexec\" option.\n Find the file system(s) that contain the directories being imported with the following command:\n # more /etc/fstab | grep nfs\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"noexec\" option set, and use of NFS\n imported binaries is not documented with the Information System Security Officer (ISSO) as an operational\n requirement, this is a finding.\n Verify the NFS is mounted with the \"noexec\"option:\n # mount | grep nfs | grep noexec\n If no results are returned and use of NFS imported binaries is not documented with the Information System Security\n Officer (ISSO) as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"noexec\" option on file systems that are being imported via\n NFS.'\n impact 0.5\n tag legacy: ['SV-87813', 'V-73161']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204483'\n tag rid: 'SV-204483r603261_rule'\n tag stig_id: 'RHEL-07-021021'\n tag fix_id: 'F-4607r88642_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['etc_fstab']\n tag 'host'\n tag 'container'\n\n nfs_systems = etc_fstab.nfs_file_systems.entries\n\n if !nfs_systems.nil? && !nfs_systems.empty?\n nfs_systems.each do |nfs_system|\n describe \"Network File System mounted on #{nfs_system['mount_point']}\" do\n subject { nfs_system }\n its('mount_options') { should include 'noexec' }\n end\n end\n else\n describe 'No NFS file systems were found' do\n subject { nfs_systems.nil? || nfs_systems.empty? 
}\n it { should eq true }\n end\n end\nend\n", + "code": "control 'SV-204452' do\n title 'The Red Hat Enterprise Linux operating system must remove all software components after updated versions\n have been installed.'\n desc 'Previous versions of software components that are not removed from the information system after updates have\n been installed may be exploited by adversaries. Some information technology products may remove older versions of\n software automatically from the information system.'\n desc 'check', 'Verify the operating system removes all software components after updated versions have been\n installed.\n Check if yum is configured to remove unneeded packages with the following command:\n # grep -i clean_requirements_on_remove /etc/yum.conf\n clean_requirements_on_remove=1\n If \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a\n finding.'\n desc 'fix', 'Configure the operating system to remove all software components after updated versions have been\n installed.\n Set the \"clean_requirements_on_remove\" option to \"1\" in the \"/etc/yum.conf\" file:\n clean_requirements_on_remove=1'\n impact 0.3\n tag legacy: ['V-71987', 'SV-86611']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000437-GPOS-00194'\n tag gid: 'V-204452'\n tag rid: 'SV-204452r853894_rule'\n tag stig_id: 'RHEL-07-020200'\n tag fix_id: 'F-4576r88549_fix'\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n tag subsystems: ['yum']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/yum.conf') do\n its('main.clean_requirements_on_remove') { should match(/1|True|yes/i) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204483.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204452.rb", "line": 1 }, - "id": "SV-204483" + "id": "SV-204452" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.", - "desc": "Reconstruction of harmful 
events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/gshadow.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/chsh\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/gshadow\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/gshadow /etc/audit/audit.rules\n -w /etc/gshadow -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", + "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/gshadow\".\n Add or 
update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/gshadow -p wa -k identity\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86791", - "V-72167" + "SV-87819", + "V-73167" ], "severity": "medium", - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-204551", - "rid": "SV-204551r861050_rule", - "stig_id": "RHEL-07-030720", - "fix_id": "F-4675r861049_fix", + "gtitle": "SRG-OS-000004-GPOS-00004", + "gid": "V-204566", + "rid": "SV-204566r853980_rule", + "stig_id": "RHEL-07-030872", + "fix_id": "F-4690r88891_fix", "cci": [ - "CCI-000130", - "CCI-000135", + "CCI-000018", "CCI-000172", - "CCI-002884" + "CCI-001403", + "CCI-002130" ], "nist": [ - "AU-3", - "AU-3 (1)", + "AC-2 (4)", "AU-12 c", - "MA-4 (1) (a)", - "AU-3 a" + "AC-2 (4)", + "AC-2 (4)" ], "subsystems": [ "audit", 
@@ -4533,34 +4341,34 @@ ], "host": null }, - "code": "control 'SV-204551' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/chsh\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86791', 'V-72167']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 
'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204551'\n tag rid: 'SV-204551r861050_rule'\n tag stig_id: 'RHEL-07-030720'\n tag fix_id: 'F-4675r861049_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/chsh'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", + "code": "control 'SV-204566' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/gshadow.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/gshadow\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/gshadow /etc/audit/audit.rules\n -w 
/etc/gshadow -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/gshadow\".\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/gshadow -p wa -k identity\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-87819', 'V-73167']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag gid: 'V-204566'\n tag rid: 'SV-204566r853980_rule'\n tag stig_id: 'RHEL-07-030872'\n tag fix_id: 'F-4690r88891_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/gshadow'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204551.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204566.rb", "line": 1 }, - "id": "SV-204551" + "id": "SV-204566" }, { - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data\n path.", - "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that 
the file integrity tool is\n configured to verify Access Control Lists (ACLs).", + "desc": "ACLs can provide permissions beyond those permitted through the file mode and must be verified by file\n integrity tools.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", - "check": "Determine if the operating system is configured to have the \"/var/log/audit\" path is on a separate\n file system.\n # grep /var/log/audit /etc/fstab\n If no result is returned, or the operating system is not configured to have \"/var/log/audit\" on a separate file\n system, this is a finding.\n Verify that \"/var/log/audit\" is mounted on a separate file system:\n # mount | grep \"/var/log/audit\"\n If no result is returned, or \"/var/log/audit\" is not on a separate file system, this is a finding.", - "fix": "Migrate the system audit data path onto a separate file system." + "default": "ACLs can provide permissions beyond those permitted through the file mode and must be verified by file\n integrity tools.", + "check": "Verify the file integrity tool is configured to verify ACLs.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"acl\" rule is below:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"acl\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or ACLs are not being checked by another file integrity tool, this is a finding.", + "fix": "Configure the file integrity tool to check file and directory ACLs.\n If AIDE is installed, ensure the \"acl\" rule is present on all uncommented file and directory selection lists." }, "impact": 0.3, "refs": [], "tags": { "legacy": [ - "SV-86687", - "V-72063" + "SV-86693", + "V-72069" ], "severity": "low", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204495", - "rid": "SV-204495r603261_rule", - "stig_id": "RHEL-07-021330", - "fix_id": "F-4619r88678_fix", + "gid": "V-204498", + "rid": "SV-204498r880856_rule", + "stig_id": "RHEL-07-021600", + "fix_id": "F-4622r88687_fix", "cci": [ "CCI-000366" ], 
@@ -4568,393 +4376,332 @@ "CM-6 b" ], "subsystems": [ - "file_system", - "audit" + "file_integrity_tool" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204495' do\n title 'The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data\n path.'\n desc 'The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.'\n desc 'check', 'Determine if the operating system is configured to have the \"/var/log/audit\" path is on a separate\n file system.\n # grep /var/log/audit /etc/fstab\n If no result is returned, or the operating system is not configured to have \"/var/log/audit\" on a separate file\n system, this is a finding.\n Verify that \"/var/log/audit\" is mounted on a separate file system:\n # mount | grep \"/var/log/audit\"\n If no result is returned, or \"/var/log/audit\" is not on a separate file system, this is a finding.'\n desc 'fix', 'Migrate the system audit data path onto a separate file system.'\n impact 0.3\n tag legacy: ['SV-86687', 'V-72063']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204495'\n tag rid: 'SV-204495r603261_rule'\n tag stig_id: 'RHEL-07-021330'\n tag fix_id: 'F-4619r88678_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_system', 'audit']\n tag 'host'\n\n audit_data_path = command(\"dirname #{auditd_conf.log_file}\").stdout.strip\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe etc_fstab.where { mount_point == audit_data_path } do\n it { should exist }\n end\n end\nend\n", + "code": "control 'SV-204498' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is\n configured to verify Access Control Lists (ACLs).'\n desc 'ACLs can 
provide permissions beyond those permitted through the file mode and must be verified by file\n integrity tools.'\n desc 'check', 'Verify the file integrity tool is configured to verify ACLs.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"acl\" rule is below:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"acl\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or ACLs are not being checked by another file integrity tool, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to check file and directory ACLs.\n If AIDE is installed, ensure the \"acl\" rule is present on all uncommented file and directory selection lists.'\n impact 0.3\n tag legacy: ['SV-86693', 'V-72069']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204498'\n tag rid: 'SV-204498r880856_rule'\n tag stig_id: 'RHEL-07-021600'\n tag fix_id: 'F-4622r88687_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n aide_conf_file_path = input('aide_conf_path')\n\n if file_integrity_tool == 'aide'\n if aide_conf(aide_conf_file_path).exist?\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n unless selection.rules.include? 
'acl'\n findings.append(selection.selection_line)\n end\n end\n\n describe \"List of monitored files/directories without 'acl' rule\" do\n subject { findings }\n it { should be_empty }\n end\n else\n describe \"AIDE configuration file at: #{aide_conf_file_path}\" do\n subject { aide_conf(aide_conf_file_path) }\n it { should exist }\n end\n end\n else\n describe 'Need manual review of file integrity tool' do\n skip 'A manual review of the file integrity tool is required to ensure that it verifies ACLs.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204495.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204498.rb", "line": 1 }, - "id": "SV-204495" + "id": "SV-204498" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are\n group-owned by root, sys, bin, or an application group.", - "desc": "If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier\n (GID), unauthorized users may be able to modify files created by others.\n The only authorized public directories are those temporary directories supplied with the system or those designed to\n be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for\n temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", + "title": "The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different\n system or storage media from the system being audited.", + "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.\n Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off load the logs from the\n system being audited.", "descriptions": { - "default": "If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier\n (GID), unauthorized users may be able to modify files created by others.\n The only authorized public directories are those temporary directories supplied with the system or those designed to\n be temporary file repositories. The setting is normally reserved for directories used by the system and by users for\n temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", - "check": "The following command will discover and print world-writable directories that are not group-owned by\n a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition\n [PART]:\n # find [PART] -xdev -type d -perm -0002 -gid +999 -print\n If there is output, this is a finding.", - "fix": "All directories in local partitions which are world-writable should be group-owned by root or another\n system account. If any world-writable directories are not group-owned by a system account, this should be\n investigated. 
Following this, the directories should be deleted or assigned to an appropriate group." + "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.\n Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off load the logs from the\n system being audited.", + "check": "Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote\n daemon:\n # cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"\n active = yes\n direction = out\n path = /sbin/audisp-remote\n type = always\n format = string\n If \"active\" is not set to \"yes\", \"direction\" is not set to \"out\", \"path\" is not set to \"/sbin/audisp-remote\", \"type\"\n is not set to \"always\", or any of the lines are commented out, ask the System Administrator to indicate how the\n audit logs are off-loaded to a different system or storage media.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n this is a finding.", + "fix": "Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:\n\nactive = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72047", - "SV-86671" + "SV-95729", + "V-81017" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204487", - "rid": "SV-204487r744106_rule", - "stig_id": "RHEL-07-021030", - "fix_id": "F-36308r602634_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "satisfies": [ + "SRG-OS-000342-GPOS-00133", + "SRG-OS-000479-GPOS-00224" + ], + "gid": "V-204506", + 
"rid": "SV-204506r877390_rule", + "stig_id": "RHEL-07-030201", + "fix_id": "F-4630r858479_fix", "cci": [ - "CCI-000366" + "CCI-001851" ], "nist": [ - "CM-6 b" + "AU-4 (1)" ], "subsystems": [ - "world_writable", - "ww_dirs" + "audit", + "audisp" ], "host": null }, - "code": "control 'SV-204487' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are\n group-owned by root, sys, bin, or an application group.'\n desc 'If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier\n (GID), unauthorized users may be able to modify files created by others.\n The only authorized public directories are those temporary directories supplied with the system or those designed to\n be temporary file repositories. The setting is normally reserved for directories used by the system and by users for\n temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories that are not group-owned by\n a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition\n [PART]:\n # find [PART] -xdev -type d -perm -0002 -gid +999 -print\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable should be group-owned by root or another\n system account. If any world-writable directories are not group-owned by a system account, this should be\n investigated. 
Following this, the directories should be deleted or assigned to an appropriate group.'\n impact 0.5\n tag legacy: ['V-72047', 'SV-86671']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204487'\n tag rid: 'SV-204487r744106_rule'\n tag stig_id: 'RHEL-07-021030'\n tag fix_id: 'F-36308r602634_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['world_writable', 'ww_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n ww_dirs = Set[]\n partitions = etc_fstab.params.map do |partition|\n partition['mount_point']\n end.uniq\n partitions.each do |part|\n cmd = \"find #{part} -xdev -type d -perm -0002 -gid +999 -print\"\n ww_dirs += command(cmd).stdout.split(\"\\n\")\n end\n describe 'List of world-writeable directories not group-owned by a system account' do\n it 'should be empty' do\n expect(ww_dirs).to be_empty, \"Found world-writeable dirs not group-owned by system account: #{ww_dirs.to_a.join(', ')}\"\n end\n end\n end\nend\n", + "code": "control 'SV-204506' do\n title 'The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different\n system or storage media from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.\n Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off load the logs from the\n system being audited.'\n desc 'check', 'Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote\n daemon:\n # cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"\n active = 
yes\n direction = out\n path = /sbin/audisp-remote\n type = always\n format = string\n If \"active\" is not set to \"yes\", \"direction\" is not set to \"out\", \"path\" is not set to \"/sbin/audisp-remote\", \"type\"\n is not set to \"always\", or any of the lines are commented out, ask the System Administrator to indicate how the\n audit logs are off-loaded to a different system or storage media.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n this is a finding.'\n desc 'fix', 'Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:\n\nactive = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart'\n impact 0.5\n tag legacy: ['SV-95729', 'V-81017']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204506'\n tag rid: 'SV-204506r877390_rule'\n tag stig_id: 'RHEL-07-030201'\n tag fix_id: 'F-4630r858479_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n test_file = '/etc/audisp/plugins.d/au-remote.conf'\n\n if file(test_file).exist?\n describe parse_config_file(test_file) do\n its('active') { should match(/yes$/) }\n its('direction') { should match(/out$/) }\n its('path') { should match %r{/sbin/audisp-remote$} }\n its('type') { should match(/always$/) }\n end\n else\n describe \"File '#{test_file}' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '#{test_file}' cannot be found. 
This check must be performed manually\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204487.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204506.rb", "line": 1 }, - "id": "SV-204487" + "id": "SV-204506" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key\n sequence is disabled on the command line.", - "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of\n unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any\n action is taken.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the umount command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. 
In the GNOME graphical environment, risk of\n unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any\n action is taken.", - "check": "Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active with the following command:\n\n$ sudo systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (/dev/null; bad)\nActive: inactive (dead)\n\nIf the ctrl-alt-del.target is not masked, this is a finding.\n\nIf the ctrl-alt-del.target is active, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl mask ctrl-alt-del.target" + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/umount\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86617", - "V-71993" + "V-72173", + "SV-86797" ], - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204455", - "rid": "SV-204455r833106_rule", - "stig_id": "RHEL-07-020230", - "fix_id": "F-4579r833105_fix", + "severity": "medium", + "gtitle": "SRG-OS-000042-GPOS-00020", + "satisfies": [ + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172" + ], + "gid": "V-204553", + "rid": "SV-204553r861056_rule", + "stig_id": "RHEL-07-030750", + "fix_id": "F-4677r861055_fix", "cci": [ - "CCI-000366" + "CCI-000135", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-3 (1)", + "MA-4 (1) (a)" ], "subsystems": [ - "gui", - "general" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204455' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key\n sequence is disabled on the command line.'\n desc 'A locally logged-on user 
who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of\n unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any\n action is taken.'\n desc 'check', 'Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active with the following command:\n\n$ sudo systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (/dev/null; bad)\nActive: inactive (dead)\n\nIf the ctrl-alt-del.target is not masked, this is a finding.\n\nIf the ctrl-alt-del.target is active, this is a finding.'\n desc 'fix', 'Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl mask ctrl-alt-del.target'\n impact 0.7\n tag legacy: ['SV-86617', 'V-71993']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204455'\n tag rid: 'SV-204455r833106_rule'\n tag stig_id: 'RHEL-07-020230'\n tag fix_id: 'F-4579r833105_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gui', 'general']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n service_load_state = systemd_service('ctrl-alt-del.target').params.LoadState\n service_active_state = systemd_service('ctrl-alt-del.target').params.ActiveState\n\n describe 'ctrl-alt-del.target' do\n it 'should be masked' do\n expect(service_load_state).to cmp('masked')\n end\n end\n\n describe 'ctrl-alt-del.target' do\n it 'should be inactive' do\n 
expect(service_active_state).to cmp('inactive')\n end\n end\n end\nend\n", + "code": "control 'SV-204553' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the umount command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/umount\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72173', 'SV-86797']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 
'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204553'\n tag rid: 'SV-204553r861056_rule'\n tag stig_id: 'RHEL-07-030750'\n tag fix_id: 'F-4677r861055_fix'\n tag cci: ['CCI-000135', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/umount'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-mount')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204455.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204553.rb", "line": 1 }, - "id": "SV-204455" + "id": "SV-204553" }, { - "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface\n (UEFI) must require authentication upon booting into single-user and maintenance modes.", - "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.", + "title": "The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.", + "desc": "Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n\nEmergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nTo address access requirements, many RHEL systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", "descriptions": { - "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.", - "check": "For systems that use BIOS, this is Not Applicable.\n For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:\n $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for the grub superusers account with the\n grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.\n Generate an encrypted grub2 password for the grub superusers account with the following command:\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:" + "default": "Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n\nEmergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. 
A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nTo address access requirements, many RHEL systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.", + "check": "Verify emergency accounts have been provisioned with an expiration date of 72 hours.\n\nFor every existing emergency account, run the following command to obtain its account expiration information.\n\n$ sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within 72 hours.\nIf any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.", + "fix": "If an emergency account must be created, configure the system to terminate the account after 72 hours with the following command to set an expiration date for the account. Substitute \"system_account_name\" with the account to be created.\n\n$ sudo chage -E `date -d '+3 days' +%Y-%m-%d` system_account_name\n\nThe automatic expiration or disabling time period may be extended as needed until the crisis is resolved." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "SV-95719", - "V-81007" - ], - "severity": "high", - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-204440", - "rid": "SV-204440r744098_rule", - "stig_id": "RHEL-07-010491", - "fix_id": "F-4564r744097_fix", + "check_id": "C-58007r858499_chk", + "severity": "medium", + "gid": "V-254523", + "rid": "SV-254523r858501_rule", + "stig_id": "RHEL-07-010271", + "gtitle": "SRG-OS-000123-GPOS-00064", + "fix_id": "F-57956r858500_fix", + "documentable": null, "cci": [ - "CCI-000213" + "CCI-001682" ], "nist": [ - "AC-3" - ], - "subsystems": [ - "boot", - "uefi" - ], - "host": null + "AC-2 (2)" + ] }, - "code": "control 'SV-204440' do\n title 'Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface\n (UEFI) must require authentication upon booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.'\n desc 'check', 'For systems that use BIOS, this is Not Applicable.\n For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n Check to see if an encrypted grub superusers password is set. 
On systems that use UEFI, use the following command:\n $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.'\n desc 'fix', 'Configure the system to encrypt the boot password for the grub superusers account with the\n grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.\n Generate an encrypted grub2 password for the grub superusers account with the following command:\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:'\n impact 0.7\n tag legacy: ['SV-95719', 'V-81007']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-204440'\n tag rid: 'SV-204440r744098_rule'\n tag stig_id: 'RHEL-07-010491'\n tag fix_id: 'F-4564r744097_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag subsystems: ['boot', 'uefi']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif file('/sys/firmware/efi').exist?\n\n if os[:release] >= '7.2'\n impact 0.7\n input('grub_uefi_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }\n end\n end\n\n describe parse_config_file(input('grub_uefi_main_cfg')) do\n its('set superusers') { should cmp '\"root\"' }\n end\n else\n impact 0.0\n describe 'System running version of RHEL prior to 7.2' do\n skip 'The System is running an outdated version of RHEL, this control is Not Applicable.'\n end\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running BIOS, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-254523' do\n title \"The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled 
after the crisis is resolved or within #{input('emergency_account_disable')} hours.\"\n desc \"Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.\n\nEmergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. 
A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nTo address access requirements, many RHEL systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.\"\n desc 'check', \"Verify emergency accounts have been provisioned with an expiration date of #{input('emergency_account_disable')} hours.\n\nFor every existing emergency account, run the following command to obtain its account expiration information.\n\n$ sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within #{input('emergency_account_disable')} hours.\nIf any emergency accounts have no expiration date set or do not expire within #{input('emergency_account_disable')} hours, this is a finding.\"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after #{input('emergency_account_disable')} hours with the following command to set an expiration date for the account. 
Substitute \\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E `date -d '+#{input('emergency_account_disable')/24} days' +%Y-%m-%d` system_account_name\n\nThe automatic expiration or disabling time period may be extended as needed until the crisis is resolved.\"\n impact 0.5\n tag check_id: 'C-58007r858499_chk'\n tag severity: 'medium'\n tag gid: 'V-254523'\n tag rid: 'SV-254523r858501_rule'\n tag stig_id: 'RHEL-07-010271'\n tag gtitle: 'SRG-OS-000123-GPOS-00064'\n tag fix_id: 'F-57956r858500_fix'\n tag 'documentable'\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n emergency_accounts = input('emergency_accounts')\n\n if emergency_accounts.empty?\n describe 'Emergency accounts' do\n subject { emergency_accounts }\n it { should be_empty }\n end\n else\n emergency_accounts.each do |acct|\n describe user(acct.to_s) do\n its('maxdays') { should cmp <= (input('emergency_account_disable')/24) }\n its('maxdays') { should cmp > 0 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204440.rb", + "ref": "./Red Hat 7 STIG/controls/SV-254523.rb", "line": 1 }, - "id": "SV-204440" + "id": "SV-254523" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for\n confidentiality and integrity of transmitted and received information as well as information during preparation for\n transmission.", - "desc": "Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If\n physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice\n versa.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate\n action when the audit storage volume is full.", + "desc": "Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing\n audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.", "descriptions": { - "default": "Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If\n physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice\n versa.", - "check": "Verify SSH is loaded and active with the following command:\n # systemctl status sshd\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.", - "fix": "Configure the SSH service to automatically start after reboot with the following command:\n # systemctl enable sshd.service" + "default": "Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing\n audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.", + "check": "Verify the action the operating system takes if the disk the audit records are written to becomes\n full.\n To determine the action that takes place if the disk is full on the remote server, use the following command:\n # grep -i disk_full_action /etc/audisp/audisp-remote.conf\n disk_full_action = single\n If the value of the \"disk_full_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out,\n ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media,\n and to indicate the action taken when the disk is full on the remote server.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not take appropriate action when the disk is full on the remote server, this is a\n finding.", + "fix": "Configure the action the operating system takes if the disk the audit records are written to becomes\n full.\n Uncomment or edit 
the \"disk_full_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\",\n \"single\", or \"halt\", such as the following line:\n disk_full_action = single" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86859", - "V-72235" + "V-72087", + "SV-86711" ], "severity": "medium", - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000423-GPOS-00188", - "SRG-OS-000423-GPOS-00189", - "SRG-OS-000423-GPOS-00190", - "SRG-OS-000424-GPOS-00188", - "SRG-OS-000425-GPOS-00189", - "SRG-OS-000426-GPOS-00190" - ], - "gid": "V-204586", - "rid": "SV-204586r861071_rule", - "stig_id": "RHEL-07-040310", - "fix_id": "F-4710r88951_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "gid": "V-204511", + "rid": "SV-204511r877390_rule", + "stig_id": "RHEL-07-030320", + "fix_id": "F-36314r602652_fix", "cci": [ - "CCI-002418", - "CCI-002420", - "CCI-002421", - "CCI-002422" + "CCI-001851" ], "nist": [ - "SC-8", - "SC-8 (2)", - "SC-8 (1)", - "SC-8 (2)" + "AU-4 (1)" ], "subsystems": [ - "ssh" + "audit", + "audisp" ], "host": null }, - "code": "control 'SV-204586' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for\n confidentiality and integrity of transmitted and received information as well as information during preparation for\n transmission.'\n desc 'Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If\n physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice\n versa.'\n desc 'check', 'Verify SSH is loaded and active with the following command:\n # systemctl status sshd\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.'\n desc 'fix', 'Configure the SSH service to automatically start after reboot with the following command:\n # systemctl enable sshd.service'\n impact 0.5\n tag legacy: ['SV-86859', 'V-72235']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000423-GPOS-00187'\n tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000423-GPOS-00188', 'SRG-OS-000423-GPOS-00189', 'SRG-OS-000423-GPOS-00190', 'SRG-OS-000424-GPOS-00188', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag gid: 'V-204586'\n tag rid: 'SV-204586r861071_rule'\n tag stig_id: 'RHEL-07-040310'\n tag fix_id: 'F-4710r88951_fix'\n tag cci: ['CCI-002418', 'CCI-002420', 'CCI-002421', 'CCI-002422']\n tag nist: ['SC-8', 'SC-8 (2)', 'SC-8 (1)', 'SC-8 (2)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe 
systemd_service('sshd.service') do\n it { should be_running }\n end\n end\nend\n", + "code": "control 'SV-204511' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate\n action when the audit storage volume is full.'\n desc 'Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing\n audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.'\n desc 'check', 'Verify the action the operating system takes if the disk the audit records are written to becomes\n full.\n To determine the action that takes place if the disk is full on the remote server, use the following command:\n # grep -i disk_full_action /etc/audisp/audisp-remote.conf\n disk_full_action = single\n If the value of the \"disk_full_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out,\n ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media,\n and to indicate the action taken when the disk is full on the remote server.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not take appropriate action when the disk is full on the remote server, this is a\n finding.'\n desc 'fix', 'Configure the action the operating system takes if the disk the audit records are written to becomes\n full.\n Uncomment or edit the \"disk_full_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\",\n \"single\", or \"halt\", such as the following line:\n disk_full_action = single'\n impact 0.5\n tag legacy: ['V-72087', 'SV-86711']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag gid: 'V-204511'\n tag rid: 'SV-204511r877390_rule'\n tag stig_id: 'RHEL-07-030320'\n tag fix_id: 'F-36314r602652_fix'\n tag cci: 
['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('disk_full_action'.to_s) { should cmp input('expected_disk_full_action') }\n its('disk_full_action'.to_s) { should be_in ['syslog', 'single', 'halt'] }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204586.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204511.rb", "line": 1 }, - "id": "SV-204586" + "id": "SV-204511" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a\n home directory assigned and defined in the /etc/passwd file.", - "desc": "If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.\n In addition, if a local interactive user has a home directory defined that does not exist, the user may be given\n access to the / directory as the current working directory upon logon. This could create a Denial of Service because\n the user would not be able to access their logon configuration files, and it may give them visibility to system\n files they normally would not be able to access.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.\n In addition, if a local interactive user has a home directory defined that does not exist, the user may be given\n access to the / directory as the current working directory upon logon. This could create a Denial of Service because\n the user would not be able to access their logon configuration files, and it may give them visibility to system\n files they normally would not be able to access.", - "check": "Verify local interactive users on the system have a home directory assigned and the directory\n exists.\n Check the home directory assignment for all local interactive non-privileged users on the system with the following\n command:\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1001 /home/smithj\n Note: This may miss interactive users that have been assigned a privileged UID. 
Evidence of interactive use may be\n obtained from a number of log files containing system logon information.\n Check that all referenced home directories exist with the following command:\n # pwck -r\n user 'smithj': directory '/home/smithj' does not exist\n If any home directories referenced in \"/etc/passwd\" are returned as not defined, or if any interactive users do not\n have a home directory assigned, this is a finding.", - "fix": "Create home directories to all local interactive users that currently do not have a home directory\n assigned. Use the following commands to create the user home directory assigned in \"/etc/ passwd\":\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\", a UID of \"smithj\", and a\n Group Identifier (GID) of \"users\" assigned in \"/etc/passwd\".\n # mkdir /home/smithj\n # chown smithj /home/smithj\n # chgrp users /home/smithj\n # chmod 0750 /home/smithj" + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/sbin/postqueue\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72015", - "SV-86639" + "SV-86801", + "V-72177" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204467", - "rid": "SV-204467r603826_rule", - "stig_id": "RHEL-07-020620", - "fix_id": "F-4591r462550_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "satisfies": [ + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172" + ], + "gid": "V-204555", + "rid": "SV-204555r861062_rule", + "stig_id": "RHEL-07-030770", + "fix_id": "F-4679r861061_fix", "cci": [ - "CCI-000366" + "CCI-000135", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-3 (1)", + "MA-4 (1) (a)" ], "subsystems": [ - "accounts" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204467' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a\n home directory assigned and defined in the /etc/passwd file.'\n desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.\n In addition, if a local interactive user has a home directory defined that does not exist, the user may be given\n access to the / directory as the current working directory upon logon. This could create a Denial of Service because\n the user would not be able to access their logon configuration files, and it may give them visibility to system\n files they normally would not be able to access.'\n desc 'check', %q(Verify local interactive users on the system have a home directory assigned and the directory\n exists.\n Check the home directory assignment for all local interactive non-privileged users on the system with the following\n command:\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1001 /home/smithj\n Note: This may miss interactive users that have been assigned a privileged UID. 
Evidence of interactive use may be\n obtained from a number of log files containing system logon information.\n Check that all referenced home directories exist with the following command:\n # pwck -r\n user 'smithj': directory '/home/smithj' does not exist\n If any home directories referenced in \"/etc/passwd\" are returned as not defined, or if any interactive users do not\n have a home directory assigned, this is a finding.)\n desc 'fix', 'Create home directories to all local interactive users that currently do not have a home directory\n assigned. Use the following commands to create the user home directory assigned in \"/etc/ passwd\":\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\", a UID of \"smithj\", and a\n Group Identifier (GID) of \"users\" assigned in \"/etc/passwd\".\n # mkdir /home/smithj\n # chown smithj /home/smithj\n # chgrp users /home/smithj\n # chmod 0750 /home/smithj'\n impact 0.5\n tag legacy: ['V-72015', 'SV-86639']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204467'\n tag rid: 'SV-204467r603826_rule'\n tag stig_id: 'RHEL-07-020620'\n tag fix_id: 'F-4591r462550_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['accounts']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n describe directory(user_info.home) do\n it { should exist }\n end\n end\n end\nend\n", + "code": "control 
'SV-204555' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/sbin/postqueue\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86801', 'V-72177']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204555'\n tag rid: 'SV-204555r861062_rule'\n 
tag stig_id: 'RHEL-07-030770'\n tag fix_id: 'F-4679r861061_fix'\n tag cci: ['CCI-000135', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/postqueue'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-postfix')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204467.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204555.rb", "line": 1 }, - "id": "SV-204467" + "id": "SV-204555" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all system device files are\n correctly labeled to prevent unauthorized modification.", - "desc": "If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system\n may perform unintended or unauthorized operations.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system\n may perform unintended or unauthorized operations.", - "check": "Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* ( -type c -o -type b ) -printf \"%p %Z\\n\"\n\n#find /dev -context *:unlabeled_t:* ( -type c -o -type b ) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as \"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding.", - "fix": "Run the following command to determine which package owns the device file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh " + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/chsh\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86663", - "V-72039" + "SV-86791", + "V-72167" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204479", - "rid": "SV-204479r853899_rule", - "stig_id": "RHEL-07-020900", - "fix_id": "F-4603r88630_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-204551", + "rid": "SV-204551r861050_rule", + "stig_id": "RHEL-07-030720", + "fix_id": "F-4675r861049_fix", "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" + "CCI-000130", + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1)", - "CM-5 (1) (a)" + "AU-3", + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)", + "AU-3 a" ], "subsystems": [ - "system_device", - "device_files" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204479' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all system device files are\n correctly labeled to prevent unauthorized modification.'\n desc 'If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system\n may perform unintended or unauthorized operations.'\n desc 'check', %q(Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\n#find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as 
\"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding.)\n desc 'fix', 'Run the following command to determine which package owns the device file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh '\n impact 0.5\n tag legacy: ['SV-86663', 'V-72039']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204479'\n tag rid: 'SV-204479r853899_rule'\n tag stig_id: 'RHEL-07-020900'\n tag fix_id: 'F-4603r88630_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['system_device', 'device_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n virtual_machine = input('virtual_machine')\n\n findings = Set[]\n findings += command('find / -xdev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n findings += command('find / -xdev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n findings += command('find / -xdev -context *:vmci_device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n\n describe findings do\n if virtual_machine\n its('length') { should cmp 1 }\n its('first') { should include '/dev/vmci' }\n else\n its('length') { should cmp 0 }\n end\n end\n end\nend\n", + "code": "control 'SV-204551' do\n title 'The Red Hat Enterprise Linux operating 
system must audit all uses of the chsh command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/chsh\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86791', 'V-72167']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204551'\n tag rid: 'SV-204551r861050_rule'\n tag 
stig_id: 'RHEL-07-030720'\n tag fix_id: 'F-4675r861049_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/chsh'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204479.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204551.rb", "line": 1 }, - "id": "SV-204479" + "id": "SV-204551" }, { - "title": "The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.", - "desc": "The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. 
The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.", + "title": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational\n users (or processes acting on behalf of organizational users) using multifactor authentication.", + "desc": "To assure accountability and prevent unauthenticated access, organizational users must be identified and\n authenticated to prevent potential misuse and compromise of the system.\n Organizational users include organizational employees or individuals the organization deems to have equivalent\n status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be\n uniquely identified and authenticated to all accesses, except for the following:\n 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions\n that can be performed on the information system without identification or authentication;\n and\n 2) Accesses that occur through authorized use of group authenticators without individual authentication.\n Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts)\n or for detailed accountability of individual activity.", "descriptions": { - "default": "The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. 
The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.", - "check": "Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n $ sudo grep -i kexalgorithms /etc/ssh/sshd_config\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nIf \"KexAlgorithms\" is not configured, is commented out, or does not contain only the algorithms \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\" in exact order, this is a finding.", - "fix": "Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/ssh/sshd_config\":\n\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nRestart the \"sshd\" service for changes to take effect:\n\n $ sudo systemctl restart sshd" + "default": "To assure accountability and prevent unauthenticated access, organizational users must be identified and\n authenticated to prevent potential misuse and compromise of the system.\n Organizational users include organizational employees or individuals the organization deems to have equivalent\n status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be\n uniquely identified and authenticated to all accesses, except for the following:\n 1) Accesses explicitly identified and documented by the organization. 
Organizations document specific user actions\n that can be performed on the information system without identification or authentication;\n and\n 2) Accesses that occur through authorized use of group authenticators without individual authentication.\n Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts)\n or for detailed accountability of individual activity.", + "check": "Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.\n\nCheck to see if smartcard authentication is enforced on the system:\n\n# authconfig --test | grep \"pam_pkcs11 is enabled\"\n\nIf no results are returned, this is a finding.\n\n# authconfig --test | grep \"smartcard removal action\"\n\nIf \"smartcard removal action\" is blank, this is a finding.\n\n# authconfig --test | grep \"smartcard module\"\n\nIf any of the above checks are not configured, ask the administrator to indicate the AO-approved multifactor authentication in use and the configuration to support it. If there is no evidence of multifactor authentication, this is a finding.", + "fix": "Configure the operating system to require individuals to be authenticated with a multifactor\n authenticator.\n Enable smartcard logons with the following commands:\n # authconfig --enablesmartcard --smartcardaction=0 --update\n # authconfig --enablerequiresmartcard -update\n Modify the \"/etc/pam_pkcs11/pkcs11_eventmgr.conf\" file to uncomment the following line:\n #/usr/X11R6/bin/xscreensaver-command -lock\n Modify the \"/etc/pam_pkcs11/pam_pkcs11.conf\" file to use the cackey module if required." 
}, "impact": 0.5, "refs": [], "tags": { - "check_id": "C-59602r880747_chk", - "severity": "medium", - "gid": "V-255925", - "rid": "SV-255925r880749_rule", - "stig_id": "RHEL-07-040712", - "gtitle": "SRG-OS-000033-GPOS-00014", - "fix_id": "F-59545r880748_fix", - "documentable": null, - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] - }, - "code": "control 'SV-255925' do\n title 'The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.'\n desc 'The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.'\n desc 'check', 'Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n $ sudo grep -i kexalgorithms /etc/ssh/sshd_config\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nIf \"KexAlgorithms\" is not configured, is commented out, or does not contain only the algorithms \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\" in exact order, this is a finding.'\n desc 'fix', 'Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/ssh/sshd_config\":\n\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nRestart the \"sshd\" service for changes to take effect:\n\n $ sudo systemctl restart sshd'\n impact 0.5\n tag check_id: 'C-59602r880747_chk'\n tag severity: 'medium'\n tag gid: 'V-255925'\n tag rid: 'SV-255925r880749_rule'\n tag stig_id: 'RHEL-07-040712'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag fix_id: 
'F-59545r880748_fix'\n tag 'documentable'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n\n describe sshd_config('/etc/ssh/sshd_config') do\n its('KexAlgorithms') { should cmp 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256' }\n end\nend\n", - "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-255925.rb", - "line": 1 - }, - "id": "SV-255925" - }, - { - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, pwquality must be used.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to\n limit brute-force attacks on the system.", - "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to\n limit brute-force attacks on the system.", - "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n Check for the use of \"pwquality\" with the following command:\n # cat /etc/pam.d/system-auth | grep pam_pwquality\n password required pam_pwquality.so retry=3\n If the command does not return an uncommented line containing the value \"pam_pwquality.so\", this is a finding.\n If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.", - "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n Add the following line to \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n password required pam_pwquality.so retry=3\n Note: The value of \"retry\" should be between \"1\" and \"3\"." - }, - "impact": 0.5, - "refs": [], - "tags": { - "legacy": [ - "SV-87811", - "V-73159" + "legacy": [ + "V-71965", + "SV-86589" ], "severity": "medium", - "gtitle": "SRG-OS-000069-GPOS-00037", - "gid": "V-204406", - "rid": "SV-204406r603261_rule", - "stig_id": "RHEL-07-010119", - "fix_id": "F-4530r88411_fix", - "cci": [ - "CCI-000192" - ], - "nist": [ - "IA-5 (1) (a)" - ], - "subsystems": [ - "pam", - "pwquality", - "password" - ], - "host": null, - "container": null - }, - "code": "control 'SV-204406' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, pwquality must be used.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to\n limit brute-force attacks on the system.'\n desc 'check', 'Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n Check for the use of \"pwquality\" with the following command:\n # cat /etc/pam.d/system-auth | grep pam_pwquality\n password required pam_pwquality.so retry=3\n If the command does not return an uncommented line containing the value \"pam_pwquality.so\", this is a finding.\n If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n Add the following line to \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n password required pam_pwquality.so retry=3\n Note: The value of \"retry\" should be between \"1\" and \"3\".'\n impact 0.5\n tag legacy: ['SV-87811', 'V-73159']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-204406'\n tag rid: 'SV-204406r603261_rule'\n tag stig_id: 'RHEL-07-010119'\n tag fix_id: 'F-4530r88411_fix'\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pam', 'pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should match_pam_rule(\"password required pam_pwquality.so retry=#{input('retry')}\") }\n end\n\n describe 'input value' do\n it 'for retry should be in line with maximum/minimum allowed values by policy' do\n expect(input('retry')).to be_between(1, input('retry'))\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204406.rb", - "line": 1 - }, - "id": "SV-204406" - }, - { - "title": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service\n packs, device drivers, or operating system components from a repository without verification they have 
been\n digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved\n by the organization.", - "desc": "Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.", - "descriptions": { - "default": "Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.", - "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or\n operating system components from a repository without verification that they have been digitally signed using a\n certificate that is recognized and approved by the organization.\n Check that yum verifies the signature of packages from a repository prior to install with the following command:\n # grep gpgcheck /etc/yum.conf\n gpgcheck=1\n If \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the\n certificates for patches and other operating system components are verified.\n If there is no process to validate certificates that is approved by the organization, this is a finding.", - "fix": "Configure the operating system to verify the signature of packages from a repository prior to install\n by setting the following option in the \"/etc/yum.conf\" file:\n gpgcheck=1" - }, - "impact": 0.7, - "refs": [], - "tags": { - "legacy": [ - "V-71977", - "SV-86601" + "gtitle": "SRG-OS-000104-GPOS-00051", + "satisfies": [ + "SRG-OS-000104-GPOS-00051", + "SRG-OS-000106-GPOS-00053", + "SRG-OS-000107-GPOS-00054", + "SRG-OS-000109-GPOS-00056", + "SRG-OS-000108-GPOS-00055", + "SRG-OS-000108-GPOS-00057", + "SRG-OS-000108-GPOS-00058" ], - "severity": "high", - "gtitle": "SRG-OS-000366-GPOS-00153", - "gid": "V-204447", - "rid": "SV-204447r877463_rule", - "stig_id": "RHEL-07-020050", - "fix_id": "F-4571r88534_fix", + "gid": "V-204441", + "rid": "SV-204441r818813_rule", + "stig_id": "RHEL-07-010500", + "fix_id": "F-4565r88516_fix", "cci": [ - "CCI-001749" + "CCI-000766" ], "nist": [ - "CM-5 (3)" + "IA-2 (2)" ], "subsystems": [ - "yum" + "pam", + "smartcard" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204447' do\n title \"The Red 
Hat Enterprise Linux operating system must prevent the installation of software, patches, service\n packs, device drivers, or operating system components from a repository without verification they have been\n digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved\n by the organization.\"\n desc \"Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. 
This requirement does not mandate #{input('org_name')[:acronym]} certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.\"\n desc 'check', \"Verify the operating system prevents the installation of patches, service packs, device drivers, or\n operating system components from a repository without verification that they have been digitally signed using a\n certificate that is recognized and approved by the organization.\n Check that yum verifies the signature of packages from a repository prior to install with the following command:\n # grep gpgcheck /etc/yum.conf\n gpgcheck=1\n If \\\"gpgcheck\\\" is not set to \\\"1\\\", or if options are missing or commented out, ask the System Administrator how the\n certificates for patches and other operating system components are verified.\n If there is no process to validate certificates that is approved by the organization, this is a finding.\"\n desc 'fix', \"Configure the operating system to verify the signature of packages from a repository prior to install\n by setting the following option in the \\\"/etc/yum.conf\\\" file:\n gpgcheck=1\"\n impact 0.7\n tag legacy: ['V-71977', 'SV-86601']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-204447'\n tag rid: 'SV-204447r877463_rule'\n tag stig_id: 'RHEL-07-020050'\n tag fix_id: 'F-4571r88534_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag subsystems: ['yum']\n tag 'host'\n tag 'container'\n\n yum_conf = '/etc/yum.conf'\n\n if (f = file(yum_conf)).exist?\n describe ini(yum_conf) do\n its('main.gpgcheck') { should cmp 1 }\n end\n else\n describe f do\n it { should exist }\n end\n end\nend\n", + "code": "control 'SV-204441' do\n title 'The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational\n users (or processes acting on behalf of organizational users) using multifactor authentication.'\n desc 'To assure accountability and 
prevent unauthenticated access, organizational users must be identified and\n authenticated to prevent potential misuse and compromise of the system.\n Organizational users include organizational employees or individuals the organization deems to have equivalent\n status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be\n uniquely identified and authenticated to all accesses, except for the following:\n 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions\n that can be performed on the information system without identification or authentication;\n and\n 2) Accesses that occur through authorized use of group authenticators without individual authentication.\n Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts)\n or for detailed accountability of individual activity.'\n desc 'check', 'Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.\n\nCheck to see if smartcard authentication is enforced on the system:\n\n# authconfig --test | grep \"pam_pkcs11 is enabled\"\n\nIf no results are returned, this is a finding.\n\n# authconfig --test | grep \"smartcard removal action\"\n\nIf \"smartcard removal action\" is blank, this is a finding.\n\n# authconfig --test | grep \"smartcard module\"\n\nIf any of the above checks are not configured, ask the administrator to indicate the AO-approved multifactor authentication in use and the configuration to support it. 
If there is no evidence of multifactor authentication, this is a finding.'\n desc 'fix', 'Configure the operating system to require individuals to be authenticated with a multifactor\n authenticator.\n Enable smartcard logons with the following commands:\n # authconfig --enablesmartcard --smartcardaction=0 --update\n # authconfig --enablerequiresmartcard -update\n Modify the \"/etc/pam_pkcs11/pkcs11_eventmgr.conf\" file to uncomment the following line:\n #/usr/X11R6/bin/xscreensaver-command -lock\n Modify the \"/etc/pam_pkcs11/pam_pkcs11.conf\" file to use the cackey module if required.'\n impact 0.5\n tag legacy: ['V-71965', 'SV-86589']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000104-GPOS-00051'\n tag satisfies: ['SRG-OS-000104-GPOS-00051', 'SRG-OS-000106-GPOS-00053', 'SRG-OS-000107-GPOS-00054', 'SRG-OS-000109-GPOS-00056', 'SRG-OS-000108-GPOS-00055', 'SRG-OS-000108-GPOS-00057', 'SRG-OS-000108-GPOS-00058']\n tag gid: 'V-204441'\n tag rid: 'SV-204441r818813_rule'\n tag stig_id: 'RHEL-07-010500'\n tag fix_id: 'F-4565r88516_fix'\n tag cci: ['CCI-000766']\n tag nist: ['IA-2 (2)']\n tag subsystems: ['pam', 'smartcard']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n smart_card_status = input('smart_card_status')\n if smart_card_status.eql?('enabled')\n impact 0.5\n describe command(\"authconfig --test | grep 'pam_pkcs11'\") do\n its('stdout') { should match(/pam_pkcs11\\sis\\senabled/) }\n end\n describe command('authconfig --test | grep -i smartcard') do\n its('stdout') { should match(/use\\sonly\\ssmartcard\\sfor\\slogin\\sis\\s#{smart_card_status}/) }\n its('stdout') { should match(/smartcard\\smodule\\s=\\s\".+\"/) }\n its('stdout') { should match(/smartcard\\sremoval\\saction\\s=\\s\".+\"/) }\n end\n else\n impact 0.0\n describe 'The system is not smartcard enabled' do\n skip 'The system is not using Smartcards / 
PIVs to fulfil the MFA requirement, this control is Not Applicable.'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204447.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204441.rb", "line": 1 }, - "id": "SV-204447" + "id": "SV-204441" }, { "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) authentication communications.", 
@@ -4997,188 +4744,250 @@ "id": "SV-204581" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.", + "desc": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed\n to maintain security. If the service is running with the default authenticators, anyone can gather data about the\n system and the network and use the information to potentially compromise the integrity of the system or network(s).\n It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the\n version 2 community strings.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed\n to maintain security. 
If the service is running with the default authenticators, anyone can gather data about the\n system and the network and use the information to potentially compromise the integrity of the system or network(s).\n It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the\n version 2 community strings.", + "check": "Verify that a system using SNMP is not using default community strings.\n Check to see if the \"/etc/snmp/snmpd.conf\" file exists with the following command:\n # ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n If the file does not exist, this is Not Applicable.\n If the file does exist, check for the default community strings with the following commands:\n # grep public /etc/snmp/snmpd.conf\n # grep private /etc/snmp/snmpd.conf\n If either of these commands returns any output, this is a finding.", + "fix": "If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines that contain a community string value of\n \"public\" or \"private\" to another string value." 
 },
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72185",
- "SV-86809"
+ "SV-86937",
+ "V-72313"
 ],
- "severity": "medium",
- "gtitle": "SRG-OS-000471-GPOS-00215",
- "gid": "V-204558",
- "rid": "SV-204558r833166_rule",
- "stig_id": "RHEL-07-030810",
- "fix_id": "F-4682r833165_fix",
+ "severity": "high",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-204627",
+ "rid": "SV-204627r603261_rule",
+ "stig_id": "RHEL-07-040800",
+ "fix_id": "F-4751r89074_fix",
 "cci": [
- "CCI-000172"
+ "CCI-000366"
 ],
 "nist": [
- "AU-12 c"
+ "CM-6 b"
 ],
 "subsystems": [
- "audit",
- "auditd",
- "audit_rule"
+ "snmp"
 ],
- "host": null
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-204558' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72185', 'SV-86809']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00215'\n tag gid: 'V-204558'\n tag rid: 'SV-204558r833166_rule'\n tag stig_id: 'RHEL-07-030810'\n tag fix_id: 'F-4682r833165_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/pam_timestamp_check'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include('privileged-pam')\n end\n end\n end\nend\n", + "code": "control 'SV-204627' do\n title 'SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.'\n desc 'Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed\n to maintain security. If the service is running with the default authenticators, anyone can gather data about the\n system and the network and use the information to potentially compromise the integrity of the system or network(s).\n It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the\n version 2 community strings.'\n desc 'check', 'Verify that a system using SNMP is not using default community strings.\n Check to see if the \"/etc/snmp/snmpd.conf\" file exists with the following command:\n # ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n If the file does not exist, this is Not Applicable.\n If the file does exist, check for the default community strings with the following commands:\n # grep public /etc/snmp/snmpd.conf\n # grep private /etc/snmp/snmpd.conf\n If either of these commands returns any output, this is a finding.'\n desc 'fix', 'If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines that contain a community string value of\n \"public\" or \"private\" to another string value.'\n impact 0.7\n tag legacy: ['SV-86937', 'V-72313']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204627'\n tag rid: 'SV-204627r603261_rule'\n tag stig_id: 'RHEL-07-040800'\n tag fix_id: 'F-4751r89074_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['snmp']\n tag 'host'\n tag 'container'\n\n if file('/etc/snmp/snmpd.conf').exist?\n impact 0.7\n processed = []\n to_process = ['/etc/snmp/snmpd.conf']\n\n until to_process.empty?\n in_process = to_process.pop\n next if processed.include? 
in_process\n\n processed.push in_process\n\n if file(in_process).directory?\n to_process.concat(\n command(\"find #{in_process} -maxdepth 1 -mindepth 1 -name '*.conf'\")\n .stdout.strip.split(\"\\n\")\n .select do |f|\n file(f).file?\n end\n )\n elsif file(in_process).file?\n to_process.concat(\n command(\"grep -E '^\\\\s*includeFile\\\\s+' #{in_process} | sed 's/^[[:space:]]*includeFile[[:space:]]*//g'\")\n .stdout.strip.split(/\\n+/)\n .map do |f|\n if f.start_with?('/')\n f\n else\n File.join(\n File.dirname(in_process), f\n )\n end\n end\n .select do |f|\n file(f).file?\n end\n )\n to_process.concat(\n command(\"grep -E '^\\\\s*includeDir\\\\s+' #{in_process} | sed 's/^[[:space:]]*includeDir[[:space:]]*//g'\")\n .stdout.strip.split(/\\n+/)\n .map { |f|\n f.start_with?('/') ? f : File.join('/', f)\n } # relative dirs are treated as absolute\n .select do |f|\n file(f).directory?\n end\n )\n end\n end\n\n config_files = processed.select { |f| file(f).file? }\n\n config_files.each do |config|\n describe file(config) do\n its('content') { should_not match(/^[^#]*(public|private)/) }\n end\n end\n else\n impact 0.0\n describe 'The `snmpd.conf` does not exist' do\n skip 'The snmpd.conf file does not exist, this control is Not Applicable'\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204558.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204627.rb",
 "line": 1
 },
- "id": "SV-204558"
+ "id": "SV-204627"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least 1 upper-case character.",
- "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how 
long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept\n log messages from other servers unless the server is being used for log aggregation.", + "desc": "Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk.\n Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could\n introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of\n Service.\n If the system is intended to be a log aggregation server its use must be documented with the ISSO.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", - "check": "Note: The value to require a number of upper-case characters to be set is expressed as a negative\n number in '/etc/security/pwquality.conf'.\n Check the value for 'ucredit' in '/etc/security/pwquality.conf' with the following command:\n # grep ucredit /etc/security/pwquality.conf\n ucredit = -1\n If the value of 'ucredit' is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least 1\n upper-case character be used by setting the 'ucredit' option.\n Add the following line to '/etc/security/pwquality.conf' (or modify the line to have the required value):\n ucredit = -1" + "default": "Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk.\n Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could\n introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of\n Service.\n If the system is intended to be a log aggregation server its use must be documented with the ISSO.", + "check": "Verify that the system is not accepting \"rsyslog\" messages from other systems unless it is\n documented as a log aggregation server.\n Check the configuration of \"rsyslog\" with the following command:\n # grep imtcp /etc/rsyslog.conf\n $ModLoad imtcp\n # grep imudp /etc/rsyslog.conf\n $ModLoad imudp\n # grep imrelp /etc/rsyslog.conf\n $ModLoad imrelp\n If any of the above modules are being loaded in the \"/etc/rsyslog.conf\" file, ask to see the documentation for the\n system being used for log aggregation.\n If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.", + "fix": "Modify the \"/etc/rsyslog.conf\" file to remove the 
\"ModLoad imtcp\", \"ModLoad imudp\", and \"ModLoad\n imrelp\" configuration lines, or document the system as being used for log aggregation."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86527",
- "V-71903"
+ "SV-86835",
+ "V-72211"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000069-GPOS-00037",
- "gid": "V-204407",
- "rid": "SV-204407r603261_rule",
- "stig_id": "RHEL-07-010120",
- "fix_id": "F-4531r88414_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-204575",
+ "rid": "SV-204575r853986_rule",
+ "stig_id": "RHEL-07-031010",
+ "fix_id": "F-4699r88918_fix",
 "cci": [
- "CCI-000192"
+ "CCI-000318",
+ "CCI-000368",
+ "CCI-001812",
+ "CCI-001813",
+ "CCI-001814"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "CM-3 f",
+ "CM-6 c",
+ "CM-11 (2)",
+ "CM-5 (1)",
+ "CM-5 (1) (a)"
 ],
 "subsystems": [
- "pwquality",
- "password"
+ "rsyslog"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-204407' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least #{input('min_uppercase_characters')} upper-case character.\"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.\"\n desc 'check', \"Note: The value to require a number of upper-case characters to be set is expressed as a negative\n number in '/etc/security/pwquality.conf'.\n Check the value for 'ucredit' in '/etc/security/pwquality.conf' with the following command:\n # grep ucredit /etc/security/pwquality.conf\n ucredit = -#{input('min_uppercase_characters')}\n If the value of 'ucredit' is not set to a negative value, this is a finding.\"\n desc 'fix', \"Configure the operating system to enforce password complexity by requiring that at least #{input('min_uppercase_characters')}\n upper-case character be used by setting the 'ucredit' option.\n Add the following line to '/etc/security/pwquality.conf' (or modify the line to have the required value):\n ucredit = -#{input('min_uppercase_characters')}\"\n impact 0.5\n tag legacy: ['SV-86527', 'V-71903']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-204407'\n tag rid: 'SV-204407r603261_rule'\n tag stig_id: 'RHEL-07-010120'\n tag fix_id: 'F-4531r88414_fix'\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('ucredit') { should cmp <= -input('min_uppercase_characters')}\n its('ucredit') { should_not be_nil }\n end\nend\n", + "code": "control 'SV-204575' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept\n log messages from other servers unless the server is being used for log aggregation.'\n desc \"Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk.\n Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could\n introduce misleading information 
in to the system's logs, or could fill the system's storage leading to a Denial of\n Service.\n If the system is intended to be a log aggregation server its use must be documented with the ISSO.\"\n desc 'check', 'Verify that the system is not accepting \"rsyslog\" messages from other systems unless it is\n documented as a log aggregation server.\n Check the configuration of \"rsyslog\" with the following command:\n # grep imtcp /etc/rsyslog.conf\n $ModLoad imtcp\n # grep imudp /etc/rsyslog.conf\n $ModLoad imudp\n # grep imrelp /etc/rsyslog.conf\n $ModLoad imrelp\n If any of the above modules are being loaded in the \"/etc/rsyslog.conf\" file, ask to see the documentation for the\n system being used for log aggregation.\n If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.'\n desc 'fix', 'Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad imtcp\", \"ModLoad imudp\", and \"ModLoad\n imrelp\" configuration lines, or document the system as being used for log aggregation.'\n impact 0.5\n tag legacy: ['SV-86835', 'V-72211']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204575'\n tag rid: 'SV-204575r853986_rule'\n tag stig_id: 'RHEL-07-031010'\n tag fix_id: 'F-4699r88918_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['rsyslog']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n log_aggregation_server = input('log_aggregation_server')\n\n if log_aggregation_server\n describe file('/etc/rsyslog.conf') do\n its('content') { should match(/^\\$ModLoad\\s+imtcp.*\\n?$/) }\n end\n else\n describe.one do\n describe file('/etc/rsyslog.conf') do\n its('content') { should 
match(/\\$ModLoad\\s+imtcp.*\\n?$/) }\n end\n describe file('/etc/rsyslog.conf') do\n its('content') { should_not match(/^\\$ModLoad\\s+imtcp.*\\n?$/) }\n end\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204407.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204575.rb",
 "line": 1
 },
- "id": "SV-204407"
+ "id": "SV-204575"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when\n possible by default.",
- "desc": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be\n received on the interface they were received on. It should not be used on systems which are routers for complicated\n networks, but is helpful for end hosts and routers serving small networks.",
+ "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent\n Banner before granting local or remote access to the system via a command line user logon.",
+ "desc": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", "descriptions": { - "default": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be\n received on the interface they were received on. 
It should not be used on systems which are routers for complicated\n networks, but is helpful for end hosts and routers serving small networks.", - "check": "Verify the system uses a reverse-path filter for IPv4:\n\n # grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.default.rp_filter = 1\n\nIf \"net.ipv4.conf.default.rp_filter\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter\n net.ipv4.conf.default.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" + "default": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "check": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the operating system via a command line user logon.\n Check to see if the operating system displays a banner at the command line logon screen with the following command:\n # more /etc/issue\n The command should return the following text:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n If the operating system does not display a graphical logon banner or the banner does not match the Standard\n Mandatory DoD Notice and Consent Banner, this is a finding.\n If the text in the \"/etc/issue\" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a\n finding.", + "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the system via the command line by editing the \"/etc/issue\" file.\n Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\""
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-92253",
- "SV-102355"
+ "V-71863",
+ "SV-86487"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204611",
- "rid": "SV-204611r880803_rule",
- "stig_id": "RHEL-07-040612",
- "fix_id": "F-4735r880802_fix",
+ "gtitle": "SRG-OS-000023-GPOS-00006",
+ "satisfies": [
+ "SRG-OS-000023-GPOS-00006",
+ "SRG-OS-000024-GPOS-00007"
+ ],
+ "gid": "V-204395",
+ "rid": "SV-204395r603261_rule",
+ "stig_id": "RHEL-07-010050",
+ "fix_id": "F-4519r88378_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000048"
 ],
 "nist": [
- "CM-6 b"
+ "AC-8 a"
 ],
 "subsystems": [
- "kernel_parameter",
- "ipv4"
+ "banner",
+ "/etc/issue"
 ],
 "host": null
 },
- "code": "control 'SV-204611' do\n title 'The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when\n possible by default.'\n desc 'Enabling reverse path filtering drops packets with source addresses that should not have been able to be\n received on the interface they were received on. 
It should not be used on systems which are routers for complicated\n networks, but is helpful for end hosts and routers serving small networks.'\n desc 'check', 'Verify the system uses a reverse-path filter for IPv4:\n\n # grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.default.rp_filter = 1\n\nIf \"net.ipv4.conf.default.rp_filter\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter\n net.ipv4.conf.default.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-92253', 'SV-102355']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204611'\n tag rid: 'SV-204611r880803_rule'\n tag stig_id: 'RHEL-07-040612'\n tag fix_id: 'F-4735r880802_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n rp_filter = 1\n config_file_values = command('grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* 
/etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [rp_filter.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set rp_filter to #{rp_filter}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.default.rp_filter' do\n subject { kernel_parameter('net.ipv4.conf.default.rp_filter') }\n its('value') { should eq rp_filter }\n end\n end\nend\n", + "code": "control 'SV-204395' do\n title \"The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent\n Banner before granting local or remote access to the system via a command line user logon.\"\n desc \"Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. 
Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \\\"#{input('banner_message_text_cli')}\\\"\"\n desc 'check', \"Verify the operating system displays the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the operating system via a command line user logon.\n Check to see if the operating system displays a banner at the command line logon screen with the following command:\n # more /etc/issue\n The command should return the following text:\n \\\"#{input('banner_message_text_cli')}\\\"\n If the operating system does not display a graphical logon banner or the banner does not match the Standard\n Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding.\n If the text in the \\\"/etc/issue\\\" file does not match the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a\n finding.\"\n desc 'fix', \"Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the system via the command line by editing the \\\"/etc/issue\\\" file.\n Replace the default text with the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner. 
The #{input('org_name')[:acronym]} required text is:\n \\\"#{input('banner_message_text_cli')}\\\" \"\n impact 0.5\n tag legacy: ['V-71863', 'SV-86487']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007']\n tag gid: 'V-204395'\n tag rid: 'SV-204395r603261_rule'\n tag stig_id: 'RHEL-07-010050'\n tag fix_id: 'F-4519r88378_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag subsystems: ['banner', '/etc/issue']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n banner_message_text_cli = input('banner_message_text_cli')\n banner_message_text_cli_limited = input('banner_message_text_cli_limited')\n\n clean_banner = banner_message_text_cli.gsub(/[\\r\\n\\s]/, '')\n clean_banner_limited = banner_message_text_cli_limited.gsub(/[\\r\\n\\s]/,\n '')\n banner_file = file('/etc/issue')\n banner_missing = !banner_file.exist?\n\n if banner_missing\n describe 'The banner text is not set because /etc/issue does not exist' do\n subject { banner_missing }\n it { should be false }\n end\n end\n\n banner_message = banner_file.content.gsub(/[\\r\\n\\s]/, '')\n unless banner_missing\n describe.one do\n describe 'The banner text should match the standard banner' do\n subject { banner_message }\n it { should cmp clean_banner }\n end\n describe 'The banner text should match the limited banner' do\n subject { banner_message }\n it { should cmp clean_banner_limited }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204611.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204395.rb", "line": 1 }, - "id": "SV-204611" + "id": "SV-204395" }, { - "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) communications.", - 
"desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce\n records containing information to establish what type of events occurred, where the events occurred, the source of\n the events, and the outcome of the events. These audit records must also identify individual identities of group\n account users.", + "desc": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and\n investigate the events leading up to an outage or attack.\n Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source\n and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames\n involved, and access control or flow control rules invoked.\n Associating event types with detected events in the operating system audit logs provides a means of investigating an\n attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating\n system.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", - "check": "If LDAP is not being utilized, 
this requirement is Not Applicable.\n Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n To determine if LDAP is being used for authentication, use the following command:\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n If the \"sssd.service\" is \"active\", then LDAP is being used.\n Determine the \"id_provider\" the LDAP is currently using:\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n id_provider = ad\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n Verify the sssd service is configured to require the use of certificates:\n # grep -i tls_reqcert /etc/sssd/sssd.conf\n ldap_tls_reqcert = demand\n If the \"ldap_tls_reqcert\" setting is missing, commented out, or does not exist, this is a finding.\n If the \"ldap_tls_reqcert\" setting is not set to \"demand\" or \"hard\", this is a finding.", - "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote\n access sessions.\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n ldap_tls_reqcert = demand" + "default": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and\n investigate the events leading up to an outage or attack.\n Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source\n and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames\n involved, and access control or flow control rules invoked.\n Associating event types with detected events in the operating system audit logs provides a means of investigating an\n attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured 
operating\n system.", + "check": "Verify the operating system produces audit records containing information to establish when (date\n and time) the events occurred.\n Check to see if auditing is active by issuing the following command:\n # systemctl is-active auditd.service\n active\n If the \"auditd\" status is not active, this is a finding.", + "fix": "Configure the operating system to produce audit records containing information to establish when (date\n and time) the events occurred.\n Enable the auditd service with the following command:\n # systemctl start auditd.service" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72229", - "SV-86853" + "SV-86703", + "V-72079" ], "severity": "medium", - "gtitle": "SRG-OS-000250-GPOS-00093", - "gid": "V-204582", - "rid": "SV-204582r877394_rule", - "stig_id": "RHEL-07-040190", - "fix_id": "F-4706r88939_fix", + "gtitle": "SRG-OS-000038-GPOS-00016", + "satisfies": [ + "SRG-OS-000038-GPOS-00016", + "SRG-OS-000039-GPOS-00017", + "SRG-OS-000042-GPOS-00021", + "SRG-OS-000254-GPOS-00095", + "SRG-OS-000255-GPOS-00096" + ], + "gid": "V-204503", + "rid": "SV-204503r603261_rule", + "stig_id": "RHEL-07-030000", + "fix_id": "F-36311r602643_fix", "cci": [ - "CCI-001453" + "CCI-000126", + "CCI-000131" ], "nist": [ - "AC-17 (2)" + "AU-2 d", + "AU-3", + "AU-2 c", + "AU-3 b" ], "subsystems": [ - "sssd", - "ldap" + "audit", + "auditd" ], "host": null }, - "code": "control 'SV-204582' do\n title 'The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) communications.'\n desc 'Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n 
maintaining the confidentiality of the key used to generate the hash.'\n desc 'check', 'If LDAP is not being utilized, this requirement is Not Applicable.\n Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n To determine if LDAP is being used for authentication, use the following command:\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n If the \"sssd.service\" is \"active\", then LDAP is being used.\n Determine the \"id_provider\" the LDAP is currently using:\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n id_provider = ad\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n Verify the sssd service is configured to require the use of certificates:\n # grep -i tls_reqcert /etc/sssd/sssd.conf\n ldap_tls_reqcert = demand\n If the \"ldap_tls_reqcert\" setting is missing, commented out, or does not exist, this is a finding.\n If the \"ldap_tls_reqcert\" setting is not set to \"demand\" or \"hard\", this is a finding.'\n desc 'fix', 'Configure the operating system to implement cryptography to protect the integrity of LDAP remote\n access sessions.\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n ldap_tls_reqcert = demand'\n impact 0.5\n tag legacy: ['V-72229', 'SV-86853']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag gid: 'V-204582'\n tag rid: 'SV-204582r877394_rule'\n tag stig_id: 'RHEL-07-040190'\n tag fix_id: 'F-4706r88939_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag subsystems: ['sssd', 'ldap']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not 
installed within containerized RHEL'\n end\n else\n\n sssd_id_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*id_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n sssd_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*[a-z]*_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n pam_ldap_enabled = !command('grep \"^[^#]*pam_ldap\\.so\" /etc/pam.d/*').stdout.strip.empty?\n\n unless sssd_id_ldap_enabled or sssd_ldap_enabled or pam_ldap_enabled\n impact 0.0\n describe 'LDAP not enabled' do\n skip 'LDAP not enabled using any known mechanisms, this control is Not Applicable.'\n end\n end\n\n if sssd_id_ldap_enabled\n ldap_id_use_start_tls = command('grep ldap_id_use_start_tls /etc/sssd/sssd.conf')\n describe ldap_id_use_start_tls do\n its('stdout.strip') do\n should match(/^ldap_id_use_start_tls\\s*=\\s*true$/)\n end\n end\n\n ldap_id_use_start_tls.stdout.strip.each_line do |line|\n describe line do\n it { should match(/^ldap_id_use_start_tls\\s*=\\s*true$/) }\n end\n end\n end\n\n if sssd_ldap_enabled\n ldap_tls_cacertdir = command('grep -i ldap_tls_cacertdir /etc/sssd/sssd.conf')\n .stdout.strip.scan(/^ldap_tls_cacertdir\\s*=\\s*(.*)/).last\n\n describe 'ldap_tls_cacertdir' do\n subject { ldap_tls_cacertdir }\n it { should_not eq nil }\n end\n\n unless ldap_tls_cacertdir.nil?\n describe file(ldap_tls_cacertdir.last) do\n it { should exist }\n it { should be_directory }\n end\n end\n end\n\n if pam_ldap_enabled\n tls_cacertdir = command('grep -i tls_cacertdir /etc/pam_ldap.conf')\n .stdout.strip.scan(/^tls_cacertdir\\s+(.*)/).last\n\n describe 'tls_cacertdir' do\n subject { tls_cacertdir }\n it { should_not eq nil }\n end\n\n unless tls_cacertdir.nil?\n describe file(tls_cacertdir.last) do\n it { should exist }\n it { should be_directory }\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204503' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that 
auditing is configured to produce\n records containing information to establish what type of events occurred, where the events occurred, the source of\n the events, and the outcome of the events. These audit records must also identify individual identities of group\n account users.'\n desc 'Without establishing what type of events occurred, it would be difficult to establish, correlate, and\n investigate the events leading up to an outage or attack.\n Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source\n and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames\n involved, and access control or flow control rules invoked.\n Associating event types with detected events in the operating system audit logs provides a means of investigating an\n attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating\n system.'\n desc 'check', 'Verify the operating system produces audit records containing information to establish when (date\n and time) the events occurred.\n Check to see if auditing is active by issuing the following command:\n # systemctl is-active auditd.service\n active\n If the \"auditd\" status is not active, this is a finding.'\n desc 'fix', 'Configure the operating system to produce audit records containing information to establish when (date\n and time) the events occurred.\n Enable the auditd service with the following command:\n # systemctl start auditd.service'\n impact 0.5\n tag legacy: ['SV-86703', 'V-72079']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000038-GPOS-00016'\n tag satisfies: ['SRG-OS-000038-GPOS-00016', 'SRG-OS-000039-GPOS-00017', 'SRG-OS-000042-GPOS-00021', 'SRG-OS-000254-GPOS-00095', 'SRG-OS-000255-GPOS-00096']\n tag gid: 'V-204503'\n tag rid: 'SV-204503r603261_rule'\n tag stig_id: 'RHEL-07-030000'\n tag fix_id: 'F-36311r602643_fix'\n tag cci: ['CCI-000126', 
'CCI-000131']\n tag nist: ['AU-2 d', 'AU-3', 'AU-2 c', 'AU-3 b']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe service('auditd') do\n it { should be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204582.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204503.rb", "line": 1 }, - "id": "SV-204582" + "id": "SV-204503" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories are owned by their respective users.", - "desc": "If a local interactive user does not own their home directory, unauthorized users could access or modify the\n user's files, and the users may not be able to access their own files.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a\n valid group owner.", + "desc": "Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group\n Identifier (GID) as the GID of the files without a valid group owner.", "descriptions": { - "default": "If a local interactive user does not own their home directory, unauthorized users could access or modify the\n user's files, and the users may not be able to access their own files.", - "check": "Verify the assigned home directory of all local interactive users on the system exists.\n Check the home directory assignment for all local interactive users on the system with the following command:\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n If any home directories referenced in \"/etc/passwd\" are not owned by the interactive user, this is a finding.", - "fix": "Change the owner of 
a local interactive user's home directories to that owner. To change the owner of\n a local interactive user's home directory, use the following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n # chown smithj /home/smithj" + "default": "Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group\n Identifier (GID) as the GID of the files without a valid group owner.", + "check": "Verify all files and directories on the system have a valid group.\n Check the owner of all files and directories with the following command:\n Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n # find / -fstype xfs -nogroup\n If any files on the system do not have an assigned group, this is a finding.", + "fix": "Either remove all files and directories from the system that do not have a valid group, or assign a\n valid group to all files and directories on the system with the \"chgrp\" command:\n # chgrp " }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86643", - "V-72019" + "V-72009", + "SV-86633" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204469", - "rid": "SV-204469r603830_rule", - "stig_id": "RHEL-07-020640", - "fix_id": "F-4593r88600_fix", + "gid": "V-204464", + "rid": "SV-204464r853898_rule", + "stig_id": "RHEL-07-020330", + "fix_id": "F-4588r88585_fix", + "cci": [ + "CCI-002165" + ], + "nist": [ + "AC-3 (4)" + ], + "subsystems": [ + "file_system", + "groups", + "files" + ], + "host": null, + "container": null + }, + "code": "control 'SV-204464' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a\n valid group owner.'\n desc 'Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group\n Identifier (GID) as the GID of the files without a valid group owner.'\n desc 'check', 'Verify 
all files and directories on the system have a valid group.\n Check the owner of all files and directories with the following command:\n Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n # find / -fstype xfs -nogroup\n If any files on the system do not have an assigned group, this is a finding.'\n desc 'fix', 'Either remove all files and directories from the system that do not have a valid group, or assign a\n valid group to all files and directories on the system with the \"chgrp\" command:\n # chgrp '\n impact 0.5\n tag legacy: ['V-72009', 'SV-86633']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204464'\n tag rid: 'SV-204464r853898_rule'\n tag stig_id: 'RHEL-07-020330'\n tag fix_id: 'F-4588r88585_fix'\n tag cci: ['CCI-002165']\n tag nist: ['AC-3 (4)']\n tag subsystems: ['file_system', 'groups', 'files']\n tag 'host'\n tag 'container'\n\n command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'')\n .stdout.strip.split(\"\\n\").each do |fs|\n describe command(\"find / -xdev -xautofs -fstype #{fs} -nogroup\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 7 STIG/controls/SV-204464.rb", + "line": 1 + }, + "id": "SV-204464" + }, + { + "title": "The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.", + "desc": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "descriptions": { + "default": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "check": "Verify the operating system does not allow an unrestricted logon to the system via a graphical user\n interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check for the value of the \"TimedLoginEnable\" parameter in \"/etc/gdm/custom.conf\" file with the 
following command:\n # grep -i timedloginenable /etc/gdm/custom.conf\n TimedLoginEnable=false\n If the value of \"TimedLoginEnable\" is not set to \"false\", this is a finding.", + "fix": "Configure the operating system to not allow an unrestricted account to log on to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Add or edit the line for the \"TimedLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file\n to \"false\":\n [daemon]\n TimedLoginEnable=false" + }, + "impact": 0, + "refs": [], + "tags": { + "legacy": [ + "V-71955", + "SV-86579" + ], + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-204433", + "rid": "SV-204433r877377_rule", + "stig_id": "RHEL-07-010450", + "fix_id": "F-4557r88492_fix", "cci": [ "CCI-000366" ], 
@@ -5186,50 +4995,48 @@ "CM-6 b" ], "subsystems": [ - "home_dirs" + "gdm" ], "host": null }, - "code": "control 'SV-204469' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories are owned by their respective users.'\n desc \"If a local interactive user does not own their home directory, unauthorized users could access or modify the\n user's files, and the users may not be able to access their own files.\"\n desc 'check', %q(Verify the assigned home directory of all local interactive users on the system exists.\n Check the home directory assignment for all local interactive users on the system with the following command:\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n If any home directories referenced in \"/etc/passwd\" are not owned by the interactive user, this is a finding.)\n desc 'fix', %q(Change the owner of a local interactive user's home directories to that owner. 
To change the owner of\n a local interactive user's home directory, use the following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n # chown smithj /home/smithj)\n impact 0.5\n tag legacy: ['SV-86643', 'V-72019']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204469'\n tag rid: 'SV-204469r603830_rule'\n tag stig_id: 'RHEL-07-020640'\n tag fix_id: 'F-4593r88600_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n describe directory(user_info.home) do\n it { should exist }\n its('owner') { should eq user_info.username }\n end\n end\n end\nend\n", + "code": "control 'SV-204433' do\n title 'The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.'\n desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'\n desc 'check', 'Verify the operating system does not allow an unrestricted logon to the system via a graphical user\n interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check for the value of the \"TimedLoginEnable\" parameter in \"/etc/gdm/custom.conf\" file with the following command:\n # grep -i timedloginenable /etc/gdm/custom.conf\n TimedLoginEnable=false\n If the value of 
\"TimedLoginEnable\" is not set to \"false\", this is a finding.'\n desc 'fix', 'Configure the operating system to not allow an unrestricted account to log on to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Add or edit the line for the \"TimedLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file\n to \"false\":\n [daemon]\n TimedLoginEnable=false'\n impact 0.7\n tag legacy: ['V-71955', 'SV-86579']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-204433'\n tag rid: 'SV-204433r877377_rule'\n tag stig_id: 'RHEL-07-010450'\n tag fix_id: 'F-4557r88492_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gdm']\n tag 'host'\n\n custom_conf = '/etc/gdm/custom.conf'\n\n if package('gdm').installed?\n impact 0.7\n if (f = file(custom_conf)).exist?\n describe ini(custom_conf) do\n its('daemon.TimedLoginEnable') { cmp false }\n end\n else\n describe f do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system does not have GDM installed' do\n skip 'The system does not have GDM installed, this requirement is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204469.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204433.rb", "line": 1 }, - "id": "SV-204469" + "id": "SV-204433" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/passwd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/setsebool\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86773", - "V-72149" + "V-72137", + "SV-86761" ], "severity": "medium", - "gtitle": "SRG-OS-000042-GPOS-00020", + "gtitle": "SRG-OS-000392-GPOS-00172", "satisfies": [ - "SRG-OS-000042-GPOS-00020", "SRG-OS-000392-GPOS-00172", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000465-GPOS-00209" ], - "gid": "V-204542", - "rid": "SV-204542r861026_rule", - "stig_id": "RHEL-07-030630", - "fix_id": "F-4666r861025_fix", + "gid": "V-204537", + "rid": "SV-204537r861017_rule", + "stig_id": "RHEL-07-030570", + "fix_id": "F-4661r861016_fix", "cci": [ - "CCI-000135", "CCI-000172", "CCI-002884" ], "nist": [ - "AU-3 (1)", "AU-12 c", "MA-4 (1) (a)" ], 
@@ -5240,585 +5047,624 @@ ], "host": null }, - "code": "control 'SV-204542' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/passwd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86773', 'V-72149']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204542'\n tag rid: 
'SV-204542r861026_rule'\n tag stig_id: 'RHEL-07-030630'\n tag fix_id: 'F-4666r861025_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/passwd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", + "code": "control 'SV-204537' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/setsebool\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72137', 'SV-86761']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000465-GPOS-00209']\n tag gid: 'V-204537'\n tag rid: 'SV-204537r861017_rule'\n tag stig_id: 'RHEL-07-030570'\n tag fix_id: 'F-4661r861016_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/setsebool'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to 
include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204542.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204537.rb", "line": 1 }, - "id": "SV-204542" + "id": "SV-204537" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home\n directories are mounted to prevent files with the setuid and setgid bit set from being executed.", - "desc": "The \"nosuid\" mount option causes the system to not execute setuid and setgid files with owner privileges.\n This option must be used for mounting any file system not containing approved setuid and setguid files. Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.", + "title": "The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system to not execute setuid and setgid files with owner privileges.\n This option must be used for mounting any file system not containing approved setuid and setguid files. 
Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.", - "check": "Verify file systems that contain user home directories are mounted with the \"nosuid\" option.\n Find the file system(s) that contain the user home directories with the following command:\n Note: If a separate file system has not been created for the user home directories (user home directories are\n mounted under \"/\"), this is not a finding as the \"nosuid\" option cannot be used on the \"/\" system.\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1001 /home/smithj\n thomasr 1002 /home/thomasr\n Check the file systems that are mounted at boot time with the following command:\n # more /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n If a file system found in \"/etc/fstab\" refers to the user home directory file system and it does not have the\n \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that contain user home\n directories." + "default": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.", + "check": "Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.", + "fix": "Configure all accounts on the system to have a password or lock the account with the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo passwd -l [username]" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "legacy": [ - "SV-86665", - "V-72041" - ], - "severity": "medium", + "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204480", - "rid": "SV-204480r603838_rule", - "stig_id": "RHEL-07-021000", - "fix_id": "F-4604r88633_fix", + "satisfies": null, + "gid": "V-251702", + "rid": "SV-251702r809220_rule", + "stig_id": "RHEL-07-010291", + "fix_id": "F-55093r809219_fix", "cci": [ "CCI-000366" ], + "legacy": [], "nist": [ "CM-6 b" ], "subsystems": [ - "home_dirs", - "file_system" + "password", + "/etc/shadow" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204480' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home\n directories are mounted to prevent files with the setuid and setgid bit set from being executed.'\n desc 'The \"nosuid\" mount option causes the system to not execute setuid and setgid files with owner privileges.\n This option must be used for mounting any file system not containing approved setuid and setguid files. 
Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.'\n desc 'check', %q(Verify file systems that contain user home directories are mounted with the \"nosuid\" option.\n Find the file system(s) that contain the user home directories with the following command:\n Note: If a separate file system has not been created for the user home directories (user home directories are\n mounted under \"/\"), this is not a finding as the \"nosuid\" option cannot be used on the \"/\" system.\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1001 /home/smithj\n thomasr 1002 /home/thomasr\n Check the file systems that are mounted at boot time with the following command:\n # more /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n If a file system found in \"/etc/fstab\" refers to the user home directory file system and it does not have the\n \"nosuid\" option set, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that contain user home\n directories.'\n impact 0.5\n tag legacy: ['SV-86665', 'V-72041']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204480'\n tag rid: 'SV-204480r603838_rule'\n tag stig_id: 'RHEL-07-021000'\n tag fix_id: 'F-4604r88633_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs', 'file_system']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n describe mount('/home') do\n its('options') { should include 'nosuid' }\n end\n end\nend\n", + "code": "control 'SV-251702' do\n title 'The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.'\n desc 'If an account has an empty 
password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.'\n desc 'check', %q(Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.)\n desc 'fix', 'Configure all accounts on the system to have a password or lock the account with the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo passwd -l [username]'\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-251702'\n tag rid: 'SV-251702r809220_rule'\n tag stig_id: 'RHEL-07-010291'\n tag fix_id: 'F-55093r809219_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag subsystems: ['password', '/etc/shadow']\n tag 'host'\n tag 'container'\n\n empty_pw_users = shadow.where { password == '' }.users\n\n describe 'Passwords in /etc/shadow' do\n it 'should not be empty' do\n message = \"Users with empty passwords: #{empty_pw_users.join(', ')}\"\n expect(empty_pw_users).to be_empty, message\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204480.rb", + "ref": "./Red Hat 7 STIG/controls/SV-251702.rb", "line": 1 }, - "id": "SV-204480" + "id": "SV-251702" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories have a valid owner.", - "desc": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.", + "title": "The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements 
or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality\n and integrity of user passwords or the remote session and has very weak authentication.\n If a privileged user were to log on using this service, the privileged user password could be compromised.", "descriptions": { - "default": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.", - "check": "Verify all files and directories in a local interactive user's home directory have a valid owner.\n Check the owner of all files and directories in a local interactive user's home directory with the following\n command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n $ sudo ls -lLR /home/smithj\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n If any files or directories are found without an owner, this is a finding.", - "fix": "Either remove all files and directories from the system that do not have a valid user, or assign a\n valid user to all unowned files and directories on RHEL 7 with the \"chown\" command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n $ sudo chown smithj /home/smithj/" + "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding\n 
requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality\n and integrity of user passwords or the remote session and has very weak authentication.\n If a privileged user were to log on using this service, the privileged user password could be compromised.", + "check": "Check to see if the rsh-server package is installed with the following command:\n # yum list installed rsh-server\n If the rsh-server package is installed, this is a finding.", + "fix": "Configure the operating system to disable non-essential capabilities by removing the rsh-server\n package from the system with the following command:\n # yum remove rsh-server" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86647", - "V-72023" + "V-71967", + "SV-86591" ], - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204471", - "rid": "SV-204471r744105_rule", - "stig_id": "RHEL-07-020660", - "fix_id": "F-4595r744104_fix", + "severity": "high", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-204442", + "rid": "SV-204442r603261_rule", + "stig_id": "RHEL-07-020000", + "fix_id": "F-4566r88519_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b" + "CM-7 a" ], "subsystems": [ - "home_dirs" + "packages" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204471' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local 
interactive user home directories have a valid owner.'\n desc 'Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.'\n desc 'check', %q(Verify all files and directories in a local interactive user's home directory have a valid owner.\n Check the owner of all files and directories in a local interactive user's home directory with the following\n command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n $ sudo ls -lLR /home/smithj\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n If any files or directories are found without an owner, this is a finding.)\n desc 'fix', 'Either remove all files and directories from the system that do not have a valid user, or assign a\n valid user to all unowned files and directories on RHEL 7 with the \"chown\" command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n $ sudo chown smithj /home/smithj/'\n impact 0.5\n tag legacy: ['SV-86647', 'V-72023']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204471'\n tag rid: 'SV-204471r744105_rule'\n tag stig_id: 'RHEL-07-020660'\n tag fix_id: 'F-4595r744104_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid 
== 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -xdev -xautofs -not -user #{user_info.username}\").stdout.split(\"\\n\")\n end\n describe 'Files and directories that are not owned by the user' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-204442' do\n title 'The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality\n and integrity of user passwords or the remote session and has very weak authentication.\n If a privileged user were to log on using this service, the privileged user password could be compromised.'\n desc 'check', 'Check to see if the rsh-server package is installed with the following command:\n # yum list installed rsh-server\n If the rsh-server package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by removing the rsh-server\n package from the system with the following command:\n # yum remove rsh-server'\n impact 0.7\n tag legacy: ['V-71967', 'SV-86591']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-204442'\n tag rid: 'SV-204442r603261_rule'\n tag stig_id: 'RHEL-07-020000'\n tag 
fix_id: 'F-4566r88519_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag subsystems: ['packages']\n tag 'host'\n tag 'container'\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204471.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204442.rb", "line": 1 }, - "id": "SV-204471" + "id": "SV-204442" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged\n functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.", - "desc": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized\n individuals or processes may gain unnecessary access to information or privileges.\n Privileged functions include, for example, establishing accounts, performing system integrity checks, or\n administering cryptographic key management activities. Non-privileged users are individuals who do not possess\n appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection\n mechanisms are examples of privileged functions that require protection from non-privileged users.", + "title": "The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the\n following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring\n data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies,\n regulations, and standards.", + "desc": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.\n The operating system must implement cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.", "descriptions": { - "default": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized\n individuals or processes may gain unnecessary access to information or privileges.\n Privileged functions include, for example, establishing accounts, performing system integrity checks, or\n administering cryptographic key management activities. Non-privileged users are individuals who do not possess\n appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection\n mechanisms are examples of privileged functions that require protection from non-privileged users.", - "check": "Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL)\n in conjunction with SELinux.\n Verify the operating system prevents non-privileged users from executing privileged functions to include disabling,\n circumventing, or altering implemented security safeguards/countermeasures.\n Get a list of authorized users for the system.\n Check the list against the system by using the following command:\n $ sudo semanage login -l | more\n Login Name SELinux User MLS/MCS Range Service\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n All administrators must be mapped to the , \"staff_u\", or an appropriately tailored confined SELinux user as defined\n by the organization.\n All authorized non-administrative users must be mapped to the \"user_u\" SELinux user.\n If they are not mapped in this way, this is a finding.\n If administrator accounts are mapped to the \"sysadm_u\" SELinux user and are not documented as an operational\n requirement with the ISSO, this is a finding.\n If administrator accounts are mapped to the \"sysadm_u\" SELinux user and are documented as an operational requirement\n with the ISSO, this can be downgraded to a CAT III.", - "fix": "Configure the operating system to prevent non-privileged users from executing privileged functions to\n include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n Use the following command to map a new user to the \"staff_u\" SELinux user:\n $ sudo semanage login -a -s staff_u \n Use the following command to map an existing user to the \"staff_u\" SELinux user:\n $ sudo semanage login -m -s staff_u \n Use the following command to map a new user to 
the \"user_u\" SELinux user:\n $ sudo semanage login -a -s user_u \n Use the following command to map an existing user to the \"user_u\" SELinux user:\n $ sudo semanage login -m -s user_u " + "default": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.\n The operating system must implement cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.", + "check": "Verify the operating system implements DoD-approved encryption to protect the confidentiality of\n remote access sessions.\n Check to see if the \"dracut-fips\" package is installed with the following command:\n # yum list installed dracut-fips\n dracut-fips-033-360.el7_2.x86_64.rpm\n If a \"dracut-fips\" package is installed, check to see if the kernel command line is configured to use FIPS mode with\n the following command:\n Note: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and\n from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n # grep fips /boot/grub2/grub.cfg\n /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto\n rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the\n following command:\n # cat /proc/sys/crypto/fips_enabled\n 1\n If a \"dracut-fips\" package is not installed, the kernel command line does not have a fips entry, or the system has a\n value of \"0\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.\n Verify the file /etc/system-fips exists.\n # ls -l /etc/system-fips\n If this file does not exist, this is a finding.", + "fix": "Configure the operating system to implement DoD-approved encryption by installing the dracut-fips\n package.\n To enable strict 
FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during\n system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in\n place.\n Configure the operating system to implement DoD-approved encryption by following the steps below:\n The fips=1 kernel option needs to be added to the kernel command line during system installation so that key\n generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure\n that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is\n available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than\n 256 keystrokes may generate a non-unique key.\n Install the dracut-fips package with the following command:\n # yum install dracut-fips\n Recreate the \"initramfs\" file with the following command:\n Note: This command will overwrite the existing \"initramfs\" file.\n # dracut -f\n Modify the kernel command line of the current kernel in the \"grub.cfg\" file by adding the following option to the\n GRUB_CMDLINE_LINUX key in the \"/etc/default/grub\" file and then rebuild the \"grub.cfg\" file:\n fips=1\n Changes to \"/etc/default/grub\" require rebuilding the \"grub.cfg\" file as follows:\n On BIOS-based machines, use the following command:\n # grub2-mkconfig -o /boot/grub2/grub.cfg\n On UEFI-based machines, use the following command:\n # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=\n must be added to the kernel command line. 
You can identify a partition by running the df /boot or df /boot/efi\n command:\n # df /boot\n Filesystem 1K-blocks Used Available Use% Mounted on\n /dev/sda1 495844 53780 416464 12% /boot\n To ensure the \"boot=\" configuration option will work even if device naming changes occur between boots, identify the\n universally unique identifier (UUID) of the partition with the following command:\n # blkid /dev/sda1\n /dev/sda1: UUID=\"05c000f1-a213-759e-c7a2-f11b7424c797\" TYPE=\"ext4\"\n For the example above, append the following string to the kernel command line:\n boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n If the file /etc/system-fips does not exists, recreate it:\n # touch /etc/ system-fips\n Reboot the system for the changes to take effect." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86595", - "V-71971" + "SV-86691", + "V-72067" ], - "severity": "medium", - "gtitle": "SRG-OS-000324-GPOS-00125", - "gid": "V-204444", - "rid": "SV-204444r877392_rule", - "stig_id": "RHEL-07-020020", - "fix_id": "F-4568r792825_fix", + "severity": "high", + "gtitle": "SRG-OS-000033-GPOS-00014", + "satisfies": [ + "SRG-OS-000033-GPOS-00014", + "SRG-OS-000185-GPOS-00079", + "SRG-OS-000396-GPOS-00176", + "SRG-OS-000405-GPOS-00184", + "SRG-OS-000478-GPOS-00223" + ], + "gid": "V-204497", + "rid": "SV-204497r877398_rule", + "stig_id": "RHEL-07-021350", + "fix_id": "F-36310r602640_fix", "cci": [ - "CCI-002165", - "CCI-002235" + "CCI-000068", + "CCI-001199", + "CCI-002450", + "CCI-002476" ], "nist": [ - "AC-3 (4)", - "AC-6 (10)" + "AC-17 (2)", + "SC-28", + "SC-13", + "SC-28 (1)", + "SC-13 b" ], "subsystems": [ - "selinux" + "fips" ], "host": null }, - "code": "control 'SV-204444' do\n title 'The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged\n functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.'\n desc 'Preventing non-privileged users from 
executing privileged functions mitigates the risk that unauthorized\n individuals or processes may gain unnecessary access to information or privileges.\n Privileged functions include, for example, establishing accounts, performing system integrity checks, or\n administering cryptographic key management activities. Non-privileged users are individuals who do not possess\n appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection\n mechanisms are examples of privileged functions that require protection from non-privileged users.'\n desc 'check', 'Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL)\n in conjunction with SELinux.\n Verify the operating system prevents non-privileged users from executing privileged functions to include disabling,\n circumventing, or altering implemented security safeguards/countermeasures.\n Get a list of authorized users for the system.\n Check the list against the system by using the following command:\n $ sudo semanage login -l | more\n Login Name SELinux User MLS/MCS Range Service\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n All administrators must be mapped to the , \"staff_u\", or an appropriately tailored confined SELinux user as defined\n by the organization.\n All authorized non-administrative users must be mapped to the \"user_u\" SELinux user.\n If they are not mapped in this way, this is a finding.\n If administrator accounts are mapped to the \"sysadm_u\" SELinux user and are not documented as an operational\n requirement with the ISSO, this is a finding.\n If administrator accounts are mapped to the \"sysadm_u\" SELinux user and are documented as an operational requirement\n with the ISSO, this can be downgraded to a CAT III.'\n desc 'fix', 'Configure the operating system to prevent non-privileged users from executing 
privileged functions to\n include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n Use the following command to map a new user to the \"staff_u\" SELinux user:\n $ sudo semanage login -a -s staff_u \n Use the following command to map an existing user to the \"staff_u\" SELinux user:\n $ sudo semanage login -m -s staff_u \n Use the following command to map a new user to the \"user_u\" SELinux user:\n $ sudo semanage login -a -s user_u \n Use the following command to map an existing user to the \"user_u\" SELinux user:\n $ sudo semanage login -m -s user_u '\n impact 0.5\n tag legacy: ['SV-86595', 'V-71971']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag gid: 'V-204444'\n tag rid: 'SV-204444r877392_rule'\n tag stig_id: 'RHEL-07-020020'\n tag fix_id: 'F-4568r792825_fix'\n tag cci: ['CCI-002165', 'CCI-002235']\n tag nist: ['AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SELinux settings must be handled on host' do\n skip 'Control not applicable - SELinux settings must be handled on host'\n end\n else\n\n admin_logins = input('admin_logins')\n\n describe command('selinuxenabled') do\n its('exist?') { should be true }\n its('exit_status') { should eq 0 }\n end\n\n selinux_mode = file('/etc/selinux/config').content.lines\n .grep(/\\A\\s*SELINUXTYPE=/).last.split('=').last.strip\n\n seusers = file(\"/etc/selinux/#{selinux_mode}/seusers\").content.lines\n .grep_v(/(#|\\A\\s+\\Z)/).map(&:strip)\n\n seusers = seusers.map { |x| x.split(':')[0..1] }\n\n describe 'seusers' do\n it { expect(seusers).to_not be_empty }\n end\n\n users_to_ignore = [\n 'root',\n 'system_u'\n ]\n\n seusers.each do |user, context|\n next if users_to_ignore.include?(user)\n\n describe \"SELinux login #{user}\" do\n if user == '__default__'\n let(:valid_users) { ['user_u'] }\n elsif admin_logins.include?(user)\n let(:valid_users) 
do\n [\n 'staff_u'\n ]\n end\n else\n let(:valid_users) do\n [\n 'user_u',\n 'guest_u',\n 'xguest_u'\n ]\n end\n end\n\n it { expect(context).to be_in(valid_users) }\n end\n end\n end\nend\n", + "code": "control 'SV-204497' do\n title \"The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the\n following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring\n data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies,\n regulations, and standards.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.\n The operating system must implement cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\"\n desc 'check', \"Verify the operating system implements #{input('org_name')[:acronym]}-approved encryption to protect the confidentiality of\n remote access sessions.\n Check to see if the \\\"dracut-fips\\\" package is installed with the following command:\n # yum list installed dracut-fips\n dracut-fips-033-360.el7_2.x86_64.rpm\n If a \\\"dracut-fips\\\" package is installed, check to see if the kernel command line is configured to use FIPS mode with\n the following command:\n Note: GRUB 2 reads its configuration from the \\\"/boot/grub2/grub.cfg\\\" file on traditional BIOS-based machines and\n from the \\\"/boot/efi/EFI/redhat/grub.cfg\\\" file on UEFI machines.\n # grep fips /boot/grub2/grub.cfg\n /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto\n rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the\n following command:\n # cat /proc/sys/crypto/fips_enabled\n 1\n If a 
\\\"dracut-fips\\\" package is not installed, the kernel command line does not have a fips entry, or the system has a\n value of \\\"0\\\" for \\\"fips_enabled\\\" in \\\"/proc/sys/crypto\\\", this is a finding.\n Verify the file /etc/system-fips exists.\n # ls -l /etc/system-fips\n If this file does not exist, this is a finding.\"\n desc 'fix', \"Configure the operating system to implement #{input('org_name')[:acronym]}-approved encryption by installing the dracut-fips\n package.\n To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during\n system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in\n place.\n Configure the operating system to implement #{input('org_name')[:acronym]}-approved encryption by following the steps below:\n The fips=1 kernel option needs to be added to the kernel command line during system installation so that key\n generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure\n that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is\n available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. 
Less than\n 256 keystrokes may generate a non-unique key.\n Install the dracut-fips package with the following command:\n # yum install dracut-fips\n Recreate the \\\"initramfs\\\" file with the following command:\n Note: This command will overwrite the existing \\\"initramfs\\\" file.\n # dracut -f\n Modify the kernel command line of the current kernel in the \\\"grub.cfg\\\" file by adding the following option to the\n GRUB_CMDLINE_LINUX key in the \\\"/etc/default/grub\\\" file and then rebuild the \\\"grub.cfg\\\" file:\n fips=1\n Changes to \\\"/etc/default/grub\\\" require rebuilding the \\\"grub.cfg\\\" file as follows:\n On BIOS-based machines, use the following command:\n # grub2-mkconfig -o /boot/grub2/grub.cfg\n On UEFI-based machines, use the following command:\n # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=\n must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi\n command:\n # df /boot\n Filesystem 1K-blocks Used Available Use% Mounted on\n /dev/sda1 495844 53780 416464 12% /boot\n To ensure the \\\"boot=\\\" configuration option will work even if device naming changes occur between boots, identify the\n universally unique identifier (UUID) of the partition with the following command:\n # blkid /dev/sda1\n /dev/sda1: UUID=\\\"05c000f1-a213-759e-c7a2-f11b7424c797\\\" TYPE=\\\"ext4\\\"\n For the example above, append the following string to the kernel command line:\n boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n If the file /etc/system-fips does not exists, recreate it:\n # touch /etc/ system-fips\n Reboot the system for the changes to take effect.\"\n impact 0.7\n tag legacy: ['SV-86691', 'V-72067']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000185-GPOS-00079', 'SRG-OS-000396-GPOS-00176', 'SRG-OS-000405-GPOS-00184', 
'SRG-OS-000478-GPOS-00223']\n tag gid: 'V-204497'\n tag rid: 'SV-204497r877398_rule'\n tag stig_id: 'RHEL-07-021350'\n tag fix_id: 'F-36310r602640_fix'\n tag cci: ['CCI-000068', 'CCI-001199', 'CCI-002450', 'CCI-002476']\n tag nist: ['AC-17 (2)', 'SC-28', 'SC-13', 'SC-28 (1)', 'SC-13 b']\n tag subsystems: ['fips']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config for FIPS capability must be done on the host' do\n skip 'Control not applicable - Kernel config for FIPS capability must be done on the host'\n end\n else\n describe package('dracut-fips') do\n it { should be_installed }\n end\n\n all_args = # strip outer quotes if they exist\n command('grubby --info=ALL | grep \"^args=\" | sed \"s/^args=//g\"')\n .stdout.strip.split(\"\\n\")\n .map do |s|\n s.sub(/^\"(.*)\"$/, '\\1')\n end\n all_args.each do |args|\n describe args do\n it { should match(/\\bfips=1\\b/) }\n end\n end\n\n describe file('/proc/sys/crypto/fips_enabled') do\n its('content.strip') { should cmp 1 }\n end\n\n describe file('/etc/system-fips') do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204444.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204497.rb", "line": 1 }, - "id": "SV-204444" + "id": "SV-204497" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories have mode 0750 or less permissive.", - "desc": "Excessive permissions on local interactive user home directories may allow unauthorized access to user files\n by other users.", + "title": "The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.", + "desc": "When using the authconfig utility to modify authentication configuration settings, the \"system-auth\" and \"password-auth\" files and any custom settings that they may contain 
are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.", "descriptions": { - "default": "Excessive permissions on local interactive user home directories may allow unauthorized access to user files\n by other users.", - "check": "Verify the assigned home directory of all local interactive users has a mode of \"0750\" or less\n permissive.\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n If home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding.", - "fix": "Change the mode of interactive user's home directories to \"0750\". To change the mode of a local\n interactive user's home directory, use the following command:\n Note: The example will be for the user \"smithj\".\n # chmod 0750 /home/smithj" + "default": "When using the authconfig utility to modify authentication configuration settings, the \"system-auth\" and \"password-auth\" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. 
The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.", + "check": "Verify \"system-auth\" and \"password-auth\" files are symbolic links pointing to \"system-auth-local\" and \"password-auth-local\":\n $ sudo ls -l /etc/pam.d/{password,system}-auth\n\n lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local\n lrwxrwxrwx. 1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local\n\nIf system-auth and password-auth files are not symbolic links, this is a finding.\n\nIf system-auth and password-auth are symbolic links but do not point to \"system-auth-local\" and \"password-auth-local\", this is a finding.", + "fix": "Create custom configuration files and their corresponding symbolic links:\n\nRename the existing configuration files (skip this step if symbolic links are already present):\n $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac\n $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac\n\nCreate custom system-auth configuration file:\n $ sudo vi /etc/pam.d/system-auth-local\n\nThe new file, at minimum, must contain the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth include system-auth-ac\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n\naccount required pam_faillock.so\naccount include system-auth-ac\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\npassword include system-auth-ac\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nsession include system-auth-ac\n\nCreate custom password-auth configuration file:\n $ sudo vi /etc/pam.d/password-auth-local\n\nThe new file, at minimum, must contain the following lines:\n\nauth required 
pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth include password-auth-ac\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n\naccount required pam_faillock.so\naccount include password-auth-ac\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\npassword include password-auth-ac\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nsession include password-auth-ac\n\nCreate new or move existing symbolic links to the new custom configuration files:\n $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth\n $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth\n\nOnce finished you should have the following file structure:\n $ sudo ls -1 /etc/pam.d/{password,system}-auth*\n\n /etc/pam.d/password-auth\n /etc/pam.d/password-auth-ac\n /etc/pam.d/password-auth-local\n /etc/pam.d/system-auth\n /etc/pam.d/system-auth-ac\n /etc/pam.d/system-auth-local\n\nDone.\n\nNote: With this solution in place any custom settings to \"system-auth\" and \"password-auth\" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to \"system-auth-ac\" and \"password-auth-ac\" and continue to function as expected." 
}, "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "SV-86641", - "V-72017" - ], + "check_id": "C-59605r880828_chk", "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204468", - "rid": "SV-204468r603828_rule", - "stig_id": "RHEL-07-020630", - "fix_id": "F-4592r88597_fix", + "gid": "V-255928", + "rid": "SV-255928r880830_rule", + "stig_id": "RHEL-07-010199", + "gtitle": "SRG-OS-000073-GPOS-00041", + "fix_id": "F-59548r880829_fix", + "documentable": null, "cci": [ - "CCI-000366" + "CCI-000196" ], "nist": [ - "CM-6 b" - ], - "subsystems": [ - "home_dirs" + "IA-5 (1) (c)" + ] + }, + "code": "control 'SV-255928' do\n title \"The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.\"\n desc \"When using the authconfig utility to modify authentication configuration settings, the \\\"system-auth\\\" and \\\"password-auth\\\" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.\"\n desc 'check', \"Verify \\\"system-auth\\\" and \\\"password-auth\\\" files are symbolic links pointing to \\\"system-auth-local\\\" and \\\"password-auth-local\\\":\n $ sudo ls -l /etc/pam.d/{password,system}-auth\n\n lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local\n lrwxrwxrwx. 
1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local\n\nIf system-auth and password-auth files are not symbolic links, this is a finding.\n\nIf system-auth and password-auth are symbolic links but do not point to \\\"system-auth-local\\\" and \\\"password-auth-local\\\", this is a finding.\"\n desc 'fix', \"Create custom configuration files and their corresponding symbolic links:\n\nRename the existing configuration files (skip this step if symbolic links are already present):\n $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac\n $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac\n\nCreate custom system-auth configuration file:\n $ sudo vi /etc/pam.d/system-auth-local\n\nThe new file, at minimum, must contain the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\nauth include system-auth-ac\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n\naccount required pam_faillock.so\naccount include system-auth-ac\n\npassword requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')}\npassword include system-auth-ac\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nsession include system-auth-ac\n\nCreate custom password-auth configuration file:\n $ sudo vi /etc/pam.d/password-auth-local\n\nThe new file, at minimum, must contain the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\nauth include password-auth-ac\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] 
pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n\naccount required pam_faillock.so\naccount include password-auth-ac\n\npassword requisite pam_pwhistory.so use_authtok remember=#{input('min_reuse_generations')} retry=#{input('retry')}\npassword include password-auth-ac\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nsession include password-auth-ac\n\nCreate new or move existing symbolic links to the new custom configuration files:\n $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth\n $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth\n\nOnce finished you should have the following file structure:\n $ sudo ls -1 /etc/pam.d/{password,system}-auth*\n\n /etc/pam.d/password-auth\n /etc/pam.d/password-auth-ac\n /etc/pam.d/password-auth-local\n /etc/pam.d/system-auth\n /etc/pam.d/system-auth-ac\n /etc/pam.d/system-auth-local\n\nDone.\n\nNote: With this solution in place any custom settings to \\\"system-auth\\\" and \\\"password-auth\\\" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to \\\"system-auth-ac\\\" and \\\"password-auth-ac\\\" and continue to function as expected.\"\n impact 0.5\n tag check_id: 'C-59605r880828_chk'\n tag severity: 'medium'\n tag gid: 'V-255928'\n tag rid: 'SV-255928r880830_rule'\n tag stig_id: 'RHEL-07-010199'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag fix_id: 'F-59548r880829_fix'\n tag 'documentable'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n\n describe file('/etc/pam.d/system-auth') do\n it { should be_symlink }\n its('link_path') { should cmp '/etc/pam.d/system-auth-local' }\n end\n\n if file('/etc/pam.d/system-auth').symlink? 
&& file('/etc/pam.d/system-auth').link_path == '/etc/pam.d/system-auth-local'\n describe '/etc/pam.d/system-auth-local should contain the minimum configuration settings' do\n subject { parse_config_file('/etc/pam.d/system-auth-local').content.strip }\n it { should match /auth.*required.*pam_faillock.so.*preauth.*silent.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ }\n it { should match /auth.*include.*system-auth-ac/ }\n it { should match /auth.*sufficient.*pam_unix.so.*try_first_pass/ }\n it { should match /auth.*default=die.*pam_faillock.so.*authfail.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ }\n it { should match /account.*required.*pam_faillock.so/ }\n it { should match /account.*include.*system-auth-ac/ }\n it { should match /password.*requisite.*pam_pwhistory.so.*use_authtok.*remember=#{input('min_reuse_generations')}.*retry=#{input('retry')}/ }\n it { should match /password.*include.*system-auth-ac/ }\n it { should match /password.*sufficient.*pam_unix.so.*sha512.*shadow.*try_first_pass.*use_authtok/ }\n it { should match /session.*include.*system-auth-ac/ }\n end\n end\n\n describe file('/etc/pam.d/password-auth') do\n it { should be_symlink }\n its('link_path') { should cmp '/etc/pam.d/password-auth-local' }\n end\n\n if file('/etc/pam.d/password-auth').symlink? 
&& file('/etc/pam.d/password-auth').link_path == '/etc/pam.d/password-auth-local'\n\n describe '/etc/pam.d/password-auth-local should contain the minimum configuration settings' do\n subject { parse_config_file('/etc/pam.d/password-auth-local').content.strip }\n it { should match /auth.*required.*pam_faillock.so.*preauth.*silent.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ }\n it { should match /auth.*include.*password-auth-ac/ }\n it { should match /auth.*sufficient.*pam_unix.so.*try_first_pass/ }\n it { should match /auth.*default=die.*pam_faillock.so.*authfail.*audit.*deny=#{input('unsuccessful_attempts')}.*even_deny_root.*fail_interval=#{input('fail_interval')}.*unlock_time=#{input('lockout_time')}/ }\n it { should match /account.*required.*pam_faillock.so/ }\n it { should match /account.*include.*password-auth-ac/ }\n it { should match /password.*requisite.*pam_pwhistory.so.*use_authtok.*remember=#{input('min_reuse_generations')}.*retry=#{input('retry')}/ }\n it { should match /password.*include.*password-auth-ac/ }\n it { should match /password.*sufficient.*pam_unix.so.*sha512.*shadow.*try_first_pass.*use_authtok/ }\n it { should match /session.*include.*password-auth-ac/ }\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 7 STIG/controls/SV-255928.rb", + "line": 1 + }, + "id": "SV-255928" + }, + { + "title": "The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer.", + "desc": "Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a non-privileged user.", + "descriptions": { + "default": "Restricting access to the kernel message buffer limits access only to root. 
This prevents attackers from gaining additional system information as a non-privileged user.", + "check": "Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\n $ sudo sysctl kernel.dmesg_restrict\n kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter:\n\n $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n /etc/sysctl.conf:kernel.dmesg_restrict = 1\n /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to restrict access to the kernel message buffer.\n\nSet the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:\n\n kernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/\n /etc/sysctl.d/\n /usr/local/lib/sysctl.d/\n /usr/lib/sysctl.d/\n /lib/sysctl.d/\n /etc/sysctl.conf\n\nReload settings from all system configuration files with the following command:\n\n $ sudo sysctl --system" + }, + "impact": 0.3, + "refs": [], + "tags": { + "check_id": "C-59604r880789_chk", + "severity": "low", + "gid": "V-255927", + "rid": "SV-255927r880791_rule", + "stig_id": "RHEL-07-010375", + "gtitle": "SRG-OS-000138-GPOS-00069", + "fix_id": "F-59547r880790_fix", + "documentable": null, + "cci": [ + "CCI-001090" ], - "host": null + "nist": [ + "SC-4" + ] }, - "code": "control 'SV-204468' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user 
home\n directories have mode 0750 or less permissive.'\n desc 'Excessive permissions on local interactive user home directories may allow unauthorized access to user files\n by other users.'\n desc 'check', %q(Verify the assigned home directory of all local interactive users has a mode of \"0750\" or less\n permissive.\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n If home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding.)\n desc 'fix', %q(Change the mode of interactive user's home directories to \"0750\". To change the mode of a local\n interactive user's home directory, use the following command:\n Note: The example will be for the user \"smithj\".\n # chmod 0750 /home/smithj)\n impact 0.5\n tag legacy: ['SV-86641', 'V-72017']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204468'\n tag rid: 'SV-204468r603828_rule'\n tag stig_id: 'RHEL-07-020630'\n tag fix_id: 'F-4592r88597_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || 
uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -maxdepth 0 -perm -#{input('home_dir_mode')}\").stdout.split(\"\\n\")\n end\n describe 'Home directories with excessive permissions' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-255927' do\n title 'The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer.'\n desc 'Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a non-privileged user.'\n desc 'check', 'Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\n $ sudo sysctl kernel.dmesg_restrict\n kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter:\n\n $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n /etc/sysctl.conf:kernel.dmesg_restrict = 1\n /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to restrict access to the kernel message buffer.\n\nSet the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:\n\n kernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/\n /etc/sysctl.d/\n /usr/local/lib/sysctl.d/\n /usr/lib/sysctl.d/\n /lib/sysctl.d/\n /etc/sysctl.conf\n\nReload settings 
from all system configuration files with the following command:\n\n $ sudo sysctl --system'\n impact 0.3\n tag check_id: 'C-59604r880789_chk'\n tag severity: 'low'\n tag gid: 'V-255927'\n tag rid: 'SV-255927r880791_rule'\n tag stig_id: 'RHEL-07-010375'\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag fix_id: 'F-59547r880790_fix'\n tag 'documentable'\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n dmesg_restrict = 1\n config_file_values = command('grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [dmesg_restrict.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set dmesg_restrict to #{dmesg_restrict}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter kernel.dmesg_restrict' do\n subject { kernel_parameter('kernel.dmesg_restrict') }\n its('value') { should eq dmesg_restrict }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204468.rb", + "ref": "./Red Hat 7 STIG/controls/SV-255927.rb", "line": 1 }, - "id": "SV-204468" + "id": "SV-255927" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership,\n and group membership of system files and commands match the vendor values.", - "desc": "Discretionary access control is weakened if a user or group has access permissions to system 
files and\n directories greater than the default.", + "title": "The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.", + "desc": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating\n malicious activity.", "descriptions": { - "default": "Discretionary access control is weakened if a user or group has access permissions to system files and\n directories greater than the default.", - "check": "Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.\n\nCheck the default file permissions, ownership, and group membership of system files and commands with the following command:\n\n # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d \" \" -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d \" \" -f 1,5,6,7 | grep $i;done;done\n\n /var/log/gdm 040755 root root\n /etc/audisp/audisp-remote.conf 0100640 root root\n /usr/bin/passwd 0104755 root root\n\nFor each file returned, verify the current permissions, ownership, and group membership:\n # ls -la \n\n -rw-------. 
1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf\n\nIf the file is more permissive than the default permissions, this is a finding.\n\nIf the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.\n\nIf the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n Reset the user and group ownership of files within a package with the\nfollowing command:\n\n #rpm --setugids \n\n\n Reset the permissions of files within a package with the following command:\n\n #rpm --setperms " + "default": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating\n malicious activity.", + "check": "Verify the operating system disables the ability to automount devices.\n Check to see if automounter service is active with the following command:\n # systemctl status autofs\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n If the \"autofs\" status is set to \"active\" and is not documented with the Information System Security Officer (ISSO)\n as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to automount devices.\n Turn off the automount service with the following commands:\n # systemctl stop autofs\n # systemctl disable autofs\n If \"autofs\" is required for Network File System (NFS), it must be documented with the ISSO." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71849", - "SV-86473" + "V-71985", + "SV-86609" ], - "severity": "high", - "gtitle": "SRG-OS-000257-GPOS-00098", + "severity": "medium", + "gtitle": "SRG-OS-000114-GPOS-00059", "satisfies": [ - "SRG-OS-000257-GPOS-00098", - "SRG-OS-000278-GPOS-00108" + "SRG-OS-000114-GPOS-00059", + "SRG-OS-000378-GPOS-00163", + "SRG-OS-000480-GPOS-00227" ], - "gid": "V-204392", - "rid": "SV-204392r880752_rule", - "stig_id": "RHEL-07-010010", - "fix_id": "F-36302r880751_fix", + "gid": "V-204451", + "rid": "SV-204451r853893_rule", + "stig_id": "RHEL-07-020110", + "fix_id": "F-4575r88546_fix", "cci": [ - "CCI-001494", - "CCI-001496", - "CCI-002165", - "CCI-002235" + "CCI-000366", + "CCI-000778", + "CCI-001958" ], "nist": [ - "AU-9", - "AU-9 (3)", - "AC-3 (4)", - "AC-6 (10)" + "CM-6 b", + "IA-3", + "IA-3" ], "subsystems": [ - "permissions", - "package", - "rpm" + "file_system", + "nfs", + "autofs" ], "host": null, "container": null }, - "code": "control 'SV-204392' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership,\n and group membership of system files and commands match the vendor values.'\n desc 'Discretionary access control is weakened if a user or group has access permissions to system files and\n directories greater than the default.'\n desc 'check', %q(Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.\n\nCheck the default file permissions, ownership, and group membership of system files and commands with the following command:\n\n # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d \" \" -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d \" \" -f 1,5,6,7 | grep $i;done;done\n\n /var/log/gdm 040755 root root\n /etc/audisp/audisp-remote.conf 0100640 root root\n /usr/bin/passwd 0104755 root root\n\nFor each file returned, verify the current permissions, 
ownership, and group membership:\n # ls -la \n\n -rw-------. 1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf\n\nIf the file is more permissive than the default permissions, this is a finding.\n\nIf the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.\n\nIf the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.)\n desc 'fix', 'Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n Reset the user and group ownership of files within a package with the\nfollowing command:\n\n #rpm --setugids \n\n\n Reset the permissions of files within a package with the following command:\n\n #rpm --setperms '\n impact 0.7\n tag legacy: ['V-71849', 'SV-86473']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000257-GPOS-00098'\n tag satisfies: ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000278-GPOS-00108']\n tag gid: 'V-204392'\n tag rid: 'SV-204392r880752_rule'\n tag stig_id: 'RHEL-07-010010'\n tag fix_id: 'F-36302r880751_fix'\n tag cci: ['CCI-001494', 'CCI-001496', 'CCI-002165', 'CCI-002235']\n tag nist: ['AU-9', 'AU-9 (3)', 'AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['permissions', 'package', 'rpm']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe \"This control consistently takes a long time to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long time to run and has been disabled\n using the disable_slow_controls attribute. 
You must enable this control for a\n full accredidation for production.\"\n end\n else\n\n allowlist = input('rpm_verify_perms_except')\n\n misconfigured_packages = command('rpm -Va').stdout.split(\"\\n\")\n .select { |package| package[0..7].match(/M|U|G/) }\n .map { |package| package.match(/\\S+$/)[0] }\n\n if misconfigured_packages.empty?\n describe 'The list of rpm packages with permissions changed from the vendor values' do\n subject { misconfigured_packages }\n it { should be_empty }\n end\n else\n describe 'The list of rpm packages with permissions changed from the vendor values' do\n fail_msg = \"Files that have been modified from vendor-approved permissions but are not in the allowlist: #{(misconfigured_packages - allowlist).join(', ')}\"\n it 'should all appear in the allowlist' do\n expect(misconfigured_packages).to all(be_in allowlist), fail_msg\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204451' do\n title 'The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.'\n desc 'Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating\n malicious activity.'\n desc 'check', 'Verify the operating system disables the ability to automount devices.\n Check to see if automounter service is active with the following command:\n # systemctl status autofs\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n If the \"autofs\" status is set to \"active\" and is not documented with the Information System Security Officer (ISSO)\n as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to automount devices.\n Turn off the automount service with the following commands:\n # systemctl stop autofs\n # systemctl disable autofs\n If \"autofs\" is required for Network File System (NFS), it must be documented with the 
ISSO.'\n impact 0.5\n tag legacy: ['V-71985', 'SV-86609']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag satisfies: ['SRG-OS-000114-GPOS-00059', 'SRG-OS-000378-GPOS-00163', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-204451'\n tag rid: 'SV-204451r853893_rule'\n tag stig_id: 'RHEL-07-020110'\n tag fix_id: 'F-4575r88546_fix'\n tag cci: ['CCI-000366', 'CCI-000778', 'CCI-001958']\n tag nist: ['CM-6 b', 'IA-3', 'IA-3']\n tag subsystems: ['file_system', 'nfs', 'autofs']\n tag 'host'\n tag 'container'\n\n describe systemd_service('autofs.service') do\n it { should_not be_running }\n it { should_not be_enabled }\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204392.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204451.rb", "line": 1 }, - "id": "SV-204392" + "id": "SV-204451" }, { - "title": "The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.", - "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system\n files and commands matches vendor values.", + "desc": "Without cryptographic integrity protections, system command and files can be altered by unauthorized users\n without detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", "descriptions": { - "default": "Without re-authentication, users may access resources or perform tasks for which they do not have 
authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", - "check": "Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.", - "fix": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file." + "default": "Without cryptographic integrity protections, system command and files can be altered by unauthorized users\n without detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", + "check": "Verify the cryptographic hash of system files and commands match the vendor values.\n Check the cryptographic hash of system files and commands with the following command:\n Note: System configuration files (indicated by a \"c\" in the second column) are expected to change over time. 
Unusual\n modifications should be investigated through the system audit log.\n # rpm -Va --noconfig | grep '^..5'\n If there is any output from the command for system files or binaries, this is a finding.", + "fix": "Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh " }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000373-GPOS-00156", - "satisfies": [ - "SRG-OS-000373-GPOS-00156", - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00158" + "legacy": [ + "SV-86479", + "V-71855" ], - "gid": "V-251704", - "rid": "SV-251704r854012_rule", - "stig_id": "RHEL-07-010344", - "fix_id": "F-55095r854011_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-214799", + "rid": "SV-214799r854001_rule", + "stig_id": "RHEL-07-010020", + "fix_id": "F-15997r192363_fix", "cci": [ - "CCI-002038" + "CCI-001749" ], - "legacy": [], "nist": [ - "IA-11" + "CM-5 (3)" ], "subsystems": [ - "sudo" + "rpm", + "package" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-251704' do\n title 'The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.'\n desc 'Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.'\n desc 'check', 'Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of 
\"pam_succeed_if\" is returned from the command, this is a finding.'\n desc 'fix', 'Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-251704'\n tag rid: 'SV-251704r854012_rule'\n tag stig_id: 'RHEL-07-010344'\n tag fix_id: 'F-55095r854011_fix'\n tag cci: ['CCI-002038']\n tag legacy: []\n tag nist: ['IA-11']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n describe parse_config_file('/etc/pam.d/sudo') do\n its('content') { should_not match /pam_succeed_if/ }\n end\n end\nend\n", + "code": "control 'SV-214799' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system\n files and commands matches vendor values.'\n desc 'Without cryptographic integrity protections, system command and files can be altered by unauthorized users\n without detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.'\n desc 'check', %q(Verify the cryptographic hash of system files and commands match the vendor values.\n Check the cryptographic hash of system files and commands with the following command:\n Note: System configuration files 
(indicated by a \"c\" in the second column) are expected to change over time. Unusual\n modifications should be investigated through the system audit log.\n # rpm -Va --noconfig | grep '^..5'\n If there is any output from the command for system files or binaries, this is a finding.)\n desc 'fix', 'Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh '\n impact 0.7\n tag legacy: ['SV-86479', 'V-71855']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-214799'\n tag rid: 'SV-214799r854001_rule'\n tag stig_id: 'RHEL-07-010020'\n tag fix_id: 'F-15997r192363_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag subsystems: ['rpm', 'package']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute. 
You must enable this control for a\n full accredidation for production.\"\n end\n else\n allowlist = input('rpm_verify_integrity_except')\n\n misconfigured_packages = command('rpm -Va --noconfig').stdout.split(\"\\n\")\n .select { |package| package[0..7].match(/5/) }\n .map { |package| package.match(/\\S+$/)[0] }\n\n if misconfigured_packages.empty?\n describe 'The list of rpm packages with hashes changed from the vendor values' do\n subject { misconfigured_packages }\n it { should be_empty }\n end\n else\n describe 'The list of rpm packages with hashes changed from the vendor values' do\n fail_msg = \"Files with hashes that are changed from vendor values but are not in the allowlist: #{(misconfigured_packages - allowlist).join(', ')}\"\n it 'should all appear in the allowlist' do\n expect(misconfigured_packages).to all(be_in allowlist), fail_msg\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-251704.rb", + "ref": "./Red Hat 7 STIG/controls/SV-214799.rb", "line": 1 }, - "id": "SV-251704" + "id": "SV-214799" }, { - "title": "The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.", - "desc": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", + "title": "The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to\n date.", + "desc": "Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of\n information technology (IT) systems. However, failure to keep operating system and application software patched is a\n common mistake made by IT professionals. New patches are released daily, and it is often difficult for even\n experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches\n and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The\n lack of prompt attention to patching could result in a system compromise.", "descriptions": { - "default": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", - "check": "Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command:\n\nThis command must be ran as root:\n# grep -r sysadm_r /etc/sudoers /etc/sudoers.d\n%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL\n\nIf conflicting results are returned, this is a finding.\n\nIf a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to \"sysadm_t\" and \"sysadm_r\" with the use of the sudo command, this is a finding.", - "fix": "Configure the operating system to elevate the SELinux context when an administrator calls the sudo command.\nEdit a file in the /etc/sudoers.d directory with the following command:\n$ sudo visudo -f /etc/sudoers.d/\n\nUse the following example to build the in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command:\n%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL\n\nRemove any configurations that conflict with the above from the following locations:\n/etc/sudoers\n/etc/sudoers.d/" + "default": "Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of\n information technology (IT) systems. However, failure to keep operating system and application software patched is a\n common mistake made by IT professionals. New patches are released daily, and it is often difficult for even\n experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the problems. 
If the most recent security patches\n and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The\n lack of prompt attention to patching could result in a system compromise.", + "check": "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1\n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21\n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.", + "fix": "Install the operating system patches or updated packages available from Red Hat within 30 days or\n sooner as local policy dictates." 
}, "impact": 0.5, "refs": [], "tags": { + "legacy": [ + "SV-86623", + "V-71999" + ], "severity": "medium", - "gtitle": "SRG-OS-000324-GPOS-00125", - "satisfies": null, - "gid": "V-250314", - "rid": "SV-250314r877392_rule", - "stig_id": "RHEL-07-020023", - "fix_id": "F-53702r858494_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204459", + "rid": "SV-204459r603261_rule", + "stig_id": "RHEL-07-020260", + "fix_id": "F-4583r88570_fix", "cci": [ - "CCI-002165", - "CCI-002235" + "CCI-000366" ], - "legacy": [], "nist": [ - "AC-3 (4)", - "AC-6 (10)" + "CM-6 b" ], "subsystems": [ - "selinux" + "packages" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-250314' do\n title 'The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.'\n desc 'Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.'\n desc 'check', 'Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command:\n\nThis command must be ran as root:\n# grep -r sysadm_r /etc/sudoers /etc/sudoers.d\n%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL\n\nIf conflicting results are returned, this is a finding.\n\nIf a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to \"sysadm_t\" and \"sysadm_r\" with the use of the sudo command, this is a finding.'\n desc 'fix', 'Configure the operating system to elevate the SELinux context when an administrator calls the sudo command.\nEdit a file in the /etc/sudoers.d directory with the following command:\n$ sudo visudo -f /etc/sudoers.d/\n\nUse the following example to build the in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command:\n%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL\n\nRemove any configurations that conflict with the above from the following locations:\n/etc/sudoers\n/etc/sudoers.d/'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag satisfies: nil\n tag gid: 'V-250314'\n tag rid: 'SV-250314r877392_rule'\n tag stig_id: 'RHEL-07-020023'\n tag fix_id: 'F-53702r858494_fix'\n tag cci: ['CCI-002165', 'CCI-002235']\n tag legacy: []\n tag nist: ['AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container -- kernel config' do\n skip 'Control not applicable within a container -- kernel config'\n end\n else\n describe command('grep -r sysadm_r /etc/sudoers 
/etc/sudoers.d').stdout.strip do\n it { should match /TYPE=sysadm_t\\s+ROLE=sysadm_r/ }\n it { should_not match /\\n/ }\n end\n end\nend\n", + "code": "control 'SV-204459' do\n title 'The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to\n date.'\n desc 'Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of\n information technology (IT) systems. However, failure to keep operating system and application software patched is a\n common mistake made by IT professionals. New patches are released daily, and it is often difficult for even\n experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches\n and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The\n lack of prompt attention to patching could result in a system compromise.'\n desc 'check', 'Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1\n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21\n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.'\n desc 'fix', 'Install the operating system patches or updated packages available from Red Hat within 30 days or\n sooner as local policy dictates.'\n impact 0.5\n tag legacy: ['SV-86623', 'V-71999']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204459'\n tag rid: 'SV-204459r603261_rule'\n tag stig_id: 'RHEL-07-020260'\n tag fix_id: 'F-4583r88570_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['packages']\n tag 'host'\n tag 'container'\n\n if input('disconnected_system')\n describe \"The system is set to a `disconnected` state and you must validate\n the state of the system packages manually\" do\n skip \"The system is set to a `disconnected` state and you must validate\n the state of the system packages manually, or through another process, if you\n have an established 
update and patch process, please set this control as\n `Not Applicable` with a `caevat` via an overlay.\"\n end\n else\n updates = linux_update.updates\n package_names = updates.map { |h| h['name'] }\n\n describe.one do\n describe 'List of out-of-date packages' do\n subject { package_names }\n it { should be_empty }\n end\n\n updates.each do |update|\n describe package(update['name']) do\n its('version') { should eq update['version'] }\n end\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-250314.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204459.rb",
 "line": 1
 },
- "id": "SV-250314"
+ "id": "SV-204459"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege\n separation.",
- "desc": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would\n decrease the impact of software vulnerabilities in the unprivileged section.",
+ "title": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate\n action when there is an error sending audit records to a remote system.",
+ "desc": "Taking appropriate action when there is an error sending audit records to a remote system will minimize the\n possibility of losing audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.",
 "descriptions": {
- "default": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would\n decrease the impact of software vulnerabilities in the unprivileged section.",
- "check": "Verify the SSH daemon performs privilege separation.\n Check that the SSH daemon performs privilege separation with the following command:\n # grep -i usepriv /etc/ssh/sshd_config\n UsePrivilegeSeparation sandbox\n If the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the returned line is 
commented out, this is a\n finding.",
- "fix": "Uncomment the \"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"sandbox\" or \"yes\":\n UsePrivilegeSeparation sandbox\n The SSH service must be restarted for changes to take effect."
+ "default": "Taking appropriate action when there is an error sending audit records to a remote system will minimize the\n possibility of losing audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.",
+ "check": "Verify the action the operating system takes if there is an error sending audit records to a remote\n system.\n Check the action that takes place if there is an error sending audit records to a remote system with the following\n command:\n # grep -i network_failure_action /etc/audisp/audisp-remote.conf\n network_failure_action = syslog\n If the value of the \"network_failure_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented\n out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage\n media, and to indicate the action taken if there is an error sending audit records to the remote system.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not take appropriate action if there is an error sending audit records to the remote\n system, this is a finding.",
+ "fix": "Configure the action the operating system takes if there is an error sending audit records to a remote\n system.\n Uncomment the \"network_failure_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\",\n or \"halt\".\n network_failure_action = syslog"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- 
"SV-86889", - "V-72265" + "V-73163", + "SV-87815" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204601", - "rid": "SV-204601r603261_rule", - "stig_id": "RHEL-07-040460", - "fix_id": "F-4725r88996_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "gid": "V-204512", + "rid": "SV-204512r877390_rule", + "stig_id": "RHEL-07-030321", + "fix_id": "F-36315r602655_fix", "cci": [ - "CCI-000366" + "CCI-001851" ], "nist": [ - "CM-6 b" + "AU-4 (1)" ], "subsystems": [ - "ssh" + "audit", + "audisp" ], "host": null }, - "code": "control 'SV-204601' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege\n separation.'\n desc 'SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would\n decrease the impact of software vulnerabilities in the unprivileged section.'\n desc 'check', 'Verify the SSH daemon performs privilege separation.\n Check that the SSH daemon performs privilege separation with the following command:\n # grep -i usepriv /etc/ssh/sshd_config\n UsePrivilegeSeparation sandbox\n If the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the returned line is commented out, this is a\n finding.'\n desc 'fix', 'Uncomment the \"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"sandbox\" or \"yes\":\n UsePrivilegeSeparation sandbox\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86889', 'V-72265']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204601'\n tag rid: 'SV-204601r603261_rule'\n tag stig_id: 'RHEL-07-040460'\n tag fix_id: 'F-4725r88996_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if 
virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe.one do\n describe sshd_config do\n its('UsePrivilegeSeparation') { should cmp 'sandbox' }\n end\n describe sshd_config do\n its('UsePrivilegeSeparation') { should cmp 'yes' }\n end\n end\n end\nend\n",
+ "code": "control 'SV-204512' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate\n action when there is an error sending audit records to a remote system.'\n desc 'Taking appropriate action when there is an error sending audit records to a remote system will minimize the\n possibility of losing audit records.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.'\n desc 'check', 'Verify the action the operating system takes if there is an error sending audit records to a remote\n system.\n Check the action that takes place if there is an error sending audit records to a remote system with the following\n command:\n # grep -i network_failure_action /etc/audisp/audisp-remote.conf\n network_failure_action = syslog\n If the value of the \"network_failure_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented\n out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage\n media, and to indicate the action taken if there is an error sending audit records to the remote system.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not take appropriate action if there is an error sending audit records to the remote\n system, this is a finding.'\n desc 'fix', 'Configure the action the operating 
system takes if there is an error sending audit records to a remote\n system.\n Uncomment the \"network_failure_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\",\n or \"halt\".\n network_failure_action = syslog'\n impact 0.5\n tag legacy: ['V-73163', 'SV-87815']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag gid: 'V-204512'\n tag rid: 'SV-204512r877390_rule'\n tag stig_id: 'RHEL-07-030321'\n tag fix_id: 'F-36315r602655_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('network_failure_action'.to_s) { should cmp input('expected_network_failure_action') }\n its('network_failure_action'.to_s) { should be_in ['syslog', 'single', 'halt'] }\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204601.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204512.rb",
 "line": 1
 },
- "id": "SV-204601"
+ "id": "SV-204512"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.",
- "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.",
+ "title": "The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.",
+ "desc": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.",
 "descriptions": {
- "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.",
- "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/userhelper\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.",
- "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.", + "check": "Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nVerify the operating system disables the ability to automount devices in a graphical user interface.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\nCheck to see if automounter service is disabled with the following commands:\n# cat /etc/dconf/db/local.d/00-No-Automount\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nIf the output does not match the example above, this is a finding.\n\n# cat /etc/dconf/db/local.d/locks/00-No-Automount\n\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nIf the output does not match the example, this is a finding.", + "fix": "Configure the graphical user interface to disable the ability to automount devices.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\nCreate or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nCreate or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nRun the following command to update the database:\n\n# dconf update"
 },
- "impact": 0.5,
+ "impact": 0,
 "refs": [],
 "tags": {
- "legacy": [
- "SV-86781",
- "V-72157"
- ],
 "severity": "medium",
- "gtitle": "SRG-OS-000042-GPOS-00020",
+ "gtitle": "SRG-OS-000114-GPOS-00059",
 "satisfies": [
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000471-GPOS-00215"
+ "SRG-OS-000114-GPOS-00059",
+ "SRG-OS-000378-GPOS-00163",
+ "SRG-OS-000480-GPOS-00227"
 ],
- "gid": "V-204546",
- "rid": "SV-204546r861038_rule",
- "stig_id": "RHEL-07-030670",
- "fix_id": "F-4670r861037_fix",
+ "gid": "V-219059",
+ "rid": "SV-219059r854002_rule",
+ "stig_id": "RHEL-07-020111",
+ "fix_id": "F-36318r602663_fix",
 "cci": [
- "CCI-000135",
- "CCI-000172",
- "CCI-002884"
+ "CCI-000366",
+ "CCI-000778",
+ "CCI-001958"
+ ],
+ "legacy": [
+ "V-100023",
+ "SV-109127"
 ],
 "nist": [
- "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "CM-6 b",
+ "IA-3"
 ],
 "subsystems": [
- "audit",
- "auditd",
- "audit_rule"
+ "gui",
+ "automount"
 ],
 "host": null
 },
- "code": "control 'SV-204546' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/userhelper\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86781', 'V-72157']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204546'\n tag rid: 'SV-204546r861038_rule'\n tag stig_id: 'RHEL-07-030670'\n tag fix_id: 'F-4670r861037_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/userhelper'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config 
must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n",
+ "code": "control 'SV-219059' do\n title 'The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.'\n desc 'Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.'\n desc 'check', 'Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nVerify the operating system disables the ability to automount devices in a graphical user interface.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\nCheck to see if automounter service is disabled with the following commands:\n# cat /etc/dconf/db/local.d/00-No-Automount\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nIf the output does not match the example above, this is a finding.\n\n# cat /etc/dconf/db/local.d/locks/00-No-Automount\n\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nIf the output does not match the example, this is a finding.'\n desc 'fix', 'Configure the graphical user interface to disable the ability to automount devices.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\nCreate or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nCreate or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nRun the following command to update the database:\n\n# dconf update'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag satisfies: ['SRG-OS-000114-GPOS-00059', 'SRG-OS-000378-GPOS-00163', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-219059'\n tag rid: 'SV-219059r854002_rule'\n tag stig_id: 'RHEL-07-020111'\n tag fix_id: 'F-36318r602663_fix'\n tag cci: ['CCI-000366', 'CCI-000778', 'CCI-001958']\n tag legacy: ['V-100023', 'SV-109127']\n tag nist: ['CM-6 b', 'IA-3']\n tag subsystems: ['gui', 'automount']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control 
not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n options = {\n assignment_regex: /^\\s*([^=]*?)\\s*=\\s*(.*?)\\s*$/\n }\n\n describe parse_config_file(input('automount_config'), options) do\n its('automount') { should cmp 'false' }\n its('automount-open') { should cmp 'false' }\n its('autorun-never') { should cmp 'true' }\n end\n describe file(input('automount_locks_config')) do\n its('content') { should match /automount$/ }\n its('content') { should match /automount-open$/ }\n its('content') { should match /autorun-never$/ }\n end\n\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204546.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-219059.rb",
 "line": 1
 },
- "id": "SV-204546"
+ "id": "SV-219059"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat\n Prevention tool.",
- "desc": "Adding endpoint security tools can provide the capability to automatically take actions in response to\n malicious behavior, which can provide additional agility in reacting to network threats. These tools also often\n include a reporting capability to provide network awareness of the system, which may not otherwise exist in an\n organization's systems management regime.",
+ "title": "The Red Hat Enterprise Linux operating system must have cron logging implemented.",
+ "desc": "Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used\n to spot intrusions into the use of the cron facility by unauthorized and malicious users.",
 "descriptions": {
- "default": "Adding endpoint security tools can provide the capability to automatically take actions in response to\n malicious behavior, which can provide additional agility in reacting to network threats. These tools also often\n include a reporting capability to provide network awareness of the system, which may not otherwise exist in an\n organization's systems management regime.",
- "check": "Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL)\n in conjunction with SELinux.\n Procedure:\n Check that the following package has been installed:\n # rpm -qa | grep -i mcafeetp\n If the \"mcafeetp\" package is not installed, this is a finding.\n Verify that the daemon is running:\n # ps -ef | grep -i mfetpd\n If the daemon is not running, this is a finding.",
- "fix": "Install and enable the latest McAfee ENSLTP package."
+ "default": "Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used\n to spot intrusions into the use of the cron facility by unauthorized and malicious users.",
+ "check": "Verify that \"rsyslog\" is configured to log cron events.\n Check the configuration of \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files for the cron facility with the\n following command:\n Note: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or\n \"/etc/rsyslog.d/*.conf\" files.\n # grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n cron.* /var/log/cron\n If the command does not return a response, check for cron logging all facilities by inspecting the\n \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n Look for the following entry:\n *.* /var/log/messages\n If \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.",
+ "fix": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to\n \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n cron.* /var/log/cron\n The rsyslog daemon must be restarted for the changes to take effect:\n $ sudo systemctl restart rsyslog.service"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-92255",
- "SV-102357"
+ "V-72051",
+ "SV-86675"
 ],
 "severity": "medium",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-214800",
- "rid": "SV-214800r854323_rule",
- "stig_id": "RHEL-07-020019",
- "fix_id": "F-36317r754750_fix",
+ "gid": "V-204489",
+ "rid": "SV-204489r744109_rule",
+ "stig_id": "RHEL-07-021100",
+ "fix_id": "F-4613r744108_fix",
 "cci": [
- "CCI-001263",
 "CCI-000366"
 ],
 "nist": [
- "SI-4 (5)",
 "CM-6 b"
 ],
 "subsystems": [
- "endpoint_security"
+ "cron",
+ "rsyslog"
 ],
 "host": null,
 "container": null
 },
- "code": "control 'SV-214800' do\n title 'The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat\n Prevention tool.'\n desc \"Adding endpoint security tools can provide the 
capability to automatically take actions in response to\n malicious behavior, which can provide additional agility in reacting to network threats. These tools also often\n include a reporting capability to provide network awareness of the system, which may not otherwise exist in an\n organization's systems management regime.\"\n desc 'check', 'Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL)\n in conjunction with SELinux.\n Procedure:\n Check that the following package has been installed:\n # rpm -qa | grep -i mcafeetp\n If the \"mcafeetp\" package is not installed, this is a finding.\n Verify that the daemon is running:\n # ps -ef | grep -i mfetpd\n If the daemon is not running, this is a finding.'\n desc 'fix', 'Install and enable the latest McAfee ENSLTP package.'\n impact 0.5\n tag legacy: ['V-92255', 'SV-102357']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-214800'\n tag rid: 'SV-214800r854323_rule'\n tag stig_id: 'RHEL-07-020019'\n tag fix_id: 'F-36317r754750_fix'\n tag cci: ['CCI-001263', 'CCI-000366']\n tag nist: ['SI-4 (5)', 'CM-6 b']\n tag subsystems: ['endpoint_security']\n tag 'host'\n tag 'container'\n\n describe package('mcafeetp') do\n it { should be_installed }\n end\n describe service('mfetpd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n",
+ "code": "control 'SV-204489' do\n title 'The Red Hat Enterprise Linux operating system must have cron logging implemented.'\n desc 'Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used\n to spot intrusions into the use of the cron facility by unauthorized and malicious users.'\n desc 'check', 'Verify that \"rsyslog\" is configured to log cron events.\n Check the configuration of \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files for the cron facility with the\n following command:\n Note: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or\n \"/etc/rsyslog.d/*.conf\" files.\n # grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n cron.* /var/log/cron\n If the command does not return a response, check for cron logging all facilities by inspecting the\n \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n Look for the following entry:\n *.* /var/log/messages\n If \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.'\n desc 'fix', 'Configure \"rsyslog\" to log all cron messages by adding or updating the following line to\n \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n cron.* /var/log/cron\n The rsyslog daemon must be restarted for the changes to take effect:\n $ sudo systemctl restart rsyslog.service'\n impact 0.5\n tag legacy: ['V-72051', 'SV-86675']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204489'\n tag rid: 'SV-204489r744109_rule'\n tag stig_id: 'RHEL-07-021100'\n tag fix_id: 'F-4613r744108_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['cron', 'rsyslog']\n tag 'host'\n tag 'container'\n\n log_pkg_paths = input('log_pkg_paths').join(' ')\n cron_log = command(\"grep cron #{log_pkg_paths}\").stdout.strip\n facilities_log = inspec.command(\"grep '/var/log/messages' #{log_pkg_paths}\").stdout.strip\n\n describe.one do\n describe 'cron' do\n it 'should be configured for logging in the logging utility config files' do\n expect(cron_log).to match(/:cron/), \"cron not found in #{log_pkg_paths}\"\n end\n end\n describe 'All 
facilities' do\n it 'should be configured for logging in the logging utility config files' do\n expect(facilities_log).to match(%r{^.+:\\*\\.\\*\\s+/var/log/messages}), \"cron not found in #{log_pkg_paths}\"\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-214800.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204489.rb",
 "line": 1
 },
- "id": "SV-214800"
+ "id": "SV-204489"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP)\n server package installed if not required for operational support.",
- "desc": "If TFTP is required for operational support (such as the transmission of router configurations) its use must\n be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have\n access control rules established.",
+ "title": "The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.",
+ "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the\n system is functioning as a router.",
 "descriptions": {
- "default": "If TFTP is required for operational support (such as the transmission of router configurations) its use must\n be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have\n access control rules established.",
- "check": "Verify a TFTP server has not been installed on the system.\n Check to see if a TFTP server has been installed with the following command:\n # yum list installed tftp-server\n tftp-server-0.49-9.el7.x86_64.rpm\n If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.",
- "fix": "Remove the TFTP package from the system with the following command:\n # yum remove tftp-server"
+ "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the\n system is functioning as a router.",
+ "check": "If IPv6 is not enabled, the key will not exist, and this is Not Applicable.\n\nVerify the system does not accept IPv6 source-routed packets.\n\n # grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\n net.ipv6.conf.all.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.",
+ "fix": "Set the system to the required kernel parameter, if IPv6 is enabled, by\nadding the following line to \"/etc/sysctl.conf\" or a configuration file in\nthe /etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv6.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system"
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86925",
- "V-72301"
+ "V-72319",
+ "SV-86943"
 ],
- "severity": "high",
+ "severity": "medium",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204621",
- "rid": "SV-204621r853996_rule",
- "stig_id": "RHEL-07-040700",
- "fix_id": "F-4745r89056_fix",
+ "gid": "V-204630",
+ "rid": "SV-204630r880827_rule",
+ "stig_id": "RHEL-07-040830",
+ "fix_id": "F-4754r880826_fix",
 "cci": [
- "CCI-000318",
- "CCI-000368",
- "CCI-001812",
- "CCI-001813",
- 
"CCI-001814" + "CCI-000366" ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1)", - "CM-5 (1) (a)" + "CM-6 b" ], "subsystems": [ - "tftp" + "kernel_parameter", + "ipv6" ], "host": null, "container": null }, - "code": "control 'SV-204621' do\n title 'The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP)\n server package installed if not required for operational support.'\n desc 'If TFTP is required for operational support (such as the transmission of router configurations) its use must\n be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have\n access control rules established.'\n desc 'check', 'Verify a TFTP server has not been installed on the system.\n Check to see if a TFTP server has been installed with the following command:\n # yum list installed tftp-server\n tftp-server-0.49-9.el7.x86_64.rpm\n If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.'\n desc 'fix', 'Remove the TFTP package from the system with the following command:\n # yum remove tftp-server'\n impact 0.7\n tag legacy: ['SV-86925', 'V-72301']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204621'\n tag rid: 'SV-204621r853996_rule'\n tag stig_id: 'RHEL-07-040700'\n tag fix_id: 'F-4745r89056_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['tftp']\n tag 'host'\n tag 'container'\n\n describe package('tftp-server') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-204630' do\n title 'The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used 
to bypass network security measures. This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the\n system is functioning as a router.'\n desc 'check', 'If IPv6 is not enabled, the key will not exist, and this is Not Applicable.\n\nVerify the system does not accept IPv6 source-routed packets.\n\n # grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\n net.ipv6.conf.all.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter, if IPv6 is enabled, by\nadding the following line to \"/etc/sysctl.conf\" or a configuration file in\nthe /etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv6.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72319', 'SV-86943']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204630'\n tag rid: 'SV-204630r880827_rule'\n tag stig_id: 'RHEL-07-040830'\n tag fix_id: 'F-4754r880826_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv6']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must 
be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_source_route = 0\n config_file_values = command('grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_source_route.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_source_route to #{accept_source_route}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe.one do\n describe kernel_parameter('net.ipv6.conf.all.accept_source_route') do\n its('value') { should eq accept_source_route }\n end\n # If IPv6 is disabled in the kernel it will return NIL\n describe kernel_parameter('net.ipv6.conf.all.accept_source_route') do\n its('value') { should eq nil }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204621.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204630.rb", "line": 1 }, - "id": "SV-204621" + "id": "SV-204630" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirect messages from being accepted.", - "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message\n could result in a man-in-the-middle attack.", + "title": "The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI\n authentication.", + "desc": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message\n could result in a man-in-the-middle attack.", - "check": "Verify the system will not accept IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the value of the \"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_redirects\n net.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Set the system to not accept IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" + "default": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic 
information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "check": "Verify the operating system implements certificate status checking for PKI\nauthentication.\n\n Check to see if Online Certificate Status Protocol (OCSP) is enabled on the\nsystem with the following command:\n\n # grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v \"^#\"\n\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n\n There should be at least three lines returned.\n\n If \"ocsp_on\" is not present in all uncommented \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding.", + "fix": "Configure the operating system to do certificate status checking for PKI\nauthentication.\n\n Modify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86913", - "V-72289" + "V-72433", + "SV-87057" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204614", - "rid": "SV-204614r880812_rule", - "stig_id": "RHEL-07-040640", - "fix_id": "F-4738r880811_fix", + "gtitle": "SRG-OS-000375-GPOS-00160", + "satisfies": [ + "SRG-OS-000375-GPOS-00160", + "SRG-OS-000375-GPOS-00161", + "SRG-OS-000375-GPOS-00162" + ], + "gid": "V-204633", + "rid": "SV-204633r853999_rule", + "stig_id": "RHEL-07-041003", + "fix_id": "F-4757r89092_fix", "cci": [ - "CCI-000366" + "CCI-001948", + "CCI-001953", + "CCI-001954" ], "nist": [ - "CM-6 b" + "IA-2 (11)", + "IA-2 (12)", + "IA-2 (12)" ], "subsystems": [ - "kernel_parameter", - "ipv4" + "pam_pkcs11", + "pam", + "pkcs11" ], "host": null }, - "code": "control 'SV-204614' do\n title 'The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message\n could result in a man-in-the-middle attack.\"\n desc 'check', 'Verify the system will not accept IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the value of the \"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_redirects\n net.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to not accept IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['SV-86913', 'V-72289']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204614'\n tag rid: 'SV-204614r880812_rule'\n tag stig_id: 'RHEL-07-040640'\n tag fix_id: 'F-4738r880811_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_redirects = 0\n\n config_file_values = command('grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* 
/usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_redirects.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_redirects to #{accept_redirects}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.default.accept_redirects' do\n subject { kernel_parameter('net.ipv4.conf.default.accept_redirects') }\n its('value') { should eq accept_redirects }\n end\n end\nend\n", + "code": "control 'SV-204633' do\n title 'The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI\n authentication.'\n desc \"Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. 
Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).\"\n desc 'check', 'Verify the operating system implements certificate status checking for PKI\nauthentication.\n\n Check to see if Online Certificate Status Protocol (OCSP) is enabled on the\nsystem with the following command:\n\n # grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v \"^#\"\n\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n\n There should be at least three lines returned.\n\n If \"ocsp_on\" is not present in all uncommented \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding.'\n desc 'fix', 'Configure the operating system to do certificate status checking for PKI\nauthentication.\n\n Modify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\".'\n impact 0.5\n tag legacy: ['V-72433', 'SV-87057']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000375-GPOS-00161', 'SRG-OS-000375-GPOS-00162']\n tag gid: 'V-204633'\n tag rid: 'SV-204633r853999_rule'\n tag stig_id: 'RHEL-07-041003'\n tag fix_id: 'F-4757r89092_fix'\n tag cci: ['CCI-001948', 'CCI-001953', 'CCI-001954']\n tag nist: ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)']\n tag subsystems: ['pam_pkcs11', 'pam', 'pkcs11']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n smart_card_status = input('smart_card_status')\n\n if smart_card_status.eql?('enabled')\n impact 0.5\n if (pam_file = 
file('/etc/pam_pkcs11/pam_pkcs11.conf')).exist?\n cert_policy_lines = if pam_file.content.nil?\n []\n else\n pam_file.content.lines.grep(/^(?!.+#).*cert_policy/i)\n end\n if cert_policy_lines.length < 3\n describe 'should contain at least 3 cert policy lines' do\n subject { cert_policy_lines.length }\n it { should >= 3 }\n end\n else\n describe 'each cert policy line should include oscp_on' do\n cert_policy_lines.each do |line|\n subject { line }\n it { should match(/ocsp_on/i) }\n end\n end\n end\n else\n describe pam_file do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system is not smartcard enabled' do\n skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204614.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204633.rb", "line": 1 }, - "id": "SV-204614" + "id": "SV-204633" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least 1 lower-case character.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "title": "The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and\n demonstration software not related to requirements or providing a wide array of functionality not required for every\n mission, but which cannot be disabled.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", - "check": "Note: The value to require a number of lower-case characters to be set is expressed as a negative\n number in '/etc/security/pwquality.conf'.\n Check the value for 'lcredit' in '/etc/security/pwquality.conf' with the following command:\n # grep lcredit /etc/security/pwquality.conf\n lcredit = -1\n If the value of 'lcredit' is not set to a negative value, this is a finding.", - "fix": "Configure the system to require at least 1 lower-case character when creating or changing a\n password.\n Add or modify the following line\n in '/etc/security/pwquality.conf':\n lcredit = -1" + "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and\n demonstration software not related to requirements or providing a wide array of functionality not required for every\n mission, but which cannot be disabled.", + "check": "Verify the operating system is configured to disable non-essential capabilities. The most secure way\n of ensuring a non-essential capability is disabled is to not have the capability installed.\n The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and\n integrity of user passwords or the remote session.\n If a privileged user were to log on using this service, the privileged user password could be compromised.\n Check to see if the telnet-server package is installed with the following command:\n # yum list installed telnet-server\n If the telnet-server package is installed, this is a finding.", + "fix": "Configure the operating system to disable non-essential capabilities by removing the telnet-server\n package from the system with the following command:\n # yum remove telnet-server" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86529", - "V-71905" + "V-72077", + "SV-86701" ], - "severity": "medium", - "gtitle": "SRG-OS-000070-GPOS-00038", - "gid": "V-204408", - "rid": "SV-204408r603261_rule", - "stig_id": "RHEL-07-010130", - "fix_id": "F-4532r88417_fix", + "severity": "high", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-204502", + "rid": "SV-204502r603261_rule", + 
"stig_id": "RHEL-07-021710", + "fix_id": "F-4626r88699_fix", "cci": [ - "CCI-000193" + "CCI-000381" ], "nist": [ - "IA-5 (1) (a)" + "CM-7 a" ], "subsystems": [ - "pwquality", - "password" + "packages" ], "host": null, "container": null }, - "code": "control 'SV-204408' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least #{input('min_lowercase_characters')} lower-case character.\"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.\"\n desc 'check', \"Note: The value to require a number of lower-case characters to be set is expressed as a negative\n number in '/etc/security/pwquality.conf'.\n Check the value for 'lcredit' in '/etc/security/pwquality.conf' with the following command:\n # grep lcredit /etc/security/pwquality.conf\n lcredit = -#{input('min_lowercase_characters')}\n If the value of 'lcredit' is not set to a negative value, this is a finding.\"\n desc 'fix', \"Configure the system to require at least #{input('min_lowercase_characters')} lower-case character when creating or changing a\n password.\n Add or modify the following line\n in '/etc/security/pwquality.conf':\n lcredit = -#{input('min_lowercase_characters')}\"\n impact 0.5\n tag legacy: ['SV-86529', 'V-71905']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000070-GPOS-00038'\n tag gid: 'V-204408'\n tag rid: 'SV-204408r603261_rule'\n tag stig_id: 'RHEL-07-010130'\n tag fix_id: 'F-4532r88417_fix'\n tag cci: ['CCI-000193']\n 
tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('lcredit') { should cmp <= -input('min_lowercase_characters')}\n its('lcredit') { should_not be_nil }\n end\nend\n", + "code": "control 'SV-204502' do\n title 'The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and\n demonstration software not related to requirements or providing a wide array of functionality not required for every\n mission, but which cannot be disabled.'\n desc 'check', 'Verify the operating system is configured to disable non-essential capabilities. 
The most secure way\n of ensuring a non-essential capability is disabled is to not have the capability installed.\n The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and\n integrity of user passwords or the remote session.\n If a privileged user were to log on using this service, the privileged user password could be compromised.\n Check to see if the telnet-server package is installed with the following command:\n # yum list installed telnet-server\n If the telnet-server package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by removing the telnet-server\n package from the system with the following command:\n # yum remove telnet-server'\n impact 0.7\n tag legacy: ['V-72077', 'SV-86701']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-204502'\n tag rid: 'SV-204502r603261_rule'\n tag stig_id: 'RHEL-07-021710'\n tag fix_id: 'F-4626r88699_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag subsystems: ['packages']\n tag 'host'\n tag 'container'\n\n describe package('telnet-server') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204408.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204502.rb", "line": 1 }, - "id": "SV-204408" + "id": "SV-204502" }, { - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).", - "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.", + "desc": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.", "descriptions": { - "default": "The use of separate file systems 
for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", - "check": "Verify that a separate file system/partition has been created for \"/tmp\".\n Check that a file system/partition has been created for \"/tmp\" with the following command:\n # systemctl is-enabled tmp.mount\n enabled\n If the \"tmp.mount\" service is not enabled, check to see if \"/tmp\" is defined in the fstab with a device and mount\n point:\n # grep -i /tmp /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0\n If \"tmp.mount\" service is not enabled or the \"/tmp\" directory is not defined in the fstab with a device and mount\n point, this is a finding.", - "fix": "Start the \"tmp.mount\" service with the following command:\n # systemctl enable tmp.mount\n OR\n Edit the \"/etc/fstab\" file and ensure the \"/tmp\" directory is defined in the fstab with a device and mount point." + "default": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.", + "check": "Verify the SSH private host key files have mode \"0640\" or less permissive.\n\nThe following command will find all SSH private key files on the system and list their modes:\n\n # find / -name '*ssh_host*key' | xargs ls -lL\n\n -rw-r----- 1 root ssh_keys 112 Apr 1 11:59 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key\n -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key\n\nIf any file has a mode more permissive than \"0640\", this is a finding.", + "fix": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n# chmod 0640 /path/to/file/ssh_host*key" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86689", - "V-72065" + "V-72257", + "SV-86881" ], - "severity": "low", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204496", - "rid": 
"SV-204496r603261_rule", - "stig_id": "RHEL-07-021340", - "fix_id": "F-36309r602637_fix", + "gid": "V-204597", + "rid": "SV-204597r880743_rule", + "stig_id": "RHEL-07-040420", + "fix_id": "F-4721r880742_fix", "cci": [ "CCI-000366" ], 
@@ -5826,234 +5672,218 @@ "CM-6 b" ], "subsystems": [ - "file_system", - "tmp" + "ssh" ], "host": null }, - "code": "control 'SV-204496' do\n title 'The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).'\n desc 'The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system/partition has been created for \"/tmp\".\n Check that a file system/partition has been created for \"/tmp\" with the following command:\n # systemctl is-enabled tmp.mount\n enabled\n If the \"tmp.mount\" service is not enabled, check to see if \"/tmp\" is defined in the fstab with a device and mount\n point:\n # grep -i /tmp /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0\n If \"tmp.mount\" service is not enabled or the \"/tmp\" directory is not defined in the fstab with a device and mount\n point, this is a finding.'\n desc 'fix', 'Start the \"tmp.mount\" service with the following command:\n # systemctl enable tmp.mount\n OR\n Edit the \"/etc/fstab\" file and ensure the \"/tmp\" directory is defined in the fstab with a device and mount point.'\n impact 0.3\n tag legacy: ['SV-86689', 'V-72065']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204496'\n tag rid: 'SV-204496r603261_rule'\n tag stig_id: 'RHEL-07-021340'\n tag fix_id: 'F-36309r602637_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_system', 'tmp']\n tag 'host'\n\n describe.one do\n describe systemd_service('tmp.mount') do\n it { should be_enabled }\n end\n describe etc_fstab.where { mount_point == '/tmp' } do\n its('count') { should cmp 1 }\n it 'Should have a device name specified' do\n expect(subject.device_name[0]).to_not(be_empty)\n end\n end\n end\nend\n", + "code": "control 'SV-204597' do\n title 'The Red Hat 
Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.'\n desc 'If an unauthorized user obtains the private SSH host key file, the host could be impersonated.'\n desc 'check', %q(Verify the SSH private host key files have mode \"0640\" or less permissive.\n\nThe following command will find all SSH private key files on the system and list their modes:\n\n # find / -name '*ssh_host*key' | xargs ls -lL\n\n -rw-r----- 1 root ssh_keys 112 Apr 1 11:59 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key\n -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key\n\nIf any file has a mode more permissive than \"0640\", this is a finding.)\n desc 'fix', 'Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n# chmod 0640 /path/to/file/ssh_host*key'\n impact 0.5\n tag legacy: ['V-72257', 'SV-86881']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204597'\n tag rid: 'SV-204597r880743_rule'\n tag stig_id: 'RHEL-07-040420'\n tag fix_id: 'F-4721r880742_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n pub_files = command(\"find #{input('private_host_key_directories').join(' ')} -xdev -name '*ssh_host*key'\").stdout.split(\"\\n\")\n if !pub_files.nil? and !pub_files.empty?\n pub_files.each do |pubfile|\n describe file(pubfile) do\n it { should_not be_more_permissive_than(input('private_host_key_file_mode')) }\n end\n end\n else\n describe 'No public host key files found.' do\n subject { pub_files.nil? or pub_files.empty? 
}\n it { should eq true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204496.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204597.rb", "line": 1 }, - "id": "SV-204496" + "id": "SV-204597" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null\n passwords.", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that\n account. Accounts with empty passwords should never be used in operational environments.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/semanage\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "If an account has an empty password, anyone could log on and run commands with the privileges of that\n account. 
Accounts with empty passwords should never be used in operational environments.", + "check": "To verify that null passwords cannot be used, run the following command:\n # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n If this produces any output, it may be possible to log on with accounts with empty passwords.\n If null passwords can be used, this is a finding.", + "fix": "If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons with empty passwords.\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86759", - "V-72135" - ], - "severity": "medium", - "gtitle": "SRG-OS-000392-GPOS-00172", - "satisfies": [ - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000465-GPOS-00209" + "V-71937", + "SV-86561" ], - "gid": "V-204536", - "rid": "SV-204536r861014_rule", - "stig_id": "RHEL-07-030560", - "fix_id": "F-4660r861013_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204424", + "rid": "SV-204424r880839_rule", + "stig_id": "RHEL-07-010290", + "fix_id": "F-4548r880838_fix", "cci": [ - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "pam", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204536' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.'\n desc 'Without generating audit 
records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/semanage\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86759', 'V-72135']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000465-GPOS-00209']\n tag gid: 'V-204536'\n tag rid: 'SV-204536r861014_rule'\n tag stig_id: 'RHEL-07-030560'\n tag fix_id: 'F-4660r861013_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 
'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/semanage'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", + "code": "control 'SV-204424' do\n title 'The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null\n passwords.'\n desc 'If an account has an empty password, anyone could log on and run commands with the privileges of that\n account. Accounts with empty passwords should never be used in operational environments.'\n desc 'check', 'To verify that null passwords cannot be used, run the following command:\n # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n If this produces any output, it may be possible to log on with accounts with empty passwords.\n If null passwords can be used, this is a finding.'\n desc 'fix', 'If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons with empty passwords.\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.'\n impact 0.7\n tag legacy: 
['V-71937', 'SV-86561']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204424'\n tag rid: 'SV-204424r880839_rule'\n tag stig_id: 'RHEL-07-010290'\n tag fix_id: 'F-4548r880838_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['pam', 'password']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should_not match_pam_rule('.* .* pam_unix.so nullok') }\n end\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should_not match_pam_rule('.* .* pam_unix.so nullok') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204536.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204424.rb", "line": 1 }, - "id": "SV-204536" + "id": "SV-204424" }, { - "title": "The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a\n period of inactivity for graphical user interfaces.", - "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "title": "Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous\n mode.", + "desc": "Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system.\n If unauthorized individuals can access these applications, it may allow then to collect information such as logon\n IDs, passwords, and key exchanges between systems.\n If the system is being used to perform a network 
troubleshooting function, the use of these tools must be documented\n with the Information System Security Officer (ISSO) and restricted to only authorized personnel.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", - "check": "Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have a GNOME installed, this requirement is Not Applicable.\n\nCheck for the session lock settings with the following commands:\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/*\n idle-activation-enabled=true\n \nIf \"idle-activation-enabled\" is not set to \"true\", this is a finding.", - "fix": "Configure the operating system to initiate a session lock after a 15-minute period of inactivity for\n graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Add the setting to enable screensaver locking after 15 minutes of inactivity:\n [org/gnome/desktop/screensaver]\n idle-activation-enabled=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." 
+ "default": "Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system.\n If unauthorized individuals can access these applications, it may allow then to collect information such as logon\n IDs, passwords, and key exchanges between systems.\n If the system is being used to perform a network troubleshooting function, the use of these tools must be documented\n with the Information System Security Officer (ISSO) and restricted to only authorized personnel.", + "check": "Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n Check for the status with the following command:\n # ip link | grep -i promisc\n If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO\n and documented, this is a finding.", + "fix": "Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n Set the promiscuous mode of an interface to off with the following command:\n #ip link set dev multicast off promisc off" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71899", - "SV-86523" + "V-72295", + "SV-86919" ], "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "gid": "V-204402", - "rid": "SV-204402r880782_rule", - "stig_id": "RHEL-07-010100", - "fix_id": "F-4526r880781_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204618", + "rid": "SV-204618r603261_rule", + "stig_id": "RHEL-07-040670", + "fix_id": "F-4742r89047_fix", "cci": [ - "CCI-000057" + "CCI-000366" ], "nist": [ - "AC-11 a" + "CM-6 b" ], "subsystems": [ - "gui", - "session", - "lock" + "network", + "ip_link" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204402' do\n title 'The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a\n period of inactivity for graphical user interfaces.'\n desc \"A session time-out lock is 
a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', \"Verify the operating system initiates a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have a GNOME installed, this requirement is Not Applicable.\n\nCheck for the session lock settings with the following commands:\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/*\n idle-activation-enabled=true\n \nIf \\\"idle-activation-enabled\\\" is not set to \\\"true\\\", this is a finding.\"\n desc 'fix', \"Configure the operating system to initiate a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for\n graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Add the setting to enable screensaver locking after #{input('system_activity_timeout')/60} minutes of inactivity:\n [org/gnome/desktop/screensaver]\n idle-activation-enabled=true\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.\"\n impact 0.5\n tag legacy: ['V-71899', 'SV-86523']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204402'\n tag rid: 'SV-204402r880782_rule'\n tag stig_id: 'RHEL-07-010100'\n tag fix_id: 'F-4526r880781_fix'\n tag cci: 
['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui', 'session', 'lock']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command('gsettings get org.gnome.desktop.screensaver idle-activation-enabled') do\n its('stdout.strip') { should cmp 'true' }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-204618' do\n title 'Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous\n mode.'\n desc 'Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system.\n If unauthorized individuals can access these applications, it may allow then to collect information such as logon\n IDs, passwords, and key exchanges between systems.\n If the system is being used to perform a network troubleshooting function, the use of these tools must be documented\n with the Information System Security Officer (ISSO) and restricted to only authorized personnel.'\n desc 'check', 'Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n Check for the status with the following command:\n # ip link | grep -i promisc\n If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO\n and documented, this is a finding.'\n desc 'fix', 'Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n Set the promiscuous mode of an interface to off with the following command:\n #ip link set dev multicast off promisc off'\n impact 0.5\n tag legacy: ['V-72295', 'SV-86919']\n tag severity: 'medium'\n tag gtitle: 
'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204618'\n tag rid: 'SV-204618r603261_rule'\n tag stig_id: 'RHEL-07-040670'\n tag fix_id: 'F-4742r89047_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['network', 'ip_link']\n tag 'host'\n tag 'container'\n\n describe command('ip link | grep -i promisc') do\n its('stdout.strip') { should match(/^$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204402.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204618.rb", "line": 1 }, - "id": "SV-204402" + "id": "SV-204618" }, { - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent\n Banner immediately prior to, or as part of, remote access logon prompts.", - "desc": "Display of a standardized and approved use notification before granting access to the publicly accessible\n operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws,\n Executive Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. 
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to\n only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.", + "desc": "DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2\n hash algorithm meeting this requirement is SHA.\n The system will attempt to use the first hash presented by the client that matches the server list. Listing the\n values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH\n connection.", "descriptions": { - "default": "Display of a standardized and approved use notification before granting access to the publicly accessible\n operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws,\n Executive Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. 
Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"", - "check": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory\n DoD Notice and Consent Banner before granting access to the system.\n Check for the location of the banner file being used with the following command:\n # grep -i banner /etc/ssh/sshd_config\n banner /etc/issue\n This command will return the banner keyword and the name of the file that contains the ssh banner (in this case\n \"/etc/issue\").\n If the line is commented out, this is a finding.\n View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice\n and Consent Banner:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD\n Notice and Consent Banner, this is a finding.\n If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the system via the ssh.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will\n contain the logon banner (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor). An example configuration line is:\n banner /etc/issue\n Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice\n and Consent Banner. The DoD required text is:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n The SSH service must be restarted for changes to take effect." + "default": "DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2\n hash algorithm meeting this requirement is SHA.\n The system will attempt to use the first hash presented by the client that matches the server list. Listing the\n values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH\n connection.", + "check": "Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes.\n Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS\n 140-2-approved cryptographic algorithms and hashes.\n Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following\n command:\n # grep -i macs /etc/ssh/sshd_config\n MACs hmac-sha2-512,hmac-sha2-256\n If any hashes other than \"hmac-sha2-512\" or \"hmac-sha2-256\" are listed, the order differs from the example above,\n they are missing, or the returned line is commented out, this is a finding.", + "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"MACs\" keyword and set its\n value to \"hmac-sha2-512\" and/or \"hmac-sha2-256\" (this file may be named differently or be in a different location if\n using a version of SSH that is provided by a third-party vendor):\n MACs hmac-sha2-512,hmac-sha2-256\n The SSH service must be restarted for changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72225", - "SV-86849" + "SV-86877", + "V-72253" ], "severity": "medium", - "gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000024-GPOS-00007", - "SRG-OS-000228-GPOS-00088" - ], - "gid": "V-204580", - "rid": "SV-204580r603261_rule", - "stig_id": "RHEL-07-040170", - "fix_id": "F-4704r297486_fix", + "gtitle": "SRG-OS-000250-GPOS-00093", + "gid": "V-204595", + "rid": "SV-204595r877394_rule", + "stig_id": "RHEL-07-040400", + "fix_id": "F-4719r622309_fix", "cci": [ - "CCI-000048", - "CCI-000050", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" + "CCI-001453" ], "nist": [ - "AC-8 a", - "AC-8 b", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 3" + "AC-17 (2)" ], "subsystems": [ - "ssh", - "banner" + "ssh" ], "host": null }, - "code": "control 'SV-204580' do\n title \"The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent\n Banner immediately prior to, or as part of, remote access logon prompts.\"\n desc \"Display of a standardized and approved use notification before granting access to the publicly accessible\n operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws,\n Executive Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. 
Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \\\"#{input('banner_message_text_ral')}\\\" \"\n desc 'check', \"Verify any publicly accessible connection to the operating system displays the Standard Mandatory\n #{input('org_name')[:acronym]} Notice and Consent Banner before granting access to the system.\n Check for the location of the banner file being used with the following command:\n # grep -i banner /etc/ssh/sshd_config\n banner /etc/issue\n This command will return the banner keyword and the name of the file that contains the ssh banner (in this case\n \\\"/etc/issue\\\").\n If the line is commented out, this is a finding.\n View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory #{input('org_name')[:acronym]} Notice\n and Consent Banner:\n \\\"#{input('banner_message_text_ral')}\\\"\n If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory #{input('org_name')[:acronym]}\n Notice and Consent Banner, this is a finding.\n If the text in the file does not match the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding.\"\n desc 'fix', \"Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the system via the ssh.\n Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment the banner keyword and configure it to point to a file that will\n contain the logon banner (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor). An example configuration line is:\n banner /etc/issue\n Either create the file containing the banner or replace the text in the file with the Standard Mandatory #{input('org_name')[:acronym]} Notice\n and Consent Banner. 
The #{input('org_name')[:acronym]} required text is:\n \\\"#{input('banner_message_text_ral')}\\\"\n The SSH service must be restarted for changes to take effect.\"\n impact 0.5\n tag legacy: ['V-72225', 'SV-86849']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-204580'\n tag rid: 'SV-204580r603261_rule'\n tag stig_id: 'RHEL-07-040170'\n tag fix_id: 'F-4704r297486_fix'\n tag cci: ['CCI-000048', 'CCI-000050', 'CCI-001384', 'CCI-001385', 'CCI-001386', 'CCI-001387', 'CCI-001388']\n tag nist: ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 3']\n tag subsystems: ['ssh', 'banner']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n\n banner_message_text_ral = input('banner_message_text_ral')\n banner_message_text_ral_limited = input('banner_message_text_ral_limited')\n\n # When Banner is commented, not found, disabled, or the specified file does not exist, this is a finding.\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n # Banner property is commented out.\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n\n # Banner property is set to \"none\"\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n\n # Banner property provides a path to a file, however, it does not exist.\n if !banner_file.nil? && banner_file.match(/none/i).nil? 
&& !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n\n # Banner property provides a path to a file and it exists.\n unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n next\n end\n\n describe.one do\n banner = file(banner_file).content.gsub(/[\\r\\n\\s]/, '')\n clean_banner = banner_message_text_ral.gsub(/[\\r\\n\\s]/, '')\n clean_banner_limited = banner_message_text_ral_limited.gsub(/[\\r\\n\\s]/,\n '')\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { banner }\n it { should cmp clean_banner }\n end\n\n describe 'The SSHD Banner is set to the standard limited banner and has the correct text' do\n subject { banner }\n it { should cmp clean_banner_limited }\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204595' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to\n only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.\"\n desc \"#{input('org_name')[:acronym]} information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2\n hash algorithm meeting this requirement is SHA.\n The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the\n values \\\"strongest to weakest\\\" is a method to ensure the use of the strongest hash available to secure the SSH\n connection.\"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes.\n Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS\n 140-2-approved cryptographic algorithms and hashes.\n Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following\n command:\n # grep -i macs /etc/ssh/sshd_config\n MACs hmac-sha2-512,hmac-sha2-256\n If any hashes other than \\\"hmac-sha2-512\\\" or \\\"hmac-sha2-256\\\" are listed, the order differs from the example above,\n they are missing, or the returned line is commented out, this is a finding.\"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"MACs\\\" keyword and set its\n value to \\\"hmac-sha2-512\\\" and/or \\\"hmac-sha2-256\\\" (this file may be named differently or be in a different location if\n using a version of SSH that is provided by a third-party vendor):\n MACs hmac-sha2-512,hmac-sha2-256\n The SSH service must be restarted for changes to take effect.\"\n impact 0.5\n tag legacy: ['SV-86877', 'V-72253']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag gid: 'V-204595'\n tag rid: 'SV-204595r877394_rule'\n tag stig_id: 'RHEL-07-040400'\n tag fix_id: 'F-4719r622309_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n\n macs = sshd_config.params('macs')\n if macs.nil?\n # fail fast\n describe 'The `sshd_config` setting for `MACs`' do\n subject { macs 
}\n it 'should be explicitly set and not commented out' do\n expect(subject).not_to be_nil\n end\n end\n else\n describe 'The list of MACs enabled on the system' do\n subject { macs }\n it { should cmp 'hmac-sha2-512,hmac-sha2-256' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204580.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204595.rb", "line": 1 }, - "id": "SV-204580" + "id": "SV-204595" }, { - "title": "The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.", - "desc": "Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps\n may consume a considerable amount of disk space and may result in denial of service by exhausting the available\n space on the target file system partition.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit\n Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.", + "desc": "GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing\n GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the\n system. GSSAPI authentication must be disabled unless needed.", "descriptions": { - "default": "Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps\n may consume a considerable amount of disk space and may result in denial of service by exhausting the available\n space on the target file system partition.", - "check": "Verify that kernel core dumps are disabled unless needed.\n Check the status of the \"kdump\" service with the following command:\n # systemctl status kdump.service\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n kernel arming.\n If the \"kdump\" service is active, ask the System Administrator if the use of the service is required and documented\n with the Information System Security Officer (ISSO).\n If the service is active and is not documented, this is a finding.", - "fix": "If kernel core dumps are not required, disable the \"kdump\" service with the following command:\n # systemctl disable kdump.service\n If kernel core dumps are required, document the need with the ISSO." + "default": "GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing\n GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the\n system. 
GSSAPI authentication must be disabled unless needed.", + "check": "Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n Check that the SSH daemon does not permit GSSAPI authentication with the following command:\n # grep -i gssapiauth /etc/ssh/sshd_config\n GSSAPIAuthentication no\n If the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System\n Security Officer (ISSO), or the returned line is commented out, this is a finding.", + "fix": "Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"no\":\n GSSAPIAuthentication no\n The SSH service must be restarted for changes to take effect.\n If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with\n the ISSO." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86681", - "V-72057" + "V-72259", + "SV-86883" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204492", - "rid": "SV-204492r603261_rule", - "stig_id": "RHEL-07-021300", - "fix_id": "F-4616r88669_fix", + "gtitle": "SRG-OS-000364-GPOS-00151", + "gid": "V-204598", + "rid": "SV-204598r853993_rule", + "stig_id": "RHEL-07-040430", + "fix_id": "F-4722r88987_fix", "cci": [ - "CCI-000366" + "CCI-000318", + "CCI-000368", + "CCI-001812", + "CCI-001813", + "CCI-001814" ], "nist": [ - "CM-6 b" + "CM-3 f", + "CM-6 c", + "CM-11 (2)", + "CM-5 (1)", + "CM-5 (1) (a)" ], "subsystems": [ - "kdump", - "kernel" + "ssh" ], "host": null }, - "code": "control 'SV-204492' do\n title 'The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.'\n desc 'Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps\n may consume a considerable amount of disk space and may result in denial of service by exhausting the available\n space on the target file system partition.'\n desc 'check', 'Verify that kernel core dumps are disabled unless needed.\n Check the status of the \"kdump\" service with the following command:\n # systemctl status kdump.service\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n kernel arming.\n If the \"kdump\" service is active, ask the System Administrator if the use of the service is required and documented\n with the Information System Security Officer (ISSO).\n If the service is active and is not documented, this is a finding.'\n desc 'fix', 'If kernel core dumps are not required, disable the \"kdump\" service with the following command:\n # systemctl disable kdump.service\n If kernel core dumps are required, document the need with the ISSO.'\n impact 0.5\n tag legacy: ['SV-86681', 'V-72057']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204492'\n tag rid: 'SV-204492r603261_rule'\n tag stig_id: 'RHEL-07-021300'\n tag fix_id: 'F-4616r88669_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kdump', 'kernel']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n describe systemd_service('kdump.service') do\n it { should_not be_running }\n end\n end\nend\n", + "code": "control 'SV-204598' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit\n Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.'\n desc \"GSSAPI 
authentication is used to provide additional authentication mechanisms to applications. Allowing\n GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the\n system. GSSAPI authentication must be disabled unless needed.\"\n desc 'check', 'Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n Check that the SSH daemon does not permit GSSAPI authentication with the following command:\n # grep -i gssapiauth /etc/ssh/sshd_config\n GSSAPIAuthentication no\n If the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System\n Security Officer (ISSO), or the returned line is commented out, this is a finding.'\n desc 'fix', 'Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"no\":\n GSSAPIAuthentication no\n The SSH service must be restarted for changes to take effect.\n If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with\n the ISSO.'\n impact 0.5\n tag legacy: ['V-72259', 'SV-86883']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000364-GPOS-00151'\n tag gid: 'V-204598'\n tag rid: 'SV-204598r853993_rule'\n tag stig_id: 'RHEL-07-040430'\n tag fix_id: 'F-4722r88987_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif input('gssapi_approved')\n describe sshd_config do\n 
its('GSSAPIAuthentication') { should cmp 'no' }\n end\n else\n impact 0.0\n describe 'GSSAPI authentication is not approved' do\n skip 'GSSAPI authentication is not approved, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204492.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204598.rb", "line": 1 }, - "id": "SV-204492" + "id": "SV-204598" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chage command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/chcon\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/chage\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72139", - "SV-86763" + "SV-86779", + "V-72155" ], "severity": "medium", - "gtitle": "SRG-OS-000392-GPOS-00172", + "gtitle": "SRG-OS-000042-GPOS-00020", "satisfies": [ + "SRG-OS-000042-GPOS-00020", "SRG-OS-000392-GPOS-00172", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000465-GPOS-00209" + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-204538", - "rid": "SV-204538r861020_rule", - "stig_id": "RHEL-07-030580", - "fix_id": "F-4662r861019_fix", + "gid": "V-204545", + "rid": "SV-204545r861035_rule", + "stig_id": "RHEL-07-030660", + "fix_id": "F-4669r861034_fix", "cci": [ + "CCI-000135", "CCI-000172", "CCI-002884" ], "nist": [ + "AU-3 (1)", "AU-12 c", "MA-4 (1) (a)" ], 
@@ -6064,34 +5894,73 @@ ], "host": null }, - "code": "control 'SV-204538' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/chcon\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72139', 'SV-86763']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000465-GPOS-00209']\n tag gid: 'V-204538'\n tag rid: 
'SV-204538r861020_rule'\n tag stig_id: 'RHEL-07-030580'\n tag fix_id: 'F-4662r861019_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/chcon'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", + "code": "control 'SV-204545' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the chage command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/chage\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86779', 'V-72155']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204545'\n tag rid: 'SV-204545r861035_rule'\n tag stig_id: 'RHEL-07-030660'\n tag fix_id: 'F-4669r861034_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/chage'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 
'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204538.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204545.rb", "line": 1 }, - "id": "SV-204538" + "id": "SV-204545" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is\n configured to verify Access Control Lists (ACLs).", - "desc": "ACLs can provide permissions beyond those permitted through the file mode and must be verified by file\n integrity tools.", + "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay\n setting for the graphical user interface.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", "descriptions": { - "default": "ACLs can provide permissions beyond those permitted through the file mode and must be verified by file\n integrity tools.", - "check": "Verify the file integrity tool is configured to verify ACLs.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"acl\" rule is below:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"acl\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or ACLs are not being checked by another file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory ACLs.\n If AIDE is installed, ensure the \"acl\" rule is present on all uncommented file and directory selection lists." + "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "check": "Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the session idle delay setting with the 
following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n # grep -i idle-delay /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/session/idle-delay\n\nIf the command does not return a result, this is a finding.", + "fix": "Configure the operating system to prevent a user from overriding a session lock after a 15-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \"local\" for the system, so if the system is using another database in\n /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the session idle delay:\n /org/gnome/desktop/session/idle-delay" + }, + "impact": 0, + "refs": [], + "tags": { + "legacy": [ + "V-73157", + "SV-87809" + ], + "severity": "medium", + "gtitle": "SRG-OS-000029-GPOS-00010", + "gid": "V-204400", + "rid": "SV-204400r880776_rule", + "stig_id": "RHEL-07-010082", + "fix_id": "F-4524r880775_fix", + "cci": [ + "CCI-000057" + ], + "nist": [ + "AC-11 a" + ], + "subsystems": [ + "gui" + ], + "host": null + }, + "code": "control 'SV-204400' do\n title 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay\n setting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's 
session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', \"Verify the operating system prevents a user from overriding session idle delay after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the session idle delay setting with the following command:\n\nNote: The example below is using the database \\\"local\\\" for the system, so the path is \\\"/etc/dconf/db/local.d\\\". This path must be modified if a database other than \\\"local\\\" is being used.\n\n # grep -i idle-delay /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/session/idle-delay\n\nIf the command does not return a result, this is a finding.\"\n desc 'fix', \"Configure the operating system to prevent a user from overriding a session lock after a #{input('system_activity_timeout')/60}-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \\\"local\\\" for the system, so if the system is using another database in\n /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the session idle delay:\n /org/gnome/desktop/session/idle-delay\"\n impact 0.5\n tag legacy: ['V-73157', 'SV-87809']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204400'\n tag rid: 'SV-204400r880776_rule'\n tag stig_id: 'RHEL-07-010082'\n tag fix_id: 'F-4524r880775_fix'\n tag cci: 
['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command('gsettings writable org.gnome.desktop.session idle-delay') do\n its('stdout.strip') { should cmp 'false' }\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 7 STIG/controls/SV-204400.rb", + "line": 1 + }, + "id": "SV-204400" + }, + { + "title": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is\n configured to verify extended attributes.", + "desc": "Extended attributes in file systems are used to contain arbitrary data and file metadata with security\n implications.", + "descriptions": { + "default": "Extended attributes in file systems are used to contain arbitrary data and file metadata with security\n implications.", + "check": "Verify the file integrity tool is configured to verify extended attributes.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"xattrs\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding.", + "fix": "Configure the file integrity tool to check file and directory extended attributes.\n If AIDE is installed, ensure the \"xattrs\" rule is present on all uncommented file and directory selection lists." }, "impact": 0.3, "refs": [], "tags": { "legacy": [ - "SV-86693", - "V-72069" + "SV-86695", + "V-72071" ], "severity": "low", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204498", - "rid": "SV-204498r880856_rule", - "stig_id": "RHEL-07-021600", - "fix_id": "F-4622r88687_fix", + "gid": "V-204499", + "rid": "SV-204499r880858_rule", + "stig_id": "RHEL-07-021610", + "fix_id": "F-4623r88690_fix", "cci": [ "CCI-000366" ], 
@@ -6104,601 +5973,579 @@ "host": null, "container": null }, - "code": "control 'SV-204498' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is\n configured to verify Access Control Lists (ACLs).'\n desc 'ACLs can provide permissions beyond those permitted through the file mode and must be verified by file\n integrity tools.'\n desc 'check', 'Verify the file integrity tool is configured to verify ACLs.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"acl\" rule is below:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"acl\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or ACLs are not being checked by another file integrity tool, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to check file and directory ACLs.\n If AIDE is installed, ensure the \"acl\" rule is present on all uncommented file and directory selection lists.'\n impact 0.3\n tag legacy: ['SV-86693', 'V-72069']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204498'\n tag rid: 'SV-204498r880856_rule'\n tag stig_id: 'RHEL-07-021600'\n tag fix_id: 'F-4622r88687_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n aide_conf_file_path = input('aide_conf_path')\n\n if file_integrity_tool == 'aide'\n if 
aide_conf(aide_conf_file_path).exist?\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n unless selection.rules.include? 'acl'\n findings.append(selection.selection_line)\n end\n end\n\n describe \"List of monitored files/directories without 'acl' rule\" do\n subject { findings }\n it { should be_empty }\n end\n else\n describe \"AIDE configuration file at: #{aide_conf_file_path}\" do\n subject { aide_conf(aide_conf_file_path) }\n it { should exist }\n end\n end\n else\n describe 'Need manual review of file integrity tool' do\n skip 'A manual review of the file integrity tool is required to ensure that it verifies ACLs.'\n end\n end\nend\n", + "code": "control 'SV-204499' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is\n configured to verify extended attributes.'\n desc 'Extended attributes in file systems are used to contain arbitrary data and file metadata with security\n implications.'\n desc 'check', 'Verify the file integrity tool is configured to verify extended attributes.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"xattrs\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to check file and directory extended attributes.\n If AIDE is installed, ensure the \"xattrs\" rule is present on all uncommented file and directory selection lists.'\n impact 0.3\n tag legacy: ['SV-86695', 'V-72071']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204499'\n tag rid: 'SV-204499r880858_rule'\n tag stig_id: 'RHEL-07-021610'\n tag fix_id: 'F-4623r88690_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n aide_conf_file_path = input('aide_conf_path')\n\n if file_integrity_tool == 'aide'\n if aide_conf(aide_conf_file_path).exist?\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n unless selection.rules.include? 
'xattrs'\n findings.append(selection.selection_line)\n end\n end\n\n describe \"List of monitored files/directories without 'xattrs' rule\" do\n subject { findings }\n it { should be_empty }\n end\n else\n describe \"AIDE configuration file at: #{aide_conf_file_path}\" do\n subject { aide_conf(aide_conf_file_path) }\n it { should exist }\n end\n end\n else\n describe 'Need manual review of file integrity tool' do\n skip 'A manual review of the file integrity tool is required to ensure that it verifies ACLs.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204498.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204499.rb", "line": 1 }, - "id": "SV-204498" + "id": "SV-204499" }, { - "title": "The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the\n confidentiality of SSH connections.", - "desc": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and\n therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to\n cryptographic modules.\n FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize\n authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general\n purpose computing system.\n The system will attempt to use the first cipher presented by the client that matches the server list. 
Listing the\n values \"strongest to weakest\" is a method to ensure the use of the strongest cipher available to secure the SSH\n connection.", + "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", "descriptions": { - "default": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and\n therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to\n cryptographic modules.\n FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize\n authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general\n purpose computing system.\n The system will attempt to use the first cipher presented by the client that matches the server list. 
Listing the\n values \"strongest to weakest\" is a method to ensure the use of the strongest cipher available to secure the SSH\n connection.", - "check": "Verify the operating system uses mechanisms meeting the requirements of applicable federal laws,\n Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic\n module.\n The location of the \"sshd_config\" file may vary if a different daemon is in use.\n Inspect the \"Ciphers\" configuration with the following command:\n # grep -i ciphers /etc/ssh/sshd_config\n Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n If any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example\n above, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.", - "fix": "Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor).\n Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n The SSH service must be restarted for changes to take effect." + "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. 
Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", + "check": "For systems that use BIOS, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\n set superusers=\"[someuniquestringhere]\"\n export superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.", + "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "legacy": [ - "V-72221", - "SV-86845" - ], "severity": "medium", - "gtitle": "SRG-OS-000033-GPOS-00014", - "satisfies": [ - "SRG-OS-000033-GPOS-00014", - "SRG-OS-000120-GPOS-00061", - "SRG-OS-000125-GPOS-00065", - "SRG-OS-000250-GPOS-00093", - "SRG-OS-000393-GPOS-00173" - ], - "gid": "V-204578", - "rid": "SV-204578r877398_rule", - "stig_id": "RHEL-07-040110", - "fix_id": "F-4702r622306_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "satisfies": null, + "gid": "V-244558", + "rid": "SV-244558r833187_rule", + "stig_id": "RHEL-07-010492", + "fix_id": "F-47790r833186_fix", "cci": [ - "CCI-000068", - "CCI-000366", - "CCI-000803" + "CCI-000213" ], + "legacy": [], "nist": [ - "AC-17 (2)", - "CM-6 b", - "IA-7" + "AC-3" ], "subsystems": [ - "ssh" + "grub" ], - "host": null + "host": null, + "container": null }, - "code": 
"control 'SV-204578' do\n title \"The Red Hat Enterprise Linux 7 operating system must implement #{input('org_name')[:acronym]}-approved encryption to protect the\n confidentiality of SSH connections.\"\n desc \"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and\n therefore cannot be relied upon to provide confidentiality or integrity, and #{input('org_name')[:acronym]} data may be compromised.\n Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to\n cryptographic modules.\n FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize\n authentication that meets #{input('org_name')[:acronym]} requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general\n purpose computing system.\n The system will attempt to use the first cipher presented by the client that matches the server list. Listing the\n values \\\"strongest to weakest\\\" is a method to ensure the use of the strongest cipher available to secure the SSH\n connection.\"\n desc 'check', 'Verify the operating system uses mechanisms meeting the requirements of applicable federal laws,\n Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic\n module.\n The location of the \"sshd_config\" file may vary if a different daemon is in use.\n Inspect the \"Ciphers\" configuration with the following command:\n # grep -i ciphers /etc/ssh/sshd_config\n Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n If any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example\n above, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.'\n desc 'fix', 'Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n Add the following line (or modify the line to have the required value) to the 
\"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor).\n Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['V-72221', 'SV-86845']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000120-GPOS-00061', 'SRG-OS-000125-GPOS-00065', 'SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173']\n tag gid: 'V-204578'\n tag rid: 'SV-204578r877398_rule'\n tag stig_id: 'RHEL-07-040110'\n tag fix_id: 'F-4702r622306_fix'\n tag cci: ['CCI-000068', 'CCI-000366', 'CCI-000803']\n tag nist: ['AC-17 (2)', 'CM-6 b', 'IA-7']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n ciphers_array = sshd_config.params('ciphers')\n\n ciphers_array = ciphers_array.first.split(',') unless ciphers_array.nil?\n\n describe 'List of encryption algortihms used for SSH connections' do\n subject { ciphers_array }\n it { should_not be_nil }\n it { should eq ['aes256-ctr', 'aes192-ctr', 'aes128-ctr'] }\n end\n end\nend\n", + "code": "control 'SV-244558' do\n title 'Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.'\n desc 'check', 'For systems that use BIOS, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\n set superusers=\"[someuniquestringhere]\"\n export superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.'\n desc 'fix', 'Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag satisfies: nil\n tag gid: 'V-244558'\n tag rid: 'SV-244558r833187_rule'\n tag stig_id: 'RHEL-07-010492'\n tag fix_id: 'F-47790r833186_fix'\n tag cci: ['CCI-000213']\n tag legacy: []\n tag nist: ['AC-3']\n tag subsystems: ['grub']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif file('/sys/firmware/efi').exist?\n if 
os[:release] >= '7.2'\n describe parse_config_file(input('grub_uefi_main_cfg')) do\n its('set superusers') { should exist }\n its('set superusers') { should_not be_in users.usernames }\n end\n else\n impact 0.0\n describe 'System running version of RHEL prior to 7.2' do\n skip 'The System is running an outdated version of RHEL, this control is Not Applicable.'\n end\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running BIOS, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204578.rb", + "ref": "./Red Hat 7 STIG/controls/SV-244558.rb", "line": 1 }, - "id": "SV-204578" + "id": "SV-244558" }, { - "title": "The Red Hat Enterprise Linux operating system must enable an application firewall, if available.", - "desc": "Firewalls protect computers from network attacks by blocking or limiting access to open network ports.\n Application firewalls limit which applications are allowed to communicate over the network.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are\n restricted to a 24 hours/1 day minimum lifetime.", + "desc": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.", "descriptions": { - "default": "Firewalls protect computers from network attacks by blocking or limiting access to open network ports.\n Application firewalls limit which applications are allowed to communicate over the network.", - "check": "Verify the operating system enabled an application firewall.\n Check to see if \"firewalld\" is installed with the following command:\n # yum list installed firewalld\n firewalld-0.3.9-11.el7.noarch.rpm\n If the \"firewalld\" package is not installed, ask the System Administrator if another firewall application (such as\n iptables) is installed.\n If an application firewall is not installed, this is a finding.\n Check to see if the firewall is loaded and active with the following command:\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n If \"firewalld\" does not show a status of \"loaded\" and \"active\", this is a finding.\n Check the state of the firewall:\n # firewall-cmd --state\n running\n If \"firewalld\" does not show a state of \"running\", this is a finding.", - "fix": "Ensure the operating system's application firewall is enabled.\n Install the \"firewalld\" package, if it is not on the system, with the following command:\n # yum install firewalld\n Start the firewall via \"systemctl\" with the following command:\n # systemctl start firewalld" + "default": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.", + "check": "Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user\n accounts.\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command:\n # grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.", + "fix": "Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.\n Add the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n PASS_MIN_DAYS 1" }, "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "SV-86897", - "V-72273" + "legacy": [ + "V-71925", + "SV-86549" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "satisfies": [ - "SRG-OS-000480-GPOS-00227", - "SRG-OS-000480-GPOS-00231", - "SRG-OS-000480-GPOS-00232" - ], - "gid": "V-204604", - "rid": "SV-204604r603261_rule", - "stig_id": "RHEL-07-040520", - "fix_id": "F-4728r89005_fix", + "gtitle": "SRG-OS-000075-GPOS-00043", + "gid": "V-204418", + "rid": "SV-204418r603261_rule", + "stig_id": "RHEL-07-010230", + "fix_id": "F-4542r88447_fix", "cci": [ - "CCI-000366" + "CCI-000198" ], "nist": [ - "CM-6 b" + "IA-5 (1) (d)" ], "subsystems": [ - "firewalld", - "iptables" - ], - "host": null, - "container": null + "login_defs", + "password" + ] }, - "code": "control 'SV-204604' do\n title 'The Red Hat Enterprise Linux operating system must enable an application firewall, if available.'\n desc 'Firewalls protect computers from network attacks by blocking or limiting access to open network ports.\n Application firewalls limit which applications are allowed to communicate over the network.'\n desc 'check', 'Verify the operating system enabled an 
application firewall.\n Check to see if \"firewalld\" is installed with the following command:\n # yum list installed firewalld\n firewalld-0.3.9-11.el7.noarch.rpm\n If the \"firewalld\" package is not installed, ask the System Administrator if another firewall application (such as\n iptables) is installed.\n If an application firewall is not installed, this is a finding.\n Check to see if the firewall is loaded and active with the following command:\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n If \"firewalld\" does not show a status of \"loaded\" and \"active\", this is a finding.\n Check the state of the firewall:\n # firewall-cmd --state\n running\n If \"firewalld\" does not show a state of \"running\", this is a finding.'\n desc 'fix', %q(Ensure the operating system's application firewall is enabled.\n Install the \"firewalld\" package, if it is not on the system, with the following command:\n # yum install firewalld\n Start the firewall via \"systemctl\" with the following command:\n # systemctl start firewalld)\n impact 0.5\n tag legacy: ['SV-86897', 'V-72273']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: ['SRG-OS-000480-GPOS-00227', 'SRG-OS-000480-GPOS-00231', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-204604'\n tag rid: 'SV-204604r603261_rule'\n tag stig_id: 'RHEL-07-040520'\n tag fix_id: 'F-4728r89005_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['firewalld', 'iptables']\n tag 'host'\n tag 'container'\n\n describe.one do\n describe package('firewalld') do\n it { should be_installed }\n end\n describe package('iptables') do\n it { should be_installed }\n end\n if input('firewall_application_package') != ''\n describe package(input('firewall_application_package')) do\n it { should be_installed }\n end\n end\n 
end\n describe.one do\n describe systemd_service('firewalld.service') do\n it { should be_running }\n end\n describe systemd_service('iptables.service') do\n it { should be_running }\n end\n if input('firewall_application_service') != ''\n describe systemd_service(input('firewall_application_service')) do\n it { should be_running }\n end\n end\n end\nend\n", + "code": "control 'SV-204418' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are\n restricted to a 24 hours/1 day minimum lifetime.'\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.\"\n desc 'check', 'Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user\n accounts.\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command:\n # grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.\n Add the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n PASS_MIN_DAYS 1'\n impact 0.5\n tag legacy: ['V-71925', 'SV-86549']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000075-GPOS-00043'\n tag gid: 'V-204418'\n tag rid: 'SV-204418r603261_rule'\n tag stig_id: 'RHEL-07-010230'\n tag fix_id: 'F-4542r88447_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag subsystems: ['login_defs', 'password']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should cmp >= 1 }\n its('PASS_MIN_DAYS') { should_not be_nil }\n 
end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204604.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204418.rb", "line": 1 }, - "id": "SV-204604" + "id": "SV-204418" }, { - "title": "The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to\n privileged accounts via pluggable authentication modules (PAM).", - "desc": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "title": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from\n being executed on file systems that are used with removable media.", + "desc": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. 
This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.", "descriptions": { - "default": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).", - "check": "Verify the operating system implements multifactor authentication for remote access to privileged\n accounts via pluggable authentication modules (PAM).\n Check the \"/etc/sssd/sssd.conf\" file for the authentication services that are being used with the following command:\n # grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n services = nss, pam\n If the \"pam\" service is not present on all \"services\" lines, this is a finding.", - "fix": "Configure the operating system to implement multifactor authentication for remote access to privileged\n accounts via pluggable authentication modules (PAM).\n Modify all of the services lines in \"/etc/sssd/sssd.conf\" or in configuration files found under \"/etc/sssd/conf.d\"\n to include pam." + "default": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.", + "check": "Verify file systems that are used for removable media are mounted with the \"nosuid\" option.\n Check the file systems that are mounted at boot time with the following command:\n # more /etc/fstab\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n If a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this\n is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with\n removable media." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72427", - "SV-87051" + "SV-86667", + "V-72043" ], "severity": "medium", - "gtitle": "SRG-OS-000375-GPOS-00160", - "satisfies": [ - "SRG-OS-000375-GPOS-00160", - "SRG-OS-000375-GPOS-00161", - "SRG-OS-000375-GPOS-00162" - ], - "gid": "V-204632", - "rid": "SV-204632r853998_rule", - "stig_id": "RHEL-07-041002", - "fix_id": "F-4756r89089_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204481", + "rid": "SV-204481r603261_rule", + "stig_id": "RHEL-07-021010", + "fix_id": "F-4605r88636_fix", "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" + "CCI-000366" ], "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" + "CM-6 b" ], "subsystems": [ - "sssd" + "file_system", + "removable_media" ], "host": null }, - "code": "control 'SV-204632' do\n title 'The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to\n privileged accounts via pluggable authentication modules (PAM).'\n desc \"Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. 
Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).\"\n desc 'check', 'Verify the operating system implements multifactor authentication for remote access to privileged\n accounts via pluggable authentication modules (PAM).\n Check the \"/etc/sssd/sssd.conf\" file for the authentication services that are being used with the following command:\n # grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n services = nss, pam\n If the \"pam\" service is not present on all \"services\" lines, this is a finding.'\n desc 'fix', 'Configure the operating system to implement multifactor authentication for remote access to privileged\n accounts via pluggable authentication modules (PAM).\n Modify all of the services lines in \"/etc/sssd/sssd.conf\" or in configuration files found under \"/etc/sssd/conf.d\"\n to include pam.'\n impact 0.5\n tag legacy: ['V-72427', 'SV-87051']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000375-GPOS-00161', 'SRG-OS-000375-GPOS-00162']\n tag gid: 'V-204632'\n tag rid: 'SV-204632r853998_rule'\n tag stig_id: 'RHEL-07-041002'\n tag fix_id: 'F-4756r89089_fix'\n tag cci: ['CCI-001948', 'CCI-001953', 'CCI-001954']\n tag nist: ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)']\n tag subsystems: ['sssd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif package('sssd').installed?\n if !(sssd_files = command('find /etc/sssd -name *.conf').stdout.split(\"\\n\")).empty?\n sssd_files.each do |file|\n next unless package('sssd').installed?\n\n describe.one 
do\n if package('sssd').installed?\n describe parse_config_file(file) do\n its('services') { should include 'pam' }\n end\n end\n if package('sssd').installed?\n describe command(\"grep -i -E 'services(\\s)*=(\\s)*(.+*)pam' #{file}\") do\n its('stdout.strip') { should include 'pam' }\n end\n end\n end\n end\n else\n describe 'The set of SSSD configuration files' do\n subject { sssd_files.to_a }\n it { should_not be_empty }\n end\n end\n else\n impact 0.0\n describe 'The SSSD Package is not installed on the system' do\n skip 'This control is Not Appliciable without the SSSD Package installed.'\n end\n end\nend\n", + "code": "control 'SV-204481' do\n title 'The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from\n being executed on file systems that are used with removable media.'\n desc 'The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.'\n desc 'check', 'Verify file systems that are used for removable media are mounted with the \"nosuid\" option.\n Check the file systems that are mounted at boot time with the following command:\n # more /etc/fstab\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n If a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this\n is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with\n removable media.'\n impact 0.5\n tag legacy: ['SV-86667', 'V-72043']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204481'\n tag rid: 'SV-204481r603261_rule'\n tag stig_id: 'RHEL-07-021010'\n tag fix_id: 'F-4605r88636_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_system', 'removable_media']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n non_removable_media_fs = input('non_removable_media_fs')\n\n file_systems = etc_fstab.params\n if !file_systems.nil? and !file_systems.empty?\n file_systems.each do |file_sys_line|\n if !non_removable_media_fs.to_s.include?(file_sys_line['file_system_type'])\n describe file_sys_line['mount_options'] do\n it { should include 'nosuid' }\n end\n else\n describe \"File system \\\"#{file_sys_line['file_system_type']}\\\" does not correspond to removable media.\" do\n subject do\n non_removable_media_fs.to_s.include?(file_sys_line['file_system_type'])\n end\n it { should eq true }\n end\n end\n end\n else\n describe 'No file systems were found.' do\n subject { file_systems.nil? 
}\n it { should eq true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204632.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204481.rb", "line": 1 }, - "id": "SV-204632" + "id": "SV-204481" }, { - "title": "The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system\n via a graphical user interface.", - "desc": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS)\n must require authentication upon booting into single-user and maintenance modes.", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.", "descriptions": { - "default": "Failure to restrict system access to authenticated users negatively impacts operating system security.", - "check": "Verify the operating system does not allow an unattended or automatic logon to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check for the value of the \"AutomaticLoginEnable\" in the \"/etc/gdm/custom.conf\" file with the following command:\n # grep -i automaticloginenable /etc/gdm/custom.conf\n AutomaticLoginEnable=false\n If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a finding.", - "fix": "Configure the operating system to not allow an unattended or automatic logon to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Add or edit the line for 
the \"AutomaticLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\"\n file to \"false\":\n [daemon]\n AutomaticLoginEnable=false" + "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.", + "check": "For systems that use UEFI, this is Not Applicable.\n For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:\n $ sudo grep -iw grub2_password /boot/grub2/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.", + "fix": "Configure the system to encrypt the boot password for the grub superusers account with the\n grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.\n Generate an encrypted grub2 password for the grub superusers account with the following command:\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:" }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "V-71953", - "SV-86577" + "SV-95717", + "V-81005" ], "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00229", - "gid": "V-204432", - "rid": "SV-204432r877377_rule", - "stig_id": "RHEL-07-010440", - "fix_id": "F-4556r88489_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-204438", + "rid": "SV-204438r744095_rule", + "stig_id": "RHEL-07-010482", + "fix_id": "F-4562r744094_fix", "cci": [ - "CCI-000366" + "CCI-000213" ], "nist": [ - "CM-6 b" + "AC-3" ], "subsystems": [ - "gdm" + "boot", + "bios" ], "host": null }, - "code": "control 'SV-204432' 
do\n title 'The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system\n via a graphical user interface.'\n desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'\n desc 'check', 'Verify the operating system does not allow an unattended or automatic logon to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check for the value of the \"AutomaticLoginEnable\" in the \"/etc/gdm/custom.conf\" file with the following command:\n # grep -i automaticloginenable /etc/gdm/custom.conf\n AutomaticLoginEnable=false\n If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a finding.'\n desc 'fix', 'Configure the operating system to not allow an unattended or automatic logon to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Add or edit the line for the \"AutomaticLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\"\n file to \"false\":\n [daemon]\n AutomaticLoginEnable=false'\n impact 0.7\n tag legacy: ['V-71953', 'SV-86577']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-204432'\n tag rid: 'SV-204432r877377_rule'\n tag stig_id: 'RHEL-07-010440'\n tag fix_id: 'F-4556r88489_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gdm']\n tag 'host'\n\n custom_conf = '/etc/gdm/custom.conf'\n\n if package('gdm').installed?\n if (f = file(custom_conf)).exist?\n describe ini(custom_conf) do\n its('daemon.AutomaticLoginEnable') { cmp false }\n end\n else\n describe f do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system does not have GDM installed' do\n skip 'The system does not have GDM installed, this requirement is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204438' do\n 
title 'Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS)\n must require authentication upon booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode,\n anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2\n is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make\n modifications to the boot menu.'\n desc 'check', 'For systems that use UEFI, this is Not Applicable.\n For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:\n $ sudo grep -iw grub2_password /boot/grub2/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.'\n desc 'fix', 'Configure the system to encrypt the boot password for the grub superusers account with the\n grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.\n Generate an encrypted grub2 password for the grub superusers account with the following command:\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:'\n impact 0.7\n tag legacy: ['SV-95717', 'V-81005']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-204438'\n tag rid: 'SV-204438r744095_rule'\n tag stig_id: 'RHEL-07-010482'\n tag fix_id: 'F-4562r744094_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag subsystems: ['boot', 'bios']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n 
skip 'The System is running UEFI, this control is Not Applicable.'\n end\n elsif os[:release] >= '7.2'\n impact 0.7\n input('grub_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }\n end\n end\n else\n impact 0.0\n describe 'System running version of RHEL prior to 7.2' do\n skip 'The System is running an outdated version of RHEL, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204432.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204438.rb", "line": 1 }, - "id": "SV-204432" + "id": "SV-204438" }, { - "title": "The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless\n approved.", - "desc": "Internet services that are not required for system or application processes must not be active to decrease\n the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and\n must not be used unless approved and documented.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and\n lchown syscalls.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", "descriptions": { - "default": "Internet services that are not required for system or application processes must not be active to decrease\n the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and\n must not be used unless approved and documented.", - "check": "Verify the system is configured to boot to the command line:\n $ systemctl get-default\n multi-user.target\n If the system default target is not set to \"multi-user.target\" and the Information System Security Officer (ISSO)\n lacks a documented requirement for a graphical user interface, this is a finding.\n Verify a graphical user interface is not installed:\n $ rpm -qa | grep xorg | grep server\n Ask the System Administrator if use of a graphical user interface is an operational requirement.\n If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.", - "fix": "Document the requirement for a graphical user interface with the ISSO or reinstall the operating\n system without the graphical user interface. If reinstallation is not feasible, then continue with the following\n procedure:\n Open an SSH session and enter the following commands:\n $ sudo systemctl set-default multi-user.target\n $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils\n A reboot is required for the changes to take effect." 
+ "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"chown\", \"fchown\", \"fchownat\", and \"lchown\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep chown /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"chown\", \"fchown\", \"fchownat\", and \"lchown\"\n syscalls, this is a finding.", + "fix": "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown 
-F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86931", - "V-72307" + "SV-86721", + "V-72097" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204624", - "rid": "SV-204624r646847_rule", - "stig_id": "RHEL-07-040730", - "fix_id": "F-36316r646846_fix", + "gtitle": "SRG-OS-000064-GPOS-00033", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000474-GPOS-00219" + ], + "gid": "V-204517", + "rid": "SV-204517r809570_rule", + "stig_id": "RHEL-07-030370", + "fix_id": "F-4641r809192_fix", "cci": [ - "CCI-000366" + "CCI-000126", + "CCI-000172" ], "nist": [ - "CM-6 b" + "AU-2 d", + "AU-12 c", + "AU-2 c" ], "subsystems": [ - "gui" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204624' do\n title 'The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless\n approved.'\n desc 'Internet services that are not required for system or application processes must not be active to decrease\n the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and\n must not be used unless approved and documented.'\n desc 'check', 'Verify the system is configured to boot to the command line:\n $ systemctl get-default\n multi-user.target\n If the system default target is not set to \"multi-user.target\" and the Information System Security Officer (ISSO)\n lacks a documented requirement for a graphical user interface, this is a finding.\n Verify a graphical user interface is not installed:\n $ rpm -qa | grep xorg | grep server\n Ask the System Administrator if use of a graphical user interface is an operational requirement.\n If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.'\n desc 'fix', 'Document the requirement for a graphical user interface with the ISSO or reinstall the operating\n system without the graphical user interface. If reinstallation is not feasible, then continue with the following\n procedure:\n Open an SSH session and enter the following commands:\n $ sudo systemctl set-default multi-user.target\n $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils\n A reboot is required for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86931', 'V-72307']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204624'\n tag rid: 'SV-204624r646847_rule'\n tag stig_id: 'RHEL-07-040730'\n tag fix_id: 'F-36316r646846_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('x11_enabled')\n describe 'System default target' do\n subject { command('systemctl get-default').stdout.strip }\n it { should eq 'multi-user.target' }\n end\n\n describe 'No GUI packages should be installed' do\n subject { 
packages(/xorg.*server/) }\n its('statuses') { should_not cmp 'installed' }\n end\n else\n describe 'GUI permitted' do\n skip 'Not applicable -- GUI packages are allowed to be installed on this system'\n end\n end\nend\n", + "code": "control 'SV-204517' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and\n lchown syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', 'Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"chown\", \"fchown\", \"fchownat\", and \"lchown\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep chown /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"chown\", \"fchown\", \"fchownat\", and \"lchown\"\n syscalls, this is a finding.'\n desc 'fix', 'Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86721', 'V-72097']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000064-GPOS-00033'\n tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000458-GPOS-00203', 'SRG-OS-000474-GPOS-00219']\n tag gid: 'V-204517'\n tag rid: 'SV-204517r809570_rule'\n tag stig_id: 'RHEL-07-030370'\n tag fix_id: 'F-4641r809192_fix'\n tag cci: ['CCI-000126', 'CCI-000172']\n tag nist: ['AU-2 d', 'AU-12 c', 'AU-2 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['chown', 'fchown', 'fchownat', 'lchown']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n 
it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('perm_mod')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204624.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204517.rb", "line": 1 }, - "id": "SV-204624" + "id": "SV-204517" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24\n hours/1 day minimum lifetime.", - "desc": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.", + "title": "The Red Hat Enterprise Linux operating system must be a vendor supported release.", + "desc": "An operating system release is considered \"supported\" if the vendor continues to provide security patches\n for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the\n system software.\n Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for\n those customers who wish to standardize on a specific minor release for an extended period. 
RHEL 7.7 marks the final\n minor release that EUS will be available, while 7.9 is the final minor release overall.", "descriptions": { - "default": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.", - "check": "Check whether the minimum time period between password changes for each user account is one day or\n greater.\n # awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n If any results are returned that are not associated with a system account, this is a finding.", - "fix": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:\n # chage -m 1 [user]" + "default": "An operating system release is considered \"supported\" if the vendor continues to provide security patches\n for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the\n system software.\n Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for\n those customers who wish to standardize on a specific minor release for an extended period. 
RHEL 7.7 marks the final\n minor release that EUS will be available, while 7.9 is the final minor release overall.", + "check": "Verify the version of the operating system is vendor supported.\n Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n Red Hat Enterprise Linux Server release 7.9 (Maipo)\n Current End of Extended Update Support for RHEL 7.6 is 31 May 2021.\n Current End of Extended Update Support for RHEL 7.7 is 30 August 2021.\n Current End of Maintenance Support for RHEL 7.9 is 30 June 2024.\n If the release is not supported by the vendor, this is a finding.", + "fix": "Upgrade to a supported version of the operating system." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86551", - "V-71927" + "SV-86621", + "V-71997" ], - "severity": "medium", - "gtitle": "SRG-OS-000075-GPOS-00043", - "gid": "V-204419", - "rid": "SV-204419r603261_rule", - "stig_id": "RHEL-07-010240", - "fix_id": "F-4543r88450_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204458", + "rid": "SV-204458r744100_rule", + "stig_id": "RHEL-07-020250", + "fix_id": "F-4582r462547_fix", "cci": [ - "CCI-000198" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)" + "CM-6 b" ], "subsystems": [ - "password", - "/etc/shadow" + "redhat_release" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204419' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24\n hours/1 day minimum lifetime.'\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.\"\n desc 'check', %q(Check whether the minimum time period between password changes for each user account is one day or\n greater.\n # awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n If any results are returned that are not associated with a system account, this is a finding.)\n desc 'fix', 'Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:\n # chage -m 1 [user]'\n impact 0.5\n tag legacy: ['SV-86551', 'V-71927']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000075-GPOS-00043'\n tag gid: 'V-204419'\n tag rid: 'SV-204419r603261_rule'\n tag stig_id: 'RHEL-07-010240'\n tag fix_id: 'F-4543r88450_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag subsystems: ['password', '/etc/shadow']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n shadow.users.each do |user|\n # filtering on non-system accounts (uid >= 1000)\n next unless user(user).uid >= 1000\n\n describe shadow.users(user) do\n its('min_days.first') { should cmp input('min_password_lifetime') }\n end\n end\n end\nend\n", + "code": "control 'SV-204458' do\n title 'The Red Hat Enterprise Linux operating system must be a vendor supported release.'\n desc 'An operating system release is considered \"supported\" if the vendor continues to provide security patches\n for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the\n system software.\n Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for\n those customers who wish to standardize on a specific minor release for an extended period. 
RHEL 7.7 marks the final\n minor release that EUS will be available, while 7.9 is the final minor release overall.'\n desc 'check', 'Verify the version of the operating system is vendor supported.\n Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n Red Hat Enterprise Linux Server release 7.9 (Maipo)\n Current End of Extended Update Support for RHEL 7.6 is 31 May 2021.\n Current End of Extended Update Support for RHEL 7.7 is 30 August 2021.\n Current End of Maintenance Support for RHEL 7.9 is 30 June 2024.\n If the release is not supported by the vendor, this is a finding.'\n desc 'fix', 'Upgrade to a supported version of the operating system.'\n impact 0.7\n tag legacy: ['SV-86621', 'V-71997']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204458'\n tag rid: 'SV-204458r744100_rule'\n tag stig_id: 'RHEL-07-020250'\n tag fix_id: 'F-4582r462547_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['redhat_release']\n tag 'host'\n tag 'container'\n\n release = os.release\n if !release.match(/^7\\.[6789]/)\n describe \"RHEL #{release}\" do\n it 'is not a supported release' do\n supported_releases = ['7.6', '7.7', '7.8', '7.9']\n fail_msg = \"It should be one of the following supported releases: #{supported_releases}\"\n expect(release).to be_between(7.6, 7.9), fail_msg\n end\n end\n else\n EOMS_DATE = case release\n when /^7\\.6/\n '31 May 2021'\n when /^7\\.7/\n '30 August 2021'\n when /^7\\.8/\n '30 June 2024'\n when /^7\\.9/\n '30 June 2024'\n end\n\n describe \"The release \\\"#{release}\\\" must still be within the support window, ending #{EOMS_DATE}\" do\n subject { Date.today <= Date.parse(EOMS_DATE) }\n it { should be true }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204419.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204458.rb", "line": 1 }, - "id": "SV-204419" + "id": "SV-204458" }, { - "title": "The Red Hat Enterprise Linux 
operating system must audit all uses of the unlink, unlinkat, rename,\n renameat, and rmdir syscalls.", - "desc": "If the system is not configured to audit certain activities and write them to an audit log, it is more\n difficult to detect and track system compromises and damages incurred during a system compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a\n valid owner.", + "desc": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.", "descriptions": { - "default": "If the system is not configured to audit certain activities and write them to an audit log, it is more\n difficult to detect and track system compromises and damages incurred during a system compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", - "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep 'unlink\\|rename\\|rmdir' /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and\n \"rmdir\" syscalls, this is a finding.", - "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls.\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.", + "check": "Verify all files and directories on the system have a valid owner.\n Check the owner of all files and directories with the following command:\n Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n # find / -fstype xfs -nouser\n If any files on the system do not have an assigned owner, this is a finding.", + "fix": "Either remove all files and directories from the system that do not have a valid user, or assign a\n valid user to all unowned files and directories on the system with the \"chown\" command:\n # chown " }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72205", - "SV-86829" + "SV-86631", + "V-72007" ], "severity": "medium", - "gtitle": "SRG-OS-000466-GPOS-00210", - "satisfies": [ - "SRG-OS-000466-GPOS-00210", - "SRG-OS-000467-GPOS-00211", - "SRG-OS-000468-GPOS-00212", - "SRG-OS-000392-GPOS-00172" - ], - "gid": "V-204572", - "rid": "SV-204572r853985_rule", - "stig_id": "RHEL-07-030910", - "fix_id": "F-4696r853984_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204463", + "rid": "SV-204463r853897_rule", + "stig_id": "RHEL-07-020320", + "fix_id": "F-4587r88582_fix", "cci": [ - "CCI-000172", - "CCI-002884" + "CCI-002165" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AC-3 (4)" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "file_system", + "users", + "files" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204572' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename,\n renameat, and rmdir syscalls.'\n desc 'If the system is not configured to audit certain activities and write them to an audit log, it is more\n difficult to detect and track system compromises and damages incurred during a system compromise.\n When a 
user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', %q(Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep 'unlink\\|rename\\|rmdir' /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and\n \"rmdir\" syscalls, this is a finding.)\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls.\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag 
legacy: ['V-72205', 'SV-86829']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000466-GPOS-00210'\n tag satisfies: ['SRG-OS-000466-GPOS-00210', 'SRG-OS-000467-GPOS-00211', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204572'\n tag rid: 'SV-204572r853985_rule'\n tag stig_id: 'RHEL-07-030910'\n tag fix_id: 'F-4696r853984_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['unlink', 'unlinkat', 'rename', 'renameat', 'rmdir']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('delete')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204463' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a\n valid owner.'\n desc 'Unowned files and directories may be unintentionally inherited if a user is assigned the same User\n Identifier \"UID\" as the UID of the un-owned files.'\n desc 'check', 'Verify all files and directories on the system have a valid owner.\n Check the owner of all files and directories with the following command:\n Note: The value after -fstype must be replaced with the filesystem type. 
XFS is used as an example.\n # find / -fstype xfs -nouser\n If any files on the system do not have an assigned owner, this is a finding.'\n desc 'fix', 'Either remove all files and directories from the system that do not have a valid user, or assign a\n valid user to all unowned files and directories on the system with the \"chown\" command:\n # chown '\n impact 0.5\n tag legacy: ['SV-86631', 'V-72007']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204463'\n tag rid: 'SV-204463r853897_rule'\n tag stig_id: 'RHEL-07-020320'\n tag fix_id: 'F-4587r88582_fix'\n tag cci: ['CCI-002165']\n tag nist: ['AC-3 (4)']\n tag subsystems: ['file_system', 'users', 'files']\n tag 'host'\n tag 'container'\n\n command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'')\n .stdout.strip.split(\"\\n\").each do |fs|\n describe command(\"find / -xdev -xautofs -fstype #{fs} -nouser\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204572.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204463.rb", "line": 1 }, - "id": "SV-204572" + "id": "SV-204463" }, { - "title": "The Red Hat Enterprise Linux operating system must not have the ypserv package installed.", - "desc": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or\n NIS+ services.", + "title": "The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server\n that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server\n designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).", + "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis.\n Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis\n and 
investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n Synchronizing internal information system clocks provides uniformity of time stamps for information systems with\n multiple system clocks and systems connected over a network.\n Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g.,\n mobile, teleworking, and tactical endpoints).", "descriptions": { - "default": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or\n NIS+ services.", - "check": "The NIS service provides an unencrypted authentication service that does not provide for the\n confidentiality and integrity of user passwords or the remote session.\n Check to see if the \"ypserve\" package is installed with the following command:\n # yum list installed ypserv\n If the \"ypserv\" package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the \"ypserv\" package\n from the system with the following command:\n # yum remove ypserv" + "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis.\n Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis\n and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n Synchronizing internal information system clocks provides uniformity of time stamps for information systems with\n multiple system clocks and systems connected over a network.\n Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g.,\n mobile, teleworking, and tactical endpoints).", + "check": "Check to see if NTP is running in continuous mode:\n # ps -ef | grep ntp\n If NTP is not running, check to see if \"chronyd\" is running in continuous mode:\n # ps -ef | grep chronyd\n If NTP or \"chronyd\" is not running, this is a finding.\n If the NTP process is found, then check the \"ntp.conf\" file for the \"maxpoll\" option setting:\n # grep maxpoll /etc/ntp.conf\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If the \"maxpoll\" option is set to a number greater than 16 or the line is commented out, this is a finding.\n If the file does not exist, check the \"/etc/cron.daily\" subdirectory for a crontab file controlling the execution of\n the \"ntpd -q\" command.\n # grep -i \"ntpd -q\" /etc/cron.daily/*\n # ls -al /etc/cron.* | grep ntp\n ntp\n If a crontab file does not exist in the \"/etc/cron.daily\" that executes the \"ntpd -q\" command, this is a finding.\n If the \"chronyd\" process is found, then check the \"chrony.conf\" file for the \"maxpoll\" option setting:\n # grep maxpoll /etc/chrony.conf\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If the option is not set or the line is commented out, this is a finding.", + "fix": "Edit the \"/etc/ntp.conf\" or \"/etc/chrony.conf\" file and add or update an entry to define \"maxpoll\" to\n \"16\" as follows:\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If NTP was running and \"maxpoll\" was updated, the NTP service must be restarted:\n # systemctl restart ntpd\n If NTP was not running, it must be started:\n # systemctl start ntpd\n If \"chronyd\" was running and \"maxpoll\" 
was updated, the service must be restarted:\n # systemctl restart chronyd.service\n If \"chronyd\" was not running, it must be started:\n # systemctl start chronyd.service" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71969", - "SV-86593" + "V-72269", + "SV-86893" ], - "severity": "high", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-204443", - "rid": "SV-204443r603261_rule", - "stig_id": "RHEL-07-020010", - "fix_id": "F-4567r88522_fix", + "severity": "medium", + "gtitle": "SRG-OS-000355-GPOS-00143", + "satisfies": [ + "SRG-OS-000355-GPOS-00143", + "SRG-OS-000356-GPOS-00144" + ], + "gid": "V-204603", + "rid": "SV-204603r877038_rule", + "stig_id": "RHEL-07-040500", + "fix_id": "F-4727r809210_fix", "cci": [ - "CCI-000381" + "CCI-001891", + "CCI-002046" ], "nist": [ - "CM-7 a" + "AU-8 (1) (a)", + "AU-8 (1) (b)" ], "subsystems": [ - "packages" + "ntp" ], "host": null, "container": null }, - "code": "control 'SV-204443' do\n title 'The Red Hat Enterprise Linux operating system must not have the ypserv package installed.'\n desc 'Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or\n NIS+ services.'\n desc 'check', 'The NIS service provides an unencrypted authentication service that does not provide for the\n confidentiality and integrity of user passwords or the remote session.\n Check to see if the \"ypserve\" package is installed with the following command:\n # yum list installed ypserv\n If the \"ypserv\" package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by removing the \"ypserv\" package\n from the system with the following command:\n # yum remove ypserv'\n impact 0.7\n tag legacy: ['V-71969', 'SV-86593']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-204443'\n tag rid: 'SV-204443r603261_rule'\n tag stig_id: 'RHEL-07-020010'\n tag fix_id: 'F-4567r88522_fix'\n tag cci: 
['CCI-000381']\n tag nist: ['CM-7 a']\n tag subsystems: ['packages']\n tag 'host'\n tag 'container'\n\n describe package('ypserv') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-204603' do\n title \"The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server\n that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server\n designated for the appropriate #{input('org_name')[:acronym]} network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).\"\n desc 'Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis.\n Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis\n and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n Synchronizing internal information system clocks provides uniformity of time stamps for information systems with\n multiple system clocks and systems connected over a network.\n Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g.,\n mobile, teleworking, and tactical endpoints).'\n desc 'check', 'Check to see if NTP is running in continuous mode:\n # ps -ef | grep ntp\n If NTP is not running, check to see if \"chronyd\" is running in continuous mode:\n # ps -ef | grep chronyd\n If NTP or \"chronyd\" is not running, this is a finding.\n If the NTP process is found, then check the \"ntp.conf\" file for the \"maxpoll\" option setting:\n # grep maxpoll /etc/ntp.conf\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If the \"maxpoll\" option is set to a number greater than 16 or the line is commented out, this is a finding.\n If the file does not exist, check the \"/etc/cron.daily\" subdirectory for a crontab file controlling the execution of\n the \"ntpd -q\" command.\n # grep -i \"ntpd -q\" 
/etc/cron.daily/*\n # ls -al /etc/cron.* | grep ntp\n ntp\n If a crontab file does not exist in the \"/etc/cron.daily\" that executes the \"ntpd -q\" command, this is a finding.\n If the \"chronyd\" process is found, then check the \"chrony.conf\" file for the \"maxpoll\" option setting:\n # grep maxpoll /etc/chrony.conf\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If the option is not set or the line is commented out, this is a finding.'\n desc 'fix', 'Edit the \"/etc/ntp.conf\" or \"/etc/chrony.conf\" file and add or update an entry to define \"maxpoll\" to\n \"16\" as follows:\n server 0.rhel.pool.ntp.org iburst maxpoll 16\n If NTP was running and \"maxpoll\" was updated, the NTP service must be restarted:\n # systemctl restart ntpd\n If NTP was not running, it must be started:\n # systemctl start ntpd\n If \"chronyd\" was running and \"maxpoll\" was updated, the service must be restarted:\n # systemctl restart chronyd.service\n If \"chronyd\" was not running, it must be started:\n # systemctl start chronyd.service'\n impact 0.5\n tag legacy: ['V-72269', 'SV-86893']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000355-GPOS-00143'\n tag satisfies: ['SRG-OS-000355-GPOS-00143', 'SRG-OS-000356-GPOS-00144']\n tag gid: 'V-204603'\n tag rid: 'SV-204603r877038_rule'\n tag stig_id: 'RHEL-07-040500'\n tag fix_id: 'F-4727r809210_fix'\n tag cci: ['CCI-001891', 'CCI-002046']\n tag nist: ['AU-8 (1) (a)', 'AU-8 (1) (b)']\n tag subsystems: ['ntp']\n tag 'host'\n tag 'container'\n\n # Either ntpd or chronyd should be running\n describe.one do\n [service('ntpd'), service('chronyd')].each do |time_service|\n describe time_service do\n it { should be_running }\n it { should be_enabled }\n it { should be_installed }\n end\n end\n end\n\n if service('ntpd').installed?\n time_service = service('ntpd')\n time_sources = ntp_conf('/etc/ntp.conf').server\n max_poll_values = time_sources.map do |val|\n if val.match?(/.*maxpoll.*/)\n val.gsub(/.*maxpoll\\s+(\\d+)(\\s+.*|$)/,\n 
'\\1').to_i\n else\n 99\n end\n end\n ntpdate_crons = command('grep -l \"ntpd -q\" /etc/cron.daily/*').stdout.strip.lines\n\n describe 'ntpd time sources list' do\n subject { time_sources }\n it { should_not be_empty }\n end\n\n describe.one do\n # Case where maxpoll empty\n describe \"Daily cron jobs for 'ntpd -q'\" do\n subject { ntpdate_crons }\n it { should_not be_empty }\n end\n # All time sources must contain valid maxpoll entries\n describe 'ntpd maxpoll values (99=maxpoll absent)' do\n subject { max_poll_values }\n it { should all be <= input('maxpoll') }\n end\n end\n end\n\n if service('chronyd').installed?\n time_service = service('chronyd')\n time_sources = ntp_conf('/etc/chrony.conf').server\n max_poll_values = time_sources.map do |val|\n if val.match?(/.*maxpoll.*/)\n val.gsub(/.*maxpoll\\s+(\\d+)(\\s+.*|$)/,\n '\\1').to_i\n else\n 99\n end\n end\n\n describe 'chronyd time sources list' do\n subject { time_sources }\n it { should_not be_empty }\n end\n\n # All time sources must contain valid maxpoll entries\n describe 'chronyd maxpoll values (99=maxpoll absent)' do\n subject { max_poll_values }\n it { should all be <= input('maxpoll') }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204443.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204603.rb", "line": 1 }, - "id": "SV-204443" + "id": "SV-204603" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirect messages from being accepted.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message\n could result in a man-in-the-middle attack.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/setsebool\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message\n could result in a man-in-the-middle attack.", + "check": "Verify the system will not accept IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the value of the \"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_redirects\n net.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Set the system to not accept IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72137", - "SV-86761" + "SV-86913", + "V-72289" ], "severity": "medium", - "gtitle": "SRG-OS-000392-GPOS-00172", - "satisfies": [ - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000465-GPOS-00209" - ], - "gid": "V-204537", - "rid": "SV-204537r861017_rule", - "stig_id": "RHEL-07-030570", - "fix_id": "F-4661r861016_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204614", + "rid": "SV-204614r880812_rule", + "stig_id": "RHEL-07-040640", + "fix_id": "F-4738r880811_fix", "cci": [ - "CCI-000172", - "CCI-002884" + "CCI-000366" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - 
"audit_rule" + "kernel_parameter", + "ipv4" ], "host": null }, - "code": "control 'SV-204537' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/setsebool\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72137', 'SV-86761']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000465-GPOS-00209']\n 
tag gid: 'V-204537'\n tag rid: 'SV-204537r861017_rule'\n tag stig_id: 'RHEL-07-030570'\n tag fix_id: 'F-4661r861016_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/setsebool'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", + "code": "control 'SV-204614' do\n title 'The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message\n could result in a man-in-the-middle attack.\"\n desc 'check', 'Verify the system will not accept IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the value of the \"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_redirects\n net.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to not accept IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['SV-86913', 'V-72289']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204614'\n tag rid: 'SV-204614r880812_rule'\n tag stig_id: 'RHEL-07-040640'\n tag fix_id: 'F-4738r880811_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_redirects = 0\n\n config_file_values = command('grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* 
/usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_redirects.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_redirects to #{accept_redirects}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.default.accept_redirects' do\n subject { kernel_parameter('net.ipv4.conf.default.accept_redirects') }\n its('value') { should eq accept_redirects }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204537.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204614.rb", "line": 1 }, - "id": "SV-204537" + "id": "SV-204614" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists,\n is group-owned by root.", - "desc": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or\n edited by unauthorized users.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. 
The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or\n edited by unauthorized users.", - "check": "Verify that the \"cron.allow\" file is group-owned by root.\n Check the group owner of the \"cron.allow\" file with the following command:\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n If the \"cron.allow\" file exists and has a group owner other than root, this is a finding.", - "fix": "Set the group owner on the \"/etc/cron.allow\" file to root with the\nfollowing command:\n\n # chgrp root /etc/cron.allow" + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"kmod\" command occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"kmod\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86679", - "V-72055" + "SV-86815", + "V-72191" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204491", - "rid": "SV-204491r603261_rule", - "stig_id": "RHEL-07-021120", - "fix_id": "F-4615r88666_fix", + "gtitle": "SRG-OS-000471-GPOS-00216", + "satisfies": [ + "SRG-OS-000471-GPOS-00216", + "SRG-OS-000477-GPOS-00222" + ], + "gid": "V-204563", + "rid": "SV-204563r858498_rule", + "stig_id": "RHEL-07-030840", + "fix_id": "F-4687r858497_fix", "cci": [ - "CCI-000366" + "CCI-000172" ], "nist": [ - "CM-6 b" + "AU-12 c" ], "subsystems": [ - "cron" + "audit", + "auditd", + "audit_rule" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204491' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists,\n is group-owned by root.'\n desc 'If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or\n edited by unauthorized users.'\n desc 'check', 'Verify that the \"cron.allow\" file is 
group-owned by root.\n Check the group owner of the \"cron.allow\" file with the following command:\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n If the \"cron.allow\" file exists and has a group owner other than root, this is a finding.'\n desc 'fix', 'Set the group owner on the \"/etc/cron.allow\" file to root with the\nfollowing command:\n\n # chgrp root /etc/cron.allow'\n impact 0.5\n tag legacy: ['SV-86679', 'V-72055']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204491'\n tag rid: 'SV-204491r603261_rule'\n tag stig_id: 'RHEL-07-021120'\n tag fix_id: 'F-4615r88666_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['cron']\n tag 'host'\n tag 'container'\n\n describe.one do\n # case where file doesn't exist\n describe file('/etc/cron.allow') do\n it { should_not exist }\n end\n # case where file exists\n describe file('/etc/cron.allow') do\n its('group') { should eq 'root' }\n end\n end\nend\n", + "code": "control 'SV-204563' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"kmod\" command occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"kmod\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86815', 'V-72191']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00216'\n tag satisfies: ['SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-204563'\n tag rid: 'SV-204563r858498_rule'\n tag stig_id: 'RHEL-07-030840'\n tag fix_id: 'F-4687r858497_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/kmod'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key).to cmp 'modules'\n end\n end\n end\nend\n", "source_location": { - 
"ref": "./Red Hat 7 STIG/controls/SV-204491.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204563.rb", "line": 1 }, - "id": "SV-204491" + "id": "SV-204563" }, { - "title": "The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny\n system access to specific hosts and services.", - "desc": "If the systems access control program is not configured with appropriate rules for allowing and denying\n access to system network resources, services may be accessible to unauthorized hosts.", + "title": "The Red Hat Enterprise Linux operating system must not have the ypserv package installed.", + "desc": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or\n NIS+ services.", "descriptions": { - "default": "If the systems access control program is not configured with appropriate rules for allowing and denying\n access to system network resources, services may be accessible to unauthorized hosts.", - "check": "If the \"firewalld\" package is not installed, ask the System Administrator (SA) if another firewall\n application (such as iptables) is installed. 
If an application firewall is not installed, this is a finding.\n Verify the system's access control program is configured to grant or deny system access to specific hosts.\n Check to see if \"firewalld\" is active with the following command:\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n If \"firewalld\" is active, check to see if it is configured to grant or deny access to specific hosts or services\n with the following commands:\n # firewall-cmd --get-default-zone\n public\n # firewall-cmd --list-all --zone=public\n public (active)\n target: default\n icmp-block-inversion: no\n interfaces: eth0\n sources:\n services: mdns ssh\n ports:\n protocols:\n masquerade: no\n forward-ports:\n icmp-blocks:\n If \"firewalld\" is not active, determine whether \"tcpwrappers\" is being used by checking whether the \"hosts.allow\"\n and \"hosts.deny\" files are empty with the following commands:\n # ls -al /etc/hosts.allow\n rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n # ls -al /etc/hosts.deny\n -rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n If \"firewalld\" and \"tcpwrappers\" are not installed, configured, and active, ask the SA if another access control\n program (such as iptables) is installed and active. 
Ask the SA to show that the running configuration grants or\n denies access to specific hosts or services.\n If \"firewalld\" is active and is not configured to grant access to specific hosts or \"tcpwrappers\" is not configured\n to grant or deny access to specific hosts, this is a finding.", - "fix": "If \"firewalld\" is installed and active on the system, configure rules for allowing specific services\n and hosts.\n If \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring \"/etc/hosts.allow\" and \"/etc/hosts.deny\" to\n allow or deny access to specific hosts." + "default": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or\n NIS+ services.", + "check": "The NIS service provides an unencrypted authentication service that does not provide for the\n confidentiality and integrity of user passwords or the remote session.\n Check to see if the \"ypserve\" package is installed with the following command:\n # yum list installed ypserv\n If the \"ypserv\" package is installed, this is a finding.", + "fix": "Configure the operating system to disable non-essential capabilities by removing the \"ypserv\" package\n from the system with the following command:\n # yum remove ypserv" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86939", - "V-72315" + "V-71969", + "SV-86593" ], - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204628", - "rid": "SV-204628r603261_rule", - "stig_id": "RHEL-07-040810", - "fix_id": "F-4752r89077_fix", + "severity": "high", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-204443", + "rid": "SV-204443r603261_rule", + "stig_id": "RHEL-07-020010", + "fix_id": "F-4567r88522_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b" + "CM-7 a" ], "subsystems": [ - "iptables", - "firewall" + "packages" ], "host": null, "container": null }, - "code": "control 'SV-204628' do\n title 'The Red Hat Enterprise Linux 
operating system access control program must be configured to grant or deny\n system access to specific hosts and services.'\n desc 'If the systems access control program is not configured with appropriate rules for allowing and denying\n access to system network resources, services may be accessible to unauthorized hosts.'\n desc 'check', %q(If the \"firewalld\" package is not installed, ask the System Administrator (SA) if another firewall\n application (such as iptables) is installed. If an application firewall is not installed, this is a finding.\n Verify the system's access control program is configured to grant or deny system access to specific hosts.\n Check to see if \"firewalld\" is active with the following command:\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n If \"firewalld\" is active, check to see if it is configured to grant or deny access to specific hosts or services\n with the following commands:\n # firewall-cmd --get-default-zone\n public\n # firewall-cmd --list-all --zone=public\n public (active)\n target: default\n icmp-block-inversion: no\n interfaces: eth0\n sources:\n services: mdns ssh\n ports:\n protocols:\n masquerade: no\n forward-ports:\n icmp-blocks:\n If \"firewalld\" is not active, determine whether \"tcpwrappers\" is being used by checking whether the \"hosts.allow\"\n and \"hosts.deny\" files are empty with the following commands:\n # ls -al /etc/hosts.allow\n rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n # ls -al /etc/hosts.deny\n -rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n If \"firewalld\" and \"tcpwrappers\" are not installed, configured, and active, ask the SA if another access control\n program (such as iptables) is installed and active. 
Ask the SA to show that the running configuration grants or\n denies access to specific hosts or services.\n If \"firewalld\" is active and is not configured to grant access to specific hosts or \"tcpwrappers\" is not configured\n to grant or deny access to specific hosts, this is a finding.)\n desc 'fix', 'If \"firewalld\" is installed and active on the system, configure rules for allowing specific services\n and hosts.\n If \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring \"/etc/hosts.allow\" and \"/etc/hosts.deny\" to\n allow or deny access to specific hosts.'\n impact 0.5\n tag legacy: ['SV-86939', 'V-72315']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204628'\n tag rid: 'SV-204628r603261_rule'\n tag stig_id: 'RHEL-07-040810'\n tag fix_id: 'F-4752r89077_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['iptables', 'firewall']\n tag 'host'\n tag 'container'\n\n if input('firewall_application_package') != ''\n describe 'Manual review of third-party firewall needed' do\n skip \"A manual review of firewall application \\'#{input('firewall_application_package')}\\' is needed to determine if it is properly configured\"\n end\n else\n\n firewalld_services = input('firewalld_services')\n firewalld_hosts_allow = input('firewalld_hosts_allow')\n firewalld_hosts_deny = input('firewalld_hosts_deny')\n firewalld_ports_allow = input('firewalld_ports_allow')\n firewalld_ports_deny = input('firewalld_ports_deny')\n tcpwrappers_allow = input('tcpwrappers_allow')\n tcpwrappers_deny = input('tcpwrappers_deny')\n iptable_rules = input('iptables_rules')\n\n if service('firewalld').running?\n @default_zone = firewalld.default_zone\n\n describe firewalld.where { zone = @default_zone } do\n its('services') { should be_in firewalld_services }\n end\n\n describe firewalld do\n firewalld_hosts_allow.each do |rule|\n it { should have_rule_enabled(rule) }\n end\n firewalld_hosts_deny.each do |rule|\n it { 
should_not have_rule_enabled(rule) }\n end\n firewalld_ports_allow.each do |port|\n it { should have_port_enabled_in_zone(port) }\n end\n firewalld_ports_deny.each do |port|\n it { should_not have_port_enabled_in_zone(port) }\n end\n end\n elsif service('iptables').running?\n describe iptables do\n iptable_rules.each do |rule|\n it { should have_rule(rule) }\n end\n end\n else\n describe package('tcp_wrappers') do\n it { should be_installed }\n end\n tcpwrappers_allow.each do |rule|\n describe etc_hosts_allow.where { daemon == rule['daemon'] } do\n its('client_list') { should be rule['client_list'] }\n its('options') { should be rule['options'] }\n end\n end\n tcpwrappers_deny.each do |rule|\n describe etc_hosts_deny.where { daemon == rule['daemon'] } do\n its('client_list') { should be rule['client_list'] }\n its('options') { should be rule['options'] }\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204443' do\n title 'The Red Hat Enterprise Linux operating system must not have the ypserv package installed.'\n desc 'Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or\n NIS+ services.'\n desc 'check', 'The NIS service provides an unencrypted authentication service that does not provide for the\n confidentiality and integrity of user passwords or the remote session.\n Check to see if the \"ypserve\" package is installed with the following command:\n # yum list installed ypserv\n If the \"ypserv\" package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by removing the \"ypserv\" package\n from the system with the following command:\n # yum remove ypserv'\n impact 0.7\n tag legacy: ['V-71969', 'SV-86593']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-204443'\n tag rid: 'SV-204443r603261_rule'\n tag stig_id: 'RHEL-07-020010'\n tag fix_id: 'F-4567r88522_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 
a']\n tag subsystems: ['packages']\n tag 'host'\n tag 'container'\n\n describe package('ypserv') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204628.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204443.rb", "line": 1 }, - "id": "SV-204628" + "id": "SV-204443" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using an empty password.", - "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", + "title": "The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator\n (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches\n 75% of the repository maximum audit record storage capacity.", + "desc": "If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they\n are unable to plan for audit record storage capacity expansion.", "descriptions": { - "default": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", - "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command:\n # grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n PermitEmptyPasswords no\n If no line, a commented line, or a line indicating the value \"no\" is returned, the required value is set.\n If the required value is not set, this is a finding.", - "fix": "To explicitly disallow remote logon from accounts with empty passwords, add or correct the following\n line in \"/etc/ssh/sshd_config\":\n PermitEmptyPasswords no\n The SSH service must be restarted for changes to take effect. 
Any accounts with empty passwords should be disabled\n immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords." + "default": "If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they\n are unable to plan for audit record storage capacity expansion.", + "check": "Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when\n allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n Check the system configuration to determine the partition the audit records are being written to with the following\n command:\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n log_file = /var/log/audit/audit.log\n Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record\n storage capacity is reached:\n $ sudo grep -iw space_left /etc/audit/auditd.conf\n space_left = 25%\n If the value of the \"space_left\" keyword is not set to 25 percent of the total partition size, this is a finding.", + "fix": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when\n allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n Set the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to 25 percent of the partition size.\n space_left = 25%\n Reload the auditd daemon to apply changes made to the \"/etc/audit/auditd.conf\" file." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86563", - "V-71939" + "V-72089", + "SV-86713" ], - "severity": "high", - "gtitle": "SRG-OS-000106-GPOS-00053", - "gid": "V-204425", - "rid": "SV-204425r603261_rule", - "stig_id": "RHEL-07-010300", - "fix_id": "F-4549r88468_fix", + "severity": "medium", + "gtitle": "SRG-OS-000343-GPOS-00134", + "gid": "V-204513", + "rid": "SV-204513r877389_rule", + "stig_id": "RHEL-07-030330", + "fix_id": "F-4637r744111_fix", "cci": [ - "CCI-000766" + "CCI-001855" ], "nist": [ - "IA-2 (2)" + "AU-5 (1)" ], "subsystems": [ - "ssh" + "audit", + "auditd" ], "host": null }, - "code": "control 'SV-204425' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using an empty password.'\n desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command:\n # grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n PermitEmptyPasswords no\n If no line, a commented line, or a line indicating the value \"no\" is returned, the required value is set.\n If the required value is not set, this is a finding.)\n desc 'fix', 'To explicitly disallow remote logon from accounts with empty passwords, add or correct the following\n line in \"/etc/ssh/sshd_config\":\n PermitEmptyPasswords no\n The SSH service must be restarted for changes to take effect. 
Any accounts with empty passwords should be disabled\n immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.'\n impact 0.7\n tag legacy: ['SV-86563', 'V-71939']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000106-GPOS-00053'\n tag gid: 'V-204425'\n tag rid: 'SV-204425r603261_rule'\n tag stig_id: 'RHEL-07-010300'\n tag fix_id: 'F-4549r88468_fix'\n tag cci: ['CCI-000766']\n tag nist: ['IA-2 (2)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe.one do\n describe sshd_config do\n its('PermitEmptyPasswords') { should eq 'no' }\n end\n describe sshd_config do\n its('PermitEmptyPasswords') { should be_nil }\n end\n end\n end\nend\n", + "code": "control 'SV-204513' do\n title \"The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator\n (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches\n #{input('storage_volume')}% of the repository maximum audit record storage capacity.\"\n desc \"If security personnel are not notified immediately when storage volume reaches #{input('storage_volume')} percent utilization, they\n are unable to plan for audit record storage capacity expansion.\"\n desc 'check', \"Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when\n allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity.\n Check the system configuration to determine the partition the audit records are being written to with the following\n command:\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n log_file = 
/var/log/audit/audit.log\n Determine what the threshold is for the system to take action when #{input('storage_volume')} percent of the repository maximum audit record\n storage capacity is reached:\n $ sudo grep -iw space_left /etc/audit/auditd.conf\n space_left = #{input('min_space_left')}%\n If the value of the \\\"space_left\\\" keyword is not set to #{input('min_space_left')} percent of the total partition size, this is a finding.\"\n desc 'fix', \"Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when\n allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity.\n Set the value of the \\\"space_left\\\" keyword in \\\"/etc/audit/auditd.conf\\\" to #{input('min_space_left')} percent of the partition size.\n space_left = #{input('min_space_left')}%\n Reload the auditd daemon to apply changes made to the \\\"/etc/audit/auditd.conf\\\" file.\"\n impact 0.5\n tag legacy: ['V-72089', 'SV-86713']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-204513'\n tag rid: 'SV-204513r877389_rule'\n tag stig_id: 'RHEL-07-030330'\n tag fix_id: 'F-4637r744111_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe auditd_conf do\n its('space_left') { should cmp >= input('min_space_left') }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204425.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204513.rb", "line": 1 }, - "id": "SV-204425" + "id": "SV-204513" }, { - "title": "The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader\n unless approved.", - "desc": "Malicious users 
with removable boot media can gain access to a system configured to use removable media as\n the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented\n with the Information System Security Officer (ISSO).", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with SSH traffic terminate after a period of inactivity.", + "desc": "Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", "descriptions": { - "default": "Malicious users with removable boot media can gain access to a system configured to use removable media as\n the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented\n with the Information System Security Officer (ISSO).", - "check": "Verify the system is not configured to use a boot loader on removable media.\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\nCheck for the existence of alternate boot loader configuration files with the following command:\n\n# find / -name grub.cfg\n/boot/grub2/grub.cfg\n\nIf a \"grub.cfg\" is found in any subdirectories other than \"/boot/grub2\" and \"/boot/efi/EFI/redhat\", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.\n\nCheck that the grub configuration file has the set root command in each menu entry with the following commands:\n\n# grep -cw menuentry /boot/grub2/grub.cfg\n1\n# grep 'set root' /boot/grub2/grub.cfg\nset root=(hd0,1)\n\nIf the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.", - "fix": "Remove alternate methods of booting the system from removable media or document the configuration to\n boot from removable media with the ISSO." + "default": "Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", + "check": "Verify the operating system automatically terminates a user session after inactivity time-outs have\n expired.\n Check for the value of the \"ClientAliveCountMax\" keyword with the following command:\n # grep -i clientalivecount /etc/ssh/sshd_config\n ClientAliveCountMax 0\n If \"ClientAliveCountMax\" is not set to \"0\", this is a finding.", + "fix": "Configure the operating system to terminate automatically a user session after inactivity time-outs\n have expired or at shutdown.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor):\n ClientAliveCountMax 0\n The SSH service must be restarted for changes to take effect." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86699",
- "V-72075"
+ "SV-86865",
+ "V-72241"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000364-GPOS-00151",
- "gid": "V-204501",
- "rid": "SV-204501r861008_rule",
- "stig_id": "RHEL-07-021700",
- "fix_id": "F-4625r88696_fix",
+ "gtitle": "SRG-OS-000163-GPOS-00072",
+ "satisfies": [
+ "SRG-OS-000163-GPOS-00072",
+ "SRG-OS-000279-GPOS-00109"
+ ],
+ "gid": "V-204589",
+ "rid": "SV-204589r853992_rule",
+ "stig_id": "RHEL-07-040340",
+ "fix_id": "F-4713r88960_fix",
 "cci": [
- "CCI-000318",
- "CCI-000368",
- "CCI-001812",
- "CCI-001813",
- "CCI-001814"
+ "CCI-001133",
+ "CCI-002361"
 ],
 "nist": [
- "CM-3 f",
- "CM-6 c",
- "CM-11 (2)",
- "CM-5 (1)",
- "CM-5 (1) (a)"
+ "SC-10",
+ "AC-12"
 ],
 "subsystems": [
- "grub",
- "removable_media"
+ "ssh"
 ],
 "host": null
 },
- "code": "control 'SV-204501' do\n title 'The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader\n unless approved.'\n desc 'Malicious users with removable boot media can gain access to a system configured to use removable media as\n the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented\n with the Information System Security Officer (ISSO).'\n desc 'check', %q(Verify the system is not configured to use a boot loader on removable media.\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\nCheck for the existence of alternate boot loader configuration files with the following command:\n\n# find / -name grub.cfg\n/boot/grub2/grub.cfg\n\nIf a \"grub.cfg\" is found in any subdirectories other than \"/boot/grub2\" and \"/boot/efi/EFI/redhat\", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.\n\nCheck that the grub configuration file has the set root command in each menu entry with the following commands:\n\n# grep -cw menuentry /boot/grub2/grub.cfg\n1\n# grep 'set root' /boot/grub2/grub.cfg\nset root=(hd0,1)\n\nIf the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.)\n desc 'fix', 'Remove alternate methods of booting the system from removable media or document the configuration to\n boot from removable media with the ISSO.'\n impact 0.5\n tag legacy: ['SV-86699', 'V-72075']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000364-GPOS-00151'\n tag gid: 'V-204501'\n tag rid: 'SV-204501r861008_rule'\n tag stig_id: 'RHEL-07-021700'\n tag fix_id: 'F-4625r88696_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['grub', 'removable_media']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n roots = 
command('grubby --info=ALL | grep \"^root=\" | sed \"s/^root=//g\"')\n .stdout.strip.split(\"\\n\")\n\n blocks = roots.map do |root|\n root_file = file(root)\n root_file.symlink? ? root_file.link_path : root_file.path\n end\n\n blocks.each do |block|\n block_file = file(block)\n describe block_file do\n it { should exist }\n its('path') { should match %r{^/dev/} }\n end\n\n next unless block_file.exist? and block_file.path.match? %r{^/dev/}\n\n removable = ['/sys/block', block.sub(%r{^/dev/}, ''),\n 'removable'].join('/')\n describe file(removable) do\n it { should exist }\n its('content.strip') { should eq '0' }\n end\n end\n end\nend\n", + "code": "control 'SV-204589' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with SSH traffic terminate after a period of inactivity.'\n desc 'Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.'\n desc 'check', 'Verify the operating system automatically terminates a user session after inactivity time-outs have\n expired.\n Check for the value of the \"ClientAliveCountMax\" keyword with the following command:\n # grep -i clientalivecount /etc/ssh/sshd_config\n ClientAliveCountMax 0\n If \"ClientAliveCountMax\" is not set to \"0\", this is a finding.'\n desc 'fix', 'Configure the operating system to terminate automatically a user session after inactivity time-outs\n have expired or at shutdown.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor):\n ClientAliveCountMax 0\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86865', 'V-72241']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag satisfies: ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000279-GPOS-00109']\n tag gid: 'V-204589'\n tag rid: 'SV-204589r853992_rule'\n tag stig_id: 'RHEL-07-040340'\n tag fix_id: 'F-4713r88960_fix'\n tag cci: ['CCI-001133', 'CCI-002361']\n tag nist: ['SC-10', 'AC-12']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && 
!file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif os.release.to_f >= 7.4\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip 'The release is newer than 7.4; this control is Not Applicable.'\n end\n else\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp '0' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204501.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204589.rb", "line": 1 }, - "id": "SV-204501" + "id": "SV-204589" }, { - "title": "The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.", - "desc": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege\n separation.", + "desc": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would\n decrease the impact of software vulnerabilities in the unprivileged section.", "descriptions": { - "default": "Failure to restrict system access to authenticated users negatively impacts operating system security.", - "check": "Verify the operating system does not allow users to override environment variables to the SSH\n daemon.\n Check for the value of the \"PermitUserEnvironment\" keyword with the following command:\n # grep -i permituserenvironment /etc/ssh/sshd_config\n PermitUserEnvironment no\n If the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure the operating system to not allow users to override environment variables to the SSH daemon.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for 
\"PermitUserEnvironment\" keyword and set the\n value to \"no\":\n PermitUserEnvironment no\n The SSH service must be restarted for changes to take effect."
+ "default": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would\n decrease the impact of software vulnerabilities in the unprivileged section.",
+ "check": "Verify the SSH daemon performs privilege separation.\n Check that the SSH daemon performs privilege separation with the following command:\n # grep -i usepriv /etc/ssh/sshd_config\n UsePrivilegeSeparation sandbox\n If the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the returned line is commented out, this is a\n finding.",
+ "fix": "Uncomment the \"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"sandbox\" or \"yes\":\n UsePrivilegeSeparation sandbox\n The SSH service must be restarted for changes to take effect."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86581",
- "V-71957"
+ "SV-86889",
+ "V-72265"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00229",
- "gid": "V-204434",
- "rid": "SV-204434r877377_rule",
- "stig_id": "RHEL-07-010460",
- "fix_id": "F-4558r88495_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-204601",
+ "rid": "SV-204601r603261_rule",
+ "stig_id": "RHEL-07-040460",
+ "fix_id": "F-4725r88996_fix",
 "cci": [
 "CCI-000366"
 ], 
@@ -6710,516 +6557,530 @@
 ],
 "host": null
 },
- "code": "control 'SV-204434' do\n title 'The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.'\n desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'\n desc 'check', 'Verify the operating system does not allow users to override environment variables to the SSH\n daemon.\n Check for the value of the \"PermitUserEnvironment\" keyword with the following command:\n # grep -i permituserenvironment /etc/ssh/sshd_config\n PermitUserEnvironment no\n If the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to not allow users to override environment variables to the SSH daemon.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"PermitUserEnvironment\" keyword and set the\n value to \"no\":\n PermitUserEnvironment no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86581', 'V-71957']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-204434'\n tag rid: 'SV-204434r877377_rule'\n tag stig_id: 'RHEL-07-010460'\n tag fix_id: 'F-4558r88495_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('PermitUserEnvironment') { should eq 'no' }\n end\n end\nend\n",
+ "code": "control 'SV-204601' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege\n separation.'\n desc 'SSH daemon privilege separation causes the SSH process to 
drop root privileges when not needed, which would\n decrease the impact of software vulnerabilities in the unprivileged section.'\n desc 'check', 'Verify the SSH daemon performs privilege separation.\n Check that the SSH daemon performs privilege separation with the following command:\n # grep -i usepriv /etc/ssh/sshd_config\n UsePrivilegeSeparation sandbox\n If the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the returned line is commented out, this is a\n finding.'\n desc 'fix', 'Uncomment the \"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"sandbox\" or \"yes\":\n UsePrivilegeSeparation sandbox\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86889', 'V-72265']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204601'\n tag rid: 'SV-204601r603261_rule'\n tag stig_id: 'RHEL-07-040460'\n tag fix_id: 'F-4725r88996_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe.one do\n describe sshd_config do\n its('UsePrivilegeSeparation') { should cmp 'sandbox' }\n end\n describe sshd_config do\n its('UsePrivilegeSeparation') { should cmp 'yes' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204434.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204601.rb", "line": 1 }, - "id": "SV-204434" + "id": "SV-204601" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.", - "desc": "USB mass 
storage permits easy introduction of unknown devices, thereby facilitating malicious activity.", + "title": "The Red Hat Enterprise Linux operating system must have the required packages for multifactor\n authentication installed.", + "desc": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).", "descriptions": { - "default": "USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.", - "check": "Verify the operating system disables the ability to load the USB Storage kernel module.\n # grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n install usb-storage /bin/true\n If the command does not return any output, or the line is commented out, and use of USB Storage is not documented\n with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n Verify the operating system disables the ability to use USB mass storage devices.\n Check to see if USB mass storage is disabled with the following command:\n # grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist usb-storage\n If the command does not return any output or the output is not \"blacklist usb-storage\", and use of USB storage\n devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is\n a finding.", - "fix": "Configure the operating system to disable the ability to use the USB Storage kernel module.\n Create a file under \"/etc/modprobe.d\" with the following command:\n # touch /etc/modprobe.d/usb-storage.conf\n Add the following line to the created file:\n install usb-storage /bin/true\n Configure the operating system to disable the ability to use USB mass storage devices.\n # vi /etc/modprobe.d/blacklist.conf\n Add or update the line:\n blacklist usb-storage" + "default": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems 
gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).",
+ "check": "Verify the operating system has the packages required for multifactor authentication installed.\n Check for the presence of the packages required to support multifactor authentication with the following commands:\n # yum list installed pam_pkcs11\n pam_pkcs11-0.6.2-14.el7.noarch.rpm\n If the \"pam_pkcs11\" package is not installed, this is a finding.",
+ "fix": "Configure the operating system to implement multifactor authentication by installing the required packages.\n\nInstall the pam_pkcs11 package with the following command:\n\n# yum install pam_pkcs11"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86607",
- "V-71983"
+ "SV-87041",
+ "V-72417"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000114-GPOS-00059",
+ "gtitle": "SRG-OS-000375-GPOS-00160",
 "satisfies": [
- "SRG-OS-000114-GPOS-00059",
- "SRG-OS-000378-GPOS-00163",
- "SRG-OS-000480-GPOS-00227"
+ "SRG-OS-000375-GPOS-00160",
+ "SRG-OS-000375-GPOS-00161",
+ "SRG-OS-000375-GPOS-00162"
 ],
- "gid": "V-204449",
- "rid": "SV-204449r853891_rule",
- "stig_id": "RHEL-07-020100",
- "fix_id": "F-4573r462538_fix",
+ "gid": 
"V-204631",
+ "rid": "SV-204631r853997_rule",
+ "stig_id": "RHEL-07-041001",
+ "fix_id": "F-4755r462473_fix",
 "cci": [
- "CCI-000366",
- "CCI-000778",
- "CCI-001958"
+ "CCI-001948",
+ "CCI-001953",
+ "CCI-001954"
 ],
 "nist": [
- "CM-6 b",
- "IA-3",
- "IA-3"
+ "IA-2 (11)",
+ "IA-2 (12)",
+ "IA-2 (12)"
 ],
 "subsystems": [
- "usb",
- "kernel_module"
+ "MFA",
+ "smartcard"
 ],
 "host": null
 },
- "code": "control 'SV-204449' do\n title 'The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.'\n desc 'USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.'\n desc 'check', 'Verify the operating system disables the ability to load the USB Storage kernel module.\n # grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n install usb-storage /bin/true\n If the command does not return any output, or the line is commented out, and use of USB Storage is not documented\n with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n Verify the operating system disables the ability to use USB mass storage devices.\n Check to see if USB mass storage is disabled with the following command:\n # grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist usb-storage\n If the command does not return any output or the output is not \"blacklist usb-storage\", and use of USB storage\n devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is\n a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the USB Storage kernel module.\n Create a file under \"/etc/modprobe.d\" with the following command:\n # touch /etc/modprobe.d/usb-storage.conf\n Add the following line to the created file:\n install usb-storage /bin/true\n Configure the operating system to disable the ability to use USB mass storage devices.\n # vi 
/etc/modprobe.d/blacklist.conf\n Add or update the line:\n blacklist usb-storage'\n impact 0.5\n tag legacy: ['SV-86607', 'V-71983']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag satisfies: ['SRG-OS-000114-GPOS-00059', 'SRG-OS-000378-GPOS-00163', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-204449'\n tag rid: 'SV-204449r853891_rule'\n tag stig_id: 'RHEL-07-020100'\n tag fix_id: 'F-4573r462538_fix'\n tag cci: ['CCI-000366', 'CCI-000778', 'CCI-001958']\n tag nist: ['CM-6 b', 'IA-3', 'IA-3']\n tag subsystems: ['usb', 'kernel_module']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n describe kernel_module('usb_storage') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n end\nend\n", + "code": "control 'SV-204631' do\n title 'The Red Hat Enterprise Linux operating system must have the required packages for multifactor\n authentication installed.'\n desc \"Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. 
Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).\"\n desc 'check', 'Verify the operating system has the packages required for multifactor authentication installed.\n Check for the presence of the packages required to support multifactor authentication with the following commands:\n # yum list installed pam_pkcs11\n pam_pkcs11-0.6.2-14.el7.noarch.rpm\n If the \"pam_pkcs11\" package is not installed, this is a finding.'\n desc 'fix', 'Configure the operating system to implement multifactor authentication by installing the required packages.\n\nInstall the pam_pkcs11 package with the following command:\n\n# yum install pam_pkcs11'\n impact 0.5\n tag legacy: ['SV-87041', 'V-72417']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000375-GPOS-00161', 'SRG-OS-000375-GPOS-00162']\n tag gid: 'V-204631'\n tag rid: 'SV-204631r853997_rule'\n tag stig_id: 'RHEL-07-041001'\n tag fix_id: 'F-4755r462473_fix'\n tag cci: ['CCI-001948', 'CCI-001953', 'CCI-001954']\n tag nist: ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)']\n tag subsystems: ['MFA', 'smartcard']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n mfa_pkg_list = input('mfa_pkg_list')\n smart_card_status = input('smart_card_status')\n\n if smart_card_status.eql?('disabled')\n impact 0.5\n describe 'The system is not smartcard enabled thus this control is Not Applicable' do\n skip 'The system is not using Smartcards / PIVs to fulfill the MFA requirement, this control is Not Applicable.'\n end\n elsif 
mfa_pkg_list.empty?\n describe 'The required Smartcard packages have not been defined, please define them in your `inputs`' do\n subject { mfa_pkg_list }\n it { should_not be_empty }\n end\n else\n mfa_pkg_list.each do |pkg|\n describe \"As required for MFA, the package '#{pkg}'\" do\n subject { package(pkg.to_s) }\n it { should be_installed }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204449.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204631.rb", "line": 1 }, - "id": "SV-204449" + "id": "SV-204631" }, { - "title": "The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all\n accounts and/or account types.", - "desc": "Operating system management includes the ability to control the number of users and user sessions that\n utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the\n risks related to DoS attacks.\n This requirement addresses concurrent sessions for information system accounts and does not address concurrent\n sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined\n based on mission needs and the operational environment for each system.", + "title": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service\n packs, device drivers, or operating system components of local packages without verification they have been\n digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved\n by the organization.", + "desc": "Changes to any software components can have significant effects on the overall security of the operating\n system. 
This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.", "descriptions": { - "default": "Operating system management includes the ability to control the number of users and user sessions that\n utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the\n risks related to DoS attacks.\n This requirement addresses concurrent sessions for information system accounts and does not address concurrent\n sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined\n based on mission needs and the operational environment for each system.", - "check": "Verify the operating system limits the number of concurrent sessions to '10' for all accounts and/or\n account types by issuing the following command:\n # grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n * hard maxlogins 10\n This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n If the \"maxlogins\" item is missing, commented out, or the value is not set to '10' or less for all domains that have\n the \"maxlogins\" item assigned, this is a finding.", - "fix": "Configure the operating system to limit the number of concurrent sessions to '10' for all accounts\n and/or account types.\n Add the following line to the top of the /etc/security/limits.conf or in a \".conf\" file defined in\n /etc/security/limits.d/ :\n * hard maxlogins 10" + "default": "Changes to any software components can have significant effects on the overall security of the operating\n system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.", + "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or\n operating system components of local packages without verification that they have been digitally signed using a\n certificate that is recognized and approved by the organization.\n Check that yum verifies the signature of local packages prior to install with the following command:\n # grep localpkg_gpgcheck /etc/yum.conf\n localpkg_gpgcheck=1\n If \"localpkg_gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator\n how the signatures of local packages and other operating system components are verified.\n If there is no process to validate the signatures of local packages that is approved by the organization, this is a\n finding.", + "fix": "Configure the operating system to verify the signature of local packages prior to install by setting\n the following option in the \"/etc/yum.conf\" file:\n localpkg_gpgcheck=1" }, - "impact": 0.3, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "V-72217", - "SV-86841" + "V-71979", + "SV-86603" ], - "severity": "low", - "gtitle": "SRG-OS-000027-GPOS-00008", - "gid": "V-204576", - "rid": "SV-204576r877399_rule", - "stig_id": "RHEL-07-040000", - "fix_id": "F-4700r88921_fix", + "severity": "high", + "gtitle": "SRG-OS-000366-GPOS-00153", + "gid": "V-204448", + "rid": "SV-204448r877463_rule", + "stig_id": "RHEL-07-020060", + "fix_id": "F-4572r88537_fix", "cci": [ - "CCI-000054" + "CCI-001749" ], "nist": [ - "AC-10" + "CM-5 (3)" ], "subsystems": [ - "session" + "yum" ], "host": null, "container": null }, - "code": "control 'SV-204576' do\n title \"The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to #{input('maxlogins_limit')} for all\n accounts and/or account types.\"\n desc 
\"Operating system management includes the ability to control the number of users and user sessions that\n utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the\n risks related to DoS attacks.\n This requirement addresses concurrent sessions for information system accounts and does not address concurrent\n sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined\n based on mission needs and the operational environment for each system.\"\n desc 'check', \"Verify the operating system limits the number of concurrent sessions to '#{input('maxlogins_limit')}' for all accounts and/or\n account types by issuing the following command:\n # grep \\\"maxlogins\\\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n * hard maxlogins #{input('maxlogins_limit')}\n This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n If the \\\"maxlogins\\\" item is missing, commented out, or the value is not set to '#{input('maxlogins_limit')}' or less for all domains that have\n the \\\"maxlogins\\\" item assigned, this is a finding.\"\n desc 'fix', \"Configure the operating system to limit the number of concurrent sessions to '#{input('maxlogins_limit')}' for all accounts\n and/or account types.\n Add the following line to the top of the /etc/security/limits.conf or in a \\\".conf\\\" file defined in\n /etc/security/limits.d/ :\n * hard maxlogins #{input('maxlogins_limit')}\"\n impact 0.3\n tag legacy: ['V-72217', 'SV-86841']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000027-GPOS-00008'\n tag gid: 'V-204576'\n tag rid: 'SV-204576r877399_rule'\n tag stig_id: 'RHEL-07-040000'\n tag fix_id: 'F-4700r88921_fix'\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n tag subsystems: ['session']\n tag 'host'\n tag 'container'\n\n maxlogins_limit = input('maxlogins_limit')\n\n # Collect any files under limits.d if they exist\n 
limits_files = directory('/etc/security/limits.d').exist? ? command('ls /etc/security/limits.d/*.conf').stdout.strip.lines : []\n # Add limits.conf to the list\n limits_files.push('/etc/security/limits.conf')\n compliant_files = []\n noncompliant_files = []\n\n limits_files.each do |limits_file|\n # Get any universal limits from each file\n local_limits = limits_conf(limits_file).*\n # If we got an array (results) check further\n next unless local_limits.is_a?(Array)\n\n local_limits.each do |temp_limit|\n # For each result check if it is a 'hard' limit for 'maxlogins'\n if temp_limit.include?('hard') && temp_limit.include?('maxlogins')\n # If the limit is correct, push to compliant files\n if temp_limit[-1].to_i <= maxlogins_limit\n compliant_files.push(limits_file)\n # Otherwise add to noncompliant files\n else\n noncompliant_files.push(limits_file)\n end\n end\n end\n end\n\n # It is required that at least 1 file contain compliant configuration\n describe \"Files configuring maxlogins less than or equal to #{maxlogins_limit}\" do\n subject { compliant_files.length }\n it { should be_positive }\n end\n\n # No files should set 'hard' 'maxlogins' to any noncompliant value\n describe \"Files configuring maxlogins greater than #{maxlogins_limit}\" do\n subject { noncompliant_files }\n it { should cmp [] }\n end\nend\n", + "code": "control 'SV-204448' do\n title \"The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service\n packs, device drivers, or operating system components of local packages without verification they have been\n digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved\n by the organization.\"\n desc \"Changes to any software components can have significant effects on the overall security of the operating\n system. 
This requirement ensures the software has not been tampered with and that it has been provided by a trusted\n vendor.\n Accordingly, patches, service packs, device drivers, or operating system components must be signed with a\n certificate recognized and approved by the organization.\n Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade\n received from a vendor. This verifies the software has not been tampered with and that it has been provided by a\n trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to\n verify the software again. This requirement does not mandate #{input('org_name')[:acronym]} certificates for this purpose; however, the\n certificate used to verify the software must be from an approved CA.\"\n desc 'check', \"Verify the operating system prevents the installation of patches, service packs, device drivers, or\n operating system components of local packages without verification that they have been digitally signed using a\n certificate that is recognized and approved by the organization.\n Check that yum verifies the signature of local packages prior to install with the following command:\n # grep localpkg_gpgcheck /etc/yum.conf\n localpkg_gpgcheck=1\n If \\\"localpkg_gpgcheck\\\" is not set to \\\"1\\\", or if options are missing or commented out, ask the System Administrator\n how the signatures of local packages and other operating system components are verified.\n If there is no process to validate the signatures of local packages that is approved by the organization, this is a\n finding.\"\n desc 'fix', \"Configure the operating system to verify the signature of local packages prior to install by setting\n the following option in the \\\"/etc/yum.conf\\\" file:\n localpkg_gpgcheck=1\"\n impact 0.7\n tag legacy: ['V-71979', 'SV-86603']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-204448'\n 
tag rid: 'SV-204448r877463_rule'\n tag stig_id: 'RHEL-07-020060'\n tag fix_id: 'F-4572r88537_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag subsystems: ['yum']\n tag 'host'\n tag 'container'\n\n yum_conf = '/etc/yum.conf'\n\n if (f = file(yum_conf)).exist?\n describe ini(yum_conf) do\n its('main.localpkg_gpgcheck') { cmp 1 }\n end\n else\n describe f do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204576.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204448.rb", "line": 1 }, - "id": "SV-204576" + "id": "SV-204448" }, { - "title": "The Red Hat Enterprise Linux operating system must be a vendor supported release.", - "desc": "An operating system release is considered \"supported\" if the vendor continues to provide security patches\n for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the\n system software.\n Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for\n those customers who wish to standardize on a specific minor release for an extended period. 
RHEL 7.7 marks the final\n minor release that EUS will be available, while 7.9 is the final minor release overall.", + "title": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using\n multifactor authentication via a graphical user logon.", + "desc": "To assure accountability and prevent unauthenticated access, users must be identified and authenticated to\n prevent potential misuse and compromise of the system.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.", "descriptions": { - "default": "An operating system release is considered \"supported\" if the vendor continues to provide security patches\n for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the\n system software.\n Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for\n those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final\n minor release that EUS will be available, while 7.9 is the final minor release overall.", - "check": "Verify the version of the operating system is vendor supported.\n Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n Red Hat Enterprise Linux Server release 7.9 (Maipo)\n Current End of Extended Update Support for RHEL 7.6 is 31 May 2021.\n Current End of Extended Update Support for RHEL 7.7 is 30 August 2021.\n Current End of Maintenance Support for RHEL 7.9 is 30 June 2024.\n If the release is not supported by the vendor, this is a finding.", - "fix": "Upgrade to a supported version of the operating system." 
+ "default": "To assure accountability and prevent unauthenticated access, users must be identified and authenticated to\n prevent potential misuse and compromise of the system.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.", + "check": "Verify the operating system uniquely identifies and authenticates users using multifactor\n authentication via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Determine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n Note: The example is using the database local for the system, so the path is \"/etc/dconf/db/local.d\". This path must\n be modified if a database other than local is being used.\n # grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n enable-smartcard-authentication=true\n If \"enable-smartcard-authentication\" is set to \"false\" or the keyword is missing, this is a finding.", + "fix": "Configure the operating system to uniquely identify and authenticate users using multifactor\n authentication via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example is using the database local for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/00-defaults\n Edit \"[org/gnome/login-screen]\" and add or update the following line:\n enable-smartcard-authentication=true\n Update the 
system databases:\n # dconf update" }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "legacy": [ - "SV-86621", - "V-71997" + "V-77819", + "SV-92515" ], - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204458", - "rid": "SV-204458r744100_rule", - "stig_id": "RHEL-07-020250", - "fix_id": "F-4582r462547_fix", + "severity": "medium", + "gtitle": "SRG-OS-000375-GPOS-00160", + "satisfies": [ + "SRG-OS-000375-GPOS-00161", + "SRG-OS-000375-GPOS-00162" + ], + "gid": "V-204397", + "rid": "SV-204397r853879_rule", + "stig_id": "RHEL-07-010061", + "fix_id": "F-4521r88384_fix", "cci": [ - "CCI-000366" + "CCI-001948", + "CCI-001953", + "CCI-001954" ], "nist": [ - "CM-6 b" + "IA-2 (11)", + "IA-2 (12)", + "IA-2 (12)" ], "subsystems": [ - "redhat_release" + "gui" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204458' do\n title 'The Red Hat Enterprise Linux operating system must be a vendor supported release.'\n desc 'An operating system release is considered \"supported\" if the vendor continues to provide security patches\n for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the\n system software.\n Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for\n those customers who wish to standardize on a specific minor release for an extended period. 
RHEL 7.7 marks the final\n minor release that EUS will be available, while 7.9 is the final minor release overall.'\n desc 'check', 'Verify the version of the operating system is vendor supported.\n Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n Red Hat Enterprise Linux Server release 7.9 (Maipo)\n Current End of Extended Update Support for RHEL 7.6 is 31 May 2021.\n Current End of Extended Update Support for RHEL 7.7 is 30 August 2021.\n Current End of Maintenance Support for RHEL 7.9 is 30 June 2024.\n If the release is not supported by the vendor, this is a finding.'\n desc 'fix', 'Upgrade to a supported version of the operating system.'\n impact 0.7\n tag legacy: ['SV-86621', 'V-71997']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204458'\n tag rid: 'SV-204458r744100_rule'\n tag stig_id: 'RHEL-07-020250'\n tag fix_id: 'F-4582r462547_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['redhat_release']\n tag 'host'\n tag 'container'\n\n release = os.release\n if !release.match(/^7\\.[6789]/)\n describe \"RHEL #{release}\" do\n it 'is not a supported release' do\n supported_releases = ['7.6', '7.7', '7.8', '7.9']\n fail_msg = \"It should be one of the following supported releases: #{supported_releases}\"\n expect(release).to be_between(7.6, 7.9), fail_msg\n end\n end\n else\n EOMS_DATE = case release\n when /^7\\.6/\n '31 May 2021'\n when /^7\\.7/\n '30 August 2021'\n when /^7\\.8/\n '30 June 2024'\n when /^7\\.9/\n '30 June 2024'\n end\n\n describe \"The release \\\"#{release}\\\" must still be within the support window, ending #{EOMS_DATE}\" do\n subject { Date.today <= Date.parse(EOMS_DATE) }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-204397' do\n title 'The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using\n multifactor authentication via a graphical user logon.'\n desc \"To assure 
accountability and prevent unauthenticated access, users must be identified and authenticated to\n prevent potential misuse and compromise of the system.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card.\"\n desc 'check', 'Verify the operating system uniquely identifies and authenticates users using multifactor\n authentication via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Determine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n Note: The example is using the database local for the system, so the path is \"/etc/dconf/db/local.d\". This path must\n be modified if a database other than local is being used.\n # grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n enable-smartcard-authentication=true\n If \"enable-smartcard-authentication\" is set to \"false\" or the keyword is missing, this is a finding.'\n desc 'fix', 'Configure the operating system to uniquely identify and authenticate users using multifactor\n authentication via a graphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example is using the database local for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/00-defaults\n Edit \"[org/gnome/login-screen]\" and add or update the following line:\n 
enable-smartcard-authentication=true\n Update the system databases:\n # dconf update'\n impact 0.5\n tag legacy: ['V-77819', 'SV-92515']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00161', 'SRG-OS-000375-GPOS-00162']\n tag gid: 'V-204397'\n tag rid: 'SV-204397r853879_rule'\n tag stig_id: 'RHEL-07-010061'\n tag fix_id: 'F-4521r88384_fix'\n tag cci: ['CCI-001948', 'CCI-001953', 'CCI-001954']\n tag nist: ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n multifactor_enabled = input('multifactor_enabled')\n dconf_user = input('dconf_user')\n\n if package('gnome-desktop3').installed? && (package('pcsc-lite').installed? || package('esc').installed?)\n impact 0.5\n if !dconf_user.nil? && command('whoami').stdout.strip == 'root'\n describe command(\"sudo -u #{dconf_user} dconf read /org/gnome/login-screen/enable-smartcard-authentication\") do\n its('stdout.strip') { should eq multifactor_enabled.to_s }\n end\n else\n describe command('dconf read /org/gnome/login-screen/enable-smartcard-authentication') do\n its('stdout.strip') { should eq multifactor_enabled.to_s }\n end\n end\n else\n impact 0.0\n unless package('gnome-desktop3').installed?\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\n\n unless package('pcsc-lite').installed?\n describe 'The pcsc-lite package is not installed' do\n skip 'The pcsc-lite package is not installed, this control is Not Applicable.'\n end\n end\n unless package('esc').installed?\n describe 'The esc package is not installed' do\n skip 'The esc package is not installed, this control is Not Applicable.'\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 
STIG/controls/SV-204458.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204397.rb", "line": 1 }, - "id": "SV-204458" + "id": "SV-204397" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of\n functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component\n Local Service Assessment (PPSM CLSA) and vulnerability assessments.", - "desc": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or\n unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols on information systems.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services provided by default may not be necessary to support essential organizational operations. Additionally, it\n is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so\n increases risk over limiting the services provided by any one component.\n To support the requirements and principles of least functionality, the operating system must support the\n organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct official business or to address authorized\n quality of life issues.", + "title": "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to\n the central log server.", + "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote 
dameon. When\n audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be\n analyzed and tied back to the correct system.", "descriptions": { - "default": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or\n unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols on information systems.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services provided by default may not be necessary to support essential organizational operations. Additionally, it\n is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so\n increases risk over limiting the services provided by any one component.\n To support the requirements and principles of least functionality, the operating system must support the\n organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct official business or to address authorized\n quality of life issues.", - "check": "Inspect the firewall configuration and running services to verify that it is configured to prohibit\n or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.\n Check which services are currently active with the following command:\n # firewall-cmd --list-all\n public (default, active)\n interfaces: enp0s3\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n Ask the System Administrator for the site or program PPSM CLSA. 
Verify the services allowed by the firewall match\n the PPSM CLSA.\n If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols,\n or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.", - "fix": "Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site\n or program and the PPSM CAL." + "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When\n audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be\n analyzed and tied back to the correct system.", + "check": "Verify the audisp daemon is configured to label all off-loaded audit logs:\n # grep \"name_format\" /etc/audisp/audispd.conf\n name_format = hostname\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate\n if the logs are labeled appropriately.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.", + "fix": "Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:\n name_format = hostname\n The audit daemon must be restarted for changes to take effect:\n # service auditd restart" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72219", - "SV-86843" + "SV-95733", + "V-81021" ], "severity": "medium", - "gtitle": "SRG-OS-000096-GPOS-00050", + "gtitle": 
"SRG-OS-000342-GPOS-00133", "satisfies": [ - "SRG-OS-000096-GPOS-00050", - "SRG-OS-000297-GPOS-00115" + "SRG-OS-000342-GPOS-00133", + "SRG-OS-000479-GPOS-00224" ], - "gid": "V-204577", - "rid": "SV-204577r861069_rule", - "stig_id": "RHEL-07-040100", - "fix_id": "F-4701r88924_fix", + "gid": "V-204508", + "rid": "SV-204508r877390_rule", + "stig_id": "RHEL-07-030211", + "fix_id": "F-36313r602649_fix", + "cci": [ + "CCI-001851" + ], + "nist": [ + "AU-4 (1)" + ], + "subsystems": [ + "audit", + "audisp" + ], + "host": null + }, + "code": "control 'SV-204508' do\n title 'The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to\n the central log server.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. 
When\n audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be\n analyzed and tied back to the correct system.'\n desc 'check', 'Verify the audisp daemon is configured to label all off-loaded audit logs:\n # grep \"name_format\" /etc/audisp/audispd.conf\n name_format = hostname\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate\n if the logs are labeled appropriately.\n If there is no evidence that the system is configured to off-load audit logs to a different system or storage media,\n or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.'\n desc 'fix', 'Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:\n name_format = hostname\n The audit daemon must be restarted for changes to take effect:\n # service auditd restart'\n impact 0.5\n tag legacy: ['SV-95733', 'V-81021']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204508'\n tag rid: 'SV-204508r877390_rule'\n tag stig_id: 'RHEL-07-030211'\n tag fix_id: 'F-36313r602649_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n elsif file('/etc/audisp/audispd.conf').exist?\n\n describe parse_config_file('/etc/audisp/audispd.conf') do\n its('name_format') { should match(/^hostname$|^fqd$|^numeric$/i) }\n end\n else\n describe \"File '/etc/audisp/audispd.conf' cannot be found. 
This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually\"\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 7 STIG/controls/SV-204508.rb", + "line": 1 + }, + "id": "SV-204508" + }, + { + "title": "The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.", + "desc": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based\n authentication is not sufficient for preventing unauthorized access to the system, as it does not require\n interactive identification and authentication of a connection request, or for the use of two-factor authentication.", + "descriptions": { + "default": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based\n authentication is not sufficient for preventing unauthorized access to the system, as it does not require\n interactive identification and authentication of a connection request, or for the use of two-factor authentication.", + "check": "Verify there are no \"shosts.equiv\" files on the system.\n Check the system for the existence of these files with the following command:\n # find / -name shosts.equiv\n If any \"shosts.equiv\" files are found on the system, this is a finding.", + "fix": "Remove any found \"shosts.equiv\" files from the system.\n # rm /[path]/[to]/[file]/shosts.equiv" + }, + "impact": 0.7, + "refs": [], + "tags": { + "legacy": [ + "SV-86903", + "V-72279" + ], + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204607", + "rid": "SV-204607r603261_rule", + "stig_id": "RHEL-07-040550", + "fix_id": "F-4731r89014_fix", "cci": [ - "CCI-000382", - "CCI-002314" + "CCI-000366" ], "nist": [ - "CM-7 b", - "AC-17 (1)" + "CM-6 b" ], "subsystems": [ - "firewall", - "manual" + "ssh" ], "host": null, "container": null }, - "code": "control 
'SV-204577' do\n title 'The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of\n functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component\n Local Service Assessment (PPSM CLSA) and vulnerability assessments.'\n desc 'In order to prevent unauthorized connection of devices, unauthorized transfer of information, or\n unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols on information systems.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services provided by default may not be necessary to support essential organizational operations. Additionally, it\n is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so\n increases risk over limiting the services provided by any one component.\n To support the requirements and principles of least functionality, the operating system must support the\n organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct official business or to address authorized\n quality of life issues.'\n desc 'check', 'Inspect the firewall configuration and running services to verify that it is configured to prohibit\n or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.\n Check which services are currently active with the following command:\n # firewall-cmd --list-all\n public (default, active)\n interfaces: enp0s3\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n Ask the System Administrator for the site or program PPSM CLSA. 
Verify the services allowed by the firewall match\n the PPSM CLSA.\n If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols,\n or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.'\n desc 'fix', \"Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site\n or program and the PPSM CAL.\"\n impact 0.5\n tag legacy: ['V-72219', 'SV-86843']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000096-GPOS-00050'\n tag satisfies: ['SRG-OS-000096-GPOS-00050', 'SRG-OS-000297-GPOS-00115']\n tag gid: 'V-204577'\n tag rid: 'SV-204577r861069_rule'\n tag stig_id: 'RHEL-07-040100'\n tag fix_id: 'F-4701r88924_fix'\n tag cci: ['CCI-000382', 'CCI-002314']\n tag nist: ['CM-7 b', 'AC-17 (1)']\n tag subsystems: ['firewall', 'manual']\n tag 'host'\n tag 'container'\n\n if input('firewall_application_package') != ''\n describe 'Manual review of third-party firewall needed' do\n skip \"A manual review of firewall application \\'#{input('firewall_application_package')}\\' is needed to determine if it is properly configured\"\n end\n else\n\n firewalld_services_deny = input('firewalld_services_deny')\n firewalld_hosts_deny = input('firewalld_hosts_deny')\n firewalld_ports_deny = input('firewalld_ports_deny')\n firewalld_zones = input('firewalld_zones')\n iptables_rules = input('iptables_rules')\n\n if service('firewalld').running?\n\n # Check that the rules specified in 'firewalld_host_deny' are not enabled\n describe firewalld do\n firewalld_hosts_deny.each do |rule|\n it { should_not have_rule_enabled(rule) }\n end\n end\n\n # Check to make sure zones are specified\n if firewalld_zones.empty?\n describe \"Firewalld zones are not specified. Check 'firewalld_zones' input.\" do\n subject { firewalld_zones.empty? 
}\n it { should be false }\n end\n end\n\n # Check that the services specified in 'firewalld_services_deny' and\n # ports specified in 'firewalld_ports_deny' are not enabled\n firewalld_zones.each do |zone|\n if firewalld.has_zone?(zone)\n zone_services = firewalld_services_deny[zone.to_sym]\n zone_ports = firewalld_ports_deny[zone.to_sym]\n\n if !zone_services.nil?\n describe firewalld do\n zone_services.each do |serv|\n it { should_not have_service_enabled_in_zone(serv, zone) }\n end\n end\n else\n describe \"Services for zone '#{zone}' are not specified. Check 'firewalld_services_deny' input.\" do\n subject { zone_services.nil? }\n it { should be false }\n end\n end\n\n if !zone_ports.nil?\n describe firewalld do\n zone_ports.each do |port|\n it { should_not have_port_enabled_in_zone(port, zone) }\n end\n end\n else\n describe \"Ports for zone '#{zone}' are not specified. Check 'firewalld_ports_deny' input.\" do\n subject { zone_ports.nil? }\n it { should be false }\n end\n end\n else\n describe \"Firewalld zone '#{zone}' exists\" do\n subject { firewalld.has_zone?(zone) }\n it { should be true }\n end\n end\n end\n elsif service('iptables').running?\n describe iptables do\n iptables_rules.each do |rule|\n it { should have_rule(rule) }\n end\n end\n else\n describe 'An application firewall is running' do\n subject { service('firewalld').running? || service('iptables').running? }\n it { should eq true }\n end\n end\n end\nend\n", + "code": "control 'SV-204607' do\n title 'The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.'\n desc 'The shosts.equiv files are used to configure host-based authentication for the system via SSH. 
Host-based\n authentication is not sufficient for preventing unauthorized access to the system, as it does not require\n interactive identification and authentication of a connection request, or for the use of two-factor authentication.'\n desc 'check', 'Verify there are no \"shosts.equiv\" files on the system.\n Check the system for the existence of these files with the following command:\n # find / -name shosts.equiv\n If any \"shosts.equiv\" files are found on the system, this is a finding.'\n desc 'fix', 'Remove any found \"shosts.equiv\" files from the system.\n # rm /[path]/[to]/[file]/shosts.equiv'\n impact 0.7\n tag legacy: ['SV-86903', 'V-72279']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204607'\n tag rid: 'SV-204607r603261_rule'\n tag stig_id: 'RHEL-07-040550'\n tag fix_id: 'F-4731r89014_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe command('find / -xdev -xautofs -name shosts.equiv') do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204577.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204607.rb", "line": 1 }, - "id": "SV-204577" + "id": "SV-204607" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.", - "desc": "If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or 
those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key\n sequence is disabled in the Graphical User Interface.", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional\n reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.", "descriptions": { - "default": "If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", - "check": "The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]:\n\n# find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\nIf there is output, this is a finding.", - "fix": "All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. 
Following this, the files should be deleted or assigned to an appropriate group." + "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional\n reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.", + "check": "Note: If the operating system does not have a graphical user interface installed, this requirement\n is Not Applicable.\n Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following\n command:\n # grep logout /etc/dconf/db/local.d/*\n logout=''\n If \"logout\" is not set to use two single quotations, or is missing, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the\n following command:\n # touch /etc/dconf/db/local.d/00-disable-CAD\n Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "severity": "medium", + "legacy": [ + "V-94843", + "SV-104673" + ], + "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "satisfies": null, - "gid": "V-228563", - "rid": "SV-228563r744119_rule", - "stig_id": "RHEL-07-021031", - "fix_id": "F-19547r377220_fix", + "gid": "V-204456", + "rid": "SV-204456r603261_rule", + "stig_id": "RHEL-07-020231", + "fix_id": "F-4580r590041_fix", "cci": [ "CCI-000366" ], - "legacy": [], "nist": [ "CM-6 b" ], "subsystems": [ - "world_writable", - "ww_dirs" + "gui", + "general" ], "host": null }, - "code": 
"control 'SV-228563' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.'\n desc 'If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]:\n\n# find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\nIf there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. 
Following this, the files should be deleted or assigned to an appropriate group.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-228563'\n tag rid: 'SV-228563r744119_rule'\n tag stig_id: 'RHEL-07-021031'\n tag fix_id: 'F-19547r377220_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag subsystems: ['world_writable', 'ww_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ww_dirs = Set[]\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n partitions.each do |part|\n cmd = \"find #{part} -xdev -type d -perm -0002 -uid +999 -print\"\n ww_dirs += command(cmd).stdout.split(\"\\n\")\n end\n\n describe 'List of world-writeable directories which are not owned by system accounts across all partitions' do\n subject { ww_dirs.to_a }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-204456' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key\n sequence is disabled in the Graphical User Interface.'\n desc 'A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. 
In the graphical environment, risk of unintentional\n reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.'\n desc 'check', %q(Note: If the operating system does not have a graphical user interface installed, this requirement\n is Not Applicable.\n Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following\n command:\n # grep logout /etc/dconf/db/local.d/*\n logout=''\n If \"logout\" is not set to use two single quotations, or is missing, this is a finding.)\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the\n following command:\n # touch /etc/dconf/db/local.d/00-disable-CAD\n Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''\"\n impact 0.7\n tag legacy: ['V-94843', 'SV-104673']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204456'\n tag rid: 'SV-204456r603261_rule'\n tag stig_id: 'RHEL-07-020231'\n tag fix_id: 'F-4580r590041_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gui', 'general']\n tag 'host'\n\n if package('gnome-settings-daemon').installed?\n describe command('gsettings get org.gnome.settings-daemon.media-keys logout') do\n its('stdout.strip') { should cmp \"''\" }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-228563.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204456.rb", "line": 1 }, - "id": "SV-228563" + "id": "SV-204456" }, { - "title": "The Red Hat Enterprise Linux operating system must use a file integrity 
tool to verify correct operation of all security functions.", - "desc": "Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.", + "title": "The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles,\n and devices) if the password expires.", + "desc": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive\n identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n Operating systems need to track periods of inactivity and disable application identifiers after 35 days of\n inactivity.", "descriptions": { - "default": "Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n $ sudo rpm -q aide\n\n aide-0.15.1-13.el7.x86_64\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a finding.\n\nIf AIDE is installed, check if it has been initialized with the following command:\n $ sudo /usr/sbin/aide --check\n\nIf the output is \"Couldn't open file /var/lib/aide/aide.db.gz for reading\", this is a finding.", - "fix": "Install AIDE, initialize it, and perform a manual check.\n\nInstall AIDE:\n $ sudo yum install aide\n\nInitialize it:\n $ sudo /usr/sbin/aide --init\n\n AIDE, version 0.15.1\n ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.\n\nThe new database will need to be renamed to be read by AIDE:\n $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nPerform a manual check:\n $ sudo /usr/sbin/aide --check\n\n AIDE, version 0.15.1\n ### All files match AIDE database. Looks okay!\n\nDone." + "default": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive\n identifier and potentially obtain undetected access to the system. 
Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n Operating systems need to track periods of inactivity and disable application identifiers after 35 days of\n inactivity.", + "check": "If passwords are not being used for authentication, this is Not Applicable.\n Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the\n password expires with the following command:\n # grep -i inactive /etc/default/useradd\n INACTIVE=35\n If \"INACTIVE\" is set to \"-1\", a value greater than '35', is commented out, or is not defined, this is a finding.", + "fix": "Configure the operating system to disable account identifiers (individuals, groups, roles, and\n devices) 35 days after the password expires.\n Add the following line to \"/etc/default/useradd\" (or modify the line to have the required value):\n INACTIVE=35\n DoD recommendation is 35 days, but a lower value is acceptable. The value \"-1\" will disable this feature, and \"0\"\n will disable the account immediately after the password expires." 
}, "impact": 0.5, "refs": [], "tags": { + "legacy": [ + "SV-86565", + "V-71941" + ], "severity": "medium", - "gtitle": "SRG-OS-000445-GPOS-00199", - "satisfies": null, - "gid": "V-251705", - "rid": "SV-251705r880854_rule", - "stig_id": "RHEL-07-020029", - "fix_id": "F-55096r880853_fix", + "gtitle": "SRG-OS-000118-GPOS-00060", + "gid": "V-204426", + "rid": "SV-204426r809190_rule", + "stig_id": "RHEL-07-010310", + "fix_id": "F-4550r809189_fix", "cci": [ - "CCI-002696" + "CCI-000795" ], - "legacy": [], "nist": [ - "SI-6 a" + "IA-4 e" ], "subsystems": [ - "file_integrity_tool" + "user" ], "host": null, "container": null }, - "code": "control 'SV-251705' do\n title 'The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.'\n desc 'Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.'\n desc 'check', %q(Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n $ sudo rpm -q aide\n\n aide-0.15.1-13.el7.x86_64\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a finding.\n\nIf AIDE is installed, check if it has been initialized with the following command:\n $ sudo /usr/sbin/aide --check\n\nIf the output is \"Couldn't open file /var/lib/aide/aide.db.gz for reading\", this is a finding.)\n desc 'fix', 'Install AIDE, initialize it, and perform a manual check.\n\nInstall AIDE:\n $ sudo yum install aide\n\nInitialize it:\n $ sudo /usr/sbin/aide --init\n\n AIDE, version 0.15.1\n ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.\n\nThe new database will need to be renamed to be read by AIDE:\n $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nPerform a manual check:\n $ sudo /usr/sbin/aide --check\n\n AIDE, version 0.15.1\n ### All files match AIDE database. 
Looks okay!\n\nDone.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag satisfies: nil\n tag gid: 'V-251705'\n tag rid: 'SV-251705r880854_rule'\n tag stig_id: 'RHEL-07-020029'\n tag fix_id: 'F-55096r880853_fix'\n tag cci: ['CCI-002696']\n tag legacy: []\n tag nist: ['SI-6 a']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n tool = input('file_integrity_tool')\n\n if tool == 'aide'\n describe package('aide') do\n it { should be_installed }\n end\n\n aide_initialization = command('sudo /usr/sbin/aide --check').stdout.strip\n\n describe \"File integrity tool #{tool} should be initialized\" do\n subject { aide_initialization }\n it { should_not match /Couldn't\\sopen\\sfile/ }\n end\n else\n describe \"Manually review that #{tool} is installed and configured to perform file integrity checks\" do\n skip \"Manually review that #{tool} is installed and configured to perform file integrity checks\"\n end\n end\nend\n", + "code": "control 'SV-204426' do\n title 'The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles,\n and devices) if the password expires.'\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive\n identifier and potentially obtain undetected access to the system. 
Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n Operating systems need to track periods of inactivity and disable application identifiers after #{input('days_of_inactivity')} days of\n inactivity.\"\n desc 'check', \"If passwords are not being used for authentication, this is Not Applicable.\n Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the\n password expires with the following command:\n # grep -i inactive /etc/default/useradd\n INACTIVE=#{input('days_of_inactivity')}\n If \\\"INACTIVE\\\" is set to \\\"-1\\\", a value greater than '#{input('days_of_inactivity')}', is commented out, or is not defined, this is a finding.\"\n desc 'fix', \"Configure the operating system to disable account identifiers (individuals, groups, roles, and\n devices) #{input('days_of_inactivity')} days after the password expires.\n Add the following line to \\\"/etc/default/useradd\\\" (or modify the line to have the required value):\n INACTIVE=#{input('days_of_inactivity')}\n #{input('org_name')[:acronym]} recommendation is #{input('days_of_inactivity')} days, but a lower value is acceptable. The value \\\"-1\\\" will disable this feature, and \\\"0\\\"\n will disable the account immediately after the password expires.\"\n impact 0.5\n tag legacy: ['SV-86565', 'V-71941']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000118-GPOS-00060'\n tag gid: 'V-204426'\n tag rid: 'SV-204426r809190_rule'\n tag stig_id: 'RHEL-07-010310'\n tag fix_id: 'F-4550r809189_fix'\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n tag subsystems: ['user']\n tag 'host'\n tag 'container'\n\n if command(\"grep 'pam_unix.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'optional'\").stdout.empty? 
&& command(\"grep 'pam_permit.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'required'\").stdout.empty?\n describe parse_config_file('/etc/default/useradd') do\n its('INACTIVE') { should cmp <= input('days_of_inactivity') }\n its('INACTIVE') { should_not cmp -1 }\n its('INACTIVE') { should_not be_nil }\n end\n else\n impact 0.0\n describe 'The system is not using password for authentication' do\n skip 'The system is not using password for authentication, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-251705.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204426.rb", "line": 1 }, - "id": "SV-251705" + "id": "SV-204426" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is\n configured to store only encrypted representations of passwords.", - "desc": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", + "title": "The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data\n path.", + "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", "descriptions": { - "default": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", - "check": "Verify the PAM system service is configured to store only encrypted representations of passwords.\n The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n Check that the system is configured to create SHA512 hashed passwords with the following command:\n # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n Outcome should look like following:\n /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n If the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" configuration files allow for password hashes other\n than SHA512 to be used, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd the following line in \"/etc/pam.d/system-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\nAdd the following line in \"/etc/pam.d/password-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." 
+ "default": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", + "check": "Determine if the operating system is configured to have the \"/var/log/audit\" path is on a separate\n file system.\n # grep /var/log/audit /etc/fstab\n If no result is returned, or the operating system is not configured to have \"/var/log/audit\" on a separate file\n system, this is a finding.\n Verify that \"/var/log/audit\" is mounted on a separate file system:\n # mount | grep \"/var/log/audit\"\n If no result is returned, or \"/var/log/audit\" is not on a separate file system, this is a finding.", + "fix": "Migrate the system audit data path onto a separate file system." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "V-71919", - "SV-86543" + "SV-86687", + "V-72063" ], - "severity": "medium", - "gtitle": "SRG-OS-000073-GPOS-00041", - "gid": "V-204415", - "rid": "SV-204415r880833_rule", - "stig_id": "RHEL-07-010200", - "fix_id": "F-4539r880832_fix", + "severity": "low", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204495", + "rid": "SV-204495r603261_rule", + "stig_id": "RHEL-07-021330", + "fix_id": "F-4619r88678_fix", "cci": [ - "CCI-000196" + "CCI-000366" ], "nist": [ - "IA-5 (1) (c)" + "CM-6 b" ], "subsystems": [ - "pam", - "password" + "file_system", + "audit" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204415' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is\n configured to store only encrypted representations of passwords.'\n desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.'\n desc 'check', 'Verify the PAM system service is configured to store only encrypted representations of passwords.\n The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n Check that the system is configured to create SHA512 hashed passwords with the following command:\n # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n Outcome should look like following:\n /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n If the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" configuration files allow for password hashes other\n than SHA512 to be used, this is a finding.'\n desc 'fix', 'Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd the following line in \"/etc/pam.d/system-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\nAdd the following line in \"/etc/pam.d/password-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.'\n impact 0.5\n tag legacy: ['V-71919', 'SV-86543']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-204415'\n tag rid: 'SV-204415r880833_rule'\n tag stig_id: 'RHEL-07-010200'\n tag fix_id: 'F-4539r880832_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag subsystems: ['pam', 'password']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule('password sufficient pam_unix.so sha512') }\n its('lines') 
{ should_not match_pam_rule('password .* pam_unix.so (md5|bigcrypt|sha256|blowfish)') }\n end\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should match_pam_rule('password sufficient pam_unix.so sha512') }\n its('lines') { should_not match_pam_rule('password .* pam_unix.so (md5|bigcrypt|sha256|blowfish)') }\n end\nend\n", + "code": "control 'SV-204495' do\n title 'The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data\n path.'\n desc 'The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.'\n desc 'check', 'Determine if the operating system is configured to have the \"/var/log/audit\" path is on a separate\n file system.\n # grep /var/log/audit /etc/fstab\n If no result is returned, or the operating system is not configured to have \"/var/log/audit\" on a separate file\n system, this is a finding.\n Verify that \"/var/log/audit\" is mounted on a separate file system:\n # mount | grep \"/var/log/audit\"\n If no result is returned, or \"/var/log/audit\" is not on a separate file system, this is a finding.'\n desc 'fix', 'Migrate the system audit data path onto a separate file system.'\n impact 0.3\n tag legacy: ['SV-86687', 'V-72063']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204495'\n tag rid: 'SV-204495r603261_rule'\n tag stig_id: 'RHEL-07-021330'\n tag fix_id: 'F-4619r88678_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_system', 'audit']\n tag 'host'\n\n audit_data_path = command(\"dirname #{auditd_conf.log_file}\").stdout.strip\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe etc_fstab.where { mount_point == audit_data_path } do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red 
Hat 7 STIG/controls/SV-204415.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204495.rb", "line": 1 }, - "id": "SV-204415" + "id": "SV-204495" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat,\n open_by_handle_at, truncate, and ftruncate syscalls.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "title": "The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users\n in such a way that the user can only read and modify their own files.", + "desc": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not\n have unnecessary access.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", - "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep 'open\\|truncate\\|creat' /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"creat\", \"open\", \"openat\", \"open_by_handle_at\",\n \"truncate\", and \"ftruncate\" syscalls, this is a finding.\n If the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n If the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n -a always,exit 
-F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n The audit daemon must be restarted for the changes to take effect." + "default": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not\n have unnecessary access.", + "check": "Verify the operating system defines default permissions for all authenticated users in such a way\n that the user can only read and modify their own files.\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file with the following command:\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in \"/etc/login.defs\" file, the Severity is raised to a\n CAT I.\n # grep -i umask /etc/login.defs\n UMASK 077\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this\n is a finding.", + "fix": "Configure the operating system to define default permissions for all authenticated users in such a way\n that the user can only read and modify their own files.\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\" file to \"077\":\n UMASK 077" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86749", - "V-72125" + "SV-86619", + "V-71995" ], "severity": "medium", - "gtitle": "SRG-OS-000064-GPOS-00033", - "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000461-GPOS-00205", - "SRG-OS-000392-GPOS-00172" - ], - "gid": "V-204531", - "rid": "SV-204531r853917_rule", - "stig_id": "RHEL-07-030510", - "fix_id": "F-4655r853916_fix", + "gtitle": "SRG-OS-000480-GPOS-00228", + "gid": "V-204457", + "rid": "SV-204457r603261_rule", + "stig_id": "RHEL-07-020240", + "fix_id": "F-4581r88564_fix", "cci": [ - "CCI-000172", - "CCI-002884" + "CCI-000366" ], 
"nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "login_defs" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204531' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat,\n open_by_handle_at, truncate, and ftruncate syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', %q(Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep 'open\\|truncate\\|creat' /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"creat\", \"open\", \"openat\", \"open_by_handle_at\",\n \"truncate\", and \"ftruncate\" syscalls, this is a finding.\n If the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n If the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.)\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n -a 
always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F\n auid!=unset -k access\n -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000\n -F auid!=unset -k access\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86749', 'V-72125']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000064-GPOS-00033'\n tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000458-GPOS-00203', 'SRG-OS-000461-GPOS-00205', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204531'\n tag rid: 'SV-204531r853917_rule'\n tag stig_id: 'RHEL-07-030510'\n tag fix_id: 'F-4655r853916_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['creat', 'open', 'openat', 'open_by_handle_at', 'truncate', 'ftruncate']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1', 'exit=-EACCES', 'exit=-EPERM')\n expect(audit_rule.key.uniq).to include('access')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204457' do\n title 'The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users\n in such a way that the user can only read and modify 
their own files.'\n desc 'Setting the most restrictive default permissions ensures that when new accounts are created, they do not\n have unnecessary access.'\n desc 'check', 'Verify the operating system defines default permissions for all authenticated users in such a way\n that the user can only read and modify their own files.\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file with the following command:\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in \"/etc/login.defs\" file, the Severity is raised to a\n CAT I.\n # grep -i umask /etc/login.defs\n UMASK 077\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this\n is a finding.'\n desc 'fix', 'Configure the operating system to define default permissions for all authenticated users in such a way\n that the user can only read and modify their own files.\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\" file to \"077\":\n UMASK 077'\n impact 0.5\n tag legacy: ['SV-86619', 'V-71995']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00228'\n tag gid: 'V-204457'\n tag rid: 'SV-204457r603261_rule'\n tag stig_id: 'RHEL-07-020240'\n tag fix_id: 'F-4581r88564_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['login_defs']\n tag 'host'\n tag 'container'\n\n if login_defs.read_params['UMASK'].eql?('000')\n impact 0.5\n else\n impact 0.5\n end\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204531.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204457.rb", "line": 1 }, - "id": "SV-204531" + "id": "SV-204457" }, { - "title": "The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.", - "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the 
router, which can be used to bypass network security measures. This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the\n system is functioning as a router.", + "title": "The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.", + "desc": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the\n system is functioning as a router.", - "check": "If IPv6 is not enabled, the key will not exist, and this is Not Applicable.\n\nVerify the system does not accept IPv6 source-routed packets.\n\n # grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\n net.ipv6.conf.all.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", this is a finding.\n\nIf 
conflicting results are returned, this is a finding.", - "fix": "Set the system to the required kernel parameter, if IPv6 is enabled, by\nadding the following line to \"/etc/sysctl.conf\" or a configuration file in\nthe /etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv6.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" + "default": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.", + "check": "Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL", + "fix": "Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL" }, "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "V-72319", - "SV-86943" - ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204630", - "rid": "SV-204630r880827_rule", - "stig_id": "RHEL-07-040830", - "fix_id": "F-4754r880826_fix", + "satisfies": null, + "gid": "V-237633", + "rid": "SV-237633r646850_rule", + "stig_id": "RHEL-07-010341", + "fix_id": "F-40815r646849_fix", "cci": [ "CCI-000366" ], + "legacy": [], "nist": [ "CM-6 b" ], "subsystems": [ - "kernel_parameter", - "ipv6" + "sudo" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204630' do\n title 'The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n 
different path than configured on the router, which can be used to bypass network security measures. This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the\n system is functioning as a router.'\n desc 'check', 'If IPv6 is not enabled, the key will not exist, and this is Not Applicable.\n\nVerify the system does not accept IPv6 source-routed packets.\n\n # grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\n net.ipv6.conf.all.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter, if IPv6 is enabled, by\nadding the following line to \"/etc/sysctl.conf\" or a configuration file in\nthe /etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv6.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72319', 'SV-86943']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204630'\n tag rid: 'SV-204630r880827_rule'\n tag stig_id: 'RHEL-07-040830'\n tag fix_id: 'F-4754r880826_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv6']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker')\n 
impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_source_route = 0\n config_file_values = command('grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_source_route.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_source_route to #{accept_source_route}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe.one do\n describe kernel_parameter('net.ipv6.conf.all.accept_source_route') do\n its('value') { should eq accept_source_route }\n end\n # If IPv6 is disabled in the kernel it will return NIL\n describe kernel_parameter('net.ipv6.conf.all.accept_source_route') do\n its('value') { should eq nil }\n end\n end\n end\nend\n", + "code": "control 'SV-237633' do\n title 'The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.'\n desc 'The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. 
If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.'\n desc 'check', %q(Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL)\n desc 'fix', 'Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-237633'\n tag rid: 'SV-237633r646850_rule'\n tag stig_id: 'RHEL-07-010341'\n tag fix_id: 'F-40815r646849_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n sudoers = command(\"grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\").stdout\n describe 'Sudoers file' do\n it 'should restrict access to privilege escalation' do\n expect(sudoers).not_to match(/ALL\\s+ALL=\\(ALL[:ALL]?\\)\\s+ALL/)\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204630.rb", + "ref": "./Red Hat 7 STIG/controls/SV-237633.rb", "line": 1 }, - "id": "SV-204630" + "id": "SV-237633" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the\n /etc/sudoers.d/ directory.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.", - "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to access\n the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n Check for modification of the following files being audited by performing the following commands to check the file\n system rules in \"/etc/audit/audit.rules\":\n # grep -i \"/etc/sudoers\" /etc/audit/audit.rules\n -w /etc/sudoers -p wa -k privileged-actions\n # grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n If the commands do not return output that match the examples, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to\n access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/sudoers -p wa -k privileged-actions\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n The audit daemon must be restarted for the changes to take effect." 
- }, - "impact": 0.5, - "refs": [], - "tags": { - "legacy": [ - "V-72163", - "SV-86787" - ], - "severity": "medium", - "gtitle": "SRG-OS-000037-GPOS-00015", - "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-204549", - "rid": "SV-204549r853953_rule", - "stig_id": "RHEL-07-030700", - "fix_id": "F-4673r88840_fix", + "title": "The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.", + "desc": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", + "descriptions": { + "default": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", + "check": "Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nVerify the operating system confines SELinux users to roles that conform to least privilege.\n\nCheck the SELinux User list to SELinux Roles mapping by using the following command:\n\n$ sudo semanage user -l\nSELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles\nguest_u user s0 s0 guest_r\nroot user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r\nstaff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r\nsysadm_u user s0 s0-s0:c0.c1023 sysadm_r\nsystem_u user s0 s0-s0:c0.c1023 system_r unconfined_r\nunconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r\nuser_u user s0 s0 user_r\nxguest_u user s0 s0 xguest_r\n\nIf the output differs from the above example, ask the SA to demonstrate how the SELinux User mappings are exercising least privilege. 
If deviations from the example are not documented with the ISSO and do not demonstrate least privilege, this is a finding.", + "fix": "Configure the operating system to confine SELinux users to roles that conform to least privilege.\n\nUse the following command to map the \"staff_u\" SELinux user to the \"staff_r\" and \"sysadm_r\" roles:\n\n$ sudo semanage user -m staff_u -R staff_r -R sysadm_r\n\nUse the following command to map the \"user_u\" SELinux user to the \"user_r\" role:\n\n$ sudo semanage -m user_u -R user_r" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium", + "gtitle": "SRG-OS-000324-GPOS-00125", + "satisfies": null, + "gid": "V-250312", + "rid": "SV-250312r877392_rule", + "stig_id": "RHEL-07-020021", + "fix_id": "F-53700r792842_fix", "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" + "CCI-002165", + "CCI-002235" ], + "legacy": [], "nist": [ - "AU-3", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)", - "AU-3 a" + "AC-3 (4)", + "AC-6 (10)" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "selinux" ], "host": null }, - "code": "control 'SV-204549' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the\n /etc/sudoers.d/ directory.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to access\n the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n Check for modification of the following files being audited by performing the following commands to check the file\n system rules in \"/etc/audit/audit.rules\":\n # grep -i \"/etc/sudoers\" /etc/audit/audit.rules\n -w /etc/sudoers -p wa -k privileged-actions\n # grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n If the commands do not return output that match the examples, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to\n access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/sudoers -p wa -k privileged-actions\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72163', 'SV-86787']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204549'\n tag rid: 'SV-204549r853953_rule'\n tag stig_id: 'RHEL-07-030700'\n tag fix_id: 'F-4673r88840_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_commands = ['/etc/sudoers', '/etc/sudoers.d/']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on 
the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n audit_commands.each do |audit_command|\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'privileged-actions'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-250312' do\n title 'The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.'\n desc 'Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.'\n desc 'check', 'Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nVerify the operating system confines SELinux users to roles that conform to least privilege.\n\nCheck the SELinux User list to SELinux Roles mapping by using the following command:\n\n$ sudo semanage user -l\nSELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles\nguest_u user s0 s0 guest_r\nroot user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r\nstaff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r\nsysadm_u user s0 s0-s0:c0.c1023 sysadm_r\nsystem_u user s0 s0-s0:c0.c1023 system_r unconfined_r\nunconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r\nuser_u user s0 s0 user_r\nxguest_u user s0 s0 xguest_r\n\nIf the output differs from the above example, ask the SA to demonstrate how the SELinux User mappings are exercising least privilege. 
If deviations from the example are not documented with the ISSO and do not demonstrate least privilege, this is a finding.'\n desc 'fix', 'Configure the operating system to confine SELinux users to roles that conform to least privilege.\n\nUse the following command to map the \"staff_u\" SELinux user to the \"staff_r\" and \"sysadm_r\" roles:\n\n$ sudo semanage user -m staff_u -R staff_r -R sysadm_r\n\nUse the following command to map the \"user_u\" SELinux user to the \"user_r\" role:\n\n$ sudo semanage -m user_u -R user_r'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag satisfies: nil\n tag gid: 'V-250312'\n tag rid: 'SV-250312r877392_rule'\n tag stig_id: 'RHEL-07-020021'\n tag fix_id: 'F-53700r792842_fix'\n tag cci: ['CCI-002165', 'CCI-002235']\n tag legacy: []\n tag nist: ['AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container -- kernel config' do\n skip 'Control not applicable within a container -- kernel config'\n end\n else\n\n expected_mapping = {\n 'staff_u' => ['staff_r', 'sysadm_r'],\n 'user_u' => ['user_r']\n }\n\n selinux_users = command('semanage user -l').stdout.strip\n\n describe 'SELinux user-role mappings' do\n expected_mapping.keys.each do |user|\n staff_user_mapping = selinux_users.match(/^#{user}.+\\d+\\s+(?.*)$/)\n staff_user_roles = staff_user_mapping['roles'].split.to_set unless staff_user_mapping.nil?\n\n it \"should set SELinux user \\'#{user}\\' to only have roles: #{expected_mapping[user].join(' ')}\" do\n expect(staff_user_mapping).not_to be_nil, \"No user \\'#{user}\\'found\"\n expect(staff_user_roles).to eq expected_mapping[user].to_set\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204549.rb", + "ref": "./Red Hat 7 STIG/controls/SV-250312.rb", "line": 1 }, - "id": "SV-204549" + "id": "SV-250312" }, { - "title": "The Red Hat 
Enterprise Linux operating system must take appropriate action when the remote logging buffer\n is full.", - "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When\n the remote buffer is full, audit logs will not be collected and sent to the central log server.", + "title": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4)\n source-routed packets.", + "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. 
When\n the remote buffer is full, audit logs will not be collected and sent to the central log server.", - "check": "Verify the audisp daemon is configured to take an appropriate action when the internal queue is\n full:\n # grep \"overflow_action\" /etc/audisp/audispd.conf\n overflow_action = syslog\n If the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate\n what action that system takes when the internal queue is full.\n If there is no evidence the system is configured to off-load audit logs to a different system or storage media or,\n if the configuration does not take appropriate action when the internal queue is full, this is a finding.", - "fix": "Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:\n overflow_action = syslog\n The audit daemon must be restarted for changes to take effect:\n # service auditd restart" + "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.", + "check": "Verify the system does not accept IPv4 source-routed packets.\n\n # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\n net.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl -system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-81019", - "SV-95731" + "V-72283", + "SV-86907" ], "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "satisfies": [ - "SRG-OS-000342-GPOS-00133", - "SRG-OS-000479-GPOS-00224" - ], - "gid": "V-204507", - "rid": "SV-204507r877390_rule", - "stig_id": "RHEL-07-030210", - "fix_id": "F-36312r602646_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204609", + "rid": "SV-204609r880797_rule", + "stig_id": "RHEL-07-040610", + "fix_id": "F-4733r880796_fix", "cci": [ - "CCI-001851" + "CCI-000366" ], "nist": [ - "AU-4 (1)" + "CM-6 b" ], "subsystems": [ - 
"audit", - "audisp" + "kernel_parameter", + "ipv4" ], "host": null }, - "code": "control 'SV-204507' do\n title 'The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer\n is full.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When\n the remote buffer is full, audit logs will not be collected and sent to the central log server.'\n desc 'check', 'Verify the audisp daemon is configured to take an appropriate action when the internal queue is\n full:\n # grep \"overflow_action\" /etc/audisp/audispd.conf\n overflow_action = syslog\n If the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate\n what action that system takes when the internal queue is full.\n If there is no evidence the system is configured to off-load audit logs to a different system or storage media or,\n if the configuration does not take appropriate action when the internal queue is full, this is a finding.'\n desc 'fix', 'Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:\n overflow_action = syslog\n The audit daemon must be restarted for changes to take effect:\n # service auditd restart'\n impact 0.5\n tag legacy: ['V-81019', 'SV-95731']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204507'\n tag rid: 'SV-204507r877390_rule'\n tag stig_id: 'RHEL-07-030210'\n tag fix_id: 'F-36312r602646_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: 
['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n elsif file('/etc/audisp/audispd.conf').exist?\n describe parse_config_file('/etc/audisp/audispd.conf') do\n its('overflow_action') { should match(/syslog$|single$|halt$/i) }\n end\n else\n describe \"File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually\"\n end\n end\nend\n", + "code": "control 'SV-204609' do\n title 'The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4)\n source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.'\n desc 'check', 'Verify the system does not accept IPv4 source-routed packets.\n\n # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\n net.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl -system'\n impact 0.5\n tag legacy: ['V-72283', 'SV-86907']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204609'\n tag rid: 'SV-204609r880797_rule'\n tag stig_id: 'RHEL-07-040610'\n tag fix_id: 'F-4733r880796_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_source_route = 0\n 
config_file_values = command('grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_source_route.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_source_route to #{accept_source_route}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.all.accept_source_route' do\n subject { kernel_parameter('net.ipv4.conf.all.accept_source_route') }\n its('value') { should eq accept_source_route }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204507.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204609.rb", "line": 1 }, - "id": "SV-204507" + "id": "SV-204609" }, { - "title": "The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is\n a router.", - "desc": "Routing protocol daemons are typically used on routers to exchange network topology information with other\n routers. If this software is used when not required, system network information may be unnecessarily transmitted\n across the network.", + "title": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4)\n source-routed packets by default.", + "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.", "descriptions": { - "default": "Routing protocol daemons are typically used on routers to exchange network topology information with other\n routers. If this software is used when not required, system network information may be unnecessarily transmitted\n across the network.", - "check": "Verify the system is not performing packet forwarding, unless the system is a router.\n\n # grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.ip_forward = 0\n\nIf \"net.ipv4.ip_forward\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system does not implement IP forwarding using the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.ip_forward\n net.ipv4.ip_forward = 0\n\nIf IP forwarding value is \"1\" and the system is hosting any application, database, or web servers, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.ip_forward = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" + "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.", + "check": "Verify the system does not accept IPv4 source-routed packets by default.\n\n # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\n net.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86933", - "V-72309" + "V-72285", + "SV-86909" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204625", - "rid": "SV-204625r880824_rule", - "stig_id": "RHEL-07-040740", - "fix_id": "F-4749r880823_fix", + "gid": "V-204612", + "rid": "SV-204612r880806_rule", + "stig_id": "RHEL-07-040620", + "fix_id": "F-4736r880805_fix", "cci": [ "CCI-000366" ], 
@@ -7227,706 +7088,701 @@ "CM-6 b" ], "subsystems": [ - "kernel_parameter" + "kernel_parameter", + "ipv4" ], "host": null }, - "code": "control 'SV-204625' do\n title 'The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is\n a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other\n routers. If this software is used when not required, system network information may be unnecessarily transmitted\n across the network.'\n desc 'check', 'Verify the system is not performing packet forwarding, unless the system is a router.\n\n # grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.ip_forward = 0\n\nIf \"net.ipv4.ip_forward\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system does not implement IP forwarding using the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.ip_forward\n net.ipv4.ip_forward = 0\n\nIf IP forwarding value is \"1\" and the system is hosting any application, database, or web servers, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.ip_forward = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['SV-86933', 'V-72309']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204625'\n tag rid: 'SV-204625r880824_rule'\n tag stig_id: 'RHEL-07-040740'\n tag fix_id: 'F-4749r880823_fix'\n tag cci: ['CCI-000366']\n tag nist: 
['CM-6 b']\n tag subsystems: ['kernel_parameter']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n ip_forward = 0\n config_file_values = command('grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [ip_forward.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set ip_forward to #{ip_forward}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.ip_forward' do\n subject { kernel_parameter('net.ipv4.ip_forward') }\n its('value') { should eq ip_forward }\n end\n end\nend\n", + "code": "control 'SV-204612' do\n title 'The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4)\n source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.'\n desc 'check', 'Verify the system does not accept IPv4 source-routed packets by default.\n\n # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\n net.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72285', 'SV-86909']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204612'\n tag rid: 'SV-204612r880806_rule'\n tag stig_id: 'RHEL-07-040620'\n tag fix_id: 'F-4736r880805_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n 
accept_source_route = 0\n\n config_file_values = command('grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_source_route.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_source_route to #{accept_source_route}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.default.accept_source_route' do\n subject { kernel_parameter('net.ipv4.conf.default.accept_source_route') }\n its('value') { should eq accept_source_route }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204625.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204612.rb", "line": 1 }, - "id": "SV-204625" + "id": "SV-204612" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and\n Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record\n storage capacity is reached.", + "desc": "If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/sbin/postqueue\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default": "If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.", + "check": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the\n threshold for the repository maximum audit record storage capacity is reached.\n Check what account the operating system emails when the threshold for the repository maximum audit record storage\n capacity is reached with the following command:\n # grep -i action_mail_acct /etc/audit/auditd.conf\n action_mail_acct = root\n If the value of the \"action_mail_acct\" keyword is not set to \"root\" and other accounts for security personnel, this\n is a finding.", + "fix": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold\n for the repository maximum audit record storage capacity is reached.\n Uncomment or edit the \"action_mail_acct\" keyword in \"/etc/audit/auditd.conf\" and set it to root and any other\n accounts associated with security personnel.\n action_mail_acct = root" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86801", - "V-72177" + "V-72093", + "SV-86717" ], "severity": "medium", - "gtitle": "SRG-OS-000042-GPOS-00020", - "satisfies": [ - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172" - ], - "gid": "V-204555", - "rid": "SV-204555r861062_rule", - "stig_id": "RHEL-07-030770", - "fix_id": "F-4679r861061_fix", + "gtitle": "SRG-OS-000343-GPOS-00134", + "gid": "V-204515", + "rid": "SV-204515r877389_rule", + "stig_id": "RHEL-07-030350", + "fix_id": "F-4639r88738_fix", "cci": [ - "CCI-000135", - "CCI-002884" + "CCI-001855" ], "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" + "AU-5 (1)" ], "subsystems": [ "audit", - "auditd", - "audit_rule" + "auditd" ], "host": null }, - "code": "control 'SV-204555' do\n title 'The Red Hat Enterprise Linux operating 
system must audit all uses of the postqueue command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/sbin/postqueue\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86801', 'V-72177']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172']\n tag gid: 'V-204555'\n tag rid: 'SV-204555r861062_rule'\n tag stig_id: 'RHEL-07-030770'\n tag fix_id: 
'F-4679r861061_fix'\n tag cci: ['CCI-000135', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/postqueue'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-postfix')\n end\n end\n end\nend\n", + "code": "control 'SV-204515' do\n title 'The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and\n Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record\n storage capacity is reached.'\n desc 'If security personnel are not notified immediately when the threshold for the repository maximum audit\n record storage capacity is reached, they are unable to expand the audit record storage capacity before records are\n lost.'\n desc 'check', 'Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the\n threshold for the repository maximum audit record storage capacity is reached.\n Check what account the operating system emails when the threshold for the repository maximum audit record storage\n capacity is reached with the following command:\n # grep -i action_mail_acct /etc/audit/auditd.conf\n action_mail_acct = root\n If the value of the \"action_mail_acct\" keyword is not set to \"root\" and other accounts for security personnel, this\n is a finding.'\n desc 'fix', 'Configure the operating 
system to immediately notify the SA and ISSO (at a minimum) when the threshold\n for the repository maximum audit record storage capacity is reached.\n Uncomment or edit the \"action_mail_acct\" keyword in \"/etc/audit/auditd.conf\" and set it to root and any other\n accounts associated with security personnel.\n action_mail_acct = root'\n impact 0.5\n tag legacy: ['V-72093', 'SV-86717']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-204515'\n tag rid: 'SV-204515r877389_rule'\n tag stig_id: 'RHEL-07-030350'\n tag fix_id: 'F-4639r88738_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe auditd_conf do\n its('action_mail_acct') { should cmp 'root' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204555.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204515.rb", "line": 1 }, - "id": "SV-204555" + "id": "SV-204515" }, { - "title": "The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces\n when the screensaver is activated.", - "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses 
of the pam_timestamp_check command.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", - "check": "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nIf GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:\n\n # grep -i lock-delay /etc/dconf/db/local.d/*\n lock-delay=uint32 5\n\nIf the \"lock-delay\" setting is missing, or is not set to \"5\" or less, this is a finding.", - "fix": "Configure the operating system to initiate a session lock for graphical user interfaces when a\n screensaver is activated.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n 
# touch /etc/dconf/db/local.d/00-screensaver\n Add the setting to enable session locking when a screensaver is activated:\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n The \"uint32\" must be included along with the integer key values as shown.\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam\n\nThe audit daemon must be restarted for the changes to take effect." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71901", - "SV-86525" + "V-72185", + "SV-86809" ], "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "gid": "V-204404", - "rid": "SV-204404r880788_rule", - "stig_id": "RHEL-07-010110", - "fix_id": "F-4528r880787_fix", + "gtitle": "SRG-OS-000471-GPOS-00215", + "gid": "V-204558", + "rid": "SV-204558r833166_rule", + "stig_id": "RHEL-07-030810", + "fix_id": "F-4682r833165_fix", "cci": [ - "CCI-000057" + "CCI-000172" ], "nist": [ - "AC-11 a" + "AU-12 c" ], "subsystems": [ - "gui", - "screensaver", - "lock", - "session" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204404' do\n title 'The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces\n when the screensaver is activated.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', 'Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nIf GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:\n\n # grep -i lock-delay /etc/dconf/db/local.d/*\n lock-delay=uint32 5\n\nIf the \"lock-delay\" setting is missing, or is not set to \"5\" or less, this is a finding.'\n desc 'fix', 'Configure the operating system 
to initiate a session lock for graphical user interfaces when a\n screensaver is activated.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Add the setting to enable session locking when a screensaver is activated:\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n The \"uint32\" must be included along with the integer key values as shown.\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.'\n impact 0.5\n tag legacy: ['V-71901', 'SV-86525']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204404'\n tag rid: 'SV-204404r880788_rule'\n tag stig_id: 'RHEL-07-010110'\n tag fix_id: 'F-4528r880787_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui', 'screensaver', 'lock', 'session']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command(\"gsettings get org.gnome.desktop.screensaver lock-delay | cut -d ' ' -f2\") do\n its('stdout.strip') { should cmp <= input('lock_delay') }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-204558' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n When a user logs on, the auid is set to the uid 
of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72185', 'SV-86809']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00215'\n tag gid: 'V-204558'\n tag rid: 'SV-204558r833166_rule'\n tag stig_id: 'RHEL-07-030810'\n tag fix_id: 'F-4682r833165_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/pam_timestamp_check'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 
'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-pam')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204404.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204558.rb", "line": 1 }, - "id": "SV-204404" + "id": "SV-204558" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict\n mode checking of home directory configuration files.", - "desc": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to\n the system as another user.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least 1 special character.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", "descriptions": { - "default": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to\n the system as another user.", - "check": "Verify the SSH daemon performs strict mode checking of home directory configuration files.\n The location of the \"sshd_config\" file may vary if a different daemon is in use.\n Inspect the \"sshd_config\" file with the following command:\n # grep -i strictmodes /etc/ssh/sshd_config\n StrictModes yes\n If \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or\n be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to\n \"yes\":\n StrictModes yes\n The SSH service must be restarted for changes to take effect." + "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "check": "Verify the operating system enforces password complexity by requiring that at least 1 special\n character be used.\n Note: The value to require a number of special characters to be set is expressed as a negative number in\n \"/etc/security/pwquality.conf\".\n Check the value for \"ocredit\" in \"/etc/security/pwquality.conf\" with the following command:\n # grep ocredit /etc/security/pwquality.conf\n ocredit=-1\n If the value of \"ocredit\" is not set to a negative value, this is a finding.", + "fix": "Configure the operating system to enforce password complexity by requiring that at least 1 special\n character be used by setting the \"ocredit\" option.\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n ocredit = -1" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86887", - "V-72263" + "SV-86533", + "V-71909" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204600", - "rid": "SV-204600r603261_rule", - "stig_id": "RHEL-07-040450", - "fix_id": "F-4724r88993_fix", + "gtitle": "SRG-OS-000266-GPOS-00101", + "gid": "V-204410", + "rid": "SV-204410r603261_rule", + "stig_id": "RHEL-07-010150", + "fix_id": "F-4534r88423_fix", "cci": [ - "CCI-000366" + "CCI-001619" ], "nist": [ - "CM-6 b" + "IA-5 (1) (a)" ], "subsystems": [ - "ssh" + "pwquality", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204600' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict\n mode checking of home directory configuration files.'\n desc 'If other users have access to modify user-specific SSH configuration files, they may be able to log on to\n the system as another user.'\n desc 'check', 'Verify the SSH daemon performs strict mode checking 
of home directory configuration files.\n The location of the \"sshd_config\" file may vary if a different daemon is in use.\n Inspect the \"sshd_config\" file with the following command:\n # grep -i strictmodes /etc/ssh/sshd_config\n StrictModes yes\n If \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.'\n desc 'fix', 'Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or\n be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to\n \"yes\":\n StrictModes yes\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86887', 'V-72263']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204600'\n tag rid: 'SV-204600r603261_rule'\n tag stig_id: 'RHEL-07-040450'\n tag fix_id: 'F-4724r88993_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('StrictModes') { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-204410' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least #{input('min_special_characters')} special character.\"\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes 
to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', \"Verify the operating system enforces password complexity by requiring that at least #{input('min_special_characters')} special\n character be used.\n Note: The value to require a number of special characters to be set is expressed as a negative number in\n \\\"/etc/security/pwquality.conf\\\".\n Check the value for \\\"ocredit\\\" in \\\"/etc/security/pwquality.conf\\\" with the following command:\n # grep ocredit /etc/security/pwquality.conf\n ocredit=-#{input('min_special_characters')}\n If the value of \\\"ocredit\\\" is not set to a negative value, this is a finding.\"\n desc 'fix', \"Configure the operating system to enforce password complexity by requiring that at least #{input('min_special_characters')} special\n character be used by setting the \\\"ocredit\\\" option.\n Add the following line to \\\"/etc/security/pwquality.conf\\\" (or modify the line to have the required value):\n ocredit = -#{input('min_special_characters')}\"\n impact 0.5\n tag legacy: ['SV-86533', 'V-71909']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000266-GPOS-00101'\n tag gid: 'V-204410'\n tag rid: 'SV-204410r603261_rule'\n tag stig_id: 'RHEL-07-010150'\n tag fix_id: 'F-4534r88423_fix'\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('ocredit') { should cmp <= -input('min_special_characters') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204600.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204410.rb", "line": 1 }, - "id": "SV-204600" + "id": "SV-204410" }, { - "title": "The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users\n in such a way that the user can only read and 
modify their own files.", - "desc": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not\n have unnecessary access.", + "title": "The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.", + "desc": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", "descriptions": { - "default": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not\n have unnecessary access.", - "check": "Verify the operating system defines default permissions for all authenticated users in such a way\n that the user can only read and modify their own files.\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file with the following command:\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in \"/etc/login.defs\" file, the Severity is raised to a\n CAT I.\n # grep -i umask /etc/login.defs\n UMASK 077\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this\n is a finding.", - "fix": "Configure the operating system to define default permissions for all authenticated users in such a way\n that the user can only read and modify their own files.\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\" file to \"077\":\n UMASK 077" + "default": "Preventing non-privileged users 
from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", + "check": "Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nVerify the operating system prevents privileged accounts from utilizing SSH.\nCheck the SELinux ssh_sysadm_login boolean with the following command:\n\n$ sudo getsebool ssh_sysadm_login\nssh_sysadm_login --> off\n\nIf the \"ssh_sysadm_login\" boolean is not \"off\" and is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Configure the operating system to prevent privileged accounts from utilizing SSH.\nUse the following command to set the \"ssh_sysadm_login\" boolean to \"off\":\n\n$ sudo setsebool -P ssh_sysadm_login off\n\nNote: SELinux confined users mapped to sysadm_u are not allowed to login to the system over SSH, by default. If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to \"on\" with the following command:\n\n$ sudo setsebool -P ssh_sysadm_login on\n\nThis must be documented with the ISSO as an operational requirement." 
},
 "impact": 0.5,
- "refs": [],
- "tags": {
- "legacy": [
- "SV-86619",
- "V-71995"
- ],
+ "refs": [],
+ "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00228",
- "gid": "V-204457",
- "rid": "SV-204457r603261_rule",
- "stig_id": "RHEL-07-020240",
- "fix_id": "F-4581r88564_fix",
+ "gtitle": "SRG-OS-000324-GPOS-00125",
+ "satisfies": null,
+ "gid": "V-250313",
+ "rid": "SV-250313r877392_rule",
+ "stig_id": "RHEL-07-020022",
+ "fix_id": "F-53701r792845_fix",
 "cci": [
- "CCI-000366"
+ "CCI-002165",
+ "CCI-002235"
 ],
+ "legacy": [],
 "nist": [
- "CM-6 b"
+ "AC-3 (4)",
+ "AC-6 (10)"
 ],
 "subsystems": [
- "login_defs"
+ "ssh"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-204457' do\n title 'The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users\n in such a way that the user can only read and modify their own files.'\n desc 'Setting the most restrictive default permissions ensures that when new accounts are created, they do not\n have unnecessary access.'\n desc 'check', 'Verify the operating system defines default permissions for all authenticated users in such a way\n that the user can only read and modify their own files.\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file with the following command:\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in \"/etc/login.defs\" file, the Severity is raised to a\n CAT I.\n # grep -i umask /etc/login.defs\n UMASK 077\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this\n is a finding.'\n desc 'fix', 'Configure the operating system to define default permissions for all authenticated users in such a way\n that the user can only read and modify their own files.\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\" file to \"077\":\n UMASK 077'\n impact 0.5\n tag legacy: ['SV-86619', 'V-71995']\n tag 
severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00228'\n tag gid: 'V-204457'\n tag rid: 'SV-204457r603261_rule'\n tag stig_id: 'RHEL-07-020240'\n tag fix_id: 'F-4581r88564_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['login_defs']\n tag 'host'\n tag 'container'\n\n if login_defs.read_params['UMASK'].eql?('000')\n impact 0.5\n else\n impact 0.5\n end\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n", + "code": "control 'SV-250313' do\n title 'The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.'\n desc 'Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.'\n desc 'check', 'Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nVerify the operating system prevents privileged accounts from utilizing SSH.\nCheck the SELinux ssh_sysadm_login boolean with the following command:\n\n$ sudo getsebool ssh_sysadm_login\nssh_sysadm_login --> off\n\nIf the \"ssh_sysadm_login\" boolean is not \"off\" and is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to prevent privileged accounts from utilizing SSH.\nUse the following command to set the \"ssh_sysadm_login\" boolean to \"off\":\n\n$ sudo setsebool -P ssh_sysadm_login off\n\nNote: SELinux confined users mapped to sysadm_u are not allowed to login to the system over SSH, by default. 
If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to \"on\" with the following command:\n\n$ sudo setsebool -P ssh_sysadm_login on\n\nThis must be documented with the ISSO as an operational requirement.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag satisfies: nil\n tag gid: 'V-250313'\n tag rid: 'SV-250313r877392_rule'\n tag stig_id: 'RHEL-07-020022'\n tag fix_id: 'F-53701r792845_fix'\n tag cci: ['CCI-002165', 'CCI-002235']\n tag legacy: []\n tag nist: ['AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container -- kernel config' do\n skip 'Control not applicable within a container -- kernel config'\n end\n else\n describe command('getsebool ssh_sysadm_login').stdout.strip do\n it { should eq 'ssh_sysadm_login --> off' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204457.rb", + "ref": "./Red Hat 7 STIG/controls/SV-250313.rb", "line": 1 }, - "id": "SV-204457" + "id": "SV-250313" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.",
+ "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a\n minimum of four character classes must be changed.",
+ "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.",
 "descriptions": {
- "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"crontab\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/crontab\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"crontab\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.",
+ "check": "The \"minclass\" option sets the minimum number of required classes of characters for the new password\n (digits, upper-case, lower-case, others).\n Check for the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep minclass /etc/security/pwquality.conf\n minclass = 4\n If the value of \"minclass\" is set to less than \"4\", this is a finding.",
+ "fix": "Configure the operating system to require the change of at least four character classes when passwords\n are changed by setting the \"minclass\" option.\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n minclass = 4"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86807",
- "V-72183"
+ "V-71913",
+ "SV-86537"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000042-GPOS-00020",
- "satisfies": [
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000471-GPOS-00215"
- ],
- "gid": "V-204557",
- "rid": "SV-204557r861068_rule",
- "stig_id": "RHEL-07-030800",
- "fix_id": "F-4681r861067_fix",
+ "gtitle": "SRG-OS-000072-GPOS-00040",
+ "gid": "V-204412",
+ "rid": "SV-204412r603261_rule",
+ "stig_id": "RHEL-07-010170",
+ "fix_id": "F-4536r88429_fix",
 "cci": [
- "CCI-000135",
- "CCI-000172",
- "CCI-002884"
+ "CCI-000195"
 ],
 "nist": [
- "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "IA-5 (1) (b)"
 ],
 "subsystems": [
- "audit",
- "auditd",
- "audit_rule"
+ "pwquality",
+ "password"
 ],
- "host": null
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-204557' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must 
audit the full-text recording of privileged commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"crontab\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/crontab\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"crontab\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86807', 'V-72183']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204557'\n tag rid: 'SV-204557r861068_rule'\n tag stig_id: 'RHEL-07-030800'\n tag fix_id: 'F-4681r861067_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/crontab'\n\n if 
virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-cron')\n end\n end\n end\nend\n", + "code": "control 'SV-204412' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a\n minimum of four character classes must be changed.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', 'The \"minclass\" option sets the minimum number of required classes of characters for the new password\n (digits, upper-case, lower-case, others).\n Check for the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep minclass /etc/security/pwquality.conf\n minclass = 4\n If the value of \"minclass\" is set to less than \"4\", this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of at least four character classes when passwords\n are changed by setting the \"minclass\" option.\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n minclass = 4'\n impact 0.5\n tag legacy: ['V-71913', 'SV-86537']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-204412'\n tag rid: 'SV-204412r603261_rule'\n tag stig_id: 'RHEL-07-010170'\n tag fix_id: 'F-4536r88429_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('minclass') { should cmp >= input('minclass') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204557.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204412.rb", "line": 1 }, - "id": "SV-204557" + "id": "SV-204412" }, { - "title": "The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of\n inactivity for graphical user interfaces.", - "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their 
operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "title": "The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and\n maintenance modes.", + "desc": "If the system does not require valid root authentication before it boots into single-user or maintenance\n mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", - "check": "Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:\n\n # grep -i idle-delay /etc/dconf/db/local.d/*\n idle-delay=uint32 900\n\nIf the \"idle-delay\" setting is missing or is not set to \"900\" or less, this is a finding.", - "fix": "Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for\n graphical user interfaces.\n Create a database to contain the system-wide screensaver settings 
(if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n [org/gnome/desktop/session]\n # Set the lock time out to 900 seconds before the session is considered idle\n idle-delay=uint32 900\n You must include the \"uint32\" along with the integer key values as shown.\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect."
+ "default": "If the system does not require valid root authentication before it boots into single-user or maintenance\n mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.",
+ "check": "Verify the operating system must require authentication upon booting into single-user and\n maintenance modes.\n Check that the operating system requires authentication upon booting into single-user mode with the following\n command:\n # grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"\n If \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a finding.",
+ "fix": "Configure the operating system to require authentication upon booting into single-user and maintenance\n modes.\n Add or modify the \"ExecStart\" line in \"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\":\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\""
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-71893",
- "SV-86517"
+ "V-77823",
+ "SV-92519"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000029-GPOS-00010",
- "gid": "V-204398",
- "rid": "SV-204398r880770_rule",
- "stig_id": "RHEL-07-010070",
- "fix_id": "F-4522r880769_fix",
+ "gtitle": "SRG-OS-000080-GPOS-00048",
+ "gid": "V-204437",
+ "rid": 
"SV-204437r603261_rule", + "stig_id": "RHEL-07-010481", + "fix_id": "F-4561r88504_fix", "cci": [ - "CCI-000057" + "CCI-000213" ], "nist": [ - "AC-11 a" + "AC-3" ], "subsystems": [ - "gui", - "screensaver", - "session", - "lock" + "root", + "sulogin" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204398' do\n title \"The Red Hat Enterprise Linux operating system must initiate a screensaver after a #{input('system_activity_timeout')/60}-minute period of\n inactivity for graphical user interfaces.\"\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', \"Verify the operating system initiates a screensaver after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if GNOME is configured to display a screensaver after a #{input('system_activity_timeout')/60} minute delay with the following command:\n\n # grep -i idle-delay /etc/dconf/db/local.d/*\n idle-delay=uint32 #{input('system_activity_timeout')}\n\nIf the \\\"idle-delay\\\" setting is missing or is not set to \\\"#{input('system_activity_timeout')}\\\" or less, this is a finding.\"\n desc 'fix', \"Configure the operating system to initiate a screensaver after a #{input('system_activity_timeout')/60}-minute period of inactivity for\n graphical user interfaces.\n Create a database to contain the 
system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n [org/gnome/desktop/session]\n # Set the lock time out to #{input('system_activity_timeout')} seconds before the session is considered idle\n idle-delay=uint32 #{input('system_activity_timeout')}\n You must include the \\\"uint32\\\" along with the integer key values as shown.\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.\"\n impact 0.5\n tag legacy: ['V-71893', 'SV-86517']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204398'\n tag rid: 'SV-204398r880770_rule'\n tag stig_id: 'RHEL-07-010070'\n tag fix_id: 'F-4522r880769_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui', 'screensaver', 'session', 'lock']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command(\"gsettings get org.gnome.desktop.session idle-delay | cut -d ' ' -f2\") do\n its('stdout.strip') { should cmp <= input('system_activity_timeout') }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-204437' do\n title 'The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and\n maintenance modes.'\n desc 'If the system does not require valid root authentication before it boots into single-user or maintenance\n mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.'\n desc 
'check', 'Verify the operating system must require authentication upon booting into single-user and\n maintenance modes.\n Check that the operating system requires authentication upon booting into single-user mode with the following\n command:\n # grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"\n If \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a finding.'\n desc 'fix', 'Configure the operating system to require authentication upon booting into single-user and maintenance\n modes.\n Add or modify the \"ExecStart\" line in \"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\":\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"'\n impact 0.5\n tag legacy: ['V-77823', 'SV-92519']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-204437'\n tag rid: 'SV-204437r603261_rule'\n tag stig_id: 'RHEL-07-010481'\n tag fix_id: 'F-4561r88504_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag subsystems: ['root', 'sulogin']\n tag 'host'\n tag 'container'\n\n describe command('grep -i execstart /usr/lib/systemd/system/rescue.service') do\n its('stdout.strip') { should match %r{/usr/sbin/sulogin} }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204398.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204437.rb", "line": 1 }, - "id": "SV-204398" + "id": "SV-204437" }, { - "title": "The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.", - "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.", + "title": "The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.", + "desc": "Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event\n that the system is compromised or has a hardware failure.", "descriptions": { - "default": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.", - "check": "Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.", - "fix": "Configure all accounts on the system to have a password or lock the account with the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo passwd -l [username]" + "default": "Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event\n that the system is compromised or has a hardware failure.", + "check": "Verify \"rsyslog\" is configured to send all messages to a log aggregation server.\n Check the configuration of \"rsyslog\" with the following command:\n Note: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\".\n # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n *.* @@logagg.site.mil\n If there are no lines in the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files that contain the \"@\" or \"@@\"\n symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all \"rsyslog\"\n output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.\n If the lines are commented out or there is no evidence that the audit logs are being sent to 
another system, this is\n a finding.",
+ "fix": "Modify the \"/etc/rsyslog.conf\" or an \"/etc/rsyslog.d/*.conf\" file to contain a configuration line to\n send all \"rsyslog\" output to a log aggregation system:\n *.* @@"
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "severity": "high",
+ "legacy": [
+ "SV-86833",
+ "V-72209"
+ ],
+ "severity": "medium",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "satisfies": null,
- "gid": "V-251702",
- "rid": "SV-251702r809220_rule",
- "stig_id": "RHEL-07-010291",
- "fix_id": "F-55093r809219_fix",
+ "gid": "V-204574",
+ "rid": "SV-204574r603261_rule",
+ "stig_id": "RHEL-07-031000",
+ "fix_id": "F-4698r88915_fix",
 "cci": [
 "CCI-000366"
 ],
- "legacy": [],
 "nist": [
 "CM-6 b"
 ],
 "subsystems": [
- "password",
- "/etc/shadow"
+ "rsyslog"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-251702' do\n title 'The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.'\n desc 'If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.'\n desc 'check', %q(Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.)\n desc 'fix', 'Configure all accounts on the system to have a password or lock the account with the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo passwd -l [username]'\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-251702'\n tag rid: 'SV-251702r809220_rule'\n tag stig_id: 'RHEL-07-010291'\n tag fix_id: 'F-55093r809219_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag subsystems: ['password', '/etc/shadow']\n tag 'host'\n tag 'container'\n\n empty_pw_users = shadow.where { password == '' }.users\n\n describe 'Passwords in /etc/shadow' do\n it 'should not be empty' do\n message = \"Users with empty passwords: #{empty_pw_users.join(', ')}\"\n expect(empty_pw_users).to be_empty, message\n end\n end\nend\n", + "code": "control 'SV-204574' do\n title 'The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.'\n desc 'Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event\n that the system is compromised or has a hardware failure.'\n desc 'check', 'Verify \"rsyslog\" is configured to send all messages to a log aggregation server.\n Check the configuration of \"rsyslog\" with the following command:\n Note: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\".\n # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n *.* @@logagg.site.mil\n If there are no lines in the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files that contain the \"@\" or \"@@\"\n symbol(s), and the lines with the correct symbol(s) to 
send output to another system do not cover all \"rsyslog\"\n output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.\n If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is\n a finding.'\n desc 'fix', 'Modify the \"/etc/rsyslog.conf\" or an \"/etc/rsyslog.d/*.conf\" file to contain a configuration line to\n send all \"rsyslog\" output to a log aggregation system:\n *.* @@'\n impact 0.5\n tag legacy: ['SV-86833', 'V-72209']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204574'\n tag rid: 'SV-204574r603261_rule'\n tag stig_id: 'RHEL-07-031000'\n tag fix_id: 'F-4698r88915_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['rsyslog']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('alternate_logs')\n describe 'An alternate logging system is used. This test cannot be checked in a automated fashion and you must check it manually' do\n skip 'An alternate logging system is used. This check must be performed manually'\n end\n else\n describe command(\"grep @ #{input('log_pkg_paths').join(' ')} | grep -v \\\"^#\\\"\") do\n its('stdout.strip') { should_not be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-251702.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204574.rb", "line": 1 }, - "id": "SV-251702" + "id": "SV-204574" }, { - "title": "The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless\n availability is an overriding concern. 
If availability is a concern, the system must alert the designated staff\n (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit\n processing failure.", - "desc": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit\n logs as required. Without this notification, the security personnel may be unaware of an impending failure of the\n audit capability, and system operation may be adversely affected.\n Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit\n storage capacity being reached or exceeded.\n This requirement applies to each audit data storage repository (i.e., distinct information system component where\n audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage\n repositories combined), or both.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories are group-owned by the home directory owners primary group.", + "desc": "If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary\n GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may\n not be able to access files that they legitimately should.", "descriptions": { - "default": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit\n logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the\n audit capability, and system operation may be adversely affected.\n Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit\n storage capacity being reached or exceeded.\n This requirement applies to each audit data storage repository (i.e., distinct information system component where\n audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage\n repositories combined), or both.", - "check": "Confirm the audit configuration regarding how auditing processing failures are handled.\n\nCheck to see what level \"auditctl\" is set to with following command:\n\n # auditctl -s | grep -i \"fail\"\n failure 2\n\nNote: If the value of \"failure\" is set to \"2\", the system is configured to panic (shut down) in the event of an auditing failure. If the value of \"failure\" is set to \"1\", the system will not shut down and instead will record the audit failure in the kernel log. 
If the system is configured as per requirement RHEL-07-031000, the kernel log will be sent to a log aggregation server and generate an alert.\n\nIf the \"failure\" setting is set to any value other than \"1\" or \"2\", this is a finding.\n\nIf the \"failure\" setting is not set, this should be upgraded to a CAT I finding.\n\nIf the \"failure\" setting is set to \"1\" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.", - "fix": "Configure the operating system to shut down in the event of an audit processing failure.\n Add or correct the option to shut down the operating system with the following command:\n # auditctl -f 2\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n -f 2\n If availability has been determined to be more important, and this decision is documented with the ISSO, configure\n the operating system to notify system administration staff and ISSO staff in the event of an audit processing\n failure with the following command:\n # auditctl -f 1\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n -f 1\n Kernel log monitoring must also be configured to properly alert designated staff.\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary\n GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may\n not be able to access files that they legitimately should.", + "check": "Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 13 Apr 1 04:20 /home/smithj\n\nCheck the user's primary group with the following command:\n\n # grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group\n users:x:250:smithj,marinc,chongt\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user's primary GID, this is a finding.", + "fix": "Change the group owner of a local interactive user's home directory to the group found in\n \"/etc/passwd\". 
To change the group owner of a local interactive user's home directory, use the following command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\", and has a primary group\n of users.\n # chgrp users /home/smithj" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72081", - "SV-86705" + "SV-86645", + "V-72021" ], "severity": "medium", - "gtitle": "SRG-OS-000046-GPOS-00022", - "satisfies": [ - "SRG-OS-000046-GPOS-00022", - "SRG-OS-000047-GPOS-00023" - ], - "gid": "V-204504", - "rid": "SV-204504r880761_rule", - "stig_id": "RHEL-07-030010", - "fix_id": "F-4628r880760_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204470", + "rid": "SV-204470r880764_rule", + "stig_id": "RHEL-07-020650", + "fix_id": "F-4594r880763_fix", "cci": [ - "CCI-000139" + "CCI-000366" ], "nist": [ - "AU-5 a" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd" + "home_dirs" ], "host": null }, - "code": "control 'SV-204504' do\n title 'The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless\n availability is an overriding concern. If availability is a concern, the system must alert the designated staff\n (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit\n processing failure.'\n desc 'It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit\n logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the\n audit capability, and system operation may be adversely affected.\n Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit\n storage capacity being reached or exceeded.\n This requirement applies to each audit data storage repository (i.e., distinct information system component where\n audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage\n repositories combined), or both.'\n desc 'check', 'Confirm the audit configuration regarding how auditing processing failures are handled.\n\nCheck to see what level \"auditctl\" is set to with following command:\n\n # auditctl -s | grep -i \"fail\"\n failure 2\n\nNote: If the value of \"failure\" is set to \"2\", the system is configured to panic (shut down) in the event of an auditing failure. If the value of \"failure\" is set to \"1\", the system will not shut down and instead will record the audit failure in the kernel log. 
If the system is configured as per requirement RHEL-07-031000, the kernel log will be sent to a log aggregation server and generate an alert.\n\nIf the \"failure\" setting is set to any value other than \"1\" or \"2\", this is a finding.\n\nIf the \"failure\" setting is not set, this should be upgraded to a CAT I finding.\n\nIf the \"failure\" setting is set to \"1\" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.'\n desc 'fix', 'Configure the operating system to shut down in the event of an audit processing failure.\n Add or correct the option to shut down the operating system with the following command:\n # auditctl -f 2\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n -f 2\n If availability has been determined to be more important, and this decision is documented with the ISSO, configure\n the operating system to notify system administration staff and ISSO staff in the event of an audit processing\n failure with the following command:\n # auditctl -f 1\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n -f 1\n Kernel log monitoring must also be configured to properly alert designated staff.\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72081', 'SV-86705']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000046-GPOS-00022'\n tag satisfies: ['SRG-OS-000046-GPOS-00022', 'SRG-OS-000047-GPOS-00023']\n tag gid: 'V-204504'\n tag rid: 'SV-204504r880761_rule'\n tag stig_id: 'RHEL-07-030010'\n tag fix_id: 'F-4628r880760_fix'\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n monitor_kernel_log = 
input('monitor_kernel_log')\n\n if auditd.status['failure'].nil?\n impact 0.5\n elsif auditd.status['failure'].match?(/^1$/) && !monitor_kernel_log\n impact 0.3\n end\n\n if !monitor_kernel_log\n describe auditd.status['failure'] do\n it { should match(/^2$/) }\n end\n else\n describe auditd.status['failure'] do\n it { should match(/^(1|2)$/) }\n end\n end\n end\nend\n", + "code": "control 'SV-204470' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories are group-owned by the home directory owners primary group.'\n desc \"If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary\n GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may\n not be able to access files that they legitimately should.\"\n desc 'check', %q(Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 13 Apr 1 04:20 /home/smithj\n\nCheck the user's primary group with the following command:\n\n # grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group\n users:x:250:smithj,marinc,chongt\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user's primary GID, this is a finding.)\n desc 'fix', %q(Change the group owner of a local interactive user's home directory to the group found in\n \"/etc/passwd\". 
To change the group owner of a local interactive user's home directory, use the following command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\", and has a primary group\n of users.\n # chgrp users /home/smithj)\n impact 0.5\n tag legacy: ['SV-86645', 'V-72021']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204470'\n tag rid: 'SV-204470r880764_rule'\n tag stig_id: 'RHEL-07-020650'\n tag fix_id: 'F-4594r880763_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -maxdepth 0 -not -gid #{user_info.gid}\").stdout.split(\"\\n\")\n end\n describe \"Home directories that are not group-owned by the user's primary GID\" do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204504.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204470.rb", "line": 1 }, - "id": "SV-204504" + "id": "SV-204470" }, { - "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.", - "desc": "If the system does not require valid authentication before it boots into 
single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists,\n is owned by root.", + "desc": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to\n view or to edit sensitive information.", "descriptions": { - "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.", - "check": "For systems that use BIOS, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\n set superusers=\"[someuniquestringhere]\"\n export superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.", - "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg" + "default": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to\n view or to edit sensitive information.", + "check": "Verify that the \"cron.allow\" file is owned by root.\n Check the owner of the \"cron.allow\" file with the following command:\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n If the \"cron.allow\" file exists and has an owner other than root, this is a finding.", + "fix": "Set the owner on the \"/etc/cron.allow\" file to root with the following\ncommand:\n\n # chown root /etc/cron.allow" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { + "legacy": [ + "V-72053", + "SV-86677" + ], "severity": "medium", - "gtitle": "SRG-OS-000080-GPOS-00048", - "satisfies": null, - "gid": "V-244558", - "rid": "SV-244558r833187_rule", - "stig_id": "RHEL-07-010492", - "fix_id": "F-47790r833186_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204490", + "rid": "SV-204490r603261_rule", + "stig_id": "RHEL-07-021110", + "fix_id": "F-4614r88663_fix", 
"cci": [ - "CCI-000213" + "CCI-000366" ], - "legacy": [], "nist": [ - "AC-3" + "CM-6 b" ], "subsystems": [ - "grub" + "cron" ], "host": null, "container": null }, - "code": "control 'SV-244558' do\n title 'Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.'\n desc 'check', 'For systems that use BIOS, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\n set superusers=\"[someuniquestringhere]\"\n export superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.'\n desc 'fix', 'Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag satisfies: nil\n tag gid: 'V-244558'\n tag rid: 'SV-244558r833187_rule'\n tag stig_id: 'RHEL-07-010492'\n tag fix_id: 'F-47790r833186_fix'\n tag cci: ['CCI-000213']\n tag legacy: []\n tag nist: ['AC-3']\n tag subsystems: ['grub']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif file('/sys/firmware/efi').exist?\n if os[:release] >= '7.2'\n describe parse_config_file(input('grub_uefi_main_cfg')) do\n its('set superusers') { should exist }\n its('set superusers') { should_not be_in users.usernames }\n end\n else\n impact 0.0\n describe 'System running version of RHEL prior to 7.2' do\n skip 'The System is running an outdated version of RHEL, this control is Not Applicable.'\n end\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running BIOS, this control is Not Applicable.'\n end\n 
end\nend\n", + "code": "control 'SV-204490' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists,\n is owned by root.'\n desc 'If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to\n view or to edit sensitive information.'\n desc 'check', 'Verify that the \"cron.allow\" file is owned by root.\n Check the owner of the \"cron.allow\" file with the following command:\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n If the \"cron.allow\" file exists and has an owner other than root, this is a finding.'\n desc 'fix', 'Set the owner on the \"/etc/cron.allow\" file to root with the following\ncommand:\n\n # chown root /etc/cron.allow'\n impact 0.5\n tag legacy: ['V-72053', 'SV-86677']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204490'\n tag rid: 'SV-204490r603261_rule'\n tag stig_id: 'RHEL-07-021110'\n tag fix_id: 'F-4614r88663_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['cron']\n tag 'host'\n tag 'container'\n\n describe.one do\n # case where file doesn't exist\n describe file('/etc/cron.allow') do\n it { should_not exist }\n end\n # case where file exists\n describe file('/etc/cron.allow') do\n it { should be_owned_by 'root' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-244558.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204490.rb", "line": 1 }, - "id": "SV-244558" + "id": "SV-204490" }, { - "title": "The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS\n 140-2 approved cryptographic hashes for validating file contents and directories.", - "desc": "File integrity tools use cryptographic hashes for verifying file contents and directories have not been\n altered. 
These hashes must be FIPS 140-2 approved cryptographic hashes.\n Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called\n Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement\n assumes the \"aide.conf\" file is under the \"/etc\" directory.", - "descriptions": { - "default": "File integrity tools use cryptographic hashes for verifying file contents and directories have not been\n altered. These hashes must be FIPS 140-2 approved cryptographic hashes.\n Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called\n Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement\n assumes the \"aide.conf\" file is under the \"/etc\" directory.", - "check": "Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"sha512\" rule has been added to the rule list being applied to the files and directories selection lists. 
Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.\n\nAn example rule that includes the \"sha512\" rule follows:\n\n All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"sha512\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.", - "fix": "Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and\n directory contents.\n If AIDE is installed, ensure the \"sha512\" rule is present on all uncommented file and directory selection lists.\n Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications." + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/semanage\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86697", - "V-72073" + "SV-86759", + "V-72135" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204500", - "rid": "SV-204500r880860_rule", - "stig_id": "RHEL-07-021620", - "fix_id": "F-4624r792830_fix", + "gtitle": "SRG-OS-000392-GPOS-00172", + "satisfies": [ + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000465-GPOS-00209" + ], + "gid": "V-204536", + "rid": "SV-204536r861014_rule", + "stig_id": "RHEL-07-030560", + "fix_id": "F-4660r861013_fix", "cci": [ - "CCI-000366" + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-12 c", + "MA-4 (1) (a)" ], "subsystems": [ - "file_integrity_tool" + "audit", + "auditd", + "audit_rule" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204500' do\n title 'The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS\n 140-2 approved cryptographic hashes for validating file contents and directories.'\n desc 'File integrity tools use cryptographic hashes for verifying file contents and directories have not been\n altered. These hashes must be FIPS 140-2 approved cryptographic hashes.\n Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called\n Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement\n assumes the \"aide.conf\" file is under the \"/etc\" directory.'\n desc 'check', 'Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"sha512\" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.\n\nAn example rule that includes the \"sha512\" rule follows:\n\n All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\nIf the \"sha512\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and\n directory contents.\n If AIDE is installed, ensure the \"sha512\" rule is present on all uncommented file and directory selection lists.\n Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.'\n impact 0.5\n tag legacy: ['SV-86697', 'V-72073']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204500'\n tag rid: 'SV-204500r880860_rule'\n tag stig_id: 'RHEL-07-021620'\n tag fix_id: 'F-4624r792830_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n aide_conf_file_path = input('aide_conf_path')\n\n if file_integrity_tool == 'aide'\n if aide_conf(aide_conf_file_path).exist?\n exclude_patterns = input('aide_exclude_patterns')\n\n findings = aide_conf.where do\n !selection_line.start_with?('!') && 
!exclude_patterns.include?(selection_line) && !rules.include?('sha512')\n end\n\n describe \"List of monitored files/directories without 'sha512' rule\" do\n subject { findings.selection_lines }\n it { should be_empty }\n end\n else\n describe \"AIDE configuration file at: #{aide_conf_file_path}\" do\n subject { aide_conf(aide_conf_file_path) }\n it { should exist }\n end\n end\n else\n describe 'Need manual review of file integrity tool' do\n skip 'A manual review of the file integrity tool is required to ensure that it verifies ACLs.'\n end\n end\nend\n", + "code": "control 'SV-204536' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/sbin/semanage\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86759', 'V-72135']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000465-GPOS-00209']\n tag gid: 'V-204536'\n tag rid: 'SV-204536r861014_rule'\n tag stig_id: 'RHEL-07-030560'\n tag fix_id: 'F-4660r861013_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/sbin/semanage'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 
'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204500.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204536.rb", "line": 1 }, - "id": "SV-204500" + "id": "SV-204536" }, { - "title": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4)\n source-routed packets.", - "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using an empty password.", + "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.", - "check": "Verify the system does not accept IPv4 source-routed packets.\n\n # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\n net.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl -system" + "default": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", + "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command:\n # grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n PermitEmptyPasswords no\n If no line, a commented line, or a line indicating the value \"no\" is returned, the required value is set.\n If the required value is not set, this is a finding.", + "fix": "To explicitly disallow remote logon from accounts with empty 
passwords, add or correct the following\n line in \"/etc/ssh/sshd_config\":\n PermitEmptyPasswords no\n The SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled\n immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "V-72283", - "SV-86907" + "SV-86563", + "V-71939" ], - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204609", - "rid": "SV-204609r880797_rule", - "stig_id": "RHEL-07-040610", - "fix_id": "F-4733r880796_fix", + "severity": "high", + "gtitle": "SRG-OS-000106-GPOS-00053", + "gid": "V-204425", + "rid": "SV-204425r603261_rule", + "stig_id": "RHEL-07-010300", + "fix_id": "F-4549r88468_fix", "cci": [ - "CCI-000366" + "CCI-000766" ], "nist": [ - "CM-6 b" + "IA-2 (2)" ], "subsystems": [ - "kernel_parameter", - "ipv4" + "ssh" ], "host": null }, - "code": "control 'SV-204609' do\n title 'The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4)\n source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a\n different path than configured on the router, which can be used to bypass network security measures. 
This\n requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the\n system is functioning as a router.'\n desc 'check', 'Verify the system does not accept IPv4 source-routed packets.\n\n # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\n net.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl -system'\n impact 0.5\n tag legacy: ['V-72283', 'SV-86907']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204609'\n tag rid: 'SV-204609r880797_rule'\n tag stig_id: 'RHEL-07-040610'\n tag fix_id: 'F-4733r880796_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_source_route = 0\n 
config_file_values = command('grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_source_route.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_source_route to #{accept_source_route}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.all.accept_source_route' do\n subject { kernel_parameter('net.ipv4.conf.all.accept_source_route') }\n its('value') { should eq accept_source_route }\n end\n end\nend\n", + "code": "control 'SV-204425' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using an empty password.'\n desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command:\n # grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n PermitEmptyPasswords no\n If no line, a commented line, or a line indicating the value \"no\" is returned, the required value is set.\n If the required value is not set, this is a finding.)\n desc 'fix', 'To explicitly disallow remote logon from accounts with empty passwords, add or correct the following\n line in \"/etc/ssh/sshd_config\":\n PermitEmptyPasswords no\n The SSH service must be restarted for changes to take effect. 
Any accounts with empty passwords should be disabled\n immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.'\n impact 0.7\n tag legacy: ['SV-86563', 'V-71939']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000106-GPOS-00053'\n tag gid: 'V-204425'\n tag rid: 'SV-204425r603261_rule'\n tag stig_id: 'RHEL-07-010300'\n tag fix_id: 'F-4549r88468_fix'\n tag cci: ['CCI-000766']\n tag nist: ['IA-2 (2)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe.one do\n describe sshd_config do\n its('PermitEmptyPasswords') { should eq 'no' }\n end\n describe sshd_config do\n its('PermitEmptyPasswords') { should be_nil }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204609.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204425.rb", "line": 1 }, - "id": "SV-204609" + "id": "SV-204425" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories are group-owned by the home directory owners primary group.", - "desc": "If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary\n GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may\n not be able to access files that they legitimately should.", + "title": "The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to\n privileged accounts via pluggable authentication modules (PAM).", + "desc": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, 
that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", "descriptions": { - "default": "If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary\n GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may\n not be able to access files that they legitimately should.", - "check": "Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 13 Apr 1 04:20 /home/smithj\n\nCheck the user's primary group with the following command:\n\n # grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group\n users:x:250:smithj,marinc,chongt\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user's 
primary GID, this is a finding.", - "fix": "Change the group owner of a local interactive user's home directory to the group found in\n \"/etc/passwd\". To change the group owner of a local interactive user's home directory, use the following command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\", and has a primary group\n of users.\n # chgrp users /home/smithj" + "default": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the DoD Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to DoD nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "check": "Verify the operating system implements multifactor authentication for remote access to privileged\n accounts via pluggable authentication modules (PAM).\n Check the \"/etc/sssd/sssd.conf\" file for the authentication services that are being used with the following command:\n # grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n services = nss, pam\n If the \"pam\" service is not present on all \"services\" lines, this is a finding.", + "fix": "Configure the operating system to implement multifactor authentication for remote access to privileged\n accounts via pluggable authentication modules (PAM).\n Modify all of the services lines in \"/etc/sssd/sssd.conf\" or in configuration files found under \"/etc/sssd/conf.d\"\n to include pam." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "SV-86645", - "V-72021" + "V-72427", + "SV-87051" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204470", - "rid": "SV-204470r880764_rule", - "stig_id": "RHEL-07-020650", - "fix_id": "F-4594r880763_fix", + "gtitle": "SRG-OS-000375-GPOS-00160", + "satisfies": [ + "SRG-OS-000375-GPOS-00160", + "SRG-OS-000375-GPOS-00161", + "SRG-OS-000375-GPOS-00162" + ], + "gid": "V-204632", + "rid": "SV-204632r853998_rule", + "stig_id": "RHEL-07-041002", + "fix_id": "F-4756r89089_fix", "cci": [ - "CCI-000366" + "CCI-001948", + "CCI-001953", + "CCI-001954" ], "nist": [ - "CM-6 b" + "IA-2 (11)", + "IA-2 (12)", + "IA-2 (12)" ], "subsystems": [ - "home_dirs" + "sssd" ], "host": null }, - "code": "control 'SV-204470' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories are group-owned by the home directory owners primary group.'\n desc \"If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary\n GID of the 
user, this would allow unauthorized access to the user's files, and users that share the same group may\n not be able to access files that they legitimately should.\"\n desc 'check', %q(Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 13 Apr 1 04:20 /home/smithj\n\nCheck the user's primary group with the following command:\n\n # grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group\n users:x:250:smithj,marinc,chongt\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user's primary GID, this is a finding.)\n desc 'fix', %q(Change the group owner of a local interactive user's home directory to the group found in\n \"/etc/passwd\". To change the group owner of a local interactive user's home directory, use the following command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\", and has a primary group\n of users.\n # chgrp users /home/smithj)\n impact 0.5\n tag legacy: ['SV-86645', 'V-72021']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204470'\n tag rid: 'SV-204470r880764_rule'\n tag stig_id: 'RHEL-07-020650'\n tag fix_id: 'F-4594r880763_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = 
Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -maxdepth 0 -not -gid #{user_info.gid}\").stdout.split(\"\\n\")\n end\n describe \"Home directories that are not group-owned by the user's primary GID\" do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-204632' do\n title 'The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to\n privileged accounts via pluggable authentication modules (PAM).'\n desc \"Using an authentication device, such as a CAC or token that is separate from the information system, ensures\n that even if the information system is compromised, that compromise will not affect credentials stored on the\n authentication device.\n Multifactor solutions that require devices separate from information systems gaining access include, for example,\n hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S.\n Government Personal Identity Verification card and the #{input('org_name')[:acronym]} Common Access Card.\n A privileged account is defined as an information system account with authorizations of a privileged user.\n Remote access is access to #{input('org_name')[:acronym]} nonpublic information systems by an authorized user (or an information system)\n communicating through an external, non-organization-controlled network. Remote access methods include, for example,\n dial-up, broadband, and wireless.\n This requirement only applies to components where this is specific to the function of the device or has the concept\n of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).\"\n desc 'check', 'Verify the operating system implements multifactor authentication for remote access to privileged\n accounts via pluggable authentication modules (PAM).\n Check the \"/etc/sssd/sssd.conf\" file for the authentication services that are being used with the following command:\n # grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n services = nss, pam\n If the \"pam\" service is not present on all \"services\" lines, this is a finding.'\n desc 'fix', 'Configure the operating system to implement multifactor authentication for remote access to privileged\n accounts via pluggable authentication modules (PAM).\n Modify all of the services lines in \"/etc/sssd/sssd.conf\" or in configuration files found under \"/etc/sssd/conf.d\"\n to include pam.'\n impact 0.5\n tag legacy: ['V-72427', 'SV-87051']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000375-GPOS-00161', 'SRG-OS-000375-GPOS-00162']\n tag gid: 'V-204632'\n tag rid: 'SV-204632r853998_rule'\n tag stig_id: 'RHEL-07-041002'\n tag fix_id: 'F-4756r89089_fix'\n tag cci: ['CCI-001948', 'CCI-001953', 'CCI-001954']\n tag nist: ['IA-2 (11)', 'IA-2 (12)', 'IA-2 (12)']\n tag subsystems: ['sssd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif package('sssd').installed?\n if !(sssd_files = command('find /etc/sssd -name *.conf').stdout.split(\"\\n\")).empty?\n sssd_files.each do |file|\n next unless package('sssd').installed?\n\n describe.one do\n if package('sssd').installed?\n describe parse_config_file(file) do\n its('services') { should include 'pam' }\n end\n end\n if package('sssd').installed?\n describe command(\"grep -i -E 'services(\\s)*=(\\s)*(.+*)pam' #{file}\") do\n 
its('stdout.strip') { should include 'pam' }\n end\n end\n end\n end\n else\n describe 'The set of SSSD configuration files' do\n subject { sssd_files.to_a }\n it { should_not be_empty }\n end\n end\n else\n impact 0.0\n describe 'The SSSD Package is not installed on the system' do\n skip 'This control is Not Appliciable without the SSSD Package installed.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204470.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204632.rb", "line": 1 }, - "id": "SV-204470" + "id": "SV-204632" }, { - "title": "The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.", - "desc": "IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be\n documented with the Information System Security Officer (ISSO).", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the su command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "IP tunneling mechanisms can be used to bypass network filtering. 
If tunneling is required, it must be\n documented with the Information System Security Officer (ISSO).", - "check": "Verify the system does not have unauthorized IP tunnels configured.\n Check to see if \"libreswan\" is installed with the following command:\n # yum list installed libreswan\n libreswan.x86-64 3.20-5.el7_4\n If \"libreswan\" is installed, check to see if the \"IPsec\" service is active with the following command:\n # systemctl status ipsec\n ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\n Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\n Active: inactive (dead)\n If the \"IPsec\" service is active, check to see if any tunnels are configured in \"/etc/ipsec.conf\" and\n \"/etc/ipsec.d/\" with the following commands:\n # grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf\n If there are indications that a \"conn\" parameter is configured for a tunnel, ask the System Administrator if the\n tunnel is documented with the ISSO.\n If \"libreswan\" is installed, \"IPsec\" is active, and an undocumented tunnel is active, this is a finding.", - "fix": "Remove all unapproved tunnels from the system, or document them with the ISSO." + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/su\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72317", - "SV-86941" + "SV-86783", + "V-72159" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204629", - "rid": "SV-204629r603261_rule", - "stig_id": "RHEL-07-040820", - "fix_id": "F-4753r89080_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-204547", + "rid": "SV-204547r861041_rule", + "stig_id": "RHEL-07-030680", + "fix_id": "F-4671r861040_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-3", + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)", + "AU-3 a" ], "subsystems": [ - "libreswan", - "ipsec" + "audit", + "auditd", + "audit_rule" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204629' do\n title 'The Red Hat Enterprise 
Linux operating system must not have unauthorized IP tunnels configured.'\n desc 'IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be\n documented with the Information System Security Officer (ISSO).'\n desc 'check', 'Verify the system does not have unauthorized IP tunnels configured.\n Check to see if \"libreswan\" is installed with the following command:\n # yum list installed libreswan\n libreswan.x86-64 3.20-5.el7_4\n If \"libreswan\" is installed, check to see if the \"IPsec\" service is active with the following command:\n # systemctl status ipsec\n ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\n Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\n Active: inactive (dead)\n If the \"IPsec\" service is active, check to see if any tunnels are configured in \"/etc/ipsec.conf\" and\n \"/etc/ipsec.d/\" with the following commands:\n # grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf\n If there are indications that a \"conn\" parameter is configured for a tunnel, ask the System Administrator if the\n tunnel is documented with the ISSO.\n If \"libreswan\" is installed, \"IPsec\" is active, and an undocumented tunnel is active, this is a finding.'\n desc 'fix', 'Remove all unapproved tunnels from the system, or document them with the ISSO.'\n impact 0.5\n tag legacy: ['V-72317', 'SV-86941']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204629'\n tag rid: 'SV-204629r603261_rule'\n tag stig_id: 'RHEL-07-040820'\n tag fix_id: 'F-4753r89080_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['libreswan', 'ipsec']\n tag 'host'\n tag 'container'\n\n approved_tunnels = input('approved_tunnels')\n\n if package('libreswan').installed? && service('ipsec.service').running?\n impact 0.5\n processed = []\n to_process = ['/etc/ipsec.conf']\n\n until to_process.empty?\n in_process = to_process.pop\n next if processed.include? 
in_process\n\n processed.push in_process\n\n to_process.concat(\n command(\"grep -E '^\\\\s*include\\\\s+' #{in_process} | sed 's/^[[:space:]]*include[[:space:]]*//g'\")\n .stdout.strip.split(/\\s*\\n+\\s*/)\n .map do |f|\n if f.start_with?('/')\n f\n else\n File.join(\n File.dirname(in_process), f\n )\n end\n end\n .map do |f|\n dir = f.sub(%r{[^/]*[*?\\[].*$}, '') # gets the longest ancestor path which doesn't contain wildcards\n command(\"find #{dir} -wholename '#{f}'\").stdout.strip.split(\"\\n\")\n end\n .flatten\n .select do |f|\n file(f).file?\n end\n )\n end\n\n conn_grep = processed.map do |conf|\n command(\"grep -E '^\\\\s*conn\\\\s+' #{conf}\")\n .stdout.strip.split(/\\s*\\n\\s*/)\n end.flatten\n\n describe conn_grep do\n it { should all(be_in(approved_tunnels)) }\n end\n else\n impact 0.0\n describe \"The system does not have libreswan installed or the ipsec.service isn't running\" do\n skip \"The system does not have libreswan installed or the ipsec.service isn't running, this requirement is Not Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-204547' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the su command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/su\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86783', 'V-72159']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204547'\n tag rid: 'SV-204547r861041_rule'\n tag stig_id: 'RHEL-07-030680'\n tag fix_id: 'F-4671r861040_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/su'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n 
expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204629.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204547.rb", "line": 1 }, - "id": "SV-204629" + "id": "SV-204547" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control\n Protocol (DCCP) kernel module is disabled unless required.", - "desc": "Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.", + "title": "The Red Hat Enterprise Linux operating system must not have unnecessary accounts.", + "desc": "Accounts providing no operational purpose provide additional opportunities for system compromise.\n Unnecessary accounts include user accounts for individuals not requiring access to the system and application\n accounts for applications not installed on the system.", "descriptions": { - "default": "Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.", - "check": "Verify the operating system disables the ability to load the DCCP kernel module.\n # grep -r dccp /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n install dccp /bin/true\n If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the\n Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n Verify the operating system disables the ability to use the DCCP kernel module.\n Check to see if the DCCP kernel module is disabled with the following command:\n # grep -i dccp /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist dccp\n If the command does not return any output or the output is not \"blacklist 
dccp\", and use of the dccp kernel module\n is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a\n finding.", - "fix": "Configure the operating system to disable the ability to use the DCCP kernel module.\n Create a file under \"/etc/modprobe.d\" with the following command:\n # touch /etc/modprobe.d/dccp.conf\n Add the following line to the created file:\n install dccp /bin/true\n Ensure that the DCCP module is blacklisted:\n # vi /etc/modprobe.d/blacklist.conf\n Add or update the line:\n blacklist dccp" + "default": "Accounts providing no operational purpose provide additional opportunities for system compromise.\n Unnecessary accounts include user accounts for individuals not requiring access to the system and application\n accounts for applications not installed on the system.", + "check": "Verify all accounts on the system are assigned to an active system, application, or user account.\n Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n Check the system accounts on the system with the following command:\n # more /etc/passwd\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as they do not support authorized system\n functions.\n If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized\n system function are present, this is a finding.", + "fix": "Configure the system so all accounts on the system are assigned to an active system, application, or\n user account.\n Remove accounts that do not support approved system activities or that allow for a normal user 
to perform\n administrative-level actions.\n Document all authorized accounts on the system." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-77821", - "SV-92517" + "SV-86625", + "V-72001" ], "severity": "medium", - "gtitle": "SRG-OS-000378-GPOS-00163", - "gid": "V-204450", - "rid": "SV-204450r853892_rule", - "stig_id": "RHEL-07-020101", - "fix_id": "F-4574r88543_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204460", + "rid": "SV-204460r603261_rule", + "stig_id": "RHEL-07-020270", + "fix_id": "F-4584r88573_fix", "cci": [ - "CCI-001958" + "CCI-000366" ], "nist": [ - "IA-3" + "CM-6 b" ], "subsystems": [ - "dccp", - "kernel_module" + "accounts" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204450' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control\n Protocol (DCCP) kernel module is disabled unless required.'\n desc 'Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the DCCP kernel module.\n # grep -r dccp /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n install dccp /bin/true\n If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the\n Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n Verify the operating system disables the ability to use the DCCP kernel module.\n Check to see if the DCCP kernel module is disabled with the following command:\n # grep -i dccp /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist dccp\n If the command does not return any output or the output is not \"blacklist dccp\", and use of the dccp kernel module\n is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a\n finding.'\n desc 'fix', 'Configure the operating 
system to disable the ability to use the DCCP kernel module.\n Create a file under \"/etc/modprobe.d\" with the following command:\n # touch /etc/modprobe.d/dccp.conf\n Add the following line to the created file:\n install dccp /bin/true\n Ensure that the DCCP module is blacklisted:\n # vi /etc/modprobe.d/blacklist.conf\n Add or update the line:\n blacklist dccp'\n impact 0.5\n tag legacy: ['V-77821', 'SV-92517']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000378-GPOS-00163'\n tag gid: 'V-204450'\n tag rid: 'SV-204450r853892_rule'\n tag stig_id: 'RHEL-07-020101'\n tag fix_id: 'F-4574r88543_fix'\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag subsystems: ['dccp', 'kernel_module']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n\n describe kernel_module('dccp') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n end\nend\n", + "code": "control 'SV-204460' do\n title 'The Red Hat Enterprise Linux operating system must not have unnecessary accounts.'\n desc 'Accounts providing no operational purpose provide additional opportunities for system compromise.\n Unnecessary accounts include user accounts for individuals not requiring access to the system and application\n accounts for applications not installed on the system.'\n desc 'check', 'Verify all accounts on the system are assigned to an active system, application, or user account.\n Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n Check the system accounts on the system with the following command:\n # more /etc/passwd\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n 
games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as they do not support authorized system\n functions.\n If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized\n system function are present, this is a finding.'\n desc 'fix', 'Configure the system so all accounts on the system are assigned to an active system, application, or\n user account.\n Remove accounts that do not support approved system activities or that allow for a normal user to perform\n administrative-level actions.\n Document all authorized accounts on the system.'\n impact 0.5\n tag legacy: ['SV-86625', 'V-72001']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204460'\n tag rid: 'SV-204460r603261_rule'\n tag stig_id: 'RHEL-07-020270'\n tag fix_id: 'F-4584r88573_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['accounts']\n tag 'host'\n tag 'container'\n\n known_system_accounts = input('known_system_accounts')\n user_accounts = input('user_accounts')\n\n allowed_accounts = (known_system_accounts + user_accounts).uniq\n describe 'All user accounts' do\n it 'are known system accounts or known user accounts' do\n fail_msg = \"Accounts not part of the known account lists: #{(passwd.users - allowed_accounts).join(', ')}\"\n expect(passwd.users).to all(be_in allowed_accounts), fail_msg\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204450.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204460.rb", "line": 1 }, - "id": "SV-204450" + "id": "SV-204460" }, { - "title": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account\n logon upon an SSH logon.", - "desc": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition\n and reporting of 
unauthorized account use.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have\n mode 0644 or less permissive.", + "desc": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.", "descriptions": { - "default": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition\n and reporting of unauthorized account use.", - "check": "Verify SSH provides users with feedback on when account accesses last occurred.\n Check that \"PrintLastLog\" keyword in the sshd daemon configuration file is used and set to \"yes\" with the following\n command:\n # grep -i printlastlog /etc/ssh/sshd_config\n PrintLastLog yes\n If the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure SSH to provide users with feedback on when account accesses last occurred by setting the\n required configuration options in \"/etc/pam.d/sshd\" or in the \"sshd_config\" file used by the system\n (\"/etc/ssh/sshd_config\" will be used in the example) (this file may be named differently or be in a different\n location if using a version of SSH that is provided by a third-party vendor).\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the following:\n PrintLastLog yes\n The SSH service must be restarted for changes to \"sshd_config\" to take effect." 
+ "default": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.", + "check": "Verify the SSH public host key files have mode \"0644\" or less permissive.\n Note: SSH public key files may be found in other directories on the system depending on the installation.\n The following command will find all SSH public key files on the system:\n # find /etc/ssh -name '*.pub' -exec ls -lL {} \\;\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n If any file has a mode more permissive than \"0644\", this is a finding.", + "fix": "Note: SSH public key files may be found in other directories on the system depending on the\n installation.\n Change the mode of public host key files under \"/etc/ssh\" to \"0644\" with the following command:\n # chmod 0644 /etc/ssh/*.key.pub" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72245", - "SV-86869" + "V-72255", + "SV-86879" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204591", - "rid": "SV-204591r858477_rule", - "stig_id": "RHEL-07-040360", - "fix_id": "F-4715r88966_fix", + "gid": "V-204596", + "rid": "SV-204596r603261_rule", + "stig_id": "RHEL-07-040410", + "fix_id": "F-4720r88981_fix", "cci": [ - "CCI-000366", - "CCI-000052" + "CCI-000366" ], - "nist": [ - "CM-6 b", - "AC-9" + "nist": [ + "CM-6 b" ], "subsystems": [ - "pam", - "ssh", - "lastlog" + "ssh" ], "host": null }, - "code": "control 'SV-204591' do\n title 'The Red Hat Enterprise Linux operating system must display the date and time of the last successful account\n logon upon an SSH logon.'\n desc 'Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition\n and reporting of unauthorized account use.'\n desc 'check', 'Verify SSH provides users with feedback on when account accesses last occurred.\n Check that 
\"PrintLastLog\" keyword in the sshd daemon configuration file is used and set to \"yes\" with the following\n command:\n # grep -i printlastlog /etc/ssh/sshd_config\n PrintLastLog yes\n If the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure SSH to provide users with feedback on when account accesses last occurred by setting the\n required configuration options in \"/etc/pam.d/sshd\" or in the \"sshd_config\" file used by the system\n (\"/etc/ssh/sshd_config\" will be used in the example) (this file may be named differently or be in a different\n location if using a version of SSH that is provided by a third-party vendor).\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the following:\n PrintLastLog yes\n The SSH service must be restarted for changes to \"sshd_config\" to take effect.'\n impact 0.5\n tag legacy: ['V-72245', 'SV-86869']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204591'\n tag rid: 'SV-204591r858477_rule'\n tag stig_id: 'RHEL-07-040360'\n tag fix_id: 'F-4715r88966_fix'\n tag cci: ['CCI-000366', 'CCI-000052']\n tag nist: ['CM-6 b', 'AC-9']\n tag subsystems: ['pam', 'ssh', 'lastlog']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif sshd_config.params['printlastlog'] == ['yes']\n\n describe sshd_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\n else\n describe pam('/etc/pam.d/sshd') do\n its('lines') do\n should match_pam_rule('session required pam_lastlog.so showfailed')\n end\n its('lines') do\n should_not match_pam_rule('session required pam_lastlog.so showfailed silent')\n end\n end\n end\nend\n", + "code": "control 'SV-204596' do\n title 'The Red Hat Enterprise Linux 
operating system must be configured so that the SSH public host key files have\n mode 0644 or less permissive.'\n desc 'If a public host key file is modified by an unauthorized user, the SSH service may be compromised.'\n desc 'check', %q(Verify the SSH public host key files have mode \"0644\" or less permissive.\n Note: SSH public key files may be found in other directories on the system depending on the installation.\n The following command will find all SSH public key files on the system:\n # find /etc/ssh -name '*.pub' -exec ls -lL {} \\;\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n If any file has a mode more permissive than \"0644\", this is a finding.)\n desc 'fix', 'Note: SSH public key files may be found in other directories on the system depending on the\n installation.\n Change the mode of public host key files under \"/etc/ssh\" to \"0644\" with the following command:\n # chmod 0644 /etc/ssh/*.key.pub'\n impact 0.5\n tag legacy: ['V-72255', 'SV-86879']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204596'\n tag rid: 'SV-204596r603261_rule'\n tag stig_id: 'RHEL-07-040410'\n tag fix_id: 'F-4720r88981_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n pub_files = command(\"find #{input('public_host_key_directories').join(' ')} -xdev -name '*.pub'\").stdout.split(\"\\n\")\n if !pub_files.nil? 
and !pub_files.empty?\n pub_files.each do |pubfile|\n describe file(pubfile) do\n it { should_not be_more_permissive_than(input('public_host_key_file_mode')) }\n end\n end\n else\n describe 'No public host key files found.' do\n subject { pub_files.nil? or pub_files.empty? }\n it { should eq true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204591.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204596.rb", "line": 1 }, - "id": "SV-204591" + "id": "SV-204596" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH\n installed.", - "desc": "Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If\n physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.", + "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n lock-delay setting for the graphical user interface.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", "descriptions": { - "default": "Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If\n physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.", - "check": "Check to see if sshd is installed with the following command:\n # yum list installed \\*ssh\\*\n libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1\n openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n If the \"SSH server\" package is not installed, this is a finding.", - "fix": "Install SSH packages onto the host with the following commands:\n # yum install openssh-server.x86_64" + "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "check": "Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the lock delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n # grep -i lock-delay /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return a result, this is a finding.", + "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \"local\" for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver lock delay:\n /org/gnome/desktop/screensaver/lock-delay" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "SV-86857", - "V-72233" + "V-73155", + "SV-87807" ], "severity": "medium", - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188", - "SRG-OS-000425-GPOS-00189", - "SRG-OS-000426-GPOS-00190" - ], - "gid": "V-204585", - "rid": "SV-204585r853989_rule", - "stig_id": "RHEL-07-040300", - "fix_id": "F-4709r88948_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "gid": "V-204399", + "rid": "SV-204399r880773_rule", + "stig_id": "RHEL-07-010081", + "fix_id": "F-4523r880772_fix", "cci": [ - "CCI-002418", - "CCI-002420", - "CCI-002421", - "CCI-002422" + "CCI-000057" ], "nist": [ - "SC-8", - "SC-8 (2)", - "SC-8 (1)", - "SC-8 (2)" + "AC-11 a" ], "subsystems": [ - "ssh" + "gui" ], "host": null }, - "code": "control 'SV-204585' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH\n installed.'\n desc 'Without protection of the transmitted information, confidentiality and integrity may be compromised because\n 
unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If\n physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.'\n desc 'check', 'Check to see if sshd is installed with the following command:\n # yum list installed \\\\*ssh\\\\*\n libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1\n openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n If the \"SSH server\" package is not installed, this is a finding.'\n desc 'fix', 'Install SSH packages onto the host with the following commands:\n # yum install openssh-server.x86_64'\n impact 0.5\n tag legacy: ['SV-86857', 'V-72233']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000423-GPOS-00187'\n tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag gid: 'V-204585'\n tag rid: 'SV-204585r853989_rule'\n tag stig_id: 'RHEL-07-040300'\n tag fix_id: 'F-4709r88948_fix'\n tag cci: ['CCI-002418', 'CCI-002420', 'CCI-002421', 'CCI-002422']\n tag nist: ['SC-8', 'SC-8 (2)', 'SC-8 (1)', 'SC-8 (2)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is 
not installed within containerized RHEL'\n end\n else\n describe package('openssh-server') do\n it { should be_installed }\n end\n describe package('openssh-clients') do\n it { should be_installed }\n end\n end\nend\n", + "code": "control 'SV-204399' do\n title 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n lock-delay setting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', \"Verify the operating system prevents a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the lock delay setting with the following command:\n\nNote: The example below is using the database \\\"local\\\" for the system, so the path is \\\"/etc/dconf/db/local.d\\\". 
This path must be modified if a database other than \\\"local\\\" is being used.\n\n # grep -i lock-delay /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return a result, this is a finding.\"\n desc 'fix', \"Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \\\"local\\\" for the system, so if the system is using another database in\n \\\"/etc/dconf/profile/user\\\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver lock delay:\n /org/gnome/desktop/screensaver/lock-delay\"\n impact 0.5\n tag legacy: ['V-73155', 'SV-87807']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204399'\n tag rid: 'SV-204399r880773_rule'\n tag stig_id: 'RHEL-07-010081'\n tag fix_id: 'F-4523r880772_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command('gsettings writable org.gnome.desktop.screensaver lock-delay') do\n its('stdout.strip') { should cmp 'false' }\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204585.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204399.rb", "line": 1 }, - "id": "SV-204585" + "id": "SV-204399" }, { - "title": "The 
Red Hat Enterprise Linux operating system must audit all uses of the kmod command.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"kmod\" command occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"kmod\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"delete_module\" syscall, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the 
\"delete_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86815", - "V-72191" + "V-72189", + "SV-86813" ], "severity": "medium", "gtitle": "SRG-OS-000471-GPOS-00216", @@ -7934,10 +7790,10 @@ "SRG-OS-000471-GPOS-00216", "SRG-OS-000477-GPOS-00222" ], - "gid": "V-204563", - "rid": "SV-204563r858498_rule", - "stig_id": "RHEL-07-030840", - "fix_id": "F-4687r858497_fix", + "gid": "V-204562", + "rid": "SV-204562r833175_rule", + "stig_id": "RHEL-07-030830", + "fix_id": "F-4686r833174_fix", "cci": [ "CCI-000172" ], 
@@ -7951,925 +7807,910 @@ ], "host": null }, - "code": "control 'SV-204563' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"kmod\" command occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"kmod\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86815', 'V-72191']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00216'\n tag satisfies: ['SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-204563'\n tag rid: 'SV-204563r858498_rule'\n tag stig_id: 'RHEL-07-030840'\n tag fix_id: 
'F-4687r858497_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/kmod'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key).to cmp 'modules'\n end\n end\n end\nend\n", + "code": "control 'SV-204562' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"delete_module\" syscall, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when 
successful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72189', 'SV-86813']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00216'\n tag satisfies: ['SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-204562'\n tag rid: 'SV-204562r833175_rule'\n tag stig_id: 'RHEL-07-030830'\n tag fix_id: 'F-4686r833174_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['delete_module']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('module-change')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204563.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204562.rb", "line": 1 }, - "id": "SV-204563" + "id": "SV-204562" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for\n interactive 
users are owned by the home directory user or root.", - "desc": "Local initialization files are used to configure the user's shell environment upon logon. Malicious\n modification of these files could compromise accounts upon logon.", + "title": "The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.", + "desc": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", "descriptions": { - "default": "Local initialization files are used to configure the user's shell environment upon logon. Malicious\n modification of these files could compromise accounts upon logon.", - "check": "Verify the local initialization files of all local interactive users are owned by that user.\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1000 /home/smithj\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n Check the owner of all local interactive user's initialization files with the following command:\n # ls -al /home/smithj/.[^.]* | more\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n If all local interactive user's initialization files are not owned by that user or root, this is a finding.", - "fix": "Set the owner of the local initialization files for interactive users to\neither the directory owner or root with the following command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n # chown smithj /home/smithj/.[^.]*" + "default": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", + "check": "Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command:\n\nThis command must be ran as root:\n# grep -r sysadm_r /etc/sudoers /etc/sudoers.d\n%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL\n\nIf conflicting results are returned, this is a finding.\n\nIf a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to \"sysadm_t\" and \"sysadm_r\" with the use of the sudo command, this is a finding.", + "fix": "Configure the operating system to elevate the SELinux context when an administrator calls the sudo command.\nEdit a file in the /etc/sudoers.d directory with the following command:\n$ sudo visudo -f /etc/sudoers.d/\n\nUse the following example to build the in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command:\n%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL\n\nRemove any configurations that conflict with the above from the following locations:\n/etc/sudoers\n/etc/sudoers.d/" }, "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "V-72029", - "SV-86653" - ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204474", - "rid": "SV-204474r603834_rule", - "stig_id": "RHEL-07-020690", - "fix_id": "F-4598r462464_fix", + "gtitle": "SRG-OS-000324-GPOS-00125", + "satisfies": null, + "gid": "V-250314", + "rid": "SV-250314r877392_rule", + "stig_id": "RHEL-07-020023", + "fix_id": "F-53702r858494_fix", "cci": [ - "CCI-000366" + "CCI-002165", + "CCI-002235" ], + "legacy": [], "nist": [ - "CM-6 b" + "AC-3 (4)", + "AC-6 (10)" ], "subsystems": [ - "init_files" + "selinux" ], "host": null }, - "code": "control 
'SV-204474' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for\n interactive users are owned by the home directory user or root.'\n desc \"Local initialization files are used to configure the user's shell environment upon logon. Malicious\n modification of these files could compromise accounts upon logon.\"\n desc 'check', %q(Verify the local initialization files of all local interactive users are owned by that user.\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1000 /home/smithj\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n Check the owner of all local interactive user's initialization files with the following command:\n # ls -al /home/smithj/.[^.]* | more\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n If all local interactive user's initialization files are not owned by that user or root, this is a finding.)\n desc 'fix', 'Set the owner of the local initialization files for interactive users to\neither the directory owner or root with the following command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n # chown smithj /home/smithj/.[^.]*'\n impact 0.5\n tag legacy: ['V-72029', 'SV-86653']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204474'\n tag rid: 'SV-204474r603834_rule'\n tag stig_id: 'RHEL-07-020690'\n tag fix_id: 'F-4598r462464_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 
subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -name '.*' -not -user #{user_info.username} -a -not -user root\").stdout.split(\"\\n\")\n end\n describe 'Files and Directories not owned by the user or root of the parent home directory' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-250314' do\n title 'The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.'\n desc 'Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.'\n desc 'check', 'Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command:\n\nThis command must be ran as root:\n# grep -r sysadm_r /etc/sudoers /etc/sudoers.d\n%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL\n\nIf conflicting results are returned, this is a finding.\n\nIf a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to \"sysadm_t\" and \"sysadm_r\" with the use of the sudo command, this is a finding.'\n desc 'fix', 'Configure the operating system to elevate the SELinux context when an administrator calls the sudo command.\nEdit a file in the /etc/sudoers.d directory with the following command:\n$ sudo visudo -f /etc/sudoers.d/\n\nUse the following example to build the in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command:\n%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL\n\nRemove any configurations that conflict with the above from the following locations:\n/etc/sudoers\n/etc/sudoers.d/'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag satisfies: nil\n tag gid: 'V-250314'\n tag rid: 'SV-250314r877392_rule'\n tag stig_id: 'RHEL-07-020023'\n tag fix_id: 'F-53702r858494_fix'\n tag cci: ['CCI-002165', 'CCI-002235']\n tag legacy: []\n tag nist: ['AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container -- kernel config' do\n skip 'Control not applicable within a container -- kernel config'\n end\n else\n describe command('grep -r sysadm_r /etc/sudoers 
/etc/sudoers.d').stdout.strip do\n it { should match /TYPE=sysadm_t\\s+ROLE=sysadm_r/ }\n it { should_not match /\\n/ }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204474.rb", + "ref": "./Red Hat 7 STIG/controls/SV-250314.rb", "line": 1 }, - "id": "SV-204474" + "id": "SV-250314" }, { - "title": "The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package\n installed unless needed.", - "desc": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and\n integrity of user passwords or the remote session. If a privileged user were to log on using this service, the\n privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of\n this service.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are\n restricted to a 60-day maximum lifetime.", + "desc": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.", "descriptions": { - "default": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and\n integrity of user passwords or the remote session. If a privileged user were to log on using this service, the\n privileged user password could be compromised. 
SSH or other encrypted file transfer methods must be used in place of\n this service.", - "check": "Verify an FTP server has not been installed on the system.\n Check to see if an FTP server has been installed with the following commands:\n # yum list installed vsftpd\n vsftpd-3.0.2.el7.x86_64.rpm\n If \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational\n requirement, this is a finding.", - "fix": "Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system\n with the following command:\n # yum remove vsftpd" + "default": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.", + "check": "If passwords are not being used for authentication, this is Not Applicable.\n Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.\n Check for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the following command:\n # grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n If the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding.", + "fix": "Configure the operating system to enforce a 60-day maximum password lifetime restriction.\n Add the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n PASS_MAX_DAYS 60" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86923", - "V-72299" + "V-71929", + "SV-86553" ], - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204620", - "rid": "SV-204620r603261_rule", - "stig_id": "RHEL-07-040690", - "fix_id": "F-4744r89053_fix", + "severity": "medium", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": 
"V-204420", + "rid": "SV-204420r603261_rule", + "stig_id": "RHEL-07-010250", + "fix_id": "F-4544r88453_fix", "cci": [ - "CCI-000366" + "CCI-000199" ], "nist": [ - "CM-6 b" + "IA-5 (1) (d)" ], "subsystems": [ - "vsftpd" + "login_defs", + "password" ], "host": null, "container": null }, - "code": "control 'SV-204620' do\n title 'The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package\n installed unless needed.'\n desc 'The FTP service provides an unencrypted remote access that does not provide for the confidentiality and\n integrity of user passwords or the remote session. If a privileged user were to log on using this service, the\n privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of\n this service.'\n desc 'check', 'Verify an FTP server has not been installed on the system.\n Check to see if an FTP server has been installed with the following commands:\n # yum list installed vsftpd\n vsftpd-3.0.2.el7.x86_64.rpm\n If \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational\n requirement, this is a finding.'\n desc 'fix', 'Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system\n with the following command:\n # yum remove vsftpd'\n impact 0.7\n tag legacy: ['SV-86923', 'V-72299']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204620'\n tag rid: 'SV-204620r603261_rule'\n tag stig_id: 'RHEL-07-040690'\n tag fix_id: 'F-4744r89053_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['vsftpd']\n tag 'host'\n tag 'container'\n\n describe.one do\n describe package('vsftpd') do\n it { should_not be_installed }\n end\n describe parse_config_file('/etc/vsftpd/vsftpd.conf') do\n its('ssl_enable') { should cmp 'YES' }\n its('force_anon_data_ssl') { should cmp 'YES' }\n its('force_anon_logins_ssl') { should cmp 
'YES' }\n its('force_local_data_ssl') { should cmp 'YES' }\n its('force_local_logins_ssl') { should cmp 'YES' }\n end\n end\nend\n", + "code": "control 'SV-204420' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are\n restricted to a 60-day maximum lifetime.'\n desc 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed\n periodically. If the operating system does not limit the lifetime of passwords and force users to change their\n passwords, there is the risk that the operating system passwords could be compromised.'\n desc 'check', 'If passwords are not being used for authentication, this is Not Applicable.\n Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.\n Check for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the following command:\n # grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n If the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce a 60-day maximum password lifetime restriction.\n Add the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n PASS_MAX_DAYS 60'\n impact 0.5\n tag legacy: ['V-71929', 'SV-86553']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-204420'\n tag rid: 'SV-204420r603261_rule'\n tag stig_id: 'RHEL-07-010250'\n tag fix_id: 'F-4544r88453_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag subsystems: ['login_defs', 'password']\n tag 'host'\n tag 'container'\n\n if command(\"grep 'pam_unix.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'optional'\").stdout.empty? 
&& command(\"grep 'pam_permit.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'required'\").stdout.empty?\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= input('pass_max_days') }\n its('PASS_MAX_DAYS') { should_not be_nil }\n end\n else\n impact 0.0\n describe 'The system is not using password for authentication' do\n skip 'The system is not using password for authentication, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204620.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204420.rb", "line": 1 }, - "id": "SV-204620" + "id": "SV-204420" }, { - "title": "Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous\n mode.", - "desc": "Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system.\n If unauthorized individuals can access these applications, it may allow then to collect information such as logon\n IDs, passwords, and key exchanges between systems.\n If the system is being used to perform a network troubleshooting function, the use of these tools must be documented\n with the Information System Security Officer (ISSO) and restricted to only authorized personnel.", + "title": "The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.", + "desc": "USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.", "descriptions": { - "default": "Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system.\n If unauthorized individuals can access these applications, it may allow then to collect information such as logon\n IDs, passwords, and key exchanges between systems.\n If the system is being used to perform a network troubleshooting function, the use of these tools must be documented\n with the Information System Security Officer (ISSO) and restricted to only 
authorized personnel.", - "check": "Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n Check for the status with the following command:\n # ip link | grep -i promisc\n If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO\n and documented, this is a finding.", - "fix": "Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n Set the promiscuous mode of an interface to off with the following command:\n #ip link set dev multicast off promisc off" + "default": "USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.", + "check": "Verify the operating system disables the ability to load the USB Storage kernel module.\n # grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n install usb-storage /bin/true\n If the command does not return any output, or the line is commented out, and use of USB Storage is not documented\n with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n Verify the operating system disables the ability to use USB mass storage devices.\n Check to see if USB mass storage is disabled with the following command:\n # grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist usb-storage\n If the command does not return any output or the output is not \"blacklist usb-storage\", and use of USB storage\n devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is\n a finding.", + "fix": "Configure the operating system to disable the ability to use the USB Storage kernel module.\n Create a file under \"/etc/modprobe.d\" with the following command:\n # touch /etc/modprobe.d/usb-storage.conf\n Add the following line to the created file:\n install usb-storage /bin/true\n Configure the operating system 
to disable the ability to use USB mass storage devices.\n # vi /etc/modprobe.d/blacklist.conf\n Add or update the line:\n blacklist usb-storage" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72295", - "SV-86919" + "SV-86607", + "V-71983" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204618", - "rid": "SV-204618r603261_rule", - "stig_id": "RHEL-07-040670", - "fix_id": "F-4742r89047_fix", + "gtitle": "SRG-OS-000114-GPOS-00059", + "satisfies": [ + "SRG-OS-000114-GPOS-00059", + "SRG-OS-000378-GPOS-00163", + "SRG-OS-000480-GPOS-00227" + ], + "gid": "V-204449", + "rid": "SV-204449r853891_rule", + "stig_id": "RHEL-07-020100", + "fix_id": "F-4573r462538_fix", "cci": [ - "CCI-000366" + "CCI-000366", + "CCI-000778", + "CCI-001958" ], "nist": [ - "CM-6 b" + "CM-6 b", + "IA-3", + "IA-3" ], "subsystems": [ - "network", - "ip_link" + "usb", + "kernel_module" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204618' do\n title 'Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous\n mode.'\n desc 'Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system.\n If unauthorized individuals can access these applications, it may allow then to collect information such as logon\n IDs, passwords, and key exchanges between systems.\n If the system is being used to perform a network troubleshooting function, the use of these tools must be documented\n with the Information System Security Officer (ISSO) and restricted to only authorized personnel.'\n desc 'check', 'Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n Check for the status with the following command:\n # ip link | grep -i promisc\n If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO\n and documented, this is a finding.'\n desc 'fix', 'Configure network 
interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n Set the promiscuous mode of an interface to off with the following command:\n #ip link set dev multicast off promisc off'\n impact 0.5\n tag legacy: ['V-72295', 'SV-86919']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204618'\n tag rid: 'SV-204618r603261_rule'\n tag stig_id: 'RHEL-07-040670'\n tag fix_id: 'F-4742r89047_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['network', 'ip_link']\n tag 'host'\n tag 'container'\n\n describe command('ip link | grep -i promisc') do\n its('stdout.strip') { should match(/^$/) }\n end\nend\n", + "code": "control 'SV-204449' do\n title 'The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.'\n desc 'USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.'\n desc 'check', 'Verify the operating system disables the ability to load the USB Storage kernel module.\n # grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n install usb-storage /bin/true\n If the command does not return any output, or the line is commented out, and use of USB Storage is not documented\n with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n Verify the operating system disables the ability to use USB mass storage devices.\n Check to see if USB mass storage is disabled with the following command:\n # grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist usb-storage\n If the command does not return any output or the output is not \"blacklist usb-storage\", and use of USB storage\n devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is\n a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the USB Storage kernel module.\n Create 
a file under \"/etc/modprobe.d\" with the following command:\n # touch /etc/modprobe.d/usb-storage.conf\n Add the following line to the created file:\n install usb-storage /bin/true\n Configure the operating system to disable the ability to use USB mass storage devices.\n # vi /etc/modprobe.d/blacklist.conf\n Add or update the line:\n blacklist usb-storage'\n impact 0.5\n tag legacy: ['SV-86607', 'V-71983']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag satisfies: ['SRG-OS-000114-GPOS-00059', 'SRG-OS-000378-GPOS-00163', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-204449'\n tag rid: 'SV-204449r853891_rule'\n tag stig_id: 'RHEL-07-020100'\n tag fix_id: 'F-4573r462538_fix'\n tag cci: ['CCI-000366', 'CCI-000778', 'CCI-001958']\n tag nist: ['CM-6 b', 'IA-3', 'IA-3']\n tag subsystems: ['usb', 'kernel_module']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n describe kernel_module('usb_storage') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204618.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204449.rb", "line": 1 }, - "id": "SV-204618" + "id": "SV-204449" }, { - "title": "The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.", - "desc": "Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event\n that the system is compromised or has a hardware failure.", + "title": "The Red Hat Enterprise Linux operating system must enable SELinux.", + "desc": "Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.", "descriptions": { - "default": "Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event\n that the system is compromised or has a hardware failure.", - "check": "Verify \"rsyslog\" is configured to send all messages to a log aggregation server.\n Check the configuration of \"rsyslog\" with the following command:\n Note: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\".\n # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n *.* @@logagg.site.mil\n If there are no lines in the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files that contain the \"@\" or \"@@\"\n symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all \"rsyslog\"\n output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.\n If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is\n a finding.", - "fix": "Modify the \"/etc/rsyslog.conf\" or an \"/etc/rsyslog.d/*.conf\" file to contain a configuration line to\n send all \"rsyslog\" output to a log aggregation system:\n *.* @@" + "default": "Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.", + "check": "Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in\n conjunction with SELinux.\n Verify the operating system verifies correct operation of all security functions.\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following command:\n # getenforce\n Enforcing\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding.", + "fix": "Configure the operating system to verify correct operation of all security functions.\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following\n line:\n SELINUX=enforcing\n A reboot is required for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86833", - "V-72209" + "V-71989", + "SV-86613" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204574", - "rid": "SV-204574r603261_rule", - "stig_id": "RHEL-07-031000", - "fix_id": "F-4698r88915_fix", + "gtitle": "SRG-OS-000445-GPOS-00199", + "gid": "V-204453", + "rid": "SV-204453r853895_rule", + "stig_id": "RHEL-07-020210", + "fix_id": "F-36306r602628_fix", "cci": [ - "CCI-000366" + "CCI-002165", + "CCI-002696" ], "nist": [ - "CM-6 b" + "AC-3 (4)", + "SI-6 a" ], "subsystems": [ - "rsyslog" + "selinux" ], "host": null }, - "code": "control 'SV-204574' do\n title 'The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.'\n desc 'Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event\n that the system is compromised or has a hardware failure.'\n desc 'check', 'Verify \"rsyslog\" is configured to send all messages to a log aggregation server.\n Check the configuration of \"rsyslog\" with the following command:\n Note: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\".\n # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n *.* @@logagg.site.mil\n If there are no lines in the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files that contain the \"@\" or \"@@\"\n symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all \"rsyslog\"\n output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.\n If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is\n a finding.'\n desc 'fix', 'Modify the \"/etc/rsyslog.conf\" or an \"/etc/rsyslog.d/*.conf\" file to contain a configuration line to\n send all \"rsyslog\" output to a log aggregation system:\n *.* @@'\n impact 0.5\n tag legacy: 
['SV-86833', 'V-72209']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204574'\n tag rid: 'SV-204574r603261_rule'\n tag stig_id: 'RHEL-07-031000'\n tag fix_id: 'F-4698r88915_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['rsyslog']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('alternate_logs')\n describe 'An alternate logging system is used. This test cannot be checked in a automated fashion and you must check it manually' do\n skip 'An alternate logging system is used. This check must be performed manually'\n end\n else\n describe command(\"grep @ #{input('log_pkg_paths').join(' ')} | grep -v \\\"^#\\\"\") do\n its('stdout.strip') { should_not be_empty }\n end\n end\nend\n", + "code": "control 'SV-204453' do\n title 'The Red Hat Enterprise Linux operating system must enable SELinux.'\n desc 'Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. 
Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.'\n desc 'check', 'Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in\n conjunction with SELinux.\n Verify the operating system verifies correct operation of all security functions.\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following command:\n # getenforce\n Enforcing\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding.'\n desc 'fix', 'Configure the operating system to verify correct operation of all security functions.\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following\n line:\n SELINUX=enforcing\n A reboot is required for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-71989', 'SV-86613']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag gid: 'V-204453'\n tag rid: 'SV-204453r853895_rule'\n tag stig_id: 'RHEL-07-020210'\n tag fix_id: 'F-36306r602628_fix'\n tag cci: ['CCI-002165', 'CCI-002696']\n tag nist: ['AC-3 (4)', 'SI-6 a']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SELinux settings must be handled on host' do\n skip 'Control not applicable - SELinux settings must be handled on host'\n end\n else\n describe command('getenforce') do\n its('stdout.strip') { should eq 'Enforcing' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204574.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204453.rb", "line": 1 }, - "id": "SV-204574" + "id": "SV-204453" }, { 
- "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n lock-delay setting for the graphical user interface.", - "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for\n interactive users are owned by the home directory user or root.", + "desc": "Local initialization files are used to configure the user's shell environment upon logon. 
Malicious\n modification of these files could compromise accounts upon logon.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", - "check": "Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the lock delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n # grep -i lock-delay /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \"local\" for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver lock delay:\n /org/gnome/desktop/screensaver/lock-delay" + "default": "Local initialization files are used to configure the user's shell environment upon logon. Malicious\n modification of these files could compromise accounts upon logon.", + "check": "Verify the local initialization files of all local interactive users are owned by that user.\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1000 /home/smithj\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n Check the owner of all local interactive user's initialization files with the following command:\n # ls -al /home/smithj/.[^.]* | more\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n If all local interactive user's initialization files are not owned by that user or root, this is a finding.", + "fix": "Set the owner of the local initialization files for interactive users to\neither the directory owner or root with the following command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n # chown smithj /home/smithj/.[^.]*" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-73155", - "SV-87807" + "V-72029", + "SV-86653" ], "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "gid": "V-204399", - "rid": "SV-204399r880773_rule", - "stig_id": "RHEL-07-010081", - "fix_id": "F-4523r880772_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204474", + "rid": "SV-204474r603834_rule", + "stig_id": "RHEL-07-020690", + "fix_id": "F-4598r462464_fix", "cci": [ - "CCI-000057" + "CCI-000366" ], "nist": [ - "AC-11 a" + "CM-6 b" ], "subsystems": [ - "gui" + "init_files" ], "host": null }, - "code": "control 'SV-204399' do\n title 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n lock-delay setting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a 
user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', \"Verify the operating system prevents a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the lock delay setting with the following command:\n\nNote: The example below is using the database \\\"local\\\" for the system, so the path is \\\"/etc/dconf/db/local.d\\\". This path must be modified if a database other than \\\"local\\\" is being used.\n\n # grep -i lock-delay /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return a result, this is a finding.\"\n desc 'fix', \"Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \\\"local\\\" for the system, so if the system is using another database in\n \\\"/etc/dconf/profile/user\\\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver lock delay:\n /org/gnome/desktop/screensaver/lock-delay\"\n impact 0.5\n tag legacy: ['V-73155', 'SV-87807']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204399'\n tag rid: 'SV-204399r880773_rule'\n tag stig_id: 'RHEL-07-010081'\n tag fix_id: 
'F-4523r880772_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command('gsettings writable org.gnome.desktop.screensaver lock-delay') do\n its('stdout.strip') { should cmp 'false' }\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204474' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for\n interactive users are owned by the home directory user or root.'\n desc \"Local initialization files are used to configure the user's shell environment upon logon. Malicious\n modification of these files could compromise accounts upon logon.\"\n desc 'check', %q(Verify the local initialization files of all local interactive users are owned by that user.\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n smithj 1000 /home/smithj\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n Check the owner of all local interactive user's initialization files with the following command:\n # ls -al /home/smithj/.[^.]* | more\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n If all local interactive user's initialization files are not owned by that user or root, this is a finding.)\n desc 'fix', 'Set the owner of the local initialization files for interactive users to\neither the directory owner or root with the following command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n # chown smithj /home/smithj/.[^.]*'\n impact 0.5\n tag legacy: ['V-72029', 'SV-86653']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204474'\n tag rid: 'SV-204474r603834_rule'\n tag stig_id: 'RHEL-07-020690'\n tag fix_id: 'F-4598r462464_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -name '.*' -not -user #{user_info.username} -a -not -user root\").stdout.split(\"\\n\")\n end\n describe 'Files and Directories not owned by the user or root of the parent home directory' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", "source_location": 
{ - "ref": "./Red Hat 7 STIG/controls/SV-204399.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204474.rb", "line": 1 }, - "id": "SV-204399" + "id": "SV-204474" }, { - "title": "The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator\n (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches\n 75% of the repository maximum audit record storage capacity.", - "desc": "If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they\n are unable to plan for audit record storage capacity expansion.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership,\n and group membership of system files and commands match the vendor values.", + "desc": "Discretionary access control is weakened if a user or group has access permissions to system files and\n directories greater than the default.", "descriptions": { - "default": "If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they\n are unable to plan for audit record storage capacity expansion.", - "check": "Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when\n allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n Check the system configuration to determine the partition the audit records are being written to with the following\n command:\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n log_file = /var/log/audit/audit.log\n Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record\n storage capacity is reached:\n $ sudo grep -iw space_left /etc/audit/auditd.conf\n space_left = 25%\n If the value of the \"space_left\" keyword is not set to 25 percent of the total partition size, this is a finding.", - "fix": 
"Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when\n allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n Set the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to 25 percent of the partition size.\n space_left = 25%\n Reload the auditd daemon to apply changes made to the \"/etc/audit/auditd.conf\" file." + "default": "Discretionary access control is weakened if a user or group has access permissions to system files and\n directories greater than the default.", + "check": "Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.\n\nCheck the default file permissions, ownership, and group membership of system files and commands with the following command:\n\n # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d \" \" -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d \" \" -f 1,5,6,7 | grep $i;done;done\n\n /var/log/gdm 040755 root root\n /etc/audisp/audisp-remote.conf 0100640 root root\n /usr/bin/passwd 0104755 root root\n\nFor each file returned, verify the current permissions, ownership, and group membership:\n # ls -la \n\n -rw-------. 
1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf\n\nIf the file is more permissive than the default permissions, this is a finding.\n\nIf the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.\n\nIf the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.", + "fix": "Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n Reset the user and group ownership of files within a package with the\nfollowing command:\n\n #rpm --setugids \n\n\n Reset the permissions of files within a package with the following command:\n\n #rpm --setperms " }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { "legacy": [ - "V-72089", - "SV-86713" + "V-71849", + "SV-86473" ], - "severity": "medium", - "gtitle": "SRG-OS-000343-GPOS-00134", - "gid": "V-204513", - "rid": "SV-204513r877389_rule", - "stig_id": "RHEL-07-030330", - "fix_id": "F-4637r744111_fix", + "severity": "high", + "gtitle": "SRG-OS-000257-GPOS-00098", + "satisfies": [ + "SRG-OS-000257-GPOS-00098", + "SRG-OS-000278-GPOS-00108" + ], + "gid": "V-204392", + "rid": "SV-204392r880752_rule", + "stig_id": "RHEL-07-010010", + "fix_id": "F-36302r880751_fix", "cci": [ - "CCI-001855" + "CCI-001494", + "CCI-001496", + "CCI-002165", + "CCI-002235" ], "nist": [ - "AU-5 (1)" + "AU-9", + "AU-9 (3)", + "AC-3 (4)", + "AC-6 (10)" ], "subsystems": [ - "audit", - "auditd" + "permissions", + "package", + "rpm" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204513' do\n title \"The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator\n (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches\n #{input('storage_volume')}% of the repository maximum audit record storage capacity.\"\n desc \"If security 
personnel are not notified immediately when storage volume reaches #{input('storage_volume')} percent utilization, they\n are unable to plan for audit record storage capacity expansion.\"\n desc 'check', \"Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when\n allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity.\n Check the system configuration to determine the partition the audit records are being written to with the following\n command:\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n log_file = /var/log/audit/audit.log\n Determine what the threshold is for the system to take action when #{input('storage_volume')} percent of the repository maximum audit record\n storage capacity is reached:\n $ sudo grep -iw space_left /etc/audit/auditd.conf\n space_left = #{input('min_space_left')}%\n If the value of the \\\"space_left\\\" keyword is not set to #{input('min_space_left')} percent of the total partition size, this is a finding.\"\n desc 'fix', \"Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when\n allocated audit record storage volume reaches #{input('storage_volume')} percent of the repository maximum audit record storage capacity.\n Set the value of the \\\"space_left\\\" keyword in \\\"/etc/audit/auditd.conf\\\" to #{input('min_space_left')} percent of the partition size.\n space_left = #{input('min_space_left')}%\n Reload the auditd daemon to apply changes made to the \\\"/etc/audit/auditd.conf\\\" file.\"\n impact 0.5\n tag legacy: ['V-72089', 'SV-86713']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-204513'\n tag rid: 'SV-204513r877389_rule'\n tag stig_id: 'RHEL-07-030330'\n tag fix_id: 'F-4637r744111_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag subsystems: ['audit', 'auditd']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n 
impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe auditd_conf do\n its('space_left') { should cmp >= input('min_space_left') }\n end\n end\nend\n", + "code": "control 'SV-204392' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership,\n and group membership of system files and commands match the vendor values.'\n desc 'Discretionary access control is weakened if a user or group has access permissions to system files and\n directories greater than the default.'\n desc 'check', %q(Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.\n\nCheck the default file permissions, ownership, and group membership of system files and commands with the following command:\n\n # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d \" \" -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d \" \" -f 1,5,6,7 | grep $i;done;done\n\n /var/log/gdm 040755 root root\n /etc/audisp/audisp-remote.conf 0100640 root root\n /usr/bin/passwd 0104755 root root\n\nFor each file returned, verify the current permissions, ownership, and group membership:\n # ls -la \n\n -rw-------. 
1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf\n\nIf the file is more permissive than the default permissions, this is a finding.\n\nIf the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.\n\nIf the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.)\n desc 'fix', 'Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n Reset the user and group ownership of files within a package with the\nfollowing command:\n\n #rpm --setugids \n\n\n Reset the permissions of files within a package with the following command:\n\n #rpm --setperms '\n impact 0.7\n tag legacy: ['V-71849', 'SV-86473']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000257-GPOS-00098'\n tag satisfies: ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000278-GPOS-00108']\n tag gid: 'V-204392'\n tag rid: 'SV-204392r880752_rule'\n tag stig_id: 'RHEL-07-010010'\n tag fix_id: 'F-36302r880751_fix'\n tag cci: ['CCI-001494', 'CCI-001496', 'CCI-002165', 'CCI-002235']\n tag nist: ['AU-9', 'AU-9 (3)', 'AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['permissions', 'package', 'rpm']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe \"This control consistently takes a long time to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long time to run and has been disabled\n using the disable_slow_controls attribute. 
You must enable this control for a\n full accredidation for production.\"\n end\n else\n\n allowlist = input('rpm_verify_perms_except')\n\n misconfigured_packages = command('rpm -Va').stdout.split(\"\\n\")\n .select { |package| package[0..7].match(/M|U|G/) }\n .map { |package| package.match(/\\S+$/)[0] }\n\n if misconfigured_packages.empty?\n describe 'The list of rpm packages with permissions changed from the vendor values' do\n subject { misconfigured_packages }\n it { should be_empty }\n end\n else\n describe 'The list of rpm packages with permissions changed from the vendor values' do\n fail_msg = \"Files that have been modified from vendor-approved permissions but are not in the allowlist: #{(misconfigured_packages - allowlist).join(', ')}\"\n it 'should all appear in the allowlist' do\n expect(misconfigured_packages).to all(be_in allowlist), fail_msg\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204513.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204392.rb", "line": 1 }, - "id": "SV-204513" + "id": "SV-204392" }, { - "title": "The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.", - "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality\n and integrity of user passwords or the remote session and has very weak authentication.\n If a privileged user were to log on using this service, the privileged user password could be compromised.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least 1 lower-case character.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality\n and integrity of user passwords or the remote session and has very weak authentication.\n If a privileged user were to log on using this service, the privileged user password could be compromised.", - "check": "Check to see if the rsh-server package is installed with the following command:\n # yum list installed rsh-server\n If the rsh-server package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the rsh-server\n package from the system with the following command:\n # yum remove rsh-server" + "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "check": "Note: The value to require a number of lower-case characters to be set is expressed as a negative\n number in '/etc/security/pwquality.conf'.\n Check the value for 'lcredit' in '/etc/security/pwquality.conf' with the following command:\n # grep lcredit /etc/security/pwquality.conf\n lcredit = -1\n If the value of 'lcredit' is not set to a negative value, this is a finding.", + "fix": "Configure the system to require at least 1 lower-case character when creating or changing a\n password.\n Add or modify the following line\n in '/etc/security/pwquality.conf':\n lcredit = -1" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71967", - "SV-86591" + "SV-86529", + "V-71905" ], - "severity": "high", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-204442", - "rid": "SV-204442r603261_rule", - "stig_id": "RHEL-07-020000", - "fix_id": "F-4566r88519_fix", + "severity": "medium", + "gtitle": "SRG-OS-000070-GPOS-00038", + "gid": "V-204408", + "rid": "SV-204408r603261_rule", + "stig_id": "RHEL-07-010130", + "fix_id": "F-4532r88417_fix", "cci": [ - "CCI-000381" + "CCI-000193" ], "nist": [ - "CM-7 a" + "IA-5 (1) (a)" ], "subsystems": [ - "packages" + "pwquality", + "password" ], "host": null, "container": null }, - "code": "control 'SV-204442' do\n title 'The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding\n requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore\n may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and\n services, provided by default, may not be necessary to support essential organizational operations (e.g., key\n missions, functions).\n The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality\n and integrity of user passwords or the remote session and has very weak authentication.\n If a privileged user were to log on using this service, the privileged user password could be compromised.'\n desc 'check', 'Check to see if the rsh-server package is installed with the following command:\n # yum list installed rsh-server\n If the rsh-server package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by removing the rsh-server\n package from the system with the following command:\n # yum remove rsh-server'\n impact 0.7\n tag legacy: ['V-71967', 'SV-86591']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-204442'\n tag rid: 'SV-204442r603261_rule'\n tag stig_id: 'RHEL-07-020000'\n tag fix_id: 'F-4566r88519_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag subsystems: ['packages']\n tag 'host'\n tag 'container'\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-204408' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new\n passwords are established, the new password must contain at least #{input('min_lowercase_characters')} lower-case character.\"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.\"\n desc 'check', \"Note: The value to require a number of lower-case characters to be set is expressed as a negative\n number in '/etc/security/pwquality.conf'.\n Check the value for 'lcredit' in '/etc/security/pwquality.conf' with the following command:\n # grep lcredit /etc/security/pwquality.conf\n lcredit = -#{input('min_lowercase_characters')}\n If the value of 'lcredit' is not set to a negative value, this is a finding.\"\n desc 'fix', \"Configure the system to require at least #{input('min_lowercase_characters')} lower-case character when creating or changing a\n password.\n Add or modify the following line\n in '/etc/security/pwquality.conf':\n lcredit = -#{input('min_lowercase_characters')}\"\n impact 0.5\n tag legacy: ['SV-86529', 'V-71905']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000070-GPOS-00038'\n tag gid: 'V-204408'\n tag rid: 'SV-204408r603261_rule'\n tag stig_id: 'RHEL-07-010130'\n tag fix_id: 'F-4532r88417_fix'\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('lcredit') { should cmp <= -input('min_lowercase_characters')}\n its('lcredit') { should_not be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204442.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204408.rb", "line": 1 }, - "id": "SV-204442" + "id": "SV-204408" }, { - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/shadow.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an 
incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "title": "The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.", + "desc": "If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/shadow.\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/shadow /etc/audit/audit.rules\n -w /etc/shadow -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/shadow.\n Add or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/shadow -p wa -k identity\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.", + "check": "Verify the operating system audit records have proper permissions and ownership.\n\nList the full permissions and ownership of the audit log files with the following command.\n\n# ls -la /var/log/audit\ntotal 4512\ndrwx------. 2 root root 23 Apr 25 16:53 .\ndrwxr-xr-x. 17 root root 4096 Aug 9 13:09 ..\n-rw-------. 1 root root 8675309 Aug 9 12:54 audit.log\n\nAudit logs must be mode 0600 or less permissive.\nIf any are more permissive, this is a finding.\n\nThe owner and group owner of all audit log files must both be \"root\". 
If any other owner or group owner is listed, this is a finding.", + "fix": "Change the mode of the audit log files with the following command:\n\n# chmod 0600 [audit_file]\n\nChange the owner and group owner of the audit log files with the following command:\n\n# chown root:root [audit_file]" }, "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "SV-87823", - "V-73171" - ], "severity": "medium", - "gtitle": "SRG-OS-000004-GPOS-00004", - "gid": "V-204567", - "rid": "SV-204567r853981_rule", - "stig_id": "RHEL-07-030873", - "fix_id": "F-4691r88894_fix", + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029", + "SRG-OS-000206-GPOS-00084" + ], + "gid": "V-228564", + "rid": "SV-228564r606407_rule", + "stig_id": "RHEL-07-910055", + "fix_id": "F-23603r419770_fix", "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" + "CCI-000162", + "CCI-000163", + "CCI-000164", + "CCI-001314" ], + "legacy": [], "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" + "AU-9", + "SI-11 c", + "AU-9 a", + "SI-11 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "audit" ], "host": null }, - "code": "control 'SV-204567' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/shadow.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/shadow.\n Check the 
auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/shadow /etc/audit/audit.rules\n -w /etc/shadow -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect /etc/shadow.\n Add or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/shadow -p wa -k identity\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-87823', 'V-73171']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag gid: 'V-204567'\n tag rid: 'SV-204567r853981_rule'\n tag stig_id: 'RHEL-07-030873'\n tag fix_id: 'F-4691r88894_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/shadow'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", + "code": "control 'SV-228564' do\n title 'The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.'\n desc 'If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit information, the operating system must 
protect audit information from unauthorized modification.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.'\n desc 'check', 'Verify the operating system audit records have proper permissions and ownership.\n\nList the full permissions and ownership of the audit log files with the following command.\n\n# ls -la /var/log/audit\ntotal 4512\ndrwx------. 2 root root 23 Apr 25 16:53 .\ndrwxr-xr-x. 17 root root 4096 Aug 9 13:09 ..\n-rw-------. 1 root root 8675309 Aug 9 12:54 audit.log\n\nAudit logs must be mode 0600 or less permissive.\nIf any are more permissive, this is a finding.\n\nThe owner and group owner of all audit log files must both be \"root\". If any other owner or group owner is listed, this is a finding.'\n desc 'fix', 'Change the mode of the audit log files with the following command:\n\n# chmod 0600 [audit_file]\n\nChange the owner and group owner of the audit log files with the following command:\n\n# chown root:root [audit_file]'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029', 'SRG-OS-000206-GPOS-00084']\n tag gid: 'V-228564'\n tag rid: 'SV-228564r606407_rule'\n tag stig_id: 'RHEL-07-910055'\n tag fix_id: 'F-23603r419770_fix'\n tag cci: ['CCI-000162', 'CCI-000163', 'CCI-000164', 'CCI-001314']\n tag legacy: []\n tag nist: ['AU-9', 'SI-11 c', 'AU-9 a', 'SI-11 b']\n tag subsystems: ['audit']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe file(auditd_conf.log_file) do\n it { should_not be_more_permissive_than(input('max_audit_file_mode')) }\n its('group') { should cmp 'root' }\n its('owner') { should cmp 'root' }\n end\n 
end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204567.rb", + "ref": "./Red Hat 7 STIG/controls/SV-228564.rb", "line": 1 }, - "id": "SV-204567" + "id": "SV-228564" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat\n syscalls.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", - "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"chmod\", \"fchmod\", and \"fchmodat\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following command:\n # grep chmod /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls, this is\n a finding.", - "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n The audit daemon must be restarted for the changes to take effect." + "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.", + "check": "For systems that use UEFI, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n# grep -iw \"superusers\" /boot/grub2/grub.cfg\n set superusers=\"[someuniquestringhere]\"\n export superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.", + "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg" }, "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "SV-86729", - "V-72105" - ], "severity": "medium", - "gtitle": "SRG-OS-000458-GPOS-00203", - "satisfies": [ - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000064-GPOS-00033" - ], - "gid": "V-204521", - "rid": "SV-204521r809772_rule", - "stig_id": "RHEL-07-030410", - "fix_id": "F-4645r809771_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "satisfies": null, + "gid": "V-244557", + "rid": "SV-244557r833185_rule", + "stig_id": "RHEL-07-010483", + "fix_id": "F-47789r833184_fix", "cci": [ - "CCI-000172" + "CCI-000213" ], + "legacy": [], "nist": [ - "AU-12 c" + "AC-3" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "grub" ], "host": null }, - "code": "control 'SV-204521' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat\n syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an 
incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', 'Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"chmod\", \"fchmod\", and \"fchmodat\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following command:\n # grep chmod /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls, this is\n a finding.'\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use\n the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls.\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n The audit daemon must be restarted for the changes to 
take effect.'\n impact 0.5\n tag legacy: ['SV-86729', 'V-72105']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000458-GPOS-00203'\n tag satisfies: ['SRG-OS-000458-GPOS-00203', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000064-GPOS-00033']\n tag gid: 'V-204521'\n tag rid: 'SV-204521r809772_rule'\n tag stig_id: 'RHEL-07-030410'\n tag fix_id: 'F-4645r809771_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['chmod', 'fchmod', 'fchmodat']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('perm_mod')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244557' do\n title 'Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\nThe GRUB 2 superuser account is an account of last resort. 
Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.'\n desc 'check', 'For systems that use UEFI, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n# grep -iw \"superusers\" /boot/grub2/grub.cfg\n set superusers=\"[someuniquestringhere]\"\n export superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.'\n desc 'fix', 'Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag satisfies: nil\n tag gid: 'V-244557'\n tag rid: 'SV-244557r833185_rule'\n tag stig_id: 'RHEL-07-010483'\n tag fix_id: 'F-47789r833184_fix'\n tag cci: ['CCI-000213']\n tag legacy: []\n tag nist: ['AC-3']\n tag subsystems: ['grub']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n elsif os[:release] >= '7.2'\n options = {\n assignment_regex: /^\\s*(.*)=\\\"?([^\\\"]+)\\\"?$/\n }\n\n describe 
parse_config_file(input('grub_main_cfg'), options) do\n its('set superusers') { should_not be nil }\n its('set superusers') { should_not be_in users.usernames }\n end\n\n else\n impact 0.0\n describe 'System running version of RHEL prior to 7.2' do\n skip 'The System is running an outdated version of RHEL, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204521.rb", + "ref": "./Red Hat 7 STIG/controls/SV-244557.rb", "line": 1 }, - "id": "SV-204521" + "id": "SV-244557" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n idle-activation-enabled setting for the graphical user interface.", - "desc": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.", + "desc": "If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.", - "check": "Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\nCheck for the idle-activation-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/idle-activation-enabled\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \"local\" for the system, so if the system is using another database in\n \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver idle-activation-enabled setting:\n /org/gnome/desktop/screensaver/idle-activation-enabled" + "default": "If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", + "check": "The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]:\n\n# find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\nIf there is output, this is a finding.", + "fix": "All directories in local partitions which are world-writable should be owned by root or another system account. 
If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "V-78997", - "SV-93703" - ], "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "gid": "V-204403", - "rid": "SV-204403r880785_rule", - "stig_id": "RHEL-07-010101", - "fix_id": "F-4527r880784_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "satisfies": null, + "gid": "V-228563", + "rid": "SV-228563r744119_rule", + "stig_id": "RHEL-07-021031", + "fix_id": "F-19547r377220_fix", "cci": [ - "CCI-000057" + "CCI-000366" ], + "legacy": [], "nist": [ - "AC-11 a" + "CM-6 b" ], "subsystems": [ - "gui" + "world_writable", + "ww_dirs" ], "host": null }, - "code": "control 'SV-204403' do\n title 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver\n idle-activation-enabled setting for the graphical user interface.'\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical\n vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be determined.\n The ability to enable/disable a session lock is given to the user by default. 
Disabling the user's ability to\n disengage the graphical user interface session lock provides the assurance that all sessions will lock after the\n specified period of time.\"\n desc 'check', 'Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\nCheck for the idle-activation-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/idle-activation-enabled\n\nIf the command does not return a result, this is a finding.'\n desc 'fix', \"Configure the operating system to prevent a user from overriding a screensaver lock after a #{input('system_activity_timeout')/60}-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \\\"local\\\" for the system, so if the system is using another database in\n \\\"/etc/dconf/profile/user\\\", the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the screensaver idle-activation-enabled setting:\n /org/gnome/desktop/screensaver/idle-activation-enabled\"\n impact 0.5\n tag legacy: ['V-78997', 'SV-93703']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204403'\n tag rid: 'SV-204403r880785_rule'\n tag stig_id: 'RHEL-07-010101'\n tag fix_id: 
'F-4527r880784_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n if package('gnome-desktop3').installed?\n impact 0.5\n else\n impact 0.0\n end\n\n if package('gnome-desktop3').installed?\n describe command('gsettings writable org.gnome.desktop.screensaver idle-activation-enabled') do\n its('stdout.strip') { should cmp 'false' }\n end\n end\n\n unless package('gnome-desktop3').installed?\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\n end\nend\n", + "code": "control 'SV-228563' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.'\n desc 'If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]:\n\n# find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\nIf there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable should be owned by root or another system account. 
If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-228563'\n tag rid: 'SV-228563r744119_rule'\n tag stig_id: 'RHEL-07-021031'\n tag fix_id: 'F-19547r377220_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag subsystems: ['world_writable', 'ww_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ww_dirs = Set[]\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n partitions.each do |part|\n cmd = \"find #{part} -xdev -type d -perm -0002 -uid +999 -print\"\n ww_dirs += command(cmd).stdout.split(\"\\n\")\n end\n\n describe 'List of world-writeable directories which are not owned by system accounts across all partitions' do\n subject { ww_dirs.to_a }\n it { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204403.rb", + "ref": "./Red Hat 7 STIG/controls/SV-228563.rb", "line": 1 }, - "id": "SV-204403" + "id": "SV-228563" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill\n documented and validated mission requirements.", - "desc": "Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", + "title": "For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be\n configured.", + "desc": "To provide availability for name resolution services, multiple redundant name servers are mandated. A\n failure in name resolution could lead to the failure of security functions requiring name resolution, which may\n include time synchronization, centralized authentication, and remote system logging.", "descriptions": { - "default": "Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", - "check": "Verify the operating system automatically terminates a user session after inactivity time-outs have\n expired.\n Check for the value of the \"ClientAliveInterval\" keyword with the following command:\n # grep -iw clientaliveinterval /etc/ssh/sshd_config\n ClientAliveInterval 600\n If \"ClientAliveInterval\" is not configured, commented out, or has a value of \"0\", this is a finding.\n If \"ClientAliveInterval\" has a value that is greater than \"600\" and is not documented with the Information System\n Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to automatically terminate a user session after inactivity time-outs\n have expired or at shutdown.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor):\n ClientAliveInterval 600\n The SSH service must be restarted for changes to take effect." + "default": "To provide availability for name resolution services, multiple redundant name servers are mandated. 
A\n failure in name resolution could lead to the failure of security functions requiring name resolution, which may\n include time synchronization, centralized authentication, and remote system logging.", + "check": "Determine whether the system is using local or DNS name resolution with the following command:\n # grep hosts /etc/nsswitch.conf\n hosts: files dns\n If the DNS entry is missing from the host's line in the \"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must\n be empty.\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n # ls -al /etc/resolv.conf\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n If local host authentication is being used and the \"/etc/resolv.conf\" file is not empty, this is a finding.\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\" file, verify the operating system is\n configured to use two or more name servers for DNS resolution.\n Determine the name servers used by the system with the following command:\n # grep nameserver /etc/resolv.conf\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n If less than two lines are returned that are not commented out, this is a finding.\n Verify that the \"/etc/resolv.conf\" file is immutable with the following command:\n # sudo lsattr /etc/resolv.conf\n ----i----------- /etc/resolv.conf\n If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a\n finding.", + "fix": "Configure the operating system to use two or more name servers for DNS resolution.\n Edit the \"/etc/resolv.conf\" file to uncomment or add the two or more \"nameserver\" option lines with the IP address\n of local authoritative name servers. If local host resolution is being performed, the \"/etc/resolv.conf\" file must\n be empty. 
An empty \"/etc/resolv.conf\" file can be created as follows:\n # echo -n > /etc/resolv.conf\n And then make the file immutable with the following command:\n # chattr +i /etc/resolv.conf\n If the \"/etc/resolv.conf\" file must be mutable, the required configuration must be documented with the Information\n System Security Officer (ISSO) and the file must be verified by the system file integrity tool." }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "V-72237", - "SV-86861" - ], - "severity": "medium", - "gtitle": "SRG-OS-000163-GPOS-00072", - "satisfies": [ - "SRG-OS-000163-GPOS-00072", - "SRG-OS-000279-GPOS-00109" + "SV-86905", + "V-72281" ], - "gid": "V-204587", - "rid": "SV-204587r861072_rule", - "stig_id": "RHEL-07-040320", - "fix_id": "F-4711r88954_fix", + "severity": "low", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204608", + "rid": "SV-204608r603261_rule", + "stig_id": "RHEL-07-040600", + "fix_id": "F-4732r89017_fix", "cci": [ - "CCI-001133", - "CCI-002361" + "CCI-000366" ], "nist": [ - "SC-10", - "AC-12" + "CM-6 b" ], "subsystems": [ - "ssh" + "dns", + "resolv" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204587' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with SSH traffic are terminated at the end of the session or after #{input('client_alive_interval')/60} minutes of inactivity, except to fulfill\n documented and validated mission requirements.\"\n desc 'Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.'\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity time-outs have\n expired.\n Check for the value of the \\\"ClientAliveInterval\\\" keyword with the following command:\n # grep -iw clientaliveinterval /etc/ssh/sshd_config\n ClientAliveInterval #{input('client_alive_interval')}\n If \\\"ClientAliveInterval\\\" is not configured, commented out, or has a value of \\\"0\\\", this is a finding.\n If \\\"ClientAliveInterval\\\" has a value that is greater than \\\"#{input('client_alive_interval')}\\\" and is not documented with the Information System\n Security Officer (ISSO) as an operational requirement, this is a finding.\"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity time-outs\n have expired or at shutdown.\n Add the following line (or modify the line to have the required value) to the \\\"/etc/ssh/sshd_config\\\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor):\n ClientAliveInterval #{input('client_alive_interval')}\n The SSH service must be restarted for changes to take effect.\"\n impact 0.5\n tag legacy: ['V-72237', 'SV-86861']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag satisfies: 
['SRG-OS-000163-GPOS-00072', 'SRG-OS-000279-GPOS-00109']\n tag gid: 'V-204587'\n tag rid: 'SV-204587r861072_rule'\n tag stig_id: 'RHEL-07-040320'\n tag fix_id: 'F-4711r88954_fix'\n tag cci: ['CCI-001133', 'CCI-002361']\n tag nist: ['SC-10', 'AC-12']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n # This may show slightly confusing results when a ClientAliveInterValue is not\n # specified. Specifically, because the value will be nil and when you try to\n # convert it to an integer using to_i it will convert it to 0 and pass the\n # <= client_alive_interval check. However, the control as a whole will still fail.\n describe sshd_config do\n its('ClientAliveInterval') { should be_between(1, input('client_alive_interval')) }\n its('ClientAliveInterval') { should_not eq nil }\n end\n end\nend\n", + "code": "control 'SV-204608' do\n title 'For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be\n configured.'\n desc 'To provide availability for name resolution services, multiple redundant name servers are mandated. 
A\n failure in name resolution could lead to the failure of security functions requiring name resolution, which may\n include time synchronization, centralized authentication, and remote system logging.'\n desc 'check', %q(Determine whether the system is using local or DNS name resolution with the following command:\n # grep hosts /etc/nsswitch.conf\n hosts: files dns\n If the DNS entry is missing from the host's line in the \"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must\n be empty.\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n # ls -al /etc/resolv.conf\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n If local host authentication is being used and the \"/etc/resolv.conf\" file is not empty, this is a finding.\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\" file, verify the operating system is\n configured to use two or more name servers for DNS resolution.\n Determine the name servers used by the system with the following command:\n # grep nameserver /etc/resolv.conf\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n If less than two lines are returned that are not commented out, this is a finding.\n Verify that the \"/etc/resolv.conf\" file is immutable with the following command:\n # sudo lsattr /etc/resolv.conf\n ----i----------- /etc/resolv.conf\n If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a\n finding.)\n desc 'fix', 'Configure the operating system to use two or more name servers for DNS resolution.\n Edit the \"/etc/resolv.conf\" file to uncomment or add the two or more \"nameserver\" option lines with the IP address\n of local authoritative name servers. If local host resolution is being performed, the \"/etc/resolv.conf\" file must\n be empty. 
An empty \"/etc/resolv.conf\" file can be created as follows:\n # echo -n > /etc/resolv.conf\n And then make the file immutable with the following command:\n # chattr +i /etc/resolv.conf\n If the \"/etc/resolv.conf\" file must be mutable, the required configuration must be documented with the Information\n System Security Officer (ISSO) and the file must be verified by the system file integrity tool.'\n impact 0.3\n tag legacy: ['SV-86905', 'V-72281']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204608'\n tag rid: 'SV-204608r603261_rule'\n tag stig_id: 'RHEL-07-040600'\n tag fix_id: 'F-4732r89017_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['dns', 'resolv']\n tag 'host'\n tag 'container'\n\n dns_in_host_line = parse_config_file('/etc/nsswitch.conf',\n {\n comment_char: '#',\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }).params['hosts'].include?('dns')\n\n unless dns_in_host_line\n describe 'If `local` resolution is being used, a `hosts` entry in /etc/nsswitch.conf having `dns`' do\n subject { dns_in_host_line }\n it { should be false }\n end\n end\n\n unless dns_in_host_line\n describe 'If `local` resoultion is being used, the /etc/resolv.conf file should' do\n subject do\n parse_config_file('/etc/resolv.conf', { comment_char: '#' }).params\n end\n it { should be_empty }\n end\n end\n\n nameservers = parse_config_file('/etc/resolv.conf',\n { comment_char: '#' }).params.keys.grep(/nameserver/)\n\n if dns_in_host_line\n describe \"The system's nameservers: #{nameservers}\" do\n subject { nameservers }\n it { should_not be nil }\n end\n end\n\n if dns_in_host_line\n describe 'The number of nameservers' do\n subject { nameservers.count }\n it { should cmp >= 2 }\n end\n end\n\n describe '/etc/resolv.conf should be immutable -- file attributes' do\n subject { command('lsattr /etc/resolve.conf').stdout }\n it { should match /i/ }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 
STIG/controls/SV-204587.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204608.rb", "line": 1 }, - "id": "SV-204587" + "id": "SV-204608" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless\n approved.", + "desc": "Internet services that are not required for system or application processes must not be active to decrease\n the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and\n must not be used unless approved and documented.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/libexec/openssh/ssh-keysign\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Internet services that are not required for system or application processes must not be active to decrease\n the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and\n must not be used unless approved and documented.", + "check": "Verify the system is configured to boot to the command line:\n $ systemctl get-default\n multi-user.target\n If the system default target is not set to \"multi-user.target\" and the Information System Security Officer (ISSO)\n lacks a documented requirement for a graphical user interface, this is a finding.\n Verify a graphical user interface is not installed:\n $ rpm -qa | grep xorg | grep server\n Ask the System Administrator if use of a graphical user interface is an operational requirement.\n If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.", + "fix": "Document the requirement for a graphical user interface with the ISSO or reinstall the operating\n system without the graphical user interface. If reinstallation is not feasible, then continue with the following\n procedure:\n Open an SSH session and enter the following commands:\n $ sudo systemctl set-default multi-user.target\n $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils\n A reboot is required for the changes to take effect." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "SV-86803",
- "V-72179"
+ "SV-86931",
+ "V-72307"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000042-GPOS-00020",
- "satisfies": [
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000471-GPOS-00215"
- ],
- "gid": "V-204556",
- "rid": "SV-204556r861065_rule",
- "stig_id": "RHEL-07-030780",
- "fix_id": "F-4680r861064_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-204624",
+ "rid": "SV-204624r646847_rule",
+ "stig_id": "RHEL-07-040730",
+ "fix_id": "F-36316r646846_fix",
 "cci": [
- "CCI-000135",
- "CCI-000172",
- "CCI-002884"
+ "CCI-000366"
 ],
 "nist": [
- "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "CM-6 b"
 ],
 "subsystems": [
- "audit",
- "auditd",
- "audit_rule"
+ "gui"
 ],
 "host": null
 },
- "code": "control 'SV-204556' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/libexec/openssh/ssh-keysign\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86803', 'V-72179']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204556'\n tag rid: 'SV-204556r861065_rule'\n tag stig_id: 'RHEL-07-030780'\n tag fix_id: 'F-4680r861064_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/libexec/openssh/ssh-keysign'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n 
expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-ssh')\n end\n end\n end\nend\n",
+ "code": "control 'SV-204624' do\n title 'The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless\n approved.'\n desc 'Internet services that are not required for system or application processes must not be active to decrease\n the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and\n must not be used unless approved and documented.'\n desc 'check', 'Verify the system is configured to boot to the command line:\n $ systemctl get-default\n multi-user.target\n If the system default target is not set to \"multi-user.target\" and the Information System Security Officer (ISSO)\n lacks a documented requirement for a graphical user interface, this is a finding.\n Verify a graphical user interface is not installed:\n $ rpm -qa | grep xorg | grep server\n Ask the System Administrator if use of a graphical user interface is an operational requirement.\n If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.'\n desc 'fix', 'Document the requirement for a graphical user interface with the ISSO or reinstall the operating\n system without the graphical user interface. 
If reinstallation is not feasible, then continue with the following\n procedure:\n Open an SSH session and enter the following commands:\n $ sudo systemctl set-default multi-user.target\n $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils\n A reboot is required for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86931', 'V-72307']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204624'\n tag rid: 'SV-204624r646847_rule'\n tag stig_id: 'RHEL-07-040730'\n tag fix_id: 'F-36316r646846_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('x11_enabled')\n describe 'System default target' do\n subject { command('systemctl get-default').stdout.strip }\n it { should eq 'multi-user.target' }\n end\n\n describe 'No GUI packages should be installed' do\n subject { packages(/xorg.*server/) }\n its('statuses') { should_not cmp 'installed' }\n end\n else\n describe 'GUI permitted' do\n skip 'Not applicable -- GUI packages are allowed to be installed on this system'\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204556.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204624.rb",
 "line": 1
 },
- "id": "SV-204556"
+ "id": "SV-204624"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.",
- "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.",
+ "title": "The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer\n is full.",
+ "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When\n the remote buffer is full, audit logs will not be collected and sent to the central log server.",
 "descriptions": {
- "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.",
- "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/sudo\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.",
- "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect."
+ "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. 
When\n the remote buffer is full, audit logs will not be collected and sent to the central log server.",
+ "check": "Verify the audisp daemon is configured to take an appropriate action when the internal queue is\n full:\n # grep \"overflow_action\" /etc/audisp/audispd.conf\n overflow_action = syslog\n If the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate\n what action that system takes when the internal queue is full.\n If there is no evidence the system is configured to off-load audit logs to a different system or storage media or,\n if the configuration does not take appropriate action when the internal queue is full, this is a finding.",
+ "fix": "Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:\n overflow_action = syslog\n The audit daemon must be restarted for changes to take effect:\n # service auditd restart"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72161",
- "SV-86785"
+ "V-81019",
+ "SV-95731"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000037-GPOS-00015",
+ "gtitle": "SRG-OS-000342-GPOS-00133",
 "satisfies": [
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215"
+ "SRG-OS-000342-GPOS-00133",
+ "SRG-OS-000479-GPOS-00224"
 ],
- "gid": "V-204548",
- "rid": "SV-204548r861044_rule",
- "stig_id": "RHEL-07-030690",
- "fix_id": "F-4672r861043_fix",
+ "gid": "V-204507",
+ "rid": "SV-204507r877390_rule",
+ "stig_id": "RHEL-07-030210",
+ "fix_id": "F-36312r602646_fix",
 "cci": [
- "CCI-000130",
- "CCI-000135",
- "CCI-000172",
- "CCI-002884"
+ "CCI-001851"
 ],
 "nist": [
- "AU-3",
- "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)",
- "AU-3 a"
+ "AU-4 (1)"
 ],
 "subsystems": [
 "audit",
- "auditd",
- "audit_rule"
+ "audisp"
 ],
 "host": null
 },
- 
"code": "control 'SV-204548' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/sudo\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72161', 'SV-86785']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 
'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204548'\n tag rid: 'SV-204548r861044_rule'\n tag stig_id: 'RHEL-07-030690'\n tag fix_id: 'F-4672r861043_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/sudo'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n",
+ "code": "control 'SV-204507' do\n title 'The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer\n is full.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.\n One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. 
When\n the remote buffer is full, audit logs will not be collected and sent to the central log server.'\n desc 'check', 'Verify the audisp daemon is configured to take an appropriate action when the internal queue is\n full:\n # grep \"overflow_action\" /etc/audisp/audispd.conf\n overflow_action = syslog\n If the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate\n what action that system takes when the internal queue is full.\n If there is no evidence the system is configured to off-load audit logs to a different system or storage media or,\n if the configuration does not take appropriate action when the internal queue is full, this is a finding.'\n desc 'fix', 'Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:\n overflow_action = syslog\n The audit daemon must be restarted for changes to take effect:\n # service auditd restart'\n impact 0.5\n tag legacy: ['V-81019', 'SV-95731']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204507'\n tag rid: 'SV-204507r877390_rule'\n tag stig_id: 'RHEL-07-030210'\n tag fix_id: 'F-36312r602646_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n elsif file('/etc/audisp/audispd.conf').exist?\n describe parse_config_file('/etc/audisp/audispd.conf') do\n its('overflow_action') { should match(/syslog$|single$|halt$/i) }\n end\n else\n describe \"File '/etc/audisp/audispd.conf' cannot be found. 
This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually\"\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204548.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204507.rb",
 "line": 1
 },
- "id": "SV-204548"
+ "id": "SV-204507"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a\n minimum of eight of the total number of characters must be changed.",
- "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.",
+ "title": "The Red Hat Enterprise Linux operating system must lock the associated account after 3 unsuccessful\n root logon attempts are made within a 15-minute period.",
+ "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.",
 "descriptions": {
- "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.",
- "check": "The \"difok\" option sets the number of characters in a password that must not be present in the old\n password.\n Check for the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep difok /etc/security/pwquality.conf\n difok = 8\n If the value of \"difok\" is set to less than \"8\", this is a finding.",
- "fix": "Configure the operating system to require the change of at least eight of the total number of\n characters when passwords are changed by setting the \"difok\" option.\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n difok = 8"
+ "default": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.",
+ "check": "Verify the operating system automatically locks the root account, for a minimum of 15 minutes, when\n 3 unsuccessful logon attempts in 15 minutes are made.\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n account required pam_faillock.so\n If the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or\n is missing from a line, this is a finding.\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\n account required pam_faillock.so\n If the \"even_deny_root\" 
setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or\n is missing from a line, this is a finding.",
+ "fix": "Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when 3 unsuccessful logon attempts in 15 minutes are made.\n\nModify the first 3 lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-71911",
- "SV-86535"
+ "V-71945",
+ "SV-86569"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000072-GPOS-00040",
- "gid": "V-204411",
- "rid": "SV-204411r603261_rule",
- "stig_id": "RHEL-07-010160",
- "fix_id": "F-4535r88426_fix",
+ "gtitle": "SRG-OS-000329-GPOS-00128",
+ "satisfies": [
+ "SRG-OS-000329-GPOS-00128",
+ "SRG-OS-000021-GPOS-00005"
+ ],
+ "gid": "V-204428",
+ "rid": "SV-204428r880845_rule",
+ "stig_id": "RHEL-07-010330",
+ "fix_id": "F-4552r880844_fix",
 "cci": [
- "CCI-000195"
+ "CCI-002238"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "AC-7 b"
 ],
 "subsystems": [
- "pwquality",
- "password"
+ "pam"
 ],
 "host": null,
 "container": null
 },
- "code": "control 'SV-204411' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a\n minimum of eight of the total number of characters must be changed.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', 'The \"difok\" option sets the number of characters in a password that must not be present in the old\n password.\n Check for the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep difok /etc/security/pwquality.conf\n difok = 8\n If the value of \"difok\" is set to less than \"8\", this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of at least eight of the total number of\n characters when passwords are changed by setting the \"difok\" option.\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n difok = 8'\n impact 0.5\n tag legacy: ['V-71911', 'SV-86535']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-204411'\n tag rid: 'SV-204411r603261_rule'\n tag stig_id: 'RHEL-07-010160'\n tag fix_id: 'F-4535r88426_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('difok') { should cmp >= input('difok') }\n end\nend\n",
+ "code": "control 'SV-204428' do\n title \"The Red Hat Enterprise Linux operating system must lock the associated account after #{input('unsuccessful_attempts')} unsuccessful\n root logon attempts are made within a #{input('fail_interval')/60}-minute period.\"\n desc 'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password\n guessing, otherwise known as brute forcing, is reduced. 
Limits are imposed by locking the account.'\n desc 'check', \"Verify the operating system automatically locks the root account, for a minimum of #{input('lockout_time')/60} minutes, when\n #{input('unsuccessful_attempts')} unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made.\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n account required pam_faillock.so\n If the \\\"even_deny_root\\\" setting is not defined on both lines with the \\\"pam_faillock.so\\\" module, is commented out, or\n is missing from a line, this is a finding.\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n auth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\n account required pam_faillock.so\n If the \\\"even_deny_root\\\" setting is not defined on both lines with the \\\"pam_faillock.so\\\" module, is commented out, or\n is missing from a line, this is a finding.\"\n desc 'fix', \"Configure the operating system to automatically lock the root account, for a minimum of #{input('lockout_time')/60} minutes, when #{input('unsuccessful_attempts')} unsuccessful logon attempts in #{input('fail_interval')/60} minutes are made.\n\nModify the first #{input('unsuccessful_attempts')} lines of the auth section and the first line of the account section of the \\\"/etc/pam.d/system-auth\\\" and 
\\\"/etc/pam.d/password-auth\\\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=#{input('unsuccessful_attempts')} even_deny_root fail_interval=#{input('fail_interval')} unlock_time=#{input('lockout_time')}\naccount required pam_faillock.so\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.\"\n impact 0.5\n tag legacy: ['V-71945', 'SV-86569']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000329-GPOS-00128'\n tag satisfies: ['SRG-OS-000329-GPOS-00128', 'SRG-OS-000021-GPOS-00005']\n tag gid: 'V-204428'\n tag rid: 'SV-204428r880845_rule'\n tag stig_id: 'RHEL-07-010330'\n tag fix_id: 'F-4552r880844_fix'\n tag cci: ['CCI-002238']\n tag nist: ['AC-7 b']\n tag subsystems: ['pam']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') do\n should match_pam_rule('auth .* pam_faillock.so preauth even_deny_root')\n end\n its('lines') do\n should match_pam_rule('auth .* pam_faillock.so authfail even_deny_root')\n end\n end\n describe pam('/etc/pam.d/system-auth') do\n its('lines') do\n should match_pam_rule('auth .* pam_faillock.so preauth even_deny_root')\n end\n its('lines') do\n should match_pam_rule('auth .* pam_faillock.so authfail even_deny_root')\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 7 STIG/controls/SV-204411.rb",
+ "ref": "./Red Hat 7 STIG/controls/SV-204428.rb",
 "line": 1
 },
- "id": "SV-204411"
+ "id": "SV-204428"
 },
 {
- "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does 
not allow\n compression or only allows compression after successful authentication.",
- "desc": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression\n software could result in compromise of the system from an unauthenticated connection, potentially with root\n privileges.",
+ "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.",
+ "desc": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.\n The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character\n or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This\n option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. 
Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.",
 "descriptions": {
- "default": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression\n software could result in compromise of the system from an unauthenticated connection, potentially with root\n privileges.",
- "check": "Note: For RHEL 7.4 and above, this requirement is not applicable.\n\nVerify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n # grep -i compression /etc/ssh/sshd_config\n Compression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding.",
- "fix": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or\n be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set\n the value to \"delayed\" or \"no\":\n Compression no\n The SSH service must be restarted for changes to take effect."
+ "default": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.\n The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character\n or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. 
This\n option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.", + "check": "Verify that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /dev/shm:\n # cat /etc/fstab | grep /dev/shm\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n If results are returned and the \"nodev\", \"nosuid\", or \"noexec\" options are missing, this is a finding.\n Verify \"/dev/shm\" is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options:\n # mount | grep /dev/shm\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n If /dev/shm is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.", + "fix": "Configure the system so that /dev/shm is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options by\n adding /modifying the /etc/fstab with the following line:\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "SV-86891", - "V-72267" + "SV-95725", + "V-81013" ], - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204602", - "rid": "SV-204602r880758_rule", - "stig_id": "RHEL-07-040470", - "fix_id": "F-4726r880757_fix", + "severity": "low", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-204486", + "rid": "SV-204486r853900_rule", + "stig_id": "RHEL-07-021024", + "fix_id": "F-4610r462553_fix", "cci": [ - "CCI-000366" + "CCI-001764" ], "nist": [ - "CM-6 b" + "CM-7 (2)" ], "subsystems": [ - "ssh" + "etc_fstab", + "mount" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204602' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n compression or only allows compression after successful authentication.'\n desc 'If 
compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression\n software could result in compromise of the system from an unauthenticated connection, potentially with root\n privileges.'\n desc 'check', 'Note: For RHEL 7.4 and above, this requirement is not applicable.\n\nVerify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n # grep -i compression /etc/ssh/sshd_config\n Compression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding.'\n desc 'fix', 'Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or\n be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set\n the value to \"delayed\" or \"no\":\n Compression no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86891', 'V-72267']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204602'\n tag rid: 'SV-204602r880758_rule'\n tag stig_id: 'RHEL-07-040470'\n tag fix_id: 'F-4726r880757_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n\n elsif os.release.to_f >= 7.4\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip 'For RHEL 7.4 and above, this requirement is not applicable.'\n end\n\n else\n\n describe.one do\n describe sshd_config do\n its('Compression') { should cmp 'delayed' }\n end\n describe sshd_config do\n its('Compression') { should 
cmp 'no' }\n end\n end\n end\nend\n", + "code": "control 'SV-204486' do\n title 'The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.'\n desc 'The \"noexec\" mount option causes the system to not execute binary files. This option must be used for\n mounting any file system not containing approved binary files as they may be incompatible. Executing files from\n untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative\n access.\n The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character\n or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This\n option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. 
Executing\n files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized\n administrative access.'\n desc 'check', 'Verify that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /dev/shm:\n # cat /etc/fstab | grep /dev/shm\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n If results are returned and the \"nodev\", \"nosuid\", or \"noexec\" options are missing, this is a finding.\n Verify \"/dev/shm\" is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options:\n # mount | grep /dev/shm\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n If /dev/shm is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.'\n desc 'fix', 'Configure the system so that /dev/shm is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options by\n adding /modifying the /etc/fstab with the following line:\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.3\n tag legacy: ['SV-95725', 'V-81013']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-204486'\n tag rid: 'SV-204486r853900_rule'\n tag stig_id: 'RHEL-07-021024'\n tag fix_id: 'F-4610r462553_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag subsystems: ['etc_fstab', 'mount']\n tag 'host'\n tag 'container'\n\n if mount('/dev/shm').mounted?\n\n mount_file = etc_fstab.where { mount_point == '/dev/shm' }\n mount_command = mount('/dev/shm').file.mounted.stdout\n .match(/\\((.*)\\)/)[1].split(',')\n\n describe.one do\n describe '/etc/fstab mount options for /dev/shm' do\n subject { mount_file }\n its('mount_options.flatten') { should include 'nodev' }\n its('mount_options.flatten') { should include 'nosuid' }\n its('mount_options.flatten') { should include 'noexec' }\n end\n describe '/etc/fstab mount options for /dev/shm' do\n subject { mount_file }\n it { should_not exist }\n end\n end\n describe 'mount command options for /dev/shm' do\n subject { 
mount_command }\n it { should include 'nodev' }\n it { should include 'nosuid' }\n it { should include 'noexec' }\n end\n else\n describe mount('/dev/shm') do\n it { should_not be_mounted }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204602.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204486.rb", "line": 1 }, - "id": "SV-204602" + "id": "SV-204486" }, { - "title": "The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.", - "desc": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.", + "title": "The Red Hat Enterprise Linux operating system must not contain .shosts files.", + "desc": "The .shosts files are used to configure host-based authentication for individual users or the system via\n SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not\n require interactive identification and authentication of a connection request, or for the use of two-factor\n authentication.", "descriptions": { - "default": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. 
If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.", - "check": "Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL", - "fix": "Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL" + "default": "The .shosts files are used to configure host-based authentication for individual users or the system via\n SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not\n require interactive identification and authentication of a connection request, or for the use of two-factor\n authentication.", + "check": "Verify there are no \".shosts\" files on the system.\n Check the system for the existence of these files with the following command:\n # find / -name '*.shosts'\n If any \".shosts\" files are found on the system, this is a finding.", + "fix": "Remove any found \".shosts\" files from the system.\n # rm /[path]/[to]/[file]/.shosts" }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "severity": "medium", + "legacy": [ + "SV-86901", + "V-72277" + ], + "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "satisfies": null, - "gid": "V-237633", - "rid": "SV-237633r646850_rule", - "stig_id": "RHEL-07-010341", - "fix_id": "F-40815r646849_fix", + "gid": "V-204606", + "rid": "SV-204606r603261_rule", + "stig_id": "RHEL-07-040540", + "fix_id": "F-4730r89011_fix", "cci": [ "CCI-000366" ], - "legacy": [], "nist": [ "CM-6 b" ], "subsystems": [ - "sudo" + "ssh" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-237633' do\n title 'The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.'\n desc 'The sudo command allows a 
user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.'\n desc 'check', %q(Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL)\n desc 'fix', 'Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-237633'\n tag rid: 'SV-237633r646850_rule'\n tag stig_id: 'RHEL-07-010341'\n tag fix_id: 'F-40815r646849_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n sudoers = command(\"grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\").stdout\n describe 'Sudoers file' do\n it 'should restrict access to privilege escalation' do\n expect(sudoers).not_to match(/ALL\\s+ALL=\\(ALL[:ALL]?\\)\\s+ALL/)\n end\n end\n end\nend\n", + "code": "control 'SV-204606' do\n title 'The Red Hat Enterprise Linux operating system must not contain .shosts files.'\n desc 'The .shosts files are used to configure host-based authentication for individual users or the system via\n SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not\n require interactive identification and authentication of a connection request, or for the use of two-factor\n authentication.'\n desc 'check', %q(Verify there are no \".shosts\" files on the system.\n Check the system for the existence of these files with the following command:\n # find / -name '*.shosts'\n If any \".shosts\" files are found on the system, this is a finding.)\n desc 'fix', 'Remove any found \".shosts\" files from the system.\n # rm /[path]/[to]/[file]/.shosts'\n impact 0.7\n tag legacy: ['SV-86901', 'V-72277']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204606'\n tag rid: 'SV-204606r603261_rule'\n tag stig_id: 'RHEL-07-040540'\n tag fix_id: 'F-4730r89011_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe command(\"find / -xdev -xautofs -name '*.shosts'\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-237633.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204606.rb", "line": 1 }, - "id": "SV-237633" + "id": "SV-204606" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are\n disabled.", - "desc": "The use of wireless networking can introduce many different attack vectors into the organization's network.\n Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless\n access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker 
to monitor\n and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to\n create a denial of service to valid network resources.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user\n accounts, upon creation, are assigned a home directory.", + "desc": "If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.", "descriptions": { - "default": "The use of wireless networking can introduce many different attack vectors into the organization's network.\n Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless\n access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor\n and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to\n create a denial of service to valid network resources.", - "check": "Verify that there are no wireless interfaces configured on the system.\n This is N/A for systems that do not have wireless network adapters.\n Check for the presence of active wireless interfaces with the following command:\n # nmcli device\n DEVICE TYPE STATE\n eth0 ethernet connected\n wlp3s0 wifi disconnected\n lo loopback unmanaged\n If a wireless interface is configured and its use on the system is not documented with the Information System\n Security Officer (ISSO), this is a finding.", - "fix": "Configure the system to disable all wireless network interfaces with the following command:\n #nmcli radio wifi off" + "default": "If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.", + "check": "Verify all local interactive users on the system are assigned a home directory upon creation.\n Check to see if the system is 
configured to create home directories for local interactive users with the following\n command:\n # grep -i create_home /etc/login.defs\n CREATE_HOME yes\n If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out,\n this is a finding.", + "fix": "Configure the operating system to assign home directories to all new local interactive users by\n setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.\n CREATE_HOME yes" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-73177", - "SV-87829" + "V-72013", + "SV-86637" ], "severity": "medium", - "gtitle": "SRG-OS-000424-GPOS-00188", - "gid": "V-204634", - "rid": "SV-204634r877465_rule", - "stig_id": "RHEL-07-041010", - "fix_id": "F-4758r89095_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204466", + "rid": "SV-204466r603261_rule", + "stig_id": "RHEL-07-020610", + "fix_id": "F-4590r88591_fix", "cci": [ - "CCI-001443", - "CCI-001444", - "CCI-002418" + "CCI-000366" ], "nist": [ - "AC-18 (1)", - "AC-18 (1)", - "SC-8" + "CM-6 b" ], "subsystems": [ - "network", - "wifi", - "nmcli" + "login_defs" ], "host": null, "container": null }, - "code": "control 'SV-204634' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are\n disabled.'\n desc \"The use of wireless networking can introduce many different attack vectors into the organization's network.\n Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless\n access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor\n and record network traffic. 
These malicious APs can also serve to create a man-in-the-middle attack or be used to\n create a denial of service to valid network resources.\"\n desc 'check', 'Verify that there are no wireless interfaces configured on the system.\n This is N/A for systems that do not have wireless network adapters.\n Check for the presence of active wireless interfaces with the following command:\n # nmcli device\n DEVICE TYPE STATE\n eth0 ethernet connected\n wlp3s0 wifi disconnected\n lo loopback unmanaged\n If a wireless interface is configured and its use on the system is not documented with the Information System\n Security Officer (ISSO), this is a finding.'\n desc 'fix', 'Configure the system to disable all wireless network interfaces with the following command:\n #nmcli radio wifi off'\n impact 0.5\n tag legacy: ['V-73177', 'SV-87829']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000424-GPOS-00188'\n tag gid: 'V-204634'\n tag rid: 'SV-204634r877465_rule'\n tag stig_id: 'RHEL-07-041010'\n tag fix_id: 'F-4758r89095_fix'\n tag cci: ['CCI-001443', 'CCI-001444', 'CCI-002418']\n tag nist: ['AC-18 (1)', 'AC-18 (1)', 'SC-8']\n tag subsystems: ['network', 'wifi', 'nmcli']\n tag 'host'\n tag 'container'\n\n describe command('nmcli device') do\n its('stdout.strip') { should_not match(/wifi connected/) }\n end\nend\n", + "code": "control 'SV-204466' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user\n accounts, upon creation, are assigned a home directory.'\n desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and\n control of files they should own.'\n desc 'check', 'Verify all local interactive users on the system are assigned a home directory upon creation.\n Check to see if the system is configured to create home directories for local interactive users with the following\n command:\n # grep -i create_home /etc/login.defs\n CREATE_HOME yes\n If the value for 
\"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out,\n this is a finding.'\n desc 'fix', 'Configure the operating system to assign home directories to all new local interactive users by\n setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.\n CREATE_HOME yes'\n impact 0.5\n tag legacy: ['V-72013', 'SV-86637']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204466'\n tag rid: 'SV-204466r603261_rule'\n tag stig_id: 'RHEL-07-020610'\n tag fix_id: 'F-4590r88591_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['login_defs']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('CREATE_HOME') { should eq 'yes' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204634.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204466.rb", "line": 1 }, - "id": "SV-204634" + "id": "SV-204466" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay\n setting for the graphical user interface.", - "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the\n baseline operating system configuration at least weekly.", + "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks 
or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", - "check": "Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the session idle delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n # grep -i idle-delay /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/session/idle-delay\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a session lock after a 15-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \"local\" for the system, so if the system is using another database in\n /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the session idle delay:\n /org/gnome/desktop/session/idle-delay" + "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", + "check": "Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * root /usr/sbin/aide --check\n /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.", + "fix": "Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. 
It will set cron to run AIDE daily, but other file integrity tools may be used:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-73157", - "SV-87809" + "SV-86597", + "V-71973" ], "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "gid": "V-204400", - "rid": "SV-204400r880776_rule", - "stig_id": "RHEL-07-010082", - "fix_id": "F-4524r880775_fix", + "gtitle": "SRG-OS-000363-GPOS-00150", + "gid": "V-204445", + "rid": "SV-204445r880848_rule", + "stig_id": "RHEL-07-020030", + "fix_id": "F-36304r880847_fix", "cci": [ - "CCI-000057" + "CCI-001744" ], "nist": [ - "AC-11 a" + "CM-3 (5)" ], "subsystems": [ - "gui" + "file_integrity_tool" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204400' do\n title 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay\n setting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', \"Verify the operating system prevents a user from overriding session idle delay after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nDetermine which profile the system 
database is using with the following command:\n # grep system-db /etc/dconf/profile/user\n system-db:local\n\nCheck for the session idle delay setting with the following command:\n\nNote: The example below is using the database \\\"local\\\" for the system, so the path is \\\"/etc/dconf/db/local.d\\\". This path must be modified if a database other than \\\"local\\\" is being used.\n\n # grep -i idle-delay /etc/dconf/db/local.d/locks/*\n /org/gnome/desktop/session/idle-delay\n\nIf the command does not return a result, this is a finding.\"\n desc 'fix', \"Configure the operating system to prevent a user from overriding a session lock after a #{input('system_activity_timeout')/60}-minute\n period of inactivity for graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n Note: The example below is using the database \\\"local\\\" for the system, so if the system is using another database in\n /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.\n # touch /etc/dconf/db/local.d/locks/session\n Add the setting to lock the session idle delay:\n /org/gnome/desktop/session/idle-delay\"\n impact 0.5\n tag legacy: ['V-73157', 'SV-87809']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204400'\n tag rid: 'SV-204400r880776_rule'\n tag stig_id: 'RHEL-07-010082'\n tag fix_id: 'F-4524r880775_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command('gsettings writable org.gnome.desktop.session idle-delay') do\n its('stdout.strip') { should cmp 'false' }\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME 
desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204445' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the\n baseline operating system configuration at least weekly.'\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\"\n desc 'check', 'Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for a script file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * root /usr/sbin/aide --check\n /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil'\n impact 0.5\n tag legacy: ['SV-86597', 'V-71973']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000363-GPOS-00150'\n tag gid: 'V-204445'\n tag rid: 'SV-204445r880848_rule'\n tag stig_id: 'RHEL-07-020030'\n tag fix_id: 'F-36304r880847_fix'\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n file_integrity_interval = input('file_integrity_interval')\n\n if file_integrity_tool == 'aide'\n if file_integrity_interval == 'monthly'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.monthly/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n 
its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n elsif file_integrity_interval == 'weekly'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n elsif file_integrity_interval == 'daily'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n end\n end\n else\n describe 'Need manual review of file integrity tool' do\n skip 'A manual review of the file integrity tool is required to ensure that it verifies the baseline operating system configuration at least weekly.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204400.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204445.rb", "line": 1 }, - "id": "SV-204400" + 
"id": "SV-204445" }, { - "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) communications.", - "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories are owned by their respective users.", + "desc": "If a local interactive user does not own their home directory, unauthorized users could access or modify the\n user's files, and the users may not be able to access their own files.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", - "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n To determine if LDAP is being used for authentication, use the following command:\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n If the \"sssd.service\" is 
\"active\", then LDAP is being used.\n Determine the \"id_provider\" that the LDAP is currently using:\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n id_provider = ad\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n Check the path to the X.509 certificate for peer authentication with the following command:\n # grep -i tls_cacert /etc/sssd/sssd.conf\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt\n Verify the \"ldap_tls_cacert\" option points to a file that contains the trusted CA certificate.\n If this file does not exist, or the option is commented out or missing, this is a finding.", - "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote\n access sessions.\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt" + "default": "If a local interactive user does not own their home directory, unauthorized users could access or modify the\n user's files, and the users may not be able to access their own files.", + "check": "Verify the assigned home directory of all local interactive users on the system exists.\n Check the home directory assignment for all local interactive users on the system with the following command:\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n If any home directories referenced in \"/etc/passwd\" are not owned by the interactive user, this is a finding.", + "fix": "Change the owner of a local interactive user's home directories to that owner. 
To change the owner of\n a local interactive user's home directory, use the following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n # chown smithj /home/smithj" }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86855", - "V-72231" + "SV-86643", + "V-72019" ], "severity": "medium", - "gtitle": "SRG-OS-000250-GPOS-00093", - "gid": "V-204583", - "rid": "SV-204583r877394_rule", - "stig_id": "RHEL-07-040200", - "fix_id": "F-4707r88942_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204469", + "rid": "SV-204469r603830_rule", + "stig_id": "RHEL-07-020640", + "fix_id": "F-4593r88600_fix", "cci": [ - "CCI-001453" + "CCI-000366" ], "nist": [ - "AC-17 (2)" + "CM-6 b" ], "subsystems": [ - "sssd", - "ldap" + "home_dirs" ], "host": null }, - "code": "control 'SV-204583' do\n title 'The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) communications.'\n desc 'Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.'\n desc 'check', 'If LDAP is not being utilized, this requirement is Not Applicable.\n Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n To determine if LDAP is being used for authentication, use the following command:\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n If 
the \"sssd.service\" is \"active\", then LDAP is being used.\n Determine the \"id_provider\" that the LDAP is currently using:\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n id_provider = ad\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n Check the path to the X.509 certificate for peer authentication with the following command:\n # grep -i tls_cacert /etc/sssd/sssd.conf\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt\n Verify the \"ldap_tls_cacert\" option points to a file that contains the trusted CA certificate.\n If this file does not exist, or the option is commented out or missing, this is a finding.'\n desc 'fix', 'Configure the operating system to implement cryptography to protect the integrity of LDAP remote\n access sessions.\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt'\n impact 0.5\n tag legacy: ['SV-86855', 'V-72231']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag gid: 'V-204583'\n tag rid: 'SV-204583r877394_rule'\n tag stig_id: 'RHEL-07-040200'\n tag fix_id: 'F-4707r88942_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag subsystems: ['sssd', 'ldap']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n\n sssd_id_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*id_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n sssd_ldap_enabled = (package('sssd').installed? 
and\n !command('grep \"^\\s*[a-z]*_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n pam_ldap_enabled = !command('grep \"^[^#]*pam_ldap\\.so\" /etc/pam.d/*').stdout.strip.empty?\n\n unless sssd_id_ldap_enabled or sssd_ldap_enabled or pam_ldap_enabled\n impact 0.0\n describe 'LDAP not enabled' do\n skip 'LDAP not enabled using any known mechanisms, this control is Not Applicable.'\n end\n end\n\n if sssd_id_ldap_enabled\n ldap_id_use_start_tls = command('grep ldap_id_use_start_tls /etc/sssd/sssd.conf')\n describe ldap_id_use_start_tls do\n its('stdout.strip') do\n should match(/^ldap_id_use_start_tls\\s*=\\s*true$/)\n end\n end\n\n ldap_id_use_start_tls.stdout.strip.each_line do |line|\n describe line do\n it { should match(/^ldap_id_use_start_tls\\s*=\\s*true$/) }\n end\n end\n end\n\n if sssd_ldap_enabled\n ldap_tls_cacert = command('grep -i ldap_tls_cacert /etc/sssd/sssd.conf')\n .stdout.strip.scan(/^ldap_tls_cacert\\s*=\\s*(.*)/).last\n\n describe 'ldap_tls_cacert' do\n subject { ldap_tls_cacert }\n it { should_not eq nil }\n end\n\n unless ldap_tls_cacert.nil?\n describe file(ldap_tls_cacert.last) do\n it { should exist }\n it { should be_file }\n end\n end\n end\n\n if pam_ldap_enabled\n tls_cacertfile = command('grep -i tls_cacertfile /etc/pam_ldap.conf')\n .stdout.strip.scan(/^tls_cacertfile\\s+(.*)/).last\n\n describe 'tls_cacertfile' do\n subject { tls_cacertfile }\n it { should_not eq nil }\n end\n\n unless tls_cacertfile.nil?\n describe file(tls_cacertfile.last) do\n it { should exist }\n it { should be_file }\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204469' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories are owned by their respective users.'\n desc \"If a local interactive user does not own their home directory, unauthorized users could access or modify the\n user's files, and the users may not be able to access their own files.\"\n 
desc 'check', %q(Verify the assigned home directory of all local interactive users on the system exists.\n Check the home directory assignment for all local interactive users on the system with the following command:\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n If any home directories referenced in \"/etc/passwd\" are not owned by the interactive user, this is a finding.)\n desc 'fix', %q(Change the owner of a local interactive user's home directories to that owner. To change the owner of\n a local interactive user's home directory, use the following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n # chown smithj /home/smithj)\n impact 0.5\n tag legacy: ['SV-86643', 'V-72019']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204469'\n tag rid: 'SV-204469r603830_rule'\n tag stig_id: 'RHEL-07-020640'\n tag fix_id: 'F-4593r88600_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n describe directory(user_info.home) do\n it { should exist }\n its('owner') { should eq user_info.username }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204583.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204469.rb", "line": 1 
}, - "id": "SV-204583" + "id": "SV-204469" }, { - "title": "The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.", - "desc": "If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the\n number of repeating consecutive characters must not be more than three characters.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", "descriptions": { - "default": "If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.", - "check": "Verify the operating system audit records have proper permissions and ownership.\n\nList the full permissions and ownership of the audit log files with the following command.\n\n# ls -la /var/log/audit\ntotal 4512\ndrwx------. 2 root root 23 Apr 25 16:53 .\ndrwxr-xr-x. 17 root root 4096 Aug 9 13:09 ..\n-rw-------. 1 root root 8675309 Aug 9 12:54 audit.log\n\nAudit logs must be mode 0600 or less permissive.\nIf any are more permissive, this is a finding.\n\nThe owner and group owner of all audit log files must both be \"root\". If any other owner or group owner is listed, this is a finding.", - "fix": "Change the mode of the audit log files with the following command:\n\n# chmod 0600 [audit_file]\n\nChange the owner and group owner of the audit log files with the following command:\n\n# chown root:root [audit_file]" + "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "check": "The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new\n password.\n Check for the value of the \"maxrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep maxrepeat /etc/security/pwquality.conf\n maxrepeat = 3\n If the value of \"maxrepeat\" is set to more than \"3\", this is a finding.", + "fix": "Configure the operating system to require the change of the number of repeating consecutive characters\n when passwords are changed by setting the \"maxrepeat\" option.\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n maxrepeat = 3" }, "impact": 0.5, "refs": [], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029", - "SRG-OS-000206-GPOS-00084" + "legacy": [ + "SV-86539", + "V-71915" ], - "gid": "V-228564", - "rid": "SV-228564r606407_rule", - "stig_id": "RHEL-07-910055", - "fix_id": "F-23603r419770_fix", + "severity": "medium", + "gtitle": "SRG-OS-000072-GPOS-00040", + "gid": "V-204413", + "rid": "SV-204413r603261_rule", + "stig_id": "RHEL-07-010180", + "fix_id": "F-4537r88432_fix", "cci": [ - "CCI-000162", - "CCI-000163", - "CCI-000164", - "CCI-001314" + "CCI-000195" ], - "legacy": [], "nist": [ - "AU-9", - "SI-11 c", - "AU-9 a", - "SI-11 b" + "IA-5 (1) (b)" ], "subsystems": [ - "audit" + "pwquality", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-228564' do\n title 'The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.'\n desc 'If audit information were to become compromised, then forensic analysis and discovery of the true source 
of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.'\n desc 'check', 'Verify the operating system audit records have proper permissions and ownership.\n\nList the full permissions and ownership of the audit log files with the following command.\n\n# ls -la /var/log/audit\ntotal 4512\ndrwx------. 2 root root 23 Apr 25 16:53 .\ndrwxr-xr-x. 17 root root 4096 Aug 9 13:09 ..\n-rw-------. 1 root root 8675309 Aug 9 12:54 audit.log\n\nAudit logs must be mode 0600 or less permissive.\nIf any are more permissive, this is a finding.\n\nThe owner and group owner of all audit log files must both be \"root\". If any other owner or group owner is listed, this is a finding.'\n desc 'fix', 'Change the mode of the audit log files with the following command:\n\n# chmod 0600 [audit_file]\n\nChange the owner and group owner of the audit log files with the following command:\n\n# chown root:root [audit_file]'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029', 'SRG-OS-000206-GPOS-00084']\n tag gid: 'V-228564'\n tag rid: 'SV-228564r606407_rule'\n tag stig_id: 'RHEL-07-910055'\n tag fix_id: 'F-23603r419770_fix'\n tag cci: ['CCI-000162', 'CCI-000163', 'CCI-000164', 'CCI-001314']\n tag legacy: []\n tag nist: ['AU-9', 'SI-11 c', 'AU-9 a', 'SI-11 b']\n tag subsystems: ['audit']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe file(auditd_conf.log_file) do\n it { should_not 
be_more_permissive_than(input('max_audit_file_mode')) }\n its('group') { should cmp 'root' }\n its('owner') { should cmp 'root' }\n end\n end\nend\n", + "code": "control 'SV-204413' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the\n number of repeating consecutive characters must not be more than three characters.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', 'The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new\n password.\n Check for the value of the \"maxrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n # grep maxrepeat /etc/security/pwquality.conf\n maxrepeat = 3\n If the value of \"maxrepeat\" is set to more than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of the number of repeating consecutive characters\n when passwords are changed by setting the \"maxrepeat\" option.\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n maxrepeat = 3'\n impact 0.5\n tag legacy: ['SV-86539', 'V-71915']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-204413'\n tag rid: 'SV-204413r603261_rule'\n tag stig_id: 'RHEL-07-010180'\n tag fix_id: 'F-4537r88432_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe 
parse_config_file('/etc/security/pwquality.conf') do\n its('maxrepeat') { should cmp <= input('passwd_repeats') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-228564.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204413.rb", "line": 1 }, - "id": "SV-228564" + "id": "SV-204413" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that user and group account\n administration utilities are configured to store only encrypted representations of passwords.", - "desc": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", + "title": "The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces\n when the screensaver is activated.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", "descriptions": { - "default": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", - "check": "Verify the user and group account administration utilities are configured to store only encrypted\n representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is\n \"SHA512\".\n Check that the system is configured to create \"SHA512\" hashed passwords with the following command:\n # grep -i sha512 /etc/libuser.conf\n crypt_style = sha512\n If the \"crypt_style\" variable is not set to \"sha512\", is not in the defaults section, is commented out, or does not\n exist, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n Add or update the following line in \"/etc/libuser.conf\" in the [defaults] section:\n crypt_style = sha512" + "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "check": "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nIf GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:\n\n # grep -i lock-delay /etc/dconf/db/local.d/*\n lock-delay=uint32 5\n\nIf the \"lock-delay\" setting is missing, or is not set to \"5\" or less, this is a finding.", + "fix": "Configure the 
operating system to initiate a session lock for graphical user interfaces when a\n screensaver is activated.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Add the setting to enable session locking when a screensaver is activated:\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n The \"uint32\" must be included along with the integer key values as shown.\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "V-71923", - "SV-86547" + "V-71901", + "SV-86525" ], "severity": "medium", - "gtitle": "SRG-OS-000073-GPOS-00041", - "gid": "V-204417", - "rid": "SV-204417r877397_rule", - "stig_id": "RHEL-07-010220", - "fix_id": "F-4541r88444_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "gid": "V-204404", + "rid": "SV-204404r880788_rule", + "stig_id": "RHEL-07-010110", + "fix_id": "F-4528r880787_fix", "cci": [ - "CCI-000196" + "CCI-000057" ], "nist": [ - "IA-5 (1) (c)" + "AC-11 a" ], "subsystems": [ - "libuser_conf", - "password" + "gui", + "screensaver", + "lock", + "session" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204417' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that user and group account\n administration utilities are configured to store only encrypted representations of passwords.'\n desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.'\n desc 'check', 'Verify the user and group account administration utilities are configured to store only encrypted\n representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is\n \"SHA512\".\n Check that the system is configured to create \"SHA512\" hashed passwords with the following command:\n # grep -i sha512 /etc/libuser.conf\n crypt_style = sha512\n If the \"crypt_style\" variable is not set to \"sha512\", is not in the defaults section, is commented out, or does not\n exist, this is a finding.'\n desc 'fix', 'Configure the operating system to store only SHA512 encrypted representations of passwords.\n Add or update the following line in \"/etc/libuser.conf\" in the [defaults] section:\n crypt_style = sha512'\n impact 0.5\n tag legacy: ['V-71923', 'SV-86547']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-204417'\n tag rid: 'SV-204417r877397_rule'\n tag stig_id: 'RHEL-07-010220'\n tag fix_id: 'F-4541r88444_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag subsystems: ['libuser_conf', 'password']\n tag 'host'\n tag 'container'\n\n describe command('cat /etc/libuser.conf | grep -i sha512') do\n its('stdout.strip') { should match(/^crypt_style = sha512$/) }\n end\nend\n", + "code": "control 'SV-204404' do\n title 'The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces\n when the screensaver is activated.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's 
session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', 'Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nIf GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:\n\n # grep -i lock-delay /etc/dconf/db/local.d/*\n lock-delay=uint32 5\n\nIf the \"lock-delay\" setting is missing, or is not set to \"5\" or less, this is a finding.'\n desc 'fix', 'Configure the operating system to initiate a session lock for graphical user interfaces when a\n screensaver is activated.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Add the setting to enable session locking when a screensaver is activated:\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n The \"uint32\" must be included along with the integer key values as shown.\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.'\n impact 0.5\n tag legacy: ['V-71901', 'SV-86525']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204404'\n tag rid: 'SV-204404r880788_rule'\n tag stig_id: 'RHEL-07-010110'\n tag fix_id: 'F-4528r880787_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui', 'screensaver', 'lock', 'session']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command(\"gsettings get org.gnome.desktop.screensaver 
lock-delay | cut -d ' ' -f2\") do\n its('stdout.strip') { should cmp <= input('lock_delay') }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204417.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204404.rb", "line": 1 }, - "id": "SV-204417" + "id": "SV-204404" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only\n account having unrestricted access to the system.", - "desc": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that\n account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an\n opportunity for potential intruders to guess a password for a privileged account.", + "title": "The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package\n installed unless needed.", + "desc": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and\n integrity of user passwords or the remote session. If a privileged user were to log on using this service, the\n privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of\n this service.", "descriptions": { - "default": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that\n account unrestricted access to the entire operating system. 
Multiple accounts with a UID of \"0\" afford an\n opportunity for potential intruders to guess a password for a privileged account.", - "check": "Check the system for duplicate UID \"0\" assignments with the following command:\n # awk -F: '$3 == 0 {print $1}' /etc/passwd\n If any accounts other than root have a UID of \"0\", this is a finding.", - "fix": "Change the UID of any account on the system, other than root, that has a UID of \"0\".\n If the account is associated with system commands or applications, the UID should be changed to one greater than \"0\"\n but less than \"1000\". Otherwise, assign a UID of greater than \"1000\" that has not already been assigned." + "default": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and\n integrity of user passwords or the remote session. If a privileged user were to log on using this service, the\n privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of\n this service.", + "check": "Verify an FTP server has not been installed on the system.\n Check to see if an FTP server has been installed with the following commands:\n # yum list installed vsftpd\n vsftpd-3.0.2.el7.x86_64.rpm\n If \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational\n requirement, this is a finding.", + "fix": "Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system\n with the following command:\n # yum remove vsftpd" }, "impact": 0.7, "refs": [], "tags": { "legacy": [ - "SV-86629", - "V-72005" + "SV-86923", + "V-72299" ], "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204462", - "rid": "SV-204462r603261_rule", - "stig_id": "RHEL-07-020310", - "fix_id": "F-4586r88579_fix", + "gid": "V-204620", + "rid": "SV-204620r603261_rule", + "stig_id": "RHEL-07-040690", + "fix_id": "F-4744r89053_fix", "cci": [ 
"CCI-000366" ], 
@@ -8877,251 +8718,276 @@ "CM-6 b" ], "subsystems": [ - "accounts" + "vsftpd" ], "host": null, "container": null }, - "code": "control 'SV-204462' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only\n account having unrestricted access to the system.'\n desc 'If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that\n account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an\n opportunity for potential intruders to guess a password for a privileged account.'\n desc 'check', %q(Check the system for duplicate UID \"0\" assignments with the following command:\n # awk -F: '$3 == 0 {print $1}' /etc/passwd\n If any accounts other than root have a UID of \"0\", this is a finding.)\n desc 'fix', 'Change the UID of any account on the system, other than root, that has a UID of \"0\".\n If the account is associated with system commands or applications, the UID should be changed to one greater than \"0\"\n but less than \"1000\". Otherwise, assign a UID of greater than \"1000\" that has not already been assigned.'\n impact 0.7\n tag legacy: ['SV-86629', 'V-72005']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204462'\n tag rid: 'SV-204462r603261_rule'\n tag stig_id: 'RHEL-07-020310'\n tag fix_id: 'F-4586r88579_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['accounts']\n tag 'host'\n tag 'container'\n\n describe passwd.uids(0) do\n its('users') { should cmp 'root' }\n its('entries.length') { should eq 1 }\n end\nend\n", + "code": "control 'SV-204620' do\n title 'The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package\n installed unless needed.'\n desc 'The FTP service provides an unencrypted remote access that does not provide for the confidentiality and\n integrity of user passwords or the remote session. 
If a privileged user were to log on using this service, the\n privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of\n this service.'\n desc 'check', 'Verify an FTP server has not been installed on the system.\n Check to see if an FTP server has been installed with the following commands:\n # yum list installed vsftpd\n vsftpd-3.0.2.el7.x86_64.rpm\n If \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational\n requirement, this is a finding.'\n desc 'fix', 'Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system\n with the following command:\n # yum remove vsftpd'\n impact 0.7\n tag legacy: ['SV-86923', 'V-72299']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204620'\n tag rid: 'SV-204620r603261_rule'\n tag stig_id: 'RHEL-07-040690'\n tag fix_id: 'F-4744r89053_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['vsftpd']\n tag 'host'\n tag 'container'\n\n describe.one do\n describe package('vsftpd') do\n it { should_not be_installed }\n end\n describe parse_config_file('/etc/vsftpd/vsftpd.conf') do\n its('ssl_enable') { should cmp 'YES' }\n its('force_anon_data_ssl') { should cmp 'YES' }\n its('force_anon_logins_ssl') { should cmp 'YES' }\n its('force_local_data_ssl') { should cmp 'YES' }\n its('force_local_logins_ssl') { should cmp 'YES' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204462.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204620.rb", "line": 1 }, - "id": "SV-204462" + "id": "SV-204620" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module\n syscalls.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the 
events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "title": "The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of\n functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component\n Local Service Assessment (PPSM CLSA) and vulnerability assessments.", + "desc": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or\n unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols on information systems.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services provided by default may not be necessary to support essential organizational operations. 
Additionally, it\n is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so\n increases risk over limiting the services provided by any one component.\n To support the requirements and principles of least functionality, the operating system must support the\n organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct official business or to address authorized\n quality of life issues.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", - "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep init_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"init_module\" and \"finit_module\" syscalls, this is a finding.", - "fix": "Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or\n unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols on information systems.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services provided by default may not be necessary to support essential organizational operations. 
Additionally, it\n is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so\n increases risk over limiting the services provided by any one component.\n To support the requirements and principles of least functionality, the operating system must support the\n organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct official business or to address authorized\n quality of life issues.", + "check": "Inspect the firewall configuration and running services to verify that it is configured to prohibit\n or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.\n Check which services are currently active with the following command:\n # firewall-cmd --list-all\n public (default, active)\n interfaces: enp0s3\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match\n the PPSM CLSA.\n If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols,\n or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.", + "fix": "Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site\n or program and the PPSM CAL." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72187", - "SV-86811" + "V-72219", + "SV-86843" ], "severity": "medium", - "gtitle": "SRG-OS-000471-GPOS-00216", + "gtitle": "SRG-OS-000096-GPOS-00050", "satisfies": [ - "SRG-OS-000471-GPOS-00216", - "SRG-OS-000477-GPOS-00222" + "SRG-OS-000096-GPOS-00050", + "SRG-OS-000297-GPOS-00115" ], - "gid": "V-204560", - "rid": "SV-204560r833172_rule", - "stig_id": "RHEL-07-030820", - "fix_id": "F-4684r833171_fix", + "gid": "V-204577", + "rid": "SV-204577r861069_rule", + "stig_id": "RHEL-07-040100", + "fix_id": "F-4701r88924_fix", "cci": [ - "CCI-000172" + "CCI-000382", + "CCI-002314" ], "nist": [ - "AU-12 c" + "CM-7 b", + "AC-17 (1)" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "firewall", + "manual" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204560' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module\n syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', 'Verify the operating system generates audit records upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep init_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"init_module\" and \"finit_module\" syscalls, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72187', 'SV-86811']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00216'\n tag satisfies: ['SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-204560'\n tag rid: 'SV-204560r833172_rule'\n tag stig_id: 'RHEL-07-030820'\n tag fix_id: 'F-4684r833171_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['init_module', 'finit_module']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n 
audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('modulechange')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204577' do\n title 'The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of\n functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component\n Local Service Assessment (PPSM CLSA) and vulnerability assessments.'\n desc 'In order to prevent unauthorized connection of devices, unauthorized transfer of information, or\n unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols on information systems.\n Operating systems are capable of providing a wide variety of functions and services. Some of the functions and\n services provided by default may not be necessary to support essential organizational operations. 
Additionally, it\n is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so\n increases risk over limiting the services provided by any one component.\n To support the requirements and principles of least functionality, the operating system must support the\n organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct official business or to address authorized\n quality of life issues.'\n desc 'check', 'Inspect the firewall configuration and running services to verify that it is configured to prohibit\n or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.\n Check which services are currently active with the following command:\n # firewall-cmd --list-all\n public (default, active)\n interfaces: enp0s3\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n Ask the System Administrator for the site or program PPSM CLSA. 
Verify the services allowed by the firewall match\n the PPSM CLSA.\n If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols,\n or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.'\n desc 'fix', \"Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site\n or program and the PPSM CAL.\"\n impact 0.5\n tag legacy: ['V-72219', 'SV-86843']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000096-GPOS-00050'\n tag satisfies: ['SRG-OS-000096-GPOS-00050', 'SRG-OS-000297-GPOS-00115']\n tag gid: 'V-204577'\n tag rid: 'SV-204577r861069_rule'\n tag stig_id: 'RHEL-07-040100'\n tag fix_id: 'F-4701r88924_fix'\n tag cci: ['CCI-000382', 'CCI-002314']\n tag nist: ['CM-7 b', 'AC-17 (1)']\n tag subsystems: ['firewall', 'manual']\n tag 'host'\n tag 'container'\n\n if input('firewall_application_package') != ''\n describe 'Manual review of third-party firewall needed' do\n skip \"A manual review of firewall application \\'#{input('firewall_application_package')}\\' is needed to determine if it is properly configured\"\n end\n else\n\n firewalld_services_deny = input('firewalld_services_deny')\n firewalld_hosts_deny = input('firewalld_hosts_deny')\n firewalld_ports_deny = input('firewalld_ports_deny')\n firewalld_zones = input('firewalld_zones')\n iptables_rules = input('iptables_rules')\n\n if service('firewalld').running?\n\n # Check that the rules specified in 'firewalld_host_deny' are not enabled\n describe firewalld do\n firewalld_hosts_deny.each do |rule|\n it { should_not have_rule_enabled(rule) }\n end\n end\n\n # Check to make sure zones are specified\n if firewalld_zones.empty?\n describe \"Firewalld zones are not specified. Check 'firewalld_zones' input.\" do\n subject { firewalld_zones.empty? 
}\n it { should be false }\n end\n end\n\n # Check that the services specified in 'firewalld_services_deny' and\n # ports specified in 'firewalld_ports_deny' are not enabled\n firewalld_zones.each do |zone|\n if firewalld.has_zone?(zone)\n zone_services = firewalld_services_deny[zone.to_sym]\n zone_ports = firewalld_ports_deny[zone.to_sym]\n\n if !zone_services.nil?\n describe firewalld do\n zone_services.each do |serv|\n it { should_not have_service_enabled_in_zone(serv, zone) }\n end\n end\n else\n describe \"Services for zone '#{zone}' are not specified. Check 'firewalld_services_deny' input.\" do\n subject { zone_services.nil? }\n it { should be false }\n end\n end\n\n if !zone_ports.nil?\n describe firewalld do\n zone_ports.each do |port|\n it { should_not have_port_enabled_in_zone(port, zone) }\n end\n end\n else\n describe \"Ports for zone '#{zone}' are not specified. Check 'firewalld_ports_deny' input.\" do\n subject { zone_ports.nil? }\n it { should be false }\n end\n end\n else\n describe \"Firewalld zone '#{zone}' exists\" do\n subject { firewalld.has_zone?(zone) }\n it { should be true }\n end\n end\n end\n elsif service('iptables').running?\n describe iptables do\n iptables_rules.each do |rule|\n it { should have_rule(rule) }\n end\n end\n else\n describe 'An application firewall is running' do\n subject { service('firewalld').running? || service('iptables').running? 
}\n it { should eq true }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204560.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204577.rb", "line": 1 }, - "id": "SV-204560" + "id": "SV-204577" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts\n following a failed console logon attempt is at least four seconds.", - "desc": "Configuring the operating system to implement organization-wide security implementation guides and security\n checklists verifies compliance with federal standards and establishes a common security baseline across DoD that\n reflects the most restrictive security posture consistent with operational requirements.\n Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components\n of the system that affect the security posture and/or functionality of the system. Security-related parameters are\n those parameters impacting the security state of the system, including the parameters required to satisfy other\n security control requirements. Security-related parameters include, for example, registry settings; account, file,\n and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the\n /etc/sudoers.d/ directory.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.", "descriptions": { - "default": "Configuring the operating system to implement organization-wide security implementation guides and security\n checklists verifies compliance with federal standards and establishes a common security baseline across DoD that\n reflects the most restrictive security posture consistent with operational requirements.\n Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components\n of the system that affect the security posture and/or functionality of the system. Security-related parameters are\n those parameters impacting the security state of the system, including the parameters required to satisfy other\n security control requirements. Security-related parameters include, for example, registry settings; account, file,\n and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.", - "check": "Verify the operating system enforces a delay of at least four seconds between console logon prompts\n following a failed logon attempt.\n Check the value of the \"fail_delay\" parameter in the \"/etc/login.defs\" file with the following command:\n # grep -i fail_delay /etc/login.defs\n FAIL_DELAY 4\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to enforce a delay of at least four seconds between logon prompts\n following a failed console logon attempt.\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to \"4\" or greater:\n FAIL_DELAY 4" + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to access\n the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n Check for modification of the following files being audited by performing the following commands to check the file\n system rules in \"/etc/audit/audit.rules\":\n # grep -i \"/etc/sudoers\" /etc/audit/audit.rules\n -w /etc/sudoers -p wa -k privileged-actions\n # grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n If the commands do not return output that match the examples, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to\n access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/sudoers -p wa -k privileged-actions\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n The audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86575", - "V-71951" + "V-72163", + "SV-86787" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00226", - "gid": "V-204431", - "rid": "SV-204431r603261_rule", - "stig_id": "RHEL-07-010430", - "fix_id": "F-4555r88486_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-204549", + "rid": "SV-204549r853953_rule", + "stig_id": "RHEL-07-030700", + "fix_id": "F-4673r88840_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-3", + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)", + "AU-3 a" ], "subsystems": [ - "login_defs" + "audit", + "auditd", + "audit_rule" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204431' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts\n following a failed console logon attempt is at least four seconds.'\n desc \"Configuring the operating system to implement organization-wide security implementation guides and security\n checklists verifies compliance with federal standards and establishes a common security baseline across #{input('org_name')[:acronym]} that\n reflects the most restrictive security posture consistent with operational requirements.\n Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components\n of the system that affect the security posture and/or functionality of the system. Security-related parameters are\n those parameters impacting the security state of the system, including the parameters required to satisfy other\n security control requirements. 
Security-related parameters include, for example, registry settings; account, file,\n and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.\"\n desc 'check', 'Verify the operating system enforces a delay of at least four seconds between console logon prompts\n following a failed logon attempt.\n Check the value of the \"fail_delay\" parameter in the \"/etc/login.defs\" file with the following command:\n # grep -i fail_delay /etc/login.defs\n FAIL_DELAY 4\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce a delay of at least four seconds between logon prompts\n following a failed console logon attempt.\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to \"4\" or greater:\n FAIL_DELAY 4'\n impact 0.5\n tag legacy: ['SV-86575', 'V-71951']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00226'\n tag gid: 'V-204431'\n tag rid: 'SV-204431r603261_rule'\n tag stig_id: 'RHEL-07-010430'\n tag fix_id: 'F-4555r88486_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['login_defs']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('FAIL_DELAY') { should cmp >= input('fail_delay') }\n its('FAIL_DELAY') { should_not be_nil }\n end\nend\n", + "code": "control 'SV-204549' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the\n /etc/sudoers.d/ directory.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to access\n the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n Check for modification of the following files being audited by performing the following commands to check the file\n system rules in \"/etc/audit/audit.rules\":\n # grep -i \"/etc/sudoers\" /etc/audit/audit.rules\n -w /etc/sudoers -p wa -k privileged-actions\n # grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n If the commands do not return output that match the examples, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to\n access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/sudoers -p wa -k privileged-actions\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72163', 'SV-86787']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204549'\n tag rid: 'SV-204549r853953_rule'\n tag stig_id: 'RHEL-07-030700'\n tag fix_id: 'F-4673r88840_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_commands = ['/etc/sudoers', '/etc/sudoers.d/']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on 
the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n audit_commands.each do |audit_command|\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'privileged-actions'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204431.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204549.rb", "line": 1 }, - "id": "SV-204431" + "id": "SV-204549" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs)\n referenced in the /etc/passwd file are defined in the /etc/group file.", - "desc": "If a user is assigned the GID of a group not existing on the system, and a group with the GID is\n subsequently created, the user may have unintended rights to any files associated with the group.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files\n have mode 0740 or less permissive.", + "desc": "Local initialization files are used to configure the user's shell environment upon logon. 
Malicious\n modification of these files could compromise accounts upon logon.", "descriptions": { - "default": "If a user is assigned the GID of a group not existing on the system, and a group with the GID is\n subsequently created, the user may have unintended rights to any files associated with the group.", - "check": "Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the \"/etc/group\" file.\n Check that all referenced GIDs exist with the following command:\n # pwck -r\n If GIDs referenced in \"/etc/passwd\" file are returned as not defined in \"/etc/group\" file, this is a finding.", - "fix": "Configure the system to define all GIDs found in the \"/etc/passwd\" file by modifying the \"/etc/group\"\n file to add any non-existent group referenced in the \"/etc/passwd\" file, or change the GIDs referenced in the\n \"/etc/passwd\" file to a group that exists in \"/etc/group\"." + "default": "Local initialization files are used to configure the user's shell environment upon logon. 
Malicious\n modification of these files could compromise accounts upon logon.", + "check": "Verify that all local initialization files have a mode of \"0740\" or less permissive.\n Check the mode on all local initialization files with the following command:\n Note: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n # ls -al /home/smithj/.[^.]* | more\n -rwxr----- 1 smithj users 896 Mar 10 2011 .profile\n -rwxr----- 1 smithj users 497 Jan 6 2007 .login\n -rwxr----- 1 smithj users 886 Jan 6 2007 .something\n If any local initialization files have a mode more permissive than \"0740\", this is a finding.", + "fix": "Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the \"smithj\" user, who has a home directory\nof \"/home/smithj\".\n\n # chmod 0740 /home/smithj/.[^.]*" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72003", - "SV-86627" + "SV-86657", + "V-72033" ], - "severity": "low", - "gtitle": "SRG-OS-000104-GPOS-00051", - "gid": "V-204461", - "rid": "SV-204461r603261_rule", - "stig_id": "RHEL-07-020300", - "fix_id": "F-4585r88576_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204476", + "rid": "SV-204476r603261_rule", + "stig_id": "RHEL-07-020710", + "fix_id": "F-4600r88621_fix", "cci": [ - "CCI-000764" + "CCI-000366" ], "nist": [ - "IA-2" + "CM-6 b" ], "subsystems": [ - "accounts" + "init_files" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204461' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs)\n referenced in the /etc/passwd file are defined in the /etc/group file.'\n desc 'If a user is assigned the GID of a group not existing on the system, and a group with the GID is\n subsequently created, the user may have unintended rights to any files associated with the group.'\n desc 'check', 
'Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the \"/etc/group\" file.\n Check that all referenced GIDs exist with the following command:\n # pwck -r\n If GIDs referenced in \"/etc/passwd\" file are returned as not defined in \"/etc/group\" file, this is a finding.'\n desc 'fix', 'Configure the system to define all GIDs found in the \"/etc/passwd\" file by modifying the \"/etc/group\"\n file to add any non-existent group referenced in the \"/etc/passwd\" file, or change the GIDs referenced in the\n \"/etc/passwd\" file to a group that exists in \"/etc/group\".'\n impact 0.3\n tag legacy: ['V-72003', 'SV-86627']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000104-GPOS-00051'\n tag gid: 'V-204461'\n tag rid: 'SV-204461r603261_rule'\n tag stig_id: 'RHEL-07-020300'\n tag fix_id: 'F-4585r88576_fix'\n tag cci: ['CCI-000764']\n tag nist: ['IA-2']\n tag subsystems: ['accounts']\n tag 'host'\n tag 'container'\n\n describe 'All group identifiers in /etc/passwd' do\n it 'should be defined in /etc/groups' do\n expect(passwd.gids.map { |gid| gid.to_i }).to all(be_in etc_group.gids),\n \"missing gids: #{passwd.gids.select { |gid| !etc_group.gids.include?(gid.to_i) }}\"\n end\n end\nend\n", + "code": "control 'SV-204476' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local initialization files\n have mode 0740 or less permissive.'\n desc \"Local initialization files are used to configure the user's shell environment upon logon. 
Malicious\n modification of these files could compromise accounts upon logon.\"\n desc 'check', 'Verify that all local initialization files have a mode of \"0740\" or less permissive.\n Check the mode on all local initialization files with the following command:\n Note: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n # ls -al /home/smithj/.[^.]* | more\n -rwxr----- 1 smithj users 896 Mar 10 2011 .profile\n -rwxr----- 1 smithj users 497 Jan 6 2007 .login\n -rwxr----- 1 smithj users 886 Jan 6 2007 .something\n If any local initialization files have a mode more permissive than \"0740\", this is a finding.'\n desc 'fix', 'Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the \"smithj\" user, who has a home directory\nof \"/home/smithj\".\n\n # chmod 0740 /home/smithj/.[^.]*'\n impact 0.5\n tag legacy: ['SV-86657', 'V-72033']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204476'\n tag rid: 'SV-204476r603261_rule'\n tag stig_id: 'RHEL-07-020710'\n tag fix_id: 'F-4600r88621_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['init_files']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n findings += command(\"find #{user_info.home} -xdev -maxdepth 1 -name '.*' -type f -perm -#{input('init_files_mode')}\").stdout.split(\"\\n\")\n end\n describe findings do\n it { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204461.rb", + "ref": 
"./Red Hat 7 STIG/controls/SV-204476.rb", "line": 1 }, - "id": "SV-204461" + "id": "SV-204476" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit\n Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.", - "desc": "GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing\n GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the\n system. GSSAPI authentication must be disabled unless needed.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is\n configured to store only encrypted representations of passwords.", + "desc": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", "descriptions": { - "default": "GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing\n GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the\n system. 
GSSAPI authentication must be disabled unless needed.", - "check": "Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n Check that the SSH daemon does not permit GSSAPI authentication with the following command:\n # grep -i gssapiauth /etc/ssh/sshd_config\n GSSAPIAuthentication no\n If the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System\n Security Officer (ISSO), or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"no\":\n GSSAPIAuthentication no\n The SSH service must be restarted for changes to take effect.\n If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with\n the ISSO." + "default": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.", + "check": "Verify the PAM system service is configured to store only encrypted representations of passwords.\n The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n Check that the system is configured to create SHA512 hashed passwords with the following command:\n # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n Outcome should look like following:\n /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n If the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" configuration files allow for password hashes other\n than SHA512 to be used, this is a finding.", + "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd the following line in \"/etc/pam.d/system-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\nAdd the following line in \"/etc/pam.d/password-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72259", - "SV-86883" + "V-71919", + "SV-86543" ], "severity": "medium", - "gtitle": "SRG-OS-000364-GPOS-00151", - "gid": "V-204598", - "rid": "SV-204598r853993_rule", - "stig_id": "RHEL-07-040430", - "fix_id": "F-4722r88987_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-204415", + "rid": "SV-204415r880833_rule", + "stig_id": "RHEL-07-010200", + "fix_id": "F-4539r880832_fix", "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" + "CCI-000196" ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1)", - "CM-5 (1) (a)" + "IA-5 (1) (c)" ], "subsystems": [ - "ssh" + "pam", + "password" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204598' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit\n Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.'\n desc \"GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing\n GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the\n system. 
GSSAPI authentication must be disabled unless needed.\"\n desc 'check', 'Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n Check that the SSH daemon does not permit GSSAPI authentication with the following command:\n # grep -i gssapiauth /etc/ssh/sshd_config\n GSSAPIAuthentication no\n If the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System\n Security Officer (ISSO), or the returned line is commented out, this is a finding.'\n desc 'fix', 'Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"no\":\n GSSAPIAuthentication no\n The SSH service must be restarted for changes to take effect.\n If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with\n the ISSO.'\n impact 0.5\n tag legacy: ['V-72259', 'SV-86883']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000364-GPOS-00151'\n tag gid: 'V-204598'\n tag rid: 'SV-204598r853993_rule'\n tag stig_id: 'RHEL-07-040430'\n tag fix_id: 'F-4722r88987_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif input('gssapi_approved')\n describe sshd_config do\n its('GSSAPIAuthentication') { should cmp 'no' }\n end\n else\n impact 0.0\n describe 'GSSAPI authentication is not approved' do\n skip 'GSSAPI authentication is not approved, this control is Not Applicable.'\n end\n end\nend\n", + 
"code": "control 'SV-204415' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is\n configured to store only encrypted representations of passwords.'\n desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.\n If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords\n encrypted with a weak algorithm are no more protected than if they are kept in plain text.'\n desc 'check', 'Verify the PAM system service is configured to store only encrypted representations of passwords.\n The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n Check that the system is configured to create SHA512 hashed passwords with the following command:\n # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n Outcome should look like following:\n /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n If the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" configuration files allow for password hashes other\n than SHA512 to be used, this is a finding.'\n desc 'fix', 'Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd the following line in \"/etc/pam.d/system-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\nAdd the following line in \"/etc/pam.d/password-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.'\n impact 0.5\n tag legacy: ['V-71919', 'SV-86543']\n tag severity: 'medium'\n tag 
gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-204415'\n tag rid: 'SV-204415r880833_rule'\n tag stig_id: 'RHEL-07-010200'\n tag fix_id: 'F-4539r880832_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag subsystems: ['pam', 'password']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule('password sufficient pam_unix.so sha512') }\n its('lines') { should_not match_pam_rule('password .* pam_unix.so (md5|bigcrypt|sha256|blowfish)') }\n end\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should match_pam_rule('password sufficient pam_unix.so sha512') }\n its('lines') { should_not match_pam_rule('password .* pam_unix.so (md5|bigcrypt|sha256|blowfish)') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204598.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204415.rb", "line": 1 }, - "id": "SV-204598" + "id": "SV-204415" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.", - "desc": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the\n purpose of sending spam or other unauthorized activity.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the\n purpose of sending spam or other unauthorized activity.", - "check": "Verify the system is configured to prevent unrestricted mail relaying.\n Determine if \"postfix\" is installed with the following commands:\n # yum list installed postfix\n postfix-2.6.6-6.el7.x86_64.rpm\n If postfix is not installed, this is Not Applicable.\n If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with\n the following command:\n # postconf -n smtpd_client_restrictions\n smtpd_client_restrictions = permit_mynetworks, reject\n If the \"smtpd_client_restrictions\" parameter contains any entries other than \"permit_mynetworks\" and \"reject\", this\n is a finding.", - "fix": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to restrict client connections to\n the local network with the following command:\n # postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/newgrp\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86921", - "V-72297" + "V-72165", + "SV-86789" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204619", - "rid": "SV-204619r603261_rule", - "stig_id": "RHEL-07-040680", - "fix_id": "F-4743r89050_fix", + "gtitle": "SRG-OS-000037-GPOS-00015", + "satisfies": [ + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-204550", + "rid": "SV-204550r861047_rule", + "stig_id": "RHEL-07-030710", + "fix_id": "F-4674r861046_fix", "cci": [ - "CCI-000366" + "CCI-000130", + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-3", + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)", + "AU-3 a" ], "subsystems": [ - "postfix" + "audit", + "auditd", + "audit_rule" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204619' do\n title 'The Red Hat Enterprise Linux 
operating system must be configured to prevent unrestricted mail relaying.'\n desc 'If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the\n purpose of sending spam or other unauthorized activity.'\n desc 'check', 'Verify the system is configured to prevent unrestricted mail relaying.\n Determine if \"postfix\" is installed with the following commands:\n # yum list installed postfix\n postfix-2.6.6-6.el7.x86_64.rpm\n If postfix is not installed, this is Not Applicable.\n If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with\n the following command:\n # postconf -n smtpd_client_restrictions\n smtpd_client_restrictions = permit_mynetworks, reject\n If the \"smtpd_client_restrictions\" parameter contains any entries other than \"permit_mynetworks\" and \"reject\", this\n is a finding.'\n desc 'fix', %q(If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to restrict client connections to\n the local network with the following command:\n # postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject')\n impact 0.5\n tag legacy: ['SV-86921', 'V-72297']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204619'\n tag rid: 'SV-204619r603261_rule'\n tag stig_id: 'RHEL-07-040680'\n tag fix_id: 'F-4743r89050_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['postfix']\n tag 'host'\n tag 'container'\n\n if package('postfix').installed?\n options = { assignment_regex: /^\\s*([^=]*?)\\s*=\\s*(.*?)\\s*$/ }\n\n if defined? 
parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions']\n pf_config = parse_config_file('/etc/postfix/main.cf', options).params['smtpd_client_restrictions'].split(',')\n end\n\n describe 'Postfix config setting smptd_client_restrictions' do\n it \"should be set to 'permit_mynetworks', 'reject', or both\" do\n expect(pf_config).to all satisfy { |x| ['permit_mynetworks', 'reject'].include?(x) }\n end\n end\n else\n describe 'The `postfix` package is not installed' do\n skip 'The `postfix` package is not installed, this control is Not Applicable'\n end\n end\nend\n", + "code": "control 'SV-204550' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/newgrp\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72165', 'SV-86789']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204550'\n tag rid: 'SV-204550r861047_rule'\n tag stig_id: 'RHEL-07-030710'\n tag fix_id: 'F-4674r861046_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/newgrp'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n 
expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204619.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204550.rb", "line": 1 }, - "id": "SV-204619" + "id": "SV-204550" }, { - "title": "The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirect messages.", - "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message\n could result in a man-in-the-middle attack.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is\n configured to use RPCSEC_GSS.", + "desc": "When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle\n requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The\n RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate\n the remote mount request.", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message\n could result in a man-in-the-middle attack.", - "check": "Verify the system ignores IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_redirects\n net.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Set the system to ignore IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" + "default": "When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle\n requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. 
The\n RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate\n the remote mount request.", + "check": "Verify \"AUTH_GSS\" is being used to authenticate NFS mounts.\n To check if the system is importing an NFS file system, look for any entries in the \"/etc/fstab\" file that have a\n file system type of \"nfs\" with the following command:\n # cat /etc/fstab | grep nfs\n 192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n If the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the\n \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding.", + "fix": "Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the\n \"sec\" option does not have the \"sys\" setting.\n Ensure the \"sec\" option is defined as \"krb5:krb5i:krb5p\"." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-87827", - "V-73175" + "SV-86935", + "V-72311" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204615", - "rid": "SV-204615r880815_rule", - "stig_id": "RHEL-07-040641", - "fix_id": "F-4739r880814_fix", + "gid": "V-204626", + "rid": "SV-204626r603261_rule", + "stig_id": "RHEL-07-040750", + "fix_id": "F-4750r89071_fix", "cci": [ "CCI-000366" ], 
@@ -9129,304 +8995,350 @@ "CM-6 b" ], "subsystems": [ - "kernel_parameter", - "ipv4" + "nfs", + "etc_fstab" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204615' do\n title 'The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet\n Control Message Protocol (ICMP) redirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular\n destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message\n could result in a man-in-the-middle attack.\"\n desc 'check', 'Verify the system ignores IPv4 ICMP redirect messages.\n\n # grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_redirects\n net.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to ignore IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['SV-87827', 'V-73175']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204615'\n tag rid: 'SV-204615r880815_rule'\n tag stig_id: 
'RHEL-07-040641'\n tag fix_id: 'F-4739r880814_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n accept_redirects = 0\n config_file_values = command('grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [accept_redirects.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set accept_redirects to #{accept_redirects}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter net.ipv4.conf.all.accept_redirects' do\n subject { kernel_parameter('net.ipv4.conf.all.accept_redirects') }\n its('value') { should eq accept_redirects }\n end\n end\nend\n", + "code": "control 'SV-204626' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is\n configured to use RPCSEC_GSS.'\n desc 'When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle\n requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. 
The\n RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate\n the remote mount request.'\n desc 'check', 'Verify \"AUTH_GSS\" is being used to authenticate NFS mounts.\n To check if the system is importing an NFS file system, look for any entries in the \"/etc/fstab\" file that have a\n file system type of \"nfs\" with the following command:\n # cat /etc/fstab | grep nfs\n 192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n If the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the\n \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding.'\n desc 'fix', 'Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the\n \"sec\" option does not have the \"sys\" setting.\n Ensure the \"sec\" option is defined as \"krb5:krb5i:krb5p\".'\n impact 0.5\n tag legacy: ['SV-86935', 'V-72311']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204626'\n tag rid: 'SV-204626r603261_rule'\n tag stig_id: 'RHEL-07-040750'\n tag fix_id: 'F-4750r89071_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['nfs', 'etc_fstab']\n tag 'host'\n tag 'container'\n\n nfs_systems = etc_fstab.nfs_file_systems.entries\n if !nfs_systems.nil? and !nfs_systems.empty?\n nfs_systems.each do |file_system|\n describe file_system do\n its('mount_options') { should include 'sec=krb5:krb5i:krb5p' }\n end\n end\n else\n describe 'No NFS file systems were found.' do\n subject { nfs_systems.nil? or nfs_systems.empty? 
}\n it { should eq true }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204615.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204626.rb", "line": 1 }, - "id": "SV-204615" + "id": "SV-204626" }, { - "title": "The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.", - "desc": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit\n Kerberos authentication unless needed.", + "desc": "Kerberos authentication for SSH is often implemented using Generic Security Service Application Program\n Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's\n Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to\n exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be\n disabled for systems not using this capability.", "descriptions": { - "default": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. 
This prevents remote hosts from connecting to the proxy display.", - "check": "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the SSH X11UseLocalhost setting with the following command:\n\n# sudo grep -i x11uselocalhost /etc/ssh/sshd_config\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11UseLocalhost yes" + "default": "Kerberos authentication for SSH is often implemented using Generic Security Service Application Program\n Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's\n Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to\n exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be\n disabled for systems not using this capability.", + "check": "Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n # grep -i kerberosauth /etc/ssh/sshd_config\n KerberosAuthentication no\n If the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information\n System Security Officer (ISSO), or the returned line is commented out, this is a finding.", + "fix": "Uncomment the \"KerberosAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"no\":\n KerberosAuthentication no\n The SSH service must be restarted for changes to take effect.\n If Kerberos authentication is required, it must be documented, to include the location of the configuration file,\n with the ISSO." 
}, "impact": 0.5, "refs": [], "tags": { + "legacy": [ + "V-72261", + "SV-86885" + ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "satisfies": null, - "gid": "V-233307", - "rid": "SV-233307r603301_rule", - "stig_id": "RHEL-07-040711", - "fix_id": "F-36466r622234_fix", + "gtitle": "SRG-OS-000364-GPOS-00151", + "gid": "V-204599", + "rid": "SV-204599r853994_rule", + "stig_id": "RHEL-07-040440", + "fix_id": "F-4723r88990_fix", "cci": [ - "CCI-000366" + "CCI-000318", + "CCI-000368", + "CCI-001812", + "CCI-001813", + "CCI-001814" ], - "legacy": [], "nist": [ - "CM-6 b" + "CM-3 f", + "CM-6 c", + "CM-11 (2)", + "CM-5 (1)", + "CM-5 (1) (a)" ], "subsystems": [ "ssh" ], "host": null }, - "code": "control 'SV-233307' do\n title 'The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.'\n desc 'When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. 
This prevents remote hosts from connecting to the proxy display.'\n desc 'check', 'Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the SSH X11UseLocalhost setting with the following command:\n\n# sudo grep -i x11uselocalhost /etc/ssh/sshd_config\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11UseLocalhost yes'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-233307'\n tag rid: 'SV-233307r603301_rule'\n tag stig_id: 'RHEL-07-040711'\n tag fix_id: 'F-36466r622234_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('X11UseLocalhost') { should eq 'yes' }\n end\n end\nend\n", + "code": "control 'SV-204599' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit\n Kerberos authentication unless needed.'\n desc \"Kerberos authentication for SSH is often implemented using Generic Security Service Application Program\n Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's\n Kerberos implementation. 
Vulnerabilities in the system's Kerberos implementation may then be subject to\n exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be\n disabled for systems not using this capability.\"\n desc 'check', 'Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n # grep -i kerberosauth /etc/ssh/sshd_config\n KerberosAuthentication no\n If the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information\n System Security Officer (ISSO), or the returned line is commented out, this is a finding.'\n desc 'fix', 'Uncomment the \"KerberosAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and\n set the value to \"no\":\n KerberosAuthentication no\n The SSH service must be restarted for changes to take effect.\n If Kerberos authentication is required, it must be documented, to include the location of the configuration file,\n with the ISSO.'\n impact 0.5\n tag legacy: ['V-72261', 'SV-86885']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000364-GPOS-00151'\n tag gid: 'V-204599'\n tag rid: 'SV-204599r853994_rule'\n tag stig_id: 'RHEL-07-040440'\n tag fix_id: 'F-4723r88990_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n 
its('KerberosAuthentication') { should cmp 'no' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-233307.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204599.rb", "line": 1 }, - "id": "SV-233307" + "id": "SV-204599" }, { - "title": "The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.", - "desc": "Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.", + "title": "The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all\n accounts and/or account types.", + "desc": "Operating system management includes the ability to control the number of users and user sessions that\n utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the\n risks related to DoS attacks.\n This requirement addresses concurrent sessions for information system accounts and does not address concurrent\n sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined\n based on mission needs and the operational environment for each system.", "descriptions": { - "default": "Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.", - "check": "Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in\n conjunction with SELinux.\n Verify the operating system verifies correct operation of all security functions.\n Check if \"SELinux\" is active and is enforcing the targeted policy with the following command:\n # sestatus\n SELinux status: enabled\n SELinuxfs mount: /selinux\n SELinux root directory: /etc/selinux\n Loaded policy name: targeted\n Current mode: enforcing\n Mode from config file: enforcing\n Policy MLS status: enabled\n Policy deny_unknown status: allowed\n Max kernel policy version: 28\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n Verify that the /etc/selinux/config file is configured to the \"SELINUXTYPE\" to \"targeted\":\n # grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n SELINUXTYPE = targeted\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\", this is a finding.", - "fix": "Configure the operating system to verify correct operation of all security 
functions.\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the \"/etc/selinux/config\" file to have the following\n line:\n SELINUXTYPE=targeted\n A reboot is required for the changes to take effect." + "default": "Operating system management includes the ability to control the number of users and user sessions that\n utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the\n risks related to DoS attacks.\n This requirement addresses concurrent sessions for information system accounts and does not address concurrent\n sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined\n based on mission needs and the operational environment for each system.", + "check": "Verify the operating system limits the number of concurrent sessions to '10' for all accounts and/or\n account types by issuing the following command:\n # grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n * hard maxlogins 10\n This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n If the \"maxlogins\" item is missing, commented out, or the value is not set to '10' or less for all domains that have\n the \"maxlogins\" item assigned, this is a finding.", + "fix": "Configure the operating system to limit the number of concurrent sessions to '10' for all accounts\n and/or account types.\n Add the following line to the top of the /etc/security/limits.conf or in a \".conf\" file defined in\n /etc/security/limits.d/ :\n * hard maxlogins 10" }, - "impact": 0.5, + "impact": 0.3, "refs": [], "tags": { "legacy": [ - "V-71991", - "SV-86615" + "V-72217", + "SV-86841" ], - "severity": "medium", - "gtitle": "SRG-OS-000445-GPOS-00199", - "gid": "V-204454", - "rid": "SV-204454r853896_rule", - "stig_id": "RHEL-07-020220", - "fix_id": "F-36307r602631_fix", + "severity": "low", + "gtitle": "SRG-OS-000027-GPOS-00008", + 
"gid": "V-204576", + "rid": "SV-204576r877399_rule", + "stig_id": "RHEL-07-040000", + "fix_id": "F-4700r88921_fix", "cci": [ - "CCI-002165", - "CCI-002696" + "CCI-000054" ], "nist": [ - "AC-3 (4)", - "SI-6 a" + "AC-10" ], "subsystems": [ - "selinux" + "session" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204454' do\n title 'The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.'\n desc 'Without verification of the security functions, security functions may not operate correctly and the failure\n may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system\n responsible for enforcing the system security policy and supporting the isolation of code and data on which the\n protection is based. Security functionality includes, but is not limited to, establishing system accounts,\n configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting\n intrusion detection parameters.\n This requirement applies to operating systems performing security function verification/testing and/or systems and\n environments that require this functionality.'\n desc 'check', %q(Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in\n conjunction with SELinux.\n Verify the operating system verifies correct operation of all security functions.\n Check if \"SELinux\" is active and is enforcing the targeted policy with the following command:\n # sestatus\n SELinux status: enabled\n SELinuxfs mount: /selinux\n SELinux root directory: /etc/selinux\n Loaded policy name: targeted\n Current mode: enforcing\n Mode from config file: enforcing\n Policy MLS status: enabled\n Policy deny_unknown status: allowed\n Max kernel policy version: 28\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n Verify that the /etc/selinux/config file is configured to the 
\"SELINUXTYPE\" to \"targeted\":\n # grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n SELINUXTYPE = targeted\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\", this is a finding.)\n desc 'fix', 'Configure the operating system to verify correct operation of all security functions.\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the \"/etc/selinux/config\" file to have the following\n line:\n SELINUXTYPE=targeted\n A reboot is required for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-71991', 'SV-86615']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag gid: 'V-204454'\n tag rid: 'SV-204454r853896_rule'\n tag stig_id: 'RHEL-07-020220'\n tag fix_id: 'F-36307r602631_fix'\n tag cci: ['CCI-002165', 'CCI-002696']\n tag nist: ['AC-3 (4)', 'SI-6 a']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SELinux settings must be handled on host' do\n skip 'Control not applicable - SELinux settings must be handled on host'\n end\n else\n describe command('sestatus') do\n its('stdout') { should match(/^Loaded\\spolicy\\sname:\\s+targeted\\n?$/) }\n end\n describe parse_config_file('/etc/selinux/config') do\n its('SELINUXTYPE') { should eq 'targeted' }\n end\n end\nend\n", + "code": "control 'SV-204576' do\n title \"The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to #{input('maxlogins_limit')} for all\n accounts and/or account types.\"\n desc \"Operating system management includes the ability to control the number of users and user sessions that\n utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the\n risks related to DoS attacks.\n This requirement addresses concurrent sessions for information system accounts and does not address concurrent\n sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined\n based on mission needs and the operational environment for each system.\"\n desc 'check', \"Verify the operating system limits the number of concurrent sessions to '#{input('maxlogins_limit')}' for all accounts and/or\n account types by issuing the following command:\n # grep \\\"maxlogins\\\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n * hard maxlogins #{input('maxlogins_limit')}\n This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n If the \\\"maxlogins\\\" item is missing, commented out, or the value is not set to '#{input('maxlogins_limit')}' or less for all domains that have\n the \\\"maxlogins\\\" item assigned, this is a finding.\"\n desc 'fix', \"Configure the operating system to limit the number of concurrent sessions to '#{input('maxlogins_limit')}' for all accounts\n and/or account types.\n Add the following line to the top of the /etc/security/limits.conf or in a \\\".conf\\\" file defined in\n /etc/security/limits.d/ :\n * hard maxlogins #{input('maxlogins_limit')}\"\n impact 0.3\n tag legacy: ['V-72217', 'SV-86841']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000027-GPOS-00008'\n tag gid: 'V-204576'\n tag rid: 'SV-204576r877399_rule'\n tag stig_id: 'RHEL-07-040000'\n tag fix_id: 'F-4700r88921_fix'\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n tag subsystems: ['session']\n tag 'host'\n tag 'container'\n\n maxlogins_limit = input('maxlogins_limit')\n\n # Collect any files under limits.d if they exist\n limits_files = directory('/etc/security/limits.d').exist? ? 
command('ls /etc/security/limits.d/*.conf').stdout.strip.lines : []\n # Add limits.conf to the list\n limits_files.push('/etc/security/limits.conf')\n compliant_files = []\n noncompliant_files = []\n\n limits_files.each do |limits_file|\n # Get any universal limits from each file\n local_limits = limits_conf(limits_file).*\n # If we got an array (results) check further\n next unless local_limits.is_a?(Array)\n\n local_limits.each do |temp_limit|\n # For each result check if it is a 'hard' limit for 'maxlogins'\n if temp_limit.include?('hard') && temp_limit.include?('maxlogins')\n # If the limit is correct, push to compliant files\n if temp_limit[-1].to_i <= maxlogins_limit\n compliant_files.push(limits_file)\n # Otherwise add to noncompliant files\n else\n noncompliant_files.push(limits_file)\n end\n end\n end\n end\n\n # It is required that at least 1 file contain compliant configuration\n describe \"Files configuring maxlogins less than or equal to #{maxlogins_limit}\" do\n subject { compliant_files.length }\n it { should be_positive }\n end\n\n # No files should set 'hard' 'maxlogins' to any noncompliant value\n describe \"Files configuring maxlogins greater than #{maxlogins_limit}\" do\n subject { noncompliant_files }\n it { should cmp [] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204454.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204576.rb", "line": 1 }, - "id": "SV-204454" + "id": "SV-204576" }, { - "title": "The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.", - "desc": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. 
Host-based\n authentication is not sufficient for preventing unauthorized access to the system, as it does not require\n interactive identification and authentication of a connection request, or for the use of two-factor authentication.", + "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent\n Banner immediately prior to, or as part of, remote access logon prompts.", + "desc": "Display of a standardized and approved use notification before granting access to the publicly accessible\n operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws,\n Executive Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", "descriptions": { - "default": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based\n authentication is not sufficient for preventing unauthorized access to the system, as it does not require\n interactive identification and authentication of a connection request, or for the use of two-factor authentication.", - "check": "Verify there are no \"shosts.equiv\" files on the system.\n Check the system for the existence of these files with the following command:\n # find / -name shosts.equiv\n If any \"shosts.equiv\" files are found on the system, this is a finding.", - "fix": "Remove any found \"shosts.equiv\" files from the system.\n # rm /[path]/[to]/[file]/shosts.equiv" + "default": "Display of a standardized and approved use notification before granting access to the publicly accessible\n operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws,\n Executive Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "check": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory\n DoD Notice and Consent Banner before granting access to the system.\n Check for the location of the banner file being used with the following command:\n # grep -i banner /etc/ssh/sshd_config\n banner /etc/issue\n This command will return the banner keyword and the name of the file that contains the ssh banner (in this case\n \"/etc/issue\").\n If the line is commented out, this is a finding.\n View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice\n and Consent Banner:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD\n Notice and Consent Banner, this is a finding.\n If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.", + "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before\n granting access to the system via the ssh.\n Edit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will\n contain the logon banner (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor). 
An example configuration line is:\n banner /etc/issue\n Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice\n and Consent Banner. The DoD required text is:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n The SSH service must be restarted for changes to take effect." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86903", - "V-72279" + "V-72225", + "SV-86849" ], - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204607", - "rid": "SV-204607r603261_rule", - "stig_id": "RHEL-07-040550", - "fix_id": "F-4731r89014_fix", + "severity": "medium", + "gtitle": "SRG-OS-000023-GPOS-00006", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000024-GPOS-00007", + "SRG-OS-000228-GPOS-00088" + ], + "gid": "V-204580", + "rid": "SV-204580r603261_rule", + "stig_id": "RHEL-07-040170", + "fix_id": "F-4704r297486_fix", "cci": [ - "CCI-000366" + "CCI-000048", + "CCI-000050", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" ], "nist": [ - "CM-6 b" + "AC-8 a", + "AC-8 b", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 2", + "AC-8 c 3" ], "subsystems": [ - "ssh" + "ssh", + "banner" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204607' do\n title 'The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.'\n desc 'The shosts.equiv files are used to configure host-based authentication for the system via SSH. 
Host-based\n authentication is not sufficient for preventing unauthorized access to the system, as it does not require\n interactive identification and authentication of a connection request, or for the use of two-factor authentication.'\n desc 'check', 'Verify there are no \"shosts.equiv\" files on the system.\n Check the system for the existence of these files with the following command:\n # find / -name shosts.equiv\n If any \"shosts.equiv\" files are found on the system, this is a finding.'\n desc 'fix', 'Remove any found \"shosts.equiv\" files from the system.\n # rm /[path]/[to]/[file]/shosts.equiv'\n impact 0.7\n tag legacy: ['SV-86903', 'V-72279']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204607'\n tag rid: 'SV-204607r603261_rule'\n tag stig_id: 'RHEL-07-040550'\n tag fix_id: 'F-4731r89014_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe command('find / -xdev -xautofs -name shosts.equiv') do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-204580' do\n title \"The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent\n Banner immediately prior to, or as part of, remote access logon prompts.\"\n desc \"Display of a standardized and approved use notification before granting access to the publicly accessible\n operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws,\n Executive Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon 
interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. Use the following verbiage for operating\n systems that can accommodate banners of 1300 characters:\n \\\"#{input('banner_message_text_ral')}\\\" \"\n desc 'check', \"Verify any publicly accessible connection to the operating system displays the Standard Mandatory\n #{input('org_name')[:acronym]} Notice and Consent Banner before granting access to the system.\n Check for the location of the banner file being used with the following command:\n # grep -i banner /etc/ssh/sshd_config\n banner /etc/issue\n This command will return the banner keyword and the name of the file that contains the ssh banner (in this case\n \\\"/etc/issue\\\").\n If the line is commented out, this is a finding.\n View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory #{input('org_name')[:acronym]} Notice\n and Consent Banner:\n \\\"#{input('banner_message_text_ral')}\\\"\n If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory #{input('org_name')[:acronym]}\n Notice and Consent Banner, this is a finding.\n If the text in the file does not match the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding.\"\n desc 'fix', \"Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before\n granting access to the system via the ssh.\n Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment the banner keyword and configure it to point to a file that will\n contain the logon banner (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor). 
An example configuration line is:\n banner /etc/issue\n Either create the file containing the banner or replace the text in the file with the Standard Mandatory #{input('org_name')[:acronym]} Notice\n and Consent Banner. The #{input('org_name')[:acronym]} required text is:\n \\\"#{input('banner_message_text_ral')}\\\"\n The SSH service must be restarted for changes to take effect.\"\n impact 0.5\n tag legacy: ['V-72225', 'SV-86849']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-204580'\n tag rid: 'SV-204580r603261_rule'\n tag stig_id: 'RHEL-07-040170'\n tag fix_id: 'F-4704r297486_fix'\n tag cci: ['CCI-000048', 'CCI-000050', 'CCI-001384', 'CCI-001385', 'CCI-001386', 'CCI-001387', 'CCI-001388']\n tag nist: ['AC-8 a', 'AC-8 b', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 3']\n tag subsystems: ['ssh', 'banner']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n\n banner_message_text_ral = input('banner_message_text_ral')\n banner_message_text_ral_limited = input('banner_message_text_ral_limited')\n\n # When Banner is commented, not found, disabled, or the specified file does not exist, this is a finding.\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n # Banner property is commented out.\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n\n # Banner property is set to \"none\"\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? 
}\n it { should be true }\n end\n end\n\n # Banner property provides a path to a file, however, it does not exist.\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n\n # Banner property provides a path to a file and it exists.\n unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n next\n end\n\n describe.one do\n banner = file(banner_file).content.gsub(/[\\r\\n\\s]/, '')\n clean_banner = banner_message_text_ral.gsub(/[\\r\\n\\s]/, '')\n clean_banner_limited = banner_message_text_ral_limited.gsub(/[\\r\\n\\s]/,\n '')\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { banner }\n it { should cmp clean_banner }\n end\n\n describe 'The SSHD Banner is set to the standard limited banner and has the correct text' do\n subject { banner }\n it { should cmp clean_banner_limited }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204607.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204580.rb", "line": 1 }, - "id": "SV-204607" + "id": "SV-204580" }, { - "title": "The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media\n from the system being audited.", - "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.", + "title": "The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader\n unless approved.", + "desc": "Malicious users with removable boot media can gain access to a system configured to use removable media as\n the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented\n with the Information System Security Officer (ISSO).", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.", - "check": "Verify the operating system off-loads audit records onto a different system or media from the system\n being audited.\n To determine the remote server that the records are being sent to, use the following command:\n # grep -i remote_server /etc/audisp/audisp-remote.conf\n remote_server = 10.0.21.1\n If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the\n audit logs are off-loaded to a different system or media.\n If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.", - "fix": "Configure the operating system to off-load audit records onto a different system or media from the\n system being audited.\n Set the remote server option in \"/etc/audisp/audisp-remote.conf\" with the IP address of the log aggregation server." + "default": "Malicious users with removable boot media can gain access to a system configured to use removable media as\n the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented\n with the Information System Security Officer (ISSO).", + "check": "Verify the system is not configured to use a boot loader on removable media.\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\nCheck for the existence of alternate boot loader configuration files with the following command:\n\n# find / -name grub.cfg\n/boot/grub2/grub.cfg\n\nIf a \"grub.cfg\" is found in any subdirectories other than \"/boot/grub2\" and \"/boot/efi/EFI/redhat\", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.\n\nCheck that the grub configuration file has the set root command in each menu entry with the following commands:\n\n# grep -cw menuentry /boot/grub2/grub.cfg\n1\n# grep 'set root' /boot/grub2/grub.cfg\nset root=(hd0,1)\n\nIf the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.", + "fix": "Remove alternate methods of booting the system from removable media or document the configuration to\n boot from removable media with the ISSO." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72083", - "SV-86707" + "SV-86699", + "V-72075" ], "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "satisfies": [ - "SRG-OS-000342-GPOS-00133", - "SRG-OS-000479-GPOS-00224" - ], - "gid": "V-204509", - "rid": "SV-204509r877390_rule", - "stig_id": "RHEL-07-030300", - "fix_id": "F-4633r88720_fix", + "gtitle": "SRG-OS-000364-GPOS-00151", + "gid": "V-204501", + "rid": "SV-204501r861008_rule", + "stig_id": "RHEL-07-021700", + "fix_id": "F-4625r88696_fix", "cci": [ - "CCI-001851" + "CCI-000318", + "CCI-000368", + "CCI-001812", + "CCI-001813", + "CCI-001814" ], "nist": [ - "AU-4 (1)" + "CM-3 f", + "CM-6 c", + "CM-11 (2)", + "CM-5 (1)", + "CM-5 (1) (a)" ], "subsystems": [ - "audit", - "audisp" + "grub", + "removable_media" ], "host": null }, - "code": "control 'SV-204509' do\n title 'The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media\n from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.'\n desc 'check', 'Verify the operating system off-loads audit records onto a different system or media from the system\n being audited.\n To determine the remote server that the records are being sent to, use the following command:\n # grep -i remote_server /etc/audisp/audisp-remote.conf\n remote_server = 10.0.21.1\n If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the\n audit logs are off-loaded to a different system or media.\n If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.'\n desc 'fix', 'Configure the operating system to off-load audit records onto a different system or media from the\n system being audited.\n Set the remote server option in 
\"/etc/audisp/audisp-remote.conf\" with the IP address of the log aggregation server.'\n impact 0.5\n tag legacy: ['V-72083', 'SV-86707']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204509'\n tag rid: 'SV-204509r877390_rule'\n tag stig_id: 'RHEL-07-030300'\n tag fix_id: 'F-4633r88720_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n elsif file('/etc/audisp/audisp-remote.conf').exist?\n if input('audit_remote_server')\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('remote_server'.to_s) { should cmp input('audit_remote_server') }\n end\n else\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('remote_server'.to_s) { should match(/^\\S+$/) }\n its('remote_server'.to_s) do\n should_not be_in ['localhost', '127.0.0.1']\n end\n end\n end\n else\n describe \"File '/etc/audisp/audisp-remote.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audisp-remote.conf' cannot be found. This check must be performed manually\"\n end\n end\nend\n", + "code": "control 'SV-204501' do\n title 'The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader\n unless approved.'\n desc 'Malicious users with removable boot media can gain access to a system configured to use removable media as\n the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented\n with the Information System Security Officer (ISSO).'\n desc 'check', %q(Verify the system is not configured to use a boot loader on removable media.\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\nCheck for the existence of alternate boot loader configuration files with the following command:\n\n# find / -name grub.cfg\n/boot/grub2/grub.cfg\n\nIf a \"grub.cfg\" is found in any subdirectories other than \"/boot/grub2\" and \"/boot/efi/EFI/redhat\", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.\n\nCheck that the grub configuration file has the set root command in each menu entry with the following commands:\n\n# grep -cw menuentry /boot/grub2/grub.cfg\n1\n# grep 'set root' /boot/grub2/grub.cfg\nset root=(hd0,1)\n\nIf the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.)\n desc 'fix', 'Remove alternate methods of booting the system from removable media or document the configuration to\n boot from removable media with the ISSO.'\n impact 0.5\n tag legacy: ['SV-86699', 'V-72075']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000364-GPOS-00151'\n tag gid: 'V-204501'\n tag rid: 'SV-204501r861008_rule'\n tag stig_id: 'RHEL-07-021700'\n tag fix_id: 'F-4625r88696_fix'\n tag cci: ['CCI-000318', 'CCI-000368', 'CCI-001812', 'CCI-001813', 'CCI-001814']\n tag nist: ['CM-3 f', 'CM-6 c', 'CM-11 (2)', 'CM-5 (1)', 'CM-5 (1) (a)']\n tag subsystems: ['grub', 'removable_media']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n roots = 
command('grubby --info=ALL | grep \"^root=\" | sed \"s/^root=//g\"')\n .stdout.strip.split(\"\\n\")\n\n blocks = roots.map do |root|\n root_file = file(root)\n root_file.symlink? ? root_file.link_path : root_file.path\n end\n\n blocks.each do |block|\n block_file = file(block)\n describe block_file do\n it { should exist }\n its('path') { should match %r{^/dev/} }\n end\n\n next unless block_file.exist? and block_file.path.match? %r{^/dev/}\n\n removable = ['/sys/block', block.sub(%r{^/dev/}, ''),\n 'removable'].join('/')\n describe file(removable) do\n it { should exist }\n its('content.strip') { should eq '0' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204509.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204501.rb", "line": 1 }, - "id": "SV-204509" + "id": "SV-204501" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories have a mode of 0750 or less permissive.", - "desc": "If a local interactive user files have excessive permissions, unintended users may be able to access or\n modify them.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for\n confidentiality and integrity of transmitted and received information as well as information during preparation for\n transmission.", + "desc": "Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If\n physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice\n versa.", "descriptions": { - "default": "If a local interactive user files have excessive permissions, unintended users may be able to access or\n modify them.", - "check": "Verify all files and directories contained in a local interactive user home directory, excluding\n local initialization files, have a mode of \"0750\".\n Check the mode of all non-initialization files in a local interactive user home directory with the following\n command:\n Files that begin with a \".\" are excluded from this requirement.\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n # ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n If any files are found with a mode more permissive than \"0750\", this is a finding.", - "fix": "Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n # chmod 0750 /home/smithj/" + "default": "Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information 
can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If\n physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice\n versa.", + "check": "Verify SSH is loaded and active with the following command:\n # systemctl status sshd\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.", + "fix": "Configure the SSH service to automatically start after reboot with the following command:\n # systemctl enable sshd.service" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72027", - "SV-86651" + "SV-86859", + "V-72235" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204473", - "rid": "SV-204473r603261_rule", - "stig_id": "RHEL-07-020680", - "fix_id": "F-4597r88612_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000423-GPOS-00188", + "SRG-OS-000423-GPOS-00189", + "SRG-OS-000423-GPOS-00190", + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" + ], + "gid": "V-204586", + "rid": "SV-204586r861071_rule", + "stig_id": "RHEL-07-040310", + "fix_id": "F-4710r88951_fix", "cci": [ - "CCI-000366" + "CCI-002418", + "CCI-002420", + "CCI-002421", + "CCI-002422" ], "nist": [ 
- "CM-6 b" + "SC-8", + "SC-8 (2)", + "SC-8 (1)", + "SC-8 (2)" ], "subsystems": [ - "home_dirs" + "ssh" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204473' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories have a mode of 0750 or less permissive.'\n desc 'If a local interactive user files have excessive permissions, unintended users may be able to access or\n modify them.'\n desc 'check', 'Verify all files and directories contained in a local interactive user home directory, excluding\n local initialization files, have a mode of \"0750\".\n Check the mode of all non-initialization files in a local interactive user home directory with the following\n command:\n Files that begin with a \".\" are excluded from this requirement.\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n # ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n If any files are found with a mode more permissive than \"0750\", this is a finding.'\n desc 'fix', 'Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n # chmod 0750 /home/smithj/'\n impact 0.5\n tag legacy: ['V-72027', 'SV-86651']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204473'\n tag rid: 'SV-204473r603261_rule'\n tag stig_id: 'RHEL-07-020680'\n tag fix_id: 'F-4597r88612_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n tag 'container'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' 
do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -xdev ! -name '.*' -perm -#{input('home_dir_files_mode')} ! -type l\").stdout.split(\"\\n\")\n end\n describe 'Home directories with excessive permissions' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-204586' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for\n confidentiality and integrity of transmitted and received information as well as information during preparation for\n transmission.'\n desc 'Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If\n physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice\n versa.'\n desc 'check', 'Verify SSH is loaded and active with the following command:\n # systemctl status sshd\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.'\n desc 'fix', 'Configure the SSH service to automatically start after reboot with the following command:\n # systemctl enable sshd.service'\n impact 0.5\n tag legacy: ['SV-86859', 'V-72235']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000423-GPOS-00187'\n tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000423-GPOS-00188', 'SRG-OS-000423-GPOS-00189', 'SRG-OS-000423-GPOS-00190', 'SRG-OS-000424-GPOS-00188', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag gid: 'V-204586'\n tag rid: 'SV-204586r861071_rule'\n tag stig_id: 'RHEL-07-040310'\n tag fix_id: 'F-4710r88951_fix'\n tag cci: ['CCI-002418', 'CCI-002420', 'CCI-002421', 'CCI-002422']\n tag nist: ['SC-8', 'SC-8 (2)', 'SC-8 (1)', 'SC-8 (2)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe systemd_service('sshd.service') do\n it { should be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204473.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204586.rb", "line": 1 }, - "id": "SV-204473" + "id": "SV-204586" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for\n privilege 
escalation.", - "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n reauthenticate.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n reauthenticate.", - "check": "Verify the operating system requires users to reauthenticate for privilege escalation.\n Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n If any uncommented line is found with a \"!authenticate\" tag, this is a finding.", - "fix": "Configure the operating system to require users to reauthenticate for privilege escalation.\n Check the configuration of the \"/etc/sudoers\" file with the following command:\n # visudo\n Remove any occurrences of \"!authenticate\" tags in the file.\n Check the configuration of the 
\"/etc/sudoers.d/*\" files with the following command:\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n Remove any occurrences of \"!authenticate\" tags in the file(s)." + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/passwd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71949", - "SV-86573" + "SV-86773", + "V-72149" ], "severity": "medium", - "gtitle": "SRG-OS-000373-GPOS-00156", + "gtitle": "SRG-OS-000042-GPOS-00020", "satisfies": [ - "SRG-OS-000373-GPOS-00156", - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00158" + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-204430", - "rid": "SV-204430r853885_rule", - "stig_id": "RHEL-07-010350", - "fix_id": "F-4554r88483_fix", + "gid": "V-204542", + "rid": "SV-204542r861026_rule", + "stig_id": "RHEL-07-030630", + "fix_id": "F-4666r861025_fix", "cci": [ - "CCI-002038" + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "IA-11" + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)" ], "subsystems": [ - "sudo" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204430' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for\n privilege escalation.'\n desc 'Without re-authentication, users may access resources or perform tasks for which they do not have\n authorization.\n When operating systems provide the capability to escalate a functional capability, it is critical the user\n reauthenticate.'\n desc 'check', 'Verify the operating system requires users to reauthenticate for privilege escalation.\n Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n If any uncommented line is found with a \"!authenticate\" tag, this is a finding.'\n desc 'fix', 'Configure the operating system to require users to reauthenticate for privilege escalation.\n Check the configuration of the \"/etc/sudoers\" file with the following command:\n # visudo\n Remove any occurrences of \"!authenticate\" tags in the file.\n Check the configuration of the \"/etc/sudoers.d/*\" files with the following command:\n # 
grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n Remove any occurrences of \"!authenticate\" tags in the file(s).'\n impact 0.5\n tag legacy: ['V-71949', 'SV-86573']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-204430'\n tag rid: 'SV-204430r853885_rule'\n tag stig_id: 'RHEL-07-010350'\n tag fix_id: 'F-4554r88483_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n describe command('grep -ir authenticate /etc/sudoers /etc/sudoers.d/*') do\n its('stdout') { should_not match(/!authenticate/) }\n end\n end\nend\n", + "code": "control 'SV-204542' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged password commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/passwd\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86773', 'V-72149']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: ['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204542'\n tag rid: 'SV-204542r861026_rule'\n tag stig_id: 'RHEL-07-030630'\n tag fix_id: 'F-4666r861025_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/passwd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 
'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-passwd')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204430.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204542.rb", "line": 1 }, - "id": "SV-204430" + "id": "SV-204542" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the su command.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "title": "The Red Hat Enterprise Linux operating system must generate audit records for all successful account access\n events.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/su\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "check": "Verify the operating system generates audit records when successful account access events occur.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep -i /var/log/lastlog /etc/audit/audit.rules\n -w /var/log/lastlog -p wa -k logins\n If the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful account access events occur.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /var/log/lastlog -p wa -k logins\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86783", - "V-72159" + "V-72147", + "SV-86771" ], "severity": "medium", - "gtitle": "SRG-OS-000037-GPOS-00015", + "gtitle": "SRG-OS-000392-GPOS-00172", "satisfies": [ - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000473-GPOS-00218" ], - "gid": "V-204547", - "rid": "SV-204547r861041_rule", - "stig_id": "RHEL-07-030680", - "fix_id": "F-4671r861040_fix", + "gid": "V-204541", + "rid": "SV-204541r853931_rule", + "stig_id": "RHEL-07-030620", + "fix_id": "F-4665r88816_fix", "cci": [ - "CCI-000130", - "CCI-000135", + "CCI-000126", "CCI-000172", "CCI-002884" ], "nist": [ - "AU-3", - "AU-3 (1)", + "AU-2 d", "AU-12 c", "MA-4 (1) (a)", - "AU-3 a" + "AU-2 c" ], "subsystems": [ "audit", 
@@ -9435,469 +9347,484 @@ ], "host": null }, - "code": "control 'SV-204547' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the su command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged access commands. The organization\n must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of\n compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/bin/su\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86783', 'V-72159']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000037-GPOS-00015'\n tag satisfies: ['SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 
'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204547'\n tag rid: 'SV-204547r861041_rule'\n tag stig_id: 'RHEL-07-030680'\n tag fix_id: 'F-4671r861040_fix'\n tag cci: ['CCI-000130', 'CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3', 'AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)', 'AU-3 a']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/su'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", + "code": "control 'SV-204541' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all successful account access\n events.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system generates audit records when successful account access events occur.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep -i /var/log/lastlog /etc/audit/audit.rules\n -w /var/log/lastlog -p wa -k logins\n If the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to 
generate audit records when successful account access events occur.\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /var/log/lastlog -p wa -k logins\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72147', 'SV-86771']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-204541'\n tag rid: 'SV-204541r853931_rule'\n tag stig_id: 'RHEL-07-030620'\n tag fix_id: 'F-4665r88816_fix'\n tag cci: ['CCI-000126', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-2 d', 'AU-12 c', 'MA-4 (1) (a)', 'AU-2 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/var/log/lastlog'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'logins'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204547.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204541.rb", "line": 1 }, - "id": "SV-204547" + "id": "SV-204541" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "title": "The Red 
Hat Enterprise Linux operating system must be configured so that all world-writable directories are\n group-owned by root, sys, bin, or an application group.", + "desc": "If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier\n (GID), unauthorized users may be able to modify files created by others.\n The only authorized public directories are those temporary directories supplied with the system or those designed to\n be temporary file repositories. The setting is normally reserved for directories used by the system and by users for\n temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"delete_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k 
module-change\n\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier\n (GID), unauthorized users may be able to modify files created by others.\n The only authorized public directories are those temporary directories supplied with the system or those designed to\n be temporary file repositories. The setting is normally reserved for directories used by the system and by users for\n temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", + "check": "The following command will discover and print world-writable directories that are not group-owned by\n a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition\n [PART]:\n # find [PART] -xdev -type d -perm -0002 -gid +999 -print\n If there is output, this is a finding.", + "fix": "All directories in local partitions which are world-writable should be group-owned by root or another\n system account. If any world-writable directories are not group-owned by a system account, this should be\n investigated. Following this, the directories should be deleted or assigned to an appropriate group." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72189", - "SV-86813" + "V-72047", + "SV-86671" ], "severity": "medium", - "gtitle": "SRG-OS-000471-GPOS-00216", - "satisfies": [ - "SRG-OS-000471-GPOS-00216", - "SRG-OS-000477-GPOS-00222" - ], - "gid": "V-204562", - "rid": "SV-204562r833175_rule", - "stig_id": "RHEL-07-030830", - "fix_id": "F-4686r833174_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204487", + "rid": "SV-204487r744106_rule", + "stig_id": "RHEL-07-021030", + "fix_id": "F-36308r602634_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "world_writable", + "ww_dirs" ], "host": null }, - "code": "control 'SV-204562' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"delete_module\" syscall, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\nAdd or 
update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72189', 'SV-86813']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00216'\n tag satisfies: ['SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-204562'\n tag rid: 'SV-204562r833175_rule'\n tag stig_id: 'RHEL-07-030830'\n tag fix_id: 'F-4686r833174_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['delete_module']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('module-change')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204487' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are\n group-owned by root, sys, bin, or an application group.'\n desc 'If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier\n (GID), unauthorized users may be able to modify files created by others.\n The 
only authorized public directories are those temporary directories supplied with the system or those designed to\n be temporary file repositories. The setting is normally reserved for directories used by the system and by users for\n temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories that are not group-owned by\n a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition\n [PART]:\n # find [PART] -xdev -type d -perm -0002 -gid +999 -print\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable should be group-owned by root or another\n system account. If any world-writable directories are not group-owned by a system account, this should be\n investigated. Following this, the directories should be deleted or assigned to an appropriate group.'\n impact 0.5\n tag legacy: ['V-72047', 'SV-86671']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204487'\n tag rid: 'SV-204487r744106_rule'\n tag stig_id: 'RHEL-07-021030'\n tag fix_id: 'F-36308r602634_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['world_writable', 'ww_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n ww_dirs = Set[]\n partitions = etc_fstab.params.map do |partition|\n partition['mount_point']\n end.uniq\n partitions.each do |part|\n cmd = \"find #{part} -xdev -type d -perm -0002 -gid +999 -print\"\n ww_dirs += command(cmd).stdout.split(\"\\n\")\n end\n describe 'List of world-writeable directories not group-owned by a system account' do\n it 'should be empty' do\n expect(ww_dirs).to be_empty, \"Found world-writeable dirs not group-owned by system account: 
#{ww_dirs.to_a.join(', ')}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204562.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204487.rb", "line": 1 }, - "id": "SV-204562" + "id": "SV-204487" }, { - "title": "The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a\n different system or media from the system being audited.", - "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24\n hours/1 day minimum lifetime.", + "desc": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.", - "check": "Verify the operating system encrypts audit records off-loaded onto a different system or media from\n the system being audited.\n To determine if the transfer is encrypted, use the following command:\n # grep -i enable_krb5 /etc/audisp/audisp-remote.conf\n enable_krb5 = yes\n If the value of the \"enable_krb5\" option is not set to \"yes\" or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or media.\n If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is\n encrypted, this is a 
finding.", - "fix": "Configure the operating system to encrypt the transfer of off-loaded audit records onto a different\n system or media from the system being audited.\n Uncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and set it with the following line:\n enable_krb5 = yes" + "default": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.", + "check": "Check whether the minimum time period between password changes for each user account is one day or\n greater.\n # awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n If any results are returned that are not associated with a system account, this is a finding.", + "fix": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:\n # chage -m 1 [user]" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72085", - "SV-86709" + "SV-86551", + "V-71927" ], "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "satisfies": [ - "SRG-OS-000342-GPOS-00133", - "SRG-OS-000479-GPOS-00224" + "gtitle": "SRG-OS-000075-GPOS-00043", + "gid": "V-204419", + "rid": "SV-204419r603261_rule", + "stig_id": "RHEL-07-010240", + "fix_id": "F-4543r88450_fix", + "cci": [ + "CCI-000198" ], - "gid": "V-204510", - "rid": "SV-204510r877390_rule", - "stig_id": "RHEL-07-030310", - "fix_id": "F-4634r88723_fix", + "nist": [ + "IA-5 (1) (d)" + ], + "subsystems": [ + "password", + "/etc/shadow" + ], + "host": null + }, + "code": "control 'SV-204419' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24\n hours/1 day minimum lifetime.'\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes 
to defeat the password\n reuse or history enforcement requirement. If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.\"\n desc 'check', %q(Check whether the minimum time period between password changes for each user account is one day or\n greater.\n # awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n If any results are returned that are not associated with a system account, this is a finding.)\n desc 'fix', 'Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:\n # chage -m 1 [user]'\n impact 0.5\n tag legacy: ['SV-86551', 'V-71927']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000075-GPOS-00043'\n tag gid: 'V-204419'\n tag rid: 'SV-204419r603261_rule'\n tag stig_id: 'RHEL-07-010240'\n tag fix_id: 'F-4543r88450_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag subsystems: ['password', '/etc/shadow']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n shadow.users.each do |user|\n # filtering on non-system accounts (uid >= 1000)\n next unless user(user).uid >= 1000\n\n describe shadow.users(user) do\n its('min_days.first') { should cmp input('min_password_lifetime') }\n end\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 7 STIG/controls/SV-204419.rb", + "line": 1 + }, + "id": "SV-204419" + }, + { + "title": "The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using\n remote access via SSH.", + "desc": "Even though the communications channel may be encrypted, an additional layer of security is gained by\n extending the policy of not logging on directly as root. 
In addition, logging on with a user-specific account\n provides individual accountability of actions performed on the system.", + "descriptions": { + "default": "Even though the communications channel may be encrypted, an additional layer of security is gained by\n extending the policy of not logging on directly as root. In addition, logging on with a user-specific account\n provides individual accountability of actions performed on the system.", + "check": "Verify remote access using SSH prevents users from logging on directly as root.\n Check that SSH prevents users from logging on directly as root with the following command:\n # grep -i permitrootlogin /etc/ssh/sshd_config\n PermitRootLogin no\n If the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.", + "fix": "Configure SSH to stop users from logging on remotely as the root user.\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"PermitRootLogin\" keyword and\n set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor):\n PermitRootLogin no\n The SSH service must be restarted for changes to take effect." 
+ }, + "impact": 0.5, + "refs": [], + "tags": { + "legacy": [ + "V-72247", + "SV-86871" + ], + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204592", + "rid": "SV-204592r603261_rule", + "stig_id": "RHEL-07-040370", + "fix_id": "F-4716r88969_fix", "cci": [ - "CCI-001851" + "CCI-000366" ], "nist": [ - "AU-4 (1)" + "CM-6 b" ], "subsystems": [ - "audit", - "audisp" + "ssh" ], "host": null }, - "code": "control 'SV-204510' do\n title 'The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a\n different system or media from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.'\n desc 'check', 'Verify the operating system encrypts audit records off-loaded onto a different system or media from\n the system being audited.\n To determine if the transfer is encrypted, use the following command:\n # grep -i enable_krb5 /etc/audisp/audisp-remote.conf\n enable_krb5 = yes\n If the value of the \"enable_krb5\" option is not set to \"yes\" or the line is commented out, ask the System\n Administrator to indicate how the audit logs are off-loaded to a different system or media.\n If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is\n encrypted, this is a finding.'\n desc 'fix', 'Configure the operating system to encrypt the transfer of off-loaded audit records onto a different\n system or media from the system being audited.\n Uncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and set it with the following line:\n enable_krb5 = yes'\n impact 0.5\n tag legacy: ['V-72085', 'SV-86709']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204510'\n tag rid: 
'SV-204510r877390_rule'\n tag stig_id: 'RHEL-07-030310'\n tag fix_id: 'F-4634r88723_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('enable_krb5'.to_s) { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-204592' do\n title 'The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using\n remote access via SSH.'\n desc 'Even though the communications channel may be encrypted, an additional layer of security is gained by\n extending the policy of not logging on directly as root. In addition, logging on with a user-specific account\n provides individual accountability of actions performed on the system.'\n desc 'check', 'Verify remote access using SSH prevents users from logging on directly as root.\n Check that SSH prevents users from logging on directly as root with the following command:\n # grep -i permitrootlogin /etc/ssh/sshd_config\n PermitRootLogin no\n If the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure SSH to stop users from logging on remotely as the root user.\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"PermitRootLogin\" keyword and\n set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor):\n PermitRootLogin no\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['V-72247', 'SV-86871']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204592'\n tag rid: 
'SV-204592r603261_rule'\n tag stig_id: 'RHEL-07-040370'\n tag fix_id: 'F-4716r88969_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('PermitRootLogin') { should cmp 'no' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204510.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204592.rb", "line": 1 }, - "id": "SV-204510" + "id": "SV-204592" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for\n user home directories (such as /home or an equivalent).", - "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", + "title": "The Red Hat Enterprise Linux operating system must have the screen package installed.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe screen and tmux packages allow for a session lock to be implemented and configured.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.", - "check": "Verify that a separate file system/partition has been created for non-privileged local interactive\n user home directories.\n Check the home directory assignment for all non-privileged users (those with a UID of 1000 or greater) on the system\n with the following command:\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd\n adamsj 1000 /home/adamsj /bin/bash\n jacksonm 1001 /home/jacksonm /bin/bash\n smithj 1002 /home/smithj /bin/bash\n The output of the command will give the directory/partition that contains the home directories for the\n non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such\n as /bin/bash) are considered interactive users.\n Check that a file system/partition has been created for the non-privileged interactive users with the following\n command:\n Note: The partition of /home is used in the example.\n # grep /home /etc/fstab\n UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n If a separate entry for the file system/partition that contains the non-privileged interactive users' home\n directories does not exist, this is a finding.", - "fix": "Migrate the \"/home\" directory onto a separate file system/partition." + "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe screen and tmux packages allow for a session lock to be implemented and configured.", + "check": "Verify the operating system has the screen package installed.\n\nCheck to see if the screen package is installed with the following command:\n\n # yum list installed screen\n screen-4.3.1-3-x86_64.rpm\n\nIf the screen package is not installed, check to see if the tmux package is installed with the following command:\n\n # yum list installed tmux\n tmux-1.8-4.el7.x86_64.rpm\n\nIf either the screen package or the tmux package is not installed, this is a finding.", + "fix": "Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity.\n\nInstall the screen program (if it is not on the system) with the following command:\n\n # yum install screen\n\nOR\n\nInstall the tmux program (if it is not on the system) with the following command:\n\n # yum install tmux" }, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "SV-86683", - "V-72059" - ], - "severity": "low", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204493", - "rid": "SV-204493r603840_rule", - "stig_id": "RHEL-07-021310", - "fix_id": "F-4617r88672_fix", + "check_id": "C-59603r880777_chk", + "severity": "medium", + "gid": "V-255926", + "rid": "SV-255926r880779_rule", + "stig_id": "RHEL-07-010090", + "gtitle": "SRG-OS-000029-GPOS-00010", + "fix_id": "F-59546r880778_fix", + "documentable": null, "cci": [ - "CCI-000366" + "CCI-000057" ], "nist": [ - "CM-6 b" - ], - "subsystems": [ - "home_dirs", - "file_system" - ], - "host": null + "AC-11 a" + ] }, - "code": "control 'SV-204493' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for\n user home 
directories (such as /home or an equivalent).'\n desc 'The use of separate file systems for different paths can protect the system from failures resulting from a\n file system becoming full or failing.'\n desc 'check', \"Verify that a separate file system/partition has been created for non-privileged local interactive\n user home directories.\n Check the home directory assignment for all non-privileged users (those with a UID of 1000 or greater) on the system\n with the following command:\n # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd\n adamsj 1000 /home/adamsj /bin/bash\n jacksonm 1001 /home/jacksonm /bin/bash\n smithj 1002 /home/smithj /bin/bash\n The output of the command will give the directory/partition that contains the home directories for the\n non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such\n as /bin/bash) are considered interactive users.\n Check that a file system/partition has been created for the non-privileged interactive users with the following\n command:\n Note: The partition of /home is used in the example.\n # grep /home /etc/fstab\n UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n If a separate entry for the file system/partition that contains the non-privileged interactive users' home\n directories does not exist, this is a finding.\"\n desc 'fix', 'Migrate the \"/home\" directory onto a separate file system/partition.'\n impact 0.3\n tag legacy: ['SV-86683', 'V-72059']\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204493'\n tag rid: 'SV-204493r603840_rule'\n tag stig_id: 'RHEL-07-021310'\n tag fix_id: 'F-4617r88672_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs', 'file_system']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n 
exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n # excluding root because its home directory is usually \"/root\" (mountpoint \"/\")\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n home_mount = command(%(df #{user_info.home} --output=target | tail -1)).stdout.strip\n describe user_info.username do\n context 'with mountpoint' do\n context home_mount do\n it { should_not be_empty }\n it { should_not match(%r{^/$}) }\n end\n end\n end\n end\n end\nend\n", + "code": "control 'SV-255926' do\n title 'The Red Hat Enterprise Linux operating system must have the screen package installed.'\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe screen and tmux packages allow for a session lock to be implemented and configured.\"\n desc 'check', 'Verify the operating system has the screen package installed.\n\nCheck to see if the screen package is installed with the following command:\n\n # yum list installed screen\n screen-4.3.1-3-x86_64.rpm\n\nIf the screen package is not installed, check to see if the tmux package is installed with the following command:\n\n # yum list installed tmux\n tmux-1.8-4.el7.x86_64.rpm\n\nIf either the screen package or the tmux package is not installed, this is a finding.'\n desc 'fix', \"Install the screen package to allow the initiation of a session lock after a #{input('system_activity_timeout')/60}-minute period of inactivity.\n\nInstall the screen program (if it is not on the system) with the following command:\n\n # yum install screen\n\nOR\n\nInstall the tmux program (if it is not on the system) with the following command:\n\n # yum install tmux\"\n impact 0.5\n tag check_id: 'C-59603r880777_chk'\n tag severity: 'medium'\n tag gid: 'V-255926'\n tag rid: 'SV-255926r880779_rule'\n tag stig_id: 'RHEL-07-010090'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag fix_id: 'F-59546r880778_fix'\n tag 'documentable'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe.one do\n describe package('screen') do\n it { should be_installed }\n end\n describe package('tmux') do\n it { should be_installed }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204493.rb", + "ref": "./Red Hat 7 STIG/controls/SV-255926.rb", "line": 1 }, - 
"id": "SV-204493" + "id": "SV-255926" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories have mode 0750 or less permissive.", + "desc": "Excessive permissions on local interactive user home directories may allow unauthorized access to user files\n by other users.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"create_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"create_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nAdd 
or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Excessive permissions on local interactive user home directories may allow unauthorized access to user files\n by other users.", + "check": "Verify the assigned home directory of all local interactive users has a mode of \"0750\" or less\n permissive.\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n If home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding.", + "fix": "Change the mode of interactive user's home directories to \"0750\". 
To change the mode of a local\n interactive user's home directory, use the following command:\n Note: The example will be for the user \"smithj\".\n # chmod 0750 /home/smithj" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-78999", - "SV-93705" + "SV-86641", + "V-72017" ], "severity": "medium", - "gtitle": "SRG-OS-000471-GPOS-00216", - "satisfies": [ - "SRG-OS-000471-GPOS-00216", - "SRG-OS-000477-GPOS-00222" - ], - "gid": "V-204559", - "rid": "SV-204559r833169_rule", - "stig_id": "RHEL-07-030819", - "fix_id": "F-4683r833168_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204468", + "rid": "SV-204468r603828_rule", + "stig_id": "RHEL-07-020630", + "fix_id": "F-4592r88597_fix", "cci": [ - "CCI-000172" + "CCI-000366" ], "nist": [ - "AU-12 c" + "CM-6 b" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "home_dirs" ], "host": null }, - "code": "control 'SV-204559' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"create_module\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"create_module\" syscall, this is a finding.'\n desc 'fix', 
'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\n-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-78999', 'SV-93705']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000471-GPOS-00216'\n tag satisfies: ['SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-204559'\n tag rid: 'SV-204559r833169_rule'\n tag stig_id: 'RHEL-07-030819'\n tag fix_id: 'F-4683r833168_fix'\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['create_module']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('module-change')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204468' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home\n directories have mode 0750 or less permissive.'\n desc 'Excessive permissions on local interactive 
user home directories may allow unauthorized access to user files\n by other users.'\n desc 'check', %q(Verify the assigned home directory of all local interactive users has a mode of \"0750\" or less\n permissive.\n Check the home directory assignment for all non-privileged users on the system with the following command:\n Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of\n interactive use may be obtained from a number of log files containing system logon information.\n # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n If home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding.)\n desc 'fix', %q(Change the mode of interactive user's home directories to \"0750\". To change the mode of a local\n interactive user's home directory, use the following command:\n Note: The example will be for the user \"smithj\".\n # chmod 0750 /home/smithj)\n impact 0.5\n tag legacy: ['SV-86641', 'V-72017']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204468'\n tag rid: 'SV-204468r603828_rule'\n tag stig_id: 'RHEL-07-020630'\n tag fix_id: 'F-4592r88597_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if 
exempt_home_users.include?(user_info.username.to_s)\n\n findings += command(\"find #{user_info.home} -maxdepth 0 -perm -#{input('home_dir_mode')}\").stdout.split(\"\\n\")\n end\n describe 'Home directories with excessive permissions' do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204559.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204468.rb", "line": 1 }, - "id": "SV-204559" + "id": "SV-204468" }, { - "title": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from\n being executed on file systems that are used with removable media.", - "desc": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.", + "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) communications.", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.", - "check": "Verify file systems that are used for removable media are mounted with the \"nosuid\" option.\n Check the file systems that are mounted at boot time with the following command:\n # more /etc/fstab\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n If a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this\n is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with\n removable media." + "default": "Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.", + "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n To determine if LDAP is being used for authentication, use the following command:\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n If the \"sssd.service\" is \"active\", then LDAP is being used.\n Determine the \"id_provider\" the LDAP is currently using:\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n id_provider = ad\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n Verify the sssd service is configured to require the use of certificates:\n 
# grep -i tls_reqcert /etc/sssd/sssd.conf\n ldap_tls_reqcert = demand\n If the \"ldap_tls_reqcert\" setting is missing, commented out, or does not exist, this is a finding.\n If the \"ldap_tls_reqcert\" setting is not set to \"demand\" or \"hard\", this is a finding.", + "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote\n access sessions.\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n ldap_tls_reqcert = demand" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "SV-86667", - "V-72043" + "V-72229", + "SV-86853" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204481", - "rid": "SV-204481r603261_rule", - "stig_id": "RHEL-07-021010", - "fix_id": "F-4605r88636_fix", + "gtitle": "SRG-OS-000250-GPOS-00093", + "gid": "V-204582", + "rid": "SV-204582r877394_rule", + "stig_id": "RHEL-07-040190", + "fix_id": "F-4706r88939_fix", "cci": [ - "CCI-000366" + "CCI-001453" ], "nist": [ - "CM-6 b" + "AC-17 (2)" ], "subsystems": [ - "file_system", - "removable_media" + "sssd", + "ldap" ], "host": null }, - "code": "control 'SV-204481' do\n title 'The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from\n being executed on file systems that are used with removable media.'\n desc 'The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.'\n desc 'check', 'Verify file systems that are used for removable media are mounted with the \"nosuid\" option.\n Check the file systems that are mounted at boot time with the following command:\n # more /etc/fstab\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n If a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this\n is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with\n removable media.'\n impact 0.5\n tag legacy: ['SV-86667', 'V-72043']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204481'\n tag rid: 'SV-204481r603261_rule'\n tag stig_id: 'RHEL-07-021010'\n tag fix_id: 'F-4605r88636_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['file_system', 'removable_media']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n non_removable_media_fs = input('non_removable_media_fs')\n\n file_systems = etc_fstab.params\n if !file_systems.nil? and !file_systems.empty?\n file_systems.each do |file_sys_line|\n if !non_removable_media_fs.to_s.include?(file_sys_line['file_system_type'])\n describe file_sys_line['mount_options'] do\n it { should include 'nosuid' }\n end\n else\n describe \"File system \\\"#{file_sys_line['file_system_type']}\\\" does not correspond to removable media.\" do\n subject do\n non_removable_media_fs.to_s.include?(file_sys_line['file_system_type'])\n end\n it { should eq true }\n end\n end\n end\n else\n describe 'No file systems were found.' do\n subject { file_systems.nil? 
}\n it { should eq true }\n end\n end\n end\nend\n", + "code": "control 'SV-204582' do\n title 'The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of\n Lightweight Directory Access Protocol (LDAP) communications.'\n desc 'Without cryptographic integrity protections, information can be altered by unauthorized users without\n detection.\n Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash\n functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while\n maintaining the confidentiality of the key used to generate the hash.'\n desc 'check', 'If LDAP is not being utilized, this requirement is Not Applicable.\n Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n To determine if LDAP is being used for authentication, use the following command:\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n If the \"sssd.service\" is \"active\", then LDAP is being used.\n Determine the \"id_provider\" the LDAP is currently using:\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n id_provider = ad\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n Verify the sssd service is configured to require the use of certificates:\n # grep -i tls_reqcert /etc/sssd/sssd.conf\n ldap_tls_reqcert = demand\n If the \"ldap_tls_reqcert\" setting is missing, commented out, or does not exist, this is a finding.\n If the \"ldap_tls_reqcert\" setting is not set to \"demand\" or \"hard\", this is a finding.'\n desc 'fix', 'Configure the operating system to implement cryptography to protect the integrity of LDAP remote\n access sessions.\n Add or modify the following line in 
\"/etc/sssd/sssd.conf\":\n ldap_tls_reqcert = demand'\n impact 0.5\n tag legacy: ['V-72229', 'SV-86853']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag gid: 'V-204582'\n tag rid: 'SV-204582r877394_rule'\n tag stig_id: 'RHEL-07-040190'\n tag fix_id: 'F-4706r88939_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag subsystems: ['sssd', 'ldap']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n\n sssd_id_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*id_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n sssd_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*[a-z]*_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n pam_ldap_enabled = !command('grep \"^[^#]*pam_ldap\\.so\" /etc/pam.d/*').stdout.strip.empty?\n\n unless sssd_id_ldap_enabled or sssd_ldap_enabled or pam_ldap_enabled\n impact 0.0\n describe 'LDAP not enabled' do\n skip 'LDAP not enabled using any known mechanisms, this control is Not Applicable.'\n end\n end\n\n if sssd_id_ldap_enabled\n ldap_id_use_start_tls = command('grep ldap_id_use_start_tls /etc/sssd/sssd.conf')\n describe ldap_id_use_start_tls do\n its('stdout.strip') do\n should match(/^ldap_id_use_start_tls\\s*=\\s*true$/)\n end\n end\n\n ldap_id_use_start_tls.stdout.strip.each_line do |line|\n describe line do\n it { should match(/^ldap_id_use_start_tls\\s*=\\s*true$/) }\n end\n end\n end\n\n if sssd_ldap_enabled\n ldap_tls_cacertdir = command('grep -i ldap_tls_cacertdir /etc/sssd/sssd.conf')\n .stdout.strip.scan(/^ldap_tls_cacertdir\\s*=\\s*(.*)/).last\n\n describe 'ldap_tls_cacertdir' do\n subject { ldap_tls_cacertdir }\n it { should_not eq nil }\n end\n\n unless ldap_tls_cacertdir.nil?\n 
describe file(ldap_tls_cacertdir.last) do\n it { should exist }\n it { should be_directory }\n end\n end\n end\n\n if pam_ldap_enabled\n tls_cacertdir = command('grep -i tls_cacertdir /etc/pam_ldap.conf')\n .stdout.strip.scan(/^tls_cacertdir\\s+(.*)/).last\n\n describe 'tls_cacertdir' do\n subject { tls_cacertdir }\n it { should_not eq nil }\n end\n\n unless tls_cacertdir.nil?\n describe file(tls_cacertdir.last) do\n it { should exist }\n it { should be_directory }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204481.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204582.rb", "line": 1 }, - "id": "SV-204481" + "id": "SV-204582" }, { - "title": "The Red Hat Enterprise Linux operating system must have cron logging implemented.", - "desc": "Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used\n to spot intrusions into the use of the cron facility by unauthorized and malicious users.", + "title": "The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media\n from the system being audited.", + "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.", "descriptions": { - "default": "Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used\n to spot intrusions into the use of the cron facility by unauthorized and malicious users.", - "check": "Verify that \"rsyslog\" is configured to log cron events.\n Check the configuration of \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files for the cron facility with the\n following command:\n Note: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or\n \"/etc/rsyslog.d/*.conf\" files.\n # grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n cron.* /var/log/cron\n If the command does not return a response, check for cron logging all facilities by inspecting the\n \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n Look for the following entry:\n *.* /var/log/messages\n If \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.", - "fix": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to\n \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n cron.* /var/log/cron\n The rsyslog daemon must be restarted for the changes to take effect:\n $ sudo systemctl restart rsyslog.service" + "default": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.", + "check": "Verify the operating system off-loads audit records onto a different system or media from the system\n being audited.\n To determine the remote server that the records are being sent to, use the following command:\n # grep -i remote_server /etc/audisp/audisp-remote.conf\n remote_server = 10.0.21.1\n If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the\n audit logs are off-loaded to a different system or media.\n If there is no evidence that the audit logs are being off-loaded to another system or media, this is a 
finding.",
+ "fix": "Configure the operating system to off-load audit records onto a different system or media from the\n system being audited.\n Set the remote server option in \"/etc/audisp/audisp-remote.conf\" with the IP address of the log aggregation server."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-72051",
- "SV-86675"
+ "V-72083",
+ "SV-86707"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-204489",
- "rid": "SV-204489r744109_rule",
- "stig_id": "RHEL-07-021100",
- "fix_id": "F-4613r744108_fix",
+ "gtitle": "SRG-OS-000342-GPOS-00133",
+ "satisfies": [
+ "SRG-OS-000342-GPOS-00133",
+ "SRG-OS-000479-GPOS-00224"
+ ],
+ "gid": "V-204509",
+ "rid": "SV-204509r877390_rule",
+ "stig_id": "RHEL-07-030300",
+ "fix_id": "F-4633r88720_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001851"
 ],
 "nist": [
- "CM-6 b"
+ "AU-4 (1)"
 ],
 "subsystems": [
- "cron",
- "rsyslog"
+ "audit",
+ "audisp"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-204489' do\n title 'The Red Hat Enterprise Linux operating system must have cron logging implemented.'\n desc 'Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used\n to spot intrusions into the use of the cron facility by unauthorized and malicious users.'\n desc 'check', 'Verify that \"rsyslog\" is configured to log cron events.\n Check the configuration of \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files for the cron facility with the\n following command:\n Note: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or\n \"/etc/rsyslog.d/*.conf\" files.\n # grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n cron.* /var/log/cron\n If the command does not return a response, check for cron logging all facilities by inspecting the\n \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n Look for the following entry:\n *.* /var/log/messages\n If \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.'\n desc 'fix', 'Configure \"rsyslog\" to log all cron messages by adding or updating the following line to\n \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n cron.* /var/log/cron\n The rsyslog daemon must be restarted for the changes to take effect:\n $ sudo systemctl restart rsyslog.service'\n impact 0.5\n tag legacy: ['V-72051', 'SV-86675']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204489'\n tag rid: 'SV-204489r744109_rule'\n tag stig_id: 'RHEL-07-021100'\n tag fix_id: 'F-4613r744108_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['cron', 'rsyslog']\n tag 'host'\n tag 'container'\n\n log_pkg_paths = input('log_pkg_paths').join(' ')\n cron_log = command(\"grep cron #{log_pkg_paths}\").stdout.strip\n facilities_log = inspec.command(\"grep '/var/log/messages' #{log_pkg_paths}\").stdout.strip\n\n describe.one do\n describe 'cron' do\n it 'should be configured for logging in the logging utility config files' do\n expect(cron_log).to match(/:cron/), \"cron not found in #{log_pkg_paths}\"\n end\n end\n describe 'All 
facilities' do\n it 'should be configured for logging in the logging utility config files' do\n expect(facilities_log).to match(%r{^.+:\\*\\.\\*\\s+/var/log/messages}), \"cron not found in #{log_pkg_paths}\"\n end\n end\n end\nend\n", + "code": "control 'SV-204509' do\n title 'The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media\n from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n Off-loading is a common process in information systems with limited audit storage capacity.'\n desc 'check', 'Verify the operating system off-loads audit records onto a different system or media from the system\n being audited.\n To determine the remote server that the records are being sent to, use the following command:\n # grep -i remote_server /etc/audisp/audisp-remote.conf\n remote_server = 10.0.21.1\n If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the\n audit logs are off-loaded to a different system or media.\n If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.'\n desc 'fix', 'Configure the operating system to off-load audit records onto a different system or media from the\n system being audited.\n Set the remote server option in \"/etc/audisp/audisp-remote.conf\" with the IP address of the log aggregation server.'\n impact 0.5\n tag legacy: ['V-72083', 'SV-86707']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-204509'\n tag rid: 'SV-204509r877390_rule'\n tag stig_id: 'RHEL-07-030300'\n tag fix_id: 'F-4633r88720_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag subsystems: ['audit', 'audisp']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable 
- audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n elsif file('/etc/audisp/audisp-remote.conf').exist?\n if input('audit_remote_server')\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('remote_server'.to_s) { should cmp input('audit_remote_server') }\n end\n else\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('remote_server'.to_s) { should match(/^\\S+$/) }\n its('remote_server'.to_s) do\n should_not be_in ['localhost', '127.0.0.1']\n end\n end\n end\n else\n describe \"File '/etc/audisp/audisp-remote.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audisp-remote.conf' cannot be found. This check must be performed manually\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204489.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204509.rb", "line": 1 }, - "id": "SV-204489" + "id": "SV-204509" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are\n restricted to a 24 hours/1 day minimum lifetime.", - "desc": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified\n if baseline configurations are changed in an unauthorized manner.", + "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", "descriptions": { - "default": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.", - "check": "Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user\n accounts.\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command:\n # grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.", - "fix": "Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.\n Add the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n PASS_MIN_DAYS 1" + "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", + "check": "Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.\n\nCheck for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.\n\nCheck the cron directories for a \"crontab\" script file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * root /usr/sbin/aide --check\n /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check\n\nAIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil\n\nIf the file integrity application does not notify designated personnel of changes, this is a finding.", + "fix": "Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. 
It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n # more /etc/cron.daily/aide\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil"
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
 "legacy": [
- "V-71925",
- "SV-86549"
+ "V-71975",
+ "SV-86599"
 ],
 "severity": "medium",
- "gtitle": "SRG-OS-000075-GPOS-00043",
- "gid": "V-204418",
- "rid": "SV-204418r603261_rule",
- "stig_id": "RHEL-07-010230",
- "fix_id": "F-4542r88447_fix",
+ "gtitle": "SRG-OS-000363-GPOS-00150",
+ "gid": "V-204446",
+ "rid": "SV-204446r880851_rule",
+ "stig_id": "RHEL-07-020040",
+ "fix_id": "F-36305r880850_fix",
 "cci": [
- "CCI-000198"
+ "CCI-001744"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "CM-3 (5)"
 ],
 "subsystems": [
- "login_defs",
- "password"
- ]
+ "file_integrity_tool"
+ ],
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-204418' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are\n restricted to a 24 hours/1 day minimum lifetime.'\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password\n reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password,\n the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding\n password reuse.\"\n desc 'check', 'Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user\n accounts.\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command:\n # grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.\n Add the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n PASS_MIN_DAYS 1'\n impact 0.5\n tag legacy: ['V-71925', 'SV-86549']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000075-GPOS-00043'\n tag gid: 'V-204418'\n tag rid: 'SV-204418r603261_rule'\n tag stig_id: 'RHEL-07-010230'\n tag fix_id: 'F-4542r88447_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag subsystems: ['login_defs', 'password']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should cmp >= 1 }\n its('PASS_MIN_DAYS') { should_not be_nil }\n end\nend\n", + "code": "control 'SV-204446' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified\n if baseline configurations are changed in an unauthorized manner.'\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\"\n desc 'check', 'Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.\n\nCheck for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.\n\nCheck the cron directories for a \"crontab\" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * root /usr/sbin/aide --check\n /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check\n\nAIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil\n\nIf the file integrity application does not notify designated personnel of changes, this is a finding.'\n desc 'fix', 'Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. 
It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n # more /etc/cron.daily/aide\n\n /usr/sbin/aide --check | /var/spool/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil'\n impact 0.5\n tag legacy: ['V-71975', 'SV-86599']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000363-GPOS-00150'\n tag gid: 'V-204446'\n tag rid: 'SV-204446r880851_rule'\n tag stig_id: 'RHEL-07-020040'\n tag fix_id: 'F-36305r880850_fix'\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag subsystems: ['file_integrity_tool']\n tag 'host'\n tag 'container'\n\n file_integrity_tool = input('file_integrity_tool')\n\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n its('content') { should match %r{/var/spool/mail} }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n its('content') { should match %r{/var/spool/mail} }\n end\n describe crontab('root').where {\n command =~ /#{file_integrity_tool}/\n } do\n its('commands.flatten') { should include(match %r{/var/spool/mail}) }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('commands') { should include(match %r{/var/spool/mail}) }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204418.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204446.rb", "line": 1 }, - "id": "SV-204418" + "id": "SV-204446" }, { - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and\n lchown syscalls.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a 
user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", + "title": "The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and\n Consent Banner before granting local or remote access to the system via a graphical user logon.", + "desc": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy.\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
-At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining\n syscalls into one rule whenever possible.", - "check": "Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"chown\", \"fchown\", \"fchownat\", and \"lchown\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep chown /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"chown\", \"fchown\", \"fchownat\", and \"lchown\"\n syscalls, this is a finding.", - "fix": "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy.\n \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "check": "Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner\n before granting access to the operating system via a graphical user logon.\n Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text\n with the command:\n # grep banner-message-text /etc/dconf/db/local.d/*\n banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'\n Note: The \"\\n \" characters are for formatting only. 
They will not be displayed on the Graphical User Interface.\n If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.", + "fix": "Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent\n Banner before granting access to the system.\n Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the\n following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n [org/gnome/login-screen]\n banner-message-enable=true\n banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'\n Note: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface.\n Run the following command to update the database:\n # dconf update" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "SV-86721", - "V-72097" + "V-71861", + "SV-86485" ], "severity": "medium", - "gtitle": "SRG-OS-000064-GPOS-00033", + "gtitle": "SRG-OS-000023-GPOS-00006", "satisfies": [ - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000474-GPOS-00219" + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000024-GPOS-00007", + "SRG-OS-000228-GPOS-00088" ], - "gid": "V-204517", - "rid": "SV-204517r809570_rule", - "stig_id": "RHEL-07-030370", - "fix_id": "F-4641r809192_fix", + "gid": "V-204394", + "rid": "SV-204394r603261_rule", + "stig_id": "RHEL-07-010040", + "fix_id": "F-4518r297479_fix", "cci": [ - "CCI-000126", - "CCI-000172" + "CCI-000048" ], "nist": [ - "AU-2 d", - "AU-12 c", - "AU-2 c" + "AC-8 a" ], "subsystems": [ - "audit", - "auditd", - "audit_rule" + "gdm" ], "host": null }, - "code": "control 'SV-204517' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and\n lchown syscalls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or 
policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the\n system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect\n performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining\n syscalls into one rule whenever possible.'\n desc 'check', 'Verify the operating system generates audit records upon successful/unsuccessful attempts to use the\n \"chown\", \"fchown\", \"fchownat\", and \"lchown\" syscalls.\n Check the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n # grep chown /etc/audit/audit.rules\n -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n If both the \"b32\" and \"b64\" audit rules are not defined for the \"chown\", \"fchown\", \"fchownat\", and \"lchown\"\n syscalls, this is a finding.'\n desc 'fix', 'Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86721', 'V-72097']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000064-GPOS-00033'\n tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000458-GPOS-00203', 
'SRG-OS-000474-GPOS-00219']\n tag gid: 'V-204517'\n tag rid: 'SV-204517r809570_rule'\n tag stig_id: 'RHEL-07-030370'\n tag fix_id: 'F-4641r809192_fix'\n tag cci: ['CCI-000126', 'CCI-000172']\n tag nist: ['AU-2 d', 'AU-12 c', 'AU-2 c']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_syscalls = ['chown', 'fchown', 'fchownat', 'lchown']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('perm_mod')\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204394' do\n title \"The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and\n Consent Banner before granting local or remote access to the system via a graphical user logon.\"\n desc \"Display of a standardized and approved use notification before granting access to the operating system\n ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces with human users and are not required\n when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy.\n 
\\\"#{input('banner_message_text_gui')}\\\" \"\n desc 'check', \"Verify the operating system displays the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner\n before granting access to the operating system via a graphical user logon.\n Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n Check that the operating system displays the exact approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner text\n with the command:\n # grep banner-message-text /etc/dconf/db/local.d/*\n banner-message-text='#{input('banner_message_text_gui')}'\n Note: The \\\"\\\\n \\\" characters are for formatting only. They will not be displayed on the Graphical User Interface.\n If the banner does not match the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding.\"\n desc 'fix', \"Configure the operating system to display the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent\n Banner before granting access to the system.\n Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the\n following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the \\\"/etc/dconf/db/local.d/01-banner-message\\\":\n [org/gnome/login-screen]\n banner-message-enable=true\n banner-message-text='#{input('banner_message_text_gui')}'\n Note: The \\\"\\\\n \\\" characters are for formatting only. 
They will not be displayed on the Graphical User Interface.\n Run the following command to update the database:\n # dconf update\"\n impact 0.5\n tag legacy: ['V-71861', 'SV-86485']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-204394'\n tag rid: 'SV-204394r603261_rule'\n tag stig_id: 'RHEL-07-010040'\n tag fix_id: 'F-4518r297479_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag subsystems: ['gdm']\n tag 'host'\n\n if package('gnome-desktop3').installed?\n # Get all files that have the banner-message-text specified.\n banner_files =\n command('grep -l banner-message-text /etc/dconf/db/local.d/*').stdout.split(\"\\n\")\n # If there are no banner files then this is a finding.\n banner_missing = banner_files.empty?\n if banner_missing\n describe 'If no files specify the banner text then this is a finding' do\n subject { banner_missing }\n it { should be false }\n end\n end\n # If there are banner files then check them to make sure they have the correct text.\n banner_files.each do |banner_file|\n banner_message =\n parse_config_file(banner_file).params('org/gnome/login-screen', 'banner-message-text').gsub(\n /[\\r\\n\\s]/, ''\n )\n # dconf expects the banner-message-text to be quoted so remove leading and trailing quote.\n # See https://developer.gnome.org/dconf/unstable/dconf-tool.html which states:\n # VALUE arguments must be in GVariant format, so e.g. a string must include\n # explicit quotes: \"'foo'\". 
This format is also used when printing out values.\n if banner_message.start_with?('\"') || banner_message.start_with?('\\'')\n banner_message = banner_message[1, banner_message.length]\n end\n if banner_message.end_with?('\"') || banner_message.end_with?('\\'')\n banner_message = banner_message.chop\n end\n banner_message.gsub!('\\\\n', '')\n foo = input('banner_message_text_gui')\n foo2 = input('banner_message_text_gui_limited')\n describe.one do\n describe banner_message do\n it { should cmp foo.gsub(/[\\r\\n\\s]/, '') }\n end\n describe banner_message do\n it { should cmp foo2.gsub(/[\\r\\n\\s]/, '') }\n end\n end\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204517.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204394.rb", "line": 1 }, - "id": "SV-204517" + "id": "SV-204394" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the\n number of repeating characters of the same character class must not be more than four characters.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", + "title": "The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using \"sudo\".", + "desc": "The sudoers security policy requires that users authenticate themselves before they can use sudo. 
When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the \"root\" user password.\nFor more information on each of the listed configurations, reference the sudoers(5) manual page.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.", - "check": "The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the\n same class in the new password.\n Check for the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n $ sudo grep maxclassrepeat /etc/security/pwquality.conf\n maxclassrepeat = 4\n If the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.", - "fix": "Configure the operating system to require the change of the number of repeating characters of the same\n character class when passwords are changed by setting the \"maxclassrepeat\" option.\n Add the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n maxclassrepeat = 4" + "default": "The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. 
If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the \"root\" user password.\nFor more information on each of the listed configurations, reference the sudoers(5) manual page.", + "check": "Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n /etc/sudoers:Defaults !targetpw\n /etc/sudoers:Defaults !rootpw\n /etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.", + "fix": "Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n Defaults !targetpw\n Defaults !rootpw\n Defaults !runaspw\n\nRemove any configurations that conflict with the above from the following locations:\n /etc/sudoers\n /etc/sudoers.d/" }, "impact": 0.5, "refs": [], "tags": { - "legacy": [ - "SV-86541", - "V-71917" - ], "severity": "medium", - "gtitle": "SRG-OS-000072-GPOS-00040", - "gid": "V-204414", - "rid": "SV-204414r809186_rule", - "stig_id": "RHEL-07-010190", - "fix_id": "F-4538r88435_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "satisfies": null, + "gid": "V-237634", + "rid": "SV-237634r880755_rule", + "stig_id": "RHEL-07-010342", + "fix_id": "F-40816r880754_fix", "cci": [ - "CCI-000195" + "CCI-002227" ], + "legacy": [], "nist": [ - "IA-5 (1) (b)" + "AC-6 (5)" ], "subsystems": [ - "pwquality", - "password" + "sudo" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204414' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the\n number of repeating characters of the same 
character class must not be more than four characters.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password.\n Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing\n and brute-force attacks.\n Password complexity is one factor of several that determines how long it takes to crack a password. The more complex\n the password, the greater the number of possible combinations that need to be tested before the password is\n compromised.'\n desc 'check', 'The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the\n same class in the new password.\n Check for the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n $ sudo grep maxclassrepeat /etc/security/pwquality.conf\n maxclassrepeat = 4\n If the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of the number of repeating characters of the same\n character class when passwords are changed by setting the \"maxclassrepeat\" option.\n Add the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n maxclassrepeat = 4'\n impact 0.5\n tag legacy: ['SV-86541', 'V-71917']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-204414'\n tag rid: 'SV-204414r809186_rule'\n tag stig_id: 'RHEL-07-010190'\n tag fix_id: 'F-4538r88435_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag subsystems: ['pwquality', 'password']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('maxclassrepeat') { should_not cmp > input('max_classrepeat') }\n its('maxclassrepeat') { should_not cmp <= 0 }\n its('maxclassrepeat') { should_not be_nil }\n end\nend\n", + "code": "control 
'SV-237634' do\n title %q(The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using \"sudo\".)\n desc %q(The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the \"root\" user password.\nFor more information on each of the listed configurations, reference the sudoers(5) manual page.)\n desc 'check', %q(Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n /etc/sudoers:Defaults !targetpw\n /etc/sudoers:Defaults !rootpw\n /etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.)\n desc 'fix', 'Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n Defaults !targetpw\n Defaults !rootpw\n Defaults !runaspw\n\nRemove any configurations that conflict with the above from the following locations:\n /etc/sudoers\n /etc/sudoers.d/'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag satisfies: nil\n tag gid: 'V-237634'\n tag rid: 'SV-237634r880755_rule'\n tag stig_id: 'RHEL-07-010342'\n tag fix_id: 'F-40816r880754_fix'\n tag cci: ['CCI-002227']\n tag legacy: []\n tag nist: ['AC-6 (5)']\n tag subsystems: ['sudo']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo 
enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n sudoers_settings = command(\"grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d | grep -v '#'\").stdout.strip\n\n target_match = sudoers_settings.scan(/^([^:]+):Defaults\\s+!targetpw$/).flatten\n root_match = sudoers_settings.scan(/^([^:]+):Defaults\\s+!rootpw$/).flatten\n runas_match = sudoers_settings.scan(/^([^:]+):Defaults\\s+!runaspw$/).flatten\n\n target_match_file = target_match.empty? ? nil : target_match.first\n\n describe '!targetpw flag' do\n it 'should be set' do\n expect(target_match).not_to be_empty\n end\n it 'should be set in exactly one file' do\n expect(target_match.count).to cmp 1\n end\n end\n\n describe '!rootpw flag' do\n it 'should be set' do\n expect(root_match).not_to be_empty\n end\n it 'should be set in the same file as targetpw' do\n expect(root_match.first).to cmp target_match_file\n end\n it 'should be set in exactly one file' do\n expect(root_match.count).to cmp 1\n end\n end\n\n describe '!runaspw flag' do\n it 'should be set' do\n expect(runas_match).not_to be_empty\n end\n it 'should be set in the same file as targetpw' do\n expect(runas_match.first).to cmp target_match_file\n end\n it 'should be set in exactly one file' do\n expect(runas_match.count).to cmp 1\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204414.rb", + "ref": "./Red Hat 7 STIG/controls/SV-237634.rb", "line": 1 }, - "id": "SV-204414" + "id": "SV-237634" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using known hosts authentication.", - "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", + "title": "The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute 
period of\n inactivity for graphical user interfaces.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", "descriptions": { - "default": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", - "check": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n To determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run the following command:\n # grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n IgnoreUserKnownHosts yes\n If the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n IgnoreUserKnownHosts yes\n The SSH service must be restarted for changes to take effect." 
+ "default": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.", + "check": "Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:\n\n # grep -i idle-delay /etc/dconf/db/local.d/*\n idle-delay=uint32 900\n\nIf the \"idle-delay\" setting is missing or is not set to \"900\" or less, this is a finding.", + "fix": "Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for\n graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n [org/gnome/desktop/session]\n # Set the lock time out to 900 seconds before the session is considered idle\n idle-delay=uint32 900\n You must include the \"uint32\" along with the integer key values as shown.\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "V-72249", - "SV-86873" + "V-71893", + "SV-86517" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204593", - "rid": "SV-204593r603261_rule", - "stig_id": "RHEL-07-040380", - "fix_id": "F-4717r88972_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "gid": "V-204398", + "rid": "SV-204398r880770_rule", + "stig_id": "RHEL-07-010070", + "fix_id": "F-4522r880769_fix", "cci": [ - "CCI-000366" + "CCI-000057" ], "nist": [ - "CM-6 b" + "AC-11 a" ], "subsystems": [ - "ssh" + "gui", + "screensaver", + "session", + "lock" ], "host": null }, - "code": "control 'SV-204593' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using known hosts authentication.'\n desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow authentication using known hosts authentication.\n To determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run the following command:\n # grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n IgnoreUserKnownHosts yes\n If the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow authentication using known hosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n IgnoreUserKnownHosts yes\n The SSH service must be restarted for changes to take effect.'\n impact 0.5\n tag legacy: ['V-72249', 'SV-86873']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204593'\n tag rid: 'SV-204593r603261_rule'\n tag stig_id: 'RHEL-07-040380'\n tag fix_id: 'F-4717r88972_fix'\n tag cci: ['CCI-000366']\n tag 
nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('IgnoreUserKnownHosts') { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-204398' do\n title \"The Red Hat Enterprise Linux operating system must initiate a screensaver after a #{input('system_activity_timeout')/60}-minute period of\n inactivity for graphical user interfaces.\"\n desc \"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate\n physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,\n operating systems need to be able to identify when a user's session has idled and take action to initiate the\n session lock.\n The session lock is implemented at the point where session activity can be determined and/or controlled.\"\n desc 'check', \"Verify the operating system initiates a screensaver after a #{input('system_activity_timeout')/60}-minute period of inactivity for graphical user interfaces.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if GNOME is configured to display a screensaver after a #{input('system_activity_timeout')/60} minute delay with the following command:\n\n # grep -i idle-delay /etc/dconf/db/local.d/*\n idle-delay=uint32 #{input('system_activity_timeout')}\n\nIf the \\\"idle-delay\\\" setting is missing or is not set to \\\"#{input('system_activity_timeout')}\\\" or less, this is a finding.\"\n desc 'fix', \"Configure the operating system to initiate a screensaver after a 
#{input('system_activity_timeout')/60}-minute period of inactivity for\n graphical user interfaces.\n Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following\n command:\n # touch /etc/dconf/db/local.d/00-screensaver\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n [org/gnome/desktop/session]\n # Set the lock time out to #{input('system_activity_timeout')} seconds before the session is considered idle\n idle-delay=uint32 #{input('system_activity_timeout')}\n You must include the \\\"uint32\\\" along with the integer key values as shown.\n Update the system databases:\n # dconf update\n Users must log out and back in again before the system-wide settings take effect.\"\n impact 0.5\n tag legacy: ['V-71893', 'SV-86517']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag gid: 'V-204398'\n tag rid: 'SV-204398r880770_rule'\n tag stig_id: 'RHEL-07-010070'\n tag fix_id: 'F-4522r880769_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag subsystems: ['gui', 'screensaver', 'session', 'lock']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif package('gnome-desktop3').installed?\n\n describe command(\"gsettings get org.gnome.desktop.session idle-delay | cut -d ' ' -f2\") do\n its('stdout.strip') { should cmp <= input('system_activity_timeout') }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204593.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204398.rb", "line": 1 }, - "id": "SV-204593" + "id": "SV-204398" }, { - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account 
creations,\n modifications, disabling, and termination events that affect /etc/group.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", - "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/group\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/group /etc/audit/audit.rules\n -w /etc/group -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/group\".\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/group -p wa -k identity\n The audit daemon must be restarted for the changes to take effect." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/chcon\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-87817", - "V-73165" + "V-72139", + "SV-86763" ], "severity": "medium", - "gtitle": "SRG-OS-000004-GPOS-00004", - "gid": "V-204565", - "rid": "SV-204565r853979_rule", - "stig_id": "RHEL-07-030871", - "fix_id": "F-4689r88888_fix", + "gtitle": "SRG-OS-000392-GPOS-00172", + "satisfies": [ + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000465-GPOS-00209" + ], + "gid": "V-204538", + "rid": "SV-204538r861020_rule", + "stig_id": "RHEL-07-030580", + "fix_id": "F-4662r861019_fix", "cci": [ - "CCI-000018", "CCI-000172", - "CCI-001403", - "CCI-002130" + "CCI-002884" ], "nist": [ - "AC-2 (4)", "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" + "MA-4 (1) (a)" ], "subsystems": [ "audit", 
@@ -9906,34 +9833,34 @@ ], "host": null }, - "code": "control 'SV-204565' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/group.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/group\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/group /etc/audit/audit.rules\n -w /etc/group -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/group\".\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n -w /etc/group -p wa -k identity\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-87817', 'V-73165']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag gid: 'V-204565'\n tag rid: 'SV-204565r853979_rule'\n tag stig_id: 'RHEL-07-030871'\n tag fix_id: 'F-4689r88888_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/group'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit 
config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", + "code": "control 'SV-204538' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n$ sudo grep -w \"/usr/bin/chcon\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['V-72139', 'SV-86763']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000392-GPOS-00172'\n tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000465-GPOS-00209']\n tag gid: 'V-204538'\n tag rid: 'SV-204538r861020_rule'\n tag stig_id: 'RHEL-07-030580'\n tag fix_id: 'F-4662r861019_fix'\n tag cci: ['CCI-000172', 'CCI-002884']\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/bin/chcon'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 
'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-priv_change')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204565.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204538.rb", "line": 1 }, - "id": "SV-204565" + "id": "SV-204538" }, { - "title": "The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null\n passwords.", - "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that\n account. Accounts with empty passwords should never be used in operational environments.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key\n sequence is disabled on the command line.", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of\n unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any\n action is taken.", "descriptions": { - "default": "If an account has an empty password, anyone could log on and run commands with the privileges of that\n account. 
Accounts with empty passwords should never be used in operational environments.", - "check": "To verify that null passwords cannot be used, run the following command:\n # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n If this produces any output, it may be possible to log on with accounts with empty passwords.\n If null passwords can be used, this is a finding.", - "fix": "If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons with empty passwords.\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used." + "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. 
In the GNOME graphical environment, risk of\n unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any\n action is taken.", + "check": "Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active with the following command:\n\n$ sudo systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (/dev/null; bad)\nActive: inactive (dead)\n\nIf the ctrl-alt-del.target is not masked, this is a finding.\n\nIf the ctrl-alt-del.target is active, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl mask ctrl-alt-del.target" }, "impact": 0.7, "refs": [], "tags": { "legacy": [ - "V-71937", - "SV-86561" + "SV-86617", + "V-71993" ], "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204424", - "rid": "SV-204424r880839_rule", - "stig_id": "RHEL-07-010290", - "fix_id": "F-4548r880838_fix", + "gid": "V-204455", + "rid": "SV-204455r833106_rule", + "stig_id": "RHEL-07-020230", + "fix_id": "F-4579r833105_fix", "cci": [ "CCI-000366" ], 
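Review bot: The new SV-204538 code asserts the literal field string `'auid!=-1'` while the check and fix text added in the same hunk prescribe `-F auid!=unset`, so pass/fail depends on how the `auditd` resource renders that field from the rule listing rather than on what the STIG text requires. The control's own description states that -1, 4294967295 and "unset" are treated identically by the audit system, so a rule written exactly as the fix instructs could be reported as a failure on any platform whose rule listing does not normalize the value to -1 (this is likely fine on RHEL 7's audit 2.x, but that assumption is undocumented). Either document the dependency with a comment such as `# auditctl -l reports an unset auid as -1; the fix text's 'auid!=unset' is the same rule`, or accept all three spellings in the `include` matcher so the test tracks the requirement instead of one tool's output format.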
@@ -9941,85 +9868,123 @@ "CM-6 b" ], "subsystems": [ - "pam", - "password" + "gui", + "general" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204424' do\n title 'The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null\n passwords.'\n desc 'If an account has an empty password, anyone could log on and run commands with the privileges of that\n account. Accounts with empty passwords should never be used in operational environments.'\n desc 'check', 'To verify that null passwords cannot be used, run the following command:\n # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n If this produces any output, it may be possible to log on with accounts with empty passwords.\n If null passwords can be used, this is a finding.'\n desc 'fix', 'If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons with empty passwords.\n\nNote: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.'\n impact 0.7\n tag legacy: ['V-71937', 'SV-86561']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204424'\n tag rid: 'SV-204424r880839_rule'\n tag stig_id: 'RHEL-07-010290'\n tag fix_id: 'F-4548r880838_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['pam', 'password']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should_not match_pam_rule('.* .* pam_unix.so nullok') }\n end\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should_not match_pam_rule('.* .* 
pam_unix.so nullok') }\n end\nend\n", + "code": "control 'SV-204455' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key\n sequence is disabled on the command line.'\n desc 'A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If\n accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term\n loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of\n unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any\n action is taken.'\n desc 'check', 'Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active with the following command:\n\n$ sudo systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (/dev/null; bad)\nActive: inactive (dead)\n\nIf the ctrl-alt-del.target is not masked, this is a finding.\n\nIf the ctrl-alt-del.target is active, this is a finding.'\n desc 'fix', 'Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl mask ctrl-alt-del.target'\n impact 0.7\n tag legacy: ['SV-86617', 'V-71993']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204455'\n tag rid: 'SV-204455r833106_rule'\n tag stig_id: 'RHEL-07-020230'\n tag fix_id: 'F-4579r833105_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gui', 'general']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n service_load_state = systemd_service('ctrl-alt-del.target').params.LoadState\n service_active_state = 
systemd_service('ctrl-alt-del.target').params.ActiveState\n\n describe 'ctrl-alt-del.target' do\n it 'should be masked' do\n expect(service_load_state).to cmp('masked')\n end\n end\n\n describe 'ctrl-alt-del.target' do\n it 'should be inactive' do\n expect(service_active_state).to cmp('inactive')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204424.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204455.rb", "line": 1 }, - "id": "SV-204424" + "id": "SV-204455" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to\n only use the SSHv2 protocol.", - "desc": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits.\n Exploits of the SSH daemon could provide immediate root access to the system.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled\n except to fulfill documented and validated mission requirements.", + "desc": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack\n when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect\n clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no''\n setting.\n X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host\n (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. 
An\n attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also\n enabled.\n If X11 services are not required for the system's intended function, they should be disabled or restricted as\n appropriate to the system’s needs.", "descriptions": { - "default": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits.\n Exploits of the SSH daemon could provide immediate root access to the system.", - "check": "Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n If the release is 7.4 or newer this requirement is Not Applicable.\n Verify the SSH daemon is configured to only use the SSHv2 protocol.\n Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n # grep -i protocol /etc/ssh/sshd_config\n Protocol 2\n #Protocol 1,2\n If any protocol line other than \"Protocol 2\" is uncommented, this is a finding.", - "fix": "Remove all Protocol lines that reference version \"1\" in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The\n \"Protocol\" line must be as follows:\n Protocol 2\n The SSH service must be restarted for changes to take effect." + "default": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack\n when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect\n clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no''\n setting.\n X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host\n (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. 
An\n attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also\n enabled.\n If X11 services are not required for the system's intended function, they should be disabled or restricted as\n appropriate to the system’s needs.", + "check": "Determine if X11Forwarding is disabled with the following command:\n # grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"\n X11Forwarding no\n If the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System Security Officer\n (ISSO) as an operational requirement or is missing, this is a finding.", + "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and\n set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor):\n X11Forwarding no\n The SSH service must be restarted for changes to take effect:\n # systemctl restart sshd" }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86875", - "V-72251" + "SV-86927", + "V-72303" ], - "severity": "high", - "gtitle": "SRG-OS-000074-GPOS-00042", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-204622", + "rid": "SV-204622r603849_rule", + "stig_id": "RHEL-07-040710", + "fix_id": "F-4746r622312_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ], + "subsystems": [ + "ssh" + ], + "host": null + }, + "code": "control 'SV-204622' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled\n except to fulfill documented and validated mission requirements.'\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack\n when the SSH client requests forwarding. 
A system administrator may have a stance in which they want to protect\n clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no''\n setting.\n X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host\n (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An\n attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also\n enabled.\n If X11 services are not required for the system's intended function, they should be disabled or restricted as\n appropriate to the system’s needs.\"\n desc 'check', 'Determine if X11Forwarding is disabled with the following command:\n # grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"\n X11Forwarding no\n If the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System Security Officer\n (ISSO) as an operational requirement or is missing, this is a finding.'\n desc 'fix', 'Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and\n set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH\n that is provided by a third-party vendor):\n X11Forwarding no\n The SSH service must be restarted for changes to take effect:\n # systemctl restart sshd'\n impact 0.5\n tag legacy: ['SV-86927', 'V-72303']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204622'\n tag rid: 'SV-204622r603849_rule'\n tag stig_id: 'RHEL-07-040710'\n tag fix_id: 'F-4746r622312_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control 
not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 7 STIG/controls/SV-204622.rb", + "line": 1 + }, + "id": "SV-204622" + }, + { + "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill\n documented and validated mission requirements.", + "desc": "Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", + "descriptions": { + "default": "Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.", + "check": "Verify the operating system automatically terminates a user session after inactivity time-outs have\n expired.\n Check for the value of the \"ClientAliveInterval\" keyword with the following command:\n # grep -iw clientaliveinterval /etc/ssh/sshd_config\n ClientAliveInterval 600\n If \"ClientAliveInterval\" is not configured, commented out, or has a value of \"0\", this is a finding.\n If \"ClientAliveInterval\" has a value that is greater than \"600\" and is not documented with the Information System\n Security Officer (ISSO) as an operational requirement, this is a finding.", + "fix": "Configure the operating system to automatically terminate a user session after inactivity time-outs\n have expired or at shutdown.\n Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor):\n ClientAliveInterval 600\n The SSH service must be restarted for changes to take effect." 
+ }, + "impact": 0.5, + "refs": [], + "tags": { + "legacy": [ + "V-72237", + "SV-86861" + ], + "severity": "medium", + "gtitle": "SRG-OS-000163-GPOS-00072", "satisfies": [ - "SRG-OS-000074-GPOS-00042", - "SRG-OS-000480-GPOS-00227" + "SRG-OS-000163-GPOS-00072", + "SRG-OS-000279-GPOS-00109" ], - "gid": "V-204594", - "rid": "SV-204594r877396_rule", - "stig_id": "RHEL-07-040390", - "fix_id": "F-4718r88975_fix", + "gid": "V-204587", + "rid": "SV-204587r861072_rule", + "stig_id": "RHEL-07-040320", + "fix_id": "F-4711r88954_fix", "cci": [ - "CCI-000197", - "CCI-000366" + "CCI-001133", + "CCI-002361" ], "nist": [ - "IA-5 (1) (c)", - "CM-6 b" + "SC-10", + "AC-12" ], "subsystems": [ "ssh" ], "host": null }, - "code": "control 'SV-204594' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to\n only use the SSHv2 protocol.'\n desc 'SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits.\n Exploits of the SSH daemon could provide immediate root access to the system.'\n desc 'check', 'Check the version of the operating system with the following command:\n # cat /etc/redhat-release\n If the release is 7.4 or newer this requirement is Not Applicable.\n Verify the SSH daemon is configured to only use the SSHv2 protocol.\n Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n # grep -i protocol /etc/ssh/sshd_config\n Protocol 2\n #Protocol 1,2\n If any protocol line other than \"Protocol 2\" is uncommented, this is a finding.'\n desc 'fix', 'Remove all Protocol lines that reference version \"1\" in \"/etc/ssh/sshd_config\" (this file may be named\n differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
The\n \"Protocol\" line must be as follows:\n Protocol 2\n The SSH service must be restarted for changes to take effect.'\n impact 0.7\n tag legacy: ['SV-86875', 'V-72251']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000074-GPOS-00042'\n tag satisfies: ['SRG-OS-000074-GPOS-00042', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-204594'\n tag rid: 'SV-204594r877396_rule'\n tag stig_id: 'RHEL-07-040390'\n tag fix_id: 'F-4718r88975_fix'\n tag cci: ['CCI-000197', 'CCI-000366']\n tag nist: ['IA-5 (1) (c)', 'CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n elsif os.release.to_f >= 7.4\n\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip 'The release is newer than 7.4; this control is Not Applicable.'\n end\n else\n describe sshd_config do\n its('Protocol') { should cmp '2' }\n end\n end\nend\n", + "code": "control 'SV-204587' do\n title \"The Red Hat Enterprise Linux operating system must be configured so that all network connections associated\n with SSH traffic are terminated at the end of the session or after #{input('client_alive_interval')/60} minutes of inactivity, except to fulfill\n documented and validated mission requirements.\"\n desc 'Terminating an idle SSH session within a short time period reduces the window of opportunity for\n unauthorized personnel to take control of a management session enabled on the console or console port that has been\n left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the\n managed network element.\n Terminating network connections associated with communications sessions includes, for example, de-allocating\n associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the\n application level if multiple application sessions are using a single operating system-level network connection.\n This does not mean that the operating system terminates all sessions or network access; it only ends the inactive\n session and releases the resources associated with that session.'\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity time-outs have\n expired.\n Check for the value of the \\\"ClientAliveInterval\\\" keyword with the following command:\n # grep -iw clientaliveinterval /etc/ssh/sshd_config\n ClientAliveInterval #{input('client_alive_interval')}\n If \\\"ClientAliveInterval\\\" is not configured, commented out, or has a value of \\\"0\\\", this is a finding.\n If \\\"ClientAliveInterval\\\" has a value that is greater than \\\"#{input('client_alive_interval')}\\\" and is not documented with the Information System\n Security Officer (ISSO) as an operational requirement, this is a finding.\"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity time-outs\n have expired or at shutdown.\n Add the following line (or modify the line to have the required value) to the \\\"/etc/ssh/sshd_config\\\" file (this file\n may be named differently or be in a different location if using a version of SSH that is provided by a third-party\n vendor):\n ClientAliveInterval #{input('client_alive_interval')}\n The SSH service must be restarted for changes to take effect.\"\n impact 0.5\n tag legacy: ['V-72237', 'SV-86861']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag satisfies: 
['SRG-OS-000163-GPOS-00072', 'SRG-OS-000279-GPOS-00109']\n tag gid: 'V-204587'\n tag rid: 'SV-204587r861072_rule'\n tag stig_id: 'RHEL-07-040320'\n tag fix_id: 'F-4711r88954_fix'\n tag cci: ['CCI-001133', 'CCI-002361']\n tag nist: ['SC-10', 'AC-12']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n # This may show slightly confusing results when a ClientAliveInterValue is not\n # specified. Specifically, because the value will be nil and when you try to\n # convert it to an integer using to_i it will convert it to 0 and pass the\n # <= client_alive_interval check. However, the control as a whole will still fail.\n describe sshd_config do\n its('ClientAliveInterval') { should be_between(1, input('client_alive_interval')) }\n its('ClientAliveInterval') { should_not eq nil }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204594.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204587.rb", "line": 1 }, - "id": "SV-204594" + "id": "SV-204587" }, { - "title": "The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to\n date.", - "desc": "Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of\n information technology (IT) systems. However, failure to keep operating system and application software patched is a\n common mistake made by IT professionals. New patches are released daily, and it is often difficult for even\n experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the problems. 
If the most recent security patches\n and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The\n lack of prompt attention to patching could result in a system compromise.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories are group-owned by a group of which the home directory owner is\n a member.", + "desc": "If a local interactive user's files are group-owned by a group of which the user is not a member, unintended\n users may be able to access them.", "descriptions": { - "default": "Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of\n information technology (IT) systems. However, failure to keep operating system and application software patched is a\n common mistake made by IT professionals. New patches are released daily, and it is often difficult for even\n experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches\n and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The\n lack of prompt attention to patching could result in a system compromise.", - "check": "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1\n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21\n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.", - "fix": "Install the operating system patches or updated packages available from Red Hat within 30 days or\n sooner as local policy dictates." 
+ "default": "If a local interactive user's files are group-owned by a group of which the user is not a member, unintended\n users may be able to access them.", + "check": "Verify all files and directories in a local interactive user home directory are group-owned by a\n group the user is a member of.\n Check the group owner of all files and directories in a local interactive user's home directory with the following\n command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n # ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n If any files are found with an owner different than the group home directory user, check to see if the user is a\n member of that group with the following command:\n # grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is\n a finding.", + "fix": "Change the group of a local interactive user's files and directories to a group that the interactive\n user is a member of. To change the group owner of a local interactive user's files and directories, use the\n following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the\n users group.\n # chgrp users /home/smithj/" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86623", - "V-71999" + "V-72025", + "SV-86649" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204459", - "rid": "SV-204459r603261_rule", - "stig_id": "RHEL-07-020260", - "fix_id": "F-4583r88570_fix", + "gid": "V-204472", + "rid": "SV-204472r603261_rule", + "stig_id": "RHEL-07-020670", + "fix_id": "F-4596r88609_fix", "cci": [ "CCI-000366" ], 
@@ -10027,119 +9992,139 @@
 "CM-6 b"
 ],
 "subsystems": [
- "packages"
+ "home_dirs"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-204459' do\n title 'The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to\n date.'\n desc 'Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of\n information technology (IT) systems. However, failure to keep operating system and application software patched is a\n common mistake made by IT professionals. New patches are released daily, and it is often difficult for even\n experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches\n and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The\n lack of prompt attention to patching could result in a system compromise.'\n desc 'check', 'Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1\n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21\n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.'\n desc 'fix', 'Install the operating system patches or updated packages available from Red Hat within 30 days or\n sooner as local policy dictates.'\n impact 0.5\n tag legacy: ['SV-86623', 'V-71999']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204459'\n tag rid: 'SV-204459r603261_rule'\n tag stig_id: 'RHEL-07-020260'\n tag fix_id: 'F-4583r88570_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['packages']\n tag 'host'\n tag 'container'\n\n if input('disconnected_system')\n describe \"The system is set to a `disconnected` state and you must validate\n the state of the system packages manually\" do\n skip \"The system is set to a `disconnected` state and you must validate\n the state of the system packages manually, or through another process, if you\n have an established 
update and patch process, please set this control as\n `Not Applicable` with a `caevat` via an overlay.\"\n end\n else\n updates = linux_update.updates\n package_names = updates.map { |h| h['name'] }\n\n describe.one do\n describe 'List of out-of-date packages' do\n subject { package_names }\n it { should be_empty }\n end\n\n updates.each do |update|\n describe package(update['name']) do\n its('version') { should eq update['version'] }\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204472' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories\n contained in local interactive user home directories are group-owned by a group of which the home directory owner is\n a member.'\n desc \"If a local interactive user's files are group-owned by a group of which the user is not a member, unintended\n users may be able to access them.\"\n desc 'check', %q(Verify all files and directories in a local interactive user home directory are group-owned by a\n group the user is a member of.\n Check the group owner of all files and directories in a local interactive user's home directory with the following\n command:\n Note: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n # ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n If any files are found with an owner different than the group home directory user, check to see if the user is a\n member of that group with the following command:\n # grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is\n a finding.)\n desc 'fix', %q(Change the group of a local interactive user's files and directories to a group that the interactive\n user is a member of. 
To change the group owner of a local interactive user's files and directories, use the\n following command:\n Note: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the\n users group.\n # chgrp users /home/smithj/)\n impact 0.5\n tag legacy: ['V-72025', 'SV-86649']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204472'\n tag rid: 'SV-204472r603261_rule'\n tag stig_id: 'RHEL-07-020670'\n tag fix_id: 'F-4596r88609_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['home_dirs']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where do\n !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)\n end.entries.each do |user_info|\n next if exempt_home_users.include?(user_info.username.to_s)\n\n find_args = ''\n user_info.groups.each do |curr_group|\n # some key files and secure dirs (like .ssh) are group owned 'root'\n find_args += \"-not -group #{curr_group} -o root\"\n end\n findings += command(\"find #{user_info.home} -xdev -xautofs #{find_args}\").stdout.split(\"\\n\")\n end\n describe \"Home directory files with incorrect group ownership or not 'root' owned\" do\n subject { findings.to_a }\n it { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204459.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204472.rb", "line": 1 }, - "id": "SV-204459" + "id": "SV-204472" }, { - "title": "The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.", - "desc": 
"Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH\n installed.", + "desc": "Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If\n physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.", "descriptions": { - "default": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.", - "check": "Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nVerify the operating system confines SELinux users to roles that conform to least privilege.\n\nCheck the SELinux User list to SELinux Roles mapping by using the following command:\n\n$ sudo semanage user -l\nSELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles\nguest_u user s0 s0 guest_r\nroot user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r\nstaff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r\nsysadm_u user s0 s0-s0:c0.c1023 sysadm_r\nsystem_u user s0 s0-s0:c0.c1023 system_r unconfined_r\nunconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r\nuser_u user s0 s0 user_r\nxguest_u user s0 s0 xguest_r\n\nIf the output differs from the above example, ask the SA to demonstrate how the SELinux User mappings are exercising least privilege. 
If deviations from the example are not documented with the ISSO and do not demonstrate least privilege, this is a finding.", - "fix": "Configure the operating system to confine SELinux users to roles that conform to least privilege.\n\nUse the following command to map the \"staff_u\" SELinux user to the \"staff_r\" and \"sysadm_r\" roles:\n\n$ sudo semanage user -m staff_u -R staff_r -R sysadm_r\n\nUse the following command to map the \"user_u\" SELinux user to the \"user_r\" role:\n\n$ sudo semanage -m user_u -R user_r" + "default": "Without protection of the transmitted information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If\n physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.", + "check": "Check to see if sshd is installed with the following command:\n # yum list installed \\*ssh\\*\n libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1\n openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n If the \"SSH server\" package is not installed, this is a finding.", + "fix": "Install SSH packages onto the host with the following commands:\n # yum install openssh-server.x86_64" }, "impact": 0.5, "refs": [], "tags": { + "legacy": [ + "SV-86857", + "V-72233" + ], "severity": "medium", - "gtitle": "SRG-OS-000324-GPOS-00125", - "satisfies": null, - "gid": "V-250312", - "rid": "SV-250312r877392_rule", - "stig_id": "RHEL-07-020021", - "fix_id": "F-53700r792842_fix", + "gtitle": "SRG-OS-000423-GPOS-00187", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" + ], + "gid": "V-204585", + "rid": "SV-204585r853989_rule", + "stig_id": "RHEL-07-040300", + "fix_id": "F-4709r88948_fix", "cci": [ - "CCI-002165", - "CCI-002235" + "CCI-002418", + "CCI-002420", + "CCI-002421", + "CCI-002422" ], - "legacy": [], "nist": [ - "AC-3 (4)", - "AC-6 (10)" + "SC-8", + "SC-8 (2)", + "SC-8 (1)", + "SC-8 (2)" ], "subsystems": [ - "selinux" + "ssh" ], "host": null }, - "code": "control 'SV-250312' do\n title 'The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.'\n desc 'Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. 
Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.'\n desc 'check', 'Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nVerify the operating system confines SELinux users to roles that conform to least privilege.\n\nCheck the SELinux User list to SELinux Roles mapping by using the following command:\n\n$ sudo semanage user -l\nSELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles\nguest_u user s0 s0 guest_r\nroot user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r\nstaff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r\nsysadm_u user s0 s0-s0:c0.c1023 sysadm_r\nsystem_u user s0 s0-s0:c0.c1023 system_r unconfined_r\nunconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r\nuser_u user s0 s0 user_r\nxguest_u user s0 s0 xguest_r\n\nIf the output differs from the above example, ask the SA to demonstrate how the SELinux User mappings are exercising least privilege. 
If deviations from the example are not documented with the ISSO and do not demonstrate least privilege, this is a finding.'\n desc 'fix', 'Configure the operating system to confine SELinux users to roles that conform to least privilege.\n\nUse the following command to map the \"staff_u\" SELinux user to the \"staff_r\" and \"sysadm_r\" roles:\n\n$ sudo semanage user -m staff_u -R staff_r -R sysadm_r\n\nUse the following command to map the \"user_u\" SELinux user to the \"user_r\" role:\n\n$ sudo semanage -m user_u -R user_r'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag satisfies: nil\n tag gid: 'V-250312'\n tag rid: 'SV-250312r877392_rule'\n tag stig_id: 'RHEL-07-020021'\n tag fix_id: 'F-53700r792842_fix'\n tag cci: ['CCI-002165', 'CCI-002235']\n tag legacy: []\n tag nist: ['AC-3 (4)', 'AC-6 (10)']\n tag subsystems: ['selinux']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container -- kernel config' do\n skip 'Control not applicable within a container -- kernel config'\n end\n else\n\n expected_mapping = {\n 'staff_u' => ['staff_r', 'sysadm_r'],\n 'user_u' => ['user_r']\n }\n\n selinux_users = command('semanage user -l').stdout.strip\n\n describe 'SELinux user-role mappings' do\n expected_mapping.keys.each do |user|\n staff_user_mapping = selinux_users.match(/^#{user}.+\\d+\\s+(?.*)$/)\n staff_user_roles = staff_user_mapping['roles'].split.to_set unless staff_user_mapping.nil?\n\n it \"should set SELinux user \\'#{user}\\' to only have roles: #{expected_mapping[user].join(' ')}\" do\n expect(staff_user_mapping).not_to be_nil, \"No user \\'#{user}\\'found\"\n expect(staff_user_roles).to eq expected_mapping[user].to_set\n end\n end\n end\n end\nend\n", + "code": "control 'SV-204585' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH\n installed.'\n desc 'Without protection of the transmitted 
information, confidentiality and integrity may be compromised because\n unprotected communications can be intercepted and either read or altered.\n This requirement applies to both internal and external networks and all types of information system components from\n which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers,\n scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are\n exposed to the possibility of interception and modification.\n Protecting the confidentiality and integrity of organizational information can be accomplished by physical means\n (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If\n physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.'\n desc 'check', 'Check to see if sshd is installed with the following command:\n # yum list installed \\\\*ssh\\\\*\n libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1\n openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n If the \"SSH server\" package is not installed, this is a finding.'\n desc 'fix', 'Install SSH packages onto the host with the following commands:\n # yum install openssh-server.x86_64'\n impact 0.5\n tag legacy: ['SV-86857', 'V-72233']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000423-GPOS-00187'\n tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag gid: 'V-204585'\n tag rid: 'SV-204585r853989_rule'\n tag stig_id: 'RHEL-07-040300'\n tag fix_id: 'F-4709r88948_fix'\n tag cci: ['CCI-002418', 'CCI-002420', 'CCI-002421', 'CCI-002422']\n tag nist: ['SC-8', 'SC-8 (2)', 'SC-8 (1)', 'SC-8 (2)']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - SSH is not installed 
within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe package('openssh-server') do\n it { should be_installed }\n end\n describe package('openssh-clients') do\n it { should be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-250312.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204585.rb", "line": 1 }, - "id": "SV-250312" + "id": "SV-204585" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is\n configured to use RPCSEC_GSS.", - "desc": "When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle\n requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The\n RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate\n the remote mount request.", + "title": "The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.", "descriptions": { - "default": "When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle\n requests from the remote user. 
The userid and groupid could mistakenly or maliciously be set incorrectly. The\n RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate\n the remote mount request.", - "check": "Verify \"AUTH_GSS\" is being used to authenticate NFS mounts.\n To check if the system is importing an NFS file system, look for any entries in the \"/etc/fstab\" file that have a\n file system type of \"nfs\" with the following command:\n # cat /etc/fstab | grep nfs\n 192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n If the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the\n \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding.", - "fix": "Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the\n \"sec\" option does not have the \"sys\" setting.\n Ensure the \"sec\" option is defined as \"krb5:krb5i:krb5p\"." + "default": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. 
The audit system interprets -1, 4294967295, and \"unset\" in the same way.", + "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/libexec/openssh/ssh-keysign\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nIf the command does not return any output, this is a finding.", + "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect." 
}, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "SV-86935", - "V-72311" + "SV-86803", + "V-72179" ], "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204626", - "rid": "SV-204626r603261_rule", - "stig_id": "RHEL-07-040750", - "fix_id": "F-4750r89071_fix", + "gtitle": "SRG-OS-000042-GPOS-00020", + "satisfies": [ + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-204556", + "rid": "SV-204556r861065_rule", + "stig_id": "RHEL-07-030780", + "fix_id": "F-4680r861064_fix", "cci": [ - "CCI-000366" + "CCI-000135", + "CCI-000172", + "CCI-002884" ], "nist": [ - "CM-6 b" + "AU-3 (1)", + "AU-12 c", + "MA-4 (1) (a)" ], "subsystems": [ - "nfs", - "etc_fstab" + "audit", + "auditd", + "audit_rule" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-204626' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is\n configured to use RPCSEC_GSS.'\n desc 'When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle\n requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. 
The\n RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate\n the remote mount request.'\n desc 'check', 'Verify \"AUTH_GSS\" is being used to authenticate NFS mounts.\n To check if the system is importing an NFS file system, look for any entries in the \"/etc/fstab\" file that have a\n file system type of \"nfs\" with the following command:\n # cat /etc/fstab | grep nfs\n 192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n If the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the\n \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding.'\n desc 'fix', 'Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the\n \"sec\" option does not have the \"sys\" setting.\n Ensure the \"sec\" option is defined as \"krb5:krb5i:krb5p\".'\n impact 0.5\n tag legacy: ['SV-86935', 'V-72311']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204626'\n tag rid: 'SV-204626r603261_rule'\n tag stig_id: 'RHEL-07-040750'\n tag fix_id: 'F-4750r89071_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['nfs', 'etc_fstab']\n tag 'host'\n tag 'container'\n\n nfs_systems = etc_fstab.nfs_file_systems.entries\n if !nfs_systems.nil? and !nfs_systems.empty?\n nfs_systems.each do |file_system|\n describe file_system do\n its('mount_options') { should include 'sec=krb5:krb5i:krb5p' }\n end\n end\n else\n describe 'No NFS file systems were found.' do\n subject { nfs_systems.nil? or nfs_systems.empty? 
}\n it { should eq true }\n end\n end\nend\n", + "code": "control 'SV-204556' do\n title 'The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough\n information.\n At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must\n maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user\n sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals\n 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.'\n desc 'check', 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -w \"/usr/libexec/openssh/ssh-keysign\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nIf the command does not return any output, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86803', 'V-72179']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000042-GPOS-00020'\n tag satisfies: 
['SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-204556'\n tag rid: 'SV-204556r861065_rule'\n tag stig_id: 'RHEL-07-030780'\n tag fix_id: 'F-4680r861064_fix'\n tag cci: ['CCI-000135', 'CCI-000172', 'CCI-002884']\n tag nist: ['AU-3 (1)', 'AU-12 c', 'MA-4 (1) (a)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/usr/libexec/openssh/ssh-keysign'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('privileged-ssh')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204626.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204556.rb", "line": 1 }, - "id": "SV-204626" + "id": "SV-204556" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using rhosts authentication.", - "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", + "title": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from\n being executed on file systems that are being imported via Network File System (NFS).", + "desc": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. 
This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.", "descriptions": { - "default": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.", - "check": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n To determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command:\n # grep -i IgnoreRhosts /etc/ssh/sshd_config\n IgnoreRhosts yes\n If the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n IgnoreRhosts yes" + "default": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.", + "check": "Verify file systems that are being NFS imported are configured with the \"nosuid\" option.\n Find the file system(s) that contain the directories being exported with the following command:\n # more /etc/fstab | grep nfs\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a\n finding.\n Verify the NFS is mounted with the \"nosuid\" option:\n # mount | grep nfs | grep nosuid\n If no results are returned, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are being imported via\n NFS." }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72243", - "SV-86867" + "SV-86669", + "V-72045" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204590", - "rid": "SV-204590r603261_rule", - "stig_id": "RHEL-07-040350", - "fix_id": "F-4714r88963_fix", + "gid": "V-204482", + "rid": "SV-204482r603261_rule", + "stig_id": "RHEL-07-021020", + "fix_id": "F-4606r88639_fix", "cci": [ "CCI-000366" ], 
@@ -10147,38 +10132,39 @@ "CM-6 b" ], "subsystems": [ - "ssh" + "etc_fstab" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204590' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow\n authentication using rhosts authentication.'\n desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will\n require a password, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow authentication using known hosts authentication.\n To determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command:\n # grep -i IgnoreRhosts /etc/ssh/sshd_config\n IgnoreRhosts yes\n If the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow authentication using known hosts authentication.\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n IgnoreRhosts yes'\n impact 0.5\n tag legacy: ['V-72243', 'SV-86867']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204590'\n tag rid: 'SV-204590r603261_rule'\n tag stig_id: 'RHEL-07-040350'\n tag fix_id: 'F-4714r88963_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['ssh']\n tag 'host'\n\n if virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_config do\n its('IgnoreRhosts') { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-204482' do\n title 'The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from\n being executed on file systems 
that are being imported via Network File System (NFS).'\n desc 'The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner\n privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\"\n files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain\n unauthorized administrative access.'\n desc 'check', 'Verify file systems that are being NFS imported are configured with the \"nosuid\" option.\n Find the file system(s) that contain the directories being exported with the following command:\n # more /etc/fstab | grep nfs\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a\n finding.\n Verify the NFS is mounted with the \"nosuid\" option:\n # mount | grep nfs | grep nosuid\n If no results are returned, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are being imported via\n NFS.'\n impact 0.5\n tag legacy: ['SV-86669', 'V-72045']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204482'\n tag rid: 'SV-204482r603261_rule'\n tag stig_id: 'RHEL-07-021020'\n tag fix_id: 'F-4606r88639_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['etc_fstab']\n tag 'host'\n tag 'container'\n\n nfs_systems = etc_fstab.nfs_file_systems.entries\n\n if !nfs_systems.nil? && !nfs_systems.empty?\n nfs_systems.each do |nfs_system|\n describe \"Network File System mounted on #{nfs_system['mount_point']}\" do\n subject { nfs_system }\n its('mount_options') { should include 'nosuid' }\n end\n end\n else\n describe 'No NFS file systems were found' do\n subject { nfs_systems.nil? || nfs_systems.empty? 
}\n it { should eq true }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204590.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204482.rb", "line": 1 }, - "id": "SV-204590" + "id": "SV-204482" }, { - "title": "The Red Hat Enterprise Linux operating system must implement virtual address space randomization.", - "desc": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of\n attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally,\n ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it\n using return-oriented programming (ROP) techniques.", + "title": "The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer\n Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.", + "desc": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting\n system files.", "descriptions": { - "default": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of\n attack code he or she has introduced into a process's address space during an attempt at exploitation. 
Additionally,\n ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it\n using return-oriented programming (ROP) techniques.", - "check": "Verify the operating system implements virtual address space randomization.\n\n # grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not configured in the /etc/sysctl.conf file or or in any of the other sysctl.d directories, is commented out or does not have a value of \"2\", this is a finding.\n\nCheck that the operating system implements virtual address space randomization with the following command:\n\n # /sbin/sysctl -a | grep kernel.randomize_va_space\n kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" does not have a value of \"2\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system implement virtual address space randomization.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a config file\n in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n kernel.randomize_va_space = 2\n Issue the following command to make the changes take effect:\n # sysctl --system" + "default": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting\n system files.", + "check": "Verify the TFTP daemon is configured to operate in secure mode.\n Check to see if a TFTP server has been installed with the following commands:\n # yum list installed tftp-server\n tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n If a TFTP server is not installed, this is Not Applicable.\n If a TFTP server is installed, check for the server arguments with the following command:\n # grep server_args /etc/xinetd.d/tftp\n 
server_args = -s /var/lib/tftpboot\n If the \"server_args\" line does not have a \"-s\" option and a subdirectory is not assigned, this is a finding.", + "fix": "Configure the TFTP daemon to operate in secure mode by adding the following line to\n \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n server_args = -s /var/lib/tftpboot" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "legacy": [ - "SV-92521", - "V-77825" + "SV-86929", + "V-72305" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204584", - "rid": "SV-204584r880794_rule", - "stig_id": "RHEL-07-040201", - "fix_id": "F-4708r880793_fix", + "gid": "V-204623", + "rid": "SV-204623r603261_rule", + "stig_id": "RHEL-07-040720", + "fix_id": "F-4747r89062_fix", "cci": [ "CCI-000366" ], 
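Review bot: The new `"impact": 0` on the TFTP secure-mode control (SV-204623) contradicts the `"severity": "medium"` right beside it and the static `impact 0.5` its embedded code declares further down; the zero is presumably the post-run value captured on whatever host generated this export, where `package('tftp-server').installed?` was false and the control demoted itself to `impact 0.0`. Consumers that weight findings by this field would then treat the TFTP requirement as not applicable on every host, so the baseline should carry the static value, `"impact": 0.5,`, or the exporter should be changed to record the declared impact rather than the evaluated one. In the nosuid control (SV-204482) earlier in the hunk, the code only inspects `etc_fstab.nfs_file_systems`, whereas the check text also requires `mount | grep nfs | grep nosuid`; an NFS share mounted outside fstab (manually or via autofs) without `nosuid` passes silently, so either a second `describe` over live `mount` output or a comment stating that the automated check is fstab-only is warranted. Both control objects are cut by the hunk boundaries: the nosuid control's opening lies before this hunk and the TFTP control's code and source_location continue after it.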
@@ -10186,1150 +10172,1164 @@ "CM-6 b" ], "subsystems": [ - "aslr", - "kernel_parameter" + "tftp" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-204584' do\n title 'The Red Hat Enterprise Linux operating system must implement virtual address space randomization.'\n desc \"Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of\n attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally,\n ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it\n using return-oriented programming (ROP) techniques.\"\n desc 'check', 'Verify the operating system implements virtual address space randomization.\n\n # grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not configured in the /etc/sysctl.conf file or or in any of the other sysctl.d directories, is commented out or does not have a value of \"2\", this is a finding.\n\nCheck that the operating system implements virtual address space randomization with the following command:\n\n # /sbin/sysctl -a | grep kernel.randomize_va_space\n kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" does not have a value of \"2\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system implement virtual address space randomization.\n Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a config file\n in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n kernel.randomize_va_space = 2\n Issue the following command to make the changes take effect:\n # sysctl --system'\n impact 0.5\n tag legacy: ['SV-92521', 
'V-77825']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204584'\n tag rid: 'SV-204584r880794_rule'\n tag stig_id: 'RHEL-07-040201'\n tag fix_id: 'F-4708r880793_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['aslr', 'kernel_parameter']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n randomize_va_space = input('randomize_va_space')\n config_file_values = command('grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [randomize_va_space.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set randomize_va_space to #{randomize_va_space}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel parameter kernel.randomize_va_space' do\n subject { kernel_parameter('kernel.randomize_va_space') }\n its('value') { should eq randomize_va_space }\n end\n end\nend\n", + "code": "control 'SV-204623' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer\n Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.'\n desc 'Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting\n system files.'\n desc 'check', 'Verify the TFTP daemon is configured to operate in secure mode.\n Check to see if a 
TFTP server has been installed with the following commands:\n # yum list installed tftp-server\n tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n If a TFTP server is not installed, this is Not Applicable.\n If a TFTP server is installed, check for the server arguments with the following command:\n # grep server_args /etc/xinetd.d/tftp\n server_args = -s /var/lib/tftpboot\n If the \"server_args\" line does not have a \"-s\" option and a subdirectory is not assigned, this is a finding.'\n desc 'fix', 'Configure the TFTP daemon to operate in secure mode by adding the following line to\n \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n server_args = -s /var/lib/tftpboot'\n impact 0.5\n tag legacy: ['SV-86929', 'V-72305']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204623'\n tag rid: 'SV-204623r603261_rule'\n tag stig_id: 'RHEL-07-040720'\n tag fix_id: 'F-4747r89062_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['tftp']\n tag 'host'\n tag 'container'\n\n if package('tftp-server').installed?\n impact 0.5\n describe command('grep server_args /etc/xinetd.d/tftp') do\n its('stdout.strip') do\n should match %r{^\\s*server_args\\s+=\\s+(-s|--secure)\\s(/\\S+)$}\n end\n end\n else\n impact 0.0\n describe 'The TFTP package is not installed' do\n skip 'If a TFTP server is not installed, this is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204584.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204623.rb", "line": 1 }, - "id": "SV-204584" + "id": "SV-204623" }, { - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a\n valid group owner.", - "desc": "Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group\n Identifier (GID) as the GID of the files without a valid group owner.", + "title": "The Red Hat Enterprise Linux operating system 
must not respond to Internet Protocol version 4 (IPv4)\n Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.", + "desc": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification\n attacks.", "descriptions": { - "default": "Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group\n Identifier (GID) as the GID of the files without a valid group owner.", - "check": "Verify all files and directories on the system have a valid group.\n Check the owner of all files and directories with the following command:\n Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n # find / -fstype xfs -nogroup\n If any files on the system do not have an assigned group, this is a finding.", - "fix": "Either remove all files and directories from the system that do not have a valid group, or assign a\n valid group to all files and directories on the system with the \"chgrp\" command:\n # chgrp " + "default": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification\n attacks.", + "check": "Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.\n\n # grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results 
are returned, this is a finding.", + "fix": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system" }, "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-72009", - "SV-86633" + "V-72287", + "SV-86911" ], "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-204464", - "rid": "SV-204464r853898_rule", - "stig_id": "RHEL-07-020330", - "fix_id": "F-4588r88585_fix", + "gid": "V-204613", + "rid": "SV-204613r880809_rule", + "stig_id": "RHEL-07-040630", + "fix_id": "F-4737r880808_fix", "cci": [ - "CCI-002165" + "CCI-000366" ], "nist": [ - "AC-3 (4)" + "CM-6 b" ], "subsystems": [ - "file_system", - "groups", - "files" - ], - "host": null, - "container": null + "kernel_parameter", + "ipv4" + ], + "host": null }, - "code": "control 'SV-204464' do\n title 'The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a\n valid group owner.'\n desc 'Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group\n Identifier (GID) as the GID of the files without a valid group owner.'\n desc 'check', 'Verify all files and directories on the system have a valid group.\n Check the owner of all files and directories with the following command:\n Note: The value after -fstype must be replaced with the filesystem type. 
XFS is used as an example.\n # find / -fstype xfs -nogroup\n If any files on the system do not have an assigned group, this is a finding.'\n desc 'fix', 'Either remove all files and directories from the system that do not have a valid group, or assign a\n valid group to all files and directories on the system with the \"chgrp\" command:\n # chgrp '\n impact 0.5\n tag legacy: ['V-72009', 'SV-86633']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204464'\n tag rid: 'SV-204464r853898_rule'\n tag stig_id: 'RHEL-07-020330'\n tag fix_id: 'F-4588r88585_fix'\n tag cci: ['CCI-002165']\n tag nist: ['AC-3 (4)']\n tag subsystems: ['file_system', 'groups', 'files']\n tag 'host'\n tag 'container'\n\n command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'')\n .stdout.strip.split(\"\\n\").each do |fs|\n describe command(\"find / -xdev -xautofs -fstype #{fs} -nogroup\") do\n its('stdout.strip') { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-204613' do\n title 'The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4)\n Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.'\n desc 'Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification\n attacks.'\n desc 'check', 'Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.\n\n # grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n # /sbin/sysctl -a | grep 
net.ipv4.icmp_echo_ignore_broadcasts\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system'\n impact 0.5\n tag legacy: ['V-72287', 'SV-86911']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-204613'\n tag rid: 'SV-204613r880809_rule'\n tag stig_id: 'RHEL-07-040630'\n tag fix_id: 'F-4737r880808_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['kernel_parameter', 'ipv4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - Kernel config must be done on the host' do\n skip 'Control not applicable - Kernel config must be done on the host'\n end\n else\n icmp_echo_ignore_broadcasts = 1\n\n config_file_values = command('grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null')\n .stdout.strip.split(\"\\n\")\n .map { |file| parse_config(file).params }\n config_file_values_uncompliant = config_file_values.select { |entry| entry.values != [icmp_echo_ignore_broadcasts.to_s] }\n\n unless config_file_values_uncompliant.empty?\n describe 'All configuration files' do\n it \"should set icmp_echo_ignore_broadcasts to #{icmp_echo_ignore_broadcasts}, or not define it at all\" do\n fail_msg = \"Found incorrect configuration:\\n#{config_file_values_uncompliant.join(\"\\n\")}\"\n expect(config_file_values_uncompliant).to be_empty, fail_msg\n end\n end\n end\n\n describe 'The runtime kernel 
parameter net.ipv4.icmp_echo_ignore_broadcasts' do\n subject { kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') }\n its('value') { should eq icmp_echo_ignore_broadcasts }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204464.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204613.rb", "line": 1 }, - "id": "SV-204464" + "id": "SV-204613" }, { - "title": "The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.", - "desc": "Failure to restrict system access to authenticated users negatively impacts operating system security.", + "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/passwd.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", "descriptions": { - "default": "Failure to restrict system access to authenticated users negatively impacts operating system security.", - "check": "Verify the operating system does not allow an unrestricted logon to the system via a graphical user\n interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check for the value of the \"TimedLoginEnable\" parameter in \"/etc/gdm/custom.conf\" file with the following command:\n # grep -i timedloginenable /etc/gdm/custom.conf\n TimedLoginEnable=false\n If the value of \"TimedLoginEnable\" is not set to \"false\", this is a finding.", - "fix": "Configure the operating system to not allow an unrestricted account to log on to the system via a\n graphical user interface.\n Note: If the system does not have GNOME 
installed, this requirement is Not Applicable.\n Add or edit the line for the \"TimedLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file\n to \"false\":\n [daemon]\n TimedLoginEnable=false" + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).", + "check": "Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/passwd\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/passwd /etc/audit/audit.rules\n -w /etc/passwd -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.", + "fix": "Configure the operating system to generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/passwd\".\n Add or update the following rule \"/etc/audit/rules.d/audit.rules\":\n -w /etc/passwd -p wa -k identity\n The audit daemon must be restarted for the changes to take effect." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { "legacy": [ - "V-71955", - "SV-86579" + "SV-86821", + "V-72197" ], - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00229", - "gid": "V-204433", - "rid": "SV-204433r877377_rule", - "stig_id": "RHEL-07-010450", - "fix_id": "F-4557r88492_fix", + "severity": "medium", + "gtitle": "SRG-OS-000004-GPOS-00004", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-204564", + "rid": "SV-204564r853978_rule", + "stig_id": "RHEL-07-030870", + "fix_id": "F-4688r88885_fix", "cci": [ - "CCI-000366" + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-002130" ], "nist": [ - "CM-6 b" + "AC-2 (4)", + "AU-12 c", + "AC-2 (4)", + "AC-2 (4)" ], "subsystems": [ - "gdm" + "audit", + "auditd", + "audit_rule" ], "host": null }, - "code": "control 'SV-204433' do\n title 'The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.'\n desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'\n desc 'check', 'Verify the operating system does not allow an unrestricted logon to the system via a graphical user\n interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Check for the value of the \"TimedLoginEnable\" parameter in \"/etc/gdm/custom.conf\" file with the following command:\n # grep -i timedloginenable /etc/gdm/custom.conf\n TimedLoginEnable=false\n If the value of \"TimedLoginEnable\" is not set to \"false\", this is a finding.'\n desc 'fix', 'Configure the operating system to not allow an unrestricted account to log on to the system via a\n graphical user interface.\n Note: If the system does not have GNOME installed, this requirement is Not Applicable.\n Add or edit the line for the \"TimedLoginEnable\" parameter in the [daemon] 
section of the \"/etc/gdm/custom.conf\" file\n to \"false\":\n [daemon]\n TimedLoginEnable=false'\n impact 0.7\n tag legacy: ['V-71955', 'SV-86579']\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-204433'\n tag rid: 'SV-204433r877377_rule'\n tag stig_id: 'RHEL-07-010450'\n tag fix_id: 'F-4557r88492_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag subsystems: ['gdm']\n tag 'host'\n\n custom_conf = '/etc/gdm/custom.conf'\n\n if package('gdm').installed?\n impact 0.7\n if (f = file(custom_conf)).exist?\n describe ini(custom_conf) do\n its('daemon.TimedLoginEnable') { cmp false }\n end\n else\n describe f do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system does not have GDM installed' do\n skip 'The system does not have GDM installed, this requirement is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-204564' do\n title 'The Red Hat Enterprise Linux operating system must generate audit records for all account creations,\n modifications, disabling, and termination events that affect /etc/passwd.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it\n would be difficult to establish, correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n Audit records can be generated from various components within the information system (e.g., module or policy\n filter).'\n desc 'check', 'Verify the operating system must generate audit records for all account creations, modifications,\n disabling, and termination events that affect \"/etc/passwd\".\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n # grep /etc/passwd /etc/audit/audit.rules\n -w /etc/passwd -p wa -k identity\n If the command does not return a line, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to generate audit records for all account 
creations, modifications,\n disabling, and termination events that affect \"/etc/passwd\".\n Add or update the following rule \"/etc/audit/rules.d/audit.rules\":\n -w /etc/passwd -p wa -k identity\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag legacy: ['SV-86821', 'V-72197']\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000004-GPOS-00004'\n tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-204564'\n tag rid: 'SV-204564r853978_rule'\n tag stig_id: 'RHEL-07-030870'\n tag fix_id: 'F-4688r88885_fix'\n tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-002130']\n tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)']\n tag subsystems: ['audit', 'auditd', 'audit_rule']\n tag 'host'\n\n audit_command = '/etc/passwd'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable - audit config must be done on the host' do\n skip 'Control not applicable - audit config must be done on the host'\n end\n else\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.key).to cmp 'identity'\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 7 STIG/controls/SV-204433.rb", + "ref": "./Red Hat 7 STIG/controls/SV-204564.rb", "line": 1 }, - "id": "SV-204433" + "id": "SV-204564" } ], "groups": [ { "title": null, "controls": [ - "SV-255926" + "SV-204492" ], - "id": "controls/SV-255926.rb" + "id": "controls/SV-204492.rb" }, { "title": null, "controls": [ - "SV-204466" + "SV-204619" ], - "id": "controls/SV-204466.rb" + "id": "controls/SV-204619.rb" }, { "title": null, "controls": [ - "SV-204553" + "SV-204544" ], - "id": "controls/SV-204553.rb" + "id": "controls/SV-204544.rb" }, { 
"title": null, "controls": [ - "SV-204608" + "SV-233307" ], - "id": "controls/SV-204608.rb" + "id": "controls/SV-233307.rb" }, { "title": null, "controls": [ - "SV-204423" + "SV-214800" ], - "id": "controls/SV-204423.rb" + "id": "controls/SV-214800.rb" }, { "title": null, "controls": [ - "SV-204494" + "SV-204500" ], - "id": "controls/SV-204494.rb" + "id": "controls/SV-204500.rb" }, { "title": null, "controls": [ - "SV-204575" + "SV-204539" ], - "id": "controls/SV-204575.rb" + "id": "controls/SV-204539.rb" }, { "title": null, "controls": [ - "SV-204412" + "SV-204483" ], - "id": "controls/SV-204412.rb" + "id": "controls/SV-204483.rb" }, { "title": null, "controls": [ - "SV-204606" + "SV-204407" ], - "id": "controls/SV-204606.rb" + "id": "controls/SV-204407.rb" }, { "title": null, "controls": [ - "SV-204460" + "SV-204477" ], - "id": "controls/SV-204460.rb" + "id": "controls/SV-204477.rb" }, { "title": null, "controls": [ - "SV-204488" + "SV-204634" ], - "id": "controls/SV-204488.rb" + "id": "controls/SV-204634.rb" }, { "title": null, "controls": [ - "SV-204502" + "SV-204440" ], - "id": "controls/SV-204502.rb" + "id": "controls/SV-204440.rb" }, { "title": null, "controls": [ - "SV-204545" + "SV-204471" ], - "id": "controls/SV-204545.rb" + "id": "controls/SV-204471.rb" }, { "title": null, "controls": [ - "SV-204446" + "SV-214937" ], - "id": "controls/SV-204446.rb" + "id": "controls/SV-214937.rb" }, { "title": null, "controls": [ - "SV-204429" + "SV-204531" ], - "id": "controls/SV-204429.rb" + "id": "controls/SV-204531.rb" }, { "title": null, "controls": [ - "SV-204595" + "SV-204406" ], - "id": "controls/SV-204595.rb" + "id": "controls/SV-204406.rb" }, { "title": null, "controls": [ - "SV-204499" + "SV-204480" ], - "id": "controls/SV-204499.rb" + "id": "controls/SV-204480.rb" }, { "title": null, "controls": [ - "SV-204539" + "SV-204521" ], - "id": "controls/SV-204539.rb" + "id": "controls/SV-204521.rb" }, { "title": null, "controls": [ - "SV-204552" + "SV-204625" ], - 
"id": "controls/SV-204552.rb" + "id": "controls/SV-204625.rb" }, { "title": null, "controls": [ - "SV-204405" + "SV-204591" ], - "id": "controls/SV-204405.rb" + "id": "controls/SV-204591.rb" }, { "title": null, "controls": [ - "SV-204448" + "SV-204496" ], - "id": "controls/SV-204448.rb" + "id": "controls/SV-204496.rb" }, { "title": null, "controls": [ - "SV-214799" + "SV-204478" ], - "id": "controls/SV-214799.rb" + "id": "controls/SV-204478.rb" }, { "title": null, "controls": [ - "SV-204397" + "SV-237635" ], - "id": "controls/SV-204397.rb" + "id": "controls/SV-237635.rb" }, { "title": null, "controls": [ - "SV-204543" + "SV-204405" ], - "id": "controls/SV-204543.rb" + "id": "controls/SV-204405.rb" }, { "title": null, "controls": [ - "SV-214937" + "SV-204444" ], - "id": "controls/SV-214937.rb" + "id": "controls/SV-204444.rb" }, { "title": null, "controls": [ - "SV-204617" + "SV-204567" ], - "id": "controls/SV-204617.rb" + "id": "controls/SV-204567.rb" }, { "title": null, "controls": [ - "SV-204627" + "SV-204621" ], - "id": "controls/SV-204627.rb" + "id": "controls/SV-204621.rb" }, { "title": null, "controls": [ - "SV-204394" + "SV-255925" ], - "id": "controls/SV-204394.rb" + "id": "controls/SV-255925.rb" }, { "title": null, "controls": [ - "SV-204508" + "SV-204578" ], - "id": "controls/SV-204508.rb" + "id": "controls/SV-204578.rb" }, { "title": null, "controls": [ - "SV-204579" + "SV-204552" ], - "id": "controls/SV-204579.rb" + "id": "controls/SV-204552.rb" }, { "title": null, "controls": [ - "SV-204592" + "SV-204611" ], - "id": "controls/SV-204592.rb" + "id": "controls/SV-204611.rb" }, { "title": null, "controls": [ - "SV-204453" + "SV-204554" ], - "id": "controls/SV-204453.rb" + "id": "controls/SV-204554.rb" }, { "title": null, "controls": [ - "SV-204486" + "SV-204447" ], - "id": "controls/SV-204486.rb" + "id": "controls/SV-204447.rb" }, { "title": null, "controls": [ - "SV-204421" + "SV-204434" ], - "id": "controls/SV-204421.rb" + "id": "controls/SV-204434.rb" }, 
{ "title": null, "controls": [ - "SV-204435" + "SV-204450" ], - "id": "controls/SV-204435.rb" + "id": "controls/SV-204450.rb" }, { "title": null, "controls": [ - "SV-204452" + "SV-251704" ], - "id": "controls/SV-204452.rb" + "id": "controls/SV-251704.rb" }, { "title": null, "controls": [ - "SV-244557" + "SV-204414" ], - "id": "controls/SV-244557.rb" + "id": "controls/SV-204414.rb" }, { "title": null, "controls": [ - "SV-204633" + "SV-204583" ], - "id": "controls/SV-204633.rb" + "id": "controls/SV-204583.rb" }, { "title": null, "controls": [ - "SV-204550" + "SV-251703" ], - "id": "controls/SV-204550.rb" + "id": "controls/SV-251703.rb" }, { "title": null, "controls": [ - "SV-251703" + "SV-204454" ], - "id": "controls/SV-251703.rb" + "id": "controls/SV-204454.rb" }, { "title": null, "controls": [ - "SV-204416" + "SV-204568" ], - "id": "controls/SV-204416.rb" + "id": "controls/SV-204568.rb" }, { "title": null, "controls": [ - "SV-219059" + "SV-204516" ], - "id": "controls/SV-219059.rb" + "id": "controls/SV-204516.rb" }, { "title": null, "controls": [ - "SV-204413" + "SV-204594" ], - "id": "controls/SV-204413.rb" + "id": "controls/SV-204594.rb" }, { "title": null, "controls": [ - "SV-204544" + "SV-204475" ], - "id": "controls/SV-204544.rb" + "id": "controls/SV-204475.rb" }, { "title": null, "controls": [ - "SV-204437" + "SV-204435" ], - "id": "controls/SV-204437.rb" + "id": "controls/SV-204435.rb" }, { "title": null, "controls": [ - "SV-204516" + "SV-204393" ], - "id": "controls/SV-204516.rb" + "id": "controls/SV-204393.rb" }, { "title": null, "controls": [ - "SV-204463" + "SV-204421" ], - "id": "controls/SV-204463.rb" + "id": "controls/SV-204421.rb" }, { "title": null, "controls": [ - "SV-204490" + "SV-204543" ], - "id": "controls/SV-204490.rb" + "id": "controls/SV-204543.rb" }, { "title": null, "controls": [ - "SV-204616" + "SV-204514" ], - "id": "controls/SV-204616.rb" + "id": "controls/SV-204514.rb" }, { "title": null, "controls": [ - "SV-204445" + "SV-204557" ], - 
"id": "controls/SV-204445.rb" + "id": "controls/SV-204557.rb" }, { "title": null, "controls": [ - "SV-204476" + "SV-204409" ], - "id": "controls/SV-204476.rb" + "id": "controls/SV-204409.rb" }, { "title": null, "controls": [ - "SV-255927" + "SV-204604" ], - "id": "controls/SV-255927.rb" + "id": "controls/SV-204604.rb" }, { "title": null, "controls": [ - "SV-237635" + "SV-204431" ], - "id": "controls/SV-237635.rb" + "id": "controls/SV-204431.rb" }, { "title": null, "controls": [ - "SV-204623" + "SV-204430" ], - "id": "controls/SV-204623.rb" + "id": "controls/SV-204430.rb" }, { "title": null, "controls": [ - "SV-204420" + "SV-204579" ], - "id": "controls/SV-204420.rb" + "id": "controls/SV-204579.rb" }, { "title": null, "controls": [ - "SV-204541" + "SV-204605" ], - "id": "controls/SV-204541.rb" + "id": "controls/SV-204605.rb" }, { "title": null, "controls": [ - "SV-204422" + "SV-204504" ], - "id": "controls/SV-204422.rb" + "id": "controls/SV-204504.rb" }, { "title": null, "controls": [ - "SV-204597" + "SV-204590" ], - "id": "controls/SV-204597.rb" + "id": "controls/SV-204590.rb" }, { "title": null, "controls": [ - "SV-204514" + "SV-204411" ], - "id": "controls/SV-204514.rb" + "id": "controls/SV-204411.rb" }, { "title": null, "controls": [ - "SV-204554" + "SV-204546" ], - "id": "controls/SV-204554.rb" + "id": "controls/SV-204546.rb" }, { "title": null, "controls": [ - "SV-204568" + "SV-204462" ], - "id": "controls/SV-204568.rb" + "id": "controls/SV-204462.rb" }, { "title": null, "controls": [ - "SV-204475" + "SV-204584" ], - "id": "controls/SV-204475.rb" + "id": "controls/SV-204584.rb" }, { "title": null, "controls": [ - "SV-204599" + "SV-204602" ], - "id": "controls/SV-204599.rb" + "id": "controls/SV-204602.rb" }, { "title": null, "controls": [ - "SV-204631" + "SV-204479" ], - "id": "controls/SV-204631.rb" + "id": "controls/SV-204479.rb" }, { "title": null, "controls": [ - "SV-204610" + "SV-204588" ], - "id": "controls/SV-204610.rb" + "id": "controls/SV-204588.rb" }, 
{ "title": null, "controls": [ - "SV-204503" + "SV-204473" ], - "id": "controls/SV-204503.rb" + "id": "controls/SV-204473.rb" }, { "title": null, "controls": [ - "SV-204589" + "SV-204427" ], - "id": "controls/SV-204589.rb" + "id": "controls/SV-204427.rb" }, { "title": null, "controls": [ - "SV-204428" + "SV-204615" ], - "id": "controls/SV-204428.rb" + "id": "controls/SV-204615.rb" }, { "title": null, "controls": [ - "SV-204409" + "SV-204559" ], - "id": "controls/SV-204409.rb" + "id": "controls/SV-204559.rb" }, { "title": null, "controls": [ - "SV-204605" + "SV-204616" ], - "id": "controls/SV-204605.rb" + "id": "controls/SV-204616.rb" }, { "title": null, "controls": [ - "SV-204612" + "SV-204510" ], - "id": "controls/SV-204612.rb" + "id": "controls/SV-204510.rb" }, { "title": null, "controls": [ - "SV-204497" + "SV-204629" ], - "id": "controls/SV-204497.rb" + "id": "controls/SV-204629.rb" }, { "title": null, "controls": [ - "SV-204438" + "SV-204461" ], - "id": "controls/SV-204438.rb" + "id": "controls/SV-204461.rb" }, { "title": null, "controls": [ - "SV-204482" + "SV-204491" ], - "id": "controls/SV-204482.rb" + "id": "controls/SV-204491.rb" }, { "title": null, "controls": [ - "SV-255928" + "SV-204403" ], - "id": "controls/SV-255928.rb" + "id": "controls/SV-204403.rb" }, { "title": null, "controls": [ - "SV-204515" + "SV-204396" ], - "id": "controls/SV-204515.rb" + "id": "controls/SV-204396.rb" }, { "title": null, "controls": [ - "SV-204426" + "SV-204617" ], - "id": "controls/SV-204426.rb" + "id": "controls/SV-204617.rb" }, { "title": null, "controls": [ - "SV-204477" + "SV-204560" ], - "id": "controls/SV-204477.rb" + "id": "controls/SV-204560.rb" }, { "title": null, "controls": [ - "SV-204410" + "SV-251705" ], - "id": "controls/SV-204410.rb" + "id": "controls/SV-251705.rb" }, { "title": null, "controls": [ - "SV-204540" + "SV-204548" ], - "id": "controls/SV-204540.rb" + "id": "controls/SV-204548.rb" }, { "title": null, "controls": [ - "SV-204427" + "SV-214801" ], - 
"id": "controls/SV-204427.rb" + "id": "controls/SV-214801.rb" }, { "title": null, "controls": [ - "SV-204511" + "SV-204524" ], - "id": "controls/SV-204511.rb" + "id": "controls/SV-204524.rb" }, { "title": null, "controls": [ - "SV-214801" + "SV-204422" ], - "id": "controls/SV-214801.rb" + "id": "controls/SV-204422.rb" }, { "title": null, "controls": [ - "SV-204451" + "SV-204402" ], - "id": "controls/SV-204451.rb" + "id": "controls/SV-204402.rb" }, { "title": null, "controls": [ - "SV-204603" + "SV-204429" ], - "id": "controls/SV-204603.rb" + "id": "controls/SV-204429.rb" }, { "title": null, "controls": [ - "SV-204596" + "SV-204416" ], - "id": "controls/SV-204596.rb" + "id": "controls/SV-204416.rb" }, { "title": null, "controls": [ - "SV-204441" + "SV-204593" ], - "id": "controls/SV-204441.rb" + "id": "controls/SV-204593.rb" }, { "title": null, "controls": [ - "SV-204472" + "SV-204494" ], - "id": "controls/SV-204472.rb" + "id": "controls/SV-204494.rb" }, { "title": null, "controls": [ - "SV-204613" + "SV-204628" ], - "id": "controls/SV-204613.rb" + "id": "controls/SV-204628.rb" }, { "title": null, "controls": [ - "SV-204478" + "SV-204600" ], - "id": "controls/SV-204478.rb" + "id": "controls/SV-204600.rb" }, { "title": null, "controls": [ - "SV-204622" + "SV-204572" ], - "id": "controls/SV-204622.rb" + "id": "controls/SV-204572.rb" }, { "title": null, "controls": [ - "SV-254523" + "SV-204493" ], - "id": "controls/SV-254523.rb" + "id": "controls/SV-204493.rb" }, { "title": null, "controls": [ - "SV-237634" + "SV-204488" ], - "id": "controls/SV-237634.rb" + "id": "controls/SV-204488.rb" }, { "title": null, "controls": [ - "SV-204512" + "SV-204432" ], - "id": "controls/SV-204512.rb" + "id": "controls/SV-204432.rb" }, { "title": null, "controls": [ - "SV-204456" + "SV-204565" ], - "id": "controls/SV-204456.rb" + "id": "controls/SV-204565.rb" }, { "title": null, "controls": [ - "SV-204524" + "SV-204423" ], - "id": "controls/SV-204524.rb" + "id": "controls/SV-204423.rb" }, 
{ "title": null, "controls": [ - "SV-204395" + "SV-204610" ], - "id": "controls/SV-204395.rb" + "id": "controls/SV-204610.rb" }, { "title": null, "controls": [ - "SV-250313" + "SV-204540" ], - "id": "controls/SV-250313.rb" + "id": "controls/SV-204540.rb" }, { "title": null, "controls": [ - "SV-204566" + "SV-204417" ], - "id": "controls/SV-204566.rb" + "id": "controls/SV-204417.rb" }, { "title": null, "controls": [ - "SV-204506" + "SV-204467" ], - "id": "controls/SV-204506.rb" + "id": "controls/SV-204467.rb" }, { "title": null, "controls": [ - "SV-204588" + "SV-204452" ], - "id": "controls/SV-204588.rb" + "id": "controls/SV-204452.rb" }, { "title": null, "controls": [ - "SV-204396" + "SV-204566" ], - "id": "controls/SV-204396.rb" + "id": "controls/SV-204566.rb" }, { "title": null, "controls": [ - "SV-204564" + "SV-204498" ], - "id": "controls/SV-204564.rb" + "id": "controls/SV-204498.rb" }, { "title": null, "controls": [ - "SV-204393" + "SV-204506" ], - "id": "controls/SV-204393.rb" + "id": "controls/SV-204506.rb" }, { "title": null, "controls": [ - "SV-204483" + "SV-204553" ], - "id": "controls/SV-204483.rb" + "id": "controls/SV-204553.rb" }, { "title": null, "controls": [ - "SV-204551" + "SV-254523" ], - "id": "controls/SV-204551.rb" + "id": "controls/SV-254523.rb" }, { "title": null, "controls": [ - "SV-204495" + "SV-204511" ], - "id": "controls/SV-204495.rb" + "id": "controls/SV-204511.rb" }, { "title": null, "controls": [ - "SV-204487" + "SV-204555" ], - "id": "controls/SV-204487.rb" + "id": "controls/SV-204555.rb" }, { "title": null, "controls": [ - "SV-204455" + "SV-204551" ], - "id": "controls/SV-204455.rb" + "id": "controls/SV-204551.rb" }, { "title": null, "controls": [ - "SV-204440" + "SV-204441" ], - "id": "controls/SV-204440.rb" + "id": "controls/SV-204441.rb" }, { "title": null, "controls": [ - "SV-204586" + "SV-204581" ], - "id": "controls/SV-204586.rb" + "id": "controls/SV-204581.rb" }, { "title": null, "controls": [ - "SV-204467" + "SV-204627" ], - 
"id": "controls/SV-204467.rb" + "id": "controls/SV-204627.rb" }, { "title": null, "controls": [ - "SV-204479" + "SV-204575" ], - "id": "controls/SV-204479.rb" + "id": "controls/SV-204575.rb" }, { "title": null, "controls": [ - "SV-255925" + "SV-204395" ], - "id": "controls/SV-255925.rb" + "id": "controls/SV-204395.rb" }, { "title": null, "controls": [ - "SV-204406" + "SV-204503" ], - "id": "controls/SV-204406.rb" + "id": "controls/SV-204503.rb" }, { "title": null, "controls": [ - "SV-204447" + "SV-204464" ], - "id": "controls/SV-204447.rb" + "id": "controls/SV-204464.rb" }, { "title": null, "controls": [ - "SV-204581" + "SV-204433" ], - "id": "controls/SV-204581.rb" + "id": "controls/SV-204433.rb" }, { "title": null, "controls": [ - "SV-204558" + "SV-204537" ], - "id": "controls/SV-204558.rb" + "id": "controls/SV-204537.rb" }, { "title": null, "controls": [ - "SV-204407" + "SV-251702" ], - "id": "controls/SV-204407.rb" + "id": "controls/SV-251702.rb" }, { "title": null, "controls": [ - "SV-204611" + "SV-204442" ], - "id": "controls/SV-204611.rb" + "id": "controls/SV-204442.rb" }, { "title": null, "controls": [ - "SV-204582" + "SV-204497" ], - "id": "controls/SV-204582.rb" + "id": "controls/SV-204497.rb" }, { "title": null, "controls": [ - "SV-204469" + "SV-255928" ], - "id": "controls/SV-204469.rb" + "id": "controls/SV-255928.rb" }, { "title": null, "controls": [ - "SV-204542" + "SV-255927" ], - "id": "controls/SV-204542.rb" + "id": "controls/SV-255927.rb" }, { "title": null, "controls": [ - "SV-204480" + "SV-204451" ], - "id": "controls/SV-204480.rb" + "id": "controls/SV-204451.rb" }, { "title": null, "controls": [ - "SV-204471" + "SV-214799" ], - "id": "controls/SV-204471.rb" + "id": "controls/SV-214799.rb" }, { "title": null, "controls": [ - "SV-204444" + "SV-204459" ], - "id": "controls/SV-204444.rb" + "id": "controls/SV-204459.rb" }, { "title": null, "controls": [ - "SV-204468" + "SV-204512" ], - "id": "controls/SV-204468.rb" + "id": "controls/SV-204512.rb" }, 
{ "title": null, "controls": [ - "SV-204392" + "SV-219059" ], - "id": "controls/SV-204392.rb" + "id": "controls/SV-219059.rb" }, { "title": null, "controls": [ - "SV-251704" + "SV-204489" ], - "id": "controls/SV-251704.rb" + "id": "controls/SV-204489.rb" }, { "title": null, "controls": [ - "SV-250314" + "SV-204630" ], - "id": "controls/SV-250314.rb" + "id": "controls/SV-204630.rb" }, { "title": null, "controls": [ - "SV-204601" + "SV-204633" ], - "id": "controls/SV-204601.rb" + "id": "controls/SV-204633.rb" }, { "title": null, "controls": [ - "SV-204546" + "SV-204502" ], - "id": "controls/SV-204546.rb" + "id": "controls/SV-204502.rb" }, { "title": null, "controls": [ - "SV-214800" + "SV-204597" ], - "id": "controls/SV-214800.rb" + "id": "controls/SV-204597.rb" }, { "title": null, "controls": [ - "SV-204621" + "SV-204424" ], - "id": "controls/SV-204621.rb" + "id": "controls/SV-204424.rb" }, { "title": null, "controls": [ - "SV-204614" + "SV-204618" ], - "id": "controls/SV-204614.rb" + "id": "controls/SV-204618.rb" }, { "title": null, "controls": [ - "SV-204408" + "SV-204595" ], - "id": "controls/SV-204408.rb" + "id": "controls/SV-204595.rb" }, { "title": null, "controls": [ - "SV-204496" + "SV-204598" ], - "id": "controls/SV-204496.rb" + "id": "controls/SV-204598.rb" }, { "title": null, "controls": [ - "SV-204536" + "SV-204545" ], - "id": "controls/SV-204536.rb" + "id": "controls/SV-204545.rb" }, { "title": null, "controls": [ - "SV-204402" + "SV-204400" ], - "id": "controls/SV-204402.rb" + "id": "controls/SV-204400.rb" }, { "title": null, "controls": [ - "SV-204580" + "SV-204499" ], - "id": "controls/SV-204580.rb" + "id": "controls/SV-204499.rb" }, { "title": null, "controls": [ - "SV-204492" + "SV-244558" ], - "id": "controls/SV-204492.rb" + "id": "controls/SV-244558.rb" }, { "title": null, "controls": [ - "SV-204538" + "SV-204418" ], - "id": "controls/SV-204538.rb" + "id": "controls/SV-204418.rb" }, { "title": null, "controls": [ - "SV-204498" + "SV-204481" ], - 
"id": "controls/SV-204498.rb" + "id": "controls/SV-204481.rb" }, { "title": null, "controls": [ - "SV-204578" + "SV-204438" ], - "id": "controls/SV-204578.rb" + "id": "controls/SV-204438.rb" }, { "title": null, "controls": [ - "SV-204604" + "SV-204517" ], - "id": "controls/SV-204604.rb" + "id": "controls/SV-204517.rb" }, { "title": null, "controls": [ - "SV-204632" + "SV-204458" ], - "id": "controls/SV-204632.rb" + "id": "controls/SV-204458.rb" }, { "title": null, "controls": [ - "SV-204432" + "SV-204463" ], - "id": "controls/SV-204432.rb" + "id": "controls/SV-204463.rb" }, { "title": null, "controls": [ - "SV-204624" + "SV-204603" ], - "id": "controls/SV-204624.rb" + "id": "controls/SV-204603.rb" }, { "title": null, "controls": [ - "SV-204419" + "SV-204614" ], - "id": "controls/SV-204419.rb" + "id": "controls/SV-204614.rb" }, { "title": null, "controls": [ - "SV-204572" + "SV-204563" ], - "id": "controls/SV-204572.rb" + "id": "controls/SV-204563.rb" }, { "title": null, 
@@ -11341,632 +11341,632 @@ { "title": null, "controls": [ - "SV-204537" + "SV-204513" ], - "id": "controls/SV-204537.rb" + "id": "controls/SV-204513.rb" }, { "title": null, "controls": [ - "SV-204491" + "SV-204589" ], - "id": "controls/SV-204491.rb" + "id": "controls/SV-204589.rb" }, { "title": null, "controls": [ - "SV-204628" + "SV-204601" ], - "id": "controls/SV-204628.rb" + "id": "controls/SV-204601.rb" }, { "title": null, "controls": [ - "SV-204425" + "SV-204631" ], - "id": "controls/SV-204425.rb" + "id": "controls/SV-204631.rb" }, { "title": null, "controls": [ - "SV-204501" + "SV-204448" ], - "id": "controls/SV-204501.rb" + "id": "controls/SV-204448.rb" }, { "title": null, "controls": [ - "SV-204434" + "SV-204397" ], - "id": "controls/SV-204434.rb" + "id": "controls/SV-204397.rb" }, { "title": null, "controls": [ - "SV-204449" + "SV-204508" ], - "id": "controls/SV-204449.rb" + "id": "controls/SV-204508.rb" }, { "title": null, "controls": [ - "SV-204576" + "SV-204607" ], - "id": "controls/SV-204576.rb" + "id": "controls/SV-204607.rb" }, { "title": null, "controls": [ - "SV-204458" + "SV-204456" ], - "id": "controls/SV-204458.rb" + "id": "controls/SV-204456.rb" }, { "title": null, "controls": [ - "SV-204577" + "SV-204426" ], - "id": "controls/SV-204577.rb" + "id": "controls/SV-204426.rb" }, { "title": null, "controls": [ - "SV-228563" + "SV-204495" ], - "id": "controls/SV-228563.rb" + "id": "controls/SV-204495.rb" }, { "title": null, "controls": [ - "SV-251705" + "SV-204457" ], - "id": "controls/SV-251705.rb" + "id": "controls/SV-204457.rb" }, { "title": null, "controls": [ - "SV-204415" + "SV-237633" ], - "id": "controls/SV-204415.rb" + "id": "controls/SV-237633.rb" }, { "title": null, "controls": [ - "SV-204531" + "SV-250312" ], - "id": "controls/SV-204531.rb" + "id": "controls/SV-250312.rb" }, { "title": null, "controls": [ - "SV-204630" + "SV-204609" ], - "id": "controls/SV-204630.rb" + "id": "controls/SV-204609.rb" }, { "title": null, "controls": [ - 
"SV-204549" + "SV-204612" ], - "id": "controls/SV-204549.rb" + "id": "controls/SV-204612.rb" }, { "title": null, "controls": [ - "SV-204507" + "SV-204515" ], - "id": "controls/SV-204507.rb" + "id": "controls/SV-204515.rb" }, { "title": null, "controls": [ - "SV-204625" + "SV-204558" ], - "id": "controls/SV-204625.rb" + "id": "controls/SV-204558.rb" }, { "title": null, "controls": [ - "SV-204555" + "SV-204410" ], - "id": "controls/SV-204555.rb" + "id": "controls/SV-204410.rb" }, { "title": null, "controls": [ - "SV-204404" + "SV-250313" ], - "id": "controls/SV-204404.rb" + "id": "controls/SV-250313.rb" }, { "title": null, "controls": [ - "SV-204600" + "SV-204412" ], - "id": "controls/SV-204600.rb" + "id": "controls/SV-204412.rb" }, { "title": null, "controls": [ - "SV-204457" + "SV-204437" ], - "id": "controls/SV-204457.rb" + "id": "controls/SV-204437.rb" }, { "title": null, "controls": [ - "SV-204557" + "SV-204574" ], - "id": "controls/SV-204557.rb" + "id": "controls/SV-204574.rb" }, { "title": null, "controls": [ - "SV-204398" + "SV-204470" ], - "id": "controls/SV-204398.rb" + "id": "controls/SV-204470.rb" }, { "title": null, "controls": [ - "SV-251702" + "SV-204490" ], - "id": "controls/SV-251702.rb" + "id": "controls/SV-204490.rb" }, { "title": null, "controls": [ - "SV-204504" + "SV-204536" ], - "id": "controls/SV-204504.rb" + "id": "controls/SV-204536.rb" }, { "title": null, "controls": [ - "SV-244558" + "SV-204425" ], - "id": "controls/SV-244558.rb" + "id": "controls/SV-204425.rb" }, { "title": null, "controls": [ - "SV-204500" + "SV-204632" ], - "id": "controls/SV-204500.rb" + "id": "controls/SV-204632.rb" }, { "title": null, "controls": [ - "SV-204609" + "SV-204547" ], - "id": "controls/SV-204609.rb" + "id": "controls/SV-204547.rb" }, { "title": null, "controls": [ - "SV-204470" + "SV-204460" ], - "id": "controls/SV-204470.rb" + "id": "controls/SV-204460.rb" }, { "title": null, "controls": [ - "SV-204629" + "SV-204596" ], - "id": "controls/SV-204629.rb" + 
"id": "controls/SV-204596.rb" }, { "title": null, "controls": [ - "SV-204450" + "SV-204399" ], - "id": "controls/SV-204450.rb" + "id": "controls/SV-204399.rb" }, { "title": null, "controls": [ - "SV-204591" + "SV-204562" ], - "id": "controls/SV-204591.rb" + "id": "controls/SV-204562.rb" }, { "title": null, "controls": [ - "SV-204585" + "SV-250314" ], - "id": "controls/SV-204585.rb" + "id": "controls/SV-250314.rb" }, { "title": null, "controls": [ - "SV-204563" + "SV-204420" ], - "id": "controls/SV-204563.rb" + "id": "controls/SV-204420.rb" }, { "title": null, "controls": [ - "SV-204474" + "SV-204449" ], - "id": "controls/SV-204474.rb" + "id": "controls/SV-204449.rb" }, { "title": null, "controls": [ - "SV-204620" + "SV-204453" ], - "id": "controls/SV-204620.rb" + "id": "controls/SV-204453.rb" }, { "title": null, "controls": [ - "SV-204618" + "SV-204474" ], - "id": "controls/SV-204618.rb" + "id": "controls/SV-204474.rb" }, { "title": null, "controls": [ - "SV-204574" + "SV-204392" ], - "id": "controls/SV-204574.rb" + "id": "controls/SV-204392.rb" }, { "title": null, "controls": [ - "SV-204399" + "SV-204408" ], - "id": "controls/SV-204399.rb" + "id": "controls/SV-204408.rb" }, { "title": null, "controls": [ - "SV-204513" + "SV-228564" ], - "id": "controls/SV-204513.rb" + "id": "controls/SV-228564.rb" }, { "title": null, "controls": [ - "SV-204442" + "SV-244557" ], - "id": "controls/SV-204442.rb" + "id": "controls/SV-244557.rb" }, { "title": null, "controls": [ - "SV-204567" + "SV-228563" ], - "id": "controls/SV-204567.rb" + "id": "controls/SV-228563.rb" }, { "title": null, "controls": [ - "SV-204521" + "SV-204608" ], - "id": "controls/SV-204521.rb" + "id": "controls/SV-204608.rb" }, { "title": null, "controls": [ - "SV-204403" + "SV-204624" ], - "id": "controls/SV-204403.rb" + "id": "controls/SV-204624.rb" }, { "title": null, "controls": [ - "SV-204587" + "SV-204507" ], - "id": "controls/SV-204587.rb" + "id": "controls/SV-204507.rb" }, { "title": null, "controls": [ 
- "SV-204556" + "SV-204428" ], - "id": "controls/SV-204556.rb" + "id": "controls/SV-204428.rb" }, { "title": null, "controls": [ - "SV-204548" + "SV-204486" ], - "id": "controls/SV-204548.rb" + "id": "controls/SV-204486.rb" }, { "title": null, "controls": [ - "SV-204411" + "SV-204606" ], - "id": "controls/SV-204411.rb" + "id": "controls/SV-204606.rb" }, { "title": null, "controls": [ - "SV-204602" + "SV-204466" ], - "id": "controls/SV-204602.rb" + "id": "controls/SV-204466.rb" }, { "title": null, "controls": [ - "SV-237633" + "SV-204445" ], - "id": "controls/SV-237633.rb" + "id": "controls/SV-204445.rb" }, { "title": null, "controls": [ - "SV-204634" + "SV-204469" ], - "id": "controls/SV-204634.rb" + "id": "controls/SV-204469.rb" }, { "title": null, "controls": [ - "SV-204400" + "SV-204413" ], - "id": "controls/SV-204400.rb" + "id": "controls/SV-204413.rb" }, { "title": null, "controls": [ - "SV-204583" + "SV-204404" ], - "id": "controls/SV-204583.rb" + "id": "controls/SV-204404.rb" }, { "title": null, "controls": [ - "SV-228564" + "SV-204620" ], - "id": "controls/SV-228564.rb" + "id": "controls/SV-204620.rb" }, { "title": null, "controls": [ - "SV-204417" + "SV-204577" ], - "id": "controls/SV-204417.rb" + "id": "controls/SV-204577.rb" }, { "title": null, "controls": [ - "SV-204462" + "SV-204549" ], - "id": "controls/SV-204462.rb" + "id": "controls/SV-204549.rb" }, { "title": null, "controls": [ - "SV-204560" + "SV-204476" ], - "id": "controls/SV-204560.rb" + "id": "controls/SV-204476.rb" }, { "title": null, "controls": [ - "SV-204431" + "SV-204415" ], - "id": "controls/SV-204431.rb" + "id": "controls/SV-204415.rb" }, { "title": null, "controls": [ - "SV-204461" + "SV-204550" ], - "id": "controls/SV-204461.rb" + "id": "controls/SV-204550.rb" }, { "title": null, "controls": [ - "SV-204598" + "SV-204626" ], - "id": "controls/SV-204598.rb" + "id": "controls/SV-204626.rb" }, { "title": null, "controls": [ - "SV-204619" + "SV-204599" ], - "id": "controls/SV-204619.rb" + 
"id": "controls/SV-204599.rb" }, { "title": null, "controls": [ - "SV-204615" + "SV-204576" ], - "id": "controls/SV-204615.rb" + "id": "controls/SV-204576.rb" }, { "title": null, "controls": [ - "SV-233307" + "SV-204580" ], - "id": "controls/SV-233307.rb" + "id": "controls/SV-204580.rb" }, { "title": null, "controls": [ - "SV-204454" + "SV-204501" ], - "id": "controls/SV-204454.rb" + "id": "controls/SV-204501.rb" }, { "title": null, "controls": [ - "SV-204607" + "SV-204586" ], - "id": "controls/SV-204607.rb" + "id": "controls/SV-204586.rb" }, { "title": null, "controls": [ - "SV-204509" + "SV-204542" ], - "id": "controls/SV-204509.rb" + "id": "controls/SV-204542.rb" }, { "title": null, "controls": [ - "SV-204473" + "SV-204541" ], - "id": "controls/SV-204473.rb" + "id": "controls/SV-204541.rb" }, { "title": null, "controls": [ - "SV-204430" + "SV-204487" ], - "id": "controls/SV-204430.rb" + "id": "controls/SV-204487.rb" }, { "title": null, "controls": [ - "SV-204547" + "SV-204419" ], - "id": "controls/SV-204547.rb" + "id": "controls/SV-204419.rb" }, { "title": null, "controls": [ - "SV-204562" + "SV-204592" ], - "id": "controls/SV-204562.rb" + "id": "controls/SV-204592.rb" }, { "title": null, "controls": [ - "SV-204510" + "SV-255926" ], - "id": "controls/SV-204510.rb" + "id": "controls/SV-255926.rb" }, { "title": null, "controls": [ - "SV-204493" + "SV-204468" ], - "id": "controls/SV-204493.rb" + "id": "controls/SV-204468.rb" }, { "title": null, "controls": [ - "SV-204559" + "SV-204582" ], - "id": "controls/SV-204559.rb" + "id": "controls/SV-204582.rb" }, { "title": null, "controls": [ - "SV-204481" + "SV-204509" ], - "id": "controls/SV-204481.rb" + "id": "controls/SV-204509.rb" }, { "title": null, "controls": [ - "SV-204489" + "SV-204446" ], - "id": "controls/SV-204489.rb" + "id": "controls/SV-204446.rb" }, { "title": null, "controls": [ - "SV-204418" + "SV-204394" ], - "id": "controls/SV-204418.rb" + "id": "controls/SV-204394.rb" }, { "title": null, "controls": [ 
- "SV-204517" + "SV-237634" ], - "id": "controls/SV-204517.rb" + "id": "controls/SV-237634.rb" }, { "title": null, "controls": [ - "SV-204414" + "SV-204398" ], - "id": "controls/SV-204414.rb" + "id": "controls/SV-204398.rb" }, { "title": null, "controls": [ - "SV-204593" + "SV-204538" ], - "id": "controls/SV-204593.rb" + "id": "controls/SV-204538.rb" }, { "title": null, "controls": [ - "SV-204565" + "SV-204455" ], - "id": "controls/SV-204565.rb" + "id": "controls/SV-204455.rb" }, { "title": null, "controls": [ - "SV-204424" + "SV-204622" ], - "id": "controls/SV-204424.rb" + "id": "controls/SV-204622.rb" }, { "title": null, "controls": [ - "SV-204594" + "SV-204587" ], - "id": "controls/SV-204594.rb" + "id": "controls/SV-204587.rb" }, { "title": null, "controls": [ - "SV-204459" + "SV-204472" ], - "id": "controls/SV-204459.rb" + "id": "controls/SV-204472.rb" }, { "title": null, "controls": [ - "SV-250312" + "SV-204585" ], - "id": "controls/SV-250312.rb" + "id": "controls/SV-204585.rb" }, { "title": null, "controls": [ - "SV-204626" + "SV-204556" ], - "id": "controls/SV-204626.rb" + "id": "controls/SV-204556.rb" }, { "title": null, "controls": [ - "SV-204590" + "SV-204482" ], - "id": "controls/SV-204590.rb" + "id": "controls/SV-204482.rb" }, { "title": null, "controls": [ - "SV-204584" + "SV-204623" ], - "id": "controls/SV-204584.rb" + "id": "controls/SV-204623.rb" }, { "title": null, "controls": [ - "SV-204464" + "SV-204613" ], - "id": "controls/SV-204464.rb" + "id": "controls/SV-204613.rb" }, { "title": null, "controls": [ - "SV-204433" + "SV-204564" ], - "id": "controls/SV-204433.rb" + "id": "controls/SV-204564.rb" } ], "sha256": "5d0ff8e89dc579ca8dfc30d6c7bc4be2ea7f0ac58d214f83e80a1ee8c0a3d899", diff --git a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json index b6007c21..321e0b38 100644 
--- a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json +++ b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json 
@@ -20,12 +20,12 @@ "inputs": [], "controls": [ { - "title": "A separate RHEL 8 filesystem must be used for user home directories\n(such as /home or an equivalent).", - "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "title": "The RHEL 8 operating system must implement DoD-approved encryption to\nprotect the confidentiality of SSH server connections.", + "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\n The system will attempt to use the first hash presented by the client that\nmatches the server list. 
Listing the values \"strongest to weakest\" is a\nmethod to ensure the use of the strongest hash available to secure the SSH\nconnection.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", - "check": "Verify that a separate file system has been created for non-privileged local interactive user home directories.\n\n Check the home directory assignment for all non-privileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n doej 1001 /home/doej\n publicj 1002 /home/publicj\n smithj 1003 /home/smithj\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, \"/home\") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the nonprivileged interactive users with the following command:\n\nNote: The partition of \"/home\" is used in the example.\n\n $ sudo grep /home /etc/fstab\n\n /dev/mapper/... /home xfs defaults,noexec,nosuid,nodev 0 0\n\nIf a separate entry for the file system/partition containing the nonprivileged interactive user home directories does not exist, this is a finding.", - "fix": "Migrate the \"/home\" directory onto a separate file system." + "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\n The system will attempt to use the first hash presented by the client that\nmatches the server list. Listing the values \"strongest to weakest\" is a\nmethod to ensure the use of the strongest hash available to secure the SSH\nconnection.", + "check": "Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command:\n\n $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config\n\n CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'\n\nIf the cipher entries in the \"opensshserver.config\" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.", + "fix": "Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com\n\nA reboot is required for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -35,33 +35,40 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230328", - "rid": "SV-230328r902723_rule", - "stig_id": "RHEL-08-010800", - "fix_id": "F-32972r902722_fix", + "gtitle": "SRG-OS-000250-GPOS-00093", + "satisfies": [ + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174", + "SRG-OS-000125-GPOS-00065" + ], + "gid": "V-230252", + "rid": "SV-230252r917873_rule", + "stig_id": "RHEL-08-010291", + "fix_id": "F-32896r917872_fix", "cci": [ - "CCI-000366" + "CCI-001453" ], "nist": [ - "CM-6 b" + "AC-17 (2)" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230328' do\n title 'A separate RHEL 8 filesystem must be used for user home directories\n(such as /home or an equivalent).'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', %q(Verify that a separate file system has been created for non-privileged local interactive user home directories.\n\n Check the home directory assignment for all non-privileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n doej 1001 /home/doej\n publicj 1002 /home/publicj\n smithj 1003 /home/smithj\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, \"/home\") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the nonprivileged interactive users with the following command:\n\nNote: The partition of \"/home\" is used in the example.\n\n $ sudo grep /home /etc/fstab\n\n /dev/mapper/... 
/home xfs defaults,noexec,nosuid,nodev 0 0\n\nIf a separate entry for the file system/partition containing the nonprivileged interactive user home directories does not exist, this is a finding.)\n desc 'fix', 'Migrate the \"/home\" directory onto a separate file system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230328'\n tag rid: 'SV-230328r902723_rule'\n tag stig_id: 'RHEL-08-010800'\n tag fix_id: 'F-32972r902722_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable inside a container, the containers host manages the containers filesystems') {\n !virtualization.system.eql?('docker')\n }\n\n ignore_shells = input('non_interactive_shells').join('|')\n homes = users.where { uid >= 1000 && !shell.match(ignore_shells) }.homes\n root_device = etc_fstab.where { mount_point == '/' }.device_name\n\n if input('seperate_filesystem_exempt')\n impact 0.0\n describe 'This system is not required to have sperate filesystems for each mount point' do\n skip 'The system is managing filesystems and space via other mechanisms; this requirement is Not Applicable'\n end\n else\n homes.each do |home|\n pn_parent = Pathname.new(home).parent.to_s\n home_device = etc_fstab.where { mount_point == pn_parent }.device_name\n\n describe \"The '#{pn_parent}' mount point\" do\n subject { home_device }\n\n it 'is not on the same partition as the root partition' do\n is_expected.not_to equal(root_device)\n end\n\n it 'has its own partition' do\n is_expected.not_to be_empty\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230252' do\n title 'The RHEL 8 operating system must implement DoD-approved encryption to\nprotect the confidentiality of SSH server connections.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD 
nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\n The system will attempt to use the first hash presented by the client that\nmatches the server list. Listing the values \"strongest to weakest\" is a\nmethod to ensure the use of the strongest hash available to secure the SSH\nconnection.'\n desc 'check', %q(Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command:\n\n $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config\n\n CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'\n\nIf the cipher entries in the \"opensshserver.config\" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.)\n desc 'fix', 'Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com\n\nA reboot is required for the changes to take effect.'\n impact 
0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-230252'\n tag rid: 'SV-230252r917873_rule'\n tag stig_id: 'RHEL-08-010291'\n tag fix_id: 'F-32896r917872_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)\n }\n\n describe parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config') do\n its('CRYPTO_POLICY') { should_not be_nil }\n end\n\n crypto_policy = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config')['CRYPTO_POLICY']\n\n unless crypto_policy.nil?\n describe parse_config(crypto_policy.gsub(/\\s|'/, \"\\n\")) do\n its('-oCiphers') { should cmp 'aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230328.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230252.rb", "line": 1 }, - "id": "SV-230328" + "id": "SV-230252" }, { - "title": "RHEL 8 must disable kernel dumps unless needed.", - "desc": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.\n\n RHEL 8 installation media presents the option to enable or disable the\nkdump service at the time of system installation.", + "title": "RHEL 8 must not have the sendmail package installed.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. 
These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.", "descriptions": { - "default": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. 
Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.\n\n RHEL 8 installation media presents the option to enable or disable the\nkdump service at the time of system installation.", - "check": "Verify that kernel core dumps are disabled unless needed with the following\ncommand:\n\n $ sudo systemctl status kdump.service\n\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor\npreset: enabled)\n Active: active (exited) since Mon 2020-05-04 16:08:09 EDT; 3min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n\n If the \"kdump\" service is active, ask the System Administrator if the use\nof the service is required and documented with the Information System Security\nOfficer (ISSO).\n\n If the service is active and is not documented, this is a finding.", - "fix": "If kernel core dumps are not required, disable the \"kdump\" service with\nthe following command:\n\n # systemctl disable kdump.service\n\n If kernel core dumps are required, document the need with the ISSO." + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.", + "check": "Check to see if the sendmail package is installed with the following\ncommand:\n\n $ sudo yum list installed sendmail\n\n If the sendmail package is installed, this is a finding.", + "fix": "Configure the operating system to disable non-essential capabilities by\nremoving the sendmail package from the system with the following command:\n\n $ sudo yum remove sendmail" }, "impact": 0.5, "refs": [ 
@@ -71,33 +78,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230310", - "rid": "SV-230310r627750_rule", - "stig_id": "RHEL-08-010670", - "fix_id": "F-32954r567677_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230489", + "rid": "SV-230489r627750_rule", + "stig_id": "RHEL-08-040002", + "fix_id": "F-33133r568214_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b" + "CM-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230310' do\n title 'RHEL 8 must disable kernel dumps unless needed.'\n desc 'Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.\n\n RHEL 8 installation media presents the option to enable or disable the\nkdump service at the time of system installation.'\n desc 'check', 'Verify that kernel core dumps are disabled unless needed with the following\ncommand:\n\n $ sudo systemctl status kdump.service\n\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor\npreset: enabled)\n Active: active (exited) since Mon 2020-05-04 16:08:09 EDT; 3min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n\n If the \"kdump\" service is active, ask the System Administrator if the use\nof the service is required and documented with the Information System Security\nOfficer (ISSO).\n\n If the service is active and is not documented, this is a finding.'\n desc 'fix', 'If kernel core dumps are not required, disable the \"kdump\" service with\nthe following command:\n\n # systemctl disable kdump.service\n\n If kernel core dumps are required, document the need with the ISSO.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 
'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230310'\n tag rid: 'SV-230310r627750_rule'\n tag stig_id: 'RHEL-08-010670'\n tag fix_id: 'F-32954r567677_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n kernel_dump = input('kernel_dump_expected_value')\n\n if kernel_dump == '|/bin/false'\n describe systemd_service('kdump.service') do\n it { should_not be_running }\n end\n else\n describe systemd_service('kdump.service') do\n it { should be_running }\n end\n end\nend\n", + "code": "control 'SV-230489' do\n title 'RHEL 8 must not have the sendmail package installed.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.'\n desc 'check', 'Check to see if the sendmail package is installed with the following\ncommand:\n\n $ sudo yum list installed sendmail\n\n If the sendmail package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by\nremoving the sendmail package from the system with the following command:\n\n $ sudo yum remove sendmail'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230489'\n tag rid: 'SV-230489r627750_rule'\n tag stig_id: 'RHEL-08-040002'\n tag fix_id: 'F-33133r568214_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n describe package('sendmail') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230310.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230489.rb", "line": 1 }, - "id": "SV-230310" + "id": "SV-230489" }, { - "title": "RHEL 8 must log user name information when unsuccessful logon attempts\noccur.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "Successful/unsuccessful uses of the chage command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chage\" command is\nused to change or view user password expiry information.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to log user\nname information when unsuccessful logon attempts occur:\n\n $ sudo grep audit /etc/security/faillock.conf\n\n audit\n\n If the \"audit\" option is not set, is missing or commented out, this is a\nfinding.", - "fix": "Configure the operating system to log user name information when\nunsuccessful logon attempts occur.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n audit" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chage\" command is\nused to change or view user password expiry information.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"chage\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chage /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-chage\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"chage\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-chage\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -107,38 +115,43 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000468-GPOS-00212", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-230343", - "rid": "SV-230343r743981_rule", - "stig_id": "RHEL-08-020021", - "fix_id": "F-32987r743980_fix", + "gid": "V-230418", + "rid": "SV-230418r627750_rule", + "stig_id": "RHEL-08-030250", + "fix_id": "F-33062r568001_fix", "cci": [ - "CCI-000044" + "CCI-000169" ], "nist": [ - "AC-7 a" + "AU-12 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230343' do\n title 'RHEL 8 must log user name information when unsuccessful logon attempts\noccur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to log user\nname information when unsuccessful logon attempts occur:\n\n $ sudo grep audit /etc/security/faillock.conf\n\n audit\n\n If the \"audit\" option is not set, is missing or commented out, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to log user name information when\nunsuccessful logon attempts occur.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n audit'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230343'\n tag rid: 'SV-230343r743981_rule'\n tag stig_id: 'RHEL-08-020021'\n tag fix_id: 'F-32987r743980_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('audit') { should_not be_nil }\n end\nend\n", + "code": "control 'SV-230418' do\n title 'Successful/unsuccessful uses of the chage command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). 
The \"chage\" command is\nused to change or view user password expiry information.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"chage\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chage /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-chage\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"chage\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-chage\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230418'\n tag rid: 'SV-230418r627750_rule'\n tag stig_id: 'RHEL-08-030250'\n tag fix_id: 'F-33062r568001_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chage'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 
'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230343.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230418.rb", "line": 1 }, - "id": "SV-230343" + "id": "SV-230418" }, { - "title": "RHEL 8 must mount /tmp with the noexec option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must prevent a user from overriding the screensaver\nlock-enabled setting for the graphical user interface.", + "desc": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/tmp\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if /tmp is\nmounted without the \"noexec\" option, this is a finding.", - "fix": "Configure the system so that /tmp is mounted with the \"noexec\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0" + "default": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at 
the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", + "check": "Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-enabled\n\n If the command does not return at least the example result, this is a\nfinding.", + "fix": "Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/screensaver/lock-enabled" }, "impact": 0.5, "refs": [ 
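Review bot: The new `satisfies` array for SV-230418 lists `"SRG-OS-000062-GPOS-00031"` twice (first and fourth entries), and the same duplicate is carried into the embedded Ruby `tag satisfies: [...]` string; a satisfies list is a set of requirement IDs, so the second occurrence should be dropped, leaving `"SRG-OS-000062-GPOS-00031", "SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000392-GPOS-00172", ...`. This file appears to be an `inspec json` export (the `source_location` and `code` fields), so the correction belongs in `./Red Hat 8 STIG/controls/SV-230418.rb` followed by regeneration rather than a hand edit of the JSON. Separately, the check text in this hunk documents the rule with `auid!=unset` while the InSpec expectation asserts `auid!=-1` in `audit_rule.fields`; this presumably relies on `auditctl -l` normalizing `unset` to `-1` on the target's audit version, which is worth confirming so that a rule written exactly as the fix text instructs is not reported as a finding.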
@@ -148,33 +161,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230513", - "rid": "SV-230513r854054_rule", - "stig_id": "RHEL-08-040125", - "fix_id": "F-33157r568286_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "gid": "V-244539", + "rid": "SV-244539r743866_rule", + "stig_id": "RHEL-08-020082", + "fix_id": "F-47771r743865_fix", "cci": [ - "CCI-001764" + "CCI-000057" ], "nist": [ - "CM-7 (2)" + "AC-11 a" ], "host": null }, - "code": "control 'SV-230513' do\n title 'RHEL 8 must mount /tmp with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/tmp\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if /tmp is\nmounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /tmp is mounted with the \"noexec\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230513'\n tag rid: 'SV-230513r854054_rule'\n tag stig_id: 'RHEL-08-040125'\n tag fix_id: 'F-33157r568286_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/tmp'\n option = 'noexec'\n mount_option_enabled = input('mount_tmp_options')[option]\n\n if mount_option_enabled\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\n else\n describe mount(path) do\n its('options') { should_not include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should_not include option }\n end\n end\nend\n", + "code": "control 'SV-244539' do\n title 'RHEL 8 must prevent a 
user from overriding the screensaver\nlock-enabled setting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.\"\n desc 'check', 'Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-enabled\n\n If the command does not return at least the example result, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/screensaver/lock-enabled'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-244539'\n tag rid: 'SV-244539r743866_rule'\n tag stig_id: 'RHEL-08-020082'\n tag fix_id: 'F-47771r743865_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if !package('gnome-desktop3').installed?\n impact 0.0\n describe 'The GNOME desktop is not installed, this control is Not Applicable.' 
do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('grep -i lock-enabled /etc/dconf/db/local.d/locks/*') do\n its('stdout.split') { should include '/org/gnome/desktop/screensaver/lock-enabled' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230513.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244539.rb", "line": 1 }, - "id": "SV-230513" + "id": "SV-244539" }, { - "title": "RHEL 8 must display the date and time of the last successful account\nlogon upon an SSH logon.", - "desc": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", + "title": "RHEL 8, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an\naccepted trust anchor.", + "desc": "Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. 
Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.", "descriptions": { - "default": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", - "check": "Verify SSH provides users with feedback on when account accesses last occurred with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*printlastlog'\n\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure SSH to provide users with feedback on when account accesses last\noccurred by setting the required configuration options in \"/etc/pam.d/sshd\"\nor in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\"\nwill be used in the example) (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party\nvendor).\n\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the\nfollowing:\n\n PrintLastLog yes\n\n The SSH service must be restarted for changes to \"sshd_config\" to take\neffect." + "default": "Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). 
A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.",
+ "check": "Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the system has a valid DoD root CA installed with the following command:\n\n$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem\n\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number: 1 (0x1)\n Signature Algorithm: sha256WithRSAEncryption\n Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Validity\n Not Before: Mar 20 18:46:41 2012 GMT\n Not After : Dec 30 18:46:41 2029 GMT\n Subject: C = US, O = U.S.
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n\nIf the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.",
+ "fix": "Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nObtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file:\n\n/etc/sssd/pki/sssd_auth_ca_db.pem"
 },
 "impact": 0.5,
 "refs": [
@@ -184,36 +202,39 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230382",
- "rid": "SV-230382r951614_rule",
- "stig_id": "RHEL-08-020350",
- "fix_id": "F-33026r567893_fix",
+ "gtitle": "SRG-OS-000066-GPOS-00034",
+ "satisfies": [
+ "SRG-OS-000066-GPOS-00034",
+ "SRG-OS-000384-GPOS-00167"
+ ],
+ "gid": "V-230229",
+ "rid": "SV-230229r858739_rule",
+ "stig_id": "RHEL-08-010090",
+ "fix_id": "F-32873r809269_fix",
 "cci": [
- "CCI-000366",
- "CCI-000052"
+ "CCI-000185"
 ],
 "nist": [
- "CM-6 b",
- "AC-9"
+ "IA-5 (2) (a)",
+ "IA-5 (2) (b) (1)"
 ],
 "host": null,
- "container-conditional": null
+ "container": null
 },
- "code": "control 'SV-230382' do\n title 'RHEL 8 must display the date and time of the last successful account\nlogon upon an SSH logon.'\n desc 'Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.'\n desc 'check', %q(Verify SSH provides users with feedback on when account accesses last occurred with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*printlastlog'\n\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure SSH to provide users with feedback on when account accesses last\noccurred by setting the required configuration options in \"/etc/pam.d/sshd\"\nor in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\"\nwill be used in the example) (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party\nvendor).\n\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the\nfollowing:\n\n PrintLastLog yes\n\n The SSH service must be restarted for changes to \"sshd_config\" to
take\neffect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230382'\n tag rid: 'SV-230382r951614_rule'\n tag stig_id: 'RHEL-08-020350'\n tag fix_id: 'F-33026r567893_fix'\n tag cci: ['CCI-000366', 'CCI-000052']\n tag nist: ['CM-6 b', 'AC-9']\n tag 'host'\n tag 'container-conditional'\n\n if virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_active_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\n end\nend\n",
+ "code": "control 'SV-230229' do\n title 'RHEL 8, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an\naccepted trust anchor.'\n desc 'Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted.
Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.'\n desc 'check', 'Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the system has a valid DoD root CA installed with the following command:\n\n$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem\n\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number: 1 (0x1)\n Signature Algorithm: sha256WithRSAEncryption\n Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Validity\n Not Before: Mar 20 18:46:41 2012 GMT\n Not After : Dec 30 18:46:41 2029 GMT\n Subject: C = US, O = U.S. 
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n\nIf the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.'\n desc 'fix', 'Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nObtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file:\n\n/etc/sssd/pki/sssd_auth_ca_db.pem'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000066-GPOS-00034'\n tag satisfies: ['SRG-OS-000066-GPOS-00034', 'SRG-OS-000384-GPOS-00167']\n tag gid: 'V-230229'\n tag rid: 'SV-230229r858739_rule'\n tag stig_id: 'RHEL-08-010090'\n tag fix_id: 'F-32873r809269_fix'\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (a)', 'IA-5 (2) (b) (1)']\n tag 'host'\n tag 'container'\n\n only_if('If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.', impact: 0.0) {\n !input('smart_card_enabled')\n }\n\n root_ca_file = input('root_ca_file')\n describe file(root_ca_file) do\n it { should exist }\n end\n\n describe 'Ensure the RootCA is a DoD-issued certificate with a valid date' do\n if file(root_ca_file).exist?\n subject { x509_certificate(root_ca_file) }\n it 'has the correct issuer_dn' do\n expect(subject.issuer_dn).to match('/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3')\n end\n it 'has the correct subject_dn' do\n expect(subject.subject_dn).to match('/C=US/O=U.S. 
Government/OU=DoD/OU=PKI/CN=DoD Root CA 3')\n end\n it 'is valid' do\n expect(subject.validity_in_days).to be > 0\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-230382.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-230229.rb",
 "line": 1
 },
- "id": "SV-230382"
+ "id": "SV-230229"
 },
 {
- "title": "A sticky bit must be set on all RHEL 8 public directories to prevent\nunauthorized and unintended information transferred via shared system\nresources.",
- "desc": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.",
+ "title": "RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.",
+ "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated.
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf",
 "descriptions": {
- "default": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products.
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.",
- "check": "Verify that all world-writable directories have the sticky bit set.\n\nCheck to see that all world-writable directories have the sticky bit set by running the following command:\n\n$ sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null\n\ndrwxrwxrwt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.",
- "fix": "Configure all world-writable directories to have the sticky bit set to\nprevent unauthorized and unintended information transferred via shared system\nresources.\n\n Set the sticky bit on all world-writable directories using the command,\nreplace \"[World-Writable Directory]\" with any directory path missing the\nsticky bit:\n\n $ sudo chmod 1777 [World-Writable Directory]"
+ "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf",
+ "check": "Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.",
+ "fix": "Configure RHEL 8 to ignore IPv4 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"
 },
 "impact": 0.5,
 "refs": [
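Review bot: The `only_if` guard inside the new `+ "code"` string for SV-230229 is `!input('smart_card_enabled')`, which runs the certificate checks only when smart-card authentication is not enabled and skips them — with the "approved alternate multifactor authentication method" message — exactly when it is, which looks inverted relative to the STIG note that message quotes (unless the profile defines that input as "an alternate MFA method is in use"). If the input means what its name says, the guard should read `only_if('If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.', impact: 0.0) { input('smart_card_enabled') }`. Also, `x509_certificate(root_ca_file)` appears to parse only the first PEM block, so a `sssd_auth_ca_db.pem` that holds several CA certificates is only partly checked, and `match('/C=US/O=U.S. Government/...')` falls back to an unanchored regex in which `.` is a wildcard, so the DN assertions are looser than they look. Because this JSON is generated from `./Red Hat 8 STIG/controls/SV-230229.rb` (the `ref` in this hunk), the correction belongs in that source file followed by regeneration of this artifact.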
@@ -223,75 +244,76 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000138-GPOS-00069",
- "gid": "V-230243",
- "rid": "SV-230243r792857_rule",
- "stig_id": "RHEL-08-010190",
- "fix_id": "F-32887r567476_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-244553",
+ "rid": "SV-244553r858818_rule",
+ "stig_id": "RHEL-08-040279",
+ "fix_id": "F-47785r858817_fix",
 "cci": [
- "CCI-001090"
+ "CCI-000366"
 ],
 "nist": [
- "SC-4"
+ "CM-6 b"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-230243' do\n title 'A sticky bit must be set on all RHEL 8 public directories to prevent\nunauthorized and unintended information transferred via shared system\nresources.'\n desc 'Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products.
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.'\n desc 'check', 'Verify that all world-writable directories have the sticky bit set.\n\nCheck to see that all world-writable directories have the sticky bit set by running the following command:\n\n$ sudo find / -type d \\\\( -perm -0002 -a ! -perm -1000 \\\\) -print 2>/dev/null\n\ndrwxrwxrwt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.'\n desc 'fix', 'Configure all world-writable directories to have the sticky bit set to\nprevent unauthorized and unintended information transferred via shared system\nresources.\n\n Set the sticky bit on all world-writable directories using the command,\nreplace \"[World-Writable Directory]\" with any directory path missing the\nsticky bit:\n\n $ sudo chmod 1777 [World-Writable Directory]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag gid: 'V-230243'\n tag rid: 'SV-230243r792857_rule'\n tag stig_id: 'RHEL-08-010190'\n tag fix_id: 'F-32887r567476_fix'\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host'\n tag 'container'\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n ww_dirs = command(\"find #{partitions} -type d \\\\( -perm -0002 -a ! -perm -1000 \\\\) -print 2>/dev/null\").stdout.split(\"\\n\")\n\n if ww_dirs.empty?\n describe 'List of world-writable directories on the target' do\n subject { ww_dirs }\n it { should be_empty }\n end\n else\n non_sticky_ww_dirs = ww_dirs.reject { |dir| file(dir).sticky? 
}\n describe 'All world-writeable directories' do\n it 'should have the sticky bit set' do\n fail_msg = \"Public directories without sticky bit:\\n\\t- #{non_sticky_ww_dirs.join(\"\\n\\t- \")}\"\n expect(non_sticky_ww_dirs).to be_empty, fail_msg\n end\n end\n end\nend\n",
+ "code": "control 'SV-244553' do\n title 'RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom.
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to ignore IPv4 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244553'\n tag rid: 'SV-244553r858818_rule'\n tag stig_id: 'RHEL-08-040279'\n tag fix_id: 'F-47785r858817_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 
b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.accept_redirects'\n action = 'IPv4 redirect messages'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not 
have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-230243.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-244553.rb",
 "line": 1
 },
- "id": "SV-230243"
+ "id": "SV-244553"
 },
 {
- "title": "All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.",
- "desc": "RHEL 8 systems handling data requiring \"data at rest\" protections\n must employ cryptographic mechanisms to prevent unauthorized disclosure and\n modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).",
+ "title": "RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.",
+ "desc": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries.\n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.",
 "descriptions": {
- "default": "RHEL 8 systems handling data requiring \"data at rest\" protections\n must employ cryptographic mechanisms to prevent unauthorized disclosure and\n modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation.
Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).",
- "check": "Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.\n\nIf there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable.\n\nVerify all system partitions are encrypted with the following command:\n\n $ sudo blkid\n\n /dev/mapper/rhel-root: UUID=\"67b7d7fe-de60-6fd0-befb-e6748cf97743\" TYPE=\"crypto_LUKS\"\n\nEvery persistent disk partition present must be of type \"crypto_LUKS\". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type \"crypto_LUKS\", ask the administrator to indicate how the partitions are encrypted.\n\nIf there is no evidence that these partitions are encrypted, this is a finding.",
- "fix": "Configure RHEL 8 to prevent unauthorized modification of all information at\nrest by using disk encryption.\n\n Encrypting a partition in an already installed system is more difficult,\n because existing partitions will need to be resized and changed. To encrypt an\n entire partition, dedicate a partition for encryption in the partition layout."
+ "default": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader.
Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries.\n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.",
+ "check": "Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if FIPS mode is enabled with the following command:\n\n $ fips-mode-setup --check\n FIPS mode is enabled\n\nIf FIPS mode is \"enabled\", check to see if the kernel boot parameter is configured for FIPS mode with the following command:\n\n $ sudo grub2-editenv list | grep fips\n kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n $ sudo cat /proc/sys/crypto/fips_enabled\n 1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.",
+ "fix": "Configure the operating system to implement DOD-approved encryption by following the steps below:\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system
installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nEnable FIPS mode after installation (not strict FIPS-compliant) with the following command:\n\n $ sudo fips-mode-setup --enable\n\nReboot the system for the changes to take effect."
 },
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [
 {
 "ref": "DPMS Target Red Hat Enterprise Linux 8"
 }
 ],
 "tags": {
- "severity": "medium",
- "gtitle": "SRG-OS-000185-GPOS-00079",
+ "severity": "high",
+ "gtitle": "SRG-OS-000033-GPOS-00014",
 "satisfies": [
- "SRG-OS-000185-GPOS-00079",
- "SRG-OS-000404-GPOS-00183",
- "SRG-OS-000405-GPOS-00184"
+ "SRG-OS-000033-GPOS-00014",
+ "SRG-OS-000125-GPOS-00065",
+ "SRG-OS-000396-GPOS-00176",
+ "SRG-OS-000423-GPOS-00187",
+ "SRG-OS-000478-GPOS-00223"
 ],
- "gid": "V-230224",
- "rid": "SV-230224r917864_rule",
- "stig_id": "RHEL-08-010030",
- "fix_id": "F-32868r567419_fix",
+ "gid": "V-230223",
+ "rid": "SV-230223r928585_rule",
+ "stig_id": "RHEL-08-010020",
+ "fix_id": "F-32867r928584_fix",
 "cci": [
- "CCI-001199"
+ "CCI-000068"
 ],
 "nist": [
- "SC-28"
+ "AC-17 (2)"
 ],
 "host": null
 },
- "code": "control 'SV-230224' do\n title 'All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.'\n desc 'RHEL 8 systems handling data requiring \"data at rest\" protections\n must employ cryptographic mechanisms to prevent unauthorized disclosure and\n modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation.
Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).'\n desc 'check', 'Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.\n\nIf there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable.\n\nVerify all system partitions are encrypted with the following command:\n\n $ sudo blkid\n\n /dev/mapper/rhel-root: UUID=\"67b7d7fe-de60-6fd0-befb-e6748cf97743\" TYPE=\"crypto_LUKS\"\n\nEvery persistent disk partition present must be of type \"crypto_LUKS\". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type \"crypto_LUKS\", ask the administrator to indicate how the partitions are encrypted.\n\nIf there is no evidence that these partitions are encrypted, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent unauthorized modification of all information at\nrest by using disk encryption.\n\n Encrypting a partition in an already installed system is more difficult,\n because existing partitions will need to be resized and changed. 
To encrypt an\n entire partition, dedicate a partition for encryption in the partition layout.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000185-GPOS-00079'\n tag satisfies: ['SRG-OS-000185-GPOS-00079', 'SRG-OS-000404-GPOS-00183', 'SRG-OS-000405-GPOS-00184']\n tag gid: 'V-230224'\n tag rid: 'SV-230224r917864_rule'\n tag stig_id: 'RHEL-08-010030'\n tag fix_id: 'F-32868r567419_fix'\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n tag 'host'\n\n all_args = command('blkid').stdout.strip.split(\"\\n\").map { |s| s.sub(/^\"(.*)\"$/, '\\1') }\n\n def describe_and_skip(message)\n describe message do\n skip message\n end\n end\n\n # TODO: This should really have a resource\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe_and_skip('Disk Encryption and Data At Rest Implementation is handled on the Container Host')\n elsif input('data_at_rest_exempt') == true\n impact 0.0\n describe_and_skip('Data At Rest Requirements have been set to Not Applicabe by the `data_at_rest_exempt` input.')\n elsif all_args.empty?\n # TODO: Determine if this is an NA vs and NR or even a pass\n describe_and_skip('Command blkid did not return and non-psuedo block devices.')\n else\n all_args.each do |args|\n describe args do\n it { should match(/\\bcrypto_LUKS\\b/) }\n end\n end\n end\nend\n", + "code": "control 'SV-230223' do\n title 'RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'\n desc 'Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. 
The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries.\n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.'\n desc 'check', 'Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if FIPS mode is enabled with the following command:\n\n $ fips-mode-setup --check\n FIPS mode is enabled\n\nIf FIPS mode is \"enabled\", check to see if the kernel boot parameter is configured for FIPS mode with the following command:\n\n $ sudo grub2-editenv list | grep fips\n kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n $ sudo cat /proc/sys/crypto/fips_enabled\n 1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", 
this is a finding.'\n desc 'fix', 'Configure the operating system to implement DOD-approved encryption by following the steps below:\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nEnable FIPS mode after installation (not strict FIPS-compliant) with the following command:\n\n $ sudo fips-mode-setup --enable\n\nReboot the system for the changes to take effect.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000125-GPOS-00065', 'SRG-OS-000396-GPOS-00176', 'SRG-OS-000423-GPOS-00187', 'SRG-OS-000478-GPOS-00223']\n tag gid: 'V-230223'\n tag rid: 'SV-230223r928585_rule'\n tag stig_id: 'RHEL-08-010020'\n tag fix_id: 'F-32867r928584_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable in a container' do\n skip 'The host OS controls the FIPS mode settings. 
The host OS should also be scanned with the applicable OS validation profile.'\n end\n elsif input('use_fips') == false\n impact 0.0\n describe 'This control is Not Applicable as FIPS is not required for this system' do\n skip 'This control is Not Applicable as FIPS is not required for this system'\n end\n else\n describe command('fips-mode-setup --check') do\n its('stdout.strip') { should match(/FIPS mode is enabled/) }\n end\n\n grub_config = command('grub2-editenv - list').stdout\n\n describe parse_config(grub_config) do\n its('kernelopts') { should match(/fips=1/) }\n end\n\n describe file('/proc/sys/crypto/fips_enabled') do\n its('content.strip') { should cmp '1' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230224.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230223.rb", "line": 1 }, - "id": "SV-230224" + "id": "SV-230223" }, { - "title": "RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.", - "desc": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "title": "RHEL 8 must disable kernel dumps unless needed.", + "desc": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. 
Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.\n\n RHEL 8 installation media presents the option to enable or disable the\nkdump service at the time of system installation.", "descriptions": { - "default": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of 
the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", - "check": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*banner'\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect." + "default": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. 
Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.\n\n RHEL 8 installation media presents the option to enable or disable the\nkdump service at the time of system installation.", + "check": "Verify that kernel core dumps are disabled unless needed with the following\ncommand:\n\n $ sudo systemctl status kdump.service\n\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor\npreset: enabled)\n Active: active (exited) since Mon 2020-05-04 16:08:09 EDT; 3min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n\n If the \"kdump\" service is active, ask the System Administrator if the use\nof the service is required and documented with the Information System Security\nOfficer (ISSO).\n\n If the service is active and is not documented, this is a finding.", + "fix": "If kernel core dumps are not required, disable the \"kdump\" service with\nthe following command:\n\n # systemctl disable kdump.service\n\n If kernel core dumps are required, document the need with the ISSO." }, "impact": 0.5, "refs": [ 
@@ -301,38 +323,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000228-GPOS-00088" - ], - "gid": "V-230225", - "rid": "SV-230225r951590_rule", - "stig_id": "RHEL-08-010040", - "fix_id": "F-32869r951589_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230310", + "rid": "SV-230310r627750_rule", + "stig_id": "RHEL-08-010670", + "fix_id": "F-32954r567677_fix", "cci": [ - "CCI-000048" + "CCI-000366" ], "nist": [ - "AC-8 a" + "CM-6 b" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230225' do\n title 'RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.'\n desc %q(Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\")\n desc 'check', %q(Verify any publicly accessible connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*banner'\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.)\n desc 'fix', 'Configure the operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-230225'\n tag rid: 'SV-230225r951590_rule'\n tag stig_id: 'RHEL-08-010040'\n tag fix_id: 'F-32869r951589_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {\n !virtualization.system.eql?('docker') || file('/etc/ssh/sshd_config').exist?\n }\n\n # When Banner is commented, not found, disabled, or the specified file does not exist, this is a finding.\n banner_file = sshd_active_config.banner\n\n # Banner property is commented out.\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n\n # Banner property is set to \"none\"\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n\n # Banner property provides a path to a file, however, it does not exist.\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n\n # Banner property provides a path to a file and it exists.\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? 
&& file(banner_file).exist?\n\n banner = file(banner_file).content.gsub(/[\\r\\n\\s]/, '')\n expected_banner = input('banner_message_text_ral').gsub(/[\\r\\n\\s]/, '')\n\n describe 'The SSHD Banner' do\n it 'is set to the standard banner and has the correct text' do\n expect(banner).to eq(expected_banner), 'Banner does not match expected text'\n end\n end\nend\n", + "code": "control 'SV-230310' do\n title 'RHEL 8 must disable kernel dumps unless needed.'\n desc 'Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.\n\n RHEL 8 installation media presents the option to enable or disable the\nkdump service at the time of system installation.'\n desc 'check', 'Verify that kernel core dumps are disabled unless needed with the following\ncommand:\n\n $ sudo systemctl status kdump.service\n\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor\npreset: enabled)\n Active: active (exited) since Mon 2020-05-04 16:08:09 EDT; 3min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n\n If the \"kdump\" service is active, ask the System Administrator if the use\nof the service is required and documented with the Information System Security\nOfficer (ISSO).\n\n If the service is active and is not documented, this is a finding.'\n desc 'fix', 'If kernel core dumps are not required, disable the \"kdump\" service with\nthe following command:\n\n # systemctl disable kdump.service\n\n If kernel core dumps are required, document the need with the ISSO.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230310'\n tag rid: 'SV-230310r627750_rule'\n tag stig_id: 'RHEL-08-010670'\n tag fix_id: 'F-32954r567677_fix'\n tag cci: 
['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n kernel_dump = input('kernel_dump_expected_value')\n\n if kernel_dump == '|/bin/false'\n describe systemd_service('kdump.service') do\n it { should_not be_running }\n end\n else\n describe systemd_service('kdump.service') do\n it { should be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230225.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230310.rb", "line": 1 }, - "id": "SV-230225" + "id": "SV-230310" }, { - "title": "RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur during a 15-minute time period.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Check that the system locks an account after three unsuccessful logon\nattempts within a period of 15 minutes with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"fail_interval\" option is not set to \"900\" or less (but not\n\"0\") on the \"preauth\" lines with the \"pam_faillock.so\" module, or is\nmissing from this line, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"fail_interval\" option is not set to \"900\" or less (but not\n\"0\") on the \"preauth\" lines with the \"pam_faillock.so\" module, or is\nmissing from this line, this is a finding.", - "fix": "Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 
unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/gshadow /etc/audit/audit.rules\n\n -w /etc/gshadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/gshadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
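Review bot: On the added `"code"` line for SV-230310, the `else` branch asserts `it { should be_running }`, which fails any host where kdump is simply stopped while `kernel_dump_expected_value` is anything other than `'|/bin/false'`, even though the check text makes only an active and undocumented service a finding; the sentinel `'|/bin/false'` also reads like a `kernel.core_pattern` value rather than a service-state expectation, and the input's declaration and default are outside this hunk, so what it is meant to express cannot be confirmed here. Since the fix text disables the unit, the not-required branch should also assert `it { should_not be_enabled }` next to `it { should_not be_running }`, otherwise a unit that is stopped but still enabled passes today and re-arms on reboot. The documented-exception branch would match the check text more closely as `impact 0.0` plus a `describe ... do skip ... end` stating that the documented need must be verified with the ISSO, rather than a positive `be_running` assertion. Given the `source_location` entry points at `./Red Hat 8 STIG/controls/SV-230310.rb`, this JSON appears to be exported from that control, so the change belongs in the control file and should then be re-exported rather than edited here.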
@@ -342,38 +359,52 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000021-GPOS-00005",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
 "satisfies": [
- "SRG-OS-000021-GPOS-00005",
- "SRG-OS-000329-GPOS-00128"
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000004-GPOS-00004",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000304-GPOS-00121",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000470-GPOS-00214",
+ "SRG-OS-000471-GPOS-00215",
+ "SRG-OS-000239-GPOS-00089",
+ "SRG-OS-000240-GPOS-00090",
+ "SRG-OS-000241-GPOS-00091",
+ "SRG-OS-000303-GPOS-00120",
+ "SRG-OS-000304-GPOS-00121",
+ "SRG-OS-000466-GPOS-00210",
+ "SRG-OS-000476-GPOS-00221"
 ],
- "gid": "V-230334",
- "rid": "SV-230334r627750_rule",
- "stig_id": "RHEL-08-020012",
- "fix_id": "F-32978r567749_fix",
+ "gid": "V-230407",
+ "rid": "SV-230407r627750_rule",
+ "stig_id": "RHEL-08-030160",
+ "fix_id": "F-33051r567968_fix",
 "cci": [
- "CCI-000044"
+ "CCI-000169"
 ],
 "nist": [
- "AC-7 a"
+ "AU-12 a"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-230334' do\n title 'RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur during a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the system locks an account after three unsuccessful logon\nattempts within a period of 15 minutes with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"fail_interval\" option is not set to \"900\" or less (but not\n\"0\") on the \"preauth\" lines with the \"pam_faillock.so\" module, or is\nmissing from this line, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"fail_interval\" option is not set to \"900\" or less (but not\n\"0\") on the \"preauth\" lines with the \"pam_faillock.so\" module, or is\nmissing from this line, this is a finding.'\n desc 'fix', 'Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root 
fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230334'\n tag rid: 'SV-230334r627750_rule'\n tag stig_id: 'RHEL-08-020012'\n tag fix_id: 'F-32978r567749_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL version 8.1 and earlier. If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_integer_arg('fail_interval',\n '<=', input('fail_interval'))\n }\n end\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_integer_arg('fail_interval',\n '<=', input('fail_interval'))\n }\n end\nend\n", + "code": "control 'SV-230407' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 
'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/gshadow /etc/audit/audit.rules\n\n -w /etc/gshadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/gshadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230407'\n tag rid: 'SV-230407r627750_rule'\n tag stig_id: 'RHEL-08-030160'\n tag fix_id: 'F-33051r567968_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/gshadow'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-230334.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-230407.rb",
 "line": 1
 },
- "id": "SV-230334"
+ "id": "SV-230407"
 },
 {
- "title": "RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.",
- "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf",
+ "title": "RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.",
+ "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. 
Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to ignore IPv4 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.",
+ "check": "For systems that use UEFI, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/grub2/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.",
+ "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg"
 },
 "impact": 0.5,
 "refs": [ 
@@ -383,143 +414,142 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-244553",
- "rid": "SV-244553r858818_rule",
- "stig_id": "RHEL-08-040279",
- "fix_id": "F-47785r858817_fix",
+ "gtitle": "SRG-OS-000080-GPOS-00048",
+ "gid": "V-244522",
+ "rid": "SV-244522r792984_rule",
+ "stig_id": "RHEL-08-010149",
+ "fix_id": "F-47754r743814_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000213"
 ],
 "nist": [
- "CM-6 b"
+ "AC-3"
 ],
 "host": null
 },
- "code": "control 'SV-244553' do\n title 'RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
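Review bot: The new `satisfies` array for SV-230407 lists `SRG-OS-000062-GPOS-00031` twice (it is also the `gtitle`) and `SRG-OS-000304-GPOS-00121` twice, so any consumer that tallies SRG coverage from this baseline will double-count both requirements. The same duplicated list is carried verbatim inside the `code` string's `tag satisfies:` line, so the second occurrences should be dropped from both the JSON array and the embedded InSpec source in the same change, otherwise the two copies drift. Reducing the tag object to `"host": null` is consistent with the container `only_if` guard in the new `code`, so no change is needed there. The SV-230407 control object itself begins before this hunk, so its `title`/`desc` fields were not reviewed here.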
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to ignore IPv4 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244553'\n tag rid: 'SV-244553r858818_rule'\n tag stig_id: 'RHEL-08-040279'\n tag fix_id: 'F-47785r858817_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 
b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.accept_redirects'\n action = 'IPv4 redirect messages'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not 
have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244522' do\n title 'RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.'\n desc 'check', 'For systems that use UEFI, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/grub2/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.'\n desc 'fix', 'Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-244522'\n tag rid: 'SV-244522r792984_rule'\n tag stig_id: 'RHEL-08-010149'\n tag fix_id: 'F-47754r743814_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n else\n describe parse_config_file(input('grub_main_cfg')) do\n its('set superusers') { should_not be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244553.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244522.rb", "line": 1 }, - "id": "SV-244553" + "id": "SV-244522" }, { - "title": "RHEL 8 must be a vendor-supported release.", - "desc": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\n Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.\n\n Note: The life-cycle time spans and dates are subject to adjustment.", + "title": "RHEL 8 must implement non-executable data to protect its memory from\nunauthorized code execution.", + "desc": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", "descriptions": { - "default": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\n Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. 
Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.\n\n Note: The life-cycle time spans and dates are subject to adjustment.", - "check": "Verify the version of the operating system is vendor supported.\n\nNote: The lifecycle time spans and dates are subject to adjustment.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.6 (Ootpa)\n\nCurrent End of Extended Update Support for RHEL 8.1 is 30 November 2021.\n\nCurrent End of Extended Update Support for RHEL 8.2 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.4 is 31 May 2023.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 31 May 2022.\n\nCurrent End of Extended Update Support for RHEL 8.6 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 31 May 2023.\n\nCurrent End of Extended Update Support for RHEL 8.8 is 31 May 2025.\n\nCurrent End of Maintenance Support for RHEL 8.9 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.10 is 31 May 2029.\n\nIf the release is not supported by the vendor, this is a finding.", - "fix": "Upgrade to a supported version of RHEL 8." + "default": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. 
Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", + "check": "Verify the NX (no-execution) bit flag is set on the system.\n\n Check that the no-execution bit flag is set with the following commands:\n\n $ sudo dmesg | grep NX\n\n [ 0.000000] NX (Execute Disable) protection: active\n\n If \"dmesg\" does not show \"NX (Execute Disable) protection\" active,\ncheck the cpuinfo settings with the following command:\n\n $ sudo less /proc/cpuinfo | grep -i flags\n flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\n If \"flags\" does not contain the \"nx\" flag, this is a finding.", + "fix": "The NX bit execute protection must be enabled in the system\nBIOS." }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230221", - "rid": "SV-230221r858734_rule", - "stig_id": "RHEL-08-010000", - "fix_id": "F-32865r567410_fix", + "severity": "medium", + "gtitle": "SRG-OS-000433-GPOS-00192", + "gid": "V-230276", + "rid": "SV-230276r854031_rule", + "stig_id": "RHEL-08-010420", + "fix_id": "F-32920r567575_fix", "cci": [ - "CCI-000366" + "CCI-002824" ], "nist": [ - "CM-6 b" + "SI-16" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230221' do\n title 'RHEL 8 must be a vendor-supported release.'\n desc 'An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\n Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. 
The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.\n\n Note: The life-cycle time spans and dates are subject to adjustment.'\n desc 'check', 'Verify the version of the operating system is vendor supported.\n\nNote: The lifecycle time spans and dates are subject to adjustment.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.6 (Ootpa)\n\nCurrent End of Extended Update Support for RHEL 8.1 is 30 November 2021.\n\nCurrent End of Extended Update Support for RHEL 8.2 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.4 is 31 May 2023.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 31 May 2022.\n\nCurrent End of Extended Update Support for RHEL 8.6 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 31 May 2023.\n\nCurrent End of Extended Update Support for RHEL 8.8 is 31 May 2025.\n\nCurrent End of Maintenance Support for RHEL 8.9 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.10 is 31 May 2029.\n\nIf the release is not supported by the vendor, this is a finding.'\n desc 'fix', 'Upgrade to a supported version of RHEL 8.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230221'\n tag rid: 'SV-230221r858734_rule'\n tag stig_id: 'RHEL-08-010000'\n tag fix_id: 'F-32865r567410_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n release = os.release\n\n EOMS_DATE = {\n /^8\\.1/ => '30 November 2021',\n /^8\\.2/ => '30 April 2022',\n /^8\\.3/ => '30 April 2021',\n /^8\\.4/ => '31 May 2023',\n /^8\\.5/ 
=> '31 May 2022',\n /^8\\.6/ => '31 May 2024',\n /^8\\.7/ => '31 May 2023',\n /^8\\.8/ => '31 May 2025',\n /^8\\.9/ => '31 May 2024',\n /^8\\.10/ => '31 May 2029'\n }.find { |k, _v| k.match(release) }&.last\n\n describe \"The release \\\"#{release}\\\" is still be within the support window\" do\n it \"ending on #{EOMS_DATE}\" do\n expect(Date.today).to be <= Date.parse(EOMS_DATE)\n end\n end\nend\n", + "code": "control 'SV-230276' do\n title 'RHEL 8 must implement non-executable data to protect its memory from\nunauthorized code execution.'\n desc 'Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.'\n desc 'check', 'Verify the NX (no-execution) bit flag is set on the system.\n\n Check that the no-execution bit flag is set with the following commands:\n\n $ sudo dmesg | grep NX\n\n [ 0.000000] NX (Execute Disable) protection: active\n\n If \"dmesg\" does not show \"NX (Execute Disable) protection\" active,\ncheck the cpuinfo settings with the following command:\n\n $ sudo less /proc/cpuinfo | grep -i flags\n flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\n If \"flags\" does not contain the \"nx\" flag, this is a finding.'\n desc 'fix', 'The NX bit execute protection must be enabled in the system\nBIOS.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000433-GPOS-00192'\n tag gid: 'V-230276'\n tag rid: 'SV-230276r854031_rule'\n tag stig_id: 'RHEL-08-010420'\n tag fix_id: 'F-32920r567575_fix'\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n tag 'host'\n\n only_if('This 
control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }\n\n dmesg_nx_conf = command('dmesg | grep NX').stdout.match(/:\\s+(\\S+)$/).captures.first\n cpuinfo_flags = parse_config_file('/proc/cpuinfo', options).flags.split\n\n describe.one do\n describe 'The no-execution bit flag' do\n it 'should be set in kernel messages' do\n expect(dmesg_nx_conf).to eq('active'), \"dmesg does not show NX protection set to 'active'\"\n end\n end\n describe 'The no-execution bit flag' do\n it 'should be set in CPU info' do\n expect(cpuinfo_flags).to include('nx'), \"'nx' flag not set in /proc/cpuinfo flags\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230221.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230276.rb", "line": 1 }, - "id": "SV-230221" + "id": "SV-230276" }, { - "title": "RHEL 8 must not send Internet Control Message Protocol (ICMP)\nredirects.", - "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "There must be no .shosts files on the RHEL 8 operating system.", + "desc": "The \".shosts\" files are used to configure host-based authentication\nfor individual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0\n\nIf \"net.ipv4.conf.all.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.send_redirects=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "The \".shosts\" files are used to configure host-based authentication\nfor individual users or the system via SSH. 
Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", + "check": "Verify there are no \".shosts\" files on RHEL 8 with the following command:\n\n$ sudo find / -name '*.shosts'\n\nIf any \".shosts\" files are found, this is a finding.", + "fix": "Remove any found \".shosts\" files from the system.\n\n$ sudo rm /[path]/[to]/[file]/.shosts" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", + "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230536", - "rid": "SV-230536r858795_rule", - "stig_id": "RHEL-08-040220", - "fix_id": "F-33180r858794_fix", + "gid": "V-230284", + "rid": "SV-230284r627750_rule", + "stig_id": "RHEL-08-010470", + "fix_id": "F-32928r567599_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230536' do\n title 'RHEL 8 must not send Internet Control Message Protocol (ICMP)\nredirects.'\n desc %q(ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0\n\nIf \"net.ipv4.conf.all.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.send_redirects=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 
'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230536'\n tag rid: 'SV-230536r858795_rule'\n tag stig_id: 'RHEL-08-040220'\n tag fix_id: 'F-33180r858794_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.send_redirects'\n action = 'IPv4 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set 
the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230284' do\n title 'There must be no .shosts files on the RHEL 8 operating system.'\n desc 'The \".shosts\" files are used to configure host-based authentication\nfor individual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.'\n desc 'check', %q(Verify there are no \".shosts\" files on RHEL 8 with the following command:\n\n$ sudo find / -name '*.shosts'\n\nIf any \".shosts\" files are found, this is a finding.)\n desc 'fix', 'Remove any found \".shosts\" files from the system.\n\n$ sudo rm /[path]/[to]/[file]/.shosts'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230284'\n tag rid: 'SV-230284r627750_rule'\n tag stig_id: 'RHEL-08-010470'\n tag fix_id: 'F-32928r567599_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n shosts_files = command('find / -xdev -xautofs -name .shosts').stdout.strip.split(\"\\n\")\n\n describe 'The RHEL8 filesystem' do\n it 'should not have any .shosts files present' do\n expect(shosts_files).to be_empty, \"Discovered .shosts files:\\n\\t- #{shosts_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 
STIG/controls/SV-230536.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230284.rb", "line": 1 }, - "id": "SV-230536" + "id": "SV-230284" }, { - "title": "The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.", - "desc": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "title": "RHEL 8 must use a separate file system for the system audit data path.", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", - "check": "Verify the SSH daemon does not allow GSSAPI authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*gssapiauthentication'\n\nGSSAPIAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow GSSAPI authentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n GSSAPIAuthentication no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "check": "Verify that a separate file system/partition has been created for the\nsystem audit data path with the following command:\n\n Note: /var/log/audit is used as the example as it is a common location.\n\n $ sudo grep /var/log/audit /etc/fstab\n\n UUID=3645951a /var/log/audit xfs defaults 1 2\n\n If an entry for \"/var/log/audit\" does not exist, ask the System\nAdministrator if the system audit logs are being written to a different file\nsystem/partition on the system, then grep for that file system/partition.\n\n If a separate file system/partition does not exist for the system audit\ndata path, this is a finding.", + "fix": "Migrate the system audit data path onto a separate file system." }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", + "severity": "low", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244528", - "rid": "SV-244528r952106_rule", - "stig_id": "RHEL-08-010522", - "fix_id": "F-47760r743832_fix", + "gid": "V-230294", + "rid": "SV-230294r627750_rule", + "stig_id": "RHEL-08-010542", + "fix_id": "F-32938r567629_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-244528' do\n title 'The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.'\n desc 'Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow GSSAPI authentication with the following command:\n\n$ sudo 
/usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*gssapiauthentication'\n\nGSSAPIAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow GSSAPI authentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n GSSAPIAuthentication no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244528'\n tag rid: 'SV-244528r952106_rule'\n tag stig_id: 'RHEL-08-010522'\n tag fix_id: 'F-47760r743832_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n setting = 'GSSAPIAuthentication'\n gssapi_authentication = input('sshd_config_values')\n value = gssapi_authentication[setting]\n\n if virtualization.system.eql?('docker')\n describe 'In a container Environment' do\n if package('openssh-server').installed?\n it 'the OpenSSH Server should be installed when allowed in Docker environment' do\n expect(input('allow_container_openssh_server')).to eq(true), 'OpenSSH Server is installed but not approved for the Docker environment'\n end\n else\n it 'the OpenSSH Server is not installed' do\n skip 'This requirement is not applicable as the OpenSSH Server is not installed in the Docker environment.'\n end\n end\n end\n else\n describe 'The OpenSSH Server configuration' do\n it \"has the correct #{setting} configuration\" do\n expect(sshd_active_config.params[setting.downcase]).to cmp(value), \"The 
#{setting} setting in the SSHD config is not correct. Please ensure it set to '#{value}'.\"\n end\n end\n end\nend\n", + "code": "control 'SV-230294' do\n title 'RHEL 8 must use a separate file system for the system audit data path.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system/partition has been created for the\nsystem audit data path with the following command:\n\n Note: /var/log/audit is used as the example as it is a common location.\n\n $ sudo grep /var/log/audit /etc/fstab\n\n UUID=3645951a /var/log/audit xfs defaults 1 2\n\n If an entry for \"/var/log/audit\" does not exist, ask the System\nAdministrator if the system audit logs are being written to a different file\nsystem/partition on the system, then grep for that file system/partition.\n\n If a separate file system/partition does not exist for the system audit\ndata path, this is a finding.'\n desc 'fix', 'Migrate the system audit data path onto a separate file system.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230294'\n tag rid: 'SV-230294r627750_rule'\n tag stig_id: 'RHEL-08-010542'\n tag fix_id: 'F-32938r567629_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_data_path = command(\"dirname #{auditd_conf.log_file}\").stdout.strip\n\n describe mount(audit_data_path) do\n it { should be_mounted }\n end\n\n describe etc_fstab.where { mount_point == audit_data_path } do\n it { should exist }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244528.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230294.rb", "line": 1 }, - "id": "SV-244528" + "id": "SV-230294" }, { - "title": "The RHEL 8 
operating system must implement DoD-approved TLS encryption\nin the GnuTLS package.", - "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Transport Layer Security (TLS) encryption is a required security setting as\na number of known vulnerabilities have been reported against Secure Sockets\nLayer (SSL) and earlier versions of TLS. Encryption of private information is\nessential to ensuring data confidentiality. If private information is not\nencrypted, it can be intercepted and easily read by an unauthorized party. SQL\nServer must use a minimum of FIPS 140-2-approved TLS version 1.2, and all\nnon-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52\nspecifies the preferred configurations for government systems.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n The GnuTLS library offers an API to access secure communications protocols.\n SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto\npolicy defines employed algorithms in the\n/etc/crypto-policies/back-ends/gnutls.config file.", + "title": "RHEL 8 must automatically lock command line user sessions after 15\nminutes of inactivity.", + "desc": "Terminating an idle session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. 
In addition, quickly terminating an idle session will also free up\nresources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. This does not mean the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Transport Layer Security (TLS) encryption is a required security setting as\na number of known vulnerabilities have been reported against Secure Sockets\nLayer (SSL) and earlier versions of TLS. Encryption of private information is\nessential to ensuring data confidentiality. If private information is not\nencrypted, it can be intercepted and easily read by an unauthorized party. SQL\nServer must use a minimum of FIPS 140-2-approved TLS version 1.2, and all\nnon-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52\nspecifies the preferred configurations for government systems.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n The GnuTLS library offers an API to access secure communications protocols.\n SSLv2 is not available in the GnuTLS library. 
The RHEL 8 system-wide crypto\npolicy defines employed algorithms in the\n/etc/crypto-policies/back-ends/gnutls.config file.", - "check": "Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions:\n\n$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config\n\n+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM\n\nIf the \"gnutls.config\" does not list \"-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0\" to disable unapproved SSL/TLS versions, this is a finding.", - "fix": "Configure the RHEL 8 GnuTLS library to use only DoD-approved encryption by\nadding the following line to \"/etc/crypto-policies/back-ends/gnutls.config\":\n\n +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0\n\n A reboot is required for the changes to take effect." + "default": "Terminating an idle session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle session will also free up\nresources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. 
This does not mean the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", + "check": "Verify the operating system initiates a session lock after 15 minutes of\ninactivity.\n\n Check the value of the system inactivity timeout with the following command:\n\n $ sudo grep -i lock-after-time /etc/tmux.conf\n\n set -g lock-after-time 900\n\n If \"lock-after-time\" is not set to \"900\" or less in the global tmux\nconfiguration file to enforce session lock after inactivity, this is a finding.", + "fix": "Configure the operating system to enforce session lock after a period of 15\nminutes of inactivity by adding the following line to the \"/etc/tmux.conf\"\nglobal configuration file:\n\n set -g lock-after-time 900" }, "impact": 0.5, "refs": [ 
@@ -529,38 +559,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000250-GPOS-00093", + "gtitle": "SRG-OS-000029-GPOS-00010", "satisfies": [ - "SRG-OS-000250-GPOS-00093", - "SRG-OS-000423-GPOS-00187" + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012" ], - "gid": "V-230256", - "rid": "SV-230256r877394_rule", - "stig_id": "RHEL-08-010295", - "fix_id": "F-32900r567515_fix", + "gid": "V-230353", + "rid": "SV-230353r627750_rule", + "stig_id": "RHEL-08-020070", + "fix_id": "F-32997r567806_fix", "cci": [ - "CCI-001453" + "CCI-000057" ], "nist": [ - "AC-17 (2)" + "AC-11 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230256' do\n title 'The RHEL 8 operating system must implement DoD-approved TLS encryption\nin the GnuTLS package.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Transport Layer Security (TLS) encryption is a required security setting as\na number of known vulnerabilities have been reported against Secure Sockets\nLayer (SSL) and earlier versions of TLS. Encryption of private information is\nessential to ensuring data confidentiality. If private information is not\nencrypted, it can be intercepted and easily read by an unauthorized party. SQL\nServer must use a minimum of FIPS 140-2-approved TLS version 1.2, and all\nnon-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52\nspecifies the preferred configurations for government systems.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n The GnuTLS library offers an API to access secure communications protocols.\n SSLv2 is not available in the GnuTLS library. 
The RHEL 8 system-wide crypto\npolicy defines employed algorithms in the\n/etc/crypto-policies/back-ends/gnutls.config file.'\n desc 'check', 'Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions:\n\n$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config\n\n+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM\n\nIf the \"gnutls.config\" does not list \"-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0\" to disable unapproved SSL/TLS versions, this is a finding.'\n desc 'fix', 'Configure the RHEL 8 GnuTLS library to use only DoD-approved encryption by\nadding the following line to \"/etc/crypto-policies/back-ends/gnutls.config\":\n\n +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000423-GPOS-00187']\n tag gid: 'V-230256'\n tag rid: 'SV-230256r877394_rule'\n tag stig_id: 'RHEL-08-010295'\n tag fix_id: 'F-32900r567515_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container'\n\n gnutls = file('/etc/crypto-policies/back-ends/gnutls.config').content.upcase.strip.split(':')\n unapproved_versions = input('unapproved_ssl_tls_versions').map(&:upcase)\n failing_versions = unapproved_versions - gnutls\n\n describe 'GnuTLS' do\n it 'should disable unapproved SSL/TLS versions' do\n expect(failing_versions).to be_empty, \"GnuTLS should not allow:\\n\\t- #{failing_versions.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230353' do\n title 'RHEL 8 must automatically lock command line user sessions after 15\nminutes of inactivity.'\n desc 'Terminating an idle session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to 
take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle session will also free up\nresources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. This does not mean the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.'\n desc 'check', 'Verify the operating system initiates a session lock after 15 minutes of\ninactivity.\n\n Check the value of the system inactivity timeout with the following command:\n\n $ sudo grep -i lock-after-time /etc/tmux.conf\n\n set -g lock-after-time 900\n\n If \"lock-after-time\" is not set to \"900\" or less in the global tmux\nconfiguration file to enforce session lock after inactivity, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce session lock after a period of 15\nminutes of inactivity by adding the following line to the \"/etc/tmux.conf\"\nglobal configuration file:\n\n set -g lock-after-time 900'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012']\n tag gid: 'V-230353'\n tag rid: 'SV-230353r627750_rule'\n tag stig_id: 'RHEL-08-020070'\n tag fix_id: 'F-32997r567806_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n timeout = command('grep -i lock-after-time 
/etc/tmux.conf').stdout.strip.match(/lock-after-time\\s+(?\\d+)/)\n expected_timeout = input('system_activity_timeout')\n\n describe 'tmux settings' do\n it 'should set lock-after-time' do\n expect(timeout).to_not be_nil, 'lock-after-time not set'\n end\n unless timeout.nil?\n it \"should lock the session after #{expected_timeout} seconds\" do\n expect(timeout['timeout'].to_i).to cmp <= expected_timeout\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230256.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230353.rb", "line": 1 }, - "id": "SV-230256" + "id": "SV-230353" }, { - "title": "RHEL 8 operating systems booted with United Extensible Firmware\nInterface (UEFI) must require a unique superusers name upon booting into\nsingle-user mode and maintenance.", - "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", + "title": "RHEL 8 must require the maximum number of repeating characters of the\nsame character class be limited to four when passwords are changed.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"maxclassrepeat\" option sets the maximum number of allowed\nsame consecutive characters in the same class in the new password.", "descriptions": { - "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.", - "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.", - "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg" + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"maxclassrepeat\" option sets the maximum number of allowed\nsame consecutive characters in the same class in the new password.", + "check": "Check for the value of the \"maxclassrepeat\" option with the following command:\n\n$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:maxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = 4\n\nRemove any configurations that conflict with the above value." }, "impact": 0.5, "refs": [ 
@@ -570,33 +599,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-244521", - "rid": "SV-244521r792982_rule", - "stig_id": "RHEL-08-010141", - "fix_id": "F-47753r743811_fix", + "gtitle": "SRG-OS-000072-GPOS-00040", + "gid": "V-230360", + "rid": "SV-230360r858777_rule", + "stig_id": "RHEL-08-020140", + "fix_id": "F-33004r858776_fix", "cci": [ - "CCI-000213" + "CCI-000195" ], "nist": [ - "AC-3" + "IA-5 (1) (b)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-244521' do\n title 'RHEL 8 operating systems booted with United Extensible Firmware\nInterface (UEFI) must require a unique superusers name upon booting into\nsingle-user mode and maintenance.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.'\n desc 'check', 'For systems that use BIOS, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.'\n desc 'fix', 'Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-244521'\n tag rid: 'SV-244521r792982_rule'\n tag stig_id: 'RHEL-08-010141'\n tag fix_id: 'F-47753r743811_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if file('/sys/firmware/efi').exist?\n describe parse_config_file(input('grub_uefi_main_cfg')) do\n its('set superusers') { should cmp '\"root\"' }\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running BIOS, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-230360' do\n title 'RHEL 8 must require the maximum number of repeating characters of the\nsame character class be limited to four when passwords are changed.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"maxclassrepeat\" option sets the maximum number of allowed\nsame consecutive characters in the same class in the new password.'\n desc 'check', 'Check for the value of the \"maxclassrepeat\" option with the following command:\n\n$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:maxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = 4\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-230360'\n tag rid: 'SV-230360r858777_rule'\n tag stig_id: 'RHEL-08-020140'\n tag fix_id: 'F-33004r858776_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host'\n tag 'container'\n\n value = input('maxclassrepeat')\n setting = 'maxclassrepeat'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to more than #{value}\" do\n expect(setting_value.first.to_i).to be <= value.to_i, \"#{setting} is set to a value greater than #{value} in pwquality.conf\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244521.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230360.rb", "line": 1 }, - "id": "SV-244521" + "id": "SV-230360" }, { - "title": "RHEL 8 must be configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services, as defined in the Ports,\nProtocols, and Services Management (PPSM) Category Assignments List (CAL) and\nvulnerability assessments.", - "desc": "To prevent unauthorized connection of devices, unauthorized transfer\nof information, or unauthorized tunneling (i.e., embedding of data types within\ndata types), organizations must disable or restrict unused or unnecessary\nphysical and logical ports/protocols on information systems.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services provided by default may not be\nnecessary to support essential organizational operations. 
Additionally, it is\nsometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the\nservices provided by any one component.\n\n To support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing only\nessential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality-of-life issues.", + "title": "All RHEL 8 local interactive user home directories defined in the\n/etc/passwd file must exist.", + "desc": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the \"/\" directory as the current\nworking directory upon logon. This could create a denial of service because the\nuser would not be able to access their logon configuration files, and it may\ngive them visibility to system files they normally would not be able to access.", "descriptions": { - "default": "To prevent unauthorized connection of devices, unauthorized transfer\nof information, or unauthorized tunneling (i.e., embedding of data types within\ndata types), organizations must disable or restrict unused or unnecessary\nphysical and logical ports/protocols on information systems.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services provided by default may not be\nnecessary to support essential organizational operations. 
Additionally, it is\nsometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the\nservices provided by any one component.\n\n To support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing only\nessential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality-of-life issues.", - "check": "Inspect the firewall configuration and running services to verify it is\nconfigured to prohibit or restrict the use of functions, ports, protocols,\nand/or services that are unnecessary or prohibited.\n\n Check which services are currently active with the following command:\n\n $ sudo firewall-cmd --list-all-zones\n\n custom (active)\n target: DROP\n icmp-block-inversion: no\n interfaces: ens33\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n\n Ask the System Administrator for the site or program Ports, Protocols, and\nServices Management Component Local Service Assessment (PPSM CLSA). Verify the\nservices allowed by the firewall match the PPSM CLSA.\n\n If there are additional ports, protocols, or services that are not in the\nPPSM CLSA, or there are ports, protocols, or services that are prohibited by\nthe PPSM Category Assurance List (CAL), this is a finding.", - "fix": "Update the host's firewall settings and/or running services to\ncomply with the PPSM Component Local Service Assessment (CLSA) for the site or\nprogram and the PPSM CAL." + "default": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the \"/\" directory as the current\nworking directory upon logon. 
This could create a denial of service because the\nuser would not be able to access their logon configuration files, and it may\ngive them visibility to system files they normally would not be able to access.", + "check": "Verify the assigned home directory of all local interactive users on RHEL 8\nexists with the following command:\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}'\n/etc/passwd)\n\n drwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\n Note: This may miss interactive users that have been assigned a privileged\nUser ID (UID). Evidence of interactive use may be obtained from a number of log\nfiles containing system logon information.\n\n Check that all referenced home directories exist with the following command:\n\n $ sudo pwck -r\n\n user 'smithj': directory '/home/smithj' does not exist\n\n If any home directories referenced in \"/etc/passwd\" are returned as not\ndefined, this is a finding.", + "fix": "Create home directories to all local interactive users that currently do\nnot have a home directory assigned. Use the following commands to create the\nuser home directory assigned in \"/etc/ passwd\":\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\", a UID of \"smithj\", and a Group Identifier (GID) of \"users\nassigned\" in \"/etc/passwd\".\n\n $ sudo mkdir /home/smithj\n $ sudo chown smithj /home/smithj\n $ sudo chgrp users /home/smithj\n $ sudo chmod 0750 /home/smithj" }, "impact": 0.5, "refs": [ 
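Review bot: The new `code` string for SV-230360 does not implement the `0` case that its own check text calls a finding: the only bound is `expect(setting_value.first.to_i).to be <= value.to_i`, and `maxclassrepeat = 0` disables the limit in pwquality, so a disabled setting passes. It also parses only `/etc/security/pwquality.conf`, while the check text runs `grep -r maxclassrepeat /etc/security/pwquality.conf*` and treats conflicting results as a finding, so a conflicting value in a drop-in file matched by that glob is never seen by the "only sets once" assertion. Consider adding `expect(setting_value.first.to_i).to be > 0, "#{setting} is set to 0 (disabled) in pwquality.conf"` alongside the upper bound, and reading every file the `pwquality.conf*` glob covers before counting occurrences. The same upper-bound-only comparison is present in the SV-230353 control in the previous hunk.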
@@ -606,69 +636,69 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000096-GPOS-00050", - "gid": "V-230500", - "rid": "SV-230500r627750_rule", - "stig_id": "RHEL-08-040030", - "fix_id": "F-33144r568247_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230323", + "rid": "SV-230323r627750_rule", + "stig_id": "RHEL-08-010750", + "fix_id": "F-32967r567716_fix", "cci": [ - "CCI-000382" + "CCI-000366" ], "nist": [ - "CM-7 b" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230500' do\n title 'RHEL 8 must be configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services, as defined in the Ports,\nProtocols, and Services Management (PPSM) Category Assignments List (CAL) and\nvulnerability assessments.'\n desc 'To prevent unauthorized connection of devices, unauthorized transfer\nof information, or unauthorized tunneling (i.e., embedding of data types within\ndata types), organizations must disable or restrict unused or unnecessary\nphysical and logical ports/protocols on information systems.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services provided by default may not be\nnecessary to support essential organizational operations. 
Additionally, it is\nsometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the\nservices provided by any one component.\n\n To support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing only\nessential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality-of-life issues.'\n desc 'check', 'Inspect the firewall configuration and running services to verify it is\nconfigured to prohibit or restrict the use of functions, ports, protocols,\nand/or services that are unnecessary or prohibited.\n\n Check which services are currently active with the following command:\n\n $ sudo firewall-cmd --list-all-zones\n\n custom (active)\n target: DROP\n icmp-block-inversion: no\n interfaces: ens33\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n\n Ask the System Administrator for the site or program Ports, Protocols, and\nServices Management Component Local Service Assessment (PPSM CLSA). 
Verify the\nservices allowed by the firewall match the PPSM CLSA.\n\n If there are additional ports, protocols, or services that are not in the\nPPSM CLSA, or there are ports, protocols, or services that are prohibited by\nthe PPSM Category Assurance List (CAL), this is a finding.'\n desc 'fix', \"Update the host's firewall settings and/or running services to\ncomply with the PPSM Component Local Service Assessment (CLSA) for the site or\nprogram and the PPSM CAL.\"\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000096-GPOS-00050'\n tag gid: 'V-230500'\n tag rid: 'SV-230500r627750_rule'\n tag stig_id: 'RHEL-08-040030'\n tag fix_id: 'F-33144r568247_fix'\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n firewalld_properties = input('firewalld_properties')\n\n describe firewalld do\n it { should be_running }\n end\n describe firewalld do\n its('ports') { should cmp [firewalld_properties['ports']] }\n its('protocols') { should cmp [firewalld_properties['protocols']] }\n its('services') { should cmp [firewalld_properties['services']] }\n end\nend\n", + "code": "control 'SV-230323' do\n title 'All RHEL 8 local interactive user home directories defined in the\n/etc/passwd file must exist.'\n desc 'If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the \"/\" directory as the current\nworking directory upon logon. 
This could create a denial of service because the\nuser would not be able to access their logon configuration files, and it may\ngive them visibility to system files they normally would not be able to access.'\n desc 'check', %q(Verify the assigned home directory of all local interactive users on RHEL 8\nexists with the following command:\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}'\n/etc/passwd)\n\n drwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\n Note: This may miss interactive users that have been assigned a privileged\nUser ID (UID). Evidence of interactive use may be obtained from a number of log\nfiles containing system logon information.\n\n Check that all referenced home directories exist with the following command:\n\n $ sudo pwck -r\n\n user 'smithj': directory '/home/smithj' does not exist\n\n If any home directories referenced in \"/etc/passwd\" are returned as not\ndefined, this is a finding.)\n desc 'fix', 'Create home directories to all local interactive users that currently do\nnot have a home directory assigned. 
Use the following commands to create the\nuser home directory assigned in \"/etc/ passwd\":\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\", a UID of \"smithj\", and a Group Identifier (GID) of \"users\nassigned\" in \"/etc/passwd\".\n\n $ sudo mkdir /home/smithj\n $ sudo chown smithj /home/smithj\n $ sudo chgrp users /home/smithj\n $ sudo chmod 0750 /home/smithj'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230323'\n tag rid: 'SV-230323r627750_rule'\n tag stig_id: 'RHEL-08-010750'\n tag fix_id: 'F-32967r567716_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_home_users = input('exempt_home_users')\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n iuser_entries = passwd.where { uid.to_i >= uid_min && shell !~ /nologin/ && !exempt_home_users.include?(user) }\n\n if !iuser_entries.users.nil? && !iuser_entries.users.empty?\n failing_homedirs = iuser_entries.homes.reject { |home|\n file(home).exist?\n }\n describe 'All non-exempt interactive user account home directories on the system' do\n it 'should exist' do\n expect(failing_homedirs).to be_empty, \"Failing home directories:\\n\\t- #{failing_homedirs.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'No non-exempt interactive user accounts' do\n it 'were detected on the system' do\n expect(true).to eq(true)\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230500.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230323.rb", "line": 1 }, - "id": "SV-230500" + "id": "SV-230323" }, { - "title": "RHEL 8 must mount /var/log with the noexec option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must restrict access to the kernel message buffer.", + "desc": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nRestricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/log\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/var/log is mounted without the \"noexec\" option, this is a finding.", - "fix": "Configure the system so that /var/log is mounted with the \"noexec\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0" + "default": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back 
to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nRestricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\nCheck the status of the kernel.dmesg_restrict kernel parameter.\n\n$ sudo sysctl kernel.dmesg_restrict\n\nkernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to restrict access to the kernel message buffer.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230516", - "rid": "SV-230516r854057_rule", - "stig_id": "RHEL-08-040128", - "fix_id": "F-33160r568295_fix", + "severity": "low", + "gtitle": "SRG-OS-000138-GPOS-00069", 
+ "gid": "V-230269", + "rid": "SV-230269r858756_rule", + "stig_id": "RHEL-08-010375", + "fix_id": "F-32913r858755_fix", "cci": [ - "CCI-001764" + "CCI-001090" ], "nist": [ - "CM-7 (2)" + "SC-4" ], "host": null }, - "code": "control 'SV-230516' do\n title 'RHEL 8 must mount /var/log with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/var/log is mounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log is mounted with the \"noexec\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230516'\n tag rid: 'SV-230516r854057_rule'\n tag stig_id: 'RHEL-08-040128'\n tag fix_id: 'F-33160r568295_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log'\n option = 'noexec'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230269' do\n title 'RHEL 8 must restrict access to the kernel message buffer.'\n desc 'Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of 
processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nRestricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\nCheck the status of the kernel.dmesg_restrict kernel parameter.\n\n$ sudo sysctl kernel.dmesg_restrict\n\nkernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to restrict access to the kernel message buffer.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag gid: 'V-230269'\n tag rid: 'SV-230269r858756_rule'\n tag stig_id: 'RHEL-08-010375'\n tag fix_id: 'F-32913r858755_fix'\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host'\n\n only_if('Control not applicable within 
a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'kernel.dmesg_restrict'\n\n describe kernel_parameter(action) do\n its('value') { should eq 1 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? { |line| line.match(/#{action}\\s*=\\s*1$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^1]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230516.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230269.rb", "line": 1 }, - "id": "SV-230516" + "id": "SV-230269" }, { - "title": "RHEL 8 must use a Linux Security Module configured to enforce limits\non system services.", - "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", + "title": "RHEL 8 must disable access to network bpf syscall from unprivileged\nprocesses.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", - "check": "Verify the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following\ncommand:\n\n $ sudo getenforce\n Enforcing\n\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a\nfinding.", - "fix": "Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUX=enforcing\n\n A reboot is required for the changes to take effect." + "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:\n\n$ sudo sysctl kernel.unprivileged_bpf_disabled\n\nkernel.unprivileged_bpf_disabled = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1\n\nIf \"kernel.unprivileged_bpf_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.unprivileged_bpf_disabled = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
@@ -678,33 +708,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-230240", - "rid": "SV-230240r627750_rule", - "stig_id": "RHEL-08-010170", - "fix_id": "F-32884r567467_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230545", + "rid": "SV-230545r858822_rule", + "stig_id": "RHEL-08-040281", + "fix_id": "F-33189r858821_fix", "cci": [ - "CCI-001084" + "CCI-000366" ], "nist": [ - "SC-3" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230240' do\n title 'RHEL 8 must use a Linux Security Module configured to enforce limits\non system services.'\n desc 'Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.'\n desc 'check', 'Verify the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following\ncommand:\n\n $ sudo getenforce\n Enforcing\n\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUX=enforcing\n\n A reboot is required for the changes to take effect.'\n 
impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag gid: 'V-230240'\n tag rid: 'SV-230240r627750_rule'\n tag stig_id: 'RHEL-08-010170'\n tag fix_id: 'F-32884r567467_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n describe selinux do\n it { should be_enforcing }\n end\nend\n", + "code": "control 'SV-230545' do\n title 'RHEL 8 must disable access to network bpf syscall from unprivileged\nprocesses.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:\n\n$ sudo sysctl kernel.unprivileged_bpf_disabled\n\nkernel.unprivileged_bpf_disabled = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1\n\nIf \"kernel.unprivileged_bpf_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.unprivileged_bpf_disabled = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230545'\n tag rid: 'SV-230545r858822_rule'\n tag stig_id: 'RHEL-08-040281'\n tag fix_id: 'F-33189r858821_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.unprivileged_bpf_disabled'\n action = 'bpf syscall from unprivileged processes'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the 
`#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230240.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230545.rb", "line": 1 }, - "id": "SV-230240" + "id": "SV-230545" }, { - "title": "RHEL 8 must log user name information when unsuccessful logon attempts\noccur.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.", + "title": "RHEL 8 must allow only the Information System Security Manager (ISSM)\n(or individuals or roles appointed by the ISSM) to select which auditable\nevents are to be audited.", + "desc": "Without the capability to restrict the roles and individuals that can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.", - "check": "Check that the system logs user name information when unsuccessful logon\nattempts occur with the following commands:\n\n If the system is RHEL version 8.2 or newer, this check is not applicable.\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"audit\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"audit\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.", - "fix": "Configure the operating system to log user name information when\nunsuccessful logon attempts occur.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + "default": "Without the capability to restrict the roles and individuals that can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", + "check": "Verify that the files in directory \"/etc/audit/rules.d/\" and\n\"/etc/audit/auditd.conf\" file have a mode of \"0640\" or less permissive by\nusing the following commands:\n\n $ sudo ls -al /etc/audit/rules.d/*.rules\n\n -rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n\n $ sudo ls -l /etc/audit/auditd.conf\n\n -rw-r----- 1 root root 621 Sep 22 17:19 auditd.conf\n\n If the files in the \"/etc/audit/rules.d/\" directory or the\n\"/etc/audit/auditd.conf\" file have a mode more permissive than \"0640\", this\nis a finding.", + "fix": "Configure the files in directory \"/etc/audit/rules.d/\" and the\n\"/etc/audit/auditd.conf\" file to have a mode of \"0640\" with the following\ncommands:\n\n $ sudo chmod 0640 /etc/audit/rules.d/audit.rules\n $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules\n $ sudo chmod 0640 /etc/audit/auditd.conf" }, "impact": 0.5, "refs": [ 
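Review bot: The `only_if` in the new SV-230545 code string, `only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) { !input('network_router') }`, exempts routers from the `kernel.unprivileged_bpf_disabled` check, yet nothing in the hunk's check or fix text grants a router exemption (the text says any value other than "1", or no line at all, is a finding) and unprivileged BPF access is unrelated to packet forwarding, so the guard looks copied from a forwarding/redirect sysctl control — confirm against the sibling controls. As written, a host whose `network_router` input is true silently skips a privilege-escalation hardening check at impact 0.0 with nothing in the results to show it; drop that `only_if` and keep only the existing Docker branch. Separately, the grep call `command("grep -r ^#{parameter} #{sysctl_config_files} {} \\;")` carries `find -exec` residue: `{}` and `;` are handed to grep as extra file operands, which today only adds "No such file" noise on stderr but should read `command("grep -r ^#{parameter} #{sysctl_config_files}")`. The JSON object for this control opens in the previous hunk (title and descriptions), so only its tags and code are visible here.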
@@ -714,36 +744,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", - "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" - ], - "gid": "V-230342", - "rid": "SV-230342r646872_rule", - "stig_id": "RHEL-08-020020", - "fix_id": "F-32986r567773_fix", + "gtitle": "SRG-OS-000063-GPOS-00032", + "gid": "V-230471", + "rid": "SV-230471r627750_rule", + "stig_id": "RHEL-08-030610", + "fix_id": "F-33115r568160_fix", "cci": [ - "CCI-000044" + "CCI-000171" ], "nist": [ - "AC-7 a" - ] + "AU-12 b" + ], + "host": null }, - "code": "control 'SV-230342' do\n title 'RHEL 8 must log user name information when unsuccessful logon attempts\noccur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.'\n desc 'check', 'Check that the system logs user name information when unsuccessful logon\nattempts occur with the following commands:\n\n If the system is RHEL version 8.2 or newer, this check is not applicable.\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"audit\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"audit\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.'\n desc 'fix', 'Configure the operating system to log user name information when\nunsuccessful logon attempts occur.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230342'\n tag rid: 'SV-230342r646872_rule'\n tag stig_id: 'RHEL-08-020020'\n tag fix_id: 'F-32986r567773_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n\n only_if('If the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('audit')\n }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('audit')\n }\n end\nend\n", + "code": "control 'SV-230471' do\n title 'RHEL 8 must allow only the Information System Security Manager (ISSM)\n(or individuals or roles appointed by the ISSM) to select which auditable\nevents are to be audited.'\n desc \"Without the capability to restrict the roles and individuals that can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. 
Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.\"\n desc 'check', 'Verify that the files in directory \"/etc/audit/rules.d/\" and\n\"/etc/audit/auditd.conf\" file have a mode of \"0640\" or less permissive by\nusing the following commands:\n\n $ sudo ls -al /etc/audit/rules.d/*.rules\n\n -rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n\n $ sudo ls -l /etc/audit/auditd.conf\n\n -rw-r----- 1 root root 621 Sep 22 17:19 auditd.conf\n\n If the files in the \"/etc/audit/rules.d/\" directory or the\n\"/etc/audit/auditd.conf\" file have a mode more permissive than \"0640\", this\nis a finding.'\n desc 'fix', 'Configure the files in directory \"/etc/audit/rules.d/\" and the\n\"/etc/audit/auditd.conf\" file to have a mode of \"0640\" with the following\ncommands:\n\n $ sudo chmod 0640 /etc/audit/rules.d/audit.rules\n $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules\n $ sudo chmod 0640 /etc/audit/auditd.conf'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000063-GPOS-00032'\n tag gid: 'V-230471'\n tag rid: 'SV-230471r627750_rule'\n tag stig_id: 'RHEL-08-030610'\n tag fix_id: 'F-33115r568160_fix'\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n rules_files = bash('ls -d /etc/audit/rules.d/*.rules').stdout.strip.split.append('/etc/audit/auditd.conf')\n\n failing_files = rules_files.select { |rf| file(rf).more_permissive_than?(input('audit_conf_mode')) }\n\n describe 'Audit configuration files' do\n it \"should be no more permissive than '#{input('audit_conf_mode')}'\" do\n expect(failing_files).to be_empty, \"Failing files:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 
STIG/controls/SV-230342.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230471.rb", "line": 1 }, - "id": "SV-230342" + "id": "SV-230471" }, { - "title": "RHEL 8 must ensure account lockouts persist.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "The RHEL 8 pam_unix.so module must be configured in the system-auth\nfile to use a FIPS 140-2 approved cryptographic hashing algorithm for system\nauthentication.", + "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Note: This check applies to RHEL versions 8.2 or newer. 
If the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured use a\nnon-default faillock directory to ensure contents persist after reboot:\n\n $ sudo grep 'dir =' /etc/security/faillock.conf\n\n dir = /var/log/faillock\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory, is missing or commented out, this is a finding.", - "fix": "Configure the operating system maintain the contents of the faillock\ndirectory after a reboot.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n dir = /var/log/faillock" + "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "check": "Verify that pam_unix.so module is configured to use sha512.\n\nCheck that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/system-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512" }, "impact": 0.5, "refs": [ 
@@ -753,38 +780,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", - "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" - ], - "gid": "V-230339", - "rid": "SV-230339r743975_rule", - "stig_id": "RHEL-08-020017", - "fix_id": "F-32983r743974_fix", + "gtitle": "SRG-OS-000120-GPOS-00061", + "gid": "V-244524", + "rid": "SV-244524r809331_rule", + "stig_id": "RHEL-08-010159", + "fix_id": "F-47756r809330_fix", "cci": [ - "CCI-000044" + "CCI-000803" ], "nist": [ - "AC-7 a" + "IA-7" ], "host": null, "container": null }, - "code": "control 'SV-230339' do\n title 'RHEL 8 must ensure account lockouts persist.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', %q(Note: This check applies to RHEL versions 8.2 or newer. 
If the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured use a\nnon-default faillock directory to ensure contents persist after reboot:\n\n $ sudo grep 'dir =' /etc/security/faillock.conf\n\n dir = /var/log/faillock\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory, is missing or commented out, this is a finding.)\n desc 'fix', 'Configure the operating system maintain the contents of the faillock\ndirectory after a reboot.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n dir = /var/log/faillock'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230339'\n tag rid: 'SV-230339r743975_rule'\n tag stig_id: 'RHEL-08-020017'\n tag fix_id: 'F-32983r743974_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer. 
If the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('dir') { should cmp input('log_directory') }\n end\nend\n", + "code": "control 'SV-244524' do\n title 'The RHEL 8 pam_unix.so module must be configured in the system-auth\nfile to use a FIPS 140-2 approved cryptographic hashing algorithm for system\nauthentication.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify that pam_unix.so module is configured to use sha512.\n\nCheck that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/system-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-244524'\n tag rid: 'SV-244524r809331_rule'\n tag stig_id: 'RHEL-08-010159'\n tag fix_id: 'F-47756r809330_fix'\n tag cci: ['CCI-000803']\n tag 
nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('password sufficient pam_unix.so sha512') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230339.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244524.rb", "line": 1 }, - "id": "SV-230339" + "id": "SV-244524" }, { - "title": "RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", + "title": "RHEL 8 must be configured so that all files and directories contained\nin local interactive user home directories are group-owned by a group of which\nthe home directory owner is a member.", + "desc": "If a local interactive user's files are group-owned by a group of\nwhich the user is not a member, unintended users may be able to access them.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", - "check": "Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option with the following command:\n\n$ sudo grep -r retry /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:retry = 3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", is commented out or missing, this is a finding.\n\nIf conflicting results are returned, this is a finding.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth and password-auth files with the following command:\n\n$ sudo grep pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth | grep retry\n\nIf the command returns any results, this is a finding.", - "fix": "Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/security/pwquality.conf\" file(or modify the line to have the required value):\n\nretry = 3\n\nRemove any configurations that conflict with the above value." 
+ "default": "If a local interactive user's files are group-owned by a group of\nwhich the user is not a member, unintended users may be able to access them.", + "check": "Verify all files and directories in a local interactive user home directory\nare group-owned by a group that the user is a member.\n\n Check the group owner of all files and directories in a local interactive\nuser's home directory with the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n $ sudo ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\n If any files found with a group-owner different from the home directory\nuser private group, check to see if the user is a member of that group with the\nfollowing command:\n\n $ sudo grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n\n If any files or directories are group owned by a group that the directory\nowner is not a member of, this is a finding.", + "fix": "Change the group of a local interactive user's files and directories to a\ngroup that the interactive user is a member. To change the group owner of a\nlocal interactive user's files and directories, use the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n $ sudo chgrp smithj /home/smithj/" }, "impact": 0.5, "refs": [ @@ -793,14 +816,12 @@ } ], "tags": { - "check_id": "C-55153r858735_chk", "severity": "medium", - "gid": "V-251716", - "rid": "SV-251716r858737_rule", - "stig_id": "RHEL-08-020104", "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-55107r858736_fix", - "documentable": null, + "gid": "V-244532", + "rid": "SV-244532r743845_rule", + "stig_id": "RHEL-08-010741", + "fix_id": "F-47764r743844_fix", "cci": [ "CCI-000366" ], 
@@ -810,20 +831,20 @@ "host": null, "container": null }, - "code": "control 'SV-251716' do\n title 'RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.4 or newer. 
If the system is RHEL below version 8.4, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option with the following command:\n\n$ sudo grep -r retry /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:retry = 3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", is commented out or missing, this is a finding.\n\nIf conflicting results are returned, this is a finding.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth and password-auth files with the following command:\n\n$ sudo grep pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth | grep retry\n\nIf the command returns any results, this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/security/pwquality.conf\" file(or modify the line to have the required value):\n\nretry = 3\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55153r858735_chk'\n tag severity: 'medium'\n tag gid: 'V-251716'\n tag rid: 'SV-251716r858737_rule'\n tag stig_id: 'RHEL-08-020104'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55107r858736_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n only_if('This requirement only applies to RHEL 8 versions above 8.4', impact: 0.0) {\n os.release.to_f >= 8.4\n }\n\n describe 'System pwquality setting' do\n subject { parse_config(command('grep -rh retry /etc/security/pwquality.conf*').stdout.strip) }\n its('retry') { should cmp >= input('min_retry') }\n end\nend\n", + "code": "control 'SV-244532' do\n title 'RHEL 8 must be configured so that all files and directories contained\nin local interactive user home directories are group-owned by a group of which\nthe home 
directory owner is a member.'\n desc \"If a local interactive user's files are group-owned by a group of\nwhich the user is not a member, unintended users may be able to access them.\"\n desc 'check', %q(Verify all files and directories in a local interactive user home directory\nare group-owned by a group that the user is a member.\n\n Check the group owner of all files and directories in a local interactive\nuser's home directory with the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n $ sudo ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\n If any files found with a group-owner different from the home directory\nuser private group, check to see if the user is a member of that group with the\nfollowing command:\n\n $ sudo grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n\n If any files or directories are group owned by a group that the directory\nowner is not a member of, this is a finding.)\n desc 'fix', %q(Change the group of a local interactive user's files and directories to a\ngroup that the interactive user is a member. 
To change the group owner of a\nlocal interactive user's files and directories, use the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n $ sudo chgrp smithj /home/smithj/)\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244532'\n tag rid: 'SV-244532r743845_rule'\n tag stig_id: 'RHEL-08-010741'\n tag fix_id: 'F-47764r743844_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n ignore_shells = input('non_interactive_shells').join('|')\n exempt_home_users = input('exempt_home_users').join('|')\n\n findings = Set[]\n users.where { !username.match(exempt_home_users) && !shell.match(ignore_shells) && (uid >= 1000 || uid.zero?) }.entries.each do |user_info|\n findings += command(\"find #{user_info.home} -xdev -not -gid #{user_info.gid}\").stdout.split(\"\\n\")\n end\n describe 'All files in the users home directory' do\n it 'are expected to be owned by the user' do\n expect(findings).to be_empty, \"Some files in the users home directory are not owned by the user. Please ensure all files are owned by thier user. Findings:\\n\\t- #{findings.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251716.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244532.rb", "line": 1 }, - "id": "SV-251716" + "id": "SV-244532" }, { - "title": "RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.", - "desc": "By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. 
Limits are imposed by locking the account.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n reenabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.", + "title": "RHEL 8 must log user name information when unsuccessful logon attempts\noccur.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. 
Limits are imposed by locking the account.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n reenabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.", - "check": "If the system does not have SELinux enabled and enforcing a\n targeted policy, or if the pam_faillock module is not configured for use,\n this requirement is not applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1. If the system is RHEL\n version 8.2 or newer, this check is not applicable.\n\n Verify the location of the non-default tally directory for the pam_faillock\n module with the following command:\n\n $ sudo grep -w dir /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock\n auth required pam_faillock.so authfail dir=/var/log/faillock\n\n Check the security context type of the non-default tally directory with the\n following command:\n\n $ sudo ls -Zd /var/log/faillock\n\n unconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\n If the security context type of the non-default tally directory is not\n \"faillog_t\", this is a finding.", - "fix": "Configure RHEL 8 to allow the use of a non-default faillock\n tally directory while SELinux enforces a targeted policy.\n\n Update the /etc/selinux/targeted/contexts/files/file_contexts.local with\n \"faillog_t\" context type for the non-default faillock tally directory with\n the following command:\n\n $ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\n Next, update the context type of the non-default 
faillock directory/\n subdirectories and files with the following command:\n\n $ sudo restorecon -R -v /var/log/faillock" + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.", + "check": "Check that the system logs user name information when unsuccessful logon\nattempts occur with the following commands:\n\n If the system is RHEL version 8.2 or newer, this check is not applicable.\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"audit\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"audit\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.", + "fix": "Configure the operating system to log user name information when\nunsuccessful logon attempts occur.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" }, "impact": 0.5, "refs": [ 
@@ -832,39 +853,37 @@ } ], "tags": { - "check_id": "C-53750r793003_chk", "severity": "medium", - "gid": "V-250316", - "rid": "SV-250316r854080_rule", - "stig_id": "RHEL-08-020028", "gtitle": "SRG-OS-000021-GPOS-00005", - "fix_id": "F-53704r793004_fix", - "documentable": null, - "cci": [ - "CCI-000044", - "CCI-002238" + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" ], - "nist": [ - "AC-7 a", - "AC-7 b" + "gid": "V-230342", + "rid": "SV-230342r646872_rule", + "stig_id": "RHEL-08-020020", + "fix_id": "F-32986r567773_fix", + "cci": [ + "CCI-000044" ], - "host": null, - "container": null + "nist": [ + "AC-7 a" + ] }, - "code": "control 'SV-250316' do\n title 'RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.'\n desc %q(By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n reenabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.)\n desc 'check', 'If the system does not have SELinux enabled and enforcing a\n targeted policy, or if the pam_faillock module is not configured for use,\n this requirement is not applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1. 
If the system is RHEL\n version 8.2 or newer, this check is not applicable.\n\n Verify the location of the non-default tally directory for the pam_faillock\n module with the following command:\n\n $ sudo grep -w dir /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock\n auth required pam_faillock.so authfail dir=/var/log/faillock\n\n Check the security context type of the non-default tally directory with the\n following command:\n\n $ sudo ls -Zd /var/log/faillock\n\n unconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\n If the security context type of the non-default tally directory is not\n \"faillog_t\", this is a finding.'\n desc 'fix', 'Configure RHEL 8 to allow the use of a non-default faillock\n tally directory while SELinux enforces a targeted policy.\n\n Update the /etc/selinux/targeted/contexts/files/file_contexts.local with\n \"faillog_t\" context type for the non-default faillock tally directory with\n the following command:\n\n $ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\n Next, update the context type of the non-default faillock directory/\n subdirectories and files with the following command:\n\n $ sudo restorecon -R -v /var/log/faillock'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-53750r793003_chk'\n tag severity: 'medium'\n tag gid: 'V-250316'\n tag rid: 'SV-250316r854080_rule'\n tag stig_id: 'RHEL-08-020028'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag fix_id: 'F-53704r793004_fix'\n tag 'documentable'\n tag cci: ['CCI-000044', 'CCI-002238']\n tag nist: ['AC-7 a', 'AC-7 b']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.0 and 8.1. 
If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n os.release.to_f < 8.2\n }\n\n describe selinux do\n it { should be_installed }\n it { should be_enforcing }\n it { should_not be_disabled }\n end\n\n # TODO: refactor this with the pam resource\n describe file('/etc/pam.d/password-auth') do\n its('content') {\n should match(/auth\\s+required\\s+pam_faillock.so preauth\n dir=#{input('non_default_tally_dir')}/)\n }\n its('content') {\n should match(/auth\\s+required\\s+pam_faillock.so authfail\n dir=#{input('non_default_tally_dir')}/)\n }\n end\n\n faillock_tally = input('faillock_tally')\n\n describe \"The selected non-default tally directory for PAM: #{input('non_default_tally_dir')}\" do\n subject { file(input('non_default_tally_dir')) }\n its('selinux_label') { should match(/#{faillock_tally}/) }\n end\nend\n", + "code": "control 'SV-230342' do\n title 'RHEL 8 must log user name information when unsuccessful logon attempts\noccur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.'\n desc 'check', 'Check that the system logs user name information when unsuccessful logon\nattempts occur with the following commands:\n\n If the system is RHEL version 8.2 or newer, this check is not applicable.\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"audit\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"audit\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.'\n desc 'fix', 'Configure the operating system to log user name information when\nunsuccessful logon attempts occur.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230342'\n tag rid: 'SV-230342r646872_rule'\n tag stig_id: 'RHEL-08-020020'\n tag fix_id: 'F-32986r567773_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n\n only_if('If the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('audit')\n }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('audit')\n }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-250316.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230342.rb", "line": 1 }, - "id": "SV-250316" + "id": "SV-230342" }, { - "title": "RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.", - "desc": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. 
An example of DAC includes user-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\n By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\n The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf", + "title": "RHEL 8 must enforce a delay of at least four seconds between logon\nprompts following a failed logon attempt.", + "desc": "Configuring the operating system to implement organization-wide\nsecurity implementation guides and security checklists verifies compliance with\nfederal standards and establishes a common security baseline across the DoD\nthat reflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example, registry\nsettings; account, file, and directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", "descriptions": { - "default": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. 
An example of DAC includes user-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\n By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\n The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf", - "check": "Verify the operating system is configured to enable DAC on hardlinks with the following commands:\n\n Check the status of the fs.protected_hardlinks kernel parameter.\n\n $ sudo sysctl fs.protected_hardlinks\n\n fs.protected_hardlinks = 1\n\n If \"fs.protected_hardlinks\" is not set to \"1\" or is missing, this is a finding.\n\n Check that the configuration files are present to enable this kernel parameter.\n\n $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n /etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1\n\n If \"fs.protected_hardlinks\" is not set to \"1\", is missing or commented out, this is a finding.\n\n If conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to enable DAC on hardlinks.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n fs.protected_hardlinks = 1\n\n Remove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system" + "default": "Configuring the operating system to implement organization-wide\nsecurity implementation guides and security checklists verifies compliance with\nfederal standards and establishes a common security baseline across the DoD\nthat reflects the most restrictive security posture 
consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example, registry\nsettings; account, file, and directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", + "check": "Verify the operating system enforces a delay of at least four seconds\nbetween console logon prompts following a failed logon attempt with the\nfollowing command:\n\n $ sudo grep -i fail_delay /etc/login.defs\n\n FAIL_DELAY 4\n\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line\nis commented out, this is a finding.", + "fix": "Configure the operating system to enforce a delay of at least four seconds\nbetween logon prompts following a failed console logon attempt.\n\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to\n\"4\" or greater:\n\n FAIL_DELAY 4" }, "impact": 0.5, "refs": [ 
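Review bot: The `only_if` guard in the new SV-230342 control code, `(os.release.to_f) < 8.2`, misclassifies RHEL 8.10 as older than 8.2 (`"8.10".to_f` is 8.1 in Ruby), so on an 8.10 host the control would run instead of reporting Not Applicable as the check text requires for "8.2 or newer", and would then fail against a faillock.conf-based configuration that has no `audit` argument on the pam lines. Compare release strings as versions rather than floats, e.g. `only_if('If the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) { Gem::Version.new(os.release) < Gem::Version.new('8.2') }`. The removed SV-250316 side carried the same float comparison, so this is inherited from the generator rather than introduced here, but the regenerated control is where it should be corrected.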
@@ -874,39 +893,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000312-GPOS-00122", - "satisfies": [ - "SRG-OS-000312-GPOS-00122", - "SRG-OS-000312-GPOS-00123", - "SRG-OS-000312-GPOS-00124", - "SRG-OS-000324-GPOS-00125" - ], - "gid": "V-230268", - "rid": "SV-230268r858754_rule", - "stig_id": "RHEL-08-010374", - "fix_id": "F-32912r858753_fix", + "gtitle": "SRG-OS-000480-GPOS-00226", + "gid": "V-230378", + "rid": "SV-230378r627750_rule", + "stig_id": "RHEL-08-020310", + "fix_id": "F-33022r567881_fix", "cci": [ - "CCI-002165" + "CCI-000366" ], "nist": [ - "AC-3 (4)" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230268' do\n title 'RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.'\n desc 'Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. 
Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\n By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\n The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf'\n desc 'check', 'Verify the operating system is configured to enable DAC on hardlinks with the following commands:\n\n Check the status of the fs.protected_hardlinks kernel parameter.\n\n $ sudo sysctl fs.protected_hardlinks\n\n fs.protected_hardlinks = 1\n\n If \"fs.protected_hardlinks\" is not set to \"1\" or is missing, this is a finding.\n\n Check that the configuration files are present to enable this kernel parameter.\n\n $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n /etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1\n\n If \"fs.protected_hardlinks\" is not set to \"1\", is missing or commented out, this is a finding.\n\n If conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enable DAC on hardlinks.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n fs.protected_hardlinks = 1\n\n Remove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000312-GPOS-00122'\n tag satisfies: ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123', 'SRG-OS-000312-GPOS-00124', 'SRG-OS-000324-GPOS-00125']\n tag gid: 'V-230268'\n tag rid: 'SV-230268r858754_rule'\n tag stig_id: 'RHEL-08-010374'\n tag 
fix_id: 'F-32912r858753_fix'\n tag cci: ['CCI-002165']\n tag nist: ['AC-3 (4)']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'fs.protected_hardlinks'\n\n describe kernel_parameter(action) do\n its('value') { should eq 1 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? { |line| line.match(/#{action}\\s*=\\s*1$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^1]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230378' do\n title 'RHEL 8 must enforce a delay of at least four seconds between logon\nprompts following a failed logon attempt.'\n desc 'Configuring the operating system to implement organization-wide\nsecurity implementation guides and security checklists verifies compliance with\nfederal standards and establishes a common security baseline across the DoD\nthat reflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example, registry\nsettings; account, file, and directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.'\n desc 'check', 'Verify the operating system enforces a delay of at least four seconds\nbetween console logon prompts following a failed logon attempt with the\nfollowing command:\n\n $ sudo grep -i fail_delay /etc/login.defs\n\n FAIL_DELAY 4\n\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line\nis commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce a delay of at least four seconds\nbetween logon prompts following a failed console logon attempt.\n\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to\n\"4\" or greater:\n\n FAIL_DELAY 4'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00226'\n tag gid: 'V-230378'\n tag rid: 'SV-230378r627750_rule'\n tag stig_id: 'RHEL-08-020310'\n tag fix_id: 'F-33022r567881_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('FAIL_DELAY.to_i') { should cmp >= input('login_prompt_delay') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230268.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230378.rb", "line": 1 }, - "id": "SV-230268" + "id": "SV-230378" }, { - "title": "RHEL 8 must use a separate file system for /var/tmp.", - "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "title": "RHEL 8 must ensure cryptographic verification of vendor software packages.", + "desc": "Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. 
Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", - "check": "Verify that a separate file system has been created for \"/var/tmp\".\n\nCheck that a file system has been created for \"/var/tmp\" with the following command:\n\n $ sudo grep /var/tmp /etc/fstab\n\n /dev/mapper/... /var/tmp xfs defaults,nodev,noexec,nosuid 0 0\n\nIf a separate entry for \"/var/tmp\" is not in use, this is a finding.", - "fix": "Migrate the \"/var/tmp\" path onto a separate file system." + "default": "Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.", + "check": "Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.\n\nNote: For RHEL 8 software packages, Red Hat uses GPG keys labeled \"release key 2\" and \"auxiliary key 2\". The keys are defined in key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" by default.\n\nList Red Hat GPG keys installed on the system:\n\n $ sudo rpm -q --queryformat \"%{SUMMARY}\\n\" gpg-pubkey | grep -i \"red hat\"\n\n gpg(Red Hat, Inc. (release key 2) )\n gpg(Red Hat, Inc. 
(auxiliary key) )\n\nIf Red Hat GPG keys \"release key 2\" and \"auxiliary key 2\" are not installed, this is a finding.\n\nNote: The \"auxiliary key 2\" appears as \"auxiliary key\" on a RHEL 8 system.\n\nList key fingerprints of installed Red Hat GPG keys:\n\n $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nIf key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" is missing, this is a finding.\n\nExample output:\n\n pub rsa4096/FD431D51 2009-10-22 [SC]\n Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51\n uid Red Hat, Inc. (release key 2) \n pub rsa4096/D4082792 2018-06-27 [SC]\n Key fingerprint = 6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792\n uid Red Hat, Inc. (auxiliary key) \n sub rsa4096/1B5584D3 2018-06-27 [E]\n\nCompare key fingerprints of installed Red Hat GPG keys with fingerprints listed for RHEL 8 on Red Hat \"Product Signing Keys\" webpage at https://access.redhat.com/security/team/key.\n\nIf key fingerprints do not match, this is a finding.", + "fix": "Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values.\n\nInsert RHEL 8 installation disc or attach RHEL 8 installation image to the system. Mount the disc or image to make the contents accessible inside the system.\n\nAssuming the mounted location is \"/media/cdrom\", use the following command to copy Red Hat GPG key file onto the system:\n\n $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/\n\nImport Red Hat GPG keys from key file into system keyring:\n\n $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nUsing the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values." }, "impact": 0.5, "refs": [ 
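Review bot: The FAIL_DELAY assertion in SV-230378, `its('FAIL_DELAY.to_i') { should cmp >= input('login_prompt_delay') }`, has no lower bound on the input, so a profile that tailors `login_prompt_delay` below 4 passes a system the check text itself marks as a finding ("not set to 4 or greater"). Either clamp to the STIG floor, `its('FAIL_DELAY.to_i') { should cmp >= [input('login_prompt_delay').to_i, 4].max }`, or state in the input's description that values below 4 are non-compliant tailoring. Separately, every control in these hunks is a RHEL 8 control (`ref 'DPMS Target Red Hat Enterprise Linux 8'`, `./Red Hat 8 STIG/controls/...`) being written into canonical-ubuntu-16.04-lts-stig-baseline.json; the removed side was also RHEL content, so this predates the commit, but if the file name is meant to describe the baseline the generator appears to be pointed at the wrong profile.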
@@ -915,34 +929,37 @@
 }
 ],
 "tags": {
+ "check_id": "C-60651r902750_chk",
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-244529",
- "rid": "SV-244529r902737_rule",
- "stig_id": "RHEL-08-010544",
- "fix_id": "F-47761r743835_fix",
+ "gid": "V-256973",
+ "rid": "SV-256973r902752_rule",
+ "stig_id": "RHEL-08-010019",
+ "gtitle": "SRG-OS-000366-GPOS-00153",
+ "fix_id": "F-60593r902751_fix",
+ "documentable": null,
 "cci": [
- "CCI-000366"
+ "CCI-001749"
 ],
 "nist": [
- "CM-6 b"
+ "CM-5 (3)"
 ],
- "host": null
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-244529' do\n title 'RHEL 8 must use a separate file system for /var/tmp.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system has been created for \"/var/tmp\".\n\nCheck that a file system has been created for \"/var/tmp\" with the following command:\n\n $ sudo grep /var/tmp /etc/fstab\n\n /dev/mapper/... 
/var/tmp xfs defaults,nodev,noexec,nosuid 0 0\n\nIf a separate entry for \"/var/tmp\" is not in use, this is a finding.'\n desc 'fix', 'Migrate the \"/var/tmp\" path onto a separate file system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244529'\n tag rid: 'SV-244529r902737_rule'\n tag stig_id: 'RHEL-08-010544'\n tag fix_id: 'F-47761r743835_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe etc_fstab.where { mount_point == '/var/tmp' } do\n it { should exist }\n end\nend\n", + "code": "control 'SV-256973' do\n title 'RHEL 8 must ensure cryptographic verification of vendor software packages.'\n desc 'Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.'\n desc 'check', 'Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.\n\nNote: For RHEL 8 software packages, Red Hat uses GPG keys labeled \"release key 2\" and \"auxiliary key 2\". The keys are defined in key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" by default.\n\nList Red Hat GPG keys installed on the system:\n\n $ sudo rpm -q --queryformat \"%{SUMMARY}\\\\n\" gpg-pubkey | grep -i \"red hat\"\n\n gpg(Red Hat, Inc. (release key 2) )\n gpg(Red Hat, Inc. 
(auxiliary key) )\n\nIf Red Hat GPG keys \"release key 2\" and \"auxiliary key 2\" are not installed, this is a finding.\n\nNote: The \"auxiliary key 2\" appears as \"auxiliary key\" on a RHEL 8 system.\n\nList key fingerprints of installed Red Hat GPG keys:\n\n $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nIf key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" is missing, this is a finding.\n\nExample output:\n\n pub rsa4096/FD431D51 2009-10-22 [SC]\n Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51\n uid Red Hat, Inc. (release key 2) \n pub rsa4096/D4082792 2018-06-27 [SC]\n Key fingerprint = 6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792\n uid Red Hat, Inc. (auxiliary key) \n sub rsa4096/1B5584D3 2018-06-27 [E]\n\nCompare key fingerprints of installed Red Hat GPG keys with fingerprints listed for RHEL 8 on Red Hat \"Product Signing Keys\" webpage at https://access.redhat.com/security/team/key.\n\nIf key fingerprints do not match, this is a finding.'\n desc 'fix', 'Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values.\n\nInsert RHEL 8 installation disc or attach RHEL 8 installation image to the system. 
Mount the disc or image to make the contents accessible inside the system.\n\nAssuming the mounted location is \"/media/cdrom\", use the following command to copy Red Hat GPG key file onto the system:\n\n $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/\n\nImport Red Hat GPG keys from key file into system keyring:\n\n $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nUsing the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-60651r902750_chk'\n tag severity: 'medium'\n tag gid: 'V-256973'\n tag rid: 'SV-256973r902752_rule'\n tag stig_id: 'RHEL-08-010019'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag fix_id: 'F-60593r902751_fix'\n tag 'documentable'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host'\n tag 'container'\n\n rpm_gpg_file = input('rpm_gpg_file')\n rpm_gpg_keys = input('rpm_gpg_keys')\n\n describe file(rpm_gpg_file) do\n it { should exist }\n end\n rpm_gpg_keys.each do |k, v|\n describe command('rpm -q --queryformat \"%{SUMMARY}\\\\n\" gpg-pubkey | grep -i \"red hat\"') do\n its('stdout') { should include k.to_s }\n end\n next unless file(rpm_gpg_file).exist?\n\n describe command(\"gpg -q --keyid-format short --with-fingerprint #{rpm_gpg_file}\") do\n its('stdout') { should include v }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244529.rb", + "ref": "./Red Hat 8 STIG/controls/SV-256973.rb", "line": 1 }, - "id": "SV-244529" + "id": "SV-256973" }, { - "title": "RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.", - "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all 
files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", + "title": "RHEL 8 must mount /var/log with the nodev option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", - "check": "For systems that use UEFI, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/grub2/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.", - "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/log\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /var/log\nis mounted without the \"nodev\" option, this is a finding.", + "fix": "Configure the system so that /var/log is mounted with the \"nodev\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
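Review bot: In the `+ "code"` line for SV-256973, the fingerprint assertion `its('stdout') { should include v }` makes `input('rpm_gpg_keys')` the trust anchor, while the check text tells the assessor to compare against Red Hat's published values; because profile inputs are overridable at run time, a mistyped or tampered input value would let this control pass against a foreign key. The baseline's input documentation should pin the two fingerprints the check text quotes (`567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51` and `6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792`) as the expected defaults, and the control could refuse an input value that is not a 40-hex-digit fingerprint. The same check text notes that "auxiliary key 2" is printed as "auxiliary key" on RHEL 8, so the labels used as keys of `rpm_gpg_keys` must match what `rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey` prints or `should include k.to_s` will never match; whether they do depends on input values not visible here. The `rpm -q ... | grep -i "red hat"` command is also re-executed once per key inside `rpm_gpg_keys.each`, and hoisting it above the loop would read more clearly. Since this file looks like an `inspec json` export, these changes belong in `./Red Hat 8 STIG/controls/SV-256973.rb` (the `source_location.ref` in this hunk) rather than in the JSON.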
@@ -952,33 +969,33 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000080-GPOS-00048",
- "gid": "V-244522",
- "rid": "SV-244522r792984_rule",
- "stig_id": "RHEL-08-010149",
- "fix_id": "F-47754r743814_fix",
+ "gtitle": "SRG-OS-000368-GPOS-00154",
+ "gid": "V-230514",
+ "rid": "SV-230514r854055_rule",
+ "stig_id": "RHEL-08-040126",
+ "fix_id": "F-33158r568289_fix",
 "cci": [
- "CCI-000213"
+ "CCI-001764"
 ],
 "nist": [
- "AC-3"
+ "CM-7 (2)"
 ],
 "host": null
 },
- "code": "control 'SV-244522' do\n title 'RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.'\n desc 'check', 'For systems that use UEFI, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/grub2/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.'\n desc 'fix', 'Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-244522'\n tag rid: 'SV-244522r792984_rule'\n tag stig_id: 'RHEL-08-010149'\n tag fix_id: 'F-47754r743814_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n else\n describe parse_config_file(input('grub_main_cfg')) do\n its('set superusers') { should_not be_empty }\n end\n end\nend\n", + "code": "control 'SV-230514' do\n title 'RHEL 8 must mount /var/log with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /var/log\nis mounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log is mounted with the \"nodev\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 
'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230514'\n tag rid: 'SV-230514r854055_rule'\n tag stig_id: 'RHEL-08-040126'\n tag fix_id: 'F-33158r568289_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log'\n option = 'nodev'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244522.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230514.rb", "line": 1 }, - "id": "SV-244522" + "id": "SV-230514" }, { - "title": "RHEL 8 must configure the use of the pam_faillock.so module in the\n/etc/pam.d/system-auth file.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.", + "title": "Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate\nan audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-agent\" is a\nprogram to hold private keys used for public key authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.", - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the pam_faillock.so module is present in the\n\"/etc/pam.d/system-auth\" file:\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so\npreauth\n auth required pam_faillock.so\nauthfail\n account required pam_faillock.so\n If the pam_faillock.so module is not present in the\n\"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before\npam_unix.so, this is a finding.", - "fix": "Configure the operating system to include the use of the pam_faillock.so\nmodule in the /etc/pam.d/system-auth file.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" file\nto match the following lines:\n Note: The \"preauth\" line must be listed before pam_unix.so.\n\n auth required pam_faillock.so preauth\n auth required pam_faillock.so authfail\n account required pam_faillock.so" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-agent\" is a\nprogram to hold private keys used for public key authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"ssh-agent\" by performing the following command to check\nthe file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep ssh-agent /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-ssh\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-agent\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
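Review bot: In the `+ "code"` line for SV-230514, the automated test is stricter than the documented check: the check text treats a missing `/etc/fstab` entry as a finding only "if results are returned and the nodev option is missing", whereas `etc_fstab.where { mount_point == path }` with `its('mount_options.flatten') { should include option }` fails on an absent entry (an empty result flattens to `[]`), and `mount(path)` fails when `/var/log` is not a separate mount point at all. Failing closed is the safer behaviour for a mount-option control, but the deviation should be recorded in the control source so an assessor can reconcile a tool failure with a manual "not a finding". The documented `mount | grep /var/log` and `cat /etc/fstab | grep /var/log` steps also match any `/var/log/audit` entry, so the assessor must pick the exact `/var/log` line, while the code side is exact via `mount_point == path`. As this file appears to be an `inspec json` export, wording changes belong in `./Red Hat 8 STIG/controls/SV-230514.rb` (the `source_location.ref` in this hunk) rather than here.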
@@ -988,74 +1005,82 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-244533", - "rid": "SV-244533r743848_rule", - "stig_id": "RHEL-08-020025", - "fix_id": "F-47765r743847_fix", + "gid": "V-230421", + "rid": "SV-230421r627750_rule", + "stig_id": "RHEL-08-030280", + "fix_id": "F-33065r568010_fix", "cci": [ - "CCI-000044" + "CCI-000169" ], "nist": [ - "AC-7 a" + "AU-12 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-244533' do\n title 'RHEL 8 must configure the use of the pam_faillock.so module in the\n/etc/pam.d/system-auth file.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the pam_faillock.so module is present in the\n\"/etc/pam.d/system-auth\" file:\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so\npreauth\n auth required pam_faillock.so\nauthfail\n account required pam_faillock.so\n If the pam_faillock.so module is not present in the\n\"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before\npam_unix.so, this is a finding.'\n desc 'fix', 'Configure the operating system to include the use of the pam_faillock.so\nmodule in the /etc/pam.d/system-auth file.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" file\nto match the following lines:\n Note: The \"preauth\" line must be listed before pam_unix.so.\n\n auth required pam_faillock.so preauth\n auth required pam_faillock.so authfail\n account required pam_faillock.so'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-244533'\n tag rid: 'SV-244533r743848_rule'\n tag stig_id: 'RHEL-08-020025'\n tag fix_id: 'F-47765r743847_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') }\n 
its('lines') { should match_pam_rule('auth required pam_faillock.so authfail') }\n its('lines') { should match_pam_rule('account required pam_faillock.so') }\n end\nend\n", + "code": "control 'SV-230421' do\n title 'Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate\nan audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-agent\" is a\nprogram to hold private keys used for public key authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"ssh-agent\" by performing the following command to check\nthe file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep ssh-agent /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-ssh\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-agent\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230421'\n tag rid: 'SV-230421r627750_rule'\n tag stig_id: 'RHEL-08-030280'\n tag fix_id: 'F-33065r568010_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/ssh-agent'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244533.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230421.rb", "line": 1 }, - "id": "SV-244533" + "id": "SV-230421" }, { - "title": "RHEL 8 must use the invoking user's password for privilege escalation\nwhen using \"sudo\".", - "desc": "The sudoers security policy requires that users authenticate\nthemselves before they can use sudo. When sudoers requires authentication, it\nvalidates the invoking user's credentials. If the rootpw, targetpw, or runaspw\nflags are defined and not disabled, by default the operating system will prompt\nthe invoking user for the \"root\" user password.\n For more information on each of the listed configurations, reference the\nsudoers(5) manual page.", + "title": "RHEL 8 must prevent users from disabling session control mechanisms.", + "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. Red Hat endorses tmux\nas the recommended session controlling package.", "descriptions": { - "default": "The sudoers security policy requires that users authenticate\nthemselves before they can use sudo. When sudoers requires authentication, it\nvalidates the invoking user's credentials. 
If the rootpw, targetpw, or runaspw\nflags are defined and not disabled, by default the operating system will prompt\nthe invoking user for the \"root\" user password.\n For more information on each of the listed configurations, reference the\nsudoers(5) manual page.", - "check": "Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n /etc/sudoers:Defaults !targetpw\n /etc/sudoers:Defaults !rootpw\n /etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.", - "fix": "Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n Defaults !targetpw\n Defaults !rootpw\n Defaults !runaspw\n\nRemove any configurations that conflict with the above from the following locations:\n /etc/sudoers\n /etc/sudoers.d/" + "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.", + "check": "Verify the operating system prevents users from disabling the tmux terminal\nmultiplexer with the following command:\n\n $ sudo grep -i tmux /etc/shells\n\n If any output is produced, this is a finding.", + "fix": "Configure the operating system to prevent users from disabling\nthe tmux terminal multiplexer by editing the \"/etc/shells\" configuration file\nto remove any instances of tmux." }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-237642", - "rid": "SV-237642r880727_rule", - "stig_id": "RHEL-08-010383", - "fix_id": "F-40824r880726_fix", + "severity": "low", + "gtitle": "SRG-OS-000028-GPOS-00009", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000030-GPOS-00011" + ], + "gid": "V-230350", + "rid": "SV-230350r627750_rule", + "stig_id": "RHEL-08-020042", + "fix_id": "F-32994r567797_fix", "cci": [ - "CCI-002227" + "CCI-000056" ], "nist": [ - "AC-6 (5)" + "AC-11 b" ], "host": null }, - "code": "control 'SV-237642' do\n title %q(RHEL 8 must use the invoking user's password for privilege escalation\nwhen using \"sudo\".)\n desc %q(The sudoers security policy requires that users authenticate\nthemselves before they can use sudo. When sudoers requires authentication, it\nvalidates the invoking user's credentials. 
If the rootpw, targetpw, or runaspw\nflags are defined and not disabled, by default the operating system will prompt\nthe invoking user for the \"root\" user password.\n For more information on each of the listed configurations, reference the\nsudoers(5) manual page.)\n desc 'check', %q(Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n /etc/sudoers:Defaults !targetpw\n /etc/sudoers:Defaults !rootpw\n /etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.)\n desc 'fix', 'Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n Defaults !targetpw\n Defaults !rootpw\n Defaults !runaspw\n\nRemove any configurations that conflict with the above from the following locations:\n /etc/sudoers\n /etc/sudoers.d/'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-237642'\n tag rid: 'SV-237642r880727_rule'\n tag stig_id: 'RHEL-08-010383'\n tag fix_id: 'F-40824r880726_fix'\n tag cci: ['CCI-002227']\n tag nist: ['AC-6 (5)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers without sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n settings = sudoers(input('sudoers_config_files').join(' ')).settings['Defaults']\n\n describe 'Sudoers file(s) settings' do\n it 'should set !targetpw' do\n expect(settings).to include('!targetpw'), 'Sudoers file(s) do not set !targetpw'\n expect(settings).not_to include('targetpw'), 'Sudoers file(s) set targetpw'\n end\n it 'should set 
!rootpw' do\n expect(settings).to include('!rootpw'), 'Sudoers file(s) do not set !rootpw'\n expect(settings).not_to include('rootpw'), 'Sudoers file(s) set rootpw'\n end\n it 'should set !runaspw' do\n expect(settings).to include('!runaspw'), 'Sudoers file(s) do not set !runaspw'\n expect(settings).not_to include('runaspw'), 'Sudoers file(s) set runaspw'\n end\n end\nend\n", + "code": "control 'SV-230350' do\n title 'RHEL 8 must prevent users from disabling session control mechanisms.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.'\n desc 'check', 'Verify the operating system prevents users from disabling the tmux terminal\nmultiplexer with the following command:\n\n $ sudo grep -i tmux /etc/shells\n\n If any output is produced, this is a finding.'\n desc 'fix', 'Configure the operating system to prevent users from disabling\nthe tmux terminal multiplexer by editing the \"/etc/shells\" configuration file\nto remove any instances of tmux.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-230350'\n tag rid: 'SV-230350r627750_rule'\n tag stig_id: 'RHEL-08-020042'\n tag fix_id: 'F-32994r567797_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe command('grep -i tmux /etc/shells') do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-237642.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230350.rb", "line": 1 }, - "id": "SV-237642" + "id": "SV-230350" }, { - "title": "RHEL 8 must map the authenticated identity to the user or group\naccount for PKI-based authentication.", - "desc": "Without mapping the certificate used to authenticate to the user\naccount, the ability to determine the identity of the individual user or group\nwill not be available for forensic analysis.\n\n There are various methods of mapping certificates to user/group accounts\nfor RHEL 8. For the purposes of this requirement, the check and fix will\naccount for Active Directory mapping. 
Some of the other possible methods\ninclude joining the system to a domain and utilizing a Red Hat idM server, or a\nlocal system mapping, where the system is not part of a domain.", + "title": "Successful/unsuccessful uses of the crontab command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"crontab\" command is\nused to maintain crontab files for individual users. Crontab is the program\nused to install, remove, or list the tables used to drive the cron daemon. This\nis similar to the task scheduler used in other operating systems.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Without mapping the certificate used to authenticate to the user\naccount, the ability to determine the identity of the individual user or group\nwill not be available for forensic analysis.\n\n There are various methods of mapping certificates to user/group accounts\nfor RHEL 8. For the purposes of this requirement, the check and fix will\naccount for Active Directory mapping. 
Some of the other possible methods\ninclude joining the system to a domain and utilizing a Red Hat idM server, or a\nlocal system mapping, where the system is not part of a domain.", - "check": "Verify the certificate of the user or group is mapped to the corresponding user or group in the \"sssd.conf\" file with the following command:\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\n$ sudo cat /etc/sssd/sssd.conf\n\n[sssd]\nconfig_file_version = 2\nservices = pam, sudo, ssh\ndomains = testing.test\n\n[pam]\npam_cert_auth = True\n\n[domain/testing.test]\nid_provider = ldap\n\n[certmap/testing.test/rule_name]\nmatchrule =.*EDIPI@mil\nmaprule = (userCertificate;binary={cert!bin})\ndomains = testing.test\n\nIf the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.", - "fix": "Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the \"/etc/sssd/sssd.conf file based on the following example:\n\n[certmap/testing.test/rule_name]\nmatchrule =.*EDIPI@mil\nmaprule = (userCertificate;binary={cert!bin})\ndomains = testing.test\n\nThe \"sssd\" service must be restarted for the changes to take effect. To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"crontab\" command is\nused to maintain crontab files for individual users. 
Crontab is the program\nused to install, remove, or list the tables used to drive the cron daemon. This\nis similar to the task scheduler used in other operating systems.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"crontab\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w crontab /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-crontab\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"crontab\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-crontab\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -1065,34 +1090,42 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000068-GPOS-00036",
- "gid": "V-230355",
- "rid": "SV-230355r858743_rule",
- "stig_id": "RHEL-08-020090",
- "fix_id": "F-32999r818835_fix",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
+ "satisfies": [
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-230447",
+ "rid": "SV-230447r627750_rule",
+ "stig_id": "RHEL-08-030400",
+ "fix_id": "F-33091r568088_fix",
 "cci": [
- "CCI-000187"
+ "CCI-000169"
 ],
 "nist": [
- "IA-5 (2) (c)",
- "IA-5 (2) (a) (2)"
+ "AU-12 a"
 ],
 "host": null
 },
- "code": "control 'SV-230355' do\n title 'RHEL 8 must map the authenticated identity to the user or group\naccount for PKI-based authentication.'\n desc 'Without mapping the certificate used to authenticate to the user\naccount, the ability to determine the identity of the individual user or group\nwill not be available for forensic analysis.\n\n There are various methods of mapping certificates to user/group accounts\nfor RHEL 8. For the purposes of this requirement, the check and fix will\naccount for Active Directory mapping. 
Some of the other possible methods\ninclude joining the system to a domain and utilizing a Red Hat idM server, or a\nlocal system mapping, where the system is not part of a domain.'\n desc 'check', 'Verify the certificate of the user or group is mapped to the corresponding user or group in the \"sssd.conf\" file with the following command:\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\n$ sudo cat /etc/sssd/sssd.conf\n\n[sssd]\nconfig_file_version = 2\nservices = pam, sudo, ssh\ndomains = testing.test\n\n[pam]\npam_cert_auth = True\n\n[domain/testing.test]\nid_provider = ldap\n\n[certmap/testing.test/rule_name]\nmatchrule =.*EDIPI@mil\nmaprule = (userCertificate;binary={cert!bin})\ndomains = testing.test\n\nIf the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.'\n desc 'fix', 'Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the \"/etc/sssd/sssd.conf file based on the following example:\n\n[certmap/testing.test/rule_name]\nmatchrule =.*EDIPI@mil\nmaprule = (userCertificate;binary={cert!bin})\ndomains = testing.test\n\nThe \"sssd\" service must be restarted for the changes to take effect. 
To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000068-GPOS-00036'\n tag gid: 'V-230355'\n tag rid: 'SV-230355r858743_rule'\n tag stig_id: 'RHEL-08-020090'\n tag fix_id: 'F-32999r818835_fix'\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (c)', 'IA-5 (2) (a) (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe file('/etc/sssd/sssd.conf') do\n it { should exist }\n its('content') { should match(/^\\s*\\[certmap.*\\]\\s*$/) }\n end\nend\n", + "code": "control 'SV-230447' do\n title 'Successful/unsuccessful uses of the crontab command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"crontab\" command is\nused to maintain crontab files for individual users. Crontab is the program\nused to install, remove, or list the tables used to drive the cron daemon. This\nis similar to the task scheduler used in other operating systems.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"crontab\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w crontab /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-crontab\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"crontab\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-crontab\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230447'\n tag rid: 'SV-230447r627750_rule'\n tag stig_id: 'RHEL-08-030400'\n tag fix_id: 'F-33091r568088_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/crontab'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230355.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230447.rb", "line": 1 }, - "id": "SV-230355" + "id": "SV-230447" }, { - "title": "RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts occur\nduring a 15-minute time period.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "RHEL 8 must enforce password complexity by requiring that at least one\nlower-case character be used.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require lower-case characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount until released by an administrator after three unsuccessful logon\nattempts:\n\n $ sudo grep 'unlock_time =' /etc/security/faillock.conf\n\n unlock_time = 0\n\n If the \"unlock_time\" option is not set to \"0\", is missing or commented\nout, this is a finding.", - "fix": "Configure the operating system to lock an account until released by an\nadministrator when three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n unlock_time = 0" + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require lower-case characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".",
+ "check": "Verify the value for \"lcredit\" with the following command:\n\n$ sudo grep -r lcredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:lcredit = -1\n\nIf the value of \"lcredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.",
+ "fix": "Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used by setting the \"lcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nlcredit = -1\n\nRemove any configurations that conflict with the above value."
 },
 "impact": 0.5,
 "refs": [ 
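Review bot: The new `satisfies` array for SV-230447 lists `SRG-OS-000062-GPOS-00031` twice (first and fourth element), and the embedded `code` string repeats the duplicate in its `tag satisfies:` line; one occurrence should be dropped so the SRG mapping stays unique, e.g. `"satisfies": ["SRG-OS-000062-GPOS-00031", "SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215"]`. The InSpec body in that `code` string asserts the rule field `auid!=-1`, whereas the STIG check and fix text quote the rule as `auid!=unset`; that assertion only holds if the auditctl output the `auditd` resource parses renders `unset` as `-1` on the audit version targeted, which is worth confirming, since a host configured exactly as the fix text says would otherwise fail the control. The SV-230358 lcredit control whose title and descriptions begin at the end of this hunk has its tags and test code in the next hunk.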
@@ -1102,38 +1135,34 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000021-GPOS-00005",
- "satisfies": [
- "SRG-OS-000021-GPOS-00005",
- "SRG-OS-000329-GPOS-00128"
- ],
- "gid": "V-230337",
- "rid": "SV-230337r743972_rule",
- "stig_id": "RHEL-08-020015",
- "fix_id": "F-32981r743971_fix",
+ "gtitle": "SRG-OS-000070-GPOS-00038",
+ "gid": "V-230358",
+ "rid": "SV-230358r858773_rule",
+ "stig_id": "RHEL-08-020120",
+ "fix_id": "F-33002r858772_fix",
 "cci": [
- "CCI-000044"
+ "CCI-000193"
 ],
 "nist": [
- "AC-7 a"
+ "IA-5 (1) (a)"
 ],
 "host": null,
 "container": null
 },
- "code": "control 'SV-230337' do\n title 'RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts occur\nduring a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', %q(Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount until released by an administrator after three unsuccessful logon\nattempts:\n\n $ sudo grep 'unlock_time =' /etc/security/faillock.conf\n\n unlock_time = 0\n\n If the \"unlock_time\" option is not set to \"0\", is missing or commented\nout, this is a finding.)\n desc 'fix', 'Configure the operating system to lock an account until released by an\nadministrator when three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n unlock_time = 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230337'\n tag rid: 'SV-230337r743972_rule'\n tag stig_id: 'RHEL-08-020015'\n tag fix_id: 'F-32981r743971_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('unlock_time') { should cmp >= input('lockout_time') }\n end\nend\n", + "code": "control 'SV-230358' do\n title 'RHEL 8 must enforce password complexity by requiring that at least one\nlower-case character be used.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require lower-case characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".'\n desc 'check', 'Verify the value for \"lcredit\" with the following command:\n\n$ sudo grep -r lcredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:lcredit = -1\n\nIf the value of \"lcredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used by setting the \"lcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nlcredit = -1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000070-GPOS-00038'\n tag gid: 'V-230358'\n tag rid: 'SV-230358r858773_rule'\n tag stig_id: 'RHEL-08-020120'\n tag fix_id: 'F-33002r858772_fix'\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting) { 'lcredit' }\n let(:value) { Array(config.params[setting]) }\n\n it 'has `lcredit` set' do\n expect(value).not_to be_empty, 'lcredit is not set in pwquality.conf'\n 
end\n\n it 'only sets `lcredit` once' do\n expect(value.length).to eq(1), 'lcredit is commented or set more than once in pwquality.conf'\n end\n\n it 'does not set `lcredit` to a positive value' do\n expect(value.first.to_i).to be < 0, 'lcredit is not set to a negative value in pwquality.conf'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230337.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230358.rb", "line": 1 }, - "id": "SV-230337" + "id": "SV-230358" }, { - "title": "RHEL 8 audit log directory must have a mode of 0700 or less permissive\nto prevent unauthorized read access.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.", + "title": "RHEL 8 must include root when automatically locking an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts occur during a 15-minute time period.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.", - "check": "Verify the audit log directories have a mode of \"0700\" or less permissive\nby first determining where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log, determine the directory where the\naudit logs are stored (ex: \"/var/log/audit\"). Run the following command to\ndetermine the permissions for the audit log folder:\n\n $ sudo stat -c \"%a %n\" /var/log/audit\n\n 700 /var/log/audit\n\n If the audit log directory has a mode more permissive than \"0700\", this\nis a finding.", - "fix": "Configure the audit log directory to be protected from unauthorized read\naccess by setting the correct permissive mode with the following command:\n\n $ sudo chmod 0700 [audit_log_directory]\n\n Replace \"[audit_log_directory]\" to the correct audit log directory path,\nby default this location is \"/var/log/audit\"." + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.",
+ "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to log user\nname information when unsuccessful logon attempts occur:\n\n $ sudo grep even_deny_root /etc/security/faillock.conf\n\n even_deny_root\n\n If the \"even_deny_root\" option is not set, is missing or commented out,\nthis is a finding.",
+ "fix": "Configure the operating system to include root when locking an account\nafter three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n even_deny_root"
 },
 "impact": 0.5,
 "refs": [ 
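Review bot: The lcredit test in the new `code` string for SV-230358 parses only `/etc/security/pwquality.conf`, while the check text it ships with greps `/etc/security/pwquality.conf*` with `-r`, i.e. it is written to cover drop-ins under `/etc/security/pwquality.conf.d/` as well; a conflicting `lcredit = 1` placed in that directory is what the "conflicting results" clause is meant to catch, and this control as written would pass it. Reading the setting through the same paths closes that gap, e.g. `let(:value) { command("grep -rhoE '^\s*lcredit\s*=\s*\S+' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/").stdout.lines.map { |l| l.split('=').last.strip } }`, after which the existing "only sets once" and "negative value" assertions apply unchanged to the combined list (a missing drop-in directory only adds stderr noise, no matches). The SV-230345 even_deny_root control whose title and descriptions start at the end of this hunk continues into the next hunk, where its tags and test code are.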
@@ -1143,39 +1172,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000057-GPOS-00027", + "gtitle": "SRG-OS-000021-GPOS-00005", "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" ], - "gid": "V-230401", - "rid": "SV-230401r627750_rule", - "stig_id": "RHEL-08-030120", - "fix_id": "F-33045r567950_fix", + "gid": "V-230345", + "rid": "SV-230345r743984_rule", + "stig_id": "RHEL-08-020023", + "fix_id": "F-32989r743983_fix", "cci": [ - "CCI-000162" + "CCI-000044" ], "nist": [ - "AU-9", - "AU-9 a" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230401' do\n title 'RHEL 8 audit log directory must have a mode of 0700 or less permissive\nto prevent unauthorized read access.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.'\n desc 'check', 'Verify the audit log directories have a mode of \"0700\" or less permissive\nby first determining where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log, determine the directory where the\naudit logs are stored (ex: \"/var/log/audit\"). 
Run the following command to\ndetermine the permissions for the audit log folder:\n\n $ sudo stat -c \"%a %n\" /var/log/audit\n\n 700 /var/log/audit\n\n If the audit log directory has a mode more permissive than \"0700\", this\nis a finding.'\n desc 'fix', 'Configure the audit log directory to be protected from unauthorized read\naccess by setting the correct permissive mode with the following command:\n\n $ sudo chmod 0700 [audit_log_directory]\n\n Replace \"[audit_log_directory]\" to the correct audit log directory path,\nby default this location is \"/var/log/audit\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230401'\n tag rid: 'SV-230401r627750_rule'\n tag stig_id: 'RHEL-08-030120'\n tag fix_id: 'F-33045r567950_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n log_dir = command(\"dirname #{auditd_conf('/etc/audit/auditd.conf').log_file}\").stdout.strip\n\n describe directory(log_dir) do\n it { should_not be_more_permissive_than('0700') }\n end\nend\n", + "code": "control 'SV-230345' do\n title 'RHEL 8 must include root when automatically locking an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts occur during a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. 
Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to log user\nname information when unsuccessful logon attempts occur:\n\n $ sudo grep even_deny_root /etc/security/faillock.conf\n\n even_deny_root\n\n If the \"even_deny_root\" option is not set, is missing or commented out,\nthis is a finding.'\n desc 'fix', 'Configure the operating system to include root when locking an account\nafter three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n even_deny_root'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230345'\n tag rid: 'SV-230345r743984_rule'\n tag stig_id: 'RHEL-08-020023'\n tag fix_id: 'F-32989r743983_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('even_deny_root') { should_not be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 
8 STIG/controls/SV-230401.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230345.rb", "line": 1 }, - "id": "SV-230401" + "id": "SV-230345" }, { - "title": "The krb5-workstation package must not be installed on RHEL 8.", - "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "title": "RHEL 8 must enable the USBGuard.", + "desc": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", "descriptions": { - "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", - "check": "Verify the krb5-workstation package has not been installed on the system\nwith the following commands:\n\n If the system is a server or is utilizing\nkrb5-workstation-1.17-18.el8.x86_64 or newer, this is Not Applicable.\n\n $ sudo yum list installed krb5-workstation\n\n krb5-workstation.x86_64\n1.17-9.el8 repository\n\n If the krb5-workstation package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", - "fix": "Document the krb5-workstation package with the ISSO as an operational\nrequirement or remove it from the system with the following command:\n\n $ sudo yum remove krb5-workstation" + "default": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and 
printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", + "check": "Verify the operating system has enabled the use of the USBGuard with the\nfollowing command:\n\n $ sudo systemctl status usbguard.service\n\n usbguard.service - USBGuard daemon\n Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor\npreset: disabled)\n Active: active (running)\n\n If the usbguard.service is not enabled and active, ask the SA to indicate\nhow unauthorized peripherals are being blocked.\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.", + "fix": "Configure the operating system to enable the blocking of unauthorized\nperipherals with the following commands:\n\n $ sudo systemctl enable usbguard.service\n\n $ sudo systemctl start usbguard.service\n\n Note: Enabling and starting usbguard without properly configuring it for an\nindividual system will immediately prevent any access over a usb device such as\na keyboard or mouse" }, "impact": 0.5, "refs": [ 
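Review bot: The version gate in the new SV-230345 `code` string, `(os.release.to_f) >= 8.2`, misclassifies RHEL 8.10 as not applicable, because `"8.10".to_f` evaluates to 8.1; `Gem::Version.new(os.release) >= Gem::Version.new('8.2')` compares the release correctly. The assertion `its('even_deny_root') { should_not be_nil }` also relies on `parse_config_file` registering a bare keyword line with no `=`; that is worth confirming against its default assignment regex, since a miss would fail every host, including compliant ones. Both points live inside the exported `code` string, so the edit belongs in `./Red Hat 8 STIG/controls/SV-230345.rb` with this JSON regenerated from the profile.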
@@ -1185,34 +1213,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000120-GPOS-00061", - "gid": "V-230239", - "rid": "SV-230239r646864_rule", - "stig_id": "RHEL-08-010162", - "fix_id": "F-32883r567464_fix", + "gtitle": "SRG-OS-000378-GPOS-00163", + "gid": "V-244548", + "rid": "SV-244548r854077_rule", + "stig_id": "RHEL-08-040141", + "fix_id": "F-47780r743892_fix", "cci": [ - "CCI-000803" + "CCI-001958" ], "nist": [ - "IA-7" + "IA-3" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230239' do\n title 'The krb5-workstation package must not be installed on RHEL 8.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify the krb5-workstation package has not been installed on the system\nwith the following commands:\n\n If the system is a server or is utilizing\nkrb5-workstation-1.17-18.el8.x86_64 or newer, this is Not Applicable.\n\n $ sudo yum list installed krb5-workstation\n\n krb5-workstation.x86_64\n1.17-9.el8 repository\n\n If the krb5-workstation package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the krb5-workstation package with the ISSO as an operational\nrequirement or remove it from the system with the following command:\n\n $ sudo yum remove krb5-workstation'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-230239'\n tag rid: 'SV-230239r646864_rule'\n tag stig_id: 'RHEL-08-010162'\n tag fix_id: 'F-32883r567464_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n krb5_workstation = package('krb5-workstation')\n\n if krb5_workstation.installed? && krb5_workstation.version >= '1.17-18.el8'\n impact 0.0\n describe 'N/A' do\n skip 'Kerberos installation is at version 1.17-18.el8 or greater; this control is Not Applicable'\n end\n else\n describe krb5_workstation do\n it { should_not be_installed }\n end\n end\nend\n", + "code": "control 'SV-244548' do\n title 'RHEL 8 must enable the USBGuard.'\n desc 'Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. 
It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.'\n desc 'check', 'Verify the operating system has enabled the use of the USBGuard with the\nfollowing command:\n\n $ sudo systemctl status usbguard.service\n\n usbguard.service - USBGuard daemon\n Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor\npreset: disabled)\n Active: active (running)\n\n If the usbguard.service is not enabled and active, ask the SA to indicate\nhow unauthorized peripherals are being blocked.\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.'\n desc 'fix', 'Configure the operating system to enable the blocking of unauthorized\nperipherals with the following commands:\n\n $ sudo systemctl enable usbguard.service\n\n $ sudo systemctl start usbguard.service\n\n Note: Enabling and starting usbguard without properly configuring it for an\nindividual system will immediately prevent any access over a usb device such as\na keyboard or mouse'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000378-GPOS-00163'\n tag gid: 'V-244548'\n tag rid: 'SV-244548r854077_rule'\n tag stig_id: 'RHEL-08-040141'\n tag fix_id: 'F-47780r743892_fix'\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This requirement does not apply to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n peripherals_service = 
input('peripherals_service')\n\n describe service(peripherals_service) do\n it \"is expected to be running. \\n\\tPlease ensure to configure the service to ensure your devices function as expected.\" do\n expect(subject.running?).to be(true), \"The #{peripherals_service} service is not running\"\n end\n it \"is expected to be enabled. \\n\\tPlease ensure to configure the service to ensure your devices function as expected.\" do\n expect(subject.enabled?).to be(true), \"The #{peripherals_service} service is not enabled\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230239.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244548.rb", "line": 1 }, - "id": "SV-230239" + "id": "SV-244548" }, { - "title": "RHEL 8 must clear the page allocator to prevent use-after-free\nattacks.", - "desc": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Poisoning writes an arbitrary value to freed pages, so any modification or\nreference to that page after being freed or before being initialized will be\ndetected and prevented. This prevents many types of use-after-free\nvulnerabilities at little performance cost. 
Also prevents leak of data and\ndetection of corrupted memory.", + "title": "RHEL 8 audit log directory must be group-owned by root to prevent\nunauthorized read access.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", "descriptions": { - "default": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Poisoning writes an arbitrary value to freed pages, so any modification or\nreference to that page after being freed or before being initialized will be\ndetected and prevented. This prevents many types of use-after-free\nvulnerabilities at little performance cost. 
Also prevents leak of data and\ndetection of corrupted memory.", - "check": "Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has page poisoning enabled:\n\n$ sudo grub2-editenv list | grep page_poison\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"page_poison\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that page poisoning is enabled by default to persist in kernel updates:\n\n$ sudo grep page_poison /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"page_poison=1\"\n\nIf \"page_poison\" is not set to \"1\", is missing or commented out, this is a finding.", - "fix": "Configure RHEL 8 to enable page poisoning with the following commands:\n\n $ sudo grubby --update-kernel=ALL --args=\"page_poison=1\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"page_poison=1\"" + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", + "check": "Verify the audit log directory is group-owned by \"root\" to prevent\nunauthorized read access.\n\n Determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Determine the group owner of the audit log directory by using the output of\nthe above command (ex: \"/var/log/audit/\"). 
Run the following command with the\ncorrect audit log directory path:\n\n $ sudo ls -ld /var/log/audit\n\n drw------- 2 root root 23 Jun 11 11:56 /var/log/audit\n\n If the audit log directory is not group-owned by \"root\", this is a\nfinding.", + "fix": "Configure the audit log to be protected from unauthorized read access by\nsetting the correct group-owner as \"root\" with the following command:\n\n $ sudo chgrp root [audit_log_directory]\n\n Replace \"[audit_log_directory]\" with the correct audit log directory\npath, by default this location is usually \"/var/log/audit\"." }, "impact": 0.5, "refs": [ 
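Review bot: The new SV-244548 `code` string fails outright whenever the service named by `input('peripherals_service')` is not running or enabled, while the `check` text in the same hunk makes that a finding only when the SA cannot show evidence of another mechanism blocking unauthorized peripherals, so the automated result is stricter than the STIG it encodes. If that is intended, a comment in the control such as `# Stricter than the STIG check text: a documented alternative blocking mechanism is not accepted here` would make the deviation explicit to readers of the results. The input's default value is not visible in this hunk, so whether a missing input raises an error or fails the control cannot be confirmed from here; either way the change belongs in `./Red Hat 8 STIG/controls/SV-244548.rb` rather than in this exported JSON.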
@@ -1222,37 +1249,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000134-GPOS-00068", + "gtitle": "SRG-OS-000057-GPOS-00027", "satisfies": [ - "SRG-OS-000134-GPOS-00068", - "SRG-OS-000433-GPOS-00192" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" ], - "gid": "V-230277", - "rid": "SV-230277r792884_rule", - "stig_id": "RHEL-08-010421", - "fix_id": "F-32921r567578_fix", + "gid": "V-230400", + "rid": "SV-230400r627750_rule", + "stig_id": "RHEL-08-030110", + "fix_id": "F-33044r567947_fix", "cci": [ - "CCI-001084" + "CCI-000162" ], "nist": [ - "SC-3" + "AU-9", + "AU-9 a" ], "host": null }, - "code": "control 'SV-230277' do\n title 'RHEL 8 must clear the page allocator to prevent use-after-free\nattacks.'\n desc 'Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Poisoning writes an arbitrary value to freed pages, so any modification or\nreference to that page after being freed or before being initialized will be\ndetected and prevented. This prevents many types of use-after-free\nvulnerabilities at little performance cost. 
Also prevents leak of data and\ndetection of corrupted memory.'\n desc 'check', 'Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has page poisoning enabled:\n\n$ sudo grub2-editenv list | grep page_poison\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"page_poison\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that page poisoning is enabled by default to persist in kernel updates:\n\n$ sudo grep page_poison /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"page_poison=1\"\n\nIf \"page_poison\" is not set to \"1\", is missing or commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable page poisoning with the following commands:\n\n $ sudo grubby --update-kernel=ALL --args=\"page_poison=1\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"page_poison=1\"'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag satisfies: ['SRG-OS-000134-GPOS-00068', 'SRG-OS-000433-GPOS-00192']\n tag gid: 'V-230277'\n tag rid: 'SV-230277r792884_rule'\n tag stig_id: 'RHEL-08-010421'\n tag fix_id: 'F-32921r567578_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n grub_stdout = command('grub2-editenv - list').stdout\n setting = /page_poison\\s*=\\s*1/\n\n describe 'GRUB config' do\n it 'should enable page poisoning' do\n expect(parse_config(grub_stdout)['kernelopts']).to match(setting), 'Current GRUB configuration does not disable this setting'\n expect(parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX']).to match(setting), 
'Setting not configured to persist between kernel updates'\n end\n end\nend\n", + "code": "control 'SV-230400' do\n title 'RHEL 8 audit log directory must be group-owned by root to prevent\nunauthorized read access.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.'\n desc 'check', 'Verify the audit log directory is group-owned by \"root\" to prevent\nunauthorized read access.\n\n Determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Determine the group owner of the audit log directory by using the output of\nthe above command (ex: \"/var/log/audit/\"). Run the following command with the\ncorrect audit log directory path:\n\n $ sudo ls -ld /var/log/audit\n\n drw------- 2 root root 23 Jun 11 11:56 /var/log/audit\n\n If the audit log directory is not group-owned by \"root\", this is a\nfinding.'\n desc 'fix', 'Configure the audit log to be protected from unauthorized read access by\nsetting the correct group-owner as \"root\" with the following command:\n\n $ sudo chgrp root [audit_log_directory]\n\n Replace \"[audit_log_directory]\" with the correct audit log directory\npath, by default this location is usually \"/var/log/audit\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230400'\n tag rid: 'SV-230400r627750_rule'\n tag stig_id: 'RHEL-08-030110'\n tag fix_id: 'F-33044r567947_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) 
{\n !virtualization.system.eql?('docker')\n }\n describe directory(auditd_conf('/etc/audit/auditd.conf').log_file.split('/')[0..-2].join('/')) do\n its('group') { should be_in input('var_log_audit_group') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230277.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230400.rb", "line": 1 }, - "id": "SV-230277" + "id": "SV-230400" }, { - "title": "RHEL 8 must enable kernel parameters to enforce discretionary access\ncontrol on symlinks.", - "desc": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. 
Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\nBy enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must have the packages required for offloading audit logs\ninstalled.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. 
Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", "descriptions": { - "default": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. 
Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\nBy enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify the operating system is configured to enable DAC on symlinks with the following commands:\n\nCheck the status of the fs.protected_symlinks kernel parameter.\n\n$ sudo sysctl fs.protected_symlinks\n\nfs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to enable DAC on symlinks.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nfs.protected_symlinks = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. 
Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", + "check": "Verify the operating system has the packages required for offloading audit\nlogs installed with the following commands:\n\n $ sudo yum list installed rsyslog\n\n rsyslog.x86_64 8.1911.0-3.el8 @AppStream\n\n If the \"rsyslog\" package is not installed, ask the administrator to\nindicate how audit logs are being offloaded and what packages are installed to\nsupport it. If there is no evidence of audit logs being offloaded, this is a\nfinding.", + "fix": "Configure the operating system to offload audit logs by installing the\nrequired packages with the following command:\n\n $ sudo yum install rsyslog" }, "impact": 0.5, "refs": [ 
@@ -1262,78 +1291,71 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000312-GPOS-00122", - "satisfies": [ - "SRG-OS-000312-GPOS-00122", - "SRG-OS-000312-GPOS-00123", - "SRG-OS-000312-GPOS-00124", - "SRG-OS-000324-GPOS-00125" - ], - "gid": "V-230267", - "rid": "SV-230267r858751_rule", - "stig_id": "RHEL-08-010373", - "fix_id": "F-32911r858750_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230477", + "rid": "SV-230477r627750_rule", + "stig_id": "RHEL-08-030670", + "fix_id": "F-33121r568178_fix", "cci": [ - "CCI-002165" + "CCI-000366" ], "nist": [ - "AC-3 (4)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230267' do\n title 'RHEL 8 must enable kernel parameters to enforce discretionary access\ncontrol on symlinks.'\n desc %q(Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. 
Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\nBy enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify the operating system is configured to enable DAC on symlinks with the following commands:\n\nCheck the status of the fs.protected_symlinks kernel parameter.\n\n$ sudo sysctl fs.protected_symlinks\n\nfs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enable DAC on symlinks.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nfs.protected_symlinks = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000312-GPOS-00122'\n tag satisfies: ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123', 'SRG-OS-000312-GPOS-00124', 'SRG-OS-000324-GPOS-00125']\n tag gid: 'V-230267'\n tag rid: 'SV-230267r858751_rule'\n tag stig_id: 'RHEL-08-010373'\n tag fix_id: 'F-32911r858750_fix'\n tag cci: 
['CCI-002165']\n tag nist: ['AC-3 (4)']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'fs.protected_symlinks'\n\n describe kernel_parameter(action) do\n its('value') { should eq 1 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? { |line| line.match(/#{action}\\s*=\\s*1$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^1]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230477' do\n title 'RHEL 8 must have the packages required for offloading audit logs\ninstalled.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.'\n desc 'check', 'Verify the operating system has the packages required for offloading audit\nlogs installed with the following commands:\n\n $ sudo yum list installed rsyslog\n\n rsyslog.x86_64 8.1911.0-3.el8 @AppStream\n\n If the \"rsyslog\" package is not installed, ask the administrator to\nindicate how audit logs are being offloaded and what packages are installed to\nsupport it. If there is no evidence of audit logs being offloaded, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to offload audit logs by installing the\nrequired packages with the following command:\n\n $ sudo yum install rsyslog'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230477'\n tag rid: 'SV-230477r627750_rule'\n tag stig_id: 'RHEL-08-030670'\n tag fix_id: 'F-33121r568178_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. 
Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe package('rsyslog') do\n it { should be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230267.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230477.rb", "line": 1 }, - "id": "SV-230267" + "id": "SV-230477" }, { - "title": "RHEL 8 must enforce password complexity by requiring that at least one\nlower-case character be used.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require lower-case characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", + "title": "RHEL 8 must disable the controller area network (CAN) protocol.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Controller Area Network (CAN) is a serial communications protocol,\nwhich was initially developed for automotive and is now also used in marine,\nindustrial, and medical applications. 
Disabling CAN protects the system against\nexploitation of any flaws in its implementation.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require lower-case characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", - "check": "Verify the value for \"lcredit\" with the following command:\n\n$ sudo grep -r lcredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:lcredit = -1\n\nIf the value of \"lcredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used by setting the \"lcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nlcredit = -1\n\nRemove any configurations that conflict with the above value." + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Controller Area Network (CAN) is a serial communications protocol,\nwhich was initially developed for automotive and is now also used in marine,\nindustrial, and medical applications. Disabling CAN protects the system against\nexploitation of any flaws in its implementation.", + "check": "Verify the operating system disables the ability to load the CAN protocol kernel module.\n\n $ sudo grep -r can /etc/modprobe.d/* | grep \"/bin/false\"\n install can /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the CAN protocol.\n\nCheck to see if the CAN protocol is disabled with the following command:\n\n $ sudo grep -r can /etc/modprobe.d/* | grep \"blacklist\"\n blacklist can\n\nIf the command does not return any output or the output is not \"blacklist can\", and use of the CAN protocol is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to use the CAN protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install can /bin/false\n blacklist can\n\nReboot the system for the settings to take effect." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000070-GPOS-00038", - "gid": "V-230358", - "rid": "SV-230358r858773_rule", - "stig_id": "RHEL-08-020120", - "fix_id": "F-33002r858772_fix", + "severity": "low", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230495", + "rid": "SV-230495r942921_rule", + "stig_id": "RHEL-08-040022", + "fix_id": "F-33139r942920_fix", "cci": [ - "CCI-000193" + "CCI-000381" ], "nist": [ - "IA-5 (1) (a)" + "CM-7 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230358' do\n title 'RHEL 8 must enforce password complexity by requiring that at least one\nlower-case character be used.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require lower-case characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".'\n desc 'check', 'Verify the value for \"lcredit\" with the following command:\n\n$ sudo grep -r lcredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:lcredit = -1\n\nIf the value of \"lcredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used by setting the \"lcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nlcredit = -1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000070-GPOS-00038'\n tag gid: 'V-230358'\n tag rid: 'SV-230358r858773_rule'\n tag stig_id: 'RHEL-08-020120'\n tag fix_id: 'F-33002r858772_fix'\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting) { 'lcredit' }\n let(:value) { Array(config.params[setting]) }\n\n it 'has `lcredit` set' do\n expect(value).not_to be_empty, 'lcredit is not set in pwquality.conf'\n end\n\n it 'only sets `lcredit` once' do\n expect(value.length).to eq(1), 'lcredit is commented or set more than once in pwquality.conf'\n end\n\n it 'does not set `lcredit` to a positive value' do\n expect(value.first.to_i).to be < 0, 'lcredit is not 
set to a negative value in pwquality.conf'\n end\n end\nend\n", + "code": "control 'SV-230495' do\n title 'RHEL 8 must disable the controller area network (CAN) protocol.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Controller Area Network (CAN) is a serial communications protocol,\nwhich was initially developed for automotive and is now also used in marine,\nindustrial, and medical applications. Disabling CAN protects the system against\nexploitation of any flaws in its implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the CAN protocol kernel module.\n\n $ sudo grep -r can /etc/modprobe.d/* | grep \"/bin/false\"\n install can /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the CAN protocol.\n\nCheck to see if the CAN protocol is disabled with the following command:\n\n $ sudo grep -r can /etc/modprobe.d/* | grep \"blacklist\"\n blacklist can\n\nIf the command does not return any output or the output is not \"blacklist can\", and use of the CAN protocol is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the CAN protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install can /bin/false\n blacklist can\n\nReboot the system for the settings to take effect.'\n 
impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230495'\n tag rid: 'SV-230495r942921_rule'\n tag stig_id: 'RHEL-08-040022'\n tag fix_id: 'F-33139r942920_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe kernel_module('can') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230358.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230495.rb", "line": 1 }, - "id": "SV-230358" + "id": "SV-230495" }, { - "title": "All RHEL 8 local interactive users must have a home directory assigned\nin the /etc/passwd file.", - "desc": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "title": "RHEL 8 must be configured to prevent unrestricted mail relaying.", + "desc": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", "descriptions": { - "default": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", - "check": "Verify local interactive users on RHEL 8 have a home directory assigned\nwith the following command:\n\n $ sudo pwck -r\n\n user 'lp': directory '/var/spool/lpd' does not exist\n user 'news': directory '/var/spool/news' does not exist\n user 'uucp': directory '/var/spool/uucp' does not exist\n user 'www-data': directory '/var/www' does not exist\n\n Ask the System Administrator (SA) if any users found without home\ndirectories are local interactive users. 
If the SA is unable to provide a\nresponse, check for users with a User Identifier (UID) of 1000 or greater with\nthe following command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n\n If any interactive users do not have a home directory assigned, this is a\nfinding.", - "fix": "Assign home directories to all local interactive users on RHEL\n8 that currently do not have a home directory assigned." + "default": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", + "check": "Verify the system is configured to prevent unrestricted mail relaying.\n\n Determine if \"postfix\" is installed with the following commands:\n\n $ sudo yum list installed postfix\n\n postfix.x86_64 2:3.3.1-9.el8\n\n If postfix is not installed, this is Not Applicable.\n\n If postfix is installed, determine if it is configured to reject\nconnections from unknown or untrusted networks with the following command:\n\n $ sudo postconf -n smtpd_client_restrictions\n\n smtpd_client_restrictions = permit_mynetworks, reject\n\n If the \"smtpd_client_restrictions\" parameter contains any entries other\nthan \"permit_mynetworks\" and \"reject\", this is a finding.", + "fix": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to\nrestrict client connections to the local network with the following command:\n\n $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" }, - "impact": 0.5, + "impact": 0, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" 
@@ -1342,32 +1364,33 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230320", - "rid": "SV-230320r627750_rule", - "stig_id": "RHEL-08-010720", - "fix_id": "F-32964r567707_fix", + "gid": "V-230550", + "rid": "SV-230550r627750_rule", + "stig_id": "RHEL-08-040290", + "fix_id": "F-33194r568397_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230320' do\n title 'All RHEL 8 local interactive users must have a home directory assigned\nin the /etc/passwd file.'\n desc 'If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.'\n desc 'check', \"Verify local interactive users on RHEL 8 have a home directory assigned\nwith the following command:\n\n $ sudo pwck -r\n\n user 'lp': directory '/var/spool/lpd' does not exist\n user 'news': directory '/var/spool/news' does not exist\n user 'uucp': directory '/var/spool/uucp' does not exist\n user 'www-data': directory '/var/www' does not exist\n\n Ask the System Administrator (SA) if any users found without home\ndirectories are local interactive users. 
If the SA is unable to provide a\nresponse, check for users with a User Identifier (UID) of 1000 or greater with\nthe following command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n\n If any interactive users do not have a home directory assigned, this is a\nfinding.\"\n desc 'fix', 'Assign home directories to all local interactive users on RHEL\n8 that currently do not have a home directory assigned.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230320'\n tag rid: 'SV-230320r627750_rule'\n tag stig_id: 'RHEL-08-010720'\n tag fix_id: 'F-32964r567707_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_users = input('exempt_home_users')\n ignore_shells = input('non_interactive_shells').join('|')\n actvite_users_without_homedir = users.where { !shell.match(ignore_shells) && home.nil? }.entries\n\n # only_if(\"This control is Not Applicable since no 'non-exempt' users were found\", impact: 0.0) { !active_home.empty? 
}\n\n describe 'All non-exempt users' do\n it 'have an assinded home directory that exists' do\n failure_message = \"The following users do not have an assigned home directory: #{actvite_users_without_homedir.join(', ')}\"\n expect(actvite_users_without_homedir).to be_empty, failure_message\n end\n end\n describe 'Note: `exempt_home_users` skipped user' do\n exempt_users.each do |u|\n next if exempt_users.empty?\n\n it u.to_s do\n expect(user(u).username).to be_truthy.or be_nil\n end\n end\n end\nend\n", + "code": "control 'SV-230550' do\n title 'RHEL 8 must be configured to prevent unrestricted mail relaying.'\n desc 'If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.'\n desc 'check', 'Verify the system is configured to prevent unrestricted mail relaying.\n\n Determine if \"postfix\" is installed with the following commands:\n\n $ sudo yum list installed postfix\n\n postfix.x86_64 2:3.3.1-9.el8\n\n If postfix is not installed, this is Not Applicable.\n\n If postfix is installed, determine if it is configured to reject\nconnections from unknown or untrusted networks with the following command:\n\n $ sudo postconf -n smtpd_client_restrictions\n\n smtpd_client_restrictions = permit_mynetworks, reject\n\n If the \"smtpd_client_restrictions\" parameter contains any entries other\nthan \"permit_mynetworks\" and \"reject\", this is a finding.'\n desc 'fix', %q(If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to\nrestrict client connections to the local network with the following command:\n\n $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject')\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230550'\n tag rid: 'SV-230550r627750_rule'\n tag stig_id: 'RHEL-08-040290'\n tag fix_id: 'F-33194r568397_fix'\n tag cci: 
['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if package('postfix').installed?\n describe command('postconf -n smtpd_client_restrictions') do\n its('stdout.strip') {\n should match(/^smtpd_client_restrictions\\s+=\\s+(permit_mynetworks|reject)($|(,\\s*(permit_mynetworks|reject)\\s*$))/i)\n }\n end\n else\n impact 0.0\n describe 'The `postfix` package is not installed' do\n skip 'The `postfix` package is not installed, this control is Not Applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230320.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230550.rb", "line": 1 }, - "id": "SV-230320" + "id": "SV-230550" }, { - "title": "RHEL 8 must require users to provide a password for privilege\nescalation.", - "desc": "Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", + "title": "The RHEL 8 pam_unix.so module must be configured in the password-auth\nfile to use a FIPS 140-2 approved cryptographic hashing algorithm for system\nauthentication.", + "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", "descriptions": { - "default": "Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", - "check": "Verify that \"/etc/sudoers\" has no occurrences of \"NOPASSWD\".\n\n Check that the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" by\nrunning the following command:\n\n $ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\n %admin ALL=(ALL) NOPASSWD: ALL\n\n If any occurrences of \"NOPASSWD\" are returned from the command and have\nnot been documented with the ISSO as an organizationally defined administrative\ngroup utilizing MFA, this is a finding.", - "fix": "Remove any occurrence of \"NOPASSWD\" found in \"/etc/sudoers\"\nfile or files in the \"/etc/sudoers.d\" directory." + "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "check": "Verify that the pam_unix.so module is configured to use sha512.\n\nCheck that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512" }, "impact": 0.5, "refs": [ 
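Review bot: The `smtpd_client_restrictions` regex in the new SV-230550 code accepts configurations the STIG check text calls a finding: its alternation matches `permit_mynetworks` alone, `reject` alone, or `permit_mynetworks, permit_mynetworks`, and since Postfix's implicit action at the end of an exhausted restriction list is permit (as I recall), `permit_mynetworks` by itself leaves the host accepting every client. A literal match of the required pair is tighter: `should match(/^smtpd_client_restrictions\s*=\s*permit_mynetworks\s*,\s*reject\s*$/i)`. Because this JSON is an export of the InSpec profile, the fix belongs in `controls/SV-230550.rb` upstream with the JSON regenerated; note also that the exported top-level `"impact"` for this control, in the hunk just before this one, reads 0 while the embedded code says `impact 0.5` and the severity tag is medium, which looks like the `impact 0.0` not-installed fallback leaking into the baseline data at export time.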
@@ -1377,113 +1400,107 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000373-GPOS-00156", - "satisfies": [ - "SRG-OS-000373-GPOS-00156", - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00158" - ], - "gid": "V-230271", - "rid": "SV-230271r854026_rule", - "stig_id": "RHEL-08-010380", - "fix_id": "F-32915r854025_fix", + "gtitle": "SRG-OS-000120-GPOS-00061", + "gid": "V-230237", + "rid": "SV-230237r809276_rule", + "stig_id": "RHEL-08-010160", + "fix_id": "F-32881r809275_fix", "cci": [ - "CCI-002038" + "CCI-000803" ], "nist": [ - "IA-11" + "IA-7" ], "host": null, - "container-conditional": null + "container": null }, - "code": "control 'SV-230271' do\n title 'RHEL 8 must require users to provide a password for privilege\nescalation.'\n desc 'Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.'\n desc 'check', 'Verify that \"/etc/sudoers\" has no occurrences of \"NOPASSWD\".\n\n Check that the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" by\nrunning the following command:\n\n $ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\n %admin ALL=(ALL) NOPASSWD: ALL\n\n If any occurrences of \"NOPASSWD\" are returned from the command and have\nnot been documented with the ISSO as an organizationally defined administrative\ngroup utilizing MFA, this is a finding.'\n desc 'fix', 'Remove any occurrence of \"NOPASSWD\" found in \"/etc/sudoers\"\nfile or files in the \"/etc/sudoers.d\" directory.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-230271'\n tag rid: 'SV-230271r854026_rule'\n tag stig_id: 'RHEL-08-010380'\n tag fix_id: 'F-32915r854025_fix'\n tag cci: 
['CCI-002038']\n tag nist: ['IA-11']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable within a container without sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n # TODO: figure out why this .where throws an exception if we don't explicitly filter out nils via 'tags.nil?'\n # ergo shouldn't the filtertable be handling that kind of nil-checking for us?\n failing_results = sudoers(input('sudoers_config_files').join(' ')).rules.where { tags.nil? && (tags || '').include?('NOPASSWD') }\n\n failing_results = failing_results.where { !input('passwordless_admins').include?(users) } if input('passwordless_admins').nil?\n\n describe 'Sudoers' do\n it 'should not include any (non-exempt) users with NOPASSWD set' do\n expect(failing_results.users).to be_empty, \"NOPASSWD settings found for users:\\n\\t- #{failing_results.users.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230237' do\n title 'The RHEL 8 pam_unix.so module must be configured in the password-auth\nfile to use a FIPS 140-2 approved cryptographic hashing algorithm for system\nauthentication.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify that the pam_unix.so module is configured to use sha512.\n\nCheck that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-230237'\n tag rid: 'SV-230237r809276_rule'\n tag stig_id: 'RHEL-08-010160'\n tag fix_id: 'F-32881r809275_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('.* .* pam_unix.so sha512') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230271.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230237.rb", "line": 1 }, - "id": "SV-230271" + "id": "SV-230237" }, { - "title": "RHEL 8 must require the change of at least four character classes when passwords are changed.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"minclass\" option sets the minimum number of required classes\nof characters for the new password (digits, uppercase, lowercase, others).", + "title": "The root account must be the only account having unrestricted access\nto the RHEL 8 system.", + "desc": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"minclass\" option sets the minimum number of required classes\nof characters for the new password (digits, uppercase, lowercase, others).", - "check": "Verify the value of the \"minclass\" option with the following command:\n\n$ sudo grep -r minclass /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:minclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to require the change of at least four character classes when passwords are changed by setting the \"minclass\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nminclass = 4\n\nRemove any configurations that conflict with the above value." + "default": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", + "check": "Check the system for duplicate UID \"0\" assignments with the following\ncommand:\n\n $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd\n\n If any accounts other than root have a UID of \"0\", this is a finding.", + "fix": "Change the UID of any account on the system, other than root, that has a\nUID of \"0\".\n\n If the account is associated with system commands or applications, the UID\nshould be changed to one greater than \"0\" but less than \"1000\". Otherwise,\nassign a UID of greater than \"1000\" that has not already been assigned." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000072-GPOS-00040", - "gid": "V-230362", - "rid": "SV-230362r858781_rule", - "stig_id": "RHEL-08-020160", - "fix_id": "F-33006r858780_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230534", + "rid": "SV-230534r627750_rule", + "stig_id": "RHEL-08-040200", + "fix_id": "F-33178r568349_fix", "cci": [ - "CCI-000195" + "CCI-000366" ], "nist": [ - "IA-5 (1) (b)" + "CM-6 b" ], "host": null, "container": null }, - "code": "control 'SV-230362' do\n title 'RHEL 8 must require the change of at least four character classes when passwords are changed.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"minclass\" option sets the minimum number of required classes\nof characters for the new password (digits, uppercase, lowercase, others).'\n desc 'check', 'Verify the value of the \"minclass\" option with the following command:\n\n$ sudo grep -r minclass /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:minclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of at least four character classes when passwords are changed by setting the \"minclass\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nminclass = 4\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-230362'\n tag rid: 'SV-230362r858781_rule'\n tag stig_id: 'RHEL-08-020160'\n tag fix_id: 'F-33006r858780_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host'\n tag 'container'\n\n value = input('minclass')\n setting = 'minclass'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to more than #{value}\" do\n expect(setting_value.first.to_i).to be <= value.to_i, \"#{setting} is set to a value greater than #{value} in pwquality.conf\"\n end\n end\nend\n", + "code": "control 'SV-230534' do\n title 'The root account must be the only account having unrestricted access\nto the RHEL 8 system.'\n desc 'If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.'\n desc 'check', %q(Check the system for duplicate UID \"0\" assignments with the following\ncommand:\n\n $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd\n\n If any accounts other than root have a UID of \"0\", this is a finding.)\n desc 'fix', 'Change the UID of any account on the system, other than root, that has a\nUID of \"0\".\n\n If the account is associated with system commands or applications, the UID\nshould be changed to one greater than \"0\" but less than \"1000\". 
Otherwise,\nassign a UID of greater than \"1000\" that has not already been assigned.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230534'\n tag rid: 'SV-230534r627750_rule'\n tag stig_id: 'RHEL-08-040200'\n tag fix_id: 'F-33178r568349_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n describe passwd.uids(0) do\n its('users') { should cmp 'root' }\n its('entries.length') { should eq 1 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230362.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230534.rb", "line": 1 }, - "id": "SV-230362" + "id": "SV-230534" }, { - "title": "RHEL 8 must not have the sendmail package installed.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.", + "title": "The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be\ndisabled.", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete when at the\nconsole can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.", - "check": "Check to see if the sendmail package is installed with the following\ncommand:\n\n $ sudo yum list installed sendmail\n\n If the sendmail package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by\nremoving the sendmail package from the system with the following command:\n\n $ sudo yum remove sendmail" + "default": "A locally logged-on user who presses Ctrl-Alt-Delete when at the\nconsole can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "check": "Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed seven times within two seconds with the following command:\n\n $ sudo grep -i ctrl /etc/systemd/system.conf\n\n CtrlAltDelBurstAction=none\n\n If the \"CtrlAltDelBurstAction\" is not set to \"none\", commented out, or\nis missing, this is a finding.", + "fix": "Configure the system to disable the CtrlAltDelBurstAction by added or\nmodifying the following line in the \"/etc/systemd/system.conf\" configuration\nfile:\n\n CtrlAltDelBurstAction=none\n\n Reload the daemon for this change to take effect.\n\n $ sudo systemctl daemon-reload" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230489", - "rid": "SV-230489r627750_rule", - "stig_id": "RHEL-08-040002", - "fix_id": "F-33133r568214_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230531", + "rid": 
"SV-230531r627750_rule", + "stig_id": "RHEL-08-040172", + "fix_id": "F-33175r619890_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230489' do\n title 'RHEL 8 must not have the sendmail package installed.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.'\n desc 'check', 'Check to see if the sendmail package is installed with the following\ncommand:\n\n $ sudo yum list installed sendmail\n\n If the sendmail package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by\nremoving the sendmail package from the system with the following command:\n\n $ sudo yum remove sendmail'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230489'\n tag rid: 'SV-230489r627750_rule'\n tag stig_id: 'RHEL-08-040002'\n tag fix_id: 'F-33133r568214_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n describe package('sendmail') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-230531' do\n title 'The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be\ndisabled.'\n desc 'A locally logged-on user who presses Ctrl-Alt-Delete when at the\nconsole can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.'\n desc 'check', 'Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed seven times within two seconds with the following command:\n\n $ sudo grep -i ctrl /etc/systemd/system.conf\n\n CtrlAltDelBurstAction=none\n\n If the \"CtrlAltDelBurstAction\" is not set to \"none\", commented out, or\nis missing, this is a finding.'\n desc 'fix', 'Configure the system to disable the CtrlAltDelBurstAction by added or\nmodifying the following line in the \"/etc/systemd/system.conf\" configuration\nfile:\n\n CtrlAltDelBurstAction=none\n\n Reload the daemon for this change to take effect.\n\n $ sudo systemctl daemon-reload'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230531'\n tag rid: 'SV-230531r627750_rule'\n tag stig_id: 'RHEL-08-040172'\n tag fix_id: 'F-33175r619890_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/systemd/system.conf') do\n its('Manager') { should include('CtrlAltDelBurstAction' => 'none') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230489.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230531.rb", "line": 1 }, - "id": "SV-230489" + "id": "SV-230531" }, { - "title": "RHEL 8 must ensure session control is automatically started at shell\ninitialization.", - "desc": "Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. 
Red Hat endorses tmux as the recommended session controlling package.", + "title": "The tuned package must not be installed unless mission essential on\nRHEL 8.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The tuned package contains a daemon that tunes the system settings\ndynamically. It does so by monitoring the usage of several system components\nperiodically. Based on that information, components will then be put into lower\nor higher power savings modes to adapt to the current usage. The tuned package\nis not needed for normal OS operations.", "descriptions": { - "default": "Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. 
Red Hat endorses tmux as the recommended session controlling package.", - "check": "Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:\n\nDetermine if tmux is currently running:\n $ sudo ps all | grep tmux | grep -v grep\n\nIf the command does not produce output, this is a finding.\n\nDetermine the location of the tmux script:\n $ sudo grep -r tmux /etc/bashrc /etc/profile.d\n\n /etc/profile.d/tmux.sh: case \"$name\" in (sshd|login) tmux ;; esac\n\nReview the tmux script by using the following example:\n $ sudo cat /etc/profile.d/tmux.sh\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nIf \"tmux\" is not configured as the example above, is commented out, or is missing, this is a finding.", - "fix": "Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nThis setting will take effect at next logon." + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The tuned package contains a daemon that tunes the system settings\ndynamically. 
It does so by monitoring the usage of several system components\nperiodically. Based on that information, components will then be put into lower\nor higher power savings modes to adapt to the current usage. The tuned package\nis not needed for normal OS operations.", + "check": "Verify the tuned package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed tuned\n\n tuned.noarch\n2.12.0-3.el8 @anaconda\n\n If the tuned package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", + "fix": "Document the tuned package with the ISSO as an operational requirement or\nremove it from the system with the following command:\n\n $ sudo yum remove tuned" }, "impact": 0.5, "refs": [ 
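Review bot: The new SV-230531 code reads only `/etc/systemd/system.conf`, but systemd also applies drop-ins from `/etc/systemd/system.conf.d/*.conf` (and the /run and /usr/lib equivalents), later files overriding earlier ones, so a drop-in setting `CtrlAltDelBurstAction=reboot-force` would pass this check while the main file still says `none`. The effective value should be derived from system.conf followed by the sorted drop-ins, with the last occurrence compared to `none` and a missing value treated as a finding, as sketched below. Since this JSON is an exported InSpec profile the change belongs in `controls/SV-230531.rb` upstream, after which the baseline should be regenerated. The new SV-230237 code in the same hunk is worth a second look for a similar reason: `match_pam_rule('.* .* pam_unix.so sha512')` appears to accept the option on a line of any PAM type, although the STIG check is specifically about the `password` stack.
```ruby
  # … unchanged: only_if container guard …
  drop_ins = command('ls /etc/systemd/system.conf.d/*.conf 2>/dev/null').stdout.split.sort
  effective = (['/etc/systemd/system.conf'] + drop_ins).map { |conf|
    parse_config_file(conf).params.dig('Manager', 'CtrlAltDelBurstAction') if file(conf).exist?
  }.compact.last

  describe 'Effective CtrlAltDelBurstAction (system.conf plus system.conf.d drop-ins)' do
    subject { effective }
    it { should cmp 'none' }
  end
```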
@@ -1493,73 +1510,71 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000028-GPOS-00009", - "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000030-GPOS-00011" - ], - "gid": "V-230349", - "rid": "SV-230349r917920_rule", - "stig_id": "RHEL-08-020041", - "fix_id": "F-32993r880735_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230561", + "rid": "SV-230561r627750_rule", + "stig_id": "RHEL-08-040390", + "fix_id": "F-33205r568430_fix", "cci": [ - "CCI-000056" + "CCI-000366" ], "nist": [ - "AC-11 b" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230349' do\n title 'RHEL 8 must ensure session control is automatically started at shell\ninitialization.'\n desc 'Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.'\n desc 'check', 'Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:\n\nDetermine if tmux is currently running:\n $ sudo ps all | grep tmux | grep -v grep\n\nIf the command does not produce output, this is a finding.\n\nDetermine the location of the tmux script:\n $ sudo grep -r tmux /etc/bashrc /etc/profile.d\n\n /etc/profile.d/tmux.sh: case \"$name\" in (sshd|login) tmux ;; esac\n\nReview the tmux script by using the following example:\n $ sudo cat /etc/profile.d/tmux.sh\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nIf \"tmux\" is not configured as the example above, is commented out, or is missing, this is a finding.'\n desc 'fix', 'Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o 
ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nThis setting will take effect at next logon.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-230349'\n tag rid: 'SV-230349r917920_rule'\n tag stig_id: 'RHEL-08-020041'\n tag fix_id: 'F-32993r880735_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n tmux_running = command('ps all | grep tmux | grep -v grep').stdout.strip\n\n describe 'tmux' do\n it 'should be running' do\n expect(tmux_running).to_not be_empty, 'tmux is not running'\n end\n end\n\n if tmux_running.nil?\n\n # compare the tmux config with the expected multiline string the same way we do the banner checks\n # i.e. strip out all whitespace and compare the strings\n\n expected_config = \"if [ \\\"$PS1\\\" ]; then\\nparent=$(ps -o ppid= -p $$)\\nname=$(ps -o comm= -p $parent)\\ncase \\\"$name\\\" in (sshd|login) tmux ;; esac\\nfi\".content.gsub(/[\\r\\n\\s]/, '')\n\n tmux_script = command('grep -r tmux /etc/bashrc /etc/profile.d').stdout.strip.match(/^(?\\S+):/)['path']\n tmux_config = file(tmux_script).content.gsub(/[\\r\\n\\s]/, '')\n\n describe 'tmux' do\n it 'should be configured as expected' do\n expect(tmux_config).to match(/#{expected_config}/), 'tmux config does not match expected script'\n end\n end\n end\nend\n", + "code": "control 'SV-230561' do\n title 'The tuned package must not be installed unless mission essential on\nRHEL 8.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The tuned package contains a daemon that tunes the system settings\ndynamically. It does so by monitoring the usage of several system components\nperiodically. Based on that information, components will then be put into lower\nor higher power savings modes to adapt to the current usage. The tuned package\nis not needed for normal OS operations.'\n desc 'check', 'Verify the tuned package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed tuned\n\n tuned.noarch\n2.12.0-3.el8 @anaconda\n\n If the tuned package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the tuned package with the ISSO as an operational requirement or\nremove it from the system with the following command:\n\n $ sudo yum remove tuned'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230561'\n tag rid: 'SV-230561r627750_rule'\n tag stig_id: 'RHEL-08-040390'\n tag fix_id: 'F-33205r568430_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('tuned_required')\n describe package('tuned') do\n it { should be_installed }\n end\n else\n describe package('tuned') do\n it { should_not be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230349.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230561.rb", "line": 1 }, - "id": "SV-230349" + "id": "SV-230561" }, { - "title": "RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)\nredirect 
messages from being accepted.", - "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must be a vendor-supported release.", + "desc": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\n Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.\n\n Note: The life-cycle time spans and dates are subject to adjustment.", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not set to \"0\", is missing 
or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\n Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.\n\n Note: The life-cycle time spans and dates are subject to adjustment.", + "check": "Verify the version of the operating system is vendor supported.\n\nNote: The lifecycle time spans and dates are subject to adjustment.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.6 (Ootpa)\n\nCurrent End of Extended Update Support for RHEL 8.1 is 30 November 2021.\n\nCurrent End of Extended Update Support for RHEL 8.2 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.4 is 31 May 2023.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 31 May 2022.\n\nCurrent End of Extended Update Support for RHEL 8.6 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 31 May 2023.\n\nCurrent End of Extended Update Support for RHEL 8.8 is 31 May 2025.\n\nCurrent End of Maintenance Support for RHEL 8.9 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.10 is 31 May 2029.\n\nIf the release is not supported by the vendor, this is a finding.", + "fix": "Upgrade to a supported version of RHEL 8." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", + "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244550", - "rid": "SV-244550r858791_rule", - "stig_id": "RHEL-08-040209", - "fix_id": "F-47782r858790_fix", + "gid": "V-230221", + "rid": "SV-230221r858734_rule", + "stig_id": "RHEL-08-010000", + "fix_id": "F-32865r567410_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-244550' do\n title 'RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244550'\n tag rid: 'SV-244550r858791_rule'\n tag stig_id: 'RHEL-08-040209'\n tag fix_id: 
'F-47782r858790_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.accept_redirects'\n action = 'accepting IPv4 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to 
a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230221' do\n title 'RHEL 8 must be a vendor-supported release.'\n desc 'An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\n Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.\n\n Note: The life-cycle time spans and dates are subject to adjustment.'\n desc 'check', 'Verify the version of the operating system is vendor supported.\n\nNote: The lifecycle time spans and dates are subject to adjustment.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.6 (Ootpa)\n\nCurrent End of Extended Update Support for RHEL 8.1 is 30 November 2021.\n\nCurrent End of Extended Update Support for RHEL 8.2 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.4 is 31 May 2023.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 31 May 2022.\n\nCurrent End of Extended Update Support for RHEL 8.6 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 31 May 2023.\n\nCurrent End of Extended Update Support for RHEL 8.8 is 31 May 2025.\n\nCurrent End of Maintenance Support for RHEL 8.9 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.10 is 31 May 2029.\n\nIf the release is not supported by the vendor, this is a finding.'\n desc 'fix', 'Upgrade to a supported version of RHEL 8.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230221'\n tag rid: 'SV-230221r858734_rule'\n tag stig_id: 'RHEL-08-010000'\n tag fix_id: 'F-32865r567410_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n release = os.release\n\n EOMS_DATE = {\n /^8\\.1/ => '30 November 2021',\n /^8\\.2/ => '30 April 2022',\n /^8\\.3/ => '30 April 2021',\n /^8\\.4/ => '31 May 2023',\n /^8\\.5/ => '31 May 2022',\n /^8\\.6/ => '31 May 2024',\n /^8\\.7/ => '31 May 2023',\n /^8\\.8/ => '31 May 2025',\n /^8\\.9/ => '31 May 2024',\n /^8\\.10/ => '31 May 2029'\n }.find { |k, _v| k.match(release) }&.last\n\n describe 
\"The release \\\"#{release}\\\" is still be within the support window\" do\n it \"ending on #{EOMS_DATE}\" do\n expect(Date.today).to be <= Date.parse(EOMS_DATE)\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244550.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230221.rb", "line": 1 }, - "id": "SV-244550" + "id": "SV-230221" }, { - "title": "RHEL 8 operating systems booted with a BIOS must require\nauthentication upon booting into single-user and maintenance modes.", + "title": "RHEL 8 operating systems booted with United Extensible Firmware\nInterface (UEFI) must require authentication upon booting into single-user mode\nand maintenance.", "desc": "If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", "descriptions": { "default": "If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", - "check": "For systems that use UEFI, this is Not Applicable.\n\n Check to see if an encrypted grub superusers password is set. 
On systems\nthat use a BIOS, use the following command:\n\n $ sudo grep -iw grub2_password /boot/grub2/user.cfg\n\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\",\nthis is a finding.", - "fix": "Configure the system to require a grub bootloader password for the grub\nsuperusers account with the grub2-setpassword command, which creates/overwrites\nthe /boot/grub2/user.cfg file.\n\n Generate an encrypted grub2 password for the grub superusers account with\nthe following command:\n\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:" + "check": "For systems that use BIOS, this is Not Applicable.\n\n Check to see if an encrypted grub superusers password is set. On systems\nthat use UEFI, use the following command:\n\n $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\",\nthis is a finding.", + "fix": "Configure the system to require a grub bootloader password for the grub\nsuperusers account with the grub2-setpassword command, which creates/overwrites\nthe /boot/efi/EFI/redhat/user.cfg file.\n\n Generate an encrypted grub2 password for the grub superusers account with\nthe following command:\n\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:" }, "impact": 0.7, "refs": [ @@ -1570,10 +1585,10 @@ "tags": { "severity": "high", "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-230235", - "rid": "SV-230235r743925_rule", - "stig_id": "RHEL-08-010150", - "fix_id": "F-32879r743924_fix", + "gid": "V-230234", + "rid": "SV-230234r743922_rule", + "stig_id": "RHEL-08-010140", + "fix_id": "F-32878r743921_fix", "cci": [ "CCI-000213" ], 
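Review bot: In the new `code` string for SV-230221, the support-window lookup key `/^8\.1/ => '30 November 2021'` is an unanchored prefix match and is tried first by `find`, so a release reported as `8.10` is matched to the 8.1 end date and fails as unsupported even though the same table carries a 2029 date for 8.10; anchoring the key, e.g. `/^8\.1(?!\d)/ => '30 November 2021',`, removes the collision and the `8\.10` entry can stay as is. When no key matches (an 8.0, or a release string of a different shape) `EOMS_DATE` is `nil` and `Date.parse(nil)` raises, so the control errors instead of producing a finding; adding `expect(EOMS_DATE).not_to be_nil, "no support-window date recorded for release #{release}"` before the date comparison makes that case a readable failure. The describe title also has a typo, `is still be within` should read `is still within`. Since the dates are hardcoded and the description already says they are subject to adjustment, a one-line comment above the table pointing at the Red Hat life-cycle page would tell maintainers where to refresh them.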
@@ -1582,56 +1597,59 @@ ], "host": null }, - "code": "control 'SV-230235' do\n title 'RHEL 8 operating systems booted with a BIOS must require\nauthentication upon booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.'\n desc 'check', 'For systems that use UEFI, this is Not Applicable.\n\n Check to see if an encrypted grub superusers password is set. On systems\nthat use a BIOS, use the following command:\n\n $ sudo grep -iw grub2_password /boot/grub2/user.cfg\n\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\",\nthis is a finding.'\n desc 'fix', 'Configure the system to require a grub bootloader password for the grub\nsuperusers account with the grub2-setpassword command, which creates/overwrites\nthe /boot/grub2/user.cfg file.\n\n Generate an encrypted grub2 password for the grub superusers account with\nthe following command:\n\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-230235'\n tag rid: 'SV-230235r743925_rule'\n tag stig_id: 'RHEL-08-010150'\n tag fix_id: 'F-32879r743924_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('Control not applicable within a container without sudo enabled', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n if file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n else\n 
input('grub_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }\n end\n end\n end\nend\n", + "code": "control 'SV-230234' do\n title 'RHEL 8 operating systems booted with United Extensible Firmware\nInterface (UEFI) must require authentication upon booting into single-user mode\nand maintenance.'\n desc 'If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.'\n desc 'check', 'For systems that use BIOS, this is Not Applicable.\n\n Check to see if an encrypted grub superusers password is set. On systems\nthat use UEFI, use the following command:\n\n $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\",\nthis is a finding.'\n desc 'fix', 'Configure the system to require a grub bootloader password for the grub\nsuperusers account with the grub2-setpassword command, which creates/overwrites\nthe /boot/efi/EFI/redhat/user.cfg file.\n\n Generate an encrypted grub2 password for the grub superusers account with\nthe following command:\n\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-230234'\n tag rid: 'SV-230234r743922_rule'\n tag stig_id: 'RHEL-08-010140'\n tag fix_id: 'F-32878r743921_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('Control not applicable within a container without sudo enabled', impact: 0.0) do\n 
!virtualization.system.eql?('docker')\n end\n\n if file('/sys/firmware/efi').exist?\n input('grub_uefi_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }\n end\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running BIOS, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230235.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230234.rb", "line": 1 }, - "id": "SV-230235" + "id": "SV-230234" }, { - "title": "RHEL 8 must resolve audit information before writing to disk.", - "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging aids in making sense of who, what, and when events occur\non a system. Without this, determining root cause of an event will be much\nmore difficult.", + "title": "RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.", + "desc": "Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. 
Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.", "descriptions": { - "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging aids in making sense of who, what, and when events occur\non a system. Without this, determining root cause of an event will be much\nmore difficult.", - "check": "Verify the RHEL 8 Audit Daemon is configured to resolve audit information\nbefore writing to disk, with the following command:\n\n $ sudo grep \"log_format\" /etc/audit/auditd.conf\n\n log_format = ENRICHED\n\n If the \"log_format\" option is not \"ENRICHED\", or the line is commented\nout, this is a finding.", - "fix": "Edit the /etc/audit/auditd.conf file and add or update the \"log_format\"\noption:\n\n log_format = ENRICHED\n\n The audit daemon must be restarted for changes to take effect." + "default": "Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.", + "check": "Verify the operating system prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nObtain a list of authorized users (other than system administrator and guest accounts) for the system.\n\nCheck the list against the system by using the following command:\n\n $ sudo semanage login -l | more\n\n Login Name SELinux User MLS/MCS Range Service\n\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n\nAll administrators must be mapped to the \"sysadm_u\", \"staff_u\", or an appropriately tailored confined role as defined by the organization.\n\nAll authorized nonadministrative users must be mapped to the \"user_u\" role.\n\nIf they are not mapped in this way, this is a finding.", + "fix": "Configure RHEL 8 to prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nUse the following command to map a new user to the \"sysadm_u\" role:\n\n $ sudo semanage login -a -s sysadm_u \n\nUse the following command to map an existing user to the \"sysadm_u\" role:\n\n $ sudo semanage login -m -s sysadm_u \n\nUse the following command to map a new user to the \"staff_u\" role:\n\n $ sudo semanage login -a -s staff_u \n\nUse the following command to map an existing user to the \"staff_u\" role:\n\n $ sudo semanage login -m -s staff_u \n\nUse the following command to map a new user to the \"user_u\" role:\n\n $ sudo semanage login -a -s user_u \n\nUse the following command to map an existing user to the \"user_u\" role:\n\n $ sudo semanage login -m -s user_u \n\nNote: SELinux confined 
users mapped to sysadm_u are not allowed to log in to the system over SSH, by default. If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to \"on\" with the following command:\n\n $ sudo setsebool -P ssh_sysadm_login on\n\nThis must be documented with the information system security officer (ISSO) as an operational requirement." }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230395", - "rid": "SV-230395r627750_rule", - "stig_id": "RHEL-08-030063", - "fix_id": "F-33039r567932_fix", + "check_id": "C-58004r928594_chk", + "severity": "medium", + "gid": "V-254520", + "rid": "SV-254520r928805_rule", + "stig_id": "RHEL-08-040400", + "gtitle": "SRG-OS-000324-GPOS-00125", + "fix_id": "F-57953r928805_fix", + "documentable": null, "cci": [ - "CCI-000366" + "CCI-002265" ], "nist": [ - "CM-6 b" + "AC-16 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230395' do\n title 'RHEL 8 must resolve audit information before writing to disk.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging aids in making sense of who, what, and when events occur\non a system. 
Without this, determining root cause of an event will be much\nmore difficult.'\n desc 'check', 'Verify the RHEL 8 Audit Daemon is configured to resolve audit information\nbefore writing to disk, with the following command:\n\n $ sudo grep \"log_format\" /etc/audit/auditd.conf\n\n log_format = ENRICHED\n\n If the \"log_format\" option is not \"ENRICHED\", or the line is commented\nout, this is a finding.'\n desc 'fix', 'Edit the /etc/audit/auditd.conf file and add or update the \"log_format\"\noption:\n\n log_format = ENRICHED\n\n The audit daemon must be restarted for changes to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230395'\n tag rid: 'SV-230395r627750_rule'\n tag stig_id: 'RHEL-08-030063'\n tag fix_id: 'F-33039r567932_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('log_format') { should eq 'ENRICHED' }\n end\nend\n", + "code": "control 'SV-254520' do\n title 'RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.'\n desc 'Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.'\n desc 'check', 'Verify the operating system prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nObtain a list of authorized users (other than system administrator and guest accounts) for the system.\n\nCheck the list against the system by using the following command:\n\n $ sudo semanage login -l | more\n\n Login Name SELinux User MLS/MCS Range Service\n\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n\nAll administrators must be mapped to the \"sysadm_u\", \"staff_u\", or an appropriately tailored confined role as defined by the organization.\n\nAll authorized nonadministrative users must be mapped to the \"user_u\" role.\n\nIf they are not mapped in this way, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nUse the following command to map a new user to the \"sysadm_u\" role:\n\n $ sudo semanage login -a -s sysadm_u \n\nUse the following command to map an existing user to the \"sysadm_u\" role:\n\n $ sudo semanage login -m -s sysadm_u \n\nUse the following command to map a new user to the \"staff_u\" role:\n\n $ sudo semanage login -a -s staff_u \n\nUse the following command to map an existing user to the \"staff_u\" role:\n\n $ sudo semanage login -m -s staff_u \n\nUse the following command to map a new user to the \"user_u\" role:\n\n $ sudo semanage login -a -s user_u \n\nUse the following command to map an existing user to the \"user_u\" role:\n\n $ sudo semanage login -m -s user_u \n\nNote: SELinux 
confined users mapped to sysadm_u are not allowed to log in to the system over SSH, by default. If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to \"on\" with the following command:\n\n $ sudo setsebool -P ssh_sysadm_login on\n\nThis must be documented with the information system security officer (ISSO) as an operational requirement.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-58004r928594_chk'\n tag severity: 'medium'\n tag gid: 'V-254520'\n tag rid: 'SV-254520r928805_rule'\n tag stig_id: 'RHEL-08-040400'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag fix_id: 'F-57953r928805_fix'\n tag 'documentable'\n tag cci: ['CCI-002265']\n tag nist: ['AC-16 b']\n tag 'host'\n tag 'container'\n\n se_login = command('semanage login -ln').stdout.lines.map(&:strip)\n allowed_admin_selinux_roles = input('allowed_admin_selinux_roles')\n allowed_non_admin_selinux_roles = input('allowed_non_admin_selinux_roles')\n\n users = {}\n se_login.each_with_object({}) do |line, users|\n login_name, selinux_user = line.split[0..1]\n users[login_name] = selinux_user\n end\n\n misconfigured_admins = users.select { |login_name, selinux_user|\n input('administrator_users').include?(login_name) &&\n !allowed_admin_selinux_roles.include?(selinux_user)\n }\n\n misconfigured_non_admins = users.select { |login_name, selinux_user|\n !input('administrator_users').include?(login_name) &&\n !allowed_non_admin_selinux_roles.include?(selinux_user)\n }\n\n describe 'All administrators' do\n it \"must be mapped to the an appropriate role (allowed admin roles: #{allowed_admin_selinux_roles.join(', ')})\" do\n expect(misconfigured_admins.keys).to be_empty, \"Misconfigured admins:\\n\\t- #{misconfigured_admins.keys.join(\"\\n\\t- \")}\"\n end\n end\n\n describe 'All non-administrator users' do\n it \"must be mapped to the an appropriate role (allowed non-admin user roles: #{allowed_non_admin_selinux_roles.join(', ')})\" do\n 
expect(misconfigured_non_admins.keys).to be_empty, \"Misconfigured non-admin users:\\n\\t- #{misconfigured_non_admins.keys.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230395.rb", + "ref": "./Red Hat 8 STIG/controls/SV-254520.rb", "line": 1 }, - "id": "SV-230395" + "id": "SV-254520" }, { - "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that are imported via Network File System (NFS).", - "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 library directories must be group-owned by root or a system account.", + "desc": "If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", - "check": "Verify that file systems being imported via NFS are mounted with the\n\"nosuid\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep nosuid\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are being imported via NFS." + "default": "If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.", + "check": "Verify the system-wide shared library directories are group-owned\n by \"root\" with the following command:\n\n $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c \"%n %G\" '{}' \\;\n\n If any system-wide shared library directory is returned and is not group-owned\n by a required system account, this is a finding.", + "fix": "Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing \"[DIRECTORY]\" with any library directory not group-owned by \"root\". $ sudo chgrp root [DIRECTORY]" }, "impact": 0.5, "refs": [ 
@@ -1640,34 +1658,37 @@ } ], "tags": { + "check_id": "C-55146r810013_chk", "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230308", - "rid": "SV-230308r627750_rule", - "stig_id": "RHEL-08-010650", - "fix_id": "F-32952r567671_fix", + "gid": "V-251709", + "rid": "SV-251709r810014_rule", + "stig_id": "RHEL-08-010351", + "gtitle": "SRG-OS-000259-GPOS-00100", + "fix_id": "F-55100r809350_fix", + "documentable": null, "cci": [ - "CCI-000366" + "CCI-001499" ], "nist": [ - "CM-6 b" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230308' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that are imported via Network File System (NFS).'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify that file systems being imported via NFS are mounted with the\n\"nosuid\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep nosuid\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nosuid\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are being imported via NFS.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230308'\n tag rid: 'SV-230308r627750_rule'\n tag stig_id: 'RHEL-08-010650'\n tag fix_id: 'F-32952r567671_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nosuid'\n nfs_file_systems = etc_fstab.nfs_file_systems.params\n failing_mounts = nfs_file_systems.reject { |mnt| mnt['mount_options'].include?(option) }\n\n if nfs_file_systems.empty?\n describe 'No NFS' do\n it 'is mounted' do\n expect(nfs_file_systems).to be_empty\n end\n end\n else\n describe 'Any mounted Network File System (NFS)' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"NFS without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-251709' do\n title 'RHEL 8 library directories must be group-owned by root or a system account.'\n desc 'If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.'\n desc 'check', %q(Verify the system-wide shared library directories are group-owned\n by \"root\" with the following command:\n\n $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c \"%n %G\" '{}' \\;\n\n If any system-wide shared library directory is returned and is not group-owned\n by a required system account, this is a finding.)\n desc 'fix', 'Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing \"[DIRECTORY]\" with any library directory not group-owned by \"root\". 
$ sudo chgrp root [DIRECTORY]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55146r810013_chk'\n tag severity: 'medium'\n tag gid: 'V-251709'\n tag rid: 'SV-251709r810014_rule'\n tag stig_id: 'RHEL-08-010351'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag fix_id: 'F-55100r809350_fix'\n tag 'documentable'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n non_root_owned_libs = input('system_libraries').filter { |lib|\n !input('required_system_accounts').include?(file(lib).group)\n }\n\n describe 'System libraries' do\n it 'should be owned by a required system account' do\n fail_msg = \"Libs not group-owned by a system account:\\n\\t- #{non_root_owned_libs.join(\"\\n\\t- \")}\"\n expect(non_root_owned_libs).to be_empty, fail_msg\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230308.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251709.rb", "line": 1 }, - "id": "SV-230308" + "id": "SV-251709" }, { - "title": "The RHEL 8 /var/log directory must have mode 0755 or less permissive.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "The RHEL 8 System Administrator (SA) and Information System Security\nOfficer (ISSO) (at a minimum) must be alerted of an audit processing failure\nevent.", + "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the \"/var/log\" directory has a mode of \"0755\" or less with\nthe following command:\n\n $ sudo stat -c \"%a %n\" /var/log\n\n 755\n\n If a value of \"0755\" or less permissive is not returned, this is a\nfinding.", - "fix": "Change the permissions of the directory \"/var/log\" to \"0755\" by running\nthe following command:\n\n $ sudo chmod 0755 /var/log" + "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "check": "Verify that the SA and ISSO (at a minimum) are notified in the event of an\naudit processing failure.\n\n Check that RHEL 8 notifies the SA and ISSO (at a minimum) in the event of\nan audit processing failure with the following command:\n\n $ sudo grep action_mail_acct /etc/audit/auditd.conf\n\n action_mail_acct = root\n\n If the value of the \"action_mail_acct\" keyword is not set to \"root\"\nand/or other accounts for security personnel, the \"action_mail_acct\" keyword\nis missing, or the retuned line is commented out, ask the system administrator\nto indicate how they and the ISSO are notified of an audit process failure. 
If\nthere is no evidence of the proper personnel being notified of an audit\nprocessing failure, this is a finding.", + "fix": "Configure \"auditd\" service to notify the SA and ISSO in the event of an\naudit processing failure.\n\n Edit the following line in \"/etc/audit/auditd.conf\" to ensure that\nadministrators are notified via email for those situations:\n\n action_mail_acct = root" }, "impact": 0.5, "refs": [ 
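Review bot: The new SV-251709 control at the end of this hunk tests only the paths held in `input('system_libraries')`, whereas the STIG check it implements runs `find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d`, i.e. every directory beneath those roots; if, as the name suggests, the input holds the four top-level directories, a nested library directory with a non-system group is never inspected and the control passes. A closer rendering walks each root and hoists the account list out of the block: `required_groups = input('required_system_accounts')`, `lib_dirs = input('system_libraries').flat_map { |root| command("find #{root} -type d").stdout.lines.map(&:strip) }`, `non_root_owned_libs = lib_dirs.reject { |dir| required_groups.include?(file(dir).group) }`. The example description `it 'should be owned by a required system account'` also understates the predicate, which is group ownership; `it 'should be group-owned by a required system account'` matches the title and the failure message. Since this JSON is an export of the profile, the change belongs in `./Red Hat 8 STIG/controls/SV-251709.rb` (the `source_location.ref` in the hunk) and should then be regenerated here.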
@@ -1677,34 +1698,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-230248", - "rid": "SV-230248r627750_rule", - "stig_id": "RHEL-08-010240", - "fix_id": "F-32892r567491_fix", + "gtitle": "SRG-OS-000046-GPOS-00022", + "gid": "V-230388", + "rid": "SV-230388r627750_rule", + "stig_id": "RHEL-08-030020", + "fix_id": "F-33032r567911_fix", "cci": [ - "CCI-001314" + "CCI-000139" ], "nist": [ - "SI-11 b" + "AU-5 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230248' do\n title 'The RHEL 8 /var/log directory must have mode 0755 or less permissive.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify that the \"/var/log\" directory has a mode of \"0755\" or less with\nthe following command:\n\n $ sudo stat -c \"%a %n\" /var/log\n\n 755\n\n If a value of \"0755\" or less permissive is not returned, this is a\nfinding.'\n desc 'fix', 'Change the permissions of the directory \"/var/log\" to \"0755\" by running\nthe following command:\n\n $ sudo chmod 0755 /var/log'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230248'\n tag rid: 'SV-230248r627750_rule'\n tag stig_id: 'RHEL-08-010240'\n tag fix_id: 'F-32892r567491_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n tag 'container'\n\n describe directory('/var/log') do\n it { should exist }\n it { should_not be_more_permissive_than('0755') }\n end\nend\n", + "code": "control 'SV-230388' do\n title 'The RHEL 8 System Administrator (SA) and Information System Security\nOfficer (ISSO) (at a minimum) must be alerted of an audit processing failure\nevent.'\n desc 'It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.'\n desc 'check', 'Verify that the SA and ISSO (at a minimum) are notified in the event of an\naudit processing failure.\n\n Check that RHEL 8 notifies the SA and ISSO (at a minimum) in the event of\nan audit processing failure with the following command:\n\n $ sudo grep action_mail_acct /etc/audit/auditd.conf\n\n action_mail_acct = root\n\n If the value of the \"action_mail_acct\" keyword is not set to \"root\"\nand/or other accounts for security personnel, the \"action_mail_acct\" keyword\nis missing, or the retuned line is commented out, ask the system administrator\nto indicate how they and the ISSO are notified of an audit process failure. 
If\nthere is no evidence of the proper personnel being notified of an audit\nprocessing failure, this is a finding.'\n desc 'fix', 'Configure \"auditd\" service to notify the SA and ISSO in the event of an\naudit processing failure.\n\n Edit the following line in \"/etc/audit/auditd.conf\" to ensure that\nadministrators are notified via email for those situations:\n\n action_mail_acct = root'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000046-GPOS-00022'\n tag gid: 'V-230388'\n tag rid: 'SV-230388r627750_rule'\n tag stig_id: 'RHEL-08-030020'\n tag fix_id: 'F-33032r567911_fix'\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe auditd_conf do\n its('action_mail_acct') { should cmp 'root' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230248.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230388.rb", "line": 1 }, - "id": "SV-230248" + "id": "SV-230388" }, { - "title": "RHEL 8 must disable acquiring, saving, and processing core dumps.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.\n\n When the kernel invokes systemd-coredumpt to handle a core dump, it runs in\nprivileged mode, and will connect to the socket created by the\nsystemd-coredump.socket unit. 
This, in turn, will spawn an unprivileged\nsystemd-coredump@.service instance to process the core dump.", + "title": "RHEL 8 must prohibit the use of cached authentications after one day.", + "desc": "If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.\n\nRHEL 8 includes multiple options for configuring authentication, but this\nrequirement will be focus on the System Security Services Daemon (SSSD). By\ndefault sssd does not cache credentials.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.\n\n When the kernel invokes systemd-coredumpt to handle a core dump, it runs in\nprivileged mode, and will connect to the socket created by the\nsystemd-coredump.socket unit. 
This, in turn, will spawn an unprivileged\nsystemd-coredump@.service instance to process the core dump.", - "check": "Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:\n\n$ sudo systemctl status systemd-coredump.socket\n\nsystemd-coredump.socket\nLoaded: masked (Reason: Unit systemd-coredump.socket is masked.)\nActive: inactive (dead)\n\nIf the \"systemd-coredump.socket\" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the system to disable the systemd-coredump.socket with the following commands:\n\n$ sudo systemctl disable --now systemd-coredump.socket\n\n$ sudo systemctl mask systemd-coredump.socket\n\nCreated symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload" + "default": "If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.\n\nRHEL 8 includes multiple options for configuring authentication, but this\nrequirement will be focus on the System Security Services Daemon (SSSD). 
By\ndefault sssd does not cache credentials.", + "check": "Verify that the SSSD prohibits the use of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is Not Applicable.\n\nCheck that SSSD allows cached authentications with the following command:\n\n $ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n cache_credentials = true\n\nIf \"cache_credentials\" is set to \"false\" or missing from the configuration file, this is not a finding and no further checks are required.\n\nIf \"cache_credentials\" is set to \"true\", check that SSSD prohibits the use of cached authentications after one day with the following command:\n\n $ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n offline_credentials_expiration = 1\n\nIf \"offline_credentials_expiration\" is not set to a value of \"1\", this is a finding.", + "fix": "Configure the SSSD to prohibit the use of cached authentications\nafter one day.\n\nAdd or change the following line in \"/etc/sssd/sssd.conf\" just below the\nline \"[pam]\".\n\noffline_credentials_expiration = 1" }, "impact": 0.5, "refs": [ 
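Review bot: The new SV-230388 control pins `its('action_mail_acct') { should cmp 'root' }`, but the check text in the same hunk accepts `root` "and/or other accounts for security personnel", so a host that routes auditd failure mail to a dedicated security mailbox is reported as a finding even though it meets the requirement. Consider driving the accepted values from a profile input with `root` as its default, e.g. `its('action_mail_acct') { should be_in input('<new input name>') }`, so the automated result tracks the manual check. Dropping `tag 'container'` in the tags object is consistent with the `only_if` docker guard the new code adds. As this file is an export of the profile, the change belongs in `./Red Hat 8 STIG/controls/SV-230388.rb` and should be regenerated here.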
@@ -1714,34 +1734,33 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230312",
- "rid": "SV-230312r833308_rule",
- "stig_id": "RHEL-08-010672",
- "fix_id": "F-32956r833307_fix",
+ "gtitle": "SRG-OS-000383-GPOS-00166",
+ "gid": "V-230376",
+ "rid": "SV-230376r942948_rule",
+ "stig_id": "RHEL-08-020290",
+ "fix_id": "F-33020r942947_fix",
 "cci": [
- "CCI-000366"
+ "CCI-002007"
 ],
- "legacy": [],
 "nist": [
- "CM-6 b"
+ "IA-5 (13)"
 ],
 "host": null
 },
- "code": "control 'SV-230312' do\n title 'RHEL 8 must disable acquiring, saving, and processing core dumps.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.\n\n When the kernel invokes systemd-coredumpt to handle a core dump, it runs in\nprivileged mode, and will connect to the socket created by the\nsystemd-coredump.socket unit. 
This, in turn, will spawn an unprivileged\nsystemd-coredump@.service instance to process the core dump.'\n desc 'check', 'Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:\n\n$ sudo systemctl status systemd-coredump.socket\n\nsystemd-coredump.socket\nLoaded: masked (Reason: Unit systemd-coredump.socket is masked.)\nActive: inactive (dead)\n\nIf the \"systemd-coredump.socket\" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the system to disable the systemd-coredump.socket with the following commands:\n\n$ sudo systemctl disable --now systemd-coredump.socket\n\n$ sudo systemctl mask systemd-coredump.socket\n\nCreated symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230312'\n tag rid: 'SV-230312r833308_rule'\n tag stig_id: 'RHEL-08-010672'\n tag fix_id: 'F-32956r833307_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n s = systemd_service('systemd-coredump.socket')\n\n describe.one do\n describe s do\n its('params.LoadState') { should eq 'masked' }\n end\n describe s do\n its('params.LoadState') { should eq 'not-found' }\n end\n end\nend\n", + "code": "control 'SV-230376' do\n title 'RHEL 8 must prohibit the use of cached authentications after one day.'\n desc 'If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.\n\nRHEL 8 includes multiple options for configuring authentication, but this\nrequirement will be 
focus on the System Security Services Daemon (SSSD). By\ndefault sssd does not cache credentials.'\n desc 'check', 'Verify that the SSSD prohibits the use of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is Not Applicable.\n\nCheck that SSSD allows cached authentications with the following command:\n\n $ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n cache_credentials = true\n\nIf \"cache_credentials\" is set to \"false\" or missing from the configuration file, this is not a finding and no further checks are required.\n\nIf \"cache_credentials\" is set to \"true\", check that SSSD prohibits the use of cached authentications after one day with the following command:\n\n $ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n offline_credentials_expiration = 1\n\nIf \"offline_credentials_expiration\" is not set to a value of \"1\", this is a finding.'\n desc 'fix', 'Configure the SSSD to prohibit the use of cached authentications\nafter one day.\n\nAdd or change the following line in \"/etc/sssd/sssd.conf\" just below the\nline \"[pam]\".\n\noffline_credentials_expiration = 1'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000383-GPOS-00166'\n tag gid: 'V-230376'\n tag rid: 'SV-230376r942948_rule'\n tag stig_id: 'RHEL-08-020290'\n tag fix_id: 'F-33020r942947_fix'\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n tag 'host'\n\n sssd_config = parse_config_file('/etc/sssd/sssd.conf')\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('smart_card_enabled')\n impact 0.0\n describe 'The system is not utilizing smart card authentication' do\n skip 'The system is not utilizing smart card authentication, this control\n is Not Applicable.'\n end\n else\n describe.one do\n describe 'Cache 
credentials enabled' do\n subject { sssd_config.content }\n it { should_not match(/cache_credentials\\s*=\\s*true/) }\n end\n describe 'Offline credentials expiration' do\n subject { sssd_config }\n its('pam.offline_credentials_expiration') { should cmp '1' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230312.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230376.rb", "line": 1 }, - "id": "SV-230312" + "id": "SV-230376" }, { - "title": "RHEL 8 must prevent code from being executed on file systems that are\nimported via Network File System (NFS).", - "desc": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary as they may be incompatible. Executing files from untrusted\nfile systems increases the opportunity for unprivileged users to attain\nunauthorized administrative access.", + "title": "All RHEL 8 local files and directories must have a valid owner.", + "desc": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", "descriptions": { - "default": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary as they may be incompatible. 
Executing files from untrusted\nfile systems increases the opportunity for unprivileged users to attain\nunauthorized administrative access.", - "check": "Verify that file systems being imported via NFS are mounted with the\n\"noexec\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep noexec\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"noexec\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are being imported via NFS." + "default": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", + "check": "Verify all local files and directories on RHEL 8 have a valid owner with\nthe following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n $ sudo find / -fstype xfs -nouser\n\n If any files on the system do not have an assigned owner, this is a finding.\n\n Note: Command may produce error messages from the /proc and /sys\ndirectories.", + "fix": "Either remove all files and directories from the system that do not have a\nvalid user, or assign a valid user to all unowned files and directories on RHEL\n8 with the \"chown\" command:\n\n $ sudo chown " }, "impact": 0.5, "refs": [ 
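Review bot: The Not Applicable branch in the new SV-230376 code is inverted: `if input('smart_card_enabled')` skips the control with the message that the system is not using smart card authentication, so hosts that do use smart cards are never checked while hosts that do not are, the opposite of the note in the check text. Change it to `unless input('smart_card_enabled')` (or `if !input('smart_card_enabled')`), and make the change in `./Red Hat 8 STIG/controls/SV-230376.rb` that `source_location` points to, then regenerate this baseline rather than editing the embedded string. Separately, the check text names `/etc/sssd/conf.d/*.conf` as well, but the test only parses `/etc/sssd/sssd.conf`, so a `cache_credentials = true` placed in a drop-in file would go unnoticed; either extend the parse to the drop-in directory or record that limitation in a comment. The `sssd_config` parse also runs before the container `only_if` guard, which is harmless but presumably unintended.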
@@ -1752,32 +1771,33 @@
 "tags": {
 "severity": "medium",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230306",
- "rid": "SV-230306r627750_rule",
- "stig_id": "RHEL-08-010630",
- "fix_id": "F-32950r567665_fix",
+ "gid": "V-230326",
+ "rid": "SV-230326r627750_rule",
+ "stig_id": "RHEL-08-010780",
+ "fix_id": "F-32970r567725_fix",
 "cci": [
 "CCI-000366"
 ],
 "nist": [
 "CM-6 b"
 ],
- "host": null
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-230306' do\n title 'RHEL 8 must prevent code from being executed on file systems that are\nimported via Network File System (NFS).'\n desc 'The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary as they may be incompatible. Executing files from untrusted\nfile systems increases the opportunity for unprivileged users to attain\nunauthorized administrative access.'\n desc 'check', 'Verify that file systems being imported via NFS are mounted with the\n\"noexec\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep noexec\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"noexec\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are being imported via NFS.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230306'\n tag rid: 'SV-230306r627750_rule'\n tag stig_id: 'RHEL-08-010630'\n tag fix_id: 'F-32950r567665_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'noexec'\n nfs_file_systems = etc_fstab.nfs_file_systems.params\n failing_mounts = nfs_file_systems.reject { 
|mnt| mnt['mount_options'].include?(option) }\n\n if nfs_file_systems.empty?\n describe 'No NFS' do\n it 'is mounted' do\n expect(nfs_file_systems).to be_empty\n end\n end\n else\n describe 'Any mounted Network File System (NFS)' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"NFS without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230326' do\n title 'All RHEL 8 local files and directories must have a valid owner.'\n desc 'Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.'\n desc 'check', 'Verify all local files and directories on RHEL 8 have a valid owner with\nthe following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n $ sudo find / -fstype xfs -nouser\n\n If any files on the system do not have an assigned owner, this is a finding.\n\n Note: Command may produce error messages from the /proc and /sys\ndirectories.'\n desc 'fix', 'Either remove all files and directories from the system that do not have a\nvalid user, or assign a valid user to all unowned files and directories on RHEL\n8 with the \"chown\" command:\n\n $ sudo chown '\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230326'\n tag rid: 'SV-230326r627750_rule'\n tag stig_id: 'RHEL-08-010780'\n tag fix_id: 'F-32970r567725_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. 
You must enable this control for a full accredidation for production.'\n end\n else\n\n failing_files = Set[]\n\n command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'')\n .stdout.strip.split(\"\\n\").each do |fs|\n failing_files += command(\"find / -xdev -xautofs -fstype #{fs} -nouser\").stdout.strip.split(\"\\n\")\n end\n\n describe 'All files on RHEL 8' do\n it 'should have an owner' do\n expect(failing_files).to be_empty, \"Files with no owner:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230306.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230326.rb", "line": 1 }, - "id": "SV-230306" + "id": "SV-230326" }, { - "title": "RHEL 8 must disable core dump backtraces.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", + "title": "RHEL 8 must enable the SELinux targeted policy.", + "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", - "check": "Verify the operating system disables core dump backtraces by issuing the\nfollowing command:\n\n $ sudo grep -i ProcessSizeMax /etc/systemd/coredump.conf\n\n ProcessSizeMax=0\n\n If the \"ProcessSizeMax\" item is missing, commented out, or the value is\nanything other than \"0\" and the need for core dumps is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement\nfor all domains that have the \"core\" item assigned, this is a finding.", - "fix": "Configure the operating system to disable core dump backtraces.\n\nAdd or modify the following line in /etc/systemd/coredump.conf:\n\nProcessSizeMax=0" + "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. 
Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", + "check": "Ensure the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and is enforcing the targeted policy with\nthe following command:\n\n $ sudo sestatus\n\n SELinux status: enabled\n SELinuxfs mount: /sys/fs/selinux\n SELinux root directory: /etc/selinux\n Loaded policy name: targeted\n Current mode: enforcing\n Mode from config file: enforcing\n Policy MLS status: enabled\n Policy deny_unknown status: allowed\n Memory protection checking: actual (secure)\n Max kernel policy version: 31\n\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n\n Verify that the /etc/selinux/config file is configured to the\n\"SELINUXTYPE\" to \"targeted\":\n\n $ sudo grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n\n SELINUXTYPE = targeted\n\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\",\nthis is a finding.", + "fix": "Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUXTYPE=targeted\n\n A reboot is required for the changes to take effect." }, "impact": 0.5, "refs": [ 
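Review bot: The `find / -xdev -xautofs -fstype #{fs} -nouser` in the new SV-230326 code starts every search at `/` with `-xdev`, so only the root filesystem is ever traversed; any separately mounted filesystem of the same type (for example a dedicated `/boot`, `/home` or `/var`) is skipped, and unowned files there are never reported even though the check text's `find / -fstype xfs -nouser` would find them. Consider iterating over local mount points (from the `mount` resource or `/proc/mounts`) and running `find <mountpoint> -xdev -xautofs -nouser` per mount, which keeps the intent of `-xdev` without silently narrowing the scope. `Set[]` also depends on `require 'set'` on Ruby versions before 3.2; the profile presumably loads it elsewhere, but that is worth confirming. Make the change in `./Red Hat 8 STIG/controls/SV-230326.rb` and regenerate the baseline rather than editing the embedded `code` string.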
@@ -1787,34 +1807,33 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230315",
- "rid": "SV-230315r627750_rule",
- "stig_id": "RHEL-08-010675",
- "fix_id": "F-32959r567692_fix",
+ "gtitle": "SRG-OS-000445-GPOS-00199",
+ "gid": "V-230282",
+ "rid": "SV-230282r854035_rule",
+ "stig_id": "RHEL-08-010450",
+ "fix_id": "F-32926r567593_fix",
 "cci": [
- "CCI-000366"
+ "CCI-002696"
 ],
- "legacy": [],
 "nist": [
- "CM-6 b"
+ "SI-6 a"
 ],
 "host": null
 },
- "code": "control 'SV-230315' do\n title 'RHEL 8 must disable core dump backtraces.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. 
The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.'\n desc 'check', 'Verify the operating system disables core dump backtraces by issuing the\nfollowing command:\n\n $ sudo grep -i ProcessSizeMax /etc/systemd/coredump.conf\n\n ProcessSizeMax=0\n\n If the \"ProcessSizeMax\" item is missing, commented out, or the value is\nanything other than \"0\" and the need for core dumps is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement\nfor all domains that have the \"core\" item assigned, this is a finding.'\n desc 'fix', 'Configure the operating system to disable core dump backtraces.\n\nAdd or modify the following line in /etc/systemd/coredump.conf:\n\nProcessSizeMax=0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230315'\n tag rid: 'SV-230315r627750_rule'\n tag stig_id: 'RHEL-08-010675'\n tag fix_id: 'F-32959r567692_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/systemd/coredump.conf') do\n its('Coredump.ProcessSizeMax') { should cmp '0' }\n end\nend\n", + "code": "control 'SV-230282' do\n title 'RHEL 8 must enable the SELinux targeted policy.'\n desc 'Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.'\n desc 'check', %q(Ensure the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and is enforcing the targeted policy with\nthe following command:\n\n $ sudo sestatus\n\n SELinux status: enabled\n SELinuxfs mount: /sys/fs/selinux\n SELinux root directory: /etc/selinux\n Loaded policy name: targeted\n Current mode: enforcing\n Mode from config file: enforcing\n Policy MLS status: enabled\n Policy deny_unknown status: allowed\n Memory protection checking: actual (secure)\n Max kernel policy version: 31\n\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n\n Verify that the /etc/selinux/config file is configured to the\n\"SELINUXTYPE\" to \"targeted\":\n\n $ sudo grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n\n SELINUXTYPE = targeted\n\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\",\nthis is a finding.)\n desc 'fix', 'Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUXTYPE=targeted\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag gid: 'V-230282'\n tag rid: 'SV-230282r854035_rule'\n tag stig_id: 'RHEL-08-010450'\n tag fix_id: 'F-32926r567593_fix'\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n tag 'host'\n\n only_if('This control is Not 
Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe selinux do\n it { should_not be_disabled }\n it { should be_enforcing }\n its('policy') { should eq 'targeted' }\n end\n\n describe parse_config_file('/etc/selinux/config') do\n its('SELINUXTYPE') { should eq 'targeted' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230315.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230282.rb", "line": 1 }, - "id": "SV-230315" + "id": "SV-230282" }, { - "title": "The RHEL 8 audit records must be off-loaded onto a different system or\nstorage media from the system being audited.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", + "title": "RHEL 8 vendor packaged system security patches and updates must be installed and up to date.", + "desc": "Timely patching is critical for maintaining the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". 
\"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", - "check": "Verify the audit system offloads audit records onto a different system or media from the system being audited with the following command:\n\n $ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.* @@[logaggregationserver.example.mil]:[port]\n\nIf a remote server is not configured, or the line is commented out, ask the system administrator to indicate how the audit logs are offloaded to a different system or media.\n\nIf there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.", - "fix": "Configure the operating system to offload audit records onto a different system or media from the system being audited by specifying the remote logging server in \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\" with the name or IP address of the log aggregation server.\n\nFor UDP:\n *.* @[logaggregationserver.example.mil]:[port]\n\nFor TCP:\n *.* @@[logaggregationserver.example.mil]:[port]" + "default": "Timely patching is critical for maintaining 
the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.", + "check": "Verify the operating system security patches and updates are installed and\n up to date. Updates are required to be applied with a frequency determined by\n the site or Program Management Office (PMO).\n\n Obtain the list of available package security updates from Red Hat. The URL\n for updates is https://rhn.redhat.com/errata/. 
It is important to note that\n updates provided by Red Hat may not be present on the system if the underlying\n packages are not installed.\n\n Check that the available package security updates have been installed on\n the system with the following command:\n\n $ sudo yum history list | more\n\n Loaded plugins: langpacks, product-id, subscription-manager\n ID | Command line | Date and time | Action(s) | Altered\n\n -------------------------------------------------------------------------------\n 70 | install aide | 2020-03-05 10:58 | Install | 1\n 69 | update -y | 2020-03-04 14:34 | Update | 18 EE\n 68 | install vlc | 2020-02-21 17:12 | Install | 21\n 67 | update -y | 2020-02-21 17:04 | Update | 7 EE\n\n If package updates have not been performed on the system within the\n timeframe the site/program documentation requires, this is a finding.\n\n Typical update frequency may be overridden by Information Assurance\n Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\n If the operating system is in non-compliance with the Information Assurance\n Vulnerability Management (IAVM) process, this is a finding.", + "fix": "Install the operating system patches or updated packages\n available from Red Hat within 30 days or sooner as local policy dictates." }, "impact": 0.5, "refs": [ 
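Review bot: `it { should be_enforcing }` in the new SV-230282 code asserts a condition that this control's check text does not treat as a finding: the text makes it a finding only when the loaded policy name or `SELINUXTYPE` is not `targeted`, and enforcing mode belongs to a different requirement. A host in permissive mode with the targeted policy loaded would therefore fail this control too, double-counting one misconfiguration across two controls; drop that line, or keep it with a comment such as `# enforcing mode is asserted here in addition to the policy name; see the mode-specific control` so the overlap is deliberate and visible. Also note that `parse_config_file('/etc/selinux/config')` matches `SELINUXTYPE` case-sensitively while the check uses `grep -i`, which is acceptable given the documented spelling but worth a one-line comment. Apply the change in `./Red Hat 8 STIG/controls/SV-230282.rb` and regenerate the baseline.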
@@ -1824,37 +1843,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "satisfies": [ - "SRG-OS-000342-GPOS-00133", - "SRG-OS-000479-GPOS-00224" - ], - "gid": "V-230479", - "rid": "SV-230479r917883_rule", - "stig_id": "RHEL-08-030690", - "fix_id": "F-33123r917882_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230222", + "rid": "SV-230222r627750_rule", + "stig_id": "RHEL-08-010010", + "fix_id": "F-32866r567413_fix", "cci": [ - "CCI-001851" + "CCI-000366" ], "nist": [ - "AU-4 (1)" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230479' do\n title 'The RHEL 8 audit records must be off-loaded onto a different system or\nstorage media from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.'\n desc 'check', 'Verify the audit system offloads audit records onto a different system or media from the system being audited with the following command:\n\n $ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.* @@[logaggregationserver.example.mil]:[port]\n\nIf a remote server is not configured, or the line is commented out, ask the system administrator to indicate how the audit logs are offloaded to a different system or media.\n\nIf there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.'\n desc 'fix', 'Configure the operating system to offload audit records onto a different system or media from the system being audited by specifying the remote logging server in \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\" with the name or IP address of the log aggregation server.\n\nFor UDP:\n *.* @[logaggregationserver.example.mil]:[port]\n\nFor TCP:\n *.* @@[logaggregationserver.example.mil]:[port]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-230479'\n tag rid: 
'SV-230479r917883_rule'\n tag stig_id: 'RHEL-08-030690'\n tag fix_id: 'F-33123r917882_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe command(\"grep @@ #{input('logging_conf_files').join(' ')}\") do\n its('stdout') { should match(/^[^#]*:\\*\\.\\*\\s*@@[a-z.0-9]*:?[0-9]*?/) }\n end\n end\nend\n", + "code": "control 'SV-230222' do\n title 'RHEL 8 vendor packaged system security patches and updates must be installed and up to date.'\n desc 'Timely patching is critical for maintaining the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.'\n desc 'check', 'Verify the operating system security patches and updates are installed and\n up to date. Updates are required to be applied with a frequency determined by\n the site or Program Management Office (PMO).\n\n Obtain the list of available package security updates from Red Hat. The URL\n for updates is https://rhn.redhat.com/errata/. 
It is important to note that\n updates provided by Red Hat may not be present on the system if the underlying\n packages are not installed.\n\n Check that the available package security updates have been installed on\n the system with the following command:\n\n $ sudo yum history list | more\n\n Loaded plugins: langpacks, product-id, subscription-manager\n ID | Command line | Date and time | Action(s) | Altered\n\n -------------------------------------------------------------------------------\n 70 | install aide | 2020-03-05 10:58 | Install | 1\n 69 | update -y | 2020-03-04 14:34 | Update | 18 EE\n 68 | install vlc | 2020-02-21 17:12 | Install | 21\n 67 | update -y | 2020-02-21 17:04 | Update | 7 EE\n\n If package updates have not been performed on the system within the\n timeframe the site/program documentation requires, this is a finding.\n\n Typical update frequency may be overridden by Information Assurance\n Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\n If the operating system is in non-compliance with the Information Assurance\n Vulnerability Management (IAVM) process, this is a finding.'\n desc 'fix', 'Install the operating system patches or updated packages\n available from Red Hat within 30 days or sooner as local policy dictates.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230222'\n tag rid: 'SV-230222r627750_rule'\n tag stig_id: 'RHEL-08-010010'\n tag fix_id: 'F-32866r567413_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n only_if(\"This control takes a long time to execute so it has been disabled through 'slow_controls'\") {\n !input('disable_slow_controls')\n }\n\n if input('disconnected_system')\n describe 'The system is set to a `disconnected` state and you must validate the state of the system packages manually' do\n skip 'The system is set to a `disconnected` state and you must validate the state of 
the system packages manually'\n end\n else\n updates = linux_update.updates\n package_names = updates.map { |h| h['name'] }\n\n describe.one do\n describe 'List of out-of-date packages' do\n subject { package_names }\n it { should be_empty }\n end\n updates.each do |update|\n describe package(update['name']) do\n its('version') { should eq update['version'] }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230479.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230222.rb", "line": 1 }, - "id": "SV-230479" + "id": "SV-230222" }, { - "title": "Successful/unsuccessful uses of the chacl command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chacl\" command is\nused to change the access control list of a file or directory.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must prevent system messages from being presented when three\nunsuccessful logon attempts occur.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chacl\" command is\nused to change the access control list of a file or directory.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chacl\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect." + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Check that the system prevents informative messages from being presented to\nthe user pertaining to logon information with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"silent\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"silent\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.", + "fix": "Configure the operating system to prevent informative messages from being\npresented at logon attempts.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" 
service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" }, "impact": 0.5, "refs": [ 
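Review bot: The `describe.one` block in the new SV-230222 `code` string makes the patch check pass as soon as any single inner describe passes, so when `linux_update.updates` is non-empty, one package whose installed `version` already equals its listed update is enough to mark the whole control passed while every other package stays outdated. Only the empty-list assertion expresses the requirement; the per-package `package(update['name'])` loop should either be dropped or sit outside `describe.one` so every pending update must be installed, e.g. `describe 'List of out-of-date packages' do` / `subject { package_names }` / `it { should be_empty }` on its own. The `only_if` that honours `disable_slow_controls` skips the control without `impact: 0.0`, which is presumably intended but worth confirming since the result then reports as skipped at medium impact. Since this JSON embeds the control source verbatim, the correction belongs in the profile file named in `source_location` (`./Red Hat 8 STIG/controls/SV-230222.rb`) followed by regenerating this baseline; the enclosing control object and its `refs` array begin before this hunk.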
@@ -1864,43 +1880,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000021-GPOS-00005", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000466-GPOS-00210" + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" ], - "gid": "V-230464", - "rid": "SV-230464r627750_rule", - "stig_id": "RHEL-08-030570", - "fix_id": "F-33108r568139_fix", + "gid": "V-230340", + "rid": "SV-230340r627750_rule", + "stig_id": "RHEL-08-020018", + "fix_id": "F-32984r567767_fix", "cci": [ - "CCI-000169" + "CCI-000044" ], "nist": [ - "AU-12 a" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230464' do\n title 'Successful/unsuccessful uses of the chacl command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chacl\" command is\nused to change the access control list of a file or directory.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chacl\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230464'\n tag rid: 'SV-230464r627750_rule'\n tag stig_id: 'RHEL-08-030570'\n tag fix_id: 'F-33108r568139_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chacl'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230340' do\n title 'RHEL 8 must prevent system messages from being presented when three\nunsuccessful logon attempts occur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the system prevents informative messages from being presented to\nthe user pertaining to logon information with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"silent\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth 
dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"silent\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.'\n desc 'fix', 'Configure the operating system to prevent informative messages from being\npresented at logon attempts.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230340'\n tag rid: 'SV-230340r627750_rule'\n tag stig_id: 'RHEL-08-020018'\n tag fix_id: 'F-32984r567767_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('silent')\n }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('silent')\n 
}\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230464.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230340.rb", "line": 1 }, - "id": "SV-230464" + "id": "SV-230340" }, { - "title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a graphical\nuser logon.", - "desc": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that are used with removable media.", + "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, 
or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", - "check": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 
'\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n $ sudo dconf update" + "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "check": "Verify file systems that are used for removable media are mounted with the\n\"nosuid\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nosuid\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are associated with removable media." }, "impact": 0.5, "refs": [ 
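Review bot: The version gate `(os.release.to_f) < 8.2` in the new SV-230340 `code` string compares release strings as floats, and Ruby's `String#to_f` turns a two-digit minor such as `"8.10"` into `8.1`, so such a release would be treated as older than 8.2 and the control would run instead of being marked not applicable as the check text requires. A component-wise comparison avoids this: `Gem::Version.new(os.release) < Gem::Version.new('8.2')`. Because this baseline carries the control source as a string, the fix belongs in the profile file referenced by `source_location` (`./Red Hat 8 STIG/controls/SV-230340.rb`) with the JSON regenerated afterwards; the enclosing control object opens before this hunk.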
@@ -1910,38 +1921,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000023-GPOS-00006", - "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000228-GPOS-00088" - ], - "gid": "V-230226", - "rid": "SV-230226r743916_rule", - "stig_id": "RHEL-08-010050", - "fix_id": "F-32870r743915_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230305", + "rid": "SV-230305r627750_rule", + "stig_id": "RHEL-08-010620", + "fix_id": "F-32949r567662_fix", "cci": [ - "CCI-000048" + "CCI-000366" ], "nist": [ - "AC-8 a" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230226' do\n title 'RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a graphical\nuser logon.'\n desc 'Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"'\n desc 'check', %q(Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.)\n desc 'fix', %q(Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n $ sudo dconf update)\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-230226'\n tag rid: 'SV-230226r743916_rule'\n tag stig_id: 'RHEL-08-010050'\n tag fix_id: 'F-32870r743915_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n tag 'container'\n\n only_if(\"The system does not have GNOME installed; this requirement is Not\n Applicable.\", impact: 0.0) { package('gnome-desktop3').installed? }\n\n banner_message_db = input('banner_message_db')\n\n banner = command(\"grep ^banner-message-text /etc/dconf/db/#{banner_message_db}.d/*\").stdout.gsub(/[\\r\\n\\s]/, '')\n expected_banner = input('banner_message_text_gui').gsub(/[\\r\\n\\s]/, '')\n\n describe 'The GUI Banner ' do\n it 'is set to the standard banner and has the correct text' do\n expect(banner).to eq(expected_banner), 'Banner does not match expected text'\n end\n end\nend\n", + "code": "control 'SV-230305' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that are used with removable media.'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify file systems that are used for removable media are mounted with the\n\"nosuid\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nosuid\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are associated with removable media.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230305'\n tag rid: 'SV-230305r627750_rule'\n tag stig_id: 'RHEL-08-010620'\n tag fix_id: 'F-32949r567662_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nosuid'\n file_systems = etc_fstab.params\n non_removable_media = input('non_removable_media_fs')\n mounted_removeable_media = file_systems.reject { |mnt| non_removable_media.include?(mnt['mount_point']) }\n failing_mounts = mounted_removeable_media.reject { |mnt| mnt['mount_options'].include?(option) }\n\n # be very explicit about why this one was a finding since we do not know which mounts are removeable media without the user telling us\n rem_media_msg = \"NOTE: Some mounted devices are not indicated to be non-removable media (you may need to update the 'non_removable_media_fs' input to check if these are truly subject to this requirement)\\n\"\n\n # there should either be no mounted removable media (which should be a requirement anyway), OR\n # all removeable media should be mounted with nosuid\n if mounted_removeable_media.empty?\n describe 'No 
removeable media' do\n it 'are mounted' do\n expect(mounted_removeable_media).to be_empty\n end\n end\n else\n describe 'Any mounted removeable media' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"#{rem_media_msg}\\nRemoveable media without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230226.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230305.rb", "line": 1 }, - "id": "SV-230226" + "id": "SV-230305" }, { - "title": "For RHEL 8 systems using Domain Name Servers (DNS) resolution, at\nleast two name servers must be configured.", - "desc": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", + "title": "The debug-shell systemd service must be disabled on RHEL 8.", + "desc": "The debug-shell requires no authentication and provides root\nprivileges to anyone who has physical access to the machine. While this\nfeature is disabled by default, masking it adds an additional layer of\nassurance that it will not be enabled via a dependency in systemd. This also\nprevents attackers with physical access from trivially bypassing security on\nthe machine through valid troubleshooting configurations and gaining root\naccess when the system is rebooted.", "descriptions": { - "default": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. 
A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", - "check": "Determine whether the system is using local or DNS name resolution with the\nfollowing command:\n\n $ sudo grep hosts /etc/nsswitch.conf\n\n hosts: files dns\n\n If the DNS entry is missing from the host's line in the\n\"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n\n $ sudo ls -al /etc/resolv.conf\n\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\n If local host authentication is being used and the \"/etc/resolv.conf\"\nfile is not empty, this is a finding.\n\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\"\nfile, verify the operating system is configured to use two or more name servers\nfor DNS resolution.\n\n Determine the name servers used by the system with the following command:\n\n $ sudo grep nameserver /etc/resolv.conf\n\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n\n If less than two lines are returned that are not commented out, this is a\nfinding.", - "fix": "Configure the operating system to use two or more name servers for DNS\nresolution.\n\n By default, \"NetworkManager\" on RHEL 8 dynamically updates the\n/etc/resolv.conf file with the DNS settings from active \"NetworkManager\"\nconnection profiles. However, this feature can be disabled to allow manual\nconfigurations.\n\n If manually configuring DNS, edit the \"/etc/resolv.conf\" file to\nuncomment or add the two or more \"nameserver\" option lines with the IP\naddress of local authoritative name servers. If local host resolution is being\nperformed, the \"/etc/resolv.conf\" file must be empty. 
An empty\n\"/etc/resolv.conf\" file can be created as follows:\n\n $ sudo echo -n > /etc/resolv.conf" + "default": "The debug-shell requires no authentication and provides root\nprivileges to anyone who has physical access to the machine. While this\nfeature is disabled by default, masking it adds an additional layer of\nassurance that it will not be enabled via a dependency in systemd. This also\nprevents attackers with physical access from trivially bypassing security on\nthe machine through valid troubleshooting configurations and gaining root\naccess when the system is rebooted.", + "check": "Verify RHEL 8 is configured to mask the debug-shell systemd service with\nthe following command:\n\n $ sudo systemctl status debug-shell.service\n\n debug-shell.service\n Loaded: masked (Reason: Unit debug-shell.service is masked.)\n Active: inactive (dead)\n\n If the \"debug-shell.service\" is loaded and not masked, this is a finding.", + "fix": "Configure the system to mask the debug-shell systemd service with the\nfollowing command:\n\n $ sudo systemctl mask debug-shell.service\n\n Created symlink /etc/systemd/system/debug-shell.service -> /dev/null\n\n Reload the daemon to take effect.\n\n $ sudo systemctl daemon-reload" }, "impact": 0.5, "refs": [ 
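Review bot: In the new SV-230305 `code` string, the `describe 'No removeable media'` example asserts `expect(mounted_removeable_media).to be_empty` inside the branch that has already established the array is empty, so it can never fail; a comment such as `# intentional always-pass: records that no removable-media mounts were found in /etc/fstab` would make that explicit, and the spelling `removeable` in the describe/it strings (which surface in reports) should be `removable`. The failure message also calls `failing_mounts.join(...)` on what the `mnt['mount_point']` indexing shows to be an array of fstab hashes, so the report prints raw hash dumps rather than mount points; `failing_mounts.map { |m| m['mount_point'] }.join("\n\t- ")` would be more useful to the reader. This JSON looks like an InSpec profile export (note `source_location`), so these changes belong in `./Red Hat 8 STIG/controls/SV-230305.rb` upstream rather than in this file.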
@@ -1952,33 +1958,32 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230316", - "rid": "SV-230316r627750_rule", - "stig_id": "RHEL-08-010680", - "fix_id": "F-32960r567695_fix", + "gid": "V-230532", + "rid": "SV-230532r627750_rule", + "stig_id": "RHEL-08-040180", + "fix_id": "F-33176r619892_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230316' do\n title 'For RHEL 8 systems using Domain Name Servers (DNS) resolution, at\nleast two name servers must be configured.'\n desc 'To provide availability for name resolution services, multiple\nredundant name servers are mandated. A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.'\n desc 'check', %q(Determine whether the system is using local or DNS name resolution with the\nfollowing command:\n\n $ sudo grep hosts /etc/nsswitch.conf\n\n hosts: files dns\n\n If the DNS entry is missing from the host's line in the\n\"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n\n $ sudo ls -al /etc/resolv.conf\n\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\n If local host authentication is being used and the \"/etc/resolv.conf\"\nfile is not empty, this is a finding.\n\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\"\nfile, verify the operating system is configured to use two or more name servers\nfor DNS resolution.\n\n Determine the name servers used by the system with the following command:\n\n $ sudo grep nameserver /etc/resolv.conf\n\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n\n If less than two lines are returned that are not commented out, this is a\nfinding.)\n desc 'fix', 'Configure the operating system to use two or 
more name servers for DNS\nresolution.\n\n By default, \"NetworkManager\" on RHEL 8 dynamically updates the\n/etc/resolv.conf file with the DNS settings from active \"NetworkManager\"\nconnection profiles. However, this feature can be disabled to allow manual\nconfigurations.\n\n If manually configuring DNS, edit the \"/etc/resolv.conf\" file to\nuncomment or add the two or more \"nameserver\" option lines with the IP\naddress of local authoritative name servers. If local host resolution is being\nperformed, the \"/etc/resolv.conf\" file must be empty. An empty\n\"/etc/resolv.conf\" file can be created as follows:\n\n $ sudo echo -n > /etc/resolv.conf'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230316'\n tag rid: 'SV-230316r627750_rule'\n tag stig_id: 'RHEL-08-010680'\n tag fix_id: 'F-32960r567695_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n dns_in_host_line = parse_config_file('/etc/nsswitch.conf',\n comment_char: '#',\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/).params['hosts'].include?('dns')\n\n unless dns_in_host_line\n describe 'If `local` resolution is being used, a `hosts` entry in /etc/nsswitch.conf having `dns`' do\n subject { dns_in_host_line }\n it { should be false }\n end\n end\n\n unless dns_in_host_line\n describe 'If `local` resoultion is being used, the /etc/resolv.conf file should' do\n subject { parse_config_file('/etc/resolv.conf', comment_char: '#').params }\n it { should be_empty }\n end\n end\n\n nameservers = parse_config_file('/etc/resolv.conf',\n comment_char: '#').params.keys.grep(/nameserver/)\n\n if dns_in_host_line\n describe \"The system's nameservers: #{nameservers}\" do\n subject { nameservers }\n it { should_not be nil }\n end\n end\n\n if dns_in_host_line\n describe 'The number of nameservers' do\n subject { nameservers.count }\n it { should cmp >= 2 }\n end\n end\nend\n", + 
"code": "control 'SV-230532' do\n title 'The debug-shell systemd service must be disabled on RHEL 8.'\n desc 'The debug-shell requires no authentication and provides root\nprivileges to anyone who has physical access to the machine. While this\nfeature is disabled by default, masking it adds an additional layer of\nassurance that it will not be enabled via a dependency in systemd. This also\nprevents attackers with physical access from trivially bypassing security on\nthe machine through valid troubleshooting configurations and gaining root\naccess when the system is rebooted.'\n desc 'check', 'Verify RHEL 8 is configured to mask the debug-shell systemd service with\nthe following command:\n\n $ sudo systemctl status debug-shell.service\n\n debug-shell.service\n Loaded: masked (Reason: Unit debug-shell.service is masked.)\n Active: inactive (dead)\n\n If the \"debug-shell.service\" is loaded and not masked, this is a finding.'\n desc 'fix', 'Configure the system to mask the debug-shell systemd service with the\nfollowing command:\n\n $ sudo systemctl mask debug-shell.service\n\n Created symlink /etc/systemd/system/debug-shell.service -> /dev/null\n\n Reload the daemon to take effect.\n\n $ sudo systemctl daemon-reload'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230532'\n tag rid: 'SV-230532r627750_rule'\n tag stig_id: 'RHEL-08-040180'\n tag fix_id: 'F-33176r619892_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n d = systemd_service('debug-shell.service')\n\n describe.one do\n describe d do\n its('params.LoadState') { should eq 'masked' }\n end\n describe d do\n its('params.LoadState') { should eq 'not-found' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230316.rb", + "ref": "./Red Hat 8 
STIG/controls/SV-230532.rb", "line": 1 }, - "id": "SV-230316" + "id": "SV-230532" }, { - "title": "RHEL 8 must accept Personal Identity Verification (PIV) credentials.", - "desc": "The use of PIV credentials facilitates standardization and reduces the\n risk of unauthorized access.\n\n The DoD has mandated the use of the Common Access Card (CAC) to support\n identity management and personal authentication for systems covered under\n Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a\n primary component of layered protection for national security systems.", - "descriptions": { - "default": "The use of PIV credentials facilitates standardization and reduces the\n risk of unauthorized access.\n\n The DoD has mandated the use of the Common Access Card (CAC) to support\n identity management and personal authentication for systems covered under\n Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a\n primary component of layered protection for national security systems.", - "check": "Verify RHEL 8 accepts PIV credentials.\n\n Check that the \"opensc\" package is installed on the system with the\n following command:\n\n $ sudo yum list installed opensc\n\n opensc.x86_64 0.19.0-5.el8 @anaconda\n\n Check that \"opensc\" accepts PIV cards with the following command:\n\n $ sudo opensc-tool --list-drivers | grep -i piv\n\n PIV-II Personal Identity Verification Card\n\n If the \"opensc\" package is not installed and the \"opensc-tool\" driver\n list does not include \"PIV-II\", this is a finding.", - "fix": "Configure RHEL 8 to accept PIV credentials.\n\n Install the \"opensc\" package using the following command:\n\n $ sudo yum install opensc" + "title": "RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.", + "desc": "Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without 
detection.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.", + "descriptions": { + "default": "Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first algorithm presented by the client that matches the server list. 
Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.", + "check": "Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config\n\n CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'\n\nIf the entries following \"KexAlgorithms\" have any algorithms defined other than \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\", appear in different order than shown, or are missing or commented out, this is a finding.", + "fix": "Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/crypto-policies/back-ends/opensshserver.config\":\n\n-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\n\nA reboot is required for the changes to take effect." }, "impact": 0.5, "refs": [ 
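Review bot: In the new SV-230532 `code` string, `d` is a non-descriptive name for the `systemd_service('debug-shell.service')` resource, and the `describe.one` wrapping two otherwise identical `describe d` blocks collapses to one expectation: `describe systemd_service('debug-shell.service') do`, `its('params.LoadState') { should be_in %w[masked not-found] }`, `end`. Treating `not-found` as compliant is a reasonable reading of the check text ("loaded and not masked"), but a comment stating it, e.g. `# a unit that does not exist cannot be loaded, so not-found also satisfies the check`, would save the next reader from wondering whether it is deliberate. As this JSON appears to be an `inspec json` export (see `source_location`), the edit would go to `./Red Hat 8 STIG/controls/SV-230532.rb`.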
@@ -1987,34 +1992,37 @@ } ], "tags": { + "check_id": "C-59601r917887_chk", "severity": "medium", - "gtitle": "SRG-OS-000376-GPOS-00161", - "gid": "V-230275", - "rid": "SV-230275r854030_rule", - "stig_id": "RHEL-08-010410", - "fix_id": "F-32919r567572_fix", + "gid": "V-255924", + "rid": "SV-255924r917888_rule", + "stig_id": "RHEL-08-040342", + "gtitle": "SRG-OS-000250-GPOS-00093", + "fix_id": "F-59544r880732_fix", + "documentable": null, "cci": [ - "CCI-001953" + "CCI-001453" ], "nist": [ - "IA-2 (12)" + "AC-17 (2)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230275' do\n title 'RHEL 8 must accept Personal Identity Verification (PIV) credentials.'\n desc 'The use of PIV credentials facilitates standardization and reduces the\n risk of unauthorized access.\n\n The DoD has mandated the use of the Common Access Card (CAC) to support\n identity management and personal authentication for systems covered under\n Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a\n primary component of layered protection for national security systems.'\n desc 'check', 'Verify RHEL 8 accepts PIV credentials.\n\n Check that the \"opensc\" package is installed on the system with the\n following command:\n\n $ sudo yum list installed opensc\n\n opensc.x86_64 0.19.0-5.el8 @anaconda\n\n Check that \"opensc\" accepts PIV cards with the following command:\n\n $ sudo opensc-tool --list-drivers | grep -i piv\n\n PIV-II Personal Identity Verification Card\n\n If the \"opensc\" package is not installed and the \"opensc-tool\" driver\n list does not include \"PIV-II\", this is a finding.'\n desc 'fix', 'Configure RHEL 8 to accept PIV credentials.\n\n Install the \"opensc\" package using the following command:\n\n $ sudo yum install opensc'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000376-GPOS-00161'\n tag gid: 'V-230275'\n tag rid: 'SV-230275r854030_rule'\n tag stig_id: 
'RHEL-08-010410'\n tag fix_id: 'F-32919r567572_fix'\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('smart_card_enabled')\n\n describe package('opensc') do\n it { should be_installed }\n end\n\n options = { assignment_regex: /^\\s*(\\S+)\\s+(.*)$/ }\n opensc = command('opensc-tool --list-drivers').stdout\n opensc_conf = parse_config(opensc, options)\n\n piv_driver = input('piv_driver')\n\n describe 'OpenSC drivers' do\n it \"should include '#{piv_driver}'\" do\n expect(opensc_conf.params.keys).to include(piv_driver), \"Missing '#{piv_driver}' in OpenSC driver list\"\n end\n end\n else\n impact 0.0\n describe 'The system is not utilizing smart card authentication' do\n skip 'The system is not utilizing smart card authentication, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-255924' do\n title 'RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.'\n desc 'Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first algorithm presented by the client that matches the server list. 
Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.'\n desc 'check', %q(Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config\n\n CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'\n\nIf the entries following \"KexAlgorithms\" have any algorithms defined other than \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\", appear in different order than shown, or are missing or commented out, this is a finding.)\n desc 'fix', 'Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/crypto-policies/back-ends/opensshserver.config\":\n\n-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-59601r917887_chk'\n tag severity: 'medium'\n tag gid: 'V-255924'\n tag rid: 'SV-255924r917888_rule'\n tag stig_id: 'RHEL-08-040342'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag fix_id: 'F-59544r880732_fix'\n tag 'documentable'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config') do\n its('CRYPTO_POLICY') { should include 
'-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230275.rb", + "ref": "./Red Hat 8 STIG/controls/SV-255924.rb", "line": 1 }, - "id": "SV-230275" + "id": "SV-255924" }, { - "title": "RHEL 8 must enforce a delay of at least four seconds between logon\nprompts following a failed logon attempt.", - "desc": "Configuring the operating system to implement organization-wide\nsecurity implementation guides and security checklists verifies compliance with\nfederal standards and establishes a common security baseline across the DoD\nthat reflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example, registry\nsettings; account, file, and directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", + "title": "RHEL 8 must mount /dev/shm with the noexec option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Configuring the operating system to implement organization-wide\nsecurity implementation guides and security checklists verifies compliance with\nfederal standards and establishes a common security baseline across the DoD\nthat reflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example, registry\nsettings; account, file, and directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", - "check": "Verify the operating system enforces a delay of at least four seconds\nbetween console logon prompts following a failed logon attempt with the\nfollowing command:\n\n $ sudo grep -i fail_delay /etc/login.defs\n\n FAIL_DELAY 4\n\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line\nis commented out, this is a finding.", - "fix": "Configure the operating system to enforce a delay of at least four seconds\nbetween logon prompts following a failed console logon attempt.\n\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to\n\"4\" or greater:\n\n FAIL_DELAY 4" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/dev/shm\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" options is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/dev/shm is mounted without the \"noexec\" option, this is a finding.", + "fix": "Configure the system so that /dev/shm is mounted with the \"noexec\" option\nby adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
@@ -2024,34 +2032,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00226", - "gid": "V-230378", - "rid": "SV-230378r627750_rule", - "stig_id": "RHEL-08-020310", - "fix_id": "F-33022r567881_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230510", + "rid": "SV-230510r854051_rule", + "stig_id": "RHEL-08-040122", + "fix_id": "F-33154r568277_fix", "cci": [ - "CCI-000366" + "CCI-001764" ], "nist": [ - "CM-6 b" + "CM-7 (2)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230378' do\n title 'RHEL 8 must enforce a delay of at least four seconds between logon\nprompts following a failed logon attempt.'\n desc 'Configuring the operating system to implement organization-wide\nsecurity implementation guides and security checklists verifies compliance with\nfederal standards and establishes a common security baseline across the DoD\nthat reflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example, registry\nsettings; account, file, and directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.'\n desc 'check', 'Verify the operating system enforces a delay of at least four seconds\nbetween console logon prompts following a failed logon attempt with the\nfollowing command:\n\n $ sudo grep -i fail_delay /etc/login.defs\n\n FAIL_DELAY 4\n\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line\nis commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce a delay of at least four seconds\nbetween logon prompts following a failed console logon attempt.\n\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to\n\"4\" or greater:\n\n FAIL_DELAY 4'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00226'\n tag gid: 'V-230378'\n tag rid: 'SV-230378r627750_rule'\n tag stig_id: 'RHEL-08-020310'\n tag fix_id: 'F-33022r567881_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('FAIL_DELAY.to_i') { should cmp >= input('login_prompt_delay') }\n end\nend\n", + "code": "control 'SV-230510' do\n title 'RHEL 8 must mount /dev/shm with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/dev/shm\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" options is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/dev/shm is mounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /dev/shm is mounted with the \"noexec\" option\nby adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230510'\n tag rid: 'SV-230510r854051_rule'\n tag stig_id: 'RHEL-08-040122'\n tag fix_id: 'F-33154r568277_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/dev/shm'\n option = 'noexec'\n\n describe mount(path) do\n 
its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230378.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230510.rb", "line": 1 }, - "id": "SV-230378" + "id": "SV-230510" }, { - "title": "RHEL 8, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an\naccepted trust anchor.", - "desc": "Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. 
Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.", + "title": "RHEL 8 library directories must have mode 755 or less permissive.", + "desc": "If RHEL 8 were to allow any user to make changes to software libraries,\n then those changes might be implemented without undergoing the appropriate\n testing and approvals that are part of a robust change management process.\n\n This requirement applies to RHEL 8 with software libraries that are accessible\n and configurable, as in the case of interpreted languages. Software libraries\n also include privileged programs that execute with escalated privileges. Only\n qualified and authorized individuals will be allowed to obtain access to\n information system components for purposes of initiating changes, including\n upgrades and modifications.", "descriptions": { - "default": "Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. 
Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.", - "check": "Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the system has a valid DoD root CA installed with the following command:\n\n$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem\n\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number: 1 (0x1)\n Signature Algorithm: sha256WithRSAEncryption\n Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Validity\n Not Before: Mar 20 18:46:41 2012 GMT\n Not After : Dec 30 18:46:41 2029 GMT\n Subject: C = US, O = U.S. 
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n\nIf the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.", - "fix": "Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nObtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file:\n\n/etc/sssd/pki/sssd_auth_ca_db.pem" + "default": "If RHEL 8 were to allow any user to make changes to software libraries,\n then those changes might be implemented without undergoing the appropriate\n testing and approvals that are part of a robust change management process.\n\n This requirement applies to RHEL 8 with software libraries that are accessible\n and configurable, as in the case of interpreted languages. Software libraries\n also include privileged programs that execute with escalated privileges. Only\n qualified and authorized individuals will be allowed to obtain access to\n information system components for purposes of initiating changes, including\n upgrades and modifications.", + "check": "Verify the system-wide shared library directories within \"/lib\",\n \"/lib64\", \"/usr/lib\" and \"/usr/lib64\" have mode \"755\" or less permissive with\n the following command:\n\n $ sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\n If any system-wide shared library directories are found to be group-writable\n or world-writable, this is a finding.", + "fix": "Configure the library directories to be protected from unauthorized\n access. Run the following command, replacing \"[DIRECTORY]\" with any library\n directory with a mode more permissive than 755.\n\n $ sudo chmod 755 [DIRECTORY]" }, "impact": 0.5, "refs": [ 
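Review bot: The fstab expectation for SV-230510 (the `describe etc_fstab.where { mount_point == path }` block inside the `code` string) fails whenever /etc/fstab has no /dev/shm line at all, because `mount_options.flatten` is then empty and `should include 'noexec'` cannot match — whereas the check text in the same hunk only treats a missing option as a finding "if results are returned", which reads as an absent entry (the usual case when systemd mounts /dev/shm) not being a finding on its own. If the profile is meant to follow the check text, guard that expectation, e.g. `if etc_fstab.where { mount_point == path }.entries.any?`, and let the `mount(path)` expectation carry the live-state check; if the stricter behaviour is deliberate because the fix text requires the fstab line, a one-line comment in the control saying so would stop the next reader from relaxing it. The SV-251707 object whose `descriptions` begin at the end of this hunk continues into the next hunk.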
@@ -2061,39 +2068,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000066-GPOS-00034", - "satisfies": [ - "SRG-OS-000066-GPOS-00034", - "SRG-OS-000384-GPOS-00167" - ], - "gid": "V-230229", - "rid": "SV-230229r858739_rule", - "stig_id": "RHEL-08-010090", - "fix_id": "F-32873r809269_fix", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-251707", + "rid": "SV-251707r809345_rule", + "stig_id": "RHEL-08-010331", + "fix_id": "F-55098r809344_fix", "cci": [ - "CCI-000185" + "CCI-001499" ], "nist": [ - "IA-5 (2) (a)", - "IA-5 (2) (b) (1)" + "CM-5 (6)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230229' do\n title 'RHEL 8, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an\naccepted trust anchor.'\n desc 'Without path validation, an informed trust decision by the relying\nparty cannot be made when presented with any certificate not already explicitly\ntrusted.\n\n A trust anchor is an authoritative entity represented via a public key and\nassociated data. It is used in the context of public key infrastructures, X.509\ndigital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\nbecomes the trust anchor; it can be, for example, a Certification Authority\n(CA). A certification path starts with the subject certificate and proceeds\nthrough a number of intermediate certificates up to a trusted root certificate,\ntypically issued by a trusted CA.\n\n This requirement verifies that a certification path to an accepted trust\nanchor is used for certificate validation and that the path includes status\ninformation. Path validation is necessary for a relying party to make an\ninformed trust decision when presented with any certificate not already\nexplicitly trusted. 
Status information for certification paths includes\ncertificate revocation lists or online certificate status protocol responses.\nValidation of the certificate status information is out of scope for this\nrequirement.'\n desc 'check', 'Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the system has a valid DoD root CA installed with the following command:\n\n$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem\n\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number: 1 (0x1)\n Signature Algorithm: sha256WithRSAEncryption\n Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Validity\n Not Before: Mar 20 18:46:41 2012 GMT\n Not After : Dec 30 18:46:41 2029 GMT\n Subject: C = US, O = U.S. 
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n\nIf the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.'\n desc 'fix', 'Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nObtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file:\n\n/etc/sssd/pki/sssd_auth_ca_db.pem'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000066-GPOS-00034'\n tag satisfies: ['SRG-OS-000066-GPOS-00034', 'SRG-OS-000384-GPOS-00167']\n tag gid: 'V-230229'\n tag rid: 'SV-230229r858739_rule'\n tag stig_id: 'RHEL-08-010090'\n tag fix_id: 'F-32873r809269_fix'\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (a)', 'IA-5 (2) (b) (1)']\n tag 'host'\n tag 'container'\n\n only_if('If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.', impact: 0.0) {\n !input('smart_card_enabled')\n }\n\n root_ca_file = input('root_ca_file')\n describe file(root_ca_file) do\n it { should exist }\n end\n\n describe 'Ensure the RootCA is a DoD-issued certificate with a valid date' do\n if file(root_ca_file).exist?\n subject { x509_certificate(root_ca_file) }\n it 'has the correct issuer_dn' do\n expect(subject.issuer_dn).to match('/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3')\n end\n it 'has the correct subject_dn' do\n expect(subject.subject_dn).to match('/C=US/O=U.S. 
Government/OU=DoD/OU=PKI/CN=DoD Root CA 3')\n end\n it 'is valid' do\n expect(subject.validity_in_days).to be > 0\n end\n end\n end\nend\n", + "code": "control 'SV-251707' do\n title 'RHEL 8 library directories must have mode 755 or less permissive.'\n desc 'If RHEL 8 were to allow any user to make changes to software libraries,\n then those changes might be implemented without undergoing the appropriate\n testing and approvals that are part of a robust change management process.\n\n This requirement applies to RHEL 8 with software libraries that are accessible\n and configurable, as in the case of interpreted languages. Software libraries\n also include privileged programs that execute with escalated privileges. Only\n qualified and authorized individuals will be allowed to obtain access to\n information system components for purposes of initiating changes, including\n upgrades and modifications.'\n desc 'check', %q(Verify the system-wide shared library directories within \"/lib\",\n \"/lib64\", \"/usr/lib\" and \"/usr/lib64\" have mode \"755\" or less permissive with\n the following command:\n\n $ sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\n If any system-wide shared library directories are found to be group-writable\n or world-writable, this is a finding.)\n desc 'fix', 'Configure the library directories to be protected from unauthorized\n access. 
Run the following command, replacing \"[DIRECTORY]\" with any library\n directory with a mode more permissive than 755.\n\n $ sudo chmod 755 [DIRECTORY]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-251707'\n tag rid: 'SV-251707r809345_rule'\n tag stig_id: 'RHEL-08-010331'\n tag fix_id: 'F-55098r809344_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n permissions_for_libs = input('permissions_for_libs')\n\n overly_permissive_libs = input('system_libraries').select { |lib|\n file(lib).more_permissive_than?(permissions_for_libs)\n }\n\n describe 'System libraries' do\n it \"should not have permissions set higher than #{permissions_for_libs}\" do\n fail_msg = \"Overly permissive system libraries:\\n\\t- #{overly_permissive_libs.join(\"\\n\\t- \")}\"\n expect(overly_permissive_libs).to be_empty, fail_msg\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230229.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251707.rb", "line": 1 }, - "id": "SV-230229" + "id": "SV-251707" }, { - "title": "Successful/unsuccessful uses of the setfacl command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"setfacl\" command is\nused to set file access control lists.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"setfacl\" command is\nused to set file access control lists.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"setfacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w setfacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"setfacl\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect." + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount after three unsuccessful logon attempts:\n\n $ sudo grep 'deny =' /etc/security/faillock.conf\n\n deny = 3\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\"), is\nmissing or commented out, this is a finding.", + "fix": "Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n deny = 3" }, "impact": 0.5, "refs": [ 
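Review bot: The automated test for SV-251707 (the `code` string in this hunk) only iterates the fixed list in `input('system_libraries')` and compares each entry against `permissions_for_libs`, while the check text it implements tells the assessor to walk `/lib /lib64 /usr/lib /usr/lib64` with `find -perm /022 -type d` — so a group- or world-writable directory that is not on the input list (a newly created subdirectory, a vendor path) is invisible to the profile while still being a finding under the manual check, and the failure message "Overly permissive system libraries" describes files rather than the directories this control is about. Consider enumerating at run time, e.g. `command('find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d').stdout.split("\n")`, and expecting that list to be empty, keeping the input only as an optional supplement. The SV-251707 object starts in the previous hunk, and the SV-230333 object that begins here continues past the end of this hunk.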
@@ -2103,42 +2104,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000021-GPOS-00005", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" ], - "gid": "V-230435", - "rid": "SV-230435r627750_rule", - "stig_id": "RHEL-08-030330", - "fix_id": "F-33079r568052_fix", + "gid": "V-230333", + "rid": "SV-230333r743966_rule", + "stig_id": "RHEL-08-020011", + "fix_id": "F-32977r743965_fix", "cci": [ - "CCI-000169" + "CCI-000044" ], "nist": [ - "AU-12 a" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230435' do\n title 'Successful/unsuccessful uses of the setfacl command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"setfacl\" command is\nused to set file access control lists.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"setfacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w setfacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"setfacl\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230435'\n tag rid: 'SV-230435r627750_rule'\n tag stig_id: 'RHEL-08-030330'\n tag fix_id: 'F-33079r568052_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/setfacl'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230333' do\n title 'RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', %q(Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount after three unsuccessful logon attempts:\n\n $ sudo grep 'deny =' /etc/security/faillock.conf\n\n deny = 3\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\"), is\nmissing or commented out, this is a finding.)\n desc 'fix', 'Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n deny = 3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230333'\n tag rid: 'SV-230333r743966_rule'\n tag stig_id: 'RHEL-08-020011'\n tag fix_id: 'F-32977r743965_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL version 8.2 and later. If the system is not RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('deny') { should cmp <= input('unsuccessful_attempts') }\n its('deny') { should_not cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230435.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230333.rb", "line": 1 }, - "id": "SV-230435" + "id": "SV-230333" }, { - "title": "RHEL 8 must define default permissions for logon and non-logon shells.", - "desc": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. 
Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", + "title": "RHEL 8 must label all off-loaded audit logs before sending them to the\ncentral log server.", + "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging is needed to determine who, what, and when events occur on\na system. Without this, determining root cause of an event will be much more\ndifficult.\n\n When audit logs are not labeled before they are sent to a central log\nserver, the audit data will not be able to be analyzed and tied back to the\ncorrect system.", "descriptions": { - "default": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". 
This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", - "check": "Verify that the umask default for installed shells is \"077\".\n\nCheck for the value of the \"UMASK\" parameter in the \"/etc/bashrc\", \"/etc/csh.cshrc\" and \"/etc/profile\" files with the following command:\n\nNote: If the value of the \"UMASK\" parameter is set to \"000\" in the \"/etc/bashrc\" the \"/etc/csh.cshrc\" or the \"/etc/profile\" files, the Severity is raised to a CAT I.\n\n# grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile\n\n/etc/bashrc: umask 077\n/etc/bashrc: umask 077\n/etc/csh.cshrc: umask 077\n/etc/csh.cshrc: umask 077\n/etc/profile: umask 077\n/etc/profile: umask 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding.", - "fix": "Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the lines for the \"UMASK\" parameter in the \"/etc/bashrc\", \"/etc/csh.cshrc\" and \"/etc/profile\"files to \"077\":\n\nUMASK 077" + "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging is needed to determine who, what, and when events occur on\na system. 
Without this, determining root cause of an event will be much more\ndifficult.\n\n When audit logs are not labeled before they are sent to a central log\nserver, the audit data will not be able to be analyzed and tied back to the\ncorrect system.", + "check": "Verify the RHEL 8 Audit Daemon is configured to label all off-loaded audit\nlogs, with the following command:\n\n $ sudo grep \"name_format\" /etc/audit/auditd.conf\n\n name_format = hostname\n\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\",\nor the line is commented out, this is a finding.", + "fix": "Edit the /etc/audit/auditd.conf file and add or update the \"name_format\"\noption:\n\n name_format = hostname\n\n The audit daemon must be restarted for changes to take effect." }, "impact": 0.5, "refs": [ 
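Review bot: The applicability guard in the new SV-230333 code, `(os.release.to_f) >= 8.2`, parses the release string as a float, so a host reporting release "8.10" evaluates to 8.1 and the whole lockout check is silently marked Not Applicable (impact 0.0) on exactly the newest 8.x systems. Compare versions component-wise instead, e.g. `Gem::Version.new(os.release) >= Gem::Version.new('8.2')`, assuming `os.release` yields the bare "8.x" string as it appears to here. Since this file is an exported baseline, the correction belongs in `./Red Hat 8 STIG/controls/SV-230333.rb` named by source_location in this hunk, with the JSON regenerated afterwards.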
@@ -2148,70 +2145,70 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230385", - "rid": "SV-230385r792902_rule", - "stig_id": "RHEL-08-020353", - "fix_id": "F-33029r792901_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "gid": "V-230394", + "rid": "SV-230394r877390_rule", + "stig_id": "RHEL-08-030062", + "fix_id": "F-33038r567929_fix", "cci": [ - "CCI-000366" + "CCI-001851" ], "nist": [ - "CM-6 b" + "AU-4 (1)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230385' do\n title 'RHEL 8 must define default permissions for logon and non-logon shells.'\n desc 'The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.'\n desc 'check', 'Verify that the umask default for installed shells is \"077\".\n\nCheck for the value of the \"UMASK\" parameter in the \"/etc/bashrc\", \"/etc/csh.cshrc\" and \"/etc/profile\" files with the following command:\n\nNote: If the value of the \"UMASK\" parameter is set to \"000\" in the \"/etc/bashrc\" the \"/etc/csh.cshrc\" or the \"/etc/profile\" files, the Severity is raised to a CAT I.\n\n# grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile\n\n/etc/bashrc: umask 077\n/etc/bashrc: umask 077\n/etc/csh.cshrc: umask 077\n/etc/csh.cshrc: umask 077\n/etc/profile: umask 077\n/etc/profile: umask 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their 
own files.\n\nAdd or edit the lines for the \"UMASK\" parameter in the \"/etc/bashrc\", \"/etc/csh.cshrc\" and \"/etc/profile\"files to \"077\":\n\nUMASK 077'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230385'\n tag rid: 'SV-230385r792902_rule'\n tag stig_id: 'RHEL-08-020353'\n tag fix_id: 'F-33029r792901_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n umask_regexp = /umask\\s*(?\\d\\d\\d)/\n\n bashrc_umask = file('/etc/bashrc').content.match(umask_regexp)[:umask_code]\n cshrc_umask = file('/etc/csh.cshrc').content.match(umask_regexp)[:umask_code]\n profile_umask = file('/etc/profile').content.match(umask_regexp)[:umask_code]\n\n if bashrc_umask == '000' || cshrc_umask == '000'\n impact 0.7\n tag severity: 'high'\n end\n\n describe 'umask value defined in /etc/bashrc' do\n subject { bashrc_umask }\n it { should cmp input('permissions_for_shells')['bashrc_umask'] }\n end\n describe 'umask value defined in /etc/csh.cshrc' do\n subject { cshrc_umask }\n it { should cmp input('permissions_for_shells')['cshrc_umask'] }\n end\n describe 'umask value defined in /etc/profile' do\n subject { profile_umask }\n it { should cmp input('permissions_for_shells')['profile_umask'] }\n end\nend\n", + "code": "control 'SV-230394' do\n title 'RHEL 8 must label all off-loaded audit logs before sending them to the\ncentral log server.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules 
invoked.\n\n Enriched logging is needed to determine who, what, and when events occur on\na system. Without this, determining root cause of an event will be much more\ndifficult.\n\n When audit logs are not labeled before they are sent to a central log\nserver, the audit data will not be able to be analyzed and tied back to the\ncorrect system.'\n desc 'check', 'Verify the RHEL 8 Audit Daemon is configured to label all off-loaded audit\nlogs, with the following command:\n\n $ sudo grep \"name_format\" /etc/audit/auditd.conf\n\n name_format = hostname\n\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\",\nor the line is commented out, this is a finding.'\n desc 'fix', 'Edit the /etc/audit/auditd.conf file and add or update the \"name_format\"\noption:\n\n name_format = hostname\n\n The audit daemon must be restarted for changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag gid: 'V-230394'\n tag rid: 'SV-230394r877390_rule'\n tag stig_id: 'RHEL-08-030062'\n tag fix_id: 'F-33038r567929_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('name_format') { should match(/^hostname$|^fqd$|^numeric$/i) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230385.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230394.rb", "line": 1 }, - "id": "SV-230385" + "id": "SV-230394" }, { - "title": "RHEL 8 must use a separate file system for /var/log.", - "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "title": "RHEL 8 user account passwords must be configured so that existing\npasswords are restricted to a 60-day maximum lifetime.", 
+ "desc": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", - "check": "Verify that a separate file system has been created for \"/var/log\".\n\nCheck that a file system has been created for \"/var/log\" with the following command:\n\n $ sudo grep /var/log /etc/fstab\n\n /dev/mapper/... /var/log xfs defaults,nodev,noexec,nosuid 0 0\n\nIf a separate entry for \"/var/log\" is not in use, this is a finding.", - "fix": "Migrate the \"/var/log\" path onto a separate file system." + "default": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.", + "check": "Check whether the maximum time period for existing passwords is restricted\nto 60 days with the following commands:\n\n $ sudo awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\n $ sudo awk -F: '$5 <= 0 {print $1 \" \" $5}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.", + "fix": "Configure non-compliant accounts to enforce a 60-day maximum password\nlifetime restriction.\n\n $ sudo chage -M 60 [user]" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230293", - "rid": "SV-230293r902720_rule", - "stig_id": "RHEL-08-010541", - "fix_id": "F-32937r567626_fix", + "severity": "medium", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": "V-230367", + "rid": "SV-230367r627750_rule", + "stig_id": "RHEL-08-020210", + "fix_id": "F-33011r567848_fix", "cci": [ - "CCI-000366" + "CCI-000199" ], "nist": [ - "CM-6 b" + "IA-5 (1) (d)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230293' do\n title 'RHEL 8 must use a separate file system for /var/log.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system has been created for \"/var/log\".\n\nCheck that a file system has been created for \"/var/log\" with the following command:\n\n $ sudo grep /var/log /etc/fstab\n\n /dev/mapper/... 
/var/log xfs defaults,nodev,noexec,nosuid 0 0\n\nIf a separate entry for \"/var/log\" is not in use, this is a finding.'\n desc 'fix', 'Migrate the \"/var/log\" path onto a separate file system.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230293'\n tag rid: 'SV-230293r902720_rule'\n tag stig_id: 'RHEL-08-010541'\n tag fix_id: 'F-32937r567626_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe mount('/var/log') do\n it { should be_mounted }\n end\n\n describe etc_fstab.where { mount_point == '/var/log' } do\n it { should exist }\n end\nend\n", + "code": "control 'SV-230367' do\n title 'RHEL 8 user account passwords must be configured so that existing\npasswords are restricted to a 60-day maximum lifetime.'\n desc 'Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.'\n desc 'check', %q(Check whether the maximum time period for existing passwords is restricted\nto 60 days with the following commands:\n\n $ sudo awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\n $ sudo awk -F: '$5 <= 0 {print $1 \" \" $5}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.)\n desc 'fix', 'Configure non-compliant accounts to enforce a 60-day maximum password\nlifetime restriction.\n\n $ sudo chage -M 60 [user]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-230367'\n tag rid: 'SV-230367r627750_rule'\n tag stig_id: 'RHEL-08-020210'\n tag fix_id: 'F-33011r567848_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag 'host'\n tag 'container'\n\n value = input('pass_max_days')\n\n bad_users = users.where { uid >= 1000 }.where { value > 60 or maxdays.negative? 
}.usernames\n in_scope_users = bad_users - input('exempt_home_users')\n\n describe 'Users are not be able' do\n it \"to retain passwords for more then #{value} day(s)\" do\n failure_message = \"The following users can update their password more then every #{value} day(s): #{in_scope_users.join(', ')}\"\n expect(in_scope_users).to be_empty, failure_message\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230293.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230367.rb", "line": 1 }, - "id": "SV-230293" + "id": "SV-230367" }, { - "title": "All RHEL 8 world-writable directories must be owned by root, sys, bin,\nor an application user.", - "desc": "If a world-writable directory is not owned by root, sys, bin, or an\napplication User Identifier (UID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "title": "RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.", + "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\n RHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", "descriptions": { - "default": "If a world-writable directory is not owned by root, sys, bin, or an\napplication User Identifier (UID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", - "check": "The following command will discover and print world-writable directories\nthat are not owned by a system account, given the assumption that only system\naccounts have a uid lower than 1000. Run it once for each local partition\n[PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\n If there is output, this is a finding.", - "fix": "All directories in local partitions which are world-writable\nshould be owned by root or another system account. If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup." + "default": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\n RHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", + "check": "Verify the operating system is configured in the password-auth file to prohibit password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/password-auth\" with the following command:\n\n $ sudo grep -i remember /etc/pam.d/password-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", + "fix": "Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3" }, "impact": 0.5, "refs": [ 
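Review bot: The user filter in the new SV-230367 code, `users.where { uid >= 1000 }.where { value > 60 or maxdays.negative? }`, compares the input constant `value` instead of each account's `maxdays`, so the condition is identical for every user and an over-long password lifetime is never reported unless maxdays happens to be negative. The check text in the same hunk also treats `$5 <= 0` as a finding, so a zero lifetime should be flagged as well, e.g. `.where { maxdays > value || maxdays <= 0 }` (guarding for a nil maxdays if the users resource can return one for accounts without an expiry). The describe and failure strings `'Users are not be able'` and `more then` also carry typos. As this JSON is an exported baseline, the correction belongs in `./Red Hat 8 STIG/controls/SV-230367.rb` named by source_location, with the file regenerated afterwards.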
@@ -2221,36 +2218,36 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230318", - "rid": "SV-230318r743960_rule", - "stig_id": "RHEL-08-010700", - "fix_id": "F-32962r567701_fix", + "gtitle": "SRG-OS-000077-GPOS-00045", + "gid": "V-230368", + "rid": "SV-230368r902759_rule", + "stig_id": "RHEL-08-020220", + "fix_id": "F-33012r902757_fix", "cci": [ - "CCI-000366" + "CCI-000200" ], "nist": [ - "CM-6 b" + "IA-5 (1) (e)" ], "host": null, "container": null }, - "code": "control 'SV-230318' do\n title 'All RHEL 8 world-writable directories must be owned by root, sys, bin,\nor an application user.'\n desc 'If a world-writable directory is not owned by root, sys, bin, or an\napplication User Identifier (UID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories\nthat are not owned by a system account, given the assumption that only system\naccounts have a uid lower than 1000. Run it once for each local partition\n[PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable\nshould be owned by root or another system account. 
If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230318'\n tag rid: 'SV-230318r743960_rule'\n tag stig_id: 'RHEL-08-010700'\n tag fix_id: 'F-32962r567701_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'\n end\n else\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n cmd = \"find #{partitions.join(' ')} -xdev -type d -perm -0002 -uid +999 -print\"\n failing_dirs = command(cmd).stdout.split(\"\\n\").uniq\n\n describe 'Any world-writeable directories' do\n it 'should be owned by system accounts' do\n expect(failing_dirs).to be_empty, \"Failing directories:\\n\\t- #{failing_dirs.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230368' do\n title 'RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.'\n desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\n RHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.'\n desc 'check', 'Verify the operating system is configured in the password-auth file to prohibit password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/password-auth\" with the following command:\n\n $ sudo grep -i remember /etc/pam.d/password-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.'\n desc 'fix', 'Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000077-GPOS-00045'\n tag gid: 'V-230368'\n tag rid: 'SV-230368r902759_rule'\n tag stig_id: 'RHEL-08-020220'\n tag fix_id: 'F-33012r902757_fix'\n tag cci: ['CCI-000200']\n tag nist: ['IA-5 (1) (e)']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('password (required|requisite|sufficient) pam_pwhistory.so').any_with_integer_arg('remember', '>=', input('min_reuse_generations')) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230318.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230368.rb", "line": 1 }, - "id": "SV-230318" + "id": "SV-230368" }, { - "title": "Successful/unsuccessful modifications to the lastlog file in RHEL 8\nmust generate an audit record.", - 
"desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "RHEL 8 must require the maximum number of repeating characters be\nlimited to three when passwords are changed.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"maxrepeat\" option sets the maximum number of allowed same\nconsecutive characters in a new password.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w lastlog /etc/audit/audit.rules\n\n -w /var/log/lastlog -p wa 
-k logins\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"lastlog\" file by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -w /var/log/lastlog -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect." - }, - "impact": 0.5, + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"maxrepeat\" option sets the maximum number of allowed same\nconsecutive characters in a new password.", + "check": "Check for the value of the \"maxrepeat\" option with the following command:\n\n$ sudo grep -r maxrepeat /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:maxrepeat = 3\n\nIf the value of \"maxrepeat\" is set to more than \"3\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the \"maxrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nmaxrepeat = 3\n\nRemove any configurations that conflict with the above value." + }, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" 
@@ -2258,43 +2255,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000473-GPOS-00218" - ], - "gid": "V-230467", - "rid": "SV-230467r627750_rule", - "stig_id": "RHEL-08-030600", - "fix_id": "F-33111r568148_fix", + "gtitle": "SRG-OS-000072-GPOS-00040", + "gid": "V-230361", + "rid": "SV-230361r858779_rule", + "stig_id": "RHEL-08-020150", + "fix_id": "F-33005r858778_fix", "cci": [ - "CCI-000169" + "CCI-000195" ], "nist": [ - "AU-12 a" + "IA-5 (1) (b)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230467' do\n title 'Successful/unsuccessful modifications to the lastlog file in RHEL 8\nmust generate an audit record.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w lastlog /etc/audit/audit.rules\n\n -w /var/log/lastlog -p wa -k logins\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"lastlog\" file by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -w /var/log/lastlog -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 
'SRG-OS-000471-GPOS-00215', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-230467'\n tag rid: 'SV-230467r627750_rule'\n tag stig_id: 'RHEL-08-030600'\n tag fix_id: 'F-33111r568148_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/var/log/lastlog'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230361' do\n title 'RHEL 8 must require the maximum number of repeating characters be\nlimited to three when passwords are changed.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"maxrepeat\" option sets the maximum number of allowed same\nconsecutive characters in a new password.'\n desc 'check', 'Check for the value of the \"maxrepeat\" option with the following command:\n\n$ sudo grep -r maxrepeat /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:maxrepeat = 3\n\nIf the value of \"maxrepeat\" is set to more than \"3\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the \"maxrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nmaxrepeat = 3\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-230361'\n tag rid: 'SV-230361r858779_rule'\n tag stig_id: 'RHEL-08-020150'\n tag fix_id: 'F-33005r858778_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host'\n tag 'container'\n\n value = input('maxrepeat')\n setting = 'maxrepeat'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to more than #{value}\" do\n expect(setting_value.first.to_i).to be <= value.to_i, \"#{setting} is set to a value greater than #{value} in pwquality.conf\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230467.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230361.rb", "line": 1 }, - "id": "SV-230467" + "id": "SV-230361" }, { - "title": "RHEL 8 must ensure the password complexity module is enabled in the system-auth file.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", + "title": "RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", - "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n\nCheck for the use of \"pwquality\" in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so" + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Check that the system locks an account after three unsuccessful logon\nattempts with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\") on the\n\"preauth\" line with the \"pam_faillock.so\" module, or is missing from this\nline, this is a finding.\n\n If any line referencing the \"pam_faillock.so\" module is commented out,\nthis is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\") on the\n\"preauth\" line with the \"pam_faillock.so\" module, or is missing from this\nline, this is a finding.\n\n If any line referencing the \"pam_faillock.so\" module is 
commented out,\nthis is a finding.", + "fix": "Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" }, "impact": 0.5, "refs": [ 
@@ -2303,37 +2291,39 @@ } ], "tags": { - "check_id": "C-55150r902738_chk", "severity": "medium", - "gid": "V-251713", - "rid": "SV-251713r902740_rule", - "stig_id": "RHEL-08-020101", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-55104r902739_fix", - "documentable": null, + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-230332", + "rid": "SV-230332r627750_rule", + "stig_id": "RHEL-08-020010", + "fix_id": "F-32976r567743_fix", "cci": [ - "CCI-000366" + "CCI-000044" ], "nist": [ - "CM-6 b" + "AC-7 a" ], "host": null, "container": null }, - "code": "control 'SV-251713' do\n title 'RHEL 8 must ensure the password complexity module is enabled in the system-auth file.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth'\n desc 'check', 'Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n\nCheck for the use of \"pwquality\" in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55150r902738_chk'\n tag severity: 'medium'\n tag gid: 'V-251713'\n tag rid: 'SV-251713r902740_rule'\n tag stig_id: 'RHEL-08-020101'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55104r902739_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n [pam_auth_files['password-auth'], pam_auth_files['system-auth']].each do |path|\n describe pam(path) do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so') }\n end\n end\nend\n", + "code": "control 'SV-230332' do\n title 'RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the system locks an account after three unsuccessful logon\nattempts with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\") on the\n\"preauth\" line with the \"pam_faillock.so\" module, or is missing from this\nline, this is a finding.\n\n If any line referencing the \"pam_faillock.so\" module is commented out,\nthis is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\") on the\n\"preauth\" line with the \"pam_faillock.so\" module, or is missing from this\nline, this is a finding.\n\n If any line referencing the \"pam_faillock.so\" module 
is commented out,\nthis is a finding.'\n desc 'fix', 'Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230332'\n tag rid: 'SV-230332r627750_rule'\n tag stig_id: 'RHEL-08-020010'\n tag fix_id: 'F-32976r567743_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n unsuccessful_attempts = input('unsuccessful_attempts')\n pam_auth_files = input('pam_auth_files')\n\n only_if('This system uses Centralized Account Management to manage this requirement', impact: 0.0) {\n !input('central_account_management')\n }\n\n if os.release.to_f >= 8.2\n impact 0.0\n describe 'This requirement only applies to RHEL 8 version(s) 8.0 and 8.1' do\n skip \"Currently on release #{os.release}, this control is Not Applicable.\"\n end\n else\n [\n pam_auth_files['password-auth'],\n pam_auth_files['system-auth']\n ].each do |path|\n describe pam(path) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_integer_arg('deny',\n '<=', unsuccessful_attempts)\n }\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_integer_arg('deny',\n '>=', 0)\n 
}\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251713.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230332.rb", "line": 1 }, - "id": "SV-251713" + "id": "SV-230332" }, { - "title": "RHEL 8 must have the tmux package installed.", - "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. Red Hat endorses tmux\nas the recommended session controlling package.", + "title": "The RHEL 8 Information System Security Officer (ISSO) and System\nAdministrator (SA) (at a minimum) must have mail aliases to be notified of an\naudit processing failure.", + "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.", - "check": "Verify RHEL 8 has the \"tmux\" package installed, by running the following\ncommand:\n\n $ sudo yum list installed tmux\n\n tmux.x86.64 2.7-1.el8\n@repository\n\n If \"tmux\" is not installed, this is a finding.", - "fix": "Configure the operating system to enable a user to initiate a session lock\nvia tmux.\n\n Install the \"tmux\" package, if it is not already installed, by running\nthe following command:\n\n $ sudo yum install tmux" + "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "check": "Verify that the administrators are notified in the event of an audit\nprocessing failure.\n\n Check that the \"/etc/aliases\" file has a defined value for \"root\".\n\n $ sudo grep \"postmaster:\\s*root$\" /etc/aliases\n\n If the command does not return a line, or the line is commented out, ask\nthe system administrator to indicate how they and the ISSO are notified of an\naudit process failure. If there is no evidence of the proper personnel being\nnotified of an audit processing failure, this is a finding.", + "fix": "Configure RHEL 8 to notify administrators in the event of an audit\nprocessing failure.\n\n Add/update the following line in \"/etc/aliases\":\n\n postmaster: root" }, "impact": 0.5, "refs": [ 
@@ -2343,74 +2333,70 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000028-GPOS-00009", - "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000030-GPOS-00011" - ], - "gid": "V-244537", - "rid": "SV-244537r743860_rule", - "stig_id": "RHEL-08-020039", - "fix_id": "F-47769r743859_fix", + "gtitle": "SRG-OS-000046-GPOS-00022", + "gid": "V-230389", + "rid": "SV-230389r627750_rule", + "stig_id": "RHEL-08-030030", + "fix_id": "F-33033r567914_fix", "cci": [ - "CCI-000056" + "CCI-000139" ], "nist": [ - "AC-11 b" + "AU-5 a" ], "host": null }, - "code": "control 'SV-244537' do\n title 'RHEL 8 must have the tmux package installed.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.'\n desc 'check', 'Verify RHEL 8 has the \"tmux\" package installed, by running the following\ncommand:\n\n $ sudo yum list installed tmux\n\n tmux.x86.64 2.7-1.el8\n@repository\n\n If \"tmux\" is not installed, this is a finding.'\n desc 'fix', 'Configure the operating system to enable a user to initiate a session lock\nvia tmux.\n\n Install the \"tmux\" package, if it is not already installed, by running\nthe following command:\n\n $ sudo yum install tmux'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-244537'\n tag rid: 'SV-244537r743860_rule'\n tag stig_id: 'RHEL-08-020039'\n tag fix_id: 'F-47769r743859_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe package('tmux') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-230389' do\n title 'The RHEL 8 Information System Security Officer (ISSO) and System\nAdministrator (SA) (at a minimum) must have mail aliases to be notified of an\naudit processing failure.'\n desc 'It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.'\n desc 'check', 'Verify that the administrators are notified in the event of an audit\nprocessing failure.\n\n Check that the \"/etc/aliases\" file has a defined value for \"root\".\n\n $ sudo grep \"postmaster:\\\\s*root$\" /etc/aliases\n\n If the command does not return a line, or the line is commented out, ask\nthe system administrator to indicate how they and the ISSO are notified of an\naudit process failure. 
If there is no evidence of the proper personnel being\nnotified of an audit processing failure, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to notify administrators in the event of an audit\nprocessing failure.\n\n Add/update the following line in \"/etc/aliases\":\n\n postmaster: root'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000046-GPOS-00022'\n tag gid: 'V-230389'\n tag rid: 'SV-230389r627750_rule'\n tag stig_id: 'RHEL-08-030030'\n tag fix_id: 'F-33033r567914_fix'\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n alternative_logging = input('alternative_logging')\n\n if alternative_logging == true\n describe 'Alternative logging' do\n it 'should handle sysadmin and ISSO notification' do\n expect(alternative_logging).to eq(true)\n end\n end\n else\n describe command('grep \"postmaster:\\s*root$\" /etc/aliases') do\n its('stdout.strip') { should match(/postmaster:\\s*root/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244537.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230389.rb", "line": 1 }, - "id": "SV-244537" + "id": "SV-230389" }, { - "title": "RHEL 8 must not have the telnet-server package installed.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n The telnet service provides an unencrypted remote access service that does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", + "title": "RHEL 8 must ensure the SSH server uses strong entropy.", + "desc": "The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The SSH implementation in RHEL8 uses the OPENSSL library, which does not\nuse high-entropy sources by default. 
By using the SSH_USE_STRONG_RNG\nenvironment variable the OPENSSL random generator is reseeded from /dev/random.\n This setting is not recommended on computers without the hardware random\ngenerator because insufficient entropy causes the connection to be blocked\nuntil enough entropy is available.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n The telnet service provides an unencrypted remote access service that does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", - "check": "Check to see if the telnet-server package is installed with the following\ncommand:\n\n $ sudo yum list installed telnet-server\n\n If the telnet-server package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by\nremoving the telnet-server package from the system with the following command:\n\n $ sudo yum remove telnet-server" + "default": "The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The SSH implementation in RHEL8 uses the OPENSSL library, which does not\nuse high-entropy sources by default. 
By using the SSH_USE_STRONG_RNG\nenvironment variable the OPENSSL random generator is reseeded from /dev/random.\n This setting is not recommended on computers without the hardware random\ngenerator because insufficient entropy causes the connection to be blocked\nuntil enough entropy is available.", + "check": "Verify the operating system SSH server uses strong entropy with the\nfollowing command:\n\n Note: If the operating system is RHEL versions 8.0 or 8.1, this requirement\nis not applicable.\n\n $ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd\n\n SSH_USE_STRONG_RNG=32\n\n If the \"SSH_USE_STRONG_RNG\" line does not equal \"32\", is commented out\nor missing, this is a finding.", + "fix": "Configure the operating system SSH server to use strong entropy.\n\nAdd or modify the following line in the \"/etc/sysconfig/sshd\" file.\n\nSSH_USE_STRONG_RNG=32\n\nThe SSH service must be restarted for changes to take effect." }, - "impact": 0.7, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230487", - "rid": "SV-230487r627750_rule", - "stig_id": "RHEL-08-040000", - "fix_id": "F-33131r568208_fix", + "severity": "low", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230253", + "rid": "SV-230253r627750_rule", + "stig_id": "RHEL-08-010292", + "fix_id": "F-32897r567506_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a" + "CM-6 b" ], "host": null, - "container": null + "container-conditional": null }, - "code": "control 'SV-230487' do\n title 'RHEL 8 must not have the telnet-server package installed.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n The telnet service provides an unencrypted remote access service that does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.'\n desc 'check', 'Check to see if the telnet-server package is installed with the following\ncommand:\n\n $ sudo yum list installed telnet-server\n\n If the telnet-server package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by\nremoving the telnet-server package from the system with the following command:\n\n $ sudo yum remove telnet-server'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230487'\n tag rid: 'SV-230487r627750_rule'\n tag stig_id: 'RHEL-08-040000'\n tag fix_id: 'F-33131r568208_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n describe package('telnet-server') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-230253' do\n title 'RHEL 8 must ensure the SSH server 
uses strong entropy.'\n desc 'The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The SSH implementation in RHEL8 uses the OPENSSL library, which does not\nuse high-entropy sources by default. By using the SSH_USE_STRONG_RNG\nenvironment variable the OPENSSL random generator is reseeded from /dev/random.\n This setting is not recommended on computers without the hardware random\ngenerator because insufficient entropy causes the connection to be blocked\nuntil enough entropy is available.'\n desc 'check', 'Verify the operating system SSH server uses strong entropy with the\nfollowing command:\n\n Note: If the operating system is RHEL versions 8.0 or 8.1, this requirement\nis not applicable.\n\n $ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd\n\n SSH_USE_STRONG_RNG=32\n\n If the \"SSH_USE_STRONG_RNG\" line does not equal \"32\", is commented out\nor missing, this is a finding.'\n desc 'fix', 'Configure the operating system SSH server to use strong entropy.\n\nAdd or modify the following line in the \"/etc/sysconfig/sshd\" file.\n\nSSH_USE_STRONG_RNG=32\n\nThe SSH service must be restarted for changes to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230253'\n tag rid: 'SV-230253r627750_rule'\n tag stig_id: 'RHEL-08-010292'\n tag fix_id: 'F-32897r567506_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {\n 
!(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)\n }\n\n describe parse_config_file('/etc/sysconfig/sshd') do\n its('SSH_USE_STRONG_RNG') { should cmp 32 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230487.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230253.rb", "line": 1 }, - "id": "SV-230487" + "id": "SV-230253" }, { - "title": "All RHEL 8 local initialization files must have mode 0740 or less\npermissive.", - "desc": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", + "title": "RHEL 8 must restrict privilege elevation to authorized personnel.", + "desc": "The sudo command allows a user to execute programs with elevated\n(administrator) privileges. It prompts the user for their password and confirms\nyour request to execute a command by checking a file, called sudoers. If the\n\"sudoers\" file is not configured correctly, any user defined on the system\ncan initiate privileged actions on the target system.", "descriptions": { - "default": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", - "check": "Verify that all local initialization files have a mode of \"0740\" or less permissive with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n $ sudo ls -al /home/smithj/.[^.]* | more\n\n -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history\n -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout\n -rw-r--r--. 
1 smithj users 193 Aug 21 2019 .bash_profile\n\nIf any local initialization files have a mode more permissive than \"0740\", this is a finding.", - "fix": "Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n $ sudo chmod 0740 /home/smithj/." + "default": "The sudo command allows a user to execute programs with elevated\n(administrator) privileges. It prompts the user for their password and confirms\nyour request to execute a command by checking a file, called sudoers. If the\n\"sudoers\" file is not configured correctly, any user defined on the system\ncan initiate privileged actions on the target system.", + "check": "Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL", + "fix": "Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL" }, "impact": 0.5, "refs": [ @@ -2421,10 +2407,10 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230325", - "rid": "SV-230325r917879_rule", - "stig_id": "RHEL-08-010770", - "fix_id": "F-32969r917878_fix", + "gid": "V-237641", + "rid": "SV-237641r646893_rule", + "stig_id": "RHEL-08-010382", + "fix_id": "F-40823r646892_fix", "cci": [ "CCI-000366" ], 
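Review bot: The `/etc/aliases` test in SV-230389 accepts a commented-out alias: neither `grep "postmaster:\s*root$"` nor `should match(/postmaster:\s*root/)` is anchored at the start of the line, so `#postmaster: root` satisfies the control even though the check text calls a commented-out line a finding. Anchor both sides, e.g. `command('grep -E "^[[:space:]]*postmaster:[[:space:]]*root[[:space:]]*$" /etc/aliases')` with `its('stdout.strip') { should match(/^postmaster:\s*root$/) }`. The `alternative_logging` branch only asserts `expect(alternative_logging).to eq(true)` inside `if alternative_logging == true`, so setting that input passes the control with no evidence collected; at minimum document in the control that this input is an attestation-only override. SV-230253's check text exempts RHEL 8.0 and 8.1, but its InSpec code has no `os.release` guard, so those hosts will fail rather than be reported as not applicable. If this JSON is exported from the profile, these fixes belong in the `.rb` controls named in `source_location`.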
@@ -2433,20 +2419,20 @@ ], "host": null }, - "code": "control 'SV-230325' do\n title 'All RHEL 8 local initialization files must have mode 0740 or less\npermissive.'\n desc \"Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.\"\n desc 'check', 'Verify that all local initialization files have a mode of \"0740\" or less permissive with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n $ sudo ls -al /home/smithj/.[^.]* | more\n\n -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history\n -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout\n -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile\n\nIf any local initialization files have a mode more permissive than \"0740\", this is a finding.'\n desc 'fix', 'Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n $ sudo chmod 0740 /home/smithj/.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230325'\n tag rid: 'SV-230325r917879_rule'\n tag stig_id: 'RHEL-08-010770'\n tag fix_id: 'F-32969r917878_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n ignore_shells = input('non_interactive_shells').join('|')\n\n homedirs = users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid.zero?) 
}.homes\n ifiles = command(\"find #{homedirs.join(' ')} -xdev -maxdepth 1 -name '.*' -type f\").stdout.split(\"\\n\")\n\n expected_mode = input('initialization_file_mode')\n failing_files = ifiles.select { |ifile| file(ifile).more_permissive_than?(expected_mode) }\n\n describe 'All RHEL 8 local initialization files' do\n it \"must have mode '#{expected_mode}' or less permissive\" do\n expect(failing_files).to be_empty, \"Failing files:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-237641' do\n title 'RHEL 8 must restrict privilege elevation to authorized personnel.'\n desc 'The sudo command allows a user to execute programs with elevated\n(administrator) privileges. It prompts the user for their password and confirms\nyour request to execute a command by checking a file, called sudoers. If the\n\"sudoers\" file is not configured correctly, any user defined on the system\ncan initiate privileged actions on the target system.'\n desc 'check', %q(Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL)\n desc 'fix', 'Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-237641'\n tag rid: 'SV-237641r646893_rule'\n tag stig_id: 'RHEL-08-010382'\n tag fix_id: 'F-40823r646892_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers without sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n bad_sudoers_rules = sudoers(input('sudoers_config_files').join(' ')).rules.where {\n users == 'ALL' &&\n hosts == 'ALL' &&\n run_as.start_with?('ALL') &&\n 
commands == 'ALL'\n }\n\n describe 'Sudoers file(s)' do\n it 'should not contain any unrestricted sudo rules' do\n expect(bad_sudoers_rules.entries).to be_empty, \"Unrestricted sudo rules found; check sudoers file(s):\\n\\t- #{input('sudoers_config_files').join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230325.rb", + "ref": "./Red Hat 8 STIG/controls/SV-237641.rb", "line": 1 }, - "id": "SV-230325" + "id": "SV-237641" }, { - "title": "RHEL 8 audit tools must be owned by root.", - "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "title": "Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). 
The \"chmod\" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nThe \"fchmod\" system call is used to change permissions of a file.\nThe \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.", - "check": "Verify the audit tools are owned by \"root\" to prevent any unauthorized\naccess, deletion, or modification.\n\n Check the owner of each audit tool by running the following command:\n\n $ sudo stat -c \"%U %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n root /sbin/auditctl\n root /sbin/aureport\n root /sbin/ausearch\n root /sbin/autrace\n root /sbin/auditd\n root /sbin/rsyslogd\n root /sbin/augenrules\n\n If any of the audit tools are not owned by \"root\", this is a finding.", - "fix": "Configure the audit tools to be owned by \"root\", by running the following\ncommand:\n\n $ sudo chown root [audit_tool]\n\n Replace \"[audit_tool]\" with each audit tool not owned by \"root\"." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nThe \"fchmod\" system call is used to change permissions of a file.\nThe \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.", + "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n\nIf the command does not return an audit rule for \"chmod\", \"fchmod\", and \"fchmodat\", or any of the lines returned are commented out, this is a finding.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls by adding or updating the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
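Review bot: The sudoers filter in SV-237641 only flags rules whose `commands == 'ALL'`, so a rule written as `ALL ALL=(ALL) NOPASSWD: ALL` (or with other tag prefixes) may not be caught, depending on how the `sudoers` resource populates `commands` — confirm against that resource, and if tags are carried in the field, use `commands.match?(/\bALL\s*$/)` instead of the equality. The `sudoers_config_files` input is the only set of files inspected, so any path pulled in by an `@includedir`/`#includedir` directive that is not listed in the input is silently skipped; the check text's `/etc/sudoers.d/*` should at least be mirrored in that input's default, and a comment such as `# NOTE: include directives are not followed; list every sudoers file in the input` would make the limitation visible. The `source_location` refs here point at `./Red Hat 8 STIG/controls/`, so confirm these controls are landing in the intended baseline file. If this JSON is exported from the InSpec profile, the change belongs in `SV-237641.rb`.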
@@ -2456,39 +2442,43 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000256-GPOS-00097",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
 "satisfies": [
- "SRG-OS-000256-GPOS-00097",
- "SRG-OS-000257-GPOS-00098",
- "SRG-OS-000258-GPOS-00099"
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215",
+ "SRG-OS-000064-GPOS-00033",
+ "SRG-OS-000466-GPOS-00210"
 ],
- "gid": "V-230473",
- "rid": "SV-230473r744008_rule",
- "stig_id": "RHEL-08-030630",
- "fix_id": "F-33117r568166_fix",
+ "gid": "V-230456",
+ "rid": "SV-230456r810462_rule",
+ "stig_id": "RHEL-08-030490",
+ "fix_id": "F-33100r809310_fix",
 "cci": [
- "CCI-001493"
+ "CCI-000169"
 ],
 "nist": [
- "AU-9",
- "AU-9 a"
+ "AU-12 a"
 ],
 "host": null
 },
- "code": "control 'SV-230473' do\n title 'RHEL 8 audit tools must be owned by root.'\n desc 'Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.'\n desc 'check', 'Verify the audit tools are owned by \"root\" to prevent any unauthorized\naccess, deletion, or modification.\n\n Check the owner of each audit tool by running the following command:\n\n $ sudo stat -c \"%U %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n root /sbin/auditctl\n root /sbin/aureport\n root /sbin/ausearch\n root /sbin/autrace\n root /sbin/auditd\n root /sbin/rsyslogd\n root /sbin/augenrules\n\n If any of the audit tools are not owned by \"root\", this is a finding.'\n desc 'fix', 'Configure the audit tools to be owned by \"root\", by running the following\ncommand:\n\n $ sudo chown root [audit_tool]\n\n Replace \"[audit_tool]\" with each audit tool not owned by \"root\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000256-GPOS-00097'\n tag satisfies: ['SRG-OS-000256-GPOS-00097', 'SRG-OS-000257-GPOS-00098', 'SRG-OS-000258-GPOS-00099']\n tag gid: 'V-230473'\n tag rid: 'SV-230473r744008_rule'\n tag stig_id: 'RHEL-08-030630'\n tag fix_id: 'F-33117r568166_fix'\n tag cci: ['CCI-001493']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_tools = ['/sbin/auditctl', '/sbin/aureport', '/sbin/ausearch', '/sbin/autrace', '/sbin/auditd', '/sbin/rsyslogd', '/sbin/augenrules']\n\n failing_tools = audit_tools.reject { |at| file(at).owned_by?('root') }\n\n describe 'Audit executables' do\n it 'should be owned by root' do\n expect(failing_tools).to be_empty, \"Failing tools:\\n\\t- #{failing_tools.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230456' do\n title 'Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are 
specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nThe \"fchmod\" system call is used to change permissions of a file.\nThe \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
Performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', 'Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n\nIf the command does not return an audit rule for \"chmod\", \"fchmod\", and \"fchmodat\", or any of the lines returned are commented out, this is a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls by adding or updating the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000064-GPOS-00033', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230456'\n tag rid: 'SV-230456r810462_rule'\n tag stig_id: 'RHEL-08-030490'\n tag fix_id: 'F-33100r809310_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['chmod', 'fchmod', 'fchmodat']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n 
audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230473.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230456.rb", "line": 1 }, - "id": "SV-230473" + "id": "SV-230456" }, { - "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "RHEL 8 network interfaces must not be in promiscuous mode.", + "desc": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow them to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/group /etc/audit/audit.rules\n\n -w /etc/group -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/group -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow them to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", + "check": "Verify network interfaces are not in promiscuous mode unless approved by\nthe ISSO and documented.\n\n Check for the status with the following command:\n\n $ sudo ip link | grep -i promisc\n\n If network interfaces are found on the system in promiscuous mode and their\nuse has not been approved by the ISSO and documented, this is a finding.", + "fix": "Configure network interfaces to turn off promiscuous mode unless approved\nby the ISSO and documented.\n\n Set the promiscuous mode of an interface to off with the following command:\n\n $ sudo ip link set dev multicast off promisc off" }, "impact": 0.5, "refs": [ 
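Review bot: The expectation `expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')` in the new SV-230456 code matches the `-1` spelling while the control's own check and fix text specify `auid!=unset`; the test evidently relies on the auditd resource reporting the loaded ruleset in its normalized form rather than the text of audit.rules, and that deserves a comment such as `# the loaded ruleset reports auid!=unset as auid!=-1; match the normalized form` so a later reader does not "correct" it back to `unset` and break the test. The key assertion `include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])` becomes `include(nil)` when neither input maps the syscall, which fails with a message that blames the target host rather than the profile inputs; hoisting the lookup into `expected_key = input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall]` and asserting `expect(expected_key).not_to be_nil` before `expect(audit_rule.key.uniq).to include(expected_key)` makes a misconfigured input obvious. The control object whose tags and code change here begins in the previous hunk.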
@@ -2498,55 +2488,35 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000062-GPOS-00031",
- "satisfies": [
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000004-GPOS-00004",
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000304-GPOS-00121",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000470-GPOS-00214",
- "SRG-OS-000471-GPOS-00215",
- "SRG-OS-000239-GPOS-00089",
- "SRG-OS-000240-GPOS-00090",
- "SRG-OS-000241-GPOS-00091",
- "SRG-OS-000303-GPOS-00120",
- "SRG-OS-000304-GPOS-00121",
- "CCI-002884",
- "SRG-OS-000466-GPOS-00210",
- "SRG-OS-000476-GPOS-00221"
- ],
- "gid": "V-230408",
- "rid": "SV-230408r627750_rule",
- "stig_id": "RHEL-08-030170",
- "fix_id": "F-33052r567971_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-230554",
+ "rid": "SV-230554r627750_rule",
+ "stig_id": "RHEL-08-040330",
+ "fix_id": "F-33198r568409_fix",
 "cci": [
- "CCI-000169"
+ "CCI-000366"
 ],
 "nist": [
- "AU-12 a"
+ "CM-6 b"
 ],
 "host": null
 },
- "code": "control 'SV-230408' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/group /etc/audit/audit.rules\n\n -w /etc/group -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a 
finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/group -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'CCI-002884', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230408'\n tag rid: 'SV-230408r627750_rule'\n tag stig_id: 'RHEL-08-030170'\n tag fix_id: 'F-33052r567971_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/group'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230554' do\n title 'RHEL 8 network interfaces must not be in promiscuous mode.'\n desc 'Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow them to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.'\n desc 'check', 'Verify network interfaces are not in promiscuous mode unless approved by\nthe ISSO and documented.\n\n Check for the status with the following command:\n\n $ sudo ip link | grep -i promisc\n\n If network interfaces are found on the system in promiscuous mode and their\nuse has not been approved by the ISSO and documented, this is a finding.'\n desc 'fix', 'Configure network interfaces to turn off promiscuous mode unless approved\nby the ISSO and documented.\n\n Set the promiscuous mode of an interface to off with the following command:\n\n $ sudo ip link set dev multicast off promisc off'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230554'\n tag rid: 'SV-230554r627750_rule'\n tag stig_id: 'RHEL-08-040330'\n tag fix_id: 'F-33198r568409_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('promiscuous_mode_permitted')\n describe command('ip link | grep -i promisc') do\n its('stdout.strip') { should_not match(/^$/) }\n end\n else\n describe command('ip link | grep -i promisc') do\n its('stdout.strip') { should match(/^$/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230408.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230554.rb", "line": 1 }, - "id": "SV-230408" + "id": "SV-230554" }, { - "title": "If the Trivial File Transfer Protocol (TFTP) server is required, the\nRHEL 8 TFTP daemon must be 
configured to operate in secure mode.", - "desc": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", + "title": "A RHEL 8 firewall must employ a deny-all, allow-by-exception policy\nfor allowing connections to other systems.", + "desc": "Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. It also permits outbound\nconnections that may facilitate exfiltration of DoD data.\n\n RHEL 8 incorporates the \"firewalld\" daemon, which allows for many\ndifferent configurations. One of these configurations is zones. Zones can be\nutilized to a deny-all, allow-by-exception approach. The default \"drop\" zone\nwill drop all incoming network packets unless it is explicitly allowed by the\nconfiguration file or is related to an outgoing network connection.", "descriptions": { - "default": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", - "check": "Verify the TFTP daemon is configured to operate in secure mode with the\nfollowing commands:\n\n $ sudo yum list installed tftp-server\n\n tftp-server.x86_64 x.x-x.el8\n\n If a TFTP server is not installed, this is Not Applicable.\n\n If a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n $ sudo grep server_args /etc/xinetd.d/tftp\n\n server_args = -s /var/lib/tftpboot\n\n If the \"server_args\" line does not have a \"-s\" option, and a\nsubdirectory is not assigned, this is a finding.", - "fix": "Configure the TFTP daemon to operate in secure mode by adding the following\nline to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n\n server_args = -s /var/lib/tftpboot" + "default": "Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. 
It also permits outbound\nconnections that may facilitate exfiltration of DoD data.\n\n RHEL 8 incorporates the \"firewalld\" daemon, which allows for many\ndifferent configurations. One of these configurations is zones. Zones can be\nutilized to a deny-all, allow-by-exception approach. The default \"drop\" zone\nwill drop all incoming network packets unless it is explicitly allowed by the\nconfiguration file or is related to an outgoing network connection.", + "check": "Verify \"firewalld\" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:\n\n $ sudo firewall-cmd --state\n running\n\n $ sudo firewall-cmd --get-active-zones\n [custom]\n interfaces: ens33\n\n $ sudo firewall-cmd --info-zone=[custom] | grep target\n target: DROP\n\nIf no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than \"DROP\", this is a finding.\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if an alternate firewall (such as iptables) is installed and in use, and how is it configured to employ a deny-all, allow-by-exception policy.\n\nIf the alternate firewall is not configured to employ a deny-all, allow-by-exception policy, this is a finding.\n\nIf no firewall is installed, this is a finding.", + "fix": "Configure the \"firewalld\" daemon to employ a deny-all, allow-by-exception with the following commands:\n\n$ sudo firewall-cmd --permanent --new-zone=[custom]\n\n$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml\n\nThis will provide a clean configuration file to work with that employs a deny-all approach. 
Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name.\n\nReload the firewall rules to make the new [custom] zone available to load:\n$ sudo firewall-cmd --reload\n\nSet the default zone to the new [custom] zone:\n$ sudo firewall-cmd --set-default-zone=[custom]\n\nNote: This is a runtime and permanent change.\nAdd any interfaces to the new [custom] zone:\n$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33\n\nReload the firewall rules for changes to take effect:\n$ sudo firewall-cmd --reload" }, - "impact": 0, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" 
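Review bot: When `input('promiscuous_mode_permitted')` is true, the new SV-230554 code asserts `its('stdout.strip') { should_not match(/^$/) }`, which fails unless at least one interface actually is in promiscuous mode; the STIG text treats ISSO approval as a reason the finding does not apply, not as a requirement that promiscuous mode be enabled, so an approved system whose interfaces are all in normal mode is reported as failing. The permitted branch should not inspect `ip link` output at all; a skip that records why the check is waived is the shape the firewall control in the next hunk uses for `external_firewall`, and it is what I would expect here. Both branches also duplicate the `describe command('ip link | grep -i promisc')` block, and `should be_empty` reads more directly than `should match(/^$/)` on a stripped string. This control object begins in the previous hunk.
```ruby
  # … unchanged: only_if container guard …

  if input('promiscuous_mode_permitted')
    describe 'Promiscuous mode' do
      skip 'Inputs indicate promiscuous mode is approved by the ISSO and documented; confirm the approval record manually.'
    end
  else
    describe command('ip link | grep -i promisc') do
      its('stdout.strip') { should be_empty }
    end
  end
```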
@@ -2554,34 +2524,34 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230557",
- "rid": "SV-230557r627750_rule",
- "stig_id": "RHEL-08-040350",
- "fix_id": "F-33201r568418_fix",
+ "gtitle": "SRG-OS-000297-GPOS-00115",
+ "gid": "V-230504",
+ "rid": "SV-230504r942942_rule",
+ "stig_id": "RHEL-08-040090",
+ "fix_id": "F-33148r942941_fix",
 "cci": [
- "CCI-000366"
+ "CCI-002314"
 ],
+ "legacy": [],
 "nist": [
- "CM-6 b"
+ "AC-17 (1)"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-230557' do\n title 'If the Trivial File Transfer Protocol (TFTP) server is required, the\nRHEL 8 TFTP daemon must be configured to operate in secure mode.'\n desc 'Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.'\n desc 'check', 'Verify the TFTP daemon is configured to operate in secure mode with the\nfollowing commands:\n\n $ sudo yum list installed tftp-server\n\n tftp-server.x86_64 x.x-x.el8\n\n If a TFTP server is not installed, this is Not Applicable.\n\n If a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n $ sudo grep server_args /etc/xinetd.d/tftp\n\n server_args = -s /var/lib/tftpboot\n\n If the \"server_args\" line does not have a \"-s\" option, and a\nsubdirectory is not assigned, this is a finding.'\n desc 'fix', 'Configure the TFTP daemon to operate in secure mode by adding the following\nline to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n\n server_args = -s /var/lib/tftpboot'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230557'\n tag rid: 'SV-230557r627750_rule'\n tag stig_id: 'RHEL-08-040350'\n tag fix_id: 'F-33201r568418_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if package('tftp-server').installed?\n impact 0.5\n describe 
command('grep server_args /etc/xinetd.d/tftp') do\n its('stdout.strip') { should match %r{^\\s*server_args\\s+=\\s+(-s|--secure)\\s(/\\S+)$} }\n end\n else\n impact 0.0\n describe 'The TFTP package is not installed' do\n skip 'If a TFTP server is not installed, this is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-230504' do\n title 'A RHEL 8 firewall must employ a deny-all, allow-by-exception policy\nfor allowing connections to other systems.'\n desc 'Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. It also permits outbound\nconnections that may facilitate exfiltration of DoD data.\n\n RHEL 8 incorporates the \"firewalld\" daemon, which allows for many\ndifferent configurations. One of these configurations is zones. Zones can be\nutilized to a deny-all, allow-by-exception approach. The default \"drop\" zone\nwill drop all incoming network packets unless it is explicitly allowed by the\nconfiguration file or is related to an outgoing network connection.'\n desc 'check', 'Verify \"firewalld\" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:\n\n $ sudo firewall-cmd --state\n running\n\n $ sudo firewall-cmd --get-active-zones\n [custom]\n interfaces: ens33\n\n $ sudo firewall-cmd --info-zone=[custom] | grep target\n target: DROP\n\nIf no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than \"DROP\", this is a finding.\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if an alternate firewall (such as iptables) is installed and in use, and how is it configured to employ a deny-all, allow-by-exception policy.\n\nIf the alternate firewall is not configured to employ a deny-all, allow-by-exception policy, this is a finding.\n\nIf no firewall is installed, this is a finding.'\n desc 'fix', 'Configure the \"firewalld\" daemon to 
employ a deny-all, allow-by-exception with the following commands:\n\n$ sudo firewall-cmd --permanent --new-zone=[custom]\n\n$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml\n\nThis will provide a clean configuration file to work with that employs a deny-all approach. Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name.\n\nReload the firewall rules to make the new [custom] zone available to load:\n$ sudo firewall-cmd --reload\n\nSet the default zone to the new [custom] zone:\n$ sudo firewall-cmd --set-default-zone=[custom]\n\nNote: This is a runtime and permanent change.\nAdd any interfaces to the new [custom] zone:\n$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33\n\nReload the firewall rules for changes to take effect:\n$ sudo firewall-cmd --reload'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000297-GPOS-00115'\n tag gid: 'V-230504'\n tag rid: 'SV-230504r942942_rule'\n tag stig_id: 'RHEL-08-040090'\n tag fix_id: 'F-33148r942941_fix'\n tag cci: ['CCI-002314']\n tag legacy: []\n tag nist: ['AC-17 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('external_firewall') == false\n\n describe service('firewalld') do\n it { should be_running }\n end\n\n describe firewalld do\n its('zone') { should_not be_empty }\n end\n\n failing_zones = firewalld.zone.reject { |fz| firewalld.zone(fz).target == 'DROP' }\n\n describe 'All firewall zones' do\n it 'should be configured to drop all incoming network packets unless explicitly accepted' do\n expect(failing_zones).to be_empty, \"Failing zones:\\n\\t- #{failing_zones.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'Manual' do\n skip 'Inputs indicate this system is using a firewall tool other than the default firewalld; 
review the configuration of this tool to ensure it employs a deny-all, allow-by-exception policy for allowing connections to other systems.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230557.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230504.rb", "line": 1 }, - "id": "SV-230557" + "id": "SV-230504" }, { - "title": "A firewall must be installed on RHEL 8.", - "desc": "\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).", + "title": "Successful/unsuccessful uses of the chcon command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). 
The \"chcon\" command is\nused to change file SELinux security context.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).", - "check": "Verify that \"firewalld\" is installed with the following commands:\n\n $ sudo yum list installed firewalld\n\n firewalld.noarch 0.7.0-5.el8\n\n If the \"firewalld\" package is not installed, ask the System Administrator\nif another firewall is installed. 
If no firewall is installed this is a finding.", - "fix": "Install \"firewalld\" with the following command:\n\n$ sudo yum install firewalld.noarch" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chcon\" command is\nused to change file SELinux security context.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chcon\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chcon /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chcon\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -2591,33 +2561,43 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000297-GPOS-00115", - "gid": "V-230505", - "rid": "SV-230505r854048_rule", - "stig_id": "RHEL-08-040100", - "fix_id": "F-33149r744019_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000468-GPOS-00212", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230419", + "rid": "SV-230419r627750_rule", + "stig_id": "RHEL-08-030260", + "fix_id": "F-33063r568004_fix", "cci": [ - "CCI-002314" + "CCI-000169" ], "nist": [ - "AC-17 (1)" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230505' do\n title 'A firewall must be installed on RHEL 8.'\n desc '\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. 
Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).'\n desc 'check', 'Verify that \"firewalld\" is installed with the following commands:\n\n $ sudo yum list installed firewalld\n\n firewalld.noarch 0.7.0-5.el8\n\n If the \"firewalld\" package is not installed, ask the System Administrator\nif another firewall is installed. If no firewall is installed this is a finding.'\n desc 'fix', 'Install \"firewalld\" with the following command:\n\n$ sudo yum install firewalld.noarch'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000297-GPOS-00115'\n tag gid: 'V-230505'\n tag rid: 'SV-230505r854048_rule'\n tag stig_id: 'RHEL-08-040100'\n tag fix_id: 'F-33149r744019_fix'\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n alternate_firewall_tool = input('alternate_firewall_tool')\n\n if alternate_firewall_tool != ''\n describe package(alternate_firewall_tool) do\n it { should be_installed }\n end\n else\n describe package('firewalld') do\n it { should be_installed }\n end\n end\nend\n", + "code": "control 'SV-230419' do\n title 'Successful/unsuccessful uses of the chcon command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). 
The \"chcon\" command is\nused to change file SELinux security context.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chcon\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chcon /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chcon\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230419'\n tag rid: 'SV-230419r627750_rule'\n tag stig_id: 'RHEL-08-030260'\n tag fix_id: 'F-33063r568004_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chcon'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it 
\"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230505.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230419.rb", "line": 1 }, - "id": "SV-230505" + "id": "SV-230419" }, { - "title": "RHEL 8 must require re-authentication when using the \"sudo\" command.", - "desc": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the organization requires the user to\nre-authenticate when using the \"sudo\" command.\n\n If the value is set to an integer less than 0, the user's time stamp will\nnot expire and the user will not have to re-authenticate for privileged actions\nuntil the user's session is terminated.", + "title": "RHEL 8 audit log directory must be owned by root to prevent\nunauthorized read access.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", "descriptions": { - "default": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the organization requires the user to\nre-authenticate when using the \"sudo\" command.\n\n If the value is set to an 
integer less than 0, the user's time stamp will\nnot expire and the user will not have to re-authenticate for privileged actions\nuntil the user's session is terminated.", - "check": "Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative number, is commented out, or no results are returned, this is a finding.", - "fix": "Configure the \"sudo\" command to require re-authentication.\nEdit the /etc/sudoers file:\n$ sudo visudo\n\nAdd or modify the following line:\nDefaults timestamp_timeout=[value]\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\".\n\nRemove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files." + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", + "check": "Verify the audit log directory is owned by \"root\" to prevent unauthorized\nread access.\n\n Determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Determine the owner of the audit log directory by using the output of the\nabove command (ex: \"/var/log/audit/\"). 
Run the following command with the\ncorrect audit log directory path:\n\n $ sudo ls -ld /var/log/audit\n\n drw------- 2 root root 23 Jun 11 11:56 /var/log/audit\n\n If the audit log directory is not owned by \"root\", this is a finding.", + "fix": "Configure the audit log to be protected from unauthorized read access, by\nsetting the correct owner as \"root\" with the following command:\n\n $ sudo chown root [audit_log_directory]\n\n Replace \"[audit_log_directory]\" with the correct audit log directory\npath, by default this location is usually \"/var/log/audit\"." }, "impact": 0.5, "refs": [ 
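Review bot: The new `satisfies` array for SV-230419 lists `SRG-OS-000062-GPOS-00031` twice (first and fourth entries), and the embedded `code` string repeats the duplicate in `tag satisfies:`. Because `source_location` points at `./Red Hat 8 STIG/controls/SV-230419.rb`, this baseline looks generated, so the duplicate is best removed in that control file and the baseline regenerated rather than hand-edited here. Also in this control, the check and fix text specify `-F auid!=unset` while the test asserts `include('perm=x', 'auid>=1000', 'auid!=-1')`; whether that matches depends on how the `auditd` resource renders the unset loginuid, so confirm on a RHEL 8 host or accept both spellings with `expect(audit_rule.fields.flatten).to include('auid!=-1').or include('auid!=unset')`. The SV-230419 object this hunk edits begins in the preceding hunk.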
@@ -2627,34 +2607,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000373-GPOS-00156", - "gid": "V-237643", - "rid": "SV-237643r861088_rule", - "stig_id": "RHEL-08-010384", - "fix_id": "F-40825r858763_fix", + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-230399", + "rid": "SV-230399r627750_rule", + "stig_id": "RHEL-08-030100", + "fix_id": "F-33043r567944_fix", "cci": [ - "CCI-002038" + "CCI-000162" ], "nist": [ - "IA-11" + "AU-9", + "AU-9 a" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-237643' do\n title 'RHEL 8 must require re-authentication when using the \"sudo\" command.'\n desc %q(Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the organization requires the user to\nre-authenticate when using the \"sudo\" command.\n\n If the value is set to an integer less than 0, the user's time stamp will\nnot expire and the user will not have to re-authenticate for privileged actions\nuntil the user's session is terminated.)\n desc 'check', %q(Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative number, is commented out, or no results are returned, this is a finding.)\n desc 'fix', 'Configure the \"sudo\" command to require re-authentication.\nEdit the /etc/sudoers file:\n$ sudo visudo\n\nAdd or modify the following line:\nDefaults timestamp_timeout=[value]\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\".\n\nRemove any duplicate or 
conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag gid: 'V-237643'\n tag rid: 'SV-237643r861088_rule'\n tag stig_id: 'RHEL-08-010384'\n tag fix_id: 'F-40825r858763_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This requirement is Not Applicable in a container with no sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n setting = 'timestamp_timeout'\n setting_value = sudoers(input('sudoers_config_files')).settings.Defaults[setting]\n\n describe 'Sudoers configuration' do\n it \"should should set #{setting} to a non-negative number, exactly once\" do\n expect(setting_value).to_not be_nil, \"#{setting} not found inside sudoers config file(s)\"\n expect(setting_value.count).to eq(1), \"#{setting} set #{setting_value.count} times inside sudoers config file(s)\"\n expect(setting_value.first.to_i).to be >= 0\n end\n end\nend\n", + "code": "control 'SV-230399' do\n title 'RHEL 8 audit log directory must be owned by root to prevent\nunauthorized read access.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.'\n desc 'check', 'Verify the audit log directory is owned by \"root\" to prevent unauthorized\nread access.\n\n Determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Determine the owner of the audit log directory by using the output of the\nabove command (ex: \"/var/log/audit/\"). 
Run the following command with the\ncorrect audit log directory path:\n\n $ sudo ls -ld /var/log/audit\n\n drw------- 2 root root 23 Jun 11 11:56 /var/log/audit\n\n If the audit log directory is not owned by \"root\", this is a finding.'\n desc 'fix', 'Configure the audit log to be protected from unauthorized read access, by\nsetting the correct owner as \"root\" with the following command:\n\n $ sudo chown root [audit_log_directory]\n\n Replace \"[audit_log_directory]\" with the correct audit log directory\npath, by default this location is usually \"/var/log/audit\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230399'\n tag rid: 'SV-230399r627750_rule'\n tag stig_id: 'RHEL-08-030100'\n tag fix_id: 'F-33043r567944_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n log_dir = auditd_conf('/etc/audit/auditd.conf').log_file.split('/')[0..-2].join('/')\n describe directory(log_dir) do\n its('owner') { should eq 'root' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-237643.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230399.rb", "line": 1 }, - "id": "SV-237643" + "id": "SV-230399" }, { - "title": "RHEL 8 must prevent system messages from being presented when three\nunsuccessful logon attempts occur.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "All RHEL 8 remote access methods must be monitored.", + "desc": "Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Check that the system prevents informative messages from being presented to\nthe user pertaining to logon information with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"silent\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"silent\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.", - "fix": "Configure the operating system to prevent informative messages from being\npresented at logon attempts.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" 
service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + "default": "Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "check": "Verify that RHEL 8 monitors all remote access methods.\n\nCheck that remote access methods are being logged by running the following command:\n\n$ sudo grep -E '(auth\\.\\*|authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged, this is a finding.", + "fix": "Configure RHEL 8 to monitor all remote access methods by installing rsyslog\nwith the following command:\n\n $ sudo yum install rsyslog\n\n Then add or update the following lines to the \"/etc/rsyslog.conf\" file:\n\n auth.*;authpriv.*;daemon.* /var/log/secure\n\n The \"rsyslog\" service must be restarted for the changes to take effect.\nTo restart the \"rsyslog\" service, run the following command:\n\n $ sudo systemctl restart rsyslog.service" }, "impact": 0.5, "refs": [ 
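Review bot: In the new `code` for SV-230399, `log_dir = auditd_conf('/etc/audit/auditd.conf').log_file.split('/')[0..-2].join('/')` calls `split` on `nil` when `log_file` is absent from `auditd.conf`, so a misconfigured host yields a Ruby error instead of a finding (assuming the resource returns nil for a missing key, which should be confirmed). `File.dirname` expresses the intent directly: `log_file = auditd_conf('/etc/audit/auditd.conf').log_file` followed by `describe directory(File.dirname(log_file.to_s))`, with an explicit `expect(log_file).not_to be_nil` beforehand so the nil case reads as a failed check with a message. The ownership assertion itself matches the STIG check text, which only requires the directory owner to be `root`. The SV-230399 object begins in the preceding hunk.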
@@ -2664,78 +2649,71 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", - "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" - ], - "gid": "V-230340", - "rid": "SV-230340r627750_rule", - "stig_id": "RHEL-08-020018", - "fix_id": "F-32984r567767_fix", + "gtitle": "SRG-OS-000032-GPOS-00013", + "gid": "V-230228", + "rid": "SV-230228r951592_rule", + "stig_id": "RHEL-08-010070", + "fix_id": "F-32872r567431_fix", "cci": [ - "CCI-000044" + "CCI-000067" ], "nist": [ - "AC-7 a" + "AC-17 (1)" ], "host": null, - "container": null + "container-conditional": null }, - "code": "control 'SV-230340' do\n title 'RHEL 8 must prevent system messages from being presented when three\nunsuccessful logon attempts occur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the system prevents informative messages from being presented to\nthe user pertaining to logon information with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"silent\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"silent\" option is missing from the \"preauth\" line with the\n\"pam_faillock.so\" module, this is a finding.'\n desc 'fix', 'Configure the operating system to prevent informative messages from being\npresented at logon attempts.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The 
\"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230340'\n tag rid: 'SV-230340r627750_rule'\n tag stig_id: 'RHEL-08-020018'\n tag fix_id: 'F-32984r567767_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('silent')\n }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('silent')\n }\n end\nend\n", + "code": "control 'SV-230228' do\n title 'All RHEL 8 remote access methods must be monitored.'\n desc 'Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).'\n desc 'check', %q(Verify that RHEL 8 monitors all remote access methods.\n\nCheck that remote access methods are being logged by running the following command:\n\n$ sudo grep -E '(auth\\.\\*|authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged, this is a finding.)\n desc 'fix', 'Configure RHEL 8 to monitor all remote access methods by installing rsyslog\nwith the following command:\n\n $ sudo yum install rsyslog\n\n Then add or update the following lines to the \"/etc/rsyslog.conf\" file:\n\n auth.*;authpriv.*;daemon.* /var/log/secure\n\n The \"rsyslog\" service must be restarted for the changes to take effect.\nTo restart the \"rsyslog\" service, run the following command:\n\n $ sudo systemctl restart rsyslog.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000032-GPOS-00013'\n tag gid: 'V-230228'\n tag rid: 'SV-230228r951592_rule'\n tag stig_id: 'RHEL-08-010070'\n tag fix_id: 'F-32872r567431_fix'\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable; remote access not configured within containerized RHEL', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n rsyslog = file('/etc/rsyslog.conf')\n\n describe rsyslog do\n it { should exist }\n end\n\n if rsyslog.exist?\n 
auth_pattern = %r{^\\s*[a-z.;*]*auth(,[a-z,]+)*\\.\\*\\s*/*}\n authpriv_pattern = %r{^\\s*[a-z.;*]*authpriv(,[a-z,]+)*\\.\\*\\s*/*}\n daemon_pattern = %r{^\\s*[a-z.;*]*daemon(,[a-z,]+)*\\.\\*\\s*/*}\n\n rsyslog_conf = command('grep -E \\'(auth.*|authpriv.*|daemon.*)\\' /etc/rsyslog.conf /etc/rsyslog.d/*.conf')\n\n describe 'Logged remote access methods' do\n it 'should include auth.*' do\n expect(rsyslog_conf.stdout).to match(auth_pattern), 'auth.* not configured for logging'\n end\n it 'should include authpriv.*' do\n expect(rsyslog_conf.stdout).to match(authpriv_pattern), 'authpriv.* not configured for logging'\n end\n it 'should include daemon.*' do\n expect(rsyslog_conf.stdout).to match(daemon_pattern), 'daemon.* not configured for logging'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230340.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230228.rb", "line": 1 }, - "id": "SV-230340" + "id": "SV-230228" }, { - "title": "RHEL 8 must prevent users from disabling session control mechanisms.", - "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.", + "title": "RHEL 8 library files must be group-owned by root or a system account.", + "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.", - "check": "Verify the operating system prevents users from disabling the tmux terminal\nmultiplexer with the following command:\n\n $ sudo grep -i tmux /etc/shells\n\n If any output is produced, this is a finding.", - "fix": "Configure the operating system to prevent users from disabling\nthe tmux terminal multiplexer by editing the \"/etc/shells\" configuration file\nto remove any instances of tmux." + "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "check": "Verify the system-wide shared library files are group-owned by \"root\"\nwith the following command:\n\n $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! 
-group root -exec ls -l {}\n\\;\n\n If any system wide shared library file is returned and is not group-owned\nby a required system account, this is a finding.", + "fix": "Configure the system-wide shared library files (/lib, /lib64, /usr/lib and\n/usr/lib64) to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any library file not\ngroup-owned by \"root\".\n\n $ sudo chgrp root [FILE]" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000028-GPOS-00009", - "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000030-GPOS-00011" - ], - "gid": "V-230350", - "rid": "SV-230350r627750_rule", - "stig_id": "RHEL-08-020042", - "fix_id": "F-32994r567797_fix", + "severity": "medium", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-230262", + "rid": "SV-230262r627750_rule", + "stig_id": "RHEL-08-010350", + "fix_id": "F-32906r567533_fix", "cci": [ - "CCI-000056" + "CCI-001499" ], "nist": [ - "AC-11 b" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230350' do\n title 'RHEL 8 must prevent users from disabling session control mechanisms.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.'\n desc 'check', 'Verify the operating system prevents users from disabling the tmux terminal\nmultiplexer with the following command:\n\n $ sudo grep -i tmux /etc/shells\n\n If any output is produced, this is a finding.'\n desc 'fix', 'Configure the operating system to prevent users from disabling\nthe tmux terminal multiplexer by editing the \"/etc/shells\" configuration file\nto remove any instances of tmux.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-230350'\n tag rid: 'SV-230350r627750_rule'\n tag stig_id: 'RHEL-08-020042'\n tag fix_id: 'F-32994r567797_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe command('grep -i tmux /etc/shells') do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control 'SV-230262' do\n title 'RHEL 8 library files must be group-owned by root or a system account.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system-wide shared library files are group-owned by \"root\"\nwith the following command:\n\n $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {}\n\\\\;\n\n If any system wide shared library file is returned and is not group-owned\nby a required system account, this is a finding.'\n desc 'fix', 'Configure the system-wide shared library files (/lib, /lib64, /usr/lib and\n/usr/lib64) to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any library file not\ngroup-owned by \"root\".\n\n $ sudo chgrp root [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230262'\n tag rid: 'SV-230262r627750_rule'\n tag stig_id: 'RHEL-08-010350'\n tag fix_id: 'F-32906r567533_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_libraries').join(' ')} ! 
-group root -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System libraries' do\n it 'should be group-owned by root' do\n expect(failing_files).to be_empty, \"Files not group-owned by root:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230350.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230262.rb", "line": 1 }, - "id": "SV-230350" + "id": "SV-230262" }, { - "title": "RHEL 8 must notify the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) when allocated audit record\nstorage volume 75 percent utilization.", - "desc": "If security personnel are not notified immediately when storage volume\nreaches 75 percent utilization, they are unable to plan for audit record\nstorage capacity expansion.", + "title": "RHEL 8 must mount /var/log with the nosuid option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "If security personnel are not notified immediately when storage volume\nreaches 75 percent utilization, they are unable to plan for audit record\nstorage capacity expansion.", - "check": "Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit\nrecord storage volume reaches 75 percent of the repository maximum audit record\nstorage capacity with the following command:\n\n $ sudo grep -w space_left_action /etc/audit/auditd.conf\n\n space_left_action = email\n\n If the value of the \"space_left_action\" is not set to \"email\", or if\nthe line is commented out, ask the System Administrator to indicate how the\nsystem is providing real-time alerts to the SA and ISSO.\n\n If there is no evidence that real-time alerts are configured on the system,\nthis is a finding.", - "fix": "Configure the operating system to initiate an action to notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75\npercent of the repository maximum audit record storage capacity by\nadding/modifying the following line in the /etc/audit/auditd.conf file.\n\n space_left_action = email\n\n Note: Option names and values in the auditd.conf file are case insensitive." + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/log\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/var/log is mounted without the \"nosuid\" option, this is a finding.", + "fix": "Configure the system so that /var/log is mounted with the \"nosuid\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
@@ -2745,33 +2723,33 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000343-GPOS-00134",
- "gid": "V-244543",
- "rid": "SV-244543r877389_rule",
- "stig_id": "RHEL-08-030731",
- "fix_id": "F-47775r743877_fix",
+ "gtitle": "SRG-OS-000368-GPOS-00154",
+ "gid": "V-230515",
+ "rid": "SV-230515r854056_rule",
+ "stig_id": "RHEL-08-040127",
+ "fix_id": "F-33159r568292_fix",
 "cci": [
- "CCI-001855"
+ "CCI-001764"
 ],
 "nist": [
- "AU-5 (1)"
+ "CM-7 (2)"
 ],
 "host": null
 },
- "code": "control 'SV-244543' do\n title 'RHEL 8 must notify the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) when allocated audit record\nstorage volume 75 percent utilization.'\n desc 'If security personnel are not notified immediately when storage volume\nreaches 75 percent utilization, they are unable to plan for audit record\nstorage capacity expansion.'\n desc 'check', 'Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit\nrecord storage volume reaches 75 percent of the repository maximum audit record\nstorage capacity with the following command:\n\n $ sudo grep -w space_left_action /etc/audit/auditd.conf\n\n space_left_action = email\n\n If the value of the \"space_left_action\" is not set to \"email\", or if\nthe line is commented out, ask the System Administrator to indicate how the\nsystem is providing real-time alerts to the SA and ISSO.\n\n If there is no evidence that real-time alerts are configured on the system,\nthis is a finding.'\n desc 'fix', 'Configure the operating system to initiate an action to notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75\npercent of the repository maximum audit record storage capacity by\nadding/modifying the following line in the /etc/audit/auditd.conf file.\n\n space_left_action = email\n\n Note: Option names and values in the auditd.conf file are case insensitive.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 
'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-244543'\n tag rid: 'SV-244543r877389_rule'\n tag stig_id: 'RHEL-08-030731'\n tag fix_id: 'F-47775r743877_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag 'host'\n\n alert_method = input('alert_method')\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe auditd_conf do\n its('space_left_action.downcase') { should cmp alert_method }\n end\nend\n",
+ "code": "control 'SV-230515' do\n title 'RHEL 8 must mount /var/log with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/var/log is mounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log is mounted with the \"nosuid\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230515'\n tag rid: 'SV-230515r854056_rule'\n tag stig_id: 'RHEL-08-040127'\n tag fix_id: 'F-33159r568292_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log'\n option = 'nosuid'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-244543.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-230515.rb",
 "line": 1
 },
- "id": "SV-244543"
+ "id": "SV-230515"
 },
 {
- "title": "RHEL 8 library files must have mode 755 or less permissive.",
- "desc": "If RHEL 8 were to allow any user to make changes 
to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.",
+ "title": "RHEL 8 must enforce password complexity by requiring that at least one\nnumeric character be used.",
+ "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Note that in order to require numeric characters, without degrading\nthe minlen value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".",
 "descriptions": {
- "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.",
- "check": "Verify the system-wide shared library files contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \\;\n\nIf any system-wide shared library file is found to be group-writable or world-writable, this is a finding.",
- "fix": "Configure the library files to be protected from unauthorized access. Run the following command, replacing \"[FILE]\" with any library file with a mode more permissive than 755.\n\n$ sudo chmod 755 [FILE]"
+ "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
Note that in order to require numeric characters, without degrading\nthe minlen value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".",
+ "check": "Verify the value for \"dcredit\" with the following command:\n\n$ sudo grep -r dcredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dcredit = -1\n\nIf the value of \"dcredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.",
+ "fix": "Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\ndcredit = -1\n\nRemove any configurations that conflict with the above value."
 },
 "impact": 0.5,
 "refs": [
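Review bot: In the SV-230515 code, `describe mount(path)` asserts `its('options') { should include option }` without first establishing that /var/log is a mount point, while the control's own check text only makes it a finding when `/var/log is mounted without the "nosuid" option`; on a host where /var/log is not separately mounted the expectation presumably fails on a nil or empty options list with a message that does not say why. Adding `it { should be_mounted }` ahead of the options expectation makes the failing condition explicit to the assessor, and the `etc_fstab.where { mount_point == path }` block already covers persistence, since an absent fstab entry fails `mount_options.flatten` on its own. The `tag 'host'` without `tag 'container'` is consistent with the `"host": null` tag map and the docker `only_if` guard in the same control.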
@@ -2781,71 +2759,80 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-230260", - "rid": "SV-230260r792867_rule", - "stig_id": "RHEL-08-010330", - "fix_id": "F-32904r792866_fix", + "gtitle": "SRG-OS-000071-GPOS-00039", + "gid": "V-230359", + "rid": "SV-230359r858775_rule", + "stig_id": "RHEL-08-020130", + "fix_id": "F-33003r858774_fix", "cci": [ - "CCI-001499" + "CCI-000194" ], "nist": [ - "CM-5 (6)" + "IA-5 (1) (a)" ], "host": null, "container": null }, - "code": "control 'SV-230260' do\n title 'RHEL 8 library files must have mode 755 or less permissive.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system-wide shared library files contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \\\\;\n\nIf any system-wide shared library file is found to be group-writable or world-writable, this is a finding.'\n desc 'fix', 'Configure the library files to be protected from unauthorized access. 
Run the following command, replacing \"[FILE]\" with any library file with a mode more permissive than 755.\n\n$ sudo chmod 755 [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230260'\n tag rid: 'SV-230260r792867_rule'\n tag stig_id: 'RHEL-08-010330'\n tag fix_id: 'F-32904r792866_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_libraries').join(' ')} -perm /0022 -type f -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System libraries' do\n it \"should have mode '0755' or less permissive\" do\n expect(failing_files).to be_empty, \"Files with excessive permissions:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230359' do\n title 'RHEL 8 must enforce password complexity by requiring that at least one\nnumeric character be used.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
Note that in order to require numeric characters, without degrading\nthe minlen value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".'\n desc 'check', 'Verify the value for \"dcredit\" with the following command:\n\n$ sudo grep -r dcredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dcredit = -1\n\nIf the value of \"dcredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\ndcredit = -1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000071-GPOS-00039'\n tag gid: 'V-230359'\n tag rid: 'SV-230359r858775_rule'\n tag stig_id: 'RHEL-08-020130'\n tag fix_id: 'F-33003r858774_fix'\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting) { 'dcredit' }\n let(:value) { Array(config.params[setting]) }\n\n it 'has `dcredit` set' do\n expect(value).not_to be_empty, 'dcredit is not set in pwquality.conf'\n end\n\n it 'only sets `dcredit` once' do\n expect(value.length).to eq(1), 'dcredit is commented or set more than once in pwquality.conf'\n end\n\n it 'does not set `dcredit` to a positive value' do\n expect(value.first.to_i).to be < 0, 'dcredit is not set to a negative value in pwquality.conf'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230260.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230359.rb", "line": 1 }, - "id": "SV-230260" + 
"id": "SV-230359" }, { - "title": "A RHEL 8 firewall must employ a deny-all, allow-by-exception policy\nfor allowing connections to other systems.", - "desc": "Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. It also permits outbound\nconnections that may facilitate exfiltration of DoD data.\n\n RHEL 8 incorporates the \"firewalld\" daemon, which allows for many\ndifferent configurations. One of these configurations is zones. Zones can be\nutilized to a deny-all, allow-by-exception approach. The default \"drop\" zone\nwill drop all incoming network packets unless it is explicitly allowed by the\nconfiguration file or is related to an outgoing network connection.", + "title": "RHEL 8 must enable auditing of processes that start prior to the audit\ndaemon.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. It also permits outbound\nconnections that may facilitate exfiltration of DoD data.\n\n RHEL 8 incorporates the \"firewalld\" daemon, which allows for many\ndifferent configurations. One of these configurations is zones. Zones can be\nutilized to a deny-all, allow-by-exception approach. 
The default \"drop\" zone\nwill drop all incoming network packets unless it is explicitly allowed by the\nconfiguration file or is related to an outgoing network connection.", - "check": "Verify \"firewalld\" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:\n\n $ sudo firewall-cmd --state\n running\n\n $ sudo firewall-cmd --get-active-zones\n [custom]\n interfaces: ens33\n\n $ sudo firewall-cmd --info-zone=[custom] | grep target\n target: DROP\n\nIf no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than \"DROP\", this is a finding.\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if an alternate firewall (such as iptables) is installed and in use, and how is it configured to employ a deny-all, allow-by-exception policy.\n\nIf the alternate firewall is not configured to employ a deny-all, allow-by-exception policy, this is a finding.\n\nIf no firewall is installed, this is a finding.", - "fix": "Configure the \"firewalld\" daemon to employ a deny-all, allow-by-exception with the following commands:\n\n$ sudo firewall-cmd --permanent --new-zone=[custom]\n\n$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml\n\nThis will provide a clean configuration file to work with that employs a deny-all approach. 
Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name.\n\nReload the firewall rules to make the new [custom] zone available to load:\n$ sudo firewall-cmd --reload\n\nSet the default zone to the new [custom] zone:\n$ sudo firewall-cmd --set-default-zone=[custom]\n\nNote: This is a runtime and permanent change.\nAdd any interfaces to the new [custom] zone:\n$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33\n\nReload the firewall rules for changes to take effect:\n$ sudo firewall-cmd --reload" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify RHEL 8 enables auditing of processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit\" entry does not equal \"1\", is missing, or the line is commented out, this is a finding.\n\nCheck that auditing is enabled by default to persist in kernel updates:\n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit=1\"\n\nIf \"audit\" is not set to \"1\", is missing or commented out, this is a finding.", + "fix": "Configure RHEL 8 to audit processes that start prior to the audit daemon\nwith the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"audit=1\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"audit=1\"" }, - 
"impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000297-GPOS-00115", - "gid": "V-230504", - "rid": "SV-230504r942942_rule", - "stig_id": "RHEL-08-040090", - "fix_id": "F-33148r942941_fix", + "severity": "low", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000473-GPOS-00218" + ], + "gid": "V-230468", + "rid": "SV-230468r792904_rule", + "stig_id": "RHEL-08-030601", + "fix_id": "F-33112r568151_fix", "cci": [ - "CCI-002314" + "CCI-000169" ], - "legacy": [], "nist": [ - "AC-17 (1)" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230504' do\n title 'A RHEL 8 firewall must employ a deny-all, allow-by-exception policy\nfor allowing connections to other systems.'\n desc 'Failure to restrict network connectivity only to authorized systems\npermits inbound connections from malicious systems. It also permits outbound\nconnections that may facilitate exfiltration of DoD data.\n\n RHEL 8 incorporates the \"firewalld\" daemon, which allows for many\ndifferent configurations. One of these configurations is zones. Zones can be\nutilized to a deny-all, allow-by-exception approach. 
The default \"drop\" zone\nwill drop all incoming network packets unless it is explicitly allowed by the\nconfiguration file or is related to an outgoing network connection.'\n desc 'check', 'Verify \"firewalld\" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:\n\n $ sudo firewall-cmd --state\n running\n\n $ sudo firewall-cmd --get-active-zones\n [custom]\n interfaces: ens33\n\n $ sudo firewall-cmd --info-zone=[custom] | grep target\n target: DROP\n\nIf no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than \"DROP\", this is a finding.\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if an alternate firewall (such as iptables) is installed and in use, and how is it configured to employ a deny-all, allow-by-exception policy.\n\nIf the alternate firewall is not configured to employ a deny-all, allow-by-exception policy, this is a finding.\n\nIf no firewall is installed, this is a finding.'\n desc 'fix', 'Configure the \"firewalld\" daemon to employ a deny-all, allow-by-exception with the following commands:\n\n$ sudo firewall-cmd --permanent --new-zone=[custom]\n\n$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml\n\nThis will provide a clean configuration file to work with that employs a deny-all approach. 
Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name.\n\nReload the firewall rules to make the new [custom] zone available to load:\n$ sudo firewall-cmd --reload\n\nSet the default zone to the new [custom] zone:\n$ sudo firewall-cmd --set-default-zone=[custom]\n\nNote: This is a runtime and permanent change.\nAdd any interfaces to the new [custom] zone:\n$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33\n\nReload the firewall rules for changes to take effect:\n$ sudo firewall-cmd --reload'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000297-GPOS-00115'\n tag gid: 'V-230504'\n tag rid: 'SV-230504r942942_rule'\n tag stig_id: 'RHEL-08-040090'\n tag fix_id: 'F-33148r942941_fix'\n tag cci: ['CCI-002314']\n tag legacy: []\n tag nist: ['AC-17 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('external_firewall') == false\n\n describe service('firewalld') do\n it { should be_running }\n end\n\n describe firewalld do\n its('zone') { should_not be_empty }\n end\n\n failing_zones = firewalld.zone.reject { |fz| firewalld.zone(fz).target == 'DROP' }\n\n describe 'All firewall zones' do\n it 'should be configured to drop all incoming network packets unless explicitly accepted' do\n expect(failing_zones).to be_empty, \"Failing zones:\\n\\t- #{failing_zones.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'Manual' do\n skip 'Inputs indicate this system is using a firewall tool other than the default firewalld; review the configuration of this tool to ensure it employs a deny-all, allow-by-exception policy for allowing connections to other systems.'\n end\n end\nend\n", + "code": "control 'SV-230468' do\n title 'RHEL 8 must enable auditing of processes that start prior to the audit\ndaemon.'\n desc 'Without 
the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.'\n desc 'check', 'Verify RHEL 8 enables auditing of processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit\" entry does 
not equal \"1\", is missing, or the line is commented out, this is a finding.\n\nCheck that auditing is enabled by default to persist in kernel updates:\n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit=1\"\n\nIf \"audit\" is not set to \"1\", is missing or commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to audit processes that start prior to the audit daemon\nwith the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"audit=1\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"audit=1\"'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-230468'\n tag rid: 'SV-230468r792904_rule'\n tag stig_id: 'RHEL-08-030601'\n tag fix_id: 'F-33112r568151_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_config = command('grub2-editenv - list').stdout\n\n describe parse_config(grub_config) do\n its('kernelopts') { should match(/audit=1/) }\n end\n\n describe parse_config_file('/etc/default/grub') do\n its('GRUB_CMDLINE_LINUX') { should match(/audit=1/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230504.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230468.rb", "line": 1 }, - "id": "SV-230504" + "id": "SV-230468" }, { - "title": "RHEL 8 must prevent code from being executed on file systems that\ncontain user home directories.", - "desc": "The \"noexec\" mount option causes the system not to execute binary\nfiles. 
This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "title": "Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-keysign\" program\nis an SSH helper program for host-based authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. 
Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", - "check": "Verify file systems that contain user home directories are mounted with the\n\"noexec\" option.\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is\nautomatically a finding as the \"noexec\" option cannot be used on the \"/\"\nsystem.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n smithj:1001: /home/smithj\n robinst:1002: /home/robinst\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n $ sudo more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 2\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"noexec\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that contain user home directories for interactive users." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-keysign\" program\nis an SSH helper program for host-based authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"ssh-keysign\" by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep ssh-keysign /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-ssh\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-keysign\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -2855,70 +2842,42 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230302",
- "rid": "SV-230302r627750_rule",
- "stig_id": "RHEL-08-010590",
- "fix_id": "F-32946r567653_fix",
- "cci": [
- "CCI-000366"
- ],
- "nist": [
- "CM-6 b"
+ "gtitle": "SRG-OS-000062-GPOS-00031",
+ "satisfies": [
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
 ],
- "host": null
- },
- "code": "control 'SV-230302' do\n title 'RHEL 8 must prevent code from being executed on file systems that\ncontain user home directories.'\n desc 'The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.'\n desc 'check', %q(Verify file systems that contain user home directories are mounted with the\n\"noexec\" option.\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is\nautomatically a finding as the \"noexec\" option cannot be used on the \"/\"\nsystem.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n smithj:1001: /home/smithj\n robinst:1002: /home/robinst\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n $ sudo more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 2\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"noexec\" option 
set, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that contain user home directories for interactive users.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230302'\n tag rid: 'SV-230302r627750_rule'\n tag stig_id: 'RHEL-08-010590'\n tag fix_id: 'F-32946r567653_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n interactive_users = passwd.where {\n uid.to_i >= 1000 && shell !~ /nologin/\n }\n\n interactive_user_homedirs = interactive_users.homes.map { |home_path|\n home_path.match(%r{^(.*)/.*$}).captures.first\n }.uniq\n\n option = 'noexec'\n\n mounted_on_root = interactive_user_homedirs.select { |dir| dir == '/' }\n not_configured = interactive_user_homedirs.reject { |dir| etc_fstab.where { mount_point == dir }.configured? 
}\n option_not_set = interactive_user_homedirs.reject { |dir| etc_fstab.where { mount_point == dir }.mount_options.flatten.include?(option) }\n\n describe 'All interactive user home directories' do\n it \"should not be mounted under root ('/')\" do\n expect(mounted_on_root).to be_empty, \"Home directories mounted on root ('/'):\\n\\t- #{mounted_on_root.join(\"\\n\\t- \")}\"\n end\n it 'should be configured in /etc/fstab' do\n expect(not_configured).to be_empty, \"Unconfigured home directories:\\n\\t- #{not_configured.join(\"\\n\\t- \")}\"\n end\n if (option_not_set - not_configured).nil?\n it \"should have the '#{option}' mount option set\" do\n expect(option_not_set - not_configured).to be_empty, \"Mounted home directories without '#{option}' set:\\n\\t- #{not_configured.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230302.rb", - "line": 1 - }, - "id": "SV-230302" - }, - { - "title": "YUM must remove all software components after updated versions have\nbeen installed on RHEL 8.", - "desc": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.", - "descriptions": { - "default": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. 
Some information technology products may remove older versions of\nsoftware automatically from the information system.",
- "check": "Verify the operating system removes all software components after updated\nversions have been installed.\n\n Check if YUM is configured to remove unneeded packages with the following\ncommand:\n\n $ sudo grep -i clean_requirements_on_remove /etc/dnf/dnf.conf\n\n clean_requirements_on_remove=True\n\n If \"clean_requirements_on_remove\" is not set to either \"1\", \"True\",\nor \"yes\", commented out, or is missing from \"/etc/dnf/dnf.conf\", this is a\nfinding.",
- "fix": "Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"clean_requirements_on_remove\" option to \"True\" in the\n\"/etc/dnf/dnf.conf\" file:\n\n clean_requirements_on_remove=True"
- },
- "impact": 0.3,
- "refs": [
- {
- "ref": "DPMS Target Red Hat Enterprise Linux 8"
- }
- ],
- "tags": {
- "severity": "low",
- "gtitle": "SRG-OS-000437-GPOS-00194",
- "gid": "V-230281",
- "rid": "SV-230281r854034_rule",
- "stig_id": "RHEL-08-010440",
- "fix_id": "F-32925r567590_fix",
+ "gid": "V-230434",
+ "rid": "SV-230434r744002_rule",
+ "stig_id": "RHEL-08-030320",
+ "fix_id": "F-33078r744001_fix",
 "cci": [
- "CCI-002617"
+ "CCI-000169"
 ],
 "nist": [
- "SI-2 (6)"
+ "AU-12 a"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-230281' do\n title 'YUM must remove all software components after updated versions have\nbeen installed on RHEL 8.'\n desc 'Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. 
Some information technology products may remove older versions of\nsoftware automatically from the information system.'\n desc 'check', 'Verify the operating system removes all software components after updated\nversions have been installed.\n\n Check if YUM is configured to remove unneeded packages with the following\ncommand:\n\n $ sudo grep -i clean_requirements_on_remove /etc/dnf/dnf.conf\n\n clean_requirements_on_remove=True\n\n If \"clean_requirements_on_remove\" is not set to either \"1\", \"True\",\nor \"yes\", commented out, or is missing from \"/etc/dnf/dnf.conf\", this is a\nfinding.'\n desc 'fix', 'Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"clean_requirements_on_remove\" option to \"True\" in the\n\"/etc/dnf/dnf.conf\" file:\n\n clean_requirements_on_remove=True'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000437-GPOS-00194'\n tag gid: 'V-230281'\n tag rid: 'SV-230281r854034_rule'\n tag stig_id: 'RHEL-08-010440'\n tag fix_id: 'F-32925r567590_fix'\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/dnf/dnf.conf') do\n its('main.clean_requirements_on_remove') { should match(/1|True|yes/i) }\n end\nend\n", + "code": "control 'SV-230434' do\n title 'Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). 
The \"ssh-keysign\" program\nis an SSH helper program for host-based authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"ssh-keysign\" by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep ssh-keysign /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-ssh\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-keysign\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230434'\n tag rid: 'SV-230434r744002_rule'\n tag stig_id: 'RHEL-08-030320'\n tag fix_id: 'F-33078r744001_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/libexec/openssh/ssh-keysign'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-230281.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-230434.rb",
 "line": 1
 },
- "id": "SV-230281"
+ "id": "SV-230434"
 },
 {
- "title": "RHEL 8 must mount /dev/shm with the noexec option.",
- "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "All RHEL 8 local interactive user home directory files must have mode\n0750 or less permissive.", + "desc": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/dev/shm\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" options is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/dev/shm is mounted without the \"noexec\" option, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"noexec\" option\nby adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + "default": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", + "check": "Verify all files and directories contained in a local interactive user home\ndirectory, excluding local initialization files, have a mode of \"0750\".\n Files that begin with a \".\" are excluded from this requirement.\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n $ sudo ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\n If any files or directories are found with a mode more permissive than\n\"0750\", this is a finding.", + "fix": "Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n $ sudo chmod 0750 
/home/smithj/"
 },
 "impact": 0.5,
 "refs": [ 
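Review bot: The new `satisfies` array for SV-230434 lists `SRG-OS-000062-GPOS-00031` twice (it is also the `gtitle`), and the same duplicate is repeated in the `tag satisfies:` line inside the new `code` string and in the SV-230468 block of the hunk above. Since this file looks like a generated export of the InSpec controls, the fix belongs in the control source named in `source_location` (`./Red Hat 8 STIG/controls/SV-230434.rb`), e.g. `tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']`, with the JSON regenerated rather than hand-edited. Separately, the new test expects the parsed rule fields to include `'auid!=-1'` while the check and fix text show the rule written as `auid!=unset`; the desc itself says the audit system treats `-1`, `4294967295` and `unset` identically, so if the auditd resource reports the field as written this expectation would fail on a correctly configured host, which is worth confirming against the resource's actual output or relaxing to accept any of the three spellings.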
@@ -2928,33 +2887,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230510", - "rid": "SV-230510r854051_rule", - "stig_id": "RHEL-08-040122", - "fix_id": "F-33154r568277_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-244531", + "rid": "SV-244531r743842_rule", + "stig_id": "RHEL-08-010731", + "fix_id": "F-47763r743841_fix", "cci": [ - "CCI-001764" + "CCI-000366" ], "nist": [ - "CM-7 (2)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230510' do\n title 'RHEL 8 must mount /dev/shm with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/dev/shm\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" options is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/dev/shm is mounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /dev/shm is mounted with the \"noexec\" option\nby adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230510'\n tag rid: 'SV-230510r854051_rule'\n tag stig_id: 'RHEL-08-040122'\n tag fix_id: 'F-33154r568277_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/dev/shm'\n option = 'noexec'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-244531' do\n title 'All RHEL 8 local interactive user home directory files must have mode\n0750 or less permissive.'\n desc 'Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.'\n desc 'check', 'Verify all files and directories contained in a local interactive user 
home\ndirectory, excluding local initialization files, have a mode of \"0750\".\n Files that begin with a \".\" are excluded from this requirement.\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n $ sudo ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\n If any files or directories are found with a mode more permissive than\n\"0750\", this is a finding.'\n desc 'fix', 'Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n $ sudo chmod 0750 /home/smithj/'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244531'\n tag rid: 'SV-244531r743842_rule'\n tag stig_id: 'RHEL-08-010731'\n tag fix_id: 'F-47763r743841_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if(\"This control takes a long time to execute so it has been disabled through 'slow_controls'\") {\n !input('disable_slow_controls')\n }\n\n ignore_shells = input('non_interactive_shells').join('|')\n exempt_home_users = input('exempt_home_users').join('|')\n\n findings = Set[]\n users.where { !username.match(exempt_home_users) && !shell.match(ignore_shells) && (uid >= 1000 || uid.zero?) }.entries.each do |user_info|\n findings += command(\"find #{user_info.home} -xdev -not -name '.*' -perm /027 -type f\").stdout.split(\"\\n\")\n end\n describe 'All files in the users home directory' do\n it 'are expected to have permissions 0750 or better' do\n expect(findings).to be_empty, 'Some files in the users home directory do not have correct permissions. 
Please ensure all files have permissions 0750 or better.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230510.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244531.rb", "line": 1 }, - "id": "SV-230510" + "id": "SV-244531" }, { - "title": "RHEL 8 must configure the use of the pam_faillock.so module in the\n/etc/pam.d/password-auth file.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.", + "title": "RHEL 8 must define default permissions for logon and non-logon shells.", + "desc": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". 
This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.", - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the pam_faillock.so module is present in the\n\"/etc/pam.d/password-auth\" file:\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so\npreauth\n auth required pam_faillock.so\nauthfail\n account required pam_faillock.so\n\n If the pam_faillock.so module is not present in the\n\"/etc/pam.d/password-auth\" file with the \"preauth\" line listed before\npam_unix.so, this is a finding.", - "fix": "Configure the operating system to include the use of the pam_faillock.so\nmodule in the /etc/pam.d/password-auth file.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/password-auth\"\nfile to match the 
following lines:\n Note: The \"preauth\" line must be listed before pam_unix.so.\n\n auth required pam_faillock.so preauth\n auth required pam_faillock.so authfail\n account required pam_faillock.so" + "default": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", + "check": "Verify that the umask default for installed shells is \"077\".\n\nCheck for the value of the \"UMASK\" parameter in the \"/etc/bashrc\", \"/etc/csh.cshrc\" and \"/etc/profile\" files with the following command:\n\nNote: If the value of the \"UMASK\" parameter is set to \"000\" in the \"/etc/bashrc\" the \"/etc/csh.cshrc\" or the \"/etc/profile\" files, the Severity is raised to a CAT I.\n\n# grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile\n\n/etc/bashrc: umask 077\n/etc/bashrc: umask 077\n/etc/csh.cshrc: umask 077\n/etc/csh.cshrc: umask 077\n/etc/profile: umask 077\n/etc/profile: umask 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding.", + "fix": "Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the lines for the \"UMASK\" parameter in the \"/etc/bashrc\", \"/etc/csh.cshrc\" and \"/etc/profile\"files to \"077\":\n\nUMASK 077" }, "impact": 0.5, "refs": [ 
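Review bot: In the new `SV-244531` code in this hunk, `users.where { !username.match(exempt_home_users) && !shell.match(ignore_shells) ... }` builds both filters by joining the `exempt_home_users` and `non_interactive_shells` inputs with `|`, so an empty input yields the pattern `''`, which matches every string and silently excludes every user — the control then passes with no home directory examined; the inputs' defaults are outside this diff, so that needs confirming, and an anchored, escaped pattern (`Regexp.union` of the list, or skipping the match when the list is empty) would also stop an exempt `bob` from exempting `bobby`. The `find #{user_info.home} -xdev -not -name '.*' -perm /027 -type f` command interpolates each home path unquoted into a shell command line and restricts the search to regular files, while the check text in the same hunk covers "files and directories"; `command("find #{Shellwords.escape(user_info.home)} -xdev -not -name '.*' -perm /027 \\( -type f -o -type d \\)")` addresses both. Since `source_location` points this code at `./Red Hat 8 STIG/controls/SV-244531.rb`, the fix belongs in that source control with the JSON re-exported. It is also worth confirming the export source, as this file is named `canonical-ubuntu-16.04-lts-stig-baseline.json` yet the new side embeds RHEL 8 controls (`stig_id: 'RHEL-08-010731'`, `ref 'DPMS Target Red Hat Enterprise Linux 8'`).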
@@ -2964,38 +2923,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", - "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" - ], - "gid": "V-244534", - "rid": "SV-244534r743851_rule", - "stig_id": "RHEL-08-020026", - "fix_id": "F-47766r743850_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230385", + "rid": "SV-230385r792902_rule", + "stig_id": "RHEL-08-020353", + "fix_id": "F-33029r792901_fix", "cci": [ - "CCI-000044" + "CCI-000366" ], "nist": [ - "AC-7 a" + "CM-6 b" ], "host": null, "container": null }, - "code": "control 'SV-244534' do\n title 'RHEL 8 must configure the use of the pam_faillock.so module in the\n/etc/pam.d/password-auth file.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the pam_faillock.so module is present in the\n\"/etc/pam.d/password-auth\" file:\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so\npreauth\n auth required pam_faillock.so\nauthfail\n account required pam_faillock.so\n\n If the pam_faillock.so module is not present in the\n\"/etc/pam.d/password-auth\" file with the \"preauth\" line listed before\npam_unix.so, this is a finding.'\n desc 'fix', 'Configure the operating system to include the use of the pam_faillock.so\nmodule in the /etc/pam.d/password-auth file.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/password-auth\"\nfile to match the following lines:\n Note: The \"preauth\" line must be listed before pam_unix.so.\n\n auth required pam_faillock.so preauth\n auth required pam_faillock.so authfail\n account required pam_faillock.so'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-244534'\n tag rid: 'SV-244534r743851_rule'\n tag stig_id: 'RHEL-08-020026'\n tag fix_id: 'F-47766r743850_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') }\n its('lines') { should match_pam_rule('auth 
required pam_faillock.so authfail') }\n its('lines') { should match_pam_rule('account required pam_faillock.so') }\n end\nend\n", + "code": "control 'SV-230385' do\n title 'RHEL 8 must define default permissions for logon and non-logon shells.'\n desc 'The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.'\n desc 'check', 'Verify that the umask default for installed shells is \"077\".\n\nCheck for the value of the \"UMASK\" parameter in the \"/etc/bashrc\", \"/etc/csh.cshrc\" and \"/etc/profile\" files with the following command:\n\nNote: If the value of the \"UMASK\" parameter is set to \"000\" in the \"/etc/bashrc\" the \"/etc/csh.cshrc\" or the \"/etc/profile\" files, the Severity is raised to a CAT I.\n\n# grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile\n\n/etc/bashrc: umask 077\n/etc/bashrc: umask 077\n/etc/csh.cshrc: umask 077\n/etc/csh.cshrc: umask 077\n/etc/profile: umask 077\n/etc/profile: umask 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the lines for the \"UMASK\" parameter in the \"/etc/bashrc\", \"/etc/csh.cshrc\" and \"/etc/profile\"files to \"077\":\n\nUMASK 077'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230385'\n tag rid: 'SV-230385r792902_rule'\n tag stig_id: 'RHEL-08-020353'\n tag 
fix_id: 'F-33029r792901_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n umask_regexp = /umask\\s*(?\\d\\d\\d)/\n\n bashrc_umask = file('/etc/bashrc').content.match(umask_regexp)[:umask_code]\n cshrc_umask = file('/etc/csh.cshrc').content.match(umask_regexp)[:umask_code]\n profile_umask = file('/etc/profile').content.match(umask_regexp)[:umask_code]\n\n if bashrc_umask == '000' || cshrc_umask == '000'\n impact 0.7\n tag severity: 'high'\n end\n\n describe 'umask value defined in /etc/bashrc' do\n subject { bashrc_umask }\n it { should cmp input('permissions_for_shells')['bashrc_umask'] }\n end\n describe 'umask value defined in /etc/csh.cshrc' do\n subject { cshrc_umask }\n it { should cmp input('permissions_for_shells')['cshrc_umask'] }\n end\n describe 'umask value defined in /etc/profile' do\n subject { profile_umask }\n it { should cmp input('permissions_for_shells')['profile_umask'] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244534.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230385.rb", "line": 1 }, - "id": "SV-244534" + "id": "SV-230385" }, { - "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that contain user home directories.", - "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must use cryptographic mechanisms to protect the integrity of\naudit tools.", + "desc": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. 
Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed to\nprovide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. An example is a checksum hash of the file or files.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", - "check": "Verify file systems that contain user home directories are mounted with the\n\"nosuid\" option.\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is\nautomatically a finding as the \"nosuid\" option cannot be used on the \"/\"\nsystem.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n smithj:1001: /home/smithj\n robinst:1002: /home/robinst\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n $ sudo more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home xfs\nrw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that contain user home directories for interactive users." + "default": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed to\nprovide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. An example is a checksum hash of the file or files.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nCheck the selection lines to ensure AIDE is configured to add/check with the following command:\n\n $ sudo grep -E '(\\/usr\\/sbin\\/(audit|au|rsys))' /etc/aide.conf\n\n /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. 
If there is no evidence of integrity protection, this is a finding.", + "fix": "Add or update the following lines to \"/etc/aide.conf\", to protect the\nintegrity of the audit tools.\n\n # Audit Tools\n /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" }, "impact": 0.5, "refs": [ 
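Review bot: In the new `SV-230385` code in this hunk, `file('/etc/bashrc').content.match(umask_regexp)[:umask_code]` (and the two lines after it for `/etc/csh.cshrc` and `/etc/profile`) indexes the match result without a nil check, so a file with no `umask` line — or a missing file, whose `content` is nil — raises an error instead of producing the finding the check text in this hunk prescribes for a missing `UMASK`; `m = file('/etc/bashrc').content.to_s.match(umask_regexp)` followed by `bashrc_umask = m && m[:umask_code]` keeps the nil as a reportable value. The same regex takes the first `umask` occurrence, so a commented-out `# umask 077` satisfies it even though the check text treats commented-out values as a finding, and the match is case-sensitive where the documented command uses `grep -i`; matching only uncommented lines (`/^\s*umask\s+(?<umask_code>\d{3})/i`) and taking the last hit would follow the shell's effective value more closely. The severity escalation `if bashrc_umask == '000' || cshrc_umask == '000'` omits `profile_umask`, although the check text raises the severity for `/etc/profile` as well. The regex appears here as `(?\\d\\d\\d)`, presumably `(?<umask_code>\\d\\d\\d)` with the angle brackets lost in rendering — worth confirming the committed text still carries the group name, since `[:umask_code]` depends on it. As `source_location` points at `./Red Hat 8 STIG/controls/SV-230385.rb`, the fix belongs in that control with the JSON re-exported.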
@@ -3005,33 +2960,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230299", - "rid": "SV-230299r627750_rule", - "stig_id": "RHEL-08-010570", - "fix_id": "F-32943r567644_fix", + "gtitle": "SRG-OS-000278-GPOS-00108", + "gid": "V-230475", + "rid": "SV-230475r880722_rule", + "stig_id": "RHEL-08-030650", + "fix_id": "F-33119r568172_fix", "cci": [ - "CCI-000366" + "CCI-001496" ], "nist": [ - "CM-6 b" + "AU-9 (3)" ], "host": null }, - "code": "control 'SV-230299' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that contain user home directories.'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', %q(Verify file systems that contain user home directories are mounted with the\n\"nosuid\" option.\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is\nautomatically a finding as the \"nosuid\" option cannot be used on the \"/\"\nsystem.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n smithj:1001: /home/smithj\n robinst:1002: /home/robinst\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n $ sudo more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home xfs\nrw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"nosuid\" option set, this is a 
finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that contain user home directories for interactive users.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230299'\n tag rid: 'SV-230299r627750_rule'\n tag stig_id: 'RHEL-08-010570'\n tag fix_id: 'F-32943r567644_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n interactive_users = passwd.where {\n uid.to_i >= 1000 && shell !~ /nologin/\n }\n\n interactive_user_homedirs = interactive_users.homes.map { |home_path|\n home_path.match(%r{^(.*)/.*$}).captures.first\n }.uniq\n\n option = 'nosuid'\n\n mounted_on_root = interactive_user_homedirs.select { |dir| dir == '/' }\n not_configured = interactive_user_homedirs.reject { |dir| etc_fstab.where { mount_point == dir }.configured? 
}\n option_not_set = interactive_user_homedirs.reject { |dir| etc_fstab.where { mount_point == dir }.mount_options.flatten.include?(option) }\n\n describe 'All interactive user home directories' do\n it \"should not be mounted under root ('/')\" do\n expect(mounted_on_root).to be_empty, \"Home directories mounted on root ('/'):\\n\\t- #{mounted_on_root.join(\"\\n\\t- \")}\"\n end\n it 'should be configured in /etc/fstab' do\n expect(not_configured).to be_empty, \"Unconfigured home directories:\\n\\t- #{not_configured.join(\"\\n\\t- \")}\"\n end\n if (option_not_set - not_configured).nil?\n it \"should have the '#{option}' mount option set\" do\n expect(option_not_set - not_configured).to be_empty, \"Mounted home directories without '#{option}' set:\\n\\t- #{not_configured.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230475' do\n title 'RHEL 8 must use cryptographic mechanisms to protect the integrity of\naudit tools.'\n desc 'Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed to\nprovide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. 
An example is a checksum hash of the file or files.'\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nCheck the selection lines to ensure AIDE is configured to add/check with the following command:\n\n $ sudo grep -E '(\\\\/usr\\\\/sbin\\\\/(audit|au|rsys))' /etc/aide.conf\n\n /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. 
If there is no evidence of integrity protection, this is a finding.\"\n desc 'fix', 'Add or update the following lines to \"/etc/aide.conf\", to protect the\nintegrity of the audit tools.\n\n # Audit Tools\n /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000278-GPOS-00108'\n tag gid: 'V-230475'\n tag rid: 'SV-230475r880722_rule'\n tag stig_id: 'RHEL-08-030650'\n tag fix_id: 'F-33119r568172_fix'\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_tools = %w[/usr/sbin/auditctl\n /usr/sbin/auditd\n /usr/sbin/ausearch\n /usr/sbin/aureport\n /usr/sbin/autrace\n /usr/sbin/rsyslogd\n /usr/sbin/augenrules]\n\n if package('aide').installed?\n audit_tools.each do |tool|\n describe \"selection_line: #{tool}\" do\n subject { aide_conf.where { selection_line.eql?(tool) } }\n its('rules.flatten') { should include 'p' }\n its('rules.flatten') { should include 'i' }\n its('rules.flatten') { should include 'n' }\n its('rules.flatten') { should include 'u' }\n its('rules.flatten') { should include 'g' }\n its('rules.flatten') { should include 's' }\n its('rules.flatten') { should include 'b' }\n its('rules.flatten') { should include 'acl' }\n its('rules.flatten') { should include 'xattrs' }\n its('rules.flatten') { should include 'sha512' }\n end\n end\n else\n describe 'The system is not utilizing Advanced Intrusion Detection Environment (AIDE)' do\n skip 'The system is not utilizing Advanced Intrusion Detection 
Environment (AIDE), manual review is required.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230299.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230475.rb", "line": 1 }, - "id": "SV-230299" + "id": "SV-230475" }, { - "title": "Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate\nan audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-agent\" is a\nprogram to hold private keys used for public key authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n\"Setxattr\" is a system call used to set an extended attribute value.\n\"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\"Lsetxattr\" is a system call used to set an extended attribute value. 
This is used to set extended attributes on a symbolic link.\n\"Removexattr\" is a system call that removes extended attributes.\n\"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-agent\" is a\nprogram to hold private keys used for public key authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"ssh-agent\" by performing the following command to check\nthe file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep ssh-agent /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-ssh\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-agent\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n\"Setxattr\" is a system call used to set an extended attribute value.\n\"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\"Lsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.\n\"Removexattr\" is a system call that removes extended attributes.\n\"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\"Lremovexattr\" is a system call that removes extended attributes. 
This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", + "check": "Verify if RHEL 8 is configured to audit the execution of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls by running the following command:\n\n$ sudo grep xattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return an audit rule for \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" or any of the lines returned are commented out, this is a finding.", + "fix": "Configure RHEL 8 to audit the execution of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls by adding or updating the following 
lines to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ @@ -3046,15 +3001,19 @@ "SRG-OS-000062-GPOS-00031", "SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", + "SRG-OS-000458-GPOS-00203", "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000468-GPOS-00212", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000474-GPOS-00219", + "SRG-OS-000466-GPOS-00210" ], - "gid": "V-230421", - "rid": "SV-230421r627750_rule", - "stig_id": "RHEL-08-030280", - "fix_id": "F-33065r568010_fix", + "gid": "V-230413", + "rid": "SV-230413r810463_rule", + "stig_id": "RHEL-08-030200", + "fix_id": "F-33057r809294_fix", "cci": [ "CCI-000169" ], 
@@ -3063,22 +3022,22 @@ ], "host": null }, - "code": "control 'SV-230421' do\n title 'Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate\nan audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-agent\" is a\nprogram to hold private keys used for public key authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"ssh-agent\" by performing the following command to check\nthe file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep ssh-agent /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-ssh\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-agent\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: 
['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230421'\n tag rid: 'SV-230421r627750_rule'\n tag stig_id: 'RHEL-08-030280'\n tag fix_id: 'F-33065r568010_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/ssh-agent'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230413' do\n title 'The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n\"Setxattr\" is a system call used to set an extended attribute value.\n\"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\"Lsetxattr\" is a system call used to set an extended attribute value. 
This is used to set extended attributes on a symbolic link.\n\"Removexattr\" is a system call that removes extended attributes.\n\"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', 'Verify if RHEL 8 is configured to audit the execution of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls by running the following command:\n\n$ sudo grep xattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return an audit rule for \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" or any of the lines returned are commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to audit the execution of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls by adding or updating the following lines to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat 
Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000458-GPOS-00203', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000474-GPOS-00219', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230413'\n tag rid: 'SV-230413r810463_rule'\n tag stig_id: 'RHEL-08-030200'\n tag fix_id: 'F-33057r809294_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['setxattr', 'fsetxattr', 'lsetxattr', 'removexattr', 'fremovexattr', 'lremovexattr']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230421.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230413.rb", "line": 1 }, - "id": "SV-230421" + "id": "SV-230413" }, { - "title": "RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)\nredirect messages.", - "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "The RHEL 8 operating system must implement DoD-approved TLS encryption\nin the GnuTLS package.", + "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Transport Layer Security (TLS) encryption is a required security setting as\na number of known vulnerabilities have been reported against Secure Sockets\nLayer (SSL) and earlier versions of TLS. Encryption of private information is\nessential to ensuring data confidentiality. If private information is not\nencrypted, it can be intercepted and easily read by an unauthorized party. SQL\nServer must use a minimum of FIPS 140-2-approved TLS version 1.2, and all\nnon-FIPS-approved SSL and TLS versions must be disabled. 
NIST SP 800-52\nspecifies the preferred configurations for government systems.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n The GnuTLS library offers an API to access secure communications protocols.\n SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto\npolicy defines employed algorithms in the\n/etc/crypto-policies/back-ends/gnutls.config file.", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 ignores IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_redirects\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0\n\nIf \"net.ipv6.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to ignore IPv6 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" - }, - "impact": 0.5, + "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Transport Layer Security (TLS) encryption is a required security setting 
as\na number of known vulnerabilities have been reported against Secure Sockets\nLayer (SSL) and earlier versions of TLS. Encryption of private information is\nessential to ensuring data confidentiality. If private information is not\nencrypted, it can be intercepted and easily read by an unauthorized party. SQL\nServer must use a minimum of FIPS 140-2-approved TLS version 1.2, and all\nnon-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52\nspecifies the preferred configurations for government systems.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n The GnuTLS library offers an API to access secure communications protocols.\n SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto\npolicy defines employed algorithms in the\n/etc/crypto-policies/back-ends/gnutls.config file.", + "check": "Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions:\n\n$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config\n\n+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM\n\nIf the \"gnutls.config\" does not list \"-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0\" to disable unapproved SSL/TLS versions, this is a finding.", + "fix": "Configure the RHEL 8 GnuTLS library to use only DoD-approved encryption by\nadding the following line to \"/etc/crypto-policies/back-ends/gnutls.config\":\n\n +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0\n\n A reboot is required for the changes to take effect." + }, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" 
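Review bot: The embedded InSpec code for SV-230413 only asserts `include('auid>=1000', 'auid!=-1')` on the flattened fields of the rules returned by `auditd.syscall(audit_syscall)`, but the control's own check text requires a second pair of rules with `-F auid=0` so that root's setxattr/removexattr calls are audited as well; a host loaded with only the `auid>=1000` rules passes this test even though the check text calls it a finding. Assuming `auditd.syscall` returns every loaded rule naming that syscall (which the `.uniq`/`.flatten` usage suggests), adding `expect(audit_rule.fields.flatten).to include('auid=0')` after the existing fields assertion would close that gap. Because the fields are flattened across all matched rules, the current assertion also cannot tell whether `auid>=1000` and `auid!=-1` sit on the same rule, so a per-rule check would be stricter still, but the missing root rule is the concrete miss. Separately, the SV-230256 description carried into this hunk says "SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2", which reads as text copied from a different STIG; if this file is regenerated from upstream, that wording is worth reporting upstream rather than patching here.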
@@ -3086,33 +3045,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230544", - "rid": "SV-230544r858820_rule", - "stig_id": "RHEL-08-040280", - "fix_id": "F-33188r858819_fix", + "gtitle": "SRG-OS-000250-GPOS-00093", + "satisfies": [ + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000423-GPOS-00187" + ], + "gid": "V-230256", + "rid": "SV-230256r877394_rule", + "stig_id": "RHEL-08-010295", + "fix_id": "F-32900r567515_fix", "cci": [ - "CCI-000366" + "CCI-001453" ], "nist": [ - "CM-6 b" + "AC-17 (2)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230544' do\n title 'RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)\nredirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 ignores IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_redirects\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0\n\nIf \"net.ipv6.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to ignore IPv6 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230544'\n tag rid: 'SV-230544r858820_rule'\n tag stig_id: 'RHEL-08-040280'\n 
tag fix_id: 'F-33188r858819_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_redirect'\n action = 'accepting IPv6 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line 
`#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230256' do\n title 'The RHEL 8 operating system must implement DoD-approved TLS encryption\nin the GnuTLS package.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Transport Layer Security (TLS) encryption is a required security setting as\na number of known vulnerabilities have been reported against Secure Sockets\nLayer (SSL) and earlier versions of TLS. Encryption of private information is\nessential to ensuring data confidentiality. If private information is not\nencrypted, it can be intercepted and easily read by an unauthorized party. SQL\nServer must use a minimum of FIPS 140-2-approved TLS version 1.2, and all\nnon-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52\nspecifies the preferred configurations for government systems.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n The GnuTLS library offers an API to access secure communications protocols.\n SSLv2 is not available in the GnuTLS library. 
The RHEL 8 system-wide crypto\npolicy defines employed algorithms in the\n/etc/crypto-policies/back-ends/gnutls.config file.'\n desc 'check', 'Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions:\n\n$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config\n\n+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM\n\nIf the \"gnutls.config\" does not list \"-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0\" to disable unapproved SSL/TLS versions, this is a finding.'\n desc 'fix', 'Configure the RHEL 8 GnuTLS library to use only DoD-approved encryption by\nadding the following line to \"/etc/crypto-policies/back-ends/gnutls.config\":\n\n +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000423-GPOS-00187']\n tag gid: 'V-230256'\n tag rid: 'SV-230256r877394_rule'\n tag stig_id: 'RHEL-08-010295'\n tag fix_id: 'F-32900r567515_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container'\n\n gnutls = file('/etc/crypto-policies/back-ends/gnutls.config').content.upcase.strip.split(':')\n unapproved_versions = input('unapproved_ssl_tls_versions').map(&:upcase)\n failing_versions = unapproved_versions - gnutls\n\n describe 'GnuTLS' do\n it 'should disable unapproved SSL/TLS versions' do\n expect(failing_versions).to be_empty, \"GnuTLS should not allow:\\n\\t- #{failing_versions.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230544.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230256.rb", "line": 1 }, - "id": "SV-230544" + "id": "SV-230256" }, { - "title": "RHEL 8 must automatically lock an account when three unsuccessful\nlogon 
attempts occur.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "Successful/unsuccessful uses of the usermod command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"usermod\" command\nmodifies the system account files to reflect the changes that are specified on\nthe command line.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount after three unsuccessful logon attempts:\n\n $ sudo grep 'deny =' /etc/security/faillock.conf\n\n deny = 3\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\"), is\nmissing or commented out, this is a finding.", - "fix": "Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n deny = 3" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within 
the\ninformation system (e.g., module or policy filter). The \"usermod\" command\nmodifies the system account files to reflect the changes that are specified on\nthe command line.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"usermod\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w usermod /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-usermod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"usermod\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-usermod\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -3122,38 +3086,43 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000466-GPOS-00210" ], - "gid": "V-230333", - "rid": "SV-230333r743966_rule", - "stig_id": "RHEL-08-020011", - "fix_id": "F-32977r743965_fix", + "gid": "V-230463", + "rid": "SV-230463r627750_rule", + "stig_id": "RHEL-08-030560", + "fix_id": "F-33107r568136_fix", "cci": [ - "CCI-000044" + "CCI-000169" ], "nist": [ - "AC-7 a" + "AU-12 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230333' do\n title 'RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', %q(Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount after three unsuccessful logon attempts:\n\n $ sudo grep 'deny =' /etc/security/faillock.conf\n\n deny = 3\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\"), is\nmissing or commented out, this is a finding.)\n desc 'fix', 'Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n deny = 3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230333'\n tag rid: 'SV-230333r743966_rule'\n tag stig_id: 'RHEL-08-020011'\n tag fix_id: 'F-32977r743965_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL version 8.2 and later. 
If the system is not RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('deny') { should cmp <= input('unsuccessful_attempts') }\n its('deny') { should_not cmp 0 }\n end\nend\n", + "code": "control 'SV-230463' do\n title 'Successful/unsuccessful uses of the usermod command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"usermod\" command\nmodifies the system account files to reflect the changes that are specified on\nthe command line.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"usermod\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w usermod /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-usermod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"usermod\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-usermod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230463'\n tag rid: 'SV-230463r627750_rule'\n tag stig_id: 'RHEL-08-030560'\n tag fix_id: 'F-33107r568136_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/usermod'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230333.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230463.rb", "line": 1 }, - "id": "SV-230333" + "id": "SV-230463" }, { - "title": "RHEL 8 must ensure cryptographic verification of vendor software packages.", - "desc": "Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.", + "title": "RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.", + "desc": "Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nPoisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.\n\nSLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator.", "descriptions": { - "default": "Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. 
Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.", - "check": "Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.\n\nNote: For RHEL 8 software packages, Red Hat uses GPG keys labeled \"release key 2\" and \"auxiliary key 2\". The keys are defined in key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" by default.\n\nList Red Hat GPG keys installed on the system:\n\n $ sudo rpm -q --queryformat \"%{SUMMARY}\\n\" gpg-pubkey | grep -i \"red hat\"\n\n gpg(Red Hat, Inc. (release key 2) )\n gpg(Red Hat, Inc. (auxiliary key) )\n\nIf Red Hat GPG keys \"release key 2\" and \"auxiliary key 2\" are not installed, this is a finding.\n\nNote: The \"auxiliary key 2\" appears as \"auxiliary key\" on a RHEL 8 system.\n\nList key fingerprints of installed Red Hat GPG keys:\n\n $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nIf key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" is missing, this is a finding.\n\nExample output:\n\n pub rsa4096/FD431D51 2009-10-22 [SC]\n Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51\n uid Red Hat, Inc. (release key 2) \n pub rsa4096/D4082792 2018-06-27 [SC]\n Key fingerprint = 6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792\n uid Red Hat, Inc. (auxiliary key) \n sub rsa4096/1B5584D3 2018-06-27 [E]\n\nCompare key fingerprints of installed Red Hat GPG keys with fingerprints listed for RHEL 8 on Red Hat \"Product Signing Keys\" webpage at https://access.redhat.com/security/team/key.\n\nIf key fingerprints do not match, this is a finding.", - "fix": "Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values.\n\nInsert RHEL 8 installation disc or attach RHEL 8 installation image to the system. 
Mount the disc or image to make the contents accessible inside the system.\n\nAssuming the mounted location is \"/media/cdrom\", use the following command to copy Red Hat GPG key file onto the system:\n\n $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/\n\nImport Red Hat GPG keys from key file into system keyring:\n\n $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nUsing the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values." + "default": "Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nPoisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.\n\nSLAB objects are blocks of physically-contiguous memory. 
SLUB is the unqueued SLAB allocator.", + "check": "Verify that GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has poisoning of SLUB/SLAB objects enabled:\n\n$ sudo grub2-editenv list | grep slub_debug\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 slub_debug=P page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"slub_debug\" does not contain \"P\" or is missing, this is a finding.\n\nCheck that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates:\n\n$ sudo grep slub_debug /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"slub_debug=P\"\n\nIf \"slub_debug\" does not contain \"P\", is missing, or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to enable poisoning of SLUB/SLAB objects with the\nfollowing commands:\n\n $ sudo grubby --update-kernel=ALL --args=\"slub_debug=P\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"slub_debug=P\"" }, "impact": 0.5, "refs": [ 
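Review bot: The new `satisfies` array for SV-230463 (and the mirrored `tag satisfies:` line inside `code`) lists `SRG-OS-000062-GPOS-00031` twice, as the first and again as the fourth element; the duplicate should be dropped in the control source `./Red Hat 8 STIG/controls/SV-230463.rb` and the JSON regenerated so both copies agree. Separately, the check text documents the rule as `-F auid!=unset` while the test asserts `include('perm=x', 'auid>=1000', 'auid!=-1')`; whether those match depends on how the auditd resource renders the loaded rule on the target's audit version, which I cannot confirm from this diff. If the `-1` form is intentional, a comment on that line such as `# NOTE(review): STIG text uses auid!=unset; this asserts the auditctl -l rendering (auid!=-1) — confirm on target audit version` would keep the next reader from "fixing" it back.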
@@ -3162,37 +3131,38 @@ } ], "tags": { - "check_id": "C-60651r902750_chk", "severity": "medium", - "gid": "V-256973", - "rid": "SV-256973r902752_rule", - "stig_id": "RHEL-08-010019", - "gtitle": "SRG-OS-000366-GPOS-00153", - "fix_id": "F-60593r902751_fix", - "documentable": null, + "gtitle": "SRG-OS-000134-GPOS-00068", + "satisfies": [ + "SRG-OS-000134-GPOS-00068", + "SRG-OS-000433-GPOS-00192" + ], + "gid": "V-230279", + "rid": "SV-230279r951598_rule", + "stig_id": "RHEL-08-010423", + "fix_id": "F-32923r567584_fix", "cci": [ - "CCI-001749" + "CCI-001084" ], "nist": [ - "CM-5 (3)" + "SC-3" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-256973' do\n title 'RHEL 8 must ensure cryptographic verification of vendor software packages.'\n desc 'Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.'\n desc 'check', 'Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.\n\nNote: For RHEL 8 software packages, Red Hat uses GPG keys labeled \"release key 2\" and \"auxiliary key 2\". The keys are defined in key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" by default.\n\nList Red Hat GPG keys installed on the system:\n\n $ sudo rpm -q --queryformat \"%{SUMMARY}\\\\n\" gpg-pubkey | grep -i \"red hat\"\n\n gpg(Red Hat, Inc. (release key 2) )\n gpg(Red Hat, Inc. 
(auxiliary key) )\n\nIf Red Hat GPG keys \"release key 2\" and \"auxiliary key 2\" are not installed, this is a finding.\n\nNote: The \"auxiliary key 2\" appears as \"auxiliary key\" on a RHEL 8 system.\n\nList key fingerprints of installed Red Hat GPG keys:\n\n $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nIf key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" is missing, this is a finding.\n\nExample output:\n\n pub rsa4096/FD431D51 2009-10-22 [SC]\n Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51\n uid Red Hat, Inc. (release key 2) \n pub rsa4096/D4082792 2018-06-27 [SC]\n Key fingerprint = 6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792\n uid Red Hat, Inc. (auxiliary key) \n sub rsa4096/1B5584D3 2018-06-27 [E]\n\nCompare key fingerprints of installed Red Hat GPG keys with fingerprints listed for RHEL 8 on Red Hat \"Product Signing Keys\" webpage at https://access.redhat.com/security/team/key.\n\nIf key fingerprints do not match, this is a finding.'\n desc 'fix', 'Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values.\n\nInsert RHEL 8 installation disc or attach RHEL 8 installation image to the system. 
Mount the disc or image to make the contents accessible inside the system.\n\nAssuming the mounted location is \"/media/cdrom\", use the following command to copy Red Hat GPG key file onto the system:\n\n $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/\n\nImport Red Hat GPG keys from key file into system keyring:\n\n $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nUsing the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-60651r902750_chk'\n tag severity: 'medium'\n tag gid: 'V-256973'\n tag rid: 'SV-256973r902752_rule'\n tag stig_id: 'RHEL-08-010019'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag fix_id: 'F-60593r902751_fix'\n tag 'documentable'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host'\n tag 'container'\n\n rpm_gpg_file = input('rpm_gpg_file')\n rpm_gpg_keys = input('rpm_gpg_keys')\n\n describe file(rpm_gpg_file) do\n it { should exist }\n end\n rpm_gpg_keys.each do |k, v|\n describe command('rpm -q --queryformat \"%{SUMMARY}\\\\n\" gpg-pubkey | grep -i \"red hat\"') do\n its('stdout') { should include k.to_s }\n end\n next unless file(rpm_gpg_file).exist?\n\n describe command(\"gpg -q --keyid-format short --with-fingerprint #{rpm_gpg_file}\") do\n its('stdout') { should include v }\n end\n end\nend\n", + "code": "control 'SV-230279' do\n title 'RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.'\n desc 'Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. 
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nPoisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.\n\nSLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator.'\n desc 'check', 'Verify that GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has poisoning of SLUB/SLAB objects enabled:\n\n$ sudo grub2-editenv list | grep slub_debug\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 slub_debug=P page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"slub_debug\" does not contain \"P\" or is missing, this is a finding.\n\nCheck that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates:\n\n$ sudo grep slub_debug /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"slub_debug=P\"\n\nIf \"slub_debug\" does not contain \"P\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable poisoning of SLUB/SLAB objects with the\nfollowing commands:\n\n $ sudo grubby --update-kernel=ALL --args=\"slub_debug=P\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"slub_debug=P\"'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag satisfies: ['SRG-OS-000134-GPOS-00068', 
'SRG-OS-000433-GPOS-00192']\n tag gid: 'V-230279'\n tag rid: 'SV-230279r951598_rule'\n tag stig_id: 'RHEL-08-010423'\n tag fix_id: 'F-32923r567584_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_stdout = command('grub2-editenv - list').stdout\n setting = /slub_debug\\s*=\\s*.*P.*/\n\n describe 'GRUB config' do\n it 'should enable page poisoning' do\n expect(parse_config(grub_stdout)['kernelopts']).to match(setting), 'Current GRUB configuration does not disable this setting'\n expect(parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX']).to match(setting), 'Setting not configured to persist between kernel updates'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-256973.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230279.rb", "line": 1 }, - "id": "SV-256973" + "id": "SV-230279" }, { - "title": "RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.", - "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", + "title": "RHEL 8 must log user name information when unsuccessful logon attempts\noccur.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", - "check": "Verify that the operating system is configured to allow sending email notifications.\n\nNote: The \"mailx\" package provides the \"mail\" command that is used to send email messages.\n\nVerify that the \"mailx\" package is installed on the system:\n\n $ sudo yum list installed mailx\n\n mailx.x86_64 12.5-29.el8 @rhel-8-for-x86_64-baseos-rpm\n\nIf \"mailx\" package is not installed, this is a finding.", - "fix": "Install the \"mailx\" package on the system:\n\n $ sudo yum install mailx" + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to log user\nname information when unsuccessful logon attempts occur:\n\n $ sudo grep audit /etc/security/faillock.conf\n\n audit\n\n If the \"audit\" option is not set, is missing or commented out, this is a\nfinding.", + "fix": "Configure the operating system to log user name information when\nunsuccessful logon attempts occur.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n audit" }, "impact": 0.5, "refs": [ 
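Review bot: The `setting` regex in the new `code` for SV-230279, `/slub_debug\s*=\s*.*P.*/` (escaped as `\\s` in the JSON), is satisfied by any uppercase `P` anywhere later on the kernelopts line, not only in the `slub_debug` value, so a host with, say, `slub_debug=F` followed by another option containing a `P` would pass the check; bounding it to the value token, `setting = /slub_debug\s*=\s*\S*P/`, keeps the assertion tied to the option the STIG names. The first failure message, `'Current GRUB configuration does not disable this setting'`, also says the opposite of what the control requires; `'Current GRUB configuration does not enable SLUB/SLAB poisoning'` reads correctly. The example name `'should enable page poisoning'` describes `page_poison` rather than `slub_debug`; `'should enable SLUB/SLAB object poisoning'` matches the control title. These belong in `./Red Hat 8 STIG/controls/SV-230279.rb`, with this baseline JSON regenerated from it.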
@@ -3201,37 +3171,39 @@ } ], "tags": { - "check_id": "C-60652r902753_chk", "severity": "medium", - "gid": "V-256974", - "rid": "SV-256974r902755_rule", - "stig_id": "RHEL-08-010358", - "gtitle": "SRG-OS-000363-GPOS-00150", - "fix_id": "F-60594r902754_fix", - "documentable": null, + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-230343", + "rid": "SV-230343r743981_rule", + "stig_id": "RHEL-08-020021", + "fix_id": "F-32987r743980_fix", "cci": [ - "CCI-001744" + "CCI-000044" ], "nist": [ - "CM-3 (5)" + "AC-7 a" ], "host": null, "container": null }, - "code": "control 'SV-256974' do\n title 'RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.'\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\"\n desc 'check', 'Verify that the operating system is configured to allow sending email notifications.\n\nNote: The \"mailx\" package provides the \"mail\" command that is used to send email messages.\n\nVerify that the \"mailx\" package is installed on the system:\n\n $ sudo yum list installed mailx\n\n mailx.x86_64 12.5-29.el8 @rhel-8-for-x86_64-baseos-rpm\n\nIf \"mailx\" package is not installed, this is a finding.'\n desc 'fix', 'Install the \"mailx\" package on the system:\n\n $ sudo yum install mailx'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-60652r902753_chk'\n tag severity: 'medium'\n tag gid: 'V-256974'\n tag rid: 'SV-256974r902755_rule'\n tag stig_id: 'RHEL-08-010358'\n tag gtitle: 'SRG-OS-000363-GPOS-00150'\n tag fix_id: 'F-60594r902754_fix'\n tag 'documentable'\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag 'host'\n tag 'container'\n\n mail_package = input('mail_package')\n\n describe package(mail_package) do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-230343' do\n title 'RHEL 8 must log user name information when unsuccessful logon attempts\noccur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to log user\nname information when unsuccessful logon attempts occur:\n\n $ sudo grep audit /etc/security/faillock.conf\n\n audit\n\n If the \"audit\" option is not set, is missing or commented out, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to log user name information when\nunsuccessful logon attempts occur.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n audit'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230343'\n tag rid: 'SV-230343r743981_rule'\n tag stig_id: 'RHEL-08-020021'\n tag fix_id: 'F-32987r743980_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('audit') { should_not be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-256974.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230343.rb", "line": 1 }, - "id": "SV-256974" + "id": "SV-230343" }, { - "title": "RHEL 8 must enable the SELinux targeted policy.", - "desc": "Without verification of the security functions, 
security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", + "title": "RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.", + "desc": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", "descriptions": { - "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", - "check": "Ensure the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and is enforcing the targeted policy with\nthe following command:\n\n $ sudo sestatus\n\n SELinux status: enabled\n SELinuxfs mount: /sys/fs/selinux\n SELinux root directory: /etc/selinux\n Loaded policy name: targeted\n Current mode: enforcing\n Mode from config file: enforcing\n Policy MLS status: enabled\n Policy deny_unknown status: allowed\n Memory protection checking: actual (secure)\n Max kernel policy version: 31\n\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n\n Verify that the /etc/selinux/config file is configured to the\n\"SELINUXTYPE\" to \"targeted\":\n\n $ sudo grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n\n SELINUXTYPE = targeted\n\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\",\nthis is a finding.", - "fix": "Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUXTYPE=targeted\n\n A reboot is required for the changes to take effect." 
+ "default": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "check": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*banner'\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.", + "fix": "Configure the operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect." }, "impact": 0.5, "refs": [ 
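Review bot: The version gate in the new SV-230343 `code` string, `(os.release.to_f) >= 8.2`, truncates two-digit minor releases — `"8.10".to_f` evaluates to `8.1`, so on RHEL 8.10 the `only_if` would mark the control Not Applicable and the faillock `audit` check would never run. Compare a parsed version instead, e.g. `Gem::Version.new(os.release) >= Gem::Version.new('8.2')`, which needs no extra escaping inside the JSON string. A second, unconfirmed concern is `its('audit') { should_not be_nil }` on `parse_config_file('/etc/security/faillock.conf')`: the check text expects a bare `audit` line with no `=`, and the default key/value parser may not record a key for such a line, which would report a finding on a compliant host — worth verifying against a host configured exactly as the fix text describes. The surrounding control object continues into the next hunk, so the `refs`/`tags` that follow are outside this one.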
@@ -3241,33 +3213,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000445-GPOS-00199", - "gid": "V-230282", - "rid": "SV-230282r854035_rule", - "stig_id": "RHEL-08-010450", - "fix_id": "F-32926r567593_fix", + "gtitle": "SRG-OS-000023-GPOS-00006", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" + ], + "gid": "V-230225", + "rid": "SV-230225r951590_rule", + "stig_id": "RHEL-08-010040", + "fix_id": "F-32869r951589_fix", "cci": [ - "CCI-002696" + "CCI-000048" ], "nist": [ - "SI-6 a" + "AC-8 a" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230282' do\n title 'RHEL 8 must enable the SELinux targeted policy.'\n desc 'Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.'\n desc 'check', %q(Ensure the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and is enforcing the targeted policy with\nthe following command:\n\n $ sudo sestatus\n\n SELinux status: enabled\n SELinuxfs mount: /sys/fs/selinux\n SELinux root directory: /etc/selinux\n Loaded policy name: targeted\n Current mode: enforcing\n Mode from config file: enforcing\n Policy MLS status: enabled\n Policy deny_unknown status: allowed\n Memory protection checking: actual (secure)\n Max kernel policy version: 31\n\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n\n Verify that the /etc/selinux/config file is configured to the\n\"SELINUXTYPE\" to \"targeted\":\n\n $ sudo grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n\n SELINUXTYPE = targeted\n\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\",\nthis is a finding.)\n desc 'fix', 'Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUXTYPE=targeted\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag gid: 'V-230282'\n tag rid: 'SV-230282r854035_rule'\n tag stig_id: 'RHEL-08-010450'\n tag fix_id: 'F-32926r567593_fix'\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n tag 'host'\n\n only_if('This control is Not 
Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe selinux do\n it { should_not be_disabled }\n it { should be_enforcing }\n its('policy') { should eq 'targeted' }\n end\n\n describe parse_config_file('/etc/selinux/config') do\n its('SELINUXTYPE') { should eq 'targeted' }\n end\nend\n", + "code": "control 'SV-230225' do\n title 'RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.'\n desc %q(Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\")\n desc 'check', %q(Verify any publicly accessible connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*banner'\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.)\n desc 'fix', 'Configure the operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-230225'\n tag rid: 'SV-230225r951590_rule'\n tag stig_id: 'RHEL-08-010040'\n tag fix_id: 'F-32869r951589_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {\n !virtualization.system.eql?('docker') || file('/etc/ssh/sshd_config').exist?\n }\n\n # When Banner is commented, not found, disabled, or the specified file does not exist, this is a finding.\n banner_file = sshd_active_config.banner\n\n # Banner property is commented out.\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n\n # Banner property is set to \"none\"\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n\n # Banner property provides a path to a file, however, it does not exist.\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n\n # Banner property provides a path to a file and it exists.\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? 
&& file(banner_file).exist?\n\n banner = file(banner_file).content.gsub(/[\\r\\n\\s]/, '')\n expected_banner = input('banner_message_text_ral').gsub(/[\\r\\n\\s]/, '')\n\n describe 'The SSHD Banner' do\n it 'is set to the standard banner and has the correct text' do\n expect(banner).to eq(expected_banner), 'Banner does not match expected text'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230282.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230225.rb", "line": 1 }, - "id": "SV-230282" + "id": "SV-230225" }, { - "title": "Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nThe \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\nThe \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\nThe \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. 
Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", + "title": "RHEL 8 must enable a user session lock until that user re-establishes\naccess using established identification and authentication procedures for\ncommand line sessions.", + "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. Red Hat endorses tmux\nas the recommended session controlling package.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). 
The \"chown\" command is used to change file owner and group.\n\nThe \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\nThe \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\nThe \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.", - "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"chown\", \"fchown\", \"fchownat\" and \"lchown\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nIf audit rules are not defined for \"chown\", \"fchown\", \"fchownat\", and \"lchown\" or any of the lines returned are commented out, this is a finding.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls by adding or updating the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. Red Hat endorses tmux\nas the recommended session controlling package.", + "check": "Verify the operating system enables the user to manually initiate a session lock with the following command:\n\n $ sudo grep -Ei 'lock-command|lock-session' /etc/tmux.conf\n\n set -g lock-command vlock\n bind X lock-session\n\nIf the \"lock-command\" is not set and \"lock-session\" is not bound to a specific keyboard key in the global settings, this is a finding.", + "fix": "Configure the operating system to enable a user to manually initiate a session lock via tmux. This configuration binds the uppercase letter \"X\" to manually initiate a session lock after the prefix key \"Ctrl + b\" has been sent. The complete key sequence is thus \"Ctrl + b\" then \"Shift + x\" to lock tmux.\n\nCreate a global configuration file \"/etc/tmux.conf\" and add the following lines:\n\n set -g lock-command vlock\n bind X lock-session\n\nReload tmux configuration to take effect. This can be performed in tmux while it is running:\n\n $ tmux source-file /etc/tmux.conf" }, "impact": 0.5, "refs": [ 
@@ -3277,43 +3254,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000028-GPOS-00009", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000466-GPOS-00210" + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000030-GPOS-00011" ], - "gid": "V-230455", - "rid": "SV-230455r810459_rule", - "stig_id": "RHEL-08-030480", - "fix_id": "F-33099r809307_fix", + "gid": "V-230348", + "rid": "SV-230348r902725_rule", + "stig_id": "RHEL-08-020040", + "fix_id": "F-32992r880719_fix", "cci": [ - "CCI-000169" + "CCI-000056" ], "nist": [ - "AU-12 a" + "AC-11 b" ], "host": null }, - "code": "control 'SV-230455' do\n title 'Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nThe \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\nThe \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\nThe \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', 'Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"chown\", \"fchown\", \"fchownat\" and \"lchown\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nIf audit rules are not defined for \"chown\", \"fchown\", \"fchownat\", and \"lchown\" or any of the lines returned are commented out, this is a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls by adding or updating the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 
'SRG-OS-000064-GPOS-00033', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230455'\n tag rid: 'SV-230455r810459_rule'\n tag stig_id: 'RHEL-08-030480'\n tag fix_id: 'F-33099r809307_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['chown']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", + "code": "control 'SV-230348' do\n title 'RHEL 8 must enable a user session lock until that user re-establishes\naccess using established identification and authentication procedures for\ncommand line sessions.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. Red Hat endorses tmux\nas the recommended session controlling package.'\n desc 'check', %q(Verify the operating system enables the user to manually initiate a session lock with the following command:\n\n $ sudo grep -Ei 'lock-command|lock-session' /etc/tmux.conf\n\n set -g lock-command vlock\n bind X lock-session\n\nIf the \"lock-command\" is not set and \"lock-session\" is not bound to a specific keyboard key in the global settings, this is a finding.)\n desc 'fix', 'Configure the operating system to enable a user to manually initiate a session lock via tmux. This configuration binds the uppercase letter \"X\" to manually initiate a session lock after the prefix key \"Ctrl + b\" has been sent. The complete key sequence is thus \"Ctrl + b\" then \"Shift + x\" to lock tmux.\n\nCreate a global configuration file \"/etc/tmux.conf\" and add the following lines:\n\n set -g lock-command vlock\n bind X lock-session\n\nReload tmux configuration to take effect. 
This can be performed in tmux while it is running:\n\n $ tmux source-file /etc/tmux.conf'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-230348'\n tag rid: 'SV-230348r902725_rule'\n tag stig_id: 'RHEL-08-020040'\n tag fix_id: 'F-32992r880719_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n lock_command = command('grep -i lock-command /etc/tmux.conf').stdout.strip\n lock_session = command('grep -i lock-session /etc/tmux.conf').stdout.strip\n\n describe 'tmux settings' do\n it 'should set lock-command' do\n expect(lock_command).to match(/set -g lock-command vlock/)\n end\n it 'should bind a specific key to lock-session' do\n expect(lock_session).to match(/bind . lock-session/)\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230455.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230348.rb", "line": 1 }, - "id": "SV-230455" + "id": "SV-230348" }, { - "title": "RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.", - "desc": "Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\n RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.", + "title": "RHEL 8 must prevent special devices on file systems that are used with\nremovable media.", + "desc": "The \"nodev\" mount option causes the system not to interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", "descriptions": { - "default": "Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\n RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.", - "check": "Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive.\n\nCheck that the \"ClientAliveCountMax\" is set to \"1\" by performing the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientalivecountmax'\n\nClientAliveCountMax 1\n\nIf \"ClientAliveCountMax\" do not exist, is not set to a value of \"1\" in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Note: This setting must be applied in conjunction with RHEL-08-010201 to function correctly.\n\n Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.\n\n Modify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\n ClientAliveCountMax 1\n\n For the changes to take effect, the SSH daemon must be restarted:\n\n $ sudo systemctl restart sshd.service" + "default": "The \"nodev\" mount option causes the system not to interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "check": "Verify file systems that are used for removable media are mounted with the\n\"nodev\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nodev\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option on\nfile systems that are associated with removable media." }, "impact": 0.5, "refs": [ 
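Review bot: The SV-230348 check embedded in this hunk's new `code` value accepts a commented-out setting: `command('grep -i lock-command /etc/tmux.conf')` also returns a line such as `# set -g lock-command vlock`, and the unanchored `match(/set -g lock-command vlock/)` then passes, so a disabled session lock would be reported compliant; the `lock-session` grep paired with `match(/bind . lock-session/)` has the same gap. Anchoring both patterns to the start of a line rejects commented entries while still tolerating extra whitespace, e.g. `expect(lock_command).to match(/^\s*set\s+-g\s+lock-command\s+vlock/)` and `expect(lock_session).to match(/^\s*bind\s+\S+\s+lock-session/)` (Ruby's `^` is line-anchored, which matters because the grep output may span several lines). This JSON appears to be generated from the profile sources, so the fix belongs in `./Red Hat 8 STIG/controls/SV-230348.rb` and should then be regenerated into this file rather than edited here.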
@@ -3323,39 +3294,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000163-GPOS-00072", - "satisfies": [ - "SRG-OS-000163-GPOS-00072", - "SRG-OS-000126-GPOS-00066", - "SRG-OS-000279-GPOS-00109" - ], - "gid": "V-230244", - "rid": "SV-230244r951594_rule", - "stig_id": "RHEL-08-010200", - "fix_id": "F-32888r917866_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230303", + "rid": "SV-230303r627750_rule", + "stig_id": "RHEL-08-010600", + "fix_id": "F-32947r567656_fix", "cci": [ - "CCI-001133" + "CCI-000366" ], "nist": [ - "SC-10" + "CM-6 b" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230244' do\n title 'RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.'\n desc 'Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\n RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. 
The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.'\n desc 'check', %q(Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive.\n\nCheck that the \"ClientAliveCountMax\" is set to \"1\" by performing the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientalivecountmax'\n\nClientAliveCountMax 1\n\nIf \"ClientAliveCountMax\" do not exist, is not set to a value of \"1\" in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Note: This setting must be applied in conjunction with RHEL-08-010201 to function correctly.\n\n Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.\n\n Modify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\n ClientAliveCountMax 1\n\n For the changes to take effect, the SSH daemon must be restarted:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag satisfies: ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000126-GPOS-00066', 'SRG-OS-000279-GPOS-00109']\n tag gid: 'V-230244'\n tag rid: 'SV-230244r951594_rule'\n tag stig_id: 'RHEL-08-010200'\n tag fix_id: 'F-32888r917866_fix'\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'host'\n tag 'container-conditional'\n\n only_if('SSH 
is not installed on the system this requirement is Not Applicable', impact: 0.0) {\n (service('sshd').enabled? || package('openssh-server').installed?)\n }\n\n client_alive_count = input('sshd_client_alive_count_max')\n\n if virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?\n impact 0.0\n describe 'skip' do\n skip 'SSH configuration does not apply inside containers. This control is Not Applicable.'\n end\n else\n describe 'SSH ClientAliveCountMax configuration' do\n it \"should be set to #{client_alive_count}\" do\n expect(sshd_active_config.ClientAliveCountMax).to(cmp(client_alive_count), \"SSH ClientAliveCountMax is commented out or not set to the expected value (#{client_alive_count})\")\n end\n end\n end\nend\n", + "code": "control 'SV-230303' do\n title 'RHEL 8 must prevent special devices on file systems that are used with\nremovable media.'\n desc 'The \"nodev\" mount option causes the system not to interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.'\n desc 'check', 'Verify file systems that are used for removable media are mounted with the\n\"nodev\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nodev\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nodev\" option on\nfile systems that are associated with removable media.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230303'\n tag rid: 'SV-230303r627750_rule'\n tag stig_id: 'RHEL-08-010600'\n tag fix_id: 'F-32947r567656_fix'\n tag cci: ['CCI-000366']\n tag nist: 
['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nodev'\n file_systems = etc_fstab.params\n non_removable_media = input('non_removable_media_fs')\n mounted_removeable_media = file_systems.reject { |mnt| non_removable_media.include?(mnt['mount_point']) }\n failing_mounts = mounted_removeable_media.reject { |mnt| mnt['mount_options'].include?(option) }\n\n # be very explicit about why this one was a finding since we do not know which mounts are removeable media without the user telling us\n rem_media_msg = \"NOTE: Some mounted devices are not indicated to be non-removable media (you may need to update the 'non_removable_media_fs' input to check if these are truly subject to this requirement)\\n\"\n\n # there should either be no mounted removable media (which should be a requirement anyway), OR\n # all removeable media should be mounted with nodev\n if mounted_removeable_media.empty?\n describe 'No removeable media' do\n it 'are mounted' do\n expect(mounted_removeable_media).to be_empty\n end\n end\n else\n describe 'Any mounted removeable media' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"#{rem_media_msg}\\nRemoveable media without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230244.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230303.rb", "line": 1 }, - "id": "SV-230244" + "id": "SV-230303" }, { - "title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a command line\nuser logon.", - "desc": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, 
regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"", + "title": "RHEL 8 must configure the use of the pam_faillock.so module in the\n/etc/pam.d/password-auth file.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.", "descriptions": { - "default": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", - "check": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner\nbefore granting access to the operating system via a command line user logon.\n\n Check that RHEL 8 displays a banner at the command line login screen with\nthe following command:\n\n $ sudo cat /etc/issue\n\n If the banner is set correctly it will return the following text:\n\n “You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\n If the banner text does not match the Standard Mandatory DoD Notice and\nConsent Banner exactly, this is a finding.", - "fix": "Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the system via command line logon.\n\n Edit the \"/etc/issue\" file to replace the default text with the Standard\nMandatory DoD Notice and Consent Banner. The DoD-required text is:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests -- not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"" + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.", + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the pam_faillock.so module is present in the\n\"/etc/pam.d/password-auth\" file:\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so\npreauth\n auth required pam_faillock.so\nauthfail\n account required pam_faillock.so\n\n If the pam_faillock.so module is not present in the\n\"/etc/pam.d/password-auth\" file with the \"preauth\" line listed before\npam_unix.so, this is a finding.", + "fix": "Configure the operating system to include the use of the pam_faillock.so\nmodule in the /etc/pam.d/password-auth file.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/password-auth\"\nfile to match the following lines:\n Note: The \"preauth\" line must be listed before pam_unix.so.\n\n auth required pam_faillock.so preauth\n auth required pam_faillock.so authfail\n account required pam_faillock.so" }, "impact": 0.5, "refs": [ 
@@ -3365,37 +3330,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000023-GPOS-00006", + "gtitle": "SRG-OS-000021-GPOS-00005", "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000228-GPOS-00088" + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" ], - "gid": "V-230227", - "rid": "SV-230227r627750_rule", - "stig_id": "RHEL-08-010060", - "fix_id": "F-32871r567428_fix", + "gid": "V-244534", + "rid": "SV-244534r743851_rule", + "stig_id": "RHEL-08-020026", + "fix_id": "F-47766r743850_fix", "cci": [ - "CCI-000048" + "CCI-000044" ], "nist": [ - "AC-8 a" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230227' do\n title 'RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a command line\nuser logon.'\n desc 'Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"'\n desc 'check', 'Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner\nbefore granting access to the operating system via a command line user logon.\n\n Check that RHEL 8 displays a banner at the command line login screen with\nthe following command:\n\n $ sudo cat /etc/issue\n\n If the banner is set correctly it will return the following text:\n\n “You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\n If the banner text does not match the Standard Mandatory DoD Notice and\nConsent Banner exactly, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the system via command line logon.\n\n Edit the \"/etc/issue\" file to replace the default text with the Standard\nMandatory DoD Notice and Consent Banner. The DoD-required text is:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests -- not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-230227'\n tag rid: 'SV-230227r627750_rule'\n tag stig_id: 'RHEL-08-010060'\n tag fix_id: 'F-32871r567428_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n banner_file = file('/etc/issue')\n\n describe banner_file do\n it { should exist }\n end\n\n if banner_file.exist?\n\n banner = banner_file.content.gsub(/[\\r\\n\\s]/, '')\n expected_banner = input('banner_message_text_cli').gsub(/[\\r\\n\\s]/, '')\n\n describe 'The CLI Login Banner ' do\n it 'is set to the standard banner and has the correct text' do\n expect(banner).to eq(expected_banner), 'Banner does not match expected text'\n end\n end\n end\nend\n", + "code": "control 'SV-244534' do\n title 'RHEL 8 must configure the use of the pam_faillock.so module in the\n/etc/pam.d/password-auth file.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the pam_faillock.so module is present in the\n\"/etc/pam.d/password-auth\" file:\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so\npreauth\n auth required pam_faillock.so\nauthfail\n account required pam_faillock.so\n\n If the pam_faillock.so module is not present in the\n\"/etc/pam.d/password-auth\" file with the \"preauth\" line listed before\npam_unix.so, this is a finding.'\n desc 'fix', 'Configure the operating system to include the use of the pam_faillock.so\nmodule in the /etc/pam.d/password-auth file.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/password-auth\"\nfile to match the following lines:\n Note: The \"preauth\" line must be listed before pam_unix.so.\n\n auth required pam_faillock.so preauth\n auth required pam_faillock.so authfail\n account required pam_faillock.so'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-244534'\n tag rid: 'SV-244534r743851_rule'\n tag stig_id: 'RHEL-08-020026'\n tag fix_id: 'F-47766r743850_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') }\n its('lines') { should match_pam_rule('auth 
required pam_faillock.so authfail') }\n its('lines') { should match_pam_rule('account required pam_faillock.so') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230227.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244534.rb", "line": 1 }, - "id": "SV-230227" + "id": "SV-244534" }, { - "title": "RHEL 8 vendor packaged system security patches and updates must be installed and up to date.", - "desc": "Timely patching is critical for maintaining the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.", + "title": "The RHEL 8 fapolicy module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. 
Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", "descriptions": { - "default": "Timely patching is critical for maintaining the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.", - "check": "Verify the operating system security patches and updates are installed and\n up to date. 
Updates are required to be applied with a frequency determined by\n the site or Program Management Office (PMO).\n\n Obtain the list of available package security updates from Red Hat. The URL\n for updates is https://rhn.redhat.com/errata/. It is important to note that\n updates provided by Red Hat may not be present on the system if the underlying\n packages are not installed.\n\n Check that the available package security updates have been installed on\n the system with the following command:\n\n $ sudo yum history list | more\n\n Loaded plugins: langpacks, product-id, subscription-manager\n ID | Command line | Date and time | Action(s) | Altered\n\n -------------------------------------------------------------------------------\n 70 | install aide | 2020-03-05 10:58 | Install | 1\n 69 | update -y | 2020-03-04 14:34 | Update | 18 EE\n 68 | install vlc | 2020-02-21 17:12 | Install | 21\n 67 | update -y | 2020-02-21 17:04 | Update | 7 EE\n\n If package updates have not been performed on the system within the\n timeframe the site/program documentation requires, this is a finding.\n\n Typical update frequency may be overridden by Information Assurance\n Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\n If the operating system is in non-compliance with the Information Assurance\n Vulnerability Management (IAVM) process, this is a finding.", - "fix": "Install the operating system patches or updated packages\n available from Red Hat within 30 days or sooner as local policy dictates." + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. 
Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", + "check": "Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\nFor RHEL 8.4 systems and older:\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nFor RHEL 8.5 systems and newer:\n$ sudo tail /etc/fapolicyd/compiled.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\nIf fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.", + "fix": "Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\".\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. 
Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nFor RHEL 8.4 systems and older:\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny perm=any all : all\".\n\nFor RHEL 8.5 systems and newer:\nBuild the whitelist in a file within the \"/etc/fapolicyd/rules.d\" directory ensuring the last rule is \"deny perm=any all : all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0" }, "impact": 0.5, "refs": [ 
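Review bot: The `only_if` guard in the new `SV-244534` code compares `(os.release.to_f) >= 8.2`, and `String#to_f` truncates a two-digit minor release: `"8.10".to_f` is `8.1`, so a RHEL 8.10 host would be reported Not Applicable and the faillock check silently skipped; compare version components instead, e.g. `Gem::Version.new(os.release) >= Gem::Version.new('8.2')` (assuming `os.release` is a plain dotted version string here). The same `to_f` comparison selects `rules_file` in the `SV-244546` code of the next hunk and has the same failure on 8.10. Separately, the check text makes it a finding when the `preauth` line is not listed before `pam_unix.so`, but the three `match_pam_rule` expectations only assert that each rule is present somewhere in `/etc/pam.d/password-auth`, so a file with `pam_faillock.so preauth` placed after `pam_unix.so` passes; an ordering assertion on the parsed `lines` (index of the preauth rule lower than the index of the `pam_unix.so` auth rule) would close that gap.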
@@ -3405,34 +3371,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230222", - "rid": "SV-230222r627750_rule", - "stig_id": "RHEL-08-010010", - "fix_id": "F-32866r567413_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "satisfies": [ + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000370-GPOS-00155", + "SRG-OS-000480-GPOS-00232" + ], + "gid": "V-244546", + "rid": "SV-244546r858730_rule", + "stig_id": "RHEL-08-040137", + "fix_id": "F-47778r858729_fix", "cci": [ - "CCI-000366" + "CCI-001764" ], "nist": [ - "CM-6 b" - ], - "host": null, - "container": null + "CM-7 (2)" + ] }, - "code": "control 'SV-230222' do\n title 'RHEL 8 vendor packaged system security patches and updates must be installed and up to date.'\n desc 'Timely patching is critical for maintaining the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.'\n desc 'check', 'Verify the operating system security patches and updates are installed and\n up to date. Updates are required to be applied with a frequency determined by\n the site or Program Management Office (PMO).\n\n Obtain the list of available package security updates from Red Hat. The URL\n for updates is https://rhn.redhat.com/errata/. 
It is important to note that\n updates provided by Red Hat may not be present on the system if the underlying\n packages are not installed.\n\n Check that the available package security updates have been installed on\n the system with the following command:\n\n $ sudo yum history list | more\n\n Loaded plugins: langpacks, product-id, subscription-manager\n ID | Command line | Date and time | Action(s) | Altered\n\n -------------------------------------------------------------------------------\n 70 | install aide | 2020-03-05 10:58 | Install | 1\n 69 | update -y | 2020-03-04 14:34 | Update | 18 EE\n 68 | install vlc | 2020-02-21 17:12 | Install | 21\n 67 | update -y | 2020-02-21 17:04 | Update | 7 EE\n\n If package updates have not been performed on the system within the\n timeframe the site/program documentation requires, this is a finding.\n\n Typical update frequency may be overridden by Information Assurance\n Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\n If the operating system is in non-compliance with the Information Assurance\n Vulnerability Management (IAVM) process, this is a finding.'\n desc 'fix', 'Install the operating system patches or updated packages\n available from Red Hat within 30 days or sooner as local policy dictates.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230222'\n tag rid: 'SV-230222r627750_rule'\n tag stig_id: 'RHEL-08-010010'\n tag fix_id: 'F-32866r567413_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n only_if(\"This control takes a long time to execute so it has been disabled through 'slow_controls'\") {\n !input('disable_slow_controls')\n }\n\n if input('disconnected_system')\n describe 'The system is set to a `disconnected` state and you must validate the state of the system packages manually' do\n skip 'The system is set to a `disconnected` state and you must validate the state of 
the system packages manually'\n end\n else\n updates = linux_update.updates\n package_names = updates.map { |h| h['name'] }\n\n describe.one do\n describe 'List of out-of-date packages' do\n subject { package_names }\n it { should be_empty }\n end\n updates.each do |update|\n describe package(update['name']) do\n its('version') { should eq update['version'] }\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244546' do\n title 'The RHEL 8 fapolicy module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.'\n desc 'check', 'Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\nFor RHEL 8.4 systems and older:\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nFor RHEL 8.5 systems and newer:\n$ sudo tail /etc/fapolicyd/compiled.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\nIf fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\".\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. 
Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nFor RHEL 8.4 systems and older:\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny perm=any all : all\".\n\nFor RHEL 8.5 systems and newer:\nBuild the whitelist in a file within the \"/etc/fapolicyd/rules.d\" directory ensuring the last rule is \"deny perm=any all : all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000370-GPOS-00155', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-244546'\n tag rid: 'SV-244546r858730_rule'\n tag stig_id: 'RHEL-08-040137'\n tag fix_id: 'F-47778r858729_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n\n # Check if the system is a Docker container or not using Fapolicyd\n if virtualization.system.eql?('docker') || !input('use_fapolicyd')\n impact 0.0\n describe 'Control not applicable' do\n skip 'The organization is not using the Fapolicyd service to manage firewall services, this control is Not Applicable' unless input('use_fapolicyd')\n skip 'Control not applicable within a container' if virtualization.system.eql?('docker')\n end\n else\n # Parse the fapolicyd configuration file\n fapolicyd_config = parse_config_file('/etc/fapolicyd/fapolicyd.conf')\n\n describe 'Fapolicyd configuration' do\n it 'permissive should not be commented out' do\n expect(fapolicyd_config.content).to match(/^permissive\\s*=\\s*0$/), 'permissive is commented out in the fapolicyd.conf file'\n end\n it 'should have permissive set to 0' do\n expect(fapolicyd_config.params['permissive']).to cmp '0'\n end\n end\n\n # Determine the rules file based on the OS release\n rules_file = 
os.release.to_f < 8.4 ? '/etc/fapolicyd/fapolicyd.rules' : '/etc/fapolicyd/compiled.rules'\n\n # Check if the rules file exists\n describe file(rules_file) do\n it { should exist }\n end\n\n # If the rules file exists, check the last rule\n if file(rules_file).exist?\n rules = file(rules_file).content.strip.split(\"\\n\")\n last_rule = rules.last\n\n describe 'Last rule in the rules file' do\n it { expect(last_rule).to cmp 'deny perm=any all : all' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230222.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244546.rb", "line": 1 }, - "id": "SV-230222" + "id": "SV-244546" }, { - "title": "RHEL 8 must label all off-loaded audit logs before sending them to the\ncentral log server.", - "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging is needed to determine who, what, and when events occur on\na system. Without this, determining root cause of an event will be much more\ndifficult.\n\n When audit logs are not labeled before they are sent to a central log\nserver, the audit data will not be able to be analyzed and tied back to the\ncorrect system.", + "title": "For RHEL 8 systems using Domain Name Servers (DNS) resolution, at\nleast two name servers must be configured.", + "desc": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. 
A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", "descriptions": { - "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging is needed to determine who, what, and when events occur on\na system. Without this, determining root cause of an event will be much more\ndifficult.\n\n When audit logs are not labeled before they are sent to a central log\nserver, the audit data will not be able to be analyzed and tied back to the\ncorrect system.", - "check": "Verify the RHEL 8 Audit Daemon is configured to label all off-loaded audit\nlogs, with the following command:\n\n $ sudo grep \"name_format\" /etc/audit/auditd.conf\n\n name_format = hostname\n\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\",\nor the line is commented out, this is a finding.", - "fix": "Edit the /etc/audit/auditd.conf file and add or update the \"name_format\"\noption:\n\n name_format = hostname\n\n The audit daemon must be restarted for changes to take effect." + "default": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. 
A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", + "check": "Determine whether the system is using local or DNS name resolution with the\nfollowing command:\n\n $ sudo grep hosts /etc/nsswitch.conf\n\n hosts: files dns\n\n If the DNS entry is missing from the host's line in the\n\"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n\n $ sudo ls -al /etc/resolv.conf\n\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\n If local host authentication is being used and the \"/etc/resolv.conf\"\nfile is not empty, this is a finding.\n\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\"\nfile, verify the operating system is configured to use two or more name servers\nfor DNS resolution.\n\n Determine the name servers used by the system with the following command:\n\n $ sudo grep nameserver /etc/resolv.conf\n\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n\n If less than two lines are returned that are not commented out, this is a\nfinding.", + "fix": "Configure the operating system to use two or more name servers for DNS\nresolution.\n\n By default, \"NetworkManager\" on RHEL 8 dynamically updates the\n/etc/resolv.conf file with the DNS settings from active \"NetworkManager\"\nconnection profiles. However, this feature can be disabled to allow manual\nconfigurations.\n\n If manually configuring DNS, edit the \"/etc/resolv.conf\" file to\nuncomment or add the two or more \"nameserver\" option lines with the IP\naddress of local authoritative name servers. If local host resolution is being\nperformed, the \"/etc/resolv.conf\" file must be empty. An empty\n\"/etc/resolv.conf\" file can be created as follows:\n\n $ sudo echo -n > /etc/resolv.conf" }, "impact": 0.5, "refs": [ 
@@ -3442,33 +3411,34 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000342-GPOS-00133",
- "gid": "V-230394",
- "rid": "SV-230394r877390_rule",
- "stig_id": "RHEL-08-030062",
- "fix_id": "F-33038r567929_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-230316",
+ "rid": "SV-230316r627750_rule",
+ "stig_id": "RHEL-08-010680",
+ "fix_id": "F-32960r567695_fix",
 "cci": [
- "CCI-001851"
+ "CCI-000366"
 ],
 "nist": [
- "AU-4 (1)"
+ "CM-6 b"
 ],
- "host": null
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-230394' do\n title 'RHEL 8 must label all off-loaded audit logs before sending them to the\ncentral log server.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging is needed to determine who, what, and when events occur on\na system. 
Without this, determining root cause of an event will be much more\ndifficult.\n\n When audit logs are not labeled before they are sent to a central log\nserver, the audit data will not be able to be analyzed and tied back to the\ncorrect system.'\n desc 'check', 'Verify the RHEL 8 Audit Daemon is configured to label all off-loaded audit\nlogs, with the following command:\n\n $ sudo grep \"name_format\" /etc/audit/auditd.conf\n\n name_format = hostname\n\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\",\nor the line is commented out, this is a finding.'\n desc 'fix', 'Edit the /etc/audit/auditd.conf file and add or update the \"name_format\"\noption:\n\n name_format = hostname\n\n The audit daemon must be restarted for changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag gid: 'V-230394'\n tag rid: 'SV-230394r877390_rule'\n tag stig_id: 'RHEL-08-030062'\n tag fix_id: 'F-33038r567929_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('name_format') { should match(/^hostname$|^fqd$|^numeric$/i) }\n end\nend\n", + "code": "control 'SV-230316' do\n title 'For RHEL 8 systems using Domain Name Servers (DNS) resolution, at\nleast two name servers must be configured.'\n desc 'To provide availability for name resolution services, multiple\nredundant name servers are mandated. 
A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.'\n desc 'check', %q(Determine whether the system is using local or DNS name resolution with the\nfollowing command:\n\n $ sudo grep hosts /etc/nsswitch.conf\n\n hosts: files dns\n\n If the DNS entry is missing from the host's line in the\n\"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n\n $ sudo ls -al /etc/resolv.conf\n\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\n If local host authentication is being used and the \"/etc/resolv.conf\"\nfile is not empty, this is a finding.\n\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\"\nfile, verify the operating system is configured to use two or more name servers\nfor DNS resolution.\n\n Determine the name servers used by the system with the following command:\n\n $ sudo grep nameserver /etc/resolv.conf\n\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n\n If less than two lines are returned that are not commented out, this is a\nfinding.)\n desc 'fix', 'Configure the operating system to use two or more name servers for DNS\nresolution.\n\n By default, \"NetworkManager\" on RHEL 8 dynamically updates the\n/etc/resolv.conf file with the DNS settings from active \"NetworkManager\"\nconnection profiles. However, this feature can be disabled to allow manual\nconfigurations.\n\n If manually configuring DNS, edit the \"/etc/resolv.conf\" file to\nuncomment or add the two or more \"nameserver\" option lines with the IP\naddress of local authoritative name servers. If local host resolution is being\nperformed, the \"/etc/resolv.conf\" file must be empty. 
An empty\n\"/etc/resolv.conf\" file can be created as follows:\n\n $ sudo echo -n > /etc/resolv.conf'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230316'\n tag rid: 'SV-230316r627750_rule'\n tag stig_id: 'RHEL-08-010680'\n tag fix_id: 'F-32960r567695_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n dns_in_host_line = parse_config_file('/etc/nsswitch.conf',\n comment_char: '#',\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/).params['hosts'].include?('dns')\n\n unless dns_in_host_line\n describe 'If `local` resolution is being used, a `hosts` entry in /etc/nsswitch.conf having `dns`' do\n subject { dns_in_host_line }\n it { should be false }\n end\n end\n\n unless dns_in_host_line\n describe 'If `local` resoultion is being used, the /etc/resolv.conf file should' do\n subject { parse_config_file('/etc/resolv.conf', comment_char: '#').params }\n it { should be_empty }\n end\n end\n\n nameservers = parse_config_file('/etc/resolv.conf',\n comment_char: '#').params.keys.grep(/nameserver/)\n\n if dns_in_host_line\n describe \"The system's nameservers: #{nameservers}\" do\n subject { nameservers }\n it { should_not be nil }\n end\n end\n\n if dns_in_host_line\n describe 'The number of nameservers' do\n subject { nameservers.count }\n it { should cmp >= 2 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230394.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230316.rb", "line": 1 }, - "id": "SV-230394" + "id": "SV-230316" }, { - "title": "RHEL 8 system commands must have mode 755 or less permissive.", - "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that 
are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "title": "RHEL 8 must require users to reauthenticate for privilege escalation.", + "desc": "Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", "descriptions": { - "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", - "check": "Verify the system commands contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \\;\n\nIf any system commands are found to be group-writable or world-writable, this is a finding.", - "fix": "Configure the system commands to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any system command with a mode more permissive than \"755\".\n\n$ sudo chmod 755 [FILE]" + "default": "Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", + "check": "Verify that \"/etc/sudoers\" has no occurrences of \"!authenticate\".\n\n Check that the \"/etc/sudoers\" file has no occurrences of\n\"!authenticate\" by running the following command:\n\n $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/*\n\n If any occurrences of \"!authenticate\" return from the command, this is a\nfinding.", + "fix": "Remove any occurrence of \"!authenticate\" found in\n\"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory." }, "impact": 0.5, "refs": [ 
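Review bot: In the new SV-230316 code, `parse_config_file('/etc/nsswitch.conf', ...).params['hosts'].include?('dns')` raises NoMethodError on nil when nsswitch.conf has no `hosts:` line, which turns a configuration finding into a profile crash; `.params['hosts'].to_s.include?('dns')` keeps the boolean and lets a missing line fall through to the local-resolution branch. The `it { should_not be nil }` expectation on `nameservers` is vacuous, since `params.keys.grep(...)` always returns an Array, so only the `should cmp >= 2` count check carries weight and the first describe could be dropped or given a comment such as `# informational only: lists the nameservers seen in /etc/resolv.conf`. The describe string `resoultion` is misspelled. The SV-230316 control object begins in the previous hunk.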
@@ -3478,75 +3448,75 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000259-GPOS-00100",
- "gid": "V-230257",
- "rid": "SV-230257r792862_rule",
- "stig_id": "RHEL-08-010300",
- "fix_id": "F-32901r792861_fix",
+ "gtitle": "SRG-OS-000373-GPOS-00156",
+ "satisfies": [
+ "SRG-OS-000373-GPOS-00156",
+ "SRG-OS-000373-GPOS-00157",
+ "SRG-OS-000373-GPOS-00158"
+ ],
+ "gid": "V-230272",
+ "rid": "SV-230272r854027_rule",
+ "stig_id": "RHEL-08-010381",
+ "fix_id": "F-32916r567563_fix",
 "cci": [
- "CCI-001499"
+ "CCI-002038"
 ],
 "nist": [
- "CM-5 (6)"
+ "IA-11"
 ],
 "host": null,
- "container": null
+ "container-conditional": null
 },
- "code": "control 'SV-230257' do\n title 'RHEL 8 system commands must have mode 755 or less permissive.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system commands contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \\\\;\n\nIf any system commands are found to be group-writable or world-writable, this is a finding.'\n desc 'fix', 'Configure the system commands to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any system command with a mode more permissive than \"755\".\n\n$ sudo chmod 755 [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230257'\n tag rid: 'SV-230257r792862_rule'\n tag stig_id: 'RHEL-08-010300'\n tag fix_id: 'F-32901r792861_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n system_command_dirs = input('system_command_dirs').join(' ')\n\n failing_files = command(\"find -L #{system_command_dirs} -perm /0022 -exec ls -l '{}' \\\\;\").stdout.split(\"\\n\")\n\n # failing_files = command(\"find -L #{input('system_command_dirs').join(' ')} -perm /0022 -exec ls -d '{}'' \\\\;\").stdout.split(\"\\n\")\n\n describe 'System commands' do\n it \"should have mode '0755' or less permissive\" do\n expect(failing_files).to be_empty, \"Files with excessive permissions:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230272' do\n title 'RHEL 8 must require users to reauthenticate for privilege escalation.'\n desc 'Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical 
the user reauthenticate.'\n desc 'check', 'Verify that \"/etc/sudoers\" has no occurrences of \"!authenticate\".\n\n Check that the \"/etc/sudoers\" file has no occurrences of\n\"!authenticate\" by running the following command:\n\n $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/*\n\n If any occurrences of \"!authenticate\" return from the command, this is a\nfinding.'\n desc 'fix', 'Remove any occurrence of \"!authenticate\" found in\n\"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-230272'\n tag rid: 'SV-230272r854027_rule'\n tag stig_id: 'RHEL-08-010381'\n tag fix_id: 'F-32916r567563_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable within a container without sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n describe sudoers(input('sudoers_config_files')) do\n its('settings.Defaults') { should_not include '!authenticate' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230257.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230272.rb", "line": 1 }, - "id": "SV-230257" + "id": "SV-230272" }, { - "title": "The RHEL 8 fapolicy module must be enabled.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. 
Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", + "title": "RHEL 8 must use a separate file system for /var/log.", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. 
One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", - "check": "Verify the RHEL 8 \"fapolicyd\" is enabled and running with the following\ncommand:\n\n $ sudo systemctl status fapolicyd.service\n\n fapolicyd.service - File Access Policy Daemon\n Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor\npreset: disabled)\n Active: active (running)\n\n If fapolicyd is not enabled and running, this is a finding.", - "fix": "Enable \"fapolicyd\" using the following command:\n\n$ sudo systemctl enable --now fapolicyd" + "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "check": "Verify that a separate file system has been created for \"/var/log\".\n\nCheck that a file system has been created for \"/var/log\" with the following command:\n\n $ sudo grep /var/log /etc/fstab\n\n /dev/mapper/... /var/log xfs defaults,nodev,noexec,nosuid 0 0\n\nIf a separate entry for \"/var/log\" is not in use, this is a finding.", + "fix": "Migrate the \"/var/log\" path onto a separate file system." 
 },
- "impact": 0.5,
+ "impact": 0.3,
 "refs": [
 {
 "ref": "DPMS Target Red Hat Enterprise Linux 8"
 }
 ],
 "tags": {
- "severity": "medium",
- "gtitle": "SRG-OS-000368-GPOS-00154",
- "satisfies": [
- "SRG-OS-000368-GPOS-00154",
- "SRG-OS-000370-GPOS-00155",
- "SRG-OS-000480-GPOS-00232"
- ],
- "gid": "V-244545",
- "rid": "SV-244545r854074_rule",
- "stig_id": "RHEL-08-040136",
- "fix_id": "F-47777r743883_fix",
+ "severity": "low",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-230293",
+ "rid": "SV-230293r902720_rule",
+ "stig_id": "RHEL-08-010541",
+ "fix_id": "F-32937r567626_fix",
 "cci": [
- "CCI-001764"
+ "CCI-000366"
 ],
 "nist": [
- "CM-7 (2)"
+ "CM-6 b"
 ],
 "host": null
 },
- "code": "control 'SV-244545' do\n title 'The RHEL 8 fapolicy module must be enabled.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.'\n desc 'check', 'Verify the RHEL 8 \"fapolicyd\" is enabled and running with the following\ncommand:\n\n $ sudo systemctl status fapolicyd.service\n\n fapolicyd.service - File Access Policy Daemon\n Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor\npreset: disabled)\n Active: active (running)\n\n If fapolicyd is not enabled and running, this is a finding.'\n desc 'fix', 'Enable \"fapolicyd\" using the following command:\n\n$ sudo systemctl enable --now fapolicyd'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000370-GPOS-00155', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-244545'\n tag rid: 'SV-244545r854074_rule'\n tag stig_id: 'RHEL-08-040136'\n tag fix_id: 'F-47777r743883_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This requirement is Not Applicable in the container' do\n skip 'This requirement is Not Applicable in the container'\n end\n elsif !input('use_fapolicyd')\n impact 0.0\n describe 'The organization does not use the Fapolicyd service to manage firewall services' do\n skip 'The organization is not using the Fapolicyd service to manage firewall services, this control is Not Applicable'\n end\n else\n describe service('fapolicyd') do\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", + "code": "control 'SV-230293' do\n title 'RHEL 8 must use a separate file system for /var/log.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system has been created for \"/var/log\".\n\nCheck that a file system has been created for \"/var/log\" with 
the following command:\n\n $ sudo grep /var/log /etc/fstab\n\n /dev/mapper/... /var/log xfs defaults,nodev,noexec,nosuid 0 0\n\nIf a separate entry for \"/var/log\" is not in use, this is a finding.'\n desc 'fix', 'Migrate the \"/var/log\" path onto a separate file system.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230293'\n tag rid: 'SV-230293r902720_rule'\n tag stig_id: 'RHEL-08-010541'\n tag fix_id: 'F-32937r567626_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe mount('/var/log') do\n it { should be_mounted }\n end\n\n describe etc_fstab.where { mount_point == '/var/log' } do\n it { should exist }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244545.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230293.rb", "line": 1 }, - "id": "SV-244545" + "id": "SV-230293" }, { - "title": "RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur during a 15-minute time period.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "RHEL 8 library directories must be owned by root.", + "desc": "If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount after three unsuccessful logon attempts within 15 minutes:\n\n $ sudo grep 'fail_interval =' /etc/security/faillock.conf\n\n fail_interval = 900\n\n If the \"fail_interval\" option is not set to \"900\" or more, is missing\nor commented out, this is a finding.", - "fix": "Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n fail_interval = 900" + "default": "If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.", + "check": "Verify the system-wide shared library directories are owned by \"root\" with\nthe following command:\n\n$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide shared library directory is returned, this is a finding.", + "fix": "Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. 
Run the following command, replacing \"[DIRECTORY]\" with any library directory not owned by \"root\".\n\n $ sudo chown root [DIRECTORY]" }, "impact": 0.5, "refs": [ 
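Review bot: The SV-230272 code narrows the STIG's grep for `!authenticate` across /etc/sudoers and /etc/sudoers.d/* to `its('settings.Defaults') { should_not include '!authenticate' }`, so if the `sudoers` resource's `settings.Defaults` collects only unqualified `Defaults` entries, a `Defaults:user`, `Defaults@host` or `Defaults!command` spec carrying `!authenticate` would go unexamined, and `include` on an Array only matches when `!authenticate` is stored as its own element rather than inside a comma-joined option string. Unless the resource is known to split every Defaults variant into single tokens, a content-level expectation that mirrors the check text is safer, e.g. `describe command("grep -i '!authenticate' #{Array(input('sudoers_config_files')).join(' ')}") do` / `  its('stdout') { should be_empty }` / `end`, or at minimum a comment on the describe such as `# assumes settings.Defaults flattens all Defaults forms into single tokens — verify against libraries/sudoers`. The SV-230272 control object begins in the previous hunk.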
@@ -3555,39 +3525,37 @@ } ], "tags": { + "check_id": "C-55145r810011_chk", "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", - "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" - ], - "gid": "V-230335", - "rid": "SV-230335r743969_rule", - "stig_id": "RHEL-08-020013", - "fix_id": "F-32979r743968_fix", + "gid": "V-251708", + "rid": "SV-251708r810012_rule", + "stig_id": "RHEL-08-010341", + "gtitle": "SRG-OS-000259-GPOS-00100", + "fix_id": "F-55099r809347_fix", + "documentable": null, "cci": [ - "CCI-000044" + "CCI-001499" ], "nist": [ - "AC-7 a" + "CM-5 (6)" ], "host": null, "container": null }, - "code": "control 'SV-230335' do\n title 'RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur during a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', %q(Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount after three unsuccessful logon attempts within 15 minutes:\n\n $ sudo grep 'fail_interval =' /etc/security/faillock.conf\n\n fail_interval = 900\n\n If the \"fail_interval\" option is not set to \"900\" or more, is missing\nor commented out, this is a finding.)\n desc 'fix', 'Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n fail_interval = 900'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230335'\n tag rid: 'SV-230335r743969_rule'\n tag stig_id: 'RHEL-08-020013'\n tag fix_id: 'F-32979r743968_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file(input('security_faillock_conf')) do\n its('fail_interval') { should cmp >= input('fail_interval') }\n end\nend\n", + "code": "control 'SV-251708' do\n title 'RHEL 8 library directories must be owned by root.'\n desc 'If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.'\n desc 'check', %q(Verify the system-wide shared library directories are owned by \"root\" with\nthe following command:\n\n$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide shared library directory is returned, this is a finding.)\n desc 'fix', 'Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing \"[DIRECTORY]\" with any library directory not owned by \"root\".\n\n $ sudo chown root [DIRECTORY]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55145r810011_chk'\n tag severity: 'medium'\n tag gid: 'V-251708'\n tag rid: 'SV-251708r810012_rule'\n tag stig_id: 'RHEL-08-010341'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag fix_id: 'F-55099r809347_fix'\n tag 'documentable'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n non_root_owned_libs = input('system_libraries').reject { |lib| file(lib).owned_by?('root') }\n\n describe 'System libraries' do\n it 'should be owned by root' do\n fail_msg = \"Libs not owned by root:\\n\\t- #{non_root_owned_libs.join(\"\\n\\t- \")}\"\n expect(non_root_owned_libs).to be_empty, fail_msg\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230335.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251708.rb", "line": 1 }, - "id": "SV-230335" + "id": "SV-251708" }, { - "title": "The RHEL 8 Information System Security Officer (ISSO) and 
System\nAdministrator (SA) (at a minimum) must have mail aliases to be notified of an\naudit processing failure.", - "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "title": "Successful/unsuccessful uses of setfiles in RHEL 8 must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setfiles\" command is primarily used to initialize the security context\nfields (extended attributes) on one or more filesystems (or parts of them).\nUsually it is initially run as part of the SELinux installation process (a step\ncommonly known as labeling).\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", - "check": "Verify that the administrators are notified in the event of an audit\nprocessing failure.\n\n Check that the \"/etc/aliases\" file has a defined value for \"root\".\n\n $ sudo grep \"postmaster:\\s*root$\" /etc/aliases\n\n If the command does not return a line, or the line is commented out, ask\nthe system administrator to indicate how they and the ISSO are notified of an\naudit process failure. If there is no evidence of the proper personnel being\nnotified of an audit processing failure, this is a finding.", - "fix": "Configure RHEL 8 to notify administrators in the event of an audit\nprocessing failure.\n\n Add/update the following line in \"/etc/aliases\":\n\n postmaster: root" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setfiles\" command is primarily used to initialize the security context\nfields (extended attributes) on one or more filesystems (or parts of them).\nUsually it is initially run as part of the SELinux installation process (a step\ncommonly known as labeling).\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"setfiles\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"setfiles\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"setfiles\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -3597,70 +3565,78 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000046-GPOS-00022", - "gid": "V-230389", - "rid": "SV-230389r627750_rule", - "stig_id": "RHEL-08-030030", - "fix_id": "F-33033r567914_fix", - "cci": [ - "CCI-000139" + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230430", + "rid": "SV-230430r627750_rule", + "stig_id": "RHEL-08-030314", + "fix_id": "F-33074r568037_fix", + "cci": [ + "CCI-000169" ], "nist": [ - "AU-5 a" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230389' do\n title 'The RHEL 8 Information System Security Officer (ISSO) and System\nAdministrator (SA) (at a minimum) must have mail aliases to be notified of an\naudit processing failure.'\n desc 'It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
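Review bot: In the new `code` string for SV-251708, `input('system_libraries').reject { |lib| file(lib).owned_by?('root') }` reports a path that does not exist the same way as one owned by a non-root user, because `owned_by?` is false for a missing file, so a stale entry in the `system_libraries` input shows up as a finding instead of as a missing path; guarding with `file(lib).exist?` first (and reporting missing paths separately) would keep the failure message accurate. The STIG check text in the same record enumerates directories with `find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d`, whereas the control only inspects the fixed input list, so a non-root-owned subdirectory absent from that list would go undetected — this is inferred from the visible string and should be confirmed against the input's default. The added `"documentable": null` tag key (and `tag 'documentable'` in the code) appears on this record but not on the sibling records in the following hunk, which is a shape inconsistency if consumers expect uniform tag keys. Since this JSON carries `"source_location": { "ref": "./Red Hat 8 STIG/controls/SV-251708.rb" }` and looks like an exported profile, any fix belongs in that control file with the export regenerated rather than in this file.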
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.'\n desc 'check', 'Verify that the administrators are notified in the event of an audit\nprocessing failure.\n\n Check that the \"/etc/aliases\" file has a defined value for \"root\".\n\n $ sudo grep \"postmaster:\\\\s*root$\" /etc/aliases\n\n If the command does not return a line, or the line is commented out, ask\nthe system administrator to indicate how they and the ISSO are notified of an\naudit process failure. 
If there is no evidence of the proper personnel being\nnotified of an audit processing failure, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to notify administrators in the event of an audit\nprocessing failure.\n\n Add/update the following line in \"/etc/aliases\":\n\n postmaster: root'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000046-GPOS-00022'\n tag gid: 'V-230389'\n tag rid: 'SV-230389r627750_rule'\n tag stig_id: 'RHEL-08-030030'\n tag fix_id: 'F-33033r567914_fix'\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n alternative_logging = input('alternative_logging')\n\n if alternative_logging == true\n describe 'Alternative logging' do\n it 'should handle sysadmin and ISSO notification' do\n expect(alternative_logging).to eq(true)\n end\n end\n else\n describe command('grep \"postmaster:\\s*root$\" /etc/aliases') do\n its('stdout.strip') { should match(/postmaster:\\s*root/) }\n end\n end\nend\n", + "code": "control 'SV-230430' do\n title 'Successful/unsuccessful uses of setfiles in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setfiles\" command is primarily used to initialize the security context\nfields (extended attributes) on one or more filesystems (or parts of them).\nUsually it is initially run as part of the SELinux installation process (a step\ncommonly known as labeling).\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. 
Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"setfiles\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"setfiles\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"setfiles\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230430'\n tag rid: 'SV-230430r627750_rule'\n tag stig_id: 'RHEL-08-030314'\n tag fix_id: 'F-33074r568037_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/setfiles'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n 
expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230389.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230430.rb", "line": 1 }, - "id": "SV-230389" + "id": "SV-230430" }, { - "title": "All RHEL 8 passwords must contain at least one special character.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Note that to require special characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", + "title": "The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a\ngraphical user interface is installed.", + "desc": "A locally logged-on user, who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Note that to require special characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", - "check": "Verify the value for \"ocredit\" with the following command:\n\n$ sudo grep -r ocredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:ocredit = -1\n\nIf the value of \"ocredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nocredit = -1\n\nRemove any configurations that conflict with the above value." + "default": "A locally logged-on user, who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "check": "Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed when using a graphical user interface with the following command:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo grep logout /etc/dconf/db/local.d/*\n\n logout=''\n\n If the \"logout\" key is bound to an action, is commented out, or is\nmissing, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence when using a\ngraphical user interface by creating or editing the\n/etc/dconf/db/local.d/00-disable-CAD file.\n\n Add the setting to disable the Ctrl-Alt-Delete sequence for a graphical\nuser interface:\n\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''\n\n Note: The value above is set to two single quotations.\n\n Then update the dconf settings:\n\n $ sudo dconf update" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000266-GPOS-00101", - "gid": "V-230375", - "rid": "SV-230375r858787_rule", - "stig_id": "RHEL-08-020280", - "fix_id": "F-33019r858786_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230530", + "rid": "SV-230530r646883_rule", + "stig_id": "RHEL-08-040171", + "fix_id": "F-33174r568337_fix", "cci": [ - "CCI-001619" + "CCI-000366" ], "nist": [ - "IA-5 (1) (a)" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230375' do\n title 'All RHEL 8 passwords must contain at least one special character.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the 
password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Note that to require special characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".'\n desc 'check', 'Verify the value for \"ocredit\" with the following command:\n\n$ sudo grep -r ocredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:ocredit = -1\n\nIf the value of \"ocredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nocredit = -1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000266-GPOS-00101'\n tag gid: 'V-230375'\n tag rid: 'SV-230375r858787_rule'\n tag stig_id: 'RHEL-08-020280'\n tag fix_id: 'F-33019r858786_fix'\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n # value = input('ocredit')\n setting = 'ocredit'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to a positive value\" do\n expect(setting_value.first.to_i).to be <= 0, \"#{setting} is set to a positive value in pwquality.conf\"\n end\n end\nend\n", + "code": "control 'SV-230530' do\n title 'The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a\ngraphical user interface is installed.'\n desc 'A locally logged-on user, who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.'\n desc 'check', %q(Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed when using a graphical user interface with the following command:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo grep logout /etc/dconf/db/local.d/*\n\n logout=''\n\n If the \"logout\" key is bound to an action, is commented out, or is\nmissing, this is a finding.)\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a\ngraphical user interface by creating or editing the\n/etc/dconf/db/local.d/00-disable-CAD file.\n\n Add the setting to disable the Ctrl-Alt-Delete sequence for a graphical\nuser interface:\n\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''\n\n Note: The value above is set to two single quotations.\n\n Then update the dconf settings:\n\n $ sudo dconf update\"\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230530'\n tag rid: 'SV-230530r646883_rule'\n tag stig_id: 'RHEL-08-040171'\n tag fix_id: 'F-33174r568337_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command('grep ^logout /etc/dconf/db/local.d/*') do\n its('stdout.strip') { should match(/logout=''/) }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230375.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230530.rb", "line": 1 }, - "id": "SV-230375" + "id": "SV-230530" }, { - "title": "RHEL 8 must mount /var/log with the nodev option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that contain user home directories.", + "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/log\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /var/log\nis mounted without the \"nodev\" option, this is a finding.", - "fix": "Configure the system so that /var/log is mounted with the \"nodev\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0" + "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files 
with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "check": "Verify file systems that contain user home directories are mounted with the\n\"nosuid\" option.\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is\nautomatically a finding as the \"nosuid\" option cannot be used on the \"/\"\nsystem.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n smithj:1001: /home/smithj\n robinst:1002: /home/robinst\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n $ sudo more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home xfs\nrw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"nosuid\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that contain user home directories for interactive users." }, "impact": 0.5, "refs": [ 
@@ -3670,33 +3646,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230514", - "rid": "SV-230514r854055_rule", - "stig_id": "RHEL-08-040126", - "fix_id": "F-33158r568289_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230299", + "rid": "SV-230299r627750_rule", + "stig_id": "RHEL-08-010570", + "fix_id": "F-32943r567644_fix", "cci": [ - "CCI-001764" + "CCI-000366" ], "nist": [ - "CM-7 (2)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230514' do\n title 'RHEL 8 must mount /var/log with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /var/log\nis mounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log is mounted with the \"nodev\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230514'\n tag rid: 'SV-230514r854055_rule'\n tag stig_id: 'RHEL-08-040126'\n tag fix_id: 'F-33158r568289_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log'\n option = 'nodev'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230299' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that contain user home directories.'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. 
This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', %q(Verify file systems that contain user home directories are mounted with the\n\"nosuid\" option.\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is\nautomatically a finding as the \"nosuid\" option cannot be used on the \"/\"\nsystem.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n smithj:1001: /home/smithj\n robinst:1002: /home/robinst\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n $ sudo more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home xfs\nrw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"nosuid\" option set, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that contain user home directories for interactive users.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230299'\n tag rid: 'SV-230299r627750_rule'\n tag stig_id: 'RHEL-08-010570'\n tag fix_id: 'F-32943r567644_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n interactive_users = passwd.where {\n uid.to_i >= 1000 && shell !~ /nologin/\n }\n\n interactive_user_homedirs = interactive_users.homes.map { |home_path|\n 
home_path.match(%r{^(.*)/.*$}).captures.first\n }.uniq\n\n option = 'nosuid'\n\n mounted_on_root = interactive_user_homedirs.select { |dir| dir == '/' }\n not_configured = interactive_user_homedirs.reject { |dir| etc_fstab.where { mount_point == dir }.configured? }\n option_not_set = interactive_user_homedirs.reject { |dir| etc_fstab.where { mount_point == dir }.mount_options.flatten.include?(option) }\n\n describe 'All interactive user home directories' do\n it \"should not be mounted under root ('/')\" do\n expect(mounted_on_root).to be_empty, \"Home directories mounted on root ('/'):\\n\\t- #{mounted_on_root.join(\"\\n\\t- \")}\"\n end\n it 'should be configured in /etc/fstab' do\n expect(not_configured).to be_empty, \"Unconfigured home directories:\\n\\t- #{not_configured.join(\"\\n\\t- \")}\"\n end\n if (option_not_set - not_configured).nil?\n it \"should have the '#{option}' mount option set\" do\n expect(option_not_set - not_configured).to be_empty, \"Mounted home directories without '#{option}' set:\\n\\t- #{not_configured.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230514.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230299.rb", "line": 1 }, - "id": "SV-230514" + "id": "SV-230299" }, { - "title": "The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.", - "desc": "Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.\n Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the\n system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality\n includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),\n setting events to be audited, and setting intrusion detection parameters.\n\n This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and\n environments that require this functionality.", + "title": "RHEL 8 audit tools must be owned by root.", + "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", "descriptions": { - "default": "Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.\n Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the\n system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality\n includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),\n setting events to be audited, and setting intrusion detection parameters.\n\n This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and\n environments that require this functionality.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all\n security functions.\n\n Check that the AIDE package is installed with the following command:\n $ sudo rpm -q aide\n\n aide-0.16-14.el8_5.1.x86_64\n\n If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\n If there is no application installed to perform integrity checks, this is a finding.\n\n If AIDE is installed, check if it has been initialized with the following command:\n $ sudo /usr/sbin/aide --check\n\n If the output is \"Couldn't open file /var/lib/aide/aide.db.gz for reading\", this is a finding.", - "fix": "Install AIDE, initialize it, and perform a manual check.\n\n Install AIDE:\n $ sudo yum install aide\n\n Initialize it:\n $ sudo /usr/sbin/aide --init\n\n Example output:\n Number of entries: 48623\n\n ---------------------------------------------------\n The attributes of the (uncompressed) database(s):\n ---------------------------------------------------\n\n /var/lib/aide/aide.db.new.gz\n SHA1 : LTAVQ8tFJthsrf4m9gfRpnf1vyc=\n SHA256 : NJ9+uzRQKSwmLQ8A6IpKNvYjVKGbhSjt\n BeJBVcmOVrI=\n SHA512 : 7d8I/F6A1b07E4ZuGeilZjefRgJJ/F20\n eC2xoag1OsOVpctt3Mi7Jjjf3vFW4xoY\n 5mdS6/ImQpm0xtlTLOPeQQ==\n\n End timestamp: 2022-10-20 10:50:52 -0700 (run time: 0m 46s)\n\n The new database will need to be renamed to be read by AIDE:\n $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\n Perform a manual check:\n $ sudo /usr/sbin/aide --check\n\n Example output:\n Start 
timestamp: 2022-10-20 11:03:16 -0700 (AIDE 0.16)\n AIDE found differences between database and filesystem!!\n ...\n\n Done." + "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "check": "Verify the audit tools are owned by \"root\" to prevent any unauthorized\naccess, deletion, or modification.\n\n Check the owner of each audit tool by running the following command:\n\n $ sudo stat -c \"%U %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n root /sbin/auditctl\n root /sbin/aureport\n root /sbin/ausearch\n root /sbin/autrace\n root /sbin/auditd\n root /sbin/rsyslogd\n root /sbin/augenrules\n\n If any of the audit tools are not owned by \"root\", this is a finding.", + "fix": "Configure the audit tools to be owned by \"root\", by running the following\ncommand:\n\n $ sudo chown root [audit_tool]\n\n Replace \"[audit_tool]\" with each audit tool not owned by \"root\"." }, "impact": 0.5, "refs": [ 
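Review bot: The nosuid assertion in the new SV-230299 `code` string never executes: `Array#-` never returns nil, so `if (option_not_set - not_configured).nil?` is always false and the example that actually checks the mount option is skipped, leaving the control passing whenever the home file systems are merely present in /etc/fstab. The failure message inside that example also joins `not_configured` rather than the directories that lack the option. Dropping the `if` and its matching `end`, and changing the message to `"Mounted home directories without '#{option}' set:\n\t- #{(option_not_set - not_configured).join("\n\t- ")}"`, fixes both. Separately, `home_path.match(%r{^(.*)/.*$}).captures.first` appears to yield an empty string rather than `/` for a home directory placed directly under root (e.g. `/smithj`), so the `mounted_on_root` comparison against `'/'` would not catch that case — worth confirming against the passwd resource's `homes` values. The same Ruby is referenced at `./Red Hat 8 STIG/controls/SV-230299.rb`, so the correction belongs there as well as in this embedded copy; the control's opening keys sit in the preceding hunk.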
@@ -3705,81 +3681,76 @@ } ], "tags": { - "check_id": "C-55147r880728_chk", "severity": "medium", - "gid": "V-251710", - "rid": "SV-251710r880730_rule", - "stig_id": "RHEL-08-010359", - "gtitle": "SRG-OS-000445-GPOS-00199", - "fix_id": "F-55101r880729_fix", - "documentable": null, + "gtitle": "SRG-OS-000256-GPOS-00097", + "satisfies": [ + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098", + "SRG-OS-000258-GPOS-00099" + ], + "gid": "V-230473", + "rid": "SV-230473r744008_rule", + "stig_id": "RHEL-08-030630", + "fix_id": "F-33117r568166_fix", "cci": [ - "CCI-002696" + "CCI-001493" ], "nist": [ - "SI-6 a" + "AU-9", + "AU-9 a" ], "host": null }, - "code": "control 'SV-251710' do\n title 'The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.'\n desc 'Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.\n Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the\n system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality\n includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),\n setting events to be audited, and setting intrusion detection parameters.\n\n This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and\n environments that require this functionality.'\n desc 'check', %q(Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all\n security functions.\n\n Check that the AIDE package is installed with the following command:\n $ sudo rpm -q aide\n\n aide-0.16-14.el8_5.1.x86_64\n\n If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\n If there is no application installed to perform integrity checks, this is a finding.\n\n If AIDE is installed, check if it has been initialized with the following command:\n $ sudo /usr/sbin/aide --check\n\n If the output is \"Couldn't open file /var/lib/aide/aide.db.gz for reading\", this is a finding.)\n desc 'fix', 'Install AIDE, initialize it, and perform a manual check.\n\n Install AIDE:\n $ sudo yum install aide\n\n Initialize it:\n $ sudo /usr/sbin/aide --init\n\n Example output:\n Number of entries: 48623\n\n ---------------------------------------------------\n The attributes of the (uncompressed) database(s):\n ---------------------------------------------------\n\n /var/lib/aide/aide.db.new.gz\n SHA1 : LTAVQ8tFJthsrf4m9gfRpnf1vyc=\n SHA256 : NJ9+uzRQKSwmLQ8A6IpKNvYjVKGbhSjt\n BeJBVcmOVrI=\n SHA512 : 7d8I/F6A1b07E4ZuGeilZjefRgJJ/F20\n eC2xoag1OsOVpctt3Mi7Jjjf3vFW4xoY\n 5mdS6/ImQpm0xtlTLOPeQQ==\n\n End timestamp: 2022-10-20 10:50:52 -0700 (run time: 0m 46s)\n\n The new database will need to be renamed to be read by AIDE:\n $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\n Perform a manual check:\n $ sudo /usr/sbin/aide --check\n\n Example 
output:\n Start timestamp: 2022-10-20 11:03:16 -0700 (AIDE 0.16)\n AIDE found differences between database and filesystem!!\n ...\n\n Done.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55147r880728_chk'\n tag severity: 'medium'\n tag gid: 'V-251710'\n tag rid: 'SV-251710r880730_rule'\n tag stig_id: 'RHEL-08-010359'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag fix_id: 'F-55101r880729_fix'\n tag 'documentable'\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n tag 'host'\n\n aide_check_fast = input('aide_check_fast') # Default to false if not specified\n\n file_integrity_tool = input('file_integrity_tool')\n\n only_if('Control not applicable within a container', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n if file_integrity_tool == 'aide'\n if aide_check_fast\n describe file('/var/lib/aide/aide.db.gz') do\n it { should exist }\n end\n elsif !input('disable_slow_controls')\n describe command('/usr/sbin/aide --check') do\n its('stdout') { should_not include \"Couldn't open file\" }\n end\n else\n impact 0.0\n describe 'This control takes a long time to execute and has been disabled by slow_controls' do\n skip 'To enable checks, you can either set disable_slow_controls to false or set aide_check_fast to true'\n end\n end\n end\n\n describe package(file_integrity_tool) do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-230473' do\n title 'RHEL 8 audit tools must be owned by root.'\n desc 'Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.'\n desc 'check', 'Verify the audit tools are owned by \"root\" to prevent any unauthorized\naccess, deletion, or modification.\n\n Check the owner of each audit tool by running the following command:\n\n $ sudo stat -c \"%U %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n root /sbin/auditctl\n root /sbin/aureport\n root /sbin/ausearch\n root /sbin/autrace\n root /sbin/auditd\n root /sbin/rsyslogd\n root /sbin/augenrules\n\n If any of the audit tools are not owned by \"root\", this is a finding.'\n desc 'fix', 'Configure the audit tools to be owned by \"root\", by running the following\ncommand:\n\n $ sudo chown root [audit_tool]\n\n Replace \"[audit_tool]\" with each audit tool not owned by \"root\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000256-GPOS-00097'\n tag satisfies: ['SRG-OS-000256-GPOS-00097', 'SRG-OS-000257-GPOS-00098', 'SRG-OS-000258-GPOS-00099']\n tag gid: 'V-230473'\n tag rid: 'SV-230473r744008_rule'\n tag stig_id: 'RHEL-08-030630'\n tag fix_id: 'F-33117r568166_fix'\n tag cci: ['CCI-001493']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_tools = ['/sbin/auditctl', '/sbin/aureport', 
'/sbin/ausearch', '/sbin/autrace', '/sbin/auditd', '/sbin/rsyslogd', '/sbin/augenrules']\n\n failing_tools = audit_tools.reject { |at| file(at).owned_by?('root') }\n\n describe 'Audit executables' do\n it 'should be owned by root' do\n expect(failing_tools).to be_empty, \"Failing tools:\\n\\t- #{failing_tools.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251710.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230473.rb", "line": 1 }, - "id": "SV-251710" + "id": "SV-230473" }, { - "title": "Successful/unsuccessful uses of the delete_module command in RHEL 8\nmust generate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"delete_module\"\ncommand is used to unload a kernel module.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must allocate an audit_backlog_limit of sufficient size to\ncapture processes that start prior to the audit daemon.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. 
Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n Allocating an audit_backlog_limit of sufficient size is critical in\nmaintaining a stable boot process. With an insufficient limit allocated, the\nsystem is susceptible to boot failures and crashes.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"delete_module\"\ncommand is used to unload a kernel module.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"delete_module\" command by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"delete_module\" command by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n Allocating an audit_backlog_limit of sufficient size is critical in\nmaintaining a stable boot process. 
With an insufficient limit allocated, the\nsystem is susceptible to boot failures and crashes.", + "check": "Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\" or greater, is missing, or the line is commented out, this is a finding.\n\nCheck the audit_backlog_limit is set to persist in kernel updates:\n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"\n\nIf \"audit_backlog_limit\" is not set to \"8192\" or greater, is missing or commented out, this is a finding.", + "fix": "Configure RHEL 8 to allocate sufficient audit_backlog_limit to capture\nprocesses that start prior to the audit daemon with the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"audit_backlog_limit=8192\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230446", - "rid": "SV-230446r627750_rule", - "stig_id": "RHEL-08-030390", - "fix_id": "F-33090r568085_fix", + "severity": "low", + "gtitle": "SRG-OS-000341-GPOS-00132", + "gid": "V-230469", + "rid": "SV-230469r877391_rule", + "stig_id": 
"RHEL-08-030602", + "fix_id": "F-33113r568154_fix", "cci": [ - "CCI-000169" + "CCI-001849" ], "nist": [ - "AU-12 a" + "AU-4" ], "host": null }, - "code": "control 'SV-230446' do\n title 'Successful/unsuccessful uses of the delete_module command in RHEL 8\nmust generate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"delete_module\"\ncommand is used to unload a kernel module.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"delete_module\" command by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"delete_module\" command by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n -a always,exit -F arch=b64 -S 
delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230446'\n tag rid: 'SV-230446r627750_rule'\n tag stig_id: 'RHEL-08-030390'\n tag fix_id: 'F-33090r568085_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['delete_module']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", + "code": "control 'SV-230469' do\n title 'RHEL 8 must allocate an audit_backlog_limit of sufficient size to\ncapture processes that start prior to the audit daemon.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. 
Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n Allocating an audit_backlog_limit of sufficient size is critical in\nmaintaining a stable boot process. With an insufficient limit allocated, the\nsystem is susceptible to boot failures and crashes.'\n desc 'check', 'Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\" or greater, is missing, or the line is commented out, this is a finding.\n\nCheck the audit_backlog_limit is set to persist in kernel updates:\n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"\n\nIf \"audit_backlog_limit\" is not set to \"8192\" or greater, is missing or commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to allocate sufficient audit_backlog_limit to capture\nprocesses that start prior to the audit daemon with the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"audit_backlog_limit=8192\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000341-GPOS-00132'\n tag gid: 'V-230469'\n tag rid: 'SV-230469r877391_rule'\n tag stig_id: 'RHEL-08-030602'\n tag fix_id: 'F-33113r568154_fix'\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n tag 
'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_config = command('grub2-editenv - list').stdout\n kernelopts = parse_config(grub_config)['kernelopts'].strip.gsub(' ', \"\\n\")\n grub_cmdline_linux = parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX'].strip.gsub(' ', \"\\n\").gsub('\"',\n '')\n\n expected_backlog_limit = input('expected_backlog_limit')\n\n describe 'kernelopts' do\n subject { parse_config(kernelopts) }\n its('audit_backlog_limit') { should cmp >= expected_backlog_limit }\n end\n\n describe 'persistant kernelopts' do\n subject { parse_config(grub_cmdline_linux) }\n its('audit_backlog_limit') { should cmp >= expected_backlog_limit }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230446.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230469.rb", "line": 1 }, - "id": "SV-230446" + "id": "SV-230469" }, { - "title": "RHEL 8 audit log directory must be group-owned by root to prevent\nunauthorized read access.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", + "title": "All RHEL 8 networked systems must have and implement SSH to protect\nthe confidentiality and integrity of transmitted and received information, as\nwell as information during preparation for transmission.", + "desc": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, 
scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", - "check": "Verify the audit log directory is group-owned by \"root\" to prevent\nunauthorized read access.\n\n Determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Determine the group owner of the audit log directory by using the output of\nthe above command (ex: \"/var/log/audit/\"). Run the following command with the\ncorrect audit log directory path:\n\n $ sudo ls -ld /var/log/audit\n\n drw------- 2 root root 23 Jun 11 11:56 /var/log/audit\n\n If the audit log directory is not group-owned by \"root\", this is a\nfinding.", - "fix": "Configure the audit log to be protected from unauthorized read access by\nsetting the correct group-owner as \"root\" with the following command:\n\n $ sudo chgrp root [audit_log_directory]\n\n Replace \"[audit_log_directory]\" with the correct audit log directory\npath, by default this location is usually \"/var/log/audit\"." 
+ "default": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", + "check": "Verify SSH is loaded and active with the following command:\n\n $ sudo systemctl status sshd\n\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days\nago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a\nfinding.", + "fix": "Configure the SSH service to automatically start after reboot with the\nfollowing command:\n\n $ sudo systemctl enable sshd.service" }, "impact": 0.5, "refs": [ 
@@ -3789,39 +3760,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000057-GPOS-00027", + "gtitle": "SRG-OS-000423-GPOS-00187", "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" ], - "gid": "V-230400", - "rid": "SV-230400r627750_rule", - "stig_id": "RHEL-08-030110", - "fix_id": "F-33044r567947_fix", + "gid": "V-230526", + "rid": "SV-230526r916422_rule", + "stig_id": "RHEL-08-040160", + "fix_id": "F-33170r744031_fix", "cci": [ - "CCI-000162" + "CCI-002418" ], "nist": [ - "AU-9", - "AU-9 a" + "SC-8" ], "host": null }, - "code": "control 'SV-230400' do\n title 'RHEL 8 audit log directory must be group-owned by root to prevent\nunauthorized read access.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.'\n desc 'check', 'Verify the audit log directory is group-owned by \"root\" to prevent\nunauthorized read access.\n\n Determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Determine the group owner of the audit log directory by using the output of\nthe above command (ex: \"/var/log/audit/\"). 
Run the following command with the\ncorrect audit log directory path:\n\n $ sudo ls -ld /var/log/audit\n\n drw------- 2 root root 23 Jun 11 11:56 /var/log/audit\n\n If the audit log directory is not group-owned by \"root\", this is a\nfinding.'\n desc 'fix', 'Configure the audit log to be protected from unauthorized read access by\nsetting the correct group-owner as \"root\" with the following command:\n\n $ sudo chgrp root [audit_log_directory]\n\n Replace \"[audit_log_directory]\" with the correct audit log directory\npath, by default this location is usually \"/var/log/audit\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230400'\n tag rid: 'SV-230400r627750_rule'\n tag stig_id: 'RHEL-08-030110'\n tag fix_id: 'F-33044r567947_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe directory(auditd_conf('/etc/audit/auditd.conf').log_file.split('/')[0..-2].join('/')) do\n its('group') { should be_in input('var_log_audit_group') }\n end\nend\n", + "code": "control 'SV-230526' do\n title 'All RHEL 8 networked systems must have and implement SSH to protect\nthe confidentiality and integrity of transmitted and received information, as\nwell as information during preparation for transmission.'\n desc 'Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and 
facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.'\n desc 'check', 'Verify SSH is loaded and active with the following command:\n\n $ sudo systemctl status sshd\n\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days\nago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a\nfinding.'\n desc 'fix', 'Configure the SSH service to automatically start after reboot with the\nfollowing command:\n\n $ sudo systemctl enable sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000423-GPOS-00187'\n tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag gid: 'V-230526'\n tag rid: 'SV-230526r916422_rule'\n tag stig_id: 'RHEL-08-040160'\n tag fix_id: 'F-33170r744031_fix'\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe systemd_service('sshd.service') do\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230400.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230526.rb", "line": 1 }, - "id": "SV-230400" + "id": "SV-230526" }, { - "title": "RHEL 8 must 
implement smart card logon for multifactor authentication\nfor access to interactive accounts.", - "desc": "Using an authentication device, such as a Common Access Card (CAC) or\ntoken that is separate from the information system, ensures that even if the\ninformation system is compromised, that compromise will not affect credentials\nstored on the authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD CAC.\n\n There are various methods of implementing multifactor authentication for\nRHEL 8. Some methods include a local system multifactor account mapping or\njoining the system to a domain and utilizing a Red Hat idM server or Microsoft\nWindows Active Directory server. Any of these methods will require that the\nclient operating system handle the multifactor authentication correctly.", + "title": "RHEL 8 must mount /dev/shm with the nosuid option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Using an authentication device, such as a Common Access Card (CAC) or\ntoken that is separate from the information system, ensures that even if the\ninformation system is compromised, that compromise will not affect credentials\nstored on the authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD CAC.\n\n There are various methods of implementing multifactor authentication for\nRHEL 8. Some methods include a local system multifactor account mapping or\njoining the system to a domain and utilizing a Red Hat idM server or Microsoft\nWindows Active Directory server. 
Any of these methods will require that the\nclient operating system handle the multifactor authentication correctly.", - "check": "Verify RHEL 8 uses multifactor authentication for local access to accounts.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the \"pam_cert_auth\" setting is set to \"true\" in the \"/etc/sssd/sssd.conf\" file.\n\nCheck that the \"try_cert_auth\" or \"require_cert_auth\" options are configured in both \"/etc/pam.d/system-auth\" and \"/etc/pam.d/smartcard-auth\" files with the following command:\n\n $ sudo grep -ir cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/pam.d/*\n /etc/sssd/sssd.conf:pam_cert_auth = True\n /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth\n /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth\n\nIf \"pam_cert_auth\" is not set to \"true\" in \"/etc/sssd/sssd.conf\", this is a finding.\n\nIf \"pam_sss.so\" is not set to \"try_cert_auth\" or \"require_cert_auth\" in both the \"/etc/pam.d/smartcard-auth\" and \"/etc/pam.d/system-auth\" files, this is a finding.", - "fix": "Configure RHEL 8 to use multifactor authentication for local access to\naccounts.\n\n Add or update the \"pam_cert_auth\" setting in the \"/etc/sssd/sssd.conf\"\nfile to match the following line:\n\n [pam]\n pam_cert_auth = True\n\n Add or update \"pam_sss.so\" with \"try_cert_auth\" or\n\"require_cert_auth\" in the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/smartcard-auth\" files based on the following examples:\n\n /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth\n\n /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore\nignore=ignore default=die] pam_sss.so try_cert_auth\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/dev/shm is mounted without the \"nosuid\" option, this is a finding.", + "fix": "Configure the system so that /dev/shm is mounted with the \"nosuid\"\noption by adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
@@ -3831,39 +3802,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000105-GPOS-00052", - "satisfies": [ - "SRG-OS-000105-GPOS-00052", - "SRG-OS-000106-GPOS-00053", - "SRG-OS-000107-GPOS-00054", - "SRG-OS-000108-GPOS-00055" - ], - "gid": "V-230372", - "rid": "SV-230372r942945_rule", - "stig_id": "RHEL-08-020250", - "fix_id": "F-33016r942944_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230509", + "rid": "SV-230509r854050_rule", + "stig_id": "RHEL-08-040121", + "fix_id": "F-33153r568274_fix", "cci": [ - "CCI-000765" + "CCI-001764" ], "nist": [ - "IA-2 (1)" + "CM-7 (2)" ], "host": null }, - "code": "control 'SV-230372' do\n title 'RHEL 8 must implement smart card logon for multifactor authentication\nfor access to interactive accounts.'\n desc 'Using an authentication device, such as a Common Access Card (CAC) or\ntoken that is separate from the information system, ensures that even if the\ninformation system is compromised, that compromise will not affect credentials\nstored on the authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD CAC.\n\n There are various methods of implementing multifactor authentication for\nRHEL 8. Some methods include a local system multifactor account mapping or\njoining the system to a domain and utilizing a Red Hat idM server or Microsoft\nWindows Active Directory server. 
Any of these methods will require that the\nclient operating system handle the multifactor authentication correctly.'\n desc 'check', 'Verify RHEL 8 uses multifactor authentication for local access to accounts.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the \"pam_cert_auth\" setting is set to \"true\" in the \"/etc/sssd/sssd.conf\" file.\n\nCheck that the \"try_cert_auth\" or \"require_cert_auth\" options are configured in both \"/etc/pam.d/system-auth\" and \"/etc/pam.d/smartcard-auth\" files with the following command:\n\n $ sudo grep -ir cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/pam.d/*\n /etc/sssd/sssd.conf:pam_cert_auth = True\n /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth\n /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth\n\nIf \"pam_cert_auth\" is not set to \"true\" in \"/etc/sssd/sssd.conf\", this is a finding.\n\nIf \"pam_sss.so\" is not set to \"try_cert_auth\" or \"require_cert_auth\" in both the \"/etc/pam.d/smartcard-auth\" and \"/etc/pam.d/system-auth\" files, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use multifactor authentication for local access to\naccounts.\n\n Add or update the \"pam_cert_auth\" setting in the \"/etc/sssd/sssd.conf\"\nfile to match the following line:\n\n [pam]\n pam_cert_auth = True\n\n Add or update \"pam_sss.so\" with \"try_cert_auth\" or\n\"require_cert_auth\" in the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/smartcard-auth\" files based on the following examples:\n\n /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth\n\n /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore\nignore=ignore default=die] pam_sss.so try_cert_auth\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000105-GPOS-00052'\n tag satisfies: ['SRG-OS-000105-GPOS-00052', 'SRG-OS-000106-GPOS-00053', 'SRG-OS-000107-GPOS-00054', 'SRG-OS-000108-GPOS-00055']\n tag gid: 'V-230372'\n tag rid: 'SV-230372r942945_rule'\n tag stig_id: 'RHEL-08-020250'\n tag fix_id: 'F-33016r942944_fix'\n tag cci: ['CCI-000765']\n tag nist: ['IA-2 (1)']\n tag 'host'\n\n only_if('If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.', impact: 0.0) {\n input('smart_card_enabled')\n }\n\n sssd_conf_files = input('sssd_conf_files')\n sssd_conf_contents = ini({ command: \"cat #{input('sssd_conf_files').join(' ')}\" })\n\n pam_auth_files = input('pam_auth_files')\n\n describe 'SSSD' do\n it 'should be installed and enabled' do\n expect(service('sssd')).to be_installed.and be_enabled\n expect(sssd_conf_contents.params).to_not be_empty, \"SSSD configuration files not found or have no content; files checked:\\n\\t- #{sssd_conf_files.join(\"\\n\\t- \")}\"\n end\n if sssd_conf_contents.params.nil?\n it 'should configure pam_cert_auth' do\n expect(sssd_conf_contents.sssd.pam_cert_auth).to eq(true)\n end\n end\n end\n\n [pam_auth_files['system-auth'], pam_auth_files['smartcard-auth']].each do |path|\n describe pam(path) do\n its('lines') { should match_pam_rule('.* .* pam_sss.so (try_cert_auth|require_cert_auth)') }\n end\n end\nend\n", + "code": "control 'SV-230509' do\n title 'RHEL 8 must mount /dev/shm with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/dev/shm is mounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /dev/shm is mounted with the \"nosuid\"\noption by adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230509'\n tag 
rid: 'SV-230509r854050_rule'\n tag stig_id: 'RHEL-08-040121'\n tag fix_id: 'F-33153r568274_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/dev/shm'\n option = 'nosuid'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230372.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230509.rb", "line": 1 }, - "id": "SV-230372" + "id": "SV-230509" }, { - "title": "All RHEL 8 local interactive user accounts must be assigned a home\ndirectory upon creation.", - "desc": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "title": "RHEL 8 must disable core dumps for all users.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. 
The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", "descriptions": { - "default": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", - "check": "Verify all local interactive users on RHEL 8 are assigned a home directory\nupon creation with the following command:\n\n $ sudo grep -i create_home /etc/login.defs\n\n CREATE_HOME yes\n\n If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line\nis missing, or the line is commented out, this is a finding.", - "fix": "Configure RHEL 8 to assign home directories to all new local interactive\nusers by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to\n\"yes\" as follows.\n\n CREATE_HOME yes" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. 
The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", + "check": "Verify the operating system disables core dumps for all users by issuing\nthe following command:\n\n $ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf\n/etc/security/limits.d/*.conf\n\n * hard core 0\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"core\" item is missing, commented out, or the value is anything\nother than \"0\" and the need for core dumps is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement for\nall domains that have the \"core\" item assigned, this is a finding.", + "fix": "Configure the operating system to disable core dumps for all users.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/:\n\n * hard core 0" }, "impact": 0.5, "refs": [ 
@@ -3874,33 +3839,33 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230324", - "rid": "SV-230324r627750_rule", - "stig_id": "RHEL-08-010760", - "fix_id": "F-32968r567719_fix", + "gid": "V-230313", + "rid": "SV-230313r627750_rule", + "stig_id": "RHEL-08-010673", + "fix_id": "F-32957r619861_fix", "cci": [ "CCI-000366" ], + "legacy": [], "nist": [ "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230324' do\n title 'All RHEL 8 local interactive user accounts must be assigned a home\ndirectory upon creation.'\n desc 'If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.'\n desc 'check', 'Verify all local interactive users on RHEL 8 are assigned a home directory\nupon creation with the following command:\n\n $ sudo grep -i create_home /etc/login.defs\n\n CREATE_HOME yes\n\n If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line\nis missing, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to assign home directories to all new local interactive\nusers by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to\n\"yes\" as follows.\n\n CREATE_HOME yes'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230324'\n tag rid: 'SV-230324r627750_rule'\n tag stig_id: 'RHEL-08-010760'\n tag fix_id: 'F-32968r567719_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('CREATE_HOME') { should eq 'yes' }\n end\nend\n", + "code": "control 'SV-230313' do\n title 'RHEL 8 must disable core dumps for all users.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. 
These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.'\n desc 'check', %q(Verify the operating system disables core dumps for all users by issuing\nthe following command:\n\n $ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf\n/etc/security/limits.d/*.conf\n\n * hard core 0\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"core\" item is missing, commented out, or the value is anything\nother than \"0\" and the need for core dumps is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement for\nall domains that have the \"core\" item assigned, this is a finding.)\n desc 'fix', 'Configure the operating system to disable core dumps for all users.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/:\n\n * hard core 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230313'\n tag rid: 'SV-230313r627750_rule'\n tag stig_id: 'RHEL-08-010673'\n tag fix_id: 'F-32957r619861_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n setting = 'core'\n expected_value = input('core_dump_expected_value')\n\n limits_files = command('ls /etc/security/limits.d/*.conf').stdout.strip.split\n limits_files.append('/etc/security/limits.conf')\n\n # make sure that at least one limits.conf file has the correct 
setting\n globally_set = limits_files.any? { |lf| !limits_conf(lf).read_params['*'].nil? && limits_conf(lf).read_params['*'].include?(['hard', setting.to_s, expected_value.to_s]) }\n\n # make sure that no limits.conf file has a value that contradicts the global set\n failing_files = limits_files.select { |lf|\n limits_conf(lf).read_params.values.flatten(1).any? { |l|\n l[1].eql?(setting) && !l[2].to_i.eql?(expected_value)\n }\n }\n describe 'Limits files' do\n it 'should disallow core dumps by default' do\n expect(globally_set).to eq(true), \"No correct global ('*') setting found\"\n end\n it 'should not have any conflicting settings' do\n expect(failing_files).to be_empty, \"Files with incorrect '#{setting}' settings:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230324.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230313.rb", "line": 1 }, - "id": "SV-230324" + "id": "SV-230313" }, { - "title": "RHEL 8 must mount /var/log/audit with the noexec option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must use the invoking user's password for privilege escalation\nwhen using \"sudo\".", + "desc": "The sudoers security policy requires that users authenticate\nthemselves before they can use sudo. When sudoers requires authentication, it\nvalidates the invoking user's credentials. If the rootpw, targetpw, or runaspw\nflags are defined and not disabled, by default the operating system will prompt\nthe invoking user for the \"root\" user password.\n For more information on each of the listed configurations, reference the\nsudoers(5) manual page.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/log/audit\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/var/log/audit is mounted without the \"noexec\" option, this is a finding.", - "fix": "Configure the system so that /var/log/audit is mounted with the \"noexec\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0" + "default": "The sudoers security policy requires that users authenticate\nthemselves before they can use sudo. When sudoers requires authentication, it\nvalidates the invoking user's credentials. 
If the rootpw, targetpw, or runaspw\nflags are defined and not disabled, by default the operating system will prompt\nthe invoking user for the \"root\" user password.\n For more information on each of the listed configurations, reference the\nsudoers(5) manual page.", + "check": "Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n /etc/sudoers:Defaults !targetpw\n /etc/sudoers:Defaults !rootpw\n /etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.", + "fix": "Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n Defaults !targetpw\n Defaults !rootpw\n Defaults !runaspw\n\nRemove any configurations that conflict with the above from the following locations:\n /etc/sudoers\n /etc/sudoers.d/" }, "impact": 0.5, "refs": [ 
@@ -3910,33 +3875,74 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230519", - "rid": "SV-230519r854060_rule", - "stig_id": "RHEL-08-040131", - "fix_id": "F-33163r568304_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-237642", + "rid": "SV-237642r880727_rule", + "stig_id": "RHEL-08-010383", + "fix_id": "F-40824r880726_fix", "cci": [ - "CCI-001764" + "CCI-002227" ], "nist": [ - "CM-7 (2)" + "AC-6 (5)" ], "host": null }, - "code": "control 'SV-230519' do\n title 'RHEL 8 must mount /var/log/audit with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log/audit\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/var/log/audit is mounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log/audit is mounted with the \"noexec\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230519'\n tag rid: 'SV-230519r854060_rule'\n tag stig_id: 'RHEL-08-040131'\n tag fix_id: 'F-33163r568304_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log/audit'\n option = 'noexec'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-237642' do\n title %q(RHEL 8 must use the invoking user's password for privilege escalation\nwhen using \"sudo\".)\n desc %q(The sudoers security policy requires that users authenticate\nthemselves before they 
can use sudo. When sudoers requires authentication, it\nvalidates the invoking user's credentials. If the rootpw, targetpw, or runaspw\nflags are defined and not disabled, by default the operating system will prompt\nthe invoking user for the \"root\" user password.\n For more information on each of the listed configurations, reference the\nsudoers(5) manual page.)\n desc 'check', %q(Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n /etc/sudoers:Defaults !targetpw\n /etc/sudoers:Defaults !rootpw\n /etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.)\n desc 'fix', 'Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n Defaults !targetpw\n Defaults !rootpw\n Defaults !runaspw\n\nRemove any configurations that conflict with the above from the following locations:\n /etc/sudoers\n /etc/sudoers.d/'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-237642'\n tag rid: 'SV-237642r880727_rule'\n tag stig_id: 'RHEL-08-010383'\n tag fix_id: 'F-40824r880726_fix'\n tag cci: ['CCI-002227']\n tag nist: ['AC-6 (5)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers without sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n settings = sudoers(input('sudoers_config_files').join(' ')).settings['Defaults']\n\n describe 'Sudoers file(s) settings' do\n it 'should set !targetpw' do\n expect(settings).to include('!targetpw'), 'Sudoers file(s) do not set !targetpw'\n 
expect(settings).not_to include('targetpw'), 'Sudoers file(s) set targetpw'\n end\n it 'should set !rootpw' do\n expect(settings).to include('!rootpw'), 'Sudoers file(s) do not set !rootpw'\n expect(settings).not_to include('rootpw'), 'Sudoers file(s) set rootpw'\n end\n it 'should set !runaspw' do\n expect(settings).to include('!runaspw'), 'Sudoers file(s) do not set !runaspw'\n expect(settings).not_to include('runaspw'), 'Sudoers file(s) set runaspw'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230519.rb", + "ref": "./Red Hat 8 STIG/controls/SV-237642.rb", "line": 1 }, - "id": "SV-230519" + "id": "SV-237642" }, { - "title": "Successful/unsuccessful uses of the su command in RHEL 8 must generate\nan audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"su\" command allows a\nuser to run commands with a substitute user and group ID.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must include root when automatically locking an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts occur during a 15-minute time period.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. 
Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"su\" command allows a\nuser to run commands with a substitute user and group ID.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates audit records when successful/unsuccessful attempts\nto use the \"su\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/su /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset\n-k privileged-priv_change\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure RHEL 8 to generate audit records when successful/unsuccessful\nattempts to use the \"su\" command occur by adding or updating the following\nrule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset\n-k privileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect." + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.", + "check": "Check that the system includes the root account when locking an account\nafter three unsuccessful logon attempts within a period of 15 minutes with the\nfollowing commands:\n\n If the system is RHEL version 8.2 or newer, this check is not applicable.\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"even_deny_root\" option is missing from the \"preauth\" line with\nthe \"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"even_deny_root\" option is missing from the \"preauth\" line with\nthe \"pam_faillock.so\" module, this is a finding.", + "fix": "Configure the operating system to include root when locking an account\nafter three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service 
must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + }, + "impact": 0.5, + "refs": [ + { + "ref": "DPMS Target Red Hat Enterprise Linux 8" + } + ], + "tags": { + "severity": "medium", + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-230344", + "rid": "SV-230344r646874_rule", + "stig_id": "RHEL-08-020022", + "fix_id": "F-32988r567779_fix", + "cci": [ + "CCI-000044" + ], + "nist": [ + "AC-7 a" + ], + "host": null, + "container": null + }, + "code": "control 'SV-230344' do\n title 'RHEL 8 must include root when automatically locking an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts occur during a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.'\n desc 'check', 'Check that the system includes the root account when locking an account\nafter three unsuccessful logon attempts within a period of 15 minutes with the\nfollowing commands:\n\n If the system is RHEL version 8.2 or newer, this check is not applicable.\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"even_deny_root\" option is missing from the \"preauth\" line with\nthe \"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"even_deny_root\" option is missing from the \"preauth\" line with\nthe \"pam_faillock.so\" module, this is a finding.'\n desc 'fix', 'Configure the operating system to include root when locking an account\nafter three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" 
service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230344'\n tag rid: 'SV-230344r646874_rule'\n tag stig_id: 'RHEL-08-020022'\n tag fix_id: 'F-32988r567779_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('If the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('even_deny_root')\n }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('even_deny_root')\n }\n end\nend\n", + "source_location": { + "ref": "./Red Hat 8 STIG/controls/SV-230344.rb", + "line": 1 + }, + "id": "SV-230344" + }, + { + "title": "Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). 
The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nThe \"creat\" system call is used to open and possibly create a file or device.\nThe \"open\" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by \"open\".\nThe \"openat\" system call opens a file specified by a relative pathname.\nThe \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of \"openat\" into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). 
The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nThe \"creat\" system call is used to open and possibly create a file or device.\nThe \"open\" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by \"open\".\nThe \"openat\" system call opens a file specified by a relative pathname.\nThe \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of \"openat\" into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.", + "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep 'open\\|truncate\\|creat' /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.\nIf the command does not return an audit rule for \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" or any of the lines returned are commented out, this is a finding.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F 
auid!=unset -k perm_access\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ @@ -3951,17 +3957,15 @@ "SRG-OS-000062-GPOS-00031", "SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000064-GPOS-0003", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", - "SRG-OS-000466-GPOS-00210" + "SRG-OS-000064-GPOS-00033" ], - "gid": "V-230412", - "rid": "SV-230412r627750_rule", - "stig_id": "RHEL-08-030190", - "fix_id": "F-33056r567983_fix", + "gid": "V-230449", + "rid": "SV-230449r810455_rule", + "stig_id": "RHEL-08-030420", + "fix_id": "F-33093r809304_fix", "cci": [ "CCI-000169" ], 
@@ -3970,20 +3974,20 @@ ], "host": null }, - "code": "control 'SV-230412' do\n title 'Successful/unsuccessful uses of the su command in RHEL 8 must generate\nan audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"su\" command allows a\nuser to run commands with a substitute user and group ID.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates audit records when successful/unsuccessful attempts\nto use the \"su\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/su /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset\n-k privileged-priv_change\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records when successful/unsuccessful\nattempts to use the \"su\" command occur by adding or updating the following\nrule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset\n-k privileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: 
['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000064-GPOS-0003', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230412'\n tag rid: 'SV-230412r627750_rule'\n tag stig_id: 'RHEL-08-030190'\n tag fix_id: 'F-33056r567983_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/su'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230449' do\n title 'Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nThe \"creat\" system call is used to open and possibly create a file or device.\nThe \"open\" system call opens a file specified by a pathname. 
If the specified file does not exist, it may optionally be created by \"open\".\nThe \"openat\" system call opens a file specified by a relative pathname.\nThe \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of \"openat\" into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', %q(Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep 'open\\|truncate\\|creat' /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.\nIf the command does not return an audit rule for \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" or any of the lines returned are commented out, this is a finding.)\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 
-F auid!=unset -k perm_access\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000064-GPOS-00033']\n tag gid: 'V-230449'\n tag rid: 'SV-230449r810455_rule'\n tag stig_id: 'RHEL-08-030420'\n tag fix_id: 'F-33093r809304_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['truncate', 'ftruncate', 'creat', 'open', 'openat', 'open_by_handle_at']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230412.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230449.rb", "line": 1 }, - "id": "SV-230412" + "id": "SV-230449" }, { - "title": "The RHEL 8 
audit system must audit local events.", - "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.", + "title": "A sticky bit must be set on all RHEL 8 public directories to prevent\nunauthorized and unintended information transferred via shared system\nresources.", + "desc": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. 
This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", "descriptions": { - "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.", - "check": "Verify the RHEL 8 Audit Daemon is configured to include local events, with\nthe following command:\n\n $ sudo grep local_events /etc/audit/auditd.conf\n\n local_events = yes\n\n If the value of the \"local_events\" option is not set to \"yes\", or the\nline is commented out, this is a finding.", - "fix": "Configure RHEL 8 to audit local events on the system.\n\nAdd or update the following line in \"/etc/audit/auditd.conf\" file:\n\nlocal_events = yes" + "default": "Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. 
The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.", + "check": "Verify that all world-writable directories have the sticky bit set.\n\nCheck to see that all world-writable directories have the sticky bit set by running the following command:\n\n$ sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null\n\ndrwxrwxrwt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.", + "fix": "Configure all world-writable directories to have the sticky bit set to\nprevent unauthorized and unintended information transferred via shared system\nresources.\n\n Set the sticky bit on all world-writable directories using the command,\nreplace \"[World-Writable Directory]\" with any directory path missing the\nsticky bit:\n\n $ sudo chmod 1777 [World-Writable Directory]" }, "impact": 0.5, "refs": [ 
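Review bot: The InSpec body for SV-230449 never asserts the `exit=-EPERM` / `exit=-EACCES` filters that its own check text makes mandatory ("If the output does not produce rules containing -F exit=-EPERM, this is a finding"), so a host with only one of the two rule sets, or with an unfiltered open/truncate rule, passes the automated control while failing the manual check. The field assertion only pins `auid>=1000` and `auid!=-1`; since the surrounding `.uniq` calls indicate `auditd.syscall` aggregates across every rule naming the syscall, extending that one line appears sufficient: `expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1', 'exit=-EPERM', 'exit=-EACCES')`. The change belongs in `Red Hat 8 STIG/controls/SV-230449.rb` with this JSON regenerated, since the `code` string here is a rendered copy of that file.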
@@ -3993,33 +3997,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230393", - "rid": "SV-230393r627750_rule", - "stig_id": "RHEL-08-030061", - "fix_id": "F-33037r567926_fix", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-230243", + "rid": "SV-230243r792857_rule", + "stig_id": "RHEL-08-010190", + "fix_id": "F-32887r567476_fix", "cci": [ - "CCI-000366" + "CCI-001090" ], "nist": [ - "CM-6 b" + "SC-4" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230393' do\n title 'The RHEL 8 audit system must audit local events.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.'\n desc 'check', 'Verify the RHEL 8 Audit Daemon is configured to include local events, with\nthe following command:\n\n $ sudo grep local_events /etc/audit/auditd.conf\n\n local_events = yes\n\n If the value of the \"local_events\" option is not set to \"yes\", or the\nline is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to audit local events on the system.\n\nAdd or update the following line in \"/etc/audit/auditd.conf\" file:\n\nlocal_events = yes'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230393'\n tag rid: 'SV-230393r627750_rule'\n tag stig_id: 'RHEL-08-030061'\n tag fix_id: 'F-33037r567926_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) 
{\n !virtualization.system.eql?('docker')\n }\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('local_events') { should eq 'yes' }\n end\nend\n", + "code": "control 'SV-230243' do\n title 'A sticky bit must be set on all RHEL 8 public directories to prevent\nunauthorized and unintended information transferred via shared system\nresources.'\n desc 'Preventing unauthorized information transfers mitigates the risk of\ninformation, including encrypted representations of information, produced by\nthe actions of prior users/roles (or the actions of processes acting on behalf\nof prior users/roles) from being available to any current users/roles (or\ncurrent processes) that obtain access to shared system resources (e.g.,\nregisters, main memory, hard disks) after those resources have been released\nback to information systems. The control of information in shared resources is\nalso commonly referred to as object reuse and residual information protection.\n\n This requirement generally applies to the design of an information\ntechnology product, but it can also apply to the configuration of particular\ninformation system components that are, or use, such products. This can be\nverified by acceptance/validation processes in DoD or other government agencies.\n\n There may be shared resources with configurable protections (e.g., files in\nstorage) that may be assessed on specific information system components.'\n desc 'check', 'Verify that all world-writable directories have the sticky bit set.\n\nCheck to see that all world-writable directories have the sticky bit set by running the following command:\n\n$ sudo find / -type d \\\\( -perm -0002 -a ! 
-perm -1000 \\\\) -print 2>/dev/null\n\ndrwxrwxrwt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.'\n desc 'fix', 'Configure all world-writable directories to have the sticky bit set to\nprevent unauthorized and unintended information transferred via shared system\nresources.\n\n Set the sticky bit on all world-writable directories using the command,\nreplace \"[World-Writable Directory]\" with any directory path missing the\nsticky bit:\n\n $ sudo chmod 1777 [World-Writable Directory]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag gid: 'V-230243'\n tag rid: 'SV-230243r792857_rule'\n tag stig_id: 'RHEL-08-010190'\n tag fix_id: 'F-32887r567476_fix'\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host'\n tag 'container'\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n ww_dirs = command(\"find #{partitions} -type d \\\\( -perm -0002 -a ! -perm -1000 \\\\) -print 2>/dev/null\").stdout.split(\"\\n\")\n\n if ww_dirs.empty?\n describe 'List of world-writable directories on the target' do\n subject { ww_dirs }\n it { should be_empty }\n end\n else\n non_sticky_ww_dirs = ww_dirs.reject { |dir| file(dir).sticky? 
}\n describe 'All world-writeable directories' do\n it 'should have the sticky bit set' do\n fail_msg = \"Public directories without sticky bit:\\n\\t- #{non_sticky_ww_dirs.join(\"\\n\\t- \")}\"\n expect(non_sticky_ww_dirs).to be_empty, fail_msg\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230393.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230243.rb", "line": 1 }, - "id": "SV-230393" + "id": "SV-230243" }, { - "title": "Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" and \"finit_module\" system calls are used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.", + "title": "RHEL 8 must take appropriate action when the internal event queue is\nfull.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" and \"finit_module\" system calls are used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.", - "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep init_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nIf the command does not return an audit rule for \"init_module\" and \"finit_module\" or any of the lines returned are commented out, this is a finding.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"init_module\" and \"finit_module\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.", + "check": "Verify the audit system is configured to take an appropriate action when\nthe internal event queue is full:\n\n $ sudo grep -i overflow_action /etc/audit/auditd.conf\n\n overflow_action = syslog\n\n If the value of the \"overflow_action\" option is not set to \"syslog\",\n\"single\", \"halt\", or the line is commented out, ask the System\nAdministrator to indicate how the audit logs are off-loaded to a different\nsystem or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media takes appropriate action if the internal\nevent queue becomes full, this is a finding.", + "fix": "Edit the /etc/audit/auditd.conf file and add or update the\n\"overflow_action\" option:\n\n overflow_action = syslog\n\n The audit daemon must be restarted for changes to take effect." }, "impact": 0.5, "refs": [ 
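Review bot: In the SV-230243 code, `find #{partitions} -type d ...` interpolates a Ruby Array, and `Array#to_s` renders it as `["/", "/boot", ...]`, so the shell receives tokens like `["/",` and `"/boot"]` rather than mount points; none of those paths exist, `2>/dev/null` hides find's errors, `ww_dirs` comes back empty, and the control passes vacuously without ever inspecting a directory. The search roots should be joined as separate arguments, `ww_dirs = command("find #{partitions.join(' ')} -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null").stdout.split("\n")`, and it is worth adding an assertion that the command exited 0 (or that stderr is empty before discarding it) so a broken invocation cannot read as compliant. As with the other rendered controls, the fix belongs in `Red Hat 8 STIG/controls/SV-230243.rb` and should be regenerated into this JSON.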
@@ -4029,41 +4034,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000342-GPOS-00133", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000342-GPOS-00133", + "SRG-OS-000479-GPOS-00224" ], - "gid": "V-230438", - "rid": "SV-230438r810464_rule", - "stig_id": "RHEL-08-030360", - "fix_id": "F-33082r810448_fix", + "gid": "V-230480", + "rid": "SV-230480r877390_rule", + "stig_id": "RHEL-08-030700", + "fix_id": "F-33124r568187_fix", "cci": [ - "CCI-000169" + "CCI-001851" ], "nist": [ - "AU-12 a" + "AU-4 (1)" ], "host": null }, - "code": "control 'SV-230438' do\n title 'Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" and \"finit_module\" system calls are used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', 'Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep init_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nIf the command does not return an audit rule for \"init_module\" and \"finit_module\" or any of the lines returned are commented out, this is a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"init_module\" and \"finit_module\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230438'\n tag rid: 'SV-230438r810464_rule'\n tag stig_id: 'RHEL-08-030360'\n tag fix_id: 'F-33082r810448_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['init_module', 'finit_module']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each 
do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", + "code": "control 'SV-230480' do\n title 'RHEL 8 must take appropriate action when the internal event queue is\nfull.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.'\n desc 'check', 'Verify the audit system is configured to take an appropriate action when\nthe internal event queue is full:\n\n $ sudo grep -i overflow_action /etc/audit/auditd.conf\n\n overflow_action = syslog\n\n If the value of the \"overflow_action\" option is not set to \"syslog\",\n\"single\", \"halt\", or the line is commented out, ask the System\nAdministrator to indicate how the audit logs are off-loaded to a different\nsystem or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media takes appropriate action if the internal\nevent queue becomes full, this is a finding.'\n desc 'fix', 'Edit the /etc/audit/auditd.conf file and add or update the\n\"overflow_action\" option:\n\n overflow_action = syslog\n\n The audit daemon must be restarted for changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-230480'\n tag rid: 'SV-230480r877390_rule'\n tag stig_id: 'RHEL-08-030700'\n tag fix_id: 'F-33124r568187_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. 
Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('overflow_action') { should match(/syslog$|single$|halt$/i) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230438.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230480.rb", "line": 1 }, - "id": "SV-230438" + "id": "SV-230480" }, { - "title": "RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts occur\nduring a 15-minute time period.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "The RHEL 8 SSH daemon must not allow Kerberos authentication, except\nto fulfill documented and validated mission requirements.", + "desc": "Configuring these settings for the SSH daemon provides additional\nassurance that remote logon via SSH will not use unused methods of\nauthentication, even in the event of misconfiguration elsewhere.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Check that the system locks an account after three unsuccessful logon\nattempts within a period of 15 minutes until released by an administrator with\nthe following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"unlock_time\" option is not set to \"0\" on the \"preauth\" and\n\"authfail\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"unlock_time\" option is not set to \"0\" on the \"preauth\" and\n\"authfail\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.", - "fix": "Configure the operating system to lock an account until released by 
an\nadministrator when three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + "default": "Configuring these settings for the SSH daemon provides additional\nassurance that remote logon via SSH will not use unused methods of\nauthentication, even in the event of misconfiguration elsewhere.", + "check": "Verify the SSH daemon does not allow Kerberos authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*kerberosauthentication'\n\nKerberosAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the SSH daemon to not allow Kerberos authentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n KerberosAuthentication no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
@@ -4073,38 +4074,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", - "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" - ], - "gid": "V-230336", - "rid": "SV-230336r627750_rule", - "stig_id": "RHEL-08-020014", - "fix_id": "F-32980r567755_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230291", + "rid": "SV-230291r952105_rule", + "stig_id": "RHEL-08-010521", + "fix_id": "F-32935r743956_fix", "cci": [ - "CCI-000044" + "CCI-000366" ], "nist": [ - "AC-7 a" + "CM-6 b" ], "host": null, - "container": null + "container-conditional": null }, - "code": "control 'SV-230336' do\n title 'RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts occur\nduring a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the system locks an account after three unsuccessful logon\nattempts within a period of 15 minutes until released by an administrator with\nthe following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"unlock_time\" option is not set to \"0\" on the \"preauth\" and\n\"authfail\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"unlock_time\" option is not set to \"0\" on the \"preauth\" and\n\"authfail\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.'\n desc 'fix', 'Configure the operating system to lock an account until released by an\nadministrator when three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth 
dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230336'\n tag rid: 'SV-230336r627750_rule'\n tag stig_id: 'RHEL-08-020014'\n tag fix_id: 'F-32980r567755_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL version 8.1 and earlier. If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') do\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args('unlock_time=(0|never)').or \\\n (match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '<=',\n 604_800).and \\\n match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '>=',\n input('lockout_time')))\n end\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') do\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args('unlock_time=(0|never)').or \\\n (match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '<=',\n 604_800).and \\\n match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '>=',\n input('lockout_time')))\n end\n end\nend\n", + "code": "control 'SV-230291' do\n title 'The RHEL 8 SSH daemon 
must not allow Kerberos authentication, except\nto fulfill documented and validated mission requirements.'\n desc 'Configuring these settings for the SSH daemon provides additional\nassurance that remote logon via SSH will not use unused methods of\nauthentication, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow Kerberos authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*kerberosauthentication'\n\nKerberosAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow Kerberos authentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n KerberosAuthentication no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230291'\n tag rid: 'SV-230291r952105_rule'\n tag stig_id: 'RHEL-08-010521'\n tag fix_id: 'F-32935r743956_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n describe sshd_active_config do\n its('KerberosAuthentication') { should cmp 'no' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230336.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230291.rb", "line": 1 }, - "id": "SV-230336" + "id": "SV-230291" }, { - "title": "RHEL 8 must securely compare internal information system clocks at\nleast every 24 hours with a server synchronized to an authoritative time\nsource, such as the United States Naval Observatory (USNO) time servers, or a\ntime server designated for the appropriate DoD network (NIPRNet/SIPRNet),\nand/or the Global Positioning System (GPS).", - "desc": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. 
Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).\n\n If time stamps are not consistently applied and there is no common time\nreference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the operating system include date and time. Time\nis commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.\n\n RHEL 8 utilizes the \"timedatectl\" command to view the status of the\n\"systemd-timesyncd.service\". The \"timedatectl\" status will display the\nlocal time, UTC, and the offset from UTC.\n\n Note that USNO offers authenticated NTP service to DoD and U.S. Government\nagencies operating on the NIPR and SIPR networks. Visit\nhttps://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.", + "title": "Cron logging must be implemented in RHEL 8.", + "desc": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", "descriptions": { - "default": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. 
Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).\n\n If time stamps are not consistently applied and there is no common time\nreference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the operating system include date and time. Time\nis commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.\n\n RHEL 8 utilizes the \"timedatectl\" command to view the status of the\n\"systemd-timesyncd.service\". The \"timedatectl\" status will display the\nlocal time, UTC, and the offset from UTC.\n\n Note that USNO offers authenticated NTP service to DoD and U.S. Government\nagencies operating on the NIPR and SIPR networks. 
Visit\nhttps://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.", - "check": "Verify RHEL 8 is securely comparing internal information system clocks at\nleast every 24 hours with an NTP server with the following commands:\n\n $ sudo grep maxpoll /etc/chrony.conf\n\n server 0.us.pool.ntp.mil iburst maxpoll 16\n\n If the \"maxpoll\" option is set to a number greater than 16 or the line is\ncommented out, this is a finding.\n\n Verify the \"chrony.conf\" file is configured to an authoritative DoD time\nsource by running the following command:\n\n $ sudo grep -i server /etc/chrony.conf\n server 0.us.pool.ntp.mil\n\n If the parameter \"server\" is not set or is not set to an authoritative\nDoD time source, this is a finding.", - "fix": "Configure the operating system to securely compare internal information\nsystem clocks at least every 24 hours with an NTP server by adding/modifying\nthe following line in the /etc/chrony.conf file.\n\n server [ntp.server.name] iburst maxpoll 16" + "default": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. 
It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", + "check": "Verify that \"rsyslog\" is configured to log cron events with the following\ncommand:\n\n Note: If another logging package is used, substitute the utility\nconfiguration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n $ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none\n /var/log/messages\n /etc/rsyslog.conf:# Log cron stuff\n /etc/rsyslog.conf:cron.*\n /var/log/cron\n\n If the command does not return a response, check for cron logging all\nfacilities with the following command.\n\n $ sudo grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none\n /var/log/messages\n\n If \"rsyslog\" is not logging messages for the cron facility or all\nfacilities, this is a finding.", + "fix": "Configure \"rsyslog\" to log all cron messages by adding or updating the\nfollowing line to \"/etc/rsyslog.conf\" or a configuration file in the\n/etc/rsyslog.d/ directory:\n\n cron.* /var/log/cron\n\n The rsyslog daemon must be restarted for the changes to take effect:\n $ sudo systemctl restart rsyslog.service" }, "impact": 0.5, "refs": [ 
@@ -4114,38 +4111,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000355-GPOS-00143", - "satisfies": [ - "SRG-OS-000355-GPOS-00143", - "SRG-OS-000356-GPOS-00144", - "SRG-OS-000359-GPOS-00146" - ], - "gid": "V-230484", - "rid": "SV-230484r877038_rule", - "stig_id": "RHEL-08-030740", - "fix_id": "F-33128r568199_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230387", + "rid": "SV-230387r743996_rule", + "stig_id": "RHEL-08-030010", + "fix_id": "F-33031r743995_fix", "cci": [ - "CCI-001891" + "CCI-000366" ], "nist": [ - "AU-8 (1) (a)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230484' do\n title \"RHEL 8 must securely compare internal information system clocks at\nleast every 24 hours with a server synchronized to an authoritative time\nsource, such as the United States Naval Observatory (USNO) time servers, or a\ntime server designated for the appropriate DoD network (NIPRNet/SIPRNet),\nand/or the Global Positioning System (GPS).\"\n desc 'Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).\n\n If time stamps are not consistently applied and there is no common time\nreference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the operating system include date and time. 
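Review bot: The new SV-230291 code gives no way to record the "documented and validated mission requirement" exception that its own title and check text allow: `describe sshd_active_config do its('KerberosAuthentication') { should cmp 'no' } end` fails unconditionally, whereas SV-230480 earlier in this diff models the same kind of exception with `if input('alternative_logging_method') != ''` and a `describe 'manual check' do skip ... end` branch. Adding a profile input (e.g. `kerberos_auth_documented`) and guarding the describe the same way would keep the automated result consistent with the manual check. Separately, the check text makes conflicting values across the loaded sshd config files a finding, but `sshd_active_config` presumably reports only the effective value, so a shadowed `KerberosAuthentication yes` in an `Include`d file would not be caught; this is worth a comment in the control or a second grep across the included files. Since this JSON looks like an export of the profile (`source_location` points at `./Red Hat 8 STIG/controls/SV-230291.rb`), the change belongs in that control with the baseline regenerated.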
Time\nis commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.\n\n RHEL 8 utilizes the \"timedatectl\" command to view the status of the\n\"systemd-timesyncd.service\". The \"timedatectl\" status will display the\nlocal time, UTC, and the offset from UTC.\n\n Note that USNO offers authenticated NTP service to DoD and U.S. Government\nagencies operating on the NIPR and SIPR networks. Visit\nhttps://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.'\n desc 'check', 'Verify RHEL 8 is securely comparing internal information system clocks at\nleast every 24 hours with an NTP server with the following commands:\n\n $ sudo grep maxpoll /etc/chrony.conf\n\n server 0.us.pool.ntp.mil iburst maxpoll 16\n\n If the \"maxpoll\" option is set to a number greater than 16 or the line is\ncommented out, this is a finding.\n\n Verify the \"chrony.conf\" file is configured to an authoritative DoD time\nsource by running the following command:\n\n $ sudo grep -i server /etc/chrony.conf\n server 0.us.pool.ntp.mil\n\n If the parameter \"server\" is not set or is not set to an authoritative\nDoD time source, this is a finding.'\n desc 'fix', \"Configure the operating system to securely compare internal information\nsystem clocks at least every 24 hours with an NTP server by adding/modifying\nthe following line in the /etc/chrony.conf file.\n\n server [ntp.server.name] iburst maxpoll 16\"\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000355-GPOS-00143'\n tag satisfies: ['SRG-OS-000355-GPOS-00143', 'SRG-OS-000356-GPOS-00144', 'SRG-OS-000359-GPOS-00146']\n tag gid: 'V-230484'\n tag rid: 'SV-230484r877038_rule'\n tag stig_id: 'RHEL-08-030740'\n tag fix_id: 'F-33128r568199_fix'\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n # No need to provide filepath\n time_sources = chrony_conf.server\n\n # Cover case when a single server is defined and resource returns a string and not an array\n time_sources = [time_sources] if time_sources.is_a? String\n\n unless time_sources.nil?\n max_poll_values = time_sources.map { |val|\n val.match?(/.*maxpoll.*/) ? val.gsub(/.*maxpoll\\s+(\\d+)(\\s+.*|$)/, '\\1').to_i : 10\n }\n end\n\n # Verify the \"chrony.conf\" file is configured to a time source by running the following command:\n describe chrony_conf do\n its('server') { should_not be_nil }\n end\n\n unless chrony_conf.server.nil?\n # If there is only one server and the resource returns a string, check if the server matches the input\n if chrony_conf.server.is_a? String\n describe chrony_conf do\n its('server') { should match input('authoritative_timeserver') }\n end\n end\n # Check if each server in the server array exists in the input\n if chrony_conf.server.is_a? Array\n chrony_conf.server.each do |server|\n describe server do\n it { should match input('authoritative_timeserver') }\n end\n end\n end\n\n # All time sources must contain valid maxpoll entries\n unless time_sources.nil?\n describe 'chronyd maxpoll values (99=maxpoll absent)' do\n subject { max_poll_values }\n it { should all be < 17 }\n end\n end\n end\nend\n", + "code": "control 'SV-230387' do\n title 'Cron logging must be implemented in RHEL 8.'\n desc 'Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. 
It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.'\n desc 'check', 'Verify that \"rsyslog\" is configured to log cron events with the following\ncommand:\n\n Note: If another logging package is used, substitute the utility\nconfiguration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n $ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none\n /var/log/messages\n /etc/rsyslog.conf:# Log cron stuff\n /etc/rsyslog.conf:cron.*\n /var/log/cron\n\n If the command does not return a response, check for cron logging all\nfacilities with the following command.\n\n $ sudo grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none\n /var/log/messages\n\n If \"rsyslog\" is not logging messages for the cron facility or all\nfacilities, this is a finding.'\n desc 'fix', 'Configure \"rsyslog\" to log all cron messages by adding or updating the\nfollowing line to \"/etc/rsyslog.conf\" or a configuration file in the\n/etc/rsyslog.d/ directory:\n\n cron.* /var/log/cron\n\n The rsyslog daemon must be restarted for the changes to take effect:\n $ sudo systemctl restart rsyslog.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230387'\n tag rid: 'SV-230387r743996_rule'\n tag stig_id: 'RHEL-08-030010'\n tag fix_id: 'F-33031r743995_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe.one do\n describe command(\"grep -hsv \\\"^#\\\" #{input('logging_conf_files').join(' ')} | grep ^cron\") do\n its('stdout') { should match %r{cron\\.\\*\\s*/var/log/cron} }\n end\n describe command(\"grep -hsv \\\"^#\\\" 
#{input('logging_conf_files').join(' ')} | grep /var/log/messages\") do\n its('stdout') { should match %r{\\*.info;mail.none;authpriv.none;cron.none\\s*/var/log/messages} }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230484.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230387.rb", "line": 1 }, - "id": "SV-230484" + "id": "SV-230387" }, { - "title": "Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nThe \"fchmod\" system call is used to change permissions of a file.\nThe \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
Performance can be helped, however, by combining syscalls into one rule whenever possible.", + "title": "The graphical display manager must not be installed on RHEL 8 unless\napproved.", + "desc": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system.\nGraphical display managers have a long history of security vulnerabilities and\nmust not be used, unless approved and documented.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nThe \"fchmod\" system call is used to change permissions of a file.\nThe \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
Performance can be helped, however, by combining syscalls into one rule whenever possible.", - "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n\nIf the command does not return an audit rule for \"chmod\", \"fchmod\", and \"fchmodat\", or any of the lines returned are commented out, this is a finding.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls by adding or updating the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system.\nGraphical display managers have a long history of security vulnerabilities and\nmust not be used, unless approved and documented.", + "check": "Verify that a graphical user interface is not installed:\n\n$ rpm -qa | grep xorg | grep server\n\nAsk the System Administrator if use of a graphical user interface is an operational requirement.\n\nIf the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.", + "fix": "Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. 
If reinstallation is not feasible, then continue with the following procedure:\n\nOpen an SSH session and enter the following commands:\n\n$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland\n\nA reboot is required for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -4155,43 +4147,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000064-GPOS-00033", - "SRG-OS-000466-GPOS-00210" - ], - "gid": "V-230456", - "rid": "SV-230456r810462_rule", - "stig_id": "RHEL-08-030490", - "fix_id": "F-33100r809310_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230553", + "rid": "SV-230553r809324_rule", + "stig_id": "RHEL-08-040320", + "fix_id": "F-33197r809323_fix", "cci": [ - "CCI-000169" + "CCI-000366" ], "nist": [ - "AU-12 a" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230456' do\n title 'Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nThe \"fchmod\" system call is used to change permissions of a file.\nThe \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', 'Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n\nIf the command does not return an audit rule for \"chmod\", \"fchmod\", and \"fchmodat\", or any of the lines returned are commented out, this is a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls by adding or updating the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000064-GPOS-00033', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230456'\n 
tag rid: 'SV-230456r810462_rule'\n tag stig_id: 'RHEL-08-030490'\n tag fix_id: 'F-33100r809310_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['chmod', 'fchmod', 'fchmodat']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", + "code": "control 'SV-230553' do\n title 'The graphical display manager must not be installed on RHEL 8 unless\napproved.'\n desc 'Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system.\nGraphical display managers have a long history of security vulnerabilities and\nmust not be used, unless approved and documented.'\n desc 'check', 'Verify that a graphical user interface is not installed:\n\n$ rpm -qa | grep xorg | grep server\n\nAsk the System Administrator if use of a graphical user interface is an operational requirement.\n\nIf the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.'\n desc 'fix', 'Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. 
If reinstallation is not feasible, then continue with the following procedure:\n\nOpen an SSH session and enter the following commands:\n\n$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230553'\n tag rid: 'SV-230553r809324_rule'\n tag stig_id: 'RHEL-08-040320'\n tag fix_id: 'F-33197r809323_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n input('remove_xorg_x11_server_packages').each do |p|\n describe package(p) do\n it { should_not be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230456.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230553.rb", "line": 1 }, - "id": "SV-230456" + "id": "SV-230553" }, { - "title": "RHEL 8 must mount /var/log with the nosuid option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must not allow interfaces to perform Internet Control Message\nProtocol (ICMP) redirects by default.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/log\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/var/log is mounted without the \"nosuid\" option, this is a finding.", - "fix": "Configure the system so that /var/log is mounted with the \"nosuid\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0" + "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0\n\nIf \"net.ipv4.conf.default.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.send_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
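Review bot: The new SV-230553 `code` string in this hunk fails whenever any package from `input('remove_xorg_x11_server_packages')` is installed, yet the `desc` and `check` text it carries explicitly allows a graphical interface that is "approved and documented" with the ISSO. Nothing in the control lets an assessor record that approval, so a site with a documented GUI gets a false finding that can only be suppressed outside the profile. Consider gating the `describe package(p)` loop with an `only_if(..., impact: 0.0)` guard driven by a new boolean profile input that records the ISSO documentation, and name that input in the `desc 'check'` text so the manual step and the automated check agree. The input presumably defaults to the four `xorg-x11-server-*` packages named in the fix text, but that default is not visible here and should be confirmed in the inputs file.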
@@ -4201,33 +4184,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230515", - "rid": "SV-230515r854056_rule", - "stig_id": "RHEL-08-040127", - "fix_id": "F-33159r568292_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230543", + "rid": "SV-230543r858816_rule", + "stig_id": "RHEL-08-040270", + "fix_id": "F-33187r858815_fix", "cci": [ - "CCI-001764" + "CCI-000366" ], "nist": [ - "CM-7 (2)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230515' do\n title 'RHEL 8 must mount /var/log with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/var/log is mounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log is mounted with the \"nosuid\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230515'\n tag rid: 'SV-230515r854056_rule'\n tag stig_id: 'RHEL-08-040127'\n tag fix_id: 'F-33159r568292_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log'\n option = 'nosuid'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230543' do\n title 'RHEL 8 must not allow interfaces to perform Internet Control Message\nProtocol (ICMP) redirects by default.'\n desc %q(ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0\n\nIf \"net.ipv4.conf.default.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf 
conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.send_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230543'\n tag rid: 'SV-230543r858816_rule'\n tag stig_id: 'RHEL-08-040270'\n tag fix_id: 'F-33187r858815_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.send_redirects'\n action = 'IPv4 packet redirects for interfaces'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230515.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230543.rb", "line": 1 }, - "id": "SV-230515" + "id": "SV-230543" }, { - "title": "RHEL 8 must prevent code from being executed on file systems that are\nused with removable media.", - "desc": "The \"noexec\" mount option causes the system not to execute binary\nfiles. 
This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "title": "All RHEL 8 local initialization files must have mode 0740 or less\npermissive.", + "desc": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", "descriptions": { - "default": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", - "check": "Verify file systems that are used for removable media are mounted with the\n\"noexec\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"noexec\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are associated with removable media." + "default": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", + "check": "Verify that all local initialization files have a mode of \"0740\" or less permissive with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n $ sudo ls -al /home/smithj/.[^.]* | more\n\n -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history\n -rw-r--r--. 
1 smithj users 18 Aug 21 2019 .bash_logout\n -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile\n\nIf any local initialization files have a mode more permissive than \"0740\", this is a finding.", + "fix": "Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n $ sudo chmod 0740 /home/smithj/." }, "impact": 0.5, "refs": [ @@ -4238,10 +4221,10 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230304", - "rid": "SV-230304r627750_rule", - "stig_id": "RHEL-08-010610", - "fix_id": "F-32948r567659_fix", + "gid": "V-230325", + "rid": "SV-230325r917879_rule", + "stig_id": "RHEL-08-010770", + "fix_id": "F-32969r917878_fix", "cci": [ "CCI-000366" ], 
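Review bot: In the new SV-230543 `code` string, the configuration-file search passes find(1) `-exec` leftovers to grep: `command("grep -r ^#{parameter} #{sysctl_config_files} {} \;")` gives grep two extra operands, `{}` and `;`, which it tries to open as files and reports on stderr; the parsed stdout is unaffected, so the verdict is right but the invocation should simply be `command("grep -r ^#{parameter} #{sysctl_config_files}")`. In the same block, `file, setting = item.split(':')` followed by `file.empty?` would raise on a blank line in the grep output instead of reaching the `'grep did not return filename'` branch, which a `search_results.reject(&:empty?)` before the `each_with_object` would close, and `expect(current_value.value).not_to be_nil` runs after `cmp value`, so it can never be the first failure — swapping the two expectations gives the clearer message when the parameter is absent. The container check here is done inside the main `if` rather than with the `only_if('This control is Not Applicable to containers', impact: 0.0)` guard the neighbouring controls use; aligning with that form would be more consistent. The `@@ -4238` hunk that shares this line changes only tag identifiers.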
@@ -4250,20 +4233,20 @@ ], "host": null }, - "code": "control 'SV-230304' do\n title 'RHEL 8 must prevent code from being executed on file systems that are\nused with removable media.'\n desc 'The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.'\n desc 'check', 'Verify file systems that are used for removable media are mounted with the\n\"noexec\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"noexec\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are associated with removable media.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230304'\n tag rid: 'SV-230304r627750_rule'\n tag stig_id: 'RHEL-08-010610'\n tag fix_id: 'F-32948r567659_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'noexec'\n file_systems = etc_fstab.params\n non_removable_media = input('non_removable_media_fs')\n mounted_removeable_media = file_systems.reject { |mnt| non_removable_media.include?(mnt['mount_point']) }\n failing_mounts = mounted_removeable_media.reject { |mnt| mnt['mount_options'].include?(option) }\n\n # be very explicit about why this one was a finding since we do not know which mounts are removeable media without the user telling us\n rem_media_msg = \"NOTE: Some 
mounted devices are not indicated to be non-removable media (you may need to update the 'non_removable_media_fs' input to check if these are truly subject to this requirement)\\n\"\n\n # there should either be no mounted removable media (which should be a requirement anyway), OR\n # all removeable media should be mounted with noexec\n if mounted_removeable_media.empty?\n describe 'No removeable media' do\n it 'are mounted' do\n expect(mounted_removeable_media).to be_empty\n end\n end\n else\n describe 'Any mounted removeable media' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"#{rem_media_msg}\\nRemoveable media without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230325' do\n title 'All RHEL 8 local initialization files must have mode 0740 or less\npermissive.'\n desc \"Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.\"\n desc 'check', 'Verify that all local initialization files have a mode of \"0740\" or less permissive with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n $ sudo ls -al /home/smithj/.[^.]* | more\n\n -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history\n -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout\n -rw-r--r--. 
1 smithj users 193 Aug 21 2019 .bash_profile\n\nIf any local initialization files have a mode more permissive than \"0740\", this is a finding.'\n desc 'fix', 'Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n $ sudo chmod 0740 /home/smithj/.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230325'\n tag rid: 'SV-230325r917879_rule'\n tag stig_id: 'RHEL-08-010770'\n tag fix_id: 'F-32969r917878_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n ignore_shells = input('non_interactive_shells').join('|')\n\n homedirs = users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid.zero?) }.homes\n ifiles = command(\"find #{homedirs.join(' ')} -xdev -maxdepth 1 -name '.*' -type f\").stdout.split(\"\\n\")\n\n expected_mode = input('initialization_file_mode')\n failing_files = ifiles.select { |ifile| file(ifile).more_permissive_than?(expected_mode) }\n\n describe 'All RHEL 8 local initialization files' do\n it \"must have mode '#{expected_mode}' or less permissive\" do\n expect(failing_files).to be_empty, \"Failing files:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230304.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230325.rb", "line": 1 }, - "id": "SV-230304" + "id": "SV-230325" }, { - "title": "RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.", - "desc": "Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on 
the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\nRHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.", + "title": "RHEL 8 systems, versions 8.2 and above, must configure SELinux context\n type to allow the use of a non-default faillock tally directory.", + "desc": "By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n re-enabled after system reboot. 
If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.", "descriptions": { - "default": "Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\nRHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.", - "check": "Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientaliveinterval'\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" does not exist, does not have a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Note: This setting must be applied in conjunction with RHEL-08-010200 to function correctly.\n\nConfigure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\n ClientAliveInterval 600\n\nFor the changes to take effect, the SSH daemon must be restarted.\n\n $ sudo systemctl restart sshd.service" + "default": "By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n re-enabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. 
Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.", + "check": "If the system does not have SELinux enabled and enforcing a\n targeted policy, or if the pam_faillock module is not configured for use,\n this requirement is not applicable.\n\n Note: This check applies to RHEL versions 8.2 or newer. If the system is\n RHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the location of the non-default tally directory for the pam_faillock\n module with the following command:\n\n $ sudo grep -w dir /etc/security/faillock.conf\n\n dir = /var/log/faillock\n\n Check the security context type of the non-default tally directory with the\n following command:\n\n $ sudo ls -Zd /var/log/faillock\n\n unconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\n If the security context type of the non-default tally directory is not\n \"faillog_t\", this is a finding.", + "fix": "Configure RHEL 8 to allow the use of a non-default faillock tally\n directory while SELinux enforces a targeted policy.\n\n Create a non-default faillock tally directory (if it does not already exist)\n with the following example:\n\n $ sudo mkdir /var/log/faillock\n\n Update the /etc/selinux/targeted/contexts/files/file_contexts.local with\n \"faillog_t\" context type for the non-default faillock tally directory with\n the following command:\n\n $ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\n Next, update the context type of the non-default faillock directory/subdirectories\n and files with the following command:\n\n $ sudo restorecon -R -v /var/log/faillock" }, "impact": 0.5, "refs": [ 
@@ -4272,40 +4255,75 @@ } ], "tags": { + "check_id": "C-53749r793000_chk", "severity": "medium", - "gtitle": "SRG-OS-000163-GPOS-00072", - "satisfies": [ - "SRG-OS-000163-GPOS-00072", - "SRG-OS-000126-GPOS-00066", - "SRG-OS-000279-GPOS-00109" + "gid": "V-250315", + "rid": "SV-250315r854079_rule", + "stig_id": "RHEL-08-020027", + "gtitle": "SRG-OS-000021-GPOS-00005", + "fix_id": "F-53703r793001_fix", + "documentable": null, + "cci": [ + "CCI-000044", + "CCI-002238" ], - "gid": "V-244525", - "rid": "SV-244525r951596_rule", - "stig_id": "RHEL-08-010201", - "fix_id": "F-47757r917885_fix", + "nist": [ + "AC-7 a", + "AC-7 b" + ], + "host": null + }, + "code": "control 'SV-250315' do\n title 'RHEL 8 systems, versions 8.2 and above, must configure SELinux context\n type to allow the use of a non-default faillock tally directory.'\n desc %q(By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n re-enabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.)\n desc 'check', 'If the system does not have SELinux enabled and enforcing a\n targeted policy, or if the pam_faillock module is not configured for use,\n this requirement is not applicable.\n\n Note: This check applies to RHEL versions 8.2 or newer. 
If the system is\n RHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the location of the non-default tally directory for the pam_faillock\n module with the following command:\n\n $ sudo grep -w dir /etc/security/faillock.conf\n\n dir = /var/log/faillock\n\n Check the security context type of the non-default tally directory with the\n following command:\n\n $ sudo ls -Zd /var/log/faillock\n\n unconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\n If the security context type of the non-default tally directory is not\n \"faillog_t\", this is a finding.'\n desc 'fix', 'Configure RHEL 8 to allow the use of a non-default faillock tally\n directory while SELinux enforces a targeted policy.\n\n Create a non-default faillock tally directory (if it does not already exist)\n with the following example:\n\n $ sudo mkdir /var/log/faillock\n\n Update the /etc/selinux/targeted/contexts/files/file_contexts.local with\n \"faillog_t\" context type for the non-default faillock tally directory with\n the following command:\n\n $ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\n Next, update the context type of the non-default faillock directory/subdirectories\n and files with the following command:\n\n $ sudo restorecon -R -v /var/log/faillock'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-53749r793000_chk'\n tag severity: 'medium'\n tag gid: 'V-250315'\n tag rid: 'SV-250315r854079_rule'\n tag stig_id: 'RHEL-08-020027'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag fix_id: 'F-53703r793001_fix'\n tag 'documentable'\n tag cci: ['CCI-000044', 'CCI-002238']\n tag nist: ['AC-7 a', 'AC-7 b']\n tag 'host'\n\n only_if('This check applies to RHEL version 8.2 and later. 
If the system is not RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable in a container' do\n skip 'SELinux controls Not Applicable in a container'\n end\n else\n\n describe selinux do\n it { should be_installed }\n it { should be_enforcing }\n it { should_not be_disabled }\n end\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('dir') { should cmp input('non_default_tally_dir') }\n end\n\n faillock_tally = input('faillock_tally')\n\n describe \"The selected non-default tally directory for PAM: #{input('non_default_tally_dir')}\" do\n subject { file(input('non_default_tally_dir')) }\n its('selinux_label') { should match(/#{faillock_tally}/) }\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 8 STIG/controls/SV-250315.rb", + "line": 1 + }, + "id": "SV-250315" + }, + { + "title": "RHEL 8 must prevent system daemons from using Kerberos for\nauthentication.", + "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n The key derivation function (KDF) in Kerberos is not FIPS compatible.\nEnsuring the system does not have any keytab files present prevents system\ndaemons from using Kerberos for authentication. A keytab is a file containing\npairs of Kerberos principals and encrypted keys.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "descriptions": { + "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n The key derivation function (KDF) in Kerberos is not FIPS compatible.\nEnsuring the system does not have any keytab files present prevents system\ndaemons from using Kerberos for authentication. A keytab is a file containing\npairs of Kerberos principals and encrypted keys.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "check": "Verify that RHEL 8 prevents system daemons from using Kerberos for\nauthentication.\n\n If the system is a server utilizing krb5-server-1.17-18.el8.x86_64 or\nnewer, this requirement is not applicable.\n If the system is a workstation utilizing\nkrb5-workstation-1.17-18.el8.x86_64 or newer, this requirement is not\napplicable.\n\n Check if there are available keytabs with the following command:\n\n $ sudo ls -al /etc/*.keytab\n\n If this command produces any file(s), this is a finding.", + "fix": "Configure RHEL 8 to prevent system daemons from using Kerberos for\nauthentication.\n\n Remove any files with the .keytab extension from the operating system." 
+ }, + "impact": 0.5, + "refs": [ + { + "ref": "DPMS Target Red Hat Enterprise Linux 8" + } + ], + "tags": { + "severity": "medium", + "gtitle": "SRG-OS-000120-GPOS-00061", + "gid": "V-230238", + "rid": "SV-230238r646862_rule", + "stig_id": "RHEL-08-010161", + "fix_id": "F-32882r567461_fix", "cci": [ - "CCI-001133" + "CCI-000803" ], "nist": [ - "SC-10" + "IA-7" ], "host": null, - "container-conditional": null + "container": null }, - "code": "control 'SV-244525' do\n title 'RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.'\n desc 'Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\nRHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. 
The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.'\n desc 'check', %q(Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientaliveinterval'\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" does not exist, does not have a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Note: This setting must be applied in conjunction with RHEL-08-010200 to function correctly.\n\nConfigure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\n ClientAliveInterval 600\n\nFor the changes to take effect, the SSH daemon must be restarted.\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag satisfies: ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000126-GPOS-00066', 'SRG-OS-000279-GPOS-00109']\n tag gid: 'V-244525'\n tag rid: 'SV-244525r951596_rule'\n tag stig_id: 'RHEL-08-010201'\n tag fix_id: 'F-47757r917885_fix'\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'host'\n tag 'container-conditional'\n\n setting = 'ClientAliveInterval'\n gssapi_authentication = input('sshd_config_values')\n value = gssapi_authentication[setting]\n openssh_present = 
package('openssh-server').installed?\n\n only_if('This requirement is Not Applicable in the container without open-ssh installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !openssh_present)\n }\n\n if input('allow_container_openssh_server') == false\n describe 'In a container Environment' do\n it 'the OpenSSH Server should be installed only when allowed in a container environment' do\n expect(openssh_present).to eq(false), 'OpenSSH Server is installed but not approved for the container environment'\n end\n end\n else\n describe 'The OpenSSH Server configuration' do\n it \"has the correct #{setting} configuration\" do\n expect(sshd_active_config.params[setting.downcase]).to cmp(value), \"The #{setting} setting in the SSHD config is not correct. Please ensure it set to '#{value}'.\"\n end\n end\n end\nend\n", + "code": "control 'SV-230238' do\n title 'RHEL 8 must prevent system daemons from using Kerberos for\nauthentication.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n The key derivation function (KDF) in Kerberos is not FIPS compatible.\nEnsuring the system does not have any keytab files present prevents system\ndaemons from using Kerberos for authentication. A keytab is a file containing\npairs of Kerberos principals and encrypted keys.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify that RHEL 8 prevents system daemons from using Kerberos for\nauthentication.\n\n If the system is a server utilizing krb5-server-1.17-18.el8.x86_64 or\nnewer, this requirement is not applicable.\n If the system is a workstation utilizing\nkrb5-workstation-1.17-18.el8.x86_64 or newer, this requirement is not\napplicable.\n\n Check if there are available keytabs with the following command:\n\n $ sudo ls -al /etc/*.keytab\n\n If this command produces any file(s), this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent system daemons from using Kerberos for\nauthentication.\n\n Remove any files with the .keytab extension from the operating system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-230238'\n tag rid: 'SV-230238r646862_rule'\n tag stig_id: 'RHEL-08-010161'\n tag fix_id: 'F-32882r567461_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n krb5_server = package('krb5-server')\n krb5_workstation = package('krb5-workstation')\n\n if (krb5_server.installed? && krb5_server.version >= '1.17-18.el8') || (krb5_workstation.installed? 
&& krb5_workstation.version >= '1.17-18.el8')\n impact 0.0\n describe 'The system has krb5-workstation and server version 1.17-18 or higher' do\n skip 'The system has krb5-workstation and server version 1.17-18 or higner, this requirement is Not Applicable.'\n end\n else\n keytabs = command('ls /etc/*.keytab').stdout.split\n describe 'The system' do\n it 'should not have keytab files for Kerberos' do\n expect(keytabs).to be_empty, \"Keytab files:\\n\\t- #{keytabs.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244525.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230238.rb", "line": 1 }, - "id": "SV-244525" + "id": "SV-230238" }, { - "title": "RHEL 8 must not allow users to override SSH environment variables.", - "desc": "SSH environment options potentially allow users to bypass access\nrestriction in some configurations.", + "title": "RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts occur\nduring a 15-minute time period.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "SSH environment options potentially allow users to bypass access\nrestriction in some configurations.", - "check": "Verify that unattended or automatic logon via ssh is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permituserenvironment'\n\nPermitUserEnvironment no\n\nIf \"PermitUserEnvironment\" is set to \"yes\", is missing completely, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to allow the SSH daemon to not allow unattended or\nautomatic logon to the system.\n\n Add or edit the following line in the \"/etc/ssh/sshd_config\" file:\n\n PermitUserEnvironment no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Check that the system locks an account after three unsuccessful logon\nattempts within a period of 15 minutes until released by an administrator with\nthe following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"unlock_time\" option is not set to \"0\" on the \"preauth\" and\n\"authfail\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"unlock_time\" option is not set to \"0\" on the \"preauth\" and\n\"authfail\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.", + "fix": "Configure the operating system to lock an account until released by an\nadministrator when three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock 
silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" }, "impact": 0.5, "refs": [ 
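Review bot: The Not Applicable gate added in the SV-230238 `code` string compares package versions with String#>=, so `krb5_server.version >= '1.17-18.el8'` (and the krb5-workstation twin) is a lexicographic comparison: a constructed value such as `'1.17-9.el8'` sorts after `'1.17-18.el8'`, which would mark the control Not Applicable on a host older than the cutoff and silently skip the keytab check. The comparison should be version-aware, for example splitting the version and release fields and comparing each numerically, or applying InSpec's version-aware `cmp` matcher to the package version. The skip message on the same branch also misspells "higher" as `higner`. This file appears to be an exported profile, so the fix presumably belongs in `./Red Hat 8 STIG/controls/SV-230238.rb` and should be regenerated here rather than patched in the JSON.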
@@ -4315,34 +4333,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00229", - "gid": "V-230330", - "rid": "SV-230330r951610_rule", - "stig_id": "RHEL-08-010830", - "fix_id": "F-32974r567737_fix", + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-230336", + "rid": "SV-230336r627750_rule", + "stig_id": "RHEL-08-020014", + "fix_id": "F-32980r567755_fix", "cci": [ - "CCI-000366" + "CCI-000044" ], "nist": [ - "CM-6 b" + "AC-7 a" ], "host": null, - "container-conditional": null + "container": null }, - "code": "control 'SV-230330' do\n title 'RHEL 8 must not allow users to override SSH environment variables.'\n desc 'SSH environment options potentially allow users to bypass access\nrestriction in some configurations.'\n desc 'check', %q(Verify that unattended or automatic logon via ssh is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permituserenvironment'\n\nPermitUserEnvironment no\n\nIf \"PermitUserEnvironment\" is set to \"yes\", is missing completely, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure RHEL 8 to allow the SSH daemon to not allow unattended or\nautomatic logon to the system.\n\n Add or edit the following line in the \"/etc/ssh/sshd_config\" file:\n\n PermitUserEnvironment no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-230330'\n tag rid: 'SV-230330r951610_rule'\n tag stig_id: 'RHEL-08-010830'\n tag fix_id: 'F-32974r567737_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This requirement is Not Applicable inside a container, the containers host manages the containers filesystems') {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n describe sshd_active_config do\n its('PermitUserEnvironment') { should eq 'no' }\n end\nend\n", + "code": "control 'SV-230336' do\n title 'RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts occur\nduring a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the system locks an account after three unsuccessful logon\nattempts within a period of 15 minutes until released by an administrator with\nthe following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"unlock_time\" option is not set to \"0\" on the \"preauth\" and\n\"authfail\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"unlock_time\" option is not set to \"0\" on the \"preauth\" and\n\"authfail\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.'\n desc 'fix', 'Configure the operating system to lock an account until released by an\nadministrator when three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth 
dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230336'\n tag rid: 'SV-230336r627750_rule'\n tag stig_id: 'RHEL-08-020014'\n tag fix_id: 'F-32980r567755_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL version 8.1 and earlier. If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') do\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args('unlock_time=(0|never)').or \\\n (match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '<=',\n 604_800).and \\\n match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '>=',\n input('lockout_time')))\n end\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') do\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args('unlock_time=(0|never)').or \\\n (match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '<=',\n 604_800).and \\\n match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '>=',\n input('lockout_time')))\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 
STIG/controls/SV-230330.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230336.rb", "line": 1 }, - "id": "SV-230330" + "id": "SV-230336" }, { - "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "Successful/unsuccessful uses of postdrop in RHEL 8 must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postdrop\" command creates a file in the maildrop directory and copies\nits standard input to the file.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/gshadow /etc/audit/audit.rules\n\n -w /etc/gshadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/gshadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postdrop\" command creates a file in the maildrop directory and copies\nits standard input to the file.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"postdrop\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"postdrop\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"postdrop\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ @@ -4355,27 +4377,17 @@ "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ "SRG-OS-000062-GPOS-00031", - "SRG-OS-000004-GPOS-00004", "SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000466-GPOS-00210", - "SRG-OS-000476-GPOS-00221" + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-230407", - "rid": "SV-230407r627750_rule", - "stig_id": "RHEL-08-030160", - "fix_id": "F-33051r567968_fix", + "gid": "V-230427", + "rid": "SV-230427r627750_rule", + "stig_id": "RHEL-08-030311", + "fix_id": "F-33071r568028_fix", "cci": [ "CCI-000169" ], 
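Review bot: `SRG-OS-000062-GPOS-00031` appears twice in the new `satisfies` array (as the first element and again after `SRG-OS-000042-GPOS-00020`), on top of already being the `gtitle`. A consumer that only tests membership is unaffected, but anything that counts satisfied requirements from this list over-reports by one, and the same duplicate is carried into the embedded control's `tag satisfies:` line, so it appears to be copied verbatim from the upstream STIG metadata. Drop the second occurrence here and in the `tag satisfies:` array of the embedded `SV-230427` control, or deduplicate in the generator that produces this file if it is regenerated rather than hand-edited.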
@@ -4384,34 +4396,34 @@ ], "host": null }, - "code": "control 'SV-230407' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/gshadow /etc/audit/audit.rules\n\n -w /etc/gshadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/gshadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000466-GPOS-00210', 
'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230407'\n tag rid: 'SV-230407r627750_rule'\n tag stig_id: 'RHEL-08-030160'\n tag fix_id: 'F-33051r567968_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/gshadow'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230427' do\n title 'Successful/unsuccessful uses of postdrop in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postdrop\" command creates a file in the maildrop directory and copies\nits standard input to the file.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"postdrop\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"postdrop\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"postdrop\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230427'\n tag rid: 'SV-230427r627750_rule'\n tag stig_id: 'RHEL-08-030311'\n tag fix_id: 'F-33071r568028_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/postdrop'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230407.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230427.rb", "line": 1 }, - "id": "SV-230407" + "id": "SV-230427" }, { - "title": "The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a\ngraphical user interface is installed.", - "desc": "A locally logged-on user, who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "title": "RHEL 8 must disable the user list at logon for graphical user\ninterfaces.", + "desc": "Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to enumerate known user accounts\nwithout authenticated access to the system.", "descriptions": { - "default": "A locally logged-on user, who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", - "check": "Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed when using a graphical user interface with the following command:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo grep logout /etc/dconf/db/local.d/*\n\n logout=''\n\n If the \"logout\" key is bound to an action, is commented out, or is\nmissing, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence when using a\ngraphical user interface by creating or editing the\n/etc/dconf/db/local.d/00-disable-CAD file.\n\n Add the setting to disable the Ctrl-Alt-Delete sequence for a graphical\nuser interface:\n\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''\n\n Note: The value above is set to two single quotations.\n\n Then update the dconf settings:\n\n $ sudo dconf update" + "default": "Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to enumerate known user accounts\nwithout authenticated access to the system.", + "check": "Verify the operating system disables the user logon list for graphical user\ninterfaces with the following command:\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.login-screen disable-user-list\n true\n\n If the setting is \"false\", this is a finding.", + "fix": "Configure the operating system to disable the user list at logon for\ngraphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/02-login-screen\n\n [org/gnome/login-screen]\n disable-user-list=true\n\n Update the system databases:\n $ sudo dconf update" }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230530", - "rid": "SV-230530r646883_rule", - "stig_id": "RHEL-08-040171", - "fix_id": "F-33174r568337_fix", + "gid": "V-244536", + "rid": "SV-244536r743857_rule", + "stig_id": "RHEL-08-020032", + "fix_id": "F-47768r743856_fix", "cci": [ "CCI-000366" ], 
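Review bot: The `SV-230427` test pins the literal field `auid!=-1` in `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')`, while the rule the check and fix text prescribe is written `auid!=unset`, and the control's own description states that the audit system treats `-1`, `4294967295` and `unset` identically. If the `auditd` resource reports the field the way `auditctl -l` renders it on the target (which newer audit releases appear to print as `unset`), a host configured exactly per the fix text fails this control, while a rule typed as `-1` passes here but looks wrong to an assessor following the manual check. Accept all three spellings so the automated and manual results agree: `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000').and include(a_string_matching(/\Aauid!=(-1|4294967295|unset)\z/))`. The `only_if` container guard and the key-name lookup are fine as written.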
@@ -4420,20 +4432,20 @@ ], "host": null }, - "code": "control 'SV-230530' do\n title 'The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a\ngraphical user interface is installed.'\n desc 'A locally logged-on user, who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.'\n desc 'check', %q(Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed when using a graphical user interface with the following command:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo grep logout /etc/dconf/db/local.d/*\n\n logout=''\n\n If the \"logout\" key is bound to an action, is commented out, or is\nmissing, this is a finding.)\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a\ngraphical user interface by creating or editing the\n/etc/dconf/db/local.d/00-disable-CAD file.\n\n Add the setting to disable the Ctrl-Alt-Delete sequence for a graphical\nuser interface:\n\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''\n\n Note: The value above is set to two single quotations.\n\n Then update the dconf settings:\n\n $ sudo dconf update\"\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230530'\n tag rid: 'SV-230530r646883_rule'\n tag stig_id: 'RHEL-08-040171'\n tag fix_id: 'F-33174r568337_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is 
Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command('grep ^logout /etc/dconf/db/local.d/*') do\n its('stdout.strip') { should match(/logout=''/) }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-244536' do\n title 'RHEL 8 must disable the user list at logon for graphical user\ninterfaces.'\n desc 'Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to enumerate known user accounts\nwithout authenticated access to the system.'\n desc 'check', 'Verify the operating system disables the user logon list for graphical user\ninterfaces with the following command:\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.login-screen disable-user-list\n true\n\n If the setting is \"false\", this is a finding.'\n desc 'fix', 'Configure the operating system to disable the user list at logon for\ngraphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/02-login-screen\n\n [org/gnome/login-screen]\n disable-user-list=true\n\n Update the system databases:\n $ sudo dconf update'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244536'\n tag 
rid: 'SV-244536r743857_rule'\n tag stig_id: 'RHEL-08-020032'\n tag fix_id: 'F-47768r743856_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n no_gui = command('ls /usr/share/xsessions/*').stderr.match?(/No such file or directory/)\n\n if no_gui\n impact 0.0\n describe 'The system does not have a GUI installed, this requirement is Not Applicable.' do\n skip 'A GUI desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('gsettings get org.gnome.login-screen disable-user-list') do\n its('stdout.strip') { should cmp 'true' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230530.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244536.rb", "line": 1 }, - "id": "SV-230530" + "id": "SV-244536" }, { - "title": "All RHEL 8 local interactive user home directories must have mode 0750\nor less permissive.", - "desc": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", + "title": "RHEL 8 must prevent system messages from being presented when three\nunsuccessful logon attempts occur.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", - "check": "Verify the assigned home directory of all local interactive users has a\nmode of \"0750\" or less permissive with the following command:\n\n Note: This may miss interactive users that have been assigned a privileged\nUser Identifier (UID). Evidence of interactive use may be obtained from a\nnumber of log files containing system logon information.\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}'\n/etc/passwd)\n\n drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\n If home directories referenced in \"/etc/passwd\" do not have a mode of\n\"0750\" or less permissive, this is a finding.", - "fix": "Change the mode of interactive user’s home directories to \"0750\". To\nchange the mode of a local interactive user’s home directory, use the following\ncommand:\n\n Note: The example will be for the user \"smithj\".\n\n $ sudo chmod 0750 /home/smithj" + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to prevent\ninformative messages from being presented at logon attempts:\n\n $ sudo grep silent /etc/security/faillock.conf\n\n silent\n\n If the \"silent\" option is not set, is missing or commented out, this is a\nfinding.", + "fix": "Configure the operating system to prevent informative messages from being\npresented at logon attempts.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n silent" }, "impact": 0.5, "refs": [ 
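Review bot: The applicability test in `SV-244536` decides whether a GUI exists by matching the English text `No such file or directory` in the stderr of `ls /usr/share/xsessions/*`; on a non-English locale, or wherever the shell reports an unmatched glob differently, `no_gui` is false on a headless host and the control then fails on a missing `gsettings` binary instead of reporting Not Applicable. A filesystem probe is locale-independent and avoids spawning a shell: `no_gui = !directory('/usr/share/xsessions').exist?`. Separately, `gsettings get org.gnome.login-screen disable-user-list` executed by the scanner reflects the dconf profile of the scanning user, which presumably is not the `gdm` profile the greeter actually reads, so a `true` here shows the `local` database was updated rather than proving the login screen hides the list; a one-line comment above the `describe command(...)` saying so would keep the result from being over-read.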
@@ -4443,33 +4455,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230321", - "rid": "SV-230321r627750_rule", - "stig_id": "RHEL-08-010730", - "fix_id": "F-32965r567710_fix", + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-230341", + "rid": "SV-230341r743978_rule", + "stig_id": "RHEL-08-020019", + "fix_id": "F-32985r743977_fix", "cci": [ - "CCI-000366" + "CCI-000044" ], "nist": [ - "CM-6 b" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230321' do\n title 'All RHEL 8 local interactive user home directories must have mode 0750\nor less permissive.'\n desc 'Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.'\n desc 'check', %q(Verify the assigned home directory of all local interactive users has a\nmode of \"0750\" or less permissive with the following command:\n\n Note: This may miss interactive users that have been assigned a privileged\nUser Identifier (UID). Evidence of interactive use may be obtained from a\nnumber of log files containing system logon information.\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}'\n/etc/passwd)\n\n drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\n If home directories referenced in \"/etc/passwd\" do not have a mode of\n\"0750\" or less permissive, this is a finding.)\n desc 'fix', 'Change the mode of interactive user’s home directories to \"0750\". 
To\nchange the mode of a local interactive user’s home directory, use the following\ncommand:\n\n Note: The example will be for the user \"smithj\".\n\n $ sudo chmod 0750 /home/smithj'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230321'\n tag rid: 'SV-230321r627750_rule'\n tag stig_id: 'RHEL-08-010730'\n tag fix_id: 'F-32965r567710_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_home_users = input('exempt_home_users')\n expected_mode = input('home_dir_mode')\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n iuser_entries = passwd.where { uid.to_i >= uid_min && shell !~ /nologin/ && !exempt_home_users.include?(user) }\n\n if !iuser_entries.users.nil? && !iuser_entries.users.empty?\n failing_homedirs = iuser_entries.homes.select { |home|\n file(home).more_permissive_than?(expected_mode)\n }\n describe 'All non-exempt interactive user account home directories on the system' do\n it \"should not be more permissive than '#{expected_mode}'\" do\n expect(failing_homedirs).to be_empty, \"Failing home directories:\\n\\t- #{failing_homedirs.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'No non-exempt interactive user accounts' do\n it 'were detected on the system' do\n expect(true).to eq(true)\n end\n end\n end\nend\n", + "code": "control 'SV-230341' do\n title 'RHEL 8 must prevent system messages from being presented when three\nunsuccessful logon attempts occur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. 
Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to prevent\ninformative messages from being presented at logon attempts:\n\n $ sudo grep silent /etc/security/faillock.conf\n\n silent\n\n If the \"silent\" option is not set, is missing or commented out, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to prevent informative messages from being\npresented at logon attempts.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n silent'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230341'\n tag rid: 'SV-230341r743978_rule'\n tag stig_id: 'RHEL-08-020019'\n tag fix_id: 'F-32985r743977_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe 
parse_config_file('/etc/security/faillock.conf') do\n its('silent') { should_not be_nil }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230321.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230341.rb", "line": 1 }, - "id": "SV-230321" + "id": "SV-230341" }, { - "title": "RHEL 8 must disable the kernel.core_pattern.", - "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 wireless network adapters must be disabled.", + "desc": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. 
Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 disables storing core dumps with the following commands:\n\n$ sudo sysctl kernel.core_pattern\n\nkernel.core_pattern = |/bin/false\n\nIf the returned line does not have a value of \"|/bin/false\", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false\n\nIf \"kernel.core_pattern\" is not set to \"|/bin/false\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to disable storing core dumps.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.core_pattern = |/bin/false\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" + "default": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. 
If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", + "check": "Verify there are no wireless interfaces configured on the system with the\nfollowing command:\n\n Note: This requirement is Not Applicable for systems that do not have\nphysical wireless network radios.\n\n $ sudo nmcli device status\n\n DEVICE TYPE STATE\nCONNECTION\n virbr0 bridge connected virbr0\n wlp7s0 wifi connected wifiSSID\n enp6s0 ethernet disconnected --\n p2p-dev-wlp7s0 wifi-p2p disconnected --\n lo loopback unmanaged --\n virbr0-nic tun unmanaged --\n\n If a wireless interface is configured and has not been documented and\napproved by the Information System Security Officer (ISSO), this is a finding.", + "fix": "Configure the system to disable all wireless network interfaces with the\nfollowing command:\n\n $ sudo nmcli radio all off" }, "impact": 0.5, "refs": [ 
@@ -4479,73 +4496,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230311", - "rid": "SV-230311r858769_rule", - "stig_id": "RHEL-08-010671", - "fix_id": "F-32955r858768_fix", - "cci": [ - "CCI-000366" - ], - "legacy": [], - "nist": [ - "CM-6 b" + "gtitle": "SRG-OS-000299-GPOS-00117", + "satisfies": [ + "SRG-OS-000299-GPOS-00117", + "SRG-OS-000300-GPOS-00118", + "SRG-OS-000481-GPOS-000481" ], - "host": null - }, - "code": "control 'SV-230311' do\n title 'RHEL 8 must disable the kernel.core_pattern.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 disables storing core dumps with the following commands:\n\n$ sudo sysctl kernel.core_pattern\n\nkernel.core_pattern = |/bin/false\n\nIf the returned line does not have a value of \"|/bin/false\", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false\n\nIf \"kernel.core_pattern\" is not set to \"|/bin/false\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable storing core dumps.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.core_pattern = |/bin/false\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230311'\n tag rid: 'SV-230311r858769_rule'\n tag stig_id: 'RHEL-08-010671'\n tag fix_id: 'F-32955r858768_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n kernel_setting = 'kernel.core_pattern'\n kernel_expected_value = input('kernel_dump_expected_value')\n\n describe kernel_parameter(kernel_setting) do\n its('value') { should eq kernel_expected_value }\n end\n\n k_conf_files = input('kernel_config_files')\n\n # make sure the setting is set somewhere\n k_conf = command(\"grep -r #{kernel_setting} #{k_conf_files.join(' ')}\").stdout.split(\"\\n\")\n\n # make sure it is set correctly\n failing_k_conf = k_conf.reject { |k| k.match(/#{kernel_parameter}\\s*=\\s*#{kernel_expected_value}/) }\n\n describe 'Kernel config files' do\n it \"should set '#{kernel_setting}' on startup\" do\n expect(k_conf).to_not be_empty, \"Setting not found in any of the following config files:\\n\\t- #{k_conf_files.join(\"\\n\\t- \")}\"\n expect(failing_k_conf).to be_empty, \"Incorrect or conflicting settings found:\\n\\t- #{failing_k_conf.join(\"\\n\\t- \")}\" if k_conf.nil?\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230311.rb", - "line": 1 - }, - "id": "SV-230311" - }, - { - "title": "RHEL 8 must display the date and time of the last successful account\nlogon upon logon.", - "desc": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", - "descriptions": { - "default": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of 
unauthorized account use.", - "check": "Verify users are provided with feedback on when account accesses last\noccurred with the following command:\n\n $ sudo grep pam_lastlog /etc/pam.d/postlogin\n\n session required pam_lastlog.so showfailed\n\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the\nsilent option is present, this is a finding.", - "fix": "Configure the operating system to provide users with feedback on when\naccount accesses last occurred by setting the required configuration options in\n\"/etc/pam.d/postlogin\".\n\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n\n session required pam_lastlog.so showfailed" - }, - "impact": 0.3, - "refs": [ - { - "ref": "DPMS Target Red Hat Enterprise Linux 8" - } - ], - "tags": { - "severity": "low", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230381", - "rid": "SV-230381r858726_rule", - "stig_id": "RHEL-08-020340", - "fix_id": "F-33025r567890_fix", + "gid": "V-230506", + "rid": "SV-230506r627750_rule", + "stig_id": "RHEL-08-040110", + "fix_id": "F-33150r568265_fix", "cci": [ - "CCI-000366", - "CCI-000052" + "CCI-001444" ], "nist": [ - "CM-6 b", - "AC-9" + "AC-18 (1)" ], "host": null, "container": null }, - "code": "control 'SV-230381' do\n title 'RHEL 8 must display the date and time of the last successful account\nlogon upon logon.'\n desc 'Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.'\n desc 'check', 'Verify users are provided with feedback on when account accesses last\noccurred with the following command:\n\n $ sudo grep pam_lastlog /etc/pam.d/postlogin\n\n session required pam_lastlog.so showfailed\n\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the\nsilent option is present, this is a finding.'\n desc 'fix', 'Configure the operating system to provide users with feedback on when\naccount accesses last occurred by setting the required 
configuration options in\n\"/etc/pam.d/postlogin\".\n\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n\n session required pam_lastlog.so showfailed'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230381'\n tag rid: 'SV-230381r858726_rule'\n tag stig_id: 'RHEL-08-020340'\n tag fix_id: 'F-33025r567890_fix'\n tag cci: ['CCI-000366', 'CCI-000052']\n tag nist: ['CM-6 b', 'AC-9']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/postlogin') do\n its('lines') { should match_pam_rule('session .* pam_lastlog.so').all_with_args('showfailed') }\n its('lines') { should_not match_pam_rule('session .* pam_lastlog.so').all_without_args('silent') }\n end\nend\n", + "code": "control 'SV-230506' do\n title 'RHEL 8 wireless network adapters must be disabled.'\n desc 'Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. 
Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.'\n desc 'check', 'Verify there are no wireless interfaces configured on the system with the\nfollowing command:\n\n Note: This requirement is Not Applicable for systems that do not have\nphysical wireless network radios.\n\n $ sudo nmcli device status\n\n DEVICE TYPE STATE\nCONNECTION\n virbr0 bridge connected virbr0\n wlp7s0 wifi connected wifiSSID\n enp6s0 ethernet disconnected --\n p2p-dev-wlp7s0 wifi-p2p disconnected --\n lo loopback unmanaged --\n virbr0-nic tun unmanaged --\n\n If a wireless interface is configured and has not been documented and\napproved by the Information System Security Officer (ISSO), this is a finding.'\n desc 'fix', 'Configure the system to disable all wireless network interfaces with the\nfollowing command:\n\n $ sudo nmcli radio all off'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000299-GPOS-00117'\n tag satisfies: ['SRG-OS-000299-GPOS-00117', 'SRG-OS-000300-GPOS-00118', 'SRG-OS-000481-GPOS-000481']\n tag gid: 'V-230506'\n tag rid: 'SV-230506r627750_rule'\n tag stig_id: 'RHEL-08-040110'\n tag fix_id: 'F-33150r568265_fix'\n tag cci: ['CCI-001444']\n tag nist: ['AC-18 (1)']\n tag 'host'\n tag 'container'\n\n if input('wifi_hardware')\n describe command('nmcli device') do\n its('stdout.strip') { should_not match(/wifi\\s*connected/) }\n end\n 
else\n impact 0.0\n describe 'Skip' do\n skip 'The system does not have a wireless network adapter, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230381.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230506.rb", "line": 1 }, - "id": "SV-230381" + "id": "SV-230506" }, { - "title": "RHEL 8 must disable storing core dumps.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", + "title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a command line\nuser logon.", + "desc": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. 
The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", - "check": "Verify the operating system disables storing core dumps for all users by\nissuing the following command:\n\n $ sudo grep -i storage /etc/systemd/coredump.conf\n\n Storage=none\n\n If the \"Storage\" item is missing, commented out, or the value is anything\nother than \"none\" and the need for core dumps is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement for\nall domains that have the \"core\" item assigned, this is a finding.", - "fix": "Configure the operating system to disable storing core dumps for all users.\n\nAdd or modify the following line in /etc/systemd/coredump.conf:\n\nStorage=none" + "default": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "check": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner\nbefore granting access to the operating system via a command line user logon.\n\n Check that RHEL 8 displays a banner at the command line login screen with\nthe following command:\n\n $ sudo cat /etc/issue\n\n If the banner is set correctly it will return the following text:\n\n “You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\n If the banner text does not match the Standard Mandatory DoD Notice and\nConsent Banner exactly, this is a finding.", + "fix": "Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the system via command line logon.\n\n Edit the \"/etc/issue\" file to replace the default text with the Standard\nMandatory DoD Notice and Consent Banner. The DoD-required text is:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests -- not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"" }, "impact": 0.5, "refs": [ 
@@ -4555,70 +4538,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230314", - "rid": "SV-230314r627750_rule", - "stig_id": "RHEL-08-010674", - "fix_id": "F-32958r567689_fix", - "cci": [ - "CCI-000366" - ], - "legacy": [], - "nist": [ - "CM-6 b" + "gtitle": "SRG-OS-000023-GPOS-00006", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" ], - "host": null - }, - "code": "control 'SV-230314' do\n title 'RHEL 8 must disable storing core dumps.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.'\n desc 'check', 'Verify the operating system disables storing core dumps for all users by\nissuing the following command:\n\n $ sudo grep -i storage /etc/systemd/coredump.conf\n\n Storage=none\n\n If the \"Storage\" item is missing, commented out, or the value is anything\nother than \"none\" and the need for core dumps is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement for\nall domains that have the \"core\" item assigned, this is a finding.'\n desc 'fix', 'Configure the operating system to disable storing core dumps for all users.\n\nAdd or modify the following line in /etc/systemd/coredump.conf:\n\nStorage=none'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230314'\n tag rid: 'SV-230314r627750_rule'\n tag stig_id: 'RHEL-08-010674'\n tag fix_id: 'F-32958r567689_fix'\n tag cci: 
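Review bot: The new SV-230506 InSpec test only fails when a Wi-Fi device is currently associated — `its('stdout.strip') { should_not match(/wifi\s*connected/) }` against `nmcli device` — while the check text requires that no wireless interface be configured and the prescribed fix is `nmcli radio all off`, so a host whose radio is still enabled but not associated at scan time passes. A check that actually pairs with the fix would also assert the radio state, e.g. `describe command('nmcli radio wifi') do` / `its('stdout.strip') { should cmp 'disabled' }` / `end`, gated by the same `input('wifi_hardware')` branch. The same block also passes vacuously when `nmcli` is absent (empty stdout), so adding `its('exit_status') { should eq 0 }` to the `nmcli device` describe would surface that as a failure rather than a silent pass. Since the `code` string appears to be an export of `./Red Hat 8 STIG/controls/SV-230506.rb`, the change presumably belongs in that Ruby file with this JSON regenerated rather than edited by hand. The SV-230227 banner control that begins at the end of this hunk continues into the next hunk.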
['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/systemd/coredump.conf') do\n its('Coredump.Storage') { should cmp 'none' }\n end\nend\n", - "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230314.rb", - "line": 1 - }, - "id": "SV-230314" - }, - { - "title": "All RHEL 8 local interactive user home directory files must have mode\n0750 or less permissive.", - "desc": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", - "descriptions": { - "default": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", - "check": "Verify all files and directories contained in a local interactive user home\ndirectory, excluding local initialization files, have a mode of \"0750\".\n Files that begin with a \".\" are excluded from this requirement.\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n $ sudo ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\n If any files or directories are found with a mode more permissive than\n\"0750\", this is a finding.", - "fix": "Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n $ sudo chmod 0750 /home/smithj/" - }, - "impact": 0.5, - "refs": [ - { - "ref": "DPMS Target Red Hat Enterprise Linux 8" - } - ], - "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244531", - "rid": "SV-244531r743842_rule", - 
"stig_id": "RHEL-08-010731", - "fix_id": "F-47763r743841_fix", + "gid": "V-230227", + "rid": "SV-230227r627750_rule", + "stig_id": "RHEL-08-010060", + "fix_id": "F-32871r567428_fix", "cci": [ - "CCI-000366" + "CCI-000048" ], "nist": [ - "CM-6 b" + "AC-8 a" ], "host": null }, - "code": "control 'SV-244531' do\n title 'All RHEL 8 local interactive user home directory files must have mode\n0750 or less permissive.'\n desc 'Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.'\n desc 'check', 'Verify all files and directories contained in a local interactive user home\ndirectory, excluding local initialization files, have a mode of \"0750\".\n Files that begin with a \".\" are excluded from this requirement.\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n $ sudo ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\n If any files or directories are found with a mode more permissive than\n\"0750\", this is a finding.'\n desc 'fix', 'Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n $ sudo chmod 0750 /home/smithj/'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244531'\n tag rid: 'SV-244531r743842_rule'\n tag stig_id: 'RHEL-08-010731'\n tag fix_id: 'F-47763r743841_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if(\"This control takes a long time to execute so it has been disabled through 'slow_controls'\") {\n !input('disable_slow_controls')\n }\n\n ignore_shells = input('non_interactive_shells').join('|')\n 
exempt_home_users = input('exempt_home_users').join('|')\n\n findings = Set[]\n users.where { !username.match(exempt_home_users) && !shell.match(ignore_shells) && (uid >= 1000 || uid.zero?) }.entries.each do |user_info|\n findings += command(\"find #{user_info.home} -xdev -not -name '.*' -perm /027 -type f\").stdout.split(\"\\n\")\n end\n describe 'All files in the users home directory' do\n it 'are expected to have permissions 0750 or better' do\n expect(findings).to be_empty, 'Some files in the users home directory do not have correct permissions. Please ensure all files have permissions 0750 or better.'\n end\n end\nend\n", + "code": "control 'SV-230227' do\n title 'RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a command line\nuser logon.'\n desc 'Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"'\n desc 'check', 'Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner\nbefore granting access to the operating system via a command line user logon.\n\n Check that RHEL 8 displays a banner at the command line login screen with\nthe following command:\n\n $ sudo cat /etc/issue\n\n If the banner is set correctly it will return the following text:\n\n “You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.”\n\n If the banner text does not match the Standard Mandatory DoD Notice and\nConsent Banner exactly, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the system via command line logon.\n\n Edit the \"/etc/issue\" file to replace the default text with the Standard\nMandatory DoD Notice and Consent Banner. The DoD-required text is:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests -- not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-230227'\n tag rid: 'SV-230227r627750_rule'\n tag stig_id: 'RHEL-08-010060'\n tag fix_id: 'F-32871r567428_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n banner_file = file('/etc/issue')\n\n describe banner_file do\n it { should exist }\n end\n\n if banner_file.exist?\n\n banner = banner_file.content.gsub(/[\\r\\n\\s]/, '')\n expected_banner = input('banner_message_text_cli').gsub(/[\\r\\n\\s]/, '')\n\n describe 'The CLI Login Banner ' do\n it 'is set to the standard banner and has the correct text' do\n expect(banner).to eq(expected_banner), 'Banner does not match expected text'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244531.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230227.rb", "line": 1 }, - "id": "SV-244531" + "id": "SV-230227" }, { - "title": "Successful/unsuccessful uses of the pam_timestamp_check command in\nRHEL 8 must generate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"pam_timestamp_check\"\ncommand is used to check if the default timestamp is valid.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must clear the page allocator to prevent use-after-free\nattacks.", + "desc": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Poisoning writes an arbitrary value to freed pages, so any modification or\nreference to that page after being freed or before being initialized will be\ndetected and prevented. This prevents many types of use-after-free\nvulnerabilities at little performance cost. Also prevents leak of data and\ndetection of corrupted memory.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"pam_timestamp_check\"\ncommand is used to check if the default timestamp is valid.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"pam_timestamp_check\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-pam_timestamp_check\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"pam_timestamp_check\" command by adding\nor updating the following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-pam_timestamp_check\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Poisoning writes an arbitrary value to freed pages, so any modification or\nreference to that page after being freed or before being initialized will be\ndetected and prevented. This prevents many types of use-after-free\nvulnerabilities at little performance cost. 
Also prevents leak of data and\ndetection of corrupted memory.", + "check": "Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has page poisoning enabled:\n\n$ sudo grub2-editenv list | grep page_poison\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"page_poison\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that page poisoning is enabled by default to persist in kernel updates:\n\n$ sudo grep page_poison /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"page_poison=1\"\n\nIf \"page_poison\" is not set to \"1\", is missing or commented out, this is a finding.", + "fix": "Configure RHEL 8 to enable page poisoning with the following commands:\n\n $ sudo grubby --update-kernel=ALL --args=\"page_poison=1\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"page_poison=1\"" }, "impact": 0.5, "refs": [ 
@@ -4628,42 +4578,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000134-GPOS-00068", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000134-GPOS-00068", + "SRG-OS-000433-GPOS-00192" ], - "gid": "V-230436", - "rid": "SV-230436r627750_rule", - "stig_id": "RHEL-08-030340", - "fix_id": "F-33080r568055_fix", + "gid": "V-230277", + "rid": "SV-230277r792884_rule", + "stig_id": "RHEL-08-010421", + "fix_id": "F-32921r567578_fix", "cci": [ - "CCI-000169" + "CCI-001084" ], "nist": [ - "AU-12 a" + "SC-3" ], "host": null }, - "code": "control 'SV-230436' do\n title 'Successful/unsuccessful uses of the pam_timestamp_check command in\nRHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"pam_timestamp_check\"\ncommand is used to check if the default timestamp is valid.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"pam_timestamp_check\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-pam_timestamp_check\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"pam_timestamp_check\" command by adding\nor updating the following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-pam_timestamp_check\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230436'\n tag rid: 'SV-230436r627750_rule'\n tag stig_id: 'RHEL-08-030340'\n tag fix_id: 'F-33080r568055_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/pam_timestamp_check'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n 
expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230277' do\n title 'RHEL 8 must clear the page allocator to prevent use-after-free\nattacks.'\n desc 'Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Poisoning writes an arbitrary value to freed pages, so any modification or\nreference to that page after being freed or before being initialized will be\ndetected and prevented. This prevents many types of use-after-free\nvulnerabilities at little performance cost. 
Also prevents leak of data and\ndetection of corrupted memory.'\n desc 'check', 'Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has page poisoning enabled:\n\n$ sudo grub2-editenv list | grep page_poison\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"page_poison\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that page poisoning is enabled by default to persist in kernel updates:\n\n$ sudo grep page_poison /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"page_poison=1\"\n\nIf \"page_poison\" is not set to \"1\", is missing or commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable page poisoning with the following commands:\n\n $ sudo grubby --update-kernel=ALL --args=\"page_poison=1\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"page_poison=1\"'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag satisfies: ['SRG-OS-000134-GPOS-00068', 'SRG-OS-000433-GPOS-00192']\n tag gid: 'V-230277'\n tag rid: 'SV-230277r792884_rule'\n tag stig_id: 'RHEL-08-010421'\n tag fix_id: 'F-32921r567578_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n grub_stdout = command('grub2-editenv - list').stdout\n setting = /page_poison\\s*=\\s*1/\n\n describe 'GRUB config' do\n it 'should enable page poisoning' do\n expect(parse_config(grub_stdout)['kernelopts']).to match(setting), 'Current GRUB configuration does not disable this setting'\n expect(parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX']).to match(setting), 
'Setting not configured to persist between kernel updates'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230436.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230277.rb", "line": 1 }, - "id": "SV-230436" + "id": "SV-230277" }, { - "title": "Successful/unsuccessful uses of the unix_update in RHEL 8 must\ngenerate an audit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\"Unix_update\" is a helper program for the \"pam_unix\" module that updates\nthe password for a given user. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "Successful/unsuccessful uses of the umount command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"umount\" command is\nused to unmount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\"Unix_update\" is a helper program for the \"pam_unix\" module that updates\nthe password for a given user. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"unix_update\" by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"unix_update\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_update\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"umount\" command is\nused to unmount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"umount\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/umount /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"umount\" command by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
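Review bot: The failure message on the first expectation in the new SV-230277 `code` string reads `'Current GRUB configuration does not disable this setting'`, but the assertion checks that `page_poison=1` is present, so a failing run reports the opposite of what went wrong; `'Current GRUB configuration does not enable page poisoning'` states the actual condition. The `setting` regex `/page_poison\s*=\s*1/` also accepts values such as `page_poison=10`; anchoring it as `/page_poison\s*=\s*1(\s|$)/` pins the exact value the check text requires. Unlike the SV-230424 control later in this diff, this control has no `only_if` container guard, so `grub2-editenv - list` is presumably run inside containers where GRUB is absent and the control fails rather than being marked not applicable — worth confirming against how the other GRUB-based controls in this profile behave. Since this JSON is an export of the Ruby source named in `source_location.ref`, the fix belongs in that `.rb` file followed by a regenerated export, not in this file directly.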
@@ -4683,10 +4628,10 @@ "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-230426", - "rid": "SV-230426r627750_rule", - "stig_id": "RHEL-08-030310", - "fix_id": "F-33070r568025_fix", + "gid": "V-230424", + "rid": "SV-230424r627750_rule", + "stig_id": "RHEL-08-030301", + "fix_id": "F-33068r568019_fix", "cci": [ "CCI-000169" ], 
@@ -4695,12 +4640,12 @@ ], "host": null }, - "code": "control 'SV-230426' do\n title 'Successful/unsuccessful uses of the unix_update in RHEL 8 must\ngenerate an audit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\"Unix_update\" is a helper program for the \"pam_unix\" module that updates\nthe password for a given user. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"unix_update\" by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"unix_update\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_update\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230426'\n tag rid: 'SV-230426r627750_rule'\n tag stig_id: 'RHEL-08-030310'\n tag fix_id: 'F-33070r568025_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/unix_update'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230424' do\n title 'Successful/unsuccessful uses of the umount command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"umount\" command is\nused to unmount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"umount\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/umount /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"umount\" command by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag 
severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230424'\n tag rid: 'SV-230424r627750_rule'\n tag stig_id: 'RHEL-08-030301'\n tag fix_id: 'F-33068r568019_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/umount'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230426.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230424.rb", "line": 1 }, - "id": "SV-230426" + "id": "SV-230424" }, { "title": "RHEL 8 must be able to initiate directly a session lock for all\n connection types using smartcard when the smartcard is removed.", 
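Review bot: The key assertion at the end of the new SV-230424 `code` string, `expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])`, passes `nil` to `include` when neither input has an entry for `/usr/bin/umount`, which produces a misleading failure instead of pointing at the missing input; binding the lookup first, `expected_key = input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command]`, and asserting `expect(expected_key).not_to be_nil` before the `include` gives a readable error. The fields check looks for `auid!=-1` while the STIG check text shows `auid!=unset`; the control's own description says the audit system treats these identically, so a comment such as `# the loaded-rule output reports auid!=unset as auid!=-1, which is what auditd.file exposes` next to that expectation would save the next reader the detour (hedged — confirm against the auditd resource's output). The same template appears in the removed SV-230426 control, so this is likely shared across the audit-command controls and is best corrected in the source `.rb` files rather than in this generated export.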
@@ -4743,62 +4688,65 @@ "id": "SV-230351" }, { - "title": "RHEL 8 must disable mounting of cramfs.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Removing support for unneeded filesystem types reduces the local attack\nsurface of the server.\n\n Compressed ROM/RAM file system (or cramfs) is a read-only file system\ndesigned for simplicity and space-efficiency. It is mainly used in embedded\nand small-footprint systems.", + "title": "The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.", + "desc": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Removing support for unneeded filesystem types reduces the local attack\nsurface of the server.\n\n Compressed ROM/RAM file system (or cramfs) is a read-only file system\ndesigned for simplicity and space-efficiency. 
It is mainly used in embedded\nand small-footprint systems.", - "check": "Verify the operating system disables the ability to load the cramfs kernel module.\n\n $ sudo grep -r cramfs /etc/modprobe.d/* | grep \"/bin/false\"\n install cramfs /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the cramfs protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the cramfs kernel module.\n\nCheck to see if the cramfs kernel module is disabled with the following command:\n\n $ sudo grep -r cramfs /etc/modprobe.d/* | grep \"blacklist\"\n blacklist cramfs\n\nIf the command does not return any output or the output is not \"blacklist cramfs\", and use of the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the cramfs kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install cramfs /bin/false\n blacklist cramfs\n\nReboot the system for the settings to take effect." + "default": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. 
If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", + "check": "Check that a minimum number of hash rounds is configured by running the following command:\n\n $ sudo grep -E \"^SHA_CRYPT_\" /etc/login.defs\n\nIf only one of \"SHA_CRYPT_MIN_ROUNDS\" or \"SHA_CRYPT_MAX_ROUNDS\" is set, and this value is below \"5000\", this is a finding.\n\nIf both \"SHA_CRYPT_MIN_ROUNDS\" and \"SHA_CRYPT_MAX_ROUNDS\" are set, and the highest value for either is below \"5000\", this is a finding.", + "fix": "Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"SHA_CRYPT_MIN_ROUNDS\" to a value no lower than \"5000\":\n\nSHA_CRYPT_MIN_ROUNDS 5000" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230498", - "rid": "SV-230498r942930_rule", - "stig_id": "RHEL-08-040025", - "fix_id": "F-33142r942929_fix", + "severity": "medium", + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-230233", + "rid": "SV-230233r880705_rule", + "stig_id": "RHEL-08-010130", + "fix_id": "F-32877r809272_fix", "cci": [ - "CCI-000381" + "CCI-000196" ], "nist": [ - "CM-7 a" + "IA-5 (1) (c)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230498' do\n title 'RHEL 8 must disable mounting of cramfs.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Removing support for unneeded filesystem types reduces the local attack\nsurface of the server.\n\n Compressed ROM/RAM file system (or cramfs) is a read-only file system\ndesigned for simplicity and space-efficiency. It is mainly used in embedded\nand small-footprint systems.'\n desc 'check', 'Verify the operating system disables the ability to load the cramfs kernel module.\n\n $ sudo grep -r cramfs /etc/modprobe.d/* | grep \"/bin/false\"\n install cramfs /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the cramfs protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the cramfs kernel module.\n\nCheck to see if the cramfs kernel module is disabled with the following command:\n\n $ sudo grep -r cramfs /etc/modprobe.d/* | grep \"blacklist\"\n blacklist cramfs\n\nIf the command does not return any output or the output is not \"blacklist cramfs\", and use of the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the cramfs kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install cramfs /bin/false\n blacklist cramfs\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230498'\n tag rid: 'SV-230498r942930_rule'\n tag stig_id: 'RHEL-08-040025'\n tag fix_id: 'F-33142r942929_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe kernel_module('cramfs') 
do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control 'SV-230233' do\n title 'The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.'\n desc 'The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.'\n desc 'check', 'Check that a minimum number of hash rounds is configured by running the following command:\n\n $ sudo grep -E \"^SHA_CRYPT_\" /etc/login.defs\n\nIf only one of \"SHA_CRYPT_MIN_ROUNDS\" or \"SHA_CRYPT_MAX_ROUNDS\" is set, and this value is below \"5000\", this is a finding.\n\nIf both \"SHA_CRYPT_MIN_ROUNDS\" and \"SHA_CRYPT_MAX_ROUNDS\" are set, and the highest value for either is below \"5000\", this is a finding.'\n desc 'fix', 'Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"SHA_CRYPT_MIN_ROUNDS\" to a value no lower than \"5000\":\n\nSHA_CRYPT_MIN_ROUNDS 5000'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-230233'\n tag rid: 'SV-230233r880705_rule'\n tag stig_id: 'RHEL-08-010130'\n tag fix_id: 'F-32877r809272_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag 'host'\n tag 'container'\n\n min = input('sha_crypt_min_rounds')\n max = input('sha_crypt_max_rounds')\n\n describe.one do\n describe login_defs do\n its('SHA_CRYPT_MIN_ROUNDS') { should cmp >= min }\n end\n describe login_defs do\n its('SHA_CRYPT_MIN_ROUNDS') { should be_nil }\n end\n end\n describe.one do\n describe login_defs do\n its('SHA_CRYPT_MAX_ROUNDS') { should 
cmp >= max }\n end\n describe login_defs do\n its('SHA_CRYPT_MAX_ROUNDS') { should be_nil }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230498.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230233.rb", "line": 1 }, - "id": "SV-230498" + "id": "SV-230233" }, { - "title": "There must be no .shosts files on the RHEL 8 operating system.", - "desc": "The \".shosts\" files are used to configure host-based authentication\nfor individual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", + "title": "RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", "descriptions": { - "default": "The \".shosts\" files are used to configure host-based authentication\nfor individual users or the system via SSH. 
Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", - "check": "Verify there are no \".shosts\" files on RHEL 8 with the following command:\n\n$ sudo find / -name '*.shosts'\n\nIf any \".shosts\" files are found, this is a finding.", - "fix": "Remove any found \".shosts\" files from the system.\n\n$ sudo rm /[path]/[to]/[file]/.shosts" + "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", + "check": "Note: This requirement applies to RHEL versions 8.4 or newer. 
If the system is RHEL below version 8.4, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option with the following command:\n\n$ sudo grep -r retry /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:retry = 3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", is commented out or missing, this is a finding.\n\nIf conflicting results are returned, this is a finding.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth and password-auth files with the following command:\n\n$ sudo grep pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth | grep retry\n\nIf the command returns any results, this is a finding.", + "fix": "Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/security/pwquality.conf\" file(or modify the line to have the required value):\n\nretry = 3\n\nRemove any configurations that conflict with the above value." }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", + "check_id": "C-55153r858735_chk", + "severity": "medium", + "gid": "V-251716", + "rid": "SV-251716r858737_rule", + "stig_id": "RHEL-08-020104", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230284", - "rid": "SV-230284r627750_rule", - "stig_id": "RHEL-08-010470", - "fix_id": "F-32928r567599_fix", + "fix_id": "F-55107r858736_fix", + "documentable": null, "cci": [ "CCI-000366" ], 
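Review bot: The embedded SV-230233 code in this hunk fails whenever `SHA_CRYPT_MIN_ROUNDS` is set below `sha_crypt_min_rounds` even if `SHA_CRYPT_MAX_ROUNDS` meets the threshold, whereas the control's own check text only calls that a finding when the higher of the two set values is below 5000; the two `describe.one` blocks evaluate each key independently instead of taking the higher one. The `be_nil` branches also mean a system with neither key set passes, which the check text does not explicitly address either way. Since the `source_location` points at `./Red Hat 8 STIG/controls/SV-230233.rb`, this JSON looks like an export of the InSpec profile, so the alignment (for example one expectation on the maximum of the two values that are present, compared against the input) presumably belongs in that upstream control rather than in a hand edit here.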
@@ -4808,20 +4756,20 @@ "host": null, "container": null }, - "code": "control 'SV-230284' do\n title 'There must be no .shosts files on the RHEL 8 operating system.'\n desc 'The \".shosts\" files are used to configure host-based authentication\nfor individual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.'\n desc 'check', %q(Verify there are no \".shosts\" files on RHEL 8 with the following command:\n\n$ sudo find / -name '*.shosts'\n\nIf any \".shosts\" files are found, this is a finding.)\n desc 'fix', 'Remove any found \".shosts\" files from the system.\n\n$ sudo rm /[path]/[to]/[file]/.shosts'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230284'\n tag rid: 'SV-230284r627750_rule'\n tag stig_id: 'RHEL-08-010470'\n tag fix_id: 'F-32928r567599_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n shosts_files = command('find / -xdev -xautofs -name .shosts').stdout.strip.split(\"\\n\")\n\n describe 'The RHEL8 filesystem' do\n it 'should not have any .shosts files present' do\n expect(shosts_files).to be_empty, \"Discovered .shosts files:\\n\\t- #{shosts_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-251716' do\n title 'RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option with the following command:\n\n$ sudo grep -r retry /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:retry = 3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", is commented out or missing, this is a finding.\n\nIf conflicting results are returned, this is a finding.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth and password-auth files with the following command:\n\n$ sudo grep pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth | grep retry\n\nIf the command returns any results, this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/security/pwquality.conf\" file(or modify the line to have the required value):\n\nretry = 3\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55153r858735_chk'\n tag severity: 'medium'\n tag gid: 'V-251716'\n tag rid: 'SV-251716r858737_rule'\n tag stig_id: 'RHEL-08-020104'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55107r858736_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n 
tag 'container'\n\n only_if('This requirement only applies to RHEL 8 versions above 8.4', impact: 0.0) {\n os.release.to_f >= 8.4\n }\n\n describe 'System pwquality setting' do\n subject { parse_config(command('grep -rh retry /etc/security/pwquality.conf*').stdout.strip) }\n its('retry') { should cmp >= input('min_retry') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230284.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251716.rb", "line": 1 }, - "id": "SV-230284" + "id": "SV-251716" }, { - "title": "RHEL 8 must include root when automatically locking an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts occur during a 15-minute time period.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.", + "title": "Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"unix_chkpwd\" command is a helper program for the pam_unix module that\nverifies the password of the current user. It also checks password and account\nexpiration dates in shadow. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. 
Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.", - "check": "Check that the system includes the root account when locking an account\nafter three unsuccessful logon attempts within a period of 15 minutes with the\nfollowing commands:\n\n If the system is RHEL version 8.2 or newer, this check is not applicable.\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"even_deny_root\" option is missing from the \"preauth\" line with\nthe \"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"even_deny_root\" option is missing from the \"preauth\" line with\nthe \"pam_faillock.so\" module, this is a finding.", - "fix": "Configure the operating system to include root when locking an account\nafter three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent 
audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"unix_chkpwd\" command is a helper program for the pam_unix module that\nverifies the password of the current user. It also checks password and account\nexpiration dates in shadow. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"unix_chkpwd\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"unix_chkpwd\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_chkpwd\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
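Review bot: The embedded SV-251716 code in this hunk enforces only a lower bound on the pwquality `retry` value (`its('retry') { should cmp >= input('min_retry') }`), so a value greater than 3, which the control's own check text calls a finding, passes the test. The check text requires `retry` to be set, non-zero and no greater than 3, so an upper-bound expectation alongside the existing one (for example `its('retry') { should cmp <= 3 }`, or a second input) would match it. The `only_if` message says "versions above 8.4" while the condition is `os.release.to_f >= 8.4` and the check text says "8.4 or newer"; `'This requirement only applies to RHEL 8 versions 8.4 and above'` would read consistently. Because `source_location` points at `./Red Hat 8 STIG/controls/SV-251716.rb`, this file appears to be an export of the InSpec profile, so the correction presumably belongs upstream and should be re-exported rather than patched here.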
@@ -4831,38 +4779,42 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-230344", - "rid": "SV-230344r646874_rule", - "stig_id": "RHEL-08-020022", - "fix_id": "F-32988r567779_fix", + "gid": "V-230433", + "rid": "SV-230433r627750_rule", + "stig_id": "RHEL-08-030317", + "fix_id": "F-33077r568046_fix", "cci": [ - "CCI-000044" + "CCI-000169" ], "nist": [ - "AC-7 a" + "AU-12 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230344' do\n title 'RHEL 8 must include root when automatically locking an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts occur during a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. 
Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.'\n desc 'check', 'Check that the system includes the root account when locking an account\nafter three unsuccessful logon attempts within a period of 15 minutes with the\nfollowing commands:\n\n If the system is RHEL version 8.2 or newer, this check is not applicable.\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"even_deny_root\" option is missing from the \"preauth\" line with\nthe \"pam_faillock.so\" module, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"even_deny_root\" option is missing from the \"preauth\" line with\nthe \"pam_faillock.so\" module, this is a finding.'\n desc 'fix', 'Configure the operating system to include root when locking an account\nafter three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent 
audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230344'\n tag rid: 'SV-230344r646874_rule'\n tag stig_id: 'RHEL-08-020022'\n tag fix_id: 'F-32988r567779_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('If the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('even_deny_root')\n }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_args('even_deny_root')\n }\n end\nend\n", + "code": "control 'SV-230433' do\n title 'Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"unix_chkpwd\" command is a helper program for the pam_unix module that\nverifies the password of the current user. 
It also checks password and account\nexpiration dates in shadow. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"unix_chkpwd\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"unix_chkpwd\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_chkpwd\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230433'\n tag rid: 'SV-230433r627750_rule'\n tag stig_id: 'RHEL-08-030317'\n tag fix_id: 'F-33077r568046_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/unix_chkpwd'\n\n only_if('This control is Not 
Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230344.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230433.rb", "line": 1 }, - "id": "SV-230344" + "id": "SV-230433" }, { - "title": "RHEL 8 library directories must be group-owned by root or a system account.", - "desc": "If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.", + "title": "Local RHEL 8 initialization files must not execute world-writable\nprograms.", + "desc": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. 
If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", "descriptions": { - "default": "If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.", - "check": "Verify the system-wide shared library directories are group-owned\n by \"root\" with the following command:\n\n $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c \"%n %G\" '{}' \\;\n\n If any system-wide shared library directory is returned and is not group-owned\n by a required system account, this is a finding.", - "fix": "Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing \"[DIRECTORY]\" with any library directory not group-owned by \"root\". $ sudo chgrp root [DIRECTORY]" + "default": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. 
If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", + "check": "Verify that local initialization files do not execute world-writable\nprograms.\n\n Check the system for world-writable files.\n\n The following command will discover and print world-writable files. Run it\nonce for each local partition [PART]:\n\n $ sudo find [PART] -xdev -type f -perm -0002 -print\n\n For all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\n Note: The example will be for a system that is configured to create user\nhome directories in the \"/home\" directory.\n\n $ sudo grep /home/*/.*\n\n If any local initialization files are found to reference world-writable\nfiles, this is a finding.", + "fix": "Set the mode on files being executed by the local initialization files with\nthe following command:\n\n $ sudo chmod 0755 " }, "impact": 0.5, "refs": [ 
@@ -4871,37 +4823,34 @@ } ], "tags": { - "check_id": "C-55146r810013_chk", "severity": "medium", - "gid": "V-251709", - "rid": "SV-251709r810014_rule", - "stig_id": "RHEL-08-010351", - "gtitle": "SRG-OS-000259-GPOS-00100", - "fix_id": "F-55100r809350_fix", - "documentable": null, + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230309", + "rid": "SV-230309r627750_rule", + "stig_id": "RHEL-08-010660", + "fix_id": "F-32953r567674_fix", "cci": [ - "CCI-001499" + "CCI-000366" ], "nist": [ - "CM-5 (6)" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-251709' do\n title 'RHEL 8 library directories must be group-owned by root or a system account.'\n desc 'If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.'\n desc 'check', %q(Verify the system-wide shared library directories are group-owned\n by \"root\" with the following command:\n\n $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c \"%n %G\" '{}' \\;\n\n If any system-wide shared library directory is returned and is not group-owned\n by a required system account, this is a finding.)\n desc 'fix', 'Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing \"[DIRECTORY]\" with any library directory not group-owned by \"root\". 
$ sudo chgrp root [DIRECTORY]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55146r810013_chk'\n tag severity: 'medium'\n tag gid: 'V-251709'\n tag rid: 'SV-251709r810014_rule'\n tag stig_id: 'RHEL-08-010351'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag fix_id: 'F-55100r809350_fix'\n tag 'documentable'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n non_root_owned_libs = input('system_libraries').filter { |lib|\n !input('required_system_accounts').include?(file(lib).group)\n }\n\n describe 'System libraries' do\n it 'should be owned by a required system account' do\n fail_msg = \"Libs not group-owned by a system account:\\n\\t- #{non_root_owned_libs.join(\"\\n\\t- \")}\"\n expect(non_root_owned_libs).to be_empty, fail_msg\n end\n end\nend\n", + "code": "control 'SV-230309' do\n title 'Local RHEL 8 initialization files must not execute world-writable\nprograms.'\n desc 'If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.'\n desc 'check', 'Verify that local initialization files do not execute world-writable\nprograms.\n\n Check the system for world-writable files.\n\n The following command will discover and print world-writable files. 
Run it\nonce for each local partition [PART]:\n\n $ sudo find [PART] -xdev -type f -perm -0002 -print\n\n For all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\n Note: The example will be for a system that is configured to create user\nhome directories in the \"/home\" directory.\n\n $ sudo grep /home/*/.*\n\n If any local initialization files are found to reference world-writable\nfiles, this is a finding.'\n desc 'fix', 'Set the mode on files being executed by the local initialization files with\nthe following command:\n\n $ sudo chmod 0755 '\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230309'\n tag rid: 'SV-230309r627750_rule'\n tag stig_id: 'RHEL-08-010660'\n tag fix_id: 'F-32953r567674_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'\n end\n else\n\n # get all world-writeable programs\n mount_points = etc_fstab.mount_point.join(' ')\n ww_programs = command(\"find #{mount_points} -xdev -type f -perm -0002 -print\").stdout.split.join('|')\n\n # get all homedirs\n interactive_users = passwd.where { uid.to_i >= 1000 && shell !~ /nologin/ }\n\n interactive_user_homedirs = interactive_users.homes.map { |home_path| home_path.match(%r{^(.*)/.*$}).captures.first }.uniq\n\n # get all init files (.*) in homedirs\n init_files = command(\"find #{interactive_user_homedirs.join(' ')} -xdev -maxdepth 2 -name '.*' ! 
-name '.bash_history' -type f\").stdout.split(\"\\n\")\n\n # check for ww programs in the init files\n init_files_invoking_ww = ww_programs.empty? ? [] : init_files.select { |i| file(i).content.lines.any? { |line| line.match(/^#{ww_programs}/) } }\n\n describe 'Interactive user initialization files' do\n it 'should not invoke world-writeable programs' do\n expect(init_files_invoking_ww).to be_empty, \"Failing init files:\\n\\t- #{init_files_invoking_ww.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251709.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230309.rb", "line": 1 }, - "id": "SV-251709" + "id": "SV-230309" }, { - "title": "The RHEL 8 SSH public host key files must have mode 0644 or less\npermissive.", - "desc": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", + "title": "Successful/unsuccessful uses of the passwd command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"passwd\" command is\nused to change passwords for user accounts.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", - "check": "Verify the SSH public host key files have mode \"0644\" or less permissive\nwith the following command:\n\n $ sudo ls -l /etc/ssh/*.pub\n\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\n If any key.pub file has a mode more permissive than \"0644\", this is a\nfinding.\n\n Note: SSH public key files may be found in other directories on the system\ndepending on the installation.", - "fix": "Change the mode of public host key files under \"/etc/ssh\" to \"0644\"\nwith the following command:\n\n $ sudo chmod 0644 /etc/ssh/*key.pub\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"passwd\" command is\nused to change passwords for user accounts.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"passwd\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w passwd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-passwd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"passwd\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-passwd\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
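Review bot: In the new `code` string for SV-230309, the world-writable paths are interpolated unescaped into a regex, `line.match(/^#{ww_programs}/)`, so a path containing `.`, `+`, `(` or `[` changes the pattern or raises a RegexpError, and because `^` binds only to the first alternative of `a|b|c`, every path after the first is matched anywhere in the line while the first is anchored to line start. Building the list with `.stdout.split("\n")` (whitespace `split` also breaks paths with spaces) and matching with `ww_pattern = Regexp.union(ww_programs)` fixes both, and `(file(i).content || '').lines.any? { |line| ww_pattern.match?(line) }` avoids a NoMethodError when an init file cannot be read. The mount points from `etc_fstab` and the interactive users' home directories are likewise interpolated unquoted into the two `find` command strings; if either can contain spaces or shell metacharacters they should be wrapped with `Shellwords.escape` before interpolation — I cannot tell from the hunk whether the profile already requires `shellwords`. The `fix` text in both `descriptions.fix` and the `code` string ends at `$ sudo chmod 0755 ` with no target, which looks like a lost placeholder, and the skip message reads `takes a long to run` and `accredidation`. The enclosing JSON control object starts and ends outside this hunk.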
@@ -4911,34 +4860,42 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230286", - "rid": "SV-230286r627750_rule", - "stig_id": "RHEL-08-010480", - "fix_id": "F-32930r567605_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230422", + "rid": "SV-230422r627750_rule", + "stig_id": "RHEL-08-030290", + "fix_id": "F-33066r568013_fix", "cci": [ - "CCI-000366" + "CCI-000169" ], "nist": [ - "CM-6 b" + "AU-12 a" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230286' do\n title 'The RHEL 8 SSH public host key files must have mode 0644 or less\npermissive.'\n desc 'If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.'\n desc 'check', 'Verify the SSH public host key files have mode \"0644\" or less permissive\nwith the following command:\n\n $ sudo ls -l /etc/ssh/*.pub\n\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\n If any key.pub file has a mode more permissive than \"0644\", this is a\nfinding.\n\n Note: SSH public key files may be found in other directories on the system\ndepending on the installation.'\n desc 'fix', 'Change the mode of public host key files under \"/etc/ssh\" to \"0644\"\nwith the following command:\n\n $ sudo chmod 0644 /etc/ssh/*key.pub\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230286'\n tag rid: 'SV-230286r627750_rule'\n tag stig_id: 'RHEL-08-010480'\n tag fix_id: 'F-32930r567605_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n ssh_host_key_dirs = input('ssh_host_key_dirs').join(' ')\n pub_keys = command(\"find #{ssh_host_key_dirs} -xdev -name '*.pub'\").stdout.split(\"\\n\")\n mode = input('ssh_pub_key_mode')\n failing_keys = pub_keys.select { |key| file(key).more_permissive_than?(mode) }\n\n describe 'All SSH public keys on the filesystem' do\n it \"should be less permissive than #{mode}\" do\n expect(failing_keys).to be_empty, \"Failing keyfiles:\\n\\t- #{failing_keys.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230422' do\n title 'Successful/unsuccessful uses of the passwd command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"passwd\" command is\nused to change passwords for user accounts.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"passwd\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w passwd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-passwd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"passwd\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-passwd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230422'\n tag rid: 'SV-230422r627750_rule'\n tag stig_id: 'RHEL-08-030290'\n tag fix_id: 'F-33066r568013_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/passwd'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230286.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230422.rb", "line": 1 }, - "id": "SV-230286" + "id": "SV-230422" }, { - "title": "RHEL 8 must require the change of at least 8 characters when passwords\nare changed.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"difok\" option sets the number of characters in a password\nthat must not be present in the old password.", + "title": "RHEL 8 must have the tmux package installed.", + "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"difok\" option sets the number of characters in a password\nthat must not be present in the old password.", - "check": "Verify the value of the \"difok\" option with the following command:\n\n$ sudo grep -r difok /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:difok = 8\n\nIf the value of \"difok\" is set to less than \"8\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = 8\n\nRemove any configurations that conflict with the above value." + "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. Red Hat endorses tmux\nas the recommended session controlling package.", + "check": "Verify RHEL 8 has the \"tmux\" package installed, by running the following\ncommand:\n\n $ sudo yum list installed tmux\n\n tmux.x86.64 2.7-1.el8\n@repository\n\n If \"tmux\" is not installed, this is a finding.", + "fix": "Configure the operating system to enable a user to initiate a session lock\nvia tmux.\n\n Install the \"tmux\" package, if it is not already installed, by running\nthe following command:\n\n $ sudo yum install tmux" }, "impact": 0.5, "refs": [ 
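Review bot: The new `code` for SV-230422 asserts `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')`, while the `fix` text tells the administrator to write `auid!=unset` and the control's own `desc` states that the audit system treats `-1`, `4294967295` and `unset` identically; how the loaded rule is reported back appears to depend on the auditctl version, so a rule written exactly as the fix prescribes can be reported as a finding. Accept any of the three spellings: `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000')` followed by `expect(audit_rule.fields.flatten & ['auid!=-1', 'auid!=4294967295', 'auid!=unset']).not_to be_empty`. The same literal `auid!=-1` assertion appears in the SV-230433 `code` earlier on this page and would want the same change. Separately, `satisfies` lists `SRG-OS-000062-GPOS-00031` twice, both in the `tags` object and in the Ruby `tag satisfies:` array. The enclosing JSON control object starts and ends outside this hunk.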
@@ -4948,71 +4905,74 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000072-GPOS-00040", - "gid": "V-230363", - "rid": "SV-230363r858783_rule", - "stig_id": "RHEL-08-020170", - "fix_id": "F-33007r858782_fix", + "gtitle": "SRG-OS-000028-GPOS-00009", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000030-GPOS-00011" + ], + "gid": "V-244537", + "rid": "SV-244537r743860_rule", + "stig_id": "RHEL-08-020039", + "fix_id": "F-47769r743859_fix", "cci": [ - "CCI-000195" + "CCI-000056" ], "nist": [ - "IA-5 (1) (b)" + "AC-11 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230363' do\n title 'RHEL 8 must require the change of at least 8 characters when passwords\nare changed.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"difok\" option sets the number of characters in a password\nthat must not be present in the old password.'\n desc 'check', 'Verify the value of the \"difok\" option with the following command:\n\n$ sudo grep -r difok /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:difok = 8\n\nIf the value of \"difok\" is set to less than \"8\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = 8\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-230363'\n tag rid: 'SV-230363r858783_rule'\n tag stig_id: 'RHEL-08-020170'\n tag fix_id: 'F-33007r858782_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host'\n tag 'container'\n\n value = input('difok')\n setting = 'difok'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to more than #{value}\" do\n expect(setting_value.first.to_i).to be <= value.to_i, \"#{setting} is set to a value greater than #{value} in pwquality.conf\"\n end\n end\nend\n", + "code": "control 'SV-244537' do\n title 'RHEL 8 must have the tmux package installed.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.'\n desc 'check', 'Verify RHEL 8 has the \"tmux\" package installed, by running the following\ncommand:\n\n $ sudo yum list installed tmux\n\n tmux.x86.64 2.7-1.el8\n@repository\n\n If \"tmux\" is not installed, this is a finding.'\n desc 'fix', 'Configure the operating system to enable a user to initiate a session lock\nvia tmux.\n\n Install the \"tmux\" package, if it is not already installed, by running\nthe following command:\n\n $ sudo yum install tmux'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-244537'\n tag rid: 'SV-244537r743860_rule'\n tag stig_id: 'RHEL-08-020039'\n tag fix_id: 'F-47769r743859_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe package('tmux') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230363.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244537.rb", "line": 1 }, - "id": "SV-230363" + "id": "SV-244537" }, { - "title": "RHEL 8 library files must be owned by root.", - "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "title": "RHEL 8 must not have the telnet-server package installed.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n The telnet service provides an unencrypted remote access service that does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", "descriptions": { - "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. 
Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", - "check": "Verify the system-wide shared library files are owned by \"root\" with the\nfollowing command:\n\n $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {}\n\\;\n\n If any system wide shared library file is returned, this is a finding.", - "fix": "Configure the system-wide shared library files (/lib, /lib64, /usr/lib and\n/usr/lib64) to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any library file not\nowned by \"root\".\n\n $ sudo chown root [FILE]" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n The telnet service provides an unencrypted remote access service that does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", + "check": "Check to see if the telnet-server package is installed with the following\ncommand:\n\n $ sudo yum list installed telnet-server\n\n If the telnet-server package is installed, this is a finding.", + "fix": "Configure the operating system to disable non-essential capabilities by\nremoving the telnet-server package from the system with the following command:\n\n $ sudo yum remove telnet-server" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-230261", - "rid": "SV-230261r627750_rule", - "stig_id": "RHEL-08-010340", - "fix_id": "F-32905r567530_fix", + "severity": "high", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230487", + "rid": "SV-230487r627750_rule", + "stig_id": "RHEL-08-040000", + "fix_id": "F-33131r568208_fix", "cci": [ - "CCI-001499" + "CCI-000381" ], "nist": [ - "CM-5 (6)" + "CM-7 a" ], "host": null, "container": null }, - "code": "control 'SV-230261' do\n title 'RHEL 8 library files must be owned by root.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system-wide shared library files are owned by \"root\" with the\nfollowing command:\n\n $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {}\n\\\\;\n\n If any system wide shared library file is returned, this is a finding.'\n desc 'fix', 'Configure the system-wide shared library files (/lib, /lib64, /usr/lib and\n/usr/lib64) to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any library file not\nowned by \"root\".\n\n $ sudo chown root [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230261'\n tag rid: 'SV-230261r627750_rule'\n tag stig_id: 'RHEL-08-010340'\n tag fix_id: 'F-32905r567530_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_libraries').join(' ')} ! -user root -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System libraries' do\n it 'should be owned by root' do\n expect(failing_files).to be_empty, \"Files not owned by root:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230487' do\n title 'RHEL 8 must not have the telnet-server package installed.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n The telnet service provides an unencrypted remote access service that does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.'\n desc 'check', 'Check to see if the telnet-server package is installed with the following\ncommand:\n\n $ sudo yum list installed telnet-server\n\n If the telnet-server package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by\nremoving the telnet-server package from the system with the following command:\n\n $ sudo yum remove telnet-server'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230487'\n tag rid: 'SV-230487r627750_rule'\n tag stig_id: 'RHEL-08-040000'\n tag fix_id: 'F-33131r568208_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n describe package('telnet-server') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230261.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230487.rb", "line": 1 }, - "id": "SV-230261" + "id": "SV-230487" }, { - "title": "RHEL 8 must not forward IPv4 source-routed packets.", - 
"desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must enable kernel parameters to enforce discretionary access\ncontrol on symlinks.", + "desc": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\nBy enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not forward IPv4 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). 
Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\nBy enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. 
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify the operating system is configured to enable DAC on symlinks with the following commands:\n\nCheck the status of the fs.protected_symlinks kernel parameter.\n\n$ sudo sysctl fs.protected_symlinks\n\nfs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to enable DAC on symlinks.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nfs.protected_symlinks = 1\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"
 },
 "impact": 0.5,
 "refs": [ 
@@ -5022,33 +4982,39 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-244551",
- "rid": "SV-244551r858799_rule",
- "stig_id": "RHEL-08-040239",
- "fix_id": "F-47783r858798_fix",
+ "gtitle": "SRG-OS-000312-GPOS-00122",
+ "satisfies": [
+ "SRG-OS-000312-GPOS-00122",
+ "SRG-OS-000312-GPOS-00123",
+ "SRG-OS-000312-GPOS-00124",
+ "SRG-OS-000324-GPOS-00125"
+ ],
+ "gid": "V-230267",
+ "rid": "SV-230267r858751_rule",
+ "stig_id": "RHEL-08-010373",
+ "fix_id": "F-32911r858750_fix",
 "cci": [
- "CCI-000366"
+ "CCI-002165"
 ],
 "nist": [
- "CM-6 b"
+ "AC-3 (4)"
 ],
 "host": null
 },
- "code": "control 'SV-244551' do\n title 'RHEL 8 must not forward IPv4 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv4 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244551'\n tag rid: 'SV-244551r858799_rule'\n tag stig_id: 'RHEL-08-040239'\n tag fix_id: 'F-47783r858798_fix'\n tag cci: 
['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.accept_source_route'\n action = 'IPv4 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` 
directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230267' do\n title 'RHEL 8 must enable kernel parameters to enforce discretionary access\ncontrol on symlinks.'\n desc %q(Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. 
Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\nBy enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify the operating system is configured to enable DAC on symlinks with the following commands:\n\nCheck the status of the fs.protected_symlinks kernel parameter.\n\n$ sudo sysctl fs.protected_symlinks\n\nfs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enable DAC on symlinks.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nfs.protected_symlinks = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000312-GPOS-00122'\n tag satisfies: ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123', 'SRG-OS-000312-GPOS-00124', 'SRG-OS-000324-GPOS-00125']\n tag gid: 'V-230267'\n tag rid: 'SV-230267r858751_rule'\n tag stig_id: 'RHEL-08-010373'\n tag fix_id: 'F-32911r858750_fix'\n tag cci: 
['CCI-002165']\n tag nist: ['AC-3 (4)']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'fs.protected_symlinks'\n\n describe kernel_parameter(action) do\n its('value') { should eq 1 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? { |line| line.match(/#{action}\\s*=\\s*1$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^1]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244551.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230267.rb", "line": 1 }, - "id": "SV-244551" + "id": "SV-230267" }, { - "title": "RHEL 8 audit system must protect auditing rules from unauthorized\nchange.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. 
A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.", + "title": "RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur during a 15-minute time period.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. 
A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.", - "check": "Verify the audit system prevents unauthorized changes with the following\ncommand:\n\n $ sudo grep \"^\\s*[^#]\" /etc/audit/audit.rules | tail -1\n\n -e 2\n\n If the audit system is not set to be immutable by adding the \"-e 2\"\noption to the \"/etc/audit/audit.rules\", this is a finding.", - "fix": "Configure the audit system to set the audit rules to be immutable by adding\nthe following line to \"/etc/audit/rules.d/audit.rules\"\n\n -e 2\n\n Note: Once set, the system must be rebooted for auditing to be changed. It\nis recommended to add this option as the last step in securing the system." + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Check that the system locks an account after three unsuccessful logon\nattempts within a period of 15 minutes with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"fail_interval\" option is not set to \"900\" or less (but not\n\"0\") on the \"preauth\" lines with the \"pam_faillock.so\" module, or is\nmissing from this line, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"fail_interval\" option is not set to \"900\" or less (but not\n\"0\") on the \"preauth\" lines with the \"pam_faillock.so\" module, or is\nmissing from this line, this is a finding.", + "fix": "Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 
unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service"
 },
 "impact": 0.5,
 "refs": [ 
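Review bot: In the new SV-230267 `code` string the guard `unless incorrect_results.nil?` can never be false, because `Array#select` always returns an array (possibly empty), so it only hides the fact that the conflicting-settings example always runs; drop the guard and register that `it` block directly. More importantly, the `incorrect_results` pattern `/#{action}\s*=\s*[^1]$/` only catches a single non-1 character at end of line, so a line such as `fs.protected_symlinks = 0 # note` or a multi-digit value in a later-sorted sysctl file matches neither regex and, when another file sets `= 1`, the control passes even though the STIG check says conflicting results are a finding; selecting the complement of the correct pattern, `select { |line| !line.match(/#{Regexp.escape(action)}\s*=\s*1$/) }`, catches every non-1 setting. The unescaped `.` in `#{action}` also matches any character in both regexes, which `Regexp.escape(action)` fixes. This JSON looks like an export of the InSpec profile, so the change belongs in the referenced `./Red Hat 8 STIG/controls/SV-230267.rb` and should be re-exported here.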
@@ -5058,39 +5024,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000057-GPOS-00027", + "gtitle": "SRG-OS-000021-GPOS-00005", "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" ], - "gid": "V-230402", - "rid": "SV-230402r627750_rule", - "stig_id": "RHEL-08-030121", - "fix_id": "F-33046r567953_fix", + "gid": "V-230334", + "rid": "SV-230334r627750_rule", + "stig_id": "RHEL-08-020012", + "fix_id": "F-32978r567749_fix", "cci": [ - "CCI-000162" + "CCI-000044" ], "nist": [ - "AU-9", - "AU-9 a" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230402' do\n title 'RHEL 8 audit system must protect auditing rules from unauthorized\nchange.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.'\n desc 'check', 'Verify the audit system prevents unauthorized changes with the following\ncommand:\n\n $ sudo grep \"^\\\\s*[^#]\" /etc/audit/audit.rules | tail -1\n\n -e 2\n\n If the audit system is not set to be immutable by adding the \"-e 2\"\noption to the \"/etc/audit/audit.rules\", this is a finding.'\n desc 'fix', 'Configure the audit system to set the audit rules to be immutable by adding\nthe following line to \"/etc/audit/rules.d/audit.rules\"\n\n -e 2\n\n Note: Once set, the system must be rebooted for auditing to be changed. 
It\nis recommended to add this option as the last step in securing the system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230402'\n tag rid: 'SV-230402r627750_rule'\n tag stig_id: 'RHEL-08-030121'\n tag fix_id: 'F-33046r567953_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe command('grep \"^\\s*[^#]\" /etc/audit/audit.rules | tail -1') do\n its('stdout.strip') { should cmp '-e 2' }\n end\nend\n", + "code": "control 'SV-230334' do\n title 'RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur during a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the system locks an account after three unsuccessful logon\nattempts within a period of 15 minutes with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"fail_interval\" option is not set to \"900\" or less (but not\n\"0\") on the \"preauth\" lines with the \"pam_faillock.so\" module, or is\nmissing from this line, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"fail_interval\" option is not set to \"900\" or less (but not\n\"0\") on the \"preauth\" lines with the \"pam_faillock.so\" module, or is\nmissing from this line, this is a finding.'\n desc 'fix', 'Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur in 15 minutes.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root 
fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230334'\n tag rid: 'SV-230334r627750_rule'\n tag stig_id: 'RHEL-08-020012'\n tag fix_id: 'F-32978r567749_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL version 8.1 and earlier. If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_integer_arg('fail_interval',\n '<=', input('fail_interval'))\n }\n end\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_integer_arg('fail_interval',\n '<=', input('fail_interval'))\n }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230402.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230334.rb", "line": 1 }, - "id": "SV-230402" + "id": "SV-230334" }, { - "title": "RHEL 8 must mount /var/tmp with the noexec option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.", + "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/tmp\" is mounted with the \"noexec\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"noexec\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"noexec\" option is missing, or if /var/tmp is mounted without the \"noexec\" option, this is a finding.", - "fix": "Configure the system so that /var/tmp is mounted with the \"noexec\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0" + "default": "Without re-authentication, users may access resources or perform tasks for which they do not have 
authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", + "check": "Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.", + "fix": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file." }, "impact": 0.5, "refs": [ 
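Review bot: The version gate in the new SV-230334 code, `(os.release.to_f) < 8.2`, misclassifies RHEL 8.10 and later: Ruby's `"8.10".to_f` is `8.1`, so the control runs on releases the check text itself declares Not Applicable ("8.2 or newer"). A component-wise comparison such as `Gem::Version.new(os.release) < Gem::Version.new('8.2')` inside the `only_if` block avoids the float truncation. Since this file embeds the control body as a "code" string, the correction belongs in the source file named in "source_location" (`./Red Hat 8 STIG/controls/SV-230334.rb`) and should then be re-exported here rather than hand-edited in the JSON.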
@@ -5099,34 +5064,42 @@ } ], "tags": { + "check_id": "C-55149r809358_chk", "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230522", - "rid": "SV-230522r854063_rule", - "stig_id": "RHEL-08-040134", - "fix_id": "F-33166r792932_fix", + "gid": "V-251712", + "rid": "SV-251712r854083_rule", + "stig_id": "RHEL-08-010385", + "gtitle": "SRG-OS-000373-GPOS-00156", + "fix_id": "F-55103r854082_fix", + "satisfies": [ + "SRG-OS-000373-GPOS-00156", + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00158" + ], + "documentable": null, "cci": [ - "CCI-001764" + "CCI-002038" ], "nist": [ - "CM-7 (2)" + "IA-11" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230522' do\n title 'RHEL 8 must mount /var/tmp with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/tmp\" is mounted with the \"noexec\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"noexec\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"noexec\" option is missing, or if /var/tmp is mounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/tmp is mounted with the \"noexec\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230522'\n tag rid: 'SV-230522r854063_rule'\n tag stig_id: 'RHEL-08-040134'\n tag fix_id: 'F-33166r792932_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/tmp'\n option = 'noexec'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-251712' do\n title 'The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.'\n desc 'Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability 
to escalate a functional capability, it is critical the user re-authenticate.'\n desc 'check', 'Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.'\n desc 'fix', 'Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55149r809358_chk'\n tag severity: 'medium'\n tag gid: 'V-251712'\n tag rid: 'SV-251712r854083_rule'\n tag stig_id: 'RHEL-08-010385'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag fix_id: 'F-55103r854082_fix'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag 'documentable'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host'\n tag 'container-conditional'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n describe parse_config_file('/etc/pam.d/sudo') do\n its('content') { should_not match(/pam_succeed_if/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230522.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251712.rb", "line": 1 }, - "id": "SV-230522" + "id": "SV-251712" }, { - "title": "RHEL 8 must have the USBGuard installed.", - "desc": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n Peripherals include, but are 
not limited to, such devices as flash drives,\nexternal storage, and printers.\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", + "title": "The RHEL 8 System must take appropriate action when an audit\nprocessing failure occurs.", + "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", "descriptions": { - "default": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n A new feature that RHEL 8 provides is the USBGuard software framework. 
The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", - "check": "Verify USBGuard is installed on the operating system with the following\ncommand:\n\n $ sudo yum list installed usbguard\n\n Installed Packages\n usbguard.x86_64 0.7.8-7.el8 @ol8_appstream\n\n If the USBGuard package is not installed, ask the SA to indicate how\nunauthorized peripherals are being blocked.\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.", - "fix": "Install the USBGuard package with the following command:\n\n$ sudo yum install usbguard.x86_64" + "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "check": "Verify RHEL 8 takes the appropriate action when an audit processing failure\noccurs.\n\n Check that RHEL 8 takes the appropriate action when an audit processing\nfailure occurs with the following command:\n\n $ sudo grep disk_error_action /etc/audit/auditd.conf\n\n disk_error_action = HALT\n\n If the value of the \"disk_error_action\" option is not \"SYSLOG\",\n\"SINGLE\", or \"HALT\", or the line is commented out, ask the system\nadministrator to indicate how the system takes appropriate action when an audit\nprocess failure occurs. If there is no evidence of appropriate action, this is\na finding.", + "fix": "Configure RHEL 8 to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\n Add or update the following line (depending on configuration\n\"disk_error_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\n disk_error_action = HALT\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nby setting the \"disk_error_action\" to \"SYSLOG\"." }, "impact": 0.5, "refs": [ 
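Review bot: The SV-251712 test `its('content') { should_not match(/pam_succeed_if/) }` runs against the raw file content, so a commented-out `pam_succeed_if` line in `/etc/pam.d/sudo` is reported as a finding even though it bypasses nothing; if the intent is to mirror the STIG's plain `grep` this is acceptable, but it should then be stated in a comment on the describe block, otherwise an anchor that skips comment lines (e.g. `should_not match(/^\s*[^#].*pam_succeed_if/)`) would be more precise. Separately, the "fix" text carries a stray space in `"/etc/ pam.d/sudo"` that will confuse anyone copying the path; the same string appears in the embedded "code" field, so it presumably originates in the source control file and should be corrected there.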
@@ -5136,33 +5109,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000378-GPOS-00163", - "gid": "V-244547", - "rid": "SV-244547r854076_rule", - "stig_id": "RHEL-08-040139", - "fix_id": "F-47779r743889_fix", + "gtitle": "SRG-OS-000047-GPOS-00023", + "gid": "V-230390", + "rid": "SV-230390r627750_rule", + "stig_id": "RHEL-08-030040", + "fix_id": "F-33034r567917_fix", "cci": [ - "CCI-001958" + "CCI-000140" ], "nist": [ - "IA-3" + "AU-5 b" ], "host": null }, - "code": "control 'SV-244547' do\n title 'RHEL 8 must have the USBGuard installed.'\n desc 'Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.'\n desc 'check', 'Verify USBGuard is installed on the operating system with the following\ncommand:\n\n $ sudo yum list installed usbguard\n\n Installed Packages\n usbguard.x86_64 0.7.8-7.el8 @ol8_appstream\n\n If the USBGuard package is not installed, ask the SA to indicate how\nunauthorized peripherals are being blocked.\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.'\n desc 'fix', 'Install the USBGuard package with the following command:\n\n$ sudo yum install usbguard.x86_64'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000378-GPOS-00163'\n tag gid: 'V-244547'\n tag rid: 'SV-244547r854076_rule'\n tag stig_id: 'RHEL-08-040139'\n tag fix_id: 'F-47779r743889_fix'\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n peripherals_package = input('peripherals_package')\n\n describe package(peripherals_package) do\n it \"is expected to be installed. \\n\\tPlease ensure to configure the service to ensure your devices function as expected.\" do\n expect(subject.installed?).to be(true), \"The #{peripherals_package} package is not installed\"\n end\n end\nend\n", + "code": "control 'SV-230390' do\n title 'The RHEL 8 System must take appropriate action when an audit\nprocessing failure occurs.'\n desc 'It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.'\n desc 'check', 'Verify RHEL 8 takes the appropriate action when an audit processing failure\noccurs.\n\n Check that RHEL 8 takes the appropriate action when an audit processing\nfailure occurs with the following command:\n\n $ sudo grep disk_error_action /etc/audit/auditd.conf\n\n disk_error_action = HALT\n\n If the value of the \"disk_error_action\" option is not \"SYSLOG\",\n\"SINGLE\", or \"HALT\", or the line is commented out, ask the system\nadministrator to indicate how the system takes appropriate action when an audit\nprocess failure occurs. 
If there is no evidence of appropriate action, this is\na finding.'\n desc 'fix', 'Configure RHEL 8 to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\n Add or update the following line (depending on configuration\n\"disk_error_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\n disk_error_action = HALT\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nby setting the \"disk_error_action\" to \"SYSLOG\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000047-GPOS-00023'\n tag gid: 'V-230390'\n tag rid: 'SV-230390r627750_rule'\n tag stig_id: 'RHEL-08-030040'\n tag fix_id: 'F-33034r567917_fix'\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n disk_error_action = input('disk_error_action').map(&:upcase)\n\n describe auditd_conf do\n its('disk_error_action.upcase') { should be_in disk_error_action }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244547.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230390.rb", "line": 1 }, - "id": "SV-244547" + "id": "SV-230390" }, { - "title": "RHEL 8 audit tools must have a mode of 0755 or less permissive.", - "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "title": "The RHEL 8 operating system must implement DoD-approved encryption in\nthe OpenSSL package.", + "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", - "check": "Verify the audit tools are protected from unauthorized access, deletion, or\nmodification by checking the permissive mode.\n\n Check the octal permission of each audit tool by running the following\ncommand:\n\n $ sudo stat -c \"%a %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n 755 /sbin/auditctl\n 755 /sbin/aureport\n 755 /sbin/ausearch\n 750 /sbin/autrace\n 755 /sbin/auditd\n 755 /sbin/rsyslogd\n 755 /sbin/augenrules\n\n If any of the audit tools has a mode more permissive than \"0755\", this is\na finding.", - "fix": "Configure the audit tools to be protected from unauthorized access by\nsetting the correct permissive mode using the following command:\n\n $ sudo chmod 0755 [audit_tool]\n\n Replace \"[audit_tool]\" with the audit tool that does not have the correct\npermissive mode." + "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.", + "check": "Verify the OpenSSL library is configured to use only ciphers employing FIPS\n140-2-approved algorithms:\n\n Verify that system-wide crypto policies are in effect:\n\n $ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf\n\n .include /etc/crypto-policies/back-ends/opensslcnf.config\n\n If the \"opensslcnf.config\" is not defined in the\n\"/etc/pki/tls/openssl.cnf\" file, this is a finding.\n\n Verify which system-wide crypto policy is in use:\n\n $ sudo update-crypto-policies --show\n\n FIPS\n\n If the system-wide crypto policy is set to anything other than \"FIPS\",\nthis is a finding.", + "fix": "Configure the RHEL 8 OpenSSL library to use only ciphers employing FIPS\n140-2-approved algorithms with the following command:\n\n $ sudo fips-mode-setup --enable\n\n A reboot is required for the changes to take effect." }, "impact": 0.5, "refs": [ 
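Review bot: In the new SV-230390 code, `its('disk_error_action.upcase')` calls `upcase` on whatever `auditd_conf` returns for the key; if the option is absent or commented out in `/etc/audit/auditd.conf` (the case the check text explicitly calls a finding), that value is presumably `nil` and the control would raise a NoMethodError and report as an error instead of a failed test. Coercing first, `its('disk_error_action.to_s.upcase') { should be_in disk_error_action }`, turns the missing-key case into a clean failure with a readable message. As with the other embedded controls, the change belongs in `./Red Hat 8 STIG/controls/SV-230390.rb` and this export should be regenerated from it.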
@@ -5172,34 +5145,40 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000256-GPOS-00097", - "gid": "V-230472", - "rid": "SV-230472r627750_rule", - "stig_id": "RHEL-08-030620", - "fix_id": "F-33116r568163_fix", + "gtitle": "SRG-OS-000250-GPOS-00093", + "satisfies": [ + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174", + "SRG-OS-000125-GPOS-00065" + ], + "gid": "V-230254", + "rid": "SV-230254r877394_rule", + "stig_id": "RHEL-08-010293", + "fix_id": "F-32898r567509_fix", "cci": [ - "CCI-001493" + "CCI-001453" ], "nist": [ - "AU-9", - "AU-9 a" + "AC-17 (2)" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230472' do\n title 'RHEL 8 audit tools must have a mode of 0755 or less permissive.'\n desc 'Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.'\n desc 'check', 'Verify the audit tools are protected from unauthorized access, deletion, or\nmodification by checking the permissive mode.\n\n Check the octal permission of each audit tool by running the following\ncommand:\n\n $ sudo stat -c \"%a %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n 755 /sbin/auditctl\n 755 /sbin/aureport\n 755 /sbin/ausearch\n 750 /sbin/autrace\n 755 /sbin/auditd\n 755 /sbin/rsyslogd\n 755 /sbin/augenrules\n\n If any of the audit tools has a mode more permissive than \"0755\", this is\na finding.'\n desc 'fix', 'Configure the audit tools to be protected from unauthorized access by\nsetting the correct permissive mode using the following command:\n\n $ sudo chmod 0755 [audit_tool]\n\n Replace \"[audit_tool]\" with the audit tool that does not have the correct\npermissive mode.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000256-GPOS-00097'\n tag gid: 'V-230472'\n tag rid: 'SV-230472r627750_rule'\n tag stig_id: 'RHEL-08-030620'\n tag fix_id: 'F-33116r568163_fix'\n tag cci: ['CCI-001493']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_tools = ['/sbin/auditctl', '/sbin/aureport', '/sbin/ausearch', '/sbin/autrace', '/sbin/auditd', '/sbin/rsyslogd', '/sbin/augenrules']\n\n failing_tools = audit_tools.select { |at| file(at).more_permissive_than?(input('audit_tool_mode')) }\n\n describe 'Audit executables' do\n it \"should be no more permissive than '#{input('audit_tool_mode')}'\" do\n expect(failing_tools).to be_empty, \"Failing tools:\\n\\t- #{failing_tools.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230254' do\n title 'The RHEL 8 operating system must implement DoD-approved encryption in\nthe OpenSSL 
package.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.'\n desc 'check', 'Verify the OpenSSL library is configured to use only ciphers employing FIPS\n140-2-approved algorithms:\n\n Verify that system-wide crypto policies are in effect:\n\n $ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf\n\n .include /etc/crypto-policies/back-ends/opensslcnf.config\n\n If the \"opensslcnf.config\" is not defined in the\n\"/etc/pki/tls/openssl.cnf\" file, this is a finding.\n\n Verify which system-wide crypto policy is in use:\n\n $ sudo update-crypto-policies --show\n\n FIPS\n\n If the system-wide crypto policy is set to anything other than \"FIPS\",\nthis is a finding.'\n desc 'fix', 'Configure the RHEL 8 OpenSSL library to use only ciphers employing FIPS\n140-2-approved algorithms with the following command:\n\n $ sudo fips-mode-setup --enable\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag 
gid: 'V-230254'\n tag rid: 'SV-230254r877394_rule'\n tag stig_id: 'RHEL-08-010293'\n tag fix_id: 'F-32898r567509_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container-conditional'\n\n only_if(\"Checking the host's FIPS compliance can't be done within the container and should be reveiwed manually.\") {\n !(virtualization.system.eql?('docker') && !file('/etc/pki/tls/openssl.cnf').exist?)\n }\n\n describe 'A line in the OpenSSL config file' do\n subject { command('grep -i opensslcnf.config /etc/pki/tls/openssl.cnf').stdout.strip }\n it { should match(/^\\.include.*opensslcnf.config$/) }\n end\n\n describe 'System-wide crypto policy' do\n subject { command('update-crypto-policies --show').stdout.strip }\n it { should eq input('system_wide_crypto_policy') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230472.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230254.rb", "line": 1 }, - "id": "SV-230472" + "id": "SV-230254" }, { - "title": "Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"unix_chkpwd\" command is a helper program for the pam_unix module that\nverifies the password of the current user. It also checks password and account\nexpiration dates in shadow. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "Successful/unsuccessful uses of the unix_update in RHEL 8 must\ngenerate an audit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\"Unix_update\" is a helper program for the \"pam_unix\" module that updates\nthe password for a given user. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"unix_chkpwd\" command is a helper program for the pam_unix module that\nverifies the password of the current user. It also checks password and account\nexpiration dates in shadow. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"unix_chkpwd\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"unix_chkpwd\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_chkpwd\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\"Unix_update\" is a helper program for the \"pam_unix\" module that updates\nthe password for a given user. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"unix_update\" by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"unix_update\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_update\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ @@ -5219,10 +5198,10 @@ "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-230433", - "rid": "SV-230433r627750_rule", - "stig_id": "RHEL-08-030317", - "fix_id": "F-33077r568046_fix", + "gid": "V-230426", + "rid": "SV-230426r627750_rule", + "stig_id": "RHEL-08-030310", + "fix_id": "F-33070r568025_fix", "cci": [ "CCI-000169" ], 
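Review bot: The `only_if` skip message in the new SV-230254 `code` string misspells "reviewed" (`should be reveiwed manually`); this text is what appears in the report when the control is skipped inside a container, so it should read `should be reviewed manually`. Second, the check text in the same string says any policy other than "FIPS" is a finding, yet the 'System-wide crypto policy' block asserts `should eq input('system_wide_crypto_policy')`, so a profile input override can make a non-FIPS policy pass silently; either assert the literal or document on the input that anything but 'FIPS' is non-compliant. The same block reads `command('update-crypto-policies --show').stdout.strip` without checking `exit_status`, so if the binary is absent the failure surfaces only as an empty-string mismatch. The title and desc of this control sit above the hunk, in the earlier hunk that is not fully visible here.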
@@ -5231,20 +5210,20 @@ ], "host": null }, - "code": "control 'SV-230433' do\n title 'Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"unix_chkpwd\" command is a helper program for the pam_unix module that\nverifies the password of the current user. It also checks password and account\nexpiration dates in shadow. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"unix_chkpwd\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"unix_chkpwd\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_chkpwd\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230433'\n tag rid: 'SV-230433r627750_rule'\n tag stig_id: 'RHEL-08-030317'\n tag fix_id: 'F-33077r568046_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/unix_chkpwd'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230426' do\n title 'Successful/unsuccessful uses of the unix_update in RHEL 8 must\ngenerate an audit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\n\"Unix_update\" is a helper program for the \"pam_unix\" module that updates\nthe password for a given user. It is not intended to be run directly from the\ncommand line and logs a security violation if done so.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"unix_update\" by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"unix_update\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"unix_update\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230426'\n tag rid: 'SV-230426r627750_rule'\n tag stig_id: 'RHEL-08-030310'\n tag fix_id: 'F-33070r568025_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/unix_update'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230433.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230426.rb", "line": 1 }, - "id": "SV-230433" + "id": "SV-230426" }, { - "title": "The RHEL 8 pam_unix.so module must be configured in the system-auth\nfile to use a FIPS 140-2 approved cryptographic hashing algorithm for system\nauthentication.", - "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "title": "RHEL 8 must be configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services, as defined in the Ports,\nProtocols, and Services Management (PPSM) Category Assignments List (CAL) and\nvulnerability assessments.", + "desc": "To prevent unauthorized connection of devices, unauthorized transfer\nof information, or unauthorized tunneling (i.e., embedding of data types within\ndata types), organizations must disable or restrict unused or unnecessary\nphysical and logical ports/protocols on information systems.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services provided by default may not be\nnecessary to support essential organizational operations. 
Additionally, it is\nsometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the\nservices provided by any one component.\n\n To support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing only\nessential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality-of-life issues.", "descriptions": { - "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", - "check": "Verify that pam_unix.so module is configured to use sha512.\n\nCheck that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or is commented out, this is a finding.", - "fix": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/system-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512" + "default": "To prevent unauthorized connection of devices, unauthorized transfer\nof information, or unauthorized tunneling (i.e., embedding of data types within\ndata types), organizations must disable or restrict unused or unnecessary\nphysical and logical ports/protocols on information systems.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services provided by default may not be\nnecessary to support essential organizational operations. 
Additionally, it is\nsometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the\nservices provided by any one component.\n\n To support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing only\nessential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality-of-life issues.", + "check": "Inspect the firewall configuration and running services to verify it is\nconfigured to prohibit or restrict the use of functions, ports, protocols,\nand/or services that are unnecessary or prohibited.\n\n Check which services are currently active with the following command:\n\n $ sudo firewall-cmd --list-all-zones\n\n custom (active)\n target: DROP\n icmp-block-inversion: no\n interfaces: ens33\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n\n Ask the System Administrator for the site or program Ports, Protocols, and\nServices Management Component Local Service Assessment (PPSM CLSA). Verify the\nservices allowed by the firewall match the PPSM CLSA.\n\n If there are additional ports, protocols, or services that are not in the\nPPSM CLSA, or there are ports, protocols, or services that are prohibited by\nthe PPSM Category Assurance List (CAL), this is a finding.", + "fix": "Update the host's firewall settings and/or running services to\ncomply with the PPSM Component Local Service Assessment (CLSA) for the site or\nprogram and the PPSM CAL." }, "impact": 0.5, "refs": [ 
@@ -5254,34 +5233,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000120-GPOS-00061", - "gid": "V-244524", - "rid": "SV-244524r809331_rule", - "stig_id": "RHEL-08-010159", - "fix_id": "F-47756r809330_fix", + "gtitle": "SRG-OS-000096-GPOS-00050", + "gid": "V-230500", + "rid": "SV-230500r627750_rule", + "stig_id": "RHEL-08-040030", + "fix_id": "F-33144r568247_fix", "cci": [ - "CCI-000803" + "CCI-000382" ], "nist": [ - "IA-7" + "CM-7 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-244524' do\n title 'The RHEL 8 pam_unix.so module must be configured in the system-auth\nfile to use a FIPS 140-2 approved cryptographic hashing algorithm for system\nauthentication.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
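Review bot: In the new SV-230426 `code` string, `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')` expects the literal `-1`, while the rule quoted in the check and fix text uses `auid!=unset`; whether these match depends on how the InSpec `auditd` resource renders that field from `auditctl -l`, so confirm on a RHEL 8 host with the documented rule loaded (the expectation is carried over unchanged from the removed SV-230433 code). Also `input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command]` yields `nil` when neither input has an entry for `/usr/sbin/unix_update`, and `include(nil)` then fails with a message that does not name the missing mapping; a guard such as `expected_key = input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command]` followed by `expect(expected_key).not_to be_nil, "no audit_rule_keynames entry for #{audit_command}"` would make that explicit. The `satisfies` array also lists `SRG-OS-000062-GPOS-00031` twice (it is already the `gtitle`), which looks like carry-over from the source STIG. The SV-230500 control whose title and desc begin at the end of this hunk continues past it.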
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify that pam_unix.so module is configured to use sha512.\n\nCheck that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/system-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-244524'\n tag rid: 'SV-244524r809331_rule'\n tag stig_id: 'RHEL-08-010159'\n tag fix_id: 'F-47756r809330_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('password sufficient pam_unix.so sha512') }\n end\nend\n", + "code": "control 'SV-230500' do\n title 'RHEL 8 must be configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services, as defined in the Ports,\nProtocols, and Services Management (PPSM) Category Assignments List (CAL) and\nvulnerability assessments.'\n desc 'To prevent unauthorized connection of devices, unauthorized transfer\nof information, or unauthorized tunneling (i.e., embedding of data types within\ndata types), organizations must disable or restrict unused or unnecessary\nphysical and logical ports/protocols on information systems.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services provided by default may not be\nnecessary to support essential organizational operations. Additionally, it is\nsometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the\nservices provided by any one component.\n\n To support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing only\nessential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality-of-life issues.'\n desc 'check', 'Inspect the firewall configuration and running services to verify it is\nconfigured to prohibit or restrict the use of functions, ports, protocols,\nand/or services that are unnecessary or prohibited.\n\n Check which services are currently active with the following command:\n\n $ sudo firewall-cmd --list-all-zones\n\n custom (active)\n target: DROP\n icmp-block-inversion: no\n interfaces: ens33\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n\n Ask the System Administrator for the site or program Ports, Protocols, and\nServices Management Component Local Service Assessment (PPSM CLSA). 
Verify the\nservices allowed by the firewall match the PPSM CLSA.\n\n If there are additional ports, protocols, or services that are not in the\nPPSM CLSA, or there are ports, protocols, or services that are prohibited by\nthe PPSM Category Assurance List (CAL), this is a finding.'\n desc 'fix', \"Update the host's firewall settings and/or running services to\ncomply with the PPSM Component Local Service Assessment (CLSA) for the site or\nprogram and the PPSM CAL.\"\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000096-GPOS-00050'\n tag gid: 'V-230500'\n tag rid: 'SV-230500r627750_rule'\n tag stig_id: 'RHEL-08-040030'\n tag fix_id: 'F-33144r568247_fix'\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n firewalld_properties = input('firewalld_properties')\n\n describe firewalld do\n it { should be_running }\n end\n describe firewalld do\n its('ports') { should cmp [firewalld_properties['ports']] }\n its('protocols') { should cmp [firewalld_properties['protocols']] }\n its('services') { should cmp [firewalld_properties['services']] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244524.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230500.rb", "line": 1 }, - "id": "SV-244524" + "id": "SV-230500" }, { - "title": "The RHEL 8 fapolicy module must be installed.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. 
Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", + "title": "RHEL 8 must prevent the loading of a new kernel for later execution.", + "desc": "Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nDisabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", - "check": "Verify the RHEL 8 \"fapolicyd\" is installed.\n\nCheck that \"fapolicyd\" is installed with the following command:\n\n$ sudo yum list installed fapolicyd\n\nInstalled Packages\nfapolicyd.x86_64\n\nIf fapolicyd is not installed, this is a finding.", - "fix": "Install \"fapolicyd\" with the following command:\n\n$ sudo yum install fapolicyd.x86_64" + "default": "Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nDisabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify the operating system is configured to disable kernel image loading with the following commands:\n\nCheck the status of the kernel.kexec_load_disabled kernel parameter.\n\n$ sudo sysctl kernel.kexec_load_disabled\n\nkernel.kexec_load_disabled = 1\n\nIf \"kernel.kexec_load_disabled\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1\n\nIf \"kernel.kexec_load_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to disable kernel image loading.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.kexec_load_disabled = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
@@ -5291,38 +5269,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "satisfies": [ - "SRG-OS-000368-GPOS-00154", - "SRG-OS-000370-GPOS-00155", - "SRG-OS-000480-GPOS-00232" - ], - "gid": "V-230523", - "rid": "SV-230523r854064_rule", - "stig_id": "RHEL-08-040135", - "fix_id": "F-33167r744022_fix", + "gtitle": "SRG-OS-000366-GPOS-00153", + "gid": "V-230266", + "rid": "SV-230266r877463_rule", + "stig_id": "RHEL-08-010372", + "fix_id": "F-32910r858747_fix", "cci": [ - "CCI-001764" + "CCI-001749" ], "nist": [ - "CM-7 (2)" + "CM-5 (3)" ], "host": null }, - "code": "control 'SV-230523' do\n title 'The RHEL 8 fapolicy module must be installed.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.'\n desc 'check', 'Verify the RHEL 8 \"fapolicyd\" is installed.\n\nCheck that \"fapolicyd\" is installed with the following command:\n\n$ sudo yum list installed fapolicyd\n\nInstalled Packages\nfapolicyd.x86_64\n\nIf fapolicyd is not installed, this is a finding.'\n desc 'fix', 'Install \"fapolicyd\" with the following command:\n\n$ sudo yum install fapolicyd.x86_64'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000370-GPOS-00155', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-230523'\n tag rid: 'SV-230523r854064_rule'\n tag stig_id: 'RHEL-08-040135'\n tag fix_id: 'F-33167r744022_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if !input('use_fapolicyd')\n impact 0.0\n describe 'The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable' do\n skip 'The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable'\n end\n else\n describe package('fapolicyd') do\n it { should be_installed }\n end\n end\nend\n", + "code": "control 'SV-230266' do\n title 'RHEL 8 must prevent the loading of a new kernel for later execution.'\n desc 'Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nDisabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. 
Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify the operating system is configured to disable kernel image loading with the following commands:\n\nCheck the status of the kernel.kexec_load_disabled kernel parameter.\n\n$ sudo sysctl kernel.kexec_load_disabled\n\nkernel.kexec_load_disabled = 1\n\nIf \"kernel.kexec_load_disabled\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1\n\nIf \"kernel.kexec_load_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to disable kernel image loading.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.kexec_load_disabled = 1\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-230266'\n tag rid: 'SV-230266r877463_rule'\n tag stig_id: 'RHEL-08-010372'\n tag fix_id: 'F-32910r858747_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'kernel.kexec_load_disabled'\n\n describe kernel_parameter(action) do\n its('value') { should eq 1 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? { |line| line.match(/#{action}\\s*=\\s*1$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^1]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230523.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230266.rb", "line": 1 }, - "id": "SV-230523" + "id": "SV-230266" }, { - "title": "RHEL 8 library directories must be owned by root.", - "desc": "If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and 
approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.", + "title": "RHEL 8 must display the date and time of the last successful account\nlogon upon an SSH logon.", + "desc": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", "descriptions": { - "default": "If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.", - "check": "Verify the system-wide shared library directories are owned by \"root\" with\nthe following command:\n\n$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide shared library directory is returned, this is a finding.", - "fix": "Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. 
Run the following command, replacing \"[DIRECTORY]\" with any library directory not owned by \"root\".\n\n $ sudo chown root [DIRECTORY]" + "default": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", + "check": "Verify SSH provides users with feedback on when account accesses last occurred with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*printlastlog'\n\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure SSH to provide users with feedback on when account accesses last\noccurred by setting the required configuration options in \"/etc/pam.d/sshd\"\nor in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\"\nwill be used in the example) (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party\nvendor).\n\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the\nfollowing:\n\n PrintLastLog yes\n\n The SSH service must be restarted for changes to \"sshd_config\" to take\neffect." }, "impact": 0.5, "refs": [ 
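Review bot: Every hunk in this file replaces one complete control record with an unrelated one (SV-230523 → SV-230266 here, SV-251708 → SV-230382 and SV-230327 → SV-230240 in the next two), which reads as the `controls` array being serialized in whatever order the generator walked the profile's control files rather than as a content change; sorting the array by `id` before writing the baseline would keep future diffs reviewable. Within the new SV-230266 `code` string, the `unless incorrect_results.nil?` guard is dead because `Array#select` never returns nil, so the conflicting-settings `it` block can simply be unconditional; if this JSON is generated from the `.rb` named in `source_location`, that is where the change belongs. The control record begins in the preceding hunk and the following record's `descriptions` run past this hunk's end.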
@@ -5331,37 +5304,37 @@ } ], "tags": { - "check_id": "C-55145r810011_chk", "severity": "medium", - "gid": "V-251708", - "rid": "SV-251708r810012_rule", - "stig_id": "RHEL-08-010341", - "gtitle": "SRG-OS-000259-GPOS-00100", - "fix_id": "F-55099r809347_fix", - "documentable": null, + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230382", + "rid": "SV-230382r951614_rule", + "stig_id": "RHEL-08-020350", + "fix_id": "F-33026r567893_fix", "cci": [ - "CCI-001499" + "CCI-000366", + "CCI-000052" ], "nist": [ - "CM-5 (6)" + "CM-6 b", + "AC-9" ], "host": null, - "container": null + "container-conditional": null }, - "code": "control 'SV-251708' do\n title 'RHEL 8 library directories must be owned by root.'\n desc 'If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.'\n desc 'check', %q(Verify the system-wide shared library directories are owned by \"root\" with\nthe following command:\n\n$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide shared library directory is returned, this is a finding.)\n desc 'fix', 'Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. 
Run the following command, replacing \"[DIRECTORY]\" with any library directory not owned by \"root\".\n\n $ sudo chown root [DIRECTORY]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55145r810011_chk'\n tag severity: 'medium'\n tag gid: 'V-251708'\n tag rid: 'SV-251708r810012_rule'\n tag stig_id: 'RHEL-08-010341'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag fix_id: 'F-55099r809347_fix'\n tag 'documentable'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n non_root_owned_libs = input('system_libraries').reject { |lib| file(lib).owned_by?('root') }\n\n describe 'System libraries' do\n it 'should be owned by root' do\n fail_msg = \"Libs not owned by root:\\n\\t- #{non_root_owned_libs.join(\"\\n\\t- \")}\"\n expect(non_root_owned_libs).to be_empty, fail_msg\n end\n end\nend\n", + "code": "control 'SV-230382' do\n title 'RHEL 8 must display the date and time of the last successful account\nlogon upon an SSH logon.'\n desc 'Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.'\n desc 'check', %q(Verify SSH provides users with feedback on when account accesses last occurred with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*printlastlog'\n\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure SSH to provide users with feedback on when account accesses last\noccurred by setting the required configuration options in \"/etc/pam.d/sshd\"\nor in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\"\nwill be used in the example) (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a 
third-party\nvendor).\n\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the\nfollowing:\n\n PrintLastLog yes\n\n The SSH service must be restarted for changes to \"sshd_config\" to take\neffect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230382'\n tag rid: 'SV-230382r951614_rule'\n tag stig_id: 'RHEL-08-020350'\n tag fix_id: 'F-33026r567893_fix'\n tag cci: ['CCI-000366', 'CCI-000052']\n tag nist: ['CM-6 b', 'AC-9']\n tag 'host'\n tag 'container-conditional'\n\n if virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_active_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251708.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230382.rb", "line": 1 }, - "id": "SV-251708" + "id": "SV-230382" }, { - "title": "All RHEL 8 local files and directories must have a valid group owner.", - "desc": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.", + "title": "RHEL 8 must use a Linux Security Module configured to enforce limits\non system services.", + "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", "descriptions": { - "default": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.", - "check": "Verify all local files and directories on RHEL 8 have a valid group with\nthe following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n $ sudo find / -fstype xfs -nogroup\n\n If any files on the system do not have an assigned group, this is a finding.\n\n Note: Command may produce error messages from the /proc and /sys\ndirectories.", - "fix": "Either remove all files and directories from RHEL 8 that do not have a\nvalid group, or assign a valid group to all files and directories on the system\nwith the \"chgrp\" command:\n\n $ sudo chgrp " + "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", + "check": "Verify the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following\ncommand:\n\n $ sudo getenforce\n Enforcing\n\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a\nfinding.", + "fix": "Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUX=enforcing\n\n A reboot is required for the changes to take effect." }, "impact": 0.5, "refs": [ 
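Review bot: The automated check in the new SV-230382 `code` string, `describe sshd_active_config do its('PrintLastLog') { should cmp 'yes' } end`, may pass when the keyword is absent, whereas the `check` text treats a missing `PrintLastLog` as a finding; if `sshd_active_config` reports the effective configuration (the way `sshd -T` does), OpenSSH's default of `yes` satisfies the `cmp` even though nothing is set on disk. If "missing is a finding" is the intended reading, the control should additionally assert that the keyword is explicitly present in the loaded config files, or the divergence should be documented in the control. The new tag key `"container-conditional": null` also introduces a hyphenated name where the other tag keys are single words or `snake_case` (`stig_id`, `fix_id`); confirm downstream consumers of the tags tolerate it. The control record begins in the preceding hunk and the next record continues past this hunk.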
@@ -5371,34 +5344,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230327", - "rid": "SV-230327r627750_rule", - "stig_id": "RHEL-08-010790", - "fix_id": "F-32971r567728_fix", + "gtitle": "SRG-OS-000134-GPOS-00068", + "gid": "V-230240", + "rid": "SV-230240r627750_rule", + "stig_id": "RHEL-08-010170", + "fix_id": "F-32884r567467_fix", "cci": [ - "CCI-000366" + "CCI-001084" ], "nist": [ - "CM-6 b" + "SC-3" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230327' do\n title 'All RHEL 8 local files and directories must have a valid group owner.'\n desc 'Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.'\n desc 'check', 'Verify all local files and directories on RHEL 8 have a valid group with\nthe following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n $ sudo find / -fstype xfs -nogroup\n\n If any files on the system do not have an assigned group, this is a finding.\n\n Note: Command may produce error messages from the /proc and /sys\ndirectories.'\n desc 'fix', 'Either remove all files and directories from RHEL 8 that do not have a\nvalid group, or assign a valid group to all files and directories on the system\nwith the \"chgrp\" command:\n\n $ sudo chgrp '\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230327'\n tag rid: 'SV-230327r627750_rule'\n tag stig_id: 'RHEL-08-010790'\n tag fix_id: 'F-32971r567728_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' 
do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'\n end\n else\n\n failing_files = Set[]\n\n command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'')\n .stdout.strip.split(\"\\n\").each do |fs|\n failing_files += command(\"find / -xdev -xautofs -fstype #{fs} -nogroup\").stdout.strip.split(\"\\n\")\n end\n\n describe 'All files on RHEL 8' do\n it 'should have a group' do\n expect(failing_files).to be_empty, \"Files with no group:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230240' do\n title 'RHEL 8 must use a Linux Security Module configured to enforce limits\non system services.'\n desc 'Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.'\n desc 'check', 'Verify the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following\ncommand:\n\n $ sudo getenforce\n Enforcing\n\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUX=enforcing\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag gid: 'V-230240'\n tag rid: 'SV-230240r627750_rule'\n tag stig_id: 'RHEL-08-010170'\n tag fix_id: 'F-32884r567467_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n describe selinux do\n it { should be_enforcing }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230327.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230240.rb", "line": 1 }, - "id": "SV-230327" + "id": "SV-230240" }, { - "title": "Successful/unsuccessful uses of the gpasswd command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the 
events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"gpasswd\" command is\nused to administer /etc/group and /etc/gshadow. Every group can have\nadministrators, members and a password.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must encrypt the transfer of audit records off-loaded onto a\ndifferent system or media from the system being audited.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"gpasswd\" command is\nused to administer /etc/group and /etc/gshadow. 
Every group can have\nadministrators, members and a password.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"gpasswd\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w gpasswd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-gpasswd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"gpasswd\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-gpasswd\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.", + "check": "Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands:\n\n$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:$DefaultNetstreamDriver gtls\n\nIf the value of the \"$DefaultNetstreamDriver\" option is not set to \"gtls\" or the line is commented out, this is a finding.\n\n$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:$ActionSendStreamDriverMode 1\n\nIf the value of the \"$ActionSendStreamDriverMode\" option is not set to \"1\" or the line is commented out, this is a finding.\n\nIf neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.\n\nIf there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.", + "fix": "Configure the operating system to encrypt off-loaded audit records by\nsetting the following options in \"/etc/rsyslog.conf\" or\n\"/etc/rsyslog.d/[customfile].conf\":\n\n $DefaultNetstreamDriver gtls\n $ActionSendStreamDriverMode 1" }, "impact": 0.5, "refs": [ 
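Review bot: The new SV-230240 `code` string only asserts the running mode (`describe selinux do it { should be_enforcing } end`), while its `fix` text sets `SELINUX=enforcing` in `/etc/selinux/config` and requires a reboot; a host switched to enforcing at runtime but left `permissive` in that file passes this control and regresses on the next boot. Consider also asserting the persisted setting, e.g. `describe parse_config_file('/etc/selinux/config') do`, `its('SELINUX') { should cmp 'enforcing' }`, `end`, so the check covers what the fix actually changes. The `only_if` here uses `do … end` whereas the other controls in this diff use `{ … }`; either works, but one form would be more consistent. The control record starts in the preceding hunk and the following record's `descriptions` continue past this hunk.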
@@ -5408,42 +5380,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000342-GPOS-00133", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000342-GPOS-00133", + "SRG-OS-000479-GPOS-00224" ], - "gid": "V-230444", - "rid": "SV-230444r627750_rule", - "stig_id": "RHEL-08-030370", - "fix_id": "F-33088r568079_fix", + "gid": "V-230481", + "rid": "SV-230481r877390_rule", + "stig_id": "RHEL-08-030710", + "fix_id": "F-33125r568190_fix", "cci": [ - "CCI-000169" + "CCI-001851" ], "nist": [ - "AU-12 a" + "AU-4 (1)" ], "host": null }, - "code": "control 'SV-230444' do\n title 'Successful/unsuccessful uses of the gpasswd command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"gpasswd\" command is\nused to administer /etc/group and /etc/gshadow. Every group can have\nadministrators, members and a password.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"gpasswd\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w gpasswd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-gpasswd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"gpasswd\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-gpasswd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230444'\n tag rid: 'SV-230444r627750_rule'\n tag stig_id: 'RHEL-08-030370'\n tag fix_id: 'F-33088r568079_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/gpasswd'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230481' do\n title 'RHEL 8 must encrypt the transfer of audit records off-loaded onto a\ndifferent system or media from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.'\n desc 'check', %q(Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands:\n\n$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:$DefaultNetstreamDriver gtls\n\nIf the value of the \"$DefaultNetstreamDriver\" option is not set to \"gtls\" or the line is commented out, this is a finding.\n\n$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:$ActionSendStreamDriverMode 1\n\nIf the value of the \"$ActionSendStreamDriverMode\" option is not set to \"1\" or the line is commented out, this is a finding.\n\nIf neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.\n\nIf there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.)\n desc 'fix', 'Configure the operating system to encrypt 
off-loaded audit records by\nsetting the following options in \"/etc/rsyslog.conf\" or\n\"/etc/rsyslog.d/[customfile].conf\":\n\n $DefaultNetstreamDriver gtls\n $ActionSendStreamDriverMode 1'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-230481'\n tag rid: 'SV-230481r877390_rule'\n tag stig_id: 'RHEL-08-030710'\n tag fix_id: 'F-33125r568190_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe 'rsyslog configuration' do\n subject {\n command(\"grep -i '^\\$DefaultNetstreamDriver' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'\").stdout\n }\n it { should match(/\\$DefaultNetstreamDriver\\s+gtls/) }\n end\n\n describe 'rsyslog configuration' do\n subject {\n command(\"grep -i '^\\$ActionSendStreamDriverMode' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'\").stdout\n }\n it { should match(/\\$ActionSendStreamDriverMode\\s+1/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230444.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230481.rb", "line": 1 }, - "id": "SV-230444" + "id": "SV-230481" }, { - "title": "RHEL 8 audit tools must be group-owned by root.", - "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "title": "RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts occur\nduring a 15-minute time period.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", - "check": "Verify the audit tools are group-owned by \"root\" to prevent any\nunauthorized access, deletion, or modification.\n\n Check the owner of each audit tool by running the following commands:\n\n $ sudo stat -c \"%G %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n root /sbin/auditctl\n root /sbin/aureport\n root /sbin/ausearch\n root /sbin/autrace\n root /sbin/auditd\n root /sbin/rsyslogd\n root /sbin/augenrules\n\n If any of the audit tools are not group-owned by \"root\", this is a\nfinding.", - "fix": "Configure the audit tools to be group-owned by \"root\", by running the\nfollowing command:\n\n $ sudo chgrp root [audit_tool]\n\n Replace \"[audit_tool]\" with each audit tool not group-owned by \"root\"." + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount until released by an administrator after three unsuccessful logon\nattempts:\n\n $ sudo grep 'unlock_time =' /etc/security/faillock.conf\n\n unlock_time = 0\n\n If the \"unlock_time\" option is not set to \"0\", is missing or commented\nout, this is a finding.", + "fix": "Configure the operating system to lock an account until released by an\nadministrator when three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n unlock_time = 0" }, "impact": 0.5, "refs": [ 
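Review bot: The two `rsyslog configuration` tests added for SV-230481 pipe grep through `awk -F ':' '{ print $2 }'`, which only yields the directive when grep prefixes a filename, i.e. when `logging_conf_files` expands to more than one path; with a single file `$2` is empty and a compliant host is reported as failing. Adding `-H` (`grep -iH '^\$DefaultNetstreamDriver' ...`) makes the prefix unconditional, or the awk stage can be dropped and the raw stdout matched. The grep is case-insensitive but the matchers `/\$DefaultNetstreamDriver\s+gtls/` and `/\$ActionSendStreamDriverMode\s+1/` are not, so a directive written in another case is found by grep and then rejected; appending `/i` keeps the two stages consistent. Both describe blocks share these two problems. The control object continues past the hunk.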
@@ -5453,76 +5420,100 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000256-GPOS-00097", + "gtitle": "SRG-OS-000021-GPOS-00005", "satisfies": [ - "SRG-OS-000256-GPOS-00097", - "SRG-OS-000257-GPOS-00098", - "SRG-OS-000258-GPOS-00099" + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" ], - "gid": "V-230474", - "rid": "SV-230474r627750_rule", - "stig_id": "RHEL-08-030640", - "fix_id": "F-33118r568169_fix", + "gid": "V-230337", + "rid": "SV-230337r743972_rule", + "stig_id": "RHEL-08-020015", + "fix_id": "F-32981r743971_fix", "cci": [ - "CCI-001493" + "CCI-000044" ], "nist": [ - "AU-9", - "AU-9 a" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230474' do\n title 'RHEL 8 audit tools must be group-owned by root.'\n desc 'Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.'\n desc 'check', 'Verify the audit tools are group-owned by \"root\" to prevent any\nunauthorized access, deletion, or modification.\n\n Check the owner of each audit tool by running the following commands:\n\n $ sudo stat -c \"%G %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n root /sbin/auditctl\n root /sbin/aureport\n root /sbin/ausearch\n root /sbin/autrace\n root /sbin/auditd\n root /sbin/rsyslogd\n root /sbin/augenrules\n\n If any of the audit tools are not group-owned by \"root\", this is a\nfinding.'\n desc 'fix', 'Configure the audit tools to be group-owned by \"root\", by running the\nfollowing command:\n\n $ sudo chgrp root [audit_tool]\n\n Replace \"[audit_tool]\" with each audit tool not group-owned by \"root\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000256-GPOS-00097'\n tag satisfies: ['SRG-OS-000256-GPOS-00097', 'SRG-OS-000257-GPOS-00098', 'SRG-OS-000258-GPOS-00099']\n tag gid: 'V-230474'\n tag rid: 'SV-230474r627750_rule'\n tag stig_id: 'RHEL-08-030640'\n tag fix_id: 'F-33118r568169_fix'\n tag cci: ['CCI-001493']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_tools = ['/sbin/auditctl', '/sbin/aureport', '/sbin/ausearch', '/sbin/autrace', '/sbin/auditd', '/sbin/rsyslogd', '/sbin/augenrules']\n\n failing_tools = audit_tools.reject { |at| file(at).group == 'root' }\n\n describe 'Audit executables' do\n it 'should be group owned by root' do\n expect(failing_tools).to be_empty, \"Failing tools:\\n\\t- #{failing_tools.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230337' do\n title 'RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts 
occur\nduring a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', %q(Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount until released by an administrator after three unsuccessful logon\nattempts:\n\n $ sudo grep 'unlock_time =' /etc/security/faillock.conf\n\n unlock_time = 0\n\n If the \"unlock_time\" option is not set to \"0\", is missing or commented\nout, this is a finding.)\n desc 'fix', 'Configure the operating system to lock an account until released by an\nadministrator when three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n unlock_time = 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230337'\n tag rid: 'SV-230337r743972_rule'\n tag stig_id: 'RHEL-08-020015'\n tag fix_id: 
'F-32981r743971_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('unlock_time') { should cmp >= input('lockout_time') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230474.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230337.rb", "line": 1 }, - "id": "SV-230474" + "id": "SV-230337" }, { - "title": "RHEL 8 must prevent the installation of software, patches, service\npacks, device drivers, or operating system components of local packages without\nverification they have been digitally signed using a certificate that is issued\nby a Certificate Authority (CA) that is recognized and approved by the\norganization.", - "desc": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "title": "The RHEL 8 audit package must be installed.", + "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.", "descriptions": { - "default": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", - "check": "Verify the operating system prevents the installation of patches, service\npacks, device drivers, or operating system components from a repository without\nverification that they have been digitally signed using a certificate that is\nrecognized and approved by the organization.\n\n Check if YUM is configured to perform a signature check on local packages\nwith the following command:\n\n $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf\n\n localpkg_gpgcheck =True\n\n If \"localpkg_gpgcheck\" is not set to either \"1\", \"True\", or \"yes\",\ncommented out, or is missing from \"/etc/dnf/dnf.conf\", this is a finding.", - "fix": "Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"localpkg_gpgcheck\" option to \"True\" in the\n\"/etc/dnf/dnf.conf\" file:\n\n localpkg_gpgcheck=True" + "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.", + "check": "Verify the audit service is configured to produce audit records.\n\nCheck that the audit service is installed with the following command:\n\n$ sudo yum list installed audit\n\nIf the 
\"audit\" package is not installed, this is a finding.", + "fix": "Configure the audit service to produce audit records containing the\ninformation needed to establish when (date and time) an event occurred.\n\n Install the audit service (if the audit service is not already installed)\nwith the following command:\n\n $ sudo yum install audit" }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000366-GPOS-00153", - "gid": "V-230265", - "rid": "SV-230265r877463_rule", - "stig_id": "RHEL-08-010371", - "fix_id": "F-32909r567542_fix", + "severity": "medium", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000038-GPOS-00016", + "SRG-OS-000039-GPOS-00017", + "SRG-OS-000040-GPOS-00018", + "SRG-OS-000041-GPOS-00019", + "SRG-OS-000042-GPOS-00021", + "SRG-OS-000051-GPOS-00024", + "SRG-OS-000054-GPOS-00025", + "SRG-OS-000122-GPOS-00063", + "SRG-OS-000254-GPOS-00095", + "SRG-OS-000255-GPOS-00096", + "SRG-OS-000337-GPOS-00129", + "SRG-OS-000348-GPOS-00136", + "SRG-OS-000349-GPOS-00137", + "SRG-OS-000350-GPOS-00138", + "SRG-OS-000351-GPOS-00139", + "SRG-OS-000352-GPOS-00140", + "SRG-OS-000353-GPOS-00141", + "SRG-OS-000354-GPOS-00142", + "SRG-OS-000358-GPOS-00145", + "SRG-OS-000365-GPOS-00152", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000475-GPOS-00220" + ], + "gid": "V-230411", + "rid": "SV-230411r744000_rule", + "stig_id": "RHEL-08-030180", + "fix_id": "F-33055r646880_fix", "cci": [ - "CCI-001749" + "CCI-000169" ], "nist": [ - "CM-5 (3)" + "AU-12 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230265' do\n title 'RHEL 8 must prevent the installation of software, patches, service\npacks, device drivers, or operating system components of local packages without\nverification they have been digitally signed using a certificate that is issued\nby a Certificate Authority 
(CA) that is recognized and approved by the\norganization.'\n desc 'Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.'\n desc 'check', 'Verify the operating system prevents the installation of patches, service\npacks, device drivers, or operating system components from a repository without\nverification that they have been digitally signed using a certificate that is\nrecognized and approved by the organization.\n\n Check if YUM is configured to perform a signature check on local packages\nwith the following command:\n\n $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf\n\n localpkg_gpgcheck =True\n\n If \"localpkg_gpgcheck\" is not set to either \"1\", \"True\", or \"yes\",\ncommented out, or is missing from \"/etc/dnf/dnf.conf\", this is a finding.'\n desc 'fix', 'Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"localpkg_gpgcheck\" option to \"True\" in the\n\"/etc/dnf/dnf.conf\" file:\n\n localpkg_gpgcheck=True'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 
'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-230265'\n tag rid: 'SV-230265r877463_rule'\n tag stig_id: 'RHEL-08-010371'\n tag fix_id: 'F-32909r567542_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/dnf/dnf.conf') do\n its('main.localpkg_gpgcheck') { should match(/True|1|yes/i) }\n end\nend\n", + "code": "control 'SV-230411' do\n title 'The RHEL 8 audit package must be installed.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.'\n desc 'check', 'Verify the audit service is configured to produce audit records.\n\nCheck that the audit service is installed with the following command:\n\n$ sudo yum list installed audit\n\nIf the \"audit\" package is not installed, this is a finding.'\n desc 'fix', 'Configure the audit service to produce audit records containing the\ninformation needed to establish when (date and time) an event occurred.\n\n Install the audit service (if the audit service is not already installed)\nwith the following command:\n\n $ sudo yum install audit'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000038-GPOS-00016', 
'SRG-OS-000039-GPOS-00017', 'SRG-OS-000040-GPOS-00018', 'SRG-OS-000041-GPOS-00019', 'SRG-OS-000042-GPOS-00021', 'SRG-OS-000051-GPOS-00024', 'SRG-OS-000054-GPOS-00025', 'SRG-OS-000122-GPOS-00063', 'SRG-OS-000254-GPOS-00095', 'SRG-OS-000255-GPOS-00096', 'SRG-OS-000337-GPOS-00129', 'SRG-OS-000348-GPOS-00136', 'SRG-OS-000349-GPOS-00137', 'SRG-OS-000350-GPOS-00138', 'SRG-OS-000351-GPOS-00139', 'SRG-OS-000352-GPOS-00140', 'SRG-OS-000353-GPOS-00141', 'SRG-OS-000354-GPOS-00142', 'SRG-OS-000358-GPOS-00145', 'SRG-OS-000365-GPOS-00152', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000475-GPOS-00220']\n tag gid: 'V-230411'\n tag rid: 'SV-230411r744000_rule'\n tag stig_id: 'RHEL-08-030180'\n tag fix_id: 'F-33055r646880_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe package('audit') do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230265.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230411.rb", "line": 1 }, - "id": "SV-230265" + "id": "SV-230411" }, { - "title": "RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.", - "desc": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", + "title": "The RHEL 8 SSH private host key files must have mode 0640 or less permissive.", + "desc": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", "descriptions": { - "default": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", - "check": "Verify the operating system enforces 24 hours/1 day as the minimum password\nlifetime for new user accounts.\n\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the\nfollowing command:\n\n $ sudo grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is\ncommented out, this is a finding.", - "fix": "Configure the operating system to enforce 24 hours/1 day as the minimum\npassword lifetime.\n\n Add the following line in \"/etc/login.defs\" (or modify the line to have\nthe required value):\n\n PASS_MIN_DAYS 1" + "default": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", + "check": "Verify the SSH private host key files have mode \"0640\" or less permissive with the following command:\n\n $ sudo ls -l /etc/ssh/ssh_host*key\n\n -rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n -rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0640\", this is a finding.", + "fix": "Configure the mode of 
SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n $ sudo chmod 0640 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
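Review bot: The version gate in SV-230337, `(os.release.to_f) >= 8.2`, turns `8.10` into the float 8.1 and marks RHEL 8.10 hosts Not Applicable, silently skipping the lockout check on the newest 8.x releases; compare segment-wise instead, e.g. `Gem::Version.new(os.release) >= Gem::Version.new('8.2')`. The assertion `its('unlock_time') { should cmp >= input('lockout_time') }` also contradicts the control's own check text, which requires `unlock_time = 0` (pam_faillock treats 0 as never auto-unlock, i.e. locked until an administrator releases it): a compliant `0` fails unless `lockout_time` is itself 0, while any large timeout passes. Either pin the value, `its('unlock_time') { should cmp 0 }`, or treat 0 as satisfying, `its('unlock_time') { should satisfy { |v| v.to_i == 0 || v.to_i >= input('lockout_time') } }`. The surrounding controls array continues beyond the hunk.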
@@ -5532,34 +5523,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000075-GPOS-00043", - "gid": "V-230365", - "rid": "SV-230365r858727_rule", - "stig_id": "RHEL-08-020190", - "fix_id": "F-33009r567842_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230287", + "rid": "SV-230287r880714_rule", + "stig_id": "RHEL-08-010490", + "fix_id": "F-32931r880713_fix", "cci": [ - "CCI-000198" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)" + "CM-6 b" ], "host": null, - "container": null + "container-conditional": null }, - "code": "control 'SV-230365' do\n title 'RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.'\n desc \"Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.\"\n desc 'check', 'Verify the operating system enforces 24 hours/1 day as the minimum password\nlifetime for new user accounts.\n\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the\nfollowing command:\n\n $ sudo grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is\ncommented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce 24 hours/1 day as the minimum\npassword lifetime.\n\n Add the following line in \"/etc/login.defs\" (or modify the line to have\nthe required value):\n\n PASS_MIN_DAYS 1'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000075-GPOS-00043'\n tag gid: 'V-230365'\n tag rid: 'SV-230365r858727_rule'\n tag stig_id: 'RHEL-08-020190'\n tag fix_id: 'F-33009r567842_fix'\n tag cci: ['CCI-000198']\n tag nist: 
['IA-5 (1) (d)']\n tag 'host'\n tag 'container'\n\n value = input('pass_min_days')\n setting = input_object('pass_min_days').name.upcase\n\n describe \"/etc/login.defs does not have `#{setting}` configured\" do\n let(:config) { login_defs.read_params[setting] }\n it \"greater than #{value} day\" do\n expect(config).to cmp <= value\n end\n end\nend\n", + "code": "control 'SV-230287' do\n title 'The RHEL 8 SSH private host key files must have mode 0640 or less permissive.'\n desc 'If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.'\n desc 'check', 'Verify the SSH private host key files have mode \"0640\" or less permissive with the following command:\n\n $ sudo ls -l /etc/ssh/ssh_host*key\n\n -rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n -rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0640\", this is a finding.'\n desc 'fix', 'Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n $ sudo chmod 0640 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230287'\n tag rid: 'SV-230287r880714_rule'\n tag stig_id: 'RHEL-08-010490'\n tag fix_id: 'F-32931r880713_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n ssh_host_key_dirs = input('ssh_host_key_dirs').join(' ')\n priv_keys = command(\"find #{ssh_host_key_dirs} -xdev -name '*.pem'\").stdout.split(\"\\n\")\n mode = input('ssh_private_key_mode')\n failing_keys = priv_keys.select { |key| file(key).more_permissive_than?(mode) }\n\n describe 'All SSH private keys on the filesystem' do\n it \"should be less permissive than #{mode}\" do\n expect(failing_keys).to be_empty, \"Failing keyfiles:\\n\\t- #{failing_keys.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230365.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230287.rb", "line": 1 }, - "id": "SV-230365" + "id": "SV-230287" }, { - "title": "RHEL 8 must force a frequent session key renegotiation for SSH\nconnections to the server.", - "desc": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). 
Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.\n\n Session key regeneration limits the chances of a session key becoming\ncompromised.", + "title": "RHEL 8 must not forward IPv6 source-routed packets.", + "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.\n\n Session key regeneration limits the chances of a session key becoming\ncompromised.", - "check": "Verify the SSH server is configured to force frequent session key renegotiation with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*rekeylimit'\n\nRekeyLimit 1G 1h\n\nIf \"RekeyLimit\" does not have a maximum data amount and maximum time defined, is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the system to force a frequent session key renegotiation for SSH\nconnections to the server by add or modifying the following line in the\n\"/etc/ssh/sshd_config\" file:\n\n RekeyLimit 1G 1h\n\n Restart the SSH daemon for the settings to take effect.\n\n $ sudo systemctl restart sshd.service" + "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_source_route\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not forward IPv6 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
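Review bot: The `find` in the new SV-230287 code filters on `-name '*.pem'`, but the check text of the same control lists the host keys as `ssh_host_dsa_key`, `ssh_host_key`, `ssh_host_rsa_key`, which that pattern cannot match; if the `ssh_host_key_dirs` input points at `/etc/ssh` (its default is not visible here), `priv_keys` would be empty and the `describe` would pass vacuously. Consider matching the names the STIG enumerates, e.g. `priv_keys = command("find #{ssh_host_key_dirs} -xdev -name 'ssh_host*key'").stdout.split("\n")`, or adding an expectation that at least one key was found so an empty result is reported instead of passing. The `it` description `should be less permissive than #{mode}` also reads as the opposite of what is asserted (`more_permissive_than?` must be false for every key); `"should be no more permissive than #{mode}"` matches the STIG wording.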
@@ -5569,38 +5560,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000033-GPOS-00014", - "satisfies": [ - "SRG-OS-000033-GPOS-00014", - "SRG-OS-000420-GPOS-00186", - "SRG-OS-000424-GPOS-00188" - ], - "gid": "V-230527", - "rid": "SV-230527r951616_rule", - "stig_id": "RHEL-08-040161", - "fix_id": "F-33171r568328_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230538", + "rid": "SV-230538r858801_rule", + "stig_id": "RHEL-08-040240", + "fix_id": "F-33182r858800_fix", "cci": [ - "CCI-000068" + "CCI-000366" ], "nist": [ - "AC-17 (2)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230527' do\n title 'RHEL 8 must force a frequent session key renegotiation for SSH\nconnections to the server.'\n desc 'Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.\n\n Session key regeneration limits the chances of a session key becoming\ncompromised.'\n desc 'check', %q(Verify the SSH server is configured to force frequent session key renegotiation with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*rekeylimit'\n\nRekeyLimit 1G 1h\n\nIf \"RekeyLimit\" does not have a maximum data amount and maximum time defined, is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the system to force a frequent session key renegotiation for SSH\nconnections to the server by add or modifying the following line in the\n\"/etc/ssh/sshd_config\" file:\n\n RekeyLimit 1G 1h\n\n Restart the SSH daemon for the settings to take effect.\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000420-GPOS-00186', 'SRG-OS-000424-GPOS-00188']\n tag gid: 'V-230527'\n tag rid: 'SV-230527r951616_rule'\n tag stig_id: 'RHEL-08-040161'\n tag fix_id: 'F-33171r568328_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers without SSH enabled', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n describe sshd_active_config do\n its('RekeyLimit') { should cmp '1G 1h' }\n end\nend\n", + "code": "control 'SV-230538' do\n title 'RHEL 8 must not forward IPv6 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security 
measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_source_route\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv6 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" 
directory:\n\nnet.ipv6.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230538'\n tag rid: 'SV-230538r858801_rule'\n tag stig_id: 'RHEL-08-040240'\n tag fix_id: 'F-33182r858800_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_source_route'\n action = 'accepting IPv6 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? 
{ |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230527.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230538.rb", "line": 1 }, - "id": "SV-230527" + "id": "SV-230538" }, { - "title": "The RHEL 8 operating system must implement DoD-approved encryption in\nthe OpenSSL package.", - "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. 
The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.", + "title": "The RHEL 8 audit system must audit local events.", + "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. 
The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.", - "check": "Verify the OpenSSL library is configured to use only ciphers employing FIPS\n140-2-approved algorithms:\n\n Verify that system-wide crypto policies are in effect:\n\n $ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf\n\n .include /etc/crypto-policies/back-ends/opensslcnf.config\n\n If the \"opensslcnf.config\" is not defined in the\n\"/etc/pki/tls/openssl.cnf\" file, this is a finding.\n\n Verify which system-wide crypto policy is in use:\n\n $ sudo update-crypto-policies --show\n\n FIPS\n\n If the system-wide crypto policy is set to anything other than \"FIPS\",\nthis is a finding.", - "fix": "Configure the RHEL 8 OpenSSL library to use only ciphers employing FIPS\n140-2-approved algorithms with the following command:\n\n $ sudo fips-mode-setup --enable\n\n A reboot is required for the changes to take effect." + "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.", + "check": "Verify the RHEL 8 Audit Daemon is configured to include local events, with\nthe following command:\n\n $ sudo grep local_events /etc/audit/auditd.conf\n\n local_events = yes\n\n If the value of the \"local_events\" option is not set to \"yes\", or the\nline is commented out, this is a finding.", + "fix": "Configure RHEL 8 to audit local events on the system.\n\nAdd or update the following line in \"/etc/audit/auditd.conf\" file:\n\nlocal_events = yes" }, "impact": 0.5, "refs": [ 
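Review bot: In the new SV-230538 code the grep call `command("grep -r ^#{parameter} #{sysctl_config_files} {} \\;")` carries a `{} \;` tail that belongs to a `find -exec` idiom; handed to grep they are two extra, non-existent file operands, so grep prints "No such file or directory" on stderr and exits non-zero even when every config file matched. Only stdout is read, so results are not visibly wrong, but the exit status can no longer distinguish a real error from this artefact — drop the tail: `command("grep -r ^#{parameter} #{sysctl_config_files}").stdout.split("\n")`. Inside the `describe kernel_parameter(parameter)` block the `not_to be_nil` expectation runs after `cmp value`, so a parameter that is absent is reported as a value mismatch rather than as missing; swapping the two lines gives the clearer failure. Separately, the `only_if` marks the control Not Applicable when `input('network_router')` is true, while the description says the requirement applies when the system is functioning as a router — the intended polarity is worth confirming.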
@@ -5610,77 +5596,69 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000250-GPOS-00093", - "satisfies": [ - "SRG-OS-000250-GPOS-00093", - "SRG-OS-000393-GPOS-00173", - "SRG-OS-000394-GPOS-00174", - "SRG-OS-000125-GPOS-00065" - ], - "gid": "V-230254", - "rid": "SV-230254r877394_rule", - "stig_id": "RHEL-08-010293", - "fix_id": "F-32898r567509_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230393", + "rid": "SV-230393r627750_rule", + "stig_id": "RHEL-08-030061", + "fix_id": "F-33037r567926_fix", "cci": [ - "CCI-001453" + "CCI-000366" ], "nist": [ - "AC-17 (2)" + "CM-6 b" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230254' do\n title 'The RHEL 8 operating system must implement DoD-approved encryption in\nthe OpenSSL package.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. 
The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.'\n desc 'check', 'Verify the OpenSSL library is configured to use only ciphers employing FIPS\n140-2-approved algorithms:\n\n Verify that system-wide crypto policies are in effect:\n\n $ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf\n\n .include /etc/crypto-policies/back-ends/opensslcnf.config\n\n If the \"opensslcnf.config\" is not defined in the\n\"/etc/pki/tls/openssl.cnf\" file, this is a finding.\n\n Verify which system-wide crypto policy is in use:\n\n $ sudo update-crypto-policies --show\n\n FIPS\n\n If the system-wide crypto policy is set to anything other than \"FIPS\",\nthis is a finding.'\n desc 'fix', 'Configure the RHEL 8 OpenSSL library to use only ciphers employing FIPS\n140-2-approved algorithms with the following command:\n\n $ sudo fips-mode-setup --enable\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-230254'\n tag rid: 'SV-230254r877394_rule'\n tag stig_id: 'RHEL-08-010293'\n tag fix_id: 'F-32898r567509_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container-conditional'\n\n only_if(\"Checking the host's FIPS compliance can't be done within the container and should be reveiwed manually.\") {\n !(virtualization.system.eql?('docker') && !file('/etc/pki/tls/openssl.cnf').exist?)\n }\n\n describe 'A line in the OpenSSL config file' do\n subject { command('grep -i opensslcnf.config /etc/pki/tls/openssl.cnf').stdout.strip }\n it { should match(/^\\.include.*opensslcnf.config$/) }\n end\n\n describe 'System-wide crypto policy' do\n subject { command('update-crypto-policies --show').stdout.strip }\n it { should eq 
input('system_wide_crypto_policy') }\n end\nend\n", + "code": "control 'SV-230393' do\n title 'The RHEL 8 audit system must audit local events.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.'\n desc 'check', 'Verify the RHEL 8 Audit Daemon is configured to include local events, with\nthe following command:\n\n $ sudo grep local_events /etc/audit/auditd.conf\n\n local_events = yes\n\n If the value of the \"local_events\" option is not set to \"yes\", or the\nline is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to audit local events on the system.\n\nAdd or update the following line in \"/etc/audit/auditd.conf\" file:\n\nlocal_events = yes'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230393'\n tag rid: 'SV-230393r627750_rule'\n tag stig_id: 'RHEL-08-030061'\n tag fix_id: 'F-33037r567926_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('local_events') { should eq 'yes' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230254.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230393.rb", "line": 1 }, - "id": "SV-230254" + "id": "SV-230393" }, { - "title": "RHEL 8 must ensure the SSH server uses strong entropy.", - "desc": "The most important characteristic of 
a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The SSH implementation in RHEL8 uses the OPENSSL library, which does not\nuse high-entropy sources by default. By using the SSH_USE_STRONG_RNG\nenvironment variable the OPENSSL random generator is reseeded from /dev/random.\n This setting is not recommended on computers without the hardware random\ngenerator because insufficient entropy causes the connection to be blocked\nuntil enough entropy is available.", + "title": "RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The SSH implementation in RHEL8 uses the OPENSSL library, which does not\nuse high-entropy sources by default. By using the SSH_USE_STRONG_RNG\nenvironment variable the OPENSSL random generator is reseeded from /dev/random.\n This setting is not recommended on computers without the hardware random\ngenerator because insufficient entropy causes the connection to be blocked\nuntil enough entropy is available.", - "check": "Verify the operating system SSH server uses strong entropy with the\nfollowing command:\n\n Note: If the operating system is RHEL versions 8.0 or 8.1, this requirement\nis not applicable.\n\n $ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd\n\n SSH_USE_STRONG_RNG=32\n\n If the \"SSH_USE_STRONG_RNG\" line does not equal \"32\", is commented out\nor missing, this is a finding.", - "fix": "Configure the operating system SSH server to use strong entropy.\n\nAdd or modify the following line in the \"/etc/sysconfig/sshd\" file.\n\nSSH_USE_STRONG_RNG=32\n\nThe SSH service must be restarted for changes to take effect." + "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 will not accept IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_redirects\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0\n\nIf \"net.ipv6.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nRemove 
any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230253", - "rid": "SV-230253r627750_rule", - "stig_id": "RHEL-08-010292", - "fix_id": "F-32897r567506_fix", + "gid": "V-230535", + "rid": "SV-230535r858793_rule", + "stig_id": "RHEL-08-040210", + "fix_id": "F-33179r858792_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230253' do\n title 'RHEL 8 must ensure the SSH server uses strong entropy.'\n desc 'The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The SSH implementation in RHEL8 uses the OPENSSL library, which does not\nuse high-entropy sources by default. 
By using the SSH_USE_STRONG_RNG\nenvironment variable the OPENSSL random generator is reseeded from /dev/random.\n This setting is not recommended on computers without the hardware random\ngenerator because insufficient entropy causes the connection to be blocked\nuntil enough entropy is available.'\n desc 'check', 'Verify the operating system SSH server uses strong entropy with the\nfollowing command:\n\n Note: If the operating system is RHEL versions 8.0 or 8.1, this requirement\nis not applicable.\n\n $ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd\n\n SSH_USE_STRONG_RNG=32\n\n If the \"SSH_USE_STRONG_RNG\" line does not equal \"32\", is commented out\nor missing, this is a finding.'\n desc 'fix', 'Configure the operating system SSH server to use strong entropy.\n\nAdd or modify the following line in the \"/etc/sysconfig/sshd\" file.\n\nSSH_USE_STRONG_RNG=32\n\nThe SSH service must be restarted for changes to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230253'\n tag rid: 'SV-230253r627750_rule'\n tag stig_id: 'RHEL-08-010292'\n tag fix_id: 'F-32897r567506_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)\n }\n\n describe parse_config_file('/etc/sysconfig/sshd') do\n its('SSH_USE_STRONG_RNG') { should cmp 32 }\n end\nend\n", + "code": "control 'SV-230535' do\n title 'RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 will not accept IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_redirects\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0\n\nIf \"net.ipv6.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_redirects = 
0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230535'\n tag rid: 'SV-230535r858793_rule'\n tag stig_id: 'RHEL-08-040210'\n tag fix_id: 'F-33179r858792_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_redirects'\n action = 'accepting IPv6 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? 
{ |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230253.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230535.rb", "line": 1 }, - "id": "SV-230253" + "id": "SV-230535" }, { - "title": "The iprutils package must not be installed unless mission essential on\nRHEL 8.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The iprutils package provides a suite of utilities to manage and configure\nSCSI devices supported by the ipr SCSI storage device driver.", + "title": "RHEL 8 operating systems must require authentication upon booting into\nemergency mode.", + "desc": "If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The iprutils package provides a suite of utilities to manage and configure\nSCSI devices supported by the ipr SCSI storage device driver.", - "check": "Verify the iprutils package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed iprutils\n\n iprutils.x86_64\n2.4.18.1-1.el8 @anaconda\n\n If the iprutils package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", - "fix": "Document the iprutils package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n $ sudo yum remove iprutils" + "default": "If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.", + "check": "Check to see if the system requires authentication for emergency mode with\nthe following command:\n\n $ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency\n\n If the \"ExecStart\" line is configured for anything other than\n\"/usr/lib/systemd/systemd-sulogin-shell emergency\", commented out, or\nmissing, this is a finding.", + "fix": "Configure the system to require authentication upon booting into emergency\nmode by adding the following line to the\n\"/usr/lib/systemd/system/emergency.service\" file.\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" }, "impact": 0.5, "refs": [ 
@@ -5690,70 +5668,79 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230560",
- "rid": "SV-230560r627750_rule",
- "stig_id": "RHEL-08-040380",
- "fix_id": "F-33204r568427_fix",
+ "gtitle": "SRG-OS-000080-GPOS-00048",
+ "gid": "V-244523",
+ "rid": "SV-244523r743818_rule",
+ "stig_id": "RHEL-08-010152",
+ "fix_id": "F-47755r743817_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000213"
 ],
 "nist": [
- "CM-6 b"
+ "AC-3"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-230560' do\n title 'The iprutils package must not be installed unless mission essential on\nRHEL 8.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The iprutils package provides a suite of utilities to manage and configure\nSCSI devices supported by the ipr SCSI storage device driver.'\n desc 'check', 'Verify the iprutils package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed iprutils\n\n iprutils.x86_64\n2.4.18.1-1.el8 @anaconda\n\n If the iprutils package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the iprutils package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n $ sudo yum remove iprutils'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230560'\n tag rid: 'SV-230560r627750_rule'\n tag stig_id: 'RHEL-08-040380'\n tag fix_id: 'F-33204r568427_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('iprutils_required')\n describe package('iprutils') do\n it { should be_installed }\n end\n else\n describe package('iprutils') do\n it { should_not be_installed }\n end\n end\nend\n", + "code": "control 'SV-244523' do\n title 'RHEL 8 operating systems must require authentication upon booting into\nemergency mode.'\n desc 'If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.'\n desc 'check', 'Check to see if the system requires authentication for emergency mode with\nthe following command:\n\n $ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency\n\n If the \"ExecStart\" 
line is configured for anything other than\n\"/usr/lib/systemd/systemd-sulogin-shell emergency\", commented out, or\nmissing, this is a finding.'\n desc 'fix', 'Configure the system to require authentication upon booting into emergency\nmode by adding the following line to the\n\"/usr/lib/systemd/system/emergency.service\" file.\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-244523'\n tag rid: 'SV-244523r743818_rule'\n tag stig_id: 'RHEL-08-010152'\n tag fix_id: 'F-47755r743817_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe service('emergency') do\n its('params.ExecStart') { should include '/usr/lib/systemd/systemd-sulogin-shell emergency' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230560.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244523.rb", "line": 1 }, - "id": "SV-230560" + "id": "SV-244523" }, { - "title": "RHEL 8 operating systems booted with United Extensible Firmware\nInterface (UEFI) must require authentication upon booting into single-user mode\nand maintenance.", - "desc": "If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. 
GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "title": "Successful/unsuccessful modifications to the lastlog file in RHEL 8\nmust generate an audit record.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. 
GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", - "check": "For systems that use BIOS, this is Not Applicable.\n\n Check to see if an encrypted grub superusers password is set. On systems\nthat use UEFI, use the following command:\n\n $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\",\nthis is a finding.", - "fix": "Configure the system to require a grub bootloader password for the grub\nsuperusers account with the grub2-setpassword command, which creates/overwrites\nthe /boot/efi/EFI/redhat/user.cfg file.\n\n Generate an encrypted grub2 password for the grub superusers account with\nthe following command:\n\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w lastlog /etc/audit/audit.rules\n\n -w /var/log/lastlog -p wa -k logins\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"lastlog\" file by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -w /var/log/lastlog -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect." 
},
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [
 {
 "ref": "DPMS Target Red Hat Enterprise Linux 8"
 }
 ],
 "tags": {
- "severity": "high",
- "gtitle": "SRG-OS-000080-GPOS-00048",
- "gid": "V-230234",
- "rid": "SV-230234r743922_rule",
- "stig_id": "RHEL-08-010140",
- "fix_id": "F-32878r743921_fix",
+ "severity": "medium",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
+ "satisfies": [
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215",
+ "SRG-OS-000473-GPOS-00218"
+ ],
+ "gid": "V-230467",
+ "rid": "SV-230467r627750_rule",
+ "stig_id": "RHEL-08-030600",
+ "fix_id": "F-33111r568148_fix",
 "cci": [
- "CCI-000213"
+ "CCI-000169"
 ],
 "nist": [
- "AC-3"
+ "AU-12 a"
 ],
 "host": null
 },
- "code": "control 'SV-230234' do\n title 'RHEL 8 operating systems booted with United Extensible Firmware\nInterface (UEFI) must require authentication upon booting into single-user mode\nand maintenance.'\n desc 'If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.'\n desc 'check', 'For systems that use BIOS, this is Not Applicable.\n\n Check to see if an encrypted grub superusers password is set. 
On systems\nthat use UEFI, use the following command:\n\n $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\",\nthis is a finding.'\n desc 'fix', 'Configure the system to require a grub bootloader password for the grub\nsuperusers account with the grub2-setpassword command, which creates/overwrites\nthe /boot/efi/EFI/redhat/user.cfg file.\n\n Generate an encrypted grub2 password for the grub superusers account with\nthe following command:\n\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-230234'\n tag rid: 'SV-230234r743922_rule'\n tag stig_id: 'RHEL-08-010140'\n tag fix_id: 'F-32878r743921_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('Control not applicable within a container without sudo enabled', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n if file('/sys/firmware/efi').exist?\n input('grub_uefi_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }\n end\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running BIOS, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-230467' do\n title 'Successful/unsuccessful modifications to the lastlog file in RHEL 8\nmust generate an audit record.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which 
audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w lastlog /etc/audit/audit.rules\n\n -w /var/log/lastlog -p wa -k logins\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"lastlog\" file by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -w /var/log/lastlog -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 
'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-230467'\n tag rid: 'SV-230467r627750_rule'\n tag stig_id: 'RHEL-08-030600'\n tag fix_id: 'F-33111r568148_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/var/log/lastlog'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230234.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230467.rb", "line": 1 }, - "id": "SV-230234" + "id": "SV-230467" }, { - "title": "All RHEL 8 local files and directories must have a valid owner.", - "desc": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", + "title": "All RHEL 8 local interactive users must have a home directory assigned\nin the /etc/passwd file.", + "desc": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", "descriptions": { - "default": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", - "check": "Verify all local files and directories on RHEL 8 have a valid owner with\nthe following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n $ sudo find / -fstype xfs -nouser\n\n If any files on the system do not have an assigned owner, this is a 
finding.\n\n Note: Command may produce error messages from the /proc and /sys\ndirectories.", - "fix": "Either remove all files and directories from the system that do not have a\nvalid user, or assign a valid user to all unowned files and directories on RHEL\n8 with the \"chown\" command:\n\n $ sudo chown " + "default": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "check": "Verify local interactive users on RHEL 8 have a home directory assigned\nwith the following command:\n\n $ sudo pwck -r\n\n user 'lp': directory '/var/spool/lpd' does not exist\n user 'news': directory '/var/spool/news' does not exist\n user 'uucp': directory '/var/spool/uucp' does not exist\n user 'www-data': directory '/var/www' does not exist\n\n Ask the System Administrator (SA) if any users found without home\ndirectories are local interactive users. If the SA is unable to provide a\nresponse, check for users with a User Identifier (UID) of 1000 or greater with\nthe following command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n\n If any interactive users do not have a home directory assigned, this is a\nfinding.", + "fix": "Assign home directories to all local interactive users on RHEL\n8 that currently do not have a home directory assigned." }, "impact": 0.5, "refs": [ 
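Review bot: The new `satisfies` array for SV-230467 lists `SRG-OS-000062-GPOS-00031` twice (first and fourth entries), and the embedded control code repeats the duplicate in its `tag satisfies: [...]` line, so tooling that counts or maps satisfied SRGs from this baseline will double-count that requirement; since `source_location` points at `./Red Hat 8 STIG/controls/SV-230467.rb`, the deduplication belongs in that control and the JSON should be regenerated rather than patched by hand. For SV-244523 the new test is `its('params.ExecStart') { should include '/usr/lib/systemd/systemd-sulogin-shell emergency' }`, a substring match, whereas the check text treats any ExecStart other than that exact value as a finding; a stricter assertion would be closer to the STIG, though the form InSpec returns for `params.ExecStart` may make an exact compare impractical, so this is worth confirming on a target. In the SV-230467 test, `input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command]` evaluates to nil when neither input has a `/var/log/lastlog` entry, and `include(nil)` then fails for a reason unrelated to the audit rule; asserting the looked-up key is non-nil with an explicit message first would make an input gap distinguishable from a missing rule. The SV-230320 entry that opens at the end of this hunk continues in the next hunk.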
@@ -5764,33 +5751,32 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230326", - "rid": "SV-230326r627750_rule", - "stig_id": "RHEL-08-010780", - "fix_id": "F-32970r567725_fix", + "gid": "V-230320", + "rid": "SV-230320r627750_rule", + "stig_id": "RHEL-08-010720", + "fix_id": "F-32964r567707_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230326' do\n title 'All RHEL 8 local files and directories must have a valid owner.'\n desc 'Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.'\n desc 'check', 'Verify all local files and directories on RHEL 8 have a valid owner with\nthe following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n $ sudo find / -fstype xfs -nouser\n\n If any files on the system do not have an assigned owner, this is a finding.\n\n Note: Command may produce error messages from the /proc and /sys\ndirectories.'\n desc 'fix', 'Either remove all files and directories from the system that do not have a\nvalid user, or assign a valid user to all unowned files and directories on RHEL\n8 with the \"chown\" command:\n\n $ sudo chown '\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230326'\n tag rid: 'SV-230326r627750_rule'\n tag stig_id: 'RHEL-08-010780'\n tag fix_id: 'F-32970r567725_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. 
You must enable this control for a full accredidation for production.'\n end\n else\n\n failing_files = Set[]\n\n command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'')\n .stdout.strip.split(\"\\n\").each do |fs|\n failing_files += command(\"find / -xdev -xautofs -fstype #{fs} -nouser\").stdout.strip.split(\"\\n\")\n end\n\n describe 'All files on RHEL 8' do\n it 'should have an owner' do\n expect(failing_files).to be_empty, \"Files with no owner:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230320' do\n title 'All RHEL 8 local interactive users must have a home directory assigned\nin the /etc/passwd file.'\n desc 'If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.'\n desc 'check', \"Verify local interactive users on RHEL 8 have a home directory assigned\nwith the following command:\n\n $ sudo pwck -r\n\n user 'lp': directory '/var/spool/lpd' does not exist\n user 'news': directory '/var/spool/news' does not exist\n user 'uucp': directory '/var/spool/uucp' does not exist\n user 'www-data': directory '/var/www' does not exist\n\n Ask the System Administrator (SA) if any users found without home\ndirectories are local interactive users. 
If the SA is unable to provide a\nresponse, check for users with a User Identifier (UID) of 1000 or greater with\nthe following command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd\n\n If any interactive users do not have a home directory assigned, this is a\nfinding.\"\n desc 'fix', 'Assign home directories to all local interactive users on RHEL\n8 that currently do not have a home directory assigned.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230320'\n tag rid: 'SV-230320r627750_rule'\n tag stig_id: 'RHEL-08-010720'\n tag fix_id: 'F-32964r567707_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_users = input('exempt_home_users')\n ignore_shells = input('non_interactive_shells').join('|')\n actvite_users_without_homedir = users.where { !shell.match(ignore_shells) && home.nil? }.entries\n\n # only_if(\"This control is Not Applicable since no 'non-exempt' users were found\", impact: 0.0) { !active_home.empty? 
}\n\n describe 'All non-exempt users' do\n it 'have an assinded home directory that exists' do\n failure_message = \"The following users do not have an assigned home directory: #{actvite_users_without_homedir.join(', ')}\"\n expect(actvite_users_without_homedir).to be_empty, failure_message\n end\n end\n describe 'Note: `exempt_home_users` skipped user' do\n exempt_users.each do |u|\n next if exempt_users.empty?\n\n it u.to_s do\n expect(user(u).username).to be_truthy.or be_nil\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230326.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230320.rb", "line": 1 }, - "id": "SV-230326" + "id": "SV-230320" }, { - "title": "RHEL 8 user account passwords must be configured so that existing\npasswords are restricted to a 60-day maximum lifetime.", - "desc": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.", + "title": "RHEL 8 must define default permissions for all authenticated users in\nsuch a way that the user can only read and modify their own files.", + "desc": "Setting the most restrictive default permissions ensures that when new\naccounts are created, they do not have unnecessary access.", "descriptions": { - "default": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.", - "check": "Check whether the maximum time period for existing passwords is restricted\nto 60 days with the following commands:\n\n $ sudo awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\n $ sudo awk -F: '$5 <= 0 {print $1 \" \" $5}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.", - "fix": "Configure non-compliant accounts to enforce a 60-day maximum password\nlifetime restriction.\n\n $ sudo chage -M 60 [user]" + "default": "Setting the most restrictive default permissions ensures that when new\naccounts are created, they do not have unnecessary access.", + "check": "Verify the operating system defines default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file\nwith the following command:\n\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in\n\"/etc/login.defs\" file, the Severity is raised to a CAT I.\n\n # grep -i umask /etc/login.defs\n\n UMASK 077\n\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\"\nparameter is missing or is commented out, this is a finding.", + "fix": "Configure the operating system to define default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\"\nfile to \"077\":\n\n UMASK 077" }, "impact": 0.5, "refs": [ 
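Review bot: In the new SV-230320 `code` string, the `exempt_home_users` input is never applied to the set that fails the control: `actvite_users_without_homedir = users.where { !shell.match(ignore_shells) && home.nil? }.entries` ignores `exempt_users`, so an exempted user is still reported by the first `describe`, and the second `describe` that names the exemption only iterates it (its `next if exempt_users.empty?` sits inside `exempt_users.each` and can never execute). If the exemption is meant to skip those accounts, as the describe title suggests, the filter should read `active_users_without_homedir = users.where { !shell.match(ignore_shells) && home.nil? && !exempt_users.include?(username) }.entries`, which also fixes the `actvite`/`assinded` spellings that reach the test output. The commented-out `only_if` referencing an undefined `active_home` is dead text and should be dropped. Since this JSON is an export of the profile, the change belongs in the `./Red Hat 8 STIG/controls/SV-230320.rb` named in the hunk's `source_location`.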
@@ -5800,34 +5786,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-230367", - "rid": "SV-230367r627750_rule", - "stig_id": "RHEL-08-020210", - "fix_id": "F-33011r567848_fix", + "gtitle": "SRG-OS-000480-GPOS-00228", + "gid": "V-230383", + "rid": "SV-230383r627750_rule", + "stig_id": "RHEL-08-020351", + "fix_id": "F-33027r567896_fix", "cci": [ - "CCI-000199" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)" + "CM-6 b" ], "host": null, "container": null }, - "code": "control 'SV-230367' do\n title 'RHEL 8 user account passwords must be configured so that existing\npasswords are restricted to a 60-day maximum lifetime.'\n desc 'Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.'\n desc 'check', %q(Check whether the maximum time period for existing passwords is restricted\nto 60 days with the following commands:\n\n $ sudo awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\n $ sudo awk -F: '$5 <= 0 {print $1 \" \" $5}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.)\n desc 'fix', 'Configure non-compliant accounts to enforce a 60-day maximum password\nlifetime restriction.\n\n $ sudo chage -M 60 [user]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-230367'\n tag rid: 'SV-230367r627750_rule'\n tag stig_id: 'RHEL-08-020210'\n tag fix_id: 'F-33011r567848_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag 'host'\n tag 'container'\n\n value = input('pass_max_days')\n\n bad_users = users.where { uid >= 1000 }.where { value > 60 or maxdays.negative? 
}.usernames\n in_scope_users = bad_users - input('exempt_home_users')\n\n describe 'Users are not be able' do\n it \"to retain passwords for more then #{value} day(s)\" do\n failure_message = \"The following users can update their password more then every #{value} day(s): #{in_scope_users.join(', ')}\"\n expect(in_scope_users).to be_empty, failure_message\n end\n end\nend\n", + "code": "control 'SV-230383' do\n title 'RHEL 8 must define default permissions for all authenticated users in\nsuch a way that the user can only read and modify their own files.'\n desc 'Setting the most restrictive default permissions ensures that when new\naccounts are created, they do not have unnecessary access.'\n desc 'check', 'Verify the operating system defines default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file\nwith the following command:\n\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in\n\"/etc/login.defs\" file, the Severity is raised to a CAT I.\n\n # grep -i umask /etc/login.defs\n\n UMASK 077\n\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\"\nparameter is missing or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to define default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\"\nfile to \"077\":\n\n UMASK 077'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00228'\n tag gid: 'V-230383'\n tag rid: 'SV-230383r627750_rule'\n tag stig_id: 'RHEL-08-020351'\n tag fix_id: 'F-33027r567896_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n permissions_for_shells = input('permissions_for_shells')\n\n describe 
login_defs do\n its('UMASK') { should cmp permissions_for_shells['default_umask'] }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230367.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230383.rb", "line": 1 }, - "id": "SV-230367" + "id": "SV-230383" }, { - "title": "RHEL 8 must automatically lock command line user sessions after 15\nminutes of inactivity.", - "desc": "Terminating an idle session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle session will also free up\nresources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. This does not mean the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", + "title": "All RHEL 8 local interactive user home directories must have mode 0750\nor less permissive.", + "desc": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", "descriptions": { - "default": "Terminating an idle session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. 
In addition, quickly terminating an idle session will also free up\nresources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. This does not mean the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", - "check": "Verify the operating system initiates a session lock after 15 minutes of\ninactivity.\n\n Check the value of the system inactivity timeout with the following command:\n\n $ sudo grep -i lock-after-time /etc/tmux.conf\n\n set -g lock-after-time 900\n\n If \"lock-after-time\" is not set to \"900\" or less in the global tmux\nconfiguration file to enforce session lock after inactivity, this is a finding.", - "fix": "Configure the operating system to enforce session lock after a period of 15\nminutes of inactivity by adding the following line to the \"/etc/tmux.conf\"\nglobal configuration file:\n\n set -g lock-after-time 900" + "default": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", + "check": "Verify the assigned home directory of all local interactive users has a\nmode of \"0750\" or less permissive with the following command:\n\n Note: This may miss interactive users that have been assigned a privileged\nUser Identifier (UID). 
Evidence of interactive use may be obtained from a\nnumber of log files containing system logon information.\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}'\n/etc/passwd)\n\n drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\n If home directories referenced in \"/etc/passwd\" do not have a mode of\n\"0750\" or less permissive, this is a finding.", + "fix": "Change the mode of interactive user’s home directories to \"0750\". To\nchange the mode of a local interactive user’s home directory, use the following\ncommand:\n\n Note: The example will be for the user \"smithj\".\n\n $ sudo chmod 0750 /home/smithj" }, "impact": 0.5, "refs": [ 
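Review bot: The new SV-230383 `code` string compares `UMASK` with `permissions_for_shells['default_umask']` taken from an input, while the check text carried in the same control requires the value to be exactly `077`; nothing in the code records that the pass condition is input-driven, so an overridden input silently changes what this control accepts. A one-line comment in the control would make that explicit: `# expected UMASK comes from input 'permissions_for_shells' (default_umask); the STIG check text requires 077`. The `cmp` on a missing or commented-out `UMASK` evaluates against nil and fails, which matches the finding condition in the check text. The fix belongs in `./Red Hat 8 STIG/controls/SV-230383.rb`, the source of this exported JSON.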
@@ -5837,37 +5823,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "satisfies": [ - "SRG-OS-000029-GPOS-00010", - "SRG-OS-000031-GPOS-00012" - ], - "gid": "V-230353", - "rid": "SV-230353r627750_rule", - "stig_id": "RHEL-08-020070", - "fix_id": "F-32997r567806_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230321", + "rid": "SV-230321r627750_rule", + "stig_id": "RHEL-08-010730", + "fix_id": "F-32965r567710_fix", "cci": [ - "CCI-000057" + "CCI-000366" ], "nist": [ - "AC-11 a" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230353' do\n title 'RHEL 8 must automatically lock command line user sessions after 15\nminutes of inactivity.'\n desc 'Terminating an idle session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle session will also free up\nresources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. 
This does not mean the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.'\n desc 'check', 'Verify the operating system initiates a session lock after 15 minutes of\ninactivity.\n\n Check the value of the system inactivity timeout with the following command:\n\n $ sudo grep -i lock-after-time /etc/tmux.conf\n\n set -g lock-after-time 900\n\n If \"lock-after-time\" is not set to \"900\" or less in the global tmux\nconfiguration file to enforce session lock after inactivity, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce session lock after a period of 15\nminutes of inactivity by adding the following line to the \"/etc/tmux.conf\"\nglobal configuration file:\n\n set -g lock-after-time 900'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012']\n tag gid: 'V-230353'\n tag rid: 'SV-230353r627750_rule'\n tag stig_id: 'RHEL-08-020070'\n tag fix_id: 'F-32997r567806_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n timeout = command('grep -i lock-after-time /etc/tmux.conf').stdout.strip.match(/lock-after-time\\s+(?\\d+)/)\n expected_timeout = input('system_activity_timeout')\n\n describe 'tmux settings' do\n it 'should set lock-after-time' do\n expect(timeout).to_not be_nil, 'lock-after-time not set'\n end\n unless timeout.nil?\n it \"should lock the session after #{expected_timeout} seconds\" do\n expect(timeout['timeout'].to_i).to cmp <= expected_timeout\n end\n end\n end\nend\n", + "code": "control 'SV-230321' do\n title 'All RHEL 8 local interactive user home directories must have mode 0750\nor less permissive.'\n desc 'Excessive permissions on local 
interactive user home directories may\nallow unauthorized access to user files by other users.'\n desc 'check', %q(Verify the assigned home directory of all local interactive users has a\nmode of \"0750\" or less permissive with the following command:\n\n Note: This may miss interactive users that have been assigned a privileged\nUser Identifier (UID). Evidence of interactive use may be obtained from a\nnumber of log files containing system logon information.\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}'\n/etc/passwd)\n\n drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\n If home directories referenced in \"/etc/passwd\" do not have a mode of\n\"0750\" or less permissive, this is a finding.)\n desc 'fix', 'Change the mode of interactive user’s home directories to \"0750\". To\nchange the mode of a local interactive user’s home directory, use the following\ncommand:\n\n Note: The example will be for the user \"smithj\".\n\n $ sudo chmod 0750 /home/smithj'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230321'\n tag rid: 'SV-230321r627750_rule'\n tag stig_id: 'RHEL-08-010730'\n tag fix_id: 'F-32965r567710_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_home_users = input('exempt_home_users')\n expected_mode = input('home_dir_mode')\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n iuser_entries = passwd.where { uid.to_i >= uid_min && shell !~ /nologin/ && !exempt_home_users.include?(user) }\n\n if !iuser_entries.users.nil? 
&& !iuser_entries.users.empty?\n failing_homedirs = iuser_entries.homes.select { |home|\n file(home).more_permissive_than?(expected_mode)\n }\n describe 'All non-exempt interactive user account home directories on the system' do\n it \"should not be more permissive than '#{expected_mode}'\" do\n expect(failing_homedirs).to be_empty, \"Failing home directories:\\n\\t- #{failing_homedirs.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'No non-exempt interactive user accounts' do\n it 'were detected on the system' do\n expect(true).to eq(true)\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230353.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230321.rb", "line": 1 }, - "id": "SV-230353" + "id": "SV-230321" }, { - "title": "RHEL 8 audit logs must be owned by root to prevent unauthorized read\naccess.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.", + "desc": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify the audit logs are owned by \"root\". 
First, determine where the\naudit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, determine if the audit log is\nowned by \"root\" using the following command:\n\n $ sudo ls -al /var/log/audit/audit.log\n\n rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log\n\n If the audit log is not owned by \"root\", this is a finding.", - "fix": "Configure the audit log to be protected from unauthorized read access, by\nsetting the correct owner as \"root\" with the following command:\n\n $ sudo chown root [audit_log_file]\n\n Replace \"[audit_log_file]\" to the correct audit log path, by default this\nlocation is \"/var/log/audit/audit.log\"." + "default": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck that IPv6 forwarding is disabled using the following commands:\n\n$ sudo sysctl net.ipv6.conf.all.forwarding\n\nnet.ipv6.conf.all.forwarding = 0\n\nIf the IPv6 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0\n\nIf \"net.ipv6.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.forwarding=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
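Review bot: In the new SV-230321 `code` string, the UID_MIN fallback is dead: `uid_min = login_defs.read_params['UID_MIN'].to_i` is followed by `uid_min = 1000 if uid_min.nil?`, but `nil.to_i` is `0`, so when `/etc/login.defs` has no `UID_MIN` the threshold becomes 0 and every system account from root upward is pulled into `iuser_entries` and checked for a 0750 home. Collapse the two lines into `uid_min = (login_defs.read_params['UID_MIN'] || 1000).to_i` so the documented default actually applies. The `else` branch's `expect(true).to eq(true)` is a tautological pass; a `skip` with the same message would state the no-applicable-users case more honestly. This JSON is an export, so the change belongs in `./Red Hat 8 STIG/controls/SV-230321.rb` as named in the hunk's `source_location`.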
@@ -5877,40 +5859,33 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000057-GPOS-00027",
- "satisfies": [
- "SRG-OS-000057-GPOS-00027",
- "SRG-OS-000058-GPOS-00028",
- "SRG-OS-000059-GPOS-00029",
- "SRG-OS-000206-GPOS-00084"
- ],
- "gid": "V-230397",
- "rid": "SV-230397r627750_rule",
- "stig_id": "RHEL-08-030080",
- "fix_id": "F-33041r567938_fix",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-230540",
+ "rid": "SV-230540r858810_rule",
+ "stig_id": "RHEL-08-040260",
+ "fix_id": "F-33184r858809_fix",
 "cci": [
- "CCI-000162"
+ "CCI-000366"
 ],
 "nist": [
- "AU-9",
- "AU-9 a"
+ "CM-6 b"
 ],
 "host": null
 },
- "code": "control 'SV-230397' do\n title 'RHEL 8 audit logs must be owned by root to prevent unauthorized read\naccess.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify the audit logs are owned by \"root\". 
First, determine where the\naudit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, determine if the audit log is\nowned by \"root\" using the following command:\n\n $ sudo ls -al /var/log/audit/audit.log\n\n rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log\n\n If the audit log is not owned by \"root\", this is a finding.'\n desc 'fix', 'Configure the audit log to be protected from unauthorized read access, by\nsetting the correct owner as \"root\" with the following command:\n\n $ sudo chown root [audit_log_file]\n\n Replace \"[audit_log_file]\" to the correct audit log path, by default this\nlocation is \"/var/log/audit/audit.log\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029', 'SRG-OS-000206-GPOS-00084']\n tag gid: 'V-230397'\n tag rid: 'SV-230397r627750_rule'\n tag stig_id: 'RHEL-08-030080'\n tag fix_id: 'F-33041r567938_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n log_file = auditd_conf('/etc/audit/auditd.conf').log_file\n\n describe file(log_file) do\n its('owner') { should eq 'root' }\n end\nend\n", + "code": "control 'SV-230540' do\n title 'RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck that IPv6 forwarding is disabled using the following commands:\n\n$ sudo sysctl net.ipv6.conf.all.forwarding\n\nnet.ipv6.conf.all.forwarding = 0\n\nIf the IPv6 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0\n\nIf \"net.ipv6.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.forwarding=0\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230540'\n tag rid: 'SV-230540r858810_rule'\n tag stig_id: 'RHEL-08-040260'\n tag fix_id: 'F-33184r858809_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.forwarding'\n action = 'IPv6 packet forwarding'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? 
{ |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230397.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230540.rb", "line": 1 }, - "id": "SV-230397" + "id": "SV-230540" }, { - "title": "A firewall must be able to protect against or limit the effects of\nDenial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting\nmeasures on impacted network interfaces.", - "desc": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of RHEL 8 to mitigate the\nimpact of DoS attacks that have occurred or are ongoing on system availability.\nFor each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exists to limit\nor, in some cases, eliminate the effects of DoS attacks (e.g., limiting\nprocesses or establishing memory partitions). Employing increased capacity and\nbandwidth, combined with service redundancy, may reduce the susceptibility to\nsome DoS attacks.\n\n Since version 0.6.0, \"firewalld\" has incorporated \"nftables\" as its\nbackend support. Utilizing the limit statement in \"nftables\" can help to\nmitigate DoS attacks.", + "title": "RHEL 8 must ensure account lockouts persist.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of RHEL 8 to mitigate the\nimpact of DoS attacks that have occurred or are ongoing on system availability.\nFor each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exists to limit\nor, in some cases, eliminate the effects of DoS attacks (e.g., limiting\nprocesses or establishing memory partitions). Employing increased capacity and\nbandwidth, combined with service redundancy, may reduce the susceptibility to\nsome DoS attacks.\n\n Since version 0.6.0, \"firewalld\" has incorporated \"nftables\" as its\nbackend support. 
Utilizing the limit statement in \"nftables\" can help to\nmitigate DoS attacks.", - "check": "Verify \"nftables\" is configured to allow rate limits on any connection to\nthe system with the following command:\n\n Verify \"firewalld\" has \"nftables\" set as the default backend:\n\n $ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n # FirewallBackend\n FirewallBackend=nftables\n\n If the \"nftables\" is not set as the \"firewallbackend\" default, this is\na finding.", - "fix": "Configure \"nftables\" to be the default \"firewallbackend\" for \"firewalld\" by adding or editing the following line in \"/etc/firewalld/firewalld.conf\":\n\nFirewallBackend=nftables\n\nEstablish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces." + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Check that the faillock directory contents persists after a reboot with the\nfollowing commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory on the \"preauth\" and \"authfail\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory on the \"preauth\" and \"authfail\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.", + "fix": "Configure the operating system maintain the contents of the faillock\ndirectory after a reboot.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n Note: Using the default faillock directory of /var/run/faillock will result\nin the contents being cleared in the event of a 
reboot.\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" }, "impact": 0.5, "refs": [ 
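Review bot: In the new `code` string of SV-230540, `command("grep -r ^#{parameter} #{sysctl_config_files} {} \\;")` carries stray `{} \;` tokens that read like a leftover `find -exec` template; grep treats them as two more file names, which today only adds stderr noise but would contribute a bogus `grep did not return filename` bucket if a file of either name ever existed, so the line should become `command("grep -rH '^#{Regexp.escape(parameter)}' #{sysctl_config_files}")`. The `-H` matters because `file, setting = item.split(':')` assumes a filename prefix on every match; when the configured file list resolves to a single path grep omits the prefix, `setting` is nil and `setting.split('=')` raises instead of reporting a finding, and the quoted `Regexp.escape` stops the dots in the parameter name from matching arbitrary characters. Since this JSON looks like an export of the InSpec profile, the fix belongs in `./Red Hat 8 STIG/controls/SV-230540.rb` rather than in this file. The control object this hunk belongs to starts in the previous hunk.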
@@ -5920,34 +5895,38 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000420-GPOS-00186",
- "gid": "V-230525",
- "rid": "SV-230525r902735_rule",
- "stig_id": "RHEL-08-040150",
- "fix_id": "F-33169r902734_fix",
+ "gtitle": "SRG-OS-000021-GPOS-00005",
+ "satisfies": [
+ "SRG-OS-000021-GPOS-00005",
+ "SRG-OS-000329-GPOS-00128"
+ ],
+ "gid": "V-230338",
+ "rid": "SV-230338r627750_rule",
+ "stig_id": "RHEL-08-020016",
+ "fix_id": "F-32982r567761_fix",
 "cci": [
- "CCI-002385"
+ "CCI-000044"
 ],
 "nist": [
- "SC-5",
- "SC-5 a"
+ "AC-7 a"
 ],
- "host": null
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-230525' do\n title 'A firewall must be able to protect against or limit the effects of\nDenial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting\nmeasures on impacted network interfaces.'\n desc 'DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of RHEL 8 to mitigate the\nimpact of DoS attacks that have occurred or are ongoing on system availability.\nFor each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exists to limit\nor, in some cases, eliminate the effects of DoS attacks (e.g., limiting\nprocesses or establishing memory partitions). Employing increased capacity and\nbandwidth, combined with service redundancy, may reduce the susceptibility to\nsome DoS attacks.\n\n Since version 0.6.0, \"firewalld\" has incorporated \"nftables\" as its\nbackend support. 
Utilizing the limit statement in \"nftables\" can help to\nmitigate DoS attacks.'\n desc 'check', 'Verify \"nftables\" is configured to allow rate limits on any connection to\nthe system with the following command:\n\n Verify \"firewalld\" has \"nftables\" set as the default backend:\n\n $ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n # FirewallBackend\n FirewallBackend=nftables\n\n If the \"nftables\" is not set as the \"firewallbackend\" default, this is\na finding.'\n desc 'fix', 'Configure \"nftables\" to be the default \"firewallbackend\" for \"firewalld\" by adding or editing the following line in \"/etc/firewalld/firewalld.conf\":\n\nFirewallBackend=nftables\n\nEstablish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000420-GPOS-00186'\n tag gid: 'V-230525'\n tag rid: 'SV-230525r902735_rule'\n tag stig_id: 'RHEL-08-040150'\n tag fix_id: 'F-33169r902734_fix'\n tag cci: ['CCI-002385']\n tag nist: ['SC-5', 'SC-5 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/firewalld/firewalld.conf') do\n its('FirewallBackend') { should eq 'nftables' }\n end\nend\n", + "code": "control 'SV-230338' do\n title 'RHEL 8 must ensure account lockouts persist.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the faillock directory contents persists after a reboot with the\nfollowing commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory on the \"preauth\" and \"authfail\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory on the \"preauth\" and \"authfail\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.'\n desc 'fix', 'Configure the operating system maintain the contents of the faillock\ndirectory after 
a reboot.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n Note: Using the default faillock directory of /var/run/faillock will result\nin the contents being cleared in the event of a reboot.\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230338'\n tag rid: 'SV-230338r627750_rule'\n tag stig_id: 'RHEL-08-020016'\n tag fix_id: 'F-32982r567761_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args(\"dir=#{input('log_directory')}\")\n }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args(\"dir=#{input('log_directory')}\")\n }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230525.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230338.rb", "line": 1 }, - "id": "SV-230525" + "id": "SV-230338" }, { - "title": "RHEL 8 must generate audit records for all account 
creations,\nmodifications, disabling, and termination events that affect /etc/passwd.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "RHEL 8 must implement certificate status checking for multifactor authentication.", + "desc": "Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). 
By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/passwd /etc/audit/audit.rules\n\n -w /etc/passwd -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/passwd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. 
Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.", + "check": "Verify the operating system implements certificate status checking for multifactor authentication.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing from the [sssd] section, or is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.", + "fix": "Configure the operating system to implement certificate status checking for multifactor authentication.\n\nReview the \"/etc/sssd/sssd.conf\" file to determine if the system is configured to prevent OCSP or certificate verification.\n\nAdd the following line to the [sssd] section of the \"/etc/sssd/sssd.conf\" file:\n\ncertificate_verification = ocsp_dgst=sha1\n\nThe \"sssd\" service must be restarted for the changes to take effect. To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service" }, "impact": 0.5, "refs": [ 
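Review bot: The applicability gate in the new `code` string of SV-230338, `(os.release.to_f) < 8.2`, misclassifies RHEL 8.10: `'8.10'.to_f` is 8.1, so a release the check text declares not applicable (8.2 or newer) would still be tested. Compare versions rather than floats, `Gem::Version.new(os.release) < Gem::Version.new('8.2')`, which orders 8.10 after 8.2. The `all_with_args("dir=#{input('log_directory')}")` assertions also only confirm that `dir=` equals the profile input; the check text requires a non-default documented directory, so if that input's default is the stock `/var/run/faillock` path (not visible here) a non-persistent configuration would pass, which is worth a comment on the input or an explicit assertion that the value differs from the default. Since this JSON looks like an export of the InSpec profile, the change belongs in `./Red Hat 8 STIG/controls/SV-230338.rb`; the control object this hunk belongs to starts in the previous hunk.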
@@ -5957,126 +5936,109 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000375-GPOS-00160", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000466-GPOS-00210", - "SRG-OS-000476-GPOS-00221" + "SRG-OS-000375-GPOS-00160", + "SRG-OS-000377-GPOS-00162" ], - "gid": "V-230406", - "rid": "SV-230406r627750_rule", - "stig_id": "RHEL-08-030150", - "fix_id": "F-33050r567965_fix", + "gid": "V-230274", + "rid": "SV-230274r858741_rule", + "stig_id": "RHEL-08-010400", + "fix_id": "F-32918r809280_fix", "cci": [ - "CCI-000169" + "CCI-001948" ], "nist": [ - "AU-12 a" + "IA-2 (11)" ], "host": null }, - "code": "control 'SV-230406' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/passwd /etc/audit/audit.rules\n\n -w /etc/passwd -p wa -k identity\n\n If the command does not return a 
line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/passwd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230406'\n tag rid: 'SV-230406r627750_rule'\n tag stig_id: 'RHEL-08-030150'\n tag fix_id: 'F-33050r567965_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/passwd'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230274' do\n title 'RHEL 8 must implement certificate status checking for multifactor authentication.'\n desc 'Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information 
system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.'\n desc 'check', 'Verify the operating system implements certificate status checking for multifactor authentication.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing from the [sssd] section, or is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. 
If there is no evidence of certificate status checking being used, this is a finding.'\n desc 'fix', 'Configure the operating system to implement certificate status checking for multifactor authentication.\n\nReview the \"/etc/sssd/sssd.conf\" file to determine if the system is configured to prevent OCSP or certificate verification.\n\nAdd the following line to the [sssd] section of the \"/etc/sssd/sssd.conf\" file:\n\ncertificate_verification = ocsp_dgst=sha1\n\nThe \"sssd\" service must be restarted for the changes to take effect. To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000377-GPOS-00162']\n tag gid: 'V-230274'\n tag rid: 'SV-230274r858741_rule'\n tag stig_id: 'RHEL-08-010400'\n tag fix_id: 'F-32918r809280_fix'\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n tag 'host'\n\n only_if('This requirement is Not Applicable inside the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternate_mfa_method').nil?\n describe 'Manual Review' do\n skip \"Alternate MFA method selected:\\t\\nConsult with ISSO to determine that alternate MFA method is approved; manually review system to ensure alternate MFA method is functioning\"\n end\n else\n sssd_conf_files = input('sssd_conf_files')\n sssd_conf_contents = ini({ command: \"cat #{input('sssd_conf_files').join(' ')}\" })\n sssd_certificate_verification = input('sssd_certificate_verification')\n\n describe 'SSSD' do\n it 'should be installed and enabled' do\n expect(service('sssd')).to be_installed.and be_enabled\n expect(sssd_conf_contents.params).to_not be_empty, \"SSSD configuration files not found or have no content; files checked:\\n\\t- #{sssd_conf_files.join(\"\\n\\t- \")}\"\n end\n if sssd_conf_contents.params.nil?\n it \"should configure 
certificate_verification to be '#{sssd_certificate_verification}'\" do\n expect(sssd_conf_contents.sssd.certificate_verification).to eq(sssd_certificate_verification)\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230406.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230274.rb", "line": 1 }, - "id": "SV-230406" + "id": "SV-230274" }, { - "title": "RHEL 8 account identifiers (individuals, groups, roles, and devices)\n must be disabled after 35 days of inactivity.", - "desc": "Inactive identifiers pose a risk to systems and applications because\n attackers may exploit an inactive identifier and potentially obtain undetected\n access to the system. Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n\n RHEL 8 needs to track periods of inactivity and disable application\n identifiers after 35 days of inactivity.", + "title": "The RHEL 8 file integrity tool must be configured to verify Access\nControl Lists (ACLs).", + "desc": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).", "descriptions": { - "default": "Inactive identifiers pose a risk to systems and applications because\n attackers may exploit an inactive identifier and potentially obtain undetected\n access to the system. 
Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n\n RHEL 8 needs to track periods of inactivity and disable application\n identifiers after 35 days of inactivity.", - "check": "Verify the account identifiers (individuals, groups, roles, and devices)\n are disabled after 35 days of inactivity with the following command:\n\n Check the account inactivity value by performing the following command:\n\n $ sudo grep -i inactive /etc/default/useradd\n\n INACTIVE=35\n\n If \"INACTIVE\" is set to \"-1\", a value greater than \"35\", or is\n commented out, this is a finding.", - "fix": "Configure RHEL 8 to disable account identifiers after 35 days of inactivity\n after the password expiration.\n\n Run the following command to change the configuration for useradd:\n\n $ sudo useradd -D -f 35\n\n DoD recommendation is 35 days, but a lower value is acceptable. The value \"-1\" will\n disable this feature, and \"0\" will disable the account immediately after the\n password expires." + "default": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).", + "check": "Verify the file integrity tool is configured to verify ACLs.\n\nNote: AIDE is highly configurable at install time. 
This requirement assumes the \"aide.conf\" file is under the \"/etc\" directory.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nUse the following command to determine if the file is in a location other than \"/etc/aide/aide.conf\":\n\n $ sudo find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists with the following command:\n\n $ sudo grep -E \"[+]?acl\" /etc/aide.conf\n\n VarFile = OwnerMode+n+l+X+acl\n\nIf the \"acl\" rule is not being used on all selection lines in the \"/etc/aide.conf\" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.", + "fix": "Configure the file integrity tool to check file and directory ACLs.\n\n If AIDE is installed, ensure the \"acl\" rule is present on all file and\ndirectory selection lists." }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000118-GPOS-00060", - "gid": "V-230373", - "rid": "SV-230373r627750_rule", - "stig_id": "RHEL-08-020260", - "fix_id": "F-33017r567866_fix", + "severity": "low", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230552", + "rid": "SV-230552r880724_rule", + "stig_id": "RHEL-08-040310", + "fix_id": "F-33196r568403_fix", "cci": [ - "CCI-000795" + "CCI-000366" ], "nist": [ - "IA-4 e" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230373' do\n title 'RHEL 8 account identifiers (individuals, groups, roles, and devices)\n must be disabled after 35 days of inactivity.'\n desc 'Inactive identifiers pose a risk to systems and applications because\n attackers may exploit an inactive identifier and potentially obtain undetected\n access to the system. 
Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n\n RHEL 8 needs to track periods of inactivity and disable application\n identifiers after 35 days of inactivity.'\n desc 'check', 'Verify the account identifiers (individuals, groups, roles, and devices)\n are disabled after 35 days of inactivity with the following command:\n\n Check the account inactivity value by performing the following command:\n\n $ sudo grep -i inactive /etc/default/useradd\n\n INACTIVE=35\n\n If \"INACTIVE\" is set to \"-1\", a value greater than \"35\", or is\n commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable account identifiers after 35 days of inactivity\n after the password expiration.\n\n Run the following command to change the configuration for useradd:\n\n $ sudo useradd -D -f 35\n\n DoD recommendation is 35 days, but a lower value is acceptable. The value \"-1\" will\n disable this feature, and \"0\" will disable the account immediately after the\n password expires.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000118-GPOS-00060'\n tag gid: 'V-230373'\n tag rid: 'SV-230373r627750_rule'\n tag stig_id: 'RHEL-08-020260'\n tag fix_id: 'F-33017r567866_fix'\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n tag 'host'\n tag 'container'\n\n days_of_inactivity = input('days_of_inactivity')\n\n describe 'Useradd configuration' do\n useradd_config = parse_config_file('/etc/default/useradd')\n\n context 'when INACTIVE is set' do\n it 'should exist' do\n expect(useradd_config.params).to include('INACTIVE')\n end\n\n it 'should not be nil' do\n expect(useradd_config.params['INACTIVE']).not_to be_nil\n end\n\n it 'should have INACTIVE greater than or equal to 0' do\n expect(useradd_config.params['INACTIVE'].to_i).to be >= 0\n end\n\n it 'should have INACTIVE less than or equal to days_of_inactivity' do\n 
expect(useradd_config.params['INACTIVE'].to_i).to be <= days_of_inactivity\n end\n\n it 'should not have INACTIVE equal to -1' do\n expect(useradd_config.params['INACTIVE']).not_to eq '-1'\n end\n end\n end\nend\n", + "code": "control 'SV-230552' do\n title 'The RHEL 8 file integrity tool must be configured to verify Access\nControl Lists (ACLs).'\n desc 'ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).'\n desc 'check', 'Verify the file integrity tool is configured to verify ACLs.\n\nNote: AIDE is highly configurable at install time. This requirement assumes the \"aide.conf\" file is under the \"/etc\" directory.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nUse the following command to determine if the file is in a location other than \"/etc/aide/aide.conf\":\n\n $ sudo find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists with the following command:\n\n $ sudo grep -E \"[+]?acl\" /etc/aide.conf\n\n VarFile = OwnerMode+n+l+X+acl\n\nIf the \"acl\" rule is not being used on all selection lines in the \"/etc/aide.conf\" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to check file and directory ACLs.\n\n If AIDE is installed, ensure the \"acl\" rule is present on all file and\ndirectory selection lists.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230552'\n tag rid: 'SV-230552r880724_rule'\n tag stig_id: 'RHEL-08-040310'\n tag fix_id: 'F-33196r568403_fix'\n tag cci: ['CCI-000366']\n tag nist: 
['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe package('aide') do\n it { should be_installed }\n end\n\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n findings.append(selection.selection_line) unless selection.rules.include? 'acl'\n end\n\n describe \"List of monitored files/directories without 'acl' rule\" do\n subject { findings }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230373.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230552.rb", "line": 1 }, - "id": "SV-230373" + "id": "SV-230552" }, { - "title": "RHEL 8 must require the maximum number of repeating characters be\nlimited to three when passwords are changed.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"maxrepeat\" option sets the maximum number of allowed same\nconsecutive characters in a new password.", + "title": "RHEL 8 must disable the chrony daemon from acting as a server.", + "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"maxrepeat\" option sets the maximum number of allowed same\nconsecutive characters in a new password.", - "check": "Check for the value of the \"maxrepeat\" option with the following command:\n\n$ sudo grep -r maxrepeat /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:maxrepeat = 3\n\nIf the value of \"maxrepeat\" is set to more than \"3\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the \"maxrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nmaxrepeat = 3\n\nRemove any configurations that conflict with the above value." + "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. 
Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.", + "check": "Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.\n\nVerify RHEL 8 disables the chrony daemon from acting as a server with the following command:\n\n $ sudo grep -w 'port' /etc/chrony.conf\n port 0\n\nIf the \"port\" option is not set to \"0\", is commented out or missing, this is a finding.", + "fix": "Configure the operating system to disable the chrony daemon from acting as a server by adding or modifying the following line in the \"/etc/chrony.conf\" file:\n\n port 0" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000072-GPOS-00040", - "gid": "V-230361", - "rid": "SV-230361r858779_rule", - "stig_id": "RHEL-08-020150", - "fix_id": "F-33005r858778_fix", + "severity": "low", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230485", + "rid": "SV-230485r928590_rule", + "stig_id": "RHEL-08-030741", + "fix_id": "F-33129r928589_fix", "cci": [ - "CCI-000195" + "CCI-000381" ], "nist": [ - "IA-5 (1) (b)" + "CM-7 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230361' do\n title 'RHEL 8 must require the maximum number of repeating characters be\nlimited to three when passwords are changed.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"maxrepeat\" option sets the maximum number of allowed same\nconsecutive characters in a new password.'\n desc 'check', 'Check for the value of the \"maxrepeat\" option with the following command:\n\n$ sudo grep -r maxrepeat /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:maxrepeat = 3\n\nIf the value of \"maxrepeat\" is set to more than \"3\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the \"maxrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nmaxrepeat = 3\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-230361'\n tag rid: 'SV-230361r858779_rule'\n tag stig_id: 'RHEL-08-020150'\n tag fix_id: 'F-33005r858778_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host'\n tag 'container'\n\n value = input('maxrepeat')\n setting = 'maxrepeat'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to more than #{value}\" do\n expect(setting_value.first.to_i).to be <= value.to_i, \"#{setting} is set to a value greater than #{value} in pwquality.conf\"\n end\n end\nend\n", + "code": "control 'SV-230485' do\n title 'RHEL 8 must disable the chrony daemon from acting as a server.'\n desc 'Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. 
Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.'\n desc 'check', %q(Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.\n\nVerify RHEL 8 disables the chrony daemon from acting as a server with the following command:\n\n $ sudo grep -w 'port' /etc/chrony.conf\n port 0\n\nIf the \"port\" option is not set to \"0\", is commented out or missing, this is a finding.)\n desc 'fix', 'Configure the operating system to disable the chrony daemon from acting as a server by adding or modifying the following line in the \"/etc/chrony.conf\" file:\n\n port 0'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230485'\n tag rid: 'SV-230485r928590_rule'\n tag stig_id: 'RHEL-08-030741'\n tag fix_id: 'F-33129r928589_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/chrony.conf').exist?)\n }\n\n chrony_conf = ntp_conf('/etc/chrony.conf')\n\n describe chrony_conf do\n its('port') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230361.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230485.rb", "line": 1 }, - "id": "SV-230361" + "id": "SV-230485" }, { - "title": "RHEL 8 must terminate idle user sessions.", - "desc": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.", + "title": "RHEL 8 audit logs must be group-owned by root to prevent unauthorized\nread access.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its 
confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", "descriptions": { - "default": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.", - "check": "Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command:\n\n $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf\n\n StopIdleSessionSec=900\n\nIf \"StopIdleSessionSec\" is not configured to \"900\" seconds, this is a finding.", - "fix": "Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line:\n\n StopIdleSessionSec=900\n\nThe \"logind\" service must be restarted for the changes to take effect. To restart the \"logind\" service, run the following command:\n\n $ sudo systemctl restart systemd-logind\n\nNote: To preserve running user programs such as tmux, uncomment and/or edit \"KillUserProccesses=no\" in \"/etc/systemd/logind.conf\"." + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", + "check": "Verify the audit logs are group-owned by \"root\". 
First determine where\nthe audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, determine if the audit log is\ngroup-owned by \"root\" using the following command:\n\n $ sudo ls -al /var/log/audit/audit.log\n\n rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log\n\n If the audit log is not group-owned by \"root\", this is a finding.", + "fix": "Configure the audit log to be owned by root by configuring the log group in\nthe /etc/audit/auditd.conf file:\n\n log_group = root" }, "impact": 0.5, "refs": [ 
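Review bot: Both branch conditions in the new SV-230274 `code` string are inverted, so the control never executes the check the STIG text describes: `if input('alternate_mfa_method').nil?` sends the no-alternate-method case to the manual-review skip (whose message says an alternate method was selected) and only inspects SSSD when an alternate method is declared, and the inner `if sssd_conf_contents.params.nil?` runs the `certificate_verification` expectation only when the configuration was not parsed at all. Swap the outer branches — `unless input('alternate_mfa_method').nil?` for the manual-review path is the clearest form — and change the inner guard to `unless sssd_conf_contents.params.nil?` (or drop it, since the preceding `to_not be_empty` expectation already covers a missing configuration). This JSON is an export whose `source_location` points at `./Red Hat 8 STIG/controls/SV-230274.rb`, so the fix belongs in that control with the baseline regenerated, and any other baseline exported from the same control presumably carries the same inversion. Note also that the STIG check text quotes `ocsp_dgst=sha1` while the description states sssd defaults to sha256; the control reads the expected value from the `sssd_certificate_verification` input, so a site can require the stronger digest there, and that choice is worth a comment in the control.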
@@ -6085,115 +6047,121 @@ } ], "tags": { - "check_id": "C-60942r917889_chk", "severity": "medium", - "gid": "V-257258", - "rid": "SV-257258r942953_rule", - "stig_id": "RHEL-08-020035", - "gtitle": "SRG-OS-000163-GPOS-00072", - "fix_id": "F-60884r942952_fix", - "documentable": null, + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-230398", + "rid": "SV-230398r627750_rule", + "stig_id": "RHEL-08-030090", + "fix_id": "F-33042r567941_fix", "cci": [ - "CCI-001133" + "CCI-000162" ], "nist": [ - "SC-10" + "AU-9", + "AU-9 a" ], - "container": null, "host": null }, - "code": "control 'SV-257258' do\n title 'RHEL 8 must terminate idle user sessions.'\n desc 'Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.'\n desc 'check', 'Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command:\n\n $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf\n\n StopIdleSessionSec=900\n\nIf \"StopIdleSessionSec\" is not configured to \"900\" seconds, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line:\n\n StopIdleSessionSec=900\n\nThe \"logind\" service must be restarted for the changes to take effect. 
To restart the \"logind\" service, run the following command:\n\n $ sudo systemctl restart systemd-logind\n\nNote: To preserve running user programs such as tmux, uncomment and/or edit \"KillUserProccesses=no\" in \"/etc/systemd/logind.conf\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-60942r917889_chk'\n tag severity: 'medium'\n tag gid: 'V-257258'\n tag rid: 'SV-257258r942953_rule'\n tag stig_id: 'RHEL-08-020035'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag fix_id: 'F-60884r942952_fix'\n tag 'documentable'\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'container'\n tag 'host'\n\n stop_idle_session_sec = input('stop_idle_session_sec')\n\n describe parse_config_file('/etc/systemd/logind.conf') do\n its('Login') { should include('StopIdleSessionSec' => stop_idle_session_sec.to_s) }\n end\nend\n", + "code": "control 'SV-230398' do\n title 'RHEL 8 audit logs must be group-owned by root to prevent unauthorized\nread access.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.'\n desc 'check', 'Verify the audit logs are group-owned by \"root\". 
First determine where\nthe audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, determine if the audit log is\ngroup-owned by \"root\" using the following command:\n\n $ sudo ls -al /var/log/audit/audit.log\n\n rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log\n\n If the audit log is not group-owned by \"root\", this is a finding.'\n desc 'fix', 'Configure the audit log to be owned by root by configuring the log group in\nthe /etc/audit/auditd.conf file:\n\n log_group = root'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230398'\n tag rid: 'SV-230398r627750_rule'\n tag stig_id: 'RHEL-08-030090'\n tag fix_id: 'F-33042r567941_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe file(auditd_conf('/etc/audit/auditd.conf').log_file) do\n its('group') { should be_in input('var_log_audit_group') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-257258.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230398.rb", "line": 1 }, - "id": "SV-257258" + "id": "SV-230398" }, { - "title": "RHEL 8 must not have the rsh-server package installed.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", + "title": "Successful/unsuccessful uses of the pam_timestamp_check command in\nRHEL 8 must generate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"pam_timestamp_check\"\ncommand is used to check if the default timestamp is valid.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", - "check": "Check to see if the rsh-server package is installed with the following\ncommand:\n\n $ sudo yum list installed rsh-server\n\n If the rsh-server package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by\nremoving the rsh-server package from the system with the following command:\n\n $ sudo yum remove rsh-server" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"pam_timestamp_check\"\ncommand is used to check if the default timestamp is valid.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"pam_timestamp_check\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-pam_timestamp_check\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"pam_timestamp_check\" command by adding\nor updating the following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-pam_timestamp_check\n\n The audit daemon must be restarted for the changes to take effect." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000095-GPOS-00049", + "severity": "medium", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000095-GPOS-00049", - "SRG-OS-000074-GPOS-00042" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-230492", - "rid": "SV-230492r627750_rule", - "stig_id": "RHEL-08-040010", - "fix_id": "F-33136r568223_fix", + "gid": "V-230436", + "rid": "SV-230436r627750_rule", + "stig_id": "RHEL-08-030340", + "fix_id": "F-33080r568055_fix", "cci": [ - "CCI-000381" + "CCI-000169" ], "nist": [ - "CM-7 a" + "AU-12 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230492' do\n title 'RHEL 8 must not have the rsh-server package installed.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.'\n desc 'check', 'Check to see if the rsh-server package is installed with the following\ncommand:\n\n $ sudo yum list installed rsh-server\n\n If the rsh-server package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by\nremoving the rsh-server package from the system with the following command:\n\n $ sudo yum remove rsh-server'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag satisfies: ['SRG-OS-000095-GPOS-00049', 'SRG-OS-000074-GPOS-00042']\n tag gid: 'V-230492'\n tag rid: 'SV-230492r627750_rule'\n tag stig_id: 'RHEL-08-040010'\n tag fix_id: 'F-33136r568223_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-230436' do\n title 'Successful/unsuccessful uses of the pam_timestamp_check command in\nRHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). 
The \"pam_timestamp_check\"\ncommand is used to check if the default timestamp is valid.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"pam_timestamp_check\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-pam_timestamp_check\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"pam_timestamp_check\" command by adding\nor updating the following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-pam_timestamp_check\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230436'\n tag rid: 'SV-230436r627750_rule'\n tag stig_id: 'RHEL-08-030340'\n tag fix_id: 'F-33080r568055_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/pam_timestamp_check'\n\n only_if('This control is Not 
Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230492.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230436.rb", "line": 1 }, - "id": "SV-230492" + "id": "SV-230436" }, { - "title": "RHEL 8 must not have unnecessary accounts.", - "desc": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", + "title": "RHEL 8 must enable mitigations against processor-based\nvulnerabilities.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n Kernel page-table isolation is a kernel feature that mitigates the Meltdown\nsecurity vulnerability and hardens the kernel against attempts to bypass kernel\naddress space layout randomization (KASLR).", "descriptions": { - "default": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", - "check": "Verify all accounts on the system are assigned to an active system,\napplication, or user account.\n\n Obtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\n Check the system accounts on the system with the following command:\n\n $ sudo more /etc/passwd\n\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as\nthey do not support authorized system functions.\n\n If the accounts on the system do not match the provided documentation, or\naccounts 
that do not support an authorized system function are present, this is\na finding.", - "fix": "Configure the system so all accounts on the system are assigned to an\nactive system, application, or user account.\n\n Remove accounts that do not support approved system activities or that\nallow for a normal user to perform administrative-level actions.\n\n Document all authorized accounts on the system." + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n Kernel page-table isolation is a kernel feature that mitigates the Meltdown\nsecurity vulnerability and hardens the kernel against attempts to bypass kernel\naddress space layout randomization (KASLR).", + "check": "Verify RHEL 8 enables kernel page-table isolation with the following commands:\n\n$ sudo grub2-editenv list | grep pti\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 pti=on boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"pti\" entry does not equal \"on\", is missing, or the line is commented out, this is a finding.\n\nCheck that kernel page-table isolation is enabled by default to persist in kernel updates:\n\n$ sudo grep pti /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"pti=on\"\n\nIf \"pti\" is not set to \"on\", is missing or commented out, this is a finding.", + "fix": "Configure RHEL 8 to enable kernel page-table isolation with the following\ncommand:\n\n $ sudo grubby --update-kernel=ALL --args=\"pti=on\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"pti=on\"" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230379", - "rid": "SV-230379r627750_rule", - "stig_id": "RHEL-08-020320", - "fix_id": "F-33023r567884_fix", + "severity": "low", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230491", + "rid": "SV-230491r818842_rule", + "stig_id": "RHEL-08-040004", + "fix_id": "F-33135r568220_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b" + "CM-7 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230379' do\n title 
'RHEL 8 must not have unnecessary accounts.'\n desc 'Accounts providing no operational purpose provide additional\nopportunities for system compromise. Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.'\n desc 'check', 'Verify all accounts on the system are assigned to an active system,\napplication, or user account.\n\n Obtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\n Check the system accounts on the system with the following command:\n\n $ sudo more /etc/passwd\n\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as\nthey do not support authorized system functions.\n\n If the accounts on the system do not match the provided documentation, or\naccounts that do not support an authorized system function are present, this is\na finding.'\n desc 'fix', 'Configure the system so all accounts on the system are assigned to an\nactive system, application, or user account.\n\n Remove accounts that do not support approved system activities or that\nallow for a normal user to perform administrative-level actions.\n\n Document all authorized accounts on the system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230379'\n tag rid: 'SV-230379r627750_rule'\n tag stig_id: 'RHEL-08-020320'\n tag fix_id: 'F-33023r567884_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n failing_users = passwd.users.reject { |u| (input('known_system_accounts') 
+ input('user_accounts')).uniq.include?(u) }\n\n describe 'All users' do\n it 'should have an explicit, authorized purpose (either a known user account or a required system account)' do\n expect(failing_users).to be_empty, \"Failing users:\\n\\t- #{failing_users.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230491' do\n title 'RHEL 8 must enable mitigations against processor-based\nvulnerabilities.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n Kernel page-table isolation is a kernel feature that mitigates the Meltdown\nsecurity vulnerability and hardens the kernel against attempts to bypass kernel\naddress space layout randomization (KASLR).'\n desc 'check', 'Verify RHEL 8 enables kernel page-table isolation with the following commands:\n\n$ sudo grub2-editenv list | grep pti\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 pti=on boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"pti\" entry does not equal \"on\", is missing, or the line is commented out, this is a finding.\n\nCheck that kernel page-table isolation is enabled by default to persist in kernel updates:\n\n$ sudo grep pti /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"pti=on\"\n\nIf \"pti\" is not set to \"on\", is missing or commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable kernel page-table isolation with the following\ncommand:\n\n $ sudo grubby --update-kernel=ALL --args=\"pti=on\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"pti=on\"'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230491'\n tag rid: 'SV-230491r818842_rule'\n tag stig_id: 'RHEL-08-040004'\n tag fix_id: 'F-33135r568220_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_stdout = command('grub2-editenv - list').stdout\n\n describe parse_config(grub_stdout) do\n its('kernelopts') { should match(/pti=on/) }\n end\n describe parse_config_file('/etc/default/grub') do\n 
its('GRUB_CMDLINE_LINUX') { should match(/pti=on/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230379.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230491.rb", "line": 1 }, - "id": "SV-230379" + "id": "SV-230491" }, { - "title": "The RHEL 8 operating system must implement DoD-approved encryption to\nprotect the confidentiality of SSH server connections.", - "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\n The system will attempt to use the first hash presented by the client that\nmatches the server list. Listing the values \"strongest to weakest\" is a\nmethod to ensure the use of the strongest hash available to secure the SSH\nconnection.", + "title": "RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.", + "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\n The system will attempt to use the first hash presented by the client that\nmatches the server list. 
Listing the values \"strongest to weakest\" is a\nmethod to ensure the use of the strongest hash available to secure the SSH\nconnection.", - "check": "Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command:\n\n $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config\n\n CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'\n\nIf the cipher entries in the \"opensshserver.config\" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.", - "fix": "Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com\n\nA reboot is required for the changes to take effect." + "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", + "check": "Verify that the operating system is configured to allow sending email notifications.\n\nNote: The \"mailx\" package provides the \"mail\" command that is used to send email messages.\n\nVerify that the \"mailx\" package is installed on the system:\n\n $ sudo yum list installed mailx\n\n mailx.x86_64 12.5-29.el8 @rhel-8-for-x86_64-baseos-rpm\n\nIf \"mailx\" package is not installed, this is a finding.", + "fix": "Install the \"mailx\" package on the system:\n\n $ sudo yum install mailx" }, "impact": 0.5, "refs": [ 
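Review bot: In the SV-230436 control the documented check and fix prescribe a rule carrying `-F auid!=unset`, but the embedded InSpec code asserts `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')`; since the description itself states that the audit system treats `-1`, `4294967295` and `unset` identically, a rule written exactly as the fix text says may fail the automated test depending on how the loaded rule is rendered, so the assertion should accept all three spellings or the text should say why `-1` is the expected rendered form. The same control's `satisfies` array lists `SRG-OS-000062-GPOS-00031` twice, in both the JSON tags and the `tag satisfies:` line of the Ruby, and should be deduplicated. Separately, the SV-230398 prose says any group other than `root` is a finding, while the code passes for any value in `input('var_log_audit_group')`; if that input's default is wider than `root` (not visible here), the automated result is more permissive than the manual check, and the sample `ls -al` output in that check is missing the leading file-type character (`-rw-------`).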
@@ -6202,118 +6170,109 @@ } ], "tags": { + "check_id": "C-60652r902753_chk", "severity": "medium", - "gtitle": "SRG-OS-000250-GPOS-00093", - "satisfies": [ - "SRG-OS-000250-GPOS-00093", - "SRG-OS-000393-GPOS-00173", - "SRG-OS-000394-GPOS-00174", - "SRG-OS-000125-GPOS-00065" - ], - "gid": "V-230252", - "rid": "SV-230252r917873_rule", - "stig_id": "RHEL-08-010291", - "fix_id": "F-32896r917872_fix", + "gid": "V-256974", + "rid": "SV-256974r902755_rule", + "stig_id": "RHEL-08-010358", + "gtitle": "SRG-OS-000363-GPOS-00150", + "fix_id": "F-60594r902754_fix", + "documentable": null, "cci": [ - "CCI-001453" + "CCI-001744" ], "nist": [ - "AC-17 (2)" + "CM-3 (5)" ], "host": null, - "container-conditional": null + "container": null }, - "code": "control 'SV-230252' do\n title 'The RHEL 8 operating system must implement DoD-approved encryption to\nprotect the confidentiality of SSH server connections.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\n The system will attempt to use the first hash presented by the client that\nmatches the server list. Listing the values \"strongest to weakest\" is a\nmethod to ensure the use of the strongest hash available to secure the SSH\nconnection.'\n desc 'check', %q(Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command:\n\n $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config\n\n CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'\n\nIf the cipher entries in the \"opensshserver.config\" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.)\n desc 'fix', 'Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-230252'\n tag rid: 'SV-230252r917873_rule'\n tag stig_id: 'RHEL-08-010291'\n tag fix_id: 'F-32896r917872_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)\n }\n\n describe parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config') do\n 
its('CRYPTO_POLICY') { should_not be_nil }\n end\n\n crypto_policy = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config')['CRYPTO_POLICY']\n\n unless crypto_policy.nil?\n describe parse_config(crypto_policy.gsub(/\\s|'/, \"\\n\")) do\n its('-oCiphers') { should cmp 'aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' }\n end\n end\nend\n", + "code": "control 'SV-256974' do\n title 'RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.'\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\"\n desc 'check', 'Verify that the operating system is configured to allow sending email notifications.\n\nNote: The \"mailx\" package provides the \"mail\" command that is used to send email messages.\n\nVerify that the \"mailx\" package is installed on the system:\n\n $ sudo yum list installed mailx\n\n mailx.x86_64 12.5-29.el8 @rhel-8-for-x86_64-baseos-rpm\n\nIf \"mailx\" package is not installed, this is a finding.'\n desc 'fix', 'Install the \"mailx\" package on the system:\n\n $ sudo yum install mailx'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-60652r902753_chk'\n tag severity: 'medium'\n tag gid: 'V-256974'\n tag rid: 'SV-256974r902755_rule'\n tag stig_id: 'RHEL-08-010358'\n tag gtitle: 'SRG-OS-000363-GPOS-00150'\n tag fix_id: 'F-60594r902754_fix'\n tag 'documentable'\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag 'host'\n tag 'container'\n\n mail_package = input('mail_package')\n\n describe package(mail_package) do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230252.rb", + "ref": "./Red Hat 8 STIG/controls/SV-256974.rb", "line": 1 }, - "id": "SV-230252" + "id": "SV-256974" }, { - "title": "RHEL 8 must take appropriate action when the internal event queue is\nfull.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.", + "title": "RHEL 8 operating systems booted with a BIOS must require\nauthentication upon booting into single-user and maintenance modes.", + "desc": "If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.", - "check": "Verify the audit system is configured to take an appropriate action when\nthe internal event queue is full:\n\n $ sudo grep -i overflow_action /etc/audit/auditd.conf\n\n overflow_action = syslog\n\n If the value of the \"overflow_action\" option is not set to \"syslog\",\n\"single\", \"halt\", or the line is commented out, ask the System\nAdministrator to indicate how the audit logs are off-loaded to a different\nsystem or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media takes appropriate action if the internal\nevent queue becomes full, this is a finding.", - "fix": "Edit the /etc/audit/auditd.conf file and add or update the\n\"overflow_action\" option:\n\n overflow_action = syslog\n\n The audit daemon must be restarted for changes to take effect." + "default": "If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "check": "For systems that use UEFI, this is Not Applicable.\n\n Check to see if an encrypted grub superusers password is set. 
On systems\nthat use a BIOS, use the following command:\n\n $ sudo grep -iw grub2_password /boot/grub2/user.cfg\n\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\",\nthis is a finding.", + "fix": "Configure the system to require a grub bootloader password for the grub\nsuperusers account with the grub2-setpassword command, which creates/overwrites\nthe /boot/grub2/user.cfg file.\n\n Generate an encrypted grub2 password for the grub superusers account with\nthe following command:\n\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "satisfies": [ - "SRG-OS-000342-GPOS-00133", - "SRG-OS-000479-GPOS-00224" - ], - "gid": "V-230480", - "rid": "SV-230480r877390_rule", - "stig_id": "RHEL-08-030700", - "fix_id": "F-33124r568187_fix", + "severity": "high", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-230235", + "rid": "SV-230235r743925_rule", + "stig_id": "RHEL-08-010150", + "fix_id": "F-32879r743924_fix", "cci": [ - "CCI-001851" + "CCI-000213" ], "nist": [ - "AU-4 (1)" + "AC-3" ], "host": null }, - "code": "control 'SV-230480' do\n title 'RHEL 8 must take appropriate action when the internal event queue is\nfull.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.'\n desc 'check', 'Verify the audit system is configured to take an appropriate action when\nthe internal event queue is full:\n\n $ sudo grep -i overflow_action /etc/audit/auditd.conf\n\n overflow_action = syslog\n\n If the value of the \"overflow_action\" option is not set to \"syslog\",\n\"single\", \"halt\", or the line is commented out, ask the System\nAdministrator to indicate how the audit logs are off-loaded to a different\nsystem or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media takes appropriate action if the internal\nevent queue becomes full, this is a finding.'\n desc 'fix', 'Edit the /etc/audit/auditd.conf file and add or update the\n\"overflow_action\" option:\n\n overflow_action = syslog\n\n The audit daemon must be restarted for changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-230480'\n tag rid: 'SV-230480r877390_rule'\n tag stig_id: 'RHEL-08-030700'\n tag fix_id: 'F-33124r568187_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. 
Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('overflow_action') { should match(/syslog$|single$|halt$/i) }\n end\n end\nend\n", + "code": "control 'SV-230235' do\n title 'RHEL 8 operating systems booted with a BIOS must require\nauthentication upon booting into single-user and maintenance modes.'\n desc 'If the system does not require valid authentication before it boots\ninto single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 8 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.'\n desc 'check', 'For systems that use UEFI, this is Not Applicable.\n\n Check to see if an encrypted grub superusers password is set. On systems\nthat use a BIOS, use the following command:\n\n $ sudo grep -iw grub2_password /boot/grub2/user.cfg\n\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the grub superusers password does not begin with \"grub.pbkdf2.sha512\",\nthis is a finding.'\n desc 'fix', 'Configure the system to require a grub bootloader password for the grub\nsuperusers account with the grub2-setpassword command, which creates/overwrites\nthe /boot/grub2/user.cfg file.\n\n Generate an encrypted grub2 password for the grub superusers account with\nthe following command:\n\n $ sudo grub2-setpassword\n Enter password:\n Confirm password:'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-230235'\n tag rid: 'SV-230235r743925_rule'\n tag stig_id: 'RHEL-08-010150'\n tag fix_id: 'F-32879r743924_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('Control not applicable within a container without sudo enabled', impact: 0.0) do\n !virtualization.system.eql?('docker')\n 
end\n\n if file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n else\n input('grub_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230480.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230235.rb", "line": 1 }, - "id": "SV-230480" + "id": "SV-230235" }, { - "title": "RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.", - "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\n RHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", + "title": "RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Asynchronous Transfer Mode (ATM) is a protocol operating on network,\ndata link, and physical layers, based on virtual circuits and virtual paths.\nDisabling ATM protects the system against exploitation of any laws in its\nimplementation.", "descriptions": { - "default": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\n RHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", - "check": "Verify the operating system is configured in the password-auth file to prohibit password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/password-auth\" with the following command:\n\n $ sudo grep -i remember /etc/pam.d/password-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", - "fix": "Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3" + "default": "It is detrimental for 
operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Asynchronous Transfer Mode (ATM) is a protocol operating on network,\ndata link, and physical layers, based on virtual circuits and virtual paths.\nDisabling ATM protects the system against exploitation of any laws in its\nimplementation.", + "check": "Verify the operating system disables the ability to load the ATM protocol kernel module.\n\n $ sudo grep -r atm /etc/modprobe.d/* | grep \"/bin/false\"\n install atm /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the ATM protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the ATM protocol.\n\nCheck to see if the ATM protocol is disabled with the following command:\n\n $ sudo grep -r atm /etc/modprobe.d/* | grep \"blacklist\"\n blacklist atm\n\nIf the command does not return any output or the output is not \"blacklist atm\", and use of the ATM protocol is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to use the ATM protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install atm /bin/false\n blacklist atm\n\nReboot the system for the settings to take effect." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000077-GPOS-00045", - "gid": "V-230368", - "rid": "SV-230368r902759_rule", - "stig_id": "RHEL-08-020220", - "fix_id": "F-33012r902757_fix", + "severity": "low", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230494", + "rid": "SV-230494r942918_rule", + "stig_id": "RHEL-08-040021", + "fix_id": "F-33138r942917_fix", "cci": [ - "CCI-000200" + "CCI-000381" ], "nist": [ - "IA-5 (1) (e)" + "CM-7 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230368' do\n title 'RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.'\n desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\n RHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.'\n desc 'check', 'Verify the operating system is configured in the password-auth file to prohibit password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/password-auth\" with the following command:\n\n $ sudo grep -i remember /etc/pam.d/password-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.'\n desc 'fix', 'Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000077-GPOS-00045'\n tag gid: 'V-230368'\n tag rid: 'SV-230368r902759_rule'\n tag stig_id: 'RHEL-08-020220'\n tag fix_id: 'F-33012r902757_fix'\n tag cci: ['CCI-000200']\n tag nist: ['IA-5 (1) (e)']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('password (required|requisite|sufficient) pam_pwhistory.so').any_with_integer_arg('remember', '>=', input('min_reuse_generations')) }\n end\nend\n", + "code": "control 'SV-230494' do\n title 'RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. 
These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Asynchronous Transfer Mode (ATM) is a protocol operating on network,\ndata link, and physical layers, based on virtual circuits and virtual paths.\nDisabling ATM protects the system against exploitation of any laws in its\nimplementation.'\n desc 'check', 'Verify the operating system disables the ability to load the ATM protocol kernel module.\n\n $ sudo grep -r atm /etc/modprobe.d/* | grep \"/bin/false\"\n install atm /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the ATM protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the ATM protocol.\n\nCheck to see if the ATM protocol is disabled with the following command:\n\n $ sudo grep -r atm /etc/modprobe.d/* | grep \"blacklist\"\n blacklist atm\n\nIf the command does not return any output or the output is not \"blacklist atm\", and use of the ATM protocol is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the ATM protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install atm /bin/false\n blacklist atm\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230494'\n tag rid: 'SV-230494r942918_rule'\n tag stig_id: 'RHEL-08-040021'\n tag fix_id: 'F-33138r942917_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to 
containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe kernel_module('atm') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230368.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230494.rb", "line": 1 }, - "id": "SV-230368" + "id": "SV-230494" }, { - "title": "RHEL 8 must mount /var/log/audit with the nodev option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "Successful/unsuccessful uses of the gpasswd command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"gpasswd\" command is\nused to administer /etc/group and /etc/gshadow. Every group can have\nadministrators, members and a password.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/log/audit\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if\n/var/log/audit is mounted without the \"nodev\" option, this is a finding.", - "fix": "Configure the system so that /var/log/audit is mounted with the \"nodev\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"gpasswd\" command is\nused to administer /etc/group and /etc/gshadow. Every group can have\nadministrators, members and a password.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. 
Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"gpasswd\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w gpasswd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-gpasswd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"gpasswd\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-gpasswd\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
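Review bot: In the new SV-230235 entry the embedded InSpec code asserts `its('GRUB2_PASSWORD') { should include 'grub.pbkdf2.sha512' }`, but the control's own check text says the value must *begin with* "grub.pbkdf2.sha512", so a substring match is weaker than the documented criterion and would also accept a value where the hash prefix appears later in the string; an anchored regex such as `its('GRUB2_PASSWORD') { should match(/\Agrub\.pbkdf2\.sha512\./) }` pins the stated requirement. The same entry's `only_if` message reads "Control not applicable within a container without sudo enabled" while the predicate is simply `!virtualization.system.eql?('docker')`, so the skip reason does not describe the condition actually tested; rewording it to match the sibling controls ("This control is Not Applicable to containers") would avoid misleading evaluators. The `descriptions.check` text for this control names only /boot/grub2/user.cfg while the code iterates `input('grub_user_boot_files')`; a short comment in the code noting that the input supersedes the hard-coded path in the check text would help readers reconcile the two. The SV-230444 entry that opens at the end of this hunk continues in the next hunk.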
@@ -6323,33 +6282,42 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230517", - "rid": "SV-230517r854058_rule", - "stig_id": "RHEL-08-040129", - "fix_id": "F-33161r568298_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230444", + "rid": "SV-230444r627750_rule", + "stig_id": "RHEL-08-030370", + "fix_id": "F-33088r568079_fix", "cci": [ - "CCI-001764" + "CCI-000169" ], "nist": [ - "CM-7 (2)" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230517' do\n title 'RHEL 8 must mount /var/log/audit with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log/audit\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if\n/var/log/audit is mounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log/audit is mounted with the \"nodev\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230517'\n tag rid: 'SV-230517r854058_rule'\n tag stig_id: 'RHEL-08-040129'\n tag fix_id: 'F-33161r568298_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log/audit'\n option = 'nodev'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230444' do\n title 'Successful/unsuccessful uses of the gpasswd command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the 
organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"gpasswd\" command is\nused to administer /etc/group and /etc/gshadow. Every group can have\nadministrators, members and a password.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"gpasswd\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w gpasswd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-gpasswd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"gpasswd\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-gpasswd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230444'\n tag rid: 
'SV-230444r627750_rule'\n tag stig_id: 'RHEL-08-030370'\n tag fix_id: 'F-33088r568079_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/gpasswd'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230517.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230444.rb", "line": 1 }, - "id": "SV-230517" + "id": "SV-230444" }, { - "title": "The RHEL 8 SSH daemon must prevent remote hosts from connecting to the\nproxy display.", - "desc": "When X11 forwarding is enabled, there may be additional exposure to\nthe server and client displays if the sshd proxy display is configured to\nlisten on the wildcard address. By default, sshd binds the forwarding server\nto the loopback address and sets the hostname part of the DIPSLAY environment\nvariable to localhost. 
This prevents remote hosts from connecting to the proxy\ndisplay.", + "title": "RHEL 8 must initiate a session lock for graphical user interfaces when\nthe screensaver is activated.", + "desc": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", "descriptions": { - "default": "When X11 forwarding is enabled, there may be additional exposure to\nthe server and client displays if the sshd proxy display is configured to\nlisten on the wildcard address. By default, sshd binds the forwarding server\nto the loopback address and sets the hostname part of the DIPSLAY environment\nvariable to localhost. 
This prevents remote hosts from connecting to the proxy\ndisplay.", - "check": "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the SSH X11UseLocalhost setting with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11uselocalhost'\n\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the SSH daemon to prevent remote hosts from connecting to the\nproxy display.\n\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be\nnamed differently or be in a different location if using a version of SSH that\nis provided by a third-party vendor):\n\n X11UseLocalhost yes" + "default": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "check": "Verify the operating system initiates a session lock a for graphical user\ninterfaces when the screensaver is activated with the following command:\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.desktop.screensaver lock-delay\n\n uint32 5\n\n If the \"uint32\" setting is missing, or is not set to \"5\" or less, this\nis a finding.", + "fix": "Configure the operating system to initiate a session lock for graphical\nuser interfaces when a screensaver is activated.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n\n The \"uint32\" must be included along with the integer key values as shown.\n\n Update the system databases:\n\n $ sudo dconf update" }, "impact": 0.5, "refs": [ 
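Review bot: The new `satisfies` array for SV-230444 lists `SRG-OS-000062-GPOS-00031` twice (first and fourth entries), both in the JSON tags and in the embedded `tag satisfies:` line of the Ruby source; the duplicate should be removed in `./Red Hat 8 STIG/controls/SV-230444.rb` (the `source_location` this export points at) and the export regenerated rather than patched here. The check text expects the rule to carry `auid!=unset` while the spec asserts `include('perm=x', 'auid>=1000', 'auid!=-1')`; whether that passes depends on how the `auditd` resource renders the field from the live rule listing on the target, so confirm it on a RHEL 8 host before relying on it. More broadly, every control in this hunk and the two that follow is a RHEL 8 control (`ref 'DPMS Target Red Hat Enterprise Linux 8'`, `stig_id: 'RHEL-08-…'`, source path `./Red Hat 8 STIG/controls/`) inside a file named `canonical-ubuntu-16.04-lts-stig-baseline.json`; the removed side is RHEL as well, so the commit does not introduce this, but the baseline appears to have been exported from the wrong profile and should be verified before it ships as the Ubuntu 16.04 baseline.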
@@ -6359,34 +6327,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230556", - "rid": "SV-230556r951620_rule", - "stig_id": "RHEL-08-040341", - "fix_id": "F-33200r568415_fix", - "cci": [ - "CCI-000366" - ], + "gtitle": "SRG-OS-000029-GPOS-00010", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "gid": "V-244535", + "rid": "SV-244535r743854_rule", + "stig_id": "RHEL-08-020031", + "fix_id": "F-47767r743853_fix", + "cci": [ + "CCI-000057" + ], "nist": [ - "CM-6 b" + "AC-11 a" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230556' do\n title 'The RHEL 8 SSH daemon must prevent remote hosts from connecting to the\nproxy display.'\n desc 'When X11 forwarding is enabled, there may be additional exposure to\nthe server and client displays if the sshd proxy display is configured to\nlisten on the wildcard address. By default, sshd binds the forwarding server\nto the loopback address and sets the hostname part of the DIPSLAY environment\nvariable to localhost. 
This prevents remote hosts from connecting to the proxy\ndisplay.'\n desc 'check', %q(Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the SSH X11UseLocalhost setting with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11uselocalhost'\n\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to prevent remote hosts from connecting to the\nproxy display.\n\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be\nnamed differently or be in a different location if using a version of SSH that\nis provided by a third-party vendor):\n\n X11UseLocalhost yes'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230556'\n tag rid: 'SV-230556r951620_rule'\n tag stig_id: 'RHEL-08-040341'\n tag fix_id: 'F-33200r568415_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n describe sshd_active_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n", + "code": "control 'SV-244535' do\n title 'RHEL 8 must initiate a session lock for graphical user interfaces when\nthe screensaver is activated.'\n desc \"A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock 
their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\"\n desc 'check', 'Verify the operating system initiates a session lock a for graphical user\ninterfaces when the screensaver is activated with the following command:\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.desktop.screensaver lock-delay\n\n uint32 5\n\n If the \"uint32\" setting is missing, or is not set to \"5\" or less, this\nis a finding.'\n desc 'fix', 'Configure the operating system to initiate a session lock for graphical\nuser interfaces when a screensaver is activated.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n\n The \"uint32\" must be included along with the integer key values as shown.\n\n Update the system databases:\n\n $ sudo dconf update'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-244535'\n tag rid: 'SV-244535r743854_rule'\n tag stig_id: 'RHEL-08-020031'\n tag fix_id: 'F-47767r743853_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 
'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n no_gui = command('ls /usr/share/xsessions/*').stderr.match?(/No such file or directory/)\n\n if no_gui\n impact 0.0\n describe 'The system does not have a GUI Desktop is installed, this control is Not Applicable' do\n skip 'A GUI desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('gsettings get org.gnome.desktop.screensaver lock-delay') do\n its('stdout.strip') { should match(/uint32\\s[0-5]/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230556.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244535.rb", "line": 1 }, - "id": "SV-230556" + "id": "SV-244535" }, { - "title": "RHEL 8 must mount /tmp with the nosuid option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must mount /var/log with the noexec option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/tmp\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if /tmp is\nmounted without the \"nosuid\" option, this is a finding.", - "fix": "Configure the system so that /tmp is mounted with the \"nosuid\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/log\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/var/log is mounted without the \"noexec\" option, this is a finding.", + "fix": "Configure the system so that /var/log is mounted with the \"noexec\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
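Review bot: The new screensaver assertion `its('stdout.strip') { should match(/uint32\s[0-5]/) }` is unanchored, so an output of `uint32 50` or `uint32 500` also satisfies it even though the check text treats anything above 5 as a finding; anchoring it, `its('stdout.strip') { should match(/\Auint32\s[0-5]\z/) }`, closes that gap. The GUI detection `command('ls /usr/share/xsessions/*').stderr.match?(/No such file or directory/)` keys on an English error string, so on a host with a non-English locale it presumably reports a desktop as present and runs the `gsettings` check anyway; `Dir.glob('/usr/share/xsessions/*').empty?` tests the same condition without depending on the locale. Both changes belong in `./Red Hat 8 STIG/controls/SV-244535.rb`, the `source_location` this export references, with the JSON regenerated from it.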
@@ -6397,10 +6369,10 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230512", - "rid": "SV-230512r854053_rule", - "stig_id": "RHEL-08-040124", - "fix_id": "F-33156r568283_fix", + "gid": "V-230516", + "rid": "SV-230516r854057_rule", + "stig_id": "RHEL-08-040128", + "fix_id": "F-33160r568295_fix", "cci": [ "CCI-001764" ], 
@@ -6409,20 +6381,20 @@ ], "host": null }, - "code": "control 'SV-230512' do\n title 'RHEL 8 must mount /tmp with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/tmp\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if /tmp is\nmounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /tmp is mounted with the \"nosuid\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230512'\n tag rid: 'SV-230512r854053_rule'\n tag stig_id: 'RHEL-08-040124'\n tag fix_id: 'F-33156r568283_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/tmp'\n option = 'nosuid'\n mount_option_enabled = input('mount_tmp_options')[option]\n\n if mount_option_enabled\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\n else\n describe mount(path) do\n its('options') { should_not include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should_not include option }\n end\n end\nend\n", + "code": "control 'SV-230516' do\n title 'RHEL 8 must mount 
/var/log with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /var/log\n\n /dev/mapper/rhel-var-log on /var/log type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /var/log:\n\n $ sudo cat /etc/fstab | grep /var/log\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/var/log is mounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log is mounted with the \"noexec\" option\nby adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230516'\n tag rid: 'SV-230516r854057_rule'\n tag stig_id: 'RHEL-08-040128'\n tag fix_id: 'F-33160r568295_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log'\n option = 'noexec'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230512.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230516.rb", "line": 1 }, - "id": "SV-230512" + "id": "SV-230516" }, { - "title": "Successful/unsuccessful uses of the chsh command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without 
generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chsh\" command is\nused to change the login shell.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must not forward IPv6 source-routed packets by default.", + "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chsh\" command is\nused to change the login shell.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chsh\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chsh /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chsh\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 does not accept IPv6 source-routed packets by default.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_source_route\n\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0\n\nIf \"net.ipv6.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a 
finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not forward IPv6 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
@@ -6432,42 +6404,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230448", - "rid": "SV-230448r627750_rule", - "stig_id": "RHEL-08-030410", - "fix_id": "F-33092r568091_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230539", + "rid": "SV-230539r861085_rule", + "stig_id": "RHEL-08-040250", + "fix_id": "F-33183r858805_fix", "cci": [ - "CCI-000169" + "CCI-000366" ], "nist": [ - "AU-12 a" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230448' do\n title 'Successful/unsuccessful uses of the chsh command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chsh\" command is\nused to change the login shell.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chsh\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chsh /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chsh\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230448'\n tag rid: 'SV-230448r627750_rule'\n tag stig_id: 'RHEL-08-030410'\n tag fix_id: 'F-33092r568091_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chsh'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230539' do\n title 'RHEL 8 must not forward IPv6 source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv6 source-routed packets by default.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_source_route\n\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0\n\nIf \"net.ipv6.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv6 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230539'\n 
tag rid: 'SV-230539r861085_rule'\n tag stig_id: 'RHEL-08-040250'\n tag fix_id: 'F-33183r858805_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_source_route'\n action = 'forwarding IPv6 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` 
parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230448.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230539.rb", "line": 1 }, - "id": "SV-230448" + "id": "SV-230539" }, { - "title": "RHEL 8 wireless network adapters must be disabled.", - "desc": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. 
Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", + "title": "The graphical display manager must not be the default target on RHEL 8 unless approved.", + "desc": "Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.", "descriptions": { - "default": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). 
Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", - "check": "Verify there are no wireless interfaces configured on the system with the\nfollowing command:\n\n Note: This requirement is Not Applicable for systems that do not have\nphysical wireless network radios.\n\n $ sudo nmcli device status\n\n DEVICE TYPE STATE\nCONNECTION\n virbr0 bridge connected virbr0\n wlp7s0 wifi connected wifiSSID\n enp6s0 ethernet disconnected --\n p2p-dev-wlp7s0 wifi-p2p disconnected --\n lo loopback unmanaged --\n virbr0-nic tun unmanaged --\n\n If a wireless interface is configured and has not been documented and\napproved by the Information System Security Officer (ISSO), this is a finding.", - "fix": "Configure the system to disable all wireless network interfaces with the\nfollowing command:\n\n $ sudo nmcli radio all off" + "default": "Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.", + "check": "Verify that the system is configured to boot to the command line:\n\n$ systemctl get-default\nmulti-user.target\n\nIf the system default target is not set to \"multi-user.target\" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.", + "fix": "Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:\n\nOpen an SSH session and enter the following commands:\n\n$ sudo systemctl set-default multi-user.target\n\nA reboot is required for the changes to take effect." }, "impact": 0.5, "refs": [ 
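Review bot: The configuration-file checks in the new `SV-230539` code accept any non-numeric setting as compliant, because both `uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq` and `v.to_i.eql?(value)` coerce with `to_i`, which yields 0 for a string such as `accept_source_route = yes` (constructed example) and 0 is the expected value. Parsing with `Integer(v.strip, exception: false)` and treating `nil` as a mismatch would make a malformed or non-integer entry a finding instead of a pass. The grep invocation also carries a `find -exec` leftover, `{} \;`, which gives grep a nonexistent `{}` file operand; only stdout is read so it just adds stderr noise, but `command("grep -r ^#{parameter} #{sysctl_config_files}")` is what was intended. In the `describe kernel_parameter(parameter)` block the `not_to be_nil` expectation comes after the `cmp value` expectation it is meant to guard, so a nil reading fails with a comparison message rather than the intended one; swap the two lines.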
@@ -6476,40 +6439,36 @@ } ], "tags": { + "check_id": "C-55155r809376_chk", "severity": "medium", - "gtitle": "SRG-OS-000299-GPOS-00117", - "satisfies": [ - "SRG-OS-000299-GPOS-00117", - "SRG-OS-000300-GPOS-00118", - "SRG-OS-000481-GPOS-000481" - ], - "gid": "V-230506", - "rid": "SV-230506r627750_rule", - "stig_id": "RHEL-08-040110", - "fix_id": "F-33150r568265_fix", + "gid": "V-251718", + "rid": "SV-251718r809378_rule", + "stig_id": "RHEL-08-040321", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-55109r809377_fix", + "documentable": null, "cci": [ - "CCI-001444" + "CCI-000366" ], "nist": [ - "AC-18 (1)" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230506' do\n title 'RHEL 8 wireless network adapters must be disabled.'\n desc 'Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. 
Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.'\n desc 'check', 'Verify there are no wireless interfaces configured on the system with the\nfollowing command:\n\n Note: This requirement is Not Applicable for systems that do not have\nphysical wireless network radios.\n\n $ sudo nmcli device status\n\n DEVICE TYPE STATE\nCONNECTION\n virbr0 bridge connected virbr0\n wlp7s0 wifi connected wifiSSID\n enp6s0 ethernet disconnected --\n p2p-dev-wlp7s0 wifi-p2p disconnected --\n lo loopback unmanaged --\n virbr0-nic tun unmanaged --\n\n If a wireless interface is configured and has not been documented and\napproved by the Information System Security Officer (ISSO), this is a finding.'\n desc 'fix', 'Configure the system to disable all wireless network interfaces with the\nfollowing command:\n\n $ sudo nmcli radio all off'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000299-GPOS-00117'\n tag satisfies: ['SRG-OS-000299-GPOS-00117', 'SRG-OS-000300-GPOS-00118', 'SRG-OS-000481-GPOS-000481']\n tag gid: 'V-230506'\n tag rid: 'SV-230506r627750_rule'\n tag stig_id: 'RHEL-08-040110'\n tag fix_id: 'F-33150r568265_fix'\n tag cci: ['CCI-001444']\n tag nist: ['AC-18 (1)']\n tag 'host'\n tag 'container'\n\n if input('wifi_hardware')\n describe command('nmcli device') do\n its('stdout.strip') { should_not match(/wifi\\s*connected/) }\n end\n 
else\n impact 0.0\n describe 'Skip' do\n skip 'The system does not have a wireless network adapter, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-251718' do\n title 'The graphical display manager must not be the default target on RHEL 8 unless approved.'\n desc 'Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.'\n desc 'check', 'Verify that the system is configured to boot to the command line:\n\n$ systemctl get-default\nmulti-user.target\n\nIf the system default target is not set to \"multi-user.target\" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.'\n desc 'fix', 'Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:\n\nOpen an SSH session and enter the following commands:\n\n$ sudo systemctl set-default multi-user.target\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55155r809376_chk'\n tag severity: 'medium'\n tag gid: 'V-251718'\n tag rid: 'SV-251718r809378_rule'\n tag stig_id: 'RHEL-08-040321'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55109r809377_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable inside the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('gui_required')\n impact 0.0\n describe 'skip' do\n skip 'A GUI is indicated as a requirement for this system. 
This control is Not Applicable.'\n end\n else\n get_default = command('systemctl get-default').stdout.strip\n\n describe get_default do\n it { should cmp 'multi-user.target' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230506.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251718.rb", "line": 1 }, - "id": "SV-230506" + "id": "SV-251718" }, { - "title": "RHEL 8 systems, versions 8.2 and above, must configure SELinux context\n type to allow the use of a non-default faillock tally directory.", - "desc": "By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n re-enabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.", + "title": "RHEL 8 must use reverse path filtering on all IPv4 interfaces.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n re-enabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.", - "check": "If the system does not have SELinux enabled and enforcing a\n targeted policy, or if the pam_faillock module is not configured for use,\n this requirement is not applicable.\n\n Note: This check applies to RHEL versions 8.2 or newer. 
If the system is\n RHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the location of the non-default tally directory for the pam_faillock\n module with the following command:\n\n $ sudo grep -w dir /etc/security/faillock.conf\n\n dir = /var/log/faillock\n\n Check the security context type of the non-default tally directory with the\n following command:\n\n $ sudo ls -Zd /var/log/faillock\n\n unconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\n If the security context type of the non-default tally directory is not\n \"faillog_t\", this is a finding.", - "fix": "Configure RHEL 8 to allow the use of a non-default faillock tally\n directory while SELinux enforces a targeted policy.\n\n Create a non-default faillock tally directory (if it does not already exist)\n with the following example:\n\n $ sudo mkdir /var/log/faillock\n\n Update the /etc/selinux/targeted/contexts/files/file_contexts.local with\n \"faillog_t\" context type for the non-default faillock tally directory with\n the following command:\n\n $ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\n Next, update the context type of the non-default faillock directory/subdirectories\n and files with the following command:\n\n $ sudo restorecon -R -v /var/log/faillock" + "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:\n\n$ sudo sysctl net.ipv4.conf.all.rp_filter\n\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.ipv4.conf.all.rp_filter = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
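Review bot: The new `SV-251718` code describes the bare string `get_default` rather than the command resource, so a failure is reported as a comparison on an anonymous string with no sign that `systemctl get-default` produced it, and a non-zero exit (systemctl absent or failing) is indistinguishable from a wrong target because only `stdout.strip` is kept. Describing the resource keeps the command and its status in the report: `describe command('systemctl get-default') do` / `its('exit_status') { should eq 0 }` / `its('stdout.strip') { should cmp 'multi-user.target' }`. The `impact 0.0` skip under `input('gui_required')` mirrors the STIG's documented-requirement exemption; a one-line comment above it, `# ISSO documentation for the GUI requirement is assumed to exist outside this scan`, would make that assumption visible to profile readers.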
@@ -6518,38 +6477,34 @@ } ], "tags": { - "check_id": "C-53749r793000_chk", "severity": "medium", - "gid": "V-250315", - "rid": "SV-250315r854079_rule", - "stig_id": "RHEL-08-020027", - "gtitle": "SRG-OS-000021-GPOS-00005", - "fix_id": "F-53703r793001_fix", - "documentable": null, + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230549", + "rid": "SV-230549r858830_rule", + "stig_id": "RHEL-08-040285", + "fix_id": "F-33193r858829_fix", "cci": [ - "CCI-000044", - "CCI-002238" + "CCI-000366" ], "nist": [ - "AC-7 a", - "AC-7 b" + "CM-6 b" ], "host": null }, - "code": "control 'SV-250315' do\n title 'RHEL 8 systems, versions 8.2 and above, must configure SELinux context\n type to allow the use of a non-default faillock tally directory.'\n desc %q(By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n re-enabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.)\n desc 'check', 'If the system does not have SELinux enabled and enforcing a\n targeted policy, or if the pam_faillock module is not configured for use,\n this requirement is not applicable.\n\n Note: This check applies to RHEL versions 8.2 or newer. 
If the system is\n RHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the location of the non-default tally directory for the pam_faillock\n module with the following command:\n\n $ sudo grep -w dir /etc/security/faillock.conf\n\n dir = /var/log/faillock\n\n Check the security context type of the non-default tally directory with the\n following command:\n\n $ sudo ls -Zd /var/log/faillock\n\n unconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\n If the security context type of the non-default tally directory is not\n \"faillog_t\", this is a finding.'\n desc 'fix', 'Configure RHEL 8 to allow the use of a non-default faillock tally\n directory while SELinux enforces a targeted policy.\n\n Create a non-default faillock tally directory (if it does not already exist)\n with the following example:\n\n $ sudo mkdir /var/log/faillock\n\n Update the /etc/selinux/targeted/contexts/files/file_contexts.local with\n \"faillog_t\" context type for the non-default faillock tally directory with\n the following command:\n\n $ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\n Next, update the context type of the non-default faillock directory/subdirectories\n and files with the following command:\n\n $ sudo restorecon -R -v /var/log/faillock'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-53749r793000_chk'\n tag severity: 'medium'\n tag gid: 'V-250315'\n tag rid: 'SV-250315r854079_rule'\n tag stig_id: 'RHEL-08-020027'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag fix_id: 'F-53703r793001_fix'\n tag 'documentable'\n tag cci: ['CCI-000044', 'CCI-002238']\n tag nist: ['AC-7 a', 'AC-7 b']\n tag 'host'\n\n only_if('This check applies to RHEL version 8.2 and later. 
If the system is not RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable in a container' do\n skip 'SELinux controls Not Applicable in a container'\n end\n else\n\n describe selinux do\n it { should be_installed }\n it { should be_enforcing }\n it { should_not be_disabled }\n end\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('dir') { should cmp input('non_default_tally_dir') }\n end\n\n faillock_tally = input('faillock_tally')\n\n describe \"The selected non-default tally directory for PAM: #{input('non_default_tally_dir')}\" do\n subject { file(input('non_default_tally_dir')) }\n its('selinux_label') { should match(/#{faillock_tally}/) }\n end\n end\nend\n", + "code": "control 'SV-230549' do\n title 'RHEL 8 must use reverse path filtering on all IPv4 interfaces.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:\n\n$ sudo sysctl net.ipv4.conf.all.rp_filter\n\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.ipv4.conf.all.rp_filter = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230549'\n tag rid: 'SV-230549r858830_rule'\n tag stig_id: 'RHEL-08-040285'\n tag fix_id: 'F-33193r858829_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.rp_filter'\n action = 'IPv4 reverse path filtering'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? 
{ |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-250315.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230549.rb", "line": 1 }, - "id": "SV-250315" + "id": "SV-230549" }, { - "title": "RHEL 8 must prevent system daemons from using Kerberos for\nauthentication.", - "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n The key derivation function (KDF) in Kerberos is not FIPS compatible.\nEnsuring the system does not have any keytab files present prevents system\ndaemons from using Kerberos for authentication. A keytab is a file containing\npairs of Kerberos principals and encrypted keys.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "title": "RHEL 8 must have the packages required for encrypting offloaded audit\nlogs installed.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"rsyslog-gnutls\" (which is a secure\ncommunications library implementing the SSL, TLS and DTLS protocols), and you\nhave a method to securely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", "descriptions": { - "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n The key derivation function (KDF) in Kerberos is not FIPS compatible.\nEnsuring the system does not have any keytab files present prevents system\ndaemons from using Kerberos for authentication. A keytab is a file containing\npairs of Kerberos principals and encrypted keys.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", - "check": "Verify that RHEL 8 prevents system daemons from using Kerberos for\nauthentication.\n\n If the system is a server utilizing krb5-server-1.17-18.el8.x86_64 or\nnewer, this requirement is not applicable.\n If the system is a workstation utilizing\nkrb5-workstation-1.17-18.el8.x86_64 or newer, this requirement is not\napplicable.\n\n Check if there are available keytabs with the following command:\n\n $ sudo ls -al /etc/*.keytab\n\n If this command produces any file(s), this is a finding.", - "fix": "Configure RHEL 8 to prevent system daemons from using Kerberos for\nauthentication.\n\n Remove any files with the .keytab extension from the operating system." + "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"rsyslog-gnutls\" (which is a secure\ncommunications library implementing the SSL, TLS and DTLS protocols), and you\nhave a method to securely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", + "check": "Verify the operating system has the packages required for encrypting\noffloaded audit logs installed with the following commands:\n\n $ sudo yum list installed rsyslog-gnutls\n\n rsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream\n\n If the \"rsyslog-gnutls\" package is not installed, ask the administrator\nto indicate how audit logs are being encrypted during offloading and what\npackages are installed to support it. If there is no evidence of audit logs\nbeing encrypted during offloading, this is a finding.", + "fix": "Configure the operating system to encrypt offloaded audit logs by\ninstalling the required packages with the following command:\n\n $ sudo yum install rsyslog-gnutls" }, "impact": 0.5, "refs": [ 
@@ -6559,34 +6514,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000120-GPOS-00061", - "gid": "V-230238", - "rid": "SV-230238r646862_rule", - "stig_id": "RHEL-08-010161", - "fix_id": "F-32882r567461_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230478", + "rid": "SV-230478r744011_rule", + "stig_id": "RHEL-08-030680", + "fix_id": "F-33122r744010_fix", "cci": [ - "CCI-000803" + "CCI-000366" ], "nist": [ - "IA-7" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230238' do\n title 'RHEL 8 must prevent system daemons from using Kerberos for\nauthentication.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n The key derivation function (KDF) in Kerberos is not FIPS compatible.\nEnsuring the system does not have any keytab files present prevents system\ndaemons from using Kerberos for authentication. A keytab is a file containing\npairs of Kerberos principals and encrypted keys.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
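Review bot: The new SV-230549 `code` string pins the live kernel parameter and every config-file value to exactly 1 (`value = 1`, `expect(current_value.value).to cmp value`, `all? { |v| v.to_i.eql?(value) }`), while the `check` text added in the same hunk accepts "1" or "2", so a host using loose reverse-path filtering is flagged by the automated control although the STIG procedure would not raise a finding. Introducing `allowed_values = [1, 2]` and asserting `expect(current_value.value.to_i).to be_in(allowed_values)` and `allowed_values.include?(v.to_i)` over the parsed file values aligns the two, with `value` kept only for the remediation message. The grep invocation `grep -r ^#{parameter} #{sysctl_config_files} {} \;` carries a trailing ` {} \;` that looks like a `find -exec` remnant; grep treats those as file names, which only adds stderr noise, so they should be dropped. The example label `it 'is disabled in sysctl -a'` describes a parameter that must be enabled; `it 'is set in sysctl -a'` reads correctly.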
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify that RHEL 8 prevents system daemons from using Kerberos for\nauthentication.\n\n If the system is a server utilizing krb5-server-1.17-18.el8.x86_64 or\nnewer, this requirement is not applicable.\n If the system is a workstation utilizing\nkrb5-workstation-1.17-18.el8.x86_64 or newer, this requirement is not\napplicable.\n\n Check if there are available keytabs with the following command:\n\n $ sudo ls -al /etc/*.keytab\n\n If this command produces any file(s), this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent system daemons from using Kerberos for\nauthentication.\n\n Remove any files with the .keytab extension from the operating system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-230238'\n tag rid: 'SV-230238r646862_rule'\n tag stig_id: 'RHEL-08-010161'\n tag fix_id: 'F-32882r567461_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n krb5_server = package('krb5-server')\n krb5_workstation = package('krb5-workstation')\n\n if (krb5_server.installed? && krb5_server.version >= '1.17-18.el8') || (krb5_workstation.installed? 
&& krb5_workstation.version >= '1.17-18.el8')\n impact 0.0\n describe 'The system has krb5-workstation and server version 1.17-18 or higher' do\n skip 'The system has krb5-workstation and server version 1.17-18 or higner, this requirement is Not Applicable.'\n end\n else\n keytabs = command('ls /etc/*.keytab').stdout.split\n describe 'The system' do\n it 'should not have keytab files for Kerberos' do\n expect(keytabs).to be_empty, \"Keytab files:\\n\\t- #{keytabs.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230478' do\n title 'RHEL 8 must have the packages required for encrypting offloaded audit\nlogs installed.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"rsyslog-gnutls\" (which is a secure\ncommunications library implementing the SSL, TLS and DTLS protocols), and you\nhave a method to securely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.'\n desc 'check', 'Verify the operating system has the packages required for encrypting\noffloaded audit logs installed with the following commands:\n\n $ sudo yum list installed rsyslog-gnutls\n\n rsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream\n\n If the \"rsyslog-gnutls\" package is not installed, ask the administrator\nto indicate how audit logs are being encrypted during offloading and what\npackages are installed to support it. 
If there is no evidence of audit logs\nbeing encrypted during offloading, this is a finding.'\n desc 'fix', 'Configure the operating system to encrypt offloaded audit logs by\ninstalling the required packages with the following command:\n\n $ sudo yum install rsyslog-gnutls'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230478'\n tag rid: 'SV-230478r744011_rule'\n tag stig_id: 'RHEL-08-030680'\n tag fix_id: 'F-33122r744010_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe package('rsyslog-gnutls') do\n it { should be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230238.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230478.rb", "line": 1 }, - "id": "SV-230238" + "id": "SV-230478" }, { - "title": "The RHEL 8 pam_unix.so module must be configured in the password-auth\nfile to use a FIPS 140-2 approved cryptographic hashing algorithm for system\nauthentication.", - "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "title": "RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm.", + "desc": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.", "descriptions": { - "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", - "check": "Verify that the pam_unix.so module is configured to use sha512.\n\nCheck that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or is commented out, this is a finding.", - "fix": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512" + "default": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.", + "check": "Verify that the shadow password suite configuration is set to encrypt\npassword with a FIPS 140-2 approved cryptographic hashing algorithm.\n\n Check the hashing algorithm that is being used to hash passwords with the\nfollowing command:\n\n $ sudo grep -i crypt /etc/login.defs\n\n ENCRYPT_METHOD SHA512\n\n If \"ENCRYPT_METHOD\" does not equal SHA512 or greater, this is a finding.", + "fix": "Configure RHEL 8 to encrypt all stored passwords.\n\n Edit/Modify the following line in the \"/etc/login.defs\" file and set\n\"[ENCRYPT_METHOD]\" to SHA512.\n\n ENCRYPT_METHOD SHA512" }, "impact": 0.5, "refs": [ 
@@ -6596,34 +6550,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000120-GPOS-00061", - "gid": "V-230237", - "rid": "SV-230237r809276_rule", - "stig_id": "RHEL-08-010160", - "fix_id": "F-32881r809275_fix", + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-230231", + "rid": "SV-230231r877397_rule", + "stig_id": "RHEL-08-010110", + "fix_id": "F-32875r567440_fix", "cci": [ - "CCI-000803" + "CCI-000196" ], "nist": [ - "IA-7" + "IA-5 (1) (c)" ], "host": null, "container": null }, - "code": "control 'SV-230237' do\n title 'The RHEL 8 pam_unix.so module must be configured in the password-auth\nfile to use a FIPS 140-2 approved cryptographic hashing algorithm for system\nauthentication.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
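Review bot: In the new SV-230478 `code` string, `if input('alternative_logging_method') != ''` routes to the manual-check skip whenever the input is anything other than an empty string, so if the input is left unset (nil) instead of being defaulted to `''`, the `package('rsyslog-gnutls')` assertion is never exercised and the control is reported as a skip; the input's declaration is not visible here, so whether that can happen depends on the profile's inspec.yml. `unless input('alternative_logging_method').to_s.strip.empty?` would treat nil and whitespace-only values as "no alternative method" and fall through to the package check. A comment above the branch, such as `# A non-empty alternative_logging_method makes this a manual check; otherwise rsyslog-gnutls must be installed`, would make the intent clear to whoever sets that input.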
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify that the pam_unix.so module is configured to use sha512.\n\nCheck that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-230237'\n tag rid: 'SV-230237r809276_rule'\n tag stig_id: 'RHEL-08-010160'\n tag fix_id: 'F-32881r809275_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('.* .* pam_unix.so sha512') }\n end\nend\n", + "code": "control 'SV-230231' do\n title 'RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm.'\n desc 'Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. 
If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.'\n desc 'check', 'Verify that the shadow password suite configuration is set to encrypt\npassword with a FIPS 140-2 approved cryptographic hashing algorithm.\n\n Check the hashing algorithm that is being used to hash passwords with the\nfollowing command:\n\n $ sudo grep -i crypt /etc/login.defs\n\n ENCRYPT_METHOD SHA512\n\n If \"ENCRYPT_METHOD\" does not equal SHA512 or greater, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to encrypt all stored passwords.\n\n Edit/Modify the following line in the \"/etc/login.defs\" file and set\n\"[ENCRYPT_METHOD]\" to SHA512.\n\n ENCRYPT_METHOD SHA512'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-230231'\n tag rid: 'SV-230231r877397_rule'\n tag stig_id: 'RHEL-08-010110'\n tag fix_id: 'F-32875r567440_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('ENCRYPT_METHOD') { should cmp 'SHA512' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230237.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230231.rb", "line": 1 }, - "id": "SV-230237" + "id": "SV-230231" }, { - "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/sudoers.d/.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to 
establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "RHEL 8 must not permit direct logons to the root account using remote\naccess via SSH.", + "desc": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/sudoers.d/\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules\n\n -w /etc/sudoers.d/ -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/sudoers.d/\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers.d/ -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", + "check": "Verify remote access using SSH prevents users from logging on directly as \"root\".\n\nCheck that SSH prevents users from logging on directly as \"root\" with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitrootlogin'\n\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to stop users from logging on remotely as the \"root\"\nuser via SSH.\n\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the\nline for the \"PermitRootLogin\" keyword and set its value to \"no\":\n\n PermitRootLogin no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
@@ -6633,92 +6587,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000304-GPOS-00121", - "CCI-002884", - "SRG-OS-000466-GPOS-00210", - "SRG-OS-000476-GPOS-00221" - ], - "gid": "V-230410", - "rid": "SV-230410r627750_rule", - "stig_id": "RHEL-08-030172", - "fix_id": "F-33054r567977_fix", - "cci": [ - "CCI-000169" - ], - "nist": [ - "AU-12 a" - ], - "host": null - }, - "code": "control 'SV-230410' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/sudoers.d/.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/sudoers.d/\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules\n\n -w /etc/sudoers.d/ -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that 
affect\n\"/etc/sudoers.d/\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers.d/ -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'CCI-002884', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230410'\n tag rid: 'SV-230410r627750_rule'\n tag stig_id: 'RHEL-08-030172'\n tag fix_id: 'F-33054r567977_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/sudoers.d'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230410.rb", - "line": 1 - }, - "id": "SV-230410" - }, - { - "title": "RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", - "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", - "check": "Note: This requirement applies to RHEL versions 8.0 through 8.3. 
If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.", - "fix": "Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3" - }, - "impact": 0.5, - "refs": [ - { - "ref": "DPMS Target Red Hat Enterprise Linux 8" - } - ], - "tags": { - "check_id": "C-55152r902744_chk", - "severity": "medium", - "gid": "V-251715", - "rid": "SV-251715r902746_rule", - "stig_id": "RHEL-08-020103", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-55106r902745_fix", - "documentable": null, + "gtitle": "SRG-OS-000109-GPOS-00056", + "gid": "V-230296", + "rid": "SV-230296r951608_rule", + "stig_id": "RHEL-08-010550", + "fix_id": "F-32940r567635_fix", "cci": [ - "CCI-000366" + "CCI-000770" ], "nist": [ - "CM-6 b" + "IA-2 (5)" ], "host": null, - "container": null + "container-conditional": null }, - "code": "control 'SV-251715' do\n title 'RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55152r902744_chk'\n tag severity: 'medium'\n tag gid: 'V-251715'\n tag rid: 'SV-251715r902746_rule'\n tag stig_id: 'RHEL-08-020103'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55106r902745_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n only_if('This requirement only applies to RHEL 8 versions below 8.4', impact: 0.0) {\n os.release.to_f < 8.4\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', 
input('min_retry')) }\n end\nend\n", + "code": "control 'SV-230296' do\n title 'RHEL 8 must not permit direct logons to the root account using remote\naccess via SSH.'\n desc 'Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.'\n desc 'check', %q(Verify remote access using SSH prevents users from logging on directly as \"root\".\n\nCheck that SSH prevents users from logging on directly as \"root\" with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitrootlogin'\n\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure RHEL 8 to stop users from logging on remotely as the \"root\"\nuser via SSH.\n\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the\nline for the \"PermitRootLogin\" keyword and set its value to \"no\":\n\n PermitRootLogin no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000109-GPOS-00056'\n tag gid: 'V-230296'\n tag rid: 'SV-230296r951608_rule'\n tag stig_id: 'RHEL-08-010550'\n tag fix_id: 'F-32940r567635_fix'\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n describe sshd_active_config do\n its('PermitRootLogin') { should cmp input('permit_root_login') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251715.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230296.rb", "line": 1 }, - "id": "SV-251715" + "id": "SV-230296" }, { - "title": "RHEL 8 must prevent special devices on file systems that are imported\nvia Network File System (NFS).", - "desc": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "title": "RHEL 8 must prevent code from being executed on file systems that\ncontain user home directories.", + "desc": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", "descriptions": { - "default": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", - "check": "Verify file systems that are being NFS-imported are mounted with the\n\"nodev\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep nodev\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nodev\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option on\nfile systems that are being imported via NFS." + "default": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "check": "Verify file systems that contain user home directories are mounted with the\n\"noexec\" option.\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is\nautomatically a finding as the \"noexec\" option cannot be used on the \"/\"\nsystem.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n smithj:1001: /home/smithj\n robinst:1002: /home/robinst\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n $ sudo more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 2\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"noexec\" option set, this is a finding.", + 
"fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that contain user home directories for interactive users." }, "impact": 0.5, "refs": [ @@ -6729,10 +6625,10 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230307", - "rid": "SV-230307r627750_rule", - "stig_id": "RHEL-08-010640", - "fix_id": "F-32951r567668_fix", + "gid": "V-230302", + "rid": "SV-230302r627750_rule", + "stig_id": "RHEL-08-010590", + "fix_id": "F-32946r567653_fix", "cci": [ "CCI-000366" ], 
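Review bot: The SV-230296 test at the end of the new `code` string asserts `its('PermitRootLogin') { should cmp input('permit_root_login') }`, so the expected value comes from a profile input whose default is not visible in this hunk rather than the literal `no` that the control's own check and fix text require; an input overlay of `yes` or `prohibit-password` would make the control pass while direct root logon over SSH stays enabled. The check text also says conflicting results are a finding, but `sshd_active_config` presumably reports the effective, already-resolved value, so a second conflicting `PermitRootLogin` directive would go unnoticed by the automated test. Consider pinning the expectation, `its('PermitRootLogin') { should cmp 'no' }`, or at minimum documenting on the control that the input must stay `no` for STIG compliance. Because this JSON is an exported baseline (`source_location` points at `./Red Hat 8 STIG/controls/SV-230296.rb`), the change belongs in that control source followed by a regeneration of this file.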
@@ -6741,20 +6637,20 @@ ], "host": null }, - "code": "control 'SV-230307' do\n title 'RHEL 8 must prevent special devices on file systems that are imported\nvia Network File System (NFS).'\n desc 'The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.'\n desc 'check', 'Verify file systems that are being NFS-imported are mounted with the\n\"nodev\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep nodev\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nodev\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nodev\" option on\nfile systems that are being imported via NFS.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230307'\n tag rid: 'SV-230307r627750_rule'\n tag stig_id: 'RHEL-08-010640'\n tag fix_id: 'F-32951r567668_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nodev'\n nfs_file_systems = etc_fstab.nfs_file_systems.params\n failing_mounts = nfs_file_systems.reject { |mnt| mnt['mount_options'].include?(option) }\n\n if nfs_file_systems.empty?\n describe 'No NFS' do\n it 'is mounted' do\n expect(nfs_file_systems).to be_empty\n end\n end\n else\n describe 'Any mounted Network File System (NFS)' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"NFS without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230302' do\n title 'RHEL 8 must 
prevent code from being executed on file systems that\ncontain user home directories.'\n desc 'The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.'\n desc 'check', %q(Verify file systems that contain user home directories are mounted with the\n\"noexec\" option.\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is\nautomatically a finding as the \"noexec\" option cannot be used on the \"/\"\nsystem.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n smithj:1001: /home/smithj\n robinst:1002: /home/robinst\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n $ sudo more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 2\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"noexec\" option set, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that contain user home directories for interactive users.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230302'\n tag rid: 'SV-230302r627750_rule'\n tag stig_id: 'RHEL-08-010590'\n tag fix_id: 'F-32946r567653_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n 
interactive_users = passwd.where {\n uid.to_i >= 1000 && shell !~ /nologin/\n }\n\n interactive_user_homedirs = interactive_users.homes.map { |home_path|\n home_path.match(%r{^(.*)/.*$}).captures.first\n }.uniq\n\n option = 'noexec'\n\n mounted_on_root = interactive_user_homedirs.select { |dir| dir == '/' }\n not_configured = interactive_user_homedirs.reject { |dir| etc_fstab.where { mount_point == dir }.configured? }\n option_not_set = interactive_user_homedirs.reject { |dir| etc_fstab.where { mount_point == dir }.mount_options.flatten.include?(option) }\n\n describe 'All interactive user home directories' do\n it \"should not be mounted under root ('/')\" do\n expect(mounted_on_root).to be_empty, \"Home directories mounted on root ('/'):\\n\\t- #{mounted_on_root.join(\"\\n\\t- \")}\"\n end\n it 'should be configured in /etc/fstab' do\n expect(not_configured).to be_empty, \"Unconfigured home directories:\\n\\t- #{not_configured.join(\"\\n\\t- \")}\"\n end\n if (option_not_set - not_configured).nil?\n it \"should have the '#{option}' mount option set\" do\n expect(option_not_set - not_configured).to be_empty, \"Mounted home directories without '#{option}' set:\\n\\t- #{not_configured.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230307.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230302.rb", "line": 1 }, - "id": "SV-230307" + "id": "SV-230302" }, { - "title": "RHEL 8 audit logs must be group-owned by root to prevent unauthorized\nread access.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", + "title": "RHEL 8 audit system must protect auditing rules from unauthorized\nchange.", + "desc": "Unauthorized disclosure of audit records can reveal system 
and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", - "check": "Verify the audit logs are group-owned by \"root\". First determine where\nthe audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, determine if the audit log is\ngroup-owned by \"root\" using the following command:\n\n $ sudo ls -al /var/log/audit/audit.log\n\n rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log\n\n If the audit log is not group-owned by \"root\", this is a finding.", - "fix": "Configure the audit log to be owned by root by configuring the log group in\nthe /etc/audit/auditd.conf file:\n\n log_group = root" + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. 
A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.", + "check": "Verify the audit system prevents unauthorized changes with the following\ncommand:\n\n $ sudo grep \"^\\s*[^#]\" /etc/audit/audit.rules | tail -1\n\n -e 2\n\n If the audit system is not set to be immutable by adding the \"-e 2\"\noption to the \"/etc/audit/audit.rules\", this is a finding.", + "fix": "Configure the audit system to set the audit rules to be immutable by adding\nthe following line to \"/etc/audit/rules.d/audit.rules\"\n\n -e 2\n\n Note: Once set, the system must be rebooted for auditing to be changed. It\nis recommended to add this option as the last step in securing the system." }, "impact": 0.5, "refs": [ @@ -6770,10 +6666,10 @@ "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029" ], - "gid": "V-230398", - "rid": "SV-230398r627750_rule", - "stig_id": "RHEL-08-030090", - "fix_id": "F-33042r567941_fix", + "gid": "V-230402", + "rid": "SV-230402r627750_rule", + "stig_id": "RHEL-08-030121", + "fix_id": "F-33046r567953_fix", "cci": [ "CCI-000162" ], 
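Review bot: In the new SV-230302 `code` string the noexec assertion is dead code: `if (option_not_set - not_configured).nil?` can never be true because `Array#-` always returns an array, so the `it "should have the 'noexec' mount option set"` example is never defined and the control passes on a host whose `/home` is in `/etc/fstab` without `noexec`, which is exactly the condition the check text calls a finding. The failure message on that line also interpolates `not_configured` instead of the list of mounts missing the option, so even once enabled it would name the wrong directories. The guard should be dropped and the example should always run over `option_not_set - not_configured`; as with the other entries here, the fix belongs in `./Red Hat 8 STIG/controls/SV-230302.rb` and then a regenerated export.
```ruby
  describe 'All interactive user home directories' do
    # … unchanged: mounted_on_root and not_configured examples …
    it "should have the '#{option}' mount option set" do
      missing_option = option_not_set - not_configured
      expect(missing_option).to be_empty, "Mounted home directories without '#{option}' set:\n\t- #{missing_option.join("\n\t- ")}"
    end
  end
```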
@@ -6783,66 +6679,56 @@ ], "host": null }, - "code": "control 'SV-230398' do\n title 'RHEL 8 audit logs must be group-owned by root to prevent unauthorized\nread access.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.'\n desc 'check', 'Verify the audit logs are group-owned by \"root\". First determine where\nthe audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, determine if the audit log is\ngroup-owned by \"root\" using the following command:\n\n $ sudo ls -al /var/log/audit/audit.log\n\n rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log\n\n If the audit log is not group-owned by \"root\", this is a finding.'\n desc 'fix', 'Configure the audit log to be owned by root by configuring the log group in\nthe /etc/audit/auditd.conf file:\n\n log_group = root'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230398'\n tag rid: 'SV-230398r627750_rule'\n tag stig_id: 'RHEL-08-030090'\n tag fix_id: 'F-33042r567941_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe file(auditd_conf('/etc/audit/auditd.conf').log_file) do\n its('group') { should be_in input('var_log_audit_group') }\n end\nend\n", + "code": "control 'SV-230402' do\n title 'RHEL 8 audit system must protect auditing rules from unauthorized\nchange.'\n desc 'Unauthorized disclosure of 
audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.'\n desc 'check', 'Verify the audit system prevents unauthorized changes with the following\ncommand:\n\n $ sudo grep \"^\\\\s*[^#]\" /etc/audit/audit.rules | tail -1\n\n -e 2\n\n If the audit system is not set to be immutable by adding the \"-e 2\"\noption to the \"/etc/audit/audit.rules\", this is a finding.'\n desc 'fix', 'Configure the audit system to set the audit rules to be immutable by adding\nthe following line to \"/etc/audit/rules.d/audit.rules\"\n\n -e 2\n\n Note: Once set, the system must be rebooted for auditing to be changed. 
It\nis recommended to add this option as the last step in securing the system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230402'\n tag rid: 'SV-230402r627750_rule'\n tag stig_id: 'RHEL-08-030121'\n tag fix_id: 'F-33046r567953_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe command('grep \"^\\s*[^#]\" /etc/audit/audit.rules | tail -1') do\n its('stdout.strip') { should cmp '-e 2' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230398.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230402.rb", "line": 1 }, - "id": "SV-230398" + "id": "SV-230402" }, { - "title": "RHEL 8 must enable auditing of processes that start prior to the audit\ndaemon.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify RHEL 8 enables auditing of processes that start prior to the audit daemon with the following commands:\n\n$ sudo 
grub2-editenv list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit\" entry does not equal \"1\", is missing, or the line is commented out, this is a finding.\n\nCheck that auditing is enabled by default to persist in kernel updates:\n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit=1\"\n\nIf \"audit\" is not set to \"1\", is missing or commented out, this is a finding.", - "fix": "Configure RHEL 8 to audit processes that start prior to the audit daemon\nwith the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"audit=1\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"audit=1\"" + "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - 
"SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000473-GPOS-00218" - ], - "gid": "V-230468", - "rid": "SV-230468r792904_rule", - "stig_id": "RHEL-08-030601", - "fix_id": "F-33112r568151_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-244550", + "rid": "SV-244550r858791_rule", + "stig_id": "RHEL-08-040209", + "fix_id": "F-47782r858790_fix", "cci": [ - "CCI-000169" + "CCI-000366" ], "nist": [ - "AU-12 a" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230468' do\n title 'RHEL 8 must enable auditing of processes that start prior to the audit\ndaemon.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.'\n desc 'check', 'Verify RHEL 8 enables auditing of processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit\" entry does not equal \"1\", is missing, or the line is commented out, this is a finding.\n\nCheck that auditing is enabled by default to persist in kernel updates:\n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit=1\"\n\nIf \"audit\" is not set to \"1\", is missing or commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to audit processes that start prior to the audit daemon\nwith the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"audit=1\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n 
GRUB_CMDLINE_LINUX=\"audit=1\"'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-230468'\n tag rid: 'SV-230468r792904_rule'\n tag stig_id: 'RHEL-08-030601'\n tag fix_id: 'F-33112r568151_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_config = command('grub2-editenv - list').stdout\n\n describe parse_config(grub_config) do\n its('kernelopts') { should match(/audit=1/) }\n end\n\n describe parse_config_file('/etc/default/grub') do\n its('GRUB_CMDLINE_LINUX') { should match(/audit=1/) }\n end\nend\n", + "code": "control 'SV-244550' do\n title 'RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244550'\n tag rid: 'SV-244550r858791_rule'\n tag stig_id: 'RHEL-08-040209'\n tag fix_id: 
'F-47782r858790_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.accept_redirects'\n action = 'accepting IPv4 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to 
a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230468.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244550.rb", "line": 1 }, - "id": "SV-230468" + "id": "SV-244550" }, { - "title": "RHEL 8 must enforce password complexity by requiring that at least one\nnumeric character be used.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Note that in order to require numeric characters, without degrading\nthe minlen value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", + "title": "The RHEL 8 /var/log directory must be owned by root.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. 
Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Note that in order to require numeric characters, without degrading\nthe minlen value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", - "check": "Verify the value for \"dcredit\" with the following command:\n\n$ sudo grep -r dcredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dcredit = -1\n\nIf the value of \"dcredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\ndcredit = -1\n\nRemove any configurations that conflict with the above value." 
+ "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the /var/log directory is owned by root with the following command:\n\n$ sudo stat -c \"%U\" /var/log\n\nroot\n\nIf \"root\" is not returned as a result, this is a finding.", + "fix": "Change the owner of the directory /var/log to root by running the following\ncommand:\n\n $ sudo chown root /var/log" }, "impact": 0.5, "refs": [ 
@@ -6852,34 +6738,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000071-GPOS-00039", - "gid": "V-230359", - "rid": "SV-230359r858775_rule", - "stig_id": "RHEL-08-020130", - "fix_id": "F-33003r858774_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-230249", + "rid": "SV-230249r627750_rule", + "stig_id": "RHEL-08-010250", + "fix_id": "F-32893r567494_fix", "cci": [ - "CCI-000194" + "CCI-001314" ], "nist": [ - "IA-5 (1) (a)" + "SI-11 b" ], "host": null, "container": null }, - "code": "control 'SV-230359' do\n title 'RHEL 8 must enforce password complexity by requiring that at least one\nnumeric character be used.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
Note that in order to require numeric characters, without degrading\nthe minlen value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".'\n desc 'check', 'Verify the value for \"dcredit\" with the following command:\n\n$ sudo grep -r dcredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dcredit = -1\n\nIf the value of \"dcredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\ndcredit = -1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000071-GPOS-00039'\n tag gid: 'V-230359'\n tag rid: 'SV-230359r858775_rule'\n tag stig_id: 'RHEL-08-020130'\n tag fix_id: 'F-33003r858774_fix'\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting) { 'dcredit' }\n let(:value) { Array(config.params[setting]) }\n\n it 'has `dcredit` set' do\n expect(value).not_to be_empty, 'dcredit is not set in pwquality.conf'\n end\n\n it 'only sets `dcredit` once' do\n expect(value.length).to eq(1), 'dcredit is commented or set more than once in pwquality.conf'\n end\n\n it 'does not set `dcredit` to a positive value' do\n expect(value.first.to_i).to be < 0, 'dcredit is not set to a negative value in pwquality.conf'\n end\n end\nend\n", + "code": "control 'SV-230249' do\n title 'The RHEL 8 /var/log directory must be owned by root.'\n desc \"Only authorized personnel should be aware of errors and 
the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify the /var/log directory is owned by root with the following command:\n\n$ sudo stat -c \"%U\" /var/log\n\nroot\n\nIf \"root\" is not returned as a result, this is a finding.'\n desc 'fix', 'Change the owner of the directory /var/log to root by running the following\ncommand:\n\n $ sudo chown root /var/log'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230249'\n tag rid: 'SV-230249r627750_rule'\n tag stig_id: 'RHEL-08-010250'\n tag fix_id: 'F-32893r567494_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n tag 'container'\n\n describe directory('/var/log') do\n it { should exist }\n it { should be_owned_by 'root' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230359.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230249.rb", "line": 1 }, - "id": "SV-230359" + "id": "SV-230249" }, { - "title": "RHEL 8 must restrict usage of ptrace to descendant processes.", - "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must mount /var/log/audit with the nosuid option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:\n\n$ sudo sysctl kernel.yama.ptrace_scope\n\nkernel.yama.ptrace_scope = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1\n\nIf \"kernel.yama.ptrace_scope\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.yama.ptrace_scope = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/log/audit\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/var/log/audit is mounted without the \"nosuid\" option, this is a finding.", + "fix": "Configure the system so that /var/log/audit is mounted with the \"nosuid\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
@@ -6889,33 +6775,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230546", - "rid": "SV-230546r858824_rule", - "stig_id": "RHEL-08-040282", - "fix_id": "F-33190r858823_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230518", + "rid": "SV-230518r854059_rule", + "stig_id": "RHEL-08-040130", + "fix_id": "F-33162r568301_fix", "cci": [ - "CCI-000366" + "CCI-001764" ], "nist": [ - "CM-6 b" + "CM-7 (2)" ], "host": null }, - "code": "control 'SV-230546' do\n title 'RHEL 8 must restrict usage of ptrace to descendant processes.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:\n\n$ sudo sysctl kernel.yama.ptrace_scope\n\nkernel.yama.ptrace_scope = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1\n\nIf \"kernel.yama.ptrace_scope\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.yama.ptrace_scope = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230546'\n tag rid: 'SV-230546r858824_rule'\n tag stig_id: 'RHEL-08-040282'\n tag fix_id: 'F-33190r858823_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.yama.ptrace_scope'\n action = 'usage of ptrace'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n 
expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230518' do\n title 'RHEL 8 must mount /var/log/audit with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log/audit\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/var/log/audit is mounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log/audit is mounted with the \"nosuid\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230518'\n tag rid: 'SV-230518r854059_rule'\n tag stig_id: 'RHEL-08-040130'\n tag fix_id: 'F-33162r568301_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log/audit'\n option = 'nosuid'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230546.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230518.rb", "line": 1 }, - "id": "SV-230546" + "id": "SV-230518" }, { - "title": "RHEL 8 must mount /dev/shm with the nodev 
option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime\nrestriction in /etc/shadow.", + "desc": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\"option is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /dev/shm\nis mounted without the \"nodev\" option, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"nodev\" option\nby adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + "default": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", + "check": "Check whether the minimum time period between password changes for each\nuser account is one day or greater.\n\n $ sudo awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.", + "fix": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum\npassword lifetime:\n\n $ sudo chage -m 1 [user]" }, "impact": 0.5, "refs": [ 
@@ -6925,33 +6811,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230508", - "rid": "SV-230508r854049_rule", - "stig_id": "RHEL-08-040120", - "fix_id": "F-33152r568271_fix", + "gtitle": "SRG-OS-000075-GPOS-00043", + "gid": "V-230364", + "rid": "SV-230364r627750_rule", + "stig_id": "RHEL-08-020180", + "fix_id": "F-33008r567839_fix", "cci": [ - "CCI-001764" + "CCI-000198" ], "nist": [ - "CM-7 (2)" + "IA-5 (1) (d)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230508' do\n title 'RHEL 8 must mount /dev/shm with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
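Review bot: The new SV-230518 code's `describe mount(path)` block asserts on `options` without first asserting that /var/log/audit is a mount point at all; when it is not a separate filesystem the `mount` resource appears to yield no options, so the report reads as a nil/empty-options mismatch instead of naming the real finding. Adding `it { should be_mounted }` ahead of `its('options') { should include option }` makes the failure self-explanatory and also covers the case the STIG check text leaves implicit (the "If results are returned" wording only conditions the fstab half; the mounted half is unconditional). The fstab check is fine as written: an absent entry yields an empty option list and fails as intended. This is an inference about the InSpec `mount` resource's behaviour for non-mount paths; worth confirming on a host where /var/log/audit sits on the root filesystem.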
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\"option is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /dev/shm\nis mounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /dev/shm is mounted with the \"nodev\" option\nby adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230508'\n tag rid: 'SV-230508r854049_rule'\n tag stig_id: 'RHEL-08-040120'\n tag fix_id: 'F-33152r568271_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/dev/shm'\n option = 'nodev'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230364' do\n title 'RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime\nrestriction in /etc/shadow.'\n desc \"Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.\"\n desc 'check', %q(Check whether the minimum time period between password changes for each\nuser account is one day or greater.\n\n $ sudo awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.)\n desc 'fix', 'Configure non-compliant accounts to enforce a 24 hours/1 day minimum\npassword lifetime:\n\n $ sudo chage -m 1 [user]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000075-GPOS-00043'\n tag gid: 'V-230364'\n tag rid: 'SV-230364r627750_rule'\n tag stig_id: 'RHEL-08-020180'\n tag fix_id: 'F-33008r567839_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag 'host'\n tag 'container'\n\n # TODO: add inputs for a frequecny\n\n bad_users = users.where { uid >= 1000 }.where { mindays < 1 }.usernames\n in_scope_users = bad_users - input('exempt_home_users')\n\n describe 'Users should not' do\n it 'be able to change their password more then once a 24 hour period' do\n failure_message = \"The following users can update their password more then once a day: #{in_scope_users.join(', ')}\"\n expect(in_scope_users).to be_empty, failure_message\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230508.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230364.rb", "line": 1 }, - "id": "SV-230508" + "id": "SV-230364" }, { - "title": "All RHEL 8 local interactive user home directories defined in the\n/etc/passwd file must exist.", - "desc": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the \"/\" directory as the current\nworking directory upon logon. 
This could create a denial of service because the\nuser would not be able to access their logon configuration files, and it may\ngive them visibility to system files they normally would not be able to access.", + "title": "RHEL 8 must ensure the password complexity module is enabled in the password-auth file.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", "descriptions": { - "default": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the \"/\" directory as the current\nworking directory upon logon. This could create a denial of service because the\nuser would not be able to access their logon configuration files, and it may\ngive them visibility to system files they normally would not be able to access.", - "check": "Verify the assigned home directory of all local interactive users on RHEL 8\nexists with the following command:\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}'\n/etc/passwd)\n\n drwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\n Note: This may miss interactive users that have been assigned a privileged\nUser ID (UID). 
Evidence of interactive use may be obtained from a number of log\nfiles containing system logon information.\n\n Check that all referenced home directories exist with the following command:\n\n $ sudo pwck -r\n\n user 'smithj': directory '/home/smithj' does not exist\n\n If any home directories referenced in \"/etc/passwd\" are returned as not\ndefined, this is a finding.", - "fix": "Create home directories to all local interactive users that currently do\nnot have a home directory assigned. Use the following commands to create the\nuser home directory assigned in \"/etc/ passwd\":\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\", a UID of \"smithj\", and a Group Identifier (GID) of \"users\nassigned\" in \"/etc/passwd\".\n\n $ sudo mkdir /home/smithj\n $ sudo chown smithj /home/smithj\n $ sudo chgrp users /home/smithj\n $ sudo chmod 0750 /home/smithj" + "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", + "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n\nCheck for the use of \"pwquality\" in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.", + "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so" }, "impact": 0.5, "refs": [ 
@@ -6961,69 +6848,71 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230323", - "rid": "SV-230323r627750_rule", - "stig_id": "RHEL-08-010750", - "fix_id": "F-32967r567716_fix", + "gtitle": "SRG-OS-000069-GPOS-00037", + "gid": "V-230356", + "rid": "SV-230356r902728_rule", + "stig_id": "RHEL-08-020100", + "fix_id": "F-33000r902727_fix", "cci": [ + "CCI-000192", "CCI-000366" ], "nist": [ + "IA-5 (1) (a)", "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230323' do\n title 'All RHEL 8 local interactive user home directories defined in the\n/etc/passwd file must exist.'\n desc 'If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the \"/\" directory as the current\nworking directory upon logon. This could create a denial of service because the\nuser would not be able to access their logon configuration files, and it may\ngive them visibility to system files they normally would not be able to access.'\n desc 'check', %q(Verify the assigned home directory of all local interactive users on RHEL 8\nexists with the following command:\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}'\n/etc/passwd)\n\n drwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\n Note: This may miss interactive users that have been assigned a privileged\nUser ID (UID). Evidence of interactive use may be obtained from a number of log\nfiles containing system logon information.\n\n Check that all referenced home directories exist with the following command:\n\n $ sudo pwck -r\n\n user 'smithj': directory '/home/smithj' does not exist\n\n If any home directories referenced in \"/etc/passwd\" are returned as not\ndefined, this is a finding.)\n desc 'fix', 'Create home directories to all local interactive users that currently do\nnot have a home directory assigned. 
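Review bot: The new SV-230364 control subtracts `input('exempt_home_users')` from the non-compliant list, but that input is the home-directory exemption list, so any account exempted from the home-directory checks is silently also exempted from the one-day minimum password lifetime, which the STIG check text does not allow for non-system accounts. A dedicated input keeps the scope as written, e.g. `in_scope_users = bad_users - input('exempt_password_aging_users')` with a matching input declared in the profile, or simply drop the subtraction. The `uid >= 1000` threshold is hard-coded here while the SV-230323 control visible in the following hunk derives it from `login_defs.read_params['UID_MIN']`; reading it the same way avoids mis-scoping on systems with a non-default UID_MIN. The `# TODO: add inputs for a frequecny` comment is a leftover, and the failure message and example name both say "more then once" — should read "more than once".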
Use the following commands to create the\nuser home directory assigned in \"/etc/ passwd\":\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\", a UID of \"smithj\", and a Group Identifier (GID) of \"users\nassigned\" in \"/etc/passwd\".\n\n $ sudo mkdir /home/smithj\n $ sudo chown smithj /home/smithj\n $ sudo chgrp users /home/smithj\n $ sudo chmod 0750 /home/smithj'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230323'\n tag rid: 'SV-230323r627750_rule'\n tag stig_id: 'RHEL-08-010750'\n tag fix_id: 'F-32967r567716_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_home_users = input('exempt_home_users')\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n iuser_entries = passwd.where { uid.to_i >= uid_min && shell !~ /nologin/ && !exempt_home_users.include?(user) }\n\n if !iuser_entries.users.nil? && !iuser_entries.users.empty?\n failing_homedirs = iuser_entries.homes.reject { |home|\n file(home).exist?\n }\n describe 'All non-exempt interactive user account home directories on the system' do\n it 'should exist' do\n expect(failing_homedirs).to be_empty, \"Failing home directories:\\n\\t- #{failing_homedirs.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'No non-exempt interactive user accounts' do\n it 'were detected on the system' do\n expect(true).to eq(true)\n end\n end\n end\nend\n", + "code": "control 'SV-230356' do\n title 'RHEL 8 must ensure the password complexity module is enabled in the password-auth file.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth'\n desc 'check', 'Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n\nCheck for the use of \"pwquality\" in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-230356'\n tag rid: 'SV-230356r902728_rule'\n tag stig_id: 'RHEL-08-020100'\n tag fix_id: 'F-33000r902727_fix'\n tag cci: ['CCI-000192', 'CCI-000366']\n tag nist: ['IA-5 (1) (a)', 'CM-6 b']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so') }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230323.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230356.rb", "line": 1 }, - "id": "SV-230323" + 
"id": "SV-230356" }, { - "title": "RHEL 8 must have the packages required for multifactor authentication\n installed.", - "desc": "Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "title": "RHEL 8 must not allow blank or null passwords in the system-auth file.", + "desc": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.", "descriptions": { - "default": "Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", - "check": "Verify the operating system has the packages required for multifactor\n authentication installed with the following commands:\n\n $ sudo yum list installed openssl-pkcs11\n\n openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda\n\n If the \"openssl-pkcs11\" package is not installed, ask the administrator\n to indicate what type of multifactor authentication is being utilized and what\n packages are installed to support it. 
If there is no evidence of multifactor\n authentication being used, this is a finding.", - "fix": "Configure the operating system to implement multifactor authentication by\n installing the required package with the following command:\n\n $ sudo yum install openssl-pkcs11" + "default": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", + "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth\n\nIf output is produced, this is a finding.", + "fix": "Remove any instances of the \"nullok\" option in the\n\"/etc/pam.d/system-auth\" file to prevent logons with empty passwords.\n\n Note: Manual changes to the listed file may be overwritten by the\n\"authselect\" program." }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000375-GPOS-00160", - "gid": "V-230273", - "rid": "SV-230273r854028_rule", - "stig_id": "RHEL-08-010390", - "fix_id": "F-32917r743942_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-244540", + "rid": "SV-244540r743869_rule", + "stig_id": "RHEL-08-020331", + "fix_id": "F-47772r743868_fix", "cci": [ - "CCI-001948" + "CCI-000366" ], "nist": [ - "IA-2 (11)" - ], - "host": null + "CM-6 b" + ] }, - "code": "control 'SV-230273' do\n title 'RHEL 8 must have the packages required for multifactor authentication\n installed.'\n desc 'Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, 
hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).'\n desc 'check', 'Verify the operating system has the packages required for multifactor\n authentication installed with the following commands:\n\n $ sudo yum list installed openssl-pkcs11\n\n openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda\n\n If the \"openssl-pkcs11\" package is not installed, ask the administrator\n to indicate what type of multifactor authentication is being utilized and what\n packages are installed to support it. 
If there is no evidence of multifactor\n authentication being used, this is a finding.'\n desc 'fix', 'Configure the operating system to implement multifactor authentication by\n installing the required package with the following command:\n\n $ sudo yum install openssl-pkcs11'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag gid: 'V-230273'\n tag rid: 'SV-230273r854028_rule'\n tag stig_id: 'RHEL-08-010390'\n tag fix_id: 'F-32917r743942_fix'\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('smart_card_enabled')\n describe package('openssl-pkcs11') do\n it { should be_installed }\n end\n else\n impact 0.0\n describe 'The system is not smartcard enabled thus this control is Not Applicable' do\n skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-244540' do\n title 'RHEL 8 must not allow blank or null passwords in the system-auth file.'\n desc 'If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.'\n desc 'check', 'To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth\n\nIf output is produced, this is a finding.'\n desc 'fix', 'Remove any instances of the \"nullok\" option in the\n\"/etc/pam.d/system-auth\" file to prevent logons with empty passwords.\n\n Note: Manual changes to the listed file may be overwritten by the\n\"authselect\" program.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244540'\n tag rid: 'SV-244540r743869_rule'\n tag stig_id: 'RHEL-08-020331'\n tag fix_id: 'F-47772r743868_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n pam_auth_files = input('pam_auth_files')\n file_list = pam_auth_files.values.join(' ')\n bad_entries = command(\"grep -i nullok #{file_list}\").stdout.lines.map(&:strip)\n\n describe 'The system should be configureed' do\n subject { command(\"grep -i nullok #{file_list}\") }\n it 'to not allow null passwords' do\n expect(subject.stdout.strip).to be_empty, \"The system is configured to allow null passwords. Please remove any instances of the `nullok` option from auth files: \\n\\t- #{bad_entries.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230273.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244540.rb", "line": 1 }, - "id": "SV-230273" + "id": "SV-244540" }, { - "title": "The RHEL 8 operating system must implement DoD-approved TLS encryption\nin the OpenSSL package.", - "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.", + "title": "RHEL 8 system commands must have mode 755 or less permissive.", + "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.", - "check": "Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:\n\nFor versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nMinProtocol = TLSv1.2\n\nIf the \"MinProtocol\" is set to anything older than \"TLSv1.2\", this is a finding.\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\n\nIf the \"TLS.MinProtocol\" is set to anything older than \"TLSv1.2\" or the \"DTLS.MinProtocol\" is set to anything older than DTLSv1.2, this is a finding.", - "fix": "Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the \"/etc/crypto-policies/back-ends/opensslcnf.config\" file:\n\nFor versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:\nMinProtocol = TLSv1.2\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\nA reboot is required for the changes to take effect." 
+ "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.",
+ "check": "Verify the system commands contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \\;\n\nIf any system commands are found to be group-writable or world-writable, this is a finding.",
+ "fix": "Configure the system commands to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any system command with a mode more permissive than \"755\".\n\n$ sudo chmod 755 [FILE]"
 },
 "impact": 0.5,
 "refs": [ 
@@ -7033,40 +6922,34 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000250-GPOS-00093",
- "satisfies": [
- "SRG-OS-000250-GPOS-00093",
- "SRG-OS-000393-GPOS-00173",
- "SRG-OS-000394-GPOS-00174",
- "SRG-OS-000125-GPOS-00065"
- ],
- "gid": "V-230255",
- "rid": "SV-230255r877394_rule",
- "stig_id": "RHEL-08-010294",
- "fix_id": "F-32899r809381_fix",
+ "gtitle": "SRG-OS-000259-GPOS-00100",
+ "gid": "V-230257",
+ "rid": "SV-230257r792862_rule",
+ "stig_id": "RHEL-08-010300",
+ "fix_id": "F-32901r792861_fix",
 "cci": [
- "CCI-001453"
+ "CCI-001499"
 ],
 "nist": [
- "AC-17 (2)"
+ "CM-5 (6)"
 ],
 "host": null,
 "container": null
 },
- "code": "control 'SV-230255' do\n title 'The RHEL 8 operating system must implement DoD-approved TLS encryption\nin the OpenSSL package.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. 
The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.'\n desc 'check', 'Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:\n\nFor versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nMinProtocol = TLSv1.2\n\nIf the \"MinProtocol\" is set to anything older than \"TLSv1.2\", this is a finding.\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\n\nIf the \"TLS.MinProtocol\" is set to anything older than \"TLSv1.2\" or the \"DTLS.MinProtocol\" is set to anything older than DTLSv1.2, this is a finding.'\n desc 'fix', 'Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the \"/etc/crypto-policies/back-ends/opensslcnf.config\" file:\n\nFor versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:\nMinProtocol = TLSv1.2\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-230255'\n tag rid: 'SV-230255r877394_rule'\n tag stig_id: 'RHEL-08-010294'\n tag fix_id: 'F-32899r809381_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container'\n\n crypto_policies = package('crypto-policies')\n\n if crypto_policies.version < '20210617-1.gitc776d3e.el8.noarch'\n describe parse_config_file('/etc/crypto-policies/back-ends/opensslcnf.config') do\n its('MinProtocol') { 
should be_in ['TLSv1.2', 'TLSv1.3'] }\n end\n else\n describe parse_config_file('/etc/crypto-policies/back-ends/opensslcnf.config') do\n its(['TLS.MinProtocol']) { should be_in ['TLSv1.2', 'TLSv1.3'] }\n its(['DTLS.MinProtocol']) { should be_in ['DTLSv1.2', 'DTLSv1.3'] }\n end\n end\nend\n", + "code": "control 'SV-230257' do\n title 'RHEL 8 system commands must have mode 755 or less permissive.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system commands contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \\\\;\n\nIf any system commands are found to be group-writable or world-writable, this is a finding.'\n desc 'fix', 'Configure the system commands to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any system command with a mode more permissive than \"755\".\n\n$ sudo chmod 755 [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230257'\n tag rid: 'SV-230257r792862_rule'\n tag stig_id: 'RHEL-08-010300'\n tag fix_id: 'F-32901r792861_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n system_command_dirs = 
input('system_command_dirs').join(' ')\n\n failing_files = command(\"find -L #{system_command_dirs} -perm /0022 -exec ls -l '{}' \\\\;\").stdout.split(\"\\n\")\n\n # failing_files = command(\"find -L #{input('system_command_dirs').join(' ')} -perm /0022 -exec ls -d '{}'' \\\\;\").stdout.split(\"\\n\")\n\n describe 'System commands' do\n it \"should have mode '0755' or less permissive\" do\n expect(failing_files).to be_empty, \"Files with excessive permissions:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230255.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230257.rb", "line": 1 }, - "id": "SV-230255" + "id": "SV-230257" }, { - "title": "RHEL 8 must mount /var/tmp with the nosuid option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "Successful/unsuccessful uses of semanage in RHEL 8 must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"semanage\" command is used to configure certain elements of SELinux\npolicy without requiring modification to or recompilation from policy sources.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/tmp\" is mounted with the \"nosuid\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"nosuid\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"nosuid\" option is missing, or if /var/tmp is mounted without the \"nosuid\" option, this is a finding.", - "fix": "Configure the system so that /var/tmp is mounted with the \"nosuid\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"semanage\" command is used to configure certain elements of SELinux\npolicy without requiring modification to or recompilation from policy sources.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"semanage\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"semanage\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"semanage\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
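Review bot: The new `code` string for SV-230257 never checks the exit status of the `find` it runs, so a directory listed in `system_command_dirs` that does not exist, or a permission error, leaves `failing_files` empty and the control passes vacuously while the error is lost in the unread stderr. Keeping the command object and asserting on it, e.g. `find_cmd = command("find -L #{system_command_dirs} -perm /0022 -exec ls -l '{}' \\;")`, `failing_files = find_cmd.stdout.split("\n")` and, inside the example, `expect(find_cmd.exit_status).to eq(0), "find failed: #{find_cmd.stderr}"`, would make the check fail closed. The commented-out `# failing_files = command(...)` line that duplicates the live one (with a stray `'{}''`) should be dropped rather than shipped in the baseline.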
@@ -7076,33 +6959,42 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000368-GPOS-00154",
- "gid": "V-230521",
- "rid": "SV-230521r854062_rule",
- "stig_id": "RHEL-08-040133",
- "fix_id": "F-33165r792929_fix",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
+ "satisfies": [
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-230429",
+ "rid": "SV-230429r627750_rule",
+ "stig_id": "RHEL-08-030313",
+ "fix_id": "F-33073r568034_fix",
 "cci": [
- "CCI-001764"
+ "CCI-000169"
 ],
 "nist": [
- "CM-7 (2)"
+ "AU-12 a"
 ],
 "host": null
 },
- "code": "control 'SV-230521' do\n title 'RHEL 8 must mount /var/tmp with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/tmp\" is mounted with the \"nosuid\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"nosuid\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"nosuid\" option is missing, or if /var/tmp is mounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/tmp is mounted with the \"nosuid\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230521'\n tag rid: 'SV-230521r854062_rule'\n tag stig_id: 'RHEL-08-040133'\n tag fix_id: 'F-33165r792929_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/tmp'\n option = 'nosuid'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230429' do\n title 'Successful/unsuccessful uses of semanage in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text 
recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"semanage\" command is used to configure certain elements of SELinux\npolicy without requiring modification to or recompilation from policy sources.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"semanage\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"semanage\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"semanage\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230429'\n tag rid: 'SV-230429r627750_rule'\n tag stig_id: 'RHEL-08-030313'\n tag fix_id: 'F-33073r568034_fix'\n 
tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/semanage'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230521.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230429.rb", "line": 1 }, - "id": "SV-230521" + "id": "SV-230429" }, { - "title": "Successful/unsuccessful modifications to the faillock log file in RHEL\n8 must generate an audit record.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n From \"Pam_Faillock man\" pages: Note the default directory that\npam_faillock uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "RHEL 8 operating systems booted with United Extensible Firmware\nInterface (UEFI) must require a unique superusers name upon booting into\nsingle-user mode and maintenance.", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. 
Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n From \"Pam_Faillock man\" pages: Note the default directory that\npam_faillock uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nmodifications to the \"faillock\" file occur. First, determine where the\nfaillock tallies are stored with the following commands:\n\n For RHEL versions 8.0 and 8.1:\n\n $ sudo grep -i pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock\nsilent deny=3 fail_interval=900 even_deny_root\n\n For RHEL versions 8.2 and newer:\n\n $ sudo grep dir /etc/security/faillock.conf\n\n dir=/var/log/faillock\n\n Using the location of the faillock log file, check that the following calls\nare being audited by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w faillock /etc/audit/audit.rules\n\n -w /var/log/faillock -p wa -k logins\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"faillock\" file by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -w /var/log/faillock -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect." + "default": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. 
Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.", + "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.", + "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg" }, "impact": 0.5, "refs": [ 
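Review bot: The field assertion in the new SV-230429 code, `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')`, pins a single spelling of the AUID exclusion even though the control's own description states that the audit system treats `-1`, `4294967295` and `unset` identically and the check/fix text shows `auid!=unset`; if the `auditd` resource reports the rule as the audit tooling renders it, a host configured exactly per the fix text may be flagged depending on the audit version. Accepting any of the three spellings, e.g. `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000')` followed by `expect(audit_rule.fields.flatten & ['auid!=-1', 'auid!=4294967295', 'auid!=unset']).not_to be_empty`, matches the documented semantics. Separately, `SRG-OS-000062-GPOS-00031` appears twice in the added `satisfies` array and again in the embedded `tag satisfies:` list; the duplicate should be removed from both so the two stay consistent.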
@@ -7112,43 +7004,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000473-GPOS-00218" - ], - "gid": "V-230466", - "rid": "SV-230466r627750_rule", - "stig_id": "RHEL-08-030590", - "fix_id": "F-33110r568145_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-244521", + "rid": "SV-244521r792982_rule", + "stig_id": "RHEL-08-010141", + "fix_id": "F-47753r743811_fix", "cci": [ - "CCI-000169" + "CCI-000213" ], "nist": [ - "AU-12 a" + "AC-3" ], "host": null }, - "code": "control 'SV-230466' do\n title 'Successful/unsuccessful modifications to the faillock log file in RHEL\n8 must generate an audit record.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n From \"Pam_Faillock man\" pages: Note the default directory that\npam_faillock uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nmodifications to the \"faillock\" file occur. 
First, determine where the\nfaillock tallies are stored with the following commands:\n\n For RHEL versions 8.0 and 8.1:\n\n $ sudo grep -i pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock\nsilent deny=3 fail_interval=900 even_deny_root\n\n For RHEL versions 8.2 and newer:\n\n $ sudo grep dir /etc/security/faillock.conf\n\n dir=/var/log/faillock\n\n Using the location of the faillock log file, check that the following calls\nare being audited by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w faillock /etc/audit/audit.rules\n\n -w /var/log/faillock -p wa -k logins\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"faillock\" file by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -w /var/log/faillock -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-230466'\n tag rid: 'SV-230466r627750_rule'\n tag stig_id: 'RHEL-08-030590'\n tag fix_id: 'F-33110r568145_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n if os.release.to_f < 8.2\n m = /dir=(?\\S*)/\n s = command('grep -i pam_faillock.so /etc/pam.d/system-auth').stdout\n dir_match = m.match(s)\n audit_command = (dir_match[:dir] if dir_match)\n else\n audit_command = parse_config_file('/etc/security/faillock.conf').params('dir')\n end\n\n only_if('This control 
is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-244521' do\n title 'RHEL 8 operating systems booted with United Extensible Firmware\nInterface (UEFI) must require a unique superusers name upon booting into\nsingle-user mode and maintenance.'\n desc 'If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.\n\nThe GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.'\n desc 'check', 'For systems that use BIOS, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is identical to any OS account name or is missing a name, this is a finding.'\n desc 'fix', 'Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-244521'\n tag rid: 'SV-244521r792982_rule'\n tag stig_id: 'RHEL-08-010141'\n tag fix_id: 'F-47753r743811_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if file('/sys/firmware/efi').exist?\n describe parse_config_file(input('grub_uefi_main_cfg')) do\n its('set superusers') { should cmp '\"root\"' }\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running BIOS, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230466.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244521.rb", "line": 1 }, - "id": "SV-230466" + "id": "SV-244521" }, { - "title": "RHEL 8 must disable the stream control transmission protocol (SCTP).", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. 
These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Stream Control Transmission Protocol (SCTP) is a transport layer\nprotocol, designed to support the idea of message-oriented communication, with\nseveral streams of messages within one connection. Disabling SCTP protects the\nsystem against exploitation of any flaws in its implementation.", + "title": "RHEL 8 must disable mounting of cramfs.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Removing support for unneeded filesystem types reduces the local attack\nsurface of the server.\n\n Compressed ROM/RAM file system (or cramfs) is a read-only file system\ndesigned for simplicity and space-efficiency. It is mainly used in embedded\nand small-footprint systems.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Stream Control Transmission Protocol (SCTP) is a transport layer\nprotocol, designed to support the idea of message-oriented communication, with\nseveral streams of messages within one connection. 
Disabling SCTP protects the\nsystem against exploitation of any flaws in its implementation.", - "check": "Verify the operating system disables the ability to load the SCTP kernel module.\n\n $ sudo grep -r sctp /etc/modprobe.d/* | grep \"/bin/false\"\n install sctp /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the SCTP.\n\nCheck to see if the SCTP is disabled with the following command:\n\n $ sudo grep -r sctp /etc/modprobe.d/* | grep \"blacklist\"\n blacklist sctp\n\nIf the command does not return any output or the output is not \"blacklist sctp\", and use of the SCTP is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the SCTP kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install sctp /bin/false\n blacklist sctp\n\nReboot the system for the settings to take effect." + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Removing support for unneeded filesystem types reduces the local attack\nsurface of the server.\n\n Compressed ROM/RAM file system (or cramfs) is a read-only file system\ndesigned for simplicity and space-efficiency. 
It is mainly used in embedded\nand small-footprint systems.", + "check": "Verify the operating system disables the ability to load the cramfs kernel module.\n\n $ sudo grep -r cramfs /etc/modprobe.d/* | grep \"/bin/false\"\n install cramfs /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the cramfs protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the cramfs kernel module.\n\nCheck to see if the cramfs kernel module is disabled with the following command:\n\n $ sudo grep -r cramfs /etc/modprobe.d/* | grep \"blacklist\"\n blacklist cramfs\n\nIf the command does not return any output or the output is not \"blacklist cramfs\", and use of the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to use the cramfs kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install cramfs /bin/false\n blacklist cramfs\n\nReboot the system for the settings to take effect." }, "impact": 0.3, "refs": [ @@ -7159,10 +7041,10 @@ "tags": { "severity": "low", "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230496", - "rid": "SV-230496r942924_rule", - "stig_id": "RHEL-08-040023", - "fix_id": "F-33140r942923_fix", + "gid": "V-230498", + "rid": "SV-230498r942930_rule", + "stig_id": "RHEL-08-040025", + "fix_id": "F-33142r942929_fix", "cci": [ "CCI-000381" ], 
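Review bot: The new SV-244521 control code embedded in this hunk asserts `its('set superusers') { should cmp '"root"' }`, which passes only when the GRUB superuser is named root, yet the control's own description and check text list root as an example of a non-unique name that is a finding, so the automated check is inverted relative to the requirement and would report a misconfigured UEFI host as compliant. At minimum the assertion should become `its('set superusers') { should_not cmp '"root"' }` together with a presence check such as `its('set superusers') { should_not be_nil }`, and ideally the value should also be compared against the OS account names the check text refers to. Because this file looks like a generated profile export (code plus source_location for every control), the correction presumably belongs in the referenced source `./Red Hat 8 STIG/controls/SV-244521.rb` followed by a regeneration of this JSON, rather than a hand edit here. The SV-244521 control object itself starts before this hunk.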
@@ -7171,12 +7053,68 @@ ], "host": null }, - "code": "control 'SV-230496' do\n title 'RHEL 8 must disable the stream control transmission protocol (SCTP).'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Stream Control Transmission Protocol (SCTP) is a transport layer\nprotocol, designed to support the idea of message-oriented communication, with\nseveral streams of messages within one connection. Disabling SCTP protects the\nsystem against exploitation of any flaws in its implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the SCTP kernel module.\n\n $ sudo grep -r sctp /etc/modprobe.d/* | grep \"/bin/false\"\n install sctp /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the SCTP.\n\nCheck to see if the SCTP is disabled with the following command:\n\n $ sudo grep -r sctp /etc/modprobe.d/* | grep \"blacklist\"\n blacklist sctp\n\nIf the command does not return any output or the output is not \"blacklist sctp\", and use of the SCTP is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the SCTP kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install sctp /bin/false\n blacklist sctp\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat 
Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230496'\n tag rid: 'SV-230496r942924_rule'\n tag stig_id: 'RHEL-08-040023'\n tag fix_id: 'F-33140r942923_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe kernel_module('sctp') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control 'SV-230498' do\n title 'RHEL 8 must disable mounting of cramfs.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Removing support for unneeded filesystem types reduces the local attack\nsurface of the server.\n\n Compressed ROM/RAM file system (or cramfs) is a read-only file system\ndesigned for simplicity and space-efficiency. 
It is mainly used in embedded\nand small-footprint systems.'\n desc 'check', 'Verify the operating system disables the ability to load the cramfs kernel module.\n\n $ sudo grep -r cramfs /etc/modprobe.d/* | grep \"/bin/false\"\n install cramfs /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the cramfs protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the cramfs kernel module.\n\nCheck to see if the cramfs kernel module is disabled with the following command:\n\n $ sudo grep -r cramfs /etc/modprobe.d/* | grep \"blacklist\"\n blacklist cramfs\n\nIf the command does not return any output or the output is not \"blacklist cramfs\", and use of the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the cramfs kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install cramfs /bin/false\n blacklist cramfs\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230498'\n tag rid: 'SV-230498r942930_rule'\n tag stig_id: 'RHEL-08-040025'\n tag fix_id: 'F-33142r942929_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe kernel_module('cramfs') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230496.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230498.rb", "line": 1 }, - "id": "SV-230496" + "id": "SV-230498" + }, + { + "title": "RHEL 8 must generate audit 
records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/group /etc/audit/audit.rules\n\n -w /etc/group -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/group -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." 
+ }, + "impact": 0.5, + "refs": [ + { + "ref": "DPMS Target Red Hat Enterprise Linux 8" + } + ], + "tags": { + "severity": "medium", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000304-GPOS-00121", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000304-GPOS-00121", + "CCI-002884", + "SRG-OS-000466-GPOS-00210", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-230408", + "rid": "SV-230408r627750_rule", + "stig_id": "RHEL-08-030170", + "fix_id": "F-33052r567971_fix", + "cci": [ + "CCI-000169" + ], + "nist": [ + "AU-12 a" + ], + "host": null + }, + "code": "control 'SV-230408' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/group /etc/audit/audit.rules\n\n -w /etc/group -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account 
creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/group -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'CCI-002884', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230408'\n tag rid: 'SV-230408r627750_rule'\n tag stig_id: 'RHEL-08-030170'\n tag fix_id: 'F-33052r567971_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/group'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 8 STIG/controls/SV-230408.rb", + "line": 1 + }, + "id": "SV-230408" }, { "title": "RHEL 8 temporary user accounts must be provisioned with an expiration\ntime of 72 hours or less.", 
@@ -7216,12 +7154,12 @@ "id": "SV-230331" }, { - "title": "Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nThe \"unlink\" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.\nThe \"rmdir\" system call removes empty directories.\nThe \"renameat\" system call renames a file, moving it between directories if required.\nThe \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
Performance can be helped, however, by combining syscalls into one rule whenever possible.", + "title": "RHEL 8 must ensure the password complexity module is enabled in the system-auth file.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nThe \"unlink\" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.\nThe \"rmdir\" system call removes empty directories.\nThe \"renameat\" system call renames a file, moving it between directories if required.\nThe \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.", - "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep 'rename\\|unlink\\|rmdir' /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nIf the command does not return an audit rule for \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" or any of the lines returned are commented out, this is a finding.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", + "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n\nCheck for the use of \"pwquality\" in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.", + "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so" }, "impact": 0.5, "refs": [ 
@@ -7230,42 +7168,37 @@ } ], "tags": { + "check_id": "C-55150r902738_chk", "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230439", - "rid": "SV-230439r810465_rule", - "stig_id": "RHEL-08-030361", - "fix_id": "F-33083r809301_fix", + "gid": "V-251713", + "rid": "SV-251713r902740_rule", + "stig_id": "RHEL-08-020101", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-55104r902739_fix", + "documentable": null, "cci": [ - "CCI-000169" + "CCI-000366" ], "nist": [ - "AU-12 a" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230439' do\n title 'Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nThe \"unlink\" system call deletes a name from the filesystem. 
If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.\nThe \"rmdir\" system call removes empty directories.\nThe \"renameat\" system call renames a file, moving it between directories if required.\nThe \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
Performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', %q(Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep 'rename\\|unlink\\|rmdir' /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nIf the command does not return an audit rule for \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" or any of the lines returned are commented out, this is a finding.)\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230439'\n tag rid: 'SV-230439r810465_rule'\n tag stig_id: 'RHEL-08-030361'\n tag fix_id: 'F-33083r809301_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['rename', 'unlink', 'rmdir', 'renameat', 'unlinkat']\n\n 
only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", + "code": "control 'SV-251713' do\n title 'RHEL 8 must ensure the password complexity module is enabled in the system-auth file.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth'\n desc 'check', 'Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n\nCheck for the use of \"pwquality\" in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55150r902738_chk'\n tag severity: 'medium'\n tag gid: 'V-251713'\n tag rid: 'SV-251713r902740_rule'\n tag stig_id: 'RHEL-08-020101'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55104r902739_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n [pam_auth_files['password-auth'], pam_auth_files['system-auth']].each do |path|\n describe pam(path) do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so') }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230439.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251713.rb", "line": 1 }, - "id": "SV-230439" + "id": "SV-251713" }, { - "title": "RHEL 8 must be configured to disable USB mass storage.", - "desc": "USB mass storage permits easy introduction of unknown devices, thereby\nfacilitating malicious activity.", + "title": "Successful/unsuccessful uses of the sudo command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would 
be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"sudo\" command allows\na permitted user to execute a command as the superuser or another user, as\nspecified by the security policy.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "USB mass storage permits easy introduction of unknown devices, thereby\nfacilitating malicious activity.", - "check": "Verify the operating system disables the ability to load the USB Storage kernel module.\n\n $ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/false\"\n install usb-storage /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use USB mass storage devices.\n\nCheck to see if USB mass storage is disabled with the following command:\n\n $ sudo grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n blacklist usb-storage\n\nIf the command does not return any output or the output is not \"blacklist usb-storage\" and use of USB storage devices is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the USB Storage kernel module and the ability to use USB mass storage devices.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n 
install usb-storage /bin/false\n blacklist usb-storage\n\nReboot the system for the settings to take effect." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"sudo\" command allows\na permitted user to execute a command as the superuser or another user, as\nspecified by the security policy.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"sudo\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w sudo /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"sudo\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
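Review bot: The SV-251713 test added here (`its('lines') { should match_pam_rule('.* .* pam_pwquality.so') }`) is looser than the requirement its own check text states, which is `password requisite pam_pwquality.so`; if `match_pam_rule` treats the pattern as a regex, as the `.*` wildcards suggest, a line such as `password optional pam_pwquality.so` (which does not enforce complexity) would satisfy it. Narrowing it to `match_pam_rule('password requisite pam_pwquality.so')`, or `'password (requisite|required) pam_pwquality.so'` if `required` is meant to be tolerated, makes the test match the finding criteria. Because this file appears to be a generated profile export, that change belongs in `./Red Hat 8 STIG/controls/SV-251713.rb` with the JSON regenerated. Note also that this is the only record in these hunks carrying a `check_id` tag, so consumers must treat that key as optional. The SV-230462 record that begins at the end of this hunk continues in the next one.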
@@ -7275,39 +7208,45 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000114-GPOS-00059", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000114-GPOS-00059", - "SRG-OS-000378-GPOS-00163" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000466-GPOS-00210" ], - "gid": "V-230503", - "rid": "SV-230503r942936_rule", - "stig_id": "RHEL-08-040080", - "fix_id": "F-33147r942935_fix", + "gid": "V-230462", + "rid": "SV-230462r627750_rule", + "stig_id": "RHEL-08-030550", + "fix_id": "F-33106r568133_fix", "cci": [ - "CCI-000778" + "CCI-000169" ], "nist": [ - "IA-3" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230503' do\n title 'RHEL 8 must be configured to disable USB mass storage.'\n desc 'USB mass storage permits easy introduction of unknown devices, thereby\nfacilitating malicious activity.'\n desc 'check', 'Verify the operating system disables the ability to load the USB Storage kernel module.\n\n $ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/false\"\n install usb-storage /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use USB mass storage devices.\n\nCheck to see if USB mass storage is disabled with the following command:\n\n $ sudo grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n blacklist usb-storage\n\nIf the command does not return any output or the output is not \"blacklist usb-storage\" and use of USB storage devices is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the USB Storage kernel module 
and the ability to use USB mass storage devices.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install usb-storage /bin/false\n blacklist usb-storage\n\nReboot the system for the settings to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag satisfies: ['SRG-OS-000114-GPOS-00059', 'SRG-OS-000378-GPOS-00163']\n tag gid: 'V-230503'\n tag rid: 'SV-230503r942936_rule'\n tag stig_id: 'RHEL-08-040080'\n tag fix_id: 'F-33147r942935_fix'\n tag cci: ['CCI-000778']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n if input('usb_storage_required') == true\n describe kernel_module('usb_storage') do\n it { should_not be_disabled }\n it { should_not be_blacklisted }\n end\n else\n describe kernel_module('usb_storage') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\n end\nend\n", + "code": "control 'SV-230462' do\n title 'Successful/unsuccessful uses of the sudo command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"sudo\" command allows\na permitted user to execute a command as the superuser or another user, as\nspecified by the security policy.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"sudo\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w sudo /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"sudo\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230462'\n tag rid: 'SV-230462r627750_rule'\n tag stig_id: 'RHEL-08-030550'\n tag fix_id: 'F-33106r568133_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/sudo'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230503.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230462.rb", "line": 1 }, - "id": "SV-230503" + "id": "SV-230462" }, { - "title": "RHEL 8 must be configured to prevent unrestricted mail relaying.", - "desc": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", + "title": "RHEL 8 account identifiers (individuals, groups, roles, and devices)\n must be disabled after 35 days of inactivity.", + "desc": "Inactive identifiers pose a risk to systems and applications because\n attackers may exploit an inactive identifier and potentially obtain undetected\n access to the system. Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n\n RHEL 8 needs to track periods of inactivity and disable application\n identifiers after 35 days of inactivity.", "descriptions": { - "default": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", - "check": "Verify the system is configured to prevent unrestricted mail relaying.\n\n Determine if \"postfix\" is installed with the following commands:\n\n $ sudo yum list installed postfix\n\n postfix.x86_64 2:3.3.1-9.el8\n\n If postfix is not installed, this is Not Applicable.\n\n If postfix is installed, determine if it is configured to reject\nconnections from unknown or untrusted networks with the following command:\n\n $ sudo postconf -n smtpd_client_restrictions\n\n smtpd_client_restrictions = permit_mynetworks, reject\n\n If the \"smtpd_client_restrictions\" parameter contains any entries other\nthan \"permit_mynetworks\" and \"reject\", this is a finding.", - "fix": "If 
\"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to\nrestrict client connections to the local network with the following command:\n\n $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" + "default": "Inactive identifiers pose a risk to systems and applications because\n attackers may exploit an inactive identifier and potentially obtain undetected\n access to the system. Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n\n RHEL 8 needs to track periods of inactivity and disable application\n identifiers after 35 days of inactivity.", + "check": "Verify the account identifiers (individuals, groups, roles, and devices)\n are disabled after 35 days of inactivity with the following command:\n\n Check the account inactivity value by performing the following command:\n\n $ sudo grep -i inactive /etc/default/useradd\n\n INACTIVE=35\n\n If \"INACTIVE\" is set to \"-1\", a value greater than \"35\", or is\n commented out, this is a finding.", + "fix": "Configure RHEL 8 to disable account identifiers after 35 days of inactivity\n after the password expiration.\n\n Run the following command to change the configuration for useradd:\n\n $ sudo useradd -D -f 35\n\n DoD recommendation is 35 days, but a lower value is acceptable. The value \"-1\" will\n disable this feature, and \"0\" will disable the account immediately after the\n password expires." }, - "impact": 0, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" 
@@ -7315,34 +7254,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230550", - "rid": "SV-230550r627750_rule", - "stig_id": "RHEL-08-040290", - "fix_id": "F-33194r568397_fix", + "gtitle": "SRG-OS-000118-GPOS-00060", + "gid": "V-230373", + "rid": "SV-230373r627750_rule", + "stig_id": "RHEL-08-020260", + "fix_id": "F-33017r567866_fix", "cci": [ - "CCI-000366" + "CCI-000795" ], "nist": [ - "CM-6 b" + "IA-4 e" ], "host": null, "container": null }, - "code": "control 'SV-230550' do\n title 'RHEL 8 must be configured to prevent unrestricted mail relaying.'\n desc 'If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.'\n desc 'check', 'Verify the system is configured to prevent unrestricted mail relaying.\n\n Determine if \"postfix\" is installed with the following commands:\n\n $ sudo yum list installed postfix\n\n postfix.x86_64 2:3.3.1-9.el8\n\n If postfix is not installed, this is Not Applicable.\n\n If postfix is installed, determine if it is configured to reject\nconnections from unknown or untrusted networks with the following command:\n\n $ sudo postconf -n smtpd_client_restrictions\n\n smtpd_client_restrictions = permit_mynetworks, reject\n\n If the \"smtpd_client_restrictions\" parameter contains any entries other\nthan \"permit_mynetworks\" and \"reject\", this is a finding.'\n desc 'fix', %q(If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to\nrestrict client connections to the local network with the following command:\n\n $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject')\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230550'\n tag rid: 'SV-230550r627750_rule'\n tag stig_id: 'RHEL-08-040290'\n tag fix_id: 'F-33194r568397_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 
b']\n tag 'host'\n tag 'container'\n\n if package('postfix').installed?\n describe command('postconf -n smtpd_client_restrictions') do\n its('stdout.strip') {\n should match(/^smtpd_client_restrictions\\s+=\\s+(permit_mynetworks|reject)($|(,\\s*(permit_mynetworks|reject)\\s*$))/i)\n }\n end\n else\n impact 0.0\n describe 'The `postfix` package is not installed' do\n skip 'The `postfix` package is not installed, this control is Not Applicable'\n end\n end\nend\n", + "code": "control 'SV-230373' do\n title 'RHEL 8 account identifiers (individuals, groups, roles, and devices)\n must be disabled after 35 days of inactivity.'\n desc 'Inactive identifiers pose a risk to systems and applications because\n attackers may exploit an inactive identifier and potentially obtain undetected\n access to the system. Owners of inactive accounts will not notice if\n unauthorized access to their user account has been obtained.\n\n RHEL 8 needs to track periods of inactivity and disable application\n identifiers after 35 days of inactivity.'\n desc 'check', 'Verify the account identifiers (individuals, groups, roles, and devices)\n are disabled after 35 days of inactivity with the following command:\n\n Check the account inactivity value by performing the following command:\n\n $ sudo grep -i inactive /etc/default/useradd\n\n INACTIVE=35\n\n If \"INACTIVE\" is set to \"-1\", a value greater than \"35\", or is\n commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable account identifiers after 35 days of inactivity\n after the password expiration.\n\n Run the following command to change the configuration for useradd:\n\n $ sudo useradd -D -f 35\n\n DoD recommendation is 35 days, but a lower value is acceptable. 
The value \"-1\" will\n disable this feature, and \"0\" will disable the account immediately after the\n password expires.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000118-GPOS-00060'\n tag gid: 'V-230373'\n tag rid: 'SV-230373r627750_rule'\n tag stig_id: 'RHEL-08-020260'\n tag fix_id: 'F-33017r567866_fix'\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n tag 'host'\n tag 'container'\n\n days_of_inactivity = input('days_of_inactivity')\n\n describe 'Useradd configuration' do\n useradd_config = parse_config_file('/etc/default/useradd')\n\n context 'when INACTIVE is set' do\n it 'should exist' do\n expect(useradd_config.params).to include('INACTIVE')\n end\n\n it 'should not be nil' do\n expect(useradd_config.params['INACTIVE']).not_to be_nil\n end\n\n it 'should have INACTIVE greater than or equal to 0' do\n expect(useradd_config.params['INACTIVE'].to_i).to be >= 0\n end\n\n it 'should have INACTIVE less than or equal to days_of_inactivity' do\n expect(useradd_config.params['INACTIVE'].to_i).to be <= days_of_inactivity\n end\n\n it 'should not have INACTIVE equal to -1' do\n expect(useradd_config.params['INACTIVE']).not_to eq '-1'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230550.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230373.rb", "line": 1 }, - "id": "SV-230550" + "id": "SV-230373" }, { - "title": "RHEL 8 must restrict exposed kernel pointer addresses access.", - "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.", + "desc": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:\n\n$ sudo sysctl kernel.kptr_restrict\n\nkernel.kptr_restrict = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1\n\nIf \"kernel.kptr_restrict\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.kptr_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" + "default": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "check": "Verify the SSH daemon does not allow GSSAPI authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*gssapiauthentication'\n\nGSSAPIAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the SSH daemon to not allow GSSAPI authentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n GSSAPIAuthentication no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
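Review bot: In the SV-230373 test, `useradd_config.params['INACTIVE'].to_i` coerces a blank or non-numeric value (for example a malformed `INACTIVE=` line) to 0, which then satisfies both the `be >= 0` and `be <= days_of_inactivity` expectations, so a broken setting passes; the `not_to eq '-1'` example is already implied by `be >= 0`. A format check before the numeric comparisons closes that gap: `it 'should be a non-negative integer' do` / `expect(useradd_config.params['INACTIVE']).to match(/\A\d+\z/)` / `end`. As with the other records, the change belongs in `./Red Hat 8 STIG/controls/SV-230373.rb` and the export should be regenerated. The SV-244528 record that begins at the end of this hunk continues in the next one.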
@@ -7353,32 +7292,33 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230547", - "rid": "SV-230547r858826_rule", - "stig_id": "RHEL-08-040283", - "fix_id": "F-33191r858825_fix", + "gid": "V-244528", + "rid": "SV-244528r952106_rule", + "stig_id": "RHEL-08-010522", + "fix_id": "F-47760r743832_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230547' do\n title 'RHEL 8 must restrict exposed kernel pointer addresses access.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:\n\n$ sudo sysctl kernel.kptr_restrict\n\nkernel.kptr_restrict = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1\n\nIf \"kernel.kptr_restrict\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.kptr_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230547'\n tag rid: 'SV-230547r858826_rule'\n tag stig_id: 'RHEL-08-040283'\n tag fix_id: 'F-33191r858825_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.kptr_restrict'\n action = 'kernel pointer addresses'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" 
do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244528' do\n title 'The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.'\n desc 'Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow GSSAPI authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*gssapiauthentication'\n\nGSSAPIAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow GSSAPI authentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n GSSAPIAuthentication no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244528'\n tag rid: 'SV-244528r952106_rule'\n tag stig_id: 'RHEL-08-010522'\n tag fix_id: 'F-47760r743832_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n setting = 'GSSAPIAuthentication'\n gssapi_authentication = input('sshd_config_values')\n value = gssapi_authentication[setting]\n\n if virtualization.system.eql?('docker')\n describe 'In a container Environment' do\n if package('openssh-server').installed?\n it 'the OpenSSH Server should be installed when allowed in Docker environment' do\n expect(input('allow_container_openssh_server')).to eq(true), 'OpenSSH Server is installed but not approved for the Docker environment'\n end\n else\n it 'the OpenSSH Server is not installed' do\n skip 'This requirement is not applicable as the OpenSSH Server is not installed in the Docker environment.'\n end\n end\n end\n else\n describe 'The OpenSSH Server configuration' do\n it \"has the correct #{setting} configuration\" do\n expect(sshd_active_config.params[setting.downcase]).to cmp(value), \"The #{setting} setting in the SSHD config is not correct. Please ensure it set to '#{value}'.\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230547.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244528.rb", "line": 1 }, - "id": "SV-230547" + "id": "SV-244528" }, { - "title": "RHEL 8 must restrict privilege elevation to authorized personnel.", - "desc": "The sudo command allows a user to execute programs with elevated\n(administrator) privileges. It prompts the user for their password and confirms\nyour request to execute a command by checking a file, called sudoers. 
If the\n\"sudoers\" file is not configured correctly, any user defined on the system\ncan initiate privileged actions on the target system.", + "title": "RHEL 8 operating systems must require authentication upon booting into\nrescue mode.", + "desc": "If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.", "descriptions": { - "default": "The sudo command allows a user to execute programs with elevated\n(administrator) privileges. It prompts the user for their password and confirms\nyour request to execute a command by checking a file, called sudoers. If the\n\"sudoers\" file is not configured correctly, any user defined on the system\ncan initiate privileged actions on the target system.", - "check": "Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL", - "fix": "Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL" + "default": "If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.", + "check": "Check to see if the system requires authentication for rescue mode with the\nfollowing command:\n\n $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n\n If the \"ExecStart\" line is configured for anything other than\n\"/usr/lib/systemd/systemd-sulogin-shell rescue\", commented out, or missing,\nthis is a finding.", + "fix": "Configure the system to require authentication upon booting into rescue\nmode by adding the following line to 
the\n\"/usr/lib/systemd/system/rescue.service\" file.\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" }, "impact": 0.5, "refs": [ 
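Review bot: In the new SV-244528 code the container branch never checks the `GSSAPIAuthentication` value: when `package('openssh-server').installed?` is true it only asserts that `input('allow_container_openssh_server')` equals true, so an approved in-container sshd with `GSSAPIAuthentication yes` passes this control. Add the host-branch expectation after the approval check: `it "has the correct #{setting} configuration" do` / `expect(sshd_active_config.params[setting.downcase]).to cmp(value)` / `end`. Note also that the expected value is read from `input('sshd_config_values')`, so an input of `yes` makes the control pass with no trace of the ISSO documentation the check text requires; a comment stating that this input is the documented exception would help the next maintainer. The SV-244528 entry begins before this hunk, and if this JSON is a regenerated export the change belongs in `./Red Hat 8 STIG/controls/SV-244528.rb`.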
@@ -7388,33 +7328,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-237641", - "rid": "SV-237641r646893_rule", - "stig_id": "RHEL-08-010382", - "fix_id": "F-40823r646892_fix", + "gtitle": "SRG-OS-000080-GPOS-00048", + "gid": "V-230236", + "rid": "SV-230236r743928_rule", + "stig_id": "RHEL-08-010151", + "fix_id": "F-32880r743927_fix", "cci": [ - "CCI-000366" + "CCI-000213" ], "nist": [ - "CM-6 b" + "AC-3" ], "host": null }, - "code": "control 'SV-237641' do\n title 'RHEL 8 must restrict privilege elevation to authorized personnel.'\n desc 'The sudo command allows a user to execute programs with elevated\n(administrator) privileges. It prompts the user for their password and confirms\nyour request to execute a command by checking a file, called sudoers. If the\n\"sudoers\" file is not configured correctly, any user defined on the system\ncan initiate privileged actions on the target system.'\n desc 'check', %q(Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL)\n desc 'fix', 'Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-237641'\n tag rid: 'SV-237641r646893_rule'\n tag stig_id: 'RHEL-08-010382'\n tag fix_id: 'F-40823r646892_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers without sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n bad_sudoers_rules = sudoers(input('sudoers_config_files').join(' ')).rules.where {\n users == 'ALL' &&\n hosts == 'ALL' &&\n run_as.start_with?('ALL') &&\n commands == 'ALL'\n }\n\n describe 
'Sudoers file(s)' do\n it 'should not contain any unrestricted sudo rules' do\n expect(bad_sudoers_rules.entries).to be_empty, \"Unrestricted sudo rules found; check sudoers file(s):\\n\\t- #{input('sudoers_config_files').join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230236' do\n title 'RHEL 8 operating systems must require authentication upon booting into\nrescue mode.'\n desc 'If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.'\n desc 'check', 'Check to see if the system requires authentication for rescue mode with the\nfollowing command:\n\n $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n\n If the \"ExecStart\" line is configured for anything other than\n\"/usr/lib/systemd/systemd-sulogin-shell rescue\", commented out, or missing,\nthis is a finding.'\n desc 'fix', 'Configure the system to require authentication upon booting into rescue\nmode by adding the following line to the\n\"/usr/lib/systemd/system/rescue.service\" file.\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-230236'\n tag rid: 'SV-230236r743928_rule'\n tag stig_id: 'RHEL-08-010151'\n tag fix_id: 'F-32880r743927_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('Control not applicable within a container without sudo enabled', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n describe service('rescue') do\n its('params.ExecStart') { should include '/usr/lib/systemd/systemd-sulogin-shell rescue' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-237641.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230236.rb", "line": 1 }, - "id": 
"SV-237641" + "id": "SV-230236" }, { - "title": "RHEL 8 network interfaces must not be in promiscuous mode.", - "desc": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. If unauthorized individuals can access\nthese applications, it may allow them to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", + "title": "The krb5-server package must not be installed on RHEL 8.", + "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", "descriptions": { - "default": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. 
If unauthorized individuals can access\nthese applications, it may allow them to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", - "check": "Verify network interfaces are not in promiscuous mode unless approved by\nthe ISSO and documented.\n\n Check for the status with the following command:\n\n $ sudo ip link | grep -i promisc\n\n If network interfaces are found on the system in promiscuous mode and their\nuse has not been approved by the ISSO and documented, this is a finding.", - "fix": "Configure network interfaces to turn off promiscuous mode unless approved\nby the ISSO and documented.\n\n Set the promiscuous mode of an interface to off with the following command:\n\n $ sudo ip link set dev multicast off promisc off" + "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "check": "Verify the krb5-server package has not been installed on the system with\nthe following commands:\n\n If the system is a workstation or is utilizing\nkrb5-server-1.17-18.el8.x86_64 or newer, this is Not Applicable\n\n $ sudo yum list installed krb5-server\n\n krb5-server.x86_64 1.17-9.el8 repository\n\n If the krb5-server package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", + "fix": "Document the krb5-server package with the ISSO as an operational\nrequirement or remove it from the system with the following command:\n\n $ sudo yum remove krb5-server" }, "impact": 0.5, "refs": [ 
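Review bot: The `only_if` skip message in the SV-230236 code, `'Control not applicable within a container without sudo enabled'`, does not describe its predicate, which tests only `virtualization.system.eql?('docker')`; a reader of the report would assume a sudo check that is not there. Suggest `only_if('Control not applicable within a container', impact: 0.0) do`, or extend the predicate if a sudo condition was intended. Separately, `its('params.ExecStart') { should include '/usr/lib/systemd/systemd-sulogin-shell rescue' }` is a substring match, which is appropriate if `params.ExecStart` carries systemctl's `{ path=… ; argv[]=… }` form, but it also accepts an ExecStart with extra arguments after `rescue`; a short comment stating that the substring match is deliberate would help. If this JSON is a regenerated export, the change belongs in `./Red Hat 8 STIG/controls/SV-230236.rb`.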
@@ -7424,33 +7364,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230554", - "rid": "SV-230554r627750_rule", - "stig_id": "RHEL-08-040330", - "fix_id": "F-33198r568409_fix", + "gtitle": "SRG-OS-000120-GPOS-00061", + "gid": "V-237640", + "rid": "SV-237640r646890_rule", + "stig_id": "RHEL-08-010163", + "fix_id": "F-40822r646889_fix", "cci": [ - "CCI-000366" + "CCI-000803" ], "nist": [ - "CM-6 b" + "IA-7" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230554' do\n title 'RHEL 8 network interfaces must not be in promiscuous mode.'\n desc 'Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. If unauthorized individuals can access\nthese applications, it may allow them to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.'\n desc 'check', 'Verify network interfaces are not in promiscuous mode unless approved by\nthe ISSO and documented.\n\n Check for the status with the following command:\n\n $ sudo ip link | grep -i promisc\n\n If network interfaces are found on the system in promiscuous mode and their\nuse has not been approved by the ISSO and documented, this is a finding.'\n desc 'fix', 'Configure network interfaces to turn off promiscuous mode unless approved\nby the ISSO and documented.\n\n Set the promiscuous mode of an interface to off with the following command:\n\n $ sudo ip link set dev multicast off promisc off'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230554'\n tag rid: 'SV-230554r627750_rule'\n tag stig_id: 'RHEL-08-040330'\n tag fix_id: 'F-33198r568409_fix'\n tag cci: 
['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('promiscuous_mode_permitted')\n describe command('ip link | grep -i promisc') do\n its('stdout.strip') { should_not match(/^$/) }\n end\n else\n describe command('ip link | grep -i promisc') do\n its('stdout.strip') { should match(/^$/) }\n end\n end\nend\n", + "code": "control 'SV-237640' do\n title 'The krb5-server package must not be installed on RHEL 8.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify the krb5-server package has not been installed on the system with\nthe following commands:\n\n If the system is a workstation or is utilizing\nkrb5-server-1.17-18.el8.x86_64 or newer, this is Not Applicable\n\n $ sudo yum list installed krb5-server\n\n krb5-server.x86_64 1.17-9.el8 repository\n\n If the krb5-server package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the krb5-server package with the ISSO as an operational\nrequirement or remove it from the system with the following command:\n\n $ sudo yum remove krb5-server'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-237640'\n tag rid: 'SV-237640r646890_rule'\n tag stig_id: 'RHEL-08-010163'\n tag fix_id: 'F-40822r646889_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n kerb = package('krb5-server')\n\n if (kerb.installed? && kerb.version >= '1.17-9.el8') || input('system_is_workstation')\n impact 0.0\n describe 'N/A' do\n skip 'The system is a workstation or is utilizing krb5-server-1.17-9.el8 or newer; control is Not Applicable.'\n end\n elsif input('kerberos_required')\n describe package('krb5-server') do\n it { should be_installed }\n end\n else\n describe package('krb5-server') do\n it { should_not be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230554.rb", + "ref": "./Red Hat 8 STIG/controls/SV-237640.rb", "line": 1 }, - "id": "SV-230554" + "id": "SV-237640" }, { - "title": "The debug-shell systemd service must be disabled on RHEL 8.", - "desc": "The debug-shell requires no authentication and provides root\nprivileges to anyone who has physical access to the machine. 
While this\nfeature is disabled by default, masking it adds an additional layer of\nassurance that it will not be enabled via a dependency in systemd. This also\nprevents attackers with physical access from trivially bypassing security on\nthe machine through valid troubleshooting configurations and gaining root\naccess when the system is rebooted.", + "title": "Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" and \"finit_module\" system calls are used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", "descriptions": { - "default": "The debug-shell requires no authentication and provides root\nprivileges to anyone who has physical access to the machine. While this\nfeature is disabled by default, masking it adds an additional layer of\nassurance that it will not be enabled via a dependency in systemd. 
This also\nprevents attackers with physical access from trivially bypassing security on\nthe machine through valid troubleshooting configurations and gaining root\naccess when the system is rebooted.", - "check": "Verify RHEL 8 is configured to mask the debug-shell systemd service with\nthe following command:\n\n $ sudo systemctl status debug-shell.service\n\n debug-shell.service\n Loaded: masked (Reason: Unit debug-shell.service is masked.)\n Active: inactive (dead)\n\n If the \"debug-shell.service\" is loaded and not masked, this is a finding.", - "fix": "Configure the system to mask the debug-shell systemd service with the\nfollowing command:\n\n $ sudo systemctl mask debug-shell.service\n\n Created symlink /etc/systemd/system/debug-shell.service -> /dev/null\n\n Reload the daemon to take effect.\n\n $ sudo systemctl daemon-reload" + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" and \"finit_module\" system calls are used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.", + "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep init_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nIf the command does not return an audit rule for \"init_module\" and \"finit_module\" or any of the lines returned are commented out, this is a finding.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"init_module\" and \"finit_module\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nThe audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
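Review bot: The Not Applicable threshold in the SV-237640 code, `kerb.version >= '1.17-9.el8'`, contradicts the check text, which makes the control Not Applicable only at `krb5-server-1.17-18.el8.x86_64 or newer` and lists `1.17-9.el8` as an installed version that is a finding; the skip message repeats the wrong version. The comparison is also a plain string comparison, so `'1.17-18.el8' >= '1.17-9.el8'` is false because `'1'` sorts before `'9'`, and a value such as `'1.9-1.el8'` would sort above `'1.17-18.el8'`. Compare version and release numerically instead, e.g. `ver, rel = kerb.version.split('-', 2)` and `nonapplicable = Gem::Version.new(ver) > Gem::Version.new('1.17') || (ver == '1.17' && rel.to_i >= 18)`, and change the skip text to `1.17-18.el8`. If this JSON is a regenerated export, the fix belongs in `./Red Hat 8 STIG/controls/SV-237640.rb`.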
@@ -7460,33 +7401,41 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230532", - "rid": "SV-230532r627750_rule", - "stig_id": "RHEL-08-040180", - "fix_id": "F-33176r619892_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230438", + "rid": "SV-230438r810464_rule", + "stig_id": "RHEL-08-030360", + "fix_id": "F-33082r810448_fix", "cci": [ - "CCI-000366" + "CCI-000169" ], "nist": [ - "CM-6 b" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230532' do\n title 'The debug-shell systemd service must be disabled on RHEL 8.'\n desc 'The debug-shell requires no authentication and provides root\nprivileges to anyone who has physical access to the machine. While this\nfeature is disabled by default, masking it adds an additional layer of\nassurance that it will not be enabled via a dependency in systemd. 
This also\nprevents attackers with physical access from trivially bypassing security on\nthe machine through valid troubleshooting configurations and gaining root\naccess when the system is rebooted.'\n desc 'check', 'Verify RHEL 8 is configured to mask the debug-shell systemd service with\nthe following command:\n\n $ sudo systemctl status debug-shell.service\n\n debug-shell.service\n Loaded: masked (Reason: Unit debug-shell.service is masked.)\n Active: inactive (dead)\n\n If the \"debug-shell.service\" is loaded and not masked, this is a finding.'\n desc 'fix', 'Configure the system to mask the debug-shell systemd service with the\nfollowing command:\n\n $ sudo systemctl mask debug-shell.service\n\n Created symlink /etc/systemd/system/debug-shell.service -> /dev/null\n\n Reload the daemon to take effect.\n\n $ sudo systemctl daemon-reload'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230532'\n tag rid: 'SV-230532r627750_rule'\n tag stig_id: 'RHEL-08-040180'\n tag fix_id: 'F-33176r619892_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n d = systemd_service('debug-shell.service')\n\n describe.one do\n describe d do\n its('params.LoadState') { should eq 'masked' }\n end\n describe d do\n its('params.LoadState') { should eq 'not-found' }\n end\n end\nend\n", + "code": "control 'SV-230438' do\n title 'Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the 
information system (e.g., module or policy filter). The \"init_module\" and \"finit_module\" system calls are used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', 'Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep init_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nIf the command does not return an audit rule for \"init_module\" and \"finit_module\" or any of the lines returned are commented out, this is a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"init_module\" and \"finit_module\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nThe audit daemon must be 
restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230438'\n tag rid: 'SV-230438r810464_rule'\n tag stig_id: 'RHEL-08-030360'\n tag fix_id: 'F-33082r810448_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['init_module', 'finit_module']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230532.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230438.rb", "line": 1 }, - "id": "SV-230532" + "id": "SV-230438" }, { - "title": "RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.", - "desc": "Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing 
accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.", + "title": "The RHEL 8 operating system must implement the Endpoint Security for\nLinux Threat Prevention tool.", + "desc": "Adding endpoint security tools can provide the capability to\nautomatically take actions in response to malicious behavior, which can provide\nadditional agility in reacting to network threats. These tools also often\ninclude a reporting capability to provide network awareness of the system,\nwhich may not otherwise exist in an organization's systems management regime.", "descriptions": { - "default": "Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.", - "check": "Verify the operating system prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nObtain a list of authorized users (other than system administrator and guest accounts) for the system.\n\nCheck the list against the system by using the following command:\n\n $ sudo semanage login -l | more\n\n Login Name SELinux User MLS/MCS Range Service\n\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n\nAll administrators must be mapped to the \"sysadm_u\", \"staff_u\", or an appropriately tailored confined role as defined by the organization.\n\nAll authorized nonadministrative users must be mapped to the \"user_u\" role.\n\nIf they are not mapped in this way, this is a finding.", - "fix": "Configure RHEL 8 to prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nUse the following command to map a new user to the \"sysadm_u\" role:\n\n $ sudo semanage login -a -s sysadm_u \n\nUse the following command to map an existing user to the \"sysadm_u\" role:\n\n $ sudo semanage login -m -s sysadm_u \n\nUse the following command to map a new user to the \"staff_u\" role:\n\n $ sudo semanage login -a -s staff_u \n\nUse the following command to map an existing user to the \"staff_u\" role:\n\n $ sudo semanage login -m -s staff_u \n\nUse the following command to map a new user to the \"user_u\" role:\n\n $ sudo semanage login -a -s user_u \n\nUse the following command to map an existing user to the \"user_u\" role:\n\n $ sudo semanage login -m -s user_u \n\nNote: SELinux confined 
users mapped to sysadm_u are not allowed to log in to the system over SSH, by default. If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to \"on\" with the following command:\n\n $ sudo setsebool -P ssh_sysadm_login on\n\nThis must be documented with the information system security officer (ISSO) as an operational requirement." + "default": "Adding endpoint security tools can provide the capability to\nautomatically take actions in response to malicious behavior, which can provide\nadditional agility in reacting to network threats. These tools also often\ninclude a reporting capability to provide network awareness of the system,\nwhich may not otherwise exist in an organization's systems management regime.", + "check": "Check that the following package has been installed:\n\n $ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n $ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.", + "fix": "Install and enable the latest Trellix ENSLTP package." }, "impact": 0.5, "refs": [ 
@@ -7495,37 +7444,34 @@ } ], "tags": { - "check_id": "C-58004r928594_chk", "severity": "medium", - "gid": "V-254520", - "rid": "SV-254520r928805_rule", - "stig_id": "RHEL-08-040400", - "gtitle": "SRG-OS-000324-GPOS-00125", - "fix_id": "F-57953r928805_fix", - "documentable": null, - "cci": [ - "CCI-002265" + "gtitle": "SRG-OS-000191-GPOS-00080", + "gid": "V-245540", + "rid": "SV-245540r942951_rule", + "stig_id": "RHEL-08-010001", + "fix_id": "F-48770r942950_fix", + "cci": [ + "CCI-001233" ], "nist": [ - "AC-16 b" + "SI-2 (2)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-254520' do\n title 'RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.'\n desc 'Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. 
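Review bot: The new `code` string for SV-230438 asserts `expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')`, while the same control's `check` and `fix` text (and the rules it tells the operator to write) use `-F auid!=unset`; the control's own description states that `-1`, `4294967295` and `unset` are equivalent to the audit subsystem, but the assertion only accepts the first spelling. Whether this passes presumably depends on how `auditctl -l` (as read by the `auditd` resource) normalises the field on a given audit version, which is not visible here — confirm against a RHEL 8 host and, if it does not normalise to `-1`, accept all three forms, e.g. `expect(audit_rule.fields.flatten).to satisfy { |f| (f & %w[auid!=-1 auid!=unset auid!=4294967295]).any? }`. A short comment on that line stating the equivalence, `# auid!=-1, auid!=unset and auid!=4294967295 are equivalent filters`, would make the intent clear to the next reviewer. The control object this hunk edits begins and ends outside the hunk (its `refs` array is cut at both edges).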
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.'\n desc 'check', 'Verify the operating system prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nObtain a list of authorized users (other than system administrator and guest accounts) for the system.\n\nCheck the list against the system by using the following command:\n\n $ sudo semanage login -l | more\n\n Login Name SELinux User MLS/MCS Range Service\n\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n\nAll administrators must be mapped to the \"sysadm_u\", \"staff_u\", or an appropriately tailored confined role as defined by the organization.\n\nAll authorized nonadministrative users must be mapped to the \"user_u\" role.\n\nIf they are not mapped in this way, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nUse the following command to map a new user to the \"sysadm_u\" role:\n\n $ sudo semanage login -a -s sysadm_u \n\nUse the following command to map an existing user to the \"sysadm_u\" role:\n\n $ sudo semanage login -m -s sysadm_u \n\nUse the following command to map a new user to the \"staff_u\" role:\n\n $ sudo semanage login -a -s staff_u \n\nUse the following command to map an existing user to the \"staff_u\" role:\n\n $ sudo semanage login -m -s staff_u \n\nUse the following command to map a new user to the \"user_u\" role:\n\n $ sudo semanage login -a -s user_u \n\nUse the following command to map an existing user to the \"user_u\" role:\n\n $ sudo semanage login -m -s user_u \n\nNote: SELinux 
confined users mapped to sysadm_u are not allowed to log in to the system over SSH, by default. If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to \"on\" with the following command:\n\n $ sudo setsebool -P ssh_sysadm_login on\n\nThis must be documented with the information system security officer (ISSO) as an operational requirement.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-58004r928594_chk'\n tag severity: 'medium'\n tag gid: 'V-254520'\n tag rid: 'SV-254520r928805_rule'\n tag stig_id: 'RHEL-08-040400'\n tag gtitle: 'SRG-OS-000324-GPOS-00125'\n tag fix_id: 'F-57953r928805_fix'\n tag 'documentable'\n tag cci: ['CCI-002265']\n tag nist: ['AC-16 b']\n tag 'host'\n tag 'container'\n\n se_login = command('semanage login -ln').stdout.lines.map(&:strip)\n allowed_admin_selinux_roles = input('allowed_admin_selinux_roles')\n allowed_non_admin_selinux_roles = input('allowed_non_admin_selinux_roles')\n\n users = {}\n se_login.each_with_object({}) do |line, users|\n login_name, selinux_user = line.split[0..1]\n users[login_name] = selinux_user\n end\n\n misconfigured_admins = users.select { |login_name, selinux_user|\n input('administrator_users').include?(login_name) &&\n !allowed_admin_selinux_roles.include?(selinux_user)\n }\n\n misconfigured_non_admins = users.select { |login_name, selinux_user|\n !input('administrator_users').include?(login_name) &&\n !allowed_non_admin_selinux_roles.include?(selinux_user)\n }\n\n describe 'All administrators' do\n it \"must be mapped to the an appropriate role (allowed admin roles: #{allowed_admin_selinux_roles.join(', ')})\" do\n expect(misconfigured_admins.keys).to be_empty, \"Misconfigured admins:\\n\\t- #{misconfigured_admins.keys.join(\"\\n\\t- \")}\"\n end\n end\n\n describe 'All non-administrator users' do\n it \"must be mapped to the an appropriate role (allowed non-admin user roles: #{allowed_non_admin_selinux_roles.join(', ')})\" do\n 
expect(misconfigured_non_admins.keys).to be_empty, \"Misconfigured non-admin users:\\n\\t- #{misconfigured_non_admins.keys.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-245540' do\n title 'The RHEL 8 operating system must implement the Endpoint Security for\nLinux Threat Prevention tool.'\n desc \"Adding endpoint security tools can provide the capability to\nautomatically take actions in response to malicious behavior, which can provide\nadditional agility in reacting to network threats. These tools also often\ninclude a reporting capability to provide network awareness of the system,\nwhich may not otherwise exist in an organization's systems management regime.\"\n desc 'check', 'Check that the following package has been installed:\n\n $ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n $ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.'\n desc 'fix', 'Install and enable the latest Trellix ENSLTP package.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000191-GPOS-00080'\n tag gid: 'V-245540'\n tag rid: 'SV-245540r942951_rule'\n tag stig_id: 'RHEL-08-010001'\n tag fix_id: 'F-48770r942950_fix'\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n if input('skip_endpoint_security_tool')\n impact 0.0\n describe 'Implementing the Endpoint Security for Linux Threat Prevention tool is not applicable by agreement with the approval authority of the organization.' 
do\n skip 'Implementing the Endpoint Security for Linux Threat Prevention tool is not applicable by agreement with the approval authority of the organization.'\n end\n else\n linux_threat_prevention_package = input('linux_threat_prevention_package')\n linux_threat_prevention_service = input('linux_threat_prevention_service')\n describe package(linux_threat_prevention_package) do\n it { should be_installed }\n end\n\n describe processes(linux_threat_prevention_service) do\n it { should exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-254520.rb", + "ref": "./Red Hat 8 STIG/controls/SV-245540.rb", "line": 1 }, - "id": "SV-254520" + "id": "SV-245540" }, { - "title": "Cron logging must be implemented in RHEL 8.", - "desc": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", + "title": "RHEL 8 must force a frequent session key renegotiation for SSH\nconnections to the server.", + "desc": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.\n\n Session key regeneration limits the chances of a session key becoming\ncompromised.", "descriptions": { - "default": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", - "check": "Verify that \"rsyslog\" is configured to log cron events with the following\ncommand:\n\n Note: If another logging package is used, substitute the utility\nconfiguration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n $ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none\n /var/log/messages\n /etc/rsyslog.conf:# Log cron stuff\n /etc/rsyslog.conf:cron.*\n /var/log/cron\n\n If the command does not return a response, check for cron logging all\nfacilities with the following command.\n\n $ sudo grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none\n /var/log/messages\n\n If \"rsyslog\" is not logging messages for the cron facility or all\nfacilities, this is a finding.", - "fix": "Configure \"rsyslog\" to log all cron messages by adding or updating the\nfollowing line to \"/etc/rsyslog.conf\" or a configuration file in the\n/etc/rsyslog.d/ directory:\n\n cron.* /var/log/cron\n\n The rsyslog daemon must be restarted for the changes to take effect:\n $ sudo systemctl restart rsyslog.service" + "default": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., 
servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.\n\n Session key regeneration limits the chances of a session key becoming\ncompromised.", + "check": "Verify the SSH server is configured to force frequent session key renegotiation with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*rekeylimit'\n\nRekeyLimit 1G 1h\n\nIf \"RekeyLimit\" does not have a maximum data amount and maximum time defined, is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the system to force a frequent session key renegotiation for SSH\nconnections to the server by add or modifying the following line in the\n\"/etc/ssh/sshd_config\" file:\n\n RekeyLimit 1G 1h\n\n Restart the SSH daemon for the settings to take effect.\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
@@ -7535,33 +7481,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230387", - "rid": "SV-230387r743996_rule", - "stig_id": "RHEL-08-030010", - "fix_id": "F-33031r743995_fix", + "gtitle": "SRG-OS-000033-GPOS-00014", + "satisfies": [ + "SRG-OS-000033-GPOS-00014", + "SRG-OS-000420-GPOS-00186", + "SRG-OS-000424-GPOS-00188" + ], + "gid": "V-230527", + "rid": "SV-230527r951616_rule", + "stig_id": "RHEL-08-040161", + "fix_id": "F-33171r568328_fix", "cci": [ - "CCI-000366" + "CCI-000068" ], "nist": [ - "CM-6 b" + "AC-17 (2)" ], "host": null }, - "code": "control 'SV-230387' do\n title 'Cron logging must be implemented in RHEL 8.'\n desc 'Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.'\n desc 'check', 'Verify that \"rsyslog\" is configured to log cron events with the following\ncommand:\n\n Note: If another logging package is used, substitute the utility\nconfiguration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n $ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none\n /var/log/messages\n /etc/rsyslog.conf:# Log cron stuff\n /etc/rsyslog.conf:cron.*\n /var/log/cron\n\n If the command does not return a response, check for cron logging all\nfacilities with the following command.\n\n $ sudo grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none\n /var/log/messages\n\n If \"rsyslog\" is not logging messages for the cron facility or all\nfacilities, this is a finding.'\n desc 'fix', 'Configure \"rsyslog\" to log all cron messages by adding or updating the\nfollowing line to \"/etc/rsyslog.conf\" or a configuration file in the\n/etc/rsyslog.d/ directory:\n\n cron.* /var/log/cron\n\n The rsyslog daemon must be restarted 
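Review bot: The new `code` for SV-245540 tests `package(input('linux_threat_prevention_package'))` and `processes(input('linux_threat_prevention_service'))`, but the defaults for those two inputs are not visible in this entry, while the `check` text the control documents names the `mcafeetp` package and the `mfetpd` daemon; a reader of the baseline cannot tell whether the automated test and the manual check agree. A one-line comment next to the two `input(...)` calls naming the default values and where they are set (the profile's inputs file) would close that gap, and the `skip_endpoint_security_tool` branch that sets `impact 0.0` deserves a comment stating that the waiver must be recorded with the approval authority, mirroring the skip message. Also note that `processes(...)` matches on the process command string, so a bare daemon name may not match a full path on some hosts — worth confirming on a host where the agent is installed. The enclosing control object starts and ends outside this hunk.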
for the changes to take effect:\n $ sudo systemctl restart rsyslog.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230387'\n tag rid: 'SV-230387r743996_rule'\n tag stig_id: 'RHEL-08-030010'\n tag fix_id: 'F-33031r743995_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe.one do\n describe command(\"grep -hsv \\\"^#\\\" #{input('logging_conf_files').join(' ')} | grep ^cron\") do\n its('stdout') { should match %r{cron\\.\\*\\s*/var/log/cron} }\n end\n describe command(\"grep -hsv \\\"^#\\\" #{input('logging_conf_files').join(' ')} | grep /var/log/messages\") do\n its('stdout') { should match %r{\\*.info;mail.none;authpriv.none;cron.none\\s*/var/log/messages} }\n end\n end\nend\n", + "code": "control 'SV-230527' do\n title 'RHEL 8 must force a frequent session key renegotiation for SSH\nconnections to the server.'\n desc 'Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.\n\n Session key regeneration limits the chances of a session key becoming\ncompromised.'\n desc 'check', %q(Verify the SSH server is configured to force frequent session key renegotiation with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*rekeylimit'\n\nRekeyLimit 1G 1h\n\nIf \"RekeyLimit\" does not have a maximum data amount and maximum time defined, is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the system to force a frequent session key renegotiation for SSH\nconnections to the server by add or modifying the following line in the\n\"/etc/ssh/sshd_config\" file:\n\n RekeyLimit 1G 1h\n\n Restart the SSH daemon for the settings to take effect.\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000420-GPOS-00186', 'SRG-OS-000424-GPOS-00188']\n tag gid: 'V-230527'\n tag rid: 'SV-230527r951616_rule'\n tag stig_id: 'RHEL-08-040161'\n tag fix_id: 'F-33171r568328_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers without SSH enabled', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n describe sshd_active_config do\n its('RekeyLimit') { should cmp '1G 1h' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230387.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230527.rb", "line": 1 }, - "id": "SV-230387" + "id": "SV-230527" }, { - "title": "The RHEL 8 audit system must take appropriate action when the audit\nstorage volume is full.", - "desc": 
"It is critical that when RHEL 8 is at risk of failing to process audit\nlogs as required, it takes action to mitigate the failure. Audit processing\nfailures include software/hardware errors; failures in the audit capturing\nmechanisms; and audit storage capacity being reached or exceeded. Responses to\naudit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nRHEL 8 must continue generating audit records if possible (automatically\nrestarting the audit service if necessary) and overwriting the oldest audit\nrecords in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, RHEL 8 must queue\naudit records locally until communication is restored or until the audit\nrecords are retrieved manually. Upon restoration of the connection to the\ncentralized collection server, action should be taken to synchronize the local\naudit data with the collection server.", + "title": "RHEL 8 library files must be owned by root.", + "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", "descriptions": { - "default": "It is critical that when RHEL 8 is at risk of failing to process audit\nlogs as required, it takes action to mitigate the failure. Audit processing\nfailures include software/hardware errors; failures in the audit capturing\nmechanisms; and audit storage capacity being reached or exceeded. Responses to\naudit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nRHEL 8 must continue generating audit records if possible (automatically\nrestarting the audit service if necessary) and overwriting the oldest audit\nrecords in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, RHEL 8 must queue\naudit records locally until communication is restored or until the audit\nrecords are retrieved manually. Upon restoration of the connection to the\ncentralized collection server, action should be taken to synchronize the local\naudit data with the collection server.", - "check": "Verify RHEL 8 takes the appropriate action when the audit storage volume is\nfull.\n\n Check that RHEL 8 takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n $ sudo grep disk_full_action /etc/audit/auditd.conf\n\n disk_full_action = HALT\n\n If the value of the \"disk_full_action\" option is not \"SYSLOG\",\n\"SINGLE\", or \"HALT\", or the line is commented out, ask the system\nadministrator to indicate how the system takes appropriate action when an audit\nstorage volume is full. 
If there is no evidence of appropriate action, this is\na finding.", - "fix": "Configure RHEL 8 to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\n Add or update the following line (depending on configuration\n\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\n disk_full_action = HALT\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nby setting the \"disk_full_action\" to \"SYSLOG\"." + "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "check": "Verify the system-wide shared library files are owned by \"root\" with the\nfollowing command:\n\n $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {}\n\\;\n\n If any system wide shared library file is returned, this is a finding.", + "fix": "Configure the system-wide shared library files (/lib, /lib64, /usr/lib and\n/usr/lib64) to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any library file not\nowned by \"root\".\n\n $ sudo chown root [FILE]" }, "impact": 0.5, "refs": [ 
@@ -7571,33 +7522,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000047-GPOS-00023", - "gid": "V-230392", - "rid": "SV-230392r627750_rule", - "stig_id": "RHEL-08-030060", - "fix_id": "F-33036r567923_fix", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-230261", + "rid": "SV-230261r627750_rule", + "stig_id": "RHEL-08-010340", + "fix_id": "F-32905r567530_fix", "cci": [ - "CCI-000140" + "CCI-001499" ], "nist": [ - "AU-5 b" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230392' do\n title 'The RHEL 8 audit system must take appropriate action when the audit\nstorage volume is full.'\n desc 'It is critical that when RHEL 8 is at risk of failing to process audit\nlogs as required, it takes action to mitigate the failure. Audit processing\nfailures include software/hardware errors; failures in the audit capturing\nmechanisms; and audit storage capacity being reached or exceeded. Responses to\naudit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nRHEL 8 must continue generating audit records if possible (automatically\nrestarting the audit service if necessary) and overwriting the oldest audit\nrecords in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, RHEL 8 must queue\naudit records locally until communication is restored or until the audit\nrecords are retrieved manually. 
Upon restoration of the connection to the\ncentralized collection server, action should be taken to synchronize the local\naudit data with the collection server.'\n desc 'check', 'Verify RHEL 8 takes the appropriate action when the audit storage volume is\nfull.\n\n Check that RHEL 8 takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n $ sudo grep disk_full_action /etc/audit/auditd.conf\n\n disk_full_action = HALT\n\n If the value of the \"disk_full_action\" option is not \"SYSLOG\",\n\"SINGLE\", or \"HALT\", or the line is commented out, ask the system\nadministrator to indicate how the system takes appropriate action when an audit\nstorage volume is full. If there is no evidence of appropriate action, this is\na finding.'\n desc 'fix', 'Configure RHEL 8 to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\n Add or update the following line (depending on configuration\n\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\n disk_full_action = HALT\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nby setting the \"disk_full_action\" to \"SYSLOG\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000047-GPOS-00023'\n tag gid: 'V-230392'\n tag rid: 'SV-230392r627750_rule'\n tag stig_id: 'RHEL-08-030060'\n tag fix_id: 'F-33036r567923_fix'\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n disk_full_action = input('disk_full_action').map(&:upcase)\n\n describe auditd_conf do\n its('disk_full_action.upcase') { should be_in 
disk_full_action }\n end\nend\n", + "code": "control 'SV-230261' do\n title 'RHEL 8 library files must be owned by root.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system-wide shared library files are owned by \"root\" with the\nfollowing command:\n\n $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {}\n\\\\;\n\n If any system wide shared library file is returned, this is a finding.'\n desc 'fix', 'Configure the system-wide shared library files (/lib, /lib64, /usr/lib and\n/usr/lib64) to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any library file not\nowned by \"root\".\n\n $ sudo chown root [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230261'\n tag rid: 'SV-230261r627750_rule'\n tag stig_id: 'RHEL-08-010340'\n tag fix_id: 'F-32905r567530_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_libraries').join(' ')} ! 
-user root -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System libraries' do\n it 'should be owned by root' do\n expect(failing_files).to be_empty, \"Files not owned by root:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230392.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230261.rb", "line": 1 }, - "id": "SV-230392" + "id": "SV-230261" }, { - "title": "Successful/unsuccessful uses of postqueue in RHEL 8 must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postqueue\" command implements the Postfix user interface for queue\nmanagement.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "Successful/unsuccessful uses of the mount command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" command is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. 
Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postqueue\" command implements the Postfix user interface for queue\nmanagement.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"postqueue\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"postqueue\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"postqueue\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" command is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"mount\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/mount /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" command by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
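Review bot: In the new `SV-230261` control body, `failing_files` is taken from `command(...).stdout.split("\n")` with no check of the command's exit status, so if `find` fails (a path from `input('system_libraries')` that does not exist, or a permission error reported only on stderr) stdout is empty and the `it 'should be owned by root'` example passes vacuously. Bind the command result and assert on it first: `lib_check = command("find -L #{input('system_libraries').join(' ')} ! -user root -exec ls -d {} \\;")`, then inside the example `expect(lib_check.exit_status).to eq(0), "find failed: #{lib_check.stderr}"` ahead of the existing `be_empty` expectation. The joined input is also interpolated unquoted into the shell string, so a library path containing whitespace would be split into separate arguments; quoting each element (Ruby's `Shellwords.join`) would make that robust. Since this JSON is an export (`source_location` points at `./Red Hat 8 STIG/controls/SV-230261.rb`), the change belongs in that control file with the baseline regenerated afterwards.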
@@ -7617,10 +7569,10 @@
 "SRG-OS-000462-GPOS-00206",
 "SRG-OS-000471-GPOS-00215"
 ],
- "gid": "V-230428",
- "rid": "SV-230428r627750_rule",
- "stig_id": "RHEL-08-030312",
- "fix_id": "F-33072r568031_fix",
+ "gid": "V-230423",
+ "rid": "SV-230423r627750_rule",
+ "stig_id": "RHEL-08-030300",
+ "fix_id": "F-33067r568016_fix",
 "cci": [
 "CCI-000169"
 ],
@@ -7629,20 +7581,20 @@ ], "host": null }, - "code": "control 'SV-230428' do\n title 'Successful/unsuccessful uses of postqueue in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postqueue\" command implements the Postfix user interface for queue\nmanagement.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"postqueue\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"postqueue\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"postqueue\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: 
['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230428'\n tag rid: 'SV-230428r627750_rule'\n tag stig_id: 'RHEL-08-030312'\n tag fix_id: 'F-33072r568031_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/postqueue'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230423' do\n title 'Successful/unsuccessful uses of the mount command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" command is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"mount\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/mount /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" command by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230423'\n tag rid: 'SV-230423r627750_rule'\n tag stig_id: 'RHEL-08-030300'\n tag fix_id: 'F-33067r568016_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/mount'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230428.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230423.rb", "line": 1 }, - "id": "SV-230428" + "id": "SV-230423" }, { - "title": "RHEL 8 must not allow interfaces to perform Internet Control Message\nProtocol (ICMP) redirects by default.", - "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "The RHEL 8 audit records must be off-loaded onto a different system or\nstorage media from the system being audited.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). 
There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0\n\nIf \"net.ipv4.conf.default.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nAdd or edit the following line in a system configuration file, in 
the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.send_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", + "check": "Verify the audit system offloads audit records onto a different system or media from the system being audited with the following command:\n\n $ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.* @@[logaggregationserver.example.mil]:[port]\n\nIf a remote server is not configured, or the line is commented out, ask the system 
administrator to indicate how the audit logs are offloaded to a different system or media.\n\nIf there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.", + "fix": "Configure the operating system to offload audit records onto a different system or media from the system being audited by specifying the remote logging server in \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\" with the name or IP address of the log aggregation server.\n\nFor UDP:\n *.* @[logaggregationserver.example.mil]:[port]\n\nFor TCP:\n *.* @@[logaggregationserver.example.mil]:[port]" }, "impact": 0.5, "refs": [ 
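Review bot: The new `SV-230423` body asserts the loaded rule's fields include the literal `auid!=-1`, while the `check`/`fix` text on the same + side prescribes `-F auid!=unset` and the `desc` text itself says the audit system treats `-1`, `4294967295` and `unset` identically; if the `auditd` resource reports the field in the spelling the rule was written with (its normalization is not visible from here), a rule written exactly as the STIG fix text says would fail this control. Accept any of the equivalent spellings instead: `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000')` followed by `expect(audit_rule.fields.flatten & ['auid!=-1', 'auid!=unset', 'auid!=4294967295']).not_to be_empty`. A smaller point of style: the `tag satisfies:` array lists `'SRG-OS-000062-GPOS-00031'` twice. `source_location` names `./Red Hat 8 STIG/controls/SV-230423.rb` as the origin of this exported control, so the edit belongs there with this baseline regenerated.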
@@ -7652,33 +7604,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230543", - "rid": "SV-230543r858816_rule", - "stig_id": "RHEL-08-040270", - "fix_id": "F-33187r858815_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "satisfies": [ + "SRG-OS-000342-GPOS-00133", + "SRG-OS-000479-GPOS-00224" + ], + "gid": "V-230479", + "rid": "SV-230479r917883_rule", + "stig_id": "RHEL-08-030690", + "fix_id": "F-33123r917882_fix", "cci": [ - "CCI-000366" + "CCI-001851" ], "nist": [ - "CM-6 b" + "AU-4 (1)" ], "host": null }, - "code": "control 'SV-230543' do\n title 'RHEL 8 must not allow interfaces to perform Internet Control Message\nProtocol (ICMP) redirects by default.'\n desc %q(ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0\n\nIf \"net.ipv4.conf.default.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.send_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230543'\n tag rid: 'SV-230543r858816_rule'\n tag 
stig_id: 'RHEL-08-040270'\n tag fix_id: 'F-33187r858815_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.send_redirects'\n action = 'IPv4 packet redirects for interfaces'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to 
be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230479' do\n title 'The RHEL 8 audit records must be off-loaded onto a different system or\nstorage media from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.'\n desc 'check', 'Verify the audit system offloads audit records onto a different system or media from the system being audited with the following command:\n\n $ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:*.* @@[logaggregationserver.example.mil]:[port]\n\nIf a remote server is not configured, or the line is commented out, ask the system administrator to indicate how the audit logs are offloaded to a different system or media.\n\nIf there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.'\n desc 'fix', 'Configure the operating system to offload audit records onto a different system or media from the system being audited by specifying the remote logging server in \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\" with the name or IP address of the log aggregation server.\n\nFor UDP:\n *.* @[logaggregationserver.example.mil]:[port]\n\nFor TCP:\n *.* @@[logaggregationserver.example.mil]:[port]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-230479'\n tag rid: 
'SV-230479r917883_rule'\n tag stig_id: 'RHEL-08-030690'\n tag fix_id: 'F-33123r917882_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe command(\"grep @@ #{input('logging_conf_files').join(' ')}\") do\n its('stdout') { should match(/^[^#]*:\\*\\.\\*\\s*@@[a-z.0-9]*:?[0-9]*?/) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230543.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230479.rb", "line": 1 }, - "id": "SV-230543" + "id": "SV-230479" }, { - "title": "Successful/unsuccessful uses of setfiles in RHEL 8 must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setfiles\" command is primarily used to initialize the security context\nfields (extended attributes) on one or more filesystems (or parts of them).\nUsually it is initially run as part of the SELinux installation process (a step\ncommonly known as labeling).\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 library files must have mode 755 or less permissive.", + "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setfiles\" command is primarily used to initialize the security context\nfields (extended attributes) on one or more filesystems (or parts of them).\nUsually it is initially run as part of the SELinux installation process (a step\ncommonly known as labeling).\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"setfiles\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"setfiles\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"setfiles\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." + "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "check": "Verify the system-wide shared library files contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \\;\n\nIf any system-wide shared library file is found to be group-writable or world-writable, this is a finding.", + "fix": "Configure the library files to be protected from unauthorized access. Run the following command, replacing \"[FILE]\" with any library file with a mode more permissive than 755.\n\n$ sudo chmod 755 [FILE]" }, "impact": 0.5, "refs": [ 
@@ -7688,84 +7644,70 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230430", - "rid": "SV-230430r627750_rule", - "stig_id": "RHEL-08-030314", - "fix_id": "F-33074r568037_fix", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-230260", + "rid": "SV-230260r792867_rule", + "stig_id": "RHEL-08-010330", + "fix_id": "F-32904r792866_fix", "cci": [ - "CCI-000169" + "CCI-001499" ], "nist": [ - "AU-12 a" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230430' do\n title 'Successful/unsuccessful uses of setfiles in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setfiles\" command is primarily used to initialize the security context\nfields (extended attributes) on one or more filesystems (or parts of them).\nUsually it is initially run as part of the SELinux installation process (a step\ncommonly known as labeling).\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"setfiles\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"setfiles\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"setfiles\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230430'\n tag rid: 'SV-230430r627750_rule'\n tag stig_id: 'RHEL-08-030314'\n tag fix_id: 'F-33074r568037_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/setfiles'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230260' do\n title 'RHEL 8 library files must have mode 755 or less permissive.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system-wide shared library files contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \\\\;\n\nIf any system-wide shared library file is found to be group-writable or world-writable, this is a finding.'\n desc 'fix', 'Configure the library files to be protected from unauthorized access. 
Run the following command, replacing \"[FILE]\" with any library file with a mode more permissive than 755.\n\n$ sudo chmod 755 [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230260'\n tag rid: 'SV-230260r792867_rule'\n tag stig_id: 'RHEL-08-010330'\n tag fix_id: 'F-32904r792866_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_libraries').join(' ')} -perm /0022 -type f -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System libraries' do\n it \"should have mode '0755' or less permissive\" do\n expect(failing_files).to be_empty, \"Files with excessive permissions:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230430.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230260.rb", "line": 1 }, - "id": "SV-230430" + "id": "SV-230260" }, { - "title": "RHEL 8 audit log directory must be owned by root to prevent\nunauthorized read access.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", + "title": "Unattended or automatic logon via the RHEL 8 graphical user interface\nmust not be allowed.", + "desc": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.", - "check": "Verify the audit log 
directory is owned by \"root\" to prevent unauthorized\nread access.\n\n Determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Determine the owner of the audit log directory by using the output of the\nabove command (ex: \"/var/log/audit/\"). Run the following command with the\ncorrect audit log directory path:\n\n $ sudo ls -ld /var/log/audit\n\n drw------- 2 root root 23 Jun 11 11:56 /var/log/audit\n\n If the audit log directory is not owned by \"root\", this is a finding.", - "fix": "Configure the audit log to be protected from unauthorized read access, by\nsetting the correct owner as \"root\" with the following command:\n\n $ sudo chown root [audit_log_directory]\n\n Replace \"[audit_log_directory]\" with the correct audit log directory\npath, by default this location is usually \"/var/log/audit\"." + "default": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "check": "Verify the operating system does not allow an unattended or automatic logon\nto the system via a graphical user interface.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Check for the value of the \"AutomaticLoginEnable\" in the\n\"/etc/gdm/custom.conf\" file with the following command:\n\n $ sudo grep -i automaticloginenable /etc/gdm/custom.conf\n\n AutomaticLoginEnable=false\n\n If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a\nfinding.", + "fix": "Configure the operating system to not allow an unattended or automatic\nlogon to the system via a graphical user interface.\n\n Add or edit the line for the \"AutomaticLoginEnable\" parameter in the\n[daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n [daemon]\n AutomaticLoginEnable=false" }, - "impact": 0.5, + "impact": 0, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-230399", - "rid": "SV-230399r627750_rule", - "stig_id": "RHEL-08-030100", - "fix_id": "F-33043r567944_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-230329", + "rid": "SV-230329r877377_rule", + "stig_id": "RHEL-08-010820", + "fix_id": "F-32973r567734_fix", "cci": [ - "CCI-000162" + "CCI-000366" ], "nist": [ - "AU-9", - "AU-9 a" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230399' do\n title 'RHEL 8 audit log directory must be owned by root to prevent\nunauthorized read access.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 activity.'\n desc 'check', 'Verify the audit log directory is owned by \"root\" to prevent unauthorized\nread access.\n\n Determine where the audit logs are stored 
with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Determine the owner of the audit log directory by using the output of the\nabove command (ex: \"/var/log/audit/\"). Run the following command with the\ncorrect audit log directory path:\n\n $ sudo ls -ld /var/log/audit\n\n drw------- 2 root root 23 Jun 11 11:56 /var/log/audit\n\n If the audit log directory is not owned by \"root\", this is a finding.'\n desc 'fix', 'Configure the audit log to be protected from unauthorized read access, by\nsetting the correct owner as \"root\" with the following command:\n\n $ sudo chown root [audit_log_directory]\n\n Replace \"[audit_log_directory]\" with the correct audit log directory\npath, by default this location is usually \"/var/log/audit\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230399'\n tag rid: 'SV-230399r627750_rule'\n tag stig_id: 'RHEL-08-030100'\n tag fix_id: 'F-33043r567944_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n log_dir = auditd_conf('/etc/audit/auditd.conf').log_file.split('/')[0..-2].join('/')\n describe directory(log_dir) do\n its('owner') { should eq 'root' }\n end\nend\n", + "code": "control 'SV-230329' do\n title 'Unattended or automatic logon via the RHEL 8 graphical user interface\nmust not be allowed.'\n desc 'Failure to restrict system access to authenticated users negatively\nimpacts operating system security.'\n desc 'check', 'Verify the operating system does not allow an unattended or automatic logon\nto the system via a graphical user interface.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical 
user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Check for the value of the \"AutomaticLoginEnable\" in the\n\"/etc/gdm/custom.conf\" file with the following command:\n\n $ sudo grep -i automaticloginenable /etc/gdm/custom.conf\n\n AutomaticLoginEnable=false\n\n If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a\nfinding.'\n desc 'fix', 'Configure the operating system to not allow an unattended or automatic\nlogon to the system via a graphical user interface.\n\n Add or edit the line for the \"AutomaticLoginEnable\" parameter in the\n[daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n [daemon]\n AutomaticLoginEnable=false'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-230329'\n tag rid: 'SV-230329r877377_rule'\n tag stig_id: 'RHEL-08-010820'\n tag fix_id: 'F-32973r567734_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable inside a container, the containers host manages the containers filesystems') {\n !virtualization.system.eql?('docker')\n }\n\n custom_conf = '/etc/gdm/custom.conf'\n\n if package('gnome-desktop3').installed?\n if (f = file(custom_conf)).exist?\n describe parse_config_file(custom_conf) do\n its('daemon.AutomaticLoginEnable') { cmp false }\n end\n else\n describe f do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system does not have GDM installed' do\n skip 'The system does not have GDM installed, this requirement is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230399.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230329.rb", "line": 1 }, - "id": "SV-230399" + "id": "SV-230329" }, { - "title": "RHEL 8 must mount /tmp with the nodev option.", - "desc": "The organization must identify 
authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must configure the use of the pam_faillock.so module in the\n/etc/pam.d/system-auth file.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) 
users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/tmp\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /tmp is\nmounted without the \"nodev\" option, this is a finding.", - "fix": "Configure the system so that /tmp is mounted with the \"nodev\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0" + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.", + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the pam_faillock.so module is present in the\n\"/etc/pam.d/system-auth\" file:\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so\npreauth\n auth required pam_faillock.so\nauthfail\n account required pam_faillock.so\n If the pam_faillock.so module is not present in the\n\"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before\npam_unix.so, this is a finding.", + "fix": "Configure the operating system to include the use of the pam_faillock.so\nmodule in the /etc/pam.d/system-auth file.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" file\nto match the following lines:\n Note: The \"preauth\" line must be listed before pam_unix.so.\n\n auth required pam_faillock.so preauth\n auth required pam_faillock.so authfail\n account required pam_faillock.so" }, "impact": 0.5, "refs": [ 
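Review bot: The new `code` string for SV-230329 in this hunk contains a vacuous check: `its('daemon.AutomaticLoginEnable') { cmp false }` constructs the matcher but never applies it, so the example carries no expectation and reports a pass regardless of the value in /etc/gdm/custom.conf; it should read `its('daemon.AutomaticLoginEnable') { should cmp false }`. The exported metadata for the same control also disagrees with its code: the JSON side changes to `"impact": 0` while the embedded control declares `impact 0.7` and `tag severity: 'high'`, which looks like the conditional `impact 0.0` branch (GDM not installed on the export host) being captured into the baseline, so any consumer reading this file would rank the control as Not Applicable. Regenerating the export from the static control definition, or restoring `"impact": 0.7` to match the declared severity, keeps the baseline consistent with the code it embeds.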
@@ -7775,33 +7717,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230511", - "rid": "SV-230511r854052_rule", - "stig_id": "RHEL-08-040123", - "fix_id": "F-33155r568280_fix", + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-244533", + "rid": "SV-244533r743848_rule", + "stig_id": "RHEL-08-020025", + "fix_id": "F-47765r743847_fix", "cci": [ - "CCI-001764" + "CCI-000044" ], "nist": [ - "CM-7 (2)" + "AC-7 a" ], - "host": null - }, - "code": "control 'SV-230511' do\n title 'RHEL 8 must mount /tmp with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/tmp\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /tmp is\nmounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /tmp is mounted with the \"nodev\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230511'\n tag rid: 'SV-230511r854052_rule'\n tag stig_id: 'RHEL-08-040123'\n tag fix_id: 'F-33155r568280_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/tmp'\n option = 'nodev'\n mount_option_enabled = input('mount_tmp_options')[option]\n\n if mount_option_enabled\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\n else\n describe mount(path) do\n its('options') { should_not include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should_not include option }\n end\n end\nend\n", + "host": null, + "container": null + }, + "code": "control 'SV-244533' 
do\n title 'RHEL 8 must configure the use of the pam_faillock.so module in the\n/etc/pam.d/system-auth file.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.\n The preauth argument must be used when the module is called before the\nmodules which ask for the user credentials such as the password.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the pam_faillock.so module is present in the\n\"/etc/pam.d/system-auth\" file:\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so\npreauth\n auth required pam_faillock.so\nauthfail\n account required pam_faillock.so\n If the pam_faillock.so module is not present in the\n\"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before\npam_unix.so, this is a finding.'\n desc 'fix', 'Configure the operating system to include the use of the pam_faillock.so\nmodule in the /etc/pam.d/system-auth file.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" file\nto match the following lines:\n Note: The \"preauth\" line must be listed 
before pam_unix.so.\n\n auth required pam_faillock.so preauth\n auth required pam_faillock.so authfail\n account required pam_faillock.so'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-244533'\n tag rid: 'SV-244533r743848_rule'\n tag stig_id: 'RHEL-08-020025'\n tag fix_id: 'F-47765r743847_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') }\n its('lines') { should match_pam_rule('auth required pam_faillock.so authfail') }\n its('lines') { should match_pam_rule('account required pam_faillock.so') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230511.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244533.rb", "line": 1 }, - "id": "SV-230511" + "id": "SV-244533" }, { - "title": "The rsyslog service must be running in RHEL 8.", - "desc": "Configuring RHEL 8 to implement organization-wide security\nimplementation guides and security checklists ensures compliance with federal\nstandards and establishes a common security baseline across the DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. 
Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", + "title": "Successful/unsuccessful uses of the chsh command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chsh\" command is\nused to change the login shell.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Configuring RHEL 8 to implement organization-wide security\nimplementation guides and security checklists ensures compliance with federal\nstandards and establishes a common security baseline across the DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", - "check": "Verify the rsyslog service is enabled and active with the following\ncommands:\n\n $ sudo systemctl is-enabled rsyslog\n\n enabled\n\n $ sudo systemctl is-active rsyslog\n\n active\n\n If the service is not \"enabled\" and \"active\" this is a finding.", - "fix": "Start the auditd service, and enable the rsyslog service with the following\ncommands:\n\n $ sudo systemctl start rsyslog.service\n\n $ sudo systemctl enable rsyslog.service" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chsh\" command is\nused to change the login shell.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chsh\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chsh /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chsh\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
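Review bot: The applicability guard in the added `code` string for SV-244533, `(os.release.to_f) >= 8.2`, compares the release as a float, so if `os.release` reports `8.10` on a RHEL 8.10 host it parses as 8.1 and the control is skipped as not applicable even though `faillock.conf` and `pam_faillock` apply there. A version-aware comparison avoids the problem: `only_if('...', impact: 0.0) { Gem::Version.new(os.release) >= Gem::Version.new('8.2') }`. Because this file is an exported baseline, the change belongs in the referenced source `./Red Hat 8 STIG/controls/SV-244533.rb`, with the JSON regenerated afterwards. The control object this hunk edits begins before the hunk header and the following object continues past `"refs": [`.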
@@ -7811,69 +7758,79 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230298", - "rid": "SV-230298r627750_rule", - "stig_id": "RHEL-08-010561", - "fix_id": "F-32942r567641_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230448", + "rid": "SV-230448r627750_rule", + "stig_id": "RHEL-08-030410", + "fix_id": "F-33092r568091_fix", "cci": [ - "CCI-000366" + "CCI-000169" ], "nist": [ - "CM-6 b" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230298' do\n title 'The rsyslog service must be running in RHEL 8.'\n desc 'Configuring RHEL 8 to implement organization-wide security\nimplementation guides and security checklists ensures compliance with federal\nstandards and establishes a common security baseline across the DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.'\n desc 'check', 'Verify the rsyslog service is enabled and active with the following\ncommands:\n\n $ sudo systemctl is-enabled rsyslog\n\n enabled\n\n $ sudo systemctl is-active rsyslog\n\n active\n\n If the service is not \"enabled\" and \"active\" this is a finding.'\n desc 'fix', 'Start the auditd service, and enable the rsyslog service with the following\ncommands:\n\n $ sudo systemctl start rsyslog.service\n\n $ sudo systemctl enable rsyslog.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230298'\n tag rid: 'SV-230298r627750_rule'\n tag stig_id: 'RHEL-08-010561'\n tag fix_id: 'F-32942r567641_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe service('rsyslog') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-230448' do\n title 'Successful/unsuccessful uses of the chsh command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chsh\" command is\nused to change the login shell.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chsh\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chsh /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chsh\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230448'\n tag rid: 'SV-230448r627750_rule'\n tag stig_id: 'RHEL-08-030410'\n tag fix_id: 'F-33092r568091_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chsh'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 
'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230298.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230448.rb", "line": 1 }, - "id": "SV-230298" + "id": "SV-230448" }, { - "title": "RHEL 8 must disable the transparent inter-process communication (TIPC)\nprotocol.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Transparent Inter-Process Communication (TIPC) protocol is designed to\nprovide communications between nodes in a cluster. Disabling TIPC protects the\nsystem against exploitation of any flaws in its implementation.", + "title": "If the Trivial File Transfer Protocol (TFTP) server is required, the\nRHEL 8 TFTP daemon must be configured to operate in secure mode.", + "desc": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Transparent Inter-Process Communication (TIPC) protocol is designed to\nprovide communications between nodes in a cluster. 
Disabling TIPC protects the\nsystem against exploitation of any flaws in its implementation.", - "check": "Verify the operating system disables the ability to load the TIPC protocol kernel module.\n\n $ sudo grep -r tipc /etc/modprobe.d/* | grep \"/bin/false\"\n install tipc /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the TIPC protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the TIPC protocol.\n\nCheck to see if the TIPC protocol is disabled with the following command:\n\n $ sudo grep -r tipc /etc/modprobe.d/* | grep \"blacklist\"\n blacklist tipc\n\nIf the command does not return any output or the output is not \"blacklist tipc\", and use of the TIPC protocol is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the TIPC protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install tipc /bin/false\n blacklist tipc\n\nReboot the system for the settings to take effect." 
+ "default": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", + "check": "Verify the TFTP daemon is configured to operate in secure mode with the\nfollowing commands:\n\n $ sudo yum list installed tftp-server\n\n tftp-server.x86_64 x.x-x.el8\n\n If a TFTP server is not installed, this is Not Applicable.\n\n If a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n $ sudo grep server_args /etc/xinetd.d/tftp\n\n server_args = -s /var/lib/tftpboot\n\n If the \"server_args\" line does not have a \"-s\" option, and a\nsubdirectory is not assigned, this is a finding.", + "fix": "Configure the TFTP daemon to operate in secure mode by adding the following\nline to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n\n server_args = -s /var/lib/tftpboot" }, - "impact": 0.3, + "impact": 0, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230497", - "rid": "SV-230497r942927_rule", - "stig_id": "RHEL-08-040024", - "fix_id": "F-33141r942926_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230557", + "rid": "SV-230557r627750_rule", + "stig_id": "RHEL-08-040350", + "fix_id": "F-33201r568418_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230497' do\n title 'RHEL 8 must disable the transparent inter-process communication (TIPC)\nprotocol.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Transparent Inter-Process Communication (TIPC) protocol is designed to\nprovide communications between nodes in a cluster. Disabling TIPC protects the\nsystem against exploitation of any flaws in its implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the TIPC protocol kernel module.\n\n $ sudo grep -r tipc /etc/modprobe.d/* | grep \"/bin/false\"\n install tipc /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the TIPC protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the TIPC protocol.\n\nCheck to see if the TIPC protocol is disabled with the following command:\n\n $ sudo grep -r tipc /etc/modprobe.d/* | grep \"blacklist\"\n blacklist tipc\n\nIf the command does not return any output or the output is not \"blacklist tipc\", and use of the TIPC protocol is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the TIPC protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install tipc /bin/false\n blacklist tipc\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230497'\n tag rid: 'SV-230497r942927_rule'\n tag stig_id: 'RHEL-08-040024'\n tag fix_id: 'F-33141r942926_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe kernel_module('tipc') do\n 
it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control 'SV-230557' do\n title 'If the Trivial File Transfer Protocol (TFTP) server is required, the\nRHEL 8 TFTP daemon must be configured to operate in secure mode.'\n desc 'Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.'\n desc 'check', 'Verify the TFTP daemon is configured to operate in secure mode with the\nfollowing commands:\n\n $ sudo yum list installed tftp-server\n\n tftp-server.x86_64 x.x-x.el8\n\n If a TFTP server is not installed, this is Not Applicable.\n\n If a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n $ sudo grep server_args /etc/xinetd.d/tftp\n\n server_args = -s /var/lib/tftpboot\n\n If the \"server_args\" line does not have a \"-s\" option, and a\nsubdirectory is not assigned, this is a finding.'\n desc 'fix', 'Configure the TFTP daemon to operate in secure mode by adding the following\nline to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n\n server_args = -s /var/lib/tftpboot'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230557'\n tag rid: 'SV-230557r627750_rule'\n tag stig_id: 'RHEL-08-040350'\n tag fix_id: 'F-33201r568418_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if package('tftp-server').installed?\n impact 0.5\n describe command('grep server_args /etc/xinetd.d/tftp') do\n its('stdout.strip') { should match %r{^\\s*server_args\\s+=\\s+(-s|--secure)\\s(/\\S+)$} }\n end\n else\n impact 0.0\n describe 'The TFTP package is not installed' do\n skip 'If a TFTP server is not installed, this is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230497.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230557.rb", "line": 1 }, - "id": 
"SV-230497" + "id": "SV-230557" }, { - "title": "RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.", - "desc": "Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nPoisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.\n\nSLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator.", + "title": "RHEL 8 must enable a user session lock until that user re-establishes\naccess using established identification and authentication procedures for\ngraphical user sessions.", + "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock must remain in place until the user reauthenticates.\nNo other activity aside from reauthentication must unlock the system.", "descriptions": { - "default": "Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. 
Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nPoisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.\n\nSLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator.", - "check": "Verify that GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has poisoning of SLUB/SLAB objects enabled:\n\n$ sudo grub2-editenv list | grep slub_debug\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 slub_debug=P page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"slub_debug\" does not contain \"P\" or is missing, this is a finding.\n\nCheck that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates:\n\n$ sudo grep slub_debug /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"slub_debug=P\"\n\nIf \"slub_debug\" does not contain \"P\", is missing, or is commented out, this is a finding.", - "fix": "Configure RHEL 8 to enable poisoning of SLUB/SLAB objects with the\nfollowing commands:\n\n $ sudo grubby --update-kernel=ALL --args=\"slub_debug=P\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"slub_debug=P\"" + "default": "A session lock is a temporary 
action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock must remain in place until the user reauthenticates.\nNo other activity aside from reauthentication must unlock the system.", + "check": "Verify the operating system enables a user's session lock until that user\nre-establishes access using established identification and authentication\nprocedures with the following command:\n\n $ sudo gsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\n If the setting is \"false\", this is a finding.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.", + "fix": "Configure the operating system to enable a user's session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following example:\n\n $ sudo vi /etc/dconf/db/local.d/00-screensaver\n\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file\nand add or update the following lines:\n\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n\n Update the system databases:\n\n $ sudo dconf update" }, "impact": 0.5, "refs": [ 
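Review bot: The new SV-230557 entry exports `"impact": 0` next to `"severity": "medium"`, while its embedded `code` declares `impact 0.5` and only sets `impact 0.0` inside the `else` branch of `if package('tftp-server').installed?`; the exported value appears to be whichever branch was evaluated on the host that produced the baseline, so consumers of this file will treat the control as not applicable regardless of the target. Expressing the package condition with the idiom the neighbouring controls already use, `only_if('If a TFTP server is not installed, this is Not Applicable.', impact: 0.0) { package('tftp-server').installed? }`, keeps the static `impact 0.5` in the export and still yields impact 0 at run time when the package is absent. Separately, the SV-230448 `satisfies` array in this hunk lists `SRG-OS-000062-GPOS-00031` twice (first and fourth elements), and the same duplicate is in its `code` string, so it should be deduplicated in `./Red Hat 8 STIG/controls/SV-230448.rb` before regenerating. That control's test also expects the field `auid!=-1` while its check text and fix rule use `auid!=unset`, which presumably relies on `auditctl -l` normalizing `unset` to `-1`; worth confirming against the audit version on the target. The object this hunk edits begins before the hunk header and the last object continues past `"refs": [`.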
@@ -7883,72 +7840,80 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000134-GPOS-00068",
+ "gtitle": "SRG-OS-000028-GPOS-00009",
 "satisfies": [
- "SRG-OS-000134-GPOS-00068",
- "SRG-OS-000433-GPOS-00192"
+ "SRG-OS-000028-GPOS-00009",
+ "SRG-OS-000030-GPOS-00011"
 ],
- "gid": "V-230279",
- "rid": "SV-230279r951598_rule",
- "stig_id": "RHEL-08-010423",
- "fix_id": "F-32923r567584_fix",
+ "gid": "V-230347",
+ "rid": "SV-230347r627750_rule",
+ "stig_id": "RHEL-08-020030",
+ "fix_id": "F-32991r567788_fix",
 "cci": [
- "CCI-001084"
+ "CCI-000056"
 ],
 "nist": [
- "SC-3"
+ "AC-11 b"
 ],
 "host": null
 },
- "code": "control 'SV-230279' do\n title 'RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.'\n desc 'Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nPoisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.\n\nSLAB objects are blocks of physically-contiguous memory. 
SLUB is the unqueued SLAB allocator.'\n desc 'check', 'Verify that GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has poisoning of SLUB/SLAB objects enabled:\n\n$ sudo grub2-editenv list | grep slub_debug\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 slub_debug=P page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"slub_debug\" does not contain \"P\" or is missing, this is a finding.\n\nCheck that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates:\n\n$ sudo grep slub_debug /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"slub_debug=P\"\n\nIf \"slub_debug\" does not contain \"P\", is missing, or is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable poisoning of SLUB/SLAB objects with the\nfollowing commands:\n\n $ sudo grubby --update-kernel=ALL --args=\"slub_debug=P\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"slub_debug=P\"'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag satisfies: ['SRG-OS-000134-GPOS-00068', 'SRG-OS-000433-GPOS-00192']\n tag gid: 'V-230279'\n tag rid: 'SV-230279r951598_rule'\n tag stig_id: 'RHEL-08-010423'\n tag fix_id: 'F-32923r567584_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_stdout = command('grub2-editenv - list').stdout\n setting = /slub_debug\\s*=\\s*.*P.*/\n\n describe 'GRUB config' do\n it 'should enable page poisoning' do\n 
expect(parse_config(grub_stdout)['kernelopts']).to match(setting), 'Current GRUB configuration does not disable this setting'\n expect(parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX']).to match(setting), 'Setting not configured to persist between kernel updates'\n end\n end\nend\n", + "code": "control 'SV-230347' do\n title 'RHEL 8 must enable a user session lock until that user re-establishes\naccess using established identification and authentication procedures for\ngraphical user sessions.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock must remain in place until the user reauthenticates.\nNo other activity aside from reauthentication must unlock the system.'\n desc 'check', %q(Verify the operating system enables a user's session lock until that user\nre-establishes access using established identification and authentication\nprocedures with the following command:\n\n $ sudo gsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\n If the setting is \"false\", this is a finding.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.)\n desc 'fix', %q(Configure the operating system to enable a user's session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following example:\n\n $ sudo vi /etc/dconf/db/local.d/00-screensaver\n\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file\nand add or update the following lines:\n\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n\n Update the system databases:\n\n $ sudo dconf update)\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-230347'\n tag rid: 'SV-230347r627750_rule'\n tag stig_id: 'RHEL-08-020030'\n tag fix_id: 'F-32991r567788_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout.strip') { should cmp 'true' }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230279.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230347.rb", "line": 1 }, - "id": "SV-230279" + "id": "SV-230347" }, { - "title": "RHEL 8 must not allow blank or null passwords in the password-auth\nfile.", - "desc": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that 
account. Accounts with empty passwords\nshould never be used in operational environments.", + "title": "The RHEL 8 operating system must implement DoD-approved TLS encryption\nin the OpenSSL package.", + "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.", "descriptions": { - "default": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", - "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/password-auth\n\nIf output is produced, this is a finding.", - "fix": "Remove any instances of the \"nullok\" option in the\n\"/etc/pam.d/password-auth\" file to prevent logons with empty passwords.\n\n Note: Manual changes to the listed file may be overwritten by the\n\"authselect\" program." 
+ "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.", + "check": "Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:\n\nFor versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nMinProtocol = TLSv1.2\n\nIf the \"MinProtocol\" is set to anything older than \"TLSv1.2\", this is a finding.\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\n\nIf the \"TLS.MinProtocol\" is set to anything older than \"TLSv1.2\" or the \"DTLS.MinProtocol\" is set to anything older than DTLSv1.2, this is a finding.", + "fix": "Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the \"/etc/crypto-policies/back-ends/opensslcnf.config\" file:\n\nFor versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:\nMinProtocol = TLSv1.2\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:\nTLS.MinProtocol = 
TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\nA reboot is required for the changes to take effect." }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244541", - "rid": "SV-244541r743872_rule", - "stig_id": "RHEL-08-020332", - "fix_id": "F-47773r743871_fix", + "severity": "medium", + "gtitle": "SRG-OS-000250-GPOS-00093", + "satisfies": [ + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174", + "SRG-OS-000125-GPOS-00065" + ], + "gid": "V-230255", + "rid": "SV-230255r877394_rule", + "stig_id": "RHEL-08-010294", + "fix_id": "F-32899r809381_fix", "cci": [ - "CCI-000366" + "CCI-001453" ], "nist": [ - "CM-6 b" - ] + "AC-17 (2)" + ], + "host": null, + "container": null }, - "code": "control 'SV-244541' do\n title 'RHEL 8 must not allow blank or null passwords in the password-auth\nfile.'\n desc 'If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.'\n desc 'check', 'To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/password-auth\n\nIf output is produced, this is a finding.'\n desc 'fix', 'Remove any instances of the \"nullok\" option in the\n\"/etc/pam.d/password-auth\" file to prevent logons with empty passwords.\n\n Note: Manual changes to the listed file may be overwritten by the\n\"authselect\" program.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244541'\n tag rid: 'SV-244541r743872_rule'\n tag stig_id: 'RHEL-08-020332'\n tag fix_id: 'F-47773r743871_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n pam_auth_files = input('pam_auth_files')\n file_list = pam_auth_files.values.join(' ')\n bad_entries = command(\"grep -i nullok #{file_list}\").stdout.lines.collect { |line| line.split.join(' ') }\n\n describe 'The system is configureed' do\n subject { command(\"grep -i nullok #{file_list}\") }\n it 'to not allow null passwords' do\n expect(subject.stdout.strip).to be_empty, \"The system is configured to allow null passwords. Please remove any instances of the `nullok` option from: \\n\\t- #{bad_entries.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230255' do\n title 'The RHEL 8 operating system must implement DoD-approved TLS encryption\nin the OpenSSL package.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The employed\nalgorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config\nfile.'\n desc 'check', 'Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:\n\nFor versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nMinProtocol = TLSv1.2\n\nIf the \"MinProtocol\" is set to anything older than \"TLSv1.2\", this is a finding.\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\n\nIf the \"TLS.MinProtocol\" is set to anything older than \"TLSv1.2\" or the \"DTLS.MinProtocol\" is set to anything older than DTLSv1.2, this is a finding.'\n desc 'fix', 'Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the \"/etc/crypto-policies/back-ends/opensslcnf.config\" file:\n\nFor versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:\nMinProtocol = TLSv1.2\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 
'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-230255'\n tag rid: 'SV-230255r877394_rule'\n tag stig_id: 'RHEL-08-010294'\n tag fix_id: 'F-32899r809381_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container'\n\n crypto_policies = package('crypto-policies')\n\n if crypto_policies.version < '20210617-1.gitc776d3e.el8.noarch'\n describe parse_config_file('/etc/crypto-policies/back-ends/opensslcnf.config') do\n its('MinProtocol') { should be_in ['TLSv1.2', 'TLSv1.3'] }\n end\n else\n describe parse_config_file('/etc/crypto-policies/back-ends/opensslcnf.config') do\n its(['TLS.MinProtocol']) { should be_in ['TLSv1.2', 'TLSv1.3'] }\n its(['DTLS.MinProtocol']) { should be_in ['DTLSv1.2', 'DTLSv1.3'] }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244541.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230255.rb", "line": 1 }, - "id": "SV-244541" + "id": "SV-230255" }, { - "title": "RHEL 8 must have the packages required for encrypting offloaded audit\nlogs installed.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"rsyslog-gnutls\" (which is a secure\ncommunications library implementing the SSL, TLS and DTLS protocols), and you\nhave a method to securely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", + "title": "RHEL 8 must automatically lock graphical user sessions after 15\nminutes of inactivity.", + "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"rsyslog-gnutls\" (which is a secure\ncommunications library implementing the SSL, TLS and DTLS protocols), and you\nhave a method to securely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", - "check": "Verify the operating system has the packages required for encrypting\noffloaded audit logs installed with the following commands:\n\n $ sudo yum list installed rsyslog-gnutls\n\n rsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream\n\n If the \"rsyslog-gnutls\" package is not installed, ask the administrator\nto indicate how audit logs are being encrypted during offloading and what\npackages are installed to support it. If there is no evidence of audit logs\nbeing encrypted during offloading, this is a finding.", - "fix": "Configure the operating system to encrypt offloaded audit logs by\ninstalling the required packages with the following command:\n\n $ sudo yum install rsyslog-gnutls" + "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.", + "check": "Verify the operating system initiates a session lock after a 15-minute\nperiod of inactivity for graphical user interfaces with the following commands:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.desktop.session idle-delay\n\n uint32 900\n\n If \"idle-delay\" is set to \"0\" or a value greater than \"900\", this is\na finding.", + "fix": "Configure the operating system to initiate a screensaver after a 15-minute\nperiod of inactivity for graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n $ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following\nlines:\n\n [org/gnome/desktop/session]\n # Set the lock time out to 900 seconds before the session is considered idle\n idle-delay=uint32 900\n\n Update the system databases:\n\n $ sudo dconf update" }, "impact": 0.5, "refs": [ 
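Review bot: In SV-230255's `code`, `crypto_policies.version < '20210617-1.gitc776d3e.el8.noarch'` is a plain string comparison, so the branch taken depends on the exact text the package resource returns: if it reports version-release without the `.noarch` suffix, the very version the check text calls "and newer" sorts as a shorter prefix and is sent down the legacy `MinProtocol` path, and when the package is absent `version` is nil and the `<` raises instead of producing a finding. Deriving the branch from the date component is more robust, e.g. `legacy = crypto_policies.installed? && crypto_policies.version.split('-').first.to_i < 20210617`, with a `describe crypto_policies do it { should be_installed } end` alongside. Separately, SV-230347 reads `gsettings get org.gnome.desktop.screensaver lock-enabled`, which resolves through the invoking user's dconf profile, so a user-level override or an unlocked key would not be detected even though the fix text configures the system database; reading `/etc/dconf/db/local.d/00-screensaver` directly, or additionally asserting the key is locked, would make the test match the fix. Both control objects continue past the hunk's last line.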
@@ -7958,33 +7923,37 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230478",
- "rid": "SV-230478r744011_rule",
- "stig_id": "RHEL-08-030680",
- "fix_id": "F-33122r744010_fix",
+ "gtitle": "SRG-OS-000029-GPOS-00010",
+ "satisfies": [
+ "SRG-OS-000029-GPOS-00010",
+ "SRG-OS-000031-GPOS-00012"
+ ],
+ "gid": "V-230352",
+ "rid": "SV-230352r646876_rule",
+ "stig_id": "RHEL-08-020060",
+ "fix_id": "F-32996r567803_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000057"
 ],
 "nist": [
- "CM-6 b"
+ "AC-11 a"
 ],
 "host": null
 },
- "code": "control 'SV-230478' do\n title 'RHEL 8 must have the packages required for encrypting offloaded audit\nlogs installed.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"rsyslog-gnutls\" (which is a secure\ncommunications library implementing the SSL, TLS and DTLS protocols), and you\nhave a method to securely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.'\n desc 'check', 'Verify the operating system has the packages required for encrypting\noffloaded audit logs installed with the following commands:\n\n $ sudo yum list installed rsyslog-gnutls\n\n rsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream\n\n If the \"rsyslog-gnutls\" package is not installed, ask the administrator\nto indicate how audit logs are being encrypted during offloading and what\npackages are installed to support it. 
If there is no evidence of audit logs\nbeing encrypted during offloading, this is a finding.'\n desc 'fix', 'Configure the operating system to encrypt offloaded audit logs by\ninstalling the required packages with the following command:\n\n $ sudo yum install rsyslog-gnutls'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230478'\n tag rid: 'SV-230478r744011_rule'\n tag stig_id: 'RHEL-08-030680'\n tag fix_id: 'F-33122r744010_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe package('rsyslog-gnutls') do\n it { should be_installed }\n end\n end\nend\n", + "code": "control 'SV-230352' do\n title 'RHEL 8 must automatically lock graphical user sessions after 15\nminutes of inactivity.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.'\n desc 'check', 'Verify the operating system initiates a session lock after a 15-minute\nperiod of inactivity for graphical user interfaces with the following commands:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.desktop.session idle-delay\n\n uint32 900\n\n If \"idle-delay\" is set to \"0\" or a value greater than \"900\", this is\na finding.'\n desc 'fix', 'Configure the operating system to initiate a screensaver after a 15-minute\nperiod of inactivity for graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n $ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following\nlines:\n\n [org/gnome/desktop/session]\n # Set the lock time out to 900 seconds before the session is considered idle\n idle-delay=uint32 900\n\n Update the system databases:\n\n $ sudo dconf update'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012']\n tag gid: 'V-230352'\n tag rid: 'SV-230352r646876_rule'\n tag stig_id: 'RHEL-08-020060'\n tag fix_id: 'F-32996r567803_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n 
describe command(\"gsettings get org.gnome.desktop.session idle-delay | cut -d ' ' -f2\") do\n its('stdout.strip') { should cmp <= input('system_inactivity_timeout') }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230478.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230352.rb", "line": 1 }, - "id": "SV-230478" + "id": "SV-230352" }, { - "title": "RHEL 8 must have the packages required for offloading audit logs\ninstalled.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", + "title": "RHEL 8 must mount /var/tmp with the nosuid option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.", - "check": "Verify the operating system has the packages required for offloading audit\nlogs installed with the following commands:\n\n $ sudo yum list installed rsyslog\n\n rsyslog.x86_64 8.1911.0-3.el8 @AppStream\n\n If the \"rsyslog\" package is not installed, ask the administrator to\nindicate how audit logs are being offloaded and what packages are installed to\nsupport it. 
If there is no evidence of audit logs being offloaded, this is a\nfinding.", - "fix": "Configure the operating system to offload audit logs by installing the\nrequired packages with the following command:\n\n $ sudo yum install rsyslog" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/tmp\" is mounted with the \"nosuid\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"nosuid\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"nosuid\" option is missing, or if /var/tmp is mounted without the \"nosuid\" option, this is a finding.", + "fix": "Configure the system so that /var/tmp is mounted with the \"nosuid\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
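Review bot: SV-230352's assertion `its('stdout.strip') { should cmp <= input('system_inactivity_timeout') }` passes when `idle-delay` is `0`, yet the control's own check text says a value of "0" is a finding because it disables the idle lock entirely; add `its('stdout.strip') { should cmp > 0 }` beside it. The `cut -d ' ' -f2` pipeline also yields an empty string whenever gsettings prints only a warning or the schema is missing, which appears to surface as a comparison error rather than a clear finding, so a `should_not be_empty` (or matching `uint32 \d+` on the raw output) would make that failure mode explicit, and it is worth confirming `system_inactivity_timeout` is declared as a numeric input so the comparison is numeric rather than string-wise. As with SV-230347 earlier in this diff, `gsettings get` resolves through the caller's dconf profile and does not prove the system-wide value in `/etc/dconf/db/local.d/00-screensaver` is locked against user override. The control object continues past the end of the hunk.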
@@ -7994,33 +7963,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230477", - "rid": "SV-230477r627750_rule", - "stig_id": "RHEL-08-030670", - "fix_id": "F-33121r568178_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230521", + "rid": "SV-230521r854062_rule", + "stig_id": "RHEL-08-040133", + "fix_id": "F-33165r792929_fix", "cci": [ - "CCI-000366" + "CCI-001764" ], "nist": [ - "CM-6 b" + "CM-7 (2)" ], "host": null }, - "code": "control 'SV-230477' do\n title 'RHEL 8 must have the packages required for offloading audit logs\ninstalled.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n Rsyslog provides three ways to forward message: the traditional UDP\ntransport, which is extremely lossy but standard; the plain TCP based\ntransport, which loses messages only during certain situations but is widely\navailable; and the RELP transport, which does not lose messages but is\ncurrently available only as part of the rsyslogd 3.15.0 and above.\n Examples of each configuration:\n UDP *.* @remotesystemname\n TCP *.* @@remotesystemname\n RELP *.* :omrelp:remotesystemname:2514\n Note that a port number was given as there is no standard port for RELP.'\n desc 'check', 'Verify the operating system has the packages required for offloading audit\nlogs installed with the following commands:\n\n $ sudo yum list installed rsyslog\n\n rsyslog.x86_64 8.1911.0-3.el8 @AppStream\n\n If the \"rsyslog\" package is not installed, ask the administrator to\nindicate how audit logs are being offloaded and what packages are installed to\nsupport it. If there is no evidence of audit logs being offloaded, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to offload audit logs by installing the\nrequired packages with the following command:\n\n $ sudo yum install rsyslog'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230477'\n tag rid: 'SV-230477r627750_rule'\n tag stig_id: 'RHEL-08-030670'\n tag fix_id: 'F-33121r568178_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. 
Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe package('rsyslog') do\n it { should be_installed }\n end\n end\nend\n", + "code": "control 'SV-230521' do\n title 'RHEL 8 must mount /var/tmp with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/tmp\" is mounted with the \"nosuid\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"nosuid\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"nosuid\" option is missing, or if /var/tmp is mounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/tmp is mounted with the \"nosuid\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230521'\n tag rid: 'SV-230521r854062_rule'\n tag stig_id: 'RHEL-08-040133'\n tag fix_id: 'F-33165r792929_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/tmp'\n option = 'nosuid'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230477.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230521.rb", "line": 1 }, - "id": "SV-230477" + "id": "SV-230521" }, { - "title": "The RHEL 8 /var/log directory must be group-owned by root.", - "desc": "Only authorized personnel should be aware of errors and the 
details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "A separate RHEL 8 filesystem must be used for user home directories\n(such as /home or an equivalent).", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify the \"/var/log\" directory is group-owned by root with the following\ncommand:\n\n $ sudo stat -c \"%G\" /var/log\n\n root\n\n If \"root\" is not returned as a result, this is a finding.", - "fix": "Change the group of the directory \"/var/log\" to \"root\" by running the\nfollowing command:\n\n $ sudo chgrp root /var/log" + "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "check": "Verify that a separate file system has been created for non-privileged local interactive user home directories.\n\n Check the home directory assignment for all non-privileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n doej 1001 /home/doej\n publicj 1002 /home/publicj\n smithj 1003 /home/smithj\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, \"/home\") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the nonprivileged interactive users with the following command:\n\nNote: The partition of \"/home\" is used in the example.\n\n $ sudo grep /home /etc/fstab\n\n /dev/mapper/... /home xfs defaults,noexec,nosuid,nodev 0 0\n\nIf a separate entry for the file system/partition containing the nonprivileged interactive user home directories does not exist, this is a finding.", + "fix": "Migrate the \"/home\" directory onto a separate file system." }, "impact": 0.5, "refs": [ 
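Review bot: The SV-230521 InSpec body is stricter than its own check text: `describe etc_fstab.where { mount_point == path }` asserts that `mount_options.flatten` includes `nosuid`, so a host with no `/var/tmp` line in `/etc/fstab` (for example `/var/tmp` bind-mounted or managed by a systemd mount unit) fails on an empty array, whereas the check text only makes a missing option a finding "if results are returned". Either guard that `describe` so it runs only when `etc_fstab.where { mount_point == path }.entries.any?`, or put a comment above it stating that this profile deliberately requires a persistent fstab entry so the divergence from the check text is not mistaken for a bug. The `mount(path)` assertion already covers the runtime state; a one-line comment such as `# runtime mount options` / `# persistent fstab entry` above each `describe` would make the two halves of the check self-explanatory.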
@@ -8030,34 +7999,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-230250", - "rid": "SV-230250r627750_rule", - "stig_id": "RHEL-08-010260", - "fix_id": "F-32894r567497_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230328", + "rid": "SV-230328r902723_rule", + "stig_id": "RHEL-08-010800", + "fix_id": "F-32972r902722_fix", "cci": [ - "CCI-001314" + "CCI-000366" ], "nist": [ - "SI-11 b" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230250' do\n title 'The RHEL 8 /var/log directory must be group-owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify the \"/var/log\" directory is group-owned by root with the following\ncommand:\n\n $ sudo stat -c \"%G\" /var/log\n\n root\n\n If \"root\" is not returned as a result, this is a finding.'\n desc 'fix', 'Change the group of the directory \"/var/log\" to \"root\" by running the\nfollowing command:\n\n $ sudo chgrp root /var/log'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230250'\n tag rid: 'SV-230250r627750_rule'\n tag stig_id: 'RHEL-08-010260'\n tag fix_id: 'F-32894r567497_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n tag 'container'\n\n describe directory('/var/log') do\n it { should exist }\n its('group') { should eq 'root' }\n end\nend\n", + "code": "control 'SV-230328' do\n title 'A separate RHEL 8 filesystem must be used for user home directories\n(such as /home or an equivalent).'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', %q(Verify that a separate file system has been created for non-privileged local interactive user home directories.\n\n Check the home directory assignment for all non-privileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command:\n\n $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd\n\n doej 1001 /home/doej\n publicj 1002 /home/publicj\n smithj 1003 /home/smithj\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, \"/home\") and users’ shell. 
All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the nonprivileged interactive users with the following command:\n\nNote: The partition of \"/home\" is used in the example.\n\n $ sudo grep /home /etc/fstab\n\n /dev/mapper/... /home xfs defaults,noexec,nosuid,nodev 0 0\n\nIf a separate entry for the file system/partition containing the nonprivileged interactive user home directories does not exist, this is a finding.)\n desc 'fix', 'Migrate the \"/home\" directory onto a separate file system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230328'\n tag rid: 'SV-230328r902723_rule'\n tag stig_id: 'RHEL-08-010800'\n tag fix_id: 'F-32972r902722_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable inside a container, the containers host manages the containers filesystems') {\n !virtualization.system.eql?('docker')\n }\n\n ignore_shells = input('non_interactive_shells').join('|')\n homes = users.where { uid >= 1000 && !shell.match(ignore_shells) }.homes\n root_device = etc_fstab.where { mount_point == '/' }.device_name\n\n if input('seperate_filesystem_exempt')\n impact 0.0\n describe 'This system is not required to have sperate filesystems for each mount point' do\n skip 'The system is managing filesystems and space via other mechanisms; this requirement is Not Applicable'\n end\n else\n homes.each do |home|\n pn_parent = Pathname.new(home).parent.to_s\n home_device = etc_fstab.where { mount_point == pn_parent }.device_name\n\n describe \"The '#{pn_parent}' mount point\" do\n subject { home_device }\n\n it 'is not on the same partition as the root partition' do\n is_expected.not_to equal(root_device)\n end\n\n it 'has its own partition' do\n is_expected.not_to be_empty\n end\n end\n end\n end\nend\n", "source_location": { 
- "ref": "./Red Hat 8 STIG/controls/SV-230250.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230328.rb", "line": 1 }, - "id": "SV-230250" + "id": "SV-230328" }, { - "title": "Successful/unsuccessful uses of setsebool in RHEL 8 must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setsebool\" command sets the current state of a particular SELinux\nboolean or a list of booleans to a given value.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must have the USBGuard installed.", + "desc": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setsebool\" command sets the current state of a particular SELinux\nboolean or a list of booleans to a given value.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"setsebool\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"setsebool\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"setsebool\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", + "check": "Verify USBGuard is installed on the operating system with the following\ncommand:\n\n $ sudo yum list installed usbguard\n\n Installed Packages\n usbguard.x86_64 0.7.8-7.el8 @ol8_appstream\n\n If the USBGuard package is not installed, ask the SA to indicate how\nunauthorized peripherals are being blocked.\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.", + "fix": "Install the USBGuard package with the following command:\n\n$ sudo yum install usbguard.x86_64" }, "impact": 0.5, "refs": [ 
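Review bot: In SV-230328's `homes.each` loop, `is_expected.not_to equal(root_device)` uses RSpec's identity matcher (`equal?`), so two separately built device-name arrays with identical contents are never `equal` and the "is not on the same partition as the root partition" expectation can only pass; it should read `is_expected.not_to eq(root_device)`. The loop also resolves each home only to its immediate parent (`Pathname.new(home).parent`), so a nested layout such as `/home/dept/user`, or a home directory that is itself a mount point, yields an empty `home_device` and a spurious "has its own partition" failure; walking up the path until an fstab `mount_point` matches would be more robust. If `non_interactive_shells` can be an empty list, `ignore_shells` becomes `''` and `shell.match('')` excludes every user, leaving no `describe` blocks and a vacuous pass — worth a guard, or a comment confirming that input is always non-empty.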
@@ -8067,42 +8035,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230432", - "rid": "SV-230432r627750_rule", - "stig_id": "RHEL-08-030316", - "fix_id": "F-33076r568043_fix", + "gtitle": "SRG-OS-000378-GPOS-00163", + "gid": "V-244547", + "rid": "SV-244547r854076_rule", + "stig_id": "RHEL-08-040139", + "fix_id": "F-47779r743889_fix", "cci": [ - "CCI-000169" + "CCI-001958" ], "nist": [ - "AU-12 a" + "IA-3" ], "host": null }, - "code": "control 'SV-230432' do\n title 'Successful/unsuccessful uses of setsebool in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setsebool\" command sets the current state of a particular SELinux\nboolean or a list of booleans to a given value.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"setsebool\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"setsebool\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"setsebool\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230432'\n tag rid: 'SV-230432r627750_rule'\n tag stig_id: 'RHEL-08-030316'\n tag fix_id: 'F-33076r568043_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/setsebool'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-244547' do\n title 'RHEL 8 must have the USBGuard installed.'\n desc 'Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.'\n desc 'check', 'Verify USBGuard is installed on the operating system with the following\ncommand:\n\n $ sudo yum list installed usbguard\n\n Installed Packages\n usbguard.x86_64 0.7.8-7.el8 @ol8_appstream\n\n If the USBGuard package is not installed, ask the SA to indicate how\nunauthorized peripherals are being blocked.\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.'\n desc 'fix', 'Install the USBGuard package with the following command:\n\n$ sudo yum install usbguard.x86_64'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000378-GPOS-00163'\n tag gid: 'V-244547'\n tag rid: 'SV-244547r854076_rule'\n tag stig_id: 'RHEL-08-040139'\n tag fix_id: 
'F-47779r743889_fix'\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n peripherals_package = input('peripherals_package')\n\n describe package(peripherals_package) do\n it \"is expected to be installed. \\n\\tPlease ensure to configure the service to ensure your devices function as expected.\" do\n expect(subject.installed?).to be(true), \"The #{peripherals_package} package is not installed\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230432.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244547.rb", "line": 1 }, - "id": "SV-230432" + "id": "SV-244547" }, { - "title": "Successful/unsuccessful uses of the usermod command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"usermod\" command\nmodifies the system account files to reflect the changes that are specified on\nthe command line.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "The RHEL 8 SSH daemon must not allow authentication using known host’s\nauthentication.", + "desc": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"usermod\" command\nmodifies the system account files to reflect the changes that are specified on\nthe command line.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"usermod\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w usermod /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-usermod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"usermod\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-usermod\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "check": "Verify the SSH daemon does not allow authentication using known host’s authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*ignoreuserknownhosts'\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the SSH daemon to not allow authentication using known host’s\nauthentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"yes\":\n\n IgnoreUserKnownHosts yes\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
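Review bot: SV-244547's check text lets the SA demonstrate an alternative mechanism for blocking unauthorized peripherals, but the InSpec body only asserts `package(peripherals_package).installed?`, so a site using a different control has no outcome except a failure. Mirror the manual-review branch the removed SV-230477 body used for `alternative_logging_method`: gate the `describe package` on an input (e.g. `if input('alternative_peripheral_control') != ''` → `skip 'Manual check required. Ask the SA how unauthorized peripherals are blocked.'`) and fall through to the package check otherwise. Since `peripherals_package` is caller-supplied, a misconfigured input could satisfy this control with an unrelated package; a comment above it recording the expected value (`usbguard`) and noting that an installed package does not by itself enforce a policy (the `it` description already hints at this) would help reviewers.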
@@ -8112,43 +8071,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000466-GPOS-00210" - ], - "gid": "V-230463", - "rid": "SV-230463r627750_rule", - "stig_id": "RHEL-08-030560", - "fix_id": "F-33107r568136_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230290", + "rid": "SV-230290r951602_rule", + "stig_id": "RHEL-08-010520", + "fix_id": "F-32934r567617_fix", "cci": [ - "CCI-000169" + "CCI-000366" ], "nist": [ - "AU-12 a" + "CM-6 b" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230463' do\n title 'Successful/unsuccessful uses of the usermod command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"usermod\" command\nmodifies the system account files to reflect the changes that are specified on\nthe command line.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"usermod\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w usermod /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-usermod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"usermod\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-usermod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230463'\n tag rid: 'SV-230463r627750_rule'\n tag stig_id: 'RHEL-08-030560'\n tag fix_id: 'F-33107r568136_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/usermod'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230290' do\n title 'The RHEL 8 SSH daemon must not allow authentication using known host’s\nauthentication.'\n desc 'Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow authentication using known host’s authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*ignoreuserknownhosts'\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow authentication using known host’s\nauthentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"yes\":\n\n IgnoreUserKnownHosts yes\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230290'\n tag rid: 'SV-230290r951602_rule'\n tag stig_id: 'RHEL-08-010520'\n tag fix_id: 'F-32934r567617_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n describe sshd_active_config do\n its('IgnoreUserKnownHosts') { should cmp 'yes' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230463.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230290.rb", "line": 1 }, - "id": "SV-230463" + "id": "SV-230290" }, { - "title": "RHEL 8 user account passwords must have a 60-day maximum password\nlifetime restriction.", - "desc": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.", + "title": "The RHEL 8 audit system must take appropriate action when the audit\nstorage volume is full.", + "desc": "It is critical that when RHEL 8 is at risk of failing to process audit\nlogs as required, it takes action to mitigate the failure. Audit processing\nfailures include software/hardware errors; failures in the audit capturing\nmechanisms; and audit storage capacity being reached or exceeded. 
Responses to\naudit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nRHEL 8 must continue generating audit records if possible (automatically\nrestarting the audit service if necessary) and overwriting the oldest audit\nrecords in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, RHEL 8 must queue\naudit records locally until communication is restored or until the audit\nrecords are retrieved manually. Upon restoration of the connection to the\ncentralized collection server, action should be taken to synchronize the local\naudit data with the collection server.", "descriptions": { - "default": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.", - "check": "Verify that RHEL 8 enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n $ sudo grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n\n If the \"PASS_MAX_DAYS\" parameter value is greater than \"60\", or\ncommented out, this is a finding.", - "fix": "Configure RHEL 8 to enforce a 60-day maximum password lifetime.\n\nAdd, or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60" + "default": "It is critical that when RHEL 8 is at risk of failing to process audit\nlogs as required, it takes action to mitigate the failure. Audit processing\nfailures include software/hardware errors; failures in the audit capturing\nmechanisms; and audit storage capacity being reached or exceeded. 
Responses to\naudit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nRHEL 8 must continue generating audit records if possible (automatically\nrestarting the audit service if necessary) and overwriting the oldest audit\nrecords in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, RHEL 8 must queue\naudit records locally until communication is restored or until the audit\nrecords are retrieved manually. Upon restoration of the connection to the\ncentralized collection server, action should be taken to synchronize the local\naudit data with the collection server.", + "check": "Verify RHEL 8 takes the appropriate action when the audit storage volume is\nfull.\n\n Check that RHEL 8 takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n $ sudo grep disk_full_action /etc/audit/auditd.conf\n\n disk_full_action = HALT\n\n If the value of the \"disk_full_action\" option is not \"SYSLOG\",\n\"SINGLE\", or \"HALT\", or the line is commented out, ask the system\nadministrator to indicate how the system takes appropriate action when an audit\nstorage volume is full. 
If there is no evidence of appropriate action, this is\na finding.", + "fix": "Configure RHEL 8 to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\n Add or update the following line (depending on configuration\n\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\n disk_full_action = HALT\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nby setting the \"disk_full_action\" to \"SYSLOG\"." }, "impact": 0.5, "refs": [ 
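Review bot: The container exemption in the new SV-230290 `code` string keys on `directory('/etc/ssh').exist?`, which does not establish that an SSH daemon is present — `/etc/ssh` typically exists when only the client package is installed (for `ssh_config`), so such a container would be evaluated against `sshd_active_config` and fail rather than be marked Not Applicable. The sibling SSH control SV-244525 in the next hunk of this diff gates on `package('openssh-server').installed?` together with the `allow_container_openssh_server` input, so the two controls currently disagree on when a container is in scope. Aligning this control with that check is a one-line change: `!(virtualization.system.eql?('docker') && !package('openssh-server').installed?)`. Both controls also carry the same `"container-conditional": null` tag, so whichever predicate is chosen should be the same in both to keep the tag meaningful. The SV-230392 control object that begins at the end of this hunk continues outside it (its `code` field is in the following hunk).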
@@ -8158,70 +8108,75 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000076-GPOS-00044", - "gid": "V-230366", - "rid": "SV-230366r646878_rule", - "stig_id": "RHEL-08-020200", - "fix_id": "F-33010r567845_fix", + "gtitle": "SRG-OS-000047-GPOS-00023", + "gid": "V-230392", + "rid": "SV-230392r627750_rule", + "stig_id": "RHEL-08-030060", + "fix_id": "F-33036r567923_fix", "cci": [ - "CCI-000199" + "CCI-000140" ], "nist": [ - "IA-5 (1) (d)" + "AU-5 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230366' do\n title 'RHEL 8 user account passwords must have a 60-day maximum password\nlifetime restriction.'\n desc 'Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.'\n desc 'check', 'Verify that RHEL 8 enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n $ sudo grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n\n If the \"PASS_MAX_DAYS\" parameter value is greater than \"60\", or\ncommented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enforce a 60-day maximum password lifetime.\n\nAdd, or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-230366'\n tag rid: 'SV-230366r646878_rule'\n tag stig_id: 'RHEL-08-020200'\n tag fix_id: 'F-33010r567845_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag 'host'\n tag 'container'\n\n value = input('pass_max_days')\n setting = input_object('pass_max_days').name.upcase\n\n describe \"/etc/login.defs does not have `#{setting}` configured\" do\n let(:config) { login_defs.read_params[setting] }\n it \"greater than #{value} 
day\" do\n expect(config).to cmp <= value\n end\n end\nend\n", + "code": "control 'SV-230392' do\n title 'The RHEL 8 audit system must take appropriate action when the audit\nstorage volume is full.'\n desc 'It is critical that when RHEL 8 is at risk of failing to process audit\nlogs as required, it takes action to mitigate the failure. Audit processing\nfailures include software/hardware errors; failures in the audit capturing\nmechanisms; and audit storage capacity being reached or exceeded. Responses to\naudit failure depend upon the nature of the failure mode.\n\n When availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n 1) If the failure was caused by the lack of audit record storage capacity,\nRHEL 8 must continue generating audit records if possible (automatically\nrestarting the audit service if necessary) and overwriting the oldest audit\nrecords in a first-in-first-out manner.\n\n 2) If audit records are sent to a centralized collection server and\ncommunication with this server is lost or the server fails, RHEL 8 must queue\naudit records locally until communication is restored or until the audit\nrecords are retrieved manually. Upon restoration of the connection to the\ncentralized collection server, action should be taken to synchronize the local\naudit data with the collection server.'\n desc 'check', 'Verify RHEL 8 takes the appropriate action when the audit storage volume is\nfull.\n\n Check that RHEL 8 takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n $ sudo grep disk_full_action /etc/audit/auditd.conf\n\n disk_full_action = HALT\n\n If the value of the \"disk_full_action\" option is not \"SYSLOG\",\n\"SINGLE\", or \"HALT\", or the line is commented out, ask the system\nadministrator to indicate how the system takes appropriate action when an audit\nstorage volume is full. 
If there is no evidence of appropriate action, this is\na finding.'\n desc 'fix', 'Configure RHEL 8 to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\n Add or update the following line (depending on configuration\n\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\n disk_full_action = HALT\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nby setting the \"disk_full_action\" to \"SYSLOG\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000047-GPOS-00023'\n tag gid: 'V-230392'\n tag rid: 'SV-230392r627750_rule'\n tag stig_id: 'RHEL-08-030060'\n tag fix_id: 'F-33036r567923_fix'\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n disk_full_action = input('disk_full_action').map(&:upcase)\n\n describe auditd_conf do\n its('disk_full_action.upcase') { should be_in disk_full_action }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230366.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230392.rb", "line": 1 }, - "id": "SV-230366" + "id": "SV-230392" }, { - "title": "RHEL 8 must allocate an audit_backlog_limit of sufficient size to\ncapture processes that start prior to the audit daemon.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. 
Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n Allocating an audit_backlog_limit of sufficient size is critical in\nmaintaining a stable boot process. With an insufficient limit allocated, the\nsystem is susceptible to boot failures and crashes.", + "title": "RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.", + "desc": "Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\nRHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. 
The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n Allocating an audit_backlog_limit of sufficient size is critical in\nmaintaining a stable boot process. With an insufficient limit allocated, the\nsystem is susceptible to boot failures and crashes.", - "check": "Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\" or greater, is missing, or the line is commented out, this is a finding.\n\nCheck the audit_backlog_limit is set to persist in kernel updates:\n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"\n\nIf \"audit_backlog_limit\" is not set to \"8192\" or greater, is missing or commented out, this is a finding.", - "fix": "Configure RHEL 8 to allocate sufficient audit_backlog_limit to 
capture\nprocesses that start prior to the audit daemon with the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"audit_backlog_limit=8192\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"" + "default": "Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\nRHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.", + "check": "Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientaliveinterval'\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" does not exist, does not have a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Note: This setting must be applied in conjunction with RHEL-08-010200 to function correctly.\n\nConfigure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\n ClientAliveInterval 600\n\nFor the changes to take effect, the SSH daemon must be restarted.\n\n $ sudo systemctl restart sshd.service" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-230469", - "rid": "SV-230469r877391_rule", - "stig_id": "RHEL-08-030602", - "fix_id": "F-33113r568154_fix", + "severity": "medium", + "gtitle": "SRG-OS-000163-GPOS-00072", + "satisfies": [ + "SRG-OS-000163-GPOS-00072", + "SRG-OS-000126-GPOS-00066", + "SRG-OS-000279-GPOS-00109" + ], + "gid": "V-244525", + "rid": "SV-244525r951596_rule", + "stig_id": "RHEL-08-010201", + "fix_id": "F-47757r917885_fix", "cci": [ - "CCI-001849" + "CCI-001133" ], "nist": [ - "AU-4" + "SC-10" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230469' do\n title 'RHEL 8 must allocate an audit_backlog_limit 
of sufficient size to\ncapture processes that start prior to the audit daemon.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n Allocating an audit_backlog_limit of sufficient size is critical in\nmaintaining a stable boot process. With an insufficient limit allocated, the\nsystem is susceptible to boot failures and crashes.'\n desc 'check', 'Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\" or greater, is missing, or the line is commented out, this is a finding.\n\nCheck the audit_backlog_limit is set to persist in kernel updates:\n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"\n\nIf \"audit_backlog_limit\" is not set to \"8192\" or greater, is missing or commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to allocate sufficient audit_backlog_limit to capture\nprocesses that start prior to the audit daemon with the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"audit_backlog_limit=8192\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure 
the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000341-GPOS-00132'\n tag gid: 'V-230469'\n tag rid: 'SV-230469r877391_rule'\n tag stig_id: 'RHEL-08-030602'\n tag fix_id: 'F-33113r568154_fix'\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_config = command('grub2-editenv - list').stdout\n kernelopts = parse_config(grub_config)['kernelopts'].strip.gsub(' ', \"\\n\")\n grub_cmdline_linux = parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX'].strip.gsub(' ', \"\\n\").gsub('\"',\n '')\n\n expected_backlog_limit = input('expected_backlog_limit')\n\n describe 'kernelopts' do\n subject { parse_config(kernelopts) }\n its('audit_backlog_limit') { should cmp >= expected_backlog_limit }\n end\n\n describe 'persistant kernelopts' do\n subject { parse_config(grub_cmdline_linux) }\n its('audit_backlog_limit') { should cmp >= expected_backlog_limit }\n end\nend\n", + "code": "control 'SV-244525' do\n title 'RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.'\n desc 'Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\nRHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.'\n desc 'check', %q(Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientaliveinterval'\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" does not exist, does not have a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Note: This setting must be applied in conjunction with RHEL-08-010200 to function correctly.\n\nConfigure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\n ClientAliveInterval 600\n\nFor the changes to take effect, the SSH daemon must be restarted.\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag satisfies: ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000126-GPOS-00066', 'SRG-OS-000279-GPOS-00109']\n tag gid: 'V-244525'\n tag rid: 'SV-244525r951596_rule'\n tag stig_id: 'RHEL-08-010201'\n tag fix_id: 'F-47757r917885_fix'\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'host'\n tag 'container-conditional'\n\n setting = 'ClientAliveInterval'\n gssapi_authentication = input('sshd_config_values')\n value = gssapi_authentication[setting]\n openssh_present = package('openssh-server').installed?\n\n only_if('This requirement is Not Applicable in the container without open-ssh installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !openssh_present)\n 
}\n\n if input('allow_container_openssh_server') == false\n describe 'In a container Environment' do\n it 'the OpenSSH Server should be installed only when allowed in a container environment' do\n expect(openssh_present).to eq(false), 'OpenSSH Server is installed but not approved for the container environment'\n end\n end\n else\n describe 'The OpenSSH Server configuration' do\n it \"has the correct #{setting} configuration\" do\n expect(sshd_active_config.params[setting.downcase]).to cmp(value), \"The #{setting} setting in the SSHD config is not correct. Please ensure it set to '#{value}'.\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230469.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244525.rb", "line": 1 }, - "id": "SV-230469" + "id": "SV-244525" }, { - "title": "RHEL 8 must allow only the Information System Security Manager (ISSM)\n(or individuals or roles appointed by the ISSM) to select which auditable\nevents are to be audited.", - "desc": "Without the capability to restrict the roles and individuals that can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", + "title": "RHEL 8 must authenticate the remote logging server for off-loading\naudit logs.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n \"Rsyslog\" supported authentication modes include:\n anon - anonymous authentication\n x509/fingerprint - certificate fingerprint authentication\n x509/certvalid - certificate validation only\n x509/name - certificate validation and subject name authentication.", "descriptions": { - "default": "Without the capability to restrict the roles and individuals that can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", - "check": "Verify that the files in directory \"/etc/audit/rules.d/\" and\n\"/etc/audit/auditd.conf\" file have a mode of \"0640\" or less permissive by\nusing the following commands:\n\n $ sudo ls -al /etc/audit/rules.d/*.rules\n\n -rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n\n $ sudo ls -l /etc/audit/auditd.conf\n\n -rw-r----- 1 root root 621 Sep 22 17:19 auditd.conf\n\n If the files in the \"/etc/audit/rules.d/\" directory or the\n\"/etc/audit/auditd.conf\" file have a mode more permissive than \"0640\", this\nis a finding.", - "fix": "Configure the files in directory \"/etc/audit/rules.d/\" and the\n\"/etc/audit/auditd.conf\" file to have a mode of \"0640\" with the following\ncommands:\n\n $ sudo chmod 0640 /etc/audit/rules.d/audit.rules\n $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules\n $ sudo chmod 0640 /etc/audit/auditd.conf" + "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited 
audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n \"Rsyslog\" supported authentication modes include:\n anon - anonymous authentication\n x509/fingerprint - certificate fingerprint authentication\n x509/certvalid - certificate validation only\n x509/name - certificate validation and subject name authentication.", + "check": "Verify the operating system authenticates the remote logging server for\noff-loading audit logs with the following command:\n\n $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf\n/etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name\n\n If the value of the \"$ActionSendStreamDriverAuthMode\" option is not set\nto \"x509/name\" or the line is commented out, ask the System Administrator to\nindicate how the audit logs are off-loaded to a different system or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media is encrypted, this is a finding.", + "fix": "Configure the operating system to authenticate the remote logging server\nfor off-loading audit logs by setting the following option in\n\"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\":\n\n $ActionSendStreamDriverAuthMode x509/name" }, "impact": 0.5, "refs": [ 
@@ -8231,33 +8186,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000063-GPOS-00032", - "gid": "V-230471", - "rid": "SV-230471r627750_rule", - "stig_id": "RHEL-08-030610", - "fix_id": "F-33115r568160_fix", + "gtitle": "SRG-OS-000342-GPOS-00133", + "satisfies": [ + "SRG-OS-000342-GPOS-00133", + "SRG-OS-000479-GPOS-00224" + ], + "gid": "V-230482", + "rid": "SV-230482r877390_rule", + "stig_id": "RHEL-08-030720", + "fix_id": "F-33126r568193_fix", "cci": [ - "CCI-000171" + "CCI-001851" ], "nist": [ - "AU-12 b" + "AU-4 (1)" ], "host": null }, - "code": "control 'SV-230471' do\n title 'RHEL 8 must allow only the Information System Security Manager (ISSM)\n(or individuals or roles appointed by the ISSM) to select which auditable\nevents are to be audited.'\n desc \"Without the capability to restrict the roles and individuals that can\nselect which events are audited, unauthorized personnel may be able to prevent\nthe auditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. 
Misconfigured audits may also make\nit more difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.\"\n desc 'check', 'Verify that the files in directory \"/etc/audit/rules.d/\" and\n\"/etc/audit/auditd.conf\" file have a mode of \"0640\" or less permissive by\nusing the following commands:\n\n $ sudo ls -al /etc/audit/rules.d/*.rules\n\n -rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n\n $ sudo ls -l /etc/audit/auditd.conf\n\n -rw-r----- 1 root root 621 Sep 22 17:19 auditd.conf\n\n If the files in the \"/etc/audit/rules.d/\" directory or the\n\"/etc/audit/auditd.conf\" file have a mode more permissive than \"0640\", this\nis a finding.'\n desc 'fix', 'Configure the files in directory \"/etc/audit/rules.d/\" and the\n\"/etc/audit/auditd.conf\" file to have a mode of \"0640\" with the following\ncommands:\n\n $ sudo chmod 0640 /etc/audit/rules.d/audit.rules\n $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules\n $ sudo chmod 0640 /etc/audit/auditd.conf'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000063-GPOS-00032'\n tag gid: 'V-230471'\n tag rid: 'SV-230471r627750_rule'\n tag stig_id: 'RHEL-08-030610'\n tag fix_id: 'F-33115r568160_fix'\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n rules_files = bash('ls -d /etc/audit/rules.d/*.rules').stdout.strip.split.append('/etc/audit/auditd.conf')\n\n failing_files = rules_files.select { |rf| file(rf).more_permissive_than?(input('audit_conf_mode')) }\n\n describe 'Audit configuration files' do\n it \"should be no more permissive than '#{input('audit_conf_mode')}'\" do\n expect(failing_files).to be_empty, \"Failing files:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230482' do\n title 'RHEL 8 must 
authenticate the remote logging server for off-loading\naudit logs.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n \"Rsyslog\" supported authentication modes include:\n anon - anonymous authentication\n x509/fingerprint - certificate fingerprint authentication\n x509/certvalid - certificate validation only\n x509/name - certificate validation and subject name authentication.'\n desc 'check', %q(Verify the operating system authenticates the remote logging server for\noff-loading audit logs with the following command:\n\n $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf\n/etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name\n\n If the value of the \"$ActionSendStreamDriverAuthMode\" option is not set\nto \"x509/name\" or the line is commented out, ask the System Administrator to\nindicate how the audit logs are off-loaded to a different system or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media is encrypted, this is a finding.)\n desc 'fix', 'Configure the operating system to authenticate the remote logging server\nfor off-loading audit logs by setting the following option in\n\"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\":\n\n $ActionSendStreamDriverAuthMode x509/name'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 
'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-230482'\n tag rid: 'SV-230482r877390_rule'\n tag stig_id: 'RHEL-08-030720'\n tag fix_id: 'F-33126r568193_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe 'rsyslog configuration' do\n subject {\n command(\"grep -i '^\\$ActionSendStreamDriverAuthMode' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'\").stdout\n }\n it { should match %r{\\$ActionSendStreamDriverAuthMode\\s+x509/name} }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230471.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230482.rb", "line": 1 }, - "id": "SV-230471" + "id": "SV-230482" }, { - "title": "All RHEL 8 local interactive user home directories must be group-owned\nby the home directory owner’s primary group.", - "desc": "If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.", + "title": "RHEL 8 must prevent a user from overriding the session idle-delay\nsetting for the graphical user interface.", + "desc": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating 
systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", "descriptions": { - "default": "If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.", - "check": "Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory \"/home/smithj\" is used as an example.\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n\n drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n $ sudo grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group\n\n admin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user’s primary GID, this is a finding.", - "fix": "Change the group owner of a local interactive user’s home directory to the\ngroup found in \"/etc/passwd\". 
To change the group owner of a local\ninteractive user’s home directory, use the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\", and has a primary group of users.\n\n $ sudo chgrp users /home/smithj" + "default": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", + "check": "Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i idle /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/session/idle-delay\n\n If the command does not return at least the example result, this is a\nfinding.", + "fix": "Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/session/idle-delay" }, "impact": 0.5, "refs": [ 
@@ -8267,69 +8226,75 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230322", - "rid": "SV-230322r880717_rule", - "stig_id": "RHEL-08-010740", - "fix_id": "F-32966r880716_fix", + "gtitle": "SRG-OS-000029-GPOS-00010", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "gid": "V-244538", + "rid": "SV-244538r743863_rule", + "stig_id": "RHEL-08-020081", + "fix_id": "F-47770r743862_fix", "cci": [ - "CCI-000366" + "CCI-000057" ], "nist": [ - "CM-6 b" + "AC-11 a" ], "host": null }, - "code": "control 'SV-230322' do\n title 'All RHEL 8 local interactive user home directories must be group-owned\nby the home directory owner’s primary group.'\n desc 'If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.'\n desc 'check', %q(Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. 
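Review bot: In the new SV-230482 `code` string, the subject pipes grep through `awk -F ':' '{ print $2 }'`, which only works when grep prefixes each hit with `filename:`; GNU grep does that solely when more than one file is searched, so if `logging_conf_files` resolves to a single file (or the `/etc/rsyslog.d/*.conf` glob matches nothing) `$2` is empty and a correctly configured host is reported as a finding. Forcing the prefix makes the parse independent of file count: `grep -iH '^\$ActionSendStreamDriverAuthMode' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'`. Note also that `should match` passes if any file carries `x509/name`, so a later file setting `anon` (which rsyslog would honor for subsequent actions) is not caught; a comment such as `# TODO: fail if any uncommented AuthMode is not x509/name, not just if one is` would record that gap, and the check only recognises the legacy directive, not the RainerScript `StreamDriverAuthMode="x509/name"` form, which mirrors the STIG text but is worth stating in a comment.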
The returned directory \"/home/smithj\" is used as an example.\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n\n drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n $ sudo grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group\n\n admin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user’s primary GID, this is a finding.)\n desc 'fix', 'Change the group owner of a local interactive user’s home directory to the\ngroup found in \"/etc/passwd\". To change the group owner of a local\ninteractive user’s home directory, use the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\", and has a primary group of users.\n\n $ sudo chgrp users /home/smithj'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230322'\n tag rid: 'SV-230322r880717_rule'\n tag stig_id: 'RHEL-08-010740'\n tag fix_id: 'F-32966r880716_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_home_users = input('exempt_home_users')\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n iuser_entries = passwd.where { uid.to_i >= uid_min && shell !~ /nologin/ && !exempt_home_users.include?(user) }\n\n if !iuser_entries.users.nil? 
&& !iuser_entries.users.empty?\n failing_iusers = iuser_entries.entries.reject { |iu|\n file(iu['home']).gid == iu.gid.to_i\n }\n failing_homedirs = failing_iusers.map { |iu| iu['home'] }\n\n describe 'All non-exempt interactive user account home directories on the system' do\n it 'should be group-owned by the group of the user they are associated with' do\n expect(failing_homedirs).to be_empty, \"Failing home directories:\\n\\t- #{failing_homedirs.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'No non-exempt interactive user accounts' do\n it 'were detected on the system' do\n expect(true).to eq(true)\n end\n end\n end\nend\n", + "code": "control 'SV-244538' do\n title 'RHEL 8 must prevent a user from overriding the session idle-delay\nsetting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.\"\n desc 'check', 'Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i idle /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/session/idle-delay\n\n If the command does not return at least the example result, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/session/idle-delay'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-244538'\n tag rid: 'SV-244538r743863_rule'\n tag stig_id: 'RHEL-08-020081'\n tag fix_id: 'F-47770r743862_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n no_gui = command('ls 
/usr/share/xsessions/*').stderr.match?(/No such file or directory/)\n\n if no_gui\n impact 0.0\n describe 'The system does not have a GUI Desktop is installed, this control is Not Applicable' do\n skip 'A GUI desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('grep -i idle /etc/dconf/db/local.d/locks/*') do\n it 'checks if idle delay is set' do\n expect(subject.stdout.split).to include('/org/gnome/desktop/session/idle-delay'), 'The idle delay is not set. Please ensure it is set.'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230322.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244538.rb", "line": 1 }, - "id": "SV-230322" + "id": "SV-244538" }, { - "title": "The RHEL 8 file integrity tool must be configured to verify extended\nattributes.", - "desc": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).", + "title": "There must be no shosts.equiv files on the RHEL 8 operating system.", + "desc": "The \"shosts.equiv\" files are used to configure host-based\nauthentication for the system via SSH. 
Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", "descriptions": { - "default": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).", - "check": "Verify the file integrity tool is configured to verify extended attributes.\n\n If AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\n Note: AIDE is highly configurable at install time. This requirement assumes\nthe \"aide.conf\" file is under the \"/etc\" directory.\n\n Use the following command to determine if the file is in another location:\n\n $ sudo find / -name aide.conf\n\n Check the \"aide.conf\" file to determine if the \"xattrs\" rule has been\nadded to the rule list being applied to the files and directories selection\nlists.\n\n An example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\n If the \"xattrs\" rule is not being used on all uncommented selection lines\nin the \"/etc/aide.conf\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory extended\nattributes.\n\n If AIDE is installed, ensure the \"xattrs\" rule is present on all\nuncommented file and directory selection lists." + "default": "The \"shosts.equiv\" files are used to configure host-based\nauthentication for the system via SSH. 
Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", + "check": "Verify there are no \"shosts.equiv\" files on RHEL 8 with the following\ncommand:\n\n $ sudo find / -name shosts.equiv\n\n If a \"shosts.equiv\" file is found, this is a finding.", + "fix": "Remove any found \"shosts.equiv\" files from the system.\n\n$ sudo rm /etc/ssh/shosts.equiv" }, - "impact": 0.3, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", + "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230551", - "rid": "SV-230551r627750_rule", - "stig_id": "RHEL-08-040300", - "fix_id": "F-33195r568400_fix", + "gid": "V-230283", + "rid": "SV-230283r627750_rule", + "stig_id": "RHEL-08-010460", + "fix_id": "F-32927r567596_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230551' do\n title 'The RHEL 8 file integrity tool must be configured to verify extended\nattributes.'\n desc 'Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).'\n desc 'check', 'Verify the file integrity tool is configured to verify extended attributes.\n\n If AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\n Note: AIDE is highly configurable at install time. 
This requirement assumes\nthe \"aide.conf\" file is under the \"/etc\" directory.\n\n Use the following command to determine if the file is in another location:\n\n $ sudo find / -name aide.conf\n\n Check the \"aide.conf\" file to determine if the \"xattrs\" rule has been\nadded to the rule list being applied to the files and directories selection\nlists.\n\n An example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\n If the \"xattrs\" rule is not being used on all uncommented selection lines\nin the \"/etc/aide.conf\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to check file and directory extended\nattributes.\n\n If AIDE is installed, ensure the \"xattrs\" rule is present on all\nuncommented file and directory selection lists.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230551'\n tag rid: 'SV-230551r627750_rule'\n tag stig_id: 'RHEL-08-040300'\n tag fix_id: 'F-33195r568400_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe package('aide') do\n it { should be_installed }\n end\n\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n findings.append(selection.selection_line) unless selection.rules.include? 
'xattrs'\n end\n\n describe \"List of monitored files/directories without 'xattrs' rule\" do\n subject { findings }\n it { should be_empty }\n end\nend\n", + "code": "control 'SV-230283' do\n title 'There must be no shosts.equiv files on the RHEL 8 operating system.'\n desc 'The \"shosts.equiv\" files are used to configure host-based\nauthentication for the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.'\n desc 'check', 'Verify there are no \"shosts.equiv\" files on RHEL 8 with the following\ncommand:\n\n $ sudo find / -name shosts.equiv\n\n If a \"shosts.equiv\" file is found, this is a finding.'\n desc 'fix', 'Remove any found \"shosts.equiv\" files from the system.\n\n$ sudo rm /etc/ssh/shosts.equiv'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230283'\n tag rid: 'SV-230283r627750_rule'\n tag stig_id: 'RHEL-08-010460'\n tag fix_id: 'F-32927r567596_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n shosts_files = command('find / -xdev -xautofs -name shosts.equiv').stdout.strip.split(\"\\n\")\n\n describe 'The RHEL8 filesystem' do\n it 'should not have any shosts.equiv files present' do\n expect(shosts_files).to be_empty, \"Discovered shosts files:\\n\\t- #{shosts_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230551.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230283.rb", "line": 1 }, - "id": "SV-230551" + "id": "SV-230283" }, { - "title": "The RHEL 8 SSH private host key files must have mode 0640 or less permissive.", - "desc": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", + "title": "The RHEL 8 SSH daemon must prevent 
remote hosts from connecting to the\nproxy display.", + "desc": "When X11 forwarding is enabled, there may be additional exposure to\nthe server and client displays if the sshd proxy display is configured to\nlisten on the wildcard address. By default, sshd binds the forwarding server\nto the loopback address and sets the hostname part of the DIPSLAY environment\nvariable to localhost. This prevents remote hosts from connecting to the proxy\ndisplay.", "descriptions": { - "default": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", - "check": "Verify the SSH private host key files have mode \"0640\" or less permissive with the following command:\n\n $ sudo ls -l /etc/ssh/ssh_host*key\n\n -rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n -rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0640\", this is a finding.", - "fix": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n $ sudo chmod 0640 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "When X11 forwarding is enabled, there may be additional exposure to\nthe server and client displays if the sshd proxy display is configured to\nlisten on the wildcard address. By default, sshd binds the forwarding server\nto the loopback address and sets the hostname part of the DIPSLAY environment\nvariable to localhost. 
This prevents remote hosts from connecting to the proxy\ndisplay.", + "check": "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the SSH X11UseLocalhost setting with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11uselocalhost'\n\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the SSH daemon to prevent remote hosts from connecting to the\nproxy display.\n\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be\nnamed differently or be in a different location if using a version of SSH that\nis provided by a third-party vendor):\n\n X11UseLocalhost yes" }, "impact": 0.5, "refs": [ @@ -8340,10 +8305,10 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230287", - "rid": "SV-230287r880714_rule", - "stig_id": "RHEL-08-010490", - "fix_id": "F-32931r880713_fix", + "gid": "V-230556", + "rid": "SV-230556r951620_rule", + "stig_id": "RHEL-08-040341", + "fix_id": "F-33200r568415_fix", "cci": [ "CCI-000366" ], 
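Review bot: In the new SV-244538 `code` string, `expect(subject.stdout.split).to include('/org/gnome/desktop/session/idle-delay')` does an exact-token comparison, but `grep -i idle /etc/dconf/db/local.d/locks/*` prefixes each hit with `filename:` as soon as the glob expands to more than one lock file, so the token becomes `/etc/dconf/db/local.d/locks/session:/org/gnome/desktop/session/idle-delay` and a correctly locked system with several lock files fails. Suppressing the filename fixes it in one place: `describe command('grep -hi idle /etc/dconf/db/local.d/locks/*') do`. The database path is also hard-coded to `local.d` although the check text says to read `system-db` from `/etc/dconf/profile/user`; if that is deliberate, a comment like `# assumes the 'local' system-db; adjust if /etc/dconf/profile/user names another database` would make it explicit. Separately, the SV-230283 find in this hunk adds `-xdev -xautofs`, which the STIG check text does not, so a `shosts.equiv` on a separately mounted filesystem would go unreported; that may be an intentional speed trade-off but deserves a comment.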
@@ -8353,20 +8318,20 @@ "host": null, "container-conditional": null }, - "code": "control 'SV-230287' do\n title 'The RHEL 8 SSH private host key files must have mode 0640 or less permissive.'\n desc 'If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.'\n desc 'check', 'Verify the SSH private host key files have mode \"0640\" or less permissive with the following command:\n\n $ sudo ls -l /etc/ssh/ssh_host*key\n\n -rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n -rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0640\", this is a finding.'\n desc 'fix', 'Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n $ sudo chmod 0640 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230287'\n tag rid: 'SV-230287r880714_rule'\n tag stig_id: 'RHEL-08-010490'\n tag fix_id: 'F-32931r880713_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n ssh_host_key_dirs = input('ssh_host_key_dirs').join(' ')\n priv_keys = command(\"find #{ssh_host_key_dirs} -xdev -name '*.pem'\").stdout.split(\"\\n\")\n mode = input('ssh_private_key_mode')\n failing_keys = priv_keys.select { |key| file(key).more_permissive_than?(mode) }\n\n describe 'All SSH private keys on the filesystem' do\n it \"should be less permissive than #{mode}\" do\n expect(failing_keys).to 
be_empty, \"Failing keyfiles:\\n\\t- #{failing_keys.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230556' do\n title 'The RHEL 8 SSH daemon must prevent remote hosts from connecting to the\nproxy display.'\n desc 'When X11 forwarding is enabled, there may be additional exposure to\nthe server and client displays if the sshd proxy display is configured to\nlisten on the wildcard address. By default, sshd binds the forwarding server\nto the loopback address and sets the hostname part of the DIPSLAY environment\nvariable to localhost. This prevents remote hosts from connecting to the proxy\ndisplay.'\n desc 'check', %q(Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the SSH X11UseLocalhost setting with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11uselocalhost'\n\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to prevent remote hosts from connecting to the\nproxy display.\n\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be\nnamed differently or be in a different location if using a version of SSH that\nis provided by a third-party vendor):\n\n X11UseLocalhost yes'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230556'\n tag rid: 'SV-230556r951620_rule'\n tag stig_id: 'RHEL-08-040341'\n tag fix_id: 'F-33200r568415_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !(virtualization.system.eql?('docker') && 
!file('/etc/ssh/sshd_config').exist?)\n }\n\n describe sshd_active_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230287.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230556.rb", "line": 1 }, - "id": "SV-230287" + "id": "SV-230556" }, { - "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on the /boot/efi directory.", - "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", - "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify the /boot/efi directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot/efi\\s'\n\n/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)\n\nIf the /boot/efi file system does not have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nthe /boot/efi directory." + "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", + "check": "Note: This requirement applies to RHEL versions 8.0 through 8.3. 
If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.", + "fix": "Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3" }, "impact": 0.5, "refs": [ 
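Review bot: The new `source_location.ref` of the SV-230556 entry (and of every other control in this chunk) points into `./Red Hat 8 STIG/controls/`, while the file being regenerated is one of the per-OS baseline profiles, so it is worth confirming that the exporter was run against the intended profile before merging — a whole-file swap of one baseline's controls for another's would silently change what the UI presents under that baseline name. Separately, the SV-230556 test `describe sshd_active_config do its('X11UseLocalhost') { should cmp 'yes' } end` asserts the effective daemon setting, whereas the check text it carries also treats "conflicting results" across config files as a finding; if `sshd_active_config` resolves conflicts the way the daemon does, that second condition is presumably not exercised, which is acceptable but should be stated in the control rather than left implicit.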
@@ -8375,34 +8340,37 @@ } ], "tags": { + "check_id": "C-55152r902744_chk", "severity": "medium", + "gid": "V-251715", + "rid": "SV-251715r902746_rule", + "stig_id": "RHEL-08-020103", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244530", - "rid": "SV-244530r809336_rule", - "stig_id": "RHEL-08-010572", - "fix_id": "F-47762r743838_fix", + "fix_id": "F-55106r902745_fix", + "documentable": null, "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-244530' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on the /boot/efi directory.'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', %q(For systems that use BIOS, this is Not Applicable.\n\nVerify the /boot/efi directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot/efi\\s'\n\n/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)\n\nIf the /boot/efi file system does not have the \"nosuid\" option set, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nthe /boot/efi directory.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244530'\n tag rid: 'SV-244530r809336_rule'\n tag stig_id: 'RHEL-08-010572'\n tag fix_id: 'F-47762r743838_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n\n if file('/sys/firmware/efi').exist?\n describe mount('/boot/efi') do\n it { should be_mounted }\n its('options') { should include 'nosuid' }\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running a BIOS, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-251715' do\n title 'RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.0 through 8.3. 
If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55152r902744_chk'\n tag severity: 'medium'\n tag gid: 'V-251715'\n tag rid: 'SV-251715r902746_rule'\n tag stig_id: 'RHEL-08-020103'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55106r902745_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n only_if('This requirement only applies to RHEL 8 versions below 8.4', impact: 0.0) {\n os.release.to_f < 8.4\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244530.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251715.rb", "line": 1 }, - "id": "SV-244530" + "id": "SV-251715" }, { - "title": "Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and 
investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nThe \"creat\" system call is used to open and possibly create a file or device.\nThe \"open\" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by \"open\".\nThe \"openat\" system call opens a file specified by a relative pathname.\nThe \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of \"openat\" into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", + "title": "RHEL 8 must disable virtual syscalls.", + "desc": "Syscalls are special routines in the Linux kernel, which userspace\napplications ask to do privileged tasks. 
Invoking a system call is an\nexpensive operation because the processor must interrupt the currently\nexecuting task and switch context to kernel mode and then back to userspace\nafter the system call completes. Virtual Syscalls map into user space a page\nthat contains some variables and the implementation of some system calls. This\nallows the system calls to be executed in userspace to alleviate the context\nswitching expense.\n\n Virtual Syscalls provide an opportunity of attack for a user who has\ncontrol of the return instruction pointer. Disabling vsyscalls help to prevent\nreturn oriented programming (ROP) attacks via buffer overflows and overruns. If\nthe system intends to run containers based on RHEL 6 components, then virtual\nsyscalls will need enabled so the components function properly.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nThe \"creat\" system call is used to open and possibly create a file or device.\nThe \"open\" system call opens a file specified by a pathname. 
If the specified file does not exist, it may optionally be created by \"open\".\nThe \"openat\" system call opens a file specified by a relative pathname.\nThe \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of \"openat\" into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.", - "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep 'open\\|truncate\\|creat' /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.\nIf the command does not return an audit rule for \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" or any of the lines returned are commented out, this is a finding.", - "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F 
auid!=unset -k perm_access\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Syscalls are special routines in the Linux kernel, which userspace\napplications ask to do privileged tasks. Invoking a system call is an\nexpensive operation because the processor must interrupt the currently\nexecuting task and switch context to kernel mode and then back to userspace\nafter the system call completes. Virtual Syscalls map into user space a page\nthat contains some variables and the implementation of some system calls. This\nallows the system calls to be executed in userspace to alleviate the context\nswitching expense.\n\n Virtual Syscalls provide an opportunity of attack for a user who has\ncontrol of the return instruction pointer. Disabling vsyscalls help to prevent\nreturn oriented programming (ROP) attacks via buffer overflows and overruns. 
If\nthe system intends to run containers based on RHEL 6 components, then virtual\nsyscalls will need enabled so the components function properly.", + "check": "Verify that GRUB 2 is configured to disable vsyscalls with the following commands:\n\nCheck that the current GRUB 2 configuration disables vsyscalls:\n\n$ sudo grub2-editenv list | grep vsyscall\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"vsyscall\" is not set to \"none\" or is missing, this is a finding.\n\nCheck that vsyscalls are disabled by default to persist in kernel updates:\n\n$ sudo grep vsyscall /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"\n\nIf \"vsyscall\" is not set to \"none\", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", + "fix": "Document the use of vsyscalls with the ISSO as an operational requirement\nor disable them with the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"vsyscall=none\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"vsyscall=none\"" }, "impact": 0.5, "refs": [ 
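Review bot: The applicability guard in the new SV-251715 control, `os.release.to_f < 8.4`, compares versions as floats, so a release string such as "8.10" becomes 8.1 and the control is applied to systems the STIG text marks as not applicable (8.4 or newer); a segment-wise comparison is needed, e.g. `Gem::Version.new(os.release) < Gem::Version.new('8.4')`. The assertion `any_with_integer_arg('retry', '>=', input('min_retry'))` also appears to test only a lower bound, while the check text makes both `retry=0` and any value greater than 3 a finding; unless `min_retry` is defined to encode the upper bound, a rule with `retry=5` would pass, and that deserves either a second bound or a comment explaining the input's semantics.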
@@ -8412,42 +8380,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000134-GPOS-00068", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000064-GPOS-00033" + "SRG-OS-000134-GPOS-00068", + "SRG-OS-000433-GPOS-00192" ], - "gid": "V-230449", - "rid": "SV-230449r810455_rule", - "stig_id": "RHEL-08-030420", - "fix_id": "F-33093r809304_fix", + "gid": "V-230278", + "rid": "SV-230278r792886_rule", + "stig_id": "RHEL-08-010422", + "fix_id": "F-32922r743947_fix", "cci": [ - "CCI-000169" + "CCI-001084" ], "nist": [ - "AU-12 a" + "SC-3" ], "host": null }, - "code": "control 'SV-230449' do\n title 'Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nThe \"creat\" system call is used to open and possibly create a file or device.\nThe \"open\" system call opens a file specified by a pathname. 
If the specified file does not exist, it may optionally be created by \"open\".\nThe \"openat\" system call opens a file specified by a relative pathname.\nThe \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of \"openat\" into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', %q(Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep 'open\\|truncate\\|creat' /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.\nIf the command does not return an audit rule for \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" or any of the lines returned are commented out, this is a finding.)\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 
-F auid!=unset -k perm_access\n\n-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000064-GPOS-00033']\n tag gid: 'V-230449'\n tag rid: 'SV-230449r810455_rule'\n tag stig_id: 'RHEL-08-030420'\n tag fix_id: 'F-33093r809304_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['truncate', 'ftruncate', 'creat', 'open', 'openat', 'open_by_handle_at']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", + "code": "control 'SV-230278' do\n title 'RHEL 8 must disable virtual syscalls.'\n desc 'Syscalls are special routines in the Linux kernel, which userspace\napplications ask to do privileged tasks. 
Invoking a system call is an\nexpensive operation because the processor must interrupt the currently\nexecuting task and switch context to kernel mode and then back to userspace\nafter the system call completes. Virtual Syscalls map into user space a page\nthat contains some variables and the implementation of some system calls. This\nallows the system calls to be executed in userspace to alleviate the context\nswitching expense.\n\n Virtual Syscalls provide an opportunity of attack for a user who has\ncontrol of the return instruction pointer. Disabling vsyscalls help to prevent\nreturn oriented programming (ROP) attacks via buffer overflows and overruns. If\nthe system intends to run containers based on RHEL 6 components, then virtual\nsyscalls will need enabled so the components function properly.'\n desc 'check', 'Verify that GRUB 2 is configured to disable vsyscalls with the following commands:\n\nCheck that the current GRUB 2 configuration disables vsyscalls:\n\n$ sudo grub2-editenv list | grep vsyscall\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"vsyscall\" is not set to \"none\" or is missing, this is a finding.\n\nCheck that vsyscalls are disabled by default to persist in kernel updates:\n\n$ sudo grep vsyscall /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"\n\nIf \"vsyscall\" is not set to \"none\", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.'\n desc 'fix', 'Document the use of vsyscalls with the ISSO as an operational requirement\nor disable them with the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"vsyscall=none\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure 
the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"vsyscall=none\"'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag satisfies: ['SRG-OS-000134-GPOS-00068', 'SRG-OS-000433-GPOS-00192']\n tag gid: 'V-230278'\n tag rid: 'SV-230278r792886_rule'\n tag stig_id: 'RHEL-08-010422'\n tag fix_id: 'F-32922r743947_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_stdout = command('grub2-editenv - list').stdout\n setting = /vsyscall\\s*=\\s*none/\n\n describe 'GRUB config' do\n it 'should enable page poisoning' do\n expect(parse_config(grub_stdout)['kernelopts']).to match(setting), 'Current GRUB configuration does not disable this setting'\n expect(parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX']).to match(setting), 'Setting not configured to persist between kernel updates'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230449.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230278.rb", "line": 1 }, - "id": "SV-230449" + "id": "SV-230278" }, { - "title": "The graphical display manager must not be installed on RHEL 8 unless\napproved.", - "desc": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system.\nGraphical display managers have a long history of security vulnerabilities and\nmust not be used, unless approved and documented.", + "title": "RHEL 8 user account passwords must have a 60-day maximum password\nlifetime restriction.", + "desc": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.", "descriptions": { - "default": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system.\nGraphical display managers have a long history of security vulnerabilities and\nmust not be used, unless approved and documented.", - "check": "Verify that a graphical user interface is not installed:\n\n$ rpm -qa | grep xorg | grep server\n\nAsk the System Administrator if use of a graphical user interface is an operational requirement.\n\nIf the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.", - "fix": "Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:\n\nOpen an SSH session and enter the following commands:\n\n$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland\n\nA reboot is required for the changes to take effect." + "default": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.", + "check": "Verify that RHEL 8 enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n $ sudo grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n\n If the \"PASS_MAX_DAYS\" parameter value is greater than \"60\", or\ncommented out, this is a finding.", + "fix": "Configure RHEL 8 to enforce a 60-day maximum password lifetime.\n\nAdd, or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60" }, "impact": 0.5, "refs": [ 
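Review bot: The example label in the new SV-230278 control, `it 'should enable page poisoning' do`, is a copy-paste leftover from the page_poison control and will mislabel this vsyscall result in every report; it should read `it 'should disable vsyscalls' do`. The regex `/vsyscall\s*=\s*none/` also only confirms the token is present somewhere on the command line, so a later `vsyscall=` token would presumably still satisfy the match even though the kernel honours the last occurrence; a brief comment documenting that the test intentionally does not check for overriding tokens, or a match anchored to the last occurrence, would make the intent clear.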
@@ -8457,74 +8420,71 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230553", - "rid": "SV-230553r809324_rule", - "stig_id": "RHEL-08-040320", - "fix_id": "F-33197r809323_fix", + "gtitle": "SRG-OS-000076-GPOS-00044", + "gid": "V-230366", + "rid": "SV-230366r646878_rule", + "stig_id": "RHEL-08-020200", + "fix_id": "F-33010r567845_fix", "cci": [ - "CCI-000366" + "CCI-000199" ], "nist": [ - "CM-6 b" + "IA-5 (1) (d)" ], "host": null, "container": null }, - "code": "control 'SV-230553' do\n title 'The graphical display manager must not be installed on RHEL 8 unless\napproved.'\n desc 'Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system.\nGraphical display managers have a long history of security vulnerabilities and\nmust not be used, unless approved and documented.'\n desc 'check', 'Verify that a graphical user interface is not installed:\n\n$ rpm -qa | grep xorg | grep server\n\nAsk the System Administrator if use of a graphical user interface is an operational requirement.\n\nIf the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.'\n desc 'fix', 'Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. 
If reinstallation is not feasible, then continue with the following procedure:\n\nOpen an SSH session and enter the following commands:\n\n$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230553'\n tag rid: 'SV-230553r809324_rule'\n tag stig_id: 'RHEL-08-040320'\n tag fix_id: 'F-33197r809323_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n input('remove_xorg_x11_server_packages').each do |p|\n describe package(p) do\n it { should_not be_installed }\n end\n end\nend\n", + "code": "control 'SV-230366' do\n title 'RHEL 8 user account passwords must have a 60-day maximum password\nlifetime restriction.'\n desc 'Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If RHEL 8 does not limit\nthe lifetime of passwords and force users to change their passwords, there is\nthe risk that RHEL 8 passwords could be compromised.'\n desc 'check', 'Verify that RHEL 8 enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n $ sudo grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n\n If the \"PASS_MAX_DAYS\" parameter value is greater than \"60\", or\ncommented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enforce a 60-day maximum password lifetime.\n\nAdd, or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000076-GPOS-00044'\n tag gid: 'V-230366'\n tag rid: 'SV-230366r646878_rule'\n tag stig_id: 'RHEL-08-020200'\n tag fix_id: 'F-33010r567845_fix'\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag 'host'\n tag 'container'\n\n value = input('pass_max_days')\n setting = input_object('pass_max_days').name.upcase\n\n describe \"/etc/login.defs does not have `#{setting}` configured\" do\n let(:config) { login_defs.read_params[setting] }\n it \"greater than #{value} day\" do\n expect(config).to cmp <= value\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230553.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230366.rb", "line": 1 }, - "id": "SV-230553" + "id": "SV-230366" }, { - "title": "RHEL 8 must enable Linux audit logging for the USBGuard daemon.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. 
Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "RHEL 8 system commands must be owned by root.", + "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the\nfollowing commands:\n\n Note: If the USBGuard daemon is not installed and enabled, this requirement\nis not 
applicable.\n\n $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf\n\n AuditBackend=LinuxAudit\n\n If the \"AuditBackend\" entry does not equal \"LinuxAudit\", is missing, or\nthe line is commented out, this is a finding.", - "fix": "Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by\nadding or modifying the following line in\n\"/etc/usbguard/usbguard-daemon.conf\":\n\n AuditBackend=LinuxAudit" + "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "check": "Verify the system commands contained in the following directories are owned\nby \"root\" with the following command:\n\n $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin\n! 
-user root -exec ls -l {} \\;\n\n If any system commands are returned, this is a finding.", + "fix": "Configure the system commands to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\".\n\n $ sudo chown root [FILE]" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230470", - "rid": "SV-230470r744006_rule", - "stig_id": "RHEL-08-030603", - "fix_id": "F-33114r744005_fix", + "severity": "medium", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-230258", + "rid": "SV-230258r627750_rule", + "stig_id": "RHEL-08-010310", + "fix_id": "F-32902r567521_fix", "cci": [ - "CCI-000169" + "CCI-001499" ], "nist": [ - "AU-12 a" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230470' do\n title 'RHEL 8 must enable Linux audit logging for the USBGuard daemon.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.'\n desc 'check', 'Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the\nfollowing commands:\n\n Note: If the USBGuard daemon is not installed and enabled, this requirement\nis not applicable.\n\n $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf\n\n AuditBackend=LinuxAudit\n\n If the \"AuditBackend\" entry does not equal \"LinuxAudit\", is missing, or\nthe line is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by\nadding or modifying the following line in\n\"/etc/usbguard/usbguard-daemon.conf\":\n\n AuditBackend=LinuxAudit'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230470'\n tag rid: 'SV-230470r744006_rule'\n tag stig_id: 'RHEL-08-030603'\n tag fix_id: 'F-33114r744005_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to 
containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/usbguard/usbguard-daemon.conf') do\n its('AuditBackend') { should cmp 'LinuxAudit' }\n end\nend\n", + "code": "control 'SV-230258' do\n title 'RHEL 8 system commands must be owned by root.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system commands contained in the following directories are owned\nby \"root\" with the following command:\n\n $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin\n! -user root -exec ls -l {} \\\\;\n\n If any system commands are returned, this is a finding.'\n desc 'fix', 'Configure the system commands to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\".\n\n $ sudo chown root [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230258'\n tag rid: 'SV-230258r627750_rule'\n tag stig_id: 'RHEL-08-010310'\n tag fix_id: 'F-32902r567521_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_command_dirs').join(' ')} ! 
-user root -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System commands' do\n it 'should be owned by root' do\n expect(failing_files).to be_empty, \"Files not owned by root:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230470.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230258.rb", "line": 1 }, - "id": "SV-230470" + "id": "SV-230258" }, { - "title": "RHEL 8 must mount /var/tmp with the nodev option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "The krb5-workstation package must not be installed on RHEL 8.", + "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/tmp\" is mounted with the \"nodev\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"nodev\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"nodev\" option is missing, or if /var/tmp is mounted without the \"nodev\" option, this is a finding.", - "fix": "Configure the system so that /var/tmp is mounted with the \"nodev\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0" + "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "check": "Verify the krb5-workstation package has not been installed on the system\nwith the following commands:\n\n If the system is a server or is utilizing\nkrb5-workstation-1.17-18.el8.x86_64 or newer, this is Not Applicable.\n\n $ sudo yum list installed krb5-workstation\n\n krb5-workstation.x86_64\n1.17-9.el8 repository\n\n If the krb5-workstation package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", + "fix": "Document the krb5-workstation package with the ISSO as an operational\nrequirement or remove it from the system with the following command:\n\n $ sudo yum remove krb5-workstation" }, "impact": 0.5, "refs": [ 
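Review bot: The only assertion in the new `SV-230366` code is `expect(config).to cmp <= value`, so a `PASS_MAX_DAYS` of `0` or `-1` (which shadow-utils documents as disabling the maximum) satisfies the test although it turns password aging off entirely; add a positive lower bound in the same example, e.g. `expect(config).to cmp > 0`. The describe label `"/etc/login.defs does not have `#{setting}` configured"` also reads as a failure statement even when the check passes; `"/etc/login.defs #{setting}"` with the example named `"should be at most #{value} days"` would describe what is tested. In the new `SV-230258` code the `system_command_dirs` input is joined into the `find` command line unquoted, so a directory name containing whitespace or shell metacharacters changes the command; `.map(&:shellescape).join(' ')` (Ruby's standard `Shellwords`) keeps the list intact. Both control bodies lie entirely within this hunk; since the `"code"` strings are an export of the referenced `.rb` files, the fixes belong in those sources and this JSON should be regenerated.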
@@ -8534,33 +8494,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230520", - "rid": "SV-230520r854061_rule", - "stig_id": "RHEL-08-040132", - "fix_id": "F-33164r792926_fix", + "gtitle": "SRG-OS-000120-GPOS-00061", + "gid": "V-230239", + "rid": "SV-230239r646864_rule", + "stig_id": "RHEL-08-010162", + "fix_id": "F-32883r567464_fix", "cci": [ - "CCI-001764" + "CCI-000803" ], "nist": [ - "CM-7 (2)" + "IA-7" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230520' do\n title 'RHEL 8 must mount /var/tmp with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/tmp\" is mounted with the \"nodev\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"nodev\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"nodev\" option is missing, or if /var/tmp is mounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/tmp is mounted with the \"nodev\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230520'\n tag rid: 'SV-230520r854061_rule'\n tag stig_id: 'RHEL-08-040132'\n tag fix_id: 'F-33164r792926_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/tmp'\n option = 'nodev'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230239' do\n title 'The krb5-workstation package must not be installed on RHEL 8.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n 
RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify the krb5-workstation package has not been installed on the system\nwith the following commands:\n\n If the system is a server or is utilizing\nkrb5-workstation-1.17-18.el8.x86_64 or newer, this is Not Applicable.\n\n $ sudo yum list installed krb5-workstation\n\n krb5-workstation.x86_64\n1.17-9.el8 repository\n\n If the krb5-workstation package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the krb5-workstation package with the ISSO as an operational\nrequirement or remove it from the system with the following command:\n\n $ sudo yum remove krb5-workstation'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-230239'\n tag rid: 'SV-230239r646864_rule'\n tag stig_id: 'RHEL-08-010162'\n tag fix_id: 'F-32883r567464_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n krb5_workstation = package('krb5-workstation')\n\n if krb5_workstation.installed? 
&& krb5_workstation.version >= '1.17-18.el8'\n impact 0.0\n describe 'N/A' do\n skip 'Kerberos installation is at version 1.17-18.el8 or greater; this control is Not Applicable'\n end\n else\n describe krb5_workstation do\n it { should_not be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230520.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230239.rb", "line": 1 }, - "id": "SV-230520" + "id": "SV-230239" }, { - "title": "RHEL 8 must not forward IPv6 source-routed packets.", - "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "Successful/unsuccessful uses of the newgrp command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"newgrp\" command is\nused to change the current group ID during a login session.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_source_route\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not forward IPv6 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events 
relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"newgrp\" command is\nused to change the current group ID during a login session.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"newgrp\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w newgrp /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=unset -k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"newgrp\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=unset -k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
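Review bot: `krb5_workstation.version >= '1.17-18.el8'` in the new `SV-230239` code compares RPM version strings lexicographically, so the older `1.17-9.el8` — the very package the check text shows as a finding — sorts above `1.17-18.el8` and the control is marked Not Applicable instead of failing. Assuming `package(...).version` returns `version-release` as shown in the check text, split the two parts and compare them numerically: `ver, rel = krb5_workstation.version.to_s.split('-', 2)` and `if krb5_workstation.installed? && (Gem::Version.new(ver) > Gem::Version.new('1.17') || (ver == '1.17' && rel.to_i >= 18))`. The same string comparison would misjudge any future release whose number has a different digit count, so the fix is worth making in the referenced `SV-230239.rb` source and regenerating this export. The `SV-230437` control that begins at the end of this hunk has its `"code"` in the next hunk, outside this note.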
@@ -8570,48 +8531,93 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230538", - "rid": "SV-230538r858801_rule", - "stig_id": "RHEL-08-040240", - "fix_id": "F-33182r858800_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230437", + "rid": "SV-230437r627750_rule", + "stig_id": "RHEL-08-030350", + "fix_id": "F-33081r568058_fix", "cci": [ - "CCI-000366" + "CCI-000169" ], "nist": [ - "CM-6 b" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230538' do\n title 'RHEL 8 must not forward IPv6 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_source_route\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv6 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230538'\n tag rid: 'SV-230538r858801_rule'\n tag 
stig_id: 'RHEL-08-040240'\n tag fix_id: 'F-33182r858800_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_source_route'\n action = 'accepting IPv6 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to 
be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230437' do\n title 'Successful/unsuccessful uses of the newgrp command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"newgrp\" command is\nused to change the current group ID during a login session.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"newgrp\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w newgrp /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=unset -k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"newgrp\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=unset -k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230437'\n tag rid: 'SV-230437r627750_rule'\n tag stig_id: 'RHEL-08-030350'\n tag fix_id: 'F-33081r568058_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/newgrp'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230538.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230437.rb", "line": 1 }, - "id": "SV-230538" + "id": "SV-230437" }, { - "title": "RHEL 8 must specify the default \"include\" directory for the /etc/sudoers file.", - "desc": "The \"sudo\" command allows authorized users to run programs (including shells) as other users,\n system users, and root. The \"/etc/sudoers\" file is used to configure authorized \"sudo\" users as\n well as the programs they are allowed to run. Some configuration options in the \"/etc/sudoers\"\n file allow configured users to run programs without re-authenticating. Use of these configuration\n options makes it easier for one compromised account to be used to compromise other accounts.\n\n It is possible to include other sudoers files from within the sudoers file currently being parsed\n using the #include and #includedir directives. When sudo reaches this line it will suspend\n processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the\n end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are\n included may themselves include other files. A hard limit of 128 nested include files is enforced\n to prevent include file loops.", + "title": "RHEL 8 must have the packages required to use the hardware random\nnumber generator entropy gatherer service.", + "desc": "The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. 
Random number generators are\none of the most important building blocks of cryptosystems.\n\n The rngd service feeds random data from hardware device to kernel random\ndevice. Quality (non-predictable) random number generation is important for\nseveral security functions (i.e., ciphers).", "descriptions": { - "default": "The \"sudo\" command allows authorized users to run programs (including shells) as other users,\n system users, and root. The \"/etc/sudoers\" file is used to configure authorized \"sudo\" users as\n well as the programs they are allowed to run. Some configuration options in the \"/etc/sudoers\"\n file allow configured users to run programs without re-authenticating. Use of these configuration\n options makes it easier for one compromised account to be used to compromise other accounts.\n\n It is possible to include other sudoers files from within the sudoers file currently being parsed\n using the #include and #includedir directives. When sudo reaches this line it will suspend\n processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the\n end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are\n included may themselves include other files. 
A hard limit of 128 nested include files is enforced\n to prevent include file loops.", - "check": "Note: If the \"include\" and \"includedir\" directives are not present in the /etc/sudoers\n file, this requirement is not applicable.\n\n Verify the operating system specifies only the default \"include\" directory for the /etc/sudoers\n file with the following command:\n\n $ sudo grep include /etc/sudoers\n\n #includedir /etc/sudoers.d\n\n If the results are not \"/etc/sudoers.d\" or additional files or directories are specified, this is\n a finding.\n\n Verify the operating system does not have nested \"include\" files or directories within the\n /etc/sudoers.d directory with the following command:\n\n $ sudo grep -r include /etc/sudoers.d\n\n If results are returned, this is a finding.", - "fix": "Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.\n\n Edit the /etc/sudoers file with the following command:\n\n $ sudo visudo\n\n Add or modify the following line:\n #includedir /etc/sudoers.d" + "default": "The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The rngd service feeds random data from hardware device to kernel random\ndevice. 
Quality (non-predictable) random number generation is important for\nseveral security functions (i.e., ciphers).", + "check": "Check that RHEL 8 has the packages required to enabled the hardware random\nnumber generator entropy gatherer service with the following command:\n\n $ sudo yum list installed rng-tools\n\n rng-tools.x86_64 6.8-3.el8\n@anaconda\n\n If the \"rng-tools\" package is not installed, this is a finding.", + "fix": "Install the packages required to enabled the hardware random number\ngenerator entropy gatherer service with the following command:\n\n $ sudo yum install rng-tools" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "check_id": "C-55148r833384_chk", - "severity": "medium", - "gid": "V-251711", - "rid": "SV-251711r833385_rule", - "stig_id": "RHEL-08-010379", + "severity": "low", "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-55102r809356_fix", + "gid": "V-244527", + "rid": "SV-244527r743830_rule", + "stig_id": "RHEL-08-010472", + "fix_id": "F-47759r743829_fix", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ], + "host": null + }, + "code": "control 'SV-244527' do\n title 'RHEL 8 must have the packages required to use the hardware random\nnumber generator entropy gatherer service.'\n desc 'The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The rngd service feeds random data from hardware device to kernel random\ndevice. 
Quality (non-predictable) random number generation is important for\nseveral security functions (i.e., ciphers).'\n desc 'check', 'Check that RHEL 8 has the packages required to enabled the hardware random\nnumber generator entropy gatherer service with the following command:\n\n $ sudo yum list installed rng-tools\n\n rng-tools.x86_64 6.8-3.el8\n@anaconda\n\n If the \"rng-tools\" package is not installed, this is a finding.'\n desc 'fix', 'Install the packages required to enabled the hardware random number\ngenerator entropy gatherer service with the following command:\n\n $ sudo yum install rng-tools'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244527'\n tag rid: 'SV-244527r743830_rule'\n tag stig_id: 'RHEL-08-010472'\n tag fix_id: 'F-47759r743829_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe package('rng-tools') do\n it { should be_installed }\n end\nend\n", + "source_location": { + "ref": "./Red Hat 8 STIG/controls/SV-244527.rb", + "line": 1 + }, + "id": "SV-244527" + }, + { + "title": "The RHEL 8 operating system must not have accounts configured with blank or null passwords.", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.", + "descriptions": { + "default": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.",
+ "check": "Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.",
+ "fix": "Configure all accounts on the system to have a password or lock the account\nwith the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\n\nLock an account:\n$ sudo passwd -l [username]"
+ },
+ "impact": 0.7,
+ "refs": [
+ {
+ "ref": "DPMS Target Red Hat Enterprise Linux 8"
+ }
+ ],
+ "tags": {
+ "check_id": "C-55143r809340_chk",
+ "severity": "high",
+ "gid": "V-251706",
+ "rid": "SV-251706r809342_rule",
+ "stig_id": "RHEL-08-010121",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "fix_id": "F-55097r809341_fix",
 "documentable": null,
 "cci": [
 "CCI-000366"
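Review bot: The SV-230437 control added on the new side asserts the literal field string `'auid!=-1'` in `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')`, while the same control's check and fix text tell the operator to write the rule as `auid!=unset`; because this is a string match on what the auditd resource reports rather than a numeric comparison, a rule loaded exactly as the fix text instructs may not match depending on how the installed auditctl renders that field, so this is worth confirming on a RHEL 8 host and, if needed, accepting any of the three equivalent spellings the control's own description lists. The same control's `satisfies` list, both in the JSON `tags` array and in the `tag satisfies:` line inside `code`, carries `SRG-OS-000062-GPOS-00031` twice (first and fourth element); the duplicate should be removed so downstream mappings and counts are not inflated. This file appears to be an export of the InSpec profile, so both corrections belong in `./Red Hat 8 STIG/controls/SV-230437.rb` followed by a regeneration rather than a hand edit of this JSON.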
@@ -8620,22 +8626,22 @@ "CM-6 b" ], "host": null, - "container-conditional": null + "container": null }, - "code": "control 'SV-251711' do\n title 'RHEL 8 must specify the default \"include\" directory for the /etc/sudoers file.'\n desc 'The \"sudo\" command allows authorized users to run programs (including shells) as other users,\n system users, and root. The \"/etc/sudoers\" file is used to configure authorized \"sudo\" users as\n well as the programs they are allowed to run. Some configuration options in the \"/etc/sudoers\"\n file allow configured users to run programs without re-authenticating. Use of these configuration\n options makes it easier for one compromised account to be used to compromise other accounts.\n\n It is possible to include other sudoers files from within the sudoers file currently being parsed\n using the #include and #includedir directives. When sudo reaches this line it will suspend\n processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the\n end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are\n included may themselves include other files. 
A hard limit of 128 nested include files is enforced\n to prevent include file loops.'\n desc 'check', 'Note: If the \"include\" and \"includedir\" directives are not present in the /etc/sudoers\n file, this requirement is not applicable.\n\n Verify the operating system specifies only the default \"include\" directory for the /etc/sudoers\n file with the following command:\n\n $ sudo grep include /etc/sudoers\n\n #includedir /etc/sudoers.d\n\n If the results are not \"/etc/sudoers.d\" or additional files or directories are specified, this is\n a finding.\n\n Verify the operating system does not have nested \"include\" files or directories within the\n /etc/sudoers.d directory with the following command:\n\n $ sudo grep -r include /etc/sudoers.d\n\n If results are returned, this is a finding.'\n desc 'fix', 'Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.\n\n Edit the /etc/sudoers file with the following command:\n\n $ sudo visudo\n\n Add or modify the following line:\n #includedir /etc/sudoers.d'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55148r833384_chk'\n tag severity: 'medium'\n tag gid: 'V-251711'\n tag rid: 'SV-251711r833385_rule'\n tag stig_id: 'RHEL-08-010379'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55102r809356_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable within a container without sudo enabled', impact: 0.0) do\n virtualization.system.eql?('docker') && !command('sudo').exist?\n end\n\n if command('grep include /etc/sudoers').stdout.empty?\n impact 0.0\n describe 'This requirement is not applicable as \"include\" and \"includedir\" directives are not present in the /etc/sudoers file' do\n skip 'This requirement is not applicable as \"include\" and \"includedir\" directives are not present in the /etc/sudoers file'\n end\n else\n describe 'Only the default \"include\" 
directory for /etc/sudoers file should be specified' do\n subject { command('grep include /etc/sudoers').stdout.strip }\n it { should match %r{#includedir\\s*/etc/sudoers.d\\s*$} }\n end\n\n describe 'Nested \"include\" files or directories within /etc/sudoers.d directory should not exist' do\n subject { command('grep -r include /etc/sudoers.d').stdout }\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-251706' do\n title 'The RHEL 8 operating system must not have accounts configured with blank or null passwords.'\n desc 'If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.'\n desc 'check', %q(Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.)\n desc 'fix', 'Configure all accounts on the system to have a password or lock the account\nwith the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\n\nLock an account:\n$ sudo passwd -l [username]'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55143r809340_chk'\n tag severity: 'high'\n tag gid: 'V-251706'\n tag rid: 'SV-251706r809342_rule'\n tag stig_id: 'RHEL-08-010121'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55097r809341_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n users_with_blank_passwords = shadow.where { password.nil? || password.empty? 
}.users - input('users_allowed_blank_passwords')\n\n describe 'All users' do\n it 'should have a password set' do\n fail_msg = \"Users with blank passwords:\\n\\t- #{users_with_blank_passwords.join(\"\\n\\t- \")}\"\n expect(users_with_blank_passwords).to be_empty, fail_msg\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251711.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251706.rb", "line": 1 }, - "id": "SV-251711" + "id": "SV-251706" }, { - "title": "RHEL 8 must enable hardening for the Berkeley Packet Filter\nJust-in-time compiler.", - "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must securely compare internal information system clocks at\nleast every 24 hours with a server synchronized to an authoritative time\nsource, such as the United States Naval Observatory (USNO) time servers, or a\ntime server designated for the appropriate DoD network (NIPRNet/SIPRNet),\nand/or the Global Positioning System (GPS).", + "desc": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).\n\n If time stamps are not consistently applied and there is no common time\nreference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the operating system include date and time. Time\nis commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.\n\n RHEL 8 utilizes the \"timedatectl\" command to view the status of the\n\"systemd-timesyncd.service\". The \"timedatectl\" status will display the\nlocal time, UTC, and the offset from UTC.\n\n Note that USNO offers authenticated NTP service to DoD and U.S. Government\nagencies operating on the NIPR and SIPR networks. 
Visit\nhttps://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2\n\nIf \"net.core.bpf_jit_harden\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.core.bpf_jit_harden = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" + "default": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. 
Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).\n\n If time stamps are not consistently applied and there is no common time\nreference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the operating system include date and time. Time\nis commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.\n\n RHEL 8 utilizes the \"timedatectl\" command to view the status of the\n\"systemd-timesyncd.service\". The \"timedatectl\" status will display the\nlocal time, UTC, and the offset from UTC.\n\n Note that USNO offers authenticated NTP service to DoD and U.S. Government\nagencies operating on the NIPR and SIPR networks. 
Visit\nhttps://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.",
+ "check": "Verify RHEL 8 is securely comparing internal information system clocks at\nleast every 24 hours with an NTP server with the following commands:\n\n $ sudo grep maxpoll /etc/chrony.conf\n\n server 0.us.pool.ntp.mil iburst maxpoll 16\n\n If the \"maxpoll\" option is set to a number greater than 16 or the line is\ncommented out, this is a finding.\n\n Verify the \"chrony.conf\" file is configured to an authoritative DoD time\nsource by running the following command:\n\n $ sudo grep -i server /etc/chrony.conf\n server 0.us.pool.ntp.mil\n\n If the parameter \"server\" is not set or is not set to an authoritative\nDoD time source, this is a finding.",
+ "fix": "Configure the operating system to securely compare internal information\nsystem clocks at least every 24 hours with an NTP server by adding/modifying\nthe following line in the /etc/chrony.conf file.\n\n server [ntp.server.name] iburst maxpoll 16"
 },
 "impact": 0.5,
 "refs": [
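Review bot: In the new SV-251706 `code`, `users_with_blank_passwords = shadow.where { password.nil? || password.empty? }.users - input('users_allowed_blank_passwords')` silently exempts every account named in that input from a severity-high (impact 0.7) finding, whereas the control's own check text says any account returned by the awk command is a finding with no exceptions. Nothing in the control explains the exemption, and the failure message lists only the non-exempt users, so a passing result gives an assessor no signal that accounts were waived. Suggest a why-comment in the source control (`./Red Hat 8 STIG/controls/SV-251706.rb`, then regenerate this export) such as `# Accounts in input 'users_allowed_blank_passwords' are excluded by organisational waiver; each must be justified in the assessment record`, and ideally a second `describe` that reports the waived accounts so the exemption is visible in the results.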
@@ -8645,47 +8651,52 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244554", - "rid": "SV-244554r858832_rule", - "stig_id": "RHEL-08-040286", - "fix_id": "F-47786r858831_fix", + "gtitle": "SRG-OS-000355-GPOS-00143", + "satisfies": [ + "SRG-OS-000355-GPOS-00143", + "SRG-OS-000356-GPOS-00144", + "SRG-OS-000359-GPOS-00146" + ], + "gid": "V-230484", + "rid": "SV-230484r877038_rule", + "stig_id": "RHEL-08-030740", + "fix_id": "F-33128r568199_fix", "cci": [ - "CCI-000366" + "CCI-001891" ], "nist": [ - "CM-6 b" + "AU-8 (1) (a)" ], "host": null }, - "code": "control 'SV-244554' do\n title 'RHEL 8 must enable hardening for the Berkeley Packet Filter\nJust-in-time compiler.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2\n\nIf \"net.core.bpf_jit_harden\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.core.bpf_jit_harden = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244554'\n tag rid: 'SV-244554r858832_rule'\n tag stig_id: 'RHEL-08-040286'\n tag fix_id: 'F-47786r858831_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.core.bpf_jit_harden'\n action = 'BPF JIT compiler'\n value = 2\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n 
expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230484' do\n title \"RHEL 8 must securely compare internal information system clocks at\nleast every 24 hours with a server synchronized to an authoritative time\nsource, such as the United States Naval Observatory (USNO) time servers, or a\ntime server designated for the appropriate DoD network (NIPRNet/SIPRNet),\nand/or the Global Positioning System (GPS).\"\n desc 'Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).\n\n If time stamps are not consistently applied and there is no common time\nreference, it is difficult to perform forensic analysis.\n\n Time stamps generated by the operating system include date and time. 
Time\nis commonly expressed in Coordinated Universal Time (UTC), a modern\ncontinuation of Greenwich Mean Time (GMT), or local time with an offset from\nUTC.\n\n RHEL 8 utilizes the \"timedatectl\" command to view the status of the\n\"systemd-timesyncd.service\". The \"timedatectl\" status will display the\nlocal time, UTC, and the offset from UTC.\n\n Note that USNO offers authenticated NTP service to DoD and U.S. Government\nagencies operating on the NIPR and SIPR networks. Visit\nhttps://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.'\n desc 'check', 'Verify RHEL 8 is securely comparing internal information system clocks at\nleast every 24 hours with an NTP server with the following commands:\n\n $ sudo grep maxpoll /etc/chrony.conf\n\n server 0.us.pool.ntp.mil iburst maxpoll 16\n\n If the \"maxpoll\" option is set to a number greater than 16 or the line is\ncommented out, this is a finding.\n\n Verify the \"chrony.conf\" file is configured to an authoritative DoD time\nsource by running the following command:\n\n $ sudo grep -i server /etc/chrony.conf\n server 0.us.pool.ntp.mil\n\n If the parameter \"server\" is not set or is not set to an authoritative\nDoD time source, this is a finding.'\n desc 'fix', \"Configure the operating system to securely compare internal information\nsystem clocks at least every 24 hours with an NTP server by adding/modifying\nthe following line in the /etc/chrony.conf file.\n\n server [ntp.server.name] iburst maxpoll 16\"\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000355-GPOS-00143'\n tag satisfies: ['SRG-OS-000355-GPOS-00143', 'SRG-OS-000356-GPOS-00144', 'SRG-OS-000359-GPOS-00146']\n tag gid: 'V-230484'\n tag rid: 'SV-230484r877038_rule'\n tag stig_id: 'RHEL-08-030740'\n tag fix_id: 'F-33128r568199_fix'\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n # No need to provide filepath\n time_sources = chrony_conf.server\n\n # Cover case when a single server is defined and resource returns a string and not an array\n time_sources = [time_sources] if time_sources.is_a? String\n\n unless time_sources.nil?\n max_poll_values = time_sources.map { |val|\n val.match?(/.*maxpoll.*/) ? val.gsub(/.*maxpoll\\s+(\\d+)(\\s+.*|$)/, '\\1').to_i : 10\n }\n end\n\n # Verify the \"chrony.conf\" file is configured to a time source by running the following command:\n describe chrony_conf do\n its('server') { should_not be_nil }\n end\n\n unless chrony_conf.server.nil?\n # If there is only one server and the resource returns a string, check if the server matches the input\n if chrony_conf.server.is_a? String\n describe chrony_conf do\n its('server') { should match input('authoritative_timeserver') }\n end\n end\n # Check if each server in the server array exists in the input\n if chrony_conf.server.is_a? Array\n chrony_conf.server.each do |server|\n describe server do\n it { should match input('authoritative_timeserver') }\n end\n end\n end\n\n # All time sources must contain valid maxpoll entries\n unless time_sources.nil?\n describe 'chronyd maxpoll values (99=maxpoll absent)' do\n subject { max_poll_values }\n it { should all be < 17 }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244554.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230484.rb", "line": 1 }, - "id": "SV-244554" + "id": "SV-230484" }, { - "title": "The RHEL 8 file integrity tool must be configured to verify Access\nControl Lists (ACLs).", - "desc": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).", + "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on the 
/boot/efi directory.", + "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).", - "check": "Verify the file integrity tool is configured to verify ACLs.\n\nNote: AIDE is highly configurable at install time. This requirement assumes the \"aide.conf\" file is under the \"/etc\" directory.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nUse the following command to determine if the file is in a location other than \"/etc/aide/aide.conf\":\n\n $ sudo find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists with the following command:\n\n $ sudo grep -E \"[+]?acl\" /etc/aide.conf\n\n VarFile = OwnerMode+n+l+X+acl\n\nIf the \"acl\" rule is not being used on all selection lines in the \"/etc/aide.conf\" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory ACLs.\n\n If AIDE is installed, ensure the \"acl\" rule is present on all file and\ndirectory selection lists." + "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. 
This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify the /boot/efi directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot/efi\\s'\n\n/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)\n\nIf the /boot/efi file system does not have the \"nosuid\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nthe /boot/efi directory." }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230552", - "rid": "SV-230552r880724_rule", - "stig_id": "RHEL-08-040310", - "fix_id": "F-33196r568403_fix", + "gid": "V-244530", + "rid": "SV-244530r809336_rule", + "stig_id": "RHEL-08-010572", + "fix_id": "F-47762r743838_fix", "cci": [ "CCI-000366" ], 
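Review bot: In the new SV-230484 `code` string the describe label `'chronyd maxpoll values (99=maxpoll absent)'` disagrees with what the `max_poll_values` map actually assigns when a server line has no maxpoll option, which is the `: 10` fallback, so test output tells the reader absent entries score 99 when they score 10 and pass the `should all be < 17` check. Either the label or the fallback should change: if an absent maxpoll is meant to pass (chrony's built-in default is 10), rename the label to `'chronyd maxpoll values (10=maxpoll absent, chrony default)'`; if it is meant to be a finding, change the fallback to `: 99` so the label is truthful. Since this JSON is an InSpec export pointing at `./Red Hat 8 STIG/controls/SV-230484.rb`, the correction belongs in that control file with the baseline regenerated, not in this file directly.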
@@ -8694,20 +8705,20 @@ ], "host": null }, - "code": "control 'SV-230552' do\n title 'The RHEL 8 file integrity tool must be configured to verify Access\nControl Lists (ACLs).'\n desc 'ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).'\n desc 'check', 'Verify the file integrity tool is configured to verify ACLs.\n\nNote: AIDE is highly configurable at install time. This requirement assumes the \"aide.conf\" file is under the \"/etc\" directory.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nUse the following command to determine if the file is in a location other than \"/etc/aide/aide.conf\":\n\n $ sudo find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists with the following command:\n\n $ sudo grep -E \"[+]?acl\" /etc/aide.conf\n\n VarFile = OwnerMode+n+l+X+acl\n\nIf the \"acl\" rule is not being used on all selection lines in the \"/etc/aide.conf\" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to check file and directory ACLs.\n\n If AIDE is installed, ensure the \"acl\" rule is present on all file and\ndirectory selection lists.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230552'\n tag rid: 'SV-230552r880724_rule'\n tag stig_id: 'RHEL-08-040310'\n tag fix_id: 'F-33196r568403_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe package('aide') do\n it 
{ should be_installed }\n end\n\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n findings.append(selection.selection_line) unless selection.rules.include? 'acl'\n end\n\n describe \"List of monitored files/directories without 'acl' rule\" do\n subject { findings }\n it { should be_empty }\n end\nend\n", + "code": "control 'SV-244530' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on the /boot/efi directory.'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', %q(For systems that use BIOS, this is Not Applicable.\n\nVerify the /boot/efi directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot/efi\\s'\n\n/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)\n\nIf the /boot/efi file system does not have the \"nosuid\" option set, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nthe /boot/efi directory.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244530'\n tag rid: 'SV-244530r809336_rule'\n tag stig_id: 'RHEL-08-010572'\n tag fix_id: 'F-47762r743838_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if file('/sys/firmware/efi').exist?\n describe mount('/boot/efi') do\n it { should be_mounted }\n its('options') { 
should include 'nosuid' }\n end\n else\n impact 0.0\n describe 'System running BIOS' do\n skip 'The System is running a BIOS, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230552.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244530.rb", "line": 1 }, - "id": "SV-230552" + "id": "SV-244530" }, { - "title": "Successful/unsuccessful uses of the kmod command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"kmod\" command is\nused to control Linux Kernel modules.\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "title": "All RHEL 8 networked systems must have SSH installed.", + "desc": "Without protection of the transmitted 
information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", "descriptions": { - "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"kmod\" command is\nused to control Linux Kernel modules.\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", - "check": "Verify if RHEL 8 is configured to audit the execution of the module\nmanagement program \"kmod\", by running the following command:\n\n $ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset\n-k modules\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure RHEL 8 to audit the execution of the module management program\n\"kmod\" by adding or updating the following line to\n\"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset\n-k modules\n\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", + "check": "Verify SSH is installed with the following command:\n\n$ sudo yum list installed openssh-server\n\nopenssh-server.x86_64 8.0p1-5.el8 @anaconda\n\nIf the \"SSH server\" package is not installed, this is a finding.", + "fix": "Install SSH packages onto the host with the following command:\n\n$ sudo yum install openssh-server.x86_64" }, "impact": 0.5, "refs": [ 
@@ -8717,44 +8728,40 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000423-GPOS-00187", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000471-GPOS-00216", - "SRG-OS-000477-GPOS-00222" + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" ], - "gid": "V-230465", - "rid": "SV-230465r627750_rule", - "stig_id": "RHEL-08-030580", - "fix_id": "F-33109r568142_fix", + "gid": "V-244549", + "rid": "SV-244549r916422_rule", + "stig_id": "RHEL-08-040159", + "fix_id": "F-47781r743895_fix", "cci": [ - "CCI-000169" + "CCI-002418" ], "nist": [ - "AU-12 a" + "SC-8" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230465' do\n title 'Successful/unsuccessful uses of the kmod command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"kmod\" command is\nused to control Linux Kernel modules.\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.'\n desc 'check', 'Verify if RHEL 8 is configured to audit the execution of the module\nmanagement program \"kmod\", by running the following command:\n\n $ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset\n-k modules\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to audit the execution of the module management program\n\"kmod\" by adding or updating the following line to\n\"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset\n-k modules\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 
'SRG-OS-000471-GPOS-00215', 'SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-230465'\n tag rid: 'SV-230465r627750_rule'\n tag stig_id: 'RHEL-08-030580'\n tag fix_id: 'F-33109r568142_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/kmod'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-244549' do\n title 'All RHEL 8 networked systems must have SSH installed.'\n desc 'Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.'\n desc 'check', 'Verify SSH is installed with the following command:\n\n$ sudo yum list installed openssh-server\n\nopenssh-server.x86_64 8.0p1-5.el8 @anaconda\n\nIf the \"SSH server\" package is not installed, this is a finding.'\n desc 'fix', 'Install SSH packages onto the host with the following command:\n\n$ sudo yum install openssh-server.x86_64'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000423-GPOS-00187'\n tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag gid: 'V-244549'\n tag rid: 'SV-244549r916422_rule'\n tag stig_id: 'RHEL-08-040159'\n tag fix_id: 'F-47781r743895_fix'\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n tag 'host'\n tag 'container-conditional'\n\n openssh_present = package('openssh-server').installed?\n\n only_if('This requirement is Not Applicable in the container without open-ssh installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !openssh_present)\n }\n\n if input('allow_container_openssh_server') == false\n describe 'In a container Environment' do\n it 'the OpenSSH Server should be installed only when allowed in a container environment' do\n expect(openssh_present).to eq(false), 'OpenSSH Server is installed but not approved for the container environment'\n end\n end\n else\n describe 'In a machine environment' do\n it 'the OpenSSH Server should be installed' do\n expect(package('openssh-server').installed?).to eq(true), 'the OpenSSH Server is not installed'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230465.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244549.rb", "line": 1 }, - "id": "SV-230465" + "id": "SV-244549" }, { - "title": "Successful/unsuccessful uses of the chage command in RHEL 8 must\ngenerate an 
audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chage\" command is\nused to change or view user password expiry information.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 audit tools must be group-owned by root.", + "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chage\" command is\nused to change or view user password expiry information.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"chage\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chage /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-chage\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"chage\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-chage\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. 
Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", + "check": "Verify the audit tools are group-owned by \"root\" to prevent any\nunauthorized access, deletion, or modification.\n\n Check the owner of each audit tool by running the following commands:\n\n $ sudo stat -c \"%G %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n root /sbin/auditctl\n root /sbin/aureport\n root /sbin/ausearch\n root /sbin/autrace\n root /sbin/auditd\n root /sbin/rsyslogd\n root /sbin/augenrules\n\n If any of the audit tools are not group-owned by \"root\", this is a\nfinding.", + "fix": "Configure the audit tools to be group-owned by \"root\", by running the\nfollowing command:\n\n $ sudo chgrp root [audit_tool]\n\n Replace \"[audit_tool]\" with each audit tool not group-owned by \"root\"." }, "impact": 0.5, "refs": [ 
@@ -8764,43 +8771,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000256-GPOS-00097", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000468-GPOS-00212", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098", + "SRG-OS-000258-GPOS-00099" ], - "gid": "V-230418", - "rid": "SV-230418r627750_rule", - "stig_id": "RHEL-08-030250", - "fix_id": "F-33062r568001_fix", + "gid": "V-230474", + "rid": "SV-230474r627750_rule", + "stig_id": "RHEL-08-030640", + "fix_id": "F-33118r568169_fix", "cci": [ - "CCI-000169" + "CCI-001493" ], "nist": [ - "AU-12 a" + "AU-9", + "AU-9 a" ], "host": null }, - "code": "control 'SV-230418' do\n title 'Successful/unsuccessful uses of the chage command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chage\" command is\nused to change or view user password expiry information.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"chage\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chage /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-chage\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"chage\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-chage\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230418'\n tag rid: 'SV-230418r627750_rule'\n tag stig_id: 'RHEL-08-030250'\n tag fix_id: 'F-33062r568001_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chage'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230474' do\n title 'RHEL 8 audit tools must be group-owned by root.'\n desc 'Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.'\n desc 'check', 'Verify the audit tools are group-owned by \"root\" to prevent any\nunauthorized access, deletion, or modification.\n\n Check the owner of each audit tool by running the following commands:\n\n $ sudo stat -c \"%G %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n root /sbin/auditctl\n root /sbin/aureport\n root /sbin/ausearch\n root /sbin/autrace\n root /sbin/auditd\n root /sbin/rsyslogd\n root /sbin/augenrules\n\n If any of the audit tools are not group-owned by \"root\", this is a\nfinding.'\n desc 'fix', 'Configure the audit tools to be group-owned by \"root\", by running the\nfollowing command:\n\n $ sudo chgrp root [audit_tool]\n\n Replace \"[audit_tool]\" with each audit tool not group-owned by \"root\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000256-GPOS-00097'\n tag satisfies: ['SRG-OS-000256-GPOS-00097', 'SRG-OS-000257-GPOS-00098', 
'SRG-OS-000258-GPOS-00099']\n tag gid: 'V-230474'\n tag rid: 'SV-230474r627750_rule'\n tag stig_id: 'RHEL-08-030640'\n tag fix_id: 'F-33118r568169_fix'\n tag cci: ['CCI-001493']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_tools = ['/sbin/auditctl', '/sbin/aureport', '/sbin/ausearch', '/sbin/autrace', '/sbin/auditd', '/sbin/rsyslogd', '/sbin/augenrules']\n\n failing_tools = audit_tools.reject { |at| file(at).group == 'root' }\n\n describe 'Audit executables' do\n it 'should be group owned by root' do\n expect(failing_tools).to be_empty, \"Failing tools:\\n\\t- #{failing_tools.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230418.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230474.rb", "line": 1 }, - "id": "SV-230418" + "id": "SV-230474" }, { - "title": "RHEL 8 must take action when allocated audit record storage volume\n reaches 75 percent of the repository maximum audit record storage capacity.", - "desc": "If security personnel are not notified immediately when storage volume\n reaches 75 percent utilization, they are unable to plan for audit record\n storage capacity expansion.", + "title": "RHEL 8 must not respond to Internet Control Message Protocol (ICMP)\nechoes sent to a broadcast address.", + "desc": "Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "If security personnel are not notified immediately when storage volume\n reaches 75 percent utilization, they are unable to plan for audit record\n storage capacity expansion.", - "check": "Verify RHEL 8 takes action when allocated audit record storage\n volume reaches 75 percent of the repository maximum audit record storage\n capacity with the following commands:\n\n $ sudo grep -w space_left /etc/audit/auditd.conf\n\n space_left = 25%\n\n If the value of the \"space_left\" keyword is not set to \"25%\" or if the\n line is commented out, ask the System Administrator to indicate how the system\n is providing real-time alerts to the SA and ISSO.\n\n If there is no evidence that real-time alerts are configured on the system,\n this is a finding.", - "fix": "Configure the operating system to initiate an action to notify the\n SA and ISSO (at a minimum) when allocated audit record storage volume reaches\n 75 percent of the repository maximum audit record storage capacity by\n adding/modifying the following line in the /etc/audit/auditd.conf file.\n\n space_left = 25%\n\n Note: Option names and values in the auditd.conf file are case insensitive." 
+ "default": "Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not set to 
\"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
@@ -8810,33 +8813,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000343-GPOS-00134", - "gid": "V-230483", - "rid": "SV-230483r877389_rule", - "stig_id": "RHEL-08-030730", - "fix_id": "F-33127r744013_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230537", + "rid": "SV-230537r858797_rule", + "stig_id": "RHEL-08-040230", + "fix_id": "F-33181r858796_fix", "cci": [ - "CCI-001855" + "CCI-000366" ], "nist": [ - "AU-5 (1)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230483' do\n title 'RHEL 8 must take action when allocated audit record storage volume\n reaches 75 percent of the repository maximum audit record storage capacity.'\n desc 'If security personnel are not notified immediately when storage volume\n reaches 75 percent utilization, they are unable to plan for audit record\n storage capacity expansion.'\n desc 'check', 'Verify RHEL 8 takes action when allocated audit record storage\n volume reaches 75 percent of the repository maximum audit record storage\n capacity with the following commands:\n\n $ sudo grep -w space_left /etc/audit/auditd.conf\n\n space_left = 25%\n\n If the value of the \"space_left\" keyword is not set to \"25%\" or if the\n line is commented out, ask the System Administrator to indicate how the system\n is providing real-time alerts to the SA and ISSO.\n\n If there is no evidence that real-time alerts are configured on the system,\n this is a finding.'\n desc 'fix', 'Configure the operating system to initiate an action to notify the\n SA and ISSO (at a minimum) when allocated audit record storage volume reaches\n 75 percent of the repository maximum audit record storage capacity by\n adding/modifying the following line in the /etc/audit/auditd.conf file.\n\n space_left = 25%\n\n Note: Option names and values in the auditd.conf file are case insensitive.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-230483'\n tag rid: 
'SV-230483r877389_rule'\n tag stig_id: 'RHEL-08-030730'\n tag fix_id: 'F-33127r744013_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe auditd_conf do\n its('space_left.to_i') { should cmp >= input('audit_storage_threshold') }\n end\n end\nend\n", + "code": "control 'SV-230537' do\n title 'RHEL 8 must not respond to Internet Control Message Protocol (ICMP)\nechoes sent to a broadcast address.'\n desc 'Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230537'\n tag rid: 'SV-230537r858797_rule'\n tag stig_id: 'RHEL-08-040230'\n tag 
fix_id: 'F-33181r858796_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.icmp_echo_ignore_broadcasts'\n action = 'IPv4 broadcasts'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a 
file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230483.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230537.rb", "line": 1 }, - "id": "SV-230483" + "id": "SV-230537" }, { - "title": "RHEL 8 audit records must contain information to establish what type\nof events occurred, the source of events, where events occurred, and the\noutcome of events.", - "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.", + "title": "RHEL 8 audit logs must have a mode of 0600 or less permissive to\nprevent unauthorized read access.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. 
Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.", - "check": "Verify the audit service is configured to produce audit records with the following command:\n\n$ sudo systemctl status auditd.service\n\nauditd.service - Security Auditing Service\nLoaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)\nActive: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago\n\nIf the audit service is not \"active\" and \"running\", this is a finding.", - "fix": "Configure the audit service to produce audit records containing the\ninformation needed to establish when (date and time) an event occurred with the\nfollowing commands:\n\n $ sudo systemctl enable auditd.service\n\n $ sudo systemctl start auditd.service" + "default": "Only authorized 
personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the audit logs have a mode of \"0600\" or less permissive.\n\n First, determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, check if the audit log has a mode\nof \"0600\" or less permissive with the following command:\n\n $ sudo stat -c \"%a %n\" /var/log/audit/audit.log\n\n 600 /var/log/audit/audit.log\n\n If the audit log has a mode more permissive than \"0600\", this is a\nfinding.", + "fix": "Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command:\n\n$ sudo chmod 0600 /var/log/audit/audit.log" }, "impact": 0.5, "refs": [ 
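Review bot: In the new `code` string for SV-230537, the search command `command("grep -r ^#{parameter} #{sysctl_config_files} {} \\;")` carries a leftover `{} \;` from a `find -exec` form; grep receives `{}` and `;` as extra file operands, which only adds stderr noise today but obscures the intent and should be dropped. More importantly only `.stdout` is consumed and the exit status is never examined, so a grep that fails outright (an unexpanded glob, an unreadable directory, exit status 2) is indistinguishable from "no configuration file sets the parameter", and the control then reports a finding with a misleading remediation message; checking `command(...).exit_status` before parsing, or at least treating status 2 as a separate failure, would keep the two cases apart. Also `file, setting = item.split(':')` leaves `setting` nil whenever a matched line has no `file:` prefix, and the following `setting.split('=')` would then raise instead of producing a finding, so a guard such as `next if setting.nil?` (or `item.split(':', 2)`) is warranted. The JSON object for this control begins before the hunk.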
@@ -8846,69 +8849,7 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000062-GPOS-00031",
- "satisfies": [
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000038-GPOS-00016",
- "SRG-OS-000039-GPOS-00017",
- "SRG-OS-000040-GPOS-00018",
- "SRG-OS-000041-GPOS-00019",
- "SRG-OS-000042-GPOS-00021",
- "SRG-OS-000051-GPOS-00024",
- "SRG-OS-000054-GPOS-00025",
- "SRG-OS-000122-GPOS-00063",
- "SRG-OS-000254-GPOS-00095",
- "SRG-OS-000255-GPOS-00096",
- "SRG-OS-000337-GPOS-00129",
- "SRG-OS-000348-GPOS-00136",
- "SRG-OS-000349-GPOS-00137",
- "SRG-OS-000350-GPOS-00138",
- "SRG-OS-000351-GPOS-00139",
- "SRG-OS-000352-GPOS-00140",
- "SRG-OS-000353-GPOS-00141",
- "SRG-OS-000354-GPOS-00142",
- "SRG-OS-000358-GPOS-00145",
- "SRG-OS-000365-GPOS-00152",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000475-GPOS-00220"
- ],
- "gid": "V-244542",
- "rid": "SV-244542r818838_rule",
- "stig_id": "RHEL-08-030181",
- "fix_id": "F-47774r743874_fix",
- "cci": [
- "CCI-000169"
- ],
- "nist": [
- "AU-12 a"
- ],
- "host": null
- },
- "code": "control 'SV-244542' do\n title 'RHEL 8 audit records must contain information to establish what type\nof events occurred, the source of events, where events occurred, and the\noutcome of events.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 
system.'\n desc 'check', 'Verify the audit service is configured to produce audit records with the following command:\n\n$ sudo systemctl status auditd.service\n\nauditd.service - Security Auditing Service\nLoaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)\nActive: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago\n\nIf the audit service is not \"active\" and \"running\", this is a finding.'\n desc 'fix', 'Configure the audit service to produce audit records containing the\ninformation needed to establish when (date and time) an event occurred with the\nfollowing commands:\n\n $ sudo systemctl enable auditd.service\n\n $ sudo systemctl start auditd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000038-GPOS-00016', 'SRG-OS-000039-GPOS-00017', 'SRG-OS-000040-GPOS-00018', 'SRG-OS-000041-GPOS-00019', 'SRG-OS-000042-GPOS-00021', 'SRG-OS-000051-GPOS-00024', 'SRG-OS-000054-GPOS-00025', 'SRG-OS-000122-GPOS-00063', 'SRG-OS-000254-GPOS-00095', 'SRG-OS-000255-GPOS-00096', 'SRG-OS-000337-GPOS-00129', 'SRG-OS-000348-GPOS-00136', 'SRG-OS-000349-GPOS-00137', 'SRG-OS-000350-GPOS-00138', 'SRG-OS-000351-GPOS-00139', 'SRG-OS-000352-GPOS-00140', 'SRG-OS-000353-GPOS-00141', 'SRG-OS-000354-GPOS-00142', 'SRG-OS-000358-GPOS-00145', 'SRG-OS-000365-GPOS-00152', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000475-GPOS-00220']\n tag gid: 'V-244542'\n tag rid: 'SV-244542r818838_rule'\n tag stig_id: 'RHEL-08-030181'\n tag fix_id: 'F-47774r743874_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n",
- "source_location": {
- "ref": "./Red 
Hat 8 STIG/controls/SV-244542.rb",
- "line": 1
- },
- "id": "SV-244542"
- },
- {
- "title": "RHEL 8 audit logs must have a mode of 0600 or less permissive to\nprevent unauthorized read access.",
- "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
- "descriptions": {
- "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
- "check": "Verify the audit logs have a mode of \"0600\" or less permissive.\n\n First, determine where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, check if the audit log has a mode\nof \"0600\" or less permissive with the following command:\n\n $ sudo stat -c \"%a %n\" /var/log/audit/audit.log\n\n 600 /var/log/audit/audit.log\n\n If the audit log has a mode more permissive than \"0600\", this is a\nfinding.",
- "fix": "Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command:\n\n$ sudo chmod 0600 /var/log/audit/audit.log"
- },
- "impact": 0.5,
- "refs": [
- {
- "ref": "DPMS Target Red Hat Enterprise Linux 8"
- }
- ],
- "tags": {
- "severity": "medium",
- "gtitle": "SRG-OS-000057-GPOS-00027",
+ "gtitle": "SRG-OS-000057-GPOS-00027",
 "satisfies": [
 "SRG-OS-000057-GPOS-00027",
 "SRG-OS-000058-GPOS-00028",
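Review bot: The only surviving new-side line in this hunk is SV-230396's `"gtitle": "SRG-OS-000057-GPOS-00027"`, so the net effect here is that control SV-244542 (stig_id RHEL-08-030181, the check that the auditd service is enabled and running) is dropped at this position rather than reworded. Unless the regenerated profile re-emits that control elsewhere in the file, the baseline loses its only check that the audit service is actually active, which the other audit-record controls implicitly rely on. Before merging, confirm with a search for `"id": "SV-244542"` in the new file, and if it is absent, regenerate the export from a source profile that still contains `controls/SV-244542.rb`.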
@@ -8936,12 +8877,12 @@
 "id": "SV-230396"
 },
 {
- "title": "RHEL 8 must be configured so that all files and directories contained\nin local interactive user home directories are group-owned by a group of which\nthe home directory owner is a member.",
- "desc": "If a local interactive user's files are group-owned by a group of\nwhich the user is not a member, unintended users may be able to access them.",
+ "title": "RHEL 8 must not forward IPv4 source-routed packets.",
+ "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf",
 "descriptions": {
- "default": "If a local interactive user's files are group-owned by a group of\nwhich the user is not a member, unintended users may be able to access them.",
- "check": "Verify all files and directories in a local interactive user home directory\nare group-owned by a group that the user is a member.\n\n Check the group owner of all files and directories in a local interactive\nuser's home directory with the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n $ sudo ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\n If any files found with a group-owner different from the home directory\nuser private group, check to see if the user is a member of that group with the\nfollowing command:\n\n $ sudo grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n\n If any files or directories are group owned by a group that the directory\nowner is not a member of, this is a finding.",
- "fix": "Change the group of a local interactive user's files and directories to a\ngroup that the interactive user is a member. To change the group owner of a\nlocal interactive user's files and directories, use the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n $ sudo chgrp smithj /home/smithj/"
+ "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf",
+ "check": "Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.",
+ "fix": "Configure RHEL 8 to not forward IPv4 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with 
the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"
 },
 "impact": 0.5,
 "refs": [
@@ -8952,156 +8893,155 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244532", - "rid": "SV-244532r743845_rule", - "stig_id": "RHEL-08-010741", - "fix_id": "F-47764r743844_fix", + "gid": "V-244551", + "rid": "SV-244551r858799_rule", + "stig_id": "RHEL-08-040239", + "fix_id": "F-47783r858798_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-244532' do\n title 'RHEL 8 must be configured so that all files and directories contained\nin local interactive user home directories are group-owned by a group of which\nthe home directory owner is a member.'\n desc \"If a local interactive user's files are group-owned by a group of\nwhich the user is not a member, unintended users may be able to access them.\"\n desc 'check', %q(Verify all files and directories in a local interactive user home directory\nare group-owned by a group that the user is a member.\n\n Check the group owner of all files and directories in a local interactive\nuser's home directory with the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n $ sudo ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\n If any files found with a group-owner different from the home directory\nuser private group, check to see if the user is a member of that group with the\nfollowing command:\n\n $ sudo grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n\n If any files or directories are group owned by a group that the directory\nowner is not a member of, this is a finding.)\n desc 'fix', %q(Change the group of a local interactive user's files and directories to a\ngroup that the interactive user is a member. 
To change the group owner of a\nlocal interactive user's files and directories, use the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n $ sudo chgrp smithj /home/smithj/)\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244532'\n tag rid: 'SV-244532r743845_rule'\n tag stig_id: 'RHEL-08-010741'\n tag fix_id: 'F-47764r743844_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n ignore_shells = input('non_interactive_shells').join('|')\n exempt_home_users = input('exempt_home_users').join('|')\n\n findings = Set[]\n users.where { !username.match(exempt_home_users) && !shell.match(ignore_shells) && (uid >= 1000 || uid.zero?) }.entries.each do |user_info|\n findings += command(\"find #{user_info.home} -xdev -not -gid #{user_info.gid}\").stdout.split(\"\\n\")\n end\n describe 'All files in the users home directory' do\n it 'are expected to be owned by the user' do\n expect(findings).to be_empty, \"Some files in the users home directory are not owned by the user. Please ensure all files are owned by thier user. Findings:\\n\\t- #{findings.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-244551' do\n title 'RHEL 8 must not forward IPv4 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv4 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration 
files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244551'\n tag rid: 'SV-244551r858799_rule'\n tag stig_id: 'RHEL-08-040239'\n tag fix_id: 'F-47783r858798_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.accept_source_route'\n action = 'IPv4 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? 
{ |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244532.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244551.rb", "line": 1 }, - "id": "SV-244532" + "id": "SV-244551" }, { - "title": "RHEL 8 must restrict access to the kernel message buffer.", - "desc": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nRestricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must not allow blank or null passwords in the password-auth\nfile.", + "desc": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", "descriptions": { - "default": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nRestricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\nCheck the status of the kernel.dmesg_restrict kernel parameter.\n\n$ sudo sysctl kernel.dmesg_restrict\n\nkernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to restrict access to the kernel message buffer.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "If an 
account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", + "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/password-auth\n\nIf output is produced, this is a finding.", + "fix": "Remove any instances of the \"nullok\" option in the\n\"/etc/pam.d/password-auth\" file to prevent logons with empty passwords.\n\n Note: Manual changes to the listed file may be overwritten by the\n\"authselect\" program." }, - "impact": 0.3, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-230269", - "rid": "SV-230269r858756_rule", - "stig_id": "RHEL-08-010375", - "fix_id": "F-32913r858755_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-244541", + "rid": "SV-244541r743872_rule", + "stig_id": "RHEL-08-020332", + "fix_id": "F-47773r743871_fix", "cci": [ - "CCI-001090" + "CCI-000366" ], "nist": [ - "SC-4" - ], - "host": null + "CM-6 b" + ] }, - "code": "control 'SV-230269' do\n title 'RHEL 8 must restrict access to the kernel message buffer.'\n desc 'Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nRestricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\nCheck the status of the kernel.dmesg_restrict kernel parameter.\n\n$ sudo sysctl kernel.dmesg_restrict\n\nkernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to restrict access to the kernel message buffer.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag gid: 'V-230269'\n tag rid: 'SV-230269r858756_rule'\n tag stig_id: 'RHEL-08-010375'\n tag fix_id: 'F-32913r858755_fix'\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host'\n\n only_if('Control not applicable within 
a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'kernel.dmesg_restrict'\n\n describe kernel_parameter(action) do\n its('value') { should eq 1 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? { |line| line.match(/#{action}\\s*=\\s*1$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^1]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-244541' do\n title 'RHEL 8 must not allow blank or null passwords in the password-auth\nfile.'\n desc 'If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.'\n desc 'check', 'To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/password-auth\n\nIf output is produced, this is a finding.'\n desc 'fix', 'Remove any instances of the \"nullok\" option in the\n\"/etc/pam.d/password-auth\" file to prevent logons with empty passwords.\n\n Note: Manual changes to the listed file may be overwritten by the\n\"authselect\" program.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244541'\n tag rid: 'SV-244541r743872_rule'\n tag stig_id: 'RHEL-08-020332'\n tag fix_id: 'F-47773r743871_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n pam_auth_files = input('pam_auth_files')\n file_list = pam_auth_files.values.join(' ')\n bad_entries = command(\"grep -i nullok #{file_list}\").stdout.lines.collect { |line| line.split.join(' ') }\n\n describe 'The system is configureed' do\n subject { command(\"grep -i nullok #{file_list}\") }\n it 'to not allow null passwords' do\n expect(subject.stdout.strip).to be_empty, \"The system is configured to allow null passwords. Please remove any instances of the `nullok` option from: \\n\\t- #{bad_entries.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230269.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244541.rb", "line": 1 }, - "id": "SV-230269" + "id": "SV-244541" }, { - "title": "RHEL 8 must prevent the installation of software, patches, service\npacks, device drivers, or operating system components from a repository without\nverification they have been digitally signed using a certificate that is issued\nby a Certificate Authority (CA) that is recognized and approved by the\norganization.", - "desc": "Changes to any software components can have significant effects on the\noverall security of the operating system. 
This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "title": "Executable search paths within the initialization files of all local\ninteractive RHEL 8 users must only contain paths that resolve to the system\ndefault or the users home directory.", + "desc": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory (other than the user's home\ndirectory), executables in these directories may be executed instead of system\ncommands. This variable is formatted as a colon-separated list of directories.\nIf there is an empty entry, such as a leading or trailing colon or two\nconsecutive colons, this is interpreted as the current working directory. If\ndeviations from the default system search path for the local interactive user\nare required, they must be documented with the Information System Security\nOfficer (ISSO).", "descriptions": { - "default": "Changes to any software components can have significant effects on the\noverall security of the operating system. 
This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", - "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that YUM verifies the signature of packages from a repository prior to install with the following command:\n\n $ sudo grep -E '^\\[.*\\]|gpgcheck' /etc/yum.repos.d/*.repo\n\n /etc/yum.repos.d/appstream.repo:[appstream]\n /etc/yum.repos.d/appstream.repo:gpgcheck=1\n /etc/yum.repos.d/baseos.repo:[baseos]\n /etc/yum.repos.d/baseos.repo:gpgcheck=1\n\nIf \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.\n\nIf there is no process to validate certificates that is approved by the organization, this is a finding.", - "fix": "Configure the operating system to verify the signature of packages from a\nrepository prior to install by setting the following option in the\n\"/etc/yum.repos.d/[your_repo_name].repo\" file:\n\n gpgcheck=1" + 
"default": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory (other than the user's home\ndirectory), executables in these directories may be executed instead of system\ncommands. This variable is formatted as a colon-separated list of directories.\nIf there is an empty entry, such as a leading or trailing colon or two\nconsecutive colons, this is interpreted as the current working directory. If\ndeviations from the default system search path for the local interactive user\nare required, they must be documented with the Information System Security\nOfficer (ISSO).", + "check": "Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:\n\n$ sudo grep -i path= /home/*/.*\n\n/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Edit the local interactive user initialization files to change any PATH\nvariable statements that reference directories other than their home directory.\n\n If a local interactive user requires path variables to reference a\ndirectory owned by the application, it must be documented with the ISSO." 
 },
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [
 {
 "ref": "DPMS Target Red Hat Enterprise Linux 8"
 }
 ],
 "tags": {
- "severity": "high",
- "gtitle": "SRG-OS-000366-GPOS-00153",
- "gid": "V-230264",
- "rid": "SV-230264r880711_rule",
- "stig_id": "RHEL-08-010370",
- "fix_id": "F-32908r880710_fix",
+ "severity": "medium",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-230317",
+ "rid": "SV-230317r792896_rule",
+ "stig_id": "RHEL-08-010690",
+ "fix_id": "F-32961r567698_fix",
 "cci": [
- "CCI-001749"
+ "CCI-000366"
 ],
 "nist": [
- "CM-5 (3)"
+ "CM-6 b"
 ],
 "host": null,
 "container": null
 },
- "code": "control 'SV-230264' do\n title 'RHEL 8 must prevent the installation of software, patches, service\npacks, device drivers, or operating system components from a repository without\nverification they have been digitally signed using a certificate that is issued\nby a Certificate Authority (CA) that is recognized and approved by the\norganization.'\n desc 'Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.'\n desc 'check', %q(Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that YUM verifies the signature of packages from a repository prior to install with the following command:\n\n $ sudo grep -E '^\\[.*\\]|gpgcheck' /etc/yum.repos.d/*.repo\n\n /etc/yum.repos.d/appstream.repo:[appstream]\n /etc/yum.repos.d/appstream.repo:gpgcheck=1\n /etc/yum.repos.d/baseos.repo:[baseos]\n /etc/yum.repos.d/baseos.repo:gpgcheck=1\n\nIf \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.\n\nIf there is no process to validate certificates that is approved by the organization, this is a finding.)\n desc 'fix', 'Configure the operating system to verify the signature of packages from a\nrepository prior to install by setting the following option in the\n\"/etc/yum.repos.d/[your_repo_name].repo\" file:\n\n gpgcheck=1'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-230264'\n tag rid: 'SV-230264r880711_rule'\n tag stig_id: 'RHEL-08-010370'\n tag fix_id: 'F-32908r880710_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host'\n tag 'container'\n\n # TODO: create a plural resource for repo def files (`repositories`?)\n\n # get list of all repo files\n repo_def_files = command('ls /etc/yum.repos.d/*.repo').stdout.split(\"\\n\")\n\n if repo_def_files.empty?\n describe 'No repos found in /etc/yum.repos.d/*.repo' do\n skip 'No repos found in /etc/yum.repos.d/*.repo'\n end\n 
else\n # pull out all repo definitions from all files into one big hash\n repos = repo_def_files.map { |file| parse_config_file(file).params }.inject(&:merge)\n\n # check big hash for repos that fail the test condition\n failing_repos = repos.keys.reject { |repo_name| repos[repo_name]['gpgcheck'] == '1' }\n\n describe 'All repositories' do\n it 'should be configured to verify digital signatures' do\n expect(failing_repos).to be_empty, \"Misconfigured repositories:\\n\\t- #{failing_repos.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230317' do\n title 'Executable search paths within the initialization files of all local\ninteractive RHEL 8 users must only contain paths that resolve to the system\ndefault or the users home directory.'\n desc \"The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory (other than the user's home\ndirectory), executables in these directories may be executed instead of system\ncommands. This variable is formatted as a colon-separated list of directories.\nIf there is an empty entry, such as a leading or trailing colon or two\nconsecutive colons, this is interpreted as the current working directory. 
If\ndeviations from the default system search path for the local interactive user\nare required, they must be documented with the Information System Security\nOfficer (ISSO).\"\n desc 'check', 'Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:\n\n$ sudo grep -i path= /home/*/.*\n\n/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Edit the local interactive user initialization files to change any PATH\nvariable statements that reference directories other than their home directory.\n\n If a local interactive user requires path variables to reference a\ndirectory owned by the application, it must be documented with the ISSO.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230317'\n tag rid: 'SV-230317r792896_rule'\n tag stig_id: 'RHEL-08-010690'\n tag fix_id: 'F-32961r567698_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n ignore_shells = input('non_interactive_shells').join('|')\n\n findings = {}\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid.zero?) }.entries.each do |user_info|\n next if input('exempt_home_users').include?(user_info.username.to_s)\n\n grep_results = command(\"grep -i path= --exclude=\\\".bash_history\\\" #{user_info.home}/.*\").stdout.split(\"\\n\")\n grep_results.each do |result|\n result.slice! 'PATH='\n # Case when last value in exec search path is :\n result += ' ' if result[-1] == ':'\n result.slice! '$PATH:'\n result.gsub! 
'=\"', '=' # account for cases where path is set to equal a quote-wrapped statement\n result.gsub! '$HOME', user_info.home.to_s\n result.gsub! '~', user_info.home.to_s\n result.gsub! ':$PATH', '' # remove $PATH if it shows up at the end of line\n line_arr = result.split(':')\n line_arr.delete_at(0)\n line_arr.each do |line|\n line = line.strip\n\n # Don't run test on line that exports PATH and is not commented out\n next unless !line.start_with?('export') && !line.start_with?('#')\n\n # Case when :: found in exec search path or : found at beginning\n if line.strip.empty?\n curr_work_dir = command('pwd').stdout.delete(\"\\n\")\n line = curr_work_dir if curr_work_dir.start_with?(user_info.home.to_s) || curr_work_dir[]\n end\n\n # catch a leading '\"'\n line = line[1..line.length] if line.start_with?('\"')\n\n # This will fail if non-home directory found in path\n next if line.start_with?(user_info.home)\n\n # we want a hash of usernames as the keys and arrays of failing lines as values\n findings[user_info.username] = if findings[user_info.username]\n findings[user_info.username] << line\n else\n [line]\n end\n end\n end\n end\n\n describe 'Initialization files' do\n it \"should not include executable search paths that include directories outside the respective user's home directory\" do\n expect(findings).to be_empty, \"Users with non-homedir paths assigned to their PATH environment variable:\\n\\t#{findings}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230264.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230317.rb", "line": 1 }, - "id": "SV-230264" + "id": "SV-230317" }, { - "title": "RHEL 8 must have the packages required to use the hardware random\nnumber generator entropy gatherer service.", - "desc": "The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. 
Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The rngd service feeds random data from hardware device to kernel random\ndevice. Quality (non-predictable) random number generation is important for\nseveral security functions (i.e., ciphers).", + "title": "All RHEL 8 world-writable directories must be group-owned by root,\nsys, bin, or an application group.", + "desc": "If a world-writable directory is not group-owned by root, sys, bin, or\nan application Group Identifier (GID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", "descriptions": { - "default": "The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The rngd service feeds random data from hardware device to kernel random\ndevice. 
Quality (non-predictable) random number generation is important for\nseveral security functions (i.e., ciphers).", - "check": "Check that RHEL 8 has the packages required to enabled the hardware random\nnumber generator entropy gatherer service with the following command:\n\n $ sudo yum list installed rng-tools\n\n rng-tools.x86_64 6.8-3.el8\n@anaconda\n\n If the \"rng-tools\" package is not installed, this is a finding.", - "fix": "Install the packages required to enabled the hardware random number\ngenerator entropy gatherer service with the following command:\n\n $ sudo yum install rng-tools" + "default": "If a world-writable directory is not group-owned by root, sys, bin, or\nan application Group Identifier (GID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "check": "The following command will discover and print world-writable directories\nthat are not group-owned by a system account, given the assumption that only\nsystem accounts have a gid lower than 1000. Run it once for each local\npartition [PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -gid +999 -print\n\n If there is output, this is a finding.", + "fix": "All directories in local partitions which are world-writable\nmust be group-owned by root or another system account. If any world-writable\ndirectories are not group-owned by a system account, this must be investigated.\n Following this, the directories must be deleted or assigned to an appropriate\ngroup." 
 },
- "impact": 0.3,
+ "impact": 0.5,
 "refs": [
 {
 "ref": "DPMS Target Red Hat Enterprise Linux 8"
 }
 ],
 "tags": {
- "severity": "low",
+ "severity": "medium",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-244527",
- "rid": "SV-244527r743830_rule",
- "stig_id": "RHEL-08-010472",
- "fix_id": "F-47759r743829_fix",
+ "gid": "V-230319",
+ "rid": "SV-230319r743961_rule",
+ "stig_id": "RHEL-08-010710",
+ "fix_id": "F-32963r567704_fix",
 "cci": [
 "CCI-000366"
 ],
 "nist": [
 "CM-6 b"
 ],
- "host": null
+ "host": null,
+ "container": null
 },
- "code": "control 'SV-244527' do\n title 'RHEL 8 must have the packages required to use the hardware random\nnumber generator entropy gatherer service.'\n desc 'The most important characteristic of a random number generator is its\nrandomness, namely its ability to deliver random numbers that are impossible to\npredict. Entropy in computer security is associated with the unpredictability\nof a source of randomness. The random source with high entropy tends to\nachieve a uniform distribution of random values. Random number generators are\none of the most important building blocks of cryptosystems.\n\n The rngd service feeds random data from hardware device to kernel random\ndevice. 
Quality (non-predictable) random number generation is important for\nseveral security functions (i.e., ciphers).'\n desc 'check', 'Check that RHEL 8 has the packages required to enabled the hardware random\nnumber generator entropy gatherer service with the following command:\n\n $ sudo yum list installed rng-tools\n\n rng-tools.x86_64 6.8-3.el8\n@anaconda\n\n If the \"rng-tools\" package is not installed, this is a finding.'\n desc 'fix', 'Install the packages required to enabled the hardware random number\ngenerator entropy gatherer service with the following command:\n\n $ sudo yum install rng-tools'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244527'\n tag rid: 'SV-244527r743830_rule'\n tag stig_id: 'RHEL-08-010472'\n tag fix_id: 'F-47759r743829_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe package('rng-tools') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-230319' do\n title 'All RHEL 8 world-writable directories must be group-owned by root,\nsys, bin, or an application group.'\n desc 'If a world-writable directory is not group-owned by root, sys, bin, or\nan application Group Identifier (GID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories\nthat are not group-owned by a system account, given the assumption that only\nsystem accounts have a gid lower 
than 1000. Run it once for each local\npartition [PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -gid +999 -print\n\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable\nmust be group-owned by root or another system account. If any world-writable\ndirectories are not group-owned by a system account, this must be investigated.\n Following this, the directories must be deleted or assigned to an appropriate\ngroup.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230319'\n tag rid: 'SV-230319r743961_rule'\n tag stig_id: 'RHEL-08-010710'\n tag fix_id: 'F-32963r567704_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. 
You must enable this control for a full accredidation for production.'\n end\n else\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n cmd = \"find #{partitions.join(' ')} -xdev -type d -perm -0002 -gid +999 -print\"\n failing_dirs = command(cmd).stdout.split(\"\\n\").uniq\n\n describe 'Any world-writeable directories' do\n it 'should be group-owned by system accounts' do\n expect(failing_dirs).to be_empty, \"Failing directories:\\n\\t- #{failing_dirs.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244527.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230319.rb", "line": 1 }, - "id": "SV-244527" + "id": "SV-230319" }, { - "title": "Unattended or automatic logon via the RHEL 8 graphical user interface\nmust not be allowed.", - "desc": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on the /boot directory.", + "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", - "check": "Verify the operating system does not allow an unattended or automatic logon\nto the system via a graphical user interface.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Check for the value of the \"AutomaticLoginEnable\" in the\n\"/etc/gdm/custom.conf\" file with the following command:\n\n $ sudo grep -i automaticloginenable /etc/gdm/custom.conf\n\n AutomaticLoginEnable=false\n\n If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a\nfinding.", - "fix": "Configure the operating system to not allow an unattended or automatic\nlogon to the system via a graphical user interface.\n\n Add or edit the line for the \"AutomaticLoginEnable\" parameter in the\n[daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n [daemon]\n AutomaticLoginEnable=false" + "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "check": "For systems that use UEFI, this is Not Applicable.\n\n Verify the /boot directory is mounted with the \"nosuid\" option with the\nfollowing command:\n\n $ sudo mount | grep '\\s/boot\\s'\n\n /dev/sda1 on /boot type xfs\n(rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\n If the /boot file system does not have the \"nosuid\" option set, this is a\nfinding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nthe /boot directory." 
 },
- "impact": 0,
+ "impact": 0.5,
 "refs": [
 {
 "ref": "DPMS Target Red Hat Enterprise Linux 8"
 }
 ],
 "tags": {
- "severity": "high",
- "gtitle": "SRG-OS-000480-GPOS-00229",
- "gid": "V-230329",
- "rid": "SV-230329r877377_rule",
- "stig_id": "RHEL-08-010820",
- "fix_id": "F-32973r567734_fix",
+ "severity": "medium",
+ "gtitle": "SRG-OS-000480-GPOS-00227",
+ "gid": "V-230300",
+ "rid": "SV-230300r743959_rule",
+ "stig_id": "RHEL-08-010571",
+ "fix_id": "F-32944r567647_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -9110,20 +9050,20 @@ ], "host": null }, - "code": "control 'SV-230329' do\n title 'Unattended or automatic logon via the RHEL 8 graphical user interface\nmust not be allowed.'\n desc 'Failure to restrict system access to authenticated users negatively\nimpacts operating system security.'\n desc 'check', 'Verify the operating system does not allow an unattended or automatic logon\nto the system via a graphical user interface.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Check for the value of the \"AutomaticLoginEnable\" in the\n\"/etc/gdm/custom.conf\" file with the following command:\n\n $ sudo grep -i automaticloginenable /etc/gdm/custom.conf\n\n AutomaticLoginEnable=false\n\n If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a\nfinding.'\n desc 'fix', 'Configure the operating system to not allow an unattended or automatic\nlogon to the system via a graphical user interface.\n\n Add or edit the line for the \"AutomaticLoginEnable\" parameter in the\n[daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n [daemon]\n AutomaticLoginEnable=false'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-230329'\n tag rid: 'SV-230329r877377_rule'\n tag stig_id: 'RHEL-08-010820'\n tag fix_id: 'F-32973r567734_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable inside a container, the containers host manages the containers filesystems') {\n !virtualization.system.eql?('docker')\n }\n\n custom_conf = '/etc/gdm/custom.conf'\n\n if package('gnome-desktop3').installed?\n if (f = file(custom_conf)).exist?\n describe parse_config_file(custom_conf) do\n its('daemon.AutomaticLoginEnable') { cmp false }\n end\n else\n describe f 
do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system does not have GDM installed' do\n skip 'The system does not have GDM installed, this requirement is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-230300' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on the /boot directory.'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', %q(For systems that use UEFI, this is Not Applicable.\n\n Verify the /boot directory is mounted with the \"nosuid\" option with the\nfollowing command:\n\n $ sudo mount | grep '\\s/boot\\s'\n\n /dev/sda1 on /boot type xfs\n(rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\n If the /boot file system does not have the \"nosuid\" option set, this is a\nfinding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nthe /boot directory.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230300'\n tag rid: 'SV-230300r743959_rule'\n tag stig_id: 'RHEL-08-010571'\n tag fix_id: 'F-32944r567647_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n else\n describe mount('/boot') do\n it { should be_mounted }\n its('options') { should include 'nosuid' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 
STIG/controls/SV-230329.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230300.rb", "line": 1 }, - "id": "SV-230329" + "id": "SV-230300" }, { - "title": "All RHEL 8 networked systems must have SSH installed.", - "desc": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", + "title": "RHEL 8 must map the authenticated identity to the user or group\naccount for PKI-based authentication.", + "desc": "Without mapping the certificate used to authenticate to the user\naccount, the ability to determine the identity of the individual user or group\nwill not be available for forensic analysis.\n\n There are various methods of mapping certificates to user/group accounts\nfor RHEL 8. For the purposes of this requirement, the check and fix will\naccount for Active Directory mapping. 
Some of the other possible methods\ninclude joining the system to a domain and utilizing a Red Hat idM server, or a\nlocal system mapping, where the system is not part of a domain.", "descriptions": { - "default": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", - "check": "Verify SSH is installed with the following command:\n\n$ sudo yum list installed openssh-server\n\nopenssh-server.x86_64 8.0p1-5.el8 @anaconda\n\nIf the \"SSH server\" package is not installed, this is a finding.", - "fix": "Install SSH packages onto the host with the following command:\n\n$ sudo yum install openssh-server.x86_64" + "default": "Without mapping the certificate used to authenticate to the user\naccount, the ability to determine the identity of the individual user or group\nwill not be available for forensic analysis.\n\n There are various methods of mapping certificates to user/group accounts\nfor RHEL 8. For the purposes of this requirement, the check and fix will\naccount for Active Directory mapping. 
Some of the other possible methods\ninclude joining the system to a domain and utilizing a Red Hat idM server, or a\nlocal system mapping, where the system is not part of a domain.", + "check": "Verify the certificate of the user or group is mapped to the corresponding user or group in the \"sssd.conf\" file with the following command:\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\n$ sudo cat /etc/sssd/sssd.conf\n\n[sssd]\nconfig_file_version = 2\nservices = pam, sudo, ssh\ndomains = testing.test\n\n[pam]\npam_cert_auth = True\n\n[domain/testing.test]\nid_provider = ldap\n\n[certmap/testing.test/rule_name]\nmatchrule =.*EDIPI@mil\nmaprule = (userCertificate;binary={cert!bin})\ndomains = testing.test\n\nIf the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.", + "fix": "Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the \"/etc/sssd/sssd.conf file based on the following example:\n\n[certmap/testing.test/rule_name]\nmatchrule =.*EDIPI@mil\nmaprule = (userCertificate;binary={cert!bin})\ndomains = testing.test\n\nThe \"sssd\" service must be restarted for the changes to take effect. To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service" }, "impact": 0.5, "refs": [ 
@@ -9133,40 +9073,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000423-GPOS-00187", - "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188", - "SRG-OS-000425-GPOS-00189", - "SRG-OS-000426-GPOS-00190" - ], - "gid": "V-244549", - "rid": "SV-244549r916422_rule", - "stig_id": "RHEL-08-040159", - "fix_id": "F-47781r743895_fix", + "gtitle": "SRG-OS-000068-GPOS-00036", + "gid": "V-230355", + "rid": "SV-230355r858743_rule", + "stig_id": "RHEL-08-020090", + "fix_id": "F-32999r818835_fix", "cci": [ - "CCI-002418" + "CCI-000187" ], "nist": [ - "SC-8" + "IA-5 (2) (c)", + "IA-5 (2) (a) (2)" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-244549' do\n title 'All RHEL 8 networked systems must have SSH installed.'\n desc 'Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
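Review bot: In SV-230300, `describe mount('/boot')` only inspects the live mount table, while the fix text directs the administrator to edit `/etc/fstab`; a host remediated exactly as the fix says keeps failing until `/boot` is remounted, and a host with a transient `mount -o remount,nosuid /boot` but an unchanged fstab passes and regresses on the next reboot. Consider also asserting persistence, e.g. `describe etc_fstab.where { mount_point == '/boot' } do` / `its('mount_options.flatten') { should include 'nosuid' }` / `end`. Separately, `it { should be_mounted }` fails outright on a BIOS host where `/boot` is not a separate file system, a case the STIG check text does not call a finding, so that behaviour is worth confirming. The SV-230355 control that begins at the end of this hunk continues in the next hunk.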
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.'\n desc 'check', 'Verify SSH is installed with the following command:\n\n$ sudo yum list installed openssh-server\n\nopenssh-server.x86_64 8.0p1-5.el8 @anaconda\n\nIf the \"SSH server\" package is not installed, this is a finding.'\n desc 'fix', 'Install SSH packages onto the host with the following command:\n\n$ sudo yum install openssh-server.x86_64'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000423-GPOS-00187'\n tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag gid: 'V-244549'\n tag rid: 'SV-244549r916422_rule'\n tag stig_id: 'RHEL-08-040159'\n tag fix_id: 'F-47781r743895_fix'\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n tag 'host'\n tag 'container-conditional'\n\n openssh_present = package('openssh-server').installed?\n\n only_if('This requirement is Not Applicable in the container without open-ssh installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !openssh_present)\n }\n\n if input('allow_container_openssh_server') == false\n describe 'In a container Environment' do\n it 'the OpenSSH Server should be installed only when allowed in a container environment' do\n expect(openssh_present).to eq(false), 'OpenSSH Server is installed but not approved for the container environment'\n end\n end\n else\n describe 'In a machine environment' do\n it 'the OpenSSH Server should be installed' do\n expect(package('openssh-server').installed?).to eq(true), 'the OpenSSH Server is not installed'\n end\n end\n end\nend\n", + "code": "control 'SV-230355' do\n title 'RHEL 8 must map the authenticated identity to the user or group\naccount for PKI-based authentication.'\n desc 'Without mapping the certificate used to authenticate to the user\naccount, the ability to determine the identity of 
the individual user or group\nwill not be available for forensic analysis.\n\n There are various methods of mapping certificates to user/group accounts\nfor RHEL 8. For the purposes of this requirement, the check and fix will\naccount for Active Directory mapping. Some of the other possible methods\ninclude joining the system to a domain and utilizing a Red Hat idM server, or a\nlocal system mapping, where the system is not part of a domain.'\n desc 'check', 'Verify the certificate of the user or group is mapped to the corresponding user or group in the \"sssd.conf\" file with the following command:\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\n$ sudo cat /etc/sssd/sssd.conf\n\n[sssd]\nconfig_file_version = 2\nservices = pam, sudo, ssh\ndomains = testing.test\n\n[pam]\npam_cert_auth = True\n\n[domain/testing.test]\nid_provider = ldap\n\n[certmap/testing.test/rule_name]\nmatchrule =.*EDIPI@mil\nmaprule = (userCertificate;binary={cert!bin})\ndomains = testing.test\n\nIf the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.'\n desc 'fix', 'Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the \"/etc/sssd/sssd.conf file based on the following example:\n\n[certmap/testing.test/rule_name]\nmatchrule =.*EDIPI@mil\nmaprule = (userCertificate;binary={cert!bin})\ndomains = testing.test\n\nThe \"sssd\" service must be restarted for the changes to take effect. 
To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000068-GPOS-00036'\n tag gid: 'V-230355'\n tag rid: 'SV-230355r858743_rule'\n tag stig_id: 'RHEL-08-020090'\n tag fix_id: 'F-32999r818835_fix'\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (c)', 'IA-5 (2) (a) (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe file('/etc/sssd/sssd.conf') do\n it { should exist }\n its('content') { should match(/^\\s*\\[certmap.*\\]\\s*$/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244549.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230355.rb", "line": 1 }, - "id": "SV-244549" + "id": "SV-230355" }, { - "title": "RHEL 8 must authenticate the remote logging server for off-loading\naudit logs.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n \"Rsyslog\" supported authentication modes include:\n anon - anonymous authentication\n x509/fingerprint - certificate fingerprint authentication\n x509/certvalid - certificate validation only\n x509/name - certificate validation and subject name authentication.", + "title": "The RHEL 8 /var/log/messages file must be owned by root.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n \"Rsyslog\" supported authentication modes include:\n anon - anonymous authentication\n x509/fingerprint - certificate fingerprint authentication\n x509/certvalid - certificate validation only\n x509/name - certificate validation and subject name authentication.", - "check": "Verify the operating system authenticates the remote logging server for\noff-loading audit logs with the following command:\n\n $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf\n/etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name\n\n If the value of the \"$ActionSendStreamDriverAuthMode\" option is not set\nto \"x509/name\" or the line is commented out, ask the System Administrator to\nindicate how the audit logs are off-loaded to a different system or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media is encrypted, this is a finding.", - "fix": "Configure the operating system to authenticate the remote logging server\nfor off-loading audit logs by setting the following option in\n\"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\":\n\n $ActionSendStreamDriverAuthMode x509/name" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the /var/log/messages file is owned by root with the following\ncommand:\n\n $ sudo stat -c \"%U\" /var/log/messages\n\n root\n\n If \"root\" is not returned as a result, this is a finding.", + "fix": "Change the owner of the file /var/log/messages to root by running the\nfollowing command:\n\n $ sudo chown root /var/log/messages" }, "impact": 0.5, "refs": [ 
@@ -9176,74 +9110,69 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "satisfies": [ - "SRG-OS-000342-GPOS-00133", - "SRG-OS-000479-GPOS-00224" - ], - "gid": "V-230482", - "rid": "SV-230482r877390_rule", - "stig_id": "RHEL-08-030720", - "fix_id": "F-33126r568193_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-230246", + "rid": "SV-230246r627750_rule", + "stig_id": "RHEL-08-010220", + "fix_id": "F-32890r567485_fix", "cci": [ - "CCI-001851" + "CCI-001314" ], "nist": [ - "AU-4 (1)" + "SI-11 b" ], "host": null }, - "code": "control 'SV-230482' do\n title 'RHEL 8 must authenticate the remote logging server for off-loading\naudit logs.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
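Review bot: SV-230355's only assertion, `its('content') { should match(/^\s*\[certmap.*\]\s*$/) }`, proves nothing beyond the presence of a `[certmap/...]` section header in `/etc/sssd/sssd.conf`; a header with no `matchrule`/`maprule` beneath it passes, while a correct mapping placed in an `/etc/sssd/conf.d/*.conf` drop-in fails, so the verdict can diverge from the STIG check text in both directions. At minimum add `its('content') { should match(/^\s*maprule\s*=/) }` next to the header match, and consider folding conf.d drop-ins into the content being scanned. The check text also exempts hosts that use an approved alternate multifactor method, but the code has no input-driven skip for that case, so such hosts are always reported as failing rather than Not Applicable. The SV-230246 control whose descriptions close this hunk continues in the next hunk.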
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.\n\n \"Rsyslog\" supported authentication modes include:\n anon - anonymous authentication\n x509/fingerprint - certificate fingerprint authentication\n x509/certvalid - certificate validation only\n x509/name - certificate validation and subject name authentication.'\n desc 'check', %q(Verify the operating system authenticates the remote logging server for\noff-loading audit logs with the following command:\n\n $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf\n/etc/rsyslog.d/*.conf\n\n /etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name\n\n If the value of the \"$ActionSendStreamDriverAuthMode\" option is not set\nto \"x509/name\" or the line is commented out, ask the System Administrator to\nindicate how the audit logs are off-loaded to a different system or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media is encrypted, this is a finding.)\n desc 'fix', 'Configure the operating system to authenticate the remote logging server\nfor off-loading audit logs by setting the following option in\n\"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\":\n\n $ActionSendStreamDriverAuthMode x509/name'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-230482'\n tag rid: 'SV-230482r877390_rule'\n tag stig_id: 'RHEL-08-030720'\n tag fix_id: 'F-33126r568193_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual 
check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe 'rsyslog configuration' do\n subject {\n command(\"grep -i '^\\$ActionSendStreamDriverAuthMode' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'\").stdout\n }\n it { should match %r{\\$ActionSendStreamDriverAuthMode\\s+x509/name} }\n end\n end\nend\n", + "code": "control 'SV-230246' do\n title 'The RHEL 8 /var/log/messages file must be owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify that the /var/log/messages file is owned by root with the following\ncommand:\n\n $ sudo stat -c \"%U\" /var/log/messages\n\n root\n\n If \"root\" is not returned as a result, this is a finding.'\n desc 'fix', 'Change the owner of the file /var/log/messages to root by running the\nfollowing command:\n\n $ sudo chown root /var/log/messages'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230246'\n tag rid: 'SV-230246r627750_rule'\n tag stig_id: 'RHEL-08-010220'\n tag fix_id: 'F-32890r567485_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe.one do\n describe file('/var/log/messages') do\n it { should be_owned_by 'root' }\n end\n describe file('/var/log/messages') do\n it { should_not exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230482.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230246.rb", "line": 1 }, - "id": "SV-230482" + "id": "SV-230246" }, { - "title": "RHEL 8 must define default permissions for all authenticated users in\nsuch a way that the user can only read and modify their own files.", - "desc": "Setting the most restrictive default permissions ensures that when new\naccounts are created, they do not have unnecessary access.", + "title": "RHEL 8 must disable network management of the chrony daemon.", + "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.", "descriptions": { - "default": "Setting the most restrictive default permissions ensures that when new\naccounts are created, they do not have unnecessary access.", - "check": "Verify the operating system defines default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file\nwith the following command:\n\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in\n\"/etc/login.defs\" file, the Severity is raised to a CAT I.\n\n # grep -i umask /etc/login.defs\n\n UMASK 077\n\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\"\nparameter is missing or is commented out, this is a finding.", - "fix": "Configure the operating system to define default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\"\nfile to \"077\":\n\n UMASK 077" + "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.", + "check": "Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.\n\nVerify RHEL 8 disables network management of the chrony daemon with the following command:\n\n $ sudo grep -w 'cmdport' /etc/chrony.conf\n cmdport 0\n\nIf the \"cmdport\" option is not set to \"0\", is commented out or missing, this is a finding.", + "fix": "Configure the operating system disable network management of the chrony daemon by adding or modifying the following line in the \"/etc/chrony.conf\" file.\n\n cmdport 0" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00228", - "gid": "V-230383", - "rid": "SV-230383r627750_rule", - "stig_id": "RHEL-08-020351", - "fix_id": "F-33027r567896_fix", + "severity": "low", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230486", + "rid": "SV-230486r928593_rule", + "stig_id": "RHEL-08-030742", + "fix_id": "F-33130r928592_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b" + "CM-7 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230383' do\n title 'RHEL 8 must define default permissions for all authenticated users in\nsuch a way that the user can only read and modify their own files.'\n desc 
'Setting the most restrictive default permissions ensures that when new\naccounts are created, they do not have unnecessary access.'\n desc 'check', 'Verify the operating system defines default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file\nwith the following command:\n\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in\n\"/etc/login.defs\" file, the Severity is raised to a CAT I.\n\n # grep -i umask /etc/login.defs\n\n UMASK 077\n\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\"\nparameter is missing or is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to define default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\"\nfile to \"077\":\n\n UMASK 077'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00228'\n tag gid: 'V-230383'\n tag rid: 'SV-230383r627750_rule'\n tag stig_id: 'RHEL-08-020351'\n tag fix_id: 'F-33027r567896_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n permissions_for_shells = input('permissions_for_shells')\n\n describe login_defs do\n its('UMASK') { should cmp permissions_for_shells['default_umask'] }\n end\nend\n", + "code": "control 'SV-230486' do\n title 'RHEL 8 must disable network management of the chrony daemon.'\n desc 'Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.'\n desc 'check', %q(Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.\n\nVerify RHEL 8 disables network management of the chrony daemon with the following command:\n\n $ sudo grep -w 'cmdport' /etc/chrony.conf\n cmdport 0\n\nIf the \"cmdport\" option is not set to \"0\", is commented out or missing, this is a finding.)\n desc 'fix', 'Configure the operating system disable network management of the chrony daemon by adding or modifying the following line in the \"/etc/chrony.conf\" file.\n\n cmdport 0'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230486'\n tag rid: 'SV-230486r928593_rule'\n tag stig_id: 'RHEL-08-030742'\n tag fix_id: 'F-33130r928592_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/chrony.conf').exist?)\n }\n\n chrony_conf = ntp_conf('/etc/chrony.conf')\n\n describe chrony_conf do\n its('cmdport') { should cmp 0 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230383.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230486.rb", "line": 1 }, - "id": "SV-230383" + "id": "SV-230486" }, { - "title": "RHEL 8 
SSH server must be configured to use only FIPS-validated key exchange algorithms.", - "desc": "Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.", + "title": "RHEL 8 must employ FIPS 140-2 approved cryptographic hashing\nalgorithms for all stored passwords.", + "desc": "The system must use a strong hashing algorithm to store the password.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", "descriptions": { - "default": "Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first algorithm presented by the client that matches the server list. 
Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.", - "check": "Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config\n\n CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'\n\nIf the entries following \"KexAlgorithms\" have any algorithms defined other than \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\", appear in different order than shown, or are missing or commented out, this is a finding.", - "fix": "Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/crypto-policies/back-ends/opensshserver.config\":\n\n-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\n\nA reboot is required for the changes to take effect." + "default": "The system must use a strong hashing algorithm to store the password.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. 
If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", + "check": "Confirm that the interactive user account passwords are using a strong\npassword hash with the following command:\n\n $ sudo cut -d: -f2 /etc/shadow\n\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\n Password hashes \"!\" or \"*\" indicate inactive accounts not available for\nlogon and are not evaluated. If any interactive user password hash does not\nbegin with \"$6$\", this is a finding.", + "fix": "Lock all interactive user accounts not using SHA-512 hashing\nuntil the passwords can be regenerated with SHA-512." }, "impact": 0.5, "refs": [ 
@@ -9252,114 +9181,111 @@ } ], "tags": { - "check_id": "C-59601r917887_chk", "severity": "medium", - "gid": "V-255924", - "rid": "SV-255924r917888_rule", - "stig_id": "RHEL-08-040342", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-59544r880732_fix", - "documentable": null, + "gtitle": "SRG-OS-000073-GPOS-00041", + "gid": "V-230232", + "rid": "SV-230232r877397_rule", + "stig_id": "RHEL-08-010120", + "fix_id": "F-32876r567443_fix", "cci": [ - "CCI-001453" + "CCI-000196" ], "nist": [ - "AC-17 (2)" + "IA-5 (1) (c)" ], "host": null, "container": null }, - "code": "control 'SV-255924' do\n title 'RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.'\n desc 'Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first algorithm presented by the client that matches the server list. 
Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.'\n desc 'check', %q(Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config\n\n CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'\n\nIf the entries following \"KexAlgorithms\" have any algorithms defined other than \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\", appear in different order than shown, or are missing or commented out, this is a finding.)\n desc 'fix', 'Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/crypto-policies/back-ends/opensshserver.config\":\n\n-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-59601r917887_chk'\n tag severity: 'medium'\n tag gid: 'V-255924'\n tag rid: 'SV-255924r917888_rule'\n tag stig_id: 'RHEL-08-040342'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag fix_id: 'F-59544r880732_fix'\n tag 'documentable'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config') do\n its('CRYPTO_POLICY') { should include 
'-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' }\n end\nend\n", + "code": "control 'SV-230232' do\n title 'RHEL 8 must employ FIPS 140-2 approved cryptographic hashing\nalgorithms for all stored passwords.'\n desc 'The system must use a strong hashing algorithm to store the password.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.'\n desc 'check', 'Confirm that the interactive user account passwords are using a strong\npassword hash with the following command:\n\n $ sudo cut -d: -f2 /etc/shadow\n\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\n Password hashes \"!\" or \"*\" indicate inactive accounts not available for\nlogon and are not evaluated. 
If any interactive user password hash does not\nbegin with \"$6$\", this is a finding.'\n desc 'fix', 'Lock all interactive user accounts not using SHA-512 hashing\nuntil the passwords can be regenerated with SHA-512.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-230232'\n tag rid: 'SV-230232r877397_rule'\n tag stig_id: 'RHEL-08-010120'\n tag fix_id: 'F-32876r567443_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag 'host'\n tag 'container'\n\n weak_pw_hash_users = inspec.shadow.where { password !~ /^[*!]{1,2}.*$|^\\$6\\$.*$|^$/ }.users\n\n describe 'All stored passwords' do\n it 'should only be hashed with the SHA512 algorithm' do\n message = \"Users without SHA512 hashes:\\n\\t- #{weak_pw_hash_users.join(\"\\n\\t- \")}\"\n expect(weak_pw_hash_users).to be_empty, message\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-255924.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230232.rb", "line": 1 }, - "id": "SV-255924" + "id": "SV-230232" }, { - "title": "RHEL 8 must disable virtual syscalls.", - "desc": "Syscalls are special routines in the Linux kernel, which userspace\napplications ask to do privileged tasks. Invoking a system call is an\nexpensive operation because the processor must interrupt the currently\nexecuting task and switch context to kernel mode and then back to userspace\nafter the system call completes. Virtual Syscalls map into user space a page\nthat contains some variables and the implementation of some system calls. This\nallows the system calls to be executed in userspace to alleviate the context\nswitching expense.\n\n Virtual Syscalls provide an opportunity of attack for a user who has\ncontrol of the return instruction pointer. Disabling vsyscalls help to prevent\nreturn oriented programming (ROP) attacks via buffer overflows and overruns. 
If\nthe system intends to run containers based on RHEL 6 components, then virtual\nsyscalls will need enabled so the components function properly.", + "title": "RHEL 8 must enable Linux audit logging for the USBGuard daemon.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "Syscalls are special routines in the Linux kernel, which userspace\napplications ask to do privileged tasks. 
Invoking a system call is an\nexpensive operation because the processor must interrupt the currently\nexecuting task and switch context to kernel mode and then back to userspace\nafter the system call completes. Virtual Syscalls map into user space a page\nthat contains some variables and the implementation of some system calls. This\nallows the system calls to be executed in userspace to alleviate the context\nswitching expense.\n\n Virtual Syscalls provide an opportunity of attack for a user who has\ncontrol of the return instruction pointer. Disabling vsyscalls help to prevent\nreturn oriented programming (ROP) attacks via buffer overflows and overruns. If\nthe system intends to run containers based on RHEL 6 components, then virtual\nsyscalls will need enabled so the components function properly.", - "check": "Verify that GRUB 2 is configured to disable vsyscalls with the following commands:\n\nCheck that the current GRUB 2 configuration disables vsyscalls:\n\n$ sudo grub2-editenv list | grep vsyscall\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"vsyscall\" is not set to \"none\" or is missing, this is a finding.\n\nCheck that vsyscalls are disabled by default to persist in kernel updates:\n\n$ sudo grep vsyscall /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"\n\nIf \"vsyscall\" is not set to \"none\", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Document the use of vsyscalls with the ISSO as an operational requirement\nor disable them with the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"vsyscall=none\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration 
survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"vsyscall=none\"" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the\nfollowing commands:\n\n Note: If the USBGuard daemon is not installed and enabled, this requirement\nis not applicable.\n\n $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf\n\n AuditBackend=LinuxAudit\n\n If the \"AuditBackend\" entry does 
not equal \"LinuxAudit\", is missing, or\nthe line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by\nadding or modifying the following line in\n\"/etc/usbguard/usbguard-daemon.conf\":\n\n AuditBackend=LinuxAudit" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000134-GPOS-00068", + "severity": "low", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000134-GPOS-00068", - "SRG-OS-000433-GPOS-00192" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000471-GPOS-00215" ], - "gid": "V-230278", - "rid": "SV-230278r792886_rule", - "stig_id": "RHEL-08-010422", - "fix_id": "F-32922r743947_fix", + "gid": "V-230470", + "rid": "SV-230470r744006_rule", + "stig_id": "RHEL-08-030603", + "fix_id": "F-33114r744005_fix", "cci": [ - "CCI-001084" + "CCI-000169" ], "nist": [ - "SC-3" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230278' do\n title 'RHEL 8 must disable virtual syscalls.'\n desc 'Syscalls are special routines in the Linux kernel, which userspace\napplications ask to do privileged tasks. Invoking a system call is an\nexpensive operation because the processor must interrupt the currently\nexecuting task and switch context to kernel mode and then back to userspace\nafter the system call completes. Virtual Syscalls map into user space a page\nthat contains some variables and the implementation of some system calls. This\nallows the system calls to be executed in userspace to alleviate the context\nswitching expense.\n\n Virtual Syscalls provide an opportunity of attack for a user who has\ncontrol of the return instruction pointer. Disabling vsyscalls help to prevent\nreturn oriented programming (ROP) attacks via buffer overflows and overruns. 
If\nthe system intends to run containers based on RHEL 6 components, then virtual\nsyscalls will need enabled so the components function properly.'\n desc 'check', 'Verify that GRUB 2 is configured to disable vsyscalls with the following commands:\n\nCheck that the current GRUB 2 configuration disables vsyscalls:\n\n$ sudo grub2-editenv list | grep vsyscall\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"vsyscall\" is not set to \"none\" or is missing, this is a finding.\n\nCheck that vsyscalls are disabled by default to persist in kernel updates:\n\n$ sudo grep vsyscall /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"\n\nIf \"vsyscall\" is not set to \"none\", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.'\n desc 'fix', 'Document the use of vsyscalls with the ISSO as an operational requirement\nor disable them with the following command:\n\n $ sudo grubby --update-kernel=ALL --args=\"vsyscall=none\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"vsyscall=none\"'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag satisfies: ['SRG-OS-000134-GPOS-00068', 'SRG-OS-000433-GPOS-00192']\n tag gid: 'V-230278'\n tag rid: 'SV-230278r792886_rule'\n tag stig_id: 'RHEL-08-010422'\n tag fix_id: 'F-32922r743947_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_stdout = command('grub2-editenv - list').stdout\n setting = 
/vsyscall\\s*=\\s*none/\n\n describe 'GRUB config' do\n it 'should enable page poisoning' do\n expect(parse_config(grub_stdout)['kernelopts']).to match(setting), 'Current GRUB configuration does not disable this setting'\n expect(parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX']).to match(setting), 'Setting not configured to persist between kernel updates'\n end\n end\nend\n", + "code": "control 'SV-230470' do\n title 'RHEL 8 must enable Linux audit logging for the USBGuard daemon.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n If auditing is enabled late in the startup process, the actions of some\nstartup processes may not be audited. Some audit systems also maintain state\ninformation only available if auditing is enabled before a given process is\ncreated.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.'\n desc 'check', 'Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the\nfollowing commands:\n\n Note: If the USBGuard daemon is not installed and enabled, this requirement\nis not applicable.\n\n $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf\n\n AuditBackend=LinuxAudit\n\n If the \"AuditBackend\" entry does not equal \"LinuxAudit\", is missing, or\nthe line is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by\nadding or modifying the following line in\n\"/etc/usbguard/usbguard-daemon.conf\":\n\n AuditBackend=LinuxAudit'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230470'\n tag rid: 'SV-230470r744006_rule'\n tag stig_id: 'RHEL-08-030603'\n tag fix_id: 'F-33114r744005_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to 
containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/usbguard/usbguard-daemon.conf') do\n its('AuditBackend') { should cmp 'LinuxAudit' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230278.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230470.rb", "line": 1 }, - "id": "SV-230278" + "id": "SV-230470" }, { - "title": "RHEL 8 system commands must be owned by root.", - "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "title": "RHEL 8 must resolve audit information before writing to disk.", + "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging aids in making sense of who, what, and when events occur\non a system. 
Without this, determining root cause of an event will be much\nmore difficult.", "descriptions": { - "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", - "check": "Verify the system commands contained in the following directories are owned\nby \"root\" with the following command:\n\n $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin\n! -user root -exec ls -l {} \\;\n\n If any system commands are returned, this is a finding.", - "fix": "Configure the system commands to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\".\n\n $ sudo chown root [FILE]" + "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging aids in making sense of who, what, and when events occur\non a system. 
Without this, determining root cause of an event will be much\nmore difficult.", + "check": "Verify the RHEL 8 Audit Daemon is configured to resolve audit information\nbefore writing to disk, with the following command:\n\n $ sudo grep \"log_format\" /etc/audit/auditd.conf\n\n log_format = ENRICHED\n\n If the \"log_format\" option is not \"ENRICHED\", or the line is commented\nout, this is a finding.", + "fix": "Edit the /etc/audit/auditd.conf file and add or update the \"log_format\"\noption:\n\n log_format = ENRICHED\n\n The audit daemon must be restarted for changes to take effect." }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-230258", - "rid": "SV-230258r627750_rule", - "stig_id": "RHEL-08-010310", - "fix_id": "F-32902r567521_fix", + "severity": "low", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230395", + "rid": "SV-230395r627750_rule", + "stig_id": "RHEL-08-030063", + "fix_id": "F-33039r567932_fix", "cci": [ - "CCI-001499" + "CCI-000366" ], "nist": [ - "CM-5 (6)" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230258' do\n title 'RHEL 8 system commands must be owned by root.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system commands contained in the following directories are owned\nby \"root\" with the following command:\n\n $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin\n! -user root -exec ls -l {} \\\\;\n\n If any system commands are returned, this is a finding.'\n desc 'fix', 'Configure the system commands to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\".\n\n $ sudo chown root [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230258'\n tag rid: 'SV-230258r627750_rule'\n tag stig_id: 'RHEL-08-010310'\n tag fix_id: 'F-32902r567521_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_command_dirs').join(' ')} ! 
-user root -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System commands' do\n it 'should be owned by root' do\n expect(failing_files).to be_empty, \"Files not owned by root:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230395' do\n title 'RHEL 8 must resolve audit information before writing to disk.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Enriched logging aids in making sense of who, what, and when events occur\non a system. Without this, determining root cause of an event will be much\nmore difficult.'\n desc 'check', 'Verify the RHEL 8 Audit Daemon is configured to resolve audit information\nbefore writing to disk, with the following command:\n\n $ sudo grep \"log_format\" /etc/audit/auditd.conf\n\n log_format = ENRICHED\n\n If the \"log_format\" option is not \"ENRICHED\", or the line is commented\nout, this is a finding.'\n desc 'fix', 'Edit the /etc/audit/auditd.conf file and add or update the \"log_format\"\noption:\n\n log_format = ENRICHED\n\n The audit daemon must be restarted for changes to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230395'\n tag rid: 'SV-230395r627750_rule'\n tag stig_id: 'RHEL-08-030063'\n tag fix_id: 'F-33039r567932_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n describe parse_config_file('/etc/audit/auditd.conf') do\n its('log_format') { should eq 'ENRICHED' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230258.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230395.rb", "line": 1 }, - "id": "SV-230258" + "id": "SV-230395" }, { - "title": "RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.", - "desc": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", "descriptions": { - "default": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck that IPv6 forwarding is disabled using the following commands:\n\n$ sudo sysctl net.ipv6.conf.all.forwarding\n\nnet.ipv6.conf.all.forwarding = 0\n\nIf the IPv6 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf 
/etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0\n\nIf \"net.ipv6.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.forwarding=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", + "check": "Note: This requirement applies to RHEL versions 8.0 through 8.3. 
If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.", + "fix": "Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3" }, "impact": 0.5, "refs": [ 
@@ -9368,48 +9294,51 @@ } ], "tags": { + "check_id": "C-55151r902741_chk", "severity": "medium", + "gid": "V-251714", + "rid": "SV-251714r902743_rule", + "stig_id": "RHEL-08-020102", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230540", - "rid": "SV-230540r858810_rule", - "stig_id": "RHEL-08-040260", - "fix_id": "F-33184r858809_fix", + "fix_id": "F-55105r902742_fix", + "documentable": null, "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230540' do\n title 'RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck that IPv6 forwarding is disabled using the following commands:\n\n$ sudo sysctl net.ipv6.conf.all.forwarding\n\nnet.ipv6.conf.all.forwarding = 0\n\nIf the IPv6 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0\n\nIf \"net.ipv6.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.forwarding=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230540'\n tag rid: 
'SV-230540r858810_rule'\n tag stig_id: 'RHEL-08-040260'\n tag fix_id: 'F-33184r858809_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.forwarding'\n action = 'IPv6 packet forwarding'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n 
expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-251714' do\n title 'RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.0 through 8.3. 
If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55151r902741_chk'\n tag severity: 'medium'\n tag gid: 'V-251714'\n tag rid: 'SV-251714r902743_rule'\n tag stig_id: 'RHEL-08-020102'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55105r902742_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n only_if('This requirement only applies to RHEL 8 versions below 8.4', impact: 0.0) do\n os.release.to_f < 8.4\n end\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230540.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251714.rb", "line": 1 }, - "id": "SV-230540" + "id": "SV-251714" }, { - "title": "The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.", - "desc": "A locally logged-on user, who presses Ctrl-Alt-Delete when at the\nconsole, can reboot the system. 
If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that are imported via Network File System (NFS).", + "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "A locally logged-on user, who presses Ctrl-Alt-Delete when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", - "check": "Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed with the following command:\n\n $ sudo systemctl status ctrl-alt-del.target\n\n ctrl-alt-del.target\n Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\n Active: inactive (dead)\n\n If the \"ctrl-alt-del.target\" is loaded and not masked, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl mask ctrl-alt-del.target\n\nCreated symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload" + "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "check": "Verify that file systems being imported via NFS are mounted with the\n\"nosuid\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep nosuid\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nosuid\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are being imported via NFS." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230529", - "rid": "SV-230529r833338_rule", - "stig_id": "RHEL-08-040170", - "fix_id": "F-33173r833337_fix", + "gid": "V-230308", + "rid": "SV-230308r627750_rule", + "stig_id": "RHEL-08-010650", + "fix_id": "F-32952r567671_fix", "cci": [ "CCI-000366" ], 
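Review bot: The version gate in the new SV-251714 code, `os.release.to_f < 8.4`, misclassifies RHEL 8.10 as older than 8.4 because `"8.10".to_f` evaluates to 8.1, so the control runs on a release the check text declares not applicable; compare version components instead, e.g. `Gem::Version.new(os.release) < Gem::Version.new('8.4')`. The pam expectation also only enforces a lower bound (`any_with_integer_arg('retry', '>=', input('min_retry'))`) while the check text makes both 0 and any value above 3 a finding, so a `retry=10` line would pass unless `min_retry` is meant as something other than a floor. Adding a second expectation such as `its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '<=', 3) }` would pin the upper limit the STIG requires.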
@@ -9418,20 +9347,20 @@ ], "host": null }, - "code": "control 'SV-230529' do\n title 'The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.'\n desc 'A locally logged-on user, who presses Ctrl-Alt-Delete when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.'\n desc 'check', 'Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed with the following command:\n\n $ sudo systemctl status ctrl-alt-del.target\n\n ctrl-alt-del.target\n Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\n Active: inactive (dead)\n\n If the \"ctrl-alt-del.target\" is loaded and not masked, this is a finding.'\n desc 'fix', 'Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl mask ctrl-alt-del.target\n\nCreated symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230529'\n tag rid: 'SV-230529r833338_rule'\n tag stig_id: 'RHEL-08-040170'\n tag fix_id: 'F-33173r833337_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n c = systemd_service('ctrl-alt-del.target')\n\n describe.one do\n describe c do\n its('params.LoadState') { should eq 'masked' }\n end\n describe c do\n its('params.LoadState') { should eq 'not-found' 
}\n end\n end\nend\n", + "code": "control 'SV-230308' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that are imported via Network File System (NFS).'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify that file systems being imported via NFS are mounted with the\n\"nosuid\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep nosuid\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nosuid\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are being imported via NFS.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230308'\n tag rid: 'SV-230308r627750_rule'\n tag stig_id: 'RHEL-08-010650'\n tag fix_id: 'F-32952r567671_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nosuid'\n nfs_file_systems = etc_fstab.nfs_file_systems.params\n failing_mounts = nfs_file_systems.reject { |mnt| mnt['mount_options'].include?(option) }\n\n if nfs_file_systems.empty?\n describe 'No NFS' do\n it 'is mounted' do\n expect(nfs_file_systems).to be_empty\n end\n end\n else\n describe 'Any mounted Network File System (NFS)' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"NFS without '#{option}' 
set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230529.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230308.rb", "line": 1 }, - "id": "SV-230529" + "id": "SV-230308" }, { - "title": "RHEL 8 must use cryptographic mechanisms to protect the integrity of\naudit tools.", - "desc": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed to\nprovide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. An example is a checksum hash of the file or files.", + "title": "RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.", + "desc": "Routing protocol daemons are typically used on routers to exchange network\n topology information with other routers. If this software is used when not required,\n system network information may be unnecessarily transmitted across the network.\n\n The sysctl --system command will load settings from all system configuration files.\n\n All configuration files are sorted by their filename in lexicographic order, regardless\n of which of the directories they reside in. 
If multiple files specify the same option,\n the entry in the file with the lexicographically latest name will take precedence.\n\n Files are read from directories in the following list from top to bottom. Once a file of a\n given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf", "descriptions": { - "default": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed to\nprovide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. 
An example is a checksum hash of the file or files.", - "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nCheck the selection lines to ensure AIDE is configured to add/check with the following command:\n\n $ sudo grep -E '(\\/usr\\/sbin\\/(audit|au|rsys))' /etc/aide.conf\n\n /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.", - "fix": "Add or update the following lines to \"/etc/aide.conf\", to protect the\nintegrity of the audit tools.\n\n # Audit Tools\n /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" + "default": "Routing protocol daemons are typically used on routers to exchange network\n topology information with other routers. 
If this software is used when not required,\n system network information may be unnecessarily transmitted across the network.\n\n The sysctl --system command will load settings from all system configuration files.\n\n All configuration files are sorted by their filename in lexicographic order, regardless\n of which of the directories they reside in. If multiple files specify the same option,\n the entry in the file with the lexicographically latest name will take precedence.\n\n Files are read from directories in the following list from top to bottom. Once a file of a\n given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf", + "check": "Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.\n\nCheck that IPv4 forwarding is disabled using the following command:\n\n$ sudo sysctl net.ipv4.conf.all.forwarding\n\nnet.ipv4.conf.all.forwarding = 0\nIf the IPv4 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0\n\nIf \"net.ipv4.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n net.ipv4.conf.all.forwarding=0\n\n Remove any 
configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
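Review bot: The new SV-230308 code builds its NFS list solely from `/etc/fstab` (`etc_fstab.nfs_file_systems.params`), so NFS shares mounted at runtime, by automounter, or by a systemd mount unit are never examined even though the title covers any file system imported via NFS; since the check text itself only inspects fstab this is a coverage caveat rather than a deviation, but it deserves a comment on that line such as `# Only /etc/fstab entries are evaluated; runtime, autofs and systemd-unit NFS mounts are out of scope for this check`. The failure message also interpolates whole fstab entry hashes via `failing_mounts.join("\n\t- ")`, which prints Ruby hash dumps; `failing_mounts.map { |m| m['mount_point'] }.join("\n\t- ")` would report the mount points an administrator actually needs to fix.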
@@ -9440,73 +9369,72 @@ } ], "tags": { + "check_id": "C-53751r833382_chk", "severity": "medium", - "gtitle": "SRG-OS-000278-GPOS-00108", - "gid": "V-230475", - "rid": "SV-230475r880722_rule", - "stig_id": "RHEL-08-030650", - "fix_id": "F-33119r568172_fix", + "gid": "V-250317", + "rid": "SV-250317r858808_rule", + "stig_id": "RHEL-08-040259", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-53705r858807_fix", + "documentable": null, "cci": [ - "CCI-001496" + "CCI-000366" ], "nist": [ - "AU-9 (3)" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230475' do\n title 'RHEL 8 must use cryptographic mechanisms to protect the integrity of\naudit tools.'\n desc 'Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings, and\naudit reports) needed to successfully audit information system activity.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\n It is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools with the purpose of providing the capability to hide or\nerase system activity from the audit logs.\n\n To address this risk, audit tools must be cryptographically signed to\nprovide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. 
An example is a checksum hash of the file or files.'\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nCheck the selection lines to ensure AIDE is configured to add/check with the following command:\n\n $ sudo grep -E '(\\\\/usr\\\\/sbin\\\\/(audit|au|rsys))' /etc/aide.conf\n\n /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. 
If there is no evidence of integrity protection, this is a finding.\"\n desc 'fix', 'Add or update the following lines to \"/etc/aide.conf\", to protect the\nintegrity of the audit tools.\n\n # Audit Tools\n /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512\n /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000278-GPOS-00108'\n tag gid: 'V-230475'\n tag rid: 'SV-230475r880722_rule'\n tag stig_id: 'RHEL-08-030650'\n tag fix_id: 'F-33119r568172_fix'\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_tools = %w[/usr/sbin/auditctl\n /usr/sbin/auditd\n /usr/sbin/ausearch\n /usr/sbin/aureport\n /usr/sbin/autrace\n /usr/sbin/rsyslogd\n /usr/sbin/augenrules]\n\n if package('aide').installed?\n audit_tools.each do |tool|\n describe \"selection_line: #{tool}\" do\n subject { aide_conf.where { selection_line.eql?(tool) } }\n its('rules.flatten') { should include 'p' }\n its('rules.flatten') { should include 'i' }\n its('rules.flatten') { should include 'n' }\n its('rules.flatten') { should include 'u' }\n its('rules.flatten') { should include 'g' }\n its('rules.flatten') { should include 's' }\n its('rules.flatten') { should include 'b' }\n its('rules.flatten') { should include 'acl' }\n its('rules.flatten') { should include 'xattrs' }\n its('rules.flatten') { should include 'sha512' }\n end\n end\n else\n describe 'The system is not utilizing Advanced Intrusion Detection Environment (AIDE)' do\n skip 'The system is not utilizing Advanced Intrusion Detection 
Environment (AIDE), manual review is required.'\n end\n end\nend\n", + "code": "control 'SV-250317' do\n title 'RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network\n topology information with other routers. If this software is used when not required,\n system network information may be unnecessarily transmitted across the network.\n\n The sysctl --system command will load settings from all system configuration files.\n\n All configuration files are sorted by their filename in lexicographic order, regardless\n of which of the directories they reside in. If multiple files specify the same option,\n the entry in the file with the lexicographically latest name will take precedence.\n\n Files are read from directories in the following list from top to bottom. Once a file of a\n given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.\n\nCheck that IPv4 forwarding is disabled using the following command:\n\n$ sudo sysctl net.ipv4.conf.all.forwarding\n\nnet.ipv4.conf.all.forwarding = 0\nIf the IPv4 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0\n\nIf \"net.ipv4.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a 
finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n net.ipv4.conf.all.forwarding=0\n\n Remove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-53751r833382_chk'\n tag severity: 'medium'\n tag gid: 'V-250317'\n tag rid: 'SV-250317r858808_rule'\n tag stig_id: 'RHEL-08-040259'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-53705r858807_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.forwarding'\n action = 'IPv4 packet forwarding'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230475.rb", + "ref": "./Red Hat 8 STIG/controls/SV-250317.rb", "line": 1 }, - "id": "SV-230475" + "id": "SV-250317" }, { - "title": "The RHEL 8 operating system must not have accounts configured with blank or null passwords.", - "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.", + "title": "RHEL 8 must set the umask value to 077 for all local interactive user\naccounts.", + "desc": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", "descriptions": { - "default": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.", - "check": "Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.", - "fix": "Configure all accounts on the system to have a password or lock the account\nwith the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\n\nLock an account:\n$ sudo passwd -l [username]" + "default": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". 
This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", + "check": "Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n$ sudo grep -ir ^umask /home | grep -v '.bash_history'\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.", + "fix": "Remove the umask statement from all local interactive user's initialization\nfiles.\n\n If the account is for an application, the requirement for a umask less\nrestrictive than \"077\" can be documented with the Information System Security\nOfficer, but the user agreement for access to the account must specify that the\nlocal interactive user must log on to their account first and then switch the\nuser to the application account with the correct option to gain the account's\nenvironment variables." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "check_id": "C-55143r809340_chk", - "severity": "high", - "gid": "V-251706", - "rid": "SV-251706r809342_rule", - "stig_id": "RHEL-08-010121", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-55097r809341_fix", - "documentable": null, + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00228", + "gid": "V-230384", + "rid": "SV-230384r858732_rule", + "stig_id": "RHEL-08-020352", + "fix_id": "F-33028r567899_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-251706' do\n title 'The RHEL 8 operating system must not have accounts configured with blank or null passwords.'\n desc 'If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.'\n desc 'check', %q(Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.)\n desc 'fix', 'Configure all accounts on the system to have a password or lock the account\nwith the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\n\nLock an account:\n$ sudo passwd -l [username]'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55143r809340_chk'\n tag severity: 'high'\n tag gid: 'V-251706'\n tag rid: 'SV-251706r809342_rule'\n tag stig_id: 'RHEL-08-010121'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55097r809341_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n users_with_blank_passwords = shadow.where { password.nil? || password.empty? 
}.users - input('users_allowed_blank_passwords')\n\n describe 'All users' do\n it 'should have a password set' do\n fail_msg = \"Users with blank passwords:\\n\\t- #{users_with_blank_passwords.join(\"\\n\\t- \")}\"\n expect(users_with_blank_passwords).to be_empty, fail_msg\n end\n end\nend\n", + "code": "control 'SV-230384' do\n title 'RHEL 8 must set the umask value to 077 for all local interactive user\naccounts.'\n desc 'The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.'\n desc 'check', %q(Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n$ sudo grep -ir ^umask /home | grep -v '.bash_history'\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.)\n desc 'fix', %q(Remove the umask statement from all local interactive user's initialization\nfiles.\n\n If the account is for an application, the requirement for a umask less\nrestrictive than \"077\" can be documented with the Information System Security\nOfficer, but the user agreement for access to the account must specify that the\nlocal interactive user must log on to their account first and then switch the\nuser to the application account with the correct option to gain the 
account's\nenvironment variables.)\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00228'\n tag gid: 'V-230384'\n tag rid: 'SV-230384r858732_rule'\n tag stig_id: 'RHEL-08-020352'\n tag fix_id: 'F-33028r567899_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_home_users = input('exempt_home_users')\n expected_mode = input('permissions_for_shells')['default_umask']\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n iusers = passwd.where { uid.to_i >= uid_min && shell !~ /nologin/ && !exempt_home_users.include?(user) }\n\n if !iusers.users.nil? && !iusers.users.empty?\n\n # run the check text's grep against all interactive users, compare any hits to the expected mode\n failing_users = iusers.entries.select { |u|\n umask_set = command(\"grep -ir ^umask #{u.home} | grep -v '.bash_history'\").stdout.strip\n umask_set.nil? 
&& umask_set.match(/(?\\d{3,4})/)['umask'].to_i > expected_mode.to_i\n }.map(&:user)\n\n describe 'All non-exempt interactive users on the system' do\n it \"should not set the UMASK more permissive than '#{expected_mode}' in any init files\" do\n expect(failing_users).to be_empty, \"Failing users:\\n\\t- #{failing_users.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'No non-exempt interactive user accounts' do\n it 'were detected on the system' do\n expect(true).to eq(true)\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251706.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230384.rb", "line": 1 }, - "id": "SV-251706" + "id": "SV-230384" }, { - "title": "The RHEL 8 audit package must be installed.", - "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.", + "title": "RHEL 8 must be configured to disable USB mass storage.", + "desc": "USB mass storage permits easy introduction of unknown devices, thereby\nfacilitating malicious activity.", "descriptions": { - "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content 
that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.", - "check": "Verify the audit service is configured to produce audit records.\n\nCheck that the audit service is installed with the following command:\n\n$ sudo yum list installed audit\n\nIf the \"audit\" package is not installed, this is a finding.", - "fix": "Configure the audit service to produce audit records containing the\ninformation needed to establish when (date and time) an event occurred.\n\n Install the audit service (if the audit service is not already installed)\nwith the following command:\n\n $ sudo yum install audit" + "default": "USB mass storage permits easy introduction of unknown devices, thereby\nfacilitating malicious activity.", + "check": "Verify the operating system disables the ability to load the USB Storage kernel module.\n\n $ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/false\"\n install usb-storage /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use USB mass storage devices.\n\nCheck to see if USB mass storage is disabled with the following command:\n\n $ sudo grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n blacklist usb-storage\n\nIf the command does not return any output or the output is not \"blacklist usb-storage\" and use of USB storage devices is not documented with the ISSO as an 
operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to use the USB Storage kernel module and the ability to use USB mass storage devices.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install usb-storage /bin/false\n blacklist usb-storage\n\nReboot the system for the settings to take effect." }, "impact": 0.5, "refs": [ 
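Review bot: `umask_set.nil?` in the `failing_users` select of SV-230384's code can never be true, because `command(...).stdout.strip` always yields a String, so the `&&` short-circuits, `failing_users` is always empty and the control passes no matter what the user init files contain. Two more things in the same block: `uid_min = 1000 if uid_min.nil?` is dead after `.to_i` (`nil.to_i` is 0, so a missing UID_MIN makes every non-nologin account, root included, "interactive"), and `.to_i > expected_mode.to_i` compares umasks as decimal integers, so 022 (22 < 77) is not flagged while 177 is, which inverts the STIG's "less restrictive than 077" criterion. The rewrite below compares the masks bitwise in octal and examines every grep hit rather than only the first; the regex also renders here as `(?\d{3,4})` with no name for the `['umask']` lookup, which is probably a named group lost in rendering but is worth confirming in the file. In SV-250317, `map(&:to_i)` on the grep results turns any non-numeric value (a typo, `= disabled`) into 0, which is the expected value, so a malformed setting passes "set the parameter to the right value", and the `{} \;` tail of the grep command is a `find -exec` artifact that grep receives as two bogus file arguments. Both control objects extend outside the hunk (the first starts before it, the USB-storage control's `refs` continues after it).
```ruby
uid_min = login_defs.read_params['UID_MIN'].to_i
uid_min = 1000 if uid_min.zero?
# … unchanged: iusers selection …
failing_users = iusers.entries.select { |u|
  umask_hits = command("grep -ir ^umask #{u.home} | grep -v '.bash_history'").stdout.strip
  next false if umask_hits.empty?
  # Compare as octal bitmasks: a umask is less restrictive than the expected one
  # if it leaves set any permission bit the expected mask clears.
  # NOTE(review): assumes default_umask is the octal string "077" as in the check text — confirm.
  expected_bits = expected_mode.to_s.to_i(8)
  umask_hits.lines.any? do |line|
    m = line.match(/umask\s+(\d{3,4})/i)
    m && (expected_bits & ~m[1].to_i(8)) != 0
  end
}.map(&:user)
```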
@@ -9516,95 +9444,74 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000114-GPOS-00059", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000038-GPOS-00016", - "SRG-OS-000039-GPOS-00017", - "SRG-OS-000040-GPOS-00018", - "SRG-OS-000041-GPOS-00019", - "SRG-OS-000042-GPOS-00021", - "SRG-OS-000051-GPOS-00024", - "SRG-OS-000054-GPOS-00025", - "SRG-OS-000122-GPOS-00063", - "SRG-OS-000254-GPOS-00095", - "SRG-OS-000255-GPOS-00096", - "SRG-OS-000337-GPOS-00129", - "SRG-OS-000348-GPOS-00136", - "SRG-OS-000349-GPOS-00137", - "SRG-OS-000350-GPOS-00138", - "SRG-OS-000351-GPOS-00139", - "SRG-OS-000352-GPOS-00140", - "SRG-OS-000353-GPOS-00141", - "SRG-OS-000354-GPOS-00142", - "SRG-OS-000358-GPOS-00145", - "SRG-OS-000365-GPOS-00152", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000475-GPOS-00220" + "SRG-OS-000114-GPOS-00059", + "SRG-OS-000378-GPOS-00163" ], - "gid": "V-230411", - "rid": "SV-230411r744000_rule", - "stig_id": "RHEL-08-030180", - "fix_id": "F-33055r646880_fix", + "gid": "V-230503", + "rid": "SV-230503r942936_rule", + "stig_id": "RHEL-08-040080", + "fix_id": "F-33147r942935_fix", "cci": [ - "CCI-000169" + "CCI-000778" ], "nist": [ - "AU-12 a" + "IA-3" ], "host": null }, - "code": "control 'SV-230411' do\n title 'The RHEL 8 audit package must be installed.'\n desc 'Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an 
attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.'\n desc 'check', 'Verify the audit service is configured to produce audit records.\n\nCheck that the audit service is installed with the following command:\n\n$ sudo yum list installed audit\n\nIf the \"audit\" package is not installed, this is a finding.'\n desc 'fix', 'Configure the audit service to produce audit records containing the\ninformation needed to establish when (date and time) an event occurred.\n\n Install the audit service (if the audit service is not already installed)\nwith the following command:\n\n $ sudo yum install audit'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000038-GPOS-00016', 'SRG-OS-000039-GPOS-00017', 'SRG-OS-000040-GPOS-00018', 'SRG-OS-000041-GPOS-00019', 'SRG-OS-000042-GPOS-00021', 'SRG-OS-000051-GPOS-00024', 'SRG-OS-000054-GPOS-00025', 'SRG-OS-000122-GPOS-00063', 'SRG-OS-000254-GPOS-00095', 'SRG-OS-000255-GPOS-00096', 'SRG-OS-000337-GPOS-00129', 'SRG-OS-000348-GPOS-00136', 'SRG-OS-000349-GPOS-00137', 'SRG-OS-000350-GPOS-00138', 'SRG-OS-000351-GPOS-00139', 'SRG-OS-000352-GPOS-00140', 'SRG-OS-000353-GPOS-00141', 'SRG-OS-000354-GPOS-00142', 'SRG-OS-000358-GPOS-00145', 'SRG-OS-000365-GPOS-00152', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000475-GPOS-00220']\n tag gid: 'V-230411'\n tag rid: 'SV-230411r744000_rule'\n tag stig_id: 'RHEL-08-030180'\n tag fix_id: 'F-33055r646880_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe package('audit') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-230503' do\n title 'RHEL 8 must be configured to disable USB mass storage.'\n desc 'USB mass storage 
permits easy introduction of unknown devices, thereby\nfacilitating malicious activity.'\n desc 'check', 'Verify the operating system disables the ability to load the USB Storage kernel module.\n\n $ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/false\"\n install usb-storage /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use USB mass storage devices.\n\nCheck to see if USB mass storage is disabled with the following command:\n\n $ sudo grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n blacklist usb-storage\n\nIf the command does not return any output or the output is not \"blacklist usb-storage\" and use of USB storage devices is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the USB Storage kernel module and the ability to use USB mass storage devices.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install usb-storage /bin/false\n blacklist usb-storage\n\nReboot the system for the settings to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag satisfies: ['SRG-OS-000114-GPOS-00059', 'SRG-OS-000378-GPOS-00163']\n tag gid: 'V-230503'\n tag rid: 'SV-230503r942936_rule'\n tag stig_id: 'RHEL-08-040080'\n tag fix_id: 'F-33147r942935_fix'\n tag cci: ['CCI-000778']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n if input('usb_storage_required') == true\n describe kernel_module('usb_storage') do\n it { should_not be_disabled }\n it { should_not be_blacklisted }\n end\n 
else\n describe kernel_module('usb_storage') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230411.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230503.rb", "line": 1 }, - "id": "SV-230411" + "id": "SV-230503" }, { - "title": "RHEL 8 must limit the number of concurrent sessions to ten for all\naccounts and/or account types.", - "desc": "Operating system management includes the ability to control the number\nof users and user sessions that utilize an operating system. Limiting the\nnumber of allowed users and sessions per user is helpful in reducing the risks\nrelated to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased on mission needs and the operational environment for each system.", + "title": "RHEL 8 must disable storing core dumps.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", "descriptions": { - "default": "Operating system management includes the ability to control the number\nof users and user sessions that utilize an operating system. 
Limiting the\nnumber of allowed users and sessions per user is helpful in reducing the risks\nrelated to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased on mission needs and the operational environment for each system.", - "check": "Verify the operating system limits the number of concurrent sessions to\n\"10\" for all accounts and/or account types by issuing the following command:\n\n $ sudo grep -r -s '^[^#].*maxlogins' /etc/security/limits.conf\n/etc/security/limits.d/*.conf\n\n * hard maxlogins 10\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"maxlogins\" item is missing, commented out, or the value is set\ngreater than \"10\" and is not documented with the Information System Security\nOfficer (ISSO) as an operational requirement for all domains that have the\n\"maxlogins\" item assigned, this is a finding.", - "fix": "Configure the operating system to limit the number of concurrent sessions\nto \"10\" for all accounts and/or account types.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/:\n\n * hard maxlogins 10" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. 
The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", + "check": "Verify the operating system disables storing core dumps for all users by\nissuing the following command:\n\n $ sudo grep -i storage /etc/systemd/coredump.conf\n\n Storage=none\n\n If the \"Storage\" item is missing, commented out, or the value is anything\nother than \"none\" and the need for core dumps is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement for\nall domains that have the \"core\" item assigned, this is a finding.", + "fix": "Configure the operating system to disable storing core dumps for all users.\n\nAdd or modify the following line in /etc/systemd/coredump.conf:\n\nStorage=none" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000027-GPOS-00008", - "gid": "V-230346", - "rid": "SV-230346r877399_rule", - "stig_id": "RHEL-08-020024", - "fix_id": "F-32990r619863_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230314", + "rid": "SV-230314r627750_rule", + "stig_id": "RHEL-08-010674", + "fix_id": "F-32958r567689_fix", "cci": [ - "CCI-000054" + "CCI-000366" ], + "legacy": [], "nist": [ - "AC-10" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230346' do\n title 'RHEL 8 must limit the number of concurrent sessions to ten for all\naccounts and/or account types.'\n desc 'Operating system management includes the ability to control the number\nof users and user sessions that utilize an operating system. Limiting the\nnumber of allowed users and sessions per user is helpful in reducing the risks\nrelated to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. 
The maximum number of concurrent sessions should be defined\nbased on mission needs and the operational environment for each system.'\n desc 'check', %q(Verify the operating system limits the number of concurrent sessions to\n\"10\" for all accounts and/or account types by issuing the following command:\n\n $ sudo grep -r -s '^[^#].*maxlogins' /etc/security/limits.conf\n/etc/security/limits.d/*.conf\n\n * hard maxlogins 10\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"maxlogins\" item is missing, commented out, or the value is set\ngreater than \"10\" and is not documented with the Information System Security\nOfficer (ISSO) as an operational requirement for all domains that have the\n\"maxlogins\" item assigned, this is a finding.)\n desc 'fix', 'Configure the operating system to limit the number of concurrent sessions\nto \"10\" for all accounts and/or account types.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/:\n\n * hard maxlogins 10'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000027-GPOS-00008'\n tag gid: 'V-230346'\n tag rid: 'SV-230346r877399_rule'\n tag stig_id: 'RHEL-08-020024'\n tag fix_id: 'F-32990r619863_fix'\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n setting = 'maxlogins'\n expected_value = input('concurrent_sessions_permitted')\n\n limits_files = command('ls /etc/security/limits.d/*.conf').stdout.strip.split\n limits_files.append('/etc/security/limits.conf')\n\n # make sure that at least one limits.conf file has the correct setting\n globally_set = limits_files.any? { |lf| !limits_conf(lf).read_params['*'].nil? 
&& limits_conf(lf).read_params['*'].include?(['hard', setting.to_s, expected_value.to_s]) }\n\n # make sure that no limits.conf file has a value that contradicts the global set\n failing_files = limits_files.select { |lf|\n limits_conf(lf).read_params.values.flatten(1).any? { |l|\n l[1].eql?(setting) && l[2].to_i > expected_value\n }\n }\n describe 'Limits files' do\n it \"should limit concurrent sessions to #{expected_value} by default\" do\n expect(globally_set).to eq(true), \"No global ('*') setting for concurrent sessions found\"\n end\n it 'should not have any conflicting settings' do\n expect(failing_files).to be_empty, \"Files with incorrect '#{setting}' settings:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230314' do\n title 'RHEL 8 must disable storing core dumps.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. 
The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.'\n desc 'check', 'Verify the operating system disables storing core dumps for all users by\nissuing the following command:\n\n $ sudo grep -i storage /etc/systemd/coredump.conf\n\n Storage=none\n\n If the \"Storage\" item is missing, commented out, or the value is anything\nother than \"none\" and the need for core dumps is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement for\nall domains that have the \"core\" item assigned, this is a finding.'\n desc 'fix', 'Configure the operating system to disable storing core dumps for all users.\n\nAdd or modify the following line in /etc/systemd/coredump.conf:\n\nStorage=none'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230314'\n tag rid: 'SV-230314r627750_rule'\n tag stig_id: 'RHEL-08-010674'\n tag fix_id: 'F-32958r567689_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/systemd/coredump.conf') do\n its('Coredump.Storage') { should cmp 'none' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230346.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230314.rb", "line": 1 }, - "id": "SV-230346" + "id": "SV-230314" }, { - "title": "RHEL 8 must cover or disable the built-in or attached camera when not\nin use.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.", + "title": "The RHEL 8 /var/log/messages file must be group-owned by root.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. 
Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.", - "check": "If the device or operating system does not have a camera installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.\n\nThis requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.\n\nFor an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.\n\nFor a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.\n\nIf the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:\n\nVerify the operating system disables the ability to load the uvcvideo kernel module.\n\n $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"/bin/false\"\n install uvcvideo /bin/false\n\nIf the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the camera is disabled via blacklist with the following command:\n\n $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"blacklist\"\n blacklist uvcvideo\n\nIf the command does not return any output or the output is not \"blacklist uvcvideo\", and the collaborative computing device has not been authorized for use, this is a finding.", - "fix": "Configure the operating system to disable the built-in or attached camera when not in use.\n\nBuild or modify the 
\"/etc/modprobe.d/blacklist.conf\" file by using the following example:\n\n install uvcvideo /bin/false\n blacklist uvcvideo\n\nReboot the system for the settings to take effect." + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the \"/var/log/messages\" file is group-owned by root with the\nfollowing command:\n\n $ sudo stat -c \"%G\" /var/log/messages\n\n root\n\n If \"root\" is not returned as a result, this is a finding.", + "fix": "Change the group of the file \"/var/log/messages\" to \"root\" by running\nthe following command:\n\n $ sudo chgrp root /var/log/messages" }, "impact": 0.5, "refs": [ 
@@ -9614,37 +9521,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000095-GPOS-00049", - "satisfies": [ - "SRG-OS-000095-GPOS-00049", - "SRG-OS-000370-GPOS-00155" - ], - "gid": "V-230493", - "rid": "SV-230493r942915_rule", - "stig_id": "RHEL-08-040020", - "fix_id": "F-33137r942914_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-230247", + "rid": "SV-230247r627750_rule", + "stig_id": "RHEL-08-010230", + "fix_id": "F-32891r567488_fix", "cci": [ - "CCI-000381" + "CCI-001314" ], "nist": [ - "CM-7 a" + "SI-11 b" ], "host": null }, - "code": "control 'SV-230493' do\n title 'RHEL 8 must cover or disable the built-in or attached camera when not\nin use.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. 
Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.'\n desc 'check', 'If the device or operating system does not have a camera installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.\n\nThis requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.\n\nFor an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.\n\nFor a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.\n\nIf the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:\n\nVerify the operating system disables the ability to load the uvcvideo kernel module.\n\n $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"/bin/false\"\n install uvcvideo /bin/false\n\nIf the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the camera is disabled via blacklist with the following command:\n\n $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"blacklist\"\n blacklist uvcvideo\n\nIf the command does not return any output or the output is not \"blacklist uvcvideo\", and the collaborative computing device has not been authorized for use, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the built-in or attached camera when not in use.\n\nBuild or modify 
the \"/etc/modprobe.d/blacklist.conf\" file by using the following example:\n\n install uvcvideo /bin/false\n blacklist uvcvideo\n\nReboot the system for the settings to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag satisfies: ['SRG-OS-000095-GPOS-00049', 'SRG-OS-000370-GPOS-00155']\n tag gid: 'V-230493'\n tag rid: 'SV-230493r942915_rule'\n tag stig_id: 'RHEL-08-040020'\n tag fix_id: 'F-33137r942914_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('camera_installed')\n describe kernel_module('uvcvideo') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n else\n impact 0.0\n describe 'Device or operating system does not have a camera installed' do\n skip 'Device or operating system does not have a camera installed, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-230247' do\n title 'The RHEL 8 /var/log/messages file must be group-owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify the \"/var/log/messages\" file is group-owned by root with the\nfollowing command:\n\n $ sudo stat -c \"%G\" /var/log/messages\n\n root\n\n If \"root\" is not returned as a result, this is a finding.'\n desc 'fix', 'Change the group of the file \"/var/log/messages\" to \"root\" by running\nthe following command:\n\n $ sudo chgrp root /var/log/messages'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230247'\n tag rid: 'SV-230247r627750_rule'\n tag stig_id: 'RHEL-08-010230'\n tag fix_id: 'F-32891r567488_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe.one do\n describe file('/var/log/messages') do\n its('group') { should be_in input('var_log_messages_group') }\n end\n describe file('/var/log/messages') do\n it { should_not exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230493.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230247.rb", "line": 1 }, - "id": "SV-230493" + "id": "SV-230247" }, { - "title": "RHEL 8 must disable the user list at logon for graphical user\ninterfaces.", - "desc": "Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to enumerate known user accounts\nwithout authenticated access to the system.", + "title": "The RHEL 8 file system automounter must be disabled unless required.", + "desc": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", "descriptions": { - "default": "Leaving the user list enabled is a security risk since it allows\nanyone with physical 
access to the system to enumerate known user accounts\nwithout authenticated access to the system.", - "check": "Verify the operating system disables the user logon list for graphical user\ninterfaces with the following command:\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.login-screen disable-user-list\n true\n\n If the setting is \"false\", this is a finding.", - "fix": "Configure the operating system to disable the user list at logon for\ngraphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/02-login-screen\n\n [org/gnome/login-screen]\n disable-user-list=true\n\n Update the system databases:\n $ sudo dconf update" + "default": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", + "check": "Verify the operating system disables the ability to automount devices.\n\n Check to see if automounter service is active with the following command:\n\n Note: If the autofs service is not installed, this requirement is not\napplicable.\n\n $ sudo systemctl status autofs\n\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\n If the \"autofs\" status is set to \"active\" and is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.", + "fix": "Configure the operating system to disable the ability to 
automount devices.\n\n Turn off the automount service with the following commands:\n\n $ sudo systemctl stop autofs\n $ sudo systemctl disable autofs\n\n If \"autofs\" is required for Network File System (NFS), it must be\ndocumented with the ISSO." }, "impact": 0.5, "refs": [ 
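Review bot: The SV-230247 test at the end of this hunk's `code` string accepts any group listed in `input('var_log_messages_group')`, while the check text it carries requires `stat -c "%G"` to return exactly `root`; unless that input defaults to `['root']` (its default is not visible here), the automated result can be more lenient than the manual check. The `describe.one` wrapper also reports the control as passing when `/var/log/messages` is absent, which is defensible for journald-only hosts but is undocumented in the code. Since this JSON is an exported profile, the change belongs in `./Red Hat 8 STIG/controls/SV-230247.rb`: either pin the expectation, `its('group') { should cmp 'root' }`, or keep the input and add `# a missing /var/log/messages is treated as compliant (journald-only hosts); accepted groups come from input var_log_messages_group` above the `describe.one`.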
@@ -9654,33 +9557,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244536", - "rid": "SV-244536r743857_rule", - "stig_id": "RHEL-08-020032", - "fix_id": "F-47768r743856_fix", + "gtitle": "SRG-OS-000114-GPOS-00059", + "gid": "V-230502", + "rid": "SV-230502r627750_rule", + "stig_id": "RHEL-08-040070", + "fix_id": "F-33146r568253_fix", "cci": [ - "CCI-000366" + "CCI-000778" ], "nist": [ - "CM-6 b" + "IA-3" ], "host": null }, - "code": "control 'SV-244536' do\n title 'RHEL 8 must disable the user list at logon for graphical user\ninterfaces.'\n desc 'Leaving the user list enabled is a security risk since it allows\nanyone with physical access to the system to enumerate known user accounts\nwithout authenticated access to the system.'\n desc 'check', 'Verify the operating system disables the user logon list for graphical user\ninterfaces with the following command:\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.login-screen disable-user-list\n true\n\n If the setting is \"false\", this is a finding.'\n desc 'fix', 'Configure the operating system to disable the user list at logon for\ngraphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/02-login-screen\n\n [org/gnome/login-screen]\n disable-user-list=true\n\n Update the system databases:\n $ sudo dconf update'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244536'\n tag rid: 'SV-244536r743857_rule'\n tag stig_id: 'RHEL-08-020032'\n tag fix_id: 'F-47768r743856_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n no_gui = command('ls /usr/share/xsessions/*').stderr.match?(/No such file or directory/)\n\n if no_gui\n impact 0.0\n describe 'The system does not have a GUI installed, this requirement is Not Applicable.' 
do\n skip 'A GUI desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('gsettings get org.gnome.login-screen disable-user-list') do\n its('stdout.strip') { should cmp 'true' }\n end\n end\nend\n", + "code": "control 'SV-230502' do\n title 'The RHEL 8 file system automounter must be disabled unless required.'\n desc 'Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.'\n desc 'check', 'Verify the operating system disables the ability to automount devices.\n\n Check to see if automounter service is active with the following command:\n\n Note: If the autofs service is not installed, this requirement is not\napplicable.\n\n $ sudo systemctl status autofs\n\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\n If the \"autofs\" status is set to \"active\" and is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to automount devices.\n\n Turn off the automount service with the following commands:\n\n $ sudo systemctl stop autofs\n $ sudo systemctl disable autofs\n\n If \"autofs\" is required for Network File System (NFS), it must be\ndocumented with the ISSO.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag gid: 'V-230502'\n tag rid: 'SV-230502r627750_rule'\n tag stig_id: 'RHEL-08-040070'\n tag fix_id: 'F-33146r568253_fix'\n tag cci: ['CCI-000778']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('autofs_required') == true\n describe systemd_service('autofs.service') do\n it { should be_running }\n it { should be_enabled }\n it { should 
be_installed }\n end\n elsif package('autofs').installed?\n describe systemd_service('autofs.service') do\n it { should_not be_running }\n it { should_not be_enabled }\n it { should_not be_installed }\n end\n else\n impact 0.0\n describe 'The autofs service is not installed' do\n skip 'The autofs service is not installed, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244536.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230502.rb", "line": 1 }, - "id": "SV-244536" + "id": "SV-230502" }, { - "title": "The RHEL 8 /var/log/messages file must have mode 0640 or less\npermissive.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "RHEL 8 must prevent the use of dictionary words for passwords.", + "desc": "If RHEL 8 allows the user to select passwords based on dictionary\nwords, this increases the chances of password compromise by increasing the\nopportunity for successful guesses, and brute-force attacks.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. 
Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the \"/var/log/messages\" file has mode \"0640\" or less\npermissive with the following command:\n\n $ sudo stat -c \"%a %n\" /var/log/messages\n\n 640 /var/log/messages\n\n If a value of \"0640\" or less permissive is not returned, this is a\nfinding.", - "fix": "Change the permissions of the file \"/var/log/messages\" to \"0640\" by\nrunning the following command:\n\n $ sudo chmod 0640 /var/log/messages" + "default": "If RHEL 8 allows the user to select passwords based on dictionary\nwords, this increases the chances of password compromise by increasing the\nopportunity for successful guesses, and brute-force attacks.", + "check": "Verify RHEL 8 prevents the use of dictionary words for passwords.\n\nDetermine if the field \"dictcheck\" is set with the following command:\n\n$ sudo grep -r dictcheck /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dictcheck=1\n\nIf the \"dictcheck\" parameter is not set to \"1\", or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to prevent the use of dictionary words for passwords.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the \"dictcheck\" parameter:\n\ndictcheck=1\n\nRemove any configurations that conflict with the above value." }, "impact": 0.5, "refs": [ 
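Review bot: In the SV-230502 `code` string on this hunk's new side, the `elsif package('autofs').installed?` branch asserts `it { should_not be_installed }` on `systemd_service('autofs.service')`; if InSpec's `installed?` for a systemd unit reflects the unit's load state rather than the package, that assertion fails on every host where autofs is present but stopped and disabled, which is exactly the state the control's own fix text (`systemctl stop autofs` / `systemctl disable autofs`) produces, so the branch can only pass when the unit is masked or removed. Dropping that line and keeping `it { should_not be_running }` and `it { should_not be_enabled }` aligns the test with the check and fix text; the edit belongs in `./Red Hat 8 STIG/controls/SV-230502.rb` since this JSON is an export. The `input('autofs_required') == true` branch additionally requires the service to be running and enabled, which is stricter than the STIG's "documented with the ISSO" exception and deserves a comment such as `# when autofs is documented as required, verify it is actually in use rather than merely present`.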
@@ -9690,33 +9593,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-230245", - "rid": "SV-230245r627750_rule", - "stig_id": "RHEL-08-010210", - "fix_id": "F-32889r567482_fix", + "gtitle": "SRG-OS-000480-GPOS-00225", + "gid": "V-230377", + "rid": "SV-230377r858789_rule", + "stig_id": "RHEL-08-020300", + "fix_id": "F-33021r858788_fix", "cci": [ - "CCI-001314" + "CCI-000366" ], "nist": [ - "SI-11 b" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230245' do\n title 'The RHEL 8 /var/log/messages file must have mode 0640 or less\npermissive.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify that the \"/var/log/messages\" file has mode \"0640\" or less\npermissive with the following command:\n\n $ sudo stat -c \"%a %n\" /var/log/messages\n\n 640 /var/log/messages\n\n If a value of \"0640\" or less permissive is not returned, this is a\nfinding.'\n desc 'fix', 'Change the permissions of the file \"/var/log/messages\" to \"0640\" by\nrunning the following command:\n\n $ sudo chmod 0640 /var/log/messages'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230245'\n tag rid: 'SV-230245r627750_rule'\n tag stig_id: 'RHEL-08-010210'\n tag fix_id: 'F-32889r567482_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe.one do\n describe file('/var/log/messages') do\n it { should_not be_more_permissive_than('0640') }\n end\n describe file('/var/log/messages') do\n it { should_not exist }\n end\n end\nend\n", + "code": "control 'SV-230377' do\n title 'RHEL 8 must prevent the use of dictionary words for passwords.'\n desc 'If RHEL 8 allows the user to select passwords based on dictionary\nwords, this increases the chances of password compromise by increasing the\nopportunity for successful guesses, and brute-force attacks.'\n desc 'check', 'Verify RHEL 8 prevents the use of dictionary words for passwords.\n\nDetermine if the field \"dictcheck\" is set with the following command:\n\n$ sudo grep -r dictcheck /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dictcheck=1\n\nIf the \"dictcheck\" parameter is not set to \"1\", or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure 
RHEL 8 to prevent the use of dictionary words for passwords.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the \"dictcheck\" parameter:\n\ndictcheck=1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00225'\n tag gid: 'V-230377'\n tag rid: 'SV-230377r858789_rule'\n tag stig_id: 'RHEL-08-020300'\n tag fix_id: 'F-33021r858788_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('dictcheck') { should eq '1' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230245.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230377.rb", "line": 1 }, - "id": "SV-230245" + "id": "SV-230377" }, { - "title": "Successful/unsuccessful uses of userhelper in RHEL 8 must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"userhelper\" command is not intended to be run interactively.\n\"Userhelper\" provides a basic interface to change a user's password, gecos\ninformation, and shell. The main difference between this program and its\ntraditional equivalents (passwd, chfn, chsh) is that prompts are written to\nstandard out to make it easy for a graphical user interface wrapper to\ninterface to it as a child process.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must not accept router advertisements on all IPv6 interfaces by\ndefault.", + "desc": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"userhelper\" command is not intended to be run interactively.\n\"Userhelper\" provides a basic interface to change a user's password, gecos\ninformation, and shell. 
The main difference between this program and its\ntraditional equivalents (passwd, chfn, chsh) is that prompts are written to\nstandard out to make it easy for a graphical user interface wrapper to\ninterface to it as a child process.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"userhelper\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"userhelper\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"userhelper\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by default by using the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_ra\n\nnet.ipv6.conf.default.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0\n\nIf \"net.ipv6.conf.default.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_ra=0\n\nRemove any configurations that conflict with the above from the 
following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
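Review bot: The SV-230377 code only inspects `/etc/security/pwquality.conf` (`describe parse_config_file('/etc/security/pwquality.conf') do ... its('dictcheck') { should eq '1' }`), while the fix text in the same hunk allows the setting to live in a drop-in configuration directory and the check text makes conflicting results a finding; a host that sets `dictcheck=1` only in a drop-in fails this control, and a drop-in that re-sets `dictcheck=0` still passes it. libpwquality on RHEL 8 reads `/etc/security/pwquality.conf.d/*.conf`, so the `/etc/pwquality.conf.d/` path in the fix text looks like a STIG typo — confirm against the installed version before relying on either path. Reading every file and asserting one non-conflicting value matches the check text; since this JSON is an exported profile, the change belongs in `./Red Hat 8 STIG/controls/SV-230377.rb` referenced in the hunk's source_location and should be re-exported from there.
```ruby
  # … unchanged: title, desc, impact, tags …
  conf_files = ['/etc/security/pwquality.conf'] +
               command('ls /etc/security/pwquality.conf.d/*.conf 2>/dev/null').stdout.split
  dictcheck_values = conf_files.map { |f| parse_config_file(f).params['dictcheck'] }.compact.map(&:strip)

  describe 'dictcheck in pwquality configuration' do
    it 'is set in at least one pwquality configuration file' do
      expect(dictcheck_values).not_to be_empty
    end
    it 'is set to 1 without conflicting values' do
      expect(dictcheck_values.uniq).to eq(['1'])
    end
  end
```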
@@ -9726,42 +9630,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230431", - "rid": "SV-230431r627750_rule", - "stig_id": "RHEL-08-030315", - "fix_id": "F-33075r568040_fix", - "cci": [ - "CCI-000169" + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230542", + "rid": "SV-230542r858814_rule", + "stig_id": "RHEL-08-040262", + "fix_id": "F-33186r858813_fix", + "cci": [ + "CCI-000366" ], "nist": [ - "AU-12 a" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230431' do\n title 'Successful/unsuccessful uses of userhelper in RHEL 8 must generate an\naudit record.'\n desc %q(Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"userhelper\" command is not intended to be run interactively.\n\"Userhelper\" provides a basic interface to change a user's password, gecos\ninformation, and shell. The main difference between this program and its\ntraditional equivalents (passwd, chfn, chsh) is that prompts are written to\nstandard out to make it easy for a graphical user interface wrapper to\ninterface to it as a child process.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.)\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"userhelper\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"userhelper\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"userhelper\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230431'\n tag rid: 'SV-230431r627750_rule'\n tag stig_id: 'RHEL-08-030315'\n tag fix_id: 'F-33075r568040_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/userhelper'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230542' do\n title 'RHEL 8 must not accept router advertisements on all IPv6 interfaces by\ndefault.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by default by using the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_ra\n\nnet.ipv6.conf.default.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0\n\nIf \"net.ipv6.conf.default.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 
8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230542'\n tag rid: 'SV-230542r858814_rule'\n tag stig_id: 'RHEL-08-040262'\n tag fix_id: 'F-33186r858813_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_ra'\n action = 'IPv6 router advertisements (by default for all interfaces)'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230431.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230542.rb", "line": 1 }, - "id": "SV-230431" + "id": "SV-230542" }, { - "title": "RHEL 8 must ensure the password complexity module is enabled in the password-auth file.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", + "title": "RHEL 8 must mount /var/log/audit with the noexec option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", - "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n\nCheck for the use of \"pwquality\" in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/log/audit\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/var/log/audit is mounted without the \"noexec\" option, this is a finding.", + "fix": "Configure the system so that /var/log/audit is mounted with the \"noexec\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
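Review bot: The grep in the SV-230542 code, `command("grep -r ^#{parameter} #{sysctl_config_files} {} \;")`, leaves the dots of `net.ipv6.conf.default.accept_ra` as regex wildcards and has no terminator, so it also matches sibling sysctls such as `net.ipv6.conf.default.accept_ra_defrtr` or `accept_ra_pinfo`; their values are folded into `uniq_config_values` and can produce a false "conflicting settings" or wrong-value failure on a host where the required parameter is correctly set to 0. The trailing `{} \;` looks like a `find -exec` leftover that only makes grep complain on stderr about a nonexistent file named `{}`. Escaping and anchoring the parameter fixes both: `search_results = command("grep -rE '^#{Regexp.escape(parameter)}\\s*=' #{sysctl_config_files}").stdout.split("\n")`. Since this JSON is an exported profile, the change belongs in `./Red Hat 8 STIG/controls/SV-230542.rb` referenced in the hunk's source_location and should be re-exported from there.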
@@ -9771,72 +9666,70 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000069-GPOS-00037", - "gid": "V-230356", - "rid": "SV-230356r902728_rule", - "stig_id": "RHEL-08-020100", - "fix_id": "F-33000r902727_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230519", + "rid": "SV-230519r854060_rule", + "stig_id": "RHEL-08-040131", + "fix_id": "F-33163r568304_fix", "cci": [ - "CCI-000192", - "CCI-000366" + "CCI-001764" ], "nist": [ - "IA-5 (1) (a)", - "CM-6 b" + "CM-7 (2)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230356' do\n title 'RHEL 8 must ensure the password complexity module is enabled in the password-auth file.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth'\n desc 'check', 'Verify the operating system uses \"pwquality\" to enforce the password complexity rules.\n\nCheck for the use of \"pwquality\" in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-230356'\n tag rid: 'SV-230356r902728_rule'\n tag stig_id: 'RHEL-08-020100'\n tag fix_id: 'F-33000r902727_fix'\n tag cci: ['CCI-000192', 'CCI-000366']\n tag nist: ['IA-5 (1) (a)', 'CM-6 b']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so') }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so') }\n end\nend\n", + "code": "control 'SV-230519' do\n title 'RHEL 8 must mount /var/log/audit with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log/audit\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if\n/var/log/audit is mounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log/audit is mounted with the \"noexec\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS 
Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230519'\n tag rid: 'SV-230519r854060_rule'\n tag stig_id: 'RHEL-08-040131'\n tag fix_id: 'F-33163r568304_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log/audit'\n option = 'noexec'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230356.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230519.rb", "line": 1 }, - "id": "SV-230356" + "id": "SV-230519" }, { - "title": "RHEL 8 must disable the chrony daemon from acting as a server.", - "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. 
Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.", + "title": "The RHEL 8 SSH public host key files must have mode 0644 or less\npermissive.", + "desc": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", "descriptions": { - "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. 
Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.", - "check": "Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.\n\nVerify RHEL 8 disables the chrony daemon from acting as a server with the following command:\n\n $ sudo grep -w 'port' /etc/chrony.conf\n port 0\n\nIf the \"port\" option is not set to \"0\", is commented out or missing, this is a finding.", - "fix": "Configure the operating system to disable the chrony daemon from acting as a server by adding or modifying the following line in the \"/etc/chrony.conf\" file:\n\n port 0" + "default": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", + "check": "Verify the SSH public host key files have mode \"0644\" or less permissive\nwith the following command:\n\n $ sudo ls -l /etc/ssh/*.pub\n\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\n If any key.pub file has a mode more permissive than \"0644\", this is a\nfinding.\n\n Note: SSH public key files may be found in other directories on the system\ndepending on the installation.", + "fix": "Change the mode of public host key files under \"/etc/ssh\" to \"0644\"\nwith the following command:\n\n $ sudo chmod 0644 /etc/ssh/*key.pub\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230485", - "rid": "SV-230485r928590_rule", - "stig_id": "RHEL-08-030741", - "fix_id": "F-33129r928589_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230286", + "rid": "SV-230286r627750_rule", + "stig_id": "RHEL-08-010480", + "fix_id": "F-32930r567605_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a" + "CM-6 b" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230485' do\n title 'RHEL 8 must disable the chrony daemon from acting as a server.'\n desc 'Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. 
Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.'\n desc 'check', %q(Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.\n\nVerify RHEL 8 disables the chrony daemon from acting as a server with the following command:\n\n $ sudo grep -w 'port' /etc/chrony.conf\n port 0\n\nIf the \"port\" option is not set to \"0\", is commented out or missing, this is a finding.)\n desc 'fix', 'Configure the operating system to disable the chrony daemon from acting as a server by adding or modifying the following line in the \"/etc/chrony.conf\" file:\n\n port 0'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230485'\n tag rid: 'SV-230485r928590_rule'\n tag stig_id: 'RHEL-08-030741'\n tag fix_id: 'F-33129r928589_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/chrony.conf').exist?)\n }\n\n chrony_conf = ntp_conf('/etc/chrony.conf')\n\n describe chrony_conf do\n its('port') { should cmp 0 }\n end\nend\n", + "code": "control 'SV-230286' do\n title 'The RHEL 8 SSH public host key files must have mode 0644 or less\npermissive.'\n desc 'If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.'\n desc 'check', 'Verify the SSH public host key files have mode \"0644\" or less permissive\nwith the following command:\n\n $ sudo ls -l /etc/ssh/*.pub\n\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\n If any key.pub file has a mode more permissive than \"0644\", this is a\nfinding.\n\n Note: SSH public key files may be found in other 
directories on the system\ndepending on the installation.'\n desc 'fix', 'Change the mode of public host key files under \"/etc/ssh\" to \"0644\"\nwith the following command:\n\n $ sudo chmod 0644 /etc/ssh/*key.pub\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230286'\n tag rid: 'SV-230286r627750_rule'\n tag stig_id: 'RHEL-08-010480'\n tag fix_id: 'F-32930r567605_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n ssh_host_key_dirs = input('ssh_host_key_dirs').join(' ')\n pub_keys = command(\"find #{ssh_host_key_dirs} -xdev -name '*.pub'\").stdout.split(\"\\n\")\n mode = input('ssh_pub_key_mode')\n failing_keys = pub_keys.select { |key| file(key).more_permissive_than?(mode) }\n\n describe 'All SSH public keys on the filesystem' do\n it \"should be less permissive than #{mode}\" do\n expect(failing_keys).to be_empty, \"Failing keyfiles:\\n\\t- #{failing_keys.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230485.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230286.rb", "line": 1 }, - "id": "SV-230485" + "id": "SV-230286" }, { - "title": "The RHEL 8 System must take appropriate action when an audit\nprocessing failure occurs.", - "desc": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "title": "RHEL 8 must disable the kernel.core_pattern.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", - "check": "Verify RHEL 8 takes the appropriate action when an audit processing failure\noccurs.\n\n Check that RHEL 8 takes the appropriate action when an audit processing\nfailure occurs with the following command:\n\n $ sudo grep disk_error_action /etc/audit/auditd.conf\n\n disk_error_action = HALT\n\n If the value of the \"disk_error_action\" option is not \"SYSLOG\",\n\"SINGLE\", or \"HALT\", or the line is commented out, ask the system\nadministrator to indicate how the system takes appropriate action when an audit\nprocess failure occurs. If there is no evidence of appropriate action, this is\na finding.", - "fix": "Configure RHEL 8 to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\n Add or update the following line (depending on configuration\n\"disk_error_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\n disk_error_action = HALT\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nby setting the \"disk_error_action\" to \"SYSLOG\"." + "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 disables storing core dumps with the following commands:\n\n$ sudo sysctl kernel.core_pattern\n\nkernel.core_pattern = |/bin/false\n\nIf the returned line does not have a value of \"|/bin/false\", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false\n\nIf \"kernel.core_pattern\" is not set to \"|/bin/false\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to disable storing core dumps.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.core_pattern = |/bin/false\n\nRemove any configurations that conflict with the above from 
the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
@@ -9846,33 +9739,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000047-GPOS-00023", - "gid": "V-230390", - "rid": "SV-230390r627750_rule", - "stig_id": "RHEL-08-030040", - "fix_id": "F-33034r567917_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230311", + "rid": "SV-230311r858769_rule", + "stig_id": "RHEL-08-010671", + "fix_id": "F-32955r858768_fix", "cci": [ - "CCI-000140" + "CCI-000366" ], + "legacy": [], "nist": [ - "AU-5 b" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230390' do\n title 'The RHEL 8 System must take appropriate action when an audit\nprocessing failure occurs.'\n desc 'It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.'\n desc 'check', 'Verify RHEL 8 takes the appropriate action when an audit processing failure\noccurs.\n\n Check that RHEL 8 takes the appropriate action when an audit processing\nfailure occurs with the following command:\n\n $ sudo grep disk_error_action /etc/audit/auditd.conf\n\n disk_error_action = HALT\n\n If the value of the \"disk_error_action\" option is not \"SYSLOG\",\n\"SINGLE\", or \"HALT\", or the line is commented out, ask the system\nadministrator to indicate how the system takes appropriate action when an audit\nprocess failure occurs. 
If there is no evidence of appropriate action, this is\na finding.'\n desc 'fix', 'Configure RHEL 8 to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\n Add or update the following line (depending on configuration\n\"disk_error_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on\nconfiguration) in \"/etc/audit/auditd.conf\" file:\n\n disk_error_action = HALT\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nby setting the \"disk_error_action\" to \"SYSLOG\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000047-GPOS-00023'\n tag gid: 'V-230390'\n tag rid: 'SV-230390r627750_rule'\n tag stig_id: 'RHEL-08-030040'\n tag fix_id: 'F-33034r567917_fix'\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n disk_error_action = input('disk_error_action').map(&:upcase)\n\n describe auditd_conf do\n its('disk_error_action.upcase') { should be_in disk_error_action }\n end\nend\n", + "code": "control 'SV-230311' do\n title 'RHEL 8 must disable the kernel.core_pattern.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 disables storing core dumps with the following commands:\n\n$ sudo sysctl kernel.core_pattern\n\nkernel.core_pattern = |/bin/false\n\nIf the returned line does not have a value of \"|/bin/false\", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false\n\nIf \"kernel.core_pattern\" is not set to \"|/bin/false\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable storing core dumps.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.core_pattern = |/bin/false\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230311'\n tag rid: 'SV-230311r858769_rule'\n tag stig_id: 'RHEL-08-010671'\n tag fix_id: 'F-32955r858768_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n kernel_setting = 'kernel.core_pattern'\n kernel_expected_value = input('kernel_dump_expected_value')\n\n describe kernel_parameter(kernel_setting) do\n its('value') { should eq kernel_expected_value }\n end\n\n k_conf_files = input('kernel_config_files')\n\n # make sure the setting is set somewhere\n k_conf = command(\"grep -r #{kernel_setting} #{k_conf_files.join(' ')}\").stdout.split(\"\\n\")\n\n # make sure it is set correctly\n failing_k_conf = k_conf.reject { |k| k.match(/#{kernel_parameter}\\s*=\\s*#{kernel_expected_value}/) }\n\n describe 'Kernel config files' do\n it \"should set '#{kernel_setting}' on startup\" do\n expect(k_conf).to_not be_empty, \"Setting not found in any of the following config files:\\n\\t- #{k_conf_files.join(\"\\n\\t- \")}\"\n expect(failing_k_conf).to be_empty, \"Incorrect or conflicting settings found:\\n\\t- #{failing_k_conf.join(\"\\n\\t- \")}\" if k_conf.nil?\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230390.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230311.rb", "line": 1 }, - "id": "SV-230390" + "id": "SV-230311" }, { - "title": "RHEL 8 must not respond to Internet Control Message Protocol (ICMP)\nechoes sent to a broadcast address.", - "desc": "Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol 
version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "Successful/unsuccessful uses of userhelper in RHEL 8 must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"userhelper\" command is not intended to be run interactively.\n\"Userhelper\" provides a basic interface to change a user's password, gecos\ninformation, and shell. The main difference between this program and its\ntraditional equivalents (passwd, chfn, chsh) is that prompts are written to\nstandard out to make it easy for a graphical user interface wrapper to\ninterface to it as a child process.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"userhelper\" command is not intended to be run interactively.\n\"Userhelper\" provides a basic interface to change a user's password, gecos\ninformation, and shell. The main difference between this program and its\ntraditional equivalents (passwd, chfn, chsh) is that prompts are written to\nstandard out to make it easy for a graphical user interface wrapper to\ninterface to it as a child process.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"userhelper\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"userhelper\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"userhelper\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
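Review bot: The conflicting-settings check in the new SV-230311 `code` string can never fire: `k_conf` is built from `.stdout.split("\n")`, which always returns an Array, so the trailing `if k_conf.nil?` guard on the `failing_k_conf` expectation is always false and a config file that sets `kernel.core_pattern` to some other value is never reported, even though the check text says conflicting results are a finding. The `reject` regex also interpolates `kernel_parameter` (the InSpec resource method seen in `describe kernel_parameter(kernel_setting)`, not the local `kernel_setting`) and the unescaped expected value `|/bin/false`, whose `|` becomes a regex alternation, so the filter does not test what it intends. I would change the two lines to `failing_k_conf = k_conf.reject { |k| k.match(/#{Regexp.escape(kernel_setting)}\s*=\s*#{Regexp.escape(kernel_expected_value)}/) }` and `expect(failing_k_conf).to be_empty, "Incorrect or conflicting settings found:\n\t- #{failing_k_conf.join("\n\t- ")}"` with the `if k_conf.nil?` dropped. Since this baseline appears to be generated from `./Red Hat 8 STIG/controls/SV-230311.rb`, the fix presumably belongs in that control with the JSON regenerated; the SV-230311 object itself begins in the previous hunk.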
@@ -9882,33 +9776,42 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230537",
- "rid": "SV-230537r858797_rule",
- "stig_id": "RHEL-08-040230",
- "fix_id": "F-33181r858796_fix",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
+ "satisfies": [
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-230431",
+ "rid": "SV-230431r627750_rule",
+ "stig_id": "RHEL-08-030315",
+ "fix_id": "F-33075r568040_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000169"
 ],
 "nist": [
- "CM-6 b"
+ "AU-12 a"
 ],
 "host": null
 },
- "code": "control 'SV-230537' do\n title 'RHEL 8 must not respond to Internet Control Message Protocol (ICMP)\nechoes sent to a broadcast address.'\n desc 'Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230537'\n tag rid: 'SV-230537r858797_rule'\n tag stig_id: 'RHEL-08-040230'\n tag 
fix_id: 'F-33181r858796_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.icmp_echo_ignore_broadcasts'\n action = 'IPv4 broadcasts'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a 
file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230431' do\n title 'Successful/unsuccessful uses of userhelper in RHEL 8 must generate an\naudit record.'\n desc %q(Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"userhelper\" command is not intended to be run interactively.\n\"Userhelper\" provides a basic interface to change a user's password, gecos\ninformation, and shell. The main difference between this program and its\ntraditional equivalents (passwd, chfn, chsh) is that prompts are written to\nstandard out to make it easy for a graphical user interface wrapper to\ninterface to it as a child process.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.)\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"userhelper\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"userhelper\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"userhelper\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230431'\n tag rid: 'SV-230431r627750_rule'\n tag stig_id: 'RHEL-08-030315'\n tag fix_id: 'F-33075r568040_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/userhelper'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230537.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230431.rb", "line": 1 }, - "id": "SV-230537" + "id": "SV-230431" }, { - "title": "RHEL 8 must prevent the loading of a new kernel for later execution.", - "desc": "Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nDisabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "Successful/unsuccessful uses of the delete_module command in RHEL 8\nmust generate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"delete_module\"\ncommand is used to unload a kernel module.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nDisabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify the operating system is configured to disable kernel image loading with the following commands:\n\nCheck the status of the kernel.kexec_load_disabled kernel parameter.\n\n$ sudo sysctl kernel.kexec_load_disabled\n\nkernel.kexec_load_disabled = 1\n\nIf \"kernel.kexec_load_disabled\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1\n\nIf \"kernel.kexec_load_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to disable kernel image loading.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.kexec_load_disabled = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to 
establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"delete_module\"\ncommand is used to unload a kernel module.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"delete_module\" command by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"delete_module\" command by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
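Review bot: The `satisfies` array added to the tags block lists `"SRG-OS-000062-GPOS-00031"` twice (once as the first entry and again as the fourth), and it also repeats the `gtitle` value; the same duplicated entry is in the next hunk (SV-230446), in both the JSON array and the `tag satisfies: [...]` line embedded in the `code` string, and one copy should be dropped in each place. Separately, the embedded InSpec control asserts `expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')` while the check and fix text of the same control prescribe `-F auid!=unset`; the control's own description says the audit system treats `-1`, `4294967295` and `unset` identically, so whether a rule written exactly as documented is reported back as `auid!=-1` depends on how the rule listing is normalised and is worth confirming against the `auditd` resource, or the expectation should accept any of the three spellings. The control prose is stored three times (`desc`, `descriptions.default` and inside `code`), which is presumably the generator's format, but any manual edit here has to be repeated in all three places or they will drift.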
@@ -9918,33 +9821,42 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000366-GPOS-00153",
- "gid": "V-230266",
- "rid": "SV-230266r877463_rule",
- "stig_id": "RHEL-08-010372",
- "fix_id": "F-32910r858747_fix",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
+ "satisfies": [
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
+ ],
+ "gid": "V-230446",
+ "rid": "SV-230446r627750_rule",
+ "stig_id": "RHEL-08-030390",
+ "fix_id": "F-33090r568085_fix",
 "cci": [
- "CCI-001749"
+ "CCI-000169"
 ],
 "nist": [
- "CM-5 (3)"
+ "AU-12 a"
 ],
 "host": null
 },
- "code": "control 'SV-230266' do\n title 'RHEL 8 must prevent the loading of a new kernel for later execution.'\n desc 'Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nDisabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify the operating system is configured to disable kernel image loading with the following commands:\n\nCheck the status of the kernel.kexec_load_disabled kernel parameter.\n\n$ sudo sysctl kernel.kexec_load_disabled\n\nkernel.kexec_load_disabled = 1\n\nIf \"kernel.kexec_load_disabled\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1\n\nIf \"kernel.kexec_load_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to disable kernel image loading.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.kexec_load_disabled = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-230266'\n tag rid: 'SV-230266r877463_rule'\n tag stig_id: 'RHEL-08-010372'\n tag fix_id: 'F-32910r858747_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host'\n\n only_if('Control not 
applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'kernel.kexec_load_disabled'\n\n describe kernel_parameter(action) do\n its('value') { should eq 1 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? { |line| line.match(/#{action}\\s*=\\s*1$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^1]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230446' do\n title 'Successful/unsuccessful uses of the delete_module command in RHEL 8\nmust generate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"delete_module\"\ncommand is used to unload a kernel module.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"delete_module\" command by performing the following\ncommand to check the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"delete_module\" command by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k\nmodule_chng\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230446'\n tag rid: 'SV-230446r627750_rule'\n tag stig_id: 'RHEL-08-030390'\n tag fix_id: 'F-33090r568085_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['delete_module']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n 
expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230266.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230446.rb", "line": 1 }, - "id": "SV-230266" + "id": "SV-230446" }, { - "title": "RHEL 8 must not permit direct logons to the root account using remote\naccess via SSH.", - "desc": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", + "title": "RHEL 8 audit records must contain information to establish what type\nof events occurred, the source of events, where events occurred, and the\noutcome of events.", + "desc": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured 
RHEL 8 system.", "descriptions": { - "default": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", - "check": "Verify remote access using SSH prevents users from logging on directly as \"root\".\n\nCheck that SSH prevents users from logging on directly as \"root\" with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitrootlogin'\n\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to stop users from logging on remotely as the \"root\"\nuser via SSH.\n\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the\nline for the \"PermitRootLogin\" keyword and set its value to \"no\":\n\n PermitRootLogin no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "Without establishing what type of events occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.", + "check": "Verify the audit service is configured to produce audit records with the following command:\n\n$ sudo systemctl status auditd.service\n\nauditd.service - Security Auditing Service\nLoaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)\nActive: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago\n\nIf the audit service is not \"active\" and \"running\", this is a finding.", + "fix": "Configure the audit service to produce audit records containing the\ninformation needed to establish when (date and time) an event occurred with the\nfollowing commands:\n\n $ sudo systemctl enable auditd.service\n\n $ sudo systemctl start auditd.service" }, "impact": 0.5, "refs": [ 
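Review bot: The key assertion in the embedded SV-230446 control, `expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])`, becomes `include(nil)` when neither input map has a `delete_module` entry, so a missing profile input is reported as a failed audit rule rather than as a configuration gap; resolving the key first and failing explicitly, e.g. `expected_key = input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall]` followed by `raise "no audit key name configured for #{audit_syscall}" if expected_key.nil?`, would make that failure actionable. The `satisfies` array in this hunk carries the same duplicated `"SRG-OS-000062-GPOS-00031"` entry as the previous hunk, in both the JSON array and the `tag satisfies:` line of the `code` string. The architecture branch `if os.arch.match(/64/)` presumably selects the b32+b64 expectation for x86_64 and aarch64; the hunk does not show whether a 64-bit target whose arch string lacks "64" is in scope, and if one is, it would be held to the `b32`-only expectation.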
@@ -9954,34 +9866,59 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000109-GPOS-00056",
- "gid": "V-230296",
- "rid": "SV-230296r951608_rule",
- "stig_id": "RHEL-08-010550",
- "fix_id": "F-32940r567635_fix",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
+ "satisfies": [
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000038-GPOS-00016",
+ "SRG-OS-000039-GPOS-00017",
+ "SRG-OS-000040-GPOS-00018",
+ "SRG-OS-000041-GPOS-00019",
+ "SRG-OS-000042-GPOS-00021",
+ "SRG-OS-000051-GPOS-00024",
+ "SRG-OS-000054-GPOS-00025",
+ "SRG-OS-000122-GPOS-00063",
+ "SRG-OS-000254-GPOS-00095",
+ "SRG-OS-000255-GPOS-00096",
+ "SRG-OS-000337-GPOS-00129",
+ "SRG-OS-000348-GPOS-00136",
+ "SRG-OS-000349-GPOS-00137",
+ "SRG-OS-000350-GPOS-00138",
+ "SRG-OS-000351-GPOS-00139",
+ "SRG-OS-000352-GPOS-00140",
+ "SRG-OS-000353-GPOS-00141",
+ "SRG-OS-000354-GPOS-00142",
+ "SRG-OS-000358-GPOS-00145",
+ "SRG-OS-000365-GPOS-00152",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000475-GPOS-00220"
+ ],
+ "gid": "V-244542",
+ "rid": "SV-244542r818838_rule",
+ "stig_id": "RHEL-08-030181",
+ "fix_id": "F-47774r743874_fix",
 "cci": [
- "CCI-000770"
+ "CCI-000169"
 ],
 "nist": [
- "IA-2 (5)"
+ "AU-12 a"
 ],
- "host": null,
- "container-conditional": null
+ "host": null
 },
- "code": "control 'SV-230296' do\n title 'RHEL 8 must not permit direct logons to the root account using remote\naccess via SSH.'\n desc 'Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. 
In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.'\n desc 'check', %q(Verify remote access using SSH prevents users from logging on directly as \"root\".\n\nCheck that SSH prevents users from logging on directly as \"root\" with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitrootlogin'\n\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure RHEL 8 to stop users from logging on remotely as the \"root\"\nuser via SSH.\n\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the\nline for the \"PermitRootLogin\" keyword and set its value to \"no\":\n\n PermitRootLogin no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000109-GPOS-00056'\n tag gid: 'V-230296'\n tag rid: 'SV-230296r951608_rule'\n tag stig_id: 'RHEL-08-010550'\n tag fix_id: 'F-32940r567635_fix'\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n describe sshd_active_config do\n its('PermitRootLogin') { should cmp input('permit_root_login') }\n end\nend\n", + "code": "control 'SV-244542' do\n title 'RHEL 8 audit records must contain information to establish what type\nof events occurred, the source of events, where events occurred, and the\noutcome of events.'\n desc 'Without establishing what type of events 
occurred, the source of\nevents, where events occurred, and the outcome of events, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or\nattack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in RHEL 8 audit logs provides\na means of investigating an attack, recognizing resource utilization or\ncapacity thresholds, or identifying an improperly configured RHEL 8 system.'\n desc 'check', 'Verify the audit service is configured to produce audit records with the following command:\n\n$ sudo systemctl status auditd.service\n\nauditd.service - Security Auditing Service\nLoaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)\nActive: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago\n\nIf the audit service is not \"active\" and \"running\", this is a finding.'\n desc 'fix', 'Configure the audit service to produce audit records containing the\ninformation needed to establish when (date and time) an event occurred with the\nfollowing commands:\n\n $ sudo systemctl enable auditd.service\n\n $ sudo systemctl start auditd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000038-GPOS-00016', 'SRG-OS-000039-GPOS-00017', 'SRG-OS-000040-GPOS-00018', 'SRG-OS-000041-GPOS-00019', 'SRG-OS-000042-GPOS-00021', 'SRG-OS-000051-GPOS-00024', 'SRG-OS-000054-GPOS-00025', 'SRG-OS-000122-GPOS-00063', 'SRG-OS-000254-GPOS-00095', 'SRG-OS-000255-GPOS-00096', 'SRG-OS-000337-GPOS-00129', 'SRG-OS-000348-GPOS-00136', 'SRG-OS-000349-GPOS-00137', 
'SRG-OS-000350-GPOS-00138', 'SRG-OS-000351-GPOS-00139', 'SRG-OS-000352-GPOS-00140', 'SRG-OS-000353-GPOS-00141', 'SRG-OS-000354-GPOS-00142', 'SRG-OS-000358-GPOS-00145', 'SRG-OS-000365-GPOS-00152', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000475-GPOS-00220']\n tag gid: 'V-244542'\n tag rid: 'SV-244542r818838_rule'\n tag stig_id: 'RHEL-08-030181'\n tag fix_id: 'F-47774r743874_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230296.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244542.rb", "line": 1 }, - "id": "SV-230296" + "id": "SV-244542" }, { - "title": "RHEL 8 must include root when automatically locking an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts occur during a 15-minute time period.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "Successful/unsuccessful uses of the mount syscall in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" syscall is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to log user\nname information when unsuccessful logon attempts occur:\n\n $ sudo grep even_deny_root /etc/security/faillock.conf\n\n even_deny_root\n\n If the \"even_deny_root\" option is not set, is missing or commented out,\nthis is a finding.", - "fix": "Configure the operating system to include root when locking an account\nafter three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n even_deny_root" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" syscall is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"mount\" syscall by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"\\-S mount\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" syscall by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
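Review bot: The `satisfies` list added for SV-244542 credits 24 SRGs (time stamps, source and destination addresses, user identifiers, success/fail indications, and so on) while the `describe service('auditd')` block in its `code` string only asserts that the service is enabled and running, so the export reads as covering far more than this control tests. Presumably the record-content requirements are carried by the per-rule audit controls elsewhere in the profile; if so, a comment in `./Red Hat 8 STIG/controls/SV-244542.rb` above the describe block, e.g. `# Only service state is testable here; record content is covered by the individual audit-rule controls`, would stop a reader of this baseline from over-estimating coverage. The SV-230425 entry begins at the end of this hunk and continues in the next.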
@@ -9991,38 +9928,42 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000021-GPOS-00005",
+ "gtitle": "SRG-OS-000062-GPOS-00031",
 "satisfies": [
- "SRG-OS-000021-GPOS-00005",
- "SRG-OS-000329-GPOS-00128"
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000042-GPOS-00020",
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000462-GPOS-00206",
+ "SRG-OS-000471-GPOS-00215"
 ],
- "gid": "V-230345",
- "rid": "SV-230345r743984_rule",
- "stig_id": "RHEL-08-020023",
- "fix_id": "F-32989r743983_fix",
+ "gid": "V-230425",
+ "rid": "SV-230425r627750_rule",
+ "stig_id": "RHEL-08-030302",
+ "fix_id": "F-33069r568022_fix",
 "cci": [
- "CCI-000044"
+ "CCI-000169"
 ],
 "nist": [
- "AC-7 a"
+ "AU-12 a"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-230345' do\n title 'RHEL 8 must include root when automatically locking an account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts occur during a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to log user\nname information when unsuccessful logon attempts occur:\n\n $ sudo grep even_deny_root /etc/security/faillock.conf\n\n even_deny_root\n\n If the \"even_deny_root\" option is not set, is missing or commented out,\nthis is a finding.'\n desc 'fix', 'Configure the operating system to include root when locking an account\nafter three unsuccessful logon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n even_deny_root'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230345'\n tag rid: 'SV-230345r743984_rule'\n tag stig_id: 'RHEL-08-020023'\n tag fix_id: 'F-32989r743983_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('even_deny_root') { should_not be_nil }\n end\nend\n", + "code": "control 'SV-230425' do\n title 'Successful/unsuccessful uses of the mount syscall in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system 
(e.g., module or policy filter). The \"mount\" syscall is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"mount\" syscall by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"\\\\-S mount\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" syscall by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230425'\n tag rid: 'SV-230425r627750_rule'\n tag stig_id: 'RHEL-08-030302'\n tag fix_id: 'F-33069r568022_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscall = 
'mount'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230345.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230425.rb", "line": 1 }, - "id": "SV-230345" + "id": "SV-230425" }, { - "title": "RHEL 8 must prevent the use of dictionary words for passwords.", - "desc": "If RHEL 8 allows the user to select passwords based on dictionary\nwords, this increases the chances of password compromise by increasing the\nopportunity for successful guesses, and brute-force attacks.", + "title": "The RHEL 8 fapolicy module must be enabled.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. 
Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", "descriptions": { - "default": "If RHEL 8 allows the user to select passwords based on dictionary\nwords, this increases the chances of password compromise by increasing the\nopportunity for successful guesses, and brute-force attacks.", - "check": "Verify RHEL 8 prevents the use of dictionary words for passwords.\n\nDetermine if the field \"dictcheck\" is set with the following command:\n\n$ sudo grep -r dictcheck /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dictcheck=1\n\nIf the \"dictcheck\" parameter is not set to \"1\", or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to prevent the use of dictionary words for passwords.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the \"dictcheck\" parameter:\n\ndictcheck=1\n\nRemove any configurations that conflict with the above value." + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", + "check": "Verify the RHEL 8 \"fapolicyd\" is enabled and running with the following\ncommand:\n\n $ sudo systemctl status fapolicyd.service\n\n fapolicyd.service - File Access Policy Daemon\n Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor\npreset: disabled)\n Active: active (running)\n\n If fapolicyd is not enabled and running, this is a finding.", + "fix": "Enable \"fapolicyd\" using the following command:\n\n$ sudo systemctl enable --now fapolicyd" }, "impact": 0.5, "refs": [ 
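Review bot: The new `satisfies` array for SV-230425 lists `SRG-OS-000062-GPOS-00031` twice (it is also the `gtitle`), both in the `tags` object and in the `tag satisfies:` line of the `code` string; since this export is presumably generated from `./Red Hat 8 STIG/controls/SV-230425.rb`, the duplicate should be dropped there and the JSON regenerated rather than hand-edited. Separately, the check text quotes the rule with `-F auid!=unset` while the assertion expects `'auid!=-1'`; that matches how `auditctl -l` renders the field, but a one-line comment in the control source such as `# auditctl lists auid!=unset as auid!=-1, so match the rendered form` would save the next reader a detour. The SV-244545 entry begins at the end of this hunk and continues in the next.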
@@ -10032,34 +9973,38 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00225",
- "gid": "V-230377",
- "rid": "SV-230377r858789_rule",
- "stig_id": "RHEL-08-020300",
- "fix_id": "F-33021r858788_fix",
+ "gtitle": "SRG-OS-000368-GPOS-00154",
+ "satisfies": [
+ "SRG-OS-000368-GPOS-00154",
+ "SRG-OS-000370-GPOS-00155",
+ "SRG-OS-000480-GPOS-00232"
+ ],
+ "gid": "V-244545",
+ "rid": "SV-244545r854074_rule",
+ "stig_id": "RHEL-08-040136",
+ "fix_id": "F-47777r743883_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001764"
 ],
 "nist": [
- "CM-6 b"
+ "CM-7 (2)"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-230377' do\n title 'RHEL 8 must prevent the use of dictionary words for passwords.'\n desc 'If RHEL 8 allows the user to select passwords based on dictionary\nwords, this increases the chances of password compromise by increasing the\nopportunity for successful guesses, and brute-force attacks.'\n desc 'check', 'Verify RHEL 8 prevents the use of dictionary words for passwords.\n\nDetermine if the field \"dictcheck\" is set with the following command:\n\n$ sudo grep -r dictcheck /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dictcheck=1\n\nIf the \"dictcheck\" parameter is not set to \"1\", or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent the use of dictionary words for passwords.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the \"dictcheck\" parameter:\n\ndictcheck=1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00225'\n tag gid: 'V-230377'\n tag rid: 'SV-230377r858789_rule'\n tag stig_id: 'RHEL-08-020300'\n tag fix_id: 'F-33021r858788_fix'\n tag cci: ['CCI-000366']\n tag nist: 
['CM-6 b']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('dictcheck') { should eq '1' }\n end\nend\n", + "code": "control 'SV-244545' do\n title 'The RHEL 8 fapolicy module must be enabled.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.'\n desc 'check', 'Verify the RHEL 8 \"fapolicyd\" is enabled and running with the following\ncommand:\n\n $ sudo systemctl status fapolicyd.service\n\n fapolicyd.service - File Access Policy Daemon\n Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor\npreset: disabled)\n Active: active (running)\n\n If fapolicyd is not enabled and running, this is a finding.'\n desc 'fix', 'Enable \"fapolicyd\" using the following command:\n\n$ sudo systemctl enable --now fapolicyd'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000370-GPOS-00155', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-244545'\n tag rid: 'SV-244545r854074_rule'\n tag stig_id: 'RHEL-08-040136'\n tag fix_id: 'F-47777r743883_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This requirement is Not Applicable in the container' do\n skip 'This requirement is Not Applicable in the container'\n end\n elsif !input('use_fapolicyd')\n impact 0.0\n describe 'The organization does not use the Fapolicyd service to manage firewall services' do\n skip 'The organization is not using the Fapolicyd service to manage firewall services, this control is Not Applicable'\n end\n else\n describe service('fapolicyd') do\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230377.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244545.rb", "line": 1 }, - "id": "SV-230377" + "id": "SV-244545" }, { - "title": "Successful/unsuccessful uses of the crontab command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, 
it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"crontab\" command is\nused to maintain crontab files for individual users. Crontab is the program\nused to install, remove, or list the tables used to drive the cron daemon. This\nis similar to the task scheduler used in other operating systems.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.", + "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"crontab\" command is\nused to maintain crontab files for individual users. Crontab is the program\nused to install, remove, or list the tables used to drive the cron daemon. This\nis similar to the task scheduler used in other operating systems.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"crontab\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w crontab /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-crontab\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"crontab\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-crontab\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", + "check": "Verify the operating system is configured in the system-auth file to prohibit password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" with the following command:\n\n $ sudo grep -i remember /etc/pam.d/system-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", + "fix": "Configure the operating system in the system-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3" }, "impact": 0.5, "refs": [ 
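Review bot: In SV-244545's `code`, the `elsif !input('use_fapolicyd')` branch skips with `'The organization does not use the Fapolicyd service to manage firewall services'` and `'The organization is not using the Fapolicyd service to manage firewall services, this control is Not Applicable'`; fapolicyd is the file access policy daemon the control's own `desc` describes, not a firewall component, so these strings look copy-pasted from a firewalld control and will mislead anyone reading the skip reason in a report. Change both to name what the daemon does, e.g. `describe 'The organization does not use fapolicyd to enforce its application allow-list' do` and `skip 'The organization is not using fapolicyd to enforce its application allow-list, this control is Not Applicable'`, in `./Red Hat 8 STIG/controls/SV-244545.rb` and regenerate this export. Setting `use_fapolicyd` to false also silently drops the control to `impact 0.0`, which is a tailoring decision worth a sentence wherever that input is declared. The SV-251717 entry begins at the end of this hunk and continues in the next.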
@@ -10068,161 +10013,151 @@ } ], "tags": { + "check_id": "C-55154r902747_chk", "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230447", - "rid": "SV-230447r627750_rule", - "stig_id": "RHEL-08-030400", - "fix_id": "F-33091r568088_fix", + "gid": "V-251717", + "rid": "SV-251717r902749_rule", + "stig_id": "RHEL-08-020221", + "gtitle": "SRG-OS-000077-GPOS-00045", + "fix_id": "F-55108r902748_fix", + "documentable": null, "cci": [ - "CCI-000169" + "CCI-000200" ], "nist": [ - "AU-12 a" + "IA-5 (1) (e)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230447' do\n title 'Successful/unsuccessful uses of the crontab command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"crontab\" command is\nused to maintain crontab files for individual users. Crontab is the program\nused to install, remove, or list the tables used to drive the cron daemon. This\nis similar to the task scheduler used in other operating systems.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"crontab\" command by performing the following command to check the\nfile system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w crontab /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-crontab\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"crontab\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-crontab\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230447'\n tag rid: 'SV-230447r627750_rule'\n tag stig_id: 'RHEL-08-030400'\n tag fix_id: 'F-33091r568088_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/crontab'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-251717' do\n title 'RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.'\n desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.'\n desc 'check', 'Verify the operating system is configured in the system-auth file to prohibit password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" with the following command:\n\n $ sudo grep -i remember /etc/pam.d/system-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.'\n desc 'fix', 'Configure the operating system in the system-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55154r902747_chk'\n tag severity: 'medium'\n tag gid: 'V-251717'\n tag rid: 'SV-251717r902749_rule'\n tag stig_id: 
'RHEL-08-020221'\n tag gtitle: 'SRG-OS-000077-GPOS-00045'\n tag fix_id: 'F-55108r902748_fix'\n tag 'documentable'\n tag cci: ['CCI-000200']\n tag nist: ['IA-5 (1) (e)']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('password (required|requisite|sufficient) pam_pwhistory.so').any_with_integer_arg('remember', '>=', input('min_reuse_generations')) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230447.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251717.rb", "line": 1 }, - "id": "SV-230447" + "id": "SV-251717" }, { - "title": "RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Asynchronous Transfer Mode (ATM) is a protocol operating on network,\ndata link, and physical layers, based on virtual circuits and virtual paths.\nDisabling ATM protects the system against exploitation of any laws in its\nimplementation.", + "title": "RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur during a 15-minute time period.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. 
Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Asynchronous Transfer Mode (ATM) is a protocol operating on network,\ndata link, and physical layers, based on virtual circuits and virtual paths.\nDisabling ATM protects the system against exploitation of any laws in its\nimplementation.", - "check": "Verify the operating system disables the ability to load the ATM protocol kernel module.\n\n $ sudo grep -r atm /etc/modprobe.d/* | grep \"/bin/false\"\n install atm /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the ATM protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the ATM protocol.\n\nCheck to see if the ATM protocol is disabled with the following command:\n\n $ sudo grep -r atm /etc/modprobe.d/* | grep \"blacklist\"\n blacklist atm\n\nIf the command does not return any output or the output is not \"blacklist atm\", and use of the ATM protocol is not documented with the ISSO 
as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the ATM protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install atm /bin/false\n blacklist atm\n\nReboot the system for the settings to take effect." + "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount after three unsuccessful logon attempts within 15 minutes:\n\n $ sudo grep 'fail_interval =' /etc/security/faillock.conf\n\n fail_interval = 900\n\n If the \"fail_interval\" option is not set to \"900\" or more, is missing\nor commented out, this is a finding.", + "fix": "Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n fail_interval = 900" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230494", - "rid": "SV-230494r942918_rule", - "stig_id": "RHEL-08-040021", - "fix_id": "F-33138r942917_fix", + "severity": "medium", + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-230335", + "rid": "SV-230335r743969_rule", + "stig_id": "RHEL-08-020013", + "fix_id": "F-32979r743968_fix", "cci": [ - "CCI-000381" + "CCI-000044" ], "nist": [ - "CM-7 a" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230494' do\n title 'RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Asynchronous Transfer Mode (ATM) is a protocol operating on network,\ndata link, and physical layers, based on virtual circuits and virtual paths.\nDisabling ATM protects the system against exploitation of any laws in its\nimplementation.'\n desc 'check', 'Verify the operating system disables the ability to load the ATM protocol kernel module.\n\n $ sudo grep -r atm /etc/modprobe.d/* | grep \"/bin/false\"\n install atm /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the ATM protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the ATM protocol.\n\nCheck to see if the ATM protocol is disabled with the following command:\n\n $ sudo grep -r atm /etc/modprobe.d/* | grep \"blacklist\"\n blacklist atm\n\nIf the command does not return any output or the output is not \"blacklist atm\", and use of the ATM protocol is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the ATM protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install atm /bin/false\n blacklist atm\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230494'\n tag rid: 'SV-230494r942918_rule'\n tag stig_id: 'RHEL-08-040021'\n tag fix_id: 'F-33138r942917_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 
kernel_module('atm') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control 'SV-230335' do\n title 'RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur during a 15-minute time period.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', %q(Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to lock an\naccount after three unsuccessful logon attempts within 15 minutes:\n\n $ sudo grep 'fail_interval =' /etc/security/faillock.conf\n\n fail_interval = 900\n\n If the \"fail_interval\" option is not set to \"900\" or more, is missing\nor commented out, this is a finding.)\n desc 'fix', 'Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur in 15 minutes.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n fail_interval = 900'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230335'\n tag rid: 'SV-230335r743969_rule'\n tag stig_id: 'RHEL-08-020013'\n tag fix_id: 'F-32979r743968_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file(input('security_faillock_conf')) do\n its('fail_interval') { should cmp >= input('fail_interval') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230494.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230335.rb", "line": 1 }, - "id": "SV-230494" + "id": "SV-230335" }, { - "title": "RHEL 8 must disable network management of the chrony daemon.", - "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.", + "title": "The iprutils package must not be installed unless mission essential on\nRHEL 8.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The iprutils package provides a suite of utilities to manage and configure\nSCSI devices supported by the ipr SCSI storage device driver.", "descriptions": { - "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.", - "check": "Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.\n\nVerify RHEL 8 disables network management of the chrony daemon with the following command:\n\n $ sudo grep -w 'cmdport' /etc/chrony.conf\n cmdport 0\n\nIf the \"cmdport\" option is not set to \"0\", is commented out or missing, this is a finding.", - "fix": "Configure the operating system disable network management of the chrony daemon by adding or modifying the following line in the \"/etc/chrony.conf\" file.\n\n cmdport 0" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The iprutils package provides a suite of utilities to manage and configure\nSCSI devices supported by the ipr SCSI storage device driver.", + "check": "Verify the iprutils package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed iprutils\n\n iprutils.x86_64\n2.4.18.1-1.el8 @anaconda\n\n If the iprutils package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", + "fix": "Document the iprutils package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n $ sudo yum remove iprutils" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230486", - "rid": "SV-230486r928593_rule", - "stig_id": "RHEL-08-030742", - "fix_id": "F-33130r928592_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230560", + "rid": "SV-230560r627750_rule", + "stig_id": "RHEL-08-040380", + "fix_id": "F-33204r568427_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230486' do\n title 'RHEL 8 must disable network management of the chrony daemon.'\n desc 'Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.'\n desc 'check', %q(Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.\n\nVerify RHEL 8 disables network management of the chrony daemon with the following command:\n\n $ sudo grep -w 'cmdport' /etc/chrony.conf\n cmdport 0\n\nIf the \"cmdport\" option is not set to \"0\", is commented out or missing, this is a finding.)\n desc 'fix', 'Configure the operating system disable network management of the chrony daemon by adding or modifying the following line in the \"/etc/chrony.conf\" file.\n\n cmdport 0'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230486'\n tag rid: 'SV-230486r928593_rule'\n tag stig_id: 'RHEL-08-030742'\n tag fix_id: 'F-33130r928592_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/chrony.conf').exist?)\n }\n\n chrony_conf = ntp_conf('/etc/chrony.conf')\n\n describe chrony_conf do\n its('cmdport') { should cmp 0 }\n end\nend\n", + "code": "control 'SV-230560' do\n title 'The iprutils package must not be installed unless mission essential on\nRHEL 8.'\n desc 'It is detrimental for operating systems to provide, or install 
by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The iprutils package provides a suite of utilities to manage and configure\nSCSI devices supported by the ipr SCSI storage device driver.'\n desc 'check', 'Verify the iprutils package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed iprutils\n\n iprutils.x86_64\n2.4.18.1-1.el8 @anaconda\n\n If the iprutils package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the iprutils package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n $ sudo yum remove iprutils'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230560'\n tag rid: 'SV-230560r627750_rule'\n tag stig_id: 'RHEL-08-040380'\n tag fix_id: 'F-33204r568427_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('iprutils_required')\n describe package('iprutils') do\n it { should be_installed }\n end\n else\n describe package('iprutils') do\n it { should_not be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230486.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230560.rb", "line": 1 }, - "id": "SV-230486" + "id": "SV-230560" }, { - "title": "Successful/unsuccessful uses of the sudo command in RHEL 8 must\ngenerate an audit 
record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"sudo\" command allows\na permitted user to execute a command as the superuser or another user, as\nspecified by the security policy.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must have policycoreutils package installed.", + "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Policycoreutils contains the policy core utilities that are required for\nbasic operation of an SELinux-enabled system. 
These utilities include\nload_policy to load SELinux policies, setfile to label filesystems, newrole to\nswitch roles, and run_init to run /etc/init.d scripts in the proper context.",
 "descriptions": {
- "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"sudo\" command allows\na permitted user to execute a command as the superuser or another user, as\nspecified by the security policy.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.",
- "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"sudo\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w sudo /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.",
- "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"sudo\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect."
+ "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Policycoreutils contains the policy core utilities that are required for\nbasic operation of an SELinux-enabled system. These utilities include\nload_policy to load SELinux policies, setfile to label filesystems, newrole to\nswitch roles, and run_init to run /etc/init.d scripts in the proper context.",
+ "check": "Verify the operating system has the policycoreutils package installed with\nthe following command:\n\n $ sudo yum list installed policycoreutils\n\n policycoreutils.x86_64\n2.9-3.el8 @anaconda\n\n If the policycoreutils package is not installed, this is a finding.",
+ "fix": "Configure the operating system to have the policycoreutils package\ninstalled with the following command:\n\n $ sudo yum install policycoreutils"
 },
- "impact": 0.5,
+ "impact": 0.3,
 "refs": [
 {
 "ref": "DPMS Target Red Hat Enterprise Linux 8"
 }
 ],
 "tags": {
- "severity": "medium",
- "gtitle": "SRG-OS-000062-GPOS-00031",
- "satisfies": [
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000037-GPOS-00015",
- "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000392-GPOS-00172",
- "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000471-GPOS-00215",
- "SRG-OS-000466-GPOS-00210"
- ],
- "gid": "V-230462",
- "rid": "SV-230462r627750_rule",
- "stig_id": "RHEL-08-030550",
- "fix_id": "F-33106r568133_fix",
+ "severity": "low",
+ "gtitle": "SRG-OS-000134-GPOS-00068",
+ "gid": "V-230241",
+ "rid": "SV-230241r627750_rule",
+ "stig_id": "RHEL-08-010171",
+ "fix_id": "F-32885r567470_fix",
 "cci": [
- "CCI-000169"
+ "CCI-001084"
 ],
 "nist": [
- "AU-12 a"
+ "SC-3"
 ],
 "host": null
 },
- "code": "control 'SV-230462' do\n title 'Successful/unsuccessful uses of the sudo command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"sudo\" command allows\na permitted user to execute a command as the superuser or another user, as\nspecified by the security policy.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"sudo\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w sudo /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"sudo\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset\n-k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230462'\n tag rid: 'SV-230462r627750_rule'\n tag stig_id: 'RHEL-08-030550'\n tag fix_id: 'F-33106r568133_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/sudo'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n",
+ "code": "control 'SV-230241' do\n title 'RHEL 8 must have policycoreutils package installed.'\n desc 'Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Policycoreutils contains the policy core utilities that are required for\nbasic operation of an SELinux-enabled system. These utilities include\nload_policy to load SELinux policies, setfile to label filesystems, newrole to\nswitch roles, and run_init to run /etc/init.d scripts in the proper context.'\n desc 'check', 'Verify the operating system has the policycoreutils package installed with\nthe following command:\n\n $ sudo yum list installed policycoreutils\n\n policycoreutils.x86_64\n2.9-3.el8 @anaconda\n\n If the policycoreutils package is not installed, this is a finding.'\n desc 'fix', 'Configure the operating system to have the policycoreutils package\ninstalled with the following command:\n\n $ sudo yum install policycoreutils'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag gid: 'V-230241'\n tag rid: 'SV-230241r627750_rule'\n tag stig_id: 'RHEL-08-010171'\n tag fix_id: 'F-32885r567470_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n describe package('policycoreutils') do\n it { should be_installed }\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-230462.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-230241.rb",
 "line": 1
 },
- "id": "SV-230462"
+ "id": "SV-230241"
 },
 {
- "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/sudoers.",
- "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).",
+ "title": "Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.",
+ "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nThe \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\nThe \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\nThe \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.",
 "descriptions": {
- "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).",
- "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/sudoers\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/sudoers /etc/audit/audit.rules\n\n -w /etc/sudoers -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.",
- "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/sudoers\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect."
+ "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nThe \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\nThe \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\nThe \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.",
+ "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"chown\", \"fchown\", \"fchownat\" and \"lchown\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nIf audit rules are not defined for \"chown\", \"fchown\", \"fchownat\", and \"lchown\" or any of the lines returned are commented out, this is a finding.",
+ "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls by adding or updating the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect."
 },
 "impact": 0.5,
 "refs": [
@@ -10235,28 +10170,18 @@
 "gtitle": "SRG-OS-000062-GPOS-00031",
 "satisfies": [
 "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000004-GPOS-00004",
 "SRG-OS-000037-GPOS-00015",
 "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
- "SRG-OS-000304-GPOS-00121",
 "SRG-OS-000392-GPOS-00172",
 "SRG-OS-000462-GPOS-00206",
- "SRG-OS-000470-GPOS-00214",
 "SRG-OS-000471-GPOS-00215",
- "SRG-OS-000239-GPOS-00089",
- "SRG-OS-000240-GPOS-00090",
- "SRG-OS-000241-GPOS-00091",
- "SRG-OS-000303-GPOS-00120",
- "SRG-OS-000304-GPOS-00121",
- "CCI-002884",
- "SRG-OS-000466-GPOS-00210",
- "SRG-OS-000476-GPOS-00221"
+ "SRG-OS-000064-GPOS-00033",
+ "SRG-OS-000466-GPOS-00210"
 ],
- "gid": "V-230409",
- "rid": "SV-230409r627750_rule",
- "stig_id": "RHEL-08-030171",
- "fix_id": "F-33053r567974_fix",
+ "gid": "V-230455",
+ "rid": "SV-230455r810459_rule",
+ "stig_id": "RHEL-08-030480",
+ "fix_id": "F-33099r809307_fix",
 "cci": [
 "CCI-000169"
 ],
@@ -10265,20 +10190,20 @@
 ],
 "host": null
 },
- "code": "control 'SV-230409' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/sudoers.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/sudoers\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/sudoers /etc/audit/audit.rules\n\n -w /etc/sudoers -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/sudoers\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'CCI-002884', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230409'\n tag rid: 'SV-230409r627750_rule'\n tag stig_id: 'RHEL-08-030171'\n tag fix_id: 'F-33053r567974_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/sudoers'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n",
+ "code": "control 'SV-230455' do\n title 'Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nThe \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\nThe \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\nThe \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', 'Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"chown\", \"fchown\", \"fchownat\" and \"lchown\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nIf audit rules are not defined for \"chown\", \"fchown\", \"fchownat\", and \"lchown\" or any of the lines returned are commented out, this is a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls by adding or updating the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000064-GPOS-00033', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230455'\n tag rid: 'SV-230455r810459_rule'\n tag stig_id: 'RHEL-08-030480'\n tag fix_id: 'F-33099r809307_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['chown']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-230409.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-230455.rb",
 "line": 1
 },
- "id": "SV-230409"
+ "id": "SV-230455"
 },
 {
- "title": "RHEL 8 must not accept router advertisements on all IPv6 interfaces by\ndefault.",
- "desc": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf",
+ "title": "A firewall must be able to protect against or limit the effects of\nDenial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting\nmeasures on impacted network interfaces.",
+ "desc": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of RHEL 8 to mitigate the\nimpact of DoS attacks that have occurred or are ongoing on system availability.\nFor each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exists to limit\nor, in some cases, eliminate the effects of DoS attacks (e.g., limiting\nprocesses or establishing memory partitions). Employing increased capacity and\nbandwidth, combined with service redundancy, may reduce the susceptibility to\nsome DoS attacks.\n\n Since version 0.6.0, \"firewalld\" has incorporated \"nftables\" as its\nbackend support. Utilizing the limit statement in \"nftables\" can help to\nmitigate DoS attacks.",
 "descriptions": {
- "default": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf",
- "check": "Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by default by using the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_ra\n\nnet.ipv6.conf.default.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0\n\nIf \"net.ipv6.conf.default.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.",
- "fix": "Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"
+ "default": "DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of RHEL 8 to mitigate the\nimpact of DoS attacks that have occurred or are ongoing on system availability.\nFor each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exists to limit\nor, in some cases, eliminate the effects of DoS attacks (e.g., limiting\nprocesses or establishing memory partitions). Employing increased capacity and\nbandwidth, combined with service redundancy, may reduce the susceptibility to\nsome DoS attacks.\n\n Since version 0.6.0, \"firewalld\" has incorporated \"nftables\" as its\nbackend support. Utilizing the limit statement in \"nftables\" can help to\nmitigate DoS attacks.",
+ "check": "Verify \"nftables\" is configured to allow rate limits on any connection to\nthe system with the following command:\n\n Verify \"firewalld\" has \"nftables\" set as the default backend:\n\n $ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n # FirewallBackend\n FirewallBackend=nftables\n\n If the \"nftables\" is not set as the \"firewallbackend\" default, this is\na finding.",
+ "fix": "Configure \"nftables\" to be the default \"firewallbackend\" for \"firewalld\" by adding or editing the following line in \"/etc/firewalld/firewalld.conf\":\n\nFirewallBackend=nftables\n\nEstablish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces."
 },
 "impact": 0.5,
 "refs": [
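Review bot: The new `code` for SV-230455 drives every syscall assertion from `audit_syscalls = ['chown']`, while the control's title, check and fix text cover chown, fchown, fchownat and lchown, so a rule set missing any of the other three calls still passes. Use `audit_syscalls = ['chown', 'fchown', 'fchownat', 'lchown']` so each call is resolved through `auditd.syscall` and gets the same action, list, arch and auid-field checks; the keyname lookup `input('audit_rule_keynames')...[audit_syscall]` then needs an entry for each of the four names. The assertion also expects `auid!=-1` while the rule text in the same control uses `auid!=unset`; if the auditd resource does not normalise the two spellings, a rule written exactly as the fix prescribes would be reported as a failure, so that equivalence is worth confirming against the resource.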
@@ -10288,33 +10213,34 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230542",
- "rid": "SV-230542r858814_rule",
- "stig_id": "RHEL-08-040262",
- "fix_id": "F-33186r858813_fix",
+ "gtitle": "SRG-OS-000420-GPOS-00186",
+ "gid": "V-230525",
+ "rid": "SV-230525r902735_rule",
+ "stig_id": "RHEL-08-040150",
+ "fix_id": "F-33169r902734_fix",
 "cci": [
- "CCI-000366"
+ "CCI-002385"
 ],
 "nist": [
- "CM-6 b"
+ "SC-5",
+ "SC-5 a"
 ],
 "host": null
 },
- "code": "control 'SV-230542' do\n title 'RHEL 8 must not accept router advertisements on all IPv6 interfaces by\ndefault.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by default by using the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_ra\n\nnet.ipv6.conf.default.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0\n\nIf \"net.ipv6.conf.default.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230542'\n tag rid: 'SV-230542r858814_rule'\n tag stig_id: 'RHEL-08-040262'\n tag fix_id: 'F-33186r858813_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_ra'\n action = 'IPv6 router advertisements (by default for all interfaces)'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n",
+ "code": "control 'SV-230525' do\n title 'A firewall must be able to protect against or limit the effects of\nDenial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting\nmeasures on impacted network interfaces.'\n desc 'DoS is a condition when a resource is not available for legitimate\nusers. When this occurs, the organization either cannot accomplish its mission\nor must operate at degraded capacity.\n\n This requirement addresses the configuration of RHEL 8 to mitigate the\nimpact of DoS attacks that have occurred or are ongoing on system availability.\nFor each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exists to limit\nor, in some cases, eliminate the effects of DoS attacks (e.g., limiting\nprocesses or establishing memory partitions). Employing increased capacity and\nbandwidth, combined with service redundancy, may reduce the susceptibility to\nsome DoS attacks.\n\n Since version 0.6.0, \"firewalld\" has incorporated \"nftables\" as its\nbackend support. Utilizing the limit statement in \"nftables\" can help to\nmitigate DoS attacks.'\n desc 'check', 'Verify \"nftables\" is configured to allow rate limits on any connection to\nthe system with the following command:\n\n Verify \"firewalld\" has \"nftables\" set as the default backend:\n\n $ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n # FirewallBackend\n FirewallBackend=nftables\n\n If the \"nftables\" is not set as the \"firewallbackend\" default, this is\na finding.'\n desc 'fix', 'Configure \"nftables\" to be the default \"firewallbackend\" for \"firewalld\" by adding or editing the following line in \"/etc/firewalld/firewalld.conf\":\n\nFirewallBackend=nftables\n\nEstablish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000420-GPOS-00186'\n tag gid: 'V-230525'\n tag rid: 'SV-230525r902735_rule'\n tag stig_id: 'RHEL-08-040150'\n tag fix_id: 'F-33169r902734_fix'\n tag cci: ['CCI-002385']\n tag nist: ['SC-5', 'SC-5 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/firewalld/firewalld.conf') do\n its('FirewallBackend') { should eq 'nftables' }\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-230542.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-230525.rb",
 "line": 1
 },
- "id": "SV-230542"
+ "id": "SV-230525"
 },
 {
- "title": "RHEL 8 must not forward IPv4 source-routed packets by default.",
- "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf",
+ "title": "RHEL 8 must specify the default \"include\" directory for the /etc/sudoers file.",
+ "desc": "The \"sudo\" command allows authorized users to run programs (including shells) as other users,\n system users, and root. The \"/etc/sudoers\" file is used to configure authorized \"sudo\" users as\n well as the programs they are allowed to run. Some configuration options in the \"/etc/sudoers\"\n file allow configured users to run programs without re-authenticating. 
Use of these configuration\n options makes it easier for one compromised account to be used to compromise other accounts.\n\n It is possible to include other sudoers files from within the sudoers file currently being parsed\n using the #include and #includedir directives. When sudo reaches this line it will suspend\n processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the\n end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are\n included may themselves include other files. A hard limit of 128 nested include files is enforced\n to prevent include file loops.", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not forward IPv4 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "The \"sudo\" command allows authorized users to run programs (including shells) as other users,\n system users, and root. 
The \"/etc/sudoers\" file is used to configure authorized \"sudo\" users as\n well as the programs they are allowed to run. Some configuration options in the \"/etc/sudoers\"\n file allow configured users to run programs without re-authenticating. Use of these configuration\n options makes it easier for one compromised account to be used to compromise other accounts.\n\n It is possible to include other sudoers files from within the sudoers file currently being parsed\n using the #include and #includedir directives. When sudo reaches this line it will suspend\n processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the\n end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are\n included may themselves include other files. A hard limit of 128 nested include files is enforced\n to prevent include file loops.", + "check": "Note: If the \"include\" and \"includedir\" directives are not present in the /etc/sudoers\n file, this requirement is not applicable.\n\n Verify the operating system specifies only the default \"include\" directory for the /etc/sudoers\n file with the following command:\n\n $ sudo grep include /etc/sudoers\n\n #includedir /etc/sudoers.d\n\n If the results are not \"/etc/sudoers.d\" or additional files or directories are specified, this is\n a finding.\n\n Verify the operating system does not have nested \"include\" files or directories within the\n /etc/sudoers.d directory with the following command:\n\n $ sudo grep -r include /etc/sudoers.d\n\n If results are returned, this is a finding.", + "fix": "Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.\n\n Edit the /etc/sudoers file with the following command:\n\n $ sudo visudo\n\n Add or modify the following line:\n #includedir /etc/sudoers.d" }, "impact": 0.5, "refs": [ 
@@ -10323,34 +10249,37 @@ } ], "tags": { + "check_id": "C-55148r833384_chk", "severity": "medium", + "gid": "V-251711", + "rid": "SV-251711r833385_rule", + "stig_id": "RHEL-08-010379", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244552", - "rid": "SV-244552r858803_rule", - "stig_id": "RHEL-08-040249", - "fix_id": "F-47784r858802_fix", + "fix_id": "F-55102r809356_fix", + "documentable": null, "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-244552' do\n title 'RHEL 8 must not forward IPv4 source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv4 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244552'\n tag rid: 'SV-244552r858803_rule'\n tag stig_id: 'RHEL-08-040249'\n tag fix_id: 
'F-47784r858802_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.accept_source_route'\n action = 'IPv4 source-routed packets default'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line 
`#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-251711' do\n title 'RHEL 8 must specify the default \"include\" directory for the /etc/sudoers file.'\n desc 'The \"sudo\" command allows authorized users to run programs (including shells) as other users,\n system users, and root. The \"/etc/sudoers\" file is used to configure authorized \"sudo\" users as\n well as the programs they are allowed to run. Some configuration options in the \"/etc/sudoers\"\n file allow configured users to run programs without re-authenticating. Use of these configuration\n options makes it easier for one compromised account to be used to compromise other accounts.\n\n It is possible to include other sudoers files from within the sudoers file currently being parsed\n using the #include and #includedir directives. When sudo reaches this line it will suspend\n processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the\n end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are\n included may themselves include other files. 
A hard limit of 128 nested include files is enforced\n to prevent include file loops.'\n desc 'check', 'Note: If the \"include\" and \"includedir\" directives are not present in the /etc/sudoers\n file, this requirement is not applicable.\n\n Verify the operating system specifies only the default \"include\" directory for the /etc/sudoers\n file with the following command:\n\n $ sudo grep include /etc/sudoers\n\n #includedir /etc/sudoers.d\n\n If the results are not \"/etc/sudoers.d\" or additional files or directories are specified, this is\n a finding.\n\n Verify the operating system does not have nested \"include\" files or directories within the\n /etc/sudoers.d directory with the following command:\n\n $ sudo grep -r include /etc/sudoers.d\n\n If results are returned, this is a finding.'\n desc 'fix', 'Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.\n\n Edit the /etc/sudoers file with the following command:\n\n $ sudo visudo\n\n Add or modify the following line:\n #includedir /etc/sudoers.d'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55148r833384_chk'\n tag severity: 'medium'\n tag gid: 'V-251711'\n tag rid: 'SV-251711r833385_rule'\n tag stig_id: 'RHEL-08-010379'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55102r809356_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable within a container without sudo enabled', impact: 0.0) do\n virtualization.system.eql?('docker') && !command('sudo').exist?\n end\n\n if command('grep include /etc/sudoers').stdout.empty?\n impact 0.0\n describe 'This requirement is not applicable as \"include\" and \"includedir\" directives are not present in the /etc/sudoers file' do\n skip 'This requirement is not applicable as \"include\" and \"includedir\" directives are not present in the /etc/sudoers file'\n end\n else\n describe 'Only the default \"include\" 
directory for /etc/sudoers file should be specified' do\n subject { command('grep include /etc/sudoers').stdout.strip }\n it { should match %r{#includedir\\s*/etc/sudoers.d\\s*$} }\n end\n\n describe 'Nested \"include\" files or directories within /etc/sudoers.d directory should not exist' do\n subject { command('grep -r include /etc/sudoers.d').stdout }\n it { should be_empty }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244552.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251711.rb", "line": 1 }, - "id": "SV-244552" + "id": "SV-251711" }, { - "title": "RHEL 8 must prevent a user from overriding the screensaver\nlock-enabled setting for the graphical user interface.", - "desc": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", + "title": "RHEL 8 must allocate audit record storage capacity to store at least\none week of audit records, when audit records are not immediately sent to a\ncentral audit record storage facility.", + "desc": "To ensure RHEL 8 systems have a sufficient storage capacity in which\nto write the audit logs, RHEL 8 needs to be able to allocate audit record\nstorage capacity.\n\n The task of allocating audit 
record storage capacity is usually performed\nduring initial installation of RHEL 8.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", - "check": "Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-enabled\n\n If the command does not return at least the example result, this is a\nfinding.", - "fix": "Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/screensaver/lock-enabled" + "default": "To ensure RHEL 8 systems have a sufficient storage capacity in which\nto write the audit logs, RHEL 8 needs to be able to allocate audit record\nstorage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of RHEL 8.", + "check": "Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nDetermine to which partition the audit records are being written with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command:\n\n$ sudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other 
files in the partition with the following command:\n\n$ sudo du -sh [audit_partition]\n1.8G /var/log/audit\n\nIf the audit record partition is not allocated for sufficient storage capacity, this is a finding.\n\nNote: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient.", + "fix": "Allocate enough storage capacity for at least one week of audit records\nwhen audit records are not immediately sent to a central audit record storage\nfacility.\n\n If audit records are stored on a partition made specifically for audit\nrecords, resize the partition with sufficient space to contain one week of\naudit records.\n\n If audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient space will need be to be created." }, "impact": 0.5, "refs": [ 
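Review bot: The `only_if` guard in the new SV-251711 control code (the `code` string of this hunk) is inverted: `only_if` runs the control only when its block returns true, and `virtualization.system.eql?('docker') && !command('sudo').exist?` is true only inside a container that lacks sudo, so on every ordinary host the control is marked Not Applicable with impact 0.0 and the sudoers checks never execute. The skip message says the control is not applicable in a container without sudo, which needs the negated condition, `!(virtualization.system.eql?('docker') && !command('sudo').exist?)`. Separately, `should match %r{#includedir\s*/etc/sudoers.d\s*$}` passes as soon as any one line of the multi-line `grep include /etc/sudoers` output matches, so an additional `#include` of another file is not reported even though the check text says additional files or directories are a finding; asserting that every non-empty output line matches (and escaping the dot as `sudoers\.d`) would follow the check text. Since this JSON is an exported snapshot, the fix belongs in the referenced `./Red Hat 8 STIG/controls/SV-251711.rb` followed by a re-export.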
@@ -10360,75 +10289,70 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "satisfies": [ - "SRG-OS-000029-GPOS-00010", - "SRG-OS-000031-GPOS-00012", - "SRG-OS-000480-GPOS-00227" - ], - "gid": "V-244539", - "rid": "SV-244539r743866_rule", - "stig_id": "RHEL-08-020082", - "fix_id": "F-47771r743865_fix", + "gtitle": "SRG-OS-000341-GPOS-00132", + "gid": "V-230476", + "rid": "SV-230476r877391_rule", + "stig_id": "RHEL-08-030660", + "fix_id": "F-33120r568175_fix", "cci": [ - "CCI-000057" + "CCI-001849" ], "nist": [ - "AC-11 a" + "AU-4" ], "host": null }, - "code": "control 'SV-244539' do\n title 'RHEL 8 must prevent a user from overriding the screensaver\nlock-enabled setting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.\"\n desc 'check', 'Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-enabled\n\n If the command does not return at least the example result, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/screensaver/lock-enabled'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-244539'\n tag rid: 'SV-244539r743866_rule'\n tag stig_id: 'RHEL-08-020082'\n tag fix_id: 'F-47771r743865_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if 
!package('gnome-desktop3').installed?\n impact 0.0\n describe 'The GNOME desktop is not installed, this control is Not Applicable.' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('grep -i lock-enabled /etc/dconf/db/local.d/locks/*') do\n its('stdout.split') { should include '/org/gnome/desktop/screensaver/lock-enabled' }\n end\n end\nend\n", + "code": "control 'SV-230476' do\n title 'RHEL 8 must allocate audit record storage capacity to store at least\none week of audit records, when audit records are not immediately sent to a\ncentral audit record storage facility.'\n desc 'To ensure RHEL 8 systems have a sufficient storage capacity in which\nto write the audit logs, RHEL 8 needs to be able to allocate audit record\nstorage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of RHEL 8.'\n desc 'check', 'Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nDetermine to which partition the audit records are being written with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command:\n\n$ sudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command:\n\n$ sudo du -sh [audit_partition]\n1.8G /var/log/audit\n\nIf the audit record partition is not allocated for sufficient storage capacity, this is a finding.\n\nNote: The partition size needed to capture a week of audit records is 
based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient.'\n desc 'fix', 'Allocate enough storage capacity for at least one week of audit records\nwhen audit records are not immediately sent to a central audit record storage\nfacility.\n\n If audit records are stored on a partition made specifically for audit\nrecords, resize the partition with sufficient space to contain one week of\naudit records.\n\n If audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient space will need be to be created.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000341-GPOS-00132'\n tag gid: 'V-230476'\n tag rid: 'SV-230476r877391_rule'\n tag stig_id: 'RHEL-08-030660'\n tag fix_id: 'F-33120r568175_fix'\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_log_dir = command(\"dirname #{auditd_conf.log_file}\").stdout.strip\n\n describe file(audit_log_dir) do\n it { should exist }\n it { should be_directory }\n end\n\n # Fetch partition sizes in 1K blocks for consistency\n partition_info = command(\"df -B 1K #{audit_log_dir}\").stdout.split(\"\\n\")\n partition_sz_arr = partition_info.last.gsub(/\\s+/m, ' ').strip.split(' ')\n\n # Get unused space percentage\n percentage_space_unused = (100 - partition_sz_arr[4].to_i)\n\n describe \"auditd_conf's space_left threshold\" do\n it 'should be under the amount of space currently available (in 1K blocks) for the audit log directory' do\n expect(auditd_conf.space_left.to_i).to be <= percentage_space_unused\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244539.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230476.rb", "line": 1 }, - "id": "SV-244539" + "id": 
"SV-230476" }, { - "title": "The Trivial File Transfer Protocol (TFTP) server package must not be\ninstalled if not required for RHEL 8 operational support.", - "desc": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", + "title": "All RHEL 8 passwords must contain at least one special character.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
Note that to require special characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", "descriptions": { - "default": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", - "check": "Verify a TFTP server has not been installed on the system with the\nfollowing command:\n\n $ sudo yum list installed tftp-server\n\n tftp-server.x86_64 5.2-24.el8\n\n If TFTP is installed and the requirement for TFTP is not documented with\nthe ISSO, this is a finding.", - "fix": "Remove the TFTP package from the system with the following command:\n\n$ sudo yum remove tftp-server" + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
Note that to require special characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", + "check": "Verify the value for \"ocredit\" with the following command:\n\n$ sudo grep -r ocredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:ocredit = -1\n\nIf the value of \"ocredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nocredit = -1\n\nRemove any configurations that conflict with the above value." }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230533", - "rid": "SV-230533r627750_rule", - "stig_id": "RHEL-08-040190", - "fix_id": "F-33177r568346_fix", + "severity": "medium", + "gtitle": "SRG-OS-000266-GPOS-00101", + "gid": "V-230375", + "rid": "SV-230375r858787_rule", + "stig_id": "RHEL-08-020280", + "fix_id": "F-33019r858786_fix", "cci": [ - "CCI-000366" + "CCI-001619" ], "nist": [ - "CM-6 b" + "IA-5 (1) (a)" ], "host": null, "container": null }, - "code": "control 'SV-230533' do\n title 'The Trivial File Transfer Protocol (TFTP) server package must not be\ninstalled if not required for RHEL 8 operational support.'\n desc 'If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.'\n desc 'check', 'Verify a TFTP server has not been installed on the system with the\nfollowing 
command:\n\n $ sudo yum list installed tftp-server\n\n tftp-server.x86_64 5.2-24.el8\n\n If TFTP is installed and the requirement for TFTP is not documented with\nthe ISSO, this is a finding.'\n desc 'fix', 'Remove the TFTP package from the system with the following command:\n\n$ sudo yum remove tftp-server'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230533'\n tag rid: 'SV-230533r627750_rule'\n tag stig_id: 'RHEL-08-040190'\n tag fix_id: 'F-33177r568346_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('tftp_required')\n describe package('tftp-server') do\n it { should be_installed }\n end\n else\n describe package('tftp-server') do\n it { should_not be_installed }\n end\n end\nend\n", + "code": "control 'SV-230375' do\n title 'All RHEL 8 passwords must contain at least one special character.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
Note that to require special characters without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".'\n desc 'check', 'Verify the value for \"ocredit\" with the following command:\n\n$ sudo grep -r ocredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:ocredit = -1\n\nIf the value of \"ocredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nocredit = -1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000266-GPOS-00101'\n tag gid: 'V-230375'\n tag rid: 'SV-230375r858787_rule'\n tag stig_id: 'RHEL-08-020280'\n tag fix_id: 'F-33019r858786_fix'\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n # value = input('ocredit')\n setting = 'ocredit'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to a positive value\" do\n expect(setting_value.first.to_i).to be <= 0, \"#{setting} is set to a positive value in pwquality.conf\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230533.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230375.rb", "line": 1 }, - "id": "SV-230533" + "id": "SV-230375" }, { - "title": "The RHEL 8 /var/log/messages file must be owned by root.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify that the /var/log/messages file is owned by root with the following\ncommand:\n\n $ sudo stat -c \"%U\" /var/log/messages\n\n root\n\n If \"root\" is not returned as a result, this is a finding.", - "fix": "Change the owner of the file /var/log/messages to root by running the\nfollowing command:\n\n $ sudo chown root /var/log/messages" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/shadow /etc/audit/audit.rules\n\n -w /etc/shadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/shadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -10438,69 +10362,95 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-230246", - "rid": "SV-230246r627750_rule", - "stig_id": "RHEL-08-010220", - "fix_id": "F-32890r567485_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000304-GPOS-00121", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000304-GPOS-00121", + "SRG-OS-000466-GPOS-00210", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-230404", + "rid": "SV-230404r627750_rule", + "stig_id": "RHEL-08-030130", + "fix_id": "F-33048r567959_fix", "cci": [ - "CCI-001314" + "CCI-000169" ], "nist": [ - "SI-11 b" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230246' do\n title 'The RHEL 8 /var/log/messages file must be owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify that the /var/log/messages file is owned by root with the following\ncommand:\n\n $ sudo stat -c \"%U\" /var/log/messages\n\n root\n\n If \"root\" is not returned as a result, this is a finding.'\n desc 'fix', 'Change the owner of the file /var/log/messages to root by running the\nfollowing command:\n\n $ sudo chown root /var/log/messages'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230246'\n tag rid: 'SV-230246r627750_rule'\n tag stig_id: 'RHEL-08-010220'\n tag fix_id: 'F-32890r567485_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe.one do\n describe file('/var/log/messages') do\n it { should be_owned_by 'root' }\n end\n describe file('/var/log/messages') do\n it { should_not exist }\n end\n end\nend\n", + "code": "control 'SV-230404' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/shadow 
/etc/audit/audit.rules\n\n -w /etc/shadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/shadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230404'\n tag rid: 'SV-230404r627750_rule'\n tag stig_id: 'RHEL-08-030130'\n tag fix_id: 'F-33048r567959_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/shadow'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230246.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230404.rb", "line": 1 }, - "id": "SV-230246" + 
"id": "SV-230404" }, { - "title": "RHEL 8 must enable mitigations against processor-based\nvulnerabilities.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n Kernel page-table isolation is a kernel feature that mitigates the Meltdown\nsecurity vulnerability and hardens the kernel against attempts to bypass kernel\naddress space layout randomization (KASLR).", + "title": "The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.", + "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/ directory.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n Kernel page-table isolation is a kernel feature that mitigates the Meltdown\nsecurity vulnerability and hardens the kernel against attempts to bypass kernel\naddress space layout randomization (KASLR).", - "check": "Verify RHEL 8 enables kernel page-table isolation with the following commands:\n\n$ sudo grub2-editenv list | grep pti\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 pti=on boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"pti\" entry does not equal \"on\", is missing, or the line is commented out, this is a finding.\n\nCheck that kernel page-table isolation is enabled by default to persist in kernel updates:\n\n$ sudo grep pti /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"pti=on\"\n\nIf \"pti\" is not set to \"on\", is missing or commented out, this is a finding.", - "fix": "Configure RHEL 8 to enable kernel page-table isolation with the following\ncommand:\n\n $ sudo grubby --update-kernel=ALL --args=\"pti=on\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"pti=on\"" + "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. 
Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/ directory.", + "check": "Verify that system-wide crypto policies are in effect:\n\n$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd\n\n# CRYPTO_POLICY=\n\nIf the \"CRYPTO_POLICY \" is uncommented, this is a finding.", + "fix": "Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:\n\n# CRYPTO_POLICY=\n\nA reboot is required for the changes to take effect." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230491", - "rid": "SV-230491r818842_rule", - "stig_id": "RHEL-08-040004", - "fix_id": "F-33135r568220_fix", + "severity": "medium", + "gtitle": "SRG-OS-000250-GPOS-00093", + "satisfies": [ + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174", + "SRG-OS-000125-GPOS-00065" + ], + "gid": "V-244526", + "rid": "SV-244526r877394_rule", + "stig_id": "RHEL-08-010287", + "fix_id": "F-47758r809333_fix", "cci": [ - "CCI-000381" + "CCI-001453" ], "nist": [ - "CM-7 a" + "AC-17 (2)" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230491' do\n title 'RHEL 8 must enable mitigations against processor-based\nvulnerabilities.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n Kernel page-table isolation is a kernel feature that mitigates the Meltdown\nsecurity vulnerability and hardens the kernel against attempts to bypass kernel\naddress space layout randomization (KASLR).'\n desc 'check', 'Verify RHEL 8 enables kernel page-table isolation with the following commands:\n\n$ sudo grub2-editenv list | grep pti\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 pti=on boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"pti\" entry does not equal \"on\", is missing, or the line is commented out, this is a finding.\n\nCheck that kernel page-table isolation is enabled by default to persist in kernel updates:\n\n$ sudo grep pti /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"pti=on\"\n\nIf \"pti\" is not set to \"on\", is missing or commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable kernel page-table isolation with the following\ncommand:\n\n $ sudo grubby --update-kernel=ALL --args=\"pti=on\"\n\n Add or modify the following line in \"/etc/default/grub\" to ensure the\nconfiguration survives kernel updates:\n\n GRUB_CMDLINE_LINUX=\"pti=on\"'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230491'\n tag rid: 'SV-230491r818842_rule'\n tag stig_id: 'RHEL-08-040004'\n tag fix_id: 'F-33135r568220_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n grub_stdout = command('grub2-editenv - list').stdout\n\n describe parse_config(grub_stdout) do\n its('kernelopts') { should match(/pti=on/) }\n end\n describe parse_config_file('/etc/default/grub') do\n 
its('GRUB_CMDLINE_LINUX') { should match(/pti=on/) }\n end\nend\n", + "code": "control 'SV-244526' do\n title 'The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/ directory.'\n desc 'check', 'Verify that system-wide crypto policies are in effect:\n\n$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd\n\n# CRYPTO_POLICY=\n\nIf the \"CRYPTO_POLICY \" is uncommented, this is a finding.'\n desc 'fix', 'Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:\n\n# CRYPTO_POLICY=\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-244526'\n tag rid: 'SV-244526r877394_rule'\n tag stig_id: 'RHEL-08-010287'\n tag fix_id: 'F-47758r809333_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container-conditional'\n\n openssh_present = package('openssh-server').installed?\n\n only_if('This requirement is Not Applicable in the container without open-ssh installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !openssh_present)\n }\n\n if input('allow_container_openssh_server') == false\n describe 'In a container Environment' do\n it 'the OpenSSH Server should be installed only when allowed in a container environment' do\n expect(openssh_present).to eq(false), 'OpenSSH Server is installed but not approved for the container environment'\n end\n end\n else\n describe 'The system' do\n it 'does not have a CRYPTO_POLICY setting configured' do\n expect(parse_config_file('/etc/sysconfig/sshd').params['CRYPTO_POLICY']).to be_nil, 'The CRYPTO_POLICY setting in the /etc/sysconfig/sshd should not be present. 
Please ensure it is commented out.'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230491.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244526.rb", "line": 1 }, - "id": "SV-230491" + "id": "SV-244526" }, { - "title": "RHEL 8 must mount /dev/shm with the nosuid option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "Successful/unsuccessful uses of the kmod command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"kmod\" command is\nused to control Linux Kernel modules.\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/dev/shm is mounted without the \"nosuid\" option, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"nosuid\"\noption by adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to 
an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"kmod\" command is\nused to control Linux Kernel modules.\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.", + "check": "Verify if RHEL 8 is configured to audit the execution of the module\nmanagement program \"kmod\", by running the following command:\n\n $ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset\n-k modules\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to audit the execution of the module management program\n\"kmod\" by adding or updating the following line to\n\"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset\n-k modules\n\n The audit daemon must be restarted for the changes to take effect." 
 },
 "impact": 0.5,
 "refs": [
@@ -10510,33 +10460,44 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230509", - "rid": "SV-230509r854050_rule", - "stig_id": "RHEL-08-040121", - "fix_id": "F-33153r568274_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000471-GPOS-00216", + "SRG-OS-000477-GPOS-00222" + ], + "gid": "V-230465", + "rid": "SV-230465r627750_rule", + "stig_id": "RHEL-08-030580", + "fix_id": "F-33109r568142_fix", "cci": [ - "CCI-001764" + "CCI-000169" ], "nist": [ - "CM-7 (2)" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230509' do\n title 'RHEL 8 must mount /dev/shm with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/dev/shm is mounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /dev/shm is mounted with the \"nosuid\"\noption by adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230509'\n tag rid: 'SV-230509r854050_rule'\n tag stig_id: 'RHEL-08-040121'\n tag fix_id: 'F-33153r568274_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/dev/shm'\n option = 'nosuid'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230465' do\n title 'Successful/unsuccessful uses of the kmod command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated 
from various components within the\ninformation system (e.g., module or policy filter). The \"kmod\" command is\nused to control Linux Kernel modules.\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.'\n desc 'check', 'Verify if RHEL 8 is configured to audit the execution of the module\nmanagement program \"kmod\", by running the following command:\n\n $ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset\n-k modules\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to audit the execution of the module management program\n\"kmod\" by adding or updating the following line to\n\"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset\n-k modules\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n 
tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000471-GPOS-00216', 'SRG-OS-000477-GPOS-00222']\n tag gid: 'V-230465'\n tag rid: 'SV-230465r627750_rule'\n tag stig_id: 'RHEL-08-030580'\n tag fix_id: 'F-33109r568142_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/kmod'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230509.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230465.rb", "line": 1 }, - "id": "SV-230509" + "id": "SV-230465" }, { - "title": "RHEL 8 must not accept router advertisements on all IPv6 interfaces.", - "desc": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must restrict usage of ptrace to descendant processes.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by using the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_ra\n\nnet.ipv6.conf.all.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0\n\nIf \"net.ipv6.conf.all.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_ra=0\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:\n\n$ sudo sysctl kernel.yama.ptrace_scope\n\nkernel.yama.ptrace_scope = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1\n\nIf \"kernel.yama.ptrace_scope\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.yama.ptrace_scope = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
@@ -10547,10 +10508,10 @@
 "tags": {
 "severity": "medium",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230541",
- "rid": "SV-230541r858812_rule",
- "stig_id": "RHEL-08-040261",
- "fix_id": "F-33185r858811_fix",
+ "gid": "V-230546",
+ "rid": "SV-230546r858824_rule",
+ "stig_id": "RHEL-08-040282",
+ "fix_id": "F-33190r858823_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -10559,20 +10520,20 @@ ], "host": null }, - "code": "control 'SV-230541' do\n title 'RHEL 8 must not accept router advertisements on all IPv6 interfaces.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by using the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_ra\n\nnet.ipv6.conf.all.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf 
/etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0\n\nIf \"net.ipv6.conf.all.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230541'\n tag rid: 'SV-230541r858812_rule'\n tag stig_id: 'RHEL-08-040261'\n tag fix_id: 'F-33185r858811_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_ra'\n action = 'IPv6 router advertisements'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230546' do\n title 'RHEL 8 must restrict usage of ptrace to descendant processes.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:\n\n$ sudo sysctl kernel.yama.ptrace_scope\n\nkernel.yama.ptrace_scope = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1\n\nIf \"kernel.yama.ptrace_scope\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.yama.ptrace_scope = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded 
for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230546'\n tag rid: 'SV-230546r858824_rule'\n tag stig_id: 'RHEL-08-040282'\n tag fix_id: 'F-33190r858823_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.yama.ptrace_scope'\n action = 'usage of ptrace'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the 
`#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230541.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230546.rb", "line": 1 }, - "id": "SV-230541" + "id": "SV-230546" }, { - "title": "RHEL 8 must require the maximum number of repeating characters of the\nsame character class be limited to four when passwords are changed.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"maxclassrepeat\" option sets the maximum number of allowed\nsame consecutive characters in the same class in the new password.", + "title": "RHEL 8 must cover or disable the built-in or attached camera when not\nin use.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"maxclassrepeat\" option sets the maximum number of allowed\nsame consecutive characters in the same class in the new password.", - "check": "Check for the value of the \"maxclassrepeat\" option with the following command:\n\n$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:maxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = 4\n\nRemove any configurations that conflict with the above value." 
+ "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.", + "check": "If the device or operating system does not have a camera installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.\n\nThis requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.\n\nFor an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.\n\nFor a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. 
If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.\n\nIf the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:\n\nVerify the operating system disables the ability to load the uvcvideo kernel module.\n\n $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"/bin/false\"\n install uvcvideo /bin/false\n\nIf the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the camera is disabled via blacklist with the following command:\n\n $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"blacklist\"\n blacklist uvcvideo\n\nIf the command does not return any output or the output is not \"blacklist uvcvideo\", and the collaborative computing device has not been authorized for use, this is a finding.", + "fix": "Configure the operating system to disable the built-in or attached camera when not in use.\n\nBuild or modify the \"/etc/modprobe.d/blacklist.conf\" file by using the following example:\n\n install uvcvideo /bin/false\n blacklist uvcvideo\n\nReboot the system for the settings to take effect." }, "impact": 0.5, "refs": [ 
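Review bot: The embedded InSpec code for SV-230546 (the new `code` string in this hunk) keeps an applicability guard copied from the router-advertisement control it replaces — `only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) { !input('network_router') }` — so on any host where the `network_router` input is true the `kernel.yama.ptrace_scope` check is silently skipped as N/A, even though nothing in the STIG check text makes this requirement depend on routing. That guard should be dropped; the docker branch that follows is the only exception the check text supports. The example name `it 'is disabled in sysctl -a'` is likewise inherited and misleading for a required value of 1 (ptrace restricted to descendants), e.g. `it 'is set to the required value in sysctl -a'`, and the grep command still carries stray find-style `{} \;` arguments. Since this JSON appears to be an export of `./Red Hat 8 STIG/controls/SV-230546.rb`, the fix belongs in that source control and should be re-exported rather than patched by hand here.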
@@ -10582,34 +10543,37 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000072-GPOS-00040",
- "gid": "V-230360",
- "rid": "SV-230360r858777_rule",
- "stig_id": "RHEL-08-020140",
- "fix_id": "F-33004r858776_fix",
+ "gtitle": "SRG-OS-000095-GPOS-00049",
+ "satisfies": [
+ "SRG-OS-000095-GPOS-00049",
+ "SRG-OS-000370-GPOS-00155"
+ ],
+ "gid": "V-230493",
+ "rid": "SV-230493r942915_rule",
+ "stig_id": "RHEL-08-040020",
+ "fix_id": "F-33137r942914_fix",
 "cci": [
- "CCI-000195"
+ "CCI-000381"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "CM-7 a"
 ],
- "host": null,
- "container": null
+ "host": null
 },
- "code": "control 'SV-230360' do\n title 'RHEL 8 must require the maximum number of repeating characters of the\nsame character class be limited to four when passwords are changed.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"maxclassrepeat\" option sets the maximum number of allowed\nsame consecutive characters in the same class in the new password.'\n desc 'check', 'Check for the value of the \"maxclassrepeat\" option with the following command:\n\n$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:maxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = 4\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-230360'\n tag rid: 'SV-230360r858777_rule'\n tag stig_id: 'RHEL-08-020140'\n tag fix_id: 'F-33004r858776_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host'\n tag 'container'\n\n value = input('maxclassrepeat')\n setting = 'maxclassrepeat'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to more than #{value}\" do\n expect(setting_value.first.to_i).to be <= value.to_i, \"#{setting} is set to a value greater than #{value} in pwquality.conf\"\n end\n end\nend\n", + "code": "control 'SV-230493' do\n title 'RHEL 8 must cover or disable the built-in or attached camera when not\nin use.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. 
Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.'\n desc 'check', 'If the device or operating system does not have a camera installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.\n\nThis requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.\n\nFor an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.\n\nFor a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.\n\nIf the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:\n\nVerify the operating system disables the ability to load the uvcvideo kernel module.\n\n $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"/bin/false\"\n install uvcvideo /bin/false\n\nIf the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the camera is disabled via blacklist with the following command:\n\n $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"blacklist\"\n blacklist uvcvideo\n\nIf the command does not return any output or the output is not \"blacklist uvcvideo\", and the collaborative computing device has not been authorized for use, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the built-in or attached camera when not in use.\n\nBuild or modify 
the \"/etc/modprobe.d/blacklist.conf\" file by using the following example:\n\n install uvcvideo /bin/false\n blacklist uvcvideo\n\nReboot the system for the settings to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag satisfies: ['SRG-OS-000095-GPOS-00049', 'SRG-OS-000370-GPOS-00155']\n tag gid: 'V-230493'\n tag rid: 'SV-230493r942915_rule'\n tag stig_id: 'RHEL-08-040020'\n tag fix_id: 'F-33137r942914_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('camera_installed')\n describe kernel_module('uvcvideo') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n else\n impact 0.0\n describe 'Device or operating system does not have a camera installed' do\n skip 'Device or operating system does not have a camera installed, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230360.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230493.rb", "line": 1 }, - "id": "SV-230360" + "id": "SV-230493" }, { - "title": "RHEL 8 must set the umask value to 077 for all local interactive user\naccounts.", - "desc": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". 
This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", + "title": "A firewall must be installed on RHEL 8.", + "desc": "\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).", "descriptions": { - "default": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". 
This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", - "check": "Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n$ sudo grep -ir ^umask /home | grep -v '.bash_history'\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.", - "fix": "Remove the umask statement from all local interactive user's initialization\nfiles.\n\n If the account is for an application, the requirement for a umask less\nrestrictive than \"077\" can be documented with the Information System Security\nOfficer, but the user agreement for access to the account must specify that the\nlocal interactive user must log on to their account first and then switch the\nuser to the application account with the correct option to gain the account's\nenvironment variables." + "default": "\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).",
+ "check": "Verify that \"firewalld\" is installed with the following commands:\n\n $ sudo yum list installed firewalld\n\n firewalld.noarch 0.7.0-5.el8\n\n If the \"firewalld\" package is not installed, ask the System Administrator\nif another firewall is installed. If no firewall is installed this is a finding.",
+ "fix": "Install \"firewalld\" with the following command:\n\n$ sudo yum install firewalld.noarch"
 },
 "impact": 0.5,
 "refs": [
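Review bot: The new SV-230493 test (the `"code"` value in this hunk) asserts only `should_not be_loaded` and `should be_blacklisted`, while the control's own `check` text treats a missing `install uvcvideo /bin/false` directive as a separate finding, so a host carrying only a `blacklist uvcvideo` line passes the automated test but fails the manual check. A blacklist entry generally prevents alias-based autoloading only, which appears to be why the STIG asks for both lines. Consider adding an assertion for the install directive next to the blacklist one, e.g. `its('disabled_via_bin_false?') { should be true }` if the pinned InSpec `kernel_module` resource exposes that predicate, otherwise a `command`-based grep mirroring the check text. The JSON object for this control begins in the previous hunk.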
@@ -10619,70 +10583,74 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00228", - "gid": "V-230384", - "rid": "SV-230384r858732_rule", - "stig_id": "RHEL-08-020352", - "fix_id": "F-33028r567899_fix", + "gtitle": "SRG-OS-000297-GPOS-00115", + "gid": "V-230505", + "rid": "SV-230505r854048_rule", + "stig_id": "RHEL-08-040100", + "fix_id": "F-33149r744019_fix", "cci": [ - "CCI-000366" + "CCI-002314" ], "nist": [ - "CM-6 b" + "AC-17 (1)" ], "host": null }, - "code": "control 'SV-230384' do\n title 'RHEL 8 must set the umask value to 077 for all local interactive user\naccounts.'\n desc 'The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 600 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.'\n desc 'check', %q(Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n$ sudo grep -ir ^umask /home | grep -v '.bash_history'\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.)\n desc 'fix', %q(Remove the umask statement from all local interactive user's initialization\nfiles.\n\n If the account is for an application, the requirement for a umask less\nrestrictive than \"077\" can be documented with the Information System Security\nOfficer, but the user agreement for access to 
the account must specify that the\nlocal interactive user must log on to their account first and then switch the\nuser to the application account with the correct option to gain the account's\nenvironment variables.)\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00228'\n tag gid: 'V-230384'\n tag rid: 'SV-230384r858732_rule'\n tag stig_id: 'RHEL-08-020352'\n tag fix_id: 'F-33028r567899_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_home_users = input('exempt_home_users')\n expected_mode = input('permissions_for_shells')['default_umask']\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n iusers = passwd.where { uid.to_i >= uid_min && shell !~ /nologin/ && !exempt_home_users.include?(user) }\n\n if !iusers.users.nil? && !iusers.users.empty?\n\n # run the check text's grep against all interactive users, compare any hits to the expected mode\n failing_users = iusers.entries.select { |u|\n umask_set = command(\"grep -ir ^umask #{u.home} | grep -v '.bash_history'\").stdout.strip\n umask_set.nil? 
&& umask_set.match(/(?\\d{3,4})/)['umask'].to_i > expected_mode.to_i\n }.map(&:user)\n\n describe 'All non-exempt interactive users on the system' do\n it \"should not set the UMASK more permissive than '#{expected_mode}' in any init files\" do\n expect(failing_users).to be_empty, \"Failing users:\\n\\t- #{failing_users.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'No non-exempt interactive user accounts' do\n it 'were detected on the system' do\n expect(true).to eq(true)\n end\n end\n end\nend\n", + "code": "control 'SV-230505' do\n title 'A firewall must be installed on RHEL 8.'\n desc '\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).'\n desc 'check', 'Verify that \"firewalld\" is installed with the following commands:\n\n $ sudo yum list installed firewalld\n\n firewalld.noarch 0.7.0-5.el8\n\n If the \"firewalld\" package is not installed, ask the System Administrator\nif another firewall is installed. 
If no firewall is installed this is a finding.'\n desc 'fix', 'Install \"firewalld\" with the following command:\n\n$ sudo yum install firewalld.noarch'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000297-GPOS-00115'\n tag gid: 'V-230505'\n tag rid: 'SV-230505r854048_rule'\n tag stig_id: 'RHEL-08-040100'\n tag fix_id: 'F-33149r744019_fix'\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n alternate_firewall_tool = input('alternate_firewall_tool')\n\n if alternate_firewall_tool != ''\n describe package(alternate_firewall_tool) do\n it { should be_installed }\n end\n else\n describe package('firewalld') do\n it { should be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230384.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230505.rb", "line": 1 }, - "id": "SV-230384" + "id": "SV-230505" }, { - "title": "RHEL 8 passwords for new users must have a minimum of 15 characters.", - "desc": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n The DoD minimum password requirement is 15 characters.", + "title": "RHEL 8 must not have the rsh-server package installed.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. 
These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", "descriptions": { - "default": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. 
Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n The DoD minimum password requirement is 15 characters.", - "check": "Verify that RHEL 8 enforces a minimum 15-character password length for new\nuser accounts by running the following command:\n\n $ sudo grep -i pass_min_len /etc/login.defs\n\n PASS_MIN_LEN 15\n\n If the \"PASS_MIN_LEN\" parameter value is less than \"15\", or commented\nout, this is a finding.", - "fix": "Configure operating system to enforce a minimum 15-character password\nlength for new user accounts.\n\n Add, or modify the following line in the \"/etc/login.defs\" file:\n\n PASS_MIN_LEN 15" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", + "check": "Check to see if the rsh-server package is installed with the following\ncommand:\n\n $ sudo yum list installed rsh-server\n\n If the rsh-server package is installed, this is a finding.", + "fix": "Configure the operating system to disable non-essential capabilities by\nremoving the rsh-server package from the system with the following command:\n\n $ sudo yum remove rsh-server" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000078-GPOS-00046", - "gid": "V-230370", - "rid": "SV-230370r627750_rule", - "stig_id": "RHEL-08-020231", - "fix_id": "F-33014r567857_fix", + "severity": "high", + "gtitle": "SRG-OS-000095-GPOS-00049", + "satisfies": [ + "SRG-OS-000095-GPOS-00049", + "SRG-OS-000074-GPOS-00042" + ], + "gid": "V-230492", + "rid": "SV-230492r627750_rule", + "stig_id": "RHEL-08-040010", + "fix_id": "F-33136r568223_fix", "cci": [ - "CCI-000205" + "CCI-000381" ], "nist": [ - "IA-5 (1) (a)" + "CM-7 a" ], "host": null, "container": null }, - "code": "control 'SV-230370' do\n title 'RHEL 8 passwords for new users must have a minimum of 15 characters.'\n desc 'The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. 
Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n The DoD minimum password requirement is 15 characters.'\n desc 'check', 'Verify that RHEL 8 enforces a minimum 15-character password length for new\nuser accounts by running the following command:\n\n $ sudo grep -i pass_min_len /etc/login.defs\n\n PASS_MIN_LEN 15\n\n If the \"PASS_MIN_LEN\" parameter value is less than \"15\", or commented\nout, this is a finding.'\n desc 'fix', 'Configure operating system to enforce a minimum 15-character password\nlength for new user accounts.\n\n Add, or modify the following line in the \"/etc/login.defs\" file:\n\n PASS_MIN_LEN 15'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000078-GPOS-00046'\n tag gid: 'V-230370'\n tag rid: 'SV-230370r627750_rule'\n tag stig_id: 'RHEL-08-020231'\n tag fix_id: 'F-33014r567857_fix'\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n value = input('pass_min_len')\n setting = input_object('pass_min_len').name.upcase\n\n describe \"/etc/login.defs does not have `#{setting}` configured\" do\n let(:config) { login_defs.read_params[setting] }\n it \"greater than #{value} day\" do\n expect(config).to cmp >= value\n end\n end\nend\n", + "code": "control 'SV-230492' do\n title 'RHEL 8 must not have the rsh-server package installed.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.'\n desc 'check', 'Check to see if the rsh-server package is installed with the following\ncommand:\n\n $ sudo yum list installed rsh-server\n\n If the rsh-server package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by\nremoving the rsh-server package from the system with the following command:\n\n $ sudo yum remove rsh-server'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag satisfies: ['SRG-OS-000095-GPOS-00049', 'SRG-OS-000074-GPOS-00042']\n tag gid: 'V-230492'\n tag rid: 'SV-230492r627750_rule'\n tag stig_id: 'RHEL-08-040010'\n tag fix_id: 'F-33136r568223_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230370.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230492.rb", "line": 1 }, - "id": "SV-230370" + "id": "SV-230492" }, { - "title": "Successful/unsuccessful uses of the umount command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation 
system (e.g., module or policy filter). The \"umount\" command is\nused to unmount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.", + "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nThe \"unlink\" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.\nThe \"rmdir\" system call removes empty directories.\nThe \"renameat\" system call renames a file, moving it between directories if required.\nThe \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"umount\" command is\nused to unmount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"umount\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/umount /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"umount\" command by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nThe \"unlink\" system call deletes a name from the filesystem. 
If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.\nThe \"rmdir\" system call removes empty directories.\nThe \"renameat\" system call renames a file, moving it between directories if required.\nThe \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
Performance can be helped, however, by combining syscalls into one rule whenever possible.",
+ "check": "Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep 'rename\\|unlink\\|rmdir' /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nIf the command does not return an audit rule for \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" or any of the lines returned are commented out, this is a finding.",
+ "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nThe audit daemon must be restarted for the changes to take effect."
 },
 "impact": 0.5,
 "refs": [
@@ -10697,15 +10665,14 @@
 "SRG-OS-000062-GPOS-00031",
 "SRG-OS-000037-GPOS-00015",
 "SRG-OS-000042-GPOS-00020",
- "SRG-OS-000062-GPOS-00031",
 "SRG-OS-000392-GPOS-00172",
 "SRG-OS-000462-GPOS-00206",
 "SRG-OS-000471-GPOS-00215"
 ],
- "gid": "V-230424",
- "rid": "SV-230424r627750_rule",
- "stig_id": "RHEL-08-030301",
- "fix_id": "F-33068r568019_fix",
+ "gid": "V-230439",
+ "rid": "SV-230439r810465_rule",
+ "stig_id": "RHEL-08-030361",
+ "fix_id": "F-33083r809301_fix",
 "cci": [
 "CCI-000169"
 ],
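Review bot: In the new SV-230505 `"code"` value, a non-empty `alternate_firewall_tool` input replaces the firewalld check with a bare `package(alternate_firewall_tool)` / `should be_installed`, so whatever package name is supplied through the input satisfies the control, and nothing in the result records that the firewalld requirement was waived. The check text leaves that judgement to the System Administrator, so an input is a reasonable design, but the waiver should be visible in the report and in the control itself; consider a comment such as `# alternate_firewall_tool: operator-declared substitute for firewalld; only package presence is asserted, fitness as a firewall is not verified here` and naming the accepted package in the describe/it text so reviewers can see which package was credited. The SV-230492 and SV-230439 changes in this hunk look consistent with their tags.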
@@ -10714,56 +10681,56 @@ ], "host": null }, - "code": "control 'SV-230424' do\n title 'Successful/unsuccessful uses of the umount command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"umount\" command is\nused to unmount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"umount\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/umount /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"umount\" command by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 
'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230424'\n tag rid: 'SV-230424r627750_rule'\n tag stig_id: 'RHEL-08-030301'\n tag fix_id: 'F-33068r568019_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/umount'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230439' do\n title 'Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nThe \"unlink\" system call deletes a name from the filesystem. 
If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.\nThe \"rmdir\" system call removes empty directories.\nThe \"renameat\" system call renames a file, moving it between directories if required.\nThe \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
Performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', %q(Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep 'rename\\|unlink\\|rmdir' /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nIf the command does not return an audit rule for \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" or any of the lines returned are commented out, this is a finding.)\n desc 'fix', 'Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230439'\n tag rid: 'SV-230439r810465_rule'\n tag stig_id: 'RHEL-08-030361'\n tag fix_id: 'F-33083r809301_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['rename', 'unlink', 'rmdir', 'renameat', 'unlinkat']\n\n 
only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230424.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230439.rb", "line": 1 }, - "id": "SV-230424" + "id": "SV-230439" }, { - "title": "RHEL 8 must prevent kernel profiling by unprivileged users.", - "desc": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. 
This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nSetting the kernel.perf_event_paranoid kernel parameter to \"2\" prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)\nredirect messages.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nSetting the kernel.perf_event_paranoid kernel parameter to \"2\" prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:\n\nCheck the status of the kernel.perf_event_paranoid kernel parameter.\n\n$ sudo sysctl kernel.perf_event_paranoid\n\nkernel.perf_event_paranoid = 2\n\nIf \"kernel.perf_event_paranoid\" is not set to \"2\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2\n\nIf \"kernel.perf_event_paranoid\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to prevent kernel profiling by unprivileged users.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.perf_event_paranoid = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 ignores IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_redirects\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0\n\nIf \"net.ipv6.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to ignore IPv6 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the 
following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000138-GPOS-00069", - "gid": "V-230270", - "rid": "SV-230270r858758_rule", - "stig_id": "RHEL-08-010376", - "fix_id": "F-32914r858757_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230544", + "rid": "SV-230544r858820_rule", + "stig_id": "RHEL-08-040280", + "fix_id": "F-33188r858819_fix", "cci": [ - "CCI-001090" + "CCI-000366" ], "nist": [ - "SC-4" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230270' do\n title 'RHEL 8 must prevent kernel profiling by unprivileged users.'\n desc 'Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. 
This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nSetting the kernel.perf_event_paranoid kernel parameter to \"2\" prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:\n\nCheck the status of the kernel.perf_event_paranoid kernel parameter.\n\n$ sudo sysctl kernel.perf_event_paranoid\n\nkernel.perf_event_paranoid = 2\n\nIf \"kernel.perf_event_paranoid\" is not set to \"2\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2\n\nIf \"kernel.perf_event_paranoid\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to prevent 
kernel profiling by unprivileged users.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.perf_event_paranoid = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag gid: 'V-230270'\n tag rid: 'SV-230270r858758_rule'\n tag stig_id: 'RHEL-08-010376'\n tag fix_id: 'F-32914r858757_fix'\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'kernel.perf_event_paranoid'\n\n describe kernel_parameter(action) do\n its('value') { should eq 2 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? 
{ |line| line.match(/#{action}\\s*=\\s*2$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^2]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230544' do\n title 'RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)\nredirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 ignores IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_redirects\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0\n\nIf \"net.ipv6.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to ignore IPv6 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230544'\n tag rid: 'SV-230544r858820_rule'\n tag stig_id: 'RHEL-08-040280'\n 
tag fix_id: 'F-33188r858819_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_redirect'\n action = 'accepting IPv6 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line 
`#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230270.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230544.rb", "line": 1 }, - "id": "SV-230270" + "id": "SV-230544" }, { - "title": "RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.", - "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", + "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/sudoers.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", - "check": "Verify the operating system is configured in the system-auth file to prohibit password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" with the following command:\n\n $ sudo grep -i remember /etc/pam.d/system-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", - "fix": "Configure the operating system in the system-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/sudoers\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/sudoers /etc/audit/audit.rules\n\n -w /etc/sudoers -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination 
events that affect \"/etc/sudoers\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -10772,37 +10739,54 @@ } ], "tags": { - "check_id": "C-55154r902747_chk", "severity": "medium", - "gid": "V-251717", - "rid": "SV-251717r902749_rule", - "stig_id": "RHEL-08-020221", - "gtitle": "SRG-OS-000077-GPOS-00045", - "fix_id": "F-55108r902748_fix", - "documentable": null, + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000304-GPOS-00121", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000304-GPOS-00121", + "CCI-002884", + "SRG-OS-000466-GPOS-00210", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-230409", + "rid": "SV-230409r627750_rule", + "stig_id": "RHEL-08-030171", + "fix_id": "F-33053r567974_fix", "cci": [ - "CCI-000200" + "CCI-000169" ], "nist": [ - "IA-5 (1) (e)" + "AU-12 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-251717' do\n title 'RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.'\n desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.'\n desc 'check', 'Verify the operating system is configured in the system-auth file to prohibit password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" with the following command:\n\n $ sudo grep -i remember /etc/pam.d/system-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.'\n desc 'fix', 'Configure the operating system in the system-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55154r902747_chk'\n tag severity: 'medium'\n tag gid: 'V-251717'\n tag rid: 'SV-251717r902749_rule'\n tag stig_id: 'RHEL-08-020221'\n tag gtitle: 'SRG-OS-000077-GPOS-00045'\n tag fix_id: 'F-55108r902748_fix'\n tag 'documentable'\n tag cci: ['CCI-000200']\n tag nist: ['IA-5 (1) (e)']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('password (required|requisite|sufficient) pam_pwhistory.so').any_with_integer_arg('remember', '>=', input('min_reuse_generations')) }\n end\nend\n", + "code": "control 'SV-230409' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/sudoers.'\n desc 'Without generating audit records that are specific to the 
security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/sudoers\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/sudoers /etc/audit/audit.rules\n\n -w /etc/sudoers -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/sudoers\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'CCI-002884', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230409'\n tag rid: 'SV-230409r627750_rule'\n tag stig_id: 'RHEL-08-030171'\n tag fix_id: 'F-33053r567974_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 
0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/sudoers'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251717.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230409.rb", "line": 1 }, - "id": "SV-251717" + "id": "SV-230409" }, { - "title": "The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.", - "desc": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/ directory.", + "title": "RHEL 8 must mount /var/log/audit with the nodev option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. 
The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/ directory.", - "check": "Verify that system-wide crypto policies are in effect:\n\n$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd\n\n# CRYPTO_POLICY=\n\nIf the \"CRYPTO_POLICY \" is uncommented, this is a finding.", - "fix": "Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:\n\n# CRYPTO_POLICY=\n\nA reboot is required for the changes to take effect." + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/log/audit\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if\n/var/log/audit is mounted without the \"nodev\" option, this is a finding.", + "fix": "Configure the system so that /var/log/audit is mounted with the \"nodev\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
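Review bot: The new `satisfies` array for SV-230409 (tags block in this hunk) lists `SRG-OS-000062-GPOS-00031` and `SRG-OS-000304-GPOS-00121` twice each and also contains `CCI-002884`, which is a CCI rather than an SRG identifier and does not belong among SRG entries. The same values recur verbatim in the `tag satisfies:` line of the embedded `code` string, so this appears inherited from the upstream profile rather than introduced by the regeneration, but consumers that count or index SRG coverage from this baseline will double-count unless the array is deduplicated on generation. I would drop the two repeated entries and check `CCI-002884` against the upstream STIG's CCI list (the `cci` array here holds only `"CCI-000169"`) before either moving it there or removing it. Separately, the `diff --git` header for these lines is not visible in this chunk; if they still belong to the canonical-ubuntu-16.04 baseline named at the top of the diff, RHEL 8 controls such as `RHEL-08-030171` with `"ref": "./Red Hat 8 STIG/controls/SV-230409.rb"` would be misfiled and worth confirming.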
@@ -10812,40 +10796,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000250-GPOS-00093", - "satisfies": [ - "SRG-OS-000250-GPOS-00093", - "SRG-OS-000393-GPOS-00173", - "SRG-OS-000394-GPOS-00174", - "SRG-OS-000125-GPOS-00065" - ], - "gid": "V-244526", - "rid": "SV-244526r877394_rule", - "stig_id": "RHEL-08-010287", - "fix_id": "F-47758r809333_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230517", + "rid": "SV-230517r854058_rule", + "stig_id": "RHEL-08-040129", + "fix_id": "F-33161r568298_fix", "cci": [ - "CCI-001453" + "CCI-001764" ], "nist": [ - "AC-17 (2)" + "CM-7 (2)" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-244526' do\n title 'The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.'\n desc 'Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Remote access (e.g., RDP) is access to DoD nonpublic information systems by\nan authorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods include,\nfor example, dial-up, broadband, and wireless.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the secret key used to generate the hash.\n\n RHEL 8 incorporates system-wide crypto policies by default. The SSH\nconfiguration file has no effect on the ciphers, MACs, or algorithms unless\nspecifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms\ncan be viewed in the /etc/crypto-policies/back-ends/ directory.'\n desc 'check', 'Verify that system-wide crypto policies are in effect:\n\n$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd\n\n# CRYPTO_POLICY=\n\nIf the \"CRYPTO_POLICY \" is uncommented, this is a finding.'\n desc 'fix', 'Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:\n\n# CRYPTO_POLICY=\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-244526'\n tag rid: 'SV-244526r877394_rule'\n tag stig_id: 'RHEL-08-010287'\n tag fix_id: 'F-47758r809333_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container-conditional'\n\n openssh_present = package('openssh-server').installed?\n\n only_if('This requirement is Not Applicable in the container without open-ssh installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !openssh_present)\n }\n\n if input('allow_container_openssh_server') == false\n describe 'In a container Environment' do\n it 'the OpenSSH Server should be installed only when allowed in a container environment' do\n expect(openssh_present).to eq(false), 'OpenSSH Server is installed but not approved for the container environment'\n end\n end\n else\n describe 'The system' do\n it 'does not have a CRYPTO_POLICY setting configured' do\n expect(parse_config_file('/etc/sysconfig/sshd').params['CRYPTO_POLICY']).to be_nil, 'The CRYPTO_POLICY setting in the /etc/sysconfig/sshd should not be present. 
Please ensure it is commented out.'\n end\n end\n end\nend\n", + "code": "control 'SV-230517' do\n title 'RHEL 8 must mount /var/log/audit with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log/audit\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if\n/var/log/audit is mounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log/audit is mounted with the \"nodev\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230517'\n tag rid: 'SV-230517r854058_rule'\n tag stig_id: 'RHEL-08-040129'\n tag fix_id: 'F-33161r568298_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log/audit'\n option = 'nodev'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244526.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230517.rb", "line": 1 }, - "id": "SV-244526" + "id": "SV-230517" }, { - "title": "The RHEL 8 SSH server must be configured to use 
only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.", - "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.", + "title": "All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.", + "desc": "RHEL 8 systems handling data requiring \"data at rest\" protections\n must employ cryptographic mechanisms to prevent unauthorized disclosure and\n modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. 
Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).", "descriptions": { - "default": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.", - "check": "Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:\n\n $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config\n\n -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\nIf the MACs entries in the \"opensshserver.config\" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.", - "fix": "Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\n A reboot is required for the changes to take effect." + "default": "RHEL 8 systems handling data requiring \"data at rest\" protections\n must employ cryptographic mechanisms to prevent unauthorized disclosure and\n modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. 
Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).", + "check": "Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.\n\nIf there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable.\n\nVerify all system partitions are encrypted with the following command:\n\n $ sudo blkid\n\n /dev/mapper/rhel-root: UUID=\"67b7d7fe-de60-6fd0-befb-e6748cf97743\" TYPE=\"crypto_LUKS\"\n\nEvery persistent disk partition present must be of type \"crypto_LUKS\". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type \"crypto_LUKS\", ask the administrator to indicate how the partitions are encrypted.\n\nIf there is no evidence that these partitions are encrypted, this is a finding.", + "fix": "Configure RHEL 8 to prevent unauthorized modification of all information at\nrest by using disk encryption.\n\n Encrypting a partition in an already installed system is more difficult,\n because existing partitions will need to be resized and changed. To encrypt an\n entire partition, dedicate a partition for encryption in the partition layout." }, "impact": 0.5, "refs": [ 
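Review bot: The embedded `code` for SV-230517 (this hunk) runs `describe mount(path)` and `describe etc_fstab.where { mount_point == path }` unconditionally, while the `check` text only calls it a finding when results are returned without `nodev` or the path is mounted without it; on a host where `/var/log/audit` is not a distinct mount point, the `mount` resource presumably reports nothing and the `options` expectation fails with a message that does not say the mount is absent. If that strictness is intended (a separate partition may be mandated by another control), a one-line comment in the control stating that would stop it being re-raised; otherwise adding `it { should be_mounted }` ahead of the `options` check, and a matching `its('entries.length') { should be > 0 }` style guard on the fstab query, would make the failure name its real cause. Since the `code` string is upstream profile content copied into this baseline, the change belongs in `./Red Hat 8 STIG/controls/SV-230517.rb` and should flow into the JSON on the next regeneration rather than be hand-edited here.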
@@ -10855,40 +10832,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000250-GPOS-00093", + "gtitle": "SRG-OS-000185-GPOS-00079", "satisfies": [ - "SRG-OS-000250-GPOS-00093", - "SRG-OS-000393-GPOS-00173", - "SRG-OS-000394-GPOS-00174", - "SRG-OS-000125-GPOS-00065" + "SRG-OS-000185-GPOS-00079", + "SRG-OS-000404-GPOS-00183", + "SRG-OS-000405-GPOS-00184" ], - "gid": "V-230251", - "rid": "SV-230251r917870_rule", - "stig_id": "RHEL-08-010290", - "fix_id": "F-32895r917869_fix", + "gid": "V-230224", + "rid": "SV-230224r917864_rule", + "stig_id": "RHEL-08-010030", + "fix_id": "F-32868r567419_fix", "cci": [ - "CCI-001453" + "CCI-001199" ], "nist": [ - "AC-17 (2)" + "SC-28" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230251' do\n title 'The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.'\n desc 'Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. 
The system will attempt to use the first hash presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.'\n desc 'check', 'Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:\n\n $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config\n\n -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\nIf the MACs entries in the \"opensshserver.config\" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.'\n desc 'fix', 'Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-230251'\n tag rid: 'SV-230251r917870_rule'\n tag stig_id: 'RHEL-08-010290'\n tag fix_id: 'F-32895r917869_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container-conditional'\n\n # Check if SSH is installed within containerized RHEL\n only_if('SSH is not installed within containerized RHEL. 
Therefore, this requirement is not applicable.', impact: 0.0) do\n !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)\n end\n\n # Define the required algorithms\n required_algorithms = input('openssh_server_required_algorithms')\n\n # TODO: make a simple resource for this based off 'login_defs' or 'yum' as a model\n\n # Parse the configuration file to get the value of \"CRYPTO_POLICY\"\n crypto_policy = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config')['CRYPTO_POLICY']\n\n # Parse the CRYPTO_POLICY string into a hash of configuration options\n config_options = crypto_policy.scan(/-o(\\w+)=([\\w\\-,@]+.)/).to_h\n\n # Split each configuration option's values into an array\n config_options.transform_values! { |v| v.split(',') }\n\n # Define the path to the crypto policy file\n crypto_policy_file = '/etc/crypto-policies/back-ends/opensshserver.config'\n\n # Test that the crypto policy file is configured with the required algorithms\n describe \"The crypto policy file #{crypto_policy_file}\" do\n it 'is configured with the required algorithms' do\n expect(crypto_policy).not_to be_nil, \"The crypto policy file #{crypto_policy_file} \\ndoes not contain the required algorithms\\n\\n\\t#{required_algorithms}.\"\n end\n end\n\n # Test that the MACS option in the crypto policy file contains the required algorithms in the correct order\n describe 'The MACs option in the crypto policy file' do\n it 'contains the required algorithms in the correct order' do\n expect(config_options['MACS']).to eq(required_algorithms), \"The MACS option in the crypto policy file does not contain the required algorithms in the *exact order*:\\n\\n\\texpected: #{required_algorithms}\\n\\tgot:#{config_options['MACS']}\"\n end\n end\nend\n", + "code": "control 'SV-230224' do\n title 'All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest 
protection.'\n desc 'RHEL 8 systems handling data requiring \"data at rest\" protections\n must employ cryptographic mechanisms to prevent unauthorized disclosure and\n modification of the information at rest.\n\n Selection of a cryptographic mechanism is based on the need to protect the\nintegrity of organizational information. The strength of the mechanism is\ncommensurate with the security category and/or classification of the\ninformation. Organizations have the flexibility to either encrypt all\ninformation on storage devices (i.e., full disk encryption) or encrypt specific\ndata structures (e.g., files, records, or fields).'\n desc 'check', 'Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.\n\nIf there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable.\n\nVerify all system partitions are encrypted with the following command:\n\n $ sudo blkid\n\n /dev/mapper/rhel-root: UUID=\"67b7d7fe-de60-6fd0-befb-e6748cf97743\" TYPE=\"crypto_LUKS\"\n\nEvery persistent disk partition present must be of type \"crypto_LUKS\". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type \"crypto_LUKS\", ask the administrator to indicate how the partitions are encrypted.\n\nIf there is no evidence that these partitions are encrypted, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent unauthorized modification of all information at\nrest by using disk encryption.\n\n Encrypting a partition in an already installed system is more difficult,\n because existing partitions will need to be resized and changed. 
To encrypt an\n entire partition, dedicate a partition for encryption in the partition layout.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000185-GPOS-00079'\n tag satisfies: ['SRG-OS-000185-GPOS-00079', 'SRG-OS-000404-GPOS-00183', 'SRG-OS-000405-GPOS-00184']\n tag gid: 'V-230224'\n tag rid: 'SV-230224r917864_rule'\n tag stig_id: 'RHEL-08-010030'\n tag fix_id: 'F-32868r567419_fix'\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n tag 'host'\n\n all_args = command('blkid').stdout.strip.split(\"\\n\").map { |s| s.sub(/^\"(.*)\"$/, '\\1') }\n\n def describe_and_skip(message)\n describe message do\n skip message\n end\n end\n\n # TODO: This should really have a resource\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe_and_skip('Disk Encryption and Data At Rest Implementation is handled on the Container Host')\n elsif input('data_at_rest_exempt') == true\n impact 0.0\n describe_and_skip('Data At Rest Requirements have been set to Not Applicabe by the `data_at_rest_exempt` input.')\n elsif all_args.empty?\n # TODO: Determine if this is an NA vs and NR or even a pass\n describe_and_skip('Command blkid did not return and non-psuedo block devices.')\n else\n all_args.each do |args|\n describe args do\n it { should match(/\\bcrypto_LUKS\\b/) }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230251.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230224.rb", "line": 1 }, - "id": "SV-230251" + "id": "SV-230224" }, { - "title": "Successful/unsuccessful uses of the mount syscall in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system 
(e.g., module or policy filter). The \"mount\" syscall is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.", + "desc": "By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n reenabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" syscall is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. 
Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"mount\" syscall by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"\\-S mount\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" syscall by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n\n The audit daemon must be restarted for the changes to take effect." + "default": "By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n reenabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. 
Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.", + "check": "If the system does not have SELinux enabled and enforcing a\n targeted policy, or if the pam_faillock module is not configured for use,\n this requirement is not applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1. If the system is RHEL\n version 8.2 or newer, this check is not applicable.\n\n Verify the location of the non-default tally directory for the pam_faillock\n module with the following command:\n\n $ sudo grep -w dir /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock\n auth required pam_faillock.so authfail dir=/var/log/faillock\n\n Check the security context type of the non-default tally directory with the\n following command:\n\n $ sudo ls -Zd /var/log/faillock\n\n unconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\n If the security context type of the non-default tally directory is not\n \"faillog_t\", this is a finding.", + "fix": "Configure RHEL 8 to allow the use of a non-default faillock\n tally directory while SELinux enforces a targeted policy.\n\n Update the /etc/selinux/targeted/contexts/files/file_contexts.local with\n \"faillog_t\" context type for the non-default faillock tally directory with\n the following command:\n\n $ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\n Next, update the context type of the non-default faillock directory/\n subdirectories and files with the following command:\n\n $ sudo restorecon -R -v /var/log/faillock" }, "impact": 0.5, "refs": [ 
@@ -10897,43 +10872,39 @@ } ], "tags": { + "check_id": "C-53750r793003_chk", "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230425", - "rid": "SV-230425r627750_rule", - "stig_id": "RHEL-08-030302", - "fix_id": "F-33069r568022_fix", + "gid": "V-250316", + "rid": "SV-250316r854080_rule", + "stig_id": "RHEL-08-020028", + "gtitle": "SRG-OS-000021-GPOS-00005", + "fix_id": "F-53704r793004_fix", + "documentable": null, "cci": [ - "CCI-000169" + "CCI-000044", + "CCI-002238" ], "nist": [ - "AU-12 a" + "AC-7 a", + "AC-7 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230425' do\n title 'Successful/unsuccessful uses of the mount syscall in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" syscall is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"mount\" syscall by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"\\\\-S mount\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" syscall by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k\nprivileged-mount\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230425'\n tag rid: 'SV-230425r627750_rule'\n tag stig_id: 'RHEL-08-030302'\n tag fix_id: 'F-33069r568022_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscall = 'mount'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n 
expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\nend\n", + "code": "control 'SV-250316' do\n title 'RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.'\n desc %q(By limiting the number of failed logon attempts, the risk of\n unauthorized system access via user password guessing, otherwise known as\n brute-force attacks, is reduced. Limits are imposed by locking the account.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n \"pam_faillock\" uses is usually cleared on system boot so the access will be\n reenabled after system reboot. If that is undesirable, a different tally\n directory must be set with the \"dir\" option.\n\n SELinux, enforcing a targeted policy, will require any non-default tally\n directory's security context type to match the default directory's security\n context type. Without updating the security context type, the pam_faillock\n module will not write failed login attempts to the non-default tally directory.)\n desc 'check', 'If the system does not have SELinux enabled and enforcing a\n targeted policy, or if the pam_faillock module is not configured for use,\n this requirement is not applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1. 
If the system is RHEL\n version 8.2 or newer, this check is not applicable.\n\n Verify the location of the non-default tally directory for the pam_faillock\n module with the following command:\n\n $ sudo grep -w dir /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock\n auth required pam_faillock.so authfail dir=/var/log/faillock\n\n Check the security context type of the non-default tally directory with the\n following command:\n\n $ sudo ls -Zd /var/log/faillock\n\n unconfined_u:object_r:faillog_t:s0 /var/log/faillock\n\n If the security context type of the non-default tally directory is not\n \"faillog_t\", this is a finding.'\n desc 'fix', 'Configure RHEL 8 to allow the use of a non-default faillock\n tally directory while SELinux enforces a targeted policy.\n\n Update the /etc/selinux/targeted/contexts/files/file_contexts.local with\n \"faillog_t\" context type for the non-default faillock tally directory with\n the following command:\n\n $ sudo semanage fcontext -a -t faillog_t \"/var/log/faillock(/.*)?\"\n\n Next, update the context type of the non-default faillock directory/\n subdirectories and files with the following command:\n\n $ sudo restorecon -R -v /var/log/faillock'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-53750r793003_chk'\n tag severity: 'medium'\n tag gid: 'V-250316'\n tag rid: 'SV-250316r854080_rule'\n tag stig_id: 'RHEL-08-020028'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag fix_id: 'F-53704r793004_fix'\n tag 'documentable'\n tag cci: ['CCI-000044', 'CCI-002238']\n tag nist: ['AC-7 a', 'AC-7 b']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.0 and 8.1. 
If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {\n os.release.to_f < 8.2\n }\n\n describe selinux do\n it { should be_installed }\n it { should be_enforcing }\n it { should_not be_disabled }\n end\n\n # TODO: refactor this with the pam resource\n describe file('/etc/pam.d/password-auth') do\n its('content') {\n should match(/auth\\s+required\\s+pam_faillock.so preauth\n dir=#{input('non_default_tally_dir')}/)\n }\n its('content') {\n should match(/auth\\s+required\\s+pam_faillock.so authfail\n dir=#{input('non_default_tally_dir')}/)\n }\n end\n\n faillock_tally = input('faillock_tally')\n\n describe \"The selected non-default tally directory for PAM: #{input('non_default_tally_dir')}\" do\n subject { file(input('non_default_tally_dir')) }\n its('selinux_label') { should match(/#{faillock_tally}/) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230425.rb", + "ref": "./Red Hat 8 STIG/controls/SV-250316.rb", "line": 1 }, - "id": "SV-230425" + "id": "SV-250316" }, - { - "title": "RHEL 8 must implement certificate status checking for multifactor authentication.", - "desc": "Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). 
By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.", + { + "title": "RHEL 8 must notify the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) when allocated audit record\nstorage volume 75 percent utilization.", + "desc": "If security personnel are not notified immediately when storage volume\nreaches 75 percent utilization, they are unable to plan for audit record\nstorage capacity expansion.", "descriptions": { - "default": "Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). 
By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.", - "check": "Verify the operating system implements certificate status checking for multifactor authentication.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing from the [sssd] section, or is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.", - "fix": "Configure the operating system to implement certificate status checking for multifactor authentication.\n\nReview the \"/etc/sssd/sssd.conf\" file to determine if the system is configured to prevent OCSP or certificate verification.\n\nAdd the following line to the [sssd] section of the \"/etc/sssd/sssd.conf\" file:\n\ncertificate_verification = ocsp_dgst=sha1\n\nThe \"sssd\" service must be restarted for the changes to take effect. 
To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service" + "default": "If security personnel are not notified immediately when storage volume\nreaches 75 percent utilization, they are unable to plan for audit record\nstorage capacity expansion.", + "check": "Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit\nrecord storage volume reaches 75 percent of the repository maximum audit record\nstorage capacity with the following command:\n\n $ sudo grep -w space_left_action /etc/audit/auditd.conf\n\n space_left_action = email\n\n If the value of the \"space_left_action\" is not set to \"email\", or if\nthe line is commented out, ask the System Administrator to indicate how the\nsystem is providing real-time alerts to the SA and ISSO.\n\n If there is no evidence that real-time alerts are configured on the system,\nthis is a finding.", + "fix": "Configure the operating system to initiate an action to notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75\npercent of the repository maximum audit record storage capacity by\nadding/modifying the following line in the /etc/audit/auditd.conf file.\n\n space_left_action = email\n\n Note: Option names and values in the auditd.conf file are case insensitive." }, "impact": 0.5, "refs": [ 
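Review bot: The version gate in the new SV-250316 code, `os.release.to_f < 8.2`, misclassifies RHEL 8.10: `'8.10'.to_f` is 8.1, so the control would run on 8.10 hosts that the check text itself says are Not Applicable; compare versions rather than floats, e.g. `Gem::Version.new(os.release) < Gem::Version.new('8.2')`. As reproduced in the `code` string, both `should match(/auth\s+required\s+pam_faillock.so preauth ... dir=#{input('non_default_tally_dir')}/)` regex literals appear to contain a line break with no `x` flag, so they could only match a pam line that is itself split across lines and would fail against the single-line `auth required pam_faillock.so preauth dir=/var/log/faillock` shown in the check text — keep each pattern on one line (or add `/x`) and escape the dot in `pam_faillock\.so`. The `selinux_label` assertion interpolates `input('faillock_tally')` unescaped and unanchored; `its('selinux_label') { should match(/:#{Regexp.escape(faillock_tally)}:/) }` pins the comparison to the type field of the label. The control record's opening `{` and title lie before this hunk.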
@@ -10943,37 +10914,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000375-GPOS-00160", - "satisfies": [ - "SRG-OS-000375-GPOS-00160", - "SRG-OS-000377-GPOS-00162" - ], - "gid": "V-230274", - "rid": "SV-230274r858741_rule", - "stig_id": "RHEL-08-010400", - "fix_id": "F-32918r809280_fix", + "gtitle": "SRG-OS-000343-GPOS-00134", + "gid": "V-244543", + "rid": "SV-244543r877389_rule", + "stig_id": "RHEL-08-030731", + "fix_id": "F-47775r743877_fix", "cci": [ - "CCI-001948" + "CCI-001855" ], "nist": [ - "IA-2 (11)" + "AU-5 (1)" ], "host": null }, - "code": "control 'SV-230274' do\n title 'RHEL 8 must implement certificate status checking for multifactor authentication.'\n desc 'Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). 
By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.'\n desc 'check', 'Verify the operating system implements certificate status checking for multifactor authentication.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing from the [sssd] section, or is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.'\n desc 'fix', 'Configure the operating system to implement certificate status checking for multifactor authentication.\n\nReview the \"/etc/sssd/sssd.conf\" file to determine if the system is configured to prevent OCSP or certificate verification.\n\nAdd the following line to the [sssd] section of the \"/etc/sssd/sssd.conf\" file:\n\ncertificate_verification = ocsp_dgst=sha1\n\nThe \"sssd\" service must be restarted for the changes to take effect. 
To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000377-GPOS-00162']\n tag gid: 'V-230274'\n tag rid: 'SV-230274r858741_rule'\n tag stig_id: 'RHEL-08-010400'\n tag fix_id: 'F-32918r809280_fix'\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n tag 'host'\n\n only_if('This requirement is Not Applicable inside the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternate_mfa_method').nil?\n describe 'Manual Review' do\n skip \"Alternate MFA method selected:\\t\\nConsult with ISSO to determine that alternate MFA method is approved; manually review system to ensure alternate MFA method is functioning\"\n end\n else\n sssd_conf_files = input('sssd_conf_files')\n sssd_conf_contents = ini({ command: \"cat #{input('sssd_conf_files').join(' ')}\" })\n sssd_certificate_verification = input('sssd_certificate_verification')\n\n describe 'SSSD' do\n it 'should be installed and enabled' do\n expect(service('sssd')).to be_installed.and be_enabled\n expect(sssd_conf_contents.params).to_not be_empty, \"SSSD configuration files not found or have no content; files checked:\\n\\t- #{sssd_conf_files.join(\"\\n\\t- \")}\"\n end\n if sssd_conf_contents.params.nil?\n it \"should configure certificate_verification to be '#{sssd_certificate_verification}'\" do\n expect(sssd_conf_contents.sssd.certificate_verification).to eq(sssd_certificate_verification)\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244543' do\n title 'RHEL 8 must notify the System Administrator (SA) and Information\nSystem Security Officer (ISSO) (at a minimum) when allocated audit record\nstorage volume 75 percent utilization.'\n desc 'If security personnel are not notified immediately when storage volume\nreaches 75 percent utilization, they 
are unable to plan for audit record\nstorage capacity expansion.'\n desc 'check', 'Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit\nrecord storage volume reaches 75 percent of the repository maximum audit record\nstorage capacity with the following command:\n\n $ sudo grep -w space_left_action /etc/audit/auditd.conf\n\n space_left_action = email\n\n If the value of the \"space_left_action\" is not set to \"email\", or if\nthe line is commented out, ask the System Administrator to indicate how the\nsystem is providing real-time alerts to the SA and ISSO.\n\n If there is no evidence that real-time alerts are configured on the system,\nthis is a finding.'\n desc 'fix', 'Configure the operating system to initiate an action to notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75\npercent of the repository maximum audit record storage capacity by\nadding/modifying the following line in the /etc/audit/auditd.conf file.\n\n space_left_action = email\n\n Note: Option names and values in the auditd.conf file are case insensitive.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-244543'\n tag rid: 'SV-244543r877389_rule'\n tag stig_id: 'RHEL-08-030731'\n tag fix_id: 'F-47775r743877_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag 'host'\n\n alert_method = input('alert_method')\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe auditd_conf do\n its('space_left_action.downcase') { should cmp alert_method }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230274.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244543.rb", "line": 1 }, - "id": "SV-230274" + "id": "SV-244543" }, { - "title": "RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.", - 
"desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must mount /var/tmp with the nodev option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 will not accept IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_redirects\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0\n\nIf \"net.ipv6.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/tmp\" is mounted with the \"nodev\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"nodev\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"nodev\" option is missing, or if /var/tmp is mounted without the \"nodev\" option, this is a finding.", + "fix": "Configure the system so that /var/tmp is mounted with the \"nodev\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
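Review bot: `its('space_left_action.downcase') { should cmp alert_method }` in the new SV-244543 code raises `NoMethodError` on `nil` when `space_left_action` is absent or commented out in `/etc/audit/auditd.conf`, so the exact condition the check text calls a finding surfaces as a test error rather than a readable failure. InSpec's `cmp` matcher already compares strings case-insensitively, so the `.downcase` adds nothing; `its('space_left_action') { should cmp alert_method }` gives the same verdict on present values and a clean "expected: email got: nil" on missing ones. Since the check text treats any value other than `email` as needing SA evidence of real-time alerting, a one-line comment above `alert_method = input('alert_method')` such as `# Non-'email' values must be backed by ISSO-approved alerting evidence (see check text)` would make the permitted deviation explicit. This hunk also carries the title and descriptions of SV-230520 (/var/tmp nodev), whose code lies in the next hunk.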
@@ -10983,33 +10950,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230535", - "rid": "SV-230535r858793_rule", - "stig_id": "RHEL-08-040210", - "fix_id": "F-33179r858792_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230520", + "rid": "SV-230520r854061_rule", + "stig_id": "RHEL-08-040132", + "fix_id": "F-33164r792926_fix", "cci": [ - "CCI-000366" + "CCI-001764" ], "nist": [ - "CM-6 b" + "CM-7 (2)" ], "host": null }, - "code": "control 'SV-230535' do\n title 'RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 will not accept IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_redirects\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0\n\nIf \"net.ipv6.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230535'\n tag rid: 
'SV-230535r858793_rule'\n tag stig_id: 'RHEL-08-040210'\n tag fix_id: 'F-33179r858792_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_redirects'\n action = 'accepting IPv6 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n 
expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230520' do\n title 'RHEL 8 must mount /var/tmp with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/tmp\" is mounted with the \"nodev\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"nodev\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"nodev\" option is missing, or if /var/tmp is mounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/tmp is mounted with the \"nodev\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230520'\n tag rid: 'SV-230520r854061_rule'\n tag stig_id: 'RHEL-08-040132'\n tag fix_id: 'F-33164r792926_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/tmp'\n option = 'nodev'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230535.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230520.rb", "line": 1 }, - "id": "SV-230535" + "id": "SV-230520" }, { - "title": "RHEL 8 must disable access to network bpf syscall from unprivileged\nprocesses.", - "desc": "It is detrimental for operating systems to 
provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 passwords for new users must have a minimum of 15 characters.", + "desc": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n The DoD minimum password requirement is 15 characters.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:\n\n$ sudo sysctl kernel.unprivileged_bpf_disabled\n\nkernel.unprivileged_bpf_disabled = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1\n\nIf \"kernel.unprivileged_bpf_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.unprivileged_bpf_disabled = 1\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" + "default": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n The DoD minimum password requirement is 15 characters.", + "check": "Verify that RHEL 8 enforces a minimum 15-character password length for new\nuser accounts by running the following command:\n\n $ sudo grep -i pass_min_len /etc/login.defs\n\n PASS_MIN_LEN 15\n\n If the \"PASS_MIN_LEN\" parameter value is less than \"15\", or commented\nout, this is a finding.", + "fix": "Configure operating system to enforce a minimum 15-character password\nlength for new user accounts.\n\n Add, or modify the following line in the \"/etc/login.defs\" file:\n\n PASS_MIN_LEN 15" }, "impact": 0.5, "refs": [ 
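Review bot: The new SV-230520 `code` string asserts `its('mount_options.flatten') { should include option }` on `etc_fstab.where { mount_point == path }`, which appears to yield no rows when /var/tmp has no fstab entry of its own, so the expectation fails on an empty array even though the check text in the same hunk only calls a returned entry lacking `nodev` a finding; if a separate /var/tmp partition is enforced by another control, a comment in the control saying so would make that intent explicit. The `describe mount(path)` block also has no `it { should be_mounted }` expectation, so a host where /var/tmp is not a mount point surfaces as a confusing `options` failure rather than a clear one; `describe mount(path) do` / `it { should be_mounted }` / `its('options') { should include option }` reads better. The JSON object for this control opens in the preceding hunk, and `source_location.ref` indicates the `code` is exported from `./Red Hat 8 STIG/controls/SV-230520.rb`, so the change presumably belongs in that file with this export regenerated.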
@@ -11019,33 +10986,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230545", - "rid": "SV-230545r858822_rule", - "stig_id": "RHEL-08-040281", - "fix_id": "F-33189r858821_fix", + "gtitle": "SRG-OS-000078-GPOS-00046", + "gid": "V-230370", + "rid": "SV-230370r627750_rule", + "stig_id": "RHEL-08-020231", + "fix_id": "F-33014r567857_fix", "cci": [ - "CCI-000366" + "CCI-000205" ], "nist": [ - "CM-6 b" + "IA-5 (1) (a)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230545' do\n title 'RHEL 8 must disable access to network bpf syscall from unprivileged\nprocesses.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:\n\n$ sudo sysctl kernel.unprivileged_bpf_disabled\n\nkernel.unprivileged_bpf_disabled = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1\n\nIf \"kernel.unprivileged_bpf_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.unprivileged_bpf_disabled = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230545'\n tag rid: 'SV-230545r858822_rule'\n tag stig_id: 'RHEL-08-040281'\n tag fix_id: 'F-33189r858821_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.unprivileged_bpf_disabled'\n action = 'bpf syscall from unprivileged processes'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the 
`#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230370' do\n title 'RHEL 8 passwords for new users must have a minimum of 15 characters.'\n desc 'The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. 
Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n The DoD minimum password requirement is 15 characters.'\n desc 'check', 'Verify that RHEL 8 enforces a minimum 15-character password length for new\nuser accounts by running the following command:\n\n $ sudo grep -i pass_min_len /etc/login.defs\n\n PASS_MIN_LEN 15\n\n If the \"PASS_MIN_LEN\" parameter value is less than \"15\", or commented\nout, this is a finding.'\n desc 'fix', 'Configure operating system to enforce a minimum 15-character password\nlength for new user accounts.\n\n Add, or modify the following line in the \"/etc/login.defs\" file:\n\n PASS_MIN_LEN 15'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000078-GPOS-00046'\n tag gid: 'V-230370'\n tag rid: 'SV-230370r627750_rule'\n tag stig_id: 'RHEL-08-020231'\n tag fix_id: 'F-33014r567857_fix'\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n value = input('pass_min_len')\n setting = input_object('pass_min_len').name.upcase\n\n describe \"/etc/login.defs does not have `#{setting}` configured\" do\n let(:config) { login_defs.read_params[setting] }\n it \"greater than #{value} day\" do\n expect(config).to cmp >= value\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230545.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230370.rb", "line": 1 }, - "id": "SV-230545" + "id": "SV-230370" }, { - "title": "RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime\nrestriction in /etc/shadow.", - "desc": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", + "title": "The RHEL 8 /var/log directory must be group-owned by root.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", - "check": "Check whether the minimum time period between password changes for each\nuser account is one day or greater.\n\n $ sudo awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.", - "fix": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum\npassword lifetime:\n\n $ sudo chage -m 1 [user]" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. 
Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the \"/var/log\" directory is group-owned by root with the following\ncommand:\n\n $ sudo stat -c \"%G\" /var/log\n\n root\n\n If \"root\" is not returned as a result, this is a finding.", + "fix": "Change the group of the directory \"/var/log\" to \"root\" by running the\nfollowing command:\n\n $ sudo chgrp root /var/log" }, "impact": 0.5, "refs": [ 
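Review bot: In the new SV-230370 `code` string the example name `it "greater than #{value} day"` looks like a leftover from a days-based lifetime control; `PASS_MIN_LEN` is a character count and the expectation is `cmp >= value`, so the reported test name misdescribes the check. The `describe` subject `"/etc/login.defs does not have `#{setting}` configured"` is phrased as a failure message and is printed even when the expectation passes. Suggested: `describe "/etc/login.defs #{setting}" do` and `it "is at least #{value} characters" do`. Since `source_location.ref` points at `./Red Hat 8 STIG/controls/SV-230370.rb`, the wording fix belongs in that control with this export regenerated; the enclosing JSON control object opens in the preceding hunk.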
@@ -11055,70 +11023,70 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000075-GPOS-00043", - "gid": "V-230364", - "rid": "SV-230364r627750_rule", - "stig_id": "RHEL-08-020180", - "fix_id": "F-33008r567839_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-230250", + "rid": "SV-230250r627750_rule", + "stig_id": "RHEL-08-010260", + "fix_id": "F-32894r567497_fix", "cci": [ - "CCI-000198" + "CCI-001314" ], "nist": [ - "IA-5 (1) (d)" + "SI-11 b" ], "host": null, "container": null }, - "code": "control 'SV-230364' do\n title 'RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime\nrestriction in /etc/shadow.'\n desc \"Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.\"\n desc 'check', %q(Check whether the minimum time period between password changes for each\nuser account is one day or greater.\n\n $ sudo awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.)\n desc 'fix', 'Configure non-compliant accounts to enforce a 24 hours/1 day minimum\npassword lifetime:\n\n $ sudo chage -m 1 [user]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000075-GPOS-00043'\n tag gid: 'V-230364'\n tag rid: 'SV-230364r627750_rule'\n tag stig_id: 'RHEL-08-020180'\n tag fix_id: 'F-33008r567839_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag 'host'\n tag 'container'\n\n # TODO: add inputs for a frequecny\n\n bad_users = users.where { uid >= 1000 }.where { mindays < 1 }.usernames\n in_scope_users = bad_users - input('exempt_home_users')\n\n describe 'Users should not' do\n it 'be able to change 
their password more then once a 24 hour period' do\n failure_message = \"The following users can update their password more then once a day: #{in_scope_users.join(', ')}\"\n expect(in_scope_users).to be_empty, failure_message\n end\n end\nend\n", + "code": "control 'SV-230250' do\n title 'The RHEL 8 /var/log directory must be group-owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify the \"/var/log\" directory is group-owned by root with the following\ncommand:\n\n $ sudo stat -c \"%G\" /var/log\n\n root\n\n If \"root\" is not returned as a result, this is a finding.'\n desc 'fix', 'Change the group of the directory \"/var/log\" to \"root\" by running the\nfollowing command:\n\n $ sudo chgrp root /var/log'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230250'\n tag rid: 'SV-230250r627750_rule'\n tag stig_id: 'RHEL-08-010260'\n tag fix_id: 'F-32894r567497_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n tag 'container'\n\n describe directory('/var/log') do\n it { should exist }\n its('group') { should eq 'root' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230364.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230250.rb", "line": 1 }, - "id": "SV-230364" + "id": 
"SV-230250" }, { - "title": "RHEL 8 must prohibit the use of cached authentications after one day.", - "desc": "If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.\n\nRHEL 8 includes multiple options for configuring authentication, but this\nrequirement will be focus on the System Security Services Daemon (SSSD). By\ndefault sssd does not cache credentials.", + "title": "RHEL 8 must limit the number of concurrent sessions to ten for all\naccounts and/or account types.", + "desc": "Operating system management includes the ability to control the number\nof users and user sessions that utilize an operating system. Limiting the\nnumber of allowed users and sessions per user is helpful in reducing the risks\nrelated to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased on mission needs and the operational environment for each system.", "descriptions": { - "default": "If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.\n\nRHEL 8 includes multiple options for configuring authentication, but this\nrequirement will be focus on the System Security Services Daemon (SSSD). 
By\ndefault sssd does not cache credentials.", - "check": "Verify that the SSSD prohibits the use of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is Not Applicable.\n\nCheck that SSSD allows cached authentications with the following command:\n\n $ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n cache_credentials = true\n\nIf \"cache_credentials\" is set to \"false\" or missing from the configuration file, this is not a finding and no further checks are required.\n\nIf \"cache_credentials\" is set to \"true\", check that SSSD prohibits the use of cached authentications after one day with the following command:\n\n $ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n offline_credentials_expiration = 1\n\nIf \"offline_credentials_expiration\" is not set to a value of \"1\", this is a finding.", - "fix": "Configure the SSSD to prohibit the use of cached authentications\nafter one day.\n\nAdd or change the following line in \"/etc/sssd/sssd.conf\" just below the\nline \"[pam]\".\n\noffline_credentials_expiration = 1" + "default": "Operating system management includes the ability to control the number\nof users and user sessions that utilize an operating system. Limiting the\nnumber of allowed users and sessions per user is helpful in reducing the risks\nrelated to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. 
The maximum number of concurrent sessions should be defined\nbased on mission needs and the operational environment for each system.", + "check": "Verify the operating system limits the number of concurrent sessions to\n\"10\" for all accounts and/or account types by issuing the following command:\n\n $ sudo grep -r -s '^[^#].*maxlogins' /etc/security/limits.conf\n/etc/security/limits.d/*.conf\n\n * hard maxlogins 10\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"maxlogins\" item is missing, commented out, or the value is set\ngreater than \"10\" and is not documented with the Information System Security\nOfficer (ISSO) as an operational requirement for all domains that have the\n\"maxlogins\" item assigned, this is a finding.", + "fix": "Configure the operating system to limit the number of concurrent sessions\nto \"10\" for all accounts and/or account types.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/:\n\n * hard maxlogins 10" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000383-GPOS-00166", - "gid": "V-230376", - "rid": "SV-230376r942948_rule", - "stig_id": "RHEL-08-020290", - "fix_id": "F-33020r942947_fix", + "severity": "low", + "gtitle": "SRG-OS-000027-GPOS-00008", + "gid": "V-230346", + "rid": "SV-230346r877399_rule", + "stig_id": "RHEL-08-020024", + "fix_id": "F-32990r619863_fix", "cci": [ - "CCI-002007" + "CCI-000054" ], "nist": [ - "IA-5 (13)" + "AC-10" ], "host": null }, - "code": "control 'SV-230376' do\n title 'RHEL 8 must prohibit the use of cached authentications after one day.'\n desc 'If cached authentication information is out-of-date, the validity of\nthe authentication information may be questionable.\n\nRHEL 8 includes multiple options for configuring authentication, but 
this\nrequirement will be focus on the System Security Services Daemon (SSSD). By\ndefault sssd does not cache credentials.'\n desc 'check', 'Verify that the SSSD prohibits the use of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is Not Applicable.\n\nCheck that SSSD allows cached authentications with the following command:\n\n $ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n cache_credentials = true\n\nIf \"cache_credentials\" is set to \"false\" or missing from the configuration file, this is not a finding and no further checks are required.\n\nIf \"cache_credentials\" is set to \"true\", check that SSSD prohibits the use of cached authentications after one day with the following command:\n\n $ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n offline_credentials_expiration = 1\n\nIf \"offline_credentials_expiration\" is not set to a value of \"1\", this is a finding.'\n desc 'fix', 'Configure the SSSD to prohibit the use of cached authentications\nafter one day.\n\nAdd or change the following line in \"/etc/sssd/sssd.conf\" just below the\nline \"[pam]\".\n\noffline_credentials_expiration = 1'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000383-GPOS-00166'\n tag gid: 'V-230376'\n tag rid: 'SV-230376r942948_rule'\n tag stig_id: 'RHEL-08-020290'\n tag fix_id: 'F-33020r942947_fix'\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n tag 'host'\n\n sssd_config = parse_config_file('/etc/sssd/sssd.conf')\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('smart_card_enabled')\n impact 0.0\n describe 'The system is not utilizing smart card authentication' do\n skip 'The system is not utilizing smart card authentication, this control\n is Not Applicable.'\n end\n else\n describe.one do\n 
describe 'Cache credentials enabled' do\n subject { sssd_config.content }\n it { should_not match(/cache_credentials\\s*=\\s*true/) }\n end\n describe 'Offline credentials expiration' do\n subject { sssd_config }\n its('pam.offline_credentials_expiration') { should cmp '1' }\n end\n end\n end\nend\n", + "code": "control 'SV-230346' do\n title 'RHEL 8 must limit the number of concurrent sessions to ten for all\naccounts and/or account types.'\n desc 'Operating system management includes the ability to control the number\nof users and user sessions that utilize an operating system. Limiting the\nnumber of allowed users and sessions per user is helpful in reducing the risks\nrelated to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased on mission needs and the operational environment for each system.'\n desc 'check', %q(Verify the operating system limits the number of concurrent sessions to\n\"10\" for all accounts and/or account types by issuing the following command:\n\n $ sudo grep -r -s '^[^#].*maxlogins' /etc/security/limits.conf\n/etc/security/limits.d/*.conf\n\n * hard maxlogins 10\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"maxlogins\" item is missing, commented out, or the value is set\ngreater than \"10\" and is not documented with the Information System Security\nOfficer (ISSO) as an operational requirement for all domains that have the\n\"maxlogins\" item assigned, this is a finding.)\n desc 'fix', 'Configure the operating system to limit the number of concurrent sessions\nto \"10\" for all accounts and/or account types.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/:\n\n * hard maxlogins 10'\n 
impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000027-GPOS-00008'\n tag gid: 'V-230346'\n tag rid: 'SV-230346r877399_rule'\n tag stig_id: 'RHEL-08-020024'\n tag fix_id: 'F-32990r619863_fix'\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n setting = 'maxlogins'\n expected_value = input('concurrent_sessions_permitted')\n\n limits_files = command('ls /etc/security/limits.d/*.conf').stdout.strip.split\n limits_files.append('/etc/security/limits.conf')\n\n # make sure that at least one limits.conf file has the correct setting\n globally_set = limits_files.any? { |lf| !limits_conf(lf).read_params['*'].nil? && limits_conf(lf).read_params['*'].include?(['hard', setting.to_s, expected_value.to_s]) }\n\n # make sure that no limits.conf file has a value that contradicts the global set\n failing_files = limits_files.select { |lf|\n limits_conf(lf).read_params.values.flatten(1).any? { |l|\n l[1].eql?(setting) && l[2].to_i > expected_value\n }\n }\n describe 'Limits files' do\n it \"should limit concurrent sessions to #{expected_value} by default\" do\n expect(globally_set).to eq(true), \"No global ('*') setting for concurrent sessions found\"\n end\n it 'should not have any conflicting settings' do\n expect(failing_files).to be_empty, \"Files with incorrect '#{setting}' settings:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230376.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230346.rb", "line": 1 }, - "id": "SV-230376" + "id": "SV-230346" }, { - "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on the /boot directory.", - "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. 
This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.", + "desc": "To ensure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", "descriptions": { - "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", - "check": "For systems that use UEFI, this is Not Applicable.\n\n Verify the /boot directory is mounted with the \"nosuid\" option with the\nfollowing command:\n\n $ sudo mount | grep '\\s/boot\\s'\n\n /dev/sda1 on /boot type xfs\n(rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\n If the /boot file system does not have the \"nosuid\" option set, this is a\nfinding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nthe /boot directory." + "default": "To ensure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. 
Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", + "check": "Verify that RHEL 8 contains no duplicate User IDs (UIDs) for interactive\nusers.\n\n Check that the operating system contains no duplicate UIDs for interactive\nusers with the following command:\n\n $ sudo awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\n If output is produced, and the accounts listed are interactive user\naccounts, this is a finding.", + "fix": "Edit the file \"/etc/passwd\" and provide each interactive user\naccount that has a duplicate User ID (UID) with a unique UID." }, "impact": 0.5, "refs": [ 
@@ -11128,47 +11096,53 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230300", - "rid": "SV-230300r743959_rule", - "stig_id": "RHEL-08-010571", - "fix_id": "F-32944r567647_fix", + "gtitle": "SRG-OS-000104-GPOS-00051", + "satisfies": [ + "SRG-OS-000104-GPOS-00051", + "SRG-OS-000121-GPOS-00062", + "SRG-OS-000042-GPOS-00020" + ], + "gid": "V-230371", + "rid": "SV-230371r627750_rule", + "stig_id": "RHEL-08-020240", + "fix_id": "F-33015r567860_fix", "cci": [ - "CCI-000366" + "CCI-000764" ], "nist": [ - "CM-6 b" + "IA-2" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230300' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on the /boot directory.'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', %q(For systems that use UEFI, this is Not Applicable.\n\n Verify the /boot directory is mounted with the \"nosuid\" option with the\nfollowing command:\n\n $ sudo mount | grep '\\s/boot\\s'\n\n /dev/sda1 on /boot type xfs\n(rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\n If the /boot file system does not have the \"nosuid\" option set, this is a\nfinding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nthe /boot directory.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230300'\n tag rid: 'SV-230300r743959_rule'\n tag stig_id: 'RHEL-08-010571'\n tag fix_id: 'F-32944r567647_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if file('/sys/firmware/efi').exist?\n impact 0.0\n describe 'System running UEFI' do\n skip 'The System is running UEFI, this control is Not Applicable.'\n end\n else\n describe mount('/boot') do\n it { should be_mounted }\n its('options') { should include 'nosuid' }\n end\n end\nend\n", + "code": "control 'SV-230371' do\n title 'RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.'\n desc 'To ensure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and 
documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.'\n desc 'check', %q(Verify that RHEL 8 contains no duplicate User IDs (UIDs) for interactive\nusers.\n\n Check that the operating system contains no duplicate UIDs for interactive\nusers with the following command:\n\n $ sudo awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\n If output is produced, and the accounts listed are interactive user\naccounts, this is a finding.)\n desc 'fix', 'Edit the file \"/etc/passwd\" and provide each interactive user\naccount that has a duplicate User ID (UID) with a unique UID.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000104-GPOS-00051'\n tag satisfies: ['SRG-OS-000104-GPOS-00051', 'SRG-OS-000121-GPOS-00062', 'SRG-OS-000042-GPOS-00020']\n tag gid: 'V-230371'\n tag rid: 'SV-230371r627750_rule'\n tag stig_id: 'RHEL-08-020240'\n tag fix_id: 'F-33015r567860_fix'\n tag cci: ['CCI-000764']\n tag nist: ['IA-2']\n tag 'host'\n tag 'container'\n\n user_count = passwd.where { uid.to_i >= 1000 }.entries.length\n\n describe \"Count of interactive unique user IDs should match interactive user count (#{user_count}): UID count\" do\n subject { passwd.where { uid.to_i >= 1000 }.uids.uniq.length }\n it { should eq user_count }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230300.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230371.rb", "line": 1 }, - "id": "SV-230300" + "id": "SV-230371" }, { - "title": "RHEL 8 must prevent special devices on non-root local partitions.", - "desc": "The \"nodev\" mount 
option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access. The only legitimate\nlocation for device files is the /dev directory located on the root partition.", + "title": "The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.", + "desc": "A locally logged-on user, who presses Ctrl-Alt-Delete when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", "descriptions": { - "default": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access. The only legitimate\nlocation for device files is the /dev directory located on the root partition.", - "check": "Verify all non-root local partitions are mounted with the \"nodev\" option\nwith the following command:\n\n $ sudo mount | grep '^/dev\\S* on /\\S' | grep --invert-match 'nodev'\n\n If any output is produced, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option on all\nnon-root local partitions." + "default": "A locally logged-on user, who presses Ctrl-Alt-Delete when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "check": "Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed with the following command:\n\n $ sudo systemctl status ctrl-alt-del.target\n\n ctrl-alt-del.target\n Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\n Active: inactive (dead)\n\n If the \"ctrl-alt-del.target\" is loaded and not masked, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl mask ctrl-alt-del.target\n\nCreated symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", + "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230301", - "rid": "SV-230301r627750_rule", - "stig_id": "RHEL-08-010580", - "fix_id": "F-32945r567650_fix", + "gid": "V-230529", + "rid": "SV-230529r833338_rule", + "stig_id": "RHEL-08-040170", + "fix_id": "F-33173r833337_fix", "cci": [ "CCI-000366" ], 
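Review bot: The new SV-230371 check in this hunk's `code` string only compares two counts, so a failure reads "UID count should eq N" and never names the colliding UIDs or accounts, which is what an assessor needs to act on; the profile's own convention elsewhere (for example the `failing_files` message in SV-230346) is to list the offending items in the expectation message. It also spells the `uid.to_i >= 1000` interactive threshold twice and, by filtering before looking for duplicates, never examines a second UID-0 entry, whereas the STIG check text's awk scans every line of /etc/passwd and leaves the "interactive" judgement to the reviewer — whether a duplicate UID 0 should fail this particular control is a policy call, but the threshold should at least be one named value so the two queries cannot drift. A rewrite that collects the duplicate UIDs once and reports them together with the accounts holding them is sketched below; it belongs in the embedded Ruby of the `code` string and in the control's `.rb` file named by `source_location`. The SV-230371 object itself begins in the previous hunk, and the SV-230529 object at the end of this hunk continues into the next.
```ruby
  # … unchanged: title, desc, impact, ref and tag lines …

  min_interactive_uid = 1000
  interactive = passwd.where { uid.to_i >= min_interactive_uid }
  duplicate_uids = interactive.uids.group_by(&:itself).select { |_, hits| hits.length > 1 }.keys
  colliding_users = interactive.where { duplicate_uids.include?(uid) }.users

  describe "Interactive user accounts (UID >= #{min_interactive_uid})" do
    it 'should each have a unique UID' do
      expect(duplicate_uids).to be_empty, "Duplicate UIDs:\n\t- #{duplicate_uids.join("\n\t- ")}\n(accounts: #{colliding_users.join(', ')})"
    end
  end
```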
@@ -11177,65 +11151,57 @@ ], "host": null }, - "code": "control 'SV-230301' do\n title 'RHEL 8 must prevent special devices on non-root local partitions.'\n desc 'The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access. The only legitimate\nlocation for device files is the /dev directory located on the root partition.'\n desc 'check', %q(Verify all non-root local partitions are mounted with the \"nodev\" option\nwith the following command:\n\n $ sudo mount | grep '^/dev\\S* on /\\S' | grep --invert-match 'nodev'\n\n If any output is produced, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nodev\" option on all\nnon-root local partitions.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230301'\n tag rid: 'SV-230301r627750_rule'\n tag stig_id: 'RHEL-08-010580'\n tag fix_id: 'F-32945r567650_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nodev'\n\n mount_stdout = command('mount').stdout.lines\n failing_mount_points = mount_stdout.select { |mp| mp.match(%r{^/dev\\S*\\s+on\\s+/\\S}) }.reject { |mp| mp.match(/\\(.*#{option}.*\\)/) }\n\n describe \"All mounted devices outside of '/dev' directory\" do\n it \"should be mounted with the '#{option}' option\" do\n expect(failing_mount_points).to be_empty, \"Failing devices:\\n\\t- #{failing_mount_points.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230529' do\n title 'The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.'\n desc 'A locally logged-on user, who presses Ctrl-Alt-Delete when at the\nconsole, can reboot the 
system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.'\n desc 'check', 'Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed with the following command:\n\n $ sudo systemctl status ctrl-alt-del.target\n\n ctrl-alt-del.target\n Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\n Active: inactive (dead)\n\n If the \"ctrl-alt-del.target\" is loaded and not masked, this is a finding.'\n desc 'fix', 'Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl mask ctrl-alt-del.target\n\nCreated symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230529'\n tag rid: 'SV-230529r833338_rule'\n tag stig_id: 'RHEL-08-040170'\n tag fix_id: 'F-33173r833337_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n c = systemd_service('ctrl-alt-del.target')\n\n describe.one do\n describe c do\n its('params.LoadState') { should eq 'masked' }\n end\n describe c do\n its('params.LoadState') { should eq 'not-found' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230301.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230529.rb", "line": 1 }, - "id": "SV-230301" + "id": "SV-230529" }, { - "title": "Successful/unsuccessful uses of 
semanage in RHEL 8 must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"semanage\" command is used to configure certain elements of SELinux\npolicy without requiring modification to or recompilation from policy sources.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "The gssproxy package must not be installed unless mission essential on\nRHEL 8.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The gssproxy package is a proxy for GSS API credential handling and could\nexpose secrets on some networks. It is not needed for normal function of the OS.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"semanage\" command is used to configure certain elements of SELinux\npolicy without requiring modification to or recompilation from policy sources.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"semanage\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"semanage\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"semanage\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The gssproxy package is a proxy for GSS API credential handling and could\nexpose secrets on some networks. It is not needed for normal function of the OS.", + "check": "Verify the gssproxy package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed gssproxy\n\n gssproxy.x86_64\n0.8.0-14.el8 @anaconda\n\n If the gssproxy package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", + "fix": "Document the gssproxy package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n $ sudo yum remove gssproxy" }, "impact": 0.5, "refs": [ - { - "ref": "DPMS Target Red Hat Enterprise Linux 8" - } - ], - "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230429", - "rid": "SV-230429r627750_rule", - "stig_id": "RHEL-08-030313", - "fix_id": "F-33073r568034_fix", + { + "ref": "DPMS Target Red Hat Enterprise Linux 8" + } + ], + "tags": { + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230559", + "rid": "SV-230559r646887_rule", + "stig_id": "RHEL-08-040370", + "fix_id": "F-33203r568424_fix", "cci": [ - "CCI-000169" + "CCI-000381" ], "nist": [ - "AU-12 a" + "CM-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230429' do\n title 'Successful/unsuccessful uses of semanage in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not 
contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"semanage\" command is used to configure certain elements of SELinux\npolicy without requiring modification to or recompilation from policy sources.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"semanage\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"semanage\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"semanage\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230429'\n tag rid: 
'SV-230429r627750_rule'\n tag stig_id: 'RHEL-08-030313'\n tag fix_id: 'F-33073r568034_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/semanage'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230559' do\n title 'The gssproxy package must not be installed unless mission essential on\nRHEL 8.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The gssproxy package is a proxy for GSS API credential handling and could\nexpose secrets on some networks. 
It is not needed for normal function of the OS.'\n desc 'check', 'Verify the gssproxy package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed gssproxy\n\n gssproxy.x86_64\n0.8.0-14.el8 @anaconda\n\n If the gssproxy package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the gssproxy package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n $ sudo yum remove gssproxy'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230559'\n tag rid: 'SV-230559r646887_rule'\n tag stig_id: 'RHEL-08-040370'\n tag fix_id: 'F-33203r568424_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n if input('gssproxy_required')\n describe package('gssproxy') do\n it { should be_installed }\n end\n else\n describe package('gssproxy') do\n it { should_not be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230429.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230559.rb", "line": 1 }, - "id": "SV-230429" + "id": "SV-230559" }, { - "title": "The krb5-server package must not be installed on RHEL 8.", - "desc": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", + "title": "All RHEL 8 local interactive user home directories must be group-owned\nby the home directory owner’s primary group.", + "desc": "If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.", "descriptions": { - "default": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.", - "check": "Verify the krb5-server package has not been installed on the system with\nthe following commands:\n\n If the system is a workstation or is utilizing\nkrb5-server-1.17-18.el8.x86_64 or newer, this is Not Applicable\n\n $ sudo yum list installed krb5-server\n\n krb5-server.x86_64 1.17-9.el8 repository\n\n If the krb5-server package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", - "fix": "Document the krb5-server package with the ISSO as an operational\nrequirement or remove it from the system with the following command:\n\n $ sudo yum remove krb5-server" + "default": "If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.", + "check": "Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. 
The returned directory \"/home/smithj\" is used as an example.\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n\n drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n $ sudo grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group\n\n admin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user’s primary GID, this is a finding.", + "fix": "Change the group owner of a local interactive user’s home directory to the\ngroup found in \"/etc/passwd\". To change the group owner of a local\ninteractive user’s home directory, use the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\", and has a primary group of users.\n\n $ sudo chgrp users /home/smithj" }, "impact": 0.5, "refs": [ 
@@ -11245,34 +11211,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000120-GPOS-00061", - "gid": "V-237640", - "rid": "SV-237640r646890_rule", - "stig_id": "RHEL-08-010163", - "fix_id": "F-40822r646889_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230322", + "rid": "SV-230322r880717_rule", + "stig_id": "RHEL-08-010740", + "fix_id": "F-32966r880716_fix", "cci": [ - "CCI-000803" + "CCI-000366" ], "nist": [ - "IA-7" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-237640' do\n title 'The krb5-server package must not be installed on RHEL 8.'\n desc 'Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n RHEL 8 systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n Currently, Kerberos does not utilize FIPS 140-2 cryptography.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral-purpose computing system.'\n desc 'check', 'Verify the krb5-server package has not been installed on the system with\nthe following commands:\n\n If the system is a workstation or is utilizing\nkrb5-server-1.17-18.el8.x86_64 or newer, this is Not Applicable\n\n $ sudo yum list installed krb5-server\n\n krb5-server.x86_64 1.17-9.el8 repository\n\n If the krb5-server package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the krb5-server package with the ISSO as an operational\nrequirement or remove it from the system with the following command:\n\n $ sudo yum remove krb5-server'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000120-GPOS-00061'\n tag gid: 'V-237640'\n tag rid: 'SV-237640r646890_rule'\n tag stig_id: 'RHEL-08-010163'\n tag fix_id: 'F-40822r646889_fix'\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n tag 'container'\n\n kerb = package('krb5-server')\n\n if (kerb.installed? 
&& kerb.version >= '1.17-9.el8') || input('system_is_workstation')\n impact 0.0\n describe 'N/A' do\n skip 'The system is a workstation or is utilizing krb5-server-1.17-9.el8 or newer; control is Not Applicable.'\n end\n elsif input('kerberos_required')\n describe package('krb5-server') do\n it { should be_installed }\n end\n else\n describe package('krb5-server') do\n it { should_not be_installed }\n end\n end\nend\n", + "code": "control 'SV-230322' do\n title 'All RHEL 8 local interactive user home directories must be group-owned\nby the home directory owner’s primary group.'\n desc 'If the Group Identifier (GID) of a local interactive user’s home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user’s files, and users that share the same group\nmay not be able to access files that they legitimately should.'\n desc 'check', %q(Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory \"/home/smithj\" is used as an example.\n\n $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n\n drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n $ sudo grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group\n\n admin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user’s primary GID, this is a finding.)\n desc 'fix', 'Change the group owner of a local interactive user’s home directory to the\ngroup found in \"/etc/passwd\". 
To change the group owner of a local\ninteractive user’s home directory, use the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\", and has a primary group of users.\n\n $ sudo chgrp users /home/smithj'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230322'\n tag rid: 'SV-230322r880717_rule'\n tag stig_id: 'RHEL-08-010740'\n tag fix_id: 'F-32966r880716_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n exempt_home_users = input('exempt_home_users')\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n iuser_entries = passwd.where { uid.to_i >= uid_min && shell !~ /nologin/ && !exempt_home_users.include?(user) }\n\n if !iuser_entries.users.nil? && !iuser_entries.users.empty?\n failing_iusers = iuser_entries.entries.reject { |iu|\n file(iu['home']).gid == iu.gid.to_i\n }\n failing_homedirs = failing_iusers.map { |iu| iu['home'] }\n\n describe 'All non-exempt interactive user account home directories on the system' do\n it 'should be group-owned by the group of the user they are associated with' do\n expect(failing_homedirs).to be_empty, \"Failing home directories:\\n\\t- #{failing_homedirs.join(\"\\n\\t- \")}\"\n end\n end\n else\n describe 'No non-exempt interactive user accounts' do\n it 'were detected on the system' do\n expect(true).to eq(true)\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-237640.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230322.rb", "line": 1 }, - "id": "SV-237640" + "id": "SV-230322" }, { - "title": "The RHEL 8 System Administrator (SA) and Information System Security\nOfficer (ISSO) (at a minimum) must be alerted of an audit processing failure\nevent.", - "desc": "It is 
critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "title": "Successful/unsuccessful modifications to the faillock log file in RHEL\n8 must generate an audit record.", + "desc": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n From \"Pam_Faillock man\" pages: Note the default directory that\npam_faillock uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", - "check": "Verify that the SA and ISSO (at a minimum) are notified in the event of an\naudit processing failure.\n\n Check that RHEL 8 notifies the SA and ISSO (at a minimum) in the event of\nan audit processing failure with the following command:\n\n $ sudo grep action_mail_acct /etc/audit/auditd.conf\n\n action_mail_acct = root\n\n If the value of the \"action_mail_acct\" keyword is not set to \"root\"\nand/or other accounts for security personnel, the \"action_mail_acct\" keyword\nis missing, or the retuned line is commented out, ask the system administrator\nto indicate how they and the ISSO are notified of an audit process failure. 
If\nthere is no evidence of the proper personnel being notified of an audit\nprocessing failure, this is a finding.", - "fix": "Configure \"auditd\" service to notify the SA and ISSO in the event of an\naudit processing failure.\n\n Edit the following line in \"/etc/audit/auditd.conf\" to ensure that\nadministrators are notified via email for those situations:\n\n action_mail_acct = root" + "default": "Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n From \"Pam_Faillock man\" pages: Note the default directory that\npam_faillock uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nmodifications to the \"faillock\" file occur. First, determine where the\nfaillock tallies are stored with the following commands:\n\n For RHEL versions 8.0 and 8.1:\n\n $ sudo grep -i pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock\nsilent deny=3 fail_interval=900 even_deny_root\n\n For RHEL versions 8.2 and newer:\n\n $ sudo grep dir /etc/security/faillock.conf\n\n dir=/var/log/faillock\n\n Using the location of the faillock log file, check that the following calls\nare being audited by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w faillock /etc/audit/audit.rules\n\n -w /var/log/faillock -p wa -k logins\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"faillock\" file by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -w /var/log/faillock -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
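Review bot: In the new SV-230322 `code` string, the `uid_min` guard can never fire: `uid_min = login_defs.read_params['UID_MIN'].to_i` converts first, so a missing UID_MIN gives 0 rather than nil, and `uid_min = 1000 if uid_min.nil?` is dead, which makes the passwd filter `uid.to_i >= uid_min` sweep in every account with a non-nologin shell (root included) and report their home directories as failing. Apply the default before converting: `uid_min = (login_defs.read_params['UID_MIN'] || 1000).to_i`. A related soft spot is `file(iu['home']).gid == iu.gid.to_i`, which returns nil for a missing home directory and reports it as a group-ownership failure with no hint that the directory does not exist; a separate "missing home directory" message would make the finding actionable. Since this file looks like an `inspec json` export, the fix belongs in the upstream control named in `source_location` (`./Red Hat 8 STIG/controls/SV-230322.rb`) rather than in this data file.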
@@ -11282,33 +11247,43 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000046-GPOS-00022", - "gid": "V-230388", - "rid": "SV-230388r627750_rule", - "stig_id": "RHEL-08-030020", - "fix_id": "F-33032r567911_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000473-GPOS-00218" + ], + "gid": "V-230466", + "rid": "SV-230466r627750_rule", + "stig_id": "RHEL-08-030590", + "fix_id": "F-33110r568145_fix", "cci": [ - "CCI-000139" + "CCI-000169" ], "nist": [ - "AU-5 a" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230388' do\n title 'The RHEL 8 System Administrator (SA) and Information System Security\nOfficer (ISSO) (at a minimum) must be alerted of an audit processing failure\nevent.'\n desc 'It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.'\n desc 'check', 'Verify that the SA and ISSO (at a minimum) are notified in the event of an\naudit processing failure.\n\n Check that RHEL 8 notifies the SA and ISSO (at a minimum) in the event of\nan audit processing failure with the following command:\n\n $ sudo grep action_mail_acct /etc/audit/auditd.conf\n\n action_mail_acct = root\n\n If the value of the \"action_mail_acct\" keyword is not set to \"root\"\nand/or other accounts for security personnel, the \"action_mail_acct\" keyword\nis missing, or the retuned line is commented out, ask the system administrator\nto indicate how they and the ISSO are notified of an audit process failure. 
If\nthere is no evidence of the proper personnel being notified of an audit\nprocessing failure, this is a finding.'\n desc 'fix', 'Configure \"auditd\" service to notify the SA and ISSO in the event of an\naudit processing failure.\n\n Edit the following line in \"/etc/audit/auditd.conf\" to ensure that\nadministrators are notified via email for those situations:\n\n action_mail_acct = root'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000046-GPOS-00022'\n tag gid: 'V-230388'\n tag rid: 'SV-230388r627750_rule'\n tag stig_id: 'RHEL-08-030020'\n tag fix_id: 'F-33032r567911_fix'\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe auditd_conf do\n its('action_mail_acct') { should cmp 'root' }\n end\nend\n", + "code": "control 'SV-230466' do\n title 'Successful/unsuccessful modifications to the faillock log file in RHEL\n8 must generate an audit record.'\n desc 'Without the capability to generate audit records, it would be\ndifficult to establish, correlate, and investigate the events relating to an\nincident or identify those responsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).\n\n The list of audited events is the set of events for which audits are to be\ngenerated. 
This set of events is typically a subset of the list of all events\nfor which the system is capable of generating audit records.\n\n DoD has defined the list of events for which RHEL 8 will provide an audit\nrecord generation capability as the following:\n\n 1) Successful and unsuccessful attempts to access, modify, or delete\nprivileges, security objects, security levels, or categories of information\n(e.g., classification levels);\n\n 2) Access actions, such as successful and unsuccessful logon attempts,\nprivileged activities or other system-level access, starting and ending time\nfor user access to the system, concurrent logons from different workstations,\nsuccessful and unsuccessful accesses to objects, all program initiations, and\nall direct access to the information system;\n\n 3) All account creations, modifications, disabling, and terminations; and\n\n 4) All kernel module load, unload, and restart actions.\n\n From \"Pam_Faillock man\" pages: Note the default directory that\npam_faillock uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nmodifications to the \"faillock\" file occur. 
First, determine where the\nfaillock tallies are stored with the following commands:\n\n For RHEL versions 8.0 and 8.1:\n\n $ sudo grep -i pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock\nsilent deny=3 fail_interval=900 even_deny_root\n\n For RHEL versions 8.2 and newer:\n\n $ sudo grep dir /etc/security/faillock.conf\n\n dir=/var/log/faillock\n\n Using the location of the faillock log file, check that the following calls\nare being audited by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w faillock /etc/audit/audit.rules\n\n -w /var/log/faillock -p wa -k logins\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful modifications to the \"faillock\" file by adding or\nupdating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -w /var/log/faillock -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000473-GPOS-00218']\n tag gid: 'V-230466'\n tag rid: 'SV-230466r627750_rule'\n tag stig_id: 'RHEL-08-030590'\n tag fix_id: 'F-33110r568145_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n if os.release.to_f < 8.2\n m = /dir=(?\\S*)/\n s = command('grep -i pam_faillock.so /etc/pam.d/system-auth').stdout\n dir_match = m.match(s)\n audit_command = (dir_match[:dir] if dir_match)\n else\n audit_command = parse_config_file('/etc/security/faillock.conf').params('dir')\n end\n\n only_if('This control 
is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230388.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230466.rb", "line": 1 }, - "id": "SV-230388" + "id": "SV-230466" }, { - "title": "RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.", - "desc": "To ensure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", + "title": "RHEL 8 must restrict exposed kernel pointer addresses access.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "To ensure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. 
Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", - "check": "Verify that RHEL 8 contains no duplicate User IDs (UIDs) for interactive\nusers.\n\n Check that the operating system contains no duplicate UIDs for interactive\nusers with the following command:\n\n $ sudo awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\n If output is produced, and the accounts listed are interactive user\naccounts, this is a finding.", - "fix": "Edit the file \"/etc/passwd\" and provide each interactive user\naccount that has a duplicate User ID (UID) with a unique UID." + "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:\n\n$ sudo sysctl kernel.kptr_restrict\n\nkernel.kptr_restrict = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1\n\nIf \"kernel.kptr_restrict\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.kptr_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
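Review bot: In the new SV-230466 `code` string, `audit_command` can end up nil — on 8.2+ when `/etc/security/faillock.conf` has no `dir` line, and on 8.0/8.1 when the regex finds no `dir=` in system-auth — and it is then passed straight to `auditd.file(nil)` and used as the key into the keynames map, so the control fails with the title " is audited properly" and never says that the tally directory could not be determined. Resolve the default explicitly instead, e.g. `audit_command ||= '/var/run/faillock'` (presumably the pam_faillock default tally directory the description alludes to — confirm against the man page), or fail with a message naming the missing setting. As rendered the regex reads `/dir=(?\S*)/`, which is not a valid named group; presumably `(?<dir>\S*)` lost its angle brackets in rendering, since the later `dir_match[:dir]` depends on it, so the upstream control is worth checking. The `satisfies` list in the tags also repeats `SRG-OS-000062-GPOS-00031`. Since this looks like an `inspec json` export, the fix belongs in `./Red Hat 8 STIG/controls/SV-230466.rb` rather than in this data file.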
@@ -11318,39 +11293,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000104-GPOS-00051", - "satisfies": [ - "SRG-OS-000104-GPOS-00051", - "SRG-OS-000121-GPOS-00062", - "SRG-OS-000042-GPOS-00020" - ], - "gid": "V-230371", - "rid": "SV-230371r627750_rule", - "stig_id": "RHEL-08-020240", - "fix_id": "F-33015r567860_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230547", + "rid": "SV-230547r858826_rule", + "stig_id": "RHEL-08-040283", + "fix_id": "F-33191r858825_fix", "cci": [ - "CCI-000764" + "CCI-000366" ], "nist": [ - "IA-2" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230371' do\n title 'RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.'\n desc 'To ensure accountability and prevent unauthenticated access,\ninteractive users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Interactive users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nInteractive users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication; and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. 
Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.'\n desc 'check', %q(Verify that RHEL 8 contains no duplicate User IDs (UIDs) for interactive\nusers.\n\n Check that the operating system contains no duplicate UIDs for interactive\nusers with the following command:\n\n $ sudo awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\n If output is produced, and the accounts listed are interactive user\naccounts, this is a finding.)\n desc 'fix', 'Edit the file \"/etc/passwd\" and provide each interactive user\naccount that has a duplicate User ID (UID) with a unique UID.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000104-GPOS-00051'\n tag satisfies: ['SRG-OS-000104-GPOS-00051', 'SRG-OS-000121-GPOS-00062', 'SRG-OS-000042-GPOS-00020']\n tag gid: 'V-230371'\n tag rid: 'SV-230371r627750_rule'\n tag stig_id: 'RHEL-08-020240'\n tag fix_id: 'F-33015r567860_fix'\n tag cci: ['CCI-000764']\n tag nist: ['IA-2']\n tag 'host'\n tag 'container'\n\n user_count = passwd.where { uid.to_i >= 1000 }.entries.length\n\n describe \"Count of interactive unique user IDs should match interactive user count (#{user_count}): UID count\" do\n subject { passwd.where { uid.to_i >= 1000 }.uids.uniq.length }\n it { should eq user_count }\n end\nend\n", + "code": "control 'SV-230547' do\n title 'RHEL 8 must restrict exposed kernel pointer addresses access.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:\n\n$ sudo sysctl kernel.kptr_restrict\n\nkernel.kptr_restrict = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1\n\nIf \"kernel.kptr_restrict\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.kptr_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230547'\n tag rid: 'SV-230547r858826_rule'\n tag stig_id: 'RHEL-08-040283'\n tag fix_id: 'F-33191r858825_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.kptr_restrict'\n action = 'kernel pointer addresses'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" 
do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230371.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230547.rb", "line": 1 }, - "id": "SV-230371" + "id": "SV-230547" }, { - "title": "RHEL 8 audit system must protect logon UIDs from unauthorized change.", - "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.", + "title": "The RHEL 8 /var/log/messages file must have mode 0640 or less\npermissive.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.", - "check": "Verify the audit system prevents unauthorized changes to logon UIDs with\nthe following command:\n\n $ sudo grep -i immutable /etc/audit/audit.rules\n\n --loginuid-immutable\n\n If the login UIDs are not set to be immutable by adding the\n\"--loginuid-immutable\" option to the \"/etc/audit/audit.rules\", this is a\nfinding.", - "fix": "Configure the audit system to set the logon UIDs to be immutable by adding\nthe following line to \"/etc/audit/rules.d/audit.rules\"\n\n --loginuid-immutable" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the \"/var/log/messages\" file has mode \"0640\" or less\npermissive with the following command:\n\n $ sudo stat -c \"%a %n\" /var/log/messages\n\n 640 /var/log/messages\n\n If a value of \"0640\" or less permissive is not returned, this is a\nfinding.", + "fix": "Change the permissions of the file \"/var/log/messages\" to \"0640\" by\nrunning the following command:\n\n $ sudo chmod 0640 /var/log/messages" }, "impact": 0.5, "refs": [ 
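Review bot: The embedded control code for SV-230547 in this hunk accepts only `kernel.kptr_restrict = 1` (`value = 1`, `expect(current_value.value).to cmp value`, and `all? { |v| v.to_i.eql?(value) }`), while the `check` text in the same hunk passes a value of "1" or "2", so a host hardened to the stricter 2 is reported as a finding. Accept both, e.g. `expect([1, 2]).to include(current_value.value.to_i)` and `expect(config_values.values.flatten.all? { |v| [1, 2].include?(v.to_i) }).to be true`. The search command `grep -r ^#{parameter} #{sysctl_config_files} {} \;` also carries what looks like a `find -exec` remnant, so `{}` and `;` are handed to grep as extra paths; the parsed stdout appears unaffected but it adds stderr noise and a non-zero exit, and the `only_if` keyed on `input('network_router')` reads as copied from the IP-forwarding controls, since routing has no bearing on kernel pointer exposure. Because `source_location` points at `./Red Hat 8 STIG/controls/SV-230547.rb`, these fixes belong in that source control with this export regenerated rather than edited in the JSON.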
@@ -11360,39 +11329,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000057-GPOS-00027", - "satisfies": [ - "SRG-OS-000057-GPOS-00027", - "SRG-OS-000058-GPOS-00028", - "SRG-OS-000059-GPOS-00029" - ], - "gid": "V-230403", - "rid": "SV-230403r627750_rule", - "stig_id": "RHEL-08-030122", - "fix_id": "F-33047r567956_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-230245", + "rid": "SV-230245r627750_rule", + "stig_id": "RHEL-08-010210", + "fix_id": "F-32889r567482_fix", "cci": [ - "CCI-000162" + "CCI-001314" ], "nist": [ - "AU-9", - "AU-9 a" + "SI-11 b" ], "host": null }, - "code": "control 'SV-230403' do\n title 'RHEL 8 audit system must protect logon UIDs from unauthorized change.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. 
A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.'\n desc 'check', 'Verify the audit system prevents unauthorized changes to logon UIDs with\nthe following command:\n\n $ sudo grep -i immutable /etc/audit/audit.rules\n\n --loginuid-immutable\n\n If the login UIDs are not set to be immutable by adding the\n\"--loginuid-immutable\" option to the \"/etc/audit/audit.rules\", this is a\nfinding.'\n desc 'fix', 'Configure the audit system to set the logon UIDs to be immutable by adding\nthe following line to \"/etc/audit/rules.d/audit.rules\"\n\n --loginuid-immutable'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230403'\n tag rid: 'SV-230403r627750_rule'\n tag stig_id: 'RHEL-08-030122'\n tag fix_id: 'F-33047r567956_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe command('grep -i immutable /etc/audit/audit.rules') do\n its('stdout.strip') { should cmp '--loginuid-immutable' }\n end\nend\n", + "code": "control 'SV-230245' do\n title 'The RHEL 8 /var/log/messages file must have mode 0640 or less\npermissive.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify that the \"/var/log/messages\" file has mode \"0640\" or less\npermissive with the following command:\n\n $ sudo stat -c \"%a %n\" /var/log/messages\n\n 640 /var/log/messages\n\n If a value of \"0640\" or less permissive is not returned, this is a\nfinding.'\n desc 'fix', 'Change the permissions of the file \"/var/log/messages\" to \"0640\" by\nrunning the following command:\n\n $ sudo chmod 0640 /var/log/messages'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230245'\n tag rid: 'SV-230245r627750_rule'\n tag stig_id: 'RHEL-08-010210'\n tag fix_id: 'F-32889r567482_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe.one do\n describe file('/var/log/messages') do\n it { should_not be_more_permissive_than('0640') }\n end\n describe file('/var/log/messages') do\n it { should_not exist }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230403.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230245.rb", "line": 1 }, - "id": "SV-230403" + "id": "SV-230245" }, { - "title": "A firewall must be active on RHEL 8.", - "desc": "\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an 
external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).", + "title": "The RHEL 8 SSH daemon must perform strict mode checking of home\ndirectory configuration files.", + "desc": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", "descriptions": { - "default": "\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. 
Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).", - "check": "Verify that \"firewalld\" is active with the following commands:\n\n $ sudo systemctl is-active firewalld\n\n active\n\n If the \"firewalld\" package is not \"active\", ask the System\nAdministrator if another firewall is installed. If no firewall is installed and\nactive this is a finding.", - "fix": "Configure \"firewalld\" to protect the operating system with the following\ncommand:\n\n $ sudo systemctl enable firewalld" + "default": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", + "check": "Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*strictmodes'\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure SSH to perform strict mode checking of home directory\nconfiguration files. Uncomment the \"StrictModes\" keyword in\n\"/etc/ssh/sshd_config\" and set the value to \"yes\":\n\n StrictModes yes\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
@@ -11402,32 +11365,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000297-GPOS-00115", - "gid": "V-244544", - "rid": "SV-244544r854073_rule", - "stig_id": "RHEL-08-040101", - "fix_id": "F-47776r743880_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230288", + "rid": "SV-230288r951600_rule", + "stig_id": "RHEL-08-010500", + "fix_id": "F-32932r567611_fix", "cci": [ - "CCI-002314" + "CCI-000366" ], "nist": [ - "AC-17 (1)" - ] + "CM-6 b" + ], + "host": null, + "container-conditional": null }, - "code": "control 'SV-244544' do\n title 'A firewall must be active on RHEL 8.'\n desc '\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).'\n desc 'check', 'Verify that \"firewalld\" is active with the following commands:\n\n $ sudo systemctl is-active firewalld\n\n active\n\n If the \"firewalld\" package is not \"active\", ask the System\nAdministrator if another firewall is installed. 
If no firewall is installed and\nactive this is a finding.'\n desc 'fix', 'Configure \"firewalld\" to protect the operating system with the following\ncommand:\n\n $ sudo systemctl enable firewalld'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000297-GPOS-00115'\n tag gid: 'V-244544'\n tag rid: 'SV-244544r854073_rule'\n tag stig_id: 'RHEL-08-040101'\n tag fix_id: 'F-47776r743880_fix'\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n only_if('This requirment is Not Applicable in the container, the container management platform manages the firewall service', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('external_firewall')\n message = 'This system uses an externally managed firewall service, verify with the system administrator that the firewall is configured to requirements'\n describe message do\n skip message\n end\n else\n describe package('firewalld') do\n it { should be_installed }\n end\n describe firewalld do\n it { should be_installed }\n it { should be_running }\n end\n end\nend\n", + "code": "control 'SV-230288' do\n title 'The RHEL 8 SSH daemon must perform strict mode checking of home\ndirectory configuration files.'\n desc 'If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.'\n desc 'check', %q(Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*strictmodes'\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure SSH to perform strict mode checking of home directory\nconfiguration files. 
Uncomment the \"StrictModes\" keyword in\n\"/etc/ssh/sshd_config\" and set the value to \"yes\":\n\n StrictModes yes\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230288'\n tag rid: 'SV-230288r951600_rule'\n tag stig_id: 'RHEL-08-010500'\n tag fix_id: 'F-32932r567611_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n describe sshd_active_config do\n its('StrictModes') { should cmp 'yes' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244544.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230288.rb", "line": 1 }, - "id": "SV-244544" + "id": "SV-230288" }, { - "title": "RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that are used with removable media.", - "desc": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must enforce password complexity by requiring that at least one\nuppercase character be used.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require uppercase characters, without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", "descriptions": { - "default": "The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", - "check": "Verify file systems that are used for removable media are mounted with the\n\"nosuid\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are associated with removable media." + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require uppercase characters, without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", + "check": "Verify the value for \"ucredit\" with the following command:\n\n$ sudo grep -r ucredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:ucredit = -1\n\nIf the value of \"ucredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to enforce password complexity by requiring that at least one uppercase character be used by setting the \"ucredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nucredit = -1\n\nRemove any configurations that conflict with the above value." }, "impact": 0.5, "refs": [ 
@@ -11437,33 +11402,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230305", - "rid": "SV-230305r627750_rule", - "stig_id": "RHEL-08-010620", - "fix_id": "F-32949r567662_fix", + "gtitle": "SRG-OS-000069-GPOS-00037", + "gid": "V-230357", + "rid": "SV-230357r858771_rule", + "stig_id": "RHEL-08-020110", + "fix_id": "F-33001r858770_fix", "cci": [ - "CCI-000366" + "CCI-000192" ], "nist": [ - "CM-6 b" + "IA-5 (1) (a)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230305' do\n title 'RHEL 8 must prevent files with the setuid and setgid bit set from\nbeing executed on file systems that are used with removable media.'\n desc 'The \"nosuid\" mount option causes the system not to execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify file systems that are used for removable media are mounted with the\n\"nosuid\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nosuid\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are associated with removable media.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230305'\n tag rid: 'SV-230305r627750_rule'\n tag stig_id: 'RHEL-08-010620'\n tag fix_id: 'F-32949r567662_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', 
impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nosuid'\n file_systems = etc_fstab.params\n non_removable_media = input('non_removable_media_fs')\n mounted_removeable_media = file_systems.reject { |mnt| non_removable_media.include?(mnt['mount_point']) }\n failing_mounts = mounted_removeable_media.reject { |mnt| mnt['mount_options'].include?(option) }\n\n # be very explicit about why this one was a finding since we do not know which mounts are removeable media without the user telling us\n rem_media_msg = \"NOTE: Some mounted devices are not indicated to be non-removable media (you may need to update the 'non_removable_media_fs' input to check if these are truly subject to this requirement)\\n\"\n\n # there should either be no mounted removable media (which should be a requirement anyway), OR\n # all removeable media should be mounted with nosuid\n if mounted_removeable_media.empty?\n describe 'No removeable media' do\n it 'are mounted' do\n expect(mounted_removeable_media).to be_empty\n end\n end\n else\n describe 'Any mounted removeable media' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"#{rem_media_msg}\\nRemoveable media without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230357' do\n title 'RHEL 8 must enforce password complexity by requiring that at least one\nuppercase character be used.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require uppercase characters, without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".'\n desc 'check', 'Verify the value for \"ucredit\" with the following command:\n\n$ sudo grep -r ucredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:ucredit = -1\n\nIf the value of \"ucredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one uppercase character be used by setting the \"ucredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nucredit = -1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-230357'\n tag rid: 'SV-230357r858771_rule'\n tag stig_id: 'RHEL-08-020110'\n tag fix_id: 'F-33001r858770_fix'\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe 'pwquality.conf:' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting) { 'ucredit' }\n let(:value) { Array(config.params[setting]) }\n\n it 'has `ucredit` set' do\n expect(value).not_to be_empty, 'ucredit is not set in pwquality.conf'\n end\n\n it 'only sets `ucredit` once' do\n expect(value.length).to eq(1), 'ucredit is commented or set more than once in pwquality.conf'\n end\n\n it 'does not set `ucredit` to a positive value' do\n expect(value.first.to_i).to cmp < 0, 'ucredit is not set to 
a negative value in pwquality.conf'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230305.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230357.rb", "line": 1 }, - "id": "SV-230305" + "id": "SV-230357" }, { - "title": "RHEL 8 must implement non-executable data to protect its memory from\nunauthorized code execution.", - "desc": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", + "title": "RHEL 8 must mount /var/tmp with the noexec option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.", - "check": "Verify the NX (no-execution) bit flag is set on the system.\n\n Check that the no-execution bit flag is set with the following commands:\n\n $ sudo dmesg | grep NX\n\n [ 0.000000] NX (Execute Disable) protection: active\n\n If \"dmesg\" does not show \"NX (Execute Disable) protection\" active,\ncheck the cpuinfo settings with the following command:\n\n $ sudo less /proc/cpuinfo | grep -i flags\n flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\n If \"flags\" does not contain the \"nx\" flag, this is a finding.", - "fix": "The NX bit execute protection must be enabled in the system\nBIOS." + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/var/tmp\" is mounted with the \"noexec\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"noexec\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"noexec\" option is missing, or if /var/tmp is mounted without the \"noexec\" option, this is a finding.", + "fix": "Configure the system so that /var/tmp is mounted with the \"noexec\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
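Review bot: The new SV-230357 code in this hunk parses only `/etc/security/pwquality.conf`, while the check text it carries greps `/etc/security/pwquality.conf*` and treats conflicting results as a finding, so a drop-in under `/etc/security/pwquality.conf.d/` that sets `ucredit` to 0 or a positive value would pass this control but fail the manual check. The `let(:config)`/`let(:value)` pair should gather the setting from the main file plus every `*.conf` drop-in on the target, e.g. `let(:config_files) { ['/etc/security/pwquality.conf'] + command('ls /etc/security/pwquality.conf.d/*.conf 2>/dev/null').stdout.split }` and `let(:value) { config_files.flat_map { |f| Array(parse_config_file(f, multiple_values: true).params[setting]) } }` (escaped as needed inside the JSON `code` string), which lets the existing "only sets ucredit once" example also catch a conflict between files. Whether libpwquality on the target actually honours the conf.d directory is not shown here, but the STIG check text assumes it does. The control's JSON object begins in the previous hunk, outside this one.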
@@ -11473,106 +11439,108 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000433-GPOS-00192", - "gid": "V-230276", - "rid": "SV-230276r854031_rule", - "stig_id": "RHEL-08-010420", - "fix_id": "F-32920r567575_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230522", + "rid": "SV-230522r854063_rule", + "stig_id": "RHEL-08-040134", + "fix_id": "F-33166r792932_fix", "cci": [ - "CCI-002824" + "CCI-001764" ], "nist": [ - "SI-16" + "CM-7 (2)" ], "host": null }, - "code": "control 'SV-230276' do\n title 'RHEL 8 must implement non-executable data to protect its memory from\nunauthorized code execution.'\n desc 'Some adversaries launch attacks with the intent of executing code in\nnon-executable regions of memory or in memory locations that are prohibited.\nSecurity safeguards employed to protect memory include, for example, data\nexecution prevention and address space layout randomization. Data execution\nprevention safeguards can be either hardware-enforced or software-enforced with\nhardware providing the greater strength of mechanism.\n\n Examples of attacks are buffer overflow attacks.'\n desc 'check', 'Verify the NX (no-execution) bit flag is set on the system.\n\n Check that the no-execution bit flag is set with the following commands:\n\n $ sudo dmesg | grep NX\n\n [ 0.000000] NX (Execute Disable) protection: active\n\n If \"dmesg\" does not show \"NX (Execute Disable) protection\" active,\ncheck the cpuinfo settings with the following command:\n\n $ sudo less /proc/cpuinfo | grep -i flags\n flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\n If \"flags\" does not contain the \"nx\" flag, this is a finding.'\n desc 'fix', 'The NX bit execute protection must be enabled in the system\nBIOS.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000433-GPOS-00192'\n tag gid: 'V-230276'\n tag rid: 'SV-230276r854031_rule'\n tag stig_id: 'RHEL-08-010420'\n tag fix_id: 'F-32920r567575_fix'\n tag 
cci: ['CCI-002824']\n tag nist: ['SI-16']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }\n\n dmesg_nx_conf = command('dmesg | grep NX').stdout.match(/:\\s+(\\S+)$/).captures.first\n cpuinfo_flags = parse_config_file('/proc/cpuinfo', options).flags.split\n\n describe.one do\n describe 'The no-execution bit flag' do\n it 'should be set in kernel messages' do\n expect(dmesg_nx_conf).to eq('active'), \"dmesg does not show NX protection set to 'active'\"\n end\n end\n describe 'The no-execution bit flag' do\n it 'should be set in CPU info' do\n expect(cpuinfo_flags).to include('nx'), \"'nx' flag not set in /proc/cpuinfo flags\"\n end\n end\n end\nend\n", + "code": "control 'SV-230522' do\n title 'RHEL 8 must mount /var/tmp with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/tmp\" is mounted with the \"noexec\" option:\n\n$ sudo mount | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nVerify that the \"noexec\" option is configured for /var/tmp:\n\n$ sudo cat /etc/fstab | grep /var/tmp\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0\n\nIf results are returned and the \"noexec\" option is missing, or if /var/tmp is mounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/tmp is mounted with the \"noexec\" option by adding /modifying the /etc/fstab with the following line:\n\n/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230522'\n tag rid: 'SV-230522r854063_rule'\n tag stig_id: 'RHEL-08-040134'\n tag fix_id: 'F-33166r792932_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/tmp'\n option = 'noexec'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230276.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230522.rb", "line": 1 }, - "id": "SV-230276" + "id": "SV-230522" }, { - "title": "RHEL 8 library files must be group-owned by root or a system account.", - "desc": "If RHEL 8 were to allow any user to make changes 
to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "title": "RHEL 8 must prevent the installation of software, patches, service\npacks, device drivers, or operating system components of local packages without\nverification they have been digitally signed using a certificate that is issued\nby a Certificate Authority (CA) that is recognized and approved by the\norganization.", + "desc": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", "descriptions": { - "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", - "check": "Verify the system-wide shared library files are group-owned by \"root\"\nwith the following command:\n\n $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {}\n\\;\n\n If any system wide shared library file is returned and is not group-owned\nby a required system account, this is a finding.", - "fix": "Configure the system-wide shared library files (/lib, /lib64, /usr/lib and\n/usr/lib64) to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any library file not\ngroup-owned by \"root\".\n\n $ sudo chgrp root [FILE]" + "default": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. 
This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "check": "Verify the operating system prevents the installation of patches, service\npacks, device drivers, or operating system components from a repository without\nverification that they have been digitally signed using a certificate that is\nrecognized and approved by the organization.\n\n Check if YUM is configured to perform a signature check on local packages\nwith the following command:\n\n $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf\n\n localpkg_gpgcheck =True\n\n If \"localpkg_gpgcheck\" is not set to either \"1\", \"True\", or \"yes\",\ncommented out, or is missing from \"/etc/dnf/dnf.conf\", this is a finding.", + "fix": "Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"localpkg_gpgcheck\" option to \"True\" in the\n\"/etc/dnf/dnf.conf\" file:\n\n localpkg_gpgcheck=True" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-230262", - "rid": "SV-230262r627750_rule", - "stig_id": "RHEL-08-010350", - "fix_id": "F-32906r567533_fix", + "severity": "high", + "gtitle": "SRG-OS-000366-GPOS-00153", + "gid": "V-230265", + "rid": "SV-230265r877463_rule", + "stig_id": "RHEL-08-010371", + "fix_id": "F-32909r567542_fix", "cci": [ - "CCI-001499" + "CCI-001749" ], "nist": [ - "CM-5 (6)" + "CM-5 (3)" ], "host": null, "container": null }, - "code": "control 'SV-230262' do\n title 'RHEL 8 library files must be group-owned by root or a system account.'\n desc 'If RHEL 8 were 
to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system-wide shared library files are group-owned by \"root\"\nwith the following command:\n\n $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {}\n\\\\;\n\n If any system wide shared library file is returned and is not group-owned\nby a required system account, this is a finding.'\n desc 'fix', 'Configure the system-wide shared library files (/lib, /lib64, /usr/lib and\n/usr/lib64) to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any library file not\ngroup-owned by \"root\".\n\n $ sudo chgrp root [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230262'\n tag rid: 'SV-230262r627750_rule'\n tag stig_id: 'RHEL-08-010350'\n tag fix_id: 'F-32906r567533_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_libraries').join(' ')} ! 
-group root -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System libraries' do\n it 'should be group-owned by root' do\n expect(failing_files).to be_empty, \"Files not group-owned by root:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230265' do\n title 'RHEL 8 must prevent the installation of software, patches, service\npacks, device drivers, or operating system components of local packages without\nverification they have been digitally signed using a certificate that is issued\nby a Certificate Authority (CA) that is recognized and approved by the\norganization.'\n desc 'Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.'\n desc 'check', 'Verify the operating system prevents the installation of patches, service\npacks, device drivers, or operating system components from a repository without\nverification that they have been digitally signed using a certificate that is\nrecognized and approved by the organization.\n\n Check if YUM is configured to perform a signature check on local packages\nwith the following command:\n\n $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf\n\n localpkg_gpgcheck =True\n\n If \"localpkg_gpgcheck\" is not set to either \"1\", \"True\", or \"yes\",\ncommented out, or is missing from \"/etc/dnf/dnf.conf\", this is a finding.'\n desc 'fix', 'Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"localpkg_gpgcheck\" option to \"True\" in the\n\"/etc/dnf/dnf.conf\" file:\n\n localpkg_gpgcheck=True'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-230265'\n tag rid: 'SV-230265r877463_rule'\n tag stig_id: 'RHEL-08-010371'\n tag fix_id: 'F-32909r567542_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/dnf/dnf.conf') do\n its('main.localpkg_gpgcheck') { should match(/True|1|yes/i) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230262.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230265.rb", "line": 1 }, - "id": "SV-230262" + "id": "SV-230265" }, { - "title": "The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be\ndisabled.", - "desc": "A locally logged-on user who presses Ctrl-Alt-Delete when at the\nconsole can reboot the system. 
If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "title": "The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.", + "desc": "Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.\n Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the\n system security policy and supporting the isolation of code and data on which the protection is based. Security functionality\n includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),\n setting events to be audited, and setting intrusion detection parameters.\n\n This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and\n environments that require this functionality.", "descriptions": { - "default": "A locally logged-on user who presses Ctrl-Alt-Delete when at the\nconsole can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", - "check": "Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed seven times within two seconds with the following command:\n\n $ sudo grep -i ctrl /etc/systemd/system.conf\n\n CtrlAltDelBurstAction=none\n\n If the \"CtrlAltDelBurstAction\" is not set to \"none\", commented out, or\nis missing, this is a finding.", - "fix": "Configure the system to disable the CtrlAltDelBurstAction by added or\nmodifying the following line in the \"/etc/systemd/system.conf\" configuration\nfile:\n\n CtrlAltDelBurstAction=none\n\n Reload the daemon for this change to take effect.\n\n $ sudo systemctl daemon-reload" + "default": "Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.\n Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the\n system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality\n includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),\n setting events to be audited, and setting intrusion detection parameters.\n\n This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and\n environments that require this functionality.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all\n security functions.\n\n Check that the AIDE package is installed with the following command:\n $ sudo rpm -q aide\n\n aide-0.16-14.el8_5.1.x86_64\n\n If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\n If there is no application installed to perform integrity checks, this is a finding.\n\n If AIDE is installed, check if it has been initialized with the following command:\n $ sudo /usr/sbin/aide --check\n\n If the output is \"Couldn't open file /var/lib/aide/aide.db.gz for reading\", this is a finding.", + "fix": "Install AIDE, initialize it, and perform a manual check.\n\n Install AIDE:\n $ sudo yum install aide\n\n Initialize it:\n $ sudo /usr/sbin/aide --init\n\n Example output:\n Number of entries: 48623\n\n ---------------------------------------------------\n The attributes of the (uncompressed) database(s):\n ---------------------------------------------------\n\n /var/lib/aide/aide.db.new.gz\n SHA1 : LTAVQ8tFJthsrf4m9gfRpnf1vyc=\n SHA256 : NJ9+uzRQKSwmLQ8A6IpKNvYjVKGbhSjt\n BeJBVcmOVrI=\n SHA512 : 7d8I/F6A1b07E4ZuGeilZjefRgJJ/F20\n eC2xoag1OsOVpctt3Mi7Jjjf3vFW4xoY\n 5mdS6/ImQpm0xtlTLOPeQQ==\n\n End timestamp: 2022-10-20 10:50:52 -0700 (run time: 0m 46s)\n\n The new database will need to be renamed to be read by AIDE:\n $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\n Perform a manual check:\n $ sudo /usr/sbin/aide --check\n\n Example output:\n Start 
timestamp: 2022-10-20 11:03:16 -0700 (AIDE 0.16)\n AIDE found differences between database and filesystem!!\n ...\n\n Done." }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230531", - "rid": "SV-230531r627750_rule", - "stig_id": "RHEL-08-040172", - "fix_id": "F-33175r619890_fix", + "check_id": "C-55147r880728_chk", + "severity": "medium", + "gid": "V-251710", + "rid": "SV-251710r880730_rule", + "stig_id": "RHEL-08-010359", + "gtitle": "SRG-OS-000445-GPOS-00199", + "fix_id": "F-55101r880729_fix", + "documentable": null, "cci": [ - "CCI-000366" + "CCI-002696" ], "nist": [ - "CM-6 b" + "SI-6 a" ], "host": null }, - "code": "control 'SV-230531' do\n title 'The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be\ndisabled.'\n desc 'A locally logged-on user who presses Ctrl-Alt-Delete when at the\nconsole can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.'\n desc 'check', 'Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed seven times within two seconds with the following command:\n\n $ sudo grep -i ctrl /etc/systemd/system.conf\n\n CtrlAltDelBurstAction=none\n\n If the \"CtrlAltDelBurstAction\" is not set to \"none\", commented out, or\nis missing, this is a finding.'\n desc 'fix', 'Configure the system to disable the CtrlAltDelBurstAction by added or\nmodifying the following line in the \"/etc/systemd/system.conf\" configuration\nfile:\n\n CtrlAltDelBurstAction=none\n\n Reload the daemon for this change to take effect.\n\n $ sudo systemctl daemon-reload'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230531'\n tag rid: 'SV-230531r627750_rule'\n tag stig_id: 'RHEL-08-040172'\n tag fix_id: 'F-33175r619890_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/systemd/system.conf') do\n its('Manager') { should include('CtrlAltDelBurstAction' => 'none') }\n end\nend\n", + "code": "control 'SV-251710' do\n title 'The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.'\n desc 'Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.\n Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the\n system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality\n includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),\n setting events to be audited, and setting intrusion detection parameters.\n\n This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and\n environments that require this functionality.'\n desc 'check', %q(Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all\n security functions.\n\n Check that the AIDE package is installed with the following command:\n $ sudo rpm -q aide\n\n aide-0.16-14.el8_5.1.x86_64\n\n If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\n If there is no application installed to perform integrity checks, this is a finding.\n\n If AIDE is installed, check if it has been initialized with the following command:\n $ sudo /usr/sbin/aide --check\n\n If the output is \"Couldn't open file /var/lib/aide/aide.db.gz for reading\", this is a finding.)\n desc 'fix', 'Install AIDE, initialize it, and perform a manual check.\n\n Install AIDE:\n $ sudo yum install aide\n\n Initialize it:\n $ sudo /usr/sbin/aide --init\n\n Example output:\n Number of entries: 48623\n\n ---------------------------------------------------\n The attributes of the (uncompressed) database(s):\n ---------------------------------------------------\n\n /var/lib/aide/aide.db.new.gz\n SHA1 : LTAVQ8tFJthsrf4m9gfRpnf1vyc=\n SHA256 : NJ9+uzRQKSwmLQ8A6IpKNvYjVKGbhSjt\n BeJBVcmOVrI=\n SHA512 : 7d8I/F6A1b07E4ZuGeilZjefRgJJ/F20\n eC2xoag1OsOVpctt3Mi7Jjjf3vFW4xoY\n 5mdS6/ImQpm0xtlTLOPeQQ==\n\n End timestamp: 2022-10-20 10:50:52 -0700 (run time: 0m 46s)\n\n The new database will need to be renamed to be read by AIDE:\n $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\n Perform a manual check:\n $ sudo /usr/sbin/aide --check\n\n Example 
output:\n Start timestamp: 2022-10-20 11:03:16 -0700 (AIDE 0.16)\n AIDE found differences between database and filesystem!!\n ...\n\n Done.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55147r880728_chk'\n tag severity: 'medium'\n tag gid: 'V-251710'\n tag rid: 'SV-251710r880730_rule'\n tag stig_id: 'RHEL-08-010359'\n tag gtitle: 'SRG-OS-000445-GPOS-00199'\n tag fix_id: 'F-55101r880729_fix'\n tag 'documentable'\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n tag 'host'\n\n aide_check_fast = input('aide_check_fast') # Default to false if not specified\n\n file_integrity_tool = input('file_integrity_tool')\n\n only_if('Control not applicable within a container', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n if file_integrity_tool == 'aide'\n if aide_check_fast\n describe file('/var/lib/aide/aide.db.gz') do\n it { should exist }\n end\n elsif !input('disable_slow_controls')\n describe command('/usr/sbin/aide --check') do\n its('stdout') { should_not include \"Couldn't open file\" }\n end\n else\n impact 0.0\n describe 'This control takes a long time to execute and has been disabled by slow_controls' do\n skip 'To enable checks, you can either set disable_slow_controls to false or set aide_check_fast to true'\n end\n end\n end\n\n describe package(file_integrity_tool) do\n it { should be_installed }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230531.rb", + "ref": "./Red Hat 8 STIG/controls/SV-251710.rb", "line": 1 }, - "id": "SV-230531" + "id": "SV-251710" }, { - "title": "The tuned package must not be installed unless mission essential on\nRHEL 8.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The tuned package contains a daemon that tunes the system settings\ndynamically. It does so by monitoring the usage of several system components\nperiodically. Based on that information, components will then be put into lower\nor higher power savings modes to adapt to the current usage. The tuned package\nis not needed for normal OS operations.", + "title": "RHEL 8 must prevent code from being executed on file systems that are\nimported via Network File System (NFS).", + "desc": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary as they may be incompatible. Executing files from untrusted\nfile systems increases the opportunity for unprivileged users to attain\nunauthorized administrative access.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The tuned package contains a daemon that tunes the system settings\ndynamically. It does so by monitoring the usage of several system components\nperiodically. 
Based on that information, components will then be put into lower\nor higher power savings modes to adapt to the current usage. The tuned package\nis not needed for normal OS operations.", - "check": "Verify the tuned package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed tuned\n\n tuned.noarch\n2.12.0-3.el8 @anaconda\n\n If the tuned package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", - "fix": "Document the tuned package with the ISSO as an operational requirement or\nremove it from the system with the following command:\n\n $ sudo yum remove tuned" + "default": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary as they may be incompatible. Executing files from untrusted\nfile systems increases the opportunity for unprivileged users to attain\nunauthorized administrative access.", + "check": "Verify that file systems being imported via NFS are mounted with the\n\"noexec\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep noexec\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"noexec\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are being imported via NFS." }, "impact": 0.5, "refs": [ 
@@ -11583,69 +11551,68 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230561", - "rid": "SV-230561r627750_rule", - "stig_id": "RHEL-08-040390", - "fix_id": "F-33205r568430_fix", + "gid": "V-230306", + "rid": "SV-230306r627750_rule", + "stig_id": "RHEL-08-010630", + "fix_id": "F-32950r567665_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230561' do\n title 'The tuned package must not be installed unless mission essential on\nRHEL 8.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The tuned package contains a daemon that tunes the system settings\ndynamically. It does so by monitoring the usage of several system components\nperiodically. Based on that information, components will then be put into lower\nor higher power savings modes to adapt to the current usage. 
The tuned package\nis not needed for normal OS operations.'\n desc 'check', 'Verify the tuned package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed tuned\n\n tuned.noarch\n2.12.0-3.el8 @anaconda\n\n If the tuned package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the tuned package with the ISSO as an operational requirement or\nremove it from the system with the following command:\n\n $ sudo yum remove tuned'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230561'\n tag rid: 'SV-230561r627750_rule'\n tag stig_id: 'RHEL-08-040390'\n tag fix_id: 'F-33205r568430_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('tuned_required')\n describe package('tuned') do\n it { should be_installed }\n end\n else\n describe package('tuned') do\n it { should_not be_installed }\n end\n end\nend\n", + "code": "control 'SV-230306' do\n title 'RHEL 8 must prevent code from being executed on file systems that are\nimported via Network File System (NFS).'\n desc 'The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary as they may be incompatible. 
Executing files from untrusted\nfile systems increases the opportunity for unprivileged users to attain\nunauthorized administrative access.'\n desc 'check', 'Verify that file systems being imported via NFS are mounted with the\n\"noexec\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep noexec\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"noexec\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are being imported via NFS.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230306'\n tag rid: 'SV-230306r627750_rule'\n tag stig_id: 'RHEL-08-010630'\n tag fix_id: 'F-32950r567665_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'noexec'\n nfs_file_systems = etc_fstab.nfs_file_systems.params\n failing_mounts = nfs_file_systems.reject { |mnt| mnt['mount_options'].include?(option) }\n\n if nfs_file_systems.empty?\n describe 'No NFS' do\n it 'is mounted' do\n expect(nfs_file_systems).to be_empty\n end\n end\n else\n describe 'Any mounted Network File System (NFS)' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"NFS without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230561.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230306.rb", "line": 1 }, - "id": "SV-230561" + "id": "SV-230306" }, { - "title": "RHEL 8 must implement address space layout randomization (ASLR) to\nprotect its memory from unauthorized code execution.", - "desc": "Some adversaries launch attacks with the intent 
of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must use a separate file system for /var.", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 implements ASLR with the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to implement virtual address space randomization.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.randomize_va_space=2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nIssue the following command to make the changes take effect:\n\n$ sudo sysctl --system" + "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or 
failing.", + "check": "Verify that a separate file system has been created for \"/var\".\n\nCheck that a file system has been created for \"/var\" with the following command:\n\n $ sudo grep /var /etc/fstab\n\n /dev/mapper/... /var xfs defaults,nodev 0 0\n\nIf a separate entry for \"/var\" is not in use, this is a finding.", + "fix": "Migrate the \"/var\" path onto a separate file system." }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000433-GPOS-00193", - "gid": "V-230280", - "rid": "SV-230280r858767_rule", - "stig_id": "RHEL-08-010430", - "fix_id": "F-32924r858766_fix", + "severity": "low", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230292", + "rid": "SV-230292r902718_rule", + "stig_id": "RHEL-08-010540", + "fix_id": "F-32936r567623_fix", "cci": [ - "CCI-002824" + "CCI-000366" ], "nist": [ - "SI-16" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230280' do\n title 'RHEL 8 must implement address space layout randomization (ASLR) to\nprotect its memory from unauthorized code execution.'\n desc 'Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 implements ASLR with the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to implement virtual address space randomization.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.randomize_va_space=2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nIssue the following command to make the changes take effect:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000433-GPOS-00193'\n tag gid: 'V-230280'\n tag rid: 'SV-230280r858767_rule'\n tag stig_id: 'RHEL-08-010430'\n tag fix_id: 'F-32924r858766_fix'\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should eq 2 }\n end\nend\n", + "code": "control 'SV-230292' do\n title 'RHEL 8 must use a separate file system for /var.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system has been created for \"/var\".\n\nCheck that a file system has been created for \"/var\" with the following command:\n\n $ sudo grep /var /etc/fstab\n\n /dev/mapper/... /var xfs defaults,nodev 0 0\n\nIf a separate entry for \"/var\" is not in use, this is a finding.'\n desc 'fix', 'Migrate the \"/var\" path onto a separate file system.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230292'\n tag rid: 'SV-230292r902718_rule'\n tag stig_id: 'RHEL-08-010540'\n tag fix_id: 'F-32936r567623_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe mount('/var') do\n it { should be_mounted }\n end\n\n describe etc_fstab.where { mount_point == '/var' } do\n it { should exist }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230280.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230292.rb", "line": 1 }, - "id": "SV-230280" + "id": "SV-230292" }, { - "title": "RHEL 8 must disable the use of user namespaces.", - "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 remote X connections for interactive users must be disabled\nunless to fulfill documented and validated mission requirements.", + "desc": "The security risk of using X11 forwarding is that the client's X11\ndisplay server may be exposed to attack when the SSH client requests\nforwarding. A system administrator may have a stance in which they want to\nprotect clients that may expose themselves to attack by unwittingly requesting\nX11 forwarding, which can warrant a \"no\" setting.\n\n X11 forwarding should be enabled with caution. Users with the ability to\nbypass file permissions on the remote host (for the user's X11 authorization\ndatabase) can access the local X11 display through the forwarded connection. An\nattacker may then be able to perform activities such as keystroke monitoring if\nthe ForwardX11Trusted option is also enabled.\n\n If X11 services are not required for the system's intended function, they\nshould be disabled or restricted as appropriate to the system’s needs.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 disables the use of user namespaces with the following commands:\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\n$ sudo sysctl user.max_user_namespaces\n\nuser.max_user_namespaces = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0\n\nIf \"user.max_user_namespaces\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nNote: User namespaces are used primarily for Linux containers. 
If containers are in use, this requirement is not applicable.\n\nuser.max_user_namespaces = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" + "default": "The security risk of using X11 forwarding is that the client's X11\ndisplay server may be exposed to attack when the SSH client requests\nforwarding. A system administrator may have a stance in which they want to\nprotect clients that may expose themselves to attack by unwittingly requesting\nX11 forwarding, which can warrant a \"no\" setting.\n\n X11 forwarding should be enabled with caution. Users with the ability to\nbypass file permissions on the remote host (for the user's X11 authorization\ndatabase) can access the local X11 display through the forwarded connection. 
An\nattacker may then be able to perform activities such as keystroke monitoring if\nthe ForwardX11Trusted option is also enabled.\n\n If X11 services are not required for the system's intended function, they\nshould be disabled or restricted as appropriate to the system’s needs.", + "check": "Verify X11Forwarding is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11forwarding'\n\nX11Forwarding no\n\nIf the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11Forwarding\" keyword and set its value to \"no\" (this file may be named\ndifferently or be in a different location if using a version of SSH that is\nprovided by a third-party vendor):\n\n X11Forwarding no\n\n The SSH service must be restarted for changes to take effect:\n\n $ sudo systemctl restart sshd" }, "impact": 0.5, "refs": [ 
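Review bot: The new SV-230306 `code` evaluates `noexec` only against `/etc/fstab` (`etc_fstab.nfs_file_systems.params`), so an NFS share brought in by autofs, a systemd `.mount` unit, or an ad hoc `mount` call is never examined and the control passes on a host where executable NFS content is live; the STIG text is itself fstab-scoped, so either that limit should be stated in a comment or a second `describe` over the live mount table (entries in `/proc/mounts` with fs type `nfs`/`nfs4`) should be added. Separately, the failure message interpolates `failing_mounts.join("\n\t- ")`, which renders each entry's raw params hash rather than the offending path; `failing_mounts.map { |m| m['mount_point'] }.join("\n\t- ")` would make the finding readable. The `'No NFS'` branch asserts `expect(nfs_file_systems).to be_empty` inside `if nfs_file_systems.empty?`, so it can never fail and should be understood as a pass marker, not a test. The SV-230555 (X11Forwarding) record that begins at the end of this hunk continues into the next hunk, so its `code` string is outside this review.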
@@ -11656,32 +11623,33 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230548", - "rid": "SV-230548r858828_rule", - "stig_id": "RHEL-08-040284", - "fix_id": "F-33192r858827_fix", + "gid": "V-230555", + "rid": "SV-230555r951618_rule", + "stig_id": "RHEL-08-040340", + "fix_id": "F-33199r568412_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230548' do\n title 'RHEL 8 must disable the use of user namespaces.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 disables the use of user namespaces with the following commands:\n\nNote: User namespaces are used primarily for Linux containers. 
If containers are in use, this requirement is not applicable.\n\n$ sudo sysctl user.max_user_namespaces\n\nuser.max_user_namespaces = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0\n\nIf \"user.max_user_namespaces\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\nuser.max_user_namespaces = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230548'\n tag rid: 'SV-230548r858828_rule'\n tag stig_id: 'RHEL-08-040284'\n tag fix_id: 'F-33192r858827_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'user.max_user_namespaces'\n action = 'user namespaces'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n # Check if the system is a container host\n elsif input('container_host')\n impact 0.0\n describe 'Control not applicable when system is a host for containers' do\n skip 'Control not applicable for container hosts'\n end\n else\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = 
config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230555' do\n title 'RHEL 8 remote X connections for interactive users must be disabled\nunless to fulfill documented and validated mission requirements.'\n desc %q(The security risk of using X11 forwarding is that the client's X11\ndisplay server may be exposed to attack when the SSH client requests\nforwarding. A system administrator may have a stance in which they want to\nprotect clients that may expose themselves to attack by unwittingly requesting\nX11 forwarding, which can warrant a \"no\" setting.\n\n X11 forwarding should be enabled with caution. Users with the ability to\nbypass file permissions on the remote host (for the user's X11 authorization\ndatabase) can access the local X11 display through the forwarded connection. 
An\nattacker may then be able to perform activities such as keystroke monitoring if\nthe ForwardX11Trusted option is also enabled.\n\n If X11 services are not required for the system's intended function, they\nshould be disabled or restricted as appropriate to the system’s needs.)\n desc 'check', %q(Verify X11Forwarding is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11forwarding'\n\nX11Forwarding no\n\nIf the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11Forwarding\" keyword and set its value to \"no\" (this file may be named\ndifferently or be in a different location if using a version of SSH that is\nprovided by a third-party vendor):\n\n X11Forwarding no\n\n The SSH service must be restarted for changes to take effect:\n\n $ sudo systemctl restart sshd'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230555'\n tag rid: 'SV-230555r951618_rule'\n tag stig_id: 'RHEL-08-040340'\n tag fix_id: 'F-33199r568412_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n describe sshd_active_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230548.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230555.rb", "line": 1 }, - "id": "SV-230548" + "id": "SV-230555" }, { - "title": "RHEL 8 must prevent system messages 
from being presented when three\nunsuccessful logon attempts occur.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. 
The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to prevent\ninformative messages from being presented at logon attempts:\n\n $ sudo grep silent /etc/security/faillock.conf\n\n silent\n\n If the \"silent\" option is not set, is missing or commented out, this is a\nfinding.", - "fix": "Configure the operating system to prevent informative messages from being\npresented at logon attempts.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n silent" + "default": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.", + "check": "Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:\n\n $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config\n\n -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\nIf the MACs entries in the \"opensshserver.config\" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.", + "fix": "Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\n A reboot is required for the changes to take effect." }, "impact": 0.5, "refs": [ 
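Review bot: The new `code` string for SV-230555 fails whenever the active config has X11Forwarding set to yes, but the control's own title and `check` text exempt a setting that is documented with the ISSO as an operational requirement, and nothing in the control lets an assessor record that exemption, so approved systems will always report a failure. A boolean input (new, name to be chosen by the profile) consulted in a second `only_if` would match the check text, e.g. `only_if('X11Forwarding is a documented operational requirement', impact: 0.0) { !input('x11_forwarding_documented') }`, or at minimum the intent should be stated in a comment above the `describe sshd_active_config` block such as `# Documented ISSO exceptions are not modeled here; a "yes" setting is always reported as a finding`. The `describe` presumably reads the effective sshd configuration rather than a single file, which is what the `check` text's `sshd -dd` listing is after, so the `cmp 'no'` comparison itself looks right.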
@@ -11691,38 +11659,40 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", + "gtitle": "SRG-OS-000250-GPOS-00093", "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174", + "SRG-OS-000125-GPOS-00065" ], - "gid": "V-230341", - "rid": "SV-230341r743978_rule", - "stig_id": "RHEL-08-020019", - "fix_id": "F-32985r743977_fix", + "gid": "V-230251", + "rid": "SV-230251r917870_rule", + "stig_id": "RHEL-08-010290", + "fix_id": "F-32895r917869_fix", "cci": [ - "CCI-000044" + "CCI-001453" ], "nist": [ - "AC-7 a" + "AC-17 (2)" ], "host": null, - "container": null + "container-conditional": null }, - "code": "control 'SV-230341' do\n title 'RHEL 8 must prevent system messages from being presented when three\nunsuccessful logon attempts occur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Note: This check applies to RHEL versions 8.2 or newer, if the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured to prevent\ninformative messages from being presented at logon attempts:\n\n $ sudo grep silent /etc/security/faillock.conf\n\n silent\n\n If the \"silent\" option is not set, is missing or commented out, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to prevent informative messages from being\npresented at logon attempts.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n silent'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230341'\n tag rid: 'SV-230341r743978_rule'\n tag stig_id: 'RHEL-08-020019'\n tag fix_id: 'F-32985r743977_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('silent') { should_not be_nil }\n end\nend\n", + "code": "control 'SV-230251' do\n title 'The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.'\n desc 'Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.'\n desc 'check', 'Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:\n\n $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config\n\n -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\nIf the MACs entries in the \"opensshserver.config\" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.'\n desc 'fix', 'Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\n A reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000250-GPOS-00093'\n tag satisfies: ['SRG-OS-000250-GPOS-00093', 'SRG-OS-000393-GPOS-00173', 
'SRG-OS-000394-GPOS-00174', 'SRG-OS-000125-GPOS-00065']\n tag gid: 'V-230251'\n tag rid: 'SV-230251r917870_rule'\n tag stig_id: 'RHEL-08-010290'\n tag fix_id: 'F-32895r917869_fix'\n tag cci: ['CCI-001453']\n tag nist: ['AC-17 (2)']\n tag 'host'\n tag 'container-conditional'\n\n # Check if SSH is installed within containerized RHEL\n only_if('SSH is not installed within containerized RHEL. Therefore, this requirement is not applicable.', impact: 0.0) do\n !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)\n end\n\n # Define the required algorithms\n required_algorithms = input('openssh_server_required_algorithms')\n\n # TODO: make a simple resource for this based off 'login_defs' or 'yum' as a model\n\n # Parse the configuration file to get the value of \"CRYPTO_POLICY\"\n crypto_policy = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config')['CRYPTO_POLICY']\n\n # Parse the CRYPTO_POLICY string into a hash of configuration options\n config_options = crypto_policy.scan(/-o(\\w+)=([\\w\\-,@]+.)/).to_h\n\n # Split each configuration option's values into an array\n config_options.transform_values! 
{ |v| v.split(',') }\n\n # Define the path to the crypto policy file\n crypto_policy_file = '/etc/crypto-policies/back-ends/opensshserver.config'\n\n # Test that the crypto policy file is configured with the required algorithms\n describe \"The crypto policy file #{crypto_policy_file}\" do\n it 'is configured with the required algorithms' do\n expect(crypto_policy).not_to be_nil, \"The crypto policy file #{crypto_policy_file} \\ndoes not contain the required algorithms\\n\\n\\t#{required_algorithms}.\"\n end\n end\n\n # Test that the MACS option in the crypto policy file contains the required algorithms in the correct order\n describe 'The MACs option in the crypto policy file' do\n it 'contains the required algorithms in the correct order' do\n expect(config_options['MACS']).to eq(required_algorithms), \"The MACS option in the crypto policy file does not contain the required algorithms in the *exact order*:\\n\\n\\texpected: #{required_algorithms}\\n\\tgot:#{config_options['MACS']}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230341.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230251.rb", "line": 1 }, - "id": "SV-230341" + "id": "SV-230251" }, { - "title": "RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.", - "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. 
This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", + "title": "RHEL 8 must automatically expire temporary accounts within 72 hours.", + "desc": "Temporary accounts are privileged or nonprivileged accounts that are\n established during pressing circumstances, such as new software or hardware\n configuration or an incident response, where the need for prompt account\n activation requires bypassing normal account authorization procedures.\n\n If any inactive temporary accounts are left enabled on the system and are\n not either manually removed or automatically expired within 72 hours, the\n security posture of the system will be degraded and exposed to exploitation\n by unauthorized users or insider threat actors.\n\n Temporary accounts are different from emergency accounts. Emergency accounts,\n also known as \"last resort\" or \"break glass\" accounts, are local logon accounts\n enabled on the system for emergency use by authorized system administrators\n to manage a system when standard logon methods are failing or not available.\n\n Emergency accounts are not subject to manual removal or scheduled expiration\n requirements.\n\n The automatic expiration of temporary accounts may be extended as needed by\n the circumstances but it must not be extended indefinitely. A documented\n permanent account should be established for privileged users who need long-term\n maintenance accounts.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", - "check": "Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.", - "fix": "Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3" + "default": "Temporary accounts are privileged or nonprivileged accounts that are\n established during pressing circumstances, such as new software or hardware\n configuration or an incident response, where the need for prompt account\n activation requires bypassing normal account authorization procedures.\n\n If any inactive temporary accounts are left enabled on the system and are\n not either manually removed or automatically expired within 72 hours, the\n security posture of the system will be degraded and exposed to exploitation\n by unauthorized users or insider threat actors.\n\n Temporary accounts are different from emergency accounts. 
Emergency accounts,\n also known as \"last resort\" or \"break glass\" accounts, are local logon accounts\n enabled on the system for emergency use by authorized system administrators\n to manage a system when standard logon methods are failing or not available.\n\n Emergency accounts are not subject to manual removal or scheduled expiration\n requirements.\n\n The automatic expiration of temporary accounts may be extended as needed by\n the circumstances but it must not be extended indefinitely. A documented\n permanent account should be established for privileged users who need long-term\n maintenance accounts.", + "check": "Verify temporary accounts have been provisioned with an\n expiration date of 72 hours.\n\n For every existing temporary account, run the following command to obtain its\n account expiration information:\n\n $ sudo chage -l | grep -i \"account expires\"\n\n Verify each of these accounts has an expiration date set within 72 hours.\n\n If any temporary accounts have no expiration date set or do not expire within\n 72 hours, this is a finding.", + "fix": "Configure the operating system to expire temporary accounts after\n 72 hours with the following command:\n\n $ sudo chage -E $(date -d +3days +%Y-%m-%d) " }, "impact": 0.5, "refs": [ 
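Review bot: In the new `code` string for SV-230251, `crypto_policy.scan(...)` runs unconditionally on the value returned by `parse_config_file(...)['CRYPTO_POLICY']`, so when the file or key is absent `crypto_policy` is nil and the control aborts with a NoMethodError before the `describe` that asserts `expect(crypto_policy).not_to be_nil` is ever evaluated; the guard should be moved ahead of the parse, e.g. `config_options = crypto_policy.nil? ? {} : crypto_policy.scan(/-o(\w+)=([\w\-,@]+.)/).to_h` (written here in Ruby form; it is JSON-escaped in the file). The trailing `.` in that pattern also captures one extra character after the algorithm list (a separator or closing quote), so the last element after `split(',')` can carry a stray character and the exact `eq(required_algorithms)` comparison would fail on a correctly configured host; `([\w\-,@]+)` without the trailing `.` is what the comparison needs. The `check` text uses `grep -i macs`, which suggests the key's case in the file may not be `MACS`, so a case-insensitive lookup of the key in `config_options` is worth considering. The `# TODO` about a dedicated resource is fine to keep, but it should not stand in for the nil guard above.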
@@ -11731,37 +11701,35 @@ } ], "tags": { - "check_id": "C-55151r902741_chk", "severity": "medium", - "gid": "V-251714", - "rid": "SV-251714r902743_rule", - "stig_id": "RHEL-08-020102", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-55105r902742_fix", - "documentable": null, + "gtitle": "SRG-OS-000123-GPOS-00064", + "gid": "V-230374", + "rid": "SV-230374r903129_rule", + "stig_id": "RHEL-08-020270", + "fix_id": "F-33018r902730_fix", "cci": [ - "CCI-000366" + "CCI-001682" ], "nist": [ - "CM-6 b" + "AC-2 (2)" ], "host": null, "container": null }, - "code": "control 'SV-251714' do\n title 'RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.0 through 8.3. 
If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55151r902741_chk'\n tag severity: 'medium'\n tag gid: 'V-251714'\n tag rid: 'SV-251714r902743_rule'\n tag stig_id: 'RHEL-08-020102'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55105r902742_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n only_if('This requirement only applies to RHEL 8 versions below 8.4', impact: 0.0) do\n os.release.to_f < 8.4\n end\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) }\n end\nend\n", + "code": "control 'SV-230374' do\n title 'RHEL 8 must automatically expire temporary accounts within 72 hours.'\n desc 'Temporary accounts are privileged or nonprivileged accounts that are\n established during pressing circumstances, such as new software or hardware\n configuration or an incident response, where the need for prompt account\n activation requires bypassing normal account authorization procedures.\n\n If any inactive temporary accounts are left enabled on the system and are\n not either manually removed or 
automatically expired within 72 hours, the\n security posture of the system will be degraded and exposed to exploitation\n by unauthorized users or insider threat actors.\n\n Temporary accounts are different from emergency accounts. Emergency accounts,\n also known as \"last resort\" or \"break glass\" accounts, are local logon accounts\n enabled on the system for emergency use by authorized system administrators\n to manage a system when standard logon methods are failing or not available.\n\n Emergency accounts are not subject to manual removal or scheduled expiration\n requirements.\n\n The automatic expiration of temporary accounts may be extended as needed by\n the circumstances but it must not be extended indefinitely. A documented\n permanent account should be established for privileged users who need long-term\n maintenance accounts.'\n desc 'check', 'Verify temporary accounts have been provisioned with an\n expiration date of 72 hours.\n\n For every existing temporary account, run the following command to obtain its\n account expiration information:\n\n $ sudo chage -l | grep -i \"account expires\"\n\n Verify each of these accounts has an expiration date set within 72 hours.\n\n If any temporary accounts have no expiration date set or do not expire within\n 72 hours, this is a finding.'\n desc 'fix', 'Configure the operating system to expire temporary accounts after\n 72 hours with the following command:\n\n $ sudo chage -E $(date -d +3days +%Y-%m-%d) '\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000123-GPOS-00064'\n tag gid: 'V-230374'\n tag rid: 'SV-230374r903129_rule'\n tag stig_id: 'RHEL-08-020270'\n tag fix_id: 'F-33018r902730_fix'\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n tag 'host'\n tag 'container'\n\n tmp_users = input('temporary_accounts')\n\n # NOTE: that 230331 is extremely similar to this req, to the point where this input seems\n # appropriate to use for both of them\n 
tmp_max_days = input('temporary_account_max_days')\n\n if tmp_users.empty?\n describe 'Temporary accounts' do\n subject { tmp_users }\n it { should be_empty }\n end\n else\n # user has to specify what the tmp accounts are, so we will print a different pass message\n # if none of those tmp accounts even exist on the system for clarity\n tmp_users_existing = tmp_users.select { |u| user(u).exists? }\n failing_users = tmp_users_existing.select { |u| user(u).warndays > tmp_max_days }\n\n describe 'Temporary accounts' do\n if tmp_users_existing.nil?\n it \"should have expiration times less than or equal to '#{tmp_max_days}' days\" do\n expect(failing_users).to be_empty, \"Failing users:\\n\\t- #{failing_users.join(\"\\n\\t- \")}\"\n end\n else\n it \"(input as '#{tmp_users.join(\"', '\")}') were not found on this system\" do\n expect(tmp_users_existing).to be_empty\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251714.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230374.rb", "line": 1 }, - "id": "SV-251714" + "id": "SV-230374" }, { - "title": "All RHEL 8 world-writable directories must be group-owned by root,\nsys, bin, or an application group.", - "desc": "If a world-writable directory is not group-owned by root, sys, bin, or\nan application Group Identifier (GID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "title": "RHEL 8 must not send Internet Control Message Protocol (ICMP)\nredirects.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "If a world-writable directory is not group-owned by root, sys, bin, or\nan application Group Identifier (GID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", - "check": "The following command will discover and print world-writable directories\nthat are not group-owned by a system account, given the assumption that only\nsystem accounts have a gid lower than 1000. 
Run it once for each local\npartition [PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -gid +999 -print\n\n If there is output, this is a finding.", - "fix": "All directories in local partitions which are world-writable\nmust be group-owned by root or another system account. If any world-writable\ndirectories are not group-owned by a system account, this must be investigated.\n Following this, the directories must be deleted or assigned to an appropriate\ngroup." + "default": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0\n\nIf \"net.ipv4.conf.all.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.send_redirects=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
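Review bot: In the new SV-230374 `code` string, `if tmp_users_existing.nil?` can never be true because `Array#select` always returns an array, so the branch that asserts `failing_users` is empty is dead and the control instead asserts `tmp_users_existing` is empty, i.e. it fails exactly when a listed temporary account exists on the host. The condition should read `if tmp_users_existing.any?` so that existing accounts are checked against `tmp_max_days` and the "were not found on this system" message is only produced when none of the input accounts exist. Separately, `user(u).warndays > tmp_max_days` compares the password-expiry warning period rather than an account expiration date; if InSpec's `user` resource does not expose the `chage -E` expiry, this does not implement the 72-hour account-expiration check the STIG text describes, and reading the "account expires" line of `chage -l` per user may be needed — worth confirming.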
@@ -11772,35 +11740,34 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230319", - "rid": "SV-230319r743961_rule", - "stig_id": "RHEL-08-010710", - "fix_id": "F-32963r567704_fix", + "gid": "V-230536", + "rid": "SV-230536r858795_rule", + "stig_id": "RHEL-08-040220", + "fix_id": "F-33180r858794_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230319' do\n title 'All RHEL 8 world-writable directories must be group-owned by root,\nsys, bin, or an application group.'\n desc 'If a world-writable directory is not group-owned by root, sys, bin, or\nan application Group Identifier (GID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories\nthat are not group-owned by a system account, given the assumption that only\nsystem accounts have a gid lower than 1000. Run it once for each local\npartition [PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -gid +999 -print\n\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable\nmust be group-owned by root or another system account. 
If any world-writable\ndirectories are not group-owned by a system account, this must be investigated.\n Following this, the directories must be deleted or assigned to an appropriate\ngroup.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230319'\n tag rid: 'SV-230319r743961_rule'\n tag stig_id: 'RHEL-08-010710'\n tag fix_id: 'F-32963r567704_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'\n end\n else\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n cmd = \"find #{partitions.join(' ')} -xdev -type d -perm -0002 -gid +999 -print\"\n failing_dirs = command(cmd).stdout.split(\"\\n\").uniq\n\n describe 'Any world-writeable directories' do\n it 'should be group-owned by system accounts' do\n expect(failing_dirs).to be_empty, \"Failing directories:\\n\\t- #{failing_dirs.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230536' do\n title 'RHEL 8 must not send Internet Control Message Protocol (ICMP)\nredirects.'\n desc %q(ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. 
Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0\n\nIf \"net.ipv4.conf.all.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.send_redirects=0\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230536'\n tag rid: 'SV-230536r858795_rule'\n tag stig_id: 'RHEL-08-040220'\n tag fix_id: 'F-33180r858794_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.send_redirects'\n action = 'IPv4 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? 
{ |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230319.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230536.rb", "line": 1 }, - "id": "SV-230319" + "id": "SV-230536" }, { - "title": "RHEL 8, for certificate-based authentication, must enforce authorized\naccess to the corresponding private key.", - "desc": "If an unauthorized user obtains access to a private key without a\npasscode, that user would have unauthorized access to any system where the\nassociated public key has been installed.", + "title": "Successful/unsuccessful uses of postqueue in RHEL 8 must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postqueue\" command implements the Postfix user interface for queue\nmanagement.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "If an unauthorized user obtains access to a private key without a\npasscode, that user would have unauthorized access to any system where the\nassociated public key has been installed.", - "check": "Verify the SSH private key files have a passcode.\n\nFor each private key stored on the system, use the following command:\n\n$ sudo ssh-keygen -y -f /path/to/file\n\nIf the contents of the key are displayed, this is a finding.", - "fix": "Create a new private and public key pair that utilizes a passcode with the\nfollowing command:\n\n $ sudo ssh-keygen -n [passphrase]" + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postqueue\" command implements the Postfix user interface for queue\nmanagement.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"postqueue\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"postqueue\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"postqueue\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." }, - "impact": 0, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" 
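Review bot: The grep in the new SV-230536 `code` string carries a stray `find -exec` tail, `command("grep -r ^#{parameter} #{sysctl_config_files} {} \\;")`, so grep is also handed the literal file names `{}` and `;`; today that only produces stderr noise, but it should be dropped: `command("grep -r ^#{parameter} #{sysctl_config_files}").stdout.split("\n")`. The value comparison also goes through `to_i`, so a malformed setting such as `= yes` coerces to 0 and satisfies both the `uniq_config_values.count` conflict check and the `all? { |v| v.to_i.eql?(value) }` assertion; comparing the stripped string against `value.to_s` would reject it. `"container"` was removed from this entry's tags while the code still branches on `virtualization.system.eql?('docker')`, which looks deliberate but is worth confirming against the other controls in this file.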
@@ -11808,34 +11775,42 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000067-GPOS-00035", - "gid": "V-230230", - "rid": "SV-230230r627750_rule", - "stig_id": "RHEL-08-010100", - "fix_id": "F-32874r567437_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230428", + "rid": "SV-230428r627750_rule", + "stig_id": "RHEL-08-030312", + "fix_id": "F-33072r568031_fix", "cci": [ - "CCI-000186" + "CCI-000169" ], "nist": [ - "IA-5 (2) (b)", - "IA-5 (2) (a) (1)" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230230' do\n title 'RHEL 8, for certificate-based authentication, must enforce authorized\naccess to the corresponding private key.'\n desc 'If an unauthorized user obtains access to a private key without a\npasscode, that user would have unauthorized access to any system where the\nassociated public key has been installed.'\n desc 'check', 'Verify the SSH private key files have a passcode.\n\nFor each private key stored on the system, use the following command:\n\n$ sudo ssh-keygen -y -f /path/to/file\n\nIf the contents of the key are displayed, this is a finding.'\n desc 'fix', 'Create a new private and public key pair that utilizes a passcode with the\nfollowing command:\n\n $ sudo ssh-keygen -n [passphrase]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000067-GPOS-00035'\n tag gid: 'V-230230'\n tag rid: 'SV-230230r627750_rule'\n tag stig_id: 'RHEL-08-010100'\n tag fix_id: 'F-32874r567437_fix'\n tag cci: ['CCI-000186']\n tag nist: ['IA-5 (2) (b)', 'IA-5 (2) (a) (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'N/A' do\n skip 'Control not applicable within a container'\n end\n elsif input('private_key_files').empty?\n 
impact 0.0\n describe 'N/A' do\n skip 'No private key files were given in the input, this control is Not Applicable'\n end\n elsif input('private_key_files').map { |kf| file(kf).exist? }.uniq.first == false\n describe 'no files found' do\n skip 'No private key files given in the input were found on the system; please check the input accurately lists all private keys on this system'\n end\n else\n passwordless_keys = input('private_key_files').select { |kf|\n file(kf).exist? &&\n !inspec.command(\"ssh-keygen -y -P '' -f #{kf}\").stderr.match('incorrect passphrase supplied to decrypt private key')\n }\n describe 'Private key files' do\n it 'should all have passwords set' do\n expect(passwordless_keys).to be_empty, \"Passwordless key files:\\n\\t- #{passwordless_keys.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230428' do\n title 'Successful/unsuccessful uses of postqueue in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postqueue\" command implements the Postfix user interface for queue\nmanagement.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"postqueue\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"postqueue\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"postqueue\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230428'\n tag rid: 'SV-230428r627750_rule'\n tag stig_id: 'RHEL-08-030312'\n tag fix_id: 'F-33072r568031_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/postqueue'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230230.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230428.rb", "line": 1 }, - "id": "SV-230230" + "id": "SV-230428" }, { - "title": "Successful/unsuccessful uses of the chcon command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chcon\" command is\nused to change file SELinux security context.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/sudoers.d/.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chcon\" command is\nused to change file SELinux security context.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chcon\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chcon /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chcon\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/sudoers.d/\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules\n\n -w /etc/sudoers.d/ -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/sudoers.d/\".\n\n Add or update the following file system rule 
to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers.d/ -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ @@ -11848,18 +11823,28 @@ "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ "SRG-OS-000062-GPOS-00031", + "SRG-OS-000004-GPOS-00004", "SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", + "SRG-OS-000304-GPOS-00121", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", - "SRG-OS-000468-GPOS-00212", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000304-GPOS-00121", + "CCI-002884", + "SRG-OS-000466-GPOS-00210", + "SRG-OS-000476-GPOS-00221" ], - "gid": "V-230419", - "rid": "SV-230419r627750_rule", - "stig_id": "RHEL-08-030260", - "fix_id": "F-33063r568004_fix", + "gid": "V-230410", + "rid": "SV-230410r627750_rule", + "stig_id": "RHEL-08-030172", + "fix_id": "F-33054r567977_fix", "cci": [ "CCI-000169" ], 
@@ -11868,20 +11853,20 @@ ], "host": null }, - "code": "control 'SV-230419' do\n title 'Successful/unsuccessful uses of the chcon command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chcon\" command is\nused to change file SELinux security context.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chcon\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chcon /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chcon\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 
'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230419'\n tag rid: 'SV-230419r627750_rule'\n tag stig_id: 'RHEL-08-030260'\n tag fix_id: 'F-33063r568004_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chcon'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230410' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/sudoers.d/.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/sudoers.d/\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules\n\n -w /etc/sudoers.d/ -p wa -k identity\n\n If the command does not return a line, or the line is commented 
out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/sudoers.d/\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers.d/ -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'CCI-002884', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230410'\n tag rid: 'SV-230410r627750_rule'\n tag stig_id: 'RHEL-08-030172'\n tag fix_id: 'F-33054r567977_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/sudoers.d'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230419.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230410.rb", "line": 1 }, - "id": "SV-230419" + "id": "SV-230410" }, { - "title": "The RHEL 8 shadow password suite must be configured to use a 
sufficient number of hashing rounds.",
- "desc": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.",
+ "title": "RHEL 8 must disable acquiring, saving, and processing core dumps.",
+ "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.\n\n When the kernel invokes systemd-coredumpt to handle a core dump, it runs in\nprivileged mode, and will connect to the socket created by the\nsystemd-coredump.socket unit. This, in turn, will spawn an unprivileged\nsystemd-coredump@.service instance to process the core dump.",
 "descriptions": {
- "default": "The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. 
If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.",
- "check": "Check that a minimum number of hash rounds is configured by running the following command:\n\n $ sudo grep -E \"^SHA_CRYPT_\" /etc/login.defs\n\nIf only one of \"SHA_CRYPT_MIN_ROUNDS\" or \"SHA_CRYPT_MAX_ROUNDS\" is set, and this value is below \"5000\", this is a finding.\n\nIf both \"SHA_CRYPT_MIN_ROUNDS\" and \"SHA_CRYPT_MAX_ROUNDS\" are set, and the highest value for either is below \"5000\", this is a finding.",
- "fix": "Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"SHA_CRYPT_MIN_ROUNDS\" to a value no lower than \"5000\":\n\nSHA_CRYPT_MIN_ROUNDS 5000"
+ "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.\n\n When the kernel invokes systemd-coredumpt to handle a core dump, it runs in\nprivileged mode, and will connect to the socket created by the\nsystemd-coredump.socket unit. 
This, in turn, will spawn an unprivileged\nsystemd-coredump@.service instance to process the core dump.",
+ "check": "Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:\n\n$ sudo systemctl status systemd-coredump.socket\n\nsystemd-coredump.socket\nLoaded: masked (Reason: Unit systemd-coredump.socket is masked.)\nActive: inactive (dead)\n\nIf the \"systemd-coredump.socket\" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.",
+ "fix": "Configure the system to disable the systemd-coredump.socket with the following commands:\n\n$ sudo systemctl disable --now systemd-coredump.socket\n\n$ sudo systemctl mask systemd-coredump.socket\n\nCreated symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload"
 },
 "impact": 0.5,
 "refs": [
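Review bot: In the new SV-230410 code, `audit_command = '/etc/sudoers.d'` drops the trailing slash that the STIG rule `-w /etc/sudoers.d/ -p wa -k identity` and the check text use, so whether `auditd.file(audit_command)` finds the rule depends on how the auditd resource and `auditctl -l` normalise directory watches — worth confirming on a host that has the rule loaded. The same string is also the lookup key into `input('audit_rule_keynames')`, so that input's keys must use the identical spelling. If the unslashed form is the one that matches, a comment above the assignment such as `# no trailing slash: must match the path as auditd reports it` would stop the next editor from "correcting" it back to the STIG spelling.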
@@ -11891,34 +11876,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000073-GPOS-00041", - "gid": "V-230233", - "rid": "SV-230233r880705_rule", - "stig_id": "RHEL-08-010130", - "fix_id": "F-32877r809272_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230312", + "rid": "SV-230312r833308_rule", + "stig_id": "RHEL-08-010672", + "fix_id": "F-32956r833307_fix", "cci": [ - "CCI-000196" + "CCI-000366" ], + "legacy": [], "nist": [ - "IA-5 (1) (c)" + "CM-6 b" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230233' do\n title 'The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.'\n desc 'The system must use a strong hashing algorithm to store the password.\nThe system must use a sufficient number of hashing rounds to ensure the\nrequired level of entropy.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.'\n desc 'check', 'Check that a minimum number of hash rounds is configured by running the following command:\n\n $ sudo grep -E \"^SHA_CRYPT_\" /etc/login.defs\n\nIf only one of \"SHA_CRYPT_MIN_ROUNDS\" or \"SHA_CRYPT_MAX_ROUNDS\" is set, and this value is below \"5000\", this is a finding.\n\nIf both \"SHA_CRYPT_MIN_ROUNDS\" and \"SHA_CRYPT_MAX_ROUNDS\" are set, and the highest value for either is below \"5000\", this is a finding.'\n desc 'fix', 'Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"SHA_CRYPT_MIN_ROUNDS\" to a value no lower than \"5000\":\n\nSHA_CRYPT_MIN_ROUNDS 5000'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-230233'\n tag rid: 'SV-230233r880705_rule'\n tag stig_id: 'RHEL-08-010130'\n tag fix_id: 
'F-32877r809272_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag 'host'\n tag 'container'\n\n min = input('sha_crypt_min_rounds')\n max = input('sha_crypt_max_rounds')\n\n describe.one do\n describe login_defs do\n its('SHA_CRYPT_MIN_ROUNDS') { should cmp >= min }\n end\n describe login_defs do\n its('SHA_CRYPT_MIN_ROUNDS') { should be_nil }\n end\n end\n describe.one do\n describe login_defs do\n its('SHA_CRYPT_MAX_ROUNDS') { should cmp >= max }\n end\n describe login_defs do\n its('SHA_CRYPT_MAX_ROUNDS') { should be_nil }\n end\n end\nend\n", + "code": "control 'SV-230312' do\n title 'RHEL 8 must disable acquiring, saving, and processing core dumps.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.\n\n When the kernel invokes systemd-coredumpt to handle a core dump, it runs in\nprivileged mode, and will connect to the socket created by the\nsystemd-coredump.socket unit. 
This, in turn, will spawn an unprivileged\nsystemd-coredump@.service instance to process the core dump.'\n desc 'check', 'Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:\n\n$ sudo systemctl status systemd-coredump.socket\n\nsystemd-coredump.socket\nLoaded: masked (Reason: Unit systemd-coredump.socket is masked.)\nActive: inactive (dead)\n\nIf the \"systemd-coredump.socket\" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the system to disable the systemd-coredump.socket with the following commands:\n\n$ sudo systemctl disable --now systemd-coredump.socket\n\n$ sudo systemctl mask systemd-coredump.socket\n\nCreated symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230312'\n tag rid: 'SV-230312r833308_rule'\n tag stig_id: 'RHEL-08-010672'\n tag fix_id: 'F-32956r833307_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n s = systemd_service('systemd-coredump.socket')\n\n describe.one do\n describe s do\n its('params.LoadState') { should eq 'masked' }\n end\n describe s do\n its('params.LoadState') { should eq 'not-found' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230233.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230312.rb", "line": 1 }, - "id": "SV-230233" + "id": "SV-230312" }, { - "title": "All RHEL 8 networked systems must have and implement SSH to protect\nthe confidentiality and integrity of transmitted and received information, 
as\nwell as information during preparation for transmission.", - "desc": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", + "title": "The RHEL 8 file integrity tool must notify the system administrator\nwhen changes to the baseline configuration or anomalies in the operation of any\nsecurity functions are discovered within an organizationally defined frequency.", + "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.\n\nRHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check.", "descriptions": { - "default": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", - "check": "Verify SSH is loaded and active with the following command:\n\n $ sudo systemctl status sshd\n\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days\nago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a\nfinding.", - "fix": "Configure the SSH service to automatically start after reboot with the\nfollowing command:\n\n $ sudo systemctl enable sshd.service" + "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.\n\nRHEL 8 comes with many optional software packages. 
A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check.", + "check": "Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered.\n\nCheck that RHEL 8 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands:\n\n $ sudo ls -al /etc/cron.* | grep aide\n\n -rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n $ sudo grep aide /etc/crontab /var/spool/cron/root\n\n /etc/crontab: 30 04 * * * root /usr/sbin/aide\n /var/spool/cron/root: 30 04 * * * root /usr/sbin/aide\n\n $ sudo more /etc/cron.daily/aide\n\n #!/bin/bash\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.", + "fix": "Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. 
The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n $ sudo more /etc/cron.daily/aide\n\n #!/bin/bash\n\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nNote: Per requirement RHEL-08-010358, the \"mailx\" package must be installed on the system to enable email functionality."
 },
 "impact": 0.5,
 "refs": [
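Review bot: The new SV-230312 test only asserts `params.LoadState` is `masked` or `not-found`, but the STIG check expects both `Loaded: masked` and `Active: inactive (dead)`, and masking a unit does not stop a socket that is already running until it is disabled or the daemon is reloaded. Adding `its('params.ActiveState') { should eq 'inactive' }` to the `masked` branch of the `describe.one` would make the test reflect the full check. The check text also allows an ISSO-documented operational need for core dumps, which the code does not model as an input; that may be deliberate, but a one-line comment saying the exception is handled out of band would make it explicit.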
@@ -11928,39 +11913,38 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000423-GPOS-00187", + "gtitle": "SRG-OS-000363-GPOS-00150", "satisfies": [ - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000424-GPOS-00188", - "SRG-OS-000425-GPOS-00189", - "SRG-OS-000426-GPOS-00190" + "SRG-OS-000363-GPOS-00150", + "SRG-OS-000446-GPOS-00200", + "SRG-OS-000447-GPOS-00201" ], - "gid": "V-230526", - "rid": "SV-230526r916422_rule", - "stig_id": "RHEL-08-040160", - "fix_id": "F-33170r744031_fix", + "gid": "V-230263", + "rid": "SV-230263r902716_rule", + "stig_id": "RHEL-08-010360", + "fix_id": "F-32907r902715_fix", "cci": [ - "CCI-002418" + "CCI-001744" ], "nist": [ - "SC-8" + "CM-3 (5)" ], "host": null }, - "code": "control 'SV-230526' do\n title 'All RHEL 8 networked systems must have and implement SSH to protect\nthe confidentiality and integrity of transmitted and received information, as\nwell as information during preparation for transmission.'\n desc 'Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.'\n desc 'check', 'Verify SSH is loaded and active with the following command:\n\n $ sudo systemctl status sshd\n\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days\nago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a\nfinding.'\n desc 'fix', 'Configure the SSH service to automatically start after reboot with the\nfollowing command:\n\n $ sudo systemctl enable sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000423-GPOS-00187'\n tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000424-GPOS-00188', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']\n tag gid: 'V-230526'\n tag rid: 'SV-230526r916422_rule'\n tag stig_id: 'RHEL-08-040160'\n tag fix_id: 'F-33170r744031_fix'\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe systemd_service('sshd.service') do\n it { should be_running }\n end\nend\n", + "code": "control 'SV-230263' do\n title 'The RHEL 8 file integrity tool must notify the system administrator\nwhen changes to the baseline configuration or anomalies in the operation of any\nsecurity functions are discovered within an organizationally defined frequency.'\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.\n\nRHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check.\"\n desc 'check', 'Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered.\n\nCheck that RHEL 8 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for scripts controlling the execution and notification of results of the file integrity application. 
For example, if AIDE is installed on the system, use the following commands:\n\n $ sudo ls -al /etc/cron.* | grep aide\n\n -rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n $ sudo grep aide /etc/crontab /var/spool/cron/root\n\n /etc/crontab: 30 04 * * * root /usr/sbin/aide\n /var/spool/cron/root: 30 04 * * * root /usr/sbin/aide\n\n $ sudo more /etc/cron.daily/aide\n\n #!/bin/bash\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. 
It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n $ sudo more /etc/cron.daily/aide\n\n #!/bin/bash\n\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nNote: Per requirement RHEL-08-010358, the \"mailx\" package must be installed on the system to enable email functionality.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000363-GPOS-00150'\n tag satisfies: ['SRG-OS-000363-GPOS-00150', 'SRG-OS-000446-GPOS-00200', 'SRG-OS-000447-GPOS-00201']\n tag gid: 'V-230263'\n tag rid: 'SV-230263r902716_rule'\n tag stig_id: 'RHEL-08-010360'\n tag fix_id: 'F-32907r902715_fix'\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag 'host'\n\n file_integrity_tool = input('file_integrity_tool')\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe package(file_integrity_tool) do\n it { should be_installed }\n end\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n its('content') { should match %r{/bin/mail} }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n its('content') { should match %r{/bin/mail} }\n end\n describe crontab('root').where { command =~ /#{file_integrity_tool}/ } do\n its('commands.flatten') { should include(match %r{/bin/mail}) }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('commands') { should include(match %r{/bin/mail}) }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230526.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230263.rb", "line": 1 }, - "id": "SV-230526" + "id": "SV-230263" }, { - "title": "The graphical display manager must not be the default target on RHEL 8 unless approved.", - "desc": "Internet services that are not required 
for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.",
+ "title": "RHEL 8 must take action when allocated audit record storage volume\n reaches 75 percent of the repository maximum audit record storage capacity.",
+ "desc": "If security personnel are not notified immediately when storage volume\n reaches 75 percent utilization, they are unable to plan for audit record\n storage capacity expansion.",
 "descriptions": {
- "default": "Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.",
- "check": "Verify that the system is configured to boot to the command line:\n\n$ systemctl get-default\nmulti-user.target\n\nIf the system default target is not set to \"multi-user.target\" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.",
- "fix": "Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:\n\nOpen an SSH session and enter the following commands:\n\n$ sudo systemctl set-default multi-user.target\n\nA reboot is required for the changes to take effect."
+ "default": "If security personnel are not notified immediately when storage volume\n reaches 75 percent utilization, they are unable to plan for audit record\n storage capacity expansion.", + "check": "Verify RHEL 8 takes action when allocated audit record storage\n volume reaches 75 percent of the repository maximum audit record storage\n capacity with the following commands:\n\n $ sudo grep -w space_left /etc/audit/auditd.conf\n\n space_left = 25%\n\n If the value of the \"space_left\" keyword is not set to \"25%\" or if the\n line is commented out, ask the System Administrator to indicate how the system\n is providing real-time alerts to the SA and ISSO.\n\n If there is no evidence that real-time alerts are configured on the system,\n this is a finding.", + "fix": "Configure the operating system to initiate an action to notify the\n SA and ISSO (at a minimum) when allocated audit record storage volume reaches\n 75 percent of the repository maximum audit record storage capacity by\n adding/modifying the following line in the /etc/audit/auditd.conf file.\n\n space_left = 25%\n\n Note: Option names and values in the auditd.conf file are case insensitive." }, "impact": 0.5, "refs": [ 
@@ -11969,36 +11953,70 @@ } ], "tags": { - "check_id": "C-55155r809376_chk", "severity": "medium", - "gid": "V-251718", - "rid": "SV-251718r809378_rule", - "stig_id": "RHEL-08-040321", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-55109r809377_fix", - "documentable": null, + "gtitle": "SRG-OS-000343-GPOS-00134", + "gid": "V-230483", + "rid": "SV-230483r877389_rule", + "stig_id": "RHEL-08-030730", + "fix_id": "F-33127r744013_fix", "cci": [ - "CCI-000366" + "CCI-001855" ], "nist": [ - "CM-6 b" + "AU-5 (1)" ], "host": null }, - "code": "control 'SV-251718' do\n title 'The graphical display manager must not be the default target on RHEL 8 unless approved.'\n desc 'Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.'\n desc 'check', 'Verify that the system is configured to boot to the command line:\n\n$ systemctl get-default\nmulti-user.target\n\nIf the system default target is not set to \"multi-user.target\" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.'\n desc 'fix', 'Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. 
If reinstallation is not feasible, then continue with the following procedure:\n\nOpen an SSH session and enter the following commands:\n\n$ sudo systemctl set-default multi-user.target\n\nA reboot is required for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55155r809376_chk'\n tag severity: 'medium'\n tag gid: 'V-251718'\n tag rid: 'SV-251718r809378_rule'\n tag stig_id: 'RHEL-08-040321'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55109r809377_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable inside the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('gui_required')\n impact 0.0\n describe 'skip' do\n skip 'A GUI is indicated as a requirement for this system. This control is Not Applicable.'\n end\n else\n get_default = command('systemctl get-default').stdout.strip\n\n describe get_default do\n it { should cmp 'multi-user.target' }\n end\n end\nend\n", + "code": "control 'SV-230483' do\n title 'RHEL 8 must take action when allocated audit record storage volume\n reaches 75 percent of the repository maximum audit record storage capacity.'\n desc 'If security personnel are not notified immediately when storage volume\n reaches 75 percent utilization, they are unable to plan for audit record\n storage capacity expansion.'\n desc 'check', 'Verify RHEL 8 takes action when allocated audit record storage\n volume reaches 75 percent of the repository maximum audit record storage\n capacity with the following commands:\n\n $ sudo grep -w space_left /etc/audit/auditd.conf\n\n space_left = 25%\n\n If the value of the \"space_left\" keyword is not set to \"25%\" or if the\n line is commented out, ask the System Administrator to indicate how the system\n is providing real-time alerts to the SA and ISSO.\n\n If there is no evidence that real-time alerts are configured on the 
system,\n this is a finding.'\n desc 'fix', 'Configure the operating system to initiate an action to notify the\n SA and ISSO (at a minimum) when allocated audit record storage volume reaches\n 75 percent of the repository maximum audit record storage capacity by\n adding/modifying the following line in the /etc/audit/auditd.conf file.\n\n space_left = 25%\n\n Note: Option names and values in the auditd.conf file are case insensitive.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000343-GPOS-00134'\n tag gid: 'V-230483'\n tag rid: 'SV-230483r877389_rule'\n tag stig_id: 'RHEL-08-030730'\n tag fix_id: 'F-33127r744013_fix'\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != ''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe auditd_conf do\n its('space_left.to_i') { should cmp >= input('audit_storage_threshold') }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251718.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230483.rb", "line": 1 }, - "id": "SV-251718" + "id": "SV-230483" }, { - "title": "RHEL 8 must block unauthorized peripherals before establishing a\nconnection.", - "desc": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. 
The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", + "title": "RHEL 8 must disable the transparent inter-process communication (TIPC)\nprotocol.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Transparent Inter-Process Communication (TIPC) protocol is designed to\nprovide communications between nodes in a cluster. Disabling TIPC protects the\nsystem against exploitation of any flaws in its implementation.", "descriptions": { - "default": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", - "check": "Verify the USBGuard has a policy configured with the following command:\n\n $ sudo usbguard list-rules\n\n If the command does not return results or an error is returned, ask the SA\nto indicate how unauthorized peripherals are being blocked.\n\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.", - "fix": "Configure the operating system to enable the blocking of unauthorized\nperipherals with the following command:\n This command must be run from a root shell and will create an allow list\nfor any usb devices currently connect to the system.\n\n # usbguard generate-policy > /etc/usbguard/rules.conf\n\n Note: Enabling and starting usbguard without properly configuring it for an\nindividual system will immediately prevent any access over a usb device such as\na keyboard or mouse" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Transparent Inter-Process Communication (TIPC) protocol is designed to\nprovide communications between nodes in a cluster. 
Disabling TIPC protects the\nsystem against exploitation of any flaws in its implementation.", + "check": "Verify the operating system disables the ability to load the TIPC protocol kernel module.\n\n $ sudo grep -r tipc /etc/modprobe.d/* | grep \"/bin/false\"\n install tipc /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the TIPC protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the TIPC protocol.\n\nCheck to see if the TIPC protocol is disabled with the following command:\n\n $ sudo grep -r tipc /etc/modprobe.d/* | grep \"blacklist\"\n blacklist tipc\n\nIf the command does not return any output or the output is not \"blacklist tipc\", and use of the TIPC protocol is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to use the TIPC protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install tipc /bin/false\n blacklist tipc\n\nReboot the system for the settings to take effect." + }, + "impact": 0.3, + "refs": [ + { + "ref": "DPMS Target Red Hat Enterprise Linux 8" + } + ], + "tags": { + "severity": "low", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230497", + "rid": "SV-230497r942927_rule", + "stig_id": "RHEL-08-040024", + "fix_id": "F-33141r942926_fix", + "cci": [ + "CCI-000381" + ], + "nist": [ + "CM-7 a" + ], + "host": null + }, + "code": "control 'SV-230497' do\n title 'RHEL 8 must disable the transparent inter-process communication (TIPC)\nprotocol.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Transparent Inter-Process Communication (TIPC) protocol is designed to\nprovide communications between nodes in a cluster. Disabling TIPC protects the\nsystem against exploitation of any flaws in its implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the TIPC protocol kernel module.\n\n $ sudo grep -r tipc /etc/modprobe.d/* | grep \"/bin/false\"\n install tipc /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the TIPC protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the TIPC protocol.\n\nCheck to see if the TIPC protocol is disabled with the following command:\n\n $ sudo grep -r tipc /etc/modprobe.d/* | grep \"blacklist\"\n blacklist tipc\n\nIf the command does not return any output or the output is not \"blacklist tipc\", and use of the TIPC protocol is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the TIPC protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install tipc /bin/false\n blacklist tipc\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230497'\n tag rid: 'SV-230497r942927_rule'\n tag stig_id: 'RHEL-08-040024'\n tag fix_id: 'F-33141r942926_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe kernel_module('tipc') do\n 
it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", + "source_location": { + "ref": "./Red Hat 8 STIG/controls/SV-230497.rb", + "line": 1 + }, + "id": "SV-230497" + }, + { + "title": "RHEL 8 must display a banner before granting local or remote access to\nthe system via a graphical user logon.", + "desc": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.", + "descriptions": { + "default": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.", + "check": "Verify RHEL 8 displays a banner before granting access to the operating\nsystem via a graphical user logon.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Check to see if the operating system displays a banner at the logon screen\nwith the following command:\n\n $ sudo grep banner-message-enable /etc/dconf/db/local.d/*\n\n banner-message-enable=true\n\n If \"banner-message-enable\" is set to \"false\" or is missing, this is a\nfinding.", + "fix": "Configure the operating system to display a banner before granting access\nto the system.\n\n Note: If the system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\n Create a database to contain the system-wide graphical user logon settings\n(if it does not already exist) with the following command:\n\n $ sudo touch /etc/dconf/db/local.d/01-banner-message\n\n Add the following lines to the [org/gnome/login-screen] section of the\n\"/etc/dconf/db/local.d/01-banner-message\":\n\n [org/gnome/login-screen]\n\n banner-message-enable=true\n\n Run the following command to update the database:\n\n $ sudo dconf update" }, "impact": 0.5, "refs": [ 
@@ -12008,33 +12026,37 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000378-GPOS-00163", - "gid": "V-230524", - "rid": "SV-230524r854065_rule", - "stig_id": "RHEL-08-040140", - "fix_id": "F-33168r744025_fix", + "gtitle": "SRG-OS-000023-GPOS-00006", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" + ], + "gid": "V-244519", + "rid": "SV-244519r743806_rule", + "stig_id": "RHEL-08-010049", + "fix_id": "F-47751r743805_fix", "cci": [ - "CCI-001958" + "CCI-000048" ], "nist": [ - "IA-3" + "AC-8 a" ], "host": null }, - "code": "control 'SV-230524' do\n title 'RHEL 8 must block unauthorized peripherals before establishing a\nconnection.'\n desc 'Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.'\n desc 'check', 'Verify the USBGuard has a policy configured with the following command:\n\n $ sudo usbguard list-rules\n\n If the command does not return results or an error is returned, ask the SA\nto indicate how unauthorized peripherals are being blocked.\n\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.'\n desc 'fix', 'Configure the operating system to enable the blocking of unauthorized\nperipherals with the following command:\n This command must be run from a root shell and will create an allow list\nfor any usb devices currently connect to the system.\n\n # usbguard generate-policy > /etc/usbguard/rules.conf\n\n Note: Enabling and starting usbguard without properly configuring it for an\nindividual system will immediately prevent any access over a usb device such as\na keyboard or mouse'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000378-GPOS-00163'\n tag gid: 'V-230524'\n tag rid: 'SV-230524r854065_rule'\n tag stig_id: 'RHEL-08-040140'\n tag fix_id: 'F-33168r744025_fix'\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n peripherals_package = input('peripherals_package')\n\n if peripherals_package != 'usbguard'\n describe 'Non-standard package' do\n it 'is handling peripherals' do\n expect(peripherals_package).to exist\n end\n end\n else\n describe command('usbguard list-rules') do\n its('stdout') { should_not be_empty }\n 
its('exit_status') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-244519' do\n title 'RHEL 8 must display a banner before granting local or remote access to\nthe system via a graphical user logon.'\n desc 'Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.'\n desc 'check', 'Verify RHEL 8 displays a banner before granting access to the operating\nsystem via a graphical user logon.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Check to see if the operating system displays a banner at the logon screen\nwith the following command:\n\n $ sudo grep banner-message-enable /etc/dconf/db/local.d/*\n\n banner-message-enable=true\n\n If \"banner-message-enable\" is set to \"false\" or is missing, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to display a banner before granting access\nto the system.\n\n Note: If the system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\n Create a database to contain the system-wide graphical user logon settings\n(if it does not already exist) with the following command:\n\n $ sudo touch /etc/dconf/db/local.d/01-banner-message\n\n Add the following lines to the [org/gnome/login-screen] section of the\n\"/etc/dconf/db/local.d/01-banner-message\":\n\n [org/gnome/login-screen]\n\n banner-message-enable=true\n\n Run the following command to update the database:\n\n $ sudo dconf update'\n impact 0.5\n ref 'DPMS Target Red 
Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-244519'\n tag rid: 'SV-244519r743806_rule'\n tag stig_id: 'RHEL-08-010049'\n tag fix_id: 'F-47751r743805_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n no_gui = command('ls /usr/share/xsessions/*').stderr.match?(/No such file or directory/)\n\n if no_gui\n impact 0.0\n describe 'The system does not have a GUI Desktop is installed, this control is Not Applicable' do\n skip 'A GUI desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('grep ^banner-message-enable /etc/dconf/db/local.d/*') do\n its('stdout.strip') { should cmp 'banner-message-enable=true' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230524.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244519.rb", "line": 1 }, - "id": "SV-230524" + "id": "SV-244519" }, { - "title": "A separate RHEL 8 filesystem must be used for the /tmp directory.", - "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "title": "The rsyslog service must be running in RHEL 8.", + "desc": "Configuring RHEL 8 to implement organization-wide security\nimplementation guides and security checklists ensures compliance with federal\nstandards and establishes a common security baseline across the DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. 
Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", - "check": "Verify that a separate file system/partition has been created for\nnon-privileged local interactive user home directories.\n\n $ sudo grep /tmp /etc/fstab\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If a separate entry for the file system/partition \"/tmp\" does not exist,\nthis is a finding.", - "fix": "Migrate the \"/tmp\" directory onto a separate file\nsystem/partition." + "default": "Configuring RHEL 8 to implement organization-wide security\nimplementation guides and security checklists ensures compliance with federal\nstandards and establishes a common security baseline across the DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", + "check": "Verify the rsyslog service is enabled and active with the following\ncommands:\n\n $ sudo systemctl is-enabled rsyslog\n\n enabled\n\n $ sudo systemctl is-active rsyslog\n\n active\n\n If the service is not \"enabled\" and \"active\" this is a finding.", + "fix": "Start the auditd service, and enable the rsyslog service with the following\ncommands:\n\n $ sudo systemctl start rsyslog.service\n\n $ sudo systemctl enable rsyslog.service" }, "impact": 0.5, "refs": [ @@ -12045,10 +12067,10 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230295", - "rid": "SV-230295r627750_rule", - "stig_id": "RHEL-08-010543", - "fix_id": "F-32939r567632_fix", + "gid": "V-230298", + "rid": "SV-230298r627750_rule", + "stig_id": "RHEL-08-010561", + "fix_id": "F-32942r567641_fix", "cci": [ "CCI-000366" ], 
@@ -12057,20 +12079,20 @@ ], "host": null }, - "code": "control 'SV-230295' do\n title 'A separate RHEL 8 filesystem must be used for the /tmp directory.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system/partition has been created for\nnon-privileged local interactive user home directories.\n\n $ sudo grep /tmp /etc/fstab\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If a separate entry for the file system/partition \"/tmp\" does not exist,\nthis is a finding.'\n desc 'fix', 'Migrate the \"/tmp\" directory onto a separate file\nsystem/partition.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230295'\n tag rid: 'SV-230295r627750_rule'\n tag stig_id: 'RHEL-08-010543'\n tag fix_id: 'F-32939r567632_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe mount('/tmp') do\n it { should be_mounted }\n end\n\n describe etc_fstab.where { mount_point == '/tmp' } do\n it { should exist }\n end\nend\n", + "code": "control 'SV-230298' do\n title 'The rsyslog service must be running in RHEL 8.'\n desc 'Configuring RHEL 8 to implement organization-wide security\nimplementation guides and security checklists ensures compliance with federal\nstandards and establishes a common security baseline across the DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. 
Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry\nsettings; account, file, directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.'\n desc 'check', 'Verify the rsyslog service is enabled and active with the following\ncommands:\n\n $ sudo systemctl is-enabled rsyslog\n\n enabled\n\n $ sudo systemctl is-active rsyslog\n\n active\n\n If the service is not \"enabled\" and \"active\" this is a finding.'\n desc 'fix', 'Start the auditd service, and enable the rsyslog service with the following\ncommands:\n\n $ sudo systemctl start rsyslog.service\n\n $ sudo systemctl enable rsyslog.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230298'\n tag rid: 'SV-230298r627750_rule'\n tag stig_id: 'RHEL-08-010561'\n tag fix_id: 'F-32942r567641_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe service('rsyslog') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230295.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230298.rb", "line": 1 }, - "id": "SV-230295" + "id": "SV-230298" }, { - "title": "RHEL 8 must automatically expire temporary accounts within 72 hours.", - "desc": "Temporary accounts are privileged or nonprivileged accounts that are\n established during pressing circumstances, such as new software or hardware\n configuration or an incident response, where the need for prompt account\n activation requires bypassing normal account authorization procedures.\n\n If any inactive temporary accounts are left enabled 
on the system and are\n not either manually removed or automatically expired within 72 hours, the\n security posture of the system will be degraded and exposed to exploitation\n by unauthorized users or insider threat actors.\n\n Temporary accounts are different from emergency accounts. Emergency accounts,\n also known as \"last resort\" or \"break glass\" accounts, are local logon accounts\n enabled on the system for emergency use by authorized system administrators\n to manage a system when standard logon methods are failing or not available.\n\n Emergency accounts are not subject to manual removal or scheduled expiration\n requirements.\n\n The automatic expiration of temporary accounts may be extended as needed by\n the circumstances but it must not be extended indefinitely. A documented\n permanent account should be established for privileged users who need long-term\n maintenance accounts.", + "title": "RHEL 8 audit log directory must have a mode of 0700 or less permissive\nto prevent unauthorized read access.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.", "descriptions": { - "default": "Temporary accounts are privileged or nonprivileged accounts that are\n established during pressing circumstances, such as new software or hardware\n configuration or an incident response, where the need for prompt account\n activation requires bypassing normal account authorization procedures.\n\n If any inactive temporary accounts are left enabled on the system and are\n not either manually removed or automatically expired within 72 hours, the\n security posture of the system will be degraded and exposed to exploitation\n by unauthorized users or insider threat actors.\n\n Temporary accounts are different from emergency 
accounts. Emergency accounts,\n also known as \"last resort\" or \"break glass\" accounts, are local logon accounts\n enabled on the system for emergency use by authorized system administrators\n to manage a system when standard logon methods are failing or not available.\n\n Emergency accounts are not subject to manual removal or scheduled expiration\n requirements.\n\n The automatic expiration of temporary accounts may be extended as needed by\n the circumstances but it must not be extended indefinitely. A documented\n permanent account should be established for privileged users who need long-term\n maintenance accounts.", - "check": "Verify temporary accounts have been provisioned with an\n expiration date of 72 hours.\n\n For every existing temporary account, run the following command to obtain its\n account expiration information:\n\n $ sudo chage -l | grep -i \"account expires\"\n\n Verify each of these accounts has an expiration date set within 72 hours.\n\n If any temporary accounts have no expiration date set or do not expire within\n 72 hours, this is a finding.", - "fix": "Configure the operating system to expire temporary accounts after\n 72 hours with the following command:\n\n $ sudo chage -E $(date -d +3days +%Y-%m-%d) " + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.", + "check": "Verify the audit log directories have a mode of \"0700\" or less permissive\nby first determining where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log, determine the directory where the\naudit logs are stored (ex: \"/var/log/audit\"). 
Run the following command to\ndetermine the permissions for the audit log folder:\n\n $ sudo stat -c \"%a %n\" /var/log/audit\n\n 700 /var/log/audit\n\n If the audit log directory has a mode more permissive than \"0700\", this\nis a finding.", + "fix": "Configure the audit log directory to be protected from unauthorized read\naccess by setting the correct permissive mode with the following command:\n\n $ sudo chmod 0700 [audit_log_directory]\n\n Replace \"[audit_log_directory]\" to the correct audit log directory path,\nby default this location is \"/var/log/audit\"." }, "impact": 0.5, "refs": [ 
@@ -12080,34 +12102,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000123-GPOS-00064", - "gid": "V-230374", - "rid": "SV-230374r903129_rule", - "stig_id": "RHEL-08-020270", - "fix_id": "F-33018r902730_fix", + "gtitle": "SRG-OS-000057-GPOS-00027", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-230401", + "rid": "SV-230401r627750_rule", + "stig_id": "RHEL-08-030120", + "fix_id": "F-33045r567950_fix", "cci": [ - "CCI-001682" + "CCI-000162" ], "nist": [ - "AC-2 (2)" + "AU-9", + "AU-9 a" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230374' do\n title 'RHEL 8 must automatically expire temporary accounts within 72 hours.'\n desc 'Temporary accounts are privileged or nonprivileged accounts that are\n established during pressing circumstances, such as new software or hardware\n configuration or an incident response, where the need for prompt account\n activation requires bypassing normal account authorization procedures.\n\n If any inactive temporary accounts are left enabled on the system and are\n not either manually removed or automatically expired within 72 hours, the\n security posture of the system will be degraded and exposed to exploitation\n by unauthorized users or insider threat actors.\n\n Temporary accounts are different from emergency accounts. Emergency accounts,\n also known as \"last resort\" or \"break glass\" accounts, are local logon accounts\n enabled on the system for emergency use by authorized system administrators\n to manage a system when standard logon methods are failing or not available.\n\n Emergency accounts are not subject to manual removal or scheduled expiration\n requirements.\n\n The automatic expiration of temporary accounts may be extended as needed by\n the circumstances but it must not be extended indefinitely. 
A documented\n permanent account should be established for privileged users who need long-term\n maintenance accounts.'\n desc 'check', 'Verify temporary accounts have been provisioned with an\n expiration date of 72 hours.\n\n For every existing temporary account, run the following command to obtain its\n account expiration information:\n\n $ sudo chage -l | grep -i \"account expires\"\n\n Verify each of these accounts has an expiration date set within 72 hours.\n\n If any temporary accounts have no expiration date set or do not expire within\n 72 hours, this is a finding.'\n desc 'fix', 'Configure the operating system to expire temporary accounts after\n 72 hours with the following command:\n\n $ sudo chage -E $(date -d +3days +%Y-%m-%d) '\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000123-GPOS-00064'\n tag gid: 'V-230374'\n tag rid: 'SV-230374r903129_rule'\n tag stig_id: 'RHEL-08-020270'\n tag fix_id: 'F-33018r902730_fix'\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n tag 'host'\n tag 'container'\n\n tmp_users = input('temporary_accounts')\n\n # NOTE: that 230331 is extremely similar to this req, to the point where this input seems\n # appropriate to use for both of them\n tmp_max_days = input('temporary_account_max_days')\n\n if tmp_users.empty?\n describe 'Temporary accounts' do\n subject { tmp_users }\n it { should be_empty }\n end\n else\n # user has to specify what the tmp accounts are, so we will print a different pass message\n # if none of those tmp accounts even exist on the system for clarity\n tmp_users_existing = tmp_users.select { |u| user(u).exists? 
}\n failing_users = tmp_users_existing.select { |u| user(u).warndays > tmp_max_days }\n\n describe 'Temporary accounts' do\n if tmp_users_existing.nil?\n it \"should have expiration times less than or equal to '#{tmp_max_days}' days\" do\n expect(failing_users).to be_empty, \"Failing users:\\n\\t- #{failing_users.join(\"\\n\\t- \")}\"\n end\n else\n it \"(input as '#{tmp_users.join(\"', '\")}') were not found on this system\" do\n expect(tmp_users_existing).to be_empty\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230401' do\n title 'RHEL 8 audit log directory must have a mode of 0700 or less permissive\nto prevent unauthorized read access.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.'\n desc 'check', 'Verify the audit log directories have a mode of \"0700\" or less permissive\nby first determining where the audit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log, determine the directory where the\naudit logs are stored (ex: \"/var/log/audit\"). 
Run the following command to\ndetermine the permissions for the audit log folder:\n\n $ sudo stat -c \"%a %n\" /var/log/audit\n\n 700 /var/log/audit\n\n If the audit log directory has a mode more permissive than \"0700\", this\nis a finding.'\n desc 'fix', 'Configure the audit log directory to be protected from unauthorized read\naccess by setting the correct permissive mode with the following command:\n\n $ sudo chmod 0700 [audit_log_directory]\n\n Replace \"[audit_log_directory]\" to the correct audit log directory path,\nby default this location is \"/var/log/audit\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230401'\n tag rid: 'SV-230401r627750_rule'\n tag stig_id: 'RHEL-08-030120'\n tag fix_id: 'F-33045r567950_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n log_dir = command(\"dirname #{auditd_conf('/etc/audit/auditd.conf').log_file}\").stdout.strip\n\n describe directory(log_dir) do\n it { should_not be_more_permissive_than('0700') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230374.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230401.rb", "line": 1 }, - "id": "SV-230374" + "id": "SV-230401" }, { - "title": "RHEL 8 must ensure account lockouts persist.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "RHEL 8 must not have any automated bug reporting tools installed.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. 
Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Check that the faillock directory contents persists after a reboot with the\nfollowing commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory on the \"preauth\" and \"authfail\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory on the \"preauth\" and \"authfail\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.", - "fix": "Configure the operating system maintain the contents of the faillock\ndirectory after a 
reboot.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n Note: Using the default faillock directory of /var/run/faillock will result\nin the contents being cleared in the event of a reboot.\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.", + "check": "Check to see if any automated bug reporting packages are installed with the\nfollowing command:\n\n $ sudo yum list installed abrt*\n\n If any automated bug reporting package is installed, this is a finding.", + "fix": "Configure the operating system to disable non-essential capabilities by\nremoving automated bug reporting packages from the system with the following\ncommand:\n\n $ sudo yum remove abrt*" }, "impact": 0.5, "refs": [ 
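Review bot: In the new `code` string for SV-230401, `log_dir` is obtained by shelling out — `command("dirname #{auditd_conf('/etc/audit/auditd.conf').log_file}")` — so when `log_file` is absent from auditd.conf the interpolation is empty, `dirname` fails, `log_dir` becomes `""`, and `directory('')` is what gets tested instead of the `/var/log/audit` default the check text names; interpolating a config value into a shell command is also unnecessary here. Resolving the path in Ruby avoids both: `log_file = auditd_conf('/etc/audit/auditd.conf').log_file || '/var/log/audit/audit.log'` followed by `log_dir = File.dirname(log_file)`. Because this JSON is an export of the profile, the change belongs in `./Red Hat 8 STIG/controls/SV-230401.rb` named in `source_location`, with this file regenerated afterwards.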
@@ -12117,38 +12144,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", - "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" - ], - "gid": "V-230338", - "rid": "SV-230338r627750_rule", - "stig_id": "RHEL-08-020016", - "fix_id": "F-32982r567761_fix", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230488", + "rid": "SV-230488r627750_rule", + "stig_id": "RHEL-08-040001", + "fix_id": "F-33132r568211_fix", "cci": [ - "CCI-000044" + "CCI-000381" ], "nist": [ - "AC-7 a" + "CM-7 a" ], "host": null, "container": null }, - "code": "control 'SV-230338' do\n title 'RHEL 8 must ensure account lockouts persist.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the faillock directory contents persists after a reboot with the\nfollowing commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory on the \"preauth\" and \"authfail\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory on the \"preauth\" and \"authfail\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.'\n desc 'fix', 'Configure the operating system maintain the contents of the faillock\ndirectory after a reboot.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n Note: Using the default faillock directory of /var/run/faillock will result\nin the contents being cleared in the event of 
a reboot.\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230338'\n tag rid: 'SV-230338r627750_rule'\n tag stig_id: 'RHEL-08-020016'\n tag fix_id: 'F-32982r567761_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) < 8.2\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args(\"dir=#{input('log_directory')}\")\n }\n end\n describe pam(pam_auth_files['system-auth']) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args(\"dir=#{input('log_directory')}\")\n }\n end\nend\n", + "code": "control 'SV-230488' do\n title 'RHEL 8 must not have any automated bug reporting tools installed.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.'\n desc 'check', 'Check to see if any automated bug reporting packages are installed with the\nfollowing command:\n\n $ sudo yum list installed abrt*\n\n If any automated bug reporting package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by\nremoving automated bug reporting packages from the system with the following\ncommand:\n\n $ sudo yum remove abrt*'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230488'\n tag rid: 'SV-230488r627750_rule'\n tag stig_id: 'RHEL-08-040001'\n tag fix_id: 'F-33132r568211_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n describe packages(/abrt/) do\n its('statuses') { should_not cmp 'installed' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230338.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230488.rb", "line": 1 }, - "id": "SV-230338" + "id": "SV-230488" }, { - "title": "RHEL 8 must prevent special devices on file systems that are used with\nremovable media.", - "desc": "The \"nodev\" mount option causes the system not to interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "title": "RHEL 8 must enable hardening for the Berkeley Packet Filter\nJust-in-time compiler.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "The \"nodev\" mount option causes the system not to interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", - "check": "Verify file systems that are used for removable media are mounted with the\n\"nodev\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nodev\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option on\nfile systems that are associated with removable media." + "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2\n\nIf \"net.core.bpf_jit_harden\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.core.bpf_jit_harden = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ @@ -12159,10 +12182,10 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230303", - "rid": "SV-230303r627750_rule", - "stig_id": "RHEL-08-010600", - "fix_id": "F-32947r567656_fix", + "gid": "V-244554", + "rid": "SV-244554r858832_rule", + "stig_id": "RHEL-08-040286", + "fix_id": "F-47786r858831_fix", "cci": [ "CCI-000366" ], 
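Review bot: The new SV-230488 check `describe packages(/abrt/) do its('statuses') { should_not cmp 'installed' } end` compares a whole array of statuses against one string; with more than one abrt package installed `statuses` is a multi-element array and, as far as I recall the `cmp` matcher, it is only reduced to a scalar for single-element arrays, so the negated comparison would pass and the finding would be missed. `its('statuses') { should_not include 'installed' }` (or `its('entries') { should be_empty }`) holds for any number of matches. The regex `/abrt/` is also an unanchored substring match, broader than the `abrt*` prefix the STIG check text uses; `/^abrt/` tracks it more closely. As with the other exported controls, the fix belongs in `./Red Hat 8 STIG/controls/SV-230488.rb` and this file should then be regenerated.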
@@ -12171,20 +12194,20 @@ ], "host": null }, - "code": "control 'SV-230303' do\n title 'RHEL 8 must prevent special devices on file systems that are used with\nremovable media.'\n desc 'The \"nodev\" mount option causes the system not to interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.'\n desc 'check', 'Verify file systems that are used for removable media are mounted with the\n\"nodev\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nodev\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nodev\" option on\nfile systems that are associated with removable media.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230303'\n tag rid: 'SV-230303r627750_rule'\n tag stig_id: 'RHEL-08-010600'\n tag fix_id: 'F-32947r567656_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nodev'\n file_systems = etc_fstab.params\n non_removable_media = input('non_removable_media_fs')\n mounted_removeable_media = file_systems.reject { |mnt| non_removable_media.include?(mnt['mount_point']) }\n failing_mounts = mounted_removeable_media.reject { |mnt| mnt['mount_options'].include?(option) }\n\n # be very explicit about why this one was a finding since we do not know which mounts are removeable media without the user telling us\n rem_media_msg = \"NOTE: Some mounted devices are not indicated to be non-removable media (you may need to 
update the 'non_removable_media_fs' input to check if these are truly subject to this requirement)\\n\"\n\n # there should either be no mounted removable media (which should be a requirement anyway), OR\n # all removeable media should be mounted with nodev\n if mounted_removeable_media.empty?\n describe 'No removeable media' do\n it 'are mounted' do\n expect(mounted_removeable_media).to be_empty\n end\n end\n else\n describe 'Any mounted removeable media' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"#{rem_media_msg}\\nRemoveable media without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-244554' do\n title 'RHEL 8 must enable hardening for the Berkeley Packet Filter\nJust-in-time compiler.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2\n\nIf \"net.core.bpf_jit_harden\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.core.bpf_jit_harden = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244554'\n tag rid: 'SV-244554r858832_rule'\n tag stig_id: 'RHEL-08-040286'\n tag fix_id: 'F-47786r858831_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.core.bpf_jit_harden'\n action = 'BPF JIT compiler'\n value = 2\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n 
expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230303.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244554.rb", "line": 1 }, - "id": "SV-230303" + "id": "SV-244554" }, { - "title": "The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.", - "desc": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n\"Setxattr\" is a system call used to set an extended attribute value.\n\"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\"Lsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.\n\"Removexattr\" is a system call that removes extended attributes.\n\"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. 
Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", + "title": "RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.", + "desc": "Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\n RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. 
The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.", "descriptions": { - "default": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n\"Setxattr\" is a system call used to set an extended attribute value.\n\"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\"Lsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.\n\"Removexattr\" is a system call that removes extended attributes.\n\"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", - "check": "Verify if RHEL 8 is configured to audit the execution of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls by running the following command:\n\n$ sudo grep xattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return an audit rule for \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" or any of the lines returned are commented out, this is a finding.", - "fix": "Configure RHEL 8 to audit the execution of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls by adding or updating the following lines to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k 
perm_mod\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default": "Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\n RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.", + "check": "Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive.\n\nCheck that the \"ClientAliveCountMax\" is set to \"1\" by performing the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientalivecountmax'\n\nClientAliveCountMax 1\n\nIf \"ClientAliveCountMax\" do not exist, is not set to a value of \"1\" in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Note: This setting must be applied in conjunction with RHEL-08-010201 to function correctly.\n\n Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.\n\n Modify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\n ClientAliveCountMax 1\n\n For the changes to take effect, the SSH daemon must be restarted:\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
@@ -12194,38 +12217,31 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000163-GPOS-00072", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000458-GPOS-00203", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000463-GPOS-00207", - "SRG-OS-000468-GPOS-00212", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000474-GPOS-00219", - "SRG-OS-000466-GPOS-00210" + "SRG-OS-000163-GPOS-00072", + "SRG-OS-000126-GPOS-00066", + "SRG-OS-000279-GPOS-00109" ], - "gid": "V-230413", - "rid": "SV-230413r810463_rule", - "stig_id": "RHEL-08-030200", - "fix_id": "F-33057r809294_fix", + "gid": "V-230244", + "rid": "SV-230244r951594_rule", + "stig_id": "RHEL-08-010200", + "fix_id": "F-32888r917866_fix", "cci": [ - "CCI-000169" + "CCI-001133" ], "nist": [ - "AU-12 a" + "SC-10" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230413' do\n title 'The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.'\n desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n\"Setxattr\" is a system call used to set an extended attribute value.\n\"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\"Lsetxattr\" is a system call used to set an extended attribute value. 
This is used to set extended attributes on a symbolic link.\n\"Removexattr\" is a system call that removes extended attributes.\n\"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible.'\n desc 'check', 'Verify if RHEL 8 is configured to audit the execution of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls by running the following command:\n\n$ sudo grep xattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return an audit rule for \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" or any of the lines returned are commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to audit the execution of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls by adding or updating the following lines to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat 
Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000458-GPOS-00203', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000474-GPOS-00219', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230413'\n tag rid: 'SV-230413r810463_rule'\n tag stig_id: 'RHEL-08-030200'\n tag fix_id: 'F-33057r809294_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_syscalls = ['setxattr', 'fsetxattr', 'lsetxattr', 'removexattr', 'fremovexattr', 'lremovexattr']\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", + "code": "control 'SV-230244' do\n title 'RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.'\n desc 'Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.\n\n RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" is used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.'\n desc 'check', %q(Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive.\n\nCheck that the \"ClientAliveCountMax\" is set to \"1\" by performing the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientalivecountmax'\n\nClientAliveCountMax 1\n\nIf \"ClientAliveCountMax\" do not exist, is not set to a value of \"1\" in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Note: This setting must be applied in conjunction with RHEL-08-010201 to function correctly.\n\n Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.\n\n Modify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\n ClientAliveCountMax 1\n\n For the changes to take effect, the SSH daemon must be restarted:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag satisfies: ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000126-GPOS-00066', 'SRG-OS-000279-GPOS-00109']\n tag gid: 'V-230244'\n tag rid: 'SV-230244r951594_rule'\n tag stig_id: 'RHEL-08-010200'\n tag fix_id: 'F-32888r917866_fix'\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'host'\n tag 'container-conditional'\n\n only_if('SSH is not installed on the system this requirement is Not Applicable', impact: 0.0) {\n (service('sshd').enabled? || package('openssh-server').installed?)\n }\n\n client_alive_count = input('sshd_client_alive_count_max')\n\n if virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?\n impact 0.0\n describe 'skip' do\n skip 'SSH configuration does not apply inside containers. 
This control is Not Applicable.'\n end\n else\n describe 'SSH ClientAliveCountMax configuration' do\n it \"should be set to #{client_alive_count}\" do\n expect(sshd_active_config.ClientAliveCountMax).to(cmp(client_alive_count), \"SSH ClientAliveCountMax is commented out or not set to the expected value (#{client_alive_count})\")\n end\n end\n end\nend\n",
 "source_location": {
- "ref": "./Red Hat 8 STIG/controls/SV-230413.rb",
+ "ref": "./Red Hat 8 STIG/controls/SV-230244.rb",
 "line": 1
 },
- "id": "SV-230413"
+ "id": "SV-230244"
 },
 {
 "title": "A File Transfer Protocol (FTP) server package must not be installed\nunless mission essential on RHEL 8.",
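Review bot: The embedded SV-230244 control asserts `ClientAliveCountMax` against `input('sshd_client_alive_count_max')` in the `it "should be set to #{client_alive_count}"` block, while the check and fix text in the same record require the literal value "1"; the profile's input definitions are not visible in this hunk, so if that input defaults to or is overridden with a larger value the automated result silently diverges from the STIG requirement, and that is worth a comment such as `# STIG requires ClientAliveCountMax 1; the input exists only for documented deviations` next to the input read. The fix text also states this setting only works in conjunction with RHEL-08-010201, yet the code never looks at `ClientAliveInterval`, which defaults to 0 in sshd and thereby disables client-alive probing entirely, so a host with `ClientAliveCountMax 1` and no interval would pass here without any idle session ever being terminated. A one-line note in the control, `# ClientAliveCountMax has no effect unless ClientAliveInterval > 0 (checked by RHEL-08-010201)`, would keep reviewers from reading a pass as proof of the timeout. If this JSON is regenerated from the profile, these changes presumably belong in `./Red Hat 8 STIG/controls/SV-230244.rb` rather than in this data file.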
@@ -12265,207 +12281,161 @@ "id": "SV-230558" }, { - "title": "RHEL 8 must not allow blank or null passwords in the system-auth file.", - "desc": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", + "title": "RHEL 8 must not accept router advertisements on all IPv6 interfaces.", + "desc": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.", - "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth\n\nIf output is produced, this is a finding.", - "fix": "Remove any instances of the \"nullok\" option in the\n\"/etc/pam.d/system-auth\" file to prevent logons with empty passwords.\n\n Note: Manual changes to the listed file may be overwritten by the\n\"authselect\" program." + "default": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by using the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_ra\n\nnet.ipv6.conf.all.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0\n\nIf \"net.ipv6.conf.all.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - 
"severity": "high", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-244540", - "rid": "SV-244540r743869_rule", - "stig_id": "RHEL-08-020331", - "fix_id": "F-47772r743868_fix", + "gid": "V-230541", + "rid": "SV-230541r858812_rule", + "stig_id": "RHEL-08-040261", + "fix_id": "F-33185r858811_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" - ] - }, - "code": "control 'SV-244540' do\n title 'RHEL 8 must not allow blank or null passwords in the system-auth file.'\n desc 'If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.'\n desc 'check', 'To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth\n\nIf output is produced, this is a finding.'\n desc 'fix', 'Remove any instances of the \"nullok\" option in the\n\"/etc/pam.d/system-auth\" file to prevent logons with empty passwords.\n\n Note: Manual changes to the listed file may be overwritten by the\n\"authselect\" program.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244540'\n tag rid: 'SV-244540r743869_rule'\n tag stig_id: 'RHEL-08-020331'\n tag fix_id: 'F-47772r743868_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n pam_auth_files = input('pam_auth_files')\n file_list = pam_auth_files.values.join(' ')\n bad_entries = command(\"grep -i nullok #{file_list}\").stdout.lines.map(&:strip)\n\n describe 'The system should be configureed' do\n subject { command(\"grep -i nullok #{file_list}\") }\n it 'to not allow null passwords' do\n expect(subject.stdout.strip).to be_empty, \"The system is configured to allow null passwords. 
Please remove any instances of the `nullok` option from auth files: \\n\\t- #{bad_entries.join(\"\\n\\t- \")}\"\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244540.rb", - "line": 1 - }, - "id": "SV-244540" - }, - { - "title": "Successful/unsuccessful uses of the passwd command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"passwd\" command is\nused to change passwords for user accounts.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"passwd\" command is\nused to change passwords for user accounts.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"passwd\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w passwd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-passwd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"passwd\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-passwd\n\n The audit daemon must be restarted for the changes to take effect." - }, - "impact": 0.5, - "refs": [ - { - "ref": "DPMS Target Red Hat Enterprise Linux 8" - } - ], - "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230422", - "rid": "SV-230422r627750_rule", - "stig_id": "RHEL-08-030290", - "fix_id": "F-33066r568013_fix", - "cci": [ - "CCI-000169" - ], - "nist": [ - "AU-12 a" ], "host": null }, - "code": "control 'SV-230422' do\n title 'Successful/unsuccessful uses of the passwd command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within 
the\ninformation system (e.g., module or policy filter). The \"passwd\" command is\nused to change passwords for user accounts.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"passwd\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w passwd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-passwd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"passwd\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-passwd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230422'\n tag rid: 'SV-230422r627750_rule'\n tag stig_id: 'RHEL-08-030290'\n tag fix_id: 'F-33066r568013_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/passwd'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230541' do\n title 'RHEL 8 must not accept router advertisements on all IPv6 interfaces.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by using the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_ra\n\nnet.ipv6.conf.all.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0\n\nIf \"net.ipv6.conf.all.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 
'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230541'\n tag rid: 'SV-230541r858812_rule'\n tag stig_id: 'RHEL-08-040261'\n tag fix_id: 'F-33185r858811_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_ra'\n action = 'IPv6 router advertisements'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly 
set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230422.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230541.rb", "line": 1 }, - "id": "SV-230422" + "id": "SV-230541" }, { - "title": "RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.", - "desc": "Routing protocol daemons are typically used on routers to exchange network\n topology information with other routers. If this software is used when not required,\n system network information may be unnecessarily transmitted across the network.\n\n The sysctl --system command will load settings from all system configuration files.\n\n All configuration files are sorted by their filename in lexicographic order, regardless\n of which of the directories they reside in. If multiple files specify the same option,\n the entry in the file with the lexicographically latest name will take precedence.\n\n Files are read from directories in the following list from top to bottom. 
Once a file of a\n given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf", + "title": "RHEL 8, for certificate-based authentication, must enforce authorized\naccess to the corresponding private key.", + "desc": "If an unauthorized user obtains access to a private key without a\npasscode, that user would have unauthorized access to any system where the\nassociated public key has been installed.", "descriptions": { - "default": "Routing protocol daemons are typically used on routers to exchange network\n topology information with other routers. If this software is used when not required,\n system network information may be unnecessarily transmitted across the network.\n\n The sysctl --system command will load settings from all system configuration files.\n\n All configuration files are sorted by their filename in lexicographic order, regardless\n of which of the directories they reside in. If multiple files specify the same option,\n the entry in the file with the lexicographically latest name will take precedence.\n\n Files are read from directories in the following list from top to bottom. 
Once a file of a\n given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf", - "check": "Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.\n\nCheck that IPv4 forwarding is disabled using the following command:\n\n$ sudo sysctl net.ipv4.conf.all.forwarding\n\nnet.ipv4.conf.all.forwarding = 0\nIf the IPv4 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0\n\nIf \"net.ipv4.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n net.ipv4.conf.all.forwarding=0\n\n Remove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system" + "default": "If an unauthorized user obtains access to a private key without a\npasscode, that user would have unauthorized access to any system where the\nassociated public key has been installed.", + "check": "Verify the SSH private 
key files have a passcode.\n\nFor each private key stored on the system, use the following command:\n\n$ sudo ssh-keygen -y -f /path/to/file\n\nIf the contents of the key are displayed, this is a finding.", + "fix": "Create a new private and public key pair that utilizes a passcode with the\nfollowing command:\n\n $ sudo ssh-keygen -n [passphrase]" }, - "impact": 0.5, + "impact": 0, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "check_id": "C-53751r833382_chk", "severity": "medium", - "gid": "V-250317", - "rid": "SV-250317r858808_rule", - "stig_id": "RHEL-08-040259", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-53705r858807_fix", - "documentable": null, + "gtitle": "SRG-OS-000067-GPOS-00035", + "gid": "V-230230", + "rid": "SV-230230r627750_rule", + "stig_id": "RHEL-08-010100", + "fix_id": "F-32874r567437_fix", "cci": [ - "CCI-000366" + "CCI-000186" ], "nist": [ - "CM-6 b" + "IA-5 (2) (b)", + "IA-5 (2) (a) (1)" ], "host": null }, - "code": "control 'SV-250317' do\n title 'RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network\n topology information with other routers. If this software is used when not required,\n system network information may be unnecessarily transmitted across the network.\n\n The sysctl --system command will load settings from all system configuration files.\n\n All configuration files are sorted by their filename in lexicographic order, regardless\n of which of the directories they reside in. If multiple files specify the same option,\n the entry in the file with the lexicographically latest name will take precedence.\n\n Files are read from directories in the following list from top to bottom. 
Once a file of a\n given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.\n\nCheck that IPv4 forwarding is disabled using the following command:\n\n$ sudo sysctl net.ipv4.conf.all.forwarding\n\nnet.ipv4.conf.all.forwarding = 0\nIf the IPv4 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0\n\nIf \"net.ipv4.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n net.ipv4.conf.all.forwarding=0\n\n Remove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-53751r833382_chk'\n tag severity: 'medium'\n tag gid: 'V-250317'\n tag rid: 'SV-250317r858808_rule'\n tag stig_id: 'RHEL-08-040259'\n tag gtitle: 
'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-53705r858807_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.forwarding'\n action = 'IPv4 packet forwarding'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to 
be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230230' do\n title 'RHEL 8, for certificate-based authentication, must enforce authorized\naccess to the corresponding private key.'\n desc 'If an unauthorized user obtains access to a private key without a\npasscode, that user would have unauthorized access to any system where the\nassociated public key has been installed.'\n desc 'check', 'Verify the SSH private key files have a passcode.\n\nFor each private key stored on the system, use the following command:\n\n$ sudo ssh-keygen -y -f /path/to/file\n\nIf the contents of the key are displayed, this is a finding.'\n desc 'fix', 'Create a new private and public key pair that utilizes a passcode with the\nfollowing command:\n\n $ sudo ssh-keygen -n [passphrase]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000067-GPOS-00035'\n tag gid: 'V-230230'\n tag rid: 'SV-230230r627750_rule'\n tag stig_id: 'RHEL-08-010100'\n tag fix_id: 'F-32874r567437_fix'\n tag cci: ['CCI-000186']\n tag nist: ['IA-5 (2) (b)', 'IA-5 (2) (a) (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'N/A' do\n skip 'Control not applicable within a container'\n end\n elsif input('private_key_files').empty?\n impact 0.0\n describe 'N/A' do\n skip 'No private key files were given in the input, this control is Not Applicable'\n end\n elsif input('private_key_files').map { |kf| file(kf).exist? 
}.uniq.first == false\n describe 'no files found' do\n skip 'No private key files given in the input were found on the system; please check the input accurately lists all private keys on this system'\n end\n else\n passwordless_keys = input('private_key_files').select { |kf|\n file(kf).exist? &&\n !inspec.command(\"ssh-keygen -y -P '' -f #{kf}\").stderr.match('incorrect passphrase supplied to decrypt private key')\n }\n describe 'Private key files' do\n it 'should all have passwords set' do\n expect(passwordless_keys).to be_empty, \"Passwordless key files:\\n\\t- #{passwordless_keys.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-250317.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230230.rb", "line": 1 }, - "id": "SV-250317" + "id": "SV-230230" }, { - "title": "RHEL 8 must have policycoreutils package installed.", - "desc": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Policycoreutils contains the policy core utilities that are required for\nbasic operation of an SELinux-enabled system. 
These utilities include\nload_policy to load SELinux policies, setfile to label filesystems, newrole to\nswitch roles, and run_init to run /etc/init.d scripts in the proper context.", + "title": "The RHEL 8 audit system must be configured to audit the execution of\nprivileged functions and prevent all software from executing at higher\nprivilege levels than users executing the software.", + "desc": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", "descriptions": { - "default": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Policycoreutils contains the policy core utilities that are required for\nbasic operation of an SELinux-enabled system. 
These utilities include\nload_policy to load SELinux policies, setfile to label filesystems, newrole to\nswitch roles, and run_init to run /etc/init.d scripts in the proper context.", - "check": "Verify the operating system has the policycoreutils package installed with\nthe following command:\n\n $ sudo yum list installed policycoreutils\n\n policycoreutils.x86_64\n2.9-3.el8 @anaconda\n\n If the policycoreutils package is not installed, this is a finding.", - "fix": "Configure the operating system to have the policycoreutils package\ninstalled with the following command:\n\n $ sudo yum install policycoreutils" + "default": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", + "check": "Verify RHEL 8 audits the execution of privileged functions.\n\n Check if RHEL 8 is configured to audit the execution of the \"execve\"\nsystem call, by running the following command:\n\n $ sudo grep execve /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\n If the command does not return all lines, or the lines are commented out,\nthis is a finding.", + "fix": "Configure RHEL 8 to audit the execution of the \"execve\" system call.\n\n Add or update the following file system rules to\n\"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C 
uid!=euid -F euid=0 -k execpriv\n\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\n The audit daemon must be restarted for the changes to take effect." }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000134-GPOS-00068", - "gid": "V-230241", - "rid": "SV-230241r627750_rule", - "stig_id": "RHEL-08-010171", - "fix_id": "F-32885r567470_fix", + "severity": "medium", + "gtitle": "SRG-OS-000326-GPOS-00126", + "satisfies": [ + "SRG-OS-000326-GPOS-00126", + "SRG-OS-000327-GPOS-00127" + ], + "gid": "V-230386", + "rid": "SV-230386r854037_rule", + "stig_id": "RHEL-08-030000", + "fix_id": "F-33030r567905_fix", "cci": [ - "CCI-001084" + "CCI-002233" ], "nist": [ - "SC-3" + "AC-6 (8)" ], "host": null }, - "code": "control 'SV-230241' do\n title 'RHEL 8 must have policycoreutils package installed.'\n desc 'Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n Policycoreutils contains the policy core utilities that are required for\nbasic operation of an SELinux-enabled system. 
These utilities include\nload_policy to load SELinux policies, setfile to label filesystems, newrole to\nswitch roles, and run_init to run /etc/init.d scripts in the proper context.'\n desc 'check', 'Verify the operating system has the policycoreutils package installed with\nthe following command:\n\n $ sudo yum list installed policycoreutils\n\n policycoreutils.x86_64\n2.9-3.el8 @anaconda\n\n If the policycoreutils package is not installed, this is a finding.'\n desc 'fix', 'Configure the operating system to have the policycoreutils package\ninstalled with the following command:\n\n $ sudo yum install policycoreutils'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000134-GPOS-00068'\n tag gid: 'V-230241'\n tag rid: 'SV-230241r627750_rule'\n tag stig_id: 'RHEL-08-010171'\n tag fix_id: 'F-32885r567470_fix'\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n describe package('policycoreutils') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-230386' do\n title 'The RHEL 8 audit system must be configured to audit the execution of\nprivileged functions and prevent all software from executing at higher\nprivilege levels than users executing the software.'\n desc 'Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. 
Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.'\n desc 'check', 'Verify RHEL 8 audits the execution of privileged functions.\n\n Check if RHEL 8 is configured to audit the execution of the \"execve\"\nsystem call, by running the following command:\n\n $ sudo grep execve /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\n If the command does not return all lines, or the lines are commented out,\nthis is a finding.'\n desc 'fix', 'Configure RHEL 8 to audit the execution of the \"execve\" system call.\n\n Add or update the following file system rules to\n\"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000326-GPOS-00126'\n tag satisfies: ['SRG-OS-000326-GPOS-00126', 'SRG-OS-000327-GPOS-00127']\n tag gid: 'V-230386'\n tag rid: 'SV-230386r854037_rule'\n tag stig_id: 'RHEL-08-030000'\n tag fix_id: 'F-33030r567905_fix'\n tag cci: ['CCI-002233']\n tag nist: ['AC-6 (8)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_syscalls = ['execve']\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited 
properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('uid!=euid', 'gid!=egid', 'euid=0', 'egid=0')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230241.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230386.rb", "line": 1 }, - "id": "SV-230241" + "id": "SV-230386" }, { - "title": "RHEL 8 must prevent a user from overriding the session lock-delay\nsetting for the graphical user interface.", - "desc": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", + "title": "RHEL 8 must prevent kernel profiling by unprivileged users.", + "desc": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions 
of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nSetting the kernel.perf_event_paranoid kernel parameter to \"2\" prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", - "check": "Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-delay\n\n If the command does not return at least the example result, this is a\nfinding.", - "fix": "Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/screensaver/lock-delay" + "default": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. 
This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nSetting the kernel.perf_event_paranoid kernel parameter to \"2\" prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:\n\nCheck the status of the kernel.perf_event_paranoid kernel parameter.\n\n$ sudo sysctl kernel.perf_event_paranoid\n\nkernel.perf_event_paranoid = 2\n\nIf \"kernel.perf_event_paranoid\" is not set to \"2\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2\n\nIf \"kernel.perf_event_paranoid\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to prevent kernel 
profiling by unprivileged users.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.perf_event_paranoid = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "satisfies": [ - "SRG-OS-000029-GPOS-00010", - "SRG-OS-000031-GPOS-00012", - "SRG-OS-000480-GPOS-00227" - ], - "gid": "V-230354", - "rid": "SV-230354r743990_rule", - "stig_id": "RHEL-08-020080", - "fix_id": "F-32998r743989_fix", + "severity": "low", + "gtitle": "SRG-OS-000138-GPOS-00069", + "gid": "V-230270", + "rid": "SV-230270r858758_rule", + "stig_id": "RHEL-08-010376", + "fix_id": "F-32914r858757_fix", "cci": [ - "CCI-000057" + "CCI-001090" ], "nist": [ - "AC-11 a" + "SC-4" ], "host": null }, - "code": "control 'SV-230354' do\n title 'RHEL 8 must prevent a user from overriding the session lock-delay\nsetting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able 
to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.\"\n desc 'check', 'Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-delay\n\n If the command does not return at least the example result, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/screensaver/lock-delay'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: 
['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-230354'\n tag rid: 'SV-230354r743990_rule'\n tag stig_id: 'RHEL-08-020080'\n tag fix_id: 'F-32998r743989_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command('grep -i lock-delay /etc/dconf/db/local.d/locks/*') do\n its('stdout.split') { should include '/org/gnome/desktop/screensaver/lock-delay' }\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-230270' do\n title 'RHEL 8 must prevent kernel profiling by unprivileged users.'\n desc 'Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. 
This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.\n\nSetting the kernel.perf_event_paranoid kernel parameter to \"2\" prevents attackers from gaining additional system information as a non-privileged user.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:\n\nCheck the status of the kernel.perf_event_paranoid kernel parameter.\n\n$ sudo sysctl kernel.perf_event_paranoid\n\nkernel.perf_event_paranoid = 2\n\nIf \"kernel.perf_event_paranoid\" is not set to \"2\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2\n\nIf \"kernel.perf_event_paranoid\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to prevent 
kernel profiling by unprivileged users.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.perf_event_paranoid = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000138-GPOS-00069'\n tag gid: 'V-230270'\n tag rid: 'SV-230270r858758_rule'\n tag stig_id: 'RHEL-08-010376'\n tag fix_id: 'F-32914r858757_fix'\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'kernel.perf_event_paranoid'\n\n describe kernel_parameter(action) do\n its('value') { should eq 2 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? 
{ |line| line.match(/#{action}\\s*=\\s*2$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^2]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230354.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230270.rb", "line": 1 }, - "id": "SV-230354" + "id": "SV-230270" }, { - "title": "RHEL 8 must use reverse path filtering on all IPv4 interfaces.", + "title": "RHEL 8 must disable the use of user namespaces.", "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { "default": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:\n\n$ sudo sysctl net.ipv4.conf.all.rp_filter\n\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.ipv4.conf.all.rp_filter = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" + "check": "Verify RHEL 8 disables the use of user namespaces with the following commands:\n\nNote: User namespaces are used primarily for Linux containers. 
If containers are in use, this requirement is not applicable.\n\n$ sudo sysctl user.max_user_namespaces\n\nuser.max_user_namespaces = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0\n\nIf \"user.max_user_namespaces\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.",
+ "fix": "Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\nuser.max_user_namespaces = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system"
},
"impact": 0.5,
"refs": [
@@ -12476,10 +12446,10 @@
"tags": {
"severity": "medium",
"gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230549",
- "rid": "SV-230549r858830_rule",
- "stig_id": "RHEL-08-040285",
- "fix_id": "F-33193r858829_fix",
+ "gid": "V-230548",
+ "rid": "SV-230548r858828_rule",
+ "stig_id": "RHEL-08-040284",
+ "fix_id": "F-33192r858827_fix",
"cci": [
"CCI-000366"
],
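Review bot: The identifiers added on the new side of this tags hunk (`"stig_id": "RHEL-08-040284"`, `"gid": "V-230548"`, `"rid": "SV-230548r858828_rule"`, `"fix_id": "F-33192r858827_fix"`) are RHEL 8 STIG rule ids, and the surrounding hunks pair them with `ref 'DPMS Target Red Hat Enterprise Linux 8'` and a `./Red Hat 8 STIG/controls/SV-230548.rb` source location, so please confirm this baseline file is genuinely meant to carry the RHEL 8 profile rather than the distribution its name suggests. The removed side carried RHEL 8 ids as well, so this looks pre-existing rather than introduced here, but a commit that rewrites the whole control set is the right place to settle it. The `"severity": "medium"` and `"gtitle"` lines are kept as context while every rule-specific id moves to a neighbouring rule; that pairing is plausible but cannot be checked from the hunk, so it should be verified against the published STIG instead of inherited from the old control. The ids in this hunk do agree with the `tag gid`/`tag rid`/`tag stig_id`/`tag fix_id` values embedded in the new `"code"` string of the following hunk, which is the consistency that matters for downstream consumers matching on `id`.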
@@ -12488,93 +12458,93 @@ ], "host": null }, - "code": "control 'SV-230549' do\n title 'RHEL 8 must use reverse path filtering on all IPv4 interfaces.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:\n\n$ sudo sysctl net.ipv4.conf.all.rp_filter\n\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use reverse 
path filtering on all IPv4 interfaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.ipv4.conf.all.rp_filter = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230549'\n tag rid: 'SV-230549r858830_rule'\n tag stig_id: 'RHEL-08-040285'\n tag fix_id: 'F-33193r858829_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.rp_filter'\n action = 'IPv4 reverse path filtering'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230548' do\n title 'RHEL 8 must disable the use of user namespaces.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 disables the use of user namespaces with the following commands:\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\n$ sudo sysctl user.max_user_namespaces\n\nuser.max_user_namespaces = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0\n\nIf \"user.max_user_namespaces\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nNote: User namespaces are used primarily for Linux containers. 
If containers are in use, this requirement is not applicable.\n\nuser.max_user_namespaces = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230548'\n tag rid: 'SV-230548r858828_rule'\n tag stig_id: 'RHEL-08-040284'\n tag fix_id: 'F-33192r858827_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'user.max_user_namespaces'\n action = 'user namespaces'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n # Check if the system is a container host\n elsif input('container_host')\n impact 0.0\n describe 'Control not applicable when system is a host for containers' do\n skip 'Control not applicable for container hosts'\n end\n else\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n 
search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230549.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230548.rb", "line": 1 }, - "id": "SV-230549" + "id": "SV-230548" }, { - "title": "RHEL 8 must enforce password complexity by requiring that at least one\nuppercase character be used.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require uppercase characters, without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", + "title": "YUM must remove all software components after updated versions have\nbeen installed on RHEL 8.", + "desc": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require uppercase characters, without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".", - "check": "Verify the value for \"ucredit\" with the following command:\n\n$ sudo grep -r ucredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:ucredit = -1\n\nIf the value of \"ucredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one uppercase character be used by setting the \"ucredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nucredit = -1\n\nRemove any configurations that conflict with the above value." + "default": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. 
Some information technology products may remove older versions of\nsoftware automatically from the information system.", + "check": "Verify the operating system removes all software components after updated\nversions have been installed.\n\n Check if YUM is configured to remove unneeded packages with the following\ncommand:\n\n $ sudo grep -i clean_requirements_on_remove /etc/dnf/dnf.conf\n\n clean_requirements_on_remove=True\n\n If \"clean_requirements_on_remove\" is not set to either \"1\", \"True\",\nor \"yes\", commented out, or is missing from \"/etc/dnf/dnf.conf\", this is a\nfinding.", + "fix": "Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"clean_requirements_on_remove\" option to \"True\" in the\n\"/etc/dnf/dnf.conf\" file:\n\n clean_requirements_on_remove=True" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000069-GPOS-00037", - "gid": "V-230357", - "rid": "SV-230357r858771_rule", - "stig_id": "RHEL-08-020110", - "fix_id": "F-33001r858770_fix", + "severity": "low", + "gtitle": "SRG-OS-000437-GPOS-00194", + "gid": "V-230281", + "rid": "SV-230281r854034_rule", + "stig_id": "RHEL-08-010440", + "fix_id": "F-32925r567590_fix", "cci": [ - "CCI-000192" + "CCI-002617" ], "nist": [ - "IA-5 (1) (a)" + "SI-2 (6)" ], "host": null, "container": null }, - "code": "control 'SV-230357' do\n title 'RHEL 8 must enforce password complexity by requiring that at least one\nuppercase character be used.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.\nNote that in order to require uppercase characters, without degrading the\n\"minlen\" value, the credit value must be expressed as a negative number in\n\"/etc/security/pwquality.conf\".'\n desc 'check', 'Verify the value for \"ucredit\" with the following command:\n\n$ sudo grep -r ucredit /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:ucredit = -1\n\nIf the value of \"ucredit\" is a positive number or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce password complexity by requiring that at least one uppercase character be used by setting the \"ucredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\nucredit = -1\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-230357'\n tag rid: 'SV-230357r858771_rule'\n tag stig_id: 'RHEL-08-020110'\n tag fix_id: 'F-33001r858770_fix'\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe 'pwquality.conf:' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting) { 'ucredit' }\n let(:value) { Array(config.params[setting]) }\n\n it 'has `ucredit` set' do\n expect(value).not_to be_empty, 'ucredit is not set in pwquality.conf'\n end\n\n it 'only sets `ucredit` once' do\n expect(value.length).to eq(1), 'ucredit is commented or set more than once in pwquality.conf'\n end\n\n it 'does not set `ucredit` to a positive value' do\n expect(value.first.to_i).to cmp < 0, 'ucredit is not set to 
a negative value in pwquality.conf'\n end\n end\nend\n", + "code": "control 'SV-230281' do\n title 'YUM must remove all software components after updated versions have\nbeen installed on RHEL 8.'\n desc 'Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.'\n desc 'check', 'Verify the operating system removes all software components after updated\nversions have been installed.\n\n Check if YUM is configured to remove unneeded packages with the following\ncommand:\n\n $ sudo grep -i clean_requirements_on_remove /etc/dnf/dnf.conf\n\n clean_requirements_on_remove=True\n\n If \"clean_requirements_on_remove\" is not set to either \"1\", \"True\",\nor \"yes\", commented out, or is missing from \"/etc/dnf/dnf.conf\", this is a\nfinding.'\n desc 'fix', 'Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"clean_requirements_on_remove\" option to \"True\" in the\n\"/etc/dnf/dnf.conf\" file:\n\n clean_requirements_on_remove=True'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000437-GPOS-00194'\n tag gid: 'V-230281'\n tag rid: 'SV-230281r854034_rule'\n tag stig_id: 'RHEL-08-010440'\n tag fix_id: 'F-32925r567590_fix'\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/dnf/dnf.conf') do\n its('main.clean_requirements_on_remove') { should match(/1|True|yes/i) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230357.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230281.rb", "line": 1 }, - "id": "SV-230357" + "id": "SV-230281" }, { - "title": "The RHEL 8 /var/log/messages file must be group-owned by root.", - "desc": "Only authorized personnel 
should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "RHEL 8 must enable the hardware random number generator entropy\ngatherer service.", + "desc": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify the \"/var/log/messages\" file is group-owned by root with the\nfollowing command:\n\n $ sudo stat -c \"%G\" /var/log/messages\n\n root\n\n If \"root\" is not returned as a result, this is a finding.", - "fix": "Change the group of the file \"/var/log/messages\" to \"root\" by running\nthe following command:\n\n $ sudo chgrp root /var/log/messages" + "default": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe rngd service feeds random data from hardware device to kernel random device. 
Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).", + "check": "Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable.\n\nCheck that RHEL 8 has enabled the hardware random number generator entropy gatherer service.\n\nVerify the rngd service is enabled and active with the following commands:\n\n $ sudo systemctl is-enabled rngd\n enabled\n\n $ sudo systemctl is-active rngd\n active\n\nIf the service is not \"enabled\" and \"active\", this is a finding.", + "fix": "Start the rngd service and enable the rngd service with the following commands:\n\n $ sudo systemctl start rngd.service\n\n $ sudo systemctl enable rngd.service" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-230247", - "rid": "SV-230247r627750_rule", - "stig_id": "RHEL-08-010230", - "fix_id": "F-32891r567488_fix", + "severity": "low", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230285", + "rid": "SV-230285r928587_rule", + "stig_id": "RHEL-08-010471", + "fix_id": "F-32929r917875_fix", "cci": [ - "CCI-001314" + "CCI-000366" ], "nist": [ - "SI-11 b" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230247' do\n title 'The RHEL 8 /var/log/messages file must be group-owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify the \"/var/log/messages\" file is group-owned by root with the\nfollowing command:\n\n $ sudo stat -c \"%G\" /var/log/messages\n\n root\n\n If \"root\" is not returned as a result, this is a finding.'\n desc 'fix', 'Change the group of the file \"/var/log/messages\" to \"root\" by running\nthe following command:\n\n $ sudo chgrp root /var/log/messages'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230247'\n tag rid: 'SV-230247r627750_rule'\n tag stig_id: 'RHEL-08-010230'\n tag fix_id: 'F-32891r567488_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe.one do\n describe file('/var/log/messages') do\n its('group') { should be_in input('var_log_messages_group') }\n end\n describe file('/var/log/messages') do\n it { should_not exist }\n end\n end\nend\n", + "code": "control 'SV-230285' do\n title 'RHEL 8 must enable the hardware random number generator entropy\ngatherer service.'\n desc 'The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe rngd service feeds random data from hardware device to kernel random device. 
Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).'\n desc 'check', 'Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable.\n\nCheck that RHEL 8 has enabled the hardware random number generator entropy gatherer service.\n\nVerify the rngd service is enabled and active with the following commands:\n\n $ sudo systemctl is-enabled rngd\n enabled\n\n $ sudo systemctl is-active rngd\n active\n\nIf the service is not \"enabled\" and \"active\", this is a finding.'\n desc 'fix', 'Start the rngd service and enable the rngd service with the following commands:\n\n $ sudo systemctl start rngd.service\n\n $ sudo systemctl enable rngd.service'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230285'\n tag rid: 'SV-230285r928587_rule'\n tag stig_id: 'RHEL-08-010471'\n tag fix_id: 'F-32929r917875_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if os.release.to_f >= 8.4 && input('use_fips') == true\n impact 0.0\n describe 'For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable.' 
do\n skip \"Currently on release #{os.release}, this control is Not Applicable.\"\n end\n else\n describe service('rngd') do\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230247.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230285.rb", "line": 1 }, - "id": "SV-230247" + "id": "SV-230285" }, { - "title": "Successful/unsuccessful uses of the mount command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" command is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must ensure session control is automatically started at shell\ninitialization.", + "desc": "Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). 
The \"mount\" command is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof the \"mount\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/mount /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" command by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. 
Red Hat endorses tmux as the recommended session controlling package.", + "check": "Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:\n\nDetermine if tmux is currently running:\n $ sudo ps all | grep tmux | grep -v grep\n\nIf the command does not produce output, this is a finding.\n\nDetermine the location of the tmux script:\n $ sudo grep -r tmux /etc/bashrc /etc/profile.d\n\n /etc/profile.d/tmux.sh: case \"$name\" in (sshd|login) tmux ;; esac\n\nReview the tmux script by using the following example:\n $ sudo cat /etc/profile.d/tmux.sh\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nIf \"tmux\" is not configured as the example above, is commented out, or is missing, this is a finding.", + "fix": "Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nThis setting will take effect at next logon." }, "impact": 0.5, "refs": [ 
@@ -12584,78 +12554,76 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", + "gtitle": "SRG-OS-000028-GPOS-00009", "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000030-GPOS-00011" ], - "gid": "V-230423", - "rid": "SV-230423r627750_rule", - "stig_id": "RHEL-08-030300", - "fix_id": "F-33067r568016_fix", + "gid": "V-230349", + "rid": "SV-230349r917920_rule", + "stig_id": "RHEL-08-020041", + "fix_id": "F-32993r880735_fix", "cci": [ - "CCI-000169" + "CCI-000056" ], "nist": [ - "AU-12 a" + "AC-11 b" ], "host": null }, - "code": "control 'SV-230423' do\n title 'Successful/unsuccessful uses of the mount command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"mount\" command is\nused to mount a filesystem.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof the \"mount\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/mount /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"mount\" command by adding or updating the\nfollowing rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-mount\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230423'\n tag rid: 'SV-230423r627750_rule'\n tag stig_id: 'RHEL-08-030300'\n tag fix_id: 'F-33067r568016_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/mount'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230349' do\n title 'RHEL 8 must ensure session control is automatically started at shell\ninitialization.'\n desc 'Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.'\n desc 'check', 'Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:\n\nDetermine if tmux is currently running:\n $ sudo ps all | grep tmux | grep -v grep\n\nIf the command does not produce output, this is a finding.\n\nDetermine the location of the tmux script:\n $ sudo grep -r tmux /etc/bashrc /etc/profile.d\n\n /etc/profile.d/tmux.sh: case \"$name\" in (sshd|login) tmux ;; esac\n\nReview the tmux script by using the following example:\n $ sudo cat /etc/profile.d/tmux.sh\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nIf \"tmux\" is not configured as the example above, is commented out, or is missing, this is a finding.'\n desc 'fix', 'Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nThis setting will take effect at next logon.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-230349'\n tag rid: 'SV-230349r917920_rule'\n tag stig_id: 'RHEL-08-020041'\n tag fix_id: 'F-32993r880735_fix'\n tag 
cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n tmux_running = command('ps all | grep tmux | grep -v grep').stdout.strip\n\n describe 'tmux' do\n it 'should be running' do\n expect(tmux_running).to_not be_empty, 'tmux is not running'\n end\n end\n\n if tmux_running.nil?\n\n # compare the tmux config with the expected multiline string the same way we do the banner checks\n # i.e. strip out all whitespace and compare the strings\n\n expected_config = \"if [ \\\"$PS1\\\" ]; then\\nparent=$(ps -o ppid= -p $$)\\nname=$(ps -o comm= -p $parent)\\ncase \\\"$name\\\" in (sshd|login) tmux ;; esac\\nfi\".content.gsub(/[\\r\\n\\s]/, '')\n\n tmux_script = command('grep -r tmux /etc/bashrc /etc/profile.d').stdout.strip.match(/^(?\\S+):/)['path']\n tmux_config = file(tmux_script).content.gsub(/[\\r\\n\\s]/, '')\n\n describe 'tmux' do\n it 'should be configured as expected' do\n expect(tmux_config).to match(/#{expected_config}/), 'tmux config does not match expected script'\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230423.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230349.rb", "line": 1 }, - "id": "SV-230423" + "id": "SV-230349" }, { - "title": "RHEL 8 must not forward IPv6 source-routed packets by default.", - "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "title": "RHEL 8 must display the date and time of the last successful account\nlogon upon logon.", + "desc": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", "descriptions": { - "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", - "check": "Verify RHEL 8 does not accept IPv6 source-routed packets by default.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_source_route\n\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0\n\nIf \"net.ipv6.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure RHEL 8 to not forward IPv6 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" + "default": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", 
+ "check": "Verify users are provided with feedback on when account accesses last\noccurred with the following command:\n\n $ sudo grep pam_lastlog /etc/pam.d/postlogin\n\n session required pam_lastlog.so showfailed\n\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the\nsilent option is present, this is a finding.", + "fix": "Configure the operating system to provide users with feedback on when\naccount accesses last occurred by setting the required configuration options in\n\"/etc/pam.d/postlogin\".\n\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n\n session required pam_lastlog.so showfailed" }, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", + "severity": "low", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230539", - "rid": "SV-230539r861085_rule", - "stig_id": "RHEL-08-040250", - "fix_id": "F-33183r858805_fix", + "gid": "V-230381", + "rid": "SV-230381r858726_rule", + "stig_id": "RHEL-08-020340", + "fix_id": "F-33025r567890_fix", "cci": [ - "CCI-000366" + "CCI-000366", + "CCI-000052" ], "nist": [ - "CM-6 b" + "CM-6 b", + "AC-9" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230539' do\n title 'RHEL 8 must not forward IPv6 source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv6 source-routed packets by default.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_source_route\n\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0\n\nIf \"net.ipv6.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv6 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with 
the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230539'\n tag rid: 'SV-230539r861085_rule'\n tag stig_id: 'RHEL-08-040250'\n tag fix_id: 'F-33183r858805_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_source_route'\n action = 'forwarding IPv6 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? 
{ |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230381' do\n title 'RHEL 8 must display the date and time of the last successful account\nlogon upon logon.'\n desc 'Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.'\n desc 'check', 'Verify users are provided with feedback on when account accesses last\noccurred with the following command:\n\n $ sudo grep pam_lastlog /etc/pam.d/postlogin\n\n session required pam_lastlog.so showfailed\n\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the\nsilent option is present, this is a finding.'\n desc 'fix', 'Configure the operating system to provide users with feedback on when\naccount accesses last occurred by setting the required configuration options in\n\"/etc/pam.d/postlogin\".\n\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n\n session required pam_lastlog.so showfailed'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230381'\n tag rid: 'SV-230381r858726_rule'\n tag stig_id: 'RHEL-08-020340'\n tag fix_id: 'F-33025r567890_fix'\n tag cci: ['CCI-000366', 'CCI-000052']\n tag nist: ['CM-6 b', 'AC-9']\n tag 'host'\n tag 'container'\n\n describe pam('/etc/pam.d/postlogin') do\n its('lines') { should match_pam_rule('session .* pam_lastlog.so').all_with_args('showfailed') }\n its('lines') { should_not match_pam_rule('session .* pam_lastlog.so').all_without_args('silent') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230539.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230381.rb", "line": 1 }, - "id": "SV-230539" + "id": "SV-230381" }, { - "title": "RHEL 8 must initiate a session lock for graphical user interfaces when\nthe screensaver is activated.", - "desc": "A session time-out lock is a temporary action taken when a user stops\nwork 
and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "title": "Successful/unsuccessful uses of the chacl command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chacl\" command is\nused to change the access control list of a file or directory.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", - "check": "Verify the operating system initiates a session lock a for graphical user\ninterfaces when the screensaver is activated with the following command:\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.desktop.screensaver lock-delay\n\n uint32 5\n\n If the \"uint32\" setting is missing, or is not set to \"5\" or less, this\nis a finding.", - "fix": "Configure the operating system to initiate a session lock for graphical\nuser interfaces when a screensaver is activated.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n\n The \"uint32\" must be included along with the integer key values as shown.\n\n Update the system databases:\n\n $ sudo dconf update" + "default": "Without generating 
audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chacl\" command is\nused to change the access control list of a file or directory.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chacl\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -12665,38 +12633,43 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000029-GPOS-00010", - "SRG-OS-000031-GPOS-00012", - "SRG-OS-000480-GPOS-00227" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000466-GPOS-00210" ], - "gid": "V-244535", - "rid": "SV-244535r743854_rule", - "stig_id": "RHEL-08-020031", - "fix_id": "F-47767r743853_fix", + "gid": "V-230464", + "rid": "SV-230464r627750_rule", + "stig_id": "RHEL-08-030570", + "fix_id": "F-33108r568139_fix", "cci": [ - "CCI-000057" + "CCI-000169" ], "nist": [ - "AC-11 a" + "AU-12 a" ], "host": null }, - "code": "control 'SV-244535' do\n title 'RHEL 8 must initiate a session lock for graphical user interfaces when\nthe screensaver is activated.'\n desc \"A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\"\n desc 'check', 'Verify the operating system initiates a session lock a for graphical user\ninterfaces when the screensaver is activated with the following command:\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.desktop.screensaver lock-delay\n\n uint32 5\n\n If the \"uint32\" setting is missing, or is not set to \"5\" or less, this\nis a finding.'\n desc 'fix', 'Configure the operating system to initiate a session lock for graphical\nuser interfaces when a screensaver is activated.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n\n The \"uint32\" must be included along with the integer key values as shown.\n\n Update the system databases:\n\n $ sudo dconf update'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-244535'\n tag rid: 'SV-244535r743854_rule'\n tag stig_id: 'RHEL-08-020031'\n tag fix_id: 'F-47767r743853_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n no_gui = command('ls /usr/share/xsessions/*').stderr.match?(/No such file or directory/)\n\n if no_gui\n impact 0.0\n describe 'The system does not have a GUI Desktop is installed, this control is Not Applicable' do\n skip 'A GUI desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('gsettings get org.gnome.desktop.screensaver lock-delay') do\n its('stdout.strip') { should match(/uint32\\s[0-5]/) }\n 
end\n end\nend\n", + "code": "control 'SV-230464' do\n title 'Successful/unsuccessful uses of the chacl command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chacl\" command is\nused to change the access control list of a file or directory.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chacl\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 
'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230464'\n tag rid: 'SV-230464r627750_rule'\n tag stig_id: 'RHEL-08-030570'\n tag fix_id: 'F-33108r568139_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chacl'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244535.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230464.rb", "line": 1 }, - "id": "SV-244535" + "id": "SV-230464" }, { - "title": "Executable search paths within the initialization files of all local\ninteractive RHEL 8 users must only contain paths that resolve to the system\ndefault or the users home directory.", - "desc": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory (other than the user's home\ndirectory), executables in these directories may be executed instead of system\ncommands. This variable is formatted as a colon-separated list of directories.\nIf there is an empty entry, such as a leading or trailing colon or two\nconsecutive colons, this is interpreted as the current working directory. 
If\ndeviations from the default system search path for the local interactive user\nare required, they must be documented with the Information System Security\nOfficer (ISSO).", + "title": "All RHEL 8 local interactive user accounts must be assigned a home\ndirectory upon creation.", + "desc": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", "descriptions": { - "default": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory (other than the user's home\ndirectory), executables in these directories may be executed instead of system\ncommands. This variable is formatted as a colon-separated list of directories.\nIf there is an empty entry, such as a leading or trailing colon or two\nconsecutive colons, this is interpreted as the current working directory. 
If\ndeviations from the default system search path for the local interactive user\nare required, they must be documented with the Information System Security\nOfficer (ISSO).", - "check": "Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:\n\n$ sudo grep -i path= /home/*/.*\n\n/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Edit the local interactive user initialization files to change any PATH\nvariable statements that reference directories other than their home directory.\n\n If a local interactive user requires path variables to reference a\ndirectory owned by the application, it must be documented with the ISSO." + "default": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "check": "Verify all local interactive users on RHEL 8 are assigned a home directory\nupon creation with the following command:\n\n $ sudo grep -i create_home /etc/login.defs\n\n CREATE_HOME yes\n\n If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line\nis missing, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to assign home directories to all new local interactive\nusers by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to\n\"yes\" as follows.\n\n CREATE_HOME yes" }, "impact": 0.5, "refs": [ 
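Review bot: The `satisfies` list for SV-230464 carries `SRG-OS-000062-GPOS-00031` twice, as the first and the fourth entry, both in the JSON `tags.satisfies` array and in the embedded `tag satisfies:` line of the control code. That appears to come through from the control source rather than from this export, so the duplicate should be dropped in `./Red Hat 8 STIG/controls/SV-230464.rb` and the baseline regenerated; otherwise anything that counts satisfied SRGs per control over-reports this one. Separately, the check text quotes the rule with `auid!=unset` while the test expects `'auid!=-1'` among `audit_rule.fields`; the description says the audit system treats the two forms identically, so this is presumably fine if the auditd resource normalizes the listing, but it is worth confirming against a RHEL 8 host rather than assuming.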
@@ -12707,10 +12680,10 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230317", - "rid": "SV-230317r792896_rule", - "stig_id": "RHEL-08-010690", - "fix_id": "F-32961r567698_fix", + "gid": "V-230324", + "rid": "SV-230324r627750_rule", + "stig_id": "RHEL-08-010760", + "fix_id": "F-32968r567719_fix", "cci": [ "CCI-000366" ], 
@@ -12720,20 +12693,20 @@ "host": null, "container": null }, - "code": "control 'SV-230317' do\n title 'Executable search paths within the initialization files of all local\ninteractive RHEL 8 users must only contain paths that resolve to the system\ndefault or the users home directory.'\n desc \"The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory (other than the user's home\ndirectory), executables in these directories may be executed instead of system\ncommands. This variable is formatted as a colon-separated list of directories.\nIf there is an empty entry, such as a leading or trailing colon or two\nconsecutive colons, this is interpreted as the current working directory. If\ndeviations from the default system search path for the local interactive user\nare required, they must be documented with the Information System Security\nOfficer (ISSO).\"\n desc 'check', 'Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:\n\n$ sudo grep -i path= /home/*/.*\n\n/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Edit the local interactive user initialization files to change any PATH\nvariable statements that reference directories other than their home directory.\n\n If a local interactive user requires path variables to reference a\ndirectory owned by the application, it must be documented with the ISSO.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 
'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230317'\n tag rid: 'SV-230317r792896_rule'\n tag stig_id: 'RHEL-08-010690'\n tag fix_id: 'F-32961r567698_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n ignore_shells = input('non_interactive_shells').join('|')\n\n findings = {}\n users.where { !shell.match(ignore_shells) && (uid >= 1000 || uid.zero?) }.entries.each do |user_info|\n next if input('exempt_home_users').include?(user_info.username.to_s)\n\n grep_results = command(\"grep -i path= --exclude=\\\".bash_history\\\" #{user_info.home}/.*\").stdout.split(\"\\n\")\n grep_results.each do |result|\n result.slice! 'PATH='\n # Case when last value in exec search path is :\n result += ' ' if result[-1] == ':'\n result.slice! '$PATH:'\n result.gsub! '=\"', '=' # account for cases where path is set to equal a quote-wrapped statement\n result.gsub! '$HOME', user_info.home.to_s\n result.gsub! '~', user_info.home.to_s\n result.gsub! ':$PATH', '' # remove $PATH if it shows up at the end of line\n line_arr = result.split(':')\n line_arr.delete_at(0)\n line_arr.each do |line|\n line = line.strip\n\n # Don't run test on line that exports PATH and is not commented out\n next unless !line.start_with?('export') && !line.start_with?('#')\n\n # Case when :: found in exec search path or : found at beginning\n if line.strip.empty?\n curr_work_dir = command('pwd').stdout.delete(\"\\n\")\n line = curr_work_dir if curr_work_dir.start_with?(user_info.home.to_s) || curr_work_dir[]\n end\n\n # catch a leading '\"'\n line = line[1..line.length] if line.start_with?('\"')\n\n # This will fail if non-home directory found in path\n next if line.start_with?(user_info.home)\n\n # we want a hash of usernames as the keys and arrays of failing lines as values\n findings[user_info.username] = if findings[user_info.username]\n findings[user_info.username] << line\n else\n [line]\n end\n end\n end\n end\n\n describe 'Initialization files' do\n it 
\"should not include executable search paths that include directories outside the respective user's home directory\" do\n expect(findings).to be_empty, \"Users with non-homedir paths assigned to their PATH environment variable:\\n\\t#{findings}\"\n end\n end\nend\n", + "code": "control 'SV-230324' do\n title 'All RHEL 8 local interactive user accounts must be assigned a home\ndirectory upon creation.'\n desc 'If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.'\n desc 'check', 'Verify all local interactive users on RHEL 8 are assigned a home directory\nupon creation with the following command:\n\n $ sudo grep -i create_home /etc/login.defs\n\n CREATE_HOME yes\n\n If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line\nis missing, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to assign home directories to all new local interactive\nusers by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to\n\"yes\" as follows.\n\n CREATE_HOME yes'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230324'\n tag rid: 'SV-230324r627750_rule'\n tag stig_id: 'RHEL-08-010760'\n tag fix_id: 'F-32968r567719_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('CREATE_HOME') { should eq 'yes' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230317.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230324.rb", "line": 1 }, - "id": "SV-230317" + "id": "SV-230324" }, { - "title": "RHEL 8 must disable core dumps for all users.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. 
These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", + "title": "RHEL 8 audit tools must have a mode of 0755 or less permissive.", + "desc": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. 
The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", - "check": "Verify the operating system disables core dumps for all users by issuing\nthe following command:\n\n $ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf\n/etc/security/limits.d/*.conf\n\n * hard core 0\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"core\" item is missing, commented out, or the value is anything\nother than \"0\" and the need for core dumps is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement for\nall domains that have the \"core\" item assigned, this is a finding.", - "fix": "Configure the operating system to disable core dumps for all users.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/:\n\n * hard core 0" + "default": "Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.", + "check": "Verify the audit tools are protected from unauthorized access, deletion, or\nmodification by checking the permissive mode.\n\n Check the octal permission of each audit tool by running the following\ncommand:\n\n $ sudo stat -c \"%a %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n 755 /sbin/auditctl\n 755 /sbin/aureport\n 755 /sbin/ausearch\n 750 /sbin/autrace\n 755 /sbin/auditd\n 755 /sbin/rsyslogd\n 755 /sbin/augenrules\n\n If any of the audit tools has a mode more permissive than \"0755\", this is\na finding.", + "fix": "Configure the audit tools to be protected from unauthorized access by\nsetting the correct permissive mode using the following command:\n\n $ sudo chmod 0755 [audit_tool]\n\n Replace \"[audit_tool]\" with the audit tool that does not have the correct\npermissive mode." }, "impact": 0.5, "refs": [ 
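Review bot: The SV-230324 test asserts `its('CREATE_HOME') { should eq 'yes' }`, a case-sensitive string match, while the check text itself uses `grep -i create_home` and, as far as I recall, shadow-utils reads boolean values in login.defs case-insensitively, so a host configured with `CREATE_HOME YES` would be reported as a finding that the STIG check would not raise. InSpec's `cmp` matcher compares strings case-insensitively, so `its('CREATE_HOME') { should cmp 'yes' }` would track the check text more closely. It is not visible here whether the `login_defs` resource returns the raw value or a normalized one, so that should be confirmed before changing the matcher.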
@@ -12743,34 +12716,34 @@
 ],
 "tags": {
 "severity": "medium",
- "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230313",
- "rid": "SV-230313r627750_rule",
- "stig_id": "RHEL-08-010673",
- "fix_id": "F-32957r619861_fix",
+ "gtitle": "SRG-OS-000256-GPOS-00097",
+ "gid": "V-230472",
+ "rid": "SV-230472r627750_rule",
+ "stig_id": "RHEL-08-030620",
+ "fix_id": "F-33116r568163_fix",
 "cci": [
- "CCI-000366"
+ "CCI-001493"
 ],
- "legacy": [],
 "nist": [
- "CM-6 b"
+ "AU-9",
+ "AU-9 a"
 ],
 "host": null
 },
- "code": "control 'SV-230313' do\n title 'RHEL 8 must disable core dumps for all users.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. 
The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.'\n desc 'check', %q(Verify the operating system disables core dumps for all users by issuing\nthe following command:\n\n $ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf\n/etc/security/limits.d/*.conf\n\n * hard core 0\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"core\" item is missing, commented out, or the value is anything\nother than \"0\" and the need for core dumps is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement for\nall domains that have the \"core\" item assigned, this is a finding.)\n desc 'fix', 'Configure the operating system to disable core dumps for all users.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/:\n\n * hard core 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230313'\n tag rid: 'SV-230313r627750_rule'\n tag stig_id: 'RHEL-08-010673'\n tag fix_id: 'F-32957r619861_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n setting = 'core'\n expected_value = input('core_dump_expected_value')\n\n limits_files = command('ls /etc/security/limits.d/*.conf').stdout.strip.split\n limits_files.append('/etc/security/limits.conf')\n\n # make sure that at least one limits.conf file has the correct setting\n globally_set = limits_files.any? { |lf| !limits_conf(lf).read_params['*'].nil? 
&& limits_conf(lf).read_params['*'].include?(['hard', setting.to_s, expected_value.to_s]) }\n\n # make sure that no limits.conf file has a value that contradicts the global set\n failing_files = limits_files.select { |lf|\n limits_conf(lf).read_params.values.flatten(1).any? { |l|\n l[1].eql?(setting) && !l[2].to_i.eql?(expected_value)\n }\n }\n describe 'Limits files' do\n it 'should disallow core dumps by default' do\n expect(globally_set).to eq(true), \"No correct global ('*') setting found\"\n end\n it 'should not have any conflicting settings' do\n expect(failing_files).to be_empty, \"Files with incorrect '#{setting}' settings:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230472' do\n title 'RHEL 8 audit tools must have a mode of 0755 or less permissive.'\n desc 'Protecting audit information also includes identifying and protecting\nthe tools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\n RHEL 8 systems providing tools to interface with audit information will\nleverage user permissions and roles identifying the user accessing the tools,\nand the corresponding rights the user enjoys, to make access decisions\nregarding the access to audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open\nsource audit tools needed to successfully view and manipulate audit information\nsystem activity and records. 
Audit tools include custom queries and report\ngenerators.'\n desc 'check', 'Verify the audit tools are protected from unauthorized access, deletion, or\nmodification by checking the permissive mode.\n\n Check the octal permission of each audit tool by running the following\ncommand:\n\n $ sudo stat -c \"%a %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch\n/sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\n 755 /sbin/auditctl\n 755 /sbin/aureport\n 755 /sbin/ausearch\n 750 /sbin/autrace\n 755 /sbin/auditd\n 755 /sbin/rsyslogd\n 755 /sbin/augenrules\n\n If any of the audit tools has a mode more permissive than \"0755\", this is\na finding.'\n desc 'fix', 'Configure the audit tools to be protected from unauthorized access by\nsetting the correct permissive mode using the following command:\n\n $ sudo chmod 0755 [audit_tool]\n\n Replace \"[audit_tool]\" with the audit tool that does not have the correct\npermissive mode.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000256-GPOS-00097'\n tag gid: 'V-230472'\n tag rid: 'SV-230472r627750_rule'\n tag stig_id: 'RHEL-08-030620'\n tag fix_id: 'F-33116r568163_fix'\n tag cci: ['CCI-001493']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_tools = ['/sbin/auditctl', '/sbin/aureport', '/sbin/ausearch', '/sbin/autrace', '/sbin/auditd', '/sbin/rsyslogd', '/sbin/augenrules']\n\n failing_tools = audit_tools.select { |at| file(at).more_permissive_than?(input('audit_tool_mode')) }\n\n describe 'Audit executables' do\n it \"should be no more permissive than '#{input('audit_tool_mode')}'\" do\n expect(failing_tools).to be_empty, \"Failing tools:\\n\\t- #{failing_tools.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230313.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230472.rb", "line": 1 
}, - "id": "SV-230313" + "id": "SV-230472" }, { - "title": "The RHEL 8 file system automounter must be disabled unless required.", - "desc": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", + "title": "RHEL 8 system commands must be group-owned by root or a system\naccount.", + "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", "descriptions": { - "default": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", - "check": "Verify the operating system disables the ability to automount devices.\n\n Check to see if automounter service is active with the following command:\n\n Note: If the autofs service is not installed, this requirement is not\napplicable.\n\n $ sudo systemctl status autofs\n\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\n If the \"autofs\" status is set to \"active\" and is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.", - "fix": "Configure the operating system to disable the ability to automount devices.\n\n Turn off the automount service with the following commands:\n\n $ sudo systemctl stop autofs\n $ sudo systemctl disable 
autofs\n\n If \"autofs\" is required for Network File System (NFS), it must be\ndocumented with the ISSO." + "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "check": "Verify the system commands contained in the following directories are group-owned by \"root\", or a required system account, with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \\;\n\nIf any system commands are returned and is not group-owned by a required system account, this is a finding.", + "fix": "Configure the system commands to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any system command\nfile not group-owned by \"root\" or a required system account.\n\n $ sudo chgrp root [FILE]" }, "impact": 0.5, "refs": [ 
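Review bot: In the new `code` for SV-230472, `failing_tools = audit_tools.select { |at| file(at).more_permissive_than?(input('audit_tool_mode')) }` runs the mode comparison on every hard-coded path, including `/sbin/rsyslogd`, which may be absent on hosts that do not ship rsyslog; as far as I recall the InSpec file resource does not return a usable mode for a missing path, so the control would error or mis-report instead of giving a clear finding — please confirm against the InSpec version in use. A guard such as `failing_tools = audit_tools.select { |at| file(at).exist? && file(at).more_permissive_than?(input('audit_tool_mode')) }`, with the missing tools collected into a separate describe block, keeps absent binaries visible without aborting the permission check. The threshold comes from `input('audit_tool_mode')`, whose default is not in this hunk, while the `check` text fixes it at 0755; a comment in the control such as `# audit_tool_mode is expected to default to 0755 per RHEL-08-030620` would make drift between the two easy to spot. Since the record carries `"source_location"` pointing at `./Red Hat 8 STIG/controls/SV-230472.rb`, the change belongs in that control file with this JSON export regenerated.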
@@ -12780,33 +12753,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000114-GPOS-00059", - "gid": "V-230502", - "rid": "SV-230502r627750_rule", - "stig_id": "RHEL-08-040070", - "fix_id": "F-33146r568253_fix", + "gtitle": "SRG-OS-000259-GPOS-00100", + "gid": "V-230259", + "rid": "SV-230259r792864_rule", + "stig_id": "RHEL-08-010320", + "fix_id": "F-32903r567524_fix", "cci": [ - "CCI-000778" + "CCI-001499" ], "nist": [ - "IA-3" + "CM-5 (6)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230502' do\n title 'The RHEL 8 file system automounter must be disabled unless required.'\n desc 'Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.'\n desc 'check', 'Verify the operating system disables the ability to automount devices.\n\n Check to see if automounter service is active with the following command:\n\n Note: If the autofs service is not installed, this requirement is not\napplicable.\n\n $ sudo systemctl status autofs\n\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\n If the \"autofs\" status is set to \"active\" and is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to automount devices.\n\n Turn off the automount service with the following commands:\n\n $ sudo systemctl stop autofs\n $ sudo systemctl disable autofs\n\n If \"autofs\" is required for Network File System (NFS), it must be\ndocumented with the ISSO.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000114-GPOS-00059'\n tag gid: 'V-230502'\n tag rid: 'SV-230502r627750_rule'\n tag stig_id: 'RHEL-08-040070'\n tag fix_id: 'F-33146r568253_fix'\n tag cci: ['CCI-000778']\n tag nist: ['IA-3']\n tag 
'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('autofs_required') == true\n describe systemd_service('autofs.service') do\n it { should be_running }\n it { should be_enabled }\n it { should be_installed }\n end\n elsif package('autofs').installed?\n describe systemd_service('autofs.service') do\n it { should_not be_running }\n it { should_not be_enabled }\n it { should_not be_installed }\n end\n else\n impact 0.0\n describe 'The autofs service is not installed' do\n skip 'The autofs service is not installed, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-230259' do\n title 'RHEL 8 system commands must be group-owned by root or a system\naccount.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system commands contained in the following directories are group-owned by \"root\", or a required system account, with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-group root -exec ls -l {} \\\\;\n\nIf any system commands are returned and is not group-owned by a required system account, this is a finding.'\n desc 'fix', 'Configure the system commands to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any system command\nfile not group-owned by \"root\" or a required system account.\n\n $ sudo chgrp root [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230259'\n tag rid: 'SV-230259r792864_rule'\n tag stig_id: 'RHEL-08-010320'\n tag fix_id: 'F-32903r567524_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_command_dirs').join(' ')} ! -group root -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System commands' do\n it 'should be group-owned by root' do\n expect(failing_files).to be_empty, \"Files not group-owned by root:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230502.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230259.rb", "line": 1 }, - "id": "SV-230502" + "id": "SV-230259" }, { - "title": "RHEL 8 must use a separate file system for /var.", - "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "title": "The RHEL 8 file integrity tool must be configured to verify extended\nattributes.", + "desc": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).", "descriptions": { - "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or 
failing.", - "check": "Verify that a separate file system has been created for \"/var\".\n\nCheck that a file system has been created for \"/var\" with the following command:\n\n $ sudo grep /var /etc/fstab\n\n /dev/mapper/... /var xfs defaults,nodev 0 0\n\nIf a separate entry for \"/var\" is not in use, this is a finding.", - "fix": "Migrate the \"/var\" path onto a separate file system." + "default": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).", + "check": "Verify the file integrity tool is configured to verify extended attributes.\n\n If AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\n Note: AIDE is highly configurable at install time. This requirement assumes\nthe \"aide.conf\" file is under the \"/etc\" directory.\n\n Use the following command to determine if the file is in another location:\n\n $ sudo find / -name aide.conf\n\n Check the \"aide.conf\" file to determine if the \"xattrs\" rule has been\nadded to the rule list being applied to the files and directories selection\nlists.\n\n An example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\n If the \"xattrs\" rule is not being used on all uncommented selection lines\nin the \"/etc/aide.conf\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.", + "fix": "Configure the file integrity tool to check file and directory extended\nattributes.\n\n If AIDE is installed, ensure the \"xattrs\" rule is present on all\nuncommented file and directory selection lists." }, "impact": 0.3, "refs": [ 
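Review bot: In the new `code` for SV-230259, the directory list from `input('system_command_dirs')` is interpolated unquoted into a shell command, `command("find -L #{input('system_command_dirs').join(' ')} ! -group root -exec ls -d {} \\;")`, so any entry containing whitespace or shell metacharacters alters the command rather than being searched; escaping each entry, e.g. `dirs = input('system_command_dirs').map { |d| Shellwords.escape(d) }.join(' ')`, keeps the input as data (Shellwords is Ruby stdlib; confirm it is loaded in the profile). The result is read only from `stdout`, so a `find` that fails on a missing directory or a permission error yields an empty list and a passing control; asserting the command's exit status next to the emptiness check, `its('exit_status') { should eq 0 }`, makes that failure visible. The `check` text accepts group ownership by root "or a required system account" while `! -group root` flags every non-root group, so either confirm the stricter behaviour is intended or accept a list of allowed groups through an input. Per the `"source_location"` of `./Red Hat 8 STIG/controls/SV-230259.rb`, the fix belongs in that control file with this JSON export regenerated.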
@@ -12817,10 +12791,10 @@
 "tags": {
 "severity": "low",
 "gtitle": "SRG-OS-000480-GPOS-00227",
- "gid": "V-230292",
- "rid": "SV-230292r902718_rule",
- "stig_id": "RHEL-08-010540",
- "fix_id": "F-32936r567623_fix",
+ "gid": "V-230551",
+ "rid": "SV-230551r627750_rule",
+ "stig_id": "RHEL-08-040300",
+ "fix_id": "F-33195r568400_fix",
 "cci": [
 "CCI-000366"
 ],
@@ -12829,93 +12803,93 @@ ], "host": null }, - "code": "control 'SV-230292' do\n title 'RHEL 8 must use a separate file system for /var.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system has been created for \"/var\".\n\nCheck that a file system has been created for \"/var\" with the following command:\n\n $ sudo grep /var /etc/fstab\n\n /dev/mapper/... /var xfs defaults,nodev 0 0\n\nIf a separate entry for \"/var\" is not in use, this is a finding.'\n desc 'fix', 'Migrate the \"/var\" path onto a separate file system.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230292'\n tag rid: 'SV-230292r902718_rule'\n tag stig_id: 'RHEL-08-010540'\n tag fix_id: 'F-32936r567623_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe mount('/var') do\n it { should be_mounted }\n end\n\n describe etc_fstab.where { mount_point == '/var' } do\n it { should exist }\n end\nend\n", + "code": "control 'SV-230551' do\n title 'The RHEL 8 file integrity tool must be configured to verify extended\nattributes.'\n desc 'Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.\n\n RHEL 8 installation media come with a file integrity tool, Advanced\nIntrusion Detection Environment (AIDE).'\n desc 'check', 'Verify the file integrity tool is configured to verify extended attributes.\n\n If AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\n Note: AIDE is highly configurable at install time. 
This requirement assumes\nthe \"aide.conf\" file is under the \"/etc\" directory.\n\n Use the following command to determine if the file is in another location:\n\n $ sudo find / -name aide.conf\n\n Check the \"aide.conf\" file to determine if the \"xattrs\" rule has been\nadded to the rule list being applied to the files and directories selection\nlists.\n\n An example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\n If the \"xattrs\" rule is not being used on all uncommented selection lines\nin the \"/etc/aide.conf\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to check file and directory extended\nattributes.\n\n If AIDE is installed, ensure the \"xattrs\" rule is present on all\nuncommented file and directory selection lists.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230551'\n tag rid: 'SV-230551r627750_rule'\n tag stig_id: 'RHEL-08-040300'\n tag fix_id: 'F-33195r568400_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe package('aide') do\n it { should be_installed }\n end\n\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n findings.append(selection.selection_line) unless selection.rules.include? 
'xattrs'\n end\n\n describe \"List of monitored files/directories without 'xattrs' rule\" do\n subject { findings }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230292.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230551.rb", "line": 1 }, - "id": "SV-230292" + "id": "SV-230551" }, { - "title": "RHEL 8 library directories must have mode 755 or less permissive.", - "desc": "If RHEL 8 were to allow any user to make changes to software libraries,\n then those changes might be implemented without undergoing the appropriate\n testing and approvals that are part of a robust change management process.\n\n This requirement applies to RHEL 8 with software libraries that are accessible\n and configurable, as in the case of interpreted languages. Software libraries\n also include privileged programs that execute with escalated privileges. Only\n qualified and authorized individuals will be allowed to obtain access to\n information system components for purposes of initiating changes, including\n upgrades and modifications.", + "title": "RHEL 8 must disable IEEE 1394 (FireWire) Support.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time\ncommunication. 
Disabling FireWire protects the system against exploitation of\nany flaws in its implementation.", "descriptions": { - "default": "If RHEL 8 were to allow any user to make changes to software libraries,\n then those changes might be implemented without undergoing the appropriate\n testing and approvals that are part of a robust change management process.\n\n This requirement applies to RHEL 8 with software libraries that are accessible\n and configurable, as in the case of interpreted languages. Software libraries\n also include privileged programs that execute with escalated privileges. Only\n qualified and authorized individuals will be allowed to obtain access to\n information system components for purposes of initiating changes, including\n upgrades and modifications.", - "check": "Verify the system-wide shared library directories within \"/lib\",\n \"/lib64\", \"/usr/lib\" and \"/usr/lib64\" have mode \"755\" or less permissive with\n the following command:\n\n $ sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\n If any system-wide shared library directories are found to be group-writable\n or world-writable, this is a finding.", - "fix": "Configure the library directories to be protected from unauthorized\n access. Run the following command, replacing \"[DIRECTORY]\" with any library\n directory with a mode more permissive than 755.\n\n $ sudo chmod 755 [DIRECTORY]" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time\ncommunication. 
Disabling FireWire protects the system against exploitation of\nany flaws in its implementation.", + "check": "Verify the operating system disables the ability to load the firewire-core kernel module.\n\n $ sudo grep -r firewire-core /etc/modprobe.d/* | grep \"/bin/false\"\n install firewire-core /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the firewire-core protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the firewire-core kernel module.\n\nCheck to see if the firewire-core kernel module is disabled with the following command:\n\n $ sudo grep -r firewire-core /etc/modprobe.d/* | grep \"blacklist\"\n blacklist firewire-core\n\nIf the command does not return any output or the output is not \"blacklist firewire-core\", and use of the firewire-core kernel module is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to use the firewire-core kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install firewire-core /bin/false\n blacklist firewire-core\n\nReboot the system for the settings to take effect." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-251707", - "rid": "SV-251707r809345_rule", - "stig_id": "RHEL-08-010331", - "fix_id": "F-55098r809344_fix", + "severity": "low", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230499", + "rid": "SV-230499r942933_rule", + "stig_id": "RHEL-08-040026", + "fix_id": "F-33143r942932_fix", "cci": [ - "CCI-001499" + "CCI-000381" ], "nist": [ - "CM-5 (6)" + "CM-7 a" ], "host": null }, - "code": "control 'SV-251707' do\n title 'RHEL 8 library directories must have mode 755 or less permissive.'\n desc 'If RHEL 8 were to allow any user to make changes to software libraries,\n then those changes might be implemented without undergoing the appropriate\n testing and approvals that are part of a robust change management process.\n\n This requirement applies to RHEL 8 with software libraries that are accessible\n and configurable, as in the case of interpreted languages. Software libraries\n also include privileged programs that execute with escalated privileges. Only\n qualified and authorized individuals will be allowed to obtain access to\n information system components for purposes of initiating changes, including\n upgrades and modifications.'\n desc 'check', %q(Verify the system-wide shared library directories within \"/lib\",\n \"/lib64\", \"/usr/lib\" and \"/usr/lib64\" have mode \"755\" or less permissive with\n the following command:\n\n $ sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\n If any system-wide shared library directories are found to be group-writable\n or world-writable, this is a finding.)\n desc 'fix', 'Configure the library directories to be protected from unauthorized\n access. 
Run the following command, replacing \"[DIRECTORY]\" with any library\n directory with a mode more permissive than 755.\n\n $ sudo chmod 755 [DIRECTORY]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-251707'\n tag rid: 'SV-251707r809345_rule'\n tag stig_id: 'RHEL-08-010331'\n tag fix_id: 'F-55098r809344_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n permissions_for_libs = input('permissions_for_libs')\n\n overly_permissive_libs = input('system_libraries').select { |lib|\n file(lib).more_permissive_than?(permissions_for_libs)\n }\n\n describe 'System libraries' do\n it \"should not have permissions set higher than #{permissions_for_libs}\" do\n fail_msg = \"Overly permissive system libraries:\\n\\t- #{overly_permissive_libs.join(\"\\n\\t- \")}\"\n expect(overly_permissive_libs).to be_empty, fail_msg\n end\n end\nend\n", + "code": "control 'SV-230499' do\n title 'RHEL 8 must disable IEEE 1394 (FireWire) Support.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time\ncommunication. 
Disabling FireWire protects the system against exploitation of\nany flaws in its implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the firewire-core kernel module.\n\n $ sudo grep -r firewire-core /etc/modprobe.d/* | grep \"/bin/false\"\n install firewire-core /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the firewire-core protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the firewire-core kernel module.\n\nCheck to see if the firewire-core kernel module is disabled with the following command:\n\n $ sudo grep -r firewire-core /etc/modprobe.d/* | grep \"blacklist\"\n blacklist firewire-core\n\nIf the command does not return any output or the output is not \"blacklist firewire-core\", and use of the firewire-core kernel module is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the firewire-core kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install firewire-core /bin/false\n blacklist firewire-core\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230499'\n tag rid: 'SV-230499r942933_rule'\n tag stig_id: 'RHEL-08-040026'\n tag fix_id: 'F-33143r942932_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe kernel_module('firewire_core') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251707.rb", + "ref": "./Red 
Hat 8 STIG/controls/SV-230499.rb", "line": 1 }, - "id": "SV-251707" + "id": "SV-230499" }, { - "title": "The gssproxy package must not be installed unless mission essential on\nRHEL 8.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The gssproxy package is a proxy for GSS API credential handling and could\nexpose secrets on some networks. It is not needed for normal function of the OS.", + "title": "The Trivial File Transfer Protocol (TFTP) server package must not be\ninstalled if not required for RHEL 8 operational support.", + "desc": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The gssproxy package is a proxy for GSS API credential handling and could\nexpose secrets on some networks. It is not needed for normal function of the OS.", - "check": "Verify the gssproxy package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed gssproxy\n\n gssproxy.x86_64\n0.8.0-14.el8 @anaconda\n\n If the gssproxy package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", - "fix": "Document the gssproxy package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n $ sudo yum remove gssproxy" + "default": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", + "check": "Verify a TFTP server has not been installed on the system with the\nfollowing command:\n\n $ sudo yum list installed tftp-server\n\n tftp-server.x86_64 5.2-24.el8\n\n If TFTP is installed and the requirement for TFTP is not documented with\nthe ISSO, this is a finding.", + "fix": "Remove the TFTP package from the system with the following command:\n\n$ sudo yum remove tftp-server" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", + "severity": "high", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230559", - "rid": "SV-230559r646887_rule", - "stig_id": "RHEL-08-040370", - "fix_id": "F-33203r568424_fix", + "gid": "V-230533", + "rid": "SV-230533r627750_rule", + "stig_id": "RHEL-08-040190", + "fix_id": "F-33177r568346_fix", "cci": [ - "CCI-000381" + 
"CCI-000366" ], "nist": [ - "CM-7 a" + "CM-6 b" ], "host": null, "container": null }, - "code": "control 'SV-230559' do\n title 'The gssproxy package must not be installed unless mission essential on\nRHEL 8.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The gssproxy package is a proxy for GSS API credential handling and could\nexpose secrets on some networks. It is not needed for normal function of the OS.'\n desc 'check', 'Verify the gssproxy package has not been installed on the system with the\nfollowing commands:\n\n $ sudo yum list installed gssproxy\n\n gssproxy.x86_64\n0.8.0-14.el8 @anaconda\n\n If the gssproxy package is installed and is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.'\n desc 'fix', 'Document the gssproxy package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n $ sudo yum remove gssproxy'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230559'\n tag rid: 'SV-230559r646887_rule'\n tag stig_id: 'RHEL-08-040370'\n tag fix_id: 'F-33203r568424_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n if input('gssproxy_required')\n describe package('gssproxy') do\n it { should be_installed }\n end\n else\n describe package('gssproxy') do\n it { should_not be_installed }\n 
end\n end\nend\n", + "code": "control 'SV-230533' do\n title 'The Trivial File Transfer Protocol (TFTP) server package must not be\ninstalled if not required for RHEL 8 operational support.'\n desc 'If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.'\n desc 'check', 'Verify a TFTP server has not been installed on the system with the\nfollowing command:\n\n $ sudo yum list installed tftp-server\n\n tftp-server.x86_64 5.2-24.el8\n\n If TFTP is installed and the requirement for TFTP is not documented with\nthe ISSO, this is a finding.'\n desc 'fix', 'Remove the TFTP package from the system with the following command:\n\n$ sudo yum remove tftp-server'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230533'\n tag rid: 'SV-230533r627750_rule'\n tag stig_id: 'RHEL-08-040190'\n tag fix_id: 'F-33177r568346_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('tftp_required')\n describe package('tftp-server') do\n it { should be_installed }\n end\n else\n describe package('tftp-server') do\n it { should_not be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230559.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230533.rb", "line": 1 }, - "id": "SV-230559" + "id": "SV-230533" }, { - "title": "RHEL 8 Bluetooth must be disabled.", - "desc": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) 
used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", + "title": "Successful/unsuccessful uses of the setfacl command in RHEL 8 must\ngenerate an audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"setfacl\" command is\nused to set file access control lists.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. 
If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", - "check": "If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision.\n\nDetermine if Bluetooth is disabled with the following command:\n\n $ sudo grep bluetooth /etc/modprobe.d/*\n /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/false\n\nIf the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the operating system disables the ability to use Bluetooth with the following command:\n\n $ sudo grep -r bluetooth /etc/modprobe.d | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist bluetooth\n\nIf the command does not return any output or the output is not \"blacklist bluetooth\", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the Bluetooth adapter when not in use.\n\nBuild or modify the \"/etc/modprobe.d/bluetooth.conf\" file with the following line:\n\n install bluetooth /bin/false\n\nDisable the ability to use the Bluetooth kernel module.\n\n $ sudo vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\n blacklist bluetooth\n\nReboot the system for the settings to take effect." + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). 
The \"setfacl\" command is\nused to set file access control lists.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"setfacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w setfacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"setfacl\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -12925,105 +12899,119 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000300-GPOS-00118", - "gid": "V-230507", - "rid": "SV-230507r942939_rule", - "stig_id": "RHEL-08-040111", - "fix_id": "F-33151r942938_fix", + "gtitle": "SRG-OS-000062-GPOS-00031", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-230435", + "rid": "SV-230435r627750_rule", + "stig_id": "RHEL-08-030330", + "fix_id": "F-33079r568052_fix", "cci": [ - "CCI-001443" + "CCI-000169" ], "nist": [ - "AC-18 (1)" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230507' do\n title 'RHEL 8 Bluetooth must be disabled.'\n desc 'Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. 
Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.'\n desc 'check', 'If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision.\n\nDetermine if Bluetooth is disabled with the following command:\n\n $ sudo grep bluetooth /etc/modprobe.d/*\n /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/false\n\nIf the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the operating system disables the ability to use Bluetooth with the following command:\n\n $ sudo grep -r bluetooth /etc/modprobe.d | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist bluetooth\n\nIf the command does not return any output or the output is not \"blacklist bluetooth\", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the Bluetooth adapter when not in use.\n\nBuild or modify the \"/etc/modprobe.d/bluetooth.conf\" file with the following line:\n\n install bluetooth /bin/false\n\nDisable the ability to use the Bluetooth kernel module.\n\n $ sudo vi /etc/modprobe.d/blacklist.conf\n\nAdd 
or update the line:\n\n blacklist bluetooth\n\nReboot the system for the settings to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000300-GPOS-00118'\n tag gid: 'V-230507'\n tag rid: 'SV-230507r942939_rule'\n tag stig_id: 'RHEL-08-040111'\n tag fix_id: 'F-33151r942938_fix'\n tag cci: ['CCI-001443']\n tag nist: ['AC-18 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('bluetooth_installed')\n describe kernel_module('bluetooth') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\n else\n impact 0.0\n describe 'Device or operating system does not have a Bluetooth adapter installed' do\n skip 'If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.'\n end\n end\nend\n", + "code": "control 'SV-230435' do\n title 'Successful/unsuccessful uses of the setfacl command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"setfacl\" command is\nused to set file access control lists.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"setfacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w setfacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"setfacl\" command by adding or updating\nthe following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230435'\n tag rid: 'SV-230435r627750_rule'\n tag stig_id: 'RHEL-08-030330'\n tag fix_id: 'F-33079r568052_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/setfacl'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230507.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230435.rb", "line": 1 }, - "id": "SV-230507" + "id": "SV-230435" }, { - "title": "The RHEL 8 operating system must implement the Endpoint Security for\nLinux Threat Prevention tool.", - "desc": "Adding endpoint security tools can provide the capability to\nautomatically take actions in response to malicious behavior, which can provide\nadditional agility in reacting to network threats. These tools also often\ninclude a reporting capability to provide network awareness of the system,\nwhich may not otherwise exist in an organization's systems management regime.", + "title": "RHEL 8 must disable the stream control transmission protocol (SCTP).", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Stream Control Transmission Protocol (SCTP) is a transport layer\nprotocol, designed to support the idea of message-oriented communication, with\nseveral streams of messages within one connection. Disabling SCTP protects the\nsystem against exploitation of any flaws in its implementation.", "descriptions": { - "default": "Adding endpoint security tools can provide the capability to\nautomatically take actions in response to malicious behavior, which can provide\nadditional agility in reacting to network threats. 
These tools also often\ninclude a reporting capability to provide network awareness of the system,\nwhich may not otherwise exist in an organization's systems management regime.", - "check": "Check that the following package has been installed:\n\n $ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n $ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.", - "fix": "Install and enable the latest Trellix ENSLTP package." + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Stream Control Transmission Protocol (SCTP) is a transport layer\nprotocol, designed to support the idea of message-oriented communication, with\nseveral streams of messages within one connection. 
Disabling SCTP protects the\nsystem against exploitation of any flaws in its implementation.", + "check": "Verify the operating system disables the ability to load the SCTP kernel module.\n\n $ sudo grep -r sctp /etc/modprobe.d/* | grep \"/bin/false\"\n install sctp /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the SCTP.\n\nCheck to see if the SCTP is disabled with the following command:\n\n $ sudo grep -r sctp /etc/modprobe.d/* | grep \"blacklist\"\n blacklist sctp\n\nIf the command does not return any output or the output is not \"blacklist sctp\", and use of the SCTP is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to use the SCTP kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install sctp /bin/false\n blacklist sctp\n\nReboot the system for the settings to take effect." 
}, - "impact": 0.5, + "impact": 0.3, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000191-GPOS-00080", - "gid": "V-245540", - "rid": "SV-245540r942951_rule", - "stig_id": "RHEL-08-010001", - "fix_id": "F-48770r942950_fix", + "severity": "low", + "gtitle": "SRG-OS-000095-GPOS-00049", + "gid": "V-230496", + "rid": "SV-230496r942924_rule", + "stig_id": "RHEL-08-040023", + "fix_id": "F-33140r942923_fix", "cci": [ - "CCI-001233" + "CCI-000381" ], "nist": [ - "SI-2 (2)" + "CM-7 a" ], "host": null }, - "code": "control 'SV-245540' do\n title 'The RHEL 8 operating system must implement the Endpoint Security for\nLinux Threat Prevention tool.'\n desc \"Adding endpoint security tools can provide the capability to\nautomatically take actions in response to malicious behavior, which can provide\nadditional agility in reacting to network threats. These tools also often\ninclude a reporting capability to provide network awareness of the system,\nwhich may not otherwise exist in an organization's systems management regime.\"\n desc 'check', 'Check that the following package has been installed:\n\n $ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n $ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.'\n desc 'fix', 'Install and enable the latest Trellix ENSLTP package.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000191-GPOS-00080'\n tag gid: 'V-245540'\n tag rid: 'SV-245540r942951_rule'\n tag stig_id: 'RHEL-08-010001'\n tag fix_id: 'F-48770r942950_fix'\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n\n if input('skip_endpoint_security_tool')\n impact 0.0\n describe 'Implementing the Endpoint 
Security for Linux Threat Prevention tool is not applicable by agreement with the approval authority of the organization.' do\n skip 'Implementing the Endpoint Security for Linux Threat Prevention tool is not applicable by agreement with the approval authority of the organization.'\n end\n else\n linux_threat_prevention_package = input('linux_threat_prevention_package')\n linux_threat_prevention_service = input('linux_threat_prevention_service')\n describe package(linux_threat_prevention_package) do\n it { should be_installed }\n end\n\n describe processes(linux_threat_prevention_service) do\n it { should exist }\n end\n end\nend\n", + "code": "control 'SV-230496' do\n title 'RHEL 8 must disable the stream control transmission protocol (SCTP).'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Stream Control Transmission Protocol (SCTP) is a transport layer\nprotocol, designed to support the idea of message-oriented communication, with\nseveral streams of messages within one connection. 
Disabling SCTP protects the\nsystem against exploitation of any flaws in its implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the SCTP kernel module.\n\n $ sudo grep -r sctp /etc/modprobe.d/* | grep \"/bin/false\"\n install sctp /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the SCTP.\n\nCheck to see if the SCTP is disabled with the following command:\n\n $ sudo grep -r sctp /etc/modprobe.d/* | grep \"blacklist\"\n blacklist sctp\n\nIf the command does not return any output or the output is not \"blacklist sctp\", and use of the SCTP is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the SCTP kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install sctp /bin/false\n blacklist sctp\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230496'\n tag rid: 'SV-230496r942924_rule'\n tag stig_id: 'RHEL-08-040023'\n tag fix_id: 'F-33140r942923_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe kernel_module('sctp') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-245540.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230496.rb", "line": 1 }, - "id": "SV-245540" + "id": "SV-230496" }, { - "title": "RHEL 8 must use a separate file system for the system audit data path.", - 
"desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "title": "RHEL 8 must ensure account lockouts persist.", + "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", "descriptions": { - "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", - "check": "Verify that a separate file system/partition has been created for the\nsystem audit data path with the following command:\n\n Note: /var/log/audit is used as the example as it is a common location.\n\n $ sudo grep /var/log/audit /etc/fstab\n\n UUID=3645951a /var/log/audit xfs defaults 1 2\n\n If an entry for \"/var/log/audit\" does not exist, ask the System\nAdministrator if the system audit logs are being written to a different file\nsystem/partition on the system, then grep for that file system/partition.\n\n If a separate file system/partition does not exist for the system audit\ndata path, this is a finding.", - "fix": "Migrate the system audit data path onto a separate file system." 
+ "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "check": "Note: This check applies to RHEL versions 8.2 or newer. If the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured use a\nnon-default faillock directory to ensure contents persist after reboot:\n\n $ sudo grep 'dir =' /etc/security/faillock.conf\n\n dir = /var/log/faillock\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory, is missing or commented out, this is a finding.", + "fix": "Configure the operating system maintain the contents of the faillock\ndirectory after a reboot.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n dir = /var/log/faillock" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230294", - "rid": "SV-230294r627750_rule", - "stig_id": "RHEL-08-010542", - "fix_id": "F-32938r567629_fix", + "severity": "medium", + "gtitle": "SRG-OS-000021-GPOS-00005", + "satisfies": [ + 
"SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "gid": "V-230339", + "rid": "SV-230339r743975_rule", + "stig_id": "RHEL-08-020017", + "fix_id": "F-32983r743974_fix", "cci": [ - "CCI-000366" + "CCI-000044" ], "nist": [ - "CM-6 b" + "AC-7 a" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230294' do\n title 'RHEL 8 must use a separate file system for the system audit data path.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system/partition has been created for the\nsystem audit data path with the following command:\n\n Note: /var/log/audit is used as the example as it is a common location.\n\n $ sudo grep /var/log/audit /etc/fstab\n\n UUID=3645951a /var/log/audit xfs defaults 1 2\n\n If an entry for \"/var/log/audit\" does not exist, ask the System\nAdministrator if the system audit logs are being written to a different file\nsystem/partition on the system, then grep for that file system/partition.\n\n If a separate file system/partition does not exist for the system audit\ndata path, this is a finding.'\n desc 'fix', 'Migrate the system audit data path onto a separate file system.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230294'\n tag rid: 'SV-230294r627750_rule'\n tag stig_id: 'RHEL-08-010542'\n tag fix_id: 'F-32938r567629_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_data_path = command(\"dirname #{auditd_conf.log_file}\").stdout.strip\n\n describe mount(audit_data_path) do\n it { should be_mounted }\n end\n\n describe etc_fstab.where { mount_point == audit_data_path } do\n it { should exist }\n end\nend\n", + "code": 
"control 'SV-230339' do\n title 'RHEL 8 must ensure account lockouts persist.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n In RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to\ncentralize the configuration of the pam_faillock.so module. Also introduced is\na \"local_users_only\" option that will only track failed user authentication\nattempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,\netc.) users to allow the centralized platform to solely manage user lockout.\n\n From \"faillock.conf\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', %q(Note: This check applies to RHEL versions 8.2 or newer. 
If the system is\nRHEL version 8.0 or 8.1, this check is not applicable.\n\n Verify the \"/etc/security/faillock.conf\" file is configured use a\nnon-default faillock directory to ensure contents persist after reboot:\n\n $ sudo grep 'dir =' /etc/security/faillock.conf\n\n dir = /var/log/faillock\n\n If the \"dir\" option is not set to a non-default documented tally log\ndirectory, is missing or commented out, this is a finding.)\n desc 'fix', 'Configure the operating system maintain the contents of the faillock\ndirectory after a reboot.\n\n Add/Modify the \"/etc/security/faillock.conf\" file to match the following\nline:\n\n dir = /var/log/faillock'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230339'\n tag rid: 'SV-230339r743975_rule'\n tag stig_id: 'RHEL-08-020017'\n tag fix_id: 'F-32983r743974_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n only_if('This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {\n (os.release.to_f) >= 8.2\n }\n\n describe parse_config_file('/etc/security/faillock.conf') do\n its('dir') { should cmp input('log_directory') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230294.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230339.rb", "line": 1 }, - "id": "SV-230294" + "id": "SV-230339" }, { - "title": "Successful/unsuccessful uses of postdrop in RHEL 8 must generate an\naudit record.", - "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. 
The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postdrop\" command creates a file in the maildrop directory and copies\nits standard input to the file.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 passwords must have a minimum of 15 characters.", + "desc": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\n The \"minlen\", sometimes noted as minimum length, acts as a \"score\" of\ncomplexity based on the credit components of the \"pwquality\" module. By\nsetting the credit components to a negative value, not only will those\ncomponents be required, they will not count towards the total \"score\" of\n\"minlen\". 
This will enable \"minlen\" to require a 15-character minimum.\n\n The DoD minimum password requirement is 15 characters.", "descriptions": { - "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postdrop\" command creates a file in the maildrop directory and copies\nits standard input to the file.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"postdrop\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"postdrop\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"postdrop\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\n The \"minlen\", sometimes noted as minimum length, acts as a \"score\" of\ncomplexity based on the credit components of the \"pwquality\" module. By\nsetting the credit components to a negative value, not only will those\ncomponents be required, they will not count towards the total \"score\" of\n\"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\n The DoD minimum password requirement is 15 characters.", + "check": "Verify the operating system enforces a minimum 15-character password length. The \"minlen\" option sets the minimum number of characters in a new password.\n\nCheck for the value of the \"minlen\" option with the following command:\n\n$ sudo grep -r minlen /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:minlen = 15\n\nIf the command does not return a \"minlen\" value of 15 or greater, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure operating system to enforce a minimum 15-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = 15\n\nRemove any configurations that conflict with the above value." }, "impact": 0.5, "refs": [ 
@@ -13033,42 +13021,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230427", - "rid": "SV-230427r627750_rule", - "stig_id": "RHEL-08-030311", - "fix_id": "F-33071r568028_fix", + "gtitle": "SRG-OS-000078-GPOS-00046", + "gid": "V-230369", + "rid": "SV-230369r858785_rule", + "stig_id": "RHEL-08-020230", + "fix_id": "F-33013r858784_fix", "cci": [ - "CCI-000169" + "CCI-000205" ], "nist": [ - "AU-12 a" + "IA-5 (1) (a)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230427' do\n title 'Successful/unsuccessful uses of postdrop in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"postdrop\" command creates a file in the maildrop directory and copies\nits standard input to the file.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"postdrop\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"postdrop\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"postdrop\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230427'\n tag rid: 'SV-230427r627750_rule'\n tag stig_id: 'RHEL-08-030311'\n tag fix_id: 'F-33071r568028_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/postdrop'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230369' do\n title 'RHEL 8 passwords must have a minimum of 15 characters.'\n desc 'The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\n The \"minlen\", sometimes noted as minimum length, acts as a \"score\" of\ncomplexity based on the credit components of the \"pwquality\" module. By\nsetting the credit components to a negative value, not only will those\ncomponents be required, they will not count towards the total \"score\" of\n\"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\n The DoD minimum password requirement is 15 characters.'\n desc 'check', 'Verify the operating system enforces a minimum 15-character password length. 
The \"minlen\" option sets the minimum number of characters in a new password.\n\nCheck for the value of the \"minlen\" option with the following command:\n\n$ sudo grep -r minlen /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:minlen = 15\n\nIf the command does not return a \"minlen\" value of 15 or greater, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure operating system to enforce a minimum 15-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = 15\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000078-GPOS-00046'\n tag gid: 'V-230369'\n tag rid: 'SV-230369r858785_rule'\n tag stig_id: 'RHEL-08-020230'\n tag fix_id: 'F-33013r858784_fix'\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('minlen.to_i') { should cmp >= input('pass_min_len') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230427.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230369.rb", "line": 1 }, - "id": "SV-230427" + "id": "SV-230369" }, { - "title": "Successful/unsuccessful uses of the newgrp command in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). 
The \"newgrp\" command is\nused to change the current group ID during a login session.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "RHEL 8 must mount /tmp with the nodev option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"newgrp\" command is\nused to change the current group ID during a login session.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"newgrp\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w newgrp /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=unset -k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"newgrp\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=unset -k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect." 
+ "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/tmp\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /tmp is\nmounted without the \"nodev\" option, this is a finding.", + "fix": "Configure the system so that /tmp is mounted with the \"nodev\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
@@ -13078,42 +13058,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000471-GPOS-00215" - ], - "gid": "V-230437", - "rid": "SV-230437r627750_rule", - "stig_id": "RHEL-08-030350", - "fix_id": "F-33081r568058_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230511", + "rid": "SV-230511r854052_rule", + "stig_id": "RHEL-08-040123", + "fix_id": "F-33155r568280_fix", "cci": [ - "CCI-000169" + "CCI-001764" ], "nist": [ - "AU-12 a" + "CM-7 (2)" ], "host": null }, - "code": "control 'SV-230437' do\n title 'Successful/unsuccessful uses of the newgrp command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"newgrp\" command is\nused to change the current group ID during a login session.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"newgrp\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w newgrp /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=unset -k priv_cmd\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"newgrp\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F\nauid!=unset -k priv_cmd\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230437'\n tag rid: 'SV-230437r627750_rule'\n tag stig_id: 'RHEL-08-030350'\n tag fix_id: 'F-33081r568058_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/newgrp'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to 
include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230511' do\n title 'RHEL 8 must mount /tmp with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/tmp\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /tmp is\nmounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /tmp is mounted with the \"nodev\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230511'\n tag rid: 'SV-230511r854052_rule'\n tag stig_id: 'RHEL-08-040123'\n tag fix_id: 'F-33155r568280_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/tmp'\n option = 'nodev'\n mount_option_enabled = input('mount_tmp_options')[option]\n\n if mount_option_enabled\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\n else\n describe mount(path) do\n its('options') { should_not include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should_not include option }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230437.rb", 
+ "ref": "./Red Hat 8 STIG/controls/SV-230511.rb", "line": 1 }, - "id": "SV-230437" + "id": "SV-230511" }, { - "title": "RHEL 8 must encrypt the transfer of audit records off-loaded onto a\ndifferent system or media from the system being audited.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.", + "title": "All RHEL 8 world-writable directories must be owned by root, sys, bin,\nor an application user.", + "desc": "If a world-writable directory is not owned by root, sys, bin, or an\napplication User Identifier (UID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.", - "check": "Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands:\n\n$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:$DefaultNetstreamDriver gtls\n\nIf the value of the \"$DefaultNetstreamDriver\" option is not set to \"gtls\" or the line is commented out, this is a finding.\n\n$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:$ActionSendStreamDriverMode 1\n\nIf the value of the \"$ActionSendStreamDriverMode\" option is not set to \"1\" or the line is commented out, this is a finding.\n\nIf neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.\n\nIf there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.", - "fix": "Configure the operating system to encrypt off-loaded audit records by\nsetting the following options in \"/etc/rsyslog.conf\" or\n\"/etc/rsyslog.d/[customfile].conf\":\n\n $DefaultNetstreamDriver gtls\n $ActionSendStreamDriverMode 1" + "default": "If a world-writable directory is not owned by root, sys, bin, or an\napplication User Identifier (UID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "check": "The following command will 
discover and print world-writable directories\nthat are not owned by a system account, given the assumption that only system\naccounts have a uid lower than 1000. Run it once for each local partition\n[PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\n If there is output, this is a finding.", + "fix": "All directories in local partitions which are world-writable\nshould be owned by root or another system account. If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup." }, "impact": 0.5, "refs": [ 
@@ -13123,37 +13094,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000342-GPOS-00133", - "satisfies": [ - "SRG-OS-000342-GPOS-00133", - "SRG-OS-000479-GPOS-00224" - ], - "gid": "V-230481", - "rid": "SV-230481r877390_rule", - "stig_id": "RHEL-08-030710", - "fix_id": "F-33125r568190_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230318", + "rid": "SV-230318r743960_rule", + "stig_id": "RHEL-08-010700", + "fix_id": "F-32962r567701_fix", "cci": [ - "CCI-001851" + "CCI-000366" ], "nist": [ - "AU-4 (1)" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230481' do\n title 'RHEL 8 must encrypt the transfer of audit records off-loaded onto a\ndifferent system or media from the system being audited.'\n desc 'Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n RHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system\nutility providing support for message logging. Support for both internet and\nUNIX domain sockets enables this utility to support both local and remote\nlogging. 
Couple this utility with \"gnutls\" (which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to\nsecurely encrypt and off-load auditing.'\n desc 'check', %q(Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands:\n\n$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:$DefaultNetstreamDriver gtls\n\nIf the value of the \"$DefaultNetstreamDriver\" option is not set to \"gtls\" or the line is commented out, this is a finding.\n\n$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:$ActionSendStreamDriverMode 1\n\nIf the value of the \"$ActionSendStreamDriverMode\" option is not set to \"1\" or the line is commented out, this is a finding.\n\nIf neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.\n\nIf there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.)\n desc 'fix', 'Configure the operating system to encrypt off-loaded audit records by\nsetting the following options in \"/etc/rsyslog.conf\" or\n\"/etc/rsyslog.d/[customfile].conf\":\n\n $DefaultNetstreamDriver gtls\n $ActionSendStreamDriverMode 1'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000342-GPOS-00133'\n tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224']\n tag gid: 'V-230481'\n tag rid: 'SV-230481r877390_rule'\n tag stig_id: 'RHEL-08-030710'\n tag fix_id: 'F-33125r568190_fix'\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('alternative_logging_method') != 
''\n describe 'manual check' do\n skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'\n end\n else\n describe 'rsyslog configuration' do\n subject {\n command(\"grep -i '^\\$DefaultNetstreamDriver' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'\").stdout\n }\n it { should match(/\\$DefaultNetstreamDriver\\s+gtls/) }\n end\n\n describe 'rsyslog configuration' do\n subject {\n command(\"grep -i '^\\$ActionSendStreamDriverMode' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'\").stdout\n }\n it { should match(/\\$ActionSendStreamDriverMode\\s+1/) }\n end\n end\nend\n", + "code": "control 'SV-230318' do\n title 'All RHEL 8 world-writable directories must be owned by root, sys, bin,\nor an application user.'\n desc 'If a world-writable directory is not owned by root, sys, bin, or an\napplication User Identifier (UID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories\nthat are not owned by a system account, given the assumption that only system\naccounts have a uid lower than 1000. Run it once for each local partition\n[PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable\nshould be owned by root or another system account. 
If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230318'\n tag rid: 'SV-230318r743960_rule'\n tag stig_id: 'RHEL-08-010700'\n tag fix_id: 'F-32962r567701_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'\n end\n else\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n cmd = \"find #{partitions.join(' ')} -xdev -type d -perm -0002 -uid +999 -print\"\n failing_dirs = command(cmd).stdout.split(\"\\n\").uniq\n\n describe 'Any world-writeable directories' do\n it 'should be owned by system accounts' do\n expect(failing_dirs).to be_empty, \"Failing directories:\\n\\t- #{failing_dirs.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230481.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230318.rb", "line": 1 }, - "id": "SV-230481" + "id": "SV-230318" }, { - "title": "Local RHEL 8 initialization files must not execute world-writable\nprograms.", - "desc": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. 
If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", + "title": "RHEL 8 must require users to provide a password for privilege\nescalation.", + "desc": "Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", "descriptions": { - "default": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", - "check": "Verify that local initialization files do not execute world-writable\nprograms.\n\n Check the system for world-writable files.\n\n The following command will discover and print world-writable files. 
Run it\nonce for each local partition [PART]:\n\n $ sudo find [PART] -xdev -type f -perm -0002 -print\n\n For all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\n Note: The example will be for a system that is configured to create user\nhome directories in the \"/home\" directory.\n\n $ sudo grep /home/*/.*\n\n If any local initialization files are found to reference world-writable\nfiles, this is a finding.", - "fix": "Set the mode on files being executed by the local initialization files with\nthe following command:\n\n $ sudo chmod 0755 " + "default": "Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", + "check": "Verify that \"/etc/sudoers\" has no occurrences of \"NOPASSWD\".\n\n Check that the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" by\nrunning the following command:\n\n $ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\n %admin ALL=(ALL) NOPASSWD: ALL\n\n If any occurrences of \"NOPASSWD\" are returned from the command and have\nnot been documented with the ISSO as an organizationally defined administrative\ngroup utilizing MFA, this is a finding.", + "fix": "Remove any occurrence of \"NOPASSWD\" found in \"/etc/sudoers\"\nfile or files in the \"/etc/sudoers.d\" directory." }, "impact": 0.5, "refs": [ 
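Review bot: In the new `code` string for SV-230318, `failing_dirs` is built from `command(cmd).stdout` alone, so a `find` that errors out (for example because the fstab mount-point list includes a swap placeholder such as `none` or `swap`, or an unmounted entry) yields an empty stdout and the control passes vacuously. Capturing the result and asserting on it first, e.g. `result = command(cmd)` then `expect(result.exit_status).to eq(0), "find failed:\n#{result.stderr}"` before the emptiness check, would turn a broken scan into a visible failure; filtering `partitions` to entries that start with `/` would avoid the predictable errors. The `-uid +999` cutoff is also hard-coded while the check text only states it as an assumption, so a system with a non-default UID_MIN would be scanned with the wrong boundary. Since this JSON is an export, the change belongs in `./Red Hat 8 STIG/controls/SV-230318.rb` with the baseline regenerated.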
@@ -13163,33 +13131,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230309", - "rid": "SV-230309r627750_rule", - "stig_id": "RHEL-08-010660", - "fix_id": "F-32953r567674_fix", + "gtitle": "SRG-OS-000373-GPOS-00156", + "satisfies": [ + "SRG-OS-000373-GPOS-00156", + "SRG-OS-000373-GPOS-00157", + "SRG-OS-000373-GPOS-00158" + ], + "gid": "V-230271", + "rid": "SV-230271r854026_rule", + "stig_id": "RHEL-08-010380", + "fix_id": "F-32915r854025_fix", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b" + "IA-11" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230309' do\n title 'Local RHEL 8 initialization files must not execute world-writable\nprograms.'\n desc 'If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.'\n desc 'check', 'Verify that local initialization files do not execute world-writable\nprograms.\n\n Check the system for world-writable files.\n\n The following command will discover and print world-writable files. 
Run it\nonce for each local partition [PART]:\n\n $ sudo find [PART] -xdev -type f -perm -0002 -print\n\n For all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\n Note: The example will be for a system that is configured to create user\nhome directories in the \"/home\" directory.\n\n $ sudo grep /home/*/.*\n\n If any local initialization files are found to reference world-writable\nfiles, this is a finding.'\n desc 'fix', 'Set the mode on files being executed by the local initialization files with\nthe following command:\n\n $ sudo chmod 0755 '\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230309'\n tag rid: 'SV-230309r627750_rule'\n tag stig_id: 'RHEL-08-010660'\n tag fix_id: 'F-32953r567674_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'\n end\n else\n\n # get all world-writeable programs\n mount_points = etc_fstab.mount_point.join(' ')\n ww_programs = command(\"find #{mount_points} -xdev -type f -perm -0002 -print\").stdout.split.join('|')\n\n # get all homedirs\n interactive_users = passwd.where { uid.to_i >= 1000 && shell !~ /nologin/ }\n\n interactive_user_homedirs = interactive_users.homes.map { |home_path| home_path.match(%r{^(.*)/.*$}).captures.first }.uniq\n\n # get all init files (.*) in homedirs\n init_files = command(\"find #{interactive_user_homedirs.join(' ')} -xdev -maxdepth 2 -name '.*' ! 
-name '.bash_history' -type f\").stdout.split(\"\\n\")\n\n # check for ww programs in the init files\n init_files_invoking_ww = ww_programs.empty? ? [] : init_files.select { |i| file(i).content.lines.any? { |line| line.match(/^#{ww_programs}/) } }\n\n describe 'Interactive user initialization files' do\n it 'should not invoke world-writeable programs' do\n expect(init_files_invoking_ww).to be_empty, \"Failing init files:\\n\\t- #{init_files_invoking_ww.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", + "code": "control 'SV-230271' do\n title 'RHEL 8 must require users to provide a password for privilege\nescalation.'\n desc 'Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.'\n desc 'check', 'Verify that \"/etc/sudoers\" has no occurrences of \"NOPASSWD\".\n\n Check that the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" by\nrunning the following command:\n\n $ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\n %admin ALL=(ALL) NOPASSWD: ALL\n\n If any occurrences of \"NOPASSWD\" are returned from the command and have\nnot been documented with the ISSO as an organizationally defined administrative\ngroup utilizing MFA, this is a finding.'\n desc 'fix', 'Remove any occurrence of \"NOPASSWD\" found in \"/etc/sudoers\"\nfile or files in the \"/etc/sudoers.d\" directory.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-230271'\n tag rid: 'SV-230271r854026_rule'\n tag stig_id: 'RHEL-08-010380'\n tag fix_id: 'F-32915r854025_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable within a container without 
sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n # TODO: figure out why this .where throws an exception if we don't explicitly filter out nils via 'tags.nil?'\n # ergo shouldn't the filtertable be handling that kind of nil-checking for us?\n failing_results = sudoers(input('sudoers_config_files').join(' ')).rules.where { tags.nil? && (tags || '').include?('NOPASSWD') }\n\n failing_results = failing_results.where { !input('passwordless_admins').include?(users) } if input('passwordless_admins').nil?\n\n describe 'Sudoers' do\n it 'should not include any (non-exempt) users with NOPASSWD set' do\n expect(failing_results.users).to be_empty, \"NOPASSWD settings found for users:\\n\\t- #{failing_results.users.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230309.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230271.rb", "line": 1 }, - "id": "SV-230309" + "id": "SV-230271" }, { - "title": "The RHEL 8 SSH daemon must not allow Kerberos authentication, except\nto fulfill documented and validated mission requirements.", - "desc": "Configuring these settings for the SSH daemon provides additional\nassurance that remote logon via SSH will not use unused methods of\nauthentication, even in the event of misconfiguration elsewhere.", + "title": "RHEL 8 must not forward IPv4 source-routed packets by default.", + "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "Configuring these settings for the SSH daemon provides additional\nassurance that remote logon via SSH will not use unused methods of\nauthentication, even in the event of misconfiguration elsewhere.", - "check": "Verify the SSH daemon does not allow Kerberos authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*kerberosauthentication'\n\nKerberosAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow Kerberos authentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n KerberosAuthentication no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to not forward IPv4 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" 
directory:\n\nnet.ipv4.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
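Review bot: In the new `code` string for SV-230271, the filter `tags.nil? && (tags || '').include?('NOPASSWD')` can never be true — when `tags` is nil the right-hand side tests the empty string — so `failing_results` is always empty and the NOPASSWD check passes on every system, including one with `%admin ALL=(ALL) NOPASSWD: ALL`. Judging by the TODO comment above it, the intent appears to be the negation: `.where { !tags.nil? && tags.include?('NOPASSWD') }`. The exemption line that follows is inverted as well: `... if input('passwordless_admins').nil?` applies the filter only when the input is nil, where `nil.include?` raises, and skips it when admins are actually listed; it should read `... unless input('passwordless_admins').nil?`. Because this file is an exported baseline, the fix belongs in `./Red Hat 8 STIG/controls/SV-230271.rb`, after which the JSON should be regenerated.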
@@ -13200,70 +13174,68 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230291", - "rid": "SV-230291r952105_rule", - "stig_id": "RHEL-08-010521", - "fix_id": "F-32935r743956_fix", + "gid": "V-244552", + "rid": "SV-244552r858803_rule", + "stig_id": "RHEL-08-040249", + "fix_id": "F-47784r858802_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230291' do\n title 'The RHEL 8 SSH daemon must not allow Kerberos authentication, except\nto fulfill documented and validated mission requirements.'\n desc 'Configuring these settings for the SSH daemon provides additional\nassurance that remote logon via SSH will not use unused methods of\nauthentication, even in the event of misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow Kerberos authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*kerberosauthentication'\n\nKerberosAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow Kerberos authentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n KerberosAuthentication no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230291'\n tag rid: 'SV-230291r952105_rule'\n tag stig_id: 'RHEL-08-010521'\n tag fix_id: 'F-32935r743956_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n describe sshd_active_config do\n its('KerberosAuthentication') { should cmp 'no' }\n end\nend\n", + "code": "control 'SV-244552' do\n title 'RHEL 8 must not forward IPv4 source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv4 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244552'\n tag rid: 'SV-244552r858803_rule'\n tag stig_id: 'RHEL-08-040249'\n tag fix_id: 
'F-47784r858802_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.accept_source_route'\n action = 'IPv4 source-routed packets default'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line 
`#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230291.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244552.rb", "line": 1 }, - "id": "SV-230291" + "id": "SV-244552" }, { - "title": "There must be no shosts.equiv files on the RHEL 8 operating system.", - "desc": "The \"shosts.equiv\" files are used to configure host-based\nauthentication for the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", + "title": "RHEL 8 must have the packages required for multifactor authentication\n installed.", + "desc": "Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. 
Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", "descriptions": { - "default": "The \"shosts.equiv\" files are used to configure host-based\nauthentication for the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", - "check": "Verify there are no \"shosts.equiv\" files on RHEL 8 with the following\ncommand:\n\n $ sudo find / -name shosts.equiv\n\n If a \"shosts.equiv\" file is found, this is a finding.", - "fix": "Remove any found \"shosts.equiv\" files from the system.\n\n$ sudo rm /etc/ssh/shosts.equiv" + "default": "Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. 
Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "check": "Verify the operating system has the packages required for multifactor\n authentication installed with the following commands:\n\n $ sudo yum list installed openssl-pkcs11\n\n openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda\n\n If the \"openssl-pkcs11\" package is not installed, ask the administrator\n to indicate what type of multifactor authentication is being utilized and what\n packages are installed to support it. 
If there is no evidence of multifactor\n authentication being used, this is a finding.", + "fix": "Configure the operating system to implement multifactor authentication by\n installing the required package with the following command:\n\n $ sudo yum install openssl-pkcs11" }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230283", - "rid": "SV-230283r627750_rule", - "stig_id": "RHEL-08-010460", - "fix_id": "F-32927r567596_fix", + "severity": "medium", + "gtitle": "SRG-OS-000375-GPOS-00160", + "gid": "V-230273", + "rid": "SV-230273r854028_rule", + "stig_id": "RHEL-08-010390", + "fix_id": "F-32917r743942_fix", "cci": [ - "CCI-000366" + "CCI-001948" ], "nist": [ - "CM-6 b" + "IA-2 (11)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230283' do\n title 'There must be no shosts.equiv files on the RHEL 8 operating system.'\n desc 'The \"shosts.equiv\" files are used to configure host-based\nauthentication for the system via SSH. 
Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.'\n desc 'check', 'Verify there are no \"shosts.equiv\" files on RHEL 8 with the following\ncommand:\n\n $ sudo find / -name shosts.equiv\n\n If a \"shosts.equiv\" file is found, this is a finding.'\n desc 'fix', 'Remove any found \"shosts.equiv\" files from the system.\n\n$ sudo rm /etc/ssh/shosts.equiv'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230283'\n tag rid: 'SV-230283r627750_rule'\n tag stig_id: 'RHEL-08-010460'\n tag fix_id: 'F-32927r567596_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n shosts_files = command('find / -xdev -xautofs -name shosts.equiv').stdout.strip.split(\"\\n\")\n\n describe 'The RHEL8 filesystem' do\n it 'should not have any shosts.equiv files present' do\n expect(shosts_files).to be_empty, \"Discovered shosts files:\\n\\t- #{shosts_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230273' do\n title 'RHEL 8 must have the packages required for multifactor authentication\n installed.'\n desc 'Using an authentication device, such as a DoD Common Access Card (CAC)\n or token that is separate from the information system, ensures that even if the\n information system is compromised, credentials stored on the authentication\n device will not be affected.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. 
Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).'\n desc 'check', 'Verify the operating system has the packages required for multifactor\n authentication installed with the following commands:\n\n $ sudo yum list installed openssl-pkcs11\n\n openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda\n\n If the \"openssl-pkcs11\" package is not installed, ask the administrator\n to indicate what type of multifactor authentication is being utilized and what\n packages are installed to support it. 
If there is no evidence of multifactor\n authentication being used, this is a finding.'\n desc 'fix', 'Configure the operating system to implement multifactor authentication by\n installing the required package with the following command:\n\n $ sudo yum install openssl-pkcs11'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag gid: 'V-230273'\n tag rid: 'SV-230273r854028_rule'\n tag stig_id: 'RHEL-08-010390'\n tag fix_id: 'F-32917r743942_fix'\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('smart_card_enabled')\n describe package('openssl-pkcs11') do\n it { should be_installed }\n end\n else\n impact 0.0\n describe 'The system is not smartcard enabled thus this control is Not Applicable' do\n skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230283.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230273.rb", "line": 1 }, - "id": "SV-230283" + "id": "SV-230273" }, { - "title": "Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must\ngenerate an audit record.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-keysign\" program\nis an SSH helper program for host-based authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". 
The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "title": "Successful/unsuccessful uses of setsebool in RHEL 8 must generate an\naudit record.", + "desc": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setsebool\" command sets the current state of a particular SELinux\nboolean or a list of booleans to a given value.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-keysign\" program\nis an SSH helper program for host-based authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", - "check": "Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"ssh-keysign\" by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep ssh-keysign /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-ssh\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-keysign\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setsebool\" command sets the current state of a particular SELinux\nboolean or a list of booleans to a given value.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify that an audit event is generated for any successful/unsuccessful use\nof \"setsebool\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"setsebool\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"setsebool\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ @@ -13283,10 +13255,10 @@ "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215" ], - "gid": "V-230434", - "rid": "SV-230434r744002_rule", - "stig_id": "RHEL-08-030320", - "fix_id": "F-33078r744001_fix", + "gid": "V-230432", + "rid": "SV-230432r627750_rule", + "stig_id": "RHEL-08-030316", + "fix_id": "F-33076r568043_fix", "cci": [ "CCI-000169" ], 
@@ -13295,20 +13267,20 @@ ], "host": null }, - "code": "control 'SV-230434' do\n title 'Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"ssh-keysign\" program\nis an SSH helper program for host-based authentication.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"ssh-keysign\" by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep ssh-keysign /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-ssh\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"ssh-keysign\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F\nauid>=1000 -F auid!=unset -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n 
tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230434'\n tag rid: 'SV-230434r744002_rule'\n tag stig_id: 'RHEL-08-030320'\n tag fix_id: 'F-33078r744001_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/libexec/openssh/ssh-keysign'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230432' do\n title 'Successful/unsuccessful uses of setsebool in RHEL 8 must generate an\naudit record.'\n desc 'Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.\nThe \"setsebool\" command sets the current state of a particular SELinux\nboolean or a list of booleans to a given value.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". 
The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify that an audit event is generated for any successful/unsuccessful use\nof \"setsebool\" by performing the following command to check the file system\nrules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w \"setsebool\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful uses of the \"setsebool\" by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F\nauid!=unset -k privileged-unix-update\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215']\n tag gid: 'V-230432'\n tag rid: 'SV-230432r627750_rule'\n tag stig_id: 'RHEL-08-030316'\n tag fix_id: 'F-33076r568043_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/sbin/setsebool'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n 
expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230434.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230432.rb", "line": 1 }, - "id": "SV-230434" + "id": "SV-230432" }, { - "title": "RHEL 8 must prevent a user from overriding the session idle-delay\nsetting for the graphical user interface.", - "desc": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", + "title": "RHEL 8 must mount /tmp with the noexec option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", - "check": "Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i idle /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/session/idle-delay\n\n If the command does not return at least the example result, this is a\nfinding.", - "fix": "Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/session/idle-delay" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/tmp\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if /tmp is\nmounted without the \"noexec\" option, this is a finding.", + "fix": "Configure the system so that /tmp is mounted with the \"noexec\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
@@ -13318,38 +13290,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", - "satisfies": [ - "SRG-OS-000029-GPOS-00010", - "SRG-OS-000031-GPOS-00012", - "SRG-OS-000480-GPOS-00227" - ], - "gid": "V-244538", - "rid": "SV-244538r743863_rule", - "stig_id": "RHEL-08-020081", - "fix_id": "F-47770r743862_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230513", + "rid": "SV-230513r854054_rule", + "stig_id": "RHEL-08-040125", + "fix_id": "F-33157r568286_fix", "cci": [ - "CCI-000057" + "CCI-001764" ], "nist": [ - "AC-11 a" + "CM-7 (2)" ], "host": null }, - "code": "control 'SV-244538' do\n title 'RHEL 8 must prevent a user from overriding the session idle-delay\nsetting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.\"\n desc 'check', 'Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i idle /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/session/idle-delay\n\n If the command does not return at least the example result, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/session/idle-delay'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-244538'\n tag rid: 'SV-244538r743863_rule'\n tag stig_id: 'RHEL-08-020081'\n tag fix_id: 'F-47770r743862_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n no_gui = command('ls 
/usr/share/xsessions/*').stderr.match?(/No such file or directory/)\n\n if no_gui\n impact 0.0\n describe 'The system does not have a GUI Desktop is installed, this control is Not Applicable' do\n skip 'A GUI desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('grep -i idle /etc/dconf/db/local.d/locks/*') do\n it 'checks if idle delay is set' do\n expect(subject.stdout.split).to include('/org/gnome/desktop/session/idle-delay'), 'The idle delay is not set. Please ensure it is set.'\n end\n end\n end\nend\n", + "code": "control 'SV-230513' do\n title 'RHEL 8 must mount /tmp with the noexec option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/tmp\" is mounted with the \"noexec\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"noexec\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"noexec\" option is missing, or if /tmp is\nmounted without the \"noexec\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /tmp is mounted with the \"noexec\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230513'\n tag rid: 'SV-230513r854054_rule'\n tag stig_id: 'RHEL-08-040125'\n tag fix_id: 'F-33157r568286_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/tmp'\n option = 'noexec'\n mount_option_enabled = input('mount_tmp_options')[option]\n\n if mount_option_enabled\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\n else\n describe mount(path) do\n its('options') { should_not include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should_not include option }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 
STIG/controls/SV-244538.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230513.rb", "line": 1 }, - "id": "SV-244538" + "id": "SV-230513" }, { - "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow.", + "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd.", "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/shadow /etc/audit/audit.rules\n\n -w /etc/shadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/shadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take 
effect." + "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/passwd /etc/audit/audit.rules\n\n -w /etc/passwd -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/passwd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ @@ -13379,10 +13346,10 @@ "SRG-OS-000466-GPOS-00210", "SRG-OS-000476-GPOS-00221" ], - "gid": "V-230404", - "rid": "SV-230404r627750_rule", - "stig_id": "RHEL-08-030130", - "fix_id": "F-33048r567959_fix", + "gid": "V-230406", + "rid": "SV-230406r627750_rule", + "stig_id": "RHEL-08-030150", + "fix_id": "F-33050r567965_fix", "cci": [ "CCI-000169" ], 
@@ -13391,20 +13358,20 @@ ], "host": null }, - "code": "control 'SV-230404' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/shadow /etc/audit/audit.rules\n\n -w /etc/shadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/shadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000466-GPOS-00210', 
'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230404'\n tag rid: 'SV-230404r627750_rule'\n tag stig_id: 'RHEL-08-030130'\n tag fix_id: 'F-33048r567959_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/shadow'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230406' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/passwd /etc/audit/audit.rules\n\n -w /etc/passwd -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/passwd -p wa 
-k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230406'\n tag rid: 'SV-230406r627750_rule'\n tag stig_id: 'RHEL-08-030150'\n tag fix_id: 'F-33050r567965_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/passwd'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230404.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230406.rb", "line": 1 }, - "id": "SV-230404" + "id": "SV-230406" }, { - "title": "The RHEL 8 SSH daemon must perform strict mode checking of home\ndirectory configuration files.", - "desc": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", + "title": "RHEL 8 must implement address space layout randomization (ASLR) to\nprotect its memory from unauthorized code execution.", + "desc": "Some 
adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", "descriptions": { - "default": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", - "check": "Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*strictmodes'\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure SSH to perform strict mode checking of home directory\nconfiguration files. 
Uncomment the \"StrictModes\" keyword in\n\"/etc/ssh/sshd_config\" and set the value to \"yes\":\n\n StrictModes yes\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf", + "check": "Verify RHEL 8 implements ASLR with the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to implement virtual address space randomization.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.randomize_va_space=2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nIssue the following command to make the changes take effect:\n\n$ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
@@ -13414,34 +13381,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230288", - "rid": "SV-230288r951600_rule", - "stig_id": "RHEL-08-010500", - "fix_id": "F-32932r567611_fix", + "gtitle": "SRG-OS-000433-GPOS-00193", + "gid": "V-230280", + "rid": "SV-230280r858767_rule", + "stig_id": "RHEL-08-010430", + "fix_id": "F-32924r858766_fix", "cci": [ - "CCI-000366" + "CCI-002824" ], "nist": [ - "CM-6 b" + "SI-16" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230288' do\n title 'The RHEL 8 SSH daemon must perform strict mode checking of home\ndirectory configuration files.'\n desc 'If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.'\n desc 'check', %q(Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*strictmodes'\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure SSH to perform strict mode checking of home directory\nconfiguration files. Uncomment the \"StrictModes\" keyword in\n\"/etc/ssh/sshd_config\" and set the value to \"yes\":\n\n StrictModes yes\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230288'\n tag rid: 'SV-230288r951600_rule'\n tag stig_id: 'RHEL-08-010500'\n tag fix_id: 'F-32932r567611_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n describe sshd_active_config do\n its('StrictModes') { should cmp 'yes' }\n end\nend\n", + "code": "control 'SV-230280' do\n title 'RHEL 8 must implement address space layout randomization (ASLR) to\nprotect its memory from unauthorized code execution.'\n desc 'Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 implements ASLR with the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to implement virtual address space randomization.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.randomize_va_space=2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nIssue the following command to make the changes take effect:\n\n$ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000433-GPOS-00193'\n tag gid: 'V-230280'\n tag rid: 'SV-230280r858767_rule'\n tag stig_id: 'RHEL-08-010430'\n tag fix_id: 'F-32924r858766_fix'\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe 
kernel_parameter('kernel.randomize_va_space') do\n its('value') { should eq 2 }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230288.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230280.rb", "line": 1 }, - "id": "SV-230288" + "id": "SV-230280" }, { - "title": "RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm.", - "desc": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.", + "title": "The RHEL 8 /var/log directory must have mode 0755 or less permissive.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. 
If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.", - "check": "Verify that the shadow password suite configuration is set to encrypt\npassword with a FIPS 140-2 approved cryptographic hashing algorithm.\n\n Check the hashing algorithm that is being used to hash passwords with the\nfollowing command:\n\n $ sudo grep -i crypt /etc/login.defs\n\n ENCRYPT_METHOD SHA512\n\n If \"ENCRYPT_METHOD\" does not equal SHA512 or greater, this is a finding.", - "fix": "Configure RHEL 8 to encrypt all stored passwords.\n\n Edit/Modify the following line in the \"/etc/login.defs\" file and set\n\"[ENCRYPT_METHOD]\" to SHA512.\n\n ENCRYPT_METHOD SHA512" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the \"/var/log\" directory has a mode of \"0755\" or less with\nthe following command:\n\n $ sudo stat -c \"%a %n\" /var/log\n\n 755\n\n If a value of \"0755\" or less permissive is not returned, this is a\nfinding.", + "fix": "Change the permissions of the directory \"/var/log\" to \"0755\" by running\nthe following command:\n\n $ sudo chmod 0755 /var/log" }, "impact": 0.5, "refs": [ 
@@ -13451,34 +13417,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000073-GPOS-00041", - "gid": "V-230231", - "rid": "SV-230231r877397_rule", - "stig_id": "RHEL-08-010110", - "fix_id": "F-32875r567440_fix", + "gtitle": "SRG-OS-000206-GPOS-00084", + "gid": "V-230248", + "rid": "SV-230248r627750_rule", + "stig_id": "RHEL-08-010240", + "fix_id": "F-32892r567491_fix", "cci": [ - "CCI-000196" + "CCI-001314" ], "nist": [ - "IA-5 (1) (c)" + "SI-11 b" ], "host": null, "container": null }, - "code": "control 'SV-230231' do\n title 'RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm.'\n desc 'Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised.\n\n Unapproved mechanisms that are used for authentication to the cryptographic\nmodule are not verified and therefore cannot be relied upon to provide\nconfidentiality or integrity, and DoD data may be compromised.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD requirements.'\n desc 'check', 'Verify that the shadow password suite configuration is set to encrypt\npassword with a FIPS 140-2 approved cryptographic hashing algorithm.\n\n Check the hashing algorithm that is being used to hash passwords with the\nfollowing command:\n\n $ sudo grep -i crypt /etc/login.defs\n\n ENCRYPT_METHOD SHA512\n\n If \"ENCRYPT_METHOD\" does not equal SHA512 or greater, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to encrypt all stored passwords.\n\n Edit/Modify the following line in the \"/etc/login.defs\" file and set\n\"[ENCRYPT_METHOD]\" to SHA512.\n\n ENCRYPT_METHOD SHA512'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-230231'\n tag 
rid: 'SV-230231r877397_rule'\n tag stig_id: 'RHEL-08-010110'\n tag fix_id: 'F-32875r567440_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag 'host'\n tag 'container'\n\n describe login_defs do\n its('ENCRYPT_METHOD') { should cmp 'SHA512' }\n end\nend\n", + "code": "control 'SV-230248' do\n title 'The RHEL 8 /var/log directory must have mode 0755 or less permissive.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify that the \"/var/log\" directory has a mode of \"0755\" or less with\nthe following command:\n\n $ sudo stat -c \"%a %n\" /var/log\n\n 755\n\n If a value of \"0755\" or less permissive is not returned, this is a\nfinding.'\n desc 'fix', 'Change the permissions of the directory \"/var/log\" to \"0755\" by running\nthe following command:\n\n $ sudo chmod 0755 /var/log'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230248'\n tag rid: 'SV-230248r627750_rule'\n tag stig_id: 'RHEL-08-010240'\n tag fix_id: 'F-32892r567491_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n tag 'container'\n\n describe directory('/var/log') do\n it { should exist }\n it { should_not be_more_permissive_than('0755') }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230231.rb", + 
"ref": "./Red Hat 8 STIG/controls/SV-230248.rb", "line": 1 }, - "id": "SV-230231" + "id": "SV-230248" }, { - "title": "RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur.", - "desc": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", + "title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a graphical\nuser logon.", + "desc": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", "descriptions": { - "default": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.", - "check": "Check that the system locks an account after three unsuccessful logon\nattempts with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\") on the\n\"preauth\" line with the \"pam_faillock.so\" module, or is missing from this\nline, this is a finding.\n\n If any line referencing the \"pam_faillock.so\" module is commented out,\nthis is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\") on the\n\"preauth\" line with the \"pam_faillock.so\" module, or is missing from this\nline, this is a finding.\n\n If any line referencing the \"pam_faillock.so\" module is commented out,\nthis is a finding.", - "fix": "Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following 
lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" + "default": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "check": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.", + "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n $ sudo dconf update" }, "impact": 0.5, "refs": [ 
@@ -13488,38 +13454,73 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000021-GPOS-00005", + "gtitle": "SRG-OS-000023-GPOS-00006", "satisfies": [ - "SRG-OS-000021-GPOS-00005", - "SRG-OS-000329-GPOS-00128" + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" ], - "gid": "V-230332", - "rid": "SV-230332r627750_rule", - "stig_id": "RHEL-08-020010", - "fix_id": "F-32976r567743_fix", + "gid": "V-230226", + "rid": "SV-230226r743916_rule", + "stig_id": "RHEL-08-010050", + "fix_id": "F-32870r743915_fix", + "cci": [ + "CCI-000048" + ], + "nist": [ + "AC-8 a" + ], + "host": null, + "container": null + }, + "code": "control 'SV-230226' do\n title 'RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a graphical\nuser logon.'\n desc 'Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"'\n desc 'check', %q(Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.)\n desc 'fix', %q(Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n $ sudo dconf update)\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-230226'\n tag rid: 'SV-230226r743916_rule'\n tag stig_id: 'RHEL-08-010050'\n tag fix_id: 'F-32870r743915_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n tag 'container'\n\n only_if(\"The system does not have GNOME installed; this requirement is Not\n Applicable.\", impact: 0.0) { package('gnome-desktop3').installed? }\n\n banner_message_db = input('banner_message_db')\n\n banner = command(\"grep ^banner-message-text /etc/dconf/db/#{banner_message_db}.d/*\").stdout.gsub(/[\\r\\n\\s]/, '')\n expected_banner = input('banner_message_text_gui').gsub(/[\\r\\n\\s]/, '')\n\n describe 'The GUI Banner ' do\n it 'is set to the standard banner and has the correct text' do\n expect(banner).to eq(expected_banner), 'Banner does not match expected text'\n end\n end\nend\n", + "source_location": { + "ref": "./Red Hat 8 STIG/controls/SV-230226.rb", + "line": 1 + }, + "id": "SV-230226" + }, + { + "title": "A firewall must be active on RHEL 8.", + "desc": "\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).", + "descriptions": { + "default": "\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).", + "check": "Verify that \"firewalld\" is active with the following commands:\n\n $ sudo systemctl is-active firewalld\n\n active\n\n If the \"firewalld\" package is not \"active\", ask the System\nAdministrator if another firewall is installed. 
If no firewall is installed and\nactive this is a finding.", + "fix": "Configure \"firewalld\" to protect the operating system with the following\ncommand:\n\n $ sudo systemctl enable firewalld" + }, + "impact": 0.5, + "refs": [ + { + "ref": "DPMS Target Red Hat Enterprise Linux 8" + } + ], + "tags": { + "severity": "medium", + "gtitle": "SRG-OS-000297-GPOS-00115", + "gid": "V-244544", + "rid": "SV-244544r854073_rule", + "stig_id": "RHEL-08-040101", + "fix_id": "F-47776r743880_fix", "cci": [ - "CCI-000044" + "CCI-002314" ], "nist": [ - "AC-7 a" - ], - "host": null, - "container": null + "AC-17 (1)" + ] }, - "code": "control 'SV-230332' do\n title 'RHEL 8 must automatically lock an account when three unsuccessful\nlogon attempts occur.'\n desc 'By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-force attacks, is reduced. Limits are imposed by locking the account.\n\n RHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that\nmanual changes to the listed files may be overwritten by the \"authselect\"\nprogram.\n\n From \"Pam_Faillock\" man pages: Note that the default directory that\n\"pam_faillock\" uses is usually cleared on system boot so the access will be\nreenabled after system reboot. 
If that is undesirable a different tally\ndirectory must be set with the \"dir\" option.'\n desc 'check', 'Check that the system locks an account after three unsuccessful logon\nattempts with the following commands:\n\n Note: If the System Administrator demonstrates the use of an approved\ncentralized account management method that locks an account after three\nunsuccessful logon attempts within a period of 15 minutes, this requirement is\nnot applicable.\n\n Note: This check applies to RHEL versions 8.0 and 8.1, if the system is\nRHEL version 8.2 or newer, this check is not applicable.\n\n $ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\") on the\n\"preauth\" line with the \"pam_faillock.so\" module, or is missing from this\nline, this is a finding.\n\n If any line referencing the \"pam_faillock.so\" module is commented out,\nthis is a finding.\n\n $ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n If the \"deny\" option is not set to \"3\" or less (but not \"0\") on the\n\"preauth\" line with the \"pam_faillock.so\" module, or is missing from this\nline, this is a finding.\n\n If any line referencing the \"pam_faillock.so\" module is commented out,\nthis is a finding.'\n desc 'fix', 'Configure the operating system to lock an account when three unsuccessful\nlogon attempts occur.\n\n Add/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the 
following lines:\n\n auth required pam_faillock.so preauth dir=/var/log/faillock silent audit\ndeny=3 even_deny_root fail_interval=900 unlock_time=0\n auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0\n account required pam_faillock.so\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000021-GPOS-00005'\n tag satisfies: ['SRG-OS-000021-GPOS-00005', 'SRG-OS-000329-GPOS-00128']\n tag gid: 'V-230332'\n tag rid: 'SV-230332r627750_rule'\n tag stig_id: 'RHEL-08-020010'\n tag fix_id: 'F-32976r567743_fix'\n tag cci: ['CCI-000044']\n tag nist: ['AC-7 a']\n tag 'host'\n tag 'container'\n\n unsuccessful_attempts = input('unsuccessful_attempts')\n pam_auth_files = input('pam_auth_files')\n\n only_if('This system uses Centralized Account Management to manage this requirement', impact: 0.0) {\n !input('central_account_management')\n }\n\n if os.release.to_f >= 8.2\n impact 0.0\n describe 'This requirement only applies to RHEL 8 version(s) 8.0 and 8.1' do\n skip \"Currently on release #{os.release}, this control is Not Applicable.\"\n end\n else\n [\n pam_auth_files['password-auth'],\n pam_auth_files['system-auth']\n ].each do |path|\n describe pam(path) do\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_integer_arg('deny',\n '<=', unsuccessful_attempts)\n }\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so preauth').all_with_integer_arg('deny',\n '>=', 0)\n }\n end\n end\n end\nend\n", + "code": "control 'SV-244544' do\n title 'A firewall must be active on RHEL 8.'\n desc '\"Firewalld\" provides an easy and effective way to block/limit remote\naccess to the system via ports, services, and protocols.\n\n Remote access services, such 
as those providing remote access to network\ndevices and information systems, which lack automated control capabilities,\nincrease risk and make remote user access management difficult at best.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement\naction if the audit reveals unauthorized activity. Automated control of remote\naccess sessions allows organizations to ensure ongoing compliance with remote\naccess policies by enforcing connection rules of remote access applications on\na variety of information system components (e.g., servers, workstations,\nnotebook computers, smartphones, and tablets).'\n desc 'check', 'Verify that \"firewalld\" is active with the following commands:\n\n $ sudo systemctl is-active firewalld\n\n active\n\n If the \"firewalld\" package is not \"active\", ask the System\nAdministrator if another firewall is installed. 
If no firewall is installed and\nactive this is a finding.'\n desc 'fix', 'Configure \"firewalld\" to protect the operating system with the following\ncommand:\n\n $ sudo systemctl enable firewalld'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000297-GPOS-00115'\n tag gid: 'V-244544'\n tag rid: 'SV-244544r854073_rule'\n tag stig_id: 'RHEL-08-040101'\n tag fix_id: 'F-47776r743880_fix'\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n only_if('This requirment is Not Applicable in the container, the container management platform manages the firewall service', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('external_firewall')\n message = 'This system uses an externally managed firewall service, verify with the system administrator that the firewall is configured to requirements'\n describe message do\n skip message\n end\n else\n describe package('firewalld') do\n it { should be_installed }\n end\n describe firewalld do\n it { should be_installed }\n it { should be_running }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230332.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244544.rb", "line": 1 }, - "id": "SV-230332" + "id": "SV-244544" }, { - "title": "RHEL 8 remote X connections for interactive users must be disabled\nunless to fulfill documented and validated mission requirements.", - "desc": "The security risk of using X11 forwarding is that the client's X11\ndisplay server may be exposed to attack when the SSH client requests\nforwarding. A system administrator may have a stance in which they want to\nprotect clients that may expose themselves to attack by unwittingly requesting\nX11 forwarding, which can warrant a \"no\" setting.\n\n X11 forwarding should be enabled with caution. 
Users with the ability to\nbypass file permissions on the remote host (for the user's X11 authorization\ndatabase) can access the local X11 display through the forwarded connection. An\nattacker may then be able to perform activities such as keystroke monitoring if\nthe ForwardX11Trusted option is also enabled.\n\n If X11 services are not required for the system's intended function, they\nshould be disabled or restricted as appropriate to the system’s needs.", + "title": "RHEL 8 must terminate idle user sessions.", + "desc": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.", "descriptions": { - "default": "The security risk of using X11 forwarding is that the client's X11\ndisplay server may be exposed to attack when the SSH client requests\nforwarding. A system administrator may have a stance in which they want to\nprotect clients that may expose themselves to attack by unwittingly requesting\nX11 forwarding, which can warrant a \"no\" setting.\n\n X11 forwarding should be enabled with caution. Users with the ability to\nbypass file permissions on the remote host (for the user's X11 authorization\ndatabase) can access the local X11 display through the forwarded connection. 
An\nattacker may then be able to perform activities such as keystroke monitoring if\nthe ForwardX11Trusted option is also enabled.\n\n If X11 services are not required for the system's intended function, they\nshould be disabled or restricted as appropriate to the system’s needs.", - "check": "Verify X11Forwarding is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11forwarding'\n\nX11Forwarding no\n\nIf the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11Forwarding\" keyword and set its value to \"no\" (this file may be named\ndifferently or be in a different location if using a version of SSH that is\nprovided by a third-party vendor):\n\n X11Forwarding no\n\n The SSH service must be restarted for changes to take effect:\n\n $ sudo systemctl restart sshd" + "default": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.", + "check": "Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command:\n\n $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf\n\n StopIdleSessionSec=900\n\nIf \"StopIdleSessionSec\" is not configured to \"900\" seconds, this is a finding.", + "fix": "Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line:\n\n StopIdleSessionSec=900\n\nThe \"logind\" service must be restarted for the changes to take effect. 
To restart the \"logind\" service, run the following command:\n\n $ sudo systemctl restart systemd-logind\n\nNote: To preserve running user programs such as tmux, uncomment and/or edit \"KillUserProccesses=no\" in \"/etc/systemd/logind.conf\"."
 },
 "impact": 0.5,
 "refs": [
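Review bot: In the added `code` string for SV-230226, `banner` is the raw stdout of `grep ^banner-message-text /etc/dconf/db/#{banner_message_db}.d/*` with whitespace stripped, so it still carries the `banner-message-text=` key (plus a `file:` prefix whenever the glob matches more than one file, and several concatenated lines if more than one file sets the key), while `expected_banner` is only the banner text; unless `banner_message_text_gui` is meant to include that prefix, the `eq` expectation cannot be satisfied. The literal `\n` escape sequences that the fix text puts into the dconf value are not whitespace either and appear to survive the `gsub`, if I read the GVariant quoting correctly. Isolating the value before comparing would make the check meaningful, e.g. `raw = command("grep -h ^banner-message-text /etc/dconf/db/#{banner_message_db}.d/*").stdout` followed by `banner = raw.sub(/\A[^=]*=/, '').gsub(/\\n|[\r\n\s']/, '')`, and a matching-file count of exactly one would catch duplicate definitions. Separately, the SV-244544 `only_if` message misspells "requirment", and that control asserts `be_running` but not `be_enabled` even though its own fix text is `systemctl enable firewalld`, so a firewall that is up now but disabled for the next boot passes. The SV-257258 object opened at the end of this hunk continues in the next one, so its `code` is not reviewed here.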
@@ -13528,71 +13529,74 @@ } ], "tags": { + "check_id": "C-60942r917889_chk", "severity": "medium", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230555", - "rid": "SV-230555r951618_rule", - "stig_id": "RHEL-08-040340", - "fix_id": "F-33199r568412_fix", + "gid": "V-257258", + "rid": "SV-257258r942953_rule", + "stig_id": "RHEL-08-020035", + "gtitle": "SRG-OS-000163-GPOS-00072", + "fix_id": "F-60884r942952_fix", + "documentable": null, "cci": [ - "CCI-000366" + "CCI-001133" ], "nist": [ - "CM-6 b" + "SC-10" ], - "host": null, - "container-conditional": null + "container": null, + "host": null }, - "code": "control 'SV-230555' do\n title 'RHEL 8 remote X connections for interactive users must be disabled\nunless to fulfill documented and validated mission requirements.'\n desc %q(The security risk of using X11 forwarding is that the client's X11\ndisplay server may be exposed to attack when the SSH client requests\nforwarding. A system administrator may have a stance in which they want to\nprotect clients that may expose themselves to attack by unwittingly requesting\nX11 forwarding, which can warrant a \"no\" setting.\n\n X11 forwarding should be enabled with caution. Users with the ability to\nbypass file permissions on the remote host (for the user's X11 authorization\ndatabase) can access the local X11 display through the forwarded connection. 
An\nattacker may then be able to perform activities such as keystroke monitoring if\nthe ForwardX11Trusted option is also enabled.\n\n If X11 services are not required for the system's intended function, they\nshould be disabled or restricted as appropriate to the system’s needs.)\n desc 'check', %q(Verify X11Forwarding is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11forwarding'\n\nX11Forwarding no\n\nIf the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11Forwarding\" keyword and set its value to \"no\" (this file may be named\ndifferently or be in a different location if using a version of SSH that is\nprovided by a third-party vendor):\n\n X11Forwarding no\n\n The SSH service must be restarted for changes to take effect:\n\n $ sudo systemctl restart sshd'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230555'\n tag rid: 'SV-230555r951618_rule'\n tag stig_id: 'RHEL-08-040340'\n tag fix_id: 'F-33199r568412_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n describe sshd_active_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n", + "code": "control 'SV-257258' do\n title 'RHEL 8 must terminate idle user sessions.'\n desc 'Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of 
a management session enabled on the console or console port that has been left unattended.'\n desc 'check', 'Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command:\n\n $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf\n\n StopIdleSessionSec=900\n\nIf \"StopIdleSessionSec\" is not configured to \"900\" seconds, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line:\n\n StopIdleSessionSec=900\n\nThe \"logind\" service must be restarted for the changes to take effect. To restart the \"logind\" service, run the following command:\n\n $ sudo systemctl restart systemd-logind\n\nNote: To preserve running user programs such as tmux, uncomment and/or edit \"KillUserProccesses=no\" in \"/etc/systemd/logind.conf\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-60942r917889_chk'\n tag severity: 'medium'\n tag gid: 'V-257258'\n tag rid: 'SV-257258r942953_rule'\n tag stig_id: 'RHEL-08-020035'\n tag gtitle: 'SRG-OS-000163-GPOS-00072'\n tag fix_id: 'F-60884r942952_fix'\n tag 'documentable'\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'container'\n tag 'host'\n\n stop_idle_session_sec = input('stop_idle_session_sec')\n\n describe parse_config_file('/etc/systemd/logind.conf') do\n its('Login') { should include('StopIdleSessionSec' => stop_idle_session_sec.to_s) }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230555.rb", + "ref": "./Red Hat 8 STIG/controls/SV-257258.rb", "line": 1 }, - "id": "SV-230555" + "id": "SV-257258" }, { - "title": "RHEL 8 must disable the controller area network (CAN) protocol.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Controller Area Network (CAN) is a serial communications protocol,\nwhich was initially developed for automotive and is now also used in marine,\nindustrial, and medical applications. Disabling CAN protects the system against\nexploitation of any flaws in its implementation.", + "title": "All RHEL 8 local files and directories must have a valid group owner.", + "desc": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Controller Area Network (CAN) is a serial communications protocol,\nwhich was initially developed for automotive and is now also used in marine,\nindustrial, and medical applications. 
Disabling CAN protects the system against\nexploitation of any flaws in its implementation.", - "check": "Verify the operating system disables the ability to load the CAN protocol kernel module.\n\n $ sudo grep -r can /etc/modprobe.d/* | grep \"/bin/false\"\n install can /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the CAN protocol.\n\nCheck to see if the CAN protocol is disabled with the following command:\n\n $ sudo grep -r can /etc/modprobe.d/* | grep \"blacklist\"\n blacklist can\n\nIf the command does not return any output or the output is not \"blacklist can\", and use of the CAN protocol is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the CAN protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install can /bin/false\n blacklist can\n\nReboot the system for the settings to take effect." 
+ "default": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.", + "check": "Verify all local files and directories on RHEL 8 have a valid group with\nthe following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n $ sudo find / -fstype xfs -nogroup\n\n If any files on the system do not have an assigned group, this is a finding.\n\n Note: Command may produce error messages from the /proc and /sys\ndirectories.", + "fix": "Either remove all files and directories from RHEL 8 that do not have a\nvalid group, or assign a valid group to all files and directories on the system\nwith the \"chgrp\" command:\n\n $ sudo chgrp " }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230495", - "rid": "SV-230495r942921_rule", - "stig_id": "RHEL-08-040022", - "fix_id": "F-33139r942920_fix", + "severity": "medium", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230327", + "rid": "SV-230327r627750_rule", + "stig_id": "RHEL-08-010790", + "fix_id": "F-32971r567728_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a" + "CM-6 b" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230495' do\n title 'RHEL 8 must disable the controller area network (CAN) protocol.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect unused protocols can result in a system compromise.\n\n The Controller Area Network (CAN) is a serial communications protocol,\nwhich was initially developed for automotive and is now also used in marine,\nindustrial, and medical applications. Disabling CAN protects the system against\nexploitation of any flaws in its implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the CAN protocol kernel module.\n\n $ sudo grep -r can /etc/modprobe.d/* | grep \"/bin/false\"\n install can /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the CAN protocol.\n\nCheck to see if the CAN protocol is disabled with the following command:\n\n $ sudo grep -r can /etc/modprobe.d/* | grep \"blacklist\"\n blacklist can\n\nIf the command does not return any output or the output is not \"blacklist can\", and use of the CAN protocol is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the CAN protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install can /bin/false\n blacklist can\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230495'\n tag rid: 'SV-230495r942921_rule'\n tag stig_id: 'RHEL-08-040022'\n tag fix_id: 'F-33139r942920_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n\n describe kernel_module('can') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control 'SV-230327' do\n title 'All RHEL 8 local files and directories must have a valid group owner.'\n desc 'Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.'\n desc 'check', 'Verify all local files and directories on RHEL 8 have a valid group with\nthe following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n $ sudo find / -fstype xfs -nogroup\n\n If any files on the system do not have an assigned group, this is a finding.\n\n Note: Command may produce error messages from the /proc and /sys\ndirectories.'\n desc 'fix', 'Either remove all files and directories from RHEL 8 that do not have a\nvalid group, or assign a valid group to all files and directories on the system\nwith the \"chgrp\" command:\n\n $ sudo chgrp '\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230327'\n tag rid: 'SV-230327r627750_rule'\n tag stig_id: 'RHEL-08-010790'\n tag fix_id: 'F-32971r567728_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. 
You must enable this control for a full accredidation for production.'\n end\n else\n\n failing_files = Set[]\n\n command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'')\n .stdout.strip.split(\"\\n\").each do |fs|\n failing_files += command(\"find / -xdev -xautofs -fstype #{fs} -nogroup\").stdout.strip.split(\"\\n\")\n end\n\n describe 'All files on RHEL 8' do\n it 'should have a group' do\n expect(failing_files).to be_empty, \"Files with no group:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230495.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230327.rb", "line": 1 }, - "id": "SV-230495" + "id": "SV-230327" }, { - "title": "The RHEL 8 /var/log directory must be owned by root.", - "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "title": "RHEL 8 must block unauthorized peripherals before establishing a\nconnection.", + "desc": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. 
It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", "descriptions": { - "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", - "check": "Verify the /var/log directory is owned by root with the following command:\n\n$ sudo stat -c \"%U\" /var/log\n\nroot\n\nIf \"root\" is not returned as a result, this is a finding.", - "fix": "Change the owner of the directory /var/log to root by running the following\ncommand:\n\n $ sudo chown root /var/log" + "default": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. 
The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", + "check": "Verify the USBGuard has a policy configured with the following command:\n\n $ sudo usbguard list-rules\n\n If the command does not return results or an error is returned, ask the SA\nto indicate how unauthorized peripherals are being blocked.\n\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.", + "fix": "Configure the operating system to enable the blocking of unauthorized\nperipherals with the following command:\n This command must be run from a root shell and will create an allow list\nfor any usb devices currently connect to the system.\n\n # usbguard generate-policy > /etc/usbguard/rules.conf\n\n Note: Enabling and starting usbguard without properly configuring it for an\nindividual system will immediately prevent any access over a usb device such as\na keyboard or mouse" }, "impact": 0.5, "refs": [ 
@@ -13602,34 +13606,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000206-GPOS-00084", - "gid": "V-230249", - "rid": "SV-230249r627750_rule", - "stig_id": "RHEL-08-010250", - "fix_id": "F-32893r567494_fix", + "gtitle": "SRG-OS-000378-GPOS-00163", + "gid": "V-230524", + "rid": "SV-230524r854065_rule", + "stig_id": "RHEL-08-040140", + "fix_id": "F-33168r744025_fix", "cci": [ - "CCI-001314" + "CCI-001958" ], "nist": [ - "SI-11 b" + "IA-3" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230249' do\n title 'The RHEL 8 /var/log directory must be owned by root.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. 
The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify the /var/log directory is owned by root with the following command:\n\n$ sudo stat -c \"%U\" /var/log\n\nroot\n\nIf \"root\" is not returned as a result, this is a finding.'\n desc 'fix', 'Change the owner of the directory /var/log to root by running the following\ncommand:\n\n $ sudo chown root /var/log'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000206-GPOS-00084'\n tag gid: 'V-230249'\n tag rid: 'SV-230249r627750_rule'\n tag stig_id: 'RHEL-08-010250'\n tag fix_id: 'F-32893r567494_fix'\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host'\n tag 'container'\n\n describe directory('/var/log') do\n it { should exist }\n it { should be_owned_by 'root' }\n end\nend\n", + "code": "control 'SV-230524' do\n title 'RHEL 8 must block unauthorized peripherals before establishing a\nconnection.'\n desc 'Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.'\n desc 'check', 'Verify the USBGuard has a policy configured with the following command:\n\n $ sudo usbguard list-rules\n\n If the command does not return results or an error is returned, ask the SA\nto indicate how unauthorized peripherals are being blocked.\n\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.'\n desc 'fix', 'Configure the operating system to enable the blocking of unauthorized\nperipherals with the following command:\n This command must be run from a root shell and will create an allow list\nfor any usb devices currently connect to the system.\n\n # usbguard generate-policy > /etc/usbguard/rules.conf\n\n Note: Enabling and starting usbguard without properly configuring it for an\nindividual system will immediately prevent any access over a usb device such as\na keyboard or mouse'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000378-GPOS-00163'\n tag gid: 'V-230524'\n tag rid: 'SV-230524r854065_rule'\n tag stig_id: 'RHEL-08-040140'\n tag fix_id: 'F-33168r744025_fix'\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n peripherals_package = input('peripherals_package')\n\n if peripherals_package != 'usbguard'\n describe 'Non-standard package' do\n it 'is handling peripherals' do\n expect(peripherals_package).to exist\n end\n end\n else\n describe command('usbguard list-rules') do\n its('stdout') { should_not be_empty }\n 
its('exit_status') { should eq 0 }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230249.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230524.rb", "line": 1 }, - "id": "SV-230249" + "id": "SV-230524" }, { - "title": "RHEL 8 must allocate audit record storage capacity to store at least\none week of audit records, when audit records are not immediately sent to a\ncentral audit record storage facility.", - "desc": "To ensure RHEL 8 systems have a sufficient storage capacity in which\nto write the audit logs, RHEL 8 needs to be able to allocate audit record\nstorage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of RHEL 8.", + "title": "A separate RHEL 8 filesystem must be used for the /tmp directory.", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "To ensure RHEL 8 systems have a sufficient storage capacity in which\nto write the audit logs, RHEL 8 needs to be able to allocate audit record\nstorage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of RHEL 8.", - "check": "Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nDetermine to which partition the audit records are being written with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command:\n\n$ sudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit records (/var/log/audit is a 
separate partition), determine the amount of space being used by other files in the partition with the following command:\n\n$ sudo du -sh [audit_partition]\n1.8G /var/log/audit\n\nIf the audit record partition is not allocated for sufficient storage capacity, this is a finding.\n\nNote: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient.", - "fix": "Allocate enough storage capacity for at least one week of audit records\nwhen audit records are not immediately sent to a central audit record storage\nfacility.\n\n If audit records are stored on a partition made specifically for audit\nrecords, resize the partition with sufficient space to contain one week of\naudit records.\n\n If audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient space will need be to be created." + "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "check": "Verify that a separate file system/partition has been created for\nnon-privileged local interactive user home directories.\n\n $ sudo grep /tmp /etc/fstab\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If a separate entry for the file system/partition \"/tmp\" does not exist,\nthis is a finding.", + "fix": "Migrate the \"/tmp\" directory onto a separate file\nsystem/partition." }, "impact": 0.5, "refs": [ 
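Review bot: In SV-230524's `Non-standard package` branch, `expect(peripherals_package).to exist` is applied to the `peripherals_package` input, which is a plain string; RSpec's `exist` matcher delegates to `exist?`/`exists?` on the receiver, so on a string this should raise rather than assert anything about the alternative package actually being present. The wording "is handling peripherals" suggests the intent was an installed-package check, i.e. `describe package(peripherals_package) do; it { should be_installed }; end`. Even with that fix, an installed package says nothing about an enforced blocking policy, so this branch is probably better expressed as a manual-review `skip "Verify #{peripherals_package} blocks unauthorized peripherals before connection"` than an automatic pass, which matches the STIG check text's "ask the SA to indicate how unauthorized peripherals are being blocked". The usbguard branch only confirms `usbguard list-rules` returns output and exits 0; it does not verify the usbguard service is enabled and active, though the quoted STIG check stops at the rule listing as well, so that may be deliberate.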
@@ -13639,33 +13642,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000341-GPOS-00132", - "gid": "V-230476", - "rid": "SV-230476r877391_rule", - "stig_id": "RHEL-08-030660", - "fix_id": "F-33120r568175_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230295", + "rid": "SV-230295r627750_rule", + "stig_id": "RHEL-08-010543", + "fix_id": "F-32939r567632_fix", "cci": [ - "CCI-001849" + "CCI-000366" ], "nist": [ - "AU-4" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230476' do\n title 'RHEL 8 must allocate audit record storage capacity to store at least\none week of audit records, when audit records are not immediately sent to a\ncentral audit record storage facility.'\n desc 'To ensure RHEL 8 systems have a sufficient storage capacity in which\nto write the audit logs, RHEL 8 needs to be able to allocate audit record\nstorage capacity.\n\n The task of allocating audit record storage capacity is usually performed\nduring initial installation of RHEL 8.'\n desc 'check', 'Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nDetermine to which partition the audit records are being written with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command:\n\n$ sudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command:\n\n$ sudo du -sh [audit_partition]\n1.8G /var/log/audit\n\nIf the audit record partition is not allocated for sufficient storage capacity, this is a finding.\n\nNote: 
The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient.'\n desc 'fix', 'Allocate enough storage capacity for at least one week of audit records\nwhen audit records are not immediately sent to a central audit record storage\nfacility.\n\n If audit records are stored on a partition made specifically for audit\nrecords, resize the partition with sufficient space to contain one week of\naudit records.\n\n If audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient space will need be to be created.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000341-GPOS-00132'\n tag gid: 'V-230476'\n tag rid: 'SV-230476r877391_rule'\n tag stig_id: 'RHEL-08-030660'\n tag fix_id: 'F-33120r568175_fix'\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_log_dir = command(\"dirname #{auditd_conf.log_file}\").stdout.strip\n\n describe file(audit_log_dir) do\n it { should exist }\n it { should be_directory }\n end\n\n # Fetch partition sizes in 1K blocks for consistency\n partition_info = command(\"df -B 1K #{audit_log_dir}\").stdout.split(\"\\n\")\n partition_sz_arr = partition_info.last.gsub(/\\s+/m, ' ').strip.split(' ')\n\n # Get unused space percentage\n percentage_space_unused = (100 - partition_sz_arr[4].to_i)\n\n describe \"auditd_conf's space_left threshold\" do\n it 'should be under the amount of space currently available (in 1K blocks) for the audit log directory' do\n expect(auditd_conf.space_left.to_i).to be <= percentage_space_unused\n end\n end\nend\n", + "code": "control 'SV-230295' do\n title 'A separate RHEL 8 filesystem must be used for the /tmp 
directory.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system/partition has been created for\nnon-privileged local interactive user home directories.\n\n $ sudo grep /tmp /etc/fstab\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If a separate entry for the file system/partition \"/tmp\" does not exist,\nthis is a finding.'\n desc 'fix', 'Migrate the \"/tmp\" directory onto a separate file\nsystem/partition.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230295'\n tag rid: 'SV-230295r627750_rule'\n tag stig_id: 'RHEL-08-010543'\n tag fix_id: 'F-32939r567632_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe mount('/tmp') do\n it { should be_mounted }\n end\n\n describe etc_fstab.where { mount_point == '/tmp' } do\n it { should exist }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230476.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230295.rb", "line": 1 }, - "id": "SV-230476" + "id": "SV-230295" }, { - "title": "RHEL 8 must enable a user session lock until that user re-establishes\naccess using established identification and authentication procedures for\ngraphical user sessions.", - "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock must remain in place 
until the user reauthenticates.\nNo other activity aside from reauthentication must unlock the system.", + "title": "RHEL 8 must disable core dump backtraces.", + "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock must remain in place until the user reauthenticates.\nNo other activity aside from reauthentication must unlock the system.", - "check": "Verify the operating system enables a user's session lock until that user\nre-establishes access using established identification and authentication\nprocedures with the following command:\n\n $ sudo gsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\n If the setting is \"false\", this is a finding.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.", - "fix": "Configure the operating system to enable a user's session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following example:\n\n $ sudo vi /etc/dconf/db/local.d/00-screensaver\n\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file\nand add or update the following lines:\n\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n\n Update the system databases:\n\n $ sudo dconf update" + "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.", + "check": "Verify the operating system disables core dump backtraces by issuing the\nfollowing command:\n\n $ sudo grep -i ProcessSizeMax /etc/systemd/coredump.conf\n\n ProcessSizeMax=0\n\n If the \"ProcessSizeMax\" item is missing, commented out, or the value is\nanything other than \"0\" and the need for core dumps is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement\nfor all domains that have the \"core\" item assigned, this is a finding.", + "fix": "Configure the operating system to disable core dump backtraces.\n\nAdd or modify the following line in /etc/systemd/coredump.conf:\n\nProcessSizeMax=0" }, "impact": 0.5, "refs": [ 
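Review bot: The `desc 'check'` text in SV-230295 says it verifies a separate partition for "non-privileged local interactive user home directories" while the title, example command and both describe blocks concern `/tmp`; this reads as text carried over from the /home control, and since it appears to be the verbatim DISA wording that must be kept for fidelity, a comment above the assertions would stop readers from doubting which path is being tested, e.g. `# STIG check text refers to home directories; this control verifies /tmp is a separate, persistently-mounted filesystem`. The two describe blocks cover distinct properties — `mount('/tmp')` shows the separation is in effect on the running system, `etc_fstab.where { mount_point == '/tmp' }` that it is configured to persist across reboot — and a one-line comment on each would make that split intentional rather than redundant-looking. Neither block checks mount options such as nodev/nosuid/noexec, which is consistent with those being separate STIG controls, but worth stating in a comment so nobody "fixes" it here. The `only_if` docker guard marks the control N/A in containers, which agrees with the `host` tag.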
@@ -13675,37 +13678,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000028-GPOS-00009", - "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000030-GPOS-00011" - ], - "gid": "V-230347", - "rid": "SV-230347r627750_rule", - "stig_id": "RHEL-08-020030", - "fix_id": "F-32991r567788_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230315", + "rid": "SV-230315r627750_rule", + "stig_id": "RHEL-08-010675", + "fix_id": "F-32959r567692_fix", "cci": [ - "CCI-000056" + "CCI-000366" ], + "legacy": [], "nist": [ - "AC-11 b" + "CM-6 b" ], "host": null }, - "code": "control 'SV-230347' do\n title 'RHEL 8 must enable a user session lock until that user re-establishes\naccess using established identification and authentication procedures for\ngraphical user sessions.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock must remain in place until the user reauthenticates.\nNo other activity aside from reauthentication must unlock the system.'\n desc 'check', %q(Verify the operating system enables a user's session lock until that user\nre-establishes access using established identification and authentication\nprocedures with the following command:\n\n $ sudo gsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\n If the setting is \"false\", this is a finding.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.)\n desc 'fix', %q(Configure the operating system to enable a user's session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following example:\n\n $ sudo vi /etc/dconf/db/local.d/00-screensaver\n\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file\nand add or update the following lines:\n\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n\n Update the system databases:\n\n $ sudo dconf update)\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-230347'\n tag rid: 'SV-230347r627750_rule'\n tag stig_id: 'RHEL-08-020030'\n tag fix_id: 'F-32991r567788_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout.strip') { should cmp 'true' }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-230315' do\n title 'RHEL 8 must disable core dump backtraces.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. 
They increase the risk to the platform by providing\nadditional attack vectors.\n\n A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data and is\ngenerally useful only for developers trying to debug problems.'\n desc 'check', 'Verify the operating system disables core dump backtraces by issuing the\nfollowing command:\n\n $ sudo grep -i ProcessSizeMax /etc/systemd/coredump.conf\n\n ProcessSizeMax=0\n\n If the \"ProcessSizeMax\" item is missing, commented out, or the value is\nanything other than \"0\" and the need for core dumps is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement\nfor all domains that have the \"core\" item assigned, this is a finding.'\n desc 'fix', 'Configure the operating system to disable core dump backtraces.\n\nAdd or modify the following line in /etc/systemd/coredump.conf:\n\nProcessSizeMax=0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230315'\n tag rid: 'SV-230315r627750_rule'\n tag stig_id: 'RHEL-08-010675'\n tag fix_id: 'F-32959r567692_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe parse_config_file('/etc/systemd/coredump.conf') do\n its('Coredump.ProcessSizeMax') { should cmp '0' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230347.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230315.rb", "line": 1 }, - "id": "SV-230347" + "id": "SV-230315" }, { - "title": "RHEL 8 must mount /var/log/audit with the nosuid option.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "title": "RHEL 8 must accept Personal Identity Verification (PIV) credentials.", + "desc": "The use of PIV credentials facilitates standardization and reduces the\n risk of unauthorized access.\n\n The DoD has mandated the use of the Common Access Card (CAC) to support\n identity management and personal authentication for systems covered under\n Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a\n primary component of layered protection for national security systems.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", - "check": "Verify \"/var/log/audit\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/var/log/audit is mounted without the \"nosuid\" option, this is a finding.", - "fix": "Configure the system so that /var/log/audit is mounted with the \"nosuid\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0" + "default": "The use of PIV 
credentials facilitates standardization and reduces the\n risk of unauthorized access.\n\n The DoD has mandated the use of the Common Access Card (CAC) to support\n identity management and personal authentication for systems covered under\n Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a\n primary component of layered protection for national security systems.", + "check": "Verify RHEL 8 accepts PIV credentials.\n\n Check that the \"opensc\" package is installed on the system with the\n following command:\n\n $ sudo yum list installed opensc\n\n opensc.x86_64 0.19.0-5.el8 @anaconda\n\n Check that \"opensc\" accepts PIV cards with the following command:\n\n $ sudo opensc-tool --list-drivers | grep -i piv\n\n PIV-II Personal Identity Verification Card\n\n If the \"opensc\" package is not installed and the \"opensc-tool\" driver\n list does not include \"PIV-II\", this is a finding.", + "fix": "Configure RHEL 8 to accept PIV credentials.\n\n Install the \"opensc\" package using the following command:\n\n $ sudo yum install opensc" }, "impact": 0.5, "refs": [ 
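Review bot: The new `describe parse_config_file('/etc/systemd/coredump.conf')` block in the `"code"` value for SV-230315 reads only the main file, so a drop-in under `/etc/systemd/coredump.conf.d/` that sets `ProcessSizeMax` to a non-zero value overrides it at runtime while the control still passes. Since this JSON is an export of `./Red Hat 8 STIG/controls/SV-230315.rb` (see `source_location`), the fix belongs in that control: evaluate the main file plus any `*.conf` drop-ins and assert that the last effective `Coredump.ProcessSizeMax` is `0`, rather than the main file alone. The ISSO-documented exception mentioned in the check text is not modeled, which fails closed and seems acceptable, but a short comment in the control such as `# No input models the ISSO-documented exception; any non-zero value is reported as a finding` would make that deliberate rather than an omission.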
@@ -13715,33 +13715,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", - "gid": "V-230518", - "rid": "SV-230518r854059_rule", - "stig_id": "RHEL-08-040130", - "fix_id": "F-33162r568301_fix", + "gtitle": "SRG-OS-000376-GPOS-00161", + "gid": "V-230275", + "rid": "SV-230275r854030_rule", + "stig_id": "RHEL-08-010410", + "fix_id": "F-32919r567572_fix", "cci": [ - "CCI-001764" + "CCI-001953" ], "nist": [ - "CM-7 (2)" + "IA-2 (12)" ], "host": null }, - "code": "control 'SV-230518' do\n title 'RHEL 8 must mount /var/log/audit with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/var/log/audit\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs\n(rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /var/log/audit:\n\n $ sudo cat /etc/fstab | grep /var/log/audit\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if\n/var/log/audit is mounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /var/log/audit is mounted with the \"nosuid\"\noption by adding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-var-log-audit /var/log/audit xfs\ndefaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230518'\n tag rid: 'SV-230518r854059_rule'\n tag stig_id: 'RHEL-08-040130'\n tag fix_id: 'F-33162r568301_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/var/log/audit'\n option = 'nosuid'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", + "code": "control 'SV-230275' do\n title 'RHEL 8 must accept Personal Identity Verification (PIV) credentials.'\n desc 'The use of PIV credentials facilitates standardization and reduces the\n risk of unauthorized access.\n\n The DoD 
has mandated the use of the Common Access Card (CAC) to support\n identity management and personal authentication for systems covered under\n Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a\n primary component of layered protection for national security systems.'\n desc 'check', 'Verify RHEL 8 accepts PIV credentials.\n\n Check that the \"opensc\" package is installed on the system with the\n following command:\n\n $ sudo yum list installed opensc\n\n opensc.x86_64 0.19.0-5.el8 @anaconda\n\n Check that \"opensc\" accepts PIV cards with the following command:\n\n $ sudo opensc-tool --list-drivers | grep -i piv\n\n PIV-II Personal Identity Verification Card\n\n If the \"opensc\" package is not installed and the \"opensc-tool\" driver\n list does not include \"PIV-II\", this is a finding.'\n desc 'fix', 'Configure RHEL 8 to accept PIV credentials.\n\n Install the \"opensc\" package using the following command:\n\n $ sudo yum install opensc'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000376-GPOS-00161'\n tag gid: 'V-230275'\n tag rid: 'SV-230275r854030_rule'\n tag stig_id: 'RHEL-08-010410'\n tag fix_id: 'F-32919r567572_fix'\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('smart_card_enabled')\n\n describe package('opensc') do\n it { should be_installed }\n end\n\n options = { assignment_regex: /^\\s*(\\S+)\\s+(.*)$/ }\n opensc = command('opensc-tool --list-drivers').stdout\n opensc_conf = parse_config(opensc, options)\n\n piv_driver = input('piv_driver')\n\n describe 'OpenSC drivers' do\n it \"should include '#{piv_driver}'\" do\n expect(opensc_conf.params.keys).to include(piv_driver), \"Missing '#{piv_driver}' in OpenSC driver list\"\n end\n end\n else\n impact 0.0\n describe 'The system is not utilizing smart card 
authentication' do\n skip 'The system is not utilizing smart card authentication, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230518.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230275.rb", "line": 1 }, - "id": "SV-230518" + "id": "SV-230275" }, { - "title": "The RHEL 8 fapolicy module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.", - "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", + "title": "RHEL 8 audit logs must be owned by root to prevent unauthorized read\naccess.", + "desc": "Only authorized personnel should be aware of errors and the details of\nthe errors. 
Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", "descriptions": { - "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", - "check": "Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\nFor RHEL 8.4 systems and older:\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nFor RHEL 8.5 systems and newer:\n$ sudo tail /etc/fapolicyd/compiled.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\nIf fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.", - "fix": "Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\".\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nFor RHEL 8.4 systems and older:\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny perm=any all : all\".\n\nFor RHEL 8.5 systems and newer:\nBuild the whitelist in a file within the \"/etc/fapolicyd/rules.d\" directory ensuring the last rule is \"deny perm=any all : all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0" + "default": "Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. 
Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the audit logs are owned by \"root\". First, determine where the\naudit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, determine if the audit log is\nowned by \"root\" using the following command:\n\n $ sudo ls -al /var/log/audit/audit.log\n\n rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log\n\n If the audit log is not owned by \"root\", this is a finding.", + "fix": "Configure the audit log to be protected from unauthorized read access, by\nsetting the correct owner as \"root\" with the following command:\n\n $ sudo chown root [audit_log_file]\n\n Replace \"[audit_log_file]\" to the correct audit log path, by default this\nlocation is \"/var/log/audit/audit.log\"." }, "impact": 0.5, "refs": [ 
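Review bot: In the new `"code"` for SV-230275 the `command('opensc-tool --list-drivers')` describe runs even when the preceding `describe package('opensc')` has already failed, so on a host without the package the report shows a second, misleading failure (`Missing 'PIV-II' in OpenSC driver list`) that points at drivers rather than at the missing package. Guarding the driver check with `if package('opensc').installed?` keeps the finding but makes the root cause clear; this JSON is an export, so the change belongs in `./Red Hat 8 STIG/controls/SV-230275.rb`. The `smart_card_enabled` and `piv_driver` inputs are defined outside this hunk, and the driver name presumably defaults to `PIV-II` as in the check text, which should be confirmed against the profile's inputs. Note also that the code makes the control Not Applicable when `smart_card_enabled` is false, which the STIG check text does not provide for; a comment stating that this is a deliberate profile-level exemption would help auditors reading the exported control.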
@@ -13751,37 +13751,40 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000368-GPOS-00154", + "gtitle": "SRG-OS-000057-GPOS-00027", "satisfies": [ - "SRG-OS-000368-GPOS-00154", - "SRG-OS-000370-GPOS-00155", - "SRG-OS-000480-GPOS-00232" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029", + "SRG-OS-000206-GPOS-00084" ], - "gid": "V-244546", - "rid": "SV-244546r858730_rule", - "stig_id": "RHEL-08-040137", - "fix_id": "F-47778r858729_fix", + "gid": "V-230397", + "rid": "SV-230397r627750_rule", + "stig_id": "RHEL-08-030080", + "fix_id": "F-33041r567938_fix", "cci": [ - "CCI-001764" + "CCI-000162" ], "nist": [ - "CM-7 (2)" - ] + "AU-9", + "AU-9 a" + ], + "host": null }, - "code": "control 'SV-244546' do\n title 'The RHEL 8 fapolicy module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". 
\"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.'\n desc 'check', 'Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\nFor RHEL 8.4 systems and older:\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nFor RHEL 8.5 systems and newer:\n$ sudo tail /etc/fapolicyd/compiled.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\nIf fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\".\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. 
Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nFor RHEL 8.4 systems and older:\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny perm=any all : all\".\n\nFor RHEL 8.5 systems and newer:\nBuild the whitelist in a file within the \"/etc/fapolicyd/rules.d\" directory ensuring the last rule is \"deny perm=any all : all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000370-GPOS-00155', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-244546'\n tag rid: 'SV-244546r858730_rule'\n tag stig_id: 'RHEL-08-040137'\n tag fix_id: 'F-47778r858729_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n\n # Check if the system is a Docker container or not using Fapolicyd\n if virtualization.system.eql?('docker') || !input('use_fapolicyd')\n impact 0.0\n describe 'Control not applicable' do\n skip 'The organization is not using the Fapolicyd service to manage firewall services, this control is Not Applicable' unless input('use_fapolicyd')\n skip 'Control not applicable within a container' if virtualization.system.eql?('docker')\n end\n else\n # Parse the fapolicyd configuration file\n fapolicyd_config = parse_config_file('/etc/fapolicyd/fapolicyd.conf')\n\n describe 'Fapolicyd configuration' do\n it 'permissive should not be commented out' do\n expect(fapolicyd_config.content).to match(/^permissive\\s*=\\s*0$/), 'permissive is commented out in the fapolicyd.conf file'\n end\n it 'should have permissive set to 0' do\n expect(fapolicyd_config.params['permissive']).to cmp '0'\n end\n end\n\n # Determine the rules file based on the OS release\n rules_file = 
os.release.to_f < 8.4 ? '/etc/fapolicyd/fapolicyd.rules' : '/etc/fapolicyd/compiled.rules'\n\n # Check if the rules file exists\n describe file(rules_file) do\n it { should exist }\n end\n\n # If the rules file exists, check the last rule\n if file(rules_file).exist?\n rules = file(rules_file).content.strip.split(\"\\n\")\n last_rule = rules.last\n\n describe 'Last rule in the rules file' do\n it { expect(last_rule).to cmp 'deny perm=any all : all' }\n end\n end\n end\nend\n", + "code": "control 'SV-230397' do\n title 'RHEL 8 audit logs must be owned by root to prevent unauthorized read\naccess.'\n desc \"Only authorized personnel should be aware of errors and the details of\nthe errors. Error messages are an indicator of an organization's operational\nstate or can identify the RHEL 8 system or platform. Additionally, Personally\nIdentifiable Information (PII) and operational information must not be revealed\nthrough error messages to unauthorized personnel or their designated\nrepresentatives.\n\n The structure and content of error messages must be carefully considered by\nthe organization and development team. The extent to which the information\nsystem is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.\"\n desc 'check', 'Verify the audit logs are owned by \"root\". 
First, determine where the\naudit logs are stored with the following command:\n\n $ sudo grep -iw log_file /etc/audit/auditd.conf\n\n log_file = /var/log/audit/audit.log\n\n Using the location of the audit log file, determine if the audit log is\nowned by \"root\" using the following command:\n\n $ sudo ls -al /var/log/audit/audit.log\n\n rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log\n\n If the audit log is not owned by \"root\", this is a finding.'\n desc 'fix', 'Configure the audit log to be protected from unauthorized read access, by\nsetting the correct owner as \"root\" with the following command:\n\n $ sudo chown root [audit_log_file]\n\n Replace \"[audit_log_file]\" to the correct audit log path, by default this\nlocation is \"/var/log/audit/audit.log\".'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029', 'SRG-OS-000206-GPOS-00084']\n tag gid: 'V-230397'\n tag rid: 'SV-230397r627750_rule'\n tag stig_id: 'RHEL-08-030080'\n tag fix_id: 'F-33041r567938_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n log_file = auditd_conf('/etc/audit/auditd.conf').log_file\n\n describe file(log_file) do\n its('owner') { should eq 'root' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244546.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230397.rb", "line": 1 }, - "id": "SV-244546" + "id": "SV-230397" }, { - "title": "RHEL 8 must not have any automated bug reporting tools installed.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. 
These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.", + "title": "RHEL 8 must implement smart card logon for multifactor authentication\nfor access to interactive accounts.", + "desc": "Using an authentication device, such as a Common Access Card (CAC) or\ntoken that is separate from the information system, ensures that even if the\ninformation system is compromised, that compromise will not affect credentials\nstored on the authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD CAC.\n\n There are various methods of implementing multifactor authentication for\nRHEL 8. Some methods include a local system multifactor account mapping or\njoining the system to a domain and utilizing a Red Hat idM server or Microsoft\nWindows Active Directory server. 
Any of these methods will require that the\nclient operating system handle the multifactor authentication correctly.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.", - "check": "Check to see if any automated bug reporting packages are installed with the\nfollowing command:\n\n $ sudo yum list installed abrt*\n\n If any automated bug reporting package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by\nremoving automated bug reporting packages from the system with the following\ncommand:\n\n $ sudo yum remove abrt*" + "default": "Using an authentication device, such as a Common Access Card (CAC) or\ntoken that is separate from the information system, ensures that even if the\ninformation system is compromised, that compromise will not affect credentials\nstored on the authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD CAC.\n\n There are various methods of implementing multifactor authentication for\nRHEL 8. Some methods include a local system multifactor account mapping or\njoining the system to a domain and utilizing a Red Hat idM server or Microsoft\nWindows Active Directory server. 
Any of these methods will require that the\nclient operating system handle the multifactor authentication correctly.", + "check": "Verify RHEL 8 uses multifactor authentication for local access to accounts.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the \"pam_cert_auth\" setting is set to \"true\" in the \"/etc/sssd/sssd.conf\" file.\n\nCheck that the \"try_cert_auth\" or \"require_cert_auth\" options are configured in both \"/etc/pam.d/system-auth\" and \"/etc/pam.d/smartcard-auth\" files with the following command:\n\n $ sudo grep -ir cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/pam.d/*\n /etc/sssd/sssd.conf:pam_cert_auth = True\n /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth\n /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth\n\nIf \"pam_cert_auth\" is not set to \"true\" in \"/etc/sssd/sssd.conf\", this is a finding.\n\nIf \"pam_sss.so\" is not set to \"try_cert_auth\" or \"require_cert_auth\" in both the \"/etc/pam.d/smartcard-auth\" and \"/etc/pam.d/system-auth\" files, this is a finding.", + "fix": "Configure RHEL 8 to use multifactor authentication for local access to\naccounts.\n\n Add or update the \"pam_cert_auth\" setting in the \"/etc/sssd/sssd.conf\"\nfile to match the following line:\n\n [pam]\n pam_cert_auth = True\n\n Add or update \"pam_sss.so\" with \"try_cert_auth\" or\n\"require_cert_auth\" in the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/smartcard-auth\" files based on the following examples:\n\n /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth\n\n /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore\nignore=ignore default=die] pam_sss.so try_cert_auth\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service" }, "impact": 0.5, "refs": [ 
@@ -13791,110 +13794,117 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230488", - "rid": "SV-230488r627750_rule", - "stig_id": "RHEL-08-040001", - "fix_id": "F-33132r568211_fix", + "gtitle": "SRG-OS-000105-GPOS-00052", + "satisfies": [ + "SRG-OS-000105-GPOS-00052", + "SRG-OS-000106-GPOS-00053", + "SRG-OS-000107-GPOS-00054", + "SRG-OS-000108-GPOS-00055" + ], + "gid": "V-230372", + "rid": "SV-230372r942945_rule", + "stig_id": "RHEL-08-020250", + "fix_id": "F-33016r942944_fix", "cci": [ - "CCI-000381" + "CCI-000765" ], "nist": [ - "CM-7 a" + "IA-2 (1)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230488' do\n title 'RHEL 8 must not have any automated bug reporting tools installed.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.\n\n Verify the operating system is configured to disable non-essential\ncapabilities. 
The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.'\n desc 'check', 'Check to see if any automated bug reporting packages are installed with the\nfollowing command:\n\n $ sudo yum list installed abrt*\n\n If any automated bug reporting package is installed, this is a finding.'\n desc 'fix', 'Configure the operating system to disable non-essential capabilities by\nremoving automated bug reporting packages from the system with the following\ncommand:\n\n $ sudo yum remove abrt*'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230488'\n tag rid: 'SV-230488r627750_rule'\n tag stig_id: 'RHEL-08-040001'\n tag fix_id: 'F-33132r568211_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n tag 'container'\n\n describe packages(/abrt/) do\n its('statuses') { should_not cmp 'installed' }\n end\nend\n", + "code": "control 'SV-230372' do\n title 'RHEL 8 must implement smart card logon for multifactor authentication\nfor access to interactive accounts.'\n desc 'Using an authentication device, such as a Common Access Card (CAC) or\ntoken that is separate from the information system, ensures that even if the\ninformation system is compromised, that compromise will not affect credentials\nstored on the authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD CAC.\n\n There are various methods of implementing multifactor authentication for\nRHEL 8. Some methods include a local system multifactor account mapping or\njoining the system to a domain and utilizing a Red Hat idM server or Microsoft\nWindows Active Directory server. 
Any of these methods will require that the\nclient operating system handle the multifactor authentication correctly.'\n desc 'check', 'Verify RHEL 8 uses multifactor authentication for local access to accounts.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the \"pam_cert_auth\" setting is set to \"true\" in the \"/etc/sssd/sssd.conf\" file.\n\nCheck that the \"try_cert_auth\" or \"require_cert_auth\" options are configured in both \"/etc/pam.d/system-auth\" and \"/etc/pam.d/smartcard-auth\" files with the following command:\n\n $ sudo grep -ir cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/pam.d/*\n /etc/sssd/sssd.conf:pam_cert_auth = True\n /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth\n /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth\n\nIf \"pam_cert_auth\" is not set to \"true\" in \"/etc/sssd/sssd.conf\", this is a finding.\n\nIf \"pam_sss.so\" is not set to \"try_cert_auth\" or \"require_cert_auth\" in both the \"/etc/pam.d/smartcard-auth\" and \"/etc/pam.d/system-auth\" files, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use multifactor authentication for local access to\naccounts.\n\n Add or update the \"pam_cert_auth\" setting in the \"/etc/sssd/sssd.conf\"\nfile to match the following line:\n\n [pam]\n pam_cert_auth = True\n\n Add or update \"pam_sss.so\" with \"try_cert_auth\" or\n\"require_cert_auth\" in the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/smartcard-auth\" files based on the following examples:\n\n /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth\n\n /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore\nignore=ignore default=die] pam_sss.so try_cert_auth\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000105-GPOS-00052'\n tag satisfies: ['SRG-OS-000105-GPOS-00052', 'SRG-OS-000106-GPOS-00053', 'SRG-OS-000107-GPOS-00054', 'SRG-OS-000108-GPOS-00055']\n tag gid: 'V-230372'\n tag rid: 'SV-230372r942945_rule'\n tag stig_id: 'RHEL-08-020250'\n tag fix_id: 'F-33016r942944_fix'\n tag cci: ['CCI-000765']\n tag nist: ['IA-2 (1)']\n tag 'host'\n\n only_if('If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.', impact: 0.0) {\n input('smart_card_enabled')\n }\n\n sssd_conf_files = input('sssd_conf_files')\n sssd_conf_contents = ini({ command: \"cat #{input('sssd_conf_files').join(' ')}\" })\n\n pam_auth_files = input('pam_auth_files')\n\n describe 'SSSD' do\n it 'should be installed and enabled' do\n expect(service('sssd')).to be_installed.and be_enabled\n expect(sssd_conf_contents.params).to_not be_empty, \"SSSD configuration files not found or have no content; files checked:\\n\\t- #{sssd_conf_files.join(\"\\n\\t- \")}\"\n end\n if sssd_conf_contents.params.nil?\n it 'should configure pam_cert_auth' do\n expect(sssd_conf_contents.sssd.pam_cert_auth).to eq(true)\n end\n end\n end\n\n [pam_auth_files['system-auth'], pam_auth_files['smartcard-auth']].each do |path|\n describe pam(path) do\n its('lines') { should match_pam_rule('.* .* pam_sss.so (try_cert_auth|require_cert_auth)') }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230488.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230372.rb", "line": 1 }, - "id": "SV-230488" + "id": "SV-230372" }, { - "title": "RHEL 8 must disable IEEE 1394 (FireWire) Support.", - "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission 
objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time\ncommunication. Disabling FireWire protects the system against exploitation of\nany flaws in its implementation.", + "title": "The RHEL 8 fapolicy module must be installed.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", "descriptions": { - "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. 
These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time\ncommunication. Disabling FireWire protects the system against exploitation of\nany flaws in its implementation.", - "check": "Verify the operating system disables the ability to load the firewire-core kernel module.\n\n $ sudo grep -r firewire-core /etc/modprobe.d/* | grep \"/bin/false\"\n install firewire-core /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the firewire-core protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the firewire-core kernel module.\n\nCheck to see if the firewire-core kernel module is disabled with the following command:\n\n $ sudo grep -r firewire-core /etc/modprobe.d/* | grep \"blacklist\"\n blacklist firewire-core\n\nIf the command does not return any output or the output is not \"blacklist firewire-core\", and use of the firewire-core kernel module is not documented with the ISSO as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the firewire-core kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install firewire-core /bin/false\n blacklist firewire-core\n\nReboot the system for the settings to take effect." + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", + "check": "Verify the RHEL 8 \"fapolicyd\" is installed.\n\nCheck that \"fapolicyd\" is installed with the following command:\n\n$ sudo yum list installed fapolicyd\n\nInstalled Packages\nfapolicyd.x86_64\n\nIf fapolicyd is not installed, this is a finding.", + "fix": "Install \"fapolicyd\" with the following command:\n\n$ sudo yum install fapolicyd.x86_64" }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", - "gtitle": "SRG-OS-000095-GPOS-00049", - "gid": "V-230499", - "rid": "SV-230499r942933_rule", - "stig_id": "RHEL-08-040026", - "fix_id": "F-33143r942932_fix", + "severity": "medium", + "gtitle": "SRG-OS-000368-GPOS-00154", + "satisfies": [ + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000370-GPOS-00155", + "SRG-OS-000480-GPOS-00232" + ], + "gid": "V-230523", + "rid": "SV-230523r854064_rule", + "stig_id": "RHEL-08-040135", + "fix_id": "F-33167r744022_fix", "cci": [ - "CCI-000381" + "CCI-001764" ], "nist": [ - "CM-7 a" + "CM-7 (2)" ], "host": null }, - "code": "control 'SV-230499' do\n title 'RHEL 8 must disable IEEE 1394 (FireWire) Support.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time\ncommunication. 
Disabling FireWire protects the system against exploitation of\nany flaws in its implementation.'\n desc 'check', 'Verify the operating system disables the ability to load the firewire-core kernel module.\n\n $ sudo grep -r firewire-core /etc/modprobe.d/* | grep \"/bin/false\"\n install firewire-core /bin/false\n\nIf the command does not return any output, or the line is commented out, and use of the firewire-core protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the firewire-core kernel module.\n\nCheck to see if the firewire-core kernel module is disabled with the following command:\n\n $ sudo grep -r firewire-core /etc/modprobe.d/* | grep \"blacklist\"\n blacklist firewire-core\n\nIf the command does not return any output or the output is not \"blacklist firewire-core\", and use of the firewire-core kernel module is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the ability to use the firewire-core kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\n install firewire-core /bin/false\n blacklist firewire-core\n\nReboot the system for the settings to take effect.'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag gid: 'V-230499'\n tag rid: 'SV-230499r942933_rule'\n tag stig_id: 'RHEL-08-040026'\n tag fix_id: 'F-33143r942932_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe kernel_module('firewire_core') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\nend\n", + "code": "control 'SV-230523' do\n title 'The RHEL 8 fapolicy module must be 
installed.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.'\n desc 'check', 'Verify the RHEL 8 \"fapolicyd\" is installed.\n\nCheck that \"fapolicyd\" is installed with the following command:\n\n$ sudo yum list installed fapolicyd\n\nInstalled Packages\nfapolicyd.x86_64\n\nIf fapolicyd is not installed, this is a finding.'\n desc 'fix', 'Install \"fapolicyd\" with the following command:\n\n$ sudo yum install fapolicyd.x86_64'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000370-GPOS-00155', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-230523'\n tag rid: 'SV-230523r854064_rule'\n tag stig_id: 'RHEL-08-040135'\n tag fix_id: 'F-33167r744022_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if !input('use_fapolicyd')\n impact 0.0\n describe 'The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable' do\n skip 'The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable'\n end\n else\n describe package('fapolicyd') do\n it { should be_installed }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230499.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230523.rb", "line": 1 }, - "id": "SV-230499" + "id": "SV-230523" }, { - "title": "The RHEL 8 audit system must be configured to audit the execution of\nprivileged functions and prevent all software from executing at higher\nprivilege levels than users executing the software.", - "desc": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and 
ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", + "title": "RHEL 8 must not allow accounts configured with blank or null\npasswords.", + "desc": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", "descriptions": { - "default": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", - "check": "Verify RHEL 8 audits the execution of privileged functions.\n\n Check if RHEL 8 is configured to audit the execution of the \"execve\"\nsystem call, by running the following command:\n\n $ sudo grep execve /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\n If the command does not return all lines, or the lines are commented out,\nthis is a finding.", - "fix": "Configure RHEL 8 to audit the execution of the \"execve\" system call.\n\n Add or update the following file system rules to\n\"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n\n -a always,exit -F arch=b32 -S execve -C 
gid!=egid -F egid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\n The audit daemon must be restarted for the changes to take effect." + "default": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", + "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitemptypasswords'\n\nPermitEmptyPasswords no\n\nIf \"PermitEmptyPasswords\" is set to \"yes\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Edit the following line in \"etc/ssh/sshd_config\" to prevent logons with\nempty passwords.\n\n PermitEmptyPasswords no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000326-GPOS-00126", - "satisfies": [ - "SRG-OS-000326-GPOS-00126", - "SRG-OS-000327-GPOS-00127" - ], - "gid": "V-230386", - "rid": "SV-230386r854037_rule", - "stig_id": "RHEL-08-030000", - "fix_id": "F-33030r567905_fix", + "severity": "high", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230380", + "rid": "SV-230380r951612_rule", + "stig_id": "RHEL-08-020330", + "fix_id": "F-33024r743992_fix", "cci": [ - "CCI-002233" + "CCI-000366" ], "nist": [ - "AC-6 (8)" + "CM-6 b" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-230386' do\n title 'The RHEL 8 audit system must be configured to audit the execution of\nprivileged functions and prevent all software from executing at higher\nprivilege levels than users executing the 
software.'\n desc 'Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.'\n desc 'check', 'Verify RHEL 8 audits the execution of privileged functions.\n\n Check if RHEL 8 is configured to audit the execution of the \"execve\"\nsystem call, by running the following command:\n\n $ sudo grep execve /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\n If the command does not return all lines, or the lines are commented out,\nthis is a finding.'\n desc 'fix', 'Configure RHEL 8 to audit the execution of the \"execve\" system call.\n\n Add or update the following file system rules to\n\"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000326-GPOS-00126'\n tag satisfies: ['SRG-OS-000326-GPOS-00126', 'SRG-OS-000327-GPOS-00127']\n tag gid: 'V-230386'\n tag rid: 'SV-230386r854037_rule'\n tag stig_id: 'RHEL-08-030000'\n tag fix_id: 'F-33030r567905_fix'\n tag cci: ['CCI-002233']\n tag 
nist: ['AC-6 (8)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_syscalls = ['execve']\n\n describe 'Syscall' do\n audit_syscalls.each do |audit_syscall|\n it \"#{audit_syscall} is audited properly\" do\n audit_rule = auditd.syscall(audit_syscall)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n if os.arch.match(/64/)\n expect(audit_rule.arch.uniq).to include('b32', 'b64')\n else\n expect(audit_rule.arch.uniq).to cmp 'b32'\n end\n expect(audit_rule.fields.flatten).to include('uid!=euid', 'gid!=egid', 'euid=0', 'egid=0')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall])\n end\n end\n end\nend\n", + "code": "control 'SV-230380' do\n title 'RHEL 8 must not allow accounts configured with blank or null\npasswords.'\n desc 'If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.'\n desc 'check', %q(To verify that null passwords cannot be used, run the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitemptypasswords'\n\nPermitEmptyPasswords no\n\nIf \"PermitEmptyPasswords\" is set to \"yes\", this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Edit the following line in \"etc/ssh/sshd_config\" to prevent logons with\nempty passwords.\n\n PermitEmptyPasswords no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230380'\n tag rid: 'SV-230380r951612_rule'\n tag stig_id: 'RHEL-08-020330'\n tag fix_id: 'F-33024r743992_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n if virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_active_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230386.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230380.rb", "line": 1 }, - "id": "SV-230386" + "id": "SV-230380" }, { - "title": "RHEL 8 operating systems must require authentication upon booting into\nemergency mode.", - "desc": "If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.", + "title": "RHEL 8 must use a separate file system for /var/tmp.", + "desc": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", "descriptions": { - "default": "If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.", - "check": "Check to see if the system requires authentication for emergency mode with\nthe following command:\n\n $ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service\n\n 
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency\n\n If the \"ExecStart\" line is configured for anything other than\n\"/usr/lib/systemd/systemd-sulogin-shell emergency\", commented out, or\nmissing, this is a finding.", - "fix": "Configure the system to require authentication upon booting into emergency\nmode by adding the following line to the\n\"/usr/lib/systemd/system/emergency.service\" file.\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" + "default": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "check": "Verify that a separate file system has been created for \"/var/tmp\".\n\nCheck that a file system has been created for \"/var/tmp\" with the following command:\n\n $ sudo grep /var/tmp /etc/fstab\n\n /dev/mapper/... /var/tmp xfs defaults,nodev,noexec,nosuid 0 0\n\nIf a separate entry for \"/var/tmp\" is not in use, this is a finding.", + "fix": "Migrate the \"/var/tmp\" path onto a separate file system." }, "impact": 0.5, "refs": [ 
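Review bot: In the new SV-230372 `code` string the `pam_cert_auth` assertion is registered only when `sssd_conf_contents.params.nil?`, so on a host whose sssd.conf was read successfully the `[pam] pam_cert_auth = True` requirement is never asserted and the control passes as long as sssd is enabled and a `pam_sss.so try_cert_auth` PAM line exists; the guard should be `unless sssd_conf_contents.params.nil?` (or `if sssd_conf_contents.params`). Two further points are worth verifying against the InSpec `ini` resource: the lookup walks the `sssd` section (`sssd_conf_contents.sssd.pam_cert_auth`) while the check and fix text place the key under `[pam]`, and ini values are presumably read as strings, so `eq(true)` may never match `True` even once the guard is inverted. The SV-230523 skip text in the same hunk says the daemon is used "to manage firewall servies", which is both a typo and not what fapolicyd does; `'The organization is not using the fapolicyd service, this control is Not Applicable'` would be accurate. This JSON looks like an `inspec json` export, so the fixes belong in the referenced `./Red Hat 8 STIG/controls/SV-230372.rb` and `SV-230523.rb` sources with the baseline regenerated, rather than hand-edited here.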
@@ -13904,33 +13914,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-244523", - "rid": "SV-244523r743818_rule", - "stig_id": "RHEL-08-010152", - "fix_id": "F-47755r743817_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-244529", + "rid": "SV-244529r902737_rule", + "stig_id": "RHEL-08-010544", + "fix_id": "F-47761r743835_fix", "cci": [ - "CCI-000213" + "CCI-000366" ], "nist": [ - "AC-3" + "CM-6 b" ], "host": null }, - "code": "control 'SV-244523' do\n title 'RHEL 8 operating systems must require authentication upon booting into\nemergency mode.'\n desc 'If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.'\n desc 'check', 'Check to see if the system requires authentication for emergency mode with\nthe following command:\n\n $ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency\n\n If the \"ExecStart\" line is configured for anything other than\n\"/usr/lib/systemd/systemd-sulogin-shell emergency\", commented out, or\nmissing, this is a finding.'\n desc 'fix', 'Configure the system to require authentication upon booting into emergency\nmode by adding the following line to the\n\"/usr/lib/systemd/system/emergency.service\" file.\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-244523'\n tag rid: 'SV-244523r743818_rule'\n tag stig_id: 'RHEL-08-010152'\n tag fix_id: 'F-47755r743817_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe service('emergency') do\n its('params.ExecStart') { 
should include '/usr/lib/systemd/systemd-sulogin-shell emergency' }\n end\nend\n", + "code": "control 'SV-244529' do\n title 'RHEL 8 must use a separate file system for /var/tmp.'\n desc 'The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.'\n desc 'check', 'Verify that a separate file system has been created for \"/var/tmp\".\n\nCheck that a file system has been created for \"/var/tmp\" with the following command:\n\n $ sudo grep /var/tmp /etc/fstab\n\n /dev/mapper/... /var/tmp xfs defaults,nodev,noexec,nosuid 0 0\n\nIf a separate entry for \"/var/tmp\" is not in use, this is a finding.'\n desc 'fix', 'Migrate the \"/var/tmp\" path onto a separate file system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244529'\n tag rid: 'SV-244529r902737_rule'\n tag stig_id: 'RHEL-08-010544'\n tag fix_id: 'F-47761r743835_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe etc_fstab.where { mount_point == '/var/tmp' } do\n it { should exist }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244523.rb", + "ref": "./Red Hat 8 STIG/controls/SV-244529.rb", "line": 1 }, - "id": "SV-244523" + "id": "SV-244529" }, { - "title": "RHEL 8 passwords must have a minimum of 15 characters.", - "desc": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. 
Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\n The \"minlen\", sometimes noted as minimum length, acts as a \"score\" of\ncomplexity based on the credit components of the \"pwquality\" module. By\nsetting the credit components to a negative value, not only will those\ncomponents be required, they will not count towards the total \"score\" of\n\"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\n The DoD minimum password requirement is 15 characters.", + "title": "RHEL 8 Bluetooth must be disabled.", + "desc": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. 
Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", "descriptions": { - "default": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\n The \"minlen\", sometimes noted as minimum length, acts as a \"score\" of\ncomplexity based on the credit components of the \"pwquality\" module. By\nsetting the credit components to a negative value, not only will those\ncomponents be required, they will not count towards the total \"score\" of\n\"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\n The DoD minimum password requirement is 15 characters.", - "check": "Verify the operating system enforces a minimum 15-character password length. 
The \"minlen\" option sets the minimum number of characters in a new password.\n\nCheck for the value of the \"minlen\" option with the following command:\n\n$ sudo grep -r minlen /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:minlen = 15\n\nIf the command does not return a \"minlen\" value of 15 or greater, this is a finding.\nIf conflicting results are returned, this is a finding.", - "fix": "Configure operating system to enforce a minimum 15-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = 15\n\nRemove any configurations that conflict with the above value." + "default": "Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. 
Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.", + "check": "If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision.\n\nDetermine if Bluetooth is disabled with the following command:\n\n $ sudo grep bluetooth /etc/modprobe.d/*\n /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/false\n\nIf the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the operating system disables the ability to use Bluetooth with the following command:\n\n $ sudo grep -r bluetooth /etc/modprobe.d | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist bluetooth\n\nIf the command does not return any output or the output is not \"blacklist bluetooth\", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the Bluetooth adapter when not in use.\n\nBuild or modify the \"/etc/modprobe.d/bluetooth.conf\" file with the following line:\n\n install bluetooth /bin/false\n\nDisable the ability to use the Bluetooth kernel module.\n\n $ sudo vi /etc/modprobe.d/blacklist.conf\n\nAdd or update 
the line:\n\n blacklist bluetooth\n\nReboot the system for the settings to take effect." }, "impact": 0.5, "refs": [ 
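Review bot: The SV-244529 test at the end of the `code` string, `describe etc_fstab.where { mount_point == '/var/tmp' } do it { should exist } end`, only proves that an fstab line exists, not that /var/tmp is currently a separate mount, so a stale or mis-typed entry could pass while /var/tmp still sits on the root filesystem. Adding `describe mount('/var/tmp') do it { should be_mounted } end` alongside the fstab check would close that gap. The check text quotes `nodev,noexec,nosuid` in its example output but the test does not assert those options; whether a separate control covers them is not visible here, so at minimum a comment in the control should state that only filesystem separation is tested. The control object for SV-244529 begins in the previous hunk (its title and desc), and SV-230507, whose title and descriptions start here, continues in the next hunk.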
@@ -13940,34 +13950,33 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000078-GPOS-00046", - "gid": "V-230369", - "rid": "SV-230369r858785_rule", - "stig_id": "RHEL-08-020230", - "fix_id": "F-33013r858784_fix", + "gtitle": "SRG-OS-000300-GPOS-00118", + "gid": "V-230507", + "rid": "SV-230507r942939_rule", + "stig_id": "RHEL-08-040111", + "fix_id": "F-33151r942938_fix", "cci": [ - "CCI-000205" + "CCI-001443" ], "nist": [ - "IA-5 (1) (a)" + "AC-18 (1)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230369' do\n title 'RHEL 8 passwords must have a minimum of 15 characters.'\n desc 'The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nincrease exponentially the time and/or resources required to compromise the\npassword.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\n The \"minlen\", sometimes noted as minimum length, acts as a \"score\" of\ncomplexity based on the credit components of the \"pwquality\" module. By\nsetting the credit components to a negative value, not only will those\ncomponents be required, they will not count towards the total \"score\" of\n\"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\n The DoD minimum password requirement is 15 characters.'\n desc 'check', 'Verify the operating system enforces a minimum 15-character password length. 
The \"minlen\" option sets the minimum number of characters in a new password.\n\nCheck for the value of the \"minlen\" option with the following command:\n\n$ sudo grep -r minlen /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:minlen = 15\n\nIf the command does not return a \"minlen\" value of 15 or greater, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure operating system to enforce a minimum 15-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = 15\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000078-GPOS-00046'\n tag gid: 'V-230369'\n tag rid: 'SV-230369r858785_rule'\n tag stig_id: 'RHEL-08-020230'\n tag fix_id: 'F-33013r858784_fix'\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag 'host'\n tag 'container'\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('minlen.to_i') { should cmp >= input('pass_min_len') }\n end\nend\n", + "code": "control 'SV-230507' do\n title 'RHEL 8 Bluetooth must be disabled.'\n desc 'Without protection of communications with wireless peripherals,\nconfidentiality and integrity may be compromised because unprotected\ncommunications can be intercepted and either read, altered, or used to\ncompromise the RHEL 8 operating system.\n\n This requirement applies to wireless peripheral technologies (e.g.,\nwireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless\nperipherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and\nNear Field Communications [NFC]) present a unique challenge by creating an\nopen, unsecured port on a computer. Wireless peripherals must meet DoD\nrequirements for wireless data transmission and be approved for use by the\nAuthorizing Official (AO). 
Even though some wireless peripherals, such as mice\nand pointing devices, do not ordinarily carry information that need to be\nprotected, modification of communications with these wireless peripherals may\nbe used to compromise the RHEL 8 operating system. Communication paths outside\nthe physical protection of a controlled boundary are exposed to the possibility\nof interception and modification.\n\n Protecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing\nphysical barriers to wireless radio frequencies) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are\nemployed, then logical means (cryptography) do not have to be employed, and\nvice versa. If the wireless peripheral is only passing telemetry data,\nencryption of the data may not be required.'\n desc 'check', 'If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision.\n\nDetermine if Bluetooth is disabled with the following command:\n\n $ sudo grep bluetooth /etc/modprobe.d/*\n /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/false\n\nIf the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the operating system disables the ability to use Bluetooth with the following command:\n\n $ sudo grep -r bluetooth /etc/modprobe.d | grep -i \"blacklist\" | grep -v \"^#\"\n blacklist bluetooth\n\nIf the command does not return any output or the output is not \"blacklist bluetooth\", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the Bluetooth 
adapter when not in use.\n\nBuild or modify the \"/etc/modprobe.d/bluetooth.conf\" file with the following line:\n\n install bluetooth /bin/false\n\nDisable the ability to use the Bluetooth kernel module.\n\n $ sudo vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\n blacklist bluetooth\n\nReboot the system for the settings to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000300-GPOS-00118'\n tag gid: 'V-230507'\n tag rid: 'SV-230507r942939_rule'\n tag stig_id: 'RHEL-08-040111'\n tag fix_id: 'F-33151r942938_fix'\n tag cci: ['CCI-001443']\n tag nist: ['AC-18 (1)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if input('bluetooth_installed')\n describe kernel_module('bluetooth') do\n it { should be_disabled }\n it { should be_blacklisted }\n end\n else\n impact 0.0\n describe 'Device or operating system does not have a Bluetooth adapter installed' do\n skip 'If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230369.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230507.rb", "line": 1 }, - "id": "SV-230369" + "id": "SV-230507" }, { - "title": "The RHEL 8 file integrity tool must notify the system administrator\nwhen changes to the baseline configuration or anomalies in the operation of any\nsecurity functions are discovered within an organizationally defined frequency.", - "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.\n\nRHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check.", + "title": "RHEL 8 must require the change of at least four character classes when passwords are changed.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"minclass\" option sets the minimum number of required classes\nof characters for the new password (digits, uppercase, lowercase, others).", "descriptions": { - "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.\n\nRHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. 
Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check.", - "check": "Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered.\n\nCheck that RHEL 8 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands:\n\n $ sudo ls -al /etc/cron.* | grep aide\n\n -rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n $ sudo grep aide /etc/crontab /var/spool/cron/root\n\n /etc/crontab: 30 04 * * * root /usr/sbin/aide\n /var/spool/cron/root: 30 04 * * * root /usr/sbin/aide\n\n $ sudo more /etc/cron.daily/aide\n\n #!/bin/bash\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.", - "fix": "Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. 
It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n $ sudo more /etc/cron.daily/aide\n\n #!/bin/bash\n\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nNote: Per requirement RHEL-08-010358, the \"mailx\" package must be installed on the system to enable email functionality." + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"minclass\" option sets the minimum number of required classes\nof characters for the new password (digits, uppercase, lowercase, others).", + "check": "Verify the value of the \"minclass\" option with the following command:\n\n$ sudo grep -r minclass /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:minclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to require the change of at least four character classes when passwords are changed by setting the \"minclass\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nminclass = 4\n\nRemove any configurations that conflict with the above value." }, "impact": 0.5, "refs": [ 
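Review bot: In the SV-230507 `code` string the not-applicable branch is decided purely by `input('bluetooth_installed')`; when that input is false the control drops to `impact 0.0` and skips without inspecting the host, so a wrong or defaulted input silently removes the Bluetooth check from the report. The input's default is not visible in this hunk; it should fail closed (default `true`, so the `kernel_module('bluetooth')` checks run unless an operator explicitly asserts that no adapter is present), and the skip message should name the input so a reader of the results can see why the control was waived. A short comment above the `if input('bluetooth_installed')` line stating that the input is an operator attestation, not a hardware probe, would make that contract explicit. Separately, the SV-230362 fix text in this hunk reads `\"/etc/security/pwquality.conf conf\"` with a stray `conf`; if this JSON is exported from the `.rb` controls under `./Red Hat 8 STIG/controls/`, the typo should be corrected in that source file rather than in this export. Both control objects span hunk boundaries: SV-230507's title and descriptions are in the previous hunk, and SV-230362's tags and code are in the next.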
@@ -13977,38 +13986,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000363-GPOS-00150", - "satisfies": [ - "SRG-OS-000363-GPOS-00150", - "SRG-OS-000446-GPOS-00200", - "SRG-OS-000447-GPOS-00201" - ], - "gid": "V-230263", - "rid": "SV-230263r902716_rule", - "stig_id": "RHEL-08-010360", - "fix_id": "F-32907r902715_fix", + "gtitle": "SRG-OS-000072-GPOS-00040", + "gid": "V-230362", + "rid": "SV-230362r858781_rule", + "stig_id": "RHEL-08-020160", + "fix_id": "F-33006r858780_fix", "cci": [ - "CCI-001744" + "CCI-000195" ], "nist": [ - "CM-3 (5)" + "IA-5 (1) (b)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230263' do\n title 'The RHEL 8 file integrity tool must notify the system administrator\nwhen changes to the baseline configuration or anomalies in the operation of any\nsecurity functions are discovered within an organizationally defined frequency.'\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. 
The organization may choose to shut down or restart the information system upon security function anomaly detection.\n\nRHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check.\"\n desc 'check', 'Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered.\n\nCheck that RHEL 8 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for scripts controlling the execution and notification of results of the file integrity application. 
For example, if AIDE is installed on the system, use the following commands:\n\n $ sudo ls -al /etc/cron.* | grep aide\n\n -rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n $ sudo grep aide /etc/crontab /var/spool/cron/root\n\n /etc/crontab: 30 04 * * * root /usr/sbin/aide\n /var/spool/cron/root: 30 04 * * * root /usr/sbin/aide\n\n $ sudo more /etc/cron.daily/aide\n\n #!/bin/bash\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.'\n desc 'fix', 'Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. 
It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n $ sudo more /etc/cron.daily/aide\n\n #!/bin/bash\n\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nNote: Per requirement RHEL-08-010358, the \"mailx\" package must be installed on the system to enable email functionality.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000363-GPOS-00150'\n tag satisfies: ['SRG-OS-000363-GPOS-00150', 'SRG-OS-000446-GPOS-00200', 'SRG-OS-000447-GPOS-00201']\n tag gid: 'V-230263'\n tag rid: 'SV-230263r902716_rule'\n tag stig_id: 'RHEL-08-010360'\n tag fix_id: 'F-32907r902715_fix'\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag 'host'\n\n file_integrity_tool = input('file_integrity_tool')\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe package(file_integrity_tool) do\n it { should be_installed }\n end\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n its('content') { should match %r{/bin/mail} }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n its('content') { should match %r{/bin/mail} }\n end\n describe crontab('root').where { command =~ /#{file_integrity_tool}/ } do\n its('commands.flatten') { should include(match %r{/bin/mail}) }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('commands') { should include(match %r{/bin/mail}) }\n end\n end\n end\nend\n", + "code": "control 'SV-230362' do\n title 'RHEL 8 must require the change of at least four character classes when passwords are changed.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"minclass\" option sets the minimum number of required classes\nof characters for the new password (digits, uppercase, lowercase, others).'\n desc 'check', 'Verify the value of the \"minclass\" option with the following command:\n\n$ sudo grep -r minclass /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:minclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of at least four character classes when passwords are changed by setting the \"minclass\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nminclass = 4\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-230362'\n tag rid: 'SV-230362r858781_rule'\n tag stig_id: 'RHEL-08-020160'\n tag fix_id: 'F-33006r858780_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host'\n tag 'container'\n\n value = input('minclass')\n setting = 'minclass'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to more than #{value}\" do\n expect(setting_value.first.to_i).to be <= value.to_i, \"#{setting} is set to a value greater than #{value} in pwquality.conf\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230263.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230362.rb", "line": 1 }, - "id": "SV-230263" + "id": "SV-230362" }, { - "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n/etc/security/opasswd.", - "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "title": "RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.", + "desc": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", "descriptions": { - "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", - "check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/security/opasswd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n -w /etc/security/opasswd -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", - "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/security/opasswd\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/security/opasswd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." + "default": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", + "check": "Verify the operating system enforces 24 hours/1 day as the minimum password\nlifetime for new user accounts.\n\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the\nfollowing command:\n\n $ sudo grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is\ncommented out, this is a finding.", + "fix": "Configure the operating system to enforce 24 hours/1 day as the minimum\npassword lifetime.\n\n Add the following line in \"/etc/login.defs\" (or modify the line to have\nthe required value):\n\n PASS_MIN_DAYS 1" }, "impact": 0.5, "refs": [ 
@@ -14018,51 +14023,34 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000062-GPOS-00031", - "satisfies": [ - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000004-GPOS-00004", - "SRG-OS-000037-GPOS-00015", - "SRG-OS-000042-GPOS-00020", - "SRG-OS-000062-GPOS-00031", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000392-GPOS-00172", - "SRG-OS-000462-GPOS-00206", - "SRG-OS-000470-GPOS-00214", - "SRG-OS-000471-GPOS-00215", - "SRG-OS-000239-GPOS-00089", - "SRG-OS-000240-GPOS-00090", - "SRG-OS-000241-GPOS-00091", - "SRG-OS-000303-GPOS-00120", - "SRG-OS-000304-GPOS-00121", - "SRG-OS-000476-GPOS-00221" - ], - "gid": "V-230405", - "rid": "SV-230405r627750_rule", - "stig_id": "RHEL-08-030140", - "fix_id": "F-33049r567962_fix", + "gtitle": "SRG-OS-000075-GPOS-00043", + "gid": "V-230365", + "rid": "SV-230365r858727_rule", + "stig_id": "RHEL-08-020190", + "fix_id": "F-33009r567842_fix", "cci": [ - "CCI-000169" + "CCI-000198" ], "nist": [ - "AU-12 a" + "IA-5 (1) (d)" ], - "host": null + "host": null, + "container": null }, - "code": "control 'SV-230405' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n/etc/security/opasswd.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/security/opasswd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n -w /etc/security/opasswd -p wa -k identity\n\n If the command does not return a 
line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/security/opasswd\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/security/opasswd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230405'\n tag rid: 'SV-230405r627750_rule'\n tag stig_id: 'RHEL-08-030140'\n tag fix_id: 'F-33049r567962_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/security/opasswd'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230365' do\n title 'RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.'\n desc \"Enforcing a minimum password lifetime helps to prevent 
repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.\"\n desc 'check', 'Verify the operating system enforces 24 hours/1 day as the minimum password\nlifetime for new user accounts.\n\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the\nfollowing command:\n\n $ sudo grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is\ncommented out, this is a finding.'\n desc 'fix', 'Configure the operating system to enforce 24 hours/1 day as the minimum\npassword lifetime.\n\n Add the following line in \"/etc/login.defs\" (or modify the line to have\nthe required value):\n\n PASS_MIN_DAYS 1'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000075-GPOS-00043'\n tag gid: 'V-230365'\n tag rid: 'SV-230365r858727_rule'\n tag stig_id: 'RHEL-08-020190'\n tag fix_id: 'F-33009r567842_fix'\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag 'host'\n tag 'container'\n\n value = input('pass_min_days')\n setting = input_object('pass_min_days').name.upcase\n\n describe \"/etc/login.defs does not have `#{setting}` configured\" do\n let(:config) { login_defs.read_params[setting] }\n it \"greater than #{value} day\" do\n expect(config).to cmp <= value\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230405.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230365.rb", "line": 1 }, - "id": "SV-230405" + "id": "SV-230365" }, { - "title": "The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.", - "desc": "Without re-authentication, users may access resources or perform tasks for which they do not have 
authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", + "title": "RHEL 8 must prevent special devices on non-root local partitions.", + "desc": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access. The only legitimate\nlocation for device files is the /dev directory located on the root partition.", "descriptions": { - "default": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.", - "check": "Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.", - "fix": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file." + "default": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access. 
The only legitimate\nlocation for device files is the /dev directory located on the root partition.", + "check": "Verify all non-root local partitions are mounted with the \"nodev\" option\nwith the following command:\n\n $ sudo mount | grep '^/dev\\S* on /\\S' | grep --invert-match 'nodev'\n\n If any output is produced, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option on all\nnon-root local partitions." }, "impact": 0.5, "refs": [ 
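Review bot: The assertion in the new SV-230365 code, `expect(config).to cmp <= value`, runs in the wrong direction for a minimum-lifetime check: the control's own check text makes PASS_MIN_DAYS a finding when it is "not 1 or greater", yet with the default of 1 this expectation passes for 0 and fails for 2 or more. It should read `expect(config).to cmp >= value`, and the describe/it strings ("does not have ... configured", "greater than #{value} day") should be reworded to state what is actually asserted. When PASS_MIN_DAYS is commented out, `login_defs.read_params[setting]` presumably yields nil, so it is worth confirming that `cmp` on nil reports a failure rather than raising. The same `<=` pattern appears in the SV-230362 minclass code of the preceding hunk (`expect(setting_value.first.to_i).to be <= value.to_i`), whose check text treats values below 4 as a finding.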
@@ -14071,42 +14059,34 @@ } ], "tags": { - "check_id": "C-55149r809358_chk", "severity": "medium", - "gid": "V-251712", - "rid": "SV-251712r854083_rule", - "stig_id": "RHEL-08-010385", - "gtitle": "SRG-OS-000373-GPOS-00156", - "fix_id": "F-55103r854082_fix", - "satisfies": [ - "SRG-OS-000373-GPOS-00156", - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00158" - ], - "documentable": null, + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230301", + "rid": "SV-230301r627750_rule", + "stig_id": "RHEL-08-010580", + "fix_id": "F-32945r567650_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11" + "CM-6 b" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-251712' do\n title 'The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.'\n desc 'Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.'\n desc 'check', 'Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.'\n desc 'fix', 'Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag check_id: 'C-55149r809358_chk'\n tag severity: 'medium'\n tag gid: 'V-251712'\n tag rid: 'SV-251712r854083_rule'\n tag stig_id: 'RHEL-08-010385'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag 
fix_id: 'F-55103r854082_fix'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag 'documentable'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host'\n tag 'container-conditional'\n\n if virtualization.system.eql?('docker') && !command('sudo').exist?\n impact 0.0\n describe 'Control not applicable within a container without sudo enabled' do\n skip 'Control not applicable within a container without sudo enabled'\n end\n else\n describe parse_config_file('/etc/pam.d/sudo') do\n its('content') { should_not match(/pam_succeed_if/) }\n end\n end\nend\n", + "code": "control 'SV-230301' do\n title 'RHEL 8 must prevent special devices on non-root local partitions.'\n desc 'The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access. 
The only legitimate\nlocation for device files is the /dev directory located on the root partition.'\n desc 'check', %q(Verify all non-root local partitions are mounted with the \"nodev\" option\nwith the following command:\n\n $ sudo mount | grep '^/dev\\S* on /\\S' | grep --invert-match 'nodev'\n\n If any output is produced, this is a finding.)\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nodev\" option on all\nnon-root local partitions.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230301'\n tag rid: 'SV-230301r627750_rule'\n tag stig_id: 'RHEL-08-010580'\n tag fix_id: 'F-32945r567650_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nodev'\n\n mount_stdout = command('mount').stdout.lines\n failing_mount_points = mount_stdout.select { |mp| mp.match(%r{^/dev\\S*\\s+on\\s+/\\S}) }.reject { |mp| mp.match(/\\(.*#{option}.*\\)/) }\n\n describe \"All mounted devices outside of '/dev' directory\" do\n it \"should be mounted with the '#{option}' option\" do\n expect(failing_mount_points).to be_empty, \"Failing devices:\\n\\t- #{failing_mount_points.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-251712.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230301.rb", "line": 1 }, - "id": "SV-251712" + "id": "SV-230301" }, { - "title": "RHEL 8 must enable a user session lock until that user re-establishes\naccess using established identification and authentication procedures for\ncommand line sessions.", - "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at 
the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. Red Hat endorses tmux\nas the recommended session controlling package.", + "title": "RHEL 8 audit system must protect logon UIDs from unauthorized change.", + "desc": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.", - "check": "Verify the operating system enables the user to manually initiate a session lock with the following command:\n\n $ sudo grep -Ei 'lock-command|lock-session' /etc/tmux.conf\n\n set -g lock-command vlock\n bind X lock-session\n\nIf the \"lock-command\" is not set and \"lock-session\" is not bound to a specific keyboard key in the global settings, this is a finding.", - "fix": "Configure the operating system to enable a user to manually initiate a session lock via tmux. This configuration binds the uppercase letter \"X\" to manually initiate a session lock after the prefix key \"Ctrl + b\" has been sent. The complete key sequence is thus \"Ctrl + b\" then \"Shift + x\" to lock tmux.\n\nCreate a global configuration file \"/etc/tmux.conf\" and add the following lines:\n\n set -g lock-command vlock\n bind X lock-session\n\nReload tmux configuration to take effect. This can be performed in tmux while it is running:\n\n $ tmux source-file /etc/tmux.conf" + "default": "Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. 
A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.", + "check": "Verify the audit system prevents unauthorized changes to logon UIDs with\nthe following command:\n\n $ sudo grep -i immutable /etc/audit/audit.rules\n\n --loginuid-immutable\n\n If the login UIDs are not set to be immutable by adding the\n\"--loginuid-immutable\" option to the \"/etc/audit/audit.rules\", this is a\nfinding.", + "fix": "Configure the audit system to set the logon UIDs to be immutable by adding\nthe following line to \"/etc/audit/rules.d/audit.rules\"\n\n --loginuid-immutable" }, "impact": 0.5, "refs": [ 
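Review bot: In the new SV-230301 code, `command('mount').stdout.lines` keeps the trailing newline on every entry, so each element of failing_mount_points ends in "\n" and the failure message built with `join("\n\t- ")` comes out double-spaced; `mount_stdout = command('mount').stdout.lines(chomp: true)` fixes that without touching either regex. Separately, the control only inspects the live mount table while the fix text changes /etc/fstab, so a partition remounted with nodev by hand passes today and regresses at reboot; if the profile wants to catch that, a second expectation over the `etc_fstab` resource's mount_options for the same non-root entries would cover it, though that goes beyond the STIG check text and should be agreed with the profile maintainers.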
@@ -14116,37 +14096,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000028-GPOS-00009", + "gtitle": "SRG-OS-000057-GPOS-00027", "satisfies": [ - "SRG-OS-000028-GPOS-00009", - "SRG-OS-000030-GPOS-00011" + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" ], - "gid": "V-230348", - "rid": "SV-230348r902725_rule", - "stig_id": "RHEL-08-020040", - "fix_id": "F-32992r880719_fix", + "gid": "V-230403", + "rid": "SV-230403r627750_rule", + "stig_id": "RHEL-08-030122", + "fix_id": "F-33047r567956_fix", "cci": [ - "CCI-000056" + "CCI-000162" ], "nist": [ - "AC-11 b" + "AU-9", + "AU-9 a" ], "host": null }, - "code": "control 'SV-230348' do\n title 'RHEL 8 must enable a user session lock until that user re-establishes\naccess using established identification and authentication procedures for\ncommand line sessions.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.\n\n Tmux is a terminal multiplexer that enables a number of terminals to be\ncreated, accessed, and controlled from a single screen. 
Red Hat endorses tmux\nas the recommended session controlling package.'\n desc 'check', %q(Verify the operating system enables the user to manually initiate a session lock with the following command:\n\n $ sudo grep -Ei 'lock-command|lock-session' /etc/tmux.conf\n\n set -g lock-command vlock\n bind X lock-session\n\nIf the \"lock-command\" is not set and \"lock-session\" is not bound to a specific keyboard key in the global settings, this is a finding.)\n desc 'fix', 'Configure the operating system to enable a user to manually initiate a session lock via tmux. This configuration binds the uppercase letter \"X\" to manually initiate a session lock after the prefix key \"Ctrl + b\" has been sent. The complete key sequence is thus \"Ctrl + b\" then \"Shift + x\" to lock tmux.\n\nCreate a global configuration file \"/etc/tmux.conf\" and add the following lines:\n\n set -g lock-command vlock\n bind X lock-session\n\nReload tmux configuration to take effect. This can be performed in tmux while it is running:\n\n $ tmux source-file /etc/tmux.conf'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000028-GPOS-00009'\n tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000030-GPOS-00011']\n tag gid: 'V-230348'\n tag rid: 'SV-230348r902725_rule'\n tag stig_id: 'RHEL-08-020040'\n tag fix_id: 'F-32992r880719_fix'\n tag cci: ['CCI-000056']\n tag nist: ['AC-11 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n lock_command = command('grep -i lock-command /etc/tmux.conf').stdout.strip\n lock_session = command('grep -i lock-session /etc/tmux.conf').stdout.strip\n\n describe 'tmux settings' do\n it 'should set lock-command' do\n expect(lock_command).to match(/set -g lock-command vlock/)\n end\n it 'should bind a specific key to lock-session' do\n expect(lock_session).to match(/bind . 
lock-session/)\n end\n end\nend\n", + "code": "control 'SV-230403' do\n title 'RHEL 8 audit system must protect logon UIDs from unauthorized change.'\n desc 'Unauthorized disclosure of audit records can reveal system and\nconfiguration data to attackers, thus compromising its confidentiality.\n\n Audit information includes all information (e.g., audit records, audit\nsettings, audit reports) needed to successfully audit RHEL 8 system activity.\n\n In immutable mode, unauthorized users cannot execute changes to the audit\nsystem to potentially hide malicious activity and then put the audit rules\nback. A system reboot would be noticeable and a system administrator could\nthen investigate the unauthorized changes.'\n desc 'check', 'Verify the audit system prevents unauthorized changes to logon UIDs with\nthe following command:\n\n $ sudo grep -i immutable /etc/audit/audit.rules\n\n --loginuid-immutable\n\n If the login UIDs are not set to be immutable by adding the\n\"--loginuid-immutable\" option to the \"/etc/audit/audit.rules\", this is a\nfinding.'\n desc 'fix', 'Configure the audit system to set the logon UIDs to be immutable by adding\nthe following line to \"/etc/audit/rules.d/audit.rules\"\n\n --loginuid-immutable'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000057-GPOS-00027'\n tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']\n tag gid: 'V-230403'\n tag rid: 'SV-230403r627750_rule'\n tag stig_id: 'RHEL-08-030122'\n tag fix_id: 'F-33047r567956_fix'\n tag cci: ['CCI-000162']\n tag nist: ['AU-9', 'AU-9 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe command('grep -i immutable /etc/audit/audit.rules') do\n its('stdout.strip') { should cmp '--loginuid-immutable' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230348.rb", + 
"ref": "./Red Hat 8 STIG/controls/SV-230403.rb", "line": 1 }, - "id": "SV-230348" + "id": "SV-230403" }, { - "title": "RHEL 8 must employ FIPS 140-2 approved cryptographic hashing\nalgorithms for all stored passwords.", - "desc": "The system must use a strong hashing algorithm to store the password.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", + "title": "RHEL 8 must require the change of at least 8 characters when passwords\nare changed.", + "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. The \"difok\" option sets the number of characters in a password\nthat must not be present in the old password.", "descriptions": { - "default": "The system must use a strong hashing algorithm to store the password.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. 
If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.", - "check": "Confirm that the interactive user account passwords are using a strong\npassword hash with the following command:\n\n $ sudo cut -d: -f2 /etc/shadow\n\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\n Password hashes \"!\" or \"*\" indicate inactive accounts not available for\nlogon and are not evaluated. If any interactive user password hash does not\nbegin with \"$6$\", this is a finding.", - "fix": "Lock all interactive user accounts not using SHA-512 hashing\nuntil the passwords can be regenerated with SHA-512." + "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"difok\" option sets the number of characters in a password\nthat must not be present in the old password.", + "check": "Verify the value of the \"difok\" option with the following command:\n\n$ sudo grep -r difok /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:difok = 8\n\nIf the value of \"difok\" is set to less than \"8\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = 8\n\nRemove any configurations that conflict with the above value." }, "impact": 0.5, "refs": [ 
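Review bot: The new SV-230403 code compares the entire stripped output of `grep -i immutable /etc/audit/audit.rules` against the single string `--loginuid-immutable`, which is brittle: any other line matching "immutable" case-insensitively (a comment next to an `-e 2` rule is common) makes the stdout differ and reports a false finding, while a commented-out `# --loginuid-immutable` is rejected only by accident of the leading `#`. A content match on the file is more robust and states the intent directly: `describe file('/etc/audit/audit.rules') do` / `its('content') { should match(/^\s*--loginuid-immutable\s*$/) }` / `end`. Note also that the fix text writes to /etc/audit/rules.d/audit.rules whereas the test reads /etc/audit/audit.rules; where augenrules regenerates the latter, the rule only shows up in the tested file after the rules are reloaded, which the control description could say explicitly.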
@@ -14156,48 +14138,48 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000073-GPOS-00041", - "gid": "V-230232", - "rid": "SV-230232r877397_rule", - "stig_id": "RHEL-08-010120", - "fix_id": "F-32876r567443_fix", + "gtitle": "SRG-OS-000072-GPOS-00040", + "gid": "V-230363", + "rid": "SV-230363r858783_rule", + "stig_id": "RHEL-08-020170", + "fix_id": "F-33007r858782_fix", "cci": [ - "CCI-000196" + "CCI-000195" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) (b)" ], "host": null, "container": null }, - "code": "control 'SV-230232' do\n title 'RHEL 8 must employ FIPS 140-2 approved cryptographic hashing\nalgorithms for all stored passwords.'\n desc 'The system must use a strong hashing algorithm to store the password.\n\n Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can be\nplainly read (i.e., clear text) and easily compromised.'\n desc 'check', 'Confirm that the interactive user account passwords are using a strong\npassword hash with the following command:\n\n $ sudo cut -d: -f2 /etc/shadow\n\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\n Password hashes \"!\" or \"*\" indicate inactive accounts not available for\nlogon and are not evaluated. 
If any interactive user password hash does not\nbegin with \"$6$\", this is a finding.'\n desc 'fix', 'Lock all interactive user accounts not using SHA-512 hashing\nuntil the passwords can be regenerated with SHA-512.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000073-GPOS-00041'\n tag gid: 'V-230232'\n tag rid: 'SV-230232r877397_rule'\n tag stig_id: 'RHEL-08-010120'\n tag fix_id: 'F-32876r567443_fix'\n tag cci: ['CCI-000196']\n tag nist: ['IA-5 (1) (c)']\n tag 'host'\n tag 'container'\n\n weak_pw_hash_users = inspec.shadow.where { password !~ /^[*!]{1,2}.*$|^\\$6\\$.*$|^$/ }.users\n\n describe 'All stored passwords' do\n it 'should only be hashed with the SHA512 algorithm' do\n message = \"Users without SHA512 hashes:\\n\\t- #{weak_pw_hash_users.join(\"\\n\\t- \")}\"\n expect(weak_pw_hash_users).to be_empty, message\n end\n end\nend\n", + "code": "control 'SV-230363' do\n title 'RHEL 8 must require the change of at least 8 characters when passwords\nare changed.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
The \"difok\" option sets the number of characters in a password\nthat must not be present in the old password.'\n desc 'check', 'Verify the value of the \"difok\" option with the following command:\n\n$ sudo grep -r difok /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:difok = 8\n\nIf the value of \"difok\" is set to less than \"8\" or is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = 8\n\nRemove any configurations that conflict with the above value.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000072-GPOS-00040'\n tag gid: 'V-230363'\n tag rid: 'SV-230363r858783_rule'\n tag stig_id: 'RHEL-08-020170'\n tag fix_id: 'F-33007r858782_fix'\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host'\n tag 'container'\n\n value = input('difok')\n setting = 'difok'\n\n describe 'pwquality.conf settings' do\n let(:config) { parse_config_file('/etc/security/pwquality.conf', multiple_values: true) }\n let(:setting_value) { config.params[setting].is_a?(Integer) ? 
[config.params[setting]] : Array(config.params[setting]) }\n\n it \"has `#{setting}` set\" do\n expect(setting_value).not_to be_empty, \"#{setting} is not set in pwquality.conf\"\n end\n\n it \"only sets `#{setting}` once\" do\n expect(setting_value.length).to eq(1), \"#{setting} is commented or set more than once in pwquality.conf\"\n end\n\n it \"does not set `#{setting}` to more than #{value}\" do\n expect(setting_value.first.to_i).to be <= value.to_i, \"#{setting} is set to a value greater than #{value} in pwquality.conf\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230232.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230363.rb", "line": 1 }, - "id": "SV-230232" + "id": "SV-230363" }, { - "title": "RHEL 8 must enable the hardware random number generator entropy\ngatherer service.", - "desc": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).", + "title": "RHEL 8 must prevent code from being executed on file systems that are\nused with removable media.", + "desc": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. 
Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", "descriptions": { - "default": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).", - "check": "Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable.\n\nCheck that RHEL 8 has enabled the hardware random number generator entropy gatherer service.\n\nVerify the rngd service is enabled and active with the following commands:\n\n $ sudo systemctl is-enabled rngd\n enabled\n\n $ sudo systemctl is-active rngd\n active\n\nIf the service is not \"enabled\" and \"active\", this is a finding.", - "fix": "Start the rngd service and enable the rngd service with the following commands:\n\n $ sudo systemctl start rngd.service\n\n $ sudo systemctl enable rngd.service" + "default": "The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. 
Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "check": "Verify file systems that are used for removable media are mounted with the\n\"noexec\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"noexec\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are associated with removable media." }, - "impact": 0.3, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "low", + "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230285", - "rid": "SV-230285r928587_rule", - "stig_id": "RHEL-08-010471", - "fix_id": "F-32929r917875_fix", + "gid": "V-230304", + "rid": "SV-230304r627750_rule", + "stig_id": "RHEL-08-010610", + "fix_id": "F-32948r567659_fix", "cci": [ "CCI-000366" ], 
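Review bot: The third expectation in the new SV-230363 code string is inverted: `expect(setting_value.first.to_i).to be <= value.to_i` passes when difok is below the required value and fails when it is above it, while the check text in the same hunk says a value less than 8 is a finding. The `it` description should say "less than" rather than "more than", and the assertion should become `expect(setting_value.first.to_i).to be >= value.to_i, "#{setting} is set to a value less than #{value} in pwquality.conf"`. Separately, the check text greps `/etc/security/pwquality.conf*` but the code parses only `/etc/security/pwquality.conf`, so a conflicting `difok` in a drop-in file would presumably go unnoticed; a comment stating that drop-ins are out of scope, or a second parse of them, would close that gap.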
@@ -14206,57 +14188,57 @@ ], "host": null }, - "code": "control 'SV-230285' do\n title 'RHEL 8 must enable the hardware random number generator entropy\ngatherer service.'\n desc 'The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).'\n desc 'check', 'Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable.\n\nCheck that RHEL 8 has enabled the hardware random number generator entropy gatherer service.\n\nVerify the rngd service is enabled and active with the following commands:\n\n $ sudo systemctl is-enabled rngd\n enabled\n\n $ sudo systemctl is-active rngd\n active\n\nIf the service is not \"enabled\" and \"active\", this is a finding.'\n desc 'fix', 'Start the rngd service and enable the rngd service with the following commands:\n\n $ sudo systemctl start rngd.service\n\n $ sudo systemctl enable rngd.service'\n impact 0.3\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'low'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230285'\n tag rid: 'SV-230285r928587_rule'\n tag stig_id: 'RHEL-08-010471'\n tag fix_id: 'F-32929r917875_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if os.release.to_f >= 8.4 && input('use_fips') == true\n impact 0.0\n 
describe 'For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable.' do\n skip \"Currently on release #{os.release}, this control is Not Applicable.\"\n end\n else\n describe service('rngd') do\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", + "code": "control 'SV-230304' do\n title 'RHEL 8 must prevent code from being executed on file systems that are\nused with removable media.'\n desc 'The \"noexec\" mount option causes the system not to execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files, as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.'\n desc 'check', 'Verify file systems that are used for removable media are mounted with the\n\"noexec\" option with the following command:\n\n $ sudo more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid,nodev,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"noexec\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are associated with removable media.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230304'\n tag rid: 'SV-230304r627750_rule'\n tag stig_id: 'RHEL-08-010610'\n tag fix_id: 'F-32948r567659_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'noexec'\n file_systems = etc_fstab.params\n non_removable_media = input('non_removable_media_fs')\n mounted_removeable_media = file_systems.reject { |mnt| 
non_removable_media.include?(mnt['mount_point']) }\n failing_mounts = mounted_removeable_media.reject { |mnt| mnt['mount_options'].include?(option) }\n\n # be very explicit about why this one was a finding since we do not know which mounts are removeable media without the user telling us\n rem_media_msg = \"NOTE: Some mounted devices are not indicated to be non-removable media (you may need to update the 'non_removable_media_fs' input to check if these are truly subject to this requirement)\\n\"\n\n # there should either be no mounted removable media (which should be a requirement anyway), OR\n # all removeable media should be mounted with noexec\n if mounted_removeable_media.empty?\n describe 'No removeable media' do\n it 'are mounted' do\n expect(mounted_removeable_media).to be_empty\n end\n end\n else\n describe 'Any mounted removeable media' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"#{rem_media_msg}\\nRemoveable media without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230285.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230304.rb", "line": 1 }, - "id": "SV-230285" + "id": "SV-230304" }, { - "title": "All RHEL 8 remote access methods must be monitored.", - "desc": "Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "title": "RHEL 8 must prevent the installation of software, patches, service\npacks, device drivers, or operating system components from a repository without\nverification they have been digitally signed using a certificate that is issued\nby a Certificate Authority (CA) that is recognized and approved by the\norganization.", + "desc": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", "descriptions": { - "default": "Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).", - "check": "Verify that RHEL 8 monitors all remote access methods.\n\nCheck that remote access methods are being logged by running the following command:\n\n$ sudo grep -E '(auth\\.\\*|authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged, this is a finding.", - "fix": "Configure RHEL 8 to monitor all remote access methods by installing rsyslog\nwith the following command:\n\n $ sudo yum install rsyslog\n\n Then add or update the following lines to the \"/etc/rsyslog.conf\" file:\n\n auth.*;authpriv.*;daemon.* /var/log/secure\n\n The \"rsyslog\" service must be restarted for the changes to take effect.\nTo restart the \"rsyslog\" service, run the following command:\n\n $ sudo systemctl restart rsyslog.service" + "default": "Changes to any software components can have significant effects on 
the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that YUM verifies the signature of packages from a repository prior to install with the following command:\n\n $ sudo grep -E '^\\[.*\\]|gpgcheck' /etc/yum.repos.d/*.repo\n\n /etc/yum.repos.d/appstream.repo:[appstream]\n /etc/yum.repos.d/appstream.repo:gpgcheck=1\n /etc/yum.repos.d/baseos.repo:[baseos]\n /etc/yum.repos.d/baseos.repo:gpgcheck=1\n\nIf \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.\n\nIf there is no process to validate certificates that is approved by the organization, this is a finding.", + "fix": "Configure the operating system to verify the signature of packages from a\nrepository prior to install by setting the following option in 
the\n\"/etc/yum.repos.d/[your_repo_name].repo\" file:\n\n gpgcheck=1" }, - "impact": 0.5, + "impact": 0.7, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "medium", - "gtitle": "SRG-OS-000032-GPOS-00013", - "gid": "V-230228", - "rid": "SV-230228r951592_rule", - "stig_id": "RHEL-08-010070", - "fix_id": "F-32872r567431_fix", + "severity": "high", + "gtitle": "SRG-OS-000366-GPOS-00153", + "gid": "V-230264", + "rid": "SV-230264r880711_rule", + "stig_id": "RHEL-08-010370", + "fix_id": "F-32908r880710_fix", "cci": [ - "CCI-000067" + "CCI-001749" ], "nist": [ - "AC-17 (1)" + "CM-5 (3)" ], "host": null, - "container-conditional": null + "container": null }, - "code": "control 'SV-230228' do\n title 'All RHEL 8 remote access methods must be monitored.'\n desc 'Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).'\n desc 'check', %q(Verify that RHEL 8 monitors all remote access methods.\n\nCheck that remote access methods are being logged by running the following command:\n\n$ sudo grep -E '(auth\\.\\*|authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged, this is a finding.)\n desc 'fix', 'Configure RHEL 8 to monitor all remote access methods by installing rsyslog\nwith the following command:\n\n $ sudo yum install rsyslog\n\n Then add or update the following lines to the \"/etc/rsyslog.conf\" file:\n\n auth.*;authpriv.*;daemon.* /var/log/secure\n\n The \"rsyslog\" service must be restarted for the changes to take effect.\nTo restart the \"rsyslog\" service, run the following command:\n\n $ sudo systemctl restart rsyslog.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000032-GPOS-00013'\n tag gid: 'V-230228'\n tag rid: 'SV-230228r951592_rule'\n tag stig_id: 'RHEL-08-010070'\n tag fix_id: 'F-32872r567431_fix'\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable; remote access not configured within containerized RHEL', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n rsyslog = file('/etc/rsyslog.conf')\n\n describe rsyslog do\n it { should exist }\n end\n\n if rsyslog.exist?\n 
auth_pattern = %r{^\\s*[a-z.;*]*auth(,[a-z,]+)*\\.\\*\\s*/*}\n authpriv_pattern = %r{^\\s*[a-z.;*]*authpriv(,[a-z,]+)*\\.\\*\\s*/*}\n daemon_pattern = %r{^\\s*[a-z.;*]*daemon(,[a-z,]+)*\\.\\*\\s*/*}\n\n rsyslog_conf = command('grep -E \\'(auth.*|authpriv.*|daemon.*)\\' /etc/rsyslog.conf /etc/rsyslog.d/*.conf')\n\n describe 'Logged remote access methods' do\n it 'should include auth.*' do\n expect(rsyslog_conf.stdout).to match(auth_pattern), 'auth.* not configured for logging'\n end\n it 'should include authpriv.*' do\n expect(rsyslog_conf.stdout).to match(authpriv_pattern), 'authpriv.* not configured for logging'\n end\n it 'should include daemon.*' do\n expect(rsyslog_conf.stdout).to match(daemon_pattern), 'daemon.* not configured for logging'\n end\n end\n end\nend\n", + "code": "control 'SV-230264' do\n title 'RHEL 8 must prevent the installation of software, patches, service\npacks, device drivers, or operating system components from a repository without\nverification they have been digitally signed using a certificate that is issued\nby a Certificate Authority (CA) that is recognized and approved by the\norganization.'\n desc 'Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.'\n desc 'check', %q(Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that YUM verifies the signature of packages from a repository prior to install with the following command:\n\n $ sudo grep -E '^\\[.*\\]|gpgcheck' /etc/yum.repos.d/*.repo\n\n /etc/yum.repos.d/appstream.repo:[appstream]\n /etc/yum.repos.d/appstream.repo:gpgcheck=1\n /etc/yum.repos.d/baseos.repo:[baseos]\n /etc/yum.repos.d/baseos.repo:gpgcheck=1\n\nIf \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.\n\nIf there is no process to validate certificates that is approved by the organization, this is a finding.)\n desc 'fix', 'Configure the operating system to verify the signature of packages from a\nrepository prior to install by setting the following option in the\n\"/etc/yum.repos.d/[your_repo_name].repo\" file:\n\n gpgcheck=1'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000366-GPOS-00153'\n tag gid: 'V-230264'\n tag rid: 'SV-230264r880711_rule'\n tag stig_id: 'RHEL-08-010370'\n tag fix_id: 'F-32908r880710_fix'\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host'\n tag 'container'\n\n # TODO: create a plural resource for repo def files (`repositories`?)\n\n # get list of all repo files\n repo_def_files = command('ls /etc/yum.repos.d/*.repo').stdout.split(\"\\n\")\n\n if repo_def_files.empty?\n describe 'No repos found in /etc/yum.repos.d/*.repo' do\n skip 'No repos found in /etc/yum.repos.d/*.repo'\n end\n 
else\n # pull out all repo definitions from all files into one big hash\n repos = repo_def_files.map { |file| parse_config_file(file).params }.inject(&:merge)\n\n # check big hash for repos that fail the test condition\n failing_repos = repos.keys.reject { |repo_name| repos[repo_name]['gpgcheck'] == '1' }\n\n describe 'All repositories' do\n it 'should be configured to verify digital signatures' do\n expect(failing_repos).to be_empty, \"Misconfigured repositories:\\n\\t- #{failing_repos.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230228.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230264.rb", "line": 1 }, - "id": "SV-230228" + "id": "SV-230264" }, { - "title": "The RHEL 8 SSH daemon must not allow authentication using known host’s\nauthentication.", - "desc": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "title": "RHEL 8 must prevent special devices on file systems that are imported\nvia Network File System (NFS).", + "desc": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", "descriptions": { - "default": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", - "check": "Verify the SSH daemon does not allow authentication using known host’s authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*ignoreuserknownhosts'\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using known host’s\nauthentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"yes\":\n\n IgnoreUserKnownHosts yes\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "check": "Verify file systems that are being NFS-imported are mounted with the\n\"nodev\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep nodev\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nodev\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option on\nfile systems that are being imported via NFS." }, "impact": 0.5, "refs": [ 
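Review bot: The failure message in the new SV-230304 code string interpolates `failing_mounts.join(...)`, and `failing_mounts` holds the hashes returned by `etc_fstab.params`, so the report prints hash literals instead of mount points; `failing_mounts.map { |mnt| mnt['mount_point'] }.join("\n\t- ")` would name the offending entries directly. In the SV-230264 code string, `inject(&:merge)` collapses repo sections that share a name across files, so a duplicate `[id]` with `gpgcheck=0` in an earlier file is hidden by a later one; this presumably only matters where repo files overlap, but a comment such as `# NOTE: later files override same-named sections from earlier ones` would make the limitation visible. That control also marks a repo without an explicit `gpgcheck` line as failing, whereas the check text says to ask the System Administrator in that case; a comment noting that the profile takes the stricter reading would help reviewers reconcile the two.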
@@ -14267,33 +14249,32 @@ "tags": { "severity": "medium", "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230290", - "rid": "SV-230290r951602_rule", - "stig_id": "RHEL-08-010520", - "fix_id": "F-32934r567617_fix", + "gid": "V-230307", + "rid": "SV-230307r627750_rule", + "stig_id": "RHEL-08-010640", + "fix_id": "F-32951r567668_fix", "cci": [ "CCI-000366" ], "nist": [ "CM-6 b" ], - "host": null, - "container-conditional": null + "host": null }, - "code": "control 'SV-230290' do\n title 'The RHEL 8 SSH daemon must not allow authentication using known host’s\nauthentication.'\n desc 'Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.'\n desc 'check', %q(Verify the SSH daemon does not allow authentication using known host’s authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*ignoreuserknownhosts'\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure the SSH daemon to not allow authentication using known host’s\nauthentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"yes\":\n\n IgnoreUserKnownHosts yes\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230290'\n tag rid: 'SV-230290r951602_rule'\n tag stig_id: 'RHEL-08-010520'\n tag fix_id: 'F-32934r567617_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)\n }\n\n describe sshd_active_config do\n its('IgnoreUserKnownHosts') { should cmp 'yes' }\n end\nend\n", + "code": "control 'SV-230307' do\n title 'RHEL 8 must prevent special devices on file systems that are imported\nvia Network File System (NFS).'\n desc 'The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.'\n desc 'check', 'Verify file systems that are being NFS-imported are mounted with the\n\"nodev\" option with the following command:\n\n $ sudo grep nfs /etc/fstab | grep nodev\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec\n0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nodev\" option set, this is a finding.'\n desc 'fix', 'Configure the \"/etc/fstab\" to use the \"nodev\" option on\nfile systems that are being imported via NFS.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230307'\n tag rid: 'SV-230307r627750_rule'\n tag stig_id: 'RHEL-08-010640'\n tag fix_id: 'F-32951r567668_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not 
Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n option = 'nodev'\n nfs_file_systems = etc_fstab.nfs_file_systems.params\n failing_mounts = nfs_file_systems.reject { |mnt| mnt['mount_options'].include?(option) }\n\n if nfs_file_systems.empty?\n describe 'No NFS' do\n it 'is mounted' do\n expect(nfs_file_systems).to be_empty\n end\n end\n else\n describe 'Any mounted Network File System (NFS)' do\n it \"should have '#{option}' set\" do\n expect(failing_mounts).to be_empty, \"NFS without '#{option}' set:\\n\\t- #{failing_mounts.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230290.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230307.rb", "line": 1 }, - "id": "SV-230290" + "id": "SV-230307" }, { - "title": "RHEL 8 operating systems must require authentication upon booting into\nrescue mode.", - "desc": "If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.", + "title": "RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.", + "desc": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\n By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\n The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf", "descriptions": { - "default": "If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.", - "check": "Check to see if the system requires authentication for rescue mode with the\nfollowing command:\n\n $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n\n If the \"ExecStart\" line is configured for anything other than\n\"/usr/lib/systemd/systemd-sulogin-shell rescue\", commented out, or missing,\nthis is a finding.", - "fix": "Configure the system to require authentication upon booting into rescue\nmode by adding the following line to the\n\"/usr/lib/systemd/system/rescue.service\" file.\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" + "default": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\n By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\n The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf", + "check": "Verify the operating system is configured to enable DAC on hardlinks with the following commands:\n\n Check the status of the fs.protected_hardlinks kernel parameter.\n\n $ sudo sysctl fs.protected_hardlinks\n\n fs.protected_hardlinks = 1\n\n If \"fs.protected_hardlinks\" is not set to \"1\" or is missing, this is a finding.\n\n Check that the configuration files are present to enable this kernel parameter.\n\n $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n /etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1\n\n If \"fs.protected_hardlinks\" is not set to \"1\", is missing or commented out, this is a finding.\n\n If conflicting results are returned, this is a finding.", + "fix": "Configure the operating system to enable DAC on hardlinks.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n fs.protected_hardlinks = 1\n\n Remove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system" }, "impact": 0.5, "refs": [ 
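Review bot: In the new SV-230307 code, `nfs_file_systems = etc_fstab.nfs_file_systems.params` means only /etc/fstab entries are evaluated, so NFS shares mounted at runtime, through autofs, or by systemd mount units are never checked for `nodev`; this mirrors the STIG check text, which also reads only /etc/fstab, but a one-line comment such as `# Only /etc/fstab entries are evaluated; NFS mounted at runtime or via autofs is out of scope here` would stop a reader from assuming active mounts are covered. The failure message built with `failing_mounts.join("\n\t- ")` joins whole entry hashes, so the finding will print Ruby hash dumps instead of mount points; mapping to the mount-point field first (presumably `failing_mounts.map { |mnt| mnt['mount_point'] }`, to be confirmed against the etc_fstab resource) would make the output readable. The `mnt['mount_options'].include?(option)` test assumes `mount_options` is an array; if the resource returns a comma-joined string it degrades to a substring match, which still works for `nodev` but is worth confirming. The control object's title and descriptions begin in the preceding hunk.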
@@ -14303,33 +14284,39 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000080-GPOS-00048", - "gid": "V-230236", - "rid": "SV-230236r743928_rule", - "stig_id": "RHEL-08-010151", - "fix_id": "F-32880r743927_fix", + "gtitle": "SRG-OS-000312-GPOS-00122", + "satisfies": [ + "SRG-OS-000312-GPOS-00122", + "SRG-OS-000312-GPOS-00123", + "SRG-OS-000312-GPOS-00124", + "SRG-OS-000324-GPOS-00125" + ], + "gid": "V-230268", + "rid": "SV-230268r858754_rule", + "stig_id": "RHEL-08-010374", + "fix_id": "F-32912r858753_fix", "cci": [ - "CCI-000213" + "CCI-002165" ], "nist": [ - "AC-3" + "AC-3 (4)" ], "host": null }, - "code": "control 'SV-230236' do\n title 'RHEL 8 operating systems must require authentication upon booting into\nrescue mode.'\n desc 'If the system does not require valid root authentication before it\nboots into emergency or rescue mode, anyone who invokes emergency or rescue\nmode is granted privileged access to all files on the system.'\n desc 'check', 'Check to see if the system requires authentication for rescue mode with the\nfollowing command:\n\n $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n\n If the \"ExecStart\" line is configured for anything other than\n\"/usr/lib/systemd/systemd-sulogin-shell rescue\", commented out, or missing,\nthis is a finding.'\n desc 'fix', 'Configure the system to require authentication upon booting into rescue\nmode by adding the following line to the\n\"/usr/lib/systemd/system/rescue.service\" file.\n\n ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000080-GPOS-00048'\n tag gid: 'V-230236'\n tag rid: 'SV-230236r743928_rule'\n tag stig_id: 'RHEL-08-010151'\n tag fix_id: 'F-32880r743927_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host'\n\n only_if('Control not applicable within a container without sudo enabled', 
impact: 0.0) do\n !virtualization.system.eql?('docker')\n end\n describe service('rescue') do\n its('params.ExecStart') { should include '/usr/lib/systemd/systemd-sulogin-shell rescue' }\n end\nend\n", + "code": "control 'SV-230268' do\n title 'RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.'\n desc 'Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\n When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\n By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().\n\n The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf'\n desc 'check', 'Verify the operating system is configured to enable DAC on hardlinks with the following commands:\n\n Check the status of the fs.protected_hardlinks kernel parameter.\n\n $ sudo sysctl fs.protected_hardlinks\n\n fs.protected_hardlinks = 1\n\n If \"fs.protected_hardlinks\" is not set to \"1\" or is missing, this is a finding.\n\n Check that the configuration files are present to enable this kernel parameter.\n\n $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n /etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1\n\n If \"fs.protected_hardlinks\" is not set to \"1\", is missing or commented out, this is a finding.\n\n If conflicting results are 
returned, this is a finding.'\n desc 'fix', 'Configure the operating system to enable DAC on hardlinks.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n fs.protected_hardlinks = 1\n\n Remove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000312-GPOS-00122'\n tag satisfies: ['SRG-OS-000312-GPOS-00122', 'SRG-OS-000312-GPOS-00123', 'SRG-OS-000312-GPOS-00124', 'SRG-OS-000324-GPOS-00125']\n tag gid: 'V-230268'\n tag rid: 'SV-230268r858754_rule'\n tag stig_id: 'RHEL-08-010374'\n tag fix_id: 'F-32912r858753_fix'\n tag cci: ['CCI-002165']\n tag nist: ['AC-3 (4)']\n tag 'host'\n\n only_if('Control not applicable within a container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n action = 'fs.protected_hardlinks'\n\n describe kernel_parameter(action) do\n its('value') { should eq 1 }\n end\n\n search_result = command(\"grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}\").stdout.strip\n\n correct_result = search_result.lines.any? 
{ |line| line.match(/#{action}\\s*=\\s*1$/) }\n incorrect_results = search_result.lines.map(&:strip).select { |line| line.match(/#{action}\\s*=\\s*[^1]$/) }\n\n describe 'Kernel config files' do\n it \"should configure '#{action}'\" do\n expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'\n end\n unless incorrect_results.nil?\n it 'should not have incorrect or conflicting setting(s) in the config files' do\n expect(incorrect_results).to be_empty, \"Incorrect or conflicting setting(s) found:\\n\\t- #{incorrect_results.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230236.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230268.rb", "line": 1 }, - "id": "SV-230236" + "id": "SV-230268" }, { - "title": "RHEL 8 must enable the USBGuard.", - "desc": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", + "title": "RHEL 8 must not allow users to override SSH environment variables.", + "desc": "SSH environment options potentially allow users to bypass access\nrestriction in some configurations.", "descriptions": { - "default": "Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.", - "check": "Verify the operating system has enabled the use of the USBGuard with the\nfollowing command:\n\n $ sudo systemctl status usbguard.service\n\n usbguard.service - USBGuard daemon\n Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor\npreset: disabled)\n Active: active (running)\n\n If the usbguard.service is not enabled and active, ask the SA to indicate\nhow unauthorized peripherals are being blocked.\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.", - "fix": "Configure the operating system to enable the blocking of unauthorized\nperipherals with the following commands:\n\n $ sudo systemctl enable usbguard.service\n\n $ sudo systemctl start usbguard.service\n\n Note: Enabling and starting usbguard without properly configuring it for an\nindividual system will immediately prevent any access over a usb device such as\na keyboard or mouse" + "default": "SSH environment options potentially allow users to bypass access\nrestriction in some configurations.", + "check": "Verify that unattended or automatic logon via ssh is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permituserenvironment'\n\nPermitUserEnvironment no\n\nIf \"PermitUserEnvironment\" is set to \"yes\", is missing completely, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.", + "fix": "Configure RHEL 8 to allow the SSH daemon to not allow unattended or\nautomatic logon to the system.\n\n 
Add or edit the following line in the \"/etc/ssh/sshd_config\" file:\n\n PermitUserEnvironment no\n\n The SSH daemon must be restarted for the changes to take effect. To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" }, "impact": 0.5, "refs": [ 
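Review bot: In the new SV-230268 code the conflicting-setting filter `line.match(/#{action}\s*=\s*[^1]$/)` only catches values that are a single non-1 character (a value such as `10` or `1 # comment` is reported neither as correct nor as conflicting), and the `unless incorrect_results.nil?` guard is dead because `select` always returns an array. Since grep is anchored with `^`, every line in `search_result` already sets the parameter, so any line that does not match the correct value is a conflict: `incorrect_results = search_result.lines.map(&:strip).reject { |line| line.match?(/#{Regexp.escape(action)}\s*=\s*1$/) }` with the `unless` block unwrapped is both simpler and complete, and `Regexp.escape` also stops the dots in `fs.protected_hardlinks` from matching any character. The grep invocation `command("grep -r ^#{action} #{input('sysctl_conf_files').join(' ')}")` interpolates the profile input unquoted into a shell string; the glob patterns need shell expansion so this is presumably deliberate, but a comment saying so would help the next reader. The local is named `action` although it holds a sysctl parameter name; `param` would read better.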
@@ -14339,76 +14326,75 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000378-GPOS-00163", - "gid": "V-244548", - "rid": "SV-244548r854077_rule", - "stig_id": "RHEL-08-040141", - "fix_id": "F-47780r743892_fix", + "gtitle": "SRG-OS-000480-GPOS-00229", + "gid": "V-230330", + "rid": "SV-230330r951610_rule", + "stig_id": "RHEL-08-010830", + "fix_id": "F-32974r567737_fix", "cci": [ - "CCI-001958" + "CCI-000366" ], "nist": [ - "IA-3" + "CM-6 b" ], - "host": null + "host": null, + "container-conditional": null }, - "code": "control 'SV-244548' do\n title 'RHEL 8 must enable the USBGuard.'\n desc 'Without authenticating devices, unidentified or unknown devices may be\nintroduced, thereby facilitating malicious activity.\n\n Peripherals include, but are not limited to, such devices as flash drives,\nexternal storage, and printers.\n\n A new feature that RHEL 8 provides is the USBGuard software framework. The\nUSBguard-daemon is the main component of the USBGuard software framework. It\nruns as a service in the background and enforces the USB device authorization\npolicy for all USB devices. The policy is defined by a set of rules using a\nrule language described in the usbguard-rules.conf file. 
The policy and the\nauthorization state of USB devices can be modified during runtime using the\nusbguard tool.\n\n The System Administrator (SA) must work with the site Information System\nSecurity Officer (ISSO) to determine a list of authorized peripherals and\nestablish rules within the USBGuard software framework to allow only authorized\ndevices.'\n desc 'check', 'Verify the operating system has enabled the use of the USBGuard with the\nfollowing command:\n\n $ sudo systemctl status usbguard.service\n\n usbguard.service - USBGuard daemon\n Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor\npreset: disabled)\n Active: active (running)\n\n If the usbguard.service is not enabled and active, ask the SA to indicate\nhow unauthorized peripherals are being blocked.\n If there is no evidence that unauthorized peripherals are being blocked\nbefore establishing a connection, this is a finding.'\n desc 'fix', 'Configure the operating system to enable the blocking of unauthorized\nperipherals with the following commands:\n\n $ sudo systemctl enable usbguard.service\n\n $ sudo systemctl start usbguard.service\n\n Note: Enabling and starting usbguard without properly configuring it for an\nindividual system will immediately prevent any access over a usb device such as\na keyboard or mouse'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000378-GPOS-00163'\n tag gid: 'V-244548'\n tag rid: 'SV-244548r854077_rule'\n tag stig_id: 'RHEL-08-040141'\n tag fix_id: 'F-47780r743892_fix'\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag 'host'\n\n only_if('This requirement does not apply to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n peripherals_service = input('peripherals_service')\n\n describe service(peripherals_service) do\n it \"is expected to be running. 
\\n\\tPlease ensure to configure the service to ensure your devices function as expected.\" do\n expect(subject.running?).to be(true), \"The #{peripherals_service} service is not running\"\n end\n it \"is expected to be enabled. \\n\\tPlease ensure to configure the service to ensure your devices function as expected.\" do\n expect(subject.enabled?).to be(true), \"The #{peripherals_service} service is not enabled\"\n end\n end\nend\n", + "code": "control 'SV-230330' do\n title 'RHEL 8 must not allow users to override SSH environment variables.'\n desc 'SSH environment options potentially allow users to bypass access\nrestriction in some configurations.'\n desc 'check', %q(Verify that unattended or automatic logon via ssh is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permituserenvironment'\n\nPermitUserEnvironment no\n\nIf \"PermitUserEnvironment\" is set to \"yes\", is missing completely, or is commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Configure RHEL 8 to allow the SSH daemon to not allow unattended or\nautomatic logon to the system.\n\n Add or edit the following line in the \"/etc/ssh/sshd_config\" file:\n\n PermitUserEnvironment no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00229'\n tag gid: 'V-230330'\n tag rid: 'SV-230330r951610_rule'\n tag stig_id: 'RHEL-08-010830'\n tag fix_id: 'F-32974r567737_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This requirement is Not Applicable inside a container, the containers host manages the containers filesystems') {\n !(virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?)\n }\n\n describe sshd_active_config do\n its('PermitUserEnvironment') { should eq 'no' }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244548.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230330.rb", "line": 1 }, - "id": "SV-244548" + "id": "SV-230330" }, { - "title": "RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", - "desc": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. 
The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries.\n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.", + "title": "RHEL 8 must prevent a user from overriding the session lock-delay\nsetting for the graphical user interface.", + "desc": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", "descriptions": { - "default": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. 
The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries.\n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.", - "check": "Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if FIPS mode is enabled with the following command:\n\n $ fips-mode-setup --check\n FIPS mode is enabled\n\nIf FIPS mode is \"enabled\", check to see if the kernel boot parameter is configured for FIPS mode with the following command:\n\n $ sudo grub2-editenv list | grep fips\n kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n $ sudo cat /proc/sys/crypto/fips_enabled\n 1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this 
is a finding.", - "fix": "Configure the operating system to implement DOD-approved encryption by following the steps below:\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nEnable FIPS mode after installation (not strict FIPS-compliant) with the following command:\n\n $ sudo fips-mode-setup --enable\n\nReboot the system for the changes to take effect." + "default": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.", + "check": "Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-delay\n\n If the command does not return at least the example result, this is a\nfinding.", + "fix": "Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/screensaver/lock-delay" }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000033-GPOS-00014", + "severity": "medium", + "gtitle": "SRG-OS-000029-GPOS-00010", "satisfies": [ - "SRG-OS-000033-GPOS-00014", - "SRG-OS-000125-GPOS-00065", - "SRG-OS-000396-GPOS-00176", - "SRG-OS-000423-GPOS-00187", - "SRG-OS-000478-GPOS-00223" + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" ], - "gid": "V-230223", - "rid": "SV-230223r928585_rule", - "stig_id": "RHEL-08-010020", - "fix_id": 
"F-32867r928584_fix", + "gid": "V-230354", + "rid": "SV-230354r743990_rule", + "stig_id": "RHEL-08-020080", + "fix_id": "F-32998r743989_fix", "cci": [ - "CCI-000068" + "CCI-000057" ], "nist": [ - "AC-17 (2)" + "AC-11 a" ], "host": null }, - "code": "control 'SV-230223' do\n title 'RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'\n desc 'Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries.\n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. 
Less than 256 keystrokes may generate a nonunique key.'\n desc 'check', 'Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if FIPS mode is enabled with the following command:\n\n $ fips-mode-setup --check\n FIPS mode is enabled\n\nIf FIPS mode is \"enabled\", check to see if the kernel boot parameter is configured for FIPS mode with the following command:\n\n $ sudo grub2-editenv list | grep fips\n kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n $ sudo cat /proc/sys/crypto/fips_enabled\n 1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.'\n desc 'fix', 'Configure the operating system to implement DOD-approved encryption by following the steps below:\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nEnable FIPS mode after installation (not strict FIPS-compliant) with the following command:\n\n $ sudo fips-mode-setup --enable\n\nReboot the system for the changes to take effect.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000033-GPOS-00014'\n tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000125-GPOS-00065', 'SRG-OS-000396-GPOS-00176', 'SRG-OS-000423-GPOS-00187', 'SRG-OS-000478-GPOS-00223']\n tag gid: 'V-230223'\n tag rid: 'SV-230223r928585_rule'\n tag stig_id: 'RHEL-08-010020'\n tag fix_id: 
'F-32867r928584_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable in a container' do\n skip 'The host OS controls the FIPS mode settings. The host OS should also be scanned with the applicable OS validation profile.'\n end\n elsif input('use_fips') == false\n impact 0.0\n describe 'This control is Not Applicable as FIPS is not required for this system' do\n skip 'This control is Not Applicable as FIPS is not required for this system'\n end\n else\n describe command('fips-mode-setup --check') do\n its('stdout.strip') { should match(/FIPS mode is enabled/) }\n end\n\n grub_config = command('grub2-editenv - list').stdout\n\n describe parse_config(grub_config) do\n its('kernelopts') { should match(/fips=1/) }\n end\n\n describe file('/proc/sys/crypto/fips_enabled') do\n its('content.strip') { should cmp '1' }\n end\n end\nend\n", + "code": "control 'SV-230354' do\n title 'RHEL 8 must prevent a user from overriding the session lock-delay\nsetting for the graphical user interface.'\n desc \"A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.\n\n Implementing session settings will have little value if a user is able to\nmanipulate these settings from the defaults prescribed in the other\nrequirements of this implementation guide.\n\n Locking these settings from non-privileged users is crucial to maintaining\na protected baseline.\"\n desc 'check', 
'Verify the operating system prevents a user from overriding settings for\ngraphical user interfaces.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n $ sudo grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check that graphical settings are locked from non-privileged user\nmodification with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n $ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-delay\n\n If the command does not return at least the example result, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to prevent a user from overriding settings\nfor graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n $ sudo touch /etc/dconf/db/local.d/locks/session\n\n Add the following setting to prevent non-privileged users from modifying it:\n\n /org/gnome/desktop/screensaver/lock-delay'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012', 'SRG-OS-000480-GPOS-00227']\n tag gid: 'V-230354'\n tag rid: 'SV-230354r743990_rule'\n tag stig_id: 'RHEL-08-020080'\n tag fix_id: 'F-32998r743989_fix'\n tag cci: ['CCI-000057']\n tag 
nist: ['AC-11 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command('grep -i lock-delay /etc/dconf/db/local.d/locks/*') do\n its('stdout.split') { should include '/org/gnome/desktop/screensaver/lock-delay' }\n end\n else\n impact 0.0\n describe 'The GNOME desktop is not installed' do\n skip 'The GNOME desktop is not installed, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230223.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230354.rb", "line": 1 }, - "id": "SV-230223" + "id": "SV-230354" }, { - "title": "RHEL 8 must display a banner before granting local or remote access to\nthe system via a graphical user logon.", - "desc": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.", + "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n/etc/security/opasswd.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "descriptions": { - "default": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and 
security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.", - "check": "Verify RHEL 8 displays a banner before granting access to the operating\nsystem via a graphical user logon.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Check to see if the operating system displays a banner at the logon screen\nwith the following command:\n\n $ sudo grep banner-message-enable /etc/dconf/db/local.d/*\n\n banner-message-enable=true\n\n If \"banner-message-enable\" is set to \"false\" or is missing, this is a\nfinding.", - "fix": "Configure the operating system to display a banner before granting access\nto the system.\n\n Note: If the system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\n Create a database to contain the system-wide graphical user logon settings\n(if it does not already exist) with the following command:\n\n $ sudo touch /etc/dconf/db/local.d/01-banner-message\n\n Add the following lines to the [org/gnome/login-screen] section of the\n\"/etc/dconf/db/local.d/01-banner-message\":\n\n [org/gnome/login-screen]\n\n banner-message-enable=true\n\n Run the following command to update the database:\n\n $ sudo dconf update" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + 
"check": "Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/security/opasswd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n -w /etc/security/opasswd -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/security/opasswd\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/security/opasswd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
@@ -14418,37 +14404,51 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000023-GPOS-00006", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000023-GPOS-00006", - "SRG-OS-000228-GPOS-00088" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000304-GPOS-00121", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000304-GPOS-00121", + "SRG-OS-000476-GPOS-00221" ], - "gid": "V-244519", - "rid": "SV-244519r743806_rule", - "stig_id": "RHEL-08-010049", - "fix_id": "F-47751r743805_fix", + "gid": "V-230405", + "rid": "SV-230405r627750_rule", + "stig_id": "RHEL-08-030140", + "fix_id": "F-33049r567962_fix", "cci": [ - "CCI-000048" + "CCI-000169" ], "nist": [ - "AC-8 a" + "AU-12 a" ], "host": null }, - "code": "control 'SV-244519' do\n title 'RHEL 8 must display a banner before granting local or remote access to\nthe system via a graphical user logon.'\n desc 'Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.'\n desc 'check', 'Verify RHEL 8 displays a banner before granting access to the operating\nsystem via a graphical user logon.\n\n Note: This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n Check to see if the operating system displays a banner at the logon screen\nwith the following command:\n\n $ sudo grep banner-message-enable /etc/dconf/db/local.d/*\n\n banner-message-enable=true\n\n If \"banner-message-enable\" is set to \"false\" or is missing, this is a\nfinding.'\n desc 'fix', 'Configure the operating system to display a banner before granting access\nto the system.\n\n Note: If the system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\n Create a database to contain the system-wide graphical user logon settings\n(if it does not already exist) with the following command:\n\n $ sudo touch /etc/dconf/db/local.d/01-banner-message\n\n Add the following lines to the [org/gnome/login-screen] section of the\n\"/etc/dconf/db/local.d/01-banner-message\":\n\n [org/gnome/login-screen]\n\n banner-message-enable=true\n\n Run the following command to update the database:\n\n $ sudo dconf update'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-244519'\n tag rid: 'SV-244519r743806_rule'\n tag stig_id: 'RHEL-08-010049'\n tag fix_id: 'F-47751r743805_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n\n only_if('This requirement is Not Applicable in the container', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n no_gui = command('ls /usr/share/xsessions/*').stderr.match?(/No such file or directory/)\n\n if no_gui\n impact 0.0\n describe 'The system does not have a GUI Desktop is installed, this control is Not Applicable' do\n skip 'A GUI desktop is not installed, this control is Not Applicable.'\n end\n else\n describe command('grep ^banner-message-enable /etc/dconf/db/local.d/*') do\n its('stdout.strip') { should cmp 
'banner-message-enable=true' }\n end\n end\nend\n", + "code": "control 'SV-230405' do\n title 'RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n/etc/security/opasswd.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).'\n desc 'check', 'Verify RHEL 8 generates audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/security/opasswd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n $ sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n -w /etc/security/opasswd -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect\n\"/etc/security/opasswd\".\n\n Add or update the following file system rule to\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/security/opasswd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000004-GPOS-00004', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000470-GPOS-00214', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 
'SRG-OS-000303-GPOS-00120', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000476-GPOS-00221']\n tag gid: 'V-230405'\n tag rid: 'SV-230405r627750_rule'\n tag stig_id: 'RHEL-08-030140'\n tag fix_id: 'F-33049r567962_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n audit_command = '/etc/security/opasswd'\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.permissions.flatten).to include('w', 'a')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-244519.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230405.rb", "line": 1 }, - "id": "SV-244519" + "id": "SV-230405" }, { - "title": "RHEL 8 must require users to reauthenticate for privilege escalation.", - "desc": "Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", + "title": "RHEL 8 must not have unnecessary accounts.", + "desc": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. 
Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", "descriptions": { - "default": "Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", - "check": "Verify that \"/etc/sudoers\" has no occurrences of \"!authenticate\".\n\n Check that the \"/etc/sudoers\" file has no occurrences of\n\"!authenticate\" by running the following command:\n\n $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/*\n\n If any occurrences of \"!authenticate\" return from the command, this is a\nfinding.", - "fix": "Remove any occurrence of \"!authenticate\" found in\n\"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory." + "default": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. 
Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", + "check": "Verify all accounts on the system are assigned to an active system,\napplication, or user account.\n\n Obtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\n Check the system accounts on the system with the following command:\n\n $ sudo more /etc/passwd\n\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as\nthey do not support authorized system functions.\n\n If the accounts on the system do not match the provided documentation, or\naccounts that do not support an authorized system function are present, this is\na finding.", + "fix": "Configure the system so all accounts on the system are assigned to an\nactive system, application, or user account.\n\n Remove accounts that do not support approved system activities or that\nallow for a normal user to perform administrative-level actions.\n\n Document all authorized accounts on the system." }, "impact": 0.5, "refs": [ 
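Review bot: The new SV-230405 control's `satisfies` list carries duplicate entries in both the `tags.satisfies` array and the `tag satisfies:` line inside `code` — `SRG-OS-000062-GPOS-00031` and `SRG-OS-000304-GPOS-00121` each appear twice — so drop the second occurrence of each; duplicates can inflate SRG coverage counts in downstream tooling and give two copies a chance to drift apart. Separately, the embedded InSpec test uses `auditd.file('/etc/security/opasswd')`, which inspects the rules actually loaded in the kernel, whereas the check text greps `/etc/audit/audit.rules` and the fix text writes to `/etc/audit/rules.d/audit.rules`, so a rule that is present on disk but not yet loaded (`augenrules --load` or an auditd restart) fails this test while passing the manual grep. I would add `# auditd.file reports the active rule set (auditctl -l); a rule added under rules.d must be loaded before this passes` above the `audit_rule = auditd.file(audit_command)` line so the gap is explicit. The test also depends on the profile inputs `audit_rule_keynames` and `audit_rule_keynames_overrides`, which are not defined anywhere in this hunk — confirm they exist in the profile's `inputs` list, since as far as I can tell an unresolved `input()` errors the control at runtime instead of reporting a finding.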
@@ -14458,113 +14458,107 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000373-GPOS-00156", - "satisfies": [ - "SRG-OS-000373-GPOS-00156", - "SRG-OS-000373-GPOS-00157", - "SRG-OS-000373-GPOS-00158" - ], - "gid": "V-230272", - "rid": "SV-230272r854027_rule", - "stig_id": "RHEL-08-010381", - "fix_id": "F-32916r567563_fix", + "gtitle": "SRG-OS-000480-GPOS-00227", + "gid": "V-230379", + "rid": "SV-230379r627750_rule", + "stig_id": "RHEL-08-020320", + "fix_id": "F-33023r567884_fix", "cci": [ - "CCI-002038" + "CCI-000366" ], "nist": [ - "IA-11" + "CM-6 b" ], "host": null, - "container-conditional": null + "container": null }, - "code": "control 'SV-230272' do\n title 'RHEL 8 must require users to reauthenticate for privilege escalation.'\n desc 'Without reauthentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.'\n desc 'check', 'Verify that \"/etc/sudoers\" has no occurrences of \"!authenticate\".\n\n Check that the \"/etc/sudoers\" file has no occurrences of\n\"!authenticate\" by running the following command:\n\n $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/*\n\n If any occurrences of \"!authenticate\" return from the command, this is a\nfinding.'\n desc 'fix', 'Remove any occurrence of \"!authenticate\" found in\n\"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158']\n tag gid: 'V-230272'\n tag rid: 'SV-230272r854027_rule'\n tag stig_id: 'RHEL-08-010381'\n tag fix_id: 'F-32916r567563_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host'\n tag 'container-conditional'\n\n only_if('Control not applicable within a container 
without sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n describe sudoers(input('sudoers_config_files')) do\n its('settings.Defaults') { should_not include '!authenticate' }\n end\nend\n", + "code": "control 'SV-230379' do\n title 'RHEL 8 must not have unnecessary accounts.'\n desc 'Accounts providing no operational purpose provide additional\nopportunities for system compromise. Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.'\n desc 'check', 'Verify all accounts on the system are assigned to an active system,\napplication, or user account.\n\n Obtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\n Check the system accounts on the system with the following command:\n\n $ sudo more /etc/passwd\n\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as\nthey do not support authorized system functions.\n\n If the accounts on the system do not match the provided documentation, or\naccounts that do not support an authorized system function are present, this is\na finding.'\n desc 'fix', 'Configure the system so all accounts on the system are assigned to an\nactive system, application, or user account.\n\n Remove accounts that do not support approved system activities or that\nallow for a normal user to perform administrative-level actions.\n\n Document all authorized accounts on the system.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 
'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230379'\n tag rid: 'SV-230379r627750_rule'\n tag stig_id: 'RHEL-08-020320'\n tag fix_id: 'F-33023r567884_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n failing_users = passwd.users.reject { |u| (input('known_system_accounts') + input('user_accounts')).uniq.include?(u) }\n\n describe 'All users' do\n it 'should have an explicit, authorized purpose (either a known user account or a required system account)' do\n expect(failing_users).to be_empty, \"Failing users:\\n\\t- #{failing_users.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230272.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230379.rb", "line": 1 }, - "id": "SV-230272" + "id": "SV-230379" }, { - "title": "The root account must be the only account having unrestricted access\nto the RHEL 8 system.", - "desc": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", + "title": "RHEL 8 must mount /tmp with the nosuid option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", - "check": "Check the system for duplicate UID \"0\" assignments with the following\ncommand:\n\n $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd\n\n If any accounts other than root have a UID of \"0\", this is a finding.", - "fix": "Change the UID of any account on the system, other than root, that has a\nUID of \"0\".\n\n If the account is associated with system commands or applications, the UID\nshould be changed to one greater than \"0\" but less than \"1000\". Otherwise,\nassign a UID of greater than \"1000\" that has not already been assigned." + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. 
Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/tmp\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if /tmp is\nmounted without the \"nosuid\" option, this is a finding.", + "fix": "Configure the system so that /tmp is mounted with the \"nosuid\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0" }, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230534", - "rid": "SV-230534r627750_rule", - "stig_id": "RHEL-08-040200", - "fix_id": "F-33178r568349_fix", + "severity": "medium", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230512", + "rid": "SV-230512r854053_rule", + "stig_id": "RHEL-08-040124", + "fix_id": "F-33156r568283_fix", "cci": [ - "CCI-000366" + "CCI-001764" ], 
"nist": [ - "CM-6 b" + "CM-7 (2)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230534' do\n title 'The root account must be the only account having unrestricted access\nto the RHEL 8 system.'\n desc 'If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.'\n desc 'check', %q(Check the system for duplicate UID \"0\" assignments with the following\ncommand:\n\n $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd\n\n If any accounts other than root have a UID of \"0\", this is a finding.)\n desc 'fix', 'Change the UID of any account on the system, other than root, that has a\nUID of \"0\".\n\n If the account is associated with system commands or applications, the UID\nshould be changed to one greater than \"0\" but less than \"1000\". Otherwise,\nassign a UID of greater than \"1000\" that has not already been assigned.'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230534'\n tag rid: 'SV-230534r627750_rule'\n tag stig_id: 'RHEL-08-040200'\n tag fix_id: 'F-33178r568349_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n describe passwd.uids(0) do\n its('users') { should cmp 'root' }\n its('entries.length') { should eq 1 }\n end\nend\n", + "code": "control 'SV-230512' do\n title 'RHEL 8 must mount /tmp with the nosuid option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/tmp\" is mounted with the \"nosuid\" option:\n\n $ sudo mount | grep /tmp\n\n /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nosuid\" option is configured for /tmp:\n\n $ sudo cat /etc/fstab | grep /tmp\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nosuid\" option is missing, or if /tmp is\nmounted without the \"nosuid\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /tmp is mounted with the \"nosuid\" option by\nadding /modifying the /etc/fstab with the following line:\n\n /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230512'\n 
tag rid: 'SV-230512r854053_rule'\n tag stig_id: 'RHEL-08-040124'\n tag fix_id: 'F-33156r568283_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/tmp'\n option = 'nosuid'\n mount_option_enabled = input('mount_tmp_options')[option]\n\n if mount_option_enabled\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\n else\n describe mount(path) do\n its('options') { should_not include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should_not include option }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230534.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230512.rb", "line": 1 }, - "id": "SV-230534" + "id": "SV-230512" }, { - "title": "RHEL 8 must not allow accounts configured with blank or null\npasswords.", - "desc": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.", + "title": "RHEL 8 must require re-authentication when using the \"sudo\" command.", + "desc": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the organization requires the user to\nre-authenticate when using the \"sudo\" command.\n\n If the value is set to an integer less than 0, the user's time stamp will\nnot expire and the user will not have to re-authenticate for privileged actions\nuntil the user's session is terminated.", "descriptions": { - "default": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", - "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitemptypasswords'\n\nPermitEmptyPasswords no\n\nIf \"PermitEmptyPasswords\" is set to \"yes\", this is a finding.\n\nIf conflicting results are returned, this is a finding.", - "fix": "Edit the following line in \"etc/ssh/sshd_config\" to prevent logons with\nempty passwords.\n\n PermitEmptyPasswords no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service" + "default": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the organization requires the user to\nre-authenticate when using the \"sudo\" command.\n\n If the value is set to an integer less than 0, the user's time stamp will\nnot expire and the user will not have to re-authenticate for privileged actions\nuntil the user's session is terminated.", + "check": "Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative number, is commented out, or no results are returned, this is a finding.", + "fix": "Configure the \"sudo\" command to require re-authentication.\nEdit the /etc/sudoers file:\n$ sudo visudo\n\nAdd or modify the following line:\nDefaults timestamp_timeout=[value]\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\".\n\nRemove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [ { "ref": "DPMS Target Red Hat Enterprise Linux 8" } ], "tags": { - "severity": "high", - "gtitle": "SRG-OS-000480-GPOS-00227", - "gid": "V-230380", - "rid": "SV-230380r951612_rule", - "stig_id": "RHEL-08-020330", - "fix_id": "F-33024r743992_fix", + "severity": "medium", + "gtitle": "SRG-OS-000373-GPOS-00156", + "gid": "V-237643", + "rid": "SV-237643r861088_rule", + "stig_id": "RHEL-08-010384", + "fix_id": "F-40825r858763_fix", "cci": [ - "CCI-000366" + "CCI-002038" ], "nist": [ - "CM-6 b" + "IA-11" ], "host": null, "container-conditional": null }, - "code": "control 'SV-230380' do\n title 'RHEL 8 must not allow accounts configured with blank or null\npasswords.'\n desc 'If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.'\n desc 'check', %q(To verify that null passwords cannot be used, run the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitemptypasswords'\n\nPermitEmptyPasswords no\n\nIf \"PermitEmptyPasswords\" is set to \"yes\", this is a finding.\n\nIf conflicting results are returned, this is a finding.)\n desc 'fix', 'Edit the following line in \"etc/ssh/sshd_config\" to prevent logons with\nempty passwords.\n\n PermitEmptyPasswords no\n\n The SSH daemon must be restarted for the changes to take effect. 
To restart\nthe SSH daemon, run the following command:\n\n $ sudo systemctl restart sshd.service'\n impact 0.7\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230380'\n tag rid: 'SV-230380r951612_rule'\n tag stig_id: 'RHEL-08-020330'\n tag fix_id: 'F-33024r743992_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container-conditional'\n\n if virtualization.system.eql?('docker') && !file('/etc/ssh/sshd_config').exist?\n impact 0.0\n describe 'Control not applicable - SSH is not installed within containerized RHEL' do\n skip 'Control not applicable - SSH is not installed within containerized RHEL'\n end\n else\n describe sshd_active_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n end\n end\nend\n", + "code": "control 'SV-237643' do\n title 'RHEL 8 must require re-authentication when using the \"sudo\" command.'\n desc %q(Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the organization requires the user to\nre-authenticate when using the \"sudo\" command.\n\n If the value is set to an integer less than 0, the user's time stamp will\nnot expire and the user will not have to re-authenticate for privileged actions\nuntil the user's session is terminated.)\n desc 'check', %q(Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative number, is commented out, or no results are returned, this is a finding.)\n desc 'fix', 'Configure the \"sudo\" command to require re-authentication.\nEdit the /etc/sudoers file:\n$ sudo visudo\n\nAdd 
or modify the following line:\nDefaults timestamp_timeout=[value]\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\".\n\nRemove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000373-GPOS-00156'\n tag gid: 'V-237643'\n tag rid: 'SV-237643r861088_rule'\n tag stig_id: 'RHEL-08-010384'\n tag fix_id: 'F-40825r858763_fix'\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host'\n tag 'container-conditional'\n\n only_if('This requirement is Not Applicable in a container with no sudo installed', impact: 0.0) {\n !(virtualization.system.eql?('docker') && !command('sudo').exist?)\n }\n\n setting = 'timestamp_timeout'\n setting_value = sudoers(input('sudoers_config_files')).settings.Defaults[setting]\n\n describe 'Sudoers configuration' do\n it \"should should set #{setting} to a non-negative number, exactly once\" do\n expect(setting_value).to_not be_nil, \"#{setting} not found inside sudoers config file(s)\"\n expect(setting_value.count).to eq(1), \"#{setting} set #{setting_value.count} times inside sudoers config file(s)\"\n expect(setting_value.first.to_i).to be >= 0\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230380.rb", + "ref": "./Red Hat 8 STIG/controls/SV-237643.rb", "line": 1 }, - "id": "SV-230380" + "id": "SV-237643" }, { - "title": "RHEL 8 must automatically lock graphical user sessions after 15\nminutes of inactivity.", - "desc": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.", + "title": "Successful/unsuccessful uses of the su command in RHEL 8 must generate\nan audit record.", + "desc": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"su\" command allows a\nuser to run commands with a substitute user and group ID.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", "descriptions": { - "default": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. 
Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.", - "check": "Verify the operating system initiates a session lock after a 15-minute\nperiod of inactivity for graphical user interfaces with the following commands:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.desktop.session idle-delay\n\n uint32 900\n\n If \"idle-delay\" is set to \"0\" or a value greater than \"900\", this is\na finding.", - "fix": "Configure the operating system to initiate a screensaver after a 15-minute\nperiod of inactivity for graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n $ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following\nlines:\n\n [org/gnome/desktop/session]\n # Set the lock time out to 900 seconds before the session is considered idle\n idle-delay=uint32 900\n\n Update the system databases:\n\n $ sudo dconf update" + "default": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"su\" command allows a\nuser to run commands with a substitute user and group ID.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. 
Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.", + "check": "Verify RHEL 8 generates audit records when successful/unsuccessful attempts\nto use the \"su\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/su /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset\n-k privileged-priv_change\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "fix": "Configure RHEL 8 to generate audit records when successful/unsuccessful\nattempts to use the \"su\" command occur by adding or updating the following\nrule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset\n-k privileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect." }, "impact": 0.5, "refs": [ 
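Review bot: In SV-230512 the `else` branch, taken when `input('mount_tmp_options')['nosuid']` is false, asserts `should_not include 'nosuid'` against both `mount('/tmp')` and `etc_fstab`, so a host that is hardened beyond what the input asks for fails the control; the STIG check text in the same hunk only treats a missing option as a finding, never a present one. The input should make the requirement optional rather than invert it, so the two negative `describe` blocks should become a skip as below. Separately, SV-237643 validates the sudo timeout with `expect(setting_value.first.to_i).to be >= 0`, and `to_i` maps a non-numeric or malformed value to 0 and passes; adding `expect(setting_value.first).to match(/\A\d+\z/)` before that comparison pins the value to the non-negative integer the fix text requires. Both corrections belong in the upstream control sources named in `source_location` (`./Red Hat 8 STIG/controls/SV-230512.rb` and `SV-237643.rb`), since this JSON appears to be an export of them and would be overwritten on regeneration.
```ruby
  if mount_option_enabled
    # … unchanged: mount(path) and etc_fstab 'should include' checks …
  else
    # Option not required by input: do not assert it is absent, just skip.
    describe "Mount option '#{option}' on #{path}" do
      skip "input mount_tmp_options['#{option}'] is false; #{option} is not enforced for #{path}"
    end
  end
```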
@@ -14574,37 +14568,44 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000029-GPOS-00010", + "gtitle": "SRG-OS-000062-GPOS-00031", "satisfies": [ - "SRG-OS-000029-GPOS-00010", - "SRG-OS-000031-GPOS-00012" + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000064-GPOS-0003", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000462-GPOS-00206", + "SRG-OS-000471-GPOS-00215", + "SRG-OS-000466-GPOS-00210" ], - "gid": "V-230352", - "rid": "SV-230352r646876_rule", - "stig_id": "RHEL-08-020060", - "fix_id": "F-32996r567803_fix", + "gid": "V-230412", + "rid": "SV-230412r627750_rule", + "stig_id": "RHEL-08-030190", + "fix_id": "F-33056r567983_fix", "cci": [ - "CCI-000057" + "CCI-000169" ], "nist": [ - "AC-11 a" + "AU-12 a" ], "host": null }, - "code": "control 'SV-230352' do\n title 'RHEL 8 must automatically lock graphical user sessions after 15\nminutes of inactivity.'\n desc 'A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined. Rather than be forced to wait for a period of time to expire before\nthe user session can be locked, RHEL 8 needs to provide users with the ability\nto manually invoke a session lock so users can secure their session if it is\nnecessary to temporarily vacate the immediate physical vicinity.'\n desc 'check', 'Verify the operating system initiates a session lock after a 15-minute\nperiod of inactivity for graphical user interfaces with the following commands:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo gsettings get org.gnome.desktop.session idle-delay\n\n uint32 900\n\n If \"idle-delay\" is set to \"0\" or a value greater than \"900\", this is\na finding.'\n desc 'fix', 'Configure the operating system to initiate a screensaver after a 15-minute\nperiod of inactivity for graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n $ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following\nlines:\n\n [org/gnome/desktop/session]\n # Set the lock time out to 900 seconds before the session is considered idle\n idle-delay=uint32 900\n\n Update the system databases:\n\n $ sudo dconf update'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000029-GPOS-00010'\n tag satisfies: ['SRG-OS-000029-GPOS-00010', 'SRG-OS-000031-GPOS-00012']\n tag gid: 'V-230352'\n tag rid: 'SV-230352r646876_rule'\n tag stig_id: 'RHEL-08-020060'\n tag fix_id: 'F-32996r567803_fix'\n tag cci: ['CCI-000057']\n tag nist: ['AC-11 a']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command(\"gsettings get org.gnome.desktop.session idle-delay | cut -d ' ' -f2\") do\n its('stdout.strip') { should cmp <= input('system_inactivity_timeout') }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-230412' do\n title 'Successful/unsuccessful uses of the su command in RHEL 8 must generate\nan audit record.'\n desc 'Without generating audit records that are specific to the 
security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"su\" command allows a\nuser to run commands with a substitute user and group ID.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates audit records when successful/unsuccessful attempts\nto use the \"su\" command by performing the following command to check the file\nsystem rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w /usr/bin/su /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset\n-k privileged-priv_change\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure RHEL 8 to generate audit records when successful/unsuccessful\nattempts to use the \"su\" command occur by adding or updating the following\nrule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset\n-k privileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000064-GPOS-0003', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 
'V-230412'\n tag rid: 'SV-230412r627750_rule'\n tag stig_id: 'RHEL-08-030190'\n tag fix_id: 'F-33056r567983_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/su'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230352.rb", + "ref": "./Red Hat 8 STIG/controls/SV-230412.rb", "line": 1 }, - "id": "SV-230352" + "id": "SV-230412" }, { - "title": "RHEL 8 system commands must be group-owned by root or a system\naccount.", - "desc": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", + "title": "RHEL 8 must mount /dev/shm with the nodev option.", + "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. 
The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", "descriptions": { - "default": "If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. 
Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.", - "check": "Verify the system commands contained in the following directories are group-owned by \"root\", or a required system account, with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \\;\n\nIf any system commands are returned and is not group-owned by a required system account, this is a finding.", - "fix": "Configure the system commands to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any system command\nfile not group-owned by \"root\" or a required system account.\n\n $ sudo chgrp root [FILE]" + "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. 
This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.", + "check": "Verify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\"option is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /dev/shm\nis mounted without the \"nodev\" option, this is a finding.", + "fix": "Configure the system so that /dev/shm is mounted with the \"nodev\" option\nby adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" }, "impact": 0.5, "refs": [ 
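Review bot: The new `satisfies` array for SV-230412 in this hunk lists `SRG-OS-000062-GPOS-00031` twice and contains `SRG-OS-000064-GPOS-0003`, whose suffix has four digits where every other entry in the list has five. The same two values recur in the embedded `code` string (`tag satisfies: [...]`), which suggests the defect comes from the control source referenced by `source_location` (`./Red Hat 8 STIG/controls/SV-230412.rb`) rather than from this export. Since the file appears to be a generated profile dump, the fix belongs upstream: de-duplicate the list and confirm the intended SRG suffix against the published STIG before regenerating, rather than patching the JSON by hand. The control object this hunk modifies begins before the hunk, so the `title`/`desc` side of the same control is not visible here.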
@@ -14614,868 +14615,860 @@ ], "tags": { "severity": "medium", - "gtitle": "SRG-OS-000259-GPOS-00100", - "gid": "V-230259", - "rid": "SV-230259r792864_rule", - "stig_id": "RHEL-08-010320", - "fix_id": "F-32903r567524_fix", + "gtitle": "SRG-OS-000368-GPOS-00154", + "gid": "V-230508", + "rid": "SV-230508r854049_rule", + "stig_id": "RHEL-08-040120", + "fix_id": "F-33152r568271_fix", "cci": [ - "CCI-001499" + "CCI-001764" ], "nist": [ - "CM-5 (6)" + "CM-7 (2)" ], - "host": null, - "container": null + "host": null }, - "code": "control 'SV-230259' do\n title 'RHEL 8 system commands must be group-owned by root or a system\naccount.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system commands contained in the following directories are group-owned by \"root\", or a required system account, with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! 
-group root -exec ls -l {} \\\\;\n\nIf any system commands are returned and is not group-owned by a required system account, this is a finding.'\n desc 'fix', 'Configure the system commands to be protected from unauthorized access.\n\n Run the following command, replacing \"[FILE]\" with any system command\nfile not group-owned by \"root\" or a required system account.\n\n $ sudo chgrp root [FILE]'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230259'\n tag rid: 'SV-230259r792864_rule'\n tag stig_id: 'RHEL-08-010320'\n tag fix_id: 'F-32903r567524_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n failing_files = command(\"find -L #{input('system_command_dirs').join(' ')} ! -group root -exec ls -d {} \\\\;\").stdout.split(\"\\n\")\n\n describe 'System commands' do\n it 'should be group-owned by root' do\n expect(failing_files).to be_empty, \"Files not group-owned by root:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230508' do\n title 'RHEL 8 must mount /dev/shm with the nodev option.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n The \"noexec\" mount option causes the system to not execute binary files.\nThis option must be used for mounting any file system not containing approved\nbinary files, as they may be incompatible. Executing files from untrusted file\nsystems increases the opportunity for unprivileged users to attain unauthorized\nadministrative access.\n\n The \"nodev\" mount option causes the system to not interpret character or\nblock special devices. 
Executing character or block special devices from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.\n\n The \"nosuid\" mount option causes the system to not execute \"setuid\" and\n\"setgid\" files with owner privileges. This option must be used for mounting\nany file system not containing approved \"setuid\" and \"setguid\" files.\nExecuting files from untrusted file systems increases the opportunity for\nunprivileged users to attain unauthorized administrative access.'\n desc 'check', 'Verify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n $ sudo mount | grep /dev/shm\n\n tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\n Verify that the \"nodev\"option is configured for /dev/shm:\n\n $ sudo cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If results are returned and the \"nodev\" option is missing, or if /dev/shm\nis mounted without the \"nodev\" option, this is a finding.'\n desc 'fix', 'Configure the system so that /dev/shm is mounted with the \"nodev\" option\nby adding /modifying the /etc/fstab with the following line:\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'\n impact 0.5\n ref 'DPMS Target Red Hat Enterprise Linux 8'\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag gid: 'V-230508'\n tag rid: 'SV-230508r854049_rule'\n tag stig_id: 'RHEL-08-040120'\n tag fix_id: 'F-33152r568271_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n path = '/dev/shm'\n option = 'nodev'\n\n describe mount(path) do\n its('options') { should include option }\n end\n\n describe etc_fstab.where { mount_point == path } do\n its('mount_options.flatten') { should include option }\n end\nend\n", "source_location": { - "ref": "./Red Hat 8 STIG/controls/SV-230259.rb", + "ref": 
"./Red Hat 8 STIG/controls/SV-230508.rb", "line": 1 }, - "id": "SV-230259" + "id": "SV-230508" } ], "groups": [ { "title": null, "controls": [ - "SV-230328" - ], - "id": "controls/SV-230328.rb" - }, - { - "title": null, - "controls": [ - "SV-230310" + "SV-230252" ], - "id": "controls/SV-230310.rb" + "id": "controls/SV-230252.rb" }, { "title": null, "controls": [ - "SV-230343" + "SV-230489" ], - "id": "controls/SV-230343.rb" + "id": "controls/SV-230489.rb" }, { "title": null, "controls": [ - "SV-230513" + "SV-230418" ], - "id": "controls/SV-230513.rb" + "id": "controls/SV-230418.rb" }, { "title": null, "controls": [ - "SV-230382" + "SV-244539" ], - "id": "controls/SV-230382.rb" + "id": "controls/SV-244539.rb" }, { "title": null, "controls": [ - "SV-230243" + "SV-230229" ], - "id": "controls/SV-230243.rb" + "id": "controls/SV-230229.rb" }, { "title": null, "controls": [ - "SV-230224" + "SV-244553" ], - "id": "controls/SV-230224.rb" + "id": "controls/SV-244553.rb" }, { "title": null, "controls": [ - "SV-230225" + "SV-230223" ], - "id": "controls/SV-230225.rb" + "id": "controls/SV-230223.rb" }, { "title": null, "controls": [ - "SV-230334" + "SV-230310" ], - "id": "controls/SV-230334.rb" + "id": "controls/SV-230310.rb" }, { "title": null, "controls": [ - "SV-244553" + "SV-230407" ], - "id": "controls/SV-244553.rb" + "id": "controls/SV-230407.rb" }, { "title": null, "controls": [ - "SV-230221" + "SV-244522" ], - "id": "controls/SV-230221.rb" + "id": "controls/SV-244522.rb" }, { "title": null, "controls": [ - "SV-230536" + "SV-230276" ], - "id": "controls/SV-230536.rb" + "id": "controls/SV-230276.rb" }, { "title": null, "controls": [ - "SV-244528" + "SV-230284" ], - "id": "controls/SV-244528.rb" + "id": "controls/SV-230284.rb" }, { "title": null, "controls": [ - "SV-230256" + "SV-230294" ], - "id": "controls/SV-230256.rb" + "id": "controls/SV-230294.rb" }, { "title": null, "controls": [ - "SV-244521" + "SV-230353" ], - "id": "controls/SV-244521.rb" + "id": 
"controls/SV-230353.rb" }, { "title": null, "controls": [ - "SV-230500" + "SV-230360" ], - "id": "controls/SV-230500.rb" + "id": "controls/SV-230360.rb" }, { "title": null, "controls": [ - "SV-230516" + "SV-230323" ], - "id": "controls/SV-230516.rb" + "id": "controls/SV-230323.rb" }, { "title": null, "controls": [ - "SV-230240" + "SV-230269" ], - "id": "controls/SV-230240.rb" + "id": "controls/SV-230269.rb" }, { "title": null, "controls": [ - "SV-230342" + "SV-230545" ], - "id": "controls/SV-230342.rb" + "id": "controls/SV-230545.rb" }, { "title": null, "controls": [ - "SV-230339" + "SV-230471" ], - "id": "controls/SV-230339.rb" + "id": "controls/SV-230471.rb" }, { "title": null, "controls": [ - "SV-251716" + "SV-244524" ], - "id": "controls/SV-251716.rb" + "id": "controls/SV-244524.rb" }, { "title": null, "controls": [ - "SV-250316" + "SV-244532" ], - "id": "controls/SV-250316.rb" + "id": "controls/SV-244532.rb" }, { "title": null, "controls": [ - "SV-230268" + "SV-230342" ], - "id": "controls/SV-230268.rb" + "id": "controls/SV-230342.rb" }, { "title": null, "controls": [ - "SV-244529" + "SV-230378" ], - "id": "controls/SV-244529.rb" + "id": "controls/SV-230378.rb" }, { "title": null, "controls": [ - "SV-244522" + "SV-256973" ], - "id": "controls/SV-244522.rb" + "id": "controls/SV-256973.rb" }, { "title": null, "controls": [ - "SV-244533" + "SV-230514" ], - "id": "controls/SV-244533.rb" + "id": "controls/SV-230514.rb" }, { "title": null, "controls": [ - "SV-237642" + "SV-230421" ], - "id": "controls/SV-237642.rb" + "id": "controls/SV-230421.rb" }, { "title": null, "controls": [ - "SV-230355" + "SV-230350" ], - "id": "controls/SV-230355.rb" + "id": "controls/SV-230350.rb" }, { "title": null, "controls": [ - "SV-230337" + "SV-230447" ], - "id": "controls/SV-230337.rb" + "id": "controls/SV-230447.rb" }, { "title": null, "controls": [ - "SV-230401" + "SV-230358" ], - "id": "controls/SV-230401.rb" + "id": "controls/SV-230358.rb" }, { "title": null, "controls": [ - 
"SV-230239" + "SV-230345" ], - "id": "controls/SV-230239.rb" + "id": "controls/SV-230345.rb" }, { "title": null, "controls": [ - "SV-230277" + "SV-244548" ], - "id": "controls/SV-230277.rb" + "id": "controls/SV-244548.rb" }, { "title": null, "controls": [ - "SV-230267" + "SV-230400" ], - "id": "controls/SV-230267.rb" + "id": "controls/SV-230400.rb" }, { "title": null, "controls": [ - "SV-230358" + "SV-230477" ], - "id": "controls/SV-230358.rb" + "id": "controls/SV-230477.rb" }, { "title": null, "controls": [ - "SV-230320" + "SV-230495" ], - "id": "controls/SV-230320.rb" + "id": "controls/SV-230495.rb" }, { "title": null, "controls": [ - "SV-230271" + "SV-230550" ], - "id": "controls/SV-230271.rb" + "id": "controls/SV-230550.rb" }, { "title": null, "controls": [ - "SV-230362" + "SV-230237" ], - "id": "controls/SV-230362.rb" + "id": "controls/SV-230237.rb" }, { "title": null, "controls": [ - "SV-230489" + "SV-230534" ], - "id": "controls/SV-230489.rb" + "id": "controls/SV-230534.rb" }, { "title": null, "controls": [ - "SV-230349" + "SV-230531" ], - "id": "controls/SV-230349.rb" + "id": "controls/SV-230531.rb" }, { "title": null, "controls": [ - "SV-244550" + "SV-230561" ], - "id": "controls/SV-244550.rb" + "id": "controls/SV-230561.rb" }, { "title": null, "controls": [ - "SV-230235" + "SV-230221" ], - "id": "controls/SV-230235.rb" + "id": "controls/SV-230221.rb" }, { "title": null, "controls": [ - "SV-230395" + "SV-230234" ], - "id": "controls/SV-230395.rb" + "id": "controls/SV-230234.rb" }, { "title": null, "controls": [ - "SV-230308" + "SV-254520" ], - "id": "controls/SV-230308.rb" + "id": "controls/SV-254520.rb" }, { "title": null, "controls": [ - "SV-230248" + "SV-251709" ], - "id": "controls/SV-230248.rb" + "id": "controls/SV-251709.rb" }, { "title": null, "controls": [ - "SV-230312" + "SV-230388" ], - "id": "controls/SV-230312.rb" + "id": "controls/SV-230388.rb" }, { "title": null, "controls": [ - "SV-230306" + "SV-230376" ], - "id": "controls/SV-230306.rb" + 
"id": "controls/SV-230376.rb" }, { "title": null, "controls": [ - "SV-230315" + "SV-230326" ], - "id": "controls/SV-230315.rb" + "id": "controls/SV-230326.rb" }, { "title": null, "controls": [ - "SV-230479" + "SV-230282" ], - "id": "controls/SV-230479.rb" + "id": "controls/SV-230282.rb" }, { "title": null, "controls": [ - "SV-230464" + "SV-230222" ], - "id": "controls/SV-230464.rb" + "id": "controls/SV-230222.rb" }, { "title": null, "controls": [ - "SV-230226" + "SV-230340" ], - "id": "controls/SV-230226.rb" + "id": "controls/SV-230340.rb" }, { "title": null, "controls": [ - "SV-230316" + "SV-230305" ], - "id": "controls/SV-230316.rb" + "id": "controls/SV-230305.rb" }, { "title": null, "controls": [ - "SV-230275" + "SV-230532" ], - "id": "controls/SV-230275.rb" + "id": "controls/SV-230532.rb" }, { "title": null, "controls": [ - "SV-230378" + "SV-255924" ], - "id": "controls/SV-230378.rb" + "id": "controls/SV-255924.rb" }, { "title": null, "controls": [ - "SV-230229" + "SV-230510" ], - "id": "controls/SV-230229.rb" + "id": "controls/SV-230510.rb" }, { "title": null, "controls": [ - "SV-230435" + "SV-251707" ], - "id": "controls/SV-230435.rb" + "id": "controls/SV-251707.rb" }, { "title": null, "controls": [ - "SV-230385" + "SV-230333" ], - "id": "controls/SV-230385.rb" + "id": "controls/SV-230333.rb" }, { "title": null, "controls": [ - "SV-230293" + "SV-230394" ], - "id": "controls/SV-230293.rb" + "id": "controls/SV-230394.rb" }, { "title": null, "controls": [ - "SV-230318" + "SV-230367" ], - "id": "controls/SV-230318.rb" + "id": "controls/SV-230367.rb" }, { "title": null, "controls": [ - "SV-230467" + "SV-230368" ], - "id": "controls/SV-230467.rb" + "id": "controls/SV-230368.rb" }, { "title": null, "controls": [ - "SV-251713" + "SV-230361" ], - "id": "controls/SV-251713.rb" + "id": "controls/SV-230361.rb" }, { "title": null, "controls": [ - "SV-244537" + "SV-230332" ], - "id": "controls/SV-244537.rb" + "id": "controls/SV-230332.rb" }, { "title": null, "controls": [ 
- "SV-230487" + "SV-230389" ], - "id": "controls/SV-230487.rb" + "id": "controls/SV-230389.rb" }, { "title": null, "controls": [ - "SV-230325" + "SV-230253" ], - "id": "controls/SV-230325.rb" + "id": "controls/SV-230253.rb" }, { "title": null, "controls": [ - "SV-230473" + "SV-237641" ], - "id": "controls/SV-230473.rb" + "id": "controls/SV-237641.rb" }, { "title": null, "controls": [ - "SV-230408" + "SV-230456" ], - "id": "controls/SV-230408.rb" + "id": "controls/SV-230456.rb" }, { "title": null, "controls": [ - "SV-230557" + "SV-230554" ], - "id": "controls/SV-230557.rb" + "id": "controls/SV-230554.rb" }, { "title": null, "controls": [ - "SV-230505" + "SV-230504" ], - "id": "controls/SV-230505.rb" + "id": "controls/SV-230504.rb" }, { "title": null, "controls": [ - "SV-237643" + "SV-230419" ], - "id": "controls/SV-237643.rb" + "id": "controls/SV-230419.rb" }, { "title": null, "controls": [ - "SV-230340" + "SV-230399" ], - "id": "controls/SV-230340.rb" + "id": "controls/SV-230399.rb" }, { "title": null, "controls": [ - "SV-230350" + "SV-230228" ], - "id": "controls/SV-230350.rb" + "id": "controls/SV-230228.rb" }, { "title": null, "controls": [ - "SV-244543" + "SV-230262" ], - "id": "controls/SV-244543.rb" + "id": "controls/SV-230262.rb" }, { "title": null, "controls": [ - "SV-230260" + "SV-230515" ], - "id": "controls/SV-230260.rb" + "id": "controls/SV-230515.rb" }, { "title": null, "controls": [ - "SV-230504" + "SV-230359" ], - "id": "controls/SV-230504.rb" + "id": "controls/SV-230359.rb" }, { "title": null, "controls": [ - "SV-230302" + "SV-230468" ], - "id": "controls/SV-230302.rb" + "id": "controls/SV-230468.rb" }, { "title": null, "controls": [ - "SV-230281" + "SV-230434" ], - "id": "controls/SV-230281.rb" + "id": "controls/SV-230434.rb" }, { "title": null, "controls": [ - "SV-230510" + "SV-244531" ], - "id": "controls/SV-230510.rb" + "id": "controls/SV-244531.rb" }, { "title": null, "controls": [ - "SV-244534" + "SV-230385" ], - "id": "controls/SV-244534.rb" + 
"id": "controls/SV-230385.rb" }, { "title": null, "controls": [ - "SV-230299" + "SV-230475" ], - "id": "controls/SV-230299.rb" + "id": "controls/SV-230475.rb" }, { "title": null, "controls": [ - "SV-230421" + "SV-230413" ], - "id": "controls/SV-230421.rb" + "id": "controls/SV-230413.rb" }, { "title": null, "controls": [ - "SV-230544" + "SV-230256" ], - "id": "controls/SV-230544.rb" + "id": "controls/SV-230256.rb" }, { "title": null, "controls": [ - "SV-230333" + "SV-230463" ], - "id": "controls/SV-230333.rb" + "id": "controls/SV-230463.rb" }, { "title": null, "controls": [ - "SV-256973" + "SV-230279" ], - "id": "controls/SV-256973.rb" + "id": "controls/SV-230279.rb" }, { "title": null, "controls": [ - "SV-256974" + "SV-230343" ], - "id": "controls/SV-256974.rb" + "id": "controls/SV-230343.rb" }, { "title": null, "controls": [ - "SV-230282" + "SV-230225" ], - "id": "controls/SV-230282.rb" + "id": "controls/SV-230225.rb" }, { "title": null, "controls": [ - "SV-230455" + "SV-230348" ], - "id": "controls/SV-230455.rb" + "id": "controls/SV-230348.rb" }, { "title": null, "controls": [ - "SV-230244" + "SV-230303" ], - "id": "controls/SV-230244.rb" + "id": "controls/SV-230303.rb" }, { "title": null, "controls": [ - "SV-230227" + "SV-244534" ], - "id": "controls/SV-230227.rb" + "id": "controls/SV-244534.rb" }, { "title": null, "controls": [ - "SV-230222" + "SV-244546" ], - "id": "controls/SV-230222.rb" + "id": "controls/SV-244546.rb" }, { "title": null, "controls": [ - "SV-230394" + "SV-230316" ], - "id": "controls/SV-230394.rb" + "id": "controls/SV-230316.rb" }, { "title": null, "controls": [ - "SV-230257" + "SV-230272" ], - "id": "controls/SV-230257.rb" + "id": "controls/SV-230272.rb" }, { "title": null, "controls": [ - "SV-244545" + "SV-230293" ], - "id": "controls/SV-244545.rb" + "id": "controls/SV-230293.rb" }, { "title": null, "controls": [ - "SV-230335" + "SV-251708" ], - "id": "controls/SV-230335.rb" + "id": "controls/SV-251708.rb" }, { "title": null, "controls": [ 
- "SV-230389" + "SV-230430" ], - "id": "controls/SV-230389.rb" + "id": "controls/SV-230430.rb" }, { "title": null, "controls": [ - "SV-230375" + "SV-230530" ], - "id": "controls/SV-230375.rb" + "id": "controls/SV-230530.rb" }, { "title": null, "controls": [ - "SV-230514" + "SV-230299" ], - "id": "controls/SV-230514.rb" + "id": "controls/SV-230299.rb" }, { "title": null, "controls": [ - "SV-251710" + "SV-230473" ], - "id": "controls/SV-251710.rb" + "id": "controls/SV-230473.rb" }, { "title": null, "controls": [ - "SV-230446" + "SV-230469" ], - "id": "controls/SV-230446.rb" + "id": "controls/SV-230469.rb" }, { "title": null, "controls": [ - "SV-230400" + "SV-230526" ], - "id": "controls/SV-230400.rb" + "id": "controls/SV-230526.rb" }, { "title": null, "controls": [ - "SV-230372" + "SV-230509" ], - "id": "controls/SV-230372.rb" + "id": "controls/SV-230509.rb" }, { "title": null, "controls": [ - "SV-230324" + "SV-230313" ], - "id": "controls/SV-230324.rb" + "id": "controls/SV-230313.rb" }, { "title": null, "controls": [ - "SV-230519" + "SV-237642" ], - "id": "controls/SV-230519.rb" + "id": "controls/SV-237642.rb" }, { "title": null, "controls": [ - "SV-230412" + "SV-230344" ], - "id": "controls/SV-230412.rb" + "id": "controls/SV-230344.rb" }, { "title": null, "controls": [ - "SV-230393" + "SV-230449" ], - "id": "controls/SV-230393.rb" + "id": "controls/SV-230449.rb" }, { "title": null, "controls": [ - "SV-230438" + "SV-230243" ], - "id": "controls/SV-230438.rb" + "id": "controls/SV-230243.rb" }, { "title": null, "controls": [ - "SV-230336" + "SV-230480" ], - "id": "controls/SV-230336.rb" + "id": "controls/SV-230480.rb" }, { "title": null, "controls": [ - "SV-230484" + "SV-230291" ], - "id": "controls/SV-230484.rb" + "id": "controls/SV-230291.rb" }, { "title": null, "controls": [ - "SV-230456" + "SV-230387" ], - "id": "controls/SV-230456.rb" + "id": "controls/SV-230387.rb" }, { "title": null, "controls": [ - "SV-230515" + "SV-230553" ], - "id": "controls/SV-230515.rb" + 
"id": "controls/SV-230553.rb" }, { "title": null, "controls": [ - "SV-230304" + "SV-230543" ], - "id": "controls/SV-230304.rb" + "id": "controls/SV-230543.rb" }, { "title": null, "controls": [ - "SV-244525" + "SV-230325" ], - "id": "controls/SV-244525.rb" + "id": "controls/SV-230325.rb" }, { "title": null, "controls": [ - "SV-230330" + "SV-250315" ], - "id": "controls/SV-230330.rb" + "id": "controls/SV-250315.rb" }, { "title": null, "controls": [ - "SV-230407" + "SV-230238" ], - "id": "controls/SV-230407.rb" + "id": "controls/SV-230238.rb" }, { "title": null, "controls": [ - "SV-230530" + "SV-230336" ], - "id": "controls/SV-230530.rb" + "id": "controls/SV-230336.rb" }, { "title": null, "controls": [ - "SV-230321" + "SV-230427" ], - "id": "controls/SV-230321.rb" + "id": "controls/SV-230427.rb" }, { "title": null, "controls": [ - "SV-230311" + "SV-244536" ], - "id": "controls/SV-230311.rb" + "id": "controls/SV-244536.rb" }, { "title": null, "controls": [ - "SV-230381" + "SV-230341" ], - "id": "controls/SV-230381.rb" + "id": "controls/SV-230341.rb" }, { "title": null, "controls": [ - "SV-230314" + "SV-230506" ], - "id": "controls/SV-230314.rb" + "id": "controls/SV-230506.rb" }, { "title": null, "controls": [ - "SV-244531" + "SV-230227" ], - "id": "controls/SV-244531.rb" + "id": "controls/SV-230227.rb" }, { "title": null, "controls": [ - "SV-230436" + "SV-230277" ], - "id": "controls/SV-230436.rb" + "id": "controls/SV-230277.rb" }, { "title": null, "controls": [ - "SV-230426" + "SV-230424" ], - "id": "controls/SV-230426.rb" + "id": "controls/SV-230424.rb" }, { "title": null, 
@@ -15487,436 +15480,436 @@ { "title": null, "controls": [ - "SV-230498" + "SV-230233" ], - "id": "controls/SV-230498.rb" + "id": "controls/SV-230233.rb" }, { "title": null, "controls": [ - "SV-230284" + "SV-251716" ], - "id": "controls/SV-230284.rb" + "id": "controls/SV-251716.rb" }, { "title": null, "controls": [ - "SV-230344" + "SV-230433" ], - "id": "controls/SV-230344.rb" + "id": "controls/SV-230433.rb" }, { "title": null, "controls": [ - "SV-251709" + "SV-230309" ], - "id": "controls/SV-251709.rb" + "id": "controls/SV-230309.rb" }, { "title": null, "controls": [ - "SV-230286" + "SV-230422" ], - "id": "controls/SV-230286.rb" + "id": "controls/SV-230422.rb" }, { "title": null, "controls": [ - "SV-230363" + "SV-244537" ], - "id": "controls/SV-230363.rb" + "id": "controls/SV-244537.rb" }, { "title": null, "controls": [ - "SV-230261" + "SV-230487" ], - "id": "controls/SV-230261.rb" + "id": "controls/SV-230487.rb" }, { "title": null, "controls": [ - "SV-244551" + "SV-230267" ], - "id": "controls/SV-244551.rb" + "id": "controls/SV-230267.rb" }, { "title": null, "controls": [ - "SV-230402" + "SV-230334" ], - "id": "controls/SV-230402.rb" + "id": "controls/SV-230334.rb" }, { "title": null, "controls": [ - "SV-230522" + "SV-251712" ], - "id": "controls/SV-230522.rb" + "id": "controls/SV-251712.rb" }, { "title": null, "controls": [ - "SV-244547" + "SV-230390" ], - "id": "controls/SV-244547.rb" + "id": "controls/SV-230390.rb" }, { "title": null, "controls": [ - "SV-230472" + "SV-230254" ], - "id": "controls/SV-230472.rb" + "id": "controls/SV-230254.rb" }, { "title": null, "controls": [ - "SV-230433" + "SV-230426" ], - "id": "controls/SV-230433.rb" + "id": "controls/SV-230426.rb" }, { "title": null, "controls": [ - "SV-244524" + "SV-230500" ], - "id": "controls/SV-244524.rb" + "id": "controls/SV-230500.rb" }, { "title": null, "controls": [ - "SV-230523" + "SV-230266" ], - "id": "controls/SV-230523.rb" + "id": "controls/SV-230266.rb" }, { "title": null, "controls": [ - 
"SV-251708" + "SV-230382" ], - "id": "controls/SV-251708.rb" + "id": "controls/SV-230382.rb" }, { "title": null, "controls": [ - "SV-230327" + "SV-230240" ], - "id": "controls/SV-230327.rb" + "id": "controls/SV-230240.rb" }, { "title": null, "controls": [ - "SV-230444" + "SV-230481" ], - "id": "controls/SV-230444.rb" + "id": "controls/SV-230481.rb" }, { "title": null, "controls": [ - "SV-230474" + "SV-230337" ], - "id": "controls/SV-230474.rb" + "id": "controls/SV-230337.rb" }, { "title": null, "controls": [ - "SV-230265" + "SV-230411" ], - "id": "controls/SV-230265.rb" + "id": "controls/SV-230411.rb" }, { "title": null, "controls": [ - "SV-230365" + "SV-230287" ], - "id": "controls/SV-230365.rb" + "id": "controls/SV-230287.rb" }, { "title": null, "controls": [ - "SV-230527" + "SV-230538" ], - "id": "controls/SV-230527.rb" + "id": "controls/SV-230538.rb" }, { "title": null, "controls": [ - "SV-230254" + "SV-230393" ], - "id": "controls/SV-230254.rb" + "id": "controls/SV-230393.rb" }, { "title": null, "controls": [ - "SV-230253" + "SV-230535" ], - "id": "controls/SV-230253.rb" + "id": "controls/SV-230535.rb" }, { "title": null, "controls": [ - "SV-230560" + "SV-244523" ], - "id": "controls/SV-230560.rb" + "id": "controls/SV-244523.rb" }, { "title": null, "controls": [ - "SV-230234" + "SV-230467" ], - "id": "controls/SV-230234.rb" + "id": "controls/SV-230467.rb" }, { "title": null, "controls": [ - "SV-230326" + "SV-230320" ], - "id": "controls/SV-230326.rb" + "id": "controls/SV-230320.rb" }, { "title": null, "controls": [ - "SV-230367" + "SV-230383" ], - "id": "controls/SV-230367.rb" + "id": "controls/SV-230383.rb" }, { "title": null, "controls": [ - "SV-230353" + "SV-230321" ], - "id": "controls/SV-230353.rb" + "id": "controls/SV-230321.rb" }, { "title": null, "controls": [ - "SV-230397" + "SV-230540" ], - "id": "controls/SV-230397.rb" + "id": "controls/SV-230540.rb" }, { "title": null, "controls": [ - "SV-230525" + "SV-230338" ], - "id": "controls/SV-230525.rb" + 
"id": "controls/SV-230338.rb" }, { "title": null, "controls": [ - "SV-230406" + "SV-230274" ], - "id": "controls/SV-230406.rb" + "id": "controls/SV-230274.rb" }, { "title": null, "controls": [ - "SV-230373" + "SV-230552" ], - "id": "controls/SV-230373.rb" + "id": "controls/SV-230552.rb" }, { "title": null, "controls": [ - "SV-230361" + "SV-230485" ], - "id": "controls/SV-230361.rb" + "id": "controls/SV-230485.rb" }, { "title": null, "controls": [ - "SV-257258" + "SV-230398" ], - "id": "controls/SV-257258.rb" + "id": "controls/SV-230398.rb" }, { "title": null, "controls": [ - "SV-230492" + "SV-230436" ], - "id": "controls/SV-230492.rb" + "id": "controls/SV-230436.rb" }, { "title": null, "controls": [ - "SV-230379" + "SV-230491" ], - "id": "controls/SV-230379.rb" + "id": "controls/SV-230491.rb" }, { "title": null, "controls": [ - "SV-230252" + "SV-256974" ], - "id": "controls/SV-230252.rb" + "id": "controls/SV-256974.rb" }, { "title": null, "controls": [ - "SV-230480" + "SV-230235" ], - "id": "controls/SV-230480.rb" + "id": "controls/SV-230235.rb" }, { "title": null, "controls": [ - "SV-230368" + "SV-230494" ], - "id": "controls/SV-230368.rb" + "id": "controls/SV-230494.rb" }, { "title": null, "controls": [ - "SV-230517" + "SV-230444" ], - "id": "controls/SV-230517.rb" + "id": "controls/SV-230444.rb" }, { "title": null, "controls": [ - "SV-230556" + "SV-244535" ], - "id": "controls/SV-230556.rb" + "id": "controls/SV-244535.rb" }, { "title": null, "controls": [ - "SV-230512" + "SV-230516" ], - "id": "controls/SV-230512.rb" + "id": "controls/SV-230516.rb" }, { "title": null, "controls": [ - "SV-230448" + "SV-230539" ], - "id": "controls/SV-230448.rb" + "id": "controls/SV-230539.rb" }, { "title": null, "controls": [ - "SV-230506" + "SV-251718" ], - "id": "controls/SV-230506.rb" + "id": "controls/SV-251718.rb" }, { "title": null, "controls": [ - "SV-250315" + "SV-230549" ], - "id": "controls/SV-250315.rb" + "id": "controls/SV-230549.rb" }, { "title": null, "controls": [ 
- "SV-230238" + "SV-230478" ], - "id": "controls/SV-230238.rb" + "id": "controls/SV-230478.rb" }, { "title": null, "controls": [ - "SV-230237" + "SV-230231" ], - "id": "controls/SV-230237.rb" + "id": "controls/SV-230231.rb" }, { "title": null, "controls": [ - "SV-230410" + "SV-230296" ], - "id": "controls/SV-230410.rb" + "id": "controls/SV-230296.rb" }, { "title": null, "controls": [ - "SV-251715" + "SV-230302" ], - "id": "controls/SV-251715.rb" + "id": "controls/SV-230302.rb" }, { "title": null, "controls": [ - "SV-230307" + "SV-230402" ], - "id": "controls/SV-230307.rb" + "id": "controls/SV-230402.rb" }, { "title": null, "controls": [ - "SV-230398" + "SV-244550" ], - "id": "controls/SV-230398.rb" + "id": "controls/SV-244550.rb" }, { "title": null, "controls": [ - "SV-230468" + "SV-230249" ], - "id": "controls/SV-230468.rb" + "id": "controls/SV-230249.rb" }, { "title": null, "controls": [ - "SV-230359" + "SV-230518" ], - "id": "controls/SV-230359.rb" + "id": "controls/SV-230518.rb" }, { "title": null, "controls": [ - "SV-230546" + "SV-230364" ], - "id": "controls/SV-230546.rb" + "id": "controls/SV-230364.rb" }, { "title": null, "controls": [ - "SV-230508" + "SV-230356" ], - "id": "controls/SV-230508.rb" + "id": "controls/SV-230356.rb" }, { "title": null, "controls": [ - "SV-230323" + "SV-244540" ], - "id": "controls/SV-230323.rb" + "id": "controls/SV-244540.rb" }, { "title": null, "controls": [ - "SV-230273" + "SV-230257" ], - "id": "controls/SV-230273.rb" + "id": "controls/SV-230257.rb" }, { "title": null, "controls": [ - "SV-230255" + "SV-230429" ], - "id": "controls/SV-230255.rb" + "id": "controls/SV-230429.rb" }, { "title": null, "controls": [ - "SV-230521" + "SV-244521" ], - "id": "controls/SV-230521.rb" + "id": "controls/SV-244521.rb" }, { "title": null, "controls": [ - "SV-230466" + "SV-230498" ], - "id": "controls/SV-230466.rb" + "id": "controls/SV-230498.rb" }, { "title": null, "controls": [ - "SV-230496" + "SV-230408" ], - "id": "controls/SV-230496.rb" + 
"id": "controls/SV-230408.rb" }, { "title": null, 
@@ -15928,303 +15921,303 @@ { "title": null, "controls": [ - "SV-230439" + "SV-251713" ], - "id": "controls/SV-230439.rb" + "id": "controls/SV-251713.rb" }, { "title": null, "controls": [ - "SV-230503" + "SV-230462" ], - "id": "controls/SV-230503.rb" + "id": "controls/SV-230462.rb" }, { "title": null, "controls": [ - "SV-230550" + "SV-230373" ], - "id": "controls/SV-230550.rb" + "id": "controls/SV-230373.rb" }, { "title": null, "controls": [ - "SV-230547" + "SV-244528" ], - "id": "controls/SV-230547.rb" + "id": "controls/SV-244528.rb" }, { "title": null, "controls": [ - "SV-237641" + "SV-230236" ], - "id": "controls/SV-237641.rb" + "id": "controls/SV-230236.rb" }, { "title": null, "controls": [ - "SV-230554" + "SV-237640" ], - "id": "controls/SV-230554.rb" + "id": "controls/SV-237640.rb" }, { "title": null, "controls": [ - "SV-230532" + "SV-230438" ], - "id": "controls/SV-230532.rb" + "id": "controls/SV-230438.rb" }, { "title": null, "controls": [ - "SV-254520" + "SV-245540" ], - "id": "controls/SV-254520.rb" + "id": "controls/SV-245540.rb" }, { "title": null, "controls": [ - "SV-230387" + "SV-230527" ], - "id": "controls/SV-230387.rb" + "id": "controls/SV-230527.rb" }, { "title": null, "controls": [ - "SV-230392" + "SV-230261" ], - "id": "controls/SV-230392.rb" + "id": "controls/SV-230261.rb" }, { "title": null, "controls": [ - "SV-230428" + "SV-230423" ], - "id": "controls/SV-230428.rb" + "id": "controls/SV-230423.rb" }, { "title": null, "controls": [ - "SV-230543" + "SV-230479" ], - "id": "controls/SV-230543.rb" + "id": "controls/SV-230479.rb" }, { "title": null, "controls": [ - "SV-230430" + "SV-230260" ], - "id": "controls/SV-230430.rb" + "id": "controls/SV-230260.rb" }, { "title": null, "controls": [ - "SV-230399" + "SV-230329" ], - "id": "controls/SV-230399.rb" + "id": "controls/SV-230329.rb" }, { "title": null, "controls": [ - "SV-230511" + "SV-244533" ], - "id": "controls/SV-230511.rb" + "id": "controls/SV-244533.rb" }, { "title": null, "controls": [ - 
"SV-230298" + "SV-230448" ], - "id": "controls/SV-230298.rb" + "id": "controls/SV-230448.rb" }, { "title": null, "controls": [ - "SV-230497" + "SV-230557" ], - "id": "controls/SV-230497.rb" + "id": "controls/SV-230557.rb" }, { "title": null, "controls": [ - "SV-230279" + "SV-230347" ], - "id": "controls/SV-230279.rb" + "id": "controls/SV-230347.rb" }, { "title": null, "controls": [ - "SV-244541" + "SV-230255" ], - "id": "controls/SV-244541.rb" + "id": "controls/SV-230255.rb" }, { "title": null, "controls": [ - "SV-230478" + "SV-230352" ], - "id": "controls/SV-230478.rb" + "id": "controls/SV-230352.rb" }, { "title": null, "controls": [ - "SV-230477" + "SV-230521" ], - "id": "controls/SV-230477.rb" + "id": "controls/SV-230521.rb" }, { "title": null, "controls": [ - "SV-230250" + "SV-230328" ], - "id": "controls/SV-230250.rb" + "id": "controls/SV-230328.rb" }, { "title": null, "controls": [ - "SV-230432" + "SV-244547" ], - "id": "controls/SV-230432.rb" + "id": "controls/SV-244547.rb" }, { "title": null, "controls": [ - "SV-230463" + "SV-230290" ], - "id": "controls/SV-230463.rb" + "id": "controls/SV-230290.rb" }, { "title": null, "controls": [ - "SV-230366" + "SV-230392" ], - "id": "controls/SV-230366.rb" + "id": "controls/SV-230392.rb" }, { "title": null, "controls": [ - "SV-230469" + "SV-244525" ], - "id": "controls/SV-230469.rb" + "id": "controls/SV-244525.rb" }, { "title": null, "controls": [ - "SV-230471" + "SV-230482" ], - "id": "controls/SV-230471.rb" + "id": "controls/SV-230482.rb" }, { "title": null, "controls": [ - "SV-230322" + "SV-244538" ], - "id": "controls/SV-230322.rb" + "id": "controls/SV-244538.rb" }, { "title": null, "controls": [ - "SV-230551" + "SV-230283" ], - "id": "controls/SV-230551.rb" + "id": "controls/SV-230283.rb" }, { "title": null, "controls": [ - "SV-230287" + "SV-230556" ], - "id": "controls/SV-230287.rb" + "id": "controls/SV-230556.rb" }, { "title": null, "controls": [ - "SV-244530" + "SV-251715" ], - "id": "controls/SV-244530.rb" + 
"id": "controls/SV-251715.rb" }, { "title": null, "controls": [ - "SV-230449" + "SV-230278" ], - "id": "controls/SV-230449.rb" + "id": "controls/SV-230278.rb" }, { "title": null, "controls": [ - "SV-230553" + "SV-230366" ], - "id": "controls/SV-230553.rb" + "id": "controls/SV-230366.rb" }, { "title": null, "controls": [ - "SV-230470" + "SV-230258" ], - "id": "controls/SV-230470.rb" + "id": "controls/SV-230258.rb" }, { "title": null, "controls": [ - "SV-230520" + "SV-230239" ], - "id": "controls/SV-230520.rb" + "id": "controls/SV-230239.rb" }, { "title": null, "controls": [ - "SV-230538" + "SV-230437" ], - "id": "controls/SV-230538.rb" + "id": "controls/SV-230437.rb" }, { "title": null, "controls": [ - "SV-251711" + "SV-244527" ], - "id": "controls/SV-251711.rb" + "id": "controls/SV-244527.rb" }, { "title": null, "controls": [ - "SV-244554" + "SV-251706" ], - "id": "controls/SV-244554.rb" + "id": "controls/SV-251706.rb" }, { "title": null, "controls": [ - "SV-230552" + "SV-230484" ], - "id": "controls/SV-230552.rb" + "id": "controls/SV-230484.rb" }, { "title": null, "controls": [ - "SV-230465" + "SV-244530" ], - "id": "controls/SV-230465.rb" + "id": "controls/SV-244530.rb" }, { "title": null, "controls": [ - "SV-230418" + "SV-244549" ], - "id": "controls/SV-230418.rb" + "id": "controls/SV-244549.rb" }, { "title": null, "controls": [ - "SV-230483" + "SV-230474" ], - "id": "controls/SV-230483.rb" + "id": "controls/SV-230474.rb" }, { "title": null, "controls": [ - "SV-244542" + "SV-230537" ], - "id": "controls/SV-244542.rb" + "id": "controls/SV-230537.rb" }, { "title": null, 
@@ -16236,597 +16229,604 @@ { "title": null, "controls": [ - "SV-244532" + "SV-244551" ], - "id": "controls/SV-244532.rb" + "id": "controls/SV-244551.rb" }, { "title": null, "controls": [ - "SV-230269" + "SV-244541" ], - "id": "controls/SV-230269.rb" + "id": "controls/SV-244541.rb" }, { "title": null, "controls": [ - "SV-230264" + "SV-230317" ], - "id": "controls/SV-230264.rb" + "id": "controls/SV-230317.rb" }, { "title": null, "controls": [ - "SV-244527" + "SV-230319" ], - "id": "controls/SV-244527.rb" + "id": "controls/SV-230319.rb" }, { "title": null, "controls": [ - "SV-230329" + "SV-230300" ], - "id": "controls/SV-230329.rb" + "id": "controls/SV-230300.rb" }, { "title": null, "controls": [ - "SV-244549" + "SV-230355" ], - "id": "controls/SV-244549.rb" + "id": "controls/SV-230355.rb" }, { "title": null, "controls": [ - "SV-230482" + "SV-230246" ], - "id": "controls/SV-230482.rb" + "id": "controls/SV-230246.rb" }, { "title": null, "controls": [ - "SV-230383" + "SV-230486" ], - "id": "controls/SV-230383.rb" + "id": "controls/SV-230486.rb" }, { "title": null, "controls": [ - "SV-255924" + "SV-230232" ], - "id": "controls/SV-255924.rb" + "id": "controls/SV-230232.rb" }, { "title": null, "controls": [ - "SV-230278" + "SV-230470" ], - "id": "controls/SV-230278.rb" + "id": "controls/SV-230470.rb" }, { "title": null, "controls": [ - "SV-230258" + "SV-230395" ], - "id": "controls/SV-230258.rb" + "id": "controls/SV-230395.rb" }, { "title": null, "controls": [ - "SV-230540" + "SV-251714" ], - "id": "controls/SV-230540.rb" + "id": "controls/SV-251714.rb" }, { "title": null, "controls": [ - "SV-230529" + "SV-230308" ], - "id": "controls/SV-230529.rb" + "id": "controls/SV-230308.rb" }, { "title": null, "controls": [ - "SV-230475" + "SV-250317" ], - "id": "controls/SV-230475.rb" + "id": "controls/SV-250317.rb" }, { "title": null, "controls": [ - "SV-251706" + "SV-230384" ], - "id": "controls/SV-251706.rb" + "id": "controls/SV-230384.rb" }, { "title": null, "controls": [ - 
"SV-230411" + "SV-230503" ], - "id": "controls/SV-230411.rb" + "id": "controls/SV-230503.rb" }, { "title": null, "controls": [ - "SV-230346" + "SV-230314" ], - "id": "controls/SV-230346.rb" + "id": "controls/SV-230314.rb" }, { "title": null, "controls": [ - "SV-230493" + "SV-230247" ], - "id": "controls/SV-230493.rb" + "id": "controls/SV-230247.rb" + }, + { + "title": null, + "controls": [ + "SV-230502" + ], + "id": "controls/SV-230502.rb" }, { "title": null, "controls": [ - "SV-244536" + "SV-230377" ], - "id": "controls/SV-244536.rb" + "id": "controls/SV-230377.rb" }, { "title": null, "controls": [ - "SV-230245" + "SV-230542" ], - "id": "controls/SV-230245.rb" + "id": "controls/SV-230542.rb" }, { "title": null, "controls": [ - "SV-230431" + "SV-230519" ], - "id": "controls/SV-230431.rb" + "id": "controls/SV-230519.rb" }, { "title": null, "controls": [ - "SV-230356" + "SV-230286" ], - "id": "controls/SV-230356.rb" + "id": "controls/SV-230286.rb" }, { "title": null, "controls": [ - "SV-230485" + "SV-230311" ], - "id": "controls/SV-230485.rb" + "id": "controls/SV-230311.rb" }, { "title": null, "controls": [ - "SV-230390" + "SV-230431" ], - "id": "controls/SV-230390.rb" + "id": "controls/SV-230431.rb" }, { "title": null, "controls": [ - "SV-230537" + "SV-230446" ], - "id": "controls/SV-230537.rb" + "id": "controls/SV-230446.rb" }, { "title": null, "controls": [ - "SV-230266" + "SV-244542" ], - "id": "controls/SV-230266.rb" + "id": "controls/SV-244542.rb" }, { "title": null, "controls": [ - "SV-230296" + "SV-230425" ], - "id": "controls/SV-230296.rb" + "id": "controls/SV-230425.rb" }, { "title": null, "controls": [ - "SV-230345" + "SV-244545" ], - "id": "controls/SV-230345.rb" + "id": "controls/SV-244545.rb" }, { "title": null, "controls": [ - "SV-230377" + "SV-251717" ], - "id": "controls/SV-230377.rb" + "id": "controls/SV-251717.rb" }, { "title": null, "controls": [ - "SV-230447" + "SV-230335" ], - "id": "controls/SV-230447.rb" + "id": "controls/SV-230335.rb" }, { 
"title": null, "controls": [ - "SV-230494" + "SV-230560" ], - "id": "controls/SV-230494.rb" + "id": "controls/SV-230560.rb" }, { "title": null, "controls": [ - "SV-230486" + "SV-230241" ], - "id": "controls/SV-230486.rb" + "id": "controls/SV-230241.rb" }, { "title": null, "controls": [ - "SV-230462" + "SV-230455" ], - "id": "controls/SV-230462.rb" + "id": "controls/SV-230455.rb" }, { "title": null, "controls": [ - "SV-230409" + "SV-230525" ], - "id": "controls/SV-230409.rb" + "id": "controls/SV-230525.rb" }, { "title": null, "controls": [ - "SV-230542" + "SV-251711" ], - "id": "controls/SV-230542.rb" + "id": "controls/SV-251711.rb" }, { "title": null, "controls": [ - "SV-244552" + "SV-230476" ], - "id": "controls/SV-244552.rb" + "id": "controls/SV-230476.rb" }, { "title": null, "controls": [ - "SV-244539" + "SV-230375" ], - "id": "controls/SV-244539.rb" + "id": "controls/SV-230375.rb" }, { "title": null, "controls": [ - "SV-230533" + "SV-230404" ], - "id": "controls/SV-230533.rb" + "id": "controls/SV-230404.rb" }, { "title": null, "controls": [ - "SV-230246" + "SV-244526" ], - "id": "controls/SV-230246.rb" + "id": "controls/SV-244526.rb" }, { "title": null, "controls": [ - "SV-230491" + "SV-230465" ], - "id": "controls/SV-230491.rb" + "id": "controls/SV-230465.rb" }, { "title": null, "controls": [ - "SV-230509" + "SV-230546" ], - "id": "controls/SV-230509.rb" + "id": "controls/SV-230546.rb" }, { "title": null, "controls": [ - "SV-230541" + "SV-230493" ], - "id": "controls/SV-230541.rb" + "id": "controls/SV-230493.rb" }, { "title": null, "controls": [ - "SV-230360" + "SV-230505" ], - "id": "controls/SV-230360.rb" + "id": "controls/SV-230505.rb" }, { "title": null, "controls": [ - "SV-230384" + "SV-230492" ], - "id": "controls/SV-230384.rb" + "id": "controls/SV-230492.rb" }, { "title": null, "controls": [ - "SV-230370" + "SV-230439" ], - "id": "controls/SV-230370.rb" + "id": "controls/SV-230439.rb" }, { "title": null, "controls": [ - "SV-230424" + "SV-230544" ], - 
"id": "controls/SV-230424.rb" + "id": "controls/SV-230544.rb" }, { "title": null, "controls": [ - "SV-230270" + "SV-230409" ], - "id": "controls/SV-230270.rb" + "id": "controls/SV-230409.rb" }, { "title": null, "controls": [ - "SV-251717" + "SV-230517" ], - "id": "controls/SV-251717.rb" + "id": "controls/SV-230517.rb" }, { "title": null, "controls": [ - "SV-244526" + "SV-230224" ], - "id": "controls/SV-244526.rb" + "id": "controls/SV-230224.rb" }, { "title": null, "controls": [ - "SV-230251" + "SV-250316" ], - "id": "controls/SV-230251.rb" + "id": "controls/SV-250316.rb" }, { "title": null, "controls": [ - "SV-230425" + "SV-244543" ], - "id": "controls/SV-230425.rb" + "id": "controls/SV-244543.rb" }, { "title": null, "controls": [ - "SV-230274" + "SV-230520" ], - "id": "controls/SV-230274.rb" + "id": "controls/SV-230520.rb" }, { "title": null, "controls": [ - "SV-230535" + "SV-230370" ], - "id": "controls/SV-230535.rb" + "id": "controls/SV-230370.rb" }, { "title": null, "controls": [ - "SV-230545" + "SV-230250" ], - "id": "controls/SV-230545.rb" + "id": "controls/SV-230250.rb" }, { "title": null, "controls": [ - "SV-230364" + "SV-230346" ], - "id": "controls/SV-230364.rb" + "id": "controls/SV-230346.rb" }, { "title": null, "controls": [ - "SV-230376" + "SV-230371" ], - "id": "controls/SV-230376.rb" + "id": "controls/SV-230371.rb" }, { "title": null, "controls": [ - "SV-230300" + "SV-230529" ], - "id": "controls/SV-230300.rb" + "id": "controls/SV-230529.rb" }, { "title": null, "controls": [ - "SV-230301" + "SV-230559" ], - "id": "controls/SV-230301.rb" + "id": "controls/SV-230559.rb" }, { "title": null, "controls": [ - "SV-230429" + "SV-230322" ], - "id": "controls/SV-230429.rb" + "id": "controls/SV-230322.rb" }, { "title": null, "controls": [ - "SV-237640" + "SV-230466" ], - "id": "controls/SV-237640.rb" + "id": "controls/SV-230466.rb" }, { "title": null, "controls": [ - "SV-230388" + "SV-230547" ], - "id": "controls/SV-230388.rb" + "id": "controls/SV-230547.rb" }, 
{ "title": null, "controls": [ - "SV-230371" + "SV-230245" ], - "id": "controls/SV-230371.rb" + "id": "controls/SV-230245.rb" }, { "title": null, "controls": [ - "SV-230403" + "SV-230288" ], - "id": "controls/SV-230403.rb" + "id": "controls/SV-230288.rb" }, { "title": null, "controls": [ - "SV-244544" + "SV-230357" ], - "id": "controls/SV-244544.rb" + "id": "controls/SV-230357.rb" }, { "title": null, "controls": [ - "SV-230305" + "SV-230522" ], - "id": "controls/SV-230305.rb" + "id": "controls/SV-230522.rb" }, { "title": null, "controls": [ - "SV-230276" + "SV-230265" ], - "id": "controls/SV-230276.rb" + "id": "controls/SV-230265.rb" }, { "title": null, "controls": [ - "SV-230262" + "SV-251710" ], - "id": "controls/SV-230262.rb" + "id": "controls/SV-251710.rb" }, { "title": null, "controls": [ - "SV-230531" + "SV-230306" ], - "id": "controls/SV-230531.rb" + "id": "controls/SV-230306.rb" }, { "title": null, "controls": [ - "SV-230561" + "SV-230292" ], - "id": "controls/SV-230561.rb" + "id": "controls/SV-230292.rb" }, { "title": null, "controls": [ - "SV-230280" + "SV-230555" ], - "id": "controls/SV-230280.rb" + "id": "controls/SV-230555.rb" }, { "title": null, "controls": [ - "SV-230548" + "SV-230251" ], - "id": "controls/SV-230548.rb" + "id": "controls/SV-230251.rb" }, { "title": null, "controls": [ - "SV-230341" + "SV-230374" ], - "id": "controls/SV-230341.rb" + "id": "controls/SV-230374.rb" }, { "title": null, "controls": [ - "SV-251714" + "SV-230536" ], - "id": "controls/SV-251714.rb" + "id": "controls/SV-230536.rb" }, { "title": null, "controls": [ - "SV-230319" + "SV-230428" ], - "id": "controls/SV-230319.rb" + "id": "controls/SV-230428.rb" }, { "title": null, "controls": [ - "SV-230230" + "SV-230410" ], - "id": "controls/SV-230230.rb" + "id": "controls/SV-230410.rb" }, { "title": null, "controls": [ - "SV-230419" + "SV-230312" ], - "id": "controls/SV-230419.rb" + "id": "controls/SV-230312.rb" }, { "title": null, "controls": [ - "SV-230233" + "SV-230263" ], - 
"id": "controls/SV-230233.rb" + "id": "controls/SV-230263.rb" }, { "title": null, "controls": [ - "SV-230526" + "SV-230483" ], - "id": "controls/SV-230526.rb" + "id": "controls/SV-230483.rb" }, { "title": null, "controls": [ - "SV-251718" + "SV-230497" ], - "id": "controls/SV-251718.rb" + "id": "controls/SV-230497.rb" }, { "title": null, "controls": [ - "SV-230524" + "SV-244519" ], - "id": "controls/SV-230524.rb" + "id": "controls/SV-244519.rb" }, { "title": null, "controls": [ - "SV-230295" + "SV-230298" ], - "id": "controls/SV-230295.rb" + "id": "controls/SV-230298.rb" }, { "title": null, "controls": [ - "SV-230374" + "SV-230401" ], - "id": "controls/SV-230374.rb" + "id": "controls/SV-230401.rb" }, { "title": null, "controls": [ - "SV-230338" + "SV-230488" ], - "id": "controls/SV-230338.rb" + "id": "controls/SV-230488.rb" }, { "title": null, "controls": [ - "SV-230303" + "SV-244554" ], - "id": "controls/SV-230303.rb" + "id": "controls/SV-244554.rb" }, { "title": null, "controls": [ - "SV-230413" + "SV-230244" ], - "id": "controls/SV-230413.rb" + "id": "controls/SV-230244.rb" }, { "title": null, 
@@ -16838,429 +16838,429 @@ { "title": null, "controls": [ - "SV-244540" + "SV-230541" ], - "id": "controls/SV-244540.rb" + "id": "controls/SV-230541.rb" }, { "title": null, "controls": [ - "SV-230422" + "SV-230230" ], - "id": "controls/SV-230422.rb" + "id": "controls/SV-230230.rb" }, { "title": null, "controls": [ - "SV-250317" + "SV-230386" ], - "id": "controls/SV-250317.rb" + "id": "controls/SV-230386.rb" }, { "title": null, "controls": [ - "SV-230241" + "SV-230270" ], - "id": "controls/SV-230241.rb" + "id": "controls/SV-230270.rb" }, { "title": null, "controls": [ - "SV-230354" + "SV-230548" ], - "id": "controls/SV-230354.rb" + "id": "controls/SV-230548.rb" }, { "title": null, "controls": [ - "SV-230549" + "SV-230281" ], - "id": "controls/SV-230549.rb" + "id": "controls/SV-230281.rb" }, { "title": null, "controls": [ - "SV-230357" + "SV-230285" ], - "id": "controls/SV-230357.rb" + "id": "controls/SV-230285.rb" }, { "title": null, "controls": [ - "SV-230247" + "SV-230349" ], - "id": "controls/SV-230247.rb" + "id": "controls/SV-230349.rb" }, { "title": null, "controls": [ - "SV-230423" + "SV-230381" ], - "id": "controls/SV-230423.rb" + "id": "controls/SV-230381.rb" }, { "title": null, "controls": [ - "SV-230539" + "SV-230464" ], - "id": "controls/SV-230539.rb" + "id": "controls/SV-230464.rb" }, { "title": null, "controls": [ - "SV-244535" + "SV-230324" ], - "id": "controls/SV-244535.rb" + "id": "controls/SV-230324.rb" }, { "title": null, "controls": [ - "SV-230317" + "SV-230472" ], - "id": "controls/SV-230317.rb" + "id": "controls/SV-230472.rb" }, { "title": null, "controls": [ - "SV-230313" + "SV-230259" ], - "id": "controls/SV-230313.rb" + "id": "controls/SV-230259.rb" }, { "title": null, "controls": [ - "SV-230502" + "SV-230551" ], - "id": "controls/SV-230502.rb" + "id": "controls/SV-230551.rb" }, { "title": null, "controls": [ - "SV-230292" + "SV-230499" ], - "id": "controls/SV-230292.rb" + "id": "controls/SV-230499.rb" }, { "title": null, "controls": [ - 
"SV-251707" + "SV-230533" ], - "id": "controls/SV-251707.rb" + "id": "controls/SV-230533.rb" }, { "title": null, "controls": [ - "SV-230559" + "SV-230435" ], - "id": "controls/SV-230559.rb" + "id": "controls/SV-230435.rb" }, { "title": null, "controls": [ - "SV-230507" + "SV-230496" ], - "id": "controls/SV-230507.rb" + "id": "controls/SV-230496.rb" }, { "title": null, "controls": [ - "SV-245540" + "SV-230339" ], - "id": "controls/SV-245540.rb" + "id": "controls/SV-230339.rb" }, { "title": null, "controls": [ - "SV-230294" + "SV-230369" ], - "id": "controls/SV-230294.rb" + "id": "controls/SV-230369.rb" }, { "title": null, "controls": [ - "SV-230427" + "SV-230511" ], - "id": "controls/SV-230427.rb" + "id": "controls/SV-230511.rb" }, { "title": null, "controls": [ - "SV-230437" + "SV-230318" ], - "id": "controls/SV-230437.rb" + "id": "controls/SV-230318.rb" }, { "title": null, "controls": [ - "SV-230481" + "SV-230271" ], - "id": "controls/SV-230481.rb" + "id": "controls/SV-230271.rb" }, { "title": null, "controls": [ - "SV-230309" + "SV-244552" ], - "id": "controls/SV-230309.rb" + "id": "controls/SV-244552.rb" }, { "title": null, "controls": [ - "SV-230291" + "SV-230273" ], - "id": "controls/SV-230291.rb" + "id": "controls/SV-230273.rb" }, { "title": null, "controls": [ - "SV-230283" + "SV-230432" ], - "id": "controls/SV-230283.rb" + "id": "controls/SV-230432.rb" }, { "title": null, "controls": [ - "SV-230434" + "SV-230513" ], - "id": "controls/SV-230434.rb" + "id": "controls/SV-230513.rb" }, { "title": null, "controls": [ - "SV-244538" + "SV-230406" ], - "id": "controls/SV-244538.rb" + "id": "controls/SV-230406.rb" }, { "title": null, "controls": [ - "SV-230404" + "SV-230280" ], - "id": "controls/SV-230404.rb" + "id": "controls/SV-230280.rb" }, { "title": null, "controls": [ - "SV-230288" + "SV-230248" ], - "id": "controls/SV-230288.rb" + "id": "controls/SV-230248.rb" }, { "title": null, "controls": [ - "SV-230231" + "SV-230226" ], - "id": "controls/SV-230231.rb" + 
"id": "controls/SV-230226.rb" }, { "title": null, "controls": [ - "SV-230332" + "SV-244544" ], - "id": "controls/SV-230332.rb" + "id": "controls/SV-244544.rb" }, { "title": null, "controls": [ - "SV-230555" + "SV-257258" ], - "id": "controls/SV-230555.rb" + "id": "controls/SV-257258.rb" }, { "title": null, "controls": [ - "SV-230495" + "SV-230327" ], - "id": "controls/SV-230495.rb" + "id": "controls/SV-230327.rb" }, { "title": null, "controls": [ - "SV-230249" + "SV-230524" ], - "id": "controls/SV-230249.rb" + "id": "controls/SV-230524.rb" }, { "title": null, "controls": [ - "SV-230476" + "SV-230295" ], - "id": "controls/SV-230476.rb" + "id": "controls/SV-230295.rb" }, { "title": null, "controls": [ - "SV-230347" + "SV-230315" ], - "id": "controls/SV-230347.rb" + "id": "controls/SV-230315.rb" }, { "title": null, "controls": [ - "SV-230518" + "SV-230275" ], - "id": "controls/SV-230518.rb" + "id": "controls/SV-230275.rb" }, { "title": null, "controls": [ - "SV-244546" + "SV-230397" ], - "id": "controls/SV-244546.rb" + "id": "controls/SV-230397.rb" }, { "title": null, "controls": [ - "SV-230488" + "SV-230372" ], - "id": "controls/SV-230488.rb" + "id": "controls/SV-230372.rb" }, { "title": null, "controls": [ - "SV-230499" + "SV-230523" ], - "id": "controls/SV-230499.rb" + "id": "controls/SV-230523.rb" }, { "title": null, "controls": [ - "SV-230386" + "SV-230380" ], - "id": "controls/SV-230386.rb" + "id": "controls/SV-230380.rb" }, { "title": null, "controls": [ - "SV-244523" + "SV-244529" ], - "id": "controls/SV-244523.rb" + "id": "controls/SV-244529.rb" }, { "title": null, "controls": [ - "SV-230369" + "SV-230507" ], - "id": "controls/SV-230369.rb" + "id": "controls/SV-230507.rb" }, { "title": null, "controls": [ - "SV-230263" + "SV-230362" ], - "id": "controls/SV-230263.rb" + "id": "controls/SV-230362.rb" }, { "title": null, "controls": [ - "SV-230405" + "SV-230365" ], - "id": "controls/SV-230405.rb" + "id": "controls/SV-230365.rb" }, { "title": null, "controls": [ 
- "SV-251712" + "SV-230301" ], - "id": "controls/SV-251712.rb" + "id": "controls/SV-230301.rb" }, { "title": null, "controls": [ - "SV-230348" + "SV-230403" ], - "id": "controls/SV-230348.rb" + "id": "controls/SV-230403.rb" }, { "title": null, "controls": [ - "SV-230232" + "SV-230363" ], - "id": "controls/SV-230232.rb" + "id": "controls/SV-230363.rb" }, { "title": null, "controls": [ - "SV-230285" + "SV-230304" ], - "id": "controls/SV-230285.rb" + "id": "controls/SV-230304.rb" }, { "title": null, "controls": [ - "SV-230228" + "SV-230264" ], - "id": "controls/SV-230228.rb" + "id": "controls/SV-230264.rb" }, { "title": null, "controls": [ - "SV-230290" + "SV-230307" ], - "id": "controls/SV-230290.rb" + "id": "controls/SV-230307.rb" }, { "title": null, "controls": [ - "SV-230236" + "SV-230268" ], - "id": "controls/SV-230236.rb" + "id": "controls/SV-230268.rb" }, { "title": null, "controls": [ - "SV-244548" + "SV-230330" ], - "id": "controls/SV-244548.rb" + "id": "controls/SV-230330.rb" }, { "title": null, "controls": [ - "SV-230223" + "SV-230354" ], - "id": "controls/SV-230223.rb" + "id": "controls/SV-230354.rb" }, { "title": null, "controls": [ - "SV-244519" + "SV-230405" ], - "id": "controls/SV-244519.rb" + "id": "controls/SV-230405.rb" }, { "title": null, "controls": [ - "SV-230272" + "SV-230379" ], - "id": "controls/SV-230272.rb" + "id": "controls/SV-230379.rb" }, { "title": null, "controls": [ - "SV-230534" + "SV-230512" ], - "id": "controls/SV-230534.rb" + "id": "controls/SV-230512.rb" }, { "title": null, "controls": [ - "SV-230380" + "SV-237643" ], - "id": "controls/SV-230380.rb" + "id": "controls/SV-237643.rb" }, { "title": null, "controls": [ - "SV-230352" + "SV-230412" ], - "id": "controls/SV-230352.rb" + "id": "controls/SV-230412.rb" }, { "title": null, "controls": [ - "SV-230259" + "SV-230508" ], - "id": "controls/SV-230259.rb" + "id": "controls/SV-230508.rb" } ], "sha256": "eaf08a3d96a7aa5443b59ee460282f9786d4e0d7c29c497bb7f767b20c6aef05", 
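Review bot: The `"sha256"` value on the trailing context line of this hunk is unchanged even though the file's content is not — the `groups` entries above it are rewritten and an earlier hunk in this same file adds a new group for `SV-230502`. If that field is the profile hash that consumers use to identify or verify the baseline, a content change without a matching hash change suggests the JSON was edited or regenerated from a source that was not re-hashed, and anything matching on the hash would then pair the old identity with the new content. It is worth confirming how the field is produced and, if it is derived from the profile, regenerating it together with the content; if it is intentionally stable across this kind of reordering, a sentence in the commit description saying so would spare the next reader the same check.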
diff --git a/src/assets/data/baselineProfiles/redhat-jboss-enterprise-application-platform-6.3-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-jboss-enterprise-application-platform-6.3-stig-baseline.json index ec2ee20e..19f9094a 100644 --- a/src/assets/data/baselineProfiles/redhat-jboss-enterprise-application-platform-6.3-stig-baseline.json +++ b/src/assets/data/baselineProfiles/redhat-jboss-enterprise-application-platform-6.3-stig-baseline.json 
@@ -13,146 +13,178 @@ "supports": [], "controls": [ { - "title": "Access to Wildfly log files must be restricted to authorized users.", - "desc": "If the application provides too much information in error logs and\nadministrative messages to the screen, this could lead to compromise. The\nstructure and content of error messages need to be carefully considered by the\norganization and development team. The extent to which the information system\nis able to identify and handle error conditions is guided by organizational\npolicy and operational requirements.\n\n Application servers must protect the error messages that are created by the\napplication server. All application server users' accounts are used for the\nmanagement of the server and the applications residing on the application\nserver. All accounts are assigned to a certain role with corresponding access\nrights. The application server must restrict access to error messages so only\nauthorized users may view them. Error messages are usually written to logs\ncontained on the file system. The application server will usually create new\nlog files as needed and must take steps to ensure that the proper file\npermissions are utilized when the log files are created.", + "title": "The Wildfly server must be configured to restrict access to the web\n servers private key to authenticated system administrators.", + "desc": "The cornerstone of the PKI is the private key used to encrypt or digitally\nsign information.\n\n If the private key is stolen, this will lead to the compromise of the\nauthentication and non-repudiation gained through PKI because the attacker can\nuse the private key to digitally sign documents and can pretend to be the\nauthorized user.\n\n Both the holders of a digital certificate and the issuing authority must\nprotect the computers, storage devices, or whatever they use to keep the\nprivate keys. 
Java-based application servers utilize the Java keystore, which\nprovides storage for cryptographic keys and certificates. The keystore is\nusually maintained in a file stored on the file system.", "descriptions": { - "default": "If the application provides too much information in error logs and\nadministrative messages to the screen, this could lead to compromise. The\nstructure and content of error messages need to be carefully considered by the\norganization and development team. The extent to which the information system\nis able to identify and handle error conditions is guided by organizational\npolicy and operational requirements.\n\n Application servers must protect the error messages that are created by the\napplication server. All application server users' accounts are used for the\nmanagement of the server and the applications residing on the application\nserver. All accounts are assigned to a certain role with corresponding access\nrights. The application server must restrict access to error messages so only\nauthorized users may view them. Error messages are usually written to logs\ncontained on the file system. The application server will usually create new\nlog files as needed and must take steps to ensure that the proper file\npermissions are utilized when the log files are created." + "default": "The cornerstone of the PKI is the private key used to encrypt or digitally\nsign information.\n\n If the private key is stolen, this will lead to the compromise of the\nauthentication and non-repudiation gained through PKI because the attacker can\nuse the private key to digitally sign documents and can pretend to be the\nauthorized user.\n\n Both the holders of a digital certificate and the issuing authority must\nprotect the computers, storage devices, or whatever they use to keep the\nprivate keys. Java-based application servers utilize the Java keystore, which\nprovides storage for cryptographic keys and certificates. 
The keystore is\nusually maintained in a file stored on the file system." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000267-AS-000170", - "gid": "V-62301", - "rid": "SV-76791r1_rule", - "stig_id": "JBOS-AS-000425", + "gtitle": "SRG-APP-000176-AS-000125", + "gid": "V-62295", + "rid": "SV-76785r1_rule", + "stig_id": "JBOS-AS-000320", "cci": [ - "CCI-001314" + "CCI-000186" ], "documentable": false, "nist": [ - "SI-11 b", + "IA-5 (2) (b)", "Rev_4" ], - "check": "If the Wildfly log folder is installed in the default location\n and AS-000133-JBOSS-00079 is not a finding, the log folders are protected and\n this requirement is not a finding.\n\n By default, Wildlfy installs its log files into a sub-folder of the\n \"Wildfly\" home folder.\n Using a UNIX like OS example, the default location for log files is:\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n JBOSS_HOME/standalone/log\n JBOSS_HOME/domain/log\n\n For a standalone configuration:\n JBOSS_HOME/standalone/log/server.log\" Contains all server log messages,\n including server startup messages.\n\n For a domain configuration:\n JBOSS_HOME/domain/log/hostcontroller.log\n Host Controller boot log. Contains log messages related to the startup of the\n host controller.\n\n JBOSS_HOME/domain/log/processcontroller.log\n Process controller boot log. Contains log messages related to the startup of\n the process controller.\n\n JBOSS_HOME/domain/servers/SERVERNAME/log/server.log\n The server log for the named server. 
Contains all log messages for that server,\n including server startup messages.\n\n Log on with an OS user account with Wildfly access and permissions.\n\n Navigate to the \"Wildfly\" folder using the relevant OS commands for\n either a UNIX like OS or a Windows OS.\n\n Examine the permissions of the Wildfly logs folders.\n\n Owner can be full access.\n Group can be full access.\n All others must be restricted.\n\n If the Wildfly log folder is world readable or world writable, this is a\n finding.", - "fix": "Configure file permissions on the Wildfly log folder to protect\n from unauthorized access.", - "fix_id": "F-68221r1_fix" + "check": "The default location for the keystore used by the Wildfly vault\n is the $JBOSS_HOME;/vault/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n If a vault keystore has been created, by default it will be in the file:\n $JBOSS_HOME;/vault/vault.keystore. The file stores a single key, with the\n default alias vault, which will be used to store encrypted strings, such as\n passwords, for Wildfly EAP.\n\n Browse to the Wildfly vault folder using the relevant OS commands.\n Review the file permissions and ensure only system administrators and Wildfly\n users are allowed access.\n\n Owner can be full access\n Group can be full access\n All others must be restricted to execute access or no permission.\n\n If non-system administrators are allowed to access the $JBOSS_HOME;/vault/\n folder, this is a finding.", + "fix": "Configure the application server OS file permissions on the\n corresponding private key to restrict access to authorized accounts or roles.", + "fix_id": "F-68215r1_fix" }, - "code": "control 'V-62301' do\n title \"Access to Wildfly log files must be restricted to authorized users.\"\n desc \"\n If the application provides too much information in error logs and\n administrative messages to the screen, this could lead to compromise. 
The\n structure and content of error messages need to be carefully considered by the\n organization and development team. The extent to which the information system\n is able to identify and handle error conditions is guided by organizational\n policy and operational requirements.\n\n Application servers must protect the error messages that are created by the\n application server. All application server users' accounts are used for the\n management of the server and the applications residing on the application\n server. All accounts are assigned to a certain role with corresponding access\n rights. The application server must restrict access to error messages so only\n authorized users may view them. Error messages are usually written to logs\n contained on the file system. The application server will usually create new\n log files as needed and must take steps to ensure that the proper file\n permissions are utilized when the log files are created.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000267-AS-000170'\n tag \"gid\": 'V-62301'\n tag \"rid\": 'SV-76791r1_rule'\n tag \"stig_id\": 'JBOS-AS-000425'\n tag \"cci\": ['CCI-001314']\n tag \"documentable\": false\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"check\": \"If the Wildfly log folder is installed in the default location\n and AS-000133-JBOSS-00079 is not a finding, the log folders are protected and\n this requirement is not a finding.\n\n By default, Wildlfy installs its log files into a sub-folder of the\n \\\"Wildfly\\\" home folder.\n Using a UNIX like OS example, the default location for log files is:\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n JBOSS_HOME/standalone/log\n JBOSS_HOME/domain/log\n\n For a standalone configuration:\n JBOSS_HOME/standalone/log/server.log\\\" Contains all server log messages,\n including server startup messages.\n\n For a domain configuration:\n JBOSS_HOME/domain/log/hostcontroller.log\n Host Controller boot log. 
Contains log messages related to the startup of the\n host controller.\n\n JBOSS_HOME/domain/log/processcontroller.log\n Process controller boot log. Contains log messages related to the startup of\n the process controller.\n\n JBOSS_HOME/domain/servers/SERVERNAME/log/server.log\n The server log for the named server. Contains all log messages for that server,\n including server startup messages.\n\n Log on with an OS user account with Wildfly access and permissions.\n\n Navigate to the \\\"Wildfly\\\" folder using the relevant OS commands for\n either a UNIX like OS or a Windows OS.\n\n Examine the permissions of the Wildfly logs folders.\n\n Owner can be full access.\n Group can be full access.\n All others must be restricted.\n\n If the Wildfly log folder is world readable or world writable, this is a\n finding.\"\n tag \"fix\": \"Configure file permissions on the Wildfly log folder to protect\n from unauthorized access.\"\n tag \"fix_id\": 'F-68221r1_fix'\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n it { should_not be_readable.by 'others' }\n end\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n it { should_not be_writable.by 'others' }\n end\nend\n", + "code": "control 'V-62295' do\n title \"The Wildfly server must be configured to restrict access to the web\n servers private key to authenticated system administrators.\"\n desc \"\n The cornerstone of the PKI is the private key used to encrypt or digitally\n sign information.\n\n If the private key is stolen, this will lead to the compromise of the\n authentication and non-repudiation gained through PKI because the attacker can\n use the private key to digitally sign documents and can pretend to be the\n authorized user.\n\n Both the holders of a digital certificate and the issuing authority must\n protect the computers, storage devices, or whatever they use to keep the\n private keys. 
Java-based application servers utilize the Java keystore, which\n provides storage for cryptographic keys and certificates. The keystore is\n usually maintained in a file stored on the file system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000176-AS-000125'\n tag \"gid\": 'V-62295'\n tag \"rid\": 'SV-76785r1_rule'\n tag \"stig_id\": 'JBOS-AS-000320'\n tag \"cci\": ['CCI-000186']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (2) (b)', 'Rev_4']\n tag \"check\": \"The default location for the keystore used by the Wildfly vault\n is the $JBOSS_HOME;/vault/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n If a vault keystore has been created, by default it will be in the file:\n $JBOSS_HOME;/vault/vault.keystore. The file stores a single key, with the\n default alias vault, which will be used to store encrypted strings, such as\n passwords, for Wildfly EAP.\n\n Browse to the Wildfly vault folder using the relevant OS commands.\n Review the file permissions and ensure only system administrators and Wildfly\n users are allowed access.\n\n Owner can be full access\n Group can be full access\n All others must be restricted to execute access or no permission.\n\n If non-system administrators are allowed to access the $JBOSS_HOME;/vault/\n folder, this is a finding.\"\n tag \"fix\": \"Configure the application server OS file permissions on the\n corresponding private key to restrict access to authorized accounts or roles.\"\n tag \"fix_id\": 'F-68215r1_fix'\n describe directory(\"#{ input('jboss_home') }/vault\") do\n it { should_not be_readable.by('others') }\n end\n describe directory(\"#{ input('jboss_home') }/vault\") do\n it { should_not be_writable.by('others') }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62301.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62295.rb", "line": 1 }, - "id": "V-62301" + "id": "V-62295" }, { - "title": "HTTPS must be enabled for Wildfly web interfaces.", - "desc": 
"Encryption is critical for protection of remote access sessions. If\nencryption is not being used for integrity, malicious users may gain the\nability to modify the application server configuration. The use of cryptography\nfor ensuring integrity of remote access sessions mitigates that risk.\n\n Application servers utilize a web management interface and scripted\ncommands when allowing remote access. Web access requires the use of TLS, and\nscripted access requires using ssh or some other form of approved cryptography.\nApplication servers must have a capability to enable a secure remote admin\ncapability.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL\nversions must be disabled.\n\n NIST SP 800-52 specifies the preferred configurations for government\nsystems.", + "title": "Welcome Web Application must be disabled.", + "desc": "The Welcome to Wildfly web page provides a redirect to the Wildfly admin\n console, which, by default, runs on TCP 9990 as well as redirects to the Online\n User Guide and Online User Groups hosted at locations on the Internet. The\n welcome page is unnecessary and should be disabled or replaced with a valid web\n page.", "descriptions": { - "default": "Encryption is critical for protection of remote access sessions. If\nencryption is not being used for integrity, malicious users may gain the\nability to modify the application server configuration. The use of cryptography\nfor ensuring integrity of remote access sessions mitigates that risk.\n\n Application servers utilize a web management interface and scripted\ncommands when allowing remote access. 
Web access requires the use of TLS, and\nscripted access requires using ssh or some other form of approved cryptography.\nApplication servers must have a capability to enable a secure remote admin\ncapability.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL\nversions must be disabled.\n\n NIST SP 800-52 specifies the preferred configurations for government\nsystems." + "default": "The Welcome to Wildfly web page provides a redirect to the Wildfly admin\n console, which, by default, runs on TCP 9990 as well as redirects to the Online\n User Guide and Online User Groups hosted at locations on the Internet. The\n welcome page is unnecessary and should be disabled or replaced with a valid web\n page." + }, + "impact": 0.3, + "refs": [], + "tags": { + "gtitle": "SRG-APP-000141-AS-000095", + "gid": "V-62271", + "rid": "SV-76761r1_rule", + "stig_id": "JBOS-AS-000245", + "cci": [ + "CCI-000381" + ], + "documentable": false, + "nist": [ + "CM-7 a", + "Rev_4" + ], + "check": "Use a web browser and browse to HTTP://Wildfly SERVER IP\n ADDRESS:8080\n\n If the Wildfly Welcome page is displayed, this is a finding.", + "fix": "Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run\n the following command. You may need to change the profile to modify a different\n managed domain profile, or remove the \"/profile=default\" portion of the\n command for a standalone server.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n \"/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)\"\n\n To configure your web application to use the root context (/) as its URL\n address, modify the applications jboss-web.xml, which is located in the\n applications META-INF/ or WEB-INF/ directory. 
Replace its \n directive with one that looks like the following:\n\n \n /\n ", + "fix_id": "F-68191r1_fix" + }, + "code": "control 'V-62271' do\n title \"Welcome Web Application must be disabled.\"\n desc \"The Welcome to Wildfly web page provides a redirect to the Wildfly admin\n console, which, by default, runs on TCP 9990 as well as redirects to the Online\n User Guide and Online User Groups hosted at locations on the Internet. The\n welcome page is unnecessary and should be disabled or replaced with a valid web\n page.\"\n impact 0.3\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62271'\n tag \"rid\": 'SV-76761r1_rule'\n tag \"stig_id\": 'JBOS-AS-000245'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Use a web browser and browse to HTTP://Wildfly SERVER IP\n ADDRESS:8080\n\n If the Wildfly Welcome page is displayed, this is a finding.\"\n\n\n tag \"fix\": \"Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run\n the following command. You may need to change the profile to modify a different\n managed domain profile, or remove the \\\"/profile=default\\\" portion of the\n command for a standalone server.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n \\\"/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)\\\"\n\n To configure your web application to use the root context (/) as its URL\n address, modify the applications jboss-web.xml, which is located in the\n applications META-INF/ or WEB-INF/ directory. 
Replace its \n directive with one that looks like the following:\n\n \n /\n \"\n tag \"fix_id\": 'F-68191r1_fix'\n\n connect = input('connection')\n describe 'The wildfly web application' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/host=default-host/location=\\\\\\/\").stdout }\n it { should_not match(%r{handler=welcome-content}) }\n end\nend\n", + "source_location": { + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62271.rb", + "line": 1 + }, + "id": "V-62271" + }, + { + "title": "Wildfly servers must be configured to roll over and transfer logs on a\n minimum weekly basis.", + "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration. Protecting log data is important during a\nforensic investigation to ensure investigators can track and understand what\nmay have occurred. Off-loading should be set up as a scheduled task but can be\nconfigured to be run manually, if other processes during the off-loading are\nmanual.\n\n Off-loading is a common process in information systems with limited log\nstorage capacity.", + "descriptions": { + "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration. Protecting log data is important during a\nforensic investigation to ensure investigators can track and understand what\nmay have occurred. Off-loading should be set up as a scheduled task but can be\nconfigured to be run manually, if other processes during the off-loading are\nmanual.\n\n Off-loading is a common process in information systems with limited log\nstorage capacity." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000015-AS-000010", - "gid": "V-62215", - "rid": "SV-76705r1_rule", - "stig_id": "JBOS-AS-000015", + "gtitle": "SRG-APP-000515-AS-000203", + "gid": "V-62345", + "rid": "SV-76835r1_rule", + "stig_id": "JBOS-AS-000735", "cci": [ - "CCI-001453" + "CCI-001851" ], "documentable": false, "nist": [ - "AC-17 (2)", + "AU-4 (1)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nReview the web subsystem and ensure that HTTPS is enabled.\nRun the command:\n\nFor a managed domain:\n\"ls /profile=/subsystem=web/connector=\"\n\nFor a standalone system:\n\"ls /subsystem=web/connector=\"\n\nIf \"https\" is not returned, this is a finding.", - "fix": "Follow procedure \"4.4. Configure the Wildfly Web Server to use\nHTTPS.\" The detailed procedure is found in the Wildfly Security Guide\navailable at the vendor's site, RedHat.com. An overview of steps is provided\nhere.\n\n1. Obtain or generate DoD-approved SSL certificates.\n2. Configure the SSL certificate using your certificate values.\n3. Set the SSL protocol to TLS V1.1 or V1.2.", - "fix_id": "F-68135r1_fix" + "check": "If the Wildfly server is configured to use a Syslog Handler, this\n is not a finding.\n\n Log on to the OS of the Wildfly server with OS permissions that allow access to\n Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Determine if there is a periodic rotating file handler.\n\n For a domain configuration run the following command; where is a\n variable for all of the servers in the domain. 
Usually \"server-one\",\n \"server-two\", etc.:\n\n \"ls\n /host=master/server=/subsystem=logging/periodic-rotating-file-handler=\"\n\n For a standalone configuration run the command:\n \"ls /subsystem=logging/periodic-rotating-file-handler=\"\n\n If the command does not return \"FILE\", this is a finding.\n\n Review the $JBOSS_HOME;/standalone/log folder for the existence of rotated\n logs, and ask the admin to demonstrate how rotated logs are packaged and\n transferred to another system on at least a weekly basis.", + "fix": "Open the web-based management interface by opening a browser and\n pointing it to HTTPS://:9990/\n\n Authenticate as a user with Admin rights.\n Navigate to the \"Configuration\" tab.\n Expand + Subsystems.\n Expand + Core.\n Select \"Logging\".\n Select the \"Handler\" tab.\n Select \"Periodic\".\n\n If a periodic file handler does not exist, reference Wildfly admin guide for\n instructions on how to create a file handler that will rotate logs on a daily\n basis.\n Create scripts that package and off-load log data at least weekly.", + "fix_id": "F-68265r1_fix" }, - "code": "control 'V-62215' do\n title \"HTTPS must be enabled for Wildfly web interfaces.\"\n desc \"\n Encryption is critical for protection of remote access sessions. If\nencryption is not being used for integrity, malicious users may gain the\nability to modify the application server configuration. The use of cryptography\nfor ensuring integrity of remote access sessions mitigates that risk.\n\n Application servers utilize a web management interface and scripted\ncommands when allowing remote access. 
Web access requires the use of TLS, and\nscripted access requires using ssh or some other form of approved cryptography.\nApplication servers must have a capability to enable a secure remote admin\ncapability.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL\nversions must be disabled.\n\n NIST SP 800-52 specifies the preferred configurations for government\nsystems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000015-AS-000010'\n tag \"gid\": 'V-62215'\n tag \"rid\": 'SV-76705r1_rule'\n tag \"stig_id\": 'JBOS-AS-000015'\n tag \"cci\": ['CCI-001453']\n tag \"documentable\": false\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nReview the web subsystem and ensure that HTTPS is enabled.\nRun the command:\n\nFor a managed domain:\n\\\"ls /profile=/subsystem=web/connector=\\\"\n\nFor a standalone system:\n\\\"ls /subsystem=web/connector=\\\"\n\nIf \\\"https\\\" is not returned, this is a finding.\"\n tag \"fix\": \"Follow procedure \\\"4.4. Configure the Wildfly Web Server to use\nHTTPS.\\\" The detailed procedure is found in the Wildfly Security Guide\navailable at the vendor's site, RedHat.com. An overview of steps is provided\nhere.\n\n1. Obtain or generate DoD-approved SSL certificates.\n2. Configure the SSL certificate using your certificate values.\n3. 
Set the SSL protocol to TLS V1.1 or V1.2.\"\n tag \"fix_id\": 'F-68135r1_fix'\n\n connect = input('connection')\n\n describe 'HTTPS for Wildfly web interfaces' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/https-listener=https\").stdout }\n it { should match(%r{enabled=true}) }\n end\nend\n", + "code": "control 'V-62345' do\n title \"Wildfly servers must be configured to roll over and transfer logs on a\n minimum weekly basis.\"\n desc \"\n Information stored in one location is vulnerable to accidental or\n incidental deletion or alteration. Protecting log data is important during a\n forensic investigation to ensure investigators can track and understand what\n may have occurred. Off-loading should be set up as a scheduled task but can be\n configured to be run manually, if other processes during the off-loading are\n manual.\n\n Off-loading is a common process in information systems with limited log\n storage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000515-AS-000203'\n tag \"gid\": 'V-62345'\n tag \"rid\": 'SV-76835r1_rule'\n tag \"stig_id\": 'JBOS-AS-000735'\n tag \"cci\": ['CCI-001851']\n tag \"documentable\": false\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"check\": \"If the Wildfly server is configured to use a Syslog Handler, this\n is not a finding.\n\n Log on to the OS of the Wildfly server with OS permissions that allow access to\n Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Determine if there is a periodic rotating file handler.\n\n For a domain configuration run the following command; where is a\n variable for all of the servers in the domain. 
Usually \\\"server-one\\\",\n \\\"server-two\\\", etc.:\n\n \\\"ls\n /host=master/server=/subsystem=logging/periodic-rotating-file-handler=\\\"\n\n For a standalone configuration run the command:\n \\\"ls /subsystem=logging/periodic-rotating-file-handler=\\\"\n\n If the command does not return \\\"FILE\\\", this is a finding.\n\n Review the $JBOSS_HOME;/standalone/log folder for the existence of rotated\n logs, and ask the admin to demonstrate how rotated logs are packaged and\n transferred to another system on at least a weekly basis.\"\n tag \"fix\": \"Open the web-based management interface by opening a browser and\n pointing it to HTTPS://:9990/\n\n Authenticate as a user with Admin rights.\n Navigate to the \\\"Configuration\\\" tab.\n Expand + Subsystems.\n Expand + Core.\n Select \\\"Logging\\\".\n Select the \\\"Handler\\\" tab.\n Select \\\"Periodic\\\".\n\n If a periodic file handler does not exist, reference Wildfly admin guide for\n instructions on how to create a file handler that will rotate logs on a daily\n basis.\n Create scripts that package and off-load log data at least weekly.\"\n tag \"fix_id\": 'F-68265r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly periodic roating file handler setting' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ subsystem=logging/periodic-rotating-file-handler=\").stdout }\n it { should match(%r{FILE}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62215.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62345.rb", "line": 1 }, - "id": "V-62215" + "id": "V-62345" }, { - "title": "The Wildfly server must be configured with Role Based Access Controls.", - "desc": "By default, the Wildfly server is not configured to utilize role based\naccess controls (RBAC). 
RBAC provides the capability to restrict user access\nto their designated management role, thereby limiting access to only the Wildfly\nfunctionality that they are supposed to have. Without RBAC, the Wildfly server\nis not able to enforce authorized access according to role.", + "title": "The application server must prevent non-privileged users from\n executing privileged functions to include disabling, circumventing, or altering\n implemented security safeguards/countermeasures.", + "desc": "Preventing non-privileged users from executing privileged functions\nmitigates the risk that unauthorized individuals or processes may gain\nunnecessary access to information or privileges.\n\n Restricting non-privileged users also prevents an attacker who has gained\naccess to a non-privileged account, from elevating privileges, creating\naccounts, and performing system checks and maintenance.", "descriptions": { - "default": "By default, the Wildfly server is not configured to utilize role based\naccess controls (RBAC). RBAC provides the capability to restrict user access\nto their designated management role, thereby limiting access to only the Wildfly\nfunctionality that they are supposed to have. Without RBAC, the Wildfly server\nis not able to enforce authorized access according to role." + "default": "Preventing non-privileged users from executing privileged functions\nmitigates the risk that unauthorized individuals or processes may gain\nunnecessary access to information or privileges.\n\n Restricting non-privileged users also prevents an attacker who has gained\naccess to a non-privileged account, from elevating privileges, creating\naccounts, and performing system checks and maintenance." 
}, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000033-AS-000024", - "gid": "V-62227", - "rid": "SV-76717r1_rule", - "stig_id": "JBOS-AS-000035", + "gtitle": "SRG-APP-000340-AS-000185", + "gid": "V-62305", + "rid": "SV-76795r1_rule", + "stig_id": "JBOS-AS-000475", "cci": [ - "CCI-000213" + "CCI-002235" ], "documentable": false, "nist": [ - "AC-3", + "AC-6 (10)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRun the following command:\n\nFor standalone servers:\n\"ls /core-service=management/access=authorization/\"\n\nFor managed domain installations:\n\"ls /host=master/core-service=management/access=authorization/\"\n\nIf the \"provider\" attribute is not set to \"rbac\", this is a finding.", - "fix": "Run the following command.\n$JBOSS_HOME;/bin/jboss-cli.sh -c -> connect -> cd\n/core-service=management/access-authorization :write-attribute(name=provider,\nvalue=rbac)\n\nRestart Wildfly.\n\nMap users to roles by running the following command. 
Upper-case words are\nvariables.\n\nrole-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)", - "fix_id": "F-68147r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Run the following command:\n\n For standalone servers:\n \"ls /core-service=management/access=authorization/\"\n\n For managed domain installations:\n \"ls /host=master/core-service=management/access=authorization/\"\n\n If the \"provider\" attribute is not set to \"rbac\", this is a finding.", + "fix": "Run the following command.\n $JBOSS_HOME;/bin/jboss-cli.sh -c -> connect -> cd\n /core-service=management/access-authorization :write-attribute(name=provider,\n value=rbac)\n\n Restart Wildfly.\n\n Map users to roles by running the following command. Upper-case words are\n variables.\n\n role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)", + "fix_id": "F-68225r1_fix" }, - "code": "control 'V-62227' do\n title \"The Wildfly server must be configured with Role Based Access Controls.\"\n desc \"By default, the Wildfly server is not configured to utilize role based\naccess controls (RBAC). RBAC provides the capability to restrict user access\nto their designated management role, thereby limiting access to only the Wildfly\nfunctionality that they are supposed to have. 
Without RBAC, the Wildfly server\nis not able to enforce authorized access according to role.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62227'\n tag \"rid\": 'SV-76717r1_rule'\n tag \"stig_id\": 'JBOS-AS-000035'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRun the following command:\n\nFor standalone servers:\n\\\"ls /core-service=management/access=authorization/\\\"\n\nFor managed domain installations:\n\\\"ls /host=master/core-service=management/access=authorization/\\\"\n\nIf the \\\"provider\\\" attribute is not set to \\\"rbac\\\", this is a finding.\"\n tag \"fix\": \"Run the following command.\n$JBOSS_HOME;/bin/jboss-cli.sh -c -> connect -> cd\n/core-service=management/access-authorization :write-attribute(name=provider,\nvalue=rbac)\n\nRestart Wildfly.\n\nMap users to roles by running the following command. 
Upper-case words are\nvariables.\n\nrole-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)\"\n tag \"fix_id\": 'F-68147r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server authorization access' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/\").stdout }\n it { should match(%r{provider=rbac}) }\n end\nend\n", + "code": "control 'V-62305' do\n title \"The application server must prevent non-privileged users from\n executing privileged functions to include disabling, circumventing, or altering\n implemented security safeguards/countermeasures.\"\n desc \"\n Preventing non-privileged users from executing privileged functions\n mitigates the risk that unauthorized individuals or processes may gain\n unnecessary access to information or privileges.\n\n Restricting non-privileged users also prevents an attacker who has gained\n access to a non-privileged account, from elevating privileges, creating\n accounts, and performing system checks and maintenance.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000340-AS-000185'\n tag \"gid\": 'V-62305'\n tag \"rid\": 'SV-76795r1_rule'\n tag \"stig_id\": 'JBOS-AS-000475'\n tag \"cci\": ['CCI-002235']\n tag \"documentable\": false\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Run the following command:\n\n For standalone servers:\n \\\"ls /core-service=management/access=authorization/\\\"\n\n For managed domain installations:\n \\\"ls /host=master/core-service=management/access=authorization/\\\"\n\n If the \\\"provider\\\" attribute is not set to \\\"rbac\\\", this is a finding.\"\n tag \"fix\": \"Run the following command.\n 
$JBOSS_HOME;/bin/jboss-cli.sh -c -> connect -> cd\n /core-service=management/access-authorization :write-attribute(name=provider,\n value=rbac)\n\n Restart Wildfly.\n\n Map users to roles by running the following command. Upper-case words are\n variables.\n\n role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)\"\n tag \"fix_id\": 'F-68225r1_fix'\n\n connect = input('connection')\n\n describe \"The wildfly application server's access authorization\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/\").stdout }\n it { should match(%r{provider=rbac}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62227.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62305.rb", "line": 1 }, - "id": "V-62227" + "id": "V-62305" }, { - "title": "Wildfly must be configured to generate log records when\n successful/unsuccessful attempts to delete privileges occur.", - "desc": "Deleting privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful and unsuccessful privilege\n deletions are made, the events need to be logged. By logging the event, the\n modification or attempted modification can be investigated to determine if it\n was performed inadvertently or maliciously.", + "title": "Wildfly must be configured to use DoD PKI-established certificate\n authorities for verification of the establishment of protected sessions.", + "desc": "Untrusted Certificate Authorities (CA) can issue certificates, but they may\nbe issued by organizations or individuals that seek to compromise DoD systems\nor by organizations with insufficient security controls. If the CA used for\nverifying the certificate is not a DoD-approved CA, trust of this CA has not\nbeen established.\n\n The DoD will only accept PKI certificates obtained from a DoD-approved\ninternal or external certificate authority. 
Reliance on CAs for the\nestablishment of secure sessions includes, for example, the use of SSL/TLS\ncertificates. The application server must only allow the use of DoD\nPKI-established certificate authorities for verification.", "descriptions": { - "default": "Deleting privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful and unsuccessful privilege\n deletions are made, the events need to be logged. By logging the event, the\n modification or attempted modification can be investigated to determine if it\n was performed inadvertently or maliciously." + "default": "Untrusted Certificate Authorities (CA) can issue certificates, but they may\nbe issued by organizations or individuals that seek to compromise DoD systems\nor by organizations with insufficient security controls. If the CA used for\nverifying the certificate is not a DoD-approved CA, trust of this CA has not\nbeen established.\n\n The DoD will only accept PKI certificates obtained from a DoD-approved\ninternal or external certificate authority. Reliance on CAs for the\nestablishment of secure sessions includes, for example, the use of SSL/TLS\ncertificates. The application server must only allow the use of DoD\nPKI-established certificate authorities for verification." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000499-AS-000224", - "gid": "V-62331", - "rid": "SV-76821r1_rule", - "stig_id": "JBOS-AS-000695", + "gtitle": "SRG-APP-000427-AS-000264", + "gid": "V-62317", + "rid": "SV-76807r1_rule", + "stig_id": "JBOS-AS-000625", "cci": [ - "CCI-000172" + "CCI-002470" ], "documentable": false, "nist": [ - "AU-12 c", + "SC-23 (5)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68251r1_fix" + "check": "Locate the cacerts file for the JVM. 
This can be done using\n the appropriate find command for the OS and change to the directory where the\n cacerts file is located.\n\n To view the certificates stored within this file, execute the java command\n \"keytool -list -v -keystore ./cacerts\".\n Verify that the Certificate Authority (CA) for each certificate is DoD-approved.\n\n If any certificates have a CA that are not DoD-approved, this is a finding.", + "fix": "Locate the cacerts file for the JVM. This can be done using the\n appropriate find command for the OS and change to the directory where the\n cacerts file is located.\n\n Remove the certificates that have a CA that is non-DoD approved, and import DoD\n CA-approved certificates.", + "fix_id": "F-68237r1_fix" }, - "code": "control 'V-62331' do\n title \"Wildfly must be configured to generate log records when\n successful/unsuccessful attempts to delete privileges occur.\"\n desc \"Deleting privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful and unsuccessful privilege\n deletions are made, the events need to be logged. 
By logging the event, the\n modification or attempted modification can be investigated to determine if it\n was performed inadvertently or maliciously.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000499-AS-000224'\n tag \"gid\": 'V-62331'\n tag \"rid\": 'SV-76821r1_rule'\n tag \"stig_id\": 'JBOS-AS-000695'\n tag \"cci\": ['CCI-000172']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68251r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly setting: generate log records when successful/unsuccessful attempts to delete privileges occur' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) 
}\n end\nend\n", + "code": "control 'V-62317' do\n title \"Wildfly must be configured to use DoD PKI-established certificate\n authorities for verification of the establishment of protected sessions.\"\n desc \"\n Untrusted Certificate Authorities (CA) can issue certificates, but they may\n be issued by organizations or individuals that seek to compromise DoD systems\n or by organizations with insufficient security controls. If the CA used for\n verifying the certificate is not a DoD-approved CA, trust of this CA has not\n been established.\n\n The DoD will only accept PKI certificates obtained from a DoD-approved\n internal or external certificate authority. Reliance on CAs for the\n establishment of secure sessions includes, for example, the use of SSL/TLS\n certificates. The application server must only allow the use of DoD\n PKI-established certificate authorities for verification.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000427-AS-000264'\n tag \"gid\": 'V-62317'\n tag \"rid\": 'SV-76807r1_rule'\n tag \"stig_id\": 'JBOS-AS-000625'\n tag \"cci\": ['CCI-002470']\n tag \"documentable\": false\n tag \"nist\": ['SC-23 (5)', 'Rev_4']\n tag \"check\": \"Locate the cacerts file for the JVM. This can be done using\n the appropriate find command for the OS and change to the directory where the\n cacerts file is located.\n\n To view the certificates stored within this file, execute the java command\n \\\"keytool -list -v -keystore ./cacerts\\\".\n Verify that the Certificate Authority (CA) for each certificate is DoD-approved.\n\n If any certificates have a CA that are not DoD-approved, this is a finding.\"\n tag \"fix\": \"Locate the cacerts file for the JVM. 
This can be done using the\n appropriate find command for the OS and change to the directory where the\n cacerts file is located.\n\n Remove the certificates that have a CA that is non-DoD approved, and import DoD\n CA-approved certificates.\"\n tag \"fix_id\": 'F-68237r1_fix'\n dod_cn = command(\"keytool -list -v -keystore /usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts\").stdout\n eca_cn = command(\"keytool -list -v -keystore /usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts\").stdout\n\n describe.one do\n describe 'The Wildfly DoD PKI-established certificate' do\n subject { dod_cn }\n it { should match(%r{CN=DoD}) }\n end\n describe 'The Wildfly DoD PKI-established certificate' do\n subject { eca_cn }\n it { should match(%r{CN=ECA}) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62331.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62317.rb", "line": 1 }, - "id": "V-62331" + "id": "V-62317" }, { - "title": "Java permissions must be set for hosted applications.", - "desc": "The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The JVM requires a security policy in order to restrict application access.\n A properly configured security policy will define what rights the application\nhas to the underlying system. For example, rights to make changes to files on\nthe host system or to initiate network sockets in order to connect to another\nsystem.", + "title": "Silent Authentication must be removed from the Default Application\nSecurity Realm.", + "desc": "Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. 
This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability.", "descriptions": { - "default": "The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The JVM requires a security policy in order to restrict application access.\n A properly configured security policy will define what rights the application\nhas to the underlying system. For example, rights to make changes to files on\nthe host system or to initiate network sockets in order to connect to another\nsystem." + "default": "Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability." }, "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-APP-000033-AS-000024", - "gid": "V-62217", - "rid": "SV-76707r1_rule", - "stig_id": "JBOS-AS-000025", + "gid": "V-62221", + "rid": "SV-76711r1_rule", + "stig_id": "JBOS-AS-000045", "cci": [ "CCI-000213" ], 
@@ -161,48 +193,48 @@ "AC-3", "Rev_4" ], - "check": "Obtain documentation from the admin that identifies the\n applications hosted on the JBoss server as well as the corresponding rights the\n application requires. For example, if the application requires network socket\n permissions and file write permissions, those requirements should be documented.\n\n 1. Identify the Wildfly installation as either domain or standalone and review\n the relevant configuration file.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n For domain installs: JBOSS_HOME/bin/domain.conf\n For standalone installs: JBOSS_HOME/bin/standalone.conf\n\n 2. Identify the location and name of the security policy by reading the\n JAVA_OPTS flag -Djava.security.policy= where will\n indicate name and location of security policy. If the application uses a\n policy URL, obtain URL and policy file from system admin.\n\n 3. Review security policy and ensure hosted applications have the appropriate\n restrictions placed on them as per documented application functionality\n requirements.\n\n If the security policy does not restrict application access to host resources\n as per documented requirements, this is a finding.", - "fix": "Configure the Java security manager to enforce access\n restrictions to the host system resources in accordance with application design\n and resource requirements.", - "fix_id": "F-68137r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nVerify that Silent Authentication has been removed from the default Application\nsecurity realm.\nRun the following command.\n\nFor standalone servers, run the following command:\n\"ls /core-service=management/securityrealm=ApplicationRealm/authentication\"\n\nFor managed domain installations, 
run the following command:\n\"ls\n/host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication\"\n\nIf \"local\" is returned, this is a finding.", + "fix": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRemove the local element from the Application Realm.\nFor standalone servers, run the following command:\n/core-service=management/securityrealm=\nApplicationRealm/authentication=local:remove\n\nFor managed domain installations, run the following command:\n/host=HOST_NAME/core-service=management/securityrealm=\nApplicationRealm/authentication=local:remove", + "fix_id": "F-68141r1_fix" }, - "code": "control 'V-62217' do\n title \"Java permissions must be set for hosted applications.\"\n desc \"\n The Java Security Manager is a java class that manages the external\n boundary of the Java Virtual Machine (JVM) sandbox, controlling how code\n executing within the JVM can interact with resources outside the JVM.\n\n The JVM requires a security policy in order to restrict application access.\n A properly configured security policy will define what rights the application\n has to the underlying system. For example, rights to make changes to files on\n the host system or to initiate network sockets in order to connect to another\n system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62217'\n tag \"rid\": 'SV-76707r1_rule'\n tag \"stig_id\": 'JBOS-AS-000025'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Obtain documentation from the admin that identifies the\n applications hosted on the JBoss server as well as the corresponding rights the\n application requires. 
For example, if the application requires network socket\n permissions and file write permissions, those requirements should be documented.\n\n 1. Identify the Wildfly installation as either domain or standalone and review\n the relevant configuration file.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n For domain installs: JBOSS_HOME/bin/domain.conf\n For standalone installs: JBOSS_HOME/bin/standalone.conf\n\n 2. Identify the location and name of the security policy by reading the\n JAVA_OPTS flag -Djava.security.policy= where will\n indicate name and location of security policy. If the application uses a\n policy URL, obtain URL and policy file from system admin.\n\n 3. Review security policy and ensure hosted applications have the appropriate\n restrictions placed on them as per documented application functionality\n requirements.\n\n If the security policy does not restrict application access to host resources\n as per documented requirements, this is a finding.\"\n tag \"fix\": \"Configure the Java security manager to enforce access\n restrictions to the host system resources in accordance with application design\n and resource requirements.\"\n tag \"fix_id\": 'F-68137r1_fix'\n describe.one do\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should match(%r{JAVA_OPTS=\"\\$JAVA_OPTS -Djavax.security.policy=\\/usr\\/lib\\/jvm\\/java\\-1.8.0\\/jre\\/lib\\/security\\/java.policy\"}) }\n end\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should match(%r{JAVA_OPTS=\"\\$JAVA_OPTS -Djava.security.manager -Djava.security.policy==%JBOSS_HOME\\\\lib\\\\security\\\\java.policy.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true\"}) }\n end\n describe parse_config_file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('SECMGR') { should match(%r{\"true\"}) }\n end\n end\nend\n", + "code": "control 'V-62221' do\n title \"Silent Authentication must be removed 
from the Default Application\nSecurity Realm.\"\n desc \"Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62221'\n tag \"rid\": 'SV-76711r1_rule'\n tag \"stig_id\": 'JBOS-AS-000045'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nVerify that Silent Authentication has been removed from the default Application\nsecurity realm.\nRun the following command.\n\nFor standalone servers, run the following command:\n\\\"ls /core-service=management/securityrealm=ApplicationRealm/authentication\\\"\n\nFor managed domain installations, run the following command:\n\\\"ls\n/host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication\\\"\n\nIf \\\"local\\\" is returned, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRemove the local element from the Application Realm.\nFor standalone servers, run the following command:\n/core-service=management/securityrealm=\nApplicationRealm/authentication=local:remove\n\nFor managed domain installations, run the following 
command:\n/host=HOST_NAME/core-service=management/securityrealm=\nApplicationRealm/authentication=local:remove\"\n tag \"fix_id\": 'F-68141r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly default application security realm silent authentication' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=ApplicationRealm/authentication\").stdout }\n it { should_not match(%r{local}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62217.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62221.rb", "line": 1 }, - "id": "V-62217" + "id": "V-62221" }, { - "title": "File permissions must be configured to protect log information from\nany type of unauthorized read access.", - "desc": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict access.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized access.", + "title": "The Wildfly server, when hosting mission critical applications, must be\n in a high-availability (HA) cluster.", + "desc": "A MAC I system is a system that handles data vital to the\n organization's operational readiness or effectiveness of deployed or\n contingency forces. A MAC I system must maintain the highest level of\n integrity and availability. 
By HA clustering the application server, the\n hosted application and data are given a platform that is load-balanced and\n provides high availability.", "descriptions": { - "default": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict access.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized access." + "default": "A MAC I system is a system that handles data vital to the\n organization's operational readiness or effectiveness of deployed or\n contingency forces. A MAC I system must maintain the highest level of\n integrity and availability. By HA clustering the application server, the\n hosted application and data are given a platform that is load-balanced and\n provides high availability." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000118-AS-000078", - "gid": "V-62251", - "rid": "SV-76741r1_rule", - "stig_id": "JBOS-AS-000165", + "gtitle": "SRG-APP-000435-AS-000069", + "gid": "V-62319", + "rid": "SV-76809r1_rule", + "stig_id": "JBOS-AS-000640", "cci": [ - "CCI-000162" + "CCI-002385" ], "documentable": false, "nist": [ - "AU-9", + "SC-5", "Rev_4" ], - "check": "Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. 
The\ndefault location for the log files is:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to read log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to read log files.\n\nIf unauthorized users are allowed to read log files, or if documentation that\nidentifies the users who are authorized to read log files is missing, this is a\nfinding.", - "fix": "Configure the OS file permissions on the application server to\nprotect log information from unauthorized read access.", - "fix_id": "F-68171r1_fix" + "check": "Interview the system admin and determine if the applications\n hosted on the application server are mission critical and require load\n balancing (LB) or high availability (HA).\n\n If the applications do not require LB or HA, this requirement is NA.\n\n If the documentation shows the LB or HA services are being provided by another\n system other than the application server, this requirement is NA.\n\n If applications require LB or HA, request documentation from the system admin\n that identifies what type of LB or HA configuration has been implemented on the\n application server.\n\n Ask the system admin to identify the components that require protection. Some\n options are included here as an example. Bear in mind the examples provided\n are not complete and absolute and are only provided as examples. 
The\n components being made redundant or HA by the application server will vary based\n upon application availability requirements.\n\n Examples are:\n Instances of the Application Server\n Web Applications\n Stateful, stateless and entity Enterprise Java Beans (EJBs)\n Single Sign On (SSO) mechanisms\n Distributed Cache\n HTTP sessions\n JMS and Message Services.\n\n If the hosted application requirements specify LB or HA and the Wildfly server\n has not been configured to offer HA or LB, this is a finding.", + "fix": "Configure the application server to provide LB or HA services for\n the hosted application.", + "fix_id": "F-68239r1_fix" }, - "code": "control 'V-62251' do\n title \"File permissions must be configured to protect log information from\nany type of unauthorized read access.\"\n desc \"\n If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict access.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000118-AS-000078'\n tag \"gid\": 'V-62251'\n tag \"rid\": 'SV-76741r1_rule'\n tag \"stig_id\": 'JBOS-AS-000165'\n tag \"cci\": ['CCI-000162']\n tag \"documentable\": false\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"check\": \"Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. 
The\ndefault location for the log files is:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to read log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to read log files.\n\nIf unauthorized users are allowed to read log files, or if documentation that\nidentifies the users who are authorized to read log files is missing, this is a\nfinding.\"\n tag \"fix\": \"Configure the OS file permissions on the application server to\nprotect log information from unauthorized read access.\"\n tag \"fix_id\": 'F-68171r1_fix'\n\n wildfly_group = input('wildfly_group')\n wildly_owner = input('wildly_owner')\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n its('owner') { should eq \"#{wildly_owner}\" }\n its('group') { should eq \"#{wildfly_group}\" }\n its('mode') { should cmp '0750' }\n end\nend\n", + "code": "control 'V-62319' do\n title \"The Wildfly server, when hosting mission critical applications, must be\n in a high-availability (HA) cluster.\"\n desc \"A MAC I system is a system that handles data vital to the\n organization's operational readiness or effectiveness of deployed or\n contingency forces. A MAC I system must maintain the highest level of\n integrity and availability. 
By HA clustering the application server, the\n hosted application and data are given a platform that is load-balanced and\n provides high availability.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000435-AS-000069'\n tag \"gid\": 'V-62319'\n tag \"rid\": 'SV-76809r1_rule'\n tag \"stig_id\": 'JBOS-AS-000640'\n tag \"cci\": ['CCI-002385']\n tag \"documentable\": false\n tag \"nist\": ['SC-5', 'Rev_4']\n tag \"check\": \"Interview the system admin and determine if the applications\n hosted on the application server are mission critical and require load\n balancing (LB) or high availability (HA).\n\n If the applications do not require LB or HA, this requirement is NA.\n\n If the documentation shows the LB or HA services are being provided by another\n system other than the application server, this requirement is NA.\n\n If applications require LB or HA, request documentation from the system admin\n that identifies what type of LB or HA configuration has been implemented on the\n application server.\n\n Ask the system admin to identify the components that require protection. Some\n options are included here as an example. Bear in mind the examples provided\n are not complete and absolute and are only provided as examples. 
The\n components being made redundant or HA by the application server will vary based\n upon application availability requirements.\n\n Examples are:\n Instances of the Application Server\n Web Applications\n Stateful, stateless and entity Enterprise Java Beans (EJBs)\n Single Sign On (SSO) mechanisms\n Distributed Cache\n HTTP sessions\n JMS and Message Services.\n\n If the hosted application requirements specify LB or HA and the Wildfly server\n has not been configured to offer HA or LB, this is a finding.\"\n tag \"fix\": \"Configure the application server to provide LB or HA services for\n the hosted application.\"\n tag \"fix_id\": 'F-68239r1_fix'\n\n high_availability = input('high_availability')\n\n describe 'The wildfly configuration file used' do\n subject { command ('ps -ef | grep wildfly | grep -v grep | grep -v chef').stdout }\n it { should match /[\\w\\b\\D\\d\\W]* -c=standalone-full.ha.xml [\\w\\b\\D\\d\\W]*/ }\n\n before do\n skip if high_availability == false\n end\n\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62251.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62319.rb", "line": 1 }, - "id": "V-62251" + "id": "V-62319" }, { "title": "Wildlfy must be configured to generate log records that show starting\n and ending times for access to the application server management interface.", 
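Review bot: The V-62221 test in this hunk's `code` value is fail-open: `it { should_not match(%r{local}) }` runs against `.stdout` of the jboss-cli command, so an empty output — which is presumably what you get when the CLI cannot connect, the `connection` input is wrong, or the resource path is mistyped, since those errors typically go to stderr — makes the control pass without the ApplicationRealm ever being inspected. Describe the `command(...)` resource itself instead of its `.stdout` and add `its('exit_status') { should eq 0 }` ahead of `its('stdout') { should_not match(%r{local}) }` so a failed query is reported as a failure rather than a silent pass; note the check/fix text spells the path `securityrealm=` while the test uses `security-realm=`, so an operator copying the documented fix command would likely get an error. The V-62319 test has the mirror-image brittleness: the pattern `/[\w\b\D\d\W]* -c=standalone-full.ha.xml [\w\b\D\d\W]*/` accepts only the `-c=` spelling with that one file name, so a server started with `-c standalone-ha.xml` or `--server-config=...`, or a domain-mode deployment whose server processes are not launched with `-c`, would presumably be reported as a finding even when HA is configured. Since `source_location.ref` points at `controls/V-62221.rb` and `controls/V-62319.rb`, this JSON appears to be an export, and the fixes should land in those Ruby files and be re-exported so the two do not drift.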
@@ -237,402 +269,466 @@ "id": "V-62337" }, { - "title": "Wildfly file permissions must be configured to protect the\n confidentiality and integrity of application files.", - "desc": "The Wildfly EAP Application Server is a Java-based AS. It is installed on\nthe OS file system and depends upon file system access controls to protect\napplication data at rest. The file permissions set on the Wildfly EAP home\nfolder must be configured so as to limit access to only authorized people and\nprocesses. The account used for operating the Wildfly server and any designated\nadministrative or operational accounts are the only accounts that should have\naccess.\n\n When data is written to digital media such as hard drives, mobile\ncomputers, external/removable hard drives, personal digital assistants,\nflash/thumb drives, etc., there is risk of data loss and data compromise.\nSteps must be taken to ensure data stored on the device is protected.", + "title": "Wildfly QuickStarts must be removed.", + "desc": "Wildfly QuickStarts are demo applications that can be deployed quickly.\nDemo applications are not written with security in mind and often open new\nattack vectors. QuickStarts must be removed.", "descriptions": { - "default": "The Wildfly EAP Application Server is a Java-based AS. It is installed on\nthe OS file system and depends upon file system access controls to protect\napplication data at rest. The file permissions set on the Wildfly EAP home\nfolder must be configured so as to limit access to only authorized people and\nprocesses. 
The account used for operating the Wildfly server and any designated\nadministrative or operational accounts are the only accounts that should have\naccess.\n\n When data is written to digital media such as hard drives, mobile\ncomputers, external/removable hard drives, personal digital assistants,\nflash/thumb drives, etc., there is risk of data loss and data compromise.\nSteps must be taken to ensure data stored on the device is protected." + "default": "Wildfly QuickStarts are demo applications that can be deployed quickly.\nDemo applications are not written with security in mind and often open new\nattack vectors. QuickStarts must be removed." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000231-AS-000133", - "gid": "V-62299", - "rid": "SV-76789r1_rule", - "stig_id": "JBOS-AS-000400", + "gtitle": "SRG-APP-000141-AS-000095", + "gid": "V-62267", + "rid": "SV-76757r1_rule", + "stig_id": "JBOS-AS-000235", "cci": [ - "CCI-001199" + "CCI-000381" ], "documentable": false, "nist": [ - "SC-28", + "CM-7 a", "Rev_4" ], - "check": "By default, Wildfly installs its files into a folder called\n \"wildfly\". This folder by default is stored within the home folder of\n the Wildfly user account. The installation process, however, allows for the\n override of default values to obtain folder and user account information from\n the system admin.\n\n Log on with a user account with Wildfly access and permissions.\n\n Navigate to the \"Wildfly\" folder using the relevant OS commands for\n either a UNIX-like OS or a Windows OS.\n\n Examine the permissions of the Wildfly folder.\n\n Owner can be full access.\n Group can be full access.\n All others must be restricted to execute access or no permission.\n\n If the Wildfly folder is world readable or world writable, this is a finding.", - "fix": "Configure file permissions on the Wildfly folder to protect from\n unauthorized access.", - "fix_id": "F-68219r1_fix" + "check": "Examine the $JBOSS_HOME; folder. 
If a\n wildfly quickstarts folder exits, this is a finding.", + "fix": "Delete the QuickStarts folder.", + "fix_id": "F-68187r1_fix" }, - "code": "control 'V-62299' do\n title \"Wildfly file permissions must be configured to protect the\n confidentiality and integrity of application files.\"\n desc \"\n The Wildfly EAP Application Server is a Java-based AS. It is installed on\n the OS file system and depends upon file system access controls to protect\n application data at rest. The file permissions set on the Wildfly EAP home\n folder must be configured so as to limit access to only authorized people and\n processes. The account used for operating the Wildfly server and any designated\n administrative or operational accounts are the only accounts that should have\n access.\n\n When data is written to digital media such as hard drives, mobile\n computers, external/removable hard drives, personal digital assistants,\n flash/thumb drives, etc., there is risk of data loss and data compromise.\n Steps must be taken to ensure data stored on the device is protected.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000231-AS-000133'\n tag \"gid\": 'V-62299'\n tag \"rid\": 'SV-76789r1_rule'\n tag \"stig_id\": 'JBOS-AS-000400'\n tag \"cci\": ['CCI-001199']\n tag \"documentable\": false\n tag \"nist\": ['SC-28', 'Rev_4']\n tag \"check\": \"By default, Wildfly installs its files into a folder called\n \\\"wildfly\\\". This folder by default is stored within the home folder of\n the Wildfly user account. 
The installation process, however, allows for the\n override of default values to obtain folder and user account information from\n the system admin.\n\n Log on with a user account with Wildfly access and permissions.\n\n Navigate to the \\\"Wildfly\\\" folder using the relevant OS commands for\n either a UNIX-like OS or a Windows OS.\n\n Examine the permissions of the Wildfly folder.\n\n Owner can be full access.\n Group can be full access.\n All others must be restricted to execute access or no permission.\n\n If the Wildfly folder is world readable or world writable, this is a finding.\"\n tag \"fix\": \"Configure file permissions on the Wildfly folder to protect from\n unauthorized access.\"\n tag \"fix_id\": 'F-68219r1_fix'\n describe directory(\"#{ input('jboss_home') }/\") do\n it { should_not be_readable.by('others') }\n end\n describe directory(\"#{ input('jboss_home') }/\") do\n it { should_not be_writable.by('others') }\n end\nend\n", + "code": "control 'V-62267' do\n title \"Wildfly QuickStarts must be removed.\"\n desc \"Wildfly QuickStarts are demo applications that can be deployed quickly.\nDemo applications are not written with security in mind and often open new\nattack vectors. QuickStarts must be removed.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62267'\n tag \"rid\": 'SV-76757r1_rule'\n tag \"stig_id\": 'JBOS-AS-000235'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Examine the $JBOSS_HOME; folder. 
If a\n wildfly quickstarts folder exits, this is a finding.\"\n tag \"fix\": \"Delete the QuickStarts folder.\"\n tag \"fix_id\": 'F-68187r1_fix'\n describe 'The wildfly quickstart files found' do\n subject { command(\"find #{ input('jboss_home') }/ -type d | grep quickstarts\").stdout }\n it { should match(%r{}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62299.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62267.rb", "line": 1 }, - "id": "V-62299" + "id": "V-62267" }, { - "title": "The Wildfly server must separate hosted application functionality from\n application server management functionality.", - "desc": "The application server consists of the management interface and hosted\napplications. By separating the management interface from hosted applications,\nthe user must authenticate as a privileged user to the management interface\nbefore being presented with management functionality. This prevents\nnon-privileged users from having visibility to functions not available to the\nuser. By limiting visibility, a compromised non-privileged account does not\noffer information to the attacker or functionality and information needed to\nfurther the attack on the application server.\n\n Wildfly is designed to operate with separate application and management\ninterfaces.\n The Wildfly server is started via a script. 
To start the JBoss server in\ndomain mode, the admin will execute the $JBOSS_HOME;/bin/domain.sh or\ndomain.bat script.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\n To start the Wildfly server in standalone mode, the admin will execute\n$JBOSS_HOME;/bin/standalone.bat or standalone.sh.\n\n Command line flags are used to specify which network address is used for\nmanagement and which address is used for public/application access.", + "title": "Wildfly must be configured to generate log records when\n successful/unsuccessful attempts to modify privileges occur.", + "desc": "Changing privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful/unsuccessful changes are made, the\n event needs to be logged. By logging the event, the modification or attempted\n modification can be investigated to determine if it was performed inadvertently\n or maliciously.", "descriptions": { - "default": "The application server consists of the management interface and hosted\napplications. By separating the management interface from hosted applications,\nthe user must authenticate as a privileged user to the management interface\nbefore being presented with management functionality. This prevents\nnon-privileged users from having visibility to functions not available to the\nuser. By limiting visibility, a compromised non-privileged account does not\noffer information to the attacker or functionality and information needed to\nfurther the attack on the application server.\n\n Wildfly is designed to operate with separate application and management\ninterfaces.\n The Wildfly server is started via a script. 
To start the JBoss server in\ndomain mode, the admin will execute the $JBOSS_HOME;/bin/domain.sh or\ndomain.bat script.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\n To start the Wildfly server in standalone mode, the admin will execute\n$JBOSS_HOME;/bin/standalone.bat or standalone.sh.\n\n Command line flags are used to specify which network address is used for\nmanagement and which address is used for public/application access." + "default": "Changing privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful/unsuccessful changes are made, the\n event needs to be logged. By logging the event, the modification or attempted\n modification can be investigated to determine if it was performed inadvertently\n or maliciously." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000211-AS-000146", - "gid": "V-62297", - "rid": "SV-76787r1_rule", - "stig_id": "JBOS-AS-000355", + "gtitle": "SRG-APP-000495-AS-000220", + "gid": "V-62329", + "rid": "SV-76819r1_rule", + "stig_id": "JBOS-AS-000690", "cci": [ - "CCI-001082" + "CCI-000172" ], "documentable": false, "nist": [ - "SC-2", + "AU-12 c", "Rev_4" ], - "check": "If Wildfly is not started with separate management and public\n interfaces, this is a finding.\n\n Review the network design documents to identify the IP address space for the\n management network.\n\n Use relevant OS commands and administrative techniques to determine how the\n system administrator starts the JBoss server. 
This includes interviewing the\n system admin, using the \"ps -ef|grep\" command for UNIX like systems or\n checking command line flags and properties on batch scripts for Windows\n systems.\n\n\n\n The \"-b\" flag specifies the public address space.\n The \"-bmanagement\" flag specifies the management address space.\n\n Example:\n $JBOSS_HOME;/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25\n\n If Wildfly is not started with separate management and public interfaces, this is\n a finding.", - "fix": "Start the application server with a -bmanagement and a -b flag so\n that admin management functionality and hosted applications are separated.\n\n Refer to section 4.9 in the Wildfly Installation Guide for specific\n instructions on how to start the Wildfly server as a service.", - "fix_id": "F-68217r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n 
\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68249r1_fix" }, - "code": "control 'V-62297' do\n title \"The Wildfly server must separate hosted application functionality from\n application server management functionality.\"\n desc \"\n The application server consists of the management interface and hosted\n applications. By separating the management interface from hosted applications,\n the user must authenticate as a privileged user to the management interface\n before being presented with management functionality. This prevents\n non-privileged users from having visibility to functions not available to the\n user. By limiting visibility, a compromised non-privileged account does not\n offer information to the attacker or functionality and information needed to\n further the attack on the application server.\n\n Wildfly is designed to operate with separate application and management\n interfaces.\n The Wildfly server is started via a script. 
To start the JBoss server in\n domain mode, the admin will execute the $JBOSS_HOME;/bin/domain.sh or\n domain.bat script.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n To start the Wildfly server in standalone mode, the admin will execute\n $JBOSS_HOME;/bin/standalone.bat or standalone.sh.\n\n Command line flags are used to specify which network address is used for\n management and which address is used for public/application access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000211-AS-000146'\n tag \"gid\": 'V-62297'\n tag \"rid\": 'SV-76787r1_rule'\n tag \"stig_id\": 'JBOS-AS-000355'\n tag \"cci\": ['CCI-001082']\n tag \"documentable\": false\n tag \"nist\": ['SC-2', 'Rev_4']\n tag \"check\": \"If Wildfly is not started with separate management and public\n interfaces, this is a finding.\n\n Review the network design documents to identify the IP address space for the\n management network.\n\n Use relevant OS commands and administrative techniques to determine how the\n system administrator starts the JBoss server. 
This includes interviewing the\n system admin, using the \\\"ps -ef|grep\\\" command for UNIX like systems or\n checking command line flags and properties on batch scripts for Windows\n systems.\n\n\n\n The \\\"-b\\\" flag specifies the public address space.\n The \\\"-bmanagement\\\" flag specifies the management address space.\n\n Example:\n $JBOSS_HOME;/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25\n\n If Wildfly is not started with separate management and public interfaces, this is\n a finding.\"\n tag \"fix\": \"Start the application server with a -bmanagement and a -b flag so\n that admin management functionality and hosted applications are separated.\n\n Refer to section 4.9 in the Wildfly Installation Guide for specific\n instructions on how to start the Wildfly server as a service.\"\n tag \"fix_id\": 'F-68217r1_fix'\n bind_mgmt_address = command(\"grep jboss.bind.address.management #{ input('jboss_home') }/standalone/configuration/standalone.xml | awk -F'=' '{print $2}' \").stdout\n public_bind_address = command(\"grep jboss.bind.address #{ input('jboss_home') }/standalone/configuration/standalone.xml | grep -v management | awk -F'=' '{print $2}' \").stdout\n describe 'The wildfly bind management address' do\n subject { bind_mgmt_address }\n it { should_not eq public_bind_address }\n end\nend\n", + "code": "control 'V-62329' do\n title \"Wildfly must be configured to generate log records when\n successful/unsuccessful attempts to modify privileges occur.\"\n desc \"Changing privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful/unsuccessful changes are made, the\n event needs to be logged. 
By logging the event, the modification or attempted\n modification can be investigated to determine if it was performed inadvertently\n or maliciously.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000495-AS-000220'\n tag \"gid\": 'V-62329'\n tag \"rid\": 'SV-76819r1_rule'\n tag \"stig_id\": 'JBOS-AS-000690'\n tag \"cci\": ['CCI-000172']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68249r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly setting: generate log records when successful/unsuccessful attempts to modify privileges occur' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ 
/core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62297.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62329.rb", "line": 1 }, - "id": "V-62297" + "id": "V-62329" }, { - "title": "Wildfly log records must be off-loaded onto a different system or system\ncomponent a minimum of every seven days.", - "desc": "Wildfly logs by default are written to the local file system. A centralized\nlogging solution like syslog should be used whenever possible; however, any log\ndata stored to the file system needs to be off-loaded. Wildfly EAP does not\nprovide an automated backup capability. Instead, reliance is placed on OS or\nthird-party tools to back up or off-load the log files.\n\n Protection of log data includes assuring log data is not accidentally lost\nor deleted. Off-loading log records to a different system or onto separate\nmedia from the system the application server is actually running on helps to\nassure that, in the event of a catastrophic system failure, the log records\nwill be retained.", + "title": "Wildfly KeyStore and Truststore passwords must not be stored in clear\n text.", + "desc": "Access to the Wildfly Password Vault must be secured, and the password used\nto access must be encrypted. There is a specific process used to generate the\nencrypted password hash. This process must be followed in order to store the\npassword in an encrypted format.\n\n The admin must utilize this process in order to ensure the Keystore\npassword is encrypted.", "descriptions": { - "default": "Wildfly logs by default are written to the local file system. A centralized\nlogging solution like syslog should be used whenever possible; however, any log\ndata stored to the file system needs to be off-loaded. Wildfly EAP does not\nprovide an automated backup capability. 
Instead, reliance is placed on OS or\nthird-party tools to back up or off-load the log files.\n\n Protection of log data includes assuring log data is not accidentally lost\nor deleted. Off-loading log records to a different system or onto separate\nmedia from the system the application server is actually running on helps to\nassure that, in the event of a catastrophic system failure, the log records\nwill be retained." + "default": "Access to the Wildfly Password Vault must be secured, and the password used\nto access must be encrypted. There is a specific process used to generate the\nencrypted password hash. This process must be followed in order to store the\npassword in an encrypted format.\n\n The admin must utilize this process in order to ensure the Keystore\npassword is encrypted." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000125-AS-000084", - "gid": "V-62257", - "rid": "SV-76747r1_rule", - "stig_id": "JBOS-AS-000195", + "gtitle": "SRG-APP-000171-AS-000119", + "gid": "V-62289", + "rid": "SV-76779r1_rule", + "stig_id": "JBOS-AS-000300", "cci": [ - "CCI-001348" + "CCI-000196" ], "documentable": false, "nist": [ - "AU-9 (2)", + "IA-5 (1) (c)", "Rev_4" ], - "check": "Interview the system admin and obtain details on how the log\nfiles are being off-loaded to a different system or media.\n\nIf the log files are not off-loaded a minimum of every 7 days, this is a\nfinding.", - "fix": "Configure the application server to off-load log records every\nseven days onto a different system or media from the system being logged.", - "fix_id": "F-68177r1_fix" + "check": "The default location for the keystore used by the Wildfly vault\n is the $JBOSS_HOME;/vault/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n If a vault keystore has been created, by default it will be in the file:\n $JBOSS_HOME;/vault/vault.keystore. 
The file stores a single key, with the\n default alias vault, which will be used to store encrypted strings, such as\n passwords, for JBoss EAP.\n\n Have the system admin provide the procedure used to encrypt the keystore\n password that unlocks the keystore.\n\n If the system administrator is unable to demonstrate or provide written process\n documentation on how to encrypt the keystore password, this is a finding.", + "fix": "Configure the application server to mask the java keystore\n password as per the procedure described in section 11.13.3 -Password Vault\n System in the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.", + "fix_id": "F-68209r1_fix" }, - "code": "control 'V-62257' do\n title \"Wildfly log records must be off-loaded onto a different system or system\ncomponent a minimum of every seven days.\"\n desc \"\n Wildfly logs by default are written to the local file system. A centralized\nlogging solution like syslog should be used whenever possible; however, any log\ndata stored to the file system needs to be off-loaded. Wildfly EAP does not\nprovide an automated backup capability. Instead, reliance is placed on OS or\nthird-party tools to back up or off-load the log files.\n\n Protection of log data includes assuring log data is not accidentally lost\nor deleted. 
Off-loading log records to a different system or onto separate\nmedia from the system the application server is actually running on helps to\nassure that, in the event of a catastrophic system failure, the log records\nwill be retained.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000125-AS-000084'\n tag \"gid\": 'V-62257'\n tag \"rid\": 'SV-76747r1_rule'\n tag \"stig_id\": 'JBOS-AS-000195'\n tag \"cci\": ['CCI-001348']\n tag \"documentable\": false\n tag \"nist\": ['AU-9 (2)', 'Rev_4']\n tag \"check\": \"Interview the system admin and obtain details on how the log\nfiles are being off-loaded to a different system or media.\n\nIf the log files are not off-loaded a minimum of every 7 days, this is a\nfinding.\"\n tag \"fix\": \"Configure the application server to off-load log records every\nseven days onto a different system or media from the system being logged.\"\n tag \"fix_id\": 'F-68177r1_fix'\n\n connect = input('connection')\n describe \"The wildfly syslog-handler configuration\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=logging/syslog-handler=\").stdout }\n it { should_not eq '' }\n end\nend\n", + "code": "control 'V-62289' do\n title \"Wildfly KeyStore and Truststore passwords must not be stored in clear\n text.\"\n desc \"\n Access to the Wildfly Password Vault must be secured, and the password used\n to access must be encrypted. There is a specific process used to generate the\n encrypted password hash. 
This process must be followed in order to store the\n password in an encrypted format.\n\n The admin must utilize this process in order to ensure the Keystore\n password is encrypted.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000171-AS-000119'\n tag \"gid\": 'V-62289'\n tag \"rid\": 'SV-76779r1_rule'\n tag \"stig_id\": 'JBOS-AS-000300'\n tag \"cci\": ['CCI-000196']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"check\": \"The default location for the keystore used by the Wildfly vault\n is the $JBOSS_HOME;/vault/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n If a vault keystore has been created, by default it will be in the file:\n $JBOSS_HOME;/vault/vault.keystore. The file stores a single key, with the\n default alias vault, which will be used to store encrypted strings, such as\n passwords, for JBoss EAP.\n\n Have the system admin provide the procedure used to encrypt the keystore\n password that unlocks the keystore.\n\n If the system administrator is unable to demonstrate or provide written process\n documentation on how to encrypt the keystore password, this is a finding.\"\n tag \"fix\": \"Configure the application server to mask the java keystore\n password as per the procedure described in section 11.13.3 -Password Vault\n System in the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\"\n tag \"fix_id\": 'F-68209r1_fix'\n\n describe 'A manual review is required to verify that the System Admin utilizes a process to ensure the Keystore password is encrypted' do\n skip 'A manual review is required to verify that the System Admin utilizes a process to ensure the Keystore password is encrypted'\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62257.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62289.rb", "line": 1 }, - "id": "V-62257" + "id": "V-62289" }, { - "title": "The Wildfly Server must be configured to use certificates to\n authenticate 
admins.", - "desc": "Multifactor authentication creates a layered defense and makes it more\ndifficult for an unauthorized person to access the application server. If one\nfactor is compromised or broken, the attacker still has at least one more\nbarrier to breach before successfully breaking into the target. Unlike a\nsimple username/password scenario where the attacker could gain access by\nknowing both the username and password without the user knowing his account was\ncompromised, multifactor authentication adds the requirement that the attacker\nmust have something from the user, such as a token, or to biometrically be the\nuser.\n\n Multifactor authentication is defined as: using two or more factors to\nachieve authentication.\n\n Factors include:\n (i) something a user knows (e.g., password/PIN);\n (ii) something a user has (e.g., cryptographic identification device,\ntoken); or\n (iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token\nmeets this definition.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user. These accounts would be capable of\naccessing the web management interface.\n\n When accessing the application server via a network connection,\nadministrative access to the application server must be PKI Hardware Token\nenabled or a DoD-approved soft certificate.", + "title": "HTTPS must be enabled for Wildfly web interfaces.", + "desc": "Encryption is critical for protection of remote access sessions. If\nencryption is not being used for integrity, malicious users may gain the\nability to modify the application server configuration. The use of cryptography\nfor ensuring integrity of remote access sessions mitigates that risk.\n\n Application servers utilize a web management interface and scripted\ncommands when allowing remote access. 
Web access requires the use of TLS, and\nscripted access requires using ssh or some other form of approved cryptography.\nApplication servers must have a capability to enable a secure remote admin\ncapability.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL\nversions must be disabled.\n\n NIST SP 800-52 specifies the preferred configurations for government\nsystems.", "descriptions": { - "default": "Multifactor authentication creates a layered defense and makes it more\ndifficult for an unauthorized person to access the application server. If one\nfactor is compromised or broken, the attacker still has at least one more\nbarrier to breach before successfully breaking into the target. Unlike a\nsimple username/password scenario where the attacker could gain access by\nknowing both the username and password without the user knowing his account was\ncompromised, multifactor authentication adds the requirement that the attacker\nmust have something from the user, such as a token, or to biometrically be the\nuser.\n\n Multifactor authentication is defined as: using two or more factors to\nachieve authentication.\n\n Factors include:\n (i) something a user knows (e.g., password/PIN);\n (ii) something a user has (e.g., cryptographic identification device,\ntoken); or\n (iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token\nmeets this definition.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user. These accounts would be capable of\naccessing the web management interface.\n\n When accessing the application server via a network connection,\nadministrative access to the application server must be PKI Hardware Token\nenabled or a DoD-approved soft certificate." + "default": "Encryption is critical for protection of remote access sessions. 
If\nencryption is not being used for integrity, malicious users may gain the\nability to modify the application server configuration. The use of cryptography\nfor ensuring integrity of remote access sessions mitigates that risk.\n\n Application servers utilize a web management interface and scripted\ncommands when allowing remote access. Web access requires the use of TLS, and\nscripted access requires using ssh or some other form of approved cryptography.\nApplication servers must have a capability to enable a secure remote admin\ncapability.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL\nversions must be disabled.\n\n NIST SP 800-52 specifies the preferred configurations for government\nsystems." + }, + "impact": 0.5, + "refs": [], + "tags": { + "gtitle": "SRG-APP-000015-AS-000010", + "gid": "V-62215", + "rid": "SV-76705r1_rule", + "stig_id": "JBOS-AS-000015", + "cci": [ + "CCI-001453" + ], + "documentable": false, + "nist": [ + "AC-17 (2)", + "Rev_4" + ], + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nReview the web subsystem and ensure that HTTPS is enabled.\nRun the command:\n\nFor a managed domain:\n\"ls /profile=/subsystem=web/connector=\"\n\nFor a standalone system:\n\"ls /subsystem=web/connector=\"\n\nIf \"https\" is not returned, this is a finding.", + "fix": "Follow procedure \"4.4. Configure the Wildfly Web Server to use\nHTTPS.\" The detailed procedure is found in the Wildfly Security Guide\navailable at the vendor's site, RedHat.com. An overview of steps is provided\nhere.\n\n1. Obtain or generate DoD-approved SSL certificates.\n2. Configure the SSL certificate using your certificate values.\n3. 
Set the SSL protocol to TLS V1.1 or V1.2.", + "fix_id": "F-68135r1_fix" + }, + "code": "control 'V-62215' do\n title \"HTTPS must be enabled for Wildfly web interfaces.\"\n desc \"\n Encryption is critical for protection of remote access sessions. If\nencryption is not being used for integrity, malicious users may gain the\nability to modify the application server configuration. The use of cryptography\nfor ensuring integrity of remote access sessions mitigates that risk.\n\n Application servers utilize a web management interface and scripted\ncommands when allowing remote access. Web access requires the use of TLS, and\nscripted access requires using ssh or some other form of approved cryptography.\nApplication servers must have a capability to enable a secure remote admin\ncapability.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL\nversions must be disabled.\n\n NIST SP 800-52 specifies the preferred configurations for government\nsystems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000015-AS-000010'\n tag \"gid\": 'V-62215'\n tag \"rid\": 'SV-76705r1_rule'\n tag \"stig_id\": 'JBOS-AS-000015'\n tag \"cci\": ['CCI-001453']\n tag \"documentable\": false\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nReview the web subsystem and ensure that HTTPS is enabled.\nRun the command:\n\nFor a managed domain:\n\\\"ls /profile=/subsystem=web/connector=\\\"\n\nFor a standalone system:\n\\\"ls /subsystem=web/connector=\\\"\n\nIf \\\"https\\\" is not returned, this is a finding.\"\n tag \"fix\": \"Follow procedure \\\"4.4. 
Configure the Wildfly Web Server to use\nHTTPS.\\\" The detailed procedure is found in the Wildfly Security Guide\navailable at the vendor's site, RedHat.com. An overview of steps is provided\nhere.\n\n1. Obtain or generate DoD-approved SSL certificates.\n2. Configure the SSL certificate using your certificate values.\n3. Set the SSL protocol to TLS V1.1 or V1.2.\"\n tag \"fix_id\": 'F-68135r1_fix'\n\n connect = input('connection')\n\n describe 'HTTPS for Wildfly web interfaces' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/https-listener=https\").stdout }\n it { should match(%r{enabled=true}) }\n end\nend\n", + "source_location": { + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62215.rb", + "line": 1 + }, + "id": "V-62215" + }, + { + "title": "Wildfly management Interfaces must be integrated with a centralized\n authentication mechanism that is configured to manage accounts according to DoD\n policy.", + "desc": "Wildfly EAP provides a security realm called ManagementRealm. By default,\nthis realm uses the mgmt-users.properties file for authentication. Using\nfile-based authentication does not allow the Wildfly server to be in compliance\nwith a wide range of user management requirements such as automatic disabling\nof inactive accounts as per DoD policy. To address this issue, the management\ninterfaces used to manage the JBoss server must be associated with a security\nrealm that provides centralized authentication management. Examples are AD or\nLDAP.\n\n Management of user identifiers is not applicable to shared information\nsystem accounts (e.g., guest and anonymous accounts). It is commonly the case\nthat a user account is the name of an information system account associated\nwith an individual.", + "descriptions": { + "default": "Wildfly EAP provides a security realm called ManagementRealm. 
By default,\nthis realm uses the mgmt-users.properties file for authentication. Using\nfile-based authentication does not allow the Wildfly server to be in compliance\nwith a wide range of user management requirements such as automatic disabling\nof inactive accounts as per DoD policy. To address this issue, the management\ninterfaces used to manage the JBoss server must be associated with a security\nrealm that provides centralized authentication management. Examples are AD or\nLDAP.\n\n Management of user identifiers is not applicable to shared information\nsystem accounts (e.g., guest and anonymous accounts). It is commonly the case\nthat a user account is the name of an information system account associated\nwith an individual." }, "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-APP-000149-AS-000102", - "gid": "V-62279", - "rid": "SV-76769r1_rule", - "stig_id": "JBOS-AS-000265", + "gtitle": "SRG-APP-000163-AS-000111", + "gid": "V-62285", + "rid": "SV-76775r1_rule", + "stig_id": "JBOS-AS-000290", "cci": [ - "CCI-000765" + "CCI-000795" ], "documentable": false, "nist": [ - "IA-2 (1)", + "IA-4 e", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Follow these steps:\n 1. Identify the security realm assigned to the management interfaces by using\n the following command:\n\n For standalone systems:\n \"ls /core-service=management/management-interface=\"\n\n For managed domain systems:\n \"ls\n /host=master/core-service=management/management-interface=\"\n\n Document the name of the security-realm associated with each management\n interface.\n\n 2. 
Review the security realm using the command:\n\n For standalone systems:\n \"ls\n /core-service=management/security-realm=/authentication\"\n\n For managed domains:\n \"ls\n /host=master/core-service=management/security-realm=/authentication\"\n\n If the command in step 2 does not return a security realm that uses\n certificates for authentication, this is a finding.", - "fix": "Configure the application server to authenticate privileged users\n via multifactor/certificate-based authentication mechanisms when using network\n access to the management interface.", - "fix_id": "F-68199r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Obtain the list of management interfaces by running the command:\n \"ls /core-service=management/management-interface\"\n\n Identify the security realm used by each management interface configuration by\n running the command:\n \"ls /core-service=management/management-interface=\"\n\n Determine if the security realm assigned to the management interface uses LDAP\n for authentication by running the command:\n \"ls\n /core-service=management/security-realm=/authentication\"\n\n If the security realm assigned to the management interface does not utilize\n LDAP for authentication, this is a finding.", + "fix": "Follow steps in section 11.8 - Management Interface Security in\n the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. 
Reference the new security domain in the Management Interface.", + "fix_id": "F-68205r1_fix" }, - "code": "control 'V-62279' do\n title \"The Wildfly Server must be configured to use certificates to\n authenticate admins.\"\n desc \"\n Multifactor authentication creates a layered defense and makes it more\n difficult for an unauthorized person to access the application server. If one\n factor is compromised or broken, the attacker still has at least one more\n barrier to breach before successfully breaking into the target. Unlike a\n simple username/password scenario where the attacker could gain access by\n knowing both the username and password without the user knowing his account was\n compromised, multifactor authentication adds the requirement that the attacker\n must have something from the user, such as a token, or to biometrically be the\n user.\n\n Multifactor authentication is defined as: using two or more factors to\n achieve authentication.\n\n Factors include:\n (i) something a user knows (e.g., password/PIN);\n (ii) something a user has (e.g., cryptographic identification device,\n token); or\n (iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token\n meets this definition.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user. 
These accounts would be capable of\n accessing the web management interface.\n\n When accessing the application server via a network connection,\n administrative access to the application server must be PKI Hardware Token\n enabled or a DoD-approved soft certificate.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000149-AS-000102'\n tag \"gid\": 'V-62279'\n tag \"rid\": 'SV-76769r1_rule'\n tag \"stig_id\": 'JBOS-AS-000265'\n tag \"cci\": ['CCI-000765']\n tag \"documentable\": false\n tag \"nist\": ['IA-2 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Follow these steps:\n 1. Identify the security realm assigned to the management interfaces by using\n the following command:\n\n For standalone systems:\n \\\"ls /core-service=management/management-interface=\\\"\n\n For managed domain systems:\n \\\"ls\n /host=master/core-service=management/management-interface=\\\"\n\n Document the name of the security-realm associated with each management\n interface.\n\n 2. 
Review the security realm using the command:\n\n For standalone systems:\n \\\"ls\n /core-service=management/security-realm=/authentication\\\"\n\n For managed domains:\n \\\"ls\n /host=master/core-service=management/security-realm=/authentication\\\"\n\n If the command in step 2 does not return a security realm that uses\n certificates for authentication, this is a finding.\"\n tag \"fix\": \"Configure the application server to authenticate privileged users\n via multifactor/certificate-based authentication mechanisms when using network\n access to the management interface.\"\n tag \"fix_id\": 'F-68199r1_fix'\n\n connect = input('connection')\n\n mgmt_interfaces = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=\").stdout.split(\"\\n\")\n\n mgmt_interfaces.each do |interface|\n\n security_realms = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=\").stdout.split(\"\\n\")\n security_realms.each do |realm|\n\n get_authentication = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=#{realm}/authentication\").stdout\n http_enabled = describe command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=http-interface\") .stdout\n\n describe.one do\n describe \"The wildfly server authentication for security realm #{realm}\" do\n subject { get_authentication }\n it { should match /truststore/ }\n end\n describe \"The wildfly server authentication for security realm #{realm}\" do\n subject { http_enabled }\n it { should match(%r{console-enabled=false}) }\n end\n end\n end\n end\n if mgmt_interfaces.empty?\n impact 0.0\n describe 'There are no wildfly management realms, therefore this control is not applicable' do\n skip 'There are no wildfly management 
realms, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-62285' do\n title \"Wildfly management Interfaces must be integrated with a centralized\n authentication mechanism that is configured to manage accounts according to DoD\n policy.\"\n desc \"\n Wildfly EAP provides a security realm called ManagementRealm. By default,\n this realm uses the mgmt-users.properties file for authentication. Using\n file-based authentication does not allow the Wildfly server to be in compliance\n with a wide range of user management requirements such as automatic disabling\n of inactive accounts as per DoD policy. To address this issue, the management\n interfaces used to manage the JBoss server must be associated with a security\n realm that provides centralized authentication management. Examples are AD or\n LDAP.\n\n Management of user identifiers is not applicable to shared information\n system accounts (e.g., guest and anonymous accounts). It is commonly the case\n that a user account is the name of an information system account associated\n with an individual.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000163-AS-000111'\n tag \"gid\": 'V-62285'\n tag \"rid\": 'SV-76775r1_rule'\n tag \"stig_id\": 'JBOS-AS-000290'\n tag \"cci\": ['CCI-000795']\n tag \"documentable\": false\n tag \"nist\": ['IA-4 e', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Obtain the list of management interfaces by running the command:\n \\\"ls /core-service=management/management-interface\\\"\n\n Identify the security realm used by each management interface configuration by\n running the command:\n \\\"ls /core-service=management/management-interface=\\\"\n\n Determine if the security realm 
assigned to the management interface uses LDAP\n for authentication by running the command:\n \\\"ls\n /core-service=management/security-realm=/authentication\\\"\n\n If the security realm assigned to the management interface does not utilize\n LDAP for authentication, this is a finding.\"\n tag \"fix\": \"Follow steps in section 11.8 - Management Interface Security in\n the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. Reference the new security domain in the Management Interface.\"\n tag \"fix_id\": 'F-68205r1_fix'\n\n ldap = input('ldap')\n connect = input('connection')\n\n management_interfaces = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=\").stdout.split(\"\\n\")\n\n management_interfaces.each do |interface|\n\n security_realms = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=\").stdout.split(\"\\n\")\n security_realms.each do |realm|\n describe \"The security realm #{realm} authentication mechanism\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=#{realm}/authentication\").stdout }\n it { should match /ldap/ }\n end\n end\n end\n if management_interfaces.empty?\n impact 0.0\n describe 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable' do\n skip 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62279.rb", + "ref": "./Red Hat Jboss 
EAP 6.3 STIG/controls/V-62285.rb", "line": 1 }, - "id": "V-62279" + "id": "V-62285" }, { - "title": "The Wildfly server must be configured to log all admin activity.", - "desc": "In order to be able to provide a forensic history of activity, the\napplication server must ensure users who are granted a privileged role or those\nwho utilize a separate distinct account when accessing privileged functions or\ndata have their actions logged.\n\n If privileged activity is not logged, no forensic logs can be used to\nestablish accountability for privileged actions that occur on the system.", + "title": "Wildfly must be configured to generate log records when\n successful/unsuccessful attempts to delete privileges occur.", + "desc": "Deleting privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful and unsuccessful privilege\n deletions are made, the events need to be logged. By logging the event, the\n modification or attempted modification can be investigated to determine if it\n was performed inadvertently or maliciously.", "descriptions": { - "default": "In order to be able to provide a forensic history of activity, the\napplication server must ensure users who are granted a privileged role or those\nwho utilize a separate distinct account when accessing privileged functions or\ndata have their actions logged.\n\n If privileged activity is not logged, no forensic logs can be used to\nestablish accountability for privileged actions that occur on the system." + "default": "Deleting privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful and unsuccessful privilege\n deletions are made, the events need to be logged. By logging the event, the\n modification or attempted modification can be investigated to determine if it\n was performed inadvertently or maliciously." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000343-AS-000030", - "gid": "V-62307", - "rid": "SV-76797r1_rule", - "stig_id": "JBOS-AS-000480", + "gtitle": "SRG-APP-000499-AS-000224", + "gid": "V-62331", + "rid": "SV-76821r1_rule", + "stig_id": "JBOS-AS-000695", "cci": [ - "CCI-002234" + "CCI-000172" ], "documentable": false, "nist": [ - "AC-6 (9)", + "AU-12 c", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\nRun the command:\n\n/core-service=management/access=audit:read-resource(recursive=true)\n\nUnder the \"logger\" => {audit-log} section of the returned response:\nIf \"enabled\" => false, this is a finding", - "fix": "Launch the jboss-cli management interface substituting standalone\nor domain for based upon the server installation.\n\n$JBOSS_HOME;//bin/jboss-cli\n\nconnect to the server and run the following command:\n\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)", - "fix_id": "F-68227r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing 
\"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68251r1_fix" }, - "code": "control 'V-62307' do\n title \"The Wildfly server must be configured to log all admin activity.\"\n desc \"\n In order to be able to provide a forensic history of activity, the\napplication server must ensure users who are granted a privileged role or those\nwho utilize a separate distinct account when accessing privileged functions or\ndata have their actions logged.\n\n If privileged activity is not logged, no forensic logs can be used to\nestablish accountability for privileged actions that occur on the system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000343-AS-000030'\n tag \"gid\": 'V-62307'\n tag \"rid\": 'SV-76797r1_rule'\n tag \"stig_id\": 'JBOS-AS-000480'\n tag \"cci\": ['CCI-002234']\n tag \"documentable\": false\n tag \"nist\": ['AC-6 (9)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\nRun the command:\n\n/core-service=management/access=audit:read-resource(recursive=true)\n\nUnder the \\\"logger\\\" => {audit-log} section of the returned response:\nIf \\\"enabled\\\" => false, this is a finding\"\n tag \"fix\": \"Launch the jboss-cli management interface substituting standalone\nor domain for based upon the server installation.\n\n$JBOSS_HOME;//bin/jboss-cli\n\nconnect to the server and run the following 
command:\n\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n tag \"fix_id\": 'F-68227r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server setting to log all admin activity' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62331' do\n title \"Wildfly must be configured to generate log records when\n successful/unsuccessful attempts to delete privileges occur.\"\n desc \"Deleting privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful and unsuccessful privilege\n deletions are made, the events need to be logged. By logging the event, the\n modification or attempted modification can be investigated to determine if it\n was performed inadvertently or maliciously.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000499-AS-000224'\n tag \"gid\": 'V-62331'\n tag \"rid\": 'SV-76821r1_rule'\n tag \"stig_id\": 'JBOS-AS-000695'\n tag \"cci\": ['CCI-000172']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n 
Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68251r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly setting: generate log records when successful/unsuccessful attempts to delete privileges occur' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62307.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62331.rb", "line": 1 }, - "id": "V-62307" + "id": "V-62331" }, { - "title": "The application server must prevent non-privileged users from\n executing privileged functions to include disabling, circumventing, or altering\n implemented security safeguards/countermeasures.", - "desc": "Preventing non-privileged users from executing privileged functions\nmitigates the risk that unauthorized individuals or processes may gain\nunnecessary access to information or privileges.\n\n Restricting non-privileged users also prevents an attacker who has gained\naccess to a non-privileged account, from elevating privileges, creating\naccounts, and performing system checks and maintenance.", + "title": "File permissions must be configured to protect log information from\nunauthorized modification.", + "desc": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When 
not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict\nmodification.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized modification.", "descriptions": { - "default": "Preventing non-privileged users from executing privileged functions\nmitigates the risk that unauthorized individuals or processes may gain\nunnecessary access to information or privileges.\n\n Restricting non-privileged users also prevents an attacker who has gained\naccess to a non-privileged account, from elevating privileges, creating\naccounts, and performing system checks and maintenance." + "default": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict\nmodification.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized modification." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000340-AS-000185", - "gid": "V-62305", - "rid": "SV-76795r1_rule", - "stig_id": "JBOS-AS-000475", + "gtitle": "SRG-APP-000119-AS-000079", + "gid": "V-62253", + "rid": "SV-76743r1_rule", + "stig_id": "JBOS-AS-000170", "cci": [ - "CCI-002235" + "CCI-000163" ], "documentable": false, "nist": [ - "AC-6 (10)", + "AU-9", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Run the following command:\n\n For standalone servers:\n \"ls /core-service=management/access=authorization/\"\n\n For managed domain installations:\n \"ls /host=master/core-service=management/access=authorization/\"\n\n If the \"provider\" attribute is not set to \"rbac\", this is a finding.", - "fix": "Run the following command.\n $JBOSS_HOME;/bin/jboss-cli.sh -c -> connect -> cd\n /core-service=management/access-authorization :write-attribute(name=provider,\n value=rbac)\n\n Restart Wildfly.\n\n Map users to roles by running the following command. Upper-case words are\n variables.\n\n role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)", - "fix_id": "F-68225r1_fix" + "check": "Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. 
The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to modify log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to modify log files.\n\nIf unauthorized users are allowed to modify log files, or if documentation that\nidentifies the users who are authorized to modify log files is missing, this is\na finding.", + "fix": "Configure the OS file permissions on the application server to\nprotect log information from unauthorized modification.", + "fix_id": "F-68173r1_fix" }, - "code": "control 'V-62305' do\n title \"The application server must prevent non-privileged users from\n executing privileged functions to include disabling, circumventing, or altering\n implemented security safeguards/countermeasures.\"\n desc \"\n Preventing non-privileged users from executing privileged functions\n mitigates the risk that unauthorized individuals or processes may gain\n unnecessary access to information or privileges.\n\n Restricting non-privileged users also prevents an attacker who has gained\n access to a non-privileged account, from elevating privileges, creating\n accounts, and performing system checks and maintenance.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000340-AS-000185'\n tag \"gid\": 'V-62305'\n tag \"rid\": 'SV-76795r1_rule'\n tag \"stig_id\": 'JBOS-AS-000475'\n tag \"cci\": ['CCI-002235']\n tag \"documentable\": false\n tag \"nist\": ['AC-6 (10)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Run the following command:\n\n For standalone servers:\n \\\"ls /core-service=management/access=authorization/\\\"\n\n For managed domain installations:\n \\\"ls 
/host=master/core-service=management/access=authorization/\\\"\n\n If the \\\"provider\\\" attribute is not set to \\\"rbac\\\", this is a finding.\"\n tag \"fix\": \"Run the following command.\n $JBOSS_HOME;/bin/jboss-cli.sh -c -> connect -> cd\n /core-service=management/access-authorization :write-attribute(name=provider,\n value=rbac)\n\n Restart Wildfly.\n\n Map users to roles by running the following command. Upper-case words are\n variables.\n\n role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)\"\n tag \"fix_id\": 'F-68225r1_fix'\n\n connect = input('connection')\n\n describe \"The wildfly application server's access authorization\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/\").stdout }\n it { should match(%r{provider=rbac}) }\n end\nend\n", + "code": "control 'V-62253' do\n title \"File permissions must be configured to protect log information from\nunauthorized modification.\"\n desc \"\n If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict\nmodification.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. 
Application servers must protect log information from\nunauthorized modification.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000119-AS-000079'\n tag \"gid\": 'V-62253'\n tag \"rid\": 'SV-76743r1_rule'\n tag \"stig_id\": 'JBOS-AS-000170'\n tag \"cci\": ['CCI-000163']\n tag \"documentable\": false\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"check\": \"Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to modify log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to modify log files.\n\nIf unauthorized users are allowed to modify log files, or if documentation that\nidentifies the users who are authorized to modify log files is missing, this is\na finding.\"\n tag \"fix\": \"Configure the OS file permissions on the application server to\nprotect log information from unauthorized modification.\"\n tag \"fix_id\": 'F-68173r1_fix'\n\n wildfly_group = input('wildfly_group')\n wildly_owner = input('wildly_owner')\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n its('owner') { should eq \"#{wildly_owner}\" }\n its('group') { should eq \"#{wildfly_group}\" }\n its('mode') { should cmp '0750' }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62305.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62253.rb", "line": 1 }, - "id": "V-62305" + "id": "V-62253" }, { - "title": "Wildfly must be configured to record the IP address and 
port information\nused by management interface network traffic.", - "desc": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct source, e.g., source IP, of the events is\nimportant during forensic analysis. Correctly determining the source will add\ninformation to the overall reconstruction of the loggable event. By\ndetermining the source of the event correctly, analysis of the enterprise can\nbe undertaken to determine if the event compromised other assets within the\nenterprise.\n\n Without sufficient information establishing the source of the logged event,\ninvestigation into the cause of event is severely hindered. Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.", + "title": "The Wildfly server must be configured to log all admin activity.", + "desc": "In order to be able to provide a forensic history of activity, the\napplication server must ensure users who are granted a privileged role or those\nwho utilize a separate distinct account when accessing privileged functions or\ndata have their actions logged.\n\n If privileged activity is not logged, no forensic logs can be used to\nestablish accountability for privileged actions that occur on the system.", "descriptions": { - "default": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct source, e.g., source IP, of the events is\nimportant during forensic analysis. 
Correctly determining the source will add\ninformation to the overall reconstruction of the loggable event. By\ndetermining the source of the event correctly, analysis of the enterprise can\nbe undertaken to determine if the event compromised other assets within the\nenterprise.\n\n Without sufficient information establishing the source of the logged event,\ninvestigation into the cause of event is severely hindered. Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked." + "default": "In order to be able to provide a forensic history of activity, the\napplication server must ensure users who are granted a privileged role or those\nwho utilize a separate distinct account when accessing privileged functions or\ndata have their actions logged.\n\n If privileged activity is not logged, no forensic logs can be used to\nestablish accountability for privileged actions that occur on the system." 
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000098-AS-000061",
- "gid": "V-62245",
- "rid": "SV-76735r1_rule",
- "stig_id": "JBOS-AS-000125",
+ "gtitle": "SRG-APP-000343-AS-000030",
+ "gid": "V-62307",
+ "rid": "SV-76797r1_rule",
+ "stig_id": "JBOS-AS-000480",
 "cci": [
- "CCI-000133"
+ "CCI-002234"
 ],
 "documentable": false,
 "nist": [
- "AU-3",
+ "AC-6 (9)",
 "Rev_4"
 ],
- "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.",
- "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"",
- "fix_id": "F-68165r1_fix"
+ "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\nRun the command:\n\n/core-service=management/access=audit:read-resource(recursive=true)\n\nUnder the 
\"logger\" => {audit-log} section of the returned response:\nIf \"enabled\" => false, this is a finding", + "fix": "Launch the jboss-cli management interface substituting standalone\nor domain for based upon the server installation.\n\n$JBOSS_HOME;//bin/jboss-cli\n\nconnect to the server and run the following command:\n\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)", + "fix_id": "F-68227r1_fix" }, - "code": "control 'V-62245' do\n title \"Wildfly must be configured to record the IP address and port information\nused by management interface network traffic.\"\n desc \"\n Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct source, e.g., source IP, of the events is\nimportant during forensic analysis. Correctly determining the source will add\ninformation to the overall reconstruction of the loggable event. By\ndetermining the source of the event correctly, analysis of the enterprise can\nbe undertaken to determine if the event compromised other assets within the\nenterprise.\n\n Without sufficient information establishing the source of the logged event,\ninvestigation into the cause of event is severely hindered. 
Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000098-AS-000061'\n tag \"gid\": 'V-62245'\n tag \"rid\": 'SV-76735r1_rule'\n tag \"stig_id\": 'JBOS-AS-000125'\n tag \"cci\": ['CCI-000133']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68165r1_fix'\n\n connect = input('connection')\n\n describe 'Wildfly record the IP address and port information used by management interface network traffic.' 
do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62307' do\n title \"The Wildfly server must be configured to log all admin activity.\"\n desc \"\n In order to be able to provide a forensic history of activity, the\napplication server must ensure users who are granted a privileged role or those\nwho utilize a separate distinct account when accessing privileged functions or\ndata have their actions logged.\n\n If privileged activity is not logged, no forensic logs can be used to\nestablish accountability for privileged actions that occur on the system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000343-AS-000030'\n tag \"gid\": 'V-62307'\n tag \"rid\": 'SV-76797r1_rule'\n tag \"stig_id\": 'JBOS-AS-000480'\n tag \"cci\": ['CCI-002234']\n tag \"documentable\": false\n tag \"nist\": ['AC-6 (9)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\nRun the command:\n\n/core-service=management/access=audit:read-resource(recursive=true)\n\nUnder the \\\"logger\\\" => {audit-log} section of the returned response:\nIf \\\"enabled\\\" => false, this is a finding\"\n tag \"fix\": \"Launch the jboss-cli management interface substituting standalone\nor domain for based upon the server installation.\n\n$JBOSS_HOME;//bin/jboss-cli\n\nconnect to the server and run the following command:\n\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n tag \"fix_id\": 'F-68227r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server setting to log all admin activity' 
do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62245.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62307.rb", "line": 1 }, - "id": "V-62245" + "id": "V-62307" }, { - "title": "Silent Authentication must be removed from the Default Management\nSecurity Realm.", - "desc": "Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability.", + "title": "The Wildfly Server must be configured to use certificates to\n authenticate admins.", + "desc": "Multifactor authentication creates a layered defense and makes it more\ndifficult for an unauthorized person to access the application server. If one\nfactor is compromised or broken, the attacker still has at least one more\nbarrier to breach before successfully breaking into the target. Unlike a\nsimple username/password scenario where the attacker could gain access by\nknowing both the username and password without the user knowing his account was\ncompromised, multifactor authentication adds the requirement that the attacker\nmust have something from the user, such as a token, or to biometrically be the\nuser.\n\n Multifactor authentication is defined as: using two or more factors to\nachieve authentication.\n\n Factors include:\n (i) something a user knows (e.g., password/PIN);\n (ii) something a user has (e.g., cryptographic identification device,\ntoken); or\n (iii) something a user is (e.g., biometric). 
A CAC or PKI Hardware Token\nmeets this definition.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user. These accounts would be capable of\naccessing the web management interface.\n\n When accessing the application server via a network connection,\nadministrative access to the application server must be PKI Hardware Token\nenabled or a DoD-approved soft certificate.", "descriptions": { - "default": "Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability." + "default": "Multifactor authentication creates a layered defense and makes it more\ndifficult for an unauthorized person to access the application server. If one\nfactor is compromised or broken, the attacker still has at least one more\nbarrier to breach before successfully breaking into the target. Unlike a\nsimple username/password scenario where the attacker could gain access by\nknowing both the username and password without the user knowing his account was\ncompromised, multifactor authentication adds the requirement that the attacker\nmust have something from the user, such as a token, or to biometrically be the\nuser.\n\n Multifactor authentication is defined as: using two or more factors to\nachieve authentication.\n\n Factors include:\n (i) something a user knows (e.g., password/PIN);\n (ii) something a user has (e.g., cryptographic identification device,\ntoken); or\n (iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token\nmeets this definition.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user. 
These accounts would be capable of\naccessing the web management interface.\n\n When accessing the application server via a network connection,\nadministrative access to the application server must be PKI Hardware Token\nenabled or a DoD-approved soft certificate."
+ },
+ "impact": 0,
+ "refs": [],
+ "tags": {
+ "gtitle": "SRG-APP-000149-AS-000102",
+ "gid": "V-62279",
+ "rid": "SV-76769r1_rule",
+ "stig_id": "JBOS-AS-000265",
+ "cci": [
+ "CCI-000765"
+ ],
+ "documentable": false,
+ "nist": [
+ "IA-2 (1)",
+ "Rev_4"
+ ],
+ "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Follow these steps:\n 1. Identify the security realm assigned to the management interfaces by using\n the following command:\n\n For standalone systems:\n \"ls /core-service=management/management-interface=\"\n\n For managed domain systems:\n \"ls\n /host=master/core-service=management/management-interface=\"\n\n Document the name of the security-realm associated with each management\n interface.\n\n 2. 
Review the security realm using the command:\n\n For standalone systems:\n \"ls\n /core-service=management/security-realm=/authentication\"\n\n For managed domains:\n \"ls\n /host=master/core-service=management/security-realm=/authentication\"\n\n If the command in step 2 does not return a security realm that uses\n certificates for authentication, this is a finding.", + "fix": "Configure the application server to authenticate privileged users\n via multifactor/certificate-based authentication mechanisms when using network\n access to the management interface.", + "fix_id": "F-68199r1_fix" + }, + "code": "control 'V-62279' do\n title \"The Wildfly Server must be configured to use certificates to\n authenticate admins.\"\n desc \"\n Multifactor authentication creates a layered defense and makes it more\n difficult for an unauthorized person to access the application server. If one\n factor is compromised or broken, the attacker still has at least one more\n barrier to breach before successfully breaking into the target. Unlike a\n simple username/password scenario where the attacker could gain access by\n knowing both the username and password without the user knowing his account was\n compromised, multifactor authentication adds the requirement that the attacker\n must have something from the user, such as a token, or to biometrically be the\n user.\n\n Multifactor authentication is defined as: using two or more factors to\n achieve authentication.\n\n Factors include:\n (i) something a user knows (e.g., password/PIN);\n (ii) something a user has (e.g., cryptographic identification device,\n token); or\n (iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token\n meets this definition.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user. 
These accounts would be capable of\n accessing the web management interface.\n\n When accessing the application server via a network connection,\n administrative access to the application server must be PKI Hardware Token\n enabled or a DoD-approved soft certificate.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000149-AS-000102'\n tag \"gid\": 'V-62279'\n tag \"rid\": 'SV-76769r1_rule'\n tag \"stig_id\": 'JBOS-AS-000265'\n tag \"cci\": ['CCI-000765']\n tag \"documentable\": false\n tag \"nist\": ['IA-2 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Follow these steps:\n 1. Identify the security realm assigned to the management interfaces by using\n the following command:\n\n For standalone systems:\n \\\"ls /core-service=management/management-interface=\\\"\n\n For managed domain systems:\n \\\"ls\n /host=master/core-service=management/management-interface=\\\"\n\n Document the name of the security-realm associated with each management\n interface.\n\n 2. 
Review the security realm using the command:\n\n For standalone systems:\n \\\"ls\n /core-service=management/security-realm=/authentication\\\"\n\n For managed domains:\n \\\"ls\n /host=master/core-service=management/security-realm=/authentication\\\"\n\n If the command in step 2 does not return a security realm that uses\n certificates for authentication, this is a finding.\"\n tag \"fix\": \"Configure the application server to authenticate privileged users\n via multifactor/certificate-based authentication mechanisms when using network\n access to the management interface.\"\n tag \"fix_id\": 'F-68199r1_fix'\n\n connect = input('connection')\n\n mgmt_interfaces = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=\").stdout.split(\"\\n\")\n\n mgmt_interfaces.each do |interface|\n\n security_realms = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=\").stdout.split(\"\\n\")\n security_realms.each do |realm|\n\n get_authentication = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=#{realm}/authentication\").stdout\n http_enabled = describe command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=http-interface\") .stdout\n\n describe.one do\n describe \"The wildfly server authentication for security realm #{realm}\" do\n subject { get_authentication }\n it { should match /truststore/ }\n end\n describe \"The wildfly server authentication for security realm #{realm}\" do\n subject { http_enabled }\n it { should match(%r{console-enabled=false}) }\n end\n end\n end\n end\n if mgmt_interfaces.empty?\n impact 0.0\n describe 'There are no wildfly management realms, therefore this control is not applicable' do\n skip 'There are no wildfly management 
realms, therefore this control is not applicable'\n end\n end\nend\n",
+ "source_location": {
+ "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62279.rb",
+ "line": 1
+ },
+ "id": "V-62279"
+ },
+ {
+ "title": "Wildfly process owner execution permissions must be limited.",
+ "desc": "Wildfly EAP application server can be run as the OS admin, which is not\n advised. Running the application server with admin privileges increases the\n attack surface by granting the application server more rights than it requires\n in order to operate. If the server is compromised, the attacker will have the\n same rights as the application server, which in that case would be admin\n rights. The Wildfly EAP server must not be run as the admin user.",
+ "descriptions": {
+ "default": "Wildfly EAP application server can be run as the OS admin, which is not\n advised. Running the application server with admin privileges increases the\n attack surface by granting the application server more rights than it requires\n in order to operate. If the server is compromised, the attacker will have the\n same rights as the application server, which in that case would be admin\n rights. The Wildfly EAP server must not be run as the admin user." 
 },
 "impact": 0.7,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000033-AS-000024",
- "gid": "V-62223",
- "rid": "SV-76713r1_rule",
- "stig_id": "JBOS-AS-000050",
+ "gtitle": "SRG-APP-000141-AS-000095",
+ "gid": "V-62265",
+ "rid": "SV-76755r1_rule",
+ "stig_id": "JBOS-AS-000230",
 "cci": [
- "CCI-000213"
+ "CCI-000381"
 ],
 "documentable": false,
 "nist": [
- "AC-3",
+ "CM-7 a",
 "Rev_4"
 ],
- "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nVerify that Silent Authentication has been removed from the default Management\nsecurity realm.\nRun the following command.\n\nFor standalone servers run the following command:\n\"ls /core-service=management/securityrealm=ManagementRealm/authentication\"\n\nFor managed domain installations run the following command:\n\"ls\n/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication\"\n\nIf \"local\" is returned, this is a finding.",
- "fix": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRemove the local element from the Management Realm.\nFor standalone servers run the following command:\n/core-service=management/securityrealm=\nManagementRealm/authentication=local:remove\n\nFor managed domain installations run the following command:\n/host=HOST_NAME/core-service=management/securityrealm=\nManagementRealm/authentication=local:remove",
- "fix_id": "F-68143r1_fix"
+ "check": "The script that is used to start Wildfly determines the mode in\n which Wildfly will operate, which will be in either in standalone mode or domain\n mode. 
Both scripts are installed by default in the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n In addition to running the Wildfly server as an interactive script launched from\n the command line, Wildfly can also be started as a service.\n\n The scripts used to start Wildfly are:\n Red Hat:\n standalone.sh\n domain.sh\n\n Windows:\n standalone.bat\n domain.bat\n\n Use the relevant OS commands to determine JBoss ownership.\n\n When running as a process:\n Red Hat: \"ps -ef|grep -i jboss\".\n Windows: \"services.msc\".\n\n Search for the Wildfly process, which by default is named \"Wildfly\".\n\n If the user account used to launch the Wildfly script or start the Wildfly process\n has admin rights on the system, this is a finding.", + "fix": "Run the JBoss server with non-admin rights.", + "fix_id": "F-68185r1_fix" }, - "code": "control 'V-62223' do\n title \"Silent Authentication must be removed from the Default Management\nSecurity Realm.\"\n desc \"Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. 
This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62223'\n tag \"rid\": 'SV-76713r1_rule'\n tag \"stig_id\": 'JBOS-AS-000050'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nVerify that Silent Authentication has been removed from the default Management\nsecurity realm.\nRun the following command.\n\nFor standalone servers run the following command:\n\\\"ls /core-service=management/securityrealm=ManagementRealm/authentication\\\"\n\nFor managed domain installations run the following command:\n\\\"ls\n/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication\\\"\n\nIf \\\"local\\\" is returned, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRemove the local element from the Management Realm.\nFor standalone servers run the following command:\n/core-service=management/securityrealm=\nManagementRealm/authentication=local:remove\n\nFor managed domain installations run the following command:\n/host=HOST_NAME/core-service=management/securityrealm=\nManagementRealm/authentication=local:remove\"\n tag \"fix_id\": 'F-68143r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly default management security realm silent authentication' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh 
#{connect} --commands=ls\\\\ /core-service=management/security-realm=ManagementRealm/authentication\").stdout }\n it { should_not match(%r{local}) }\n end\nend\n", + "code": "control 'V-62265' do\n title \"Wildfly process owner execution permissions must be limited.\"\n desc \"Wildfly EAP application server can be run as the OS admin, which is not\n advised. Running the application server with admin privileges increases the\n attack surface by granting the application server more rights than it requires\n in order to operate. If the server is compromised, the attacker will have the\n same rights as the application server, which in that case would be admin\n rights. The Wildfly EAP server must not be run as the admin user.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62265'\n tag \"rid\": 'SV-76755r1_rule'\n tag \"stig_id\": 'JBOS-AS-000230'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"The script that is used to start Wildfly determines the mode in\n which Wildfly will operate, which will be in either in standalone mode or domain\n mode. 
Both scripts are installed by default in the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n In addition to running the Wildfly server as an interactive script launched from\n the command line, Wildfly can also be started as a service.\n\n The scripts used to start Wildfly are:\n Red Hat:\n standalone.sh\n domain.sh\n\n Windows:\n standalone.bat\n domain.bat\n\n Use the relevant OS commands to determine JBoss ownership.\n\n When running as a process:\n Red Hat: \\\"ps -ef|grep -i jboss\\\".\n Windows: \\\"services.msc\\\".\n\n Search for the Wildfly process, which by default is named \\\"Wildfly\\\".\n\n If the user account used to launch the Wildfly script or start the Wildfly process\n has admin rights on the system, this is a finding.\"\n tag \"fix\": \"Run the JBoss server with non-admin rights.\"\n tag \"fix_id\": 'F-68185r1_fix'\n\n user = command(\"ps -ef | grep #{input('jboss_process_name')} | grep -v inspec | grep -v grep | awk '{print $1}'|uniq\").stdout.split(\"\\n\")\n\n describe 'The wildly process owner' do\n subject { command(\"ps -ef | grep #{input('jboss_process_name')} | grep -v inspec | grep -v grep | awk '{print $1}'|uniq\").stdout }\n it { should_not match(%r{root}) }\n end\n\n user.each do |users|\n group = command(\"id -gn #{users} \").stdout.split(\"\\n\")\n\n group.each do |group|\n\n describe \"The wildfly process owner: #{users}\\'s group\" do\n subject { group }\n it { should_not eq 'root' }\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62223.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62265.rb", "line": 1 }, - "id": "V-62223" + "id": "V-62265" }, { - "title": "HTTP management session traffic must be encrypted.", - "desc": "Types of management interfaces utilized by the Wildfly EAP application server\ninclude web-based HTTP interfaces as well as command line-based management\ninterfaces. 
In the event remote HTTP management is required, the access must\nbe via HTTPS.\n\n This requirement is in conjunction with the requirement to isolate all\nmanagement access to a restricted network.", + "title": "The Wildfly Password Vault must be used for storing passwords or other\n sensitive configuration information.", + "desc": "Wildfly has a Password Vault to encrypt sensitive strings, store\n them in an encrypted keystore, and decrypt them for applications and\n verification systems. Plain-text configuration files, such as XML deployment\n descriptors, need to specify passwords and other sensitive information. Use the\n Wildfly EAP Password Vault to securely store sensitive strings in plain-text\n files.", "descriptions": { - "default": "Types of management interfaces utilized by the Wildfly EAP application server\ninclude web-based HTTP interfaces as well as command line-based management\ninterfaces. In the event remote HTTP management is required, the access must\nbe via HTTPS.\n\n This requirement is in conjunction with the requirement to isolate all\nmanagement access to a restricted network." + "default": "Wildfly has a Password Vault to encrypt sensitive strings, store\n them in an encrypted keystore, and decrypt them for applications and\n verification systems. Plain-text configuration files, such as XML deployment\n descriptors, need to specify passwords and other sensitive information. Use the\n Wildfly EAP Password Vault to securely store sensitive strings in plain-text\n files." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000014-AS-000009", - "gid": "V-62073", - "rid": "SV-76563r1_rule", - "stig_id": "JBOS-AS-000010", + "gtitle": "SRG-APP-000171-AS-000119", + "gid": "V-62287", + "rid": "SV-76777r1_rule", + "stig_id": "JBOS-AS-000295", "cci": [ - "CCI-000068" + "CCI-000196" ], "documentable": false, "nist": [ - "AC-17 (2)", + "IA-5 (1) (c)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly. Using the relevant OS commands and syntax, cd to the\n$JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nRun the jboss-cli script. Connect to the server and authenticate.\n\nFor a standalone configuration run the following command:\n\"ls /core-service=management/management-interface=http-interface\"\n\nIf \"secure-socket-binding\"=undefined, this is a finding.\n\nFor a domain configuration run the following command:\n\"ls /host=master/core-service=management/management-interface=http-interface\"\n\nIf \"secure-port\" is undefined, this is a finding.", - "fix": "Follow the specific instructions in the Red Hat Security Guide\nfor EAP version 6.3 to configure the management console for HTTPS.\n\nThis involves the following steps.\n1. Create a keystore in JKS format.\n2. Ensure the management console binds to HTTPS.\n3. Create a new Security Realm.\n4. Configure Management Interface to use new security realm.\n5. Configure the management console to use the keystore.\n6. 
Restart the EAP server.", - "fix_id": "F-67993r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n \"ls /core-service=vault\"\n\n If \"code=undefined\" and \"module=undefined\",\n this is a finding.", + "fix": "Configure the application server to use the java keystore and\n Wildfly vault as per section 11.13.1 -Password Vault System in the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create a java keystore.\n 2. Mask the keystore password and initialize the password vault.\n 3. Configure JBoss to use the password vault.", + "fix_id": "F-68207r1_fix" }, - "code": "control 'V-62073' do\n title \"HTTP management session traffic must be encrypted.\"\n desc \"\n Types of management interfaces utilized by the Wildfly EAP application server\ninclude web-based HTTP interfaces as well as command line-based management\ninterfaces. In the event remote HTTP management is required, the access must\nbe via HTTPS.\n\n This requirement is in conjunction with the requirement to isolate all\nmanagement access to a restricted network.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000014-AS-000009'\n tag \"gid\": 'V-62073'\n tag \"rid\": 'SV-76563r1_rule'\n tag \"stig_id\": 'JBOS-AS-000010'\n tag \"cci\": ['CCI-000068']\n tag \"documentable\": false\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly. Using the relevant OS commands and syntax, cd to the\n$JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nRun the jboss-cli script. 
Connect to the server and authenticate.\n\nFor a standalone configuration run the following command:\n\\\"ls /core-service=management/management-interface=http-interface\\\"\n\nIf \\\"secure-socket-binding\\\"=undefined, this is a finding.\n\nFor a domain configuration run the following command:\n\\\"ls /host=master/core-service=management/management-interface=http-interface\\\"\n\nIf \\\"secure-port\\\" is undefined, this is a finding.\"\n tag \"fix\": \"Follow the specific instructions in the Red Hat Security Guide\nfor EAP version 6.3 to configure the management console for HTTPS.\n\nThis involves the following steps.\n1. Create a keystore in JKS format.\n2. Ensure the management console binds to HTTPS.\n3. Create a new Security Realm.\n4. Configure Management Interface to use new security realm.\n5. Configure the management console to use the keystore.\n6. Restart the EAP server.\"\n tag \"fix_id\": 'F-67993r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly HTTP management session traffic configuration' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=http-interface\").stdout }\n it { should_not match /secure-socket-binding=undefined/ }\n end\nend\n", + "code": "control 'V-62287' do\n title \"The Wildfly Password Vault must be used for storing passwords or other\n sensitive configuration information.\"\n desc \"Wildfly has a Password Vault to encrypt sensitive strings, store\n them in an encrypted keystore, and decrypt them for applications and\n verification systems. Plain-text configuration files, such as XML deployment\n descriptors, need to specify passwords and other sensitive information. 
Use the\n Wildfly EAP Password Vault to securely store sensitive strings in plain-text\n files.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000171-AS-000119'\n tag \"gid\": 'V-62287'\n tag \"rid\": 'SV-76777r1_rule'\n tag \"stig_id\": 'JBOS-AS-000295'\n tag \"cci\": ['CCI-000196']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n \\\"ls /core-service=vault\\\"\n\n If \\\"code=undefined\\\" and \\\"module=undefined\\\",\n this is a finding.\"\n tag \"fix\": \"Configure the application server to use the java keystore and\n Wildfly vault as per section 11.13.1 -Password Vault System in the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create a java keystore.\n 2. Mask the keystore password and initialize the password vault.\n 3. 
Configure JBoss to use the password vault.\"\n tag \"fix_id\": 'F-68207r1_fix'\n\n connect = input('connection')\n\n code = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=vault\").stdout\n vault_module = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=vault\").stdout\n vault_options = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=vault\").stdout\n\n describe 'The wildfly password vault code' do\n subject { code }\n it { should_not match(%r{code=undefined}) }\n end\n describe 'The wildfly password vault module' do\n subject { vault_module }\n it { should_not match(%r{module=undefined}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62073.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62287.rb", "line": 1 }, - "id": "V-62073" + "id": "V-62287" }, { - "title": "Production Wildfly servers must log when failed application deployments\n occur.", - "desc": "Without logging the enforcement of access restrictions against changes to\nthe application server configuration, it will be difficult to identify\nattempted attacks, and a log trail will not be available for forensic\ninvestigation for after-the-fact actions. Configuration changes may occur to\nany of the modules within the application server through the management\ninterface, but logging of actions to the configuration of a module outside the\napplication server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\nunauthorized changes to configuration settings. Enforcement action methods may\nbe as simple as denying access to a file based on the application of file\npermissions (access restriction). 
Log items may consist of lists of actions\nblocked by access restrictions or changes identified after the fact.", + "title": "Wildfly must be configured to use an approved TLS version.", + "desc": "Preventing the disclosure of transmitted information requires that the\napplication server take measures to employ some form of cryptographic mechanism\nin order to protect the information during transmission. This is usually\nachieved through the use of Transport Layer Security (TLS).\n\n Wildlfy relies on the underlying SSL implementation running on the OS. This\ncan be either Java based or OpenSSL. The SSL protocol setting determines which\nSSL protocol is used. SSL has known security vulnerabilities, so TLS should be\nused instead.\n\n If data is transmitted unencrypted, the data then becomes vulnerable to\ndisclosure. The disclosure may reveal user identifier/password combinations,\nwebsite code revealing business logic, or other user personal information.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\nNIST SP 800-52 specifies the preferred configurations for government systems.", "descriptions": { - "default": "Without logging the enforcement of access restrictions against changes to\nthe application server configuration, it will be difficult to identify\nattempted attacks, and a log trail will not be available for forensic\ninvestigation for after-the-fact actions. Configuration changes may occur to\nany of the modules within the application server through the management\ninterface, but logging of actions to the configuration of a module outside the\napplication server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\nunauthorized changes to configuration settings. Enforcement action methods may\nbe as simple as denying access to a file based on the application of file\npermissions (access restriction). 
Log items may consist of lists of actions\nblocked by access restrictions or changes identified after the fact." + "default": "Preventing the disclosure of transmitted information requires that the\napplication server take measures to employ some form of cryptographic mechanism\nin order to protect the information during transmission. This is usually\nachieved through the use of Transport Layer Security (TLS).\n\n Wildlfy relies on the underlying SSL implementation running on the OS. This\ncan be either Java based or OpenSSL. The SSL protocol setting determines which\nSSL protocol is used. SSL has known security vulnerabilities, so TLS should be\nused instead.\n\n If data is transmitted unencrypted, the data then becomes vulnerable to\ndisclosure. The disclosure may reveal user identifier/password combinations,\nwebsite code revealing business logic, or other user personal information.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\nNIST SP 800-52 specifies the preferred configurations for government systems." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000381-AS-000089", - "gid": "V-62313", - "rid": "SV-76803r1_rule", - "stig_id": "JBOS-AS-000550", + "gtitle": "SRG-APP-000439-AS-000155", + "gid": "V-62321", + "rid": "SV-76811r2_rule", + "stig_id": "JBOS-AS-000650", "cci": [ - "CCI-001814" + "CCI-002418" ], "documentable": false, "nist": [ - "CM-5 (1)", + "SC-8", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /core-service=management/access=audit/logger=audit-log\n\n If \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli management interface substituting standalone\n or domain for based upon the server installation.\n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the following command:\n\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)", - "fix_id": "F-68233r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Validate that the TLS protocol is used for HTTPS connections.\n Run the command:\n\n \"ls /subsystem=web/connector=https/ssl=configuration\"\n\n If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.", + "fix": "Reference section 4.6 of the Wildfly Security Guide located\n on the Red Hat vendor's web site for step-by-step instructions on establishing\n SSL encryption on Wildfly.\n\n The overall steps include:\n\n 1. Add an HTTPS connector.\n 2. Configure the SSL encryption certificate and keys.\n 3. 
Set the protocol to TLS V1.1 or V1.2.", + "fix_id": "F-68241r1_fix" }, - "code": "control 'V-62313' do\n title \"Production Wildfly servers must log when failed application deployments\n occur.\"\n desc \"\n Without logging the enforcement of access restrictions against changes to\n the application server configuration, it will be difficult to identify\n attempted attacks, and a log trail will not be available for forensic\n investigation for after-the-fact actions. Configuration changes may occur to\n any of the modules within the application server through the management\n interface, but logging of actions to the configuration of a module outside the\n application server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\n unauthorized changes to configuration settings. Enforcement action methods may\n be as simple as denying access to a file based on the application of file\n permissions (access restriction). Log items may consist of lists of actions\n blocked by access restrictions or changes identified after the fact.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000381-AS-000089'\n tag \"gid\": 'V-62313'\n tag \"rid\": 'SV-76803r1_rule'\n tag \"stig_id\": 'JBOS-AS-000550'\n tag \"cci\": ['CCI-001814']\n tag \"documentable\": false\n tag \"nist\": ['CM-5 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /core-service=management/access=audit/logger=audit-log\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface substituting standalone\n or domain for based upon the server installation.\n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the following command:\n\n 
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n tag \"fix_id\": 'F-68233r1_fix'\n\n connect = input('connection')\n\n describe 'The Wildfly server setting: log when failed application deployments occur' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62321' do\n title \"Wildfly must be configured to use an approved TLS version.\"\n desc \"\n Preventing the disclosure of transmitted information requires that the\n application server take measures to employ some form of cryptographic mechanism\n in order to protect the information during transmission. This is usually\n achieved through the use of Transport Layer Security (TLS).\n\n Wildlfy relies on the underlying SSL implementation running on the OS. This\n can be either Java based or OpenSSL. The SSL protocol setting determines which\n SSL protocol is used. SSL has known security vulnerabilities, so TLS should be\n used instead.\n\n If data is transmitted unencrypted, the data then becomes vulnerable to\n disclosure. 
The disclosure may reveal user identifier/password combinations,\n website code revealing business logic, or other user personal information.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\n NIST SP 800-52 specifies the preferred configurations for government systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000439-AS-000155'\n tag \"gid\": 'V-62321'\n tag \"rid\": 'SV-76811r2_rule'\n tag \"stig_id\": 'JBOS-AS-000650'\n tag \"cci\": ['CCI-002418']\n tag \"documentable\": false\n tag \"nist\": ['SC-8', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Validate that the TLS protocol is used for HTTPS connections.\n Run the command:\n\n \\\"ls /subsystem=web/connector=https/ssl=configuration\\\"\n\n If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.\"\n tag \"fix\": \"Reference section 4.6 of the Wildfly Security Guide located\n on the Red Hat vendor's web site for step-by-step instructions on establishing\n SSL encryption on Wildfly.\n\n The overall steps include:\n\n 1. Add an HTTPS connector.\n 2. Configure the SSL encryption certificate and keys.\n 3. 
Set the protocol to TLS V1.1 or V1.2.\"\n tag \"fix_id\": 'F-68241r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly enabled TLS versions' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/https-listener=https/\").stdout }\n it { should match(%r{enabled-protocols=TLSv1.[12]}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62313.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62321.rb", "line": 1 }, - "id": "V-62313" + "id": "V-62321" }, { - "title": "Wildfly process owner interactive access must be restricted.", - "desc": "Wildfly does not require admin rights to operate and should be run as a\n regular user. In addition, if the user account was to be compromised and the\n account was allowed interactive logon rights, this would increase the risk and\n attack surface against the Wildfly system. The right to interactively log on to\n the system using the Wildfly account should be limited according to the OS\n capabilities.", + "title": "Wildfly log records must be off-loaded onto a different system or system\ncomponent a minimum of every seven days.", + "desc": "Wildfly logs by default are written to the local file system. A centralized\nlogging solution like syslog should be used whenever possible; however, any log\ndata stored to the file system needs to be off-loaded. Wildfly EAP does not\nprovide an automated backup capability. Instead, reliance is placed on OS or\nthird-party tools to back up or off-load the log files.\n\n Protection of log data includes assuring log data is not accidentally lost\nor deleted. 
Off-loading log records to a different system or onto separate\nmedia from the system the application server is actually running on helps to\nassure that, in the event of a catastrophic system failure, the log records\nwill be retained.", "descriptions": { - "default": "Wildfly does not require admin rights to operate and should be run as a\n regular user. In addition, if the user account was to be compromised and the\n account was allowed interactive logon rights, this would increase the risk and\n attack surface against the Wildfly system. The right to interactively log on to\n the system using the Wildfly account should be limited according to the OS\n capabilities." + "default": "Wildfly logs by default are written to the local file system. A centralized\nlogging solution like syslog should be used whenever possible; however, any log\ndata stored to the file system needs to be off-loaded. Wildfly EAP does not\nprovide an automated backup capability. Instead, reliance is placed on OS or\nthird-party tools to back up or off-load the log files.\n\n Protection of log data includes assuring log data is not accidentally lost\nor deleted. Off-loading log records to a different system or onto separate\nmedia from the system the application server is actually running on helps to\nassure that, in the event of a catastrophic system failure, the log records\nwill be retained." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000141-AS-000095", - "gid": "V-62261", - "rid": "SV-76751r1_rule", - "stig_id": "JBOS-AS-000220", + "gtitle": "SRG-APP-000125-AS-000084", + "gid": "V-62257", + "rid": "SV-76747r1_rule", + "stig_id": "JBOS-AS-000195", "cci": [ - "CCI-000381" + "CCI-001348" ], "documentable": false, "nist": [ - "CM-7 a", + "AU-9 (2)", "Rev_4" ], - "check": "Identify the user account used to run the Wildfly server. Use\n relevant OS commands to determine logon rights to the system. 
This account\n should not have full shell/interactive access to the system.\n\n If the user account used to operate Wildfly can log on interactively, this is a\n finding.", - "fix": "Use the relevant OS commands to restrict Wildfly user account from\n interactively logging on to the console of the Wildfly system.\n\n For Windows systems, use GPO.\n\n For UNIX like systems using ssh DenyUsers or follow established\n procedure for restricting access.", - "fix_id": "F-68181r1_fix" + "check": "Interview the system admin and obtain details on how the log\nfiles are being off-loaded to a different system or media.\n\nIf the log files are not off-loaded a minimum of every 7 days, this is a\nfinding.", + "fix": "Configure the application server to off-load log records every\nseven days onto a different system or media from the system being logged.", + "fix_id": "F-68177r1_fix" }, - "code": "control 'V-62261' do\n title \"Wildfly process owner interactive access must be restricted.\"\n desc \"Wildfly does not require admin rights to operate and should be run as a\n regular user. In addition, if the user account was to be compromised and the\n account was allowed interactive logon rights, this would increase the risk and\n attack surface against the Wildfly system. The right to interactively log on to\n the system using the Wildfly account should be limited according to the OS\n capabilities.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62261'\n tag \"rid\": 'SV-76751r1_rule'\n tag \"stig_id\": 'JBOS-AS-000220'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Identify the user account used to run the Wildfly server. Use\n relevant OS commands to determine logon rights to the system. 
This account\n should not have full shell/interactive access to the system.\n\n If the user account used to operate Wildfly can log on interactively, this is a\n finding.\"\n tag \"fix\": \"Use the relevant OS commands to restrict Wildfly user account from\n interactively logging on to the console of the Wildfly system.\n\n For Windows systems, use GPO.\n\n For UNIX like systems using ssh DenyUsers or follow established\n procedure for restricting access.\"\n tag \"fix_id\": 'F-68181r1_fix'\n wildfly_process_owners = command(\"ps -aux | grep wildfly | grep -v 'color=auto wildfly' | grep -v chef | grep -v grep | awk '{print $1}'\").stdout.split(\"\\n\")\n\n if wildfly_process_owners.empty?\n impact 0.0\n describe 'There are no wildfly process owners' do\n skip 'There are no wildfly process owners, therfore this control is N/A'\n end\n end\n\n if !wildfly_process_owners.empty?\n wildfly_process_owners.each do |owner|\n get_shell_bin_false = command(\"awk -F : '$1 == \\\"#{owner}\\\" { print $7}' /etc/passwd\").stdout\n get_shell_sbin_nologin = command(\"awk -F : '$1 == \\\"#{owner}\\\" { print $7}' /etc/passwd\").stdout\n get_shell_usr_sbin_nologin = command(\"awk -F : '$1 == \\\"#{owner}\\\" { print $7}' /etc/passwd\").stdout\n\n describe.one do\n describe \"The wildfly process owner: #{owner}\\'s shell/interactive access\" do\n subject { get_shell_bin_false }\n it { should match(%r{/bin/false}) }\n end\n describe \"The wildfly process owner: #{owner}\\'s shell/interactive access\" do\n subject { get_shell_sbin_nologin }\n it { should match(%r{/sbin/nologin}) }\n end\n describe \"The wildfly process owner: #{owner}\\'s shell/interactive access\" do\n subject { get_shell_usr_sbin_nologin }\n it { should match(%r{/usr/sbin/nologin}) }\n end\n end\n end\n end\nend\n", + "code": "control 'V-62257' do\n title \"Wildfly log records must be off-loaded onto a different system or system\ncomponent a minimum of every seven days.\"\n desc \"\n Wildfly logs by default are 
written to the local file system. A centralized\nlogging solution like syslog should be used whenever possible; however, any log\ndata stored to the file system needs to be off-loaded. Wildfly EAP does not\nprovide an automated backup capability. Instead, reliance is placed on OS or\nthird-party tools to back up or off-load the log files.\n\n Protection of log data includes assuring log data is not accidentally lost\nor deleted. Off-loading log records to a different system or onto separate\nmedia from the system the application server is actually running on helps to\nassure that, in the event of a catastrophic system failure, the log records\nwill be retained.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000125-AS-000084'\n tag \"gid\": 'V-62257'\n tag \"rid\": 'SV-76747r1_rule'\n tag \"stig_id\": 'JBOS-AS-000195'\n tag \"cci\": ['CCI-001348']\n tag \"documentable\": false\n tag \"nist\": ['AU-9 (2)', 'Rev_4']\n tag \"check\": \"Interview the system admin and obtain details on how the log\nfiles are being off-loaded to a different system or media.\n\nIf the log files are not off-loaded a minimum of every 7 days, this is a\nfinding.\"\n tag \"fix\": \"Configure the application server to off-load log records every\nseven days onto a different system or media from the system being logged.\"\n tag \"fix_id\": 'F-68177r1_fix'\n\n connect = input('connection')\n describe \"The wildfly syslog-handler configuration\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=logging/syslog-handler=\").stdout }\n it { should_not eq '' }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62261.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62257.rb", "line": 1 }, - "id": "V-62261" + "id": "V-62257" }, { - "title": "Wildfly process owner execution permissions must be limited.", - "desc": "Wildfly EAP application server can be run as the OS admin, which is not\n advised. 
Running the application server with admin privileges increases the\n attack surface by granting the application server more rights than it requires\n in order to operate. If the server is compromised, the attacker will have the\n same rights as the application server, which in that case would be admin\n rights. The Wildfly EAP server must not be run as the admin user.", + "title": "mgmt-users.properties file permissions must be set to allow access to\nauthorized users only.", + "desc": "The mgmt-users.properties file contains the password hashes of all\nusers who are in a management role and must be protected. Application servers\nhave the ability to specify that the hosted applications utilize shared\nlibraries. The application server must have a capability to divide roles based\nupon duties wherein one project user (such as a developer) cannot modify the\nshared library code of another project user. The application server must also\nbe able to specify that non-privileged users cannot modify any shared library\ncode at all.", "descriptions": { - "default": "Wildfly EAP application server can be run as the OS admin, which is not\n advised. Running the application server with admin privileges increases the\n attack surface by granting the application server more rights than it requires\n in order to operate. If the server is compromised, the attacker will have the\n same rights as the application server, which in that case would be admin\n rights. The Wildfly EAP server must not be run as the admin user." + "default": "The mgmt-users.properties file contains the password hashes of all\nusers who are in a management role and must be protected. Application servers\nhave the ability to specify that the hosted applications utilize shared\nlibraries. The application server must have a capability to divide roles based\nupon duties wherein one project user (such as a developer) cannot modify the\nshared library code of another project user. 
The application server must also\nbe able to specify that non-privileged users cannot modify any shared library\ncode at all." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000141-AS-000095", - "gid": "V-62265", - "rid": "SV-76755r1_rule", - "stig_id": "JBOS-AS-000230", + "gtitle": "SRG-APP-000133-AS-000092", + "gid": "V-62259", + "rid": "SV-76749r1_rule", + "stig_id": "JBOS-AS-000210", "cci": [ - "CCI-000381" + "CCI-001499" ], "documentable": false, "nist": [ - "CM-7 a", + "CM-5 (6)", "Rev_4" ], - "check": "The script that is used to start Wildfly determines the mode in\n which Wildfly will operate, which will be in either in standalone mode or domain\n mode. Both scripts are installed by default in the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n In addition to running the Wildfly server as an interactive script launched from\n the command line, Wildfly can also be started as a service.\n\n The scripts used to start Wildfly are:\n Red Hat:\n standalone.sh\n domain.sh\n\n Windows:\n standalone.bat\n domain.bat\n\n Use the relevant OS commands to determine JBoss ownership.\n\n When running as a process:\n Red Hat: \"ps -ef|grep -i jboss\".\n Windows: \"services.msc\".\n\n Search for the Wildfly process, which by default is named \"Wildfly\".\n\n If the user account used to launch the Wildfly script or start the Wildfly process\n has admin rights on the system, this is a finding.", - "fix": "Run the JBoss server with non-admin rights.", - "fix_id": "F-68185r1_fix" + "check": "The mgmt-users.properties files are located in the standalone\nor domain configuration folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\n$JBOSS_HOME;/domain/configuration/mgmt-users.properties.\n$JBOSS_HOME;/standalone/configuration/mgmt-users.properties.\n\nIdentify users who have access to the files using relevant OS commands.\n\nObtain documentation from system admin identifying authorized users.\n\nOwner can be full 
access.\nGroup can be full access.\nAll others must have execute permissions only.\n\nIf the file permissions are not configured so as to restrict access to only\nauthorized users, or if documentation that identifies authorized users is\nmissing, this is a finding.", + "fix": "Configure the file permissions to allow access to authorized\nusers only.\nOwner can be full access.\nGroup can be full access.\nAll others must have execute permissions only.", + "fix_id": "F-68179r1_fix" }, - "code": "control 'V-62265' do\n title \"Wildfly process owner execution permissions must be limited.\"\n desc \"Wildfly EAP application server can be run as the OS admin, which is not\n advised. Running the application server with admin privileges increases the\n attack surface by granting the application server more rights than it requires\n in order to operate. If the server is compromised, the attacker will have the\n same rights as the application server, which in that case would be admin\n rights. The Wildfly EAP server must not be run as the admin user.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62265'\n tag \"rid\": 'SV-76755r1_rule'\n tag \"stig_id\": 'JBOS-AS-000230'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"The script that is used to start Wildfly determines the mode in\n which Wildfly will operate, which will be in either in standalone mode or domain\n mode. 
Both scripts are installed by default in the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n In addition to running the Wildfly server as an interactive script launched from\n the command line, Wildfly can also be started as a service.\n\n The scripts used to start Wildfly are:\n Red Hat:\n standalone.sh\n domain.sh\n\n Windows:\n standalone.bat\n domain.bat\n\n Use the relevant OS commands to determine JBoss ownership.\n\n When running as a process:\n Red Hat: \\\"ps -ef|grep -i jboss\\\".\n Windows: \\\"services.msc\\\".\n\n Search for the Wildfly process, which by default is named \\\"Wildfly\\\".\n\n If the user account used to launch the Wildfly script or start the Wildfly process\n has admin rights on the system, this is a finding.\"\n tag \"fix\": \"Run the JBoss server with non-admin rights.\"\n tag \"fix_id\": 'F-68185r1_fix'\n\n user = command(\"ps -ef | grep #{input('jboss_process_name')} | grep -v inspec | grep -v grep | awk '{print $1}'|uniq\").stdout.split(\"\\n\")\n\n describe 'The wildly process owner' do\n subject { command(\"ps -ef | grep #{input('jboss_process_name')} | grep -v inspec | grep -v grep | awk '{print $1}'|uniq\").stdout }\n it { should_not match(%r{root}) }\n end\n\n user.each do |users|\n group = command(\"id -gn #{users} \").stdout.split(\"\\n\")\n\n group.each do |group|\n\n describe \"The wildfly process owner: #{users}\\'s group\" do\n subject { group }\n it { should_not eq 'root' }\n end\n end\n end\nend\n", + "code": "control 'V-62259' do\n title \"mgmt-users.properties file permissions must be set to allow access to\nauthorized users only.\"\n desc \"The mgmt-users.properties file contains the password hashes of all\nusers who are in a management role and must be protected. Application servers\nhave the ability to specify that the hosted applications utilize shared\nlibraries. 
The application server must have a capability to divide roles based\nupon duties wherein one project user (such as a developer) cannot modify the\nshared library code of another project user. The application server must also\nbe able to specify that non-privileged users cannot modify any shared library\ncode at all.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000133-AS-000092'\n tag \"gid\": 'V-62259'\n tag \"rid\": 'SV-76749r1_rule'\n tag \"stig_id\": 'JBOS-AS-000210'\n tag \"cci\": ['CCI-001499']\n tag \"documentable\": false\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"check\": \"The mgmt-users.properties files are located in the standalone\nor domain configuration folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\n$JBOSS_HOME;/domain/configuration/mgmt-users.properties.\n$JBOSS_HOME;/standalone/configuration/mgmt-users.properties.\n\nIdentify users who have access to the files using relevant OS commands.\n\nObtain documentation from system admin identifying authorized users.\n\nOwner can be full access.\nGroup can be full access.\nAll others must have execute permissions only.\n\nIf the file permissions are not configured so as to restrict access to only\nauthorized users, or if documentation that identifies authorized users is\nmissing, this is a finding.\"\n tag \"fix\": \"Configure the file permissions to allow access to authorized\nusers only.\nOwner can be full access.\nGroup can be full access.\nAll others must have execute permissions only.\"\n tag \"fix_id\": 'F-68179r1_fix'\n describe file(\"#{ input('jboss_home') }/standalone/configuration/mgmt-users.properties\") do\n it { should_not be_readable.by('others') }\n end\n describe file(\"#{ input('jboss_home') }/standalone/configuration/mgmt-users.properties\") do\n it { should_not be_writable.by('others') }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62265.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62259.rb", "line": 1 }, - "id": "V-62265" + 
"id": "V-62259" }, { - "title": "Users in JBoss Management Security Realms must be in the appropriate role", - "desc": "Security realms are a series of mappings between users and passwords and\nusers and roles. There are 2 JBoss security realms provided by default; they\nare \"management realm\" and \"application realm\".\n\n Management realm stores authentication information for the management API,\nwhich provides functionality for the web-based management console and the\nmanagement command line interface (CLI).\n\n mgmt-groups.properties stores user to group mapping for the ManagementRealm\nbut only when role-based access controls (RBAC) is enabled.\n\n If management users are not in the appropriate role, unauthorized access to\nJBoss resources can occur.", + "title": "Wildfly management interfaces must be secured.", + "desc": "Wildfly utilizes the concept of security realms to secure the management\ninterfaces used for Wildfly server administration. If the security realm\nattribute is omitted or removed from the management interface definition,\naccess to that interface is no longer secure. The Wildfly management interfaces\nmust be secured.", "descriptions": { - "default": "Security realms are a series of mappings between users and passwords and\nusers and roles. There are 2 JBoss security realms provided by default; they\nare \"management realm\" and \"application realm\".\n\n Management realm stores authentication information for the management API,\nwhich provides functionality for the web-based management console and the\nmanagement command line interface (CLI).\n\n mgmt-groups.properties stores user to group mapping for the ManagementRealm\nbut only when role-based access controls (RBAC) is enabled.\n\n If management users are not in the appropriate role, unauthorized access to\nJBoss resources can occur." + "default": "Wildfly utilizes the concept of security realms to secure the management\ninterfaces used for Wildfly server administration. 
If the security realm\nattribute is omitted or removed from the management interface definition,\naccess to that interface is no longer secure. The Wildfly management interfaces\nmust be secured." }, "impact": 0, "refs": [], "tags": { "gtitle": "SRG-APP-000033-AS-000024", - "gid": "V-62219", - "rid": "SV-76709r1_rule", - "stig_id": "JBOS-AS-000040", + "gid": "V-62229", + "rid": "SV-76719r1_rule", + "stig_id": "JBOS-AS-000075", "cci": [ "CCI-000213" ], 
@@ -641,126 +737,126 @@ "AC-3", "Rev_4" ], - "check": "Review the mgmt-users.properties file. Also review the\n section in the standalone.xml or domain.xml configuration files.\n The relevant xml file will depend on if the Wildfly server is configured in\nstandalone or domain mode.\n\nEnsure all users listed in these files are approved for management access to\nthe JBoss server and are in the appropriate role.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nFor domain configurations:\n$JBOSS_HOME;/domain/configuration/mgmt-users.properties.\n$JBOSS_HOME;/domain/configuration/domain.xml\n\nFor standalone configurations:\n$JBOSS_HOME;/standalone/configuration/mgmt-users.properties.\n$JBOSS_HOME;/standalone/configuration/standalone.xml\n\nIf the users listed are not in the appropriate role, this is a finding.", - "fix": "Document approved management users and their roles. Configure\nthe application server to use RBAC and ensure users are placed into the\nappropriate roles.", - "fix_id": "F-68139r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nIdentify the management interfaces. To identity the management interfaces, run\nthe following command:\n\nFor standalone servers:\n\"ls /core-service=management/management-interface=\"\n\nFor managed domain installations:\n\"ls /host=HOST_NAME/core-service=management/management-interface=\"\n\nBy default, Wildfly provides two management interfaces; they are named\n\"NATIVE-INTERFACE\" and \"HTTP-INTERFACE\". The system may or may not have\nboth interfaces enabled. 
For each management interface listed as a result of\nthe previous command, append the name of the management interface to the end of\nthe following command.\n\nFor a standalone system:\n\n\"ls /core-service=management/management-interface=\"\n\nFor a managed domain:\n\n\"ls /host=HOST_NAME/core-service=management/management-interface=\"\n\nIf the \"security-realm=\" attribute is not associated with a management realm,\nthis is a finding.", + "fix": "Identify the security realm used for management of the system.\nBy default, this is called \"Management Realm\".\n\nIf a management security realm is not already available, reference the Wildfly\nsystem administration guide for instructions on how to create a\nsecurity realm for management purposes. Create the management realm, and\nassign authentication and authorization access restrictions to the management\nrealm.\n\nAssign the management interfaces to the management realm.", + "fix_id": "F-68149r1_fix" }, - "code": "control 'V-62219' do\n title \"Users in JBoss Management Security Realms must be in the appropriate role\"\n desc \"\n Security realms are a series of mappings between users and passwords and\nusers and roles. 
There are 2 JBoss security realms provided by default; they\nare \\\"management realm\\\" and \\\"application realm\\\".\n\n Management realm stores authentication information for the management API,\nwhich provides functionality for the web-based management console and the\nmanagement command line interface (CLI).\n\n mgmt-groups.properties stores user to group mapping for the ManagementRealm\nbut only when role-based access controls (RBAC) is enabled.\n\n If management users are not in the appropriate role, unauthorized access to\nJBoss resources can occur.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62219'\n tag \"rid\": 'SV-76709r1_rule'\n tag \"stig_id\": 'JBOS-AS-000040'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Review the mgmt-users.properties file. Also review the\n section in the standalone.xml or domain.xml configuration files.\n The relevant xml file will depend on if the Wildfly server is configured in\nstandalone or domain mode.\n\nEnsure all users listed in these files are approved for management access to\nthe JBoss server and are in the appropriate role.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nFor domain configurations:\n$JBOSS_HOME;/domain/configuration/mgmt-users.properties.\n$JBOSS_HOME;/domain/configuration/domain.xml\n\nFor standalone configurations:\n$JBOSS_HOME;/standalone/configuration/mgmt-users.properties.\n$JBOSS_HOME;/standalone/configuration/standalone.xml\n\nIf the users listed are not in the appropriate role, this is a finding.\"\n tag \"fix\": \"Document approved management users and their roles. 
Configure\nthe application server to use RBAC and ensure users are placed into the\nappropriate roles.\"\n tag \"fix_id\": 'F-68139r1_fix'\n\n connect = input('connection')\n auditor_role_users = input('auditor_role_users')\n administrator_role_users = input('administrator_role_users')\n superuser_role_users = input('superuser_role_users')\n\n role_mappings = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=\").stdout.strip.split(\" \")\n auditor_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Auditor/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n administrator_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Administrator/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n superuser_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=SuperUser/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n\n if !auditor_role.empty?\n auditor_role.each do |user|\n describe \"#{user}\" do\n it { should be_in auditor_role_users }\n end\n end\n end\n\n if !administrator_role.empty?\n administrator_role.each do |user|\n describe \"#{user}\" do\n it { should be_in administrator_role_users }\n end\n end\n end\n\n if !superuser_role.empty?\n superuser_role.each do |user|\n describe \"#{user}\" do\n it { should be_in superuser_role_users }\n end\n end\n end\n\n if auditor_role.empty? && administrator_role.empty? 
&& superuser_role.empty?\n impact 0.0\n describe 'There are no Wildfly users with the auditor, administrator or superuser roles, therefore this control is not applicable' do\n skip 'There are no Wildfly users with the auditor, administrator or superuser roles, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-62229' do\n title \"Wildfly management interfaces must be secured.\"\n desc \"Wildfly utilizes the concept of security realms to secure the management\ninterfaces used for Wildfly server administration. If the security realm\nattribute is omitted or removed from the management interface definition,\naccess to that interface is no longer secure. The Wildfly management interfaces\nmust be secured.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62229'\n tag \"rid\": 'SV-76719r1_rule'\n tag \"stig_id\": 'JBOS-AS-000075'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nIdentify the management interfaces. To identity the management interfaces, run\nthe following command:\n\nFor standalone servers:\n\\\"ls /core-service=management/management-interface=\\\"\n\nFor managed domain installations:\n\\\"ls /host=HOST_NAME/core-service=management/management-interface=\\\"\n\nBy default, Wildfly provides two management interfaces; they are named\n\\\"NATIVE-INTERFACE\\\" and \\\"HTTP-INTERFACE\\\". The system may or may not have\nboth interfaces enabled. 
For each management interface listed as a result of\nthe previous command, append the name of the management interface to the end of\nthe following command.\n\nFor a standalone system:\n\n\\\"ls /core-service=management/management-interface=\\\"\n\nFor a managed domain:\n\n\\\"ls /host=HOST_NAME/core-service=management/management-interface=\\\"\n\nIf the \\\"security-realm=\\\" attribute is not associated with a management realm,\nthis is a finding.\"\n tag \"fix\": \"Identify the security realm used for management of the system.\nBy default, this is called \\\"Management Realm\\\".\n\nIf a management security realm is not already available, reference the Wildfly\nsystem administration guide for instructions on how to create a\nsecurity realm for management purposes. Create the management realm, and\nassign authentication and authorization access restrictions to the management\nrealm.\n\nAssign the management interfaces to the management realm.\"\n tag \"fix_id\": 'F-68149r1_fix'\n\n connect = input('connection')\n\n mgmt_interfaces = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\ /core-service=management/management-interface=\").stdout.split(\"\\n\")\n\n mgmt_interfaces.each do |interface|\n describe \"Wildfly management interface: #{interface}\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=#{interface}\").stdout }\n it { should match(%r{security-realm=ManagementRealm}) }\n end\n end\n if mgmt_interfaces.empty?\n impact 0.0\n describe 'There are no wildfly management interfaces, therefore this control is Not Applicable' do\n skip 'There are no wildfly management interfaces, therefore this control is Not Applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62219.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62229.rb", "line": 1 }, - "id": "V-62219" + "id": 
"V-62229" }, { - "title": "The application server must produce log records that contain\nsufficient information to establish the outcome of events.", - "desc": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Success and failure indicators ascertain the outcome of a particular\napplication server event or function. As such, they also provide a means to\nmeasure the impact of an event and help authorized personnel to determine the\nappropriate response. Event outcome may also include event-specific results\n(e.g., the security state of the information system after the event occurred).", + "title": "Wildfly must utilize encryption when using LDAP for authentication.", + "desc": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords during transmission.\n\n Application servers have the capability to utilize LDAP directories for\nauthentication. If LDAP connections are not protected during transmission,\nsensitive authentication credentials can be stolen. When the application server\nutilizes LDAP, the LDAP traffic must be encrypted.", "descriptions": { - "default": "Information system logging capability is critical for accurate forensic\nanalysis. 
Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Success and failure indicators ascertain the outcome of a particular\napplication server event or function. As such, they also provide a means to\nmeasure the impact of an event and help authorized personnel to determine the\nappropriate response. Event outcome may also include event-specific results\n(e.g., the security state of the information system after the event occurred)." + "default": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords during transmission.\n\n Application servers have the capability to utilize LDAP directories for\nauthentication. If LDAP connections are not protected during transmission,\nsensitive authentication credentials can be stolen. When the application server\nutilizes LDAP, the LDAP traffic must be encrypted." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000099-AS-000062", - "gid": "V-62247", - "rid": "SV-76737r1_rule", - "stig_id": "JBOS-AS-000130", + "gtitle": "SRG-APP-000172-AS-000121", + "gid": "V-62293", + "rid": "SV-76783r1_rule", + "stig_id": "JBOS-AS-000310", "cci": [ - "CCI-000134" + "CCI-000197" ], "documentable": false, "nist": [ - "AU-3", + "IA-5 (1) (c)", "Rev_4" ], - "check": "Log on to the OS of the wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68167r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Run the following command:\n\n For standalone servers:\n \"ls\n 
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection\"\n\n For managed domain installations:\n \"ls\n /socket-binding-group=/remote-destination-outbound-socket-binding=\"\n\n The default port for secure LDAP is 636.\n\n If 636 or secure LDAP protocol is not utilized, this is a finding.", + "fix": "Follow steps in section 11.8 - Management Interface Security in\n the\n JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. Reference the new security domain in the Management Interface.", + "fix_id": "F-68213r1_fix" }, - "code": "control 'V-62247' do\n title \"The application server must produce log records that contain\nsufficient information to establish the outcome of events.\"\n desc \"\n Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Success and failure indicators ascertain the outcome of a particular\napplication server event or function. As such, they also provide a means to\nmeasure the impact of an event and help authorized personnel to determine the\nappropriate response. 
Event outcome may also include event-specific results\n(e.g., the security state of the information system after the event occurred).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000099-AS-000062'\n tag \"gid\": 'V-62247'\n tag \"rid\": 'SV-76737r1_rule'\n tag \"stig_id\": 'JBOS-AS-000130'\n tag \"cci\": ['CCI-000134']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68167r1_fix'\n\n connect = input('connection')\n\n describe 'The application server produce log records that contain sufficient information to establish the outcome of events' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not 
match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62293' do\n title \"Wildfly must utilize encryption when using LDAP for authentication.\"\n desc \"\n Passwords need to be protected at all times, and encryption is the standard\n method for protecting passwords during transmission.\n\n Application servers have the capability to utilize LDAP directories for\n authentication. If LDAP connections are not protected during transmission,\n sensitive authentication credentials can be stolen. When the application server\n utilizes LDAP, the LDAP traffic must be encrypted.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000172-AS-000121'\n tag \"gid\": 'V-62293'\n tag \"rid\": 'SV-76783r1_rule'\n tag \"stig_id\": 'JBOS-AS-000310'\n tag \"cci\": ['CCI-000197']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Run the following command:\n\n For standalone servers:\n \\\"ls\n /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection\\\"\n\n For managed domain installations:\n \\\"ls\n /socket-binding-group=/remote-destination-outbound-socket-binding=\\\"\n\n The default port for secure LDAP is 636.\n\n If 636 or secure LDAP protocol is not utilized, this is a finding.\"\n tag \"fix\": \"Follow steps in section 11.8 - Management Interface Security in\n the\n JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. 
Reference the new security domain in the Management Interface.\"\n tag \"fix_id\": 'F-68213r1_fix'\n\n connect = input('connection')\n ldap = input('ldap')\n\n if ldap\n describe 'A manual review is required to ensure wildfly uses encryption when using LDAP for authentication' do\n skip 'A manual review is required to ensure wildfly uses encryption when using LDAP for authentication'\n end\n else\n describe command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/https-listener=https\") do\n its('stdout') { should match(%r{enabled=true}) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62247.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62293.rb", "line": 1 }, - "id": "V-62247" + "id": "V-62293" }, { - "title": "Remote access to JMX subsystem must be disabled.", - "desc": "The JMX subsystem allows you to trigger JDK and application management\n operations remotely. In a managed domain configuration, the JMX subsystem is\n removed by default. For a standalone configuration, it is enabled by default\n and must be removed.", + "title": "HTTP management session traffic must be encrypted.", + "desc": "Types of management interfaces utilized by the Wildfly EAP application server\ninclude web-based HTTP interfaces as well as command line-based management\ninterfaces. In the event remote HTTP management is required, the access must\nbe via HTTPS.\n\n This requirement is in conjunction with the requirement to isolate all\nmanagement access to a restricted network.", "descriptions": { - "default": "The JMX subsystem allows you to trigger JDK and application management\n operations remotely. In a managed domain configuration, the JMX subsystem is\n removed by default. For a standalone configuration, it is enabled by default\n and must be removed." 
+ "default": "Types of management interfaces utilized by the Wildfly EAP application server\ninclude web-based HTTP interfaces as well as command line-based management\ninterfaces. In the event remote HTTP management is required, the access must\nbe via HTTPS.\n\n This requirement is in conjunction with the requirement to isolate all\nmanagement access to a restricted network." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000141-AS-000095", - "gid": "V-62269", - "rid": "SV-76759r1_rule", - "stig_id": "JBOS-AS-000240", + "gtitle": "SRG-APP-000014-AS-000009", + "gid": "V-62073", + "rid": "SV-76563r1_rule", + "stig_id": "JBOS-AS-000010", "cci": [ - "CCI-000381" + "CCI-000068" ], "documentable": false, "nist": [ - "CM-7 a", + "AC-17 (2)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \"ls /profile=/subsystem=jmx/remoting-connector\"\n\n For a Standalone configuration:\n \"ls /subsystem=jmx/remoting-connector\"\n\n If \"jmx\" is returned, this is a finding.", - "fix": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n For a Managed Domain configuration you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \"/profile=/subsystem=jmx/remoting-connector=jmx:remove\"\n\n For a Standalone configuration:\n \"/subsystem=jmx/remoting-connector=jmx:remove\"", - "fix_id": 
"F-68189r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly. Using the relevant OS commands and syntax, cd to the\n$JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nRun the jboss-cli script. Connect to the server and authenticate.\n\nFor a standalone configuration run the following command:\n\"ls /core-service=management/management-interface=http-interface\"\n\nIf \"secure-socket-binding\"=undefined, this is a finding.\n\nFor a domain configuration run the following command:\n\"ls /host=master/core-service=management/management-interface=http-interface\"\n\nIf \"secure-port\" is undefined, this is a finding.", + "fix": "Follow the specific instructions in the Red Hat Security Guide\nfor EAP version 6.3 to configure the management console for HTTPS.\n\nThis involves the following steps.\n1. Create a keystore in JKS format.\n2. Ensure the management console binds to HTTPS.\n3. Create a new Security Realm.\n4. Configure Management Interface to use new security realm.\n5. Configure the management console to use the keystore.\n6. Restart the EAP server.", + "fix_id": "F-67993r1_fix" }, - "code": "control 'V-62269' do\n title \"Remote access to JMX subsystem must be disabled.\"\n desc \"The JMX subsystem allows you to trigger JDK and application management\n operations remotely. In a managed domain configuration, the JMX subsystem is\n removed by default. 
For a standalone configuration, it is enabled by default\n and must be removed.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62269'\n tag \"rid\": 'SV-76759r1_rule'\n tag \"stig_id\": 'JBOS-AS-000240'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \\\"ls /profile=/subsystem=jmx/remoting-connector\\\"\n\n For a Standalone configuration:\n \\\"ls /subsystem=jmx/remoting-connector\\\"\n\n If \\\"jmx\\\" is returned, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n For a Managed Domain configuration you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \\\"/profile=/subsystem=jmx/remoting-connector=jmx:remove\\\"\n\n For a Standalone configuration:\n \\\"/subsystem=jmx/remoting-connector=jmx:remove\\\"\"\n tag \"fix_id\": 'F-68189r1_fix'\n\n connect = input('connection')\n describe 'The wildfly remote access' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=jmx/remoting-connector\").stdout }\n it { should_not match(%r{jmx}) }\n end\nend\n", + "code": "control 'V-62073' do\n title \"HTTP management session traffic must be encrypted.\"\n desc \"\n Types of 
management interfaces utilized by the Wildfly EAP application server\ninclude web-based HTTP interfaces as well as command line-based management\ninterfaces. In the event remote HTTP management is required, the access must\nbe via HTTPS.\n\n This requirement is in conjunction with the requirement to isolate all\nmanagement access to a restricted network.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000014-AS-000009'\n tag \"gid\": 'V-62073'\n tag \"rid\": 'SV-76563r1_rule'\n tag \"stig_id\": 'JBOS-AS-000010'\n tag \"cci\": ['CCI-000068']\n tag \"documentable\": false\n tag \"nist\": ['AC-17 (2)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly. Using the relevant OS commands and syntax, cd to the\n$JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nRun the jboss-cli script. Connect to the server and authenticate.\n\nFor a standalone configuration run the following command:\n\\\"ls /core-service=management/management-interface=http-interface\\\"\n\nIf \\\"secure-socket-binding\\\"=undefined, this is a finding.\n\nFor a domain configuration run the following command:\n\\\"ls /host=master/core-service=management/management-interface=http-interface\\\"\n\nIf \\\"secure-port\\\" is undefined, this is a finding.\"\n tag \"fix\": \"Follow the specific instructions in the Red Hat Security Guide\nfor EAP version 6.3 to configure the management console for HTTPS.\n\nThis involves the following steps.\n1. Create a keystore in JKS format.\n2. Ensure the management console binds to HTTPS.\n3. Create a new Security Realm.\n4. Configure Management Interface to use new security realm.\n5. Configure the management console to use the keystore.\n6. 
Restart the EAP server.\"\n tag \"fix_id\": 'F-67993r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly HTTP management session traffic configuration' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=http-interface\").stdout }\n it { should_not match /secure-socket-binding=undefined/ }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62269.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62073.rb", "line": 1 }, - "id": "V-62269" + "id": "V-62073" }, { - "title": "Wildfly must be configured to generate log records when\n successful/unsuccessful logon attempts occur.", - "desc": "Logging the access to the application server allows the system\nadministrators to monitor user accounts. By logging successful/unsuccessful\nlogons, the system administrator can determine if an account is compromised\n(e.g., frequent logons) or is in the process of being compromised (e.g.,\nfrequent failed logons) and can take actions to thwart the attack.\n\n Logging successful logons can also be used to determine accounts that are\nno longer in use.", + "title": "The JRE installed on the Wildfly server must be kept up to date.", + "desc": "The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the Wildfly product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available.", "descriptions": { - "default": "Logging the access to the application server allows the system\nadministrators to monitor user accounts. 
By logging successful/unsuccessful\nlogons, the system administrator can determine if an account is compromised\n(e.g., frequent logons) or is in the process of being compromised (e.g.,\nfrequent failed logons) and can take actions to thwart the attack.\n\n Logging successful logons can also be used to determine accounts that are\nno longer in use." + "default": "The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the Wildfly product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-APP-000503-AS-000228", - "gid": "V-62333", - "rid": "SV-76823r1_rule", - "stig_id": "JBOS-AS-000700", + "gtitle": "SRG-APP-000456-AS-000266", + "gid": "V-62327", + "rid": "SV-76817r1_rule", + "stig_id": "JBOS-AS-000685", "cci": [ - "CCI-000172" + "CCI-002605" ], "documentable": false, "nist": [ - "AU-12 c", + "SI-2 c", "Rev_4" ], - "check": "Log on to the OS of the JBoss server with OS permissions that\n allow access to JBoss.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain 
configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68253r1_fix" + "check": "Interview the system admin and obtain details on their patch\n management processes as it relates to the OS and the Application Server.\n\n If there is no active, documented patch management process in use for these\n components, this is a finding.", + "fix": "Configure the operating system and the application server to use\n a patch management system or process that ensures security-relevant updates are\n installed within the time period directed by the ISSM.", + "fix_id": "F-68247r1_fix" }, - "code": "control 'V-62333' do\n title \"Wildfly must be configured to generate log records when\n successful/unsuccessful logon attempts occur.\"\n desc \"\n Logging the access to the application server allows the system\n administrators to monitor user accounts. 
By logging successful/unsuccessful\n logons, the system administrator can determine if an account is compromised\n (e.g., frequent logons) or is in the process of being compromised (e.g.,\n frequent failed logons) and can take actions to thwart the attack.\n\n Logging successful logons can also be used to determine accounts that are\n no longer in use.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000503-AS-000228'\n tag \"gid\": 'V-62333'\n tag \"rid\": 'SV-76823r1_rule'\n tag \"stig_id\": 'JBOS-AS-000700'\n tag \"cci\": ['CCI-000172']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"check\": \"Log on to the OS of the JBoss server with OS permissions that\n allow access to JBoss.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68253r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly setting: generate log records when successful/unsuccessful logon attempts occur' do\n subject { 
command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62327' do\n title \"The JRE installed on the Wildfly server must be kept up to date.\"\n desc \"The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the Wildfly product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000456-AS-000266'\n tag \"gid\": 'V-62327'\n tag \"rid\": 'SV-76817r1_rule'\n tag \"stig_id\": 'JBOS-AS-000685'\n tag \"cci\": ['CCI-002605']\n tag \"documentable\": false\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": \"Interview the system admin and obtain details on their patch\n management processes as it relates to the OS and the Application Server.\n\n If there is no active, documented patch management process in use for these\n components, this is a finding.\"\n tag \"fix\": \"Configure the operating system and the application server to use\n a patch management system or process that ensures security-relevant updates are\n installed within the time period directed by the ISSM.\"\n tag \"fix_id\": 'F-68247r1_fix'\n describe.one do\n describe package('java-1.7.0-openjdk') do\n its('version') { should cmp >= '1.7.0.171' }\n end\n describe package('java-1.8.0-openjdk') do\n its('version') { should cmp >= '1.8.0.161' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62333.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62327.rb", "line": 1 }, - "id": "V-62333" + "id": "V-62327" }, { - "title": "Wildfly management interfaces must be secured.", - "desc": "Wildfly utilizes the concept of security 
realms to secure the management\ninterfaces used for Wildfly server administration. If the security realm\nattribute is omitted or removed from the management interface definition,\naccess to that interface is no longer secure. The Wildfly management interfaces\nmust be secured.", + "title": "The Wildfly server must be configured with Role Based Access Controls.", + "desc": "By default, the Wildfly server is not configured to utilize role based\naccess controls (RBAC). RBAC provides the capability to restrict user access\nto their designated management role, thereby limiting access to only the Wildfly\nfunctionality that they are supposed to have. Without RBAC, the Wildfly server\nis not able to enforce authorized access according to role.", "descriptions": { - "default": "Wildfly utilizes the concept of security realms to secure the management\ninterfaces used for Wildfly server administration. If the security realm\nattribute is omitted or removed from the management interface definition,\naccess to that interface is no longer secure. The Wildfly management interfaces\nmust be secured." + "default": "By default, the Wildfly server is not configured to utilize role based\naccess controls (RBAC). RBAC provides the capability to restrict user access\nto their designated management role, thereby limiting access to only the Wildfly\nfunctionality that they are supposed to have. Without RBAC, the Wildfly server\nis not able to enforce authorized access according to role." }, - "impact": 0, + "impact": 0.7, "refs": [], "tags": { "gtitle": "SRG-APP-000033-AS-000024", - "gid": "V-62229", - "rid": "SV-76719r1_rule", - "stig_id": "JBOS-AS-000075", + "gid": "V-62227", + "rid": "SV-76717r1_rule", + "stig_id": "JBOS-AS-000035", "cci": [ "CCI-000213" ], 
@@ -769,16 +865,16 @@ "AC-3", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nIdentify the management interfaces. To identity the management interfaces, run\nthe following command:\n\nFor standalone servers:\n\"ls /core-service=management/management-interface=\"\n\nFor managed domain installations:\n\"ls /host=HOST_NAME/core-service=management/management-interface=\"\n\nBy default, Wildfly provides two management interfaces; they are named\n\"NATIVE-INTERFACE\" and \"HTTP-INTERFACE\". The system may or may not have\nboth interfaces enabled. For each management interface listed as a result of\nthe previous command, append the name of the management interface to the end of\nthe following command.\n\nFor a standalone system:\n\n\"ls /core-service=management/management-interface=\"\n\nFor a managed domain:\n\n\"ls /host=HOST_NAME/core-service=management/management-interface=\"\n\nIf the \"security-realm=\" attribute is not associated with a management realm,\nthis is a finding.", - "fix": "Identify the security realm used for management of the system.\nBy default, this is called \"Management Realm\".\n\nIf a management security realm is not already available, reference the Wildfly\nsystem administration guide for instructions on how to create a\nsecurity realm for management purposes. 
Create the management realm, and\nassign authentication and authorization access restrictions to the management\nrealm.\n\nAssign the management interfaces to the management realm.", - "fix_id": "F-68149r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRun the following command:\n\nFor standalone servers:\n\"ls /core-service=management/access=authorization/\"\n\nFor managed domain installations:\n\"ls /host=master/core-service=management/access=authorization/\"\n\nIf the \"provider\" attribute is not set to \"rbac\", this is a finding.", + "fix": "Run the following command.\n$JBOSS_HOME;/bin/jboss-cli.sh -c -> connect -> cd\n/core-service=management/access-authorization :write-attribute(name=provider,\nvalue=rbac)\n\nRestart Wildfly.\n\nMap users to roles by running the following command. Upper-case words are\nvariables.\n\nrole-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)", + "fix_id": "F-68147r1_fix" }, - "code": "control 'V-62229' do\n title \"Wildfly management interfaces must be secured.\"\n desc \"Wildfly utilizes the concept of security realms to secure the management\ninterfaces used for Wildfly server administration. If the security realm\nattribute is omitted or removed from the management interface definition,\naccess to that interface is no longer secure. 
The Wildfly management interfaces\nmust be secured.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62229'\n tag \"rid\": 'SV-76719r1_rule'\n tag \"stig_id\": 'JBOS-AS-000075'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nIdentify the management interfaces. To identity the management interfaces, run\nthe following command:\n\nFor standalone servers:\n\\\"ls /core-service=management/management-interface=\\\"\n\nFor managed domain installations:\n\\\"ls /host=HOST_NAME/core-service=management/management-interface=\\\"\n\nBy default, Wildfly provides two management interfaces; they are named\n\\\"NATIVE-INTERFACE\\\" and \\\"HTTP-INTERFACE\\\". The system may or may not have\nboth interfaces enabled. For each management interface listed as a result of\nthe previous command, append the name of the management interface to the end of\nthe following command.\n\nFor a standalone system:\n\n\\\"ls /core-service=management/management-interface=\\\"\n\nFor a managed domain:\n\n\\\"ls /host=HOST_NAME/core-service=management/management-interface=\\\"\n\nIf the \\\"security-realm=\\\" attribute is not associated with a management realm,\nthis is a finding.\"\n tag \"fix\": \"Identify the security realm used for management of the system.\nBy default, this is called \\\"Management Realm\\\".\n\nIf a management security realm is not already available, reference the Wildfly\nsystem administration guide for instructions on how to create a\nsecurity realm for management purposes. 
Create the management realm, and\nassign authentication and authorization access restrictions to the management\nrealm.\n\nAssign the management interfaces to the management realm.\"\n tag \"fix_id\": 'F-68149r1_fix'\n\n connect = input('connection')\n\n mgmt_interfaces = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\ /core-service=management/management-interface=\").stdout.split(\"\\n\")\n\n mgmt_interfaces.each do |interface|\n describe \"Wildfly management interface: #{interface}\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=#{interface}\").stdout }\n it { should match(%r{security-realm=ManagementRealm}) }\n end\n end\n if mgmt_interfaces.empty?\n impact 0.0\n describe 'There are no wildfly management interfaces, therefore this control is Not Applicable' do\n skip 'There are no wildfly management interfaces, therefore this control is Not Applicable'\n end\n end\nend\n", + "code": "control 'V-62227' do\n title \"The Wildfly server must be configured with Role Based Access Controls.\"\n desc \"By default, the Wildfly server is not configured to utilize role based\naccess controls (RBAC). RBAC provides the capability to restrict user access\nto their designated management role, thereby limiting access to only the Wildfly\nfunctionality that they are supposed to have. 
Without RBAC, the Wildfly server\nis not able to enforce authorized access according to role.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62227'\n tag \"rid\": 'SV-76717r1_rule'\n tag \"stig_id\": 'JBOS-AS-000035'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRun the following command:\n\nFor standalone servers:\n\\\"ls /core-service=management/access=authorization/\\\"\n\nFor managed domain installations:\n\\\"ls /host=master/core-service=management/access=authorization/\\\"\n\nIf the \\\"provider\\\" attribute is not set to \\\"rbac\\\", this is a finding.\"\n tag \"fix\": \"Run the following command.\n$JBOSS_HOME;/bin/jboss-cli.sh -c -> connect -> cd\n/core-service=management/access-authorization :write-attribute(name=provider,\nvalue=rbac)\n\nRestart Wildfly.\n\nMap users to roles by running the following command. 
Upper-case words are\nvariables.\n\nrole-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)\"\n tag \"fix_id\": 'F-68147r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server authorization access' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/\").stdout }\n it { should match(%r{provider=rbac}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62229.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62227.rb", "line": 1 }, - "id": "V-62229" + "id": "V-62227" }, { "title": "Wildlfy must be configured to generate log records for all account\n creations, modifications, disabling, and termination events.", 
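Review bot: The V-62227 InSpec code at the end of this block only queries the standalone address `ls /core-service=management/access=authorization/`, while the check text it embeds says a managed domain must be inspected at `/host=master/core-service=management/access=authorization/`; on a domain controller the standalone address does not resolve, so the control fails for the wrong reason rather than because `provider` is not `rbac`. Branching on a mode input the way the V-62293 control earlier in this file branches on `input('ldap')` would keep the result meaningful in both modes, and a connection failure still fails closed since an empty stdout cannot match `%r{provider=rbac}`. Separately, the new `fix` text contains two copy-paste defects an operator would paste verbatim into the CLI: `/core-service=management/access-authorization :write-attribute(...)` should read `access=authorization` as the check text does, and `name-USERNAME` in the role-mapping command should presumably be `name=USERNAME`.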
@@ -812,38 +908,6 @@ }, "id": "V-62341" }, - { - "title": "Production Wildfly servers must be supported by the vendor.", - "desc": "The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the JBoss product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available.", - "descriptions": { - "default": "The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the JBoss product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available." - }, - "impact": 0, - "refs": [], - "tags": { - "gtitle": "SRG-APP-000456-AS-000266", - "gid": "V-62325", - "rid": "SV-76815r1_rule", - "stig_id": "JBOS-AS-000680", - "cci": [ - "CCI-002605" - ], - "documentable": false, - "nist": [ - "SI-2 c", - "Rev_4" - ], - "check": "Interview the system admin and have them either show documented\n proof of current support, or have them demonstrate their ability to access the\n Red Hat Enterprise Support portal.\n\n Verify Red Hat support includes coverage for the Wildfly product.\n\n If there is no current and active support from the vendor, this is a finding.", - "fix": "Obtain vendor support from Red Hat.", - "fix_id": "F-68245r1_fix" - }, - "code": "control 'V-62325' do\n title \"Production Wildfly servers must be supported by the vendor.\"\n desc \"The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the JBoss product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. 
It is critical that\n support be obtained and made available.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000456-AS-000266'\n tag \"gid\": 'V-62325'\n tag \"rid\": 'SV-76815r1_rule'\n tag \"stig_id\": 'JBOS-AS-000680'\n tag \"cci\": ['CCI-002605']\n tag \"documentable\": false\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": \"Interview the system admin and have them either show documented\n proof of current support, or have them demonstrate their ability to access the\n Red Hat Enterprise Support portal.\n\n Verify Red Hat support includes coverage for the Wildfly product.\n\n If there is no current and active support from the vendor, this is a finding.\"\n tag \"fix\": \"Obtain vendor support from Red Hat.\"\n tag \"fix_id\": 'F-68245r1_fix'\n impact 0.0\n describe \"Wildfly is the open-source, community version of JBoss and does not include RedHat support, therefore this control is not applicable\" do\n skip \"Wildfly is the open-source, community version of JBoss and does not include RedHat support, therefore this control is not applicable\"\n end\nend\n", - "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62325.rb", - "line": 1 - }, - "id": "V-62325" - }, { "title": "Wildfly application and management ports must be approved by the PPSM\nCAL.", "desc": "Some networking protocols may not meet organizational security requirements\nto protect data and components.\n\n Application servers natively host a number of various features, such as\nmanagement interfaces, httpd servers and message queues. These features all run\non TCPIP ports. This creates the potential that the vendor may choose to\nutilize port numbers or network services that have been deemed unusable by the\norganization. The application server must have the capability to both\nreconfigure and disable the assigned ports without adversely impacting\napplication server operation capabilities. 
For a list of approved ports and\nprotocols, reference the DoD ports and protocols website at\nhttps://powhatan.iiie.disa.mil/ports/cal.html.", 
@@ -877,50 +941,18 @@ "id": "V-62275" }, { - "title": "Welcome Web Application must be disabled.", - "desc": "The Welcome to Wildfly web page provides a redirect to the Wildfly admin\n console, which, by default, runs on TCP 9990 as well as redirects to the Online\n User Guide and Online User Groups hosted at locations on the Internet. The\n welcome page is unnecessary and should be disabled or replaced with a valid web\n page.", - "descriptions": { - "default": "The Welcome to Wildfly web page provides a redirect to the Wildfly admin\n console, which, by default, runs on TCP 9990 as well as redirects to the Online\n User Guide and Online User Groups hosted at locations on the Internet. The\n welcome page is unnecessary and should be disabled or replaced with a valid web\n page." - }, - "impact": 0.3, - "refs": [], - "tags": { - "gtitle": "SRG-APP-000141-AS-000095", - "gid": "V-62271", - "rid": "SV-76761r1_rule", - "stig_id": "JBOS-AS-000245", - "cci": [ - "CCI-000381" - ], - "documentable": false, - "nist": [ - "CM-7 a", - "Rev_4" - ], - "check": "Use a web browser and browse to HTTP://Wildfly SERVER IP\n ADDRESS:8080\n\n If the Wildfly Welcome page is displayed, this is a finding.", - "fix": "Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run\n the following command. You may need to change the profile to modify a different\n managed domain profile, or remove the \"/profile=default\" portion of the\n command for a standalone server.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n \"/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)\"\n\n To configure your web application to use the root context (/) as its URL\n address, modify the applications jboss-web.xml, which is located in the\n applications META-INF/ or WEB-INF/ directory. 
Replace its \n directive with one that looks like the following:\n\n \n /\n ", - "fix_id": "F-68191r1_fix" - }, - "code": "control 'V-62271' do\n title \"Welcome Web Application must be disabled.\"\n desc \"The Welcome to Wildfly web page provides a redirect to the Wildfly admin\n console, which, by default, runs on TCP 9990 as well as redirects to the Online\n User Guide and Online User Groups hosted at locations on the Internet. The\n welcome page is unnecessary and should be disabled or replaced with a valid web\n page.\"\n impact 0.3\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62271'\n tag \"rid\": 'SV-76761r1_rule'\n tag \"stig_id\": 'JBOS-AS-000245'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Use a web browser and browse to HTTP://Wildfly SERVER IP\n ADDRESS:8080\n\n If the Wildfly Welcome page is displayed, this is a finding.\"\n\n\n tag \"fix\": \"Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run\n the following command. You may need to change the profile to modify a different\n managed domain profile, or remove the \\\"/profile=default\\\" portion of the\n command for a standalone server.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n \\\"/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)\\\"\n\n To configure your web application to use the root context (/) as its URL\n address, modify the applications jboss-web.xml, which is located in the\n applications META-INF/ or WEB-INF/ directory. 
Replace its \n directive with one that looks like the following:\n\n \n /\n \"\n tag \"fix_id\": 'F-68191r1_fix'\n\n connect = input('connection')\n describe 'The wildfly web application' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/host=default-host/location=\\\\\\/\").stdout }\n it { should_not match(%r{handler=welcome-content}) }\n end\nend\n", - "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62271.rb", - "line": 1 - }, - "id": "V-62271" - }, - { - "title": "The Java Security Manager must be enabled for the wildfly application\nserver.", - "desc": "The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The Java Security Manager uses a security policy to determine whether a\ngiven action will be\n permitted or denied.\n\n To protect the host system, the Wildfly application server must be run within\nthe Java Security Manager.", + "title": "Users in JBoss Management Security Realms must be in the appropriate role", + "desc": "Security realms are a series of mappings between users and passwords and\nusers and roles. 
There are 2 JBoss security realms provided by default; they\nare \"management realm\" and \"application realm\".\n\n Management realm stores authentication information for the management API,\nwhich provides functionality for the web-based management console and the\nmanagement command line interface (CLI).\n\n mgmt-groups.properties stores user to group mapping for the ManagementRealm\nbut only when role-based access controls (RBAC) is enabled.\n\n If management users are not in the appropriate role, unauthorized access to\nJBoss resources can occur.", "descriptions": { - "default": "The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The Java Security Manager uses a security policy to determine whether a\ngiven action will be\n permitted or denied.\n\n To protect the host system, the Wildfly application server must be run within\nthe Java Security Manager." + "default": "Security realms are a series of mappings between users and passwords and\nusers and roles. There are 2 JBoss security realms provided by default; they\nare \"management realm\" and \"application realm\".\n\n Management realm stores authentication information for the management API,\nwhich provides functionality for the web-based management console and the\nmanagement command line interface (CLI).\n\n mgmt-groups.properties stores user to group mapping for the ManagementRealm\nbut only when role-based access controls (RBAC) is enabled.\n\n If management users are not in the appropriate role, unauthorized access to\nJBoss resources can occur." }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "gtitle": "SRG-APP-000033-AS-000024", - "gid": "V-62225", - "rid": "SV-76715r1_rule", - "stig_id": "JBOS-AS-000030", + "gid": "V-62219", + "rid": "SV-76709r1_rule", + "stig_id": "JBOS-AS-000040", "cci": [ "CCI-000213" ], 
@@ -929,128 +961,96 @@ "AC-3", "Rev_4" ], - "check": "To determine if the Java Security Manager is enabled for Wildfly,\nyou must examine the startup commands. Wildfly can be configured to run in\neither \"domain\" or a \"standalone\" mode. JBOSS_HOME is the variable home\ndirectory for the Wildfly installation. Use relevant OS commands to navigate the\nfile system.\n\nA. For a managed domain installation, review the domain.conf and\ndomain.conf.bat files:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nJBOSS_HOME/bin/domain.conf\nJBOSS_HOME/bin/domain.conf.bat\n\nIn domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java\nSecurity Manager as well as a relevant Java Security policy. The following is\nan example:\n\nJAVA_OPTS=\"$JAVA_OPTS -Djava.security.manager\n-Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME\n-Djboss.modules.policy-permissions=true\"\n\nIn domain.conf.bat file, ensure JAVA_OPTS flag is set. The following is an\nexample:\n\nset \"JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager\n-Djava.security.policy==/path/to/server.policy\n-Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true\"\n\nB. For a standalone installation, review the standalone.conf and\nstandalone.conf.bat files:\n\nJBOSS_HOME/bin/standalone.conf\nJBOSS_HOME/bin/standalone.conf.bat\n\nIn the standalone.conf file, ensure the JAVA_OPTS flag is set. The following\nis an example:\n\nJAVA_OPTS=\"$JAVA_OPTS -Djava.security.manager\n-Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME\n-Djboss.modules.policy-permissions=true\"\n\nIn the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. 
The\nfollowing is an example:\n\nset \"JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager\n-Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME%\n-Djboss.modules.policy-permissions=true\"\n\nIf the security manager is not enabled and a security policy not defined, this\nis a finding.", - "fix": "For a domain installation:\nEnable the respective JAVA_OPTS flag in both the domain.conf and the\ndomain.conf.bat files.\n\nFor a standalone installation:\nEnable the respective JAVA_OPTS flag in both the standalone.conf and the\nstandalone.conf.bat files.", - "fix_id": "F-68145r1_fix" + "check": "Review the mgmt-users.properties file. Also review the\n section in the standalone.xml or domain.xml configuration files.\n The relevant xml file will depend on if the Wildfly server is configured in\nstandalone or domain mode.\n\nEnsure all users listed in these files are approved for management access to\nthe JBoss server and are in the appropriate role.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nFor domain configurations:\n$JBOSS_HOME;/domain/configuration/mgmt-users.properties.\n$JBOSS_HOME;/domain/configuration/domain.xml\n\nFor standalone configurations:\n$JBOSS_HOME;/standalone/configuration/mgmt-users.properties.\n$JBOSS_HOME;/standalone/configuration/standalone.xml\n\nIf the users listed are not in the appropriate role, this is a finding.", + "fix": "Document approved management users and their roles. 
Configure\nthe application server to use RBAC and ensure users are placed into the\nappropriate roles.", + "fix_id": "F-68139r1_fix" }, - "code": "control 'V-62225' do\n title \"The Java Security Manager must be enabled for the wildfly application\nserver.\"\n desc \"\n The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The Java Security Manager uses a security policy to determine whether a\ngiven action will be\n permitted or denied.\n\n To protect the host system, the Wildfly application server must be run within\nthe Java Security Manager.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62225'\n tag \"rid\": 'SV-76715r1_rule'\n tag \"stig_id\": 'JBOS-AS-000030'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"To determine if the Java Security Manager is enabled for Wildfly,\nyou must examine the startup commands. Wildfly can be configured to run in\neither \\\"domain\\\" or a \\\"standalone\\\" mode. JBOSS_HOME is the variable home\ndirectory for the Wildfly installation. Use relevant OS commands to navigate the\nfile system.\n\nA. For a managed domain installation, review the domain.conf and\ndomain.conf.bat files:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nJBOSS_HOME/bin/domain.conf\nJBOSS_HOME/bin/domain.conf.bat\n\nIn domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java\nSecurity Manager as well as a relevant Java Security policy. The following is\nan example:\n\nJAVA_OPTS=\\\"$JAVA_OPTS -Djava.security.manager\n-Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME\n-Djboss.modules.policy-permissions=true\\\"\n\nIn domain.conf.bat file, ensure JAVA_OPTS flag is set. 
The following is an\nexample:\n\nset \\\"JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager\n-Djava.security.policy==/path/to/server.policy\n-Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true\\\"\n\nB. For a standalone installation, review the standalone.conf and\nstandalone.conf.bat files:\n\nJBOSS_HOME/bin/standalone.conf\nJBOSS_HOME/bin/standalone.conf.bat\n\nIn the standalone.conf file, ensure the JAVA_OPTS flag is set. The following\nis an example:\n\nJAVA_OPTS=\\\"$JAVA_OPTS -Djava.security.manager\n-Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME\n-Djboss.modules.policy-permissions=true\\\"\n\nIn the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The\nfollowing is an example:\n\nset \\\"JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager\n-Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME%\n-Djboss.modules.policy-permissions=true\\\"\n\nIf the security manager is not enabled and a security policy not defined, this\nis a finding.\"\n tag \"fix\": \"For a domain installation:\nEnable the respective JAVA_OPTS flag in both the domain.conf and the\ndomain.conf.bat files.\n\nFor a standalone installation:\nEnable the respective JAVA_OPTS flag in both the standalone.conf and the\nstandalone.conf.bat files.\"\n tag \"fix_id\": 'F-68145r1_fix'\n\n connect = input('connection')\n\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should_not match(%r{#JAVA_OPTS}) }\n end\n describe.one do\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should_not match(%r{JAVA_OPTS=\\s*}) }\n end\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should_not match(%r{JAVA_OPTS=\"\\s*\"\\s*}) }\n end\n describe parse_config_file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('SECMGR') { should match(%r{\"true\"}) }\n end\n end\n\n describe.one do\n describe file(\"#{ input('jboss_home') 
}/bin/standalone.conf.bat\") do\n its('content') { should_not match(%r{#set\\s*\"JAVA_OPTS=\\s*}) }\n end\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf.bat\") do\n its('content') { should_not match(%r{set\\s*\"JAVA_OPTS=\\s*}) }\n end\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf.bat\") do\n its('content') { should include 'set \"SECMGR=true\"' }\n its('content') { should_not include 'rem set \"SECMGR=true\"' }\n end\n end\nend\n", + "code": "control 'V-62219' do\n title \"Users in JBoss Management Security Realms must be in the appropriate role\"\n desc \"\n Security realms are a series of mappings between users and passwords and\nusers and roles. There are 2 JBoss security realms provided by default; they\nare \\\"management realm\\\" and \\\"application realm\\\".\n\n Management realm stores authentication information for the management API,\nwhich provides functionality for the web-based management console and the\nmanagement command line interface (CLI).\n\n mgmt-groups.properties stores user to group mapping for the ManagementRealm\nbut only when role-based access controls (RBAC) is enabled.\n\n If management users are not in the appropriate role, unauthorized access to\nJBoss resources can occur.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62219'\n tag \"rid\": 'SV-76709r1_rule'\n tag \"stig_id\": 'JBOS-AS-000040'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Review the mgmt-users.properties file. 
Also review the\n section in the standalone.xml or domain.xml configuration files.\n The relevant xml file will depend on if the Wildfly server is configured in\nstandalone or domain mode.\n\nEnsure all users listed in these files are approved for management access to\nthe JBoss server and are in the appropriate role.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nFor domain configurations:\n$JBOSS_HOME;/domain/configuration/mgmt-users.properties.\n$JBOSS_HOME;/domain/configuration/domain.xml\n\nFor standalone configurations:\n$JBOSS_HOME;/standalone/configuration/mgmt-users.properties.\n$JBOSS_HOME;/standalone/configuration/standalone.xml\n\nIf the users listed are not in the appropriate role, this is a finding.\"\n tag \"fix\": \"Document approved management users and their roles. Configure\nthe application server to use RBAC and ensure users are placed into the\nappropriate roles.\"\n tag \"fix_id\": 'F-68139r1_fix'\n\n connect = input('connection')\n auditor_role_users = input('auditor_role_users')\n administrator_role_users = input('administrator_role_users')\n superuser_role_users = input('superuser_role_users')\n\n role_mappings = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=\").stdout.strip.split(\" \")\n auditor_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Auditor/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n administrator_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Administrator/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n superuser_role = 
command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=SuperUser/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n\n if !auditor_role.empty?\n auditor_role.each do |user|\n describe \"#{user}\" do\n it { should be_in auditor_role_users }\n end\n end\n end\n\n if !administrator_role.empty?\n administrator_role.each do |user|\n describe \"#{user}\" do\n it { should be_in administrator_role_users }\n end\n end\n end\n\n if !superuser_role.empty?\n superuser_role.each do |user|\n describe \"#{user}\" do\n it { should be_in superuser_role_users }\n end\n end\n end\n\n if auditor_role.empty? && administrator_role.empty? && superuser_role.empty?\n impact 0.0\n describe 'There are no Wildfly users with the auditor, administrator or superuser roles, therefore this control is not applicable' do\n skip 'There are no Wildfly users with the auditor, administrator or superuser roles, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62225.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62219.rb", "line": 1 }, - "id": "V-62225" + "id": "V-62219" }, { - "title": "The Wildfly server, when hosting mission critical applications, must be\n in a high-availability (HA) cluster.", - "desc": "A MAC I system is a system that handles data vital to the\n organization's operational readiness or effectiveness of deployed or\n contingency forces. A MAC I system must maintain the highest level of\n integrity and availability. 
By HA clustering the application server, the\n hosted application and data are given a platform that is load-balanced and\n provides high availability.", + "title": "Production Wildfly servers must log when successful application\n deployments occur.", + "desc": "Without logging the enforcement of access restrictions against changes to\nthe application server configuration, it will be difficult to identify\nattempted attacks, and a log trail will not be available for forensic\ninvestigation for after-the-fact actions. Configuration changes may occur to\nany of the modules within the application server through the management\ninterface, but logging of actions to the configuration of a module outside the\napplication server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\nunauthorized changes to configuration settings. Enforcement action methods may\nbe as simple as denying access to a file based on the application of file\npermissions (access restriction). Log items may consist of lists of actions\nblocked by access restrictions or changes identified after the fact.", "descriptions": { - "default": "A MAC I system is a system that handles data vital to the\n organization's operational readiness or effectiveness of deployed or\n contingency forces. A MAC I system must maintain the highest level of\n integrity and availability. By HA clustering the application server, the\n hosted application and data are given a platform that is load-balanced and\n provides high availability." + "default": "Without logging the enforcement of access restrictions against changes to\nthe application server configuration, it will be difficult to identify\nattempted attacks, and a log trail will not be available for forensic\ninvestigation for after-the-fact actions. 
Configuration changes may occur to\nany of the modules within the application server through the management\ninterface, but logging of actions to the configuration of a module outside the\napplication server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\nunauthorized changes to configuration settings. Enforcement action methods may\nbe as simple as denying access to a file based on the application of file\npermissions (access restriction). Log items may consist of lists of actions\nblocked by access restrictions or changes identified after the fact." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000435-AS-000069", - "gid": "V-62319", - "rid": "SV-76809r1_rule", - "stig_id": "JBOS-AS-000640", + "gtitle": "SRG-APP-000381-AS-000089", + "gid": "V-62315", + "rid": "SV-76805r1_rule", + "stig_id": "JBOS-AS-000555", "cci": [ - "CCI-002385" + "CCI-001814" ], "documentable": false, "nist": [ - "SC-5", + "CM-5 (1)", "Rev_4" ], - "check": "Interview the system admin and determine if the applications\n hosted on the application server are mission critical and require load\n balancing (LB) or high availability (HA).\n\n If the applications do not require LB or HA, this requirement is NA.\n\n If the documentation shows the LB or HA services are being provided by another\n system other than the application server, this requirement is NA.\n\n If applications require LB or HA, request documentation from the system admin\n that identifies what type of LB or HA configuration has been implemented on the\n application server.\n\n Ask the system admin to identify the components that require protection. Some\n options are included here as an example. Bear in mind the examples provided\n are not complete and absolute and are only provided as examples. 
The\n components being made redundant or HA by the application server will vary based\n upon application availability requirements.\n\n Examples are:\n Instances of the Application Server\n Web Applications\n Stateful, stateless and entity Enterprise Java Beans (EJBs)\n Single Sign On (SSO) mechanisms\n Distributed Cache\n HTTP sessions\n JMS and Message Services.\n\n If the hosted application requirements specify LB or HA and the Wildfly server\n has not been configured to offer HA or LB, this is a finding.", - "fix": "Configure the application server to provide LB or HA services for\n the hosted application.", - "fix_id": "F-68239r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /core-service=management/access=audit/logger=audit-log\n\n If \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface substituting standalone\n or domain for based upon the server installation.\n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the following command:\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)", + "fix_id": "F-68235r1_fix" }, - "code": "control 'V-62319' do\n title \"The Wildfly server, when hosting mission critical applications, must be\n in a high-availability (HA) cluster.\"\n desc \"A MAC I system is a system that handles data vital to the\n organization's operational readiness or effectiveness of deployed or\n contingency forces. A MAC I system must maintain the highest level of\n integrity and availability. 
By HA clustering the application server, the\n hosted application and data are given a platform that is load-balanced and\n provides high availability.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000435-AS-000069'\n tag \"gid\": 'V-62319'\n tag \"rid\": 'SV-76809r1_rule'\n tag \"stig_id\": 'JBOS-AS-000640'\n tag \"cci\": ['CCI-002385']\n tag \"documentable\": false\n tag \"nist\": ['SC-5', 'Rev_4']\n tag \"check\": \"Interview the system admin and determine if the applications\n hosted on the application server are mission critical and require load\n balancing (LB) or high availability (HA).\n\n If the applications do not require LB or HA, this requirement is NA.\n\n If the documentation shows the LB or HA services are being provided by another\n system other than the application server, this requirement is NA.\n\n If applications require LB or HA, request documentation from the system admin\n that identifies what type of LB or HA configuration has been implemented on the\n application server.\n\n Ask the system admin to identify the components that require protection. Some\n options are included here as an example. Bear in mind the examples provided\n are not complete and absolute and are only provided as examples. 
The\n components being made redundant or HA by the application server will vary based\n upon application availability requirements.\n\n Examples are:\n Instances of the Application Server\n Web Applications\n Stateful, stateless and entity Enterprise Java Beans (EJBs)\n Single Sign On (SSO) mechanisms\n Distributed Cache\n HTTP sessions\n JMS and Message Services.\n\n If the hosted application requirements specify LB or HA and the Wildfly server\n has not been configured to offer HA or LB, this is a finding.\"\n tag \"fix\": \"Configure the application server to provide LB or HA services for\n the hosted application.\"\n tag \"fix_id\": 'F-68239r1_fix'\n\n high_availability = input('high_availability')\n\n describe 'The wildfly configuration file used' do\n subject { command ('ps -ef | grep wildfly | grep -v grep | grep -v chef').stdout }\n it { should match /[\\w\\b\\D\\d\\W]* -c=standalone-full.ha.xml [\\w\\b\\D\\d\\W]*/ }\n\n before do\n skip if high_availability == false\n end\n\n end\nend\n", + "code": "control 'V-62315' do\n title \"Production Wildfly servers must log when successful application\n deployments occur.\"\n desc \"\n Without logging the enforcement of access restrictions against changes to\n the application server configuration, it will be difficult to identify\n attempted attacks, and a log trail will not be available for forensic\n investigation for after-the-fact actions. Configuration changes may occur to\n any of the modules within the application server through the management\n interface, but logging of actions to the configuration of a module outside the\n application server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\n unauthorized changes to configuration settings. Enforcement action methods may\n be as simple as denying access to a file based on the application of file\n permissions (access restriction). 
Log items may consist of lists of actions\n blocked by access restrictions or changes identified after the fact.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000381-AS-000089'\n tag \"gid\": 'V-62315'\n tag \"rid\": 'SV-76805r1_rule'\n tag \"stig_id\": 'JBOS-AS-000555'\n tag \"cci\": ['CCI-001814']\n tag \"documentable\": false\n tag \"nist\": ['CM-5 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /core-service=management/access=audit/logger=audit-log\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface substituting standalone\n or domain for based upon the server installation.\n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the following command:\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n tag \"fix_id\": 'F-68235r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server setting: log when successful application deployments occur' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62319.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62315.rb", "line": 1 }, - "id": "V-62319" + "id": "V-62315" }, { - "title": "The Wildfly server must be configured to use individual accounts and not\n generic or shared accounts.", - "desc": "To assure individual accountability and prevent unauthorized access,\napplication server users (and any processes acting on behalf of 
application\nserver users) must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\n\n Application servers must ensure that individual users are authenticated\nprior to authenticating via role or group authentication. This is to ensure\nthat there is non-repudiation for actions taken.", + "title": "Remote access to JMX subsystem must be disabled.", + "desc": "The JMX subsystem allows you to trigger JDK and application management\n operations remotely. In a managed domain configuration, the JMX subsystem is\n removed by default. For a standalone configuration, it is enabled by default\n and must be removed.", "descriptions": { - "default": "To assure individual accountability and prevent unauthorized access,\napplication server users (and any processes acting on behalf of application\nserver users) must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\n\n Application servers must ensure that individual users are authenticated\nprior to authenticating via role or group authentication. This is to ensure\nthat there is non-repudiation for actions taken." + "default": "The JMX subsystem allows you to trigger JDK and application management\n operations remotely. In a managed domain configuration, the JMX subsystem is\n removed by default. For a standalone configuration, it is enabled by default\n and must be removed." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000153-AS-000104", - "gid": "V-62281", - "rid": "SV-76771r1_rule", - "stig_id": "JBOS-AS-000275", - "cci": [ - "CCI-000770" - ], - "documentable": false, - "nist": [ - "IA-2 (5)", - "Rev_4" - ], - "check": "If the application server management interface is configured to\n use LDAP authentication this requirement is NA.\n\n Determine the mode in which the Wildfly server is operating by authenticating to\n the OS, changing to the $JBOSS_HOME;/bin/ folder and executing the jboss-cli\n script.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Connect to the server and authenticate.\n Run the command: \"ls\" and examine the \"launch-type\" setting.\n\n User account information is stored in the following files for a Wildfly server\n configured in standalone mode. The command line flags passed to the\n \"standalone\" startup script determine the standalone operating mode:\n $JBOSS_HOME;/standalone/configuration/standalone.xml\n $JBOSS_HOME;/standalone/configuration/standalone-full.xml\n $JBOSS_HOME;/standalone/configuration/standalone.-full-ha.xml\n $JBOSS_HOME;/standalone/configuration/standalone.ha.xml\n\n For a Managed Domain:\n $JBOSS_HOME;/domain/configuration/domain.xml.\n\n Review both files for generic or shared user accounts.\n\n Open each xml file with a text editor and locate the \n section.\n Review the sub-section where \"xxxxx\" will be a user\n name.\n\n Have the system administrator identify the user of each user account.\n\n If user accounts are not assigned to individual users, this is a finding.", - "fix": "Configure the application server so required users are\n individually authenticated by creating individual user accounts. 
Utilize an\n LDAP server that is configured according to DOD policy.", - "fix_id": "F-68201r1_fix" - }, - "code": "control 'V-62281' do\n title \"The Wildfly server must be configured to use individual accounts and not\n generic or shared accounts.\"\n desc \"\n To assure individual accountability and prevent unauthorized access,\n application server users (and any processes acting on behalf of application\n server users) must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\n Use of a group authenticator alone does not uniquely identify individual users.\n\n Application servers must ensure that individual users are authenticated\n prior to authenticating via role or group authentication. This is to ensure\n that there is non-repudiation for actions taken.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000153-AS-000104'\n tag \"gid\": 'V-62281'\n tag \"rid\": 'SV-76771r1_rule'\n tag \"stig_id\": 'JBOS-AS-000275'\n tag \"cci\": ['CCI-000770']\n tag \"documentable\": false\n tag \"nist\": ['IA-2 (5)', 'Rev_4']\n tag \"check\": \"If the application server management interface is configured to\n use LDAP authentication this requirement is NA.\n\n Determine the mode in which the Wildfly server is operating by authenticating to\n the OS, changing to the $JBOSS_HOME;/bin/ folder and executing the jboss-cli\n script.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Connect to the server and authenticate.\n Run the command: \\\"ls\\\" and examine the \\\"launch-type\\\" setting.\n\n User account information is stored in the following files for a Wildfly server\n configured in standalone mode. 
The command line flags passed to the\n \\\"standalone\\\" startup script determine the standalone operating mode:\n $JBOSS_HOME;/standalone/configuration/standalone.xml\n $JBOSS_HOME;/standalone/configuration/standalone-full.xml\n $JBOSS_HOME;/standalone/configuration/standalone.-full-ha.xml\n $JBOSS_HOME;/standalone/configuration/standalone.ha.xml\n\n For a Managed Domain:\n $JBOSS_HOME;/domain/configuration/domain.xml.\n\n Review both files for generic or shared user accounts.\n\n Open each xml file with a text editor and locate the \n section.\n Review the sub-section where \\\"xxxxx\\\" will be a user\n name.\n\n Have the system administrator identify the user of each user account.\n\n If user accounts are not assigned to individual users, this is a finding.\"\n tag \"fix\": \"Configure the application server so required users are\n individually authenticated by creating individual user accounts. Utilize an\n LDAP server that is configured according to DOD policy.\"\n tag \"fix_id\": 'F-68201r1_fix'\n\n connect = input('connection')\n auditor_role_users = input('auditor_role_users')\n administrator_role_users = input('administrator_role_users')\n superuser_role_users = input('superuser_role_users')\n deployer_role_users = input('deployer_role_users')\n maintainer_role_users = input('maintainer_role_users')\n monitor_role_users = input('monitor_role_users')\n operator_role_users = input('operator_role_users')\n\n auditor_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Auditor/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n administrator_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Administrator/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | 
grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n superuser_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=SuperUser/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n deployer_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Deployer/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n maintainer_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Maintainer/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n monitor_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Monitor/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n operator_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Operator/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n\n if !auditor_role.empty?\n auditor_role.each do |user|\n describe \"User: #{user} with the auditor role\" do\n subject { user }\n it { should be_in auditor_role_users }\n end\n end\n end\n\n if !administrator_role.empty?\n administrator_role.each do |user|\n describe \"User: #{user} with the administrator role\" do\n subject { user }\n it { should be_in 
administrator_role_users }\n end\n end\n end\n\n if !superuser_role.empty?\n superuser_role.each do |user|\n describe \"User: #{user} with the SuperUser role\" do\n subject { user }\n it { should be_in superuser_role_users }\n end\n end\n end\n\n if !deployer_role.empty?\n deployer_role.each do |user|\n describe \"User: #{user} with the deployer role\" do\n subject { user }\n it { should be_in deployer_role_users }\n end\n end\n end\n\n if !maintainer_role.empty?\n maintainer_role.each do |user|\n describe \"User: #{user} with the maintainer role\" do\n subject { user }\n it { should be_in maintainer_role_users }\n end\n end\n end\n\n if !monitor_role.empty?\n monitor_role.each do |user|\n describe \"User: #{user} with the monitor role\" do\n subject { user }\n it { should be_in monitor_role_users }\n end\n end\n end\n\n if !operator_role.empty?\n operator_role.each do |user|\n describe \"User: #{user} with the operator role\" do\n subject { user }\n it { should be_in operator_role_users }\n end\n end\n end\n if auditor_role.empty? && administrator_role.empty? && superuser_role.empty? && deployer_role.empty? 
&& maintainer_role.empty && monitor_role.empty && operator_role.empty?\n impact 0.0\n desc 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable'\n describe 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable' do\n skip 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable'\n end\n end\nend\n", - "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62281.rb", - "line": 1 - }, - "id": "V-62281" - }, - { - "title": "The JRE installed on the Wildfly server must be kept up to date.", - "desc": "The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the Wildfly product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available.", - "descriptions": { - "default": "The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the Wildfly product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available." 
- },
- "impact": 0.7,
- "refs": [],
- "tags": {
- "gtitle": "SRG-APP-000456-AS-000266",
- "gid": "V-62327",
- "rid": "SV-76817r1_rule",
- "stig_id": "JBOS-AS-000685",
+ "gtitle": "SRG-APP-000141-AS-000095",
+ "gid": "V-62269",
+ "rid": "SV-76759r1_rule",
+ "stig_id": "JBOS-AS-000240",
 "cci": [
- "CCI-002605"
+ "CCI-000381"
 ],
 "documentable": false,
 "nist": [
- "SI-2 c",
+ "CM-7 a",
 "Rev_4"
 ],
- "check": "Interview the system admin and obtain details on their patch\n management processes as it relates to the OS and the Application Server.\n\n If there is no active, documented patch management process in use for these\n components, this is a finding.",
- "fix": "Configure the operating system and the application server to use\n a patch management system or process that ensures security-relevant updates are\n installed within the time period directed by the ISSM.",
- "fix_id": "F-68247r1_fix"
+ "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \"ls /profile=/subsystem=jmx/remoting-connector\"\n\n For a Standalone configuration:\n \"ls /subsystem=jmx/remoting-connector\"\n\n If \"jmx\" is returned, this is a finding.",
+ "fix": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n For a Managed Domain configuration you must check each profile name:\n\n For each PROFILE NAME, run the command:\n 
\"/profile=/subsystem=jmx/remoting-connector=jmx:remove\"\n\n For a Standalone configuration:\n \"/subsystem=jmx/remoting-connector=jmx:remove\"", + "fix_id": "F-68189r1_fix" }, - "code": "control 'V-62327' do\n title \"The JRE installed on the Wildfly server must be kept up to date.\"\n desc \"The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the Wildfly product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000456-AS-000266'\n tag \"gid\": 'V-62327'\n tag \"rid\": 'SV-76817r1_rule'\n tag \"stig_id\": 'JBOS-AS-000685'\n tag \"cci\": ['CCI-002605']\n tag \"documentable\": false\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": \"Interview the system admin and obtain details on their patch\n management processes as it relates to the OS and the Application Server.\n\n If there is no active, documented patch management process in use for these\n components, this is a finding.\"\n tag \"fix\": \"Configure the operating system and the application server to use\n a patch management system or process that ensures security-relevant updates are\n installed within the time period directed by the ISSM.\"\n tag \"fix_id\": 'F-68247r1_fix'\n describe.one do\n describe package('java-1.7.0-openjdk') do\n its('version') { should cmp >= '1.7.0.171' }\n end\n describe package('java-1.8.0-openjdk') do\n its('version') { should cmp >= '1.8.0.161' }\n end\n end\nend\n", + "code": "control 'V-62269' do\n title \"Remote access to JMX subsystem must be disabled.\"\n desc \"The JMX subsystem allows you to trigger JDK and application management\n operations remotely. In a managed domain configuration, the JMX subsystem is\n removed by default. 
For a standalone configuration, it is enabled by default\n and must be removed.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62269'\n tag \"rid\": 'SV-76759r1_rule'\n tag \"stig_id\": 'JBOS-AS-000240'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \\\"ls /profile=/subsystem=jmx/remoting-connector\\\"\n\n For a Standalone configuration:\n \\\"ls /subsystem=jmx/remoting-connector\\\"\n\n If \\\"jmx\\\" is returned, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n For a Managed Domain configuration you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \\\"/profile=/subsystem=jmx/remoting-connector=jmx:remove\\\"\n\n For a Standalone configuration:\n \\\"/subsystem=jmx/remoting-connector=jmx:remove\\\"\"\n tag \"fix_id\": 'F-68189r1_fix'\n\n connect = input('connection')\n describe 'The wildfly remote access' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=jmx/remoting-connector\").stdout }\n it { should_not match(%r{jmx}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62327.rb", + "ref": "./Red Hat Jboss EAP 6.3 
STIG/controls/V-62269.rb",
 "line": 1
 },
- "id": "V-62327"
+ "id": "V-62269"
 },
 {
- "title": "Wildfly must be configured to produce log records containing information\nto establish what type of events occurred.",
- "desc": "Information system logging capability is critical for accurate forensic\nanalysis. Without being able to establish what type of event occurred, it\nwould be difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\ncontrol includes time stamps, source and destination addresses, user/process\nidentifiers, event descriptions, success/fail indications, filenames involved,\nand access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\napplication server. Examples of relevant data include, but are not limited to,\nJava Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\nserver-related system process activity.",
+ "title": "Wildfly Log Formatter must be configured to produce log records that\nestablish the date and time the events occurred.",
+ "desc": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct order of the events that occurred is important\nduring forensic analysis. Events that appear harmless by themselves might be\nflagged as a potential threat when properly viewed in sequence. By also\nestablishing the event date and time, an event can be properly viewed with an\nenterprise tool to fully see a possible threat in its entirety.\n\n Without sufficient information establishing when the log event occurred,\ninvestigation into the cause of event is severely hindered. 
Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.\n\n In addition to logging event information, application servers must also log\nthe corresponding dates and times of these events. Examples of event data\ninclude, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD\nactivity, and application server-related system process activity.", "descriptions": { - "default": "Information system logging capability is critical for accurate forensic\nanalysis. Without being able to establish what type of event occurred, it\nwould be difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\ncontrol includes time stamps, source and destination addresses, user/process\nidentifiers, event descriptions, success/fail indications, filenames involved,\nand access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\napplication server. Examples of relevant data include, but are not limited to,\nJava Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\nserver-related system process activity." + "default": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct order of the events that occurred is important\nduring forensic analysis. Events that appear harmless by themselves might be\nflagged as a potential threat when properly viewed in sequence. 
By also\nestablishing the event date and time, an event can be properly viewed with an\nenterprise tool to fully see a possible threat in its entirety.\n\n Without sufficient information establishing when the log event occurred,\ninvestigation into the cause of event is severely hindered. Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.\n\n In addition to logging event information, application servers must also log\nthe corresponding dates and times of these events. Examples of event data\ninclude, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD\nactivity, and application server-related system process activity." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000095-AS-000056", - "gid": "V-62239", - "rid": "SV-76729r1_rule", - "stig_id": "JBOS-AS-000110", + "gtitle": "SRG-APP-000096-AS-000059", + "gid": "V-62241", + "rid": "SV-76731r1_rule", + "stig_id": "JBOS-AS-000115", "cci": [ - "CCI-000130" + "CCI-000131" ], "documentable": false, "nist": [ 
@@ -1059,654 +1059,654 @@ ], "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.", "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68159r1_fix" + "fix_id": "F-68161r1_fix" }, - "code": "control 'V-62239' do\n title \"Wildfly must be configured to produce log records containing information\nto establish what type of events occurred.\"\n desc \"\n Information system logging capability is critical for accurate forensic\nanalysis. 
Without being able to establish what type of event occurred, it\nwould be difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\ncontrol includes time stamps, source and destination addresses, user/process\nidentifiers, event descriptions, success/fail indications, filenames involved,\nand access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\napplication server. Examples of relevant data include, but are not limited to,\nJava Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\nserver-related system process activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000095-AS-000056'\n tag \"gid\": 'V-62239'\n tag \"rid\": 'SV-76729r1_rule'\n tag \"stig_id\": 'JBOS-AS-000110'\n tag \"cci\": ['CCI-000130']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain 
configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68159r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server setting: produce log records containing information to establish what type of events occurred' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62241' do\n title \"Wildfly Log Formatter must be configured to produce log records that\nestablish the date and time the events occurred.\"\n desc \"\n Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct order of the events that occurred is important\nduring forensic analysis. Events that appear harmless by themselves might be\nflagged as a potential threat when properly viewed in sequence. By also\nestablishing the event date and time, an event can be properly viewed with an\nenterprise tool to fully see a possible threat in its entirety.\n\n Without sufficient information establishing when the log event occurred,\ninvestigation into the cause of event is severely hindered. 
Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.\n\n In addition to logging event information, application servers must also log\nthe corresponding dates and times of these events. Examples of event data\ninclude, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD\nactivity, and application server-related system process activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000096-AS-000059'\n tag \"gid\": 'V-62241'\n tag \"rid\": 'SV-76731r1_rule'\n tag \"stig_id\": 'JBOS-AS-000115'\n tag \"cci\": ['CCI-000131']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone 
configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68161r1_fix'\n\n connect = input('connection')\n\n describe 'Wildfly Log Formatter produce log records that establish the date and time the events occurred' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62239.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62241.rb", "line": 1 }, - "id": "V-62239" + "id": "V-62241" }, { - "title": "Wildfly must utilize encryption when using LDAP for authentication.", - "desc": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords during transmission.\n\n Application servers have the capability to utilize LDAP directories for\nauthentication. If LDAP connections are not protected during transmission,\nsensitive authentication credentials can be stolen. When the application server\nutilizes LDAP, the LDAP traffic must be encrypted.", + "title": "Java permissions must be set for hosted applications.", + "desc": "The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The JVM requires a security policy in order to restrict application access.\n A properly configured security policy will define what rights the application\nhas to the underlying system. 
For example, rights to make changes to files on\nthe host system or to initiate network sockets in order to connect to another\nsystem.", "descriptions": { - "default": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords during transmission.\n\n Application servers have the capability to utilize LDAP directories for\nauthentication. If LDAP connections are not protected during transmission,\nsensitive authentication credentials can be stolen. When the application server\nutilizes LDAP, the LDAP traffic must be encrypted." + "default": "The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The JVM requires a security policy in order to restrict application access.\n A properly configured security policy will define what rights the application\nhas to the underlying system. For example, rights to make changes to files on\nthe host system or to initiate network sockets in order to connect to another\nsystem." 
},
- "impact": 0.5,
+ "impact": 0.7,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000172-AS-000121",
- "gid": "V-62293",
- "rid": "SV-76783r1_rule",
- "stig_id": "JBOS-AS-000310",
+ "gtitle": "SRG-APP-000033-AS-000024",
+ "gid": "V-62217",
+ "rid": "SV-76707r1_rule",
+ "stig_id": "JBOS-AS-000025",
 "cci": [
- "CCI-000197"
+ "CCI-000213"
 ],
 "documentable": false,
 "nist": [
- "IA-5 (1) (c)",
+ "AC-3",
 "Rev_4"
 ],
- "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Run the following command:\n\n For standalone servers:\n \"ls\n /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection\"\n\n For managed domain installations:\n \"ls\n /socket-binding-group=/remote-destination-outbound-socket-binding=\"\n\n The default port for secure LDAP is 636.\n\n If 636 or secure LDAP protocol is not utilized, this is a finding.",
- "fix": "Follow steps in section 11.8 - Management Interface Security in\n the\n JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. Reference the new security domain in the Management Interface.",
- "fix_id": "F-68213r1_fix"
+ "check": "Obtain documentation from the admin that identifies the\n applications hosted on the JBoss server as well as the corresponding rights the\n application requires. For example, if the application requires network socket\n permissions and file write permissions, those requirements should be documented.\n\n 1. 
Identify the Wildfly installation as either domain or standalone and review\n the relevant configuration file.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n For domain installs: JBOSS_HOME/bin/domain.conf\n For standalone installs: JBOSS_HOME/bin/standalone.conf\n\n 2. Identify the location and name of the security policy by reading the\n JAVA_OPTS flag -Djava.security.policy= where will\n indicate name and location of security policy. If the application uses a\n policy URL, obtain URL and policy file from system admin.\n\n 3. Review security policy and ensure hosted applications have the appropriate\n restrictions placed on them as per documented application functionality\n requirements.\n\n If the security policy does not restrict application access to host resources\n as per documented requirements, this is a finding.", + "fix": "Configure the Java security manager to enforce access\n restrictions to the host system resources in accordance with application design\n and resource requirements.", + "fix_id": "F-68137r1_fix" }, - "code": "control 'V-62293' do\n title \"Wildfly must utilize encryption when using LDAP for authentication.\"\n desc \"\n Passwords need to be protected at all times, and encryption is the standard\n method for protecting passwords during transmission.\n\n Application servers have the capability to utilize LDAP directories for\n authentication. If LDAP connections are not protected during transmission,\n sensitive authentication credentials can be stolen. 
When the application server\n utilizes LDAP, the LDAP traffic must be encrypted.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000172-AS-000121'\n tag \"gid\": 'V-62293'\n tag \"rid\": 'SV-76783r1_rule'\n tag \"stig_id\": 'JBOS-AS-000310'\n tag \"cci\": ['CCI-000197']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Run the following command:\n\n For standalone servers:\n \\\"ls\n /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection\\\"\n\n For managed domain installations:\n \\\"ls\n /socket-binding-group=/remote-destination-outbound-socket-binding=\\\"\n\n The default port for secure LDAP is 636.\n\n If 636 or secure LDAP protocol is not utilized, this is a finding.\"\n tag \"fix\": \"Follow steps in section 11.8 - Management Interface Security in\n the\n JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. 
Reference the new security domain in the Management Interface.\"\n tag \"fix_id\": 'F-68213r1_fix'\n\n connect = input('connection')\n ldap = input('ldap')\n\n if ldap\n describe 'A manual review is required to ensure wildfly uses encryption when using LDAP for authentication' do\n skip 'A manual review is required to ensure wildfly uses encryption when using LDAP for authentication'\n end\n else\n describe command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/https-listener=https\") do\n its('stdout') { should match(%r{enabled=true}) }\n end\n end\nend\n", + "code": "control 'V-62217' do\n title \"Java permissions must be set for hosted applications.\"\n desc \"\n The Java Security Manager is a java class that manages the external\n boundary of the Java Virtual Machine (JVM) sandbox, controlling how code\n executing within the JVM can interact with resources outside the JVM.\n\n The JVM requires a security policy in order to restrict application access.\n A properly configured security policy will define what rights the application\n has to the underlying system. For example, rights to make changes to files on\n the host system or to initiate network sockets in order to connect to another\n system.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62217'\n tag \"rid\": 'SV-76707r1_rule'\n tag \"stig_id\": 'JBOS-AS-000025'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Obtain documentation from the admin that identifies the\n applications hosted on the JBoss server as well as the corresponding rights the\n application requires. For example, if the application requires network socket\n permissions and file write permissions, those requirements should be documented.\n\n 1. 
Identify the Wildfly installation as either domain or standalone and review\n the relevant configuration file.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n For domain installs: JBOSS_HOME/bin/domain.conf\n For standalone installs: JBOSS_HOME/bin/standalone.conf\n\n 2. Identify the location and name of the security policy by reading the\n JAVA_OPTS flag -Djava.security.policy= where will\n indicate name and location of security policy. If the application uses a\n policy URL, obtain URL and policy file from system admin.\n\n 3. Review security policy and ensure hosted applications have the appropriate\n restrictions placed on them as per documented application functionality\n requirements.\n\n If the security policy does not restrict application access to host resources\n as per documented requirements, this is a finding.\"\n tag \"fix\": \"Configure the Java security manager to enforce access\n restrictions to the host system resources in accordance with application design\n and resource requirements.\"\n tag \"fix_id\": 'F-68137r1_fix'\n describe.one do\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should match(%r{JAVA_OPTS=\"\\$JAVA_OPTS -Djavax.security.policy=\\/usr\\/lib\\/jvm\\/java\\-1.8.0\\/jre\\/lib\\/security\\/java.policy\"}) }\n end\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should match(%r{JAVA_OPTS=\"\\$JAVA_OPTS -Djava.security.manager -Djava.security.policy==%JBOSS_HOME\\\\lib\\\\security\\\\java.policy.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true\"}) }\n end\n describe parse_config_file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('SECMGR') { should match(%r{\"true\"}) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62293.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62217.rb", "line": 1 }, - "id": "V-62293" + "id": "V-62217" }, { - "title": "Production 
Wildfly servers must not allow automatic application\n deployment.", - "desc": "When dealing with access restrictions pertaining to change control, it\nshould be noted that any changes to the software and/or application server\nconfiguration can potentially have significant effects on the overall security\nof the system.\n\n Access restrictions for changes also include application software libraries.\n\n If the application server provides automatic code deployment capability,\n(where updates to applications hosted on the application server are\nautomatically performed, usually by the developers' IDE tool), it must also\nprovide a capability to restrict the use of automatic application deployment.\nAutomatic code deployments are allowable in a development environment, but not\nin production.", + "title": "Production Wildfly servers must log when failed application deployments\n occur.", + "desc": "Without logging the enforcement of access restrictions against changes to\nthe application server configuration, it will be difficult to identify\nattempted attacks, and a log trail will not be available for forensic\ninvestigation for after-the-fact actions. Configuration changes may occur to\nany of the modules within the application server through the management\ninterface, but logging of actions to the configuration of a module outside the\napplication server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\nunauthorized changes to configuration settings. Enforcement action methods may\nbe as simple as denying access to a file based on the application of file\npermissions (access restriction). 
Log items may consist of lists of actions\nblocked by access restrictions or changes identified after the fact.", "descriptions": { - "default": "When dealing with access restrictions pertaining to change control, it\nshould be noted that any changes to the software and/or application server\nconfiguration can potentially have significant effects on the overall security\nof the system.\n\n Access restrictions for changes also include application software libraries.\n\n If the application server provides automatic code deployment capability,\n(where updates to applications hosted on the application server are\nautomatically performed, usually by the developers' IDE tool), it must also\nprovide a capability to restrict the use of automatic application deployment.\nAutomatic code deployments are allowable in a development environment, but not\nin production." + "default": "Without logging the enforcement of access restrictions against changes to\nthe application server configuration, it will be difficult to identify\nattempted attacks, and a log trail will not be available for forensic\ninvestigation for after-the-fact actions. Configuration changes may occur to\nany of the modules within the application server through the management\ninterface, but logging of actions to the configuration of a module outside the\napplication server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\nunauthorized changes to configuration settings. Enforcement action methods may\nbe as simple as denying access to a file based on the application of file\npermissions (access restriction). Log items may consist of lists of actions\nblocked by access restrictions or changes identified after the fact." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000380-AS-000088", - "gid": "V-62311", - "rid": "SV-76801r1_rule", - "stig_id": "JBOS-AS-000545", + "gtitle": "SRG-APP-000381-AS-000089", + "gid": "V-62313", + "rid": "SV-76803r1_rule", + "stig_id": "JBOS-AS-000550", "cci": [ - "CCI-001813" + "CCI-001814" ], "documentable": false, "nist": [ "CM-5 (1)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /subsystem=deployment-scanner/scanner=default\n\n If \"scan-enabled\"=true, this is a finding.", - "fix": "Determine the JBoss server configuration as being either\n standalone or domain.\n\n Launch the relevant jboss-cli management interface substituting standalone or\n domain for \n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the command:\n\n /subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)", - "fix_id": "F-68231r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /core-service=management/access=audit/logger=audit-log\n\n If \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface substituting standalone\n or domain for based upon the server installation.\n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the following command:\n\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)", + "fix_id": "F-68233r1_fix" }, - "code": "control 
'V-62311' do\n title \"Production Wildfly servers must not allow automatic application\n deployment.\"\n desc \"\n When dealing with access restrictions pertaining to change control, it\n should be noted that any changes to the software and/or application server\n configuration can potentially have significant effects on the overall security\n of the system.\n\n Access restrictions for changes also include application software libraries.\n\n If the application server provides automatic code deployment capability,\n (where updates to applications hosted on the application server are\n automatically performed, usually by the developers' IDE tool), it must also\n provide a capability to restrict the use of automatic application deployment.\n Automatic code deployments are allowable in a development environment, but not\n in production.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000380-AS-000088'\n tag \"gid\": 'V-62311'\n tag \"rid\": 'SV-76801r1_rule'\n tag \"stig_id\": 'JBOS-AS-000545'\n tag \"cci\": ['CCI-001813']\n tag \"documentable\": false\n tag \"nist\": ['CM-5 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /subsystem=deployment-scanner/scanner=default\n\n If \\\"scan-enabled\\\"=true, this is a finding.\"\n tag \"fix\": \"Determine the JBoss server configuration as being either\n standalone or domain.\n\n Launch the relevant jboss-cli management interface substituting standalone or\n domain for \n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the command:\n\n /subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)\"\n tag \"fix_id\": 'F-68231r1_fix'\n\n connect = input('connection')\n\n describe 'The 
wildfly application deployment scanner' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=deployment-scanner/scanner=default\").stdout }\n it { should_not match(%r{scan-enabled=true}) }\n end\nend\n", + "code": "control 'V-62313' do\n title \"Production Wildfly servers must log when failed application deployments\n occur.\"\n desc \"\n Without logging the enforcement of access restrictions against changes to\n the application server configuration, it will be difficult to identify\n attempted attacks, and a log trail will not be available for forensic\n investigation for after-the-fact actions. Configuration changes may occur to\n any of the modules within the application server through the management\n interface, but logging of actions to the configuration of a module outside the\n application server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\n unauthorized changes to configuration settings. Enforcement action methods may\n be as simple as denying access to a file based on the application of file\n permissions (access restriction). 
Log items may consist of lists of actions\n blocked by access restrictions or changes identified after the fact.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000381-AS-000089'\n tag \"gid\": 'V-62313'\n tag \"rid\": 'SV-76803r1_rule'\n tag \"stig_id\": 'JBOS-AS-000550'\n tag \"cci\": ['CCI-001814']\n tag \"documentable\": false\n tag \"nist\": ['CM-5 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /core-service=management/access=audit/logger=audit-log\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface substituting standalone\n or domain for based upon the server installation.\n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the following command:\n\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n tag \"fix_id\": 'F-68233r1_fix'\n\n connect = input('connection')\n\n describe 'The Wildfly server setting: log when failed application deployments occur' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62311.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62313.rb", "line": 1 }, - "id": "V-62311" + "id": "V-62313" }, { - "title": "Wildfly must be configured to allow only the ISSM (or individuals or\nroles appointed by the ISSM) to select which loggable events are to be logged.", - "desc": "The Wildfly server must be configured to select which personnel are assigned\nthe role of selecting 
which loggable events are to be logged.\n In Wildfly, the role designated for selecting auditable events is the\n\"Auditor\" role.\n The personnel or roles that can select loggable events are only the ISSM\n(or individuals or roles appointed by the ISSM).", + "title": "The Wildfly server must be configured to utilize syslog logging.", + "desc": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Off-loading is a common process in information systems with limited log\nstorage capacity.\n\n Centralized management of log records provides for efficiency in\nmaintenance and management of records, as well as the backup and archiving of\nthose records. Application servers and their related components are required to\noff-load log records onto a different system or media than the system being\nlogged.", "descriptions": { - "default": "The Wildfly server must be configured to select which personnel are assigned\nthe role of selecting which loggable events are to be logged.\n In Wildfly, the role designated for selecting auditable events is the\n\"Auditor\" role.\n The personnel or roles that can select loggable events are only the ISSM\n(or individuals or roles appointed by the ISSM)." + "default": "Information system logging capability is critical for accurate forensic\nanalysis. 
Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Off-loading is a common process in information systems with limited log\nstorage capacity.\n\n Centralized management of log records provides for efficiency in\nmaintenance and management of records, as well as the backup and archiving of\nthose records. Application servers and their related components are required to\noff-load log records onto a different system or media than the system being\nlogged." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000090-AS-000051", - "gid": "V-62233", - "rid": "SV-76723r1_rule", - "stig_id": "JBOS-AS-000085", + "gtitle": "SRG-APP-000358-AS-000064", + "gid": "V-62309", + "rid": "SV-76799r1_rule", + "stig_id": "JBOS-AS-000505", "cci": [ - "CCI-000171" + "CCI-001851" ], "documentable": false, "nist": [ - "AU-12 b", + "AU-4 (1)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=authorization/role-mapping=Auditor/include=\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=authorization/role-mapping=Auditor/include=\"\n\nIf the list of users in the Auditors group is not approved by the ISSM, this is\na finding.", - "fix": "Obtain documented approvals from ISSM, and assign the appropriate\npersonnel into the \"Auditor\" role.", - 
"fix_id": "F-68153r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n Standalone configuration:\n \"ls /subsystem=logging/syslog-handler=\"\n\n Domain configuration:\n \"ls /profile=/subsystem=logging/syslog-handler=\"\n Where = the selected application server profile of; default,full,\n full-ha or ha.\n\n If no values are returned, this is a finding.", + "fix": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n Standalone configuration:\n \"ls /subsystem=logging/syslog-handler=\"\n\n Domain configuration:\n \"ls /profile=default/subsystem=logging/syslog-handler=\"\n\n If no values are returned, this is a finding.", + "fix_id": "F-68229r1_fix" }, - "code": "control 'V-62233' do\n title \"Wildfly must be configured to allow only the ISSM (or individuals or\nroles appointed by the ISSM) to select which loggable events are to be logged.\"\n desc \"\n The Wildfly server must be configured to select which personnel are assigned\nthe role of selecting which loggable events are to be logged.\n In Wildfly, the role designated for selecting auditable events is the\n\\\"Auditor\\\" role.\n The personnel or roles that can select loggable events are only the ISSM\n(or individuals or roles appointed by the ISSM).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000090-AS-000051'\n tag \"gid\": 'V-62233'\n tag \"rid\": 'SV-76723r1_rule'\n tag \"stig_id\": 'JBOS-AS-000085'\n tag \"cci\": ['CCI-000171']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 b', 'Rev_4']\n tag \"check\": \"Log on to 
the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=authorization/role-mapping=Auditor/include=\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=authorization/role-mapping=Auditor/include=\\\"\n\nIf the list of users in the Auditors group is not approved by the ISSM, this is\na finding.\"\n tag \"fix\": \"Obtain documented approvals from ISSM, and assign the appropriate\npersonnel into the \\\"Auditor\\\" role.\"\n tag \"fix_id\": 'F-68153r1_fix'\n\n connect = input('connection')\n auditor_role_users = input('auditor_role_users')\n\n auditor_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\ /core-service=management/access=authorization/role-mapping=Auditor/include=\").stdout.split(\"\\n\")\n\n auditor_role.each do |user|\n a = user.strip\n describe \"#{a}\" do\n it { should be_in auditor_role_users }\n end\n end\n if auditor_role.empty?\n impact 0.0\n describe 'There are no wildfly users with the auditor role, therefore this control is not applicable' do\n skip 'There are no wildfly users with the auditor role, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-62309' do\n title \"The Wildfly server must be configured to utilize syslog logging.\"\n desc \"\n Information system logging capability is critical for accurate forensic\n analysis. 
Log record content that may be necessary to satisfy the requirement\n of this control includes, but is not limited to, time stamps, source and\n destination IP addresses, user/process identifiers, event descriptions,\n application-specific events, success/fail indications, filenames involved,\n access control or flow control rules invoked.\n\n Off-loading is a common process in information systems with limited log\n storage capacity.\n\n Centralized management of log records provides for efficiency in\n maintenance and management of records, as well as the backup and archiving of\n those records. Application servers and their related components are required to\n off-load log records onto a different system or media than the system being\n logged.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000358-AS-000064'\n tag \"gid\": 'V-62309'\n tag \"rid\": 'SV-76799r1_rule'\n tag \"stig_id\": 'JBOS-AS-000505'\n tag \"cci\": ['CCI-001851']\n tag \"documentable\": false\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n Standalone configuration:\n \\\"ls /subsystem=logging/syslog-handler=\\\"\n\n Domain configuration:\n \\\"ls /profile=/subsystem=logging/syslog-handler=\\\"\n Where = the selected application server profile of; default,full,\n full-ha or ha.\n\n If no values are returned, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n Standalone configuration:\n \\\"ls /subsystem=logging/syslog-handler=\\\"\n\n 
Domain configuration:\n \\\"ls /profile=default/subsystem=logging/syslog-handler=\\\"\n\n If no values are returned, this is a finding.\"\n tag \"fix_id\": 'F-68229r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server syslog handler' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=logging/syslog-handler=\").stdout }\n it { should_not eq '' }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62233.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62309.rb", "line": 1 }, - "id": "V-62233" + "id": "V-62309" }, { - "title": "Production Wildfly servers must log when successful application\n deployments occur.", - "desc": "Without logging the enforcement of access restrictions against changes to\nthe application server configuration, it will be difficult to identify\nattempted attacks, and a log trail will not be available for forensic\ninvestigation for after-the-fact actions. Configuration changes may occur to\nany of the modules within the application server through the management\ninterface, but logging of actions to the configuration of a module outside the\napplication server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\nunauthorized changes to configuration settings. Enforcement action methods may\nbe as simple as denying access to a file based on the application of file\npermissions (access restriction). Log items may consist of lists of actions\nblocked by access restrictions or changes identified after the fact.", + "title": "Wildfly file permissions must be configured to protect the\n confidentiality and integrity of application files.", + "desc": "The Wildfly EAP Application Server is a Java-based AS. It is installed on\nthe OS file system and depends upon file system access controls to protect\napplication data at rest. 
The file permissions set on the Wildfly EAP home\nfolder must be configured so as to limit access to only authorized people and\nprocesses. The account used for operating the Wildfly server and any designated\nadministrative or operational accounts are the only accounts that should have\naccess.\n\n When data is written to digital media such as hard drives, mobile\ncomputers, external/removable hard drives, personal digital assistants,\nflash/thumb drives, etc., there is risk of data loss and data compromise.\nSteps must be taken to ensure data stored on the device is protected.", "descriptions": { - "default": "Without logging the enforcement of access restrictions against changes to\nthe application server configuration, it will be difficult to identify\nattempted attacks, and a log trail will not be available for forensic\ninvestigation for after-the-fact actions. Configuration changes may occur to\nany of the modules within the application server through the management\ninterface, but logging of actions to the configuration of a module outside the\napplication server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\nunauthorized changes to configuration settings. Enforcement action methods may\nbe as simple as denying access to a file based on the application of file\npermissions (access restriction). Log items may consist of lists of actions\nblocked by access restrictions or changes identified after the fact." + "default": "The Wildfly EAP Application Server is a Java-based AS. It is installed on\nthe OS file system and depends upon file system access controls to protect\napplication data at rest. The file permissions set on the Wildfly EAP home\nfolder must be configured so as to limit access to only authorized people and\nprocesses. 
The account used for operating the Wildfly server and any designated\nadministrative or operational accounts are the only accounts that should have\naccess.\n\n When data is written to digital media such as hard drives, mobile\ncomputers, external/removable hard drives, personal digital assistants,\nflash/thumb drives, etc., there is risk of data loss and data compromise.\nSteps must be taken to ensure data stored on the device is protected." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000381-AS-000089", - "gid": "V-62315", - "rid": "SV-76805r1_rule", - "stig_id": "JBOS-AS-000555", + "gtitle": "SRG-APP-000231-AS-000133", + "gid": "V-62299", + "rid": "SV-76789r1_rule", + "stig_id": "JBOS-AS-000400", "cci": [ - "CCI-001814" + "CCI-001199" ], "documentable": false, "nist": [ - "CM-5 (1)", + "SC-28", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /core-service=management/access=audit/logger=audit-log\n\n If \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli management interface substituting standalone\n or domain for based upon the server installation.\n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the following command:\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)", - "fix_id": "F-68235r1_fix" + "check": "By default, Wildfly installs its files into a folder called\n \"wildfly\". This folder by default is stored within the home folder of\n the Wildfly user account. 
The installation process, however, allows for the\n override of default values to obtain folder and user account information from\n the system admin.\n\n Log on with a user account with Wildfly access and permissions.\n\n Navigate to the \"Wildfly\" folder using the relevant OS commands for\n either a UNIX-like OS or a Windows OS.\n\n Examine the permissions of the Wildfly folder.\n\n Owner can be full access.\n Group can be full access.\n All others must be restricted to execute access or no permission.\n\n If the Wildfly folder is world readable or world writable, this is a finding.", + "fix": "Configure file permissions on the Wildfly folder to protect from\n unauthorized access.", + "fix_id": "F-68219r1_fix" }, - "code": "control 'V-62315' do\n title \"Production Wildfly servers must log when successful application\n deployments occur.\"\n desc \"\n Without logging the enforcement of access restrictions against changes to\n the application server configuration, it will be difficult to identify\n attempted attacks, and a log trail will not be available for forensic\n investigation for after-the-fact actions. Configuration changes may occur to\n any of the modules within the application server through the management\n interface, but logging of actions to the configuration of a module outside the\n application server is not logged.\n\n Enforcement actions are the methods or mechanisms used to prevent\n unauthorized changes to configuration settings. Enforcement action methods may\n be as simple as denying access to a file based on the application of file\n permissions (access restriction). 
Log items may consist of lists of actions\n blocked by access restrictions or changes identified after the fact.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000381-AS-000089'\n tag \"gid\": 'V-62315'\n tag \"rid\": 'SV-76805r1_rule'\n tag \"stig_id\": 'JBOS-AS-000555'\n tag \"cci\": ['CCI-001814']\n tag \"documentable\": false\n tag \"nist\": ['CM-5 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /core-service=management/access=audit/logger=audit-log\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface substituting standalone\n or domain for based upon the server installation.\n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the following command:\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n tag \"fix_id\": 'F-68235r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server setting: log when successful application deployments occur' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62299' do\n title \"Wildfly file permissions must be configured to protect the\n confidentiality and integrity of application files.\"\n desc \"\n The Wildfly EAP Application Server is a Java-based AS. It is installed on\n the OS file system and depends upon file system access controls to protect\n application data at rest. 
The file permissions set on the Wildfly EAP home\n folder must be configured so as to limit access to only authorized people and\n processes. The account used for operating the Wildfly server and any designated\n administrative or operational accounts are the only accounts that should have\n access.\n\n When data is written to digital media such as hard drives, mobile\n computers, external/removable hard drives, personal digital assistants,\n flash/thumb drives, etc., there is risk of data loss and data compromise.\n Steps must be taken to ensure data stored on the device is protected.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000231-AS-000133'\n tag \"gid\": 'V-62299'\n tag \"rid\": 'SV-76789r1_rule'\n tag \"stig_id\": 'JBOS-AS-000400'\n tag \"cci\": ['CCI-001199']\n tag \"documentable\": false\n tag \"nist\": ['SC-28', 'Rev_4']\n tag \"check\": \"By default, Wildfly installs its files into a folder called\n \\\"wildfly\\\". This folder by default is stored within the home folder of\n the Wildfly user account. 
The installation process, however, allows for the\n override of default values to obtain folder and user account information from\n the system admin.\n\n Log on with a user account with Wildfly access and permissions.\n\n Navigate to the \\\"Wildfly\\\" folder using the relevant OS commands for\n either a UNIX-like OS or a Windows OS.\n\n Examine the permissions of the Wildfly folder.\n\n Owner can be full access.\n Group can be full access.\n All others must be restricted to execute access or no permission.\n\n If the Wildfly folder is world readable or world writable, this is a finding.\"\n tag \"fix\": \"Configure file permissions on the Wildfly folder to protect from\n unauthorized access.\"\n tag \"fix_id\": 'F-68219r1_fix'\n describe directory(\"#{ input('jboss_home') }/\") do\n it { should_not be_readable.by('others') }\n end\n describe directory(\"#{ input('jboss_home') }/\") do\n it { should_not be_writable.by('others') }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62315.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62299.rb", "line": 1 }, - "id": "V-62315" + "id": "V-62299" }, { - "title": "Wildfly must be configured to use an approved cryptographic algorithm in\n conjunction with TLS.", - "desc": "Preventing the disclosure or modification of transmitted information\nrequires that application servers take measures to employ approved cryptography\nin order to protect the information during transmission over the network. This\nis usually achieved through the use of Transport Layer Security (TLS), SSL VPN,\nor IPSec tunnel.\n\n If data in transit is unencrypted, it is vulnerable to disclosure and\nmodification. 
If approved cryptographic algorithms are not used, encryption\nstrength cannot be assured.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\nNIST SP 800-52 specifies the preferred configurations for government systems.", + "title": "Wildfly process owner interactive access must be restricted.", + "desc": "Wildfly does not require admin rights to operate and should be run as a\n regular user. In addition, if the user account was to be compromised and the\n account was allowed interactive logon rights, this would increase the risk and\n attack surface against the Wildfly system. The right to interactively log on to\n the system using the Wildfly account should be limited according to the OS\n capabilities.", "descriptions": { - "default": "Preventing the disclosure or modification of transmitted information\nrequires that application servers take measures to employ approved cryptography\nin order to protect the information during transmission over the network. This\nis usually achieved through the use of Transport Layer Security (TLS), SSL VPN,\nor IPSec tunnel.\n\n If data in transit is unencrypted, it is vulnerable to disclosure and\nmodification. If approved cryptographic algorithms are not used, encryption\nstrength cannot be assured.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\nNIST SP 800-52 specifies the preferred configurations for government systems." + "default": "Wildfly does not require admin rights to operate and should be run as a\n regular user. In addition, if the user account was to be compromised and the\n account was allowed interactive logon rights, this would increase the risk and\n attack surface against the Wildfly system. The right to interactively log on to\n the system using the Wildfly account should be limited according to the OS\n capabilities." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-APP-000440-AS-000167", - "gid": "V-62323", - "rid": "SV-76813r2_rule", - "stig_id": "JBOS-AS-000655", + "gtitle": "SRG-APP-000141-AS-000095", + "gid": "V-62261", + "rid": "SV-76751r1_rule", + "stig_id": "JBOS-AS-000220", "cci": [ - "CCI-002421" + "CCI-000381" ], "documentable": false, "nist": [ - "SC-8 (1)", + "CM-7 a", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Validate that the TLS protocol is used for HTTPS connections.\n Run the command:\n\n \"ls /subsystem=web/connector=https/ssl=configuration\"\n\n Review the cipher suites. The following suites are acceptable as per NIST\n 800-52r1 section 3.3.1 - Cipher Suites. Refer to the NIST document for a\n complete list of acceptable cipher suites. The source NIST document and\n approved encryption algorithms/cipher suites are subject to change and should\n be referenced.\n\n AES_128_CBC\n AES_256_CBC\n AES_128_GCM\n AES_128_CCM\n AES_256_CCM\n\n If the cipher suites utilized by the TLS server are not approved by NIST as per\n 800-52r1, this is a finding.", - "fix": "Reference section 4.6 of the Wildfly Security Guide located\n on the Red Hat vendor's website for step-by-step instructions on establishing\n SSL encryption on Wildfly.\n\n The overall steps include:\n\n 1. Add an HTTPS connector.\n 2. Configure the SSL encryption certificate and keys.\n 3. Set the Cipher to an approved algorithm.", - "fix_id": "F-68243r1_fix" + "check": "Identify the user account used to run the Wildfly server. Use\n relevant OS commands to determine logon rights to the system. 
This account\n should not have full shell/interactive access to the system.\n\n If the user account used to operate Wildfly can log on interactively, this is a\n finding.", + "fix": "Use the relevant OS commands to restrict Wildfly user account from\n interactively logging on to the console of the Wildfly system.\n\n For Windows systems, use GPO.\n\n For UNIX like systems using ssh DenyUsers or follow established\n procedure for restricting access.", + "fix_id": "F-68181r1_fix" }, - "code": "control 'V-62323' do\n title \"Wildfly must be configured to use an approved cryptographic algorithm in\n conjunction with TLS.\"\n desc \"\n Preventing the disclosure or modification of transmitted information\n requires that application servers take measures to employ approved cryptography\n in order to protect the information during transmission over the network. This\n is usually achieved through the use of Transport Layer Security (TLS), SSL VPN,\n or IPSec tunnel.\n\n If data in transit is unencrypted, it is vulnerable to disclosure and\n modification. 
If approved cryptographic algorithms are not used, encryption\n strength cannot be assured.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\n NIST SP 800-52 specifies the preferred configurations for government systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000440-AS-000167'\n tag \"gid\": 'V-62323'\n tag \"rid\": 'SV-76813r2_rule'\n tag \"stig_id\": 'JBOS-AS-000655'\n tag \"cci\": ['CCI-002421']\n tag \"documentable\": false\n tag \"nist\": ['SC-8 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Validate that the TLS protocol is used for HTTPS connections.\n Run the command:\n\n \\\"ls /subsystem=web/connector=https/ssl=configuration\\\"\n\n Review the cipher suites. The following suites are acceptable as per NIST\n 800-52r1 section 3.3.1 - Cipher Suites. Refer to the NIST document for a\n complete list of acceptable cipher suites. The source NIST document and\n approved encryption algorithms/cipher suites are subject to change and should\n be referenced.\n\n AES_128_CBC\n AES_256_CBC\n AES_128_GCM\n AES_128_CCM\n AES_256_CCM\n\n If the cipher suites utilized by the TLS server are not approved by NIST as per\n 800-52r1, this is a finding.\"\n tag \"fix\": \"Reference section 4.6 of the Wildfly Security Guide located\n on the Red Hat vendor's website for step-by-step instructions on establishing\n SSL encryption on Wildfly.\n\n The overall steps include:\n\n 1. Add an HTTPS connector.\n 2. Configure the SSL encryption certificate and keys.\n 3. 
Set the Cipher to an approved algorithm.\"\n tag \"fix_id\": 'F-68243r1_fix'\n\n connect = input('connection')\n\n cipher_suites = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/https-listener=https/\").stdout\n describe.one do\n describe 'The wildfly cryptographic algorithm used for TLS' do\n subject { cipher_suites }\n it { should match(%r{enabled-cipher-suites=(AES_((128)|(256))_CBC)|(AES_((128)|(256))_GCM)|(AES_((128)|(256))_CCM)|(AES_((128)|(256))_CCM)}) }\n end\n describe 'The wildfly cryptographic algorithm used for TLS' do\n subject { cipher_suites }\n it { should match(%r{enabled-cipher-suites=AES_((128)|(256))_CBC}) }\n end\n describe 'The wildfly cryptographic algorithm used for TLS' do\n subject { cipher_suites }\n it { should match(%r{enabled-cipher-suites=CBC:AES_128_GCM}) }\n end\n describe 'The wildfly cryptographic algorithm used for TLS' do\n subject { cipher_suites }\n it { should match(%r{enabled-cipher-suites=AES_((128)|(256))_CCM}) }\n end\n end\nend\n", + "code": "control 'V-62261' do\n title \"Wildfly process owner interactive access must be restricted.\"\n desc \"Wildfly does not require admin rights to operate and should be run as a\n regular user. In addition, if the user account was to be compromised and the\n account was allowed interactive logon rights, this would increase the risk and\n attack surface against the Wildfly system. The right to interactively log on to\n the system using the Wildfly account should be limited according to the OS\n capabilities.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62261'\n tag \"rid\": 'SV-76751r1_rule'\n tag \"stig_id\": 'JBOS-AS-000220'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Identify the user account used to run the Wildfly server. Use\n relevant OS commands to determine logon rights to the system. 
This account\n should not have full shell/interactive access to the system.\n\n If the user account used to operate Wildfly can log on interactively, this is a\n finding.\"\n tag \"fix\": \"Use the relevant OS commands to restrict Wildfly user account from\n interactively logging on to the console of the Wildfly system.\n\n For Windows systems, use GPO.\n\n For UNIX like systems using ssh DenyUsers or follow established\n procedure for restricting access.\"\n tag \"fix_id\": 'F-68181r1_fix'\n wildfly_process_owners = command(\"ps -aux | grep wildfly | grep -v 'color=auto wildfly' | grep -v chef | grep -v grep | awk '{print $1}'\").stdout.split(\"\\n\")\n\n if wildfly_process_owners.empty?\n impact 0.0\n describe 'There are no wildfly process owners' do\n skip 'There are no wildfly process owners, therfore this control is N/A'\n end\n end\n\n if !wildfly_process_owners.empty?\n wildfly_process_owners.each do |owner|\n get_shell_bin_false = command(\"awk -F : '$1 == \\\"#{owner}\\\" { print $7}' /etc/passwd\").stdout\n get_shell_sbin_nologin = command(\"awk -F : '$1 == \\\"#{owner}\\\" { print $7}' /etc/passwd\").stdout\n get_shell_usr_sbin_nologin = command(\"awk -F : '$1 == \\\"#{owner}\\\" { print $7}' /etc/passwd\").stdout\n\n describe.one do\n describe \"The wildfly process owner: #{owner}\\'s shell/interactive access\" do\n subject { get_shell_bin_false }\n it { should match(%r{/bin/false}) }\n end\n describe \"The wildfly process owner: #{owner}\\'s shell/interactive access\" do\n subject { get_shell_sbin_nologin }\n it { should match(%r{/sbin/nologin}) }\n end\n describe \"The wildfly process owner: #{owner}\\'s shell/interactive access\" do\n subject { get_shell_usr_sbin_nologin }\n it { should match(%r{/usr/sbin/nologin}) }\n end\n end\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62323.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62261.rb", "line": 1 }, - "id": "V-62323" + "id": "V-62261" }, { - 
"title": "Wildfly must be configured to initiate session logging upon startup.", - "desc": "Session logging activities are developed, integrated, and used in\nconsultation with legal counsel in accordance with applicable federal laws,\nExecutive Orders, directives, policies, or regulations.", + "title": "The Wildlfy server must be configured to use DoD- or CNSS-approved PKI\n Class 3 or Class 4 certificates.", + "desc": "Class 3 PKI certificates are used for servers and software signing\n rather than for identifying individuals. Class 4 certificates are used for\n business-to-business transactions. Utilizing unapproved certificates not issued\n or approved by DoD or CNS creates an integrity risk. The application server\n must utilize approved DoD or CNS Class 3 or Class 4 certificates for software\n signing and business-to-business transactions.", "descriptions": { - "default": "Session logging activities are developed, integrated, and used in\nconsultation with legal counsel in accordance with applicable federal laws,\nExecutive Orders, directives, policies, or regulations." + "default": "Class 3 PKI certificates are used for servers and software signing\n rather than for identifying individuals. Class 4 certificates are used for\n business-to-business transactions. Utilizing unapproved certificates not issued\n or approved by DoD or CNS creates an integrity risk. The application server\n must utilize approved DoD or CNS Class 3 or Class 4 certificates for software\n signing and business-to-business transactions." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000092-AS-000053", - "gid": "V-62235", - "rid": "SV-76725r1_rule", - "stig_id": "JBOS-AS-000095", + "gtitle": "SRG-APP-000514-AS-000137", + "gid": "V-62343", + "rid": "SV-76833r1_rule", + "stig_id": "JBOS-AS-000730", "cci": [ - "CCI-001464" + "CCI-002450" ], "documentable": false, "nist": [ - "AU-14 (1)", + "SC-13", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68155r1_fix" + "check": "Interview the administrator to determine if Wildlfy is using\n certificates for PKI. If Wildlfy is not performing any PKI functions, this\n finding is NA.\n\n The CA certs are usually stored in a file called cacerts located in the\n directory $JAVA_HOME/lib/security. 
If the file is not in this location, use a\n search command to locate the file, or ask the administrator where the\n certificate store is located.\n\n Open a dos shell or terminal window and change to the location of the\n certificate store. To view the certificates within the certificate store, run\n the command (in this example, the keystore file is cacerts.): keytool -list -v\n -keystore ./cacerts\n\n Locate the \"OU\" field for each certificate within the keystore. The field\n should contain either \"DoD\" or \"CNSS\" as the Organizational Unit (OU).\n\n If the OU does not show that the certificates are DoD or CNSS supplied, this is\n a finding.", + "fix": "Configure the application server to use DoD- or CNSS-approved\n Class 3 or Class 4 PKI certificates.", + "fix_id": "F-68263r1_fix" }, - "code": "control 'V-62235' do\n title \"Wildfly must be configured to initiate session logging upon startup.\"\n desc \"Session logging activities are developed, integrated, and used in\nconsultation with legal counsel in accordance with applicable federal laws,\nExecutive Orders, directives, policies, or regulations.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000092-AS-000053'\n tag \"gid\": 'V-62235'\n tag \"rid\": 'SV-76725r1_rule'\n tag \"stig_id\": 'JBOS-AS-000095'\n tag \"cci\": ['CCI-001464']\n tag \"documentable\": false\n tag \"nist\": ['AU-14 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone 
configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68155r1_fix'\n\n connect = input('connection')\n\n describe 'Wildfly initiate session logging upon startup' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62343' do\n title \"The Wildlfy server must be configured to use DoD- or CNSS-approved PKI\n Class 3 or Class 4 certificates.\"\n desc \"Class 3 PKI certificates are used for servers and software signing\n rather than for identifying individuals. Class 4 certificates are used for\n business-to-business transactions. Utilizing unapproved certificates not issued\n or approved by DoD or CNS creates an integrity risk. The application server\n must utilize approved DoD or CNS Class 3 or Class 4 certificates for software\n signing and business-to-business transactions.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000514-AS-000137'\n tag \"gid\": 'V-62343'\n tag \"rid\": 'SV-76833r1_rule'\n tag \"stig_id\": 'JBOS-AS-000730'\n tag \"cci\": ['CCI-002450']\n tag \"documentable\": false\n tag \"nist\": ['SC-13', 'Rev_4']\n tag \"check\": \"Interview the administrator to determine if Wildlfy is using\n certificates for PKI. 
If Wildlfy is not performing any PKI functions, this\n finding is NA.\n\n The CA certs are usually stored in a file called cacerts located in the\n directory $JAVA_HOME/lib/security. If the file is not in this location, use a\n search command to locate the file, or ask the administrator where the\n certificate store is located.\n\n Open a dos shell or terminal window and change to the location of the\n certificate store. To view the certificates within the certificate store, run\n the command (in this example, the keystore file is cacerts.): keytool -list -v\n -keystore ./cacerts\n\n Locate the \\\"OU\\\" field for each certificate within the keystore. The field\n should contain either \\\"DoD\\\" or \\\"CNSS\\\" as the Organizational Unit (OU).\n\n If the OU does not show that the certificates are DoD or CNSS supplied, this is\n a finding.\"\n tag \"fix\": \"Configure the application server to use DoD- or CNSS-approved\n Class 3 or Class 4 PKI certificates.\"\n tag \"fix_id\": 'F-68263r1_fix'\n\n java_cert = input('java_cert')\n\n certs = command(\"keytool -list -v -keystore #{java_cert}\").stdout\n describe.one do\n describe 'The wildfly server PKI certificate' do\n subject { certs }\n it { should match(%r{OU=DoD}) }\n end\n describe 'The wildfly server PKI certificate' do\n subject { certs }\n it { should match(%r{OU=CNSS}) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62235.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62343.rb", "line": 1 }, - "id": "V-62235" + "id": "V-62343" }, { - "title": "Wildfly must be configured to produce log records that establish which\nhosted application triggered the events.", - "desc": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n By default, no web logging is enabled in Wildfly. 
Logging can be configured\nper web application or by virtual server. If web application logging is not\nset up, application activity will not be logged.\n\n Ascertaining the correct location or process within the application server\nwhere the events occurred is important during forensic analysis. To determine\nwhere an event occurred, the log data must contain data containing the\napplication identity.", + "title": "Wildfly must be configured to log the IP address of the remote system\n connecting to the Wildfly system/cluster.", + "desc": "Information system logging capability is critical for accurate forensic\nanalysis. Without being able to establish what type of event occurred, it\nwould be difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\ncontrol includes time stamps, source and destination addresses, user/process\nidentifiers, event descriptions, success/fail indications, filenames involved,\nand access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\napplication server. Examples of relevant data include, but are not limited to,\nJava Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\nserver-related system process activity.", "descriptions": { - "default": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n By default, no web logging is enabled in Wildfly. Logging can be configured\nper web application or by virtual server. If web application logging is not\nset up, application activity will not be logged.\n\n Ascertaining the correct location or process within the application server\nwhere the events occurred is important during forensic analysis. 
To determine\nwhere an event occurred, the log data must contain data containing the\napplication identity." + "default": "Information system logging capability is critical for accurate forensic\nanalysis. Without being able to establish what type of event occurred, it\nwould be difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\ncontrol includes time stamps, source and destination addresses, user/process\nidentifiers, event descriptions, success/fail indications, filenames involved,\nand access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\napplication server. Examples of relevant data include, but are not limited to,\nJava Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\nserver-related system process activity." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000097-AS-000060", - "gid": "V-62243", - "rid": "SV-76733r1_rule", - "stig_id": "JBOS-AS-000120", + "gtitle": "SRG-APP-000095-AS-000056", + "gid": "V-62237", + "rid": "SV-76727r1_rule", + "stig_id": "JBOS-AS-000105", "cci": [ - "CCI-000132" + "CCI-000130" ], "documentable": false, "nist": [ "AU-3", "Rev_4" ], - "check": "Application logs are a configurable variable. Interview the\nsystem admin, and have them identify the applications that are running on the\napplication server. Have the system admin identify the log files/location\nwhere application activity is stored.\n\nReview the log files to ensure each application is uniquely identified within\nthe logs or each application has its own unique log file.\n\nGenerate application activity by either authenticating to the application or\ngenerating an auditable event, and ensure the application activity is recorded\nin the log file. 
Recently time stamped application events are suitable\nevidence of compliance.\n\nIf the log records do not indicate which application hosted on the application\nserver generated the event, or if no events are recorded related to application\nactivity, this is a finding.", - "fix": "Configure log formatter to audit application activity so\nindividual application activity can be identified.", - "fix_id": "F-68163r1_fix" + "check": "Log on to the OS of the Wildlfy server with OS permissions that\n allow access to Wildlfy.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68157r1_fix" }, - "code": "control 'V-62243' do\n title \"Wildfly must be configured to produce log records that establish which\nhosted application triggered the events.\"\n desc \"\n Application server logging capability is critical for accurate forensic\nanalysis. 
Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n By default, no web logging is enabled in Wildfly. Logging can be configured\nper web application or by virtual server. If web application logging is not\nset up, application activity will not be logged.\n\n Ascertaining the correct location or process within the application server\nwhere the events occurred is important during forensic analysis. To determine\nwhere an event occurred, the log data must contain data containing the\napplication identity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000097-AS-000060'\n tag \"gid\": 'V-62243'\n tag \"rid\": 'SV-76733r1_rule'\n tag \"stig_id\": 'JBOS-AS-000120'\n tag \"cci\": ['CCI-000132']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Application logs are a configurable variable. Interview the\nsystem admin, and have them identify the applications that are running on the\napplication server. Have the system admin identify the log files/location\nwhere application activity is stored.\n\nReview the log files to ensure each application is uniquely identified within\nthe logs or each application has its own unique log file.\n\nGenerate application activity by either authenticating to the application or\ngenerating an auditable event, and ensure the application activity is recorded\nin the log file. 
Recently time stamped application events are suitable\nevidence of compliance.\n\nIf the log records do not indicate which application hosted on the application\nserver generated the event, or if no events are recorded related to application\nactivity, this is a finding.\"\n tag \"fix\": \"Configure log formatter to audit application activity so\nindividual application activity can be identified.\"\n tag \"fix_id\": 'F-68163r1_fix'\n file = command('find / -name \"log4j.properties\" 2>/dev/null | grep -v example').stdout\n\n if (input('disable_slow_controls'))\n describe \"This control is a long running control and is disabled, for full accredidation you need to enable this control.\" do\n skip \"This control is a long running control and is disabled, for full accredidation you need to enable this control.\"\n end\n else\n describe 'The number of log4j.properties files found' do\n subject { command('find / -name \"log4j.properties\" 2>/dev/null | grep -v example | wc -l').stdout }\n it { should_not match /0/ }\n end\n\n describe 'The number of words in the log4j.properties file' do\n subject { command(\"wc -c #{file}\").stdout }\n it { should_not match /0/ }\n end\n end\nend", + "code": "control 'V-62237' do\n title \"Wildfly must be configured to log the IP address of the remote system\n connecting to the Wildfly system/cluster.\"\n desc \"\n Information system logging capability is critical for accurate forensic\n analysis. 
Without being able to establish what type of event occurred, it\n would be difficult to establish, correlate, and investigate the events relating\n to an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\n control includes time stamps, source and destination addresses, user/process\n identifiers, event descriptions, success/fail indications, filenames involved,\n and access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\n application server. Examples of relevant data include, but are not limited to,\n Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\n server-related system process activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000095-AS-000056'\n tag \"gid\": 'V-62237'\n tag \"rid\": 'SV-76727r1_rule'\n tag \"stig_id\": 'JBOS-AS-000105'\n tag \"cci\": ['CCI-000130']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildlfy server with OS permissions that\n allow access to Wildlfy.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain 
configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68157r1_fix'\n\n connect = input('connection')\n\n describe 'Wildfly log the IP address of the remote system connecting to the Wildfly system/cluster' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62243.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62237.rb", "line": 1 }, - "id": "V-62243" + "id": "V-62237" }, { - "title": "Wildfly Log Formatter must be configured to produce log records that\nestablish the date and time the events occurred.", - "desc": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct order of the events that occurred is important\nduring forensic analysis. Events that appear harmless by themselves might be\nflagged as a potential threat when properly viewed in sequence. By also\nestablishing the event date and time, an event can be properly viewed with an\nenterprise tool to fully see a possible threat in its entirety.\n\n Without sufficient information establishing when the log event occurred,\ninvestigation into the cause of event is severely hindered. 
Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.\n\n In addition to logging event information, application servers must also log\nthe corresponding dates and times of these events. Examples of event data\ninclude, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD\nactivity, and application server-related system process activity.", + "title": "Production Wildfly servers must be supported by the vendor.", + "desc": "The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the JBoss product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available.", "descriptions": { - "default": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct order of the events that occurred is important\nduring forensic analysis. Events that appear harmless by themselves might be\nflagged as a potential threat when properly viewed in sequence. By also\nestablishing the event date and time, an event can be properly viewed with an\nenterprise tool to fully see a possible threat in its entirety.\n\n Without sufficient information establishing when the log event occurred,\ninvestigation into the cause of event is severely hindered. 
Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.\n\n In addition to logging event information, application servers must also log\nthe corresponding dates and times of these events. Examples of event data\ninclude, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD\nactivity, and application server-related system process activity." + "default": "The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the JBoss product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-APP-000096-AS-000059", - "gid": "V-62241", - "rid": "SV-76731r1_rule", - "stig_id": "JBOS-AS-000115", + "gtitle": "SRG-APP-000456-AS-000266", + "gid": "V-62325", + "rid": "SV-76815r1_rule", + "stig_id": "JBOS-AS-000680", "cci": [ - "CCI-000131" + "CCI-002605" ], "documentable": false, "nist": [ - "AU-3", + "SI-2 c", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68161r1_fix" + "check": "Interview the system admin and have them either show documented\n proof of current support, or have them demonstrate their ability to access the\n Red Hat Enterprise Support portal.\n\n Verify Red Hat support includes coverage for the Wildfly product.\n\n If there is no current and active support from the vendor, this is a finding.", + "fix": "Obtain vendor support from 
Red Hat.", + "fix_id": "F-68245r1_fix" }, - "code": "control 'V-62241' do\n title \"Wildfly Log Formatter must be configured to produce log records that\nestablish the date and time the events occurred.\"\n desc \"\n Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct order of the events that occurred is important\nduring forensic analysis. Events that appear harmless by themselves might be\nflagged as a potential threat when properly viewed in sequence. By also\nestablishing the event date and time, an event can be properly viewed with an\nenterprise tool to fully see a possible threat in its entirety.\n\n Without sufficient information establishing when the log event occurred,\ninvestigation into the cause of event is severely hindered. Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.\n\n In addition to logging event information, application servers must also log\nthe corresponding dates and times of these events. 
Examples of event data\ninclude, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD\nactivity, and application server-related system process activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000096-AS-000059'\n tag \"gid\": 'V-62241'\n tag \"rid\": 'SV-76731r1_rule'\n tag \"stig_id\": 'JBOS-AS-000115'\n tag \"cci\": ['CCI-000131']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68161r1_fix'\n\n connect = input('connection')\n\n describe 'Wildfly Log Formatter produce log records that establish the date and time the events occurred' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { 
should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62325' do\n title \"Production Wildfly servers must be supported by the vendor.\"\n desc \"The Wildfly product is available as Open Source; however, the Red Hat\n vendor provides updates, patches and support for the JBoss product. It is\n imperative that patches and updates be applied to Wildfly in a timely manner as\n many attacks against Wildfly focus on unpatched systems. It is critical that\n support be obtained and made available.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000456-AS-000266'\n tag \"gid\": 'V-62325'\n tag \"rid\": 'SV-76815r1_rule'\n tag \"stig_id\": 'JBOS-AS-000680'\n tag \"cci\": ['CCI-002605']\n tag \"documentable\": false\n tag \"nist\": ['SI-2 c', 'Rev_4']\n tag \"check\": \"Interview the system admin and have them either show documented\n proof of current support, or have them demonstrate their ability to access the\n Red Hat Enterprise Support portal.\n\n Verify Red Hat support includes coverage for the Wildfly product.\n\n If there is no current and active support from the vendor, this is a finding.\"\n tag \"fix\": \"Obtain vendor support from Red Hat.\"\n tag \"fix_id\": 'F-68245r1_fix'\n impact 0.0\n describe \"Wildfly is the open-source, community version of JBoss and does not include RedHat support, therefore this control is not applicable\" do\n skip \"Wildfly is the open-source, community version of JBoss and does not include RedHat support, therefore this control is not applicable\"\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62241.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62325.rb", "line": 1 }, - "id": "V-62241" + "id": "V-62325" }, { - "title": "The Wildfly Password Vault must be used for storing passwords or other\n sensitive configuration information.", - "desc": "Wildfly has a Password Vault to encrypt sensitive strings, store\n them in an encrypted keystore, and decrypt them for applications 
and\n verification systems. Plain-text configuration files, such as XML deployment\n descriptors, need to specify passwords and other sensitive information. Use the\n Wildfly EAP Password Vault to securely store sensitive strings in plain-text\n files.", + "title": "The Wildfly server must generate log records for access and\n authentication events to the management interface.", + "desc": "Log records can be generated from various components within the Wildfly\napplication server. The minimum list of logged events should be those\npertaining to access and authentication events to the management interface as\nwell as system startup and shutdown events.\n\n By default, Wildfly does not log management interface access but does provide\na default file handler. This handler needs to be enabled. Configuring this\nsetting meets several STIG auditing requirements.", "descriptions": { - "default": "Wildfly has a Password Vault to encrypt sensitive strings, store\n them in an encrypted keystore, and decrypt them for applications and\n verification systems. Plain-text configuration files, such as XML deployment\n descriptors, need to specify passwords and other sensitive information. Use the\n Wildfly EAP Password Vault to securely store sensitive strings in plain-text\n files." + "default": "Log records can be generated from various components within the Wildfly\napplication server. The minimum list of logged events should be those\npertaining to access and authentication events to the management interface as\nwell as system startup and shutdown events.\n\n By default, Wildfly does not log management interface access but does provide\na default file handler. This handler needs to be enabled. Configuring this\nsetting meets several STIG auditing requirements." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000171-AS-000119", - "gid": "V-62287", - "rid": "SV-76777r1_rule", - "stig_id": "JBOS-AS-000295", + "gtitle": "SRG-APP-000089-AS-000050", + "gid": "V-62231", + "rid": "SV-76721r1_rule", + "stig_id": "JBOS-AS-000080", "cci": [ - "CCI-000196" + "CCI-000169" ], "documentable": false, "nist": [ - "IA-5 (1) (c)", + "AU-12 a", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n \"ls /core-service=vault\"\n\n If \"code=undefined\" and \"module=undefined\",\n this is a finding.", - "fix": "Configure the application server to use the java keystore and\n Wildfly vault as per section 11.13.1 -Password Vault System in the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create a java keystore.\n 2. Mask the keystore password and initialize the password vault.\n 3. 
Configure JBoss to use the password vault.", - "fix_id": "F-68207r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68151r1_fix" }, - "code": "control 'V-62287' do\n title \"The Wildfly Password Vault must be used for storing passwords or other\n sensitive configuration information.\"\n desc \"Wildfly has a Password Vault to encrypt sensitive strings, store\n them in an encrypted keystore, and decrypt them for applications and\n verification systems. Plain-text configuration files, such as XML deployment\n descriptors, need to specify passwords and other sensitive information. 
Use the\n Wildfly EAP Password Vault to securely store sensitive strings in plain-text\n files.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000171-AS-000119'\n tag \"gid\": 'V-62287'\n tag \"rid\": 'SV-76777r1_rule'\n tag \"stig_id\": 'JBOS-AS-000295'\n tag \"cci\": ['CCI-000196']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n \\\"ls /core-service=vault\\\"\n\n If \\\"code=undefined\\\" and \\\"module=undefined\\\",\n this is a finding.\"\n tag \"fix\": \"Configure the application server to use the java keystore and\n Wildfly vault as per section 11.13.1 -Password Vault System in the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create a java keystore.\n 2. Mask the keystore password and initialize the password vault.\n 3. 
Configure JBoss to use the password vault.\"\n tag \"fix_id\": 'F-68207r1_fix'\n\n connect = input('connection')\n\n code = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=vault\").stdout\n vault_module = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=vault\").stdout\n vault_options = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=vault\").stdout\n\n describe 'The wildfly password vault code' do\n subject { code }\n it { should_not match(%r{code=undefined}) }\n end\n describe 'The wildfly password vault module' do\n subject { vault_module }\n it { should_not match(%r{module=undefined}) }\n end\nend\n", + "code": "control 'V-62231' do\n title \"The Wildfly server must generate log records for access and\n authentication events to the management interface.\"\n desc \"\n Log records can be generated from various components within the Wildfly\n application server. The minimum list of logged events should be those\n pertaining to access and authentication events to the management interface as\n well as system startup and shutdown events.\n\n By default, Wildfly does not log management interface access but does provide\n a default file handler. This handler needs to be enabled. 
Configuring this\n setting meets several STIG auditing requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000089-AS-000050'\n tag \"gid\": 'V-62231'\n tag \"rid\": 'SV-76721r1_rule'\n tag \"stig_id\": 'JBOS-AS-000080'\n tag \"cci\": ['CCI-000169']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 a', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n\n tag \"fix_id\": 'F-68151r1_fix'\n\n connect = input('connection')\n\n describe 'The Wildfly server generate log records for access and authentication events to the management interface.' 
do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62287.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62231.rb", "line": 1 }, - "id": "V-62287" + "id": "V-62231" }, { - "title": "Wildfly servers must be configured to roll over and transfer logs on a\n minimum weekly basis.", - "desc": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration. Protecting log data is important during a\nforensic investigation to ensure investigators can track and understand what\nmay have occurred. Off-loading should be set up as a scheduled task but can be\nconfigured to be run manually, if other processes during the off-loading are\nmanual.\n\n Off-loading is a common process in information systems with limited log\nstorage capacity.", + "title": "Google Analytics must be disabled in EAP Console.", + "desc": "The Google Analytics feature aims to help Red Hat EAP team understand how\ncustomers are using the console and which parts of the console matter the most\nto the customers. This information will, in turn, help the team to adapt the\nconsole design, features, and content to the immediate needs of the customers.\n\n Sending analytical data to the vendor introduces risk of unauthorized data\nexfiltration. This capability must be disabled.", "descriptions": { - "default": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration. Protecting log data is important during a\nforensic investigation to ensure investigators can track and understand what\nmay have occurred. 
Off-loading should be set up as a scheduled task but can be\nconfigured to be run manually, if other processes during the off-loading are\nmanual.\n\n Off-loading is a common process in information systems with limited log\nstorage capacity." + "default": "The Google Analytics feature aims to help Red Hat EAP team understand how\ncustomers are using the console and which parts of the console matter the most\nto the customers. This information will, in turn, help the team to adapt the\nconsole design, features, and content to the immediate needs of the customers.\n\n Sending analytical data to the vendor introduces risk of unauthorized data\nexfiltration. This capability must be disabled." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000515-AS-000203", - "gid": "V-62345", - "rid": "SV-76835r1_rule", - "stig_id": "JBOS-AS-000735", + "gtitle": "SRG-APP-000141-AS-000095", + "gid": "V-62263", + "rid": "SV-76753r1_rule", + "stig_id": "JBOS-AS-000225", "cci": [ - "CCI-001851" + "CCI-000381" ], "documentable": false, "nist": [ - "AU-4 (1)", + "CM-7 a", "Rev_4" ], - "check": "If the Wildfly server is configured to use a Syslog Handler, this\n is not a finding.\n\n Log on to the OS of the Wildfly server with OS permissions that allow access to\n Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Determine if there is a periodic rotating file handler.\n\n For a domain configuration run the following command; where is a\n variable for all of the servers in the domain. 
Usually \"server-one\",\n \"server-two\", etc.:\n\n \"ls\n /host=master/server=/subsystem=logging/periodic-rotating-file-handler=\"\n\n For a standalone configuration run the command:\n \"ls /subsystem=logging/periodic-rotating-file-handler=\"\n\n If the command does not return \"FILE\", this is a finding.\n\n Review the $JBOSS_HOME;/standalone/log folder for the existence of rotated\n logs, and ask the admin to demonstrate how rotated logs are packaged and\n transferred to another system on at least a weekly basis.", - "fix": "Open the web-based management interface by opening a browser and\n pointing it to HTTPS://:9990/\n\n Authenticate as a user with Admin rights.\n Navigate to the \"Configuration\" tab.\n Expand + Subsystems.\n Expand + Core.\n Select \"Logging\".\n Select the \"Handler\" tab.\n Select \"Periodic\".\n\n If a periodic file handler does not exist, reference Wildfly admin guide for\n instructions on how to create a file handler that will rotate logs on a daily\n basis.\n Create scripts that package and off-load log data at least weekly.", - "fix_id": "F-68265r1_fix" + "check": "Open the EAP web console by pointing a web browser to\n HTTPS://:9443 or HTTP://:9990\n\n Log on to the admin console using admin credentials.\n On the bottom right-hand side of the screen, select \"Settings\".\n\n If the \"Enable Data Usage Collection\" box is checked, this is a finding.", + "fix": "Using the EAP web console, log on using admin credentials.\n On the bottom right-hand side of the screen, select \"Settings\",\n uncheck the \"Enable Data Usage Collection\" box, and save the configuration.", + "fix_id": "F-68183r1_fix" }, - "code": "control 'V-62345' do\n title \"Wildfly servers must be configured to roll over and transfer logs on a\n minimum weekly basis.\"\n desc \"\n Information stored in one location is vulnerable to accidental or\n incidental deletion or alteration. 
Protecting log data is important during a\n forensic investigation to ensure investigators can track and understand what\n may have occurred. Off-loading should be set up as a scheduled task but can be\n configured to be run manually, if other processes during the off-loading are\n manual.\n\n Off-loading is a common process in information systems with limited log\n storage capacity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000515-AS-000203'\n tag \"gid\": 'V-62345'\n tag \"rid\": 'SV-76835r1_rule'\n tag \"stig_id\": 'JBOS-AS-000735'\n tag \"cci\": ['CCI-001851']\n tag \"documentable\": false\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"check\": \"If the Wildfly server is configured to use a Syslog Handler, this\n is not a finding.\n\n Log on to the OS of the Wildfly server with OS permissions that allow access to\n Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Determine if there is a periodic rotating file handler.\n\n For a domain configuration run the following command; where is a\n variable for all of the servers in the domain. 
Usually \\\"server-one\\\",\n \\\"server-two\\\", etc.:\n\n \\\"ls\n /host=master/server=/subsystem=logging/periodic-rotating-file-handler=\\\"\n\n For a standalone configuration run the command:\n \\\"ls /subsystem=logging/periodic-rotating-file-handler=\\\"\n\n If the command does not return \\\"FILE\\\", this is a finding.\n\n Review the $JBOSS_HOME;/standalone/log folder for the existence of rotated\n logs, and ask the admin to demonstrate how rotated logs are packaged and\n transferred to another system on at least a weekly basis.\"\n tag \"fix\": \"Open the web-based management interface by opening a browser and\n pointing it to HTTPS://:9990/\n\n Authenticate as a user with Admin rights.\n Navigate to the \\\"Configuration\\\" tab.\n Expand + Subsystems.\n Expand + Core.\n Select \\\"Logging\\\".\n Select the \\\"Handler\\\" tab.\n Select \\\"Periodic\\\".\n\n If a periodic file handler does not exist, reference Wildfly admin guide for\n instructions on how to create a file handler that will rotate logs on a daily\n basis.\n Create scripts that package and off-load log data at least weekly.\"\n tag \"fix_id\": 'F-68265r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly periodic roating file handler setting' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ subsystem=logging/periodic-rotating-file-handler=\").stdout }\n it { should match(%r{FILE}) }\n end\nend\n", + "code": "control 'V-62263' do\n title \"Google Analytics must be disabled in EAP Console.\"\n desc \"\n The Google Analytics feature aims to help Red Hat EAP team understand how\n customers are using the console and which parts of the console matter the most\n to the customers. This information will, in turn, help the team to adapt the\n console design, features, and content to the immediate needs of the customers.\n\n Sending analytical data to the vendor introduces risk of unauthorized data\n exfiltration. 
This capability must be disabled.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62263'\n tag \"rid\": 'SV-76753r1_rule'\n tag \"stig_id\": 'JBOS-AS-000225'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Open the EAP web console by pointing a web browser to\n HTTPS://:9443 or HTTP://:9990\n\n Log on to the admin console using admin credentials.\n On the bottom right-hand side of the screen, select \\\"Settings\\\".\n\n If the \\\"Enable Data Usage Collection\\\" box is checked, this is a finding.\"\n tag \"fix\": \"Using the EAP web console, log on using admin credentials.\n On the bottom right-hand side of the screen, select \\\"Settings\\\",\n uncheck the \\\"Enable Data Usage Collection\\\" box, and save the configuration.\"\n tag \"fix_id\": 'F-68183r1_fix'\n describe 'A manual review is required to ensure Google Analytics is disable in the EAP console' do\n skip 'A manual review is required to ensure Google Analytics is disable in the EAP console'\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62345.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62263.rb", "line": 1 }, - "id": "V-62345" + "id": "V-62263" }, { - "title": "File permissions must be configured to protect log information from\nunauthorized modification.", - "desc": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict\nmodification.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log 
information\nsystem activity. Application servers must protect log information from\nunauthorized modification.", + "title": "Network access to HTTP management must be disabled on domain-enabled\n application servers not designated as the domain controller.", + "desc": "When configuring Wildfly application servers into a domain configuration,\nHTTP management capabilities are not required on domain member servers as\nmanagement is done via the server that has been designated as the domain\ncontroller.\n\n Leaving HTTP management capabilities enabled on domain member servers\nincreases the attack surfaces; therefore, management services on domain member\nservers must be disabled and management services performed via the domain\ncontroller.", "descriptions": { - "default": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict\nmodification.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized modification." + "default": "When configuring Wildfly application servers into a domain configuration,\nHTTP management capabilities are not required on domain member servers as\nmanagement is done via the server that has been designated as the domain\ncontroller.\n\n Leaving HTTP management capabilities enabled on domain member servers\nincreases the attack surfaces; therefore, management services on domain member\nservers must be disabled and management services performed via the domain\ncontroller." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000119-AS-000079", - "gid": "V-62253", - "rid": "SV-76743r1_rule", - "stig_id": "JBOS-AS-000170", + "gtitle": "SRG-APP-000316-AS-000199", + "gid": "V-62303", + "rid": "SV-76793r1_rule", + "stig_id": "JBOS-AS-000470", "cci": [ - "CCI-000163" + "CCI-002322" ], "documentable": false, "nist": [ - "AU-9", + "AC-17 (9)", "Rev_4" ], - "check": "Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to modify log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to modify log files.\n\nIf unauthorized users are allowed to modify log files, or if documentation that\nidentifies the users who are authorized to modify log files is missing, this is\na finding.", - "fix": "Configure the OS file permissions on the application server to\nprotect log information from unauthorized modification.", - "fix_id": "F-68173r1_fix" + "check": "Log on to each of the Wildfly domain member servers.\n\n Note: Sites that manage systems using the Wildfly Operations Network client\n require HTTP interface access. 
It is acceptable that the management console\n alone be disabled rather than disabling the entire interface itself.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the $JBOSS_HOME;/bin/jboss-cli command line interface utility and connect\n to the Wildfly server.\n Run the following command:\n ls /core-service=management/management-interface=httpinterface/\n\n If \"console-enabled=true\", this is a finding.", + "fix": "Run the $JBOSS_HOME;/bin/jboss-cli command line interface\n utility.\n Connect to the Wildfly server and run the following command.\n /core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)\n\n Successful command execution returns\n {\"outcome\" => \"success\"}, and future attempts to access the management\n console via web browser at :9990 will result in no access to the\n admin console.", + "fix_id": "F-68223r1_fix" }, - "code": "control 'V-62253' do\n title \"File permissions must be configured to protect log information from\nunauthorized modification.\"\n desc \"\n If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict\nmodification.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. 
Application servers must protect log information from\nunauthorized modification.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000119-AS-000079'\n tag \"gid\": 'V-62253'\n tag \"rid\": 'SV-76743r1_rule'\n tag \"stig_id\": 'JBOS-AS-000170'\n tag \"cci\": ['CCI-000163']\n tag \"documentable\": false\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"check\": \"Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to modify log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to modify log files.\n\nIf unauthorized users are allowed to modify log files, or if documentation that\nidentifies the users who are authorized to modify log files is missing, this is\na finding.\"\n tag \"fix\": \"Configure the OS file permissions on the application server to\nprotect log information from unauthorized modification.\"\n tag \"fix_id\": 'F-68173r1_fix'\n\n wildfly_group = input('wildfly_group')\n wildly_owner = input('wildly_owner')\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n its('owner') { should eq \"#{wildly_owner}\" }\n its('group') { should eq \"#{wildfly_group}\" }\n its('mode') { should cmp '0750' }\n end\nend\n", + "code": "control 'V-62303' do\n title \"Network access to HTTP management must be disabled on domain-enabled\n application servers not designated as the domain controller.\"\n desc \"\n When configuring Wildfly application servers into a domain configuration,\n 
HTTP management capabilities are not required on domain member servers as\n management is done via the server that has been designated as the domain\n controller.\n\n Leaving HTTP management capabilities enabled on domain member servers\n increases the attack surfaces; therefore, management services on domain member\n servers must be disabled and management services performed via the domain\n controller.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000316-AS-000199'\n tag \"gid\": 'V-62303'\n tag \"rid\": 'SV-76793r1_rule'\n tag \"stig_id\": 'JBOS-AS-000470'\n tag \"cci\": ['CCI-002322']\n tag \"documentable\": false\n tag \"nist\": ['AC-17 (9)', 'Rev_4']\n tag \"check\": \"Log on to each of the Wildfly domain member servers.\n\n Note: Sites that manage systems using the Wildfly Operations Network client\n require HTTP interface access. It is acceptable that the management console\n alone be disabled rather than disabling the entire interface itself.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the $JBOSS_HOME;/bin/jboss-cli command line interface utility and connect\n to the Wildfly server.\n Run the following command:\n ls /core-service=management/management-interface=httpinterface/\n\n If \\\"console-enabled=true\\\", this is a finding.\"\n tag \"fix\": \"Run the $JBOSS_HOME;/bin/jboss-cli command line interface\n utility.\n Connect to the Wildfly server and run the following command.\n /core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)\n\n Successful command execution returns\n {\\\"outcome\\\" => \\\"success\\\"}, and future attempts to access the management\n console via web browser at :9990 will result in no access to the\n admin console.\"\n tag \"fix_id\": 'F-68223r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly HTTP management interface' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ 
/core-service=management/management-interface=http-interface\").stdout }\n it { should_not include 'console-enabled=true' }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62253.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62303.rb", "line": 1 }, - "id": "V-62253" + "id": "V-62303" }, { - "title": "LDAP enabled security realm value allow-empty-passwords must be set to\n false.", - "desc": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords during transmission. If passwords are not\nencrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\n Application servers have the capability to utilize either certificates\n(tokens) or user IDs and passwords in order to authenticate. When the\napplication server transmits or receives passwords, the passwords must be\nencrypted.", + "title": "Any unapproved applications must be removed.", + "desc": "Extraneous services and applications running on an application server\n expands the attack surface and increases risk to the application server.\n Securing any server involves identifying and removing any unnecessary services\n and, in the case of an application server, unnecessary and/or unapproved\n applications.", "descriptions": { - "default": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords during transmission. If passwords are not\nencrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\n Application servers have the capability to utilize either certificates\n(tokens) or user IDs and passwords in order to authenticate. When the\napplication server transmits or receives passwords, the passwords must be\nencrypted." 
+ "default": "Extraneous services and applications running on an application server\n expands the attack surface and increases risk to the application server.\n Securing any server involves identifying and removing any unnecessary services\n and, in the case of an application server, unnecessary and/or unapproved\n applications." }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-APP-000172-AS-000120", - "gid": "V-62291", - "rid": "SV-76781r1_rule", - "stig_id": "JBOS-AS-000305", + "gtitle": "SRG-APP-000141-AS-000095", + "gid": "V-62273", + "rid": "SV-76763r1_rule", + "stig_id": "JBOS-AS-000250", "cci": [ - "CCI-000197" + "CCI-000381" ], "documentable": false, "nist": [ - "IA-5 (1) (c)", + "CM-7 a", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n \"ls\n /core-service=management/security-realm=ldap_security_realm/authentication=ldap\"\n\n If \"allow-empty-passwords=true\", this is a finding.", - "fix": "Configure the LDAP Security Realm using default settings that\n sets \"allow-empty-values\" to false. LDAP Security Realm creation is\n described in section 11.9 -Add an LDAP Security Realm in the\n JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US\n document.", - "fix_id": "F-68211r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /deployment\n\n The list of deployed applications is displayed. 
Have the system admin identify\n the applications listed and confirm they are approved applications.\n\n If the system admin cannot provide documentation proving their authorization\n for deployed applications, this is a finding.", + "fix": "Identify, authorize, and document all applications that are\n deployed to the application server. Remove unauthorized applications.", + "fix_id": "F-68193r1_fix" }, - "code": "control 'V-62291' do\n title \"LDAP enabled security realm value allow-empty-passwords must be set to\n false.\"\n desc \"\n Passwords need to be protected at all times, and encryption is the standard\n method for protecting passwords during transmission. If passwords are not\n encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\n Application servers have the capability to utilize either certificates\n (tokens) or user IDs and passwords in order to authenticate. When the\n application server transmits or receives passwords, the passwords must be\n encrypted.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000172-AS-000120'\n tag \"gid\": 'V-62291'\n tag \"rid\": 'SV-76781r1_rule'\n tag \"stig_id\": 'JBOS-AS-000305'\n tag \"cci\": ['CCI-000197']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n \\\"ls\n /core-service=management/security-realm=ldap_security_realm/authentication=ldap\\\"\n\n If \\\"allow-empty-passwords=true\\\", this is a finding.\"\n tag \"fix\": \"Configure the LDAP Security Realm using default settings that\n sets \\\"allow-empty-values\\\" to false. 
LDAP Security Realm creation is\n described in section 11.9 -Add an LDAP Security Realm in the\n JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US\n document.\"\n tag \"fix_id\": 'F-68211r1_fix'\n\n connect = input('connection')\n ldap = input('ldap')\n\n if ldap\n describe 'The LDAP enabled security realm value allow-empty-passwords' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=ldap_security_realm/authentication=ldap\").stdout }\n it { should_not match(%r{allow-empty-passwords=true}) }\n end\n else\n describe 'Ldap is not being used, control not applicable' do\n skip 'Ldap is not being used, control not applicable'\n end\n end\nend\n", + "code": "control 'V-62273' do\n title \"Any unapproved applications must be removed.\"\n desc \"Extraneous services and applications running on an application server\n expands the attack surface and increases risk to the application server.\n Securing any server involves identifying and removing any unnecessary services\n and, in the case of an application server, unnecessary and/or unapproved\n applications.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62273'\n tag \"rid\": 'SV-76763r1_rule'\n tag \"stig_id\": 'JBOS-AS-000250'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /deployment\n\n The list of deployed applications is displayed. 
Have the system admin identify\n the applications listed and confirm they are approved applications.\n\n If the system admin cannot provide documentation proving their authorization\n for deployed applications, this is a finding.\"\n tag \"fix\": \"Identify, authorize, and document all applications that are\n deployed to the application server. Remove unauthorized applications.\"\n tag \"fix_id\": 'F-68193r1_fix' \n\n connect = input('connection')\n approved_applications = input('approved_applications')\n\n applications_deployed = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /deployment\").stdout.strip.split(\"\\n\")\n\n applications_deployed.each do |app|\n a = app.strip\n describe \"The installed wildfly application: #{a}\" do\n subject {\"#{a}\"}\n it { should be_in approved_applications }\n end\n end\n if applications_deployed.empty?\n impact 0.0\n describe 'There are no applications installed on the wildfly server, therefore this control is Not Applicable' do\n skip 'There are no applications installed on the wildfly server, therefore this control is Not Applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62291.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62273.rb", "line": 1 }, - "id": "V-62291" + "id": "V-62273" }, { - "title": "Wildfly management Interfaces must be integrated with a centralized\n authentication mechanism that is configured to manage accounts according to DoD\n policy.", - "desc": "Wildfly EAP provides a security realm called ManagementRealm. By default,\nthis realm uses the mgmt-users.properties file for authentication. Using\nfile-based authentication does not allow the Wildfly server to be in compliance\nwith a wide range of user management requirements such as automatic disabling\nof inactive accounts as per DoD policy. 
To address this issue, the management\ninterfaces used to manage the JBoss server must be associated with a security\nrealm that provides centralized authentication management. Examples are AD or\nLDAP.\n\n Management of user identifiers is not applicable to shared information\nsystem accounts (e.g., guest and anonymous accounts). It is commonly the case\nthat a user account is the name of an information system account associated\nwith an individual.", + "title": "Wildfly must be configured to use an approved cryptographic algorithm in\n conjunction with TLS.", + "desc": "Preventing the disclosure or modification of transmitted information\nrequires that application servers take measures to employ approved cryptography\nin order to protect the information during transmission over the network. This\nis usually achieved through the use of Transport Layer Security (TLS), SSL VPN,\nor IPSec tunnel.\n\n If data in transit is unencrypted, it is vulnerable to disclosure and\nmodification. If approved cryptographic algorithms are not used, encryption\nstrength cannot be assured.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\nNIST SP 800-52 specifies the preferred configurations for government systems.", "descriptions": { - "default": "Wildfly EAP provides a security realm called ManagementRealm. By default,\nthis realm uses the mgmt-users.properties file for authentication. Using\nfile-based authentication does not allow the Wildfly server to be in compliance\nwith a wide range of user management requirements such as automatic disabling\nof inactive accounts as per DoD policy. To address this issue, the management\ninterfaces used to manage the JBoss server must be associated with a security\nrealm that provides centralized authentication management. 
Examples are AD or\nLDAP.\n\n Management of user identifiers is not applicable to shared information\nsystem accounts (e.g., guest and anonymous accounts). It is commonly the case\nthat a user account is the name of an information system account associated\nwith an individual." + "default": "Preventing the disclosure or modification of transmitted information\nrequires that application servers take measures to employ approved cryptography\nin order to protect the information during transmission over the network. This\nis usually achieved through the use of Transport Layer Security (TLS), SSL VPN,\nor IPSec tunnel.\n\n If data in transit is unencrypted, it is vulnerable to disclosure and\nmodification. If approved cryptographic algorithms are not used, encryption\nstrength cannot be assured.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\nNIST SP 800-52 specifies the preferred configurations for government systems." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000163-AS-000111", - "gid": "V-62285", - "rid": "SV-76775r1_rule", - "stig_id": "JBOS-AS-000290", + "gtitle": "SRG-APP-000440-AS-000167", + "gid": "V-62323", + "rid": "SV-76813r2_rule", + "stig_id": "JBOS-AS-000655", "cci": [ - "CCI-000795" + "CCI-002421" ], "documentable": false, "nist": [ - "IA-4 e", + "SC-8 (1)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Obtain the list of management interfaces by running the command:\n \"ls /core-service=management/management-interface\"\n\n Identify the security realm used by each management interface configuration by\n running the command:\n \"ls /core-service=management/management-interface=\"\n\n Determine if the security realm assigned to the management interface uses LDAP\n for authentication by running the command:\n \"ls\n /core-service=management/security-realm=/authentication\"\n\n If the security realm assigned to the management interface does not utilize\n LDAP for authentication, this is a finding.", - "fix": "Follow steps in section 11.8 - Management Interface Security in\n the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. 
Reference the new security domain in the Management Interface.", - "fix_id": "F-68205r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Validate that the TLS protocol is used for HTTPS connections.\n Run the command:\n\n \"ls /subsystem=web/connector=https/ssl=configuration\"\n\n Review the cipher suites. The following suites are acceptable as per NIST\n 800-52r1 section 3.3.1 - Cipher Suites. Refer to the NIST document for a\n complete list of acceptable cipher suites. The source NIST document and\n approved encryption algorithms/cipher suites are subject to change and should\n be referenced.\n\n AES_128_CBC\n AES_256_CBC\n AES_128_GCM\n AES_128_CCM\n AES_256_CCM\n\n If the cipher suites utilized by the TLS server are not approved by NIST as per\n 800-52r1, this is a finding.", + "fix": "Reference section 4.6 of the Wildfly Security Guide located\n on the Red Hat vendor's website for step-by-step instructions on establishing\n SSL encryption on Wildfly.\n\n The overall steps include:\n\n 1. Add an HTTPS connector.\n 2. Configure the SSL encryption certificate and keys.\n 3. Set the Cipher to an approved algorithm.", + "fix_id": "F-68243r1_fix" }, - "code": "control 'V-62285' do\n title \"Wildfly management Interfaces must be integrated with a centralized\n authentication mechanism that is configured to manage accounts according to DoD\n policy.\"\n desc \"\n Wildfly EAP provides a security realm called ManagementRealm. By default,\n this realm uses the mgmt-users.properties file for authentication. Using\n file-based authentication does not allow the Wildfly server to be in compliance\n with a wide range of user management requirements such as automatic disabling\n of inactive accounts as per DoD policy. 
To address this issue, the management\n interfaces used to manage the JBoss server must be associated with a security\n realm that provides centralized authentication management. Examples are AD or\n LDAP.\n\n Management of user identifiers is not applicable to shared information\n system accounts (e.g., guest and anonymous accounts). It is commonly the case\n that a user account is the name of an information system account associated\n with an individual.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000163-AS-000111'\n tag \"gid\": 'V-62285'\n tag \"rid\": 'SV-76775r1_rule'\n tag \"stig_id\": 'JBOS-AS-000290'\n tag \"cci\": ['CCI-000795']\n tag \"documentable\": false\n tag \"nist\": ['IA-4 e', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Obtain the list of management interfaces by running the command:\n \\\"ls /core-service=management/management-interface\\\"\n\n Identify the security realm used by each management interface configuration by\n running the command:\n \\\"ls /core-service=management/management-interface=\\\"\n\n Determine if the security realm assigned to the management interface uses LDAP\n for authentication by running the command:\n \\\"ls\n /core-service=management/security-realm=/authentication\\\"\n\n If the security realm assigned to the management interface does not utilize\n LDAP for authentication, this is a finding.\"\n tag \"fix\": \"Follow steps in section 11.8 - Management Interface Security in\n the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. 
Reference the new security domain in the Management Interface.\"\n tag \"fix_id\": 'F-68205r1_fix'\n\n ldap = input('ldap')\n connect = input('connection')\n\n management_interfaces = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=\").stdout.split(\"\\n\")\n\n management_interfaces.each do |interface|\n\n security_realms = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=\").stdout.split(\"\\n\")\n security_realms.each do |realm|\n describe \"The security realm #{realm} authentication mechanism\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=#{realm}/authentication\").stdout }\n it { should match /ldap/ }\n end\n end\n end\n if management_interfaces.empty?\n impact 0.0\n describe 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable' do\n skip 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable'\n end\n end\nend\n", + "code": "control 'V-62323' do\n title \"Wildfly must be configured to use an approved cryptographic algorithm in\n conjunction with TLS.\"\n desc \"\n Preventing the disclosure or modification of transmitted information\n requires that application servers take measures to employ approved cryptography\n in order to protect the information during transmission over the network. This\n is usually achieved through the use of Transport Layer Security (TLS), SSL VPN,\n or IPSec tunnel.\n\n If data in transit is unencrypted, it is vulnerable to disclosure and\n modification. 
If approved cryptographic algorithms are not used, encryption\n strength cannot be assured.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\n NIST SP 800-52 specifies the preferred configurations for government systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000440-AS-000167'\n tag \"gid\": 'V-62323'\n tag \"rid\": 'SV-76813r2_rule'\n tag \"stig_id\": 'JBOS-AS-000655'\n tag \"cci\": ['CCI-002421']\n tag \"documentable\": false\n tag \"nist\": ['SC-8 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Validate that the TLS protocol is used for HTTPS connections.\n Run the command:\n\n \\\"ls /subsystem=web/connector=https/ssl=configuration\\\"\n\n Review the cipher suites. The following suites are acceptable as per NIST\n 800-52r1 section 3.3.1 - Cipher Suites. Refer to the NIST document for a\n complete list of acceptable cipher suites. The source NIST document and\n approved encryption algorithms/cipher suites are subject to change and should\n be referenced.\n\n AES_128_CBC\n AES_256_CBC\n AES_128_GCM\n AES_128_CCM\n AES_256_CCM\n\n If the cipher suites utilized by the TLS server are not approved by NIST as per\n 800-52r1, this is a finding.\"\n tag \"fix\": \"Reference section 4.6 of the Wildfly Security Guide located\n on the Red Hat vendor's website for step-by-step instructions on establishing\n SSL encryption on Wildfly.\n\n The overall steps include:\n\n 1. Add an HTTPS connector.\n 2. Configure the SSL encryption certificate and keys.\n 3. 
Set the Cipher to an approved algorithm.\"\n tag \"fix_id\": 'F-68243r1_fix'\n\n connect = input('connection')\n\n cipher_suites = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/https-listener=https/\").stdout\n describe.one do\n describe 'The wildfly cryptographic algorithm used for TLS' do\n subject { cipher_suites }\n it { should match(%r{enabled-cipher-suites=(AES_((128)|(256))_CBC)|(AES_((128)|(256))_GCM)|(AES_((128)|(256))_CCM)|(AES_((128)|(256))_CCM)}) }\n end\n describe 'The wildfly cryptographic algorithm used for TLS' do\n subject { cipher_suites }\n it { should match(%r{enabled-cipher-suites=AES_((128)|(256))_CBC}) }\n end\n describe 'The wildfly cryptographic algorithm used for TLS' do\n subject { cipher_suites }\n it { should match(%r{enabled-cipher-suites=CBC:AES_128_GCM}) }\n end\n describe 'The wildfly cryptographic algorithm used for TLS' do\n subject { cipher_suites }\n it { should match(%r{enabled-cipher-suites=AES_((128)|(256))_CCM}) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62285.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62323.rb", "line": 1 }, - "id": "V-62285" + "id": "V-62323" }, { - "title": "Wildfly QuickStarts must be removed.", - "desc": "Wildfly QuickStarts are demo applications that can be deployed quickly.\nDemo applications are not written with security in mind and often open new\nattack vectors. QuickStarts must be removed.", + "title": "The application server must produce log records that contain\nsufficient information to establish the outcome of events.", + "desc": "Information system logging capability is critical for accurate forensic\nanalysis. 
Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Success and failure indicators ascertain the outcome of a particular\napplication server event or function. As such, they also provide a means to\nmeasure the impact of an event and help authorized personnel to determine the\nappropriate response. Event outcome may also include event-specific results\n(e.g., the security state of the information system after the event occurred).", "descriptions": { - "default": "Wildfly QuickStarts are demo applications that can be deployed quickly.\nDemo applications are not written with security in mind and often open new\nattack vectors. QuickStarts must be removed." + "default": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Success and failure indicators ascertain the outcome of a particular\napplication server event or function. As such, they also provide a means to\nmeasure the impact of an event and help authorized personnel to determine the\nappropriate response. Event outcome may also include event-specific results\n(e.g., the security state of the information system after the event occurred)." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000141-AS-000095", - "gid": "V-62267", - "rid": "SV-76757r1_rule", - "stig_id": "JBOS-AS-000235", + "gtitle": "SRG-APP-000099-AS-000062", + "gid": "V-62247", + "rid": "SV-76737r1_rule", + "stig_id": "JBOS-AS-000130", "cci": [ - "CCI-000381" + "CCI-000134" ], "documentable": false, "nist": [ - "CM-7 a", + "AU-3", "Rev_4" ], - "check": "Examine the $JBOSS_HOME; folder. If a\n wildfly quickstarts folder exits, this is a finding.", - "fix": "Delete the QuickStarts folder.", - "fix_id": "F-68187r1_fix" + "check": "Log on to the OS of the wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68167r1_fix" }, - "code": "control 'V-62267' do\n title \"Wildfly QuickStarts must be removed.\"\n desc \"Wildfly QuickStarts are demo applications that can be deployed quickly.\nDemo applications are not written with security in mind and 
often open new\nattack vectors. QuickStarts must be removed.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62267'\n tag \"rid\": 'SV-76757r1_rule'\n tag \"stig_id\": 'JBOS-AS-000235'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Examine the $JBOSS_HOME; folder. If a\n wildfly quickstarts folder exits, this is a finding.\"\n tag \"fix\": \"Delete the QuickStarts folder.\"\n tag \"fix_id\": 'F-68187r1_fix'\n describe 'The wildfly quickstart files found' do\n subject { command(\"find #{ input('jboss_home') }/ -type d | grep quickstarts\").stdout }\n it { should match(%r{}) }\n end\nend\n", + "code": "control 'V-62247' do\n title \"The application server must produce log records that contain\nsufficient information to establish the outcome of events.\"\n desc \"\n Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Success and failure indicators ascertain the outcome of a particular\napplication server event or function. As such, they also provide a means to\nmeasure the impact of an event and help authorized personnel to determine the\nappropriate response. 
Event outcome may also include event-specific results\n(e.g., the security state of the information system after the event occurred).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000099-AS-000062'\n tag \"gid\": 'V-62247'\n tag \"rid\": 'SV-76737r1_rule'\n tag \"stig_id\": 'JBOS-AS-000130'\n tag \"cci\": ['CCI-000134']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68167r1_fix'\n\n connect = input('connection')\n\n describe 'The application server produce log records that contain sufficient information to establish the outcome of events' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not 
match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62267.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62247.rb", "line": 1 }, - "id": "V-62267" + "id": "V-62247" }, { - "title": "Wildfly must be configured to generate log records for privileged\n activities.", - "desc": "Without generating log records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Privileged activities would occur through the management interface. This\ninterface can be web-based or can be command line utilities. Whichever method\nis utilized by the application server, these activities must be logged.", + "title": "File permissions must be configured to protect log information from\nunauthorized deletion.", + "desc": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS, appropriate file permissions must be used to restrict\ndeletion.\n\n Logon formation includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized deletion.", "descriptions": { - "default": "Without generating log records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Privileged activities would occur through the management interface. 
This\ninterface can be web-based or can be command line utilities. Whichever method\nis utilized by the application server, these activities must be logged." + "default": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS, appropriate file permissions must be used to restrict\ndeletion.\n\n Logon formation includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized deletion." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000504-AS-000229", - "gid": "V-62335", - "rid": "SV-76825r1_rule", - "stig_id": "JBOS-AS-000705", + "gtitle": "SRG-APP-000120-AS-000080", + "gid": "V-62255", + "rid": "SV-76745r1_rule", + "stig_id": "JBOS-AS-000175", "cci": [ - "CCI-000172" + "CCI-000164" ], "documentable": false, "nist": [ - "AU-12 c", + "AU-9", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli 
management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68255r1_fix" + "check": "Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to delete log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to delete log files.\n\nIf unauthorized users are allowed to delete log files, or if documentation that\nidentifies the users who are authorized to delete log files is missing, this is\na finding.", + "fix": "Configure the OS file permissions on the application server to\nprotect log information from unauthorized deletion.", + "fix_id": "F-68175r1_fix" }, - "code": "control 'V-62335' do\n title \"Wildfly must be configured to generate log records for privileged\n activities.\"\n desc \"\n Without generating log records that are specific to the security and\n mission needs of the organization, it would be difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n\n Privileged activities would occur through the management interface. 
This\n interface can be web-based or can be command line utilities. Whichever method\n is utilized by the application server, these activities must be logged.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000504-AS-000229'\n tag \"gid\": 'V-62335'\n tag \"rid\": 'SV-76825r1_rule'\n tag \"stig_id\": 'JBOS-AS-000705'\n tag \"cci\": ['CCI-000172']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68255r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server setting: generate log records for privileged activities' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not 
match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62255' do\n title \"File permissions must be configured to protect log information from\nunauthorized deletion.\"\n desc \"\n If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS, appropriate file permissions must be used to restrict\ndeletion.\n\n Logon formation includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized deletion.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000120-AS-000080'\n tag \"gid\": 'V-62255'\n tag \"rid\": 'SV-76745r1_rule'\n tag \"stig_id\": 'JBOS-AS-000175'\n tag \"cci\": ['CCI-000164']\n tag \"documentable\": false\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"check\": \"Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. 
The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to delete log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to delete log files.\n\nIf unauthorized users are allowed to delete log files, or if documentation that\nidentifies the users who are authorized to delete log files is missing, this is\na finding.\"\n tag \"fix\": \"Configure the OS file permissions on the application server to\nprotect log information from unauthorized deletion.\"\n tag \"fix_id\": 'F-68175r1_fix'\n\n wildfly_group = input('wildfly_group')\n wildly_owner = input('wildly_owner')\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n its('owner') { should eq \"#{wildly_owner}\" }\n its('group') { should eq \"#{wildfly_group}\" }\n # use proper mode matcher be_more_permissive_than\n its('mode') { should cmp '0750' }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62335.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62255.rb", "line": 1 }, - "id": "V-62335" + "id": "V-62255" }, { - "title": "mgmt-users.properties file permissions must be set to allow access to\nauthorized users only.", - "desc": "The mgmt-users.properties file contains the password hashes of all\nusers who are in a management role and must be protected. Application servers\nhave the ability to specify that the hosted applications utilize shared\nlibraries. The application server must have a capability to divide roles based\nupon duties wherein one project user (such as a developer) cannot modify the\nshared library code of another project user. 
The application server must also\nbe able to specify that non-privileged users cannot modify any shared library\ncode at all.", + "title": "Silent Authentication must be removed from the Default Management\nSecurity Realm.", + "desc": "Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability.", "descriptions": { - "default": "The mgmt-users.properties file contains the password hashes of all\nusers who are in a management role and must be protected. Application servers\nhave the ability to specify that the hosted applications utilize shared\nlibraries. The application server must have a capability to divide roles based\nupon duties wherein one project user (such as a developer) cannot modify the\nshared library code of another project user. The application server must also\nbe able to specify that non-privileged users cannot modify any shared library\ncode at all." + "default": "Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability." 
}, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-APP-000133-AS-000092", - "gid": "V-62259", - "rid": "SV-76749r1_rule", - "stig_id": "JBOS-AS-000210", + "gtitle": "SRG-APP-000033-AS-000024", + "gid": "V-62223", + "rid": "SV-76713r1_rule", + "stig_id": "JBOS-AS-000050", "cci": [ - "CCI-001499" + "CCI-000213" ], "documentable": false, "nist": [ - "CM-5 (6)", + "AC-3", "Rev_4" ], - "check": "The mgmt-users.properties files are located in the standalone\nor domain configuration folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\n$JBOSS_HOME;/domain/configuration/mgmt-users.properties.\n$JBOSS_HOME;/standalone/configuration/mgmt-users.properties.\n\nIdentify users who have access to the files using relevant OS commands.\n\nObtain documentation from system admin identifying authorized users.\n\nOwner can be full access.\nGroup can be full access.\nAll others must have execute permissions only.\n\nIf the file permissions are not configured so as to restrict access to only\nauthorized users, or if documentation that identifies authorized users is\nmissing, this is a finding.", - "fix": "Configure the file permissions to allow access to authorized\nusers only.\nOwner can be full access.\nGroup can be full access.\nAll others must have execute permissions only.", - "fix_id": "F-68179r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nVerify that Silent Authentication has been removed from the default Management\nsecurity realm.\nRun the following command.\n\nFor standalone servers run the following command:\n\"ls /core-service=management/securityrealm=ManagementRealm/authentication\"\n\nFor managed domain installations run the following 
command:\n\"ls\n/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication\"\n\nIf \"local\" is returned, this is a finding.", + "fix": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRemove the local element from the Management Realm.\nFor standalone servers run the following command:\n/core-service=management/securityrealm=\nManagementRealm/authentication=local:remove\n\nFor managed domain installations run the following command:\n/host=HOST_NAME/core-service=management/securityrealm=\nManagementRealm/authentication=local:remove", + "fix_id": "F-68143r1_fix" }, - "code": "control 'V-62259' do\n title \"mgmt-users.properties file permissions must be set to allow access to\nauthorized users only.\"\n desc \"The mgmt-users.properties file contains the password hashes of all\nusers who are in a management role and must be protected. Application servers\nhave the ability to specify that the hosted applications utilize shared\nlibraries. The application server must have a capability to divide roles based\nupon duties wherein one project user (such as a developer) cannot modify the\nshared library code of another project user. 
The application server must also\nbe able to specify that non-privileged users cannot modify any shared library\ncode at all.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000133-AS-000092'\n tag \"gid\": 'V-62259'\n tag \"rid\": 'SV-76749r1_rule'\n tag \"stig_id\": 'JBOS-AS-000210'\n tag \"cci\": ['CCI-001499']\n tag \"documentable\": false\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"check\": \"The mgmt-users.properties files are located in the standalone\nor domain configuration folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\n$JBOSS_HOME;/domain/configuration/mgmt-users.properties.\n$JBOSS_HOME;/standalone/configuration/mgmt-users.properties.\n\nIdentify users who have access to the files using relevant OS commands.\n\nObtain documentation from system admin identifying authorized users.\n\nOwner can be full access.\nGroup can be full access.\nAll others must have execute permissions only.\n\nIf the file permissions are not configured so as to restrict access to only\nauthorized users, or if documentation that identifies authorized users is\nmissing, this is a finding.\"\n tag \"fix\": \"Configure the file permissions to allow access to authorized\nusers only.\nOwner can be full access.\nGroup can be full access.\nAll others must have execute permissions only.\"\n tag \"fix_id\": 'F-68179r1_fix'\n describe file(\"#{ input('jboss_home') }/standalone/configuration/mgmt-users.properties\") do\n it { should_not be_readable.by('others') }\n end\n describe file(\"#{ input('jboss_home') }/standalone/configuration/mgmt-users.properties\") do\n it { should_not be_writable.by('others') }\n end\nend\n", + "code": "control 'V-62223' do\n title \"Silent Authentication must be removed from the Default Management\nSecurity Realm.\"\n desc \"Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. 
By default $localuser\nis a Superuser. This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62223'\n tag \"rid\": 'SV-76713r1_rule'\n tag \"stig_id\": 'JBOS-AS-000050'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nVerify that Silent Authentication has been removed from the default Management\nsecurity realm.\nRun the following command.\n\nFor standalone servers run the following command:\n\\\"ls /core-service=management/securityrealm=ManagementRealm/authentication\\\"\n\nFor managed domain installations run the following command:\n\\\"ls\n/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication\\\"\n\nIf \\\"local\\\" is returned, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRemove the local element from the Management Realm.\nFor standalone servers run the following command:\n/core-service=management/securityrealm=\nManagementRealm/authentication=local:remove\n\nFor managed domain installations run the following command:\n/host=HOST_NAME/core-service=management/securityrealm=\nManagementRealm/authentication=local:remove\"\n tag \"fix_id\": 'F-68143r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly default management security realm silent authentication' do\n subject { command(\"/bin/sh #{ 
input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=ManagementRealm/authentication\").stdout }\n it { should_not match(%r{local}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62259.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62223.rb", "line": 1 }, - "id": "V-62259" + "id": "V-62223" }, { - "title": "The Wildfly server must be configured to utilize syslog logging.", - "desc": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Off-loading is a common process in information systems with limited log\nstorage capacity.\n\n Centralized management of log records provides for efficiency in\nmaintenance and management of records, as well as the backup and archiving of\nthose records. Application servers and their related components are required to\noff-load log records onto a different system or media than the system being\nlogged.", + "title": "The Wildfly server must be configured to bind the management interfaces\n to only management networks.", + "desc": "Wildfly provides multiple interfaces for accessing the system. By\n default, these are called \"public\" and \"management\". Allowing\n non-management traffic to access the Wildfly management interface increases the\n chances of a security compromise. The Wildfly server must be configured to bind\n the management interface to a network that controls access. This is usually a\n network that has been designated as a management network and has restricted\n access. 
Similarly, the public interface must be bound to a network that is not\n on the same segment as the management interface.", "descriptions": { - "default": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes, but is not limited to, time stamps, source and\ndestination IP addresses, user/process identifiers, event descriptions,\napplication-specific events, success/fail indications, filenames involved,\naccess control or flow control rules invoked.\n\n Off-loading is a common process in information systems with limited log\nstorage capacity.\n\n Centralized management of log records provides for efficiency in\nmaintenance and management of records, as well as the backup and archiving of\nthose records. Application servers and their related components are required to\noff-load log records onto a different system or media than the system being\nlogged." + "default": "Wildfly provides multiple interfaces for accessing the system. By\n default, these are called \"public\" and \"management\". Allowing\n non-management traffic to access the Wildfly management interface increases the\n chances of a security compromise. The Wildfly server must be configured to bind\n the management interface to a network that controls access. This is usually a\n network that has been designated as a management network and has restricted\n access. Similarly, the public interface must be bound to a network that is not\n on the same segment as the management interface." 
}, "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-APP-000358-AS-000064", - "gid": "V-62309", - "rid": "SV-76799r1_rule", - "stig_id": "JBOS-AS-000505", + "refs": [], + "tags": { + "gtitle": "SRG-APP-000158-AS-000108", + "gid": "V-62283", + "rid": "SV-76773r1_rule", + "stig_id": "JBOS-AS-000285", "cci": [ - "CCI-001851" + "CCI-000778" ], "documentable": false, "nist": [ - "AU-4 (1)", + "IA-3", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n Standalone configuration:\n \"ls /subsystem=logging/syslog-handler=\"\n\n Domain configuration:\n \"ls /profile=/subsystem=logging/syslog-handler=\"\n Where = the selected application server profile of; default,full,\n full-ha or ha.\n\n If no values are returned, this is a finding.", - "fix": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n Standalone configuration:\n \"ls /subsystem=logging/syslog-handler=\"\n\n Domain configuration:\n \"ls /profile=default/subsystem=logging/syslog-handler=\"\n\n If no values are returned, this is a finding.", - "fix_id": "F-68229r1_fix" + "check": "Obtain documentation and network drawings from system admin\n that shows the network interfaces on the Wildfly server and the networks they are\n configured for.\n\n If a management network is not used, you may substitute localhost/127.0.0.1 for\n management address. 
If localhost/127.0.0.1 is used for management interface,\n this is not a finding.\n\n From the Wildfly server open the web-based admin console by pointing a browser to\n HTTP://127.0.0.1:9990.\n Log on to the management console with admin credentials.\n Select \"RUNTIME\".\n Expand STATUS by clicking on +.\n Expand PLATFORM by clicking on +.\n In the \"Environment\" tab, click the > arrow until you see the\n \"jboss.bind.properties\" and the \"jboss.bind.properties.management\" values.\n\n If the jboss.bind.properties and the jboss.bind.properties.management do not\n have different IP network addresses assigned, this is a finding.\n\n Review the network documentation. If access to the management IP address is\n not restricted, this is a finding.", + "fix": "Refer to the Wildfly EAP Installation guide for\n detailed instructions on how to start JBoss as a service.\n\n Use the following command line parameters to assign the management interface to\n a specific management network.\n\n These command line flags must be added both when starting JBoss as a service\n and when starting from the command line.\n\n Substitute your actual network address for the 10.x.x.x addresses provided as\n an example below.\n\n For a standalone configuration:\n JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1\n\n JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1\n\n If a management network is not available, you may substitute\n localhost/127.0.0.1 for management address. This will force you to manage the\n Wildfly server from the local host.", + "fix_id": "F-68203r1_fix" }, - "code": "control 'V-62309' do\n title \"The Wildfly server must be configured to utilize syslog logging.\"\n desc \"\n Information system logging capability is critical for accurate forensic\n analysis. 
Log record content that may be necessary to satisfy the requirement\n of this control includes, but is not limited to, time stamps, source and\n destination IP addresses, user/process identifiers, event descriptions,\n application-specific events, success/fail indications, filenames involved,\n access control or flow control rules invoked.\n\n Off-loading is a common process in information systems with limited log\n storage capacity.\n\n Centralized management of log records provides for efficiency in\n maintenance and management of records, as well as the backup and archiving of\n those records. Application servers and their related components are required to\n off-load log records onto a different system or media than the system being\n logged.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000358-AS-000064'\n tag \"gid\": 'V-62309'\n tag \"rid\": 'SV-76799r1_rule'\n tag \"stig_id\": 'JBOS-AS-000505'\n tag \"cci\": ['CCI-001851']\n tag \"documentable\": false\n tag \"nist\": ['AU-4 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n Standalone configuration:\n \\\"ls /subsystem=logging/syslog-handler=\\\"\n\n Domain configuration:\n \\\"ls /profile=/subsystem=logging/syslog-handler=\\\"\n Where = the selected application server profile of; default,full,\n full-ha or ha.\n\n If no values are returned, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n Standalone configuration:\n \\\"ls /subsystem=logging/syslog-handler=\\\"\n\n 
Domain configuration:\n \\\"ls /profile=default/subsystem=logging/syslog-handler=\\\"\n\n If no values are returned, this is a finding.\"\n tag \"fix_id\": 'F-68229r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server syslog handler' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=logging/syslog-handler=\").stdout }\n it { should_not eq '' }\n end\nend\n", + "code": "control 'V-62283' do\n title \"The Wildfly server must be configured to bind the management interfaces\n to only management networks.\"\n desc \"Wildfly provides multiple interfaces for accessing the system. By\n default, these are called \\\"public\\\" and \\\"management\\\". Allowing\n non-management traffic to access the Wildfly management interface increases the\n chances of a security compromise. The Wildfly server must be configured to bind\n the management interface to a network that controls access. This is usually a\n network that has been designated as a management network and has restricted\n access. Similarly, the public interface must be bound to a network that is not\n on the same segment as the management interface.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000158-AS-000108'\n tag \"gid\": 'V-62283'\n tag \"rid\": 'SV-76773r1_rule'\n tag \"stig_id\": 'JBOS-AS-000285'\n tag \"cci\": ['CCI-000778']\n tag \"documentable\": false\n tag \"nist\": ['IA-3', 'Rev_4']\n tag \"check\": \"Obtain documentation and network drawings from system admin\n that shows the network interfaces on the Wildfly server and the networks they are\n configured for.\n\n If a management network is not used, you may substitute localhost/127.0.0.1 for\n management address. 
If localhost/127.0.0.1 is used for management interface,\n this is not a finding.\n\n From the Wildfly server open the web-based admin console by pointing a browser to\n HTTP://127.0.0.1:9990.\n Log on to the management console with admin credentials.\n Select \\\"RUNTIME\\\".\n Expand STATUS by clicking on +.\n Expand PLATFORM by clicking on +.\n In the \\\"Environment\\\" tab, click the > arrow until you see the\n \\\"jboss.bind.properties\\\" and the \\\"jboss.bind.properties.management\\\" values.\n\n If the jboss.bind.properties and the jboss.bind.properties.management do not\n have different IP network addresses assigned, this is a finding.\n\n Review the network documentation. If access to the management IP address is\n not restricted, this is a finding.\"\n tag \"fix\": \"Refer to the Wildfly EAP Installation guide for\n detailed instructions on how to start JBoss as a service.\n\n Use the following command line parameters to assign the management interface to\n a specific management network.\n\n These command line flags must be added both when starting JBoss as a service\n and when starting from the command line.\n\n Substitute your actual network address for the 10.x.x.x addresses provided as\n an example below.\n\n For a standalone configuration:\n JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1\n\n JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1\n\n If a management network is not available, you may substitute\n localhost/127.0.0.1 for management address. 
This will force you to manage the\n Wildfly server from the local host.\"\n tag \"fix_id\": 'F-68203r1_fix'\n\n bind_mgmt_address = command(\"grep jboss.bind.address.management #{ input('jboss_home') }/standalone/configuration/standalone.xml | awk -F'=' '{print $2}' \").stdout\n public_bind_address = command(\"grep jboss.bind.address #{ input('jboss_home') }/standalone/configuration/standalone.xml | grep -v management | awk -F'=' '{print $2}' \").stdout\n\n bind_mgmt_address = command(\"grep jboss.bind.address.management #{ input('jboss_home') }/standalone/configuration/standalone.xml | awk -F'=' '{print $2}' \").stdout\n public_bind_address = command(\"grep jboss.bind.address #{ input('jboss_home') }/standalone/configuration/standalone.xml | grep -v management | awk -F'=' '{print $2}' \").stdout\n\n describe 'The wildfly bind address' do\n subject { bind_mgmt_address }\n it { should_not eq public_bind_address }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62309.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62283.rb", "line": 1 }, - "id": "V-62309" + "id": "V-62283" }, { - "title": "File permissions must be configured to protect log information from\nunauthorized deletion.", - "desc": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS, appropriate file permissions must be used to restrict\ndeletion.\n\n Logon formation includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. 
Application servers must protect log information from\nunauthorized deletion.", + "title": "Wildfly must be configured to generate log records for privileged\n activities.", + "desc": "Without generating log records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Privileged activities would occur through the management interface. This\ninterface can be web-based or can be command line utilities. Whichever method\nis utilized by the application server, these activities must be logged.", "descriptions": { - "default": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS, appropriate file permissions must be used to restrict\ndeletion.\n\n Logon formation includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized deletion." + "default": "Without generating log records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Privileged activities would occur through the management interface. This\ninterface can be web-based or can be command line utilities. Whichever method\nis utilized by the application server, these activities must be logged." 
},
"impact": 0.5,
"refs": [],
"tags": {
- "gtitle": "SRG-APP-000120-AS-000080",
- "gid": "V-62255",
- "rid": "SV-76745r1_rule",
- "stig_id": "JBOS-AS-000175",
+ "gtitle": "SRG-APP-000504-AS-000229",
+ "gid": "V-62335",
+ "rid": "SV-76825r1_rule",
+ "stig_id": "JBOS-AS-000705",
"cci": [
- "CCI-000164"
+ "CCI-000172"
],
"documentable": false,
"nist": [
- "AU-9",
+ "AU-12 c",
"Rev_4"
],
- "check": "Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to delete log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to delete log files.\n\nIf unauthorized users are allowed to delete log files, or if documentation that\nidentifies the users who are authorized to delete log files is missing, this is\na finding.",
- "fix": "Configure the OS file permissions on the application server to\nprotect log information from unauthorized deletion.",
- "fix_id": "F-68175r1_fix"
+ "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n 
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68255r1_fix" }, - "code": "control 'V-62255' do\n title \"File permissions must be configured to protect log information from\nunauthorized deletion.\"\n desc \"\n If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS, appropriate file permissions must be used to restrict\ndeletion.\n\n Logon formation includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized deletion.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000120-AS-000080'\n tag \"gid\": 'V-62255'\n tag \"rid\": 'SV-76745r1_rule'\n tag \"stig_id\": 'JBOS-AS-000175'\n tag \"cci\": ['CCI-000164']\n tag \"documentable\": false\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"check\": \"Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. 
The\ndefault location for the log files is:\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to delete log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to delete log files.\n\nIf unauthorized users are allowed to delete log files, or if documentation that\nidentifies the users who are authorized to delete log files is missing, this is\na finding.\"\n tag \"fix\": \"Configure the OS file permissions on the application server to\nprotect log information from unauthorized deletion.\"\n tag \"fix_id\": 'F-68175r1_fix'\n\n wildfly_group = input('wildfly_group')\n wildly_owner = input('wildly_owner')\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n its('owner') { should eq \"#{wildly_owner}\" }\n its('group') { should eq \"#{wildfly_group}\" }\n # use proper mode matcher be_more_permissive_than\n its('mode') { should cmp '0750' }\n end\nend\n", + "code": "control 'V-62335' do\n title \"Wildfly must be configured to generate log records for privileged\n activities.\"\n desc \"\n Without generating log records that are specific to the security and\n mission needs of the organization, it would be difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.\n\n Privileged activities would occur through the management interface. This\n interface can be web-based or can be command line utilities. 
Whichever method\n is utilized by the application server, these activities must be logged.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000504-AS-000229'\n tag \"gid\": 'V-62335'\n tag \"rid\": 'SV-76825r1_rule'\n tag \"stig_id\": 'JBOS-AS-000705'\n tag \"cci\": ['CCI-000172']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68255r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server setting: generate log records for privileged activities' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - 
"ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62255.rb",
+ "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62335.rb",
"line": 1
},
- "id": "V-62255"
+ "id": "V-62335"
},
{
- "title": "The Wildfly server must generate log records for access and\n authentication events to the management interface.",
- "desc": "Log records can be generated from various components within the Wildfly\napplication server. The minimum list of logged events should be those\npertaining to access and authentication events to the management interface as\nwell as system startup and shutdown events.\n\n By default, Wildfly does not log management interface access but does provide\na default file handler. This handler needs to be enabled. Configuring this\nsetting meets several STIG auditing requirements.",
+ "title": "The Wildfly Server must be configured to utilize a centralized\n authentication mechanism such as AD or LDAP.",
+ "desc": "To assure accountability and prevent unauthorized access, application\nserver users must be uniquely identified and authenticated. This is typically\naccomplished via the use of a user store that is either local (OS-based) or\ncentralized (Active Directory/LDAP) in nature. It should be noted that Wildfly\ndoes not specifically mention Active Directory since AD is LDAP aware.\n\n To ensure accountability and prevent unauthorized access, the JBoss Server\nmust be configured to utilize a centralized authentication mechanism.",
"descriptions": {
- "default": "Log records can be generated from various components within the Wildfly\napplication server. The minimum list of logged events should be those\npertaining to access and authentication events to the management interface as\nwell as system startup and shutdown events.\n\n By default, Wildfly does not log management interface access but does provide\na default file handler. This handler needs to be enabled. Configuring this\nsetting meets several STIG auditing requirements."
+ "default": "To assure accountability and prevent unauthorized access, application\nserver users must be uniquely identified and authenticated. This is typically\naccomplished via the use of a user store that is either local (OS-based) or\ncentralized (Active Directory/LDAP) in nature. It should be noted that Wildfly\ndoes not specifically mention Active Directory since AD is LDAP aware.\n\n To ensure accountability and prevent unauthorized access, the JBoss Server\nmust be configured to utilize a centralized authentication mechanism."
},
- "impact": 0.5,
+ "impact": 0,
"refs": [],
"tags": {
- "gtitle": "SRG-APP-000089-AS-000050",
- "gid": "V-62231",
- "rid": "SV-76721r1_rule",
- "stig_id": "JBOS-AS-000080",
+ "gtitle": "SRG-APP-000148-AS-000101",
+ "gid": "V-62277",
+ "rid": "SV-76767r1_rule",
+ "stig_id": "JBOS-AS-000260",
"cci": [
- "CCI-000169"
+ "CCI-000764"
],
"documentable": false,
"nist": [
- "AU-12 a",
+ "IA-2",
"Rev_4"
],
- "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.",
- "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n 
\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68151r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n To obtain the list of security realms run the command:\n \"ls /core-service=management/security-realm=\"\n\n Review each security realm using the command:\n \"ls\n /core-service=management/security-realm=/authentication\"\n\n If this command does not return a security realm that uses LDAP for\n authentication, this is a finding.", + "fix": "Follow steps in section 11.8 - Management Interface Security in\n the\n Wildfly_Enterprise_Application_Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. Reference the new security domain in the Management Interface.", + "fix_id": "F-68197r1_fix" }, - "code": "control 'V-62231' do\n title \"The Wildfly server must generate log records for access and\n authentication events to the management interface.\"\n desc \"\n Log records can be generated from various components within the Wildfly\n application server. The minimum list of logged events should be those\n pertaining to access and authentication events to the management interface as\n well as system startup and shutdown events.\n\n By default, Wildfly does not log management interface access but does provide\n a default file handler. This handler needs to be enabled. 
Configuring this\n setting meets several STIG auditing requirements.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000089-AS-000050'\n tag \"gid\": 'V-62231'\n tag \"rid\": 'SV-76721r1_rule'\n tag \"stig_id\": 'JBOS-AS-000080'\n tag \"cci\": ['CCI-000169']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 a', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n\n tag \"fix_id\": 'F-68151r1_fix'\n\n connect = input('connection')\n\n describe 'The Wildfly server generate log records for access and authentication events to the management interface.' 
do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62277' do\n title \"The Wildfly Server must be configured to utilize a centralized\n authentication mechanism such as AD or LDAP.\"\n desc \"\n To assure accountability and prevent unauthorized access, application\n server users must be uniquely identified and authenticated. This is typically\n accomplished via the use of a user store that is either local (OS-based) or\n centralized (Active Directory/LDAP) in nature. It should be noted that Wildfly\n does not specifically mention Active Directory since AD is LDAP aware.\n\n To ensure accountability and prevent unauthorized access, the JBoss Server\n must be configured to utilize a centralized authentication mechanism.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000148-AS-000101'\n tag \"gid\": 'V-62277'\n tag \"rid\": 'SV-76767r1_rule'\n tag \"stig_id\": 'JBOS-AS-000260'\n tag \"cci\": ['CCI-000764']\n tag \"documentable\": false\n tag \"nist\": ['IA-2', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n To obtain the list of security realms run the command:\n \\\"ls /core-service=management/security-realm=\\\"\n\n Review each security realm using the command:\n \\\"ls\n /core-service=management/security-realm=/authentication\\\"\n\n If this command does not return a security realm that uses LDAP for\n authentication, this is a finding.\"\n tag \"fix\": \"Follow steps in section 11.8 - Management Interface Security in\n the\n 
Wildfly_Enterprise_Application_Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. Reference the new security domain in the Management Interface.\"\n tag \"fix_id\": 'F-68197r1_fix'\n\n connect = input('connection')\n\n get_security_realms = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=\").stdout.split(\"\\n\")\n\n get_security_realms.each do |security_realm|\n describe \"The security realm #{security_realm} authentication mechanism\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=#{security_realm}/authentication\").stdout }\n it { should include 'ldap' }\n end\n end\n if get_security_realms.empty?\n impact 0.0\n describe 'There are no wildfly security realms configured, therefore this controls is not applicable' do\n skip 'There are no wildfly security realms configured, therefore this controls is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62231.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62277.rb", "line": 1 }, - "id": "V-62231" + "id": "V-62277" }, { - "title": "Silent Authentication must be removed from the Default Application\nSecurity Realm.", - "desc": "Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. 
This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability.", + "title": "Access to Wildfly log files must be restricted to authorized users.", + "desc": "If the application provides too much information in error logs and\nadministrative messages to the screen, this could lead to compromise. The\nstructure and content of error messages need to be carefully considered by the\norganization and development team. The extent to which the information system\nis able to identify and handle error conditions is guided by organizational\npolicy and operational requirements.\n\n Application servers must protect the error messages that are created by the\napplication server. All application server users' accounts are used for the\nmanagement of the server and the applications residing on the application\nserver. All accounts are assigned to a certain role with corresponding access\nrights. The application server must restrict access to error messages so only\nauthorized users may view them. Error messages are usually written to logs\ncontained on the file system. The application server will usually create new\nlog files as needed and must take steps to ensure that the proper file\npermissions are utilized when the log files are created.", "descriptions": { - "default": "Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability." + "default": "If the application provides too much information in error logs and\nadministrative messages to the screen, this could lead to compromise. The\nstructure and content of error messages need to be carefully considered by the\norganization and development team. 
The extent to which the information system\nis able to identify and handle error conditions is guided by organizational\npolicy and operational requirements.\n\n Application servers must protect the error messages that are created by the\napplication server. All application server users' accounts are used for the\nmanagement of the server and the applications residing on the application\nserver. All accounts are assigned to a certain role with corresponding access\nrights. The application server must restrict access to error messages so only\nauthorized users may view them. Error messages are usually written to logs\ncontained on the file system. The application server will usually create new\nlog files as needed and must take steps to ensure that the proper file\npermissions are utilized when the log files are created."
},
- "impact": 0.7,
+ "impact": 0.5,
"refs": [],
"tags": {
- "gtitle": "SRG-APP-000033-AS-000024",
- "gid": "V-62221",
- "rid": "SV-76711r1_rule",
- "stig_id": "JBOS-AS-000045",
+ "gtitle": "SRG-APP-000267-AS-000170",
+ "gid": "V-62301",
+ "rid": "SV-76791r1_rule",
+ "stig_id": "JBOS-AS-000425",
"cci": [
- "CCI-000213"
+ "CCI-001314"
],
"documentable": false,
"nist": [
- "AC-3",
+ "SI-11 b",
"Rev_4"
],
- "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nVerify that Silent Authentication has been removed from the default Application\nsecurity realm.\nRun the following command.\n\nFor standalone servers, run the following command:\n\"ls /core-service=management/securityrealm=ApplicationRealm/authentication\"\n\nFor managed domain installations, run the following command:\n\"ls\n/host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication\"\n\nIf \"local\" is returned, this is a 
finding.", - "fix": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRemove the local element from the Application Realm.\nFor standalone servers, run the following command:\n/core-service=management/securityrealm=\nApplicationRealm/authentication=local:remove\n\nFor managed domain installations, run the following command:\n/host=HOST_NAME/core-service=management/securityrealm=\nApplicationRealm/authentication=local:remove", - "fix_id": "F-68141r1_fix" + "check": "If the Wildfly log folder is installed in the default location\n and AS-000133-JBOSS-00079 is not a finding, the log folders are protected and\n this requirement is not a finding.\n\n By default, Wildlfy installs its log files into a sub-folder of the\n \"Wildfly\" home folder.\n Using a UNIX like OS example, the default location for log files is:\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n JBOSS_HOME/standalone/log\n JBOSS_HOME/domain/log\n\n For a standalone configuration:\n JBOSS_HOME/standalone/log/server.log\" Contains all server log messages,\n including server startup messages.\n\n For a domain configuration:\n JBOSS_HOME/domain/log/hostcontroller.log\n Host Controller boot log. Contains log messages related to the startup of the\n host controller.\n\n JBOSS_HOME/domain/log/processcontroller.log\n Process controller boot log. Contains log messages related to the startup of\n the process controller.\n\n JBOSS_HOME/domain/servers/SERVERNAME/log/server.log\n The server log for the named server. 
Contains all log messages for that server,\n including server startup messages.\n\n Log on with an OS user account with Wildfly access and permissions.\n\n Navigate to the \"Wildfly\" folder using the relevant OS commands for\n either a UNIX like OS or a Windows OS.\n\n Examine the permissions of the Wildfly logs folders.\n\n Owner can be full access.\n Group can be full access.\n All others must be restricted.\n\n If the Wildfly log folder is world readable or world writable, this is a\n finding.", + "fix": "Configure file permissions on the Wildfly log folder to protect\n from unauthorized access.", + "fix_id": "F-68221r1_fix" }, - "code": "control 'V-62221' do\n title \"Silent Authentication must be removed from the Default Application\nSecurity Realm.\"\n desc \"Silent Authentication is a configuration setting that allows local OS\nusers access to the Wildfly server and a wide range of operations without\nspecifically authenticating on an individual user basis. By default $localuser\nis a Superuser. 
This introduces an integrity and availability vulnerability and\nviolates best practice requirements regarding accountability.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62221'\n tag \"rid\": 'SV-76711r1_rule'\n tag \"stig_id\": 'JBOS-AS-000045'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nVerify that Silent Authentication has been removed from the default Application\nsecurity realm.\nRun the following command.\n\nFor standalone servers, run the following command:\n\\\"ls /core-service=management/securityrealm=ApplicationRealm/authentication\\\"\n\nFor managed domain installations, run the following command:\n\\\"ls\n/host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication\\\"\n\nIf \\\"local\\\" is returned, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script.\nConnect to the server and authenticate.\n\nRemove the local element from the Application Realm.\nFor standalone servers, run the following command:\n/core-service=management/securityrealm=\nApplicationRealm/authentication=local:remove\n\nFor managed domain installations, run the following command:\n/host=HOST_NAME/core-service=management/securityrealm=\nApplicationRealm/authentication=local:remove\"\n tag \"fix_id\": 'F-68141r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly default application security realm silent authentication' do\n subject { command(\"/bin/sh #{ input('jboss_home') 
}/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=ApplicationRealm/authentication\").stdout }\n it { should_not match(%r{local}) }\n end\nend\n", + "code": "control 'V-62301' do\n title \"Access to Wildfly log files must be restricted to authorized users.\"\n desc \"\n If the application provides too much information in error logs and\n administrative messages to the screen, this could lead to compromise. The\n structure and content of error messages need to be carefully considered by the\n organization and development team. The extent to which the information system\n is able to identify and handle error conditions is guided by organizational\n policy and operational requirements.\n\n Application servers must protect the error messages that are created by the\n application server. All application server users' accounts are used for the\n management of the server and the applications residing on the application\n server. All accounts are assigned to a certain role with corresponding access\n rights. The application server must restrict access to error messages so only\n authorized users may view them. Error messages are usually written to logs\n contained on the file system. 
The application server will usually create new\n log files as needed and must take steps to ensure that the proper file\n permissions are utilized when the log files are created.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000267-AS-000170'\n tag \"gid\": 'V-62301'\n tag \"rid\": 'SV-76791r1_rule'\n tag \"stig_id\": 'JBOS-AS-000425'\n tag \"cci\": ['CCI-001314']\n tag \"documentable\": false\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"check\": \"If the Wildfly log folder is installed in the default location\n and AS-000133-JBOSS-00079 is not a finding, the log folders are protected and\n this requirement is not a finding.\n\n By default, Wildlfy installs its log files into a sub-folder of the\n \\\"Wildfly\\\" home folder.\n Using a UNIX like OS example, the default location for log files is:\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n JBOSS_HOME/standalone/log\n JBOSS_HOME/domain/log\n\n For a standalone configuration:\n JBOSS_HOME/standalone/log/server.log\\\" Contains all server log messages,\n including server startup messages.\n\n For a domain configuration:\n JBOSS_HOME/domain/log/hostcontroller.log\n Host Controller boot log. Contains log messages related to the startup of the\n host controller.\n\n JBOSS_HOME/domain/log/processcontroller.log\n Process controller boot log. Contains log messages related to the startup of\n the process controller.\n\n JBOSS_HOME/domain/servers/SERVERNAME/log/server.log\n The server log for the named server. 
Contains all log messages for that server,\n including server startup messages.\n\n Log on with an OS user account with Wildfly access and permissions.\n\n Navigate to the \\\"Wildfly\\\" folder using the relevant OS commands for\n either a UNIX like OS or a Windows OS.\n\n Examine the permissions of the Wildfly logs folders.\n\n Owner can be full access.\n Group can be full access.\n All others must be restricted.\n\n If the Wildfly log folder is world readable or world writable, this is a\n finding.\"\n tag \"fix\": \"Configure file permissions on the Wildfly log folder to protect\n from unauthorized access.\"\n tag \"fix_id\": 'F-68221r1_fix'\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n it { should_not be_readable.by 'others' }\n end\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n it { should_not be_writable.by 'others' }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62221.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62301.rb", "line": 1 }, - "id": "V-62221" + "id": "V-62301" }, { "title": "Wildfly must be configured to generate log records when concurrent\n logons from different workstations occur to the application server management\n interface.", 
@@ -1741,167 +1741,167 @@ "id": "V-62339" }, { - "title": "The Wildfly server must be configured to restrict access to the web\n servers private key to authenticated system administrators.", - "desc": "The cornerstone of the PKI is the private key used to encrypt or digitally\nsign information.\n\n If the private key is stolen, this will lead to the compromise of the\nauthentication and non-repudiation gained through PKI because the attacker can\nuse the private key to digitally sign documents and can pretend to be the\nauthorized user.\n\n Both the holders of a digital certificate and the issuing authority must\nprotect the computers, storage devices, or whatever they use to keep the\nprivate keys. Java-based application servers utilize the Java keystore, which\nprovides storage for cryptographic keys and certificates. The keystore is\nusually maintained in a file stored on the file system.", + "title": "Wildfly must be configured to produce log records that establish which\nhosted application triggered the events.", + "desc": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n By default, no web logging is enabled in Wildfly. Logging can be configured\nper web application or by virtual server. If web application logging is not\nset up, application activity will not be logged.\n\n Ascertaining the correct location or process within the application server\nwhere the events occurred is important during forensic analysis. 
To determine\nwhere an event occurred, the log data must contain data containing the\napplication identity.", "descriptions": { - "default": "The cornerstone of the PKI is the private key used to encrypt or digitally\nsign information.\n\n If the private key is stolen, this will lead to the compromise of the\nauthentication and non-repudiation gained through PKI because the attacker can\nuse the private key to digitally sign documents and can pretend to be the\nauthorized user.\n\n Both the holders of a digital certificate and the issuing authority must\nprotect the computers, storage devices, or whatever they use to keep the\nprivate keys. Java-based application servers utilize the Java keystore, which\nprovides storage for cryptographic keys and certificates. The keystore is\nusually maintained in a file stored on the file system." + "default": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n By default, no web logging is enabled in Wildfly. Logging can be configured\nper web application or by virtual server. If web application logging is not\nset up, application activity will not be logged.\n\n Ascertaining the correct location or process within the application server\nwhere the events occurred is important during forensic analysis. To determine\nwhere an event occurred, the log data must contain data containing the\napplication identity." 
},
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000176-AS-000125",
- "gid": "V-62295",
- "rid": "SV-76785r1_rule",
- "stig_id": "JBOS-AS-000320",
+ "gtitle": "SRG-APP-000097-AS-000060",
+ "gid": "V-62243",
+ "rid": "SV-76733r1_rule",
+ "stig_id": "JBOS-AS-000120",
 "cci": [
- "CCI-000186"
+ "CCI-000132"
 ],
 "documentable": false,
 "nist": [
- "IA-5 (2) (b)",
+ "AU-3",
 "Rev_4"
 ],
- "check": "The default location for the keystore used by the Wildfly vault\n is the $JBOSS_HOME;/vault/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n If a vault keystore has been created, by default it will be in the file:\n $JBOSS_HOME;/vault/vault.keystore. The file stores a single key, with the\n default alias vault, which will be used to store encrypted strings, such as\n passwords, for Wildfly EAP.\n\n Browse to the Wildfly vault folder using the relevant OS commands.\n Review the file permissions and ensure only system administrators and Wildfly\n users are allowed access.\n\n Owner can be full access\n Group can be full access\n All others must be restricted to execute access or no permission.\n\n If non-system administrators are allowed to access the $JBOSS_HOME;/vault/\n folder, this is a finding.",
- "fix": "Configure the application server OS file permissions on the\n corresponding private key to restrict access to authorized accounts or roles.",
- "fix_id": "F-68215r1_fix"
+ "check": "Application logs are a configurable variable. Interview the\nsystem admin, and have them identify the applications that are running on the\napplication server. Have the system admin identify the log files/location\nwhere application activity is stored.\n\nReview the log files to ensure each application is uniquely identified within\nthe logs or each application has its own unique log file.\n\nGenerate application activity by either authenticating to the application or\ngenerating an auditable event, and ensure the application activity is recorded\nin the log file. 
Recently time stamped application events are suitable\nevidence of compliance.\n\nIf the log records do not indicate which application hosted on the application\nserver generated the event, or if no events are recorded related to application\nactivity, this is a finding.", + "fix": "Configure log formatter to audit application activity so\nindividual application activity can be identified.", + "fix_id": "F-68163r1_fix" }, - "code": "control 'V-62295' do\n title \"The Wildfly server must be configured to restrict access to the web\n servers private key to authenticated system administrators.\"\n desc \"\n The cornerstone of the PKI is the private key used to encrypt or digitally\n sign information.\n\n If the private key is stolen, this will lead to the compromise of the\n authentication and non-repudiation gained through PKI because the attacker can\n use the private key to digitally sign documents and can pretend to be the\n authorized user.\n\n Both the holders of a digital certificate and the issuing authority must\n protect the computers, storage devices, or whatever they use to keep the\n private keys. Java-based application servers utilize the Java keystore, which\n provides storage for cryptographic keys and certificates. The keystore is\n usually maintained in a file stored on the file system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000176-AS-000125'\n tag \"gid\": 'V-62295'\n tag \"rid\": 'SV-76785r1_rule'\n tag \"stig_id\": 'JBOS-AS-000320'\n tag \"cci\": ['CCI-000186']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (2) (b)', 'Rev_4']\n tag \"check\": \"The default location for the keystore used by the Wildfly vault\n is the $JBOSS_HOME;/vault/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n If a vault keystore has been created, by default it will be in the file:\n $JBOSS_HOME;/vault/vault.keystore. 
The file stores a single key, with the\n default alias vault, which will be used to store encrypted strings, such as\n passwords, for Wildfly EAP.\n\n Browse to the Wildfly vault folder using the relevant OS commands.\n Review the file permissions and ensure only system administrators and Wildfly\n users are allowed access.\n\n Owner can be full access\n Group can be full access\n All others must be restricted to execute access or no permission.\n\n If non-system administrators are allowed to access the $JBOSS_HOME;/vault/\n folder, this is a finding.\"\n tag \"fix\": \"Configure the application server OS file permissions on the\n corresponding private key to restrict access to authorized accounts or roles.\"\n tag \"fix_id\": 'F-68215r1_fix'\n describe directory(\"#{ input('jboss_home') }/vault\") do\n it { should_not be_readable.by('others') }\n end\n describe directory(\"#{ input('jboss_home') }/vault\") do\n it { should_not be_writable.by('others') }\n end\nend\n", + "code": "control 'V-62243' do\n title \"Wildfly must be configured to produce log records that establish which\nhosted application triggered the events.\"\n desc \"\n Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n By default, no web logging is enabled in Wildfly. Logging can be configured\nper web application or by virtual server. If web application logging is not\nset up, application activity will not be logged.\n\n Ascertaining the correct location or process within the application server\nwhere the events occurred is important during forensic analysis. 
To determine\nwhere an event occurred, the log data must contain data containing the\napplication identity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000097-AS-000060'\n tag \"gid\": 'V-62243'\n tag \"rid\": 'SV-76733r1_rule'\n tag \"stig_id\": 'JBOS-AS-000120'\n tag \"cci\": ['CCI-000132']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Application logs are a configurable variable. Interview the\nsystem admin, and have them identify the applications that are running on the\napplication server. Have the system admin identify the log files/location\nwhere application activity is stored.\n\nReview the log files to ensure each application is uniquely identified within\nthe logs or each application has its own unique log file.\n\nGenerate application activity by either authenticating to the application or\ngenerating an auditable event, and ensure the application activity is recorded\nin the log file. Recently time stamped application events are suitable\nevidence of compliance.\n\nIf the log records do not indicate which application hosted on the application\nserver generated the event, or if no events are recorded related to application\nactivity, this is a finding.\"\n tag \"fix\": \"Configure log formatter to audit application activity so\nindividual application activity can be identified.\"\n tag \"fix_id\": 'F-68163r1_fix'\n file = command('find / -name \"log4j.properties\" 2>/dev/null | grep -v example').stdout\n\n if (input('disable_slow_controls'))\n describe \"This control is a long running control and is disabled, for full accredidation you need to enable this control.\" do\n skip \"This control is a long running control and is disabled, for full accredidation you need to enable this control.\"\n end\n else\n describe 'The number of log4j.properties files found' do\n subject { command('find / -name \"log4j.properties\" 2>/dev/null | grep -v example | wc -l').stdout }\n it { should_not match /0/ }\n end\n\n describe 'The 
number of words in the log4j.properties file' do\n subject { command(\"wc -c #{file}\").stdout }\n it { should_not match /0/ }\n end\n end\nend", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62295.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62243.rb", "line": 1 }, - "id": "V-62295" + "id": "V-62243" }, { - "title": "Any unapproved applications must be removed.", - "desc": "Extraneous services and applications running on an application server\n expands the attack surface and increases risk to the application server.\n Securing any server involves identifying and removing any unnecessary services\n and, in the case of an application server, unnecessary and/or unapproved\n applications.", + "title": "Wildfly must be configured to initiate session logging upon startup.", + "desc": "Session logging activities are developed, integrated, and used in\nconsultation with legal counsel in accordance with applicable federal laws,\nExecutive Orders, directives, policies, or regulations.", "descriptions": { - "default": "Extraneous services and applications running on an application server\n expands the attack surface and increases risk to the application server.\n Securing any server involves identifying and removing any unnecessary services\n and, in the case of an application server, unnecessary and/or unapproved\n applications." + "default": "Session logging activities are developed, integrated, and used in\nconsultation with legal counsel in accordance with applicable federal laws,\nExecutive Orders, directives, policies, or regulations." 
},
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000141-AS-000095",
- "gid": "V-62273",
- "rid": "SV-76763r1_rule",
- "stig_id": "JBOS-AS-000250",
+ "gtitle": "SRG-APP-000092-AS-000053",
+ "gid": "V-62235",
+ "rid": "SV-76725r1_rule",
+ "stig_id": "JBOS-AS-000095",
 "cci": [
- "CCI-000381"
+ "CCI-001464"
 ],
 "documentable": false,
 "nist": [
- "CM-7 a",
+ "AU-14 (1)",
 "Rev_4"
 ],
- "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /deployment\n\n The list of deployed applications is displayed. Have the system admin identify\n the applications listed and confirm they are approved applications.\n\n If the system admin cannot provide documentation proving their authorization\n for deployed applications, this is a finding.",
- "fix": "Identify, authorize, and document all applications that are\n deployed to the application server. 
Remove unauthorized applications.", - "fix_id": "F-68193r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68155r1_fix" }, - "code": "control 'V-62273' do\n title \"Any unapproved applications must be removed.\"\n desc \"Extraneous services and applications running on an application server\n expands the attack surface and increases risk to the application server.\n Securing any server involves identifying and removing any unnecessary services\n and, in the case of an application server, unnecessary and/or unapproved\n applications.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62273'\n tag \"rid\": 'SV-76763r1_rule'\n tag \"stig_id\": 'JBOS-AS-000250'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server 
with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /deployment\n\n The list of deployed applications is displayed. Have the system admin identify\n the applications listed and confirm they are approved applications.\n\n If the system admin cannot provide documentation proving their authorization\n for deployed applications, this is a finding.\"\n tag \"fix\": \"Identify, authorize, and document all applications that are\n deployed to the application server. Remove unauthorized applications.\"\n tag \"fix_id\": 'F-68193r1_fix' \n\n connect = input('connection')\n approved_applications = input('approved_applications')\n\n applications_deployed = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /deployment\").stdout.strip.split(\"\\n\")\n\n applications_deployed.each do |app|\n a = app.strip\n describe \"The installed wildfly application: #{a}\" do\n subject {\"#{a}\"}\n it { should be_in approved_applications }\n end\n end\n if applications_deployed.empty?\n impact 0.0\n describe 'There are no applications installed on the wildfly server, therefore this control is Not Applicable' do\n skip 'There are no applications installed on the wildfly server, therefore this control is Not Applicable'\n end\n end\nend\n", + "code": "control 'V-62235' do\n title \"Wildfly must be configured to initiate session logging upon startup.\"\n desc \"Session logging activities are developed, integrated, and used in\nconsultation with legal counsel in accordance with applicable federal laws,\nExecutive Orders, directives, policies, or regulations.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000092-AS-000053'\n tag \"gid\": 'V-62235'\n tag \"rid\": 'SV-76725r1_rule'\n tag \"stig_id\": 'JBOS-AS-000095'\n tag \"cci\": 
['CCI-001464']\n tag \"documentable\": false\n tag \"nist\": ['AU-14 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68155r1_fix'\n\n connect = input('connection')\n\n describe 'Wildfly initiate session logging upon startup' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62273.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62235.rb", "line": 1 }, - "id": "V-62273" + "id": "V-62235" }, { - "title": "Google Analytics must be disabled in EAP Console.", - "desc": "The Google Analytics feature aims to help Red Hat EAP team 
understand how\ncustomers are using the console and which parts of the console matter the most\nto the customers. This information will, in turn, help the team to adapt the\nconsole design, features, and content to the immediate needs of the customers.\n\n Sending analytical data to the vendor introduces risk of unauthorized data\nexfiltration. This capability must be disabled.", + "title": "The Wildfly server must be configured to use individual accounts and not\n generic or shared accounts.", + "desc": "To assure individual accountability and prevent unauthorized access,\napplication server users (and any processes acting on behalf of application\nserver users) must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\n\n Application servers must ensure that individual users are authenticated\nprior to authenticating via role or group authentication. This is to ensure\nthat there is non-repudiation for actions taken.", "descriptions": { - "default": "The Google Analytics feature aims to help Red Hat EAP team understand how\ncustomers are using the console and which parts of the console matter the most\nto the customers. This information will, in turn, help the team to adapt the\nconsole design, features, and content to the immediate needs of the customers.\n\n Sending analytical data to the vendor introduces risk of unauthorized data\nexfiltration. This capability must be disabled." 
+ "default": "To assure individual accountability and prevent unauthorized access,\napplication server users (and any processes acting on behalf of application\nserver users) must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\nUse of a group authenticator alone does not uniquely identify individual users.\n\n Application servers must ensure that individual users are authenticated\nprior to authenticating via role or group authentication. This is to ensure\nthat there is non-repudiation for actions taken."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000141-AS-000095",
- "gid": "V-62263",
- "rid": "SV-76753r1_rule",
- "stig_id": "JBOS-AS-000225",
+ "gtitle": "SRG-APP-000153-AS-000104",
+ "gid": "V-62281",
+ "rid": "SV-76771r1_rule",
+ "stig_id": "JBOS-AS-000275",
 "cci": [
- "CCI-000381"
+ "CCI-000770"
 ],
 "documentable": false,
 "nist": [
- "CM-7 a",
+ "IA-2 (5)",
 "Rev_4"
 ],
- "check": "Open the EAP web console by pointing a web browser to\n HTTPS://:9443 or HTTP://:9990\n\n Log on to the admin console using admin credentials.\n On the bottom right-hand side of the screen, select \"Settings\".\n\n If the \"Enable Data Usage Collection\" box is checked, this is a finding.",
- "fix": "Using the EAP web console, log on using admin credentials.\n On the bottom right-hand side of the screen, select \"Settings\",\n uncheck the \"Enable Data Usage Collection\" box, and save the configuration.",
- "fix_id": "F-68183r1_fix"
+ "check": "If the application server management interface is configured to\n use LDAP authentication this requirement is NA.\n\n Determine the mode in which the Wildfly server is operating by authenticating to\n the OS, changing to the $JBOSS_HOME;/bin/ folder and executing the jboss-cli\n script.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Connect to the server and authenticate.\n Run the command: \"ls\" and examine the \"launch-type\" setting.\n\n User 
account information is stored in the following files for a Wildfly server\n configured in standalone mode. The command line flags passed to the\n \"standalone\" startup script determine the standalone operating mode:\n $JBOSS_HOME;/standalone/configuration/standalone.xml\n $JBOSS_HOME;/standalone/configuration/standalone-full.xml\n $JBOSS_HOME;/standalone/configuration/standalone.-full-ha.xml\n $JBOSS_HOME;/standalone/configuration/standalone.ha.xml\n\n For a Managed Domain:\n $JBOSS_HOME;/domain/configuration/domain.xml.\n\n Review both files for generic or shared user accounts.\n\n Open each xml file with a text editor and locate the \n section.\n Review the sub-section where \"xxxxx\" will be a user\n name.\n\n Have the system administrator identify the user of each user account.\n\n If user accounts are not assigned to individual users, this is a finding.", + "fix": "Configure the application server so required users are\n individually authenticated by creating individual user accounts. Utilize an\n LDAP server that is configured according to DOD policy.", + "fix_id": "F-68201r1_fix" }, - "code": "control 'V-62263' do\n title \"Google Analytics must be disabled in EAP Console.\"\n desc \"\n The Google Analytics feature aims to help Red Hat EAP team understand how\n customers are using the console and which parts of the console matter the most\n to the customers. This information will, in turn, help the team to adapt the\n console design, features, and content to the immediate needs of the customers.\n\n Sending analytical data to the vendor introduces risk of unauthorized data\n exfiltration. 
This capability must be disabled.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-AS-000095'\n tag \"gid\": 'V-62263'\n tag \"rid\": 'SV-76753r1_rule'\n tag \"stig_id\": 'JBOS-AS-000225'\n tag \"cci\": ['CCI-000381']\n tag \"documentable\": false\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"check\": \"Open the EAP web console by pointing a web browser to\n HTTPS://:9443 or HTTP://:9990\n\n Log on to the admin console using admin credentials.\n On the bottom right-hand side of the screen, select \\\"Settings\\\".\n\n If the \\\"Enable Data Usage Collection\\\" box is checked, this is a finding.\"\n tag \"fix\": \"Using the EAP web console, log on using admin credentials.\n On the bottom right-hand side of the screen, select \\\"Settings\\\",\n uncheck the \\\"Enable Data Usage Collection\\\" box, and save the configuration.\"\n tag \"fix_id\": 'F-68183r1_fix'\n describe 'A manual review is required to ensure Google Analytics is disable in the EAP console' do\n skip 'A manual review is required to ensure Google Analytics is disable in the EAP console'\n end\nend\n", + "code": "control 'V-62281' do\n title \"The Wildfly server must be configured to use individual accounts and not\n generic or shared accounts.\"\n desc \"\n To assure individual accountability and prevent unauthorized access,\n application server users (and any processes acting on behalf of application\n server users) must be individually identified and authenticated.\n\n A group authenticator is a generic account used by multiple individuals.\n Use of a group authenticator alone does not uniquely identify individual users.\n\n Application servers must ensure that individual users are authenticated\n prior to authenticating via role or group authentication. 
This is to ensure\n that there is non-repudiation for actions taken.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000153-AS-000104'\n tag \"gid\": 'V-62281'\n tag \"rid\": 'SV-76771r1_rule'\n tag \"stig_id\": 'JBOS-AS-000275'\n tag \"cci\": ['CCI-000770']\n tag \"documentable\": false\n tag \"nist\": ['IA-2 (5)', 'Rev_4']\n tag \"check\": \"If the application server management interface is configured to\n use LDAP authentication this requirement is NA.\n\n Determine the mode in which the Wildfly server is operating by authenticating to\n the OS, changing to the $JBOSS_HOME;/bin/ folder and executing the jboss-cli\n script.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Connect to the server and authenticate.\n Run the command: \\\"ls\\\" and examine the \\\"launch-type\\\" setting.\n\n User account information is stored in the following files for a Wildfly server\n configured in standalone mode. The command line flags passed to the\n \\\"standalone\\\" startup script determine the standalone operating mode:\n $JBOSS_HOME;/standalone/configuration/standalone.xml\n $JBOSS_HOME;/standalone/configuration/standalone-full.xml\n $JBOSS_HOME;/standalone/configuration/standalone.-full-ha.xml\n $JBOSS_HOME;/standalone/configuration/standalone.ha.xml\n\n For a Managed Domain:\n $JBOSS_HOME;/domain/configuration/domain.xml.\n\n Review both files for generic or shared user accounts.\n\n Open each xml file with a text editor and locate the \n section.\n Review the sub-section where \\\"xxxxx\\\" will be a user\n name.\n\n Have the system administrator identify the user of each user account.\n\n If user accounts are not assigned to individual users, this is a finding.\"\n tag \"fix\": \"Configure the application server so required users are\n individually authenticated by creating individual user accounts. 
Utilize an\n LDAP server that is configured according to DOD policy.\"\n tag \"fix_id\": 'F-68201r1_fix'\n\n connect = input('connection')\n auditor_role_users = input('auditor_role_users')\n administrator_role_users = input('administrator_role_users')\n superuser_role_users = input('superuser_role_users')\n deployer_role_users = input('deployer_role_users')\n maintainer_role_users = input('maintainer_role_users')\n monitor_role_users = input('monitor_role_users')\n operator_role_users = input('operator_role_users')\n\n auditor_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Auditor/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n administrator_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Administrator/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n superuser_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=SuperUser/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n deployer_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Deployer/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n maintainer_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Maintainer/include= | grep -v 'Manage' | grep -v 'core' | 
grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n monitor_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Monitor/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n operator_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=authorization/role-mapping=Operator/include= | grep -v 'Manage' | grep -v 'core' | grep -v 'access' | grep -v 'mapping' | grep -v 'not found'\").stdout.strip.split(\" \")\n\n if !auditor_role.empty?\n auditor_role.each do |user|\n describe \"User: #{user} with the auditor role\" do\n subject { user }\n it { should be_in auditor_role_users }\n end\n end\n end\n\n if !administrator_role.empty?\n administrator_role.each do |user|\n describe \"User: #{user} with the administrator role\" do\n subject { user }\n it { should be_in administrator_role_users }\n end\n end\n end\n\n if !superuser_role.empty?\n superuser_role.each do |user|\n describe \"User: #{user} with the SuperUser role\" do\n subject { user }\n it { should be_in superuser_role_users }\n end\n end\n end\n\n if !deployer_role.empty?\n deployer_role.each do |user|\n describe \"User: #{user} with the deployer role\" do\n subject { user }\n it { should be_in deployer_role_users }\n end\n end\n end\n\n if !maintainer_role.empty?\n maintainer_role.each do |user|\n describe \"User: #{user} with the maintainer role\" do\n subject { user }\n it { should be_in maintainer_role_users }\n end\n end\n end\n\n if !monitor_role.empty?\n monitor_role.each do |user|\n describe \"User: #{user} with the monitor role\" do\n subject { user }\n it { should be_in monitor_role_users }\n end\n end\n end\n\n if !operator_role.empty?\n operator_role.each do |user|\n describe \"User: #{user} with the operator 
role\" do\n subject { user }\n it { should be_in operator_role_users }\n end\n end\n end\n if auditor_role.empty? && administrator_role.empty? && superuser_role.empty? && deployer_role.empty? && maintainer_role.empty && monitor_role.empty && operator_role.empty?\n impact 0.0\n desc 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable'\n describe 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable' do\n skip 'The are no Wildfly accounts with the following roles: auditor, administrator, superuser, deployer, maintainer, monitor, or operator, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62263.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62281.rb", "line": 1 }, - "id": "V-62263" + "id": "V-62281" }, { - "title": "Wildfly must be configured to use an approved TLS version.", - "desc": "Preventing the disclosure of transmitted information requires that the\napplication server take measures to employ some form of cryptographic mechanism\nin order to protect the information during transmission. This is usually\nachieved through the use of Transport Layer Security (TLS).\n\n Wildlfy relies on the underlying SSL implementation running on the OS. This\ncan be either Java based or OpenSSL. The SSL protocol setting determines which\nSSL protocol is used. SSL has known security vulnerabilities, so TLS should be\nused instead.\n\n If data is transmitted unencrypted, the data then becomes vulnerable to\ndisclosure. 
The disclosure may reveal user identifier/password combinations,\nwebsite code revealing business logic, or other user personal information.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\nNIST SP 800-52 specifies the preferred configurations for government systems.", + "title": "The Java Security Manager must be enabled for the wildfly application\nserver.", + "desc": "The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The Java Security Manager uses a security policy to determine whether a\ngiven action will be\n permitted or denied.\n\n To protect the host system, the Wildfly application server must be run within\nthe Java Security Manager.", "descriptions": { - "default": "Preventing the disclosure of transmitted information requires that the\napplication server take measures to employ some form of cryptographic mechanism\nin order to protect the information during transmission. This is usually\nachieved through the use of Transport Layer Security (TLS).\n\n Wildlfy relies on the underlying SSL implementation running on the OS. This\ncan be either Java based or OpenSSL. The SSL protocol setting determines which\nSSL protocol is used. SSL has known security vulnerabilities, so TLS should be\nused instead.\n\n If data is transmitted unencrypted, the data then becomes vulnerable to\ndisclosure. The disclosure may reveal user identifier/password combinations,\nwebsite code revealing business logic, or other user personal information.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\nNIST SP 800-52 specifies the preferred configurations for government systems." 
+ "default": "The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The Java Security Manager uses a security policy to determine whether a\ngiven action will be\n permitted or denied.\n\n To protect the host system, the Wildfly application server must be run within\nthe Java Security Manager." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-APP-000439-AS-000155", - "gid": "V-62321", - "rid": "SV-76811r2_rule", - "stig_id": "JBOS-AS-000650", + "gtitle": "SRG-APP-000033-AS-000024", + "gid": "V-62225", + "rid": "SV-76715r1_rule", + "stig_id": "JBOS-AS-000030", "cci": [ - "CCI-002418" + "CCI-000213" ], "documentable": false, "nist": [ - "SC-8", + "AC-3", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Validate that the TLS protocol is used for HTTPS connections.\n Run the command:\n\n \"ls /subsystem=web/connector=https/ssl=configuration\"\n\n If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.", - "fix": "Reference section 4.6 of the Wildfly Security Guide located\n on the Red Hat vendor's web site for step-by-step instructions on establishing\n SSL encryption on Wildfly.\n\n The overall steps include:\n\n 1. Add an HTTPS connector.\n 2. Configure the SSL encryption certificate and keys.\n 3. Set the protocol to TLS V1.1 or V1.2.", - "fix_id": "F-68241r1_fix" + "check": "To determine if the Java Security Manager is enabled for Wildfly,\nyou must examine the startup commands. Wildfly can be configured to run in\neither \"domain\" or a \"standalone\" mode. 
JBOSS_HOME is the variable home\ndirectory for the Wildfly installation. Use relevant OS commands to navigate the\nfile system.\n\nA. For a managed domain installation, review the domain.conf and\ndomain.conf.bat files:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nJBOSS_HOME/bin/domain.conf\nJBOSS_HOME/bin/domain.conf.bat\n\nIn domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java\nSecurity Manager as well as a relevant Java Security policy. The following is\nan example:\n\nJAVA_OPTS=\"$JAVA_OPTS -Djava.security.manager\n-Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME\n-Djboss.modules.policy-permissions=true\"\n\nIn domain.conf.bat file, ensure JAVA_OPTS flag is set. The following is an\nexample:\n\nset \"JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager\n-Djava.security.policy==/path/to/server.policy\n-Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true\"\n\nB. For a standalone installation, review the standalone.conf and\nstandalone.conf.bat files:\n\nJBOSS_HOME/bin/standalone.conf\nJBOSS_HOME/bin/standalone.conf.bat\n\nIn the standalone.conf file, ensure the JAVA_OPTS flag is set. The following\nis an example:\n\nJAVA_OPTS=\"$JAVA_OPTS -Djava.security.manager\n-Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME\n-Djboss.modules.policy-permissions=true\"\n\nIn the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. 
The\nfollowing is an example:\n\nset \"JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager\n-Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME%\n-Djboss.modules.policy-permissions=true\"\n\nIf the security manager is not enabled and a security policy not defined, this\nis a finding.", + "fix": "For a domain installation:\nEnable the respective JAVA_OPTS flag in both the domain.conf and the\ndomain.conf.bat files.\n\nFor a standalone installation:\nEnable the respective JAVA_OPTS flag in both the standalone.conf and the\nstandalone.conf.bat files.", + "fix_id": "F-68145r1_fix" }, - "code": "control 'V-62321' do\n title \"Wildfly must be configured to use an approved TLS version.\"\n desc \"\n Preventing the disclosure of transmitted information requires that the\n application server take measures to employ some form of cryptographic mechanism\n in order to protect the information during transmission. This is usually\n achieved through the use of Transport Layer Security (TLS).\n\n Wildlfy relies on the underlying SSL implementation running on the OS. This\n can be either Java based or OpenSSL. The SSL protocol setting determines which\n SSL protocol is used. SSL has known security vulnerabilities, so TLS should be\n used instead.\n\n If data is transmitted unencrypted, the data then becomes vulnerable to\n disclosure. 
The disclosure may reveal user identifier/password combinations,\n website code revealing business logic, or other user personal information.\n\n FIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\n TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.\n NIST SP 800-52 specifies the preferred configurations for government systems.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000439-AS-000155'\n tag \"gid\": 'V-62321'\n tag \"rid\": 'SV-76811r2_rule'\n tag \"stig_id\": 'JBOS-AS-000650'\n tag \"cci\": ['CCI-002418']\n tag \"documentable\": false\n tag \"nist\": ['SC-8', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n Validate that the TLS protocol is used for HTTPS connections.\n Run the command:\n\n \\\"ls /subsystem=web/connector=https/ssl=configuration\\\"\n\n If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.\"\n tag \"fix\": \"Reference section 4.6 of the Wildfly Security Guide located\n on the Red Hat vendor's web site for step-by-step instructions on establishing\n SSL encryption on Wildfly.\n\n The overall steps include:\n\n 1. Add an HTTPS connector.\n 2. Configure the SSL encryption certificate and keys.\n 3. 
Set the protocol to TLS V1.1 or V1.2.\"\n tag \"fix_id\": 'F-68241r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly enabled TLS versions' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=undertow/server=default-server/https-listener=https/\").stdout }\n it { should match(%r{enabled-protocols=TLSv1.[12]}) }\n end\nend\n", + "code": "control 'V-62225' do\n title \"The Java Security Manager must be enabled for the wildfly application\nserver.\"\n desc \"\n The Java Security Manager is a java class that manages the external\nboundary of the Java Virtual Machine (JVM) sandbox, controlling how code\nexecuting within the JVM can interact with resources outside the JVM.\n\n The Java Security Manager uses a security policy to determine whether a\ngiven action will be\n permitted or denied.\n\n To protect the host system, the Wildfly application server must be run within\nthe Java Security Manager.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000033-AS-000024'\n tag \"gid\": 'V-62225'\n tag \"rid\": 'SV-76715r1_rule'\n tag \"stig_id\": 'JBOS-AS-000030'\n tag \"cci\": ['CCI-000213']\n tag \"documentable\": false\n tag \"nist\": ['AC-3', 'Rev_4']\n tag \"check\": \"To determine if the Java Security Manager is enabled for Wildfly,\nyou must examine the startup commands. Wildfly can be configured to run in\neither \\\"domain\\\" or a \\\"standalone\\\" mode. JBOSS_HOME is the variable home\ndirectory for the Wildfly installation. Use relevant OS commands to navigate the\nfile system.\n\nA. For a managed domain installation, review the domain.conf and\ndomain.conf.bat files:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nJBOSS_HOME/bin/domain.conf\nJBOSS_HOME/bin/domain.conf.bat\n\nIn domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java\nSecurity Manager as well as a relevant Java Security policy. 
The following is\nan example:\n\nJAVA_OPTS=\\\"$JAVA_OPTS -Djava.security.manager\n-Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME\n-Djboss.modules.policy-permissions=true\\\"\n\nIn domain.conf.bat file, ensure JAVA_OPTS flag is set. The following is an\nexample:\n\nset \\\"JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager\n-Djava.security.policy==/path/to/server.policy\n-Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true\\\"\n\nB. For a standalone installation, review the standalone.conf and\nstandalone.conf.bat files:\n\nJBOSS_HOME/bin/standalone.conf\nJBOSS_HOME/bin/standalone.conf.bat\n\nIn the standalone.conf file, ensure the JAVA_OPTS flag is set. The following\nis an example:\n\nJAVA_OPTS=\\\"$JAVA_OPTS -Djava.security.manager\n-Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME\n-Djboss.modules.policy-permissions=true\\\"\n\nIn the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The\nfollowing is an example:\n\nset \\\"JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager\n-Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME%\n-Djboss.modules.policy-permissions=true\\\"\n\nIf the security manager is not enabled and a security policy not defined, this\nis a finding.\"\n tag \"fix\": \"For a domain installation:\nEnable the respective JAVA_OPTS flag in both the domain.conf and the\ndomain.conf.bat files.\n\nFor a standalone installation:\nEnable the respective JAVA_OPTS flag in both the standalone.conf and the\nstandalone.conf.bat files.\"\n tag \"fix_id\": 'F-68145r1_fix'\n\n connect = input('connection')\n\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should_not match(%r{#JAVA_OPTS}) }\n end\n describe.one do\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('content') { should_not match(%r{JAVA_OPTS=\\s*}) }\n end\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n 
its('content') { should_not match(%r{JAVA_OPTS=\"\\s*\"\\s*}) }\n end\n describe parse_config_file(\"#{ input('jboss_home') }/bin/standalone.conf\") do\n its('SECMGR') { should match(%r{\"true\"}) }\n end\n end\n\n describe.one do\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf.bat\") do\n its('content') { should_not match(%r{#set\\s*\"JAVA_OPTS=\\s*}) }\n end\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf.bat\") do\n its('content') { should_not match(%r{set\\s*\"JAVA_OPTS=\\s*}) }\n end\n describe file(\"#{ input('jboss_home') }/bin/standalone.conf.bat\") do\n its('content') { should include 'set \"SECMGR=true\"' }\n its('content') { should_not include 'rem set \"SECMGR=true\"' }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62321.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62225.rb", "line": 1 }, - "id": "V-62321" + "id": "V-62225" }, { - "title": "The Wildfly Server must be configured to utilize a centralized\n authentication mechanism such as AD or LDAP.", - "desc": "To assure accountability and prevent unauthorized access, application\nserver users must be uniquely identified and authenticated. This is typically\naccomplished via the use of a user store that is either local (OS-based) or\ncentralized (Active Directory/LDAP) in nature. It should be noted that Wildfly\ndoes not specifically mention Active Directory since AD is LDAP aware.\n\n To ensure accountability and prevent unauthorized access, the JBoss Server\nmust be configured to utilize a centralized authentication mechanism.", + "title": "The Wildfly server must separate hosted application functionality from\n application server management functionality.", + "desc": "The application server consists of the management interface and hosted\napplications. 
By separating the management interface from hosted applications,\nthe user must authenticate as a privileged user to the management interface\nbefore being presented with management functionality. This prevents\nnon-privileged users from having visibility to functions not available to the\nuser. By limiting visibility, a compromised non-privileged account does not\noffer information to the attacker or functionality and information needed to\nfurther the attack on the application server.\n\n Wildfly is designed to operate with separate application and management\ninterfaces.\n The Wildfly server is started via a script. To start the JBoss server in\ndomain mode, the admin will execute the $JBOSS_HOME;/bin/domain.sh or\ndomain.bat script.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\n To start the Wildfly server in standalone mode, the admin will execute\n$JBOSS_HOME;/bin/standalone.bat or standalone.sh.\n\n Command line flags are used to specify which network address is used for\nmanagement and which address is used for public/application access.", "descriptions": { - "default": "To assure accountability and prevent unauthorized access, application\nserver users must be uniquely identified and authenticated. This is typically\naccomplished via the use of a user store that is either local (OS-based) or\ncentralized (Active Directory/LDAP) in nature. It should be noted that Wildfly\ndoes not specifically mention Active Directory since AD is LDAP aware.\n\n To ensure accountability and prevent unauthorized access, the JBoss Server\nmust be configured to utilize a centralized authentication mechanism." + "default": "The application server consists of the management interface and hosted\napplications. By separating the management interface from hosted applications,\nthe user must authenticate as a privileged user to the management interface\nbefore being presented with management functionality. 
This prevents\nnon-privileged users from having visibility to functions not available to the\nuser. By limiting visibility, a compromised non-privileged account does not\noffer information to the attacker or functionality and information needed to\nfurther the attack on the application server.\n\n Wildfly is designed to operate with separate application and management\ninterfaces.\n The Wildfly server is started via a script. To start the JBoss server in\ndomain mode, the admin will execute the $JBOSS_HOME;/bin/domain.sh or\ndomain.bat script.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\n To start the Wildfly server in standalone mode, the admin will execute\n$JBOSS_HOME;/bin/standalone.bat or standalone.sh.\n\n Command line flags are used to specify which network address is used for\nmanagement and which address is used for public/application access." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000148-AS-000101", - "gid": "V-62277", - "rid": "SV-76767r1_rule", - "stig_id": "JBOS-AS-000260", + "gtitle": "SRG-APP-000211-AS-000146", + "gid": "V-62297", + "rid": "SV-76787r1_rule", + "stig_id": "JBOS-AS-000355", "cci": [ - "CCI-000764" + "CCI-001082" ], "documentable": false, "nist": [ - "IA-2", + "SC-2", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n To obtain the list of security realms run the command:\n \"ls /core-service=management/security-realm=\"\n\n Review each security realm using the command:\n \"ls\n /core-service=management/security-realm=/authentication\"\n\n If this command does not return a security realm that uses LDAP for\n authentication, this is a finding.", - "fix": "Follow steps in section 11.8 - Management Interface Security in\n the\n 
Wildfly_Enterprise_Application_Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. Reference the new security domain in the Management Interface.", - "fix_id": "F-68197r1_fix" + "check": "If Wildfly is not started with separate management and public\n interfaces, this is a finding.\n\n Review the network design documents to identify the IP address space for the\n management network.\n\n Use relevant OS commands and administrative techniques to determine how the\n system administrator starts the JBoss server. This includes interviewing the\n system admin, using the \"ps -ef|grep\" command for UNIX like systems or\n checking command line flags and properties on batch scripts for Windows\n systems.\n\n\n\n The \"-b\" flag specifies the public address space.\n The \"-bmanagement\" flag specifies the management address space.\n\n Example:\n $JBOSS_HOME;/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25\n\n If Wildfly is not started with separate management and public interfaces, this is\n a finding.", + "fix": "Start the application server with a -bmanagement and a -b flag so\n that admin management functionality and hosted applications are separated.\n\n Refer to section 4.9 in the Wildfly Installation Guide for specific\n instructions on how to start the Wildfly server as a service.", + "fix_id": "F-68217r1_fix" }, - "code": "control 'V-62277' do\n title \"The Wildfly Server must be configured to utilize a centralized\n authentication mechanism such as AD or LDAP.\"\n desc \"\n To assure accountability and prevent unauthorized access, application\n server users must be uniquely identified and authenticated. This is typically\n accomplished via the use of a user store that is either local (OS-based) or\n centralized (Active Directory/LDAP) in nature. 
It should be noted that Wildfly\n does not specifically mention Active Directory since AD is LDAP aware.\n\n To ensure accountability and prevent unauthorized access, the JBoss Server\n must be configured to utilize a centralized authentication mechanism.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000148-AS-000101'\n tag \"gid\": 'V-62277'\n tag \"rid\": 'SV-76767r1_rule'\n tag \"stig_id\": 'JBOS-AS-000260'\n tag \"cci\": ['CCI-000764']\n tag \"documentable\": false\n tag \"nist\": ['IA-2', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Run the jboss-cli script.\n Connect to the server and authenticate.\n\n To obtain the list of security realms run the command:\n \\\"ls /core-service=management/security-realm=\\\"\n\n Review each security realm using the command:\n \\\"ls\n /core-service=management/security-realm=/authentication\\\"\n\n If this command does not return a security realm that uses LDAP for\n authentication, this is a finding.\"\n tag \"fix\": \"Follow steps in section 11.8 - Management Interface Security in\n the\n Wildfly_Enterprise_Application_Administration_and_Configuration_Guide-en-US\n document.\n\n 1. Create an outbound connection to the LDAP server.\n 2. Create an LDAP-enabled security realm.\n 3. 
Reference the new security domain in the Management Interface.\"\n tag \"fix_id\": 'F-68197r1_fix'\n\n connect = input('connection')\n\n get_security_realms = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=\").stdout.split(\"\\n\")\n\n get_security_realms.each do |security_realm|\n describe \"The security realm #{security_realm} authentication mechanism\" do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=#{security_realm}/authentication\").stdout }\n it { should include 'ldap' }\n end\n end\n if get_security_realms.empty?\n impact 0.0\n describe 'There are no wildfly security realms configured, therefore this controls is not applicable' do\n skip 'There are no wildfly security realms configured, therefore this controls is not applicable'\n end\n end\nend\n", + "code": "control 'V-62297' do\n title \"The Wildfly server must separate hosted application functionality from\n application server management functionality.\"\n desc \"\n The application server consists of the management interface and hosted\n applications. By separating the management interface from hosted applications,\n the user must authenticate as a privileged user to the management interface\n before being presented with management functionality. This prevents\n non-privileged users from having visibility to functions not available to the\n user. By limiting visibility, a compromised non-privileged account does not\n offer information to the attacker or functionality and information needed to\n further the attack on the application server.\n\n Wildfly is designed to operate with separate application and management\n interfaces.\n The Wildfly server is started via a script. 
To start the JBoss server in\n domain mode, the admin will execute the $JBOSS_HOME;/bin/domain.sh or\n domain.bat script.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n To start the Wildfly server in standalone mode, the admin will execute\n $JBOSS_HOME;/bin/standalone.bat or standalone.sh.\n\n Command line flags are used to specify which network address is used for\n management and which address is used for public/application access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000211-AS-000146'\n tag \"gid\": 'V-62297'\n tag \"rid\": 'SV-76787r1_rule'\n tag \"stig_id\": 'JBOS-AS-000355'\n tag \"cci\": ['CCI-001082']\n tag \"documentable\": false\n tag \"nist\": ['SC-2', 'Rev_4']\n tag \"check\": \"If Wildfly is not started with separate management and public\n interfaces, this is a finding.\n\n Review the network design documents to identify the IP address space for the\n management network.\n\n Use relevant OS commands and administrative techniques to determine how the\n system administrator starts the JBoss server. 
This includes interviewing the\n system admin, using the \\\"ps -ef|grep\\\" command for UNIX like systems or\n checking command line flags and properties on batch scripts for Windows\n systems.\n\n\n\n The \\\"-b\\\" flag specifies the public address space.\n The \\\"-bmanagement\\\" flag specifies the management address space.\n\n Example:\n $JBOSS_HOME;/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25\n\n If Wildfly is not started with separate management and public interfaces, this is\n a finding.\"\n tag \"fix\": \"Start the application server with a -bmanagement and a -b flag so\n that admin management functionality and hosted applications are separated.\n\n Refer to section 4.9 in the Wildfly Installation Guide for specific\n instructions on how to start the Wildfly server as a service.\"\n tag \"fix_id\": 'F-68217r1_fix'\n bind_mgmt_address = command(\"grep jboss.bind.address.management #{ input('jboss_home') }/standalone/configuration/standalone.xml | awk -F'=' '{print $2}' \").stdout\n public_bind_address = command(\"grep jboss.bind.address #{ input('jboss_home') }/standalone/configuration/standalone.xml | grep -v management | awk -F'=' '{print $2}' \").stdout\n describe 'The wildfly bind management address' do\n subject { bind_mgmt_address }\n it { should_not eq public_bind_address }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62277.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62297.rb", "line": 1 }, - "id": "V-62277" + "id": "V-62297" }, { - "title": "Wildfly must be configured to log the IP address of the remote system\n connecting to the Wildfly system/cluster.", + "title": "Wildfly must be configured to produce log records containing information\nto establish what type of events occurred.", "desc": "Information system logging capability is critical for accurate forensic\nanalysis. 
Without being able to establish what type of event occurred, it\nwould be difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\ncontrol includes time stamps, source and destination addresses, user/process\nidentifiers, event descriptions, success/fail indications, filenames involved,\nand access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\napplication server. Examples of relevant data include, but are not limited to,\nJava Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\nserver-related system process activity.",
 "descriptions": {
 "default": "Information system logging capability is critical for accurate forensic\nanalysis. Without being able to establish what type of event occurred, it\nwould be difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\ncontrol includes time stamps, source and destination addresses, user/process\nidentifiers, event descriptions, success/fail indications, filenames involved,\nand access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\napplication server. Examples of relevant data include, but are not limited to,\nJava Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\nserver-related system process activity."
@@ -1910,9 +1910,9 @@
 "refs": [],
 "tags": {
 "gtitle": "SRG-APP-000095-AS-000056",
- "gid": "V-62237",
- "rid": "SV-76727r1_rule",
- "stig_id": "JBOS-AS-000105",
+ "gid": "V-62239",
+ "rid": "SV-76729r1_rule",
+ "stig_id": "JBOS-AS-000110",
 "cci": [
 "CCI-000130"
 ],
@@ -1921,368 +1921,361 @@ "AU-3", "Rev_4" ], - "check": "Log on to the OS of the Wildlfy server with OS permissions that\n allow access to Wildlfy.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.", "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68157r1_fix" + "fix_id": "F-68159r1_fix" 
}, - "code": "control 'V-62237' do\n title \"Wildfly must be configured to log the IP address of the remote system\n connecting to the Wildfly system/cluster.\"\n desc \"\n Information system logging capability is critical for accurate forensic\n analysis. Without being able to establish what type of event occurred, it\n would be difficult to establish, correlate, and investigate the events relating\n to an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\n control includes time stamps, source and destination addresses, user/process\n identifiers, event descriptions, success/fail indications, filenames involved,\n and access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\n application server. Examples of relevant data include, but are not limited to,\n Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\n server-related system process activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000095-AS-000056'\n tag \"gid\": 'V-62237'\n tag \"rid\": 'SV-76727r1_rule'\n tag \"stig_id\": 'JBOS-AS-000105'\n tag \"cci\": ['CCI-000130']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildlfy server with OS permissions that\n allow access to Wildlfy.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this 
is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68157r1_fix'\n\n connect = input('connection')\n\n describe 'Wildfly log the IP address of the remote system connecting to the Wildfly system/cluster' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62239' do\n title \"Wildfly must be configured to produce log records containing information\nto establish what type of events occurred.\"\n desc \"\n Information system logging capability is critical for accurate forensic\nanalysis. Without being able to establish what type of event occurred, it\nwould be difficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible.\n\n Log record content that may be necessary to satisfy the requirement of this\ncontrol includes time stamps, source and destination addresses, user/process\nidentifiers, event descriptions, success/fail indications, filenames involved,\nand access control or flow control rules invoked.\n\n Application servers must log all relevant log data that pertains to the\napplication server. 
Examples of relevant data include, but are not limited to,\nJava Virtual Machine (JVM) activity, HTTPD/Web server activity, and application\nserver-related system process activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000095-AS-000056'\n tag \"gid\": 'V-62239'\n tag \"rid\": 'SV-76729r1_rule'\n tag \"stig_id\": 'JBOS-AS-000110'\n tag \"cci\": ['CCI-000130']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68159r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly server setting: produce log records containing information to establish what type of events occurred' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ 
/core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62237.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62239.rb", "line": 1 }, - "id": "V-62237" + "id": "V-62239" }, { - "title": "Network access to HTTP management must be disabled on domain-enabled\n application servers not designated as the domain controller.", - "desc": "When configuring Wildfly application servers into a domain configuration,\nHTTP management capabilities are not required on domain member servers as\nmanagement is done via the server that has been designated as the domain\ncontroller.\n\n Leaving HTTP management capabilities enabled on domain member servers\nincreases the attack surfaces; therefore, management services on domain member\nservers must be disabled and management services performed via the domain\ncontroller.", + "title": "File permissions must be configured to protect log information from\nany type of unauthorized read access.", + "desc": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict access.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. 
Application servers must protect log information from\nunauthorized access.", "descriptions": { - "default": "When configuring Wildfly application servers into a domain configuration,\nHTTP management capabilities are not required on domain member servers as\nmanagement is done via the server that has been designated as the domain\ncontroller.\n\n Leaving HTTP management capabilities enabled on domain member servers\nincreases the attack surfaces; therefore, management services on domain member\nservers must be disabled and management services performed via the domain\ncontroller." + "default": "If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict access.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log information\nsystem activity. Application servers must protect log information from\nunauthorized access." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000316-AS-000199", - "gid": "V-62303", - "rid": "SV-76793r1_rule", - "stig_id": "JBOS-AS-000470", + "gtitle": "SRG-APP-000118-AS-000078", + "gid": "V-62251", + "rid": "SV-76741r1_rule", + "stig_id": "JBOS-AS-000165", "cci": [ - "CCI-002322" + "CCI-000162" ], "documentable": false, "nist": [ - "AC-17 (9)", + "AU-9", "Rev_4" ], - "check": "Log on to each of the Wildfly domain member servers.\n\n Note: Sites that manage systems using the Wildfly Operations Network client\n require HTTP interface access. 
It is acceptable that the management console\n alone be disabled rather than disabling the entire interface itself.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the $JBOSS_HOME;/bin/jboss-cli command line interface utility and connect\n to the Wildfly server.\n Run the following command:\n ls /core-service=management/management-interface=httpinterface/\n\n If \"console-enabled=true\", this is a finding.", - "fix": "Run the $JBOSS_HOME;/bin/jboss-cli command line interface\n utility.\n Connect to the Wildfly server and run the following command.\n /core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)\n\n Successful command execution returns\n {\"outcome\" => \"success\"}, and future attempts to access the management\n console via web browser at :9990 will result in no access to the\n admin console.", - "fix_id": "F-68223r1_fix" + "check": "Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. 
The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to read log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to read log files.\n\nIf unauthorized users are allowed to read log files, or if documentation that\nidentifies the users who are authorized to read log files is missing, this is a\nfinding.", + "fix": "Configure the OS file permissions on the application server to\nprotect log information from unauthorized read access.", + "fix_id": "F-68171r1_fix" }, - "code": "control 'V-62303' do\n title \"Network access to HTTP management must be disabled on domain-enabled\n application servers not designated as the domain controller.\"\n desc \"\n When configuring Wildfly application servers into a domain configuration,\n HTTP management capabilities are not required on domain member servers as\n management is done via the server that has been designated as the domain\n controller.\n\n Leaving HTTP management capabilities enabled on domain member servers\n increases the attack surfaces; therefore, management services on domain member\n servers must be disabled and management services performed via the domain\n controller.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000316-AS-000199'\n tag \"gid\": 'V-62303'\n tag \"rid\": 'SV-76793r1_rule'\n tag \"stig_id\": 'JBOS-AS-000470'\n tag \"cci\": ['CCI-002322']\n tag \"documentable\": false\n tag \"nist\": ['AC-17 (9)', 'Rev_4']\n tag \"check\": \"Log on to each of the Wildfly domain member servers.\n\n Note: Sites that manage systems using the Wildfly Operations Network client\n require HTTP interface access. 
It is acceptable that the management console\n alone be disabled rather than disabling the entire interface itself.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the $JBOSS_HOME;/bin/jboss-cli command line interface utility and connect\n to the Wildfly server.\n Run the following command:\n ls /core-service=management/management-interface=httpinterface/\n\n If \\\"console-enabled=true\\\", this is a finding.\"\n tag \"fix\": \"Run the $JBOSS_HOME;/bin/jboss-cli command line interface\n utility.\n Connect to the Wildfly server and run the following command.\n /core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)\n\n Successful command execution returns\n {\\\"outcome\\\" => \\\"success\\\"}, and future attempts to access the management\n console via web browser at :9990 will result in no access to the\n admin console.\"\n tag \"fix_id\": 'F-68223r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly HTTP management interface' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/management-interface=http-interface\").stdout }\n it { should_not include 'console-enabled=true' }\n end\nend\n", + "code": "control 'V-62251' do\n title \"File permissions must be configured to protect log information from\nany type of unauthorized read access.\"\n desc \"\n If log data were to become compromised, then competent forensic analysis\nand discovery of the true source of potentially malicious system activity is\ndifficult, if not impossible, to achieve.\n\n When not configured to use a centralized logging solution like a syslog\nserver, the Wildfly EAP application server writes log data to log files that are\nstored on the OS; appropriate file permissions must be used to restrict access.\n\n Log information includes all information (e.g., log records, log settings,\ntransaction logs, and log reports) needed to successfully log 
information\nsystem activity. Application servers must protect log information from\nunauthorized access.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000118-AS-000078'\n tag \"gid\": 'V-62251'\n tag \"rid\": 'SV-76741r1_rule'\n tag \"stig_id\": 'JBOS-AS-000165'\n tag \"cci\": ['CCI-000162']\n tag \"documentable\": false\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"check\": \"Examine the log file locations and inspect the file\npermissions. Interview the system admin to determine log file locations. The\ndefault location for the log files is:\n\nThe $JBOSS_HOME default is /opt/bin/widfly\n\nStandalone configuration:\n$JBOSS_HOME;/standalone/log/\n\nManaged Domain configuration:\n$JBOSS_HOME;/domain/servers//log/\n$JBOSS_HOME;/domain/log/\n\nReview the file permissions for the log file directories. The method used for\nidentifying file permissions will be based upon the OS the EAP server is\ninstalled on.\n\nIdentify all users with file permissions that allow them to read log files.\n\nRequest documentation from system admin that identifies the users who are\nauthorized to read log files.\n\nIf unauthorized users are allowed to read log files, or if documentation that\nidentifies the users who are authorized to read log files is missing, this is a\nfinding.\"\n tag \"fix\": \"Configure the OS file permissions on the application server to\nprotect log information from unauthorized read access.\"\n tag \"fix_id\": 'F-68171r1_fix'\n\n wildfly_group = input('wildfly_group')\n wildly_owner = input('wildly_owner')\n describe directory(\"#{ input('jboss_home') }/standalone/log\") do\n its('owner') { should eq \"#{wildly_owner}\" }\n its('group') { should eq \"#{wildfly_group}\" }\n its('mode') { should cmp '0750' }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62303.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62251.rb", "line": 1 }, - "id": "V-62303" + "id": "V-62251" }, { - "title": "The Wildfly server must be configured to 
bind the management interfaces\n to only management networks.", - "desc": "Wildfly provides multiple interfaces for accessing the system. By\n default, these are called \"public\" and \"management\". Allowing\n non-management traffic to access the Wildfly management interface increases the\n chances of a security compromise. The Wildfly server must be configured to bind\n the management interface to a network that controls access. This is usually a\n network that has been designated as a management network and has restricted\n access. Similarly, the public interface must be bound to a network that is not\n on the same segment as the management interface.", + "title": "Wildfly must be configured to generate log records when\n successful/unsuccessful logon attempts occur.", + "desc": "Logging the access to the application server allows the system\nadministrators to monitor user accounts. By logging successful/unsuccessful\nlogons, the system administrator can determine if an account is compromised\n(e.g., frequent logons) or is in the process of being compromised (e.g.,\nfrequent failed logons) and can take actions to thwart the attack.\n\n Logging successful logons can also be used to determine accounts that are\nno longer in use.", "descriptions": { - "default": "Wildfly provides multiple interfaces for accessing the system. By\n default, these are called \"public\" and \"management\". Allowing\n non-management traffic to access the Wildfly management interface increases the\n chances of a security compromise. The Wildfly server must be configured to bind\n the management interface to a network that controls access. This is usually a\n network that has been designated as a management network and has restricted\n access. Similarly, the public interface must be bound to a network that is not\n on the same segment as the management interface." + "default": "Logging the access to the application server allows the system\nadministrators to monitor user accounts. 
By logging successful/unsuccessful\nlogons, the system administrator can determine if an account is compromised\n(e.g., frequent logons) or is in the process of being compromised (e.g.,\nfrequent failed logons) and can take actions to thwart the attack.\n\n Logging successful logons can also be used to determine accounts that are\nno longer in use." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000158-AS-000108", - "gid": "V-62283", - "rid": "SV-76773r1_rule", - "stig_id": "JBOS-AS-000285", + "gtitle": "SRG-APP-000503-AS-000228", + "gid": "V-62333", + "rid": "SV-76823r1_rule", + "stig_id": "JBOS-AS-000700", "cci": [ - "CCI-000778" + "CCI-000172" ], "documentable": false, "nist": [ - "IA-3", + "AU-12 c", "Rev_4" ], - "check": "Obtain documentation and network drawings from system admin\n that shows the network interfaces on the Wildfly server and the networks they are\n configured for.\n\n If a management network is not used, you may substitute localhost/127.0.0.1 for\n management address. If localhost/127.0.0.1 is used for management interface,\n this is not a finding.\n\n From the Wildfly server open the web-based admin console by pointing a browser to\n HTTP://127.0.0.1:9990.\n Log on to the management console with admin credentials.\n Select \"RUNTIME\".\n Expand STATUS by clicking on +.\n Expand PLATFORM by clicking on +.\n In the \"Environment\" tab, click the > arrow until you see the\n \"jboss.bind.properties\" and the \"jboss.bind.properties.management\" values.\n\n If the jboss.bind.properties and the jboss.bind.properties.management do not\n have different IP network addresses assigned, this is a finding.\n\n Review the network documentation. 
If access to the management IP address is\n not restricted, this is a finding.", - "fix": "Refer to the Wildfly EAP Installation guide for\n detailed instructions on how to start JBoss as a service.\n\n Use the following command line parameters to assign the management interface to\n a specific management network.\n\n These command line flags must be added both when starting JBoss as a service\n and when starting from the command line.\n\n Substitute your actual network address for the 10.x.x.x addresses provided as\n an example below.\n\n For a standalone configuration:\n JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1\n\n JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1\n\n If a management network is not available, you may substitute\n localhost/127.0.0.1 for management address. This will force you to manage the\n Wildfly server from the local host.", - "fix_id": "F-68203r1_fix" + "check": "Log on to the OS of the JBoss server with OS permissions that\n allow access to JBoss.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n 
\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68253r1_fix" }, - "code": "control 'V-62283' do\n title \"The Wildfly server must be configured to bind the management interfaces\n to only management networks.\"\n desc \"Wildfly provides multiple interfaces for accessing the system. By\n default, these are called \\\"public\\\" and \\\"management\\\". Allowing\n non-management traffic to access the Wildfly management interface increases the\n chances of a security compromise. The Wildfly server must be configured to bind\n the management interface to a network that controls access. This is usually a\n network that has been designated as a management network and has restricted\n access. Similarly, the public interface must be bound to a network that is not\n on the same segment as the management interface.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000158-AS-000108'\n tag \"gid\": 'V-62283'\n tag \"rid\": 'SV-76773r1_rule'\n tag \"stig_id\": 'JBOS-AS-000285'\n tag \"cci\": ['CCI-000778']\n tag \"documentable\": false\n tag \"nist\": ['IA-3', 'Rev_4']\n tag \"check\": \"Obtain documentation and network drawings from system admin\n that shows the network interfaces on the Wildfly server and the networks they are\n configured for.\n\n If a management network is not used, you may substitute localhost/127.0.0.1 for\n management address. 
If localhost/127.0.0.1 is used for management interface,\n this is not a finding.\n\n From the Wildfly server open the web-based admin console by pointing a browser to\n HTTP://127.0.0.1:9990.\n Log on to the management console with admin credentials.\n Select \\\"RUNTIME\\\".\n Expand STATUS by clicking on +.\n Expand PLATFORM by clicking on +.\n In the \\\"Environment\\\" tab, click the > arrow until you see the\n \\\"jboss.bind.properties\\\" and the \\\"jboss.bind.properties.management\\\" values.\n\n If the jboss.bind.properties and the jboss.bind.properties.management do not\n have different IP network addresses assigned, this is a finding.\n\n Review the network documentation. If access to the management IP address is\n not restricted, this is a finding.\"\n tag \"fix\": \"Refer to the Wildfly EAP Installation guide for\n detailed instructions on how to start JBoss as a service.\n\n Use the following command line parameters to assign the management interface to\n a specific management network.\n\n These command line flags must be added both when starting JBoss as a service\n and when starting from the command line.\n\n Substitute your actual network address for the 10.x.x.x addresses provided as\n an example below.\n\n For a standalone configuration:\n JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1\n\n JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1\n\n If a management network is not available, you may substitute\n localhost/127.0.0.1 for management address. 
This will force you to manage the\n Wildfly server from the local host.\"\n tag \"fix_id\": 'F-68203r1_fix'\n\n bind_mgmt_address = command(\"grep jboss.bind.address.management #{ input('jboss_home') }/standalone/configuration/standalone.xml | awk -F'=' '{print $2}' \").stdout\n public_bind_address = command(\"grep jboss.bind.address #{ input('jboss_home') }/standalone/configuration/standalone.xml | grep -v management | awk -F'=' '{print $2}' \").stdout\n\n bind_mgmt_address = command(\"grep jboss.bind.address.management #{ input('jboss_home') }/standalone/configuration/standalone.xml | awk -F'=' '{print $2}' \").stdout\n public_bind_address = command(\"grep jboss.bind.address #{ input('jboss_home') }/standalone/configuration/standalone.xml | grep -v management | awk -F'=' '{print $2}' \").stdout\n\n describe 'The wildfly bind address' do\n subject { bind_mgmt_address }\n it { should_not eq public_bind_address }\n end\nend\n", + "code": "control 'V-62333' do\n title \"Wildfly must be configured to generate log records when\n successful/unsuccessful logon attempts occur.\"\n desc \"\n Logging the access to the application server allows the system\n administrators to monitor user accounts. 
By logging successful/unsuccessful\n logons, the system administrator can determine if an account is compromised\n (e.g., frequent logons) or is in the process of being compromised (e.g.,\n frequent failed logons) and can take actions to thwart the attack.\n\n Logging successful logons can also be used to determine accounts that are\n no longer in use.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000503-AS-000228'\n tag \"gid\": 'V-62333'\n tag \"rid\": 'SV-76823r1_rule'\n tag \"stig_id\": 'JBOS-AS-000700'\n tag \"cci\": ['CCI-000172']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"check\": \"Log on to the OS of the JBoss server with OS permissions that\n allow access to JBoss.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68253r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly setting: generate log records when successful/unsuccessful logon attempts occur' do\n subject { 
command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62283.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62333.rb", "line": 1 }, - "id": "V-62283" + "id": "V-62333" }, { - "title": "Wildfly must be configured to use DoD PKI-established certificate\n authorities for verification of the establishment of protected sessions.", - "desc": "Untrusted Certificate Authorities (CA) can issue certificates, but they may\nbe issued by organizations or individuals that seek to compromise DoD systems\nor by organizations with insufficient security controls. If the CA used for\nverifying the certificate is not a DoD-approved CA, trust of this CA has not\nbeen established.\n\n The DoD will only accept PKI certificates obtained from a DoD-approved\ninternal or external certificate authority. Reliance on CAs for the\nestablishment of secure sessions includes, for example, the use of SSL/TLS\ncertificates. The application server must only allow the use of DoD\nPKI-established certificate authorities for verification.", + "title": "LDAP enabled security realm value allow-empty-passwords must be set to\n false.", + "desc": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords during transmission. If passwords are not\nencrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\n Application servers have the capability to utilize either certificates\n(tokens) or user IDs and passwords in order to authenticate. 
When the\napplication server transmits or receives passwords, the passwords must be\nencrypted.", "descriptions": { - "default": "Untrusted Certificate Authorities (CA) can issue certificates, but they may\nbe issued by organizations or individuals that seek to compromise DoD systems\nor by organizations with insufficient security controls. If the CA used for\nverifying the certificate is not a DoD-approved CA, trust of this CA has not\nbeen established.\n\n The DoD will only accept PKI certificates obtained from a DoD-approved\ninternal or external certificate authority. Reliance on CAs for the\nestablishment of secure sessions includes, for example, the use of SSL/TLS\ncertificates. The application server must only allow the use of DoD\nPKI-established certificate authorities for verification." + "default": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords during transmission. If passwords are not\nencrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\n Application servers have the capability to utilize either certificates\n(tokens) or user IDs and passwords in order to authenticate. When the\napplication server transmits or receives passwords, the passwords must be\nencrypted." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000427-AS-000264", - "gid": "V-62317", - "rid": "SV-76807r1_rule", - "stig_id": "JBOS-AS-000625", + "gtitle": "SRG-APP-000172-AS-000120", + "gid": "V-62291", + "rid": "SV-76781r1_rule", + "stig_id": "JBOS-AS-000305", "cci": [ - "CCI-002470" + "CCI-000197" ], "documentable": false, "nist": [ - "SC-23 (5)", + "IA-5 (1) (c)", "Rev_4" ], - "check": "Locate the cacerts file for the JVM. 
This can be done using\n the appropriate find command for the OS and change to the directory where the\n cacerts file is located.\n\n To view the certificates stored within this file, execute the java command\n \"keytool -list -v -keystore ./cacerts\".\n Verify that the Certificate Authority (CA) for each certificate is DoD-approved.\n\n If any certificates have a CA that are not DoD-approved, this is a finding.", - "fix": "Locate the cacerts file for the JVM. This can be done using the\n appropriate find command for the OS and change to the directory where the\n cacerts file is located.\n\n Remove the certificates that have a CA that is non-DoD approved, and import DoD\n CA-approved certificates.", - "fix_id": "F-68237r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n \"ls\n /core-service=management/security-realm=ldap_security_realm/authentication=ldap\"\n\n If \"allow-empty-passwords=true\", this is a finding.", + "fix": "Configure the LDAP Security Realm using default settings that\n sets \"allow-empty-values\" to false. LDAP Security Realm creation is\n described in section 11.9 -Add an LDAP Security Realm in the\n JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US\n document.", + "fix_id": "F-68211r1_fix" }, - "code": "control 'V-62317' do\n title \"Wildfly must be configured to use DoD PKI-established certificate\n authorities for verification of the establishment of protected sessions.\"\n desc \"\n Untrusted Certificate Authorities (CA) can issue certificates, but they may\n be issued by organizations or individuals that seek to compromise DoD systems\n or by organizations with insufficient security controls. 
If the CA used for\n verifying the certificate is not a DoD-approved CA, trust of this CA has not\n been established.\n\n The DoD will only accept PKI certificates obtained from a DoD-approved\n internal or external certificate authority. Reliance on CAs for the\n establishment of secure sessions includes, for example, the use of SSL/TLS\n certificates. The application server must only allow the use of DoD\n PKI-established certificate authorities for verification.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000427-AS-000264'\n tag \"gid\": 'V-62317'\n tag \"rid\": 'SV-76807r1_rule'\n tag \"stig_id\": 'JBOS-AS-000625'\n tag \"cci\": ['CCI-002470']\n tag \"documentable\": false\n tag \"nist\": ['SC-23 (5)', 'Rev_4']\n tag \"check\": \"Locate the cacerts file for the JVM. This can be done using\n the appropriate find command for the OS and change to the directory where the\n cacerts file is located.\n\n To view the certificates stored within this file, execute the java command\n \\\"keytool -list -v -keystore ./cacerts\\\".\n Verify that the Certificate Authority (CA) for each certificate is DoD-approved.\n\n If any certificates have a CA that are not DoD-approved, this is a finding.\"\n tag \"fix\": \"Locate the cacerts file for the JVM. 
This can be done using the\n appropriate find command for the OS and change to the directory where the\n cacerts file is located.\n\n Remove the certificates that have a CA that is non-DoD approved, and import DoD\n CA-approved certificates.\"\n tag \"fix_id\": 'F-68237r1_fix'\n dod_cn = command(\"keytool -list -v -keystore /usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts\").stdout\n eca_cn = command(\"keytool -list -v -keystore /usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts\").stdout\n\n describe.one do\n describe 'The Wildfly DoD PKI-established certificate' do\n subject { dod_cn }\n it { should match(%r{CN=DoD}) }\n end\n describe 'The Wildfly DoD PKI-established certificate' do\n subject { eca_cn }\n it { should match(%r{CN=ECA}) }\n end\n end\nend\n", + "code": "control 'V-62291' do\n title \"LDAP enabled security realm value allow-empty-passwords must be set to\n false.\"\n desc \"\n Passwords need to be protected at all times, and encryption is the standard\n method for protecting passwords during transmission. If passwords are not\n encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\n Application servers have the capability to utilize either certificates\n (tokens) or user IDs and passwords in order to authenticate. 
When the\n application server transmits or receives passwords, the passwords must be\n encrypted.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000172-AS-000120'\n tag \"gid\": 'V-62291'\n tag \"rid\": 'SV-76781r1_rule'\n tag \"stig_id\": 'JBOS-AS-000305'\n tag \"cci\": ['CCI-000197']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n \\\"ls\n /core-service=management/security-realm=ldap_security_realm/authentication=ldap\\\"\n\n If \\\"allow-empty-passwords=true\\\", this is a finding.\"\n tag \"fix\": \"Configure the LDAP Security Realm using default settings that\n sets \\\"allow-empty-values\\\" to false. LDAP Security Realm creation is\n described in section 11.9 -Add an LDAP Security Realm in the\n JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US\n document.\"\n tag \"fix_id\": 'F-68211r1_fix'\n\n connect = input('connection')\n ldap = input('ldap')\n\n if ldap\n describe 'The LDAP enabled security realm value allow-empty-passwords' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/security-realm=ldap_security_realm/authentication=ldap\").stdout }\n it { should_not match(%r{allow-empty-passwords=true}) }\n end\n else\n describe 'Ldap is not being used, control not applicable' do\n skip 'Ldap is not being used, control not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62317.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62291.rb", "line": 1 }, - "id": "V-62317" + "id": "V-62291" }, { - "title": "The Wildlfy server must be configured 
to use DoD- or CNSS-approved PKI\n Class 3 or Class 4 certificates.", - "desc": "Class 3 PKI certificates are used for servers and software signing\n rather than for identifying individuals. Class 4 certificates are used for\n business-to-business transactions. Utilizing unapproved certificates not issued\n or approved by DoD or CNS creates an integrity risk. The application server\n must utilize approved DoD or CNS Class 3 or Class 4 certificates for software\n signing and business-to-business transactions.", + "title": "Wildfly ROOT logger must be configured to utilize the appropriate\n logging level.", + "desc": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes: time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n The Wildfly application server ROOT logger captures all messages not captured\nby a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG,\nETC.). By default, the ROOT logger level is set to INFO, which is a value of\n800. This will capture most events adequately. Any level numerically higher\nthan INFO (> 800) records less data and may result in an insufficient amount of\ninformation being logged by the ROOT logger. This can result in failed\nforensic investigations. The ROOT logger level must be INFO level or lower to\nprovide adequate log information.", "descriptions": { - "default": "Class 3 PKI certificates are used for servers and software signing\n rather than for identifying individuals. Class 4 certificates are used for\n business-to-business transactions. Utilizing unapproved certificates not issued\n or approved by DoD or CNS creates an integrity risk. 
The application server\n must utilize approved DoD or CNS Class 3 or Class 4 certificates for software\n signing and business-to-business transactions." + "default": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes: time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n The Wildfly application server ROOT logger captures all messages not captured\nby a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG,\nETC.). By default, the ROOT logger level is set to INFO, which is a value of\n800. This will capture most events adequately. Any level numerically higher\nthan INFO (> 800) records less data and may result in an insufficient amount of\ninformation being logged by the ROOT logger. This can result in failed\nforensic investigations. The ROOT logger level must be INFO level or lower to\nprovide adequate log information." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000514-AS-000137", - "gid": "V-62343", - "rid": "SV-76833r1_rule", - "stig_id": "JBOS-AS-000730", + "gtitle": "SRG-APP-000100-AS-000063", + "gid": "V-62249", + "rid": "SV-76739r1_rule", + "stig_id": "JBOS-AS-000135", "cci": [ - "CCI-002450" + "CCI-001487" ], "documentable": false, "nist": [ - "SC-13", + "AU-3", "Rev_4" ], - "check": "Interview the administrator to determine if Wildlfy is using\n certificates for PKI. If Wildlfy is not performing any PKI functions, this\n finding is NA.\n\n The CA certs are usually stored in a file called cacerts located in the\n directory $JAVA_HOME/lib/security. 
If the file is not in this location, use a\n search command to locate the file, or ask the administrator where the\n certificate store is located.\n\n Open a dos shell or terminal window and change to the location of the\n certificate store. To view the certificates within the certificate store, run\n the command (in this example, the keystore file is cacerts.): keytool -list -v\n -keystore ./cacerts\n\n Locate the \"OU\" field for each certificate within the keystore. The field\n should contain either \"DoD\" or \"CNSS\" as the Organizational Unit (OU).\n\n If the OU does not show that the certificates are DoD or CNSS supplied, this is\n a finding.", - "fix": "Configure the application server to use DoD- or CNSS-approved\n Class 3 or Class 4 PKI certificates.", - "fix_id": "F-68263r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n The PROFILE NAMEs included with a Managed Domain Wildfly configuration are:\n \"default\", \"full\", \"full-ha\" or \"ha\"\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \"ls /profile=/subsystem=logging/root-logger=ROOT\"\n\n If ROOT logger \"level\" is not set to INFO, DEBUG or TRACE\n This is a finding for each (default, full, full-ha and ha)\n\n For a Standalone configuration:\n \"ls /subsystem=logging/root-logger=ROOT\"\n\n If \"level\" not = INFO, DEBUG or TRACE, this is a finding.", + "fix": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line 
Interface (CLI).\n Connect to the server and authenticate.\n\n The PROFILE NAMEs included with a Managed Domain Wildfly configuration are:\n \"default\", \"full\", \"full-ha\" or \"ha\"\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \"/profile=/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)\"\n\n For a Standalone configuration:\n \"/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)\"", + "fix_id": "F-68169r1_fix" }, - "code": "control 'V-62343' do\n title \"The Wildlfy server must be configured to use DoD- or CNSS-approved PKI\n Class 3 or Class 4 certificates.\"\n desc \"Class 3 PKI certificates are used for servers and software signing\n rather than for identifying individuals. Class 4 certificates are used for\n business-to-business transactions. Utilizing unapproved certificates not issued\n or approved by DoD or CNS creates an integrity risk. The application server\n must utilize approved DoD or CNS Class 3 or Class 4 certificates for software\n signing and business-to-business transactions.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000514-AS-000137'\n tag \"gid\": 'V-62343'\n tag \"rid\": 'SV-76833r1_rule'\n tag \"stig_id\": 'JBOS-AS-000730'\n tag \"cci\": ['CCI-002450']\n tag \"documentable\": false\n tag \"nist\": ['SC-13', 'Rev_4']\n tag \"check\": \"Interview the administrator to determine if Wildlfy is using\n certificates for PKI. If Wildlfy is not performing any PKI functions, this\n finding is NA.\n\n The CA certs are usually stored in a file called cacerts located in the\n directory $JAVA_HOME/lib/security. If the file is not in this location, use a\n search command to locate the file, or ask the administrator where the\n certificate store is located.\n\n Open a dos shell or terminal window and change to the location of the\n certificate store. 
To view the certificates within the certificate store, run\n the command (in this example, the keystore file is cacerts.): keytool -list -v\n -keystore ./cacerts\n\n Locate the \\\"OU\\\" field for each certificate within the keystore. The field\n should contain either \\\"DoD\\\" or \\\"CNSS\\\" as the Organizational Unit (OU).\n\n If the OU does not show that the certificates are DoD or CNSS supplied, this is\n a finding.\"\n tag \"fix\": \"Configure the application server to use DoD- or CNSS-approved\n Class 3 or Class 4 PKI certificates.\"\n tag \"fix_id\": 'F-68263r1_fix'\n\n java_cert = input('java_cert')\n\n certs = command(\"keytool -list -v -keystore #{java_cert}\").stdout\n describe.one do\n describe 'The wildfly server PKI certificate' do\n subject { certs }\n it { should match(%r{OU=DoD}) }\n end\n describe 'The wildfly server PKI certificate' do\n subject { certs }\n it { should match(%r{OU=CNSS}) }\n end\n end\nend\n", + "code": "control 'V-62249' do\n title \"Wildfly ROOT logger must be configured to utilize the appropriate\n logging level.\"\n desc \"\n Information system logging capability is critical for accurate forensic\n analysis. Log record content that may be necessary to satisfy the requirement\n of this control includes: time stamps, source and destination addresses,\n user/process identifiers, event descriptions, success/fail indications,\n filenames involved, and access control or flow control rules invoked.\n\n The Wildfly application server ROOT logger captures all messages not captured\n by a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG,\n ETC.). By default, the ROOT logger level is set to INFO, which is a value of\n 800. This will capture most events adequately. Any level numerically higher\n than INFO (> 800) records less data and may result in an insufficient amount of\n information being logged by the ROOT logger. This can result in failed\n forensic investigations. 
The ROOT logger level must be INFO level or lower to\n provide adequate log information.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000100-AS-000063'\n tag \"gid\": 'V-62249'\n tag \"rid\": 'SV-76739r1_rule'\n tag \"stig_id\": 'JBOS-AS-000135'\n tag \"cci\": ['CCI-001487']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n The PROFILE NAMEs included with a Managed Domain Wildfly configuration are:\n \\\"default\\\", \\\"full\\\", \\\"full-ha\\\" or \\\"ha\\\"\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \\\"ls /profile=/subsystem=logging/root-logger=ROOT\\\"\n\n If ROOT logger \\\"level\\\" is not set to INFO, DEBUG or TRACE\n This is a finding for each (default, full, full-ha and ha)\n\n For a Standalone configuration:\n \\\"ls /subsystem=logging/root-logger=ROOT\\\"\n\n If \\\"level\\\" not = INFO, DEBUG or TRACE, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n The PROFILE NAMEs included with a Managed Domain Wildfly configuration are:\n \\\"default\\\", \\\"full\\\", \\\"full-ha\\\" or \\\"ha\\\"\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \\\"/profile=/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)\\\"\n\n For 
a Standalone configuration:\n \\\"/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)\\\"\"\n tag \"fix_id\": 'F-68169r1_fix'\n\n connect = input('connection')\n\n get_logging_level = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=logging/root-logger=ROOT\").stdout\n\n describe.one do\n describe 'The wildfly root logger level' do\n subject { get_logging_level }\n it { should match(%r{level=INFO}) }\n end\n describe 'The wildfly root logger level' do\n subject { get_logging_level }\n it { should match(%r{level=DEBUG}) }\n end\n describe 'The wildfly root logger level' do\n subject { get_logging_level }\n it { should match(%r{level=TRACE}) }\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62343.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62249.rb", "line": 1 }, - "id": "V-62343" + "id": "V-62249" }, { - "title": "Wildfly must be configured to generate log records when\n successful/unsuccessful attempts to modify privileges occur.", - "desc": "Changing privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful/unsuccessful changes are made, the\n event needs to be logged. 
By logging the event, the modification or attempted\n modification can be investigated to determine if it was performed inadvertently\n or maliciously.", + "title": "Production Wildfly servers must not allow automatic application\n deployment.", + "desc": "When dealing with access restrictions pertaining to change control, it\nshould be noted that any changes to the software and/or application server\nconfiguration can potentially have significant effects on the overall security\nof the system.\n\n Access restrictions for changes also include application software libraries.\n\n If the application server provides automatic code deployment capability,\n(where updates to applications hosted on the application server are\nautomatically performed, usually by the developers' IDE tool), it must also\nprovide a capability to restrict the use of automatic application deployment.\nAutomatic code deployments are allowable in a development environment, but not\nin production.", "descriptions": { - "default": "Changing privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful/unsuccessful changes are made, the\n event needs to be logged. By logging the event, the modification or attempted\n modification can be investigated to determine if it was performed inadvertently\n or maliciously." 
+ "default": "When dealing with access restrictions pertaining to change control, it\nshould be noted that any changes to the software and/or application server\nconfiguration can potentially have significant effects on the overall security\nof the system.\n\n Access restrictions for changes also include application software libraries.\n\n If the application server provides automatic code deployment capability,\n(where updates to applications hosted on the application server are\nautomatically performed, usually by the developers' IDE tool), it must also\nprovide a capability to restrict the use of automatic application deployment.\nAutomatic code deployments are allowable in a development environment, but not\nin production." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000495-AS-000220", - "gid": "V-62329", - "rid": "SV-76819r1_rule", - "stig_id": "JBOS-AS-000690", + "gtitle": "SRG-APP-000380-AS-000088", + "gid": "V-62311", + "rid": "SV-76801r1_rule", + "stig_id": "JBOS-AS-000545", "cci": [ - "CCI-000172" + "CCI-001813" ], "documentable": false, "nist": [ - "AU-12 c", + "CM-5 (1)", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n If \"enabled\" = false, this is a finding.", - "fix": "Launch the jboss-cli management interface.\n Connect to the server by typing \"connect\", authenticate as a user in the\n Superuser role, 
and run the following command:\n\n For a Managed Domain configuration:\n \"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\n For a Standalone configuration:\n \"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", - "fix_id": "F-68249r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /subsystem=deployment-scanner/scanner=default\n\n If \"scan-enabled\"=true, this is a finding.", + "fix": "Determine the JBoss server configuration as being either\n standalone or domain.\n\n Launch the relevant jboss-cli management interface substituting standalone or\n domain for \n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the command:\n\n /subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)", + "fix_id": "F-68231r1_fix" }, - "code": "control 'V-62329' do\n title \"Wildfly must be configured to generate log records when\n successful/unsuccessful attempts to modify privileges occur.\"\n desc \"Changing privileges of a subject/object may cause a subject/object to\n gain or lose capabilities. When successful/unsuccessful changes are made, the\n event needs to be logged. 
By logging the event, the modification or attempted\n modification can be investigated to determine if it was performed inadvertently\n or maliciously.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000495-AS-000220'\n tag \"gid\": 'V-62329'\n tag \"rid\": 'SV-76819r1_rule'\n tag \"stig_id\": 'JBOS-AS-000690'\n tag \"cci\": ['CCI-000172']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 c', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n Run the command:\n\n For a Managed Domain configuration:\n \\\"ls\n host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"ls\n /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n If \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\n Connect to the server by typing \\\"connect\\\", authenticate as a user in the\n Superuser role, and run the following command:\n\n For a Managed Domain configuration:\n \\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\n For a Standalone configuration:\n \\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68249r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly setting: generate log records when successful/unsuccessful attempts to modify privileges occur' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ 
/core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", + "code": "control 'V-62311' do\n title \"Production Wildfly servers must not allow automatic application\n deployment.\"\n desc \"\n When dealing with access restrictions pertaining to change control, it\n should be noted that any changes to the software and/or application server\n configuration can potentially have significant effects on the overall security\n of the system.\n\n Access restrictions for changes also include application software libraries.\n\n If the application server provides automatic code deployment capability,\n (where updates to applications hosted on the application server are\n automatically performed, usually by the developers' IDE tool), it must also\n provide a capability to restrict the use of automatic application deployment.\n Automatic code deployments are allowable in a development environment, but not\n in production.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000380-AS-000088'\n tag \"gid\": 'V-62311'\n tag \"rid\": 'SV-76801r1_rule'\n tag \"stig_id\": 'JBOS-AS-000545'\n tag \"cci\": ['CCI-001813']\n tag \"documentable\": false\n tag \"nist\": ['CM-5 (1)', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n Run the jboss-cli script.\n Connect to the server and authenticate.\n Run the command:\n\n ls /subsystem=deployment-scanner/scanner=default\n\n If \\\"scan-enabled\\\"=true, this is a finding.\"\n tag \"fix\": \"Determine the JBoss server configuration as being either\n standalone or domain.\n\n Launch the relevant jboss-cli management interface substituting standalone or\n domain for \n\n $JBOSS_HOME;//bin/jboss-cli\n\n connect to the server and run the command:\n\n 
/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)\"\n tag \"fix_id\": 'F-68231r1_fix'\n\n connect = input('connection')\n\n describe 'The wildfly application deployment scanner' do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=deployment-scanner/scanner=default\").stdout }\n it { should_not match(%r{scan-enabled=true}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62329.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62311.rb", "line": 1 }, - "id": "V-62329" + "id": "V-62311" }, { - "title": "Wildfly KeyStore and Truststore passwords must not be stored in clear\n text.", - "desc": "Access to the Wildfly Password Vault must be secured, and the password used\nto access must be encrypted. There is a specific process used to generate the\nencrypted password hash. This process must be followed in order to store the\npassword in an encrypted format.\n\n The admin must utilize this process in order to ensure the Keystore\npassword is encrypted.", + "title": "Wildfly must be configured to record the IP address and port information\nused by management interface network traffic.", + "desc": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct source, e.g., source IP, of the events is\nimportant during forensic analysis. Correctly determining the source will add\ninformation to the overall reconstruction of the loggable event. By\ndetermining the source of the event correctly, analysis of the enterprise can\nbe undertaken to determine if the event compromised other assets within the\nenterprise.\n\n Without sufficient information establishing the source of the logged event,\ninvestigation into the cause of event is severely hindered. 
Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.", "descriptions": { - "default": "Access to the Wildfly Password Vault must be secured, and the password used\nto access must be encrypted. There is a specific process used to generate the\nencrypted password hash. This process must be followed in order to store the\npassword in an encrypted format.\n\n The admin must utilize this process in order to ensure the Keystore\npassword is encrypted." + "default": "Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct source, e.g., source IP, of the events is\nimportant during forensic analysis. Correctly determining the source will add\ninformation to the overall reconstruction of the loggable event. By\ndetermining the source of the event correctly, analysis of the enterprise can\nbe undertaken to determine if the event compromised other assets within the\nenterprise.\n\n Without sufficient information establishing the source of the logged event,\ninvestigation into the cause of event is severely hindered. Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000171-AS-000119", - "gid": "V-62289", - "rid": "SV-76779r1_rule", - "stig_id": "JBOS-AS-000300", + "gtitle": "SRG-APP-000098-AS-000061", + "gid": "V-62245", + "rid": "SV-76735r1_rule", + "stig_id": "JBOS-AS-000125", "cci": [ - "CCI-000196" + "CCI-000133" ], "documentable": false, "nist": [ - "IA-5 (1) (c)", + "AU-3", "Rev_4" ], - "check": "The default location for the keystore used by the Wildfly vault\n is the $JBOSS_HOME;/vault/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n If a vault keystore has been created, by default it will be in the file:\n $JBOSS_HOME;/vault/vault.keystore. The file stores a single key, with the\n default alias vault, which will be used to store encrypted strings, such as\n passwords, for JBoss EAP.\n\n Have the system admin provide the procedure used to encrypt the keystore\n password that unlocks the keystore.\n\n If the system administrator is unable to demonstrate or provide written process\n documentation on how to encrypt the keystore password, this is a finding.", - "fix": "Configure the application server to mask the java keystore\n password as per the procedure described in section 11.13.3 -Password Vault\n System in the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.", - "fix_id": "F-68209r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone 
configuration:\n\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nIf \"enabled\" = false, this is a finding.", + "fix": "Launch the jboss-cli management interface.\nConnect to the server by typing \"connect\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"\n\nFor a Standalone configuration:\n\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\"", + "fix_id": "F-68165r1_fix" }, - "code": "control 'V-62289' do\n title \"Wildfly KeyStore and Truststore passwords must not be stored in clear\n text.\"\n desc \"\n Access to the Wildfly Password Vault must be secured, and the password used\n to access must be encrypted. There is a specific process used to generate the\n encrypted password hash. This process must be followed in order to store the\n password in an encrypted format.\n\n The admin must utilize this process in order to ensure the Keystore\n password is encrypted.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000171-AS-000119'\n tag \"gid\": 'V-62289'\n tag \"rid\": 'SV-76779r1_rule'\n tag \"stig_id\": 'JBOS-AS-000300'\n tag \"cci\": ['CCI-000196']\n tag \"documentable\": false\n tag \"nist\": ['IA-5 (1) (c)', 'Rev_4']\n tag \"check\": \"The default location for the keystore used by the Wildfly vault\n is the $JBOSS_HOME;/vault/ folder.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n\n If a vault keystore has been created, by default it will be in the file:\n $JBOSS_HOME;/vault/vault.keystore. 
The file stores a single key, with the\n default alias vault, which will be used to store encrypted strings, such as\n passwords, for JBoss EAP.\n\n Have the system admin provide the procedure used to encrypt the keystore\n password that unlocks the keystore.\n\n If the system administrator is unable to demonstrate or provide written process\n documentation on how to encrypt the keystore password, this is a finding.\"\n tag \"fix\": \"Configure the application server to mask the java keystore\n password as per the procedure described in section 11.13.3 -Password Vault\n System in the\n Wildfly-Administration_and_Configuration_Guide-en-US\n document.\"\n tag \"fix_id\": 'F-68209r1_fix'\n\n describe 'A manual review is required to verify that the System Admin utilizes a process to ensure the Keystore password is encrypted' do\n skip 'A manual review is required to verify that the System Admin utilizes a process to ensure the Keystore password is encrypted'\n end\nend\n", + "code": "control 'V-62245' do\n title \"Wildfly must be configured to record the IP address and port information\nused by management interface network traffic.\"\n desc \"\n Application server logging capability is critical for accurate forensic\nanalysis. Without sufficient and accurate information, a correct replay of the\nevents cannot be determined.\n\n Ascertaining the correct source, e.g., source IP, of the events is\nimportant during forensic analysis. Correctly determining the source will add\ninformation to the overall reconstruction of the loggable event. By\ndetermining the source of the event correctly, analysis of the enterprise can\nbe undertaken to determine if the event compromised other assets within the\nenterprise.\n\n Without sufficient information establishing the source of the logged event,\ninvestigation into the cause of event is severely hindered. 
Log record content\nthat may be necessary to satisfy the requirement of this control includes, but\nis not limited to, time stamps, source and destination IP addresses,\nuser/process identifiers, event descriptions, application-specific events,\nsuccess/fail indications, filenames involved, access control, or flow control\nrules invoked.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000098-AS-000061'\n tag \"gid\": 'V-62245'\n tag \"rid\": 'SV-76735r1_rule'\n tag \"stig_id\": 'JBOS-AS-000125'\n tag \"cci\": ['CCI-000133']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nIf \\\"enabled\\\" = false, this is a finding.\"\n tag \"fix\": \"Launch the jboss-cli management interface.\nConnect to the server by typing \\\"connect\\\", authenticate as a user in the\nSuperuser role, and run the following command:\n\nFor a Managed Domain configuration:\n\\\"host=master/server//core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\n\nFor a Standalone configuration:\n\\\"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)\\\"\"\n tag \"fix_id\": 'F-68165r1_fix'\n\n connect = input('connection')\n\n describe 'Wildfly record the IP address and port information used by management interface network traffic.' 
do\n subject { command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /core-service=management/access=audit/logger=audit-log\").stdout }\n it { should_not match(%r{enabled=false}) }\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62289.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62245.rb", "line": 1 }, - "id": "V-62289" + "id": "V-62245" }, { - "title": "Wildfly ROOT logger must be configured to utilize the appropriate\n logging level.", - "desc": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes: time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n The Wildfly application server ROOT logger captures all messages not captured\nby a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG,\nETC.). By default, the ROOT logger level is set to INFO, which is a value of\n800. This will capture most events adequately. Any level numerically higher\nthan INFO (> 800) records less data and may result in an insufficient amount of\ninformation being logged by the ROOT logger. This can result in failed\nforensic investigations. 
The ROOT logger level must be INFO level or lower to\nprovide adequate log information.",
+ "title": "Wildfly must be configured to allow only the ISSM (or individuals or\nroles appointed by the ISSM) to select which loggable events are to be logged.",
+ "desc": "The Wildfly server must be configured to select which personnel are assigned\nthe role of selecting which loggable events are to be logged.\n In Wildfly, the role designated for selecting auditable events is the\n\"Auditor\" role.\n The personnel or roles that can select loggable events are only the ISSM\n(or individuals or roles appointed by the ISSM).",
 "descriptions": {
- "default": "Information system logging capability is critical for accurate forensic\nanalysis. Log record content that may be necessary to satisfy the requirement\nof this control includes: time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n The Wildfly application server ROOT logger captures all messages not captured\nby a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG,\nETC.). By default, the ROOT logger level is set to INFO, which is a value of\n800. This will capture most events adequately. Any level numerically higher\nthan INFO (> 800) records less data and may result in an insufficient amount of\ninformation being logged by the ROOT logger. This can result in failed\nforensic investigations. The ROOT logger level must be INFO level or lower to\nprovide adequate log information."
+ "default": "The Wildfly server must be configured to select which personnel are assigned\nthe role of selecting which loggable events are to be logged.\n In Wildfly, the role designated for selecting auditable events is the\n\"Auditor\" role.\n The personnel or roles that can select loggable events are only the ISSM\n(or individuals or roles appointed by the ISSM)."
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-APP-000100-AS-000063", - "gid": "V-62249", - "rid": "SV-76739r1_rule", - "stig_id": "JBOS-AS-000135", + "gtitle": "SRG-APP-000090-AS-000051", + "gid": "V-62233", + "rid": "SV-76723r1_rule", + "stig_id": "JBOS-AS-000085", "cci": [ - "CCI-001487" + "CCI-000171" ], "documentable": false, "nist": [ - "AU-3", + "AU-12 b", "Rev_4" ], - "check": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n The PROFILE NAMEs included with a Managed Domain Wildfly configuration are:\n \"default\", \"full\", \"full-ha\" or \"ha\"\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \"ls /profile=/subsystem=logging/root-logger=ROOT\"\n\n If ROOT logger \"level\" is not set to INFO, DEBUG or TRACE\n This is a finding for each (default, full, full-ha and ha)\n\n For a Standalone configuration:\n \"ls /subsystem=logging/root-logger=ROOT\"\n\n If \"level\" not = INFO, DEBUG or TRACE, this is a finding.", - "fix": "Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n The PROFILE NAMEs included with a Managed Domain Wildfly configuration are:\n \"default\", \"full\", \"full-ha\" or \"ha\"\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \"/profile=/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)\"\n\n For a 
Standalone configuration:\n \"/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)\"", - "fix_id": "F-68169r1_fix" + "check": "Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\"ls\nhost=master/server//core-service=management/access=authorization/role-mapping=Auditor/include=\"\n\nFor a Standalone configuration:\n\"ls\n/core-service=management/access=authorization/role-mapping=Auditor/include=\"\n\nIf the list of users in the Auditors group is not approved by the ISSM, this is\na finding.", + "fix": "Obtain documented approvals from ISSM, and assign the appropriate\npersonnel into the \"Auditor\" role.", + "fix_id": "F-68153r1_fix" }, - "code": "control 'V-62249' do\n title \"Wildfly ROOT logger must be configured to utilize the appropriate\n logging level.\"\n desc \"\n Information system logging capability is critical for accurate forensic\n analysis. Log record content that may be necessary to satisfy the requirement\n of this control includes: time stamps, source and destination addresses,\n user/process identifiers, event descriptions, success/fail indications,\n filenames involved, and access control or flow control rules invoked.\n\n The Wildfly application server ROOT logger captures all messages not captured\n by a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG,\n ETC.). By default, the ROOT logger level is set to INFO, which is a value of\n 800. This will capture most events adequately. Any level numerically higher\n than INFO (> 800) records less data and may result in an insufficient amount of\n information being logged by the ROOT logger. 
This can result in failed\n forensic investigations. The ROOT logger level must be INFO level or lower to\n provide adequate log information.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000100-AS-000063'\n tag \"gid\": 'V-62249'\n tag \"rid\": 'SV-76739r1_rule'\n tag \"stig_id\": 'JBOS-AS-000135'\n tag \"cci\": ['CCI-001487']\n tag \"documentable\": false\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n The PROFILE NAMEs included with a Managed Domain Wildfly configuration are:\n \\\"default\\\", \\\"full\\\", \\\"full-ha\\\" or \\\"ha\\\"\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n \\\"ls /profile=/subsystem=logging/root-logger=ROOT\\\"\n\n If ROOT logger \\\"level\\\" is not set to INFO, DEBUG or TRACE\n This is a finding for each (default, full, full-ha and ha)\n\n For a Standalone configuration:\n \\\"ls /subsystem=logging/root-logger=ROOT\\\"\n\n If \\\"level\\\" not = INFO, DEBUG or TRACE, this is a finding.\"\n tag \"fix\": \"Log on to the OS of the Wildfly server with OS permissions that\n allow access to Wildfly.\n\n The $JBOSS_HOME default is /opt/bin/widfly\n Using the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n Run the jboss-cli script to start the Command Line Interface (CLI).\n Connect to the server and authenticate.\n\n The PROFILE NAMEs included with a Managed Domain Wildfly configuration are:\n \\\"default\\\", \\\"full\\\", \\\"full-ha\\\" or \\\"ha\\\"\n For a Managed Domain configuration, you must check each profile name:\n\n For each PROFILE NAME, run the command:\n 
\\\"/profile=/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)\\\"\n\n For a Standalone configuration:\n \\\"/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)\\\"\"\n tag \"fix_id\": 'F-68169r1_fix'\n\n connect = input('connection')\n\n get_logging_level = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\\\ /subsystem=logging/root-logger=ROOT\").stdout\n\n describe.one do\n describe 'The wildfly root logger level' do\n subject { get_logging_level }\n it { should match(%r{level=INFO}) }\n end\n describe 'The wildfly root logger level' do\n subject { get_logging_level }\n it { should match(%r{level=DEBUG}) }\n end\n describe 'The wildfly root logger level' do\n subject { get_logging_level }\n it { should match(%r{level=TRACE}) }\n end\n end\nend\n", + "code": "control 'V-62233' do\n title \"Wildfly must be configured to allow only the ISSM (or individuals or\nroles appointed by the ISSM) to select which loggable events are to be logged.\"\n desc \"\n The Wildfly server must be configured to select which personnel are assigned\nthe role of selecting which loggable events are to be logged.\n In Wildfly, the role designated for selecting auditable events is the\n\\\"Auditor\\\" role.\n The personnel or roles that can select loggable events are only the ISSM\n(or individuals or roles appointed by the ISSM).\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000090-AS-000051'\n tag \"gid\": 'V-62233'\n tag \"rid\": 'SV-76723r1_rule'\n tag \"stig_id\": 'JBOS-AS-000085'\n tag \"cci\": ['CCI-000171']\n tag \"documentable\": false\n tag \"nist\": ['AU-12 b', 'Rev_4']\n tag \"check\": \"Log on to the OS of the Wildfly server with OS permissions that\nallow access to Wildfly.\nUsing the relevant OS commands and syntax, cd to the $JBOSS_HOME;/bin/ folder.\n\nThe $JBOSS_HOME default is /opt/bin/widfly\nRun the jboss-cli script to start the Command Line Interface (CLI).\nConnect to the server and 
authenticate.\nRun the command:\n\nFor a Managed Domain configuration:\n\\\"ls\nhost=master/server//core-service=management/access=authorization/role-mapping=Auditor/include=\\\"\n\nFor a Standalone configuration:\n\\\"ls\n/core-service=management/access=authorization/role-mapping=Auditor/include=\\\"\n\nIf the list of users in the Auditors group is not approved by the ISSM, this is\na finding.\"\n tag \"fix\": \"Obtain documented approvals from ISSM, and assign the appropriate\npersonnel into the \\\"Auditor\\\" role.\"\n tag \"fix_id\": 'F-68153r1_fix'\n\n connect = input('connection')\n auditor_role_users = input('auditor_role_users')\n\n auditor_role = command(\"/bin/sh #{ input('jboss_home') }/bin/jboss-cli.sh #{connect} --commands=ls\\ /core-service=management/access=authorization/role-mapping=Auditor/include=\").stdout.split(\"\\n\")\n\n auditor_role.each do |user|\n a = user.strip\n describe \"#{a}\" do\n it { should be_in auditor_role_users }\n end\n end\n if auditor_role.empty?\n impact 0.0\n describe 'There are no wildfly users with the auditor role, therefore this control is not applicable' do\n skip 'There are no wildfly users with the auditor role, therefore this control is not applicable'\n end\n end\nend\n", "source_location": { - "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62249.rb", + "ref": "./Red Hat Jboss EAP 6.3 STIG/controls/V-62233.rb", "line": 1 }, - "id": "V-62249" + "id": "V-62233" } ], "groups": [ { "title": null, "controls": [ - "V-62301" - ], - "id": "controls/V-62301.rb" - }, - { - "title": null, - "controls": [ - "V-62215" + "V-62295" ], - "id": "controls/V-62215.rb" + "id": "controls/V-62295.rb" }, { "title": null, "controls": [ - "V-62227" + "V-62271" ], - "id": "controls/V-62227.rb" + "id": "controls/V-62271.rb" }, { "title": null, "controls": [ - "V-62331" + "V-62345" ], - "id": "controls/V-62331.rb" + "id": "controls/V-62345.rb" }, { "title": null, "controls": [ - "V-62217" + "V-62305" ], - "id": "controls/V-62217.rb" + 
"id": "controls/V-62305.rb" }, { "title": null, "controls": [ - "V-62251" + "V-62317" ], - "id": "controls/V-62251.rb" + "id": "controls/V-62317.rb" }, { "title": null, "controls": [ - "V-62337" + "V-62221" ], - "id": "controls/V-62337.rb" + "id": "controls/V-62221.rb" }, { "title": null, "controls": [ - "V-62299" + "V-62319" ], - "id": "controls/V-62299.rb" + "id": "controls/V-62319.rb" }, { "title": null, "controls": [ - "V-62297" + "V-62337" ], - "id": "controls/V-62297.rb" + "id": "controls/V-62337.rb" }, { "title": null, "controls": [ - "V-62257" + "V-62267" ], - "id": "controls/V-62257.rb" + "id": "controls/V-62267.rb" }, { "title": null, "controls": [ - "V-62279" + "V-62329" ], - "id": "controls/V-62279.rb" + "id": "controls/V-62329.rb" }, { "title": null, "controls": [ - "V-62307" + "V-62289" ], - "id": "controls/V-62307.rb" + "id": "controls/V-62289.rb" }, { "title": null, "controls": [ - "V-62305" + "V-62215" ], - "id": "controls/V-62305.rb" + "id": "controls/V-62215.rb" }, { "title": null, "controls": [ - "V-62245" + "V-62285" ], - "id": "controls/V-62245.rb" + "id": "controls/V-62285.rb" }, { "title": null, "controls": [ - "V-62223" + "V-62331" ], - "id": "controls/V-62223.rb" + "id": "controls/V-62331.rb" }, { "title": null, "controls": [ - "V-62073" + "V-62253" ], - "id": "controls/V-62073.rb" + "id": "controls/V-62253.rb" }, { "title": null, "controls": [ - "V-62313" + "V-62307" ], - "id": "controls/V-62313.rb" + "id": "controls/V-62307.rb" }, { "title": null, "controls": [ - "V-62261" + "V-62279" ], - "id": "controls/V-62261.rb" + "id": "controls/V-62279.rb" }, { "title": null, 
@@ -2294,30 +2287,30 @@
 {
 "title": null,
 "controls": [
- "V-62219"
+ "V-62287"
 ],
- "id": "controls/V-62219.rb"
+ "id": "controls/V-62287.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62247"
+ "V-62321"
 ],
- "id": "controls/V-62247.rb"
+ "id": "controls/V-62321.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62269"
+ "V-62257"
 ],
- "id": "controls/V-62269.rb"
+ "id": "controls/V-62257.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62333"
+ "V-62259"
 ],
- "id": "controls/V-62333.rb"
+ "id": "controls/V-62259.rb"
 },
 {
 "title": null,
@@ -2329,205 +2322,212 @@
 {
 "title": null,
 "controls": [
- "V-62341"
+ "V-62293"
 ],
- "id": "controls/V-62341.rb"
+ "id": "controls/V-62293.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62325"
+ "V-62073"
 ],
- "id": "controls/V-62325.rb"
+ "id": "controls/V-62073.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62275"
+ "V-62327"
 ],
- "id": "controls/V-62275.rb"
+ "id": "controls/V-62327.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62271"
+ "V-62227"
 ],
- "id": "controls/V-62271.rb"
+ "id": "controls/V-62227.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62225"
+ "V-62341"
 ],
- "id": "controls/V-62225.rb"
+ "id": "controls/V-62341.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62319"
+ "V-62275"
 ],
- "id": "controls/V-62319.rb"
+ "id": "controls/V-62275.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62281"
+ "V-62219"
 ],
- "id": "controls/V-62281.rb"
+ "id": "controls/V-62219.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62327"
+ "V-62315"
 ],
- "id": "controls/V-62327.rb"
+ "id": "controls/V-62315.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62239"
+ "V-62269"
 ],
- "id": "controls/V-62239.rb"
+ "id": "controls/V-62269.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62293"
+ "V-62241"
 ],
- "id": "controls/V-62293.rb"
+ "id": "controls/V-62241.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62311"
+ "V-62217"
 ],
- "id": "controls/V-62311.rb"
+ "id": "controls/V-62217.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62233"
+ "V-62313"
 ],
- "id": "controls/V-62233.rb"
+ "id": "controls/V-62313.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62315"
+ "V-62309"
 ],
- "id": "controls/V-62315.rb"
+ "id": "controls/V-62309.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62323"
+ "V-62299"
 ],
- "id": "controls/V-62323.rb"
+ "id": "controls/V-62299.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62235"
+ "V-62261"
 ],
- "id": "controls/V-62235.rb"
+ "id": "controls/V-62261.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62243"
+ "V-62343"
 ],
- "id": "controls/V-62243.rb"
+ "id": "controls/V-62343.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62241"
+ "V-62237"
 ],
- "id": "controls/V-62241.rb"
+ "id": "controls/V-62237.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62287"
+ "V-62325"
 ],
- "id": "controls/V-62287.rb"
+ "id": "controls/V-62325.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62345"
+ "V-62231"
 ],
- "id": "controls/V-62345.rb"
+ "id": "controls/V-62231.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62253"
+ "V-62263"
 ],
- "id": "controls/V-62253.rb"
+ "id": "controls/V-62263.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62291"
+ "V-62303"
 ],
- "id": "controls/V-62291.rb"
+ "id": "controls/V-62303.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62285"
+ "V-62273"
 ],
- "id": "controls/V-62285.rb"
+ "id": "controls/V-62273.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62267"
+ "V-62323"
 ],
- "id": "controls/V-62267.rb"
+ "id": "controls/V-62323.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62335"
+ "V-62247"
 ],
- "id": "controls/V-62335.rb"
+ "id": "controls/V-62247.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62259"
+ "V-62255"
 ],
- "id": "controls/V-62259.rb"
+ "id": "controls/V-62255.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62309"
+ "V-62223"
 ],
- "id": "controls/V-62309.rb"
+ "id": "controls/V-62223.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62255"
+ "V-62283"
 ],
- "id": "controls/V-62255.rb"
+ "id": "controls/V-62283.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62231"
+ "V-62335"
 ],
- "id": "controls/V-62231.rb"
+ "id": "controls/V-62335.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62221"
+ "V-62277"
 ],
- "id": "controls/V-62221.rb"
+ "id": "controls/V-62277.rb"
+ },
+ {
+ "title": null,
+ "controls": [
+ "V-62301"
+ ],
+ "id": "controls/V-62301.rb"
 },
 {
 "title": null,
@@ -2539,93 +2539,93 @@
 {
 "title": null,
 "controls": [
- "V-62295"
+ "V-62243"
 ],
- "id": "controls/V-62295.rb"
+ "id": "controls/V-62243.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62273"
+ "V-62235"
 ],
- "id": "controls/V-62273.rb"
+ "id": "controls/V-62235.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62263"
+ "V-62281"
 ],
- "id": "controls/V-62263.rb"
+ "id": "controls/V-62281.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62321"
+ "V-62225"
 ],
- "id": "controls/V-62321.rb"
+ "id": "controls/V-62225.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62277"
+ "V-62297"
 ],
- "id": "controls/V-62277.rb"
+ "id": "controls/V-62297.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62237"
+ "V-62239"
 ],
- "id": "controls/V-62237.rb"
+ "id": "controls/V-62239.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62303"
+ "V-62251"
 ],
- "id": "controls/V-62303.rb"
+ "id": "controls/V-62251.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62283"
+ "V-62333"
 ],
- "id": "controls/V-62283.rb"
+ "id": "controls/V-62333.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62317"
+ "V-62291"
 ],
- "id": "controls/V-62317.rb"
+ "id": "controls/V-62291.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62343"
+ "V-62249"
 ],
- "id": "controls/V-62343.rb"
+ "id": "controls/V-62249.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62329"
+ "V-62311"
 ],
- "id": "controls/V-62329.rb"
+ "id": "controls/V-62311.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62289"
+ "V-62245"
 ],
- "id": "controls/V-62289.rb"
+ "id": "controls/V-62245.rb"
 },
 {
 "title": null,
 "controls": [
- "V-62249"
+ "V-62233"
 ],
- "id": "controls/V-62249.rb"
+ "id": "controls/V-62233.rb"
 }
 ],
 "sha256": "b9afbc3bc88efdb3027487daf658d017a2d314e53000b42e11e52953c12e2243",
diff --git a/src/assets/data/baselineProfiles/rsa-archer-6-security-configuration-guide-baseline.json b/src/assets/data/baselineProfiles/rsa-archer-6-security-configuration-guide-baseline.json
index ad59334d..220c52e4 100644
--- a/src/assets/data/baselineProfiles/rsa-archer-6-security-configuration-guide-baseline.json
+++ b/src/assets/data/baselineProfiles/rsa-archer-6-security-configuration-guide-baseline.json
@@ -12,12 +12,12 @@
 "supports": [],
 "controls": [
 {
- "title": "Alpha characters required",
- "desc": "When passwords are changed or new passwords are established, the new\n password must contain at least two alpha characters.",
+ "title": "Password change interval",
+ "desc": "Existing passwords must be restricted to a 90-day maximum lifetime.",
 "descriptions": {
- "default": "When passwords are changed or new passwords are established, the new\n password must contain at least two alpha characters.",
- "check": "In security parameters, check if AlphaCharsRequired = 2.",
- "fix": "In security parameters, set AlphaCharsRequired = 2."
+ "default": "Existing passwords must be restricted to a 90-day maximum lifetime.",
+ "check": "In security parameters, check if PasswordChangeInterval = 90.",
+ "fix": "In security parameters, set PasswordChangeInterval = 90."
 },
 "impact": 0.4,
 "refs": [],
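Review bot: Every control and group id removed in this hunk and in the groups hunks at -2294, -2329 and -2539 reappears as an addition elsewhere in the same file, so the diff looks like a re-serialization that only reorders entries, and the unchanged `"sha256"` context line at the end of the -2539 hunk is consistent with the underlying profile being identical. A reorder of this size hides any real change a reviewer would need to see, and the swapped `title`/`desc`/`code` blocks cannot be checked against each other by eye. If the baseline JSON is regenerated by a script, sorting `controls` by `id` and `groups` by `id` before writing would make the output stable across runs and keep future diffs to the lines that actually changed; if the order comes straight from the profile tool, a post-processing sort at export time has the same effect.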
@@ -27,20 +27,20 @@ "Rev_4" ] }, - "code": "control 'rsa-archer-1.2' do\n title 'Alpha characters required'\n desc 'When passwords are changed or new passwords are established, the new\n password must contain at least two alpha characters.'\n impact 'medium'\n desc 'check', 'In security parameters, check if AlphaCharsRequired = 2.'\n desc 'fix', 'In security parameters, set AlphaCharsRequired = 2.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.AlphaCharsRequired') { should cmp >= attribute('minimum_alpha_characters') }\n its('general_user_parameter.AlphaCharsRequired') { should cmp >= attribute('minimum_alpha_characters') }\n its('archer_services_parameter.AlphaCharsRequired') { should cmp >= attribute('minimum_alpha_characters') }\n end\nend\n", + "code": "control 'rsa-archer-1.7' do\n title 'Password change interval'\n desc 'Existing passwords must be restricted to a 90-day maximum lifetime.'\n impact 'medium'\n desc 'check', 'In security parameters, check if PasswordChangeInterval = 90.'\n desc 'fix', 'In security parameters, set PasswordChangeInterval = 90.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.PasswordChangeInterval') { should cmp <= attribute('password_change_interval') }\n its('general_user_parameter.PasswordChangeInterval') { should cmp <= attribute('password_change_interval') }\n its('archer_services_parameter.PasswordChangeInterval') { should cmp 
<= attribute('password_change_interval') }\n end\nend\n",
 "source_location": {
- "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.2.rb",
+ "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.7.rb",
 "line": 1
 },
- "id": "rsa-archer-1.2"
+ "id": "rsa-archer-1.7"
 },
 {
- "title": "Grace logons",
- "desc": "After password expiration, zero grace logons are permitted using the\n expired password.",
+ "title": "Minimum Password Length",
+ "desc": "Passwords must be a minimum of 9 characters in length.",
 "descriptions": {
- "default": "After password expiration, zero grace logons are permitted using the\n expired password.",
- "check": "In security parameters, check if GraceLogins = 0.",
- "fix": "In security parameters, set GraceLogins = 0."
+ "default": "Passwords must be a minimum of 9 characters in length.",
+ "check": "In security parameters, check if MinPasswordLength = 9.",
+ "fix": "In security parameters, set MinPasswordLength = 9."
 },
 "impact": 0.4,
 "refs": [],
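Review bot: The `rsa-archer-1.7` control's `check` text in the added `"code"` value says `check if PasswordChangeInterval = 90`, but the three `its(...)` assertions enforce `should cmp <= attribute('password_change_interval')`, so the documented check (an equality against a fixed 90) and the executed check (an upper bound against an attribute whose default is not visible in this hunk) can disagree. The wording should describe what is asserted, e.g. `desc 'check', 'In security parameters, check that PasswordChangeInterval is no greater than the approved maximum (90 days).'`, and the same mismatch applies to the JSON `"check"` string for this control in the -12 hunk. Separately, `cmp <=` accepts a value of 0; if Archer treats 0 as "passwords never expire" (not verifiable from this page), the assertion would pass a non-expiring configuration and a positive lower bound would be needed, which is worth confirming against the product documentation.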
@@ -50,43 +50,43 @@ "Rev_4" ] }, - "code": "control 'rsa-archer-1.9' do\n title 'Grace logons'\n desc 'After password expiration, zero grace logons are permitted using the\n expired password.'\n impact 'medium'\n desc 'check', 'In security parameters, check if GraceLogins = 0.'\n desc 'fix', 'In security parameters, set GraceLogins = 0.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.GraceLogins') { should cmp attribute('grace_logins') }\n its('general_user_parameter.GraceLogins') { should cmp attribute('grace_logins') }\n its('archer_services_parameter.GraceLogins') { should cmp attribute('grace_logins') }\n end\nend\n", + "code": "control 'rsa-archer-1.1' do\n title 'Minimum Password Length'\n desc 'Passwords must be a minimum of 9 characters in length.'\n impact 'medium'\n desc 'check', 'In security parameters, check if MinPasswordLength = 9.'\n desc 'fix', 'In security parameters, set MinPasswordLength = 9.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.MinPasswordLength') { should cmp >= attribute('minimum_password_length') }\n its('general_user_parameter.MinPasswordLength') { should cmp >= attribute('minimum_password_length') }\n its('archer_services_parameter.MinPasswordLength') { should cmp >= attribute('minimum_password_length') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.9.rb", + "ref": "./RSA Archer 6 
SCG/controls/rsa-archer-1.1.rb", "line": 1 }, - "id": "rsa-archer-1.9" + "id": "rsa-archer-1.1" }, { - "title": "Password change interval", - "desc": "Existing passwords must be restricted to a 90-day maximum lifetime.", + "title": "Account lockout period", + "desc": "Accounts locked due to unsuccessful logon attempts will stay locked\n until unlocked by an administrator.", "descriptions": { - "default": "Existing passwords must be restricted to a 90-day maximum lifetime.", - "check": "In security parameters, check if PasswordChangeInterval = 90.", - "fix": "In security parameters, set PasswordChangeInterval = 90." + "default": "Accounts locked due to unsuccessful logon attempts will stay locked\n until unlocked by an administrator.", + "check": "In security parameters, check if LockoutPeriod = 999.", + "fix": "In security parameters, set LockoutPeriod = 999." }, "impact": 0.4, "refs": [], "tags": { "nist": [ - "IA-5(1)", + "AC-7", "Rev_4" ] }, - "code": "control 'rsa-archer-1.7' do\n title 'Password change interval'\n desc 'Existing passwords must be restricted to a 90-day maximum lifetime.'\n impact 'medium'\n desc 'check', 'In security parameters, check if PasswordChangeInterval = 90.'\n desc 'fix', 'In security parameters, set PasswordChangeInterval = 90.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.PasswordChangeInterval') { should cmp <= attribute('password_change_interval') }\n its('general_user_parameter.PasswordChangeInterval') { should cmp <= attribute('password_change_interval') }\n its('archer_services_parameter.PasswordChangeInterval') { should cmp <= attribute('password_change_interval') }\n end\nend\n", + "code": "control 'rsa-archer-1.12' do\n 
title 'Account lockout period'\n desc 'Accounts locked due to unsuccessful logon attempts will stay locked\n until unlocked by an administrator.'\n impact 'medium'\n desc 'check', 'In security parameters, check if LockoutPeriod = 999.'\n desc 'fix', 'In security parameters, set LockoutPeriod = 999.'\n tag 'nist': ['AC-7', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.LockoutPeriod') { should cmp >= attribute('lockout_period') }\n its('general_user_parameter.LockoutPeriod') { should cmp >= attribute('lockout_period') }\n its('archer_services_parameter.LockoutPeriod') { should cmp >= attribute('lockout_period') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.7.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.12.rb", "line": 1 }, - "id": "rsa-archer-1.7" + "id": "rsa-archer-1.12" }, { - "title": "Minimum Password Length", - "desc": "Passwords must be a minimum of 9 characters in length.", + "title": "Alpha characters required", + "desc": "When passwords are changed or new passwords are established, the new\n password must contain at least two alpha characters.", "descriptions": { - "default": "Passwords must be a minimum of 9 characters in length.", - "check": "In security parameters, check if MinPasswordLength = 9.", - "fix": "In security parameters, set MinPasswordLength = 9." + "default": "When passwords are changed or new passwords are established, the new\n password must contain at least two alpha characters.", + "check": "In security parameters, check if AlphaCharsRequired = 2.", + "fix": "In security parameters, set AlphaCharsRequired = 2." }, "impact": 0.4, "refs": [], 
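Review bot: Every control in this hunk, including the new rsa-archer-1.1 and rsa-archer-1.12 code, opens the Archer API session with `ssl_verify: attribute('ssl_verify')` while passing the scanner's `username` and `password` inputs over that same connection, so if that input defaults to false the admin credentials go to a server whose certificate is never validated. The profile's inputs list is outside this hunk, so I can't see the default; I'd expect it to be true and the profile documentation to warn that turning it off exposes the credentials to interception. As this is a generated export, that belongs in the profile's inspec.yml/README, not this file.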
@@ -96,89 +96,89 @@ "Rev_4" ] }, - "code": "control 'rsa-archer-1.1' do\n title 'Minimum Password Length'\n desc 'Passwords must be a minimum of 9 characters in length.'\n impact 'medium'\n desc 'check', 'In security parameters, check if MinPasswordLength = 9.'\n desc 'fix', 'In security parameters, set MinPasswordLength = 9.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.MinPasswordLength') { should cmp >= attribute('minimum_password_length') }\n its('general_user_parameter.MinPasswordLength') { should cmp >= attribute('minimum_password_length') }\n its('archer_services_parameter.MinPasswordLength') { should cmp >= attribute('minimum_password_length') }\n end\nend\n", + "code": "control 'rsa-archer-1.2' do\n title 'Alpha characters required'\n desc 'When passwords are changed or new passwords are established, the new\n password must contain at least two alpha characters.'\n impact 'medium'\n desc 'check', 'In security parameters, check if AlphaCharsRequired = 2.'\n desc 'fix', 'In security parameters, set AlphaCharsRequired = 2.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.AlphaCharsRequired') { should cmp >= attribute('minimum_alpha_characters') }\n its('general_user_parameter.AlphaCharsRequired') { should cmp >= attribute('minimum_alpha_characters') }\n its('archer_services_parameter.AlphaCharsRequired') { should cmp >= attribute('minimum_alpha_characters') }\n 
end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.1.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.2.rb", "line": 1 }, - "id": "rsa-archer-1.1" + "id": "rsa-archer-1.2" }, { - "title": "Session time-out", - "desc": "The operating system must initiate a session time-out after a 10 minute\n period of inactivity", + "title": "Uppercase characters required", + "desc": "When passwords are changed or new passwords are established, the new\n password must contain at least one uppercase character.", "descriptions": { - "default": "The operating system must initiate a session time-out after a 10 minute\n period of inactivity", - "check": "In security parameters, check if SessionTimeout = 10.", - "fix": "In security parameters, set SessionTimeout = 10." + "default": "When passwords are changed or new passwords are established, the new\n password must contain at least one uppercase character.", + "check": "In security parameters, check if UppercaseCharsRequired = 1.", + "fix": "In security parameters, set UppercaseCharsRequired = 1." 
}, "impact": 0.4, "refs": [], "tags": { "nist": [ - "AC-11", + "IA-5(1)", "Rev_4" ] }, - "code": "control 'rsa-archer-1.11' do\n title 'Session time-out'\n desc 'The operating system must initiate a session time-out after a 10 minute\n period of inactivity '\n impact 'medium'\n desc 'check', 'In security parameters, check if SessionTimeout = 10.'\n desc 'fix', 'In security parameters, set SessionTimeout = 10.'\n tag 'nist': ['AC-11', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.SessionTimeout') { should cmp <= attribute('session_timeout') }\n its('general_user_parameter.SessionTimeout') { should cmp <= attribute('session_timeout') }\n its('archer_services_parameter.SessionTimeout') { should cmp <= attribute('session_timeout') }\n end\nend\n", + "code": "control 'rsa-archer-1.5' do\n title 'Uppercase characters required'\n desc 'When passwords are changed or new passwords are established, the new\n password must contain at least one uppercase character.'\n impact 'medium'\n desc 'check', 'In security parameters, check if UppercaseCharsRequired = 1.'\n desc 'fix', 'In security parameters, set UppercaseCharsRequired = 1.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.UppercaseCharsRequired') { should cmp >= attribute('minimum_uppercase_characters') }\n its('general_user_parameter.UppercaseCharsRequired') { should cmp >= attribute('minimum_uppercase_characters') }\n 
its('archer_services_parameter.UppercaseCharsRequired') { should cmp >= attribute('minimum_uppercase_characters') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.11.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.5.rb", "line": 1 }, - "id": "rsa-archer-1.11" + "id": "rsa-archer-1.5" }, { - "title": "Maximum failed logon attempts", - "desc": "Accounts subject to 3 unsuccessful logon attempts must be locked.", + "title": "Lowercase characters require", + "desc": "When passwords are changed or new passwords are assigned, the new\n password must contain at least one lowercase character.", "descriptions": { - "default": "Accounts subject to 3 unsuccessful logon attempts must be locked.", - "check": "In security parameters, check if MaximumFailedLoginAttempts = 3.", - "fix": "In security parameters, set MaximumFailedLoginAttempts = 3." + "default": "When passwords are changed or new passwords are assigned, the new\n password must contain at least one lowercase character.", + "check": "In security parameters, check if LowercaseCharsRequired = 1.", + "fix": "In security parameters, set LowercaseCharsRequired = 1." 
}, "impact": 0.4, "refs": [], "tags": { "nist": [ - "AC-7", + "IA-5(1)", "Rev_4" ] }, - "code": "control 'rsa-archer-1.10' do\n title 'Maximum failed logon attempts'\n desc 'Accounts subject to 3 unsuccessful logon attempts must be locked.'\n impact 'medium'\n desc 'check', 'In security parameters, check if MaximumFailedLoginAttempts = 3.'\n desc 'fix', 'In security parameters, set MaximumFailedLoginAttempts = 3.'\n tag 'nist': ['AC-7', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.MaximumFailedLoginAttempts') { should cmp attribute('unsuccessful_login_attempts') }\n its('general_user_parameter.MaximumFailedLoginAttempts') { should cmp attribute('unsuccessful_login_attempts') }\n its('archer_services_parameter.MaximumFailedLoginAttempts') { should cmp attribute('unsuccessful_login_attempts') }\n end\nend\n", + "code": "control 'rsa-archer-1.6' do\n title 'Lowercase characters require'\n desc 'When passwords are changed or new passwords are assigned, the new\n password must contain at least one lowercase character.'\n impact 'medium'\n desc 'check', 'In security parameters, check if LowercaseCharsRequired = 1.'\n desc 'fix', 'In security parameters, set LowercaseCharsRequired = 1.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.LowercaseCharsRequired') { should cmp >= attribute('minimum_lowercase_characters') }\n its('general_user_parameter.LowercaseCharsRequired') { should cmp >= 
attribute('minimum_lowercase_characters') }\n its('archer_services_parameter.LowercaseCharsRequired') { should cmp >= attribute('minimum_lowercase_characters') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.10.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.6.rb", "line": 1 }, - "id": "rsa-archer-1.10" + "id": "rsa-archer-1.6" }, { - "title": "Account lockout period", - "desc": "Accounts locked due to unsuccessful logon attempts will stay locked\n until unlocked by an administrator.", + "title": "Grace logons", + "desc": "After password expiration, zero grace logons are permitted using the\n expired password.", "descriptions": { - "default": "Accounts locked due to unsuccessful logon attempts will stay locked\n until unlocked by an administrator.", - "check": "In security parameters, check if LockoutPeriod = 999.", - "fix": "In security parameters, set LockoutPeriod = 999." + "default": "After password expiration, zero grace logons are permitted using the\n expired password.", + "check": "In security parameters, check if GraceLogins = 0.", + "fix": "In security parameters, set GraceLogins = 0." 
}, "impact": 0.4, "refs": [], "tags": { "nist": [ - "AC-7", + "IA-5(1)", "Rev_4" ] }, - "code": "control 'rsa-archer-1.12' do\n title 'Account lockout period'\n desc 'Accounts locked due to unsuccessful logon attempts will stay locked\n until unlocked by an administrator.'\n impact 'medium'\n desc 'check', 'In security parameters, check if LockoutPeriod = 999.'\n desc 'fix', 'In security parameters, set LockoutPeriod = 999.'\n tag 'nist': ['AC-7', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.LockoutPeriod') { should cmp >= attribute('lockout_period') }\n its('general_user_parameter.LockoutPeriod') { should cmp >= attribute('lockout_period') }\n its('archer_services_parameter.LockoutPeriod') { should cmp >= attribute('lockout_period') }\n end\nend\n", + "code": "control 'rsa-archer-1.9' do\n title 'Grace logons'\n desc 'After password expiration, zero grace logons are permitted using the\n expired password.'\n impact 'medium'\n desc 'check', 'In security parameters, check if GraceLogins = 0.'\n desc 'fix', 'In security parameters, set GraceLogins = 0.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.GraceLogins') { should cmp attribute('grace_logins') }\n its('general_user_parameter.GraceLogins') { should cmp attribute('grace_logins') }\n its('archer_services_parameter.GraceLogins') { should cmp attribute('grace_logins') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 
SCG/controls/rsa-archer-1.12.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.9.rb", "line": 1 }, - "id": "rsa-archer-1.12" + "id": "rsa-archer-1.9" }, { - "title": "Uppercase characters required", - "desc": "When passwords are changed or new passwords are established, the new\n password must contain at least one uppercase character.", + "title": "Numeric characters required", + "desc": "When passwords are changed or new passwords are established, the new\n password must contain at least one numeric character.", "descriptions": { - "default": "When passwords are changed or new passwords are established, the new\n password must contain at least one uppercase character.", - "check": "In security parameters, check if UppercaseCharsRequired = 1.", - "fix": "In security parameters, set UppercaseCharsRequired = 1." + "default": "When passwords are changed or new passwords are established, the new\n password must contain at least one numeric character.", + "check": "In security parameters, check if NumericCharsRequired = 1.", + "fix": "In security parameters, set NumericCharsRequired = 1." }, "impact": 0.4, "refs": [], 
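Review bot: The new rsa-archer-1.6 entry carries the typo `Lowercase characters require` in both its `title` field and the `title` line inside the embedded code string; it should read `Lowercase characters required`, matching the rsa-archer-1.5 uppercase sibling in this same hunk. Its description also says "new passwords are assigned" where every other composition control in the hunk says "established"; aligning the wording would keep the generated report consistent. Since this JSON is an export of the profile, fix it in `./RSA Archer 6 SCG/controls/rsa-archer-1.6.rb` and regenerate.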
@@ -188,20 +188,20 @@ "Rev_4" ] }, - "code": "control 'rsa-archer-1.5' do\n title 'Uppercase characters required'\n desc 'When passwords are changed or new passwords are established, the new\n password must contain at least one uppercase character.'\n impact 'medium'\n desc 'check', 'In security parameters, check if UppercaseCharsRequired = 1.'\n desc 'fix', 'In security parameters, set UppercaseCharsRequired = 1.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.UppercaseCharsRequired') { should cmp >= attribute('minimum_uppercase_characters') }\n its('general_user_parameter.UppercaseCharsRequired') { should cmp >= attribute('minimum_uppercase_characters') }\n its('archer_services_parameter.UppercaseCharsRequired') { should cmp >= attribute('minimum_uppercase_characters') }\n end\nend\n", + "code": "control 'rsa-archer-1.3' do\n title 'Numeric characters required'\n desc 'When passwords are changed or new passwords are established, the new\n password must contain at least one numeric character.'\n impact 'medium'\n desc 'check', 'In security parameters, check if NumericCharsRequired = 1.'\n desc 'fix', 'In security parameters, set NumericCharsRequired = 1.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.NumericCharsRequired') { should cmp >= attribute('minimum_numeric_characters') }\n its('general_user_parameter.NumericCharsRequired') { should cmp >= 
attribute('minimum_numeric_characters') }\n its('archer_services_parameter.NumericCharsRequired') { should cmp >= attribute('minimum_numeric_characters') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.5.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.3.rb", "line": 1 }, - "id": "rsa-archer-1.5" + "id": "rsa-archer-1.3" }, { - "title": "Special characters required", - "desc": "When passwords are changed or new passwords are established, the new\n password must contain at least one special character.", + "title": "Previous passwords disallowed", + "desc": "Passwords must be prohibited from reuse for a minimum of 20 generations.", "descriptions": { - "default": "When passwords are changed or new passwords are established, the new\n password must contain at least one special character.", - "check": "In security parameters, check if SpecialCharsRequired = 1.", - "fix": "In security parameters, set SpecialCharsRequired = 1." + "default": "Passwords must be prohibited from reuse for a minimum of 20 generations.", + "check": "In security parameters, check if PreviousPasswordsDisallowed = 20.", + "fix": "In security parameters, set PreviousPasswordsDisallowed = 20." }, "impact": 0.4, "refs": [], 
@@ -211,43 +211,43 @@ "Rev_4" ] }, - "code": "control 'rsa-archer-1.4' do\n title 'Special characters required'\n desc 'When passwords are changed or new passwords are established, the new\n password must contain at least one special character.'\n impact 'medium'\n desc 'check', 'In security parameters, check if SpecialCharsRequired = 1.'\n desc 'fix', 'In security parameters, set SpecialCharsRequired = 1.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.SpecialCharsRequired') { should cmp >= attribute('minimum_special_characters') }\n its('general_user_parameter.SpecialCharsRequired') { should cmp >= attribute('minimum_special_characters') }\n its('archer_services_parameter.SpecialCharsRequired') { should cmp >= attribute('minimum_special_characters') }\n end\nend\n", + "code": "control 'rsa-archer-1.8' do\n title 'Previous passwords disallowed'\n desc 'Passwords must be prohibited from reuse for a minimum of 20 generations.'\n impact 'medium'\n desc 'check', 'In security parameters, check if PreviousPasswordsDisallowed = 20.'\n desc 'fix', 'In security parameters, set PreviousPasswordsDisallowed = 20.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.PreviousPasswordsDisallowed') { should cmp >= attribute('previous_passwords_disallowed') }\n its('general_user_parameter.PreviousPasswordsDisallowed') { should cmp >= attribute('previous_passwords_disallowed') }\n 
its('archer_services_parameter.PreviousPasswordsDisallowed') { should cmp >= attribute('previous_passwords_disallowed') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.4.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.8.rb", "line": 1 }, - "id": "rsa-archer-1.4" + "id": "rsa-archer-1.8" }, { - "title": "Lowercase characters require", - "desc": "When passwords are changed or new passwords are assigned, the new\n password must contain at least one lowercase character.", + "title": "Session time-out", + "desc": "The operating system must initiate a session time-out after a 10 minute\n period of inactivity", "descriptions": { - "default": "When passwords are changed or new passwords are assigned, the new\n password must contain at least one lowercase character.", - "check": "In security parameters, check if LowercaseCharsRequired = 1.", - "fix": "In security parameters, set LowercaseCharsRequired = 1." + "default": "The operating system must initiate a session time-out after a 10 minute\n period of inactivity", + "check": "In security parameters, check if SessionTimeout = 10.", + "fix": "In security parameters, set SessionTimeout = 10." 
}, "impact": 0.4, "refs": [], "tags": { "nist": [ - "IA-5(1)", + "AC-11", "Rev_4" ] }, - "code": "control 'rsa-archer-1.6' do\n title 'Lowercase characters require'\n desc 'When passwords are changed or new passwords are assigned, the new\n password must contain at least one lowercase character.'\n impact 'medium'\n desc 'check', 'In security parameters, check if LowercaseCharsRequired = 1.'\n desc 'fix', 'In security parameters, set LowercaseCharsRequired = 1.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.LowercaseCharsRequired') { should cmp >= attribute('minimum_lowercase_characters') }\n its('general_user_parameter.LowercaseCharsRequired') { should cmp >= attribute('minimum_lowercase_characters') }\n its('archer_services_parameter.LowercaseCharsRequired') { should cmp >= attribute('minimum_lowercase_characters') }\n end\nend\n", + "code": "control 'rsa-archer-1.11' do\n title 'Session time-out'\n desc 'The operating system must initiate a session time-out after a 10 minute\n period of inactivity '\n impact 'medium'\n desc 'check', 'In security parameters, check if SessionTimeout = 10.'\n desc 'fix', 'In security parameters, set SessionTimeout = 10.'\n tag 'nist': ['AC-11', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.SessionTimeout') { should cmp <= attribute('session_timeout') }\n its('general_user_parameter.SessionTimeout') { should cmp <= attribute('session_timeout') }\n 
its('archer_services_parameter.SessionTimeout') { should cmp <= attribute('session_timeout') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.6.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.11.rb", "line": 1 }, - "id": "rsa-archer-1.6" + "id": "rsa-archer-1.11" }, { - "title": "Previous passwords disallowed", - "desc": "Passwords must be prohibited from reuse for a minimum of 20 generations.", + "title": "Special characters required", + "desc": "When passwords are changed or new passwords are established, the new\n password must contain at least one special character.", "descriptions": { - "default": "Passwords must be prohibited from reuse for a minimum of 20 generations.", - "check": "In security parameters, check if PreviousPasswordsDisallowed = 20.", - "fix": "In security parameters, set PreviousPasswordsDisallowed = 20." + "default": "When passwords are changed or new passwords are established, the new\n password must contain at least one special character.", + "check": "In security parameters, check if SpecialCharsRequired = 1.", + "fix": "In security parameters, set SpecialCharsRequired = 1." }, "impact": 0.4, "refs": [], 
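Review bot: The new rsa-archer-1.11 description reads `The operating system must initiate a session time-out after a 10 minute period of inactivity`, but the control tests Archer's `SessionTimeout` security parameter, not an OS setting; the text looks copied from an OS STIG and should name the product, e.g. `RSA Archer must terminate a user session after 10 minutes of inactivity.` (the desc inside the code string also carries a trailing space and no terminating period). Separately, `should cmp <= attribute('session_timeout')` accepts 0; if Archer treats 0 as "no timeout" — I can't confirm that from this file — a `should cmp > 0` companion assertion on each parameter set would prevent a disabled timeout from passing. Both changes belong in `./RSA Archer 6 SCG/controls/rsa-archer-1.11.rb` with this export regenerated.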
@@ -257,121 +257,121 @@ "Rev_4" ] }, - "code": "control 'rsa-archer-1.8' do\n title 'Previous passwords disallowed'\n desc 'Passwords must be prohibited from reuse for a minimum of 20 generations.'\n impact 'medium'\n desc 'check', 'In security parameters, check if PreviousPasswordsDisallowed = 20.'\n desc 'fix', 'In security parameters, set PreviousPasswordsDisallowed = 20.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.PreviousPasswordsDisallowed') { should cmp >= attribute('previous_passwords_disallowed') }\n its('general_user_parameter.PreviousPasswordsDisallowed') { should cmp >= attribute('previous_passwords_disallowed') }\n its('archer_services_parameter.PreviousPasswordsDisallowed') { should cmp >= attribute('previous_passwords_disallowed') }\n end\nend\n", + "code": "control 'rsa-archer-1.4' do\n title 'Special characters required'\n desc 'When passwords are changed or new passwords are established, the new\n password must contain at least one special character.'\n impact 'medium'\n desc 'check', 'In security parameters, check if SpecialCharsRequired = 1.'\n desc 'fix', 'In security parameters, set SpecialCharsRequired = 1.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.SpecialCharsRequired') { should cmp >= attribute('minimum_special_characters') }\n its('general_user_parameter.SpecialCharsRequired') { should cmp >= attribute('minimum_special_characters') 
}\n its('archer_services_parameter.SpecialCharsRequired') { should cmp >= attribute('minimum_special_characters') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.8.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.4.rb", "line": 1 }, - "id": "rsa-archer-1.8" + "id": "rsa-archer-1.4" }, { - "title": "Numeric characters required", - "desc": "When passwords are changed or new passwords are established, the new\n password must contain at least one numeric character.", + "title": "Maximum failed logon attempts", + "desc": "Accounts subject to 3 unsuccessful logon attempts must be locked.", "descriptions": { - "default": "When passwords are changed or new passwords are established, the new\n password must contain at least one numeric character.", - "check": "In security parameters, check if NumericCharsRequired = 1.", - "fix": "In security parameters, set NumericCharsRequired = 1." + "default": "Accounts subject to 3 unsuccessful logon attempts must be locked.", + "check": "In security parameters, check if MaximumFailedLoginAttempts = 3.", + "fix": "In security parameters, set MaximumFailedLoginAttempts = 3." 
}, "impact": 0.4, "refs": [], "tags": { "nist": [ - "IA-5(1)", + "AC-7", "Rev_4" ] }, - "code": "control 'rsa-archer-1.3' do\n title 'Numeric characters required'\n desc 'When passwords are changed or new passwords are established, the new\n password must contain at least one numeric character.'\n impact 'medium'\n desc 'check', 'In security parameters, check if NumericCharsRequired = 1.'\n desc 'fix', 'In security parameters, set NumericCharsRequired = 1.'\n tag 'nist': ['IA-5(1)', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.NumericCharsRequired') { should cmp >= attribute('minimum_numeric_characters') }\n its('general_user_parameter.NumericCharsRequired') { should cmp >= attribute('minimum_numeric_characters') }\n its('archer_services_parameter.NumericCharsRequired') { should cmp >= attribute('minimum_numeric_characters') }\n end\nend\n", + "code": "control 'rsa-archer-1.10' do\n title 'Maximum failed logon attempts'\n desc 'Accounts subject to 3 unsuccessful logon attempts must be locked.'\n impact 'medium'\n desc 'check', 'In security parameters, check if MaximumFailedLoginAttempts = 3.'\n desc 'fix', 'In security parameters, set MaximumFailedLoginAttempts = 3.'\n tag 'nist': ['AC-7', 'Rev_4']\n\n archer_api_helper = archer(url: attribute('url'),\n instancename: attribute('instancename'),\n user_domain: attribute('user_domain'),\n username: attribute('username'),\n password: attribute('password'),\n ssl_verify: attribute('ssl_verify'))\n\n describe archer_api_helper do\n its('default_administrative_user.MaximumFailedLoginAttempts') { should cmp attribute('unsuccessful_login_attempts') }\n its('general_user_parameter.MaximumFailedLoginAttempts') { should cmp 
attribute('unsuccessful_login_attempts') }\n its('archer_services_parameter.MaximumFailedLoginAttempts') { should cmp attribute('unsuccessful_login_attempts') }\n end\nend\n", "source_location": { - "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.3.rb", + "ref": "./RSA Archer 6 SCG/controls/rsa-archer-1.10.rb", "line": 1 }, - "id": "rsa-archer-1.3" + "id": "rsa-archer-1.10" } ], "groups": [ { "title": null, "controls": [ - "rsa-archer-1.2" + "rsa-archer-1.7" ], - "id": "controls/rsa-archer-1.2.rb" + "id": "controls/rsa-archer-1.7.rb" }, { "title": null, "controls": [ - "rsa-archer-1.9" + "rsa-archer-1.1" ], - "id": "controls/rsa-archer-1.9.rb" + "id": "controls/rsa-archer-1.1.rb" }, { "title": null, "controls": [ - "rsa-archer-1.7" + "rsa-archer-1.12" ], - "id": "controls/rsa-archer-1.7.rb" + "id": "controls/rsa-archer-1.12.rb" }, { "title": null, "controls": [ - "rsa-archer-1.1" + "rsa-archer-1.2" ], - "id": "controls/rsa-archer-1.1.rb" + "id": "controls/rsa-archer-1.2.rb" }, { "title": null, "controls": [ - "rsa-archer-1.11" + "rsa-archer-1.5" ], - "id": "controls/rsa-archer-1.11.rb" + "id": "controls/rsa-archer-1.5.rb" }, { "title": null, "controls": [ - "rsa-archer-1.10" + "rsa-archer-1.6" ], - "id": "controls/rsa-archer-1.10.rb" + "id": "controls/rsa-archer-1.6.rb" }, { "title": null, "controls": [ - "rsa-archer-1.12" + "rsa-archer-1.9" ], - "id": "controls/rsa-archer-1.12.rb" + "id": "controls/rsa-archer-1.9.rb" }, { "title": null, "controls": [ - "rsa-archer-1.5" + "rsa-archer-1.3" ], - "id": "controls/rsa-archer-1.5.rb" + "id": "controls/rsa-archer-1.3.rb" }, { "title": null, "controls": [ - "rsa-archer-1.4" + "rsa-archer-1.8" ], - "id": "controls/rsa-archer-1.4.rb" + "id": "controls/rsa-archer-1.8.rb" }, { "title": null, "controls": [ - "rsa-archer-1.6" + "rsa-archer-1.11" ], - "id": "controls/rsa-archer-1.6.rb" + "id": "controls/rsa-archer-1.11.rb" }, { "title": null, "controls": [ - "rsa-archer-1.8" + "rsa-archer-1.4" ], - "id": 
"controls/rsa-archer-1.8.rb" + "id": "controls/rsa-archer-1.4.rb" }, { "title": null, "controls": [ - "rsa-archer-1.3" + "rsa-archer-1.10" ], - "id": "controls/rsa-archer-1.3.rb" + "id": "controls/rsa-archer-1.10.rb" } ], "sha256": "dc4ae9213005f211c3d381118e0c00441c00b98dc658c3cd0574d30586974dc3",
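Review bot: The new `rsa-archer-1.10` control's embedded InSpec code asserts `should cmp attribute('unsuccessful_login_attempts')` on all three parameter sets, so an instance configured more strictly than the baseline (for example 2 attempts) fails the control, while the neighbouring `rsa-archer-1.4` control in this hunk uses a one-sided `should cmp >=` for `SpecialCharsRequired`; a bound such as `its('default_administrative_user.MaximumFailedLoginAttempts') { should cmp <= attribute('unsuccessful_login_attempts') }` on each of the three lines would be consistent and would not penalise a stricter lockout. If Archer treats 0 as "never lock" (not shown here — verify against the product documentation), pair the relaxed comparison with a `{ should be > 0 }` expectation so the control cannot be satisfied by disabling lockout altogether. Because this JSON records `"source_location"` as `./RSA Archer 6 SCG/controls/rsa-archer-1.10.rb`, the fix belongs in that Ruby control with the JSON regenerated from it rather than edited by hand. Note also that this hunk, including the `groups` array, only permutes existing entries while the `sha256` context line is unchanged, which suggests the export order is not stable; sorting controls and groups by `id` during export would keep future diffs reviewable.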